[Openvpn-devel] incorrect common name extraction

Thu, 22 Nov 2007 04:21:15 -0800 

Openvpn extracts only part of CN before '/'. For example from
"/O=MSU/O=Grid/OU=IMEC/OU=ca.grid.pp.ru/CN=host/vpn.grid.pp.ru"
openvpn extracts "host" (correct is "host/vpn.grid.pp.ru"). 
So all hosts get one CN "host" and client-connect script get incorrect
info.

DN's of such kind are used in Globus.

Fix (rewriting extract_x509_field to use openssl library functions) is
attached.
Second patch adds '/' to the list of allowed chars in CN so it won't be
remapped.

                                        Pavel

commit c96f2538fb506f6c531628ca4f48c3eb33a34765
Author: Pavel Shramov <p...@qwe.ipib.msu.ru>
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Wed Nov 21 17:40:32 2007 +0300

    allow / in CN

diff --git a/ssl.h b/ssl.h
index e07f19a..4319a81 100644
--- a/ssl.h
+++ b/ssl.h
@@ -282,7 +282,7 @@

 /* Legal characters in an X509 or common name */
 #define X509_NAME_CHAR_CLASS   (CC_ALNUM|CC_UNDERBAR|CC_DASH|CC_DOT|CC_AT|CC_COLON|CC_SLASH|CC_EQUAL)
-#define COMMON_NAME_CHAR_CLASS (CC_ALNUM|CC_UNDERBAR|CC_DASH|CC_DOT|CC_AT)
+#define COMMON_NAME_CHAR_CLASS (CC_ALNUM|CC_UNDERBAR|CC_DASH|CC_DOT|CC_AT|CC_SLASH)

 /* Maximum length of OCC options string passed as part of auth handshake */
 #define TLS_OPTIONS_LEN 512

commit c332964d29fb428c01dc691ececc7d80cce07dbd
Author: Pavel Shramov <p...@qwe.ipib.msu.ru>
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Wed Nov 21 17:40:21 2007 +0300

    fix x509 name fields extraction function

diff --git a/ssl.c b/ssl.c
index 9cde47d..cc5d8d3 100644
--- a/ssl.c
+++ b/ssl.c
@@ -370,6 +370,51 @@ extract_x509_field (const char *x509, const char *field_name, char *out, int siz
     }
 }

+/*
+ * Extract a field from an X509 subject name.
+ *
+ * Example:
+ *
+ * /C=US/ST=CO/L=Denver/O=ORG/CN=First-CN/CN=Test-CA/Email=j...@yonan.net
+ *
+ * The common name is 'Test-CA'
+ */
+static void
+extract_x509_field_ssl (X509_NAME *x509, const char *field_name, char *out, int size)
+{
+  int lastpos = -1;
+  int tmp = -1;
+  X509_NAME_ENTRY *x509ne = 0;
+  ASN1_STRING *asn1 = 0;
+  unsigned char *buf = 0;
+  int nid = OBJ_txt2nid(field_name);
+
+  ASSERT (size > 0);
+  *out = '\0';
+  do {
+    lastpos = tmp;
+    tmp = X509_NAME_get_index_by_NID(x509, nid, lastpos);
+  } while (tmp > 0);
+
+  /* Nothing found */
+  if (lastpos == -1)
+    return;
+
+  x509ne = X509_NAME_get_entry(x509, lastpos);
+  if (!x509ne)
+    return;
+
+  asn1 = X509_NAME_ENTRY_get_data(x509ne);
+  if (!asn1)
+    return;
+  tmp = ASN1_STRING_to_UTF8(&buf, asn1);
+  if (tmp <= 0)
+    return;
+
+  strncpynt(out, buf, size);
+  OPENSSL_free(buf);
+}
+
 static void
 setenv_untrusted (struct tls_session *session)
 {
@@ -445,7 +490,8 @@ verify_callback (int preverify_ok, X509_STORE_CTX * ctx)
   string_mod (subject, X509_NAME_CHAR_CLASS, 0, '_');

   /* extract the common name */
-  extract_x509_field (subject, "CN", common_name, TLS_CN_LEN);
+  extract_x509_field_ssl (X509_get_subject_name (ctx->current_cert), "CN", common_name, TLS_CN_LEN);
+  //extract_x509_field (subject, "CN", common_name, TLS_CN_LEN);
   string_mod (common_name, COMMON_NAME_CHAR_CLASS, 0, '_');

 #if 0 /* print some debugging info */

Reply via email to