gssapi: fail if client sets wrong principal

Problem: if client sets ZMQ_GSSAPI_PRINCIPAL to a name for which credentials cannot be obtained, authentication proceeds with default credentials. Solution: Before initializing the security context, check whether there was a failed attempt to acquire credentials for a specific principal and bail out if so. Fixes #2531

gssapi: fail if client sets wrong principal
Problem: if client sets ZMQ_GSSAPI_PRINCIPAL to a name for which credentials cannot be obtained, authentication proceeds with default credentials. Solution: Before initializing the security context, check whether there was a failed attempt to acquire credentials for a specific principal and bail out if so. Fixes #2531
4e22dd0e · Jim Garlick · f2b579ce · 4e22dd0e
Commit 4e22dd0e authored Apr 19, 2017 by Jim Garlick
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 0 deletions

gssapi_client.cpp src/gssapi_client.cpp +4 -0

No files found.
--- a/src/gssapi_client.cpp
+++ b/src/gssapi_client.cpp
@@ -166,6 +166,10 @@ zmq::mechanism_t::status_t zmq::gssapi_client_t::status () const

 int zmq::gssapi_client_t::initialize_context ()
 {
+    // principal was specified but credentials could not be acquired
+    if (principal_name != NULL && cred == NULL)
+        return -1;
+
    // First time through, import service_name into target_name
    if (target_name == GSS_C_NO_NAME) {
        send_tok.value = service_name;