From 41e131bf4e462280c06fa96b81beada6d9ed7130 Mon Sep 17 00:00:00 2001
From: David Woodhouse
Date: Tue, 24 Feb 2015 15:40:51 +0000
Subject: [PATCH] Clean up handling of default disable for Basic auth

Now it works cleanly for both proxy and normal HTTP auth.

Signed-off-by: David Woodhouse
---
 http-auth.c | 22 ++++++++++++++--------
 http.c | 4 ++--
 library.c | 2 ++
 openconnect-internal.h | 2 +-
 4 files changed, 19 insertions(+), 11 deletions(-)

diff --git a/http-auth.c b/http-auth.c
index b4c2271d..1e0f21fb 100644
--- a/http-auth.c
+++ b/http-auth.c
@@ -163,13 +163,6 @@ static int basic_authorization(struct openconnect_info *vpninfo, int proxy,
 if (!user || !pass)
 return -EINVAL;
- if (!vpninfo->authmethods_set) {
- vpn_progress(vpninfo, PRG_ERR,
- _("Proxy requested Basic authentication which is disabled by default\n"));
- auth_state->state = AUTH_FAILED;
- return -EINVAL;
- }
-
 if (auth_state->state == AUTH_IN_PROGRESS) {
 auth_state->state = AUTH_FAILED;
 return -EAGAIN;
@@ -240,6 +233,20 @@ int gen_authorization_hdr(struct openconnect_info *vpninfo, int proxy,
 auth_state = &vpninfo->proxy_auth[auth_methods[i].state_index];
 else
 auth_state = &vpninfo->http_auth[auth_methods[i].state_index];
+
+ if (auth_state->state == AUTH_DEFAULT_DISABLED) {
+ if (proxy)
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Proxy requested Basic authentication which is disabled by default\n"));
+ else
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Server '%s' requested Basic authentication which is disabled by default\n"),
+ vpninfo->hostname);
+ auth_state->state = AUTH_FAILED;
+ return -EINVAL;
+ }
+
+
 if (auth_state->state > AUTH_UNSEEN) {
 ret = auth_methods[i].authorization(vpninfo, proxy, auth_state, buf);
 if (ret == -EAGAIN || !ret)
@@ -380,7 +387,6 @@ int openconnect_set_proxy_auth(struct openconnect_info *vpninfo, const char *met
 }
 methods = p;
 }
- vpninfo->authmethods_set = 1;
 return 0;
 }
diff --git a/http.c b/http.c
index b1e5a9fa..483e2443 100644
--- a/http.c
+++ b/http.c
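Review bot: In the second http-auth.c hunk (gen_authorization_hdr), the new `AUTH_DEFAULT_DISABLED` branch runs for every entry of `auth_methods`, yet both messages hard-code "Basic" and say the peer "requested" it, and nothing in the hunk checks that the method is Basic or that it was actually offered. This is correct today only because library.c assigns that state to `AUTH_TYPE_BASIC` alone. Whether an un-offered Basic stays in this state depends on the header parser, which is outside the diff, so the error may be reported even when Basic was never requested. I would add `/* Only Basic starts as AUTH_DEFAULT_DISABLED; see openconnect_vpninfo_new() */` above the branch, and collapse the two blank lines added after its closing brace into one. The loop header and the rest of the function lie outside the hunk.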
@@ -1135,11 +1135,11 @@ static int process_socks_proxy(struct openconnect_info *vpninfo)
 buf[2 + nr_auth_methods++] = SOCKS_AUTH_NONE;
 #if defined(HAVE_GSSAPI) || defined(_WIN32)
- if (vpninfo->proxy_auth[AUTH_TYPE_GSSAPI].state != AUTH_DISABLED &&
+ if (vpninfo->proxy_auth[AUTH_TYPE_GSSAPI].state > AUTH_FAILED &&
 !vpninfo->proxy_user && !vpninfo->proxy_pass)
 buf[2 + nr_auth_methods++] = SOCKS_AUTH_GSSAPI;
 #endif
- if (vpninfo->proxy_auth[AUTH_TYPE_BASIC].state != AUTH_DISABLED &&
+ if (vpninfo->proxy_auth[AUTH_TYPE_BASIC].state > AUTH_FAILED &&
 vpninfo->proxy_user && vpninfo->proxy_pass)
 buf[2 + nr_auth_methods++] = SOCKS_AUTH_PASSWORD;
diff --git a/library.c b/library.c
index 3198f091..77adb1fc 100644
--- a/library.c
+++ b/library.c
@@ -84,6 +84,8 @@ struct openconnect_info *openconnect_vpninfo_new(const char *useragent,
 vpninfo->xmlpost = 1;
 vpninfo->verbose = PRG_TRACE;
 vpninfo->try_http_auth = 1;
+ vpninfo->proxy_auth[AUTH_TYPE_BASIC].state = AUTH_DEFAULT_DISABLED;
+ vpninfo->http_auth[AUTH_TYPE_BASIC].state = AUTH_DEFAULT_DISABLED;
 openconnect_set_reported_os(vpninfo, NULL);
 if (!vpninfo->localname || !vpninfo->useragent)
diff --git a/openconnect-internal.h b/openconnect-internal.h
index f0b7029a..04cb2268 100644
--- a/openconnect-internal.h
+++ b/openconnect-internal.h
@@ -206,6 +206,7 @@ struct oc_text_buf {
 #define MAX_AUTH_TYPES 4
+#define AUTH_DEFAULT_DISABLED -3
 #define AUTH_DISABLED -2
 #define AUTH_FAILED -1 /* Failed */
 #define AUTH_UNSEEN 0 /* Server has not offered it */
@@ -378,7 +379,6 @@ struct openconnect_info {
 int try_http_auth;
 struct http_auth_state http_auth[MAX_AUTH_TYPES];
 struct http_auth_state proxy_auth[MAX_AUTH_TYPES];
- int authmethods_set;
 char *localname;
 char *hostname;
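Review bot: In process_socks_proxy() the test changes from `!= AUTH_DISABLED` to `> AUTH_FAILED`, which also stops offering a method whose state is `AUTH_FAILED`, not only one in the new default-disabled state. The commit message does not mention this, and whether a proxy_auth entry can already be `AUTH_FAILED` when SOCKS negotiation starts is not visible in this hunk. A comment above the first test would record the intent, e.g. `/* Offer only methods that are not failed, disabled, or disabled by default */`. The function body continues outside the hunk.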
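Review bot: `AUTH_DEFAULT_DISABLED` in the first openconnect-internal.h hunk is added without the trailing comment that its neighbours `AUTH_FAILED` and `AUTH_UNSEEN` carry. The new `> AUTH_FAILED` tests in http.c and the existing `> AUTH_UNSEEN` test in http-auth.c now depend on it sorting below `AUTH_FAILED`. I would write `#define AUTH_DEFAULT_DISABLED -3 /* Disabled unless explicitly enabled */` and add one line above the group, `/* Numeric order matters: callers compare state against AUTH_FAILED and AUTH_UNSEEN */`, so a later reordering does not silently re-enable Basic. How a caller moves Basic out of this state is not shown in the diff, so the wording of the first comment should be checked against openconnect_set_proxy_auth().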