
AnyConnect: External browser SSO support

David Woodhouse requested to merge extsaml into master

The 'external browser' mode allows the user to use a 'real' browser which might have things that an integrated webview doesn't — Kerberos, U2F, magic plugins or cookies.

The problem with the external browser is... how do you get a token back from it when the authentication is done?

In some cases the authentication ends with a redirect to a URL with a special protocol (chime:, slack:), and the application itself (or a helper) is registered as the handler for those protocols. Cisco do it differently, with the VPN client listening on a local port. The SAML authentication flow then ends with a redirect to http://localhost:29786/api/sso/... with the base64-encoded token being the last part of the URL path.

So we have to add a cancellable_accept function and a little bit of basic HTTP server handling in order to accept that.

In addition, since it's passed over unauthenticated loopback networking, the cookie is encrypted using a key we need to generate and provide on each connection, using some form of HPKE.
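As an added example (not the merge request's or OpenConnect's own code), the two pieces described above: an accept() that can be cancelled through a second descriptor, and extraction of the token from the loopback callback request. The /api/sso/ path and "last path component" rule come from the description; the exact request-line shape, the URL-safe base64 alphabet, the reply text and all function names are assumptions here.

```c
#include <ctype.h>
#include <poll.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Wait for the browser to connect on listen_fd, but give up as soon as the
 * caller writes a byte to cancel_fd or timeout_ms elapses.
 * Returns the accepted fd, -2 if cancelled or timed out, -1 on error. */
int cancellable_accept(int listen_fd, int cancel_fd, int timeout_ms)
{
    struct pollfd pfd[2] = {{listen_fd, POLLIN, 0}, {cancel_fd, POLLIN, 0}};
    int n = poll(pfd, 2, timeout_ms);
    if (n < 0)
        return -1;
    if (n == 0 || (pfd[1].revents & POLLIN))
        return -2;
    return accept(listen_fd, NULL, NULL);
}

/* Minimal reply so the browser shows a result instead of a connection error. */
static const char sso_reply[] =
    "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nConnection: close\r\n"
    "Content-Length: 23\r\n\r\nAuthentication complete";

/* Extract the token from "GET /api/sso/.../<token> HTTP/1.x": the last path
 * component, as the MR description says. Only URL-safe base64 characters
 * (an assumed alphabet) are accepted, so another local process cannot push
 * arbitrary bytes into the VPN client over loopback. Returns length or -1. */
int extract_sso_token(const char *request, char *out, size_t outlen)
{
    if (strncmp(request, "GET /api/sso/", 13) != 0)
        return -1;
    const char *path = request + 4;
    const char *end = strchr(path, ' ');        /* path ends before " HTTP/1.x" */
    if (!end)
        return -1;
    const char *tok = end;
    while (tok > path && tok[-1] != '/')        /* back up to the last '/' */
        tok--;
    size_t len = (size_t)(end - tok);
    if (len == 0 || len >= outlen)
        return -1;
    for (size_t i = 0; i < len; i++)
        if (!isalnum((unsigned char)tok[i]) && !strchr("-_=", tok[i]))
            return -1;
    memcpy(out, tok, len);
    out[len] = '\0';
    return (int)len;
}
```

The accepted descriptor is read once, passed through extract_sso_token(), answered with sso_reply, and the base64-decoded bytes then go to the HPKE-style decryption step the description mentions, which is not shown here.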
