From patchwork Thu Mar 23 17:06:00 2023
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 3162
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 23 Mar 2023 18:06:00 +0100
Message-Id: <20230323170601.1256132-3-arne@rfc2549.org>
In-Reply-To: <20230323170601.1256132-1-arne@rfc2549.org>
References: <20230323170601.1256132-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 3/4] Add 'allow-compression stub-only' internally for DCO

This changes the "no" setting of allow-compression to also refuse framing.
This is important for our DCO implementation as these do not implement framing. This behaviour surfaced when a commercial VPN provider was pushing "comp-lzo no" to a client with DCO. While we are technically at fault here for announcing comp-lzo no support by announcing IV_LZO_STUB=1, the VPN provider continues to push "comp-lzo no" even in absence of that flag.

As the new default we default to allow-compression stub-only if a stub option is found in the config and to allow-compression no otherwise. This ensures that we only enable DCO when no compression framing is used.

This will now also bail out if the server pushes a compression setting that we do not support as mismatching compression is almost never a working connection. In my lz4-v2 and lzo-v2 you might have a connection that works mostly but some packets will be dropped since they are compressed, which is not desirable either since it becomes very hard to debug.

Patch v2: bail out if server pushes an unsupported method. Also include this bail out logic when OpenVPN is compiled without compression support.

Patch v3: always parse all compression options and move logic to check method

Change-Id: Ibd0c77af24e2214b3055d585dc23a4b06dccd414
Signed-off-by: Arne Schwabe
---
 doc/man-sections/protocol-options.rst |  4 ++-
 src/openvpn/comp.c                    | 47 ++++++++++++++++++---------
 src/openvpn/comp.h                    |  2 +-
 src/openvpn/options.c                 | 18 ++++++++--
 4 files changed, 50 insertions(+), 21 deletions(-)

diff --git a/doc/man-sections/protocol-options.rst b/doc/man-sections/protocol-options.rst
index 248f65cfd..055d08f95 100644
--- a/doc/man-sections/protocol-options.rst
+++ b/doc/man-sections/protocol-options.rst
@@ -25,7 +25,9 @@ configured in a compatible way between both the local and remote side. compression at the same time is not a feasible option. :code:`no` (default) - OpenVPN will refuse any non-stub compression. + OpenVPN will refuse any compression. If data-channel offloading + is enabled. OpenVPN will additionally also refuse compression + framing (stub). :code:`yes` OpenVPN will send and receive compressed packets. diff --git a/src/openvpn/comp.c b/src/openvpn/comp.c index d6d8029da..c7a562f5a 100644 --- a/src/openvpn/comp.c +++ b/src/openvpn/comp.c 
@@ -134,36 +134,51 @@ comp_print_stats(const struct compress_context *compctx, struct status_output *s void comp_generate_peer_info_string(const struct compress_options *opt, struct buffer *out) { - if (opt) + if (!opt || opt->flags & COMP_F_ALLOW_NOCOMP_ONLY) + { + return; + } + + bool lzo_avail = false; + if (!(opt->flags & COMP_F_ADVERTISE_STUBS_ONLY)) { - bool lzo_avail = false; - if (!(opt->flags & COMP_F_ADVERTISE_STUBS_ONLY)) - { #if defined(ENABLE_LZ4) - buf_printf(out, "IV_LZ4=1\n"); - buf_printf(out, "IV_LZ4v2=1\n"); + buf_printf(out, "IV_LZ4=1\n"); + buf_printf(out, "IV_LZ4v2=1\n"); #endif #if defined(ENABLE_LZO) - buf_printf(out, "IV_LZO=1\n"); - lzo_avail = true; + buf_printf(out, "IV_LZO=1\n"); + lzo_avail = true; #endif - } - if (!lzo_avail) - { - buf_printf(out, "IV_LZO_STUB=1\n"); - } - buf_printf(out, "IV_COMP_STUB=1\n"); - buf_printf(out, "IV_COMP_STUBv2=1\n"); } + if (!lzo_avail) + { + buf_printf(out, "IV_LZO_STUB=1\n"); + } + buf_printf(out, "IV_COMP_STUB=1\n"); + buf_printf(out, "IV_COMP_STUBv2=1\n"); } bool check_compression_settings_valid(struct compress_options *info, int msglevel) { + /* + * We also allow comp-stub-v2 here as it technically allows escaping of + * weird mac address and IPv5 protocol but practically always is used + * as an way to disable all framing. + */ + if (info->alg != COMP_ALGV2_UNCOMPRESSED && info->alg != COMP_ALG_UNDEF + && (info->flags & COMP_F_ALLOW_NOCOMP_ONLY)) + { + msg(msglevel, "Compression or compression stub framing is not allowed " + "since data-channel offloading is enabled."); + return false; + } + if ((info->flags & COMP_F_ALLOW_STUB_ONLY) && comp_non_stub_enabled(info)) { msg(msglevel, "Compression is not allowed since allow-compression is " - "set to 'no'"); + "set to 'stub-only'"); return false; } #ifndef ENABLE_LZ4 diff --git a/src/openvpn/comp.h b/src/openvpn/comp.h index 8636727ab..71b350d09 100644 --- a/src/openvpn/comp.h +++ b/src/openvpn/comp.h 
@@ -60,7 +60,7 @@ * we still accept other compressions to be pushed */ #define COMP_F_MIGRATE (1<<5) /* push stub-v2 or comp-lzo no when we see a client with comp-lzo in occ */ #define COMP_F_ALLOW_ASYM (1<<6) /* Compression was explicitly set to allow asymetric compression */ - +#define COMP_F_ALLOW_NOCOMP_ONLY (1<<7) /* Do not allow compression framing (breaks DCO) */ /* * Length of prepended prefix on compressed packets diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 435e1ca9e..92f7456a4 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -3644,10 +3644,16 @@ options_set_backwards_compatible_options(struct options *o) * * Disable compression by default starting with 2.6.0 if no other * compression related option has been explicitly set */ - if (!comp_non_stub_enabled(&o->comp) && !need_compatibility_before(o, 20600) - && (o->comp.flags == 0)) + if (!need_compatibility_before(o, 20600) && (o->comp.flags == 0)) { - o->comp.flags = COMP_F_ALLOW_STUB_ONLY|COMP_F_ADVERTISE_STUBS_ONLY; + if (o->comp.alg == COMP_ALG_UNDEF) + { + o->comp.flags = COMP_F_ALLOW_NOCOMP_ONLY; + } + else if (!comp_non_stub_enabled(&o->comp)) + { + o->comp.flags = COMP_F_ALLOW_STUB_ONLY | COMP_F_ADVERTISE_STUBS_ONLY; + } } #endif } @@ -3749,6 +3755,12 @@ options_postprocess_mutate(struct options *o, struct env_set *es) o->tuntap_options.disable_dco = !dco_check_option(D_DCO, o) || !dco_check_startup_option(D_DCO, o); } +#ifdef USE_COMP + if (dco_enabled(o)) + { + o->comp.flags |= COMP_F_ALLOW_NOCOMP_ONLY; + } +#endif #ifdef _WIN32 if (dco_enabled(o))
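Review bot: in the protocol-options.rst hunk the new text for :code:`no` breaks a clause into a fragment: "If data-channel offloading is enabled. OpenVPN will additionally also refuse compression framing (stub)." should read "If data-channel offloading is enabled, OpenVPN will additionally refuse compression framing (stub)." The sentence also says framing is refused outright, while the new check in check_compression_settings_valid (comp.c hunk) still lets COMP_ALGV2_UNCOMPRESSED, i.e. comp-stub-v2, through; the man page should state that exception so a user reading the error message knows which setting is still accepted with DCO.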
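Review bot: in comp_generate_peer_info_string the early return `if (!opt || opt->flags & COMP_F_ALLOW_NOCOMP_ONLY)` is correct only because `&` binds tighter than `||`; writing `(opt->flags & COMP_F_ALLOW_NOCOMP_ONLY)` matches the parenthesised test used a few lines later for COMP_F_ADVERTISE_STUBS_ONLY and saves the reader a precedence check. In the new block at the top of check_compression_settings_valid the comment has "an way" for "a way", and since this is the error a DCO user will hit when a server pushes "comp-lzo no", the msg() text could name the one framing that remains allowed (comp-stub-v2), which the comment explains but the message does not.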
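Review bot: the comp.h hunk replaces the blank line that separated the flag definitions from the `/* Length of prepended prefix ... */` comment with the new `#define COMP_F_ALLOW_NOCOMP_ONLY (1<<7)`, so the define now sits directly against the following comment block; keep a blank line after it. The trailing comment "Do not allow compression framing (breaks DCO)" also reads as if the flag itself breaks DCO; "only unframed packets are allowed, set when DCO is active" would say what the flag means.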
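Review bot: in the first options.c hunk (options_set_backwards_compatible_options) the unchanged comment above the condition still says compression is disabled "if no other compression related option has been explicitly set", but the modified branch now handles two cases: o->comp.alg == COMP_ALG_UNDEF gets COMP_F_ALLOW_NOCOMP_ONLY, and a configured stub (alg set, comp_non_stub_enabled() false) gets COMP_F_ALLOW_STUB_ONLY | COMP_F_ADVERTISE_STUBS_ONLY. Update the comment to describe both outcomes, as the commit message does, so the next reader does not take the COMP_ALG_UNDEF test for an oversight.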
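Review bot: the new `#ifdef USE_COMP` block in options_postprocess_mutate ORs COMP_F_ALLOW_NOCOMP_ONLY into o->comp.flags based on dco_enabled(o), which depends on o->tuntap_options.disable_dco being assigned from dco_check_option()/dco_check_startup_option() a few lines earlier. That ordering is load-bearing: the commit message says DCO is only enabled when no compression framing is used, so the flag must be applied only after that decision is final, or a config that should fall back to non-DCO would instead be rejected by check_compression_settings_valid. Add a short comment at the new block saying it must stay after the disable_dco assignment.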