mirror of
https://git.tartarus.org/simon/putty.git
synced 2025-01-09 17:38:00 +00:00
f85716be45
FreeProxy sends 'algorithm="MD5"' instead of 'algorithm=MD5.' I'm actually not sure whether that's legal by RFC 7616, but it's certainly no trouble to parse if we see it. With all these changes, PuTTY now _can_ successfully make connections through FreeProxy again, whether it's in Basic or Digest mode.
782 lines
27 KiB
C
782 lines
27 KiB
C
/*
|
|
* HTTP CONNECT proxy negotiation.
|
|
*/
|
|
|
|
#include "putty.h"
|
|
#include "network.h"
|
|
#include "proxy.h"
|
|
#include "sshcr.h"
|
|
|
|
static bool read_line(bufchain *input, strbuf *output, bool is_header)
|
|
{
|
|
char c;
|
|
|
|
while (bufchain_try_fetch(input, &c, 1)) {
|
|
if (is_header && output->len > 0 &&
|
|
output->s[output->len - 1] == '\n') {
|
|
/*
|
|
* A newline terminates the header, provided we're sure it
|
|
* is _not_ followed by a space or a tab.
|
|
*/
|
|
if (c != ' ' && c != '\t')
|
|
goto done; /* we have a complete header line */
|
|
} else {
|
|
put_byte(output, c);
|
|
bufchain_consume(input, 1);
|
|
|
|
if (!is_header && output->len > 0 &&
|
|
output->s[output->len - 1] == '\n') {
|
|
/* If we're looking for just a line, not an HTTP
|
|
* header, then any newline terminates it. */
|
|
goto done;
|
|
}
|
|
}
|
|
}
|
|
|
|
return false;
|
|
|
|
done:
|
|
strbuf_chomp(output, '\n');
|
|
strbuf_chomp(output, '\r');
|
|
return true;
|
|
}
|
|
|
|
/* Types of HTTP authentication, in preference order. */
|
|
typedef enum HttpAuthType {
|
|
AUTH_ERROR, /* if an HttpAuthDetails was never satisfactorily filled in */
|
|
AUTH_NONE, /* if no auth header is seen, assume no auth required */
|
|
AUTH_BASIC, /* username + password sent in clear (only keyless base64) */
|
|
AUTH_DIGEST, /* cryptographic hash, most preferred if available */
|
|
} HttpAuthType;
|
|
|
|
typedef struct HttpAuthDetails {
|
|
HttpAuthType auth_type;
|
|
bool digest_nonce_was_stale;
|
|
HttpDigestHash digest_hash;
|
|
strbuf *realm, *nonce, *opaque, *error;
|
|
bool got_opaque;
|
|
bool hash_username;
|
|
} HttpAuthDetails;
|
|
|
|
typedef struct HttpProxyNegotiator {
|
|
int crLine;
|
|
strbuf *response, *header, *token;
|
|
int http_status_pos;
|
|
size_t header_pos;
|
|
strbuf *username, *password;
|
|
int http_status;
|
|
bool connection_close;
|
|
HttpAuthDetails *next_auth;
|
|
bool try_auth_from_conf;
|
|
strbuf *uri;
|
|
uint32_t nonce_count;
|
|
prompts_t *prompts;
|
|
int username_prompt_index, password_prompt_index;
|
|
size_t content_length, chunk_length;
|
|
bool chunked_transfer;
|
|
ProxyNegotiator pn;
|
|
} HttpProxyNegotiator;
|
|
|
|
static inline HttpAuthDetails *auth_error(HttpAuthDetails *d,
|
|
const char *fmt, ...)
|
|
{
|
|
d->auth_type = AUTH_ERROR;
|
|
put_fmt(d->error, "Unable to parse auth header from HTTP proxy");
|
|
if (fmt) {
|
|
va_list ap;
|
|
va_start(ap, fmt);
|
|
put_datalit(d->error, ": ");
|
|
put_fmtv(d->error, fmt, ap);
|
|
va_end(ap);
|
|
}
|
|
return d;
|
|
}
|
|
|
|
static HttpAuthDetails *http_auth_details_new(void)
|
|
{
|
|
HttpAuthDetails *d = snew(HttpAuthDetails);
|
|
memset(d, 0, sizeof(*d));
|
|
d->realm = strbuf_new();
|
|
d->nonce = strbuf_new();
|
|
d->opaque = strbuf_new();
|
|
d->error = strbuf_new();
|
|
return d;
|
|
}
|
|
|
|
static void http_auth_details_free(HttpAuthDetails *d)
|
|
{
|
|
strbuf_free(d->realm);
|
|
strbuf_free(d->nonce);
|
|
strbuf_free(d->opaque);
|
|
strbuf_free(d->error);
|
|
sfree(d);
|
|
}
|
|
|
|
static ProxyNegotiator *proxy_http_new(const ProxyNegotiatorVT *vt)
|
|
{
|
|
HttpProxyNegotiator *s = snew(HttpProxyNegotiator);
|
|
memset(s, 0, sizeof(*s));
|
|
s->pn.vt = vt;
|
|
s->response = strbuf_new();
|
|
s->header = strbuf_new();
|
|
s->token = strbuf_new();
|
|
s->username = strbuf_new();
|
|
s->password = strbuf_new_nm();
|
|
s->uri = strbuf_new();
|
|
s->nonce_count = 0;
|
|
/*
|
|
* Always start with a CONNECT request containing no auth. If the
|
|
* proxy rejects that, it will tell us what kind of auth it would
|
|
* prefer.
|
|
*/
|
|
s->next_auth = http_auth_details_new();
|
|
s->next_auth->auth_type = AUTH_NONE;
|
|
return &s->pn;
|
|
}
|
|
|
|
static void proxy_http_free(ProxyNegotiator *pn)
|
|
{
|
|
HttpProxyNegotiator *s = container_of(pn, HttpProxyNegotiator, pn);
|
|
strbuf_free(s->response);
|
|
strbuf_free(s->header);
|
|
strbuf_free(s->token);
|
|
strbuf_free(s->username);
|
|
strbuf_free(s->password);
|
|
strbuf_free(s->uri);
|
|
http_auth_details_free(s->next_auth);
|
|
if (s->prompts)
|
|
free_prompts(s->prompts);
|
|
sfree(s);
|
|
}
|
|
|
|
#define HTTP_HEADER_LIST(X) \
|
|
X(HDR_CONNECTION, "Connection") \
|
|
X(HDR_CONTENT_LENGTH, "Content-Length") \
|
|
X(HDR_TRANSFER_ENCODING, "Transfer-Encoding") \
|
|
X(HDR_PROXY_AUTHENTICATE, "Proxy-Authenticate") \
|
|
X(HDR_PROXY_CONNECTION, "Proxy-Connection") \
|
|
/* end of list */
|
|
|
|
typedef enum HttpHeader {
|
|
#define ENUM_DEF(id, string) id,
|
|
HTTP_HEADER_LIST(ENUM_DEF)
|
|
#undef ENUM_DEF
|
|
HDR_UNKNOWN
|
|
} HttpHeader;
|
|
|
|
static inline bool is_whitespace(char c)
|
|
{
|
|
return (c == ' ' || c == '\t' || c == '\n');
|
|
}
|
|
|
|
static inline bool is_separator(char c)
|
|
{
|
|
return (c == '(' || c == ')' || c == '<' || c == '>' || c == '@' ||
|
|
c == ',' || c == ';' || c == ':' || c == '\\' || c == '"' ||
|
|
c == '/' || c == '[' || c == ']' || c == '?' || c == '=' ||
|
|
c == '{' || c == '}');
|
|
}
|
|
|
|
#define HTTP_SEPARATORS
|
|
|
|
static bool get_end_of_header(HttpProxyNegotiator *s)
|
|
{
|
|
size_t pos = s->header_pos;
|
|
|
|
while (pos < s->header->len && is_whitespace(s->header->s[pos]))
