From c5d9a5c66a3da36ec5fe544b06da57ac56bf79ab Mon Sep 17 00:00:00 2001 From: Petr Menšík Date: Aug 27 2019 19:39:46 +0000 Subject: Avoid conflicts between OpenSSL and native PKCS#11 Do not set default engine when native module should be used.
---
diff --git a/bind-9.11-engine-pkcs11.patch b/bind-9.11-engine-pkcs11.patch
new file mode 100644
index 0000000..4a6290d
--- /dev/null
+++ b/bind-9.11-engine-pkcs11.patch
@@ -0,0 +1,27 @@
+From 37f89ccfc439f8d86c401d9ae10e94e53b924961 Mon Sep 17 00:00:00 2001
+From: Petr Mensik
+Date: Tue, 27 Aug 2019 20:39:59 +0200
+Subject: [PATCH] Do not set engine for native PKCS11
+
+It resets already set lib_path to pkcs11, which is invalid in native
+pkcs11 crypto. Engine has to be path to PKCS#11 module.
+---
+ bin/named/include/named/globals.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bin/named/include/named/globals.h b/bin/named/include/named/globals.h
+index eda2214..2a611d5 100644
+--- a/bin/named/include/named/globals.h
++++ b/bin/named/include/named/globals.h
+@@ -160,7 +160,7 @@ EXTERN const char * ns_g_defaultdnstap INIT(NULL);
+
+ EXTERN const char * ns_g_username INIT(NULL);
+
+-#if defined(USE_PKCS11)
++#if defined(USE_PKCS11) && !defined(PKCS11CRYPTO)
+ EXTERN const char * ns_g_engine INIT(PKCS11_ENGINE);
+ #else
+ EXTERN const char * ns_g_engine INIT(NULL);
+--
+2.20.1
+
diff --git a/bind.spec b/bind.spec
index 9208af7..97be60f 100644
--- a/bind.spec
+++ b/bind.spec
@@ -116,6 +116,8 @@ Patch140:bind-9.11-rh1410433.patch
 Patch145:bind-9.11-rh1205168.patch
 # [ISC-Bugs #46853] commit cb616c6d5c2ece1fac37fa6e0bca2b53d4043098 ISC 4851
 Patch149:bind-9.11-kyua-pkcs11.patch
+# Avoid conflicts with OpenSSL PKCS11 engine
+Patch150:bind-9.11-engine-pkcs11.patch
 Patch153:bind-9.11-export-suffix.patch
 Patch154:bind-9.11-oot-manual.patch
 Patch155:bind-9.11-pk11.patch
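Review bot: In bind-9.11-engine-pkcs11.patch, the new guard `#if defined(USE_PKCS11) && !defined(PKCS11CRYPTO)` in globals.h has no comment, so the reason `ns_g_engine` must default to NULL in a native PKCS#11 build is recorded only in the patch description. I would put `/* Native PKCS#11: leave the engine unset; PKCS11_ENGINE would overwrite the configured module lib_path. */` directly above the `#if`. Because this default decides which provider module ends up handling the server's keys, the patch would also benefit from a sentence on what the native build does when no module path has been configured. Presumably it should fail at startup rather than continue without a provider, but that code is outside this hunk.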
@@ -551,6 +553,7 @@ cp -r lib/isc{,-pkcs11}
 cp -r lib/dns{,-pkcs11}
 %patch136 -p1 -b .dist_pkcs11
 %patch149 -p1 -b .kyua-pkcs11
+%patch150 -p1 -b .engine-pkcs11
 %endif
 %if %{with SDB}