Bugzilla – Bug 5453
gss_unwrap() fails when it should not
Last modified: 2008-08-11 15:19:47
gss_unwrap() uses SSL_get_error() to determine if a call to SSL_read() failed because of an EOF or for some other reason, returning an error in the second case. Unfortunately, the SSL_get_error() documentation says: "The current thread's error queue must be empty before the TLS/SSL I/O operation is attempted, or SSL_get_error() will not work reliably."

gss_unwrap() does nothing to ensure that the error stack is empty before calling SSL_read(), and this does indeed cause failures which should not be there. It is unreasonable to expect the callers to call ERR_clear_error() before gss_unwrap(), since gss should hide the underlying mechanism, and so this should be done by gss_unwrap().

This problem has also been verified in GT 2.4.3. Patches for both GT2.4.3 and GT4.0.1 are needed for the EGEE project.
I've uploaded a proposed patch to the globus_gssapi_gsi package to http://dev.globus.org/images/4/49/Bug5453.diff

This patch is against the GT 4.0 branch. Let me know if there are issues applying it to the older versions of the toolkit you are using and whether it addresses your issue.

joe
The proposed patch has been committed to CVS.
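
The failure mode in the report, and the effect of clearing the queue before each read, as an added example that is not part of the original bug thread or of the Globus patch. It is a self-contained C model: `model_read`, `model_get_error`, `model_clear_error` and `model_unwrap` are hypothetical stand-ins for SSL_read(), SSL_get_error(), ERR_clear_error() and gss_unwrap(), and the queued error code is constructed.

```c
#include <stdio.h>
#include <stddef.h>

/* Model only: stand-ins for OpenSSL's error queue, SSL_read() and
 * SSL_get_error(). None of this is OpenSSL or Globus code. */
enum { MODEL_NONE, MODEL_SSL, MODEL_ZERO_RETURN }; /* cf. SSL_ERROR_* */
enum { UNWRAP_EOF, UNWRAP_FAILURE };
/* One queue is enough here; OpenSSL keeps one per thread. */
static unsigned long err_queue[8];
static size_t err_count;
/* An unrelated call that failed earlier and left its error queued. */
static void model_push_error(unsigned long code) {
    if (err_count < 8) err_queue[err_count++] = code;
}
/* Stand-in for ERR_clear_error(). */
static void model_clear_error(void) { err_count = 0; }

/* Stand-in for SSL_read(): returns 0 at end of input, queues no error. */
static int model_read(const char **src, size_t *left, char *buf, size_t len) {
    size_t n = *left < len ? *left : len;
    for (size_t i = 0; i < n; i++) buf[i] = (*src)[i];
    *src += n; *left -= n;
    return (int)n;
}

/* Stand-in for SSL_get_error(): on ret <= 0 the queue is consulted first. */
static int model_get_error(int ret) {
    if (ret > 0) return MODEL_NONE;
    if (err_count > 0) return MODEL_SSL; /* stale entry blamed on this read */
    return MODEL_ZERO_RETURN;
}

/* Hypothetical unwrap loop; clear_first selects the behaviour asked for. */
static int model_unwrap(const char *data, size_t len, int clear_first) {
    char buf[4];
    int ret;
    do {
        if (clear_first) model_clear_error();
        ret = model_read(&data, &len, buf, sizeof buf);
    } while (ret > 0);
    return model_get_error(ret) == MODEL_ZERO_RETURN ? UNWRAP_EOF : UNWRAP_FAILURE;
}

int main(void) {
    model_push_error(0x1234UL); /* constructed stale error */
    int stale = model_unwrap("hello", 5, 0);
    int fixed = model_unwrap("hello", 5, 1);
    printf("without clear: %d, with clear: %d\n", stale, fixed);
}
```

In real code the same placement applies: the clear belongs inside the wrapper, immediately before the I/O call whose result is then passed to SSL_get_error().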