From patchwork Thu Mar 23 17:06:01 2023
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 3161
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 23 Mar 2023 18:06:01 +0100
Message-Id: <20230323170601.1256132-4-arne@rfc2549.org>
In-Reply-To: <20230323170601.1256132-1-arne@rfc2549.org>
References: <20230323170601.1256132-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 4/4] Parse compression options and bail out when compression is disabled

This change keeps the option parsing of compression options even when
compression is disabled. This allows OpenVPN to also refuse/reject
connections that try to use compression when compression is completely
disabled.
Change-Id: I9d7afd8f1d67d2455b4ec6bc12f4dcde80140c4f Signed-off-by: Arne Schwabe --- src/openvpn/comp.c | 14 ++++--- src/openvpn/comp.h | 85 ++++++++++++++++++++++--------------------- src/openvpn/init.c | 2 - src/openvpn/multi.c | 2 - src/openvpn/options.c | 12 +----- src/openvpn/options.h | 4 -- 6 files changed, 54 insertions(+), 65 deletions(-) diff --git a/src/openvpn/comp.c b/src/openvpn/comp.c index c7a562f5a..27b640ce0 100644 --- a/src/openvpn/comp.c +++ b/src/openvpn/comp.c @@ -29,10 +29,11 @@ #include "syshead.h" -#ifdef USE_COMP - #include "comp.h" #include "error.h" + +#ifdef USE_COMP + #include "otime.h" #include "memdbg.h" @@ -158,6 +159,7 @@ comp_generate_peer_info_string(const struct compress_options *opt, struct buffer buf_printf(out, "IV_COMP_STUB=1\n"); buf_printf(out, "IV_COMP_STUBv2=1\n"); } +#endif /* USE_COMP */ bool check_compression_settings_valid(struct compress_options *info, int msglevel) @@ -170,8 +172,13 @@ check_compression_settings_valid(struct compress_options *info, int msglevel) if (info->alg != COMP_ALGV2_UNCOMPRESSED && info->alg != COMP_ALG_UNDEF && (info->flags & COMP_F_ALLOW_NOCOMP_ONLY)) { +#ifdef USE_COMP msg(msglevel, "Compression or compression stub framing is not allowed " "since data-channel offloading is enabled."); +#else + msg(msglevel, "Compression or compression stub framing is not allowed " + "since OpenVPN was built without compression support."); +#endif return false; } @@ -199,6 +206,3 @@ check_compression_settings_valid(struct compress_options *info, int msglevel) #endif return true; } - - -#endif /* USE_COMP */ diff --git a/src/openvpn/comp.h b/src/openvpn/comp.h index 71b350d09..89940cf3a 100644 --- a/src/openvpn/comp.h +++ b/src/openvpn/comp.h 
@@ -28,12 +28,19 @@ #ifndef OPENVPN_COMP_H #define OPENVPN_COMP_H -#ifdef USE_COMP +/* We always parse all compression options, so we include these defines/struct + * outside of the USE_COMP define */ -#include "buffer.h" -#include "mtu.h" -#include "common.h" -#include "status.h" +/* Compression flags */ +#define COMP_F_ADAPTIVE (1<<0) /* COMP_ALG_LZO only */ +#define COMP_F_ALLOW_COMPRESS (1<<1) /* not only downlink is compressed but also uplink */ +#define COMP_F_SWAP (1<<2) /* initial command byte is swapped with last byte in buffer to preserve payload alignment */ +#define COMP_F_ADVERTISE_STUBS_ONLY (1<<3) /* tell server that we only support compression stubs */ +#define COMP_F_ALLOW_STUB_ONLY (1<<4) /* Only accept stub compression, even with COMP_F_ADVERTISE_STUBS_ONLY + * we still accept other compressions to be pushed */ +#define COMP_F_MIGRATE (1<<5) /* push stub-v2 or comp-lzo no when we see a client with comp-lzo in occ */ +#define COMP_F_ALLOW_ASYM (1<<6) /* Compression was explicitly set to allow asymetric compression */ +#define COMP_F_ALLOW_NOCOMP_ONLY (1<<7) /* Do not allow compression framing (breaks DCO) */ /* algorithms */ #define COMP_ALG_UNDEF 0 
@@ -51,16 +58,37 @@ #define COMP_ALGV2_SNAPPY 13 */ -/* Compression flags */ -#define COMP_F_ADAPTIVE (1<<0) /* COMP_ALG_LZO only */ -#define COMP_F_ALLOW_COMPRESS (1<<1) /* not only downlink is compressed but also uplink */ -#define COMP_F_SWAP (1<<2) /* initial command byte is swapped with last byte in buffer to preserve payload alignment */ -#define COMP_F_ADVERTISE_STUBS_ONLY (1<<3) /* tell server that we only support compression stubs */ -#define COMP_F_ALLOW_STUB_ONLY (1<<4) /* Only accept stub compression, even with COMP_F_ADVERTISE_STUBS_ONLY - * we still accept other compressions to be pushed */ -#define COMP_F_MIGRATE (1<<5) /* push stub-v2 or comp-lzo no when we see a client with comp-lzo in occ */ -#define COMP_F_ALLOW_ASYM (1<<6) /* Compression was explicitly set to allow asymetric compression */ -#define COMP_F_ALLOW_NOCOMP_ONLY (1<<7) /* Do not allow compression framing (breaks DCO) */ +/* + * Information that basically identifies a compression + * algorithm and related flags. + */ +struct compress_options +{ + int alg; + unsigned int flags; +}; + +static inline bool +comp_non_stub_enabled(const struct compress_options *info) +{ + return info->alg != COMP_ALGV2_UNCOMPRESSED + && info->alg != COMP_ALG_STUB + && info->alg != COMP_ALG_UNDEF; +} + +/** + * Checks if the compression settings are valid. Takes into account the + * flags of allow-compression and also the whether algorithms are compiled + * in + */ +bool +check_compression_settings_valid(struct compress_options *info, int msglevel); + +#ifdef USE_COMP +#include "buffer.h" +#include "mtu.h" +#include "common.h" +#include "status.h" /* * Length of prepended prefix on compressed packets @@ -130,16 +158,6 @@ struct compress_alg #include "comp-lz4.h" #endif -/* - * Information that basically identifies a compression - * algorithm and related flags. - */ -struct compress_options -{ - int alg; - unsigned int flags; -}; - /* * Workspace union of all supported compression algorithms */ 
@@ -187,22 +205,5 @@ comp_enabled(const struct compress_options *info) { return info->alg != COMP_ALG_UNDEF; } - -static inline bool -comp_non_stub_enabled(const struct compress_options *info) -{ - return info->alg != COMP_ALGV2_UNCOMPRESSED - && info->alg != COMP_ALG_STUB - && info->alg != COMP_ALG_UNDEF; -} - -/** - * Checks if the compression settings are valid. Takes into account the - * flags of allow-compression and also the whether algorithms are compiled - * in - */ -bool -check_compression_settings_valid(struct compress_options *info, int msglevel); - #endif /* USE_COMP */ #endif /* ifndef OPENVPN_COMP_H */ diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 14859499d..9172bbb22 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2634,7 +2634,6 @@ do_deferred_options(struct context *c, const unsigned int found) } } -#ifdef USE_COMP if (found & OPT_P_COMP) { if (!check_compression_settings_valid(&c->options.comp, D_PUSH_ERRORS)) @@ -2649,7 +2648,6 @@ do_deferred_options(struct context *c, const unsigned int found) comp_uninit(c->c2.comp_context); c->c2.comp_context = comp_init(&c->options.comp); } -#endif if (found & OPT_P_SHAPER) { diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index ac090ef5a..5444e7520 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -2766,13 +2766,11 @@ multi_connection_established(struct multi_context *m, struct multi_instance *mi) cc_succeeded = false; } -#ifdef USE_COMP if (!check_compression_settings_valid(&mi->context.options.comp, D_MULTI_ERRORS)) { msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to invalid compression options"); cc_succeeded = false; } -#endif if (cc_succeeded) { diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 92f7456a4..cfde54939 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -1906,10 +1906,8 @@ show_settings(const struct options *o) SHOW_BOOL(fast_io); -#ifdef USE_COMP SHOW_INT(comp.alg); SHOW_INT(comp.flags); -#endif SHOW_STR(route_script); SHOW_STR(route_default_gateway); @@ -3320,9 +3318,7 @@ pre_connect_save(struct options *o) o->pre_connect->ping_send_timeout = o->ping_send_timeout; /* Miscellaneous Options */ -#ifdef USE_COMP o->pre_connect->comp = o->comp; -#endif } void @@ -3386,9 +3382,7 @@ pre_connect_restore(struct options *o, struct gc_arena *gc) o->ping_send_timeout = pp->ping_send_timeout; /* Miscellaneous Options */ -#ifdef USE_COMP o->comp = pp->comp; -#endif } o->push_continuation = 0; @@ -3655,6 +3649,8 @@ options_set_backwards_compatible_options(struct options *o) o->comp.flags = COMP_F_ALLOW_STUB_ONLY | COMP_F_ADVERTISE_STUBS_ONLY; } } +#else /* ifdef USE_COMP */ + o->comp.flags = COMP_F_ALLOW_NOCOMP_ONLY; #endif } @@ -5669,7 +5665,6 @@ set_user_script(struct options *options, #endif } -#ifdef USE_COMP static void show_compression_warning(struct compress_options *info) { @@ -5688,7 +5683,6 @@ show_compression_warning(struct compress_options *info) } } } -#endif bool key_is_external(const struct options *options) @@ -8370,7 +8364,6 @@ add_option(struct options *options, options->passtos = true; } #endif -#if defined(USE_COMP) else if (streq(p[0], "allow-compression") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); @@ -8506,7 +8499,6 @@ add_option(struct options *options, show_compression_warning(&options->comp); } -#endif /* USE_COMP */ else if (streq(p[0], "show-ciphers") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); diff --git a/src/openvpn/options.h b/src/openvpn/options.h index 2f25f5d07..f5890b90f 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -87,9 +87,7 @@ struct options_pre_connect int ping_rec_timeout_action; int foreign_option_index; -#ifdef USE_COMP struct compress_options comp; -#endif }; #if !defined(ENABLE_CRYPTO_OPENSSL) && !defined(ENABLE_CRYPTO_MBEDTLS) 
@@ -395,9 +393,7 @@ struct options /* optimize TUN/TAP/UDP writes */ bool fast_io; -#ifdef USE_COMP struct compress_options comp; -#endif /* buffer sizes */ int rcvbuf;
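Review bot: in the comp.c hunk for check_compression_settings_valid, a build without USE_COMP still rejects a compression algorithm only when `info->flags & COMP_F_ALLOW_NOCOMP_ONLY` is set, and that flag is established in a different file (the `#else` branch added to options_set_backwards_compatible_options in options.c). If a compress_options struct reaches this check without having passed through that function, a pushed comp-lzo would be reported as valid by a binary that has no compression code behind it. Since the `#else` branch of the message already knows there is no compression support, consider making the rejection in that branch depend on `info->alg` alone (same two-value test as the surrounding `if`) rather than on the flag, and keep the flag-based test for the data-channel offload case only.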
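Review bot: the block of `COMP_F_*` defines moved above `#ifdef USE_COMP` in the first comp.h hunk carries a comment typo along with it: "asymetric" in the COMP_F_ALLOW_ASYM comment should read "asymmetric", and since the lines are being touched anyway this is the moment to fix it. The same hunk, together with the second comp.h hunk, leaves `struct compress_options`, the `static inline bool comp_non_stub_enabled()` helper and the `bool` prototype of check_compression_settings_valid() in the unconditional part of the header while the includes of buffer.h, mtu.h, common.h and status.h now sit inside `#ifdef USE_COMP`; that works only because every translation unit includes syshead.h first, so a one-line comment stating that assumption (or an explicit `#include <stdbool.h>`) would make the header self-describing.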
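Review bot: in the two init.c hunks for do_deferred_options, removing the outer `#ifdef USE_COMP` also exposes `comp_uninit(c->c2.comp_context);` and `c->c2.comp_context = comp_init(&c->options.comp);` to builds without compression support, and nothing in this patch makes comp_init(), comp_uninit() or `c2.comp_context` available outside USE_COMP (comp.h keeps everything beyond the validity check inside that guard). Unless those are declared elsewhere for the no-compression build this will not compile; suggest keeping the check_compression_settings_valid() call unconditional and wrapping only the two comp_*() lines in `#ifdef USE_COMP`.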
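Review bot: the `#else` branch added to options_set_backwards_compatible_options assigns `o->comp.flags = COMP_F_ALLOW_NOCOMP_ONLY;` unconditionally in builds without USE_COMP, so whatever an `--allow-compression` line set (that branch of add_option is compiled in every build now that the later `-#if defined(USE_COMP)` hunk removes its guard) is silently overwritten rather than reported as conflicting. If the intent is that a no-compression build always behaves like `--allow-compression no`, say so in a comment next to the assignment and consider warning when the user asked for something else; a function named for backwards-compatible defaults is also a surprising home for a build-type constant, so the defaults initialiser may be the better place.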