diff options
author | Andris Kalnozols <andris@hpl.hp.com> | 2014-06-28 19:41:02 +0200 |
---|---|---|
committer | Gert Doering <gert@greenie.muc.de> | 2014-07-10 21:02:55 +0200 |
commit | a2da658ba6aa34043d87226c3f971474942e0bed (patch) | |
tree | 1d87b547c6a81734466fb36ba99501e861884446 /src/openvpn/options.c | |
parent | 75c3a82e8085233306107495d6b1e0b1ab19eccf (diff) | |
download | openvpn-a2da658ba6aa34043d87226c3f971474942e0bed.tar.gz openvpn-a2da658ba6aa34043d87226c3f971474942e0bed.tar.xz openvpn-a2da658ba6aa34043d87226c3f971474942e0bed.zip |
Do not upcase x509-username-field for mixed-case arguments.
I revisited options.c to refine its brute-force upcasing behavior. Now, the
upcasing is done only if the option argument is all lowercase. Mixed-case
arguments and those with the "ext:" prefix are left unchanged. This
preserves the original intent of the "helpful" upcasing feature for
backwards compatibility while limiting its scope in a straightforward way.
Signed-off-by: Andris Kalnozols <andris@hpl.hp.com>
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <53B1BDD8.8020705@karger.me>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit f4e0ad82b0eaccce965074c1ceec2b7e3853dc0d)
Diffstat (limited to 'src/openvpn/options.c')
-rw-r--r-- | src/openvpn/options.c | 26 |
1 files changed, 22 insertions, 4 deletions
diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 035d3aa..fa53a17 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -577,8 +577,8 @@ static const char usage_message[] = " and optionally the root CA certificate.\n" #endif #ifdef ENABLE_X509ALTUSERNAME - "--x509-username-field : Field used in x509 certificate to be username.\n" - " Default is CN.\n" + "--x509-username-field : Field in x509 certificate containing the username.\n" + " Default is CN in the Subject field.\n" #endif "--verify-hash : Specify SHA1 fingerprint for level-1 cert.\n" #ifdef WIN32 @@ -6875,10 +6875,28 @@ add_option (struct options *options, #ifdef ENABLE_X509ALTUSERNAME else if (streq (p[0], "x509-username-field") && p[1]) { + /* This option used to automatically upcase the fieldname passed as the + * option argument, e.g., "ou" became "OU". Now, this "helpfulness" is + * fine-tuned by only upcasing Subject field attribute names which consist + * of all lower-case characters. Mixed-case attributes such as + * "emailAddress" are left as-is. An option parameter having the "ext:" + * prefix for matching X.509v3 extended fields will also remain unchanged. + */ char *s = p[1]; + VERIFY_PERMISSION (OPT_P_GENERAL); - if( strncmp ("ext:",s,4) != 0 ) - while ((*s = toupper(*s)) != '\0') s++; /* Uppercase if necessary */ + if (strncmp("ext:", s, 4) != 0) + { + size_t i = 0; + while (s[i] && !isupper(s[i])) i++; + if (strlen(s) == i) + { + while ((*s = toupper(*s)) != '\0') s++; + msg(M_WARN, "DEPRECATED FEATURE: automatically upcased the " + "--x509-username-field parameter to '%s'; please update your" + "configuration", p[1]); + } + } options->x509_username_field = p[1]; } #endif /* ENABLE_X509ALTUSERNAME */ |