1 files changed, 12 insertions, 8 deletions

diff --git a/tests/tap/kerberos.h b/tests/tap/kerberos.h
index c34f891..26f45f9 100644
--- a/tests/tap/kerberos.h
+++ b/tests/tap/kerberos.h
@@ -5,7 +5,7 @@
  * which can be found at <http://www.eyrie.org/~eagle/software/rra-c-util/>.
  *
  * Written by Russ Allbery <eagle@eyrie.org>
- * Copyright 2006, 2007, 2009, 2011, 2012, 2013
+ * Copyright 2006, 2007, 2009, 2011, 2012, 2013, 2014
  *     The Board of Trustees of the Leland Stanford Junior University
  *
  * Permission is hereby granted, free of charge, to any person obtaining a
@@ -46,17 +46,21 @@ struct kerberos_config {
     char *username;             /* The local (non-realm) part of principal. */
     char *realm;                /* The realm part of the principal. */
     char *password;             /* The password. */
+    char *pkinit_principal;     /* Principal for PKINIT authentication. */
+    char *pkinit_cert;          /* Path to certificates for PKINIT. */
 };
 
 /*
  * Whether to skip all tests (by calling skip_all) in kerberos_setup if
- * certain configuration information isn't available.
+ * certain configuration information isn't available.  "_BOTH" means that the
+ * tests require both keytab and password, but PKINIT is not required.
  */
 enum kerberos_needs {
     TAP_KRB_NEEDS_NONE     = 0x00,
     TAP_KRB_NEEDS_KEYTAB   = 0x01,
     TAP_KRB_NEEDS_PASSWORD = 0x02,
-    TAP_KRB_NEEDS_BOTH     = 0x01 | 0x02
+    TAP_KRB_NEEDS_BOTH     = 0x01 | 0x02,
+    TAP_KRB_NEEDS_PKINIT   = 0x04
 };
 
 BEGIN_DECLS
@@ -73,11 +77,11 @@ BEGIN_DECLS
  * the principal field will be NULL.  If the files exist but loading them
  * fails, or authentication fails, kerberos_setup calls bail.
  *
- * kerberos_cleanup will be set up to run from an atexit handler.  This means
- * that any child processes that should not remove the Kerberos ticket cache
- * should call _exit instead of exit.  The principal will be automatically
- * freed when kerberos_cleanup is called or if kerberos_setup is called again.
- * The caller doesn't need to worry about it.
+ * kerberos_cleanup will be run as a cleanup function normally, freeing all
+ * resources and cleaning up temporary files on process exit.  It can,
+ * however, be called directly if for some reason the caller needs to delete
+ * the Kerberos environment again.  However, normally the caller can just call
+ * kerberos_setup again.
  */
 struct kerberos_config *kerberos_setup(enum kerberos_needs)
     __attribute__((__malloc__));