|
|
pos++;
|
|
|
|
if (pos == s->header->len) {
|
|
s->header_pos = pos;
|
|
return true;
|
|
}
|
|
|
|
return false;
|
|
}
|
|
|
|
static bool get_token(HttpProxyNegotiator *s)
|
|
{
|
|
size_t pos = s->header_pos;
|
|
|
|
while (pos < s->header->len && is_whitespace(s->header->s[pos]))
|
|
pos++;
|
|
|
|
if (pos == s->header->len)
|
|
return false; /* end of string */
|
|
|
|
if (is_separator(s->header->s[pos]))
|
|
return false;
|
|
|
|
strbuf_clear(s->token);
|
|
while (pos < s->header->len &&
|
|
!is_whitespace(s->header->s[pos]) &&
|
|
!is_separator(s->header->s[pos]))
|
|
put_byte(s->token, s->header->s[pos++]);
|
|
|
|
s->header_pos = pos;
|
|
return true;
|
|
}
|
|
|
|
static bool get_separator(HttpProxyNegotiator *s, char sep)
|
|
{
|
|
size_t pos = s->header_pos;
|
|
|
|
while (pos < s->header->len && is_whitespace(s->header->s[pos]))
|
|
pos++;
|
|
|
|
if (pos == s->header->len)
|
|
return false; /* end of string */
|
|
|
|
if (s->header->s[pos] != sep)
|
|
return false;
|
|
|
|
s->header_pos = ++pos;
|
|
return true;
|
|
}
|
|
|
|
static bool get_quoted_string(HttpProxyNegotiator *s)
|
|
{
|
|
size_t pos = s->header_pos;
|
|
|
|
while (pos < s->header->len && is_whitespace(s->header->s[pos]))
|
|
pos++;
|
|
|
|
if (pos == s->header->len)
|
|
return false; /* end of string */
|
|
|
|
if (s->header->s[pos] != '"')
|
|
return false;
|
|
pos++;
|
|
|
|
strbuf_clear(s->token);
|
|
while (pos < s->header->len && s->header->s[pos] != '"') {
|
|
if (s->header->s[pos] == '\\') {
|
|
/* Backslash makes the next char literal, even if it's " or \ */
|
|
pos++;
|
|
if (pos == s->header->len)
|
|
return false; /* unexpected end of string */
|
|
}
|
|
put_byte(s->token, s->header->s[pos++]);
|
|
}
|
|
|
|
if (pos == s->header->len)
|
|
return false; /* no closing quote */
|
|
pos++;
|
|
|
|
s->header_pos = pos;
|
|
return true;
|
|
}
|
|
|
|
static HttpAuthDetails *parse_http_auth_header(HttpProxyNegotiator *s)
|
|
{
|
|
HttpAuthDetails *d = http_auth_details_new();
|
|
|
|
/* Default hash for HTTP Digest is MD5, if none specified explicitly */
|
|
d->digest_hash = HTTP_DIGEST_MD5;
|
|
|
|
if (!get_token(s))
|
|
return auth_error(d, "parse error");
|
|
|
|
if (!stricmp(s->token->s, "Basic")) {
|
|
/* For Basic authentication, we don't need anything else. The
|
|
* realm string is not required for the protocol. */
|
|
d->auth_type = AUTH_BASIC;
|
|
return d;
|
|
}
|
|
|
|
if (!stricmp(s->token->s, "Digest")) {
|
|
/* Parse all the additional parts of the Digest header. */
|
|
if (!http_digest_available)
|
|
return auth_error(d, "Digest authentication not supported");
|
|
|
|
/* Parse the rest of the Digest header */
|
|
while (true) {
|
|
if (!get_token(s))
|
|
return auth_error(d, "parse error in Digest header");
|
|
|
|
if (!stricmp(s->token->s, "realm")) {
|
|
if (!get_separator(s, '=') ||
|
|
!get_quoted_string(s))
|
|
