From patchwork Fri Oct 22 13:07:05 2021
X-Patchwork-Submitter: Selva Nair
X-Patchwork-Id: 2047
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 22 Oct 2021 20:07:05 -0400
Message-Id: <20211023000706.25016-1-selva.nair@gmail.com>
X-Mailer: git-send-email 2.30.2
Subject: [Openvpn-devel] [PATCH for 2.6] Ensure the current common_name is in the environment for scripts
From: Selva Nair

When username-as-common-name is in effect, the common_name is "CN" from the certificate for auth-user-pass-verify. It gets changed to "username" after successful authentication. This changed value gets into the env when the client-connect script is called.

However, "common_name" goes through the cycle of being "CN", then "username" during every reauth (renegotiation). As the client-connect script is not called during reneg, the changed value never gets back into the env. The end result is that the disconnect script gets "common_name=" instead of the username, unless no reneg steps have happened before disconnect.

(For a more detailed analysis see https://community.openvpn.net/openvpn/ticket/1434#comment:12)

Fix by adding common_name to env whenever it changes.

Trac: #1434

Very likely applies to #160 as well, but that's too old and some of the relevant code path has evolved since then.

Signed-off-by: Selva Nair
Acked-by: Gert Doering
---
 src/openvpn/ssl_verify.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index b745b3c7..8dbbf5f5 100644
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@@ -101,6 +101,8 @@ set_common_name(struct tls_session *session, const char *common_name) /* FIXME: Last alloc will never be freed */ session->common_name = string_alloc(common_name, NULL); } + /* update common name in env */ + setenv_str(session->opt->es, "common_name", common_name); } /*
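Review bot: The new `setenv_str(session->opt->es, "common_name", common_name);` is placed after the closing brace of the block that does `session->common_name = string_alloc(common_name, NULL);`, so it runs on every call to set_common_name, including calls where that allocation block is skipped. If common_name can be NULL on such a call (the guarded allocation suggests it can), confirm that setenv_str treats a NULL value as "remove the variable" rather than dereferencing it; otherwise guard the call, e.g. `if (common_name) { setenv_str(...); }`. Since scripts such as client-disconnect act on this variable, an unexpected stale or empty "common_name" is an identity-tracking problem, so it would also help to expand the comment `/* update common name in env */` to say why the update belongs here: the name flips between the certificate CN and the username on every renegotiation, and client-connect is not re-run then, so this is the only place the env is guaranteed to track the current value.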