1 files changed, 43 insertions, 11 deletions
diff --git a/src/lib/libssl/d1_lib.c b/src/lib/libssl/d1_lib.c
index c3b77c889b..f61f718183 100644
--- a/src/lib/libssl/d1_lib.c
+++ b/src/lib/libssl/d1_lib.c
@@ -82,6 +82,7 @@ SSL3_ENC_METHOD DTLSv1_enc_data={
        TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
        TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
        tls1_alert_code,
+        tls1_export_keying_material,
        };
 long dtls1_default_timeout(void)
@@ -291,6 +292,15 @@ const SSL_CIPHER *dtls1_get_cipher(unsigned int u)
 void dtls1_start_timer(SSL *s)
        {
+#ifndef OPENSSL_NO_SCTP
+        /* Disable timer for SCTP */
+        if (BIO_dgram_is_sctp(SSL_get_wbio(s)))
+                {
+                memset(&(s->d1->next_timeout), 0, sizeof(struct timeval));
+                return;
+                }
+#endif
        /* If timer is not set, initialize duration with 1 second */
        if (s->d1->next_timeout.tv_sec == 0 && s->d1->next_timeout.tv_usec == 0)
                {
@@ -381,6 +391,7 @@ void dtls1_double_timeout(SSL *s)
 void dtls1_stop_timer(SSL *s)
        {
        /* Reset everything */
+        memset(&(s->d1->timeout), 0, sizeof(struct dtls1_timeout_st));
        memset(&(s->d1->next_timeout), 0, sizeof(struct timeval));
        s->d1->timeout_duration = 1;
        BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0, &(s->d1->next_timeout));
@@ -388,10 +399,28 @@ void dtls1_stop_timer(SSL *s)
        dtls1_clear_record_buffer(s);
        }
-int dtls1_handle_timeout(SSL *s)
+int dtls1_check_timeout_num(SSL *s)
        {
-        DTLS1_STATE *state;
+        s->d1->timeout.num_alerts++;
+        /* Reduce MTU after 2 unsuccessful retransmissions */
+        if (s->d1->timeout.num_alerts > 2)
+                {
+                s->d1->mtu = BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0, NULL);               
+                }
+        if (s->d1->timeout.num_alerts > DTLS1_TMO_ALERT_COUNT)
+                {
+                /* fail the connection, enough alerts have been sent */
+                SSLerr(SSL_F_DTLS1_CHECK_TIMEOUT_NUM,SSL_R_READ_TIMEOUT_EXPIRED);
+                return -1;
+                }
+        return 0;
+        }
+int dtls1_handle_timeout(SSL *s)
+        {
        /* if no timer is expired, don't do anything */
        if (!dtls1_is_timer_expired(s))
                {
@@ -399,20 +428,23 @@ int dtls1_handle_timeout(SSL *s)
                }
        dtls1_double_timeout(s);
-        state = s->d1;
-        state->timeout.num_alerts++;
+        if (dtls1_check_timeout_num(s) < 0)
-        if ( state->timeout.num_alerts > DTLS1_TMO_ALERT_COUNT)
-                {
-                /* fail the connection, enough alerts have been sent */
-                SSLerr(SSL_F_DTLS1_HANDLE_TIMEOUT,SSL_R_READ_TIMEOUT_EXPIRED);
                return -1;
+        s->d1->timeout.read_timeouts++;
+        if (s->d1->timeout.read_timeouts > DTLS1_TMO_READ_COUNT)
+                {
+                s->d1->timeout.read_timeouts = 1;
                }
-        state->timeout.read_timeouts++;
+#ifndef OPENSSL_NO_HEARTBEATS
-        if ( state->timeout.read_timeouts > DTLS1_TMO_READ_COUNT)
+        if (s->tlsext_hb_pending)
                {
-                state->timeout.read_timeouts = 1;
+                s->tlsext_hb_pending = 0;
+                return dtls1_heartbeat(s);
                }
+#endif
        dtls1_start_timer(s);
        return dtls1_retransmit_buffered_messages(s);

diff --git a/src/lib/libssl/d1_lib.c b/src/lib/libssl/d1_lib.c index c3b77c889b..f61f718183 100644 --- a/src/lib/libssl/d1_lib.c +++ b/src/lib/libssl/d1_lib.c
@@ -82,6 +82,7 @@ SSL3_ENC_METHOD DTLSv1_enc_data={
