openvpn-v2.5.1-aws.patch

diff --git a/src/openvpn/buffer.h b/src/openvpn/buffer.h
index 1722ffd5..640564bb 100644
--- a/src/openvpn/buffer.h
+++ b/src/openvpn/buffer.h
@@ -27,7 +27,7 @@
 #include "basic.h"
 #include "error.h"

-#define BUF_SIZE_MAX 1000000
+#define BUF_SIZE_MAX 1 << 21

 /*
  * Define verify_align function, otherwise
diff --git a/src/openvpn/common.h b/src/openvpn/common.h
index 623b3e0d..ce53f614 100644
--- a/src/openvpn/common.h
+++ b/src/openvpn/common.h
@@ -75,7 +75,7 @@ typedef unsigned long ptr_type;
  * maximum size of a single TLS message (cleartext).
  * This parameter must be >= PUSH_BUNDLE_SIZE
  */
-#define TLS_CHANNEL_BUF_SIZE 2048
+#define TLS_CHANNEL_BUF_SIZE 1 << 18

 /*
  * This parameter controls the maximum size of a bundle
diff --git a/src/openvpn/error.h b/src/openvpn/error.h
index eaedf172..782ba30c 100644
--- a/src/openvpn/error.h
+++ b/src/openvpn/error.h
@@ -36,7 +36,10 @@
 #ifdef ENABLE_PKCS11
 #define ERR_BUF_SIZE 8192
 #else
-#define ERR_BUF_SIZE 1280
+/*
+ * Increase the error buffer size to 256 KB.
+ */
+#define ERR_BUF_SIZE 1 << 18
 #endif

 struct gc_arena;
diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c
index d86b6a79..d979a441 100644
--- a/src/openvpn/manage.c
+++ b/src/openvpn/manage.c
@@ -2240,7 +2240,7 @@ man_read(struct management *man)
     /*
      * read command line from socket
      */
-    unsigned char buf[256];
+    unsigned char buf[MANAGEMENT_SOCKET_READ_BUFFER_SIZE];
     int len = 0;

 #ifdef TARGET_ANDROID
@@ -2580,7 +2580,7 @@ man_connection_init(struct management *man)
          * Allocate helper objects for command line input and
          * command output from/to the socket.
          */
-        man->connection.in = command_line_new(1024);
+        man->connection.in = command_line_new(COMMAND_LINE_OPTION_BUFFER_SIZE);
         man->connection.out = buffer_list_new(0);

         /*
diff --git a/src/openvpn/manage.h b/src/openvpn/manage.h
index 881bfb14..3f12a82a 100644
--- a/src/openvpn/manage.h
+++ b/src/openvpn/manage.h
@@ -37,6 +37,9 @@
 #define MANAGEMENT_ECHO_BUFFER_SIZE           100
 #define MANAGEMENT_STATE_BUFFER_SIZE          100

+#define COMMAND_LINE_OPTION_BUFFER_SIZE OPTION_PARM_SIZE
+#define MANAGEMENT_SOCKET_READ_BUFFER_SIZE OPTION_PARM_SIZE
+
 /*
  * Management-interface-based deferred authentication
  */
diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h
index e4342b0d..e3900b7d 100644
--- a/src/openvpn/misc.h
+++ b/src/openvpn/misc.h
@@ -69,7 +69,10 @@ struct user_pass
 #ifdef ENABLE_PKCS11
 #define USER_PASS_LEN 4096
 #else
-#define USER_PASS_LEN 128
+/*
+ * Increase the username and password length size to 128KB.
+ */
+#define USER_PASS_LEN 1 << 17
 #endif
     char username[USER_PASS_LEN];
     char password[USER_PASS_LEN];
diff --git a/src/openvpn/options.h b/src/openvpn/options.h
index 877e9396..c385d135 100644
--- a/src/openvpn/options.h
+++ b/src/openvpn/options.h
@@ -53,8 +53,8 @@
 /*
  * Max size of options line and parameter.
  */
-#define OPTION_PARM_SIZE 256
-#define OPTION_LINE_SIZE 256
+#define OPTION_PARM_SIZE USER_PASS_LEN
+#define OPTION_LINE_SIZE OPTION_PARM_SIZE

 extern const char title_string[];

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index d7494c2b..addb2769 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -2110,7 +2110,7 @@ key_state_soft_reset(struct tls_session *session)
 static bool
 write_empty_string(struct buffer *buf)
 {
-    if (!buf_write_u16(buf, 0))
+    if (!buf_write_u32(buf, 0))
     {
         return false;
     }
@@ -2125,7 +2125,7 @@ write_string(struct buffer *buf, const char *str, const int maxlen)
     {
         return false;
     }
-    if (!buf_write_u16(buf, len))
+    if (!buf_write_u32(buf, len))
     {
         return false;
     }
@@ -2403,6 +2403,10 @@ key_method_2_write(struct buffer *buf, struct tls_session *session)
         }
     }

+    // Write key length in the first 4 octets of the buffer.
+    uint32_t length = BLEN(buf);
+    memcpy(buf->data, &length, sizeof(length));
+
     return true;

 error: