Bug#969526: negotiate_kerberos_auth: Kerberos auth helper broken with error: "Invalid base64 token" after upgrade from 3.5.23-5+deb9u1 to 3.5.23-5+deb9u3
Package: squid
Version: 3.5.23-5+deb9u3
Severity: important
After upgrading from 3.5.23-5+deb9u1 to 3.5.23-5+deb9u3 the negotiate_kerberos_auth helper is completely broken.
My squid.conf auth helper config:
# cat /etc/squid/squid.conf
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -d -t none -s GSS_C_NO_NAME -k /etc/krb5_HTTP.keytab
auth_param negotiate children 25 idle=2 startup=2
auth_param negotiate keep_alive on
I've enabled the debug option for the Kerberos auth helper (-d).
The following error where logged when I tried to use the proxy and authenticate with Kerberos.
# less /var/log/squid/cache.log
negotiate_kerberos_auth.cc(487): pid=29509 :2020/09/04 11:26:11| negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
negotiate_kerberos_auth.cc(517): pid=29509 :2020/09/04 11:26:11| negotiate_kerberos_auth: INFO: Setting replay cache type to none
negotiate_kerberos_auth.cc(546): pid=29509 :2020/09/04 11:26:11| negotiate_kerberos_auth: INFO: Setting keytab to /etc/krb5_HTTP.keytab
negotiate_kerberos_auth.cc(570): pid=29509 :2020/09/04 11:26:11| negotiate_kerberos_auth: INFO: Changed keytab to MEMORY:negotiate_kerberos_auth_29509
negotiate_kerberos_auth.cc(610): pid=29508 :2020/09/04 11:26:24| negotiate_kerberos_auth: DEBUG: Got 'YR YI.......snip.......pQ==' from squid (length: 1887).
negotiate_kerberos_auth.cc(664): pid=29508 :2020/09/04 11:26:24| negotiate_kerberos_auth: DEBUG: Decode 'YI.......snip.......pQ==' (decoded length: 1413).
negotiate_kerberos_auth.cc(672): pid=29508 :2020/09/04 11:26:24| negotiate_kerberos_auth: ERROR: Invalid base64 token [YI.......snip.......pQ==]
And now the same debug log with the old, working version 3.5.23-5+deb9u1
I used the same client and the same proxy to test the problem. Only downgraded the squid package to the old version.
# less /var/log/squid/cache.log
negotiate_kerberos_auth.cc(487): pid=31235 :2020/09/04 11:38:52| negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
negotiate_kerberos_auth.cc(517): pid=31235 :2020/09/04 11:38:52| negotiate_kerberos_auth: INFO: Setting replay cache type to none
negotiate_kerberos_auth.cc(546): pid=31235 :2020/09/04 11:38:52| negotiate_kerberos_auth: INFO: Setting keytab to /etc/krb5_HTTP.keytab
negotiate_kerberos_auth.cc(570): pid=31235 :2020/09/04 11:38:52| negotiate_kerberos_auth: INFO: Changed keytab to MEMORY:negotiate_kerberos_auth_31235
negotiate_kerberos_auth.cc(610): pid=31234 :2020/09/04 11:39:20| negotiate_kerberos_auth: DEBUG: Got 'YR YI.......snip.......Q5eg==' from squid (length: 1887).
negotiate_kerberos_auth.cc(663): pid=31234 :2020/09/04 11:39:20| negotiate_kerberos_auth: DEBUG: Decode 'YI.......snip.......Q5eg==' (decoded length: 1411).
negotiate_kerberos_pac.cc(376): pid=31234 :2020/09/04 11:39:20| negotiate_kerberos_auth: INFO: Got PAC data of lengh 464
negotiate_kerberos_pac.cc(180): pid=31234 :2020/09/04 11:39:20| negotiate_kerberos_auth: INFO: Found 1 rids
negotiate_kerberos_pac.cc(188): pid=31234 :2020/09/04 11:39:20| negotiate_kerberos_auth: Info: Got rid: 515
negotiate_kerberos_pac.cc(256): pid=31234 :2020/09/04 11:39:20| negotiate_kerberos_auth: INFO: Got DomainLogonId S-1.......snip.......59
negotiate_kerberos_pac.cc(278): pid=31234 :2020/09/04 11:39:20| negotiate_kerberos_auth: INFO: Found 1 ExtraSIDs
negotiate_kerberos_pac.cc(327): pid=31234 :2020/09/04 11:39:20| negotiate_kerberos_auth: INFO: Got ExtraSid S-.......snip.......-1
negotiate_kerberos_pac.cc(456): pid=31234 :2020/09/04 11:39:20| negotiate_kerberos_auth: INFO: Read 464 of 464 bytes
negotiate_kerberos_auth.cc(778): pid=31234 :2020/09/04 11:39:20| negotiate_kerberos_auth: DEBUG: Groups group=AQU.......snip.......AAA== group=AQ.......snip.......AA
negotiate_kerberos_auth.cc(783): pid=31234 :2020/09/04 11:39:20| negotiate_kerberos_auth: DEBUG: AF oY.......snip.......pN67 host/test-proxy@DOM.TDS.INT
If you need the complete debug log with the token, write me a mail and I'll send them direct to you.
I've checked the changelog and the diff for version deb9u3. For me it looks like the following patch broke the auth helper.
This patch changed the negotiate_kerberos_auth code. Also the debug error message I've received was added "ERROR: Invalid base64 token".
* Improve patch for CVE-2019-12529 and replace more base64 code with code
from Nettle's crypto library.
patches/CVE-2019-12529.patch
My C knowledge is way too bad to find the problem in the code. Sorry :)
Thank you
Joel K.
-- System Information:
Debian Release: 9.13
APT prefers oldstable-updates
APT policy: (990, 'oldstable-updates'), (990, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-13-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages squid depends on:
ii adduser 3.115
ii libc6 2.24-11+deb9u4
ii libcap2 1:2.25-1
ii libcomerr2 1.43.4-2+deb9u2
ii libdb5.3 5.3.28-12+deb9u1
ii libdbi-perl 1.636-1+b1
ii libecap3 1.0.1-3.2
ii libexpat1 2.2.0-2+deb9u3
ii libgcc1 1:6.3.0-18+deb9u1
ii libgssapi-krb5-2 1.15-1+deb9u1
ii libkrb5-3 1.15-1+deb9u1
ii libldap-2.4-2 2.4.44+dfsg-5+deb9u4
ii libltdl7 2.4.6-2
ii libnetfilter-conntrack3 1.0.6-2
ii libnettle6 3.3-1+b2
ii libpam0g 1.1.8-3.6
ii libsasl2-2 2.1.27~101-g0780600+dfsg-3+deb9u1
ii libstdc++6 6.3.0-18+deb9u1
ii libxml2 2.9.4+dfsg1-2.2+deb9u2
ii logrotate 3.11.0-0.1
ii lsb-base 9.20161125
ii netbase 5.4
ii squid-common 3.5.23-5+deb9u3
Versions of packages squid recommends:
ii libcap2-bin 1:2.25-1
Versions of packages squid suggests:
pn resolvconf <none>
pn smbclient <none>
pn squid-cgi <none>
pn squid-purge <none>
ii squidclient 3.5.23-5+deb9u3
pn ufw <none>
pn winbindd <none>
-- Configuration Files:
/etc/logrotate.d/squid changed [not included]
/etc/squid/squid.conf changed [not included]
-- no debconf information
Reply to: