From: Daniel Lenski Date: Fri, 1 Jun 2018 19:13:57 +0000 (+0300) Subject: provide CSD_SHA256 via environment variable rather than command-line argument X-Git-Tag: v8.00~99^2 X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=313e95ddcbd29aab4bb0bf2062763f7faa4578bc;p=users%2Fdwmw2%2Fopenconnect.git provide CSD_SHA256 via environment variable rather than command-line argument David Woodhouse pointed out that -scert_256 might cause the old, non-XMLPOST CSD trojan to misbehave
---
diff --git a/auth.c b/auth.c
index 5a75afb0..510c4f97 100644
--- a/auth.c
+++ b/auth.c
@@ -1142,8 +1142,6 @@ static int run_csd_script(struct openconnect_info *vpninfo, char *buf, int bufle
 if (asprintf(&csd_argv[i++], "\"%s:%s\"", scertbuf, ccertbuf) == -1)
 goto out;
-csd_argv[i++] = (char *)"-scert_sha256";
-csd_argv[i++] = openconnect_get_peer_cert_hash(vpninfo) + 11; /* remove initial 'pin-sha256:' */
 csd_argv[i++] = (char *)"-url";
 if (asprintf(&csd_argv[i++], "\"https://%s%s\"", vpninfo->hostname, vpninfo->csd_starturl) == -1)
@@ -1152,6 +1150,8 @@ static int run_csd_script(struct openconnect_info *vpninfo, char *buf, int bufle
 csd_argv[i++] = (char *)"-langselen";
 csd_argv[i++] = NULL;
+if (setenv("CSD_SHA256", openconnect_get_peer_cert_hash(vpninfo)+11, 1)) /* remove initial 'pin-sha256:' */
+goto out;
 if (setenv("CSD_TOKEN", vpninfo->csd_token, 1))
 goto out;
 if (setenv("CSD_HOSTNAME", vpninfo->hostname, 1))
diff --git a/csd-wrapper.sh b/csd-wrapper.sh
index 67ffaaca..d7165d7f 100755
--- a/csd-wrapper.sh
+++ b/csd-wrapper.sh
@@ -15,6 +15,7 @@ URL="https://${CSD_HOSTNAME}/CACHE"
 HOSTSCAN_DIR="$HOME/.cisco/hostscan"
 LIB_DIR="$HOSTSCAN_DIR/lib"
 BIN_DIR="$HOSTSCAN_DIR/bin"
+PINNEDPUBKEY=${CSD_SHA256:+"--pinnedpubkey sha256//$CSD_SHA256"}
 BINS=("cscan" "cstub" "cnotify")
@@ -27,7 +28,6 @@ STUB=
 GROUP=
 CERTHASH=
 LANGSELEN=
-PINNEDPUBKEY=
 while [ "$1" ]; do
 if [ "$1" == "-ticket" ]; then shift; TICKET=$1; fi
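Review bot: The `+11` on the added `setenv("CSD_SHA256", ...)` line carries over an unchecked assumption from the argv code this commit removes: openconnect_get_peer_cert_hash(vpninfo) must return a non-NULL string that really starts with the 11-byte prefix `pin-sha256:`, otherwise the pointer arithmetic is undefined before setenv() is even called and the wrapper would be handed a truncated or garbage pin. The function's contract is not visible in this hunk; if it can return NULL (for instance before a peer certificate has been validated) the failure should go down the existing `out` path rather than crash. Three lines do it: `const char *hash = openconnect_get_peer_cert_hash(vpninfo);`, `if (!hash || strncmp(hash, "pin-sha256:", 11) != 0) goto out;`, `if (setenv("CSD_SHA256", hash + 11, 1)) goto out;`. The trailing `/* remove initial 'pin-sha256:' */` comment would then sit on the guard line where the prefix is actually checked. run_csd_script() begins and ends outside this hunk.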
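Review bot: `PINNEDPUBKEY=${CSD_SHA256:+"--pinnedpubkey sha256//$CSD_SHA256"}` makes public-key pinning silently optional: when the environment variable is absent (a caller that still passes `-scert_sha256` on the command line, which the later hunks stop parsing, or a manual invocation) the variable is empty, the downloads elsewhere in the script run with no `--pinnedpubkey` at all, and nothing reports the downgrade. At minimum make it visible, e.g. `[ -z "$CSD_SHA256" ] && echo "$0: CSD_SHA256 not set, downloading without public-key pinning" >&2` next to the assignment. As a style point, the value is two words that only work when expanded unquoted at the use sites (outside this hunk); since the file already uses bash arrays (`BINS=(...)`), `PINNEDPUBKEY=(${CSD_SHA256:+--pinnedpubkey "sha256//$CSD_SHA256"})` expanded as `"${PINNEDPUBKEY[@]}"` avoids depending on word splitting and stays empty when the pin is unset.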
@@ -36,7 +36,6 @@ while [ "$1" ]; do
 if [ "$1" == "-certhash" ]; then shift; CERTHASH=$1; fi
 if [ "$1" == "-url" ]; then shift; URL=$(echo $1|tr -d '"'); fi # strip quotes
 if [ "$1" == "-langselen" ];then shift; LANGSELEN=$1; fi
-if [ "$1" == "-scert_sha256" ]; then shift; PINNEDPUBKEY="--pinnedpubkey sha256//$1"; fi
 shift
 done