Ticket #402: 0002-Do-not-upcase-x509-username-field-for-mixed-case-arg.patch
File 0002-Do-not-upcase-x509-username-field-for-mixed-case-arg.patch, 4.8 KB (added by , 10 years ago)
doc/openvpn.8
From 904fc93d6578896cdb1010a9af29ed0745b8a6b8 Mon Sep 17 00:00:00 2001 From: Andris Kalnozols <andris@hpl.hp.com> Date: Sat, 28 Jun 2014 19:41:02 +0200 Subject: [PATCH 2/3] Do not upcase x509-username-field for mixed-case arguments. I revisited options.c to refine its brute-force upcasing behavior. Now, the upcasing is done only if the option argument is all lowercase. Mixed-case arguments and those with the "ext:" prefix are left unchanged. This preserves the original intent of the "helpful" upcasing feature for backwards compatibility while limiting its scope in a straightforward way. Signed-off-by: Andris Kalnozols <andris@hpl.hp.com> --- doc/openvpn.8 | 44 ++++++++++++++++++++++++++++++++++++++------ src/openvpn/options.c | 29 +++++++++++++++++++++++++---- 2 files changed, 63 insertions(+), 10 deletions(-) diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 14f3129..64247a4 100644
a b the tls-verify script returns. The file name used for the certificate 4745 4745 is available via the peer_cert environment variable. 4746 4746 .\"********************************************************* 4747 4747 .TP 4748 .B \-\-x509-username-field fieldname 4749 Field in x509 certificate subject to be used as username (default=CN). 4750 .B Fieldname 4751 will be uppercased before matching. When this option is used, the 4752 .B \-\-verify-x509-username 4753 option will match against the chosen fieldname instead of the CN. 4748 .B \-\-x509-username-field [ext:\]fieldname 4749 Field in the X.509 certificate subject to be used as the username (default=CN). 4750 Typically, this option is specified with 4751 .B fieldname 4752 as either of the following: 4753 4754 .B \-\-x509-username-field 4755 emailAddress 4756 .br 4757 .B \-\-x509-username-field ext:\fRsubjectAltName 4758 4759 The first example uses the value of the "emailAddress" attribute in the 4760 certificate's Subject field as the username. The second example uses 4761 the 4762 .B ext: 4763 prefix to signify that the X.509 extension 4764 .B fieldname 4765 "subjectAltName" be searched for an rfc822Name (email) field to be used 4766 as the username. In cases where there are multiple email addresses 4767 in 4768 .B ext:fieldname\fR, 4769 the last occurrence is chosen. 4770 4771 When this option is used, the 4772 .B \-\-verify-x509-name 4773 option will match against the chosen 4774 .B fieldname 4775 instead of the Common Name. 4776 4777 .B Please note: 4778 This option has a feature which will convert an all-lowercase 4779 .B fieldname 4780 to uppercase characters, e.g., ou -> OU. A mixed-case 4781 .B fieldname 4782 or one having the 4783 .B ext: 4784 prefix will be left as-is. This automatic upcasing feature 4785 is deprecated and will be removed in a future release. 4754 4786 .\"********************************************************* 4755 4787 .TP 4756 4788 .B \-\-tls-remote name (DEPRECATED) -
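Review bot: the new "Please note" paragraph in the doc/openvpn.8 hunk says the automatic upcasing is deprecated but never tells the reader what to write instead; add one sentence such as "Specify the attribute name in its canonical case (e.g. OU, not ou) to avoid relying on this behaviour" so users can act on the warning before the feature is removed. Two smaller points in the same hunk: the opening sentence still says "Field in the X.509 certificate subject", although with the new ext: prefix the value may come from an extension rather than the Subject, and the two examples are typeset differently (emailAddress on its own roman line, but `.B \-\-x509-username-field ext:\fRsubjectAltName` inline with a font switch); pick one layout for both so the rendered page looks consistent.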
src/openvpn/options.c
diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 035d3aa..10a8e7f 100644
a b static const char usage_message[] = 577 577 " and optionally the root CA certificate.\n" 578 578 #endif 579 579 #ifdef ENABLE_X509ALTUSERNAME 580 "--x509-username-field : Field used in x509 certificate to be username.\n"581 " Default is CN .\n"580 "--x509-username-field : Field in x509 certificate containing the username.\n" 581 " Default is CN in the Subject field.\n" 582 582 #endif 583 583 "--verify-hash : Specify SHA1 fingerprint for level-1 cert.\n" 584 584 #ifdef WIN32 … … add_option (struct options *options, 6875 6875 #ifdef ENABLE_X509ALTUSERNAME 6876 6876 else if (streq (p[0], "x509-username-field") && p[1]) 6877 6877 { 6878 /* This option also introduced a feature to automatically upcase the 6879 * fieldname passed as the option argument, e.g., "ou" became "OU". 6880 * Fine-tune this "helpfulness" by only upcasing Subject field 6881 * attribute names which consist of all lower-case characters. 6882 * Mixed-case attributes such as "emailAddress" are left as-is. 6883 * An option parameter having the "ext:" prefix for matching 6884 * X.509v3 extended fields will also remain unchanged. 6885 */ 6878 6886 char *s = p[1]; 6887 char *l; 6888 char lowercase_name[OPTION_PARM_SIZE] = { 0 }; 6889 6879 6890 VERIFY_PERMISSION (OPT_P_GENERAL); 6880 if( strncmp ("ext:",s,4) != 0 ) 6881 while ((*s = toupper(*s)) != '\0') s++; /* Uppercase if necessary */ 6891 if (strncmp("ext:", s, 4) != 0) 6892 { 6893 strncpy(lowercase_name, s, strlen(s)); 6894 l = lowercase_name; 6895 while ((*l = tolower(*l)) != '\0') l++; 6896 if (strncmp(s, lowercase_name, strlen(s)) == 0) 6897 { 6898 while ((*s = toupper(*s)) != '\0') s++; 6899 msg(M_WARN, "DEPRECATED FEATURE: automatically upcased the --x509-username-field parameter from '%s' to '%s'; please update your configuration", 6900 lowercase_name, p[1]); 6901 } 6902 } 6882 6903 options->x509_username_field = p[1]; 6883 6904 } 6884 6905 #endif /* ENABLE_X509ALTUSERNAME */
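Review bot: the usage_message hunk still describes only the plain form; the manpage hunk documents an ext: prefix for X.509 extensions, but nothing in the --help text mentions it. Consider adding a third line after `" Default is CN in the Subject field.\n"`, e.g. `" Prefix with ext: to read an X.509 extension instead.\n"`, and spell the standard's name the same way in both places (the manpage says X.509, the usage text says x509).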
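Review bot: in the add_option hunk, `strncpy(lowercase_name, s, strlen(s));` bounds the copy by the length of the source, not the destination, so lowercase_name is only NUL-terminated (via the `= { 0 }` initialiser) and only safe when strlen(s) is strictly less than OPTION_PARM_SIZE; that holds only because of how p[] is filled elsewhere, so make the bound explicit here with `strncpy(lowercase_name, s, sizeof(lowercase_name) - 1);` or reject over-long arguments before copying. Two further points: the new `tolower(*l)` (and the pre-existing `toupper(*s)`) pass a plain char, which is undefined for negative values on platforms where char is signed, so cast to `(unsigned char)` first; and the all-lowercase test is really a "contains no uppercase letters" test, so an argument with no letters at all (digits and dots only) compares equal to its lowercased copy, is "upcased" to an identical string, and still triggers the DEPRECATED FEATURE warning although nothing changed. Comparing the string before and after the toupper loop, or requiring at least one alphabetic character, would keep the warning to cases where the rewrite actually happened.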