From patchwork Fri Mar 24 10:06:40 2023
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 3165
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 24 Mar 2023 11:06:40 +0100
Message-Id: <20230324100640.1340535-1-arne@rfc2549.org>
X-Mailer: git-send-email 2.25.1
Subject: [Openvpn-devel] [PATCH v4] Add 'allow-compression stub-only' internally for DCO

This changes the "no" setting of allow-compression to also refuse framing.
This is important for our DCO implementation as these do not implement
framing.
This behaviour surfaced when a commercial VPN provider was pushing
"comp-lzo no" to a client with DCO. While we are technically at fault
here for announcing comp-lzo no support by announcing IV_LZO_STUB=1, the
VPN provider continues to push "comp-lzo no" even in absence of that flag.

As the new default we default to allow-compression stub-only if a stub
option is found in the config and to allow-compression no otherwise.
This ensures that we only enable DCO when no compression framing is used.

This will now also bail out if the server pushes a compression setting
that we do not support as mismatching compression is almost never a
working connection. In my lz4-v2 and lzo-v2 you might have a connection
that works mostly but some packets will be dropped since they are
compressed, which is not desirable either since it becomes very hard to
debug.

Patch v2: bail out if server pushes an unsupported method. Also include
this bail out logic when OpenVPN is compiled without compression support.

Patch v3: always parse all compression options and move logic to check method

Patch v4: fix for not setting correct default for non-dco

Change-Id: Ibd0c77af24e2214b3055d585dc23a4b06dccd414
Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---
 doc/man-sections/protocol-options.rst |  4 ++-
 src/openvpn/comp.c                    | 47 ++++++++++++++++++---------
 src/openvpn/comp.h                    |  2 +-
 src/openvpn/options.c                 | 14 ++++++--
 4 files changed, 46 insertions(+), 21 deletions(-)

diff --git a/doc/man-sections/protocol-options.rst b/doc/man-sections/protocol-options.rst
index 248f65cfd..055d08f95 100644
--- a/doc/man-sections/protocol-options.rst
+++ b/doc/man-sections/protocol-options.rst
@@ -25,7 +25,9 @@ configured in a compatible way between both the local and remote side. compression at the same time is not a feasible option. :code:`no` (default) - OpenVPN will refuse any non-stub compression. + OpenVPN will refuse any compression. If data-channel offloading + is enabled. OpenVPN will additionally also refuse compression + framing (stub). :code:`yes` OpenVPN will send and receive compressed packets. diff --git a/src/openvpn/comp.c b/src/openvpn/comp.c index d6d8029da..c7a562f5a 100644 --- a/src/openvpn/comp.c +++ b/src/openvpn/comp.c 
@@ -134,36 +134,51 @@ comp_print_stats(const struct compress_context *compctx, struct status_output *s void comp_generate_peer_info_string(const struct compress_options *opt, struct buffer *out) { - if (opt) + if (!opt || opt->flags & COMP_F_ALLOW_NOCOMP_ONLY) + { + return; + } + + bool lzo_avail = false; + if (!(opt->flags & COMP_F_ADVERTISE_STUBS_ONLY)) { - bool lzo_avail = false; - if (!(opt->flags & COMP_F_ADVERTISE_STUBS_ONLY)) - { #if defined(ENABLE_LZ4) - buf_printf(out, "IV_LZ4=1\n"); - buf_printf(out, "IV_LZ4v2=1\n"); + buf_printf(out, "IV_LZ4=1\n"); + buf_printf(out, "IV_LZ4v2=1\n"); #endif #if defined(ENABLE_LZO) - buf_printf(out, "IV_LZO=1\n"); - lzo_avail = true; + buf_printf(out, "IV_LZO=1\n"); + lzo_avail = true; #endif - } - if (!lzo_avail) - { - buf_printf(out, "IV_LZO_STUB=1\n"); - } - buf_printf(out, "IV_COMP_STUB=1\n"); - buf_printf(out, "IV_COMP_STUBv2=1\n"); } + if (!lzo_avail) + { + buf_printf(out, "IV_LZO_STUB=1\n"); + } + buf_printf(out, "IV_COMP_STUB=1\n"); + buf_printf(out, "IV_COMP_STUBv2=1\n"); } bool check_compression_settings_valid(struct compress_options *info, int msglevel) { + /* + * We also allow comp-stub-v2 here as it technically allows escaping of + * weird mac address and IPv5 protocol but practically always is used + * as an way to disable all framing. + */ + if (info->alg != COMP_ALGV2_UNCOMPRESSED && info->alg != COMP_ALG_UNDEF + && (info->flags & COMP_F_ALLOW_NOCOMP_ONLY)) + { + msg(msglevel, "Compression or compression stub framing is not allowed " + "since data-channel offloading is enabled."); + return false; + } + if ((info->flags & COMP_F_ALLOW_STUB_ONLY) && comp_non_stub_enabled(info)) { msg(msglevel, "Compression is not allowed since allow-compression is " - "set to 'no'"); + "set to 'stub-only'"); return false; } #ifndef ENABLE_LZ4 diff --git a/src/openvpn/comp.h b/src/openvpn/comp.h index 8636727ab..71b350d09 100644 --- a/src/openvpn/comp.h +++ b/src/openvpn/comp.h 
@@ -60,7 +60,7 @@ * we still accept other compressions to be pushed */ #define COMP_F_MIGRATE (1<<5) /* push stub-v2 or comp-lzo no when we see a client with comp-lzo in occ */ #define COMP_F_ALLOW_ASYM (1<<6) /* Compression was explicitly set to allow asymetric compression */ - +#define COMP_F_ALLOW_NOCOMP_ONLY (1<<7) /* Do not allow compression framing (breaks DCO) */ /* * Length of prepended prefix on compressed packets diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 435e1ca9e..0ccff7213 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -3644,10 +3644,12 @@ options_set_backwards_compatible_options(struct options *o) * * Disable compression by default starting with 2.6.0 if no other * compression related option has been explicitly set */ - if (!comp_non_stub_enabled(&o->comp) && !need_compatibility_before(o, 20600) - && (o->comp.flags == 0)) + if (!need_compatibility_before(o, 20600) && (o->comp.flags == 0)) { - o->comp.flags = COMP_F_ALLOW_STUB_ONLY|COMP_F_ADVERTISE_STUBS_ONLY; + if (!comp_non_stub_enabled(&o->comp)) + { + o->comp.flags = COMP_F_ALLOW_STUB_ONLY | COMP_F_ADVERTISE_STUBS_ONLY; + } } #endif } @@ -3749,6 +3751,12 @@ options_postprocess_mutate(struct options *o, struct env_set *es) o->tuntap_options.disable_dco = !dco_check_option(D_DCO, o) || !dco_check_startup_option(D_DCO, o); } +#ifdef USE_COMP + if (dco_enabled(o)) + { + o->comp.flags |= COMP_F_ALLOW_NOCOMP_ONLY; + } +#endif #ifdef _WIN32 if (dco_enabled(o))
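Review bot: In the protocol-options.rst hunk the new `:code:`no`` text is split into two sentences by a stray full stop ("If data-channel offloading is enabled. OpenVPN will additionally also refuse ..."), and "additionally also" is redundant. Suggest: "OpenVPN will refuse any compression. If data-channel offloading is enabled, OpenVPN will additionally refuse compression framing (stub)."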
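Review bot: In the comp.c hunk, `if (!opt || opt->flags & COMP_F_ALLOW_NOCOMP_ONLY)` is correct because `&` binds tighter than `||`, but please parenthesise the bit test (`!opt || (opt->flags & COMP_F_ALLOW_NOCOMP_ONLY)`) so the intent is obvious. The early return also means a DCO client advertises no IV_COMP_STUBv2 even though `check_compression_settings_valid` deliberately accepts COMP_ALGV2_UNCOMPRESSED under COMP_F_ALLOW_NOCOMP_ONLY; a one-line comment at the return explaining that stub-v2 is tolerated when pushed but never advertised would save the next reader from treating this as an inconsistency. Minor: "as an way" in the new comment should read "as a way".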
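Review bot: The comp.h hunk replaces the blank line that separated the COMP_F_* flag block from the following `/* Length of prepended prefix ... */` comment with the new `#define COMP_F_ALLOW_NOCOMP_ONLY (1<<7)`, so the flag block now runs straight into that comment. Keep the new define and re-add the blank line after it.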
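Review bot: The options_set_backwards_compatible_options hunk in options.c does not match the commit message. The message says the default becomes stub-only "if a stub option is found in the config and ... allow-compression no otherwise", but the new nested condition still sets `COMP_F_ALLOW_STUB_ONLY | COMP_F_ADVERTISE_STUBS_ONLY` whenever `o->comp.flags == 0` and no non-stub compression is configured, including when no compression option is present at all; the restructured `if` is behaviourally identical to the single condition it replaces. Either the condition needs to distinguish "stub option present" from "nothing configured", or the commit message should describe what the hunk actually does (the DCO-specific tightening happens only in the later hunk).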
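Review bot: In the options_postprocess_mutate hunk the new `o->comp.flags |= COMP_F_ALLOW_NOCOMP_ONLY` is wrapped in `#ifdef USE_COMP`, yet the commit message (Patch v2) says the bail-out for pushed, unsupported compression must also work when OpenVPN is built without compression support. Nothing in this patch shows how the non-USE_COMP build rejects a pushed comp-lzo/compress option under DCO; please either point at the existing code path that covers it or move the flag outside the ifdef. Also note the flag is set after `disable_dco` has already been computed from `dco_check_option(D_DCO, o)`, so it only affects later checks on pushed options, not the initial DCO eligibility decision; a short comment stating that ordering is intentional would help.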