
A problem with SPNEGO

From: Pavel Andreev <pavel.andreev_at_hp.com>
Date: Fri, 14 Jul 2006 14:16:04 +0200

Hello.

Playing with SPNEGO, I've stumbled upon a problem with handling
negotiation security contexts in libcurl.
It seems that the context is initialized only once (in
Curl_input_negotiate, upon receiving WWW-Authenticate: header), and is
used in all subsequent requests. But the initial output_token is removed
from the context when it is used for the first time, so subsequent
requests end up being sent with zero-length tokens.

I've tried curl 7.15.4 compiled with Heimdal and fbopenssl 0.4 on
FreeBSD and Gentoo. The results of sending malformed Authorization
headers vary: Apache 1.3/mod_auth_kerb child process dies with SIGSEGV,
Apache 2.0 works with keepalives turned on (returns 500 otherwise), IIS
6.0 returns 401.

I'm attaching two examples: one with two requests to the same server,
another with two requests to different servers (the same problem).
I haven't had the time to get familiar with libcurl code yet, so I'm not
suggesting a patch at the moment (freeing the context upon finishing the
negotiation, perhaps?).

--
Pavel Andreev
pavel.andreev_at_hp.com
NSG Engineer, CCIE #5957, CCDP
Hewlett-Packard Czech Republic

paxvel_at_ktest~>curl --negotiate -ux:x -v kweb kweb
* About to connect() to kweb port 80
* Trying 10.50.17.1... connected
* Connected to kweb (10.50.17.1) port 80
> GET / HTTP/1.1
> User-Agent: curl/7.15.4 (i686-pc-linux-gnu) libcurl/7.15.4 OpenSSL/0.9.7e zlib/1.2.3
> Host: kweb
> Accept: */*
>
< HTTP/1.1 401 Authorization Required
< Date: Fri, 14 Jul 2006 11:48:34 GMT
< Server: Apache/2.0.54 (Fedora)
< WWW-Authenticate: Negotiate
< Content-Length: 482
< Connection: close
< Content-Type: text/html; charset=iso-8859-1
* Closing connection #0
* Issue another request to this URL: 'http://kweb'
* About to connect() to kweb port 80
* Trying 10.50.17.1... connected
* Connected to kweb (10.50.17.1) port 80
* Make SPNEGO Initial Token succeeded
* Server auth using GSS-Negotiate with user 'x'
> GET / HTTP/1.1
> Authorization: Negotiate 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
> User-Agent: curl/7.15.4 (i686-pc-linux-gnu) libcurl/7.15.4 OpenSSL/0.9.7e zlib/1.2.3
> Host: kweb
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Fri, 14 Jul 2006 11:48:34 GMT
< Server: Apache/2.0.54 (Fedora)
< WWW-Authenticate: Negotiate oRQwEqADCgEAoQsGCSqGSIb3EgECAg==
< Content-Length: 56
< Connection: close
< Content-Type: text/plain; charset=UTF-8
Hello, paxvel_at_AAALAB.NSG!
Fri Jul 14 13:48:34 CEST 2006
* Closing connection #0
* About to connect() to kweb port 80
* Trying 10.50.17.1... connected
* Connected to kweb (10.50.17.1) port 80
* Make SPNEGO Initial Token succeeded
* Server auth using GSS-Negotiate with user 'x'
> GET / HTTP/1.1
> Authorization: Negotiate YBsGBisGAQUFAqARMA+gDTALBgkqhkiG9xIBAgI=
> User-Agent: curl/7.15.4 (i686-pc-linux-gnu) libcurl/7.15.4 OpenSSL/0.9.7e zlib/1.2.3
> Host: kweb
> Accept: */*
>
< HTTP/1.1 500 Internal Server Error
< Date: Fri, 14 Jul 2006 11:48:34 GMT
< Server: Apache/2.0.54 (Fedora)
< Content-Length: 615
< Connection: close
< Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
<p>Please contact the server administrator,
 root_at_localhost and inform them of the time the error occurred,
and anything you might have done that may have
caused the error.</p>
<p>More information about this error may be available
in the server error log.</p>
<hr>
<address>Apache/2.0.54 (Fedora) Server at kweb.aaalab.nsg Port 80</address>
</body></html>
* Closing connection #0

paxvel_at_ktest~>curl --negotiate -ux:x -v kweb kdc
* About to connect() to kweb port 80
* Trying 10.50.17.1... connected
* Connected to kweb (10.50.17.1) port 80
> GET / HTTP/1.1
> User-Agent: curl/7.15.4 (i686-pc-linux-gnu) libcurl/7.15.4 OpenSSL/0.9.7e zlib/1.2.3
> Host: kweb
> Accept: */*
>
< HTTP/1.1 401 Authorization Required
< Date: Fri, 14 Jul 2006 11:49:01 GMT
< Server: Apache/2.0.54 (Fedora)
< WWW-Authenticate: Negotiate
< Content-Length: 482
< Connection: close
< Content-Type: text/html; charset=iso-8859-1
* Closing connection #0
* Issue another request to this URL: 'http://kweb'
* About to connect() to kweb port 80
* Trying 10.50.17.1... connected
* Connected to kweb (10.50.17.1) port 80
* Make SPNEGO Initial Token succeeded
* Server auth using GSS-Negotiate with user 'x'
> GET / HTTP/1.1
> Authorization: Negotiate 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
> User-Agent: curl/7.15.4 (i686-pc-linux-gnu) libcurl/7.15.4 OpenSSL/0.9.7e zlib/1.2.3
> Host: kweb
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Fri, 14 Jul 2006 11:49:01 GMT
< Server: Apache/2.0.54 (Fedora)
< WWW-Authenticate: Negotiate oRQwEqADCgEAoQsGCSqGSIb3EgECAg==
< Content-Length: 56
< Connection: close
< Content-Type: text/plain; charset=UTF-8
Hello, paxvel_at_AAALAB.NSG!
Fri Jul 14 13:49:01 CEST 2006
* Closing connection #0
* About to connect() to kdc port 80
* Trying 10.50.17.254... connected
* Connected to kdc (10.50.17.254) port 80
* Make SPNEGO Initial Token succeeded
* Server auth using GSS-Negotiate with user 'x'
> GET / HTTP/1.1
> Authorization: Negotiate YBsGBisGAQUFAqARMA+gDTALBgkqhkiG9xIBAgI=
> User-Agent: curl/7.15.4 (i686-pc-linux-gnu) libcurl/7.15.4 OpenSSL/0.9.7e zlib/1.2.3
> Host: kdc
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Content-Length: 1539
< Content-Type: text/html
< Server: Microsoft-IIS/6.0
* Authentication problem. Ignoring this.
< WWW-Authenticate: Negotiate oRQwEqADCgEBoQsGCSqGSIb3EgECAg==
< X-Powered-By: ASP.NET
< Date: Fri, 14 Jul 2006 11:49:09 GMT
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>You are not authorized to view this page</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
  BODY { font: 8pt/12pt verdana }
  H1 { font: 13pt/15pt verdana }
  H2 { font: 8pt/12pt verdana }
  A:link { color: red }
  A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>You are not authorized to view this page</h1>
You do not have permission to view this directory or page using the credentials that you supplied.
<hr>
<p>Please try the following:</p>
<ul>
<li>Contact the Web site administrator if you believe you should be able to view this directory or page.</li>
<li>Click the Refresh button to try again with different credentials.</li>
</ul>
<h2>HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to Microsoft Product Support Services and perform a title search for the words <b>HTTP</b> and <b>401</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
 and search for topics titled <b>Authentication</b>, <b>Access Control</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>
* Connection #0 to host kdc left intact
* Closing connection #0
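Added here as a diagnostic aid, not code from the report or from libcurl: a small DER walker that decodes the three Negotiate tokens visible in the transcript above, following the RFC 4178 NegTokenInit/NegTokenResp layout. It shows that the second client token lists the Kerberos mechanism but carries no [2] mechToken (the empty token the report describes), and that Apache answers with negState accept-completed while IIS answers accept-incomplete; the token strings are copied from the transcript, and the first client token is unavailable because it was removed from the archive.

```python
import base64

# Tokens copied from the transcript above (the first client token was removed from the archive).
CLIENT_TOKEN_2 = "YBsGBisGAQUFAqARMA+gDTALBgkqhkiG9xIBAgI="  # client, second request
APACHE_RESP = "oRQwEqADCgEAoQsGCSqGSIb3EgECAg=="            # Apache 2.0, after the first request
IIS_RESP = "oRQwEqADCgEBoQsGCSqGSIb3EgECAg=="               # IIS 6.0, after the second request
SPNEGO_OID = bytes.fromhex("2b0601050502")                  # 1.3.6.1.5.5.2
NEG_STATE = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}

def tlv(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def children(buf):                                 # yield (tag, value) for each TLV in a constructed value
    pos = 0
    while pos < len(buf):
        tag, val, pos = tlv(buf, pos)
        yield tag, val

def oid_str(b):
    """Decode DER OID content bytes to dotted form."""
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs.append(v); v = 0
    return ".".join(map(str, arcs))

def parse_negotiate(b64):
    """Parse a Negotiate header value into its SPNEGO fields (RFC 4178 NegTokenInit/NegTokenResp)."""
    tag, body, _ = tlv(base64.b64decode(b64))
    if tag == 0x60:                                # InitialContextToken: mech OID + [0] NegTokenInit
        _, oid, pos = tlv(body)
        assert oid == SPNEGO_OID, "not SPNEGO: " + oid_str(oid)
        fields = dict(children(tlv(tlv(body, pos)[1])[1]))   # NegTokenInit SEQUENCE members by tag
        mechs = [oid_str(v) for _, v in children(tlv(fields[0xA0])[1])]
        # [2] mechToken carries the Kerberos AP-REQ; a NegTokenInit without it is the empty token in the report
        return {"type": "NegTokenInit", "mechTypes": mechs, "mechToken_present": 0xA2 in fields}
    if tag == 0xA1:                                # [1] NegTokenResp
        fields = dict(children(tlv(body)[1]))
        return {"type": "NegTokenResp", "negState": NEG_STATE.get(tlv(fields[0xA0])[1][0], "unknown"),
                "supportedMech": oid_str(tlv(fields[0xA1])[1])}
    raise ValueError("unexpected outer tag 0x%02x" % tag)

if __name__ == "__main__":
    print([parse_negotiate(t) for t in (CLIENT_TOKEN_2, APACHE_RESP, IIS_RESP)])
```

A server that receives a NegTokenInit with no mechToken has nothing to verify; answering 401 with accept-incomplete, as IIS does here, is the expected behaviour, while a 500 or a crashed child indicates the server side also mishandles the malformed token.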
Received on 2006-07-14