1
0
forked from rpms/bind
bind/bind-9.11-rt31459.patch
DistroBaker a9c482da54 Merged update from upstream sources
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/bind.git#ad33c6c09557956426b2c7053495496dc9c442cb
2020-11-26 13:20:54 +00:00

2123 lines
63 KiB
Diff

From 63d1fe9e1ac0db37f89cf31b40c35d6d22578ded Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Tue, 12 Sep 2017 19:05:46 -0700
Subject: [PATCH] rebased rt31459c
[rt31459d] update the newer tools
[rt31459d] setup entropy in dns_lib_init()
[rt31459d] silence compiler warning
DNS_OPENSSL_LIBS -> DST_OPENSSL_LIBS
Include new unit test
---
bin/confgen/keygen.c | 7 +
bin/dnssec/dnssec-dsfromkey.c | 8 +-
bin/dnssec/dnssec-importkey.c | 8 +-
bin/dnssec/dnssec-revoke.c | 8 +-
bin/dnssec/dnssec-settime.c | 8 +-
bin/dnssec/dnssec-signzone.c | 11 +-
bin/dnssec/dnssec-verify.c | 8 +-
bin/dnssec/dnssectool.c | 11 +-
bin/named/server.c | 6 +
bin/nsupdate/nsupdate.c | 14 +-
bin/tests/makejournal.c | 6 +-
bin/tests/system/pipelined/pipequeries.c | 20 +-
bin/tests/system/pipelined/tests.sh | 4 +-
bin/tests/system/rsabigexponent/bigkey.c | 4 +
bin/tests/system/tkey/keycreate.c | 26 ++-
bin/tests/system/tkey/keydelete.c | 26 ++-
bin/tests/system/tkey/tests.sh | 8 +-
bin/tools/mdig.c | 3 +-
configure | 250 +++++++++++++----------
configure.ac | 77 ++++++-
lib/dns/dst_api.c | 21 +-
lib/dns/include/dst/dst.h | 8 +
lib/dns/lib.c | 15 +-
lib/dns/openssl_link.c | 72 ++++++-
lib/dns/pkcs11.c | 29 ++-
lib/dns/tests/Kyuafile | 1 +
lib/dns/tests/Makefile.in | 7 +
lib/dns/tests/dstrandom_test.c | 115 +++++++++++
lib/dns/win32/libdns.def.in | 7 +
lib/isc/entropy.c | 24 +++
lib/isc/include/isc/entropy.h | 12 ++
lib/isc/include/isc/platform.h.in | 5 +
lib/isc/include/isc/types.h | 2 +
lib/isc/pk11.c | 12 +-
lib/isc/win32/include/isc/platform.h.in | 5 +
win32utils/Configure | 28 ++-
36 files changed, 701 insertions(+), 175 deletions(-)
create mode 100644 lib/dns/tests/dstrandom_test.c
diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c
index 40cf74c..bd269e7 100644
--- a/bin/confgen/keygen.c
+++ b/bin/confgen/keygen.c
@@ -165,6 +165,13 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
randomfile = NULL;
open_keyboard = ISC_ENTROPY_KEYBOARDYES;
}
+#ifdef ISC_PLATFORM_CRYPTORANDOM
+ if (randomfile != NULL &&
+ strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
+ randomfile = NULL;
+ isc_entropy_usehook(ectx, true);
+ }
+#endif
DO("start entropy source", isc_entropy_usebestsource(ectx,
&entropy_source,
randomfile,
diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c
index 4420f2d..9cb63a8 100644
--- a/bin/dnssec/dnssec-dsfromkey.c
+++ b/bin/dnssec/dnssec-dsfromkey.c
@@ -498,14 +498,14 @@ main(int argc, char **argv) {
if (ectx == NULL)
setup_entropy(mctx, NULL, &ectx);
- result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
- if (result != ISC_R_SUCCESS)
- fatal("could not initialize hash");
result = dst_lib_init(mctx, ectx,
ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
if (result != ISC_R_SUCCESS)
fatal("could not initialize dst: %s",
isc_result_totext(result));
+ result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
+ if (result != ISC_R_SUCCESS)
+ fatal("could not initialize hash");
isc_entropy_stopcallbacksources(ectx);
setup_logging(mctx, &log);
@@ -574,8 +574,8 @@ main(int argc, char **argv) {
if (dns_rdataset_isassociated(&rdataset))
dns_rdataset_disassociate(&rdataset);
cleanup_logging(&log);
- dst_lib_destroy();
isc_hash_destroy();
+ dst_lib_destroy();
cleanup_entropy(&ectx);
dns_name_destroy();
if (verbose > 10)
diff --git a/bin/dnssec/dnssec-importkey.c b/bin/dnssec/dnssec-importkey.c
index dc9a293..52863a1 100644
--- a/bin/dnssec/dnssec-importkey.c
+++ b/bin/dnssec/dnssec-importkey.c
@@ -404,14 +404,14 @@ main(int argc, char **argv) {
if (ectx == NULL)
setup_entropy(mctx, NULL, &ectx);
- result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
- if (result != ISC_R_SUCCESS)
- fatal("could not initialize hash");
result = dst_lib_init(mctx, ectx,
ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
if (result != ISC_R_SUCCESS)
fatal("could not initialize dst: %s",
isc_result_totext(result));
+ result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
+ if (result != ISC_R_SUCCESS)
+ fatal("could not initialize hash");
isc_entropy_stopcallbacksources(ectx);
setup_logging(mctx, &log);
@@ -455,8 +455,8 @@ main(int argc, char **argv) {
if (dns_rdataset_isassociated(&rdataset))
dns_rdataset_disassociate(&rdataset);
cleanup_logging(&log);
- dst_lib_destroy();
isc_hash_destroy();
+ dst_lib_destroy();
cleanup_entropy(&ectx);
dns_name_destroy();
if (verbose > 10)
diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c
index 0121a34..74a99b0 100644
--- a/bin/dnssec/dnssec-revoke.c
+++ b/bin/dnssec/dnssec-revoke.c
@@ -184,14 +184,14 @@ main(int argc, char **argv) {
if (ectx == NULL)
setup_entropy(mctx, NULL, &ectx);
- result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
- if (result != ISC_R_SUCCESS)
- fatal("Could not initialize hash");
result = dst_lib_init2(mctx, ectx, engine,
ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
if (result != ISC_R_SUCCESS)
fatal("Could not initialize dst: %s",
isc_result_totext(result));
+ result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
+ if (result != ISC_R_SUCCESS)
+ fatal("Could not initialize hash");
isc_entropy_stopcallbacksources(ectx);
result = dst_key_fromnamedfile(filename, dir,
@@ -273,8 +273,8 @@ main(int argc, char **argv) {
cleanup:
dst_key_free(&key);
- dst_lib_destroy();
isc_hash_destroy();
+ dst_lib_destroy();
cleanup_entropy(&ectx);
if (verbose > 10)
isc_mem_stats(mctx, stdout);
diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c
index f017895..2c568fc 100644
--- a/bin/dnssec/dnssec-settime.c
+++ b/bin/dnssec/dnssec-settime.c
@@ -391,14 +391,14 @@ main(int argc, char **argv) {
if (ectx == NULL)
setup_entropy(mctx, NULL, &ectx);
- result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
- if (result != ISC_R_SUCCESS)
- fatal("Could not initialize hash");
result = dst_lib_init2(mctx, ectx, engine,
ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
if (result != ISC_R_SUCCESS)
fatal("Could not initialize dst: %s",
isc_result_totext(result));
+ result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
+ if (result != ISC_R_SUCCESS)
+ fatal("Could not initialize hash");
isc_entropy_stopcallbacksources(ectx);
if (predecessor != NULL) {
@@ -683,8 +683,8 @@ main(int argc, char **argv) {
if (prevkey != NULL)
dst_key_free(&prevkey);
dst_key_free(&key);
- dst_lib_destroy();
isc_hash_destroy();
+ dst_lib_destroy();
cleanup_entropy(&ectx);
if (verbose > 10)
isc_mem_stats(mctx, stdout);
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index dde1b2f..7308fc6 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -3465,14 +3465,15 @@ main(int argc, char *argv[]) {
if (!pseudorandom)
eflags |= ISC_ENTROPY_GOODONLY;
- result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
- if (result != ISC_R_SUCCESS)
- fatal("could not create hash context");
-
result = dst_lib_init2(mctx, ectx, engine, eflags);
if (result != ISC_R_SUCCESS)
fatal("could not initialize dst: %s",
isc_result_totext(result));
+
+ result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
+ if (result != ISC_R_SUCCESS)
+ fatal("could not create hash context");
+
isc_stdtime_get(&now);
if (startstr != NULL) {
@@ -3884,8 +3885,8 @@ main(int argc, char *argv[]) {
dns_master_styledestroy(&dsstyle, mctx);
cleanup_logging(&log);
- dst_lib_destroy();
isc_hash_destroy();
+ dst_lib_destroy();
cleanup_entropy(&ectx);
dns_name_destroy();
if (verbose > 10)
diff --git a/bin/dnssec/dnssec-verify.c b/bin/dnssec/dnssec-verify.c
index 087cd5d..07c7294 100644
--- a/bin/dnssec/dnssec-verify.c
+++ b/bin/dnssec/dnssec-verify.c
@@ -281,15 +281,15 @@ main(int argc, char *argv[]) {
