@@ -83,7 +83,7 @@

 #define D_RESTART            LOGLEV(3, 33, 0)        /* show certain restart messages */

 #define D_PUSH               LOGLEV(3, 34, 0)        /* show push/pull info */

 #define D_IFCONFIG_POOL      LOGLEV(3, 35, 0)        /* show ifconfig pool info */

-#define D_BACKTRACK          LOGLEV(3, 36, 0)        /* show replay backtracks */

+#define D_PID_DEBUG_LOW      LOGLEV(3, 36, 0)        /* show low-freq packet-id debugging info */

 #define D_AUTH               LOGLEV(3, 37, 0)        /* show user/pass auth info */

 #define D_MULTI_LOW          LOGLEV(3, 38, 0)        /* show point-to-multipoint low-freq debug info */

 #define D_PLUGIN             LOGLEV(3, 39, 0)        /* show plugin calls */

@@ -107,6 +107,7 @@

 #define D_INIT_MEDIUM        LOGLEV(4, 60, 0)        /* show medium frequency init messages */

 #define D_MTU_INFO           LOGLEV(4, 61, 0)        /* show terse MTU info */

 #define D_SHOW_OCC_HASH      LOGLEV(4, 62, 0)        /* show MD5 hash of option compatibility string */

+#define D_PID_DEBUG_MEDIUM   LOGLEV(4, 63, 0)        /* show medium-freq packet-id debugging info */

 #define D_LOG_RW             LOGLEV(5, 0,  0)        /* Print 'R' or 'W' to stdout for read/write */

@@ -121,7 +122,6 @@

 #define D_FRAG_DEBUG         LOGLEV(7, 70, M_DEBUG)  /* show fragment debugging info */

 #define D_WIN32_IO_LOW       LOGLEV(7, 70, M_DEBUG)  /* low freq win32 I/O debugging info */

 #define D_MTU_DEBUG          LOGLEV(7, 70, M_DEBUG)  /* show MTU debugging info */

-#define D_PID_DEBUG_LOW      LOGLEV(7, 70, M_DEBUG)  /* show low-freq packet-id debugging info */

 #define D_MULTI_DEBUG        LOGLEV(7, 70, M_DEBUG)  /* show medium-freq multi debugging info */

 #define D_MSS                LOGLEV(7, 70, M_DEBUG)  /* show MSS adjustments */

 #define D_COMP_LOW           LOGLEV(7, 70, M_DEBUG)  /* show adaptive compression state changes */

@@ -145,6 +145,7 @@

 #define D_TLS_KEYSELECT      LOGLEV(7, 70, M_DEBUG)  /* show information on key selection for data channel */

 #define D_ARGV_PARSE_CMD     LOGLEV(7, 70, M_DEBUG)  /* show parse_line() errors in argv_printf %sc */

 #define D_CRYPTO_DEBUG       LOGLEV(7, 70, M_DEBUG)  /* show detailed info from crypto.c routines */

+#define D_PID_DEBUG          LOGLEV(7, 70, M_DEBUG)  /* show packet-id debugging info */

 #define D_PF_DROPPED_BCAST   LOGLEV(7, 71, M_DEBUG)  /* packet filter dropped a broadcast packet */

 #define D_PF_DEBUG           LOGLEV(7, 72, M_DEBUG)  /* packet filter debugging, must also define PF_DEBUG in pf.h */

@@ -162,7 +163,6 @@

 #define D_READ_WRITE         LOGLEV(9, 70, M_DEBUG)  /* show all tun/tcp/udp reads/writes/opens */

 #define D_PACKET_CONTENT     LOGLEV(9, 70, M_DEBUG)  /* show before/after encryption packet content */

 #define D_TLS_NO_SEND_KEY    LOGLEV(9, 70, M_DEBUG)  /* show when no data channel send-key exists */

-#define D_PID_DEBUG          LOGLEV(9, 70, M_DEBUG)  /* show packet-id debugging info */

 #define D_PID_PERSIST_DEBUG  LOGLEV(9, 70, M_DEBUG)  /* show packet-id persist debugging info */

 #define D_LINK_RW_VERBOSE    LOGLEV(9, 70, M_DEBUG)  /* show link reads/writes with greater verbosity */

 #define D_STREAM_DEBUG       LOGLEV(9, 70, M_DEBUG)  /* show TCP stream debug info */

@@ -1833,7 +1833,7 @@ do_init_crypto_static (struct context *c, const unsigned int flags)

   if (options->replay)

     {

       packet_id_init (&c->c2.packet_id, options->replay_window,

-		      options->replay_time);

+		      options->replay_time, "STATIC", 0);

       c->c2.crypto_options.packet_id = &c->c2.packet_id;

       c->c2.crypto_options.pid_persist = &c->c1.pid_persist;

       c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM;

@@ -41,6 +41,8 @@

 #include "memdbg.h"

+/* #define PID_SIMULATE_BACKTRACK */

+

 /*

  * Special time_t value that indicates that

  * sequence number has expired.

