upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-06-09 10:12:09 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Initialize the DST subsystem implicitly

Browse source 
Instead of calling dst_lib_init() and dst_lib_destroy() explicitly by
all the programs, create a separate memory context for the DST subsystem
and use the library constructor and destructor to initialize the DST
internals.
This commit is contained in:
Ondřej Surý 2024-08-05 12:14:26 +02:00
parent ab2abfc8b0
commit e6f2f2a5e6
No known key found for this signature in database
GPG key ID: 2820F37E873DEA41
39 changed files with 101 additions and 492 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
bin/check/named-checkconf.c
View file

@ -593,7 +593,6 @@ main(int argc, char **argv) {
const char *conffile = NULL;
isc_mem_t *mctx = NULL;
isc_result_t result = ISC_R_SUCCESS;
bool cleanup_dst = false;
bool load_zones = false;
bool list_zones = false;
bool print = false;
@ -728,9 +727,6 @@ main(int argc, char **argv) {
CHECK(setup_logging(mctx, stdout, &logc));
CHECK(dst_lib_init(mctx));
cleanup_dst = true;
CHECK(cfg_parser_create(mctx, logc, &parser));
if (nodeprecate) {
@ -757,10 +753,6 @@ cleanup:
cfg_parser_destroy(&parser);
}
if (cleanup_dst) {
dst_lib_destroy();
}
if (logc != NULL) {
isc_log_destroy(&logc);
}

6
bin/confgen/keygen.c
View file

@ -120,8 +120,6 @@ generate_key(isc_mem_t *mctx, dns_secalg_t alg, int keysize,
fatal("unsupported algorithm %d\n", alg);
}
DO("initialize dst library", dst_lib_init(mctx));
DO("generate key",
dst_key_generate(dns_rootname, alg, keysize, 0, 0, DNS_KEYPROTO_ANY,
dns_rdataclass_in, NULL, mctx, &key, NULL));
@ -132,14 +130,12 @@ generate_key(isc_mem_t *mctx, dns_secalg_t alg, int keysize,
isc_buffer_usedregion(&key_rawbuffer, &key_rawregion);
DO("bsse64 encode secret",
DO("base64 encode secret",
isc_base64_totext(&key_rawregion, -1, "", key_txtbuffer));
if (key != NULL) {
dst_key_free(&key);
}
dst_lib_destroy();
}
/*%

6
bin/delv/delv.c
View file

@ -2220,11 +2220,6 @@ main(int argc, char *argv[]) {
isc_managers_create(&mctx, 1, &loopmgr, &netmgr);
loop = isc_loop_main(loopmgr);
result = dst_lib_init(mctx);
if (result != ISC_R_SUCCESS) {
fatal("dst_lib_init failed: %d", result);
}
parse_args(argc, argv);
CHECK(setup_style());
@ -2267,7 +2262,6 @@ cleanup:
}
isc_log_destroy(&lctx);
dst_lib_destroy();
isc_managers_destroy(&mctx, &loopmgr, &netmgr);

13
bin/dig/dighost.c
View file

@ -93,8 +93,7 @@ static bool cancel_now = false;
bool check_ra = false, have_ipv4 = false, have_ipv6 = false,
specified_source = false, free_now = false, usesearch = false,
showsearch = false, is_dst_up = false, keep_open = false, verbose = false,
yaml = false;
showsearch = false, keep_open = false, verbose = false, yaml = false;
in_port_t port = 53;
bool port_set = false;
unsigned int timeout = 0;
@ -1374,10 +1373,6 @@ setup_libs(void) {
isc_mem_setname(mctx, "dig");
mainloop = isc_loop_main(loopmgr);
result = dst_lib_init(mctx);
check_result(result, "dst_lib_init");
is_dst_up = true;
}
typedef struct dig_ednsoptname {
@ -4722,12 +4717,6 @@ cleanup_openssl_refs(void) {
debug("freeing SIG(0) key %p", sig0key);
dst_key_free(&sig0key);
}
if (is_dst_up) {
debug("destroy DST lib");
dst_lib_destroy();
is_dst_up = false;
}
}
/*%

12
bin/dnssec/dnssec-cds.c
View file

@ -144,7 +144,6 @@ static dns_dbnode_t *parent_node = NULL;
static dns_db_t *update_db = NULL;
static dns_dbnode_t *update_node = NULL;
static dns_dbversion_t *update_version = NULL;
static bool cleanup_dst = false;
static bool print_mem_stats = false;
static void
@ -1074,9 +1073,6 @@ cleanup(void) {
if (lctx != NULL) {
cleanup_logging(&lctx);
}
if (cleanup_dst) {
dst_lib_destroy();
}
if (mctx != NULL) {
if (print_mem_stats && verbose > 10) {
isc_mem_stats(mctx, stdout);
@ -1090,7 +1086,6 @@ main(int argc, char *argv[]) {
const char *child_path = NULL;
const char *ds_path = NULL;
const char *inplace = NULL;
isc_result_t result;
bool prefer_cdnskey = false;
bool nsupdate = false;
uint32_t ttl = 0;
@ -1180,13 +1175,6 @@ main(int argc, char *argv[]) {
setup_logging(mctx, &lctx);
result = dst_lib_init(mctx);
if (result != ISC_R_SUCCESS) {
fatal("could not initialize dst: %s",
isc_result_totext(result));
}
cleanup_dst = true;
if (ds_path == NULL) {
fatal("missing -d DS pathname");
}

7
bin/dnssec/dnssec-dsfromkey.c
View file

@ -489,12 +489,6 @@ main(int argc, char **argv) {
fatal("extraneous arguments");
}
result = dst_lib_init(mctx);
if (result != ISC_R_SUCCESS) {
fatal("could not initialize dst: %s",
isc_result_totext(result));
}
setup_logging(mctx, &log);
dns_rdataset_init(&rdataset);
@ -549,7 +543,6 @@ main(int argc, char **argv) {
dns_rdataset_disassociate(&rdataset);
}
cleanup_logging(&log);
dst_lib_destroy();
if (verbose > 10) {
isc_mem_stats(mctx, stdout);
}

