From 3d4701a10c07a8987418b4a3387fdd4bcd71a2b4 Mon Sep 17 00:00:00 2001
From: Daniel Lenski
Date: Wed, 3 Apr 2019 17:22:08 +0300
Subject: [PATCH] bugfix for OTP "challenge" form handling
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

In the patch entitled 'Recognise auth forms named "challenge" as token requests' (commit 51f8feb6, released in v8.00) the condition for using an OTP token in an AnyConnect login form was changed from: (field is named `secondary_password`) … to: (field is named `secondary_password`) AND (form is named `challenge`) This was almost certainly a mistake, and should have been as follows: (field is named `secondary_password`) OR (form is named `challenge`) This patch rewrites the condition to do just that, in a clearer form, and should fix GitLab issue #24 (https://gitlab.com/openconnect/openconnect/issues/24#note_157035052).

Signed-off-by: Daniel Lenski
---
auth.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/auth.c b/auth.c
index 07a9706a..e7e73ada 100644
--- a/auth.c
+++ b/auth.c
@@ -902,11 +902,11 @@ static int cstp_can_gen_tokencode(struct openconnect_info *vpninfo,
 }
 #endif
 /* Otherwise it's an OATH token of some kind. */
- if (strcmp(opt->name, "secondary_password") &&
- (!form->auth_id || strcmp(form->auth_id, "challenge")))
- return -EINVAL;
+ if (!strcmp(opt->name, "secondary_password") ||
+ (form->auth_id && !strcmp(form->auth_id, "challenge")))
+ return can_gen_tokencode(vpninfo, form, opt);

- return can_gen_tokencode(vpninfo, form, opt);
+ return -EINVAL;
 }
 static int fetch_config(struct openconnect_info *vpninfo)
--
2.50.1
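Review bot: The `challenge` arm of the new condition accepts a field of any name, because `form->auth_id` alone now decides the match. Both strings come from the server-supplied form, so the client will offer a generated tokencode to whichever field the gateway places in a form with that id. The start of cstp_can_gen_tokencode is outside this hunk, so I cannot see whether `opt` is already restricted to a password-type field; if it is not, that check belongs before this test. The existing comment should also state the rule, e.g. `/* Token request: field is "secondary_password", or the form id is "challenge" (any field name). */`. A regression case for a `challenge` form that is not an OTP prompt would pin down the intended behaviour.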