)]}'
{"id":"openvpn~787","triplet_id":"openvpn~master~I60f02c919767eb8f1b95253689a8233f5f68621d","project":"openvpn","branch":"master","attention_set":{},"removed_from_attention_set":{"1000003":{"account":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"last_update":"2024-10-28 15:42:40.000000000","reason":"Change was submitted"},"1000002":{"account":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"last_update":"2024-10-28 13:54:21.000000000","reason":"\u003cGERRIT_ACCOUNT_1000002\u003e replied on the change","reason_account":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"}},"1000001":{"account":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"last_update":"2024-10-28 15:42:40.000000000","reason":"Change was submitted"}},"hashtags":[],"change_id":"I60f02c919767eb8f1b95253689a8233f5f68621d","subject":"Refuse clients if username or password is longer than USER_PASS_LEN","status":"MERGED","created":"2024-10-25 14:45:31.000000000","updated":"2024-10-28 15:42:40.000000000","submitted":"2024-10-28 15:42:40.000000000","submitter":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"total_comment_count":7,"unresolved_comment_count":0,"has_review_started":true,"submission_id":"787","meta_rev_id":"ae6470a293243f06bda4d2df42ee9d676781b584","_number":787,"virtual_id_number":787,"owner":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"actions":{},"labels":{"Code-Review":{"all":[{"value":0,"_account_id":1000002,"name":"cron2","display_name":"Gert 
Doering","email":"gert@greenie.muc.de","username":"cron2"}],"values":{"-2":"This shall not be submitted","-1":"I would prefer this is not submitted as is"," 0":"No score","+1":"Looks good to me, but someone else must approve","+2":"Looks good to me, approved"},"default_value":0}},"removable_reviewers":[{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."}],"reviewers":{"REVIEWER":[{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"}],"CC":[{"_account_id":1000026,"name":"openvpn-devel","email":"openvpn-devel@lists.sourceforge.net","username":"openvpn-devel"}]},"pending_reviewers":{},"reviewer_updates":[{"updated":"2024-10-25 14:45:32.000000000","updated_by":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"reviewer":{"_account_id":1000026,"name":"openvpn-devel","email":"openvpn-devel@lists.sourceforge.net","username":"openvpn-devel"},"state":"CC"},{"updated":"2024-10-25 14:45:32.000000000","updated_by":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"reviewer":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"state":"REVIEWER"},{"updated":"2024-10-26 09:16:15.000000000","updated_by":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"reviewer":{"_account_id":1000002,"name":"cron2","display_name":"Gert 
Doering","email":"gert@greenie.muc.de","username":"cron2"},"state":"REVIEWER"}],"messages":[{"id":"fc6cf52250315fea6047a77bd46eaa38e4f1c209","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"date":"2024-10-25 14:45:31.000000000","message":"Uploaded patch set 1.","accounts_in_message":[],"_revision_number":1},{"id":"44a847f3429a617addd56111e5526820ab7deb5a","author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"date":"2024-10-26 09:16:15.000000000","message":"Patch Set 1: Code-Review-2\n\n(1 comment)","accounts_in_message":[],"_revision_number":1},{"id":"a1a24fea9396d8be2040937d26e8a9be605ea0d0","author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"date":"2024-10-26 09:18:16.000000000","message":"Patch Set 1:\n\n(1 comment)","accounts_in_message":[],"_revision_number":1},{"id":"2e0fdb79af56cbe699cb4ff88665df94ad459b1e","author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"date":"2024-10-27 09:41:32.000000000","message":"Patch Set 1: Code-Review-1\n\n(1 comment)","accounts_in_message":[],"_revision_number":1},{"id":"ab983774489c65fec98b5a154d6031747fe04161","author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"date":"2024-10-27 15:17:44.000000000","message":"Patch Set 1:\n\n(1 comment)","accounts_in_message":[],"_revision_number":1},{"id":"65b20751c7639ceca3942c9ebf92202d64aa1c6c","author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"date":"2024-10-28 10:09:14.000000000","message":"Patch Set 1:\n\n(1 
comment)","accounts_in_message":[],"_revision_number":1},{"id":"0b4935cbc24c395b9ddf583f0e691afa08020ca6","author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"date":"2024-10-28 13:12:21.000000000","message":"Patch Set 1:\n\n(1 comment)","accounts_in_message":[],"_revision_number":1},{"id":"f89be01a5a5f97202b673843a92465cbe1b854e0","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"date":"2024-10-28 13:48:22.000000000","message":"Uploaded patch set 2.\n\nOutdated Votes:\n* Code-Review-1 (copy condition: \"changekind:NO_CHANGE OR changekind:TRIVIAL_REBASE OR is:MIN\")\n","accounts_in_message":[],"_revision_number":2},{"id":"f845577d8fdb38fcdba79cb1e0365c133ef9b8c5","author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"date":"2024-10-28 13:54:21.000000000","message":"Patch Set 2: Code-Review+2\n\n(1 comment)","accounts_in_message":[],"_revision_number":2},{"id":"ae6470a293243f06bda4d2df42ee9d676781b584","tag":"autogenerated:gerrit:merged","author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"date":"2024-10-28 15:42:40.000000000","message":"Change has been successfully pushed.","accounts_in_message":[],"_revision_number":3}],"current_revision_number":3,"current_revision":"a7f80d402fb95df3c58a8fc5d12cdb8f39c37d3e","revisions":{"7143f3d32c26b202c24b9e5eb5ec890043144ebf":{"kind":"REWORK","_number":1,"created":"2024-10-25 14:45:31.000000000","uploader":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"ref":"refs/changes/87/787/1","fetch":{"anonymous 
