From 41f63106dcb537409c863cdf7bd07c20991e83cf Mon Sep 17 00:00:00 2001
From: Justin Bailey
Date: Thu, 9 Mar 2023 10:43:16 -0800
Subject: [PATCH] Allow longer username and password under Dynamic Challenge/Response Protocol.

Based on patches found at https://github.com/samm-git/aws-vpn-client, this updates OpenVPN for compatibility with AWS' (and other vendors) use of the dynamic challenge/response protocol to implement SAML-based authentication. Those vendors submit the password via the management interface, which can be up to 50kb long.
---
 src/openvpn/common.h | 6 ++++--
 src/openvpn/manage.c | 4 ++--
 src/openvpn/misc.h | 6 +++++-
 src/openvpn/options.h | 9 ++++++---
 4 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/src/openvpn/common.h b/src/openvpn/common.h
index f77685c8f32d..16af2d774524 100644
--- a/src/openvpn/common.h
+++ b/src/openvpn/common.h
@@ -64,9 +64,11 @@ typedef unsigned long ptr_type;
 /*
  * This parameter controls the TLS channel buffer size and the
  * maximum size of a single TLS message (cleartext).
- * This parameter must be >= PUSH_BUNDLE_SIZE
+ * This parameter must be >= PUSH_BUNDLE_SIZE. It must also be greater than
+ * the size of a long (>50Kb) password in the dyanmic challenge/response
+ * protocol,
  */
-#define TLS_CHANNEL_BUF_SIZE 2048
+#define TLS_CHANNEL_BUF_SIZE 65536
 
 /* TLS control buffer minimum size
  *
diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c
index db88e347911b..fa79e6ce95f2 100644
--- a/src/openvpn/manage.c
+++ b/src/openvpn/manage.c
@@ -2244,7 +2244,7 @@ man_read(struct management *man)
     /*
      * read command line from socket
      */
-    unsigned char buf[256];
+    unsigned char buf[TLS_CHANNEL_BUF_SIZE];
     int len = 0;
 
 #ifdef TARGET_ANDROID
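Review bot: The new comment in common.h has a typo (`dyanmic`) and ends in a comma instead of a full stop, and "greater than the size of a long password" understates the real requirement, since the username travels in the same message; suggested wording: ` * This parameter must be >= PUSH_BUNDLE_SIZE. It must also be large enough to` / ` * hold the longest username/password pair (USER_PASS_LEN each) carried in the` / ` * dynamic challenge/response protocol.` A 32x increase of TLS_CHANNEL_BUF_SIZE applies to every TLS session, server side included; if the per-key-state plaintext read/write buffers are allocated at this size, per-client memory grows by the same factor, which deserves a sentence in the commit message or in this comment.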
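Review bot: `unsigned char buf[TLS_CHANNEL_BUF_SIZE]` places a 64 KiB array on the stack of man_read on every call, and it ties the management-socket read chunk to a TLS channel constant that has no relation to it. If the received bytes are accumulated into man->connection.in by command_line_add, as the matching capacity bump of command_line_new in the man_connection_init hunk suggests, the read chunk does not need to grow at all and `unsigned char buf[256];` can stay; otherwise a dedicated management-interface constant, with the buffer on the heap, is the cleaner choice. The same coupling to TLS_CHANNEL_BUF_SIZE applies to the command_line_new call in the man_connection_init hunk. man_read's body continues outside the hunk.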
@@ -2580,7 +2580,7 @@ man_connection_init(struct management *man)
      * Allocate helper objects for command line input and
      * command output from/to the socket.
      */
-    man->connection.in = command_line_new(1024);
+    man->connection.in = command_line_new(TLS_CHANNEL_BUF_SIZE);
     man->connection.out = buffer_list_new();
 
     /*
diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h
index b000b729a18f..2bf3dcdef3e0 100644
--- a/src/openvpn/misc.h
+++ b/src/openvpn/misc.h
@@ -65,7 +65,11 @@ struct user_pass
 #ifdef ENABLE_PKCS11
 #define USER_PASS_LEN 4096
 #else
-#define USER_PASS_LEN 128
+/*
+ * Increase the username and password length size to 65KB, in order
+ * to support long passwords under the dynamic challenge/response protocol.
+ */
+#define USER_PASS_LEN 65536
 #endif
     /* Note that username and password are expected to be null-terminated */
     char username[USER_PASS_LEN];
diff --git a/src/openvpn/options.h b/src/openvpn/options.h
index 7df717f73f6e..78ca5dabef52 100644
--- a/src/openvpn/options.h
+++ b/src/openvpn/options.h
@@ -52,10 +52,13 @@
 #define MAX_PARMS 16
 
 /*
- * Max size of options line and parameter.
+ * Max size of options line and parameter. Note these
+ * must be able to accomodate large (>50Kb) values in
+ * order to support long passwords under the dynamic challenge-response
+ * protocol.
  */
-#define OPTION_PARM_SIZE 256
-#define OPTION_LINE_SIZE 256
+#define OPTION_PARM_SIZE USER_PASS_LEN
+#define OPTION_LINE_SIZE OPTION_PARM_SIZE
 
 extern const char title_string[];
 
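Review bot: The ENABLE_PKCS11 branch is left at 4096 while the #else branch becomes 65536, so the build variant that used to have the larger limit now has the smaller one, and long challenge/response passwords will be truncated or rejected on PKCS#11 builds without any diagnostic; unless that is intended, a single unconditional `#define USER_PASS_LEN 65536` in place of the #ifdef/#else is what the commit message describes. Because struct user_pass embeds `char username[USER_PASS_LEN]` (and presumably a password array of the same size), every instance grows to roughly 128 KiB, which matters for any instance declared on the stack and for code that zeroizes or copies the whole struct. The comment's "65KB" should read "64 KiB" (65536 bytes).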
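Review bot: `#define OPTION_PARM_SIZE USER_PASS_LEN` makes options.h depend on a macro defined in misc.h, and nothing in the hunk includes misc.h; if options.h does not already include it, any translation unit that includes options.h first fails with an undeclared identifier at the first use of OPTION_PARM_SIZE. Defining the shared limit once (for example next to TLS_CHANNEL_BUF_SIZE in common.h, which both headers can include) and deriving USER_PASS_LEN and OPTION_PARM_SIZE from it removes the include-order hazard and keeps the three limits from drifting apart. OPTION_LINE_SIZE and OPTION_PARM_SIZE are commonly used to size local buffers in the config-file and push-option parsers; if that is the case here, each such frame now reserves 64 KiB, which is worth checking against the stack size of the threads and platforms OpenVPN runs on. The comment has a typo: `accomodate` should be `accommodate`.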