Fixed bug that incorrectly placed stricter TCP packet replay rules on

UDP sessions when the client daemon was running in UDP/TCP adaptive
mode, and transitioned from TCP to UDP.

The bug would cause a single dropped packet in UDP mode to trigger a
barrage of packet replay errors followed by a disconnect and
reconnect.

Version 2.1.3r

git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7125 e7ae566f-a301-0410-adde-c780ea21d3b5

diff --git a/init.c b/init.c
index a1a1a8fe3ae4e26f8b6260a56ad8a645f257ad16..ef09e8e66b242b2653853cb30785410af419e112 100644 (file)
--- a/init.c
+++ b/init.c
@@ -102,13 +102,6 @@ update_options_ce_post (struct options *options)
       options->ping_rec_timeout_action = PING_RESTART;
     }
 #endif
-#ifdef USE_CRYPTO
-  /* 
-   * Don't use replay window for TCP mode (i.e. require that packets be strictly in sequence).
-   */
-  if (link_socket_proto_connection_oriented (options->ce.proto))
-    options->replay_window = options->replay_time = 0;
-#endif
 }
 
 #if HTTP_PROXY_FALLBACK
@@ -1832,8 +1825,11 @@ do_init_crypto_static (struct context *c, const unsigned int flags)
   /* Initialize packet ID tracking */
   if (options->replay)
     {
-      packet_id_init (&c->c2.packet_id, options->replay_window,
-                     options->replay_time, "STATIC", 0);
+      packet_id_init (&c->c2.packet_id,
+                     link_socket_proto_connection_oriented (options->ce.proto),
+                     options->replay_window,
+                     options->replay_time,
+                     "STATIC", 0);
       c->c2.crypto_options.packet_id = &c->c2.packet_id;
       c->c2.crypto_options.pid_persist = &c->c1.pid_persist;
       c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM;
@@ -2034,6 +2030,7 @@ do_init_crypto_tls (struct context *c, const unsigned int flags)
   to.replay = options->replay;
   to.replay_window = options->replay_window;
   to.replay_time = options->replay_time;
+  to.tcp_mode = link_socket_proto_connection_oriented (options->ce.proto);
   to.transition_window = options->transition_window;
   to.handshake_window = options->handshake_window;
   to.packet_timeout = options->tls_timeout;

diff --git a/packet_id.c b/packet_id.c
index f38c1212703092c500b76a8cc2ffafed98ac5ce5..9bbfbf32c2080d78224b8474d89426dea6fac1b6 100644 (file)
--- a/packet_id.c
+++ b/packet_id.c
@@ -70,9 +70,10 @@ packet_id_debug (int msglevel,
 }
 
 void
-packet_id_init (struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit)
+packet_id_init (struct packet_id *p, bool tcp_mode, int seq_backtrack, int time_backtrack, const char *name, int unit)
 {
-  dmsg (D_PID_DEBUG, "PID packet_id_init seq_backtrack=%d time_backtrack=%d",
+  dmsg (D_PID_DEBUG, "PID packet_id_init tcp_mode=%d seq_backtrack=%d time_backtrack=%d",
+       tcp_mode,
        seq_backtrack,
        time_backtrack);
 
@@ -81,7 +82,7 @@ packet_id_init (struct packet_id *p, int seq_backtrack, int time_backtrack, cons
 
   p->rec.name = name;
   p->rec.unit = unit;
-  if (seq_backtrack)
+  if (seq_backtrack && !tcp_mode)
     {
       ASSERT (MIN_SEQ_BACKTRACK <= seq_backtrack && seq_backtrack <= MAX_SEQ_BACKTRACK);
       ASSERT (MIN_TIME_BACKTRACK <= time_backtrack && time_backtrack <= MAX_TIME_BACKTRACK);

diff --git a/packet_id.h b/packet_id.h
index 1c341f79bdff6051bd493476caf823ccd3e554d8..7f4be8acb1e60a7d7a67dd159755d4ece889ddb7 100644 (file)
--- a/packet_id.h
+++ b/packet_id.h
@@ -210,7 +210,7 @@ struct packet_id
   struct packet_id_rec rec;
 };
 
-void packet_id_init (struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit);
+void packet_id_init (struct packet_id *p, bool tcp_mode, int seq_backtrack, int time_backtrack, const char *name, int unit);
 void packet_id_free (struct packet_id *p);
 
 /* should we accept an incoming packet id ? */

diff --git a/ssl.c b/ssl.c
index bbb9701c3e0fb2908b3702aa9199280bf0d0137d..572d8e25ff3a23a26e21aa45956ba9ae1c5b6867 100644 (file)
--- a/ssl.c
+++ b/ssl.c
@@ -2643,6 +2643,7 @@ key_state_init (struct tls_session *session, struct key_state *ks)
 
   /* init packet ID tracker */
   packet_id_init (&ks->packet_id,
+                 session->opt->tcp_mode,
                  session->opt->replay_window,
                  session->opt->replay_time,
                  "SSL", ks->key_id);
@@ -2749,6 +2750,7 @@ tls_session_init (struct tls_multi *multi, struct tls_session *session)
 
   /* initialize packet ID replay window for --tls-auth */
   packet_id_init (session->tls_auth.packet_id,
+                 session->opt->tcp_mode,
                  session->opt->replay_window,
                  session->opt->replay_time,
                  "TLS_AUTH", session->key_id);

diff --git a/ssl.h b/ssl.h
index 82d9c128b01f76cbb69cfe8a5a2734202f8911df..eca3922f7628e48ba67ab45a6aa16293e99fd795 100644 (file)
--- a/ssl.h
+++ b/ssl.h
@@ -477,6 +477,7 @@ struct tls_options
 
   int replay_window;                   /* --replay-window parm */
   int replay_time;                     /* --replay-window parm */
+  bool tcp_mode;
 
   /* packet authentication for TLS handshake */
   struct crypto_options tls_auth;

diff --git a/version.m4 b/version.m4
index b539d1aed4600a71e5534711bf646aff65962c19..97447b7fdbea96a5d718a75c39b348634ff7c8ef 100644 (file)
--- a/version.m4
+++ b/version.m4
@@ -1,5 +1,5 @@
 dnl define the OpenVPN version
-define(PRODUCT_VERSION,[2.1.3q])
+define(PRODUCT_VERSION,[2.1.3r])
 dnl define the TAP version
 define(PRODUCT_TAP_ID,[tap0901])
 define(PRODUCT_TAP_WIN32_MIN_MAJOR,[9])