Re: [Openvpn-devel] [PATCH v4] Make compression asymmetric by default and add warnings
Hi, > Is that an "ACKed if Gert changes the text of the message as suggested" > (which is a typo, so okay-ish), Yes, ACKed if the committer (Gert) will change the message. ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v4] Make compression asymmetric by default and add warnings
Hi, On Fri, Jun 26, 2020 at 12:51:34PM +0300, Lev Stipakov wrote: > Semi-acked-by: Lev-Stipakov Is that an "ACKed if Gert changes the text of the message as suggested" (which is a typo, so okay-ish), or "Arne should send a new version"? gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de signature.asc Description: PGP signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v4] Make compression asymmetric by default and add warnings
Hi, Apologize for delay. I tested with various combinations of flags and code works as expected. Let's reword messages as you proposed: > We reword the message a bit so that two messages are not that bad if both > are shown: > > WARNING: Compression for receiving enabled, Compression > has been used in the past to break encryption. Sent packet are not compress > unless "allow-compression yes" is also set. A small typo: .. Sent packets are not compressed ... > > > WARNING: Compression for sending and receiving enabled, Compression has > been used in the past to break encryption. Allowing compression allows > attacks that break encryption. Using '--allow-compression yes' is > strongly discouraged for common usage. See --compress in the manual > page for more information Semi-acked-by: Lev-Stipakov -- -Lev ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v4] Make compression asymmetric by default and add warnings
> Cannot we set some bit flags in options processing, like > > COMP_WARN_GENERIC 1 << 0 // Compression enabled, Compression has been > used in the past to break encryption. > COMP_WARN_ASYNC 1 << 1 // Enabling decompression of received packet > only. Sent packets are not compressed. > COMP_WARN_ALLOWED_YES 1 << 2 // Using '--allow-compression yes' is > strongly discouraged for common usage. See --compress in the manual > page for more information > > and handle them in options postprocessing - excluding > COMP_ENABLED_WARN_ASYNC if COMP_ENABLED_WARN_YES is set and printing > the message? > Same explaination as last time when Steffan reviewed this patch. The warning should also show up in pushed options. And I don't want to complicate the logic for to avoid an extra warning for a corner case. We reword the message a bit so that two messages are not that bad if both are shown: WARNING: Compression for receiving enabled, Compression has been used in the past to break encryption. Sent packet are not compress unless "allow-compression yes" is also set. WARNING: Compression for sending and receiving enabled, Compression has been used in the past to break encryption. Allowing compression allows attacks that break encryption. Using '--allow-compression yes' is strongly discouraged for common usage. See --compress in the manual page for more information ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v4] Make compression asymmetric by default and add warnings
Hi,
> Warning for comp-lzo/compress are not generated in the post option check
> (options_postprocess_mutate) since these warnings should also be shown
> on pushed options. Moving the showing the warning showing for
Typo in the last sentence.
If I want to use compression and specify algorithm, I got confusing warnings:
➜ openvpn git:(master) ✗ sudo src/openvpn/openvpn --config ~/lev.ovpn
--compress lz4-v2 --allow-compression yes
Thu May 14 16:16:26 2020 WARNING: Compression enabled, Compression
has been used in the past to break encryption. Enabling decompression
of received packet only. Sent packets are not compressed.
Thu May 14 16:16:26 2020 WARNING: Compression enabled, Compression has
beenused in the past to break encryption. Allowing compression allows
attacks that break encryption. Using '--allow-compression yes' is
strongly discouraged for common usage. See --compress in the manual
page for more information
Thu May 14 16:16:26 2020 OpenVPN 2.5_git
[git:master/6001784afd89c4e9+] x86_64-apple-darwin19.4.0 [SSL
(OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on May 14 2020
1) The first warning is wrong, since I explicitly allowed compression.
Also it has unneeded whitespace in the beginning.
2) The second warning is missing whitespace ("beenused").
> The logic of warnings etc in options.c has not been changed
> since adding all the code to mutate_options would a lot more
> and more complicated code and after discussion we decided that
> it is okay as is.
Cannot we set some bit flags in options processing, like
COMP_WARN_GENERIC 1 << 0 // Compression enabled, Compression has been
used in the past to break encryption.
COMP_WARN_ASYNC 1 << 1 // Enabling decompression of received packet
only. Sent packets are not compressed.
COMP_WARN_ALLOWED_YES 1 << 2 // Using '--allow-compression yes' is
strongly discouraged for common usage. See --compress in the manual
page for more information
and handle them in options postprocessing - excluding
COMP_ENABLED_WARN_ASYNC if COMP_ENABLED_WARN_YES is set and printing
the message?
