
SASL security layers



I'm trying to add a confidentiality layer to Digest SASL mechanism. In the
process, some questions arose.

RFC 2222 says:

   "If use of a security layer is negotiated, it is applied to all
   subsequent data sent over the connection.  The security layer takes
   effect immediately following the last response of the authentication
   exchange for data sent by the client and the completion indication
   for data sent by the server.  Once the security layer is in effect,
   the protocol stream is processed by the security layer into buffers
   of cipher-text.  Each buffer is transferred over the connection as a
   stream of octets prepended with a four octet field in network byte
   order that represents the length of the following buffer.  The length
   of the cipher-text buffer must be no larger than the maximum size
   that was defined or negotiated by the other side."

When applied to GSS mechanisms, the following issue arises. My data stream
looks like this:

	4 byte count
	App protocol data unit (APDU)
	padding to cipher block size
	GSS mechanism trailer

All three of those are variable length. (There is a slight constraint on the
padding -- the sum of the length of the APDU and the padding is 0 mod the
cipher block size.) How does one locate:
1. The start of the padding
2. The start of the trailer
3. The start of the next buffer

Can anyone tell me how this is supposed to work?

Paul

PS: It would be much more convenient if the data stream looked like:

	4 byte count
	App protocol data unit (APDU)
	padding to cipher block size
	4 byte trailer size
	GSS mechanism trailer
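The framing rule quoted from RFC 2222 above (a four-octet network-byte-order count, then a cipher-text buffer no larger than the negotiated maximum) is the only part of the layout the post pins down, so the example below is limited to it. It is an added illustration, not code from the original post or from any SASL implementation: `frame`, `Deframer`, `split_trailer` and the `MAX_BUFFER` value are assumptions chosen for the example. The trailer layout inside the buffer is mechanism-specific; the code only shows that, once the count gives the end of the buffer, a trailer of a size the mechanism knows can be located by counting back from that end, while the padding boundary is only recoverable after decryption and is left alone here.

```python
import struct

# Assumed negotiated maximum; a real value comes from the mechanism's
# security-layer negotiation, not from this constant.
MAX_BUFFER = 65536


def frame(ciphertext: bytes, max_size: int = MAX_BUFFER) -> bytes:
    """Prepend the four-octet network-byte-order length required by RFC 2222.

    Refuses to emit a buffer larger than the maximum the peer negotiated,
    since the receiver is entitled to drop the connection if we do.
    """
    if len(ciphertext) > max_size:
        raise ValueError(
            f"cipher-text buffer of {len(ciphertext)} octets exceeds "
            f"negotiated maximum of {max_size}"
        )
    return struct.pack("!I", len(ciphertext)) + ciphertext


class Deframer:
    """Incremental parser for the length-prefixed stream.

    feed() accepts stream data in arbitrary chunk sizes (a buffer may
    arrive split across several reads, or several buffers in one read)
    and returns every complete cipher-text buffer found so far.
    """

    def __init__(self, max_size: int = MAX_BUFFER) -> None:
        self.max_size = max_size
        self.pending = b""

    def feed(self, data: bytes) -> list[bytes]:
        self.pending += data
        buffers = []
        while len(self.pending) >= 4:
            (length,) = struct.unpack("!I", self.pending[:4])
            # Check the announced length against the negotiated maximum
            # *before* waiting for the payload, so a peer cannot make us
            # accumulate up to 4 GiB on the strength of one header.
            if length > self.max_size:
                raise ValueError(
                    f"peer announced {length}-octet buffer, "
                    f"negotiated maximum is {self.max_size}"
                )
            if len(self.pending) < 4 + length:
                break  # header seen, payload not complete yet
            buffers.append(self.pending[4:4 + length])
            self.pending = self.pending[4 + length:]
        return buffers


def split_trailer(buffer: bytes, trailer_len: int) -> tuple[bytes, bytes]:
    """Separate a fixed-size mechanism trailer from the rest of a buffer.

    trailer_len is whatever the particular mechanism defines (assumed
    known here); the returned head still contains APDU plus padding,
    which only the mechanism can split after decryption.
    """
    if trailer_len < 0 or len(buffer) < trailer_len:
        raise ValueError("buffer shorter than the mechanism trailer")
    cut = len(buffer) - trailer_len
    return buffer[:cut], buffer[cut:]


if __name__ == "__main__":
    # Constructed sample: two opaque "cipher-text" buffers sent back to back,
    # delivered to the receiver in awkward chunk boundaries.
    wire = frame(b"first-buffer") + frame(b"second")
    rx = Deframer()
    got = rx.feed(wire[:7]) + rx.feed(wire[7:20]) + rx.feed(wire[20:])
    print(got)
    print(split_trailer(got[0], 4))
```

`Deframer` keeps the same instance across reads, so the caller can hand it whatever `recv()` returns and act on each buffer it yields; the size check on the announced length, not on the data received, is the part worth copying.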