-rw-r--r-- | distro/pkg/el-7/04-revert-don-t-share-PKCS-11-private-keys.patch | 160 |
1 files changed, 0 insertions, 160 deletions
diff --git a/distro/pkg/el-7/04-revert-don-t-share-PKCS-11-private-keys.patch b/distro/pkg/el-7/04-revert-don-t-share-PKCS-11-private-keys.patch
deleted file mode 100644
index d360433..0000000
--- a/distro/pkg/el-7/04-revert-don-t-share-PKCS-11-private-keys.patch
+++ /dev/null
@@ -1,160 +0,0 @@
-From 1bad8f831a9fd506516549ac7461f97c689a0c46 Mon Sep 17 00:00:00 2001
-From: Daniel Salzman <daniel.salzman@nic.cz>
-Date: Mon, 11 Dec 2023 17:08:23 +0100
-Subject: [PATCH] Revert "zone-sign: don't share PKCS 11 private keys by
- multiple signing threads"
-
-This reverts commit 7d63e8e0825e03b8e0608e87b86968c452755c93.
----
- src/knot/dnssec/zone-keys.c | 38 +++----------------------------------
- src/libdnssec/key.h | 4 ++--
- src/libdnssec/key/key.c | 24 +----------------------
- tests/libdnssec/test_key.c | 4 ++--
- 4 files changed, 8 insertions(+), 62 deletions(-)
-
-diff --git a/src/knot/dnssec/zone-keys.c b/src/knot/dnssec/zone-keys.c
-index cd6bf0bb3..d5cccc759 100644
---- a/src/knot/dnssec/zone-keys.c
-+++ b/src/knot/dnssec/zone-keys.c
-@@ -642,21 +642,6 @@ int zone_key_calculate_ds(zone_key_t *for_key, dnssec_key_digest_t digesttype,
- return ret;
- }
-
--static int dup_zone_key(const zone_key_t *src, zone_key_t *dst)
--{
-- assert(src);
-- assert(dst);
--
-- *dst = *src;
--
-- dst->key = dnssec_key_dup(src->key);
-- if (dst->key == NULL) {
-- return KNOT_ENOMEM;
-- }
--
-- return KNOT_EOK;
--}
--
- zone_sign_ctx_t *zone_sign_ctx(const zone_keyset_t *keyset, const kdnssec_ctx_t *dnssec_ctx)
- {
- zone_sign_ctx_t *ctx = calloc(1, sizeof(*ctx) + keyset->count * sizeof(*ctx->sign_ctxs));
-@@ -665,24 +650,11 @@ zone_sign_ctx_t *zone_sign_ctx(const zone_keyset_t *keyset, const kdnssec_ctx_t
- }
-
- ctx->sign_ctxs = (dnssec_sign_ctx_t **)(ctx + 1);
--
-- ctx->keys = calloc(keyset->count, sizeof(*ctx->keys));
-- if (ctx->keys == NULL) {
-- zone_sign_ctx_free(ctx);
-- return NULL;
-- }
- ctx->count = keyset->count;
--
-+ ctx->keys = keyset->keys;
- ctx->dnssec_ctx = dnssec_ctx;
- for (size_t i = 0; i < ctx->count; i++) {
-- // Clone the key to avoid thread contention on the key mutex.
-- int ret = dup_zone_key(&keyset->keys[i], &ctx->keys[i]);
-- if (ret != KNOT_EOK) {
-- zone_sign_ctx_free(ctx);
-- return NULL;
-- }
--
-- ret = dnssec_sign_new(&ctx->sign_ctxs[i], ctx->keys[i].key);
-+ int ret = dnssec_sign_new(&ctx->sign_ctxs[i], ctx->keys[i].key);
- if (ret != DNSSEC_EOK) {
- zone_sign_ctx_free(ctx);
- return NULL;
-@@ -719,12 +691,8 @@ void zone_sign_ctx_free(zone_sign_ctx_t *ctx)
- {
- if (ctx != NULL) {
- for (size_t i = 0; i < ctx->count; i++) {
-- if (ctx->keys != NULL) {
-- dnssec_key_free(ctx->keys[i].key);
-- }
- dnssec_sign_free(ctx->sign_ctxs[i]);
- }
-- free(ctx->keys);
- free(ctx);
- }
- }
-diff --git a/src/libdnssec/key.h b/src/libdnssec/key.h
-index aa8002b4a..2a69d377f 100644
---- a/src/libdnssec/key.h
-+++ b/src/libdnssec/key.h
-@@ -1,4 +1,4 @@
--/* Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
-+/* Copyright (C) 2022 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
-
- This program is free software: you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
-@@ -134,7 +134,7 @@ void dnssec_key_free(dnssec_key_t *key);
- /*!
- * Create a copy of a DNSSEC key.
- *
-- * Public key isn't duplicated.
-+ * Only a public part of the key is copied.
- */
- dnssec_key_t *dnssec_key_dup(const dnssec_key_t *key);
-
-diff --git a/src/libdnssec/key/key.c b/src/libdnssec/key/key.c
-index 4574bbefb..f36316712 100644
---- a/src/libdnssec/key/key.c
-+++ b/src/libdnssec/key/key.c
-@@ -1,4 +1,4 @@
--/* Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
-+/* Copyright (C) 2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
-
- This program is free software: you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
-@@ -141,28 +141,6 @@ dnssec_key_t *dnssec_key_dup(const dnssec_key_t *key)
- return NULL;
- }
-
-- if (key->private_key != NULL) {
-- gnutls_privkey_init(&dup->private_key);
--
-- gnutls_privkey_type_t type = gnutls_privkey_get_type(key->private_key);
-- if (type == GNUTLS_PRIVKEY_PKCS11) {
--#ifdef ENABLE_PKCS11
-- gnutls_pkcs11_privkey_t tmp;
-- gnutls_privkey_export_pkcs11(key->private_key, &tmp);
-- gnutls_privkey_import_pkcs11(dup->private_key, tmp,
-- GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE);
--#else
-- assert(0);
--#endif // ENABLE_PKCS11
-- } else {
-- assert(type == GNUTLS_PRIVKEY_X509);
-- gnutls_x509_privkey_t tmp;
-- gnutls_privkey_export_x509(key->private_key, &tmp);
-- gnutls_privkey_import_x509(dup->private_key, tmp,
-- GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE);
-- }
-- }
--
- return dup;
- }
-
-diff --git a/tests/libdnssec/test_key.c b/tests/libdnssec/test_key.c
-index c3643f08c..cd0aaee0e 100644
---- a/tests/libdnssec/test_key.c
-+++ b/tests/libdnssec/test_key.c
-@@ -1,4 +1,4 @@
--/* Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
-+/* Copyright (C) 2021 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
-
- This program is free software: you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
-@@ -148,7 +148,7 @@ static void test_private_key(const key_parameters_t *params)
-
- check_key_tag(copy, params);
- check_key_size(copy, params);
-- check_usage(copy, true, true);
-+ check_usage(copy, true, false);
-
- dnssec_key_free(copy);
- dnssec_key_free(key);
---
-2.34.1
-
|