@@ -48,16 +50,37 @@

 #define SEQ_UNSEEN  ((time_t)0)

 #define SEQ_EXPIRED ((time_t)1)

+static void packet_id_debug_print (int msglevel,

+				   const struct packet_id_rec *p,

+				   const struct packet_id_net *pin,

+				   const char *message,

+				   int value);

+

+static inline void

+packet_id_debug (int msglevel,

+		 const struct packet_id_rec *p,

+		 const struct packet_id_net *pin,

+		 const char *message,

+		 int value)

+{

+#ifdef ENABLE_DEBUG

+  if (unlikely(check_debug_level(msglevel)))

+    packet_id_debug_print (msglevel, p, pin, message, value);

+#endif

+}

+

 void

-packet_id_init (struct packet_id *p, int seq_backtrack, int time_backtrack)

+packet_id_init (struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit)

 {

-  dmsg (D_PID_DEBUG_LOW, "PID packet_id_init seq_backtrack=%d time_backtrack=%d",

-       seq_backtrack,

-       time_backtrack);

+  dmsg (D_PID_DEBUG, "PID packet_id_init seq_backtrack=%d time_backtrack=%d",

+	seq_backtrack,

+	time_backtrack);

   ASSERT (p);

   CLEAR (*p);

+  p->rec.name = name;

+  p->rec.unit = unit;

   if (seq_backtrack)

     {

       ASSERT (MIN_SEQ_BACKTRACK <= seq_backtrack && seq_backtrack <= MAX_SEQ_BACKTRACK);

@@ -74,7 +97,7 @@ packet_id_free (struct packet_id *p)

 {

   if (p)

     {

-      dmsg (D_PID_DEBUG_LOW, "PID packet_id_free");

+      dmsg (D_PID_DEBUG, "PID packet_id_free");

       if (p->rec.seq_list)

 	free (p->rec.seq_list);

       CLEAR (*p);

@@ -105,7 +128,11 @@ packet_id_add (struct packet_id_rec *p, const struct packet_id_net *pin)

 	  CIRC_LIST_RESET (p->seq_list);

 	}

-      while (p->id < pin->id)

+      while (p->id < pin->id

+#ifdef PID_SIMULATE_BACKTRACK

+	     || (get_random() % 64) < 31

+#endif

+	     )

 	{

 	  CIRC_LIST_PUSH (p->seq_list, SEQ_UNSEEN);

 	  ++p->id;

@@ -155,17 +182,13 @@ packet_id_reap (struct packet_id_rec *p)

  * it is a replay.

  */

 bool

-packet_id_test (const struct packet_id_rec *p,

+packet_id_test (struct packet_id_rec *p,

 		const struct packet_id_net *pin)

 {

-  static int max_backtrack_stat;

   packet_id_type diff;

-  dmsg (D_PID_DEBUG,

-       "PID TEST " time_format ":" packet_id_format " " time_format ":" packet_id_format "",

-       (time_type)p->time, (packet_id_print_type)p->id, (time_type)pin->time,

-       (packet_id_print_type)pin->id);

-

+  packet_id_debug (D_PID_DEBUG, p, pin, "PID_TEST", 0);

+  

   ASSERT (p->initialized);

   if (!pin->id)

@@ -189,19 +212,35 @@ packet_id_test (const struct packet_id_rec *p,

 	  diff = p->id - pin->id;

 	  /* keep track of maximum backtrack seen for debugging purposes */

-	  if ((int)diff > max_backtrack_stat)

+	  if ((int)diff > p->max_backtrack_stat)

 	    {

-	      max_backtrack_stat = (int)diff;

-	      msg (D_BACKTRACK, "Replay-window backtrack occurred [%d]", max_backtrack_stat);

+	      p->max_backtrack_stat = (int)diff;

+	      packet_id_debug (D_PID_DEBUG_LOW, p, pin, "PID_ERR replay-window backtrack occurred", p->max_backtrack_stat);

 	    }

 	  if (diff >= (packet_id_type) CIRC_LIST_SIZE (p->seq_list))

-	    return false;

+	    {

+	      packet_id_debug (D_PID_DEBUG_LOW, p, pin, "PID_ERR large diff", diff);

+	      return false;

+	    }

-	  return CIRC_LIST_ITEM (p->seq_list, diff) == 0;

+	  {

+	    const time_t v = CIRC_LIST_ITEM (p->seq_list, diff);

+	    if (v == 0)

+	      return true;

+	    else

+	      {

+		/* might want to increase this to D_PID_DEBUG_MEDIUM (or even D_PID_DEBUG) in the future */

+		packet_id_debug (D_PID_DEBUG_LOW, p, pin, "PID_ERR replay", diff);

+		return false;

+	      }

+	  }

 	}

       else if (pin->time < p->time) /* if time goes back, reject */

-	return false;

+	{

+	  packet_id_debug (D_PID_DEBUG_LOW, p, pin, "PID_ERR time backtrack", 0);

+	  return false;

+	}

       else                          /* time moved forward */

 	return true;

