@@ -6,6 +6,7 @@

 #             packet compression.

 #

 #  Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>

+#  Copyright (C) 2010      David Sommerseth <dazo@users.sourceforge.net>

 #

 #  This program is free software; you can redistribute it and/or modify

 #  it under the terms of the GNU General Public License version 2

@@ -37,7 +38,7 @@ MAINTAINERCLEANFILES = \

 	$(srcdir)/depcomp $(srcdir)/aclocal.m4 \

 	$(srcdir)/config.guess $(srcdir)/config.sub \

 	$(srcdir)/openvpn.spec

-CLEANFILES = openvpn.8.html

+CLEANFILES = openvpn.8.html configure.h

 EXTRA_DIST = \

 	easy-rsa \

@@ -64,7 +65,8 @@ dist_noinst_SCRIPTS = \

 	$(TESTS) \

 	doclean \

 	domake-win \

-	t_cltsrv-down.sh

+	t_cltsrv-down.sh \

+	configure_h.awk configure_log.awk

 dist_noinst_DATA = \

 	openvpn.spec \

@@ -140,6 +142,12 @@ openvpn_SOURCES = \

 	win32.h win32.c \

 	cryptoapi.h cryptoapi.c

+nodist_openvpn_SOURCES = configure.h

+options.$(OBJEXT): configure.h

+

+configure.h: Makefile

+	awk -f $(srcdir)/configure_h.awk config.h > $@

+	awk -f $(srcdir)/configure_log.awk config.log >> $@

 dist-hook:

 	cd $(distdir) && for i in $(EXTRA_DIST) $(SUBDIRS) ; do find $$i -name .svn -type d -prune -exec rm -rf '{}' ';' ; rm -f `find $$i -type f | grep -E '(^|\/)\.?\#|\~$$|\.s?o$$'` ; done

@@ -97,6 +97,6 @@ typedef unsigned long ptr_type;

 /*

  * Script security warning

  */

-#define SCRIPT_SECURITY_WARNING "openvpn_execve: external program may not be called unless '--script-security 2' or higher is enabled.  Use '--script-security 3 system' for backward compatibility with 2.1_rc8 and earlier.  See --help text or man page for detailed info."

+#define SCRIPT_SECURITY_WARNING "WARNING: External program may not be called unless '--script-security 2' or higher is enabled.  Use '--script-security 3 system' for backward compatibility with 2.1_rc8 and earlier.  See --help text or man page for detailed info."

 #endif

new file mode 100644

@@ -0,0 +1,39 @@

+#

+#  OpenVPN -- An application to securely tunnel IP networks

+#             over a single UDP port, with support for SSL/TLS-based

+#             session authentication and key exchange,

+#             packet encryption, packet authentication, and

+#             packet compression.

+#

+#  Copyright (C) 2010  David Sommerseth <dazo@users.sourceforge.net>

+#

+#  This program is free software; you can redistribute it and/or modify

+#  it under the terms of the GNU General Public License version 2

+#  as published by the Free Software Foundation.

+#

+#  This program is distributed in the hope that it will be useful,

+#  but WITHOUT ANY WARRANTY; without even the implied warranty of

+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+#  GNU General Public License for more details.

+#

+#  You should have received a copy of the GNU General Public License

+#  along with this program (see the file COPYING included with this

+#  distribution); if not, write to the Free Software Foundation, Inc.,

+#  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

+#

+#

+#  This script will build up a line which can be included into a C program.

+#  The line will contain all interesting #define statements from f.ex. ./config.h

+#

+

+BEGIN {

+	printf ("#define CONFIGURE_DEFINES \"")

+}

+

+/^#define (ENABLE|DISABLE|DEPRECATED|USE)_/ {

+	printf (" %s", $2)

+}

+

+END {

+	printf ("\"\n")

+}

new file mode 100644

@@ -0,0 +1,33 @@

+#

+#  OpenVPN -- An application to securely tunnel IP networks

+#             over a single UDP port, with support for SSL/TLS-based

+#             session authentication and key exchange,

+#             packet encryption, packet authentication, and

+#             packet compression.

