On 2009.10.24 at 13:39:56 -0600, James Yonan wrote:
>
> Can you submit a patch (as an email attachment) with this fix?
Attached
This patch also contains an X509_NAME_oneline replacement, which handles
MSB characters.
I've not checked if this patch applies cleanly to unmodified source.
I've just diffed the original 2.1_rc19 source, imported into our Subversion
repository, against the current working copy and removed all irrelevant chunks.
Index: ssl.c
===================================================================
--- ssl.c (.../tags/openvpn-2.1_rc19) (revision 4645)
+++ ssl.c (.../trunk/openvpn-2.1_rc19) (revision 4645)
@@ -435,8 +435,8 @@
name_expand = (char *) malloc (name_expand_size);
check_malloc_return (name_expand);
openvpn_snprintf (name_expand, name_expand_size, "X509_%d_%s", error_depth, objbuf);
- string_mod (name_expand, CC_PRINT, CC_CRLF, '_');
- string_mod ((char*)buf, CC_PRINT, CC_CRLF, '_');
+ string_mod (name_expand, CC_PRINT|CC_MSB, CC_CRLF, '_');
+ string_mod ((char*)buf, CC_PRINT|CC_MSB, CC_CRLF, '_');
setenv_str (es, name_expand, (char*)buf);
free (name_expand);
OPENSSL_free (buf);
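Review bot: Adding CC_MSB to the two string_mod calls that feed setenv_str lets every byte from 0x80 to 0xFF into the environment handed to scripts and plugins, and the class as implemented in buffer.c tests only `c & 0x80`, so stray continuation bytes and truncated or overlong sequences pass exactly as readily as well-formed UTF-8. The values come from certificate fields, presumably the peer's, so a malformed sequence reaches the consumer untouched; a sequence-level check inside string_mod (replace a whole malformed sequence with the substitution character instead of judging bytes one at a time) would keep the stated goal without that. The same applies to string_mod_sslname at L30, to the raw_username and up->password calls at L63 and L67, and to X509_NAME_CHAR_CLASS / COMMON_NAME_CHAR_CLASS in ssl.h, which now admit these bytes on the restrictive path as well. The enclosing function starts and ends outside the hunk.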
@@ -584,11 +584,24 @@
string_mod_sslname (char *str, const unsigned int restrictive_flags, const unsigned int ssl_flags)
{
if (ssl_flags & SSLF_NO_NAME_REMAPPING)
- string_mod (str, CC_PRINT, CC_CRLF, '_');
+ string_mod (str, CC_PRINT|CC_MSB, CC_CRLF, '_');
else
string_mod (str, restrictive_flags, 0, '_');
}
+static char *my_X509_NAME_oneline(X509_NAME *name) {
+ BIO *b = BIO_new(BIO_s_mem());
+ long datalen;
+ char *p,*q;
+ X509_NAME_print_ex(b, name, 0, (XN_FLAG_ONELINE | ASN1_STRFLGS_UTF8_CONVERT) & ~ASN1_STRFLGS_ESC_MSB);
+ datalen = BIO_get_mem_data(b,&p);
+ q=OPENSSL_malloc(datalen+1);
+ strncpy(q,p,datalen);
+ q[datalen]=0;
+ BIO_free(b);
+ return q;
+}
+
/*
* Our verify callback function -- check
* that an incoming peer certificate is good.
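Review bot: my_X509_NAME_oneline (L34-L45) writes through the results of BIO_new and OPENSSL_malloc without checking them, so an allocation failure while handling a certificate becomes a NULL write instead of the NULL return the verify callback already handles with `if (!subject)`. The return value of X509_NAME_print_ex is ignored too; with non-COMPAT flags it is negative on error, as far as I recall, and on that path BIO_get_mem_data may describe a partial name. Since the length is known, `memcpy` states the intent more plainly than `strncpy`. The function is also laid out K&R-style while the rest of the file uses GNU style (brace on its own line, space before the parenthesis, as in string_mod_sslname just above); the rewrite below follows the file's style and releases the BIO on every path.
```c
static char *
my_X509_NAME_oneline (X509_NAME *name)
{
  BIO *b = BIO_new (BIO_s_mem ());
  char *p, *q = NULL;
  long datalen;

  if (!b)
    return NULL;
  if (X509_NAME_print_ex (b, name, 0, (XN_FLAG_ONELINE | ASN1_STRFLGS_UTF8_CONVERT) & ~ASN1_STRFLGS_ESC_MSB) < 0)
    goto done;
  datalen = BIO_get_mem_data (b, &p);
  if (datalen < 0)
    goto done;
  q = OPENSSL_malloc (datalen + 1);
  if (!q)
    goto done;
  memcpy (q, p, datalen);
  q[datalen] = 0;
 done:
  BIO_free (b);
  return q;
}
```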
@@ -617,7 +630,7 @@
session->verified = false;
/* get the X509 name */
- subject = X509_NAME_oneline (X509_get_subject_name (ctx->current_cert), NULL, 0);
+ subject = my_X509_NAME_oneline (X509_get_subject_name (ctx->current_cert));
if (!subject)
{
msg (D_TLS_ERRORS, "VERIFY ERROR: depth=%d, could not extract X509 subject string from certificate", ctx->error_depth);
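Review bot: The subject string assigned at L54 is now in X509_NAME_print_ex's XN_FLAG_ONELINE layout (`C = US, CN = name`, with `, ` between components and spaces around `=`), whereas X509_NAME_oneline produced `/C=US/CN=name`. Anything that compares or parses that string, the log lines and as far as I recall the tls-remote / tls-verify checks and the environment variables derived from it, sees a different value, so existing configurations that match on the old form would stop matching silently rather than failing loudly. If the intent is only to stop escaping non-ASCII bytes, the format change should at least be called out in the commit message and the documentation, or put behind a compatibility option; the flag set itself has no slash-separator mode, so there is no cheap way to keep the old layout with this call. The verify callback continues outside the hunk.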
@@ -3356,11 +3519,11 @@
/* preserve raw username before string_mod remapping, for plugins */
ALLOC_ARRAY_CLEAR_GC (raw_username, char, USER_PASS_LEN, &gc);
strcpy (raw_username, up->username);
- string_mod (raw_username, CC_PRINT, CC_CRLF, '_');
+ string_mod (raw_username, CC_PRINT|CC_MSB, CC_CRLF, '_');
/* enforce character class restrictions in username/password */
string_mod_sslname (up->username, COMMON_NAME_CHAR_CLASS, session->opt->ssl_flags);
- string_mod (up->password, CC_PRINT, CC_CRLF, '_');
+ string_mod (up->password, CC_PRINT|CC_MSB, CC_CRLF, '_');
/* call plugin(s) and/or script */
#ifdef MANAGEMENT_DEF_AUTH
Index: ssl.h
===================================================================
--- ssl.h (.../tags/openvpn-2.1_rc19) (revision 4645)
+++ ssl.h (.../trunk/openvpn-2.1_rc19) (revision 4645)
@@ -284,8 +284,8 @@
#define TLS_CN_LEN 64
/* Legal characters in an X509 or common name */
-#define X509_NAME_CHAR_CLASS (CC_ALNUM|CC_UNDERBAR|CC_DASH|CC_DOT|CC_AT|CC_COLON|CC_SLASH|CC_EQUAL)
-#define COMMON_NAME_CHAR_CLASS (CC_ALNUM|CC_UNDERBAR|CC_DASH|CC_DOT|CC_AT|CC_SLASH)
+#define X509_NAME_CHAR_CLASS (CC_ALNUM|CC_UNDERBAR|CC_DASH|CC_DOT|CC_AT|CC_COLON|CC_SLASH|CC_EQUAL|CC_MSB)
+#define COMMON_NAME_CHAR_CLASS (CC_ALNUM|CC_UNDERBAR|CC_DASH|CC_DOT|CC_AT|CC_SLASH|CC_MSB)
/* Maximum length of OCC options string passed as part of auth handshake */
#define TLS_OPTIONS_LEN 512
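Review bot: The comment above the two macros still reads `/* Legal characters in an X509 or common name */`, which no longer tells the reader that bytes of UTF-8 multibyte sequences are now legal. I would extend it to `/* Legal characters in an X509 or common name; CC_MSB admits any byte >= 0x80 so UTF-8 names pass */`, since these classes are the restrictive path used when name remapping is on.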
Index: buffer.c
===================================================================
--- buffer.c (.../tags/openvpn-2.1_rc19) (revision 4645)
+++ buffer.c (.../trunk/openvpn-2.1_rc19) (revision 4645)
@@ -692,7 +692,8 @@
if ((flags & CC_NULL) && c == '\0')
return true;
-
+ if ((flags & CC_MSB) && (c & 0x80))
+ return true;
if ((flags & CC_ALNUM) && isalnum (c))
return true;
if ((flags & CC_ALPHA) && isalpha (c))
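Review bot: The new CC_MSB branch at L91-L92 has no comment, and the reader has to infer the class's meaning from `c & 0x80`. I would document it at the branch: `/* CC_MSB: any byte >= 0x80 (the bytes of UTF-8 multibyte sequences); judges single bytes, does not validate sequences */`. The comment is worth having because in the C locale isprint() rejects these bytes, so CC_MSB is the only class that lets them through; `c` is declared `const unsigned char` in the buffer.h prototype, so the test itself is well-defined. char_class begins and ends outside the hunk.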
Index: buffer.h
===================================================================
--- buffer.h (.../tags/openvpn-2.1_rc19) (revision 4645)
+++ buffer.h (.../trunk/openvpn-2.1_rc19) (revision 4645)
@@ -684,9 +684,10 @@
#define CC_REVERSE_QUOTE (1<<23)
#define CC_AT (1<<24)
#define CC_EQUAL (1<<25)
+#define CC_MSB (1<<26)
/* macro classes */
-#define CC_NAME (CC_ALNUM|CC_UNDERBAR)
+#define CC_NAME (CC_ALNUM|CC_UNDERBAR|CC_MSB)
#define CC_CRLF (CC_CR|CC_NEWLINE)
bool char_class (const unsigned char c, const unsigned int flags);