From 4d453a1792b04f01a8c313157402ce0501ae809c Mon Sep 17 00:00:00 2001 From: James Yonan Date: Sat, 2 Apr 2011 08:21:28 +0000 Subject: Fixed bug that incorrectly placed stricter TCP packet replay rules on UDP sessions when the client daemon was running in UDP/TCP adaptive mode, and transitioned from TCP to UDP. The bug would cause a single dropped packet in UDP mode to trigger a barrage of packet replay errors followed by a disconnect and reconnect. Version 2.1.3r git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7125 e7ae566f-a301-0410-adde-c780ea21d3b5 --- init.c | 15 ++++++--------- packet_id.c | 7 ++++--- packet_id.h | 2 +- ssl.c | 2 ++ ssl.h | 1 + version.m4 | 2 +- 6 files changed, 15 insertions(+), 14 deletions(-) diff --git a/init.c b/init.c index a1a1a8f..ef09e8e 100644 --- a/init.c +++ b/init.c @@ -102,13 +102,6 @@ update_options_ce_post (struct options *options) options->ping_rec_timeout_action = PING_RESTART; } #endif -#ifdef USE_CRYPTO - /* - * Don't use replay window for TCP mode (i.e. require that packets be strictly in sequence). - */ - if (link_socket_proto_connection_oriented (options->ce.proto)) - options->replay_window = options->replay_time = 0; -#endif } #if HTTP_PROXY_FALLBACK @@ -1832,8 +1825,11 @@ do_init_crypto_static (struct context *c, const unsigned int flags) /* Initialize packet ID tracking */ if (options->replay) { - packet_id_init (&c->c2.packet_id, options->replay_window, - options->replay_time, "STATIC", 0); + packet_id_init (&c->c2.packet_id, + link_socket_proto_connection_oriented (options->ce.proto), + options->replay_window, + options->replay_time, + "STATIC", 0); c->c2.crypto_options.packet_id = &c->c2.packet_id; c->c2.crypto_options.pid_persist = &c->c1.pid_persist; c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM; @@ -2034,6 +2030,7 @@ do_init_crypto_tls (struct context *c, const unsigned int flags) to.replay = options->replay; to.replay_window = options->replay_window; to.replay_time = options->replay_time; + to.tcp_mode = link_socket_proto_connection_oriented (options->ce.proto); to.transition_window = options->transition_window; to.handshake_window = options->handshake_window; to.packet_timeout = options->tls_timeout; diff --git a/packet_id.c b/packet_id.c index f38c121..9bbfbf3 100644 --- a/packet_id.c +++ b/packet_id.c @@ -70,9 +70,10 @@ packet_id_debug (int msglevel, } void -packet_id_init (struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit) +packet_id_init (struct packet_id *p, bool tcp_mode, int seq_backtrack, int time_backtrack, const char *name, int unit) { - dmsg (D_PID_DEBUG, "PID packet_id_init seq_backtrack=%d time_backtrack=%d", + dmsg (D_PID_DEBUG, "PID packet_id_init tcp_mode=%d seq_backtrack=%d time_backtrack=%d", + tcp_mode, seq_backtrack, time_backtrack); @@ -81,7 +82,7 @@ packet_id_init (struct packet_id *p, int seq_backtrack, int time_backtrack, cons p->rec.name = name; p->rec.unit = unit; - if (seq_backtrack) + if (seq_backtrack && !tcp_mode) { ASSERT (MIN_SEQ_BACKTRACK <= seq_backtrack && seq_backtrack <= MAX_SEQ_BACKTRACK); ASSERT (MIN_TIME_BACKTRACK <= time_backtrack && time_backtrack <= MAX_TIME_BACKTRACK); diff --git a/packet_id.h b/packet_id.h index 1c341f7..7f4be8a 100644 --- a/packet_id.h +++ b/packet_id.h @@ -210,7 +210,7 @@ struct packet_id struct packet_id_rec rec; }; -void packet_id_init (struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit); +void packet_id_init (struct packet_id *p, bool tcp_mode, int seq_backtrack, int time_backtrack, const char *name, int unit); void packet_id_free (struct packet_id *p); /* should we accept an incoming packet id ? */ diff --git a/ssl.c b/ssl.c index bbb9701..572d8e2 100644 --- a/ssl.c +++ b/ssl.c @@ -2643,6 +2643,7 @@ key_state_init (struct tls_session *session, struct key_state *ks) /* init packet ID tracker */ packet_id_init (&ks->packet_id, + session->opt->tcp_mode, session->opt->replay_window, session->opt->replay_time, "SSL", ks->key_id); @@ -2749,6 +2750,7 @@ tls_session_init (struct tls_multi *multi, struct tls_session *session) /* initialize packet ID replay window for --tls-auth */ packet_id_init (session->tls_auth.packet_id, + session->opt->tcp_mode, session->opt->replay_window, session->opt->replay_time, "TLS_AUTH", session->key_id); diff --git a/ssl.h b/ssl.h index 82d9c12..eca3922 100644 --- a/ssl.h +++ b/ssl.h @@ -477,6 +477,7 @@ struct tls_options int replay_window; /* --replay-window parm */ int replay_time; /* --replay-window parm */ + bool tcp_mode; /* packet authentication for TLS handshake */ struct crypto_options tls_auth; diff --git a/version.m4 b/version.m4 index b539d1a..97447b7 100644 --- a/version.m4 +++ b/version.m4 @@ -1,5 +1,5 @@ dnl define the OpenVPN version -define(PRODUCT_VERSION,[2.1.3q]) +define(PRODUCT_VERSION,[2.1.3r]) dnl define the TAP version define(PRODUCT_TAP_ID,[tap0901]) define(PRODUCT_TAP_WIN32_MIN_MAJOR,[9]) -- cgit v1.2.3