From patchwork Fri Oct 22 13:07:06 2021
X-Patchwork-Submitter: Selva Nair
X-Patchwork-Id: 2046
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 22 Oct 2021 20:07:06 -0400
Message-Id: <20211023000706.25016-2-selva.nair@gmail.com>
In-Reply-To: <20211023000706.25016-1-selva.nair@gmail.com>
References: <20211023000706.25016-1-selva.nair@gmail.com>
Subject: [Openvpn-devel] [PATCH for 2.5] Ensure the current common_name is in the environment for scripts
From: Selva Nair

When username-as-common-name is in effect, the common_name is "CN" from the certificate for auth-user-pass-verify. It gets changed to "username" after successful authentication. This changed value gets into the env when the client-connect script is called.

However, "common_name" goes through the cycle of being "CN", then "username" during every reauth (renegotiation). As the client-connect script is not called during reneg, the changed value never gets back into the env. The end result is that the disconnect script gets "common_name=" instead of the username, unless no reneg steps have happened before disconnect.

(For a more detailed analysis see https://community.openvpn.net/openvpn/ticket/1434#comment:12)

Fix by adding common_name to env whenever it changes.

Trac: #1434

Very likely applies to #160 as well, but that's too old and some of the relevant code path has evolved since then.

Same as for 2.6 except for the context change due to PF.

Signed-off-by: Selva Nair
Acked-by: Gert Doering
---
 src/openvpn/ssl_verify.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index 4f3b61d6..0ccd43d0 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -116,6 +116,8 @@ set_common_name(struct tls_session *session, const char *common_name) } #endif } + /* update common name in env */ + setenv_str(session->opt->es, "common_name", common_name); } /*
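Review bot: the new setenv_str() call at the end of set_common_name() runs for every caller, including any that passes a NULL common_name to clear the session's name; please confirm that setenv_str() handles a NULL value the way the disconnect script expects (the commit message says the goal is that common_name is never stale or empty there), or guard the call with `if (common_name)`. The comment `/* update common name in env */` would also be more useful if it said why the export is needed here rather than in the client-connect path, i.e. that renegotiation re-runs set_common_name() but not client-connect, so this is the only place the script environment sees the post-auth username.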