[Openvpn-devel,for,2.6] Ensure the current common_name is in the environment for scripts

Message ID 20211023000706.25016-1-selva.nair@gmail.com
State Accepted
Headers show
Series [Openvpn-devel,for,2.6] Ensure the current common_name is in the environment for scripts | expand

Commit Message

Selva Nair Oct. 22, 2021, 1:07 p.m. UTC
From: Selva Nair <selva.nair@gmail.com>

When username-as-common-name is in effect, the common_name
is "CN" from the certificate for auth-user-pass-verify. It gets
changed to "username" after successful authentication. This
changed value gets into the env when client-connect script is

However, "common_name" goes through the cycle of being
"CN", then "username" during every reauth (renegotiation).
As the client-connect script is not called during reneg, the changed
value never gets back into the env. The end result is that the
disconnect script gets "common_name=<CN>" instead of the username.
Unless no reneg steps have happened before disconnect.
(For a more detailed analysis see

Fix by adding common_name to env whenever it changes.

Trac: #1434
Very likely applies to #160 as well, but that's too old and
some of the relevant code path has evolved since then.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
 src/openvpn/ssl_verify.c | 2 ++
 1 file changed, 2 insertions(+)


Gert Doering Oct. 23, 2021, 4:44 a.m. UTC | #1
Acked-by: Gert Doering <gert@greenie.muc.de>

Thanks for finding a better theory how to fix this :-) - and then 
finding the single-line "so obvious" place to fix this, without caring
about all our convolutions in changing common_name.

(And thanks to Richard for getting so upset with this bug that he
found nice and reliable ways to test bug and fix)

Your patch has been applied to the master branch.

commit fa5ab2438ad2d8a12eaf43e2cdd8b4294299c175
Author: Selva Nair
Date:   Fri Oct 22 20:07:05 2021 -0400

     Ensure the current common_name is in the environment for scripts

     Signed-off-by: Selva Nair <selva.nair@gmail.com>
     Acked-by: Gert Doering <gert@greenie.muc.de>
     Message-Id: <20211023000706.25016-1-selva.nair@gmail.com>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23051.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>

kind regards,

Gert Doering


diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index b745b3c7..8dbbf5f5 100644
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@@ -101,6 +101,8 @@  set_common_name(struct tls_session *session, const char *common_name)
         /* FIXME: Last alloc will never be freed */
         session->common_name = string_alloc(common_name, NULL);
+    /* update common name in env */
+    setenv_str(session->opt->es, "common_name", common_name);