From ad82a4a668eecb653cfdd1e42e1c932b8a5e67ad Mon Sep 17 00:00:00 2001
From: James Yonan <james@openvpn.net>
Date: Sat, 2 Apr 2011 08:21:28 +0000
Subject: [PATCH] Fixed bug that incorrectly placed stricter TCP packet replay
 rules on UDP sessions when the client daemon was running in UDP/TCP adaptive
 mode, and transitioned from TCP to UDP.

The bug would cause a single dropped packet in UDP mode to trigger a
barrage of packet replay errors followed by a disconnect and
reconnect.

Version 2.1.3r


git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7125 e7ae566f-a301-0410-adde-c780ea21d3b5
---
 init.c      | 15 ++++++---------
 packet_id.c |  7 ++++---
 packet_id.h |  2 +-
 ssl.c       |  2 ++
 ssl.h       |  1 +
 version.m4  |  2 +-
 6 files changed, 15 insertions(+), 14 deletions(-)

diff --git a/init.c b/init.c
index a1a1a8fe..ef09e8e6 100644
--- a/init.c
+++ b/init.c
@@ -102,13 +102,6 @@ update_options_ce_post (struct options *options)
       options->ping_rec_timeout_action = PING_RESTART;
     }
 #endif
-#ifdef USE_CRYPTO
-  /* 
-   * Don't use replay window for TCP mode (i.e. require that packets be strictly in sequence).
-   */
-  if (link_socket_proto_connection_oriented (options->ce.proto))
-    options->replay_window = options->replay_time = 0;
-#endif
 }
 
 #if HTTP_PROXY_FALLBACK
@@ -1832,8 +1825,11 @@ do_init_crypto_static (struct context *c, const unsigned int flags)
   /* Initialize packet ID tracking */
   if (options->replay)
     {
-      packet_id_init (&c->c2.packet_id, options->replay_window,
-		      options->replay_time, "STATIC", 0);
+      packet_id_init (&c->c2.packet_id,
+		      link_socket_proto_connection_oriented (options->ce.proto),
+		      options->replay_window,
+		      options->replay_time,
+		      "STATIC", 0);
       c->c2.crypto_options.packet_id = &c->c2.packet_id;
       c->c2.crypto_options.pid_persist = &c->c1.pid_persist;
       c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM;
@@ -2034,6 +2030,7 @@ do_init_crypto_tls (struct context *c, const unsigned int flags)
   to.replay = options->replay;
   to.replay_window = options->replay_window;
   to.replay_time = options->replay_time;
+  to.tcp_mode = link_socket_proto_connection_oriented (options->ce.proto);
   to.transition_window = options->transition_window;
   to.handshake_window = options->handshake_window;
   to.packet_timeout = options->tls_timeout;
diff --git a/packet_id.c b/packet_id.c
index f38c1212..9bbfbf32 100644
--- a/packet_id.c
+++ b/packet_id.c
@@ -70,9 +70,10 @@ packet_id_debug (int msglevel,
 }
 
 void
-packet_id_init (struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit)
+packet_id_init (struct packet_id *p, bool tcp_mode, int seq_backtrack, int time_backtrack, const char *name, int unit)
 {
-  dmsg (D_PID_DEBUG, "PID packet_id_init seq_backtrack=%d time_backtrack=%d",
+  dmsg (D_PID_DEBUG, "PID packet_id_init tcp_mode=%d seq_backtrack=%d time_backtrack=%d",
+	tcp_mode,
 	seq_backtrack,
 	time_backtrack);
 
@@ -81,7 +82,7 @@ packet_id_init (struct packet_id *p, int seq_backtrack, int time_backtrack, cons
 
   p->rec.name = name;
   p->rec.unit = unit;
-  if (seq_backtrack)
+  if (seq_backtrack && !tcp_mode)
     {
       ASSERT (MIN_SEQ_BACKTRACK <= seq_backtrack && seq_backtrack <= MAX_SEQ_BACKTRACK);
       ASSERT (MIN_TIME_BACKTRACK <= time_backtrack && time_backtrack <= MAX_TIME_BACKTRACK);
diff --git a/packet_id.h b/packet_id.h
index 1c341f79..7f4be8ac 100644
--- a/packet_id.h
+++ b/packet_id.h
@@ -210,7 +210,7 @@ struct packet_id
   struct packet_id_rec rec;
 };
 
-void packet_id_init (struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit);
+void packet_id_init (struct packet_id *p, bool tcp_mode, int seq_backtrack, int time_backtrack, const char *name, int unit);
 void packet_id_free (struct packet_id *p);
 
 /* should we accept an incoming packet id ? */
diff --git a/ssl.c b/ssl.c
index bbb9701c..572d8e25 100644
--- a/ssl.c
+++ b/ssl.c
@@ -2643,6 +2643,7 @@ key_state_init (struct tls_session *session, struct key_state *ks)
 
   /* init packet ID tracker */
   packet_id_init (&ks->packet_id,
+		  session->opt->tcp_mode,
 		  session->opt->replay_window,
 		  session->opt->replay_time,
 		  "SSL", ks->key_id);
@@ -2749,6 +2750,7 @@ tls_session_init (struct tls_multi *multi, struct tls_session *session)
 
   /* initialize packet ID replay window for --tls-auth */
   packet_id_init (session->tls_auth.packet_id,
+		  session->opt->tcp_mode,
 		  session->opt->replay_window,
 		  session->opt->replay_time,
 		  "TLS_AUTH", session->key_id);
diff --git a/ssl.h b/ssl.h
index 82d9c128..eca3922f 100644
--- a/ssl.h
+++ b/ssl.h
@@ -477,6 +477,7 @@ struct tls_options
 
   int replay_window;                   /* --replay-window parm */
   int replay_time;                     /* --replay-window parm */
+  bool tcp_mode;
 
   /* packet authentication for TLS handshake */
   struct crypto_options tls_auth;
diff --git a/version.m4 b/version.m4
index b539d1ae..97447b7f 100644
--- a/version.m4
+++ b/version.m4
@@ -1,5 +1,5 @@
 dnl define the OpenVPN version
-define(PRODUCT_VERSION,[2.1.3q])
+define(PRODUCT_VERSION,[2.1.3r])
 dnl define the TAP version
 define(PRODUCT_TAP_ID,[tap0901])
 define(PRODUCT_TAP_WIN32_MIN_MAJOR,[9])