From 4d377ea1861cbb084fd9cf1bd2986c7fb9366bb0 Mon Sep 17 00:00:00 2001
From: David Woodhouse <dwmw2@infradead.org>
Date: Fri, 2 Aug 2019 10:51:09 -0700
Subject: [PATCH] Implicitly enable basic auth for SOCKS if creds are provided.

Forcing the user to add --proxy-auth=basic on the command line as well as
providing the creds in the proxy URL is horrid. It took me a long time to
work out why it wasn't working.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
---
 http.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/http.c b/http.c
index b5871360..36995e12 100644
--- a/http.c
+++ b/http.c
@@ -1119,7 +1119,14 @@ static int process_socks_proxy(struct openconnect_info *vpninfo)
 	    !vpninfo->proxy_user && !vpninfo->proxy_pass)
 		buf[2 + nr_auth_methods++] = SOCKS_AUTH_GSSAPI;
 #endif
-	if (vpninfo->proxy_auth[AUTH_TYPE_BASIC].state > AUTH_FAILED &&
+	/*
+	 * Basic auth is disabled by default. But for SOCKS, if the user has
+	 * actually provided a password then that should implicitly allow
+	 * basic auth since that's all that SOCKS can do. We shouldn't force
+	 * the user to also add --proxy-auth=basic on the command line.
+	 */
+	if ((vpninfo->proxy_auth[AUTH_TYPE_BASIC].state > AUTH_FAILED ||
+	     vpninfo->proxy_auth[AUTH_TYPE_BASIC].state == AUTH_DEFAULT_DISABLED) &&
 	    vpninfo->proxy_user && vpninfo->proxy_pass)
 		buf[2 + nr_auth_methods++] = SOCKS_AUTH_PASSWORD;
 
-- 
2.49.0