Bug 5453 - gss_unwrap() fails when it should not
Status: RESOLVED FIXED
Product: GSI C
Component: Authentication
Version: 4.0.1
Platform: PC Linux
Importance: P3 major
Target Milestone: 4.0.6
Reported: 2007-07-20 08:08
Modified: 2008-08-11 15:19

Description From 2007-07-20 08:08:07
gss_unwrap() uses SSL_get_error() to determine if a call to SSL_read() failed
because of an EOF or for some other reason, returning an error in the second
case.

Unfortunately, SSL_get_error() documentation says: "The current thread's error
queue must be empty before the TLS/SSL I/O operation is attempted, or
SSL_get_error() will not work reliably."  gss_unwrap() does nothing to ensure
that the error stack is empty before calling SSL_read(), and this does indeed
cause failures which should not be there.

It is unreasonable to expect the callers to call ERR_clear_error() before
gss_unwrap(), since gss should hide the underlying mechanism, and so this should
be done by gss_unwrap().

This problem has also been verified in GT 2.4.3.

Patches for both GT2.4.3 and GT4.0.1 are needed for the EGEE project.
------- Comment #1 From 2007-07-26 12:16:48 -------
I've uploaded a proposed patch to the globus_gssapi_gsi package to
http://dev.globus.org/images/4/49/Bug5453.diff

This patch is against the GT 4.0 branch. Let me know if there are issues
applying it to the older versions of the toolkit you are using and whether it
addresses your issue.

joe
------- Comment #2 From 2007-08-08 13:38:14 -------
The proposed patch has been committed to CVS.
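
The failure mode from the description, as an added example that is not part of the bug report, the Globus patch, or OpenSSL. It is a simplified C model in which every function and type name is hypothetical: a classifier that, like SSL_get_error(), consults the error queue first, run against a clean EOF with a stale queue entry, with and without the wrapper clearing the queue itself.

```c
/* Added model, not OpenSSL or Globus code; every name here is hypothetical. */
#include <stdio.h>

enum io_class { IO_DATA, IO_EOF, IO_ERROR };

/* Stand-in for OpenSSL's error queue (per-thread in the real library). */
static int err_queue[8];
static int err_count;
static void push_error(int code) { if (err_count < 8) err_queue[err_count++] = code; }
static void clear_errors(void) { err_count = 0; }    /* role of ERR_clear_error() */

/* Constructed connection: bytes the next read yields (0 = peer closed),
 * or a non-zero fail_code to simulate a genuine failure during the read. */
struct conn { int pending; int fail_code; };

static int model_read(struct conn *c) {               /* role of SSL_read() */
    if (c->fail_code) { push_error(c->fail_code); return -1; }
    return c->pending;
}

/* Role of SSL_get_error(): for ret <= 0 any queued entry is taken to
 * belong to this call, so a stale entry is reported as a failure. */
static enum io_class classify(int ret) {
    if (ret > 0) return IO_DATA;
    if (err_count > 0) return IO_ERROR;
    return ret == 0 ? IO_EOF : IO_ERROR;
}

/* Shape the report describes: nothing empties the queue before the read. */
enum io_class unwrap_unpatched(struct conn *c) { return classify(model_read(c)); }
/* Remedy the report asks for: the wrapper empties the queue itself. */
enum io_class unwrap_clearing(struct conn *c) {
    clear_errors();
    return classify(model_read(c));
}

/* An earlier, unrelated failure leaves an entry; then the peer closes cleanly. */
enum io_class eof_after_stale_error(int clearing) {
    struct conn c = { 0, 0 };
    clear_errors();
    push_error(42);                                    /* constructed stale code */
    return clearing ? unwrap_clearing(&c) : unwrap_unpatched(&c);
}
/* A genuine failure raised during the read must survive the clearing. */
enum io_class genuine_failure_with_clearing(void) {
    struct conn c = { 0, 7 };                          /* constructed failure code */
    return unwrap_clearing(&c);
}
int main(void) {
    printf("stale, no clearing: %d; stale, clearing: %d; genuine: %d\n",
           eof_after_stale_error(0), eof_after_stale_error(1), genuine_failure_with_clearing());
    return 0;
}
```

Clearing before the read only discards entries left by earlier calls; an error raised by the read itself is queued afterwards and is still reported.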