Currently override-username is artificially restricted to the length of
TLS common-name (64) for the corner case of using username-as-common-name,
which we explicitly do not recommend to use.
Do away with that limitation and only error out on longer usernames when
username-as-common-name is actually in effect.
Change-Id: I1c2c050dd160746a0f8d9c234abe1e258bc8e48d
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <
20250402134546.3504-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31323.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
if (!multi->locked_original_username
&& strcmp(multi->locked_username, options->override_username) != 0)
{
+ /* Check if the username length is acceptable */
+ if (!ssl_verify_username_length(session, options->override_username))
+ {
+ return false;
+ }
+
multi->locked_original_username = multi->locked_username;
multi->locked_username = strdup(options->override_username);
else if (streq(p[0], "override-username") && p[1] && !p[2])
{
VERIFY_PERMISSION(OPT_P_INSTANCE);
- if (strlen(p[1]) > TLS_USERNAME_LEN)
+ if (strlen(p[1]) > USER_PASS_LEN)
{
msg(msglevel, "override-username exceeds the maximum length of %d "
- "characters", TLS_USERNAME_LEN);
+ "characters", USER_PASS_LEN);
/* disable the connection since ignoring the request to
* set another username might cause serious problems */
}
}
+bool
+ssl_verify_username_length(struct tls_session *session, const char *username)
+{
+ if ((session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME)
+ && strlen(username) > TLS_USERNAME_LEN)
+ {
+ msg(D_TLS_ERRORS,
+ "TLS Auth Error: --username-as-common name specified and "
+ "username is longer than the maximum permitted Common Name "
+ "length of %d characters", TLS_USERNAME_LEN);
+ return false;
+ }
+ else
+ {
+ return true;
+ }
+}
+
/**
* Main username/password verification entry point
*
}
/* check sizing of username if it will become our common name */
- if ((session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME)
- && strlen(up->username)>TLS_USERNAME_LEN)
+ if (!ssl_verify_username_length(session, up->username))
{
- msg(D_TLS_ERRORS,
- "TLS Auth Error: --username-as-common name specified and username is longer than the maximum permitted Common Name length of %d characters",
- TLS_USERNAME_LEN);
plugin_status = OPENVPN_PLUGIN_FUNC_ERROR;
script_status = OPENVPN_PLUGIN_FUNC_ERROR;
}
+
/* auth succeeded? */
bool plugin_ok = plugin_status == OPENVPN_PLUGIN_FUNC_SUCCESS
|| plugin_status == OPENVPN_PLUGIN_FUNC_DEFERRED;
struct tls_session *session);
+/**
+ * Checks if the username length is valid to use. This checks when
+ * username-as-common-name is active if the username is shorter than
+ * the maximum TLS common name length (64).
+ *
+ * It will also display an error message if the name is too long
+ *
+ * @param session current TLS session
+ * @param username username to check
+ * @return true if name is under limit or username-as-common-name
+ * is not active
+ */
+bool ssl_verify_username_length(struct tls_session *session,
+ const char *username);
/**
* Runs the --client-crresponse script if one is defined.
projects / thirdparty / openvpn.git / commitdiff
