Provide unique hostname to CSD script
We see failures when DNS gives us a different IP address and the CSD
trojan ends up talking to a different host to the one we're actually
trying to authenticate to. Since we use pinned certificate hashes, it
shouldn't matter that we lose the hostname and can't validate the cert
against it.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
dwmw2 committed Aug 9, 2018
1 parent 9fecbed commit 9b40766
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions auth.c
Expand Up @@ -1144,7 +1144,7 @@ static int run_csd_script(struct openconnect_info *vpninfo, char *buf, int bufle


csd_argv[i++] = (char *)"-url";
if (asprintf(&csd_argv[i++], "\"https://%s%s\"", vpninfo->hostname, vpninfo->csd_starturl) == -1)
if (asprintf(&csd_argv[i++], "\"https://%s%s\"", openconnect_get_hostname(vpninfo), vpninfo->csd_starturl) == -1)
goto out;

csd_argv[i++] = (char *)"-langselen";
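Review bot: In the `-url` argument, the value returned by openconnect_get_hostname(vpninfo) is substituted straight into "https://%s%s", and the commit message says this may now be an address rather than a name. If it can be an IPv6 literal, it has to be wrapped in square brackets for the URL to parse, so please confirm that openconnect_get_hostname() already returns it in bracketed form, or add the brackets here. A short comment above the asprintf() stating that the script is given the unique host on purpose, and must rely on the pinned certificate hash rather than name validation, would keep a later change from reverting this to vpninfo->hostname.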
Expand All @@ -1154,7 +1154,7 @@ static int run_csd_script(struct openconnect_info *vpninfo, char *buf, int bufle
goto out;
if (setenv("CSD_TOKEN", vpninfo->csd_token, 1))
goto out;
if (setenv("CSD_HOSTNAME", vpninfo->hostname, 1))
if (setenv("CSD_HOSTNAME", openconnect_get_hostname(vpninfo), 1))
goto out;

apply_script_env(vpninfo->csd_env);
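Review bot: CSD_HOSTNAME changes meaning for every script that reads it: after this setenv() it may no longer hold the name the user configured, so a script that validates the server certificate against CSD_HOSTNAME will start failing. The commit message relies on pinned certificate hashes, but nothing in this hunk shows the pin being handed to the script alongside CSD_TOKEN and CSD_HOSTNAME; please confirm it is exported before this point and document the new semantics of CSD_HOSTNAME wherever the script environment is described. Calling openconnect_get_hostname() once and reusing the result for both `-url` and CSD_HOSTNAME would also guarantee that the two values stay identical.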