From 5a9cff116b5c4607b13d8d036e799a5de4b71934 Mon Sep 17 00:00:00 2001
From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Mon, 3 May 2021 10:22:08 +0200
Subject: [PATCH] dnsdist: Fix missing locks in DNSCrypt certificates
 management

In theory these functions should already be protected by the Lua
lock but better safe than sorry.
Found while working on the migration to LockGuarded.
---
 pdns/dnscrypt.cc | 24 +++++++++++++++++++++---
 pdns/dnscrypt.hh |  2 +-
 2 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/pdns/dnscrypt.cc b/pdns/dnscrypt.cc
index 4a0abe5656..d728a5c32e 100644
--- a/pdns/dnscrypt.cc
+++ b/pdns/dnscrypt.cc
@@ -327,14 +327,22 @@ void DNSCryptContext::loadNewCertificate(const std::string& certFile, const std:
   auto newPair = DNSCryptContext::loadCertificatePair(certFile, keyFile);
   newPair->active = active;
   addNewCertificate(newPair, reload);
-  d_certKeyPaths.push_back({certFile, keyFile});
+  {
+    WriteLock w(&d_lock);
+    d_certKeyPaths.push_back({certFile, keyFile});
+  }
 }
 
 void DNSCryptContext::reloadCertificates()
 {
   std::vector<std::shared_ptr<DNSCryptCertificatePair>> newCerts;
-  for (const auto& pair : d_certKeyPaths) {
-    newCerts.push_back(DNSCryptContext::loadCertificatePair(pair.cert, pair.key));
+
+  {
+    ReadLock rl(&d_lock);
+    newCerts.reserve(d_certKeyPaths.size());
+    for (const auto& pair : d_certKeyPaths) {
+      newCerts.push_back(DNSCryptContext::loadCertificatePair(pair.cert, pair.key));
+    }
   }
 
   {
@@ -343,6 +351,16 @@ void DNSCryptContext::reloadCertificates()
   }
 }
 
+std::vector<std::shared_ptr<DNSCryptCertificatePair>> DNSCryptContext::getCertificates() {
+  std::vector<std::shared_ptr<DNSCryptCertificatePair>> ret;
+  {
+    ReadLock w(&d_lock);
+    ret = d_certs;
+  }
+
+  return ret;
+};
+
 void DNSCryptContext::markActive(uint32_t serial)
 {
   WriteLock w(&d_lock);
diff --git a/pdns/dnscrypt.hh b/pdns/dnscrypt.hh
index 8139e281e5..0dec4c2883 100644
--- a/pdns/dnscrypt.hh
+++ b/pdns/dnscrypt.hh
@@ -278,7 +278,7 @@ public:
   void markActive(uint32_t serial);
   void markInactive(uint32_t serial);
   void removeInactiveCertificate(uint32_t serial);
-  std::vector<std::shared_ptr<DNSCryptCertificatePair>> getCertificates() { return d_certs; };
+  std::vector<std::shared_ptr<DNSCryptCertificatePair>> getCertificates();
   const DNSName& getProviderName() const { return providerName; }
 
   int encryptQuery(PacketBuffer& query, size_t maximumSize, const unsigned char clientPublicKey[DNSCRYPT_PUBLIC_KEY_SIZE], const DNSCryptPrivateKey& clientPrivateKey, const unsigned char clientNonce[DNSCRYPT_NONCE_SIZE / 2], bool tcp, const std::shared_ptr<DNSCryptCert>& cert) const;
-- 
2.47.2