From patchwork Mon Mar 30 18:08:54 2026
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4858
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 30 Mar 2026 20:08:54 +0200
Message-ID: <20260330180900.16608-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.52.0
Subject: [Openvpn-devel] [PATCH v11] management: add base64 multi-line input for passwords
From: Luca Boccassi Allow management clients to send long passwords via the usual multi-line base64 encoded protocol. A client declares MCV 5 support and sends a 'password ' line, followed by as many lines (each up to 1024 bytes) as needed, in base64 encoded format, terminated by 'END'. This is useful when a password is a JIT-generated use-once token. Declare management version 6 for this feature. Change-Id: Ib99f171fb69d51f2260b44edf8ebe21ac958f233 Signed-off-by: Luca Boccassi Acked-by: Selva Nair Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1593 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1593 This mail reflects revision 11 of this Change. Acked-by according to Gerrit (reflected above): Selva Nair diff --git a/doc/management-notes.txt b/doc/management-notes.txt index 7da4aaf..1126468 100644 --- a/doc/management-notes.txt +++ b/doc/management-notes.txt @@ -326,6 +326,22 @@ The escaping rules are the same as for the config file. See the "Command Parsing" section below for more info. + If the password is too long to fit in a single command line + (longer than 256 bytes), the management interface client should + use the multi-line base64 format instead. This requires that + the management client has announced version >= 5 via the + "version" command: + + password "Auth" + [BASE64_PASSWORD_LINE] + ... + END + + In this format, the password is base64-encoded and split across + multiple lines, followed by END. Each line can be at most 1024 + bytes. This is the same format used by pk-sig and certificate + commands. Requires OpenVPN management version >= 6. + The PASSWORD real-time message type can also be used to indicate password or other types of authentication failure: 
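Review bot: the new management-notes paragraph quotes two version numbers for the same feature, "announced version >= 5 via the "version" command" and "Requires OpenVPN management version >= 6", without saying which side each applies to. Since the client announces 5 (MCV_MULTILINE_PASSWORD) while OpenVPN itself now reports 6 (MANAGEMENT_VERSION), spell that out, e.g. "OpenVPN reports management version 6; the client must announce version >= 5 to use this form". The "longer than 256 bytes" threshold is also the only place that number appears in the patch (the code comment only says "single-line parameter size limit"), so name the limit it refers to so the two stay in sync.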
@@ -513,6 +529,7 @@ >PK_SIGN:[base64] -- version 2 or greater >PK_SIGN:[base64],[alg] -- version 3 or greater >PASSWORD:Need 'Auth' username -- version 4 or greater + multiline password from client -- version 5 or greater COMMAND -- auth-retry --------------------- diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index 6cab7db..c22a2a4 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c @@ -31,6 +31,7 @@ #include "error.h" #include "fdmisc.h" #include "options.h" +#include "base64.h" #include "sig.h" #include "event.h" #include "otime.h" @@ -68,6 +69,7 @@ MCV_PKSIGN = 2, MCV_PKSIGN_ALG = 3, MCV_USERNAME_ONLY = 4, + MCV_MULTILINE_PASSWORD = 5, }; struct management *management; /* GLOBAL */ @@ -105,6 +107,8 @@ msg(M_CLIENT, " where action is reply string."); msg(M_CLIENT, "net : (Windows only) Show network info and routing table."); msg(M_CLIENT, "password type p : Enter password p for a queried OpenVPN password."); + msg(M_CLIENT, "password type : (version >=5) Enter password base64-encoded on"); + msg(M_CLIENT, " subsequent lines followed by END."); msg(M_CLIENT, "remote type [host port] : Override remote directive, type=ACCEPT|MOD|SKIP."); msg(M_CLIENT, "remote-entry-count : Get number of available remote entries."); msg(M_CLIENT, "remote-entry-get i|all [j]: Get remote entry at index = i to to j-1 or all."); 
@@ -1019,6 +1023,41 @@ } } +/** + * Enter multi-line base64 mode for receiving a password that exceeds the + * single-line parameter size limit. The management client sends: + * + * password TYPE + * + * + * ... + * END + * + * @param man The management interface struct + * @param type The type of password being entered (e.g. "Auth", "Private Key", etc) + */ +static void +man_query_password_base64(struct management *man, const char *type) +{ + const bool needed = ((man->connection.up_query_mode == UP_QUERY_PASS + || man->connection.up_query_mode == UP_QUERY_USER_PASS) + && man->connection.up_query_type); + if (!needed) + { + msg(M_CLIENT, "ERROR: no password is currently needed at this time"); + return; + } + if (!man->connection.up_query_type || !streq(man->connection.up_query_type, type)) + { + msg(M_CLIENT, "ERROR: password of type '%s' entered, but we need one of type '%s'", + type, man->connection.up_query_type); + return; + } + struct man_connection *mc = &man->connection; + mc->in_extra_cmd = IEC_PASSWORD; + in_extra_reset(mc, IER_NEW); +} + static void in_extra_dispatch(struct management *man) { 
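Review bot: in man_query_password_base64() the second if re-tests !man->connection.up_query_type, which the preceding needed check already covers (it ANDs on up_query_type being non-NULL and returns on failure), so only the streq() comparison is needed there. The doc comment also shows empty lines between "password TYPE" and "END" where the base64-line placeholders belong; check that they are present in the committed source. Minor: "no password is currently needed at this time" says the same thing twice.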
@@ -1052,6 +1091,41 @@ man->connection.ext_cert_input = man->connection.in_extra; man->connection.in_extra = NULL; return; + + case IEC_PASSWORD: + { + char decoded[USER_PASS_LEN]; + CLEAR(decoded); + + buffer_list_aggregate(man->connection.in_extra, + OPENVPN_BASE64_LENGTH(USER_PASS_LEN) + 1024); + struct buffer *buf = buffer_list_peek(man->connection.in_extra); + + if (buf && BLEN(buf) > 0) + { + if (OPENVPN_BASE64_DECODED_LENGTH(BLEN(buf)) >= USER_PASS_LEN) + { + msg(M_CLIENT, "ERROR: password too long"); + buf_clear(buf); + break; + } + int len = openvpn_base64_decode(BSTR(buf), decoded, + USER_PASS_LEN - 1); + if (len < 0) + { + msg(M_CLIENT, "ERROR: could not base64-decode password"); + buf_clear(buf); + break; + } + decoded[len] = '\0'; + buf_clear(buf); + } + + man_query_password(man, man->connection.up_query_type, + decoded); + secure_memzero(decoded, sizeof(decoded)); + break; + } } in_extra_reset(&man->connection, IER_RESET); } @@ -1598,9 +1672,20 @@ } else if (streq(p[0], "password")) { - if (man_need(man, p, 2, 0)) + if (man_need(man, p, 1, MN_AT_LEAST)) { - man_query_password(man, p[1], p[2]); + if (p[2]) + { + man_query_password(man, p[1], p[2]); + } + else if (man->connection.client_version >= MCV_MULTILINE_PASSWORD) + { + man_query_password_base64(man, p[1]); + } + else + { + msg(M_CLIENT, "ERROR: the 'password' command requires 2 parameters"); + } } } else if (streq(p[0], "forget-passwords")) diff --git a/src/openvpn/manage.h b/src/openvpn/manage.h index e5ad23f..27d3b60 100644 --- a/src/openvpn/manage.h +++ b/src/openvpn/manage.h @@ -50,7 +50,7 @@ #include "socket_util.h" #include "mroute.h" -#define MANAGEMENT_VERSION 5 +#define MANAGEMENT_VERSION 6 #define MANAGEMENT_N_PASSWORD_RETRIES 3 #define MANAGEMENT_LOG_HISTORY_INITIAL_SIZE 100 #define MANAGEMENT_ECHO_BUFFER_SIZE 100 
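Review bot: in the IEC_PASSWORD case an empty body (the client sends the "password TYPE" line and then END) skips the whole if (buf && BLEN(buf) > 0) block and still calls man_query_password() with the zeroed decoded[], so an empty password is submitted silently instead of producing an ERROR; treat BLEN(buf) == 0 as an error like the other paths. Related: buffer_list_aggregate() is passed a maximum of OPENVPN_BASE64_LENGTH(USER_PASS_LEN) + 1024; if input beyond that limit is left as further list elements (which the max argument suggests), buffer_list_peek() returns only the first chunk, which can pass the length check and be submitted as a truncated password, so verify the list holds exactly one element after aggregation or reject when more input remains. Finally, the "could not base64-decode password" path breaks before secure_memzero(decoded, ...), so whatever openvpn_base64_decode() wrote before failing stays on the stack; wipe decoded on every exit from the case.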
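Review bot: in the "password" command branch, a client with client_version < MCV_MULTILINE_PASSWORD that sends only "password TYPE" gets "the 'password' command requires 2 parameters", which hides the real cause; say that the multi-line form needs version 5 or greater, matching the "(version >=5)" wording added to the help text in this patch.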
@@ -297,6 +297,7 @@ #define IEC_RSA_SIGN 3 #define IEC_CERTIFICATE 4 #define IEC_PK_SIGN 5 +#define IEC_PASSWORD 6 int in_extra_cmd; struct buffer_list *in_extra; unsigned long in_extra_cid;
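The exchange the commit message and the management-notes hunk describe, as an added Python example that is not part of this patch or of OpenVPN: encode_password_command() builds the client-side lines (a 'password "TYPE"' line, the base64 of the password split into lines of at most 1024 bytes, then END), and parse_password_command() reproduces the server-side checks visible in the patch (the client-version gate, the query-type comparison, the decoded-length check against USER_PASS_LEN, the decode-failure error). USER_PASS_LEN = 4096, the per-line length error and the "missing END" error are assumptions; the parser also rejects an empty body, which the patch as posted would submit as an empty password.

```python
import base64
import binascii
import shlex

# MAX_LINE_BYTES and MCV_MULTILINE_PASSWORD come from the patch text.
# USER_PASS_LEN is an ASSUMED value for OpenVPN's password buffer size (not on the page).
MAX_LINE_BYTES = 1024
MCV_MULTILINE_PASSWORD = 5
USER_PASS_LEN = 4096


class ManagementError(Exception):
    """Raised with the text the management interface would send back as an ERROR line."""


def encode_password_command(pw_type, password):
    """Client side: lines to send for a password too long for a single command line.

    'password "TYPE"', then the base64 of the password split into lines of at
    most MAX_LINE_BYTES, then the END terminator.
    """
    if isinstance(password, str):
        password = password.encode("utf-8")
    b64 = base64.b64encode(password).decode("ascii")
    lines = ['password "%s"' % pw_type]
    lines.extend(b64[i:i + MAX_LINE_BYTES] for i in range(0, len(b64), MAX_LINE_BYTES))
    lines.append("END")
    return lines


def decoded_length(b64_len):
    """Analogue of OPENVPN_BASE64_DECODED_LENGTH(): upper bound on the decoded size."""
    return (b64_len * 3) // 4


def parse_password_command(lines, client_version, pending_type):
    """Server side: consume one 'password' command and return the password bytes.

    Mirrors the patch: the single-line form is accepted unchanged; the multi-line
    form needs client_version >= MCV_MULTILINE_PASSWORD and a matching pending
    query type, and the body must decode to fewer than USER_PASS_LEN bytes.
    """
    parts = shlex.split(lines[0])  # management commands use config-file style quoting
    if not parts or parts[0] != "password":
        raise ManagementError("ERROR: not a password command")
    if len(parts) >= 3:
        return parts[2].encode("utf-8")  # single-line form, behaviour unchanged by the patch
    # man_need() reports a missing first parameter with its own message; collapsed here.
    if len(parts) != 2 or client_version < MCV_MULTILINE_PASSWORD:
        raise ManagementError("ERROR: the 'password' command requires 2 parameters")
    if parts[1] != pending_type:
        raise ManagementError("ERROR: password of type '%s' entered, but we need one of type '%s'"
                              % (parts[1], pending_type))

    body = []
    for line in lines[1:]:
        if line == "END":
            break
        if len(line.encode("utf-8")) > MAX_LINE_BYTES:
            raise ManagementError("ERROR: line too long")  # assumed text; limit from the patch
        body.append(line)
    else:
        raise ManagementError("ERROR: missing END")  # assumed text; input ended without terminator

    b64 = "".join(body)
    if not b64:
        # Stricter than the patch, which would hand an empty string to man_query_password().
        raise ManagementError("ERROR: empty password")
    if decoded_length(len(b64)) >= USER_PASS_LEN:
        raise ManagementError("ERROR: password too long")
    try:
        return base64.b64decode(b64, validate=True)
    except binascii.Error:
        raise ManagementError("ERROR: could not base64-decode password")
```

A client that announced version 5 would write each element of encode_password_command() as its own line to the management socket; a pre-5 client, or one that puts the secret on the command line, takes the single-line path exactly as before the patch.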