auth: Implement special handling of password fields on XML POST

The Cisco AnyConnect client exhibits some quirky behavior on fields
with certain names:

For "answer", "whichpin", and "new_password", the field is renamed to
"password" in the submission.

For "verify_pin" and "verify_password", the field is omitted entirely.
One might expect the client to perform a comparison to see if the first
password/PIN field matches the verify_* field, but in my testing, I didn't
actually see it doing so.

Signed-off-by: Kevin Cernekee <>
Signed-off-by: David Woodhouse <>
cernekee authored and David Woodhouse committed Feb 17, 2013
1 parent 5c4d37a commit e8a0cecc6ddcfffd4663d359f17ebba195cb4d69
Showing 1 changed file with 15 additions and 0 deletions.
15 auth.c
@@ -803,6 +803,21 @@ static int xmlpost_append_form_opts(struct openconnect_info *vpninfo,

/* answer,whichpin,new_password: rename to "password" */
if (!strcmp(opt->name, "answer") ||
!strcmp(opt->name, "whichpin") ||
!strcmp(opt->name, "new_password")) {
if (!xmlNewTextChild(node, NULL, XCAST("password"), XCAST(opt->value)))
goto bad;

/* verify_pin,verify_password: ignore */
if (!strcmp(opt->name, "verify_pin") ||
!strcmp(opt->name, "verify_password")) {

/* everything else: create <foo>user_input</foo> under <auth> */
if (!xmlNewTextChild(node, NULL, XCAST(opt->name), XCAST(opt->value)))
goto bad;
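Review bot: The rename branch for "answer", "whichpin" and "new_password" has no guard against a form that carries more than one of these names, or one of them next to a field that is already called "password"; each match adds another child via xmlNewTextChild(node, NULL, XCAST("password"), ...), so the request can end up with several <password> elements under the same node and the server decides which one wins. Consider tracking whether a "password" child has already been emitted and either failing through the existing "goto bad" path or logging the collision. Separately, the "verify_pin" / "verify_password" branch drops the confirmation value without comparing it to the first field, so a mistyped new password or PIN is submitted as entered. The commit message explains that this mirrors what the Cisco client was observed to do, but the in-code comment only says "ignore"; it would help to state that reason there, or to compare the two values locally before the request is built and reject a mismatch.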

