SSL timer fixes: not DTLS only, start cancelled

2024-10-18 16:01:07 +00:00 · 2015-05-13 16:22:05 +02:00 · 2015-05-13 16:22:05 +02:00 · 286a136e63
parent d2377e7e78
commit 286a136e63
1 changed files with 18 additions and 6 deletions
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -76,8 +76,6 @@ static inline size_t ssl_ep_len( const mbedtls_ssl_context *ssl )
    return( 0 );
 }

-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
 /*
 * Start a timer.
 * Passing millisecs = 0 cancels a running timer.
@ -100,11 +98,15 @@ static int ssl_check_timer( mbedtls_ssl_context *ssl )
        return( -2 );

    if( ssl->f_get_timer( ssl->p_timer ) == 2 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "timer expired" ) );
        return( -1 );
+    }

    return( 0 );
 }

+#if defined(MBEDTLS_SSL_PROTO_DTLS)
 /*
 * Double the retransmit timeout value, within the allowed range,
 * returning -1 if the maximum value has already been reached.
@ -2355,7 +2357,11 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
        while( ssl->in_left < nb_want )
        {
            len = nb_want - ssl->in_left;
-            ret = ssl->f_recv( ssl->p_bio, ssl->in_hdr + ssl->in_left, len );
+
+            if( ssl_check_timer( ssl ) != 0 )
+                ret = MBEDTLS_ERR_SSL_TIMEOUT;
+            else
+                ret = ssl->f_recv( ssl->p_bio, ssl->in_hdr + ssl->in_left, len );

            MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
                           ssl->in_left, nb_want ) );
@ -4934,6 +4940,8 @@ static int ssl_handshake_init( mbedtls_ssl_context *ssl )
            ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
        else
            ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
+
+        ssl_set_timer( ssl, 0 );
    }
 #endif

@ -5050,6 +5058,9 @@ int mbedtls_ssl_session_reset( mbedtls_ssl_context *ssl )

    ssl->state = MBEDTLS_SSL_HELLO_REQUEST;

+    /* Cancel any possibly running timer */
+    ssl_set_timer( ssl, 0 );
+
 #if defined(MBEDTLS_SSL_RENEGOTIATION)
    ssl->renego_status = MBEDTLS_SSL_INITIAL_HANDSHAKE;
    ssl->renego_records_seen = 0;
@ -5276,6 +5287,9 @@ void mbedtls_ssl_set_timer_cb( mbedtls_ssl_context *ssl,
    ssl->p_timer        = p_timer;
    ssl->f_set_timer    = f_set_timer;
    ssl->f_get_timer    = f_get_timer;
+
+    /* Make sure we start with no timer running */
+    ssl_set_timer( ssl, 0 );
 }

 #if defined(MBEDTLS_SSL_SRV_C)
@ -6056,11 +6070,9 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )

    if( ssl->in_offt == NULL )
    {
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
        /* Start timer if not already running */
        if( ssl->f_get_timer( ssl->p_timer ) == -1 )
            ssl_set_timer( ssl, ssl->conf->read_timeout );
-#endif

        if( ! record_read )
        {
@ -6218,12 +6230,12 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )

        ssl->in_offt = ssl->in_msg;

-#if defined(MBEDTLS_SSL_PROTO_DTLS)
        /* We're going to return something now, cancel timer,
         * except if handshake (renegotiation) is in progress */
        if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
            ssl_set_timer( ssl, 0 );

+#if defined(MBEDTLS_SSL_PROTO_DTLS)
        /* If we requested renego but received AppData, resend HelloRequest.
         * Do it now, after setting in_offt, to avoid taking this branch
         * again if ssl_write_hello_request() returns WANT_WRITE */