simon-git: putty (main): Simon Tatham
Commits to Tartarus hosted VCS
tartarus-commits at lists.tartarus.org
Sat Nov 20 15:17:23 GMT 2021
TL;DR:
c9e10b31 HTTP proxy: don't eagerly send a Basic auth header.
52ee636b Extend testcrypt macros up to 12-ary functions.
3c21fa54 HTTP proxy: implement Digest authentication.
Repository: https://git.tartarus.org/simon/putty.git
On the web: https://git.tartarus.org/?p=simon/putty.git
Branch updated: main
Committer: Simon Tatham <anakin at pobox.com>
Date: 2021-11-20 15:17:23
commit c9e10b316a5d63058cef48cf0bef17582d0a3f4a
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=c9e10b316a5d63058cef48cf0bef17582d0a3f4a;hp=9a0b1fa3f6b8d850b7a603dca081ded31de2ad2f
Author: Simon Tatham <anakin at pobox.com>
Date: Sat Nov 20 10:47:11 2021 +0000
HTTP proxy: don't eagerly send a Basic auth header.
Now, we always try an initial CONNECT request with no auth at all, and
wait for the proxy to reject it before sending a second try with
auth.
That way, we can wait to see what _kind_ of authentication the proxy
requests, which will enable us to support something more secure than
Basic, such as HTTP Digest.
(I mean, it would _work_ to try Basic in request #1 and then retry
with Digest in #2 when the proxy asks for it. But if the aim of using
Digest is to avoid sending the password in cleartext, it defeats the
entire purpose to have sent it in cleartext anyway by the time you
realise the server is prepared to do something better!)
proxy/http.c | 20 +++++++++++++++++---
1 file changed, 17 insertions(+), 3 deletions(-)
commit 52ee636b092c199afd1df9442bb334b216ea106b
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=52ee636b092c199afd1df9442bb334b216ea106b;hp=c9e10b316a5d63058cef48cf0bef17582d0a3f4a
Author: Simon Tatham <anakin at pobox.com>
Date: Sat Nov 20 14:28:36 2021 +0000
Extend testcrypt macros up to 12-ary functions.
I'm about to add a monster new function that takes 12 arguments.
testcrypt.c | 83 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-------
1 file changed, 74 insertions(+), 9 deletions(-)
commit 3c21fa54c5927c17b5abb248ec1ce5801fded9bf
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=3c21fa54c5927c17b5abb248ec1ce5801fded9bf;hp=52ee636b092c199afd1df9442bb334b216ea106b
Author: Simon Tatham <anakin at pobox.com>
Date: Sat Nov 20 14:56:32 2021 +0000
HTTP proxy: implement Digest authentication.
In http.c, this drops in reasonably neatly alongside the existing
support for Basic, now that we're waiting for an initial 407 response
from the proxy to tell us which auth mechanism it would prefer to use.
The rest of this patch is mostly contriving to add testcrypt support
for the function in cproxy.c that generates the complicated output
header to go in the HTTP request: you need about a dozen assorted
parameters, the actual response hash has two more hashes in its
preimage, and there's even an option to hash the username as well if
necessary. Much more complicated than CHAP (which is just plain
HMAC-MD5), so it needs testing!
Happily, RFC 7616 comes with some reasonably useful test cases, and
I've managed to transcribe them directly into cryptsuite.py and
demonstrate that my response-generator agrees with them.
End-to-end testing of the whole system was done against Squid 4.13
(specifically, the squid package in Debian bullseye, version 4.13-10).
proxy/cproxy.c | 156 +++++++++++++++++++++++++++++++
proxy/cproxy.h | 25 +++++
proxy/http.c | 268 ++++++++++++++++++++++++++++++++++++++++++++++-------
proxy/nocproxy.c | 11 +++
proxy/proxy.h | 7 +-
test/cryptsuite.py | 63 +++++++++++++
test/testcrypt.py | 2 +-
testcrypt.c | 21 +++++
testcrypt.h | 1 +
9 files changed, 513 insertions(+), 41 deletions(-)
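
Added example, not PuTTY's code and not part of the commits above: a Python sketch of the two ideas in these commit messages, choosing the scheme only after seeing what the 407 offers, and the RFC 7616 response hash with its two inner hashes and optional username hashing. The function names and the one-challenge-per-header assumption are illustrative; the sample inputs are those of the MD5 example in RFC 7616 section 3.9.1.

```python
import hashlib

ALGORITHMS = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}

def choose_scheme(challenges):
    """Pick the strongest scheme from a 407's Proxy-Authenticate values.

    Assumes one challenge per header value (no comma-joined challenges).
    """
    offered = {c.split(None, 1)[0].lower() for c in challenges if c.strip()}
    for scheme in ("digest", "basic"):   # prefer Digest; Basic is the fallback
        if scheme in offered:
            return scheme
    return None

def digest_response(username, password, realm, method, uri, nonce, nc,
                    cnonce, qop="auth", algorithm="MD5", userhash=False):
    """Return (username_field, response) for an RFC 7616 qop=auth reply."""
    def h(text):
        return ALGORITHMS[algorithm](text.encode("utf-8")).hexdigest()
    ha1 = h(f"{username}:{realm}:{password}")   # first inner hash: the secret
    ha2 = h(f"{method}:{uri}")                  # second inner hash: the request
    response = h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    # userhash only changes the username field sent on the wire; A1 above
    # still uses the real username.
    user_field = h(f"{username}:{realm}") if userhash else username
    return user_field, response

# Inputs of the MD5 example in RFC 7616 section 3.9.1.
RFC_VECTOR = dict(
    username="Mufasa", password="Circle of Life",
    realm="http-auth@example.org", method="GET", uri="/dir/index.html",
    nonce="7ypf/xlj9XXwfDPEoM4URrv/xwf94BcCAzFZH4GiTo0v", nc="00000001",
    cnonce="f2/wE4q74E6zIJEtWaHKaf5wv/H5QzzpXusqGemxURZJ")

if __name__ == "__main__":
    # Constructed 407 challenge values, for illustration only.
    offered = ['Basic realm="proxy"', 'Digest realm="proxy", qop="auth", nonce="x"']
    print(choose_scheme(offered))
    print(digest_response(**RFC_VECTOR))
```

For a proxy CONNECT, the method and uri arguments would be the CONNECT method and the request target rather than the GET request used in the RFC's example.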