path: root/debian/patches/upstream-issue-879.patch
Index: openvpn/src/openvpn/forward.c
===================================================================
--- openvpn.orig/src/openvpn/forward.c	2017-05-22 14:59:09.634938195 +0200
+++ openvpn/src/openvpn/forward.c	2017-05-22 14:59:09.630937170 +0200
@@ -866,9 +866,16 @@
              * will load crypto_options with the correct encryption key
              * and return false.
              */
+            uint8_t opcode = *BPTR(&c->c2.buf) >> P_OPCODE_SHIFT;
             if (tls_pre_decrypt(c->c2.tls_multi, &c->c2.from, &c->c2.buf, &co,
                                 floated, &ad_start))
             {
+                /* Restore pre-NCP frame parameters */
+                if (is_hard_reset(opcode, c->options.key_method))
+                {
+                    c->c2.frame = c->c2.frame_initial;
+                }
+
                 interval_action(&c->c2.tmp_int);
 
                 /* reset packet received timer if TLS packet */
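Review bot: The new `opcode` line dereferences `BPTR(&c->c2.buf)` before `tls_pre_decrypt()` has examined the packet, and nothing in the visible lines shows that the buffer holds at least one byte at that point. The enclosing block starts outside the hunk, so a length check may already exist above; if it does not, guard the read, e.g. `uint8_t opcode = BLEN(&c->c2.buf) > 0 ? *BPTR(&c->c2.buf) >> P_OPCODE_SHIFT : 0;` (assuming 0 is never a hard-reset opcode). It is also worth confirming that a true return from `tls_pre_decrypt()` means the hard reset was actually accepted as a new session. The opcode is taken from an unauthenticated byte, and restoring `c->c2.frame` for a packet that did not start a new session would leave the frame out of step with the negotiated data channel.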
Index: openvpn/src/openvpn/init.c
===================================================================
--- openvpn.orig/src/openvpn/init.c	2017-05-22 14:59:09.634938195 +0200
+++ openvpn/src/openvpn/init.c	2017-05-22 14:59:09.634938195 +0200
@@ -4055,6 +4055,8 @@
         c->c2.did_open_tun = do_open_tun(c);
     }
 
+    c->c2.frame_initial = c->c2.frame;
+
     /* print MTU info */
     do_print_data_channel_mtu_parms(c);
 
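Review bot: The `c->c2.frame_initial = c->c2.frame;` assignment has no comment explaining why the copy is taken at this exact point, yet its correctness depends on ordering. It has to run after the frame is finalized and before anything adjusts it for a negotiated cipher. I would add `/* Snapshot the pre-NCP frame; forward.c copies it back into c2.frame on a hard reset */` directly above it. The enclosing function starts and ends outside the hunk, so whether later code in it still modifies `c->c2.frame` cannot be checked from here.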
Index: openvpn/src/openvpn/openvpn.h
===================================================================
--- openvpn.orig/src/openvpn/openvpn.h	2017-05-22 14:59:09.634938195 +0200
+++ openvpn/src/openvpn/openvpn.h	2017-05-22 14:59:09.634938195 +0200
@@ -263,7 +263,8 @@
     struct link_socket_actual from;             /* address of incoming datagram */
 
     /* MTU frame parameters */
-    struct frame frame;
+    struct frame frame;                         /* Active frame parameters */
+    struct frame frame_initial;                 /* Restored on new session */
 
 #ifdef ENABLE_FRAGMENT
     /* Object to handle advanced MTU negotiation and datagram fragmentation */
Index: openvpn/src/openvpn/ssl.c
===================================================================
--- openvpn.orig/src/openvpn/ssl.c	2017-05-22 14:59:09.634938195 +0200
+++ openvpn/src/openvpn/ssl.c	2017-05-22 14:59:09.634938195 +0200
@@ -830,14 +830,7 @@
     return BSTR(&out);
 }
 
-/*
- * Given a key_method, return true if op
- * represents the required form of hard_reset.
- *
- * If key_method = 0, return true if any
- * form of hard reset is used.
- */
-static bool
+bool
 is_hard_reset(int op, int key_method)
 {
     if (!key_method || key_method == 1)
Index: openvpn/src/openvpn/ssl.h
===================================================================
--- openvpn.orig/src/openvpn/ssl.h	2017-05-22 14:59:09.634938195 +0200
+++ openvpn/src/openvpn/ssl.h	2017-05-22 14:59:09.634938195 +0200
@@ -591,6 +591,14 @@
 /*#define EXTRACT_X509_FIELD_TEST*/
 void extract_x509_field_test(void);
 
+/**
+ * Given a key_method, return true if opcode represents the required form of
+ * hard_reset.
+ *
+ * If key_method == 0, return true if any form of hard reset is used.
+ */
+bool is_hard_reset(int op, int key_method);
+
 #endif /* ENABLE_CRYPTO */
 
 #endif /* ifndef OPENVPN_SSL_H */
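Review bot: The Doxygen block for `is_hard_reset()` refers to `opcode` while the parameter is named `op`, and it carries no `@param`/`@return` tags even though the function is now declared in a shared header. Suggest `@param op` (packet opcode already shifted by `P_OPCODE_SHIFT`, as the forward.c caller passes it), `@param key_method`, and `@return true if op is a hard reset valid for key_method`. The ssl.c definition visibly tests `!key_method || key_method == 1` first, so the comment could also say how non-zero key methods are treated; the rest of that body is outside the hunk.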