This needs to allow for input elements named "answer" instead of "password", and it needs to check form->message instead of the label attribute for the "Next TOKENCODE" prompt.

Signed-off-by: Kevin Cernekee <cernekee at gmail.com>
---
 auth.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

Note: I suspect that more work will need to be done to accommodate other SecurID use cases:

1) "Next TOKENCODE" mode in a non-XML-POST configuration is untested.

2) Currently can_gen_tokencode() just tries to fill in the first field named "password" or "answer" with the tokencode. But it is possible to set up the gateway to request a login/password, and then prompt for a tokencode only if the l/p were correct. To autopopulate the second password field, but not the first one, we would need to distinguish this setup from the case where the first (and only) password requested is the tokencode. It is not clear whether the gateway gives us enough information to figure this out automatically.

diff --git a/auth.c b/auth.c
index 59587f1..da0c029 100644
--- a/auth.c
+++ b/auth.c
@@ -43,7 +43,8 @@ static int xmlpost_append_form_opts(struct openconnect_info *vpninfo,
 					    struct oc_auth_form *form, char *body, int bodylen);
-static int can_gen_tokencode(struct openconnect_info *vpninfo, struct oc_form_opt *opt);
+static int can_gen_tokencode(struct openconnect_info *vpninfo,
+			     struct oc_auth_form *form, struct oc_form_opt *opt);
 static int do_gen_tokencode(struct openconnect_info *vpninfo, struct oc_auth_form *form);
 static int append_opt(char *body, int bodylen, char *opt, char *name)
@@ -235,7 +236,7 @@ static int parse_form(struct openconnect_info *vpninfo, struct oc_auth_form *for
 		} else if (!strcmp(input_type, "text"))
 			opt->type = OC_FORM_OPT_TEXT;
 		else if (!strcmp(input_type, "password")) {
-			if (vpninfo->use_stoken && !can_gen_tokencode(vpninfo, opt))
+			if (vpninfo->use_stoken && !can_gen_tokencode(vpninfo, form, opt))
 				opt->type = OC_FORM_OPT_STOKEN;
 			else
 				opt->type = OC_FORM_OPT_PASSWORD;
@@ -980,16 +981,19 @@ int prepare_stoken(struct openconnect_info *vpninfo)
  * < 0, if unable to generate a tokencode
  * = 0, on success
  */
-static int can_gen_tokencode(struct openconnect_info *vpninfo, struct oc_form_opt *opt)
+static int can_gen_tokencode(struct openconnect_info *vpninfo, struct oc_auth_form *form,
+			     struct oc_form_opt *opt)
 {
 #ifdef LIBSTOKEN_HDR
-	if (strcmp(opt->name, "password") || vpninfo->stoken_bypassed)
+	if ((strcmp(opt->name, "password") && strcmp(opt->name, "answer")) ||
+	    vpninfo->stoken_bypassed)
 		return -EINVAL;
 	if (vpninfo->stoken_tries == 0) {
 		vpn_progress(vpninfo, PRG_DEBUG, _("OK to generate INITIAL tokencode\n"));
 		vpninfo->stoken_time = 0;
-	} else if (vpninfo->stoken_tries == 1 && strcasestr(opt->label, "next")) {
+	} else if (vpninfo->stoken_tries == 1 && form->message &&
+		   strcasestr(form->message, "next tokencode")) {
 		vpn_progress(vpninfo, PRG_DEBUG, _("OK to generate NEXT tokencode\n"));
 		vpninfo->stoken_time += 60;
-- 
1.7.10.4
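Review bot: The header comment above can_gen_tokencode() in the third hunk (the `* < 0` / `* = 0` lines) still documents only the return values and says nothing about the new `form` parameter or about the NEXT-tokencode decision now keying on `form->message` instead of `opt->label`. I would extend that comment with a line such as `* form->message (may be NULL) is searched for the gateway's "Next TOKENCODE" prompt to choose between the INITIAL and NEXT tokencode paths`. Since `form->message` is wording chosen by the gateway, a prompt phrased differently will fall through to whatever the following else branch does, which lies outside this hunk, so the comment should also state that the "next tokencode" substring is a heuristic rather than an exhaustive match. The body of can_gen_tokencode() continues past the end of the hunk.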