www.infradead.org Git - users/dwmw2/openconnect.git/commitdiff
Send 'cas-support=yes' in GlobalProtect prelogin request
author Daniel Lenski <dlenski@gmail.com>
Mon, 25 Sep 2023 14:14:37 +0000 (07:14 -0700)
committer Daniel Lenski <dlenski@gmail.com>
Tue, 20 Feb 2024 01:53:29 +0000 (17:53 -0800)
Per https://gitlab.com/openconnect/openconnect/-/issues/651, some newer GP
servers are responding to prelogin.esp requests with an error:

    CAS is not supported by the client.  Minimum client version is 6.0

It appears that CAS ("Central Authentication Server";
https://apereo.github.io/cas/index.html) is a standardized single-sign-on
protocol requiring an external browser.

Per https://gitlab.com/openconnect/openconnect/-/issues/651#note_1576596243,
the field 'cas-support=yes' needs to be sent in the POST *body* of the
prelogin request, in order to avoid this error message; the error message's
claim that a specific client software version is necessary isn't very
helpful.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
auth-globalprotect.c

index c09fddee8d5f1bbb181c02c0077aa8e0caa0d3a8..feed3c93fec354c2d91ce86fcaadaf2338b7ca97 100644 (file)
@@ -646,7 +646,10 @@ static int gpst_login(struct openconnect_info *vpninfo, int portal, struct login
                        }
                }
                /* submit prelogin request to get form */
-               result = do_https_request(vpninfo, "POST", NULL, NULL, &xml_buf, NULL, HTTP_REDIRECT);
+               buf_truncate(request_body);
+               if (!vpninfo->no_external_auth)
+                       buf_append(request_body, "cas-support=yes");
+               result = do_https_request(vpninfo, "POST", "application/x-www-form-urlencoded", request_body, &xml_buf, NULL, HTTP_REDIRECT);
                if (!keep_urlpath) {
                        free(vpninfo->urlpath);
                        vpninfo->urlpath = orig_path;
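
Review bot: When 'vpninfo->no_external_auth' is set, the new do_https_request() call still passes "application/x-www-form-urlencoded" and 'request_body', so the prelogin POST now carries a content type and an empty body where the old call passed NULL for both. If the request should stay unchanged for that case, pass NULL for both arguments when nothing was appended. Separately, buf_truncate(request_body) discards whatever the buffer held, and the visible lines do not show where 'request_body' is allocated or whether its error state is checked before the request is sent, so both are worth confirming. A one-line comment above the buf_append() naming the "CAS is not supported by the client" server error would also record why the field is sent.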