From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 8 Oct 2025 12:03:39 +0200
Message-ID: <20251008100344.4907-1-gert@greenie.muc.de>
X-Patchwork-Id: 4479
Subject: [Openvpn-devel] [PATCH v7] PUSH_UPDATE: disabling PUSH_UPDATE server and client if DCO is enabled

From: Marco Baffo

The PUSH_UPDATE currently doesn't work with DCO. For example, in server,
if a new ifconfig is sent, the DCO doesn't receive the new peer address
and the connection drops. Similarly in the client when a PUSH_UPDATE is
received, the tun is closed and reopened but the DCO doesn't receive the
peer info.

Change-Id: Ibe78949435bb2f26ad68301e2710321bf37c9486
Signed-off-by: Marco Baffo
Acked-by: Antonio Quartulli
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1245
Message-Id: <20251008083046.27209-1-gert@greenie.muc.de>
URL: https://sourceforge.net/p/openvpn/mailman/message/59243711/
Signed-off-by: Gert Doering
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1245
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1245
This mail reflects revision 7 of this Change.

Acked-by according to Gerrit (reflected above):

diff --git a/src/openvpn/push.c b/src/openvpn/push.c index e7fc50c..0c8eb84 100644
--- a/src/openvpn/push.c +++ b/src/openvpn/push.c @@ -1112,6 +1112,12 @@ } else if (honor_received_options && buf_string_compare_advance(&buf, push_update_cmd)) { + if (dco_enabled(&c->options)) + { + msg(M_WARN, "WARN: PUSH_UPDATE messages cannot currently be processed in client mode while DCO is enabled, ignoring." + " To be able to process PUSH_UPDATE messages, be sure to use the --disable-dco option."); + return PUSH_MSG_ERROR; + } return process_incoming_push_update(c, permission_mask, option_types_found, &buf, false); } else diff --git a/src/openvpn/push_util.c b/src/openvpn/push_util.c index 9138bdb..f306104 100644 --- a/src/openvpn/push_util.c +++ b/src/openvpn/push_util.c @@ -191,6 +191,13 @@ int send_push_update(struct multi_context *m, const void *target, const char *msg, const push_update_type type, const int push_bundle_size) { + if (dco_enabled(&m->top.options)) + { + msg(M_WARN, "WARN: PUSH_UPDATE messages cannot currently be sent while DCO is enabled." + " To send a PUSH_UPDATE message, be sure to use the --disable-dco option."); + return 0; + } + if (!msg || !*msg || !m || (!target && type != UPT_BROADCAST)) { @@ -294,7 +301,6 @@ } \ } while (0) - bool management_callback_send_push_update_broadcast(void *arg, const char *options) { diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 34036f2..567560f 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -1926,8 +1926,12 @@ /* support for exit notify via control channel */ iv_proto |= IV_PROTO_CC_EXIT_NOTIFY; - /* support push-updates */ - iv_proto |= IV_PROTO_PUSH_UPDATE; + /* currently push-update is not supported when DCO is enabled */ + if (!session->opt->dco_enabled) + { + /* support push-updates */ + iv_proto |= IV_PROTO_PUSH_UPDATE; + } if (session->opt->pull) { diff --git a/tests/unit_tests/openvpn/test_push_update_msg.c b/tests/unit_tests/openvpn/test_push_update_msg.c index 8a5beeb..6e49f14 100644 --- a/tests/unit_tests/openvpn/test_push_update_msg.c 
+++ b/tests/unit_tests/openvpn/test_push_update_msg.c @@ -465,6 +465,7 @@ m->instances = calloc(1, sizeof(struct multi_instance *)); struct multi_instance *mi = calloc(1, sizeof(struct multi_instance)); *(m->instances) = mi; + m->top.options.disable_dco = true; *state = m; return 0; }
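
Review bot: In the src/openvpn/push.c hunk (@@ -1112,6 +1112,12 @@), the new branch logs that the PUSH_UPDATE is being ignored but returns PUSH_MSG_ERROR, so the log text and the return value tell the caller different things. If the intent is to drop the message and keep the session up, return a value the caller treats as a no-op, or add a comment stating that PUSH_MSG_ERROR is non-fatal on this path; if the intent is to fail, drop "ignoring" from the message. The warning is also emitted for every PUSH_UPDATE the peer sends, so consider logging it once per session.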
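
Review bot: In the first src/openvpn/push_util.c hunk (@@ -191,6 +191,13 @@), dco_enabled(&m->top.options) uses m before the existing !m test in the argument check that follows, so a NULL m is now reached ahead of the guard meant to catch it. Move the DCO check below the argument validation, or test m first. The early "return 0;" also gives the caller no indication beyond the log line of why nothing was sent; a documented meaning for 0 or a distinct return value would let a management client report the reason.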
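
Review bot: The second src/openvpn/push_util.c hunk (@@ -294,7 +301,6 @@) only deletes a blank line before management_callback_send_push_update_broadcast() and is unrelated to the DCO change. Drop it from this patch or send it as a separate cleanup so the functional diff stays minimal.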
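
Review bot: In the src/openvpn/ssl.c hunk (@@ -1926,8 +1926,12 @@), the capability bit is gated on session->opt->dco_enabled, while the push.c and push_util.c hunks call dco_enabled() on the options struct. If those two can ever differ, a client could advertise IV_PROTO_PUSH_UPDATE and then reject the message, or the reverse. Use one predicate in all three places, or add a comment saying why they are equivalent. The inner comment "/* support push-updates */" now repeats the outer one and can go.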
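
Review bot: In the tests/unit_tests/openvpn/test_push_update_msg.c hunk (@@ -465,6 +465,7 @@), setting m->top.options.disable_dco = true in the setup keeps the existing tests on the non-DCO path, but nothing exercises the new early return. Add a case that leaves DCO enabled and asserts that send_push_update() returns 0, and put a short comment on this line explaining why the fixture disables DCO.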