Hi,

I am using the Globus GSSAPI libraries for authentication in my client-server application. In general it works, but from time to time the authentication begins to fail, and the program resumes normal operation only after a server restart. I have not yet been able to understand the causes of the problem, and at the moment I cannot show you the piece of code which always fails (or better works :-) ), which is why my explanations may seem vague; please excuse me for that.

The problem is that sometimes on the server side "gss_accept_sec_context()" returns 'GSS_S_COMPLETE' while "gss_init_sec_context()" on the client side still waits for input. So on the client side I have "gss_init_sec_context()", which returned GSS_S_CONTINUE_NEEDED, and on the server side I have nothing to send to the client (since the server has finished authentication and returned GSS_S_COMPLETE).

The lengths of the challenge-response messages in the case of *successful* authentication look like this:

    client SENDS 53 bytes
    client GETS 10 bytes
    client SENDS 106 bytes
    client GETS 804 bytes
    client SENDS 1500 bytes
    client GETS 71 bytes
    client SENDS 26 bytes

At this point "gss_init_sec_context" returns GSS_S_COMPLETE, and if on the server side "gss_accept_sec_context" also returns GSS_S_COMPLETE (after 'processing' the last 26 bytes) I consider the mutual authentication complete.

When the problem comes around, the messages have similar lengths, but "gss_accept_sec_context" returns 'GSS_S_COMPLETE' after receiving 1500 bytes (and the client at that point still waits for input).

To me, it looks like the failures are caused because "gss_accept_sec_context" doesn't 'understand' that the client has required mutual authentication (although 'GSS_C_MUTUAL_FLAG' has been passed to "gss_init_sec_context"), but that is just an assumption.

I would be thankful for any hints or suggestions; please do not hesitate to request additional information.

Thank you very much for your help,
Artem.
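
An added example, not part of the original message and not Globus code: a self-contained C model of the token loop described above, in which each side's calls are replaced by scripted (status, token length) pairs built from the lengths quoted in the post, so the "server done, client still waiting" state is classified explicitly. The enum, struct and function names are assumptions of this example, not GSS-API identifiers.

```c
#include <stdio.h>
#include <stddef.h>

/* Assumed stand-ins for the two GSS-API major status values in the post. */
enum status { S_COMPLETE, S_CONTINUE_NEEDED };
enum hs_result { HS_OK, HS_ACCEPTOR_DONE_EARLY, HS_ERROR };

/* One scripted call: returned status and length of the output token. */
struct step { enum status st; size_t out_len; };

/* Constructed scripts using the message lengths quoted in the post. */
const struct step client[]  = { {S_CONTINUE_NEEDED, 53}, {S_CONTINUE_NEEDED, 106},
                                {S_CONTINUE_NEEDED, 1500}, {S_COMPLETE, 26} };
const struct step srv_ok[]  = { {S_CONTINUE_NEEDED, 10}, {S_CONTINUE_NEEDED, 804},
                                {S_CONTINUE_NEEDED, 71}, {S_COMPLETE, 0} };
const struct step srv_bad[] = { {S_CONTINUE_NEEDED, 10}, {S_CONTINUE_NEEDED, 804},
                                {S_COMPLETE, 0} };  /* done after the 1500 bytes */

/* Alternate initiator and acceptor calls and classify how the loop ends. */
enum hs_result run_handshake(const struct step *init, size_t ni,
                             const struct step *acc, size_t na)
{
    enum status ist, ast = S_CONTINUE_NEEDED;
    size_t i = 0, a = 0, tok;

    for (;;) {
        if (i == ni) return HS_ERROR;             /* script ran out */
        ist = init[i].st; tok = init[i].out_len; i++;
        if (tok == 0)                             /* nothing for the acceptor */
            return (ist == S_COMPLETE && ast == S_COMPLETE) ? HS_OK : HS_ERROR;
        if (ast == S_COMPLETE) return HS_ERROR;   /* token for a finished acceptor */

        if (a == na) return HS_ERROR;
        ast = acc[a].st; tok = acc[a].out_len; a++;
        if (tok == 0) {                           /* nothing for the initiator */
            if (ast != S_COMPLETE) return HS_ERROR;
            /* The state described in the post: server done, client waiting. */
            return ist == S_COMPLETE ? HS_OK : HS_ACCEPTOR_DONE_EARLY;
        }
        if (ist == S_COMPLETE) return HS_ERROR;   /* token for a finished initiator */
    }
}

int main(void)
{
    printf("normal run:  %d\n", run_handshake(client, 4, srv_ok, 4));
    printf("failing run: %d\n", run_handshake(client, 4, srv_bad, 3));
    return 0;
}
```

In a real token loop the equivalent check is to treat "acceptor returned complete with no output token while the initiator last returned GSS_S_CONTINUE_NEEDED" as a failed handshake and log it, rather than blocking on a read that will never be satisfied.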
