Commit 41e131bf authored by David Woodhouse

Clean up handling of default disable for Basic auth

Now it works cleanly for both proxy and normal HTTP auth.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
parent 32c08c5a
......@@ -163,13 +163,6 @@ static int basic_authorization(struct openconnect_info *vpninfo, int proxy,
if (!user || !pass)
return -EINVAL;
if (!vpninfo->authmethods_set) {
vpn_progress(vpninfo, PRG_ERR,
_("Proxy requested Basic authentication which is disabled by default\n"));
auth_state->state = AUTH_FAILED;
return -EINVAL;
}
if (auth_state->state == AUTH_IN_PROGRESS) {
auth_state->state = AUTH_FAILED;
return -EAGAIN;
......@@ -240,6 +233,20 @@ int gen_authorization_hdr(struct openconnect_info *vpninfo, int proxy,
auth_state = &vpninfo->proxy_auth[auth_methods[i].state_index];
else
auth_state = &vpninfo->http_auth[auth_methods[i].state_index];
if (auth_state->state == AUTH_DEFAULT_DISABLED) {
if (proxy)
vpn_progress(vpninfo, PRG_ERR,
_("Proxy requested Basic authentication which is disabled by default\n"));
else
vpn_progress(vpninfo, PRG_ERR,
_("Server '%s' requested Basic authentication which is disabled by default\n"),
vpninfo->hostname);
auth_state->state = AUTH_FAILED;
return -EINVAL;
}
if (auth_state->state > AUTH_UNSEEN) {
ret = auth_methods[i].authorization(vpninfo, proxy, auth_state, buf);
if (ret == -EAGAIN || !ret)
......@@ -380,7 +387,6 @@ int openconnect_set_proxy_auth(struct openconnect_info *vpninfo, const char *met
}
methods = p;
}
vpninfo->authmethods_set = 1;
return 0;
}
......@@ -1135,11 +1135,11 @@ static int process_socks_proxy(struct openconnect_info *vpninfo)
buf[2 + nr_auth_methods++] = SOCKS_AUTH_NONE;
#if defined(HAVE_GSSAPI) || defined(_WIN32)
if (vpninfo->proxy_auth[AUTH_TYPE_GSSAPI].state != AUTH_DISABLED &&
if (vpninfo->proxy_auth[AUTH_TYPE_GSSAPI].state > AUTH_FAILED &&
!vpninfo->proxy_user && !vpninfo->proxy_pass)
buf[2 + nr_auth_methods++] = SOCKS_AUTH_GSSAPI;
#endif
if (vpninfo->proxy_auth[AUTH_TYPE_BASIC].state != AUTH_DISABLED &&
if (vpninfo->proxy_auth[AUTH_TYPE_BASIC].state > AUTH_FAILED &&
vpninfo->proxy_user && vpninfo->proxy_pass)
buf[2 + nr_auth_methods++] = SOCKS_AUTH_PASSWORD;
......
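Review bot: In the process_socks_proxy hunk, the new `> AUTH_FAILED` test on `proxy_auth[AUTH_TYPE_BASIC].state` drops SOCKS_AUTH_PASSWORD from the offered methods without any message, whereas the HTTP path in gen_authorization_hdr now logs that Basic is disabled by default. Since this commit initialises that state to AUTH_DEFAULT_DISABLED, a user who supplied proxy_user and proxy_pass would, as far as these lines show, only see SOCKS_AUTH_NONE offered and no explanation of why the credentials went unused. Keeping the cleartext password method off by default is sound; I would add a branch for `state == AUTH_DEFAULT_DISABLED` with both credentials set that emits a `vpn_progress(vpninfo, PRG_ERR, ...)` notice mirroring the HTTP one. The function body continues outside the hunk, so an existing diagnostic further down may already cover this.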
......@@ -84,6 +84,8 @@ struct openconnect_info *openconnect_vpninfo_new(const char *useragent,
vpninfo->xmlpost = 1;
vpninfo->verbose = PRG_TRACE;
vpninfo->try_http_auth = 1;
vpninfo->proxy_auth[AUTH_TYPE_BASIC].state = AUTH_DEFAULT_DISABLED;
vpninfo->http_auth[AUTH_TYPE_BASIC].state = AUTH_DEFAULT_DISABLED;
openconnect_set_reported_os(vpninfo, NULL);
if (!vpninfo->localname || !vpninfo->useragent)
......
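Review bot: The two new assignments in openconnect_vpninfo_new carry no comment saying why Basic alone starts out in AUTH_DEFAULT_DISABLED, and the reason is a security one that a later reader should not have to reconstruct. I would add `/* Basic sends the password merely base64-encoded; keep it off until explicitly enabled */` above them. Only openconnect_set_proxy_auth is visible in this commit as a way to change method states, so it is worth confirming that an equivalent opt-in exists for `http_auth`; otherwise the server branch of the new error message describes a default that cannot be overridden. The function continues outside the hunk.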
......@@ -206,6 +206,7 @@ struct oc_text_buf {
#define MAX_AUTH_TYPES 4
#define AUTH_DEFAULT_DISABLED -3
#define AUTH_DISABLED -2
#define AUTH_FAILED -1 /* Failed */
#define AUTH_UNSEEN 0 /* Server has not offered it */
......@@ -378,7 +379,6 @@ struct openconnect_info {
int try_http_auth;
struct http_auth_state http_auth[MAX_AUTH_TYPES];
struct http_auth_state proxy_auth[MAX_AUTH_TYPES];
int authmethods_set;
char *localname;
char *hostname;
......
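Review bot: `AUTH_DEFAULT_DISABLED` is added without a comment, and its numeric position is load-bearing: the visible checks are range comparisons (`state > AUTH_FAILED` in process_socks_proxy, `state > AUTH_UNSEEN` in gen_authorization_hdr), so every "do not use" state has to stay below AUTH_FAILED. I would write `#define AUTH_DEFAULT_DISABLED -3 /* Off unless explicitly enabled; must sort below AUTH_FAILED */` and give AUTH_DISABLED a matching comment. As a style point, parenthesising the negative values, e.g. `(-3)`, avoids surprises if one is ever used inside a larger expression.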