Out of memory is returned from command line for gssapi auth with missing krb5 ticket

[lslebodn]

I did this

Ensure there is not any valid krb5 ticket

sh-5.0# klist -l
Principal name                 Cache name
--------------                 ----------

Try to use gssapi authentication for some site.
It will obviously fail but it should continue with basic auth

sh-5.0# curl -v --negotiate -u : -k https://kvm-guest.example.com/application/login
*   Trying 10.37.153.81...
* TCP_NODELAY set
* Connected to kvm-guest.example.com (10.37.153.81) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=US; O=Unspecified; CN=kvm-guest.example.com; emailAddress=root@kvm-guest.example.com
*  start date: Apr  3 14:59:21 2019 GMT
*  expire date: Apr  7 16:39:21 2020 GMT
*  issuer: C=US; O=Unspecified; OU=ca-64193668093928912; CN=kvm-guest.example.com; emailAddress=root@kvm-guest.example.com
*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
* gss_init_sec_context() failed: SPNEGO cannot find mechanisms to negotiate. 
* Connection #0 to host kvm-guest.example.com left intact
curl: (27) Out of memory
* Closing connection 0

I expected the following

sh-5.0# curl -v --negotiate -u : -k https://kvm-02-guest07.rhts.eng.brq.redhat.com/application/login
*   Trying 10.37.153.81...
* TCP_NODELAY set
* Connected to kvm-02-guest07.rhts.eng.brq.redhat.com (10.37.153.81) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=US; O=Unspecified; CN=kvm-02-guest07.rhts.eng.brq.redhat.com; emailAddress=root@kvm-02-guest07.rhts.eng.brq.redhat.com
*  start date: Apr  3 14:59:21 2019 GMT
*  expire date: Apr  7 16:39:21 2020 GMT
*  issuer: C=US; O=Unspecified; OU=ca-64193668093928912; CN=kvm-02-guest07.rhts.eng.brq.redhat.com; emailAddress=root@kvm-02-guest07.rhts.eng.brq.redhat.com
*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> GET /application/login HTTP/1.1
> Host: kvm-02-guest07.rhts.eng.brq.redhat.com
> User-Agent: curl/7.64.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/1.1 401 Unauthorized
< Date: Wed, 03 Apr 2019 21:28:08 GMT
< Server: Apache/2.4.38 (Fedora) OpenSSL/1.1.1b mod_auth_gssapi/1.6.1
* gss_init_sec_context() failed: SPNEGO cannot find mechanisms to negotiate.
< WWW-Authenticate: Negotiate
< Content-Length: 127
< Content-Type: text/html; charset=iso-8859-1
<
* Connection #0 to host kvm-02-guest07.rhts.eng.brq.redhat.com left intact
<html><meta http-equiv="refresh" content="0; URL=/application/login2"><body>Kerberos authentication did not pass.</body></html>sh-5.0#

curl/libcurl version

sh-5.0# curl -V
curl 7.64.1 (x86_64-redhat-linux-gnu) libcurl/7.64.1 OpenSSL/1.1.1b zlib/1.2.11 brotli/1.0.7 libidn2/2.1.1 libpsl/0.20.2 (+libidn2/2.0.5) libssh/0.8.7/openssl/zlib nghttp2/1.37.0
Release-Date: 2019-03-27
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz Metalink NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets

operating system

sh-5.0# rpm -q curl
curl-7.64.1-1.fc31.x86_64
sh-5.0# cat /etc/os-release 
NAME=Fedora
VERSION="31 (Rawhide)"
ID=fedora
VERSION_ID=31
VERSION_CODENAME=""
PLATFORM_ID="platform:f31"
PRETTY_NAME="Fedora 31 (Rawhide)"
ANSI_COLOR="0;34"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:31"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/"
SUPPORT_URL="https://fedoraproject.org/wiki/Communicating_and_getting_help"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=rawhide
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=rawhide
PRIVACY_POLICY_URL="https://fedoraproject.org/wiki/Legal:PrivacyPolicy"

