From patchwork Sun Mar 15 23:05:31 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: luca.boccassi@gmail.com
X-Patchwork-Id: 4834
Return-Path: <openvpn-devel-bounces@lists.sourceforge.net>
Delivered-To: patchwork@openvpn.net
Received: by 2002:a05:7000:2755:b0:83c:d90d:321 with SMTP id j21csp2536720maq;
        Sun, 15 Mar 2026 16:06:47 -0700 (PDT)
X-Forwarded-Encrypted: i=2;
 AJvYcCX0w1NPN7MSiaz9EwfaN43JOXCB+QNeGmzfCSVBWDiSRXtIQ/6S6AxznMFOWGNbt1mQiFMilYsqZw4=@openvpn.net
X-Received: by 2002:a05:6820:1628:b0:67b:baae:3341 with SMTP id
 006d021491bc7-67bdaa376d8mr8011858eaf.43.1773616007616;
        Sun, 15 Mar 2026 16:06:47 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1773616007; cv=none;
        d=google.com; s=arc-20240605;
        b=SLBQeWDVgLkTjvBiIR5cKiltL2kJPOFauKpQ8r1uEy54im8k005IkfdC30lm4wQ0g2
         hWjle0c7rXZD2HZ25F+NuyA5PB845RT/zDB2gGVyqDK2dcxjGtpKoQnYEXAwXCXtD6J0
         hoQKbtXiBaufDUcOHhYUP8wPG1aH+giAqihDNJl7JKkbc4VT76P4YC17YuaWmLZ3gGjv
         NW3G4szjg4mzFTjwvwnGzYTcqz8xwu+LeW8GxDS2+EZS7esoA9wgxl5eNDKjUsD/Wvjp
         fTzxcIEFj+NwyfSwcn9h25qqUnztUX8zcVcgg0y6HWXLd95PKITJc29NazILY+Q43bSC
         wnJQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20240605;
        h=errors-to:content-transfer-encoding:cc:list-subscribe:list-help
         :list-post:list-archive:list-unsubscribe:list-id:precedence:subject
         :mime-version:references:in-reply-to:message-id:date:to:from
         :dkim-signature:dkim-signature:dkim-signature:dkim-signature;
        bh=Rep6ksANQnwkZcRoz88Y+ozInpeiZUScBb9JHkL24FE=;
        fh=FRWMOQmE4vArX8xPll5WCJJjcBedLRfud2/cHUpioeU=;
        b=SpLT6dPuz+F1nvXG9bYJtK7vTAwP8Gc+QaY1eYX3lpXvAQh/vT5KfDJW/b2pAOyIqC
         HR777sSq4wFeZ/wYUrbE2MxzRWt1SXbBNfiYAsLyfD6miXeUvJtoZ1Q/4bTu9QBrBv7Y
         TvVqfeGNUVQS3u+aArfmfKgY1CTM5ldRYm5s7tVOdifz5dBSasChSD+u1/PfJhr8sXC2
         Ra7kV2P3YR458vNj0dMqrjuXhzOjyjv0/0zfc93o5LVSY2g+Edn8Hl4qJL0A1XKZAiw3
         f2MbK8ekkEF+As3OgGIlfQC58+uH8NBRtV/5piaMRUnsmkyyPfDW7sfM+VsZ0l6NzogG
         mDRw==;
        dara=google.com
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@lists.sourceforge.net header.s=beta
 header.b=RhjYCmkF;
       dkim=neutral (body hash did not verify) header.i=@sourceforge.net
 header.s=x header.b=kT8AFg4i;
       dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x
 header.b=Kc7TH4jo;
       dkim=neutral (body hash did not verify) header.i=@gmail.com
 header.s=20230601 header.b=abeZp9uz;
       spf=pass (google.com: domain of
 openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
 permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net;
       dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com;
       dara=neutral header.i=@openvpn.net
Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7])
        by mx.google.com with ESMTPS id
 006d021491bc7-67bf3e2a8e1si1646504eaf.77.2026.03.15.16.06.47
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Sun, 15 Mar 2026 16:06:47 -0700 (PDT)
Received-SPF: pass (google.com: domain of
 openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
 permitted sender) client-ip=216.105.38.7;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@lists.sourceforge.net header.s=beta
 header.b=RhjYCmkF;
       dkim=neutral (body hash did not verify) header.i=@sourceforge.net
 header.s=x header.b=kT8AFg4i;
       dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x
 header.b=Kc7TH4jo;
       dkim=neutral (body hash did not verify) header.i=@gmail.com
 header.s=20230601 header.b=abeZp9uz;
       spf=pass (google.com: domain of
 openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
 permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net;
       dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com;
       dara=neutral header.i=@openvpn.net
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=lists.sourceforge.net; s=beta; h=Content-Transfer-Encoding:Content-Type:Cc:
	List-Subscribe:List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id:
	Subject:MIME-Version:References:In-Reply-To:Message-ID:Date:To:From:Sender:
	Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender
	:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner;
	bh=Rep6ksANQnwkZcRoz88Y+ozInpeiZUScBb9JHkL24FE=; b=RhjYCmkFAvWeGDXKS+U8M1rh3k
	NnjX7mh615Y26yZKwNYvrmcQ9Rc3q/BRdfitsysts1/TFxVqEjLoC6dt+HTqTD+VFLB/4aLfR/xaq
	jsxtxncT4hDI/Nwf0SFWzgylKbbRNkvsy5jcJ5iGG4ysUy8/NKprvKgKtmONaioneN/4=;
Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com)
	by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.95)
	(envelope-from <openvpn-devel-bounces@lists.sourceforge.net>)
	id 1w1uXi-0000je-Fg;
	Sun, 15 Mar 2026 23:06:43 +0000
Received: from [172.30.29.66] (helo=mx.sourceforge.net)
 by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLS1.2) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95)
 (envelope-from <luca.boccassi@gmail.com>) id 1w1uXh-0000jR-Cy
 for openvpn-devel@lists.sourceforge.net;
 Sun, 15 Mar 2026 23:06:42 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References:
 In-Reply-To:Message-ID:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:
 Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:
 Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:
 List-Subscribe:List-Post:List-Owner:List-Archive;
 bh=gHxvvjzLZ7Ps1MX5y7X1zHoREUU7u/SYZkXhxdEBjcQ=; b=kT8AFg4iXU3cPnnp2onKxvzI2v
 iDauMuzXPLFUCVUdtm+ZlQ1kd8rDD+64ZKkbJEfoWsuZjRhqZBcBIkVxtosKa++MNFK71a1NeiGst
 iWBJxLK9LNpiYHK/GftbWK0xf8/eV3tG6NdxzqZj+LTVZLdBeo7z7R4I2TcHIn7GZ7+Y=;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x
 ;
 h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-ID:
 Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID:
 Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
 :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
 List-Post:List-Owner:List-Archive;
 bh=gHxvvjzLZ7Ps1MX5y7X1zHoREUU7u/SYZkXhxdEBjcQ=; b=Kc7TH4joj1xVOGNclvpgLIWFFh
 lg8FfE9K9GRNy7G6tIyNPjimiM1PJWyMamIMTgNQVqreMhD6aCf5gcEBWjkvERtlLGa+/esoiZChG
 fcsfbvvQqKifV4UragYg02E6WVlDjfqkRjY90sUoTLnyL/oCZu4jyqgpC3vkladLOvS8=;
Received: from mail-wr1-f53.google.com ([209.85.221.53])
 by sfi-mx-2.v28.lw.sourceforge.com with esmtps
 (TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.95)
 id 1w1uXh-00033U-Kt for openvpn-devel@lists.sourceforge.net;
 Sun, 15 Mar 2026 23:06:42 +0000
Received: by mail-wr1-f53.google.com with SMTP id
 ffacd0b85a97d-439b73f4ab4so4476974f8f.1
 for <openvpn-devel@lists.sourceforge.net>;
 Sun, 15 Mar 2026 16:06:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20230601; t=1773615990; x=1774220790;
 darn=lists.sourceforge.net;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:from:to:cc:subject:date
 :message-id:reply-to;
 bh=gHxvvjzLZ7Ps1MX5y7X1zHoREUU7u/SYZkXhxdEBjcQ=;
 b=abeZp9uzP4Aj4rpvArd0/JHt2LRsOUy0OsyJ8RosPGD9njQOYFcMBQ/1Wu+2ghhOwQ
 V0CDhVfUE4Mv15NP/bwKzKRl86J35+qesPyJo1BP38WbU5PN7nbHEVLuOYBN+5qedYje
 puZgmuSuflvr+nCYB+WI4EWGCZYu+awR+7eOg0j4s96zyN0y3O+KtUC2hMAdKunvi7l4
 VRATVCds5IcZenT6upvaBCmcO89rtPnOTldlrS9VMLHEF0WujZ7MggRCsMBLG4I52/aa
 vMV9eJ31BEOnkUiznUfOzfnfVxMe/3B24ijcF8Fa6Vt7SbBnqLl25iOyYiN0ctmIfljP
 aOKg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20251104; t=1773615990; x=1774220790;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from
 :to:cc:subject:date:message-id:reply-to;
 bh=gHxvvjzLZ7Ps1MX5y7X1zHoREUU7u/SYZkXhxdEBjcQ=;
 b=dnrH4oAfX3baWzRt0L5SxcKKKktXACtTp5tf78mR6LlyI6VN/t56Nh51wfWlxzRdZV