if (ectx == NULL)
setup_entropy(mctx, NULL, &ectx);
- result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
- if (result != ISC_R_SUCCESS)
- fatal("could not create hash context");
-
result = dst_lib_init2(mctx, ectx, engine, ISC_ENTROPY_BLOCKING);
if (result != ISC_R_SUCCESS)
fatal("could not initialize dst: %s",
isc_result_totext(result));
+ result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
+ if (result != ISC_R_SUCCESS)
+ fatal("could not create hash context");
+
isc_stdtime_get(&now);
rdclass = strtoclass(classname);
diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
index 7f045e8..2a0f9c6 100644
--- a/bin/dnssec/dnssectool.c
+++ b/bin/dnssec/dnssectool.c
@@ -34,6 +34,7 @@
#include <isc/heap.h>
#include <isc/list.h>
#include <isc/mem.h>
+#include <isc/platform.h>
#include <isc/print.h>
#include <isc/string.h>
#include <isc/time.h>
@@ -235,7 +236,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
if (*ectx == NULL) {
result = isc_entropy_create(mctx, ectx);
if (result != ISC_R_SUCCESS)
- fatal("could not create entropy object");
+ fatal("could not create entropy object: %s",
+ isc_result_totext(result));
ISC_LIST_INIT(sources);
}
@@ -244,6 +246,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
randomfile = NULL;
}
+#ifdef ISC_PLATFORM_CRYPTORANDOM
+ if (randomfile != NULL &&
+ strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
+ randomfile = NULL;
+ isc_entropy_usehook(*ectx, true);
+ }
+#endif
result = isc_entropy_usebestsource(*ectx, &source, randomfile,
usekeyboard);
diff --git a/bin/named/server.c b/bin/named/server.c
index 30d38be..b2ae57c 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -36,6 +36,7 @@
#include <isc/lex.h>
#include <isc/meminfo.h>
#include <isc/parseint.h>
+#include <isc/platform.h>
#include <isc/portset.h>
#include <isc/print.h>
#include <isc/random.h>
@@ -8286,6 +8287,10 @@ load_configuration(const char *filename, ns_server_t *server,
"no source of entropy found");
} else {
const char *randomdev = cfg_obj_asstring(obj);
+#ifdef ISC_PLATFORM_CRYPTORANDOM
+ if (strcmp(randomdev, ISC_PLATFORM_CRYPTORANDOM) == 0)
+ isc_entropy_usehook(ns_g_entropy, true);
+#else
int level = ISC_LOG_ERROR;
result = isc_entropy_createfilesource(ns_g_entropy,
randomdev);
@@ -8320,6 +8325,7 @@ load_configuration(const char *filename, ns_server_t *server,
}
isc_entropy_detach(&ns_g_fallbackentropy);
}
+#endif
#endif
}
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
index 5a2c660..7f15cbc 100644
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -278,7 +278,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
if (*ectx == NULL) {
result = isc_entropy_create(mctx, ectx);
if (result != ISC_R_SUCCESS)
- fatal("could not create entropy object");
+ fatal("could not create entropy object: %s",
+ isc_result_totext(result));
ISC_LIST_INIT(sources);
}
@@ -287,6 +288,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
randomfile = NULL;
}
+#ifdef ISC_PLATFORM_CRYPTORANDOM
+ if (randomfile != NULL &&
+ strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
+ randomfile = NULL;
+ isc_entropy_usehook(*ectx, true);
+ }
+#endif
result = isc_entropy_usebestsource(*ectx, &source, randomfile,
usekeyboard);
@@ -989,11 +997,11 @@ setup_system(void) {
}
}
- setup_entropy(gmctx, NULL, &entropy);
+ if (entropy == NULL)
+ setup_entropy(gmctx, NULL, &entropy);
result = isc_hash_create(gmctx, entropy, DNS_NAME_MAXWIRE);
check_result(result, "isc_hash_create");
- isc_hash_init();
result = dns_dispatchmgr_create(gmctx, entropy, &dispatchmgr);
check_result(result, "dns_dispatchmgr_create");
diff --git a/bin/tests/makejournal.c b/bin/tests/makejournal.c
index 68b5e5a..cd54c8d 100644
--- a/bin/tests/makejournal.c
+++ b/bin/tests/makejournal.c
@@ -102,12 +102,12 @@ main(int argc, char **argv) {
CHECK(isc_mem_create(0, 0, &mctx));
CHECK(isc_entropy_create(mctx, &ectx));
- CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
- hash_active = true;
-
CHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_BLOCKING));
dst_active = true;
+ CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
+ hash_active = true;
+
CHECK(isc_log_create(mctx, &lctx, &logconfig));
isc_log_registercategories(lctx, categories);
isc_log_setcontext(lctx);
diff --git a/bin/tests/system/pipelined/pipequeries.c b/bin/tests/system/pipelined/pipequeries.c
index e16ec11..95b65bf 100644
--- a/bin/tests/system/pipelined/pipequeries.c
+++ b/bin/tests/system/pipelined/pipequeries.c
@@ -204,6 +204,7 @@ sendqueries(isc_task_t *task, isc_event_t *event) {
int
main(int argc, char *argv[]) {
+ char *randomfile = NULL;
isc_sockaddr_t bind_any;
struct in_addr inaddr;
isc_result_t result;
@@ -222,7 +223,7 @@ main(int argc, char *argv[]) {
int c;
isc_commandline_errprint = false;
- while ((c = isc_commandline_parse(argc, argv, "p:")) != -1) {
+ while ((c = isc_commandline_parse(argc, argv, "p:r:")) != -1) {
switch (c) {
case 'p':
result = isc_parse_uint16(&port,
@@ -233,6 +234,9 @@ main(int argc, char *argv[]) {
exit(1);
}
break;
+ case 'r':
+ randomfile = isc_commandline_argument;
+ break;
case '?':
fprintf(stderr, "%s: invalid argument '%c'",
argv[0], c);
@@ -275,10 +279,18 @@ main(int argc, char *argv[]) {
ectx = NULL;
RUNCHECK(isc_entropy_create(mctx, &ectx));
- RUNCHECK(isc_entropy_createfilesource(ectx, "../random.data"));
- RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
+#ifdef ISC_PLATFORM_CRYPTORANDOM
+ if (randomfile != NULL &&
+ strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
+ randomfile = NULL;
+ isc_entropy_usehook(ectx, true);
+ }
+#endif
+ if (randomfile != NULL)
+ RUNCHECK(isc_entropy_createfilesource(ectx, randomfile));
RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY));
+ RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
taskmgr = NULL;
RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr));
@@ -331,8 +343,8 @@ main(int argc, char *argv[]) {
isc_task_detach(&task);
isc_taskmgr_destroy(&taskmgr);
- dst_lib_destroy();
isc_hash_destroy();
+ dst_lib_destroy();
isc_entropy_detach(&ectx);
isc_log_destroy(&lctx);
diff --git a/bin/tests/system/pipelined/tests.sh b/bin/tests/system/pipelined/tests.sh
index c0a99a2..0245527 100644
--- a/bin/tests/system/pipelined/tests.sh
+++ b/bin/tests/system/pipelined/tests.sh
@@ -19,7 +19,7 @@ status=0
echo_i "check pipelined TCP queries"
ret=0
-$PIPEQUERIES -p ${PORT} < input > raw || ret=1
+$PIPEQUERIES -p ${PORT} -r $RANDFILE < input > raw || ret=1
awk '{ print $1 " " $5 }' < raw > output
sort < output > output-sorted
$DIFF ref output-sorted || { ret=1 ; echo_i "diff sorted failed"; }
@@ -43,7 +43,7 @@ status=`expr $status + $ret`
echo_i "check keep-response-order"
ret=0
-$PIPEQUERIES -p ${PORT} ++ < inputb > rawb || ret=1
+$PIPEQUERIES -p ${PORT} -r $RANDFILE ++ < inputb > rawb || ret=1
awk '{ print $1 " " $5 }' < rawb > outputb
$DIFF refb outputb || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
diff --git a/bin/tests/system/rsabigexponent/bigkey.c b/bin/tests/system/rsabigexponent/bigkey.c
index abf12ed..fa5182c 100644
--- a/bin/tests/system/rsabigexponent/bigkey.c
+++ b/bin/tests/system/rsabigexponent/bigkey.c
@@ -20,6 +20,7 @@
#include <isc/buffer.h>
#include <isc/entropy.h>
#include <isc/mem.h>
+#include <isc/platform.h>
#include <isc/print.h>
#include <isc/region.h>
#include <isc/stdio.h>
@@ -183,6 +184,9 @@ main(int argc, char **argv) {
CHECK(isc_mem_create(0, 0, &mctx), "isc_mem_create()");
CHECK(isc_entropy_create(mctx, &ectx), "isc_entropy_create()");
+#ifdef ISC_PLATFORM_CRYPTORANDOM
+ isc_entropy_usehook(ectx, true);
+#endif
CHECK(isc_entropy_usebestsource(ectx, &source,
"../random.data",
ISC_ENTROPY_KEYBOARDNO),
diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c
index 34360aa..3236968 100644
--- a/bin/tests/system/tkey/keycreate.c
+++ b/bin/tests/system/tkey/keycreate.c
