openconnect: Pass server certificate hash directly to openconnect

When we spawn openconnect to make a VPN connection, it obviously needs
to validate the server's SSL certificate to protect against a MiTM
attack. But it may not have full access to the user's CA chain, or the
user may have manually accepted a dubious certificate.

To allow for this, the GUI authentication dialog returns a SHA1 of the
server's SSL certificate fingerprint, for the *specific* server that it
managed to authenticate to.

The intention is that this should be passed through to openconnect when
it connects. That way, openconnect doesn't need to do any normal
validation; it only needs to compare the certificate with what's
expected.

From openconnect v2.26, certificate validation is enabled by default;
rather than only when a --cafile option is given. So it's important that
we start passing the certificate fingerprint through, to avoid
connection failures (which we don't currently detect and report
gracefully, btw).

1 files changed, 7 insertions, 1 deletions

diff --git a/plugins/openconnect.c b/plugins/openconnect.c
index 42192f6a..f0d39a14 100644
--- a/plugins/openconnect.c
+++ b/plugins/openconnect.c
@@ -105,7 +105,7 @@ static int oc_notify(DBusMessage *msg, struct connman_provider *provider)
 static int oc_connect(struct connman_provider *provider,
 			struct connman_task *task, const char *if_name)
 {
-	const char *vpnhost, *vpncookie, *cafile, *mtu;
+	const char *vpnhost, *vpncookie, *cafile, *certsha1, *mtu;
 	int fd, err;
 
 	vpnhost = connman_provider_get_string(provider, "Host");
@@ -120,6 +120,12 @@ static int oc_connect(struct connman_provider *provider,
 		return -EINVAL;
 	}
 
+	certsha1 = connman_provider_get_string(provider,
+						"OpenConnect.ServerCert");
+	if (certsha1)
+		connman_task_add_argument(task, "--servercert",
+					  (char *)certsha1);
+
 	cafile = connman_provider_get_string(provider, "OpenConnect.CACert");
 	mtu = connman_provider_get_string(provider, "VPN.MTU");