From: Remi Gacogne
Date: Wed, 7 Aug 2019 14:54:31 +0000 (+0200)
Subject: dnsdist: Check that the TLS key type is supported
X-Git-Tag: dnsdist-1.4.0-rc1~4^2~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=37b9ba5a610104dffd99f0ee95da16b9a7dcc94c;p=thirdparty%2Fpdns.git
dnsdist: Check that the TLS key type is supported
---
diff --git a/pdns/dnsdist-lua.cc b/pdns/dnsdist-lua.cc
index 4195d428ba..62a2341667 100644
--- a/pdns/dnsdist-lua.cc
+++ b/pdns/dnsdist-lua.cc
@@ -87,7 +87,7 @@ void resetLuaSideEffect()
 g_noLuaSideEffect = boost::logic::indeterminate;
 }
-typedef std::unordered_map >, std::map, std::vector > > > localbind_t;
+typedef std::unordered_map >, std::vector >, std::map > > localbind_t;
 static void parseLocalBindVars(boost::optional vars, bool& reusePort, int& tcpFastOpenQueueSize, std::string& interface, std::set& cpus)
 {
diff --git a/pdns/dnsdistdist/doh.cc b/pdns/dnsdistdist/doh.cc
index bb4b6da94f..3074c8ed76 100644
--- a/pdns/dnsdistdist/doh.cc
+++ b/pdns/dnsdistdist/doh.cc
@@ -773,7 +773,11 @@ static std::unique_ptr getTLSContext(const std::vect
 throw std::runtime_error("Failed to setup SSL/TLS for DoH listener, the key from '" + pair.second + "' does not match the certificate from '" + pair.first + "'");
 }
 /* store the type of the new key, we might need it later to select the right OCSP stapling response */
- keyTypes.push_back(libssl_get_last_key_type(ctx));
+ auto keyType = libssl_get_last_key_type(ctx);
+ if (keyType < 0) {
+ throw std::runtime_error("Failed to setup SSL/TLS for DoH listener, the key from '" + pair.second + "' has an unknown type");
+ }
+ keyTypes.push_back(keyType);
 }
 if (!ocspFiles.empty()) {
diff --git a/pdns/dnsdistdist/tcpiohandler.cc b/pdns/dnsdistdist/tcpiohandler.cc
index f14c6e8ddf..fab7815deb 100644
--- a/pdns/dnsdistdist/tcpiohandler.cc
+++ b/pdns/dnsdistdist/tcpiohandler.cc
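Review bot: The new guard `if (keyType < 0)` in the doh.cc hunk only works because `libssl_get_last_key_type()` currently returns a signed value, yet the result is captured with `auto`; should that helper ever return an unsigned type the comparison becomes silently always-false and unknown key types would flow into `keyTypes` again, defeating the check this commit adds. Spelling the type at the call site, `const int keyType = libssl_get_last_key_type(ctx);`, pins that contract and lets the compiler warn on a sign mismatch. The same point applies to the identical hunk in tcpiohandler.cc. It would also help to extend the existing comment to state the convention the guard depends on, e.g. `/* a negative value means the key type is not one we can pick an OCSP response for, so reject it here rather than at stapling time */`, hedged as the helper's body is not part of this diff. getTLSContext's body begins and ends outside the hunk.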
@@ -438,7 +438,11 @@ public:
 }
 /* store the type of the new key, we might need it later to select the right OCSP stapling response */
- keyTypes.push_back(libssl_get_last_key_type(d_tlsCtx));
+ auto keyType = libssl_get_last_key_type(d_tlsCtx);
+ if (keyType < 0) {
+ throw std::runtime_error("Key from '" + pair.second + "' has an unknown type");
+ }
+ keyTypes.push_back(keyType);
 }
 if (!fe.d_ocspFiles.empty()) {