@@ -206,6 +206,7 @@ sendquery(isc_task_t *task, isc_event_t *event) {
int
main(int argc, char *argv[]) {
char *ourkeyname;
+ char *randomfile;
isc_taskmgr_t *taskmgr;
isc_timermgr_t *timermgr;
isc_socketmgr_t *socketmgr;
@@ -225,10 +226,21 @@ main(int argc, char *argv[]) {
RUNCHECK(isc_app_start());
+ randomfile = NULL;
+
if (argc < 2) {
fprintf(stderr, "I:no DH key provided\n");
exit(-1);
}
+ if (strcmp(argv[1], "-r") == 0) {
+ if (argc < 4) {
+ fprintf(stderr, "I:no DH key provided\n");
+ exit(-1);
+ }
+ randomfile = argv[2];
+ argv += 2;
+ argc -= 2;
+ }
ourkeyname = argv[1];
if (argc >= 3)
@@ -242,14 +254,22 @@ main(int argc, char *argv[]) {
ectx = NULL;
RUNCHECK(isc_entropy_create(mctx, &ectx));
- RUNCHECK(isc_entropy_createfilesource(ectx, "../random.data"));
- RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
+#ifdef ISC_PLATFORM_CRYPTORANDOM
+ if (randomfile != NULL &&
+ strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
+ randomfile = NULL;
+ isc_entropy_usehook(ectx, true);
+ }
+#endif
+ if (randomfile != NULL)
+ RUNCHECK(isc_entropy_createfilesource(ectx, randomfile));
log = NULL;
logconfig = NULL;
RUNCHECK(isc_log_create(mctx, &log, &logconfig));
RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY));
+ RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
taskmgr = NULL;
RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr));
@@ -328,8 +348,8 @@ main(int argc, char *argv[]) {
isc_log_destroy(&log);
- dst_lib_destroy();
isc_hash_destroy();
+ dst_lib_destroy();
isc_entropy_detach(&ectx);
isc_mem_destroy(&mctx);
diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c
index 4b5b901..43fb6b0 100644
--- a/bin/tests/system/tkey/keydelete.c
+++ b/bin/tests/system/tkey/keydelete.c
@@ -136,6 +136,7 @@ sendquery(isc_task_t *task, isc_event_t *event) {
int
main(int argc, char **argv) {
char *keyname;
+ char *randomfile;
isc_taskmgr_t *taskmgr;
isc_timermgr_t *timermgr;
isc_socketmgr_t *socketmgr;
@@ -156,10 +157,21 @@ main(int argc, char **argv) {
RUNCHECK(isc_app_start());
+ randomfile = NULL;
+
if (argc < 2) {
fprintf(stderr, "I:no key to delete\n");
exit(-1);
}
+ if (strcmp(argv[1], "-r") == 0) {
+ if (argc < 4) {
+ fprintf(stderr, "I:no DH key provided\n");
+ exit(-1);
+ }
+ randomfile = argv[2];
+ argv += 2;
+ argc -= 2;
+ }
keyname = argv[1];
dns_result_register();
@@ -169,14 +181,22 @@ main(int argc, char **argv) {
ectx = NULL;
RUNCHECK(isc_entropy_create(mctx, &ectx));
- RUNCHECK(isc_entropy_createfilesource(ectx, "../random.data"));
- RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
+#ifdef ISC_PLATFORM_CRYPTORANDOM
+ if (randomfile != NULL &&
+ strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
+ randomfile = NULL;
+ isc_entropy_usehook(ectx, true);
+ }
+#endif
+ if (randomfile != NULL)
+ RUNCHECK(isc_entropy_createfilesource(ectx, randomfile));
log = NULL;
logconfig = NULL;
RUNCHECK(isc_log_create(mctx, &log, &logconfig));
RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY));
+ RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
taskmgr = NULL;
RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr));
@@ -264,8 +284,8 @@ main(int argc, char **argv) {
isc_log_destroy(&log);
- dst_lib_destroy();
isc_hash_destroy();
+ dst_lib_destroy();
isc_entropy_detach(&ectx);
isc_mem_destroy(&mctx);
diff --git a/bin/tests/system/tkey/tests.sh b/bin/tests/system/tkey/tests.sh
index b265156..bcd60a6 100644
--- a/bin/tests/system/tkey/tests.sh
+++ b/bin/tests/system/tkey/tests.sh
@@ -33,7 +33,7 @@ for owner in . foo.example.
do
echo_i "creating new key using owner name \"$owner\" ($n)"
ret=0
- keyname=`$KEYCREATE $dhkeyname $owner` || ret=1
+ keyname=`$KEYCREATE -r $RANDFILE $dhkeyname $owner` || ret=1
if [ $ret != 0 ]; then
echo_i "failed"
status=$((status+ret))
@@ -57,7 +57,7 @@ do
echo_i "deleting new key ($n)"
ret=0
- $KEYDELETE $keyname || ret=1
+ $KEYDELETE -r $RANDFILE $keyname || ret=1
if [ $ret != 0 ]; then
echo_i "failed"
fi
@@ -79,7 +79,7 @@ done
echo_i "creating new key using owner name bar.example. ($n)"
ret=0
-keyname=`$KEYCREATE $dhkeyname bar.example.` || ret=1
+keyname=`$KEYCREATE -r $RANDFILE $dhkeyname bar.example.` || ret=1
if [ $ret != 0 ]; then
echo_i "failed"
status=$((status+ret))
@@ -124,7 +124,7 @@ n=$((n+1))
echo_i "recreating the bar.example. key ($n)"
ret=0
-keyname=`$KEYCREATE $dhkeyname bar.example.` || ret=1
+keyname=`$KEYCREATE -r $RANDFILE $dhkeyname bar.example.` || ret=1
if [ $ret != 0 ]; then
echo_i "failed"
status=$((status+ret))
diff --git a/bin/tools/mdig.c b/bin/tools/mdig.c
index 26fa609..fb34aa0 100644
--- a/bin/tools/mdig.c
+++ b/bin/tools/mdig.c
@@ -2005,12 +2005,11 @@ main(int argc, char *argv[]) {
ectx = NULL;
RUNCHECK(isc_entropy_create(mctx, &ectx));
+ RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY));
RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
RUNCHECK(isc_entropy_getdata(ectx, cookie_secret,
sizeof(cookie_secret), NULL, 0));
- RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY));
-
ISC_LIST_INIT(queries);
parse_args(false, argc, argv);
if (server == NULL)
diff --git a/configure b/configure
index 0faca65..d5ffc87 100755
--- a/configure
+++ b/configure
@@ -640,6 +640,7 @@ ac_includes_default="\
ac_subst_vars='LTLIBOBJS
LIBOBJS
+LIBDIR_SUFFIX
BUILD_LIBS
BUILD_LDFLAGS
BUILD_CPPFLAGS
@@ -823,6 +824,7 @@ LIBXML2_CFLAGS
NZDTARGETS
NZDSRCS
NZD_TOOLS
+ISC_PLATFORM_CRYPTORANDOM
PKCS11_TEST
PKCS11_ED25519
PKCS11_GOST
@@ -1047,6 +1049,7 @@ with_eddsa
with_aes
enable_openssl_hash
with_cc_alg
+enable_crypto_rand
with_lmdb
with_libxml2
with_libjson
@@ -1749,6 +1752,7 @@ Optional Features:
--enable-threads enable multithreading
--enable-native-pkcs11 use native PKCS11 for all crypto [default=no]
--enable-openssl-hash use OpenSSL for hash functions [default=no]
+ --enable-crypto-rand use the crypto provider for random [default=yes]
--enable-largefile 64-bit file support
--enable-backtrace log stack backtrace on abort [default=yes]
--enable-symtable use internal symbol table for backtrace
@@ -17205,6 +17209,7 @@ case "$use_openssl" in
$as_echo "disabled because of native PKCS11" >&6; }
DST_OPENSSL_INC=""
CRYPTO="-DPKCS11CRYPTO"
+ CRYPTOLIB="pkcs11"
OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
@@ -17219,6 +17224,7 @@ $as_echo "disabled because of native PKCS11" >&6; }
$as_echo "no" >&6; }
DST_OPENSSL_INC=""
CRYPTO=""
+ CRYPTOLIB=""
OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
@@ -17231,6 +17237,7 @@ $as_echo "no" >&6; }
auto)
DST_OPENSSL_INC=""
CRYPTO=""
+ CRYPTOLIB=""
OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
@@ -17240,7 +17247,7 @@ $as_echo "no" >&6; }
OPENSSLLINKOBJS=""
OPENSSLLINKSRCS=""
as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
-If you don't want OpenSSL, use --without-openssl" "$LINENO" 5
+If you do not want OpenSSL, use --without-openssl" "$LINENO" 5
;;
*)
if test "yes" = "$want_native_pkcs11"
@@ -17271,6 +17278,7 @@ $as_echo "not found" >&6; }
as_fn_error $? "\"$use_openssl/include/openssl/opensslv.h\" not found" "$LINENO" 5
fi
CRYPTO='-DOPENSSL'
+ CRYPTOLIB="openssl"
if test "/usr" = "$use_openssl"
then
DST_OPENSSL_INC=""
@@ -17897,8 +17905,6 @@ fi
# Use OpenSSL for hash functions
#
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for using OpenSSL for hash functions" >&5
-$as_echo_n "checking for using OpenSSL for hash functions... " >&6; }
ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
case $want_openssl_hash in
yes)
@@ -18273,6 +18279,86 @@ if test "rt" = "$have_clock_gt"; then
LIBS="-lrt $LIBS"
fi
+#
+# Use the crypto provider (OpenSSL/PKCS#11) for random functions
+#
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for using the crypto library (vs. builtin) for random functions" >&5
+$as_echo_n "checking for using the crypto library (vs. builtin) for random functions... " >&6; }
+# Check whether --enable-crypto-rand was given.
