[krbdev.mit.edu #2212] GSS vs SSPI Interop Testing

Jeffrey Altman via RT rt-comment at krbdev.mit.edu
Fri Feb 6 10:38:21 EST 2004


Back in August 1999, Martin Rex identified an interoperability problem
between MIT Kerberos 5's GSSAPI implementation and the Kerberos SSPI
implemented by Microsoft.

In particular, there is a problem with an MIT client and SSPI server
when the client specifies GSS_C_INTEG_FLAG and GSS_C_CONF_FLAG but
neither GSS_C_REPLAY_FLAG nor GSS_C_SEQUENCE_FLAG is set.  In this case, if
messages are sent out-of-order by MIT clients, these messages can NOT be
unwrapped/verified by the SSPI server side.  An out-of-sequence error
will be returned.

This interop problem is clearly Microsoft's.  However, our GSS Sample
App which is used for testing does not provide the ability to select the
set of GSS_C_ flags which will be used.  The client app always sends
GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG.  The GSS_C_SEQUENCE_FLAG is never
set and the combinations (MUTUAL | REPLAY | SEQUENCE), (MUTUAL |
SEQUENCE), (REPLAY | SEQUENCE), and (SEQUENCE) cannot be tested.

I propose adding GSS_C_SEQUENCE_FLAG to the default set of flags and
providing both a "-ns" (no sequence) switch and a "-nu" (no mutual)
switch on the client and server to disable the use of the
GSS_C_SEQUENCE_FLAG and GSS_C_MUTUAL_FLAG.

This work would be beneficial for the on-going CFX testing.
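The flag selection the ticket proposes, written out as an added example; this is not MIT's gss-sample code and not part of the ticket. It assumes the GSS-API C-binding request-flag bit values from RFC 2744 (defined inline so the file builds without the GSS-API headers; a real sample client would include `<gssapi/gssapi.h>` instead) and adds one hypothetical switch, `-nr` (no replay), that the ticket does not propose, so that the (MUTUAL | SEQUENCE) and (SEQUENCE) combinations listed above can also be reached. The second function is a defender-side sanity check for the exact combination the ticket describes as failing against the SSPI server: integrity or confidentiality requested without either replay detection or sequencing.

```c
/* Added example: request-flag selection for a GSS sample client along the
 * lines proposed in krbdev.mit.edu #2212.  Not the MIT gss-sample source. */
#include <stdio.h>
#include <string.h>

/* Assumed: RFC 2744 request-flag bit values, defined here so the example
 * compiles stand-alone.  A real client would include <gssapi/gssapi.h>. */
#define GSS_C_MUTUAL_FLAG   2
#define GSS_C_REPLAY_FLAG   4
#define GSS_C_SEQUENCE_FLAG 8
#define GSS_C_CONF_FLAG     16
#define GSS_C_INTEG_FLAG    32

typedef unsigned int OM_uint32;

/* Proposed default: the existing MUTUAL | REPLAY plus SEQUENCE. */
#define SAMPLE_DEFAULT_FLAGS \
    (GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG)

/* Compute req_flags for gss_init_sec_context() from argv.
 * "-ns" drops GSS_C_SEQUENCE_FLAG, "-nu" drops GSS_C_MUTUAL_FLAG (as proposed).
 * "-nr" (hypothetical, not in the ticket) drops GSS_C_REPLAY_FLAG so the
 * remaining combinations in the ticket can be exercised too. */
OM_uint32 sample_req_flags(int argc, char **argv)
{
    OM_uint32 flags = SAMPLE_DEFAULT_FLAGS;
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-ns") == 0)
            flags &= ~(OM_uint32)GSS_C_SEQUENCE_FLAG;
        else if (strcmp(argv[i], "-nu") == 0)
            flags &= ~(OM_uint32)GSS_C_MUTUAL_FLAG;
        else if (strcmp(argv[i], "-nr") == 0)   /* hypothetical switch */
            flags &= ~(OM_uint32)GSS_C_REPLAY_FLAG;
        /* other options are left to the rest of the sample's parser */
    }
    return flags;
}

/* Returns 1 for the combination the ticket reports as failing against the
 * SSPI acceptor: INTEG and/or CONF requested while neither REPLAY nor
 * SEQUENCE is, so out-of-order messages cannot be unwrapped there. */
int sspi_out_of_order_risk(OM_uint32 flags)
{
    int protected_msgs = (flags & (GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG)) != 0;
    int ordered = (flags & (GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG)) != 0;
    return protected_msgs && !ordered;
}

/* Human-readable rendering of a flag word for the test log. */
void sample_print_flags(OM_uint32 flags)
{
    printf("req_flags=0x%02x:%s%s%s%s%s\n", flags,
           (flags & GSS_C_MUTUAL_FLAG)   ? " MUTUAL"   : "",
           (flags & GSS_C_REPLAY_FLAG)   ? " REPLAY"   : "",
           (flags & GSS_C_SEQUENCE_FLAG) ? " SEQUENCE" : "",
           (flags & GSS_C_CONF_FLAG)     ? " CONF"     : "",
           (flags & GSS_C_INTEG_FLAG)    ? " INTEG"    : "");
}

int main(int argc, char **argv)
{
    OM_uint32 flags = sample_req_flags(argc, argv);
    sample_print_flags(flags);
    /* A sample client wraps with conf/integ; warn if the negotiated set
     * would hit the SSPI out-of-sequence failure on reordered messages. */
    if (sspi_out_of_order_risk(flags | GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG))
        printf("warning: no replay/sequence flag; out-of-order messages "
               "will fail unwrap/verify on an SSPI acceptor\n");
    return 0;
}
```

Run as `./gss-client-flags -ns -nu` to see the (REPLAY) combination, or with the hypothetical `-nr -ns` to reach (MUTUAL) alone; the risk check only ever fires once replay detection is also dropped, which is exactly why the ticket's default set keeps GSS_C_REPLAY_FLAG.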