return auth_error(d, "parse error in Digest realm field");
|
|
put_datapl(d->realm, ptrlen_from_strbuf(s->token));
|
|
} else if (!stricmp(s->token->s, "nonce")) {
|
|
if (!get_separator(s, '=') ||
|
|
!get_quoted_string(s))
|
|
return auth_error(d, "parse error in Digest nonce field");
|
|
put_datapl(d->nonce, ptrlen_from_strbuf(s->token));
|
|
} else if (!stricmp(s->token->s, "opaque")) {
|
|
if (!get_separator(s, '=') ||
|
|
!get_quoted_string(s))
|
|
return auth_error(d, "parse error in Digest opaque field");
|
|
put_datapl(d->opaque,
|
|
ptrlen_from_strbuf(s->token));
|
|
d->got_opaque = true;
|
|
} else if (!stricmp(s->token->s, "stale")) {
|
|
if (!get_separator(s, '=') ||
|
|
!get_token(s))
|
|
return auth_error(d, "parse error in Digest stale field");
|
|
d->digest_nonce_was_stale = !stricmp(
|
|
s->token->s, "true");
|
|
} else if (!stricmp(s->token->s, "userhash")) {
|
|
if (!get_separator(s, '=') ||
|
|
!get_token(s))
|
|
return auth_error(d, "parse error in Digest userhash "
|
|
"field");
|
|
d->hash_username = !stricmp(s->token->s, "true");
|
|
} else if (!stricmp(s->token->s, "algorithm")) {
|
|
if (!get_separator(s, '=') ||
|
|
(!get_token(s) && !get_quoted_string(s)))
|
|
return auth_error(d, "parse error in Digest algorithm "
|
|
"field");
|
|
bool found = false;
|
|
size_t i;
|
|
|
|
for (i = 0; i < N_HTTP_DIGEST_HASHES; i++) {
|
|
if (!stricmp(s->token->s, httphashnames[i])) {
|
|
found = true;
|
|
break;
|
|
}
|
|
}
|
|
|
|
if (!found) {
|
|
/* We don't even recognise the name */
|
|
return auth_error(d, "Digest hash algorithm '%s' not "
|
|
"recognised", s->token->s);
|
|
}
|
|
|
|
if (!httphashaccepted[i]) {
|
|
/* We do recognise the name but we
|
|
* don't like it (see comment in cproxy.h) */
|
|
return auth_error(d, "Digest hash algorithm '%s' not "
|
|
"supported", s->token->s);
|
|
}
|
|
|
|
d->digest_hash = i;
|
|
} else if (!stricmp(s->token->s, "qop")) {
|
|
if (!get_separator(s, '=') ||
|
|
!get_quoted_string(s))
|
|
return auth_error(d, "parse error in Digest qop field");
|
|
if (stricmp(s->token->s, "auth"))
|
|
return auth_error(d, "quality-of-protection type '%s' not "
|
|
"supported", s->token->s);
|
|
} else {
|
|
/* Ignore any other auth-param */
|
|
if (!get_separator(s, '=') ||
|
|
(!get_quoted_string(s) && !get_token(s)))
|
|
return auth_error(d, "parse error in Digest header");
|
|
}
|
|
|
|
if (get_end_of_header(s))
|
|
break;
|
|
if (!get_separator(s, ','))
|
|
return auth_error(d, "parse error in Digest header");
|
|
}
|
|
d->auth_type = AUTH_DIGEST;
|
|
return d;
|
|
}
|
|
|
|
return auth_error(d, "authentication type '%s' not supported",
|
|
s->token->s);
|
|
}
|
|
|
|
static void proxy_http_process_queue(ProxyNegotiator *pn)
|
|
{
|
|
HttpProxyNegotiator *s = container_of(pn, HttpProxyNegotiator, pn);
|
|
|
|
crBegin(s->crLine);
|
|
|
|
/*
|
|
* Initialise our username and password strbufs from the Conf.
