On 12.12.22 at 13:03, Gert Doering wrote:
> Hi,
>
> On Sat, Nov 26, 2022 at 05:26:48PM +0100, Max Fillinger wrote:
> > The current code only checks if the base64-encoded metadata is at most
> > 980 characters. However, that can encode up to 735 bytes of data, while
> > only up to 733 bytes are allowed. When passing 734 or 735 bytes, openvpn
> > prints a misleading error message saying that the base64 cannot be
> > decoded.
> >
> > This patch checks the decoded length to show an accurate error message.
>
> This patch looks overly complex to me for "change 735 to 733" - could
> you (or Arne) explain the change a bit better?
>
> (I see that the patch has an ACK, so this is not a showstopper, just
> me being confused)
Problem is that base64 does padding. So e.g.
a => YQ==
ab => YWI=
abc => YWJj
So checking the length of the base64 gives you only something that is
rounded up to the next 3 bytes (base64 encodes 3 bytes to 4 bytes).
So if you have a limit like 733, you need to actually decode the base64
to check if it is short enough. The alternative would be to only allow
732 bytes, so we could check the base64 length again or use 735 bytes
and use a maximum tls-crypt wrapped key size of 1026 bytes (which sounds
a bit weird)
Arne
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
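The padding argument above, as an added example that is not part of the thread or of OpenVPN's source (the macro and function names, and the zero-byte sample input, are assumptions): 733, 734 and 735 metadata bytes all encode to exactly 980 base64 characters, so a check on the text length alone cannot enforce a 733-byte limit, and only the decoded length separates "too long" from "not valid base64".

```c
#include <string.h>
/* Limits as discussed in the thread; the macro and function names are assumptions, not OpenVPN's. */
#define MAX_METADATA_BYTES 733  /* largest decoded metadata length allowed */
#define MAX_METADATA_B64   980  /* base64 text length the original check enforced */
enum metadata_status { METADATA_OK, METADATA_B64_TOO_LONG, METADATA_BAD_B64, METADATA_TOO_LONG };

/* Padded base64 length of n bytes: 4 characters per 3-byte group, rounded up. */
size_t b64_encoded_len(size_t n)
{
    return 4 * ((n + 2) / 3);
}

/* Constructed input: padded base64 of n zero bytes ('A' encodes six zero bits). */
const char *zero_metadata_b64(size_t n)
{
    static char buf[1024];
    size_t len = b64_encoded_len(n), pad = (3 - n % 3) % 3;
    if (len >= sizeof(buf)) return "";
    memset(buf, 'A', len - pad);
    memset(buf + len - pad, '=', pad);
    buf[len] = '\0';
    return buf;
}

/* Byte count a padded base64 string decodes to, or -1 if malformed. A real decoder,
 * as the patch uses, yields the same count for valid input. */
long b64_decoded_len(const char *s)
{
    size_t len = strlen(s), pad = 0, i;
    if (len == 0 || len % 4 != 0) return -1;
    if (s[len - 1] == '=') pad++;
    if (pad && s[len - 2] == '=') pad++;
    for (i = 0; i < len - pad; i++) {
        char c = s[i];
        if (!((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
              (c >= '0' && c <= '9') || c == '+' || c == '/'))
            return -1;
    }
    return (long)(len / 4 * 3 - pad);
}

/* Check in the spirit of the patch: text length, then decodability, then decoded
 * length, so each failure gets an accurate status rather than "cannot decode". */
enum metadata_status check_metadata_b64(const char *s)
{
    long n;
    if (strlen(s) > MAX_METADATA_B64) return METADATA_B64_TOO_LONG;
    n = b64_decoded_len(s);
    if (n < 0) return METADATA_BAD_B64;
    return n > MAX_METADATA_BYTES ? METADATA_TOO_LONG : METADATA_OK;
}
```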