From 644bcb87e76f0c56ec5b6cb205771a00fc28e598 Mon Sep 17 00:00:00 2001 From: Selva Nair Date: Fri, 22 Oct 2021 20:07:06 -0400 Subject: [PATCH] Ensure the current common_name is in the environment for scripts When username-as-common-name is in effect, the common_name is "CN" from the certificate for auth-user-pass-verify. It gets changed to "username" after successful authentication. This changed value gets into the env when client-connect script is called. However, "common_name" goes through the cycle of being "CN", then "username" during every reauth (renegotiation). As the client-connect script is not called during reneg, the changed value never gets back into the env. The end result is that the disconnect script gets "common_name=" instead of the username. Unless no reneg steps have happened before disconnect. (For a more detailed analysis see https://community.openvpn.net/openvpn/ticket/1434#comment:12) Fix by adding common_name to env whenever it changes. Trac: #1434 Very likely applies to #160 as well, but that's too old and some of the relevant code path has evolved since then. Same as commit fa5ab2438a in master, except for the context change due to PF. Signed-off-by: Selva Nair Acked-by: Gert Doering Message-Id: <20211023000706.25016-2-selva.nair@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23050.html Signed-off-by: Gert Doering (cherry picked from commit a2412bf4a6bb6ac7a6f26128d00fe81b0fa4a18e) --- src/openvpn/ssl_verify.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index ed14ccd65..293a39f02 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -152,6 +152,8 @@ set_common_name(struct tls_session *session, const char *common_name) } #endif } + /* update common name in env */ + setenv_str(session->opt->es, "common_name", common_name); } /* -- 2.47.3
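Review bot: the added `setenv_str(session->opt->es, "common_name", common_name);` at the end of `set_common_name()` sits after the closing brace of the preceding block, so it runs on every call with whatever `common_name` was passed in. If any caller passes NULL or an empty string to clear the name, please confirm that `setenv_str()` then clears the variable rather than leaving a stale value for the disconnect script, and state that behaviour in the comment. The comment `/* update common name in env */` could also carry the reason from the commit message: client-connect is not re-run on renegotiation, so this call is what puts the username-as-common-name value back into the environment after each reauth. Since the environment will now also hold the certificate CN for the window between the start of a reauth and successful authentication, a short note on that in the script documentation would help anyone whose scripts key accounting or access decisions on `common_name`.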