author | james <james@e7ae566f-a301-0410-adde-c780ea21d3b5> | 2008-10-31 07:04:51 +0000 |
---|---|---|
committer | james <james@e7ae566f-a301-0410-adde-c780ea21d3b5> | 2008-10-31 07:04:51 +0000 |
commit | ed3042470f498fbf1468d3d757982a19df38b3bd (patch) | |
tree | 4c1a6bc48634f1dccddc6bd27cad0b5a390378c6 | |
parent | Added --status-version 3 which is the same as version 2 (diff) | |
Added --no-name-remapping option to allow Common Name, X509 Subject,
and username strings to include any printable character including
space, but excluding control characters such as tab, newline, and
carriage-return.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3467 e7ae566f-a301-0410-adde-c780ea21d3b5
-rw-r--r-- | openvpn.8 | 22 | ||||
-rw-r--r-- | options.c | 7 | ||||
-rw-r--r-- | ssl.c | 15 | ||||
-rw-r--r-- | ssl.h | 1 |
4 files changed, 42 insertions, 3 deletions
@@ -203,6 +203,7 @@ openvpn \- secure IP tunnel daemon. [\ \fB\-\-mute\fR\ \fIn\fR\ ] [\ \fB\-\-nice\fR\ \fIn\fR\ ] [\ \fB\-\-no\-iv\fR\ ] +[\ \fB\-\-no\-name\-remapping\fR\ ] [\ \fB\-\-no\-replay\fR\ ] [\ \fB\-\-bind\fR\ ] [\ \fB\-\-nobind\fR\ ] @@ -3297,6 +3298,27 @@ the authenticated username as the common name, rather than the common name from the client cert. .\"********************************************************* .TP +.B --no-name-remapping +Allow Common Name, X509 Subject, and username strings to include +any printable character including space, but excluding control +characters such as tab, newline, and carriage-return. + +By default, OpenVPN will remap +any character other than alphanumeric, underbar ('_'), dash +('-'), dot ('.'), and slash ('/') to underbar ('_'). The X509 +Subject string as returned by the +.B tls_id +environmental variable, can additionally contain colon (':') or +equal ('='). + +While name remapping is performed for security reasons to reduce +the possibility of introducing string expansion security vulnerabilities +in user-defined authentication +scripts, this option is provided for those cases where it is desirable to +disable the remapping feature. Don't use this option unless you +know what you are doing! +.\"********************************************************* +.TP .B --port-share host port When run in TCP server mode, share the OpenVPN port with another application, such as an HTTPS server. If OpenVPN @@ -383,6 +383,8 @@ static const char usage_message[] = " user/pass via temporary file.\n" "--auth-user-pass-optional : Allow connections by clients that don't\n" " specify a username/password.\n" + "--no-name-remapping : Allow Common Name and X509 Subject to include\n" + " any printable character.\n" "--client-to-client : Internally route client-to-client traffic.\n" "--duplicate-cn : Allow multiple clients with the same common name to\n" " concurrently connect.\n" 
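Review bot: The usage text added to usage_message names only Common Name and X509 Subject, while the man page paragraph and the key_method_2_read change in this same commit also apply the option to the username, so the --help output understates what the option relaxes. It also says "any printable character" without the man page's qualifier that control characters such as CR and LF are still remapped. Suggest `"--no-name-remapping : Allow Common Name, X509 Subject, and username\n"` followed by `"                      to include any printable char except CR/LF.\n"`, keeping the column alignment of the neighbouring entries. The usage_message array starts and ends outside the hunk.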
@@ -4576,6 +4578,11 @@ add_option (struct options *options, VERIFY_PERMISSION (OPT_P_GENERAL); options->ssl_flags |= SSLF_AUTH_USER_PASS_OPTIONAL; } + else if (streq (p[0], "no-name-remapping")) + { + VERIFY_PERMISSION (OPT_P_GENERAL); + options->ssl_flags |= SSLF_NO_NAME_REMAPPING; + } else if (streq (p[0], "auth-user-pass-verify") && p[1]) { VERIFY_PERMISSION (OPT_P_SCRIPT); @@ -580,6 +580,15 @@ print_nsCertType (int type) } } +static void +string_mod_sslname (char *str, const unsigned int restrictive_flags, const unsigned int ssl_flags) +{ + if (ssl_flags & SSLF_NO_NAME_REMAPPING) + string_mod (str, CC_PRINT, CC_CRLF, '_'); + else + string_mod (str, restrictive_flags, 0, '_'); +} + /* * Our verify callback function -- check * that an incoming peer certificate is good. @@ -619,7 +628,7 @@ verify_callback (int preverify_ok, X509_STORE_CTX * ctx) setenv_x509 (opt->es, ctx->error_depth, X509_get_subject_name (ctx->current_cert)); /* enforce character class restrictions in X509 name */ - string_mod (subject, X509_NAME_CHAR_CLASS, 0, '_'); + string_mod_sslname (subject, X509_NAME_CHAR_CLASS, opt->ssl_flags); string_replace_leading (subject, '-', '_'); /* extract the common name */ @@ -634,7 +643,7 @@ verify_callback (int preverify_ok, X509_STORE_CTX * ctx) } } - string_mod (common_name, COMMON_NAME_CHAR_CLASS, 0, '_'); + string_mod_sslname (common_name, COMMON_NAME_CHAR_CLASS, opt->ssl_flags); #if 0 /* print some debugging info */ msg (D_LOW, "LOCAL OPT: %s", opt->local_options); @@ -3350,7 +3359,7 @@ key_method_2_read (struct buffer *buf, struct tls_multi *multi, struct tls_sessi string_mod (raw_username, CC_PRINT, CC_CRLF, '_'); /* enforce character class restrictions in username/password */ - string_mod (up->username, COMMON_NAME_CHAR_CLASS, 0, '_'); + string_mod_sslname (up->username, COMMON_NAME_CHAR_CLASS, session->opt->ssl_flags); string_mod (up->password, CC_PRINT, CC_CRLF, '_'); /* call plugin(s) and/or script */ 
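Review bot: string_mod_sslname carries no comment, and its contract is not obvious from the signature: when SSLF_NO_NAME_REMAPPING is set the restrictive_flags argument is ignored and the string is only reduced to CC_PRINT minus CC_CRLF, so characters with meaning to shells and path handling (space, quotes, semicolons) now survive into the common name, X509 subject and username that are later exported to scripts. Suggest a header comment along the lines of `/* Remap str to restrictive_flags, or, with --no-name-remapping, only to printable characters minus CR/LF; callers must not assume the result is shell-safe in that case. */`. The unchanged comments `/* enforce character class restrictions in X509 name */` and `/* enforce character class restrictions in username/password */` in the verify_callback and key_method_2_read hunks describe only the default path and should mention that the option relaxes them. If the common name is also used to derive file names elsewhere (per-client config lookup, say), that code presumably relied on the restrictive class and deserves a look; I cannot see it from these hunks. verify_callback and key_method_2_read both start and end outside their hunks.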
@@ -468,6 +468,7 @@ struct tls_options # define SSLF_CLIENT_CERT_NOT_REQUIRED (1<<0) # define SSLF_USERNAME_AS_COMMON_NAME (1<<1) # define SSLF_AUTH_USER_PASS_OPTIONAL (1<<2) +# define SSLF_NO_NAME_REMAPPING (1<<3) unsigned int ssl_flags; #ifdef MANAGEMENT_DEF_AUTH |