From patchwork Sun Mar 15 23:05:28 2026
From: luca.boccassi@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Sun, 15 Mar 2026 23:05:28 +0000
Message-ID: <20260315230620.1594780-1-luca.boccassi@gmail.com>
In-Reply-To: <20260315184337.1541272-1-luca.boccassi@gmail.com>
References: <20260315184337.1541272-1-luca.boccassi@gmail.com>
Subject: [Openvpn-devel] [PATCH v2 0/3] Two small fixes for auth via tokens
Cc: Luca Boccassi

From: Luca Boccassi

When JWT (JSON Web Tokens) are used by a server to authenticate the client, the default TLS channel buffer size and password length are too small. In my local case connecting to an Azure VPN server, the Entra ID token is ~2100 bytes.

With these small changes, it is possible to successfully connect to an Azure VPN endpoint using the OpenVPN 2.7 client, using a dummy username, an Entra token as password and the server-secret from the azvpn XML config that users get as tls-auth key.

v2: also use the USER_PASS_LEN macro in the management channel params.
Luca Boccassi (3):
  Increase TLS_CHANNEL_BUF_SIZE from 2048 to 8192
  Unconditionally set USER_PASS_LEN to 4096
  Ensure the management channel can take passwords up to the max length

 src/openvpn/common.h  | 2 +-
 src/openvpn/manage.c  | 4 ++--
 src/openvpn/misc.h    | 4 ----
 src/openvpn/options.h | 6 +++---
 4 files changed, 6 insertions(+), 10 deletions(-)
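The sizing problem the series describes, as an added C example that is neither part of the patches nor OpenVPN's own code: a credential setter that fails closed instead of truncating a token that does not fit its buffer, and a check of whether a dummy username plus a ~2100-byte token fits the old (2048) versus new (8192) TLS channel buffer. The auth payload framing and its 64-byte header are assumed simplifications; the token is constructed and is not a real JWT.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Sizes named in the cover letter. */
#define TLS_CHANNEL_BUF_SIZE_OLD 2048
#define TLS_CHANNEL_BUF_SIZE_NEW 8192
#define USER_PASS_LEN_NEW 4096

enum cred_status { CRED_OK = 0, CRED_TOO_LONG = 1 };

/* Copy a NUL-terminated credential into a fixed buffer of 'cap' bytes.
 * Fails closed (buffer zeroed, nothing copied) when it would not fit:
 * silently truncating a bearer token would send the server a token with a
 * broken signature rather than an obvious local configuration error. */
static enum cred_status
set_credential(char *dst, size_t cap, const char *src)
{
    size_t n = strlen(src);
    if (n + 1 > cap) {
        memset(dst, 0, cap);
        return CRED_TOO_LONG;
    }
    memcpy(dst, src, n + 1);
    return CRED_OK;
}

/* Assumed simplification of the control-channel auth message: a fixed
 * header followed by username and password, each NUL-terminated.
 * Returns true if that fits in a TLS channel buffer of 'buf_size' bytes. */
static bool
auth_payload_fits(const char *user, const char *pass, size_t buf_size)
{
    const size_t header = 64; /* assumed placeholder overhead */
    size_t need = header + strlen(user) + 1 + strlen(pass) + 1;
    return need <= buf_size;
}

/* Constructed stand-in for a long token: three dot-separated segments of
 * letters, 'len' bytes in total. Caller frees the result. */
static char *
make_fake_token(size_t len)
{
    char *t = malloc(len + 1);
    for (size_t i = 0; i < len; i++) {
        t[i] = (i == len / 3 || i == 2 * len / 3) ? '.' : 'a' + (char)(i % 26);
    }
    t[len] = '\0';
    return t;
}
```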