Remove x509-username-fields uppercasing

The uppercasing was first introduced together with the x509-username-field option in commit 935c62b, and first released with v2.2.0 in 2011. The uppercasing was later deprecated with commit f4e0ad8 and release v2.4.0 in 2016. It think it is time to finally remove it. This deprecated feature prevents you from using non-extension all-lowercase fieldnames like `name`, because these are converted to uppercase and then cause an error. The deprecation warning is also shown in cases where there is no actual uppercasing happening, for example with numerical forms (aka oids) like `2.5.4.41` (oid of `name`). Signed-off-by: Corubba Smith <[email protected]> Acked-by: Gert Doering <[email protected]> Message-Id: <[email protected]> URL: https://www.mail-archive.com/[email protected]/msg30915.html Signed-off-by: Gert Doering <[email protected]>
OpenVPN · Feb 20, 2025 · 90d89cc · 90d89cc
1 parent 680ad84
commit 90d89cc
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 32 deletions.
diff --git a/Changes.rst b/Changes.rst
@@ -92,6 +92,11 @@ Compression on send
     ``--allow-compression yes`` is now an alias for
     ``--allow-compression asym``.
 
+User-visible Changes
+--------------------
+- ``--x509-username-field`` will no longer automatically convert fieldnames to
+  uppercase. This is deprecated since OpenVPN 2.4, and has now been removed.
+
 Overview of changes in 2.6
 ==========================
 

diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst
@@ -765,12 +765,6 @@ If the option is inlined, ``algo`` is always :code:`SHA256`.
   Only the :code:`subjectAltName` and :code:`issuerAltName` X.509
   extensions and :code:`serialNumber` X.509 attribute are supported.
 
-  **Please note:** This option has a feature which will convert an
-  all-lowercase ``fieldname`` to uppercase characters, e.g.,
-  :code:`ou` -> :code:`OU`. A mixed-case ``fieldname`` or one having the
-  :code:`ext:` prefix will be left as-is. This automatic upcasing feature is
-  deprecated and will be removed in a future release.
-
   Non-compliant symbols are being replaced with the :code:`_` symbol, same as
   the field separator, so concatenating multiple fields with such or :code:`_`
   symbols can potentially lead to username collisions.
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
@@ -9395,37 +9395,12 @@ add_option(struct options *options,
 #ifdef ENABLE_X509ALTUSERNAME
     else if (streq(p[0], "x509-username-field") && p[1])
     {
-        /* This option used to automatically upcase the fieldnames passed as the
-         * option arguments, e.g., "ou" became "OU". Now, this "helpfulness" is
-         * fine-tuned by only upcasing Subject field attribute names which consist
-         * of all lower-case characters. Mixed-case attributes such as
-         * "emailAddress" are left as-is. An option parameter having the "ext:"
-         * prefix for matching X.509v3 extended fields will also remain unchanged.
-         */
         VERIFY_PERMISSION(OPT_P_GENERAL);
         for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
         {
             char *s = p[j];
 
-            if (strncmp("ext:", s, 4) != 0)
-            {
-                size_t i = 0;
-                while (s[i] && !isupper(s[i]))
-                {
-                    i++;
-                }
-                if (strlen(s) == i)
-                {
-                    while ((*s = toupper(*s)) != '\0')
-                    {
-                        s++;
-                    }
-                    msg(M_WARN, "DEPRECATED FEATURE: automatically upcased the "
-                        "--x509-username-field parameter to '%s'; please update your "
-                        "configuration", p[j]);
-                }
-            }
-            else if (!x509_username_field_ext_supported(s+4))
+            if (strncmp("ext:", s, 4) == 0 && !x509_username_field_ext_supported(s+4))
             {
                 msg(msglevel, "Unsupported x509-username-field extension: %s", s);
             }