Bug 5474 – gss_import_sec_context fails to restore client session keys

Bug 5474 - gss_import_sec_context fails to restore client session keys

Summary:

gss_import_sec_context fails to restore client session keys

Status:	RESOLVED FIXED

Product:	GSI C
Component:	Authentication
Version:	4.0.5
Platform:	All All

Importance:	P3 major
Target Milestone:	4.0.6
Assigned To:	Joe Bester

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2007-08-08 13:09 by Alain Roy
Modified:	2008-08-11 15:19 (History)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note

You need to log in before you can comment on or make changes to this bug.

Description From Alain Roy 2007-08-08 13:09:45

Hello,

I'm assisting EGEE with a bug fix they need for Globus in the VDT. I'm not an
expert on the problem, but I include their description below. They also have a
suggested patch that I will attach. 

My questions:

1) Do you see any reason that shouldn't apply this patch for the VDT build of
Globus? 

2) Can you accept this patch (or your own appropriate solution) for Globus in
the 4.0 branch?

The patch is being contributed from Krzysztof Nienartowicz
<Krzysztof.Nienartowicz@cern.ch>. He's on vacation, so his colleague described
it on his behalf:

>As far as I understand there is a new session key generated,
>when the session is restarted. At the end of the key negotiation
>there are basically two keys, one for the outgoing and one
>for the incoming communication.
>
>On the server and the client side these should be swapped,
>i.e. server's outgoing key is the client's incoming key.
>Unfortunately this was not swapped on the client side, so
>the communication couldn't restart after the session restart.
>
>As far as I understand Krzys' patch does this swap on the
>client side.

They classify this is moderately urgent, because the bug "was completely
preventing Krzysztof's code from using globus in his SSL session reuse code." I
plan to release an update to the VDT with this patch in the very near future
unless your expert eyes see a problem with it. 

Thanks,
Alain Roy, OSG Software Coordinator

------- Comment #1 From Alain Roy 2007-08-08 13:11:54 -------

I can't attach the patch because attachments have been disabled to deal with
spam. Therefore I have posted the patch at:

http://vdt.cs.wisc.edu/patches/proposed/2007-08-08.globus_i_gsi_gss_utils.diff

------- Comment #2 From Joe Bester 2007-08-08 15:37:30 -------

The patch doesn't compile--- extra ); in the second hunk.

After tweaking to compile, I wrote a small test program that confirms both the
bug and that the fix repairs it. Both are committed to CVS.

joe

------- Comment #3 From Alain Roy 2007-08-08 17:40:03 -------

Subject: Re:  Problem with session keys in
  globus_i_gsi_gss_utils.c

Joe--

That was incredibly fast response. Thank you!

-alain