Open
Bug 1491692
Opened 6 years ago
Updated 2 years ago
Kerberos SPNEGO IAKERB incorrect encoding of iakerb-header structure
Categories
(Core :: Networking: HTTP, defect, P5)
UNCONFIRMED
People
(Reporter: wiml, Unassigned)
Details
(Whiteboard: [ntlm][necko-triaged] Close when the Ubuntu krb5 package bug is confirmed)
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
Build ID: 20180912143528
Steps to reproduce:
TLDR: The IAKERB-HEADER structure specifies that the "target-realm" field is a UTF8String, but Firefox is sending an OCTET STRING.
I was dissecting a failing http negotiate auth exchange and noticed that the initial negotiate token sent from Firefox uses the mech OID for IAKERB, but the innerToken's encoding does not match draft-ietf-kitten-iakerb-03 (or any earlier draft I could find).
To reproduce:
1. Have a TGT but no ticket in your local kerberos cache
2. Connect to a webserver which responds with 401 Unauthorized and "WWW-Authenticate: Negotiate" (i.e., anything protected by kerberos / spnego)
3. Observe the next request sent by Firefox
Actual results:
The Negotiate header contains a SPNEGO structure with mech 1.3.6.1.5.5.2 (IAKERB), containing a token of mechanism 1.3.6.1.5.5.2 (same), and an innerToken consisting of the concatenation of the TOK_ID, an IAKERB-HEADER, and a TGS_REQ message. (The first few bytes of the inner token: 0501300ca10a0408484848482e4f5247)
The IAKERB-HEADER sequence, as you can see above, consisted of one explicitly-tagged OCTET STRING (BER tag 4) containing the target realm name.
Expected results:
The IAKERB-HEADER sequence should contain an explicitly-tagged UTF8String (BER tag 12) containing the target realm name.
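As an added illustration (not part of the original report, and not Firefox or krb5 code), the Python below walks the inner-token prefix quoted in the report and checks the ASN.1 type of the target-realm field. The helper names and the `CONFORMING` byte string are constructed for this example; the two-byte TOK_ID and the `[1]` tag for target-realm are taken from the bytes shown above.

```python
# Added example: minimal DER walk over the IAKERB innerToken prefix from the report.
OBSERVED = bytes.fromhex("0501300ca10a0408484848482e4f5247")    # bytes quoted in the report
CONFORMING = bytes.fromhex("0501300ca10a0c08484848482e4f5247")  # constructed: same realm as UTF8String

TAG_OCTET_STRING, TAG_UTF8STRING, TAG_SEQUENCE = 0x04, 0x0C, 0x30
TAG_TARGET_REALM = 0xA1  # context-specific, constructed, tag number 1 (explicit tagging)

def read_tlv(buf, off):
    """Return (tag, value, next_offset) for one DER TLV; single-byte tags only."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long-form length: next n bytes
        n = first & 0x7F
        if n == 0 or n > 4 or off + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[off:off + length], off + length

def check_iakerb_header(inner_token):
    """Decode TOK_ID + IAKERB-HEADER and report how target-realm is typed."""
    tok_id = inner_token[:2]
    tag, seq, _ = read_tlv(inner_token, 2)   # bytes after the SEQUENCE are the TGS_REQ
    if tag != TAG_SEQUENCE:
        raise ValueError("IAKERB-HEADER is not a SEQUENCE")
    tag, wrapped, _ = read_tlv(seq, 0)
    if tag != TAG_TARGET_REALM:
        raise ValueError("first field is not [1] target-realm")
    inner_tag, realm, end = read_tlv(wrapped, 0)
    if end != len(wrapped):
        raise ValueError("trailing bytes inside the [1] wrapper")
    return {
        "tok_id": tok_id.hex(),
        "realm": realm.decode("utf-8", errors="replace"),
        "inner_tag": inner_tag,
        "conforms": inner_tag == TAG_UTF8STRING,
    }

if __name__ == "__main__":
    for label, token in (("observed", OBSERVED), ("conforming", CONFORMING)):
        print(label, check_iakerb_header(token))
```

The only difference between the two encodings is the single tag byte inside the `[1]` wrapper (`04` versus `0c`); the realm bytes and all lengths are identical.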
Comment 1•6 years ago
I couldn't reproduce this issue. I am going to assign the "Core: Networking: HTTP" component for it and hopefully someone with more knowledge in this area will take a look over this.
Component: Untriaged → Networking: HTTP
Product: Firefox → Core
Can you elaborate on the inability to reproduce? Are you seeing a different datatype being sent by Firefox, or unable to get it to use the IAKERB mechanism, or ... ?
On further investigation, I think this is a bug in the system's GSSAPI library, libgssapi_krb5.so.2.2. I've filed a report against the krb5 package in ubuntu: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1793594
Updated•6 years ago
Whiteboard: [ntlm]
Comment 4•6 years ago
(In reply to Wim Lewis from comment #3)
> On further investigation, I think this is a bug in the system's GSSAPI
> library, libgssapi_krb5.so.2.2. I've filed a report against the krb5 package
> in ubuntu: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1793594
Thanks!
Priority: -- → P5
See Also: → https://launchpad.net/bugs/1793594
Whiteboard: [ntlm] → [ntlm][necko-triaged]
Updated•6 years ago
Whiteboard: [ntlm][necko-triaged] → [ntlm][necko-triaged] Close when the Ubuntu krb5 package bug is confirmed
Updated•2 years ago
Severity: normal → S3