From: Evan Hunt Date: Tue, 27 Oct 2009 22:46:13 +0000 (+0000) Subject: 2739. [cleanup] Clean up API for initializing and clearing trust X-Git-Tag: v9.7.0b2^2~7 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=95f2377b4f180a564d35343c8d150e8f03c98a52;p=thirdparty%2Fbind9.git 2739. [cleanup] Clean up API for initializing and clearing trust anchors for a view. [RT #20211] --- diff --git a/CHANGES b/CHANGES index d5a78f0488a..e928a4a2cc5 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2739. [cleanup] Clean up API for initializing and clearing trust + anchors for a view. [RT #20211] + 2738. [func] Add RSASHA256 and RSASHA512 tests to the dnssec system test. [RT #20453] diff --git a/bin/named/server.c b/bin/named/server.c index 6bedd20887e..99ef01eff0a 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: server.c,v 1.553 2009/10/26 23:14:53 each Exp $ */ +/* $Id: server.c,v 1.554 2009/10/27 22:46:13 each Exp $ */ /*! \file */ @@ -578,7 +578,10 @@ load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig, const cfg_listelt_t *elt, *elt2; const cfg_obj_t *key, *keylist; dst_key_t *dstkey = NULL; - isc_result_t result = ISC_R_SUCCESS; + isc_result_t result; + dns_keytable_t *secroots = NULL; + + CHECK(dns_view_getsecroots(view, &secroots)); for (elt = cfg_list_first(keys); elt != NULL; @@ -597,12 +600,14 @@ load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig, } if (result != ISC_R_SUCCESS) goto cleanup; - CHECK(dns_keytable_add(view->secroots, managed, - &dstkey)); + + CHECK(dns_keytable_add(secroots, managed, &dstkey)); } } cleanup: + if (secroots != NULL) + dns_keytable_detach(&secroots); if (result == DST_R_NOCRYPTO) result = ISC_R_SUCCESS; return (result); @@ -628,14 +633,18 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig, const cfg_obj_t *maps[4]; const cfg_obj_t *voptions = NULL; const cfg_obj_t *options = NULL; + isc_boolean_t meta; int i = 0; /* We don't need trust anchors for the _bind view */ - if (strcmp(view->name, "_bind") == 0) { - view->secroots = NULL; + if (strcmp(view->name, "_bind") == 0 && + view->rdclass == dns_rdataclass_chaos) { return (ISC_R_SUCCESS); } + meta = ISC_TF(strcmp(view->name, "_meta") == 0 && + view->rdclass == dns_rdataclass_in); + if (vconfig != NULL) { voptions = cfg_tuple_get(vconfig, "options"); if (voptions != NULL) { @@ -657,9 +666,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig, maps[i++] = ns_g_defaults; maps[i] = NULL; - if (view->secroots != NULL) - dns_keytable_detach(&view->secroots); - result = dns_keytable_create(mctx, &view->secroots); + result = dns_view_initsecroots(view, mctx); if (result != ISC_R_SUCCESS) { isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_ERROR, @@ -697,7 +704,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig, CHECK(load_view_keys(builtin_keys, vconfig, view, ISC_FALSE, mctx)); - if (strcmp(view->name, "_meta") == 0) + if (meta) CHECK(load_view_keys(builtin_managed_keys, vconfig, view, ISC_TRUE, mctx)); } @@ -705,7 +712,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig, CHECK(load_view_keys(view_keys, vconfig, view, ISC_FALSE, mctx)); CHECK(load_view_keys(global_keys, vconfig, view, ISC_FALSE, mctx)); - if (strcmp(view->name, "_meta") == 0) + if (meta) CHECK(load_view_keys(global_managed_keys, vconfig, view, ISC_TRUE, mctx)); @@ -714,8 +721,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig, } static isc_result_t -mustbesecure(const cfg_obj_t *mbs, dns_resolver_t *resolver) -{ +mustbesecure(const cfg_obj_t *mbs, dns_resolver_t *resolver) { const cfg_listelt_t *element; const cfg_obj_t *obj; const char *str; diff --git a/lib/dns/client.c b/lib/dns/client.c index 3124cf4642a..4e218b716db 100644 --- a/lib/dns/client.c +++ b/lib/dns/client.c @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: client.c,v 1.5 2009/09/03 21:45:46 jinmei Exp $ */ +/* $Id: client.c,v 1.6 2009/10/27 22:46:13 each Exp $ */ #include @@ -309,16 +309,11 @@ dns_client_createview(isc_mem_t *mctx, dns_rdataclass_t rdclass, if (result != ISC_R_SUCCESS) return (result); - /* - * Workaround for a recent change in dns_view_create(): proactively - * create view->secroots if it's not created with view creation. - */ - if (view->secroots == NULL) { - result = dns_keytable_create(mctx, &view->secroots); - if (result != ISC_R_SUCCESS) { - dns_view_detach(&view); - return (result); - } + /* Initialize view security roots */ + result = dns_view_initsecroots(view, mctx); + if (result != ISC_R_SUCCESS) { + dns_view_detach(&view); + return (result); } result = dns_view_createresolver(view, taskmgr, ntasks, socketmgr, @@ -1398,6 +1393,7 @@ dns_client_addtrustedkey(dns_client_t *client, dns_rdataclass_t rdclass, isc_result_t result; dns_view_t *view = NULL; dst_key_t *dstkey = NULL; + dns_keytable_t *secroots = NULL; REQUIRE(DNS_CLIENT_VALID(client)); @@ -1406,17 +1402,24 @@ dns_client_addtrustedkey(dns_client_t *client, dns_rdataclass_t rdclass, rdclass, &view); UNLOCK(&client->lock); if (result != ISC_R_SUCCESS) - return (result); + goto cleanup; + + result = dns_view_getsecroots(view, &secroots); + if (result != ISC_R_SUCCESS) + goto cleanup; result = dst_key_fromdns(keyname, rdclass, keydatabuf, client->mctx, &dstkey); if (result != ISC_R_SUCCESS) - return (result); - - result = dns_keytable_add(view->secroots, ISC_FALSE, &dstkey); + goto cleanup; - dns_view_detach(&view); + result = dns_keytable_add(secroots, ISC_FALSE, &dstkey); + cleanup: + if (view != NULL) + dns_view_detach(&view); + if (secroots != NULL) + dns_keytable_detach(&secroots); return (result); } diff --git a/lib/dns/include/dns/view.h b/lib/dns/include/dns/view.h index 0f511384d15..b29d7ba14f8 100644 --- a/lib/dns/include/dns/view.h +++ b/lib/dns/include/dns/view.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: view.h,v 1.118 2009/06/30 02:52:32 each Exp $ */ +/* $Id: view.h,v 1.119 2009/10/27 22:46:13 each Exp $ */ #ifndef DNS_VIEW_H #define DNS_VIEW_H 1 @@ -92,7 +92,13 @@ struct dns_view { dns_cache_t * cache; dns_db_t * cachedb; dns_db_t * hints; - dns_keytable_t * secroots; /* security roots */ + + /* + * security roots. + * internal use only; access via * dns_view_getsecroots() + */ + dns_keytable_t * secroots_priv; + isc_mutex_t lock; isc_boolean_t frozen; isc_task_t * task; @@ -904,4 +910,53 @@ dns_view_iscacheshared(dns_view_t *view); *\li #ISC_FALSE otherwise. */ +isc_result_t +dns_view_initsecroots(dns_view_t *view, isc_mem_t *mctx); +/*%< + * Initialize security roots for the view. (Note that secroots is + * NULL until this function is called, so any function using + * secroots must check its validity first. One way to do this is + * use dns_view_getsecroots() and check its return