Closed Iristyle closed 5 years ago
IMHO, this is one that could use a bugfix release @mwrock / @sneal. Thanks!
Docs for these APIs are at https://web.mit.edu/Kerberos/krb5-1.14/doc/appdev/gssapi.html#iov-message-wrapping
Thanks a bunch Ethan! Will get a release out ASAP
The winrm_decrypt method, which appears to be a near copy of the original GSSAPI gem helpers from
https://github.com/zenchild/gssapi/blob/master/examples
includes a fatal bug.
Specifically the original code at line https://github.com/zenchild/gssapi/blob/master/examples/gss_iov_helpers.rb#L50
When breaking apart the given binary string response into length of header, header and payload, the incorrect value is given to Ruby's unpack method.
https://ruby-doc.org/core-2.3.0/String.html#method-i-unpack
The directive 'A' is used:
A | String | arbitrary binary string (remove trailing nulls and ASCII spaces)
Since the given string is encrypted binary data, 'A' is the wrong directive given it performs removals.
Instead, the directive 'a' should be used as it leaves all bytes intact:
a | String | arbitrary binary string
Without this change, intermittent failures will occur as the decrypted SOAP messages will contain almost valid XML, but usually end with corrupt binary strings at the end of otherwise valid UTF-8 like
</s:Body></s\xB5f\xAF\x9B\xE5\x9B\xE9\xFE\xBB
These failures occur frequently enough to make Kerberos usage completely unreliable.
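The difference between the two directives, shown as an added example that is not part of the original report or of the WinRM or GSSAPI gem code. The frame layout (4-byte header length, header, payload) follows the description above; the helper names and all sample bytes are constructed for illustration.

```ruby
# Added illustration: helper names and sample bytes are constructed,
# not taken from the WinRM or GSSAPI gems.
# Assumed frame layout: 4-byte header length | header | payload

def build_frame(header, payload)
  [header.bytesize].pack('L') + header.b + payload.b
end

# Split a frame using the given String#unpack directive ('A' or 'a').
def split_frame(frame, directive)
  len = frame.unpack('L').first
  _, header, payload = frame.unpack("L#{directive}#{len}#{directive}*")
  [header, payload]
end

HEADER = "\x05\x04\x06\xFF".b      # constructed stand-in for a token header
PREFIX = "\xB5\x66\xAF\x9B\xE5".b  # constructed stand-in for ciphertext

# Try every possible final ciphertext byte and return the ones for which
# the directive does not hand the payload back unchanged.
def damaged_final_bytes(directive)
  (0..255).select do |b|
    payload = PREFIX + b.chr
    _, got = split_frame(build_frame(HEADER, payload), directive)
    got != payload
  end
end

# 'A' silently drops a trailing NUL or space; 'a' keeps every byte.
puts format('A damages payloads ending in: %p', damaged_final_bytes('A'))
puts format('a damages payloads ending in: %p', damaged_final_bytes('a'))

# The same trimming applies to the header field when it ends in NUL bytes.
short_header, = split_frame(build_frame("\x05\x04\x00\x00".b, 'x'), 'A')
puts "header bytes kept by 'A': #{short_header.bytesize} of 4"
```

Only messages whose ciphertext or header happens to end in 0x00 or 0x20 are truncated before decryption, which matches the intermittent nature of the failures described.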