From patchwork Fri Sep 3 23:56:25 2021
X-Patchwork-Submitter: Antonio Quartulli
X-Patchwork-Id: 1941
From: Antonio Quartulli
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 4 Sep 2021 11:56:25 +0200
Message-Id: <20210904095629.6273-4-a@unstable.cc>
In-Reply-To: <20210904095629.6273-1-a@unstable.cc>
References: <20210904095629.6273-1-a@unstable.cc>
Subject: [Openvpn-devel] [PATCH 3/7] reject compression by default
Cc: Antonio Quartulli

With this change the value of '--allow-compression' is set to 'no'.
Therefore compression is not enabled by default and cannot be enabled
by the server either.

This change is in line with the current trend of not recommending
compression over VPN tunnels for security reasons (check Voracle).

On top of that compression is mostly useless nowadays, therefore there
is no real reason to enable it.

Signed-off-by: Arne Schwabe
Signed-off-by: Antonio Quartulli Acked-By: Arne Schwabe --- Changes.rst | 7 +++++++ doc/man-sections/generic-options.rst | 6 ++++++ src/openvpn/comp.h | 1 + src/openvpn/options.c | 11 +++++++++++ 4 files changed, 25 insertions(+) diff --git a/Changes.rst b/Changes.rst index f55b0e3e..65b838b9 100644 --- a/Changes.rst +++ b/Changes.rst @@ -71,6 +71,13 @@ Deprecated features This option mainly served a role as debug option when NCP was first introduced. It should now no longer be necessary. +Compression no longer enabled by default + Unless an explicit compression option is specified in the configuration, + ``--allow-compression`` defaults to ``no`` in OpeNVPN 2.6.0. + By default, OpenVPN 2.5 still allowed a server to enable compression by + pushing compression related options. + + Overview of changes in 2.5 ========================== diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index 63c6227c..a8d24572 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst @@ -61,6 +61,12 @@ which mode OpenVPN is configured as. Note: Using this option reverts defaults to no longer recommended values and should be avoided if possible. + The following table details what defaults are changed depending on the + version specified. + + - 2.5.x or lower: ``--allow-compression asym`` is automatically added + to the configuration if no other compression options are present. + --config file Load additional config options from ``file`` where each line corresponds to one command line option, but with the leading '--' removed. diff --git a/src/openvpn/comp.h b/src/openvpn/comp.h index cd4f0e1a..619a574e 100644 --- a/src/openvpn/comp.h +++ b/src/openvpn/comp.h 
@@ -59,6 +59,7 @@ #define COMP_F_ALLOW_STUB_ONLY (1<<4) /* Only accept stub compression, even with COMP_F_ADVERTISE_STUBS_ONLY * we still accept other compressions to be pushed */ #define COMP_F_MIGRATE (1<<5) /* push stub-v2 or comp-lzo no when we see a client with comp-lzo in occ */ +#define COMP_F_ALLOW_ASYM (1<<6) /* Compression was explicitly set to allow assymetric compression */ /* diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 4d971a56..21c76a69 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -3146,6 +3146,16 @@ need_compatibility_before(const struct options *o, int version) static void options_set_backwards_compatible_options(struct options *o) { + /* Compression is deprecated and we do not want to announce support for it + * by default anymore, additionally DCO breaks with compression. + * + * Disable compression by default starting with 2.6.0 if no other + * compression related option has been explicitly set */ + if (!comp_non_stub_enabled(&o->comp) && !need_compatibility_before(o, 20600) + && (o->comp.flags == 0)) + { + o->comp.flags = COMP_F_ALLOW_STUB_ONLY|COMP_F_ADVERTISE_STUBS_ONLY; + } } static void @@ -7732,6 +7742,7 @@ add_option(struct options *options, else if (streq(p[1], "asym")) { options->comp.flags &= ~COMP_F_ALLOW_COMPRESS; + options->comp.flags |= COMP_F_ALLOW_ASYM; } else if (streq(p[1], "yes")) {
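Review bot: the Changes.rst hunk misspells the project name in the new entry: "``--allow-compression`` defaults to ``no`` in OpeNVPN 2.6.0" should read "OpenVPN 2.6.0". The same entry would be more useful to people upgrading if it also said how to get the old behaviour back (an explicit ``--allow-compression`` value, or the version-compatibility option documented in the generic-options.rst hunk), since the changelog is where that will be looked for.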
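Review bot: the new text in doc/man-sections/generic-options.rst announces "The following table details what defaults are changed", but what follows is a single bullet item, not a table; either render it as an RST table or call it a list. The bullet also says that for 2.5.x or lower "``--allow-compression asym`` is automatically added to the configuration", which does not match what the options.c hunk does: for compatibility versions below 2.6.0 the new block in options_set_backwards_compatible_options() is simply skipped and o->comp.flags is left untouched, no option is added. Describing it as "the pre-2.6 compression default is kept" would be closer to the code.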
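Review bot: typo in the comment added to src/openvpn/comp.h for COMP_F_ALLOW_ASYM: "assymetric" should be "asymmetric". The comment should also say what the flag is for, because within this patch it is only ever set (options.c: `options->comp.flags |= COMP_F_ALLOW_ASYM;`) and never tested; from the two options.c hunks its purpose appears to be to mark an explicit `asym` so that comp.flags is non-zero and the new 2.6.0 default does not override it, and that is worth stating next to the definition rather than leaving the reader to infer it.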
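Review bot: the `(o->comp.flags == 0)` test in options_set_backwards_compatible_options() is the load-bearing check of the first src/openvpn/options.c hunk, and it relies on every explicit --allow-compression value leaving at least one bit set; `asym` only satisfies that because the second hunk now ORs in COMP_F_ALLOW_ASYM after clearing COMP_F_ALLOW_COMPRESS. Please add a comment at the check spelling out that invariant (or move it into a small helper, e.g. a hypothetical comp_explicitly_configured()), so a future option that clears the flags back to 0 does not silently re-enable the "no explicit setting" default. Minor: the first sentence of the new comment is a run-on; split "...by default anymore, additionally DCO breaks with compression." into two sentences.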
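Review bot: in the second src/openvpn/options.c hunk the `asym` branch now clears COMP_F_ALLOW_COMPRESS and sets COMP_F_ALLOW_ASYM, but nothing in the hunk clears COMP_F_ALLOW_ASYM in the other branches (the `yes` branch body is outside the shown context). If they do not, a configuration that lists `--allow-compression asym` and later `--allow-compression yes` would end up with both COMP_F_ALLOW_ASYM and COMP_F_ALLOW_COMPRESS set; consider masking the ASYM bit off in the sibling branches, or resetting the relevant bits at the top of the option handler, so the last value given wins cleanly.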