7
bin/dnssec/dnssec-importkey.c
View file

@ -408,12 +408,6 @@ main(int argc, char **argv) {
fatal("extraneous arguments");
}
result = dst_lib_init(mctx);
if (result != ISC_R_SUCCESS) {
fatal("could not initialize dst: %s",
isc_result_totext(result));
}
setup_logging(mctx, &log);
dns_rdataset_init(&rdataset);
@ -459,7 +453,6 @@ main(int argc, char **argv) {
dns_rdataset_disassociate(&rdataset);
}
cleanup_logging(&log);
dst_lib_destroy();
if (verbose > 10) {
isc_mem_stats(mctx, stdout);
}

6
bin/dnssec/dnssec-keyfromlabel.c
View file

@ -332,11 +332,6 @@ main(int argc, char **argv) {
}
}
ret = dst_lib_init(mctx);
if (ret != ISC_R_SUCCESS) {
fatal("could not initialize dst: %s", isc_result_totext(ret));
}
setup_logging(mctx, &log);
if (predecessor == NULL) {
@ -729,7 +724,6 @@ main(int argc, char **argv) {
}
cleanup_logging(&log);
dst_lib_destroy();
if (verbose > 10) {
isc_mem_stats(mctx, stdout);
}

10
bin/dnssec/dnssec-keygen.c
View file

@ -1137,14 +1137,9 @@ main(int argc, char **argv) {
}
}
ret = dst_lib_init(mctx);
if (ret != ISC_R_SUCCESS) {
fatal("could not initialize dst: %s", isc_result_totext(ret));
}
/*
* After dst_lib_init which will set FIPS mode if requested
* at build time. The minumums are both raised to 2048.
* The DST subsystem will set FIPS mode if requested at build time.
* The minimum sizes are both raised to 2048.
*/
if (isc_fips_mode()) {
min_rsa = min_dh = 2048;
@ -1287,7 +1282,6 @@ main(int argc, char **argv) {
}
cleanup_logging(&lctx);
dst_lib_destroy();
if (verbose > 10) {
isc_mem_stats(mctx, stdout);
}

9
bin/dnssec/dnssec-ksr.c
View file

@ -1264,14 +1264,9 @@ main(int argc, char *argv[]) {
fatal("must provide a command and zone name");
}
ret = dst_lib_init(mctx);
if (ret != ISC_R_SUCCESS) {
fatal("could not initialize dst: %s", isc_result_totext(ret));
}
/*
* After dst_lib_init which will set FIPS mode if requested
* at build time. The minumums are both raised to 2048.
* The DST subsystem will set FIPS mode if requested at build time.
* The minimum sizes are both raised to 2048.
*/
if (isc_fips_mode()) {
min_rsa = min_dh = 2048;

7
bin/dnssec/dnssec-revoke.c
View file

@ -157,12 +157,6 @@ main(int argc, char **argv) {
}
}
result = dst_lib_init(mctx);
if (result != ISC_R_SUCCESS) {
fatal("Could not initialize dst: %s",
isc_result_totext(result));
}
result = dst_key_fromnamedfile(
filename, dir, DST_TYPE_PUBLIC | DST_TYPE_PRIVATE, mctx, &key);
if (result != ISC_R_SUCCESS) {
@ -246,7 +240,6 @@ main(int argc, char **argv) {
cleanup:
dst_key_free(&key);
dst_lib_destroy();
if (verbose > 10) {
isc_mem_stats(mctx, stdout);
}

7
bin/dnssec/dnssec-settime.c
View file

@ -553,12 +553,6 @@ main(int argc, char **argv) {
fatal("Options -g, -d, -k, -r and -z require -s to be set");
}
result = dst_lib_init(mctx);
if (result != ISC_R_SUCCESS) {
fatal("Could not initialize dst: %s",
isc_result_totext(result));
}
if (predecessor != NULL) {
int major, minor;
@ -950,7 +944,6 @@ main(int argc, char **argv) {
dst_key_free(&prevkey);
}
dst_key_free(&key);
dst_lib_destroy();
if (verbose > 10) {
isc_mem_stats(mctx, stdout);
}

7
bin/dnssec/dnssec-signzone.c
View file

@ -3745,12 +3745,6 @@ main(int argc, char *argv[]) {
}
}
result = dst_lib_init(mctx);
if (result != ISC_R_SUCCESS) {
fatal("could not initialize dst: %s",
isc_result_totext(result));
}
setup_logging(mctx, &log);
argc -= isc_commandline_index;
@ -4123,7 +4117,6 @@ main(int argc, char *argv[]) {
dns_master_styledestroy(&dsstyle, mctx);
cleanup_logging(&log);
dst_lib_destroy();
if (verbose > 10) {
isc_mem_stats(mctx, stdout);
}

7
bin/dnssec/dnssec-verify.c
View file

@ -272,12 +272,6 @@ main(int argc, char *argv[]) {
}
}
result = dst_lib_init(mctx);
if (result != ISC_R_SUCCESS) {
fatal("could not initialize dst: %s",
isc_result_totext(result));
}
now = isc_stdtime_now();
rdclass = strtoclass(classname);
@ -333,7 +327,6 @@ main(int argc, char *argv[]) {
dns_db_detach(&gdb);
cleanup_logging(&log);
dst_lib_destroy();
if (verbose > 10) {
isc_mem_stats(mctx, stdout);
}

