From patchwork Wed Jan 11 13:44:39 2023
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2995
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 11 Jan 2023 14:44:39 +0100
Message-Id: <20230111134439.1107915-1-arne@rfc2549.org>
X-Mailer: git-send-email 2.25.1
Subject: [Openvpn-devel] [PATCH v2] Deprecate OCC checking

- Move OCC warnings to debug level.
This moves the only useful OCC message of compress-migrate to D_PUSH - remove configure option --enable-strict-options - ignore disable-occ in TLS mode as it is logged under debug now only disable-occ is now strictly a non-TLS option - mark opt-verify and disable-occ as deprecated. Patch v2: change one missed M_WARN to D_OCC Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- Changes.rst | 6 ++++++ configure.ac | 1 - doc/man-sections/generic-options.rst | 3 ++- doc/man-sections/server-options.rst | 4 ++-- src/openvpn/errlevel.h | 3 ++- src/openvpn/init.c | 2 -- src/openvpn/options.c | 14 ++++++++------ src/openvpn/ssl.c | 5 ++--- 8 files changed, 22 insertions(+), 16 deletions(-) diff --git a/Changes.rst b/Changes.rst index 187d03fcf..35337a483 100644 --- a/Changes.rst +++ b/Changes.rst @@ -183,6 +183,12 @@ PF (Packet Filtering) support has been removed This implies that also ``--management-client-pf`` and any other compile time or run time related option do not exist any longer. +Option conflict checking is being deprecated and phased out + The static option checking is no longer useful in typical setup that + negotiate most connection parameters. The ``--opt-verify`` and + ``--occ-disable`` are deprecated and the configure option + enable-strict-options has been removed. Logging of mismatched options has + been moved to debug logging. User-visible Changes -------------------- diff --git a/configure.ac b/configure.ac index befdaa096..915000870 100644 --- a/configure.ac +++ b/configure.ac 
@@ -1233,7 +1233,6 @@ test "${enable_debug}" = "yes" && AC_DEFINE([ENABLE_DEBUG], [1], [Enable debuggi test "${enable_small}" = "yes" && AC_DEFINE([ENABLE_SMALL], [1], [Enable smaller executable size]) test "${enable_fragment}" = "yes" && AC_DEFINE([ENABLE_FRAGMENT], [1], [Enable internal fragmentation support]) test "${enable_port_share}" = "yes" && AC_DEFINE([ENABLE_PORT_SHARE], [1], [Enable TCP Server port sharing]) -test "${enable_strict_options}" = "yes" && AC_DEFINE([ENABLE_STRICT_OPTIONS_CHECK], [1], [Enable strict options check between peers]) test "${enable_crypto_ofb_cfb}" = "yes" && AC_DEFINE([ENABLE_OFB_CFB_MODE], [1], [Enable OFB and CFB cipher modes]) if test "${have_export_keying_material}" = "yes"; then diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index d2b226c45..c827651d6 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst @@ -181,7 +181,8 @@ which mode OpenVPN is configured as. older than version 2.4 to connect. --disable-occ - Disable "options consistency check" (OCC). + **DEPRECATED** Disable "options consistency check" (OCC) in configurations + that do not use TLS. Don't output a warning message if option inconsistencies are detected between peers. An example of an option inconsistency would be where one diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index dbe35d6e1..6b9ad21b8 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst 
@@ -400,8 +400,8 @@ fast hardware. SSL/TLS authentication must be used in this mode. the kernel routing table. --opt-verify - Clients that connect with options that are incompatible with those of the - server will be disconnected. + **DEPRECATED** Clients that connect with options that are incompatible with + those of the server will be disconnected. Options that will be compared for compatibility include ``dev-type``, ``link-mtu``, ``tun-mtu``, ``proto``, ``ifconfig``, diff --git a/src/openvpn/errlevel.h b/src/openvpn/errlevel.h index 64ba4a339..c69ea91d6 100644 --- a/src/openvpn/errlevel.h +++ b/src/openvpn/errlevel.h @@ -94,7 +94,6 @@ #define D_DCO LOGLEV(3, 0, 0) /* show DCO related messages */ #define D_SHOW_PARMS LOGLEV(4, 50, 0) /* show all parameters on program initiation */ -#define D_SHOW_OCC LOGLEV(4, 51, 0) /* show options compatibility string */ #define D_LOW LOGLEV(4, 52, 0) /* miscellaneous low-frequency debug info */ #define D_DHCP_OPT LOGLEV(4, 53, 0) /* show DHCP options binary string */ #define D_MBUF LOGLEV(4, 54, 0) /* mbuf.[ch] routines */ @@ -147,6 +146,8 @@ #define D_CRYPTO_DEBUG LOGLEV(7, 70, M_DEBUG) /* show detailed info from crypto.c routines */ #define D_PID_DEBUG LOGLEV(7, 70, M_DEBUG) /* show packet-id debugging info */ #define D_PUSH_DEBUG LOGLEV(7, 73, M_DEBUG) /* show push/pull debugging info */ +#define D_SHOW_OCC LOGLEV(7, 74, M_DEBUG) /* show options compatibility string */ + #define D_VLAN_DEBUG LOGLEV(7, 74, M_DEBUG) /* show VLAN tagging/untagging debug info */ diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 773588305..b500d3543 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -3175,8 +3175,6 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) to.xmit_hold = true; } - to.disable_occ = !options->occ; - to.verify_command = options->tls_verify; to.verify_export_cert = options->tls_export_cert; to.verify_x509_type = (options->verify_x509_type & 0xff); 
diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 9f027e768..3a0995f11 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -359,7 +359,7 @@ static const char usage_message[] = "--status file [n] : Write operational status to file every n seconds.\n" "--status-version [n] : Choose the status file format version number.\n" " Currently, n can be 1, 2, or 3 (default=1).\n" - "--disable-occ : Disable options consistency check between peers.\n" + "--disable-occ : (DEPRECATED) Disable options consistency check between peers.\n" #ifdef ENABLE_DEBUG "--gremlin mask : Special stress testing mode (for debugging only).\n" #endif @@ -458,7 +458,7 @@ static const char usage_message[] = " OTP based two-factor auth mechanisms are in use and\n" " --reneg-* options are enabled. Optionally a lifetime in seconds\n" " for generated tokens can be set.\n" - "--opt-verify : Clients that connect with options that are incompatible\n" + "--opt-verify : (DEPRECATED) Clients that connect with options that are incompatible\n" " with those of the server will be disconnected.\n" "--auth-user-pass-optional : Allow connections by clients that don't\n" " specify a username/password.\n" @@ -4567,15 +4567,15 @@ options_cmp_equal_safe(char *actual, const char *expected, size_t actual_n) if (actual_n > 0) { actual[actual_n - 1] = 0; -#ifndef ENABLE_STRICT_OPTIONS_CHECK if (strncmp(actual, expected, 2)) { msg(D_SHOW_OCC, "NOTE: Options consistency check may be skewed by version differences"); options_warning_safe_ml(D_SHOW_OCC, actual, expected, actual_n); } else -#endif - ret = !strcmp(actual, expected); + { + ret = !strcmp(actual, expected); + } } gc_free(&gc); return ret; 
@@ -4584,7 +4584,7 @@ options_cmp_equal_safe(char *actual, const char *expected, size_t actual_n) void options_warning_safe(char *actual, const char *expected, size_t actual_n) { - options_warning_safe_ml(M_WARN, actual, expected, actual_n); + options_warning_safe_ml(D_SHOW_OCC, actual, expected, actual_n); } const char * @@ -7538,6 +7538,8 @@ add_option(struct options *options, else if (streq(p[0], "opt-verify") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); + msg(M_INFO, "DEPRECATION: opt-verify is deprecated and will be removed " + "in OpenVPN 2.7"); options->ssl_flags |= SSLF_OPT_VERIFY; } else if (streq(p[0], "auth-user-pass-verify") && p[1]) diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index cbb596c13..016bdc57f 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -2420,14 +2420,13 @@ key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_sessio } /* check options consistency */ - if (!session->opt->disable_occ - && !options_cmp_equal(options, session->opt->remote_options)) + if (!options_cmp_equal(options, session->opt->remote_options)) { const char *remote_options = session->opt->remote_options; #ifdef USE_COMP if (multi->opt.comp_options.flags & COMP_F_MIGRATE && multi->remote_usescomp) { - msg(D_SHOW_OCC, "Note: 'compress migrate' detected remote peer " + msg(D_PUSH, "Note: 'compress migrate' detected remote peer " "with compression enabled."); remote_options = options_string_compat_lzo(remote_options, &gc); }
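Review bot: in the Changes.rst hunk the option is named ``--occ-disable``, but the option this patch deprecates is ``--disable-occ`` (see the generic-options.rst hunk and the usage string in options.c), so a user searching the changelog for the real name will miss the entry. The same sentence also reads "useful in typical setup that negotiate"; suggest "useful in typical setups that negotiate most connection parameters. The ``--opt-verify`` and ``--disable-occ`` options are deprecated and ...".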
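Review bot: the configure.ac hunk removes only the AC_DEFINE for ENABLE_STRICT_OPTIONS_CHECK, and the diffstat shows a single deletion in configure.ac, so the AC_ARG_ENABLE that declares --enable-strict-options (not visible in this patch) is presumably still there. If so, `./configure --enable-strict-options` is still accepted but silently does nothing; remove that declaration too, or make it fail, so that the "remove configure option" promised in the commit message is complete.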
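Review bot: in the errlevel.h hunk the relocated D_SHOW_OCC uses LOGLEV(7, 74, M_DEBUG), the same second argument as D_VLAN_DEBUG on the line that follows it, so both message kinds now fall into one group for the purposes of that argument. The visible context shows D_CRYPTO_DEBUG and D_PID_DEBUG already sharing 70, so this is existing practice, but a distinct number would keep OCC output separable from VLAN debug. The blank line inserted between the new define and D_VLAN_DEBUG also breaks an otherwise unbroken block of defines; drop it.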
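Review bot: the init.c hunk deletes the only assignment `to.disable_occ = !options->occ;`, and the ssl.c hunk deletes its only visible reader, yet no header appears in the diffstat, so the `disable_occ` member itself is left declared, never set and never read. Remove the member in this patch (or say in the commit message that a follow-up does), so nobody later tests a field that is now always zero-initialised.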
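Review bot: the options_warning_safe hunk demotes the "is used inconsistently" output from M_WARN to D_SHOW_OCC, which the errlevel.h hunk moves to level 7, so any caller that still relies on this function to surface a mismatch at default verbosity now goes silent, and the function's name no longer matches what it does. At minimum add a comment on the function stating that it only produces debug output, and check that no caller outside this patch still treats it as a user-facing warning.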
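Review bot: the add_option hunk adds a DEPRECATION message for opt-verify only, while Changes.rst and both man-page hunks mark disable-occ as deprecated as well, and the ssl.c hunk turns disable-occ into a no-op in TLS mode without any notice to the user. Add the matching `msg(M_INFO, "DEPRECATION: disable-occ is deprecated and will be removed in OpenVPN 2.7");` in the disable-occ branch of add_option, ideally also stating that the option is ignored with TLS, so both deprecated options announce themselves consistently; this message is also the only place that names a removal version, which Changes.rst should state too.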