Open Bug 1491692 Opened 6 years ago Updated 2 years ago

Kerberos SPNEGO IAKERB incorrect encoding of iakerb-header structure

Categories

(Core :: Networking: HTTP, defect, P5)

62 Branch

UNCONFIRMED

People

(Reporter: wiml, Unassigned)

Details

(Whiteboard: [ntlm][necko-triaged] Close when the Ubuntu krb5 package bug is confirmed)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
Build ID: 20180912143528

Steps to reproduce:

TLDR: The IAKERB-HEADER structure specifies that the "target-realm" field is a UTF8String, but Firefox is sending an OCTET STRING.

I was dissecting a failing http negotiate auth exchange and noticed that the initial negotiate token sent from Firefox uses the mech OID for IAKERB, but the innerToken's encoding does not match draft-ietf-kitten-iakerb-03 (or any earlier draft I could find).

To reproduce:
1. Have a TGT but no ticket in your local kerberos cache
2. Connect to a webserver which responds with 401 Unauthorized and "WWW-Authenticate: Negotiate" (i.e., anything protected by kerberos / spnego)
3. Observe the next request sent by Firefox

Actual results:

The Negotiate header contains a SPNEGO structure with mech 1.3.6.1.5.5.2 (IAKERB), containing a token of mechanism 1.3.6.1.5.5.2 (same), and an innerToken consisting of the concatenation of the TOK_ID, an IAKERB-HEADER, and a TGS_REQ message. (The first few bytes of the inner token: 0501300ca10a0408484848482e4f5247)

The IAKERB-HEADER sequence, as you can see above, consisted of one explicitly-tagged OCTET STRING (BER tag 4) containing the target realm name.

Expected results:

The IAKERB-HEADER sequence should contain an explicitly-tagged UTF8String (BER tag 12) containing the target realm name.
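Added example (not part of the original report, and not Firefox or krb5 code): a minimal DER walk over the inner-token prefix quoted in the report, reporting which universal tag carries the realm and whether it is the UTF8String the report expects. The function names and the `EXPECTED` byte string are constructed for illustration; `REPORTED` is the hex string from the report.

```python
UTF8_STRING, OCTET_STRING, SEQUENCE = 0x0C, 0x04, 0x30
TAG_NAMES = {UTF8_STRING: "UTF8String", OCTET_STRING: "OCTET STRING"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER element with a single-byte tag."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def check_iakerb_header(inner_token):
    """Decode TOK_ID and target-realm; flag a realm not encoded as UTF8String."""
    tok_id = inner_token[:2]
    tag, header, tgs_off = read_tlv(inner_token, 2)
    if tag != SEQUENCE:
        raise ValueError("IAKERB-HEADER is not a SEQUENCE")
    ctx, wrapped, _ = read_tlv(header, 0)
    if ctx != 0xA1:                        # explicit context tag seen in the reported bytes
        raise ValueError("first field does not carry the 0xA1 explicit tag")
    realm_tag, realm, end = read_tlv(wrapped, 0)
    if end != len(wrapped):
        raise ValueError("trailing bytes inside the explicit tag wrapper")
    return {
        "tok_id": tok_id.hex(),
        "realm": realm.decode("utf-8"),
        "realm_type": TAG_NAMES.get(realm_tag, hex(realm_tag)),
        "conforms": realm_tag == UTF8_STRING,
        "tgs_req_offset": tgs_off,         # where the TGS_REQ would begin
    }

# First 16 bytes of the inner token, as quoted in the report.
REPORTED = bytes.fromhex("0501300ca10a0408484848482e4f5247")
# Constructed for comparison: same realm, encoded with BER tag 12.
EXPECTED = bytes.fromhex("0501300ca10a0c08484848482e4f5247")

if __name__ == "__main__":
    for name, tok in (("reported", REPORTED), ("expected", EXPECTED)):
        print(name, check_iakerb_header(tok))
```
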
I couldn't reproduce this issue. I am going to assign the "Core: Networking: HTTP" component for it and hopefully someone with more knowledge in this area will have a look over this.
Component: Untriaged → Networking: HTTP
Product: Firefox → Core
Can you elaborate on the inability to reproduce? Are you seeing a different datatype being sent by Firefox, or unable to get it to use the IAKERB mechanism, or ... ?
On further investigation, I think this is a bug in the system's GSSAPI library, libgssapi_krb5.so.2.2. I've filed a report against the krb5 package in ubuntu: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1793594
Whiteboard: [ntlm]
(In reply to Wim Lewis from comment #3)
> On further investigation, I think this is a bug in the system's GSSAPI library, libgssapi_krb5.so.2.2. I've filed a report against the krb5 package in ubuntu: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1793594

Thanks!
Priority: -- → P5
Whiteboard: [ntlm] → [ntlm][necko-triaged]
Whiteboard: [ntlm][necko-triaged] → [ntlm][necko-triaged] Close when the Ubuntu krb5 package bug is confirmed
Severity: normal → S3