provide CSD_SHA256 via environment variable rather than command-line argument
authorDaniel Lenski <dlenski@gmail.com>
Fri, 1 Jun 2018 19:13:57 +0000 (22:13 +0300)
committerDaniel Lenski <dlenski@gmail.com>
Fri, 1 Jun 2018 19:22:17 +0000 (22:22 +0300)
David Woodhouse pointed out that -scert_sha256 might cause the old, non-XMLPOST CSD trojan to misbehave

auth.c
csd-wrapper.sh

diff --git a/auth.c b/auth.c
index 5a75afb0d699c1d1416476fed8edfceec69e44b1..510c4f9783b4ea48142106e1967a37afafaf3777 100644 (file)
--- a/auth.c
+++ b/auth.c
@@ -1142,8 +1142,6 @@ static int run_csd_script(struct openconnect_info *vpninfo, char *buf, int bufle
                        if (asprintf(&csd_argv[i++], "\"%s:%s\"", scertbuf, ccertbuf) == -1)
                                goto out;
 
-                       csd_argv[i++] = (char *)"-scert_sha256";
-                       csd_argv[i++] = openconnect_get_peer_cert_hash(vpninfo) + 11; /* remove initial 'pin-sha256:' */
 
                        csd_argv[i++] = (char *)"-url";
                        if (asprintf(&csd_argv[i++], "\"https://%s%s\"", vpninfo->hostname, vpninfo->csd_starturl) == -1)
@@ -1152,6 +1150,8 @@ static int run_csd_script(struct openconnect_info *vpninfo, char *buf, int bufle
                        csd_argv[i++] = (char *)"-langselen";
                        csd_argv[i++] = NULL;
 
+                       if (setenv("CSD_SHA256", openconnect_get_peer_cert_hash(vpninfo)+11, 1))  /* remove initial 'pin-sha256:' */
+                               goto out;
                        if (setenv("CSD_TOKEN", vpninfo->csd_token, 1))
                                goto out;
                        if (setenv("CSD_HOSTNAME", vpninfo->hostname, 1))
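Review bot: The new CSD_SHA256 setenv line applies a fixed +11 offset to whatever openconnect_get_peer_cert_hash() returns, so if that call can ever return NULL (no peer certificate available at this point) the pointer arithmetic is undefined and setenv() reads through a bad pointer; the offset also silently assumes the `pin-sha256:` prefix rather than checking for it. A guarded form keeps the script from receiving a mangled value: `const char *hash = openconnect_get_peer_cert_hash(vpninfo);` / `if (!hash || strncmp(hash, "pin-sha256:", 11)) goto out;` / `if (setenv("CSD_SHA256", hash + 11, 1)) goto out;`. The same +11 was on the removed -scert_sha256 line, so this is carried over rather than introduced, and run_csd_script begins and continues outside the hunk. The trailing "remove initial 'pin-sha256:'" comment would also read better on its own line above the call now that the statement is long.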
index 67ffaaca0b902d02b0bb456939f3722537a0fedd..d7165d7f3820bd8be7d4f39475dd8cee77e8634c 100755 (executable)
@@ -15,6 +15,7 @@ URL="https://${CSD_HOSTNAME}/CACHE"
 HOSTSCAN_DIR="$HOME/.cisco/hostscan"
 LIB_DIR="$HOSTSCAN_DIR/lib"
 BIN_DIR="$HOSTSCAN_DIR/bin"
+PINNEDPUBKEY=${CSD_SHA256:+"--pinnedpubkey sha256//$CSD_SHA256"}
 
 BINS=("cscan" "cstub" "cnotify")
 
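Review bot: When CSD_SHA256 is unset or empty, the new `${CSD_SHA256:+...}` expansion on the PINNEDPUBKEY line yields an empty string, so any later download that passes $PINNEDPUBKEY presumably runs without certificate pinning and nothing reports the downgrade. The old argument-parsing path had the same silent fallback, but with the value now coming from the environment a missing variable is easier to overlook, so a one-line notice next to the assignment would help operators: `[ -n "$CSD_SHA256" ] || echo "CSD_SHA256 not set; downloading without certificate pinning" >&2`. How PINNEDPUBKEY is consumed is outside this hunk, so whether an empty value disables pinning entirely is inferred from the removed -scert_sha256 handling rather than visible here.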
@@ -27,7 +28,6 @@ STUB=
 GROUP=
 CERTHASH=
 LANGSELEN=
-PINNEDPUBKEY=
 
 while [ "$1" ]; do
     if [ "$1" == "-ticket" ];   then shift; TICKET=$1; fi
@@ -36,7 +36,6 @@ while [ "$1" ]; do
     if [ "$1" == "-certhash" ]; then shift; CERTHASH=$1; fi
     if [ "$1" == "-url" ];      then shift; URL=$(echo $1|tr -d '"'); fi # strip quotes
     if [ "$1" == "-langselen" ];then shift; LANGSELEN=$1; fi
-    if [ "$1" == "-scert_sha256" ]; then shift; PINNEDPUBKEY="--pinnedpubkey sha256//$1"; fi
     shift
 done