The SSL_OP_NO_QUERY_MTU option is supposed to stop the mtu from being

[openssl.git] / ssl / d1_lib.c

diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
index 2287ba6fa42ddffda61ac53051311394318474db..09268b87903e341055e2ccf03080364705962a93 100644 (file)
--- a/ssl/d1_lib.c
+++ b/ssl/d1_lib.c
@@ -72,7 +72,7 @@ static int dtls1_handshake_write(SSL *s);
 const char dtls1_version_str[]="DTLSv1" OPENSSL_VERSION_PTEXT;
 int dtls1_listen(SSL *s, struct sockaddr *client);
 
-SSL3_ENC_METHOD DTLSv1_enc_data={
+const SSL3_ENC_METHOD DTLSv1_enc_data={
        tls1_enc,
        tls1_mac,
        tls1_setup_key_block,
@@ -91,7 +91,7 @@ SSL3_ENC_METHOD DTLSv1_enc_data={
        dtls1_handshake_write   
        };
 
-SSL3_ENC_METHOD DTLSv1_2_enc_data={
+const SSL3_ENC_METHOD DTLSv1_2_enc_data={
        tls1_enc,
        tls1_mac,
        tls1_setup_key_block,
@@ -187,24 +187,25 @@ static void dtls1_clear_queues(SSL *s)
     while( (item = pqueue_pop(s->d1->buffered_messages)) != NULL)
         {
         frag = (hm_fragment *)item->data;
-        OPENSSL_free(frag->fragment);
-        OPENSSL_free(frag);
+        dtls1_hm_fragment_free(frag);
         pitem_free(item);
         }
 
     while ( (item = pqueue_pop(s->d1->sent_messages)) != NULL)
         {
         frag = (hm_fragment *)item->data;
-        OPENSSL_free(frag->fragment);
-        OPENSSL_free(frag);
+        dtls1_hm_fragment_free(frag);
         pitem_free(item);
         }
 
        while ( (item = pqueue_pop(s->d1->buffered_app_data.q)) != NULL)
                {
-               frag = (hm_fragment *)item->data;
-               OPENSSL_free(frag->fragment);
-               OPENSSL_free(frag);
+               rdata = (DTLS1_RECORD_DATA *) item->data;
+               if (rdata->rbuf.buf)
+                       {
+                       OPENSSL_free(rdata->rbuf.buf);
+                       }
+               OPENSSL_free(item->data);
                pitem_free(item);
                }
        }
@@ -291,6 +292,25 @@ long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg)
        case DTLS_CTRL_LISTEN:
                ret = dtls1_listen(s, parg);
                break;
+       case SSL_CTRL_CHECK_PROTO_VERSION:
+               /* For library-internal use; checks that the current protocol
+                * is the highest enabled version (according to s->ctx->method,
+                * as version negotiation may have changed s->method). */
+               if (s->version == s->ctx->method->version)
+                       return 1;
+               /* Apparently we're using a version-flexible SSL_METHOD
+                * (not at its highest protocol version). */
+               if (s->ctx->method->version == DTLS_method()->version)
+                       {
+#if DTLS_MAX_VERSION != DTLS1_2_VERSION
+#  error Code needs update for DTLS_method() support beyond DTLS1_2_VERSION.
+#endif
+                       if (!(s->options & SSL_OP_NO_DTLSv1_2))
+                               return s->version == DTLS1_2_VERSION;
+                       if (!(s->options & SSL_OP_NO_DTLSv1))
+                               return s->version == DTLS1_VERSION;
+                       }
+               return 0; /* Unexpected state; fail closed. */
 
        default:
                ret = ssl3_ctrl(s, cmd, larg, parg);
@@ -433,7 +453,8 @@ int dtls1_check_timeout_num(SSL *s)
        s->d1->timeout.num_alerts++;
 
        /* Reduce MTU after 2 unsuccessful retransmissions */
-       if (s->d1->timeout.num_alerts > 2)
+       if (s->d1->timeout.num_alerts > 2
+                       && !(SSL_get_options(s) & SSL_OP_NO_QUERY_MTU))
                {
                s->d1->mtu = BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0, NULL);               
                }