diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index a673ec12..a2d3fd10 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -2705,6 +2705,12 @@ override_locked_username(struct multi_instance *mi) if (!multi->locked_original_username && strcmp(multi->locked_username, options->override_username) != 0) { + /* Check if the username length is acceptable */ + if (!ssl_verify_username_length(session, options->override_username)) + { + return false; + } + multi->locked_original_username = multi->locked_username; multi->locked_username = strdup(options->override_username); diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 6605a42b..96119c48 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -7880,10 +7880,10 @@ add_option(struct options *options, else if (streq(p[0], "override-username") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_INSTANCE); - if (strlen(p[1]) > TLS_USERNAME_LEN) + if (strlen(p[1]) > USER_PASS_LEN) { msg(msglevel, "override-username exceeds the maximum length of %d " - "characters", TLS_USERNAME_LEN); + "characters", USER_PASS_LEN); /* disable the connection since ignoring the request to * set another username might cause serious problems */ diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index 5f8f1d36..d2cc3d13 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -1568,6 +1568,24 @@ set_verify_user_pass_env(struct user_pass *up, struct tls_multi *multi, } } +bool +ssl_verify_username_length(struct tls_session *session, const char *username) +{ + if ((session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) + && strlen(username) > TLS_USERNAME_LEN) + { + msg(D_TLS_ERRORS, + "TLS Auth Error: --username-as-common name specified and " + "username is longer than the maximum permitted Common Name " + "length of %d characters", TLS_USERNAME_LEN); + return false; + } + else + { + return true; + } +} + /** * Main username/password verification entry point * @@ -1689,15 +1707,12 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, } /* check sizing of username if it will become our common name */ - if ((session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) - && strlen(up->username)>TLS_USERNAME_LEN) + if (!ssl_verify_username_length(session, up->username)) { - msg(D_TLS_ERRORS, - "TLS Auth Error: --username-as-common name specified and username is longer than the maximum permitted Common Name length of %d characters", - TLS_USERNAME_LEN); plugin_status = OPENVPN_PLUGIN_FUNC_ERROR; script_status = OPENVPN_PLUGIN_FUNC_ERROR; } + /* auth succeeded? */ bool plugin_ok = plugin_status == OPENVPN_PLUGIN_FUNC_SUCCESS || plugin_status == OPENVPN_PLUGIN_FUNC_DEFERRED; diff --git a/src/openvpn/ssl_verify.h b/src/openvpn/ssl_verify.h index eba38323..7a4d44ad 100644 --- a/src/openvpn/ssl_verify.h +++ b/src/openvpn/ssl_verify.h @@ -192,6 +192,20 @@ void verify_user_pass(struct user_pass *up, struct tls_multi *multi, struct tls_session *session); +/** + * Checks if the username length is valid to use. This checks when + * username-as-common-name is active if the username is shorter than + * the maximum TLS common name length (64). + * + * It will also display an error message if the name is too long + * + * @param session current TLS session + * @param username username to check + * @return true if name is under limit or username-as-common-name + * is not active + */ +bool ssl_verify_username_length(struct tls_session *session, + const char *username); /** * Runs the --client-crresponse script if one is defined.