1785509 – cockpit-ws cannot process longer HTTPS request than 4096 bytes

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1785509 - cockpit-ws cannot process longer HTTPS request than 4096 bytes

Summary: cockpit-ws cannot process longer HTTPS request than 4096 bytes

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	cockpit
Sub Component:
Version:	8.0
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	8.2
Assignee:	Martin Pitt
QA Contact:	Jan Ščotka
Docs Contact:
URL:
Whiteboard:
Depends On:	1785497
Blocks:
TreeView+	depends on / blocked

Reported:	2019-12-20 04:46 UTC by Masahiro Matsuya
Modified:	2023-12-15 17:07 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:	1785497
Environment:
Last Closed:	2020-04-28 16:51:35 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-33365	0	None	None	None	2023-02-12 21:27:43 UTC
Red Hat Product Errata	RHBA-2020:1837	0	None	None	None	2020-04-28 16:51:49 UTC

Description Masahiro Matsuya 2019-12-20 04:46:15 UTC

+++ This bug was initially created as a clone of Bug #1785497 +++

Description of problem:
A customer had a cockpit login issue. This login issue happened when the longer HTTP GET request was received. 

This customer configured SSO login with Kerberos for cockpit. Some user could log into the cockpit with SSO enabled, but other user could not login.

The following is the sequence I found when the problem happened.

1)  The browser sent GET method with /cockpit/login to cockipt-ws
2)  cockpit-ws created a cockpit-session process
3)  cockpit-session sent to cockpit-ws:
{"command":"authorize","cookie":"sessionXXXXXXXXXXXXXXX","challenge":"*"}
4)  cockpit-ws sent to cockpit-session:
{"command":"authorize","cookie":"sessionXXXXXXXXXXXXXXX","response":"Negotiate"}
5)  cockpit-session sent to cockpit-ws:
{"command":"authorize","cookie":"sessioXXXXXXXXXXXXXXXX","challenge":"Negotiate"}
6)  cockpit-ws sent to browser:  "HTTP/1.1 401 Authentication required" and "WWW-Authenticate: Negotiate"
7)  browser sent to cockpit-ws:  "GET /cockpit/login HTTP/1.1" and "Authorization: Negotiate YIILc..."

The size of the last GET request was 4101 bytes, and cockpit-ws didn't pass the Authorization data into cockpit-session.

This is the problem of the request buffer size in cockpit-ws. Now it's 4096.
So, it cannot process the request longer than 4096.

The customer confirmed that the problem was fixed by a test package to increase the buffer size into 8192.

I'll attach the patch on this bugzilla.

Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux 7

How reproducible:
Always reproduced with a specific user in customer's system only.

Steps to Reproduce:
1. Setup cockpit SSO configuration.
2. Make a larger HTTP request than 4096 to cockpit.
   Not sure if we can do it by intent. 

In the customer's case, the data following "Authorization: Negotiate" was too long. 


Actual results:
cockpit login didn't work with SSO with some users.

Expected results:
cockpit login works with SSO with any user.

--- Additional comment from RHEL Program Management on 2019-12-20 03:14:20 UTC ---

Since this bug report was entered in Red Hat Bugzilla, the release flag has been set to ? to ensure that it is properly evaluated for this release.

--- Additional comment from Masahiro Matsuya on 2019-12-20 03:18:19 UTC ---

Comment 2 Martin Pitt 2019-12-20 07:35:08 UTC

Thanks for your report!

I did an initial attempt at reproducing this, with the debug patch below. But that doesn't reproduce it. A small request with

    $ curl -H "Authorization: Negotiate AAAAA" http://localhost:9999/cockpit/login

is correctly plumbed through the web server to cockpit-session:

    cockpit-session: authorize message: Negotiate AAAAA


But so is a large request > 4KiB:

   $ curl -H "Authorization: Negotiate $(printf '%0.5000i' 1)" http://localhost:9999/cockpit/login

   cockpit-session: authorize message: Negotiate 00[.... 5000 more '0's ...]01

It  only breaks down at 8 KiB:

   $ curl -H "Authorization: Negotiate $(printf '%0.8200i' 1)" http://localhost:9999/cockpit/login
   curl: (52) Empty reply from server

   cockpit-protocol-Message: 08:27:09.360: received HTTP request that was too large

But this is not affected by your patch, it's enforced in parse_and_process_request():

  /* The hard input limit, we just terminate the connection */
  if (request->buffer->len > cockpit_webserver_request_maximum * 2)
    {
      g_message ("received HTTP request that was too large");
      goto out;
    }

(cockpit_webserver_request_maximum is 4096).

