From: Marco Baffo
Date: Wed, 8 Oct 2025 08:30:41 +0000 (+0200)
Subject: PUSH_UPDATE: disabling PUSH_UPDATE server and client if DCO is enabled
X-Git-Tag: v2.7_beta3~25
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=373178b32dfa8f272cb9322b5f0092b03c3c61c2;p=thirdparty%2Fopenvpn.git

PUSH_UPDATE: disabling PUSH_UPDATE server and client if DCO is enabled

The PUSH_UPDATE currently doesn't work with DCO. For example, in server, if a new ifconfig is sent, the DCO doesn't receive the new peer address and the connection drops. Similarly in the client when a PUSH_UPDATE is received, the tun is closed and reopened but the DCO doesn't receive the peer info.

Change-Id: Ibe78949435bb2f26ad68301e2710321bf37c9486
Signed-off-by: Marco Baffo
Acked-by: Antonio Quartulli
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1245
Message-Id: <20251008083046.27209-1-gert@greenie.muc.de>
URL: https://sourceforge.net/p/openvpn/mailman/message/59243711/
Signed-off-by: Gert Doering
---
diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index e7fc50cd6..0c8eb84df 100644
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@@ -1112,6 +1112,12 @@ process_incoming_push_msg(struct context *c, const struct buffer *buffer,
 }
 else if (honor_received_options && buf_string_compare_advance(&buf, push_update_cmd))
 {
+ if (dco_enabled(&c->options))
+ {
+ msg(M_WARN, "WARN: PUSH_UPDATE messages cannot currently be processed in client mode while DCO is enabled, ignoring."
+ " To be able to process PUSH_UPDATE messages, be sure to use the --disable-dco option.");
+ return PUSH_MSG_ERROR;
+ }
 return process_incoming_push_update(c, permission_mask, option_types_found, &buf, false);
 }
 else
diff --git a/src/openvpn/push_util.c b/src/openvpn/push_util.c
index 9138bdbfb..f30610423 100644
--- a/src/openvpn/push_util.c
+++ b/src/openvpn/push_util.c
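Review bot: The new guard in process_incoming_push_msg logs that the PUSH_UPDATE is being ignored but returns PUSH_MSG_ERROR, so the caller presumably treats the message as a malformed push rather than a skipped one; the hunk does not show what the caller does with that status, so the only visible effect here is the log line, but "ignoring" and an error return say different things. If the intent is really to ignore, consider returning the same status a successfully consumed update would, or reword the message so it no longer claims the message is ignored. The M_WARN also fires unconditionally for every PUSH_UPDATE that arrives; since the ssl.c hunk stops advertising IV_PROTO_PUSH_UPDATE under DCO a conforming server should not send any, but a misbehaving peer can make this line repeat, so a D_PUSH_ERRORS-level message may be the better fit. process_incoming_push_msg starts and ends outside the hunk.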
@@ -191,6 +191,13 @@ send_single_push_update(struct context *c, struct buffer *msgs, unsigned int *op
 int
 send_push_update(struct multi_context *m, const void *target, const char *msg, const push_update_type type, const int push_bundle_size)
 {
+ if (dco_enabled(&m->top.options))
+ {
+ msg(M_WARN, "WARN: PUSH_UPDATE messages cannot currently be sent while DCO is enabled."
+ " To send a PUSH_UPDATE message, be sure to use the --disable-dco option.");
+ return 0;
+ }
+
 if (!msg || !*msg || !m || (!target && type != UPT_BROADCAST))
 {
@@ -294,7 +301,6 @@ send_push_update(struct multi_context *m, const void *target, const char *msg, c
 } \
 } while (0)
-
 bool
 management_callback_send_push_update_broadcast(void *arg, const char *options)
 {
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 34036f272..567560fee 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -1926,8 +1926,12 @@ push_peer_info(struct buffer *buf, struct tls_session *session)
 /* support for exit notify via control channel */
 iv_proto |= IV_PROTO_CC_EXIT_NOTIFY;
- /* support push-updates */
- iv_proto |= IV_PROTO_PUSH_UPDATE;
+ /* currently push-update is not supported when DCO is enabled */
+ if (!session->opt->dco_enabled)
+ {
+ /* support push-updates */
+ iv_proto |= IV_PROTO_PUSH_UPDATE;
+ }
 if (session->opt->pull)
 {
diff --git a/tests/unit_tests/openvpn/test_push_update_msg.c b/tests/unit_tests/openvpn/test_push_update_msg.c
index 8a5beebc5..6e49f1440 100644
--- a/tests/unit_tests/openvpn/test_push_update_msg.c
+++ b/tests/unit_tests/openvpn/test_push_update_msg.c
@@ -465,6 +465,7 @@ setup2(void **state)
 m->instances = calloc(1, sizeof(struct multi_instance *));
 struct multi_instance *mi = calloc(1, sizeof(struct multi_instance));
 *(m->instances) = mi;
+ m->top.options.disable_dco = true;
 *state = m;
 return 0;
 }
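Review bot: The added guard at the top of send_push_update dereferences `m` through `&m->top.options` before the existing `if (!msg || !*msg || !m || ...)` validation on the line right after it, so a NULL `m` now faults where it used to be rejected. Either move the DCO check below that validation block, or make it `if (m && dco_enabled(&m->top.options))`. It would also help to say in a comment what the `return 0` means to callers (no update sent), since the second hunk shows management_callback_send_push_update_broadcast uses this function and the rest of send_push_update, including what the validation path returns, is outside the hunk.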
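Review bot: The comment above the new `if (!session->opt->dco_enabled)` in push_peer_info states the restriction but not its cause, so a later reader cannot tell when the guard can be dropped; the commit message has the reason and it belongs here. Suggest replacing it with `/* Do not advertise PUSH_UPDATE while DCO is enabled: after a received update the tun is closed and reopened and DCO is not handed the peer info again. Remove once DCO handles that. */`. Note that this IV_PROTO bit is presumably the only signal the server gets about the client's DCO state, so server-side sends should keep gating on the peer's advertised bit rather than only on the server's own dco_enabled() as the push_util.c hunk does. push_peer_info continues outside the hunk.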
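Review bot: Setting `m->top.options.disable_dco = true` in setup2 only keeps the existing send_push_update tests on the non-DCO path; nothing in the change exercises the new early return itself, so a regression in that guard would pass the suite. On a build with DCO compiled in, a case that leaves disable_dco false and asserts send_push_update returns 0 without touching the instances, plus a client-side case asserting process_incoming_push_msg returns PUSH_MSG_ERROR for a push_update_cmd message, would cover both new branches. setup2 starts outside the hunk.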