From: Matthijs Mekking Date: Tue, 19 Dec 2023 16:07:40 +0000 (+0100) Subject: Revert "Remove kasp mutex lock" X-Git-Tag: v9.19.21~28^2~1 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=16f2c811e3e0c2bcebb42a3816711a3f2db1c684;p=thirdparty%2Fbind9.git Revert "Remove kasp mutex lock" This reverts commit 634c80ea1237520b7660a8469af2c38b7865ca24. --- diff --git a/bin/named/server.c b/bin/named/server.c index 29658c22196..80c5b5f1bb8 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -14690,7 +14690,9 @@ named_server_dnssec(named_server_t *server, isc_lex_t *lex, dir = dns_zone_getkeydirectory(zone); CHECK(dns_zone_getdb(zone, &db)); dns_db_currentversion(db, &version); + LOCK(&kasp->lock); result = dns_zone_getdnsseckeys(zone, db, version, now, &keys); + UNLOCK(&kasp->lock); if (result != ISC_R_SUCCESS) { if (result != ISC_R_NOTFOUND) { goto cleanup; @@ -14701,7 +14703,9 @@ named_server_dnssec(named_server_t *server, isc_lex_t *lex, /* * Output the DNSSEC status of the key and signing policy. */ + LOCK(&kasp->lock); dns_keymgr_status(kasp, &keys, now, &output[0], sizeof(output)); + UNLOCK(&kasp->lock); CHECK(putstr(text, output)); } else if (checkds) { /* @@ -14713,6 +14717,7 @@ named_server_dnssec(named_server_t *server, isc_lex_t *lex, isc_time_formattimestamp(&timewhen, whenbuf, sizeof(whenbuf)); isc_result_t ret; + LOCK(&kasp->lock); if (use_keyid) { result = dns_keymgr_checkds_id(kasp, &keys, dir, now, when, dspublish, keyid, @@ -14721,6 +14726,7 @@ named_server_dnssec(named_server_t *server, isc_lex_t *lex, result = dns_keymgr_checkds(kasp, &keys, dir, now, when, dspublish); } + UNLOCK(&kasp->lock); switch (result) { case ISC_R_SUCCESS: 
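Review bot: The key list is loaded under `kasp->lock` in the first hunk, but the mutex is dropped right after `dns_zone_getdnsseckeys()` and only re-taken in the later hunks around `dns_keymgr_status`, `dns_keymgr_checkds`/`dns_keymgr_checkds_id` and `dns_keymgr_rollover`, which consume `keys`. Any other holder of the same policy lock, for example the `zone_rekey` path changed in lib/dns/zone.c, can run in that gap, so the command may act on a key set that is already stale. If that is acceptable, say so at the first unlock, e.g. `/* keys is a snapshot; key state may change before the lock is re-taken below */`; otherwise keep the mutex held from the load through the consuming call and release it once. named_server_dnssec starts and ends outside these hunks, so whether `kasp` is checked for NULL before the unconditional `LOCK(&kasp->lock)` cannot be confirmed from here.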
@@ -14767,8 +14773,10 @@ named_server_dnssec(named_server_t *server, isc_lex_t *lex, isc_time_formattimestamp(&timewhen, whenbuf, sizeof(whenbuf)); isc_result_t ret; + LOCK(&kasp->lock); result = dns_keymgr_rollover(kasp, &keys, dir, now, when, keyid, (unsigned int)algorithm); + UNLOCK(&kasp->lock); switch (result) { case ISC_R_SUCCESS: diff --git a/lib/dns/include/dns/kasp.h b/lib/dns/include/dns/kasp.h index 32b4a99d8ea..9a32f586b2d 100644 --- a/lib/dns/include/dns/kasp.h +++ b/lib/dns/include/dns/kasp.h @@ -27,6 +27,7 @@ #include #include +#include #include #include @@ -43,7 +44,10 @@ struct dns_kasp_digest { struct dns_kasp_key { isc_mem_t *mctx; + /* Locked by themselves. */ isc_refcount_t references; + + /* Under owner's locking control. */ ISC_LINK(struct dns_kasp_key) link; /* Configuration */ @@ -67,9 +71,13 @@ struct dns_kasp { char *name; /* Internals. */ - bool frozen; + isc_mutex_t lock; + bool frozen; + + /* Locked by themselves. */ isc_refcount_t references; + /* Under owner's locking control. */ ISC_LINK(struct dns_kasp) link; /* Configuration: signatures */ diff --git a/lib/dns/kasp.c b/lib/dns/kasp.c index f7efeda805d..639811bf4e9 100644 --- a/lib/dns/kasp.c +++ b/lib/dns/kasp.c @@ -51,6 +51,7 @@ dns_kasp_create(isc_mem_t *mctx, const char *name, dns_kasp_t **kaspp) { kasp->mctx = NULL; isc_mem_attach(mctx, &kasp->mctx); kasp->name = isc_mem_strdup(mctx, name); + isc_mutex_init(&kasp->lock); isc_refcount_init(&kasp->references, 1); *kaspp = kasp; @@ -89,6 +90,7 @@ destroy(dns_kasp_t *kasp) { } INSIST(ISC_LIST_EMPTY(kasp->digests)); + isc_mutex_destroy(&kasp->lock); isc_mem_free(kasp->mctx, kasp->name); isc_mem_putanddetach(&kasp->mctx, kasp, sizeof(*kasp)); } diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 1073e0f25b8..8ade0e8cb0f 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c 
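Review bot: The new `isc_mutex_t lock;` in `struct dns_kasp` (kasp.h, third hunk) has no comment saying what it guards, although the fields around it are annotated "Locked by themselves" and "Under owner's locking control". Judging from the other files in this commit, it is held around `dns_zone_getdnsseckeys()`, the `dns_keymgr_*` calls and the walk over `dns_kasp_keys(kasp)`, and `checkds_done` takes it before the zone lock. I would record that on the field, e.g. `/* Serializes key management for zones using this policy; taken before the zone lock. */`. The struct continues outside the hunk, so fields covered by the lock but not shown here may need the same annotation.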
@@ -139,6 +139,15 @@ /*% * KASP flags */ +#define KASP_LOCK(k) \ + if ((k) != NULL) { \ + LOCK((&((k)->lock))); \ + } + +#define KASP_UNLOCK(k) \ + if ((k) != NULL) { \ + UNLOCK((&((k)->lock))); \ + } /* * Default values. @@ -6086,7 +6095,7 @@ failure: /*% * Find DNSSEC keys used for signing zone with dnssec-policy. Load these keys - * into 'keys'. + * into 'keys'. Requires KASP to be locked. */ isc_result_t dns_zone_getdnsseckeys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, @@ -7021,6 +7030,7 @@ signed_with_good_key(dns_zone_t *zone, dns_db_t *db, dns_dbnode_t *node, int zsk_count = 0; bool approved; + KASP_LOCK(kasp); for (kkey = ISC_LIST_HEAD(dns_kasp_keys(kasp)); kkey != NULL; kkey = ISC_LIST_NEXT(kkey, link)) { @@ -7031,6 +7041,7 @@ signed_with_good_key(dns_zone_t *zone, dns_db_t *db, dns_dbnode_t *node, zsk_count++; } } + KASP_UNLOCK(kasp); if (dns_rdatatype_iskeymaterial(type)) { /* @@ -20239,6 +20250,7 @@ checkds_done(void *arg) { CHECK(dns_zone_getdb(zone, &db)); dns_db_currentversion(db, &version); + KASP_LOCK(kasp); LOCK_ZONE(zone); for (key = ISC_LIST_HEAD(zone->checkds_ok); key != NULL; key = ISC_LIST_NEXT(key, link)) @@ -20331,6 +20343,7 @@ checkds_done(void *arg) { } } UNLOCK_ZONE(zone); + KASP_UNLOCK(kasp); /* Rekey after checkds. */ if (rekey) { @@ -21308,6 +21321,8 @@ zone_rekey(dns_zone_t *zone) { */ fullsign = DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_FULLSIGN); + KASP_LOCK(kasp); + dns_zone_lock_keyfiles(zone); result = dns_dnssec_findmatchingkeys(&zone->origin, dir, now, mctx, &keys); @@ -21355,11 +21370,14 @@ zone_rekey(dns_zone_t *zone) { "zone_rekey:dns_dnssec_keymgr " "failed: %s", isc_result_totext(result)); + KASP_UNLOCK(kasp); goto failure; } } } + KASP_UNLOCK(kasp); + if (result == ISC_R_SUCCESS) { dns_kasp_digestlist_t digests; bool cdsdel = false;
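Review bot: `KASP_LOCK` and `KASP_UNLOCK` expand to a bare `if (...) { ... }`, so every `KASP_LOCK(kasp);` leaves a stray empty statement, and using either macro as the unbraced body of an `if` that has an `else` fails to compile. Wrapping the body keeps call sites statement-safe: `#define KASP_LOCK(k) do { if ((k) != NULL) { LOCK(&(k)->lock); } } while (0)`, and the same shape for `KASP_UNLOCK`. The macros also sit directly under the existing `KASP flags` comment, which does not describe them; a separate heading such as `/*% KASP locking; no-op when the zone has no policy */` would be clearer.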
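Review bot: In `checkds_done` the policy mutex is taken just before `LOCK_ZONE(zone)` and released after `UNLOCK_ZONE(zone)` in a separate hunk, with roughly ninety lines in between that this diff does not show. Any `CHECK()` or `goto` inside that region would leave both locks held, so it is worth confirming that the loop has no early exit. The ordering used here (kasp lock first, zone lock second) also becomes a rule that every other path taking both must follow to avoid deadlock. A comment at the lock site would make it explicit: `/* Lock order: kasp->lock, then the zone lock. */`.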
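Review bot: The error path in `zone_rekey` unlocks by hand (`KASP_UNLOCK(kasp);` just before `goto failure;`), which covers only this one exit from the region opened by `KASP_LOCK(kasp)` in the previous hunk. The lines between the two hunks are not in the diff, so any other jump to `failure` there, now or added later, would leave the mutex held and presumably stall key management for every zone on that policy. Releasing on the common path is harder to get wrong: set `bool kasp_locked = true;` after `KASP_LOCK(kasp)`, clear it at the normal unlock, and have the `failure:` path do `if (kasp_locked) { KASP_UNLOCK(kasp); }`. The `failure` label itself is outside the hunk.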