2739. [cleanup] Clean up API for initializing and clearing trust
authorEvan Hunt <each@isc.org>
Tue, 27 Oct 2009 22:46:13 +0000 (22:46 +0000)
committerEvan Hunt <each@isc.org>
Tue, 27 Oct 2009 22:46:13 +0000 (22:46 +0000)
anchors for a view. [RT #20211]

CHANGES
bin/named/server.c
lib/dns/client.c
lib/dns/include/dns/view.h
lib/dns/resolver.c
lib/dns/validator.c
lib/dns/view.c
lib/dns/zone.c

diff --git a/CHANGES b/CHANGES
index d5a78f0488a8888391a6e7a1cc607be4f486d137..e928a4a2cc5bb7842a2e104e0d13e10669bbbeef 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2739.  [cleanup]       Clean up API for initializing and clearing trust
+                       anchors for a view. [RT #20211]
+
 2738.  [func]          Add RSASHA256 and RSASHA512 tests to the dnssec system
                        test. [RT #20453]
 
index 6bedd20887e4fa3c2cca4bb9e714ddaee811f2e7..99ef01eff0ac181a268739b3faf01c0f6c50246c 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.c,v 1.553 2009/10/26 23:14:53 each Exp $ */
+/* $Id: server.c,v 1.554 2009/10/27 22:46:13 each Exp $ */
 
 /*! \file */
 
@@ -578,7 +578,10 @@ load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig,
        const cfg_listelt_t *elt, *elt2;
        const cfg_obj_t *key, *keylist;
        dst_key_t *dstkey = NULL;
-       isc_result_t result = ISC_R_SUCCESS;
+       isc_result_t result;
+       dns_keytable_t *secroots = NULL;
+
+       CHECK(dns_view_getsecroots(view, &secroots));
 
        for (elt = cfg_list_first(keys);
             elt != NULL;
@@ -597,12 +600,14 @@ load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig,
                        }
                        if (result != ISC_R_SUCCESS)
                                goto cleanup;
-                       CHECK(dns_keytable_add(view->secroots, managed,
-                                              &dstkey));
+
+                       CHECK(dns_keytable_add(secroots, managed, &dstkey));
                }
        }
 
  cleanup:
+       if (secroots != NULL)
+               dns_keytable_detach(&secroots);
        if (result == DST_R_NOCRYPTO)
                result = ISC_R_SUCCESS;
        return (result);
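Review bot: The `cleanup:` path shown here detaches `secroots` but never releases `dstkey`, so the key object leaks if dns_keytable_add() fails without consuming it. That function's ownership rule is not visible on this page, so this is an assumption to confirm. Adding `if (dstkey != NULL) dst_key_free(&dstkey);` under `cleanup:` would cover it. The same pattern appears in the new cleanup of dns_client_addtrustedkey in lib/dns/client.c, and in trust_key in lib/dns/zone.c, where `key` is declared inside the loop and is out of scope at `failure:`. load_view_keys begins outside this hunk.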
@@ -628,14 +633,18 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
        const cfg_obj_t *maps[4];
        const cfg_obj_t *voptions = NULL;
        const cfg_obj_t *options = NULL;
+       isc_boolean_t meta;
        int i = 0;
 
        /* We don't need trust anchors for the _bind view */
-       if (strcmp(view->name, "_bind") == 0) {
-               view->secroots = NULL;
+       if (strcmp(view->name, "_bind") == 0 &&
+           view->rdclass == dns_rdataclass_chaos) {
                return (ISC_R_SUCCESS);
        }
 
+       meta = ISC_TF(strcmp(view->name, "_meta") == 0 &&
+                     view->rdclass == dns_rdataclass_in);
+
        if (vconfig != NULL) {
                voptions = cfg_tuple_get(vconfig, "options");
                if (voptions != NULL) {
@@ -657,9 +666,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
        maps[i++] = ns_g_defaults;
        maps[i] = NULL;
 
-       if (view->secroots != NULL)
-               dns_keytable_detach(&view->secroots);
-       result = dns_keytable_create(mctx, &view->secroots);
+       result = dns_view_initsecroots(view, mctx);
        if (result != ISC_R_SUCCESS) {
                isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
                              NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
@@ -697,7 +704,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
                CHECK(load_view_keys(builtin_keys, vconfig, view,
                                     ISC_FALSE, mctx));
 
-               if (strcmp(view->name, "_meta") == 0)
+               if (meta)
                        CHECK(load_view_keys(builtin_managed_keys, vconfig,
                                             view, ISC_TRUE, mctx));
        }
@@ -705,7 +712,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
        CHECK(load_view_keys(view_keys, vconfig, view, ISC_FALSE, mctx));
        CHECK(load_view_keys(global_keys, vconfig, view, ISC_FALSE, mctx));
 
-       if (strcmp(view->name, "_meta") == 0)
+       if (meta)
                CHECK(load_view_keys(global_managed_keys, vconfig, view,
                               ISC_TRUE, mctx));
 
@@ -714,8 +721,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 }
 
 static isc_result_t
-mustbesecure(const cfg_obj_t *mbs, dns_resolver_t *resolver)
-{
+mustbesecure(const cfg_obj_t *mbs, dns_resolver_t *resolver) {
        const cfg_listelt_t *element;
        const cfg_obj_t *obj;
        const char *str;
index 3124cf4642a41fa3f02ffa686739ee2a5cdf2951..4e218b716db29f04637dc9f40faac2ef4345320a 100644 (file)
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: client.c,v 1.5 2009/09/03 21:45:46 jinmei Exp $ */
+/* $Id: client.c,v 1.6 2009/10/27 22:46:13 each Exp $ */
 
 #include <config.h>
 
@@ -309,16 +309,11 @@ dns_client_createview(isc_mem_t *mctx, dns_rdataclass_t rdclass,
        if (result != ISC_R_SUCCESS)
                return (result);
 
-       /*
-        * Workaround for a recent change in dns_view_create(): proactively
-        * create view->secroots if it's not created with view creation.
-        */
-       if (view->secroots == NULL) {
-               result = dns_keytable_create(mctx, &view->secroots);
-               if (result != ISC_R_SUCCESS) {
-                       dns_view_detach(&view);
-                       return (result);
-               }
+       /* Initialize view security roots */
+       result = dns_view_initsecroots(view, mctx);
+       if (result != ISC_R_SUCCESS) {
+               dns_view_detach(&view);
+               return (result);
        }
 
        result = dns_view_createresolver(view, taskmgr, ntasks, socketmgr,
@@ -1398,6 +1393,7 @@ dns_client_addtrustedkey(dns_client_t *client, dns_rdataclass_t rdclass,
        isc_result_t result;
        dns_view_t *view = NULL;
        dst_key_t *dstkey = NULL;
+       dns_keytable_t *secroots = NULL;
 
        REQUIRE(DNS_CLIENT_VALID(client));
 
@@ -1406,17 +1402,24 @@ dns_client_addtrustedkey(dns_client_t *client, dns_rdataclass_t rdclass,
                                   rdclass, &view);
        UNLOCK(&client->lock);
        if (result != ISC_R_SUCCESS)
-               return (result);
+               goto cleanup;
+
+       result = dns_view_getsecroots(view, &secroots);
+       if (result != ISC_R_SUCCESS)
+               goto cleanup;
 
        result = dst_key_fromdns(keyname, rdclass, keydatabuf, client->mctx,
                                 &dstkey);
        if (result != ISC_R_SUCCESS)
-               return (result);
-
-       result = dns_keytable_add(view->secroots, ISC_FALSE, &dstkey);
+               goto cleanup;
 
-       dns_view_detach(&view);
+       result = dns_keytable_add(secroots, ISC_FALSE, &dstkey);
 
+ cleanup:
+       if (view != NULL)
+               dns_view_detach(&view);
+       if (secroots != NULL)
+               dns_keytable_detach(&secroots);
        return (result);
 }
 
index 0f511384d15a3a6b60384c3ec3bb98eb5a96ca41..b29d7ba14f8acae5f6baa50e09c221e9d31259c4 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: view.h,v 1.118 2009/06/30 02:52:32 each Exp $ */
+/* $Id: view.h,v 1.119 2009/10/27 22:46:13 each Exp $ */
 
 #ifndef DNS_VIEW_H
 #define DNS_VIEW_H 1
@@ -92,7 +92,13 @@ struct dns_view {
        dns_cache_t *                   cache;
        dns_db_t *                      cachedb;
        dns_db_t *                      hints;
-       dns_keytable_t *                secroots;   /* security roots */
+
+       /*
+        * security roots.
+        * internal use only; access via * dns_view_getsecroots()
+        */
+       dns_keytable_t *                secroots_priv;
+
        isc_mutex_t                     lock;
        isc_boolean_t                   frozen;
        isc_task_t *                    task;
@@ -904,4 +910,53 @@ dns_view_iscacheshared(dns_view_t *view);
  *\li  #ISC_FALSE otherwise.
  */
 
+isc_result_t
+dns_view_initsecroots(dns_view_t *view, isc_mem_t *mctx);
+/*%<
+ * Initialize security roots for the view.  (Note that secroots is
+ * NULL until this function is called, so any function using
+ * secroots must check its validity first.  One way to do this is
+ * use dns_view_getsecroots() and check its return value.)
+ *
+ * Requires:
+ * \li 'view' is valid.
+ * \li 'view->secroots' is NULL.
+ *
+ * Returns:
+ *\li  ISC_R_SUCCESS
+ *\li  Any other result indicates failure
+ */
+
+isc_result_t
+dns_view_getsecroots(dns_view_t *view, dns_keytable_t **ktp);
+/*%<
+ * Get the security roots for this view.  Returns ISC_R_NOTFOUND if
+ * the security roots keytable has not been initialized for the view.
+ *
+ * '*ktp' is attached on success; the caller is responsible for
+ * detaching it with dns_keytable_detach().
+ *
+ * Requires:
+ * \li 'view' is valid.
+ * \li 'ktp' is not NULL and '*ktp' is NULL.
+ *
+ * Returns:
+ *\li  ISC_R_SUCCESS
+ *\li  ISC_R_NOTFOUND
+ */
+
+isc_result_t
+dns_view_issecuredomain(dns_view_t *view, dns_name_t *name,
+                        isc_boolean_t *secure_domain);
+/*%<
+ * Is 'name' at or beneath a trusted key?  Put answer in
+ * '*secure_domain'.
+ *
+ * Requires:
+ * \li 'view' is valid.
+ *
+ * Returns:
+ *\li  ISC_R_SUCCESS
+ *\li  Any other value indicates failure
+ */
 #endif /* DNS_VIEW_H */
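Review bot: The contract documented for dns_view_initsecroots does not match the implementation added in lib/dns/view.c. The header requires `'view->secroots' is NULL`, but the function detaches an existing table and creates a new one, and the field is now named `secroots_priv`. I would either drop that requirement and document it as "any existing keytable is detached and replaced", or enforce it with a REQUIRE. The dns_view_issecuredomain comment should also say what happens when the security roots have not been initialized, since its Requires list only mentions a valid view. The struct comment in the previous hunk has a stray asterisk in `access via * dns_view_getsecroots()`.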
index 4cfc737e00baffaf09b7135c91be7f3ac3cf0644..df1f2a4defedf02719aa430b05d61505535f09ca 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resolver.c,v 1.405 2009/09/01 00:22:26 jinmei Exp $ */
+/* $Id: resolver.c,v 1.406 2009/10/27 22:46:13 each Exp $ */
 
 /*! \file */
 
@@ -1691,9 +1691,8 @@ resquery_send(resquery_t *query) {
        if ((query->options & DNS_FETCHOPT_NOVALIDATE) != 0) {
                fctx->qmessage->flags |= DNS_MESSAGEFLAG_CD;
        } else if (res->view->enablevalidation) {
-               result = dns_keytable_issecuredomain(res->view->secroots,
-                                                    &fctx->name,
-                                                    &secure_domain);
+               result = dns_view_issecuredomain(res->view, &fctx->name,
+                                                &secure_domain);
                if (result != ISC_R_SUCCESS)
                        secure_domain = ISC_FALSE;
                if (res->view->dlv != NULL)
@@ -4217,8 +4216,8 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
         * Is DNSSEC validation required for this name?
         */
        if (res->view->enablevalidation) {
-               result = dns_keytable_issecuredomain(res->view->secroots, name,
-                                                    &secure_domain);
+               result = dns_view_issecuredomain(res->view, name,
+                                                &secure_domain);
                if (result != ISC_R_SUCCESS)
                        return (result);
 
@@ -4675,8 +4674,8 @@ ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
         * Is DNSSEC validation required for this name?
         */
        if (fctx->res->view->enablevalidation) {
-               result = dns_keytable_issecuredomain(res->view->secroots, name,
-                                                    &secure_domain);
+               result = dns_view_issecuredomain(res->view, name,
+                                                &secure_domain);
                if (result != ISC_R_SUCCESS)
                        return (result);
 
index 8f8f331296833b8aabc64af52ba98baa07d36155..88582cd5a5185c12d04bab2c941e4e3a560f80c8 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.c,v 1.178 2009/06/30 02:52:32 each Exp $ */
+/* $Id: validator.c,v 1.179 2009/10/27 22:46:13 each Exp $ */
 
 #include <config.h>
 
@@ -3651,6 +3651,7 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
                return (ISC_R_NOMEMORY);
        val->view = NULL;
        dns_view_weakattach(view, &val->view);
+
        event = (dns_validatorevent_t *)
                isc_event_allocate(view->mctx, task,
                                   DNS_EVENT_VALIDATORSTART,
@@ -3679,8 +3680,12 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
        val->fetch = NULL;
        val->subvalidator = NULL;
        val->parent = NULL;
+
        val->keytable = NULL;
-       dns_keytable_attach(val->view->secroots, &val->keytable);
+       result = dns_view_getsecroots(val->view, &val->keytable);
+       if (result != ISC_R_SUCCESS)
+               return (result);
+
        val->keynode = NULL;
        val->key = NULL;
        val->siginfo = NULL;
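Review bot: The new `return (result);` after dns_view_getsecroots() exits dns_validator_create without undoing what the function has already acquired. The surrounding context shows `val` allocated, a weak view reference taken with dns_view_weakattach(), and an event allocated before this line. Each failed create would therefore leak memory and hold a weak reference on the view. The error should instead go through the same unwinding as the function's other failure paths, which lie outside this hunk. It would also help to note in a comment that ISC_R_NOTFOUND here means the view has no trust anchors configured.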
index 0c477c36569a33fb6a676aab008f0a283ba60836..2265a4934ae68df5de9e8d10b656e28dc5252d64 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: view.c,v 1.156 2009/09/01 00:22:26 jinmei Exp $ */
+/* $Id: view.c,v 1.157 2009/10/27 22:46:13 each Exp $ */
 
 /*! \file */
 
@@ -97,7 +97,7 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
                goto cleanup_mutex;
        }
 #endif
-       view->secroots = NULL;
+       view->secroots_priv = NULL;
        view->fwdtable = NULL;
        result = dns_fwdtable_create(mctx, &view->fwdtable);
        if (result != ISC_R_SUCCESS) {
@@ -354,8 +354,8 @@ destroy(dns_view_t *view) {
                isc_stats_detach(&view->resstats);
        if (view->resquerystats != NULL)
                dns_stats_detach(&view->resquerystats);
-       if (view->secroots != NULL)
-               dns_keytable_detach(&view->secroots);
+       if (view->secroots_priv != NULL)
+               dns_keytable_detach(&view->secroots_priv);
        dns_fwdtable_destroy(&view->fwdtable);
        dns_aclenv_destroy(&view->aclenv);
        DESTROYLOCK(&view->lock);
@@ -1531,3 +1531,29 @@ dns_view_getresquerystats(dns_view_t *view, dns_stats_t **statsp) {
        if (view->resquerystats != NULL)
                dns_stats_attach(view->resquerystats, statsp);
 }
+
+isc_result_t
+dns_view_initsecroots(dns_view_t *view, isc_mem_t *mctx) {
+       REQUIRE(DNS_VIEW_VALID(view));
+       if (view->secroots_priv != NULL)
+               dns_keytable_detach(&view->secroots_priv);
+       return (dns_keytable_create(mctx, &view->secroots_priv));
+}
+
+isc_result_t
+dns_view_getsecroots(dns_view_t *view, dns_keytable_t **ktp) {
+       REQUIRE(DNS_VIEW_VALID(view));
+       REQUIRE(ktp != NULL && *ktp == NULL);
+       if (view->secroots_priv == NULL)
+               return (ISC_R_NOTFOUND);
+       dns_keytable_attach(view->secroots_priv, ktp);
+       return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_view_issecuredomain(dns_view_t *view, dns_name_t *name,
+                        isc_boolean_t *secure_domain) {
+       REQUIRE(DNS_VIEW_VALID(view));
+       return (dns_keytable_issecuredomain(view->secroots_priv, name,
+                                           secure_domain));
+}
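Review bot: dns_view_issecuredomain passes `view->secroots_priv` straight to dns_keytable_issecuredomain() without the NULL check that dns_view_getsecroots performs, although the header states the field is NULL until dns_view_initsecroots() is called. If the keytable routine asserts on an invalid table (it is not shown here, so confirm), a view with validation enabled but no initialized roots would abort the process on a lookup. Adding `if (view->secroots_priv == NULL) return (ISC_R_NOTFOUND);` before the call makes the wrapper safe. The resolver.c callers differ on failure: resquery_send treats it as not secure, while cache_name and ncache_message return the error, so the chosen result code should be checked against both.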
index 3bb7094f11dfe9400c3f442a850c60050c299ba7..72cb8c100255f3512d80adeda3a54b626cb8c20f 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.c,v 1.521 2009/10/27 03:59:45 each Exp $ */
+/* $Id: zone.c,v 1.522 2009/10/27 22:46:13 each Exp $ */
 
 /*! \file */
 
@@ -2705,6 +2705,7 @@ trust_key(dns_viewlist_t *viewlist, dns_name_t *keyname,
        unsigned char data[4096];
        isc_buffer_t buffer;
        dns_view_t *view;
+       dns_keytable_t *sr = NULL;
 
        /* Convert dnskey to DST key. */
        isc_buffer_init(&buffer, data, sizeof(data));
@@ -2713,15 +2714,20 @@ trust_key(dns_viewlist_t *viewlist, dns_name_t *keyname,
 
        for (view = ISC_LIST_HEAD(*viewlist); view != NULL;
             view = ISC_LIST_NEXT(view, link)) {
-               if (view->secroots != NULL) {
-                       dst_key_t *key = NULL;
-                       CHECK(dns_dnssec_keyfromrdata(keyname, &rdata,
-                                                     mctx, &key));
-                       CHECK(dns_keytable_add(view->secroots, ISC_TRUE, &key));
-               }
+               dst_key_t *key = NULL;
+
+               result = dns_view_getsecroots(view, &sr);
+               if (result != ISC_R_SUCCESS)
+                       continue;
+
+               CHECK(dns_dnssec_keyfromrdata(keyname, &rdata, mctx, &key));
+               CHECK(dns_keytable_add(sr, ISC_TRUE, &key));
+               dns_keytable_detach(&sr);
        }
 
   failure:
+       if (sr != NULL)
+               dns_keytable_detach(&sr);
        return;
 }
 
@@ -2755,9 +2761,13 @@ untrust_key(dns_viewlist_t *viewlist, dns_name_t *keyname, isc_mem_t *mctx,
 
        for (view = ISC_LIST_HEAD(*viewlist); view != NULL;
             view = ISC_LIST_NEXT(view, link)) {
-               if (view->secroots == NULL)
+               dns_keytable_t *sr = NULL;
+               result = dns_view_getsecroots(view, &sr);
+               if (result != ISC_R_SUCCESS)
                        continue;
-               dns_keytable_deletekeynode(view->secroots, key);
+
+               dns_keytable_deletekeynode(sr, key);
+               dns_keytable_detach(&sr);
        }
 
        dst_key_free(&key);
@@ -2769,13 +2779,20 @@ untrust_key(dns_viewlist_t *viewlist, dns_name_t *keyname, isc_mem_t *mctx,
  */
 static void
 fail_secure(dns_viewlist_t *viewlist, dns_name_t *keyname) {
+       isc_result_t result;
        dns_view_t *view;
 
        for (view = ISC_LIST_HEAD(*viewlist);
             view != NULL;
             view = ISC_LIST_NEXT(view, link)) {
-               if (view->secroots != NULL)
-                       dns_keytable_marksecure(view->secroots, keyname);
+               dns_keytable_t *sr = NULL;
+
+               result = dns_view_getsecroots(view, &sr);
+               if (result != ISC_R_SUCCESS)
+                       continue;
+
+               dns_keytable_marksecure(sr, keyname);
+               dns_keytable_detach(&sr);
        }
 }
 
@@ -2801,8 +2818,14 @@ load_secroots(dns_zone_t *zone, dns_name_t *name, dns_rdataset_t *rdataset) {
        /* For each view, delete references to this key from secroots. */
        for (view = ISC_LIST_HEAD(*viewlist); view != NULL;
             view = ISC_LIST_NEXT(view, link)) {
-               if (view->secroots != NULL)
-                       dns_keytable_delete(view->secroots, name);
+               dns_keytable_t *sr = NULL;
+
+               result = dns_view_getsecroots(view, &sr);
+               if (result != ISC_R_SUCCESS)
+                       continue;
+
+               dns_keytable_delete(sr, name);
+               dns_keytable_detach(&sr);
        }
 
        /* Now insert all the accepted trust anchors from this keydata set. */
@@ -3029,7 +3052,7 @@ sync_keyzone(dns_zone_t *zone, dns_db_t *db) {
        dns_name_t foundname, *origin;
        dns_keynode_t *keynode = NULL;
        dns_view_t *view = zone->view;
-       dns_keytable_t *sr = view->secroots;
+       dns_keytable_t *sr = NULL;
        dns_dbversion_t *ver = NULL;
        dns_diff_t diff;
        dns_rriterator_t rrit;
@@ -3042,6 +3065,8 @@ sync_keyzone(dns_zone_t *zone, dns_db_t *db) {
 
        dns_diff_init(zone->mctx, &diff);
 
+       CHECK(dns_view_getsecroots(view, &sr));
+
        result = dns_db_newversion(db, &ver);
        if (result != ISC_R_SUCCESS) {
                dns_zone_log(zone, ISC_LOG_ERROR,
@@ -3150,6 +3175,8 @@ sync_keyzone(dns_zone_t *zone, dns_db_t *db) {
        }
 
  failure:
+       if (sr != NULL)
+               dns_keytable_detach(&sr);
        if (ver != NULL)
                dns_db_closeversion(db, &ver, changed);
        dns_diff_clear(&diff);
@@ -6994,7 +7021,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
        dns_fetchevent_t *devent;
        dns_keyfetch_t *kfetch;
        dns_zone_t *zone;
-       dns_keytable_t *secroots;
+       dns_keytable_t *secroots = NULL;
        dns_dbversion_t *ver = NULL;
        dns_diff_t diff;
        isc_boolean_t changed = ISC_FALSE;
@@ -7020,7 +7047,6 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 
        kfetch = event->ev_arg;
        zone = kfetch->zone;
-       secroots = zone->view->secroots;
        keyname = dns_fixedname_name(&kfetch->name);
 
        devent = (dns_fetchevent_t *) event;
@@ -7037,6 +7063,9 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
        isc_stdtime_get(&now);
        dns_name_format(keyname, namebuf, sizeof(namebuf));
 
+       result = dns_view_getsecroots(zone->view, &secroots);
+       INSIST(result == ISC_R_SUCCESS);
+
        LOCK_ZONE(zone);
        dns_db_newversion(kfetch->db, &ver);
        dns_diff_init(zone->mctx, &diff);
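Review bot: `INSIST(result == ISC_R_SUCCESS)` turns a missing keytable into a process abort inside a fetch-completion handler, whereas every other new call site in zone.c treats a dns_view_getsecroots() failure as a condition to skip. Whether the view can reach this point without initialized security roots cannot be determined from the hunk. Unless that is a proven invariant, I would log the failure and leave through the function's normal cleanup, which is outside this hunk; the detach added at the end is already guarded by `secroots != NULL`. If the assertion stays, a comment stating why the lookup cannot fail here would help the next reader.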
@@ -7431,6 +7460,9 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 
        dns_name_free(keyname, zone->mctx);
        isc_mem_put(zone->mctx, kfetch, sizeof(dns_keyfetch_t));
+
+       if (secroots != NULL)
+               dns_keytable_detach(&secroots);
 }
 
 /*