From 1bad8f831a9fd506516549ac7461f97c689a0c46 Mon Sep 17 00:00:00 2001
From: Daniel Salzman <daniel.salzman@nic.cz>
Date: Mon, 11 Dec 2023 17:08:23 +0100
Subject: [PATCH] Revert "zone-sign: don't share PKCS 11 private keys by
 multiple signing threads"

This reverts commit 7d63e8e0825e03b8e0608e87b86968c452755c93.
---
 src/knot/dnssec/zone-keys.c | 38 +++----------------------------------
 src/libdnssec/key.h         |  4 ++--
 src/libdnssec/key/key.c     | 24 +----------------------
 tests/libdnssec/test_key.c  |  4 ++--
 4 files changed, 8 insertions(+), 62 deletions(-)

diff --git a/src/knot/dnssec/zone-keys.c b/src/knot/dnssec/zone-keys.c
index cd6bf0bb3..d5cccc759 100644
--- a/src/knot/dnssec/zone-keys.c
+++ b/src/knot/dnssec/zone-keys.c
@@ -642,21 +642,6 @@ int zone_key_calculate_ds(zone_key_t *for_key, dnssec_key_digest_t digesttype,
 	return ret;
 }
 
-static int dup_zone_key(const zone_key_t *src, zone_key_t *dst)
-{
-	assert(src);
-	assert(dst);
-
-	*dst = *src;
-
-	dst->key = dnssec_key_dup(src->key);
-	if (dst->key == NULL) {
-		return KNOT_ENOMEM;
-	}
-
-	return KNOT_EOK;
-}
-
 zone_sign_ctx_t *zone_sign_ctx(const zone_keyset_t *keyset, const kdnssec_ctx_t *dnssec_ctx)
 {
 	zone_sign_ctx_t *ctx = calloc(1, sizeof(*ctx) + keyset->count * sizeof(*ctx->sign_ctxs));
@@ -665,24 +650,11 @@ zone_sign_ctx_t *zone_sign_ctx(const zone_keyset_t *keyset, const kdnssec_ctx_t
 	}
 
 	ctx->sign_ctxs = (dnssec_sign_ctx_t **)(ctx + 1);
-
-	ctx->keys = calloc(keyset->count, sizeof(*ctx->keys));
-	if (ctx->keys == NULL) {
-		zone_sign_ctx_free(ctx);
-		return NULL;
-	}
 	ctx->count = keyset->count;
-
+	ctx->keys = keyset->keys;
 	ctx->dnssec_ctx = dnssec_ctx;
 	for (size_t i = 0; i < ctx->count; i++) {
-		// Clone the key to avoid thread contention on the key mutex.
-		int ret = dup_zone_key(&keyset->keys[i], &ctx->keys[i]);
-		if (ret != KNOT_EOK) {
-			zone_sign_ctx_free(ctx);
-			return NULL;
-		}
-
-		ret = dnssec_sign_new(&ctx->sign_ctxs[i], ctx->keys[i].key);
+		int ret = dnssec_sign_new(&ctx->sign_ctxs[i], ctx->keys[i].key);
 		if (ret != DNSSEC_EOK) {
 			zone_sign_ctx_free(ctx);
 			return NULL;
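Review bot: `ctx->keys = keyset->keys;` makes the sign context alias the caller's key array without taking ownership, so the context is only usable while the keyset it was built from stays alive and zone_sign_ctx_free must never release those entries; with the cloning and its comment gone, nothing in the code states that contract. I would record it at the assignment: `ctx->keys = keyset->keys; // borrowed from keyset: caller keeps ownership and must outlive ctx`. The removed comment also documented that the per-context copies existed to avoid contention on the key's mutex; now that one dnssec_key_t is shared by every sign context, the signing threads presumably serialize on it again, which deserves a sentence in the function's header comment so the trade-off is not rediscovered later. zone_sign_ctx's body continues past the hunk.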
@@ -719,12 +691,8 @@ void zone_sign_ctx_free(zone_sign_ctx_t *ctx)
 {
 	if (ctx != NULL) {
 		for (size_t i = 0; i < ctx->count; i++) {
-			if (ctx->keys != NULL) {
-				dnssec_key_free(ctx->keys[i].key);
-			}
 			dnssec_sign_free(ctx->sign_ctxs[i]);
 		}
-		free(ctx->keys);
 		free(ctx);
 	}
 }
diff --git a/src/libdnssec/key.h b/src/libdnssec/key.h
index aa8002b4a..2a69d377f 100644
--- a/src/libdnssec/key.h
+++ b/src/libdnssec/key.h
@@ -1,4 +1,4 @@
-/*  Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/*  Copyright (C) 2022 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
 
     This program is free software: you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
@@ -134,7 +134,7 @@ void dnssec_key_free(dnssec_key_t *key);
 /*!
  * Create a copy of a DNSSEC key.
  *
- * Public key isn't duplicated.
+ * Only a public part of the key is copied.
  */
 dnssec_key_t *dnssec_key_dup(const dnssec_key_t *key);
 
diff --git a/src/libdnssec/key/key.c b/src/libdnssec/key/key.c
index 4574bbefb..f36316712 100644
--- a/src/libdnssec/key/key.c
+++ b/src/libdnssec/key/key.c
@@ -1,4 +1,4 @@
-/*  Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/*  Copyright (C) 2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
 
     This program is free software: you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
@@ -141,28 +141,6 @@ dnssec_key_t *dnssec_key_dup(const dnssec_key_t *key)
 		return NULL;
 	}
 
-	if (key->private_key != NULL) {
-		gnutls_privkey_init(&dup->private_key);
-
-		gnutls_privkey_type_t type = gnutls_privkey_get_type(key->private_key);
-		if (type == GNUTLS_PRIVKEY_PKCS11) {
-#ifdef ENABLE_PKCS11
-			gnutls_pkcs11_privkey_t tmp;
-			gnutls_privkey_export_pkcs11(key->private_key, &tmp);
-			gnutls_privkey_import_pkcs11(dup->private_key, tmp,
-			                             GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE);
-#else
-			assert(0);
-#endif // ENABLE_PKCS11
-		} else {
-			assert(type == GNUTLS_PRIVKEY_X509);
-			gnutls_x509_privkey_t tmp;
-			gnutls_privkey_export_x509(key->private_key, &tmp);
-			gnutls_privkey_import_x509(dup->private_key, tmp,
-			                           GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE);
-		}
-	}
-
 	return dup;
 }
 
diff --git a/tests/libdnssec/test_key.c b/tests/libdnssec/test_key.c
index c3643f08c..cd0aaee0e 100644
--- a/tests/libdnssec/test_key.c
+++ b/tests/libdnssec/test_key.c
@@ -1,4 +1,4 @@
-/*  Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/*  Copyright (C) 2021 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
 
     This program is free software: you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
@@ -148,7 +148,7 @@ static void test_private_key(const key_parameters_t *params)
 
 	check_key_tag(copy, params);
 	check_key_size(copy, params);
-	check_usage(copy, true, true);
+	check_usage(copy, true, false);
 
 	dnssec_key_free(copy);
 	dnssec_key_free(key);
-- 
2.34.1