From a3982181e284f8c5c8fc15bbbd670da4d91a2ba9 Mon Sep 17 00:00:00 2001 From: Mathieu GIANNECCHINI Date: Tue, 2 Mar 2010 00:26:57 +0100 Subject: enhance tls-verify possibility It should be nice to enhance tls-verify check possibilities against peer cert during a pending TLS connection like : - OCSP verification - check any X509 extensions of the peer certificate - delta CRL verification - ... This patch add a new "tls-export-cert" option which allow to get peer certificate in PEM format and to store it in an openvpn temporary file. Peer certificate is stored before tls-script execution and deleted after. The name of the related temporary file is available under tls-verify script by an environment variable "peer_cert". The patch was made from OpenVPN svn Beta21 branches. Here is a very simple exemple of Tls-verify script which provide OCSP support to OpenVPN (with tls-export-cert option) without any OpenVPN "core" modification : X509=$2 openssl ocsp \ -issuer /etc/openvpn/ssl.crt/RootCA.pem \ -CAfile /etc/openvpn/ssl.capath/OpenVPNServeur-cafile.pem \ -cert $peer_cert \ -url http://your-ocsp-url if [ $? -ne 0 ] then echo "error : OCSP check failed for ${X509}" | logger -t "tls-verify" exit 1 fi This has been discussed here: This patch has been modified by David Sommerseth, by fixing a few issues which came up to during the code review process. The man page has been updated and tmp_file in ssl.c is checked for not being NULL before calling delete_file(). Signed-off-by: David Sommerseth Acked-by: Gert Doering
---
options.c | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'options.c')
diff --git a/options.c b/options.c
index 36b9913..e79f742 100644
--- a/options.c
+++ b/options.c
@@ -529,6 +529,9 @@ static const char usage_message[] =
 " tests of certification. cmd should return 0 to allow\n"
 " TLS handshake to proceed, or 1 to fail. (cmd is\n"
 " executed as 'cmd certificate_depth X509_NAME_oneline')\n"
+ "--tls-export-cert [directory] : Get peer cert in PEM format and store it \n"
+ " in an openvpn temporary file in [directory]. Peer cert is \n"
+ " stored before tls-verify script execution and deleted after.\n"
 "--tls-remote x509name: Accept connections only from a host with X509 name\n"
 " x509name. The remote host must also pass all other tests\n"
 " of verification.\n"
@@ -1325,6 +1328,7 @@ show_settings (const struct options *o)
 #endif
 SHOW_STR (cipher_list);
 SHOW_STR (tls_verify);
+ SHOW_STR (tls_export_cert);
 SHOW_STR (tls_remote);
 SHOW_STR (crl_file);
 SHOW_INT (ns_cert_type);
@@ -1914,6 +1918,7 @@ options_postprocess_verify_ce (const struct options *options, const struct conne
 MUST_BE_UNDEF (pkcs12_file);
 MUST_BE_UNDEF (cipher_list);
 MUST_BE_UNDEF (tls_verify);
+ MUST_BE_UNDEF (tls_export_cert);
 MUST_BE_UNDEF (tls_remote);
 MUST_BE_UNDEF (tls_timeout);
 MUST_BE_UNDEF (renegotiate_bytes);
@@ -5525,6 +5530,11 @@ add_option (struct options *options,
 goto err;
 options->tls_verify = string_substitute (p[1], ',', ' ', &options->gc);
 }
+ else if (streq (p[0], "tls-export-cert") && p[1])
+ {
+ VERIFY_PERMISSION (OPT_P_GENERAL);
+ options->tls_export_cert = p[1];
+ }
 else if (streq (p[0], "tls-remote") && p[1])
 {
 VERIFY_PERMISSION (OPT_P_GENERAL);
-- cgit v1.2.3 From f27bf509315a48b0070294c3993a718df0c2626c Mon Sep 17 00:00:00 2001
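Review bot: The new add_option branch requires a value (`&& p[1]`), but the usage text added in the first hunk of this commit writes the argument as `--tls-export-cert [directory]`, where the brackets read as optional, so one of the two should change — e.g. `"--tls-export-cert directory : Get peer cert in PEM format and store it\n"`. The value is kept as a raw string (`options->tls_export_cert = p[1];`) and nothing here verifies that it names an existing, writable directory; the commit message says the file is created and deleted in ssl.c, so a bad path would only surface during a handshake, and a check in options_postprocess with a clear error message would be friendlier. Because the tls-verify script opens the exported certificate by the name it receives in `peer_cert`, the directory should not be writable by other local users; that expectation belongs in the usage text and the man page. add_option's body continues outside the hunk.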
From: David Sommerseth Date: Thu, 8 Apr 2010 20:31:01 +0200 Subject: Add comile time information/settings from ./configure to --version This patch will create ./configure.h which will contain two new #define strings. CONFIGURE_DEFINES will contain all USE, ENABLED, DISABLED and DEPRECATED defines from ./config.h. CONFIGURE_CALL will contain the complete ./configure line which was used when configuring the package for building. Signed-off-by: David Sommerseth Acked-by: James Yonan
---
options.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'options.c')
diff --git a/options.c b/options.c
index e79f742..25936d1 100644
--- a/options.c
+++ b/options.c
@@ -45,6 +45,7 @@
 #include "pool.h"
 #include "helper.h"
 #include "manage.h"
+#include "configure.h"
 #include "memdbg.h"
@@ -2751,6 +2752,8 @@ usage_version (void)
 msg (M_INFO|M_NOPREFIX, "%s", title_string);
 msg (M_INFO|M_NOPREFIX, "Originally developed by James Yonan");
 msg (M_INFO|M_NOPREFIX, "Copyright (C) 2002-2009 OpenVPN Technologies, Inc. ");
+ msg (M_INFO|M_NOPREFIX, "\n%s\n", CONFIGURE_CALL);
+ msg (M_INFO|M_NOPREFIX, "Compile time defines: %s", CONFIGURE_DEFINES);
 openvpn_exit (OPENVPN_EXIT_STATUS_USAGE); /* exit point */
 }
-- cgit v1.2.3 From 63c367398a57c98ab56f8532e3ff3ea8b89ab92e Mon Sep 17 00:00:00 2001 From: David Sommerseth Date: Thu, 22 Apr 2010 23:01:31 +0200 Subject: Fix dependency checking for configure.h (v2) Alon Bar-Lev indicated commit f27bf509315a48b0070294c3993a718df0c2626c was missing proper dependency checking. This patch corrects this and fixes an issue when creating configure.h via make distcheck. This is an enhanced version of the one sent to the openvpn-devel mailing list April 13, 2010 [1], after having received some feedback from Gert Doering, cleaning up configure_log.awk further. [1] Signed-off-by: David Sommerseth Acked-by: Gert Doering
---
options.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'options.c')
diff --git a/options.c b/options.c
index 25936d1..294ba58 100644
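Review bot: usage_version now references CONFIGURE_CALL and CONFIGURE_DEFINES with no fallback, and the `#include "configure.h"` in the first hunk is unconditional, so a tree in which configure.h has not been generated (the commit message says ./configure creates it) no longer compiles; wrapping each msg() call in `#ifdef CONFIGURE_CALL` / `#ifdef CONFIGURE_DEFINES`, or having the generator always define both macros, would keep builds that skip that step working. Printing the complete ./configure invocation also puts local build paths and every option given on that line into the `--version` output; that is useful for bug reports, but the change in what --version discloses should be mentioned in the man page entry. usage_version starts outside the hunk.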
--- a/options.c
+++ b/options.c
@@ -2752,7 +2752,9 @@ usage_version (void)
 msg (M_INFO|M_NOPREFIX, "%s", title_string);
 msg (M_INFO|M_NOPREFIX, "Originally developed by James Yonan");
 msg (M_INFO|M_NOPREFIX, "Copyright (C) 2002-2009 OpenVPN Technologies, Inc. ");
+#ifdef CONFIGURE_CALL
 msg (M_INFO|M_NOPREFIX, "\n%s\n", CONFIGURE_CALL);
+#endif
 msg (M_INFO|M_NOPREFIX, "Compile time defines: %s", CONFIGURE_DEFINES);
 openvpn_exit (OPENVPN_EXIT_STATUS_USAGE); /* exit point */
 }
-- cgit v1.2.3 From 8dd2672d72508e9edec3d24b75e698b2669d7623 Mon Sep 17 00:00:00 2001 From: David Sommerseth Date: Thu, 22 Apr 2010 23:05:00 +0200 Subject: Don't add compile time information if --enable-small is used This is to satisfy those wanting to build openvpn for embedded devices where every bytes matters. Signed-off-by: David Sommerseth Acked-by: Gert Doering
---
options.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'options.c')
diff --git a/options.c b/options.c
index 294ba58..86279e4 100644
--- a/options.c
+++ b/options.c
@@ -2752,10 +2752,12 @@ usage_version (void)
 msg (M_INFO|M_NOPREFIX, "%s", title_string);
 msg (M_INFO|M_NOPREFIX, "Originally developed by James Yonan");
 msg (M_INFO|M_NOPREFIX, "Copyright (C) 2002-2009 OpenVPN Technologies, Inc. ");
+#ifndef ENABLE_SMALL
 #ifdef CONFIGURE_CALL
 msg (M_INFO|M_NOPREFIX, "\n%s\n", CONFIGURE_CALL);
 #endif
 msg (M_INFO|M_NOPREFIX, "Compile time defines: %s", CONFIGURE_DEFINES);
+#endif
 openvpn_exit (OPENVPN_EXIT_STATUS_USAGE); /* exit point */
 }
-- cgit v1.2.3 From 935c62be9c0c8a256112df818bfb8470586a23b6 Mon Sep 17 00:00:00 2001
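Review bot: CONFIGURE_DEFINES is still used with no guard in both usage_version hunks on this line, while CONFIGURE_CALL now gets `#ifdef CONFIGURE_CALL` around it; if configure.h can lack one macro it can presumably lack the other, so the second msg() call should receive the same treatment, `#ifdef CONFIGURE_DEFINES` … `#endif`, or the generator should always emit both macros. In the --enable-small hunk the nested `#ifndef ENABLE_SMALL` / `#ifdef CONFIGURE_CALL` block closes with two bare `#endif` lines; the file already annotates such closers (`#endif /* USE_SSL */` is visible in a later hunk), so `#endif /* CONFIGURE_CALL */` and `#endif /* ENABLE_SMALL */` would keep that style consistent. usage_version starts outside both hunks.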
From: Emilien Mantel Date: Thu, 17 Jun 2010 21:38:59 +0200 Subject: Choose a different field in X509 to be username For my company, we use a PKI (linked to a LDAP) with OpenVPN. We can't use "CN" to be username (few people can have the same "CN"). In our case, we only use the UID. With my patch, you can choose another field to be username with a new option called --x509-username-field, the default value is "CN". Signed-off-by: Emilien Mantel Acked-by: David Sommerseth Signed-off-by: David Sommerseth
---
options.c | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'options.c')
diff --git a/options.c b/options.c
index 86279e4..ea2dcbe 100644
--- a/options.c
+++ b/options.c
@@ -46,6 +46,7 @@
 #include "helper.h"
 #include "manage.h"
 #include "configure.h"
+#include
 #include "memdbg.h"
@@ -500,6 +501,8 @@ static const char usage_message[] =
 "--key file : Local private key in .pem format.\n"
 "--pkcs12 file : PKCS#12 file containing local private key, local certificate\n"
 " and optionally the root CA certificate.\n"
+ "--x509-username-field : Field used in x509 certificat to be username.\n"
+ " Default is CN.\n"
 #ifdef WIN32
 "--cryptoapicert select-string : Load the certificate and private key from the\n"
 " Windows Certificate System Store.\n"
@@ -753,6 +756,7 @@ init_options (struct options *o, const bool init_gc)
 o->renegotiate_seconds = 3600;
 o->handshake_window = 60;
 o->transition_window = 3600;
+ o->x509_username_field = X509_USERNAME_FIELD_DEFAULT;
 #endif
 #endif
 #ifdef ENABLE_PKCS11
@@ -5667,6 +5671,13 @@ add_option (struct options *options,
 }
 options->key_method = key_method;
 }
+ else if (streq (p[0], "x509-username-field") && p[1])
+ {
+ char *s = p[1];
+ VERIFY_PERMISSION (OPT_P_GENERAL);
+ while ((*s = toupper(*s)) != '\0') s++; /* Uppercase if necessary */
+ options->x509_username_field = p[1];
+ }
 #endif /* USE_SSL */
 #endif /* USE_CRYPTO */
 #ifdef ENABLE_PKCS11
-- cgit v1.2.3
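Review bot: In the add_option hunk, `toupper(*s)` is applied to a plain `char`; where `char` is signed, any byte above 0x7f in the option value is passed as a negative int, which is undefined behaviour for the <ctype.h> functions, so the loop should be `while (*s) { *s = (char) toupper ((unsigned char) *s); s++; }`. Rewriting the value in place also means a field name given in mixed case never reaches the lookup as typed; if ssl.c (outside this diff) resolves it through an OpenSSL short-name lookup, which is case-sensitive, a name such as `emailAddress` would no longer match, so either document that only names that survive uppercasing (CN, UID, …) are supported or drop the conversion. The header name on the `+#include` line of the first hunk is missing in this rendering; toupper is declared in `<ctype.h>`. The usage text in the second hunk has a typo, `certificat` → `certificate`, and X509_USERNAME_FIELD_DEFAULT used in init_options is defined outside this diff. add_option's body continues outside the hunk.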