Page MenuHomeFreeBSD
Differential D29533

libfetch: Fix proxy authentication
ClosedPublic
Actions

Authored by kp on Apr 1 2021, 11:59 AM.
Tags
None
Referenced Files
Unknown Object (File)
Wed, Oct 30, 8:04 PM
Unknown Object (File)
Sun, Oct 27, 1:04 AM
Unknown Object (File)
Thu, Oct 17, 11:05 AM
Unknown Object (File)
Fri, Oct 11, 7:33 PM
Unknown Object (File)
Fri, Oct 11, 7:33 PM
Unknown Object (File)
Fri, Oct 11, 7:33 PM
Unknown Object (File)
Fri, Oct 11, 7:33 PM
Unknown Object (File)
Fri, Oct 11, 7:07 PM
View All 80 Files
Subscribers
None

Details

Reviewers
kevans
bapt
garga
Commits
rG208c36a005f5: libfetch: Retry with proxy auth when server returns 407
rGd7682961d386: libfetch: Retry with proxy auth when server returns 407
rG345c30a94f64: libfetch: Retry with proxy auth when server returns 407
Summary

This patch is being used on pfSense to fix pkg when proxy is configured and many users reported it works as expected.

libfetch: Retry with proxy authentication when server returns 407

PR:	220468
Submitted by:	Egil Hasting <egil.hasting@higen.org> (based on)
Reviewed by:	kevans, kp
Approved by:	kp	
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D29533
Test Plan

Configure an authenticated proxy server and define HTTP_PROXY and HTTP_PROXY_AUTH environment variables. Without this patch the result is like:

garga@x230 ~ ❯❯❯ env | grep PROXY
HTTP_PROXY_AUTH=basic:*:testproxy:testproxy
HTTP_PROXY=172.21.4.1:3128
garga@x230 ~ ❯❯❯ fetch -v http://ifconfig.me
resolving server address: 172.21.4.1:3128
requesting http://ifconfig.me/
proxy requires authorization
resolving server address: 172.21.4.1:3128
requesting http://ifconfig.me/
302 redirect to https://ifconfig.me/
resolving server address: 172.21.4.1:3128
fetch: http://ifconfig.me: Proxy Authentication Required

After apply the patch:

garga@x230 ~ ❯❯❯ fetch -v http://ifconfig.me
resolving server address: 172.21.4.1:3128
requesting http://ifconfig.me/
proxy requires authorization
resolving server address: 172.21.4.1:3128
requesting http://ifconfig.me/
302 redirect to https://ifconfig.me/
resolving server address: 172.21.4.1:3128
resolving server address: 172.21.4.1:3128
SSL options: 82004854
Peer verification enabled
Using CA cert file: /usr/local/etc/ssl/cert.pem
Verify hostname
TLSv1.3 connection established using TLS_AES_256_GCM_SHA384
Certificate subject: /CN=ifconfig.me
Certificate issuer: /C=US/O=Google Trust Services/CN=GTS CA 1D2
requesting https://ifconfig.me/
remote size / mtime: 8826 / 0
ifconfig.m                                    8826  B   38 MBps    00s

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

garga requested review of this revision.Apr 1 2021, 11:59 AM
garga created this revision.
kp mentioned this in D29532: libfetch: handle 407 (proxy auth) when connecting to HTTPS using connect tunnel.Apr 1 2021, 12:01 PM
kp added inline comments.Apr 1 2021, 12:09 PM
lib/libfetch/http.c
1405

I'm not sure about using warnx() from a library. There are others, but they're for unimplemented functionality (so should arguably be assertions for the calling app), not for runtime errors (i.e. proxy auth information not set).

1453

I don't like '> 0' for an int that's used as a boolean, but that's a question of taste more than anything.

1509

This is wrong though. 'fetch_close(conn)' frees conn, so we can't use or return it.

I think we should just not fetch_close().

kevans added a comment.Apr 1 2021, 12:39 PM

re: commit message:

Submitted by: Egil Hasting <egil.hasting@higen.org>

Drop this line and --amend the commit with --author="Egil Hasting <egil.hasting@higen.org>", git log should show their name and you will be attributed as the committer.

lib/libfetch/http.c
1408

Just before this, we should explicitly check if aparams.user == NULL || aparams.password == NULL and return an error (clean_http_auth_parms first) to propagate the ENOMEM condition properly.

1509

Yes, the caller (below) will close it in ouch if it's not NULL, so just drop this fetch_close() entirely since we're returning a live object.

kevans added inline comments.Apr 1 2021, 12:44 PM
lib/libfetch/http.c
1509

Actually, that's a lie. The caller below needs to observe conn->err then close it.

kp commandeered this revision.Apr 1 2021, 7:21 PM
kp updated this revision to Diff 86704.
kp edited reviewers, added: garga; removed: kp.

Address a few comments (lightly edited version of Renato's work).

kp added inline comments.Apr 1 2021, 7:25 PM
lib/libfetch/http.c
1408

The code is already somewhat inconsistent about checking for memory allocation failures.

On the whole I tend to prefer not to clutter userspace code with such checks, because in the vast majority of cases the system will be overcommitting memory anyway, so the first thing you'll know about an out-of-memory condition is when the OOM killer comes round and terminates you.

kevans accepted this revision.Apr 1 2021, 7:35 PM

Sure

This revision is now accepted and ready to land.Apr 1 2021, 7:35 PM
garga accepted this revision.Apr 1 2021, 8:53 PM
garga edited the summary of this revision. (Show Details)Apr 1 2021, 8:57 PM
garga edited the summary of this revision. (Show Details)Apr 1 2021, 9:00 PM
garga edited the summary of this revision. (Show Details)
Closed by commit rG345c30a94f64: libfetch: Retry with proxy auth when server returns 407 (authored by garga). · Explain WhyApr 1 2021, 9:07 PM
This revision was automatically updated to reflect the committed changes.
garga added a commit: rG345c30a94f64: libfetch: Retry with proxy auth when server returns 407.
kib mentioned this in D29832: ntpd: Change default stack limit to 4096 pages..Apr 26 2021, 11:21 AM
garga added a commit: rGd7682961d386: libfetch: Retry with proxy auth when server returns 407.Apr 28 2021, 7:38 PM
garga added a commit: rG208c36a005f5: libfetch: Retry with proxy auth when server returns 407.

Revision Contents
Changeset List

PathSize
lib/
libfetch/
55 lines

Diff 86710

View Options

lib/libfetch/http.c

Loading...