[Openvpn-devel,1/2] Remove x509-username-fields uppercasing

Message ID	cb8317eb-bfb6-47e8-9bc3-ae5cc603ff21@gmx.de
State	Accepted
Headers	show Return-Path: <openvpn-devel-bounces@lists.sourceforge.net> Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Message-ID: <cb8317eb-bfb6-47e8-9bc3-ae5cc603ff21@gmx.de> Date: Sat, 15 Feb 2025 20:00:33 +0100 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Content-Language: de-CH To: openvpn-devel@lists.sourceforge.net References: <951b0ff7-9fb7-405b-bf6e-ef4ebf12afaf@gmx.de> In-Reply-To: <951b0ff7-9fb7-405b-bf6e-ef4ebf12afaf@gmx.de> UI-OutboundReport: notjunk:1;M01:P0:i7lNX1JScTs=;wRLThgERfWLs6TBsvqkQo1vJhFh gExa1MPALF+aNqAtVZzmnW86cX1B2dBZYw906sDL3c2fpZvDupcz3x130I6M0Xgoyu7WR+zPf khu3UOJkyuLnkLw1uPhpD+e4WObm0aqq1be8M9iFFcPmywgrOcapGRoP4jcgYhC0Fw4EPrjMV 21paJDeL2d2y5YEOyjR24Z7iySkfdcPetgJ2gcX6MLR7dwRd3khywD2EpqXyECZDejif2ue7k 7l0Efj4nPahSgmFTg1oIx+ZwSqIEmzDA5LNNnSHjWli/xrnKClAyygo1TE4BzsZ2ECNPsiKJI d4Q8YnwKS36nQA71OGn139WNMAm9FCwZATBoQDhzfPatNrkciGn9trm7hTb+2MqElOBal7One AtrQxZKVp3Z06QoS5MkEojkr/YDyPr+t2ROhU8xXwtgevuz0oPF2Qd7sLZrJnQsDP5/V8ITsu AEdXOTjRrcZAeCGjPgaXGhnOYIlVAT8rNKi9Pd64acvdrhe6kAa26v8jDlJbsM1biDdtYeNko 2UEAjpzSWou8KBHOlwvwIQ83BKzGwYXFiokN6+Wru1HeFDyE4BccP6n3XSbTduBXAdgf0JHDo ob1PcbYIgPaIeRcxdIq57EmRVPesRjSzq1MZkp7XJZWdZgbDGqsYwHvhyPlEaflFS5t3gGX1q dD7JzG9PE8FGR2dsH2U0sbr7j/y0CPLWBl23cyJwQHXF91WSxg8NmpDOoPnqpYg2xtIZiUokP fRoKCnN/diOeqXi/5raEjK7fDLp+pCXyAZ2HcHElN7rnCSb6BRCdXtWXLlvsOKGpGx/A60t26 X+WX1j1QcuMG3fKttdhXpHDOWlVEYIR3iOSSRVN7tUaTAK2cC2mifByAGVZdr+sf+vphlFTXo K2CADn6Aa9lgLNqHtcNUVGptSxA0mS8QV/u3ik6qhY+NOckUdi5uZrouOHQoyHmUuUKbt4Y6I s2wVIftzdp6Riy7JQgqmPRTZq7eR4JJlKD2e23g818RKc8glei+LKuuDlEt/WT1xI+aI/ad+/ HRARtnLLPPyAZK2rAqXzEd0EIXOFcYSriVRlDKyjJ547z937kMthmxyKmHkOzBNGtem+/ud0Y cg4Jqbba3YKNjCb/HOkMaJeNSbRU7p4vB/8f1iTSLx8mWEoJ+RU9la1B6HbQtnAb1WUUyJDG4 iRuRfHQrJE+gUEiyd+fKTXB33am9gFt9Ug8ZexciEPcnpVWAfiTnuKiw6RHWt2Y5hsMGf9/C7 SvpRKO9SXwZtJVWIIcK8gtECTyg0gKALdjgBkfc0vIRJt7+zVH4Teu5J3j6AArdL5cnhEKVxe rP3Y0oWXARZzajequUwgUxnxe2Knn3T7jnCsUYfpIOqi/uUwl3gsPIYe0SfthnvZS1041aqhj fyzYB2io3nJWyy6bWwVrZDP42cilRuQyn4SeI7fXiGZtG8U6Z5QxoXLg2cRTvXICD3lo0dTpr URTfTeg== preview: The uppercasing was first introduced together with the x509-username-field option in commit 935c62be, and first released with v2.2.0 in 2011. The uppercasing was later deprecated with commit f4e0ad82 [...] Content analysis details: (-0.9 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.0 RCVD_IN_VALIDITY_SAFE_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. [212.227.17.22 listed in sa-trusted.bondedsender.org] 0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. [212.227.17.22 listed in bl.score.senderscore.com] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider [corubba[at]gmx.de] -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at https://www.dnswl.org/, low trust [212.227.17.22 listed in list.dnswl.org] 0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3) [212.227.17.22 listed in wl.mailspike.net] -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain 0.0 RCVD_IN_MSPIKE_WL Mailspike good senders Subject: [Openvpn-devel] [PATCH 1/2] Remove x509-username-fields uppercasing Precedence: list From: corubba via Openvpn-devel <openvpn-devel@lists.sourceforge.net> Reply-To: corubba <corubba@gmx.de> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox
Series	x509-username-fields improvements \| expand [Openvpn-devel,0/2] x509-username-fields improvements [Openvpn-devel,1/2] Remove x509-username-fields uppercasing [Openvpn-devel,2/2] Document x509-username-fields oid usage

