{"/PATCHSET_LEVEL":[{"author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"change_message_id":"2e0fdb79af56cbe699cb4ff88665df94ad459b1e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"1f1ac234_57cfc7cc","updated":"2024-10-27 09:41:32.000000000","message":"Okay, my client was not compiled the way I thought - so with --enable-pkcs11, sending a long username to an unmodified server yields\n\n```\nOct 27 10:30:59 gentoo tun-udp-p2mp-global-authpam[14201]: 194.97.140.21:36736 TLS Error: Auth Username/Password was not provided by peer\nOct 27 10:30:59 gentoo tun-udp-p2mp-global-authpam[14201]: 194.97.140.21:36736 TLS Error: TLS handshake failed\n```\n\nand with the patch it does a proper\n\n```\nOct 27 10:34:48 gentoo tun-udp-p2mp-global-authpam[15712]: 194.97.140.21:60127 TLS INFO: Username (-230) or password (14)  long\n...\nOct 27 10:34:48 gentoo tun-udp-p2mp-global-authpam[15712]: 194.97.140.21:60127 TLS Error: Username (230) or password (14) too long\n```\n\nand the client receives\n\n```\n2024-10-27 10:34:48 AUTH: Received control message: AUTH_FAILED,Username or password is too long. Maximum length is 128 bytes\n```\n\n(the \"-\" 230 is my doing, I removed the abs() call to more clearly see what is being returned).\n\nUpgrading the patch to \"-1\" ;-) - I think the \"TLS INFO:\" line could either be removed (because it\u0027s duplicating the TLS Error: message later) or the `abs()` should go, and the double space before `  long`)","commit_id":"7143f3d32c26b202c24b9e5eb5ec890043144ebf"},{"author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"change_message_id":"44a847f3429a617addd56111e5526820ab7deb5a","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"298dc1ea_10396e5b","updated":"2024-10-26 09:16:15.000000000","message":"This is not working right for me.\n\nI have a client, built with PKCS11 support, that sends a 230 byte username and a short password (11 characters).  On the server side (not built with PKCS11, verified by printing out USER_PASS_LEN at startup), this is using plugin-auth-pam, and it seems to happily pass things onward, in confusing ways\n\n```\n2024-10-26 11:10:24 USER_PASS_LEN\u003d128\n...\nOct 26 11:06:47 gentoo tun-udp-p2mp-global-authpam[1709]: 194.97.140.21:50280 TLS INFO: Username (128) or password (103)  long\nOct 26 11:06:47 gentoo tun-udp-p2mp-global-authpam[1709]: PLUGIN AUTH-PAM: deferred authentication\nOct 26 11:06:47 gentoo tun-udp-p2mp-global-authpam[1709]: 194.97.140.21:50280 TLS: Username/Password authentication deferred for username \u0027ThisUserNameIsTooLongReally_ThisUserNameIsTooLongReally_ThisUserNameIsTooLongReally_ThisUserNameIsTooLongReally_ThisUserNameIsT\u0027 \n```\n\nso it\u0027s not overrunning the buffer, and not getting confused anymore, but it *is* truncating the username to 128 bytes and using \"the rest\" for the password (103 \u003d 230-128).  Turning on password logging in plugin-auth-pam confirms:\n\n```\nOct 26 11:06:47 gentoo openvpn[1711]: PLUGIN AUTH-PAM: BACKGROUND: USER/PASS: ThisUserNameIsTooLongReally_ThisUserNameIsTooLongReally_ThisUserNameIsTooLongReally_ThisUserNameIsTooLongReally_ThisUserNameIsT/ooLongReally_ThisUserNameIsTooLongReally_ThisUserNameIsTooLongReally_ThisUserNameIsTooLongReally_230ch\n```\n\n(the password the client sends is `totallysecret`, and the client username ends in `_230ch`)","commit_id":"7143f3d32c26b202c24b9e5eb5ec890043144ebf"}],"src/openvpn/ssl.c":[{"author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"change_message_id":"a1a24fea9396d8be2040937d26e8a9be605ea0d0","unresolved":true,"context_lines":[{"line_number":2281,"context_line":"    int password_len \u003d read_string(buf, up-\u003epassword, USER_PASS_LEN);"},{"line_number":2282,"context_line":""},{"line_number":2283,"context_line":"    msg(D_TLS_ERRORS, \"TLS INFO: Username (%d) or password (%d)  long\","},{"line_number":2284,"context_line":"        abs(username_len), abs(password_len));"},{"line_number":2285,"context_line":""},{"line_number":2286,"context_line":"    /* get peer info from control channel */"},{"line_number":2287,"context_line":"    free(multi-\u003epeer_info);"}],"source_content_type":"text/x-csrc","patch_set":1,"id":"bdf98e73_25fe4401","line":2284,"updated":"2024-10-26 09:18:16.000000000","message":"I suggest printing the variables without `abs()` so the log is clear *if* there is an overrun - in my case it\u0027s always \"128\", not the expected \"-128\".  But you can\u0027t see that difference or non-difference with the `abs()`...