Solution: do not define ZMQ_HAVE_POLLER in src/zmq_drafts.h otherwise
src/zmq.cpp will implement zmq_poll using the new poller classes.
Same for ZMQ_HAVE_TIMERS, even though it has no internal effect, but
to be safe against future development.
Problem: there is no test coverage for GSSAPI.
Solution: add a test structured like the CURVE test.
The test is not built if libzmq is not configured with
--with-libgssapi_krb5. It will report SKIPPED status
if the required environment is missing (see below).
Environment: KRB5_KTNAME and KRB5_CLIENT_KTNAME
environment variables must point to a keytab file
containing creds for a host-based test principal
(see comment at top of source for details).
Kerberos must be configured and a KDC containing the
test principal must be running, otherwise the test
will fail/hang.
N.B. For now, the test must use the same principal for
both client and server roles because it seems impossible
to set them to different principals when they are
threads in the same process. Once one principal is
cached in credential cache, attempts to acquire creds
for a different "desired name" seem to be ignored and
the cached principal is used instead.
Problem: GSSAPI DRAFT code was made conditional on
ZMQ_BUILD_DRAFT_API, but zmq_draft.h duplicates the DRAFT
symbols definitions from zmq.h so this is unnecessary.
Solution: drop the extra ifdefs
Problem: GSSAPI NAMETYPE socket option numbers were modified
+1000 when moved to DRAFT section, but should use the definitive
values while in DRAFT to minimize disruption later.
Solution: renumber the socket options
Problem: GSSAPI NAMETYPE options were not documented in man
pages for zmq_getsockopt() and zmq_setsockopt().
Solution: add new options to these manual pages.
Problem: The new GSSAPI NAMESPACE options should have been
added to the DRAFT section of the API so they can be changed
until stabilized.
Solution:
- Move defines to the DRAFT section of zmq.h
- Duplicate them in zmq_draft.h, as is the local custom
- Compile only if defined (ZMQ_BUILD_DRAFT_API)
- Refactor internals slightly to avoid #ifdef hell
Problem: principals are looked up unconditionally
with the GSS_C_NT_HOSTBASED_SERVICE name type.
Solution: Add two new socket options to set the name type
for ZMQ_GSSAPI_PRINCIPAL and ZMQ_GSSAPI_SERVICE_PRINCIPAL:
ZMQ_GSSAPI_PRINCIPAL_NAMETYPE
ZMQ_GSSAPI_SERVICE_PRINCIPAL_NAMETYPE
They take an integer argument which must be one of
ZMQ_GSSAPI_NT_HOSTBASED (0) - default
ZMQ_GSSAPI_NT_USER_NAME (1)
ZMQ_GSSAPI_NT_KRB5_PRINCIPAL (2)
These correspond to GSSAPI name types of:
GSS_C_NT_HOSTBASED_SERVICE
GSS_C_NT_USER_NAME
GSS_KRB5_NT_PRINCIPAL_NAME
Fixes#2542
Problem: one call to gss_import_name() includes the terminating
NULL in a gss_buffer_desc.length, and one doesn't.
According to the examples at:
http://docs.oracle.com/cd/E19253-01/816-4863/overview-22/index.html
the NULL should be included in the length.
Solution: Fix one case to include the terminating NULL in the length.
Problem: if client sets ZMQ_GSSAPI_PRINCIPAL to a name
for which credentials cannot be obtained, authentication
proceeds with default credentials.
Solution: Before initializing the security context, check
whether there was a failed attempt to acquire credentials
for a specific principal and bail out if so.
Fixes#2531
Problem: if client sets the ZMQ_GSSAPI_PRINCIPAL to a valid
principal, authentication fails.
When an application sets ZMQ_GSSAPI_PRINCIPAL, whether as a
client or a server, libzmq internally calls gss_acquire_cred()
with cred_usage=GSS_C_ACCEPT. This cred_usage setting is for
acceptors (servers) only, thus it doesn't work for initiators
(clients).
Solution: Change the cred_usage parameter to GSS_C_BOTH to allow
initiators to set ZMQ_GSSAPI_PRINCIPAL.
Problem: the ZMQ_GSSAPI_PRINCIPAL socket option is described
as mandatory in the zmq_gssapi(7) manual page. In fact it
is optional.
Solution: Describe ZMQ_GSSAPI_PRINCIPAL as optional.
If unspecified, default credentials are used.
Problem: configure.ac is not setting HAVE_LIBGSSAPI_KRB5
in src/platform.hpp when --with-libgssapi_krb5 is specified
Commit 09e868b743
switched the libgssapi_krb5 check from AC_CHECK_LIB
to AC_SEARCH_LIBS, but neglected to add an AC_DEFINE
for HAVE_LIBGSSAPI_KRB5, thus the GSSAPI code is
never compiled.
Solution: Add missing AC_DEFINE of HAVE_LIBGSSAPI_KRB5.
* change macOS < 10.12 clock to SYSTEM_CLOCK, fixes#2537
* remove clock_id option from alt_clock_gettime since we always want a monotonic clock.
* update header definition for alt_clock_gettime
* pass clock definition down to host_get_clock_service for macOS < 10.12
* change to monotonic clocks
Add two new options to CMakeLists.txt:
`BUILD_SHARED` - Whether or not to build the shared object (Default: ON)
`BUILD_STATIC` - Whether or not to build the static archive (Default: ON)