diff options
Diffstat (limited to 'distro/pkg/el-7/04-revert-don-t-share-PKCS-11-private-keys.patch')
| -rw-r--r-- | distro/pkg/el-7/04-revert-don-t-share-PKCS-11-private-keys.patch | 166 |
1 files changed, 166 insertions, 0 deletions
diff --git a/distro/pkg/el-7/04-revert-don-t-share-PKCS-11-private-keys.patch b/distro/pkg/el-7/04-revert-don-t-share-PKCS-11-private-keys.patch new file mode 100644 index 0000000..a13be90 --- /dev/null +++ b/distro/pkg/el-7/04-revert-don-t-share-PKCS-11-private-keys.patch @@ -0,0 +1,166 @@ +From 1bad8f831a9fd506516549ac7461f97c689a0c46 Mon Sep 17 00:00:00 2001 +From: Daniel Salzman <daniel.salzman@nic.cz> +Date: Mon, 11 Dec 2023 17:08:23 +0100 +Subject: [PATCH] Revert "zone-sign: don't share PKCS 11 private keys by + multiple signing threads" + +This reverts commit 7d63e8e0825e03b8e0608e87b86968c452755c93. +--- + src/knot/dnssec/zone-keys.c | 38 +++---------------------------------- + src/libdnssec/key.h | 4 ++-- + src/libdnssec/key/key.c | 24 +---------------------- + tests/libdnssec/test_key.c | 4 ++-- + 4 files changed, 8 insertions(+), 62 deletions(-) + +diff --git a/src/knot/dnssec/zone-keys.c b/src/knot/dnssec/zone-keys.c +index cd6bf0bb3..d5cccc759 100644 +--- a/src/knot/dnssec/zone-keys.c ++++ b/src/knot/dnssec/zone-keys.c +@@ -1,4 +1,4 @@ +-/* Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> ++/* Copyright (C) 2022 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by +@@ -642,21 +642,6 @@ int zone_key_calculate_ds(zone_key_t *for_key, dnssec_key_digest_t digesttype, + return ret; + } + +-static int dup_zone_key(const zone_key_t *src, zone_key_t *dst) +-{ +- assert(src); +- assert(dst); +- +- *dst = *src; +- +- dst->key = dnssec_key_dup(src->key); +- if (dst->key == NULL) { +- return KNOT_ENOMEM; +- } +- +- return KNOT_EOK; +-} +- + zone_sign_ctx_t *zone_sign_ctx(const zone_keyset_t *keyset, const kdnssec_ctx_t *dnssec_ctx) + { + zone_sign_ctx_t *ctx = calloc(1, sizeof(*ctx) + keyset->count * sizeof(*ctx->sign_ctxs)); +@@ -665,24 +650,11 @@ zone_sign_ctx_t *zone_sign_ctx(const zone_keyset_t *keyset, const kdnssec_ctx_t + } + + ctx->sign_ctxs = (dnssec_sign_ctx_t **)(ctx + 1); +- +- ctx->keys = calloc(keyset->count, sizeof(*ctx->keys)); +- if (ctx->keys == NULL) { +- zone_sign_ctx_free(ctx); +- return NULL; +- } + ctx->count = keyset->count; +- ++ ctx->keys = keyset->keys; + ctx->dnssec_ctx = dnssec_ctx; + for (size_t i = 0; i < ctx->count; i++) { +- // Clone the key to avoid thread contention on the key mutex. +- int ret = dup_zone_key(&keyset->keys[i], &ctx->keys[i]); +- if (ret != KNOT_EOK) { +- zone_sign_ctx_free(ctx); +- return NULL; +- } +- +- ret = dnssec_sign_new(&ctx->sign_ctxs[i], ctx->keys[i].key); ++ int ret = dnssec_sign_new(&ctx->sign_ctxs[i], ctx->keys[i].key); + if (ret != DNSSEC_EOK) { + zone_sign_ctx_free(ctx); + return NULL; +@@ -719,12 +691,8 @@ void zone_sign_ctx_free(zone_sign_ctx_t *ctx) + { + if (ctx != NULL) { + for (size_t i = 0; i < ctx->count; i++) { +- if (ctx->keys != NULL) { +- dnssec_key_free(ctx->keys[i].key); +- } + dnssec_sign_free(ctx->sign_ctxs[i]); + } +- free(ctx->keys); + free(ctx); + } + } +diff --git a/src/libdnssec/key.h b/src/libdnssec/key.h +index aa8002b4a..2a69d377f 100644 +--- a/src/libdnssec/key.h ++++ b/src/libdnssec/key.h +@@ -1,4 +1,4 @@ +-/* Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> ++/* Copyright (C) 2022 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by +@@ -134,7 +134,7 @@ void dnssec_key_free(dnssec_key_t *key); + /*! + * Create a copy of a DNSSEC key. + * +- * Public key isn't duplicated. ++ * Only a public part of the key is copied. + */ + dnssec_key_t *dnssec_key_dup(const dnssec_key_t *key); + +diff --git a/src/libdnssec/key/key.c b/src/libdnssec/key/key.c +index 4574bbefb..f36316712 100644 +--- a/src/libdnssec/key/key.c ++++ b/src/libdnssec/key/key.c +@@ -1,4 +1,4 @@ +-/* Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> ++/* Copyright (C) 2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by +@@ -141,28 +141,6 @@ dnssec_key_t *dnssec_key_dup(const dnssec_key_t *key) + return NULL; + } + +- if (key->private_key != NULL) { +- gnutls_privkey_init(&dup->private_key); +- +- gnutls_privkey_type_t type = gnutls_privkey_get_type(key->private_key); +- if (type == GNUTLS_PRIVKEY_PKCS11) { +-#ifdef ENABLE_PKCS11 +- gnutls_pkcs11_privkey_t tmp; +- gnutls_privkey_export_pkcs11(key->private_key, &tmp); +- gnutls_privkey_import_pkcs11(dup->private_key, tmp, +- GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE); +-#else +- assert(0); +-#endif // ENABLE_PKCS11 +- } else { +- assert(type == GNUTLS_PRIVKEY_X509); +- gnutls_x509_privkey_t tmp; +- gnutls_privkey_export_x509(key->private_key, &tmp); +- gnutls_privkey_import_x509(dup->private_key, tmp, +- GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE); +- } +- } +- + return dup; + } + +diff --git a/tests/libdnssec/test_key.c b/tests/libdnssec/test_key.c +index c3643f08c..cd0aaee0e 100644 +--- a/tests/libdnssec/test_key.c ++++ b/tests/libdnssec/test_key.c +@@ -1,4 +1,4 @@ +-/* Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> ++/* Copyright (C) 2021 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by +@@ -148,7 +148,7 @@ static void test_private_key(const key_parameters_t *params) + + check_key_tag(copy, params); + check_key_size(copy, params); +- check_usage(copy, true, true); ++ check_usage(copy, true, false); + + dnssec_key_free(copy); + dnssec_key_free(key); +-- +2.34.1 + |