HTTP proxy: implement Digest authentication.

In http.c, this drops in reasonably neatly alongside the existing support for Basic, now that we're waiting for an initial 407 response from the proxy to tell us which auth mechanism it would prefer to use. The rest of this patch is mostly contriving to add testcrypt support for the function in cproxy.c that generates the complicated output header to go in the HTTP request: you need about a dozen assorted parameters, the actual response hash has two more hashes in its preimage, and there's even an option to hash the username as well if necessary. Much more complicated than CHAP (which is just plain HMAC-MD5), so it needs testing! Happily, RFC 7616 comes with some reasonably useful test cases, and I've managed to transcribe them directly into cryptsuite.py and demonstrate that my response-generator agrees with them. End-to-end testing of the whole system was done against Squid 4.13 (specifically, the squid package in Debian bullseye, version 4.13-10).
2025-07-02 03:52:49 -05:00 · 2021-11-20 14:56:32 +00:00
parent 52ee636b09
commit 3c21fa54c5
9 changed files with 511 additions and 39 deletions
--- a/proxy/proxy.h
+++ b/proxy/proxy.h
@ -105,11 +105,6 @@ prompts_t *proxy_new_prompts(ProxySocket *ps);
 char *format_telnet_command(SockAddr *addr, int port, Conf *conf,
                            unsigned *flags_out);

-/*
- * These are implemented in cproxy.c or nocproxy.c, depending on
- * whether encrypted proxy authentication is available.
- */
-extern const bool socks5_chap_available;
-strbuf *chap_response(ptrlen challenge, ptrlen password);
+#include "cproxy.h"

 #endif