From: Willem Toorop Date: Wed, 21 Aug 2013 09:46:58 +0000 (+0200) Subject: ldns-dane setup new ssl for each new connect X-Git-Tag: release-1.6.17rc1~69 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=15bd9b90243d779ab9ff2abe7b44209dc2d50741;p=thirdparty%2Fldns.git ldns-dane setup new ssl for each new connect Thanks Marco Davids
---
diff --git a/Changelog b/Changelog
index 9a9104bc..22644a3a 100644
--- a/Changelog
+++ b/Changelog
@@ -35,6 +35,7 @@
* Fix buffer overflow in fget_token and bget_token.
* ldns-verify-zone NSEC3 checking from quadratic to linear performance.
Thanks NIC MX (nicmexico.mx)
+ * ldns-dane setup new ssl session for each new connect to prevent hangs
1.6.16 2012-11-13
* Fix Makefile to build pyldns with BSD make
diff --git a/examples/ldns-dane.c b/examples/ldns-dane.c
index 00ba602b..2ade5c02 100644
--- a/examples/ldns-dane.c
+++ b/examples/ldns-dane.c
@@ -384,12 +384,6 @@ ssl_interact(SSL* ssl)
}
-void
-ssl_shutdown(SSL* ssl)
-{
- while (SSL_shutdown(ssl) == 0);
-}
-
ldns_rr_list*
rr_list_filter_rr_type(ldns_rr_list* l, ldns_rr_type t)
{
@@ -1631,13 +1625,13 @@ main(int argc, char* const* argv)
SSL_CTX_use_certificate_chain_file(ctx, cert_file) != 1) {
ssl_err("error loading certificate");
}
-ssl = SSL_new(ctx);
-if (! ssl) {
-ssl_err("could not SSL_new");
-}
if (cert_file) { /* ssl load certificate */
+ssl = SSL_new(ctx);
+if (! ssl) {
+ssl_err("could not SSL_new");
+}
cert = SSL_get_certificate(ssl);
if (! cert) {
ssl_err("could not SSL_get_certificate");
@@ -1661,6 +1655,7 @@ main(int argc, char* const* argv)
break;
default: break; /* suppress warning */
}
+SSL_free(ssl);
} else {/* No certificate file given, creation/validation via TLS. */
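Review bot: `cert` is left dangling once the added `SSL_free(ssl);` runs, because the `cert = SSL_get_certificate(ssl);` in the preceding hunk hands back the certificate owned by that SSL object rather than a new reference, at least in the OpenSSL releases ldns built against at the time — worth confirming for the version in use. Nothing visible in the hunk touches `cert` after the switch, but `main` runs past both ends of the hunk, so any later read of `cert` would be a use-after-free. I would null the pointer together with the free, `SSL_free(ssl); cert = NULL; /* cert was owned by ssl */`, and add a one-line comment above the `SSL_new` in the previous hunk saying the SSL object exists only to pull the loaded certificate out of the context.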
@@ -1681,6 +1676,10 @@ main(int argc, char* const* argv)
/* for all addresses, setup SSL and retrieve certificates */
for (i = 0; i < ldns_rr_list_rr_count(addresses); i++) {
+ ssl = SSL_new(ctx);
+ if (! ssl) {
+ ssl_err("could not SSL_new");
+ }
address = ldns_rr_a_address( ldns_rr_list_rr(addresses, i));
assert(address != NULL);
@@ -1718,7 +1717,8 @@ main(int argc, char* const* argv)
break;
default: break; /* suppress warning */
}
- ssl_shutdown(ssl);
+ while (SSL_shutdown(ssl) == 0);
+ SSL_free(ssl);
} /* end for all addresses */
} /* end No certification file */
@@ -1732,7 +1732,6 @@ main(int argc, char* const* argv)
ldns_rr_list_deep_free(tlsas);
/* cleanup */
-SSL_free(ssl);
SSL_CTX_free(ctx);
if (store) {
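Review bot: The inlined `while (SSL_shutdown(ssl) == 0);` can still stall the per-address loop: when the first call returns 0 (our close_notify sent, the peer's not yet seen) the second call waits for the peer's close_notify, and on a blocking socket with no timeout a server that never sends one hangs the tool on that address — the socket setup is outside this hunk, so whether the fd is blocking has to be confirmed. Since the loop only retrieves the peer certificate (per the comment at the top of the previous hunk), a one-directional shutdown is enough: `(void) SSL_shutdown(ssl); SSL_free(ssl);`, with a comment stating that waiting for the peer's close_notify is deliberately skipped. This `SSL_free` is also the only one visible inside the loop, so any `continue` between the `SSL_new` at the loop head and this point would leak the object; I cannot verify that from the hunk. `main` continues on both sides of this hunk.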