From patchwork Wed Oct 8 08:30:41 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4476
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 8 Oct 2025 10:30:41 +0200
Message-ID: <20251008083046.27209-1-gert@greenie.muc.de>
Subject: [Openvpn-devel] [PATCH v6] PUSH_UPDATE: disabling PUSH_UPDATE server and client if DCO is enabled

From: Marco Baffo

The PUSH_UPDATE currently doesn't work with DCO. For example, in server, if a new ifconfig is sent, the DCO doesn't receive the new peer address and the connection drops. Similarly in the client when a PUSH_UPDATE is received, the tun is closed and reopened but the DCO doesn't receive the peer info.

Change-Id: Ibe78949435bb2f26ad68301e2710321bf37c9486
Signed-off-by: Marco Baffo
Acked-by: Antonio Quartulli
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1245
---

This change was reviewed on Gerrit and approved by at least one developer.
I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1245
This mail reflects revision 6 of this Change.

Acked-by according to Gerrit (reflected above):
Antonio Quartulli

diff --git a/src/openvpn/push.c b/src/openvpn/push.c index e7fc50c..0c8eb84 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c 
@@ -1112,6 +1112,12 @@ } else if (honor_received_options && buf_string_compare_advance(&buf, push_update_cmd)) { + if (dco_enabled(&c->options)) + { + msg(M_WARN, "WARN: PUSH_UPDATE messages cannot currently be processed in client mode while DCO is enabled, ignoring." + " To be able to process PUSH_UPDATE messages, be sure to use the --disable-dco option."); + return PUSH_MSG_ERROR; + } return process_incoming_push_update(c, permission_mask, option_types_found, &buf, false); } else diff --git a/src/openvpn/push_util.c b/src/openvpn/push_util.c index 9138bdb..f306104 100644 --- a/src/openvpn/push_util.c +++ b/src/openvpn/push_util.c @@ -191,6 +191,13 @@ int send_push_update(struct multi_context *m, const void *target, const char *msg, const push_update_type type, const int push_bundle_size) { + if (dco_enabled(&m->top.options)) + { + msg(M_WARN, "WARN: PUSH_UPDATE messages cannot currently be sent while DCO is enabled." + " To send a PUSH_UPDATE message, be sure to use the --disable-dco option."); + return 0; + } + if (!msg || !*msg || !m || (!target && type != UPT_BROADCAST)) { @@ -294,7 +301,6 @@ } \ } while (0) - bool management_callback_send_push_update_broadcast(void *arg, const char *options) { diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 34036f2..567560f 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -1926,8 +1926,12 @@ /* support for exit notify via control channel */ iv_proto |= IV_PROTO_CC_EXIT_NOTIFY; - /* support push-updates */ - iv_proto |= IV_PROTO_PUSH_UPDATE; + /* currently push-update is not supported when DCO is enabled */ + if (!session->opt->dco_enabled) + { + /* support push-updates */ + iv_proto |= IV_PROTO_PUSH_UPDATE; + } if (session->opt->pull) { diff --git a/tests/unit_tests/openvpn/test_push_update_msg.c b/tests/unit_tests/openvpn/test_push_update_msg.c index 8a5beeb..6e49f14 100644 --- a/tests/unit_tests/openvpn/test_push_update_msg.c +++ b/tests/unit_tests/openvpn/test_push_update_msg.c 
@@ -465,6 +465,7 @@ m->instances = calloc(1, sizeof(struct multi_instance *)); struct multi_instance *mi = calloc(1, sizeof(struct multi_instance)); *(m->instances) = mi; + m->top.options.disable_dco = true; *state = m; return 0; }
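
Review bot: In the src/openvpn/push.c hunk, the warning text says the PUSH_UPDATE is being ignored ("... while DCO is enabled, ignoring."), but the branch then does "return PUSH_MSG_ERROR;", so the log line and the return value disagree about what happens to the message. If the intent is to drop the message and keep the session running, return a status that expresses that; if an error is intended, remove "ignoring" from the text so operators reading the log are not misled. A one-line comment stating that this branch is only reached when a peer sends PUSH_UPDATE even though the client did not advertise IV_PROTO_PUSH_UPDATE (see the ssl.c hunk) would document why the check exists.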
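
Review bot: In send_push_update() in src/openvpn/push_util.c, the new "if (dco_enabled(&m->top.options))" dereferences m before the existing guard "if (!msg || !*msg || !m || (!target && type != UPT_BROADCAST))" has had a chance to reject a NULL m, so the NULL check that follows no longer protects this function. Move the DCO check below the argument validation, or test m first. As a smaller style point, the new "msg(M_WARN, ...)" call sits in a function whose parameter is also named msg, which makes the line hard to read; a short comment or a different parameter name would help.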
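
Review bot: In the src/openvpn/ssl.c hunk, the decision to advertise IV_PROTO_PUSH_UPDATE is taken from "session->opt->dco_enabled", while the receive-side check in push.c calls "dco_enabled(&c->options)". These are two different sources for the same condition, and if they ever disagree the client will either advertise a capability it then rejects or reject silently what it never advertised. Please add a comment here naming the matching check in push.c so the two stay in step, and drop the now redundant inner comment "/* support push-updates */", since the outer comment already says what the block does.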
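
Review bot: In tests/unit_tests/openvpn/test_push_update_msg.c, the only change is "m->top.options.disable_dco = true;" in the setup, which steers the existing cases around the new early return; nothing in this patch exercises the new branch itself. Please add a case that runs with DCO enabled and asserts that send_push_update() returns 0 without sending anything, and a comment on the setup line explaining that DCO is disabled there because PUSH_UPDATE is refused otherwise.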