diff options
| author | jsing <> | 2021-07-21 08:42:14 +0000 |
|---|---|---|
| committer | jsing <> | 2021-07-21 08:42:14 +0000 |
| commit | 24017b25b6aa507cb8684a8f62c86469a7aa2c4d (patch) | |
| tree | bae082e5c4f00caf24ddf7d2b8bb7f2636f17592 /src/lib/libssl/d1_pkt.c | |
| parent | 79b1c4fd5d0d72bf2e38130064b797ecc99c1cbe (diff) | |
| download | openbsd-24017b25b6aa507cb8684a8f62c86469a7aa2c4d.tar.gz openbsd-24017b25b6aa507cb8684a8f62c86469a7aa2c4d.tar.bz2 openbsd-24017b25b6aa507cb8684a8f62c86469a7aa2c4d.zip | |
Remove DTLS processed_rcds queue.
When DTLS handshake records are received from the next epoch, we will
potentially queue them on the unprocessed_rcds queue - this is usually
a Finished message that has been received without the ChangeCipherSuite
(CCS) message (which may have been dropped or reordered).
After the epoch increments (due to the CCS being received), the current
code processes all records on the unprocessed queue and immediate queues
them on the processed queue, which dtls1_get_record() then pulls from.
This form of processing only adds more complexity and another queue.
Instead, once the epoch increments, pull a single record from the
unprocessed queue and process it, allowing the contents to be consumed
by the caller. We repeat this process until the unprocessed queue is
empty, at which point we go back to consuming messages from the wire.
ok inoguchi@ tb@
Diffstat (limited to 'src/lib/libssl/d1_pkt.c')
| -rw-r--r-- | src/lib/libssl/d1_pkt.c | 57 |
1 files changed, 19 insertions, 38 deletions
diff --git a/src/lib/libssl/d1_pkt.c b/src/lib/libssl/d1_pkt.c index 4e773a42bb..0416ee9c59 100644 --- a/src/lib/libssl/d1_pkt.c +++ b/src/lib/libssl/d1_pkt.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: d1_pkt.c,v 1.102 2021/07/21 07:51:12 jsing Exp $ */ | 1 | /* $OpenBSD: d1_pkt.c,v 1.103 2021/07/21 08:42:14 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * DTLS implementation written by Nagendra Modadugu | 3 | * DTLS implementation written by Nagendra Modadugu |
| 4 | * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. | 4 | * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. |
| @@ -274,34 +274,23 @@ dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue) | |||
| 274 | } | 274 | } |
| 275 | 275 | ||
| 276 | static int | 276 | static int |
| 277 | dtls1_process_buffered_records(SSL *s) | 277 | dtls1_process_buffered_record(SSL *s) |
| 278 | { | 278 | { |
| 279 | pitem *item; | 279 | /* Check if epoch is current. */ |
| 280 | if (D1I(s)->unprocessed_rcds.epoch != D1I(s)->r_epoch) | ||
| 281 | return (0); | ||
| 280 | 282 | ||
| 281 | item = pqueue_peek(D1I(s)->unprocessed_rcds.q); | 283 | /* Update epoch once all unprocessed records have been processed. */ |
| 282 | if (item) { | 284 | if (pqueue_peek(D1I(s)->unprocessed_rcds.q) == NULL) { |
| 283 | /* Check if epoch is current. */ | 285 | D1I(s)->unprocessed_rcds.epoch = D1I(s)->r_epoch + 1; |
| 284 | if (D1I(s)->unprocessed_rcds.epoch != D1I(s)->r_epoch) | 286 | return (0); |
| 285 | return (1); | ||
| 286 | /* Nothing to do. */ | ||
| 287 | |||
| 288 | /* Process all the records. */ | ||
| 289 | while (pqueue_peek(D1I(s)->unprocessed_rcds.q)) { | ||
| 290 | if (!dtls1_retrieve_buffered_record((s), | ||
| 291 | &((D1I(s))->unprocessed_rcds))) | ||
| 292 | return (0); | ||
| 293 | if (!dtls1_process_record(s)) | ||
| 294 | return (0); | ||
| 295 | if (dtls1_buffer_record(s, &(D1I(s)->processed_rcds), | ||
| 296 | S3I(s)->rrec.seq_num) < 0) | ||
| 297 | return (-1); | ||
| 298 | } | ||
| 299 | } | 287 | } |
| 300 | 288 | ||
| 301 | /* sync epoch numbers once all the unprocessed records | 289 | /* Process one of the records. */ |
| 302 | * have been processed */ | 290 | if (!dtls1_retrieve_buffered_record(s, &D1I(s)->unprocessed_rcds)) |
| 303 | D1I(s)->processed_rcds.epoch = D1I(s)->r_epoch; | 291 | return (-1); |
| 304 | D1I(s)->unprocessed_rcds.epoch = D1I(s)->r_epoch + 1; | 292 | if (!dtls1_process_record(s)) |
| 293 | return (-1); | ||
| 305 | 294 | ||
| 306 | return (1); | 295 | return (1); |
| 307 | } | 296 | } |
| @@ -365,22 +354,15 @@ dtls1_process_record(SSL *s) | |||
| 365 | int | 354 | int |
| 366 | dtls1_get_record(SSL *s) | 355 | dtls1_get_record(SSL *s) |
| 367 | { | 356 | { |
| 368 | SSL3_RECORD_INTERNAL *rr; | 357 | SSL3_RECORD_INTERNAL *rr = &(S3I(s)->rrec); |
| 369 | unsigned char *p = NULL; | 358 | unsigned char *p = NULL; |
| 370 | DTLS1_BITMAP *bitmap; | 359 | DTLS1_BITMAP *bitmap; |
| 371 | unsigned int is_next_epoch; | 360 | unsigned int is_next_epoch; |
| 372 | int n; | 361 | int ret, n; |
| 373 | 362 | ||
| 374 | rr = &(S3I(s)->rrec); | 363 | /* See if there are pending records that can now be processed. */ |
| 375 | 364 | if ((ret = dtls1_process_buffered_record(s)) != 0) | |
| 376 | /* The epoch may have changed. If so, process all the | 365 | return (ret); |
| 377 | * pending records. This is a non-blocking operation. */ | ||
| 378 | if (dtls1_process_buffered_records(s) < 0) | ||
| 379 | return (-1); | ||
| 380 | |||
| 381 | /* if we're renegotiating, then there may be buffered records */ | ||
| 382 | if (dtls1_retrieve_buffered_record((s), &((D1I(s))->processed_rcds))) | ||
| 383 | return 1; | ||
| 384 | 366 | ||
| 385 | /* get something from the wire */ | 367 | /* get something from the wire */ |
| 386 | if (0) { | 368 | if (0) { |
| @@ -1189,7 +1171,6 @@ dtls1_dispatch_alert(SSL *s) | |||
| 1189 | return (i); | 1171 | return (i); |
| 1190 | } | 1172 | } |
| 1191 | 1173 | ||
| 1192 | |||
| 1193 | static DTLS1_BITMAP * | 1174 | static DTLS1_BITMAP * |
| 1194 | dtls1_get_bitmap(SSL *s, SSL3_RECORD_INTERNAL *rr, unsigned int *is_next_epoch) | 1175 | dtls1_get_bitmap(SSL *s, SSL3_RECORD_INTERNAL *rr, unsigned int *is_next_epoch) |
| 1195 | { | 1176 | { |