diff options
author | Alberto Gonzalez Iniesta <agi@inittab.org> | 2017-05-22 15:03:51 +0200 |
---|---|---|
committer | Alberto Gonzalez Iniesta <agi@inittab.org> | 2017-05-22 15:03:51 +0200 |
commit | d73f7253d939e293abf9e27b4b7f37df1ec12a39 (patch) | |
tree | 93c186951fa2d3cd4315b17e930c376982853f6d | |
parent | de39933a5c67a449c4c31e4e8f0c1d2c218c8c6c (diff) |
Add patch to fix upstream's issue 879
-rw-r--r-- | debian/changelog | 7 | ||||
-rw-r--r-- | debian/patches/series | 1 | ||||
-rw-r--r-- | debian/patches/upstream-issue-879.patch | 87 |
3 files changed, 95 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog index 0dbcb49..3de80ab 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +openvpn (2.4.0-6) unstable; urgency=medium + + * Apply upstream patch to fix shrinking MTU sizes on reconnects causing not + usable VPN tunnels. + + -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 22 May 2017 14:59:49 +0200 + openvpn (2.4.0-5) unstable; urgency=high * Change typo fix in command line help. diff --git a/debian/patches/series b/debian/patches/series index 457e897..907dc15 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -7,3 +7,4 @@ CVE-2017-7478.patch CVE-2017-7479-prereq.patch CVE-2017-7479.patch wipe_tokens_on_de-auth.patch +upstream-issue-879.patch diff --git a/debian/patches/upstream-issue-879.patch b/debian/patches/upstream-issue-879.patch new file mode 100644 index 0000000..2139afc --- /dev/null +++ b/debian/patches/upstream-issue-879.patch @@ -0,0 +1,87 @@ +Index: openvpn/src/openvpn/forward.c +=================================================================== +--- openvpn.orig/src/openvpn/forward.c 2017-05-22 14:59:09.634938195 +0200 ++++ openvpn/src/openvpn/forward.c 2017-05-22 14:59:09.630937170 +0200 +@@ -866,9 +866,16 @@ + * will load crypto_options with the correct encryption key + * and return false. + */ ++ uint8_t opcode = *BPTR(&c->c2.buf) >> P_OPCODE_SHIFT; + if (tls_pre_decrypt(c->c2.tls_multi, &c->c2.from, &c->c2.buf, &co, + floated, &ad_start)) + { ++ /* Restore pre-NCP frame parameters */ ++ if (is_hard_reset(opcode, c->options.key_method)) ++ { ++ c->c2.frame = c->c2.frame_initial; ++ } ++ + interval_action(&c->c2.tmp_int); + + /* reset packet received timer if TLS packet */ +Index: openvpn/src/openvpn/init.c +=================================================================== +--- openvpn.orig/src/openvpn/init.c 2017-05-22 14:59:09.634938195 +0200 ++++ openvpn/src/openvpn/init.c 2017-05-22 14:59:09.634938195 +0200 +@@ -4055,6 +4055,8 @@ + c->c2.did_open_tun = do_open_tun(c); + } + ++ c->c2.frame_initial = c->c2.frame; ++ + /* print MTU info */ + do_print_data_channel_mtu_parms(c); + +Index: openvpn/src/openvpn/openvpn.h +=================================================================== +--- openvpn.orig/src/openvpn/openvpn.h 2017-05-22 14:59:09.634938195 +0200 ++++ openvpn/src/openvpn/openvpn.h 2017-05-22 14:59:09.634938195 +0200 +@@ -263,7 +263,8 @@ + struct link_socket_actual from; /* address of incoming datagram */ + + /* MTU frame parameters */ +- struct frame frame; ++ struct frame frame; /* Active frame parameters */ ++ struct frame frame_initial; /* Restored on new session */ + + #ifdef ENABLE_FRAGMENT + /* Object to handle advanced MTU negotiation and datagram fragmentation */ +Index: openvpn/src/openvpn/ssl.c +=================================================================== +--- openvpn.orig/src/openvpn/ssl.c 2017-05-22 14:59:09.634938195 +0200 ++++ openvpn/src/openvpn/ssl.c 2017-05-22 14:59:09.634938195 +0200 +@@ -830,14 +830,7 @@ + return BSTR(&out); + } + +-/* +- * Given a key_method, return true if op +- * represents the required form of hard_reset. +- * +- * If key_method = 0, return true if any +- * form of hard reset is used. +- */ +-static bool ++bool + is_hard_reset(int op, int key_method) + { + if (!key_method || key_method == 1) +Index: openvpn/src/openvpn/ssl.h +=================================================================== +--- openvpn.orig/src/openvpn/ssl.h 2017-05-22 14:59:09.634938195 +0200 ++++ openvpn/src/openvpn/ssl.h 2017-05-22 14:59:09.634938195 +0200 +@@ -591,6 +591,14 @@ + /*#define EXTRACT_X509_FIELD_TEST*/ + void extract_x509_field_test(void); + ++/** ++ * Given a key_method, return true if opcode represents the required form of ++ * hard_reset. ++ * ++ * If key_method == 0, return true if any form of hard reset is used. ++ */ ++bool is_hard_reset(int op, int key_method); ++ + #endif /* ENABLE_CRYPTO */ + + #endif /* ifndef OPENVPN_SSL_H */ |