From patchwork Sun Jun 3 00:11:56 2018
X-Patchwork-Submitter: Steffan Karger
X-Patchwork-Id: 340
From: Steffan Karger
To: openvpn-devel@lists.sourceforge.net
Date: Sun, 3 Jun 2018 12:11:56 +0200
Message-Id: <1528020718-12721-1-git-send-email-steffan@karger.me>
Subject: [Openvpn-devel] [PATCH 1/3] man: add security considerations to --compress section

As Ahamed Nafeez reported to the OpenVPN security team, we did not sufficiently inform our users about the risks of combining encryption and compression. This patch adds a "Security Considerations" paragraph to the --compress section of the manpage to point the risks out to our users.

Signed-off-by: Steffan Karger
Acked-By: Gert Doering
---
 doc/openvpn.8 | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 4114f40..0e5d467 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -2516,6 +2516,16 @@ If the parameter is empty, compression will be turned off, but the packet framing for compression will still be enabled, allowing a different setting to be pushed later. + +.B Security Considerations + +Compression and encryption is a tricky combination. If an attacker knows or is +able to control (parts of) the plaintext of packets that contain secrets, the +attacker might be able to extract the secret if compression is enabled. See +e.g. the CRIME and BREACH attacks on TLS which also leverage compression to +break encryption. If you are not entirely sure that the above does not apply +to your traffic, you are advised to *not* enable compression. + .\"********************************************************* .TP .B \-\-comp\-lzo [mode]
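Review bot: in the added Security Considerations paragraph, "Compression and encryption is a tricky combination" should read "are a tricky combination". Since the same risk applies to the legacy \-\-comp\-lzo option, whose section begins right after this hunk (the trailing context ends with .B \-\-comp\-lzo [mode]), consider a one-line cross-reference to this paragraph there, so users of the older option also see the warning.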
From: Steffan Karger
To: openvpn-devel@lists.sourceforge.net
Date: Sun, 3 Jun 2018 12:11:57 +0200
Message-Id: <1528020718-12721-2-git-send-email-steffan@karger.me>
In-Reply-To: <1528020718-12721-1-git-send-email-steffan@karger.me>
References: <1528020718-12721-1-git-send-email-steffan@karger.me>
Subject: [Openvpn-devel] [PATCH 2/3] Reject unadvertised compression algorithms

A server should not push us compression algorithms we didn't specify. If the server does so anyway, reject the compression algorithm. This will result in a warning being printed, and a non-working connection being set up. This is currently our way to "handle push/pull errors", which should probably be improved. But I didn't want to refactor that in this patch.

Signed-off-by: Steffan Karger
---
 doc/openvpn.8 | 16 +++++++---
 src/openvpn/options.c | 85 ++++++++++++++++++++++++++++++++-------------------
 2 files changed, 65 insertions(+), 36 deletions(-)

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 0e5d467..9e988b3 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -2505,11 +2505,12 @@ Enable a compression algorithm. The .B algorithm -parameter may be "lzo", "lz4", or empty. LZO and LZ4 -are different compression algorithms, with LZ4 generally -offering the best performance with least CPU usage. -For backwards compatibility with OpenVPN versions before v2.4, use "lzo" -(which is identical to the older option "\-\-comp\-lzo yes"). +parameter may be empty, "stub", "stub-v2", "lzo", "lz4", or "lz4-v2". + +LZO and LZ4 are different compression algorithms, with LZ4 generally offering +the best performance with least CPU usage. For backwards compatibility with +OpenVPN versions before v2.4, use "lzo" (which is identical to the older option +"\-\-comp\-lzo yes"). If the .B algorithm
@@ -2517,6 +2518,11 @@ parameter is empty, compression will be turned off, but the packet framing for compression will still be enabled, allowing a different setting to be pushed later. +If the +.B algorithm +parameter is "stub" or "stub-v2", compression framing is enabled, but no +compression will be used (even if pushed by the server). + .B Security Considerations Compression and encryption is a tricky combination. If an attacker knows or is
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 426057a..ad44f8e 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -7354,50 +7354,73 @@ add_option(struct options *options, VERIFY_PERMISSION(OPT_P_COMP); options->comp.flags &= ~COMP_F_ADAPTIVE; } - else if (streq(p[0], "compress") && !p[2]) + else if (streq(p[0], "compress") && !p[3]) { VERIFY_PERMISSION(OPT_P_COMP); - if (p[1]) + + /* Reset all compression flags, except "stubs only" and "no warn" if + * this option was pushed. */ + if (streq(file, "[PUSH-OPTIONS]")) + { + options->comp.flags = options->comp.flags + & (COMP_F_ADVERTISE_STUBS_ONLY|COMP_F_NOWARN); + } + + /* Parse supplied compression options */ + if (!p[1]) { - if (streq(p[1], "stub")) + options->comp.alg = COMP_ALG_STUB; + options->comp.flags |= COMP_F_SWAP; + } + else if (streq(p[1], "stub")) + { + options->comp.alg = COMP_ALG_STUB; + options->comp.flags |= COMP_F_SWAP; + if (!streq(file, "[PUSH-OPTIONS]")) { - options->comp.alg = COMP_ALG_STUB; - options->comp.flags = (COMP_F_SWAP|COMP_F_ADVERTISE_STUBS_ONLY); + options->comp.flags |= COMP_F_ADVERTISE_STUBS_ONLY; } - else if (streq(p[1], "stub-v2")) + } + else if (streq(p[1], "stub-v2")) + { + options->comp.alg = COMP_ALGV2_UNCOMPRESSED; + if (!streq(file, "[PUSH-OPTIONS]")) { - options->comp.alg = COMP_ALGV2_UNCOMPRESSED; - options->comp.flags = COMP_F_ADVERTISE_STUBS_ONLY; + options->comp.flags |= COMP_F_ADVERTISE_STUBS_ONLY; } + } + else if (options->comp.flags & COMP_F_ADVERTISE_STUBS_ONLY) + { + /* Reject pushed compression algorithms if explicitly disabled */ + msg(msglevel, "Enabling compression not allowed!"); + goto err; + } #if defined(ENABLE_LZO) - else if (streq(p[1], "lzo")) - { - options->comp.alg = COMP_ALG_LZO; - options->comp.flags = 0; - } + else if (streq(p[1], "lzo")) + { + options->comp.alg = COMP_ALG_LZO; + } #endif #if defined(ENABLE_LZ4) - else if (streq(p[1], "lz4")) - { - options->comp.alg = COMP_ALG_LZ4; - options->comp.flags = COMP_F_SWAP; - } - else if (streq(p[1], "lz4-v2")) - { - options->comp.alg = COMP_ALGV2_LZ4; - options->comp.flags = 0; - } -#endif - else - { - 
msg(msglevel, "bad comp option: %s", p[1]); - goto err; - } + else if (streq(p[1], "lz4")) + { + options->comp.alg = COMP_ALG_LZ4; + options->comp.flags |= COMP_F_SWAP; } + else if (streq(p[1], "lz4-v2")) + { + options->comp.alg = COMP_ALGV2_LZ4; + } +#endif else { - options->comp.alg = COMP_ALG_STUB; - options->comp.flags = COMP_F_SWAP; + msg(msglevel, "bad comp option: %s", p[1]); + goto err; + } + + if (p[2] && streq(p[2], "nowarn")) + { + options->comp.flags |= COMP_F_NOWARN; } } #endif /* USE_COMP */
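Review bot: the options.c hunk uses COMP_F_NOWARN, both in the pushed-option reset mask `options->comp.flags & (COMP_F_ADVERTISE_STUBS_ONLY|COMP_F_NOWARN)` and in the new `if (p[2] && streq(p[2], "nowarn"))` branch, but that flag is only introduced by the comp.h hunk of PATCH 3/3, so this patch does not build on its own and breaks bisecting. Either move `#define COMP_F_NOWARN (1<<4)` and the "nowarn" parsing into this patch, or leave them out here and add them in 3/3. Separately, the rejection `msg(msglevel, "Enabling compression not allowed!")` does not name the pushed algorithm; including p[1] in the message (e.g. "Pushed compression algorithm '%s' rejected, compression is disabled in config") makes the resulting non-working connection, which the commit message says is the expected outcome, much easier to diagnose from the log.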
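Review bot: the second openvpn.8 hunk says that with "stub" or "stub-v2" "no compression will be used (even if pushed by the server)", but the options.c change turns a pushed algorithm into an error (`msg(msglevel, "Enabling compression not allowed!"); goto err;`), which per the commit message yields a warning and a non-working connection rather than an uncompressed tunnel. The man page text should say that a pushed compression algorithm is rejected and the connection will not come up, so users do not expect the tunnel to silently continue uncompressed.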
From: Steffan Karger
To: openvpn-devel@lists.sourceforge.net
Date: Sun, 3 Jun 2018 12:11:58 +0200
Message-Id: <1528020718-12721-3-git-send-email-steffan@karger.me>
In-Reply-To: <1528020718-12721-1-git-send-email-steffan@karger.me>
References: <1528020718-12721-1-git-send-email-steffan@karger.me>
Subject: [Openvpn-devel] [PATCH 3/3] Print a --verb 1 warning when a connection uses compression

Can be suppressed by adding a "nowarn" flag to the compress options, for those that are really sure that compression is fine for their use case.
Signed-off-by: Steffan Karger
---
This patch is also meant to discuss how far we want to go in warning users about using compression. I think this approach is reasonable, but I'm not sure everyone agrees.

 doc/openvpn.8 | 11 +++++++++--
 src/openvpn/comp.c | 14 ++++++++++++++
 src/openvpn/comp.h | 1 +
 3 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 9e988b3..21a3c42 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -2500,12 +2500,13 @@ consecutive messages in the same category. This is useful to limit repetitive logging of similar message types. .\"********************************************************* .TP -.B \-\-compress [algorithm] +.B \-\-compress [algorithm] ["nowarn"] Enable a compression algorithm. The .B algorithm -parameter may be empty, "stub", "stub-v2", "lzo", "lz4", or "lz4-v2". +parameter may be empty, "any", "stub", "stub-v2", "lzo", "lz4", or "lz4-v2". +If left empty, OpenVPN defaults to "any". LZO and LZ4 are different compression algorithms, with LZ4 generally offering the best performance with least CPU usage. For backwards compatibility with
@@ -2532,6 +2533,12 @@ e.g. the CRIME and BREACH attacks on TLS which also leverage compression to break encryption. If you are not entirely sure that the above does not apply to your traffic, you are advised to *not* enable compression. +If you have carefully considered the above, and are sure that using compression +is safe for your use case, you can add +.B "nowarn" +as the second parameter to suppress warnings about the risk of enabling +compression. + .\"********************************************************* .TP .B \-\-comp\-lzo [mode]
diff --git a/src/openvpn/comp.c b/src/openvpn/comp.c
index a945913..a34e64a 100644
--- a/src/openvpn/comp.c
+++ b/src/openvpn/comp.c
@@ -40,6 +40,20 @@ struct compress_context * comp_init(const struct compress_options *opt) { + switch (opt->alg) + { + case COMP_ALG_UNDEF: + case COMP_ALG_STUB: + case COMP_ALGV2_UNCOMPRESSED: + break; + default: + if (!(opt->flags & COMP_F_NOWARN)) + { + msg(M_INFO, "WARNING: Compression enabled, might be insure. " + "See --compress in the man page."); + } + } + struct compress_context *compctx = NULL; switch (opt->alg) {
diff --git a/src/openvpn/comp.h b/src/openvpn/comp.h
index 0dadd1e..0fa9b10 100644
--- a/src/openvpn/comp.h
+++ b/src/openvpn/comp.h
@@ -56,6 +56,7 @@ #define COMP_F_ASYM (1<<1) /* only downlink is compressed, not uplink */ #define COMP_F_SWAP (1<<2) /* initial command byte is swapped with last byte in buffer to preserve payload alignment */ #define COMP_F_ADVERTISE_STUBS_ONLY (1<<3) /* tell server that we only support compression stubs */ +#define COMP_F_NOWARN (1<<4) /* Suppress warning about insure compression */ /*
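Review bot: the comp.c warning text "Compression enabled, might be insure." misspells "insecure", and the same typo is in the comp.h comment "Suppress warning about insure compression"; a user-facing log line about a security risk should not carry a spelling error that makes it look unofficial. In the same comp_init() hunk, a short comment on the three `case` labels (COMP_ALG_UNDEF, COMP_ALG_STUB, COMP_ALGV2_UNCOMPRESSED) saying that these are exactly the modes in which no payload is compressed would document why they are exempt from the warning.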
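Review bot: "any" is added to the documented algorithm list in the first openvpn.8 hunk ("parameter may be empty, "any", "stub", ..." and "If left empty, OpenVPN defaults to "any""), but nothing in this series parses it: the options.c hunk in PATCH 2/3 maps an empty parameter to COMP_ALG_STUB and any unrecognised string ends in `msg(msglevel, "bad comp option: %s", p[1]); goto err;`, so `--compress any` would be rejected. Either add the "any" handling to options.c in this series or drop it from the man page so the documentation matches the code.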