24
bin/named/main.c
View file

@ -556,8 +556,6 @@ format_supported_algorithms(void (*emit)(isc_buffer_t *b)) {
static void
printversion(bool verbose) {
char rndcconf[PATH_MAX], *dot = NULL;
isc_mem_t *mctx = NULL;
isc_result_t result;
isc_buffer_t b;
char buf[512];
#if defined(HAVE_GEOIP2)
@ -631,17 +629,9 @@ printversion(bool verbose) {
#endif /* if defined(HAVE_DNSTAP) */
printf("threads support is enabled\n");
isc_mem_create(&mctx);
result = dst_lib_init(mctx);
if (result == ISC_R_SUCCESS) {
isc_buffer_init(&b, buf, sizeof(buf));
format_supported_algorithms(printit);
printf("\n");
dst_lib_destroy();
} else {
printf("DST initialization failure: %s\n",
isc_result_totext(result));
}
isc_buffer_init(&b, buf, sizeof(buf));
format_supported_algorithms(printit);
printf("\n");
/*
* The default rndc.conf and rndc.key paths are in the same
@ -665,6 +655,8 @@ printversion(bool verbose) {
printf(" named PID file: %s\n", named_g_defaultpidfile);
#if defined(HAVE_GEOIP2)
#define RTC(x) RUNTIME_CHECK((x) == ISC_R_SUCCESS)
isc_mem_t *mctx = NULL;
isc_mem_create(&mctx);
RTC(cfg_parser_create(mctx, named_g_lctx, &parser));
RTC(named_config_parsedefaults(parser, &config));
RTC(cfg_map_get(config, "options", &defaults));
@ -674,8 +666,8 @@ printversion(bool verbose) {
}
cfg_obj_destroy(parser, &config);
cfg_parser_destroy(&parser);
#endif /* HAVE_GEOIP2 */
isc_mem_detach(&mctx);
#endif /* HAVE_GEOIP2 */
}
static void
@ -1300,10 +1292,6 @@ setup(void) {
ENSURE(named_g_server != NULL);
sctx = named_g_server->sctx;
/*
* Report supported algorithms now that dst_lib_init() has
* been called via named_server_create().
*/
format_supported_algorithms(logit);
/*

5
bin/named/server.c
View file

@ -10330,9 +10330,6 @@ named_server_create(isc_mem_t *mctx, named_server_t **serverp) {
ISC_LIST_INIT(server->keystorelist);
ISC_LIST_INIT(server->viewlist);
/* Must be first. */
CHECKFATAL(dst_lib_init(named_g_mctx), "initializing DST");
CHECKFATAL(dns_rootns_create(mctx, dns_rdataclass_in, NULL,
&server->in_roothints),
"setting up root hints");
@ -10436,8 +10433,6 @@ named_server_destroy(named_server_t **serverp) {
dns_zonemgr_detach(&server->zonemgr);
}
dst_lib_destroy();
INSIST(ISC_LIST_EMPTY(server->kasplist));
INSIST(ISC_LIST_EMPTY(server->keystorelist));
INSIST(ISC_LIST_EMPTY(server->viewlist));

11
bin/nsupdate/nsupdate.c
View file

@ -117,7 +117,6 @@ static bool debugging = false, ddebugging = false;
static bool memdebugging = false;
static bool have_ipv4 = false;
static bool have_ipv6 = false;
static bool is_dst_up = false;
static bool use_tls = false;
static bool usevc = false;
static bool usegsstsig = false;
@ -926,10 +925,6 @@ setup_system(void *arg ISC_ATTR_UNUSED) {
result = dns_dispatchmgr_create(gmctx, loopmgr, netmgr, &dispatchmgr);
check_result(result, "dns_dispatchmgr_create");
result = dst_lib_init(gmctx);
check_result(result, "dst_lib_init");
is_dst_up = true;
set_source_ports(dispatchmgr);
if (have_ipv6) {
@ -3503,12 +3498,6 @@ cleanup(void) {
isc_mutex_destroy(&answer_lock);
if (is_dst_up) {
ddebug("Destroy DST lib");
dst_lib_destroy();
is_dst_up = false;
}
ddebug("Shutting down managers");
isc_managers_destroy(&gmctx, &loopmgr, &netmgr);
}

1
bin/tests/system/.gitignore vendored
View file

@ -9,6 +9,7 @@ named.lock
named.pid
named.run
/feature-test
/legacy.run.sh
/makejournal
/random.data
/*.log

26
bin/tests/system/feature-test.c
View file

@ -198,15 +198,10 @@ main(int argc, char **argv) {
}
if (strcmp(argv[1], "--md5") == 0) {
isc_mem_t *mctx = NULL;
int answer;
isc_mem_create(&mctx);
dst_lib_init(mctx);
answer = dst_algorithm_supported(DST_ALG_HMACMD5) ? 0 : 1;
dst_lib_destroy();
isc_mem_detach(&mctx);
return (answer);
if (!dst_algorithm_supported(DST_ALG_HMACMD5)) {
return (1);
}
return (0);
}
if (strcmp(argv[1], "--ipv6only=no") == 0) {
@ -229,14 +224,11 @@ main(int argc, char **argv) {
}
if (strcasecmp(argv[1], "--rsasha1") == 0) {
int answer;
isc_mem_t *mctx = NULL;
isc_mem_create(&mctx);
dst_lib_init(mctx);
answer = dst_algorithm_supported(DST_ALG_RSASHA1) ? 0 : 1;
dst_lib_destroy();
isc_mem_detach(&mctx);
return (answer);
if (!dst_algorithm_supported(DST_ALG_RSASHA1)) {
return (1);
}
return (0);
}
if (strcmp(argv[1], "--with-dlz-filesystem") == 0) {

9
bin/tests/system/makejournal.c
View file

@ -39,8 +39,6 @@
isc_mem_t *mctx = NULL;
isc_log_t *lctx = NULL;
static bool dst_active = false;
/*
* Logging categories: this needs to match the list in bin/named/log.c.
*/
@ -101,9 +99,6 @@ main(int argc, char **argv) {
isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
isc_mem_create(&mctx);
CHECK(dst_lib_init(mctx));
dst_active = true;
isc_log_create(mctx, &lctx, &logconfig);
isc_log_registercategories(lctx, categories);
isc_log_setcontext(lctx);
@ -148,10 +143,6 @@ cleanup:
if (lctx != NULL) {
isc_log_destroy(&lctx);
}
if (dst_active) {
dst_lib_destroy();
dst_active = false;
}
if (mctx != NULL) {
isc_mem_destroy(&mctx);
}

