gssapi: fail if client sets wrong principal

Problem: if client sets ZMQ_GSSAPI_PRINCIPAL to a name for which credentials cannot be obtained, authentication proceeds with default credentials. Solution: Before initializing the security context, check whether there was a failed attempt to acquire credentials for a specific principal and bail out if so. Fixes #2531
2024-12-28 07:58:14 +08:00 · 2017-04-19 16:04:41 -07:00 · 2017-04-19 16:04:41 -07:00 · 4e22dd0e97
commit 4e22dd0e97
parent f2b579ce02
1 changed files with 4 additions and 0 deletions
--- a/src/gssapi_client.cpp
+++ b/src/gssapi_client.cpp
@ -166,6 +166,10 @@ zmq::mechanism_t::status_t zmq::gssapi_client_t::status () const

 int zmq::gssapi_client_t::initialize_context ()
 {
+    // principal was specified but credentials could not be acquired
+    if (principal_name != NULL && cred == NULL)
+        return -1;
+
    // First time through, import service_name into target_name
    if (target_name == GSS_C_NO_NAME) {
        send_tok.value = service_name;