From patchwork Thu Mar 23 17:05:59 2023
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 3163
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 23 Mar 2023 18:05:59 +0100
Message-Id: <20230323170601.1256132-2-arne@rfc2549.org>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20230323170601.1256132-1-arne@rfc2549.org>
References: <20230323170601.1256132-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 2/4] Refuse connection if server pushes an option contradicting allow-compress

This also removes the checks in options.c itself as we now bail out later and no longer need to ignore them during parsing.

Change-Id: I872c06f402c35112194ba77c3d6aee78e22547cb
Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---
 Changes.rst           |  4 ++++
 src/openvpn/comp.c    | 29 +++++++++++++++++++++++++++++
 src/openvpn/comp.h    |  8 ++++++++
 src/openvpn/init.c    |  8 ++++++++
 src/openvpn/multi.c   |  8 ++++++++
 src/openvpn/options.c | 27 ++++-----------------------
 6 files changed, 61 insertions(+), 23 deletions(-)

diff --git a/Changes.rst b/Changes.rst
index dedb97ee4..77bcef266 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -232,6 +232,10 @@ User-visible Changes - The ``client-pending-auth`` management command now requires also the key id. The management version has been changed to 5 to indicate this change. +- (OpenVPN 2.6.2) A client will now refuse a connection if pushed compression + settings will contradict the setting of allow-compression as this almost + always results in a non-working connection. + Common errors with OpenSSL 3.0 and OpenVPN 2.6 ---------------------------------------------- Both OpenVPN 2.6 and OpenSSL 3.0 tighten the security considerable, so some diff --git a/src/openvpn/comp.c b/src/openvpn/comp.c index 3b8d78996..d6d8029da 100644 --- a/src/openvpn/comp.c +++ b/src/openvpn/comp.c @@ -157,4 +157,33 @@ comp_generate_peer_info_string(const struct compress_options *opt, struct buffer } } +bool +check_compression_settings_valid(struct compress_options *info, int msglevel) +{ + if ((info->flags & COMP_F_ALLOW_STUB_ONLY) && comp_non_stub_enabled(info)) + { + msg(msglevel, "Compression is not allowed since allow-compression is " + "set to 'no'"); + return false; + } +#ifndef ENABLE_LZ4 + if (info->alg == COMP_ALGV2_LZ4 || info->alg == COMP_ALG_LZ4) + { + msg(msglevel, "OpenVPN is compiled without LZ4 support. Requested " + "compression cannot be enabled."); + return false; + } +#endif +#ifndef ENABLE_LZO + if (info->alg == COMP_ALG_LZO || info->alg == COMP_ALG_LZ4) + { + msg(msglevel, "OpenVPN is compiled without LZO support. Requested " + "compression cannot be enabled."); + return false; + } +#endif + return true; +} + + #endif /* USE_COMP */ diff --git a/src/openvpn/comp.h b/src/openvpn/comp.h index 685f40391..8636727ab 100644 --- a/src/openvpn/comp.h +++ b/src/openvpn/comp.h 
@@ -196,5 +196,13 @@ comp_non_stub_enabled(const struct compress_options *info) && info->alg != COMP_ALG_UNDEF; } +/** + * Checks if the compression settings are valid. Takes into account the + * flags of allow-compression and also the whether algorithms are compiled + * in + */ +bool +check_compression_settings_valid(struct compress_options *info, int msglevel); + #endif /* USE_COMP */ #endif /* ifndef OPENVPN_COMP_H */ diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 3a6f624fd..14859499d 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2637,6 +2637,14 @@ do_deferred_options(struct context *c, const unsigned int found) #ifdef USE_COMP if (found & OPT_P_COMP) { + if (!check_compression_settings_valid(&c->options.comp, D_PUSH_ERRORS)) + { + msg(D_PUSH_ERRORS, "OPTIONS ERROR: server pushed compression " + "settings that are not allowed and will result " + "in a non-working connection. " + "See also allow-compression in the manual."); + return false; + } msg(D_PUSH_DEBUG, "OPTIONS IMPORT: compression parms modified"); comp_uninit(c->c2.comp_context); c->c2.comp_context = comp_init(&c->options.comp); diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 1480bf477..ac090ef5a 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -2766,6 +2766,14 @@ multi_connection_established(struct multi_context *m, struct multi_instance *mi) cc_succeeded = false; } +#ifdef USE_COMP + if (!check_compression_settings_valid(&mi->context.options.comp, D_MULTI_ERRORS)) + { + msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to invalid compression options"); + cc_succeeded = false; + } +#endif + if (cc_succeeded) { multi_client_connect_late_setup(m, mi, *option_types_found); diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 2bed4ce99..435e1ca9e 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -3779,6 +3779,9 @@ options_postprocess_mutate(struct options *o, struct env_set *es) /* this depends on o->windows_driver, which is set above */ options_postprocess_mutate_invariant(o); + /* check that compression settings in the options are okay */ + check_compression_settings_valid(&o->comp, M_USAGE); + /* * Save certain parms before modifying options during connect, especially * when using --pull @@ -8405,21 +8408,12 @@ add_option(struct options *options, /* All lzo variants do not use swap */ options->comp.flags &= ~COMP_F_SWAP; -#if defined(ENABLE_LZO) + if (p[1] && streq(p[1], "no")) -#endif { options->comp.alg = COMP_ALG_STUB; options->comp.flags &= ~COMP_F_ADAPTIVE; } -#if defined(ENABLE_LZO) - else if (options->comp.flags & COMP_F_ALLOW_STUB_ONLY) - { - /* Also printed on a push to hint at configuration problems */ - msg(msglevel, "Cannot set comp-lzo to '%s', " - "allow-compression is set to 'no'", p[1]); - goto err; - } else if (p[1]) { if (streq(p[1], "yes")) @@ -8444,7 +8438,6 @@ add_option(struct options *options, options->comp.flags |= COMP_F_ADAPTIVE; } show_compression_warning(&options->comp); -#endif /* if defined(ENABLE_LZO) */ } else if (streq(p[0], "comp-noadapt") && !p[1]) { @@ -8478,23 +8471,12 @@ add_option(struct options *options, { options->comp.alg = COMP_ALG_UNDEF; options->comp.flags = COMP_F_MIGRATE; - } - else if (options->comp.flags & COMP_F_ALLOW_STUB_ONLY) - { - /* Also printed on a push to hint at configuration problems */ - msg(msglevel, "Cannot set compress to '%s', " - "allow-compression is set to 'no'", alg); - goto err; - } -#if defined(ENABLE_LZO) else if (streq(alg, "lzo")) { options->comp.alg = COMP_ALG_LZO; options->comp.flags &= ~(COMP_F_ADAPTIVE | COMP_F_SWAP); } -#endif -#if defined(ENABLE_LZ4) else if (streq(alg, "lz4")) { options->comp.alg = COMP_ALG_LZ4; @@ -8504,7 +8486,6 @@ add_option(struct options *options, { options->comp.alg = COMP_ALGV2_LZ4; } -#endif else { msg(msglevel, "bad comp option: %s", alg);
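Review bot: in the Changes.rst hunk, the new entry only describes the pushed-settings case, while the options.c part of the same patch also changes what happens to a local config that names an algorithm not compiled in (the removed `#if defined(ENABLE_LZO)` / `ENABLE_LZ4` guards): such a config is now refused by check_compression_settings_valid() at startup instead of being silently parsed as stub. Please add a sentence about that, and "settings will contradict" reads better as "settings contradict".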
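Review bot: the `#ifndef ENABLE_LZO` block in check_compression_settings_valid() (comp.c hunk) tests `info->alg == COMP_ALG_LZO || info->alg == COMP_ALG_LZ4`, so a build with LZ4 but without LZO rejects plain `compress lz4` with "compiled without LZO support" while still accepting COMP_ALGV2_LZ4; this looks like a copy of the LZ4 condition just above and should only test `info->alg == COMP_ALG_LZO`. LZ4 availability is already handled by the `#ifndef ENABLE_LZ4` block.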
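Review bot: the doxygen comment in the comp.h hunk has a typo, "also the whether algorithms are compiled in" should read "also whether the algorithms are compiled in". Since the function only reads `info`, the prototype could take `const struct compress_options *info`, matching comp_non_stub_enabled() directly above it.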
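Review bot: in the init.c hunk the failure is reported twice at D_PUSH_ERRORS, once inside check_compression_settings_valid() and again by the "OPTIONS ERROR: server pushed compression settings ..." message. That is acceptable since the second message gives the context, but the first could name the offending algorithm so the operator can see which pushed setting was refused.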
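Review bot: the first options.c hunk (options_postprocess_mutate) discards the return value of `check_compression_settings_valid(&o->comp, M_USAGE);`, unlike the init.c and multi.c call sites which act on `false`. If the intent is that msg() with M_USAGE never returns, say so in the comment ("msg(M_USAGE) exits, return value intentionally ignored"); otherwise the result must be handled, because the parser no longer rejects these configs itself.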
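Review bot: in the second options.c hunk (add_option, comp-lzo), dropping the `#if defined(ENABLE_LZO)` around `if (p[1] && streq(p[1], "no"))` changes behaviour on builds without LZO: previously the condition was compiled out and every `comp-lzo` form became COMP_ALG_STUB, now `comp-lzo` without the "no" argument falls through to the non-stub branches and is refused by check_compression_settings_valid(). That is consistent with the goal of the patch, but it is a user-visible change for existing configs and should be stated in the commit message and Changes.rst.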