4
bin/tests/system/pipelined/pipequeries.c
View file

@ -275,8 +275,6 @@ main(int argc, char *argv[]) {
isc_log_create(mctx, &lctx, &lcfg);
RUNCHECK(dst_lib_init(mctx));
RUNCHECK(dns_dispatchmgr_create(mctx, loopmgr, netmgr, &dispatchmgr));
RUNCHECK(dns_dispatch_createudp(
@ -294,8 +292,6 @@ main(int argc, char *argv[]) {
isc_loopmgr_run(loopmgr);
dst_lib_destroy();
isc_log_destroy(&lctx);
isc_managers_destroy(&mctx, &loopmgr, &netmgr);

2
bin/tests/system/rsabigexponent/bigkey.c
View file

@ -105,7 +105,6 @@ main(int argc, char **argv) {
}
isc_mem_create(&mctx);
CHECK(dst_lib_init(mctx), "dst_lib_init()");
isc_log_create(mctx, &log_, &logconfig);
isc_log_setcontext(log_);
dns_log_init(log_);
@ -148,7 +147,6 @@ main(int argc, char **argv) {
isc_log_destroy(&log_);
isc_log_setcontext(NULL);
dns_log_setcontext(NULL);
dst_lib_destroy();
isc_mem_destroy(&mctx);
return (0);
}

3
bin/tools/mdig.c
View file

@ -2131,7 +2131,6 @@ main(int argc, char *argv[]) {
isc_managers_create(&mctx, 1, &loopmgr, &netmgr);
isc_log_create(mctx, &lctx, &lcfg);
RUNCHECK(dst_lib_init(mctx));
isc_nonce_buf(cookie_secret, sizeof(cookie_secret));
ISC_LIST_INIT(queries);
@ -2191,8 +2190,6 @@ main(int argc, char *argv[]) {
isc_loopmgr_run(loopmgr);
dst_lib_destroy();
isc_log_destroy(&lctx);
query = ISC_LIST_HEAD(queries);

10
fuzz/dns_message_checksig.c
View file

@ -124,8 +124,6 @@ static char c3[] = "sig0key. 0 IN SOA . . 0 0 0 0 0\n\
sig0key. 0 IN NS .\n\
sig0key. 0 IN KEY 512 3 8 AwEAAa22lgHi1vAbQvu5ETdTrm2H8rwga9tvyMa6LFiSDyevLvSv0Uo5 uvfrXnxaLdtBMts6e1Ly2piSH9JRbOGMNibOK4EXWhWAn8MII4SWgQAs bFwtiz4HyPn2wScrUQdo8DocKiQJBanesr7vDO8fdA6Rg1e0yAtSeNti e8avx46/HJa6CFs3CoE0sf6oOFSxM954AgCBTXOGNBt1Nt3Bhfqt2qyA TLFii5K1jLDTZDVkoiyDXL1M7wcTwKf9METgj1eQmH3GGlRM/OJ/j8xk ZiFGbL3cipWdiH48031jiV2hlc92mKn8Ya0d9AN6c44piza/JSFydZXw sY32nxzjDbs=\n";
static bool destroy_dst = false;
int
LLVMFuzzerInitialize(int *argc ISC_ATTR_UNUSED, char ***argv ISC_ATTR_UNUSED) {
isc_result_t result;
@ -173,14 +171,6 @@ LLVMFuzzerInitialize(int *argc ISC_ATTR_UNUSED, char ***argv ISC_ATTR_UNUSED) {
isc_mem_create(&mctx);
result = dst_lib_init(mctx);
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "dst_lib_init failed: %s\n",
isc_result_totext(result));
return (1);
}
destroy_dst = true;
isc_loopmgr_create(mctx, 1, &loopmgr);
result = dns_view_create(mctx, NULL, dns_rdataclass_in, "view", &view);

