Bug 1154747 – NTLM: ignore CURLOPT_FORBID_REUSE during NTLM HTTP auth

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1154747 - NTLM: ignore CURLOPT_FORBID_REUSE during NTLM HTTP auth

Summary:	NTLM: ignore CURLOPT_FORBID_REUSE during NTLM HTTP auth

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	curl (Show other bugs)
Sub Component:
Version:	6.3
Hardware:	x86_64 Linux

Priority	unspecified Severity low
Target Milestone:	rc
Target Release:	---
Assigned To:	Kamil Dudka
QA Contact:	Stefan Kremen
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:	1166264
Blocks:
	Show dependency tree / graph

Reported:	2014-10-20 12:38 EDT by Paul Ling
Modified:	2015-07-22 01:43 EDT (History)
CC List:	4 users (show)

See Also:
Fixed In Version:	curl-7.19.7-43.el6
Doc Type:	Bug Fix
Doc Text:	libcurl provides a FORBID_REUSE flag to disable reuse of existing connections. However, the connection reuse feature is internally used to implement NTLM (NT LAN Manager) authentication. This resulted in authentication failures when the FORBID_REUSE was set. An upstream patch has been applied on libcurl sources to ensure that the FORBID_REUSE flag does not interfere with the NTLM authentication. Now both the features can be used together with no side effects.
Story Points:	---
Clone Of:
Clones:	1166264 (view as bug list)
Environment:
Last Closed:	2015-07-22 01:43:55 EDT
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:1254	normal	SHIPPED_LIVE	Moderate: curl security, bug fix, and enhancement update	2015-07-20 13:50:03 EDT

Groups: None (edit)

Description Paul Ling 2014-10-20 12:38:32 EDT

Description of problem:
if CURLOPT_FORBID_REUSE is set, requests using NTLM failed
since NTLM requires multiple requests that re-use the same connection
for the authentication to work

Version-Release number of selected component (if applicable):
7.19.7

How reproducible:
The connection of NTLM authenticated request shouldn't be reuse in libcurl multi interface because it includes authentication context, after reuse with other plain requests to the same server, the context will be messed up and then next request with the same user's NTLM authentication will get 401 always until this connection get closed by HTTP server, and new connection to be established for the NTLM request. 

But because of this defect, I couldn't set CURLOPT_FORBID_REUSE for NTLM authenticated request (it always failed after retry five times), due to NTLM requires the same connection for at least two continuous requests to finish authentication. This issue normally may not be able reproduce with curl command line because curl doesn't use the multi interface for asynchronous I/O that my appserver did.

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:
Ignore the forbid reuse flag in case the NTLM authentication
handshake is in progress, according to the NTLM state flag.

Additional info:

Please refer to curl fix here.
https://github.com/bagder/curl/commit/63a0bd4270decef04e64fbe497b42f2c9e26c62b

Comment 2 Kamil Dudka 2014-10-21 09:01:20 EDT

(In reply to Paul Ling from comment #0)
> The connection of NTLM authenticated request shouldn't be reuse in libcurl
> multi interface because it includes authentication context, after reuse with
> other plain requests to the same server, the context will be messed up and
> then next request with the same user's NTLM authentication will get 401
> always until this connection get closed by HTTP server, and new connection
> to be established for the NTLM request.

Which bug do you refer to above?  Has it been already reported?  How are you confirming that libcurl is used correctly in the above scenario?

Please provide a minimal example.

Comment 3 Paul Ling 2014-10-21 19:51:21 EDT

Here is the information copied from curl known bugs in the link I gave in this bug additional info section.

-77. CURLOPT_FORBID_REUSE on a handle prevents NTLM from working since it
-  "abuses" the underlying connection re-use system and if connections are
-  forced to close they break the NTLM support.
-

Comment 4 Kamil Dudka 2014-10-21 20:44:37 EDT

That is actually not what I was asking about.  I meant what is the reason you need to use CURLOPT_FORBID_REUSE at all?

