Merge pull request #2541 from garlick/gssapi_fix

fix misc. bugs in GSSAPI support

Merge pull request #2541 from garlick/gssapi_fix
fix misc. bugs in GSSAPI support
42729256 · Luca Boccassi · GitHub · aa90863b · 2b9a352a · 42729256
Commit 42729256 authored Apr 20, 2017 by Luca Boccassi Committed by GitHub Apr 20, 2017
Showing with 17 additions and 11 deletions

configure.ac configure.ac +2 -1

zmq_gssapi.txt doc/zmq_gssapi.txt +9 -8

gssapi_client.cpp src/gssapi_client.cpp +5 -1

gssapi_mechanism_base.cpp src/gssapi_mechanism_base.cpp +1 -1

No files found.
--- a/configure.ac
+++ b/configure.ac
@@ -427,7 +427,8 @@ AC_ARG_WITH([libgssapi_krb5], [AS_HELP_STRING([--with-libgssapi_krb5],
 # conditionally require libgssapi_krb5
 if test "x$require_libgssapi_krb5_ext" != "xno"; then
    AC_CHECK_HEADERS(gssapi/gssapi_generic.h)
-    AC_SEARCH_LIBS([gss_init_sec_context], [gssapi_krb5 gssapi],,
+    AC_SEARCH_LIBS([gss_init_sec_context], [gssapi_krb5 gssapi],
+        AC_DEFINE(HAVE_LIBGSSAPI_KRB5, [1], [Enabled GSSAPI security]),
        AC_MSG_ERROR(libgssapi_krb5 is needed for GSSAPI security))
 fi


--- a/doc/zmq_gssapi.txt
+++ b/doc/zmq_gssapi.txt
@@ -22,16 +22,17 @@ CLIENT AND SERVER ROLES
 -----------------------
 A socket using GSSAPI can be either client or server, but not both.

-To become either a GSSAPI client or server, the application sets the
-ZMQ_GSSAPI_PRINCIPAL option to provide the socket with the name of the principal
-for whom GSSAPI credentials should be acquired.
+To become a GSSAPI server, the application sets the ZMQ_GSSAPI_SERVER
+option on the socket.

-To become a GSSAPI server, the application additionally sets the
-ZMQ_GSSAPI_SERVER option on the socket.
+To become a GSSAPI client, the application sets the ZMQ_GSSAPI_SERVICE_PRINCIPAL
+option to the name of the principal on the server to which it intends to
+connect.

-To become a GSSAPI client, the application additionally sets the
-ZMQ_GSSAPI_SERVICE_PRINCIPAL option to the name of the principal of the server
-to which it intends to connect.
+On client or server, the application may additionally set the
+ZMQ_GSSAPI_PRINCIPAL option to provide the socket with the name of the
+principal for whom GSSAPI credentials should be acquired.  If this option
+is not set, default credentials are used.


 OPTIONAL ENCRYPTION

--- a/src/gssapi_client.cpp
+++ b/src/gssapi_client.cpp
@@ -166,10 +166,14 @@ zmq::mechanism_t::status_t zmq::gssapi_client_t::status () const

 int zmq::gssapi_client_t::initialize_context ()
 {
+    // principal was specified but credentials could not be acquired
+    if (principal_name != NULL && cred == NULL)
+        return -1;
+
    // First time through, import service_name into target_name
    if (target_name == GSS_C_NO_NAME) {
        send_tok.value = service_name;
-        send_tok.length = strlen(service_name);
+        send_tok.length = strlen(service_name) + 1;
        OM_uint32 maj = gss_import_name(&min_stat, &send_tok,
                                        GSS_C_NT_HOSTBASED_SERVICE,
                                        &target_name);

--- a/src/gssapi_mechanism_base.cpp
+++ b/src/gssapi_mechanism_base.cpp
@@ -338,7 +338,7 @@ int zmq::gssapi_mechanism_base_t::acquire_credentials (char * service_name_, gss
        return -1;

    maj_stat = gss_acquire_cred (&min_stat, server_name, 0,
-                                 GSS_C_NO_OID_SET, GSS_C_ACCEPT,
+                                 GSS_C_NO_OID_SET, GSS_C_BOTH,
                                 cred_, NULL, NULL);

    if (maj_stat != GSS_S_COMPLETE)