From patchwork Wed Jan 11 12:07:28 2023
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2993
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 11 Jan 2023 13:07:28 +0100
Message-Id: <20230111120728.1099815-1-arne@rfc2549.org>
X-Mailer: git-send-email 2.25.1
Subject: [Openvpn-devel] [PATCH] Deprecate OCC checking

- Move OCC warnings to debug level.
This moves the only useful OCC message of compress-migrate to D_PUSH - remove configure option --enable-strict-options - ignore disable-occ in TLS mode as it is logged under debug now only disable-occ is now strictly a non-TLS option - mark opt-verify and disable-occ as deprecated. Signed-off-by: Arne Schwabe --- Changes.rst | 6 ++++++ configure.ac | 1 - doc/man-sections/generic-options.rst | 3 ++- doc/man-sections/server-options.rst | 4 ++-- src/openvpn/errlevel.h | 3 ++- src/openvpn/init.c | 2 -- src/openvpn/options.c | 12 +++++++----- src/openvpn/ssl.c | 5 ++--- 8 files changed, 21 insertions(+), 15 deletions(-) diff --git a/Changes.rst b/Changes.rst index 187d03fcf..35337a483 100644 --- a/Changes.rst +++ b/Changes.rst @@ -183,6 +183,12 @@ PF (Packet Filtering) support has been removed This implies that also ``--management-client-pf`` and any other compile time or run time related option do not exist any longer. +Option conflict checking is being deprecated and phased out + The static option checking is no longer useful in typical setup that + negotiate most connection parameters. The ``--opt-verify`` and + ``--occ-disable`` are deprecated and the configure option + enable-strict-options has been removed. Logging of mismatched options has + been moved to debug logging. User-visible Changes -------------------- diff --git a/configure.ac b/configure.ac index befdaa096..915000870 100644 --- a/configure.ac +++ b/configure.ac 
@@ -1233,7 +1233,6 @@ test "${enable_debug}" = "yes" && AC_DEFINE([ENABLE_DEBUG], [1], [Enable debuggi test "${enable_small}" = "yes" && AC_DEFINE([ENABLE_SMALL], [1], [Enable smaller executable size]) test "${enable_fragment}" = "yes" && AC_DEFINE([ENABLE_FRAGMENT], [1], [Enable internal fragmentation support]) test "${enable_port_share}" = "yes" && AC_DEFINE([ENABLE_PORT_SHARE], [1], [Enable TCP Server port sharing]) -test "${enable_strict_options}" = "yes" && AC_DEFINE([ENABLE_STRICT_OPTIONS_CHECK], [1], [Enable strict options check between peers]) test "${enable_crypto_ofb_cfb}" = "yes" && AC_DEFINE([ENABLE_OFB_CFB_MODE], [1], [Enable OFB and CFB cipher modes]) if test "${have_export_keying_material}" = "yes"; then diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index d2b226c45..c827651d6 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst @@ -181,7 +181,8 @@ which mode OpenVPN is configured as. older than version 2.4 to connect. --disable-occ - Disable "options consistency check" (OCC). + **DEPRECATED** Disable "options consistency check" (OCC) in configurations + that do not use TLS. Don't output a warning message if option inconsistencies are detected between peers. An example of an option inconsistency would be where one diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index dbe35d6e1..6b9ad21b8 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst 
@@ -400,8 +400,8 @@ fast hardware. SSL/TLS authentication must be used in this mode. the kernel routing table. --opt-verify - Clients that connect with options that are incompatible with those of the - server will be disconnected. + **DEPRECATED** Clients that connect with options that are incompatible with + those of the server will be disconnected. Options that will be compared for compatibility include ``dev-type``, ``link-mtu``, ``tun-mtu``, ``proto``, ``ifconfig``, diff --git a/src/openvpn/errlevel.h b/src/openvpn/errlevel.h index 64ba4a339..c69ea91d6 100644 --- a/src/openvpn/errlevel.h +++ b/src/openvpn/errlevel.h @@ -94,7 +94,6 @@ #define D_DCO LOGLEV(3, 0, 0) /* show DCO related messages */ #define D_SHOW_PARMS LOGLEV(4, 50, 0) /* show all parameters on program initiation */ -#define D_SHOW_OCC LOGLEV(4, 51, 0) /* show options compatibility string */ #define D_LOW LOGLEV(4, 52, 0) /* miscellaneous low-frequency debug info */ #define D_DHCP_OPT LOGLEV(4, 53, 0) /* show DHCP options binary string */ #define D_MBUF LOGLEV(4, 54, 0) /* mbuf.[ch] routines */ @@ -147,6 +146,8 @@ #define D_CRYPTO_DEBUG LOGLEV(7, 70, M_DEBUG) /* show detailed info from crypto.c routines */ #define D_PID_DEBUG LOGLEV(7, 70, M_DEBUG) /* show packet-id debugging info */ #define D_PUSH_DEBUG LOGLEV(7, 73, M_DEBUG) /* show push/pull debugging info */ +#define D_SHOW_OCC LOGLEV(7, 74, M_DEBUG) /* show options compatibility string */ + #define D_VLAN_DEBUG LOGLEV(7, 74, M_DEBUG) /* show VLAN tagging/untagging debug info */ diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 773588305..b500d3543 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -3175,8 +3175,6 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) to.xmit_hold = true; } - to.disable_occ = !options->occ; - to.verify_command = options->tls_verify; to.verify_export_cert = options->tls_export_cert; to.verify_x509_type = (options->verify_x509_type & 0xff); 
diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 9f027e768..e88d0056a 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -359,7 +359,7 @@ static const char usage_message[] = "--status file [n] : Write operational status to file every n seconds.\n" "--status-version [n] : Choose the status file format version number.\n" " Currently, n can be 1, 2, or 3 (default=1).\n" - "--disable-occ : Disable options consistency check between peers.\n" + "--disable-occ : (DEPRECATED) Disable options consistency check between peers.\n" #ifdef ENABLE_DEBUG "--gremlin mask : Special stress testing mode (for debugging only).\n" #endif @@ -458,7 +458,7 @@ static const char usage_message[] = " OTP based two-factor auth mechanisms are in use and\n" " --reneg-* options are enabled. Optionally a lifetime in seconds\n" " for generated tokens can be set.\n" - "--opt-verify : Clients that connect with options that are incompatible\n" + "--opt-verify : (DEPRECATED) Clients that connect with options that are incompatible\n" " with those of the server will be disconnected.\n" "--auth-user-pass-optional : Allow connections by clients that don't\n" " specify a username/password.\n" @@ -4567,15 +4567,15 @@ options_cmp_equal_safe(char *actual, const char *expected, size_t actual_n) if (actual_n > 0) { actual[actual_n - 1] = 0; -#ifndef ENABLE_STRICT_OPTIONS_CHECK if (strncmp(actual, expected, 2)) { msg(D_SHOW_OCC, "NOTE: Options consistency check may be skewed by version differences"); options_warning_safe_ml(D_SHOW_OCC, actual, expected, actual_n); } else -#endif - ret = !strcmp(actual, expected); + { + ret = !strcmp(actual, expected); + } } gc_free(&gc); return ret; 
@@ -7538,6 +7538,8 @@ add_option(struct options *options, else if (streq(p[0], "opt-verify") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); + msg(M_INFO, "DEPRECATION: opt-verify is deprecated and will be removed " + "in OpenVPN 2.7"); options->ssl_flags |= SSLF_OPT_VERIFY; } else if (streq(p[0], "auth-user-pass-verify") && p[1]) diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index cbb596c13..016bdc57f 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -2420,14 +2420,13 @@ key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_sessio } /* check options consistency */ - if (!session->opt->disable_occ - && !options_cmp_equal(options, session->opt->remote_options)) + if (!options_cmp_equal(options, session->opt->remote_options)) { const char *remote_options = session->opt->remote_options; #ifdef USE_COMP if (multi->opt.comp_options.flags & COMP_F_MIGRATE && multi->remote_usescomp) { - msg(D_SHOW_OCC, "Note: 'compress migrate' detected remote peer " + msg(D_PUSH, "Note: 'compress migrate' detected remote peer " "with compression enabled."); remote_options = options_string_compat_lzo(remote_options, &gc); }
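Review bot: the Changes.rst hunk names the option ``--occ-disable``, but everywhere else in this patch (usage message, generic-options.rst, commit message) it is ``--disable-occ``; fix the name in the release note. In the same paragraph, "in typical setup that negotiate" should read "in typical setups that negotiate", and "The ``--opt-verify`` and ``--disable-occ`` are deprecated" wants the word "options" after the second name.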
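Review bot: the configure.ac hunk removes only the AC_DEFINE of ENABLE_STRICT_OPTIONS_CHECK (the diffstat shows a single deleted line), while the commit message says the --enable-strict-options configure option itself is removed. The AC_ARG_ENABLE that sets enable_strict_options is not in this diff, so unless it lives elsewhere, ./configure --enable-strict-options will still be accepted and silently do nothing; drop it in the same patch so users get a configure-time error rather than a no-op.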
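Review bot: the server-options.rst and generic-options.rst hunks mark --opt-verify and --disable-occ **DEPRECATED** without saying when they go away, whereas the add_option hunk tells users the option "will be removed in OpenVPN 2.7"; put the same release in the man page text so the runtime message and the documentation agree.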
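Review bot: in the errlevel.h hunk the moved D_SHOW_OCC is defined as LOGLEV(7, 74, M_DEBUG), the same mute category 74 as D_VLAN_DEBUG on the following line, so the --mute logic will group OCC option-string output together with VLAN debug messages; the old definition had its own category (51), so give the new one a distinct number as well (70 is already shared by D_CRYPTO_DEBUG and D_PID_DEBUG in the visible context, but there is no reason to add another collision). The added empty "+" line between the two defines is also stray.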
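Review bot: the init.c hunk removes the assignment "to.disable_occ = !options->occ;" and the ssl.c hunk removes the only read of session->opt->disable_occ shown in this diff, yet the struct definition (ssl_common.h) is not in the diffstat, so tls_options.disable_occ is left behind as a dead field; if nothing else uses it, delete the field and its comment here rather than leaving it to a later cleanup.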
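Review bot: the add_option hunk emits a DEPRECATION msg() for opt-verify only; the commit message and the usage text in the earlier options.c hunk say disable-occ is deprecated too, but the branch that parses "disable-occ" gets no runtime message in this diff. Add the same msg(M_INFO, "DEPRECATION: ...") there so both options announce their status in the log, not just in --help.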
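Review bot: the ssl.c hunk drops the "!session->opt->disable_occ &&" guard, so in TLS mode options_cmp_equal() now runs on every key_method_2_read() regardless of --disable-occ, which matches the commit message; the user-visible side effect is that the compress-migrate note, moved from D_SHOW_OCC to D_PUSH, is now logged at ordinary push-message verbosity for any peer whose options string differs. That is intended per the commit message, but Changes.rst should state plainly that --disable-occ has no effect in TLS configurations, since the generic-options.rst hunk only says the option applies to "configurations that do not use TLS".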