I've found out that string_mod family of function do very bad job
with certificates with cyrillic characters in the subject.

As of OpenVPN 2.1_rc19 class CC_PRINT is determined by function
isprint from ctype.h, which does wrong job if there was no setlocale
call (and there is no setlocale call in the OpenVPN).

Moreover, all printable data except ones produced by X509_NAME_oneline 
function is produced by ASN1_STRING_to_UTF8 functions and no one
guaranties that current locale of openvpn process has UTF-8 codeset.

I've fixed this problem by defining new character class CC_MSB, which
all bytes from UTF-8 multibyte sequence belong to, allow this
character class everywhere where CC_PRINT is allowed  and include it
into macro definition of  X509_NAME_CHAR_CLASS and
COMMON_NAME_CHAR_CLASS

I think that it is enough for security purposes, because no shell would
ever treat unicode codepoints above 128 as word or command separators.

And it gives me valid utf-8 string in the script variables and logs.

But may be there exist better solution.

Reply via email to