[lslebodn]

It was changed in #1975

Following diff fixed that but I am not sure whether it is right solution

diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c
index 9415236fb..08d85e253 100644
--- a/lib/http_negotiate.c
+++ b/lib/http_negotiate.c
@@ -143,6 +143,12 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy)
     }
     if(!neg_ctx->context) {
       result = Curl_input_negotiate(conn, proxy, "Negotiate");
+      if(result == CURLE_OUT_OF_MEMORY) {
+        authp->done = FALSE;
+        /*neg_ctx->havenegdata = FALSE;*/
+
+        return CURLE_OK;
+      }
       if(result)
         return result;
     }

Just test323 failed for me but it seems to be unrelated to spnego or gssapi

[jay]

Ref: https://github.com/curl/curl/blob/curl-7_64_1/lib/vauth/spnego_gssapi.c#L150-L174

It's returned OOM there for a long time, not sure why it's different now.

/cc @dhoelzl @iboukris @MarcelRaad @kdudka

[dhoelzl]

The call to Curl_input_negotiate at this point (https://github.com/curl/curl/blob/curl-7_64_1/lib/http_negotiate.c#L144-L148) is new. The reason for this is to initiate negotiating already on the first request, if authentication is already known to be negotiate (as curl was set to do so). Prior to my changes negotiating was not started before the first request without negotating failed (and the server said it needs negotiate), even if it was already known that negotiate authentication needs to be used in advance.
I changed this because all browsers behave like this and otherwise there would be one extra unnecessary round trip (especially sending huge amounts of POST/PUT data this causes needless delay).

That is why prior to my changes it switched to basic as negotiate was never getting initiated in your case.

Probably there is missing some error handling logic at that point. The fix above seems valid to me (but I have not checked the details).

Or this can be seen as intended behaviour, as curl is set to use negotiate (only) in this case?
There are some options to curl to automatically switch over to another authentication (--anyauth), maybe this needs to be considered as well? Does the version without your fix work with --anyauth in your case?

Besides:
CURLE_OUT_OF_MEMORY is "misused" here (probably due to no appropriate error code):

curl/lib/vauth/spnego_gssapi.c

Line 124 in 6c60355

return CURLE_OUT_OF_MEMORY;

There is no real "out of memory", just an error from the negotiate API.

[kdudka]

This bug is triggered by 6c60355. I agree that CURLE_OUT_OF_MEMORY is inappropriate in this case. It looks like a copy/paste error. It should probably return CURLE_RECV_ERROR as done in krb5_gssapi.c. However, just changing the error code does not fix the bug. The transfer is still terminated prematurely.

[MarcelRaad]

Maybe I don't fully understand the problem, but is this really a bug? --negotiate is not documented to fall back to Basic in https://curl.haxx.se/docs/manpage.html#--negotiate.

[dhoelzl]

I also cannot understand why curl should fall back to basic if it is directed to use negotiate authentication.
Maybe it was a bug that it did this before my fixes for #1975.

[kdudka]

I am not sure what you are talking about. In which version does curl --negotiate fallback to basic?

[dhoelzl]

I assume before #1975: 7.64.0

How does this behave with e.g. NTLM? Is there also a fallback to basic? I have never tried this.

[MarcelRaad]

@kdudka The issue description says:

It will obviously fail but it should continue with basic auth

So probably before #1975 . Isn't that what this issue is about? 😕

[kdudka]

Sorry, I somehow missed this expectation from the original report. It sounds incorrect to me and I do not think that curl --negotiate has ever worked like that. I tried curl --negotiate with 7.64.0 and it just sent an HTTP request without any Authorization header when gss_init_sec_context() failed.

You can see that the expected verbose output from the original report, which I believe was captured by an unaffected version of curl, does not contain any Authorization header either.

@lslebodn Could you please clarify your expectations?

[bagder]

curl never "falls back" to another authentication method. It picks one and goes with that. If that fails to work/authenticate, it returns error. (I would suggest anything else is a bug.)

