Hi Andris

On 08-07-14 10:16, Kalnozols, Andris wrote:
> Regarding the "ext:" argument prefix, I had submitted an enhanced
> version of extract_x509_extension() mainly for more helpful log
> messages.

I finally had some time to look at those changes (for others, see
https://community.openvpn.net/openvpn/ticket/402 for the patch), but
while figuring out the impact of the changes, I managed to make it
segfault by running

openvpn --config sample-config-files/loopback-server
--x509-username-field "ext:authorityKeyIdentifier"

and make a client connect using

openvpn --config sample-config-files/loopback-client

The culprit was in i2v_GENERAL_NAMES(), but I decided not to dive in any
further and go for your second option:

> If it doesn't pass muster, then I would suggest that
> this function be at least changed as follows:
> 
>                     }
>                   break;
>                 default:
> -                 msg (D_TLS_ERRORS, "ASN1 ERROR: can not handle field
> type %i",
> +                 msg (D_TLS_DEBUG, "Ignoring name field type %i",
>                        name->type);
>                   break;
>               }
> 
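
Review bot: the removed line of this hunk has been re-wrapped by the mail client ("can not handle field" and "type %i" now sit on separate lines), so the hunk as quoted will not apply with git am; it needs to be sent as an attachment or with line wrapping disabled. On the substance, moving the message from D_TLS_ERRORS to D_TLS_DEBUG means that at default verbosity an operator no longer sees that a GeneralName of a type other than email was skipped, so a failed --x509-username-field "ext:..." match caused by an extension that carries no email-type name becomes diagnosable only at verb 9; the replacement text "Ignoring name field type %i" should therefore also say where it comes from, for example by prefixing it with __func__, since on its own it gives no context in a debug log.
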
> I don't see the need for alarm if an extension field has additional
> GeneralName field types other than "email".

I completely agree. Attached a patch that does just that. I changed the
message a bit, but I guess I can still ACK this. So, ACK :)

-Steffan

From 6170243b318cade1ca905e4a3b7a62faaeada755 Mon Sep 17 00:00:00 2001
From: Andris Kalnozols <and...@hpl.hp.com>
List-Post: openvpn-devel@lists.sourceforge.net
Date: Sun, 10 Aug 2014 00:40:44 +0200
Subject: [PATCH] extract_x509_extension(): hide status message during normal
 operation.

For each recognized extension in a certificate, extract_x509_extension()
would issue an "ASN1 ERROR: can not handle field type" debug message at
verb 2. Reduce that to verb 9 (D_TLS_ERRORS -> D_TLS_DEBUG) and alter the
message text accordingly.

Signed-off-by: Andris Kalnozols <and...@hpl.hp.com>
Signed-off-by: Steffan Karger <stef...@karger.me>
---
 src/openvpn/ssl_verify_openssl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c
index cbcff02..56e1c11 100644
--- a/src/openvpn/ssl_verify_openssl.c
+++ b/src/openvpn/ssl_verify_openssl.c
@@ -140,8 +140,8 @@ bool extract_x509_extension(X509 *cert, char *fieldname, char *out, int size)
                   }
                 break;
               default:
-                msg (D_TLS_ERRORS, "ASN1 ERROR: can not handle field type %i",
-                     name->type);
+                msg (D_TLS_DEBUG, "%s: ignoring general name field type %i",
+                    __func__, name->type);
                 break;
             }
           }
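
Review bot: the continuation line `+                    __func__, name->type);` is indented one column less than the line it replaces (`-                     name->type);`), so the second argument no longer lines up under the first argument of `msg (`; keep the original 21-space indent. Otherwise the hunk matches the commit message: the message drops from verb 2 to verb 9 and now carries the emitting function name, which is what makes a verb 9 log attributable to extract_x509_extension() when an "ext:" username field matches no email-type GeneralName.
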
-- 
1.9.1
