From aef03811cf465cd8b464689e1a37fde2d8f090aa Mon Sep 17 00:00:00 2001
From: Bernhard Schmidt
Date: Sun, 11 Nov 2018 22:19:12 +0100
Subject: Cherry-Pick Upstream commit to fix Cipher mismatch on reconnect

Closes: #909430, #910937
---
 debian/patches/887-fix-ncp-on-reconnect.patch | 37 +++++++++++++++++++++++++++
 debian/patches/series | 1 +
 2 files changed, 38 insertions(+)
 create mode 100644 debian/patches/887-fix-ncp-on-reconnect.patch

diff --git a/debian/patches/887-fix-ncp-on-reconnect.patch b/debian/patches/887-fix-ncp-on-reconnect.patch
new file mode 100644
index 0000000..d8a18af
--- /dev/null
+++ b/debian/patches/887-fix-ncp-on-reconnect.patch
@@ -0,0 +1,37 @@
+From: Gert Döring
+Subject: Fix NCP behaviour on TLS reconnect.
+Origin: upstream, https://community.openvpn.net/openvpn/changeset/13c05ca4e9da88ef30a778c16a97f0c0d767b448/
+Bug: https://community.openvpn.net/openvpn/ticket/887
+Bug-Debian: https://bugs.debian.org/909430
+
+Index: src/openvpn/push.c
+===================================================================
+--- a/src/openvpn/push.c (revision 5d5437710c282b1a60a892d1910160027a81db92)
++++ b/src/openvpn/push.c (revision 13c05ca4e9da88ef30a778c16a97f0c0d767b448)
+@@ -373,6 +373,7 @@
+ if (tls_peer_info_ncp_ver(peer_info) >= 2 && o->ncp_enabled)
+ {
+- /* if we have already created our key, we cannot change our own
+- * cipher, so disable NCP and warn = explain why
++ /* if we have already created our key, we cannot *change* our own
++ * cipher -> so log the fact and push the "what we have now" cipher
++ * (so the client is always told what we expect it to use)
+ */
+ const struct tls_session *session = &tls_multi->session[TM_ACTIVE];
+@@ -381,5 +382,6 @@
+ msg( M_INFO, "PUSH: client wants to negotiate cipher (NCP), but "
+ "server has already generated data channel keys, "
+- "ignoring client request" );
++ "re-sending previously negotiated cipher '%s'",
++ o->ciphername );
+ }
+ else
+@@ -389,6 +391,6 @@
+ char *push_cipher = string_alloc(o->ncp_ciphers, &o->gc);
+ o->ciphername = strtok(push_cipher, ":");
+- push_option_fmt(gc, push_list, M_USAGE, "cipher %s", o->ciphername);
+- }
++ }
++ push_option_fmt(gc, push_list, M_USAGE, "cipher %s", o->ciphername);
+ }
+ else if (o->ncp_enabled)
diff --git a/debian/patches/series b/debian/patches/series
index 4357c69..1c79cca 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -13,3 +13,4 @@ CVE-2017-7520.patch
 CVE-2017-7521.patch
 CVE-2017-7521bis.patch
 812-fix-push-options-digest-update.patch
+887-fix-ncp-on-reconnect.patch
-- 
cgit v1.2.3
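Review bot: With `push_option_fmt(gc, push_list, M_USAGE, "cipher %s", o->ciphername)` moved out of the else branch it now runs on both paths, and on the else path `o->ciphername` is whatever `strtok(push_cipher, ":")` returned, which is NULL when `o->ncp_ciphers` is empty or consists only of separators; a NULL argument for `%s` is undefined behaviour and at best pushes the literal text `cipher (null)` to the peer. Unless option post-processing already guarantees a non-empty ncp-ciphers list, a guard such as `if (!o->ciphername) { msg(M_WARN, "PUSH: no cipher available to push"); return; }` ahead of the push would make a malformed configuration fail loudly instead of reaching the wire. The quoted lines are a quilt patch against src/openvpn/push.c, so the enclosing function there starts and ends outside this hunk, and the return in the suggested guard has to be checked against that function's actual return type. The inner context also keeps `strtok`, whose static state is a known hazard; it predates this commit, but a `strtok_r`/`strsep` equivalent would be the safer form if the patch is ever reworked.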