
This queue is for tickets about the LWP-Authen-Negotiate CPAN distribution.

Report information
The Basics
Id: 77960
Status: open
Priority: 0/
Queue: LWP-Authen-Negotiate

People
Owner: Nobody in particular
Requestors: 1983-01-06 [...] gmx.net
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Wrong mechanism used for the context
Date: Fri, 22 Jun 2012 11:33:55 +0200
To: bug-LWP-Authen-Negotiate [...] rt.cpan.org
From: 1983-01-06 [...] gmx.net
The module fails to create a token which the server expects. The server expects a SPNEGO token and not a Kerberos token for WWW-Authenticate: Negotiate.

Change line 78 to

    my $imech = GSSAPI::OID::gss_mech_spnego;

and it works perfectly. This is a very serious bug.

The Kerberos mechanism can be used with WWW-Authenticate: Kerberos.
Subject: Re: [rt.cpan.org #77960] Wrong mechanism used for the context
Date: Fri, 22 Jun 2012 14:31:59 +0200
To: bug-LWP-Authen-Negotiate [...] rt.cpan.org
From: Achim Grolms <achim [...] grolmsnet.de>
Hi,

gss_mech_krb5 is used to be compatible with old versions of MIT/Heimdal that don't provide gss_mech_spnego. (I think I can change it to use 'gss_mech_spnego' if 'gss_mech_spnego' is present.)

The version using gss_mech_krb5() was tested against Apache/mod_auth_kerb and IIS. What combination of client/server creates the problems you describe?

Thank you!

Best Regards,
Achim

On Friday 22 June 2012, Michael-O via RT wrote:
> Fri Jun 22 05:34:06 2012: Request 77960 was acted upon.
> Transaction: Ticket created by 1983-01-06@gmx.net
> Queue: LWP-Authen-Negotiate
> Subject: Wrong mechanism used for the context
> Broken in: (no value)
> Severity: (no value)
> Owner: Nobody
> Requestors: 1983-01-06@gmx.net
> Status: new
> Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=77960 >
>
> The module fails to create a token which the server expects. The server
> expects a SPNEGO token and not a Kerberos token for WWW-Authenticate:
> Negotiate.
>
> Change line 78 to my $imech = GSSAPI::OID::gss_mech_spnego;
>
> and it works perfectly. This is a very serious bug.
>
> The Kerberos mechanism can be used with WWW-Authenticate: Kerberos.
Subject: Re: [rt.cpan.org #77960] Wrong mechanism used for the context
Date: Fri, 22 Jun 2012 19:46:23 +0200
To: bug-LWP-Authen-Negotiate [...] rt.cpan.org
From: Michael-O <1983-01-06 [...] gmx.net>
Hello Achim,

On 2012-06-22 14:32, achim@grolmsnet.de via RT wrote:
> <URL: https://rt.cpan.org/Ticket/Display.html?id=77960 >
>
> Hi,
>
> gss_mech_krb5 is used to be compatible with old Versions of
> MIT/Heimdal that don't provide gss_mech_spnego.
Agreed!
> (I think I can change it to use 'gss_mech_spnego' if 'gss_mech_spnego'
> is present.
This should be done.
> The Version using gss_mech_krb5() was tested against
> Apache/mod_auth_kerb and IIS, what combination of client/server
> create the problems you describe?
I am on a Red Hat 6.2 client and HP-UX Java 6 with JGSS on the server. The acceptor is a Tomcat 6.0.35 with a SPNEGO Authenticator [1].

The point simply is, the module is named LWP::Authenticate::Negotiate. Kerberos 5 and SPNEGO have completely different OIDs. Sending a Kerberos 5 token even though the server requested a SPNEGO token is simply not correct. My connector threw an exception because the OID is incompatible. It expected a SPNEGO token. If the server advertises WWW-Authenticate: Kerberos, this is just fine; otherwise it is not.

I checked the source of mod_auth_kerb and they do not use the recent built-in SPNEGO feature of MIT/Heimdal. They unwrap the token themselves. (Just as libcurl does, that's why I ditched it and simply love your implementation.) What puzzles me are these lines from 1257:

    gss_OID_desc spnego_oid;
    gss_ctx_id_t context = GSS_C_NO_CONTEXT;
    gss_cred_id_t server_creds = GSS_C_NO_CREDENTIAL;
    *negotiate_ret_value = "\0";
    spnego_oid.length = 6;
    spnego_oid.elements = (void *)"\x2b\x06\x01\x05\x05\x02";

This is SPNEGO and not Kerberos 5 [2]. If this really works, it's simply broken. Please keep in mind that IIS often advertises both, Negotiate and Kerberos.

Mike

[1] http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java?view=markup#l210 (Code was donated by me to the Tomcat project.)
[2] http://msdn.microsoft.com/en-us/library/ms995330.aspx
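The check Michael describes doing by hand on the Wireshark dump (looking at which mechanism OID sits at the front of the token the client sends) can be automated. The following is an added example, not code from the ticket, from LWP::Authen::Negotiate or from mod_auth_kerb; it is written in Python rather than Perl so it runs without a GSSAPI library or a KDC. It parses the RFC 2743 InitialContextToken framing (0x60, length, OBJECT IDENTIFIER, inner token) and reports whether an `Authorization: Negotiate` value actually carries SPNEGO (1.3.6.1.5.5.2, the bytes quoted above from mod_auth_kerb) or a bare Kerberos V5 token (1.2.840.113554.1.2.2, the OID from RFC 1964). The header values are constructed samples; their inner bytes are placeholders, not valid NegTokenInit or KRB_AP_REQ encodings.

```python
"""Inspect which GSS-API mechanism a Negotiate credential actually carries."""
import base64

# Mechanism OIDs discussed in the ticket: SPNEGO (the bytes quoted from
# mod_auth_kerb) and Kerberos V5 (RFC 1964).
SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
SPNEGO_OID_DER = b"\x2b\x06\x01\x05\x05\x02"
KRB5_OID_DER = b"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"
MECH_NAMES = {SPNEGO_OID: "SPNEGO", KRB5_OID: "Kerberos V5"}


def decode_oid(raw: bytes) -> str:
    """Decode the content octets of a DER OBJECT IDENTIFIER into dotted form."""
    if not raw:
        raise ValueError("empty OID")
    arcs = [raw[0] // 40, raw[0] % 40]          # first octet packs the first two arcs
    value, pending = 0, False
    for b in raw[1:]:                           # base-128, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(value)
            value = 0
    if pending:
        raise ValueError("truncated OID sub-identifier")
    return ".".join(str(a) for a in arcs)


def _read_length(buf: bytes, pos: int):
    """Parse a DER length starting at buf[pos]; return (length, position after it)."""
    if pos >= len(buf):
        raise ValueError("truncated length")
    first, pos = buf[pos], pos + 1
    if first < 0x80:                            # short form
        return first, pos
    n = first & 0x7F                            # long form: n length octets follow
    if n == 0 or n > 4 or pos + n > len(buf):
        raise ValueError("unsupported or truncated length encoding")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def _encode_length(n: int) -> bytes:
    """DER length encoding, short or long form as needed (used for sample data)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def mechanism_of_token(token: bytes) -> str:
    """Return the dotted mechanism OID at the front of an RFC 2743 InitialContextToken
    (0x60 <len> 0x06 <oid-len> <oid> <mechanism-specific token>)."""
    if not token or token[0] != 0x60:
        raise ValueError("not an InitialContextToken ([APPLICATION 0] tag missing)")
    total, pos = _read_length(token, 1)
    if pos + total != len(token):
        raise ValueError("outer length does not match token size")
    if pos >= len(token) or token[pos] != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER after outer header")
    oid_len, pos = _read_length(token, pos + 1)
    if pos + oid_len > len(token):
        raise ValueError("truncated mechanism OID")
    return decode_oid(token[pos:pos + oid_len])


def classify_negotiate_header(header_value: str) -> str:
    """Classify an 'Authorization: Negotiate <base64>' value. RFC 4559 says the
    Negotiate scheme carries SPNEGO tokens, so any other mechanism is flagged."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        raise ValueError("not a Negotiate credential")
    oid = mechanism_of_token(base64.b64decode(b64, validate=True))
    verdict = "OK" if oid == SPNEGO_OID else "MISMATCH"
    return f"{verdict}: {MECH_NAMES.get(oid, 'unknown mechanism')} ({oid})"


def build_token(oid_der: bytes, inner: bytes) -> bytes:
    """Wrap <inner> in the RFC 2743 framing with the given mechanism OID (sample data only)."""
    body = bytes([0x06]) + _encode_length(len(oid_der)) + oid_der + inner
    return bytes([0x60]) + _encode_length(len(body)) + body


# Constructed samples. The inner bytes are placeholders, not valid NegTokenInit or
# KRB_AP_REQ encodings; only the outer framing and the mechanism OID are realistic.
SAMPLE_HEADERS = {
    "spnego": "Negotiate " + base64.b64encode(
        build_token(SPNEGO_OID_DER, b"\xa0\x00placeholder-negtokeninit")).decode(),
    "krb5": "Negotiate " + base64.b64encode(
        build_token(KRB5_OID_DER, b"\x01\x00placeholder-ap-req")).decode(),
}

if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        print(f"{label:6s} -> {classify_negotiate_header(header)}")
```

Only the outer mechanism OID is inspected, which is exactly what an acceptor such as the Tomcat SPNEGO authenticator rejects on; a real SPNEGO NegTokenInit lists further mechanisms inside, and the second-leg NegTokenResp (tag 0xa1) has no outer RFC 2743 framing at all, so the function deliberately raises on it rather than guessing.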
Subject: Re: [rt.cpan.org #77960] Wrong mechanism used for the context
Date: Fri, 22 Jun 2012 20:47:12 +0200
To: bug-LWP-Authen-Negotiate [...] rt.cpan.org
From: Achim Grolms <achim [...] grolmsnet.de>
On Friday 22 June 2012, Michael-O via RT wrote:
> The point simply is, the module is named LWP::Authenticate::Negotiate.
Correct.
> Kerberos 5 and SPNEGO do have completely different OIDs.
Correct.
> Sending Kerberos
> 5 token even though the server requested a SPNEGO token is simply not
> correct.
Hmm. You can read this "simply not correct" from RFC 4559 "SPNEGO-based Kerberos and NTLM HTTP Authentication"?

| The "Negotiate" auth-scheme calls for the use of SPNEGO GSSAPI tokens
| that the specific mechanism type specifies.

Yes... it sounds as if you are correct.

To be honest: we have stolen the implementation of LWP::Authenticate::Negotiate from Firefox, so I never was really sure what's correct and what's not.
> I checked the source of mod_auth_kerb and they do not use the recent
> built-in SPNEGO feature of MIT/Heimdal.
> They unwrap the token
> themselves.
Yes. That's because mod_auth_kerb was released when the "built-in SPNEGO feature" of MIT/Heimdal was not available. Today's mod_auth_kerb checks at compile time for SPNEGO in MIT/Heimdal and makes use of it. (Have a look at the configure script.)

Please let me first do some checks on what things get broken when changing to

    $imech = GSSAPI::OID::gss_mech_spnego;

Best Regards,
Achim
Subject: Re: [rt.cpan.org #77960] Wrong mechanism used for the context
Date: Tue, 26 Jun 2012 08:23:18 +0200
To: bug-LWP-Authen-Negotiate [...] rt.cpan.org
From: Michael-O <1983-01-06 [...] gmx.net>
Achim,

On 2012-06-22 20:47, achim@grolmsnet.de via RT wrote:
> [...]
>
>> I checked the source of mod_auth_kerb and they do not use the recent
>> built-in SPNEGO feature of MIT/Heimdal.
>> They unwrap the token
>> themselves.
>
> Yes. That's because mod_auth_kerb was released when
> "built-in SPNEGO feature" of MIT/Heimdal was not available.
> Today's mod_auth_kerb checks at compile-time for SPNEGO in MIT/Heimdal
> and makes use of it. (Have a look at the configure script).
>
> Please let me first do some checks what things
> get broken when changing to
>
> $imech = GSSAPI::OID::gss_mech_spnego;
Just a quick update for you while you are examining the issue. I inspected the Wireshark dump and it looks exactly as I have described.

Additionally, I wanted to know if other libraries suffer from the same problem. Yes, indeed they do. libneon makes the same erroneous request. See my mail here [1]. It seems Subversion is also incapable of doing SPNEGO with libneon.

Michael

[1] http://lists.manyfish.co.uk/pipermail/neon/2012-June/001475.html
Subject: Re: [rt.cpan.org #77960] Wrong mechanism used for the context
Date: Tue, 26 Jun 2012 19:29:42 +0200
To: bug-LWP-Authen-Negotiate [...] rt.cpan.org
From: Michael-O <1983-01-06 [...] gmx.net>
Another side note: libserf is incorrectly implemented too: http://code.google.com/p/serf/source/browse/trunk/auth/auth_kerb_gss.c#69
Subject: Re: [rt.cpan.org #77960] Wrong mechanism used for the context
Date: Sat, 18 Aug 2012 11:51:45 +0200
To: bug-LWP-Authen-Negotiate [...] rt.cpan.org
From: Michael-O <1983-01-06 [...] gmx.net>
Achim, are you done with your investigations? Can you apply that patch?

SPNEGO support was added to MIT Kerberos in 2006 [1] and to Heimdal in version 0.7 in 2005 [2].

Mike

[1] http://krbdev.mit.edu/rt/Ticket/Display.html?user=guest&pass=guest&id=2931
[2] http://www.h5l.org/releases.html
Bump!

Achim, could you take a look at this?

If you no longer work on this module, I wonder if it would be better to hand it over to the https://github.com/libwww-perl group.

Thanks!
Subject: Re: [rt.cpan.org #77960] Wrong mechanism used for the context
Date: Wed, 19 Apr 2017 14:18:08 +0200
To: bug-LWP-Authen-Negotiate [...] rt.cpan.org
From: Achim Grolms <achim [...] grolmsnet.de>
Hi,

if https://github.com/libwww-perl is interested in maintaining it, what are the steps I need to take to hand it over?

Best Regards,
Achim

On Wednesday 19 April 2017, you wrote:
> Queue: LWP-Authen-Negotiate
> Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=77960 >
>
> Bump!
>
> Achim could you take a look at this?
>
> If you no longer work on this module, I wonder if it could be better to
> hand over it to the https://github.com/libwww-perl group.
>
> Thanks!