use curl with --pinnedpubkey to rely on sha256 hash of peer cert passed by openconnect
authorDaniel Lenski <dlenski@gmail.com>
Thu, 31 May 2018 18:11:47 +0000 (21:11 +0300)
committerDaniel Lenski <dlenski@gmail.com>
Thu, 31 May 2018 18:39:16 +0000 (21:39 +0300)
auth.c
csd-wrapper.sh [changed mode: 0644->0755]

diff --git a/auth.c b/auth.c
index 83c186d3af830711fb2a3496878d4a804349d176..5a75afb0d699c1d1416476fed8edfceec69e44b1 100644 (file)
--- a/auth.c
+++ b/auth.c
@@ -1142,6 +1142,9 @@ static int run_csd_script(struct openconnect_info *vpninfo, char *buf, int bufle
                        if (asprintf(&csd_argv[i++], "\"%s:%s\"", scertbuf, ccertbuf) == -1)
                                goto out;
 
+                       csd_argv[i++] = (char *)"-scert_sha256";
+                       csd_argv[i++] = openconnect_get_peer_cert_hash(vpninfo) + 11; /* remove initial 'pin-sha256:' */
+
                        csd_argv[i++] = (char *)"-url";
                        if (asprintf(&csd_argv[i++], "\"https://%s%s\"", vpninfo->hostname, vpninfo->csd_starturl) == -1)
                                goto out;
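Review bot: The `-scert_sha256` value on the second added line is `openconnect_get_peer_cert_hash(vpninfo) + 11` with no check that the getter returned a string that really begins with `pin-sha256:`; if it returns NULL (no peer certificate recorded yet) the offset is undefined pointer arithmetic and the script receives a garbage argument, and with any other prefix format the pin would be silently wrong. Take the value into a local and add the pair only when the prefix matches: `const char *hash = openconnect_get_peer_cert_hash(vpninfo);` then `if (hash && !strncmp(hash, "pin-sha256:", 11)) { csd_argv[i++] = (char *)"-scert_sha256"; csd_argv[i++] = (char *)hash + 11; }`, with a comment that the suffix is the base64 SPKI hash that curl's `sha256//` form expects. Two more `csd_argv` slots are consumed here; the array's allocation is outside this hunk, so check it grew accordingly, and if the cleanup path frees each entry an interior pointer into the hash string would be a bad free — the `(char *)"-url"` literal in the same array suggests only the `asprintf` results are freed, but that is inferred. `run_csd_script` begins before this hunk and continues after it.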
old mode 100644 (file)
new mode 100755 (executable)
index bc068f6..d803d6f
@@ -7,6 +7,8 @@
 #   - use -url argument
 #   - kill cstub after timeout
 #   - fix small typos:
+# [31 May 2018] Updated by Daniel Lenski <dlenski@gmail.com>:
+#   - use curl with --pinnedpubkey to rely on sha256 hash of peer cert passed by openconnect
 
 TIMEOUT=30
 URL="https://${CSD_HOSTNAME}/CACHE"
@@ -25,6 +27,7 @@ STUB=
 GROUP=
 CERTHASH=
 LANGSELEN=
+PINNEDPUBKEY=
 
 while [ "$1" ]; do
     if [ "$1" == "-ticket" ];   then shift; TICKET=$1; fi
@@ -33,6 +36,7 @@ while [ "$1" ]; do
     if [ "$1" == "-certhash" ]; then shift; CERTHASH=$1; fi
     if [ "$1" == "-url" ];      then shift; URL=$(echo $1|tr -d '"'); fi # strip quotes
     if [ "$1" == "-langselen" ];then shift; LANGSELEN=$1; fi
+    if [ "$1" == "-scert_sha256" ]; then shift; PINNEDPUBKEY="--pinnedpubkey sha256//$1"; fi
     shift
 done
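Review bot: `PINNEDPUBKEY="--pinnedpubkey sha256//$1"` packs two arguments into one string, so the later unquoted `$PINNEDPUBKEY` works only by word splitting; since the script already relies on bash (`[[`, `==`), an array is the robust form: `PINNEDPUBKEY=()` at the declaration, `PINNEDPUBKEY=(--pinnedpubkey "sha256//$1")` here, and `"${PINNEDPUBKEY[@]}"` at the curl calls, which expands to nothing when unset exactly as today. The value itself is not validated, but that fails safe: an empty or malformed `$1` yields a pin that cannot match, so curl refuses the connection rather than skipping verification. A comment on the option would help the next reader, e.g. `# SPKI SHA-256 pin from openconnect (its pin-sha256 value without the prefix); curl's sha256// takes the same base64 form` — if I read both formats right they hash the SubjectPublicKeyInfo rather than the whole certificate, so the `-scert_sha256` name is slightly misleading.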
 
@@ -54,7 +58,7 @@ for dir in $HOSTSCAN_DIR $LIB_DIR $BIN_DIR ; do
 done
 
 # getting manifest, and checking binaries
-wget --no-check-certificate -c "${URL}/sdesktop/hostscan/$ARCH/manifest" -O "$HOSTSCAN_DIR/manifest"
+curl $PINNEDPUBKEY "${URL}/sdesktop/hostscan/$ARCH/manifest" -o "$HOSTSCAN_DIR/manifest"
 
 # generating md5.sum with full paths from manifest
 export HOSTSCAN_DIR=$HOSTSCAN_DIR
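Review bot: The new `curl` line for the manifest checks neither curl's exit status nor the HTTP status: without `--fail` a 4xx/5xx body is written into `$HOSTSCAN_DIR/manifest` with exit 0, and a pin mismatch or connection error leaves an empty or missing manifest that the md5.sum generation below proceeds to read. Use `curl -f $PINNEDPUBKEY "${URL}/sdesktop/hostscan/$ARCH/manifest" -o "$HOSTSCAN_DIR/manifest" || { echo "manifest download failed" >&2; exit 1; }`, or whatever failure path the rest of the script uses, which is not visible here. Note also that when `$PINNEDPUBKEY` is empty — no `-scert_sha256` was passed — curl verifies the gateway against the system CA store, the opposite failure mode from the old `--no-check-certificate`: a self-signed gateway the user accepted in openconnect is rejected here, which is arguably the right default but deserves a comment such as `# Without a pin from openconnect, curl falls back to normal CA verification.`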
@@ -78,7 +82,7 @@ then
         FILE="$(basename "$i")"
 
         echo "Downloading: $FILE to $TMP_DIR"
-        wget --no-check-certificate -c "${URL}/sdesktop/hostscan/$ARCH/$FILE" -O $FILE
+        curl $PINNEDPUBKEY "${URL}/sdesktop/hostscan/$ARCH/$FILE" -o $FILE
 
         # some files are in gz (don't understand logic here)
         if [[ ! -f $FILE || ! -s $FILE ]]
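Review bot: The per-file `curl` line has the same gap as the manifest download: without `--fail` an HTTP error page is saved as `$FILE`, and the `[[ ! -f $FILE || ! -s $FILE ]]` test two lines later then sees a non-empty file and skips the `.gz` fallback. `curl -f $PINNEDPUBKEY "${URL}/sdesktop/hostscan/$ARCH/$FILE" -o "$FILE"` makes curl exit non-zero and write nothing on 4xx/5xx, so the existing check does what it intends; quoting `$FILE` also covers manifest names containing spaces, although `basename` already strips any path component. The `.gz` fallback just below keeps wget's `-c`, which for curl is `--cookie-jar`: the URL becomes the cookie-jar filename and `$FILE_GZ` is treated as the URL, so that fallback cannot download anything and should drop the `-c` (and use `-o "$FILE_GZ"` like the other calls).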
@@ -90,7 +94,7 @@ then
 
             echo "Failure on $FILE, trying gz"
             FILE_GZ=$FILE.gz
-            wget --no-check-certificate -c "${URL}/sdesktop/hostscan/$ARCH/$FILE_GZ" -O $FILE_GZ
+            curl $PINNEDPUBKEY -c "${URL}/sdesktop/hostscan/$ARCH/$FILE_GZ" -O $FILE_GZ
             gunzip --verbose --decompress $FILE_GZ
         fi