git.ipfire.org Git - thirdparty/openvpn.git/commit
Ensure the current common_name is in the environment for scripts
author Selva Nair <selva.nair@gmail.com>
Sat, 23 Oct 2021 00:07:06 +0000 (20:07 -0400)
committer Gert Doering <gert@greenie.muc.de>
Sat, 23 Oct 2021 15:47:48 +0000 (17:47 +0200)
commit 644bcb87e76f0c56ec5b6cb205771a00fc28e598
tree d6488c0bd8ec3ad5b564ac5ca4383871f05370fa
parent f2f64e058b819d07da9125824717e4bc4d8f9a9d

When username-as-common-name is in effect, the common_name
is "CN" from the certificate for auth-user-pass-verify. It gets
changed to "username" after successful authentication. This
changed value gets into the env when client-connect script is
called.

However, "common_name" goes through the cycle of being
"CN", then "username" during every reauth (renegotiation).
As the client-connect script is not called during reneg, the changed
value never gets back into the env. The end result is that the
disconnect script gets "common_name=<CN>" instead of the username.
Unless no reneg steps have happened before disconnect.
(For a more detailed analysis see
https://community.openvpn.net/openvpn/ticket/1434#comment:12)

Fix by adding common_name to env whenever it changes.

Trac: #1434
Very likely applies to #160 as well, but that's too old and
some of the relevant code path has evolved since then.

Same as commit fa5ab2438a in master, except for the context change
due to PF.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211023000706.25016-2-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23050.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit a2412bf4a6bb6ac7a6f26128d00fe81b0fa4a18e)
src/openvpn/ssl_verify.c