From 916c739b877cc21ff901ec99ba50ad3e4a4f7f2b Mon Sep 17 00:00:00 2001 From: Achim Kraus Date: Mon, 26 Aug 2024 10:32:55 +0200 Subject: [PATCH] dtls.c: ensure, alerts are reported by events. For warning/close_notify wait for the retransmission time or response before closing the peer. For other alerts report event immediately and close the peer. Signed-off-by: Achim Kraus --- dtls.c | 77 ++++++++++++++++++++++++---------------------------------- 1 file changed, 32 insertions(+), 45 deletions(-) diff --git a/dtls.c b/dtls.c index 47590c2..279da9e 100644 --- a/dtls.c +++ b/dtls.c @@ -2133,42 +2133,45 @@ static inline int dtls_send_alert(dtls_context_t *ctx, dtls_peer_t *peer, dtls_alert_level_t level, dtls_alert_t description) { uint8_t msg[] = { level, description }; + netq_t *n = NULL; dtls_send(ctx, peer, DTLS_CT_ALERT, msg, sizeof(msg)); - /* copy close alert in retransmit buffer to emulate timeout */ - /* not resent, therefore don't copy the complete record */ - netq_t *n = netq_node_new(2); - if (n) { - dtls_tick_t now; - dtls_ticks(&now); - n->t = now + 2 * CLOCK_SECOND; - n->retransmit_cnt = 0; - n->timeout = 2 * CLOCK_SECOND; - n->peer = peer; - n->epoch = peer->security_params[0]->epoch; - n->type = DTLS_CT_ALERT; - n->length = 2; - n->data[0] = level; - n->data[1] = description; - n->job = TIMEOUT; - - if (!netq_insert_node(&ctx->sendqueue, n)) { - dtls_warn("cannot add alert to retransmit buffer\n"); - netq_node_free(n); - n = NULL; + if (description == DTLS_ALERT_CLOSE_NOTIFY && level == DTLS_ALERT_LEVEL_WARNING) { + /* copy close alert in retransmit buffer to emulate timeout */ + /* not resent, therefore don't copy the complete record */ + n = netq_node_new(2); + if (n) { + dtls_tick_t now; + dtls_ticks(&now); + n->t = now + 2 * CLOCK_SECOND; + n->retransmit_cnt = 0; + n->timeout = 2 * CLOCK_SECOND; + n->peer = peer; + n->epoch = peer->security_params[0]->epoch; + n->type = DTLS_CT_ALERT; + n->length = 2; + n->data[0] = level; + n->data[1] = description; + n->job = TIMEOUT; + + if (!netq_insert_node(&ctx->sendqueue, n)) { + dtls_warn("cannot add alert to retransmit buffer\n"); + netq_node_free(n); + n = NULL; #ifdef WITH_CONTIKI - } else { - /* must set timer within the context of the retransmit process */ - PROCESS_CONTEXT_BEGIN(&dtls_retransmit_process); - etimer_set(&ctx->retransmit_timer, n->timeout); - PROCESS_CONTEXT_END(&dtls_retransmit_process); + } else { + /* must set timer within the context of the retransmit process */ + PROCESS_CONTEXT_BEGIN(&dtls_retransmit_process); + etimer_set(&ctx->retransmit_timer, n->timeout); + PROCESS_CONTEXT_END(&dtls_retransmit_process); #else /* WITH_CONTIKI */ - dtls_debug("alert copied to retransmit buffer\n"); + dtls_debug("alert copied to retransmit buffer\n"); #endif /* WITH_CONTIKI */ + } + } else { + dtls_warn("cannot add alert, retransmit buffer full\n"); } - } else { - dtls_warn("cannot add alert, retransmit buffer full\n"); } if (!n) { /* timeout not registered */ @@ -4735,10 +4738,6 @@ dtls_handle_message(dtls_context_t *ctx, dtls_stop_retransmission(ctx, peer); dtls_alert_send_from_err(ctx, peer, err); - /* invalidate peer */ - dtls_destroy_peer(ctx, peer, DTLS_DESTROY_CLOSE); - peer = NULL; - return err; } break; @@ -4759,10 +4758,6 @@ dtls_handle_message(dtls_context_t *ctx, dtls_info("received close_notify alert, peer has been invalidated\n"); else dtls_warn("received fatal alert, peer has been invalidated\n"); - /* handle alert has invalidated peer */ - peer = NULL; - err = -1; - /* no more valid records after fatal alerts */ return 0; } else { dtls_stop_retransmission(ctx, peer); @@ -4777,14 +4772,6 @@ dtls_handle_message(dtls_context_t *ctx, " state %d\n", -err, dtls_handshake_type_to_name(data[0]), data[0], peer->state); dtls_alert_send_from_err(ctx, peer, err); - - if (peer && DTLS_ALERT_LEVEL_FATAL == ((-err) & 0xff00) >> 8) { - /* invalidate peer */ - peer->state = DTLS_STATE_CLOSED; - dtls_stop_retransmission(ctx, peer); - dtls_destroy_peer(ctx, peer, DTLS_DESTROY_CLOSE); - peer = NULL; - } return err; } if (peer && peer->state == DTLS_STATE_CONNECTED) {