diff --git a/CHANGES b/CHANGES index 00df744b4f..287de9e075 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2976. [bug] named die on exit after negotiating a GSS-TSIG key. + [RT #3415] + 2975. [bug] rbtdb.c:cleanup_dead_nodes_callback() aquired the wrong lock which could lead to server deadlock. [RT #22614] diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c index a34fce35aa..744579cdb6 100644 --- a/bin/dig/dighost.c +++ b/bin/dig/dighost.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dighost.c,v 1.334 2010/11/16 05:38:30 marka Exp $ */ +/* $Id: dighost.c,v 1.335 2010/12/02 23:22:41 marka Exp $ */ /*! \file * \note @@ -252,7 +252,7 @@ isc_result_t opentmpkey(isc_mem_t *mctx, const char *file, char **tempp, FILE **fp); isc_result_t removetmpkey(isc_mem_t *mctx, const char *file); void clean_trustedkey(void); -void insert_trustedkey(dst_key_t * key); +void insert_trustedkey(dst_key_t **key); #if DIG_SIGCHASE_BU isc_result_t getneededrr(dns_message_t *msg); void sigchase_bottom_up(dns_message_t *msg); @@ -1135,14 +1135,13 @@ setup_file_key(void) { goto failure; } result = dns_tsigkey_createfromkey(dst_key_name(dstkey), hmacname, - dstkey, ISC_FALSE, NULL, 0, 0, + &dstkey, ISC_FALSE, NULL, 0, 0, mctx, NULL, &key); if (result != ISC_R_SUCCESS) { printf(";; Couldn't create key %s: %s\n", keynametext, isc_result_totext(result)); goto failure; } - dstkey = NULL; failure: if (dstkey != NULL) dst_key_free(&dstkey); @@ -4053,14 +4052,15 @@ sigchase_scanname(dns_rdatatype_t type, dns_rdatatype_t covers, } void -insert_trustedkey(dst_key_t * key) +insert_trustedkey(dst_key_t **keyp) { - if (key == NULL) + if (*keyp == NULL) return; if (tk_list.nb_tk >= MAX_TRUSTED_KEY) return; - tk_list.key[tk_list.nb_tk++] = key; + tk_list.key[tk_list.nb_tk++] = *keyp; + *keyp = NULL; return; } 
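Review bot: The prototype hunk declares `insert_trustedkey(dst_key_t **key)` while the definition names the parameter `keyp`; use `keyp` in both so the declaration itself signals the ownership-transfer convention. The definition also reads `*keyp` without checking `keyp`, and it returns silently when `tk_list.nb_tk >= MAX_TRUSTED_KEY`, leaving the key with the caller. A header comment would make that contract explicit, e.g. `/* Takes ownership of *keyp and sets it to NULL; if *keyp is NULL or the table is full, *keyp is left untouched and the caller must free it. */`.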
@@ -4234,11 +4234,12 @@ get_trusted_key(isc_mem_t *mctx) fclose(fp); return (ISC_R_FAILURE); } - insert_trustedkey(key); #if 0 dst_key_tofile(key, DST_TYPE_PUBLIC,"/tmp"); #endif - key = NULL; + insert_trustedkey(&key); + if (key != NULL) + dst_key_free(&key); } return (ISC_R_SUCCESS); } diff --git a/bin/named/server.c b/bin/named/server.c index 42c2913731..50dbfb6d0e 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: server.c,v 1.586 2010/11/16 01:37:36 sar Exp $ */ +/* $Id: server.c,v 1.587 2010/12/02 23:22:41 marka Exp $ */ /*! \file */ @@ -634,6 +634,8 @@ load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig, } cleanup: + if (dstkey != NULL) + dst_key_free(&dstkey); if (secroots != NULL) dns_keytable_detach(&secroots); if (result == DST_R_NOCRYPTO) @@ -3565,10 +3567,9 @@ generate_session_key(const char *filename, const char *keynamestr, /* Store the key in tsigkey. */ isc_stdtime_get(&now); - CHECK(dns_tsigkey_createfromkey(dst_key_name(key), algname, key, + CHECK(dns_tsigkey_createfromkey(dst_key_name(key), algname, &key, ISC_FALSE, NULL, now, now, mctx, NULL, &tsigkey)); - key = NULL; /* ownership of key has been transferred */ /* Dump the key to the key file. */ fp = ns_os_openfile(filename, S_IRUSR|S_IWUSR, ISC_TRUE); diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c index fd18c7813f..8a36aa96ad 100644 --- a/bin/nsupdate/nsupdate.c +++ b/bin/nsupdate/nsupdate.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: nsupdate.c,v 1.182 2010/08/10 23:48:19 tbox Exp $ */ +/* $Id: nsupdate.c,v 1.183 2010/12/02 23:22:41 marka Exp $ */ /*! \file */ @@ -682,7 +682,7 @@ setup_keyfile(isc_mem_t *mctx, isc_log_t *lctx) { } if (hmacname != NULL) { result = dns_tsigkey_createfromkey(dst_key_name(dstkey), - hmacname, dstkey, ISC_FALSE, + hmacname, &dstkey, ISC_FALSE, NULL, 0, 0, mctx, NULL, &tsigkey); if (result != ISC_R_SUCCESS) { 
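Review bot: In load_view_keys the new `if (dstkey != NULL) dst_key_free(&dstkey);` under `cleanup:` runs on every path that reaches the label, so it is only safe if `dstkey` is initialised to NULL at its declaration and is NULL again after each key has been handed off. Neither the declaration nor the hand-off is inside this hunk, so please confirm both. A stale or uninitialised pointer here would turn the leak fix into a double free or a free of garbage. A short comment at the label such as `/* dstkey is non-NULL only if ownership was not transferred */` would record the invariant.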
diff --git a/bin/tests/system/allow_query/tests.sh b/bin/tests/system/allow_query/tests.sh index ba782627fe..d8eeeba9be 100644 --- a/bin/tests/system/allow_query/tests.sh +++ b/bin/tests/system/allow_query/tests.sh @@ -14,7 +14,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: tests.sh,v 1.2 2010/11/16 01:37:37 sar Exp $ +# $Id: tests.sh,v 1.3 2010/12/02 23:22:41 marka Exp $ # Test of allow-query statement. # allow-query takes an address match list and can be included in either the @@ -68,7 +68,7 @@ n=0 n=`expr $n + 1` echo "I:test $n: default - query allowed" ret=0 -$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi @@ -82,7 +82,7 @@ sleep 5 echo "I:test $n: explicit any - query allowed" ret=0 -$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi @@ -96,7 +96,7 @@ sleep 5 echo "I:test $n: none - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi 
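Review bot: `-b 10.53.0.2` is pasted into every `$DIG` invocation (this hunk and all the following hunks through the end of tests.sh) with no comment saying why the source address has to be pinned. The address-based cases ("address allowed", "address not allowed", "address disallowed") depend on the client's source address, so a one-line comment before the first test would help the next reader. Setting it once, for example by appending `-b 10.53.0.2` to `DIGOPTS` (defined outside these hunks), would also keep a later test from silently omitting it and exercising a different ACL path.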
@@ -110,7 +110,7 @@ sleep 5 echo "I:test $n: address allowed - query allowed" ret=0 -$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi @@ -124,7 +124,7 @@ sleep 5 echo "I:test $n: address not allowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi @@ -138,7 +138,7 @@ sleep 5 echo "I:test $n: address disallowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi @@ -152,7 +152,7 @@ sleep 5 echo "I:test $n: acl allowed - query allowed" ret=0 -$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi 
@@ -166,7 +166,7 @@ sleep 5 echo "I:test $n: acl not allowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi @@ -181,7 +181,7 @@ sleep 5 echo "I:test $n: acl disallowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi @@ -195,7 +195,7 @@ sleep 5 echo "I:test $n: key allowed - query allowed" ret=0 -$DIG $DIGOPTS @10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi @@ -209,7 +209,7 @@ sleep 5 echo "I:test $n: key not allowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi 
@@ -223,7 +223,7 @@ sleep 5 echo "I:test $n: key disallowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi @@ -240,7 +240,7 @@ sleep 5 echo "I:test $n: views default - query allowed" ret=0 -$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi @@ -254,7 +254,7 @@ sleep 5 echo "I:test $n: views explicit any - query allowed" ret=0 -$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi @@ -268,7 +268,7 @@ sleep 5 echo "I:test $n: views none - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi 
@@ -282,7 +282,7 @@ sleep 5 echo "I:test $n: views address allowed - query allowed" ret=0 -$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi @@ -296,7 +296,7 @@ sleep 5 echo "I:test $n: views address not allowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi @@ -310,7 +310,7 @@ sleep 5 echo "I:test $n: views address disallowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi @@ -324,7 +324,7 @@ sleep 5 echo "I:test $n: views acl allowed - query allowed" ret=0 -$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi 
@@ -338,7 +338,7 @@ sleep 5 echo "I:test $n: views acl not allowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi @@ -352,7 +352,7 @@ sleep 5 echo "I:test $n: views acl disallowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi @@ -366,7 +366,7 @@ sleep 5 echo "I:test $n: views key allowed - query allowed" ret=0 -$DIG $DIGOPTS @10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi @@ -380,7 +380,7 @@ sleep 5 echo "I:test $n: views key not allowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi 
@@ -394,7 +394,7 @@ sleep 5 echo "I:test $n: views key disallowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi @@ -408,7 +408,7 @@ sleep 5 echo "I:test $n: views over options, views allow - query allowed" ret=0 -$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi @@ -422,7 +422,7 @@ sleep 5 echo "I:test $n: views over options, views disallow - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi @@ -440,7 +440,7 @@ sleep 5 echo "I:test $n: zone default - query allowed" ret=0 -$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi 
@@ -450,7 +450,7 @@ status=`expr $status + $ret` n=`expr $n + 1` echo "I:test $n: zone explicit any - query allowed" ret=0 -$DIG $DIGOPTS @10.53.0.2 a.any.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.any.example a > dig.out.ns2.$n || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.any.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi @@ -460,7 +460,7 @@ status=`expr $status + $ret` n=`expr $n + 1` echo "I:test $n: zone none - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 a.none.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.none.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.none.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi @@ -470,7 +470,7 @@ status=`expr $status + $ret` n=`expr $n + 1` echo "I:test $n: zone address allowed - query allowed" ret=0 -$DIG $DIGOPTS @10.53.0.2 a.addrallow.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrallow.example a > dig.out.ns2.$n || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.addrallow.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi @@ -480,7 +480,7 @@ status=`expr $status + $ret` n=`expr $n + 1` echo "I:test $n: zone address not allowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 a.addrnotallow.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrnotallow.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.addrnotallow.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi 
@@ -490,7 +490,7 @@ status=`expr $status + $ret` n=`expr $n + 1` echo "I:test $n: zone address disallowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 a.addrdisallow.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrdisallow.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.addrdisallow.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi @@ -500,7 +500,7 @@ status=`expr $status + $ret` n=`expr $n + 1` echo "I:test $n: zone acl allowed - query allowed" ret=0 -$DIG $DIGOPTS @10.53.0.2 a.aclallow.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclallow.example a > dig.out.ns2.$n || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.aclallow.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi @@ -510,7 +510,7 @@ status=`expr $status + $ret` n=`expr $n + 1` echo "I:test $n: zone acl not allowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 a.aclnotallow.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclnotallow.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.aclnotallow.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi @@ -520,7 +520,7 @@ status=`expr $status + $ret` n=`expr $n + 1` echo "I:test $n: zone acl disallowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 a.acldisallow.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.acldisallow.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.acldisallow.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi 
@@ -530,7 +530,7 @@ status=`expr $status + $ret` n=`expr $n + 1` echo "I:test $n: zone key allowed - query allowed" ret=0 -$DIG $DIGOPTS @10.53.0.2 -y one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi @@ -540,7 +540,7 @@ status=`expr $status + $ret` n=`expr $n + 1` echo "I:test $n: zone key not allowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -y two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi @@ -550,7 +550,7 @@ status=`expr $status + $ret` n=`expr $n + 1` echo "I:test $n: zone key disallowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi @@ -564,7 +564,7 @@ sleep 5 echo "I:test $n: views over options, views allow - query allowed" ret=0 -$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi 
@@ -578,7 +578,7 @@ sleep 5 echo "I:test $n: views over options, views disallow - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi @@ -592,7 +592,7 @@ sleep 5 echo "I:test $n: zones over views, views allow - query allowed" ret=0 -$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi @@ -606,7 +606,7 @@ sleep 5 echo "I:test $n: zones over views, views disallow - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c index 24bb0b3c2c..f5c234f214 100644 --- a/bin/tests/system/tkey/keydelete.c +++ b/bin/tests/system/tkey/keydelete.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: keydelete.c,v 1.13 2009/07/19 23:47:55 tbox Exp $ */ +/* $Id: keydelete.c,v 1.14 2010/12/02 23:22:41 marka Exp $ */ #include @@ -230,7 +230,7 @@ main(int argc, char **argv) { CHECK("dst_key_fromnamedfile", result); result = dns_tsigkey_createfromkey(dst_key_name(dstkey), DNS_TSIG_HMACMD5_NAME, - dstkey, ISC_TRUE, NULL, 0, 0, + &dstkey, ISC_TRUE, NULL, 0, 0, mctx, ring, &tsigkey); CHECK("dns_tsigkey_createfromkey", result); 
diff --git a/lib/dns/client.c b/lib/dns/client.c index dfbb9130d3..8913c8e503 100644 --- a/lib/dns/client.c +++ b/lib/dns/client.c @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: client.c,v 1.10 2010/05/19 07:09:25 marka Exp $ */ +/* $Id: client.c,v 1.11 2010/12/02 23:22:41 marka Exp $ */ #include @@ -1424,6 +1424,8 @@ dns_client_addtrustedkey(dns_client_t *client, dns_rdataclass_t rdclass, result = dns_keytable_add(secroots, ISC_FALSE, &dstkey); cleanup: + if (dstkey != NULL) + dns_key_free(&dstkey); if (view != NULL) dns_view_detach(&view); if (secroots != NULL) diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c index b1b686cb8d..bdb86ce601 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c @@ -31,7 +31,7 @@ /* * Principal Author: Brian Wellington - * $Id: dst_api.c,v 1.51 2010/05/13 03:08:30 marka Exp $ + * $Id: dst_api.c,v 1.52 2010/12/02 23:22:42 marka Exp $ */ /*! \file */ @@ -544,6 +544,7 @@ dst_key_fromnamedfile(const char *filename, const char *dirname, *keyp = key; return (ISC_R_SUCCESS); + out: if (pubkey != NULL) dst_key_free(&pubkey); diff --git a/lib/dns/include/dns/tsec.h b/lib/dns/include/dns/tsec.h index c6b376a19d..37052f627a 100644 --- a/lib/dns/include/dns/tsec.h +++ b/lib/dns/include/dns/tsec.h @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: tsec.h,v 1.3 2009/09/02 23:48:02 tbox Exp $ */ +/* $Id: tsec.h,v 1.4 2010/12/02 23:22:42 marka Exp $ */ #ifndef DNS_TSEC_H #define DNS_TSEC_H 1 @@ -65,7 +65,7 @@ typedef enum { } dns_tsectype_t; isc_result_t -dns_tsec_create(isc_mem_t *mctx, dns_tsectype_t type, dst_key_t *key, +dns_tsec_create(isc_mem_t *mctx, dns_tsectype_t type, dst_key_t **keyp, dns_tsec_t **tsecp); /*%< * Create a TSEC structure and stores a type-dependent key structure in it. diff --git a/lib/dns/include/dns/tsig.h b/lib/dns/include/dns/tsig.h index 025a26d2a3..6a835ed72c 100644 --- a/lib/dns/include/dns/tsig.h +++ b/lib/dns/include/dns/tsig.h 
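Review bot: The cleanup added to dns_client_addtrustedkey calls `dns_key_free(&dstkey)`, but every other release of a `dst_key_t` in this commit uses `dst_key_free()` (server.c, tkey.c, zone.c) and nothing named `dns_key_free` is declared anywhere in the diff. This looks like a typo that will not compile or link, and the line should read `dst_key_free(&dstkey);`. The same call is added in setup_tsec in lib/export/samples/sample-update.c. The cleanup also assumes `dstkey` starts as NULL and is cleared by `dns_keytable_add()` on success; both are outside the hunk.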
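Review bot: The visible part of the `dns_tsec_create` doc comment in tsec.h still only says it "stores a type-dependent key structure", although the parameter is now `dst_key_t **keyp` and the implementation adds `REQUIRE(keyp != NULL && *keyp != NULL)` and `ENSURE(*keyp == NULL)`. The header should state the contract, for example a "Requires" entry `'keyp' and '*keyp' are non-NULL` and an "Ensures" entry `on success '*keyp' is NULL and the key is owned by the tsec; on failure '*keyp' is unchanged and the caller must free it`. The `dns_tsigkey_createfromkey` prototype in tsig.h gets the same `dst_key_t **dstkeyp` change and needs the same note, including that `dstkeyp` may be NULL. The rest of both comments lies outside the hunks.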
@@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: tsig.h,v 1.55 2010/07/09 23:46:51 tbox Exp $ */ +/* $Id: tsig.h,v 1.56 2010/12/02 23:22:42 marka Exp $ */ #ifndef DNS_TSIG_H #define DNS_TSIG_H 1 @@ -103,7 +103,7 @@ dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm, isc_result_t dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm, - dst_key_t *dstkey, isc_boolean_t generated, + dst_key_t **dstkeyp, isc_boolean_t generated, dns_name_t *creator, isc_stdtime_t inception, isc_stdtime_t expire, isc_mem_t *mctx, dns_tsig_keyring_t *ring, dns_tsigkey_t **key); diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c index fb500b69b9..6155498219 100644 --- a/lib/dns/tkey.c +++ b/lib/dns/tkey.c @@ -16,7 +16,7 @@ */ /* - * $Id: tkey.c,v 1.94 2010/07/09 23:46:51 tbox Exp $ + * $Id: tkey.c,v 1.95 2010/12/02 23:22:42 marka Exp $ */ /*! \file */ #include @@ -417,10 +417,9 @@ process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name, } static isc_result_t -process_gsstkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name, - dns_rdata_tkey_t *tkeyin, dns_tkeyctx_t *tctx, - dns_rdata_tkey_t *tkeyout, - dns_tsig_keyring_t *ring, dns_namelist_t *namelist) +process_gsstkey(dns_name_t *name, dns_rdata_tkey_t *tkeyin, + dns_tkeyctx_t *tctx, dns_rdata_tkey_t *tkeyout, + dns_tsig_keyring_t *ring) { isc_result_t result = ISC_R_SUCCESS; dst_key_t *dstkey = NULL; @@ -431,9 +430,6 @@ process_gsstkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name, isc_buffer_t *outtoken = NULL; gss_ctx_id_t gss_ctx = NULL; - UNUSED(namelist); - UNUSED(signer); - if (tctx->gsscred == NULL) return (ISC_R_NOPERM); @@ -483,7 +479,7 @@ process_gsstkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name, #endif isc_uint32_t expire; - RETERR(dst_key_fromgssapi(name, gss_ctx, msg->mctx, &dstkey)); + RETERR(dst_key_fromgssapi(name, gss_ctx, ring->mctx, &dstkey)); /* * Limit keys to 1 hour or the context's lifetime whichever * is smaller. 
@@ -495,7 +491,7 @@ process_gsstkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name, expire = now + lifetime; #endif RETERR(dns_tsigkey_createfromkey(name, &tkeyin->algorithm, - dstkey, ISC_TRUE, + &dstkey, ISC_TRUE, dns_fixedname_name(&principal), now, expire, ring->mctx, ring, NULL)); @@ -551,19 +547,14 @@ failure: } static isc_result_t -process_deletetkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name, - dns_rdata_tkey_t *tkeyin, - dns_rdata_tkey_t *tkeyout, - dns_tsig_keyring_t *ring, - dns_namelist_t *namelist) +process_deletetkey(dns_name_t *signer, dns_name_t *name, + dns_rdata_tkey_t *tkeyin, dns_rdata_tkey_t *tkeyout, + dns_tsig_keyring_t *ring) { isc_result_t result; dns_tsigkey_t *tsigkey = NULL; dns_name_t *identity; - UNUSED(msg); - UNUSED(namelist); - result = dns_tsigkey_find(&tsigkey, name, &tkeyin->algorithm, ring); if (result != ISC_R_SUCCESS) { tkeyout->error = dns_tsigerror_badname; @@ -780,16 +771,13 @@ dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx, break; case DNS_TKEYMODE_GSSAPI: tkeyout.error = dns_rcode_noerror; - RETERR(process_gsstkey(msg, signer, keyname, &tkeyin, - tctx, &tkeyout, ring, - &namelist)); - + RETERR(process_gsstkey(keyname, &tkeyin, tctx, + &tkeyout, ring)); break; case DNS_TKEYMODE_DELETE: tkeyout.error = dns_rcode_noerror; - RETERR(process_deletetkey(msg, signer, keyname, - &tkeyin, &tkeyout, - ring, &namelist)); + RETERR(process_deletetkey(signer, keyname, &tkeyin, + &tkeyout, ring)); break; case DNS_TKEYMODE_SERVERASSIGNED: case DNS_TKEYMODE_RESOLVERASSIGNED: 
@@ -1280,15 +1268,13 @@ dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg, isc_buffer_init(&intoken, rtkey.key, rtkey.keylen); RETERR(dst_gssapi_initctx(gname, &intoken, outtoken, context)); - dstkey = NULL; RETERR(dst_key_fromgssapi(dns_rootname, *context, rmsg->mctx, &dstkey)); RETERR(dns_tsigkey_createfromkey(tkeyname, DNS_TSIG_GSSAPI_NAME, - dstkey, ISC_FALSE, NULL, + &dstkey, ISC_FALSE, NULL, rtkey.inception, rtkey.expire, ring->mctx, ring, outkey)); - dns_rdata_freestruct(&rtkey); return (result); @@ -1296,6 +1282,8 @@ dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg, /* * XXXSRA This probably leaks memory from rtkey and qtkey. */ + if (dstkey != NULL) + dst_key_free(&dstkey); return (result); } @@ -1406,7 +1394,6 @@ dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg, if (result != DNS_R_CONTINUE && result != ISC_R_SUCCESS) return (result); - dstkey = NULL; RETERR(dst_key_fromgssapi(dns_rootname, *context, rmsg->mctx, &dstkey)); @@ -1420,10 +1407,9 @@ dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg, (win2k ? DNS_TSIG_GSSAPIMS_NAME : DNS_TSIG_GSSAPI_NAME), - dstkey, ISC_TRUE, NULL, + &dstkey, ISC_TRUE, NULL, rtkey.inception, rtkey.expire, ring->mctx, ring, outkey)); - dns_rdata_freestruct(&rtkey); return (result); @@ -1432,5 +1418,7 @@ dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg, * XXXSRA This probably leaks memory from qtkey. */ dns_rdata_freestruct(&rtkey); + if (dstkey != NULL) + dst_key_free(&dstkey); return (result); } diff --git a/lib/dns/tsec.c b/lib/dns/tsec.c index c90d4ee256..5ce9f83e91 100644 --- a/lib/dns/tsec.c +++ b/lib/dns/tsec.c @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: tsec.c,v 1.4 2009/09/02 23:48:02 tbox Exp $ */ +/* $Id: tsec.c,v 1.5 2010/12/02 23:22:42 marka Exp $ */ #include 
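Review bot: dns_tkey_processgssresponse and dns_tkey_gssnegotiate still build the key with `dst_key_fromgssapi(dns_rootname, *context, rmsg->mctx, &dstkey)` and then store it through `ring->mctx, ring`, whereas process_gsstkey was switched from `msg->mctx` to `ring->mctx` in this same commit. If that switch was needed because the key outlives the message (inferred from the CHANGES entry), it is worth confirming whether these two client-side paths need `ring->mctx` as well. Separately, both hunks drop `dstkey = NULL;` and add `if (dstkey != NULL) dst_key_free(&dstkey);` on the failure path, so any `RETERR` that fires before the key is created now reads `dstkey`. The declarations are outside the hunks; they need `dst_key_t *dstkey = NULL;`.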
@@ -44,14 +44,16 @@ struct dns_tsec { }; isc_result_t -dns_tsec_create(isc_mem_t *mctx, dns_tsectype_t type, dst_key_t *key, +dns_tsec_create(isc_mem_t *mctx, dns_tsectype_t type, dst_key_t **keyp, dns_tsec_t **tsecp) { isc_result_t result; dns_tsec_t *tsec; dns_tsigkey_t *tsigkey = NULL; dns_name_t *algname; + dst_key_t *key; + REQUIRE(keyp != NULL && *keyp != NULL); REQUIRE(mctx != NULL); REQUIRE(tsecp != NULL && *tsecp == NULL); @@ -59,6 +61,8 @@ dns_tsec_create(isc_mem_t *mctx, dns_tsectype_t type, dst_key_t *key, if (tsec == NULL) return (ISC_R_NOMEMORY); + key = *keyp; + tsec->type = type; tsec->mctx = mctx; @@ -88,7 +92,7 @@ dns_tsec_create(isc_mem_t *mctx, dns_tsectype_t type, dst_key_t *key, return (DNS_R_BADALG); } result = dns_tsigkey_createfromkey(dst_key_name(key), - algname, key, ISC_FALSE, + algname, keyp, ISC_FALSE, NULL, 0, 0, mctx, NULL, &tsigkey); if (result != ISC_R_SUCCESS) { @@ -99,6 +103,7 @@ dns_tsec_create(isc_mem_t *mctx, dns_tsectype_t type, dst_key_t *key, break; case dns_tsectype_sig0: tsec->ukey.key = key; + *keyp = NULL; break; default: INSIST(0); @@ -107,7 +112,7 @@ dns_tsec_create(isc_mem_t *mctx, dns_tsectype_t type, dst_key_t *key, tsec->magic = DNS_TSEC_MAGIC; *tsecp = tsec; - + ENSURE(*keyp == NULL); return (ISC_R_SUCCESS); } diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c index bc6454560e..ab33ea3e65 100644 --- a/lib/dns/tsig.c +++ b/lib/dns/tsig.c @@ -16,7 +16,7 @@ */ /* - * $Id: tsig.c,v 1.141 2010/07/09 05:13:15 each Exp $ + * $Id: tsig.c,v 1.142 2010/12/02 23:22:42 marka Exp $ */ /*! \file */ #include @@ -287,7 +287,7 @@ keyring_add(dns_tsig_keyring_t *ring, dns_name_t *name, isc_result_t dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm, - dst_key_t *dstkey, isc_boolean_t generated, + dst_key_t **dstkeyp, isc_boolean_t generated, dns_name_t *creator, isc_stdtime_t inception, isc_stdtime_t expire, isc_mem_t *mctx, dns_tsig_keyring_t *ring, dns_tsigkey_t **key) 
@@ -295,6 +295,7 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm, dns_tsigkey_t *tkey; isc_result_t ret; unsigned int refs = 0; + dst_key_t *dstkey; REQUIRE(key == NULL || *key == NULL); REQUIRE(name != NULL); @@ -302,6 +303,10 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm, REQUIRE(mctx != NULL); REQUIRE(key != NULL || ring != NULL); + if (dstkeyp != NULL) + dstkey = *dstkeyp; + else + dstkey = NULL; tkey = (dns_tsigkey_t *) isc_mem_get(mctx, sizeof(dns_tsigkey_t)); if (tkey == NULL) return (ISC_R_NOMEMORY); @@ -436,6 +441,8 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm, namestr); } + if (dstkeyp != NULL) + *dstkeyp = NULL; if (key != NULL) *key = tkey; @@ -623,7 +630,7 @@ dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm, } else if (length > 0) return (DNS_R_BADALG); - result = dns_tsigkey_createfromkey(name, algorithm, dstkey, + result = dns_tsigkey_createfromkey(name, algorithm, &dstkey, generated, creator, inception, expire, mctx, ring, key); if (result != ISC_R_SUCCESS && dstkey != NULL) diff --git a/lib/dns/zone.c b/lib/dns/zone.c index e0cfdcd428..9ca32c01b7 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zone.c,v 1.576 2010/11/30 23:46:55 tbox Exp $ */ +/* $Id: zone.c,v 1.577 2010/12/02 23:22:42 marka Exp $ */ /*! \file */ @@ -2831,6 +2831,7 @@ trust_key(dns_viewlist_t *viewlist, dns_name_t *keyname, isc_buffer_t buffer; dns_view_t *view; dns_keytable_t *sr = NULL; + dst_key_t *dstkey = NULL; /* Convert dnskey to DST key. */ isc_buffer_init(&buffer, data, sizeof(data)); 
@@ -2839,18 +2840,19 @@ trust_key(dns_viewlist_t *viewlist, dns_name_t *keyname, for (view = ISC_LIST_HEAD(*viewlist); view != NULL; view = ISC_LIST_NEXT(view, link)) { - dst_key_t *key = NULL; result = dns_view_getsecroots(view, &sr); if (result != ISC_R_SUCCESS) continue; - CHECK(dns_dnssec_keyfromrdata(keyname, &rdata, mctx, &key)); - CHECK(dns_keytable_add(sr, ISC_TRUE, &key)); + CHECK(dns_dnssec_keyfromrdata(keyname, &rdata, mctx, &dstkey)); + CHECK(dns_keytable_add(sr, ISC_TRUE, &dstkey)); dns_keytable_detach(&sr); } failure: + if (dstkey != NULL) + dst_key_free(&dstkey); if (sr != NULL) dns_keytable_detach(&sr); return; @@ -3235,6 +3237,7 @@ sync_keyzone(dns_zone_t *zone, dns_db_t *db) { dns_fixedname_t fname; dns_name_t *keyname; dst_key_t *key; + key = dns_keynode_key(keynode); dns_fixedname_init(&fname); @@ -4450,6 +4453,7 @@ find_zone_keys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, isc_result_t result; dns_dbnode_t *node = NULL; const char *directory = dns_zone_getkeydirectory(zone); + CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node)); result = dns_dnssec_findzonekeys2(db, ver, node, dns_db_origin(db), directory, mctx, maxkeys, keys, diff --git a/lib/export/samples/sample-update.c b/lib/export/samples/sample-update.c index 7357106e7f..bfff1c4b55 100644 --- a/lib/export/samples/sample-update.c +++ b/lib/export/samples/sample-update.c @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: sample-update.c,v 1.5 2009/09/29 15:06:07 fdupont Exp $ */ +/* $Id: sample-update.c,v 1.6 2010/12/02 23:22:42 marka Exp $ */ #include @@ -747,6 +747,7 @@ setup_tsec(char *keyfile, isc_mem_t *mctx) { result = dns_tsec_create(mctx, tsectype, dstkey, &tsec); if (result != ISC_R_SUCCESS) { + dns_key_free(&dstkey); fprintf(stderr, "could not create tsec: %s\n", isc_result_totext(result)); exit(1);
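Review bot: In sample-update.c the unchanged call `dns_tsec_create(mctx, tsectype, dstkey, &tsec)` still passes `dstkey` by value, but this commit changes the parameter to `dst_key_t **keyp` in tsec.h and tsec.c. The call no longer matches the prototype; if it builds with only a warning, dns_tsec_create would be handed the key object where it expects a pointer to the key pointer. The line should become `result = dns_tsec_create(mctx, tsectype, &dstkey, &tsec);`. setup_tsec begins and ends outside the hunk.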