+#

+#  Copyright (C) 2010  David Sommerseth <dazo@users.sourceforge.net>

+#

+#  This program is free software; you can redistribute it and/or modify

+#  it under the terms of the GNU General Public License version 2

+#  as published by the Free Software Foundation.

+#

+#  This program is distributed in the hope that it will be useful,

+#  but WITHOUT ANY WARRANTY; without even the implied warranty of

+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+#  GNU General Public License for more details.

+#

+#  You should have received a copy of the GNU General Public License

+#  along with this program (see the file COPYING included with this

+#  distribution); if not, write to the Free Software Foundation, Inc.,

+#  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

+#

+#

+#  This script will build up a line which can be included into a C program.

+#  The line will only contain the first entry of the ./configure line from

+#  ./config.log.

+#

+

+/\$ (.*)\/configure/ {

+	printf ("#define CONFIGURE_CALL \"%s\"\n", $0)

+	exit 0

+}

@@ -192,6 +192,12 @@ while [ $# -gt 0 ]; do

 		     $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT"

 		     exit 0;;

+        --help|--usage)

+                    usage

+                    exit ;;

+        --version)

+                    echo "$PROGNAME $VERSION"

+                    exit ;;

 	# errors

 	--*        ) die "$PROGNAME: unknown option: $1" ;;

 	*          ) break ;;

@@ -1191,7 +1191,7 @@ do_route (const struct options *options,

       struct argv argv = argv_new ();

       setenv_str (es, "script_type", "route-up");

       argv_printf (&argv, "%sc", options->route_script);

-      openvpn_execve_check (&argv, es, S_SCRIPT, "Route script failed");

+      openvpn_run_script (&argv, es, 0, "--route-up");

       argv_reset (&argv);

     }

@@ -2024,6 +2024,7 @@ do_init_crypto_tls (struct context *c, const unsigned int flags)

 #endif

   to.verify_command = options->tls_verify;

+  to.verify_export_cert = options->tls_export_cert;

   to.verify_x509name = options->tls_remote;

   to.crl_file = options->crl_file;

   to.ns_cert_type = options->ns_cert_type;

@@ -230,7 +230,7 @@ run_up_down (const char *command,

 		  ifconfig_local, ifconfig_remote,

 		  context);

       argv_msg (M_INFO, &argv);

-      openvpn_execve_check (&argv, es, S_SCRIPT|S_FATAL, "script failed");

+      openvpn_run_script (&argv, es, S_FATAL, "--up/--down");

       argv_reset (&argv);

     }

@@ -493,6 +493,7 @@ openvpn_execve_allowed (const unsigned int flags)

     return script_security >= SSEC_BUILT_IN;

 }

+

 #ifndef WIN32

 /*

  * Run execve() inside a fork().  Designed to replicate the semantics of system() but

@@ -504,6 +505,7 @@ openvpn_execve (const struct argv *a, const struct env_set *es, const unsigned i

 {

   struct gc_arena gc = gc_new ();

   int ret = -1;

+  static bool warn_shown = false;

   if (a && a->argv[0])

     {

@@ -540,9 +542,10 @@ openvpn_execve (const struct argv *a, const struct env_set *es, const unsigned i

 	      ASSERT (0);

 	    }

 	}

-      else

+      else if (!warn_shown && (script_security < SSEC_SCRIPTS))

 	{

 	  msg (M_WARN, SCRIPT_SECURITY_WARNING);

+          warn_shown = true;

 	}

 #else

       msg (M_WARN, "openvpn_execve: execve function not available");

@@ -136,6 +136,15 @@ bool openvpn_execve_check (const struct argv *a, const struct env_set *es, const

 bool openvpn_execve_allowed (const unsigned int flags);

 int openvpn_system (const char *command, const struct env_set *es, unsigned int flags);

