
2976. [bug] named die on exit after negotiating a GSS-TSIG key. [RT #3415]

This commit is contained in:
Mark Andrews 2010-12-02 23:22:42 +00:00
parent 7fb319204e
commit c87f15dac8
15 changed files with 121 additions and 108 deletions


@ -1,3 +1,6 @@
2976. [bug] named die on exit after negotiating a GSS-TSIG key.
[RT #3415]
2975. [bug] rbtdb.c:cleanup_dead_nodes_callback() aquired the 2975. [bug] rbtdb.c:cleanup_dead_nodes_callback() aquired the
wrong lock which could lead to server deadlock. wrong lock which could lead to server deadlock.
[RT #22614] [RT #22614]


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: dighost.c,v 1.334 2010/11/16 05:38:30 marka Exp $ */ /* $Id: dighost.c,v 1.335 2010/12/02 23:22:41 marka Exp $ */
/*! \file /*! \file
* \note * \note
@ -252,7 +252,7 @@ isc_result_t opentmpkey(isc_mem_t *mctx, const char *file,
char **tempp, FILE **fp); char **tempp, FILE **fp);
isc_result_t removetmpkey(isc_mem_t *mctx, const char *file); isc_result_t removetmpkey(isc_mem_t *mctx, const char *file);
void clean_trustedkey(void); void clean_trustedkey(void);
void insert_trustedkey(dst_key_t * key); void insert_trustedkey(dst_key_t **key);
#if DIG_SIGCHASE_BU #if DIG_SIGCHASE_BU
isc_result_t getneededrr(dns_message_t *msg); isc_result_t getneededrr(dns_message_t *msg);
void sigchase_bottom_up(dns_message_t *msg); void sigchase_bottom_up(dns_message_t *msg);
@ -1135,14 +1135,13 @@ setup_file_key(void) {
goto failure; goto failure;
} }
result = dns_tsigkey_createfromkey(dst_key_name(dstkey), hmacname, result = dns_tsigkey_createfromkey(dst_key_name(dstkey), hmacname,
dstkey, ISC_FALSE, NULL, 0, 0, &dstkey, ISC_FALSE, NULL, 0, 0,
mctx, NULL, &key); mctx, NULL, &key);
if (result != ISC_R_SUCCESS) { if (result != ISC_R_SUCCESS) {
printf(";; Couldn't create key %s: %s\n", printf(";; Couldn't create key %s: %s\n",
keynametext, isc_result_totext(result)); keynametext, isc_result_totext(result));
goto failure; goto failure;
} }
dstkey = NULL;
failure: failure:
if (dstkey != NULL) if (dstkey != NULL)
dst_key_free(&dstkey); dst_key_free(&dstkey);
@ -4053,14 +4052,15 @@ sigchase_scanname(dns_rdatatype_t type, dns_rdatatype_t covers,
} }
void void
insert_trustedkey(dst_key_t * key) insert_trustedkey(dst_key_t **keyp)
{ {
if (key == NULL) if (*keyp == NULL)
return; return;
if (tk_list.nb_tk >= MAX_TRUSTED_KEY) if (tk_list.nb_tk >= MAX_TRUSTED_KEY)
return; return;
tk_list.key[tk_list.nb_tk++] = key; tk_list.key[tk_list.nb_tk++] = *keyp;
*keyp = NULL;
return; return;
} }
@ -4234,11 +4234,12 @@ get_trusted_key(isc_mem_t *mctx)
fclose(fp); fclose(fp);
return (ISC_R_FAILURE); return (ISC_R_FAILURE);
} }
insert_trustedkey(key);
#if 0 #if 0
dst_key_tofile(key, DST_TYPE_PUBLIC,"/tmp"); dst_key_tofile(key, DST_TYPE_PUBLIC,"/tmp");
#endif #endif
key = NULL; insert_trustedkey(&key);
if (key != NULL)
dst_key_free(&key);
} }
return (ISC_R_SUCCESS); return (ISC_R_SUCCESS);
} }
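Review bot: `insert_trustedkey` now dereferences `keyp` before any check, so a NULL argument — which the old `dst_key_t *key` signature tolerated — would crash; the guard should read `if (keyp == NULL || *keyp == NULL) return;`. The ownership rule the caller in `get_trusted_key` relies on (`*keyp` is cleared only when the key was stored, and the `if (key != NULL) dst_key_free(&key);` after the call releases whatever was not taken) is stated nowhere; I would put `/* Takes ownership of *keyp and clears it on success; if the table is full the key is left in *keyp for the caller to free. */` above the function. The full-table path also returns silently, so a trust anchor beyond MAX_TRUSTED_KEY vanishes without a diagnostic and a later sigchase failure gives no hint why — an `fprintf(stderr, ...)` before that `return` would be cheap. Both `setup_file_key` and `get_trusted_key` start outside their hunks.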


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: server.c,v 1.586 2010/11/16 01:37:36 sar Exp $ */ /* $Id: server.c,v 1.587 2010/12/02 23:22:41 marka Exp $ */
/*! \file */ /*! \file */
@ -634,6 +634,8 @@ load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig,
} }
cleanup: cleanup:
if (dstkey != NULL)
dst_key_free(&dstkey);
if (secroots != NULL) if (secroots != NULL)
dns_keytable_detach(&secroots); dns_keytable_detach(&secroots);
if (result == DST_R_NOCRYPTO) if (result == DST_R_NOCRYPTO)
@ -3565,10 +3567,9 @@ generate_session_key(const char *filename, const char *keynamestr,
/* Store the key in tsigkey. */ /* Store the key in tsigkey. */
isc_stdtime_get(&now); isc_stdtime_get(&now);
CHECK(dns_tsigkey_createfromkey(dst_key_name(key), algname, key, CHECK(dns_tsigkey_createfromkey(dst_key_name(key), algname, &key,
ISC_FALSE, NULL, now, now, mctx, NULL, ISC_FALSE, NULL, now, now, mctx, NULL,
&tsigkey)); &tsigkey));
key = NULL; /* ownership of key has been transferred */
/* Dump the key to the key file. */ /* Dump the key to the key file. */
fp = ns_os_openfile(filename, S_IRUSR|S_IWUSR, ISC_TRUE); fp = ns_os_openfile(filename, S_IRUSR|S_IWUSR, ISC_TRUE);
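Review bot: The `CHECK(dns_tsigkey_createfromkey(..., &key, ...))` line leaves the fate of `key` on the error path to a contract defined in tsig.c, outside this diff: if a failed call leaves `*key` intact, the cleanup label (also outside the hunk) must free it, and if the call consumed it, freeing it there would be exactly the double free this commit is fixing. I would record which holds at the call site, in place of the deleted comment: `/* On success *key is NULL and tsigkey owns the dst key; on failure key is still ours for cleanup to free. */`. Since `key` is NULL from here on, the key-file dump that begins right after the hunk must reach the dst key through `tsigkey->key` rather than `key` — I cannot see that code, so it is worth a check. The new `dst_key_free` in `load_view_keys`'s cleanup is safe only if every success path above it (outside the hunk) already cleared `dstkey` when ownership moved; otherwise it double-frees on success. Both functions start and end outside the hunks.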


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: nsupdate.c,v 1.182 2010/08/10 23:48:19 tbox Exp $ */ /* $Id: nsupdate.c,v 1.183 2010/12/02 23:22:41 marka Exp $ */
/*! \file */ /*! \file */
@ -682,7 +682,7 @@ setup_keyfile(isc_mem_t *mctx, isc_log_t *lctx) {
} }
if (hmacname != NULL) { if (hmacname != NULL) {
result = dns_tsigkey_createfromkey(dst_key_name(dstkey), result = dns_tsigkey_createfromkey(dst_key_name(dstkey),
hmacname, dstkey, ISC_FALSE, hmacname, &dstkey, ISC_FALSE,
NULL, 0, 0, mctx, NULL, NULL, 0, 0, mctx, NULL,
&tsigkey); &tsigkey);
if (result != ISC_R_SUCCESS) { if (result != ISC_R_SUCCESS) {
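Review bot: With `&dstkey` passed here, what `dstkey` holds after a failed `dns_tsigkey_createfromkey` decides whether the `if (result != ISC_R_SUCCESS)` branch — whose body and the function's failure label are outside the hunk — leaks or double-frees it; that contract comes from tsig.c, not this diff, so I would note it at the call: `/* dstkey is consumed (set to NULL) on success; on failure it is still ours to free. */`. The `else` branch of `if (hmacname != NULL)` is also outside the hunk and presumably still holds `dstkey` itself — worth confirming the shared failure path does not free it twice now that this branch no longer leaves a dangling copy. `setup_keyfile` starts and ends outside the hunk.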


@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE. # PERFORMANCE OF THIS SOFTWARE.
# $Id: tests.sh,v 1.2 2010/11/16 01:37:37 sar Exp $ # $Id: tests.sh,v 1.3 2010/12/02 23:22:41 marka Exp $
# Test of allow-query statement. # Test of allow-query statement.
# allow-query takes an address match list and can be included in either the # allow-query takes an address match list and can be included in either the
@ -68,7 +68,7 @@ n=0
n=`expr $n + 1` n=`expr $n + 1`
echo "I:test $n: default - query allowed" echo "I:test $n: default - query allowed"
ret=0 ret=0
$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
@ -82,7 +82,7 @@ sleep 5
echo "I:test $n: explicit any - query allowed" echo "I:test $n: explicit any - query allowed"
ret=0 ret=0
$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
@ -96,7 +96,7 @@ sleep 5
echo "I:test $n: none - query refused" echo "I:test $n: none - query refused"
ret=0 ret=0
$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
@ -110,7 +110,7 @@ sleep 5
echo "I:test $n: address allowed - query allowed" echo "I:test $n: address allowed - query allowed"
ret=0 ret=0
$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
@ -124,7 +124,7 @@ sleep 5
echo "I:test $n: address not allowed - query refused" echo "I:test $n: address not allowed - query refused"
ret=0 ret=0
$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
@ -138,7 +138,7 @@ sleep 5
echo "I:test $n: address disallowed - query refused" echo "I:test $n: address disallowed - query refused"
ret=0 ret=0
$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
@ -152,7 +152,7 @@ sleep 5
echo "I:test $n: acl allowed - query allowed" echo "I:test $n: acl allowed - query allowed"
ret=0 ret=0
$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
@ -166,7 +166,7 @@ sleep 5
echo "I:test $n: acl not allowed - query refused" echo "I:test $n: acl not allowed - query refused"
ret=0 ret=0
$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
@ -181,7 +181,7 @@ sleep 5
echo "I:test $n: acl disallowed - query refused" echo "I:test $n: acl disallowed - query refused"
ret=0 ret=0
$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
@ -195,7 +195,7 @@ sleep 5
echo "I:test $n: key allowed - query allowed" echo "I:test $n: key allowed - query allowed"
ret=0 ret=0
$DIG $DIGOPTS @10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
@ -209,7 +209,7 @@ sleep 5
echo "I:test $n: key not allowed - query refused" echo "I:test $n: key not allowed - query refused"
ret=0 ret=0
$DIG $DIGOPTS @10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
@ -223,7 +223,7 @@ sleep 5
echo "I:test $n: key disallowed - query refused" echo "I:test $n: key disallowed - query refused"
ret=0 ret=0
$DIG $DIGOPTS @10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
@ -240,7 +240,7 @@ sleep 5
echo "I:test $n: views default - query allowed" echo "I:test $n: views default - query allowed"
ret=0 ret=0
$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
@ -254,7 +254,7 @@ sleep 5
echo "I:test $n: views explicit any - query allowed" echo "I:test $n: views explicit any - query allowed"
ret=0 ret=0
$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
@ -268,7 +268,7 @@ sleep 5
echo "I:test $n: views none - query refused" echo "I:test $n: views none - query refused"
ret=0 ret=0
$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
@ -282,7 +282,7 @@ sleep 5
echo "I:test $n: views address allowed - query allowed" echo "I:test $n: views address allowed - query allowed"
ret=0 ret=0
$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
@ -296,7 +296,7 @@ sleep 5
echo "I:test $n: views address not allowed - query refused" echo "I:test $n: views address not allowed - query refused"
ret=0 ret=0
$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
@ -310,7 +310,7 @@ sleep 5
echo "I:test $n: views address disallowed - query refused" echo "I:test $n: views address disallowed - query refused"
ret=0 ret=0
$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
@ -324,7 +324,7 @@ sleep 5
echo "I:test $n: views acl allowed - query allowed" echo "I:test $n: views acl allowed - query allowed"
ret=0 ret=0
$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
@ -338,7 +338,7 @@ sleep 5
echo "I:test $n: views acl not allowed - query refused" echo "I:test $n: views acl not allowed - query refused"
ret=0 ret=0
$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
@ -352,7 +352,7 @@ sleep 5
echo "I:test $n: views acl disallowed - query refused" echo "I:test $n: views acl disallowed - query refused"
ret=0 ret=0
$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
@ -366,7 +366,7 @@ sleep 5
echo "I:test $n: views key allowed - query allowed" echo "I:test $n: views key allowed - query allowed"
ret=0 ret=0
$DIG $DIGOPTS @10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
@ -380,7 +380,7 @@ sleep 5
echo "I:test $n: views key not allowed - query refused" echo "I:test $n: views key not allowed - query refused"
ret=0 ret=0
$DIG $DIGOPTS @10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
@ -394,7 +394,7 @@ sleep 5
echo "I:test $n: views key disallowed - query refused" echo "I:test $n: views key disallowed - query refused"
ret=0 ret=0
$DIG $DIGOPTS @10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
@ -408,7 +408,7 @@ sleep 5
echo "I:test $n: views over options, views allow - query allowed" echo "I:test $n: views over options, views allow - query allowed"
ret=0 ret=0
$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
@ -422,7 +422,7 @@ sleep 5
echo "I:test $n: views over options, views disallow - query refused" echo "I:test $n: views over options, views disallow - query refused"
ret=0 ret=0
$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
@ -440,7 +440,7 @@ sleep 5
echo "I:test $n: zone default - query allowed" echo "I:test $n: zone default - query allowed"
ret=0 ret=0
$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
@ -450,7 +450,7 @@ status=`expr $status + $ret`
n=`expr $n + 1` n=`expr $n + 1`
echo "I:test $n: zone explicit any - query allowed" echo "I:test $n: zone explicit any - query allowed"
ret=0 ret=0
$DIG $DIGOPTS @10.53.0.2 a.any.example a > dig.out.ns2.$n || ret=1 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.any.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.any.example' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.any.example' dig.out.ns2.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
@ -460,7 +460,7 @@ status=`expr $status + $ret`
n=`expr $n + 1` n=`expr $n + 1`
echo "I:test $n: zone none - query refused" echo "I:test $n: zone none - query refused"
ret=0 ret=0
$DIG $DIGOPTS @10.53.0.2 a.none.example a > dig.out.ns2.$n || ret=1 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.none.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.none.example' dig.out.ns2.$n > /dev/null && ret=1 grep '^a.none.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
@ -470,7 +470,7 @@ status=`expr $status + $ret`
n=`expr $n + 1` n=`expr $n + 1`
echo "I:test $n: zone address allowed - query allowed" echo "I:test $n: zone address allowed - query allowed"
ret=0 ret=0
$DIG $DIGOPTS @10.53.0.2 a.addrallow.example a > dig.out.ns2.$n || ret=1 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrallow.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.addrallow.example' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.addrallow.example' dig.out.ns2.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
@ -480,7 +480,7 @@ status=`expr $status + $ret`
n=`expr $n + 1` n=`expr $n + 1`
echo "I:test $n: zone address not allowed - query refused" echo "I:test $n: zone address not allowed - query refused"
ret=0 ret=0
$DIG $DIGOPTS @10.53.0.2 a.addrnotallow.example a > dig.out.ns2.$n || ret=1 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrnotallow.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.addrnotallow.example' dig.out.ns2.$n > /dev/null && ret=1 grep '^a.addrnotallow.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
@ -490,7 +490,7 @@ status=`expr $status + $ret`
n=`expr $n + 1` n=`expr $n + 1`
echo "I:test $n: zone address disallowed - query refused" echo "I:test $n: zone address disallowed - query refused"
ret=0 ret=0
$DIG $DIGOPTS @10.53.0.2 a.addrdisallow.example a > dig.out.ns2.$n || ret=1 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrdisallow.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.addrdisallow.example' dig.out.ns2.$n > /dev/null && ret=1 grep '^a.addrdisallow.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
@ -500,7 +500,7 @@ status=`expr $status + $ret`
n=`expr $n + 1` n=`expr $n + 1`
echo "I:test $n: zone acl allowed - query allowed" echo "I:test $n: zone acl allowed - query allowed"
ret=0 ret=0
$DIG $DIGOPTS @10.53.0.2 a.aclallow.example a > dig.out.ns2.$n || ret=1 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclallow.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.aclallow.example' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.aclallow.example' dig.out.ns2.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
@ -510,7 +510,7 @@ status=`expr $status + $ret`
n=`expr $n + 1` n=`expr $n + 1`
echo "I:test $n: zone acl not allowed - query refused" echo "I:test $n: zone acl not allowed - query refused"
ret=0 ret=0
$DIG $DIGOPTS @10.53.0.2 a.aclnotallow.example a > dig.out.ns2.$n || ret=1 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclnotallow.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.aclnotallow.example' dig.out.ns2.$n > /dev/null && ret=1 grep '^a.aclnotallow.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
@ -520,7 +520,7 @@ status=`expr $status + $ret`
n=`expr $n + 1` n=`expr $n + 1`
echo "I:test $n: zone acl disallowed - query refused" echo "I:test $n: zone acl disallowed - query refused"
ret=0 ret=0
$DIG $DIGOPTS @10.53.0.2 a.acldisallow.example a > dig.out.ns2.$n || ret=1 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.acldisallow.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.acldisallow.example' dig.out.ns2.$n > /dev/null && ret=1 grep '^a.acldisallow.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
@ -530,7 +530,7 @@ status=`expr $status + $ret`
n=`expr $n + 1` n=`expr $n + 1`
echo "I:test $n: zone key allowed - query allowed" echo "I:test $n: zone key allowed - query allowed"
ret=0 ret=0
$DIG $DIGOPTS @10.53.0.2 -y one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
@ -540,7 +540,7 @@ status=`expr $status + $ret`
n=`expr $n + 1` n=`expr $n + 1`
echo "I:test $n: zone key not allowed - query refused" echo "I:test $n: zone key not allowed - query refused"
ret=0 ret=0
$DIG $DIGOPTS @10.53.0.2 -y two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1 grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
@ -550,7 +550,7 @@ status=`expr $status + $ret`
n=`expr $n + 1` n=`expr $n + 1`
echo "I:test $n: zone key disallowed - query refused" echo "I:test $n: zone key disallowed - query refused"
ret=0 ret=0
$DIG $DIGOPTS @10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1 grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
@ -564,7 +564,7 @@ sleep 5
echo "I:test $n: views over options, views allow - query allowed" echo "I:test $n: views over options, views allow - query allowed"
ret=0 ret=0
$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
@ -578,7 +578,7 @@ sleep 5
echo "I:test $n: views over options, views disallow - query refused" echo "I:test $n: views over options, views disallow - query refused"
ret=0 ret=0
$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
@ -592,7 +592,7 @@ sleep 5
echo "I:test $n: zones over views, views allow - query allowed" echo "I:test $n: zones over views, views allow - query allowed"
ret=0 ret=0
$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
@ -606,7 +606,7 @@ sleep 5
echo "I:test $n: zones over views, views disallow - query refused" echo "I:test $n: zones over views, views disallow - query refused"
ret=0 ret=0
$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1 $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: keydelete.c,v 1.13 2009/07/19 23:47:55 tbox Exp $ */ /* $Id: keydelete.c,v 1.14 2010/12/02 23:22:41 marka Exp $ */
#include <config.h> #include <config.h>
@ -230,7 +230,7 @@ main(int argc, char **argv) {
CHECK("dst_key_fromnamedfile", result); CHECK("dst_key_fromnamedfile", result);
result = dns_tsigkey_createfromkey(dst_key_name(dstkey), result = dns_tsigkey_createfromkey(dst_key_name(dstkey),
DNS_TSIG_HMACMD5_NAME, DNS_TSIG_HMACMD5_NAME,
dstkey, ISC_TRUE, NULL, 0, 0, &dstkey, ISC_TRUE, NULL, 0, 0,
mctx, ring, &tsigkey); mctx, ring, &tsigkey);
CHECK("dns_tsigkey_createfromkey", result); CHECK("dns_tsigkey_createfromkey", result);
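Review bot: Passing `&dstkey` means dns_tsigkey_createfromkey now clears `dstkey` on success (the tsig.c hunk in this commit sets `*dstkeyp = NULL` there), so any later unconditional `dst_key_free(&dstkey)` in this main(), which lies outside the hunk, would be handed a NULL key and trip its precondition; it needs to read `if (dstkey != NULL) dst_key_free(&dstkey);`. On failure `*dstkeyp` is left untouched, so the key remains this function's to free; the CHECK macro's error path is not visible here, so it is worth confirming it does that.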


@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: client.c,v 1.10 2010/05/19 07:09:25 marka Exp $ */ /* $Id: client.c,v 1.11 2010/12/02 23:22:41 marka Exp $ */
#include <config.h> #include <config.h>
@ -1424,6 +1424,8 @@ dns_client_addtrustedkey(dns_client_t *client, dns_rdataclass_t rdclass,
result = dns_keytable_add(secroots, ISC_FALSE, &dstkey); result = dns_keytable_add(secroots, ISC_FALSE, &dstkey);
cleanup: cleanup:
if (dstkey != NULL)
dns_key_free(&dstkey);
if (view != NULL) if (view != NULL)
dns_view_detach(&view); dns_view_detach(&view);
if (secroots != NULL) if (secroots != NULL)
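Review bot: The added cleanup at L463 calls `dns_key_free(&dstkey)`, while every other new cleanup in this commit (dst_api.c, tkey.c, zone.c) uses `dst_key_free`; unless a `dns_key_free` wrapper is declared somewhere not shown, this will not compile and should read `dst_key_free(&dstkey);`. The NULL guard is right on the assumption that dns_keytable_add clears `dstkey` on success, the same assumption the zone.c change relies on, leaving only the failure paths of dns_client_addtrustedkey to free it. The function starts outside this hunk.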


@ -31,7 +31,7 @@
/* /*
* Principal Author: Brian Wellington * Principal Author: Brian Wellington
* $Id: dst_api.c,v 1.51 2010/05/13 03:08:30 marka Exp $ * $Id: dst_api.c,v 1.52 2010/12/02 23:22:42 marka Exp $
*/ */
/*! \file */ /*! \file */
@ -544,6 +544,7 @@ dst_key_fromnamedfile(const char *filename, const char *dirname,
*keyp = key; *keyp = key;
return (ISC_R_SUCCESS); return (ISC_R_SUCCESS);
out: out:
if (pubkey != NULL) if (pubkey != NULL)
dst_key_free(&pubkey); dst_key_free(&pubkey);


@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: tsec.h,v 1.3 2009/09/02 23:48:02 tbox Exp $ */ /* $Id: tsec.h,v 1.4 2010/12/02 23:22:42 marka Exp $ */
#ifndef DNS_TSEC_H #ifndef DNS_TSEC_H
#define DNS_TSEC_H 1 #define DNS_TSEC_H 1
@ -65,7 +65,7 @@ typedef enum {
} dns_tsectype_t; } dns_tsectype_t;
isc_result_t isc_result_t
dns_tsec_create(isc_mem_t *mctx, dns_tsectype_t type, dst_key_t *key, dns_tsec_create(isc_mem_t *mctx, dns_tsectype_t type, dst_key_t **keyp,
dns_tsec_t **tsecp); dns_tsec_t **tsecp);
/*%< /*%<
* Create a TSEC structure and stores a type-dependent key structure in it. * Create a TSEC structure and stores a type-dependent key structure in it.
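Review bot: The prototype now takes `dst_key_t **keyp`, which changes who owns the key, but the description starting at L497 (it continues outside the hunk) is not updated to say so. From the tsec.c hunk in this commit, `*keyp` must be non-NULL on entry, on success the key is stored in the TSEC and `*keyp` is set to NULL, and on failure `*keyp` is left for the caller to free; that belongs in the Requires/Ensures text, e.g. `*keyp != NULL` under Requires and `On success *keyp == NULL and the key is owned by the dns_tsec_t; on failure *keyp is unchanged and remains the caller's.` under Ensures.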


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: tsig.h,v 1.55 2010/07/09 23:46:51 tbox Exp $ */ /* $Id: tsig.h,v 1.56 2010/12/02 23:22:42 marka Exp $ */
#ifndef DNS_TSIG_H #ifndef DNS_TSIG_H
#define DNS_TSIG_H 1 #define DNS_TSIG_H 1
@ -103,7 +103,7 @@ dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm,
isc_result_t isc_result_t
dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm, dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
dst_key_t *dstkey, isc_boolean_t generated, dst_key_t **dstkeyp, isc_boolean_t generated,
dns_name_t *creator, isc_stdtime_t inception, dns_name_t *creator, isc_stdtime_t inception,
isc_stdtime_t expire, isc_mem_t *mctx, isc_stdtime_t expire, isc_mem_t *mctx,
dns_tsig_keyring_t *ring, dns_tsigkey_t **key); dns_tsig_keyring_t *ring, dns_tsigkey_t **key);
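Review bot: The prototype now takes `dst_key_t **dstkeyp`, but the description of dns_tsigkey_createfromkey below this hunk is not touched, so nothing states what happens to `*dstkeyp`. From the tsig.c hunk in this commit, `dstkeyp` may be NULL, `*dstkeyp` is set to NULL only on success, and on failure it is left for the caller (dns_tsigkey_create frees it itself on error); add a line to the Requires/Ensures block such as `dstkeyp may be NULL; on success *dstkeyp is set to NULL and the key belongs to the new dns_tsigkey_t, on failure *dstkeyp is unchanged.`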


@ -16,7 +16,7 @@
*/ */
/* /*
* $Id: tkey.c,v 1.94 2010/07/09 23:46:51 tbox Exp $ * $Id: tkey.c,v 1.95 2010/12/02 23:22:42 marka Exp $
*/ */
/*! \file */ /*! \file */
#include <config.h> #include <config.h>
@ -417,10 +417,9 @@ process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
} }
static isc_result_t static isc_result_t
process_gsstkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name, process_gsstkey(dns_name_t *name, dns_rdata_tkey_t *tkeyin,
dns_rdata_tkey_t *tkeyin, dns_tkeyctx_t *tctx, dns_tkeyctx_t *tctx, dns_rdata_tkey_t *tkeyout,
dns_rdata_tkey_t *tkeyout, dns_tsig_keyring_t *ring)
dns_tsig_keyring_t *ring, dns_namelist_t *namelist)
{ {
isc_result_t result = ISC_R_SUCCESS; isc_result_t result = ISC_R_SUCCESS;
dst_key_t *dstkey = NULL; dst_key_t *dstkey = NULL;
@ -431,9 +430,6 @@ process_gsstkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
isc_buffer_t *outtoken = NULL; isc_buffer_t *outtoken = NULL;
gss_ctx_id_t gss_ctx = NULL; gss_ctx_id_t gss_ctx = NULL;
UNUSED(namelist);
UNUSED(signer);
if (tctx->gsscred == NULL) if (tctx->gsscred == NULL)
return (ISC_R_NOPERM); return (ISC_R_NOPERM);
@ -483,7 +479,7 @@ process_gsstkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
#endif #endif
isc_uint32_t expire; isc_uint32_t expire;
RETERR(dst_key_fromgssapi(name, gss_ctx, msg->mctx, &dstkey)); RETERR(dst_key_fromgssapi(name, gss_ctx, ring->mctx, &dstkey));
/* /*
* Limit keys to 1 hour or the context's lifetime whichever * Limit keys to 1 hour or the context's lifetime whichever
* is smaller. * is smaller.
@ -495,7 +491,7 @@ process_gsstkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
expire = now + lifetime; expire = now + lifetime;
#endif #endif
RETERR(dns_tsigkey_createfromkey(name, &tkeyin->algorithm, RETERR(dns_tsigkey_createfromkey(name, &tkeyin->algorithm,
dstkey, ISC_TRUE, &dstkey, ISC_TRUE,
dns_fixedname_name(&principal), dns_fixedname_name(&principal),
now, expire, ring->mctx, ring, now, expire, ring->mctx, ring,
NULL)); NULL));
@ -551,19 +547,14 @@ failure:
} }
static isc_result_t static isc_result_t
process_deletetkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name, process_deletetkey(dns_name_t *signer, dns_name_t *name,
dns_rdata_tkey_t *tkeyin, dns_rdata_tkey_t *tkeyin, dns_rdata_tkey_t *tkeyout,
dns_rdata_tkey_t *tkeyout, dns_tsig_keyring_t *ring)
dns_tsig_keyring_t *ring,
dns_namelist_t *namelist)
{ {
isc_result_t result; isc_result_t result;
dns_tsigkey_t *tsigkey = NULL; dns_tsigkey_t *tsigkey = NULL;
dns_name_t *identity; dns_name_t *identity;
UNUSED(msg);
UNUSED(namelist);
result = dns_tsigkey_find(&tsigkey, name, &tkeyin->algorithm, ring); result = dns_tsigkey_find(&tsigkey, name, &tkeyin->algorithm, ring);
if (result != ISC_R_SUCCESS) { if (result != ISC_R_SUCCESS) {
tkeyout->error = dns_tsigerror_badname; tkeyout->error = dns_tsigerror_badname;
@ -780,16 +771,13 @@ dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx,
break; break;
case DNS_TKEYMODE_GSSAPI: case DNS_TKEYMODE_GSSAPI:
tkeyout.error = dns_rcode_noerror; tkeyout.error = dns_rcode_noerror;
RETERR(process_gsstkey(msg, signer, keyname, &tkeyin, RETERR(process_gsstkey(keyname, &tkeyin, tctx,
tctx, &tkeyout, ring, &tkeyout, ring));
&namelist));
break; break;
case DNS_TKEYMODE_DELETE: case DNS_TKEYMODE_DELETE:
tkeyout.error = dns_rcode_noerror; tkeyout.error = dns_rcode_noerror;
RETERR(process_deletetkey(msg, signer, keyname, RETERR(process_deletetkey(signer, keyname, &tkeyin,
&tkeyin, &tkeyout, &tkeyout, ring));
ring, &namelist));
break; break;
case DNS_TKEYMODE_SERVERASSIGNED: case DNS_TKEYMODE_SERVERASSIGNED:
case DNS_TKEYMODE_RESOLVERASSIGNED: case DNS_TKEYMODE_RESOLVERASSIGNED:
@ -1280,15 +1268,13 @@ dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
isc_buffer_init(&intoken, rtkey.key, rtkey.keylen); isc_buffer_init(&intoken, rtkey.key, rtkey.keylen);
RETERR(dst_gssapi_initctx(gname, &intoken, outtoken, context)); RETERR(dst_gssapi_initctx(gname, &intoken, outtoken, context));
dstkey = NULL;
RETERR(dst_key_fromgssapi(dns_rootname, *context, rmsg->mctx, RETERR(dst_key_fromgssapi(dns_rootname, *context, rmsg->mctx,
&dstkey)); &dstkey));
RETERR(dns_tsigkey_createfromkey(tkeyname, DNS_TSIG_GSSAPI_NAME, RETERR(dns_tsigkey_createfromkey(tkeyname, DNS_TSIG_GSSAPI_NAME,
dstkey, ISC_FALSE, NULL, &dstkey, ISC_FALSE, NULL,
rtkey.inception, rtkey.expire, rtkey.inception, rtkey.expire,
ring->mctx, ring, outkey)); ring->mctx, ring, outkey));
dns_rdata_freestruct(&rtkey); dns_rdata_freestruct(&rtkey);
return (result); return (result);
@ -1296,6 +1282,8 @@ dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
/* /*
* XXXSRA This probably leaks memory from rtkey and qtkey. * XXXSRA This probably leaks memory from rtkey and qtkey.
*/ */
if (dstkey != NULL)
dst_key_free(&dstkey);
return (result); return (result);
} }
@ -1406,7 +1394,6 @@ dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
if (result != DNS_R_CONTINUE && result != ISC_R_SUCCESS) if (result != DNS_R_CONTINUE && result != ISC_R_SUCCESS)
return (result); return (result);
dstkey = NULL;
RETERR(dst_key_fromgssapi(dns_rootname, *context, rmsg->mctx, RETERR(dst_key_fromgssapi(dns_rootname, *context, rmsg->mctx,
&dstkey)); &dstkey));
@ -1420,10 +1407,9 @@ dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
(win2k (win2k
? DNS_TSIG_GSSAPIMS_NAME ? DNS_TSIG_GSSAPIMS_NAME
: DNS_TSIG_GSSAPI_NAME), : DNS_TSIG_GSSAPI_NAME),
dstkey, ISC_TRUE, NULL, &dstkey, ISC_TRUE, NULL,
rtkey.inception, rtkey.expire, rtkey.inception, rtkey.expire,
ring->mctx, ring, outkey)); ring->mctx, ring, outkey));
dns_rdata_freestruct(&rtkey); dns_rdata_freestruct(&rtkey);
return (result); return (result);
@ -1432,5 +1418,7 @@ dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
* XXXSRA This probably leaks memory from qtkey. * XXXSRA This probably leaks memory from qtkey.
*/ */
dns_rdata_freestruct(&rtkey); dns_rdata_freestruct(&rtkey);
if (dstkey != NULL)
dst_key_free(&dstkey);
return (result); return (result);
} }
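Review bot: Dropping the `dstkey = NULL;` resets at L592 and L612 is only safe if `dstkey` is initialised to NULL at its declaration in dns_tkey_processgssresponse and dns_tkey_gssnegotiate (both declared outside these hunks), because the new failure-path frees at L605-L606 and L628-L629 are reached from every RETERR in those functions, including the ones that fire before dst_key_fromgssapi; worth confirming, since an uninitialised pointer there would turn an early error into a free of an arbitrary address. After a successful dns_tsigkey_createfromkey the callee sets `dstkey` to NULL, so the guard is also what keeps the success-then-error paths from freeing twice. In process_gsstkey the key is now created from `ring->mctx` instead of `msg->mctx`, which matches the context the TSIG key is stored under; a short comment at L544, `/* key is stored in the ring, so allocate it from ring->mctx */`, would explain why msg is no longer a parameter.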


@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: tsec.c,v 1.4 2009/09/02 23:48:02 tbox Exp $ */ /* $Id: tsec.c,v 1.5 2010/12/02 23:22:42 marka Exp $ */
#include <config.h> #include <config.h>
@ -44,14 +44,16 @@ struct dns_tsec {
}; };
isc_result_t isc_result_t
dns_tsec_create(isc_mem_t *mctx, dns_tsectype_t type, dst_key_t *key, dns_tsec_create(isc_mem_t *mctx, dns_tsectype_t type, dst_key_t **keyp,
dns_tsec_t **tsecp) dns_tsec_t **tsecp)
{ {
isc_result_t result; isc_result_t result;
dns_tsec_t *tsec; dns_tsec_t *tsec;
dns_tsigkey_t *tsigkey = NULL; dns_tsigkey_t *tsigkey = NULL;
dns_name_t *algname; dns_name_t *algname;
dst_key_t *key;
REQUIRE(keyp != NULL && *keyp != NULL);
REQUIRE(mctx != NULL); REQUIRE(mctx != NULL);
REQUIRE(tsecp != NULL && *tsecp == NULL); REQUIRE(tsecp != NULL && *tsecp == NULL);
@ -59,6 +61,8 @@ dns_tsec_create(isc_mem_t *mctx, dns_tsectype_t type, dst_key_t *key,
if (tsec == NULL) if (tsec == NULL)
return (ISC_R_NOMEMORY); return (ISC_R_NOMEMORY);
key = *keyp;
tsec->type = type; tsec->type = type;
tsec->mctx = mctx; tsec->mctx = mctx;
@ -88,7 +92,7 @@ dns_tsec_create(isc_mem_t *mctx, dns_tsectype_t type, dst_key_t *key,
return (DNS_R_BADALG); return (DNS_R_BADALG);
} }
result = dns_tsigkey_createfromkey(dst_key_name(key), result = dns_tsigkey_createfromkey(dst_key_name(key),
algname, key, ISC_FALSE, algname, keyp, ISC_FALSE,
NULL, 0, 0, mctx, NULL, NULL, 0, 0, mctx, NULL,
&tsigkey); &tsigkey);
if (result != ISC_R_SUCCESS) { if (result != ISC_R_SUCCESS) {
@ -99,6 +103,7 @@ dns_tsec_create(isc_mem_t *mctx, dns_tsectype_t type, dst_key_t *key,
break; break;
case dns_tsectype_sig0: case dns_tsectype_sig0:
tsec->ukey.key = key; tsec->ukey.key = key;
*keyp = NULL;
break; break;
default: default:
INSIST(0); INSIST(0);
@ -107,7 +112,7 @@ dns_tsec_create(isc_mem_t *mctx, dns_tsectype_t type, dst_key_t *key,
tsec->magic = DNS_TSEC_MAGIC; tsec->magic = DNS_TSEC_MAGIC;
*tsecp = tsec; *tsecp = tsec;
ENSURE(*keyp == NULL);
return (ISC_R_SUCCESS); return (ISC_R_SUCCESS);
} }
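Review bot: The ownership transfer is only asserted on the success path (`ENSURE(*keyp == NULL)` at L679); on the DNS_R_BADALG return at L661 and in the `result != ISC_R_SUCCESS` branch at L667, whose body lies outside the hunk, `*keyp` stays non-NULL and remains the caller's to free, and nothing in the function states that. A comment above `key = *keyp;` at L657 would pin the contract: `/* On success ownership of *keyp moves into tsec (TSIG via dns_tsigkey_createfromkey, SIG(0) directly); on failure *keyp is untouched and the caller frees it. */`. As a minor point, `key = *keyp;` is read only after the allocation at L655-L656 although the REQUIRE at L651 already validated it; reading it next to the REQUIRE keeps the check and the use together.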


@ -16,7 +16,7 @@
*/ */
/* /*
* $Id: tsig.c,v 1.141 2010/07/09 05:13:15 each Exp $ * $Id: tsig.c,v 1.142 2010/12/02 23:22:42 marka Exp $
*/ */
/*! \file */ /*! \file */
#include <config.h> #include <config.h>
@ -287,7 +287,7 @@ keyring_add(dns_tsig_keyring_t *ring, dns_name_t *name,
isc_result_t isc_result_t
dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm, dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
dst_key_t *dstkey, isc_boolean_t generated, dst_key_t **dstkeyp, isc_boolean_t generated,
dns_name_t *creator, isc_stdtime_t inception, dns_name_t *creator, isc_stdtime_t inception,
isc_stdtime_t expire, isc_mem_t *mctx, isc_stdtime_t expire, isc_mem_t *mctx,
dns_tsig_keyring_t *ring, dns_tsigkey_t **key) dns_tsig_keyring_t *ring, dns_tsigkey_t **key)
@ -295,6 +295,7 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
dns_tsigkey_t *tkey; dns_tsigkey_t *tkey;
isc_result_t ret; isc_result_t ret;
unsigned int refs = 0; unsigned int refs = 0;
dst_key_t *dstkey;
REQUIRE(key == NULL || *key == NULL); REQUIRE(key == NULL || *key == NULL);
REQUIRE(name != NULL); REQUIRE(name != NULL);
@ -302,6 +303,10 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
REQUIRE(mctx != NULL); REQUIRE(mctx != NULL);
REQUIRE(key != NULL || ring != NULL); REQUIRE(key != NULL || ring != NULL);
if (dstkeyp != NULL)
dstkey = *dstkeyp;
else
dstkey = NULL;
tkey = (dns_tsigkey_t *) isc_mem_get(mctx, sizeof(dns_tsigkey_t)); tkey = (dns_tsigkey_t *) isc_mem_get(mctx, sizeof(dns_tsigkey_t));
if (tkey == NULL) if (tkey == NULL)
return (ISC_R_NOMEMORY); return (ISC_R_NOMEMORY);
@ -436,6 +441,8 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
namestr); namestr);
} }
if (dstkeyp != NULL)
*dstkeyp = NULL;
if (key != NULL) if (key != NULL)
*key = tkey; *key = tkey;
@ -623,7 +630,7 @@ dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm,
} else if (length > 0) } else if (length > 0)
return (DNS_R_BADALG); return (DNS_R_BADALG);
result = dns_tsigkey_createfromkey(name, algorithm, dstkey, result = dns_tsigkey_createfromkey(name, algorithm, &dstkey,
generated, creator, generated, creator,
inception, expire, mctx, ring, key); inception, expire, mctx, ring, key);
if (result != ISC_R_SUCCESS && dstkey != NULL) if (result != ISC_R_SUCCESS && dstkey != NULL)
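Review bot: The four-line `if (dstkeyp != NULL) dstkey = *dstkeyp; else dstkey = NULL;` at L709-L712 together with the uninitialised declaration at L703 could be one initialiser, `dst_key_t *dstkey = (dstkeyp != NULL) ? *dstkeyp : NULL;`, which also rules out any later path reading `dstkey` before assignment. The new contract — `*dstkeyp` is cleared only on success (L719-L720), and every failure return between L713 and L719, including the ISC_R_NOMEMORY return at L715, leaves it for the caller, as dns_tsigkey_create assumes at L729 — is not written down anywhere in the function; a comment at L719, `/* Ownership of *dstkeyp has passed to tkey; on the failure paths above it stays with the caller. */`, would make that explicit. How tkey->key takes the key (adopting the pointer or attaching a new reference) is outside the hunk, and the comment should say which, because with an attached reference clearing `*dstkeyp` without releasing the caller's reference would leak it.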


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: zone.c,v 1.576 2010/11/30 23:46:55 tbox Exp $ */ /* $Id: zone.c,v 1.577 2010/12/02 23:22:42 marka Exp $ */
/*! \file */ /*! \file */
@ -2831,6 +2831,7 @@ trust_key(dns_viewlist_t *viewlist, dns_name_t *keyname,
isc_buffer_t buffer; isc_buffer_t buffer;
dns_view_t *view; dns_view_t *view;
dns_keytable_t *sr = NULL; dns_keytable_t *sr = NULL;
dst_key_t *dstkey = NULL;
/* Convert dnskey to DST key. */ /* Convert dnskey to DST key. */
isc_buffer_init(&buffer, data, sizeof(data)); isc_buffer_init(&buffer, data, sizeof(data));
@ -2839,18 +2840,19 @@ trust_key(dns_viewlist_t *viewlist, dns_name_t *keyname,
for (view = ISC_LIST_HEAD(*viewlist); view != NULL; for (view = ISC_LIST_HEAD(*viewlist); view != NULL;
view = ISC_LIST_NEXT(view, link)) { view = ISC_LIST_NEXT(view, link)) {
dst_key_t *key = NULL;
result = dns_view_getsecroots(view, &sr); result = dns_view_getsecroots(view, &sr);
if (result != ISC_R_SUCCESS) if (result != ISC_R_SUCCESS)
continue; continue;
CHECK(dns_dnssec_keyfromrdata(keyname, &rdata, mctx, &key)); CHECK(dns_dnssec_keyfromrdata(keyname, &rdata, mctx, &dstkey));
CHECK(dns_keytable_add(sr, ISC_TRUE, &key)); CHECK(dns_keytable_add(sr, ISC_TRUE, &dstkey));
dns_keytable_detach(&sr); dns_keytable_detach(&sr);
} }
failure: failure:
if (dstkey != NULL)
dst_key_free(&dstkey);
if (sr != NULL) if (sr != NULL)
dns_keytable_detach(&sr); dns_keytable_detach(&sr);
return; return;
@ -3235,6 +3237,7 @@ sync_keyzone(dns_zone_t *zone, dns_db_t *db) {
dns_fixedname_t fname; dns_fixedname_t fname;
dns_name_t *keyname; dns_name_t *keyname;
dst_key_t *key; dst_key_t *key;
key = dns_keynode_key(keynode); key = dns_keynode_key(keynode);
dns_fixedname_init(&fname); dns_fixedname_init(&fname);
@ -4450,6 +4453,7 @@ find_zone_keys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
isc_result_t result; isc_result_t result;
dns_dbnode_t *node = NULL; dns_dbnode_t *node = NULL;
const char *directory = dns_zone_getkeydirectory(zone); const char *directory = dns_zone_getkeydirectory(zone);
CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node)); CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node));
result = dns_dnssec_findzonekeys2(db, ver, node, dns_db_origin(db), result = dns_dnssec_findzonekeys2(db, ver, node, dns_db_origin(db),
directory, mctx, maxkeys, keys, directory, mctx, maxkeys, keys,
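Review bot: Moving `dstkey` from a per-iteration local to function scope (L742 replacing L748) means the same pointer is reused across views, so the loop relies on dns_keytable_add clearing `*keyp` on success before the next dns_dnssec_keyfromrdata at L752; if it does not, the second iteration either overwrites a live key or trips a `*keyp == NULL` precondition. dns_keytable_add is not shown, so a comment at L752 stating the assumption is worthwhile: `/* dns_keytable_add consumes dstkey on success, so it is NULL again on the next iteration. */`. The free at L757-L758 now also covers CHECK failures inside the loop, which the old per-iteration `key` never reached; the later hunks in this section are whitespace only.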


@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: sample-update.c,v 1.5 2009/09/29 15:06:07 fdupont Exp $ */ /* $Id: sample-update.c,v 1.6 2010/12/02 23:22:42 marka Exp $ */
#include <config.h> #include <config.h>
@ -747,6 +747,7 @@ setup_tsec(char *keyfile, isc_mem_t *mctx) {
result = dns_tsec_create(mctx, tsectype, dstkey, &tsec); result = dns_tsec_create(mctx, tsectype, dstkey, &tsec);
if (result != ISC_R_SUCCESS) { if (result != ISC_R_SUCCESS) {
dns_key_free(&dstkey);
fprintf(stderr, "could not create tsec: %s\n", fprintf(stderr, "could not create tsec: %s\n",
isc_result_totext(result)); isc_result_totext(result));
exit(1); exit(1);
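Review bot: The call at L784 still passes `dstkey` to dns_tsec_create, whose parameter this commit changes to `dst_key_t **keyp` (tsec.h, tsec.c); unless `dstkey` is already a `dst_key_t **`, which the `&dstkey` in the new free argues against, this hands a single pointer where a pointer-to-pointer is expected and the new `REQUIRE(keyp != NULL && *keyp != NULL)` would then read the key object itself. It should be `result = dns_tsec_create(mctx, tsectype, &dstkey, &tsec);`, after which freeing on the failure branch is correct, since dns_tsec_create leaves `*keyp` intact on error. That free also uses `dns_key_free`, which appears only here and in client.c in this commit while the rest uses `dst_key_free`; check that the name exists, otherwise it should be `dst_key_free(&dstkey);`. setup_tsec starts outside the hunk.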