diff options
author | Steffan Karger | 2018-10-24 12:12:05 +0200 |
---|---|---|
committer | Gert Doering | 2018-11-26 19:49:42 +0100 |
commit | c3f565f0590b152c6ea18be230509be8f3c832f0 (patch) | |
tree | ea076f7b73b673f55e04c53a4c6d0c7f279ef9b9 /src/openvpn/ssl_verify.c | |
parent | 19d6d9c3533b83f934ea93359bca086a5d06011a (diff) | |
download | openvpn-c3f565f0590b152c6ea18be230509be8f3c832f0.zip openvpn-c3f565f0590b152c6ea18be230509be8f3c832f0.tar.gz |
Remove deprecated --compat-x509-names and --no-name-remapping
As promised, remove these options for OpenVPN 2.5.
If a user still uses these, print an error that the user should update it's
configuration. Just printing a warning would cause much more confusing
errors, somewhere in middle of a failed connection attempt because the
(non-compat) names no longer match the expected names.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1540375925-6111-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17804.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'src/openvpn/ssl_verify.c')
-rw-r--r-- | src/openvpn/ssl_verify.c | 67 |
1 files changed, 14 insertions, 53 deletions
diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index 6187225..03c0b66 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -48,24 +48,10 @@ /** Maximum length of common name */ #define TLS_USERNAME_LEN 64 -/** Legal characters in an X509 name with --compat-names */ -#define X509_NAME_CHAR_CLASS (CC_ALNUM|CC_UNDERBAR|CC_DASH|CC_DOT|CC_AT|CC_SLASH|CC_COLON|CC_EQUAL) - -/** Legal characters in a common name with --compat-names */ -#define COMMON_NAME_CHAR_CLASS (CC_ALNUM|CC_UNDERBAR|CC_DASH|CC_DOT|CC_AT|CC_SLASH) - static void -string_mod_remap_name(char *str, const unsigned int restrictive_flags) +string_mod_remap_name(char *str) { - if (compat_flag(COMPAT_FLAG_QUERY | COMPAT_NAMES) - && !compat_flag(COMPAT_FLAG_QUERY | COMPAT_NO_NAME_REMAPPING)) - { - string_mod(str, restrictive_flags, 0, '_'); - } - else - { - string_mod(str, CC_PRINT, CC_CRLF, '_'); - } + string_mod(str, CC_PRINT, CC_CRLF, '_'); } /* @@ -690,7 +676,7 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep } /* enforce character class restrictions in X509 name */ - string_mod_remap_name(subject, X509_NAME_CHAR_CLASS); + string_mod_remap_name(subject); string_replace_leading(subject, '-', '_'); /* extract the username (default is CN) */ @@ -710,7 +696,7 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep } /* enforce character class restrictions in common name */ - string_mod_remap_name(common_name, COMMON_NAME_CHAR_CLASS); + string_mod_remap_name(common_name); /* warn if cert chain is too deep */ if (cert_depth >= MAX_CERT_DEPTH) @@ -1168,7 +1154,7 @@ done: * Verify the username and password using a plugin */ static int -verify_user_pass_plugin(struct tls_session *session, const struct user_pass *up, const char *raw_username) +verify_user_pass_plugin(struct tls_session *session, const struct user_pass *up) { int retval = OPENVPN_PLUGIN_FUNC_ERROR; #ifdef PLUGIN_DEF_AUTH @@ -1179,7 +1165,7 @@ verify_user_pass_plugin(struct tls_session *session, const struct user_pass *up, if ((session->opt->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) || strlen(up->username)) { /* set username/password in private env space */ - setenv_str(session->opt->es, "username", (raw_username ? raw_username : up->username)); + setenv_str(session->opt->es, "username", up->username); setenv_str(session->opt->es, "password", up->password); /* setenv incoming cert common name for script */ @@ -1210,10 +1196,6 @@ verify_user_pass_plugin(struct tls_session *session, const struct user_pass *up, #endif setenv_del(session->opt->es, "password"); - if (raw_username) - { - setenv_str(session->opt->es, "username", up->username); - } } else { @@ -1235,7 +1217,7 @@ cleanup: #define KMDA_DEF 3 static int -verify_user_pass_management(struct tls_session *session, const struct user_pass *up, const char *raw_username) +verify_user_pass_management(struct tls_session *session, const struct user_pass *up) { int retval = KMDA_ERROR; struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */ @@ -1244,7 +1226,7 @@ verify_user_pass_management(struct tls_session *session, const struct user_pass if ((session->opt->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) || strlen(up->username)) { /* set username/password in private env space */ - setenv_str(session->opt->es, "username", (raw_username ? raw_username : up->username)); + setenv_str(session->opt->es, "username", up->username); setenv_str(session->opt->es, "password", up->password); /* setenv incoming cert common name for script */ @@ -1259,10 +1241,6 @@ verify_user_pass_management(struct tls_session *session, const struct user_pass } setenv_del(session->opt->es, "password"); - if (raw_username) - { - setenv_str(session->opt->es, "username", up->username); - } retval = KMDA_SUCCESS; } @@ -1286,9 +1264,6 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, bool s2 = true; struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */ - struct gc_arena gc = gc_new(); - char *raw_username = NULL; - #ifdef MANAGEMENT_DEF_AUTH int man_def_auth = KMDA_UNDEF; @@ -1298,19 +1273,8 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, } #endif - /* - * Preserve the raw username before string_mod remapping, for plugins - * and management clients when in --compat-names mode - */ - if (compat_flag(COMPAT_FLAG_QUERY | COMPAT_NAMES)) - { - ALLOC_ARRAY_CLEAR_GC(raw_username, char, USER_PASS_LEN, &gc); - strcpy(raw_username, up->username); - string_mod(raw_username, CC_PRINT, CC_CRLF, '_'); - } - /* enforce character class restrictions in username/password */ - string_mod_remap_name(up->username, COMMON_NAME_CHAR_CLASS); + string_mod_remap_name(up->username); string_mod(up->password, CC_PRINT, CC_CRLF, '_'); /* If server is configured with --auth-gen-token and we have an @@ -1328,7 +1292,7 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, { /* auth-token cleared in tls_lock_username() on failure */ ks->authenticated = false; - goto done; + return; } /* If auth-token lifetime has been enabled, @@ -1340,7 +1304,7 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, msg(D_HANDSHAKE, "Auth-token for client expired\n"); wipe_auth_token(multi); ks->authenticated = false; - goto done; + return; } /* The core authentication of the token itself */ @@ -1367,19 +1331,19 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, up->username, (ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) ? "[CN SET]" : ""); } - goto done; + return; } /* call plugin(s) and/or script */ #ifdef MANAGEMENT_DEF_AUTH if (man_def_auth == KMDA_DEF) { - man_def_auth = verify_user_pass_management(session, up, raw_username); + man_def_auth = verify_user_pass_management(session, up); } #endif if (plugin_defined(session->opt->plugins, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY)) { - s1 = verify_user_pass_plugin(session, up, raw_username); + s1 = verify_user_pass_plugin(session, up); } if (session->opt->auth_user_pass_verify_script) { @@ -1462,9 +1426,6 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, { msg(D_TLS_ERRORS, "TLS Auth Error: Auth Username/Password verification failed for peer"); } - -done: - gc_free(&gc); } void |