|
|
*/
|
|
put_dataz(s->username, conf_get_str(pn->ps->conf, CONF_proxy_username));
|
|
put_dataz(s->password, conf_get_str(pn->ps->conf, CONF_proxy_password));
|
|
if (s->username->len || s->password->len)
|
|
s->try_auth_from_conf = true;
|
|
|
|
/*
|
|
* Set up the host:port string we're trying to connect to, also
|
|
* used as the URI string in HTTP Digest auth.
|
|
*/
|
|
{
|
|
char dest[512];
|
|
sk_getaddr(pn->ps->remote_addr, dest, lenof(dest));
|
|
put_fmt(s->uri, "%s:%d", dest, pn->ps->remote_port);
|
|
}
|
|
|
|
while (true) {
|
|
/*
|
|
* Standard prefix for the HTTP CONNECT request.
|
|
*/
|
|
put_fmt(pn->output,
|
|
"CONNECT %s HTTP/1.1\r\n"
|
|
"Host: %s\r\n", s->uri->s, s->uri->s);
|
|
|
|
/*
|
|
* Add an auth header, if we're planning to this time round.
|
|
*/
|
|
if (s->next_auth->auth_type == AUTH_BASIC) {
|
|
put_datalit(pn->output, "Proxy-Authorization: Basic ");
|
|
|
|
strbuf *base64_input = strbuf_new_nm();
|
|
put_datapl(base64_input, ptrlen_from_strbuf(s->username));
|
|
put_byte(base64_input, ':');
|
|
put_datapl(base64_input, ptrlen_from_strbuf(s->password));
|
|
|
|
char base64_output[4];
|
|
for (size_t i = 0, e = base64_input->len; i < e; i += 3) {
|
|
base64_encode_atom(base64_input->u + i,
|
|
e-i > 3 ? 3 : e-i, base64_output);
|
|
put_data(pn->output, base64_output, 4);
|
|
}
|
|
strbuf_free(base64_input);
|
|
smemclr(base64_output, sizeof(base64_output));
|
|
put_datalit(pn->output, "\r\n");
|
|
} else if (s->next_auth->auth_type == AUTH_DIGEST) {
|
|
put_datalit(pn->output, "Proxy-Authorization: Digest ");
|
|
|
|
/* If we have a fresh nonce, reset the
|
|
* nonce count. Otherwise, keep incrementing it. */
|
|
if (!ptrlen_eq_ptrlen(ptrlen_from_strbuf(s->token),
|
|
ptrlen_from_strbuf(s->next_auth->nonce)))
|
|
s->nonce_count = 0;
|
|
|
|
http_digest_response(BinarySink_UPCAST(pn->output),
|
|
ptrlen_from_strbuf(s->username),
|
|
ptrlen_from_strbuf(s->password),
|
|
ptrlen_from_strbuf(s->next_auth->realm),
|
|
PTRLEN_LITERAL("CONNECT"),
|
|
ptrlen_from_strbuf(s->uri),
|
|
PTRLEN_LITERAL("auth"),
|
|
ptrlen_from_strbuf(s->next_auth->nonce),
|
|
(s->next_auth->got_opaque ?
|
|
ptrlen_from_strbuf(s->next_auth->opaque) :
|
|
make_ptrlen(NULL, 0)),
|
|
++s->nonce_count, s->next_auth->digest_hash,
|
|
s->next_auth->hash_username);
|
|
put_datalit(pn->output, "\r\n");
|
|
}
|
|
|
|
/*
|
|
* Blank line to terminate the HTTP request.
|
|
*/
|
|
put_datalit(pn->output, "\r\n");
|
|
crReturnV;
|
|
|
|
s->content_length = 0;
|
|
s->chunked_transfer = false;
|
|
s->connection_close = false;
|
|
|
|
/*
|
|
* Read and parse the HTTP status line, and check if it's a 2xx
|
|
* for success.
