[PATCH 2/4] CSD: add commandline flag to prevent downloading the trojan

Antonio Borneo borneo.antonio at gmail.com
Mon Dec 7 23:15:53 PST 2015


On Tue, Dec 8, 2015 at 2:11 AM, Andrew Falk <falk0069 at gmail.com> wrote:
> Antonio,
>
> I tried applying the patch but for some reason it wasn't accepting the new command line argument.  I think I did something wrong though because I didn't even see it in the new '--help' menu.  I think my library paths are all messed up.  I'll hold off figuring out what I might have done wrong until a preferred option is decided.
>
> One question I have is if there is any 'official' wrapper script that should be used?  Or are there any templates stored in the source code?
>

No, I'm not aware of any 'official' wrapper.
I use the ugly one in attachment. It's a patchwork of fixes at any
update or configuration change in the set of servers I use.
You should be able to use it as is. Just put the data to POST in
~/.openconnect/authdata.txt

> The one I originally found and was using is located here:
> https://gist.github.com/l0ki000/56845c00fd2a0e76d688
>
> It automatically figured out what to download and pulled down a bunch of library files, binaries, and md5hash values. It certainly didn't care about what openconnect downloaded.  Also interestingly it executes 'cstub' as the CSD which does exist and was downloadable.  I'm not sure what the difference is between 'cstub' and 'sfinst' other than 'cstub' is downloadable and 'sfinst' is not.  Likely, our VPN admins just didn't complete the Linux configuration and things are left in a half configured state.

This wrapper will not work for you.
It tries to execute the CSD script. It expects that the script is on
the server (not your case) and that the computer is compliant with the
CSD rules.
Your company does not support Linux so you need to mimic another OS.
You do not have a Linux CSD script and if you succeed in executing the
Windows one through wine, it will fail the compliance check.

Antonio

>
> So, I guess the point I'm making is if others found the same wrapper script, then they likely are NOT depending on the CSD that openconnect downloaded.  I'm not even sure of the directory where openconnect downloads the CSD so the wrapper script could even execute it.  To me the logical choice would be to require the wrapper script to download the CSD if the wrapper is specified on the commandline and keep the same API version.  Just my two cents.
>
> Thanks
>
> --Andy
>
> -----Original Message-----
> From: Antonio Borneo [mailto:borneo.antonio at gmail.com]
> Sent: Monday, December 07, 2015 1:33 AM
> To: David Woodhouse
> Cc: Andrew Falk; OpenConnect devel
> Subject: Re: [PATCH 2/4] CSD: add commandline flag to prevent downloading the trojan
>
> On Mon, Dec 7, 2015 at 3:58 AM, David Woodhouse <dwmw2 at infradead.org> wrote:
>> On Sun, 2015-12-06 at 16:21 +0800, Antonio Borneo wrote:
>>> Some misconfigured servers provide the URI of the trojan but miss the
>>> binary.
>>> The new commandline flag "--csd-skip-download" is used to ignore the
>>> broken URI.
>>>
>>> Signed-off-by: Antonio Borneo <borneo.antonio at gmail.com>
>>
>> Doesn't this one need adding to the libopenconnect API too?
>>
>
> You are right, I missed it!
> I should modify the prototype of openconnect_setup_csd() by adding a parameter skip_download, then propagate the change and set new API 5.4.
>
> So, my question returns in a different way. What is the preferred option:
> - new API 5.4 (forcing update for every user of libopenconnect)
> - same API but if wrapper is specified then wrapper is responsible to download the trojan blob (only those who already use a wrapper need to care)
> ?
>
> Best Regards
> Antonio
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fake_any_connect.sh
Type: application/x-sh
Size: 1560 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20151208/01740ca8/attachment.sh>