From: Daniel Lenski <dlenski@gmail.com>
Date: Thu, 29 Apr 2021 18:08:20 +0000 (-0700)
Subject: GP: fix bug in blind retry of login credentials after portal-to-gateway redirect
X-Git-Tag: v8.20~230^2~1
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=9b5652e3445975369a422da402c0318fff5d91ae;p=users%2Fdwmw2%2Fopenconnect.git

GP: fix bug in blind retry of login credentials after portal-to-gateway redirect

We had been incorrectly relying on the first character of the 'auth_id'
being '_' to indicate a non-challenge form, in which case the
username/password can be "blindly retried" from portal to gateway.

However, this has been wrong since v8.09 (specifically, the commit
593df6b1c09ea525a913d4d8401a95ffdb1877db). Unfortunately, it may be
responsible for some user reports of inability to login via portal
interface.

Discovered while writing gp-auth-and-config tests.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
---

diff --git a/auth-globalprotect.c b/auth-globalprotect.c
index 55ceba65..f32acd34 100644
--- a/auth-globalprotect.c
+++ b/auth-globalprotect.c
@@ -649,7 +649,7 @@ static int gpst_login(struct openconnect_info *vpninfo, int portal, struct login
 				 * unless it was a challenge auth form or alt-secret form.
 				 */
 				portal = 0;
-				if (ctx->form->auth_id[0] == '_' && !ctx->alt_secret) {
+				if (strcmp(ctx->form->auth_id, "_challenge") && !ctx->alt_secret) {
 					blind_retry = 1;
 					goto replay_form;
 				}