Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package openvpn

I've been contacted by a big Debian & OpenVPN user about a bug present in Stretch's OpenVPN version and fixed 2 minor reviews later. The bug was reported upstream [1] and results in clients not able to use the VPN after several reconnects. The patch seems nice and clear [2] (and applies cleanly). The bug impact could be substantial. The fixed package (2.4.0-6) has been tested by the aforementioned user (that could reproduce the bug in previous versions).

[1] https://community.openvpn.net/openvpn/ticket/879
[2] https://community.openvpn.net/openvpn/changeset/03d01f4f69cfc6768343b9f0f2dde2049e4882d2/

unblock openvpn/2.4.0-6

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru openvpn-2.4.0/debian/changelog openvpn-2.4.0/debian/changelog --- openvpn-2.4.0/debian/changelog 2017-05-11 14:15:21.000000000 +0200 +++ openvpn-2.4.0/debian/changelog 2017-05-22 14:59:49.000000000 +0200 @@ -1,3 +1,10 @@ +openvpn (2.4.0-6) unstable; urgency=medium + + * Apply upstream patch to fix shrinking MTU sizes on reconnects causing not + usable VPN tunnels. + + -- Alberto Gonzalez Iniesta <a...@inittab.org> Mon, 22 May 2017 14:59:49 +0200 + openvpn (2.4.0-5) unstable; urgency=high * Change typo fix in command line help. diff -Nru openvpn-2.4.0/debian/patches/series openvpn-2.4.0/debian/patches/series --- openvpn-2.4.0/debian/patches/series 2017-05-11 14:15:21.000000000 +0200 +++ openvpn-2.4.0/debian/patches/series 2017-05-22 14:57:31.000000000 +0200 @@ -7,3 +7,4 @@ CVE-2017-7479-prereq.patch CVE-2017-7479.patch wipe_tokens_on_de-auth.patch +upstream-issue-879.patch diff -Nru openvpn-2.4.0/debian/patches/upstream-issue-879.patch openvpn-2.4.0/debian/patches/upstream-issue-879.patch --- openvpn-2.4.0/debian/patches/upstream-issue-879.patch 1970-01-01 01:00:00.000000000 +0100 +++ openvpn-2.4.0/debian/patches/upstream-issue-879.patch 2017-05-22 14:59:14.000000000 +0200 
@@ -0,0 +1,87 @@ +Index: openvpn/src/openvpn/forward.c +=================================================================== +--- openvpn.orig/src/openvpn/forward.c 2017-05-22 14:59:09.634938195 +0200 ++++ openvpn/src/openvpn/forward.c 2017-05-22 14:59:09.630937170 +0200 +@@ -866,9 +866,16 @@ + * will load crypto_options with the correct encryption key + * and return false. + */ ++ uint8_t opcode = *BPTR(&c->c2.buf) >> P_OPCODE_SHIFT; + if (tls_pre_decrypt(c->c2.tls_multi, &c->c2.from, &c->c2.buf, &co, + floated, &ad_start)) + { ++ /* Restore pre-NCP frame parameters */ ++ if (is_hard_reset(opcode, c->options.key_method)) ++ { ++ c->c2.frame = c->c2.frame_initial; ++ } ++ + interval_action(&c->c2.tmp_int); + + /* reset packet received timer if TLS packet */ +Index: openvpn/src/openvpn/init.c +=================================================================== +--- openvpn.orig/src/openvpn/init.c 2017-05-22 14:59:09.634938195 +0200 ++++ openvpn/src/openvpn/init.c 2017-05-22 14:59:09.634938195 +0200 +@@ -4055,6 +4055,8 @@ + c->c2.did_open_tun = do_open_tun(c); + } + ++ c->c2.frame_initial = c->c2.frame; ++ + /* print MTU info */ + do_print_data_channel_mtu_parms(c); + +Index: openvpn/src/openvpn/openvpn.h +=================================================================== +--- openvpn.orig/src/openvpn/openvpn.h 2017-05-22 14:59:09.634938195 +0200 ++++ openvpn/src/openvpn/openvpn.h 2017-05-22 14:59:09.634938195 +0200 +@@ -263,7 +263,8 @@ + struct link_socket_actual from; /* address of incoming datagram */ + + /* MTU frame parameters */ +- struct frame frame; ++ struct frame frame; /* Active frame parameters */ ++ struct frame frame_initial; /* Restored on new session */ + + #ifdef ENABLE_FRAGMENT + /* Object to handle advanced MTU negotiation and datagram fragmentation */ +Index: openvpn/src/openvpn/ssl.c +=================================================================== +--- openvpn.orig/src/openvpn/ssl.c 2017-05-22 14:59:09.634938195 +0200 ++++ 
openvpn/src/openvpn/ssl.c 2017-05-22 14:59:09.634938195 +0200 +@@ -830,14 +830,7 @@ + return BSTR(&out); + } + +-/* +- * Given a key_method, return true if op +- * represents the required form of hard_reset. +- * +- * If key_method = 0, return true if any +- * form of hard reset is used. +- */ +-static bool ++bool + is_hard_reset(int op, int key_method) + { + if (!key_method || key_method == 1) +Index: openvpn/src/openvpn/ssl.h +=================================================================== +--- openvpn.orig/src/openvpn/ssl.h 2017-05-22 14:59:09.634938195 +0200 ++++ openvpn/src/openvpn/ssl.h 2017-05-22 14:59:09.634938195 +0200 +@@ -591,6 +591,14 @@ + /*#define EXTRACT_X509_FIELD_TEST*/ + void extract_x509_field_test(void); + ++/** ++ * Given a key_method, return true if opcode represents the required form of ++ * hard_reset. ++ * ++ * If key_method == 0, return true if any form of hard reset is used. ++ */ ++bool is_hard_reset(int op, int key_method); ++ + #endif /* ENABLE_CRYPTO */ + + #endif /* ifndef OPENVPN_SSL_H */
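Review bot: the debian/changelog entry for 2.4.0-6 describes the symptom ("shrinking MTU sizes on reconnects") but does not name the upstream ticket, even though the patch file is called upstream-issue-879.patch and the request cites https://community.openvpn.net/openvpn/ticket/879; add the ticket reference to the entry (for example "(upstream ticket #879)") so the reason for the change can be found from the changelog alone, and consider rewording "causing not usable VPN tunnels" to "leaving the VPN tunnel unusable".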
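Review bot: debian/patches/upstream-issue-879.patch begins directly with `Index: openvpn/src/openvpn/forward.c` and carries no DEP-3 header; add `Origin:` pointing at the upstream changeset 03d01f4f69cfc6768343b9f0f2dde2049e4882d2 cited in the request, `Bug:` with the ticket 879 URL, and a one-line `Description:`, so the patch's provenance is recorded for whoever next rebases the stretch package, including for security updates.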
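Review bot: in the forward.c hunk the opcode is taken with `*BPTR(&c->c2.buf) >> P_OPCODE_SHIFT` before `tls_pre_decrypt` has validated the packet, so the `c->c2.frame = c->c2.frame_initial` restore is keyed on an unauthenticated first byte of any control packet that tls_pre_decrypt then accepts; the effect is limited to resetting the frame to its startup value, but the hunk's context shows no non-empty-buffer check before that dereference, so confirm the caller guarantees `buf.len > 0` on this path and extend the "Restore pre-NCP frame parameters" comment with a sentence on why keying off the raw opcode is acceptable.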
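Review bot: the new `bool is_hard_reset(int op, int key_method);` prototype in ssl.h sits inside the `#ifdef ENABLE_CRYPTO` region (the hunk ends at `#endif /* ENABLE_CRYPTO */`), while the ssl.c hunk only drops `static` from the definition; make sure the new call site in forward.c is compiled under the same guard, otherwise a build without ENABLE_CRYPTO gets an implicit declaration of the function. Moving the doc comment from ssl.c to the header is the right place for it now that the function is exported.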