From patchwork Fri Mar 24 12:10:50 2023
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 3166
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 24 Mar 2023 13:10:50 +0100
Message-Id: <20230324121050.1350913-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v4] Parse compression options and bail out when compression is disabled

This change keeps the option parsing of compression options even when compression is disabled. This allows OpenVPN to also refuse/reject connections that try to use compression when compression is completely disabled.

Patch v4: fix one missing USE_COMP

Change-Id: I9d7afd8f1d67d2455b4ec6bc12f4dcde80140c4f
Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- src/openvpn/comp.c | 14 ++++--- src/openvpn/comp.h | 85 ++++++++++++++++++++++--------------------- src/openvpn/init.c | 4 +- src/openvpn/multi.c | 2 - src/openvpn/options.c | 12 +----- src/openvpn/options.h | 4 -- 6 files changed, 56 insertions(+), 65 deletions(-) diff --git a/src/openvpn/comp.c b/src/openvpn/comp.c index c7a562f5a..27b640ce0 100644 --- a/src/openvpn/comp.c +++ b/src/openvpn/comp.c @@ -29,10 +29,11 @@ #include "syshead.h" -#ifdef USE_COMP - #include "comp.h" #include "error.h" + +#ifdef USE_COMP + #include "otime.h" #include "memdbg.h" @@ -158,6 +159,7 @@ comp_generate_peer_info_string(const struct compress_options *opt, struct buffer buf_printf(out, "IV_COMP_STUB=1\n"); buf_printf(out, "IV_COMP_STUBv2=1\n"); } +#endif /* USE_COMP */ bool check_compression_settings_valid(struct compress_options *info, int msglevel) @@ -170,8 +172,13 @@ check_compression_settings_valid(struct compress_options *info, int msglevel) if (info->alg != COMP_ALGV2_UNCOMPRESSED && info->alg != COMP_ALG_UNDEF && (info->flags & COMP_F_ALLOW_NOCOMP_ONLY)) { +#ifdef USE_COMP msg(msglevel, "Compression or compression stub framing is not allowed " "since data-channel offloading is enabled."); +#else + msg(msglevel, "Compression or compression stub framing is not allowed " + "since OpenVPN was built without compression support."); +#endif return false; } @@ -199,6 +206,3 @@ check_compression_settings_valid(struct compress_options *info, int msglevel) #endif return true; } - - -#endif /* USE_COMP */ diff --git a/src/openvpn/comp.h b/src/openvpn/comp.h index 71b350d09..89940cf3a 100644 --- a/src/openvpn/comp.h +++ b/src/openvpn/comp.h 
@@ -28,12 +28,19 @@ #ifndef OPENVPN_COMP_H #define OPENVPN_COMP_H -#ifdef USE_COMP +/* We always parse all compression options, so we include these defines/struct + * outside of the USE_COMP define */ -#include "buffer.h" -#include "mtu.h" -#include "common.h" -#include "status.h" +/* Compression flags */ +#define COMP_F_ADAPTIVE (1<<0) /* COMP_ALG_LZO only */ +#define COMP_F_ALLOW_COMPRESS (1<<1) /* not only downlink is compressed but also uplink */ +#define COMP_F_SWAP (1<<2) /* initial command byte is swapped with last byte in buffer to preserve payload alignment */ +#define COMP_F_ADVERTISE_STUBS_ONLY (1<<3) /* tell server that we only support compression stubs */ +#define COMP_F_ALLOW_STUB_ONLY (1<<4) /* Only accept stub compression, even with COMP_F_ADVERTISE_STUBS_ONLY + * we still accept other compressions to be pushed */ +#define COMP_F_MIGRATE (1<<5) /* push stub-v2 or comp-lzo no when we see a client with comp-lzo in occ */ +#define COMP_F_ALLOW_ASYM (1<<6) /* Compression was explicitly set to allow asymetric compression */ +#define COMP_F_ALLOW_NOCOMP_ONLY (1<<7) /* Do not allow compression framing (breaks DCO) */ /* algorithms */ #define COMP_ALG_UNDEF 0 
@@ -51,16 +58,37 @@ #define COMP_ALGV2_SNAPPY 13 */ -/* Compression flags */ -#define COMP_F_ADAPTIVE (1<<0) /* COMP_ALG_LZO only */ -#define COMP_F_ALLOW_COMPRESS (1<<1) /* not only downlink is compressed but also uplink */ -#define COMP_F_SWAP (1<<2) /* initial command byte is swapped with last byte in buffer to preserve payload alignment */ -#define COMP_F_ADVERTISE_STUBS_ONLY (1<<3) /* tell server that we only support compression stubs */ -#define COMP_F_ALLOW_STUB_ONLY (1<<4) /* Only accept stub compression, even with COMP_F_ADVERTISE_STUBS_ONLY - * we still accept other compressions to be pushed */ -#define COMP_F_MIGRATE (1<<5) /* push stub-v2 or comp-lzo no when we see a client with comp-lzo in occ */ -#define COMP_F_ALLOW_ASYM (1<<6) /* Compression was explicitly set to allow asymetric compression */ -#define COMP_F_ALLOW_NOCOMP_ONLY (1<<7) /* Do not allow compression framing (breaks DCO) */ +/* + * Information that basically identifies a compression + * algorithm and related flags. + */ +struct compress_options +{ + int alg; + unsigned int flags; +}; + +static inline bool +comp_non_stub_enabled(const struct compress_options *info) +{ + return info->alg != COMP_ALGV2_UNCOMPRESSED + && info->alg != COMP_ALG_STUB + && info->alg != COMP_ALG_UNDEF; +} + +/** + * Checks if the compression settings are valid. Takes into account the + * flags of allow-compression and also the whether algorithms are compiled + * in + */ +bool +check_compression_settings_valid(struct compress_options *info, int msglevel); + +#ifdef USE_COMP +#include "buffer.h" +#include "mtu.h" +#include "common.h" +#include "status.h" /* * Length of prepended prefix on compressed packets @@ -130,16 +158,6 @@ struct compress_alg #include "comp-lz4.h" #endif -/* - * Information that basically identifies a compression - * algorithm and related flags. - */ -struct compress_options -{ - int alg; - unsigned int flags; -}; - /* * Workspace union of all supported compression algorithms */ 
@@ -187,22 +205,5 @@ comp_enabled(const struct compress_options *info) { return info->alg != COMP_ALG_UNDEF; } - -static inline bool -comp_non_stub_enabled(const struct compress_options *info) -{ - return info->alg != COMP_ALGV2_UNCOMPRESSED - && info->alg != COMP_ALG_STUB - && info->alg != COMP_ALG_UNDEF; -} - -/** - * Checks if the compression settings are valid. Takes into account the - * flags of allow-compression and also the whether algorithms are compiled - * in - */ -bool -check_compression_settings_valid(struct compress_options *info, int msglevel); - #endif /* USE_COMP */ #endif /* ifndef OPENVPN_COMP_H */ diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 14859499d..d358ad003 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2634,7 +2634,6 @@ do_deferred_options(struct context *c, const unsigned int found) } } -#ifdef USE_COMP if (found & OPT_P_COMP) { if (!check_compression_settings_valid(&c->options.comp, D_PUSH_ERRORS)) @@ -2645,11 +2644,12 @@ do_deferred_options(struct context *c, const unsigned int found) "See also allow-compression in the manual."); return false; } +#ifdef USE_COMP msg(D_PUSH_DEBUG, "OPTIONS IMPORT: compression parms modified"); comp_uninit(c->c2.comp_context); c->c2.comp_context = comp_init(&c->options.comp); - } #endif + } if (found & OPT_P_SHAPER) { diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index ac090ef5a..5444e7520 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -2766,13 +2766,11 @@ multi_connection_established(struct multi_context *m, struct multi_instance *mi) cc_succeeded = false; } -#ifdef USE_COMP if (!check_compression_settings_valid(&mi->context.options.comp, D_MULTI_ERRORS)) { msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to invalid compression options"); cc_succeeded = false; } -#endif if (cc_succeeded) { diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 0ccff7213..2680f2684 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -1906,10 +1906,8 @@ show_settings(const struct options *o) SHOW_BOOL(fast_io); -#ifdef USE_COMP SHOW_INT(comp.alg); SHOW_INT(comp.flags); -#endif SHOW_STR(route_script); SHOW_STR(route_default_gateway); @@ -3320,9 +3318,7 @@ pre_connect_save(struct options *o) o->pre_connect->ping_send_timeout = o->ping_send_timeout; /* Miscellaneous Options */ -#ifdef USE_COMP o->pre_connect->comp = o->comp; -#endif } void @@ -3386,9 +3382,7 @@ pre_connect_restore(struct options *o, struct gc_arena *gc) o->ping_send_timeout = pp->ping_send_timeout; /* Miscellaneous Options */ -#ifdef USE_COMP o->comp = pp->comp; -#endif } o->push_continuation = 0; @@ -3651,6 +3645,8 @@ options_set_backwards_compatible_options(struct options *o) o->comp.flags = COMP_F_ALLOW_STUB_ONLY | COMP_F_ADVERTISE_STUBS_ONLY; } } +#else /* ifdef USE_COMP */ + o->comp.flags = COMP_F_ALLOW_NOCOMP_ONLY; #endif } @@ -5665,7 +5661,6 @@ set_user_script(struct options *options, #endif } -#ifdef USE_COMP static void show_compression_warning(struct compress_options *info) { @@ -5684,7 +5679,6 @@ show_compression_warning(struct compress_options *info) } } } -#endif bool key_is_external(const struct options *options) @@ -8366,7 +8360,6 @@ add_option(struct options *options, options->passtos = true; } #endif -#if defined(USE_COMP) else if (streq(p[0], "allow-compression") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); @@ -8502,7 +8495,6 @@ add_option(struct options *options, show_compression_warning(&options->comp); } -#endif /* USE_COMP */ else if (streq(p[0], "show-ciphers") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); diff --git a/src/openvpn/options.h b/src/openvpn/options.h index 2f25f5d07..f5890b90f 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -87,9 +87,7 @@ struct options_pre_connect int ping_rec_timeout_action; int foreign_option_index; -#ifdef USE_COMP struct compress_options comp; -#endif }; #if !defined(ENABLE_CRYPTO_OPENSSL) && !defined(ENABLE_CRYPTO_MBEDTLS) 
@@ -395,9 +393,7 @@ struct options /* optimize TUN/TAP/UDP writes */ bool fast_io; -#ifdef USE_COMP struct compress_options comp; -#endif /* buffer sizes */ int rcvbuf;
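Review bot: in the comp.c hunk for check_compression_settings_valid, the `#else` message ("since OpenVPN was built without compression support") is only ever reached because options.c now forces `o->comp.flags = COMP_F_ALLOW_NOCOMP_ONLY` in non-USE_COMP builds; the two sites are coupled across files with nothing tying them together, so a short comment at either site, or a `const char *reason` chosen under `#ifdef USE_COMP` and fed to a single `msg()` call, would keep the intent visible to the next person editing one of them.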
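Review bot: the block moved above `#ifdef USE_COMP` in comp.h (`struct compress_options`, `comp_non_stub_enabled`, the `check_compression_settings_valid` prototype) uses `bool` and `static inline` before any of the header's own includes, since `buffer.h` and `common.h` are now pulled in only under `USE_COMP`; it compiles because every includer has `syshead.h` first, as comp.c does in its first hunk, but that dependency is worth stating in the new leading comment (`/* We always parse all compression options ... */`) or satisfying with an explicit include. While the doc comment is being moved, "also the whether algorithms are compiled in" could be corrected to "also whether the algorithms are compiled in", and it could now say that a build without USE_COMP rejects every compression and stub-framing setting, which is what the `#else` message in comp.c states.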
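Review bot: with the `#ifdef USE_COMP` guard dropped from the `found & OPT_P_COMP` branch in do_deferred_options (init.c), the rejection message in the context lines ("See also allow-compression in the manual.") is now also emitted by builds with no compression support at all, where `--allow-compression` cannot change the outcome; consider making that hint conditional on USE_COMP so users of a compression-less build are not pointed at an option that will not help them.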
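Review bot: the new `#else /* ifdef USE_COMP */` branch in options_set_backwards_compatible_options assigns `o->comp.flags = COMP_F_ALLOW_NOCOMP_ONLY` unconditionally, so in a non-USE_COMP build whatever the now always-compiled `allow-compression` handler stored from the configuration is overwritten silently; a `msg(M_WARN, ...)` when `o->comp.flags` already has bits set or `o->comp.alg != COMP_ALG_UNDEF` would tell the administrator that the compression directives in the config are being ignored by this build.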
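Review bot: the options.c hunks at -8366 and -8502 remove the `#if defined(USE_COMP)` / `#endif /* USE_COMP */` pair around the `allow-compression`, `compress` and `comp-lzo` handlers, but the roughly 130 lines between them are not in the diff; please confirm they reference only the symbols this patch moves outside `USE_COMP` in comp.h (the `COMP_F_*` flags, the `COMP_ALG*` values, `struct compress_options`) plus the now unguarded static `show_compression_warning`, and nothing from the section of comp.h that stays guarded, otherwise a build without USE_COMP fails to compile here even though the rest of the series is aimed at exactly that configuration.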