From patchwork Mon Mar 30 12:43:26 2026
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4857
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 30 Mar 2026 14:43:26 +0200
Message-ID: <20260330124332.25311-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.52.0
Subject: [Openvpn-devel] [PATCH v7] management: add base64 multi-line input for passwords
From: Luca Boccassi Allow management clients to send long passwords via the usual multi-line base64 encoded protocol. A client declares MCV 4 support and sends a 'password ' line, followed by as many lines (each up to 1024 bytes) as needed, in base64 encoded format, terminated by 'END'. This is useful when a password is a JIT-generated use-once token. Declare management version 6 for this feature. Change-Id: Ib99f171fb69d51f2260b44edf8ebe21ac958f233 Signed-off-by: Luca Boccassi Acked-by: Selva Nair Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1593 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1593 This mail reflects revision 7 of this Change. Acked-by according to Gerrit (reflected above): Selva Nair diff --git a/doc/management-notes.txt b/doc/management-notes.txt index 41e2a91..a527e5e 100644 --- a/doc/management-notes.txt +++ b/doc/management-notes.txt @@ -313,6 +313,22 @@ The escaping rules are the same as for the config file. See the "Command Parsing" section below for more info. + If the password is too long to fit in a single command line + (longer than 256 bytes), the management interface client should + use the multi-line base64 format instead. This requires that + the management client has announced version > 3 via the + "version" command: + + password "Auth" + [BASE64_PASSWORD_LINE] + ... + END + + In this format, the password is base64-encoded and split across + multiple lines, followed by END. Each line can be at most 1024 + bytes. This is the same format used by pk-sig and certificate + commands. Requires OpenVPN 2.8+ management version >= 6. + The PASSWORD real-time message type can also be used to indicate password or other types of authentication failure: diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index df72f15..d828df0 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c 
@@ -31,6 +31,7 @@ #include "error.h" #include "fdmisc.h" #include "options.h" +#include "base64.h" #include "sig.h" #include "event.h" #include "otime.h" @@ -70,6 +71,7 @@ MCV_DEFAULT = 1, MCV_PKSIGN = 2, MCV_PKSIGN_ALG = 3, + MCV_MULTILINE_PASSWORD = 4, }; struct management *management; /* GLOBAL */ @@ -107,6 +109,8 @@ msg(M_CLIENT, " where action is reply string."); msg(M_CLIENT, "net : (Windows only) Show network info and routing table."); msg(M_CLIENT, "password type p : Enter password p for a queried OpenVPN password."); + msg(M_CLIENT, "password type : (version >3) Enter password base64-encoded on"); + msg(M_CLIENT, " subsequent lines followed by END."); msg(M_CLIENT, "remote type [host port] : Override remote directive, type=ACCEPT|MOD|SKIP."); msg(M_CLIENT, "remote-entry-count : Get number of available remote entries."); msg(M_CLIENT, "remote-entry-get i|all [j]: Get remote entry at index = i to to j-1 or all."); 
@@ -1012,6 +1016,41 @@ } } +/** + * Enter multi-line base64 mode for receiving a password that exceeds the + * single-line parameter size limit. The management client sends: + * + * password TYPE + * + * + * ... + * END + * + * @param man The management interface struct + * @param type The type of password being entered (e.g. "Auth", "Private Key", etc) + */ +static void +man_query_password_base64(struct management *man, const char *type) +{ + const bool needed = ((man->connection.up_query_mode == UP_QUERY_PASS + || man->connection.up_query_mode == UP_QUERY_USER_PASS) + && man->connection.up_query_type); + if (!needed) + { + msg(M_CLIENT, "ERROR: no password is currently needed at this time"); + return; + } + if (!man->connection.up_query_type || !streq(man->connection.up_query_type, type)) + { + msg(M_CLIENT, "ERROR: password of type '%s' entered, but we need one of type '%s'", + type, man->connection.up_query_type); + return; + } + struct man_connection *mc = &man->connection; + mc->in_extra_cmd = IEC_PASSWORD; + in_extra_reset(mc, IER_NEW); +} + static void in_extra_dispatch(struct management *man) { 
@@ -1045,6 +1084,41 @@ man->connection.ext_cert_input = man->connection.in_extra; man->connection.in_extra = NULL; return; + + case IEC_PASSWORD: + { + char decoded[USER_PASS_LEN]; + CLEAR(decoded); + + buffer_list_aggregate(man->connection.in_extra, + OPENVPN_BASE64_LENGTH(USER_PASS_LEN) + 1024); + struct buffer *buf = buffer_list_peek(man->connection.in_extra); + + if (buf && BLEN(buf) > 0) + { + if (OPENVPN_BASE64_DECODED_LENGTH(BLEN(buf)) >= USER_PASS_LEN) + { + msg(M_CLIENT, "ERROR: password too long"); + buf_clear(buf); + break; + } + int len = openvpn_base64_decode(BSTR(buf), decoded, + USER_PASS_LEN - 1); + if (len < 0) + { + msg(M_CLIENT, "ERROR: could not base64-decode password"); + buf_clear(buf); + break; + } + decoded[len] = '\0'; + buf_clear(buf); + } + + man_query_password(man, man->connection.up_query_type, + decoded); + secure_memzero(decoded, sizeof(decoded)); + break; + } } in_extra_reset(&man->connection, IER_RESET); } @@ -1591,9 +1665,20 @@ } else if (streq(p[0], "password")) { - if (man_need(man, p, 2, 0)) + if (man_need(man, p, 1, MN_AT_LEAST)) { - man_query_password(man, p[1], p[2]); + if (p[2]) + { + man_query_password(man, p[1], p[2]); + } + else if (man->connection.client_version >= MCV_MULTILINE_PASSWORD) + { + man_query_password_base64(man, p[1]); + } + else + { + msg(M_CLIENT, "ERROR: the 'password' command requires 2 parameters"); + } } } else if (streq(p[0], "forget-passwords")) diff --git a/src/openvpn/manage.h b/src/openvpn/manage.h index 38f437f..c446913 100644 --- a/src/openvpn/manage.h +++ b/src/openvpn/manage.h @@ -50,7 +50,7 @@ #include "socket_util.h" #include "mroute.h" -#define MANAGEMENT_VERSION 5 +#define MANAGEMENT_VERSION 6 #define MANAGEMENT_N_PASSWORD_RETRIES 3 #define MANAGEMENT_LOG_HISTORY_INITIAL_SIZE 100 #define MANAGEMENT_ECHO_BUFFER_SIZE 100 
@@ -296,6 +296,7 @@ #define IEC_RSA_SIGN 3 #define IEC_CERTIFICATE 4 #define IEC_PK_SIGN 5 +#define IEC_PASSWORD 6 int in_extra_cmd; struct buffer_list *in_extra; unsigned long in_extra_cid;
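Review bot: in the doc/management-notes.txt hunk, the "(longer than 256 bytes)" threshold is not tied to anything in the code change, which bounds the decoded password by USER_PASS_LEN and each base64 line by 1024 bytes; either name the constant that actually limits a single-line 'password' parameter or drop the number, so the documentation cannot drift from the code. The rest of the paragraph (version > 3 on the client, management version >= 6 on the server, END terminator) matches MCV_MULTILINE_PASSWORD = 4 and MANAGEMENT_VERSION 6 in the C hunks.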
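Review bot: in man_query_password_base64(), the second condition's `!man->connection.up_query_type` is redundant, since `needed` already required up_query_type to be non-NULL; `if (!streq(man->connection.up_query_type, type))` is enough. Note also that the type passed here is only used for this check; the later dispatch answers with `man->connection.up_query_type`, so if the pending query changes between "password TYPE" and END the answer goes to whatever query is pending then, which the doc comment on this function should say.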
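Review bot: in the IEC_PASSWORD case of in_extra_dispatch(), both error paths `break` before reaching `secure_memzero(decoded, sizeof(decoded));`, so after a failed openvpn_base64_decode() the stack buffer keeps whatever the decoder may have written before rejecting the input; zero `decoded` on every exit (for example right before each `break`, or by restructuring to a single exit). Separately, only the aggregated `buf` is wiped with buf_clear(): when buffer_list_aggregate() cannot fold all lines into one entry because the total exceeds OPENVPN_BASE64_LENGTH(USER_PASS_LEN) + 1024, the leftover entries still hold encoded password material and are not cleared in this hunk, so confirm that in_extra_reset(IER_RESET) wipes rather than merely frees them.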
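Review bot: in the man_dispatch_command() hunk, changing `man_need(man, p, 2, 0)` to `man_need(man, p, 1, MN_AT_LEAST)` makes `password Auth secret extra` accepted with the trailing parameter silently ignored, where the old exact-count check rejected it; keep the exact count for the single-line branch (p[2] present and p[3] absent) and relax it only for the one-parameter multi-line form. The error message "the 'password' command requires 2 parameters" would also be more useful to a down-level client if it said that the one-parameter form needs `version` >= 4.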
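The commit message describes the exchange from the client's side: announce version 4, answer a PASSWORD prompt with `password TYPE`, base64 lines of at most 1024 bytes, then `END`. The following is an added example, not code from the patch or from OpenVPN: it builds that answer on the client side and mirrors the server's accept/reject logic so the two can be round-tripped offline. It assumes USER_PASS_LEN is 4096 (the patch names the macro, not its value), models OPENVPN_BASE64_DECODED_LENGTH(n) as n * 3 // 4, and uses the existing `>PASSWORD:Need 'TYPE' ...` real-time message as the prompt format; the sample prompt and token are constructed.

```python
"""Added example (not OpenVPN's code): build and verify the multi-line base64
'password' answer that the patch adds to the management interface.

Assumptions, labelled because the patch only names them:
  * USER_PASS_LEN is taken as 4096; the patch references the macro, not its value.
  * The server prompt is the existing ">PASSWORD:Need 'Auth' username/password"
    real-time message.
  * OPENVPN_BASE64_DECODED_LENGTH(n) is modelled as n * 3 // 4.
"""
import base64
import binascii
import re

MCV_MULTILINE_PASSWORD = 4  # client must have sent "version 4" (or higher)
USER_PASS_LEN = 4096        # assumed value of the server-side buffer macro
MAX_LINE = 1024             # per-line limit stated in the patch and its docs

_PROMPT = re.compile(r"^>PASSWORD:Need '([^']+)'")


def password_command_lines(ptype, password, line_len=MAX_LINE):
    """Lines a client sends for one answer: password "TYPE", the base64 text
    split into lines of at most line_len bytes, then END.  Lines are cut on
    4-byte base64 group boundaries so each line is itself valid base64."""
    if not 4 <= line_len <= MAX_LINE:
        raise ValueError("line_len must be between 4 and %d" % MAX_LINE)
    line_len -= line_len % 4
    b64 = base64.b64encode(password).decode("ascii")
    lines = ['password "%s"' % ptype]
    lines.extend(b64[i:i + line_len] for i in range(0, len(b64), line_len))
    lines.append("END")
    return lines


def answer_prompt(prompt, password, client_version):
    """Turn a >PASSWORD:Need prompt into the reply lines.  A client that did
    not announce version >= 4 must not use this form, so refuse instead of
    sending an over-long single-line password that the server would reject."""
    m = _PROMPT.match(prompt)
    if not m:
        raise ValueError("not a PASSWORD:Need prompt: %r" % prompt)
    if client_version < MCV_MULTILINE_PASSWORD:
        raise RuntimeError("multi-line password needs client version >= 4")
    return password_command_lines(m.group(1), password)


def server_side_decode(lines, user_pass_len=USER_PASS_LEN):
    """Mirror of the patch's IEC_PASSWORD dispatch, for offline round-trips.
    Returns the decoded password bytes or raises with the server's error text."""
    if len(lines) < 2 or lines[-1] != "END":
        raise ValueError("ERROR: answer not terminated by END")
    body_lines = lines[1:-1]                      # skip 'password "TYPE"' and END
    if any(len(line) > MAX_LINE for line in body_lines):
        raise ValueError("ERROR: line exceeds %d bytes" % MAX_LINE)
    body = "".join(body_lines)                    # buffer_list_aggregate() equivalent
    if not body:
        return b""                                # empty answer: an empty password
    if len(body) * 3 // 4 >= user_pass_len:       # the decoded-length guard
        raise ValueError("ERROR: password too long")
    try:
        return base64.b64decode(body, validate=True)
    except binascii.Error:
        raise ValueError("ERROR: could not base64-decode password")


def round_trip(password, client_version=MCV_MULTILINE_PASSWORD):
    """Client answers a constructed prompt; the server mirror decodes it.
    Returns (lines sent, password the server would pass to man_query_password)."""
    prompt = ">PASSWORD:Need 'Auth' username/password"   # constructed sample prompt
    lines = answer_prompt(prompt, password, client_version)
    return lines, server_side_decode(lines)


if __name__ == "__main__":
    token = b"x" * 3000                           # constructed long use-once token
    sent, got = round_trip(token)
    print("\n".join(sent[:2] + ["...", sent[-1]]))
    print("server decoded %d bytes, intact: %s" % (len(got), got == token))
```

The largest answer the server mirror accepts decodes to USER_PASS_LEN - 1 bytes, matching the `USER_PASS_LEN - 1` output limit and the `>= USER_PASS_LEN` rejection in the patch; anything longer is reported as "password too long" before decoding starts.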