|
|
*/
|
|
strbuf_clear(s->response);
|
|
crMaybeWaitUntilV(read_line(pn->input, s->response, false));
|
|
{
|
|
int maj_ver, min_ver, n_scanned;
|
|
n_scanned = sscanf(
|
|
s->response->s, "HTTP/%d.%d %n%d",
|
|
&maj_ver, &min_ver, &s->http_status_pos, &s->http_status);
|
|
|
|
if (n_scanned < 3) {
|
|
pn->error = dupstr("HTTP response was absent or malformed");
|
|
crStopV;
|
|
}
|
|
|
|
if (maj_ver < 1 || (maj_ver == 1 && min_ver < 1)) {
|
|
/* Before HTTP/1.1, connections close by default */
|
|
s->connection_close = true;
|
|
}
|
|
}
|
|
|
|
if (s->http_status == 407) {
|
|
/*
|
|
* If this is going to be an auth request, we expect to
|
|
* see at least one Proxy-Authorization header offering us
|
|
* auth options. Start by preloading s->next_auth with a
|
|
* fallback error message, which will be used if nothing
|
|
* better is available.
|
|
*/
|
|
http_auth_details_free(s->next_auth);
|
|
s->next_auth = http_auth_details_new();
|
|
auth_error(s->next_auth, "no Proxy-Authorization header seen in "
|
|
"HTTP 407 Proxy Authentication Required response");
|
|
}
|
|
|
|
/*
|
|
* Read the HTTP response header section.
|
|
*/
|
|
do {
|
|
strbuf_clear(s->header);
|
|
crMaybeWaitUntilV(read_line(pn->input, s->header, true));
|
|
s->header_pos = 0;
|
|
|
|
if (!get_token(s)) {
|
|
/* Possibly we ought to panic if we see an HTTP header
|
|
* we can't make any sense of at all? But whatever,
|
|
* ignore it and hope the next one makes more sense */
|
|
continue;
|
|
}
|
|
|
|
/* Parse the header name */
|
|
HttpHeader hdr = HDR_UNKNOWN;
|
|
{
|
|
#define CHECK_HEADER(id, string) \
|
|
if (!stricmp(s->token->s, string)) hdr = id;
|
|
HTTP_HEADER_LIST(CHECK_HEADER);
|
|
#undef CHECK_HEADER
|
|
}
|
|
|
|
if (!get_separator(s, ':'))
|
|
continue;
|
|
|
|
if (hdr == HDR_CONTENT_LENGTH) {
|
|
if (!get_token(s))
|
|
continue;
|
|
s->content_length = strtoumax(s->token->s, NULL, 10);
|
|
} else if (hdr == HDR_TRANSFER_ENCODING) {
|
|
/*
|
|
* The Transfer-Encoding header value should be a
|
|
* comma-separated list of keywords including
|
|
* "chunked", "deflate" and "gzip". We parse it in the
|
|
* most superficial way, by just looking for "chunked"
|
|
* and ignoring everything else.
|
|
*
|
|
* It's OK to do that because we're not actually
|
|
* _using_ the error document - we only have to skip
|
|
* over it to find the end of the HTTP response. So we
|
|
* don't care if it's gzipped or not.
|
|
*/
|
|
while (get_token(s)) {
|
|
if (!stricmp(s->token->s, "chunked"))
|
|
s->chunked_transfer = true;
|
|
}
|
|
} else if (hdr == HDR_CONNECTION ||
|
|
hdr == HDR_PROXY_CONNECTION) {
|
|
if (!get_token(s))
|
|
continue;
|
|
if (!stricmp(s->token->s, "close"))
|
|
s->connection_close = true;
|
|
else if (!stricmp(s->token->s, "keep-alive"))
|
|
s->connection_close = false;
|
|
} else if (hdr == HDR_PROXY_AUTHENTICATE) {
|
|
HttpAuthDetails *auth = parse_http_auth_header(s);
|
|
|
|
/*
|
|
* See if we prefer this set of auth details to the
|
|
* previous one we had (either from a previous auth
|
|
* header, or the fallback when no auth header is
|
|
* provided at all).
