
Added --no-name-remapping option to allow Common Name, X509 Subject, and username strings to include any printable character including space, but excluding control characters such as tab, newline, and carriage-return.

git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3467 e7ae566f-a301-0410-adde-c780ea21d3b5

james authored on 2008/10/31 16:04:51
Showing 4 changed files
... ...
@@ -203,6 +203,7 @@ openvpn \- secure IP tunnel daemon.
203 203
 [\ \fB\-\-mute\fR\ \fIn\fR\ ]
204 204
 [\ \fB\-\-nice\fR\ \fIn\fR\ ]
205 205
 [\ \fB\-\-no\-iv\fR\ ]
206
+[\ \fB\-\-no\-name\-remapping\fR\ ]
206 207
 [\ \fB\-\-no\-replay\fR\ ]
207 208
 [\ \fB\-\-bind\fR\ ]
208 209
 [\ \fB\-\-nobind\fR\ ]
... ...
@@ -3297,6 +3298,27 @@ the authenticated username as the common name,
3297 3297
 rather than the common name from the client cert.
3298 3298
 .\"*********************************************************
3299 3299
 .TP
3300
+.B --no-name-remapping
3301
+Allow Common Name, X509 Subject, and username strings to include
3302
+any printable character including space, but excluding control
3303
+characters such as tab, newline, and carriage-return.
3304
+
3305
+By default, OpenVPN will remap
3306
+any character other than alphanumeric, underbar ('_'), dash
3307
+('-'), dot ('.'), and slash ('/') to underbar ('_').  The X509
3308
+Subject string as returned by the
3309
+.B tls_id
3310
+environmental variable, can additionally contain colon (':') or
3311
+equal ('=').
3312
+
3313
+While name remapping is performed for security reasons to reduce
3314
+the possibility of introducing string expansion security vulnerabilities
3315
+in user-defined authentication
3316
+scripts, this option is provided for those cases where it is desirable to
3317
+disable the remapping feature.  Don't use this option unless you 
3318
+know what you are doing!
3319
+.\"*********************************************************
3320
+.TP
3300 3321
 .B --port-share host port
3301 3322
 When run in TCP server mode, share the OpenVPN port with
3302 3323
 another application, such as an HTTPS server.  If OpenVPN
... ...
@@ -383,6 +383,8 @@ static const char usage_message[] =
383 383
   "                  user/pass via temporary file.\n"
384 384
   "--auth-user-pass-optional : Allow connections by clients that don't\n"
385 385
   "                  specify a username/password.\n"
386
+  "--no-name-remapping : Allow Common Name and X509 Subject to include\n"
387
+  "                      any printable character.\n"
386 388
   "--client-to-client : Internally route client-to-client traffic.\n"
387 389
   "--duplicate-cn  : Allow multiple clients with the same common name to\n"
388 390
   "                  concurrently connect.\n"
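Review bot: The two added usage lines name only Common Name and X509 Subject, but the same commit also routes `up->username` through string_mod_sslname in key_method_2_read, so the help text understates the option's reach compared with the man page entry added alongside it. Suggest `"--no-name-remapping : Allow Common Name, X509 Subject, and username to include\n"` followed by `"                      any printable character.\n"`. The usage_message array starts and ends outside the hunk.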
... ...
@@ -4576,6 +4578,11 @@ add_option (struct options *options,
4576 4576
       VERIFY_PERMISSION (OPT_P_GENERAL);
4577 4577
       options->ssl_flags |= SSLF_AUTH_USER_PASS_OPTIONAL;
4578 4578
     }
4579
+  else if (streq (p[0], "no-name-remapping"))
4580
+    {
4581
+      VERIFY_PERMISSION (OPT_P_GENERAL);
4582
+      options->ssl_flags |= SSLF_NO_NAME_REMAPPING;
4583
+    }
4579 4584
   else if (streq (p[0], "auth-user-pass-verify") && p[1])
4580 4585
     {
4581 4586
       VERIFY_PERMISSION (OPT_P_SCRIPT);
... ...
@@ -580,6 +580,15 @@ print_nsCertType (int type)
580 580
     }
581 581
 }
582 582
 
583
+static void
584
+string_mod_sslname (char *str, const unsigned int restrictive_flags, const unsigned int ssl_flags)
585
+{
586
+  if (ssl_flags & SSLF_NO_NAME_REMAPPING)
587
+    string_mod (str, CC_PRINT, CC_CRLF, '_');
588
+  else
589
+    string_mod (str, restrictive_flags, 0, '_');
590
+}
591
+
583 592
 /*
584 593
  * Our verify callback function -- check
585 594
  * that an incoming peer certificate is good.
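Review bot: The new string_mod_sslname has no comment stating which character set each branch accepts, which matters because its callers rely on it to sanitize values that the man page text in this commit says are later consumed by user-defined scripts. Suggest a header comment above the definition such as `/* Sanitize an SSL-derived name in place. With SSLF_NO_NAME_REMAPPING set, keep every printable character except CR/LF; otherwise keep only the classes in restrictive_flags. Anything else is replaced by '_'. */`. Whether CC_PRINT also rejects tab, as the man page entry promises, is not visible in this hunk and is worth confirming against the CC_PRINT definition. The `const` on the two by-value parameters is a definition-only detail and can be dropped from the signature.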
... ...
@@ -619,7 +628,7 @@ verify_callback (int preverify_ok, X509_STORE_CTX * ctx)
619 619
   setenv_x509 (opt->es, ctx->error_depth, X509_get_subject_name (ctx->current_cert));
620 620
 
621 621
   /* enforce character class restrictions in X509 name */
622
-  string_mod (subject, X509_NAME_CHAR_CLASS, 0, '_');
622
+  string_mod_sslname (subject, X509_NAME_CHAR_CLASS, opt->ssl_flags);
623 623
   string_replace_leading (subject, '-', '_');
624 624
 
625 625
   /* extract the common name */
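Review bot: With SSLF_NO_NAME_REMAPPING set, `subject` now passes through string_replace_leading and on to later consumers containing spaces and other shell-significant printable characters, and the same applies to common_name in the next hunk and to up->username in key_method_2_read; the comment `/* enforce character class restrictions in X509 name */` above this line now overstates what is enforced. Suggest extending it to `/* enforce character class restrictions in X509 name (only CR/LF are excluded when --no-name-remapping is set) */`, with a matching comment at the common_name call. If common_name is also used elsewhere to derive file names (for example client-config-dir lookups), that path must do its own sanitization, since this call no longer guarantees a filename-safe value — worth confirming. verify_callback starts and ends outside the hunk.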
... ...
@@ -634,7 +643,7 @@ verify_callback (int preverify_ok, X509_STORE_CTX * ctx)
634 634
 	}
635 635
     }
636 636
 
637
-  string_mod (common_name, COMMON_NAME_CHAR_CLASS, 0, '_');
637
+  string_mod_sslname (common_name, COMMON_NAME_CHAR_CLASS, opt->ssl_flags);
638 638
 
639 639
 #if 0 /* print some debugging info */
640 640
   msg (D_LOW, "LOCAL OPT: %s", opt->local_options);
... ...
@@ -3350,7 +3359,7 @@ key_method_2_read (struct buffer *buf, struct tls_multi *multi, struct tls_sessi
3350 3350
       string_mod (raw_username, CC_PRINT, CC_CRLF, '_');
3351 3351
 
3352 3352
       /* enforce character class restrictions in username/password */
3353
-      string_mod (up->username, COMMON_NAME_CHAR_CLASS, 0, '_');
3353
+      string_mod_sslname (up->username, COMMON_NAME_CHAR_CLASS, session->opt->ssl_flags);
3354 3354
       string_mod (up->password, CC_PRINT, CC_CRLF, '_');
3355 3355
 
3356 3356
       /* call plugin(s) and/or script */
... ...
@@ -468,6 +468,7 @@ struct tls_options
468 468
 # define SSLF_CLIENT_CERT_NOT_REQUIRED (1<<0)
469 469
 # define SSLF_USERNAME_AS_COMMON_NAME  (1<<1)
470 470
 # define SSLF_AUTH_USER_PASS_OPTIONAL  (1<<2)
471
+# define SSLF_NO_NAME_REMAPPING        (1<<3)
471 472
   unsigned int ssl_flags;
472 473
 
473 474
 #ifdef MANAGEMENT_DEF_AUTH