Clean up handling of default disable for Basic auth

Now it works cleanly for both proxy and normal HTTP auth.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

http-auth.c

@@ -163,13 +163,6 @@ static int basic_authorization(struct openconnect_info *vpninfo, int proxy,
 	if (!user || !pass)
 		return -EINVAL;
 
-	if (!vpninfo->authmethods_set) {
-		vpn_progress(vpninfo, PRG_ERR,
-			     _("Proxy requested Basic authentication which is disabled by default\n"));
-		auth_state->state = AUTH_FAILED;
-		return -EINVAL;
-	}
-
 	if (auth_state->state == AUTH_IN_PROGRESS) {
 		auth_state->state = AUTH_FAILED;
 		return -EAGAIN;
@@ -240,6 +233,20 @@ int gen_authorization_hdr(struct openconnect_info *vpninfo, int proxy,
 			auth_state = &vpninfo->proxy_auth[auth_methods[i].state_index];
 		else
 			auth_state = &vpninfo->http_auth[auth_methods[i].state_index];
+
+		if (auth_state->state == AUTH_DEFAULT_DISABLED) {
+			if (proxy)
+				vpn_progress(vpninfo, PRG_ERR,
+					     _("Proxy requested Basic authentication which is disabled by default\n"));
+			else
+				vpn_progress(vpninfo, PRG_ERR,
+					     _("Server '%s' requested Basic authentication which is disabled by default\n"),
+					       vpninfo->hostname);
+			auth_state->state = AUTH_FAILED;
+			return -EINVAL;
+		}
+
+
 		if (auth_state->state > AUTH_UNSEEN) {
 			ret = auth_methods[i].authorization(vpninfo, proxy, auth_state, buf);
 			if (ret == -EAGAIN || !ret)
@@ -380,7 +387,6 @@ int openconnect_set_proxy_auth(struct openconnect_info *vpninfo, const char *met
 		}
 		methods = p;
 	}
-	vpninfo->authmethods_set = 1;
 	return 0;
 }
 

http.c

@@ -1135,11 +1135,11 @@ static int process_socks_proxy(struct openconnect_info *vpninfo)
 
 	buf[2 + nr_auth_methods++] = SOCKS_AUTH_NONE;
 #if defined(HAVE_GSSAPI) || defined(_WIN32)
-	if (vpninfo->proxy_auth[AUTH_TYPE_GSSAPI].state != AUTH_DISABLED &&
+	if (vpninfo->proxy_auth[AUTH_TYPE_GSSAPI].state > AUTH_FAILED &&
 	    !vpninfo->proxy_user && !vpninfo->proxy_pass)
 		buf[2 + nr_auth_methods++] = SOCKS_AUTH_GSSAPI;
 #endif
-	if (vpninfo->proxy_auth[AUTH_TYPE_BASIC].state != AUTH_DISABLED &&
+	if (vpninfo->proxy_auth[AUTH_TYPE_BASIC].state > AUTH_FAILED &&
 	    vpninfo->proxy_user && vpninfo->proxy_pass)
 		buf[2 + nr_auth_methods++] = SOCKS_AUTH_PASSWORD;
 

library.c

@@ -84,6 +84,8 @@ struct openconnect_info *openconnect_vpninfo_new(const char *useragent,
 	vpninfo->xmlpost = 1;
 	vpninfo->verbose = PRG_TRACE;
 	vpninfo->try_http_auth = 1;
+	vpninfo->proxy_auth[AUTH_TYPE_BASIC].state = AUTH_DEFAULT_DISABLED;
+	vpninfo->http_auth[AUTH_TYPE_BASIC].state = AUTH_DEFAULT_DISABLED;
 	openconnect_set_reported_os(vpninfo, NULL);
 
 	if (!vpninfo->localname || !vpninfo->useragent)

openconnect-internal.h

@@ -206,6 +206,7 @@ struct oc_text_buf {
 
 #define MAX_AUTH_TYPES		4
 
+#define AUTH_DEFAULT_DISABLED	-3
 #define AUTH_DISABLED		-2
 #define AUTH_FAILED		-1	/* Failed */
 #define AUTH_UNSEEN		0	/* Server has not offered it */
@@ -378,7 +379,6 @@ struct openconnect_info {
 	int try_http_auth;
 	struct http_auth_state http_auth[MAX_AUTH_TYPES];
 	struct http_auth_state proxy_auth[MAX_AUTH_TYPES];
-	int authmethods_set;
 
 	char *localname;
 	char *hostname;