Subject: GSS vs SSPI Interop Testing
Back in August 1999, Martin Rexx identified an interoperability problem
between MIT Kerberos 5's GSSAPI implementation and the Kerberos SSPI
implemented by Microsoft.

In particular, there is a problem with an MIT client and SSPI server
when the client specifies GSS_C_INTEG_FLAG and GSS_C_CONF_FLAG but
neither GSS_C_REPLAY_FLAG nor GSS_C_SEQUENCE_FLAG. In this case, if
messages are sent out-of-order by MIT clients, these messages can NOT be
unwrapped/verified by the SSPI server side. An out-of-sequence error
will be returned.

This interop problem is clearly Microsoft's. However, our GSS Sample
App which is used for testing does not provide the ability to select the
set of GSS_C_ flags which will be used. The client app always sends
GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG. The GSS_C_SEQUENCE_FLAG is never
set and the combinations (MUTUAL | REPLAY | SEQUENCE), (MUTUAL |
SEQUENCE), (REPLAY | SEQUENCE), and (SEQUENCE) cannot be tested.

I propose adding GSS_C_SEQUENCE_FLAG to the default set of flags and
providing both a "-ns" (no sequence) switch and a "-nu" (no mutual)
switch on the client and server to disable the use of the
GSS_C_SEQUENCE_FLAG and GSS_C_MUTUAL_FLAG.

This work would be beneficial for the on-going CFX testing.
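
The interop behaviour described in this ticket, as an added example (not code from MIT krb5, SSPI, or the gss-sample app): a simplified model of a receiver's per-message sequence check, comparing one that honours the negotiated flags with one that always enforces strict ordering. The `always_enforce` switch, the function names, the result codes and the delivery order are assumptions made for illustration; the flag bit values are those of RFC 2744.

```c
#include <stdint.h>
#include <stdio.h>
/* Context flag bit values from RFC 2744; defined here so no GSS library is needed. */
#define GSS_C_REPLAY_FLAG   4
#define GSS_C_SEQUENCE_FLAG 8
#define GSS_C_CONF_FLAG     16
#define GSS_C_INTEG_FLAG    32
enum seq_result { SEQ_OK, SEQ_DUPLICATE, SEQ_UNSEQ, SEQ_GAP }; /* model outcomes, not GSS status codes */
struct seq_state {
    uint32_t flags;     /* flags negotiated for the context */
    int always_enforce; /* hypothetical: 1 = demand strict order whatever the flags say */
    uint64_t next;      /* next expected sequence number */
    uint64_t seen;      /* bitmap of numbers already received (model handles 0..63) */
};

/* Check the sequence number n (0..63) of one incoming per-message token. */
enum seq_result seq_check(struct seq_state *s, unsigned n)
{
    int do_seq = s->always_enforce || (s->flags & GSS_C_SEQUENCE_FLAG);
    int do_replay = do_seq || (s->flags & GSS_C_REPLAY_FLAG);
    uint64_t bit = (uint64_t)1 << n;
    enum seq_result r = SEQ_OK;
    if (do_replay && (s->seen & bit))
        return SEQ_DUPLICATE;          /* same number seen twice */
    s->seen |= bit;
    if (do_seq && n != s->next)        /* ordering matters only with sequencing */
        r = (n > s->next) ? SEQ_GAP : SEQ_UNSEQ;
    if (n >= s->next)
        s->next = (uint64_t)n + 1;
    return r;
}

/* Number of messages in order[] that a receiver with these settings flags. */
int count_flagged(uint32_t flags, int always_enforce, const unsigned *order, int len)
{
    struct seq_state s = { flags, always_enforce, 0, 0 };
    int i, flagged = 0;
    for (i = 0; i < len; i++)
        flagged += seq_check(&s, order[i]) != SEQ_OK;
    return flagged;
}

int main(void)
{
    const unsigned order[] = { 0, 2, 1, 3 }; /* constructed out-of-order delivery */
    uint32_t f = GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG; /* the flag set from the ticket */
    printf("honours flags: %d flagged, always enforces: %d flagged\n",
           count_flagged(f, 0, order, 4), count_flagged(f, 1, order, 4));
    return 0;
}
```

With only CONF and INTEG negotiated, the flag-honouring receiver accepts the reordered messages, while the always-enforcing one flags two of the four.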
To: rt-comment@krbdev.mit.edu
Cc: krb5-prs@mit.edu
Subject: Re: [krbdev.mit.edu #2212] GSS vs SSPI Interop Testing
From: Sam Hartman <hartmans@mit.edu>
Date: Fri, 06 Feb 2004 11:36:39 -0500
RT-Send-Cc:
Why is this a 1.3.2 bug? I understand needing the code to be written
for 1.3.2, but it seems we're getting overly aggressive about which
changes we pull up to the branch.
From: jaltman@mit.edu
Subject: CVS Commit
2004-02-06 Jeffrey Altman <jaltman@mit.edu>

* Add new command line switches to the gss-client
to support the use of GSS_C_SEQUENCE_FLAG or to
disable the use of either GSS_C_MUTUAL_FLAG or
GSS_C_REPLAY_FLAG


To generate a diff of this commit:

cvs diff -r1.67 -r1.68 krb5/src/appl/gss-sample/ChangeLog
cvs diff -r1.6 -r1.7 krb5/src/appl/gss-sample/README
cvs diff -r1.25 -r1.26 krb5/src/appl/gss-sample/gss-client.c
From: jaltman@mit.edu
Subject: CVS Commit
* update usage() for gss-client


To generate a diff of this commit:

cvs diff -r1.68 -r1.69 krb5/src/appl/gss-sample/ChangeLog
cvs diff -r1.7 -r1.8 krb5/src/appl/gss-sample/README
cvs diff -r1.26 -r1.27 krb5/src/appl/gss-sample/gss-client.c
From: tlyu@mit.edu
Subject: CVS Commit
pullup from trunk


To generate a diff of this commit:

cvs diff -r1.65.2.1 -r1.65.2.2 krb5/src/appl/gss-sample/ChangeLog
cvs diff -r1.6 -r1.6.2.1 krb5/src/appl/gss-sample/README
cvs diff -r1.25 -r1.25.2.1 krb5/src/appl/gss-sample/gss-client.c