fix(NODE-6372): correctly GSS wrap non-user data #206
Conversation
|
NOTE: I wasn't able to run the full test suite locally, given my Kerberos server configuration. I did run equivalent versions of the new tests in my application. |
| @@ -468,7 +468,7 @@ gss_result authenticate_gss_client_wrap(gss_client_state* state, | |||
| input_token.length = len; | |||
| } | |||
|
|
|||
| if (user) { | |||
| if (user && *user) { | |||
There was a problem hiding this comment.
Should the check in L519 also be adjusted in the same way? The memory management code in this file is honestly a bit hard to follow, but it seems that way to me
There was a problem hiding this comment.
I'm also having a hard time following.
My suspicion is that, since user is never null, that release is never being executed. Or at least has not been since the ToStringWithNonStringAsEmpty behavior was introduced.
Then again, I don't understand why we'd only need to release the buffer if there is no user. Maybe the right fix is to remove that condition altogether and just call the release if there is any data in the buffer?
There was a problem hiding this comment.
Then again, I don't understand why we'd only need to release the buffer if there is no user
I assume that it corresponds to this condition here, hence my suggestion above – if this branch is taken, then input_token contains a stack-allocated reference to buf, rather than a dynamically allocated buffer
|
Closing for inactivity, please feel free to re-open and continue this if there's interest! |
Description
Fix implementation of
wrapfunction to work for use cases other than authentication.What is changing?
Just an extra check for an empty string:
if (user)becomesif (user && *user).Without this, the
wrapfunction was discarding the challenge/payload value and wrapping only the user option value, even if no such value was provided.Is there new documentation needed for these changes?
No, this makes the
wrapmethod work as per the existing documentation.What is the motivation for this change?
Without this change, the
wrapfunction works only for authentication. With this change, any payload can be GSS-wrapped.Release Highlight
Allow Kerberos GSS
wrapfunction to work on arbitrary challenge/payload data, not just user authentication.Double check the following
npm run check:lintscripttype(NODE-xxxx)[!]: descriptionfeat(NODE-1234)!: rewriting everything in coffeescript