git.ipfire.org Git - thirdparty/openvpn.git/commit
Restrict --x509-alt-username extension types
author: Steffan Karger <steffan.karger@fox-it.com>
Mon, 19 Jun 2017 09:28:39 +0000 (11:28 +0200)
committer: Gert Doering <gert@greenie.muc.de>
Mon, 19 Jun 2017 18:39:57 +0000 (20:39 +0200)
commit: a6dbec1cb481d6f0237372a7dec059f1c572b7b7
tree: c36e6a76aa10fb30e315531a83a778dff646c2b1
parent: 84e1775961de1c9d2ab32159fc03f758591f5238
The code never supported all extension types.  Make this explicit by only
allowing subjectAltName and issuerAltName (for which the current code does
work).

Using unsupported extension fields would most likely cause OpenVPN to crash
as soon as a client connects.  This does not have a real-world security
impact, as such a configuration would not be possible to use in practice.

This bug was discovered, analysed and reported to the OpenVPN team by
Guido Vranken.

Note: small code changes to avoid "variable declaration in the middle
of a code block" when backporting changes to extract_x509_extension(),
as 2.3 cannot assume a C99 compiler.

Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Acked-by: Guido Vranken <guidovranken@gmail.com>
Message-Id: <1497864520-12219-5-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/search?l=mid&q=1497864520-12219-5-git-send-email-steffan.karger@fox-it.com
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit d2a19185fd78030ce4a1bba6c9f83e0dac9e15a6)
doc/openvpn.8
src/openvpn/options.c
src/openvpn/ssl_verify_backend.h
src/openvpn/ssl_verify_openssl.c
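The fix described in the commit message is a fail-closed check at option-parse time: only the two extension types the code can actually handle (subjectAltName and issuerAltName) are accepted, so an unsupported extension is rejected when the configuration is read instead of surfacing as a crash when a client connects. The following is an added, stand-alone illustration of that kind of validator; it is not the OpenVPN project's code, and the "ext:" prefix used to distinguish extension fields from plain subject-DN fields, the function name x509_username_field_ok, and the sample arguments are all assumptions for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* The only extension types the commit message says the code supports. */
static const char *const supported_extensions[] = {
    "subjectAltName",
    "issuerAltName",
};

/* Hypothetical validator for the --x509-alt-username argument.
 * Returns true when the value is acceptable:
 *   - a plain subject-DN field name (e.g. "CN", "emailAddress") is passed
 *     through, as it is resolved by a different code path;
 *   - a value with the assumed "ext:" prefix is accepted only if the
 *     extension name is in supported_extensions.
 * Anything else is rejected so the problem shows up at config-parse time.
 * Declarations are kept at the top of each block so the code also builds
 * with pre-C99 compilers, mirroring the backport note in the commit. */
bool x509_username_field_ok(const char *arg)
{
    static const char prefix[] = "ext:";
    const size_t prefix_len = sizeof(prefix) - 1;
    const size_t n_supported =
        sizeof(supported_extensions) / sizeof(supported_extensions[0]);
    const char *ext;
    size_t i;

    if (arg == NULL || *arg == '\0') {
        return false;
    }
    if (strncmp(arg, prefix, prefix_len) != 0) {
        return true; /* plain subject field, not an extension */
    }
    ext = arg + prefix_len;
    for (i = 0; i < n_supported; i++) {
        if (strcmp(ext, supported_extensions[i]) == 0) {
            return true;
        }
    }
    return false; /* unsupported extension type: reject at parse time */
}

int main(void)
{
    /* Constructed sample arguments for demonstration only. */
    const char *const samples[] = {
        "CN",
        "emailAddress",
        "ext:subjectAltName",
        "ext:issuerAltName",
        "ext:basicConstraints",
        "ext:",
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        printf("%-22s -> %s\n", samples[i],
               x509_username_field_ok(samples[i]) ? "accepted" : "rejected");
    }
    return 0;
}
```

The point of the check is that it runs once, when options are parsed, and rejects the configuration outright; the per-connection extraction code then only ever sees extension names it knows how to handle.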