Ticket #402: 0002-Do-not-upcase-x509-username-field-for-mixed-case-arg.patch

File 0002-Do-not-upcase-x509-username-field-for-mixed-case-arg.patch, 4.8 KB (added by Steffan Karger, 8 years ago)
  • doc/openvpn.8

    From 904fc93d6578896cdb1010a9af29ed0745b8a6b8 Mon Sep 17 00:00:00 2001
    From: Andris Kalnozols <andris@hpl.hp.com>
    Date: Sat, 28 Jun 2014 19:41:02 +0200
    Subject: [PATCH 2/3] Do not upcase x509-username-field for mixed-case
     arguments.
    
    I revisited options.c to refine its brute-force upcasing behavior. Now, the
    upcasing is done only if the option argument is all lowercase. Mixed-case
    arguments and those with the "ext:" prefix are left unchanged. This
    preserves the original intent of the "helpful" upcasing feature for
    backwards compatibility while limiting its scope in a straightforward way.
    
    Signed-off-by: Andris Kalnozols <andris@hpl.hp.com>
    ---
     doc/openvpn.8         | 44 ++++++++++++++++++++++++++++++++++++++------
     src/openvpn/options.c | 29 +++++++++++++++++++++++++----
     2 files changed, 63 insertions(+), 10 deletions(-)
    
    diff --git a/doc/openvpn.8 b/doc/openvpn.8
    index 14f3129..64247a4 100644
    a b the tls-verify script returns. The file name used for the certificate 
    47454745is available via the peer_cert environment variable.
    47464746.\"*********************************************************
    47474747.TP
    4748 .B \-\-x509-username-field fieldname
    4749 Field in x509 certificate subject to be used as username (default=CN).
    4750 .B Fieldname
    4751 will be uppercased before matching. When this option is used, the
    4752 .B \-\-verify-x509-username
    4753 option will match against the chosen fieldname instead of the CN.
     4748.B \-\-x509-username-field [ext:\]fieldname
     4749Field in the X.509 certificate subject to be used as the username (default=CN).
     4750Typically, this option is specified with
     4751.B fieldname
     4752as either of the following:
     4753
     4754.B \-\-x509-username-field
     4755emailAddress
     4756.br
     4757.B \-\-x509-username-field ext:\fRsubjectAltName
     4758
     4759The first example uses the value of the "emailAddress" attribute in the
     4760certificate's Subject field as the username.  The second example uses
     4761the
     4762.B ext:
     4763prefix to signify that the X.509 extension
     4764.B fieldname
     4765"subjectAltName" be searched for an rfc822Name (email) field to be used
     4766as the username.  In cases where there are multiple email addresses
     4767in
     4768.B ext:fieldname\fR,
     4769the last occurrence is chosen.
     4770
     4771When this option is used, the
     4772.B \-\-verify-x509-name
     4773option will match against the chosen
     4774.B fieldname
     4775instead of the Common Name.
     4776
     4777.B Please note:
     4778This option has a feature which will convert an all-lowercase
     4779.B fieldname
     4780to uppercase characters, e.g., ou -> OU.  A mixed-case
     4781.B fieldname
     4782or one having the
     4783.B ext:
     4784prefix will be left as-is.  This automatic upcasing feature
     4785is deprecated and will be removed in a future release.
    47544786.\"*********************************************************
    47554787.TP
    47564788.B \-\-tls-remote name (DEPRECATED)
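Review bot: The "Please note:" paragraph describes the automatic upcasing and says it is deprecated, but it does not tell the administrator that OpenVPN now logs a warning each time it upcases a fieldname (the options.c hunk in this same patch emits "DEPRECATED FEATURE: automatically upcased the --x509-username-field parameter ..."); one sentence such as "A warning is logged whenever this conversion is applied; update the configuration to use the exact attribute name" would make the deprecation actionable from the man page alone. The rest of the rewrite reads well, and correcting the cross-reference from `--verify-x509-username` to `--verify-x509-name` is a genuine fix of the old text.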
  • src/openvpn/options.c

    diff --git a/src/openvpn/options.c b/src/openvpn/options.c
    index 035d3aa..10a8e7f 100644
    a b static const char usage_message[] = 
    577577  "                  and optionally the root CA certificate.\n"
    578578#endif
    579579#ifdef ENABLE_X509ALTUSERNAME
    580   "--x509-username-field : Field used in x509 certificate to be username.\n"
    581   "                        Default is CN.\n"
     580  "--x509-username-field : Field in x509 certificate containing the username.\n"
     581  "                        Default is CN in the Subject field.\n"
    582582#endif
    583583  "--verify-hash   : Specify SHA1 fingerprint for level-1 cert.\n"
    584584#ifdef WIN32
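Review bot: The new usage text documents only the plain Subject-attribute form; since the man page hunk and the existing `strncmp("ext:", ...)` check in add_option both support the `ext:fieldname` form, the `--help` output should mention it too, for example by adding a third line `"                        Use ext:fieldname to match an X.509 extension.\n"` after the "Default is CN in the Subject field." line so the two documents stay consistent.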
    add_option (struct options *options, 
    68756875#ifdef ENABLE_X509ALTUSERNAME
    68766876  else if (streq (p[0], "x509-username-field") && p[1])
    68776877    {
     6878      /* This option also introduced a feature to automatically upcase the
     6879       * fieldname passed as the option argument, e.g., "ou" became "OU".
     6880       * Fine-tune this "helpfulness" by only upcasing Subject field
     6881       * attribute names which consist of all lower-case characters.
     6882       * Mixed-case attributes such as "emailAddress" are left as-is.
     6883       * An option parameter having the "ext:" prefix for matching
     6884       * X.509v3 extended fields will also remain unchanged.
     6885       */
    68786886      char *s = p[1];
     6887      char *l;
     6888      char lowercase_name[OPTION_PARM_SIZE] = { 0 };
     6889
    68796890      VERIFY_PERMISSION (OPT_P_GENERAL);
    6880       if( strncmp ("ext:",s,4) != 0 )
    6881         while ((*s = toupper(*s)) != '\0') s++; /* Uppercase if necessary */
     6891      if (strncmp("ext:", s, 4) != 0)
     6892        {
     6893          strncpy(lowercase_name, s, strlen(s));
     6894          l = lowercase_name;
     6895          while ((*l = tolower(*l)) != '\0') l++;
     6896          if (strncmp(s, lowercase_name, strlen(s)) == 0)
     6897            {
     6898              while ((*s = toupper(*s)) != '\0') s++;
     6899              msg(M_WARN, "DEPRECATED FEATURE: automatically upcased the --x509-username-field parameter from '%s' to '%s'; please update your configuration",
     6900                  lowercase_name, p[1]);
     6901            }
     6902        }
    68826903      options->x509_username_field = p[1];
    68836904    }
    68846905#endif /* ENABLE_X509ALTUSERNAME */
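Review bot: The copy `strncpy(lowercase_name, s, strlen(s));` is bounded by the source length rather than the destination, so it behaves like strcpy; the only thing keeping it inside `lowercase_name[OPTION_PARM_SIZE]` is the caller's guarantee about the length of p[1], and if that ever allows a full OPTION_PARM_SIZE bytes the copy overwrites the terminating NUL that the `= { 0 }` initializer supplies. Bound it by the destination instead, e.g. `strncpy(lowercase_name, s, sizeof(lowercase_name) - 1);`, and the later `strncmp(s, lowercase_name, strlen(s))` stays correct. Two smaller points in the same block: `tolower(*l)` and `toupper(*s)` are called on a plain `char`, which is undefined for bytes above 0x7F; cast through `unsigned char` (`tolower((unsigned char)*l)`) as ctype requires. And an argument with no alphabetic characters at all compares equal to its own lowercase copy, so it takes the upcasing branch and logs "automatically upcased ... from 'X' to 'X'" although nothing changed; checking `strcmp(s, lowercase_name) == 0 && strcmp(s, p[1]) != 0` after the upcasing loop, or testing whether any character was actually altered, would suppress that misleading warning.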