|
|
*/
|
|
bool change;
|
|
|
|
if (auth->auth_type != s->next_auth->auth_type) {
|
|
/* Use the preference order implied by the enum */
|
|
change = auth->auth_type > s->next_auth->auth_type;
|
|
} else if (auth->auth_type == AUTH_DIGEST &&
|
|
auth->digest_hash != s->next_auth->digest_hash) {
|
|
/* Choose based on the hash functions */
|
|
change = auth->digest_hash > s->next_auth->digest_hash;
|
|
} else {
|
|
/*
|
|
* If in doubt, go with the later one of the
|
|
* headers.
|
|
*
|
|
* The main reason for this is so that an error in
|
|
* interpreting an auth header will supersede the
|
|
* default error we preload saying 'no header
|
|
* found', because that would be a particularly
|
|
* bad error to report if there _was_ one.
|
|
*
|
|
* But we're in a tie-breaking situation by now,
|
|
* so there's no other reason to choose - we might
|
|
* as well apply the same policy everywhere else
|
|
* too.
|
|
*/
|
|
change = true;
|
|
}
|
|
|
|
if (change) {
|
|
http_auth_details_free(s->next_auth);
|
|
s->next_auth = auth;
|
|
} else {
|
|
http_auth_details_free(auth);
|
|
}
|
|
}
|
|
} while (s->header->len > 0);
|
|
|
|
/* Read and ignore the entire response document */
|
|
if (!s->chunked_transfer) {
|
|
/* Simple approach: read exactly Content-Length bytes */
|
|
crMaybeWaitUntilV(bufchain_try_consume(
|
|
pn->input, s->content_length));
|
|
} else {
|
|
/* Chunked transfer: read a sequence of
|
|
* <hex length>\r\n<data>\r\n chunks, terminating in one with
|
|
* zero length */
|
|
do {
|
|
/*
|
|
* Expect a chunk length
|
|
*/
|
|
s->chunk_length = 0;
|
|
while (true) {
|
|
char c;
|
|
crMaybeWaitUntilV(bufchain_try_fetch_consume(
|
|
pn->input, &c, 1));
|
|
if (c == '\r') {
|
|
continue;
|
|
} else if (c == '\n') {
|
|
break;
|
|
} else if ('0' <= c && c <= '9') {
|
|
s->chunk_length = s->chunk_length*16 + (c-'0');
|
|
} else if ('A' <= c && c <= 'F') {
|
|
s->chunk_length = s->chunk_length*16 + (c-'A'+10);
|
|
} else if ('a' <= c && c <= 'f') {
|
|
s->chunk_length = s->chunk_length*16 + (c-'a'+10);
|
|
} else {
|
|
pn->error = dupprintf(
|
|
"Received bad character 0x%02X in chunk length "
|
|
"during HTTP chunked transfer encoding",
|
|
(unsigned)(unsigned char)c);
|
|
crStopV;
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Expect that many bytes of chunked data
|
|
*/
|
|
crMaybeWaitUntilV(bufchain_try_consume(
|
|
pn->input, s->chunk_length));
|
|
|
|
/* Now expect \r\n */
|
|
{
|
|
char buf[2];
|
|
crMaybeWaitUntilV(bufchain_try_fetch_consume(
|
|
pn->input, buf, 2));
|
|
if (memcmp(buf, "\r\n", 2)) {
|
|
pn->error = dupprintf(
|
|
"Missing CRLF after chunk "
|
|
"during HTTP chunked transfer encoding");
|
|
crStopV;
|
|
}
|
|
}
|
|
} while (s->chunk_length);
|
|
}
|
|
|
|
if (200 <= s->http_status && s->http_status < 300) {
|
|
/* Any 2xx HTTP response means we're done */
|
|
goto authenticated;
|
|
} else if (s->http_status == 407) {
|
|
/* 407 is Proxy Authentication Required, which we may be
|
|
* able to do something about. */
|
|
if (s->connection_close) {
|
|
/* If we got 407 + connection closed, reconnect before
|
|
* sending our next request. */
|
|
pn->reconnect = true;
