git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3467 e7ae566f-a301-0410-adde-c780ea21d3b5
james authored on 2008/10/31 16:04:51... | ... |
@@ -203,6 +203,7 @@ openvpn \- secure IP tunnel daemon. |
203 | 203 |
[\ \fB\-\-mute\fR\ \fIn\fR\ ] |
204 | 204 |
[\ \fB\-\-nice\fR\ \fIn\fR\ ] |
205 | 205 |
[\ \fB\-\-no\-iv\fR\ ] |
206 |
+[\ \fB\-\-no\-name\-remapping\fR\ ] |
|
206 | 207 |
[\ \fB\-\-no\-replay\fR\ ] |
207 | 208 |
[\ \fB\-\-bind\fR\ ] |
208 | 209 |
[\ \fB\-\-nobind\fR\ ] |
... | ... |
@@ -3297,6 +3298,27 @@ the authenticated username as the common name, |
3297 | 3297 |
rather than the common name from the client cert. |
3298 | 3298 |
.\"********************************************************* |
3299 | 3299 |
.TP |
3300 |
+.B --no-name-remapping |
|
3301 |
+Allow Common Name, X509 Subject, and username strings to include |
|
3302 |
+any printable character including space, but excluding control |
|
3303 |
+characters such as tab, newline, and carriage-return. |
|
3304 |
+ |
|
3305 |
+By default, OpenVPN will remap |
|
3306 |
+any character other than alphanumeric, underbar ('_'), dash |
|
3307 |
+('-'), dot ('.'), and slash ('/') to underbar ('_'). The X509 |
|
3308 |
+Subject string as returned by the |
|
3309 |
+.B tls_id |
|
3310 |
+environmental variable, can additionally contain colon (':') or |
|
3311 |
+equal ('='). |
|
3312 |
+ |
|
3313 |
+While name remapping is performed for security reasons to reduce |
|
3314 |
+the possibility of introducing string expansion security vulnerabilities |
|
3315 |
+in user-defined authentication |
|
3316 |
+scripts, this option is provided for those cases where it is desirable to |
|
3317 |
+disable the remapping feature. Don't use this option unless you |
|
3318 |
+know what you are doing! |
|
3319 |
+.\"********************************************************* |
|
3320 |
+.TP |
|
3300 | 3321 |
.B --port-share host port |
3301 | 3322 |
When run in TCP server mode, share the OpenVPN port with |
3302 | 3323 |
another application, such as an HTTPS server. If OpenVPN |
... | ... |
@@ -383,6 +383,8 @@ static const char usage_message[] = |
383 | 383 |
" user/pass via temporary file.\n" |
384 | 384 |
"--auth-user-pass-optional : Allow connections by clients that don't\n" |
385 | 385 |
" specify a username/password.\n" |
386 |
+ "--no-name-remapping : Allow Common Name and X509 Subject to include\n" |
|
387 |
+ " any printable character.\n" |
|
386 | 388 |
"--client-to-client : Internally route client-to-client traffic.\n" |
387 | 389 |
"--duplicate-cn : Allow multiple clients with the same common name to\n" |
388 | 390 |
" concurrently connect.\n" |
... | ... |
@@ -4576,6 +4578,11 @@ add_option (struct options *options, |
4576 | 4576 |
VERIFY_PERMISSION (OPT_P_GENERAL); |
4577 | 4577 |
options->ssl_flags |= SSLF_AUTH_USER_PASS_OPTIONAL; |
4578 | 4578 |
} |
4579 |
+ else if (streq (p[0], "no-name-remapping")) |
|
4580 |
+ { |
|
4581 |
+ VERIFY_PERMISSION (OPT_P_GENERAL); |
|
4582 |
+ options->ssl_flags |= SSLF_NO_NAME_REMAPPING; |
|
4583 |
+ } |
|
4579 | 4584 |
else if (streq (p[0], "auth-user-pass-verify") && p[1]) |
4580 | 4585 |
{ |
4581 | 4586 |
VERIFY_PERMISSION (OPT_P_SCRIPT); |
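Review bot: The new `no-name-remapping` branch sets the flag silently, although the man page for this option warns that remapping exists specifically to keep unexpected characters out of user-defined authentication scripts. Since the effect is invisible at runtime, I would log it once when the option is parsed so an operator reviewing a server log can see the relaxed policy is in force, e.g. `msg (M_WARN, "--no-name-remapping: Common Name, X509 Subject and username are passed to scripts with only CR/LF rewritten");` placed after the `options->ssl_flags |= SSLF_NO_NAME_REMAPPING;` line (assuming M_WARN is the warning level used elsewhere in options.c; the file only shows msg() with D_LOW in ssl.c). add_option itself starts and ends outside this hunk.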
... | ... |
@@ -580,6 +580,15 @@ print_nsCertType (int type) |
580 | 580 |
} |
581 | 581 |
} |
582 | 582 |
|
583 |
+static void |
|
584 |
+string_mod_sslname (char *str, const unsigned int restrictive_flags, const unsigned int ssl_flags) |
|
585 |
+{ |
|
586 |
+ if (ssl_flags & SSLF_NO_NAME_REMAPPING) |
|
587 |
+ string_mod (str, CC_PRINT, CC_CRLF, '_'); |
|
588 |
+ else |
|
589 |
+ string_mod (str, restrictive_flags, 0, '_'); |
|
590 |
+} |
|
591 |
+ |
|
583 | 592 |
/* |
584 | 593 |
* Our verify callback function -- check |
585 | 594 |
* that an incoming peer certificate is good. |
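Review bot: string_mod_sslname is now the single place where the character policy for names handed to scripts and environment variables is decided, yet it carries no comment, and a reader has to know that `restrictive_flags` is deliberately ignored when the flag is set. I would add a header comment above the function stating its contract: by default only characters in `restrictive_flags` survive and everything else is rewritten to '_'; with SSLF_NO_NAME_REMAPPING any character in CC_PRINT survives and only CR/LF are rewritten, so characters such as space, ';', '$' and backquote reach the caller's scripts unchanged. The comment should also note that the claim in the man page that tab is still excluded rests on CC_PRINT not including it, which this file does not show and should be confirmed against the CC_PRINT definition.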
... | ... |
@@ -619,7 +628,7 @@ verify_callback (int preverify_ok, X509_STORE_CTX * ctx) |
619 | 619 |
setenv_x509 (opt->es, ctx->error_depth, X509_get_subject_name (ctx->current_cert)); |
620 | 620 |
|
621 | 621 |
/* enforce character class restrictions in X509 name */ |
622 |
- string_mod (subject, X509_NAME_CHAR_CLASS, 0, '_'); |
|
622 |
+ string_mod_sslname (subject, X509_NAME_CHAR_CLASS, opt->ssl_flags); |
|
623 | 623 |
string_replace_leading (subject, '-', '_'); |
624 | 624 |
|
625 | 625 |
/* extract the common name */ |
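Review bot: After the new string_mod_sslname call, `string_replace_leading (subject, '-', '_')` still runs unconditionally, so even with --no-name-remapping a subject cannot begin with '-'; this is sensible if the subject is passed to scripts as an argument, but it contradicts the man page's "any printable character" wording and is not explained at the call site. I would add a comment on that line such as `/* even with --no-name-remapping, never let the subject start with '-' -- presumably so a script receiving it as an argument cannot mistake it for an option */` and mention the exception in the option's documentation. verify_callback starts before and continues after this hunk.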
... | ... |
@@ -634,7 +643,7 @@ verify_callback (int preverify_ok, X509_STORE_CTX * ctx) |
634 | 634 |
} |
635 | 635 |
} |
636 | 636 |
|
637 |
- string_mod (common_name, COMMON_NAME_CHAR_CLASS, 0, '_'); |
|
637 |
+ string_mod_sslname (common_name, COMMON_NAME_CHAR_CLASS, opt->ssl_flags); |
|
638 | 638 |
|
639 | 639 |
#if 0 /* print some debugging info */ |
640 | 640 |
msg (D_LOW, "LOCAL OPT: %s", opt->local_options); |
... | ... |
@@ -3350,7 +3359,7 @@ key_method_2_read (struct buffer *buf, struct tls_multi *multi, struct tls_sessi |
3350 | 3350 |
string_mod (raw_username, CC_PRINT, CC_CRLF, '_'); |
3351 | 3351 |
|
3352 | 3352 |
/* enforce character class restrictions in username/password */ |
3353 |
- string_mod (up->username, COMMON_NAME_CHAR_CLASS, 0, '_'); |
|
3353 |
+ string_mod_sslname (up->username, COMMON_NAME_CHAR_CLASS, session->opt->ssl_flags); |
|
3354 | 3354 |
string_mod (up->password, CC_PRINT, CC_CRLF, '_'); |
3355 | 3355 |
|
3356 | 3356 |
/* call plugin(s) and/or script */ |
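Review bot: Of the three strings this flag relaxes, the username is the one supplied directly by the peer with no certificate behind it, and with SSLF_CLIENT_CERT_NOT_REQUIRED (declared in the ssl.h hunk) it can come from a peer that has not authenticated at all; the changed line gives it the same CC_PRINT/CC_CRLF treatment that `raw_username` already received two lines above, so every printable character now reaches the auth script or plugin. That is the intended effect of the option, but the call site should say so, e.g. `/* with --no-name-remapping the username keeps any printable character (only CR/LF rewritten), so auth scripts must quote it */` above the string_mod_sslname line. key_method_2_read starts before and continues after this hunk.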
... | ... |
@@ -468,6 +468,7 @@ struct tls_options |
468 | 468 |
# define SSLF_CLIENT_CERT_NOT_REQUIRED (1<<0) |
469 | 469 |
# define SSLF_USERNAME_AS_COMMON_NAME (1<<1) |
470 | 470 |
# define SSLF_AUTH_USER_PASS_OPTIONAL (1<<2) |
471 |
+# define SSLF_NO_NAME_REMAPPING (1<<3) |
|
471 | 472 |
unsigned int ssl_flags; |
472 | 473 |
|
473 | 474 |
#ifdef MANAGEMENT_DEF_AUTH |
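Review bot: The new SSLF_NO_NAME_REMAPPING bit is added without a comment, unlike the option it backs, and nothing in the header tells a reader which strings it affects or that it is a security-relevant relaxation. I would document it in place: `# define SSLF_NO_NAME_REMAPPING (1<<3) /* --no-name-remapping: pass CN, X509 subject and username to scripts with only CR/LF rewritten */`. The enclosing struct tls_options starts before and continues after this hunk.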