[PATCH 2/4] CSD: add commandline flag to prevent downloading the trojan

Andrew Falk falk0069 at gmail.com
Mon Dec 7 10:11:59 PST 2015


Antonio,

I tried applying the patch but for some reason it wasn't accepting the new command line argument.  I think I did something wrong though because I didn't even see it in the new '--help' menu.  I think my library paths are all messed up.  I'll hold off figuring out what I might have done wrong until a preferred option is decided.

One question I have is if there is any 'official' wrapper script that should be used?  Or are there any templates stored in the source code?

The one I originally found and was using is located here:
https://gist.github.com/l0ki000/56845c00fd2a0e76d688

It automatically figured out what to download and pulled down a bunch of library files, binaries, and md5hash values. It certainly didn't care about what openconnect downloaded.  Also interestingly it executes 'cstub' as the CSD which does exist and was downloadable.  I'm not sure what the difference is between 'cstub' and 'sfinst' other than 'cstub' is downloadable and 'sfinst' is not.  Likely, our VPN admins just didn't complete the Linux configuration and things are left in a half configured state.

So, I guess the point I'm making is if others found the same wrapper script, then they likely are NOT depending on the CSD that openconnect downloaded.  I'm not even sure of the directory where openconnect downloads the CSD so the wrapper script could even execute it.  To me the logical choice would be to require the wrapper script to download the CSD if the wrapper is specified on the commandline and keep the same API version.  Just my two cents.

Thanks

--Andy

-----Original Message-----
From: Antonio Borneo [mailto:borneo.antonio at gmail.com] 
Sent: Monday, December 07, 2015 1:33 AM
To: David Woodhouse
Cc: Andrew Falk; OpenConnect devel
Subject: Re: [PATCH 2/4] CSD: add commandline flag to prevent downloading the trojan

On Mon, Dec 7, 2015 at 3:58 AM, David Woodhouse <dwmw2 at infradead.org> wrote:
> On Sun, 2015-12-06 at 16:21 +0800, Antonio Borneo wrote:
>> Some misconfigured servers provide the URI of the trojan but miss the 
>> binary.
>> The new commandline flag "--csd-skip-download" is used to ignore the 
>> broken URI.
>>
>> Signed-off-by: Antonio Borneo <borneo.antonio at gmail.com>
>
> Doesn't this one need adding to the libopenconnect API too?
>

You are right, I missed it!
I should modify the prototype of openconnect_setup_csd() by adding a parameter skip_download, then propagate the change and set new API 5.4.

So, my question returns in a different way. What is the preferred option?
- new API 5.4 (forcing an update for every user of libopenconnect)
- same API, but if a wrapper is specified then the wrapper is responsible for downloading the trojan blob (only those who already use a wrapper should care)

Best Regards
Antonio