+static inline bool

+openvpn_run_script (const struct argv *a, const struct env_set *es, const unsigned int flags, const char *hook)

+{

+  char msg[256];

+

+  openvpn_snprintf(msg, sizeof(msg), "WARNING: Failed running command (%s)", hook);

+  return openvpn_execve_check(a, es, flags | S_SCRIPT, msg);

+};

+

 #ifdef HAVE_STRERROR

 /* a thread-safe version of strerror */

 const char* strerror_ts (int errnum, struct gc_arena *gc);

@@ -308,6 +317,7 @@ void get_user_pass_auto_userid (struct user_pass *up, const char *tag);

 extern const char *iproute_path;

 #endif

+/* Script security */

 #define SSEC_NONE      0 /* strictly no calling of external programs */

 #define SSEC_BUILT_IN  1 /* only call built-in programs such as ifconfig, route, netsh, etc.*/

 #define SSEC_SCRIPTS   2 /* allow calling of built-in programs and user-defined scripts */

@@ -109,7 +109,7 @@ learn_address_script (const struct multi_context *m,

 		   mroute_addr_print (addr, &gc));

       if (mi)

 	argv_printf_cat (&argv, "%s", tls_common_name (mi->context.c2.tls_multi, false));

-      if (!openvpn_execve_check (&argv, es, S_SCRIPT, "WARNING: learn-address command failed"))

+      if (!openvpn_run_script (&argv, es, 0, "--learn-address"))

 	ret = false;

       argv_reset (&argv);

     }

@@ -480,7 +480,7 @@ multi_client_disconnect_script (struct multi_context *m,

 	  struct argv argv = argv_new ();

 	  setenv_str (mi->context.c2.es, "script_type", "client-disconnect");

 	  argv_printf (&argv, "%sc", mi->context.options.client_disconnect_script);

-	  openvpn_execve_check (&argv, mi->context.c2.es, S_SCRIPT, "client-disconnect command failed");

+	  openvpn_run_script (&argv, mi->context.c2.es, 0, "--client-disconnect");

 	  argv_reset (&argv);

 	}

 #ifdef MANAGEMENT_DEF_AUTH

@@ -1594,7 +1594,7 @@ multi_connection_established (struct multi_context *m, struct multi_instance *mi

 		       mi->context.options.client_connect_script,

 		       dc_file);

-	  if (openvpn_execve_check (&argv, mi->context.c2.es, S_SCRIPT, "client-connect command failed"))

+	  if (openvpn_run_script (&argv, mi->context.c2.es, 0, "--client-connect"))

 	    {

 	      multi_client_connect_post (m, mi, dc_file, option_permissions_mask, &option_types_found);

 	      ++cc_succeeded_count;

@@ -4244,11 +4244,23 @@ test).

 .B cmd

 should return 0 to allow the TLS handshake to proceed, or 1 to fail.

+

+Note that

+.B cmd

+is a command line and as such may (if enclosed in quotes) contain

+whitespace separated arguments.  The first word of

 .B cmd

-is executed as

+is the shell command to execute and the remaining words are its

+arguments.

+When

+.B cmd

+is executed two arguments are appended, as follows:

 .B cmd certificate_depth X509_NAME_oneline

+These arguments are, respectively, the current certificate depth and

+the X509 common name (cn) of the peer.

+

 This feature is useful if the peer you want to trust has a certificate

 which was signed by a certificate authority who also signed many

 other certificates, where you don't necessarily want to trust all of them,

@@ -4262,14 +4274,14 @@ in the OpenVPN distribution.

 See the "Environmental Variables" section below for

 additional parameters passed as environmental variables.

-

-Note that

-.B cmd

-can be a shell command with multiple arguments, in which

-case all OpenVPN-generated arguments will be appended

-to

-.B cmd

-to build a command line which will be passed to the script.

