From: Matt Caswell <matt@openssl.org>
Date: Mon, 1 Dec 2014 11:13:15 +0000 (+0000)
Subject: The SSL_OP_NO_QUERY_MTU option is supposed to stop the mtu from being
X-Git-Tag: OpenSSL_1_0_1k~68
X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=8aaeec9f9a46b4f79d70e30ff5bb189f0283797d

The SSL_OP_NO_QUERY_MTU option is supposed to stop the mtu from being
automatically updated, and we should use the one provided instead.
Unfortunately there are a couple of locations where this is not respected.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 001235778a6e9c645dc0507cad6092d99c9af8f5)
---

diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index 99a031c0af..4e68a2907b 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -350,10 +350,17 @@ int dtls1_do_write(SSL *s, int type)
 			 */
 			if ( BIO_ctrl(SSL_get_wbio(s),
 				BIO_CTRL_DGRAM_MTU_EXCEEDED, 0, NULL) > 0 )
-				s->d1->mtu = BIO_ctrl(SSL_get_wbio(s),
-					BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL);
+				{
+				if(!(SSL_get_options(s) & SSL_OP_NO_QUERY_MTU))
+					s->d1->mtu = BIO_ctrl(SSL_get_wbio(s),
+						BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL);
+				else
+					return -1;
+				}
 			else
+				{
 				return(-1);
+				}
 			}
 		else
 			{
diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
index f7d681bfdb..1e1c32ae8d 100644
--- a/ssl/d1_lib.c
+++ b/ssl/d1_lib.c
@@ -416,7 +416,8 @@ int dtls1_check_timeout_num(SSL *s)
 	s->d1->timeout.num_alerts++;
 
 	/* Reduce MTU after 2 unsuccessful retransmissions */
-	if (s->d1->timeout.num_alerts > 2)
+	if (s->d1->timeout.num_alerts > 2
+			&& !(SSL_get_options(s) & SSL_OP_NO_QUERY_MTU))
 		{
 		s->d1->mtu = BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0, NULL);		
 		}