From patchwork Sat Feb 15 19:00:33 2025
X-Patchwork-Submitter: corubba
X-Patchwork-Id: 4147
Date: Sat, 15 Feb 2025 20:00:33 +0100
To: openvpn-devel@lists.sourceforge.net
In-Reply-To: <951b0ff7-9fb7-405b-bf6e-ef4ebf12afaf@gmx.de>
Subject: [Openvpn-devel] [PATCH 1/2] Remove x509-username-fields uppercasing
From: corubba

The uppercasing was first introduced together with the x509-username-field option in commit 935c62be, and first released with v2.2.0 in 2011. The uppercasing was later deprecated with commit f4e0ad82 and release v2.4.0 in 2016. I think it is time to finally remove it.

This deprecated feature prevents you from using non-extension all-lowercase fieldnames like `name`, because these are converted to uppercase and then cause an error. The deprecation warning is also shown in cases where there is no actual uppercasing happening, for example with numerical forms (aka oids) like `2.5.4.41` (oid of `name`).
Signed-off-by: Corubba Smith Acked-by: Gert Doering --- Changes.rst | 5 +++++ doc/man-sections/tls-options.rst | 6 ------ src/openvpn/options.c | 27 +-------------------------- 3 files changed, 6 insertions(+), 32 deletions(-) -- 2.48.1 diff --git a/Changes.rst b/Changes.rst index e0118111..bcc64fca 100644 --- a/Changes.rst +++ b/Changes.rst @@ -92,6 +92,11 @@ Compression on send ``--allow-compression yes`` is now an alias for ``--allow-compression asym``. +User-visible Changes +-------------------- +- ``--x509-username-field`` will no longer automatically convert fieldnames to + uppercase. This is deprecated since OpenVPN 2.4, and has now been removed. + Overview of changes in 2.6 ========================== diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst index cdb85716..7882e924 100644 --- a/doc/man-sections/tls-options.rst +++ b/doc/man-sections/tls-options.rst @@ -763,12 +763,6 @@ If the option is inlined, ``algo`` is always :code:`SHA256`. Only the :code:`subjectAltName` and :code:`issuerAltName` X.509 extensions and :code:`serialNumber` X.509 attribute are supported. - **Please note:** This option has a feature which will convert an - all-lowercase ``fieldname`` to uppercase characters, e.g., - :code:`ou` -> :code:`OU`. A mixed-case ``fieldname`` or one having the - :code:`ext:` prefix will be left as-is. This automatic upcasing feature is - deprecated and will be removed in a future release. - Non-compliant symbols are being replaced with the :code:`_` symbol, same as the field separator, so concatenating multiple fields with such or :code:`_` symbols can potentially lead to username collisions. diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 3ae44dbe..6b2dfa58 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -9395,37 +9395,12 @@ add_option(struct options *options, #ifdef ENABLE_X509ALTUSERNAME else if (streq(p[0], "x509-username-field") && p[1]) { - /* This option used to automatically upcase the fieldnames passed as the - * option arguments, e.g., "ou" became "OU". Now, this "helpfulness" is - * fine-tuned by only upcasing Subject field attribute names which consist - * of all lower-case characters. Mixed-case attributes such as - * "emailAddress" are left as-is. An option parameter having the "ext:" - * prefix for matching X.509v3 extended fields will also remain unchanged. - */ VERIFY_PERMISSION(OPT_P_GENERAL); for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; ++j) { char *s = p[j]; - if (strncmp("ext:", s, 4) != 0) - { - size_t i = 0; - while (s[i] && !isupper(s[i])) - { - i++; - } - if (strlen(s) == i) - { - while ((*s = toupper(*s)) != '\0') - { - s++; - } - msg(M_WARN, "DEPRECATED FEATURE: automatically upcased the " - "--x509-username-field parameter to '%s'; please update your " - "configuration", p[j]); - } - } - else if (!x509_username_field_ext_supported(s+4)) + if (strncmp("ext:", s, 4) == 0 && !x509_username_field_ext_supported(s+4)) { msg(msglevel, "Unsupported x509-username-field extension: %s", s); }
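Review bot: the Changes.rst hunk tells users what was removed but not what to do about it; since an all-lowercase `ou` in an existing config will no longer be rewritten to `OU`, the entry should spell out the migration step, e.g. "Field names are now used exactly as written; configurations relying on the automatic conversion (e.g. ``ou``) must be updated to the exact attribute name (``OU``)."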
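Review bot: the tls-options.rst hunk only deletes the "Please note" paragraph, leaving the manual silent on case handling; a one-line replacement stating that ``fieldname`` is matched exactly as given, so :code:`ou` and :code:`OU` are different, would prevent the support questions that the old paragraph pre-empted and would document that lowercase attribute names such as :code:`name` are now usable.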
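Review bot: in the options.c hunk the remaining loop body no longer writes to `s`, so `char *s = p[j];` can become `const char *s = p[j];`; and with the `isupper()`/`toupper()` calls gone from this block, check whether the `<ctype.h>` include in options.c (not visible in the hunk) still has other users and drop it if not, otherwise the removal leaves a dead include behind.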
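To make the two claims in the commit message concrete (an all-lowercase name such as `name` was rewritten to `NAME`, and the deprecation warning fired even for a numeric OID where nothing changed), here is an added, self-contained re-implementation of the removed normalisation logic beside the post-patch behaviour. This is example code written for this review, not OpenVPN's own code; the function names `old_normalize`, `new_normalize` and `old_result_is` are assumptions, and the `msg()` call is replaced by a boolean return that records whether the warning would have been emitted.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Reconstruction (hypothetical helper, not OpenVPN code) of the removed
 * --x509-username-field handling: copy `in` to `out`, upcase it if it has
 * no "ext:" prefix and contains no uppercase letter, and return whether
 * the DEPRECATED warning would have been printed. */
bool old_normalize(const char *in, char *out, size_t outlen)
{
    snprintf(out, outlen, "%s", in);
    if (strncmp("ext:", out, 4) == 0)
    {
        return false;               /* "ext:" names were always left alone */
    }
    size_t i = 0;
    while (out[i] && !isupper((unsigned char)out[i]))
    {
        i++;
    }
    if (strlen(out) == i)           /* no uppercase character found */
    {
        for (char *s = out; *s; s++)
        {
            *s = (char)toupper((unsigned char)*s);
        }
        return true;                /* warning fires even if nothing changed */
    }
    return false;
}

/* Post-patch behaviour: the field name is taken verbatim, no warning. */
bool new_normalize(const char *in, char *out, size_t outlen)
{
    snprintf(out, outlen, "%s", in);
    return false;
}

/* Convenience check: does the old logic turn `in` into `expected`, and does
 * it emit the warning as `expect_warn` says? */
bool old_result_is(const char *in, const char *expected, bool expect_warn)
{
    char buf[128];
    bool warned = old_normalize(in, buf, sizeof buf);
    return warned == expect_warn && strcmp(buf, expected) == 0;
}

/* Same check for the new logic, which must never warn or rewrite. */
bool new_keeps(const char *in)
{
    char buf[128];
    bool warned = new_normalize(in, buf, sizeof buf);
    return !warned && strcmp(buf, in) == 0;
}

int main(void)
{
    /* Constructed sample field names covering every branch of the old code. */
    const char *samples[] = { "ou", "name", "2.5.4.41", "emailAddress",
                              "ext:subjectAltName" };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++)
    {
        char oldbuf[128], newbuf[128];
        bool warned = old_normalize(samples[k], oldbuf, sizeof oldbuf);
        new_normalize(samples[k], newbuf, sizeof newbuf);
        printf("%-20s old=%-20s warn=%d  new=%s\n",
               samples[k], oldbuf, warned, newbuf);
    }
    return 0;
}
```

Running it shows `name` becoming `NAME` (so the lowercase attribute could never be selected), `2.5.4.41` passing through unchanged yet still flagged as warned, and `emailAddress` / `ext:subjectAltName` untouched in both versions.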