Ticket #402: 0002-Do-not-upcase-x509-username-field-for-mixed-case-arg.patch

doc/openvpn.8

@@ -4745 +4745 @@
 is available via the peer_cert environment variable.
 .\"*********************************************************
 .TP
-.B \-\-x509-username-field fieldname
-Field in x509 certificate subject to be used as username (default=CN).
-.B Fieldname
-will be uppercased before matching. When this option is used, the
-.B \-\-verify-x509-username
-option will match against the chosen fieldname instead of the CN.
+.B \-\-x509-username-field [ext:\]fieldname
+Field in the X.509 certificate subject to be used as the username (default=CN).
+Typically, this option is specified with
+.B fieldname
+as either of the following:
+
+.B \-\-x509-username-field
+emailAddress
+.br
+.B \-\-x509-username-field ext:\fRsubjectAltName
+
+The first example uses the value of the "emailAddress" attribute in the
+certificate's Subject field as the username.  The second example uses
+the
+.B ext:
+prefix to signify that the X.509 extension
+.B fieldname
+"subjectAltName" be searched for an rfc822Name (email) field to be used
+as the username.  In cases where there are multiple email addresses
+in
+.B ext:fieldname\fR,
+the last occurrence is chosen.
+
+When this option is used, the
+.B \-\-verify-x509-name
+option will match against the chosen
+.B fieldname
+instead of the Common Name.
+
+.B Please note:
+This option has a feature which will convert an all-lowercase
+.B fieldname
+to uppercase characters, e.g., ou -> OU.  A mixed-case
+.B fieldname
+or one having the
+.B ext:
+prefix will be left as-is.  This automatic upcasing feature
+is deprecated and will be removed in a future release.
 .\"*********************************************************
 .TP
 .B \-\-tls-remote name (DEPRECATED)

src/openvpn/options.c

@@ -577 +577 @@
   "                  and optionally the root CA certificate.\n"
 #endif
 #ifdef ENABLE_X509ALTUSERNAME
-  "--x509-username-field : Field used in x509 certificate to be username.\n"
-  "                        Default is CN.\n"
+  "--x509-username-field : Field in x509 certificate containing the username.\n"
+  "                        Default is CN in the Subject field.\n"
 #endif
   "--verify-hash   : Specify SHA1 fingerprint for level-1 cert.\n"
 #ifdef WIN32
@@ -6875 +6875 @@
 #ifdef ENABLE_X509ALTUSERNAME
   else if (streq (p[0], "x509-username-field") && p[1])
     {
+      /* This option also introduced a feature to automatically upcase the
+       * fieldname passed as the option argument, e.g., "ou" became "OU".
+       * Fine-tune this "helpfulness" by only upcasing Subject field
+       * attribute names which consist of all lower-case characters.
+       * Mixed-case attributes such as "emailAddress" are left as-is.
+       * An option parameter having the "ext:" prefix for matching
+       * X.509v3 extended fields will also remain unchanged.
+       */
       char *s = p[1];
+      char *l;
+      char lowercase_name[OPTION_PARM_SIZE] = { 0 };
+
       VERIFY_PERMISSION (OPT_P_GENERAL);
-      if( strncmp ("ext:",s,4) != 0 )
-        while ((*s = toupper(*s)) != '\0') s++; /* Uppercase if necessary */
+      if (strncmp("ext:", s, 4) != 0)
+        {
+          strncpy(lowercase_name, s, strlen(s));
+          l = lowercase_name;
+          while ((*l = tolower(*l)) != '\0') l++;
+          if (strncmp(s, lowercase_name, strlen(s)) == 0)
+            {
+              while ((*s = toupper(*s)) != '\0') s++;
+              msg(M_WARN, "DEPRECATED FEATURE: automatically upcased the --x509-username-field parameter from '%s' to '%s'; please update your configuration",
+                  lowercase_name, p[1]);
+            }
+        }
       options->x509_username_field = p[1];
     }
 #endif /* ENABLE_X509ALTUSERNAME */