mirror/openvpn
0
0
Fork 0
mirror of https://github.com/OpenVPN/openvpn.git synced 2024-09-19 19:42:30 +02:00
Code

Refuse connection if server pushes an option contradicting allow-compress

Browse Source 
This removes also the checks in options.c itself as they we now bail out
later and no longer need to ignore them during parsing.

Change-Id: I872c06f402c35112194ba77c3d6aee78e22547cb
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230323170601.1256132-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26503.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This commit is contained in:
Arne Schwabe 2023-03-23 18:05:59 +01:00 committed by Gert Doering
parent bfc00a01c1
commit e86bc8b296
6 changed files with 61 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Changes.rst
View File

@ -232,6 +232,10 @@ User-visible Changes
- The ``client-pending-auth`` management command now requires also the
key id. The management version has been changed to 5 to indicate this change.
- (OpenVPN 2.6.2) A client will now refuse a connection if pushed compression
settings will contradict the setting of allow-compression as this almost
always results in a non-working connection.
Common errors with OpenSSL 3.0 and OpenVPN 2.6
----------------------------------------------
Both OpenVPN 2.6 and OpenSSL 3.0 tighten the security considerable, so some

29
src/openvpn/comp.c
View File

@ -157,4 +157,33 @@ comp_generate_peer_info_string(const struct compress_options *opt, struct buffer
}
}
bool
check_compression_settings_valid(struct compress_options *info, int msglevel)
{
if ((info->flags & COMP_F_ALLOW_STUB_ONLY) && comp_non_stub_enabled(info))
{
msg(msglevel, "Compression is not allowed since allow-compression is "
"set to 'no'");
return false;
}
#ifndef ENABLE_LZ4
if (info->alg == COMP_ALGV2_LZ4 || info->alg == COMP_ALG_LZ4)
{
msg(msglevel, "OpenVPN is compiled without LZ4 support. Requested "
"compression cannot be enabled.");
return false;
}
#endif
#ifndef ENABLE_LZO
if (info->alg == COMP_ALG_LZO || info->alg == COMP_ALG_LZ4)
{
msg(msglevel, "OpenVPN is compiled without LZO support. Requested "
"compression cannot be enabled.");
return false;
}
#endif
return true;
}
#endif /* USE_COMP */

8
src/openvpn/comp.h
View File

@ -196,5 +196,13 @@ comp_non_stub_enabled(const struct compress_options *info)
&& info->alg != COMP_ALG_UNDEF;
}
/**
* Checks if the compression settings are valid. Takes into account the
* flags of allow-compression and also the whether algorithms are compiled
* in
*/
bool
check_compression_settings_valid(struct compress_options *info, int msglevel);
#endif /* USE_COMP */
#endif /* ifndef OPENVPN_COMP_H */

8
src/openvpn/init.c
View File

@ -2637,6 +2637,14 @@ do_deferred_options(struct context *c, const unsigned int found)
#ifdef USE_COMP
if (found & OPT_P_COMP)
{
if (!check_compression_settings_valid(&c->options.comp, D_PUSH_ERRORS))
{
msg(D_PUSH_ERRORS, "OPTIONS ERROR: server pushed compression "
"settings that are not allowed and will result "
"in a non-working connection. "
"See also allow-compression in the manual.");
return false;
}
msg(D_PUSH_DEBUG, "OPTIONS IMPORT: compression parms modified");
comp_uninit(c->c2.comp_context);
c->c2.comp_context = comp_init(&c->options.comp);

8
src/openvpn/multi.c
View File

@ -2766,6 +2766,14 @@ multi_connection_established(struct multi_context *m, struct multi_instance *mi)
cc_succeeded = false;
}
#ifdef USE_COMP
if (!check_compression_settings_valid(&mi->context.options.comp, D_MULTI_ERRORS))
{
msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to invalid compression options");
cc_succeeded = false;
}
#endif
if (cc_succeeded)
{
multi_client_connect_late_setup(m, mi, *option_types_found);

27
src/openvpn/options.c
View File

@ -3779,6 +3779,9 @@ options_postprocess_mutate(struct options *o, struct env_set *es)
/* this depends on o->windows_driver, which is set above */
options_postprocess_mutate_invariant(o);
/* check that compression settings in the options are okay */
check_compression_settings_valid(&o->comp, M_USAGE);
/*
* Save certain parms before modifying options during connect, especially
* when using --pull
@ -8405,21 +8408,12 @@ add_option(struct options *options,
/* All lzo variants do not use swap */
options->comp.flags &= ~COMP_F_SWAP;
#if defined(ENABLE_LZO)
if (p[1] && streq(p[1], "no"))
#endif
{
options->comp.alg = COMP_ALG_STUB;
options->comp.flags &= ~COMP_F_ADAPTIVE;
}
#if defined(ENABLE_LZO)
else if (options->comp.flags & COMP_F_ALLOW_STUB_ONLY)
{
/* Also printed on a push to hint at configuration problems */
msg(msglevel, "Cannot set comp-lzo to '%s', "
"allow-compression is set to 'no'", p[1]);
goto err;
}
else if (p[1])
{
if (streq(p[1], "yes"))
@ -8444,7 +8438,6 @@ add_option(struct options *options,
options->comp.flags |= COMP_F_ADAPTIVE;
}
show_compression_warning(&options->comp);
#endif /* if defined(ENABLE_LZO) */
}
else if (streq(p[0], "comp-noadapt") && !p[1])
{
@ -8478,23 +8471,12 @@ add_option(struct options *options,
{
options->comp.alg = COMP_ALG_UNDEF;
options->comp.flags = COMP_F_MIGRATE;
}
else if (options->comp.flags & COMP_F_ALLOW_STUB_ONLY)
{
/* Also printed on a push to hint at configuration problems */
msg(msglevel, "Cannot set compress to '%s', "
"allow-compression is set to 'no'", alg);
goto err;
}
#if defined(ENABLE_LZO)
else if (streq(alg, "lzo"))
{
options->comp.alg = COMP_ALG_LZO;
options->comp.flags &= ~(COMP_F_ADAPTIVE | COMP_F_SWAP);
}
#endif
#if defined(ENABLE_LZ4)
else if (streq(alg, "lz4"))
{
options->comp.alg = COMP_ALG_LZ4;
@ -8504,7 +8486,6 @@ add_option(struct options *options,
{
options->comp.alg = COMP_ALGV2_LZ4;
}
#endif
else
{
msg(msglevel, "bad comp option: %s", alg);