diff options
| -rw-r--r-- | apps/s_client.c | 19 | ||||
| -rw-r--r-- | apps/s_server.c | 16 | ||||
| -rw-r--r-- | ssl/d1_both.c | 29 | ||||
| -rw-r--r-- | ssl/d1_lib.c | 53 | ||||
| -rw-r--r-- | ssl/d1_pkt.c | 7 | ||||
| -rw-r--r-- | ssl/ssl.h | 9 | ||||
| -rw-r--r-- | ssl/ssl_err.c | 1 | ||||
| -rw-r--r-- | ssl/ssl_locl.h | 3 |
8 files changed, 100 insertions, 37 deletions
diff --git a/apps/s_client.c b/apps/s_client.c index 18dcd13663..f6717f1a71 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -318,6 +318,7 @@ int MAIN(int argc, char **argv) BIO *sbio; char *inrand=NULL; int mbuf_len=0; + struct timeval timeout, *timeoutp; #ifndef OPENSSL_NO_ENGINE char *engine_id=NULL; char *ssl_client_engine_id=NULL; @@ -819,7 +820,6 @@ re_start: if ( SSL_version(con) == DTLS1_VERSION) { - struct timeval timeout; sbio=BIO_new_dgram(s,BIO_NOCLOSE); if (getsockname(s, &peer, (void *)&peerlen) < 0) @@ -1036,6 +1036,12 @@ SSL_set_tlsext_status_ids(con, ids); FD_ZERO(&readfds); FD_ZERO(&writefds); + if ((SSL_version(con) == DTLS1_VERSION) && + DTLSv1_get_timeout(con, &timeout)) + timeoutp = &timeout; + else + timeoutp = NULL; + if (SSL_in_init(con) && !SSL_total_renegotiations(con)) { in_init=1; @@ -1132,7 +1138,7 @@ SSL_set_tlsext_status_ids(con, ids); if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue; #endif } else i=select(width,(void *)&readfds,(void *)&writefds, - NULL,NULL); + NULL,timeoutp); } #elif defined(OPENSSL_SYS_NETWARE) if(!write_tty) { @@ -1142,11 +1148,11 @@ SSL_set_tlsext_status_ids(con, ids); i=select(width,(void *)&readfds,(void *)&writefds, NULL,&tv); } else i=select(width,(void *)&readfds,(void *)&writefds, - NULL,NULL); + NULL,timeoutp); } #else i=select(width,(void *)&readfds,(void *)&writefds, - NULL,NULL); + NULL,timeoutp); #endif if ( i < 0) { @@ -1157,6 +1163,11 @@ SSL_set_tlsext_status_ids(con, ids); } } + if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0) + { + BIO_printf(bio_err,"TIMEOUT occured\n"); + } + if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds)) { k=SSL_write(con,&(cbuf[cbuf_off]), diff --git a/apps/s_server.c b/apps/s_server.c index 23d2217625..5c5168aad4 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -1590,6 +1590,7 @@ static int sv_body(char *hostname, int s, unsigned char *context) unsigned long l; SSL *con=NULL; BIO *sbio; + struct timeval timeout, *timeoutp; #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) struct timeval tv; #endif @@ -1643,7 +1644,6 @@ static int sv_body(char *hostname, int s, unsigned char *context) if (SSL_version(con) == DTLS1_VERSION) { - struct timeval timeout; sbio=BIO_new_dgram(s,BIO_NOCLOSE); @@ -1744,7 +1744,19 @@ static int sv_body(char *hostname, int s, unsigned char *context) if(_kbhit()) read_from_terminal = 1; #else - i=select(width,(void *)&readfds,NULL,NULL,NULL); + if ((SSL_version(con) == DTLS1_VERSION) && + DTLSv1_get_timeout(con, &timeout)) + timeoutp = &timeout; + else + timeoutp = NULL; + + i=select(width,(void *)&readfds,NULL,NULL,timeoutp); + + if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0) + { + BIO_printf(bio_err,"TIMEOUT occured\n"); + } + if (i <= 0) continue; if (FD_ISSET(fileno(stdin),&readfds)) read_from_terminal = 1; diff --git a/ssl/d1_both.c b/ssl/d1_both.c index e2c5e89e22..c2834e79f8 100644 --- a/ssl/d1_both.c +++ b/ssl/d1_both.c @@ -892,9 +892,6 @@ unsigned long dtls1_output_cert_chain(SSL *s, X509 *x) int dtls1_read_failed(SSL *s, int code) { - DTLS1_STATE *state; - int send_alert = 0; - if ( code > 0) { fprintf( stderr, "invalid state reached %s:%d", __FILE__, __LINE__); @@ -914,24 +911,6 @@ int dtls1_read_failed(SSL *s, int code) return code; } - dtls1_double_timeout(s); - state = s->d1; - state->timeout.num_alerts++; - if ( state->timeout.num_alerts > DTLS1_TMO_ALERT_COUNT) - { - /* fail the connection, enough alerts have been sent */ - SSLerr(SSL_F_DTLS1_READ_FAILED,SSL_R_READ_TIMEOUT_EXPIRED); - return 0; - } - - state->timeout.read_timeouts++; - if ( state->timeout.read_timeouts > DTLS1_TMO_READ_COUNT) - { - send_alert = 1; - state->timeout.read_timeouts = 1; - } - - #if 0 /* for now, each alert contains only one record number */ item = pqueue_peek(state->rcvd_records); if ( item ) @@ -942,12 +921,12 @@ int dtls1_read_failed(SSL *s, int code) #endif #if 0 /* no more alert sending, just retransmit the last set of messages */ - if ( send_alert) - ssl3_send_alert(s,SSL3_AL_WARNING, - DTLS1_AD_MISSING_HANDSHAKE_MESSAGE); + if ( state->timeout.read_timeouts >= DTLS1_TMO_READ_COUNT) + ssl3_send_alert(s,SSL3_AL_WARNING, + DTLS1_AD_MISSING_HANDSHAKE_MESSAGE); #endif - return dtls1_retransmit_buffered_messages(s) ; + return dtls1_handle_timeout(s); } int diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c index be0dd49034..4f8044d451 100644 --- a/ssl/d1_lib.c +++ b/ssl/d1_lib.c @@ -210,6 +210,29 @@ void dtls1_clear(SSL *s) s->version=DTLS1_VERSION; } +long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg) + { + int ret=0; + + switch (cmd) + { + case DTLS_CTRL_GET_TIMEOUT: + if (dtls1_get_timeout(s, (struct timeval*) parg) != NULL) + { + ret = 1; + } + break; + case DTLS_CTRL_HANDLE_TIMEOUT: + ret = dtls1_handle_timeout(s); + break; + + default: + ret = ssl3_ctrl(s, cmd, larg, parg); + break; + } + return(ret); + } + /* * As it's impossible to use stream ciphers in "datagram" mode, this * simple filter is designed to disengage them in DTLS. Unfortunately @@ -317,6 +340,36 @@ void dtls1_stop_timer(SSL *s) BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0, &(s->d1->next_timeout)); } +int dtls1_handle_timeout(SSL *s) + { + DTLS1_STATE *state; + + /* if no timer is expired, don't do anything */ + if (!dtls1_is_timer_expired(s)) + { + return 0; + } + + dtls1_double_timeout(s); + state = s->d1; + state->timeout.num_alerts++; + if ( state->timeout.num_alerts > DTLS1_TMO_ALERT_COUNT) + { + /* fail the connection, enough alerts have been sent */ + SSLerr(SSL_F_DTLS1_HANDLE_TIMEOUT,SSL_R_READ_TIMEOUT_EXPIRED); + return 0; + } + + state->timeout.read_timeouts++; + if ( state->timeout.read_timeouts > DTLS1_TMO_READ_COUNT) + { + state->timeout.read_timeouts = 1; + } + + dtls1_start_timer(s); + return dtls1_retransmit_buffered_messages(s); + } + static void get_current_time(struct timeval *t) { #ifdef OPENSSL_SYS_WIN32 diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c index 8059ebd3a4..0f67f77b1d 100644 --- a/ssl/d1_pkt.c +++ b/ssl/d1_pkt.c @@ -730,11 +730,8 @@ start: } /* Check for timeout */ - if (dtls1_is_timer_expired(s)) - { - if (dtls1_read_failed(s, -1) > 0) - goto start; - } + if (dtls1_handle_timeout(s) > 0) + goto start; /* get new packet if necessary */ if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY)) @@ -1271,6 +1271,14 @@ size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count); #define SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB 72 #endif +#define DTLS_CTRL_GET_TIMEOUT 73 +#define DTLS_CTRL_HANDLE_TIMEOUT 74 + +#define DTLSv1_get_timeout(ssl, arg) \ + SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg) +#define DTLSv1_handle_timeout(ssl) \ + SSL_ctrl(ssl,DTLS_CTRL_HANDLE_TIMEOUT,0, NULL) + #define SSL_session_reused(ssl) \ SSL_ctrl((ssl),SSL_CTRL_GET_SESSION_REUSED,0,NULL) #define SSL_num_renegotiations(ssl) \ @@ -1660,6 +1668,7 @@ void ERR_load_SSL_strings(void); #define SSL_F_DTLS1_GET_MESSAGE 252 #define SSL_F_DTLS1_GET_MESSAGE_FRAGMENT 253 #define SSL_F_DTLS1_GET_RECORD 254 +#define SSL_F_DTLS1_HANDLE_TIMEOUT 282 #define SSL_F_DTLS1_OUTPUT_CERT_CHAIN 255 #define SSL_F_DTLS1_PREPROCESS_FRAGMENT 277 #define SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE 256 diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index ba2807e27f..f8f678fb08 100644 --- a/ssl/ssl_err.c +++ b/ssl/ssl_err.c @@ -87,6 +87,7 @@ static ERR_STRING_DATA SSL_str_functs[]= {ERR_FUNC(SSL_F_DTLS1_GET_MESSAGE), "DTLS1_GET_MESSAGE"}, {ERR_FUNC(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT), "DTLS1_GET_MESSAGE_FRAGMENT"}, {ERR_FUNC(SSL_F_DTLS1_GET_RECORD), "DTLS1_GET_RECORD"}, +{ERR_FUNC(SSL_F_DTLS1_HANDLE_TIMEOUT), "DTLS1_HANDLE_TIMEOUT"}, {ERR_FUNC(SSL_F_DTLS1_OUTPUT_CERT_CHAIN), "DTLS1_OUTPUT_CERT_CHAIN"}, {ERR_FUNC(SSL_F_DTLS1_PREPROCESS_FRAGMENT), "DTLS1_PREPROCESS_FRAGMENT"}, {ERR_FUNC(SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE), "DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE"}, diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 8c177b9f1f..9df2186c6f 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -694,7 +694,7 @@ SSL_METHOD *func_name(void) \ dtls1_read_bytes, \ dtls1_write_app_data_bytes, \ dtls1_dispatch_alert, \ - ssl3_ctrl, \ + dtls1_ctrl, \ ssl3_ctx_ctrl, \ ssl3_get_cipher_by_char, \ ssl3_put_cipher_by_char, \ @@ -870,6 +870,7 @@ void dtls1_get_ccs_header(unsigned char *data, struct ccs_header_st *ccs_hdr); void dtls1_reset_seq_numbers(SSL *s, int rw); long dtls1_default_timeout(void); struct timeval* dtls1_get_timeout(SSL *s, struct timeval* timeleft); +int dtls1_handle_timeout(SSL *s); SSL_CIPHER *dtls1_get_cipher(unsigned int u); void dtls1_start_timer(SSL *s); void dtls1_stop_timer(SSL *s); |