From patchwork Wed Apr 2 13:45:39 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4208
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 2 Apr 2025 15:45:39 +0200
Message-ID: <20250402134546.3504-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.45.2
Subject: [Openvpn-devel] [PATCH v3] Use USER_PASS_LEN instead of TLS_USERNAME_LEN for override-username

From: Arne Schwabe

Currently override-username is artificially restricted to the length of TLS common-name (64) for the corner case of using username-as-common-name, which we explicitly do not recommend using.

Do away with that limitation and only error out on longer usernames when username-as-common-name is actually in effect.

Change-Id: I1c2c050dd160746a0f8d9c234abe1e258bc8e48d
Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/913 This mail reflects revision 3 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index a673ec1..a2d3fd1 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -2705,6 +2705,12 @@ if (!multi->locked_original_username && strcmp(multi->locked_username, options->override_username) != 0) { + /* Check if the username length is acceptable */ + if (!ssl_verify_username_length(session, options->override_username)) + { + return false; + } + multi->locked_original_username = multi->locked_username; multi->locked_username = strdup(options->override_username); diff --git a/src/openvpn/options.c b/src/openvpn/options.c index ab56609..f89fc7d 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -7875,10 +7875,10 @@ else if (streq(p[0], "override-username") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_INSTANCE); - if (strlen(p[1]) > TLS_USERNAME_LEN) + if (strlen(p[1]) > USER_PASS_LEN) { msg(msglevel, "override-username exceeds the maximum length of %d " - "characters", TLS_USERNAME_LEN); + "characters", USER_PASS_LEN); /* disable the connection since ignoring the request to * set another username might cause serious problems */ diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index 5f8f1d3..d2cc3d1 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c 
@@ -1568,6 +1568,24 @@ } } +bool +ssl_verify_username_length(struct tls_session *session, const char *username) +{ + if ((session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) + && strlen(username) > TLS_USERNAME_LEN) + { + msg(D_TLS_ERRORS, + "TLS Auth Error: --username-as-common name specified and " + "username is longer than the maximum permitted Common Name " + "length of %d characters", TLS_USERNAME_LEN); + return false; + } + else + { + return true; + } +} + /** * Main username/password verification entry point * @@ -1689,15 +1707,12 @@ } /* check sizing of username if it will become our common name */ - if ((session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) - && strlen(up->username)>TLS_USERNAME_LEN) + if (!ssl_verify_username_length(session, up->username)) { - msg(D_TLS_ERRORS, - "TLS Auth Error: --username-as-common name specified and username is longer than the maximum permitted Common Name length of %d characters", - TLS_USERNAME_LEN); plugin_status = OPENVPN_PLUGIN_FUNC_ERROR; script_status = OPENVPN_PLUGIN_FUNC_ERROR; } + /* auth succeeded? */ bool plugin_ok = plugin_status == OPENVPN_PLUGIN_FUNC_SUCCESS || plugin_status == OPENVPN_PLUGIN_FUNC_DEFERRED; diff --git a/src/openvpn/ssl_verify.h b/src/openvpn/ssl_verify.h index eba3832..7a4d44a 100644 --- a/src/openvpn/ssl_verify.h +++ b/src/openvpn/ssl_verify.h @@ -192,6 +192,20 @@ struct tls_session *session); +/** + * Checks if the username length is valid to use. This checks when + * username-as-common-name is active if the username is shorter than + * the maximum TLS common name length (64). + * + * It will also display an error message if the name is too long + * + * @param session current TLS session + * @param username username to check + * @return true if name is under limit or username-as-common-name + * is not active + */ +bool ssl_verify_username_length(struct tls_session *session, + const char *username); /** * Runs the --client-crresponse script if one is defined.
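Review bot: in the multi.c hunk the new check returns false before the strdup, which is the right order, but the only diagnostic an operator will see is the message printed inside ssl_verify_username_length, which talks about --username-as-common-name and a too-long username and never says that the offending name came from --override-username. Add a msg() at this call site that names override-username and the rejected length, so a dropped client can be traced back to the plugin or client-config that set it. The hunk also does not show how the caller handles the false return; given the options.c comment that ignoring the request to set another username "might cause serious problems", confirm the caller actually drops the client rather than continuing with the old locked_username.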
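Review bot: in the options.c hunk the comparison `strlen(p[1]) > USER_PASS_LEN` now accepts a name of exactly USER_PASS_LEN characters. If USER_PASS_LEN is the size of the fixed `username` array in struct user_pass (the hunk does not show where else the override name is consumed), a name of that length leaves no room for the terminating NUL when it is copied into such a buffer; either make the check `>= USER_PASS_LEN` or note in a comment that the limit is the buffer size and every consumer must treat it as exclusive. The multi.c path uses strdup, so that caller is fine either way.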
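Review bot: the error string in the new ssl_verify_username_length reads "--username-as-common name specified" but the option is --username-as-common-name; the missing hyphen is inherited from the text being moved, but since the message is re-typed here anyway it should be fixed now. Style: the `else { return true; }` after an unconditional `return false` in the if branch is redundant; drop the else and return true directly. Finally, D_TLS_ERRORS is a questionable level now that the function is also called from the override-username path in multi.c, where the failure is a configuration problem rather than a TLS error.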
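Review bot: the added `+` blank line before `/* auth succeeded? */` in the second ssl_verify.c hunk is an unrelated whitespace change and should be dropped from this patch. Otherwise the refactor preserves behaviour: both plugin_status and script_status are still forced to OPENVPN_PLUGIN_FUNC_ERROR when the name is too long, and the message text moves into the helper.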
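Review bot: the doc comment in the ssl_verify.h hunk says the check passes when the username is "shorter than the maximum TLS common name length (64)" and @return says "under limit", but the implementation rejects only `strlen(username) > TLS_USERNAME_LEN`, so a 64-character name is accepted. Say "at most TLS_USERNAME_LEN characters" and refer to the macro rather than hard-coding 64, so the comment cannot drift from the definition. The comment should also mention that the function logs the error itself, which it does, but at D_TLS_ERRORS regardless of which caller invoked it.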