From ffd1136e94ca82b60169a415bd19f3d0d7a3c414 Mon Sep 17 00:00:00 2001
From: Jim Hague
Date: Thu, 15 Nov 2018 13:23:00 +0000
Subject: [PATCH] tls_create_object(): Move setting client state and auto-retry into connection_new and add setting connection session.
---
 src/openssl/tls.c | 14 ++++++++++++++
 src/openssl/tls.h | 3 ++-
 src/stub.c | 7 ++-----
 3 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/src/openssl/tls.c b/src/openssl/tls.c
index f6a663a6..c0e6338c 100644
--- a/src/openssl/tls.c
+++ b/src/openssl/tls.c
@@ -261,6 +261,11 @@ _getdns_tls_connection* _getdns_tls_connection_new(_getdns_tls_context* ctx, int
 return NULL;
 }
+ /* Connection is a client. */
+ SSL_set_connect_state(res->ssl);
+
+ /* If non-application data received, retry read. */
+ SSL_set_mode(res->ssl, SSL_MODE_AUTO_RETRY);
 return res;
 }
@@ -309,6 +314,15 @@ getdns_return_t _getdns_tls_connection_set_curves_list(_getdns_tls_connection* c
 return GETDNS_RETURN_GOOD;
 }
+getdns_return_t _getdns_tls_connection_set_session(_getdns_tls_connection* conn, _getdns_tls_session* s)
+{
+ if (!conn || !conn->ssl || !s || !s->ssl)
+ return GETDNS_RETURN_INVALID_PARAMETER;
+ if (!SSL_set_session(conn->ssl, s->ssl))
+ return GETDNS_RETURN_GENERIC_ERROR;
+ return GETDNS_RETURN_GOOD;
+}
+
 _getdns_tls_session* _getdns_tls_connection_get_session(_getdns_tls_connection* conn)
 {
 _getdns_tls_session* res;
diff --git a/src/openssl/tls.h b/src/openssl/tls.h
index f86aa465..53430653 100644
--- a/src/openssl/tls.h
+++ b/src/openssl/tls.h
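Review bot: Every connection built by _getdns_tls_connection_new() is now unconditionally a TLS client (the added SSL_set_connect_state() call), yet neither the function name nor its prototype in tls.h says so, so a future server-side or peer-to-peer use would silently get a client handshake. I would state it where the API is declared, e.g. above the prototype: `/* Creates a client-side connection on fd: the handshake is always initiated from our end. */`. The comment on SSL_set_mode() also overstates what SSL_MODE_AUTO_RETRY buys: as I read the OpenSSL documentation it only makes SSL_read()/SSL_write() absorb handshake records on a blocking transport, while a non-blocking caller still has to retry on SSL_ERROR_WANT_READ, so `/* Let SSL_read()/SSL_write() absorb handshake records themselves (blocking transports only). */` would be more accurate. The `(void)` that the removed stub.c line put in front of SSL_set_mode() was dropped here; harmless, but worth keeping for consistency. The body of _getdns_tls_connection_new() starts outside the hunk.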
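Review bot: _getdns_tls_connection_set_session() now reports a refused session as GETDNS_RETURN_GENERIC_ERROR, but its only caller in this commit (the stub.c hunk at old line 1082) discards that value, so a rejected resumption attempt is logged by the following DEBUG_STUB line exactly like a successful one and the fall back to a full handshake leaves no trace. I would check it at the call site, `if (_getdns_tls_connection_set_session(tls, upstream->tls_session) != GETDNS_RETURN_GOOD) DEBUG_STUB("%s %-35s: Session re-use refused\n", STUB_DEBUG_SETUP_TLS, __FUNC__);`, and keep the existing "Attempting session re-use" message for the success path. The function itself looks right: the NULL checks cover both the wrappers and the inner ssl pointers before SSL_set_session() is reached.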
@@ -75,9 +75,10 @@ getdns_return_t _getdns_tls_connection_shutdown(_getdns_tls_connection* conn);
 getdns_return_t _getdns_tls_connection_set_cipher_list(_getdns_tls_connection* conn, const char* list);
 getdns_return_t _getdns_tls_connection_set_curves_list(_getdns_tls_connection* conn, const char* list);
+getdns_return_t _getdns_tls_connection_set_session(_getdns_tls_connection* conn, _getdns_tls_session* s);
 _getdns_tls_session* _getdns_tls_connection_get_session(_getdns_tls_connection* conn);
-getdns_return_t _getdns_tls_session_free(_getdns_tls_session* ctx);
+getdns_return_t _getdns_tls_session_free(_getdns_tls_session* s);
 getdns_return_t _getdns_tls_get_api_information(getdns_dict* dict);
diff --git a/src/stub.c b/src/stub.c
index 8be04fd7..16b49060 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -925,7 +925,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 _getdns_tls_connection* tls = _getdns_tls_connection_new(context->tls_ctx, fd);
 if(!tls) return NULL;
-#if defined(HAVE_DECL_SSL_SET1_CURVES_LIST) && HAVE_DECL_SSL_SET1_CURVES_LIST
+#if HAVE_TLS_CONN_CURVES_LIST
 if (upstream->tls_curves_list)
 _getdns_tls_connection_set_curves_list(tls, upstream->tls_curves_list);
 #endif
@@ -1072,9 +1072,6 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, tls_verify_callback);
 #endif
- SSL_set_connect_state(tls->ssl);
- (void) SSL_set_mode(tls->ssl, SSL_MODE_AUTO_RETRY);
-
 /* Session resumption. There are trade-offs here. Want to do it when possible only if we have the right type of connection. Note a change to the upstream auth info creates a new upstream so never re-uses.*/
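Review bot: The new _getdns_tls_connection_set_session() prototype carries no contract, although tls.c fixes one: GETDNS_RETURN_INVALID_PARAMETER for a NULL conn or session (or an unset inner ssl pointer), GETDNS_RETURN_GENERIC_ERROR when the library refuses the session, and — since SSL_set_session() takes its own reference on the SSL_SESSION, which is the OpenSSL contract rather than something visible here — the caller keeps ownership of `s` and still frees it with _getdns_tls_session_free(). I would put that above the declaration: `/* Offer session s for resumption on conn. Caller keeps ownership of s. Returns INVALID_PARAMETER for NULL arguments, GENERIC_ERROR if the session is refused. */`. The parameter rename on _getdns_tls_session_free() is fine and makes the two session prototypes consistent.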
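Review bot: Under the new `#if HAVE_TLS_CONN_CURVES_LIST` the return value of _getdns_tls_connection_set_curves_list() is still discarded, so a curves list the library rejects silently leaves the connection on the default groups and the operator's explicit configuration is dropped without any trace. Since the function returns a getdns_return_t, I would at least surface it: `if (_getdns_tls_connection_set_curves_list(tls, upstream->tls_curves_list) != GETDNS_RETURN_GOOD) DEBUG_STUB("%s %-35s: Curves list rejected\n", STUB_DEBUG_SETUP_TLS, __FUNC__);`. The macro is also tested bare, unlike the `defined(...) && ...` form it replaces; if the build leaves HAVE_TLS_CONN_CURVES_LIST undefined the whole block compiles out silently, so either keep a `defined()` guard or make sure it is always defined as 0 or 1 (where it is defined is not visible here). tls_create_object() starts and ends outside this hunk.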
@@ -1082,7 +1079,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 if ((upstream->tls_fallback_ok == 0 && upstream->last_tls_auth_state == GETDNS_AUTH_OK) || upstream->tls_fallback_ok == 1) {
- SSL_set_session(tls->ssl, upstream->tls_session->ssl);
+ _getdns_tls_connection_set_session(tls, upstream->tls_session);
 DEBUG_STUB("%s %-35s: Attempting session re-use\n", STUB_DEBUG_SETUP_TLS, __FUNC__);
 }