
Bug#988631: unblock: openvpn/2.5.1-3



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package openvpn

This update cherry-picks one further commit from upstream release
2.5.2 to fix a regression in 2.5.x in some situations. I could not
reproduce the issue, it was reported to me privately and I have
forwarded it to Bug#988478.

Additionally it fixes the autopkgtest by adapting the expected
output to the 2.5 upstream series (fix imported from Ubuntu) and
forcing batch mode in easyrsa3.

The problem was not detected in Debian because autopkgtest is not
run on debci (isolation-machine is not provided there), but I think
it would be worth not having broken tests for future stable updates.

[ Reason ]
autopkgtest is not run, cannot migrate on its own.

[ Impact ]
(At least) one user having issues
Future stable-updates harder due to known-broken autopkgtest

[ Tests ]
Testsuite is run during build

[ Risks ]
Patch has been part of an upstream release

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

[ Other info ]

unblock openvpn/2.5.1-3
diff -Nru openvpn-2.5.1/debian/changelog openvpn-2.5.1/debian/changelog
--- openvpn-2.5.1/debian/changelog	2021-04-28 14:41:58.000000000 +0200
+++ openvpn-2.5.1/debian/changelog	2021-05-14 09:40:04.000000000 +0200
@@ -1,3 +1,12 @@
+openvpn (2.5.1-3) unstable; urgency=medium
+
+  * Fix autopkgtest (Closes: #983662)
+    - adapt autopkgtest output to 2.5 (from Ubuntu)
+    - Fix easyrsa batch mode invocation
+  * Cherry-Pick "Fix condition to generate session keys" (Closes: #988478)
+
+ -- Bernhard Schmidt <berni@debian.org>  Fri, 14 May 2021 09:40:04 +0200
+
 openvpn (2.5.1-2) unstable; urgency=high
 
   * Cherry-Pick 3 (+ 1 predependency) patches from upstream to fix
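Review bot: the entry "Cherry-Pick \"Fix condition to generate session keys\" (Closes: #988478)" names only the upstream commit title; the cover mail says it comes from upstream release 2.5.2, and recording that in the changelog line (e.g. "from upstream 2.5.2") lets stable users match the fix against the upstream release notes without opening the patch header.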
diff -Nru openvpn-2.5.1/debian/patches/Fix-condition-to-generate-session-keys.patch openvpn-2.5.1/debian/patches/Fix-condition-to-generate-session-keys.patch
--- openvpn-2.5.1/debian/patches/Fix-condition-to-generate-session-keys.patch	1970-01-01 01:00:00.000000000 +0100
+++ openvpn-2.5.1/debian/patches/Fix-condition-to-generate-session-keys.patch	2021-05-14 09:40:04.000000000 +0200
@@ -0,0 +1,85 @@
+From 227fbc117d58a87465804f7b2a5cd95ef1b94da6 Mon Sep 17 00:00:00 2001
+From: Arne Schwabe <arne@rfc2549.org>
+Date: Sun, 28 Mar 2021 14:02:41 +0200
+Subject: [PATCH] Fix condition to generate session keys
+
+When OpenVPN sees a new (SSL) connection via HARD_RESET or SOFT_RESET with
+the same port/ip as an existing session, it will give it the slot of the
+renegotiation session (TM_UNTRUSTED). And when the authentication
+succeeds it will replace the current session. In the case of a SOFT_RESET
+this a renegotiation and we will generated data channel keys at the of
+key_method_2_write function as key-id > 0.
+
+For a HARD RESET the key-id is 0. Since we already have gone through
+connect stages and set context_auth to CAS_SUCCEEDED, we don't
+call all the connect stages again, and therefore also never call
+multi_client_generate_tls_keys for this session.
+
+This commit changes postponing the key generation to be done only if
+the multi_connect has not yet been finished.
+
+Patch V2: Explain better in the commit message why this change is done.
+
+This is "sort of" a backport of commit a005044be9ca, except that the
+master commit only got 1 of 3 hunks from the mailing list patch merged
+while release/2.5 needs all 3.  So this is exactly the patch as it was
+sent to the list, URL below.
+
+Trac: #1316
+
+Signed-off-by: Arne Schwabe <arne@rfc2549.org>
+Acked-by: Antonio Quartulli <antonio@openvpn.net>
+Acked-by: Gert Doering <gert@greenie.muc.de>
+Message-Id: <20210328120241.27605-2-arne@rfc2549.org>
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21873.html
+Signed-off-by: Gert Doering <gert@greenie.muc.de>
+---
+ src/openvpn/ssl.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
+index d7494c2b3e..8359748b9b 100644
+--- a/src/openvpn/ssl.c
++++ b/src/openvpn/ssl.c
+@@ -2295,7 +2295,8 @@ push_peer_info(struct buffer *buf, struct tls_session *session)
+  * to the TLS control channel (cleartext).
+  */
+ static bool
+-key_method_2_write(struct buffer *buf, struct tls_session *session)
++key_method_2_write(struct buffer *buf, struct tls_multi *multi,
++                   struct tls_session *session)
+ {
+     struct key_state *ks = &session->key[KS_PRIMARY];      /* primary key */
+ 
+@@ -2386,12 +2387,17 @@ key_method_2_write(struct buffer *buf, struct tls_session *session)
+         goto error;
+     }
+ 
+-    /* Generate tunnel keys if we're a TLS server.
+-     * If we're a p2mp server and IV_NCP >= 2 is negotiated, the first key
+-     * generation is postponed until after the pull/push, so we can process pushed
+-     * cipher directives.
++    /*
++     * Generate tunnel keys if we're a TLS server.
++     *
++     * If we're a p2mp server to allow NCP, the first key
++     * generation is postponed until after the connect script finished and the
++     * NCP options can be processed. Since that always happens at after connect
++     * script options are available the CAS_SUCCEEDED status is identical to
++     * NCP options are processed and we have no extra state for NCP finished.
+      */
+-    if (session->opt->server && !(session->opt->mode == MODE_SERVER && ks->key_id <= 0))
++    if (session->opt->server && (session->opt->mode != MODE_SERVER
++            || multi->multi_state == CAS_SUCCEEDED))
+     {
+         if (ks->authenticated > KS_AUTH_FALSE)
+         {
+@@ -2847,7 +2853,7 @@ tls_process(struct tls_multi *multi,
+         if (!buf->len && ((ks->state == S_START && !session->opt->server)
+                           || (ks->state == S_GOT_KEY && session->opt->server)))
+         {
+-            if (!key_method_2_write(buf, session))
++            if (!key_method_2_write(buf, multi, session))
+             {
+                 goto error;
+             }
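Review bot: the commit message says the context is moved to CAS_SUCCEEDED via "context_auth", while the new condition tests `multi->multi_state == CAS_SUCCEEDED`; since the patch is applied verbatim from upstream (it is the exact list submission, as the header states), this is not something to edit locally, but it is worth confirming against the release/2.5 sources that `multi_state` is the field that reaches CAS_SUCCEEDED, as the Debian packaging has no other record of that. Note also that the old `ks->key_id <= 0` test is dropped entirely rather than combined with the new state check, so for MODE_SERVER key generation in key_method_2_write now depends solely on the multi state, and the first-connection case (key_id 0 before connect has finished) relies entirely on the later multi_client_generate_tls_keys path described in the commit message. The replacement comment block ("Since that always happens at after connect script options are available the CAS_SUCCEEDED status is identical to NCP options are processed") is hard to parse; if a follow-up is sent upstream, rewording it to "the connect script always runs before NCP options are processed, so CAS_SUCCEEDED also means NCP options have been processed" would help future readers.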
diff -Nru openvpn-2.5.1/debian/patches/series openvpn-2.5.1/debian/patches/series
--- openvpn-2.5.1/debian/patches/series	2021-04-28 14:41:58.000000000 +0200
+++ openvpn-2.5.1/debian/patches/series	2021-05-14 09:40:04.000000000 +0200
@@ -9,3 +9,4 @@
 CVE-2020-15078-1.patch
 CVE-2020-15078-2.patch
 CVE-2020-15078-3.patch
+Fix-condition-to-generate-session-keys.patch
diff -Nru openvpn-2.5.1/debian/tests/server-setup-with-ca openvpn-2.5.1/debian/tests/server-setup-with-ca
--- openvpn-2.5.1/debian/tests/server-setup-with-ca	2021-04-28 14:41:58.000000000 +0200
+++ openvpn-2.5.1/debian/tests/server-setup-with-ca	2021-05-14 09:40:04.000000000 +0200
@@ -38,10 +38,10 @@
 EOF
 
 info "Setup the CA and the server keys"
-./easyrsa init-pki
-./easyrsa build-ca nopass 2>/dev/null
-./easyrsa build-server-full server nopass 2>/dev/null
-./easyrsa gen-dh 2>/dev/null
+./easyrsa --batch init-pki
+./easyrsa --batch build-ca nopass 2>/dev/null
+./easyrsa --batch build-server-full server nopass 2>/dev/null
+./easyrsa --batch gen-dh 2>/dev/null
 
 info "Create the OpenVPN server config file"
 cat << EOF > /etc/openvpn/server.conf
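Review bot: `--batch` removes the interactive prompts, but each step still carries `2>/dev/null`, so a failing `build-ca`, `build-server-full` or `gen-dh` is hidden and only surfaces later when the server fails to start and the log greps fail with no hint why. Unless the script runs under `set -e`, consider dropping the redirection now that the prompts are gone, or checking the exit status of each step, e.g. `./easyrsa --batch build-ca nopass || exit 1`.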
@@ -75,10 +75,10 @@
 cat $LOG_FILE | grep 'Diffie-Hellman initialized'
 
 info "Check if the $DEVICE is linked"
-cat $LOG_FILE | grep "/sbin/ip link set dev $DEVICE up"
+cat $LOG_FILE | grep "net_iface_up: set $DEVICE up"
 
 info "Check if the network route was correctly configured"
-cat $LOG_FILE | grep "/sbin/ip route add $IP_NETWORK/24"
+cat $LOG_FILE | grep "net_route_v4_add: $IP_NETWORK/24 via"
 
 info "Check if the Initialization Sequence completed"
 cat $LOG_FILE | grep 'Initialization Sequence Completed'
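Review bot: the new patterns `net_iface_up: set $DEVICE up` and `net_route_v4_add: $IP_NETWORK/24 via` are still matched as basic regular expressions, so the unescaped dots in `$IP_NETWORK` match any character and a false positive is possible on a similar address; `grep -F` would match the expanded string literally. The trailing `via` is a prefix match by design, which is fine, but `grep -F -- "..."` also protects against a pattern starting with `-`. The `cat $LOG_FILE | grep` form is pre-existing and could become `grep -F "..." "$LOG_FILE"` in the same change.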
diff -Nru openvpn-2.5.1/debian/tests/server-setup-with-static-key openvpn-2.5.1/debian/tests/server-setup-with-static-key
--- openvpn-2.5.1/debian/tests/server-setup-with-static-key	2021-04-28 14:41:58.000000000 +0200
+++ openvpn-2.5.1/debian/tests/server-setup-with-static-key	2021-05-14 09:40:04.000000000 +0200
@@ -50,10 +50,10 @@
 cat $LOG_FILE | grep "shared_secret_file = '$CONFIG_DIR/$STATIC_KEY'"
 
 info "Check if the $DEVICE is linked"
-cat $LOG_FILE | grep "/sbin/ip link set dev $DEVICE up"
+cat $LOG_FILE | grep "net_iface_up: set $DEVICE up"
 
 info "Check if the specified IP addresses were configured"
-cat $LOG_FILE | grep "/sbin/ip addr add dev tun0 local $IP_SERVER peer $IP_CLIENT"
+cat $LOG_FILE | grep "net_addr_ptp_v4_add: $IP_SERVER peer $IP_CLIENT dev tun0"
 
 # Clean up: kill tha OpenVPN process, remove the $DEVICE created and $STATIC_KEY
 cleanup() {
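Review bot: the new pattern `net_addr_ptp_v4_add: $IP_SERVER peer $IP_CLIENT dev tun0` hardcodes `tun0`, while the check two lines above uses `$DEVICE`; the replaced line had the same hardcoding, but since this line is being rewritten anyway, `dev $DEVICE` keeps the two checks consistent and avoids a silent break if the device name in the test changes. As with the other test file, `grep -F` would match the dotted addresses literally.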