+if test "${enable_crypto_rand+set}" = set; then :
+ enableval=$enable_crypto_rand; want_crypto_rand="$enableval"
+else
+ want_crypto_rand="auto"
+fi
+
+if test "$want_crypto_rand" = "auto"
+then
+ case "$CRYPTOLIB" in
+ "")
+ want_crypto_rand="no"
+ ;;
+ pkcs11)
+ want_crypto_rand="yes"
+ ;;
+ openssl)
+ saved_cflags="$CFLAGS"
+ saved_libs="$LIBS"
+ CFLAGS="$CFLAGS $DST_OPENSSL_INC"
+ LIBS="$LIBS $DST_OPENSSL_LIBS"
+ if test "$cross_compiling" = yes; then :
+ want_crypto_rand="yes"
+else
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+#include <openssl/rand.h>
+
+unsigned char buf[128];
+
+int main()
+{
+ if (RAND_bytes(buf, 128) != 1)
+ return (1);
+ return (0);
+}
+
+_ACEOF
+if ac_fn_c_try_run "$LINENO"; then :
+ want_crypto_rand="yes"
+else
+ want_crypto_rand="no"
+fi
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
+ conftest.$ac_objext conftest.beam conftest.$ac_ext
+fi
+
+ CFLAGS="$saved_cflags"
+ LIBS="$saved_libs"
+ ;;
+ *)
+ as_fn_error $? "Unknown crypto library define $CRYPTOLIB" "$LINENO" 5
+ ;;
+ esac
+fi
+case $want_crypto_rand in
+ yes)
+ if test "$CRYPTOLIB" = ""
+ then
+ as_fn_error $? "No crypto library for random functions" "$LINENO" 5
+ fi
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: \"$CRYPTOLIB\"" >&5
+$as_echo "\"$CRYPTOLIB\"" >&6; }
+ ISC_PLATFORM_CRYPTORANDOM="#define ISC_PLATFORM_CRYPTORANDOM \"$CRYPTOLIB\""
+ ;;
+ no)
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+ ISC_PLATFORM_CRYPTORANDOM="#undef ISC_PLATFORM_CRYPTORANDOM"
+ ;;
+esac
+
+
#
# was --with-lmdb specified?
#
@@ -20549,9 +20635,12 @@ _ACEOF
if ac_fn_c_try_compile "$LINENO"; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: size_t for buflen; int for flags" >&5
$as_echo "size_t for buflen; int for flags" >&6; }
- $as_echo "#define IRS_GETNAMEINFO_SOCKLEN_T size_t" >>confdefs.h
+ # Changed to solve multilib conflict on Fedora
+ # AC_DEFINE(IRS_GETNAMEINFO_SOCKLEN_T, size_t)
+ # AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, size_t)
+ $as_echo "#define IRS_GETNAMEINFO_SOCKLEN_T socklen_t" >>confdefs.h
- $as_echo "#define IRS_GETNAMEINFO_BUFLEN_T size_t" >>confdefs.h
+ $as_echo "#define IRS_GETNAMEINFO_BUFLEN_T socklen_t" >>confdefs.h
$as_echo "#define IRS_GETNAMEINFO_FLAGS_T int" >>confdefs.h
@@ -21877,12 +21966,7 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM"
ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM"
if test "yes" = "$use_atomic"; then
- have_atomic=yes # set default
- case "$host" in
- i[3456]86-*)
- # XXX: some old x86 architectures actually do not support
- # (some of) these operations. Do we need stricter checks?
- # The cast to long int works around a bug in the HP C Compiler
+ # The cast to long int works around a bug in the HP C Compiler
# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
# This bug is HP SR number 8606223364.
@@ -21915,6 +21999,11 @@ cat >>confdefs.h <<_ACEOF
_ACEOF
+ have_atomic=yes # set default
+ case "$host" in
+ i[3456]86-*)
+ # XXX: some old x86 architectures actually do not support
+ # (some of) these operations. Do we need stricter checks?
if test $ac_cv_sizeof_void_p = 8; then
arch=x86_64
have_xaddq=yes
@@ -21923,39 +22012,6 @@ _ACEOF
fi
;;
x86_64-*|amd64-*)
- # The cast to long int works around a bug in the HP C Compiler
-# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
-# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
-# This bug is HP SR number 8606223364.
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of void *" >&5
-$as_echo_n "checking size of void *... " >&6; }
-if ${ac_cv_sizeof_void_p+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (void *))" "ac_cv_sizeof_void_p" "$ac_includes_default"; then :
-
-else
- if test "$ac_cv_type_void_p" = yes; then
- { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
-$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-as_fn_error 77 "cannot compute sizeof (void *)
-See \`config.log' for more details" "$LINENO" 5; }
- else
- ac_cv_sizeof_void_p=0
- fi
-fi
-
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_void_p" >&5
-$as_echo "$ac_cv_sizeof_void_p" >&6; }
-
-
-
-cat >>confdefs.h <<_ACEOF
-#define SIZEOF_VOID_P $ac_cv_sizeof_void_p
-_ACEOF
-
-
if test $ac_cv_sizeof_void_p = 8; then
arch=x86_64
have_xaddq=yes
@@ -21986,6 +22042,10 @@ $as_echo_n "checking architecture type for atomic operations... " >&6; }
$as_echo "$arch" >&6; }
fi
+if test ! "$arch" = "x86_64" -a "$have_xaddq" = "yes"; then
+ as_fn_error $? "XADDQ present but disabled by Fedora patch!" "$LINENO" 5
+fi
+
if test "yes" = "$have_atomic"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking compiler support for inline assembly code" >&5
$as_echo_n "checking compiler support for inline assembly code... " >&6; }
@@ -24567,6 +24627,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS"
#
dlzdir='${DLZ_DRIVER_DIR}'
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for target libdir" >&5
+$as_echo_n "checking for target libdir... " >&6; }
+if test "$cross_compiling" = yes; then :
+ { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "cannot run test program while cross compiling
+See \`config.log' for more details" "$LINENO" 5; }
+else
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+int main(void) {exit((sizeof(void *) == 8) ? 0 : 1);}
+_ACEOF
+if ac_fn_c_try_run "$LINENO"; then :
+ target_lib=lib64
+else
+ target_lib=lib
+fi
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
+ conftest.$ac_objext conftest.beam conftest.$ac_ext
+fi
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: \"$target_lib\"" >&5
+$as_echo "\"$target_lib\"" >&6; }
+
#
# Private autoconf macro to simplify configuring drivers:
#
@@ -24897,11 +24981,11 @@ $as_echo "no" >&6; }
$as_echo "using mysql with libs ${mysql_lib} and includes ${mysql_include}" >&6; }
;;
*)
- if test -d "$use_dlz_mysql/lib/mysql"
+ if test -d $use_dlz_mysql/${target_lib}/mysql
then
- mysql_lib="$use_dlz_mysql/lib/mysql"
+ mysql_lib=$use_dlz_mysql/${target_lib}/mysql
else
- mysql_lib="$use_dlz_mysql/lib"
+ mysql_lib=$use_dlz_mysql/${target_lib}
fi
CONTRIB_DLZ="$CONTRIB_DLZ -DDLZ_MYSQL"
@@ -24986,7 +25070,7 @@ $as_echo "" >&6; }
# Check other locations for includes.
# Order is important (sigh).
- bdb_incdirs="/db53 /db51 /db48 /db47 /db46 /db45 /db44 /db43 /db42 /db41 /db4 /db"
+ bdb_incdirs="/db53 /db51 /db48 /db47 /db46 /db45 /db44 /db43 /db42 /db41 /db4 /libdb /db"
# include a blank element first
for d in "" $bdb_incdirs
do
@@ -25011,57 +25095,9 @@ $as_echo "" >&6; }
bdb_libnames="db53 db-5.3 db51 db-5.1 db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db"
for d in $bdb_libnames
do
- if test "$dd" = "/usr"
- then
- as_ac_Lib=`$as_echo "ac_cv_lib_$d''_db_create" | $as_tr_sh`
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for db_create in -l$d" >&5
-$as_echo_n "checking for db_create in -l$d... " >&6; }
-if eval \${$as_ac_Lib+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_check_lib_save_LIBS=$LIBS
-LIBS="-l$d $LIBS"
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char db_create ();
-int
-main ()
-{
-return db_create ();
- ;
- return 0;
-}
-_ACEOF
-if ac_fn_c_try_link "$LINENO"; then :
- eval "$as_ac_Lib=yes"
-else
- eval "$as_ac_Lib=no"
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-eval ac_res=\$$as_ac_Lib
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
-$as_echo "$ac_res" >&6; }
-if eval test \"x\$"$as_ac_Lib"\" = x"yes"; then :
- dlz_bdb_libs="-l${d}"
-fi
-
- if test $dlz_bdb_libs != "yes"
- then
- break
- fi
- elif test -f "$dd/lib/lib${d}.so"
+ if test -f "$dd/${target_lib}/lib${d}.so"
then
- dlz_bdb_libs="-L${dd}/lib -l${d}"
+ dlz_bdb_libs="-L${dd}/${target_lib}/libdb -l${d}"
break
fi
done
@@ -25220,10 +25256,10 @@ $as_echo "no" >&6; }
DLZ_DRIVER_INCLUDES="$DLZ_DRIVER_INCLUDES -I$use_dlz_ldap/include"
DLZ_DRIVER_LDAP_INCLUDES="-I$use_dlz_ldap/include"
fi
- if test -n "-L$use_dlz_ldap/lib -lldap -llber"
+ if test -n "-L$use_dlz_ldap/${target_lib} -lldap -llber"
then
- DLZ_DRIVER_LIBS="$DLZ_DRIVER_LIBS -L$use_dlz_ldap/lib -lldap -llber"
- DLZ_DRIVER_LDAP_LIBS="-L$use_dlz_ldap/lib -lldap -llber"
+ DLZ_DRIVER_LIBS="$DLZ_DRIVER_LIBS -L$use_dlz_ldap/${target_lib} -lldap -llber"
+ DLZ_DRIVER_LDAP_LIBS="-L$use_dlz_ldap/${target_lib} -lldap -llber"
fi
@@ -25309,11 +25345,11 @@ fi
odbcdirs="/usr /usr/local /usr/pkg"
for d in $odbcdirs
do
- if test -f $d/include/sql.h -a -f $d/lib/libodbc.a
+ if test -f $d/include/sql.h -a -f $d/${target_lib}/libodbc.a
then
use_dlz_odbc=$d
dlz_odbc_include="-I$use_dlz_odbc/include"
- dlz_odbc_libs="-L$use_dlz_odbc/lib -lodbc"
+ dlz_odbc_libs="-L$use_dlz_odbc/${target_lib} -lodbc"
break
fi
done
@@ -25588,6 +25624,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS"
