Your message dated Sat, 16 Feb 2019 11:36:33 +0000
with message-id <1550316993.21192.50.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in 9.8
has caused the Debian Bug report #913529,
regarding stretch-pu: package openvpn/2.4.0-6+deb9u3
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
913529: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913529
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu
Hi,
I'd like to fix a bug for OpenVPN in Stretch that causes crypto negotiation
errors on reconnection (i.e. one side goes away due to an unstable connection or
reboot).
The patch is one line being moved (plus logging and comments), and has been
included in the upstream 2.4.3 release for quite a while. The fix has been
tested by one of the original reporters.
Fixes #909430 and #910937
Debdiff attached.
Thanks,
Bernhard
diff -Nru openvpn-2.4.0/debian/changelog openvpn-2.4.0/debian/changelog
--- openvpn-2.4.0/debian/changelog 2017-07-18 22:15:17.000000000 +0200
+++ openvpn-2.4.0/debian/changelog 2018-10-14 22:55:44.000000000 +0200
@@ -1,3 +1,10 @@
+openvpn (2.4.0-6+deb9u3) stretch; urgency=medium
+
+ * Fix NCP behaviour on TLS reconnect, causing "AEAD Decrypt error: cipher
+ final failed" errors (Closes: #909430, #910937)
+
+ -- Bernhard Schmidt <be...@debian.org> Sun, 14 Oct 2018 22:55:44 +0200
+
openvpn (2.4.0-6+deb9u2) stretch; urgency=medium
* Fix broken reconnect on connection loss due to wrong push digest
calculation.
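Review bot: The new 2.4.0-6+deb9u3 entry does not say where the fix comes from or which patch carries it. Consider naming debian/patches/887-fix-ncp-on-reconnect.patch and noting that it is a backport of the upstream change, so a later reader of the changelog can map the "AEAD Decrypt error: cipher final failed" symptom to the exact patch without opening the debdiff.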
diff -Nru openvpn-2.4.0/debian/patches/887-fix-ncp-on-reconnect.patch
openvpn-2.4.0/debian/patches/887-fix-ncp-on-reconnect.patch
--- openvpn-2.4.0/debian/patches/887-fix-ncp-on-reconnect.patch 1970-01-01
01:00:00.000000000 +0100
+++ openvpn-2.4.0/debian/patches/887-fix-ncp-on-reconnect.patch 2018-10-14
22:55:44.000000000 +0200
@@ -0,0 +1,37 @@
+From: Gert Döring <g...@greenie.muc.de>
+Subject: Fix NCP behaviour on TLS reconnect.
+Origin: upstream,
https://community.openvpn.net/openvpn/changeset/13c05ca4e9da88ef30a778c16a97f0c0d767b448/
+Bug: https://community.openvpn.net/openvpn/ticket/887
+Bug-Debian: https://bugs.debian.org/909430
+
+Index: src/openvpn/push.c
+===================================================================
+--- a/src/openvpn/push.c (revision
5d5437710c282b1a60a892d1910160027a81db92)
++++ b/src/openvpn/push.c (revision
13c05ca4e9da88ef30a778c16a97f0c0d767b448)
+@@ -373,6 +373,7 @@
+ if (tls_peer_info_ncp_ver(peer_info) >= 2 && o->ncp_enabled)
+ {
+- /* if we have already created our key, we cannot change our own
+- * cipher, so disable NCP and warn = explain why
++ /* if we have already created our key, we cannot *change* our own
++ * cipher -> so log the fact and push the "what we have now" cipher
++ * (so the client is always told what we expect it to use)
+ */
+ const struct tls_session *session = &tls_multi->session[TM_ACTIVE];
+@@ -381,5 +382,6 @@
+ msg( M_INFO, "PUSH: client wants to negotiate cipher (NCP), but "
+ "server has already generated data channel keys, "
+- "ignoring client request" );
++ "re-sending previously negotiated cipher '%s'",
++ o->ciphername );
+ }
+ else
+@@ -389,6 +391,6 @@
+ char *push_cipher = string_alloc(o->ncp_ciphers, &o->gc);
+ o->ciphername = strtok(push_cipher, ":");
+- push_option_fmt(gc, push_list, M_USAGE, "cipher %s",
o->ciphername);
+- }
++ }
++ push_option_fmt(gc, push_list, M_USAGE, "cipher %s", o->ciphername);
+ }
+ else if (o->ncp_enabled)
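Review bot: In the last inner hunk (@@ -389,6 +391,6 @@), push_option_fmt(gc, push_list, M_USAGE, "cipher %s", o->ciphername) now also runs on the "server has already generated data channel keys" path, yet the visible lines only assign o->ciphername in the else branch (via strtok on o->ncp_ciphers). Please confirm that on the reconnect path o->ciphername is always non-NULL and is the cipher the existing keys were generated with, since it is passed to %s both in the new M_INFO message and in the pushed option, and a different value there would leave client and server on different ciphers. A smaller point on the header: it lists Bug-Debian only for 909430 while the changelog also closes #910937, so a second Bug-Debian line would keep the two consistent.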
diff -Nru openvpn-2.4.0/debian/patches/series
openvpn-2.4.0/debian/patches/series
--- openvpn-2.4.0/debian/patches/series 2017-07-18 22:15:17.000000000 +0200
+++ openvpn-2.4.0/debian/patches/series 2018-10-14 22:55:44.000000000 +0200
@@ -13,3 +13,4 @@
CVE-2017-7521.patch
CVE-2017-7521bis.patch
812-fix-push-options-digest-update.patch
+887-fix-ncp-on-reconnect.patch
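Review bot: The new patch is appended directly after 812-fix-push-options-digest-update.patch, which by its name also changes push handling. Since 887-fix-ncp-on-reconnect.patch uses upstream line offsets (373, 381 and 389 in src/openvpn/push.c), please confirm it applies on top of the 812 patch without fuzz or offset warnings, and refresh it against the patched tree if it does not.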
--- End Message ---
--- Begin Message ---
Version: 9.8
Hi,
The update referenced by each of these bugs was included in this
morning's stretch point release.
Regards,
Adam
--- End Message ---