PUSH_UPDATE: disabling PUSH_UPDATE server and client if DCO is enabled
authorMarco Baffo <marco@mandelbit.com>
Wed, 8 Oct 2025 08:30:41 +0000 (10:30 +0200)
committerGert Doering <gert@greenie.muc.de>
Wed, 8 Oct 2025 08:55:29 +0000 (10:55 +0200)
PUSH_UPDATE currently doesn't work with DCO.
For example, on the server, if a new ifconfig is sent, DCO
doesn't receive the new peer address and the connection drops.
Similarly, on the client, when a PUSH_UPDATE is received the tun is
closed and reopened, but DCO doesn't receive the peer info.

Change-Id: Ibe78949435bb2f26ad68301e2710321bf37c9486
Signed-off-by: Marco Baffo <marco@mandelbit.com>
Acked-by: Antonio Quartulli <antonio@mandelbit.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1245
Message-Id: <20251008083046.27209-1-gert@greenie.muc.de>
URL: https://sourceforge.net/p/openvpn/mailman/message/59243711/
Signed-off-by: Gert Doering <gert@greenie.muc.de>
src/openvpn/push.c
src/openvpn/push_util.c
src/openvpn/ssl.c
tests/unit_tests/openvpn/test_push_update_msg.c

index e7fc50cd613ebe3cc83a7d79f37e503bd5dfdc81..0c8eb84df6b572eb080d9a74d487ef70b0fb523e 100644 (file)
@@ -1112,6 +1112,12 @@ process_incoming_push_msg(struct context *c, const struct buffer *buffer,
     }
     else if (honor_received_options && buf_string_compare_advance(&buf, push_update_cmd))
     {
+        if (dco_enabled(&c->options))
+        {
+            msg(M_WARN, "WARN: PUSH_UPDATE messages cannot currently be processed in client mode while DCO is enabled, ignoring."
+                        " To be able to process PUSH_UPDATE messages, be sure to use the --disable-dco option.");
+            return PUSH_MSG_ERROR;
+        }
         return process_incoming_push_update(c, permission_mask, option_types_found, &buf, false);
     }
     else
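Review bot: The warning in the new `dco_enabled(&c->options)` branch says the message is being ignored, yet the branch returns `PUSH_MSG_ERROR`, and what the caller does with that status is not visible in this hunk. If the caller only logs it, a comment such as `/* PUSH_MSG_ERROR is only reported by the caller; the session stays up */` would make that explicit; if it does more, "ignoring" in the text is misleading. The warning is also emitted at `M_WARN` for every PUSH_UPDATE the peer sends, so a peer that keeps sending them can fill the client log, and logging once per session would be safer. process_incoming_push_msg starts and ends outside the hunk.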
index 9138bdbfbc3d8e7c0632a15fc77f594e7e6fd68a..f306104237e3978e02a032b89251fc6d4c853dd7 100644 (file)
@@ -191,6 +191,13 @@ send_single_push_update(struct context *c, struct buffer *msgs, unsigned int *op
 int
 send_push_update(struct multi_context *m, const void *target, const char *msg, const push_update_type type, const int push_bundle_size)
 {
+    if (dco_enabled(&m->top.options))
+    {
+        msg(M_WARN, "WARN: PUSH_UPDATE messages cannot currently be sent while DCO is enabled."
+                    " To send a PUSH_UPDATE message, be sure to use the --disable-dco option.");
+        return 0;
+    }
+
     if (!msg || !*msg || !m
         || (!target && type != UPT_BROADCAST))
     {
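Review bot: The new DCO check reads `m->top.options` before the existing argument validation directly below it tests `!m`, so a NULL `m` is dereferenced ahead of the guard meant to reject it. Either move the block below that validation or write the condition as `if (m && dco_enabled(&m->top.options))`. The early `return 0` also appears indistinguishable from "no message sent" for the caller, so a comment on the return value stating that 0 covers the DCO refusal would help the management-interface callers further down the file. The body of send_push_update continues past the hunk.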
@@ -294,7 +301,6 @@ send_push_update(struct multi_context *m, const void *target, const char *msg, c
         }                                                             \
     } while (0)
 
-
 bool
 management_callback_send_push_update_broadcast(void *arg, const char *options)
 {
index 34036f272d9845095bcdfbcbb303963da0493a83..567560feec834d6ca83bd359fc3b36c49c0e5858 100644 (file)
@@ -1926,8 +1926,12 @@ push_peer_info(struct buffer *buf, struct tls_session *session)
         /* support for exit notify via control channel */
         iv_proto |= IV_PROTO_CC_EXIT_NOTIFY;
 
-        /* support push-updates */
-        iv_proto |= IV_PROTO_PUSH_UPDATE;
+        /* currently push-update is not supported when DCO is enabled */
+        if (!session->opt->dco_enabled)
+        {
+            /* support push-updates */
+            iv_proto |= IV_PROTO_PUSH_UPDATE;
+        }
 
         if (session->opt->pull)
         {
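Review bot: The capability bit is gated on `session->opt->dco_enabled`, while the receive path in push.c refuses PUSH_UPDATE based on `dco_enabled(&c->options)`, and nothing in this diff shows that the two always agree. If they can differ, the client would advertise `IV_PROTO_PUSH_UPDATE` and then reject the message, or the reverse. A comment recording the invariant, for example `/* must match the dco_enabled() check in process_incoming_push_msg() */`, would document it. The inner `/* support push-updates */` comment now repeats the outer one and can be dropped. push_peer_info continues outside the hunk.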
index 8a5beebc5fb81041751c595c1a6e947e9da8a2e0..6e49f1440f405a092f7bd3e6752820166d67cdb3 100644 (file)
@@ -465,6 +465,7 @@ setup2(void **state)
     m->instances = calloc(1, sizeof(struct multi_instance *));
     struct multi_instance *mi = calloc(1, sizeof(struct multi_instance));
     *(m->instances) = mi;
+    m->top.options.disable_dco = true;
     *state = m;
     return 0;
 }
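Review bot: No test visible in this hunk covers the new refusal branch, because setting `m->top.options.disable_dco = true` in `setup2` only keeps the existing tests on the send path. A case that leaves DCO enabled and asserts `send_push_update(...)` returns 0 without queuing anything would pin the new behaviour, unless such a case exists elsewhere in the file. This assumes `dco_enabled()` in the test build actually consults `disable_dco`, which should be confirmed against the mock used by the unit tests.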