Diffstat (limited to 'distro/pkg/el-7/04-revert-don-t-share-PKCS-11-private-keys.patch')
-rw-r--r--distro/pkg/el-7/04-revert-don-t-share-PKCS-11-private-keys.patch166
1 files changed, 166 insertions, 0 deletions
diff --git a/distro/pkg/el-7/04-revert-don-t-share-PKCS-11-private-keys.patch b/distro/pkg/el-7/04-revert-don-t-share-PKCS-11-private-keys.patch
new file mode 100644
index 0000000..a13be90
--- /dev/null
+++ b/distro/pkg/el-7/04-revert-don-t-share-PKCS-11-private-keys.patch
@@ -0,0 +1,166 @@
+From 1bad8f831a9fd506516549ac7461f97c689a0c46 Mon Sep 17 00:00:00 2001
+From: Daniel Salzman <daniel.salzman@nic.cz>
+Date: Mon, 11 Dec 2023 17:08:23 +0100
+Subject: [PATCH] Revert "zone-sign: don't share PKCS 11 private keys by
+ multiple signing threads"
+
+This reverts commit 7d63e8e0825e03b8e0608e87b86968c452755c93.
+---
+ src/knot/dnssec/zone-keys.c | 38 +++----------------------------------
+ src/libdnssec/key.h | 4 ++--
+ src/libdnssec/key/key.c | 24 +----------------------
+ tests/libdnssec/test_key.c | 4 ++--
+ 4 files changed, 8 insertions(+), 62 deletions(-)
+
+diff --git a/src/knot/dnssec/zone-keys.c b/src/knot/dnssec/zone-keys.c
+index cd6bf0bb3..d5cccc759 100644
+--- a/src/knot/dnssec/zone-keys.c
++++ b/src/knot/dnssec/zone-keys.c
+@@ -1,4 +1,4 @@
+-/* Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
++/* Copyright (C) 2022 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+@@ -642,21 +642,6 @@ int zone_key_calculate_ds(zone_key_t *for_key, dnssec_key_digest_t digesttype,
+ return ret;
+ }
+
+-static int dup_zone_key(const zone_key_t *src, zone_key_t *dst)
+-{
+- assert(src);
+- assert(dst);
+-
+- *dst = *src;
+-
+- dst->key = dnssec_key_dup(src->key);
+- if (dst->key == NULL) {
+- return KNOT_ENOMEM;
+- }
+-
+- return KNOT_EOK;
+-}
+-
+ zone_sign_ctx_t *zone_sign_ctx(const zone_keyset_t *keyset, const kdnssec_ctx_t *dnssec_ctx)
+ {
+ zone_sign_ctx_t *ctx = calloc(1, sizeof(*ctx) + keyset->count * sizeof(*ctx->sign_ctxs));
+@@ -665,24 +650,11 @@ zone_sign_ctx_t *zone_sign_ctx(const zone_keyset_t *keyset, const kdnssec_ctx_t
+ }
+
+ ctx->sign_ctxs = (dnssec_sign_ctx_t **)(ctx + 1);
+-
+- ctx->keys = calloc(keyset->count, sizeof(*ctx->keys));
+- if (ctx->keys == NULL) {
+- zone_sign_ctx_free(ctx);
+- return NULL;
+- }
+ ctx->count = keyset->count;
+-
++ ctx->keys = keyset->keys;
+ ctx->dnssec_ctx = dnssec_ctx;
+ for (size_t i = 0; i < ctx->count; i++) {
+- // Clone the key to avoid thread contention on the key mutex.
+- int ret = dup_zone_key(&keyset->keys[i], &ctx->keys[i]);
+- if (ret != KNOT_EOK) {
+- zone_sign_ctx_free(ctx);
+- return NULL;
+- }
+-
+- ret = dnssec_sign_new(&ctx->sign_ctxs[i], ctx->keys[i].key);
++ int ret = dnssec_sign_new(&ctx->sign_ctxs[i], ctx->keys[i].key);
+ if (ret != DNSSEC_EOK) {
+ zone_sign_ctx_free(ctx);
+ return NULL;
+@@ -719,12 +691,8 @@ void zone_sign_ctx_free(zone_sign_ctx_t *ctx)
+ {
+ if (ctx != NULL) {
+ for (size_t i = 0; i < ctx->count; i++) {
+- if (ctx->keys != NULL) {
+- dnssec_key_free(ctx->keys[i].key);
+- }
+ dnssec_sign_free(ctx->sign_ctxs[i]);
+ }
+- free(ctx->keys);
+ free(ctx);
+ }
+ }
+diff --git a/src/libdnssec/key.h b/src/libdnssec/key.h
+index aa8002b4a..2a69d377f 100644
+--- a/src/libdnssec/key.h
++++ b/src/libdnssec/key.h
+@@ -1,4 +1,4 @@
+-/* Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
++/* Copyright (C) 2022 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+@@ -134,7 +134,7 @@ void dnssec_key_free(dnssec_key_t *key);
+ /*!
+ * Create a copy of a DNSSEC key.
+ *
+- * Public key isn't duplicated.
++ * Only a public part of the key is copied.
+ */
+ dnssec_key_t *dnssec_key_dup(const dnssec_key_t *key);
+
+diff --git a/src/libdnssec/key/key.c b/src/libdnssec/key/key.c
+index 4574bbefb..f36316712 100644
+--- a/src/libdnssec/key/key.c
++++ b/src/libdnssec/key/key.c
+@@ -1,4 +1,4 @@
+-/* Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
++/* Copyright (C) 2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+@@ -141,28 +141,6 @@ dnssec_key_t *dnssec_key_dup(const dnssec_key_t *key)
+ return NULL;
+ }
+
+- if (key->private_key != NULL) {
+- gnutls_privkey_init(&dup->private_key);
+-
+- gnutls_privkey_type_t type = gnutls_privkey_get_type(key->private_key);
+- if (type == GNUTLS_PRIVKEY_PKCS11) {
+-#ifdef ENABLE_PKCS11
+- gnutls_pkcs11_privkey_t tmp;
+- gnutls_privkey_export_pkcs11(key->private_key, &tmp);
+- gnutls_privkey_import_pkcs11(dup->private_key, tmp,
+- GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE);
+-#else
+- assert(0);
+-#endif // ENABLE_PKCS11
+- } else {
+- assert(type == GNUTLS_PRIVKEY_X509);
+- gnutls_x509_privkey_t tmp;
+- gnutls_privkey_export_x509(key->private_key, &tmp);
+- gnutls_privkey_import_x509(dup->private_key, tmp,
+- GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE);
+- }
+- }
+-
+ return dup;
+ }
+
+diff --git a/tests/libdnssec/test_key.c b/tests/libdnssec/test_key.c
+index c3643f08c..cd0aaee0e 100644
+--- a/tests/libdnssec/test_key.c
++++ b/tests/libdnssec/test_key.c
+@@ -1,4 +1,4 @@
+-/* Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
++/* Copyright (C) 2021 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+@@ -148,7 +148,7 @@ static void test_private_key(const key_parameters_t *params)
+
+ check_key_tag(copy, params);
+ check_key_size(copy, params);
+- check_usage(copy, true, true);
++ check_usage(copy, true, false);
+
+ dnssec_key_free(copy);
+ dnssec_key_free(key);
+--
+2.34.1
+
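Review bot: `ctx->keys = keyset->keys;` on the new side of the embedded zone-keys.c hunk makes the sign context borrow the keyset's array (and zone_sign_ctx_free no longer frees it), so every signing thread now shares one dnssec_key_t and, for PKCS#11 keys, one private-key handle; the line removed just below it, "Clone the key to avoid thread contention on the key mutex", is the rationale this revert discards. The patch file carries no note of why el-7 needs the revert at all — presumably the platform's GnuTLS lacks the gnutls_privkey_export_pkcs11/gnutls_privkey_import_pkcs11 calls the reverted dnssec_key_dup used, but that is an inference and belongs in the patch header, e.g. `el-7: reverted because <REASON>; signing threads share key handles, so throughput and correctness depend on the PKCS#11 module and GnuTLS being safe for concurrent use of one key`. I would also comment the assignment itself, `/* borrowed from keyset, which must outlive ctx; not freed in zone_sign_ctx_free */`, since the ownership flip is the only reason the free() of ctx->keys disappears. The test hunk's `check_usage(copy, true, false)` is consistent with dup now copying only the public part, so that side needs nothing.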