107
lib/dns/dst_api.c
View file

@ -138,9 +138,7 @@ static const char *keystates[KEYSTATES_NVALUES] = {
#define MAX_NTAGS \
(DST_MAX_NUMERIC + DST_MAX_BOOLEAN + DST_MAX_TIMES + DST_MAX_KEYSTATES)
static dst_func_t *dst_t_func[DST_MAX_ALGS];
static bool dst_initialized = false;
static dst_func_t *dst_t_func[DST_MAX_ALGS] = { 0 };
void
gss_log(int level, const char *fmt, ...) ISC_FORMAT_PRINTF(2, 3);
@ -189,71 +187,55 @@ addsuffix(char *filename, int len, const char *dirname, const char *ofilename,
return ((_r)); \
} while (0);
isc_result_t
dst_lib_init(isc_mem_t *mctx) {
isc_result_t result;
static isc_mem_t *dst__mctx = NULL;
REQUIRE(mctx != NULL);
REQUIRE(!dst_initialized);
void ISC_CONSTRUCTOR
dst__lib_init(void);
void ISC_DESTRUCTOR
dst__lib_destroy(void);
void
dst__lib_init(void) {
isc_mem_create(&dst__mctx);
dst__hmacmd5_init(&dst_t_func[DST_ALG_HMACMD5]);
dst__hmacsha1_init(&dst_t_func[DST_ALG_HMACSHA1]);
dst__hmacsha224_init(&dst_t_func[DST_ALG_HMACSHA224]);
dst__hmacsha256_init(&dst_t_func[DST_ALG_HMACSHA256]);
dst__hmacsha384_init(&dst_t_func[DST_ALG_HMACSHA384]);
dst__hmacsha512_init(&dst_t_func[DST_ALG_HMACSHA512]);
memset(dst_t_func, 0, sizeof(dst_t_func));
dst__openssl_init(); /* Sets FIPS mode. */
RETERR(dst__hmacmd5_init(&dst_t_func[DST_ALG_HMACMD5]));
RETERR(dst__hmacsha1_init(&dst_t_func[DST_ALG_HMACSHA1]));
RETERR(dst__hmacsha224_init(&dst_t_func[DST_ALG_HMACSHA224]));
RETERR(dst__hmacsha256_init(&dst_t_func[DST_ALG_HMACSHA256]));
RETERR(dst__hmacsha384_init(&dst_t_func[DST_ALG_HMACSHA384]));
RETERR(dst__hmacsha512_init(&dst_t_func[DST_ALG_HMACSHA512]));
/* RSASHA1 (NSEC3RSASHA1) is verify only in FIPS mode. */
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1],
DST_ALG_RSASHA1));
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1],
DST_ALG_NSEC3RSASHA1));
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA256],
DST_ALG_RSASHA256));
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA512],
DST_ALG_RSASHA512));
RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA256]));
RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA384]));
RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED25519],
DST_ALG_ED25519));
dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1], DST_ALG_RSASHA1);
dst__opensslrsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1],
DST_ALG_NSEC3RSASHA1);
dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA256], DST_ALG_RSASHA256);
dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA512], DST_ALG_RSASHA512);
dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA256]);
dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA384]);
dst__openssleddsa_init(&dst_t_func[DST_ALG_ED25519], DST_ALG_ED25519);
#ifdef HAVE_OPENSSL_ED448
RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED448],
DST_ALG_ED448));
#endif /* HAVE_OPENSSL_ED448 */
dst__openssleddsa_init(&dst_t_func[DST_ALG_ED448], DST_ALG_ED448);
#endif /* ifdef HAVE_OPENSSL_ED448 */
#if HAVE_GSSAPI
RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI]));
dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI]);
#endif /* HAVE_GSSAPI */
dst_initialized = true;
return (ISC_R_SUCCESS);
out:
/* avoid immediate crash! */
dst_initialized = true;
dst_lib_destroy();
return (result);
}
void
dst_lib_destroy(void) {
int i;
RUNTIME_CHECK(dst_initialized);
dst_initialized = false;
for (i = 0; i < DST_MAX_ALGS; i++) {
dst__lib_destroy(void) {
for (size_t i = 0; i < DST_MAX_ALGS; i++) {
if (dst_t_func[i] != NULL && dst_t_func[i]->cleanup != NULL) {
dst_t_func[i]->cleanup();
}
}
dst__openssl_destroy();
isc_mem_destroy(&dst__mctx);
}
bool
dst_algorithm_supported(unsigned int alg) {
REQUIRE(dst_initialized);
if (alg >= DST_MAX_ALGS || dst_t_func[alg] == NULL) {
return (false);
}
@ -273,7 +255,6 @@ dst_context_create(dst_key_t *key, isc_mem_t *mctx, isc_logcategory_t *category,
dst_context_t *dctx;
isc_result_t result;
REQUIRE(dst_initialized);
REQUIRE(VALID_KEY(key));
REQUIRE(mctx != NULL);
REQUIRE(dctxp != NULL && *dctxp == NULL);
@ -398,7 +379,6 @@ dst_context_verify2(dst_context_t *dctx, unsigned int maxbits,
isc_result_t
dst_key_computesecret(const dst_key_t *pub, const dst_key_t *priv,
isc_buffer_t *secret) {
REQUIRE(dst_initialized);
REQUIRE(VALID_KEY(pub) && VALID_KEY(priv));
REQUIRE(secret != NULL);
@ -426,7 +406,6 @@ isc_result_t
dst_key_tofile(const dst_key_t *key, int type, const char *directory) {
isc_result_t ret = ISC_R_SUCCESS;
REQUIRE(dst_initialized);
REQUIRE(VALID_KEY(key));
REQUIRE((type &
(DST_TYPE_PRIVATE | DST_TYPE_PUBLIC | DST_TYPE_STATE)) != 0);
@ -501,7 +480,6 @@ dst_key_getfilename(dns_name_t *name, dns_keytag_t id, unsigned int alg,
isc_buffer_t *buf) {
isc_result_t result;
REQUIRE(dst_initialized);
REQUIRE(dns_name_isabsolute(name));
REQUIRE((type &
(DST_TYPE_PRIVATE | DST_TYPE_PUBLIC | DST_TYPE_STATE)) != 0);
@ -530,7 +508,6 @@ dst_key_fromfile(dns_name_t *name, dns_keytag_t id, unsigned int alg, int type,
isc_buffer_t buf;
dst_key_t *key;
REQUIRE(dst_initialized);
REQUIRE(dns_name_isabsolute(name));
REQUIRE((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) != 0);
REQUIRE(mctx != NULL);
@ -583,7 +560,6 @@ dst_key_fromnamedfile(const char *filename, const char *dirname, int type,
int newfilenamelen = 0, statefilenamelen = 0;
isc_lex_t *lex = NULL;
REQUIRE(dst_initialized);
REQUIRE(filename != NULL);
REQUIRE((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) != 0);
REQUIRE(mctx != NULL);
@ -716,7 +692,6 @@ out:
isc_result_t
dst_key_todns(const dst_key_t *key, isc_buffer_t *target) {
REQUIRE(dst_initialized);
REQUIRE(VALID_KEY(key));
REQUIRE(target != NULL);
@ -765,8 +740,6 @@ dst_key_fromdns_ex(const dns_name_t *name, dns_rdataclass_t rdclass,
isc_region_t r;
isc_result_t result;
REQUIRE(dst_initialized);
isc_buffer_remainingregion(source, &r);
if (isc_buffer_remaininglength(source) < 4) {
@ -806,8 +779,6 @@ dst_key_frombuffer(const dns_name_t *name, unsigned int alg, unsigned int flags,
dst_key_t *key = NULL;
isc_result_t result;
REQUIRE(dst_initialized);
result = frombuffer(name, alg, flags, protocol, rdclass, source, mctx,
false, &key);
if (result != ISC_R_SUCCESS) {
@ -826,7 +797,6 @@ dst_key_frombuffer(const dns_name_t *name, unsigned int alg, unsigned int flags,
isc_result_t
dst_key_tobuffer(const dst_key_t *key, isc_buffer_t *target) {
REQUIRE(dst_initialized);
REQUIRE(VALID_KEY(key));
REQUIRE(target != NULL);
@ -844,7 +814,6 @@ dst_key_privatefrombuffer(dst_key_t *key, isc_buffer_t *buffer) {
isc_lex_t *lex = NULL;
isc_result_t result = ISC_R_SUCCESS;
REQUIRE(dst_initialized);
REQUIRE(VALID_KEY(key));
REQUIRE(!dst_key_isprivate(key));
REQUIRE(buffer != NULL);
@ -970,7 +939,6 @@ dst_key_buildinternal(const dns_name_t *name, unsigned int alg,
dst_key_t *key;
isc_result_t result;
REQUIRE(dst_initialized);
REQUIRE(dns_name_isabsolute(name));
REQUIRE(mctx != NULL);
REQUIRE(keyp != NULL && *keyp == NULL);
@ -1001,7 +969,6 @@ dst_key_fromlabel(const dns_name_t *name, int alg, unsigned int flags,
dst_key_t *key;
isc_result_t result;
REQUIRE(dst_initialized);
REQUIRE(dns_name_isabsolute(name));
REQUIRE(mctx != NULL);
REQUIRE(keyp != NULL && *keyp == NULL);
@ -1040,7 +1007,6 @@ dst_key_generate(const dns_name_t *name, unsigned int alg, unsigned int bits,
dst_key_t *key;
isc_result_t ret;
REQUIRE(dst_initialized);
REQUIRE(dns_name_isabsolute(name));
REQUIRE(mctx != NULL);
REQUIRE(keyp != NULL && *keyp == NULL);
@ -1265,7 +1231,6 @@ static bool
comparekeys(const dst_key_t *key1, const dst_key_t *key2,
bool match_revoked_key,
bool (*compare)(const dst_key_t *key1, const dst_key_t *key2)) {
REQUIRE(dst_initialized);
REQUIRE(VALID_KEY(key1));
REQUIRE(VALID_KEY(key2));
@ -1362,7 +1327,6 @@ dst_key_pubcompare(const dst_key_t *key1, const dst_key_t *key2,
bool
dst_key_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
REQUIRE(dst_initialized);
REQUIRE(VALID_KEY(key1));
REQUIRE(VALID_KEY(key2));
@ -1381,7 +1345,6 @@ dst_key_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
void
dst_key_attach(dst_key_t *source, dst_key_t **target) {
REQUIRE(dst_initialized);
REQUIRE(target != NULL && *target == NULL);
REQUIRE(VALID_KEY(source));
@ -1391,7 +1354,6 @@ dst_key_attach(dst_key_t *source, dst_key_t **target) {
void
dst_key_free(dst_key_t **keyp) {
REQUIRE(dst_initialized);
REQUIRE(keyp != NULL && VALID_KEY(*keyp));
dst_key_t *key = *keyp;
*keyp = NULL;
@ -1441,7 +1403,6 @@ dst_key_buildfilename(const dst_key_t *key, int type, const char *directory,
isc_result_t
dst_key_sigsize(const dst_key_t *key, unsigned int *n) {
REQUIRE(dst_initialized);
REQUIRE(VALID_KEY(key));
REQUIRE(n != NULL);
@ -1531,7 +1492,6 @@ dst_key_restore(dns_name_t *name, unsigned int alg, unsigned int flags,
isc_result_t result;
dst_key_t *key;
REQUIRE(dst_initialized);
REQUIRE(keyp != NULL && *keyp == NULL);
if (alg >= DST_MAX_ALGS || dst_t_func[alg] == NULL) {
@ -1940,7 +1900,6 @@ cleanup:
static bool
issymmetric(const dst_key_t *key) {
REQUIRE(dst_initialized);
REQUIRE(VALID_KEY(key));
switch (key->key_alg) {
@ -2352,8 +2311,6 @@ frombuffer(const dns_name_t *name, unsigned int alg, unsigned int flags,
static isc_result_t
algorithm_status(unsigned int alg) {
REQUIRE(dst_initialized);
if (dst_algorithm_supported(alg)) {
return (ISC_R_SUCCESS);
}

