From patchwork Mon Jan 20 12:12:34 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "plaisthos (Code Review)" X-Patchwork-Id: 4068 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7000:b7cb:b0:5e7:b9eb:58e8 with SMTP id en11csp2193574mab; Mon, 20 Jan 2025 04:12:56 -0800 (PST) X-Forwarded-Encrypted: i=2; AJvYcCX5bMFOXr12Z15NFPb3HkuuN41z9m9PGDm6cQYPfYMX+RYp4g1VNUElwqTS4v6ap2u6IVuTp4T8d+Q=@openvpn.net X-Google-Smtp-Source: AGHT+IELhYkAfnXtklJXNXcdt43MZTqgH4pZ9stfQ+YbIWKR9/MYtr5xGmu3excMbdz/52lkUQsi X-Received: by 2002:a05:6808:2e89:b0:3eb:6bf8:800a with SMTP id 5614622812f47-3f19fc4dbebmr8563044b6e.3.1737375176356; Mon, 20 Jan 2025 04:12:56 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1737375176; cv=none; d=google.com; s=arc-20240605; b=WynbLQoFIOSknoMCRsXxolE5zSke7qmHFzJj9mmtH34ToqxskiCagLOftSQklDlmct 1uXbgih3wFgxJMLVheWal6To4yZewchnqRRNGPHUDeO4KdiXkfq62wqrVQOfM7RdJPvK oLF70kzCdT5XF11p+1IsWAzZtq9IXxpZXASKhcuki2/+ek6fhsyn6Fj9k0B5+SHV6qkR bVk7tCX/YUAIRP/1mb/0wQcCjjd2x8Gush6WRSoLftbLrWHtb5Gz3YTDpVU4XWW88Z3l LBvz94vH2PG3eM9qPh4ulT+FNkDL6NOBJ3hIrYiULGcufX8Uzen6woG/3y8Txj1s/fLv CPSw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=errors-to:cc:reply-to:list-subscribe:list-help:list-post :list-archive:list-unsubscribe:list-id:precedence:subject:user-agent :mime-version:message-id:references:auto-submitted:to:date:from :dkim-signature:dkim-signature:dkim-signature; bh=1mXFJOvSCeo8pWiWirMoI/CIes7iAdWjwE31iqxqVp0=; fh=lm0MLPW7DntlrDqRECIiC9JlE1uPxhepE0URYHIf+eE=; b=Iqy5T/wdxYRxFWnsffpzWK50KM9/djeOAY46GTknDD2vX+xxlZL9D3M4Ue4RYK9jQz BQy90nIdxCSkzCRECKzuvbvI9GrvQBlMCJOJFko1CRD0/p3FmUlsIKyzgzO+SiZJb77s +cRNP0hR3JvGi80kWUrauNVhnUp/V+qrHRqtHQ+lZGxrQN/GHjV5gibmmwOQk07TuGQA pGL1TzKVKsVihgWgXRJwC8s8BdbxKCO/FxMip+oOCYIKEoo0M6QfOKE7CRU0mhC5Nryp T9FnrONYPePmBOR7oCWrj1AfWx1mSl2NPPKS1NJ40D4Kh819A7WpExKj5iyYY82UAW5e Y2gA==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=O5sadGtS; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=mU3bY2kr; dkim=neutral (body hash did not verify) header.i=@openvpn.net header.s=google header.b=ArRazYIG; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=openvpn.net; dara=fail header.i=@openvpn.net Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id 006d021491bc7-5fa35ec52d6si6310033eaf.17.2025.01.20.04.12.56 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 20 Jan 2025 04:12:56 -0800 (PST) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=O5sadGtS; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=mU3bY2kr; dkim=neutral (body hash did not verify) header.i=@openvpn.net header.s=google header.b=ArRazYIG; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=openvpn.net; dara=fail header.i=@openvpn.net Received: from [127.0.0.1] (helo=sfs-ml-3.v29.lw.sourceforge.com) by sfs-ml-3.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1tZqeC-0003mp-4c; Mon, 20 Jan 2025 12:12:51 +0000 Received: from [172.30.29.66] (helo=mx.sourceforge.net) by sfs-ml-3.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1tZqeA-0003mj-NO for openvpn-devel@lists.sourceforge.net; Mon, 20 Jan 2025 12:12:50 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Type:Content-Transfer-Encoding:MIME-Version :Message-ID:Reply-To:References:Subject:List-Unsubscribe:List-Id:Cc:To:Date: From:Sender:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:List-Help: List-Subscribe:List-Post:List-Owner:List-Archive; bh=A6L1JwDSYHk9b7P1cvhqjVdcx06nwtknDmqPZKOTmzs=; b=O5sadGtSgsuw3+LCVY4tbrEC4x ASr0bJpNF3fLDfVEwQG58PYTmPfRwoqw3F/j9GEJmX7QIixJDpULf+P6ProyOc3tdq87GRcD73m0h