[lslebodn]

curl never "falls back" to another authentication method. It picks one and goes with that. If that fails to work/authenticate, it returns error. (I would suggest anything else is a bug.)

It worked in curl <= 7.64.0 :-) if --negotaite was used but there was not any krb5 ticket for GSS-API

curl 7.64.0 (x86_64-redhat-linux-gnu) libcurl/7.64.0 OpenSSL/1.1.1b zlib/1.2.11 brotli/1.0.7 libidn2/2.1.1 libpsl/0.20.2 (+libidn2/2.0.5) libssh/0.8.7/openssl/zlib nghttp2/1.37.0
Release-Date: 2019-02-06
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz brotli TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL Metalink 
sh-5.0# 
sh-5.0# curl -v --negotiate -u : -k https://kvm-guest.example.com/application/login
*   Trying 10.37.153.128...
* TCP_NODELAY set
* Connected to kvm-guest.example.com (10.37.153.128) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=US; O=Unspecified; CN=kvm-guest.example.com; emailAddress=root@kvm-guest.example.com
*  start date: Apr  4 12:27:02 2019 GMT
*  expire date: Apr  8 14:07:02 2020 GMT
*  issuer: C=US; O=Unspecified; OU=ca-6605801528768118960; CN=kvm-guest.example.com; emailAddress=root@kvm-guest.example.com
*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> GET /application/login HTTP/1.1
> Host: kvm-guest.example.com
> User-Agent: curl/7.64.0
> Accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/1.1 401 Unauthorized
< Date: Thu, 04 Apr 2019 14:58:04 GMT
< Server: Apache/2.4.39 (Fedora) OpenSSL/1.1.1b mod_auth_gssapi/1.6.1
* gss_init_sec_context() failed: SPNEGO cannot find mechanisms to negotiate. 
< WWW-Authenticate: Negotiate
< Content-Length: 127
< Content-Type: text/html; charset=iso-8859-1
< 
* Connection #0 to host kvm-guest.example.com left intact
<html><meta http-equiv="refresh" content="0; URL=/application/login2"><body>Kerberos authentication did not pass.</body></html>

Which is the same as with --basic

sh-5.0# curl -v --basic -u : -k https://kvm-guest.example.com/application/login
*   Trying 10.37.153.128...
* TCP_NODELAY set
* Connected to kvm-guest.example.com (10.37.153.128) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=US; O=Unspecified; CN=kvm-guest.example.com; emailAddress=root@kvm-guest.example.com
*  start date: Apr  4 12:27:02 2019 GMT
*  expire date: Apr  8 14:07:02 2020 GMT
*  issuer: C=US; O=Unspecified; OU=ca-6605801528768118960; CN=kvm-guest.example.com; emailAddress=root@kvm-guest.example.com
*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
* Server auth using Basic with user ''
> GET /application/login HTTP/1.1
> Host: kvm-guest.example.com
> Authorization: Basic Og==
> User-Agent: curl/7.64.0
> Accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/1.1 401 Unauthorized
< Date: Thu, 04 Apr 2019 14:59:43 GMT
< Server: Apache/2.4.39 (Fedora) OpenSSL/1.1.1b mod_auth_gssapi/1.6.1
< WWW-Authenticate: Negotiate
< Content-Length: 127
< Content-Type: text/html; charset=iso-8859-1
< 
* Connection #0 to host kvm-guest.example.com left intact
<html><meta http-equiv="refresh" content="0; URL=/application/login2"><body>Kerberos authentication did not pass.</body></html>

I tried to use --negotiate --anyauth or --negotiate --basic with 7.64.1 but it does not work as in previous version

sh-5.0# curl -V
curl 7.64.1 (x86_64-redhat-linux-gnu) libcurl/7.64.1 OpenSSL/1.1.1b zlib/1.2.11 brotli/1.0.7 libidn2/2.1.1 libpsl/0.20.2 (+libidn2/2.0.5) libssh/0.8.7/openssl/zlib nghttp2/1.37.0
Release-Date: 2019-03-27
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz Metalink NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets
sh-5.0# 
sh-5.0# curl -v --negotiate --anyauth -u : -k https://kvm-guest.example.com/application/login
*   Trying 10.37.153.128...
* TCP_NODELAY set
* Connected to kvm-guest.example.com (10.37.153.128) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=US; O=Unspecified; CN=kvm-guest.example.com; emailAddress=root@kvm-guest.example.com
*  start date: Apr  4 12:27:02 2019 GMT
*  expire date: Apr  8 14:07:02 2020 GMT
*  issuer: C=US; O=Unspecified; OU=ca-6605801528768118960; CN=kvm-guest.example.com; emailAddress=root@kvm-guest.example.com
*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> GET /application/login HTTP/1.1
> Host: kvm-guest.example.com
> User-Agent: curl/7.64.1
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/1.1 401 Unauthorized
< Date: Thu, 04 Apr 2019 15:03:32 GMT
< Server: Apache/2.4.39 (Fedora) OpenSSL/1.1.1b mod_auth_gssapi/1.6.1
< WWW-Authenticate: Negotiate
< Content-Length: 127
< Content-Type: text/html; charset=iso-8859-1
<
* Ignoring the response-body
* Connection #0 to host kvm-guest.example.com left intact
* Issue another request to this URL: 'https://kvm-guest.example.com/application/login'
* Found bundle for host kvm-guest.example.com: 0x55ea157c8a20 [can pipeline]
* Could pipeline, but not asked to!
* Re-using existing connection! (#0) with host kvm-guest.example.com
* Connected to kvm-guest.example.com (10.37.153.128) port 443 (#0)
* gss_init_sec_context() failed: SPNEGO cannot find mechanisms to negotiate.
* Connection #0 to host kvm-guest.example.com left intact
curl: (27) Out of memory
* Closing connection 0

sh-5.0# curl -v --negotiate --basic -u : -k https://kvm-guest.example.com/application/login
*   Trying 10.37.153.128...
* TCP_NODELAY set
* Connected to kvm-guest.example.com (10.37.153.128) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=US; O=Unspecified; CN=kvm-guest.example.com; emailAddress=root@kvm-guest.example.com
*  start date: Apr  4 12:27:02 2019 GMT
*  expire date: Apr  8 14:07:02 2020 GMT
*  issuer: C=US; O=Unspecified; OU=ca-6605801528768118960; CN=kvm-guest.example.com; emailAddress=root@kvm-guest.example.com
*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> GET /application/login HTTP/1.1
> Host: kvm-guest.example.com
> User-Agent: curl/7.64.1
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/1.1 401 Unauthorized
< Date: Thu, 04 Apr 2019 15:03:48 GMT
< Server: Apache/2.4.39 (Fedora) OpenSSL/1.1.1b mod_auth_gssapi/1.6.1
< WWW-Authenticate: Negotiate
< Content-Length: 127
< Content-Type: text/html; charset=iso-8859-1
<
* Ignoring the response-body
* Connection #0 to host kvm-guest.example.com left intact
* Issue another request to this URL: 'https://kvm-guest.example.com/application/login'
* Found bundle for host kvm-guest.example.com: 0x56144b571a20 [can pipeline]
* Could pipeline, but not asked to!
* Re-using existing connection! (#0) with host kvm-guest.example.com
* Connected to kvm-guest.example.com (10.37.153.128) port 443 (#0)
* gss_init_sec_context() failed: SPNEGO cannot find mechanisms to negotiate.
* Connection #0 to host kvm-guest.example.com left intact
curl: (27) Out of memory
* Closing connection 0

[lslebodn]

Anyway, returning curl: (27) Out of memory
Is far from ideal return code if --negotiate fails.

curl never "falls back" to another authentication method

I am fine if you do not want to support that and it "worked" just by a change in older version.
but I would appreciate a different and stable return code if --negotiate fails.
So I can rewrite test from and implement fall back from curl --negotiate to curl --basic