+
+
#
# Commands to run at the end of config.status.
# Don't just put these into configure, it won't work right if somebody
@@ -27966,6 +28004,8 @@ report() {
echo " IPv6 support (--enable-ipv6)"
test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \
echo " OpenSSL cryptography/DNSSEC (--with-openssl)"
+ test "no" = "$want_crypto_rand" || \
+ echo " Crypto provider entropy source (--enable-crypto-rand)"
test "X$PYTHON" = "X" || echo " Python tools (--with-python)"
test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)"
test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)"
@@ -28006,6 +28046,8 @@ report() {
echo " Very verbose query trace logging (--enable-querytrace)"
test "no" = "$with_cmocka" || echo " CMocka Unit Testing Framework (--with-cmocka)"
+ echo " Cryptographic library for DNSSEC: $CRYPTOLIB"
+
echo " Dynamically loadable zone (DLZ) drivers:"
test "no" = "$use_dlz_bdb" || \
echo " Berkeley DB (--with-dlz-bdb)"
@@ -28053,6 +28095,8 @@ report() {
echo " ECDSA algorithm support (--with-ecdsa)"
test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \
echo " EDDSA algorithm support (--with-eddsa)"
+ test "yes" = "$want_crypto_rand" || \
+ echo " Crypto provider entropy source (--enable-crypto-rand)"
test "yes" = "$enable_seccomp" || \
echo " Use libseccomp system call filtering (--enable-seccomp)"
diff --git a/configure.ac b/configure.ac
index 78535bd..faef2e8 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1598,6 +1598,7 @@ case "$use_openssl" in
AC_MSG_RESULT(disabled because of native PKCS11)
DST_OPENSSL_INC=""
CRYPTO="-DPKCS11CRYPTO"
+ CRYPTOLIB="pkcs11"
OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
@@ -1611,6 +1612,7 @@ case "$use_openssl" in
AC_MSG_RESULT(no)
DST_OPENSSL_INC=""
CRYPTO=""
+ CRYPTOLIB=""
OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
@@ -1623,6 +1625,7 @@ case "$use_openssl" in
auto)
DST_OPENSSL_INC=""
CRYPTO=""
+ CRYPTOLIB=""
OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
@@ -1633,7 +1636,7 @@ case "$use_openssl" in
OPENSSLLINKSRCS=""
AC_MSG_ERROR(
[OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
-If you don't want OpenSSL, use --without-openssl])
+If you do not want OpenSSL, use --without-openssl])
;;
*)
if test "yes" = "$want_native_pkcs11"
@@ -1663,6 +1666,7 @@ If you don't want OpenSSL, use --without-openssl])
AC_MSG_ERROR(["$use_openssl/include/openssl/opensslv.h" not found])
fi
CRYPTO='-DOPENSSL'
+ CRYPTOLIB="openssl"
if test "/usr" = "$use_openssl"
then
DST_OPENSSL_INC=""
@@ -2099,7 +2103,6 @@ fi
# Use OpenSSL for hash functions
#
-AC_MSG_CHECKING(for using OpenSSL for hash functions)
ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
case $want_openssl_hash in
yes)
@@ -2371,6 +2374,67 @@ if test "rt" = "$have_clock_gt"; then
LIBS="-lrt $LIBS"
fi
+#
+# Use the crypto provider (OpenSSL/PKCS#11) for random functions
+#
+
+AC_MSG_CHECKING(for using the crypto library (vs. builtin) for random functions)
+AC_ARG_ENABLE(crypto-rand,
+ [ --enable-crypto-rand use the crypto provider for random [[default=yes]]],
+ want_crypto_rand="$enableval", want_crypto_rand="auto")
+if test "$want_crypto_rand" = "auto"
+then
+ case "$CRYPTOLIB" in
+ "")
+ want_crypto_rand="no"
+ ;;
+ pkcs11)
+ want_crypto_rand="yes"
+ ;;
+ openssl)
+ saved_cflags="$CFLAGS"
+ saved_libs="$LIBS"
+ CFLAGS="$CFLAGS $DST_OPENSSL_INC"
+ LIBS="$LIBS $DST_OPENSSL_LIBS"
+ AC_TRY_RUN([
+#include <openssl/rand.h>
+
+unsigned char buf[128];
+
+int main()
+{
+ if (RAND_bytes(buf, 128) != 1)
+ return (1);
+ return (0);
+}
+],
+ [want_crypto_rand="yes"],
+ [want_crypto_rand="no"],
+ [want_crypto_rand="yes"])
+ CFLAGS="$saved_cflags"
+ LIBS="$saved_libs"
+ ;;
+ *)
+ AC_MSG_ERROR([Unknown crypto library define $CRYPTOLIB])
+ ;;
+ esac
+fi
+case $want_crypto_rand in
+ yes)
+ if test "$CRYPTOLIB" = ""
+ then
+ AC_MSG_ERROR([No crypto library for random functions])
+ fi
+ AC_MSG_RESULT(["$CRYPTOLIB"])
+ ISC_PLATFORM_CRYPTORANDOM="#define ISC_PLATFORM_CRYPTORANDOM \"$CRYPTOLIB\""
+ ;;
+ no)
+ AC_MSG_RESULT(no)
+ ISC_PLATFORM_CRYPTORANDOM="#undef ISC_PLATFORM_CRYPTORANDOM"
+ ;;
+esac
+AC_SUBST(ISC_PLATFORM_CRYPTORANDOM)
+
#
# was --with-lmdb specified?
#
@@ -4188,12 +4252,12 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM"
ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM"
if test "yes" = "$use_atomic"; then
+ AC_CHECK_SIZEOF([void *])
have_atomic=yes # set default
case "$host" in
[i[3456]86-*])