+.\"*********************************************************

+.TP

+.B --tls-export-cert directory

+Store the certificates the clients uses upon connection to this

+directory. This will be done before --tls-verify is called.  The

+certificates will use a temporary name and will be deleted when

+the tls-verify script returns.  The file name used for the certificate

+is available via the peer_cert environment variable.

 .\"*********************************************************

 .TP

 .B \-\-tls-remote name

@@ -5262,6 +5274,11 @@ than their names as denoted on the command line

 or configuration file.

 .\"*********************************************************

 .TP

+.B peer_cert

+Temporary file name containing the client certificate upon

+connection.  Useful in conjunction with --tls-verify

+.\"*********************************************************

+.TP

 .B script_context

 Set to "init" or "restart" prior to up/down script execution.

 For more information, see

@@ -45,6 +45,8 @@

 #include "pool.h"

 #include "helper.h"

 #include "manage.h"

+#include "configure.h"

+#include <ctype.h>

 #include "memdbg.h"

@@ -503,6 +505,8 @@ static const char usage_message[] =

   "--key file      : Local private key in .pem format.\n"

   "--pkcs12 file   : PKCS#12 file containing local private key, local certificate\n"

   "                  and optionally the root CA certificate.\n"

+  "--x509-username-field : Field used in x509 certificat to be username.\n"

+  "                        Default is CN.\n"

 #ifdef WIN32

   "--cryptoapicert select-string : Load the certificate and private key from the\n"

   "                  Windows Certificate System Store.\n"

@@ -533,6 +537,9 @@ static const char usage_message[] =

   "                  tests of certification.  cmd should return 0 to allow\n"

   "                  TLS handshake to proceed, or 1 to fail.  (cmd is\n"

   "                  executed as 'cmd certificate_depth X509_NAME_oneline')\n"

+  "--tls-export-cert [directory] : Get peer cert in PEM format and store it \n"

+  "                  in an openvpn temporary file in [directory]. Peer cert is \n"

+  "                  stored before tls-verify script execution and deleted after.\n"

   "--tls-remote x509name: Accept connections only from a host with X509 name\n"

   "                  x509name. The remote host must also pass all other tests\n"

   "                  of verification.\n"

@@ -755,6 +762,7 @@ init_options (struct options *o, const bool init_gc)

   o->renegotiate_seconds = 3600;

   o->handshake_window = 60;

   o->transition_window = 3600;

+  o->x509_username_field = X509_USERNAME_FIELD_DEFAULT;

 #endif

 #endif

 #ifdef ENABLE_PKCS11

@@ -1333,6 +1341,7 @@ show_settings (const struct options *o)

 #endif

   SHOW_STR (cipher_list);

   SHOW_STR (tls_verify);

+  SHOW_STR (tls_export_cert);

   SHOW_STR (tls_remote);

   SHOW_STR (crl_file);

   SHOW_INT (ns_cert_type);

@@ -2061,6 +2070,7 @@ options_postprocess_verify_ce (const struct options *options, const struct conne

       MUST_BE_UNDEF (pkcs12_file);

       MUST_BE_UNDEF (cipher_list);

       MUST_BE_UNDEF (tls_verify);

+      MUST_BE_UNDEF (tls_export_cert);

       MUST_BE_UNDEF (tls_remote);

       MUST_BE_UNDEF (tls_timeout);

       MUST_BE_UNDEF (renegotiate_bytes);

@@ -2903,6 +2913,12 @@ usage_version (void)

   msg (M_INFO|M_NOPREFIX, "%s", title_string);

   msg (M_INFO|M_NOPREFIX, "Originally developed by James Yonan");

   msg (M_INFO|M_NOPREFIX, "Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>");

+#ifndef ENABLE_SMALL

+#ifdef CONFIGURE_CALL

+  msg (M_INFO|M_NOPREFIX, "\n%s\n", CONFIGURE_CALL);

