From patchwork Tue Apr 14 05:58:24 2026
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4889
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 14 Apr 2026 07:58:24 +0200
Message-ID: <20260414055830.17032-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.52.0
Subject: [Openvpn-devel] [PATCH v1] verify_x509_name: Improve the error message on failure

From: Selva Nair

Print the actual string that was used for the match instead of the whole subject.

Github: closes OpenVPN/openvpn#992

Change-Id: I6e7947ab81cf229f0d27714dd563a07ace6bd38a
Signed-off-by: Selva Nair
Acked-by: Arne Schwabe
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1624
---

This change was reviewed on Gerrit and approved by at least one developer.
I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1624
This mail reflects revision 1 of this Change.

Acked-by according to Gerrit (reflected above):
Arne Schwabe

diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index d44f25f..21b516d 100644
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@@ -369,21 +369,32 @@ /* verify X509 name or username against --verify-x509-[user]name */ if (opt->verify_x509_type != VERIFY_X509_NONE) { - if ((opt->verify_x509_type == VERIFY_X509_SUBJECT_DN - && strcmp(opt->verify_x509_name, subject) == 0) - || (opt->verify_x509_type == VERIFY_X509_SUBJECT_RDN - && strcmp(opt->verify_x509_name, common_name) == 0) - || (opt->verify_x509_type == VERIFY_X509_SUBJECT_RDN_PREFIX - && strncmp(opt->verify_x509_name, common_name, strlen(opt->verify_x509_name)) == 0)) + const char *err_fmt = "VERIFY X509NAME ERROR: %s, must be %s"; + const char *match_str = common_name; + bool verified = false; + switch (opt->verify_x509_type) { - msg(D_HANDSHAKE, "VERIFY X509NAME OK: %s", subject); + case VERIFY_X509_SUBJECT_DN: + match_str = subject; + verified = !strcmp(opt->verify_x509_name, match_str); + break; + case VERIFY_X509_SUBJECT_RDN: + verified = !strcmp(opt->verify_x509_name, match_str); + break; + case VERIFY_X509_SUBJECT_RDN_PREFIX: + err_fmt = "VERIFY X509NAME ERROR: %s, must start with %s"; + verified = !strncmp(opt->verify_x509_name, match_str, strlen(opt->verify_x509_name)); + break; + default: + ASSERT(0); /* should not happen */ + break; } - else + if (!verified) { - msg(D_HANDSHAKE, "VERIFY X509NAME ERROR: %s, must be %s", subject, - opt->verify_x509_name); - return FAILURE; /* Reject connection */ + msg(D_HANDSHAKE, err_fmt, match_str, opt->verify_x509_name); + return FAILURE; } + msg(D_HANDSHAKE, "VERIFY X509NAME OK: %s", subject); } return SUCCESS;
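Review bot: `msg(D_HANDSHAKE, err_fmt, match_str, opt->verify_x509_name);` passes a non-literal format string; if msg() carries a printf-format attribute, builds with -Wformat-nonliteral will flag it, and either way the compiler can no longer check that the two %s conversions match their arguments. Since the two err_fmt values differ only in the qualifier ("be" versus "start with"), consider keeping the format a literal and passing the qualifier as an argument: set `const char *qualifier = "be";` next to match_str, switch it to "start with" in the VERIFY_X509_SUBJECT_RDN_PREFIX case, and log with `msg(D_HANDSHAKE, "VERIFY X509NAME ERROR: %s, must %s %s", match_str, qualifier, opt->verify_x509_name);`. Separately, the success path still logs the whole subject (`msg(D_HANDSHAKE, "VERIFY X509NAME OK: %s", subject);`) while the failure path now logs match_str; logging match_str on success too would keep the two messages consistent with the intent stated in the commit message, unless the full subject is deliberately wanted there.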