From fbd18db6485e3d08d8d933263cff96ee60eddb39 Mon Sep 17 00:00:00 2001 From: David Sommerseth Date: Wed, 15 Dec 2010 10:53:04 +0100 Subject: Make the --x509-username-field feature an opt-in feature After some discussion [1] regarding an extension of this feature, James Yonan wanted this extension to be an opt-in feature. However, as it does not make sense to opt-in on a extension of a feature which was discussed, this patch makes the base feature an opt-in instead. The base feature comes from commit 2e8337de248ef0b5b48cbb2964 (beta2.2) and commit 935c62be9c0c8a256112 (feat_misc). [1] http://thread.gmane.org/gmane.network.openvpn.devel/4266 Signed-off-by: David Sommerseth Acked-by: James Yonan (cherry picked from commit 024972e2ced84c6e5cabc43620ab510e5693d1d4) --- configure.ac | 11 +++++++++++ options.c | 6 ++++++ options.h | 2 ++ ssl.c | 4 ++++ 4 files changed, 23 insertions(+) diff --git a/configure.ac b/configure.ac index 1d55263..e30f990 100644 --- a/configure.ac +++ b/configure.ac @@ -80,6 +80,12 @@ AC_ARG_ENABLE(ssl, [SSL="yes"] ) +AC_ARG_ENABLE(x509-alt-username, + [ --enable-x509-alt-username Enable the --x509-username-field feature], + [X509ALTUSERNAME="$enableval"], + [X509ALTUSERNAME="no"] +) + AC_ARG_ENABLE(multi, [ --disable-multi Disable client/server support (--mode server + client mode)], [MULTI="$enableval"], @@ -751,6 +757,11 @@ dnl fi fi +dnl enable --x509-username-field feature if requested +if test "$X509ALTUSERNAME" = "yes"; then + AC_DEFINE(ENABLE_X509ALTUSERNAME, 1, [Enable --x509-username-field feature]) +fi + dnl enable pkcs11 capability if test "$PKCS11" = "yes"; then AC_CHECKING([for pkcs11-helper Library and Header files]) diff --git a/options.c b/options.c index 524c781..f4eeaee 100644 --- a/options.c +++ b/options.c 
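Review bot: The new `AC_DEFINE(ENABLE_X509ALTUSERNAME, 1, ...)` in the second configure.ac hunk fires whenever `--enable-x509-alt-username` is given, yet every consumer of that macro in this patch sits inside the `USE_CRYPTO`/`USE_SSL` regions of options.c and ssl.c (see the `#endif /* USE_SSL */` and `#endif /* USE_CRYPTO */` context lines there), so a tree configured with `--enable-x509-alt-username --disable-ssl` quietly builds without the feature the administrator explicitly opted into. For an opt-in switch that is a bad failure mode; reject or at least warn on the contradiction right before the define, e.g. `if test "$X509ALTUSERNAME" = "yes" -a "$SSL" != "yes"; then AC_MSG_ERROR([--enable-x509-alt-username requires SSL support]); fi`. `$SSL` is the variable set by the `AC_ARG_ENABLE(ssl, ...)` block visible in the first hunk; if a later check rewrites it, test whatever variable actually gates the `USE_SSL` define instead.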
@@ -506,8 +506,10 @@ static const char usage_message[] =
 "--key file : Local private key in .pem format.\n"
 "--pkcs12 file : PKCS#12 file containing local private key, local certificate\n"
 " and optionally the root CA certificate.\n"
+#ifdef ENABLE_X509ALTUSERNAME
 "--x509-username-field : Field used in x509 certificat to be username.\n"
 " Default is CN.\n"
+#endif
 #ifdef WIN32
 "--cryptoapicert select-string : Load the certificate and private key from the\n"
 " Windows Certificate System Store.\n"
@@ -761,9 +763,11 @@ init_options (struct options *o, const bool init_gc)
 o->renegotiate_seconds = 3600;
 o->handshake_window = 60;
 o->transition_window = 3600;
+#ifdef ENABLE_X509ALTUSERNAME
 o->x509_username_field = X509_USERNAME_FIELD_DEFAULT;
 #endif
 #endif
+#endif
 #ifdef ENABLE_PKCS11
 o->pkcs11_pin_cache_period = -1;
 #endif /* ENABLE_PKCS11 */
@@ -5898,6 +5902,7 @@ add_option (struct options *options,
 }
 options->key_method = key_method;
 }
+#ifdef ENABLE_X509ALTUSERNAME
 else if (streq (p[0], "x509-username-field") && p[1])
 {
 char *s = p[1];
@@ -5905,6 +5910,7 @@ add_option (struct options *options,
 while ((*s = toupper(*s)) != '\0') s++; /* Uppercase if necessary */
 options->x509_username_field = p[1];
 }
+#endif /* ENABLE_X509ALTUSERNAME */
 #endif /* USE_SSL */
 #endif /* USE_CRYPTO */
 #ifdef ENABLE_PKCS11
diff --git a/options.h b/options.h
index 7a61e3d..7f4c0cd 100644
--- a/options.h
+++ b/options.h
@@ -508,8 +508,10 @@ struct options
 within n seconds of handshake initiation. */
 int handshake_window;
+#ifdef ENABLE_X509ALTUSERNAME
 /* Field used to be the username in X509 cert. */
 char *x509_username_field;
+#endif
 /* Old key allowed to live n seconds after new key goes active */
 int transition_window;
diff --git a/ssl.c b/ssl.c
index 2fa091a..da6f7d7 100644
--- a/ssl.c
+++ b/ssl.c
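Review bot: In the `init_options` hunk the added `#endif` is appended after the two pre-existing `#endif`s rather than directly after the assignment it guards, so a reader now sees `#ifdef ENABLE_X509ALTUSERNAME` closed by an unlabeled `#endif` that used to belong to `USE_SSL`, and the nesting is only correct because `#endif`s are interchangeable. The `add_option` hunk in the same file gets this right with `#endif /* ENABLE_X509ALTUSERNAME */`; do the same here by placing `#endif /* ENABLE_X509ALTUSERNAME */` immediately after `o->x509_username_field = X509_USERNAME_FIELD_DEFAULT;` and leaving the original `#endif` pair untouched, ideally labeled `/* USE_SSL */` and `/* USE_CRYPTO */` to match. The body of init_options continues outside the hunk.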
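Review bot: The line `while ((*s = toupper(*s)) != '\0') s++;` that the second `add_option` hunk now compiles conditionally passes a plain `char` to `toupper()`; where `char` is signed, any byte above 0x7F in the `--x509-username-field` value becomes a negative argument, which is undefined behavior for the `<ctype.h>` functions (CERT STR37-C), and this value comes straight from the configuration file. The cast is cheap insurance: `while ((*s = toupper ((unsigned char) *s)) != '\0') s++;`. This predates the commit, but since the patch wraps exactly this block it is the natural place to fix it. The add_option function starts and ends outside the hunk.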
@@ -1874,7 +1874,11 @@ init_ssl (const struct options *options)
 }
 else
 #endif
+#ifdef ENABLE_X509ALTUSERNAME
 x509_username_field = (char *) options->x509_username_field;
+#else
+ x509_username_field = X509_USERNAME_FIELD_DEFAULT;
+#endif
 SSL_CTX_set_verify (ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
 verify_callback);
-- cgit
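Review bot: The braceless `else` just above `#endif` now takes its single body statement from whichever side of the new `#ifdef ENABLE_X509ALTUSERNAME`/`#else` survives preprocessing, which is correct only as long as each branch stays exactly one statement; a second line added to either branch later would fall outside the `else` with no compiler diagnostic, and the `else` itself belongs to a block that begins before the hunk. Make the binding explicit by opening a `{` after the `else` (before `#ifdef ENABLE_X509ALTUSERNAME`) and closing it with `}` after the `#endif`, so both preprocessor branches live inside one braced body. Separately, the context line `x509_username_field = (char *) options->x509_username_field;` casts away `const` from a `const struct options *`; if the global exists only to be read during verification, declaring it `const char *` would remove the cast and the temptation to mutate what may be a string literal such as the default. init_ssl continues past the hunk.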