 UH7ZlU7I4pY7iBqFI/XZ2+MTAllJSNHwKanmbp/o0LU/fqPrDf8yB903PnTLlo0LKepO
 HwrzRAl7MPf4jQu5QvUasUGKgfRjL4mFtfB0ZOrQKr6+zCbBYECHbEi82BG7hgGdvU8d
 9CIeIhCFYiz//liinwU8qS/yP9e46DgdTQ4IK8EeikMi6eCUo3T7cQhifNmoYZrPwarY
 XNGCTau8YNHVi+nkoptoaX8s2MK4UQmUMz4Lx7FdqaWNihLJ109On249sgIBNlXCdybg
 1IuQ==
X-Gm-Message-State: AOJu0YxKGKqYcUEPdMMqj+toQy0ezCId3Sha7n3+7uaY0UlE6Zy0w1U1
 0cuQMhKlzEqnXoLI6BOmPnLWV7U+XRkHMJxtMVz5v4aaBx7rtNdeRcgpOykEcg==
X-Gm-Gg: ATEYQzzOP53tsErNivZ/Sypn6LkhxOxRmlykdfiVN4iXAGw4/muFkfoJbTHxhEBXIsk
 B9GliBQTa843HzR9H9tZLvR6cf2flSn43TV6R3Tn75WU/8TYf6Pbgbd1/5El4kPppN6SX3L1Xx6
 wCD4zxDhCIM67oCETeqXyYemlCnYyaQXDiTNEAvKlxvPjWVfUgRIURVqJFKDDlTZZZzw0dC5j2Q
 nFlfaVcmGItf7s4bQu4XBWgN2B0ihkHWCgXause5+mKkRDAj5vPpOUOLDKyu8wrCp0gKvKaYtRk
 BOCr5DaJ/DUsiRbRlRvaxwI9N4tv9b8gumQ/VYYC4GDbSsGwWgA6iCuoymzasZrNm2jpCJAGsKR
 sNWCyppB5J2EBN/6P+hZBpka5dglcaEH4He1agfQWBB74mIrWfs2Kk58Dw7h/bGGShzaoStogBX
 85Xj9/lnxyc/SPlKUCn4+qfcs/pWuK
X-Received: by 2002:a05:6000:2010:b0:439:b60a:b3ed with SMTP id
 ffacd0b85a97d-43a04d83c49mr20988427f8f.9.1773615989729;
 Sun, 15 Mar 2026 16:06:29 -0700 (PDT)
Received: from localhost ([2a01:4b00:d036:ae00:21cd:def0:a01d:d2aa])
 by smtp.gmail.com with UTF8SMTPSA id
 ffacd0b85a97d-439fe20b544sm38034074f8f.20.2026.03.15.16.06.28
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Sun, 15 Mar 2026 16:06:29 -0700 (PDT)
From: luca.boccassi@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Sun, 15 Mar 2026 23:05:31 +0000
Message-ID: <20260315230620.1594780-4-luca.boccassi@gmail.com>
X-Mailer: git-send-email 2.47.3
In-Reply-To: <20260315230620.1594780-1-luca.boccassi@gmail.com>
References: <20260315184337.1541272-1-luca.boccassi@gmail.com>
 <20260315230620.1594780-1-luca.boccassi@gmail.com>
MIME-Version: 1.0
X-Spam-Score: -0.2 (/)
X-Spam-Report: Spam detection software,
 running on the system "sfi-spamd-1.hosts.colo.sdot.me",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 Content preview: From: Luca Boccassi These hardcoded limits are different
 than
 the password size limit. Use the macro to ensure a password can always fit
 via the management channel, otherwise when long passwords are used (e.g.:
 tokens) t [...]
 Content analysis details:   (-0.2 points, 5.0 required)
 pts rule name              description
 ---- ----------------------
 --------------------------------------------------
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature,
 not necessarily valid
 -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
 domain
 -0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from
 envelope-from domain
 -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
 [luca.boccassi(at)gmail.com]
 0.0 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
 [209.85.221.53 listed in wl.mailspike.net]
X-Headers-End: 1w1uXh-00033U-Kt
Subject: [Openvpn-devel] [PATCH v2 3/3] Ensure the management channel can
 take passwords up to the max length
X-BeenThere: openvpn-devel@lists.sourceforge.net
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <openvpn-devel.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/options/openvpn-devel>,
 <mailto:openvpn-devel-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: 
 <http://sourceforge.net/mailarchive/forum.php?forum_name=openvpn-devel>
List-Post: <mailto:openvpn-devel@lists.sourceforge.net>
List-Help: <mailto:openvpn-devel-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/openvpn-devel>,
 <mailto:openvpn-devel-request@lists.sourceforge.net?subject=subscribe>
Cc: Luca Boccassi <luca.boccassi@gmail.com>
Errors-To: openvpn-devel-bounces@lists.sourceforge.net
X-getmail-retrieved-from-mailbox: Inbox
X-GMAIL-THRID: =?utf-8?q?1859771178492765389?=
X-GMAIL-MSGID: =?utf-8?q?1859771178492765389?=

