[\ \fB\-\-mute\fR\ \fIn\fR\ ]
[\ \fB\-\-nice\fR\ \fIn\fR\ ]
[\ \fB\-\-no\-iv\fR\ ]
+[\ \fB\-\-no\-name\-remapping\fR\ ]
[\ \fB\-\-no\-replay\fR\ ]
[\ \fB\-\-bind\fR\ ]
[\ \fB\-\-nobind\fR\ ]
rather than the common name from the client cert.
.\"*********************************************************
.TP
+.B --no-name-remapping
+Allow Common Name, X509 Subject, and username strings to include
+any printable character including space, but excluding control
+characters such as tab, newline, and carriage-return.
+
+By default, OpenVPN will remap
+any character other than alphanumeric, underbar ('_'), dash
+('-'), dot ('.'), and slash ('/') to underbar ('_'). The X509
+Subject string as returned by the
+.B tls_id
+environmental variable, can additionally contain colon (':') or
+equal ('=').
+
+While name remapping is performed for security reasons to reduce
+the possibility of introducing string expansion security vulnerabilities
+in user-defined authentication
+scripts, this option is provided for those cases where it is desirable to
+disable the remapping feature. Don't use this option unless you
+know what you are doing!
+.\"*********************************************************
+.TP
.B --port-share host port
When run in TCP server mode, share the OpenVPN port with
another application, such as an HTTPS server. If OpenVPN
" user/pass via temporary file.\n"
"--auth-user-pass-optional : Allow connections by clients that don't\n"
" specify a username/password.\n"
+ "--no-name-remapping : Allow Common Name and X509 Subject to include\n"
+ " any printable character.\n"
"--client-to-client : Internally route client-to-client traffic.\n"
"--duplicate-cn : Allow multiple clients with the same common name to\n"
" concurrently connect.\n"
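Review bot: The added usage text names only Common Name and X509 Subject, but the same commit also routes the username through the relaxed remapping (the `up->username` call site in ssl.c passes `session->opt->ssl_flags` to `string_mod_sslname`), and the man page text in this commit lists all three. The help string should match so an operator reading `--help` learns that usernames are affected too, e.g. `"--no-name-remapping : Allow Common Name, X509 Subject and username to\n"` followed by `" include any printable character.\n"`.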
VERIFY_PERMISSION (OPT_P_GENERAL);
options->ssl_flags |= SSLF_AUTH_USER_PASS_OPTIONAL;
}
+ else if (streq (p[0], "no-name-remapping"))
+ {
+ VERIFY_PERMISSION (OPT_P_GENERAL);
+ options->ssl_flags |= SSLF_NO_NAME_REMAPPING;
+ }
else if (streq (p[0], "auth-user-pass-verify") && p[1])
{
VERIFY_PERMISSION (OPT_P_SCRIPT);
}
}
+static void
+string_mod_sslname (char *str, const unsigned int restrictive_flags, const unsigned int ssl_flags)
+{
+ if (ssl_flags & SSLF_NO_NAME_REMAPPING)
+ string_mod (str, CC_PRINT, CC_CRLF, '_');
+ else
+ string_mod (str, restrictive_flags, 0, '_');
+}
+
/*
* Our verify callback function -- check
* that an incoming peer certificate is good.
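Review bot: `string_mod_sslname` has no header comment, and its contract is easy to misread: `restrictive_flags` is silently ignored whenever `SSLF_NO_NAME_REMAPPING` is set, and in that mode the only filtering left is CC_PRINT with CC_CRLF excluded, so spaces and shell/path punctuation survive into the common name, X509 subject and username that later reach scripts and plugins. I would add a comment above the function saying that it applies `restrictive_flags` only when name remapping is enabled, that with `--no-name-remapping` the string is reduced to printable characters minus CR/LF, and that callers which hand the result to external scripts or use it as a path component must not assume the restrictive character class. Whether CC_PRINT also rejects tab (as the man page text in this commit claims) depends on the definition of CC_PRINT, which is outside this hunk; worth confirming before documenting it.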
setenv_x509 (opt->es, ctx->error_depth, X509_get_subject_name (ctx->current_cert));
/* enforce character class restrictions in X509 name */
- string_mod (subject, X509_NAME_CHAR_CLASS, 0, '_');
+ string_mod_sslname (subject, X509_NAME_CHAR_CLASS, opt->ssl_flags);
string_replace_leading (subject, '-', '_');
/* extract the common name */
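Review bot: `string_replace_leading (subject, '-', '_')` on the line after the new `string_mod_sslname` call still runs in both modes, so `--no-name-remapping` does not fully disable rewriting of the subject; a reader expecting the option to leave the string untouched will be surprised. A one-line comment there, `/* a leading '-' is always rewritten, even with --no-name-remapping */`, would make the remaining rewrite explicit. The enclosing verify callback starts and ends outside this hunk.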
}
}
- string_mod (common_name, COMMON_NAME_CHAR_CLASS, 0, '_');
+ string_mod_sslname (common_name, COMMON_NAME_CHAR_CLASS, opt->ssl_flags);
#if 0 /* print some debugging info */
msg (D_LOW, "LOCAL OPT: %s", opt->local_options);
string_mod (raw_username, CC_PRINT, CC_CRLF, '_');
/* enforce character class restrictions in username/password */
- string_mod (up->username, COMMON_NAME_CHAR_CLASS, 0, '_');
+ string_mod_sslname (up->username, COMMON_NAME_CHAR_CLASS, session->opt->ssl_flags);
string_mod (up->password, CC_PRINT, CC_CRLF, '_');
/* call plugin(s) and/or script */
# define SSLF_CLIENT_CERT_NOT_REQUIRED (1<<0)
# define SSLF_USERNAME_AS_COMMON_NAME (1<<1)
# define SSLF_AUTH_USER_PASS_OPTIONAL (1<<2)
+# define SSLF_NO_NAME_REMAPPING (1<<3)
unsigned int ssl_flags;
#ifdef MANAGEMENT_DEF_AUTH