Message ID

cb8317eb-bfb6-47e8-9bc3-ae5cc603ff21@gmx.de

State

Accepted

Headers

Received-SPF: pass (google.com: domain of
 openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
 permitted sender) client-ip=216.105.38.7;
Message-ID: <cb8317eb-bfb6-47e8-9bc3-ae5cc603ff21@gmx.de>
Date: Sat, 15 Feb 2025 20:00:33 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: de-CH
To: openvpn-devel@lists.sourceforge.net
References: <951b0ff7-9fb7-405b-bf6e-ef4ebf12afaf@gmx.de>
In-Reply-To: <951b0ff7-9fb7-405b-bf6e-ef4ebf12afaf@gmx.de>
UI-OutboundReport: notjunk:1;M01:P0:i7lNX1JScTs=;wRLThgERfWLs6TBsvqkQo1vJhFh
 gExa1MPALF+aNqAtVZzmnW86cX1B2dBZYw906sDL3c2fpZvDupcz3x130I6M0Xgoyu7WR+zPf
 khu3UOJkyuLnkLw1uPhpD+e4WObm0aqq1be8M9iFFcPmywgrOcapGRoP4jcgYhC0Fw4EPrjMV
 21paJDeL2d2y5YEOyjR24Z7iySkfdcPetgJ2gcX6MLR7dwRd3khywD2EpqXyECZDejif2ue7k
 7l0Efj4nPahSgmFTg1oIx+ZwSqIEmzDA5LNNnSHjWli/xrnKClAyygo1TE4BzsZ2ECNPsiKJI
 d4Q8YnwKS36nQA71OGn139WNMAm9FCwZATBoQDhzfPatNrkciGn9trm7hTb+2MqElOBal7One
 AtrQxZKVp3Z06QoS5MkEojkr/YDyPr+t2ROhU8xXwtgevuz0oPF2Qd7sLZrJnQsDP5/V8ITsu
 AEdXOTjRrcZAeCGjPgaXGhnOYIlVAT8rNKi9Pd64acvdrhe6kAa26v8jDlJbsM1biDdtYeNko
 2UEAjpzSWou8KBHOlwvwIQ83BKzGwYXFiokN6+Wru1HeFDyE4BccP6n3XSbTduBXAdgf0JHDo
 ob1PcbYIgPaIeRcxdIq57EmRVPesRjSzq1MZkp7XJZWdZgbDGqsYwHvhyPlEaflFS5t3gGX1q
 dD7JzG9PE8FGR2dsH2U0sbr7j/y0CPLWBl23cyJwQHXF91WSxg8NmpDOoPnqpYg2xtIZiUokP
 fRoKCnN/diOeqXi/5raEjK7fDLp+pCXyAZ2HcHElN7rnCSb6BRCdXtWXLlvsOKGpGx/A60t26
 X+WX1j1QcuMG3fKttdhXpHDOWlVEYIR3iOSSRVN7tUaTAK2cC2mifByAGVZdr+sf+vphlFTXo
 K2CADn6Aa9lgLNqHtcNUVGptSxA0mS8QV/u3ik6qhY+NOckUdi5uZrouOHQoyHmUuUKbt4Y6I
 s2wVIftzdp6Riy7JQgqmPRTZq7eR4JJlKD2e23g818RKc8glei+LKuuDlEt/WT1xI+aI/ad+/
 HRARtnLLPPyAZK2rAqXzEd0EIXOFcYSriVRlDKyjJ547z937kMthmxyKmHkOzBNGtem+/ud0Y
 cg4Jqbba3YKNjCb/HOkMaJeNSbRU7p4vB/8f1iTSLx8mWEoJ+RU9la1B6HbQtnAb1WUUyJDG4
 iRuRfHQrJE+gUEiyd+fKTXB33am9gFt9Ug8ZexciEPcnpVWAfiTnuKiw6RHWt2Y5hsMGf9/C7
 SvpRKO9SXwZtJVWIIcK8gtECTyg0gKALdjgBkfc0vIRJt7+zVH4Teu5J3j6AArdL5cnhEKVxe
 rP3Y0oWXARZzajequUwgUxnxe2Knn3T7jnCsUYfpIOqi/uUwl3gsPIYe0SfthnvZS1041aqhj
 fyzYB2io3nJWyy6bWwVrZDP42cilRuQyn4SeI7fXiGZtG8U6Z5QxoXLg2cRTvXICD3lo0dTpr
 URTfTeg==
Subject: [Openvpn-devel] [PATCH 1/2] Remove x509-username-fields uppercasing
Precedence: list
From: corubba via Openvpn-devel <openvpn-devel@lists.sourceforge.net>
Reply-To: corubba <corubba@gmx.de>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: openvpn-devel-bounces@lists.sourceforge.net

Series

x509-username-fields improvements | expand

Commit Message

corubba Feb. 15, 2025, 7 p.m. UTC

The uppercasing was first introduced together with the
x509-username-field option in commit 935c62be, and first released with
v2.2.0 in 2011. The uppercasing was later deprecated with commit
f4e0ad82 and release v2.4.0 in 2016. It think it is time to finally
remove it.