value.) + * + * Requires: + * \li 'view' is valid. + * \li 'view->secroots' is NULL. + * + * Returns: + *\li ISC_R_SUCCESS + *\li Any other result indicates failure + */ + +isc_result_t +dns_view_getsecroots(dns_view_t *view, dns_keytable_t **ktp); +/*%< + * Get the security roots for this view. Returns ISC_R_NOTFOUND if + * the security roots keytable has not been initialized for the view. + * + * '*ktp' is attached on success; the caller is responsible for + * detaching it with dns_keytable_detach(). + * + * Requires: + * \li 'view' is valid. + * \li 'ktp' is not NULL and '*ktp' is NULL. + * + * Returns: + *\li ISC_R_SUCCESS + *\li ISC_R_NOTFOUND + */ + +isc_result_t +dns_view_issecuredomain(dns_view_t *view, dns_name_t *name, + isc_boolean_t *secure_domain); +/*%< + * Is 'name' at or beneath a trusted key? Put answer in + * '*secure_domain'. + * + * Requires: + * \li 'view' is valid. + * + * Returns: + *\li ISC_R_SUCCESS + *\li Any other value indicates failure + */ #endif /* DNS_VIEW_H */ diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index 4cfc737e00b..df1f2a4defe 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: resolver.c,v 1.405 2009/09/01 00:22:26 jinmei Exp $ */ +/* $Id: resolver.c,v 1.406 2009/10/27 22:46:13 each Exp $ */ /*! \file */ @@ -1691,9 +1691,8 @@ resquery_send(resquery_t *query) { if ((query->options & DNS_FETCHOPT_NOVALIDATE) != 0) { fctx->qmessage->flags |= DNS_MESSAGEFLAG_CD; } else if (res->view->enablevalidation) { - result = dns_keytable_issecuredomain(res->view->secroots, - &fctx->name, - &secure_domain); + result = dns_view_issecuredomain(res->view, &fctx->name, + &secure_domain); if (result != ISC_R_SUCCESS) secure_domain = ISC_FALSE; if (res->view->dlv != NULL) @@ -4217,8 +4216,8 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo, * Is DNSSEC validation required for this name? */ if (res->view->enablevalidation) { - result = dns_keytable_issecuredomain(res->view->secroots, name, - &secure_domain); + result = dns_view_issecuredomain(res->view, name, + &secure_domain); if (result != ISC_R_SUCCESS) return (result); @@ -4675,8 +4674,8 @@ ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, * Is DNSSEC validation required for this name? */ if (fctx->res->view->enablevalidation) { - result = dns_keytable_issecuredomain(res->view->secroots, name, - &secure_domain); + result = dns_view_issecuredomain(res->view, name, + &secure_domain); if (result != ISC_R_SUCCESS) return (result); diff --git a/lib/dns/validator.c b/lib/dns/validator.c index 8f8f3312968..88582cd5a51 100644 --- a/lib/dns/validator.c +++ b/lib/dns/validator.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: validator.c,v 1.178 2009/06/30 02:52:32 each Exp $ */ +/* $Id: validator.c,v 1.179 2009/10/27 22:46:13 each Exp $ */ #include @@ -3651,6 +3651,7 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type, return (ISC_R_NOMEMORY); val->view = NULL; dns_view_weakattach(view, &val->view); + event = (dns_validatorevent_t *) isc_event_allocate(view->mctx, task, DNS_EVENT_VALIDATORSTART, @@ -3679,8 +3680,12 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type, val->fetch = NULL; val->subvalidator = NULL; val->parent = NULL; + val->keytable = NULL; - dns_keytable_attach(val->view->secroots, &val->keytable); + result = dns_view_getsecroots(val->view, &val->keytable); + if (result != ISC_R_SUCCESS) + return (result); + val->keynode = NULL; val->key = NULL; val->siginfo = NULL; diff --git a/lib/dns/view.c b/lib/dns/view.c index 0c477c36569..2265a4934ae 100644 --- a/lib/dns/view.c +++ b/lib/dns/view.