- Fix unbound-dnstap-socket test program to reply the finish frame
authorW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Tue, 14 Mar 2023 15:57:37 +0000 (16:57 +0100)
committerW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Tue, 14 Mar 2023 15:57:37 +0000 (16:57 +0100)
  over a TLS connection correctly.

dnstap/unbound-dnstap-socket.c
doc/Changelog

index 3bf889463eac4e245cdf5fd30b41670bbf7c5343..618e20fa647111ef0c99cfe3241c98144863782f 100644 (file)
@@ -789,7 +789,7 @@ static int reply_with_accept(struct tap_data* data)
 
 /** reply with FINISH control frame to bidirectional client,
  * returns 0 on error */
-static int reply_with_finish(int fd)
+static int reply_with_finish(struct tap_data* data)
 {
 #ifdef USE_DNSTAP
        size_t len = 0;
@@ -799,21 +799,34 @@ static int reply_with_finish(int fd)
                return 0;
        }
 
-       fd_set_block(fd);
-       if(send(fd, finishframe, len, 0) == -1) {
-               log_err("send failed: %s", sock_strerror(errno));
-               fd_set_nonblock(fd);
-               free(finishframe);
-               return 0;
+       fd_set_block(data->fd);
+       if(data->ssl) {
+               int r;
+               if((r=SSL_write(data->ssl, finishframe, len)) <= 0) {
+                       if(SSL_get_error(data->ssl, r) == SSL_ERROR_ZERO_RETURN)
+                               log_err("SSL_write, peer closed connection");
+                       else
+                               log_err("could not SSL_write");
+                       fd_set_nonblock(data->fd);
+                       free(finishframe);
+                       return 0;
+               }
+       } else {
+               if(send(data->fd, finishframe, len, 0) == -1) {
+                       log_err("send failed: %s", sock_strerror(errno));
+                       fd_set_nonblock(data->fd);
+                       free(finishframe);
+                       return 0;
+               }
        }
        if(verbosity) log_info("sent control frame(finish)");
 
-       fd_set_nonblock(fd);
+       fd_set_nonblock(data->fd);
        free(finishframe);
        return 1;
 #else
        log_err("no dnstap compiled, no reply");
-       (void)fd;
+       (void)data;
        return 0;
 #endif
 }
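Review bot: The new `SSL_write`/`SSL_get_error` branch is guarded only by `#ifdef USE_DNSTAP`, while the handshake code further down in this file is closed by `#endif /* HAVE_SSL */`, so a build with dnstap but without SSL would presumably not compile here unless a guard exists outside the visible lines. Wrapping the body of `if(data->ssl) {` in `#ifdef HAVE_SSL` … `#endif` would match the rest of the file. The generic `log_err("could not SSL_write")` also drops the value returned by `SSL_get_error`, which makes a failed TLS write hard to diagnose; keeping it in a local and logging it, e.g. `log_err("could not SSL_write, error %d", e);`, would help. `len` is a `size_t` passed to the `int` length parameter of `SSL_write`, which is harmless for a control frame, but `(int)len` would make the narrowing explicit. The function's opening lines are in the previous hunk, and the frame-creation code between the two hunks is not shown.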
@@ -933,7 +946,7 @@ static int tap_handshake(struct tap_data* data)
 #endif /* HAVE_SSL */
 
 /** callback for dnstap listener */
-void dtio_tap_callback(int fd, short ATTR_UNUSED(bits), void* arg)
+void dtio_tap_callback(int ATTR_UNUSED(fd), short ATTR_UNUSED(bits), void* arg)
 {
        struct tap_data* data = (struct tap_data*)arg;
        if(verbosity>=3) log_info("tap callback");
@@ -1016,7 +1029,7 @@ void dtio_tap_callback(int fd, short ATTR_UNUSED(bits), void* arg)
                }
        } else if(data->len >= 4 && sldns_read_uint32(data->frame) ==
                FSTRM_CONTROL_FRAME_STOP && data->is_bidirectional) {
-               if(!reply_with_finish(fd)) {
+               if(!reply_with_finish(data)) {
                        tap_data_free(data);
                        return;
                }
index e95b76bb5e299f9bb3f4f5a58a9db9740d19d350..399da1473cf0977253efb44cae1ebf4e863364b5 100644 (file)
@@ -1,3 +1,7 @@
+14 March 2023: Wouter
+       - Fix unbound-dnstap-socket test program to reply the finish frame
+         over a TLS connection correctly.
+
 23 February 2023: Wouter
        - Fix for #852: Completion of error handling.