From patchwork Wed Jan 14 11:04:47 2026
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4704
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 14 Jan 2026 12:04:47 +0100
Message-ID: <20260114110452.4976-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.51.2
Subject: [Openvpn-devel] [PATCH v1] remove ENABLE_X509ALTUSERNAME conditional

This is one of the #ifdef producing compile-time variants that make the code harder to read and harder to test. The extra code size due to turning it on is marginal. The mbedTLS backend does not (yet) support it.
To cope with that, add a minimum function x509_username_field_ext_supported() that always returns "false", and omit the --x509-username-field from the help text if ENABLE_CRYPTO_MBEDTLS. Implement this on another day. Github: closes OpenVPN/openvpn#917 Change-Id: I3f661cf305c52652e430b8d219df5186dd8ea4f7 Signed-off-by: Gert Doering Acked-by: Arne Schwabe Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1442 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1442 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe diff --git a/CMakeLists.txt b/CMakeLists.txt index bdb1904..181c112 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -325,8 +325,6 @@ target_link_libraries(${target} PUBLIC ${wolfssl_LINK_LIBRARIES}) target_include_directories(${target} PRIVATE ${wolfssl_INCLUDE_DIRS}/wolfssl) else () - set(ENABLE_X509ALTUSERNAME YES) - find_package(OpenSSL REQUIRED) target_link_libraries(${target} PUBLIC OpenSSL::SSL OpenSSL::Crypto) if (WIN32) @@ -365,10 +363,8 @@ elseif (${WOLFSSL}) set(ENABLE_CRYPTO_OPENSSL YES) set(ENABLE_CRYPTO_WOLFSSL YES) - set(ENABLE_X509ALTUSERNAME YES) else () set(ENABLE_CRYPTO_OPENSSL YES) - set(ENABLE_X509ALTUSERNAME YES) endif () include_directories(${CMAKE_CURRENT_SOURCE_DIR} src/compat include) diff --git a/config.h.cmake.in b/config.h.cmake.in index 53c3598..ee5936a 100644 --- a/config.h.cmake.in +++ b/config.h.cmake.in @@ -62,9 +62,6 @@ /* Enable systemd integration */ /* #undef ENABLE_SYSTEMD */ -/* Enable --x509-username-field feature */ -#cmakedefine ENABLE_X509ALTUSERNAME - /* Define to 1 if you have the header file. */ #cmakedefine HAVE_ARPA_INET_H 1 diff --git a/configure.ac b/configure.ac index d5a0c70..9beae5a 100644 --- a/configure.ac +++ b/configure.ac 
@@ -88,13 +88,6 @@ ) AC_ARG_ENABLE( - [x509-alt-username], - [AS_HELP_STRING([--enable-x509-alt-username], [enable the --x509-username-field feature @<:@default=no@:>@])], - , - [enable_x509_alt_username="no"] -) - -AC_ARG_ENABLE( [dns-updown-by-default], [AS_HELP_STRING([--disable-dns-updown-by-default], [disable running --dns-updown by default @<:@default=yes@:>@])], , @@ -1186,15 +1179,6 @@ fi AC_MSG_RESULT([${GIT_CHECKOUT}]) -dnl enable --x509-username-field feature if requested -if test "${enable_x509_alt_username}" = "yes"; then - if test "${with_crypto_library}" = "mbedtls" ; then - AC_MSG_ERROR([mbed TLS does not support the --x509-username-field feature]) - fi - - AC_DEFINE([ENABLE_X509ALTUSERNAME], [1], [Enable --x509-username-field feature]) -fi - test "${enable_management}" = "yes" && AC_DEFINE([ENABLE_MANAGEMENT], [1], [Enable management server capability]) test "${enable_debug}" = "yes" && AC_DEFINE([ENABLE_DEBUG], [1], [Enable debugging support]) test "${enable_small}" = "yes" && AC_DEFINE([ENABLE_SMALL], [1], [Enable smaller executable size]) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index cd01520..52e7592 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -3328,11 +3328,7 @@ to.verify_hash_algo = options->verify_hash_algo; to.verify_hash_depth = options->verify_hash_depth; to.verify_hash_no_ca = options->verify_hash_no_ca; -#ifdef ENABLE_X509ALTUSERNAME memcpy(to.x509_username_field, options->x509_username_field, sizeof(to.x509_username_field)); -#else - to.x509_username_field[0] = X509_USERNAME_FIELD_DEFAULT; -#endif to.es = c->c2.es; to.net_ctx = &c->net_ctx; diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 34af0d3..ead6c73 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -595,8 +595,6 @@ #ifndef ENABLE_CRYPTO_MBEDTLS "--pkcs12 file : PKCS#12 file containing local private key, local certificate\n" " and optionally the root CA certificate.\n" -#endif -#ifdef ENABLE_X509ALTUSERNAME "--x509-username-field : Field in x509 certificate containing the username.\n" " Default is CN in the Subject field.\n" #endif @@ -885,9 +883,7 @@ o->transition_window = 3600; o->tls_cert_profile = NULL; o->ecdh_curve = NULL; -#ifdef ENABLE_X509ALTUSERNAME o->x509_username_field[0] = X509_USERNAME_FIELD_DEFAULT; -#endif #ifdef ENABLE_PKCS11 o->pkcs11_pin_cache_period = -1; #endif /* ENABLE_PKCS11 */ @@ -9073,7 +9069,6 @@ VERIFY_PERMISSION(OPT_P_GENERAL); x509_track_add(&options->x509_track, p[1], msglevel, &options->gc); } -#ifdef ENABLE_X509ALTUSERNAME else if (streq(p[0], "x509-username-field") && p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); @@ -9088,7 +9083,6 @@ options->x509_username_field[j - 1] = p[j]; } } -#endif /* ENABLE_X509ALTUSERNAME */ #ifdef ENABLE_PKCS11 else if (streq(p[0], "show-pkcs11-ids") && !p[3]) { diff --git a/src/openvpn/options.h b/src/openvpn/options.h index 0561c25..8fab922 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -651,10 +651,8 @@ * within n seconds of handshake initiation. */ int handshake_window; -#ifdef ENABLE_X509ALTUSERNAME /* Field list used to be the username in X509 cert. */ char *x509_username_field[MAX_PARMS]; -#endif /* Old key allowed to live n seconds after new key goes active */ int transition_window; diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index 3129299..3e2a4e8 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -360,11 +360,7 @@ int verify_hash_depth; bool verify_hash_no_ca; hash_algo_type verify_hash_algo; -#ifdef ENABLE_X509ALTUSERNAME char *x509_username_field[MAX_PARMS]; -#else - char *x509_username_field[2]; -#endif /* struct crypto_option flags */ unsigned int crypto_flags; 
diff --git a/src/openvpn/ssl_verify_backend.h b/src/openvpn/ssl_verify_backend.h index 1d56533..09fcadf 100644 --- a/src/openvpn/ssl_verify_backend.h +++ b/src/openvpn/ssl_verify_backend.h @@ -113,7 +113,7 @@ /* * Retrieve the certificate's username from the specified field. * - * If the field is prepended with ext: and ENABLE_X509ALTUSERNAME is enabled, + * If the field is prepended with ext: is enabled, * it will be loaded from an X.509 extension * * @param cn Buffer to return the common name in. @@ -126,15 +126,12 @@ result_t backend_x509_get_username(char *common_name, size_t cn_len, char *x509_username_field, openvpn_x509_cert_t *peer_cert); -#ifdef ENABLE_X509ALTUSERNAME /** * Return true iff the supplied extension field is supported by the * --x509-username-field option. */ bool x509_username_field_ext_supported(const char *extname); -#endif - /* * Return the certificate's serial number in decimal string representation. * diff --git a/src/openvpn/ssl_verify_mbedtls.c b/src/openvpn/ssl_verify_mbedtls.c index 250c806..393e7da 100644 --- a/src/openvpn/ssl_verify_mbedtls.c +++ b/src/openvpn/ssl_verify_mbedtls.c @@ -123,9 +123,12 @@ return 0; } -#ifdef ENABLE_X509ALTUSERNAME -#warning "X509 alt user name not yet supported for mbed TLS" -#endif +/* not supported for mbedTLS yet */ +bool +x509_username_field_ext_supported(const char *fieldname) +{ + return false; +} result_t backend_x509_get_username(char *cn, size_t cn_len, char *x509_username_field, mbedtls_x509_crt *cert) diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index 6cb04ee..9fdbe70 100644 --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c @@ -111,7 +111,6 @@ return ret; } -#ifdef ENABLE_X509ALTUSERNAME bool x509_username_field_ext_supported(const char *fieldname) { @@ -180,7 +179,6 @@ } return retval; } -#endif /* ENABLE_X509ALTUSERNAME */ /* * Extract a field from an X509 subject name. 
@@ -252,7 +250,6 @@ result_t backend_x509_get_username(char *common_name, size_t cn_len, char *x509_username_field, X509 *peer_cert) { -#ifdef ENABLE_X509ALTUSERNAME if (strncmp("ext:", x509_username_field, 4) == 0) { if (!extract_x509_extension(peer_cert, x509_username_field + 4, common_name, cn_len)) @@ -275,7 +272,6 @@ gc_free(&gc); } else -#endif /* ifdef ENABLE_X509ALTUSERNAME */ { X509_NAME *x509_subject_name = X509_get_subject_name(peer_cert); if (x509_subject_name == NULL)
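Review bot: dropping AC_ARG_ENABLE([x509-alt-username]) in configure.ac (first hunk) means an existing "./configure --enable-x509-alt-username" invocation is no longer recognised, and autoconf only warns about unknown --enable flags rather than failing, so nobody will notice their build recipe is stale. The patch touches no user-facing documentation; add a release-notes entry stating that the configure flag is gone and --x509-username-field is now always built for the OpenSSL/wolfSSL backends, and check the manual and INSTALL text for references to the old flag.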
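Review bot: in the init.c hunk, memcpy(to.x509_username_field, options->x509_username_field, sizeof(to.x509_username_field)) becomes the only code path, and it is correct only because options.h and ssl_common.h are both changed in this same patch to declare the array as char *x509_username_field[MAX_PARMS]; previously the #else branch sized the tls_options copy at 2. Consider a compile-time guard next to the memcpy, e.g. static_assert(sizeof(to.x509_username_field) == sizeof(options->x509_username_field), "x509_username_field size mismatch"), so the two declarations cannot drift apart later without a build error.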
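Review bot: the options.c usage hunk moves the --x509-username-field help text under the existing #ifndef ENABLE_CRYPTO_MBEDTLS block, but the parser hunk further down (the "x509-username-field" branch around line 9069) now accepts the option on every backend, so an mbedTLS build silently accepts an option it no longer documents. Whether the mbedTLS backend_x509_get_username handles a non-default field is not visible in this patch. Either reject the option under ENABLE_CRYPTO_MBEDTLS with an explicit error in the parser, or keep the help text visible on all backends and state in it that ext: fields are not supported with mbedTLS.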
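Review bot: the edited comment in ssl_verify_backend.h now reads "If the field is prepended with ext: is enabled, it will be loaded from an X.509 extension", which is ungrammatical: the "and ENABLE_X509ALTUSERNAME" clause was removed but "is enabled" was left behind. Suggest " * If the field is prepended with ext:, it will be loaded from an X.509 extension".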
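Review bot: the new x509_username_field_ext_supported() stub in ssl_verify_mbedtls.c never reads its fieldname parameter, so compilers invoked with -Wunused-parameter will warn on this file; add a (void)fieldname; or the project's unused-attribute idiom. The bare "/* not supported for mbedTLS yet */" comment would also be more useful as a doxygen note mirroring the declaration in ssl_verify_backend.h, stating that every ext: field is rejected on this backend, since that is the behaviour callers now rely on instead of the removed #warning.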