Allow longer username and password under Dynamic Challenge/Response P…
…rotocol.

Based on patches found at https://github.com/samm-git/aws-vpn-client,
this updates OpenVPN for compatibility with AWS' (and other vendors) use
of the dynamic challenge/response protocol to implement SAML-based authentication.

Those vendors submit the password via the management interface; the password can be up to 50kb
long.
m4dc4p committed Mar 22, 2023
1 parent 7aa3520 commit 41f6310
Showing 4 changed files with 17 additions and 8 deletions.
6 changes: 4 additions & 2 deletions src/openvpn/common.h
Expand Up @@ -64,9 +64,11 @@ typedef unsigned long ptr_type;
/*
* This parameter controls the TLS channel buffer size and the
* maximum size of a single TLS message (cleartext).
* This parameter must be >= PUSH_BUNDLE_SIZE
* This parameter must be >= PUSH_BUNDLE_SIZE. It must also be greater than
* the size of a long (>50Kb) password in the dyanmic challenge/response
* protocol,
*/
#define TLS_CHANNEL_BUF_SIZE 2048
#define TLS_CHANNEL_BUF_SIZE 65536

/* TLS control buffer minimum size
*
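Review bot: The new comment says TLS_CHANNEL_BUF_SIZE must be greater than a long password, yet the value chosen, 65536, is exactly the new USER_PASS_LEN from misc.h in this same commit, so a password near the maximum cannot fit in a single TLS message once the username and the message framing are added, if those travel together as the comment's wording implies; whether that fails closed depends on the writers' length checks, which are outside this hunk. The change also multiplies the TLS control-channel buffer by 32 for every peer in every build, including servers that never use the dynamic challenge, so the per-connection memory cost deserves a sentence in the comment. The comment itself has a typo and ends on a dangling comma; suggest `* the size of a long (>50Kb) password in the dynamic challenge/response` followed by `* protocol, together with the username and the message framing around it.`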
4 changes: 2 additions & 2 deletions src/openvpn/manage.c
Expand Up @@ -2244,7 +2244,7 @@ man_read(struct management *man)
/*
* read command line from socket
*/
unsigned char buf[256];
unsigned char buf[TLS_CHANNEL_BUF_SIZE];
int len = 0;

#ifdef TARGET_ANDROID
Expand Down Expand Up @@ -2580,7 +2580,7 @@ man_connection_init(struct management *man)
* Allocate helper objects for command line input and
* command output from/to the socket.
*/
man->connection.in = command_line_new(1024);
man->connection.in = command_line_new(TLS_CHANNEL_BUF_SIZE);
man->connection.out = buffer_list_new();

/*
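Review bot: `unsigned char buf[TLS_CHANNEL_BUF_SIZE];` in man_read now puts a 64 KiB array on the stack of a function that runs on every management-socket read, which is a large automatic allocation for the Android and embedded targets the adjacent `#ifdef TARGET_ANDROID` hints at, and it sizes the management read buffer by a TLS constant that has nothing to do with it. Prefer a heap buffer owned by `struct management`, allocated once in man_connection_init next to the `command_line_new(TLS_CHANNEL_BUF_SIZE)` call in the second hunk, or at least a dedicated define for the management line length (a new `MANAGEMENT_READ_BUF_SIZE`, say) so the two limits can be changed independently. The loop in man_read that consumes `buf` and `len` continues outside the hunk; the check that a read of this size still fits the command_line object should be confirmed there.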
6 changes: 5 additions & 1 deletion src/openvpn/misc.h
Expand Up @@ -65,7 +65,11 @@ struct user_pass
#ifdef ENABLE_PKCS11
#define USER_PASS_LEN 4096
#else
#define USER_PASS_LEN 128
/*
* Increase the username and password length size to 65KB, in order
* to support long passwords under the dynamic challenge/response protocol.
*/
#define USER_PASS_LEN 65536
#endif
/* Note that username and password are expected to be null-terminated */
char username[USER_PASS_LEN];
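Review bot: The `#ifdef ENABLE_PKCS11` branch keeps USER_PASS_LEN at 4096 while only the `#else` branch is raised to 65536, so builds with PKCS#11 enabled, previously the larger case, now get the smaller buffer and do not gain the long-password support this commit is for. Since 65536 covers both needs, the conditional can be dropped: replace the whole `#ifdef`/`#else`/`#endif` with a single `#define USER_PASS_LEN 65536` and keep the new comment above it. Note also that the comment says 65KB while 65536 bytes is 64 KiB, and that every `struct user_pass` (the username array shown plus, presumably, a password array after it) grows to roughly 128 KiB, which matters wherever one is an automatic variable or is wiped with a full-size memset.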
9 changes: 6 additions & 3 deletions src/openvpn/options.h
Expand Up @@ -52,10 +52,13 @@
#define MAX_PARMS 16

/*
* Max size of options line and parameter.
* Max size of options line and parameter. Note these
* must be able to accomodate large (>50Kb) values in
* order to support long passwords under the dynamic challenge-response
* protocol.
*/
#define OPTION_PARM_SIZE 256
#define OPTION_LINE_SIZE 256
#define OPTION_PARM_SIZE USER_PASS_LEN
#define OPTION_LINE_SIZE OPTION_PARM_SIZE

extern const char title_string[];

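Review bot: `#define OPTION_PARM_SIZE USER_PASS_LEN` makes options.h depend on a macro from misc.h, and no include of misc.h is visible in this hunk; if options.h does not already pull it in, any translation unit that expands OPTION_PARM_SIZE or OPTION_LINE_SIZE without including misc.h first will fail to compile, so either add the include or define the size here and have misc.h derive USER_PASS_LEN from it. The two limits also jump from 256 to 65536 bytes for all option parsing, not just the auth path; if they size automatic arrays in the parsers (not visible here), each such frame grows by 64 KiB, and OPTION_LINE_SIZE being equal to OPTION_PARM_SIZE means a line holding several MAX_PARMS parameters can still exceed the line limit, as it could before. The new comment also misspells "accommodate".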
