From patchwork Thu Mar 23 17:05:58 2023
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 3160
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 23 Mar 2023 18:05:58 +0100
Message-Id: <20230323170601.1256132-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 1/4] Simplify --compress parsing in options.c

This removes a level of indentation and makes the "stub" condition easier to see.

Change-Id: Iae47b191f522625f81eedd3a237b272cb7374d90
Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---
 src/openvpn/options.c | 87 +++++++++++++++++++++----------------------
 1 file changed, 43 insertions(+), 44 deletions(-)
diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 64a8250b2..2bed4ce99 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -8458,60 +8458,59 @@ add_option(struct options *options, else if (streq(p[0], "compress") && !p[2]) { VERIFY_PERMISSION(OPT_P_COMP); + const char *alg = "stub"; if (p[1]) { - if (streq(p[1], "stub")) - { - options->comp.alg = COMP_ALG_STUB; - options->comp.flags |= (COMP_F_SWAP|COMP_F_ADVERTISE_STUBS_ONLY); - } - else if (streq(p[1], "stub-v2")) - { - options->comp.alg = COMP_ALGV2_UNCOMPRESSED; - options->comp.flags |= COMP_F_ADVERTISE_STUBS_ONLY; - } - else if (streq(p[1], "migrate")) - { - options->comp.alg = COMP_ALG_UNDEF; - options->comp.flags = COMP_F_MIGRATE; + alg = p[1]; + } - } - else if (options->comp.flags & COMP_F_ALLOW_STUB_ONLY) - { - /* Also printed on a push to hint at configuration problems */ - msg(msglevel, "Cannot set compress to '%s', " - "allow-compression is set to 'no'", p[1]); - goto err; - } + if (streq(alg, "stub")) + { + options->comp.alg = COMP_ALG_STUB; + options->comp.flags |= (COMP_F_SWAP|COMP_F_ADVERTISE_STUBS_ONLY); + } + else if (streq(alg, "stub-v2")) + { + options->comp.alg = COMP_ALGV2_UNCOMPRESSED; + options->comp.flags |= COMP_F_ADVERTISE_STUBS_ONLY; + } + else if (streq(alg, "migrate")) + { + options->comp.alg = COMP_ALG_UNDEF; + options->comp.flags = COMP_F_MIGRATE; + + } + else if (options->comp.flags & COMP_F_ALLOW_STUB_ONLY) + { + /* Also printed on a push to hint at configuration problems */ + msg(msglevel, "Cannot set compress to '%s', " + "allow-compression is set to 'no'", alg); + goto err; + } #if defined(ENABLE_LZO) - else if (streq(p[1], "lzo")) - { - options->comp.alg = COMP_ALG_LZO; - options->comp.flags &= ~(COMP_F_ADAPTIVE | COMP_F_SWAP); - } + else if (streq(alg, "lzo")) + { + options->comp.alg = COMP_ALG_LZO; + options->comp.flags &= ~(COMP_F_ADAPTIVE | COMP_F_SWAP); + } #endif #if defined(ENABLE_LZ4) - else if (streq(p[1], "lz4")) - { - options->comp.alg = COMP_ALG_LZ4; - options->comp.flags |= COMP_F_SWAP; - } - else if (streq(p[1], "lz4-v2")) - { - options->comp.alg = COMP_ALGV2_LZ4; - } -#endif - 
else - { - msg(msglevel, "bad comp option: %s", p[1]); - goto err; - } + else if (streq(alg, "lz4")) + { + options->comp.alg = COMP_ALG_LZ4; + options->comp.flags |= COMP_F_SWAP; + } + else if (streq(alg, "lz4-v2")) + { + options->comp.alg = COMP_ALGV2_LZ4; } +#endif else { - options->comp.alg = COMP_ALG_STUB; - options->comp.flags |= COMP_F_SWAP; + msg(msglevel, "bad comp option: %s", alg); + goto err; } + show_compression_warning(&options->comp); } #endif /* USE_COMP */
From patchwork Thu Mar 23 17:05:59 2023
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 3163
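Review bot: the rewritten `--compress` hunk changes behaviour for a bare `--compress` with no argument, and the commit message ("removes a level of indentation") does not mention it. Before, the `else` branch for the missing `p[1]` set only `options->comp.alg = COMP_ALG_STUB;` and `options->comp.flags |= COMP_F_SWAP;`; now `alg` defaults to "stub" and falls into the `streq(alg, "stub")` branch, which additionally ORs in `COMP_F_ADVERTISE_STUBS_ONLY`, so a client with a bare `--compress` will no longer advertise the real algorithms in its peer info. If that is intended (bare `--compress` behaving exactly like `--compress stub`), please state it in the commit message; otherwise keep a separate branch for the no-argument case. Style nit: the `migrate` branch ends with `options->comp.flags = COMP_F_MIGRATE;` followed by an empty line before the closing brace.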
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 23 Mar 2023 18:05:59 +0100
Message-Id: <20230323170601.1256132-2-arne@rfc2549.org>
In-Reply-To: <20230323170601.1256132-1-arne@rfc2549.org>
References: <20230323170601.1256132-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 2/4] Refuse connection if server pushes an option contradicting allow-compress

This also removes the checks in options.c itself, as we now bail out later and no longer need to ignore them during parsing.

Change-Id: I872c06f402c35112194ba77c3d6aee78e22547cb
Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---
 Changes.rst | 4 ++++
 src/openvpn/comp.c | 29 +++++++++++++++++++++++++++++
 src/openvpn/comp.h | 8 ++++++++
 src/openvpn/init.c | 8 ++++++++
 src/openvpn/multi.c | 8 ++++++++
 src/openvpn/options.c | 27 ++++----------------------
 6 files changed, 61 insertions(+), 23 deletions(-)

diff --git a/Changes.rst b/Changes.rst index dedb97ee4..77bcef266 100644 --- a/Changes.rst +++ b/Changes.rst
@@ -232,6 +232,10 @@ User-visible Changes - The ``client-pending-auth`` management command now requires also the key id. The management version has been changed to 5 to indicate this change. +- (OpenVPN 2.6.2) A client will now refuse a connection if pushed compression + settings will contradict the setting of allow-compression as this almost + always results in a non-working connection. + Common errors with OpenSSL 3.0 and OpenVPN 2.6 ---------------------------------------------- Both OpenVPN 2.6 and OpenSSL 3.0 tighten the security considerable, so some diff --git a/src/openvpn/comp.c b/src/openvpn/comp.c index 3b8d78996..d6d8029da 100644 --- a/src/openvpn/comp.c +++ b/src/openvpn/comp.c @@ -157,4 +157,33 @@ comp_generate_peer_info_string(const struct compress_options *opt, struct buffer } } +bool +check_compression_settings_valid(struct compress_options *info, int msglevel) +{ + if ((info->flags & COMP_F_ALLOW_STUB_ONLY) && comp_non_stub_enabled(info)) + { + msg(msglevel, "Compression is not allowed since allow-compression is " + "set to 'no'"); + return false; + } +#ifndef ENABLE_LZ4 + if (info->alg == COMP_ALGV2_LZ4 || info->alg == COMP_ALG_LZ4) + { + msg(msglevel, "OpenVPN is compiled without LZ4 support. Requested " + "compression cannot be enabled."); + return false; + } +#endif +#ifndef ENABLE_LZO + if (info->alg == COMP_ALG_LZO || info->alg == COMP_ALG_LZ4) + { + msg(msglevel, "OpenVPN is compiled without LZO support. Requested " + "compression cannot be enabled."); + return false; + } +#endif + return true; +} + + #endif /* USE_COMP */ diff --git a/src/openvpn/comp.h b/src/openvpn/comp.h index 685f40391..8636727ab 100644 --- a/src/openvpn/comp.h +++ b/src/openvpn/comp.h 
@@ -196,5 +196,13 @@ comp_non_stub_enabled(const struct compress_options *info) && info->alg != COMP_ALG_UNDEF; } +/** + * Checks if the compression settings are valid. Takes into account the + * flags of allow-compression and also the whether algorithms are compiled + * in + */ +bool +check_compression_settings_valid(struct compress_options *info, int msglevel); + #endif /* USE_COMP */ #endif /* ifndef OPENVPN_COMP_H */ diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 3a6f624fd..14859499d 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2637,6 +2637,14 @@ do_deferred_options(struct context *c, const unsigned int found) #ifdef USE_COMP if (found & OPT_P_COMP) { + if (!check_compression_settings_valid(&c->options.comp, D_PUSH_ERRORS)) + { + msg(D_PUSH_ERRORS, "OPTIONS ERROR: server pushed compression " + "settings that are not allowed and will result " + "in a non-working connection. " + "See also allow-compression in the manual."); + return false; + } msg(D_PUSH_DEBUG, "OPTIONS IMPORT: compression parms modified"); comp_uninit(c->c2.comp_context); c->c2.comp_context = comp_init(&c->options.comp); diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 1480bf477..ac090ef5a 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -2766,6 +2766,14 @@ multi_connection_established(struct multi_context *m, struct multi_instance *mi) cc_succeeded = false; } +#ifdef USE_COMP + if (!check_compression_settings_valid(&mi->context.options.comp, D_MULTI_ERRORS)) + { + msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to invalid compression options"); + cc_succeeded = false; + } +#endif + if (cc_succeeded) { multi_client_connect_late_setup(m, mi, *option_types_found); diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 2bed4ce99..435e1ca9e 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -3779,6 +3779,9 @@ options_postprocess_mutate(struct options *o, struct env_set *es) /* this depends on o->windows_driver, which is set above */ options_postprocess_mutate_invariant(o); + /* check that compression settings in the options are okay */ + check_compression_settings_valid(&o->comp, M_USAGE); + /* * Save certain parms before modifying options during connect, especially * when using --pull @@ -8405,21 +8408,12 @@ add_option(struct options *options, /* All lzo variants do not use swap */ options->comp.flags &= ~COMP_F_SWAP; -#if defined(ENABLE_LZO) + if (p[1] && streq(p[1], "no")) -#endif { options->comp.alg = COMP_ALG_STUB; options->comp.flags &= ~COMP_F_ADAPTIVE; } -#if defined(ENABLE_LZO) - else if (options->comp.flags & COMP_F_ALLOW_STUB_ONLY) - { - /* Also printed on a push to hint at configuration problems */ - msg(msglevel, "Cannot set comp-lzo to '%s', " - "allow-compression is set to 'no'", p[1]); - goto err; - } else if (p[1]) { if (streq(p[1], "yes")) @@ -8444,7 +8438,6 @@ add_option(struct options *options, options->comp.flags |= COMP_F_ADAPTIVE; } show_compression_warning(&options->comp); -#endif /* if defined(ENABLE_LZO) */ } else if (streq(p[0], "comp-noadapt") && !p[1]) { @@ -8478,23 +8471,12 @@ add_option(struct options *options, { options->comp.alg = COMP_ALG_UNDEF; options->comp.flags = COMP_F_MIGRATE; - } - else if (options->comp.flags & COMP_F_ALLOW_STUB_ONLY) - { - /* Also printed on a push to hint at configuration problems */ - msg(msglevel, "Cannot set compress to '%s', " - "allow-compression is set to 'no'", alg); - goto err; - } -#if defined(ENABLE_LZO) else if (streq(alg, "lzo")) { options->comp.alg = COMP_ALG_LZO; options->comp.flags &= ~(COMP_F_ADAPTIVE | COMP_F_SWAP); } -#endif -#if defined(ENABLE_LZ4) else if (streq(alg, "lz4")) { options->comp.alg = COMP_ALG_LZ4; 
@@ -8504,7 +8486,6 @@ add_option(struct options *options, { options->comp.alg = COMP_ALGV2_LZ4; } -#endif else { msg(msglevel, "bad comp option: %s", alg);
From patchwork Thu Mar 23 17:06:00 2023
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 3162
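Review bot: in the comp.c hunk, `check_compression_settings_valid()` has a copy-and-paste slip in the `#ifndef ENABLE_LZO` block: it tests `info->alg == COMP_ALG_LZO || info->alg == COMP_ALG_LZ4`, mirroring the `COMP_ALGV2_LZ4 || COMP_ALG_LZ4` test of the LZ4 block above it. On a build with LZ4 but without LZO, a local `--compress lz4` or a pushed `compress lz4` is therefore rejected with the misleading text "OpenVPN is compiled without LZO support. Requested compression cannot be enabled." The LZO block should test `info->alg == COMP_ALG_LZO` only.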
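Review bot: in the options_postprocess_mutate() hunk the return value of `check_compression_settings_valid(&o->comp, M_USAGE);` is discarded, so rejecting an invalid local configuration depends entirely on M_USAGE being a fatal message level inside the callee, while the two other new callers in init.c and multi.c act on the boolean. That works, but it is implicit; either check the return value here as well or add a one-line comment next to the call saying that M_USAGE terminates the process on failure, so a later change of the msg level does not silently turn this into a no-op.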
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 23 Mar 2023 18:06:00 +0100
Message-Id: <20230323170601.1256132-3-arne@rfc2549.org>
In-Reply-To: <20230323170601.1256132-1-arne@rfc2549.org>
References: <20230323170601.1256132-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 3/4] Add 'allow-compression stub-only' internally for DCO

This changes the "no" setting of allow-compression to also refuse framing. This is important for our DCO implementation as these do not implement framing.

This behaviour surfaced when a commercial VPN provider was pushing "comp-lzo no" to a client with DCO. While we are technically at fault here for announcing comp-lzo no support by announcing IV_LZO_STUB=1, the VPN provider continues to push "comp-lzo no" even in absence of that flag.

As the new default we default to allow-compression stub-only if a stub option is found in the config and to allow-compression no otherwise. This ensures that we only enable DCO when no compression framing is used.

This will now also bail out if the server pushes a compression setting that we do not support, as mismatching compression is almost never a working connection. With lz4-v2 and lzo-v2 you might have a connection that mostly works, but some packets will be dropped since they are compressed, which is not desirable either since it becomes very hard to debug.

Patch v2: bail out if server pushes an unsupported method. Also include this bail out logic when OpenVPN is compiled without compression support.

Patch v3: always parse all compression options and move logic to check method

Change-Id: Ibd0c77af24e2214b3055d585dc23a4b06dccd414
Signed-off-by: Arne Schwabe
---
 doc/man-sections/protocol-options.rst | 4 ++-
 src/openvpn/comp.c | 47 ++++++++++++++++++---------
 src/openvpn/comp.h | 2 +-
 src/openvpn/options.c | 18 ++++++++--
 4 files changed, 50 insertions(+), 21 deletions(-)

diff --git a/doc/man-sections/protocol-options.rst b/doc/man-sections/protocol-options.rst index 248f65cfd..055d08f95 100644 --- a/doc/man-sections/protocol-options.rst +++ b/doc/man-sections/protocol-options.rst
@@ -25,7 +25,9 @@ configured in a compatible way between both the local and remote side. compression at the same time is not a feasible option. :code:`no` (default) - OpenVPN will refuse any non-stub compression. + OpenVPN will refuse any compression. If data-channel offloading + is enabled. OpenVPN will additionally also refuse compression + framing (stub). :code:`yes` OpenVPN will send and receive compressed packets. diff --git a/src/openvpn/comp.c b/src/openvpn/comp.c index d6d8029da..c7a562f5a 100644 --- a/src/openvpn/comp.c +++ b/src/openvpn/comp.c 
@@ -134,36 +134,51 @@ comp_print_stats(const struct compress_context *compctx, struct status_output *s void comp_generate_peer_info_string(const struct compress_options *opt, struct buffer *out) { - if (opt) + if (!opt || opt->flags & COMP_F_ALLOW_NOCOMP_ONLY) + { + return; + } + + bool lzo_avail = false; + if (!(opt->flags & COMP_F_ADVERTISE_STUBS_ONLY)) { - bool lzo_avail = false; - if (!(opt->flags & COMP_F_ADVERTISE_STUBS_ONLY)) - { #if defined(ENABLE_LZ4) - buf_printf(out, "IV_LZ4=1\n"); - buf_printf(out, "IV_LZ4v2=1\n"); + buf_printf(out, "IV_LZ4=1\n"); + buf_printf(out, "IV_LZ4v2=1\n"); #endif #if defined(ENABLE_LZO) - buf_printf(out, "IV_LZO=1\n"); - lzo_avail = true; + buf_printf(out, "IV_LZO=1\n"); + lzo_avail = true; #endif - } - if (!lzo_avail) - { - buf_printf(out, "IV_LZO_STUB=1\n"); - } - buf_printf(out, "IV_COMP_STUB=1\n"); - buf_printf(out, "IV_COMP_STUBv2=1\n"); } + if (!lzo_avail) + { + buf_printf(out, "IV_LZO_STUB=1\n"); + } + buf_printf(out, "IV_COMP_STUB=1\n"); + buf_printf(out, "IV_COMP_STUBv2=1\n"); } bool check_compression_settings_valid(struct compress_options *info, int msglevel) { + /* + * We also allow comp-stub-v2 here as it technically allows escaping of + * weird mac address and IPv5 protocol but practically always is used + * as an way to disable all framing. + */ + if (info->alg != COMP_ALGV2_UNCOMPRESSED && info->alg != COMP_ALG_UNDEF + && (info->flags & COMP_F_ALLOW_NOCOMP_ONLY)) + { + msg(msglevel, "Compression or compression stub framing is not allowed " + "since data-channel offloading is enabled."); + return false; + } + if ((info->flags & COMP_F_ALLOW_STUB_ONLY) && comp_non_stub_enabled(info)) { msg(msglevel, "Compression is not allowed since allow-compression is " - "set to 'no'"); + "set to 'stub-only'"); return false; } #ifndef ENABLE_LZ4 diff --git a/src/openvpn/comp.h b/src/openvpn/comp.h index 8636727ab..71b350d09 100644 --- a/src/openvpn/comp.h +++ b/src/openvpn/comp.h 
@@ -60,7 +60,7 @@ * we still accept other compressions to be pushed */ #define COMP_F_MIGRATE (1<<5) /* push stub-v2 or comp-lzo no when we see a client with comp-lzo in occ */ #define COMP_F_ALLOW_ASYM (1<<6) /* Compression was explicitly set to allow asymetric compression */ - +#define COMP_F_ALLOW_NOCOMP_ONLY (1<<7) /* Do not allow compression framing (breaks DCO) */ /* * Length of prepended prefix on compressed packets diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 435e1ca9e..92f7456a4 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -3644,10 +3644,16 @@ options_set_backwards_compatible_options(struct options *o) * * Disable compression by default starting with 2.6.0 if no other * compression related option has been explicitly set */ - if (!comp_non_stub_enabled(&o->comp) && !need_compatibility_before(o, 20600) - && (o->comp.flags == 0)) + if (!need_compatibility_before(o, 20600) && (o->comp.flags == 0)) { - o->comp.flags = COMP_F_ALLOW_STUB_ONLY|COMP_F_ADVERTISE_STUBS_ONLY; + if (o->comp.alg == COMP_ALG_UNDEF) + { + o->comp.flags = COMP_F_ALLOW_NOCOMP_ONLY; + } + else if (!comp_non_stub_enabled(&o->comp)) + { + o->comp.flags = COMP_F_ALLOW_STUB_ONLY | COMP_F_ADVERTISE_STUBS_ONLY; + } } #endif } 
@@ -3749,6 +3755,12 @@ options_postprocess_mutate(struct options *o, struct env_set *es) o->tuntap_options.disable_dco = !dco_check_option(D_DCO, o) || !dco_check_startup_option(D_DCO, o); } +#ifdef USE_COMP + if (dco_enabled(o)) + { + o->comp.flags |= COMP_F_ALLOW_NOCOMP_ONLY; + } +#endif #ifdef _WIN32 if (dco_enabled(o))
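Review bot: in the doc/man-sections/protocol-options.rst hunk the new text for :code:`no` is broken into a fragment; "If data-channel offloading is enabled. OpenVPN will additionally also refuse compression framing (stub)." should read "If data-channel offloading is enabled, OpenVPN will additionally refuse compression framing (stub)." The sentence also promises that stub framing is refused outright, while check_compression_settings_valid in the comp.c hunk explicitly exempts COMP_ALGV2_UNCOMPRESSED (compress stub-v2) from the COMP_F_ALLOW_NOCOMP_ONLY check; the man page should mention that stub-v2 is still accepted so the two do not disagree.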
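Review bot: the new error text in the comp.c hunk, "not allowed since data-channel offloading is enabled", is only accurate when COMP_F_ALLOW_NOCOMP_ONLY came from the dco_enabled() path in options_postprocess_mutate; the options_set_backwards_compatible_options hunk also sets the flag whenever o->comp.alg is COMP_ALG_UNDEF with no DCO condition, so a non-DCO client without any compression option that gets "comp-lzo no" pushed is told DCO is the reason. A neutral wording such as "Compression or compression stub framing is not allowed (allow-compression no)" would hold for both paths. Two nits in the same hunk: `if (!opt || opt->flags & COMP_F_ALLOW_NOCOMP_ONLY)` is correct since `&` binds tighter than `||`, but writing `(opt->flags & COMP_F_ALLOW_NOCOMP_ONLY)` matches `!(opt->flags & COMP_F_ADVERTISE_STUBS_ONLY)` a few lines below; and the new comment should read "as a way to disable all framing".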
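Review bot: the options.c hunk at options_set_backwards_compatible_options changes the default for every client, not only DCO ones: a config with no compression option previously got COMP_F_ALLOW_STUB_ONLY|COMP_F_ADVERTISE_STUBS_ONLY (a pushed "comp-lzo no" was accepted), and now gets COMP_F_ALLOW_NOCOMP_ONLY whether or not DCO is available or enabled, so such clients are disconnected by servers that still push "comp-lzo no", the exact situation the commit message describes. The message frames this as keeping DCO off when framing is used; the user-visible effect on non-DCO builds and platforms should be stated explicitly there and in the changelog. If strictness is only wanted for DCO, keep the stub-only default here and leave the flag to the dco_enabled() hunk below.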
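Review bot: in the options_postprocess_mutate hunk `o->comp.flags |= COMP_F_ALLOW_NOCOMP_ONLY` is applied for any dco_enabled(o), including a config that explicitly carries "comp-lzo no" or "compress stub"; with the flag set, check_compression_settings_valid then fails for that config (alg is not COMP_ALGV2_UNCOMPRESSED) instead of DCO being turned off. Whether dco_check_option(), evaluated just above for disable_dco, already disables DCO for such configs is not visible in this hunk, so either add a comment stating that invariant next to the OR or guard it with the same check. Minor: once patch 4/4 parses compression options without USE_COMP and sets the flag in the #else branch of options_set_backwards_compatible_options, the #ifdef USE_COMP around this block is no longer needed.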
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 23 Mar 2023 18:06:01 +0100
Message-Id: <20230323170601.1256132-4-arne@rfc2549.org>
In-Reply-To: <20230323170601.1256132-1-arne@rfc2549.org>
References: <20230323170601.1256132-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 4/4] Parse compression options and bail out when compression is disabled

This change keeps the option parsing of compression options even when compression is disabled. This allows OpenVPN to also refuse/reject connections that try to use compression when compression is completely disabled.
Change-Id: I9d7afd8f1d67d2455b4ec6bc12f4dcde80140c4f Signed-off-by: Arne Schwabe --- src/openvpn/comp.c | 14 ++++--- src/openvpn/comp.h | 85 ++++++++++++++++++++++--------------------- src/openvpn/init.c | 2 - src/openvpn/multi.c | 2 - src/openvpn/options.c | 12 +----- src/openvpn/options.h | 4 -- 6 files changed, 54 insertions(+), 65 deletions(-) diff --git a/src/openvpn/comp.c b/src/openvpn/comp.c index c7a562f5a..27b640ce0 100644 --- a/src/openvpn/comp.c +++ b/src/openvpn/comp.c @@ -29,10 +29,11 @@ #include "syshead.h" -#ifdef USE_COMP - #include "comp.h" #include "error.h" + +#ifdef USE_COMP + #include "otime.h" #include "memdbg.h" @@ -158,6 +159,7 @@ comp_generate_peer_info_string(const struct compress_options *opt, struct buffer buf_printf(out, "IV_COMP_STUB=1\n"); buf_printf(out, "IV_COMP_STUBv2=1\n"); } +#endif /* USE_COMP */ bool check_compression_settings_valid(struct compress_options *info, int msglevel) @@ -170,8 +172,13 @@ check_compression_settings_valid(struct compress_options *info, int msglevel) if (info->alg != COMP_ALGV2_UNCOMPRESSED && info->alg != COMP_ALG_UNDEF && (info->flags & COMP_F_ALLOW_NOCOMP_ONLY)) { +#ifdef USE_COMP msg(msglevel, "Compression or compression stub framing is not allowed " "since data-channel offloading is enabled."); +#else + msg(msglevel, "Compression or compression stub framing is not allowed " + "since OpenVPN was built without compression support."); +#endif return false; } @@ -199,6 +206,3 @@ check_compression_settings_valid(struct compress_options *info, int msglevel) #endif return true; } - - -#endif /* USE_COMP */ diff --git a/src/openvpn/comp.h b/src/openvpn/comp.h index 71b350d09..89940cf3a 100644 --- a/src/openvpn/comp.h +++ b/src/openvpn/comp.h 
@@ -28,12 +28,19 @@ #ifndef OPENVPN_COMP_H #define OPENVPN_COMP_H -#ifdef USE_COMP +/* We always parse all compression options, so we include these defines/struct + * outside of the USE_COMP define */ -#include "buffer.h" -#include "mtu.h" -#include "common.h" -#include "status.h" +/* Compression flags */ +#define COMP_F_ADAPTIVE (1<<0) /* COMP_ALG_LZO only */ +#define COMP_F_ALLOW_COMPRESS (1<<1) /* not only downlink is compressed but also uplink */ +#define COMP_F_SWAP (1<<2) /* initial command byte is swapped with last byte in buffer to preserve payload alignment */ +#define COMP_F_ADVERTISE_STUBS_ONLY (1<<3) /* tell server that we only support compression stubs */ +#define COMP_F_ALLOW_STUB_ONLY (1<<4) /* Only accept stub compression, even with COMP_F_ADVERTISE_STUBS_ONLY + * we still accept other compressions to be pushed */ +#define COMP_F_MIGRATE (1<<5) /* push stub-v2 or comp-lzo no when we see a client with comp-lzo in occ */ +#define COMP_F_ALLOW_ASYM (1<<6) /* Compression was explicitly set to allow asymetric compression */ +#define COMP_F_ALLOW_NOCOMP_ONLY (1<<7) /* Do not allow compression framing (breaks DCO) */ /* algorithms */ #define COMP_ALG_UNDEF 0 
@@ -51,16 +58,37 @@ #define COMP_ALGV2_SNAPPY 13 */ -/* Compression flags */ -#define COMP_F_ADAPTIVE (1<<0) /* COMP_ALG_LZO only */ -#define COMP_F_ALLOW_COMPRESS (1<<1) /* not only downlink is compressed but also uplink */ -#define COMP_F_SWAP (1<<2) /* initial command byte is swapped with last byte in buffer to preserve payload alignment */ -#define COMP_F_ADVERTISE_STUBS_ONLY (1<<3) /* tell server that we only support compression stubs */ -#define COMP_F_ALLOW_STUB_ONLY (1<<4) /* Only accept stub compression, even with COMP_F_ADVERTISE_STUBS_ONLY - * we still accept other compressions to be pushed */ -#define COMP_F_MIGRATE (1<<5) /* push stub-v2 or comp-lzo no when we see a client with comp-lzo in occ */ -#define COMP_F_ALLOW_ASYM (1<<6) /* Compression was explicitly set to allow asymetric compression */ -#define COMP_F_ALLOW_NOCOMP_ONLY (1<<7) /* Do not allow compression framing (breaks DCO) */ +/* + * Information that basically identifies a compression + * algorithm and related flags. + */ +struct compress_options +{ + int alg; + unsigned int flags; +}; + +static inline bool +comp_non_stub_enabled(const struct compress_options *info) +{ + return info->alg != COMP_ALGV2_UNCOMPRESSED + && info->alg != COMP_ALG_STUB + && info->alg != COMP_ALG_UNDEF; +} + +/** + * Checks if the compression settings are valid. Takes into account the + * flags of allow-compression and also the whether algorithms are compiled + * in + */ +bool +check_compression_settings_valid(struct compress_options *info, int msglevel); + +#ifdef USE_COMP +#include "buffer.h" +#include "mtu.h" +#include "common.h" +#include "status.h" /* * Length of prepended prefix on compressed packets @@ -130,16 +158,6 @@ struct compress_alg #include "comp-lz4.h" #endif -/* - * Information that basically identifies a compression - * algorithm and related flags. - */ -struct compress_options -{ - int alg; - unsigned int flags; -}; - /* * Workspace union of all supported compression algorithms */ 
@@ -187,22 +205,5 @@ comp_enabled(const struct compress_options *info) { return info->alg != COMP_ALG_UNDEF; } - -static inline bool -comp_non_stub_enabled(const struct compress_options *info) -{ - return info->alg != COMP_ALGV2_UNCOMPRESSED - && info->alg != COMP_ALG_STUB - && info->alg != COMP_ALG_UNDEF; -} - -/** - * Checks if the compression settings are valid. Takes into account the - * flags of allow-compression and also the whether algorithms are compiled - * in - */ -bool -check_compression_settings_valid(struct compress_options *info, int msglevel); - #endif /* USE_COMP */ #endif /* ifndef OPENVPN_COMP_H */ diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 14859499d..9172bbb22 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2634,7 +2634,6 @@ do_deferred_options(struct context *c, const unsigned int found) } } -#ifdef USE_COMP if (found & OPT_P_COMP) { if (!check_compression_settings_valid(&c->options.comp, D_PUSH_ERRORS)) @@ -2649,7 +2648,6 @@ do_deferred_options(struct context *c, const unsigned int found) comp_uninit(c->c2.comp_context); c->c2.comp_context = comp_init(&c->options.comp); } -#endif if (found & OPT_P_SHAPER) { diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index ac090ef5a..5444e7520 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -2766,13 +2766,11 @@ multi_connection_established(struct multi_context *m, struct multi_instance *mi) cc_succeeded = false; } -#ifdef USE_COMP if (!check_compression_settings_valid(&mi->context.options.comp, D_MULTI_ERRORS)) { msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to invalid compression options"); cc_succeeded = false; } -#endif if (cc_succeeded) { diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 92f7456a4..cfde54939 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -1906,10 +1906,8 @@ show_settings(const struct options *o) SHOW_BOOL(fast_io); -#ifdef USE_COMP SHOW_INT(comp.alg); SHOW_INT(comp.flags); -#endif SHOW_STR(route_script); SHOW_STR(route_default_gateway); @@ -3320,9 +3318,7 @@ pre_connect_save(struct options *o) o->pre_connect->ping_send_timeout = o->ping_send_timeout; /* Miscellaneous Options */ -#ifdef USE_COMP o->pre_connect->comp = o->comp; -#endif } void @@ -3386,9 +3382,7 @@ pre_connect_restore(struct options *o, struct gc_arena *gc) o->ping_send_timeout = pp->ping_send_timeout; /* Miscellaneous Options */ -#ifdef USE_COMP o->comp = pp->comp; -#endif } o->push_continuation = 0; @@ -3655,6 +3649,8 @@ options_set_backwards_compatible_options(struct options *o) o->comp.flags = COMP_F_ALLOW_STUB_ONLY | COMP_F_ADVERTISE_STUBS_ONLY; } } +#else /* ifdef USE_COMP */ + o->comp.flags = COMP_F_ALLOW_NOCOMP_ONLY; #endif } @@ -5669,7 +5665,6 @@ set_user_script(struct options *options, #endif } -#ifdef USE_COMP static void show_compression_warning(struct compress_options *info) { @@ -5688,7 +5683,6 @@ show_compression_warning(struct compress_options *info) } } } -#endif bool key_is_external(const struct options *options) @@ -8370,7 +8364,6 @@ add_option(struct options *options, options->passtos = true; } #endif -#if defined(USE_COMP) else if (streq(p[0], "allow-compression") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); @@ -8506,7 +8499,6 @@ add_option(struct options *options, show_compression_warning(&options->comp); } -#endif /* USE_COMP */ else if (streq(p[0], "show-ciphers") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); diff --git a/src/openvpn/options.h b/src/openvpn/options.h index 2f25f5d07..f5890b90f 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -87,9 +87,7 @@ struct options_pre_connect int ping_rec_timeout_action; int foreign_option_index; -#ifdef USE_COMP struct compress_options comp; -#endif }; #if !defined(ENABLE_CRYPTO_OPENSSL) && !defined(ENABLE_CRYPTO_MBEDTLS) 
@@ -395,9 +393,7 @@ struct options /* optimize TUN/TAP/UDP writes */ bool fast_io; -#ifdef USE_COMP struct compress_options comp; -#endif /* buffer sizes */ int rcvbuf;
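Review bot: the init.c hunk drops the #ifdef USE_COMP / #endif around the `if (found & OPT_P_COMP)` block in do_deferred_options, which leaves `comp_uninit(c->c2.comp_context);` and `c->c2.comp_context = comp_init(&c->options.comp);` compiled unconditionally, but nothing in this series moves comp_init()/comp_uninit() or the comp_context member out from under USE_COMP (the new `#endif /* USE_COMP */` in comp.c sits right after comp_generate_peer_info_string, so only check_compression_settings_valid becomes unconditional). A build without compression support will fail here; keep the guard around the two comp_*() lines and hoist only the check_compression_settings_valid() call.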
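Review bot: in the comp.h hunks `static inline bool comp_non_stub_enabled()` and the `bool check_compression_settings_valid()` prototype now precede the `#include "buffer.h"` / `"common.h"` block that used to come first, and they are compiled for every includer regardless of USE_COMP. comp.c includes syshead.h before comp.h, but the options.h hunks now embed struct compress_options in struct options and struct options_pre_connect unconditionally, so every translation unit that includes options.h needs `bool` available before comp.h and needs options.h to include comp.h outside any USE_COMP guard (that include is not in the diff). Either confirm both, or add the syshead.h include at the top of comp.h and show the options.h include in the patch.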
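Review bot: the comp.c hunks make check_compression_settings_valid unconditional, so the part of the function below the shown context (the `#ifndef ENABLE_LZ4` checks and whatever follows) is now also built without USE_COMP; confirm it only touches info->alg and msg(). The #else message reads well, but note that the exemption for COMP_ALGV2_UNCOMPRESSED above it still applies in the no-compression build, so a pushed "compress stub-v2" is accepted there too; that matches the reasoning in the comment from 3/4 but deserves a sentence in the commit message.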
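Review bot: the new `#else /* ifdef USE_COMP */` branch in options_set_backwards_compatible_options assigns `o->comp.flags = COMP_F_ALLOW_NOCOMP_ONLY;` unconditionally, while the USE_COMP branch above only touches flags when `o->comp.flags == 0` and the compat mode is 2.6 or newer. Since the add_option hunk in this same patch now parses allow-compression without USE_COMP, flags set by an explicit `allow-compression` line on a no-compression build are silently overwritten here and --compat-mode is ignored. If that is intended (a build without compression cannot honour any allow-compression value), say so in a comment; otherwise use `|=` or mirror the `flags == 0` guard so the user's setting survives and the later rejection message reflects it.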