From patchwork Sun Jun 3 00:11:58 2018
X-Patchwork-Submitter: Steffan Karger
X-Patchwork-Id: 341
From: Steffan Karger
To: openvpn-devel@lists.sourceforge.net
Date: Sun, 3 Jun 2018 12:11:58 +0200
Message-Id: <1528020718-12721-3-git-send-email-steffan@karger.me>
In-Reply-To: <1528020718-12721-1-git-send-email-steffan@karger.me>
References: <1528020718-12721-1-git-send-email-steffan@karger.me>
Subject: [Openvpn-devel] [PATCH 3/3] Print a --verb 1 warning when a connection uses compression

Can be suppressed by adding a "nowarn" flag to the compress options, for
those that are really sure that compression is fine for their use case.

Signed-off-by: Steffan Karger
---
This patch is also meant to discuss how far we want to go in warning users
about using compression. I think this approach is reasonable, but I'm not
sure everyone agrees.

 doc/openvpn.8      | 11 +++++++++--
 src/openvpn/comp.c | 14 ++++++++++++++
 src/openvpn/comp.h |  1 +
 3 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 9e988b3..21a3c42 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -2500,12 +2500,13 @@ consecutive messages in the same category. This is useful to limit repetitive logging of similar message types. .\"********************************************************* .TP -.B \-\-compress [algorithm] +.B \-\-compress [algorithm] ["nowarn"] Enable a compression algorithm. The .B algorithm -parameter may be empty, "stub", "stub-v2", "lzo", "lz4", or "lz4-v2". +parameter may be empty, "any", "stub", "stub-v2", "lzo", "lz4", or "lz4-v2". +If left empty, OpenVPN defaults to "any". LZO and LZ4 are different compression algorithms, with LZ4 generally offering the best performance with least CPU usage. For backwards compatibility with @@ -2532,6 +2533,12 @@ e.g. the CRIME and BREACH attacks on TLS which also leverage compression to break encryption. If you are not entirely sure that the above does not apply to your traffic, you are advised to *not* enable compression. +If you have carefully considered the above, and are sure that using compression +is safe for your use case, you can add +.B "nowarn" +as the second parameter to suppress warnings about the risk of enabling +compression. + .\"********************************************************* .TP .B \-\-comp\-lzo [mode] diff --git a/src/openvpn/comp.c b/src/openvpn/comp.c index a945913..a34e64a 100644 --- a/src/openvpn/comp.c +++ b/src/openvpn/comp.c @@ -40,6 +40,20 @@ struct compress_context * comp_init(const struct compress_options *opt) { + switch (opt->alg) + { + case COMP_ALG_UNDEF: + case COMP_ALG_STUB: + case COMP_ALGV2_UNCOMPRESSED: + break; + default: + if (!(opt->flags & COMP_F_NOWARN)) + { + msg(M_INFO, "WARNING: Compression enabled, might be insure. " + "See --compress in the man page."); + } + } + struct compress_context *compctx = NULL; switch (opt->alg) { diff --git a/src/openvpn/comp.h b/src/openvpn/comp.h index 0dadd1e..0fa9b10 100644 --- a/src/openvpn/comp.h +++ b/src/openvpn/comp.h 
@@ -56,6 +56,7 @@ #define COMP_F_ASYM (1<<1) /* only downlink is compressed, not uplink */ #define COMP_F_SWAP (1<<2) /* initial command byte is swapped with last byte in buffer to preserve payload alignment */ #define COMP_F_ADVERTISE_STUBS_ONLY (1<<3) /* tell server that we only support compression stubs */ +#define COMP_F_NOWARN (1<<4) /* Suppress warning about insure compression */ /*
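Review bot: the first doc/openvpn.8 hunk adds "any" to the algorithm list and states that an empty parameter defaults to "any", but neither the subject nor the commit message of this patch (3/3) mentions that behaviour; if it belongs to an earlier patch of the series it should move there, otherwise the commit message should describe it. In the second hunk, "nowarn" is documented only as the second parameter of --compress, yet the check added in comp_init() is keyed on opt->alg rather than on which option selected it, so users of --comp-lzo (the entry directly below) will presumably see the same warning; a sentence there on whether and how they can suppress it would close that gap.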
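Review bot: in the src/openvpn/comp.c hunk the message text "Compression enabled, might be insure." should read "insecure". More importantly, nothing in this patch sets COMP_F_NOWARN: the diffstat touches only openvpn.8, comp.c and comp.h, so no option-parsing change maps the documented "nowarn" parameter to the flag, and the suppression the man page promises cannot work as submitted; either include that change here or state in the commit message which patch provides it. Minor: the new switch on opt->alg sits directly above an existing switch on the same value, so the check could be folded into that one instead of dispatching twice.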
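Review bot: the comment on COMP_F_NOWARN in the src/openvpn/comp.h hunk repeats the "insure" typo from the message string; make it "Suppress warning about insecure compression". The bit value (1<<4) does not collide with the COMP_F_* flags shown in context, so the definition itself is fine.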