curl --fail --negotiate behavior changed between 7.64.0 and 7.65.0 #3992

nicowilliams · 2019-06-05T17:59:07Z

Per #3726 I am opening a new issue for this.

$ curl --fail --negotiate -u: http://localhost:54321/x

fails with exit code 22 and no useful messages. Enabling verbose output also shows nothing telling about what happened.

The issue is that if even the initial gss_init_sec_context() call fails, then conn->data->state.authproblem gets set to TRUE.

Certainly for HTTP/Negotiate (and only HTTP/Negotiate) any failures of followup gss_init_sec_context() calls (when the input_token is non-empty) should be fatal, but not the initial one.

The text was updated successfully, but these errors were encountered:

bagder · 2019-06-06T10:48:02Z

We should up our efforts in adding tests for GSS...

nicowilliams · 2019-06-07T19:13:33Z

@bagder yeah... Heimdal has a useful tool for testing, kimpersonate, that might help that.

kdudka · 2019-07-29T12:57:59Z

I do not think that you need to have a working GSS setup to test this class of bugs. These bugs are about changes of behavior in cases where HTTPAUTH_GSSNEGOTIATE is enabled but no valid GSS credentials (or even configuration) available.

Before 6c60355 there was either no failure at all (because gss_init_sec_context() was not called unless the server asked for GSS-based authentication) or the failure of gss_init_sec_context() did not result in a failed transfer (because the HTTP request succeeded without any authentication in the end).

kdudka · 2019-07-29T15:44:13Z

It is not only --fail what is broken. If HTTPAUTH_GSSNEGOTIATE is used for a POST request and gss_init_sec_context() fails, the POST request is now sent with empty body. I am experimenting with the following patch:

--- a/lib/http_negotiate.c
+++ b/lib/http_negotiate.c
@@ -151,7 +151,7 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy)
       if(result == CURLE_LOGIN_DENIED) {
         /* negotiate auth failed, let's continue unauthenticated to stay
          * compatible with the behavior before curl-7_64_0-158-g6c6035532 */
-        conn->data->state.authproblem = TRUE;
+        authp->done = TRUE;
         return CURLE_OK;
       }
       else if(result)

... and will open a pull request once I have some test-coverage for it...

If HTTPAUTH_GSSNEGOTIATE was used for a POST request and gss_init_sec_context() failed, the POST request was sent with empty body. This commit also restores the original behavior of `curl --fail --negotiate`, which was changed by commit 6c60355. Add regression tests 2077 and 2078 to cover this. Fixes curl#3992

nicowilliams mentioned this issue Jun 5, 2019

Out of memory is returned from command line for gssapi auth with missing krb5 ticket #3726

Closed

bagder added authentication HTTP labels Jun 6, 2019

bagder added the help wanted label Jun 10, 2019

kdudka mentioned this issue Jul 30, 2019

http_negotiate: improve handling of gss_init_sec_context() failures #4171

Closed

kdudka changed the title ~~curl --fail --negotiate behavior changed in 7.64.0 and 7.65.0~~ curl --fail --negotiate behavior changed between 7.64.0 and 7.65.0 Jul 30, 2019

kdudka closed this as completed in 4c18704 Aug 1, 2019

lock bot locked as resolved and limited conversation to collaborators Oct 30, 2019

curl --fail --negotiate behavior changed between 7.64.0 and 7.65.0 #3992

curl --fail --negotiate behavior changed between 7.64.0 and 7.65.0 #3992

nicowilliams commented Jun 5, 2019

bagder commented Jun 6, 2019

nicowilliams commented Jun 7, 2019

kdudka commented Jul 29, 2019

kdudka commented Jul 29, 2019

curl --fail --negotiate behavior changed between 7.64.0 and 7.65.0 #3992

curl --fail --negotiate behavior changed between 7.64.0 and 7.65.0 #3992

Comments

nicowilliams commented Jun 5, 2019

bagder commented Jun 6, 2019

nicowilliams commented Jun 7, 2019

kdudka commented Jul 29, 2019

kdudka commented Jul 29, 2019