author | jim-p <jimp@pfsense.org> | 2010-10-12 17:21:32 -0400 |
---|---|---|
committer | jim-p <jimp@pfsense.org> | 2010-10-12 17:21:32 -0400 |
commit | 8901958c07478a924b87bff8c0cde56e3a259a8c (patch) | |
tree | 8148693f63086ba55782a4e4620a771297bdb109 /etc | |
parent | bd6f4dccdb9764011bd56eb231db99a272f190db (diff) | |
Add backend code to verify the username against the certificate CN on login when the option is set by the user. GUI code to set the option is still needed. Ticket #887
Diffstat (limited to 'etc')
-rwxr-xr-x | etc/inc/openvpn.auth-user.php | 7 | ||||
-rw-r--r-- | etc/inc/openvpn.inc | 4 |
2 files changed, 10 insertions, 1 deletions
diff --git a/etc/inc/openvpn.auth-user.php b/etc/inc/openvpn.auth-user.php
index a611f8c..544e21f 100755
--- a/etc/inc/openvpn.auth-user.php
+++ b/etc/inc/openvpn.auth-user.php
@@ -85,6 +85,7 @@ openlog("openvpn", LOG_ODELAY, LOG_AUTH);
 /* read data from environment */
 $username = getenv("username");
 $password = getenv("password");
+$common_name = getenv("common_name");
 
 if (!$username || !$password) {
 	syslog(LOG_ERR, "invalid user authentication environment");
@@ -95,6 +96,12 @@ if (!$username || !$password) {
 //<template>
 
 $authenticated = false;
+
+if (($strictusercn === true) && ($common_name != $username)) {
+	syslog(LOG_WARNING, "Username does not match certificate common name ({$username} != {$common_name}), access denied.\n");
+	exit(1);
+}
+
 foreach ($authmodes as $authmode) {
 	$authcfg = auth_get_authserver($authmode);
 	if (!$authcfg && $authmode != "local")
diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc
index e41d39e..b25b257 100644
--- a/etc/inc/openvpn.inc
+++ b/etc/inc/openvpn.inc
@@ -392,7 +392,9 @@ function openvpn_reconfigure($mode,& $settings) {
 		$firstsed = 1;
 		$sed .= "\"{$authcfg}\"";
 	}
-	$sed .= ");";
+	$sed .= ");\\\n";
+	if (isset($settings['strictusercn']))
+		$sed .= "\$strictusercn = true;";
 	mwexec("/bin/cat /etc/inc/openvpn.auth-user.php | /usr/bin/sed 's/\/\/<template>/{$sed}/g' > {$g['varetc_path']}/openvpn/{$mode_id}.php");
 	mwexec("/bin/chmod a+x {$g['varetc_path']}/openvpn/{$mode_id}.php");
 	$conf .= "auth-user-pass-verify {$g['varetc_path']}/openvpn/{$mode_id}.php via-env\n";
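Review bot: The added `$common_name != $username` comparison in the second hunk of openvpn.auth-user.php is a loose comparison, so two numeric-looking strings that differ textually compare equal in PHP (`"1000" == "1e3"`, `"01" == "1"`), which lets the strict-CN check pass for a username that does not literally match the certificate CN; use `if (($strictusercn === true) && ($common_name !== $username)) {` (or `strcmp($common_name, $username) !== 0`) so the match is byte-exact. `$common_name` is `false` when OpenVPN does not export `common_name` to the environment, which still fails the strict check but logs an empty CN in the warning, and the trailing `\n` in the syslog() message is unnecessary. Both strings in that message come from the client side of the connection, so the log line should be read as untrusted input when it is parsed downstream. The `foreach` that follows the new block continues outside the hunk.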
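Review bot: `$strictusercn` is only written into the generated script when the option is set, so every run without it evaluates `$strictusercn === true` on an undefined variable (an undefined-variable notice in the generated file); emit the assignment unconditionally, e.g. `$sed .= "\$strictusercn = " . (isset($settings['strictusercn']) ? "true" : "false") . ";";`. `isset()` is also true for an empty-string value, so if the forthcoming GUI stores the unchecked option as `''` rather than omitting the key, strict mode would be switched on by mistake — worth pinning down when the GUI side lands. The `\\\n` continuation and the option text are spliced into a sed replacement inside a shell command, so anything appended to `$sed` must stay free of `/`, `&` and shell metacharacters; the literal added here is safe, but a comment such as `// appended to a sed replacement inside a shell command: no '/', '&' or shell metacharacters` would protect the next edit. `openvpn_reconfigure` starts and ends outside the hunk.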