http":{"url":"http://gerrit.openvpn.net/openvpn","ref":"refs/changes/87/787/1","commands":{"Branch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/87/787/1 \u0026\u0026 git checkout -b change-787 FETCH_HEAD","Checkout":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/87/787/1 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/87/787/1 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/87/787/1 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull http://gerrit.openvpn.net/openvpn refs/changes/87/787/1","Reset To":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/87/787/1 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"37db7fe37afb555de651314a04c537fd7fbaa280","subject":"t_server_null: forcibly kill misbehaving servers"}],"author":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2024-10-25 14:37:01.000000000","tz":120},"committer":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2024-10-25 14:45:17.000000000","tz":120},"subject":"Refuse clients if username or password is \u003e USER_PASS_LEN","message":"Refuse clients if username or password is \u003e USER_PASS_LEN\n\nWhen OpenVPN is compiled without PKCS11 support USER_PASS_LEN is 128\nbytes. If we encounter a username larger than this length we would\nonly read the 2 bytes length header of the username/password.  We did\nthen also NOT skip the username or password field meaning that we would\ncontinue reading the rest of the packet at the wrong offset and get\ngarbage results like not having peerinfo and then rejecting a client\nbecause of no common cipher or missing data v2 support.\n\nThis will tell the client that username/password is too regardless\nof whether password/username authentication is used.  
This way we\ndo not leak if username/password authentication is active.\n\nTo reproduce this issue have the server compiled with a USER_PASS_LEN\nset to 128 (e.g. without pkcs11 or manually adjusting the define) and\nhave the client with a larger USER_PASS_LEN to actually be able to\nsend the larger password.\n\nUsing the openvpn3 test client with overlong username/password also\nworks.\n\nChange-Id: I60f02c919767eb8f1b95253689a8233f5f68621d\nSigned-off-by: Arne Schwabe \u003carne@rfc2549.org\u003e\n"},"branch":"refs/heads/master"},"ada74f9e34bffd2af68872088f8cf4c04f8ae75b":{"kind":"REWORK","_number":2,"created":"2024-10-28 13:48:22.000000000","uploader":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"ref":"refs/changes/87/787/2","fetch":{"anonymous http":{"url":"http://gerrit.openvpn.net/openvpn","ref":"refs/changes/87/787/2","commands":{"Branch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/87/787/2 \u0026\u0026 git checkout -b change-787 FETCH_HEAD","Checkout":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/87/787/2 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/87/787/2 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/87/787/2 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull http://gerrit.openvpn.net/openvpn refs/changes/87/787/2","Reset To":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/87/787/2 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"37db7fe37afb555de651314a04c537fd7fbaa280","subject":"t_server_null: forcibly kill misbehaving servers"}],"author":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2024-10-25 14:37:01.000000000","tz":120},"committer":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2024-10-28 
13:42:32.000000000","tz":60},"subject":"Refuse clients if username or password is longer than USER_PASS_LEN","message":"Refuse clients if username or password is longer than USER_PASS_LEN\n\nWhen OpenVPN is compiled without PKCS11 support USER_PASS_LEN is 128\nbytes. If we encounter a username larger than this length, we would\nonly read the 2 bytes length header of the username/password.  We did\nthen also NOT skip the username or password field meaning that we would\ncontinue reading the rest of the packet at the wrong offset and get\ngarbage results like not having peerinfo and then rejecting a client\nbecause of no common cipher or missing data v2 support.\n\nThis will tell the client that username/password is too regardless\nof whether password/username authentication is used.  This way we\ndo not leak if username/password authentication is active.\n\nTo reproduce this issue have the server compiled with a USER_PASS_LEN\nset to 128 (e.g. without pkcs11 or manually adjusting the define) and\nhave the client with a larger USER_PASS_LEN to actually be able to\nsend the larger password. 