From: Luca Boccassi <luca.boccassi@gmail.com>

These hardcoded limits are different than the password size limit.
Use the macro to ensure a password can always fit via the management
channel, otherwise when long passwords are used (e.g.: tokens) they
will be silently dropped.

Signed-off-by: Luca Boccassi <luca.boccassi@gmail.com>
---
 src/openvpn/manage.c  | 4 ++--
 src/openvpn/options.h | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c
index df72f15f..5cb25107 100644
--- a/src/openvpn/manage.c
+++ b/src/openvpn/manage.c
@@ -2653,9 +2653,9 @@ man_connection_init(struct management *man)
 
         /*
          * Allocate helper objects for command line input and
-         * command output from/to the socket.
+         * command output from/to the socket. Ensure a password cat fit.
          */
-        man->connection.in = command_line_new(1024);
+        man->connection.in = command_line_new(USER_PASS_LEN);
         man->connection.out = buffer_list_new();
 
         /*
diff --git a/src/openvpn/options.h b/src/openvpn/options.h
index 3d8b5059..4fafdc52 100644
--- a/src/openvpn/options.h
+++ b/src/openvpn/options.h
@@ -51,10 +51,10 @@
 #define MAX_PARMS 16
 
 /*
- * Max size of options line and parameter.
+ * Max size of options line and parameter. Ensure a password can fit.
  */
-#define OPTION_PARM_SIZE 256
-#define OPTION_LINE_SIZE 256
+#define OPTION_PARM_SIZE USER_PASS_LEN
+#define OPTION_LINE_SIZE USER_PASS_LEN
 
 extern const char title_string[];