+#endif

+  msg (M_INFO|M_NOPREFIX, "Compile time defines: %s", CONFIGURE_DEFINES);

+#endif

   openvpn_exit (OPENVPN_EXIT_STATUS_USAGE); /* exit point */

 }

@@ -5730,6 +5746,11 @@ add_option (struct options *options,

 	goto err;

       options->tls_verify = string_substitute (p[1], ',', ' ', &options->gc);

     }

+  else if (streq (p[0], "tls-export-cert") && p[1])

+    {

+      VERIFY_PERMISSION (OPT_P_GENERAL);

+      options->tls_export_cert = p[1];

+    }

   else if (streq (p[0], "tls-remote") && p[1])

     {

       VERIFY_PERMISSION (OPT_P_GENERAL);

@@ -5855,6 +5876,13 @@ add_option (struct options *options,

 	}

       options->key_method = key_method;

     }

+  else if (streq (p[0], "x509-username-field") && p[1])

+    {

+      char *s = p[1];

+      VERIFY_PERMISSION (OPT_P_GENERAL);

+      while ((*s = toupper(*s)) != '\0') s++; /* Uppercase if necessary */

+      options->x509_username_field = p[1];

+    }

 #endif /* USE_SSL */

 #endif /* USE_CRYPTO */

 #ifdef ENABLE_PKCS11

@@ -465,6 +465,7 @@ struct options

   const char *pkcs12_file;

   const char *cipher_list;

   const char *tls_verify;

+  const char *tls_export_cert;

   const char *tls_remote;

   const char *crl_file;

@@ -508,6 +509,9 @@ struct options

      within n seconds of handshake initiation. */

   int handshake_window;

+  /* Field used to be the username in X509 cert. */

+  char *x509_username_field;

+

   /* Old key allowed to live n seconds after new key goes active */

   int transition_window;

@@ -1695,7 +1695,7 @@ link_socket_connection_initiated (const struct buffer *buf,

       struct argv argv = argv_new ();

       setenv_str (es, "script_type", "ipchange");

       ipchange_fmt (true, &argv, info, &gc);

-      openvpn_execve_check (&argv, es, S_SCRIPT, "ip-change command failed");

+      openvpn_run_script (&argv, es, 0, "--ipchange");

       argv_reset (&argv);

     }

@@ -687,6 +687,51 @@ string_mod_sslname (char *str, const unsigned int restrictive_flags, const unsig

     string_mod (str, restrictive_flags, 0, '_');

 }

+/* Get peer cert and store it in pem format in a temporary file

+ * in tmp_dir

+ */

+

+const char *

+get_peer_cert(X509_STORE_CTX *ctx, const char *tmp_dir, struct gc_arena *gc)

+{

+  X509 *peercert;

+  FILE *peercert_file;

+  const char *peercert_filename="";

+

+  if(!tmp_dir)

+      return NULL;

+

+  /* get peer cert */

+  peercert = X509_STORE_CTX_get_current_cert(ctx);

+  if(!peercert)

+    {

+      msg (M_ERR, "Unable to get peer certificate from current context");

+      return NULL;

+    }

+

+  /* create tmp file to store peer cert */

+  peercert_filename = create_temp_filename (tmp_dir, "pcf", gc);

+

+  /* write peer-cert in tmp-file */

+  peercert_file = fopen(peercert_filename, "w+");

+  if(!peercert_file)

+    {

+      msg (M_ERR, "Failed to open temporary file : %s", peercert_filename);

+      return NULL;

+    }

+  if(PEM_write_X509(peercert_file,peercert)<0)

+    {

+      msg (M_ERR, "Failed to write peer certificate in PEM format");

+      fclose(peercert_file);

+      return NULL;

+    }

+

+  fclose(peercert_file);

+  return peercert_filename;

+}

+

+char * x509_username_field; /* GLOBAL */

+

 /*

  * Our verify callback function -- check

  * that an incoming peer certificate is good.