The server must also be set to use only\ncertificate authentication while the client must use certificates\nand auth-user-pass because otherwise the user/pass verification will\nreject the empty credentials.\n\nUsing the openvpn3 test client with overlong username/password also\nworks.\n\nChange-Id: I60f02c919767eb8f1b95253689a8233f5f68621d\nSigned-off-by: Arne Schwabe \u003carne@rfc2549.org\u003e\n"},"branch":"refs/heads/master"},"a7f80d402fb95df3c58a8fc5d12cdb8f39c37d3e":{"kind":"TRIVIAL_REBASE_WITH_MESSAGE_UPDATE","_number":3,"created":"2024-10-28 15:42:40.000000000","uploader":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"ref":"refs/changes/87/787/3","fetch":{"anonymous http":{"url":"http://gerrit.openvpn.net/openvpn","ref":"refs/changes/87/787/3","commands":{"Branch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/87/787/3 \u0026\u0026 git checkout -b change-787 FETCH_HEAD","Checkout":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/87/787/3 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/87/787/3 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/87/787/3 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull http://gerrit.openvpn.net/openvpn refs/changes/87/787/3","Reset To":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/87/787/3 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"5dd1b8b06335831206077a1eb4aa81c3ceb3f3ee","subject":"t_server_null: use wait instead of marker files"}],"author":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2024-10-28 13:55:04.000000000","tz":60},"committer":{"name":"Gert Doering","email":"gert@greenie.muc.de","date":"2024-10-28 14:24:20.000000000","tz":60},"subject":"Refuse clients if username or password is longer than USER_PASS_LEN","message":"Refuse 
clients if username or password is longer than USER_PASS_LEN\n\nWhen OpenVPN is compiled without PKCS11 support USER_PASS_LEN is 128\nbytes. If we encounter a username larger than this length, we would\nonly read the 2 bytes length header of the username/password.  We did\nthen also NOT skip the username or password field meaning that we would\ncontinue reading the rest of the packet at the wrong offset and get\ngarbage results like not having peerinfo and then rejecting a client\nbecause of no common cipher or missing data v2 support.\n\nThis will tell the client that username/password is too long regardless\nof whether password/username authentication is used.  This way we\ndo not leak whether username/password authentication is active.\n\nTo reproduce this issue have the server compiled with a USER_PASS_LEN\nset to 128 (e.g. without pkcs11 or manually adjusting the define) and\nhave the client with a larger USER_PASS_LEN to actually be able to\nsend the larger password. The server must also be set to use only\ncertificate authentication while the client must use certificates\nand auth-user-pass because otherwise the user/pass verification will\nreject the empty credentials.\n\nUsing the openvpn3 test client with overlong username/password also\nworks.\n\nChange-Id: I60f02c919767eb8f1b95253689a8233f5f68621d\nSigned-off-by: Arne Schwabe \u003carne@rfc2549.org\u003e\nAcked-by: Gert Doering \u003cgert@greenie.muc.de\u003e\nMessage-Id: \u003c20241028135505.28651-1-gert@greenie.muc.de\u003e\nURL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29675.html\nSigned-off-by: Gert Doering \u003cgert@greenie.muc.de\u003e\n"},"branch":"refs/heads/master"}},"requirements":[],"submit_records":[],"submit_requirements":[]}