82	TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,	82	TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
83	TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,	83	TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
84	tls1_alert_code,	84	tls1_alert_code,
		85	tls1_export_keying_material,
85	};	86	};
86		87
87	long dtls1_default_timeout(void)	88	long dtls1_default_timeout(void)
@@ -291,6 +292,15 @@ const SSL_CIPHER *dtls1_get_cipher(unsigned int u)
291		292
292	void dtls1_start_timer(SSL *s)	293	void dtls1_start_timer(SSL *s)
293	{	294	{
		295	#ifndef OPENSSL_NO_SCTP
		296	/* Disable timer for SCTP */
		297	if (BIO_dgram_is_sctp(SSL_get_wbio(s)))
		298	{
		299	memset(&(s->d1->next_timeout), 0, sizeof(struct timeval));
		300	return;
		301	}
		302	#endif
		303
294	/* If timer is not set, initialize duration with 1 second */	304	/* If timer is not set, initialize duration with 1 second */
295	if (s->d1->next_timeout.tv_sec == 0 && s->d1->next_timeout.tv_usec == 0)	305	if (s->d1->next_timeout.tv_sec == 0 && s->d1->next_timeout.tv_usec == 0)
296	{	306	{
@@ -381,6 +391,7 @@ void dtls1_double_timeout(SSL *s)
381	void dtls1_stop_timer(SSL *s)	391	void dtls1_stop_timer(SSL *s)
382	{	392	{
383	/* Reset everything */	393	/* Reset everything */
		394	memset(&(s->d1->timeout), 0, sizeof(struct dtls1_timeout_st));
384	memset(&(s->d1->next_timeout), 0, sizeof(struct timeval));	395	memset(&(s->d1->next_timeout), 0, sizeof(struct timeval));
385	s->d1->timeout_duration = 1;	396	s->d1->timeout_duration = 1;
386	BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0, &(s->d1->next_timeout));	397	BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0, &(s->d1->next_timeout));
@@ -388,10 +399,28 @@ void dtls1_stop_timer(SSL *s)
388	dtls1_clear_record_buffer(s);	399	dtls1_clear_record_buffer(s);
389	}	400	}
390		401
391	int dtls1_handle_timeout(SSL *s)	402	int dtls1_check_timeout_num(SSL *s)
392	{	403	{
393	DTLS1_STATE *state;	404	s->d1->timeout.num_alerts++;
		405
		406	/* Reduce MTU after 2 unsuccessful retransmissions */
		407	if (s->d1->timeout.num_alerts > 2)
		408	{
		409	s->d1->mtu = BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0, NULL);
		410	}
394		411
		412	if (s->d1->timeout.num_alerts > DTLS1_TMO_ALERT_COUNT)
		413	{
		414	/* fail the connection, enough alerts have been sent */
		415	SSLerr(SSL_F_DTLS1_CHECK_TIMEOUT_NUM,SSL_R_READ_TIMEOUT_EXPIRED);
		416	return -1;
		417	}
		418
		419	return 0;
		420	}
		421
		422	int dtls1_handle_timeout(SSL *s)
		423	{
395	/* if no timer is expired, don't do anything */	424	/* if no timer is expired, don't do anything */
396	if (!dtls1_is_timer_expired(s))	425	if (!dtls1_is_timer_expired(s))
397	{	426	{
@@ -399,20 +428,23 @@ int dtls1_handle_timeout(SSL *s)
399	}	428	}
400		429
401	dtls1_double_timeout(s);	430	dtls1_double_timeout(s);
402	state = s->d1;	431
403	state->timeout.num_alerts++;	432	if (dtls1_check_timeout_num(s) < 0)
404	if ( state->timeout.num_alerts > DTLS1_TMO_ALERT_COUNT)
405	{
406	/* fail the connection, enough alerts have been sent */
407	SSLerr(SSL_F_DTLS1_HANDLE_TIMEOUT,SSL_R_READ_TIMEOUT_EXPIRED);
408	return -1;	433	return -1;
		434
		435	s->d1->timeout.read_timeouts++;
		436	if (s->d1->timeout.read_timeouts > DTLS1_TMO_READ_COUNT)
		437	{
		438	s->d1->timeout.read_timeouts = 1;
409	}	439	}
410		440
411	state->timeout.read_timeouts++;	441	#ifndef OPENSSL_NO_HEARTBEATS
412	if ( state->timeout.read_timeouts > DTLS1_TMO_READ_COUNT)	442	if (s->tlsext_hb_pending)
413	{	443	{
414	state->timeout.read_timeouts = 1;	444	s->tlsext_hb_pending = 0;
		445	return dtls1_heartbeat(s);
415	}	446	}
		447	#endif
416		448
417	dtls1_start_timer(s);	449	dtls1_start_timer(s);
418	return dtls1_retransmit_buffered_messages(s);	450	return dtls1_retransmit_buffered_messages(s);