From patchwork Sun Mar 22 01:44:48 2026
X-Patchwork-Submitter: Luca Boccassi
X-Patchwork-Id: 4843
From: luca.boccassi@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Sun, 22 Mar 2026 01:44:48 +0000
Message-ID: <20260322014606.1415363-1-luca.boccassi@gmail.com>
X-Mailer: git-send-email 2.47.3
Subject: [Openvpn-devel] [PATCH] management: add multi-line base64 input for passwords

From: Luca Boccassi

Allow management clients to send long passwords via the usual multi-line base64 encoded protocol. A client sends a 'password ' line, followed by as many lines (each up to 1024 bytes) as needed, in base64 encoded format, terminated by 'END'. This is useful when a password is a JIT-generated use-once token.
Signed-off-by: Luca Boccassi --- As suggested by: https://sourceforge.net/p/openvpn/mailman/openvpn-devel/thread/CAKuzo_gRotwfVONQSn-yj1otvUNocAeUZqX8YjkRhP_L9jfb7A%40mail.gmail.com/#msg59309940 I have kept the same keyword 'password'. Currently sending 'password ' without a third field results in a hard error, so I hope this is ok, but can of course use a different token if preferred/needed. doc/management-notes.txt | 14 ++++++++ src/openvpn/manage.c | 76 ++++++++++++++++++++++++++++++++++++++-- src/openvpn/manage.h | 1 + 3 files changed, 89 insertions(+), 2 deletions(-) diff --git a/doc/management-notes.txt b/doc/management-notes.txt index 41e2a914..dc5a71dc 100644 --- a/doc/management-notes.txt +++ b/doc/management-notes.txt @@ -313,6 +313,20 @@ COMMAND -- password and username The escaping rules are the same as for the config file. See the "Command Parsing" section below for more info. + If the password is too long to fit in a single command line + (longer than 256 bytes), the management interface client should + use the multi-line base64 format instead: + + password "Auth" + [BASE64_PASSWORD_LINE] + ... + END + + In this format, the password is base64-encoded and split across + multiple lines, followed by END. Each line can be at most 1024 + bytes. This is the same format used by pk-sig and certificate + commands. + The PASSWORD real-time message type can also be used to indicate password or other types of authentication failure: diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index df72f15f..a155d1fd 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c @@ -31,6 +31,7 @@ #include "error.h" #include "fdmisc.h" #include "options.h" +#include "base64.h" #include "sig.h" #include "event.h" #include "otime.h" 
@@ -107,6 +108,8 @@ man_help(void) msg(M_CLIENT, " where action is reply string."); msg(M_CLIENT, "net : (Windows only) Show network info and routing table."); msg(M_CLIENT, "password type p : Enter password p for a queried OpenVPN password."); + msg(M_CLIENT, "password type : Enter password for a queried OpenVPN password"); + msg(M_CLIENT, " base64-encoded on subsequent lines followed by END."); msg(M_CLIENT, "remote type [host port] : Override remote directive, type=ACCEPT|MOD|SKIP."); msg(M_CLIENT, "remote-entry-count : Get number of available remote entries."); msg(M_CLIENT, "remote-entry-get i|all [j]: Get remote entry at index = i to to j-1 or all."); @@ -1012,6 +1015,41 @@ in_extra_reset(struct man_connection *mc, const int mode) } } +/** + * Enter multi-line base64 mode for receiving a password that exceeds the + * single-line parameter size limit. The management client sends: + * + * password TYPE + * + * + * ... + * END + * + * @param man The management interface struct + * @param type The type of password being entered (e.g. "Auth", "TLS-Auth", etc) + */ +static void +man_query_password_base64(struct management *man, const char *type) +{ + const bool needed = ((man->connection.up_query_mode == UP_QUERY_PASS + || man->connection.up_query_mode == UP_QUERY_USER_PASS) + && man->connection.up_query_type); + if (!needed) + { + msg(M_CLIENT, "ERROR: no password is currently needed at this time"); + return; + } + if (!man->connection.up_query_type || !streq(man->connection.up_query_type, type)) + { + msg(M_CLIENT, "ERROR: password of type '%s' entered, but we need one of type '%s'", + type, man->connection.up_query_type); + return; + } + struct man_connection *mc = &man->connection; + mc->in_extra_cmd = IEC_PASSWORD; + in_extra_reset(mc, IER_NEW); +} + static void in_extra_dispatch(struct management *man) { 
@@ -1045,6 +1083,33 @@ in_extra_dispatch(struct management *man) man->connection.ext_cert_input = man->connection.in_extra; man->connection.in_extra = NULL; return; + + case IEC_PASSWORD: + { + char decoded[USER_PASS_LEN]; + CLEAR(decoded); + + buffer_list_aggregate(man->connection.in_extra, + OPENVPN_BASE64_LENGTH(USER_PASS_LEN)); + struct buffer *buf = buffer_list_peek(man->connection.in_extra); + + if (buf && BLEN(buf) > 0) + { + int len = openvpn_base64_decode(BSTR(buf), decoded, + USER_PASS_LEN - 1); + if (len < 0) + { + msg(M_CLIENT, "ERROR: could not base64-decode password"); + break; + } + decoded[len] = '\0'; + } + + man_query_password(man, man->connection.up_query_type, + decoded); + secure_memzero(decoded, sizeof(decoded)); + break; + } } in_extra_reset(&man->connection, IER_RESET); } @@ -1591,9 +1656,16 @@ man_dispatch_command(struct management *man, struct status_output *so, const cha } else if (streq(p[0], "password")) { - if (man_need(man, p, 2, 0)) + if (man_need(man, p, 1, MN_AT_LEAST)) { - man_query_password(man, p[1], p[2]); + if (p[2]) + { + man_query_password(man, p[1], p[2]); + } + else + { + man_query_password_base64(man, p[1]); + } } } else if (streq(p[0], "forget-passwords")) diff --git a/src/openvpn/manage.h b/src/openvpn/manage.h index 38f437f4..797021d3 100644 --- a/src/openvpn/manage.h +++ b/src/openvpn/manage.h @@ -296,6 +296,7 @@ struct man_connection #define IEC_RSA_SIGN 3 #define IEC_CERTIFICATE 4 #define IEC_PK_SIGN 5 +#define IEC_PASSWORD 6 int in_extra_cmd; struct buffer_list *in_extra; unsigned long in_extra_cid;
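Review bot: the doc/management-notes.txt hunk states the per-line limit (1024 bytes) and the single-line threshold (256 bytes) but not the maximum decoded password length, while the manage.c decode path rejects anything above USER_PASS_LEN - 1 with the generic "could not base64-decode password" error; please state the decoded limit here (and tie the 256-byte figure to the constant that actually enforces it) so a client can tell a too-long token from a malformed one. The example also writes `password "Auth"` while the new help text says `password type`; pick one spelling for both.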
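Review bot: in man_query_password_base64(), the second `if` re-tests `!man->connection.up_query_type`, but `needed` is already false whenever that pointer is NULL, so the first operand is dead code; drop it, and declare `mc` before the checks so the function uses the alias throughout instead of repeating `man->connection`.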
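Review bot: the IEC_PASSWORD case in in_extra_dispatch() has several gaps. When the client sends END with no body, `buf` is NULL or empty, `decoded` stays all-zero and man_query_password() is still called, so an empty password is submitted silently; answer with an ERROR instead. buffer_list_aggregate() is capped at OPENVPN_BASE64_LENGTH(USER_PASS_LEN) but only the first entry is decoded via buffer_list_peek(), so an oversize body that leaves a second entry behind is decoded from its first chunk alone and may be accepted as a shorter password; check that the list holds exactly one entry after aggregation and error otherwise. On the `len < 0` path the `break` skips `secure_memzero(decoded, sizeof(decoded))` although the decoder may already have written partial bytes, and the base64 form of the secret stays in in_extra until in_extra_reset() frees it without wiping; zero `decoded` on every exit and clear the aggregated buffer before the reset. Finally, `man->connection.up_query_type` is passed to man_query_password() unchecked; if the query is no longer pending when END arrives that argument is NULL, so re-run the pending-query test here as well.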
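Review bot: in the man_dispatch_command() hunk, `man_need(man, p, 1, MN_AT_LEAST)` accepts any number of trailing fields, so `password Auth secret extra` is no longer rejected as it was under the exact-count check; add a `p[3] == NULL` test (or equivalent) so malformed commands still produce a hard error instead of silently ignoring extra arguments.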
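The multi-line exchange described in the commit message, as an added example that is not code from the patch or from the OpenVPN project: a client-side encoder that splits the base64 body at 1024 bytes and terminates it with END, and a Python reference model of the server-side checks. The value of USER_PASS_LEN, the rejection of an empty body and the exact error strings are assumptions, not the patch's behaviour.

```python
import base64
import binascii
from typing import Optional

LINE_MAX = 1024        # per-line limit named in the patch
USER_PASS_LEN = 4096   # assumed value of OpenVPN's USER_PASS_LEN; the patch names it, not its size


def multiline_password_lines(ptype: str, password: bytes) -> list:
    """Client side: 'password TYPE', base64 body in lines of at most 1024 bytes, then 'END'."""
    body = base64.b64encode(password).decode("ascii")
    chunks = [body[i:i + LINE_MAX] for i in range(0, len(body), LINE_MAX)]
    return [f"password {ptype}", *chunks, "END"]


def parse_multiline_password(lines: list) -> tuple:
    """Server-side reference model (assumed, not manage.c): collect lines up to END,
    decode the whole body once and enforce the decoded limit; ValueError stands in
    for the ERROR reply the management interface would send."""
    head = lines[0].split()
    if len(head) != 2 or head[0] != "password":
        raise ValueError("expected 'password TYPE'")
    body = []
    for line in lines[1:]:
        if line == "END":
            break
        if len(line) > LINE_MAX:
            raise ValueError("line exceeds 1024 bytes")
        body.append(line)
    else:  # loop ran out of lines without seeing the terminator
        raise ValueError("missing END terminator")
    if not body:  # assumption: an empty body is an error, not an empty password
        raise ValueError("empty password body")
    try:
        decoded = base64.b64decode("".join(body), validate=True)
    except binascii.Error as exc:
        raise ValueError("could not base64-decode password") from exc
    if len(decoded) > USER_PASS_LEN - 1:  # leave room for the C NUL terminator
        raise ValueError("decoded password too long")
    return head[1], decoded


def rejection_reason(lines: list) -> Optional[str]:
    """Return the error text the model would emit for these lines, or None if accepted."""
    try:
        parse_multiline_password(lines)
    except ValueError as exc:
        return str(exc)
    return None
```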