fSpaD3f7pu1Uhrhwu9YrH8SK+uaU1Nq8J1+DyduAHt+PwP+W+TgrO5iU6urjvJJad3PU=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Type:Content-Transfer-Encoding:MIME-Version:Message-ID:Reply-To: References:Subject:List-Unsubscribe:List-Id:Cc:To:Date:From:Sender:Content-ID :Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To: Resent-Cc:Resent-Message-ID:In-Reply-To:List-Help:List-Subscribe:List-Post: List-Owner:List-Archive; bh=A6L1JwDSYHk9b7P1cvhqjVdcx06nwtknDmqPZKOTmzs=; b=m U3bY2kru9+oNcPHUUn1qtahL3pTrLN/EakuERX0c5TjNqPSvaiIzKpNyiciRWbRzvZoqsgk4cozhG m1GxzOCXNQXCq55hUp1YbjfBo1GZWZrZsyMdmCV1/2OU9PzXVwI4y6EUb25F+nKuRmOgCg3/wFCPY MB7yt4S2BKEheVdA=; Received: from mail-wm1-f54.google.com ([209.85.128.54]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.95) id 1tZqe8-0001D8-AC for openvpn-devel@lists.sourceforge.net; Mon, 20 Jan 2025 12:12:50 +0000 Received: by mail-wm1-f54.google.com with SMTP id 5b1f17b1804b1-436281c8a38so31057155e9.3 for ; Mon, 20 Jan 2025 04:12:48 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=openvpn.net; s=google; t=1737375156; x=1737979956; darn=lists.sourceforge.net; h=user-agent:content-disposition:content-transfer-encoding :mime-version:message-id:reply-to:references:subject :list-unsubscribe:list-id:auto-submitted:cc:to:date:from:from:to:cc :subject:date:message-id:reply-to; bh=A6L1JwDSYHk9b7P1cvhqjVdcx06nwtknDmqPZKOTmzs=; b=ArRazYIGuuN5W6jX12i7mU1LpEijwe1sA8vifi1/Rwp2bHb9kPIKWKQP/IV77xQKjq tagfsqOZ8/rzBbRBeYPDYrZdB5NtvIlp5lwwg0pq5CTTZZplMFNeS1RzvI4aHvu+S/a5 YgVltaJSD7pfa0yvMvTUB5EOS8cswdvbR9ha+F/xElsjLQZARH3JzegQNHkUjiyoqbxv /b1q5jeH6BXs1rMu6xwGnLIC1224tBQOtc2UwjO2qCEjH1y5SPjQXgwSvlYeI7kW2VvP TsIR8NoISZ2ltWp889M19RDBEVAGKXT/pellseF0ApkHLXvbV17ajvaloko4gx4QYuDX cE0Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1737375156; x=1737979956; h=user-agent:content-disposition:content-transfer-encoding :mime-version:message-id:reply-to:references:subject :list-unsubscribe:list-id:auto-submitted:cc:to:date:from :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=A6L1JwDSYHk9b7P1cvhqjVdcx06nwtknDmqPZKOTmzs=; b=BiF4tkItPcnAjMPRHFpRLpiz82lZOMy423yML/F0mMdEUXS+QwN75BULUptWWPqY5B IgOfoKFlSL2Nt9+UsiksExtbMGU6HJWVUseOE5yNrqHON/SZf0kkuyIPBu+X4QAlhIZk jDBE8ERaH+O+4A4uIx457dA9wsgVVXS6cwRVrhSeED2RDyvWtZUBYBAB5ko/RUfT68+a YTkWcyw6e+xHmGIBsi58GchW56Xgl5icdkDj6L9hwIJAmeoAUN3Tr6He6IDJ2XbNA23f X+GEFpdPUCnNS4tScvuTkP2m81/ha36XJWMXhhZA5GMPt8u4s64Fy18Au0/2wzJn8z1w vqsg== X-Gm-Message-State: AOJu0YyaKS/acafDRlTMymnyYKL9nPOY6i9mGoPmdIeME8k2bu8mcz9f P6CS9lXe2/Fq+PiLqn1NcSXHx0D6eGMXGb5OhpZNG6N+X0/UUwchoqKDaOtB00Kj270xZwyf2Vi d X-Gm-Gg: ASbGncsSKFjQeNCfGgzocfdduoK4zaci2L87+Y06fyIiSs8FRzdZni0OuZwY9amcDkL HlpFRM1EpM645qfXreJY+m/x96XzR6KmYtUD0lcN5mE2Amd/6FwZhK6eu0Lk7RdTuoWV3Aoq7Lo ZFLhg/l2ou09gAlRDAjx9spM3kVeXsiClCX/Qjw9JIz+mZJZnkQCLbgZKMttcq1lZHY97ngHk10 T+r1WoaJ+BmHeP5jYVOTKRT5K0F/ebF+PBZYMZAiPG09sdlaKLFmqX1mwUr7+uDGzOfUaiv/9Wa iBDWg2DV88TW/4kkA6Mt2iVfe5jlNS5pNb60yG+KFCU4GrxctKruQ43hoxIRMw== X-Received: by 2002:a05:600c:6a93:b0:438:a913:a99 with SMTP id 5b1f17b1804b1-438a9130aa4mr34682185e9.31.1737375156230; Mon, 20 Jan 2025 04:12:36 -0800 (PST) Received: from gerrit.openvpn.in (ec2-18-159-0-78.eu-central-1.compute.amazonaws.com. [18.159.0.78]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-4389046c59csm138872525e9.40.2025.01.20.04.12.34 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 20 Jan 2025 04:12:35 -0800 (PST) From: "plaisthos (Code Review)" X-Google-Original-From: "plaisthos (Code Review)" X-Gerrit-PatchSet: 1 Date: Mon, 20 Jan 2025 12:12:34 +0000 To: flichtenheld Auto-Submitted: auto-generated X-Gerrit-MessageType: newchange X-Gerrit-Change-Id: Ia4095518d5e4447992a2974e0d7a159d79ba6b6f X-Gerrit-Change-Number: 872 X-Gerrit-Project: openvpn X-Gerrit-ChangeURL: X-Gerrit-Commit: c940fae90cf283fa7222d7c0f85174c11f0e6d52 References: Message-ID: <232dbf2b8e18146cc35b60c0f93f1c9b4d022ef6-HTML@gerrit.openvpn.net> MIME-Version: 1.0 User-Agent: Gerrit/3.8.2 X-Spam-Score: -0.2 (/) X-Spam-Report: Spam detection software, running on the system "util-spamd-2.