dnsdist: Prevent a race when reloading TLS certificates

diff --git a/pdns/dnsdistdist/doh.cc b/pdns/dnsdistdist/doh.cc
index 08bf9376fad0469de62071633ee5567bbbe42f70..eba0a9082c81a4e35d38c7bd3f686f0cbc320e7c 100644 (file)
--- a/pdns/dnsdistdist/doh.cc
+++ b/pdns/dnsdistdist/doh.cc
@@ -1195,7 +1195,7 @@ static void on_accept(h2o_socket_t *listener, const char *err)
 
   gettimeofday(&conn.d_connectionStartTime, nullptr);
   conn.d_nbQueries = 0;
-  conn.d_acceptCtx = dsc->accept_ctx;
+  conn.d_acceptCtx = std::atomic_load_explicit(&dsc->accept_ctx, std::memory_order_acquire);
   conn.d_desc = descriptor;
 
   sock->on_close.cb = on_socketclose;
@@ -1350,7 +1350,7 @@ void DOHFrontend::reloadCertificates()
 {
   auto newAcceptContext = std::make_shared<DOHAcceptContext>();
   setupAcceptContext(*newAcceptContext, *d_dsc, true);
-  d_dsc->accept_ctx = newAcceptContext;
+  std::atomic_store_explicit(&d_dsc->accept_ctx, newAcceptContext, std::memory_order_release);
 }
 
 void DOHFrontend::setup()

diff --git a/pdns/tcpiohandler.cc b/pdns/tcpiohandler.cc
index 7a2989c31688e96628622415ecf84e3f97585515..2449e482cf951384787b36c7704f0e7a3d27d533 100644 (file)
--- a/pdns/tcpiohandler.cc
+++ b/pdns/tcpiohandler.cc
@@ -1220,29 +1220,33 @@ private:
 bool TLSFrontend::setupTLS()
 {
 #ifdef HAVE_DNS_OVER_TLS
+  std::shared_ptr<TLSCtx> newCtx{nullptr};
   /* get the "best" available provider */
   if (!d_provider.empty()) {
 #ifdef HAVE_GNUTLS
     if (d_provider == "gnutls") {
-      d_ctx = std::make_shared<GnuTLSIOCtx>(*this);
+      newCtx = std::make_shared<GnuTLSIOCtx>(*this);
+      std::atomic_store_explicit(&d_ctx, newCtx, std::memory_order_release);
       return true;
     }
 #endif /* HAVE_GNUTLS */
 #ifdef HAVE_LIBSSL
     if (d_provider == "openssl") {
-      d_ctx = std::make_shared<OpenSSLTLSIOCtx>(*this);
+      newCtx = std::make_shared<OpenSSLTLSIOCtx>(*this);
+      std::atomic_store_explicit(&d_ctx, newCtx, std::memory_order_release);
       return true;
     }
 #endif /* HAVE_LIBSSL */
   }
 #ifdef HAVE_LIBSSL
-  d_ctx = std::make_shared<OpenSSLTLSIOCtx>(*this);
+  newCtx = std::make_shared<OpenSSLTLSIOCtx>(*this);
 #else /* HAVE_LIBSSL */
 #ifdef HAVE_GNUTLS
-  d_ctx = std::make_shared<GnuTLSIOCtx>(*this);
+  newCtx = std::make_shared<GnuTLSIOCtx>(*this);
 #endif /* HAVE_GNUTLS */
 #endif /* HAVE_LIBSSL */
 
+  std::atomic_store_explicit(&d_ctx, newCtx, std::memory_order_release);
 #endif /* HAVE_DNS_OVER_TLS */
   return true;
 }

diff --git a/pdns/tcpiohandler.hh b/pdns/tcpiohandler.hh
index d15daa8cafae5b8d0edd0e4c46cef4fb8900794d..cfb7056bb1e26e94736bd9d042c9941deb46f7cb 100644 (file)
--- a/pdns/tcpiohandler.hh
+++ b/pdns/tcpiohandler.hh
@@ -101,8 +101,8 @@ public:
 
 protected:
   std::atomic_flag d_rotatingTicketsKey;
+  std::atomic<time_t> d_ticketsKeyNextRotation{0};
   time_t d_ticketsKeyRotationDelay{0};
-  time_t d_ticketsKeyNextRotation{0};
 };
 
 class TLSFrontend
@@ -132,9 +132,9 @@ public:
     }
   }
 
-  std::shared_ptr<TLSCtx>& getContext()
+  std::shared_ptr<TLSCtx> getContext()
   {
-    return d_ctx;
+    return std::atomic_load_explicit(&d_ctx, std::memory_order_acquire);
   }
 
   void cleanup()