From patchwork Fri Feb 10 14:27:05 2023
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 3078
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 10 Feb 2023 15:27:05 +0100
Message-Id: <20230210142712.572303-2-arne@rfc2549.org>
In-Reply-To: <20230210142712.572303-1-arne@rfc2549.org>
References: <20230210142712.572303-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 1/2] Add 'allow-compression stub-only' and refuse framing with 'allow-compression no'

This changes the "no" setting of allow-compression to also refuse framing.
This is important for our DCO implementation as these do not implement framing.

This behaviour surfaced when a commercial VPN provider was pushing "comp-lzo no" to a client with DCO. While we are technically at fault here for announcing comp-lzo no support by announcing IV_LZO_STUB=1, the VPN provider continues to push "comp-lzo no" even in absence of that flag.

As the new default we default to allow-compression stub-only if a stub option is found in the config and to allow-compression no otherwise. This ensures that we only enable DCO when no compression framing is used.

Signed-off-by: Arne Schwabe
---
 Changes.rst                           |  5 +++
 doc/man-sections/protocol-options.rst |  3 ++
 src/openvpn/comp.c                    | 32 +++++++++--------
 src/openvpn/comp.h                    |  2 +-
 src/openvpn/dco.c                     |  4 +--
 src/openvpn/options.c                 | 50 +++++++++++++++++++++------
 6 files changed, 66 insertions(+), 30 deletions(-)

diff --git a/Changes.rst b/Changes.rst index c5335ce93..3a573cc9a 100644 --- a/Changes.rst +++ b/Changes.rst @@ -223,6 +223,11 @@ User-visible Changes compatibility with older versions. See the manual page on the ``--compat-mode`` for details. +- (OpenVPN 2.6.1) ``--allow-compression no`` has been changed to not allow + compression or compression framing at all now and is the new default. + Use ``--allow-compression stub-only`` for the old ``no`` behaviour of OpenVPN + 2.5 and OpenVPN 2.6.0. + Common errors with OpenSSL 3.0 and OpenVPN 2.6 ---------------------------------------------- Both OpenVPN 2.6 and OpenSSL 3.0 tighten the security considerable, so some diff --git a/doc/man-sections/protocol-options.rst b/doc/man-sections/protocol-options.rst index 248f65cfd..76c323413 100644 --- a/doc/man-sections/protocol-options.rst +++ b/doc/man-sections/protocol-options.rst
@@ -25,6 +25,9 @@ configured in a compatible way between both the local and remote side. compression at the same time is not a feasible option. :code:`no` (default) + OpenVPN will refuse any compression or compression framing (stub). + + :code:`stub-only` OpenVPN will refuse any non-stub compression. :code:`yes` diff --git a/src/openvpn/comp.c b/src/openvpn/comp.c index 3b8d78996..c7ec6c7f5 100644 --- a/src/openvpn/comp.c +++ b/src/openvpn/comp.c @@ -134,27 +134,29 @@ comp_print_stats(const struct compress_context *compctx, struct status_output *s void comp_generate_peer_info_string(const struct compress_options *opt, struct buffer *out) { - if (opt) + if (!opt || opt->flags & COMP_F_ALLOW_NOCOMP_ONLY) + { + return; + } + + bool lzo_avail = false; + if (!(opt->flags & COMP_F_ADVERTISE_STUBS_ONLY)) { - bool lzo_avail = false; - if (!(opt->flags & COMP_F_ADVERTISE_STUBS_ONLY)) - { #if defined(ENABLE_LZ4) - buf_printf(out, "IV_LZ4=1\n"); - buf_printf(out, "IV_LZ4v2=1\n"); + buf_printf(out, "IV_LZ4=1\n"); + buf_printf(out, "IV_LZ4v2=1\n"); #endif #if defined(ENABLE_LZO) - buf_printf(out, "IV_LZO=1\n"); - lzo_avail = true; + buf_printf(out, "IV_LZO=1\n"); + lzo_avail = true; #endif - } - if (!lzo_avail) - { - buf_printf(out, "IV_LZO_STUB=1\n"); - } - buf_printf(out, "IV_COMP_STUB=1\n"); - buf_printf(out, "IV_COMP_STUBv2=1\n"); } + if (!lzo_avail) + { + buf_printf(out, "IV_LZO_STUB=1\n"); + } + buf_printf(out, "IV_COMP_STUB=1\n"); + buf_printf(out, "IV_COMP_STUBv2=1\n"); } #endif /* USE_COMP */ diff --git a/src/openvpn/comp.h b/src/openvpn/comp.h index 685f40391..027fa0593 100644 --- a/src/openvpn/comp.h +++ b/src/openvpn/comp.h 
@@ -60,7 +60,7 @@ * we still accept other compressions to be pushed */ #define COMP_F_MIGRATE (1<<5) /* push stub-v2 or comp-lzo no when we see a client with comp-lzo in occ */ #define COMP_F_ALLOW_ASYM (1<<6) /* Compression was explicitly set to allow asymetric compression */ - +#define COMP_F_ALLOW_NOCOMP_ONLY (1<<7) /* Do not allow compression framing like stub v2 or comp-lzo no. Breaks DCO */ /* * Length of prepended prefix on compressed packets diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index 3087a0df8..10337b964 100644 --- a/src/openvpn/dco.c +++ b/src/openvpn/dco.c @@ -410,9 +410,7 @@ dco_check_option(int msglevel, const struct options *o) } #if defined(USE_COMP) - if (o->comp.alg != COMP_ALG_UNDEF - || o->comp.flags & COMP_F_ALLOW_ASYM - || o->comp.flags & COMP_F_ALLOW_COMPRESS) + if (o->comp.alg != COMP_ALG_UNDEF || !(o->comp.flags & COMP_F_ALLOW_NOCOMP_ONLY)) { msg(msglevel, "Note: '--allow-compression' is not set to 'no', disabling data channel offload."); diff --git a/src/openvpn/options.c b/src/openvpn/options.c index ab1b01cf7..6550dc52c 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -3628,10 +3628,16 @@ options_set_backwards_compatible_options(struct options *o) * * Disable compression by default starting with 2.6.0 if no other * compression related option has been explicitly set */ - if (!comp_non_stub_enabled(&o->comp) && !need_compatibility_before(o, 20600) - && (o->comp.flags == 0)) + if (!need_compatibility_before(o, 20600) && (o->comp.flags == 0)) { - o->comp.flags = COMP_F_ALLOW_STUB_ONLY|COMP_F_ADVERTISE_STUBS_ONLY; + if (o->comp.alg == COMP_ALG_UNDEF) + { + o->comp.flags = COMP_F_ALLOW_NOCOMP_ONLY; + } + else if (!comp_non_stub_enabled(&o->comp)) + { + o->comp.flags = COMP_F_ALLOW_STUB_ONLY | COMP_F_ADVERTISE_STUBS_ONLY; + } } #endif } 
@@ -8330,8 +8336,16 @@ add_option(struct options *options, if (streq(p[1], "no")) { - options->comp.flags = - COMP_F_ALLOW_STUB_ONLY|COMP_F_ADVERTISE_STUBS_ONLY; + options->comp.flags = COMP_F_ALLOW_NOCOMP_ONLY; + if (comp_non_stub_enabled(&options->comp)) + { + msg(msglevel, "'--allow-compression no' conflicts with " + " enabling compression"); + } + } + else if (streq(p[1], "stub-only")) + { + options->comp.flags = COMP_F_ADVERTISE_STUBS_ONLY|COMP_F_ALLOW_STUB_ONLY; if (comp_non_stub_enabled(&options->comp)) { msg(msglevel, "'--allow-compression no' conflicts with " @@ -8342,7 +8356,7 @@ add_option(struct options *options, { /* Also printed on a push to hint at configuration problems */ msg(msglevel, "Cannot set allow-compression to '%s' " - "after set to 'no'", p[1]); + "after set to 'stub-only'", p[1]); goto err; } else if (streq(p[1], "asym")) @@ -8373,8 +8387,16 @@ add_option(struct options *options, /* All lzo variants do not use swap */ options->comp.flags &= ~COMP_F_SWAP; + + if (options->comp.flags & COMP_F_ALLOW_NOCOMP_ONLY) + { + /* Also printed on a push to hint at configuration problems */ + msg(msglevel, "Cannot set comp-lzo to '%s', " + "allow-compression is set to 'no'", p[1]); + goto err; + } #if defined(ENABLE_LZO) - if (p[1] && streq(p[1], "no")) + else if (p[1] && streq(p[1], "no")) #endif { options->comp.alg = COMP_ALG_STUB; @@ -8385,7 +8407,7 @@ add_option(struct options *options, { /* Also printed on a push to hint at configuration problems */ msg(msglevel, "Cannot set comp-lzo to '%s', " - "allow-compression is set to 'no'", p[1]); + "allow-compression is set to 'stub-only'", p[1]); goto err; } else if (p[1]) 
@@ -8428,7 +8450,14 @@ add_option(struct options *options, VERIFY_PERMISSION(OPT_P_COMP); if (p[1]) { - if (streq(p[1], "stub")) + if (options->comp.flags & COMP_F_ALLOW_NOCOMP_ONLY) + { + /* Also printed on a push to hint at configuration problems */ + msg(msglevel, "Cannot set compress to '%s', " + "allow-compression is set to 'no'", p[1]); + goto err; + } + else if (streq(p[1], "stub")) { options->comp.alg = COMP_ALG_STUB; options->comp.flags |= (COMP_F_SWAP|COMP_F_ADVERTISE_STUBS_ONLY); @@ -8442,13 +8471,12 @@ add_option(struct options *options, { options->comp.alg = COMP_ALG_UNDEF; options->comp.flags = COMP_F_MIGRATE; - } else if (options->comp.flags & COMP_F_ALLOW_STUB_ONLY) { /* Also printed on a push to hint at configuration problems */ msg(msglevel, "Cannot set compress to '%s', " - "allow-compression is set to 'no'", p[1]); + "allow-compression is set to 'stub-only'", p[1]); goto err; } #if defined(ENABLE_LZO)
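Review bot: in the Changes.rst hunk the sentence "has been changed to not allow compression or compression framing at all now and is the new default" is hard to parse and does not match the commit message, which says the default is ``no`` only when no stub option is configured and ``stub-only`` otherwise. Suggest two sentences: "``--allow-compression no`` now refuses both compression and compression framing. It is the new default unless a stub compression option (such as ``comp-lzo no``) is configured, in which case ``stub-only`` is the default."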
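Review bot: in the protocol-options.rst hunk ``no`` is still labelled "(default)" unconditionally, while the commit message states that the default becomes ``stub-only`` when a stub option is present in the config. The new ``stub-only`` entry should say so, otherwise a user whose config contains ``comp-lzo no`` will not understand from the manual why the client still advertises IV_COMP_STUB and why DCO is disabled.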
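Review bot: in the comp.c hunk the new early return `if (!opt || opt->flags & COMP_F_ALLOW_NOCOMP_ONLY)` is correct because `&` binds tighter than `||`, but the rest of the function parenthesises such tests (`!(opt->flags & COMP_F_ADVERTISE_STUBS_ONLY)`); write `(opt->flags & COMP_F_ALLOW_NOCOMP_ONLY)` for consistency. The behaviour itself is the right fix for the reported problem: with `allow-compression no` the client no longer sends IV_LZO_STUB=1 or IV_COMP_STUB=1, so the server is not told that stub framing is acceptable.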
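Review bot: in the comp.h hunk the comment on COMP_F_ALLOW_NOCOMP_ONLY, "Breaks DCO", reads as if setting the flag breaks DCO, when the flag is what allows DCO to be enabled. Suggest "Do not allow compression framing such as stub-v2 or comp-lzo no; such framing is incompatible with DCO". The hunk also drops the blank line that separated the flag definitions from the "Length of prepended prefix" comment; keep it.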
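Review bot: in the dco.c hunk the message "'--allow-compression' is not set to 'no'" is now also printed when the user never set allow-compression but uses a `--compat-mode` older than 2.6.0, because options_set_backwards_compatible_options then leaves comp.flags at 0 (see the options.c hunk) and `!(o->comp.flags & COMP_F_ALLOW_NOCOMP_ONLY)` is true. Disabling DCO in that case is right, since any compression may then be pushed, but the note should mention compat-mode so the hint does not point users at an option they did not set.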
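Review bot: in the options_set_backwards_compatible_options hunk the comment above the block still says "Disable compression by default starting with 2.6.0 if no other compression related option has been explicitly set", which no longer describes the code: with comp.alg == COMP_ALG_UNDEF it now also refuses framing (COMP_F_ALLOW_NOCOMP_ONLY), and with a stub algorithm configured it falls back to stub-only. Update the comment to spell out both defaults, and add a line noting that comp.flags intentionally stays 0 when a real (non-stub) algorithm is configured, since that path is not obvious from the `else if (!comp_non_stub_enabled(&o->comp))` test.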
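Review bot: in the allow-compression hunk the new `stub-only` branch keeps the old text, so a conflict is reported as "'--allow-compression no' conflicts with enabling compression" even though the user wrote `stub-only`; change the string to name `stub-only`. The string in the `no` branch also has a doubled space ("conflicts with " " enabling compression"). Unlike the comp-lzo and compress hunks, which `goto err` when the options appear in the other order, the visible `no` branch only prints the message and continues with both an algorithm and COMP_F_ALLOW_NOCOMP_ONLY set; if that is intentional a comment saying why would help, otherwise use `goto err` for consistency. Finally, the "Cannot set allow-compression to '%s' after set to 'stub-only'" guard further down has its condition outside the hunk; please check that an equivalent guard exists for COMP_F_ALLOW_NOCOMP_ONLY, since from the visible lines a later `allow-compression yes` or `asym` would overwrite the `no` setting silently.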
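Review bot: in the comp-lzo hunk the new COMP_F_ALLOW_NOCOMP_ONLY check passes p[1] to "%s" before the code has established that an argument exists; `comp-lzo` takes an optional argument (the following lines test `p[1] && streq(p[1], "no")` and `else if (p[1])`), so a bare `comp-lzo` under `allow-compression no` hands a NULL pointer to msg() for %s, which is undefined behaviour in C. Use `p[1] ? p[1] : "yes"` or a separate message for the bare form. Also, the `#if defined(ENABLE_LZO) else if (...) #endif` construct now pairs that `else` with the new `if`, and without ENABLE_LZO the following block becomes unconditional; this still works only because the new branch ends in `goto err`, so a short comment at the `#if` would save the next reader from re-deriving it.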
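Review bot: in the compress hunk the COMP_F_ALLOW_NOCOMP_ONLY check sits inside `if (p[1])`, so a bare `--compress` (no argument) is never subject to it and takes whatever the `else` path outside this hunk does. Unless that path already refuses it, a config with `allow-compression no` and a bare `compress` can still end up with framing enabled and DCO silently disabled; consider moving the check before `if (p[1])` (with a NULL-safe argument for the message, as in the comp-lzo hunk) so both forms are rejected in the same place.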