# XXX: some old x86 architectures actually do not support
# (some of) these operations. Do we need stricter checks?
- AC_CHECK_SIZEOF([void *])
if test $ac_cv_sizeof_void_p = 8; then
arch=x86_64
have_xaddq=yes
@@ -4202,7 +4266,6 @@ if test "yes" = "$use_atomic"; then
fi
;;
x86_64-*|amd64-*)
- AC_CHECK_SIZEOF([void *])
if test $ac_cv_sizeof_void_p = 8; then
arch=x86_64
have_xaddq=yes
@@ -5635,6 +5698,8 @@ report() {
echo " IPv6 support (--enable-ipv6)"
test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \
echo " OpenSSL cryptography/DNSSEC (--with-openssl)"
+ test "no" = "$want_crypto_rand" || \
+ echo " Crypto provider entropy source (--enable-crypto-rand)"
test "X$PYTHON" = "X" || echo " Python tools (--with-python)"
test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)"
test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)"
@@ -5675,6 +5740,8 @@ report() {
echo " Very verbose query trace logging (--enable-querytrace)"
test "no" = "$with_cmocka" || echo " CMocka Unit Testing Framework (--with-cmocka)"
+ echo " Cryptographic library for DNSSEC: $CRYPTOLIB"
+
echo " Dynamically loadable zone (DLZ) drivers:"
test "no" = "$use_dlz_bdb" || \
echo " Berkeley DB (--with-dlz-bdb)"
@@ -5722,6 +5789,8 @@ report() {
echo " ECDSA algorithm support (--with-ecdsa)"
test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \
echo " EDDSA algorithm support (--with-eddsa)"
+ test "yes" = "$want_crypto_rand" || \
+ echo " Crypto provider entropy source (--enable-crypto-rand)"
test "yes" = "$enable_seccomp" || \
echo " Use libseccomp system call filtering (--enable-seccomp)"
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index 7a86506..aa54afc 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -277,6 +277,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
#ifdef GSSAPI
RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI]));
#endif
+#if defined(OPENSSL) || defined(PKCS11CRYPTO)
+#ifdef ISC_PLATFORM_CRYPTORANDOM
+ if (dst_entropy_pool != NULL)
+ isc_entropy_sethook(dst_random_getdata);
+#endif
+#endif /* defined(OPENSSL) || defined(PKCS11CRYPTO) */
dst_initialized = true;
return (ISC_R_SUCCESS);
@@ -296,11 +302,19 @@ dst_lib_destroy(void) {
for (i = 0; i < DST_MAX_ALGS; i++)
if (dst_t_func[i] != NULL && dst_t_func[i]->cleanup != NULL)
dst_t_func[i]->cleanup();
+#if defined(OPENSSL) || defined(PKCS11CRYPTO)
+#ifdef ISC_PLATFORM_CRYPTORANDOM
+ if (dst_entropy_pool != NULL) {
+ isc_entropy_usehook(dst_entropy_pool, false);
+ isc_entropy_sethook(NULL);
+ }
+#endif
#ifdef OPENSSL
dst__openssl_destroy();
#elif PKCS11CRYPTO
(void) dst__pkcs11_destroy();
#endif /* if OPENSSL, elif PKCS11CRYPTO */
+#endif /* defined(OPENSSL) || defined(PKCS11CRYPTO) */
if (dst__memory_pool != NULL)
isc_mem_detach(&dst__memory_pool);
if (dst_entropy_pool != NULL)
@@ -2002,13 +2016,17 @@ dst__entropy_getdata(void *buf, unsigned int len, bool pseudo) {
flags &= ~ISC_ENTROPY_GOODONLY;
else
flags |= ISC_ENTROPY_BLOCKING;
+#ifdef ISC_PLATFORM_CRYPTORANDOM
+ return (dst_random_getdata(buf, len, NULL, flags));
+#else
return (isc_entropy_getdata(dst_entropy_pool, buf, len, NULL, flags));
+#endif
#endif /* PKCS11CRYPTO */
}
unsigned int
dst__entropy_status(void) {
-#ifndef PKCS11CRYPTO
+#if !defined(PKCS11CRYPTO) && !defined(ISC_PLATFORM_CRYPTORANDOM)
#ifdef GSSAPI
unsigned int flags = dst_entropy_flags;
isc_result_t ret;
@@ -2031,6 +2049,7 @@ dst__entropy_status(void) {
#endif
return (isc_entropy_status(dst_entropy_pool));
#else
+ /* Doesn't matter as it is not used in this case. */
return (0);
#endif
}
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
index 5b42ab4..3aba028 100644
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
@@ -159,6 +159,14 @@ dst_lib_destroy(void);
* Releases all resources allocated by DST.
*/
+isc_result_t
+dst_random_getdata(void *data, unsigned int length,
+ unsigned int *returned, unsigned int flags);
+/*%<
+ * \brief Return data from the crypto random generator.
+ * Specialization of isc_entropy_getdata().
+ */
+
bool
dst_algorithm_supported(unsigned int alg);
/*%<
diff --git a/lib/dns/lib.c b/lib/dns/lib.c
index d9417de..0dc935d 100644
--- a/lib/dns/lib.c
+++ b/lib/dns/lib.c
@@ -16,6 +16,7 @@
#include <stdbool.h>
#include <stddef.h>
+#include <isc/entropy.h>
#include <isc/hash.h>
#include <isc/mem.h>
#include <isc/msgcat.h>
@@ -76,6 +77,7 @@ static unsigned int references = 0;
static void
initialize(void) {
isc_result_t result;
+ isc_entropy_t *ectx = NULL;
REQUIRE(initialize_done == false);
@@ -86,11 +88,14 @@ initialize(void) {
result = dns_ecdb_register(dns_g_mctx, &dbimp);
if (result != ISC_R_SUCCESS)
goto cleanup_mctx;
- result = isc_hash_create(dns_g_mctx, NULL, DNS_NAME_MAXWIRE);
+ result = isc_entropy_create(dns_g_mctx, &ectx);
if (result != ISC_R_SUCCESS)
goto cleanup_db;
+ result = isc_hash_create(dns_g_mctx, NULL, DNS_NAME_MAXWIRE);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_ectx;
- result = dst_lib_init(dns_g_mctx, NULL, 0);
+ result = dst_lib_init(dns_g_mctx, ectx, 0);
if (result != ISC_R_SUCCESS)
goto cleanup_hash;
@@ -98,11 +103,17 @@ initialize(void) {
if (result != ISC_R_SUCCESS)
goto cleanup_dst;
+ isc_hash_init();
+ isc_entropy_detach(&ectx);
+
initialize_done = true;
return;
cleanup_dst:
dst_lib_destroy();
+ cleanup_ectx:
+ if (ectx != NULL)
+ isc_entropy_detach(&ectx);
cleanup_hash:
isc_hash_destroy();
cleanup_db:
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
index 1e57c71..3f4f822 100644
--- a/lib/dns/openssl_link.c
+++ b/lib/dns/openssl_link.c
@@ -31,6 +31,7 @@
#include <isc/mem.h>
#include <isc/mutex.h>
#include <isc/mutexblock.h>
+#include <isc/platform.h>
#include <isc/string.h>
#include <isc/thread.h>
#include <isc/util.h>
@@ -46,8 +47,6 @@
#include <openssl/engine.h>
#endif
-static RAND_METHOD *rm = NULL;
-
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
static isc_mutex_t *locks = NULL;
static int nlocks;
@@ -57,6 +56,9 @@ static int nlocks;
static ENGINE *e = NULL;
#endif
+#ifndef ISC_PLATFORM_CRYPTORANDOM
+static RAND_METHOD *rm = NULL;
+
static int
entropy_get(unsigned char *buf, int num) {
isc_result_t result;
@@ -102,6 +104,7 @@ entropy_add(const void *buf, int num, double entropy) {
return (1);
}
#endif
+#endif /* !ISC_PLATFORM_CRYPTORANDOM */
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
static void
@@ -192,7 +195,7 @@ _set_thread_id(CRYPTO_THREADID *id)
isc_result_t
dst__openssl_init(const char *engine) {
isc_result_t result;
-#if !defined(OPENSSL_NO_ENGINE)
+#if !defined(OPENSSL_NO_ENGINE) && !defined(ISC_PLATFORM_CRYPTORANDOM)
ENGINE *re;
#else
UNUSED(engine);
@@ -222,6 +225,7 @@ dst__openssl_init(const char *engine) {
ERR_load_crypto_strings();
#endif
+#ifndef ISC_PLATFORM_CRYPTORANDOM
rm = mem_alloc(sizeof(RAND_METHOD) FILELINE);
if (rm == NULL) {
result = ISC_R_NOMEMORY;
@@ -233,6 +237,7 @@ dst__openssl_init(const char *engine) {
rm->add = entropy_add;
rm->pseudorand = entropy_getpseudo;
rm->status = entropy_status;
+#endif
#if !defined(OPENSSL_NO_ENGINE)
#if !defined(CONF_MFLAGS_DEFAULT_SECTION)
@@ -266,6 +271,7 @@ dst__openssl_init(const char *engine) {
}
}
+#ifndef ISC_PLATFORM_CRYPTORANDOM
re = ENGINE_get_default_RAND();
if (re == NULL) {
re = ENGINE_new();
@@ -278,9 +284,21 @@ dst__openssl_init(const char *engine) {
ENGINE_free(re);
} else
ENGINE_finish(re);
+#endif
#else
+#ifndef ISC_PLATFORM_CRYPTORANDOM
RAND_set_rand_method(rm);
+#endif
#endif /* !defined(OPENSSL_NO_ENGINE) */
+
+ /* Protect ourselves against unseeded PRNG */
+ if (RAND_status() != 1) {
+ FATAL_ERROR(__FILE__, __LINE__,
+ "OpenSSL pseudorandom number generator "
+ "cannot be initialized (see the `PRNG not "
+ "seeded' message in the OpenSSL FAQ)");
+ }
+
return (ISC_R_SUCCESS);
#if !defined(OPENSSL_NO_ENGINE)
@@ -288,10 +306,14 @@ dst__openssl_init(const char *engine) {
if (e != NULL)
ENGINE_free(e);
e = NULL;
+#ifndef ISC_PLATFORM_CRYPTORANDOM
mem_free(rm FILELINE);
rm = NULL;
#endif
+#endif
+#ifndef ISC_PLATFORM_CRYPTORANDOM
cleanup_mutexinit:
+#endif
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
CRYPTO_set_locking_callback(NULL);
DESTROYMUTEXBLOCK(locks, nlocks);
@@ -306,14 +328,17 @@ void
dst__openssl_destroy(void) {
#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L)
OPENSSL_cleanup();
+#ifndef ISC_PLATFORM_CRYPTORANDOM
if (rm != NULL) {
mem_free(rm FILELINE);
rm = NULL;
}
+#endif
#else
/*
* Sequence taken from apps_shutdown() in <apps/apps.h>.
