Type: Bug
Resolution: Gone away
Priority: Unknown
Affects Version/s: kerberos-2.2.0
Component/s: kerberos
Use Case
As a... kerberos client application
I want... to wrap/encrypt data for transmission (not just a user/authentication challenge)
So that... it can be transmitted securely to a server
User Experience
Today, the kerberos wrap function works fine when we are only sending user authentication data, as in mongodb.js:
auth.client.wrap(response, { user:auth.username }, ...)
However, if we try to wrap any other data, the implementation discards the payload and wraps only an empty string. This is because the C++ code interprets a null/undefined user value as an empty string, and a pointer to an empty string is non-null and therefore truthy in C++.

    // This code sets the input_token to the challenge payload
    if (challenge && *challenge) {
        size_t len;
        input_token.value = base64_decode(challenge, &len);
        input_token.length = len;
    }

    // This will always be true and replaces the input_token with the user
    // Replace with: if (user && *user)
    if (user) {
        ((char*)input_token.value)[0] = 0;
        buf_size = ntohl(*((long*)input_token.value));
        free(input_token.value);
        ...
    }
Again, this doesn't impact the use of the function for authentication, but does mean that it's useless for the broader purpose of GSS wrapping/encrypting data.
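The following is an added illustration, not code from the kerberos module: it models the wrap dispatch above with a constructed token buffer and shows how the `if (user)` check throws the payload away once JavaScript `undefined` has been coerced to an empty C string, while `if (user && *user)` keeps the payload and still honours a real user name. The challenge/user values and the `coerce_user` helper are constructed stand-ins.

```cpp
#include <string>

// Constructed stand-in for the addon's input_token buffer.
struct Token {
    std::string value;  // bytes handed to GSS wrap (decoded challenge or user)
};

// Models how the addon sees the `user` option: JavaScript undefined is
// coerced to an empty C string, never to a null pointer (assumption based
// on the ticket's description of the C++ side).
static const char* coerce_user(bool user_provided, const char* user) {
    return user_provided ? user : "";
}

// Predicate currently in the addon: any non-null pointer is truthy.
static bool buggy_user_present(const char* user) {
    return user != nullptr;
}

// Predicate proposed in the ticket: pointer must be non-null AND non-empty.
static bool fixed_user_present(const char* user) {
    return user && *user;
}

// Simplified dispatch: start from the challenge payload, then let the
// predicate decide whether the user name replaces it, as the real code does.
static Token wrap_input(const char* challenge, const char* user,
                        bool (*user_present)(const char*)) {
    Token t;
    if (challenge && *challenge) t.value = challenge;  // payload to wrap
    if (user_present(user)) t.value = user;            // user overrides payload
    return t;
}

// Returns the payload that would actually be wrapped for a given call.
// `fixed` selects the proposed predicate instead of the current one.
std::string payload_wrapped(const char* challenge, bool user_provided,
                            const char* user, bool fixed) {
    const char* u = coerce_user(user_provided, user);
    return wrap_input(challenge, u,
                      fixed ? fixed_user_present : buggy_user_present).value;
}
```

With the current predicate a data-only call yields an empty payload; with the fixed predicate the data survives, and calls that do pass a user behave identically under both.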
Dependencies
None
Risks/Unknowns
There should be no impact to the use case where the user value is provided. That's the only use case that works today, anyway.
Acceptance Criteria
Implementation Requirements
Callers should be able to wrap payload data, not just a user.
Testing Requirements
Existing tests should validate that the user authentication use case does not fail. Not sure how, practically, to test wrapping other data in this system.
Documentation Requirements
None
Follow Up Requirements
None