Re: [Fwknop-discuss] patch for basic proxy authentication support
From: Michael R. <mb...@ci...> - 2009-11-02 05:16:07
On Oct 29, 2009, Jonathan Bennett wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello all,
> This patch is for the perl fwknop client. It is based off the link Mike
> provided to changeset 160. It implements the following changes.
>
> First, the '--HTTP-proxy' option is changed a bit. Rather than requiring
> a value, it now takes an optional value. If the '--HTTP-proxy' option is
> present, but without a value, the value in the http_proxy environment
> variable is used.
>
> The http proxy string now can also take the form
> 'http://username:pas...@pr...:port' and
> 'http://username:pas...@pr...'
>
> The command line options '--HTTP-proxy-user <username>' and
> '--HTTP-proxy-password <password>' also have been added. These command
> line options take precedence over the username and/or password specified
> in either the environment variable, or with '--HTTP-proxy'.
>
> The client does basic proxy authentication, using the supplied username
> and password. I've tested it in a hostile environment, and it works
> correctly.

Thanks for the patch. I have applied it here:

http://trac.cipherdyne.org/trac/fwknop-c/changeset/164/

> I want to start working on NTLM authentication next. I believe I can
> implement it in a way that's transparent to the user. Namely, when the
> client makes a request to the proxy, the proxy may reply by asking for
> stronger authentication. Fwknop would receive that request, and
> automatically start the NTLM authentication process.

That sounds feasible. Currently the fwknop client does not do anything with
data returned by the webserver when sending SPA packets over HTTP, but this
could be changed to support NTLM.
--Mike > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.9 (GNU/Linux) > Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ > > iEYEARECAAYFAkrp7nQACgkQhFXk1UR7WbdkHgCffD84qtXFETwv+gJf49d1LhjE > m7UAn1VpPTypYVpk66Ur1VV3ZT9xGpoR > =quit > -----END PGP SIGNATURE----- > --- fwknop 2009-10-28 12:07:52.729547135 -0500 > +++ fwknop.new 2009-10-29 14:12:23.263284496 -0500 > @@ -90,7 +90,12 @@ > my $use_fko_module = 0; > my $fko_obj = ''; > my $http_proxy_host = ''; > -my $http_proxy = ''; > +my $http_proxy; > +### the variable is declared, but not defined. This is necessary for the > +###--HTTP_proxy cli option to work as expected. > + > +my $http_proxy_user = ''; > +my $http_proxy_pass = ''; > my $gpg_home_dir = ''; > my $gpg_recipient = ''; > my $use_gpg_agent = 0; > @@ -1000,8 +1005,27 @@ > > ### if using an HTTP proxy, allow the http://HOST:PORT notation > ### to determine the port > + ### parses all the potential forms of http_proxy > + ###FIXME: Is this the best place to parse this? > if ($http_proxy) { > - if ($http_proxy =~ m|http://(\S+):(\d+)|) { > + if ($http_proxy =~ m|http://(\S+):(\S+)@(\S+):(\d+)|) { > + if ($http_proxy_user eq '') { > + $http_proxy_user = $1; > + } > + if ($http_proxy_pass eq '') { > + $http_proxy_pass = $2; > + } > + $http_proxy_host = $3; > + $enc_pcap_port = $4; > + } elsif ($http_proxy =~ m|http://(\S+):(\S+)@(\S+)|) { > + if ($http_proxy_user eq '') { > + $http_proxy_user = $1; > + } > + if ($http_proxy_pass eq '') { > + $http_proxy_pass = $2; > + } > + $http_proxy_host = $3; > + } elsif ($http_proxy =~ m|http://(\S+):(\d+)|) { > $http_proxy_host = $1; > $enc_pcap_port = $2; > } elsif ($http_proxy =~ m|http://(\S+)|) { > @@ -1337,7 +1361,7 @@ > ### send the SPA packet to. > my $http_host = $knock_dst_pre_resolve; > my $http_host_ip = $knock_dst; > - > + my $http_proxy_auth_string = ''; > if ($http_proxy_host) { > > ### if we are sending the SPA packet through a proxy, set the 
> @@ -1365,6 +1389,10 @@ > or die "[*] Could not resolve $http_host_ip to an IP."; > $http_host_ip = $addr; > } > + if ($http_proxy_user) { > + my $proxy_auth = encode_base64($http_proxy_user . ':' . $http_proxy_pass); > + $http_proxy_auth_string = 'Proxy-Authorization: Basic ' . $proxy_auth . "\r\n"; > + } > } > > print "\n[+] Sending SPA packet over HTTP to ", > @@ -1377,7 +1405,9 @@ > "User-Agent: $ext_resolve_user_agent\r\n" . > "Accept: */*\r\n" . > "Host: $http_host\r\n" . ### FIXME? > - "Connection: Keep-Alive\r\n\r\n"; > + "Connection: Keep-Alive\r\n" . > + "$http_proxy_auth_string" . > + "\r\n"; > > print "[+] Sending SPA HTTP request:\n\n$http_request" if $debug; > > @@ -2184,7 +2214,9 @@ > 'Forward-access=s' => \$NAT_access_str, > 'TCP-sock' => \$spa_established_tcp, > 'HTTP' => \$spa_over_http, > - 'HTTP-proxy=s' => \$http_proxy, > + 'HTTP-proxy:s' => \$http_proxy, # the :s indicates that the argument is optional > + 'HTTP-proxy-user=s' => \$http_proxy_user, > + 'HTTP-proxy-password=s' => \$http_proxy_pass, > 'HTTP-user-agent=s' => \$ext_resolve_user_agent, > 'Access=s' => \$access_str, > 'fw-timeout=i' => \$cmdl_fw_timeout, > @@ -2225,6 +2257,11 @@ > ### run a few minor checks against the supplied args > &validate_command_line(); > > + ### if HTTP_proxy is specified, but not explicitly set, get it from the env variable > + if (defined $http_proxy and $http_proxy eq ''){ > + $http_proxy = $ENV{'http_proxy'}; > + } > + > return; > } 
> > @@ -2468,7 +2505,8 @@ > "is not used.\n"; > } > > - $spa_over_http = 1 if $http_proxy; > + ### if $ENV{'http_proxy'} is to be used, $http_proxy will be '' at this point > + $spa_over_http = 1 if defined $http_proxy; > > return; > }
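Review bot: in the `@@ -90,7 +90,12 @@` hunk the comment under `my $http_proxy;` names the option `--HTTP_proxy`, but the Getopt table spells it `--HTTP-proxy`, and `###--HTTP_proxy` lacks the space after `###`. Since the undef-versus-empty distinction is what the later `defined $http_proxy` checks depend on, say so directly, e.g. `### left undef so "defined $http_proxy" can tell --HTTP-proxy given from not given`.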
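Review bot: in the `@@ -1000,8 +1005,27 @@` hunk the patterns `m|http://(\S+):(\S+)@(\S+):(\d+)|` and `m|http://(\S+):(\S+)@(\S+)|` are unanchored and split the userinfo at the first `:` after `http://`, so a username containing `:` is cut at the wrong place, and percent-encoded characters (`%40` for `@`) reach Basic auth undecoded. Parse the URL with `URI` (or split userinfo on the last `@` and the first `:`) and URI-unescape user and password before use; anchoring the regexes with `^` and `$` would also stop a trailing path from being swallowed into the host. The FIXME is fair: this block runs on `$http_proxy`, so it has to run after the env-variable fallback in the `@@ -2225` hunk, which is worth stating in the comment.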
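Review bot: in the `@@ -1365,6 +1389,10 @@` hunk, `encode_base64($http_proxy_user . ':' . $http_proxy_pass)` uses MIME::Base64's default EOL, which appends "\n" (and wraps every 76 characters), so the header becomes `Proxy-Authorization: Basic xxxx\n\r\n` and the bare newline either ends the header block early or gets the request rejected by the proxy. Pass an empty EOL: `encode_base64($http_proxy_user . ':' . $http_proxy_pass, '')`. The hunk also assumes MIME::Base64 is already loaded; if it is not, add `use MIME::Base64;`. Finally, `if ($http_proxy_user)` treats the username `0` as absent; `ne ''` matches the tests used in the parsing hunk.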
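Review bot: in the `@@ -1377,7 +1405,9 @@` hunk, the unchanged `print "[+] Sending SPA HTTP request:\n\n$http_request" if $debug;` line now writes the `Proxy-Authorization` header, i.e. the base64 of `user:password`, to the terminal whenever debugging is on; substitute `Basic [redacted]` into a copy before printing. `"$http_proxy_auth_string"` is an unnecessary interpolation; plain `$http_proxy_auth_string .` reads better. The trailing `"\r\n"` is correct in both cases, since the auth string is either empty or already ends in `\r\n`.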
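Review bot: in the `@@ -2184,7 +2214,9 @@` hunk, `'HTTP-proxy-password=s'` puts the proxy password in argv, where `ps` shows it to every local user and the shell saves it in history; prefer reading it from the environment, from a file with restrictive permissions, or prompting for it. Note also that with `'HTTP-proxy:s'` Getopt::Long consumes the next argument as the value unless it starts with `-`, so a bare `--HTTP-proxy` only means "use the environment" when it is followed by another option or nothing; the option documentation should say so.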
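Review bot: in the `@@ -2225,6 +2257,11 @@` hunk, `$http_proxy = $ENV{'http_proxy'};` leaves `$http_proxy` undef when the variable is unset or empty and nothing reports it; because `&validate_command_line()` has already run two lines above, the client proceeds with the HTTP flag set but no proxy host, i.e. it silently sends the SPA packet over plain HTTP instead of through the proxy. Fail explicitly: `die "[*] --HTTP-proxy given but http_proxy is not set in the environment\n" unless defined $http_proxy and $http_proxy ne '';`. The comment's `HTTP_proxy` should read `--HTTP-proxy`.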
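Review bot: in the `@@ -2468,7 +2505,8 @@` hunk, `$spa_over_http = 1 if defined $http_proxy;` fires for a bare `--HTTP-proxy` regardless of whether `http_proxy` is set, and if this is the end of `&validate_command_line()` (as the surrounding context suggests) it runs before the env-variable fallback. Either move the fallback ahead of the `&validate_command_line()` call so this line can keep testing `$http_proxy` for a non-empty value, or make the fallback die when the variable is missing; as written the two hunks together let an unset `http_proxy` slip through.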
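Added example, not code from the patch or from fwknop: the option precedence described in the thread (`--HTTP-proxy-user`/`--HTTP-proxy-password` over credentials in the proxy URL, and a bare `--HTTP-proxy` falling back to `http_proxy`) in Python, using the standard URL parser instead of a `\S+` regex so that `:` or `@` inside the password and percent-encoded characters are handled, and building the Basic header without the trailing newline. The default port of 80, the `env` dict argument and the GET request line are assumptions of this example.

```python
# Added example (not part of the patch or of fwknop): the precedence the
# patch describes, --HTTP-proxy-user/-password over credentials in the proxy
# URL, and a bare --HTTP-proxy falling back to $http_proxy. The default port
# of 80 and the GET request line are assumptions of this example.
import base64
from urllib.parse import urlsplit, unquote


def resolve_proxy(proxy_opt, env, user=None, password=None):
    """proxy_opt: None if --HTTP-proxy is absent, '' if given without a
    value, else the proxy URL. Returns (host, port, user, password), or
    None when no proxy is used."""
    if proxy_opt is None:
        return None
    url = proxy_opt if proxy_opt else env.get("http_proxy", "")
    if not url:
        # Fail loudly rather than silently continuing without a proxy.
        raise ValueError("--HTTP-proxy given but http_proxy is not set")
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    if not parts.hostname:
        raise ValueError("proxy URL has no host: %r" % url)
    # urlsplit splits userinfo on the last '@' and the first ':', so ':'
    # or '@' inside the password survive; unquote() decodes %XX escapes.
    url_user = unquote(parts.username) if parts.username else None
    url_pass = unquote(parts.password) if parts.password else None
    return (parts.hostname, parts.port or 80,
            user if user is not None else url_user,
            password if password is not None else url_pass)


def proxy_auth_header(user, password):
    """Basic proxy-auth header line. b64encode() never inserts line
    breaks, unlike Perl's encode_base64() with its default EOL."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode("ascii")
    return f"Proxy-Authorization: Basic {token}\r\n"


def build_request(http_host, path, resolved):
    """Header block sent through the proxy: the Proxy-Authorization line is
    added only when a username is known, and the block always ends with
    the empty line (CRLF CRLF)."""
    _host, _port, user, password = resolved
    lines = [f"GET http://{http_host}{path} HTTP/1.0\r\n",
             f"Host: {http_host}\r\n", "Connection: Keep-Alive\r\n"]
    if user:
        lines.append(proxy_auth_header(user, password or ""))
    return "".join(lines) + "\r\n"
```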