HTTP proxy: don't eagerly send a Basic auth header.

Now, we always try an initial CONNECT request with no auth at all, and wait for the proxy to reject it before sending a second try with auth. That way, we can wait to see what _kind_ of authentication the proxy requests, which will enable us to support something more secure than Basic, such as HTTP Digest. (I mean, it would _work_ to try Basic in request #1 and then retrying with Digest in #2 when the proxy asks for it. But if the aim of using Digest is to avoid sending the password in cleartext, it defeats the entire purpose to have sent it in cleartext anyway by the time you realise the server is prepared to do something better!)
2025-01-09 17:38:00 +00:00 · 2021-11-20 10:47:11 +00:00 · 2021-11-20 10:47:11 +00:00 · c9e10b316a
commit c9e10b316a
parent 9a0b1fa3f6
1 changed files with 17 additions and 3 deletions
--- a/proxy/http.c
+++ b/proxy/http.c
@ -49,6 +49,7 @@ typedef struct HttpProxyNegotiator {
    strbuf *username, *password;
    int http_status;
    bool connection_close;
+    bool tried_no_auth, try_auth_from_conf;
    prompts_t *prompts;
    int username_prompt_index, password_prompt_index;
    size_t content_length;
@ -160,6 +161,8 @@ static void proxy_http_process_queue(ProxyNegotiator *pn)
     */
    put_dataz(s->username, conf_get_str(pn->ps->conf, CONF_proxy_username));
    put_dataz(s->password, conf_get_str(pn->ps->conf, CONF_proxy_password));
+    if (s->username->len || s->password->len)
+        s->try_auth_from_conf = true;

    while (true) {
        /*
@ -175,10 +178,12 @@ static void proxy_http_process_queue(ProxyNegotiator *pn)
        }

        /*
-         * Optionally send an HTTP Basic auth header with the username and
-         * password.
+         * Optionally send an HTTP Basic auth header with the username
+         * and password. We do this only after we've first tried no
+         * authentication at all (even if we have a password to start
+         * with).
         */
-        {
+        if (s->tried_no_auth) {
            if (s->username->len || s->password->len) {
                put_datalit(pn->output, "Proxy-Authorization: Basic ");

@ -197,6 +202,8 @@ static void proxy_http_process_queue(ProxyNegotiator *pn)
                smemclr(base64_output, sizeof(base64_output));
                put_datalit(pn->output, "\r\n");
            }
+        } else {
+            s->tried_no_auth = true;
        }

        /*
@ -300,6 +307,13 @@ static void proxy_http_process_queue(ProxyNegotiator *pn)
                crStopV;
            }

+            /* If we have auth details from the Conf and haven't tried
+             * them yet, that's our first step. */
+            if (s->try_auth_from_conf) {
+                s->try_auth_from_conf = false;
+                continue;
+            }
+
            /* Either we never had a password in the first place, or
             * the one we already presented was rejected. We can only
             * proceed from here if we have a way to ask the user