Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu
Hi,

I'd like to fix a bug for OpenVPN in Stretch that causes crypto negotiation errors on reconnection (i.e. one side goes away due to an unstable connection or reboot). The patch is one line being moved (plus logging and comments), and has been included in the upstream 2.4.3 release for quite a while. The fix has been tested by one of the original reporters.

Fixes #909430 and #910937

Debdiff attached.

Thanks,
Bernhard
diff -Nru openvpn-2.4.0/debian/changelog openvpn-2.4.0/debian/changelog --- openvpn-2.4.0/debian/changelog 2017-07-18 22:15:17.000000000 +0200 +++ openvpn-2.4.0/debian/changelog 2018-10-14 22:55:44.000000000 +0200 @@ -1,3 +1,10 @@ +openvpn (2.4.0-6+deb9u3) stretch; urgency=medium + + * Fix NCP behaviour on TLS reconnect, causing "AEAD Decrypt error: cipher + final failed" errors (Closes: #909430, #910937) + + -- Bernhard Schmidt <be...@debian.org> Sun, 14 Oct 2018 22:55:44 +0200 + openvpn (2.4.0-6+deb9u2) stretch; urgency=medium * Fix broken reconnect on connection loss due to wrong push digest calculation. diff -Nru openvpn-2.4.0/debian/patches/887-fix-ncp-on-reconnect.patch openvpn-2.4.0/debian/patches/887-fix-ncp-on-reconnect.patch --- openvpn-2.4.0/debian/patches/887-fix-ncp-on-reconnect.patch 1970-01-01 01:00:00.000000000 +0100 +++ openvpn-2.4.0/debian/patches/887-fix-ncp-on-reconnect.patch 2018-10-14 22:55:44.000000000 +0200 
@@ -0,0 +1,37 @@ +From: Gert Döring <g...@greenie.muc.de> +Subject: Fix NCP behaviour on TLS reconnect. +Origin: upstream, https://community.openvpn.net/openvpn/changeset/13c05ca4e9da88ef30a778c16a97f0c0d767b448/ +Bug: https://community.openvpn.net/openvpn/ticket/887 +Bug-Debian: https://bugs.debian.org/909430 + +Index: src/openvpn/push.c +=================================================================== +--- a/src/openvpn/push.c (revision 5d5437710c282b1a60a892d1910160027a81db92) ++++ b/src/openvpn/push.c (revision 13c05ca4e9da88ef30a778c16a97f0c0d767b448) +@@ -373,6 +373,7 @@ + if (tls_peer_info_ncp_ver(peer_info) >= 2 && o->ncp_enabled) + { +- /* if we have already created our key, we cannot change our own +- * cipher, so disable NCP and warn = explain why ++ /* if we have already created our key, we cannot *change* our own ++ * cipher -> so log the fact and push the "what we have now" cipher ++ * (so the client is always told what we expect it to use) + */ + const struct tls_session *session = &tls_multi->session[TM_ACTIVE]; +@@ -381,5 +382,6 @@ + msg( M_INFO, "PUSH: client wants to negotiate cipher (NCP), but " + "server has already generated data channel keys, " +- "ignoring client request" ); ++ "re-sending previously negotiated cipher '%s'", ++ o->ciphername ); + } + else +@@ -389,6 +391,6 @@ + char *push_cipher = string_alloc(o->ncp_ciphers, &o->gc); + o->ciphername = strtok(push_cipher, ":"); +- push_option_fmt(gc, push_list, M_USAGE, "cipher %s", o->ciphername); +- } ++ } ++ push_option_fmt(gc, push_list, M_USAGE, "cipher %s", o->ciphername); + } + else if (o->ncp_enabled) diff -Nru openvpn-2.4.0/debian/patches/series openvpn-2.4.0/debian/patches/series --- openvpn-2.4.0/debian/patches/series 2017-07-18 22:15:17.000000000 +0200 +++ openvpn-2.4.0/debian/patches/series 2018-10-14 22:55:44.000000000 +0200 @@ -13,3 +13,4 @@ CVE-2017-7521.patch CVE-2017-7521bis.patch 812-fix-push-options-digest-update.patch +887-fix-ncp-on-reconnect.patch
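Review bot: In the push.c hunk at @@ -389,6 +391,6 the moved call push_option_fmt(gc, push_list, M_USAGE, "cipher %s", o->ciphername); now runs on both sides of the if/else, including the "server has already generated data channel keys" path, where o->ciphername is whatever the earlier negotiation left in place rather than something assigned in this block. That is the behaviour the changelog describes, but a one-line comment above the moved call saying the push is intentional on both paths would stop a later reader from taking the call outside the else for a merge slip.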
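Review bot: The Bug-Debian: header in 887-fix-ncp-on-reconnect.patch lists only https://bugs.debian.org/909430, while the changelog entry closes both #909430 and #910937; DEP-3 allows the field to be repeated, so add a second Bug-Debian: line for 910937 so both reports are traceable from the patch itself.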
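Review bot: The changelog entry names the symptom ("AEAD Decrypt error: cipher final failed") but not that the change is a backport; the patch header already carries Origin: upstream with changeset 13c05ca4e9da88ef30a778c16a97f0c0d767b448, and the cover mail says it shipped in upstream 2.4.3, so a short "backport of upstream commit 13c05ca4 (2.4.3)" in the changelog would let the release team match it without opening the patch.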