--
-Lev
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v4] Make compression asymmetric by default and add warnings
This commit introduces the allow-compression option that allow
changing the new default to the previous default or to a stricter
version.
Warning for comp-lzo/compress are not generated in the post option check
(options_postprocess_mutate) since these warnings should also be shown
on pushed options. Moving the showing the warning showing for
allow-compression to options_postprocess_mutate will complicate the
option handling without giving any other benefit.
Patch V2: fix spelling and grammer (thanks tincantech), also fix
uncompressiable to incompressible in three other instances in the
source code
Patch V3: fix overlong lines. Do not allow compression to be pushed
Patch V4: rename COMP_F_NO_ASYM to COMP_F_ALLOW_COMPRESS, fix style.
The logic of warnings etc in options.c has not been changed
since adding all the code to mutate_options would a lot more
and more complicated code and after discussion we decided that
it is okay as is.
Signed-off-by: Arne Schwabe
---
doc/openvpn.8 | 44 +
src/openvpn/comp-lz4.c | 3 +-
src/openvpn/comp.c | 2 +-
src/openvpn/comp.h | 16 +--
src/openvpn/lzo.c | 2 +-
src/openvpn/mtu.h | 2 +-
src/openvpn/options.c | 105 -
7 files changed, 147 insertions(+), 27 deletions(-)
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index c0ec80f9..80b0f192 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -2545,26 +2545,54 @@ Enable a compression algorithm.
The
.B algorithm
-parameter may be "lzo", "lz4", or empty. LZO and LZ4
-are different compression algorithms, with LZ4 generally
+parameter may be "lzo", "lz4", "lz4\-v2", "stub", "stub\-v2" or empty.
+LZO and LZ4 are different compression algorithms, with LZ4 generally
offering the best performance with least CPU usage.
For backwards compatibility with OpenVPN versions before v2.4, use "lzo"
(which is identical to the older option "\-\-comp\-lzo yes").
+The "lz4\-v2" and "stub\-v2" variants implement a better framing that does not
add
+overhead when packets cannot be compressed. All other variants always add one
extra
+framing byte compared to no compression framing.
+
If the
.B algorithm
-parameter is empty, compression will be turned off, but the packet
-framing for compression will still be enabled, allowing a different
-setting to be pushed later.
+parameter is "stub", "stub\-v2", or empty, compression will be turned off, but
+the packet framing for compression will still be enabled, allowing a different
+setting to be pushed later. Additionally, "stub" and "stub\-v2" will disable
+announcing lzo and lz4 compression support via "IV_" variables to the server.
+
.B Security Considerations
Compression and encryption is a tricky combination. If an attacker knows or is
able to control (parts of) the plaintext of packets that contain secrets, the
attacker might be able to extract the secret if compression is enabled. See
-e.g. the CRIME and BREACH attacks on TLS which also leverage compression to
-break encryption. If you are not entirely sure that the above does not apply
-to your traffic, you are advised to *not* enable compression.
+e.g. the CRIME and BREACH attacks on TLS and VORACLE on VPNs which also
leverage
+compression to break encryption. If you are not entirely sure that the above
does
+not apply to your traffic, you are advised to *not* enable compression.
+
+.\"*
+.TP
+.B \-\-allow\-compression [mode]
+As described in
+\.B \-\-compress
+option, compression is potentially dangerous option. This option allows
+controlling the behaviour of OpenVPN when compression is used and allowed.
+.B mode
+may be "yes", "no", or "asym" (default).
+
+With allow\-compression set to "no", OpenVPN will refuse any non stub
+compression. With "yes" OpenVPN will send and receive compressed packets.
+With "asym", the default, OpenVPN will only decompress (downlink) packets but
+not compress (uplink) packets. This also allows migrating to disable
compression
+when changing both server and client configurations to remove compression at
the
+same time is not a feasible option.
+
+The default of asym has been chosen to maximise compatibility with existing
+configuration while at the same time phasing out compression in existing
+deployment by disabling compression on the uplink, effectively completely
disabling
+compression if both client and server are upgraded.
.\"*
.TP
diff --git a/src/openvpn/comp-lz4.c b/src/openvpn/comp-lz4.c
index f52fdbfb..30e6da95 100644
--- a/src/openvpn/comp-lz4.c
+++ b/src/openvpn/comp-lz4.c
@@ -70,8 +70,9 @@ do_lz4_compress(struct buffer *buf,
{
/*
* In order to attempt compression, length must be at least
COMPRESS_THRESHOLD.
+ * and asymmetric compression must be disabled
*/
-if (buf->len >=
