1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
|
diff --git a/src/openvpn/buffer.h b/src/openvpn/buffer.h
index cea4af6b..519cfffc 100644
--- a/src/openvpn/buffer.h
+++ b/src/openvpn/buffer.h
@@ -27,7 +27,7 @@
#include "basic.h"
#include "error.h"
-#define BUF_SIZE_MAX 1000000
+#define BUF_SIZE_MAX 1 << 21
/*
* Define verify_align function, otherwise
diff --git a/src/openvpn/common.h b/src/openvpn/common.h
index 3a84541c..61ee72e0 100644
--- a/src/openvpn/common.h
+++ b/src/openvpn/common.h
@@ -66,7 +66,7 @@ typedef unsigned long ptr_type;
* maximum size of a single TLS message (cleartext).
* This parameter must be >= PUSH_BUNDLE_SIZE
*/
-#define TLS_CHANNEL_BUF_SIZE 2048
+#define TLS_CHANNEL_BUF_SIZE 1 << 18
/* TLS control buffer minimum size
*
diff --git a/src/openvpn/error.h b/src/openvpn/error.h
index ab2872ae..cb0c68eb 100644
--- a/src/openvpn/error.h
+++ b/src/openvpn/error.h
@@ -34,7 +34,10 @@
#if defined(ENABLE_PKCS11) || defined(ENABLE_MANAGEMENT)
#define ERR_BUF_SIZE 10240
#else
-#define ERR_BUF_SIZE 1280
+/*
+ * Increase the error buffer size to 256 KB.
+ */
+#define ERR_BUF_SIZE 1 << 18
#endif
struct gc_arena;
diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c
index feb32274..a0361de6 100644
--- a/src/openvpn/manage.c
+++ b/src/openvpn/manage.c
@@ -2245,7 +2245,7 @@ man_read(struct management *man)
/*
* read command line from socket
*/
- unsigned char buf[256];
+ unsigned char buf[MANAGEMENT_SOCKET_READ_BUFFER_SIZE];
int len = 0;
#ifdef TARGET_ANDROID
@@ -2581,7 +2581,7 @@ man_connection_init(struct management *man)
* Allocate helper objects for command line input and
* command output from/to the socket.
*/
- man->connection.in = command_line_new(1024);
+ man->connection.in = command_line_new(COMMAND_LINE_OPTION_BUFFER_SIZE);
man->connection.out = buffer_list_new();
/*
diff --git a/src/openvpn/manage.h b/src/openvpn/manage.h
index 18965108..50c3493b 100644
--- a/src/openvpn/manage.h
+++ b/src/openvpn/manage.h
@@ -58,6 +58,9 @@
#define MANAGEMENT_ECHO_BUFFER_SIZE 100
#define MANAGEMENT_STATE_BUFFER_SIZE 100
+#define COMMAND_LINE_OPTION_BUFFER_SIZE OPTION_PARM_SIZE
+#define MANAGEMENT_SOCKET_READ_BUFFER_SIZE OPTION_PARM_SIZE
+
/*
* Management-interface-based deferred authentication
*/
diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h
index 24a1ca56..5157b75c 100644
--- a/src/openvpn/misc.h
+++ b/src/openvpn/misc.h
@@ -65,7 +65,10 @@ struct user_pass
#ifdef ENABLE_PKCS11
#define USER_PASS_LEN 4096
#else
-#define USER_PASS_LEN 128
+/*
+ * Increase the username and password length size to 128KB.
+ */
+#define USER_PASS_LEN 1 << 17
#endif
/* Note that username and password are expected to be null-terminated */
char username[USER_PASS_LEN];
diff --git a/src/openvpn/options.h b/src/openvpn/options.h
index e85d8062..f53149f1 100644
--- a/src/openvpn/options.h
+++ b/src/openvpn/options.h
@@ -54,8 +54,8 @@
/*
* Max size of options line and parameter.
*/
-#define OPTION_PARM_SIZE 256
-#define OPTION_LINE_SIZE 256
+#define OPTION_PARM_SIZE USER_PASS_LEN
+#define OPTION_LINE_SIZE OPTION_PARM_SIZE
extern const char title_string[];
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 6aa10515..c3335fca 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -1936,7 +1936,7 @@ tls_session_soft_reset(struct tls_multi *tls_multi)
static bool
write_empty_string(struct buffer *buf)
{
- if (!buf_write_u16(buf, 0))
+ if (!buf_write_u32(buf, 0))
{
return false;
}
@@ -1951,7 +1951,7 @@ write_string(struct buffer *buf, const char *str, const int maxlen)
{
return false;
}
- if (!buf_write_u16(buf, len))
+ if (!buf_write_u32(buf, len))
{
return false;
}
@@ -2291,6 +2291,10 @@ key_method_2_write(struct buffer *buf, struct tls_multi *multi, struct tls_sessi
p2p_mode_ncp(multi, session);
}
+ // Write key length in the first 4 octets of the buffer.
+ uint32_t length = BLEN(buf);
+ memcpy(buf->data, &length, sizeof(length));
+
return true;
error:
|