schannel: lower the maximum allowed time to block to 7 seconds

During TLS renegotiation, the schannel_recv_renegotiate() function is
allowed to block for a short while. Reduce the maximum allowed time to
block from 10 minutes down to 7 seconds.

Closes #19205
This commit is contained in:
Daniel Stenberg 2025-10-23 16:25:24 +02:00
parent a3793ee7e3
commit 3e12ed955b
No known key found for this signature in database
GPG key ID: 5CC908FDB71E12C2

View file

@ -1691,6 +1691,8 @@ enum schannel_renegotiate_caller_t {
SCH_RENEG_CALLER_IS_SEND
};
#define MAX_RENEG_BLOCK_TIME (7 * 1000) /* 7 seconds in milliseconds */
/* This function renegotiates the connection due to a server request received
by schannel_recv. This function returns CURLE_AGAIN if the renegotiation is
incomplete. In that case, we remain in the renegotiation (connecting) stage
@ -1702,7 +1704,6 @@ schannel_recv_renegotiate(struct Curl_cfilter *cf, struct Curl_easy *data,
{
CURLcode result;
curl_socket_t sockfd;
const timediff_t max_renegotiate_ms = 5 * 60 * 1000; /* 5 minutes */
struct ssl_connect_data *connssl = cf->ctx;
struct schannel_ssl_backend_data *backend =
(struct schannel_ssl_backend_data *)connssl->backend;
@ -1743,7 +1744,7 @@ schannel_recv_renegotiate(struct Curl_cfilter *cf, struct Curl_easy *data,
timediff_t elapsed;
elapsed = curlx_timediff(curlx_now(), rs->start_time);
if(elapsed >= max_renegotiate_ms) {
if(elapsed >= MAX_RENEG_BLOCK_TIME) {
failf(data, "schannel: renegotiation timeout");
result = CURLE_SSL_CONNECT_ERROR;
break;
@ -1810,12 +1811,12 @@ schannel_recv_renegotiate(struct Curl_cfilter *cf, struct Curl_easy *data,
}
elapsed = curlx_timediff(curlx_now(), rs->start_time);
if(elapsed >= max_renegotiate_ms) {
if(elapsed >= MAX_RENEG_BLOCK_TIME) {
failf(data, "schannel: renegotiation timeout");
result = CURLE_SSL_CONNECT_ERROR;
break;
}
remaining = max_renegotiate_ms - elapsed;
remaining = MAX_RENEG_BLOCK_TIME - elapsed;
if(blocking) {
timeout = Curl_timeleft(data, NULL, FALSE);