From 3094ef83b898bb7b7a3e835084e444fd403c6ee8 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Tue, 1 Apr 2025 14:53:24 +0300
Subject: [PATCH] DNS: detect when OpenSSL engine should be removed on upgrade

For OpenSSL Provider API use we don't need 'named -E engine-name' anymore, it has to be removed. The removal process is slightly complicated because we need to detect '-E engine-name' and compare it with the engine we know about (pkcs11) but if we are upgrading to the build that supports OpenSSL Provider API, we don't know the engine name anymore.

Fixes: https://pagure.io/freeipa/issue/9696
Signed-off-by: Alexander Bokovoy
Reviewed-By: Florence Blanc-Renaud
Reviewed-By: Alexander Bokovoy
Reviewed-By: Rob Crittenden
---
 ipaserver/install/dnskeysyncinstance.py | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py
index 1979a472dd882a70cb0a41d782689debc66017a9..ae8a67a007cab36f81bf931e24755d3744265b8c 100644
--- a/ipaserver/install/dnskeysyncinstance.py
+++ b/ipaserver/install/dnskeysyncinstance.py
@@ -149,7 +149,19 @@ class DNSKeySyncInstance(service.Service):
 if options:
 pattern = r"[ ]*-[a-zA-Z46]*E[ ]*(.*?)(?: |$)"
 engines = re.findall(pattern, options)
- if engines and engines[-1] == constants.NAMED_OPENSSL_ENGINE:
+
+ # if no '-E ' and we switched to the provider API,
+ # just exist, no named configuration to adjust
+ if len(engines) == 0 and constants.NAMED_OPENSSL_ENGINE is None:
+ return False
+
+ # Something is configured in '-E ' but we don't have
+ # an engine name to compare because we already switched to the
+ # provider API, we only need to ensure old engine ref is removed.
+ if constants.NAMED_OPENSSL_ENGINE is None:
+ return True
+
+ if engines[-1] == constants.NAMED_OPENSSL_ENGINE:
 return True
 return False
-- 
2.49.0
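Review bot: The last added line, `if engines[-1] == constants.NAMED_OPENSSL_ENGINE:`, drops the `engines and` guard that the removed line had, so when `options` contains no `-E` flag while `constants.NAMED_OPENSSL_ENGINE` is still set (a build that has not moved to the provider API), `engines` is empty and the index raises IndexError instead of the method returning False as before. Restore the guard: `if engines and engines[-1] == constants.NAMED_OPENSSL_ENGINE:`. The earlier check would read more idiomatically as `if not engines and constants.NAMED_OPENSSL_ENGINE is None:`, and the comment's "just exist" looks like a typo for "just exit". The enclosing method starts outside the hunk, and the hunk header's line counts suggest a trailing blank context line was lost in the paste.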