Comment 5 Paul Ling 2014-10-22 14:51:24 EDT

Steps to Reproduce:
1. Create curl multi handle with most default options, I only set CURLMOPT_SOCKETFUNCTION/CURLMOPT_SOCKETDATA for libevent integration
2. Create and add easy handle for NTLM authentication HTTPS request with AD user A credentials. One connection will be established this time
3. Create and add one HTTPS request to the same web server but doesn't require NTLM authentication afterward, libcurl will reuse the connection which send NTLM authentication request.
4. Create and add the third request as same as the first NTLM requests with the same user. libcurl still want to reuse the same connection for this new NTLM request. But IIS will return 401 always as below unless the old connection break down and new connection established.


 * Re-using existing connection! (#0) with host hhh.xxx.com
 * Connected to hhh.xxx.com (10.26.0.100) port 443 (#0)
 * Server auth using NTLM with user 'ppp@xxx.com'
 > POST /auth/useradauth HTTP/1.1^M
 User-Agent: libcurl/7.19.7 NSS/3.13.1.0 zlib/1.2.3 libidn/1.18 libssh2/1.2.2^M
 Host: hhh.xxx.com^M
 Accept: */*^M
 Content-Type: application/json^M
 Content-Length: 67^M
 ^M
 < HTTP/1.1 401 Unauthorized^M
 < Server: Microsoft-IIS/7.5^M
 * gss_init_sec_context() failed: : Credentials cache file '/tmp/krb5cc_0' not found< WWW-Authenticate: Negotiate^M
 * Authentication problem. Ignoring this.
 < WWW-Authenticate: NTLM^M
 < X-Powered-By: ASP.NET^M
 < Date: Wed, 22 Oct 2014 18:40:44 GMT^M
 < Content-Length: 0^M
 < ^M
 * Connection #0 to host hhh.xxx.com left intact

Comment 6 Kamil Dudka 2014-10-23 10:05:40 EDT

This looks like CVE-2014-0015, which is fixed since curl-7.19.7-37.el6_5.3.  Please have a look at bug #1053903 for details.

Comment 7 Paul Ling 2014-10-24 02:34:08 EDT

I noticed bug #1053903 as well, but it only happened when use multiple auth options together. To avoid this issue, I already specified only CURLAUTH_NTLM as HTTP_AUTH option in my app.

Comment 8 Kamil Dudka 2014-10-24 03:03:06 EDT

The point is that, if the authentication credentials (at least user name?) differ, the connection cannot be reused (even if CURLOPT_FORBID_REUSE is not set).  So the request for a minimal example is still valid.

Comment 9 Paul Ling 2014-10-24 03:08:30 EDT

But in my case, it is the same user to make NTLM http request twice in two minutes. If it is another user to make NTLM HTTP request, there is no problem.

Comment 10 Kamil Dudka 2014-10-24 03:33:27 EDT

As I understand it, you give libcurl user name and password to authenticate on sites that do not require (more precisely deny) authentication, which causes a problem later on.

Comment 11 Paul Ling 2014-10-24 17:19:20 EDT

Let me explain little bit more about my case.
My web server has two web apps, one is authenticator which takes IWA authentication and issue my special ticket to client. The second web app is that takes this ticket inside of HTTP body to provide discovery service, this web app does not request NTLM authentication.

The client process is that sending authentication HTTPS request with user/password to the first webapp, following by the second NON-NTLM HTTPS request without user/password. Once my client repeat this process, only the first authentication HTTPS request got succeeded, the second time authentication and later will always got 401 failure because of the connection re-use.

Comment 12 Kamil Dudka 2014-10-29 10:41:50 EDT

(In reply to Paul Ling from comment #11)
> The client process is that sending authentication HTTPS request with
> user/password to the first webapp, following by the second NON-NTLM HTTPS
> request without user/password. Once my client repeat this process, only the
> first authentication HTTPS request got succeeded, the second time
> authentication and later will always got 401 failure because of the
> connection re-use.

That ^^^ is the part that I still do not understand.  If your first request has user/password set and the second request does not have user/password set, the connection cannot be re-used for them.

Are you sure you have upgraded to curl-7.19.7-37.el6_5.3 or later?

Comment 22 errata-xmlrpc 2015-07-22 01:43:55 EDT

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-1254.html

Note You need to log in before you can comment on or make changes to this bug.