From: Matthijs Mekking Date: Wed, 13 Dec 2023 08:38:17 +0000 (+0100) Subject: Remove kasp mutex lock X-Git-Tag: v9.19.21~32^2~1 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=634c80ea1237520b7660a8469af2c38b7865ca24;p=thirdparty%2Fbind9.git Remove kasp mutex lock Multiple zones should be able to read the same key and signing policy at the same time. Since writing the kasp lock only happens during reconfiguration, and the complete kasp list is being replaced, there is actually no need for a lock. Reference counting ensures that a kasp structure is not destroyed when still being attached to one or more zones. This significantly improves the load configuration time. --- diff --git a/bin/named/server.c b/bin/named/server.c index 80c5b5f1bb8..29658c22196 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -14690,9 +14690,7 @@ named_server_dnssec(named_server_t *server, isc_lex_t *lex, dir = dns_zone_getkeydirectory(zone); CHECK(dns_zone_getdb(zone, &db)); dns_db_currentversion(db, &version); - LOCK(&kasp->lock); result = dns_zone_getdnsseckeys(zone, db, version, now, &keys); - UNLOCK(&kasp->lock); if (result != ISC_R_SUCCESS) { if (result != ISC_R_NOTFOUND) { goto cleanup; @@ -14703,9 +14701,7 @@ named_server_dnssec(named_server_t *server, isc_lex_t *lex, /* * Output the DNSSEC status of the key and signing policy. */ - LOCK(&kasp->lock); dns_keymgr_status(kasp, &keys, now, &output[0], sizeof(output)); - UNLOCK(&kasp->lock); CHECK(putstr(text, output)); } else if (checkds) { /* @@ -14717,7 +14713,6 @@ named_server_dnssec(named_server_t *server, isc_lex_t *lex, isc_time_formattimestamp(&timewhen, whenbuf, sizeof(whenbuf)); isc_result_t ret; - LOCK(&kasp->lock); if (use_keyid) { result = dns_keymgr_checkds_id(kasp, &keys, dir, now, when, dspublish, keyid, 
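Review bot: The checkds branch (hunk at -14717, continued at -14726) and the rollover hunk at -14773 now call `dns_keymgr_checkds_id()`, `dns_keymgr_checkds()` and `dns_keymgr_rollover()` with no lock visible around them, and since these calls take `&keys` and `dir` they appear to update key state rather than only read the policy. The commit message justifies dropping `kasp->lock` for readers of the policy, but it does not say what now serialises this command handler against `zone_rekey()` working on the same keys. `zone_rekey()` calls `dns_zone_lock_keyfiles(zone)` in the zone.c hunk; if that key-file lock is the intended guard, either take it around these calls or record it with a comment such as `/* key state is serialised by the zone's key-file lock, not by the kasp */`. Most of named_server_dnssec() lies outside these hunks, so a lock taken elsewhere in the function would not be visible here.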
@@ -14726,7 +14721,6 @@ named_server_dnssec(named_server_t *server, isc_lex_t *lex, result = dns_keymgr_checkds(kasp, &keys, dir, now, when, dspublish); } - UNLOCK(&kasp->lock); switch (result) { case ISC_R_SUCCESS: @@ -14773,10 +14767,8 @@ named_server_dnssec(named_server_t *server, isc_lex_t *lex, isc_time_formattimestamp(&timewhen, whenbuf, sizeof(whenbuf)); isc_result_t ret; - LOCK(&kasp->lock); result = dns_keymgr_rollover(kasp, &keys, dir, now, when, keyid, (unsigned int)algorithm); - UNLOCK(&kasp->lock); switch (result) { case ISC_R_SUCCESS: diff --git a/lib/dns/include/dns/kasp.h b/lib/dns/include/dns/kasp.h index 9a32f586b2d..32b4a99d8ea 100644 --- a/lib/dns/include/dns/kasp.h +++ b/lib/dns/include/dns/kasp.h @@ -27,7 +27,6 @@ #include #include -#include #include #include @@ -44,10 +43,7 @@ struct dns_kasp_digest { struct dns_kasp_key { isc_mem_t *mctx; - /* Locked by themselves. */ isc_refcount_t references; - - /* Under owner's locking control. */ ISC_LINK(struct dns_kasp_key) link; /* Configuration */ @@ -71,13 +67,9 @@ struct dns_kasp { char *name; /* Internals. */ - isc_mutex_t lock; - bool frozen; - - /* Locked by themselves. */ + bool frozen; isc_refcount_t references; - /* Under owner's locking control. */ ISC_LINK(struct dns_kasp) link; /* Configuration: signatures */ diff --git a/lib/dns/kasp.c b/lib/dns/kasp.c index 639811bf4e9..f7efeda805d 100644 --- a/lib/dns/kasp.c +++ b/lib/dns/kasp.c @@ -51,7 +51,6 @@ dns_kasp_create(isc_mem_t *mctx, const char *name, dns_kasp_t **kaspp) { kasp->mctx = NULL; isc_mem_attach(mctx, &kasp->mctx); kasp->name = isc_mem_strdup(mctx, name); - isc_mutex_init(&kasp->lock); isc_refcount_init(&kasp->references, 1); *kaspp = kasp; @@ -90,7 +89,6 @@ destroy(dns_kasp_t *kasp) { } INSIST(ISC_LIST_EMPTY(kasp->digests)); - isc_mutex_destroy(&kasp->lock); isc_mem_free(kasp->mctx, kasp->name); isc_mem_putanddetach(&kasp->mctx, kasp, sizeof(*kasp)); } 
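Review bot: The `struct dns_kasp` hunk in kasp.h deletes the `Locked by themselves` and `Under owner's locking control` comments together with `isc_mutex_t lock`, and nothing replaces them, so the header no longer records why unsynchronised access is safe. `frozen` stays a plain `bool` that is now read without any lock, which holds only if a policy is fully built and frozen before a zone can reach it and is never modified afterwards. I would state that above the field, e.g. `/* No lock: a kasp is immutable once frozen and shared; its lifetime is managed by 'references'. */`, and add the same note to `struct dns_kasp_key`. If any path thaws or edits a policy that zones are already attached to, that path still needs synchronisation.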
diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 8ade0e8cb0f..1073e0f25b8 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -139,15 +139,6 @@ /*% * KASP flags */ -#define KASP_LOCK(k) \ - if ((k) != NULL) { \ - LOCK((&((k)->lock))); \ - } - -#define KASP_UNLOCK(k) \ - if ((k) != NULL) { \ - UNLOCK((&((k)->lock))); \ - } /* * Default values. @@ -6095,7 +6086,7 @@ failure: /*% * Find DNSSEC keys used for signing zone with dnssec-policy. Load these keys - * into 'keys'. Requires KASP to be locked. + * into 'keys'. */ isc_result_t dns_zone_getdnsseckeys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, @@ -7030,7 +7021,6 @@ signed_with_good_key(dns_zone_t *zone, dns_db_t *db, dns_dbnode_t *node, int zsk_count = 0; bool approved; - KASP_LOCK(kasp); for (kkey = ISC_LIST_HEAD(dns_kasp_keys(kasp)); kkey != NULL; kkey = ISC_LIST_NEXT(kkey, link)) { @@ -7041,7 +7031,6 @@ signed_with_good_key(dns_zone_t *zone, dns_db_t *db, dns_dbnode_t *node, zsk_count++; } } - KASP_UNLOCK(kasp); if (dns_rdatatype_iskeymaterial(type)) { /* @@ -20250,7 +20239,6 @@ checkds_done(void *arg) { CHECK(dns_zone_getdb(zone, &db)); dns_db_currentversion(db, &version); - KASP_LOCK(kasp); LOCK_ZONE(zone); for (key = ISC_LIST_HEAD(zone->checkds_ok); key != NULL; key = ISC_LIST_NEXT(key, link)) @@ -20343,7 +20331,6 @@ checkds_done(void *arg) { } } UNLOCK_ZONE(zone); - KASP_UNLOCK(kasp); /* Rekey after checkds. */ if (rekey) { @@ -21321,8 +21308,6 @@ zone_rekey(dns_zone_t *zone) { */ fullsign = DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_FULLSIGN); - KASP_LOCK(kasp); - dns_zone_lock_keyfiles(zone); result = dns_dnssec_findmatchingkeys(&zone->origin, dir, now, mctx, &keys); @@ -21370,14 +21355,11 @@ zone_rekey(dns_zone_t *zone) { "zone_rekey:dns_dnssec_keymgr " "failed: %s", isc_result_totext(result)); - KASP_UNLOCK(kasp); goto failure; } } } - KASP_UNLOCK(kasp); - if (result == ISC_R_SUCCESS) { dns_kasp_digestlist_t digests; bool cdsdel = false;
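Review bot: In `signed_with_good_key()` the walk over `dns_kasp_keys(kasp)` now runs with no lock, so its safety rests entirely on `kasp` staying alive and unchanged for the whole loop. The commit message relies on reference counting, but that only protects a kasp that is still attached to a zone; if the local `kasp` is a bare copy of the zone's pointer, a reconfiguration that swaps the zone's policy could release it mid-iteration. How `kasp` is obtained is outside this hunk, so it needs checking in the enclosing function, and the same applies to `checkds_done()` and `zone_rekey()`, which drop `KASP_LOCK` as well. Where a reference is held, a comment such as `/* No lock needed: kasp is frozen and we hold a reference for the duration. */` would record the assumption at each site.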