From patchwork Mon Mar 16 22:43:21 2026
X-Patchwork-Submitter: Luca Boccassi
X-Patchwork-Id: 4840
From: luca.boccassi@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 16 Mar 2026 22:43:21 +0000
Message-ID: <20260316224531.315912-1-luca.boccassi@gmail.com>
Subject: [Openvpn-devel] [PATCH] Fix password usage with ENABLE_PKCS11
From: Luca Boccassi

With ENABLE_PKCS11 USER_PASS_LEN is set to 4096 bytes. But if a user specifies a large password, as allowed by the limit, there are two places in the client that fail to handle it:

- in the TLS handling functions a single read/write is done into/out of the TLS layer, using a fixed-size buffer at 2048 bytes, so the rest of the password is truncated
- in the management protocol when processing a "password" field another fixed buffer at 256 bytes is used, so the rest of the password is truncated

Use int_max(xyz, USER_PASS_LEN) to define these buffers. In normal builds the current hardcoded values will stay the same, as they are higher. In ENABLE_PKCS11 builds the 4096 value will be higher, which will allow longer passwords to work when communicating to the server and in the management protocol.

Testing new client/old server shows no issues with a password that follows the existing 2048 bytes limit. In order to use a > 2048 bytes password, the server needs to be updated to this change too, otherwise it will truncate it, but that is the same as status quo: only passwords < 2048 bytes work, so there should be no regression.

This enables the use case where JIT use-once tokens are used as passwords.

Signed-off-by: Luca Boccassi
---
Alternative to: https://sourceforge.net/p/openvpn/mailman/openvpn-devel/thread/20260315230620.1594780-1-luca.boccassi%40gmail.com/#msg59309452

Instead of hardcoding larger buffers, simply use USER_PASS_LEN, so that builds without ENABLE_PKCS11 are not affected.

With these small changes, it is possible to successfully connect to an Azure VPN endpoint using the OpenVPN 2.7 client, using a dummy username, an Entra token as password and the server-secret from the azvpn XML config that users get as tls-auth key.

 src/openvpn/common.h        | 2 +-
 src/openvpn/manage.c        | 2 +-
 src/openvpn/options.h       | 4 ++--
 src/openvpn/options_parse.c | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/openvpn/common.h b/src/openvpn/common.h index aa7b7217..e1096b98 100644 --- a/src/openvpn/common.h +++ b/src/openvpn/common.h @@ -67,7 +67,7 @@ typedef unsigned long ptr_type; * maximum size of a single TLS message (cleartext). * This parameter must be >= PUSH_BUNDLE_SIZE */ -#define TLS_CHANNEL_BUF_SIZE 2048 +#define TLS_CHANNEL_BUF_SIZE max_int(2048, USER_PASS_LEN) /* TLS control buffer minimum size * diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index df72f15f..ea9bd8b0 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c @@ -2655,7 +2655,7 @@ man_connection_init(struct management *man) * Allocate helper objects for command line input and * command output from/to the socket. */ - man->connection.in = command_line_new(1024); + man->connection.in = command_line_new(max_int(1024, USER_PASS_LEN)); man->connection.out = buffer_list_new(); /* diff --git a/src/openvpn/options.h b/src/openvpn/options.h index 3d8b5059..a46c0d7c 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -53,8 +53,8 @@ /* * Max size of options line and parameter. */ -#define OPTION_PARM_SIZE 256 -#define OPTION_LINE_SIZE 256 +#define OPTION_PARM_SIZE max_int(256, USER_PASS_LEN) +#define OPTION_LINE_SIZE max_int(256, USER_PASS_LEN) extern const char title_string[]; diff --git a/src/openvpn/options_parse.c b/src/openvpn/options_parse.c index cb51ad24..1372a5fb 100644 --- a/src/openvpn/options_parse.c +++ b/src/openvpn/options_parse.c @@ -374,7 +374,7 @@ read_config_file(struct options *options, const char *file, int level, const cha int offset = 0; CLEAR(p); ++line_num; - if (strlen(line) == OPTION_LINE_SIZE) + if ((int)strlen(line) == OPTION_LINE_SIZE) { msg(msglevel, "In %s:%d: Maximum option line length (%d) exceeded, line starts with %s",
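Review bot: in the common.h hunk, `max_int` is the inline helper from integer.h, i.e. a function call, so `TLS_CHANNEL_BUF_SIZE` stops being an integer constant expression: any `char buf[TLS_CHANNEL_BUF_SIZE]`, struct member, file-scope array or static check built on it either becomes a variable-length array or fails to compile, and common.h must now have both `max_int` and `USER_PASS_LEN` in scope, neither of which is visible in the hunk's context. Suggest a preprocessor-level choice that keeps the macro a constant, e.g. `#if USER_PASS_LEN > 2048` / `#define TLS_CHANNEL_BUF_SIZE USER_PASS_LEN` / `#else` / `#define TLS_CHANNEL_BUF_SIZE 2048` / `#endif`, with the include that defines USER_PASS_LEN added above it. Minor: the commit message says `int_max` while the code uses `max_int`.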
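Review bot: the manage.c hunk enlarges the management command-line input buffer from 1024 to max(1024, USER_PASS_LEN), but the commit message describes the management-side failure as a 256-byte buffer for the "password" field; that 256 matches OPTION_PARM_SIZE/OPTION_LINE_SIZE in the options.h hunk rather than anything in this one, so the message should name both buffers so a reader can map each hunk to the truncation it fixes. Since this is a runtime call, `max_int` is fine here; still worth confirming that `command_line_new` rejects, rather than silently truncates, input longer than the new size, as the management interface is a network-reachable parser when bound to a TCP socket.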
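Review bot: in the options.h hunk OPTION_PARM_SIZE and OPTION_LINE_SIZE become `max_int(...)` calls, yet both are used as array bounds (the `line` buffer that read_config_file hands to strlen in the options_parse.c hunk is sized from OPTION_LINE_SIZE), so those arrays turn into C99 variable-length arrays where the compiler tolerates it and into compile errors where it does not (struct members, file-scope arrays, `-Wvla` builds). Keep them preprocessor constants, e.g. `#if USER_PASS_LEN > 256` / `#define OPTION_LINE_SIZE USER_PASS_LEN` / `#else` / `#define OPTION_LINE_SIZE 256` / `#endif` (same for OPTION_PARM_SIZE), and add the include that provides USER_PASS_LEN to options.h.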
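Review bot: the `(int)` cast in the options_parse.c hunk exists only because OPTION_LINE_SIZE is now an `int`-returning function call instead of an unsuffixed integer constant, so `strlen(line) == OPTION_LINE_SIZE` would trip -Wsign-compare; if the macros stay constants the cast is unnecessary and the comparison keeps its original types. The check itself still fires only when the line length equals OPTION_LINE_SIZE, which is pre-existing behaviour, so if the cast is kept a one-line comment saying why it is there would help the next reader.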