@@ -697,7 +742,7 @@ verify_callback (int preverify_ok, X509_STORE_CTX * ctx)

 {

   char *subject = NULL;

   char envname[64];

-  char common_name[TLS_CN_LEN];

+  char common_name[TLS_USERNAME_LEN];

   SSL *ssl;

   struct tls_session *session;

   const struct tls_options *opt;

@@ -729,18 +774,20 @@ verify_callback (int preverify_ok, X509_STORE_CTX * ctx)

   string_mod_sslname (subject, X509_NAME_CHAR_CLASS, opt->ssl_flags);

   string_replace_leading (subject, '-', '_');

-  /* extract the common name */

-  if (!extract_x509_field_ssl (X509_get_subject_name (ctx->current_cert), "CN", common_name, TLS_CN_LEN))

+  /* extract the username (default is CN) */

+  if (!extract_x509_field_ssl (X509_get_subject_name (ctx->current_cert), x509_username_field, common_name, sizeof(common_name)))

     {

       if (!ctx->error_depth)

-	{

-	  msg (D_TLS_ERRORS, "VERIFY ERROR: could not extract Common Name from X509 subject string ('%s') -- note that the Common Name length is limited to %d characters",

-	       subject,

-	       TLS_CN_LEN);

-	  goto err;

-	}

+        {

+          msg (D_TLS_ERRORS, "VERIFY ERROR: could not extract %s from X509 subject string ('%s') -- note that the username length is limited to %d characters",

+                 x509_username_field,

+                 subject,

+                 TLS_USERNAME_LEN);

+          goto err;

+        }

     }

+

   string_mod_sslname (common_name, COMMON_NAME_CHAR_CLASS, opt->ssl_flags);

   cert_hash_remember (session, ctx->error_depth, ctx->current_cert->sha1_hash);

@@ -906,32 +953,48 @@ verify_callback (int preverify_ok, X509_STORE_CTX * ctx)

   /* run --tls-verify script */

   if (opt->verify_command)

     {

+      const char *tmp_file;

+      struct gc_arena gc;

       int ret;

       setenv_str (opt->es, "script_type", "tls-verify");

+      if (opt->verify_export_cert)

+        {

+          gc = gc_new();

+          if (tmp_file=get_peer_cert(ctx, opt->verify_export_cert,&gc))

+           {

+             setenv_str(opt->es, "peer_cert", tmp_file);

+           }

+        }

+

       argv_printf (&argv, "%sc %d %s",

 		   opt->verify_command,

 		   ctx->error_depth,

 		   subject);

       argv_msg_prefix (D_TLS_DEBUG, &argv, "TLS: executing verify command");

-      ret = openvpn_execve (&argv, opt->es, S_SCRIPT);

+      ret = openvpn_run_script (&argv, opt->es, 0, "--tls-verify script");

-      if (system_ok (ret))

+      if (opt->verify_export_cert)

+        {

+           if (tmp_file)

+              delete_file(tmp_file);

+           gc_free(&gc);

+        }

+

+      if (ret)

 	{

 	  msg (D_HANDSHAKE, "VERIFY SCRIPT OK: depth=%d, %s",

 	       ctx->error_depth, subject);

 	}

       else

 	{

-	  if (!system_executed (ret))

-	    argv_msg_prefix (M_ERR, &argv, "Verify command failed to execute");

 	  msg (D_HANDSHAKE, "VERIFY SCRIPT ERROR: depth=%d, %s",

 	       ctx->error_depth, subject);

 	  goto err;		/* Reject connection */

 	}

     }

-  

+

   /* check peer cert against CRL */

   if (opt->crl_file)

     {

@@ -1749,7 +1812,8 @@ init_ssl (const struct options *options)

     }

   else

 #endif

-    SSL_CTX_set_verify (ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,

+  x509_username_field = (char *) options->x509_username_field;

