As promised, remove these options for OpenVPN 2.5.
If a user still uses these, print an error that the user should update its
configuration. Just printing a warning would cause much more confusing
errors, somewhere in the middle of a failed connection attempt, because the
(non-compat) names no longer match the expected names.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1540375925-6111-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17804.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
@@ -3801,77 +3801,6 @@ the authenticated username as the common name, |
3801 | 3801 |
rather than the common name from the client cert. |
3802 | 3802 |
.\"********************************************************* |
3803 | 3803 |
.TP |
3804 |
-.B \-\-compat\-names [no\-remapping] |
|
3805 |
-.B DEPRECATED |
|
3806 |
-This option will be removed in OpenVPN 2.5 |
|
3807 |
- |
|
3808 |
-Until OpenVPN v2.3 the format of the X.509 Subject fields was formatted |
|
3809 |
-like this: |
|
3810 |
-.IP |
|
3811 |
-.B |
|
3812 |
-/C=US/L=Somewhere/CN=John Doe/emailAddress=john@example.com |
|
3813 |
-.IP |
|
3814 |
-In addition the old behaviour was to remap any character other than |
|
3815 |
-alphanumeric, underscore ('_'), dash ('\-'), dot ('.'), and slash ('/') to |
|
3816 |
-underscore ('_'). The X.509 Subject string as returned by the |
|
3817 |
-.B tls_id |
|
3818 |
-environmental variable, could additionally contain colon (':') or equal ('='). |
|
3819 |
-.IP |
|
3820 |
-When using the |
|
3821 |
-.B \-\-compat\-names |
|
3822 |
-option, this old formatting and remapping will be re\-enabled again. This is |
|
3823 |
-purely implemented for compatibility reasons when using older plug\-ins or |
|
3824 |
-scripts which does not handle the new formatting or UTF\-8 characters. |
|
3825 |
-.IP |
|
3826 |
-In OpenVPN 2.3 the formatting of these fields changed into a more |
|
3827 |
-standardised format. It now looks like: |
|
3828 |
-.IP |
|
3829 |
-.B |
|
3830 |
-C=US, L=Somewhere, CN=John Doe, emailAddress=john@example.com |
|
3831 |
-.IP |
|
3832 |
-The new default format in OpenVPN 2.3 also does not do the character remapping |
|
3833 |
-which happened earlier. This new format enables proper support for UTF\-8 |
|
3834 |
-characters in the usernames, X.509 Subject fields and Common Name variables and |
|
3835 |
-it complies to the RFC 2253, UTF\-8 String Representation of Distinguished |
|
3836 |
-Names. |
|
3837 |
- |
|
3838 |
-The |
|
3839 |
-.B no\-remapping |
|
3840 |
-mode flag can be used with the |
|
3841 |
-.B |
|
3842 |
-\-\-compat\-names |
|
3843 |
-option to be compatible with the now deprecated \-\-no\-name\-remapping option. |
|
3844 |
-It is only available at the server. When this mode flag is used, the Common Name, |
|
3845 |
-Subject, and username strings are allowed to include any printable character |
|
3846 |
-including space, but excluding control characters such as tab, newline, and |
|
3847 |
-carriage\-return. no\-remapping is only available on the server side. |
|
3848 |
- |
|
3849 |
-.B Please note: |
|
3850 |
-This option is immediately deprecated. It is only implemented |
|
3851 |
-to make the transition to the new formatting less intrusive. It will be |
|
3852 |
-removed in OpenVPN 2.5. So please update your scripts/plug\-ins where necessary. |
|
3853 |
-.\"********************************************************* |
|
3854 |
-.TP |
|
3855 |
-.B \-\-no\-name\-remapping |
|
3856 |
-.B DEPRECATED |
|
3857 |
-This option will be removed in OpenVPN 2.5 |
|
3858 |
- |
|
3859 |
-The |
|
3860 |
-.B \-\-no\-name\-remapping |
|
3861 |
-option is an alias for |
|
3862 |
-.B \-\-compat\-names\ no\-remapping. |
|
3863 |
-It ensures compatibility with server configurations using the |
|
3864 |
-.B \-\-no\-name\-remapping |
|
3865 |
-option. |
|
3866 |
- |
|
3867 |
-.B Please note: |
|
3868 |
-This option is now deprecated. It will be removed in OpenVPN 2.5. |
|
3869 |
-So please make sure you support the new X.509 name formatting |
|
3870 |
-described with the |
|
3871 |
-.B \-\-compat\-names |
|
3872 |
-option as soon as possible. |
|
3873 |
-.\"********************************************************* |
|
3874 |
-.TP |
|
3875 | 3804 |
.B \-\-port\-share host port [dir] |
3876 | 3805 |
When run in TCP server mode, share the OpenVPN port with |
3877 | 3806 |
another application, such as an HTTPS server. If OpenVPN |
@@ -666,29 +666,6 @@ sanitize_control_message(const char *src, struct gc_arena *gc) |
666 | 666 |
return ret; |
667 | 667 |
} |
668 | 668 |
|
669 |
-/** |
|
670 |
- * Will set or query for a global compat flag. To modify the compat flags |
|
671 |
- * the COMPAT_FLAG_SET must be bitwise ORed together with the flag to set. |
|
672 |
- * If no "operator" flag is given it defaults to COMPAT_FLAG_QUERY, |
|
673 |
- * which returns the flag state. |
|
674 |
- * |
|
675 |
- * @param flag Flag to be set/queried for bitwise ORed with the operator flag |
|
676 |
- * @return Returns 0 if the flag is not set, otherwise the 'flag' value is returned |
|
677 |
- */ |
|
678 |
-bool |
|
679 |
-compat_flag(unsigned int flag) |
|
680 |
-{ |
|
681 |
- static unsigned int compat_flags = 0; |
|
682 |
- |
|
683 |
- if (flag & COMPAT_FLAG_SET) |
|
684 |
- { |
|
685 |
- compat_flags |= (flag >> 1); |
|
686 |
- } |
|
687 |
- |
|
688 |
- return (compat_flags & (flag >> 1)); |
|
689 |
- |
|
690 |
-} |
|
691 |
- |
|
692 | 669 |
#if P2MP_SERVER |
693 | 670 |
|
694 | 671 |
/* helper to parse peer_info received from multi client, validate |
@@ -166,12 +166,6 @@ const char *sanitize_control_message(const char *str, struct gc_arena *gc); |
166 | 166 |
extern const char *iproute_path; |
167 | 167 |
#endif |
168 | 168 |
|
169 |
-#define COMPAT_FLAG_QUERY 0 /** compat_flags operator: Query for a flag */ |
|
170 |
-#define COMPAT_FLAG_SET (1<<0) /** compat_flags operator: Set a compat flag */ |
|
171 |
-#define COMPAT_NAMES (1<<1) /** compat flag: --compat-names set */ |
|
172 |
-#define COMPAT_NO_NAME_REMAPPING (1<<2) /** compat flag: --compat-names without char remapping */ |
|
173 |
-bool compat_flag(unsigned int flag); |
|
174 |
- |
|
175 | 169 |
#if P2MP_SERVER |
176 | 170 |
/* helper to parse peer_info received from multi client, validate |
177 | 171 |
* (this is untrusted data) and put into environment */ |
@@ -2436,10 +2436,6 @@ options_postprocess_verify_ce(const struct options *options, const struct connec |
2436 | 2436 |
{ |
2437 | 2437 |
msg(M_USAGE, "--stale-routes-check requires --mode server"); |
2438 | 2438 |
} |
2439 |
- if (compat_flag(COMPAT_FLAG_QUERY | COMPAT_NO_NAME_REMAPPING)) |
|
2440 |
- { |
|
2441 |
- msg(M_USAGE, "--compat-x509-names no-remapping requires --mode server"); |
|
2442 |
- } |
|
2443 | 2439 |
} |
2444 | 2440 |
#endif /* P2MP_SERVER */ |
2445 | 2441 |
|
@@ -7883,49 +7879,24 @@ add_option(struct options *options, |
7883 | 7883 |
options->tls_export_cert = p[1]; |
7884 | 7884 |
} |
7885 | 7885 |
#endif |
7886 |
-#if P2MP_SERVER |
|
7887 |
- else if (streq(p[0], "compat-names") && ((p[1] && streq(p[1], "no-remapping")) || !p[1]) && !p[2]) |
|
7888 |
-#else |
|
7889 |
- else if (streq(p[0], "compat-names") && !p[1]) |
|
7890 |
-#endif |
|
7886 |
+ else if (streq(p[0], "compat-names")) |
|
7891 | 7887 |
{ |
7892 | 7888 |
VERIFY_PERMISSION(OPT_P_GENERAL); |
7893 |
- if (options->verify_x509_type != VERIFY_X509_NONE) |
|
7894 |
- { |
|
7895 |
- msg(msglevel, "you cannot use --compat-names with --verify-x509-name"); |
|
7896 |
- goto err; |
|
7897 |
- } |
|
7898 |
- msg(M_WARN, "DEPRECATED OPTION: --compat-names, please update your configuration. This will be removed in OpenVPN 2.5."); |
|
7899 |
- compat_flag(COMPAT_FLAG_SET | COMPAT_NAMES); |
|
7900 |
-#if P2MP_SERVER |
|
7901 |
- if (p[1] && streq(p[1], "no-remapping")) |
|
7902 |
- { |
|
7903 |
- compat_flag(COMPAT_FLAG_SET | COMPAT_NO_NAME_REMAPPING); |
|
7904 |
- } |
|
7889 |
+ msg(msglevel, "--compat-names was removed in OpenVPN 2.5. " |
|
7890 |
+ "Update your configuration."); |
|
7891 |
+ goto err; |
|
7905 | 7892 |
} |
7906 | 7893 |
else if (streq(p[0], "no-name-remapping") && !p[1]) |
7907 | 7894 |
{ |
7908 | 7895 |
VERIFY_PERMISSION(OPT_P_GENERAL); |
7909 |
- if (options->verify_x509_type != VERIFY_X509_NONE) |
|
7910 |
- { |
|
7911 |
- msg(msglevel, "you cannot use --no-name-remapping with --verify-x509-name"); |
|
7912 |
- goto err; |
|
7913 |
- } |
|
7914 |
- msg(M_WARN, "DEPRECATED OPTION: --no-name-remapping, please update your configuration. This will be removed in OpenVPN 2.5."); |
|
7915 |
- compat_flag(COMPAT_FLAG_SET | COMPAT_NAMES); |
|
7916 |
- compat_flag(COMPAT_FLAG_SET | COMPAT_NO_NAME_REMAPPING); |
|
7917 |
-#endif |
|
7896 |
+ msg(msglevel, "--no-name-remapping was removed in OpenVPN 2.5. " |
|
7897 |
+ "Update your configuration."); |
|
7898 |
+ goto err; |
|
7918 | 7899 |
} |
7919 | 7900 |
else if (streq(p[0], "verify-x509-name") && p[1] && strlen(p[1]) && !p[3]) |
7920 | 7901 |
{ |
7921 | 7902 |
int type = VERIFY_X509_SUBJECT_DN; |
7922 | 7903 |
VERIFY_PERMISSION(OPT_P_GENERAL); |
7923 |
- if (compat_flag(COMPAT_FLAG_QUERY | COMPAT_NAMES)) |
|
7924 |
- { |
|
7925 |
- msg(msglevel, "you cannot use --verify-x509-name with " |
|
7926 |
- "--compat-names or --no-name-remapping"); |
|
7927 |
- goto err; |
|
7928 |
- } |
|
7929 | 7904 |
if (p[2]) |
7930 | 7905 |
{ |
7931 | 7906 |
if (streq(p[2], "subject")) |
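Review bot: The two removed-option branches are matched differently: `compat-names` is now caught regardless of its arguments, while `no-name-remapping` keeps `&& !p[1]`, so `--no-name-remapping foo` falls past this branch and is reported by the generic unrecognised-option path instead of the targeted "was removed" message. For consistency use `else if (streq(p[0], "no-name-remapping"))`. Both branches also still run `VERIFY_PERMISSION(OPT_P_GENERAL)` before the removal message; if that macro can reject the option on its own (e.g. in a pushed-options context), the user presumably sees a permission error rather than the hint that the option is gone, so consider moving the `msg`/`goto err` ahead of it or commenting why the permission check is kept. add_option continues outside the hunk.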
@@ -48,24 +48,10 @@ |
48 | 48 |
/** Maximum length of common name */ |
49 | 49 |
#define TLS_USERNAME_LEN 64 |
50 | 50 |
|
51 |
-/** Legal characters in an X509 name with --compat-names */ |
|
52 |
-#define X509_NAME_CHAR_CLASS (CC_ALNUM|CC_UNDERBAR|CC_DASH|CC_DOT|CC_AT|CC_SLASH|CC_COLON|CC_EQUAL) |
|
53 |
- |
|
54 |
-/** Legal characters in a common name with --compat-names */ |
|
55 |
-#define COMMON_NAME_CHAR_CLASS (CC_ALNUM|CC_UNDERBAR|CC_DASH|CC_DOT|CC_AT|CC_SLASH) |
|
56 |
- |
|
57 | 51 |
static void |
58 |
-string_mod_remap_name(char *str, const unsigned int restrictive_flags) |
|
52 |
+string_mod_remap_name(char *str) |
|
59 | 53 |
{ |
60 |
- if (compat_flag(COMPAT_FLAG_QUERY | COMPAT_NAMES) |
|
61 |
- && !compat_flag(COMPAT_FLAG_QUERY | COMPAT_NO_NAME_REMAPPING)) |
|
62 |
- { |
|
63 |
- string_mod(str, restrictive_flags, 0, '_'); |
|
64 |
- } |
|
65 |
- else |
|
66 |
- { |
|
67 |
- string_mod(str, CC_PRINT, CC_CRLF, '_'); |
|
68 |
- } |
|
54 |
+ string_mod(str, CC_PRINT, CC_CRLF, '_'); |
|
69 | 55 |
} |
70 | 56 |
|
71 | 57 |
/* |
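Review bot: string_mod_remap_name is reduced to a single `string_mod(str, CC_PRINT, CC_CRLF, '_')` call but carries no doc comment, and the same call is spelled out directly for the password in verify_user_pass (new lines 1302-1303), so two spellings now do identical work. Either inline the call at its three remaining call sites or document the helper, e.g. `/** Remap every character of @p str outside the printable class, plus CR/LF, to '_'; shared by subject, CN and username sanitising. */`, and use it for the password as well for uniformity. The character-class description is inferred from the string_mod arguments; confirm against its definition before committing the comment.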
@@ -690,7 +676,7 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep |
690 | 690 |
} |
691 | 691 |
|
692 | 692 |
/* enforce character class restrictions in X509 name */ |
693 |
- string_mod_remap_name(subject, X509_NAME_CHAR_CLASS); |
|
693 |
+ string_mod_remap_name(subject); |
|
694 | 694 |
string_replace_leading(subject, '-', '_'); |
695 | 695 |
|
696 | 696 |
/* extract the username (default is CN) */ |
@@ -710,7 +696,7 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep |
710 | 710 |
} |
711 | 711 |
|
712 | 712 |
/* enforce character class restrictions in common name */ |
713 |
- string_mod_remap_name(common_name, COMMON_NAME_CHAR_CLASS); |
|
713 |
+ string_mod_remap_name(common_name); |
|
714 | 714 |
|
715 | 715 |
/* warn if cert chain is too deep */ |
716 | 716 |
if (cert_depth >= MAX_CERT_DEPTH) |
@@ -1168,7 +1154,7 @@ done: |
1168 | 1168 |
* Verify the username and password using a plugin |
1169 | 1169 |
*/ |
1170 | 1170 |
static int |
1171 |
-verify_user_pass_plugin(struct tls_session *session, const struct user_pass *up, const char *raw_username) |
|
1171 |
+verify_user_pass_plugin(struct tls_session *session, const struct user_pass *up) |
|
1172 | 1172 |
{ |
1173 | 1173 |
int retval = OPENVPN_PLUGIN_FUNC_ERROR; |
1174 | 1174 |
#ifdef PLUGIN_DEF_AUTH |
@@ -1179,7 +1165,7 @@ verify_user_pass_plugin(struct tls_session *session, const struct user_pass *up, |
1179 | 1179 |
if ((session->opt->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) || strlen(up->username)) |
1180 | 1180 |
{ |
1181 | 1181 |
/* set username/password in private env space */ |
1182 |
- setenv_str(session->opt->es, "username", (raw_username ? raw_username : up->username)); |
|
1182 |
+ setenv_str(session->opt->es, "username", up->username); |
|
1183 | 1183 |
setenv_str(session->opt->es, "password", up->password); |
1184 | 1184 |
|
1185 | 1185 |
/* setenv incoming cert common name for script */ |
@@ -1210,10 +1196,6 @@ verify_user_pass_plugin(struct tls_session *session, const struct user_pass *up, |
1210 | 1210 |
#endif |
1211 | 1211 |
|
1212 | 1212 |
setenv_del(session->opt->es, "password"); |
1213 |
- if (raw_username) |
|
1214 |
- { |
|
1215 |
- setenv_str(session->opt->es, "username", up->username); |
|
1216 |
- } |
|
1217 | 1213 |
} |
1218 | 1214 |
else |
1219 | 1215 |
{ |
@@ -1235,7 +1217,7 @@ cleanup: |
1235 | 1235 |
#define KMDA_DEF 3 |
1236 | 1236 |
|
1237 | 1237 |
static int |
1238 |
-verify_user_pass_management(struct tls_session *session, const struct user_pass *up, const char *raw_username) |
|
1238 |
+verify_user_pass_management(struct tls_session *session, const struct user_pass *up) |
|
1239 | 1239 |
{ |
1240 | 1240 |
int retval = KMDA_ERROR; |
1241 | 1241 |
struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */ |
@@ -1244,7 +1226,7 @@ verify_user_pass_management(struct tls_session *session, const struct user_pass |
1244 | 1244 |
if ((session->opt->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) || strlen(up->username)) |
1245 | 1245 |
{ |
1246 | 1246 |
/* set username/password in private env space */ |
1247 |
- setenv_str(session->opt->es, "username", (raw_username ? raw_username : up->username)); |
|
1247 |
+ setenv_str(session->opt->es, "username", up->username); |
|
1248 | 1248 |
setenv_str(session->opt->es, "password", up->password); |
1249 | 1249 |
|
1250 | 1250 |
/* setenv incoming cert common name for script */ |
@@ -1259,10 +1241,6 @@ verify_user_pass_management(struct tls_session *session, const struct user_pass |
1259 | 1259 |
} |
1260 | 1260 |
|
1261 | 1261 |
setenv_del(session->opt->es, "password"); |
1262 |
- if (raw_username) |
|
1263 |
- { |
|
1264 |
- setenv_str(session->opt->es, "username", up->username); |
|
1265 |
- } |
|
1266 | 1262 |
|
1267 | 1263 |
retval = KMDA_SUCCESS; |
1268 | 1264 |
} |
@@ -1286,9 +1264,6 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, |
1286 | 1286 |
bool s2 = true; |
1287 | 1287 |
struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */ |
1288 | 1288 |
|
1289 |
- struct gc_arena gc = gc_new(); |
|
1290 |
- char *raw_username = NULL; |
|
1291 |
- |
|
1292 | 1289 |
#ifdef MANAGEMENT_DEF_AUTH |
1293 | 1290 |
int man_def_auth = KMDA_UNDEF; |
1294 | 1291 |
|
@@ -1298,19 +1273,8 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, |
1298 | 1298 |
} |
1299 | 1299 |
#endif |
1300 | 1300 |
|
1301 |
- /* |
|
1302 |
- * Preserve the raw username before string_mod remapping, for plugins |
|
1303 |
- * and management clients when in --compat-names mode |
|
1304 |
- */ |
|
1305 |
- if (compat_flag(COMPAT_FLAG_QUERY | COMPAT_NAMES)) |
|
1306 |
- { |
|
1307 |
- ALLOC_ARRAY_CLEAR_GC(raw_username, char, USER_PASS_LEN, &gc); |
|
1308 |
- strcpy(raw_username, up->username); |
|
1309 |
- string_mod(raw_username, CC_PRINT, CC_CRLF, '_'); |
|
1310 |
- } |
|
1311 |
- |
|
1312 | 1301 |
/* enforce character class restrictions in username/password */ |
1313 |
- string_mod_remap_name(up->username, COMMON_NAME_CHAR_CLASS); |
|
1302 |
+ string_mod_remap_name(up->username); |
|
1314 | 1303 |
string_mod(up->password, CC_PRINT, CC_CRLF, '_'); |
1315 | 1304 |
|
1316 | 1305 |
/* If server is configured with --auth-gen-token and we have an |
@@ -1328,7 +1292,7 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, |
1328 | 1328 |
{ |
1329 | 1329 |
/* auth-token cleared in tls_lock_username() on failure */ |
1330 | 1330 |
ks->authenticated = false; |
1331 |
- goto done; |
|
1331 |
+ return; |
|
1332 | 1332 |
} |
1333 | 1333 |
|
1334 | 1334 |
/* If auth-token lifetime has been enabled, |
@@ -1340,7 +1304,7 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, |
1340 | 1340 |
msg(D_HANDSHAKE, "Auth-token for client expired\n"); |
1341 | 1341 |
wipe_auth_token(multi); |
1342 | 1342 |
ks->authenticated = false; |
1343 |
- goto done; |
|
1343 |
+ return; |
|
1344 | 1344 |
} |
1345 | 1345 |
|
1346 | 1346 |
/* The core authentication of the token itself */ |
@@ -1367,19 +1331,19 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, |
1367 | 1367 |
up->username, |
1368 | 1368 |
(ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) ? "[CN SET]" : ""); |
1369 | 1369 |
} |
1370 |
- goto done; |
|
1370 |
+ return; |
|
1371 | 1371 |
} |
1372 | 1372 |
|
1373 | 1373 |
/* call plugin(s) and/or script */ |
1374 | 1374 |
#ifdef MANAGEMENT_DEF_AUTH |
1375 | 1375 |
if (man_def_auth == KMDA_DEF) |
1376 | 1376 |
{ |
1377 |
- man_def_auth = verify_user_pass_management(session, up, raw_username); |
|
1377 |
+ man_def_auth = verify_user_pass_management(session, up); |
|
1378 | 1378 |
} |
1379 | 1379 |
#endif |
1380 | 1380 |
if (plugin_defined(session->opt->plugins, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY)) |
1381 | 1381 |
{ |
1382 |
- s1 = verify_user_pass_plugin(session, up, raw_username); |
|
1382 |
+ s1 = verify_user_pass_plugin(session, up); |
|
1383 | 1383 |
} |
1384 | 1384 |
if (session->opt->auth_user_pass_verify_script) |
1385 | 1385 |
{ |
@@ -1462,9 +1426,6 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, |
1462 | 1462 |
{ |
1463 | 1463 |
msg(D_TLS_ERRORS, "TLS Auth Error: Auth Username/Password verification failed for peer"); |
1464 | 1464 |
} |
1465 |
- |
|
1466 |
-done: |
|
1467 |
- gc_free(&gc); |
|
1468 | 1465 |
} |
1469 | 1466 |
|
1470 | 1467 |
void |
@@ -332,18 +332,6 @@ x509_get_subject(X509 *cert, struct gc_arena *gc) |
332 | 332 |
BUF_MEM *subject_mem; |
333 | 333 |
char *subject = NULL; |
334 | 334 |
|
335 |
- /* |
|
336 |
- * Generate the subject string in OpenSSL proprietary format, |
|
337 |
- * when in --compat-names mode |
|
338 |
- */ |
|
339 |
- if (compat_flag(COMPAT_FLAG_QUERY | COMPAT_NAMES)) |
|
340 |
- { |
|
341 |
- subject = gc_malloc(256, false, gc); |
|
342 |
- X509_NAME_oneline(X509_get_subject_name(cert), subject, 256); |
|
343 |
- subject[255] = '\0'; |
|
344 |
- return subject; |
|
345 |
- } |
|
346 |
- |
|
347 | 335 |
subject_bio = BIO_new(BIO_s_mem()); |
348 | 336 |
if (subject_bio == NULL) |
349 | 337 |
{ |