rec: ensure correct service user on debian

[thirdparty/pdns.git] / pdns / dnscrypt.cc

diff --git a/pdns/dnscrypt.cc b/pdns/dnscrypt.cc
index 1f7456348739834b69a0f3dbd281201bcf7b6231..4cf126ce389d6afc7f8bb979670e34c461e458e9 100644 (file)
--- a/pdns/dnscrypt.cc
+++ b/pdns/dnscrypt.cc
@@ -283,13 +283,19 @@ std::string DNSCryptContext::certificateDateToStr(uint32_t date)
   return string(buf);
 }
 
-void DNSCryptContext::addNewCertificate(const DNSCryptCert& newCert, const DNSCryptPrivateKey& newKey, bool active)
+void DNSCryptContext::addNewCertificate(const DNSCryptCert& newCert, const DNSCryptPrivateKey& newKey, bool active, bool reload)
 {
   WriteLock w(&d_lock);
 
   for (auto pair : certs) {
     if (pair->cert.getSerial() == newCert.getSerial()) {
-      throw std::runtime_error("Error adding a new certificate: we already have a certificate with the same serial");
+      if (reload) {
+        /* on reload we just assume that this is the same certificate */
+        return;
+      }
+      else {
+        throw std::runtime_error("Error adding a new certificate: we already have a certificate with the same serial");
+      }
     }
   }
 
@@ -301,7 +307,7 @@ void DNSCryptContext::addNewCertificate(const DNSCryptCert& newCert, const DNSCr
   certs.push_back(pair);
 }
 
-void DNSCryptContext::loadNewCertificate(const std::string& certFile, const std::string& keyFile, bool active)
+void DNSCryptContext::loadNewCertificate(const std::string& certFile, const std::string& keyFile, bool active, bool reload)
 {
   DNSCryptCert newCert;
   DNSCryptPrivateKey newPrivateKey;
@@ -309,7 +315,14 @@ void DNSCryptContext::loadNewCertificate(const std::string& certFile, const std:
   loadCertFromFile(certFile, newCert);
   newPrivateKey.loadFromFile(keyFile);
 
-  addNewCertificate(newCert, newPrivateKey, active);
+  addNewCertificate(newCert, newPrivateKey, active, reload);
+  certificatePath = certFile;
+  keyPath = keyFile;
+}
+
+void DNSCryptContext::reloadCertificate()
+{
+  loadNewCertificate(certificatePath, keyPath, true, true);
 }
 
 void DNSCryptContext::markActive(uint32_t serial)
@@ -713,7 +726,7 @@ int DNSCryptQuery::encryptResponse(char* response, uint16_t responseLen, uint16_
   return res;
 }
 
-int DNSCryptContext::encryptQuery(char* query, uint16_t queryLen, uint16_t querySize, const unsigned char clientPublicKey[DNSCRYPT_PUBLIC_KEY_SIZE], const DNSCryptPrivateKey& clientPrivateKey, const unsigned char clientNonce[DNSCRYPT_NONCE_SIZE / 2], bool tcp, uint16_t* encryptedResponseLen, const std::shared_ptr<DNSCryptCert> cert) const
+int DNSCryptContext::encryptQuery(char* query, uint16_t queryLen, uint16_t querySize, const unsigned char clientPublicKey[DNSCRYPT_PUBLIC_KEY_SIZE], const DNSCryptPrivateKey& clientPrivateKey, const unsigned char clientNonce[DNSCRYPT_NONCE_SIZE / 2], bool tcp, uint16_t* encryptedResponseLen, const std::shared_ptr<DNSCryptCert>& cert) const
 {
   assert(query != nullptr);
   assert(queryLen > 0);