On Wed, 22 Dec 2004, Charles Duffy wrote:
> On Wed, 22 Dec 2004 11:00:09 +0100, Alberto Gonzalez Iniesta wrote:
> > Recent updates of openvpn appear to have changed the handling of
> > whitespace in tls certificate names.
> ...
> > Now it needs '_' not '.' for spaces:
>
> My guess is that this is a consequence of some string-handling changes
> that were going on around 2.0-beta12 to 2.0-beta15.
Yes, this is something that needs to be better documented. Prior to
2.0-beta12, the string remapping code was a bit ad-hoc. Since then I've
tried to unify all string remapping towards a consistent model which
remaps illegal chars to '_'. The choice of underbar is arbitrary -- any
inert character will do.
Here is a brief rundown of OpenVPN's current string types and the
permitted character class for each string:
X509 Names: Alphanumeric, underbar ('_'), dash ('-'), dot ('.'), at
('@'), colon (':'), slash ('/'), and equal ('='). Alphanumeric is defined
as a character which will cause the C library isalnum() function to return
true.
Common Names: Alphanumeric, underbar ('_'), dash ('-'), dot ('.'), and at
('@').
--auth-user-pass username: Same as Common Name.
--auth-user-pass password: Any "printable" character except CR or LF.
Printable is defined to be a character which will cause the C library
isprint() function to return true.
--client-config-dir filename as derived from common name or username:
Alphanumeric, underbar ('_'), dash ('-'), and dot ('.') except for "." or
".." as standalone strings.
Environmental variable names: Alphanumeric or underbar ('_').
Environmental variable values: Any printable character.
For all cases, characters in a string which are not members of the legal
character class for that string type will be remapped to underbar ('_').
Q: Why is string remapping necessary?
A: It's an important security feature to prevent maliciously coded
strings from untrusted sources from being passed as parameters to scripts,
saved in the environment, used as a common name, translated to a filename,
etc.
James
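A worked implementation of the remapping model described in the message above, added here as an example; it is not OpenVPN's own code, and the flag names, CLASS_* macros, function names and sample inputs are assumptions for illustration. It builds one permitted character class per string type exactly as enumerated (X509 name, common name, username, password, client-config-dir filename, environment variable name and value), remaps every byte outside the class to '_', and applies the extra "." / ".." rule for client-config-dir filenames.

```c
/* String remapping in the spirit of the character classes listed in the
 * message above.  Added example, not OpenVPN's code: flag names, macros
 * and function names are assumptions for illustration. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum {
    CC_ALNUM    = 1 << 0, /* isalnum() is true (C locale: [A-Za-z0-9]) */
    CC_UNDERBAR = 1 << 1, /* '_' */
    CC_DASH     = 1 << 2, /* '-' */
    CC_DOT      = 1 << 3, /* '.' */
    CC_AT       = 1 << 4, /* '@' */
    CC_COLON    = 1 << 5, /* ':' */
    CC_SLASH    = 1 << 6, /* '/' */
    CC_EQUAL    = 1 << 7, /* '=' */
    CC_PRINT    = 1 << 8, /* isprint() is true */
    CC_NO_CRLF  = 1 << 9  /* reject CR/LF explicitly (isprint() already does; kept for clarity) */
};

/* One permitted class per string type, as enumerated in the message. */
#define CLASS_X509_NAME   (CC_ALNUM|CC_UNDERBAR|CC_DASH|CC_DOT|CC_AT|CC_COLON|CC_SLASH|CC_EQUAL)
#define CLASS_COMMON_NAME (CC_ALNUM|CC_UNDERBAR|CC_DASH|CC_DOT|CC_AT)
#define CLASS_USERNAME    CLASS_COMMON_NAME
#define CLASS_PASSWORD    (CC_PRINT|CC_NO_CRLF)
#define CLASS_CCD_FILE    (CC_ALNUM|CC_UNDERBAR|CC_DASH|CC_DOT)
#define CLASS_ENV_NAME    (CC_ALNUM|CC_UNDERBAR)
#define CLASS_ENV_VALUE   (CC_PRINT)

/* Allowlist check for a single byte.  The unsigned char cast matters:
 * passing a negative char to isalnum()/isprint() is undefined behaviour. */
static int char_allowed(unsigned char c, unsigned flags)
{
    if ((flags & CC_NO_CRLF) && (c == '\r' || c == '\n')) return 0;
    if ((flags & CC_PRINT) && isprint(c)) return 1;
    if ((flags & CC_ALNUM) && isalnum(c)) return 1;
    switch (c) {
    case '_': return (flags & CC_UNDERBAR) != 0;
    case '-': return (flags & CC_DASH) != 0;
    case '.': return (flags & CC_DOT) != 0;
    case '@': return (flags & CC_AT) != 0;
    case ':': return (flags & CC_COLON) != 0;
    case '/': return (flags & CC_SLASH) != 0;
    case '=': return (flags & CC_EQUAL) != 0;
    default:  return 0;
    }
}

/* Remap s in place: every byte outside the class becomes '_'.
 * Returns how many bytes were replaced, so a caller can log it. */
int remap_string(char *s, unsigned flags)
{
    int replaced = 0;
    for (; *s; ++s) {
        if (!char_allowed((unsigned char)*s, flags)) {
            *s = '_';
            ++replaced;
        }
    }
    return replaced;
}

/* Remap a copy of src into dst (dstsz bytes, always NUL-terminated).
 * Returns the number of replacements, or -1 if src does not fit. */
int remap_copy(char *dst, size_t dstsz, const char *src, unsigned flags)
{
    if (dstsz == 0 || strlen(src) >= dstsz) return -1;
    strcpy(dst, src);
    return remap_string(dst, flags);
}

/* The extra rule for --client-config-dir: after remapping, "." and ".."
 * are still rejected as standalone names, as is the empty string. */
int ccd_filename_ok(const char *name)
{
    return name[0] != '\0' && strcmp(name, ".") != 0 && strcmp(name, "..") != 0;
}

/* Self-check helper: 1 if remapping src under flags yields expected. */
int remap_matches(const char *src, unsigned flags, const char *expected)
{
    char buf[256];
    if (remap_copy(buf, sizeof buf, src, flags) < 0) return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed inputs: a CN with a space, shell metacharacters smuggled
     * into a username, and a bare ".." aimed at the client-config-dir. */
    const char *samples[] = { "Alberto Gonzalez", "user;rm -rf /", "..", NULL };
    char buf[256];
    for (int i = 0; samples[i]; ++i) {
        remap_copy(buf, sizeof buf, samples[i], CLASS_CCD_FILE);
        printf("%-18s -> %-18s ccd ok: %d\n", samples[i], buf, ccd_filename_ok(buf));
    }
    return 0;
}
```

Two practitioner notes on this model. First, isalnum() and isprint() are locale-dependent; the block never calls setlocale(), so it runs in the "C" locale where only ASCII letters and digits count as alphanumeric and every byte above 0x7f is remapped. Second, the remapping is lossy: "a b" and "a_b" both become "a_b", so two distinct certificate common names can collide once translated to a client-config-dir filename, which is worth keeping in mind when a CA issues names containing spaces or other non-permitted characters.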