This deprecated feature prevents you from using non-extension
all-lowercase fieldnames like `name`, because these are converted to
uppercase and then cause an error. The deprecation warning is also shown
in cases where there is no actual uppercasing happening, for example
with numerical forms (aka oids) like `2.5.4.41` (oid of `name`).

Signed-off-by: Corubba Smith <corubba@gmx.de>
---
 Changes.rst                      |  5 +++++
 doc/man-sections/tls-options.rst |  6 ------
 src/openvpn/options.c            | 27 +--------------------------
 3 files changed, 6 insertions(+), 32 deletions(-)

--
2.48.1

Comments

Gert Doering Feb. 20, 2025, 10:07 a.m. UTC | #1

Acked-by: Gert Doering <gert@greenie.muc.de>

Thanks for helping us get rid of our technical debt ;-) - and indeed,
if we declared it obsolete years ago, it should go now.  Someone will
complain, but this is not something which can't be fixed with a small
config change.

I have not tested this beyond a GHA test run (which is compiling on
all platforms but not actually excercising this code).

Your patch has been applied to the master branch.

commit 90d89cc4cc41da6678d244f03c842d1b745f106b
Author: Corubba Smith
Date:   Sat Feb 15 20:00:33 2025 +0100

     Remove x509-username-fields uppercasing

     Signed-off-by: Corubba Smith <corubba@gmx.de>
     Acked-by: Gert Doering <gert@greenie.muc.de>
     Message-Id: <cb8317eb-bfb6-47e8-9bc3-ae5cc603ff21@gmx.de>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30915.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

diff --git a/Changes.rst b/Changes.rst
index e0118111..bcc64fca 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -92,6 +92,11 @@  Compression on send
     ``--allow-compression yes`` is now an alias for
     ``--allow-compression asym``.

+User-visible Changes
+--------------------
+- ``--x509-username-field`` will no longer automatically convert fieldnames to
+  uppercase. This is deprecated since OpenVPN 2.4, and has now been removed.
+
 Overview of changes in 2.6
 ==========================

diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst
index cdb85716..7882e924 100644
--- a/doc/man-sections/tls-options.rst
+++ b/doc/man-sections/tls-options.rst
@@ -763,12 +763,6 @@  If the option is inlined, ``algo`` is always :code:`SHA256`.
   Only the :code:`subjectAltName` and :code:`issuerAltName` X.509
   extensions and :code:`serialNumber` X.509 attribute are supported.

-  **Please note:** This option has a feature which will convert an
-  all-lowercase ``fieldname`` to uppercase characters, e.g.,
-  :code:`ou` -> :code:`OU`. A mixed-case ``fieldname`` or one having the
-  :code:`ext:` prefix will be left as-is. This automatic upcasing feature is
-  deprecated and will be removed in a future release.
-
   Non-compliant symbols are being replaced with the :code:`_` symbol, same as
   the field separator, so concatenating multiple fields with such or :code:`_`
   symbols can potentially lead to username collisions.
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 3ae44dbe..6b2dfa58 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -9395,37 +9395,12 @@  add_option(struct options *options,
 #ifdef ENABLE_X509ALTUSERNAME
     else if (streq(p[0], "x509-username-field") && p[1])
     {
-        /* This option used to automatically upcase the fieldnames passed as the
-         * option arguments, e.g., "ou" became "OU". Now, this "helpfulness" is
-         * fine-tuned by only upcasing Subject field attribute names which consist
-         * of all lower-case characters. Mixed-case attributes such as
-         * "emailAddress" are left as-is. An option parameter having the "ext:"
-         * prefix for matching X.509v3 extended fields will also remain unchanged.
-         */
         VERIFY_PERMISSION(OPT_P_GENERAL);
         for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
         {
             char *s = p[j];

-            if (strncmp("ext:", s, 4) != 0)
-            {
-                size_t i = 0;
-                while (s[i] && !isupper(s[i]))
-                {
-                    i++;
-                }
-                if (strlen(s) == i)
-                {
-                    while ((*s = toupper(*s)) != '\0')
-                    {
-                        s++;
-                    }
-                    msg(M_WARN, "DEPRECATED FEATURE: automatically upcased the "
-                        "--x509-username-field parameter to '%s'; please update your "
-                        "configuration", p[j]);
-                }
-            }
-            else if (!x509_username_field_ext_supported(s+4))
+            if (strncmp("ext:", s, 4) == 0 && !x509_username_field_ext_supported(s+4))
             {
                 msg(msglevel, "Unsupported x509-username-field extension: %s", s);
             }

[Openvpn-devel,1/2] Remove x509-username-fields uppercasing

Commit Message

Comments

Patch