diff options
author | Jörg Frings-Fürst <debian@jff-webhosting.net> | 2017-06-27 13:56:16 +0200 |
---|---|---|
committer | Jörg Frings-Fürst <debian@jff-webhosting.net> | 2017-06-27 13:56:16 +0200 |
commit | 749384a154025e268b53cf3cc79eaeddde2b3ceb (patch) | |
tree | 27baa9e6aec76635d750405d90cd461440a656d1 /debian/patches/upstream-issue-879.patch | |
parent | db4f04c584f7d4e828b5d317cf40962b9d854ac5 (diff) |
initial stretch branch release 2.4.0-6
Diffstat (limited to 'debian/patches/upstream-issue-879.patch')
-rw-r--r-- | debian/patches/upstream-issue-879.patch | 87 |
1 files changed, 87 insertions, 0 deletions
diff --git a/debian/patches/upstream-issue-879.patch b/debian/patches/upstream-issue-879.patch new file mode 100644 index 0000000..2139afc --- /dev/null +++ b/debian/patches/upstream-issue-879.patch @@ -0,0 +1,87 @@ +Index: openvpn/src/openvpn/forward.c +=================================================================== +--- openvpn.orig/src/openvpn/forward.c 2017-05-22 14:59:09.634938195 +0200 ++++ openvpn/src/openvpn/forward.c 2017-05-22 14:59:09.630937170 +0200 +@@ -866,9 +866,16 @@ + * will load crypto_options with the correct encryption key + * and return false. + */ ++ uint8_t opcode = *BPTR(&c->c2.buf) >> P_OPCODE_SHIFT; + if (tls_pre_decrypt(c->c2.tls_multi, &c->c2.from, &c->c2.buf, &co, + floated, &ad_start)) + { ++ /* Restore pre-NCP frame parameters */ ++ if (is_hard_reset(opcode, c->options.key_method)) ++ { ++ c->c2.frame = c->c2.frame_initial; ++ } ++ + interval_action(&c->c2.tmp_int); + + /* reset packet received timer if TLS packet */ +Index: openvpn/src/openvpn/init.c +=================================================================== +--- openvpn.orig/src/openvpn/init.c 2017-05-22 14:59:09.634938195 +0200 ++++ openvpn/src/openvpn/init.c 2017-05-22 14:59:09.634938195 +0200 +@@ -4055,6 +4055,8 @@ + c->c2.did_open_tun = do_open_tun(c); + } + ++ c->c2.frame_initial = c->c2.frame; ++ + /* print MTU info */ + do_print_data_channel_mtu_parms(c); + +Index: openvpn/src/openvpn/openvpn.h +=================================================================== +--- openvpn.orig/src/openvpn/openvpn.h 2017-05-22 14:59:09.634938195 +0200 ++++ openvpn/src/openvpn/openvpn.h 2017-05-22 14:59:09.634938195 +0200 +@@ -263,7 +263,8 @@ + struct link_socket_actual from; /* address of incoming datagram */ + + /* MTU frame parameters */ +- struct frame frame; ++ struct frame frame; /* Active frame parameters */ ++ struct frame frame_initial; /* Restored on new session */ + + #ifdef ENABLE_FRAGMENT + /* Object to handle advanced MTU negotiation and datagram fragmentation */ +Index: openvpn/src/openvpn/ssl.c +=================================================================== +--- openvpn.orig/src/openvpn/ssl.c 2017-05-22 14:59:09.634938195 +0200 ++++ openvpn/src/openvpn/ssl.c 2017-05-22 14:59:09.634938195 +0200 +@@ -830,14 +830,7 @@ + return BSTR(&out); + } + +-/* +- * Given a key_method, return true if op +- * represents the required form of hard_reset. +- * +- * If key_method = 0, return true if any +- * form of hard reset is used. +- */ +-static bool ++bool + is_hard_reset(int op, int key_method) + { + if (!key_method || key_method == 1) +Index: openvpn/src/openvpn/ssl.h +=================================================================== +--- openvpn.orig/src/openvpn/ssl.h 2017-05-22 14:59:09.634938195 +0200 ++++ openvpn/src/openvpn/ssl.h 2017-05-22 14:59:09.634938195 +0200 +@@ -591,6 +591,14 @@ + /*#define EXTRACT_X509_FIELD_TEST*/ + void extract_x509_field_test(void); + ++/** ++ * Given a key_method, return true if opcode represents the required form of ++ * hard_reset. ++ * ++ * If key_method == 0, return true if any form of hard reset is used. ++ */ ++bool is_hard_reset(int op, int key_method); ++ + #endif /* ENABLE_CRYPTO */ + + #endif /* ifndef OPENVPN_SSL_H */ |