37
lib/dns/dst_internal.h
View file

@ -195,47 +195,28 @@ struct dst_func {
* Initializers
*/
void
dst__openssl_init(void);
isc_result_t
dst__hmacmd5_init(struct dst_func **funcp);
isc_result_t
void
dst__hmacsha1_init(struct dst_func **funcp);
isc_result_t
void
dst__hmacsha224_init(struct dst_func **funcp);
isc_result_t
void
dst__hmacsha256_init(struct dst_func **funcp);
isc_result_t
void
dst__hmacsha384_init(struct dst_func **funcp);
isc_result_t
void
dst__hmacsha512_init(struct dst_func **funcp);
isc_result_t
void
dst__opensslrsa_init(struct dst_func **funcp, unsigned char algorithm);
isc_result_t
void
dst__opensslecdsa_init(struct dst_func **funcp);
isc_result_t
void
dst__openssleddsa_init(struct dst_func **funcp, unsigned char algorithm);
#if HAVE_GSSAPI
isc_result_t
void
dst__gssapi_init(struct dst_func **funcp);
#endif /* HAVE_GSSAPI*/
/*%
* Destructors
*/
void
dst__openssl_destroy(void);
/*%
* Memory allocators using the DST memory pool.
*/
void *
dst__mem_alloc(size_t size);
void
dst__mem_free(void *ptr);
void *
dst__mem_realloc(void *ptr, size_t size);
/*%
* Secure private file handling
*/

