Opened 10 years ago
Last modified 8 years ago
#226 new Bug / Defect
'--auth-user-pass-verify <script> VIA-FILE' can not pass long passwords (>~512)
Reported by: | ye_olde_iron | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | Generic / unclassified | Version: | OpenVPN 2.2.2 (Community Ed) |
Severity: | Not set (select this one, unless your'e a OpenVPN developer) | Keywords: | |
Cc: |
Description
While misc.h defines a maximum password length of 4096 when ENABLE_PKCS11 is defined ( ... # define USER_PASS_LEN 4096 ...) you can not successfully write a long password to a file via '--auth-user-pass-verify' as there is a buffer size limit of 512 bytes in status.c/status_printf() (STATUS_PRINTF_MAXLEN is defined as 512 just above the status_printf() routine).
[If output is to a file ssl.c/verify_user_pass_script() executes 'status_printf (so, "%s", up->password);']
It would be sensible to increase the buffer size in status.c/status_printf() so that the max length for passwords is consistent.
At the present time the only way to pass a longer password is via the environment variables (I.E. '--auth-user-pass-verify <script> VIA-ENV') ... not the best option as this is documented as being 'is insecure on some platforms' :-(
Change History (4)
comment:1 Changed 10 years ago by
comment:2 Changed 9 years ago by
Priority: | major → minor |
---|
comment:3 Changed 8 years ago by
I'm wondering a bit where this 4096 byte length is coming from. Is this something a pkcs#11 device might spit out as a *password*? Because for normal passwords, 512 byte should be truly long enough.
comment:4 Changed 8 years ago by
There are other authentication mechanisms that have something other than a user password in the password field, for example a signed token.
In any event, the limit should be consistent between USER_PASS_LEN, via-file, via-env.
Potential solution ... in status.c :-
(a) include misc.c so that we can get the definition of USER_PASS_LEN.
(b) change the definition of STATUS_PRINTF_MAXLEN to use USER_PASS_LEN+2 as long as it is defined and greater than, or equal to, 512 (otherwise just define it as 512 as before).