tls: Set min/max timeout to DTLS handshake

Fixes #34

ChangeLog

@@ -1,3 +1,7 @@
+[next]
+
+* tls: Add accessors to min/max timeout DTLS handshake.
+
 [1.3.1] - 2020-07-23
 
 * *: Add support for Python 3.9.

src/mbedtls/tls.pxd

@@ -151,6 +151,9 @@ cdef extern from "mbedtls/ssl.h" nogil:
         unsigned char min_minor_ver
         # set_anti_replay
         unsigned int anti_replay
+        # set_handshake_timeout
+        unsigned int hs_timeout_min
+        unsigned int hs_timeout_max
 
         unsigned int endpoint
         unsigned int transport
@@ -219,7 +222,9 @@ cdef extern from "mbedtls/ssl.h" nogil:
         mbedtls_ssl_config *conf,
         char mode)
     # mbedtls_ssl_conf_dtls_badmac_limit
-    # mbedtls_ssl_conf_handshake_timeout
+    void mbedtls_ssl_conf_handshake_timeout(
+        mbedtls_ssl_config *conf,
+        int min, int max)
     # mbedtls_ssl_conf_ciphersuites_for_version
     # mbedtls_ssl_conf_cert_profile
 
@@ -440,6 +445,7 @@ cdef class TLSConfiguration(_BaseConfiguration):
 cdef class DTLSConfiguration(_BaseConfiguration):
     cdef _DTLSCookie _cookie
     cdef _set_anti_replay(self, mode)
+    cdef _set_handshake_timeout(self, minimum, maximum)
     cdef _set_cookie(self, _DTLSCookie cookie)
 
 

src/mbedtls/tls.pyx

@@ -774,7 +774,8 @@ cdef class DTLSConfiguration(_BaseConfiguration):
         trust_store=None,
         anti_replay=None,
         # badmac_limit
-        # handshake_timeout
+        handshake_timeout_min=None,
+        handshake_timeout_max=None,
         sni_callback=None,
         pre_shared_key=None,
         pre_shared_key_store=None,
@@ -793,6 +794,7 @@ cdef class DTLSConfiguration(_BaseConfiguration):
             _transport=_tls.MBEDTLS_SSL_TRANSPORT_DATAGRAM,
         )
         self._set_anti_replay(anti_replay)
+        self._set_handshake_timeout(handshake_timeout_min, handshake_timeout_max)
         # For security reasons, we do not make cookie optional here.
         cdef _tls._DTLSCookie cookie = _tls._DTLSCookie()
         cookie.generate()
@@ -821,6 +823,38 @@ cdef class DTLSConfiguration(_BaseConfiguration):
         cdef unsigned int enabled = _tls.MBEDTLS_SSL_ANTI_REPLAY_ENABLED
         return True if self._ctx.anti_replay == enabled else False
 
+    cdef _set_handshake_timeout(self, minimum, maximum):
+        """Set DTLS handshake timeout.
+
+        Args:
+            minimum (float, optional): minimum timeout in seconds.
+            maximum (float, optional): maximum timeout in seconds.
+
+        """
+        if minimum is None and maximum is None:
+            return
+
+        def validate(extremum: float, *, default: float) -> float:
+            if extremum < 0.0:
+                raise ValueError(extremum)
+            return default if extremum is None else extremum
+
+        _tls.mbedtls_ssl_conf_handshake_timeout(
+            &self._ctx,
+            int(1000.0 * validate(minimum, default=1.0)),
+            int(1000.0 * validate(maximum, default=60.0)),
+        )
+
+    @property
+    def handshake_timeout_min(self):
+        """Min handshake timeout in seconds (default 1.0)."""
+        return float(self._ctx.hs_timeout_min) / 1000.0
+
+    @property
+    def handshake_timeout_max(self):
+        """Max handshake timeout in seconds (default 60.0)."""
+        return float(self._ctx.hs_timeout_max) / 1000.0
+
     cdef _set_cookie(self, _tls._DTLSCookie cookie):
         """Register callbacks for DTLS cookies (server only)."""
         self._cookie = cookie
@@ -848,10 +882,12 @@ cdef class DTLSConfiguration(_BaseConfiguration):
         lowest_supported_version=_DEFAULT_VALUE,
         highest_supported_version=_DEFAULT_VALUE,
         trust_store=_DEFAULT_VALUE,
+        anti_replay=_DEFAULT_VALUE,
+        handshake_timeout_min=_DEFAULT_VALUE,
+        handshake_timeout_max=_DEFAULT_VALUE,
         sni_callback=_DEFAULT_VALUE,
         pre_shared_key=_DEFAULT_VALUE,
         pre_shared_key_store=_DEFAULT_VALUE,
-        anti_replay=_DEFAULT_VALUE,
     ):
         """Create a new ``DTLSConfiguration``.
 
@@ -880,6 +916,15 @@ cdef class DTLSConfiguration(_BaseConfiguration):
         if trust_store is _DEFAULT_VALUE:
             trust_store = self.trust_store
 
+        if anti_replay is _DEFAULT_VALUE:
+            anti_replay = self.anti_replay
+
+        if handshake_timeout_min is _DEFAULT_VALUE:
+            handshake_timeout_min = self.handshake_timeout_min
+
+        if handshake_timeout_max is _DEFAULT_VALUE:
+            handshake_timeout_max = self.handshake_timeout_max
+
         if sni_callback is _DEFAULT_VALUE:
             sni_callback = self.sni_callback
 
@@ -889,9 +934,6 @@ cdef class DTLSConfiguration(_BaseConfiguration):
         if pre_shared_key_store is _DEFAULT_VALUE:
             pre_shared_key_store = self.pre_shared_key_store
 
-        if anti_replay is _DEFAULT_VALUE:
-            anti_replay = self.anti_replay
-
         return self.__class__(
             validate_certificates=validate_certificates,
             certificate_chain=certificate_chain,
@@ -900,10 +942,12 @@ cdef class DTLSConfiguration(_BaseConfiguration):
             lowest_supported_version=lowest_supported_version,
             highest_supported_version=highest_supported_version,
             trust_store=trust_store,
+            anti_replay=anti_replay,
+            handshake_timeout_min=handshake_timeout_min,
+            handshake_timeout_max=handshake_timeout_max,
             sni_callback=sni_callback,
             pre_shared_key=pre_shared_key,
             pre_shared_key_store=pre_shared_key_store,
-            anti_replay=anti_replay,
         )
 
 

tests/test_tls.py

@@ -239,6 +239,18 @@ def test_set_anti_replay(self, conf, anti_replay):
         conf_ = conf.update(anti_replay=anti_replay)
         assert conf_.anti_replay is anti_replay
 
+    @pytest.mark.parametrize(
+        "hs_min, hs_max", [(1, 60), (42, 69), (4.2, 6.9), (42.0, 69.0)]
+    )
+    def test_handshake_timeout_minmax(self, conf, hs_min, hs_max):
+        assert conf.handshake_timeout_min == 1.0
+        assert conf.handshake_timeout_max == 60.0
+        conf_ = conf.update(
+            handshake_timeout_min=hs_min, handshake_timeout_max=hs_max,
+        )
+        assert conf_.handshake_timeout_min == hs_min
+        assert conf_.handshake_timeout_max == hs_max
+
 
 class TestBaseContext:
     @pytest.fixture(params=[Purpose.SERVER_AUTH, Purpose.CLIENT_AUTH])