From ad3d95222d94918cfe7e7f27b40a07b18af871a5 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Fri, 9 Mar 2012 15:52:09 +0000 Subject: [PATCH] PR: 2756 Submitted by: Robin Seggelmann Fix DTLS timeout handling. --- ssl/d1_lib.c | 43 ++++++++++++++++++++++++++----------------- ssl/d1_pkt.c | 12 +++--------- ssl/ssl_locl.h | 1 + 3 files changed, 30 insertions(+), 26 deletions(-) diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c index 7603715159..c6ca85f1bb 100644 --- a/ssl/d1_lib.c +++ b/ssl/d1_lib.c @@ -381,6 +381,7 @@ void dtls1_double_timeout(SSL *s) void dtls1_stop_timer(SSL *s) { /* Reset everything */ + memset(&(s->d1->timeout), 0, sizeof(struct dtls1_timeout_st)); memset(&(s->d1->next_timeout), 0, sizeof(struct timeval)); s->d1->timeout_duration = 1; BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0, &(s->d1->next_timeout)); @@ -388,10 +389,28 @@ void dtls1_stop_timer(SSL *s) dtls1_clear_record_buffer(s); } +int dtls1_check_timeout_num(SSL *s) + { + s->d1->timeout.num_alerts++; + + /* Reduce MTU after 2 unsuccessful retransmissions */ + if (s->d1->timeout.num_alerts > 2) + { + s->d1->mtu = BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0, NULL); + } + + if (s->d1->timeout.num_alerts > DTLS1_TMO_ALERT_COUNT) + { + /* fail the connection, enough alerts have been sent */ + SSLerr(SSL_F_DTLS1_HANDLE_TIMEOUT,SSL_R_READ_TIMEOUT_EXPIRED); + return -1; + } + + return 0; + } + int dtls1_handle_timeout(SSL *s) { - DTLS1_STATE *state; - /* if no timer is expired, don't do anything */ if (!dtls1_is_timer_expired(s)) { @@ -399,24 +418,14 @@ int dtls1_handle_timeout(SSL *s) } dtls1_double_timeout(s); - state = s->d1; - state->timeout.num_alerts++; - if ( state->timeout.num_alerts > DTLS1_TMO_ALERT_COUNT) - { - /* fail the connection, enough alerts have been sent */ - SSLerr(SSL_F_DTLS1_HANDLE_TIMEOUT,SSL_R_READ_TIMEOUT_EXPIRED); + + if (dtls1_check_timeout_num(s) < 0) return -1; - } - state->timeout.read_timeouts++; - if ( state->timeout.read_timeouts > DTLS1_TMO_READ_COUNT) + s->d1->timeout.read_timeouts++; + if (s->d1->timeout.read_timeouts > DTLS1_TMO_READ_COUNT) { - state->timeout.read_timeouts = 1; - } - - if (state->timeout_duration > 2) - { - s->d1->mtu = BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0, NULL); + s->d1->timeout.read_timeouts = 1; } dtls1_start_timer(s); diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c index de30a505a6..6d245736f6 100644 --- a/ssl/d1_pkt.c +++ b/ssl/d1_pkt.c @@ -179,7 +179,6 @@ static int dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr, static int dtls1_buffer_record(SSL *s, record_pqueue *q, unsigned char *priority); static int dtls1_process_record(SSL *s); -static void dtls1_clear_timeouts(SSL *s); /* copy buffered record into SSL structure */ static int @@ -682,7 +681,6 @@ again: goto again; /* get another record */ } - dtls1_clear_timeouts(s); /* done waiting */ return(1); } @@ -1152,6 +1150,9 @@ start: */ if (msg_hdr.type == SSL3_MT_FINISHED) { + if (dtls1_check_timeout_num(s) < 0) + return -1; + dtls1_retransmit_buffered_messages(s); rr->length = 0; goto start; @@ -1765,10 +1766,3 @@ dtls1_reset_seq_numbers(SSL *s, int rw) memset(seq, 0x00, seq_bytes); } - - -static void -dtls1_clear_timeouts(SSL *s) - { - memset(&(s->d1->timeout), 0x00, sizeof(struct dtls1_timeout_st)); - } diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index cea622a2a6..4e4e79b99d 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -943,6 +943,7 @@ void dtls1_get_ccs_header(unsigned char *data, struct ccs_header_st *ccs_hdr); void dtls1_reset_seq_numbers(SSL *s, int rw); long dtls1_default_timeout(void); struct timeval* dtls1_get_timeout(SSL *s, struct timeval* timeleft); +int dtls1_check_timeout_num(SSL *s); int dtls1_handle_timeout(SSL *s); const SSL_CIPHER *dtls1_get_cipher(unsigned int u); void dtls1_start_timer(SSL *s);