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: Attention is currently required from: flichtenheld. Hello flichtenheld, I'd like you to do a code review. Please visit Content analysis details: (-0.2 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. [209.85.128.54 listed in bl.score.senderscore.com] 0.0 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. [209.85.128.54 listed in sa-trusted.bondedsender.org] 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 SPF_PASS SPF: sender matches SPF record -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [209.85.128.54 listed in list.dnswl.org] -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2) [209.85.128.54 listed in wl.mailspike.net] 0.0 WEIRD_PORT URI: Uses non-standard port number for HTTP 0.0 HTML_MESSAGE BODY: HTML included in message 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.0 T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted Colors in HTML X-Headers-End: 1tZqe8-0001D8-AC Subject: [Openvpn-devel] [M] Change in openvpn[master]: Implement override-user X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: arne-openvpn@rfc2549.org, openvpn-devel@lists.sourceforge.net, frank@lichtenheld.com Cc: openvpn-devel Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1821769912983022202?= X-GMAIL-MSGID: =?utf-8?q?1821769912983022202?= X-getmail-filter-classifier: gerrit message type newchange Attention is currently required from: flichtenheld. Hello flichtenheld, I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/872?usp=email to review the following change. Change subject: Implement override-user ...................................................................... Implement override-user Change-Id: Ia4095518d5e4447992a2974e0d7a159d79ba6b6f Signed-off-by: Arne Schwabe --- M Changes.rst M doc/man-sections/server-options.rst M src/openvpn/auth_token.c M src/openvpn/multi.c M src/openvpn/options.c M src/openvpn/options.h M src/openvpn/push.c M src/openvpn/ssl.c M src/openvpn/ssl_common.h M src/openvpn/ssl_verify.c M src/openvpn/ssl_verify.h 11 files changed, 126 insertions(+), 6 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/72/872/1 diff --git a/Changes.rst b/Changes.rst index 16ae6fc..d7def7c 100644 --- a/Changes.rst +++ b/Changes.rst @@ -36,6 +36,10 @@ add an allowed cipher without having to spell out the default ciphers. +Allow overriding username with ``--override-username`` + This is intended to allow using auth-gen-token in scenarios where the + client use certificates and multi-factor authentication. + Deprecated features ------------------- ``secret`` support has been removed by default. diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index 3fe9862..2b2c262 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst @@ -670,6 +670,31 @@ AND the ``--auth-user-pass-verify`` script will need to succeed in order for a client to be authenticated and accepted onto the VPN. +--override-username + Sets the username of a connection the specified username. This username + will also be used by the by ``--auth-gen-token``. However, the overridden + username comes only into effect *after* the ``--client-connect``, + ``--client-config-dir`` and