From 5ca229e0d9c19699eb39345a2a8513a956518cb7 Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Mon, 6 May 2019 11:29:04 +1000
Subject: [PATCH] krb5: krb5_get_init_creds_opt_set_pkinit flag names

Add macros to give symbolic names to the flags which can be passed to krb5_get_init_creds_opt_set_pkinit(). Reserve flags for BTMM and not validating KDC anchors.
---
 kuser/kinit.c | 4 ++--
 lib/krb5/krb5.h | 9 +++++++++
 lib/krb5/pkinit.c | 4 ++--
 3 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/kuser/kinit.c b/kuser/kinit.c
index 8771b1d54..92c96f22e 100644
--- a/kuser/kinit.c
+++ b/kuser/kinit.c
@@ -537,8 +537,8 @@ get_new_tickets(krb5_context context,
 pk_x509_anchors,
 NULL,
 NULL,
- pk_use_enckey ? 2 : 0 |
- anonymous_pkinit ? 4 : 0,
+ pk_use_enckey ? KRB5_GIC_OPT_PKINIT_USE_ENCKEY : 0 |
+ anonymous_pkinit ? KRB5_GIC_OPT_PKINIT_ANONYMOUS : 0,
 prompter,
 NULL,
 passwd);
diff --git a/lib/krb5/krb5.h b/lib/krb5/krb5.h
index 17459c993..1535329cb 100644
--- a/lib/krb5/krb5.h
+++ b/lib/krb5/krb5.h
@@ -944,6 +944,15 @@ typedef struct krb5_name_canon_rule_data *krb5_name_canon_rule;
 typedef const struct krb5_name_canon_rule_data *krb5_const_name_canon_rule;
 typedef struct krb5_name_canon_iterator_data *krb5_name_canon_iterator;
 
+/*
+ * krb5_get_init_creds_opt_set_pkinit flags
+ */
+
+#define KRB5_GIC_OPT_PKINIT_USE_ENCKEY 2 /* use RSA, not DH */
+#define KRB5_GIC_OPT_PKINIT_ANONYMOUS 4 /* anonymous PKINIT */
+#define KRB5_GIC_OPT_PKINIT_BTMM 8 /* reserved by Apple */
+#define KRB5_GIC_OPT_PKINIT_NO_KDC_ANCHOR 16 /* do not authenticate KDC */
+
 /*
  *
  */
diff --git a/lib/krb5/pkinit.c b/lib/krb5/pkinit.c
index 953b55046..a947c7215 100644
--- a/lib/krb5/pkinit.c
+++ b/lib/krb5/pkinit.c
@@ -2269,7 +2269,7 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context,
 x509_anchors = anchors;
 }
 
- if (flags & 4)
+ if (flags & KRB5_GIC_OPT_PKINIT_ANONYMOUS)
 opt->opt_private->pk_init_ctx->anonymous = 1;
 
 ret = _krb5_pk_load_id(context,
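Review bot: The two added lines in kinit.c keep the operator-precedence bug of the lines they replace: `|` binds tighter than `?:`, so the expression parses as `pk_use_enckey ? KRB5_GIC_OPT_PKINIT_USE_ENCKEY : ((0 | anonymous_pkinit) ? KRB5_GIC_OPT_PKINIT_ANONYMOUS : 0)`, and whenever pk_use_enckey is set the anonymous flag is silently dropped, so the two options can never be requested together. Parenthesise each conditional: `(pk_use_enckey ? KRB5_GIC_OPT_PKINIT_USE_ENCKEY : 0) |` and `(anonymous_pkinit ? KRB5_GIC_OPT_PKINIT_ANONYMOUS : 0),`. The surrounding call and get_new_tickets itself begin and end outside the hunk.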
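Review bot: The new macro block in krb5.h does not say that these values are a bitmask to be OR'd into the flags argument, that no flag with value 1 is defined here, or that KRB5_GIC_OPT_PKINIT_BTMM and KRB5_GIC_OPT_PKINIT_NO_KDC_ANCHOR are only reserved — the commit message says so, but a reader of the header will not see it, and `/* do not authenticate KDC */` reads as a working option. Nothing in this patch tests either reserved bit, so a caller setting NO_KDC_ANCHOR presumably still gets KDC anchor validation. I would expand the header comment to: `Bitmask flags for the flags argument of krb5_get_init_creds_opt_set_pkinit(); combine with |. No flag uses value 1. _BTMM and _NO_KDC_ANCHOR are reserved and not yet honoured by this library.`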
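Review bot: The check on the added line in pkinit.c (and the one in the following hunk) only consumes KRB5_GIC_OPT_PKINIT_ANONYMOUS and KRB5_GIC_OPT_PKINIT_USE_ENCKEY; any other bit, including the newly reserved KRB5_GIC_OPT_PKINIT_NO_KDC_ANCHOR, is accepted and silently ignored, so a caller cannot tell whether the option took effect. Ignoring it fails closed for anchor validation, which is the right default, but the function should either reject bits it does not implement, e.g. `if (flags & ~(KRB5_GIC_OPT_PKINIT_USE_ENCKEY | KRB5_GIC_OPT_PKINIT_ANONYMOUS)) return EINVAL;` near its entry, or at least carry a comment next to this check such as `/* _BTMM and _NO_KDC_ANCHOR are reserved and not implemented here */`. If Apple's build already passes the BTMM bit through this function, rejecting unknown bits would break it, so the comment may be the safer option. krb5_get_init_creds_opt_set_pkinit starts and ends outside the hunk.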
@@ -2295,7 +2295,7 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context, } else opt->opt_private->pk_init_ctx->id->cert = NULL; - if ((flags & 2) == 0) { + if ((flags & KRB5_GIC_OPT_PKINIT_USE_ENCKEY) == 0) { hx509_context hx509ctx = context->hx509ctx; hx509_cert cert = opt->opt_private->pk_init_ctx->id->cert;