Use USER_PASS_LEN instead of TLS_USERNAME_LEN for override-username

Currently override-username is artificially restricted to the length of TLS common-name (64) for the corner case of using username-as-common-name, which we explicitly do not recommend to use. Do away with that limitation and only error out on longer usernames when username-as-common-name is actually in effect. Change-Id: I1c2c050dd160746a0f8d9c234abe1e258bc8e48d Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20250402134546.3504-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31323.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
2026-05-28 04:03:29 -04:00 · 2025-04-02 15:45:39 +02:00 · 2025-04-02 15:45:39 +02:00 · bb8f2e373c
commit bb8f2e373c
parent b60d2bb98c
4 changed files with 42 additions and 7 deletions
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@ -2705,6 +2705,12 @@ override_locked_username(struct multi_instance *mi)
    if (!multi->locked_original_username
        && strcmp(multi->locked_username, options->override_username) != 0)
    {
+        /* Check if the username length is acceptable */
+        if (!ssl_verify_username_length(session, options->override_username))
+        {
+            return false;
+        }
+
        multi->locked_original_username = multi->locked_username;
        multi->locked_username = strdup(options->override_username);

--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@ -7880,10 +7880,10 @@ add_option(struct options *options,
    else if (streq(p[0], "override-username") && p[1] && !p[2])
    {
        VERIFY_PERMISSION(OPT_P_INSTANCE);
-        if (strlen(p[1]) > TLS_USERNAME_LEN)
+        if (strlen(p[1]) > USER_PASS_LEN)
        {
            msg(msglevel, "override-username exceeds the maximum length of %d "
-                "characters", TLS_USERNAME_LEN);
+                "characters", USER_PASS_LEN);

            /* disable the connection since ignoring the request to
             * set another username might cause serious problems */
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@ -1568,6 +1568,24 @@ set_verify_user_pass_env(struct user_pass *up, struct tls_multi *multi,
    }
 }

+bool
+ssl_verify_username_length(struct tls_session *session, const char *username)
+{
+    if ((session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME)
+        && strlen(username) > TLS_USERNAME_LEN)
+    {
+        msg(D_TLS_ERRORS,
+            "TLS Auth Error: --username-as-common name specified and "
+            "username is longer than the maximum permitted Common Name "
+            "length of %d characters", TLS_USERNAME_LEN);
+        return false;
+    }
+    else
+    {
+        return true;
+    }
+}
+
 /**
 * Main username/password verification entry point
 *
@ -1689,15 +1707,12 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi,
    }

    /* check sizing of username if it will become our common name */
-    if ((session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME)
-        && strlen(up->username)>TLS_USERNAME_LEN)
+    if (!ssl_verify_username_length(session, up->username))
    {
-        msg(D_TLS_ERRORS,
-            "TLS Auth Error: --username-as-common name specified and username is longer than the maximum permitted Common Name length of %d characters",
-            TLS_USERNAME_LEN);
        plugin_status = OPENVPN_PLUGIN_FUNC_ERROR;
        script_status = OPENVPN_PLUGIN_FUNC_ERROR;
    }
+
    /* auth succeeded? */
    bool plugin_ok = plugin_status == OPENVPN_PLUGIN_FUNC_SUCCESS
                     || plugin_status == OPENVPN_PLUGIN_FUNC_DEFERRED;
--- a/src/openvpn/ssl_verify.h
+++ b/src/openvpn/ssl_verify.h
@ -192,6 +192,20 @@ void verify_user_pass(struct user_pass *up, struct tls_multi *multi,
                      struct tls_session *session);


+/**
+ * Checks if the username length is valid to use.  This checks when
+ * username-as-common-name is active if the username is shorter than
+ * the maximum TLS common name length (64).
+ *
+ * It will also display an error message if the name is too long
+ *
+ * @param session       current TLS session
+ * @param username      username to check
+ * @return              true if name is under limit or username-as-common-name
+ *                      is not active
+ */
+bool ssl_verify_username_length(struct tls_session *session,
+                                const char *username);

 /**
 * Runs the --client-crresponse script if one is defined.