the ``--auth-user-pass-verify`` script have + been run. + + Also ``username-as-common-name`` will use the client provided username + as common-name. It is recommended to avoid the use of the + ``--override-username`` option if the option ``username-as-common-name`` + is being used. + + The changed username will be picked up by the status output and also by + the the ``--auth-gen-token`` option. It will also be pushed to the client + using ``--auth-token-user``. + + Special care has to be taken that the initial username of the client is + correctly handled with these options to avoid authentication/authorisation + bypasses. + + This option is mainly intended for use cases that use certificates and + multi factor authentication and therefore do not provide a username that + can be used for ``--auth-gen-token`` to allow providing a username in + these scenarios. + --vlan-tagging Server-only option. Turns the OpenVPN server instance into a switch that understands VLAN-tagging, based on IEEE 802.1Q. diff --git a/src/openvpn/auth_token.c b/src/openvpn/auth_token.c index 3cf55e8..312474c 100644 --- a/src/openvpn/auth_token.c +++ b/src/openvpn/auth_token.c @@ -330,10 +330,19 @@ timestamp_initial = ntohll(timestamp_initial); hmac_ctx_t *ctx = multi->opt.auth_token_key.hmac; + if (check_hmac_token(ctx, b64decoded, up->username)) { ret |= AUTH_TOKEN_HMAC_OK; } + else if (multi->locked_original_username && multi->locked_username + && check_hmac_token(ctx, b64decoded, multi->locked_username)) + { + /* if the username has been overridden, check with the overridden + * username and ignore the sent username in case the client does not + * support auth-token-user */ + ret |= AUTH_TOKEN_HMAC_OK; + } else if (check_hmac_token(ctx, b64decoded, "")) { ret |= AUTH_TOKEN_HMAC_OK; diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index f426b46..03e6b6e 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -42,7 +42,9 @@ #include "ssl_verify.h" #include "ssl_ncp.h" #include "vlan.h" +#include "auth_token.h" #include +#include #include "memdbg.h" @@ -2663,6 +2665,41 @@ NULL, }; +/** + * + * @param mi + */ +static void +override_locked_username(struct multi_instance *mi) +{ + struct tls_multi *multi = mi->context.c2.tls_multi; + + struct options *options = &mi->context.options; + + if (!multi->locked_original_username + && strcmp(multi->locked_username, options->override_username) != 0) + { + multi->locked_original_username = multi->locked_username; + multi->locked_username = strdup(options->override_username); + + /* Regenerate the auth-token if enabled */ + if (multi->auth_token_initial) + { + struct user_pass up; + CLEAR(up); + strncpynt(up.username, multi->locked_username, + sizeof(up.username)); + + generate_auth_token(&up, multi); + } + + msg(D_MULTI_LOW, "MULTI: Note, override-username changes username " + "from '%s' to '%s'", + multi->locked_original_username, + multi->locked_username); + + } +} /* * Called as soon as the SSL/TLS connection is authenticated. * @@ -2766,6 +2803,11 @@ (*cur_handler_index)++; } + if (mi->context.options.override_username) + { + override_locked_username(mi); + } + /* Check if we have forbidding options in the current mode */ if (dco_enabled(&mi->context.options) && !dco_check_option(D_MULTI_ERRORS, &mi->context.options)) diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 3ef4d78..bf966f3 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -7847,6 +7847,23 @@ VERIFY_PERMISSION(OPT_P_INSTANCE); options->disable = true; } + else if (streq(p[0], "override-username") && p[1] && !p[2]) + { + VERIFY_PERMISSION(OPT_P_INSTANCE); + if (strlen(p[1]) > TLS_USERNAME_LEN) + { + msg(msglevel, "override-username exceeds the maximum length of %d " + "characters", TLS_USERNAME_LEN); + + /* disable the connection since ignoring the request to + * set another username might serious problems */ + options->disable = true; + } + else + { + options->override_username = p[1]; + } + } else if (streq(p[0], "tcp-nodelay") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); diff --git a/src/openvpn/options.h b/src/openvpn/options.h index 55f12dd..274f282 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -492,6 +492,7 @@ const char *client_config_dir; bool ccd_exclusive; bool disable; + const char *override_username; int n_bcast_buf; int tcp_queue_limit; struct iroute *iroutes; diff --git a/src/openvpn/push.c b/src/openvpn/push.c index a7cd3bf..5ccd7d8 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c @@ -595,9 +595,19 @@ */ if (tls_multi->auth_token) { - push_option_fmt(gc, push_list, M_USAGE, - "auth-token %s", + push_option_fmt(gc, push_list, M_USAGE, "auth-token %s", tls_multi->auth_token); + + char *base64user; + int ret = openvpn_base64_encode(tls_multi->locked_username, + (int)strlen(tls_multi->locked_username), + &base64user); + if (ret < USER_PASS_LEN && ret > 0) + { + push_option_fmt(gc, push_list, M_USAGE, "auth-token-user %s", + base64user); + } + free(base64user); } } diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index e4a7b57..e548299 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -1260,6 +1260,7 @@ free(multi->peer_info); free(multi->locked_cn); free(multi->locked_username); + free(multi->locked_original_username); cert_hash_free(multi->locked_cert_hash_set); diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index e092472..79d0575 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -625,7 +625,15 @@ * Our locked common name, username, and cert hashes (cannot change during the life of this tls_multi object) */ char *locked_cn; + + /** The locked username is the username that the client used for initial + * authentication */ char *locked_username; + + /** The username that client initial used before being overrriden by + * by override-user */ + char *locked_original_username; + struct cert_hash_set *locked_cert_hash_set; /** Time of last when we updated the cached state of diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index e7d7ed6..158fe19 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -48,9 +48,6 @@ #include "push.h" #include "ssl_util.h" -/** Maximum length of common name */ -#define TLS_USERNAME_LEN 64 - static void string_mod_remap_name(char *str) { @@ -153,7 +150,10 @@ { if (multi->locked_username) { - if (strcmp(username, multi->locked_username) != 0) + /* If the username has been overridden, we accept both the original + * username and the changed username */ + if (strcmp(username, multi->locked_username) != 0 + && (!multi->locked_original_username || strcmp(username, multi->locked_original_username) != 0)) { msg(D_TLS_ERRORS, "TLS Auth Error: username attempted to change from '%s' to '%s' -- tunnel disabled", multi->locked_username, diff --git a/src/openvpn/ssl_verify.h b/src/openvpn/ssl_verify.h index cd2ec24..77e814a 100644 --- a/src/openvpn/ssl_verify.h +++ b/src/openvpn/ssl_verify.h @@ -51,6 +51,9 @@ /** Maximum certificate depth we will allow */ #define MAX_CERT_DEPTH 16 +/** Maximum length of common name */ +#define TLS_USERNAME_LEN 64 + /** Structure containing the hash for a single certificate */ struct cert_hash { unsigned char sha256_hash[256/8];