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: view.c,v 1.156 2009/09/01 00:22:26 jinmei Exp $ */ +/* $Id: view.c,v 1.157 2009/10/27 22:46:13 each Exp $ */ /*! \file */ @@ -97,7 +97,7 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass, goto cleanup_mutex; } #endif - view->secroots = NULL; + view->secroots_priv = NULL; view->fwdtable = NULL; result = dns_fwdtable_create(mctx, &view->fwdtable); if (result != ISC_R_SUCCESS) { @@ -354,8 +354,8 @@ destroy(dns_view_t *view) { isc_stats_detach(&view->resstats); if (view->resquerystats != NULL) dns_stats_detach(&view->resquerystats); - if (view->secroots != NULL) - dns_keytable_detach(&view->secroots); + if (view->secroots_priv != NULL) + dns_keytable_detach(&view->secroots_priv); dns_fwdtable_destroy(&view->fwdtable); dns_aclenv_destroy(&view->aclenv); DESTROYLOCK(&view->lock); @@ -1531,3 +1531,29 @@ dns_view_getresquerystats(dns_view_t *view, dns_stats_t **statsp) { if (view->resquerystats != NULL) dns_stats_attach(view->resquerystats, statsp); } + +isc_result_t +dns_view_initsecroots(dns_view_t *view, isc_mem_t *mctx) { + REQUIRE(DNS_VIEW_VALID(view)); + if (view->secroots_priv != NULL) + dns_keytable_detach(&view->secroots_priv); + return (dns_keytable_create(mctx, &view->secroots_priv)); +} + +isc_result_t +dns_view_getsecroots(dns_view_t *view, dns_keytable_t **ktp) { + REQUIRE(DNS_VIEW_VALID(view)); + REQUIRE(ktp != NULL && *ktp == NULL); + if (view->secroots_priv == NULL) + return (ISC_R_NOTFOUND); + dns_keytable_attach(view->secroots_priv, ktp); + return (ISC_R_SUCCESS); +} + +isc_result_t +dns_view_issecuredomain(dns_view_t *view, dns_name_t *name, + isc_boolean_t *secure_domain) { + REQUIRE(DNS_VIEW_VALID(view)); + return (dns_keytable_issecuredomain(view->secroots_priv, name, + secure_domain)); +} diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 3bb7094f11d..72cb8c10025 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zone.c,v 1.521 2009/10/27 03:59:45 each Exp $ */ +/* $Id: zone.c,v 1.522 2009/10/27 22:46:13 each Exp $ */ /*! \file */ @@ -2705,6 +2705,7 @@ trust_key(dns_viewlist_t *viewlist, dns_name_t *keyname, unsigned char data[4096]; isc_buffer_t buffer; dns_view_t *view; + dns_keytable_t *sr = NULL; /* Convert dnskey to DST key. */ isc_buffer_init(&buffer, data, sizeof(data)); @@ -2713,15 +2714,20 @@ trust_key(dns_viewlist_t *viewlist, dns_name_t *keyname, for (view = ISC_LIST_HEAD(*viewlist); view != NULL; view = ISC_LIST_NEXT(view, link)) { - if (view->secroots != NULL) { - dst_key_t *key = NULL; - CHECK(dns_dnssec_keyfromrdata(keyname, &rdata, - mctx, &key)); - CHECK(dns_keytable_add(view->secroots, ISC_TRUE, &key)); - } + dst_key_t *key = NULL; + + result = dns_view_getsecroots(view, &sr); + if (result != ISC_R_SUCCESS) + continue; + + CHECK(dns_dnssec_keyfromrdata(keyname, &rdata, mctx, &key)); + CHECK(dns_keytable_add(sr, ISC_TRUE, &key)); + dns_keytable_detach(&sr); } failure: + if (sr != NULL) + dns_keytable_detach(&sr); return; } @@ -2755,9 +2761,13 @@ untrust_key(dns_viewlist_t *viewlist, dns_name_t *keyname, isc_mem_t *mctx, for (view = ISC_LIST_HEAD(*viewlist); view != NULL; view = ISC_LIST_NEXT(view, link)) { - if (view->secroots == NULL) + dns_keytable_t *sr = NULL; + result = dns_view_getsecroots(view, &sr); + if (result != ISC_R_SUCCESS) continue; - dns_keytable_deletekeynode(view->secroots, key); + + dns_keytable_deletekeynode(sr, key); + dns_keytable_detach(&sr); } dst_key_free(&key); @@ -2769,13 +2779,20 @@ untrust_key(dns_viewlist_t *viewlist, dns_name_t *keyname, isc_mem_t *mctx, */ static void fail_secure(dns_viewlist_t *viewlist, dns_name_t *keyname) { + isc_result_t result; dns_view_t *view; for (view = ISC_LIST_HEAD(*viewlist); view != NULL; view = ISC_LIST_NEXT(view, link)) { - if (view->secroots != NULL) - dns_keytable_marksecure(view->secroots, keyname); + dns_keytable_t *sr = NULL; + + result = dns_view_getsecroots(view, &sr); + if (result != ISC_R_SUCCESS) + continue; + + dns_keytable_marksecure(sr, keyname); + dns_keytable_detach(&sr); } } @@ -2801,8 +2818,14 @@ load_secroots(dns_zone_t *zone, dns_name_t *name, dns_rdataset_t *rdataset) { /* For each view, delete references to this key from secroots. */ for (view = ISC_LIST_HEAD(*viewlist); view != NULL; view = ISC_LIST_NEXT(view, link)) { - if (view->secroots != NULL) - dns_keytable_delete(view->secroots, name); + dns_keytable_t *sr = NULL; + + result = dns_view_getsecroots(view, &sr); + if (result != ISC_R_SUCCESS) + continue; + + dns_keytable_delete(sr, name); + dns_keytable_detach(&sr); } /* Now insert all the accepted trust anchors from this keydata set. */ @@ -3029,7 +3052,7 @@ sync_keyzone(dns_zone_t *zone, dns_db_t *db) { dns_name_t foundname, *origin; dns_keynode_t *keynode = NULL; dns_view_t *view = zone->view; - dns_keytable_t *sr = view->secroots; + dns_keytable_t *sr = NULL; dns_dbversion_t *ver = NULL; dns_diff_t diff; dns_rriterator_t rrit; @@ -3042,6 +3065,8 @@ sync_keyzone(dns_zone_t *zone, dns_db_t *db) { dns_diff_init(zone->mctx, &diff); + CHECK(dns_view_getsecroots(view, &sr)); + result = dns_db_newversion(db, &ver); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, @@ -3150,6 +3175,8 @@ sync_keyzone(dns_zone_t *zone, dns_db_t *db) { } failure: + if (sr != NULL) + dns_keytable_detach(&sr); if (ver != NULL) dns_db_closeversion(db, &ver, changed); dns_diff_clear(&diff); @@ -6994,7 +7021,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { dns_fetchevent_t *devent; dns_keyfetch_t *kfetch; dns_zone_t *zone; - dns_keytable_t *secroots; + dns_keytable_t *secroots = NULL; dns_dbversion_t *ver = NULL; dns_diff_t diff; isc_boolean_t changed = ISC_FALSE; @@ -7020,7 +7047,6 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { kfetch = event->ev_arg; zone = kfetch->zone; - secroots = zone->view->secroots; keyname = dns_fixedname_name(&kfetch->name); devent = (dns_fetchevent_t *) event; @@ -7037,6 +7063,9 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { isc_stdtime_get(&now); dns_name_format(keyname, namebuf, sizeof(namebuf)); + result = dns_view_getsecroots(zone->view, &secroots); + INSIST(result == ISC_R_SUCCESS); + LOCK_ZONE(zone); dns_db_newversion(kfetch->db, &ver); dns_diff_init(zone->mctx, &diff); @@ -7431,6 +7460,9 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { dns_name_free(keyname, zone->mctx); isc_mem_put(zone->mctx, kfetch, sizeof(dns_keyfetch_t)); + + if (secroots != NULL) + dns_keytable_detach(&secroots); } /*