bugfix for OTP "challenge" form handling

In the patch entitled 'Recognise auth forms named "challenge" as token
requests' (commit 51f8feb6, released in v8.00) the condition for using an
OTP token in an AnyConnect login form was changed from:

  (field is named `secondary_password`)

… to:

  (field is named `secondary_password`) AND (form is named `challenge`)

This was almost certainly a mistake, and should have been as follows:

  (field is named `secondary_password`) OR (form is named `challenge`)

This patch rewrites the condition to do just that, in a clearer form, and
should fix GitLab issue #24 (https://gitlab.com/openconnect/openconnect/issues/24#note_157035052).

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

diff --git a/auth.c b/auth.c
index 07a9706a2b0c4e4ab3748ca8e48b13b297c2fc1c..e7e73adaf6bc3b1029edbfb3aee7b1c0b31189e6 100644 (file)
--- a/auth.c
+++ b/auth.c
@@ -902,11 +902,11 @@ static int cstp_can_gen_tokencode(struct openconnect_info *vpninfo,
        }
 #endif
        /* Otherwise it's an OATH token of some kind. */
-       if (strcmp(opt->name, "secondary_password") &&
-        (!form->auth_id || strcmp(form->auth_id, "challenge")))
-               return -EINVAL;
+       if (!strcmp(opt->name, "secondary_password") ||
+        (form->auth_id && !strcmp(form->auth_id, "challenge")))
+         return can_gen_tokencode(vpninfo, form, opt);
 
-       return can_gen_tokencode(vpninfo, form, opt);
+       return -EINVAL;
 }
 
 static int fetch_config(struct openconnect_info *vpninfo)