From 3e12ed955bd54b738fa882b29dd8439fe919af4c Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Thu, 23 Oct 2025 16:25:24 +0200
Subject: [PATCH] schannel: lower the maximum allowed time to block to 7 seconds

During TLS renegotiation, the schannel_recv_renegotiate() function is allowed to block for a short while. Reduce the maximum allowed time to block from 10 minutes down to 7 seconds.

Closes #19205
---
 lib/vtls/schannel.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
index 0178659f9a..0561d6fbdd 100644
--- a/lib/vtls/schannel.c
+++ b/lib/vtls/schannel.c
@@ -1691,6 +1691,8 @@ enum schannel_renegotiate_caller_t {
   SCH_RENEG_CALLER_IS_SEND
 };
 
+#define MAX_RENEG_BLOCK_TIME (7 * 1000) /* 7 seconds in milliseconds */
+
 /* This function renegotiates the connection due to a server request received
    by schannel_recv. This function returns CURLE_AGAIN if the renegotiation is
    incomplete. In that case, we remain in the renegotiation (connecting) stage
@@ -1702,7 +1704,6 @@ schannel_recv_renegotiate(struct Curl_cfilter *cf, struct Curl_easy *data,
 {
   CURLcode result;
   curl_socket_t sockfd;
-  const timediff_t max_renegotiate_ms = 5 * 60 * 1000; /* 5 minutes */
   struct ssl_connect_data *connssl = cf->ctx;
   struct schannel_ssl_backend_data *backend =
     (struct schannel_ssl_backend_data *)connssl->backend;
@@ -1743,7 +1744,7 @@ schannel_recv_renegotiate(struct Curl_cfilter *cf, struct Curl_easy *data,
       timediff_t elapsed;
 
       elapsed = curlx_timediff(curlx_now(), rs->start_time);
-      if(elapsed >= max_renegotiate_ms) {
+      if(elapsed >= MAX_RENEG_BLOCK_TIME) {
         failf(data, "schannel: renegotiation timeout");
         result = CURLE_SSL_CONNECT_ERROR;
         break;
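Review bot: The new `MAX_RENEG_BLOCK_TIME` macro drops the unit that the removed `max_renegotiate_ms` carried in its name and is an untyped int expression, so the unit is no longer visible at the comparison in the third hunk nor at `remaining = MAX_RENEG_BLOCK_TIME - elapsed;` in the last hunk. Defining it as `#define MAX_RENEG_BLOCK_MS ((timediff_t)7 * 1000) /* 7 seconds */` keeps the unit in the identifier and the arithmetic in `timediff_t` without relying on integer promotion. The header comment that follows the define only says the function may block "for a short while"; a sentence such as `The time since rs->start_time spent in renegotiation is bounded by MAX_RENEG_BLOCK_TIME; exceeding it fails with CURLE_SSL_CONNECT_ERROR.` would document the bound where the function is described. Separately, the commit message says the bound was lowered from 10 minutes, but the removed line in the second hunk reads `5 * 60 * 1000; /* 5 minutes */`, so one of the two appears to be off.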
@@ -1810,12 +1811,12 @@ schannel_recv_renegotiate(struct Curl_cfilter *cf, struct Curl_easy *data,
       }
 
       elapsed = curlx_timediff(curlx_now(), rs->start_time);
-      if(elapsed >= max_renegotiate_ms) {
+      if(elapsed >= MAX_RENEG_BLOCK_TIME) {
         failf(data, "schannel: renegotiation timeout");
         result = CURLE_SSL_CONNECT_ERROR;
         break;
       }
-      remaining = max_renegotiate_ms - elapsed;
+      remaining = MAX_RENEG_BLOCK_TIME - elapsed;
       if(blocking) {
         timeout = Curl_timeleft(data, NULL, FALSE);
 
-- 
2.47.3