git.ipfire.org Git - thirdparty/openvpn.git/commitdiff
Ensure the current common_name is in the environment for scripts
author Selva Nair <selva.nair@gmail.com>
Sat, 23 Oct 2021 00:07:05 +0000 (20:07 -0400)
committer Gert Doering <gert@greenie.muc.de>
Sat, 23 Oct 2021 15:39:50 +0000 (17:39 +0200)
When username-as-common-name is in effect, the common_name
is "CN" from the certificate for auth-user-pass-verify. It gets
changed to "username" after successful authentication. This
changed value gets into the env when client-connect script is
called.

However, "common_name" goes through the cycle of being
"CN", then "username" during every reauth (renegotiation).
As the client-connect script is not called during reneg, the changed
value never gets back into the env. The end result is that the
disconnect script gets "common_name=<CN>" instead of the username.
Unless no reneg steps have happened before disconnect.
(For a more detailed analysis see
https://community.openvpn.net/openvpn/ticket/1434#comment:12)

Fix by adding common_name to env whenever it changes.

Trac: #1434
Very likely applies to #160 as well, but that's too old and
some of the relevant code path has evolved since then.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211023000706.25016-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23051.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
src/openvpn/ssl_verify.c

index b745b3c79054cc98b8ea4018d9d80164fb81e142..8dbbf5f556922182226364a1347e70ebe5bf5455 100644 (file)
@@ -101,6 +101,8 @@ set_common_name(struct tls_session *session, const char *common_name)
         /* FIXME: Last alloc will never be freed */
         session->common_name = string_alloc(common_name, NULL);
     }
+    /* update common name in env */
+    setenv_str(session->opt->es, "common_name", common_name);
 }
 
 /*
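
Review bot: The added setenv_str() call at the end of set_common_name() sits after the closing brace of the block that allocates session->common_name, so it runs on every call with the raw common_name argument rather than the stored copy. If that block is guarded by a non-NULL check on common_name (the condition is outside the visible context), the call is also reached with a NULL value, and the one-line comment does not say what is expected then. Since the purpose of the change is that scripts never see a stale name, please extend the comment to state whether a NULL argument is meant to remove "common_name" from session->opt->es, or make that case explicit in the code.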