Make the --x509-username-field feature an opt-in feature

After some discussion [1] regarding an extension of this feature, James Yonan wanted this extension to be an opt-in feature. However, as it does not make sense to opt-in on a extension of a feature which was discussed, this patch makes the base feature an opt-in instead. The base feature comes from commit 2e8337de248ef0b5b48cbb2964 (beta2.2) and commit 935c62be9c0c8a256112 (feat_misc). [1] http://thread.gmane.org/gmane.network.openvpn.devel/4266 Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: James Yonan <james@openvpn.net> (cherry picked from commit 024972e2ced84c6e5cabc43620ab510e5693d1d4)
2025-05-09 13:41:06 +08:00 · 2010-12-15 10:53:04 +01:00 · 2010-12-15 10:53:04 +01:00 · fbd18db648
commit fbd18db648
parent 709271e8af
4 changed files with 23 additions and 0 deletions
--- a/configure.ac
+++ b/configure.ac
@ -80,6 +80,12 @@ AC_ARG_ENABLE(ssl,
   [SSL="yes"]
 )

+AC_ARG_ENABLE(x509-alt-username,
+   [  --enable-x509-alt-username    Enable the --x509-username-field feature],
+   [X509ALTUSERNAME="$enableval"],
+   [X509ALTUSERNAME="no"]
+)
+
 AC_ARG_ENABLE(multi,
   [  --disable-multi         Disable client/server support (--mode server + client mode)],
   [MULTI="$enableval"],
@ -751,6 +757,11 @@ dnl
   fi
 fi

+dnl enable --x509-username-field feature if requested
+if test "$X509ALTUSERNAME" = "yes"; then
+   AC_DEFINE(ENABLE_X509ALTUSERNAME, 1, [Enable --x509-username-field feature])
+fi
+
 dnl enable pkcs11 capability
 if test "$PKCS11" = "yes"; then
   AC_CHECKING([for pkcs11-helper Library and Header files])
--- a/options.c
+++ b/options.c
@ -506,8 +506,10 @@ static const char usage_message[] =
  "--key file      : Local private key in .pem format.\n"
  "--pkcs12 file   : PKCS#12 file containing local private key, local certificate\n"
  "                  and optionally the root CA certificate.\n"
+#ifdef ENABLE_X509ALTUSERNAME
  "--x509-username-field : Field used in x509 certificat to be username.\n"
  "                        Default is CN.\n"
+#endif
 #ifdef WIN32
  "--cryptoapicert select-string : Load the certificate and private key from the\n"
  "                  Windows Certificate System Store.\n"
@ -761,9 +763,11 @@ init_options (struct options *o, const bool init_gc)
  o->renegotiate_seconds = 3600;
  o->handshake_window = 60;
  o->transition_window = 3600;
+#ifdef ENABLE_X509ALTUSERNAME
  o->x509_username_field = X509_USERNAME_FIELD_DEFAULT;
 #endif
 #endif
+#endif
 #ifdef ENABLE_PKCS11
  o->pkcs11_pin_cache_period = -1;
 #endif			/* ENABLE_PKCS11 */
@ -5898,6 +5902,7 @@ add_option (struct options *options,
 	}
      options->key_method = key_method;
    }
+#ifdef ENABLE_X509ALTUSERNAME
  else if (streq (p[0], "x509-username-field") && p[1])
    {
      char *s = p[1];
@ -5905,6 +5910,7 @@ add_option (struct options *options,
      while ((*s = toupper(*s)) != '\0') s++; /* Uppercase if necessary */
      options->x509_username_field = p[1];
    }
+#endif /* ENABLE_X509ALTUSERNAME */
 #endif /* USE_SSL */
 #endif /* USE_CRYPTO */
 #ifdef ENABLE_PKCS11
--- a/options.h
+++ b/options.h
@ -508,8 +508,10 @@ struct options
     within n seconds of handshake initiation. */
  int handshake_window;

+#ifdef ENABLE_X509ALTUSERNAME
  /* Field used to be the username in X509 cert. */
  char *x509_username_field;
+#endif

  /* Old key allowed to live n seconds after new key goes active */
  int transition_window;
--- a/ssl.c
+++ b/ssl.c
@ -1874,7 +1874,11 @@ init_ssl (const struct options *options)
    }
  else
 #endif
+#ifdef ENABLE_X509ALTUSERNAME
  x509_username_field = (char *) options->x509_username_field;
+#else
+  x509_username_field = X509_USERNAME_FIELD_DEFAULT;
+#endif
  SSL_CTX_set_verify (ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
 			verify_callback);