From patchwork Sun Sep 22 14:15:38 2024
X-Patchwork-Submitter: "ralf_lici (Code Review)"
X-Patchwork-Id: 3852
From: "flichtenheld (Code Review)"
Date: Sun, 22 Sep 2024 14:15:38 +0000
To: plaisthos
X-Gerrit-MessageType: newchange
X-Gerrit-PatchSet: 1
X-Gerrit-Change-Id: I00209b880cfcedd93e28f97fc3941d8b85e095f3
X-Gerrit-Change-Number: 756
X-Gerrit-Project: openvpn
X-Gerrit-Commit: 2a0666a53bc7c8690b3d24a260d9111d7a6965c7
User-Agent: Gerrit/3.8.2
Subject: [Openvpn-devel] [M]
Change in openvpn[master]: Automatically enable --compress migrate on the server
Reply-To: frank@lichtenheld.com, arne-openvpn@rfc2549.org, openvpn-devel@lists.sourceforge.net
Cc: openvpn-devel

Attention is currently required from: plaisthos.

Hello plaisthos,

I'd like you to do a code review. Please visit

    http://gerrit.openvpn.net/c/openvpn/+/756?usp=email

to review the following change.

Change subject: Automatically enable --compress migrate on the server
......................................................................

Automatically enable --compress migrate on the server

If we enable LZO compression, automatically switch to migrate mode.

Change-Id: I00209b880cfcedd93e28f97fc3941d8b85e095f3
Signed-off-by: Frank Lichtenheld
---
M doc/man-sections/protocol-options.rst
M src/openvpn/comp.h
M src/openvpn/options.c
3 files changed, 56 insertions(+), 62 deletions(-)

git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/56/756/1

diff --git a/doc/man-sections/protocol-options.rst b/doc/man-sections/protocol-options.rst
index 8b061d2..b2a23fa 100644
--- a/doc/man-sections/protocol-options.rst
+++ b/doc/man-sections/protocol-options.rst
@@ -30,7 +30,9 @@ framing (stub). :code:`yes` - OpenVPN will send and receive compressed packets. + **DEPRECATED** This option is an alias for :code:`asym`. Previously + it did enable compression for uplink packets, but OpenVPN never + compresses uplink packets now. --auth alg Authenticate data channel packets and (if enabled) ``tls-auth`` control 
@@ -125,6 +127,12 @@ configuration if supported by the client and otherwise switch to ``comp-lzo no`` and add ``--push comp-lzo`` to the client specific configuration. + If used in a server configuration :code:`lzo` is an alias for :code:`migrate` in + current versions of OpenVPN. Compression will only be enabled if there is no + other choice. Note that these versions of OpenVPN also never actually compress + any packets. But they still will decompress packets received from the other side + of the connection if required. + ***Security Considerations*** Compression and encryption is a tricky combination. If an attacker knows 
@@ -135,48 +143,31 @@ entirely sure that the above does not apply to your traffic, you are advised to *not* enable compression. + For this reason compression support was removed from current versions + of OpenVPN. It will still decompress compressed packets removed via + a VPN connection but it will never compress any outgoing packets. + --comp-lzo mode **DEPRECATED** Enable LZO compression algorithm. Compression is generally not recommended. VPN tunnels which uses compression are suspectible to the VORALCE attack vector. - Use LZO compression -- may add up to 1 byte per packet for incompressible - data. ``mode`` may be :code:`yes`, :code:`no`, or :code:`adaptive` - (default). + Allows the other side of the connection to use LZO compression. Due + to difference in packet format this may adds 1 additional byte per packet. + With current versions of OpenVPN no actual compression will happen. - In a server mode setup, it is possible to selectively turn compression - on or off for individual clients. + ``mode`` may be :code:`yes`, :code:`no`, or :code:`adaptive` + but there is no actual change in behavior anymore. - First, make sure the client-side config file enables selective - compression by having at least one ``--comp-lzo`` directive, such as - ``--comp-lzo no``. This will turn off compression by default, but allow - a future directive push from the server to dynamically change the - :code:`on`/:code:`off`/:code:`adaptive` setting. - - Next in a ``--client-config-dir`` file, specify the compression setting - for the client, for example: - :: - - comp-lzo yes - push "comp-lzo yes" - - The first line sets the ``comp-lzo`` setting for the server side of the - link, the second sets the client side. + In server mode we convert this setting to ``--compress migrate`` to + automatically disable it when the client doesn't need it. 
If you want + to remove this setting from your server config you might need to add + an explicit ``--compress migrate`` instead if some clients still have + any variant of ``--comp-lzo`` in their config. --comp-noadapt - **DEPRECATED** When used in conjunction with ``--comp-lzo``, this option - will disable OpenVPN's adaptive compression algorithm. Normally, adaptive - compression is enabled with ``--comp-lzo``. - - Adaptive compression tries to optimize the case where you have - compression enabled, but you are sending predominantly incompressible - (or pre-compressed) packets over the tunnel, such as an FTP or rsync - transfer of a large, compressed file. With adaptive compression, OpenVPN - will periodically sample the compression process to measure its - efficiency. If the data being sent over the tunnel is already - compressed, the compression efficiency will be very low, triggering - openvpn to disable compression for a period of time until the next - re-sample test. + **DEPRECATED** This option does not have any effect anymore since current + versions of OpenVPN never compress outgoing packets. --key-direction Alternative way of specifying the optional direction parameter for the diff --git a/src/openvpn/comp.h b/src/openvpn/comp.h index decf0d9..1bc4648 100644 --- a/src/openvpn/comp.h +++ b/src/openvpn/comp.h @@ -32,8 +32,8 @@ * outside of the USE_COMP define */ /* Compression flags */ -#define COMP_F_ADAPTIVE (1<<0) /* COMP_ALG_LZO only */ /*Removed */ +/*#define COMP_F_ADAPTIVE (1<<0) / * COMP_ALG_LZO only */ /*#define COMP_F_ALLOW_COMPRESS (1<<1) / * not only downlink is compressed but also uplink * / */ #define COMP_F_SWAP (1<<2) /* initial command byte is swapped with last byte in buffer to preserve payload alignment */ #define COMP_F_ADVERTISE_STUBS_ONLY (1<<3) /* tell server that we only support compression stubs */ 
@@ -49,6 +49,7 @@ #define COMP_ALG_LZO 2 /* LZO algorithm */ #define COMP_ALG_SNAPPY 3 /* Snappy algorithm (no longer supported) */ #define COMP_ALG_LZ4 4 /* LZ4 algorithm */ +#define COMP_ALG_LZO_NO 5 /* --comp-lzo no which is similar to COMP_ALG_STUB, but no SWAP */ /* algorithm v2 */ diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 4745ddf..f8688d4 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -3448,6 +3448,24 @@ } #endif /* ifdef _WIN32 */ + if (options->mode == MODE_SERVER) + { + /* + * Enable comp migrate automatically on server + */ + if (options->comp.alg == COMP_ALG_LZO || options->comp.alg == COMP_ALG_LZO_NO) + { + msg(M_INFO, "DEPRECATED OPTION: LZO compression enabled on the server side. " + "We will enable --compress migrate instead."); + options->comp.alg = COMP_ALG_UNDEF; + options->comp.flags = COMP_F_MIGRATE; + } + } + else if (options->comp.alg == COMP_ALG_LZO_NO) + { + options->comp.alg = COMP_ALG_STUB; + } + #ifdef DEFAULT_PKCS11_MODULE /* If p11-kit is present on the system then load its p11-kit-proxy.so * by default if the user asks for PKCS#11 without otherwise specifying 
@@ -8450,45 +8468,29 @@ /* All lzo variants do not use swap */ options->comp.flags &= ~COMP_F_SWAP; + options->comp.alg = COMP_ALG_LZO; - if (p[1] && streq(p[1], "no")) + if (p[1]) { - options->comp.alg = COMP_ALG_STUB; - options->comp.flags &= ~COMP_F_ADAPTIVE; - } - else if (p[1]) - { - if (streq(p[1], "yes")) + if (streq(p[1], "no")) { - options->comp.alg = COMP_ALG_LZO; - options->comp.flags &= ~COMP_F_ADAPTIVE; + options->comp.alg = COMP_ALG_LZO_NO; } - else if (streq(p[1], "adaptive")) - { - options->comp.alg = COMP_ALG_LZO; - options->comp.flags |= COMP_F_ADAPTIVE; - } - else + /* There is no actual difference anymore between these variants. + * We never compress. On the server side we replace this with + * --compress migrate later anyway. + */ + else if (!(streq(p[1], "yes") || streq(p[1], "adaptive"))) { msg(msglevel, "bad comp-lzo option: %s -- must be 'yes', 'no', or 'adaptive'", p[1]); goto err; } } - else - { - options->comp.alg = COMP_ALG_LZO; - options->comp.flags |= COMP_F_ADAPTIVE; - } show_compression_warning(&options->comp); } else if (streq(p[0], "comp-noadapt") && !p[1]) { - /* - * We do not need to check here if we allow compression since - * it only modifies a flag if compression is enabled - */ - VERIFY_PERMISSION(OPT_P_COMP); - options->comp.flags &= ~COMP_F_ADAPTIVE; + /* NO-OP since we never compress anymore */ } else if (streq(p[0], "compress") && !p[2]) { @@ -8517,7 +8519,7 @@ else if (streq(alg, "lzo")) { options->comp.alg = COMP_ALG_LZO; - options->comp.flags &= ~(COMP_F_ADAPTIVE | COMP_F_SWAP); + options->comp.flags &= ~COMP_F_SWAP; } else if (streq(alg, "lz4")) {
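Review bot: wording in the @@ -30,7 +30,9 @@ hunk of protocol-options.rst: "Previously it did enable compression for uplink packets, but OpenVPN never compresses uplink packets now" reads awkwardly; suggest "Previously it enabled compression for uplink packets, but current versions of OpenVPN never compress uplink packets." Since this entry is the one an administrator consults when deciding whether to keep the option, it is also worth stating here, as the later hunk does for --compress, that received compressed packets are still decompressed.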
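Review bot: the paragraph added in the @@ -125,6 +127,12 @@ hunk first says "Compression will only be enabled if there is no other choice" and two sentences later that "these versions of OpenVPN also never actually compress any packets", which reads as a contradiction. Suggest spelling out what "enabled" means: the compression framing is negotiated and packets received from the peer are decompressed, but outgoing packets are never compressed. The "lzo is an alias for migrate" statement should also be tied to the condition the options.c @@ -3448,6 hunk actually implements (only when options->mode == MODE_SERVER); if a `comp-lzo` line in a --client-config-dir file, which the removed text used to recommend, does not go through that conversion, the doc should say so.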
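Review bot: typo in the first added paragraph of the @@ -135,48 +143,31 @@ hunk: "decompress compressed packets removed via a VPN connection" should be "received via a VPN connection". Further down, "Due to difference in packet format this may adds 1 additional byte per packet" should be "Due to differences in packet format this may add 1 additional byte per packet". While this section is being rewritten, the unchanged context line "suspectible to the VORALCE attack vector" should be fixed as well ("susceptible", and the attack is VORACLE), since that sentence is the security rationale the new text relies on.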
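Review bot: in the comp.h @@ -32,8 +32,8 @@ hunk the commented-out `/*#define COMP_F_ADAPTIVE (1<<0) / * COMP_ALG_LZO only */` copies the odd `/ *` spacing of the COMP_F_ALLOW_COMPRESS line. If bits 0 and 1 are meant to stay reserved so they are not reused for a new flag, say so in the `/*Removed */` comment; otherwise dropping both dead definitions outright is cleaner than keeping commented-out code.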
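Review bot: COMP_ALG_LZO_NO, added in the comp.h @@ -49,6 +49,7 @@ hunk, is a new value of comp.alg, so every place that switches on or compares comp.alg (compression init, options-string generation, pushed-option handling) must either handle it or be guaranteed to run after the normalization block added at options.c:3448. Please confirm that block also covers a `comp-lzo no` that arrives by PUSH_REPLY on the client: it is parsed by the same add_option code changed in the @@ -8450,45 hunk but may not pass through the post-processing block again, in which case COMP_ALG_LZO_NO would reach the compression code unmapped. The comment "similar to COMP_ALG_STUB, but no SWAP" would be clearer if it said where the value is mapped away (to COMP_ALG_STUB on the client, to migrate on the server).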
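Review bot: in the options.c @@ -3448,6 +3448,24 @@ hunk, `options->comp.flags = COMP_F_MIGRATE;` overwrites every flag that --allow-compression or other options set rather than adding the migrate bit; if that is intentional because it mirrors what parsing `--compress migrate` does, say so in the comment, otherwise `|=` preserves the user's allow-compression policy. The M_INFO text "LZO compression enabled on the server side" is misleading for `--comp-lzo no` (COMP_ALG_LZO_NO), which never enabled compression; suggest naming the option instead, e.g. "DEPRECATED OPTION: --comp-lzo in a server config, using --compress migrate instead", and consider M_WARN since the change alters what the server negotiates.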
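Review bot: in the @@ -8450,45 +8468,29 @@ hunk the block comment "There is no actual difference anymore between these variants..." sits between the closing brace of the `no` branch and the `else if`, which is hard to read; move it above `if (p[1])` or inside the `else if` body. The `comp-noadapt` branch now drops its VERIFY_PERMISSION(OPT_P_COMP) and emits nothing at all: since `comp-lzo` still calls show_compression_warning(), `comp-noadapt` should at least log a deprecation message so users learn it is a no-op instead of having it silently accepted, including when it is pushed.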