Authentication failure: Out of memory [$25 awarded] #915

Closed
radonish opened this issue Dec 6, 2019 · 25 comments
Labels
bounty There is a bounty for this issue

Comments

@radonish

radonish commented Dec 6, 2019

When I attempt to connect to the TigerVNC server using TigerVNC viewer 1.10.0 I get an error "Authentication failure: Out of memory".

I was previously using TigerVNC 1.9.0 viewer successfully and upgraded to 1.10.0 to get past the macOS security warning associated with 1.9.0.

To Reproduce
Steps to reproduce the behavior:

  1. Launch TigerVNC Viewer
  2. Enter VNC Server address
  3. Click Connect
  4. Click "Yes" to continue when warned about the certificate being signed by an unknown authority.
  5. Error window displayed with "Authentication failure: Out of memory"

Expected behavior
A successful connection is established, as it was with TigerVNC Viewer 1.9.0.

Client (please complete the following information):

  • OS: macOS 10.15.2
  • VNC client: TigerVNC
  • VNC client version: 1.10.0
  • Client downloaded from: Bintray

Server (please complete the following information):

  • OS: Red Hat Enterprise Linux 7.4
  • VNC server: TigerVNC
  • VNC server version: 1.9.0, 1.10.0 (both tried)
  • Server downloaded from: Bintray
  • Server was started using: vncserver :${DISPLAY} -rfbport 3389 -httpd /dev/null -SecurityTypes X509plain -X509Cert ~/.vnc/certs/${SHOST}_vnc.crt -X509Key ~/.vnc/certs/${SHOST}_vnc.key -PAMService sshd -PlainUsers ${VNCUSER}

Thank you


The $25 bounty on this issue has been claimed at Bountysource.

@CendioOssman CendioOssman changed the title Authentication failure: Out of memory Authentication failure: Out of memory [$25] Dec 7, 2019
@CendioOssman CendioOssman added the bounty There is a bounty for this issue label Dec 7, 2019
@radonish
Author

radonish commented Dec 8, 2019

To add, I get the reported error regardless of whether the server is running 1.9.0 or 1.10.0.

Server log:
Xvnc TigerVNC 1.10.0 - built Nov 18 2019 09:12:45
Copyright (C) 1999-2019 TigerVNC Team and many others (see README.rst)
See https://www.tigervnc.org for information on TigerVNC.
Underlying X server release 12001000, The X.Org Foundation

Sun Dec 8 07:50:20 2019
vncext: VNC extension running!
vncext: Listening for VNC connections on all interface(s), port 3389
vncext: created VNC server for screen 0

Sun Dec 8 07:50:50 2019
Connections: accepted: x.x.x.x::62788
SConnection: Client needs protocol version 3.8
SConnection: Client requests security type VeNCrypt(19)
SVeNCrypt: Client requests security type X509Plain (262)

----Certificate accepted on client side at this point.----

Sun Dec 8 07:50:55 2019
VNCSConnST: closing x.x.x.x::62788: Clean disconnection
EncodeManager: Framebuffer updates: 0
EncodeManager: Total: 0 rects, 0 pixels
EncodeManager: 0 B (1:-nan ratio)
TLS: TLS session wasn't terminated gracefully
Connections: closed: x.x.x.x::62788
ComparingUpdateTracker: 0 pixels in / 0 pixels out
ComparingUpdateTracker: (1:-nan ratio)

@samhed
Member

samhed commented Dec 8, 2019

Well, are you out of memory?

@radonish
Author

radonish commented Dec 8, 2019

@samhed, nope. I haven't had a chance to look through the source - is the MacOS TigerVNC client ultimately a Java application?

It's awkward that an OOM error exception is propagating up the system as an authentication failure.

@bphinz
Member

bphinz commented Dec 8, 2019 via email

@radonish
Author

More information; I was able to try with macOS Sierra tonight:
macOS 10.12.6 (Sierra) with TigerVNC Viewer 1.10.0 works fine, as 1.9.0 did.
macOS 10.15.1 (Catalina) with TigerVNC Viewer 1.10.0 gets the "Authentication failure: Out of memory"

Any help is appreciated.

@radonish
Author

radonish commented Dec 12, 2019

macOS 10.15.2 results in the same failure.

I do get a warning about the certificate being signed by an unknown authority prior to the failure (I say yes to the "Do you want to save it and continue?" question). Does that shed any light?

(Also updated the original post according to the bug report template.)

@bphinz
Member

bphinz commented Dec 12, 2019 via email

@radonish
Author

@bphinz, yes, it is the remote server's cert. I am using x509 secType.

Thanks

@tarun-dholariya

Hi, @radonish asked me to post my answer, which I posted on another thread, because it will help here as well.
Here is my version:
I have Catalina 10.15 macOS installed on my Mac.
I was getting the error "Authentication failure: Out of memory" with TigerVNC viewer 1.9.
Then I found a solution on thread #881.
I downloaded TigerVNC-1.10.80.dmg from http://tigervnc.bphinz.com/nightly/ "Mac OS-X 10.9+ packages" section, and it worked fine.
Thanks to @gsmurray who posted the solution.

Below are the steps that were posted by @gsmurray

Further Testing Reveals that the following Method will allow the Application to open:

  1. Download 1.9.80 from http://tigervnc.bphinz.com/nightly/
  2. Click on .dmg -> copy the app in your Applications folder;
  3. Double click shows you "Apple cannot check it for malicious software"
  4. Go to System Preferences > Security & Privacy > General (Tab) > clicked on Open Anyway nearby TigerVNC app;
  5. This will show you the "Apple cannot check it for malicious software" dialog again -> select OK
  6. Attempt to open the application again by double-clicking

@radonish
Author

radonish commented Dec 13, 2019

Thank you for posting your details, @tarun-dholariya. To be clear, you had success with 1.10.80? His steps on #881 from October referenced 1.9.80.

Also, what TigerVNC server version are you connecting to from your Mac?

Thanks

@tarun-dholariya

tarun-dholariya commented Dec 13, 2019

Oh right.
His steps mention 1.9.80, but when I opened the link http://tigervnc.bphinz.com/nightly/
it has 1.10.80, which worked with my Mac.

To clarify
1.10.80 worked with my Mac

Do not download 1.9.80. (which is not available on the link anyway)

Thanks @radonish for pointing that out.

About the VNC server version, let me find out.
PS: VNC server version: tigervnc-server.x86_64 1.8.0-17.el7
Server OS: CentOS 7
Note: I use my Mac TigerVNC viewer with many other servers which might have different vncserver versions; I have no problem connecting with any of them.

@tarun-dholariya

@radonish
Post if my answer works for you.

Thanks.

@radonish
Author

Thank you, @tarun-dholariya! I will post a follow up tonight.

@bphinz
Member

bphinz commented Dec 13, 2019 via email

@radonish
Author

@tarun-dholariya @bphinz, unfortunately I still get an error with 1.10.80.

To be clear, I do not have to do steps 3 and 4 as you did, @tarun-dholariya - I simply hit "open anyway" and retry to successfully launch TigerVNC Viewer. I still end up with the cryptic "Authentication failure: Out of memory" failure, however.

Client log:
TigerVNC Viewer 64-bit v1.10.80
Built on: 2019-12-01 01:57
Copyright (C) 1999-2019 TigerVNC Team and many others (see README.rst)
See https://www.tigervnc.org for information on TigerVNC.

Fri Dec 13 18:26:17 2019
DecodeManager: Detected 6 CPU core(s)
DecodeManager: Creating 4 decoder thread(s)
CConn: Connected to host XXX port 3389
CConnection: Server supports RFB protocol version 3.8
CConnection: Using RFB protocol version 3.8
CConnection: Choosing security type VeNCrypt(19)
CVeNCrypt: Choosing security type X509Plain (262)

Fri Dec 13 18:26:18 2019
TLS: Could not load system certificate trust store

Fri Dec 13 18:26:19 2019
CConn: Authentication failure: Out of memory

@radonish
Author

@bphinz, do you have a 1.9.80 nightly build macOS version you could send my way? It would be another interesting data point. My latest test is on a brand new iMac with macOS Catalina on it - I'm at a loss as to what is special about my configuration.

Thanks

@bphinz
Member

bphinz commented Dec 15, 2019 via email

@radonish
Author

Another data point: I installed TigerVNC 1.10.0 via Homebrew and see the same problem. Given that I'm running into this problem with a very vanilla, non-customized macOS system, I'm left thinking that this cryptic "Authentication failure: Out of memory" failure is due to a server-side configuration that is exposing a client-side bug.

If folks could post more detail about how they've configured/started the TigerVNC server I would appreciate it.

@bphinz
Member

bphinz commented Dec 24, 2019

I'm skeptical that it will fix this problem, but could you please try the latest nightly build? I updated the underlying gnutls library and fixed a minor linker issue in the macOS build.

@radonish
Author

@bphinz, I appreciate the thought - I gave it a try but unfortunately it does fail in the same way. I'm working on getting a development environment set up on the Mac so I can debug.

Thank you

@radonish
Author

I'm not familiar with the TigerVNC code or the gnutls library, but the issue to me appears to be with the interface to gnutls_x509_crt_export() within common/rfb/CSecurityTLS.cxx.

Based on the TigerVNC code, my best guess is that the developer was first calling gnutls_x509_crt_export() with a NULL output buffer in an attempt to get the minimum buffer size required to store the certificate, knowing GNUTLS_E_SHORT_MEMORY_BUFFER would be returned. The second call, I assume, would then actually store the certificate in the non-NULL buffer.

Please see the proof-of-concept patch attached; the other noise in the patch are changes I made to get it to build on macOS using the compiler noted below. This fixed the issue for me.

$ /Library/Developer/CommandLineTools/usr/bin/c++ --version
Apple clang version 11.0.0 (clang-1100.0.33.16)
Target: x86_64-apple-darwin19.2.0
Thread model: posix

Thanks

Updates-for-macOS-and-gnutls-usage.patch.txt
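
The size-probe pattern described in the comment above, as an added example that is not the TigerVNC code or the attached patch: the first call is expected to report a short buffer, and only a failed allocation is a real out-of-memory condition. `mock_export` is a hypothetical stand-in that follows the contract of gnutls_x509_crt_export() (short-buffer status plus the required size when the buffer is missing or too small); the status values and sample PEM are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for GnuTLS status codes; the numeric values are illustrative. */
#define E_SHORT_BUFFER (-51) /* buffer too small, needed size was stored */
#define E_NO_MEMORY    (-25) /* allocation really failed */

/* Constructed sample standing in for a PEM-encoded server certificate. */
static const char SAMPLE_PEM[] =
    "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n";

/* Hypothetical exporter: no buffer or too small -> store size, report short. */
static int mock_export(char *out, size_t *size)
{
    size_t need = sizeof(SAMPLE_PEM);
    int fits = (out != NULL && *size >= need);
    *size = need;
    if (!fits)
        return E_SHORT_BUFFER;
    memcpy(out, SAMPLE_PEM, need);
    return 0;
}

/* Probe, allocate, export. On success returns 0 and sets *pem (caller frees). */
static int export_cert(char **pem)
{
    size_t size = 0;
    int ret = mock_export(NULL, &size);
    *pem = NULL;
    /* Short buffer is the expected probe result; anything else is an error. */
    if (ret != E_SHORT_BUFFER)
        return ret < 0 ? ret : -1;
    *pem = malloc(size);
    if (*pem == NULL)
        return E_NO_MEMORY;   /* the only genuine out-of-memory case */
    ret = mock_export(*pem, &size);
    if (ret < 0) { free(*pem); *pem = NULL; }
    return ret;
}

int main(void)
{
    char *pem;
    int ret = export_cert(&pem);
    if (ret == 0) { fputs(pem, stdout); free(pem); }
    return ret != 0;
}
```

Treating the probe's short-buffer status as fatal would make every first-time certificate save fail, regardless of how much memory is available.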

@radonish
Author

radonish commented Dec 28, 2019

I've created 2 pull requests:

  1. macOS and clang compilation-related updates #928 - changes made to get vncviewer to build with clang 11.0.0
  2. Fix gnutls X.509 certificate exporting #927 - fix for this issue

Thanks

@IntiQuan

Dear all, had the same issue and was not understanding most of the above. But solved the problem as follows:

  • When using the X.509 certificate with TigerVNC viewer 1.8.0 all works fine. In the folder "C:\Users<>\AppData\Roaming\vnc" the file "x509_savedcerts.pem" is created.
  • If using vncviewer 1.10.0 this "x509_savedcerts.pem" file is not created and the out of memory message is shown.
  • When first running 1.8.0 then 1.10.0 runs as well just fine.
  • If deleting the "x509_savedcerts.pem" file then 1.10.0 again shows "out of memory"

So somehow 1.10.0 (and 1.10.1) fail in the generation of the "x509_savedcerts.pem" file... once it's there, no problem. Also, when providing the path to the cert in the vncviewer security options: no problem as well!

Maybe that helps in debugging it?

@CendioOssman
Member

I think that is just because you already have the exception saved in that case so you're avoiding the broken code.

Not sure how this ever worked, but it should be fixed as of dbad687.

Thanks for helping out.

@CendioOssman
Member

@radonish, feel free to claim the bounty if you want as you did the leg work on this issue.

@CendioOssman CendioOssman changed the title Authentication failure: Out of memory [$25] Authentication failure: Out of memory [$25 awarded] May 11, 2022