[CDRIVER-4635] Speculative authentication state is incorrectly kept Created: 04/May/23 Updated: 28/Oct/23 Resolved: 05/May/23 |
|
| Status: | Closed |
| Project: | C Driver |
| Component/s: | None |
| Affects Version/s: | 1.23.3 |
| Fix Version/s: | 1.23.4 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Andreas Braun | Assignee: | Andreas Braun |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Case: | (copied to CRM) | ||||||||||||
| Description |
|
The topology scanner does not correctly reset authentication status when using speculative authentication. This affects single-threaded mode only, where authentication is done on the monitoring connection, which is also used for data. When resetting auth state, the previous result of a speculative authentication is not cleared. On subsequent handshakes, the previous authentication result is re-used. For SCRAM authentication, the conversation will be continued and will fail due to an outdated result. For X.509 however, the stale result means that the client will incorrectly assume the connection to be authenticated, while the server rejects any commands due to missing authentication. The fix should be backported to 1.23 to allow the PHP team to fix this in the current stable release. |
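The failure mode in the description, reduced to a small state model. This is an added example, not libmongoc code: `node_t`, `handshake`, `reset_buggy`, `reset_fixed` and `stale_after_reconnect` are hypothetical names, and the stored reply is a constructed stand-in for the server's speculative authentication result.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of one scanner node; not libmongoc's real struct. */
typedef struct {
    bool connected;      /* a stream to the server exists */
    bool authenticated;  /* client-side belief that auth completed */
    bool has_spec_reply; /* a speculative authentication result is stored */
    char spec_reply[16]; /* constructed stand-in for the server's reply */
} node_t;

/* Handshake on a fresh stream. server_authenticates models whether the
 * server returned a speculative authentication result for THIS stream. */
static void handshake(node_t *n, bool server_authenticates) {
    n->connected = true;
    if (server_authenticates) {
        n->has_spec_reply = true;
        snprintf(n->spec_reply, sizeof n->spec_reply, "%s", "x509-ok");
    }
    /* The client trusts whatever result is stored on the node. */
    n->authenticated = n->has_spec_reply;
}

/* Reset as described in the report: the stored result survives. */
static void reset_buggy(node_t *n) {
    n->connected = false;
    n->authenticated = false;
}

/* Reset that also clears the previous speculative result. */
static void reset_fixed(node_t *n) {
    reset_buggy(n);
    n->has_spec_reply = false;
    memset(n->spec_reply, 0, sizeof n->spec_reply);
}

/* True if the client believes a new, unauthenticated stream is authenticated. */
static bool stale_after_reconnect(void (*reset)(node_t *)) {
    node_t n = {0};
    handshake(&n, true);  /* first stream: speculative auth succeeds */
    reset(&n);            /* stream dropped, auth state reset */
    handshake(&n, false); /* new stream: server returns no auth result */
    return n.authenticated;
}

int main(void) {
    printf("buggy reset: stale=%d\n", stale_after_reconnect(reset_buggy));
    printf("fixed reset: stale=%d\n", stale_after_reconnect(reset_fixed));
    return 0;
}
```

A regression test for this class of bug asserts on client-side auth state after a forced reconnect, in addition to checking that the first handshake succeeds.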
| Comments |
| Comment by Githook User [ 09/May/23 ] |
|
Author: {'name': 'Jeremy Mikola', 'email': 'jmikola@gmail.com', 'username': 'jmikola'} Message: Includes |
| Comment by Githook User [ 05/May/23 ] |
|
Author: {'name': 'Andreas Braun', 'email': 'alcaeus@users.noreply.github.com', 'username': 'alcaeus'} Message:
`mongoc_topology_scanner_node_disconnect` sets `stream` to NULL. That will result in the stream being recreated and state being reset in `mongoc_topology_scanner_node_setup`
This previously passed because SCRAM would fail speculativeAuthentication and restart the authentication steps. The restart would use the SCRAM cache. Now speculativeAuthentication succeeds. speculativeAuthentication in the topology scanner does not use the SCRAM cache (refer: CDRIVER-3642). This does not result in the expected error.
--------- Co-authored-by: Kevin Albertson <kevin.albertson@mongodb.com> |
| Comment by Githook User [ 05/May/23 ] |
|
Author: {'name': 'Andreas Braun', 'email': 'alcaeus@users.noreply.github.com', 'username': 'alcaeus'} Message:
`mongoc_topology_scanner_node_disconnect` sets `stream` to NULL. That will result in the stream being recreated and state being reset in `mongoc_topology_scanner_node_setup`
This previously passed because SCRAM would fail speculativeAuthentication and restart the authentication steps. The restart would use the SCRAM cache. Now speculativeAuthentication succeeds. speculativeAuthentication in the topology scanner does not use the SCRAM cache (refer: CDRIVER-3642). This does not result in the expected error.
--------- Co-authored-by: Kevin Albertson <kevin.albertson@mongodb.com> |
| Comment by Andreas Braun [ 04/May/23 ] |