4
lib/dns/gssapi_link.c
View file

@ -353,11 +353,11 @@ static dst_func_t gssapi_functions = {
gssapi_restore,
};
isc_result_t
void
dst__gssapi_init(dst_func_t **funcp) {
REQUIRE(funcp != NULL);
if (*funcp == NULL) {
*funcp = &gssapi_functions;
}
return (ISC_R_SUCCESS);
}

3
lib/dns/hmac_link.c
View file

@ -135,7 +135,7 @@
NULL, /*%< dump */ \
NULL, /*%< restore */ \
}; \
isc_result_t dst__hmac##alg##_init(dst_func_t **funcp) { \
void dst__hmac##alg##_init(dst_func_t **funcp) { \
REQUIRE(funcp != NULL); \
if (*funcp == NULL) { \
isc_hmac_t *ctx = isc_hmac_new(); \
@ -146,7 +146,6 @@
} \
isc_hmac_free(ctx); \
} \
return (ISC_R_SUCCESS); \
}
static isc_result_t

21
lib/dns/include/dst/dst.h
View file

@ -197,27 +197,6 @@ typedef enum dst_algorithm {
/***
*** Functions
***/
isc_result_t
dst_lib_init(isc_mem_t *mctx);
/*%<
* Initializes the DST subsystem.
*
* Requires:
* \li "mctx" is a valid memory context
*
* Returns:
* \li ISC_R_SUCCESS
* \li ISC_R_NOMEMORY
*
* Ensures:
* \li DST is properly initialized.
*/
void
dst_lib_destroy(void);
/*%<
* Releases all resources allocated by DST.
*/
bool
dst_algorithm_supported(unsigned int alg);

28
lib/dns/openssl_link.c
View file

@ -27,7 +27,6 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include <isc/fips.h>
#include <isc/mem.h>
#include <isc/mutex.h>
#include <isc/mutexblock.h>
@ -55,33 +54,6 @@
goto err; \
}
static void
enable_fips_mode(void) {
#if defined(ENABLE_FIPS_MODE)
if (isc_fips_mode()) {
/*
* FIPS mode is already enabled.
*/
return;
}
if (isc_fips_set_mode(1) != ISC_R_SUCCESS) {
dst__openssl_toresult2("FIPS_mode_set", DST_R_OPENSSLFAILURE);
exit(EXIT_FAILURE);
}
#endif
}
void
dst__openssl_init(void) {
enable_fips_mode();
}
void
dst__openssl_destroy(void) {
/* No-op */
}
static isc_result_t
toresult(isc_result_t fallback) {
isc_result_t result = fallback;

4
lib/dns/opensslecdsa_link.c
View file

@ -1152,11 +1152,11 @@ static dst_func_t opensslecdsa_functions = {
NULL, /*%< restore */
};
isc_result_t
void
dst__opensslecdsa_init(dst_func_t **funcp) {
REQUIRE(funcp != NULL);
if (*funcp == NULL) {
*funcp = &opensslecdsa_functions;
}
return (ISC_R_SUCCESS);
}

3
lib/dns/openssleddsa_link.c
View file

@ -640,7 +640,7 @@ err:
return (ret);
}
isc_result_t
void
dst__openssleddsa_init(dst_func_t **funcp, unsigned char algorithm) {
REQUIRE(funcp != NULL);
@ -649,5 +649,4 @@ dst__openssleddsa_init(dst_func_t **funcp, unsigned char algorithm) {
*funcp = &openssleddsa_functions;
}
}
return (ISC_R_SUCCESS);
}

29
lib/dns/opensslrsa_link.c
View file

@ -1233,10 +1233,6 @@ check_algorithm(unsigned char algorithm) {
isc_result_t ret = ISC_R_SUCCESS;
size_t len;
if (evp_md_ctx == NULL) {
DST_RET(ISC_R_NOMEMORY);
}
switch (algorithm) {
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
@ -1258,23 +1254,14 @@ check_algorithm(unsigned char algorithm) {
DST_RET(ISC_R_NOTIMPLEMENTED);
}
if (type == NULL) {
DST_RET(ISC_R_NOTIMPLEMENTED);
}
/*
* Construct pkey.
*/
c.e = BN_bin2bn(e_bytes, sizeof(e_bytes) - 1, NULL);
c.n = BN_bin2bn(n_bytes, sizeof(n_bytes) - 1, NULL);
if (c.e == NULL || c.n == NULL) {
DST_RET(ISC_R_NOMEMORY);
}
ret = opensslrsa_build_pkey(false, &c, &pkey);
if (ret != ISC_R_SUCCESS) {
goto err;
}
INSIST(ret == ISC_R_SUCCESS);
/*
* Check that we can verify the signature.
@ -1294,21 +1281,13 @@ err:
return (ret);
}
isc_result_t
void
dst__opensslrsa_init(dst_func_t **funcp, unsigned char algorithm) {
isc_result_t result;
REQUIRE(funcp != NULL);
result = check_algorithm(algorithm);
if (result == ISC_R_SUCCESS) {
if (*funcp == NULL) {
if (*funcp == NULL) {
if (check_algorithm(algorithm) == ISC_R_SUCCESS) {
*funcp = &opensslrsa_functions;
}
} else if (result == ISC_R_NOTIMPLEMENTED) {
result = ISC_R_SUCCESS;
}
return (result);
}

