Fixed bug that incorrectly placed stricter TCP packet replay rules on

UDP sessions when the client daemon was running in UDP/TCP adaptive mode, and transitioned from TCP to UDP. The bug would cause a single dropped packet in UDP mode to trigger a barrage of packet replay errors followed by a disconnect and reconnect. Version 2.1.3r git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7125 e7ae566f-a301-0410-adde-c780ea21d3b5
2024-11-27 11:43:51 +08:00 · 2011-04-02 08:21:28 +00:00 · 2011-04-02 08:21:28 +00:00 · 4d453a1792
commit 4d453a1792
parent ac1310528a
6 changed files with 15 additions and 14 deletions
--- a/init.c
+++ b/init.c
@ -102,13 +102,6 @@ update_options_ce_post (struct options *options)
      options->ping_rec_timeout_action = PING_RESTART;
    }
 #endif
-#ifdef USE_CRYPTO
-  /* 
-   * Don't use replay window for TCP mode (i.e. require that packets be strictly in sequence).
-   */
-  if (link_socket_proto_connection_oriented (options->ce.proto))
-    options->replay_window = options->replay_time = 0;
-#endif
 }

 #if HTTP_PROXY_FALLBACK
@ -1832,8 +1825,11 @@ do_init_crypto_static (struct context *c, const unsigned int flags)
  /* Initialize packet ID tracking */
  if (options->replay)
    {
-      packet_id_init (&c->c2.packet_id, options->replay_window,
-		      options->replay_time, "STATIC", 0);
+      packet_id_init (&c->c2.packet_id,
+		      link_socket_proto_connection_oriented (options->ce.proto),
+		      options->replay_window,
+		      options->replay_time,
+		      "STATIC", 0);
      c->c2.crypto_options.packet_id = &c->c2.packet_id;
      c->c2.crypto_options.pid_persist = &c->c1.pid_persist;
      c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM;
@ -2034,6 +2030,7 @@ do_init_crypto_tls (struct context *c, const unsigned int flags)
  to.replay = options->replay;
  to.replay_window = options->replay_window;
  to.replay_time = options->replay_time;
+  to.tcp_mode = link_socket_proto_connection_oriented (options->ce.proto);
  to.transition_window = options->transition_window;
  to.handshake_window = options->handshake_window;
  to.packet_timeout = options->tls_timeout;
--- a/packet_id.c
+++ b/packet_id.c
@ -70,9 +70,10 @@ packet_id_debug (int msglevel,
 }

 void
-packet_id_init (struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit)
+packet_id_init (struct packet_id *p, bool tcp_mode, int seq_backtrack, int time_backtrack, const char *name, int unit)
 {
-  dmsg (D_PID_DEBUG, "PID packet_id_init seq_backtrack=%d time_backtrack=%d",
+  dmsg (D_PID_DEBUG, "PID packet_id_init tcp_mode=%d seq_backtrack=%d time_backtrack=%d",
+	tcp_mode,
 	seq_backtrack,
 	time_backtrack);

@ -81,7 +82,7 @@ packet_id_init (struct packet_id *p, int seq_backtrack, int time_backtrack, cons

  p->rec.name = name;
  p->rec.unit = unit;
-  if (seq_backtrack)
+  if (seq_backtrack && !tcp_mode)
    {
      ASSERT (MIN_SEQ_BACKTRACK <= seq_backtrack && seq_backtrack <= MAX_SEQ_BACKTRACK);
      ASSERT (MIN_TIME_BACKTRACK <= time_backtrack && time_backtrack <= MAX_TIME_BACKTRACK);
--- a/packet_id.h
+++ b/packet_id.h
@ -210,7 +210,7 @@ struct packet_id
  struct packet_id_rec rec;
 };

-void packet_id_init (struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit);
+void packet_id_init (struct packet_id *p, bool tcp_mode, int seq_backtrack, int time_backtrack, const char *name, int unit);
 void packet_id_free (struct packet_id *p);

 /* should we accept an incoming packet id ? */
--- a/ssl.c
+++ b/ssl.c
@ -2643,6 +2643,7 @@ key_state_init (struct tls_session *session, struct key_state *ks)

  /* init packet ID tracker */
  packet_id_init (&ks->packet_id,
+		  session->opt->tcp_mode,
 		  session->opt->replay_window,
 		  session->opt->replay_time,
 		  "SSL", ks->key_id);
@ -2749,6 +2750,7 @@ tls_session_init (struct tls_multi *multi, struct tls_session *session)

  /* initialize packet ID replay window for --tls-auth */
  packet_id_init (session->tls_auth.packet_id,
+		  session->opt->tcp_mode,
 		  session->opt->replay_window,
 		  session->opt->replay_time,
 		  "TLS_AUTH", session->key_id);
--- a/ssl.h
+++ b/ssl.h
@ -477,6 +477,7 @@ struct tls_options

  int replay_window;                   /* --replay-window parm */
  int replay_time;                     /* --replay-window parm */
+  bool tcp_mode;

  /* packet authentication for TLS handshake */
  struct crypto_options tls_auth;
--- a/version.m4
+++ b/version.m4
@ -1,5 +1,5 @@
 dnl define the OpenVPN version
-define(PRODUCT_VERSION,[2.1.3q])
+define(PRODUCT_VERSION,[2.1.3r])
 dnl define the TAP version
 define(PRODUCT_TAP_ID,[tap0901])
 define(PRODUCT_TAP_WIN32_MIN_MAJOR,[9])