authorSteffan Karger <steffan@karger.me>2015-03-05 22:37:31 +0100
committerGert Doering <gert@greenie.muc.de>2015-03-06 19:40:39 +0100
commitd7d61b4c2d1f1dd47e779ca38b936f9b99042c82 (patch)
tree78163790e82ed4aebcca6293528dc21d735f80be /src
parent089d63b2d7ffa98bd40ed1d7eb0e625d37b63c1c (diff)
Allow for CN/username of 64 characters (fixes off-by-one)
This is an alternative patch to fix the issue reported in trac #515 by Jorge Peixoto. Instead of increasing the TLS_USERNAME_LEN define, do +1 at the relevant places in the code. Also see Jorge's original patch and the discussion on the mailing list: http://thread.gmane.org/gmane.network.openvpn.devel/9438 Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <54F8CC9B.9040104@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/9508 Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit ecd934b1ef83eec58eb2df5d3a98309ca56d5812) Conflicts: src/openvpn/ssl_verify.c
Diffstat (limited to 'src')
-rw-r--r--src/openvpn/ssl_verify.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index c90c2c3..9693b81 100644
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@@ -596,7 +596,7 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep
{
result_t ret = FAILURE;
char *subject = NULL;
- char common_name[TLS_USERNAME_LEN] = {0};
+ char common_name[TLS_USERNAME_LEN+1] = {0}; /* null-terminated */
const struct tls_options *opt;
struct gc_arena gc = gc_new();
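Review bot: The `/* null-terminated */` comment on the new `common_name` array does not say why the extra byte is there, and the extra byte is the whole fix. Make it explicit so nobody "tidies" it back, e.g. `char common_name[TLS_USERNAME_LEN+1] = {0}; /* TLS_USERNAME_LEN chars + NUL: a CN of the full permitted length must fit */`. verify_cert starts and continues outside this hunk.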
@@ -619,7 +619,7 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep
string_replace_leading (subject, '-', '_');
/* extract the username (default is CN) */
- if (SUCCESS != x509_get_username (common_name, TLS_USERNAME_LEN,
+ if (SUCCESS != x509_get_username (common_name, sizeof(common_name),
opt->x509_username_field, cert))
{
if (!cert_depth)
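Review bot: Passing `sizeof(common_name)` to x509_get_username only closes the off-by-one if the helper treats that argument as the total buffer size including the terminator; if it means "maximum characters to copy", the same bug just moves into the backend. That contract is not visible in this diff and has to hold for every backend implementation of x509_get_username (the commit message records a cherry-pick conflict in this file, so the branches may differ here). A one-line comment at the call would pin the assumption, e.g. `/* sizeof(): x509_get_username takes the full buffer size, NUL included */`, alongside a check of the backend(s). verify_cert starts and ends outside this hunk.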
@@ -1165,7 +1165,7 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi,
s2 = verify_user_pass_script (session, up);
/* check sizing of username if it will become our common name */
- if ((session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) && strlen (up->username) >= TLS_USERNAME_LEN)
+ if ((session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) && strlen (up->username) > TLS_USERNAME_LEN)
{
msg (D_TLS_ERRORS, "TLS Auth Error: --username-as-common name specified and username is longer than the maximum permitted Common Name length of %d characters", TLS_USERNAME_LEN);
s1 = OPENVPN_PLUGIN_FUNC_ERROR;
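Review bot: The relaxed check `strlen (up->username) > TLS_USERNAME_LEN` now admits a username of exactly TLS_USERNAME_LEN characters, which is only safe if the code that later installs that username as the common name (not in this hunk) writes into a destination of at least TLS_USERNAME_LEN+1 bytes, as verify_cert's buffer now is; if that path still sizes by TLS_USERNAME_LEN the extra character becomes a truncated or unterminated CN. Suggest `/* == TLS_USERNAME_LEN is allowed: the CN buffer is TLS_USERNAME_LEN+1 (see verify_cert) */` on the check once the copy path has been confirmed. Note also that the check sits after the `verify_user_pass_script` call at the top of the hunk, so the script already receives the overlong name before it is rejected — presumably intended, but worth a comment. verify_user_pass continues outside this hunk.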