Am 05.05.13 14:36, schrieb Gert Doering:
Without this patch, peer-info pushed by clients in the TLS handshake is only visible on the management interface, and only if --management-client-auth is enabled.With this patch, received records are sanitized and put into the normal "multi instance" environment, where it can be evaluated by --client-connect or --auth-user-pass-verify scripts and plugins, etc. Only records matching a fairly strict "name=value" format are accepted, and only names starting with IV_ or UV_ are exported, to avoid clients sending funny stuff and playing havoc with script/plugin environments on the server. In the "value" part, spaces, non-printable characters and shell metacharacters are replaced by '_'. The change is somewhat invasive as reception of the peer_info string was only done when username+password are expected from the client, but the data is always there (if the client sends no username/password, it will send 0-length strings, so always extracting 3 strings is safe). Also, the sanitation function validate_peer_info_line() and the opts->peer_info field were only compiled in #ifdef MANGEMENT_DEF_AUTH... Patch v3: do not call the old man_output_peer_info_env() anymore, unless a management env-filter has been set (= ensure IV_ and UV_ stuff is sent at most *once*, and exactly the way OpenVPN AS expects it). Add substituting of "bad" characters in the environment values.
ACK
smime.p7s
Description: S/MIME Kryptografische Unterschrift
