On Thu, Sep 22, 2016 at 6:04 AM, David Sommerseth <dav...@openvpn.net>

> If running an OpenVPN client with --enable-pkcs11 and a server without
> and having a username and/or password with more than 128 characters,
> the authentication will fail as the server truncates the password
> to 128 bytes.
> This makes things easier and more predictable.  Username/passwords
> can be up to 4096 bytes, regardless of the --enable-pkcs11 state.

In spite of this change, in most usage scenarios, username, password and
even pkcs11-id are limited to a much smaller length (more like ~256 bytes)
for other reasons:

The pkcs11-id is the only string that probably needs such a long length,
but its limited to ~240 bytes when read from the config file because of max
line length of 256 bytes + 1 for NUL (in some code paths 255?). Even if the
max line length is increased, the max size of an option parameter is 256
bytes (+ 1 for NUL).

The 256 byte limit on parameters in response received from management
(pointed out by Jonathan) is also somewhat related to the above: Input from
management goes through the same parsing code as the lines read from the
config file for handling escapes, embedded whitespace etc. and a limit of
256 bytes per option parameter is imposed

Also usernames > 64 bytes will break --username-as-common-name as CN is
limited to 64 bytes (could 64 code points, but it seems openvpn interprets
that as 64 bytes).

So for most practical purposes, pkcs11-id appears to be limited to ~240
bytes characters in the current code. Changing USER_PASS_LEN to, say, 256
may be more sensible. That shouldn't break any existing configs but may
break some use cases where a long id is supplied from the command line.

Openvpn-devel mailing list

Reply via email to