summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlberto Gonzalez Iniesta <agi@inittab.org>2017-05-22 15:03:51 +0200
committerAlberto Gonzalez Iniesta <agi@inittab.org>2017-05-22 15:03:51 +0200
commitd73f7253d939e293abf9e27b4b7f37df1ec12a39 (patch)
tree93c186951fa2d3cd4315b17e930c376982853f6d
parentde39933a5c67a449c4c31e4e8f0c1d2c218c8c6c (diff)
Add patch to fix upstream's issue 879
-rw-r--r--debian/changelog7
-rw-r--r--debian/patches/series1
-rw-r--r--debian/patches/upstream-issue-879.patch87
3 files changed, 95 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 0dbcb49..3de80ab 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+openvpn (2.4.0-6) unstable; urgency=medium
+
+ * Apply upstream patch to fix shrinking MTU sizes on reconnects causing not
+ usable VPN tunnels.
+
+ -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 22 May 2017 14:59:49 +0200
+
openvpn (2.4.0-5) unstable; urgency=high
* Change typo fix in command line help.
diff --git a/debian/patches/series b/debian/patches/series
index 457e897..907dc15 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,3 +7,4 @@ CVE-2017-7478.patch
CVE-2017-7479-prereq.patch
CVE-2017-7479.patch
wipe_tokens_on_de-auth.patch
+upstream-issue-879.patch
diff --git a/debian/patches/upstream-issue-879.patch b/debian/patches/upstream-issue-879.patch
new file mode 100644
index 0000000..2139afc
--- /dev/null
+++ b/debian/patches/upstream-issue-879.patch
@@ -0,0 +1,87 @@
+Index: openvpn/src/openvpn/forward.c
+===================================================================
+--- openvpn.orig/src/openvpn/forward.c 2017-05-22 14:59:09.634938195 +0200
++++ openvpn/src/openvpn/forward.c 2017-05-22 14:59:09.630937170 +0200
+@@ -866,9 +866,16 @@
+ * will load crypto_options with the correct encryption key
+ * and return false.
+ */
++ uint8_t opcode = *BPTR(&c->c2.buf) >> P_OPCODE_SHIFT;
+ if (tls_pre_decrypt(c->c2.tls_multi, &c->c2.from, &c->c2.buf, &co,
+ floated, &ad_start))
+ {
++ /* Restore pre-NCP frame parameters */
++ if (is_hard_reset(opcode, c->options.key_method))
++ {
++ c->c2.frame = c->c2.frame_initial;
++ }
++
+ interval_action(&c->c2.tmp_int);
+
+ /* reset packet received timer if TLS packet */
+Index: openvpn/src/openvpn/init.c
+===================================================================
+--- openvpn.orig/src/openvpn/init.c 2017-05-22 14:59:09.634938195 +0200
++++ openvpn/src/openvpn/init.c 2017-05-22 14:59:09.634938195 +0200
+@@ -4055,6 +4055,8 @@
+ c->c2.did_open_tun = do_open_tun(c);
+ }
+
++ c->c2.frame_initial = c->c2.frame;
++
+ /* print MTU info */
+ do_print_data_channel_mtu_parms(c);
+
+Index: openvpn/src/openvpn/openvpn.h
+===================================================================
+--- openvpn.orig/src/openvpn/openvpn.h 2017-05-22 14:59:09.634938195 +0200
++++ openvpn/src/openvpn/openvpn.h 2017-05-22 14:59:09.634938195 +0200
+@@ -263,7 +263,8 @@
+ struct link_socket_actual from; /* address of incoming datagram */
+
+ /* MTU frame parameters */
+- struct frame frame;
++ struct frame frame; /* Active frame parameters */
++ struct frame frame_initial; /* Restored on new session */
+
+ #ifdef ENABLE_FRAGMENT
+ /* Object to handle advanced MTU negotiation and datagram fragmentation */
+Index: openvpn/src/openvpn/ssl.c
+===================================================================
+--- openvpn.orig/src/openvpn/ssl.c 2017-05-22 14:59:09.634938195 +0200
++++ openvpn/src/openvpn/ssl.c 2017-05-22 14:59:09.634938195 +0200
+@@ -830,14 +830,7 @@
+ return BSTR(&out);
+ }
+
+-/*
+- * Given a key_method, return true if op
+- * represents the required form of hard_reset.
+- *
+- * If key_method = 0, return true if any
+- * form of hard reset is used.
+- */
+-static bool
++bool
+ is_hard_reset(int op, int key_method)
+ {
+ if (!key_method || key_method == 1)
+Index: openvpn/src/openvpn/ssl.h
+===================================================================
+--- openvpn.orig/src/openvpn/ssl.h 2017-05-22 14:59:09.634938195 +0200
++++ openvpn/src/openvpn/ssl.h 2017-05-22 14:59:09.634938195 +0200
+@@ -591,6 +591,14 @@
+ /*#define EXTRACT_X509_FIELD_TEST*/
+ void extract_x509_field_test(void);
+
++/**
++ * Given a key_method, return true if opcode represents the required form of
++ * hard_reset.
++ *
++ * If key_method == 0, return true if any form of hard reset is used.
++ */
++bool is_hard_reset(int op, int key_method);
++
+ #endif /* ENABLE_CRYPTO */
+
+ #endif /* ifndef OPENVPN_SSL_H */