|
|
}
|
|
|
|
/* If the best we can do is report some kind of error from
|
|
* a Proxy-Auth header (or an error saying there wasn't
|
|
* one at all), and no successful parsing of an auth
|
|
* header superseded that, then just throw that error and
|
|
* die. */
|
|
if (s->next_auth->auth_type == AUTH_ERROR) {
|
|
pn->error = dupstr(s->next_auth->error->s);
|
|
crStopV;
|
|
}
|
|
|
|
/* If we have auth details from the Conf and haven't tried
|
|
* them yet, that's our first step. */
|
|
if (s->try_auth_from_conf) {
|
|
s->try_auth_from_conf = false;
|
|
continue;
|
|
}
|
|
|
|
/* If the server sent us stale="true" in a Digest auth
|
|
* header, that means we _don't_ need to request a new
|
|
* password yet; just try again with the existing details
|
|
* and the fresh nonce it sent us. */
|
|
if (s->next_auth->digest_nonce_was_stale)
|
|
continue;
|
|
|
|
/* Either we never had a password in the first place, or
|
|
* the one we already presented was rejected. We can only
|
|
* proceed from here if we have a way to ask the user
|
|
* questions. */
|
|
if (!pn->itr) {
|
|
pn->error = dupprintf("HTTP proxy requested authentication "
|
|
"which we do not have");
|
|
crStopV;
|
|
}
|
|
|
|
/*
|
|
* Send some prompts to the user. We'll assume the
|
|
* password is always required (since it's just been
|
|
* rejected, even if we did send one before), and we'll
|
|
* prompt for the username only if we don't have one from
|
|
* the Conf.
|
|
*/
|
|
s->prompts = proxy_new_prompts(pn->ps);
|
|
s->prompts->to_server = true;
|
|
s->prompts->from_server = false;
|
|
s->prompts->name = dupstr("HTTP proxy authentication");
|
|
if (!s->username->len) {
|
|
s->username_prompt_index = s->prompts->n_prompts;
|
|
add_prompt(s->prompts, dupstr("Proxy username: "), true);
|
|
} else {
|
|
s->username_prompt_index = -1;
|
|
}
|
|
|
|
s->password_prompt_index = s->prompts->n_prompts;
|
|
add_prompt(s->prompts, dupstr("Proxy password: "), false);
|
|
|
|
while (true) {
|
|
SeatPromptResult spr = seat_get_userpass_input(
|
|
interactor_announce(pn->itr), s->prompts);
|
|
if (spr.kind == SPRK_OK) {
|
|
break;
|
|
} else if (spr_is_abort(spr)) {
|
|
proxy_spr_abort(pn, spr);
|
|
crStopV;
|
|
}
|
|
crReturnV;
|
|
}
|
|
|
|
if (s->username_prompt_index != -1) {
|
|
strbuf_clear(s->username);
|
|
put_dataz(s->username,
|
|
prompt_get_result_ref(
|
|
s->prompts->prompts[s->username_prompt_index]));
|
|
}
|
|
|
|
strbuf_clear(s->password);
|
|
put_dataz(s->password,
|
|
prompt_get_result_ref(
|
|
s->prompts->prompts[s->password_prompt_index]));
|
|
|
|
free_prompts(s->prompts);
|
|
s->prompts = NULL;
|
|
} else {
|
|
/* Any other HTTP response is treated as permanent failure */
|
|
pn->error = dupprintf("HTTP response %s",
|
|
s->response->s + s->http_status_pos);
|
|
crStopV;
|
|
}
|
|
}
|
|
|
|
authenticated:
|
|
/*
|
|
* Success! Hand over to the main connection.
|
|
*/
|
|
pn->done = true;
|
|
|
|
crFinishV;
|
|
}
|
|
|
|
const struct ProxyNegotiatorVT http_proxy_negotiator_vt = {
|
|
.new = proxy_http_new,
|
|
.free = proxy_http_free,
|
|
.process_queue = proxy_http_process_queue,
|
|
.type = "HTTP",
|
|
};
|