[PATCH 4/4] auth: stoken: Fix handling of "Next TOKENCODE" prompt

Kevin Cernekee cernekee at gmail.com
Sat Feb 16 19:18:07 EST 2013


This needs to allow for input elements named "answer" instead of
"password", and it needs to check form->message instead of the label
attribute for the "Next TOKENCODE" prompt.

Signed-off-by: Kevin Cernekee <cernekee at gmail.com>
---
 auth.c |   14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)


Note: I suspect that more work will need to be done to accommodate other
SecurID use cases:

1) "Next TOKENCODE" mode in a non-XML-POST configuration is untested.

2) Currently can_gen_tokencode() just tries to fill in the first field
named "password" or "answer" with the tokencode.  But it is possible to
set up the gateway to request a login/password, and then prompt for a
tokencode only if the l/p were correct.  To autopopulate the second
password field, but not the first one, we would need to distinguish this
setup from the case where the first (and only) password requested is the
tokencode.  It is not clear whether the gateway gives us enough
information to figure this out automatically.


diff --git a/auth.c b/auth.c
index 59587f1..da0c029 100644
--- a/auth.c
+++ b/auth.c
@@ -43,7 +43,8 @@
 
 static int xmlpost_append_form_opts(struct openconnect_info *vpninfo,
 				    struct oc_auth_form *form, char *body, int bodylen);
-static int can_gen_tokencode(struct openconnect_info *vpninfo, struct oc_form_opt *opt);
+static int can_gen_tokencode(struct openconnect_info *vpninfo,
+			     struct oc_auth_form *form, struct oc_form_opt *opt);
 static int do_gen_tokencode(struct openconnect_info *vpninfo, struct oc_auth_form *form);
 
 static int append_opt(char *body, int bodylen, char *opt, char *name)
@@ -235,7 +236,7 @@ static int parse_form(struct openconnect_info *vpninfo, struct oc_auth_form *for
 		} else if (!strcmp(input_type, "text"))
 			opt->type = OC_FORM_OPT_TEXT;
 		else if (!strcmp(input_type, "password")) {
-			if (vpninfo->use_stoken && !can_gen_tokencode(vpninfo, opt))
+			if (vpninfo->use_stoken && !can_gen_tokencode(vpninfo, form, opt))
 				opt->type = OC_FORM_OPT_STOKEN;
 			else
 				opt->type = OC_FORM_OPT_PASSWORD;
@@ -980,16 +981,19 @@ int prepare_stoken(struct openconnect_info *vpninfo)
  *  < 0, if unable to generate a tokencode
  *  = 0, on success
  */
-static int can_gen_tokencode(struct openconnect_info *vpninfo, struct oc_form_opt *opt)
+static int can_gen_tokencode(struct openconnect_info *vpninfo, struct oc_auth_form *form,
+			     struct oc_form_opt *opt)
 {
 #ifdef LIBSTOKEN_HDR
-	if (strcmp(opt->name, "password") || vpninfo->stoken_bypassed)
+	if ((strcmp(opt->name, "password") && strcmp(opt->name, "answer")) ||
+	    vpninfo->stoken_bypassed)
 		return -EINVAL;
 	if (vpninfo->stoken_tries == 0) {
 		vpn_progress(vpninfo, PRG_DEBUG,
 			     _("OK to generate INITIAL tokencode\n"));
 		vpninfo->stoken_time = 0;
-	} else if (vpninfo->stoken_tries == 1 && strcasestr(opt->label, "next")) {
+	} else if (vpninfo->stoken_tries == 1 && form->message &&
+		   strcasestr(form->message, "next tokencode")) {
 		vpn_progress(vpninfo, PRG_DEBUG,
 			     _("OK to generate NEXT tokencode\n"));
 		vpninfo->stoken_time += 60;
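Review bot: On the `stoken_tries == 0` path the decision to treat a field as a tokencode rests only on the name check at the top of the hunk, so widening it to `"answer"` means a password-type input named "answer" that is an ordinary challenge response (not a SecurID prompt) will be classified as OC_FORM_OPT_STOKEN by parse_form and presumably filled by do_gen_tokencode. The patch note flags the login-then-tokencode sequence, but the "answer" case is not confined to a second prompt, so the limitation is worth stating next to the check. The "next tokencode" branch keys on free text supplied by the gateway, which is a heuristic and should be documented, e.g. `/* Next-tokencode mode is only signalled by the gateway's free-text form message; this assumes an English prompt containing "next tokencode" (matched case-insensitively). */`. can_gen_tokencode's body continues past the end of the hunk.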
-- 
1.7.10.4