*/
+#ifndef ISC_PLATFORM_CRYPTORANDOM
if (rm != NULL) {
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
RAND_cleanup();
@@ -321,6 +346,7 @@ dst__openssl_destroy(void) {
mem_free(rm FILELINE);
rm = NULL;
}
+#endif
#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
CONF_modules_free();
#endif
@@ -456,11 +482,45 @@ dst__openssl_getengine(const char *engine) {
}
#endif
-#else /* OPENSSL */
+isc_result_t
+dst_random_getdata(void *data, unsigned int length,
+ unsigned int *returned, unsigned int flags) {
+#ifdef ISC_PLATFORM_CRYPTORANDOM
+#ifndef DONT_REQUIRE_DST_LIB_INIT
+ INSIST(dst__memory_pool != NULL);
+#endif
+ REQUIRE(data != NULL);
+ REQUIRE(length > 0);
-#include <isc/util.h>
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ if ((flags & ISC_ENTROPY_GOODONLY) == 0) {
+ if (RAND_pseudo_bytes((unsigned char *)data, (int)length) < 0)
+ return (dst__openssl_toresult2("RAND_pseudo_bytes",
+ DST_R_OPENSSLFAILURE));
+ } else {
+ if (RAND_bytes((unsigned char *)data, (int)length) != 1)
+ return (dst__openssl_toresult2("RAND_bytes",
+ DST_R_OPENSSLFAILURE));
+ }
+#else
+ UNUSED(flags);
-EMPTY_TRANSLATION_UNIT
+ if (RAND_bytes((unsigned char *)data, (int)length) != 1)
+ return (dst__openssl_toresult2("RAND_bytes",
+ DST_R_OPENSSLFAILURE));
+#endif
+ if (returned != NULL)
+ *returned = length;
+ return (ISC_R_SUCCESS);
+#else
+ UNUSED(data);
+ UNUSED(length);
+ UNUSED(returned);
+ UNUSED(flags);
+
+ return (ISC_R_NOTIMPLEMENTED);
+#endif
+}
#endif /* OPENSSL */
/*! \file */
diff --git a/lib/dns/pkcs11.c b/lib/dns/pkcs11.c
index 6b30309..20552fa 100644
--- a/lib/dns/pkcs11.c
+++ b/lib/dns/pkcs11.c
@@ -13,12 +13,15 @@
#include <config.h>
+#include <isc/util.h>
+
#include <dns/log.h>
#include <dns/result.h>
#include <pk11/pk11.h>
#include <pk11/internal.h>
+#include "dst_internal.h"
#include "dst_pkcs11.h"
isc_result_t
@@ -34,12 +37,32 @@ dst__pkcs11_toresult(const char *funcname, const char *file, int line,
return (fallback);
}
+isc_result_t
+dst_random_getdata(void *data, unsigned int length,
+ unsigned int *returned, unsigned int flags) {
+#ifdef ISC_PLATFORM_CRYPTORANDOM
+ isc_result_t ret;
-#else /* PKCS11CRYPTO */
+#ifndef DONT_REQUIRE_DST_LIB_INIT
+ INSIST(dst__memory_pool != NULL);
+#endif
+ REQUIRE(data != NULL);
+ REQUIRE(length > 0);
+ UNUSED(flags);
-#include <isc/util.h>
+ ret = pk11_rand_bytes(data, (int) length);
+ if ((ret == ISC_R_SUCCESS) && (returned != NULL))
+ *returned = length;
+ return (ret);
+#else
+ UNUSED(data);
+ UNUSED(length);
+ UNUSED(returned);
+ UNUSED(flags);
-EMPTY_TRANSLATION_UNIT
+ return (ISC_R_NOTIMPLEMENTED);
+#endif
+}
#endif /* PKCS11CRYPTO */
/*! \file */
diff --git a/lib/dns/tests/Kyuafile b/lib/dns/tests/Kyuafile
index 937b548..f3c0e38 100644
--- a/lib/dns/tests/Kyuafile
+++ b/lib/dns/tests/Kyuafile
@@ -10,6 +10,7 @@ tap_test_program{name='dh_test'}
tap_test_program{name='dispatch_test'}
tap_test_program{name='dnstap_test'}
tap_test_program{name='dst_test'}
+tap_test_program{name='dstrandom_test'}
tap_test_program{name='geoip_test'}
tap_test_program{name='gost_test'}
tap_test_program{name='keytable_test'}
diff --git a/lib/dns/tests/Makefile.in b/lib/dns/tests/Makefile.in
index 4126372..30cab17 100644
--- a/lib/dns/tests/Makefile.in
+++ b/lib/dns/tests/Makefile.in
@@ -37,6 +37,7 @@ SRCS = acl_test.c \
dnstap_test.c \
dst_test.c \
dnstest.c \
+ dstrandom_test.c \
geoip_test.c \
gost_test.c \
keytable_test.c \
@@ -69,6 +70,7 @@ TARGETS = acl_test@EXEEXT@ \
dh_test@EXEEXT@ \
dispatch_test@EXEEXT@ \
dnstap_test@EXEEXT@ \
+ dstrandom_test@EXEEXT@ \
dst_test@EXEEXT@ \
geoip_test@EXEEXT@ \
gost_test@EXEEXT@ \
@@ -258,6 +260,11 @@ zt_test@EXEEXT@: zt_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
${LDFLAGS} -o $@ zt_test.@O@ dnstest.@O@ \
${DNSLIBS} ${ISCLIBS} ${LIBS}
+dstrandom_test@EXEEXT@: dstrandom_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+ dstrandom_test.@O@ ${DNSLIBS} \
+ ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
+
unit::
sh ${top_builddir}/unit/unittest.sh
diff --git a/lib/dns/tests/dstrandom_test.c b/lib/dns/tests/dstrandom_test.c
new file mode 100644
index 0000000..bd3d164
--- /dev/null
+++ b/lib/dns/tests/dstrandom_test.c
@@ -0,0 +1,115 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <config.h>
+
+#if HAVE_CMOCKA
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/entropy.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/platform.h>
+#include <isc/util.h>
+
+#include <dst/dst.h>
+
+isc_mem_t *mctx = NULL;
+isc_entropy_t *ectx = NULL;
+unsigned char buffer[128];
+
+/* isc_entropy_getdata() examples */
+static void
+isc_entropy_getdata_test(void **state) {
+ isc_result_t result;
+ unsigned int returned, status;
+ const char *randomfile = "testdata/dstrandom/random.data";
+ int ret;
+
+ UNUSED(state);
+
+ isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
+ result = isc_mem_create(0, 0, &mctx);
+ assert_int_equal(result, ISC_R_SUCCESS);
+ result = isc_entropy_create(mctx, &ectx);
+ assert_int_equal(result, ISC_R_SUCCESS);
+ result = dst_lib_init(mctx, ectx, 0);
+ assert_int_equal(result, ISC_R_SUCCESS);
+
+#ifdef ISC_PLATFORM_CRYPTORANDOM
+ isc_entropy_usehook(ectx, true);
+
+ returned = 0;
+ result = isc_entropy_getdata(ectx, buffer, sizeof(buffer),
+ &returned, 0);
+ assert_int_equal(result, ISC_R_SUCCESS);
+ assert_int_equal(returned, sizeof(buffer));
+
+ status = isc_entropy_status(ectx);
+ assert_int_equal(status, 0);
+
+ isc_entropy_usehook(ectx, false);
+#endif
+
+ ret = chdir(TESTS);
+ assert_int_equal(ret, 0);
+
+ result = isc_entropy_createfilesource(ectx, randomfile);
+ assert_int_equal(result, ISC_R_SUCCESS);
+
+ returned = 0;
+ result = isc_entropy_getdata(ectx, buffer, sizeof(buffer),
+ &returned, 0);
+ assert_int_equal(result, ISC_R_SUCCESS);
+ assert_int_equal(returned, sizeof(buffer));
+
+ status = isc_entropy_status(ectx);
+ assert_true(status > 0);
+
+ dst_lib_destroy();
+ isc_entropy_detach(&ectx);
+ assert_null(ectx);
+
+ isc_mem_destroy(&mctx);
+ assert_null(mctx);
+}
+
+int
+main(void) {
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test(isc_entropy_getdata_test),
+ };
+
+ return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
+#else /* HAVE_CMOCKA */
+
+#include <stdio.h>
+
+int
+main(void) {
+ printf("1..0 # Skipped: cmocka not available\n");
+ return (0);
+}
+
+#endif
diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in
index 9c2ef79..f597049 100644
--- a/lib/dns/win32/libdns.def.in
+++ b/lib/dns/win32/libdns.def.in
@@ -1487,6 +1487,13 @@ dst_lib_destroy
dst_lib_init
dst_lib_init2
dst_lib_initmsgcat
+@IF PKCS11
+dst_random_getdata
+@ELSE PKCS11
+@IF OPENSSL
+dst_random_getdata
+@END OPENSSL
+@END PKCS11
dst_region_computeid
dst_region_computerid
dst_result_register
diff --git a/lib/isc/entropy.c b/lib/isc/entropy.c
index 0c1f3ed..fdd17d7 100644
--- a/lib/isc/entropy.c
+++ b/lib/isc/entropy.c
@@ -104,11 +104,15 @@ struct isc_entropy {
uint32_t initialized;
uint32_t initcount;
isc_entropypool_t pool;
+ bool usehook;
unsigned int nsources;
isc_entropysource_t *nextsource;
ISC_LIST(isc_entropysource_t) sources;
};
+/*% Global Hook */
+static isc_entropy_getdata_t hook;
+
/*% Sample Queue */
typedef struct {
uint32_t last_time; /*%< last time recorded */
@@ -557,6 +561,11 @@ isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length,
LOCK(&ent->lock);
+ if (ent->usehook && (hook != NULL)) {
+ UNLOCK(&ent->lock);
+ return (hook(data, length, returned, flags));
+ }
+
remain = length;
buf = data;
total = 0;
@@ -708,6 +717,7 @@ isc_entropy_create(isc_mem_t *mctx, isc_entropy_t **entp) {
ent->refcnt = 1;
ent->initialized = 0;
ent->initcount = 0;
+ ent->usehook = false;
ent->magic = ENTROPY_MAGIC;
isc_entropypool_init(&ent->pool);
@@ -1286,3 +1296,17 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
*/
return (final_result);
}
+
+void
+isc_entropy_usehook(isc_entropy_t *ectx, bool onoff) {
+ REQUIRE(VALID_ENTROPY(ectx));
+
+ LOCK(&ectx->lock);
+ ectx->usehook = onoff;
+ UNLOCK(&ectx->lock);
+}
+
+void
+isc_entropy_sethook(isc_entropy_getdata_t myhook) {
+ hook = myhook;
+}
diff --git a/lib/isc/include/isc/entropy.h b/lib/isc/include/isc/entropy.h
index b5bc956..f32c9dc 100644
--- a/lib/isc/include/isc/entropy.h
+++ b/lib/isc/include/isc/entropy.h
@@ -302,6 +302,18 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
* isc_entropy_createcallbacksource().
