From c9e10b316a5d63058cef48cf0bef17582d0a3f4a Mon Sep 17 00:00:00 2001 From: Simon Tatham Date: Sat, 20 Nov 2021 10:47:11 +0000 Subject: [PATCH] HTTP proxy: don't eagerly send a Basic auth header. Now, we always try an initial CONNECT request with no auth at all, and wait for the proxy to reject it before sending a second try with auth. That way, we can wait to see what _kind_ of authentication the proxy requests, which will enable us to support something more secure than Basic, such as HTTP Digest. (I mean, it would _work_ to try Basic in request #1 and then retrying with Digest in #2 when the proxy asks for it. But if the aim of using Digest is to avoid sending the password in cleartext, it defeats the entire purpose to have sent it in cleartext anyway by the time you realise the server is prepared to do something better!) --- proxy/http.c | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/proxy/http.c b/proxy/http.c index 8cd043d4..4f184dbe 100644 --- a/proxy/http.c +++ b/proxy/http.c @@ -49,6 +49,7 @@ typedef struct HttpProxyNegotiator { strbuf *username, *password; int http_status; bool connection_close; + bool tried_no_auth, try_auth_from_conf; prompts_t *prompts; int username_prompt_index, password_prompt_index; size_t content_length; @@ -160,6 +161,8 @@ static void proxy_http_process_queue(ProxyNegotiator *pn) */ put_dataz(s->username, conf_get_str(pn->ps->conf, CONF_proxy_username)); put_dataz(s->password, conf_get_str(pn->ps->conf, CONF_proxy_password)); + if (s->username->len || s->password->len) + s->try_auth_from_conf = true; while (true) { /* @@ -175,10 +178,12 @@ static void proxy_http_process_queue(ProxyNegotiator *pn) } /* - * Optionally send an HTTP Basic auth header with the username and - * password. + * Optionally send an HTTP Basic auth header with the username + * and password. We do this only after we've first tried no + * authentication at all (even if we have a password to start + * with). */ - { + if (s->tried_no_auth) { if (s->username->len || s->password->len) { put_datalit(pn->output, "Proxy-Authorization: Basic "); @@ -197,6 +202,8 @@ static void proxy_http_process_queue(ProxyNegotiator *pn) smemclr(base64_output, sizeof(base64_output)); put_datalit(pn->output, "\r\n"); } + } else { + s->tried_no_auth = true; } /* @@ -300,6 +307,13 @@ static void proxy_http_process_queue(ProxyNegotiator *pn) crStopV; } + /* If we have auth details from the Conf and haven't tried + * them yet, that's our first step. */ + if (s->try_auth_from_conf) { + s->try_auth_from_conf = false; + continue; + } + /* Either we never had a password in the first place, or * the one we already presented was rejected. We can only * proceed from here if we have a way to ask the user