HTTP proxy: don't eagerly send a Basic auth header.

Now, we always try an initial CONNECT request with no auth at all, and wait for the proxy to reject it before sending a second try with auth. That way, we can wait to see what _kind_ of authentication the proxy requests, which will enable us to support something more secure than Basic, such as HTTP Digest. (I mean, it would _work_ to try Basic in request github#1 and then retrying with Digest in github#2 when the proxy asks for it. But if the aim of using Digest is to avoid sending the password in cleartext, it defeats the entire purpose to have sent it in cleartext anyway by the time you realise the server is prepared to do something better!)
rtsp7 · Nov 20, 2021 · c9e10b3 · c9e10b3
1 parent 9a0b1fa
commit c9e10b3
Showing 1 changed file with 17 additions and 3 deletions.
diff --git a/proxy/http.c b/proxy/http.c
@@ -49,6 +49,7 @@ typedef struct HttpProxyNegotiator {
     strbuf *username, *password;
     int http_status;
     bool connection_close;
+    bool tried_no_auth, try_auth_from_conf;
     prompts_t *prompts;
     int username_prompt_index, password_prompt_index;
     size_t content_length;
@@ -160,6 +161,8 @@ static void proxy_http_process_queue(ProxyNegotiator *pn)
      */
     put_dataz(s->username, conf_get_str(pn->ps->conf, CONF_proxy_username));
     put_dataz(s->password, conf_get_str(pn->ps->conf, CONF_proxy_password));
+    if (s->username->len || s->password->len)
+        s->try_auth_from_conf = true;
 
     while (true) {
         /*
@@ -175,10 +178,12 @@ static void proxy_http_process_queue(ProxyNegotiator *pn)
         }
 
         /*
-         * Optionally send an HTTP Basic auth header with the username and
-         * password.
+         * Optionally send an HTTP Basic auth header with the username
+         * and password. We do this only after we've first tried no
+         * authentication at all (even if we have a password to start
+         * with).
          */
-        {
+        if (s->tried_no_auth) {
             if (s->username->len || s->password->len) {
                 put_datalit(pn->output, "Proxy-Authorization: Basic ");
 
@@ -197,6 +202,8 @@ static void proxy_http_process_queue(ProxyNegotiator *pn)
                 smemclr(base64_output, sizeof(base64_output));
                 put_datalit(pn->output, "\r\n");
             }
+        } else {
+            s->tried_no_auth = true;
         }
 
         /*
@@ -300,6 +307,13 @@ static void proxy_http_process_queue(ProxyNegotiator *pn)
                 crStopV;
             }
 
+            /* If we have auth details from the Conf and haven't tried
+             * them yet, that's our first step. */
+            if (s->try_auth_from_conf) {
+                s->try_auth_from_conf = false;
+                continue;
+            }
+
             /* Either we never had a password in the first place, or
              * the one we already presented was rejected. We can only
              * proceed from here if we have a way to ask the user