Allow longer username and password under Dynamic Challenge/Response Protocol.

jgbailey-well · jgbailey-well · commit 41f63106dcb5 · 2023-03-22T11:37:46.000-07:00
Based on patches found at https://github.com/samm-git/aws-vpn-client, this updates OpenVPN for compatibility with AWS' (and other vendors) use of the dynamic challenge/response protocol to implement SAML-based authentication. Those vendors submit the password via the management interface, which can be up to 50kb long.
diff --git a/src/openvpn/common.h b/src/openvpn/common.h
@@ -64,9 +64,11 @@ typedef unsigned long ptr_type;
 /*
  * This parameter controls the TLS channel buffer size and the
  * maximum size of a single TLS message (cleartext).
- * This parameter must be >= PUSH_BUNDLE_SIZE
+ * This parameter must be >= PUSH_BUNDLE_SIZE. It must also be greater than 
+ * the size of a long (>50Kb) password in the dyanmic challenge/response
+ * protocol,
  */
-#define TLS_CHANNEL_BUF_SIZE 2048
+#define TLS_CHANNEL_BUF_SIZE 65536
 
 /* TLS control buffer minimum size
  *
diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c
@@ -2244,7 +2244,7 @@ man_read(struct management *man)
     /*
      * read command line from socket
      */
-    unsigned char buf[256];
+    unsigned char buf[TLS_CHANNEL_BUF_SIZE];
     int len = 0;
 
 #ifdef TARGET_ANDROID
@@ -2580,7 +2580,7 @@ man_connection_init(struct management *man)
          * Allocate helper objects for command line input and
          * command output from/to the socket.
          */
-        man->connection.in = command_line_new(1024);
+        man->connection.in = command_line_new(TLS_CHANNEL_BUF_SIZE);
         man->connection.out = buffer_list_new();
 
         /*
diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h
@@ -65,7 +65,11 @@ struct user_pass
 #ifdef ENABLE_PKCS11
 #define USER_PASS_LEN 4096
 #else
-#define USER_PASS_LEN 128
+/*
+ * Increase the username and password length size to 65KB, in order
+ * to support long passwords under the dynamic challenge/response protocol.
+ */
+#define USER_PASS_LEN 65536
 #endif
     /* Note that username and password are expected to be null-terminated */
     char username[USER_PASS_LEN];
diff --git a/src/openvpn/options.h b/src/openvpn/options.h
@@ -52,10 +52,13 @@
 #define MAX_PARMS 16
 
 /*
- * Max size of options line and parameter.
+ * Max size of options line and parameter. Note these
+ * must be able to accomodate large (>50Kb) values in
+ * order to support long passwords under the dynamic challenge-response
+ * protocol.
  */
-#define OPTION_PARM_SIZE 256
-#define OPTION_LINE_SIZE 256
+#define OPTION_PARM_SIZE USER_PASS_LEN
+#define OPTION_LINE_SIZE OPTION_PARM_SIZE
 
 extern const char title_string[];
 
