Allow longer username and password under Dynamic Challenge/Response Protocol.

Based on patches found at https://github.com/samm-git/aws-vpn-client,
this updates OpenVPN for compatibility with AWS' (and other vendors) use
of the dynamic challenge/response protocol to implement SAML-based authentication.

Those vendors submit the password via the management interface, which can be up to 50kb
long.

Author: jgbailey-well

flake.lock

@@ -0,0 +1,48 @@
+{
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11";
+    devenv.url = "github:cachix/devenv";
+  };
+
+  outputs = { self, nixpkgs, devenv, ... } @ inputs:
+    let
+      systems = [ "x86_64-linux" "i686-linux" "x86_64-darwin" "aarch64-linux" "aarch64-darwin" ];
+      forAllSystems = f: builtins.listToAttrs (map (name: { inherit name; value = f name; }) systems);
+    in
+    {
+      devShells = forAllSystems
+        (system:
+          let
+            pkgs = import nixpkgs {
+              inherit system;
+            };
+          in
+          {
+            default = devenv.lib.mkShell {
+              inherit inputs pkgs;
+              modules = [
+                {
+                  # https://devenv.sh/reference/options/
+                  packages = [ 
+                    pkgs.autoconf 
+                    pkgs.automake 
+                    pkgs.libtool 
+                    pkgs.openssl_1_1 
+                    pkgs.lz4 
+                    pkgs.lzo 
+                    pkgs.pam 
+                    pkgs.cmocka 
+                  ];
+
+                  languages.c.enable = true;
+
+                  enterShell = ''
+                    # Allows autreconf to find libtool.
+                    export ACLOCAL_PATH=${pkgs.libtool}/share/aclocal:$ACLOCAL_PATH
+                  '';
+                }
+              ];
+            };
+          });
+    };
+}

flake.nix

@@ -64,9 +64,11 @@ typedef unsigned long ptr_type;
 /*
  * This parameter controls the TLS channel buffer size and the
  * maximum size of a single TLS message (cleartext).
- * This parameter must be >= PUSH_BUNDLE_SIZE
+ * This parameter must be >= PUSH_BUNDLE_SIZE. It must also be greater than 
+ * the size of a long (>50Kb) password in the dyanmic challenge/response
+ * protocol,
  */
-#define TLS_CHANNEL_BUF_SIZE 2048
+#define TLS_CHANNEL_BUF_SIZE 65536
 
 /* TLS control buffer minimum size
  *

src/openvpn/common.h

@@ -2244,7 +2244,7 @@ man_read(struct management *man)
     /*
      * read command line from socket
      */
-    unsigned char buf[256];
+    unsigned char buf[TLS_CHANNEL_BUF_SIZE];
     int len = 0;
 
 #ifdef TARGET_ANDROID
@@ -2580,7 +2580,7 @@ man_connection_init(struct management *man)
          * Allocate helper objects for command line input and
          * command output from/to the socket.
          */
-        man->connection.in = command_line_new(1024);
+        man->connection.in = command_line_new(TLS_CHANNEL_BUF_SIZE);
         man->connection.out = buffer_list_new();
 
         /*

src/openvpn/manage.c

@@ -65,7 +65,11 @@ struct user_pass
 #ifdef ENABLE_PKCS11
 #define USER_PASS_LEN 4096
 #else
-#define USER_PASS_LEN 128
+/*
+ * Increase the username and password length size to 65KB, in order
+ * to support long passwords under the dynamic challenge/response protocol.
+ */
+#define USER_PASS_LEN 65536
 #endif
     /* Note that username and password are expected to be null-terminated */
     char username[USER_PASS_LEN];

src/openvpn/misc.h

@@ -52,10 +52,13 @@
 #define MAX_PARMS 16
 
 /*
- * Max size of options line and parameter.
+ * Max size of options line and parameter. Note these
+ * must be able to accomodate large (>50Kb) values in
+ * order to support long passwords under the dynamic challenge-response
+ * protocol.
  */
-#define OPTION_PARM_SIZE 256
-#define OPTION_LINE_SIZE 256
+#define OPTION_PARM_SIZE USER_PASS_LEN
+#define OPTION_LINE_SIZE OPTION_PARM_SIZE
 
 extern const char title_string[];