Added --no-name-remapping option to allow Common Name, X509 Subject,

and username strings to include any printable character including
space, but excluding control characters such as tab, newline, and
carriage-return.


git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3467 e7ae566f-a301-0410-adde-c780ea21d3b5

4 files changed, 42 insertions, 3 deletions

diff --git a/openvpn.8 b/openvpn.8
index b91dc7b..2e95d4a 100644
--- a/openvpn.8
+++ b/openvpn.8
@@ -203,6 +203,7 @@ openvpn \- secure IP tunnel daemon.
 [\ \fB\-\-mute\fR\ \fIn\fR\ ]
 [\ \fB\-\-nice\fR\ \fIn\fR\ ]
 [\ \fB\-\-no\-iv\fR\ ]
+[\ \fB\-\-no\-name\-remapping\fR\ ]
 [\ \fB\-\-no\-replay\fR\ ]
 [\ \fB\-\-bind\fR\ ]
 [\ \fB\-\-nobind\fR\ ]
@@ -3297,6 +3298,27 @@ the authenticated username as the common name,
 rather than the common name from the client cert.
 .\"*********************************************************
 .TP
+.B --no-name-remapping
+Allow Common Name, X509 Subject, and username strings to include
+any printable character including space, but excluding control
+characters such as tab, newline, and carriage-return.
+
+By default, OpenVPN will remap
+any character other than alphanumeric, underbar ('_'), dash
+('-'), dot ('.'), and slash ('/') to underbar ('_').  The X509
+Subject string as returned by the
+.B tls_id
+environmental variable, can additionally contain colon (':') or
+equal ('=').
+
+While name remapping is performed for security reasons to reduce
+the possibility of introducing string expansion security vulnerabilities
+in user-defined authentication
+scripts, this option is provided for those cases where it is desirable to
+disable the remapping feature.  Don't use this option unless you 
+know what you are doing!
+.\"*********************************************************
+.TP
 .B --port-share host port
 When run in TCP server mode, share the OpenVPN port with
 another application, such as an HTTPS server.  If OpenVPN
diff --git a/options.c b/options.c
index 22bdeb0..3986057 100644
--- a/options.c
+++ b/options.c
@@ -383,6 +383,8 @@ static const char usage_message[] =
   "                  user/pass via temporary file.\n"
   "--auth-user-pass-optional : Allow connections by clients that don't\n"
   "                  specify a username/password.\n"
+  "--no-name-remapping : Allow Common Name and X509 Subject to include\n"
+  "                      any printable character.\n"
   "--client-to-client : Internally route client-to-client traffic.\n"
   "--duplicate-cn  : Allow multiple clients with the same common name to\n"
   "                  concurrently connect.\n"
@@ -4576,6 +4578,11 @@ add_option (struct options *options,
       VERIFY_PERMISSION (OPT_P_GENERAL);
       options->ssl_flags |= SSLF_AUTH_USER_PASS_OPTIONAL;
     }
+  else if (streq (p[0], "no-name-remapping"))
+    {
+      VERIFY_PERMISSION (OPT_P_GENERAL);
+      options->ssl_flags |= SSLF_NO_NAME_REMAPPING;
+    }
   else if (streq (p[0], "auth-user-pass-verify") && p[1])
     {
       VERIFY_PERMISSION (OPT_P_SCRIPT);
diff --git a/ssl.c b/ssl.c
index ebd03a6..f289af0 100644
--- a/ssl.c
+++ b/ssl.c
@@ -580,6 +580,15 @@ print_nsCertType (int type)
     }
 }
 
+static void
+string_mod_sslname (char *str, const unsigned int restrictive_flags, const unsigned int ssl_flags)
+{
+  if (ssl_flags & SSLF_NO_NAME_REMAPPING)
+    string_mod (str, CC_PRINT, CC_CRLF, '_');
+  else
+    string_mod (str, restrictive_flags, 0, '_');
+}
+
 /*
  * Our verify callback function -- check
  * that an incoming peer certificate is good.
@@ -619,7 +628,7 @@ verify_callback (int preverify_ok, X509_STORE_CTX * ctx)
   setenv_x509 (opt->es, ctx->error_depth, X509_get_subject_name (ctx->current_cert));
 
   /* enforce character class restrictions in X509 name */
-  string_mod (subject, X509_NAME_CHAR_CLASS, 0, '_');
+  string_mod_sslname (subject, X509_NAME_CHAR_CLASS, opt->ssl_flags);
   string_replace_leading (subject, '-', '_');
 
   /* extract the common name */
@@ -634,7 +643,7 @@ verify_callback (int preverify_ok, X509_STORE_CTX * ctx)
 	}
     }
 
-  string_mod (common_name, COMMON_NAME_CHAR_CLASS, 0, '_');
+  string_mod_sslname (common_name, COMMON_NAME_CHAR_CLASS, opt->ssl_flags);
 
 #if 0 /* print some debugging info */
   msg (D_LOW, "LOCAL OPT: %s", opt->local_options);
@@ -3350,7 +3359,7 @@ key_method_2_read (struct buffer *buf, struct tls_multi *multi, struct tls_sessi
       string_mod (raw_username, CC_PRINT, CC_CRLF, '_');
 
       /* enforce character class restrictions in username/password */
-      string_mod (up->username, COMMON_NAME_CHAR_CLASS, 0, '_');
+      string_mod_sslname (up->username, COMMON_NAME_CHAR_CLASS, session->opt->ssl_flags);
       string_mod (up->password, CC_PRINT, CC_CRLF, '_');
 
       /* call plugin(s) and/or script */
diff --git a/ssl.h b/ssl.h
index 6921cf3..41df175 100644
--- a/ssl.h
+++ b/ssl.h
@@ -468,6 +468,7 @@ struct tls_options
 # define SSLF_CLIENT_CERT_NOT_REQUIRED (1<<0)
 # define SSLF_USERNAME_AS_COMMON_NAME  (1<<1)
 # define SSLF_AUTH_USER_PASS_OPTIONAL  (1<<2)
+# define SSLF_NO_NAME_REMAPPING        (1<<3)
   unsigned int ssl_flags;
 
 #ifdef MANAGEMENT_DEF_AUTH