From patchwork Mon Sep 30 12:43:53 2024
X-Patchwork-Submitter: Frank Lichtenheld
X-Patchwork-Id: 3883
From: Frank Lichtenheld
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 30 Sep 2024 14:43:53 +0200
Message-Id: <20240930124353.31987-1-frank@lichtenheld.com>
Subject: [Openvpn-devel] [PATCH v5] Remove support for compression on send
Cc: Arne Schwabe

We can't
disable compression support on receive because that would break too many configurations out there. But we can remove the support for compressing outgoing traffic, it was disabled by default anyway. Makes "--allow-compression yes" an alias for "--allow-compression asym" and removes all resulting dead code. Change-Id: I402ba016b75cfcfec4fc8b2b01cc4eca7e2bcc60 Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/755 This mail reflects revision 5 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe diff --git a/Changes.rst b/Changes.rst index 439352a..b9287ce 100644 --- a/Changes.rst +++ b/Changes.rst @@ -46,6 +46,12 @@ Support for building with OpenSSL 1.0.2 has been removed. The minimum supported OpenSSL version is now 1.1.0. +Compression on send + OpenVPN 2.7 will never compress data before sending. Decompression of + received data is still supported. + ``--allow-compression yes`` is now an alias for + ``--allow-compression asym``. + Overview of changes in 2.6 ========================== diff --git a/doc/man-sections/protocol-options.rst b/doc/man-sections/protocol-options.rst index 8b061d2..b78ce6d 100644 --- a/doc/man-sections/protocol-options.rst +++ b/doc/man-sections/protocol-options.rst @@ -30,7 +30,9 @@ framing (stub). :code:`yes` - OpenVPN will send and receive compressed packets. + **DEPRECATED** This option is an alias for :code:`asym`. Previously + it did enable compression for uplink packets, but OpenVPN never + compresses uplink packets now. --auth alg Authenticate data channel packets and (if enabled) ``tls-auth`` control 
@@ -135,48 +137,26 @@ entirely sure that the above does not apply to your traffic, you are advised to *not* enable compression. + For this reason compression support was removed from current versions + of OpenVPN. It will still decompress compressed packets received via + a VPN connection but it will never compress any outgoing packets. + --comp-lzo mode **DEPRECATED** Enable LZO compression algorithm. Compression is generally not recommended. VPN tunnels which uses compression are suspectible to the VORALCE attack vector. - Use LZO compression -- may add up to 1 byte per packet for incompressible - data. ``mode`` may be :code:`yes`, :code:`no`, or :code:`adaptive` - (default). + Allows the other side of the connection to use LZO compression. Due + to difference in packet format this may add 1 additional byte per packet. + With current versions of OpenVPN no actual compression will happen. - In a server mode setup, it is possible to selectively turn compression - on or off for individual clients. + ``mode`` may be :code:`yes`, :code:`no`, or :code:`adaptive` + but there is no actual change in behavior anymore. - First, make sure the client-side config file enables selective - compression by having at least one ``--comp-lzo`` directive, such as - ``--comp-lzo no``. This will turn off compression by default, but allow - a future directive push from the server to dynamically change the - :code:`on`/:code:`off`/:code:`adaptive` setting. - - Next in a ``--client-config-dir`` file, specify the compression setting - for the client, for example: - :: - - comp-lzo yes - push "comp-lzo yes" - - The first line sets the ``comp-lzo`` setting for the server side of the - link, the second sets the client side. --comp-noadapt - **DEPRECATED** When used in conjunction with ``--comp-lzo``, this option - will disable OpenVPN's adaptive compression algorithm. Normally, adaptive - compression is enabled with ``--comp-lzo``. 
- - Adaptive compression tries to optimize the case where you have - compression enabled, but you are sending predominantly incompressible - (or pre-compressed) packets over the tunnel, such as an FTP or rsync - transfer of a large, compressed file. With adaptive compression, OpenVPN - will periodically sample the compression process to measure its - efficiency. If the data being sent over the tunnel is already - compressed, the compression efficiency will be very low, triggering - openvpn to disable compression for a period of time until the next - re-sample test. + **DEPRECATED** This option does not have any effect anymore since current + versions of OpenVPN never compress outgoing packets. --key-direction Alternative way of specifying the optional direction parameter for the diff --git a/src/openvpn/comp-lz4.c b/src/openvpn/comp-lz4.c index ac020a4..b35df4a 100644 --- a/src/openvpn/comp-lz4.c +++ b/src/openvpn/comp-lz4.c 
@@ -55,129 +55,40 @@ { } -static bool -do_lz4_compress(struct buffer *buf, - struct buffer *work, - struct compress_context *compctx, - const struct frame *frame) -{ - /* - * In order to attempt compression, length must be at least COMPRESS_THRESHOLD. - * and asymmetric compression must be disabled - */ - if (buf->len >= COMPRESS_THRESHOLD && (compctx->flags & COMP_F_ALLOW_COMPRESS)) - { - const size_t ps = frame->buf.payload_size; - int zlen_max = ps + COMP_EXTRA_BUFFER(ps); - int zlen; - - ASSERT(buf_init(work, frame->buf.headroom)); - ASSERT(buf_safe(work, zlen_max)); - - if (buf->len > ps) - { - dmsg(D_COMP_ERRORS, "LZ4 compression buffer overflow"); - buf->len = 0; - return false; - } - - zlen = LZ4_compress_default((const char *)BPTR(buf), (char *)BPTR(work), BLEN(buf), zlen_max); - - if (zlen <= 0) - { - dmsg(D_COMP_ERRORS, "LZ4 compression error"); - buf->len = 0; - return false; - } - - ASSERT(buf_safe(work, zlen)); - work->len = zlen; - - - dmsg(D_COMP, "LZ4 compress %d -> %d", buf->len, work->len); - compctx->pre_compress += buf->len; - compctx->post_compress += work->len; - return true; - } - return false; -} - - +/* Doesn't do any actual compression anymore */ static void lz4_compress(struct buffer *buf, struct buffer work, struct compress_context *compctx, const struct frame *frame) { - bool compressed; if (buf->len <= 0) { return; } - compressed = do_lz4_compress(buf, &work, compctx, frame); + uint8_t comp_head_byte = NO_COMPRESS_BYTE_SWAP; + uint8_t *head = BPTR(buf); + uint8_t *tail = BEND(buf); + ASSERT(buf_safe(buf, 1)); + ++buf->len; - /* On error do_lz4_compress sets buf len to zero, just return */ - if (buf->len == 0) - { - return; - } - - /* did compression save us anything? 
*/ - { - uint8_t comp_head_byte = NO_COMPRESS_BYTE_SWAP; - if (compressed && work.len < buf->len) - { - *buf = work; - comp_head_byte = LZ4_COMPRESS_BYTE; - } - - { - uint8_t *head = BPTR(buf); - uint8_t *tail = BEND(buf); - ASSERT(buf_safe(buf, 1)); - ++buf->len; - - /* move head byte of payload to tail */ - *tail = *head; - *head = comp_head_byte; - } - } + /* move head byte of payload to tail */ + *tail = *head; + *head = comp_head_byte; } - +/* Doesn't do any actual compression anymore */ static void lz4v2_compress(struct buffer *buf, struct buffer work, struct compress_context *compctx, const struct frame *frame) { - bool compressed; if (buf->len <= 0) { return; } - compressed = do_lz4_compress(buf, &work, compctx, frame); - - /* On Error just return */ - if (buf->len == 0) - { - return; - } - - /* did compression save us anything? Include 2 byte compression header - * in calculation */ - if (compressed && work.len + 2 < buf->len) - { - ASSERT(buf_prepend(&work, 2)); - uint8_t *head = BPTR(&work); - head[0] = COMP_ALGV2_INDICATOR_BYTE; - head[1] = COMP_ALGV2_LZ4_BYTE; - *buf = work; - } - else - { - compv2_escape_data_ifneeded(buf); - } + compv2_escape_data_ifneeded(buf); } static void diff --git a/src/openvpn/comp.h b/src/openvpn/comp.h index 267f680b..ed6a563 100644 --- a/src/openvpn/comp.h +++ b/src/openvpn/comp.h 
@@ -32,8 +32,9 @@ * outside of the USE_COMP define */ /* Compression flags */ -#define COMP_F_ADAPTIVE (1<<0) /* COMP_ALG_LZO only */ -#define COMP_F_ALLOW_COMPRESS (1<<1) /* not only downlink is compressed but also uplink */ +/*Removed */ +/*#define COMP_F_ADAPTIVE (1<<0) / * COMP_ALG_LZO only */ +/*#define COMP_F_ALLOW_COMPRESS (1<<1) / * not only downlink is compressed but also uplink * / */ #define COMP_F_SWAP (1<<2) /* initial command byte is swapped with last byte in buffer to preserve payload alignment */ #define COMP_F_ADVERTISE_STUBS_ONLY (1<<3) /* tell server that we only support compression stubs */ #define COMP_F_ALLOW_STUB_ONLY (1<<4) /* Only accept stub compression, even with COMP_F_ADVERTISE_STUBS_ONLY diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index 0df185e..40ee33b 100644 --- a/src/openvpn/dco.c +++ b/src/openvpn/dco.c @@ -413,8 +413,7 @@ #if defined(USE_COMP) if (o->comp.alg != COMP_ALG_UNDEF - || o->comp.flags & COMP_F_ALLOW_ASYM - || o->comp.flags & COMP_F_ALLOW_COMPRESS) + || o->comp.flags & COMP_F_ALLOW_ASYM) { msg(msglevel, "Note: '--allow-compression' is not set to 'no', disabling data channel offload."); diff --git a/src/openvpn/lzo.c b/src/openvpn/lzo.c index bab2d78..5cd5ea2 100644 --- a/src/openvpn/lzo.c +++ b/src/openvpn/lzo.c 
@@ -39,61 +39,6 @@ #include "memdbg.h" -/** - * Perform adaptive compression housekeeping. - * - * @param ac the adaptive compression state structure. - * - * @return - */ -static bool -lzo_adaptive_compress_test(struct lzo_adaptive_compress *ac) -{ - const bool save = ac->compress_state; - const time_t local_now = now; - - if (!ac->compress_state) - { - if (local_now >= ac->next) - { - if (ac->n_total > AC_MIN_BYTES - && (ac->n_total - ac->n_comp) < (ac->n_total / (100 / AC_SAVE_PCT))) - { - ac->compress_state = true; - ac->next = local_now + AC_OFF_SEC; - } - else - { - ac->next = local_now + AC_SAMP_SEC; - } - dmsg(D_COMP, "lzo_adaptive_compress_test: comp=%d total=%d", ac->n_comp, ac->n_total); - ac->n_total = ac->n_comp = 0; - } - } - else - { - if (local_now >= ac->next) - { - ac->next = local_now + AC_SAMP_SEC; - ac->n_total = ac->n_comp = 0; - ac->compress_state = false; - } - } - - if (ac->compress_state != save) - { - dmsg(D_COMP_LOW, "Adaptive compression state %s", (ac->compress_state ? "OFF" : "ON")); - } - - return !ac->compress_state; -} - -static inline void -lzo_adaptive_compress_data(struct lzo_adaptive_compress *ac, int n_total, int n_comp) -{ - ac->n_total += n_total; - ac->n_comp += n_comp; -} static void lzo_compress_init(struct compress_context *compctx) 
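Review bot: the lzo.c hunk removing lzo_adaptive_compress_test() and lzo_adaptive_compress_data() leaves their supporting definitions untouched in this patch: struct lzo_adaptive_compress (the wu.lzo.ac member) and the AC_MIN_BYTES, AC_SAVE_PCT, AC_OFF_SEC and AC_SAMP_SEC constants are no longer referenced anywhere in the visible diff, so if nothing else uses them they should be dropped from lzo.h in the same change rather than left behind as dead declarations. The removal also leaves two consecutive blank lines between `#include "memdbg.h"` and lzo_compress_init(); collapse them to one.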
@@ -118,92 +63,13 @@ compctx->wu.lzo.wmem = NULL; } -static inline bool -lzo_compression_enabled(struct compress_context *compctx) -{ - if (!(compctx->flags & COMP_F_ALLOW_COMPRESS)) - { - return false; - } - else - { - if (compctx->flags & COMP_F_ADAPTIVE) - { - return lzo_adaptive_compress_test(&compctx->wu.lzo.ac); - } - else - { - return true; - } - } -} - static void lzo_compress(struct buffer *buf, struct buffer work, struct compress_context *compctx, const struct frame *frame) { - lzo_uint zlen = 0; - int err; - bool compressed = false; - - if (buf->len <= 0) - { - return; - } - - /* - * In order to attempt compression, length must be at least COMPRESS_THRESHOLD, - * and our adaptive level must give the OK. - */ - if (buf->len >= COMPRESS_THRESHOLD && lzo_compression_enabled(compctx)) - { - const size_t ps = frame->buf.payload_size; - ASSERT(buf_init(&work, frame->buf.headroom)); - ASSERT(buf_safe(&work, ps + COMP_EXTRA_BUFFER(ps))); - - if (buf->len > ps) - { - dmsg(D_COMP_ERRORS, "LZO compression buffer overflow"); - buf->len = 0; - return; - } - - err = LZO_COMPRESS(BPTR(buf), BLEN(buf), BPTR(&work), &zlen, compctx->wu.lzo.wmem); - if (err != LZO_E_OK) - { - dmsg(D_COMP_ERRORS, "LZO compression error: %d", err); - buf->len = 0; - return; - } - - ASSERT(buf_safe(&work, zlen)); - work.len = zlen; - compressed = true; - - dmsg(D_COMP, "LZO compress %d -> %d", buf->len, work.len); - compctx->pre_compress += buf->len; - compctx->post_compress += work.len; - - /* tell adaptive level about our success or lack thereof in getting any size reduction */ - if (compctx->flags & COMP_F_ADAPTIVE) - { - lzo_adaptive_compress_data(&compctx->wu.lzo.ac, buf->len, work.len); - } - } - - /* did compression save us anything ? 
*/ - if (compressed && work.len < buf->len) - { - uint8_t *header = buf_prepend(&work, 1); - *header = LZO_COMPRESS_BYTE; - *buf = work; - } - else - { - uint8_t *header = buf_prepend(buf, 1); - *header = NO_COMPRESS_BYTE; - } + uint8_t *header = buf_prepend(buf, 1); + *header = NO_COMPRESS_BYTE; } static void diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 61f6285..1beb0ee 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -5715,17 +5715,10 @@ { if (comp_non_stub_enabled(info)) { - /* - * Check if already displayed the strong warning and enabled full - * compression - */ - if (!(info->flags & COMP_F_ALLOW_COMPRESS)) - { - msg(M_WARN, "WARNING: Compression for receiving enabled. " - "Compression has been used in the past to break encryption. " - "Sent packets are not compressed unless \"allow-compression yes\" " - "is also set."); - } + msg(M_WARN, "WARNING: Compression for receiving enabled. " + "Compression has been used in the past to break encryption. " + "Compression support is deprecated and we recommend to disable " + "it completely."); } } @@ -8435,18 +8428,14 @@ } else if (streq(p[1], "asym")) { - options->comp.flags &= ~COMP_F_ALLOW_COMPRESS; options->comp.flags |= COMP_F_ALLOW_ASYM; } else if (streq(p[1], "yes")) { - msg(M_WARN, "WARNING: Compression for sending and receiving enabled. Compression has " - "been used in the past to break encryption. Allowing compression allows " - "attacks that break encryption. Using \"--allow-compression yes\" is " - "strongly discouraged for common usage. See --compress in the manual " - "page for more information "); + msg(M_WARN, "DEPRECATED OPTION: \"--allow-compression yes\" has been removed. " + "We will use \"asym\" mode instead. See the manual page for more information."); - options->comp.flags |= COMP_F_ALLOW_COMPRESS; + options->comp.flags |= COMP_F_ALLOW_ASYM; } else { 
@@ -8461,45 +8450,29 @@ /* All lzo variants do not use swap */ options->comp.flags &= ~COMP_F_SWAP; + options->comp.alg = COMP_ALG_LZO; - if (p[1] && streq(p[1], "no")) + if (p[1]) { - options->comp.alg = COMP_ALG_STUB; - options->comp.flags &= ~COMP_F_ADAPTIVE; - } - else if (p[1]) - { - if (streq(p[1], "yes")) + if (streq(p[1], "no")) { - options->comp.alg = COMP_ALG_LZO; - options->comp.flags &= ~COMP_F_ADAPTIVE; + options->comp.alg = COMP_ALG_STUB; } - else if (streq(p[1], "adaptive")) - { - options->comp.alg = COMP_ALG_LZO; - options->comp.flags |= COMP_F_ADAPTIVE; - } - else + /* There is no actual difference anymore between these variants. + * We never compress. On the server side we replace this with + * --compress migrate later anyway. + */ + else if (!(streq(p[1], "yes") || streq(p[1], "adaptive"))) { msg(msglevel, "bad comp-lzo option: %s -- must be 'yes', 'no', or 'adaptive'", p[1]); goto err; } } - else - { - options->comp.alg = COMP_ALG_LZO; - options->comp.flags |= COMP_F_ADAPTIVE; - } show_compression_warning(&options->comp); } else if (streq(p[0], "comp-noadapt") && !p[1]) { - /* - * We do not need to check here if we allow compression since - * it only modifies a flag if compression is enabled - */ - VERIFY_PERMISSION(OPT_P_COMP); - options->comp.flags &= ~COMP_F_ADAPTIVE; + /* NO-OP since we never compress anymore */ } else if (streq(p[0], "compress") && !p[2]) { @@ -8528,7 +8501,7 @@ else if (streq(alg, "lzo")) { options->comp.alg = COMP_ALG_LZO; - options->comp.flags &= ~(COMP_F_ADAPTIVE | COMP_F_SWAP); + options->comp.flags &= ~COMP_F_SWAP; } else if (streq(alg, "lz4")) {
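Review bot: in the protocol-options.rst --comp-lzo hunk, "``mode`` may be :code:`yes`, :code:`no`, or :code:`adaptive` but there is no actual change in behavior anymore" contradicts the options.c hunk, where `no` still selects COMP_ALG_STUB while `yes` and `adaptive` select COMP_ALG_LZO, i.e. `no` refuses LZO-compressed packets from the peer and the other two accept them; the text should say that `yes` and `adaptive` are now equivalent and that `no` still disables LZO framing. The added sentence "For this reason compression support was removed from current versions of OpenVPN" is also broader than the next sentence allows; "support for compressing outgoing packets was removed" matches the Changes.rst entry. Minor: "Due to difference in packet format" should read "Due to the difference in packet format", and the unchanged context line "suspectible to the VORALCE attack vector" has two typos (susceptible, VORACLE) worth a separate doc fix.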
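Review bot: in the comp-lz4.c hunk the `+/* Doesn't do any actual compression anymore */` comment on lz4_compress() and lz4v2_compress() should state what the functions still do (swap in the NO_COMPRESS_BYTE_SWAP framing byte, or escape the data for the v2 format), and since the work, compctx and frame parameters are now unused in both, if the signature is dictated by the compress_alg function-pointer table the project's unused-parameter convention should be applied so -Wunused-parameter builds stay clean. Note also that the removed do_lz4_compress() carried the `buf->len > ps` "LZ4 compression buffer overflow" check and maintained compctx->pre_compress / compctx->post_compress; the stub path now relies only on ASSERT(buf_safe(buf, 1)) for the single added byte, which is enough for the swap, but anything that reports those counters will now show zeros.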
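Review bot: in the comp.h hunk the two flags are not removed but kept as commented-out code with a mangled comment (`/*#define COMP_F_ALLOW_COMPRESS (1<<1) / * not only downlink is compressed but also uplink * / */`), and `/*Removed */` lacks a space. Either delete the two lines, or, if the intent is to reserve bit values 0 and 1 so they are not reused, say so in a single plain comment such as `/* bits 0 and 1 (COMP_F_ADAPTIVE, COMP_F_ALLOW_COMPRESS) were removed; do not reuse */`.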
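Review bot: the lzo.c hunk for lzo_compress() drops the `if (buf->len <= 0) { return; }` guard together with the compression path, so an empty buffer now gets a NO_COMPRESS_BYTE prepended where it previously returned untouched; the lz4_compress() and lz4v2_compress() hunks keep that guard, so either keep it here too or say why the LZO stub path may differ. The remaining body dereferences the return value of buf_prepend(buf, 1) unchecked, as the old no-compress branch did; with the function reduced to two lines, an ASSERT on that pointer is cheap and makes the headroom assumption explicit.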
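Review bot: the options.c @@ -5715 hunk's new warning reads "we recommend to disable it completely"; the idiomatic form is "we recommend disabling it completely". The old text also told the admin that sent packets are not compressed; since that is now unconditionally true, keep a clause such as "outgoing packets are never compressed" so the reader knows the warning covers receive only.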
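Review bot: the options.c @@ -8435 hunk says "--allow-compression yes" "has been removed" while the option is still accepted and mapped to asym; "is deprecated and treated as asym" is more accurate. With COMP_F_ALLOW_COMPRESS gone the "asym" and "yes" branches now perform the same assignment, so consider folding them into one `streq(p[1], "asym") || streq(p[1], "yes")` branch with the deprecation message conditional on "yes", to avoid the two branches drifting apart later.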
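Review bot: in the options.c @@ -8461 hunk the comp-noadapt branch drops VERIFY_PERMISSION(OPT_P_COMP) along with the flag update. The option is a no-op now, so nothing can be changed by pushing it, but the surrounding comp options still go through the permission check; keeping it costs nothing and means a comp-noadapt appearing where OPT_P_COMP is not permitted is still rejected exactly as before. The branch should also emit a deprecation message the way "--allow-compression yes" does, otherwise users never learn the option has no effect. In the comp-lzo branch, assigning options->comp.alg = COMP_ALG_LZO before the p[1] check and overriding it for "no" is fine, but the added comment "On the server side we replace this with --compress migrate later anyway" is not backed by anything in this hunk; drop it or point at where that replacement happens.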