\n\nAlso, there\u0027s an extra space ;-)","commit_id":"7143f3d32c26b202c24b9e5eb5ec890043144ebf"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"0b4935cbc24c395b9ddf583f0e691afa08020ca6","unresolved":true,"context_lines":[{"line_number":2281,"context_line":"    int password_len \u003d read_string(buf, up-\u003epassword, USER_PASS_LEN);"},{"line_number":2282,"context_line":""},{"line_number":2283,"context_line":"    msg(D_TLS_ERRORS, \"TLS INFO: Username (%d) or password (%d)  long\","},{"line_number":2284,"context_line":"        abs(username_len), abs(password_len));"},{"line_number":2285,"context_line":""},{"line_number":2286,"context_line":"    /* get peer info from control channel */"},{"line_number":2287,"context_line":"    free(multi-\u003epeer_info);"}],"source_content_type":"text/x-csrc","patch_set":1,"id":"932858d7_a579b6b4","line":2284,"in_reply_to":"144948ce_63eadfa8","updated":"2024-10-28 13:12:21.000000000","message":"Yeah, sounds good.","commit_id":"7143f3d32c26b202c24b9e5eb5ec890043144ebf"},{"author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"change_message_id":"65b20751c7639ceca3942c9ebf92202d64aa1c6c","unresolved":true,"context_lines":[{"line_number":2281,"context_line":"    int password_len \u003d read_string(buf, up-\u003epassword, USER_PASS_LEN);"},{"line_number":2282,"context_line":""},{"line_number":2283,"context_line":"    msg(D_TLS_ERRORS, \"TLS INFO: Username (%d) or password (%d)  long\","},{"line_number":2284,"context_line":"        abs(username_len), abs(password_len));"},{"line_number":2285,"context_line":""},{"line_number":2286,"context_line":"    /* get peer info from control channel */"},{"line_number":2287,"context_line":"    free(multi-\u003epeer_info);"}],"source_content_type":"text/x-csrc","patch_set":1,"id":"144948ce_63eadfa8","line":2284,"in_reply_to":"801fc40c_ea3a9703","updated":"2024-10-28 10:09:14.000000000","message":"You have two messages there - the \"TLS INFO:\" which is always printed, and only has a negative number if one of the strings is too long.  This is what I\u0027m talking about.\n\nThe second message is the \"TLS Error:\" which is only printed in case of overflow - the abs() is reasonable there.\n\nSo I\u0027d suggest to remove the \"TLS INFO:\" message, because in case of errors it\u0027s just duplicate information, and in case of non-errors, it\u0027s log noise.  No?","commit_id":"7143f3d32c26b202c24b9e5eb5ec890043144ebf"},{"author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"change_message_id":"f845577d8fdb38fcdba79cb1e0365c133ef9b8c5","unresolved":false,"context_lines":[{"line_number":2281,"context_line":"    int password_len \u003d read_string(buf, up-\u003epassword, USER_PASS_LEN);"},{"line_number":2282,"context_line":""},{"line_number":2283,"context_line":"    msg(D_TLS_ERRORS, \"TLS INFO: Username (%d) or password (%d)  long\","},{"line_number":2284,"context_line":"        abs(username_len), abs(password_len));"},{"line_number":2285,"context_line":""},{"line_number":2286,"context_line":"    /* get peer info from control channel */"},{"line_number":2287,"context_line":"    free(multi-\u003epeer_info);"}],"source_content_type":"text/x-csrc","patch_set":1,"id":"2171c946_e254f51c","line":2284,"in_reply_to":"932858d7_a579b6b4","updated":"2024-10-28 13:54:21.000000000","message":"Done","commit_id":"7143f3d32c26b202c24b9e5eb5ec890043144ebf"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"ab983774489c65fec98b5a154d6031747fe04161","unresolved":true,"context_lines":[{"line_number":2281,"context_line":"    int password_len \u003d read_string(buf, up-\u003epassword, USER_PASS_LEN);"},{"line_number":2282,"context_line":""},{"line_number":2283,"context_line":"    msg(D_TLS_ERRORS, \"TLS INFO: Username (%d) or password (%d)  long\","},{"line_number":2284,"context_line":"        abs(username_len), abs(password_len));"},{"line_number":2285,"context_line":""},{"line_number":2286,"context_line":"    /* get peer info from control channel */"},{"line_number":2287,"context_line":"    free(multi-\u003epeer_info);"}],"source_content_type":"text/x-csrc","patch_set":1,"id":"801fc40c_ea3a9703","line":2284,"in_reply_to":"bdf98e73_25fe4401","updated":"2024-10-27 15:17:44.000000000","message":"I think a negative length is more alarming and confusing than a positive one. If you remove the abs(), one of the numbers will always be negative. Since it errors out now anyway and one of them is too long anyway, it is a larger one. I just didn\u0027t want to do all the if/else cases and different messages for password too long and username too long.","commit_id":"7143f3d32c26b202c24b9e5eb5ec890043144ebf"}]}
