Hello all,
This patch is for the perl fwknop client. It is based off the link Mike
provided to changeset 160. It implements the following changes.
First, the '--HTTP-proxy' option is changed a bit. Rather than requiring
a value, it now takes an optional value. If the
'--HTTP-proxy' option is present, but without a value, the value in the
http_proxy environment variable is used.
The HTTP proxy string can now also take the forms
'http://username:password@host:port' and
'http://username:password@host'.
The command-line options '--HTTP-proxy-user <username>' and
'--HTTP-proxy-password <password>' have also been added. These command-line
options take precedence over the username and/or password specified in
either the environment variable or with '--HTTP-proxy'.
The client does basic proxy authentication, using the supplied username
and password. I've tested it in a hostile environment, and it works
correctly.
I want to start working on NTLM authentication next. I believe I can
implement it in a way that's transparent to the user. Namely, when the
client makes a request to the proxy, the proxy may reply by asking for
stronger authentication. Fwknop would receive that request, and
automatically start the NTLM authentication process.
--- fwknop 2009-10-28 12:07:52.729547135 -0500
+++ fwknop.new 2009-10-29 14:12:23.263284496 -0500
@@ -90,7 +90,12 @@
my $use_fko_module = 0;
my $fko_obj = '';
my $http_proxy_host = '';
-my $http_proxy = '';
+my $http_proxy;
+### the variable is declared, but not defined. This is necessary for the
+###--HTTP_proxy cli option to work as expected.
+
+my $http_proxy_user = '';
+my $http_proxy_pass = '';
my $gpg_home_dir = '';
my $gpg_recipient = '';
my $use_gpg_agent = 0;
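Review bot: the comment above `my $http_proxy;` refers to a `--HTTP_proxy` option, but the option added further down in the Getopt table is spelled `--HTTP-proxy`; fix the name so a reader grepping for the option finds the comment, and add a space after `###` to match the surrounding comment style. Leaving `$http_proxy` undefined by default is the right choice here, since the later `defined $http_proxy` test is what distinguishes an absent option from one given without a value.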
@@ -1000,8 +1005,27 @@
### if using an HTTP proxy, allow the http://HOST:PORT notation
### to determine the port
+ ### parses all the potential forms of http_proxy
+ ###FIXME: Is this the best place to parse this?
if ($http_proxy) {
- if ($http_proxy =~ m|http://(\S+):(\d+)|) {
+ if ($http_proxy =~ m|http://(\S+):(\S+)@(\S+):(\d+)|) {
+ if ($http_proxy_user eq '') {
+ $http_proxy_user = $1;
+ }
+ if ($http_proxy_pass eq '') {
+ $http_proxy_pass = $2;
+ }
+ $http_proxy_host = $3;
+ $enc_pcap_port = $4;
+ } elsif ($http_proxy =~ m|http://(\S+):(\S+)@(\S+)|) {
+ if ($http_proxy_user eq '') {
+ $http_proxy_user = $1;
+ }
+ if ($http_proxy_pass eq '') {
+ $http_proxy_pass = $2;
+ }
+ $http_proxy_host = $3;
+ } elsif ($http_proxy =~ m|http://(\S+):(\d+)|) {
$http_proxy_host = $1;
$enc_pcap_port = $2;
} elsif ($http_proxy =~ m|http://(\S+)|) {
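Review bot: the new patterns are unanchored and use greedy `\S+` captures, so a password containing `@` or `:` is split at the wrong place (part of the password silently migrates into the username or host), and the form `http://user@host:port` with no password falls through to the third branch and sets `$http_proxy_host` to `user@host`. Suggest anchoring with `^` and using negated classes, e.g. `m|^http://(?:([^:@]+):([^@]*)@)?([^:/]+)(?::(\d+))?$|`, or handing the string to the URI module, and dying on anything that does not match rather than falling through. That also answers the FIXME: parse where the value is final, i.e. after the env-var fallback has run, not before it.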
@@ -1337,7 +1361,7 @@
### send the SPA packet to.
my $http_host = $knock_dst_pre_resolve;
my $http_host_ip = $knock_dst;
-
+ my $http_proxy_auth_string = '';
if ($http_proxy_host) {
### if we are sending the SPA packet through a proxy, set the
@@ -1365,6 +1389,10 @@
or die "[*] Could not resolve $http_host_ip to an IP.";
$http_host_ip = $addr;
}
+ if ($http_proxy_user) {
+ my $proxy_auth = encode_base64($http_proxy_user . ':' .
$http_proxy_pass);
+ $http_proxy_auth_string = 'Proxy-Authorization: Basic ' .
$proxy_auth . "\r\n";
+ }
}
print "\n[+] Sending SPA packet over HTTP to ",
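Review bot: `encode_base64` appends a newline to its output unless an empty end-of-line string is passed as the second argument, so `$http_proxy_auth_string` currently ends in `\n\r\n` and the header block is terminated one line early; use `encode_base64($http_proxy_user . ':' . $http_proxy_pass, '')`. Also confirm the script already has `use MIME::Base64;`, since this hunk does not add it. Note that the continuation lines `$http_proxy_pass);` and `$proxy_auth . "\r\n";` have lost their leading `+`, which looks like mail-client wrapping; resend the patch as an attachment so it applies cleanly.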
@@ -1377,7 +1405,9 @@
"User-Agent: $ext_resolve_user_agent\r\n" .
"Accept: */*\r\n" .
"Host: $http_host\r\n" . ### FIXME?
- "Connection: Keep-Alive\r\n\r\n";
+ "Connection: Keep-Alive\r\n" .
+ "$http_proxy_auth_string" .
+ "\r\n";
print "[+] Sending SPA HTTP request:\n\n$http_request" if $debug;
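Review bot: `"$http_proxy_auth_string"` interpolates a scalar into a string that contains nothing else; concatenate `$http_proxy_auth_string` directly. The layout is otherwise correct: the auth string carries its own CRLF, so when no proxy user is set the header block still ends with the single empty line the proxy expects.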
@@ -2184,7 +2214,9 @@
'Forward-access=s' => \$NAT_access_str,
'TCP-sock' => \$spa_established_tcp,
'HTTP' => \$spa_over_http,
- 'HTTP-proxy=s' => \$http_proxy,
+ 'HTTP-proxy:s' => \$http_proxy, # the :s indicates that the
argument is optional
+ 'HTTP-proxy-user=s' => \$http_proxy_user,
+ 'HTTP-proxy-password=s' => \$http_proxy_pass,
'HTTP-user-agent=s' => \$ext_resolve_user_agent,
'Access=s' => \$access_str,
'fw-timeout=i' => \$cmdl_fw_timeout,
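Review bot: a password passed via `--HTTP-proxy-password` (or embedded in the `--HTTP-proxy` URL) is visible to every local user in the process list and ends up in shell history; consider taking it from the `http_proxy` environment variable only, or prompting for it when `--HTTP-proxy-user` is given without a password, and documenting that the command-line form is the least safe. The `:s` specifier is right for an optional value, but Getopt::Long will then consume a following non-option word as the proxy string, so the usage text should show the `--HTTP-proxy=http://...` form.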
@@ -2225,6 +2257,11 @@
### run a few minor checks against the supplied args
&validate_command_line();
+ ### if HTTP_proxy is specified, but not explicitly set, get it from the
env variable
+ if (defined $http_proxy and $http_proxy eq ''){
+ $http_proxy = $ENV{'http_proxy'};
+ }
+
return;
}
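Review bot: when `--HTTP-proxy` is given without a value and `http_proxy` is not set in the environment, `$http_proxy` silently becomes undef and the client carries on without a proxy; die with a clear message there instead, e.g. `die "[*] --HTTP-proxy given without a value and http_proxy is not set"`. Many environments export the variable as `HTTP_PROXY`, so falling back to `$ENV{HTTP_PROXY}` as well would be worthwhile.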
@@ -2468,7 +2505,8 @@
"is not used.\n";
}
- $spa_over_http = 1 if $http_proxy;
+ ### if $ENV{'http_proxy'} is to be used, $http_proxy will be '' at this
point
+ $spa_over_http = 1 if defined $http_proxy;
return;
}
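Review bot: `$spa_over_http = 1 if defined $http_proxy;` relies on `&validate_command_line()` running before the env-var fallback in the previous hunk: at this point `$http_proxy` is `''` when the option was given bare, so the test is true, but if the fallback then finds no `http_proxy` variable the value becomes undef while `$spa_over_http` stays set, and the SPA packet goes out over plain HTTP directly to the knock destination with no proxy in the path. Move the env lookup ahead of the validation call (and die there when it yields nothing) so this check sees the final value.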
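The proxy-string forms and the basic proxy authentication described in the message above, as an added example that is not part of the patch or of the fwknop client: it parses the same `http://[user:pass@]host[:port]` forms with an anchored pattern, applies the stated precedence of command-line credentials over URL credentials, and builds the `Proxy-Authorization` header without the trailing newline that `encode_base64` adds by default. The function names `parse_http_proxy` and `proxy_auth_header` and the sample inputs are assumptions made for this example.

```perl
# Added example; not fwknop code. Function names are hypothetical.
use strict;
use warnings;
use MIME::Base64 qw(encode_base64);

# Returns a hash ref {host, port, user, pass}, or undef when the string is
# not one of the accepted forms. Command-line credentials, when given,
# take precedence over credentials embedded in the URL.
sub parse_http_proxy {
    my ($proxy, $cli_user, $cli_pass) = @_;
    my %p = (host => '', port => 0,
             user => defined $cli_user ? $cli_user : '',
             pass => defined $cli_pass ? $cli_pass : '');

    # Anchored: userinfo may not contain ':' or '@', host may not contain
    # ':' or '/', so a password containing '@' fails to match instead of
    # being split in the wrong place.
    return undef
        unless $proxy =~ m|^http://(?:([^:@/]+):([^@/]*)@)?([^:/@]+)(?::(\d+))?/?$|;
    my ($u, $pw, $host, $port) = ($1, $2, $3, $4);

    $p{user} = $u  if defined $u  && $p{user} eq '';
    $p{pass} = $pw if defined $pw && $p{pass} eq '';
    $p{host} = $host;
    $p{port} = $port if defined $port;
    return \%p;
}

# The '' second argument stops encode_base64 from appending "\n", which
# would otherwise end the HTTP header block one line early.
sub proxy_auth_header {
    my ($user, $pass) = @_;
    return '' if $user eq '';
    return 'Proxy-Authorization: Basic '
         . encode_base64("$user:$pass", '') . "\r\n";
}

# Constructed sample inputs.
my $p = parse_http_proxy('http://alice:s3cret@proxy.example:3128');
printf "host=%s port=%d user=%s\n", $p->{host}, $p->{port}, $p->{user};
print proxy_auth_header($p->{user}, $p->{pass});

# A command-line username overrides the one embedded in the URL.
my $q = parse_http_proxy('http://alice:s3cret@proxy.example', 'bob');
printf "user=%s pass=%s\n", $q->{user}, $q->{pass};

# A password containing '@' is rejected rather than silently mis-split.
print defined parse_http_proxy('http://bob:p@ss@proxy.example')
    ? "parsed\n" : "rejected\n";
```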
_______________________________________________
Fwknop-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss