Diffstat (limited to '')
-rw-r--r--distro/pkg/el-7/04-revert-don-t-share-PKCS-11-private-keys.patch160
1 files changed, 0 insertions, 160 deletions
diff --git a/distro/pkg/el-7/04-revert-don-t-share-PKCS-11-private-keys.patch b/distro/pkg/el-7/04-revert-don-t-share-PKCS-11-private-keys.patch
deleted file mode 100644
index d360433..0000000
--- a/distro/pkg/el-7/04-revert-don-t-share-PKCS-11-private-keys.patch
+++ /dev/null
@@ -1,160 +0,0 @@
-From 1bad8f831a9fd506516549ac7461f97c689a0c46 Mon Sep 17 00:00:00 2001
-From: Daniel Salzman <daniel.salzman@nic.cz>
-Date: Mon, 11 Dec 2023 17:08:23 +0100
-Subject: [PATCH] Revert "zone-sign: don't share PKCS 11 private keys by
- multiple signing threads"
-
-This reverts commit 7d63e8e0825e03b8e0608e87b86968c452755c93.
----
- src/knot/dnssec/zone-keys.c | 38 +++----------------------------------
- src/libdnssec/key.h | 4 ++--
- src/libdnssec/key/key.c | 24 +----------------------
- tests/libdnssec/test_key.c | 4 ++--
- 4 files changed, 8 insertions(+), 62 deletions(-)
-
-diff --git a/src/knot/dnssec/zone-keys.c b/src/knot/dnssec/zone-keys.c
-index cd6bf0bb3..d5cccc759 100644
---- a/src/knot/dnssec/zone-keys.c
-+++ b/src/knot/dnssec/zone-keys.c
-@@ -642,21 +642,6 @@ int zone_key_calculate_ds(zone_key_t *for_key, dnssec_key_digest_t digesttype,
- return ret;
- }
-
--static int dup_zone_key(const zone_key_t *src, zone_key_t *dst)
--{
-- assert(src);
-- assert(dst);
--
-- *dst = *src;
--
-- dst->key = dnssec_key_dup(src->key);
-- if (dst->key == NULL) {
-- return KNOT_ENOMEM;
-- }
--
-- return KNOT_EOK;
--}
--
- zone_sign_ctx_t *zone_sign_ctx(const zone_keyset_t *keyset, const kdnssec_ctx_t *dnssec_ctx)
- {
- zone_sign_ctx_t *ctx = calloc(1, sizeof(*ctx) + keyset->count * sizeof(*ctx->sign_ctxs));
-@@ -665,24 +650,11 @@ zone_sign_ctx_t *zone_sign_ctx(const zone_keyset_t *keyset, const kdnssec_ctx_t
- }
-
- ctx->sign_ctxs = (dnssec_sign_ctx_t **)(ctx + 1);
--
-- ctx->keys = calloc(keyset->count, sizeof(*ctx->keys));
-- if (ctx->keys == NULL) {
-- zone_sign_ctx_free(ctx);
-- return NULL;
-- }
- ctx->count = keyset->count;
--
-+ ctx->keys = keyset->keys;
- ctx->dnssec_ctx = dnssec_ctx;
- for (size_t i = 0; i < ctx->count; i++) {
-- // Clone the key to avoid thread contention on the key mutex.
-- int ret = dup_zone_key(&keyset->keys[i], &ctx->keys[i]);
-- if (ret != KNOT_EOK) {
-- zone_sign_ctx_free(ctx);
-- return NULL;
-- }
--
-- ret = dnssec_sign_new(&ctx->sign_ctxs[i], ctx->keys[i].key);
-+ int ret = dnssec_sign_new(&ctx->sign_ctxs[i], ctx->keys[i].key);
- if (ret != DNSSEC_EOK) {
- zone_sign_ctx_free(ctx);
- return NULL;
-@@ -719,12 +691,8 @@ void zone_sign_ctx_free(zone_sign_ctx_t *ctx)
- {
- if (ctx != NULL) {
- for (size_t i = 0; i < ctx->count; i++) {
-- if (ctx->keys != NULL) {
-- dnssec_key_free(ctx->keys[i].key);
-- }
- dnssec_sign_free(ctx->sign_ctxs[i]);
- }
-- free(ctx->keys);
- free(ctx);
- }
- }
-diff --git a/src/libdnssec/key.h b/src/libdnssec/key.h
-index aa8002b4a..2a69d377f 100644
---- a/src/libdnssec/key.h
-+++ b/src/libdnssec/key.h
-@@ -1,4 +1,4 @@
--/* Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
-+/* Copyright (C) 2022 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
-
- This program is free software: you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
-@@ -134,7 +134,7 @@ void dnssec_key_free(dnssec_key_t *key);
- /*!
- * Create a copy of a DNSSEC key.
- *
-- * Public key isn't duplicated.
-+ * Only a public part of the key is copied.
- */
- dnssec_key_t *dnssec_key_dup(const dnssec_key_t *key);
-
-diff --git a/src/libdnssec/key/key.c b/src/libdnssec/key/key.c
-index 4574bbefb..f36316712 100644
---- a/src/libdnssec/key/key.c
-+++ b/src/libdnssec/key/key.c
-@@ -1,4 +1,4 @@
--/* Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
-+/* Copyright (C) 2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
-
- This program is free software: you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
-@@ -141,28 +141,6 @@ dnssec_key_t *dnssec_key_dup(const dnssec_key_t *key)
- return NULL;
- }
-
-- if (key->private_key != NULL) {
-- gnutls_privkey_init(&dup->private_key);
--
-- gnutls_privkey_type_t type = gnutls_privkey_get_type(key->private_key);
-- if (type == GNUTLS_PRIVKEY_PKCS11) {
--#ifdef ENABLE_PKCS11
-- gnutls_pkcs11_privkey_t tmp;
-- gnutls_privkey_export_pkcs11(key->private_key, &tmp);
-- gnutls_privkey_import_pkcs11(dup->private_key, tmp,
-- GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE);
--#else
-- assert(0);
--#endif // ENABLE_PKCS11
-- } else {
-- assert(type == GNUTLS_PRIVKEY_X509);
-- gnutls_x509_privkey_t tmp;
-- gnutls_privkey_export_x509(key->private_key, &tmp);
-- gnutls_privkey_import_x509(dup->private_key, tmp,
-- GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE);
-- }
-- }
--
- return dup;
- }
-
-diff --git a/tests/libdnssec/test_key.c b/tests/libdnssec/test_key.c
-index c3643f08c..cd0aaee0e 100644
---- a/tests/libdnssec/test_key.c
-+++ b/tests/libdnssec/test_key.c
-@@ -1,4 +1,4 @@
--/* Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
-+/* Copyright (C) 2021 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
-
- This program is free software: you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
-@@ -148,7 +148,7 @@ static void test_private_key(const key_parameters_t *params)
-
- check_key_tag(copy, params);
- check_key_size(copy, params);
-- check_usage(copy, true, true);
-+ check_usage(copy, true, false);
-
- dnssec_key_free(copy);
- dnssec_key_free(key);
---
-2.34.1
-