From patchwork Sun Mar 15 18:39:54 2026
From: luca.boccassi@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Sun, 15 Mar 2026 18:39:54 +0000
Message-ID: <20260315184337.1541272-1-luca.boccassi@gmail.com>
X-Mailer: git-send-email 2.47.3
Subject: [Openvpn-devel] [PATCH 0/2] Two small fixes for auth via tokens
Cc: Luca Boccassi

From: Luca Boccassi

When JWT (JSON web tokens) are used by a server to authenticate the client,
the default TLS channel buffer size and password length are too small.
In my local case connecting to an Azure VPN server, the Entra ID token is
~2100 bytes.

With these two small changes, it is possible to successfully connect to an
Azure VPN endpoint using the OpenVPN 2.7 client, using a dummy username, an
Entra token as password and the server-secret from the azvpn XML config
that users get as tls-auth key.

Luca Boccassi (2):
  Increase TLS_CHANNEL_BUF_SIZE from 2048 to 8192
  Unconditionally set USER_PASS_LEN to 4096

 src/openvpn/common.h | 2 +-
 src/openvpn/misc.h   | 4 ----
 2 files changed, 1 insertion(+), 5 deletions(-)
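The cover letter's point is a size mismatch: an Entra ID JWT of roughly 2100 bytes does not fit in a 2048-byte password buffer. The following is an added illustration, not code from the patch series or from OpenVPN: a bounded credential-copy routine that refuses a token that does not fit (rather than truncating it, which would send a broken bearer token to the server with no useful client-side error), exercised with a constructed JWT-shaped token of 2100 bytes against a 2048-byte and a 4096-byte limit. The function names, the local OLD_USER_PASS_LEN/NEW_USER_PASS_LEN constants and the synthetic token contents are all assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative limits mirroring the values named in the cover letter.
 * Local constants for this example, not OpenVPN's own definitions. */
#define OLD_USER_PASS_LEN 2048
#define NEW_USER_PASS_LEN 4096

/* Copy a NUL-terminated credential into a fixed buffer of cap bytes.
 * Returns false and leaves dst empty when the credential plus its
 * terminator does not fit. It never truncates: a truncated bearer token
 * is still a syntactically plausible password and would only fail later,
 * at the server, with a generic auth error. */
bool copy_credential(char *dst, size_t cap, const char *src)
{
    size_t len = strlen(src);
    if (cap == 0) {
        return false;
    }
    if (len + 1 > cap) {
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, src, len + 1);
    return true;
}

/* Build a constructed JWT-shaped string (header.payload.signature) of
 * exactly total_len characters into buf, which must hold total_len + 1.
 * The segments are filler letters, not a real token; the signature
 * segment is sized like a base64url RS256 signature (342 chars). */
void make_fake_jwt(char *buf, size_t total_len)
{
    const size_t hdr = 36, sig = 342;
    if (total_len < hdr + sig + 2) {
        memset(buf, 'p', total_len); /* too short for three segments */
        buf[total_len] = '\0';
        return;
    }
    size_t payload = total_len - hdr - sig - 2, i = 0;
    memset(buf + i, 'h', hdr);     i += hdr;     buf[i++] = '.';
    memset(buf + i, 'p', payload); i += payload; buf[i++] = '.';
    memset(buf + i, 's', sig);     i += sig;
    buf[i] = '\0';
}

/* Does a token of token_len bytes fit a password buffer of cap bytes? */
bool token_fits(size_t token_len, size_t cap)
{
    char *token = malloc(token_len + 1);
    char *dst = malloc(cap);
    bool ok = false;
    if (token && dst) {
        make_fake_jwt(token, token_len);
        ok = copy_credential(dst, cap, token);
    }
    free(token);
    free(dst);
    return ok;
}

int main(void)
{
    const size_t entra_len = 2100; /* size reported in the cover letter */
    printf("%zu-byte token, limit %d: %s\n", entra_len, OLD_USER_PASS_LEN,
           token_fits(entra_len, OLD_USER_PASS_LEN) ? "accepted" : "rejected");
    printf("%zu-byte token, limit %d: %s\n", entra_len, NEW_USER_PASS_LEN,
           token_fits(entra_len, NEW_USER_PASS_LEN) ? "accepted" : "rejected");
    return 0;
}
```

The off-by-one at the boundary is deliberate and worth checking in any such routine: a buffer of 2048 bytes holds at most 2047 token characters plus the terminator, so a 2048-character token is already rejected.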