From: Daniel Gryniewicz [mailto:dang@redhat.com]
On 10/29/19 7:58 PM, Frank Filz wrote:
> I made some progress on the Kerberos stuff.
>
> For Integrity, Daniel’s fix didn’t quite work because it didn’t
> account for the length of the mic token length field…
>
> Instead of doing a SETPOS, I fixed up the xdrs directly with the tail
> of the last buffer.
>
> I also re-organized the xdr_iov for XDR_ALLOCHDR to explicitly have a
> buffer for the length field (which is not part of the gss_iov). This
> makes the debug code work better.
>
> Now krb5 and krb5i work, but krb5p doesn’t work, so a bit more debug
> to figure out what’s wrong there. I suspect a similar problem with the
> length of the output, but it needs to be fixed up a little differently.
>
> Frank
>
Yeah, this gets you back to the fix I had at Bakeathon. It used the tail, too, but
didn't account for multiple buffers (and so didn't work for krb5p).

The fix ended up being Daniel's, except we needed to initialize totlen to start before
start was modified (and then not use start when doing the SETPOS - late breaking
change...). A fix I had put in to make debugging look nicer also turns out to be important
for integrity. The xdr stream for integrity has a length of the token field that is not
part of the gss information, and so the totlen computed by Daniel's initial patch was
4 short. By making an explicit element of the xdr_vio vector for this length, it easily
allows that length to be considered in totlen as well as making the debug look a bit
nicer. The resulting VIO_TRAILER_LEN buffer then changes meaning to be used to hold this
length but is not included in the gss_iov.
Frank
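
The 4-byte shortfall described in this thread can be reproduced with a small model. This is an added example, not code from ntirpc or from the patches discussed; the segment kinds, struct and function names, and buffer sizes are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical segment kinds for illustration; not ntirpc's definitions. */
enum seg_kind { SEG_DATA, SEG_MIC_LEN, SEG_MIC };
struct seg { enum seg_kind kind; const uint8_t *base; size_t len; };

/* Constructed sample: two data buffers, the 4-byte XDR length, a 28-byte MIC. */
static const uint8_t d0[8], d1[12], mic[28];
static const uint8_t mic_len[4] = { 0, 0, 0, 28 };  /* big-endian 28 */
static const struct seg sample[] = {
    { SEG_DATA, d0, sizeof d0 }, { SEG_DATA, d1, sizeof d1 },
    { SEG_MIC_LEN, mic_len, sizeof mic_len }, { SEG_MIC, mic, sizeof mic },
};
#define SAMPLE_N (sizeof sample / sizeof sample[0])

/* Bytes handed to GSS: the XDR length word is not part of that vector. */
size_t gss_total(const struct seg *v, size_t n)
{
    size_t t = 0;
    for (size_t i = 0; i < n; i++)
        if (v[i].kind != SEG_MIC_LEN) t += v[i].len;
    return t;
}

/* Copy every segment into out, as the stream sees it.
 * Returns the end position, or 0 if out is too small. */
size_t flatten(const struct seg *v, size_t n, uint8_t *out, size_t cap)
{
    size_t pos = 0;
    for (size_t i = 0; i < n; i++) {
        if (v[i].len > cap - pos) return 0;
        memcpy(out + pos, v[i].base, v[i].len);
        pos += v[i].len;
    }
    return pos;
}

size_t sample_stream_len(void) { uint8_t out[64]; return flatten(sample, SAMPLE_N, out, sizeof out); }
size_t sample_gss_len(void) { return gss_total(sample, SAMPLE_N); }

int main(void)
{
    printf("stream=%zu gss=%zu short=%zu\n", sample_stream_len(),
           sample_gss_len(), sample_stream_len() - sample_gss_len());
    return 0;
}
```

A stream position set from the GSS-only total lands 4 bytes before the real end of the encoded data, which is why giving the length word its own vector element lets it be counted.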