From 19dd3ef12f45b2c70c0657ea72fbdce5241e45c2 Mon Sep 17 00:00:00 2001
From: Adriaan de Jong
Date: Thu, 30 Jun 2011 12:37:33 +0200
Subject: [PATCH] Refactored: removed global x509_username_field

Moved to tls_options.

Signed-off-by: Adriaan de Jong
Acked-by: James Yonan
Signed-off-by: David Sommerseth
---
 init.c | 5 +++++
 ssl.c | 17 ++---------------
 ssl_common.h | 1 +
 3 files changed, 8 insertions(+), 15 deletions(-)

diff --git a/init.c b/init.c
index 54bb2d13f..b809b960d 100644
--- a/init.c
+++ b/init.c
@@ -2211,6 +2211,11 @@ do_init_crypto_tls (struct context *c, const unsigned int flags)
 memmove (to.remote_cert_ku, options->remote_cert_ku, sizeof (to.remote_cert_ku));
 to.remote_cert_eku = options->remote_cert_eku;
 to.verify_hash = options->verify_hash;
+#ifdef ENABLE_X509ALTUSERNAME
+ to.x509_username_field = (char *) options->x509_username_field;
+#else
+ to.x509_username_field = X509_USERNAME_FIELD_DEFAULT;
+#endif
 to.es = c->c2.es;

 #ifdef ENABLE_DEBUG
diff --git a/ssl.c b/ssl.c
index 17ef478fd..ef0678286 100644
--- a/ssl.c
+++ b/ssl.c
@@ -594,8 +594,6 @@ write_peer_cert(X509 *peercert, const char *tmp_dir, struct gc_arena *gc)
 return peercert_filename;
 }

-char * x509_username_field; /* GLOBAL */
-
 int
 verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth)
 {
@@ -632,14 +630,14 @@ verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth)
 string_replace_leading (subject, '-', '_');

 /* extract the username (default is CN) */
- if (verify_get_username (common_name, TLS_USERNAME_LEN, x509_username_field, cert))
+ if (verify_get_username (common_name, TLS_USERNAME_LEN, opt->x509_username_field, cert))
 {
 if (!cert_depth)
 {
 msg (D_TLS_ERRORS, "VERIFY ERROR: could not extract %s from X509 "
 "subject string ('%s') -- note that the username length is "
 "limited to %d characters",
- x509_username_field,
+ opt->x509_username_field,
 subject, TLS_USERNAME_LEN);
 goto err;
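Review bot: The new assignment of `to.x509_username_field` in the init.c hunk (do_init_crypto_tls) is unconditional, whereas the init_ssl block it replaces (ssl.c hunk @@ -1045) only populated the field when `!(options->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED)` under `P2MP_SERVER`, so a server configured with client certificates not required now always carries a username field where the old file-scope global presumably stayed NULL. Whether verify_cert (and verify_get_username, whose handling of a NULL field is not visible here) can still be reached for such peers is not shown in the hunk; if it can, this is a behaviour change that the "Refactored" subject does not mention, so either confirm the guard was redundant or record the change in the description. Separately, the `(char *)` cast strips const from options->x509_username_field, and verify_cert only reads the field (it is passed to verify_get_username and msg), so declaring it `const char *x509_username_field;` in struct tls_options (ssl_common.h hunk) would let the cast go: `to.x509_username_field = options->x509_username_field;`. do_init_crypto_tls starts and ends outside the hunk.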
@@ -1045,17 +1043,6 @@ init_ssl (const struct options *options, struct tls_root_ctx *new_ctx)
 tls_ctx_load_extra_certs(new_ctx, options->extra_certs_file, options->extra_certs_file_inline);
 }

-#if P2MP_SERVER
- if (!(options->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED))
-#endif
- {
-#ifdef ENABLE_X509ALTUSERNAME
- x509_username_field = (char *) options->x509_username_field;
-#else
- x509_username_field = X509_USERNAME_FIELD_DEFAULT;
-#endif
- }
-
 /* Allowable ciphers */
 if (options->cipher_list)
 {
diff --git a/ssl_common.h b/ssl_common.h
index 525a1daf3..f3f43be25 100644
--- a/ssl_common.h
+++ b/ssl_common.h
@@ -251,6 +251,7 @@ struct tls_options
 unsigned remote_cert_ku[MAX_PARMS];
 const char *remote_cert_eku;
 uint8_t *verify_hash;
+ char *x509_username_field;
 /* allow openvpn config info to be passed over control channel */
-- 
2.47.2