Disable Basic auth by default

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
sailfishos-mirror · Jun 20, 2014 · 3d77788 · 3d77788
1 parent 084af2d
commit 3d77788
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 5 deletions.
diff --git a/http.c b/http.c
@@ -1664,6 +1664,13 @@ static int basic_authorization(struct openconnect_info *vpninfo, struct oc_text_
 	if (!vpninfo->proxy_user || !vpninfo->proxy_pass)
 		return -EINVAL;
 
+	if (!vpninfo->authmethods_set) {
+		vpn_progress(vpninfo, PRG_ERR,
+			     _("Proxy requested Basic authentication which is disabled by default\n"));
+		vpninfo->auth[AUTH_TYPE_BASIC].state = AUTH_FAILED;
+		return -EINVAL;
+	}
+
 	if (vpninfo->auth[AUTH_TYPE_BASIC].state == AUTH_IN_PROGRESS) {
 		vpninfo->auth[AUTH_TYPE_BASIC].state = AUTH_FAILED;
 		return -EAGAIN;
@@ -1915,6 +1922,7 @@ int openconnect_set_proxy_auth(struct openconnect_info *vpninfo, char *methods)
 		}
 		methods = p;
 	}
+	vpninfo->authmethods_set = 1;
 	free(start);
 	return 0;
 }

diff --git a/openconnect-internal.h b/openconnect-internal.h
@@ -206,6 +206,7 @@ struct openconnect_info {
 	gss_ctx_id_t gss_context;
 #endif
 	int ntlm_helper_fd;
+	int authmethods_set;
 
 	char *localname;
 	char *hostname;

diff --git a/openconnect.8.in b/openconnect.8.in
@@ -194,11 +194,13 @@ required but no credentials are given, GSSAPI and automatic NTLM authentication
 using Samba's ntlm_auth helper tool may be attempted.
 .TP
 .B \-\-proxy-auth=METHODS
-Use only the specified methods for HTTP authentication to a proxy. The argument
-is a comma-separated list of methods to be enabled. Note that the order does
-not matter: OpenConnect will use Negotiate, NTLM, Digest and Basic authentication
-in that order, if each is enabled, regardless of the order specified in the METHODS
-string.
+Use only the specified methods for HTTP authentication to a proxy.  By default,
+only Negotiate, NTLM and Digest authentication are enabled. Basic authentication
+is also supported but because it is insecure it must be explicitly enabled. The
+argument is a comma-separated list of methods to be enabled. Note that the order
+does not matter: OpenConnect will use Negotiate, NTLM, Digest and Basic
+authentication in that order, if each is enabled, regardless of the order
+specified in the METHODS string.
 .TP
 .B \-\-no\-proxy
 Disable use of proxy