+  SSL_CTX_set_verify (ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,

 			verify_callback);

   /* Connection information callback */

@@ -3190,7 +3254,6 @@ verify_user_pass_script (struct tls_session *session, const struct user_pass *up

   struct gc_arena gc = gc_new ();

   struct argv argv = argv_new ();

   const char *tmp_file = "";

-  int retval;

   bool ret = false;

   /* Is username defined? */

@@ -3233,16 +3296,11 @@ verify_user_pass_script (struct tls_session *session, const struct user_pass *up

       /* format command line */

       argv_printf (&argv, "%sc %s", session->opt->auth_user_pass_verify_script, tmp_file);

-      

+

       /* call command */

-      retval = openvpn_execve (&argv, session->opt->es, S_SCRIPT);

+      ret = openvpn_run_script (&argv, session->opt->es, 0,

+				"--auth-user-pass-verify");

-      /* test return status of command */

-      if (system_ok (retval))

-	ret = true;

-      else if (!system_executed (retval))

-	argv_msg_prefix (D_TLS_ERRORS, &argv, "TLS Auth Error: user-pass-verify script failed to execute");

-	  

       if (!session->opt->auth_user_pass_verify_script_via_file)

 	setenv_del (session->opt->es, "password");

     }

@@ -3688,9 +3746,9 @@ key_method_2_read (struct buffer *buf, struct tls_multi *multi, struct tls_sessi

 	s2 = verify_user_pass_script (session, up);

       /* check sizing of username if it will become our common name */

-      if ((session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) && strlen (up->username) >= TLS_CN_LEN)

+      if ((session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) && strlen (up->username) >= TLS_USERNAME_LEN)

 	{

-	  msg (D_TLS_ERRORS, "TLS Auth Error: --username-as-common name specified and username is longer than the maximum permitted Common Name length of %d characters", TLS_CN_LEN);

+	  msg (D_TLS_ERRORS, "TLS Auth Error: --username-as-common name specified and username is longer than the maximum permitted Common Name length of %d characters", TLS_USERNAME_LEN);

 	  s1 = OPENVPN_PLUGIN_FUNC_ERROR;

 	}

@@ -278,8 +278,8 @@

  * Buffer sizes (also see mtu.h).

  */

-/* Maximum length of common name */

-#define TLS_CN_LEN 64

+/* Maximum length of the username in cert */

+#define TLS_USERNAME_LEN 64

 /* Legal characters in an X509 or common name */

 #define X509_NAME_CHAR_CLASS   (CC_ALNUM|CC_UNDERBAR|CC_DASH|CC_DOT|CC_AT|CC_COLON|CC_SLASH|CC_EQUAL)

@@ -288,6 +288,9 @@

 /* Maximum length of OCC options string passed as part of auth handshake */

 #define TLS_OPTIONS_LEN 512

+/* Default field in X509 to be username */

+#define X509_USERNAME_FIELD_DEFAULT "CN"

+

 /*

  * Range of key exchange methods

  */

@@ -444,6 +447,7 @@ struct tls_options

   /* cert verification parms */

   const char *verify_command;

+  const char *verify_export_cert;

   const char *verify_x509name;

   const char *crl_file;

   int ns_cert_type;

@@ -952,6 +952,8 @@ int

 openvpn_execve (const struct argv *a, const struct env_set *es, const unsigned int flags)

 {

   int ret = -1;

+  static bool exec_warn = false;

+

   if (a && a->argv[0])

     {

       if (openvpn_execve_allowed (flags))

@@ -1002,9 +1004,10 @@ openvpn_execve (const struct argv *a, const struct env_set *es, const unsigned i

 	      ASSERT (0);

 	    }

 	}

-      else

+      else if (!exec_warn && (script_security < SSEC_SCRIPTS))

 	{

 	  msg (M_WARN, SCRIPT_SECURITY_WARNING);

+          exec_warn = true;

 	}

     }

   else