Make the --x509-username-field feature an opt-in feature

After some discussion [1] regarding an extension of this feature,
James Yonan wanted this extension to be an opt-in feature.  However,
as it does not make sense to opt-in on a extension of a feature which
was discussed, this patch makes the base feature an opt-in instead.

The base feature comes from commit 2e8337de248ef0b5b48cbb2964 (beta2.2)
and commit 935c62be9c0c8a256112 (feat_misc).

[1] http://thread.gmane.org/gmane.network.openvpn.devel/4266

Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: James Yonan <james@openvpn.net>
(cherry picked from commit 024972e2ced84c6e5cabc43620ab510e5693d1d4)

4 files changed, 23 insertions, 0 deletions

diff --git a/configure.ac b/configure.ac
index 1d55263..e30f990 100644
--- a/configure.ac
+++ b/configure.ac
@@ -80,6 +80,12 @@ AC_ARG_ENABLE(ssl,
    [SSL="yes"]
 )
 
+AC_ARG_ENABLE(x509-alt-username,
+   [  --enable-x509-alt-username    Enable the --x509-username-field feature],
+   [X509ALTUSERNAME="$enableval"],
+   [X509ALTUSERNAME="no"]
+)
+
 AC_ARG_ENABLE(multi,
    [  --disable-multi         Disable client/server support (--mode server + client mode)],
    [MULTI="$enableval"],
@@ -751,6 +757,11 @@ dnl
    fi
 fi
 
+dnl enable --x509-username-field feature if requested
+if test "$X509ALTUSERNAME" = "yes"; then
+   AC_DEFINE(ENABLE_X509ALTUSERNAME, 1, [Enable --x509-username-field feature])
+fi
+
 dnl enable pkcs11 capability
 if test "$PKCS11" = "yes"; then
    AC_CHECKING([for pkcs11-helper Library and Header files])
diff --git a/options.c b/options.c
index 524c781..f4eeaee 100644
--- a/options.c
+++ b/options.c
@@ -506,8 +506,10 @@ static const char usage_message[] =
   "--key file      : Local private key in .pem format.\n"
   "--pkcs12 file   : PKCS#12 file containing local private key, local certificate\n"
   "                  and optionally the root CA certificate.\n"
+#ifdef ENABLE_X509ALTUSERNAME
   "--x509-username-field : Field used in x509 certificat to be username.\n"
   "                        Default is CN.\n"
+#endif
 #ifdef WIN32
   "--cryptoapicert select-string : Load the certificate and private key from the\n"
   "                  Windows Certificate System Store.\n"
@@ -761,9 +763,11 @@ init_options (struct options *o, const bool init_gc)
   o->renegotiate_seconds = 3600;
   o->handshake_window = 60;
   o->transition_window = 3600;
+#ifdef ENABLE_X509ALTUSERNAME
   o->x509_username_field = X509_USERNAME_FIELD_DEFAULT;
 #endif
 #endif
+#endif
 #ifdef ENABLE_PKCS11
   o->pkcs11_pin_cache_period = -1;
 #endif			/* ENABLE_PKCS11 */
@@ -5898,6 +5902,7 @@ add_option (struct options *options,
 	}
       options->key_method = key_method;
     }
+#ifdef ENABLE_X509ALTUSERNAME
   else if (streq (p[0], "x509-username-field") && p[1])
     {
       char *s = p[1];
@@ -5905,6 +5910,7 @@ add_option (struct options *options,
       while ((*s = toupper(*s)) != '\0') s++; /* Uppercase if necessary */
       options->x509_username_field = p[1];
     }
+#endif /* ENABLE_X509ALTUSERNAME */
 #endif /* USE_SSL */
 #endif /* USE_CRYPTO */
 #ifdef ENABLE_PKCS11
diff --git a/options.h b/options.h
index 7a61e3d..7f4c0cd 100644
--- a/options.h
+++ b/options.h
@@ -508,8 +508,10 @@ struct options
      within n seconds of handshake initiation. */
   int handshake_window;
 
+#ifdef ENABLE_X509ALTUSERNAME
   /* Field used to be the username in X509 cert. */
   char *x509_username_field;
+#endif
 
   /* Old key allowed to live n seconds after new key goes active */
   int transition_window;
diff --git a/ssl.c b/ssl.c
index 2fa091a..da6f7d7 100644
--- a/ssl.c
+++ b/ssl.c
@@ -1874,7 +1874,11 @@ init_ssl (const struct options *options)
     }
   else
 #endif
+#ifdef ENABLE_X509ALTUSERNAME
   x509_username_field = (char *) options->x509_username_field;
+#else
+  x509_username_field = X509_USERNAME_FIELD_DEFAULT;
+#endif
   SSL_CTX_set_verify (ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
 			verify_callback);