Revert "Remove kasp mutex lock"
authorMatthijs Mekking <matthijs@isc.org>
Tue, 19 Dec 2023 16:07:40 +0000 (17:07 +0100)
committerMatthijs Mekking <matthijs@isc.org>
Wed, 20 Dec 2023 08:30:44 +0000 (08:30 +0000)
This reverts commit 634c80ea1237520b7660a8469af2c38b7865ca24.

bin/named/server.c
lib/dns/include/dns/kasp.h
lib/dns/kasp.c
lib/dns/zone.c

index 29658c2219652e56b2cc76267857ec546a32af11..80c5b5f1bb8a99c019b7d442d488f0f8dab774cb 100644 (file)
@@ -14690,7 +14690,9 @@ named_server_dnssec(named_server_t *server, isc_lex_t *lex,
        dir = dns_zone_getkeydirectory(zone);
        CHECK(dns_zone_getdb(zone, &db));
        dns_db_currentversion(db, &version);
+       LOCK(&kasp->lock);
        result = dns_zone_getdnsseckeys(zone, db, version, now, &keys);
+       UNLOCK(&kasp->lock);
        if (result != ISC_R_SUCCESS) {
                if (result != ISC_R_NOTFOUND) {
                        goto cleanup;
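Review bot: `kasp->lock` is released right after `dns_zone_getdnsseckeys()` and taken again around each later `dns_keymgr_*` call (the status, checkds and rollover branches in the following hunks), so `keys` is loaded in one critical section and acted on in another. If a concurrent `zone_rekey()` can run the key manager in that gap, the command may operate on a stale key list; this is inferred, since most of `named_server_dnssec` lies outside the hunks. Either hold the lock from the load to the end of the selected branch, or document why the gap is safe, e.g. `/* kasp->lock is dropped here on purpose: <reason the loaded keys stay valid> */`. These sites also dereference `kasp` directly while zone.c uses the NULL-guarded `KASP_LOCK()`, so it is worth confirming that `kasp` is checked for NULL earlier in the function.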
@@ -14701,7 +14703,9 @@ named_server_dnssec(named_server_t *server, isc_lex_t *lex,
                /*
                 * Output the DNSSEC status of the key and signing policy.
                 */
+               LOCK(&kasp->lock);
                dns_keymgr_status(kasp, &keys, now, &output[0], sizeof(output));
+               UNLOCK(&kasp->lock);
                CHECK(putstr(text, output));
        } else if (checkds) {
                /*
@@ -14713,6 +14717,7 @@ named_server_dnssec(named_server_t *server, isc_lex_t *lex,
                isc_time_formattimestamp(&timewhen, whenbuf, sizeof(whenbuf));
                isc_result_t ret;
 
+               LOCK(&kasp->lock);
                if (use_keyid) {
                        result = dns_keymgr_checkds_id(kasp, &keys, dir, now,
                                                       when, dspublish, keyid,
@@ -14721,6 +14726,7 @@ named_server_dnssec(named_server_t *server, isc_lex_t *lex,
                        result = dns_keymgr_checkds(kasp, &keys, dir, now, when,
                                                    dspublish);
                }
+               UNLOCK(&kasp->lock);
 
                switch (result) {
                case ISC_R_SUCCESS:
@@ -14767,8 +14773,10 @@ named_server_dnssec(named_server_t *server, isc_lex_t *lex,
                isc_time_formattimestamp(&timewhen, whenbuf, sizeof(whenbuf));
                isc_result_t ret;
 
+               LOCK(&kasp->lock);
                result = dns_keymgr_rollover(kasp, &keys, dir, now, when, keyid,
                                             (unsigned int)algorithm);
+               UNLOCK(&kasp->lock);
 
                switch (result) {
                case ISC_R_SUCCESS:
index 32b4a99d8ea01fc59391eaa6b1879d34550d56c3..9a32f586b2d3adf0f0d3d7a162cd84d7581af119 100644 (file)
@@ -27,6 +27,7 @@
 
 #include <isc/lang.h>
 #include <isc/magic.h>
+#include <isc/mutex.h>
 #include <isc/refcount.h>
 
 #include <dns/types.h>
@@ -43,7 +44,10 @@ struct dns_kasp_digest {
 struct dns_kasp_key {
        isc_mem_t *mctx;
 
+       /* Locked by themselves. */
        isc_refcount_t references;
+
+       /* Under owner's locking control. */
        ISC_LINK(struct dns_kasp_key) link;
 
        /* Configuration */
@@ -67,9 +71,13 @@ struct dns_kasp {
        char        *name;
 
        /* Internals. */
-       bool           frozen;
+       isc_mutex_t lock;
+       bool        frozen;
+
+       /* Locked by themselves. */
        isc_refcount_t references;
 
+       /* Under owner's locking control. */
        ISC_LINK(struct dns_kasp) link;
 
        /* Configuration: signatures */
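Review bot: The new `lock` member of `struct dns_kasp` has no comment saying what it protects, although the neighbouring members are annotated ("Locked by themselves", "Under owner's locking control"). Judging only from the callers in this commit, it appears to serialize key manager operations and walks of the policy's key list rather than guard `frozen` or the configuration fields. If that is right, state it on the member, e.g. `/* Serializes key manager operations and key list walks for this policy. */`. The struct definition continues outside the hunk.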
index f7efeda805dbb0d5eba67131c093f8cf44414b37..639811bf4e992775496c37384078fc08b2c62121 100644 (file)
@@ -51,6 +51,7 @@ dns_kasp_create(isc_mem_t *mctx, const char *name, dns_kasp_t **kaspp) {
        kasp->mctx = NULL;
        isc_mem_attach(mctx, &kasp->mctx);
        kasp->name = isc_mem_strdup(mctx, name);
+       isc_mutex_init(&kasp->lock);
        isc_refcount_init(&kasp->references, 1);
 
        *kaspp = kasp;
@@ -89,6 +90,7 @@ destroy(dns_kasp_t *kasp) {
        }
        INSIST(ISC_LIST_EMPTY(kasp->digests));
 
+       isc_mutex_destroy(&kasp->lock);
        isc_mem_free(kasp->mctx, kasp->name);
        isc_mem_putanddetach(&kasp->mctx, kasp, sizeof(*kasp));
 }
index 1073e0f25b8699d4006600f63526624a476e162d..8ade0e8cb0fb9343573323691db168d630a2c522 100644 (file)
 /*%
  * KASP flags
  */
+#define KASP_LOCK(k)                  \
+       if ((k) != NULL) {            \
+               LOCK((&((k)->lock))); \
+       }
+
+#define KASP_UNLOCK(k)                  \
+       if ((k) != NULL) {              \
+               UNLOCK((&((k)->lock))); \
+       }
 
 /*
  * Default values.
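Review bot: `KASP_LOCK` and `KASP_UNLOCK` expand to a bare `if` statement, so a use such as `if (x) KASP_LOCK(k); else ...` would bind the `else` to the macro's own `if`, and the trailing `;` becomes an empty statement. Wrapping the body makes each macro behave as a single statement: `#define KASP_LOCK(k) do { if ((k) != NULL) { LOCK(&(k)->lock); } } while (0)`, and the same shape for `KASP_UNLOCK`. The macros also sit under the existing "KASP flags" comment, which does not describe them; a comment of their own, such as `/* Lock/unlock the zone's KASP, if it has one. */`, would fit better.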
@@ -6086,7 +6095,7 @@ failure:
 
 /*%
  * Find DNSSEC keys used for signing zone with dnssec-policy. Load these keys
- * into 'keys'.
+ * into 'keys'. Requires KASP to be locked.
  */
 isc_result_t
 dns_zone_getdnsseckeys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
@@ -7021,6 +7030,7 @@ signed_with_good_key(dns_zone_t *zone, dns_db_t *db, dns_dbnode_t *node,
                int zsk_count = 0;
                bool approved;
 
+               KASP_LOCK(kasp);
                for (kkey = ISC_LIST_HEAD(dns_kasp_keys(kasp)); kkey != NULL;
                     kkey = ISC_LIST_NEXT(kkey, link))
                {
@@ -7031,6 +7041,7 @@ signed_with_good_key(dns_zone_t *zone, dns_db_t *db, dns_dbnode_t *node,
                                zsk_count++;
                        }
                }
+               KASP_UNLOCK(kasp);
 
                if (dns_rdatatype_iskeymaterial(type)) {
                        /*
@@ -20239,6 +20250,7 @@ checkds_done(void *arg) {
        CHECK(dns_zone_getdb(zone, &db));
        dns_db_currentversion(db, &version);
 
+       KASP_LOCK(kasp);
        LOCK_ZONE(zone);
        for (key = ISC_LIST_HEAD(zone->checkds_ok); key != NULL;
             key = ISC_LIST_NEXT(key, link))
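Review bot: `checkds_done()` now takes the kasp lock and then the zone lock, which establishes a lock order (kasp before zone) that nothing in the hunk records. Any path that already holds the zone lock and then reaches `KASP_LOCK()` could deadlock against this one; whether such a path exists is not visible here. Add a comment at the acquisition, e.g. `/* Lock order: kasp->lock, then the zone lock. */`, and confirm that every `CHECK()` or `goto failure` between this line and the `KASP_UNLOCK(kasp)` in the next hunk releases both locks. The function body starts and ends outside the hunk.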
@@ -20331,6 +20343,7 @@ checkds_done(void *arg) {
                }
        }
        UNLOCK_ZONE(zone);
+       KASP_UNLOCK(kasp);
 
        /* Rekey after checkds. */
        if (rekey) {
@@ -21308,6 +21321,8 @@ zone_rekey(dns_zone_t *zone) {
         */
        fullsign = DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_FULLSIGN);
 
+       KASP_LOCK(kasp);
+
        dns_zone_lock_keyfiles(zone);
        result = dns_dnssec_findmatchingkeys(&zone->origin, dir, now, mctx,
                                             &keys);
@@ -21355,11 +21370,14 @@ zone_rekey(dns_zone_t *zone) {
                                           "zone_rekey:dns_dnssec_keymgr "
                                           "failed: %s",
                                           isc_result_totext(result));
+                               KASP_UNLOCK(kasp);
                                goto failure;
                        }
                }
        }
 
+       KASP_UNLOCK(kasp);
+
        if (result == ISC_R_SUCCESS) {
                dns_kasp_digestlist_t digests;
                bool cdsdel = false;
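Review bot: The kasp lock taken in the previous hunk is released by hand before this single `goto failure`, so correctness depends on there being no other exit between `KASP_LOCK(kasp)` and the final `KASP_UNLOCK(kasp)`; the lines between the two hunks are not shown, so that cannot be checked here. A comment at the lock site would protect later edits, e.g. `/* Any exit before the KASP_UNLOCK() below must release the kasp lock first. */`. The locked span also covers `dns_dnssec_findmatchingkeys()` on the key directory and, apparently, the key manager run, so callers of `signed_with_good_key()` will wait on that work; say so in the same comment if it is intended. `zone_rekey`'s body starts and ends outside the hunk.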