20
lib/isc/tls.c
View file

@ -34,6 +34,7 @@
#include <openssl/x509v3.h>
#include <isc/atomic.h>
#include <isc/fips.h>
#include <isc/ht.h>
#include <isc/log.h>
#include <isc/magic.h>
@ -125,6 +126,23 @@ isc__tls_free_ex(void *ptr, const char *file, int line) {
#endif /* !defined(LIBRESSL_VERSION_NUMBER) */
static void
enable_fips_mode(void) {
#if defined(ENABLE_FIPS_MODE)
if (isc_fips_mode()) {
/*
* FIPS mode is already enabled.
*/
return;
}
if (isc_fips_set_mode(1) != ISC_R_SUCCESS) {
dst__openssl_toresult2("FIPS_mode_set", DST_R_OPENSSLFAILURE);
exit(EXIT_FAILURE);
}
#endif
}
void
isc__tls_initialize(void) {
isc_mem_create(&isc__tls_mctx);
@ -160,6 +178,8 @@ isc__tls_initialize(void) {
"cannot be initialized (see the `PRNG not "
"seeded' message in the OpenSSL FAQ)");
}
enable_fips_mode();
}
void

22
tests/dns/dst_test.c
View file

@ -43,24 +43,6 @@
#include <tests/dns.h>
static int
setup_test(void **state) {
UNUSED(state);
dst_lib_init(mctx);
return (0);
}
static int
teardown_test(void **state) {
UNUSED(state);
dst_lib_destroy();
return (0);
}
/* Read sig in file at path to buf. Check signature ineffability */
static isc_result_t
sig_fromfile(const char *path, isc_buffer_t *buf) {
@ -440,8 +422,8 @@ ISC_RUN_TEST_IMPL(cmp_test) {
}
ISC_TEST_LIST_START
ISC_TEST_ENTRY_CUSTOM(sig_test, setup_test, teardown_test)
ISC_TEST_ENTRY_CUSTOM(cmp_test, setup_test, teardown_test)
ISC_TEST_ENTRY(sig_test)
ISC_TEST_ENTRY(cmp_test)
ISC_TEST_LIST_END
ISC_TEST_MAIN

28
tests/dns/private_test.c
View file

@ -37,30 +37,6 @@
static dns_rdatatype_t privatetype = 65534;
static int
setup_test(void **state) {
isc_result_t result;
UNUSED(state);
result = dst_lib_init(mctx);
if (result != ISC_R_SUCCESS) {
return (1);
}
return (0);
}
static int
teardown_test(void **state) {
UNUSED(state);
dst_lib_destroy();
return (0);
}
typedef struct {
unsigned char alg;
dns_keytag_t keyid;
@ -211,8 +187,8 @@ ISC_RUN_TEST_IMPL(private_nsec3_totext) {
}
ISC_TEST_LIST_START
ISC_TEST_ENTRY_CUSTOM(private_signing_totext, setup_test, teardown_test)
ISC_TEST_ENTRY_CUSTOM(private_nsec3_totext, setup_test, teardown_test)
ISC_TEST_ENTRY(private_signing_totext)
ISC_TEST_ENTRY(private_nsec3_totext)
ISC_TEST_LIST_END
ISC_TEST_MAIN

26
tests/dns/rsa_test.c
View file

@ -37,30 +37,6 @@
#include <tests/dns.h>
static int
setup_test(void **state) {
isc_result_t result;
UNUSED(state);
result = dst_lib_init(mctx);
if (result != ISC_R_SUCCESS) {
return (1);
}
return (0);
}
static int
teardown_test(void **state) {
UNUSED(state);
dst_lib_destroy();
return (0);
}
static unsigned char d[10] = { 0xa, 0x10, 0xbb, 0, 0xfe,
0x15, 0x1, 0x88, 0xcc, 0x7d };
@ -226,7 +202,7 @@ ISC_RUN_TEST_IMPL(isc_rsa_verify) {
}
ISC_TEST_LIST_START
ISC_TEST_ENTRY_CUSTOM(isc_rsa_verify, setup_test, teardown_test)
ISC_TEST_ENTRY(isc_rsa_verify)
ISC_TEST_LIST_END
ISC_TEST_MAIN

26
tests/dns/sigs_test.c
View file

@ -71,30 +71,6 @@ typedef struct {
* */
} updatesigs_test_params_t;
static int
setup_test(void **state) {
isc_result_t result;
UNUSED(state);
result = dst_lib_init(mctx);
if (result != ISC_R_SUCCESS) {
return (1);
}
return (0);
}
static int
teardown_test(void **state) {
UNUSED(state);
dst_lib_destroy();
return (0);
}
/*%
* Check whether the 'found' tuple matches the 'expected' tuple. 'found' is
* the 'index'th tuple output by dns__zone_updatesigs() in test 'test'.
@ -437,7 +413,7 @@ ISC_RUN_TEST_IMPL(updatesigs_next) {
}
ISC_TEST_LIST_START
ISC_TEST_ENTRY_CUSTOM(updatesigs_next, setup_test, teardown_test)
ISC_TEST_ENTRY(updatesigs_next)
ISC_TEST_LIST_END
ISC_TEST_MAIN

28
tests/dns/tsig_test.c
View file

@ -48,30 +48,6 @@
static int debug = 0;
static int
setup_test(void **state) {
isc_result_t result;
UNUSED(state);
result = dst_lib_init(mctx);
if (result != ISC_R_SUCCESS) {
return (1);
}
return (0);
}
static int
teardown_test(void **state) {
UNUSED(state);
dst_lib_destroy();
return (0);
}
static isc_result_t
add_mac(dst_context_t *tsigctx, isc_buffer_t *buf) {
dns_rdata_any_tsig_t tsig;
@ -519,8 +495,8 @@ ISC_RUN_TEST_IMPL(algvalid) {
}
ISC_TEST_LIST_START
ISC_TEST_ENTRY_CUSTOM(tsig_tcp, setup_test, teardown_test)
ISC_TEST_ENTRY_CUSTOM(tsig_badtime, setup_test, teardown_test)
ISC_TEST_ENTRY(tsig_tcp)
ISC_TEST_ENTRY(tsig_badtime)
ISC_TEST_ENTRY(algvalid)
ISC_TEST_LIST_END