     }

@@ -434,6 +473,76 @@ packet_id_persist_print (const struct packet_id_persist *p, struct gc_arena *gc)

   return (char *)out.data;

 }

+#ifdef ENABLE_DEBUG

+

+static void

+packet_id_debug_print (int msglevel,

+		       const struct packet_id_rec *p,

+		       const struct packet_id_net *pin,

+		       const char *message,

+		       int value)

+{

+  struct gc_arena gc = gc_new ();

+  struct buffer out = alloc_buf_gc (256, &gc);

+  struct timeval tv;

+  const time_t prev_now = now;

+  const struct seq_list *sl = p->seq_list;

+  int i;

+

+  CLEAR (tv);

+  gettimeofday (&tv, NULL);

+

+  buf_printf (&out, "%s [%d]", message, value);

+  buf_printf (&out, " [%s-%d] [", p->name, p->unit);

+  for (i = 0; i < sl->x_size; ++i)

+    {

+      char c;

+      time_t v;

+      int diff;

+

+      v = CIRC_LIST_ITEM(sl, i);

+      if (v == SEQ_UNSEEN)

+	c = '_';

+      else if (v == SEQ_EXPIRED)

+	c = 'E';

+      else

+	{

+	  diff = (int) prev_now - v;

+	  if (diff < 0)

+	    c = 'N';

+	  else if (diff < 10)

+	    c = '0' + diff;

+	  else

+	    c = '>';

+	}

+      buf_printf(&out, "%c", c);

+    }

+  buf_printf (&out, "] " time_format ":" packet_id_format, (time_type)p->time, (packet_id_print_type)p->id); 

+  if (pin)

+    buf_printf (&out, " " time_format ":" packet_id_format, (time_type)pin->time, (packet_id_print_type)pin->id);

+

+  buf_printf (&out, " t=" time_format "[%d]",

+	      (time_type)prev_now,

+	      (int)(prev_now - tv.tv_sec));

+

+  buf_printf (&out, " r=[%d,%d,%d,%d,%d]",

+	      (int)(p->last_reap - tv.tv_sec),

+	      p->seq_backtrack,

+	      p->time_backtrack,

+	      p->max_backtrack_stat,

+	      (int)p->initialized);

+  buf_printf (&out, " sl=[%d,%d,%d,%d]",

+	      sl->x_head,

+	      sl->x_size,

+	      sl->x_cap,

+	      sl->x_sizeof);

+

+  msg (msglevel, "%s", BSTR(&out));

+  gc_free (&gc);

+}

+

+#endif

+

 #ifdef PID_TEST

 void

@@ -138,8 +138,11 @@ struct packet_id_rec

   packet_id_type id;          /* highest sequence number received */

   int seq_backtrack;          /* set from --replay-window */

   int time_backtrack;         /* set from --replay-window */

+  int max_backtrack_stat;     /* maximum backtrack seen so far */

   bool initialized;           /* true if packet_id_init was called */

   struct seq_list *seq_list;  /* packet-id "memory" */

+  const char *name;

+  int unit;

 };

 /*

@@ -207,11 +210,11 @@ struct packet_id

   struct packet_id_rec rec;

 };

-void packet_id_init (struct packet_id *p, int seq_backtrack, int time_backtrack);

+void packet_id_init (struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit);

 void packet_id_free (struct packet_id *p);

 /* should we accept an incoming packet id ? */

-bool packet_id_test (const struct packet_id_rec *p,

+bool packet_id_test (struct packet_id_rec *p,

 		     const struct packet_id_net *pin);

 /* change our current state to reflect an accepted packet id */

@@ -2644,7 +2644,8 @@ key_state_init (struct tls_session *session, struct key_state *ks)

   /* init packet ID tracker */

   packet_id_init (&ks->packet_id,

 		  session->opt->replay_window,

-		  session->opt->replay_time);

+		  session->opt->replay_time,

+		  "SSL", ks->key_id);

 #ifdef MANAGEMENT_DEF_AUTH

   ks->mda_key_id = session->opt->mda_context->mda_key_id_counter++;

@@ -2749,7 +2750,8 @@ tls_session_init (struct tls_multi *multi, struct tls_session *session)

   /* initialize packet ID replay window for --tls-auth */

   packet_id_init (session->tls_auth.packet_id,

 		  session->opt->replay_window,

-		  session->opt->replay_time);

+		  session->opt->replay_time,

+		  "TLS_AUTH", session->key_id);

   /* load most recent packet-id to replay protect on --tls-auth */

   packet_id_persist_load_obj (session->tls_auth.pid_persist, session->tls_auth.packet_id);

@@ -1,5 +1,5 @@

 dnl define the OpenVPN version

-define(PRODUCT_VERSION,[2.1.3p])

+define(PRODUCT_VERSION,[2.1.3q])

 dnl define the TAP version

 define(PRODUCT_TAP_ID,[tap0901])

 define(PRODUCT_TAP_WIN32_MIN_MAJOR,[9])