Settings validation for LZO looks incorrect

[stephane-rochoy-stormshield]

openvpn/src/openvpn/comp.c

Lines 189 to 204 in 5447571

	#ifndef ENABLE_LZ4
	if (info->alg == COMP_ALGV2_LZ4 || info->alg == COMP_ALG_LZ4)
	{
	msg(msglevel, "OpenVPN is compiled without LZ4 support. Requested "
	"compression cannot be enabled.");
	return false;
	}
	#endif
	#ifndef ENABLE_LZO
	if (info->alg == COMP_ALG_LZO || info->alg == COMP_ALG_LZ4)
	{
	msg(msglevel, "OpenVPN is compiled without LZO support. Requested "
	"compression cannot be enabled.");
	return false;
	}
	#endif

LZ4 is wrongly mixed into the condition at line 198.

[flichtenheld]

Indeed. Introduced by e950ca1 in 2.6.2.
Probably not a lot of people are hitting this since OpenVPN is usually compiled with LZO support and hopefully compression usage is going down due to security recommendations. But should definitely be fixed.

[flichtenheld]

Patch: https://gerrit.openvpn.net/c/openvpn/+/526

[stephane-rochoy-stormshield]

Was hit after moving from LZO to LZ4 to get better performances. But if I understand correctly, the recommendation is to fully disable compression?

[flichtenheld]

Was hit after moving from LZO to LZ4 to get better performances. But if I understand correctly, the recommendation is to fully disable compression?

Yes, disabling compression is generally advised. New DCO kernel drivers for OpenVPN don't even support it. Quoting the man page for --compress:

Security Considerations

Compression and encryption is a tricky combination. If an attacker knows or is able to control (parts of) the plain-text of packets that contain secrets, the attacker might be able to extract the secret if compression is enabled. See e.g. the CRIME and BREACH attacks on TLS and VORACLE on VPNs which also leverage to break encryption. If you are not entirely sure that the above does not apply to your traffic, you are advised to not enable compression.

[stephane-rochoy-stormshield]

Ok, got it. Thanks for your time!