*/
+void
+isc_entropy_usehook(isc_entropy_t *ectx, bool onoff);
+/*!<
+ * \brief Mark/unmark the given entropy structure as being hooked.
+ */
+
+void
+isc_entropy_sethook(isc_entropy_getdata_t myhook);
+/*!<
+ * \brief Set the getdata hook (e.g., for a crypto random generator).
+ */
+
ISC_LANG_ENDDECLS
#endif /* ISC_ENTROPY_H */
diff --git a/lib/isc/include/isc/platform.h.in b/lib/isc/include/isc/platform.h.in
index 2bf8758..f4c684e 100644
--- a/lib/isc/include/isc/platform.h.in
+++ b/lib/isc/include/isc/platform.h.in
@@ -359,6 +359,11 @@
*/
@ISC_PLATFORM_HAVESTRINGSH@
+/*
+ * Define if the random functions are provided by crypto.
+ */
+@ISC_PLATFORM_CRYPTORANDOM@
+
/*
* Define if the hash functions must be provided by OpenSSL.
*/
diff --git a/lib/isc/include/isc/types.h b/lib/isc/include/isc/types.h
index 3bdd54f..d5acd39 100644
--- a/lib/isc/include/isc/types.h
+++ b/lib/isc/include/isc/types.h
@@ -95,6 +95,8 @@ typedef struct isc_time isc_time_t; /*%< Time */
typedef struct isc_timer isc_timer_t; /*%< Timer */
typedef struct isc_timermgr isc_timermgr_t; /*%< Timer Manager */
+typedef isc_result_t (*isc_entropy_getdata_t)(void *, unsigned int,
+ unsigned int *, unsigned int);
typedef void (*isc_taskaction_t)(isc_task_t *, isc_event_t *);
typedef int (*isc_sockfdwatch_t)(isc_task_t *, isc_socket_t *, void *, int);
diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c
index 227f807..4a63fdf 100644
--- a/lib/isc/pk11.c
+++ b/lib/isc/pk11.c
@@ -321,14 +321,16 @@ pk11_rand_seed_fromfile(const char *randomfile) {
ret = isc_stdio_open(randomfile, "r", &stream);
if (ret != ISC_R_SUCCESS)
goto cleanup;
- ret = isc_stdio_read(seed, 1, SEEDSIZE, stream, &cc);
- if (ret!= ISC_R_SUCCESS)
- goto cleanup;
+ while (ret == ISC_R_SUCCESS) {
+ ret = isc_stdio_read(seed, 1, SEEDSIZE, stream, &cc);
+ if ((ret != ISC_R_SUCCESS) && (ret != ISC_R_EOF))
+ goto cleanup;
+ (void) pkcs_C_SeedRandom(ctx.session, seed, (CK_ULONG) cc);
+ }
ret = isc_stdio_close(stream);
stream = NULL;
- if (ret!= ISC_R_SUCCESS)
+ if (ret != ISC_R_SUCCESS)
goto cleanup;
- (void) pkcs_C_SeedRandom(ctx.session, seed, (CK_ULONG) cc);
cleanup:
if (stream != NULL)
diff --git a/lib/isc/win32/include/isc/platform.h.in b/lib/isc/win32/include/isc/platform.h.in
index 1f785e0..f9051c3 100644
--- a/lib/isc/win32/include/isc/platform.h.in
+++ b/lib/isc/win32/include/isc/platform.h.in
@@ -73,6 +73,11 @@
#define ISC_PLATFORM_NORETURN_PRE __declspec(noreturn)
#define ISC_PLATFORM_NORETURN_POST
+/*
+ * Define if the random functions are provided by crypto.
+ */
+@ISC_PLATFORM_CRYPTORANDOM@
+
/*
* Define if the hash functions must be provided by OpenSSL.
*/
diff --git a/win32utils/Configure b/win32utils/Configure
index 5f66a82..ff39910 100644
--- a/win32utils/Configure
+++ b/win32utils/Configure
@@ -382,6 +382,7 @@ my @substdefh = ("ALLOW_FILTER_AAAA",
my %configdefp;
my @substdefp = ("ISC_PLATFORM_BUSYWAITNOP",
+ "ISC_PLATFORM_CRYPTORANDOM",
"ISC_PLATFORM_HAVEATOMICSTORE",
"ISC_PLATFORM_HAVEATOMICSTOREQ",
"ISC_PLATFORM_HAVECMPXCHG",
@@ -517,7 +518,8 @@ my @allcond = (@substcond, "NOTYET", "NOLONGER");
# enable-xxx/disable-xxx
-my @enablelist = ("developer",
+my @enablelist = ("crypto-rand",
+ "developer",
"fixed-rrset",
"intrinsics",
"isc-spnego",
@@ -580,6 +582,7 @@ my @help = (
"\nOptional Features:\n",
" enable-intrinsics enable intrinsic/atomic functions [default=yes]\n",
" enable-native-pkcs11 use native PKCS#11 for all crypto [default=no]\n",
+" enable-crypto-rand use crypto provider for random [default=yes]\n",
" enable-openssl-hash use OpenSSL for hash functions [default=yes]\n",
" enable-isc-spnego use SPNEGO from lib/dns [default=yes]\n",
" enable-filter-aaaa enable filtering of AAAA records [default=yes]\n",
@@ -628,7 +631,9 @@ my $want_clean = "no";
my $want_unknown = "no";
my $unknown_value;
my $enable_intrinsics = "yes";
+my $cryptolib = "";
my $enable_native_pkcs11 = "no";
+my $enable_crypto_rand = "yes";
my $enable_openssl_hash = "auto";
my $enable_filter_aaaa = "yes";
my $enable_isc_spnego = "yes";
@@ -848,6 +853,10 @@ sub myenable {
if ($val =~ /^yes$/i) {
$enable_native_pkcs11 = "yes";
}
+ } elsif ($key =~ /^crypto-rand$/i) {
+ if ($val =~ /^no$/i) {
+ $enable_crypto_rand = "no";
+ }
} elsif ($key =~ /^openssl-hash$/i) {
if ($val =~ /^yes$/i) {
$enable_openssl_hash = "yes";
@@ -1154,6 +1163,11 @@ if ($verbose) {
} else {
print "native-pkcs11: disabled\n";
}
+ if ($enable_crypto_rand eq "yes") {
+ print "crypto-rand: enabled\n";
+ } else {
+ print "crypto-rand: disabled\n";
+ }
if ($enable_openssl_hash eq "yes") {
print "openssl-hash: enabled\n";
} else {
@@ -1511,6 +1525,7 @@ if ($enable_intrinsics eq "yes") {
# enable-native-pkcs11
if ($enable_native_pkcs11 eq "yes") {
+ $cryptolib = "pkcs11";
if ($use_openssl eq "auto") {
$use_openssl = "no";
}
@@ -1720,6 +1735,7 @@ if ($use_openssl eq "yes") {
$openssl_dll = File::Spec->catdir($openssl_path, "@dirlist[0]");
}
+ $cryptolib = "openssl";
$configcond{"OPENSSL"} = 1;
$configdefd{"CRYPTO"} = "OPENSSL";
$configvar{"OPENSSL_PATH"} = "$openssl_path";
@@ -2291,6 +2307,15 @@ if ($use_aes eq "yes") {
}
+# enable-crypto-rand
+if ($enable_crypto_rand eq "yes") {
+ if (($use_openssl eq "no") && ($enable_native_pkcs11 eq "no")) {
+ die "No crypto provider for random functions\n";
+ }
+ $configdefp{"ISC_PLATFORM_CRYPTORANDOM"} = "\"$cryptolib\"";
+}
+print "Cryptographic library for DNSSEC: $cryptolib";
+
# enable-openssl-hash
if ($enable_openssl_hash eq "yes") {
if ($use_openssl eq "no") {
@@ -3673,6 +3698,7 @@ exit 0;
# --enable-developer partially supported
# --enable-newstats (9.9/9.9sub only)
# --enable-native-pkcs11 supported
+# --enable-crypto-rand supported
# --enable-openssl-version-check included without a way to disable it
# --enable-openssl-hash supported
# --enable-threads included without a way to disable it
--
2.26.2