From 4e22dd0e9709587c4b211066212510c37276ff8c Mon Sep 17 00:00:00 2001
From: Jim Garlick
Date: Wed, 19 Apr 2017 16:04:41 -0700
Subject: [PATCH] gssapi: fail if client sets wrong principal
Problem: if client sets ZMQ_GSSAPI_PRINCIPAL to a name for which credentials cannot be obtained, authentication proceeds with default credentials.
Solution: Before initializing the security context, check whether there was a failed attempt to acquire credentials for a specific principal and bail out if so.
Fixes #2531
---
 src/gssapi_client.cpp | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/gssapi_client.cpp b/src/gssapi_client.cpp
index 9eb598ab..6d7444cf 100644
--- a/src/gssapi_client.cpp
+++ b/src/gssapi_client.cpp
@@ -166,6 +166,10 @@ zmq::mechanism_t::status_t zmq::gssapi_client_t::status () const
 int zmq::gssapi_client_t::initialize_context ()
 {
+ // principal was specified but credentials could not be acquired
+ if (principal_name != NULL && cred == NULL)
+ return -1;
+
 // First time through, import service_name into target_name
 if (target_name == GSS_C_NO_NAME) {
 send_tok.value = service_name;
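Review bot: The new guard at the top of initialize_context() tests `cred == NULL`, while the context line just below it tests `target_name == GSS_C_NO_NAME`. If `cred` is a `gss_cred_id_t` (its declaration is outside this hunk), the GSSAPI sentinel is the consistent spelling: `if (principal_name != NULL && cred == GSS_C_NO_CREDENTIAL)`. The bare `return -1;` sets no errno and records no GSS status in the visible lines, so a caller probably cannot tell a failed credential acquisition from any other context-initialization failure; consider setting errno or keeping the acquisition's major/minor status before returning. Because this check is what stops a silent fallback to default credentials, the comment could say so, e.g. `// fail closed: a principal was requested but its credentials were not acquired; never fall back to default credentials`. The function body continues past the end of the hunk.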