provide CSD_SHA256 via environment variable rather than command-line …

…argument

David Woodhouse pointed out that -scert_256 might cause the old, non-XMLPOST CSD trojan to misbehave

auth.c

@@ -1142,8 +1142,6 @@ static int run_csd_script(struct openconnect_info *vpninfo, char *buf, int bufle
 			if (asprintf(&csd_argv[i++], "\"%s:%s\"", scertbuf, ccertbuf) == -1)
 				goto out;
 
-			csd_argv[i++] = (char *)"-scert_sha256";
-			csd_argv[i++] = openconnect_get_peer_cert_hash(vpninfo) + 11; /* remove initial 'pin-sha256:' */
 
 			csd_argv[i++] = (char *)"-url";
 			if (asprintf(&csd_argv[i++], "\"https://%s%s\"", vpninfo->hostname, vpninfo->csd_starturl) == -1)
@@ -1152,6 +1150,8 @@ static int run_csd_script(struct openconnect_info *vpninfo, char *buf, int bufle
 			csd_argv[i++] = (char *)"-langselen";
 			csd_argv[i++] = NULL;
 
+			if (setenv("CSD_SHA256", openconnect_get_peer_cert_hash(vpninfo)+11, 1))  /* remove initial 'pin-sha256:' */
+				goto out;
 			if (setenv("CSD_TOKEN", vpninfo->csd_token, 1))
 				goto out;
 			if (setenv("CSD_HOSTNAME", vpninfo->hostname, 1))

csd-wrapper.sh

@@ -15,6 +15,7 @@ URL="https://${CSD_HOSTNAME}/CACHE"
 HOSTSCAN_DIR="$HOME/.cisco/hostscan"
 LIB_DIR="$HOSTSCAN_DIR/lib"
 BIN_DIR="$HOSTSCAN_DIR/bin"
+PINNEDPUBKEY=${CSD_SHA256:+"--pinnedpubkey sha256//$CSD_SHA256"}
 
 BINS=("cscan" "cstub" "cnotify")
 
@@ -27,7 +28,6 @@ STUB=
 GROUP=
 CERTHASH=
 LANGSELEN=
-PINNEDPUBKEY=
 
 while [ "$1" ]; do
     if [ "$1" == "-ticket" ];   then shift; TICKET=$1; fi
@@ -36,7 +36,6 @@ while [ "$1" ]; do
     if [ "$1" == "-certhash" ]; then shift; CERTHASH=$1; fi
     if [ "$1" == "-url" ];      then shift; URL=$(echo $1|tr -d '"'); fi # strip quotes
     if [ "$1" == "-langselen" ];then shift; LANGSELEN=$1; fi
-    if [ "$1" == "-scert_sha256" ]; then shift; PINNEDPUBKEY="--pinnedpubkey sha256//$1"; fi
     shift
 done