So it seems what's going on is slightly more complicated than this naïve attempt at reproducing.



--- src/ws/cockpitauth.c
+++ src/ws/cockpitauth.c
@@ -53,7 +53,7 @@
 
 /* Some tunables that can be set from tests */
 const gchar *cockpit_ws_session_program =
-    PACKAGE_LIBEXEC_DIR "/cockpit-session";
+    "./cockpit-session";
 
 const gchar *cockpit_ws_ssh_program =
     PACKAGE_LIBEXEC_DIR "/cockpit-ssh";
diff --git src/ws/session-utils.c src/ws/session-utils.c
index b5d074926..6bd871b9b 100644
--- src/ws/session-utils.c
+++ src/ws/session-utils.c
@@ -79,6 +79,7 @@ read_authorize_response (const char *what)
   len -= auth_prefix_size + auth_response_size + auth_suffix_size;
   memmove (message, message + auth_prefix_size + auth_response_size, len);
   message[len] = '\0';
+  debug ("authorize message: %s", message);
   return (char *)message;
 }
 
diff --git src/ws/session-utils.h src/ws/session-utils.h
index a64c37858..eb9a68936 100644
--- src/ws/session-utils.h
+++ src/ws/session-utils.h
@@ -38,7 +38,7 @@
 #include "common/cockpitauthorize.h"
 #include "common/cockpitmemory.h"
 
-#define DEBUG_SESSION 0
+#define DEBUG_SESSION 1
 #define EX 127
 #define DEFAULT_PATH "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 
and run `G_MESSAGES_DEBUG=all ./cockpit-ws --no-tls -p 9999`

Comment 3 Martin Pitt 2019-12-20 08:46:31 UTC

If there is more data to read from the request than 4KiB, on_request_input() is just being called several times. After the first 4K, the header is still incomplete, and this is supposed to be caught by this in parse_and_process_request():

  off2 = web_socket_util_parse_headers ((const gchar *)request->buffer->data + off1,
                                        request->buffer->len - off1,
                                        &headers);
  if (off2 == 0)
    {
      again = TRUE;
      goto out;
    }

i. e. if this hits, it ignores the currently pending buffer, and goes back to reading more input. web_socket_util_parse_headers() returns 0 mainly if there is no line ending (\n) in the request. I stepped through the code with various scenarios such as adding more headers before and after "Authorization:", but I still can't see how this fails.

Increasing the block size to 8192 fixes your case "by accident", but with slightly different data or network I/O patterns (fragmenting the packets differently) a large request might still be split into multiple smaller send()/recv() blocks, so I don't think this is a robust solution.

As a next step I tried this in a real IdM (FreeIPA) environment with kerberos negotiation. With no functional changes, just some extra debugging, it works fine (as expected, the Negotiate header is 867 bytes):

    $ sudo -u cockpit-wsinstance G_MESSAGES_DEBUG=all /usr/libexec/cockpit-ws --port 9999 --no-tls

    $ curl --negotiate -u: http://x0.cockpit.lan:9999/cockpit/login
    {"csrf-token":"3fe28d3fe7d9beee2277abc63aad7ee8359a0f87b097e9daa43df0ce349930f5"}


    cockpit-session: authorize message: Negotiate YIIC[...]GLE

So now I tried to reproduce it with going the opposite direction -- the read chunk length that you bumped from 4096 to 8192 I changed to 512, so that my 867 byte Negotiate header does not fit in any more. But this still worked, I get a valid login token, and the header was parsed correctly in multiple chunks:

