Allow for CN/username of 64 characters (fixes off-by-one)
authorSteffan Karger <steffan@karger.me>
Thu, 5 Mar 2015 21:37:31 +0000 (22:37 +0100)
committerGert Doering <gert@greenie.muc.de>
Fri, 6 Mar 2015 18:40:39 +0000 (19:40 +0100)
This is an alternative patch to fix the issue reported in trac #515 by
Jorge Peixoto. Instead of increasing the TLS_USERNAME_LEN define, do +1 at
the relevant places in the code.

Also see Jorge's original patch and the discussion on the mailing list:
http://thread.gmane.org/gmane.network.openvpn.devel/9438

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <54F8CC9B.9040104@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9508
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit ecd934b1ef83eec58eb2df5d3a98309ca56d5812)

Conflicts:
src/openvpn/ssl_verify.c

src/openvpn/ssl_verify.c

index c90c2c38730c1adde98fa4557596ff24391481d1..9693b816b3c5e3b0ecd4e9a476f551f8de732774 100644 (file)
@@ -596,7 +596,7 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep
 {
   result_t ret = FAILURE;
   char *subject = NULL;
-  char common_name[TLS_USERNAME_LEN] = {0};
+  char common_name[TLS_USERNAME_LEN+1] = {0}; /* null-terminated */
   const struct tls_options *opt;
   struct gc_arena gc = gc_new();
 
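Review bot: The `/* null-terminated */` comment on the new declaration does not say why the array is one byte larger than TLS_USERNAME_LEN, which is the whole point of the fix; a reader who does not know that the define counts characters without the terminator will see the +1 as arbitrary and may "simplify" it away again. Suggested: `char common_name[TLS_USERNAME_LEN+1] = {0}; /* TLS_USERNAME_LEN chars + terminating NUL */`. Whether TLS_USERNAME_LEN is documented as excluding the terminator where it is defined is not visible in this diff; if it is not, that definition is the other place to say so. verify_cert continues past this hunk.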
@@ -619,7 +619,7 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep
   string_replace_leading (subject, '-', '_');
 
   /* extract the username (default is CN) */
-  if (SUCCESS != x509_get_username (common_name, TLS_USERNAME_LEN,
+  if (SUCCESS != x509_get_username (common_name, sizeof(common_name),
       opt->x509_username_field, cert))
     {
       if (!cert_depth)
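Review bot: Passing `sizeof(common_name)` (now TLS_USERNAME_LEN+1) only removes the off-by-one if x509_get_username treats its length argument as the total buffer size, terminator included, and NUL-terminates on truncation; the callee is not part of this diff and is presumably implemented separately per TLS backend, so each implementation needs to be checked for that convention, otherwise the extra byte is handed to a routine that may write the terminator one past the end. A one-line comment at the call site would pin the contract for future readers: `/* sizeof() includes the NUL; x509_get_username() takes the total buffer size */`. The body of verify_cert, including what is done with common_name afterwards, continues outside this hunk.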
@@ -1165,7 +1165,7 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi,
     s2 = verify_user_pass_script (session, up);
 
   /* check sizing of username if it will become our common name */
-  if ((session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) && strlen (up->username) >= TLS_USERNAME_LEN)
+  if ((session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) && strlen (up->username) > TLS_USERNAME_LEN)
     {
       msg (D_TLS_ERRORS, "TLS Auth Error: --username-as-common name specified and username is longer than the maximum permitted Common Name length of %d characters", TLS_USERNAME_LEN);
       s1 = OPENVPN_PLUGIN_FUNC_ERROR;
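Review bot: Relaxing the check to `> TLS_USERNAME_LEN` admits a username of exactly TLS_USERNAME_LEN characters, which is only safe if every buffer the username is later copied into as the common name is sized TLS_USERNAME_LEN+1; that copy happens outside this hunk, and since this is a cherry-pick that conflicted in ssl_verify.c, it is worth confirming that the other common-name buffers in this branch received the same +1 and not only the one in verify_cert. The condition now does agree with the message on the following line, which rejects names "longer than" the maximum rather than equal to it. Since the check is deliberately skipped when SSLF_USERNAME_AS_COMMON_NAME is not set, a short comment would make that intent explicit: `/* only enforced when the username will replace the certificate CN */`. verify_user_pass continues outside this hunk.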