From 50161075506aedcc57fc7b058d89fefc72481374 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Fri, 9 Mar 2012 15:51:56 +0000 Subject: [PATCH] PR: 2756 Submitted by: Robin Seggelmann Fix DTLS timeout handling. --- ssl/d1_lib.c | 38 ++++++++++++++++++++++++++------------ ssl/d1_pkt.c | 12 +++--------- ssl/ssl_locl.h | 1 + 3 files changed, 30 insertions(+), 21 deletions(-) diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c index bceba3c971..8155a890bd 100644 --- a/ssl/d1_lib.c +++ b/ssl/d1_lib.c @@ -421,6 +421,7 @@ void dtls1_double_timeout(SSL *s) void dtls1_stop_timer(SSL *s) { /* Reset everything */ + memset(&(s->d1->timeout), 0, sizeof(struct dtls1_timeout_st)); memset(&(s->d1->next_timeout), 0, sizeof(struct timeval)); s->d1->timeout_duration = 1; BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0, &(s->d1->next_timeout)); @@ -428,30 +429,43 @@ void dtls1_stop_timer(SSL *s) dtls1_clear_record_buffer(s); } -int dtls1_handle_timeout(SSL *s) +int dtls1_check_timeout_num(SSL *s) { - DTLS1_STATE *state; + s->d1->timeout.num_alerts++; - /* if no timer is expired, don't do anything */ - if (!dtls1_is_timer_expired(s)) + /* Reduce MTU after 2 unsuccessful retransmissions */ + if (s->d1->timeout.num_alerts > 2) { - return 0; + s->d1->mtu = BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0, NULL); } - dtls1_double_timeout(s); - state = s->d1; - state->timeout.num_alerts++; - if ( state->timeout.num_alerts > DTLS1_TMO_ALERT_COUNT) + if (s->d1->timeout.num_alerts > DTLS1_TMO_ALERT_COUNT) { /* fail the connection, enough alerts have been sent */ SSLerr(SSL_F_DTLS1_HANDLE_TIMEOUT,SSL_R_READ_TIMEOUT_EXPIRED); return -1; } - state->timeout.read_timeouts++; - if ( state->timeout.read_timeouts > DTLS1_TMO_READ_COUNT) + return 0; + } + +int dtls1_handle_timeout(SSL *s) + { + /* if no timer is expired, don't do anything */ + if (!dtls1_is_timer_expired(s)) + { + return 0; + } + + dtls1_double_timeout(s); + + if (dtls1_check_timeout_num(s) < 0) + return -1; + + s->d1->timeout.read_timeouts++; + if (s->d1->timeout.read_timeouts > DTLS1_TMO_READ_COUNT) { - state->timeout.read_timeouts = 1; + s->d1->timeout.read_timeouts = 1; } if (state->timeout_duration > 2) diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c index b709ebbfaa..65b1ef28cd 100644 --- a/ssl/d1_pkt.c +++ b/ssl/d1_pkt.c @@ -139,7 +139,6 @@ static int dtls1_process_record(SSL *s); #if PQ_64BIT_IS_INTEGER static PQ_64BIT bytes_to_long_long(unsigned char *bytes, PQ_64BIT *num); #endif -static void dtls1_clear_timeouts(SSL *s); /* copy buffered record into SSL structure */ static int @@ -640,7 +639,6 @@ again: goto again; /* get another record */ } - dtls1_clear_timeouts(s); /* done waiting */ return(1); } @@ -1109,6 +1107,9 @@ start: */ if (msg_hdr.type == SSL3_MT_FINISHED) { + if (dtls1_check_timeout_num(s) < 0) + return -1; + dtls1_retransmit_buffered_messages(s); rr->length = 0; goto start; @@ -1812,10 +1813,3 @@ bytes_to_long_long(unsigned char *bytes, PQ_64BIT *num) return _num; } #endif - - -static void -dtls1_clear_timeouts(SSL *s) - { - memset(&(s->d1->timeout), 0x00, sizeof(struct dtls1_timeout_st)); - } diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 4741e30b2b..3d581f1f2f 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -870,6 +870,7 @@ void dtls1_get_ccs_header(unsigned char *data, struct ccs_header_st *ccs_hdr); void dtls1_reset_seq_numbers(SSL *s, int rw); long dtls1_default_timeout(void); struct timeval* dtls1_get_timeout(SSL *s, struct timeval* timeleft); +int dtls1_check_timeout_num(SSL *s); int dtls1_handle_timeout(SSL *s); SSL_CIPHER *dtls1_get_cipher(unsigned int u); void dtls1_start_timer(SSL *s); -- 2.25.1