
SEAM client's sequence number



I've been working on implementing RPCSEC_GSS for our NFS server, but I
have some trouble with the GSS token sent by the NFS client, which runs
on SunOS 5.9 on i386.

Specifically, gss_accept_sec_context() accepting the GSS token from the
client succeeds, but gss_verify_mic() and gss_unwrap() fail at checking
the remote sequence number.  I traced through gss_accept_sec_context()
in the following series of calls:

    accept_sec_context.c:gss_accept_sec_context()
      rd_req.c:krb5_rd_req()
        rd_req.c:krb5_verify_ap_req()
          rd_req.c:krb5_verify_ap_req2()
            rd_req.c:decrypt_authenticator()
              codec.c:krb5_decode_Authenticator()
                asn1_Authenticator.c:decode_Authenticator()

and figured that in the last call, when it's trying to get the sequence
number, it reaches the end of the buffer and doesn't get the sequence number.

In RFC 1964, Section 1.1.1, it clearly states that "the authenticator
shall include the optional sequence number."  So it seems the SEAM
client is in clear violation of the RFC?  Has anyone run into this
problem before?  Any suggestions?  Thanks in advance!

Zi-Bin Yang
DECRU, INC.
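
An added example, not part of the original post and not Heimdal or SEAM code: a small DER walker that reports whether a decrypted Kerberos Authenticator carries the optional seq-number field (context tag [7]), which is the condition the message describes. The function names and the sample bytes are constructed for illustration; it assumes the decrypted Authenticator encoding is already in hand.

```python
def read_tlv(buf, off):
    """Return (tag, value, next_offset) for the DER TLV starting at off."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        if n == 0 or off + n > len(buf):
            raise ValueError("bad DER length")
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, buf[off:off + length], off + length

def authenticator_fields(der):
    """Map context tag number -> raw contents for each field actually present."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x62:                         # [APPLICATION 2], constructed
        raise ValueError("not an Authenticator")
    tag, seq, _ = read_tlv(body, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    fields, off = {}, 0
    while off < len(seq):
        tag, val, off = read_tlv(seq, off)
        if tag & 0xE0 != 0xA0:              # context-specific, constructed
            raise ValueError("unexpected tag 0x%02x" % tag)
        fields[tag & 0x1F] = val
    return fields

def seq_number(der):
    """Return seq-number [7] as an int, or None when the optional field is absent."""
    inner = authenticator_fields(der).get(7)
    if inner is None:
        return None
    tag, val, _ = read_tlv(inner, 0)
    if tag != 0x02:
        raise ValueError("seq-number is not an INTEGER")
    return int.from_bytes(val, "big")

def tlv(tag, value):                        # sample encoder; values here are < 128 bytes
    return bytes([tag, len(value)]) + value

def sample(with_seq):                       # constructed Authenticator, not captured traffic
    name = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x01")) + tlv(0xA1, tlv(0x30, tlv(0x1B, b"nfs"))))
    parts = [tlv(0xA0, tlv(0x02, b"\x05")), tlv(0xA1, tlv(0x1B, b"EXAMPLE.COM")), tlv(0xA2, name),
             tlv(0xA4, tlv(0x02, b"\x00")), tlv(0xA5, tlv(0x18, b"20030101000000Z"))]
    if with_seq:
        parts.append(tlv(0xA7, tlv(0x02, b"\x12\x34")))
    return tlv(0x62, tlv(0x30, b"".join(parts)))
```

`seq_number(sample(False))` returns `None`, the case where the decoder reaches the end of the SEQUENCE without finding field [7].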