Juniper: support password and 2FA fields in the same form
authorAsh Holland <ash@sorrel.sh>
Wed, 24 Jun 2020 21:26:28 +0000 (22:26 +0100)
committerDaniel Lenski <dlenski@gmail.com>
Wed, 4 Nov 2020 21:36:12 +0000 (13:36 -0800)
Juniper login forms typically ask for the password in the first form,
then put the 2FA field in a later form. However, some use a second
password field in the first form (usually frmLogin) for the 2FA token.
We now assume password fields after the first in a frmLogin to be 2FA
fields to cope with this case.

Signed-off-by: Ash Holland <ash@sorrel.sh>
auth-juniper.c

index f1d66bb07c18a3d37f5e562de847e4c12c3c834b..94986dfaefeb3b7f76eeb6bce287552323e5dcf6 100644 (file)
@@ -74,6 +74,18 @@ static int oncp_can_gen_tokencode(struct openconnect_info *vpninfo,
            vpninfo->token_bypassed)
                return -EINVAL;
 
+       if (!strcmp(form->auth_id, "frmLogin")) {
+               // The first "password" input in frmLogin is likely to be a password, not 2FA token
+               struct oc_form_opt **p = &form->opts;
+               while (*p) {
+                       if ((*p)->type == OC_FORM_OPT_PASSWORD) {
+                               return can_gen_tokencode(vpninfo, form, opt);
+                       }
+                       p = &(*p)->next;
+               }
+               return -EINVAL;
+       }
+
        if (strcmp(form->auth_id, "frmDefender") &&
            strcmp(form->auth_id, "frmNextToken") &&
            strcmp(form->auth_id, "frmTotpToken"))
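Review bot: The new frmLogin branch never examines `opt` itself: it returns `can_gen_tokencode(vpninfo, form, opt)` as soon as any password-type entry exists in `form->opts`, so it is only correct if the caller invokes it before `opt` is linked into that list, which this hunk does not show. If `opt` were already in the list, the first (real) password field would match itself and be treated as a token field, so a generated token code would be submitted in place of the password. Adding `if (*p == opt) break;` at the top of the loop body would make the check independent of call order, and the existing comment could state that only password inputs preceding `opt` are meant to count. Unless `can_gen_tokencode` already rejects them, a test of `opt->type == OC_FORM_OPT_PASSWORD` before the walk would also keep non-password inputs that follow a password field out of this path. The body of oncp_can_gen_tokencode starts before and continues past this hunk.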