From patchwork Wed Oct 29 06:53:10 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4541
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 29 Oct 2025 07:53:10 +0100
Message-ID: <20251029065316.10182-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.49.1
Subject: [Openvpn-devel] [PATCH v1] Fix logic when pushed cipher triggers tun reopen and ignore more options

From: Arne Schwabe

The logic was inverted. Only when link-mtu is used, pushing a cipher can change the MTU and not the other way round. (found by zeropath)

Also ignore a few more options that should not trigger a reopen of tun in push message.

Reported-By: contact@joshua.hu
Found-By: Zeropath
Change-Id: I76eb584024610a6054a069340adbac988abf686c
Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1321
---
This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1321
This mail reflects revision 1 of this Change.

Signed-off-by line for the author was added as per our policy.

Acked-by according to Gerrit (reflected above): Gert Doering

diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index 2c717c7..d7063e6 100644
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@@ -1025,15 +1025,25 @@ char line[OPTION_PARM_SIZE]; while (buf_parse(buf, ',', line, sizeof(line))) { - /* peer-id and auth-token might change on restart and this should not trigger reopening tun + /* peer-id and auth-token might change on restart and this should not + * trigger reopening tun + * Also other options that only affect the control channel should + * not trigger a reopen of the tun device */ - if (strprefix(line, "peer-id ") || strprefix(line, "auth-token ") - || strprefix(line, "auth-token-user ")) + if (strprefix(line, "peer-id ") + || strprefix(line, "auth-token ") + || strprefix(line, "auth-token-user") + || strprefix(line, "protocol-flags ") + || strprefix(line, "key-derivation ") + || strprefix(line, "explicit-exit-notify ") + || strprefix(line, "ping ") + || strprefix(line, "ping-restart ") + || strprefix(line, "ping-timer ")) { continue; } /* tun reopen only needed if cipher change can change tun MTU */ - if (strprefix(line, "cipher ") && !opt->ce.tun_mtu_defined) + if (strprefix(line, "cipher ") && opt->ce.tun_mtu_defined) { continue; }
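Review bot: in the extended `if` chain, the `"auth-token-user"` prefix lost the trailing space that the removed line had (`strprefix(line, "auth-token-user ")`) and that every other entry in the list keeps; as written it also matches any pushed option that merely begins with that string, so restore `"auth-token-user "` for consistency with `"auth-token "` and the rest. The new comment says the added entries "only affect the control channel", but the criterion the loop actually applies is that none of them can change the tun device configuration (ping and ping-restart, for instance, are keepalive timers); wording the comment that way would match both the existing peer-id/auth-token rationale and the cipher/MTU check just below. The flipped `opt->ce.tun_mtu_defined` test is the behavioural fix the commit message describes (a pushed cipher can only change the tun MTU when link-mtu rather than tun-mtu is in use), and since the original condition shipped inverted, a test exercising both `tun_mtu_defined` states would guard against it flipping back.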