From patchwork Sun Jun 3 00:11:57 2018
X-Patchwork-Submitter: Steffan Karger
X-Patchwork-Id: 339
From: Steffan Karger
To: openvpn-devel@lists.sourceforge.net
Date: Sun, 3 Jun 2018 12:11:57 +0200
Message-Id: <1528020718-12721-2-git-send-email-steffan@karger.me>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1528020718-12721-1-git-send-email-steffan@karger.me>
References: <1528020718-12721-1-git-send-email-steffan@karger.me>
Subject: [Openvpn-devel] [PATCH 2/3] Reject unadvertised compression algorithms

A server should not push us compression algorithms we didn't specify. If the server does so anyway, reject the compression algorithm. This will result in a warning being printed, and a non-working connection being set up.

This is currently our way to "handle push/pull errors", which should probably be improved. But I didn't want to refactor that in this patch.

Signed-off-by: Steffan Karger
---
 doc/openvpn.8         | 16 +++++++---
 src/openvpn/options.c | 85 ++++++++++++++++++++++++++++++++-------------------
 2 files changed, 65 insertions(+), 36 deletions(-)

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 0e5d467..9e988b3 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8 @@ -2505,11 +2505,12 @@ Enable a compression algorithm. The .B algorithm -parameter may be "lzo", "lz4", or empty. LZO and LZ4 -are different compression algorithms, with LZ4 generally -offering the best performance with least CPU usage. -For backwards compatibility with OpenVPN versions before v2.4, use "lzo" -(which is identical to the older option "\-\-comp\-lzo yes"). +parameter may be empty, "stub", "stub-v2", "lzo", "lz4", or "lz4-v2". + +LZO and LZ4 are different compression algorithms, with LZ4 generally offering +the best performance with least CPU usage. For backwards compatibility with +OpenVPN versions before v2.4, use "lzo" (which is identical to the older option +"\-\-comp\-lzo yes"). If the .B algorithm @@ -2517,6 +2518,11 @@ parameter is empty, compression will be turned off, but the packet framing for compression will still be enabled, allowing a different setting to be pushed later. +If the +.B algorithm +parameter is "stub" or "stub-v2", compression framing is enabled, but no +compression will be used (even if pushed by the server). + .B Security Considerations Compression and encryption is a tricky combination. If an attacker knows or is diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 426057a..ad44f8e 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -7354,50 +7354,73 @@ add_option(struct options *options, VERIFY_PERMISSION(OPT_P_COMP); options->comp.flags &= ~COMP_F_ADAPTIVE; } - else if (streq(p[0], "compress") && !p[2]) + else if (streq(p[0], "compress") && !p[3]) { VERIFY_PERMISSION(OPT_P_COMP); - if (p[1]) + + /* Reset all compression flags, except "stubs only" and "no warn" if + * this option was pushed. */ + if (streq(file, "[PUSH-OPTIONS]")) + { + options->comp.flags = options->comp.flags + & (COMP_F_ADVERTISE_STUBS_ONLY|COMP_F_NOWARN); + } + + /* Parse supplied compression options */ + if (!p[1]) { - if (streq(p[1], "stub")) + options->comp.alg = COMP_ALG_STUB; + options->comp.flags |= COMP_F_SWAP; + } + else if (streq(p[1], "stub")) + { + options->comp.alg = COMP_ALG_STUB; + options->comp.flags |= COMP_F_SWAP; + if (!streq(file, "[PUSH-OPTIONS]")) { - options->comp.alg = COMP_ALG_STUB; - options->comp.flags = (COMP_F_SWAP|COMP_F_ADVERTISE_STUBS_ONLY); + options->comp.flags |= COMP_F_ADVERTISE_STUBS_ONLY; } - else if (streq(p[1], "stub-v2")) + } + else if (streq(p[1], "stub-v2")) + { + options->comp.alg = COMP_ALGV2_UNCOMPRESSED; + if (!streq(file, "[PUSH-OPTIONS]")) { - options->comp.alg = COMP_ALGV2_UNCOMPRESSED; - options->comp.flags = COMP_F_ADVERTISE_STUBS_ONLY; + options->comp.flags |= COMP_F_ADVERTISE_STUBS_ONLY; } + } + else if (options->comp.flags & COMP_F_ADVERTISE_STUBS_ONLY) + { + /* Reject pushed compression algorithms if explicitly disabled */ + msg(msglevel, "Enabling compression not allowed!"); + goto err; + } #if defined(ENABLE_LZO) - else if (streq(p[1], "lzo")) - { - options->comp.alg = COMP_ALG_LZO; - options->comp.flags = 0; - } + else if (streq(p[1], "lzo")) + { + options->comp.alg = COMP_ALG_LZO; + } #endif #if defined(ENABLE_LZ4) - else if (streq(p[1], "lz4")) - { - options->comp.alg = COMP_ALG_LZ4; - options->comp.flags = COMP_F_SWAP; - } - else if (streq(p[1], "lz4-v2")) - { - options->comp.alg = COMP_ALGV2_LZ4; - options->comp.flags = 0; - } -#endif - else - { - 
msg(msglevel, "bad comp option: %s", p[1]); - goto err; - } + else if (streq(p[1], "lz4")) + { + options->comp.alg = COMP_ALG_LZ4; + options->comp.flags |= COMP_F_SWAP; } + else if (streq(p[1], "lz4-v2")) + { + options->comp.alg = COMP_ALGV2_LZ4; + } +#endif else { - options->comp.alg = COMP_ALG_STUB; - options->comp.flags = COMP_F_SWAP; + msg(msglevel, "bad comp option: %s", p[1]); + goto err; + } + + if (p[2] && streq(p[2], "nowarn")) + { + options->comp.flags |= COMP_F_NOWARN; } } #endif /* USE_COMP */
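Review bot: the new paragraph for "stub" and "stub-v2" in the doc/openvpn.8 hunk says that no compression will be used "(even if pushed by the server)", which reads as if a pushed algorithm is silently ignored, while the options.c change and the commit message make it a hard rejection: the pushed "compress" line fails with "Enabling compression not allowed!" and, as the commit message says, the result is a warning and a non-working connection. Consider stating that outcome in the man page, e.g. "no compression will be used; a compression algorithm pushed by the server is rejected and the connection will not work", so an administrator who configures "stub" on the client understands that a server pushing "compress lz4" is incompatible with it rather than merely ignored.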
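Review bot: in the options.c hunk the flag reset is only applied when the option comes from "[PUSH-OPTIONS]", so a local config that lists "compress" more than once now carries flags from the earlier line into the later one, which the old code never did: every removed branch assigned the flags outright ("options->comp.flags = 0;" for lzo, "options->comp.flags = COMP_F_SWAP;" for lz4), whereas the new branches only OR bits in. Concretely, "compress lz4" followed by "compress lzo" leaves COMP_F_SWAP set together with COMP_ALG_LZO, and "compress stub" followed by "compress lz4" takes the new "else if (options->comp.flags & COMP_F_ADVERTISE_STUBS_ONLY)" branch and fails with "Enabling compression not allowed!", a message and comment written for the pushed case. Consider clearing COMP_F_SWAP for local options as well and gating the rejection on streq(file, "[PUSH-OPTIONS]"), so that a later local "compress" line still overrides an earlier one and only a server push is refused. Separately, relaxing "!p[2]" to "!p[3]" together with "if (p[2] && streq(p[2], "nowarn"))" means any second argument other than "nowarn" is now accepted and silently ignored, where before it was an error; an else branch that reports it as a bad option would keep typos from going unnoticed.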