(cockpit-ws:31270): cockpit-protocol-DEBUG: 03:38:15.466: XXX on_request_input current length 0; adding 512
(cockpit-ws:31270): cockpit-protocol-DEBUG: 03:38:15.466: XXX on_request_input current read 512 bytes
(cockpit-ws:31270): cockpit-protocol-DEBUG: 03:38:15.467: XXX on_request_input set new buffer size to 512
(cockpit-ws:31270): cockpit-protocol-DEBUG: 03:38:15.467: XXX parse_and_process_request, current size 512
(cockpit-ws:31270): WebSocket-DEBUG: 03:38:15.467: XXX web_socket_util_parse_headers: got line of len 27
(cockpit-ws:31270): WebSocket-DEBUG: 03:38:15.467: XXX web_socket_util_parse_headers: got header Host val 'x0.cockpit.lan:9999'
(cockpit-ws:31270): WebSocket-DEBUG: 03:38:15.467: XXX web_socket_util_parse_headers no EOL in buffer, ignoring
(cockpit-ws:31270): cockpit-protocol-DEBUG: 03:38:15.467: XXX on_request_input current length 512; adding 512
(cockpit-ws:31270): cockpit-protocol-DEBUG: 03:38:15.467: XXX on_request_input current read 467 bytes
(cockpit-ws:31270): cockpit-protocol-DEBUG: 03:38:15.467: XXX on_request_input set new buffer size to 979
(cockpit-ws:31270): cockpit-protocol-DEBUG: 03:38:15.467: XXX parse_and_process_request, current size 979
(cockpit-ws:31270): WebSocket-DEBUG: 03:38:15.467: XXX web_socket_util_parse_headers: got line of len 27
(cockpit-ws:31270): WebSocket-DEBUG: 03:38:15.467: XXX web_socket_util_parse_headers: got header Host val 'x0.cockpit.lan:9999'
(cockpit-ws:31270): WebSocket-DEBUG: 03:38:15.467: XXX web_socket_util_parse_headers: got line of len 883
(cockpit-ws:31270): WebSocket-DEBUG: 03:38:15.467: XXX web_socket_util_parse_headers: got header Authorization val 'Negotiate YIICfgYGKwYBBQUCoIICcjCCAm6gDTALBgkqhkiG9xIBAgKiggJbBIICV2CCAlMGCSqGSIb3EgECAgEAboICQjCCAj6gAwIBBaEDAgEOogcDBQAgAAAAo4IBVmGCAVIwggFOoAMCAQWhDRsLQ09DS1BJVC5MQU6iITAfoAMCAQOhGDAWGwRIVFRQGw54MC5jb2NrcGl0LmxhbqOCARMwggEPoAMCARKhAwIBAaKCAQEEgf4VpQgWov+ySGYYXPWiIunKbgt093FZpMtWO/M8XTbuZLIHLT1IqHN6KXaJ7rYDxMzTV55i1mMbbaM9sw79Z89kOPNl4hl8/Q1JoBVFm4Ssad5DpymO6Kby9pi/AsPsmAvcYfFHz9owg+J7N6q79ZHhwEMdBv1OzMuR7NnvVJsYZZFt76Sv+mys70wgvIKjZUzeJDJbaxzcMecmznSJtaQ+K4lOtJWvBy3XBH85XkCL5eTWyHurGcG8GjPP+F0rwaHMdcC/BEgp8a7CSW7hDpk82/kB4+mKCZ4jv0TkI9mSLuerN94tvwHr76m+KZ+F6J3aAi5/6+djyG/BgnYYnKSBzjCBy6ADAgESooHDBIHAU9PK3SkE/ppNiNs3GFvcpO5mO3bPCIzm5yF0rTOkk/8smh33dG0Vn8evLixxpwotZzkn6wTklGcwZRgwBsmxGoBPGrTLLG6W1qFElWw8Trq17EQemXWM0LtVXeZIaMJif9zzckyvkjBOn6WfMYvqC8LTKWoOgXNLDVYXj8xWudDXz9zgCpzlB5DYQuwR+wziyEi0eGtxBtVXfZFtcAuLJFRPCVQDOD30TaEN6XU4a+r6229Wu8bD0258Ei7VAtDZ'
(cockpit-ws:31270): WebSocket-DEBUG: 03:38:15.467: XXX web_socket_util_parse_headers: got line of len 25
(cockpit-ws:31270): WebSocket-DEBUG: 03:38:15.467: XXX web_socket_util_parse_headers: got header User-Agent val 'curl/7.66.0'
(cockpit-ws:31270): WebSocket-DEBUG: 03:38:15.467: XXX web_socket_util_parse_headers: got line of len 13
(cockpit-ws:31270): WebSocket-DEBUG: 03:38:15.467: XXX web_socket_util_parse_headers: got header Accept val '*/*'
(cockpit-ws:31270): WebSocket-DEBUG: 03:38:15.467: XXX web_socket_util_parse_headers: got line of len 2
(cockpit-ws:31270): WebSocket-DEBUG: 03:38:15.467: XXX web_socket_util_parse_headers: got empty line


I also tried with 128 bytes, and it still works. (last patch: https://gist.github.com/martinpitt/80502247072aee4199e8b2c7942ede67)

So I'm afraid I still cannot reproduce this.

Masahiro, do you still have access to the affected environment? Any chance that I could get access to that, or perhaps you can try and apply the above gist patch and send me the output? Note that you don't have to put this into /usr actually, you can just run cockpit-ws as normal user out of the build tree. It won't be able to call cockpit-session then and auth will fail, but the interesting parts about the header parsing will have happened by then already.

Thanks!

Comment 4 Masahiro Matsuya 2019-12-20 13:17:03 UTC

Hello Martin,

Thanks for your update.

Can you try it with TLS enabled?
I could reproduce the problem with that.

1) Start the cockpit-ws without --no-tls.
2) # curl -H "Authorization: Negotiate $(printf '%0.5000i' 1)" --insecure https://localhost:9999/cockpit/login

   ==> Anything is not output.

3) # curl -H "Authorization: Negotiate $(printf '%0.3000i' 1)" --insecure https://localhost:9999/cockpit/login

   ==> HTML data including "<title>Loading...</title>" was output.

Thanks!

Masahiro

Comment 5 Masahiro Matsuya 2019-12-23 05:09:40 UTC

I built the debug package with the gist patch, and tested it on RHEL8.1 with TLS enabled.

# sudo -u cockpit-ws G_MESSAGES_DEBUG=all /usr/libexec/cockpit-ws --port 9999
(cockpit-ws:1827): cockpit-ws-DEBUG: 14:06:24.216: loaded 1 certificates from /etc/cockpit/ws-certs.d/0-self-signed.cert
cockpit-ws-INFO: 14:06:24.216: Using certificate: /etc/cockpit/ws-certs.d/0-self-signed.cert
(cockpit-ws:1827): cockpit-protocol-DEBUG: 14:07:00.737: XXX on_request_input current length 0; adding 4096
(cockpit-ws:1827): cockpit-protocol-DEBUG: 14:07:00.738: XXX on_request_input current read -1 bytes
(cockpit-ws:1827): cockpit-protocol-DEBUG: 14:07:00.738: XXX on_request_input current length 0; adding 4096
(cockpit-ws:1827): cockpit-protocol-DEBUG: 14:07:00.738: XXX on_request_input current read -1 bytes
(cockpit-ws:1827): cockpit-protocol-DEBUG: 14:07:00.745: XXX on_request_input current length 0; adding 4096
(cockpit-ws:1827): cockpit-protocol-DEBUG: 14:07:00.745: XXX on_request_input current read 4096 bytes
(cockpit-ws:1827): cockpit-protocol-DEBUG: 14:07:00.745: XXX on_request_input set new buffer size to 4096
(cockpit-ws:1827): cockpit-protocol-DEBUG: 14:07:00.745: XXX parse_and_process_request, current size 4096
(cockpit-ws:1827): WebSocket-DEBUG: 14:07:00.745: XXX web_socket_util_parse_headers: got line of len 22
(cockpit-ws:1827): WebSocket-DEBUG: 14:07:00.745: XXX web_socket_util_parse_headers: got header Host val 'localhost:9999'
(cockpit-ws:1827): WebSocket-DEBUG: 14:07:00.746: XXX web_socket_util_parse_headers: got line of len 25
(cockpit-ws:1827): WebSocket-DEBUG: 14:07:00.746: XXX web_socket_util_parse_headers: got header User-Agent val 'curl/7.61.1'
(cockpit-ws:1827): WebSocket-DEBUG: 14:07:00.746: XXX web_socket_util_parse_headers: got line of len 13
(cockpit-ws:1827): WebSocket-DEBUG: 14:07:00.746: XXX web_socket_util_parse_headers: got header Accept val '*/*'
(cockpit-ws:1827): WebSocket-DEBUG: 14:07:00.746: XXX web_socket_util_parse_headers no EOL in buffer, ignoring
cockpit-protocol-Message: 14:07:30.900: request timed out, closing
(cockpit-ws:1827): cockpit-ws-DEBUG: 14:07:54.894: auth is idle


# curl -H "Authorization: Negotiate $(printf '%0.5000i' 1)" --insecure https://localhost:9999/cockpit/login
curl: (52) Empty reply from server


Thanks,

Comment 7 Martin Pitt 2020-01-03 10:08:14 UTC

Thanks Masahiro! Indeed it reproduces well with https, I didn't originally think that this would make a difference. So this is a bug/impedance mismatch between the block sizes acquired from TLS, versus the block sizes read by on_request_input().

This got "accidentally" fixed in RHEL 8.2 due to moving out TLS termination into cockpit-tls, so that cockpit-ws only ever speaks http. But as we need a fix for cockpit-ws for 7.8 anyway, let's just apply the fix to 8.2 as well, so that custom setups that call cockpit-ws directly work properly.

Comment 8 Martin Pitt 2020-01-03 15:45:50 UTC

https://github.com/cockpit-project/cockpit/pull/13351

Comment 12 errata-xmlrpc 2020-04-28 16:51:35 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1837

Note You need to log in before you can comment on or make changes to this bug.