Bugzilla – Bug 5453
gss_unwrap() fails when it should not
Last modified: 2008-08-11 15:19:47
gss_unwrap() uses SSL_get_error() to determine if a call to SSL_read() failed
because of an EOF or for some other reason, returning an error in the second
Unfortunately, SSL_get_error() documentation says: "The current thread's error
queue must be empty before the TLS/SSL I/O operation is attempted, or
SSL_get_error() will not work reliably." gss_unwrap() does nothing to ensure
that the error stack is empty before calling SSL_read(), and this does indeed
cause failures which should not be there.
It is unreasonable to expect the callers to call ERR_clear_error() before
gss_unwrap(), since gss should hide the underlying mechanism, and so this should
be done by gss_unwrap().
This problem has also been verified in GT 2.4.3
Patches for both GT2.4.3 and GT4.0.1 are needed for the EGEE project.
I've uploaded a proposed patch to the globus_gssapi_gsi package to
This patch is against the GT 4.0 branch. Let me know if there are issues
applying it to the older versions of the toolkit you are using and whether it
addresses your issue.
The proposed patch has been committed to CVS.