diff options
Diffstat (limited to 'debian/patches')
-rw-r--r-- | debian/patches/series | 1 | ||||
-rw-r--r-- | debian/patches/upstream-issue-879.patch | 87 |
2 files changed, 88 insertions, 0 deletions
diff --git a/debian/patches/series b/debian/patches/series index 457e897..907dc15 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -7,3 +7,4 @@ CVE-2017-7478.patch CVE-2017-7479-prereq.patch CVE-2017-7479.patch wipe_tokens_on_de-auth.patch +upstream-issue-879.patch diff --git a/debian/patches/upstream-issue-879.patch b/debian/patches/upstream-issue-879.patch new file mode 100644 index 0000000..2139afc --- /dev/null +++ b/debian/patches/upstream-issue-879.patch @@ -0,0 +1,87 @@ +Index: openvpn/src/openvpn/forward.c +=================================================================== +--- openvpn.orig/src/openvpn/forward.c 2017-05-22 14:59:09.634938195 +0200 ++++ openvpn/src/openvpn/forward.c 2017-05-22 14:59:09.630937170 +0200 +@@ -866,9 +866,16 @@ + * will load crypto_options with the correct encryption key + * and return false. + */ ++ uint8_t opcode = *BPTR(&c->c2.buf) >> P_OPCODE_SHIFT; + if (tls_pre_decrypt(c->c2.tls_multi, &c->c2.from, &c->c2.buf, &co, + floated, &ad_start)) + { ++ /* Restore pre-NCP frame parameters */ ++ if (is_hard_reset(opcode, c->options.key_method)) ++ { ++ c->c2.frame = c->c2.frame_initial; ++ } ++ + interval_action(&c->c2.tmp_int); + + /* reset packet received timer if TLS packet */ +Index: openvpn/src/openvpn/init.c +=================================================================== +--- openvpn.orig/src/openvpn/init.c 2017-05-22 14:59:09.634938195 +0200 ++++ openvpn/src/openvpn/init.c 2017-05-22 14:59:09.634938195 +0200 +@@ -4055,6 +4055,8 @@ + c->c2.did_open_tun = do_open_tun(c); + } + ++ c->c2.frame_initial = c->c2.frame; ++ + /* print MTU info */ + do_print_data_channel_mtu_parms(c); + +Index: openvpn/src/openvpn/openvpn.h +=================================================================== +--- openvpn.orig/src/openvpn/openvpn.h 2017-05-22 14:59:09.634938195 +0200 ++++ openvpn/src/openvpn/openvpn.h 2017-05-22 14:59:09.634938195 +0200 +@@ -263,7 +263,8 @@ + struct link_socket_actual from; /* address of incoming datagram */ + + /* MTU frame parameters */ +- struct frame frame; ++ struct frame frame; /* Active frame parameters */ ++ struct frame frame_initial; /* Restored on new session */ + + #ifdef ENABLE_FRAGMENT + /* Object to handle advanced MTU negotiation and datagram fragmentation */ +Index: openvpn/src/openvpn/ssl.c +=================================================================== +--- openvpn.orig/src/openvpn/ssl.c 2017-05-22 14:59:09.634938195 +0200 ++++ openvpn/src/openvpn/ssl.c 2017-05-22 14:59:09.634938195 +0200 +@@ -830,14 +830,7 @@ + return BSTR(&out); + } + +-/* +- * Given a key_method, return true if op +- * represents the required form of hard_reset. +- * +- * If key_method = 0, return true if any +- * form of hard reset is used. +- */ +-static bool ++bool + is_hard_reset(int op, int key_method) + { + if (!key_method || key_method == 1) +Index: openvpn/src/openvpn/ssl.h +=================================================================== +--- openvpn.orig/src/openvpn/ssl.h 2017-05-22 14:59:09.634938195 +0200 ++++ openvpn/src/openvpn/ssl.h 2017-05-22 14:59:09.634938195 +0200 +@@ -591,6 +591,14 @@ + /*#define EXTRACT_X509_FIELD_TEST*/ + void extract_x509_field_test(void); + ++/** ++ * Given a key_method, return true if opcode represents the required form of ++ * hard_reset. ++ * ++ * If key_method == 0, return true if any form of hard reset is used. ++ */ ++bool is_hard_reset(int op, int key_method); ++ + #endif /* ENABLE_CRYPTO */ + + #endif /* ifndef OPENVPN_SSL_H */ |