www.infradead.org Git - users/dwmw2/openconnect.git/commitdiff
GP: fix bug in blind retry of login credentials after portal-to-gateway redirect
author Daniel Lenski <dlenski@gmail.com>
Thu, 29 Apr 2021 18:08:20 +0000 (11:08 -0700)
committer Daniel Lenski <dlenski@gmail.com>
Mon, 3 May 2021 21:50:21 +0000 (14:50 -0700)
We had been incorrectly relying on the first character of the 'auth_id'
being '_' to indicate a non-challenge form, in which case the
username/password can be "blindly retried" from portal to gateway.

However, this has been wrong since v8.09 (specifically, the commit
593df6b1c09ea525a913d4d8401a95ffdb1877db). Unfortunately, it may be
responsible for some user reports of inability to login via portal
interface.

Discovered while writing gp-auth-and-config tests.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
auth-globalprotect.c

index 55ceba65edc6701acb1930d893132976853ebd9e..f32acd3423052108a9c81a007cc7e37d32337256 100644 (file)
@@ -649,7 +649,7 @@ static int gpst_login(struct openconnect_info *vpninfo, int portal, struct login
                                 * unless it was a challenge auth form or alt-secret form.
                                 */
                                portal = 0;
-                               if (ctx->form->auth_id[0] == '_' && !ctx->alt_secret) {
+                               if (strcmp(ctx->form->auth_id, "_challenge") && !ctx->alt_secret) {
                                        blind_retry = 1;
                                        goto replay_form;
                                }
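
Review bot: the bare `strcmp(ctx->form->auth_id, "_challenge")` on the added line is used as a truth value, so it reads as "is the challenge form" at a glance while actually being true when auth_id is anything other than "_challenge". Writing it as `strcmp(ctx->form->auth_id, "_challenge") != 0` would make the intent match the comment above it ("unless it was a challenge auth form or alt-secret form"). A second point on the same line: the blind retry resends the username/password to the gateway for every auth_id except this one exact literal, so the gate depends on the string staying in sync with wherever the challenge form's auth_id is assigned. A shared constant for "_challenge", or a dedicated flag next to `alt_secret` that is set when a challenge form is built, would keep a later rename from silently re-enabling credential replay on challenge forms. The test this was discovered with (gp-auth-and-config, per the commit message) should cover both the challenge and non-challenge paths through this branch.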