From patchwork Thu Feb 9 14:22:47 2023
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 3065
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 9 Feb 2023 15:22:47 +0100
Message-Id: <20230209142248.455120-1-arne@rfc2549.org>
X-Mailer: git-send-email 2.25.1
Subject: [Openvpn-devel] [PATCH 1/2] Add 'allow-compression stub-only' and refuse framing with 'allow-compression no'

This changes the "no" setting of allow-compression to also refuse framing. This is important for our DCO implementation as these do not implement framing.
This behaviour surfaced when a commercial VPN provider was pushing "comp-lzo no" to a client with DCO. While we are technically at fault here for announcing comp-lzo no support by announcing IV_LZO_STUB=1, the VPN provider continues to push "comp-lzo no" even in absence of that flag.

As the new default we default to allow-compression stub-only if a stub option is found in the config and to allow-compression no otherwise. This ensures that we only enable DCO when no compression framing is used.

Signed-off-by: Arne Schwabe
---
Changes.rst | 5 +++ doc/man-sections/protocol-options.rst | 3 ++ src/openvpn/comp.c | 32 +++++++++-------- src/openvpn/comp.h | 2 +- src/openvpn/dco.c | 4 +-- src/openvpn/options.c | 50 +++++++++++++++++++++------ 6 files changed, 66 insertions(+), 30 deletions(-) diff --git a/Changes.rst b/Changes.rst index c5335ce93..3a573cc9a 100644 --- a/Changes.rst +++ b/Changes.rst @@ -223,6 +223,11 @@ User-visible Changes compatibility with older versions. See the manual page on the ``--compat-mode`` for details. +- (OpenVPN 2.6.1) ``--allow-compression no`` has been changed to not allow + compression or compression framing at all now and is the new default. + Use ``--allow-compression stub-only`` for the old ``no`` behaviour of OpenVPN + 2.5 and OpenVPN 2.6.0. + Common errors with OpenSSL 3.0 and OpenVPN 2.6 ---------------------------------------------- Both OpenVPN 2.6 and OpenSSL 3.0 tighten the security considerable, so some diff --git a/doc/man-sections/protocol-options.rst b/doc/man-sections/protocol-options.rst index 248f65cfd..76c323413 100644 --- a/doc/man-sections/protocol-options.rst +++ b/doc/man-sections/protocol-options.rst @@ -25,6 +25,9 @@ configured in a compatible way between both the local and remote side. compression at the same time is not a feasible option. :code:`no` (default) + OpenVPN will refuse any compression or compression framing (stub). + + :code:`stub-only` OpenVPN will refuse any non-stub compression. :code:`yes` 
diff --git a/src/openvpn/comp.c b/src/openvpn/comp.c index 3b8d78996..c7ec6c7f5 100644 --- a/src/openvpn/comp.c +++ b/src/openvpn/comp.c @@ -134,27 +134,29 @@ comp_print_stats(const struct compress_context *compctx, struct status_output *s void comp_generate_peer_info_string(const struct compress_options *opt, struct buffer *out) { - if (opt) + if (!opt || opt->flags & COMP_F_ALLOW_NOCOMP_ONLY) + { + return; + } + + bool lzo_avail = false; + if (!(opt->flags & COMP_F_ADVERTISE_STUBS_ONLY)) { - bool lzo_avail = false; - if (!(opt->flags & COMP_F_ADVERTISE_STUBS_ONLY)) - { #if defined(ENABLE_LZ4) - buf_printf(out, "IV_LZ4=1\n"); - buf_printf(out, "IV_LZ4v2=1\n"); + buf_printf(out, "IV_LZ4=1\n"); + buf_printf(out, "IV_LZ4v2=1\n"); #endif #if defined(ENABLE_LZO) - buf_printf(out, "IV_LZO=1\n"); - lzo_avail = true; + buf_printf(out, "IV_LZO=1\n"); + lzo_avail = true; #endif - } - if (!lzo_avail) - { - buf_printf(out, "IV_LZO_STUB=1\n"); - } - buf_printf(out, "IV_COMP_STUB=1\n"); - buf_printf(out, "IV_COMP_STUBv2=1\n"); } + if (!lzo_avail) + { + buf_printf(out, "IV_LZO_STUB=1\n"); + } + buf_printf(out, "IV_COMP_STUB=1\n"); + buf_printf(out, "IV_COMP_STUBv2=1\n"); } #endif /* USE_COMP */ diff --git a/src/openvpn/comp.h b/src/openvpn/comp.h index 685f40391..027fa0593 100644 --- a/src/openvpn/comp.h +++ b/src/openvpn/comp.h @@ -60,7 +60,7 @@ * we still accept other compressions to be pushed */ #define COMP_F_MIGRATE (1<<5) /* push stub-v2 or comp-lzo no when we see a client with comp-lzo in occ */ #define COMP_F_ALLOW_ASYM (1<<6) /* Compression was explicitly set to allow asymetric compression */ - +#define COMP_F_ALLOW_NOCOMP_ONLY (1<<7) /* Do not allow compression framing like stub v2 or comp-lzo no. Breaks DCO */ /* * Length of prepended prefix on compressed packets diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index 3087a0df8..10337b964 100644 --- a/src/openvpn/dco.c +++ b/src/openvpn/dco.c 
@@ -410,9 +410,7 @@ dco_check_option(int msglevel, const struct options *o) } #if defined(USE_COMP) - if (o->comp.alg != COMP_ALG_UNDEF - || o->comp.flags & COMP_F_ALLOW_ASYM - || o->comp.flags & COMP_F_ALLOW_COMPRESS) + if (o->comp.alg != COMP_ALG_UNDEF || !(o->comp.flags & COMP_F_ALLOW_NOCOMP_ONLY)) { msg(msglevel, "Note: '--allow-compression' is not set to 'no', disabling data channel offload."); diff --git a/src/openvpn/options.c b/src/openvpn/options.c index ab1b01cf7..6550dc52c 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -3628,10 +3628,16 @@ options_set_backwards_compatible_options(struct options *o) * * Disable compression by default starting with 2.6.0 if no other * compression related option has been explicitly set */ - if (!comp_non_stub_enabled(&o->comp) && !need_compatibility_before(o, 20600) - && (o->comp.flags == 0)) + if (!need_compatibility_before(o, 20600) && (o->comp.flags == 0)) { - o->comp.flags = COMP_F_ALLOW_STUB_ONLY|COMP_F_ADVERTISE_STUBS_ONLY; + if (o->comp.alg == COMP_ALG_UNDEF) + { + o->comp.flags = COMP_F_ALLOW_NOCOMP_ONLY; + } + else if (!comp_non_stub_enabled(&o->comp)) + { + o->comp.flags = COMP_F_ALLOW_STUB_ONLY | COMP_F_ADVERTISE_STUBS_ONLY; + } } #endif } @@ -8330,8 +8336,16 @@ add_option(struct options *options, if (streq(p[1], "no")) { - options->comp.flags = - COMP_F_ALLOW_STUB_ONLY|COMP_F_ADVERTISE_STUBS_ONLY; + options->comp.flags = COMP_F_ALLOW_NOCOMP_ONLY; + if (comp_non_stub_enabled(&options->comp)) + { + msg(msglevel, "'--allow-compression no' conflicts with " + " enabling compression"); + } + } + else if (streq(p[1], "stub-only")) + { + options->comp.flags = COMP_F_ADVERTISE_STUBS_ONLY|COMP_F_ALLOW_STUB_ONLY; if (comp_non_stub_enabled(&options->comp)) { msg(msglevel, "'--allow-compression no' conflicts with " 
@@ -8342,7 +8356,7 @@ add_option(struct options *options, { /* Also printed on a push to hint at configuration problems */ msg(msglevel, "Cannot set allow-compression to '%s' " - "after set to 'no'", p[1]); + "after set to 'stub-only'", p[1]); goto err; } else if (streq(p[1], "asym")) @@ -8373,8 +8387,16 @@ add_option(struct options *options, /* All lzo variants do not use swap */ options->comp.flags &= ~COMP_F_SWAP; + + if (options->comp.flags & COMP_F_ALLOW_NOCOMP_ONLY) + { + /* Also printed on a push to hint at configuration problems */ + msg(msglevel, "Cannot set comp-lzo to '%s', " + "allow-compression is set to 'no'", p[1]); + goto err; + } #if defined(ENABLE_LZO) - if (p[1] && streq(p[1], "no")) + else if (p[1] && streq(p[1], "no")) #endif { options->comp.alg = COMP_ALG_STUB; @@ -8385,7 +8407,7 @@ add_option(struct options *options, { /* Also printed on a push to hint at configuration problems */ msg(msglevel, "Cannot set comp-lzo to '%s', " - "allow-compression is set to 'no'", p[1]); + "allow-compression is set to 'stub-only'", p[1]); goto err; } else if (p[1]) @@ -8428,7 +8450,14 @@ add_option(struct options *options, VERIFY_PERMISSION(OPT_P_COMP); if (p[1]) { - if (streq(p[1], "stub")) + if (options->comp.flags & COMP_F_ALLOW_NOCOMP_ONLY) + { + /* Also printed on a push to hint at configuration problems */ + msg(msglevel, "Cannot set compress to '%s', " + "allow-compression is set to 'no'", p[1]); + goto err; + } + else if (streq(p[1], "stub")) { options->comp.alg = COMP_ALG_STUB; options->comp.flags |= (COMP_F_SWAP|COMP_F_ADVERTISE_STUBS_ONLY); 
@@ -8442,13 +8471,12 @@ add_option(struct options *options, { options->comp.alg = COMP_ALG_UNDEF; options->comp.flags = COMP_F_MIGRATE; - } else if (options->comp.flags & COMP_F_ALLOW_STUB_ONLY) { /* Also printed on a push to hint at configuration problems */ msg(msglevel, "Cannot set compress to '%s', " - "allow-compression is set to 'no'", p[1]); + "allow-compression is set to 'stub-only'", p[1]); goto err; } #if defined(ENABLE_LZO)
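Review bot: the Changes.rst entry's wording `has been changed to not allow compression or compression framing at all now and is the new default` is hard to parse; suggest `now refuses both compression and compression framing, and is the new default`, keeping the following sentence that points people at `stub-only` for the 2.5/2.6.0 behaviour of `no`.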
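Review bot: the new :code:`stub-only` entry in the protocol-options.rst hunk says only that non-stub compression is refused; it should also state that this is the pre-2.6.1 meaning of :code:`no` (the Changes.rst hunk does say so), and that :code:`no` is the value required for data channel offload, since that is the reason a user upgrading will hit the new refusal.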
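Review bot: in comp_generate_peer_info_string the early return `if (!opt || opt->flags & COMP_F_ALLOW_NOCOMP_ONLY)` relies on `&` binding tighter than `||`; that is correct, but the same function parenthesises its other flag test (`!(opt->flags & COMP_F_ADVERTISE_STUBS_ONLY)`), so write `!opt || (opt->flags & COMP_F_ALLOW_NOCOMP_ONLY)` for consistency. The remainder of the hunk is a re-indentation, which hides the one behavioural change: a NOCOMP_ONLY client no longer announces IV_LZO_STUB/IV_COMP_STUB/IV_COMP_STUBv2, which is exactly the IV_LZO_STUB=1 announcement the commit message names as the trigger; a sentence in the commit message saying so would make the hunk easier to review.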
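Review bot: the comment on COMP_F_ALLOW_NOCOMP_ONLY, `Do not allow compression framing like stub v2 or comp-lzo no. Breaks DCO`, reads as if the flag breaks DCO, whereas it is the framing that does and this flag is what dco_check_option now requires; suggest `... or comp-lzo no, which DCO does not support`. The hunk also replaces the blank line after COMP_F_ALLOW_ASYM with the new define instead of adding it after that line, so the define group now runs straight into the following `/* Length of prepended prefix ... */` comment; keep the separating blank line.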
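Review bot: the new dco_check_option condition `!(o->comp.flags & COMP_F_ALLOW_NOCOMP_ONLY)` also disables DCO whenever comp.flags stays 0, which per the options_set_backwards_compatible_options hunk is the case under `--compat-mode` older than 2.6.0 with no compression option given; before this patch such a config (alg COMP_ALG_UNDEF, neither COMP_F_ALLOW_ASYM nor COMP_F_ALLOW_COMPRESS set) kept DCO enabled. That is the safer outcome, since compression or framing could still be pushed to such a client, but it is a user-visible change that the Changes.rst entry does not mention. The log text `is not set to 'no'` stays accurate under the new semantics.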
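Review bot: the comment kept above the options_set_backwards_compatible_options block, `Disable compression by default starting with 2.6.0 if no other compression related option has been explicitly set`, no longer describes what the block does: it now picks COMP_F_ALLOW_NOCOMP_ONLY when no compression option was given at all, and COMP_F_ALLOW_STUB_ONLY|COMP_F_ADVERTISE_STUBS_ONLY when only a stub variant is configured, while a config naming a real algorithm leaves comp.flags at 0 as before. Update the comment to spell out the two defaults so the next reader does not have to reconstruct the comp_non_stub_enabled() case split.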
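Review bot: in the new `stub-only` branch of add_option the warning text is copied from the `no` branch and still reads `'--allow-compression no' conflicts with`; it should say `stub-only`. In the `no` branch the two string literals concatenate to `conflicts with  enabling compression` (double space; drop the leading space in `" enabling compression"`). Both branches only log when comp_non_stub_enabled() is already true, while the comp-lzo and compress hunks `goto err` for the reverse ordering; if keeping a previously configured algorithm alongside NOCOMP_ONLY is intended (DCO is then disabled by dco_check_option rather than the config rejected), a comment saying so would avoid the question on the next read.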
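Review bot: `comp-lzo` is valid without an argument (the context right below the new check tests `p[1] && streq(p[1], "no")`), so when COMP_F_ALLOW_NOCOMP_ONLY is set the new refusal passes a NULL `p[1]` to `%s` in `Cannot set comp-lzo to '%s'`, which is undefined behaviour in the formatter. Print a placeholder for the missing argument, e.g. `p[1] ? p[1] : "(none)"`, or word the message without the argument.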
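Review bot: in the `compress` hunk the new COMP_F_ALLOW_NOCOMP_ONLY check sits inside `if (p[1])`, so a bare `compress` line with no argument takes the path outside this hunk and is not refused by it; either hoist the flag test above `if (p[1])` so both paths share it, or confirm that the no-argument path rejects the option as well, since it would otherwise enable framing that the commit message says must not coexist with DCO.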