From f9124506c63d42f1c8a624ff3e60a58ca7fd5e53 Mon Sep 17 00:00:00 2001
From: Daniel Lenski
Date: Wed, 1 Apr 2020 22:05:54 -0700
Subject: [PATCH] pass TNCC_SHA256 and TNCC_HOSTNAME environment variables to wrapper script (just like for CSD)

TNCC_SHA256 will allow a future version to validate the server certificate fingerprint (like csd-post.sh already does). TNCC_HOSTNAME passes along the *local* hostname override from OpenConnect (set with `--local-hostname` or `openconnect_set_localname`) to the TNCC wrapper script.
Signed-off-by: Daniel Lenski
---
 auth-juniper.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/auth-juniper.c b/auth-juniper.c
index 8a81317e..69a87081 100644
--- a/auth-juniper.c
+++ b/auth-juniper.c
@@ -400,7 +400,13 @@ static int tncc_preauth(struct openconnect_info *vpninfo)
 for (i = 3; i < 1024 ; i++)
 close(i);
+ if (setenv("TNCC_SHA256", openconnect_get_peer_cert_hash(vpninfo)+11, 1)) /* remove initial 'pin-sha256:' */
+ goto out;
+ if (setenv("TNCC_HOSTNAME", vpninfo->localname, 1))
+ goto out;
+
 execl(vpninfo->csd_wrapper, vpninfo->csd_wrapper, vpninfo->hostname, NULL);
+ out:
 fprintf(stderr, _("Failed to exec TNCC script %s: %s\n"), vpninfo->csd_wrapper, strerror(errno));
 exit(1);
--
2.50.1
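Review bot: The `+11` on the `TNCC_SHA256` line is applied to the return value of `openconnect_get_peer_cert_hash()` without checking that it is non-NULL or that it really begins with `pin-sha256:`. If either assumption fails, the wrapper gets an invalid pointer or a mis-sliced fingerprint, and the commit message says a later version is meant to validate the server certificate against that value. I would fetch it into `const char *h = openconnect_get_peer_cert_hash(vpninfo);`, guard with `if (!h || strncmp(h, "pin-sha256:", 11)) { errno = EINVAL; goto out; }`, and pass `h + 11` to `setenv`. The same NULL question applies to `vpninfo->localname`, whose initialisation is not visible here. Both new `goto out` paths also reuse the "Failed to exec TNCC script" message, so a `setenv` failure is reported as an exec failure; tncc_preauth's body starts and ends outside the hunk.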