gssapi: use GSS_C_BOTH to acquire credentials

Problem: if client sets the ZMQ_GSSAPI_PRINCIPAL to a valid principal, authentication fails. When an application sets ZMQ_GSSAPI_PRINCIPAL, whether as a client or a server, libzmq internally calls gss_acquire_cred() with cred_usage=GSS_C_ACCEPT. This cred_usage setting is for acceptors (servers) only, thus it doesn't work for initiators (clients). Solution: Change the cred_usage parameter to GSS_C_BOTH to allow initiators to set ZMQ_GSSAPI_PRINCIPAL.

gssapi: use GSS_C_BOTH to acquire credentials
Problem: if client sets the ZMQ_GSSAPI_PRINCIPAL to a valid principal, authentication fails. When an application sets ZMQ_GSSAPI_PRINCIPAL, whether as a client or a server, libzmq internally calls gss_acquire_cred() with cred_usage=GSS_C_ACCEPT. This cred_usage setting is for acceptors (servers) only, thus it doesn't work for initiators (clients). Solution: Change the cred_usage parameter to GSS_C_BOTH to allow initiators to set ZMQ_GSSAPI_PRINCIPAL.
f2b579ce · Jim Garlick · c371824b · f2b579ce
Commit f2b579ce authored Apr 18, 2017 by Jim Garlick
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

gssapi_mechanism_base.cpp src/gssapi_mechanism_base.cpp +1 -1

No files found.
--- a/src/gssapi_mechanism_base.cpp
+++ b/src/gssapi_mechanism_base.cpp
@@ -338,7 +338,7 @@ int zmq::gssapi_mechanism_base_t::acquire_credentials (char * service_name_, gss
        return -1;

    maj_stat = gss_acquire_cred (&min_stat, server_name, 0,
-                                 GSS_C_NO_OID_SET, GSS_C_ACCEPT,
+                                 GSS_C_NO_OID_SET, GSS_C_BOTH,
                                 cred_, NULL, NULL);

    if (maj_stat != GSS_S_COMPLETE)