DO("create entropy context", isc_entropy_create(mctx, &ectx));
-#ifdef ISC_PLATFORM_CRYPTORANDOM
if (randomfile == NULL) {
isc_entropy_usehook(ectx, ISC_TRUE);
}
-#endif
if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
randomfile = NULL;
open_keyboard = ISC_ENTROPY_KEYBOARDYES;
ISC_LIST_INIT(sources);
}
-#ifdef ISC_PLATFORM_CRYPTORANDOM
if (randomfile == NULL) {
isc_entropy_usehook(*ectx, ISC_TRUE);
}
-#endif
if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
usekeyboard = ISC_ENTROPY_KEYBOARDYES;
randomfile = NULL;
# pid-file \"" NAMED_LOCALSTATEDIR "/run/named/named.pid\"; \n\
port 53;\n\
prefetch 2 9;\n"
-#if defined(ISC_PLATFORM_CRYPTORANDOM)
" random-device none;\n"
-#elif defined(PATH_RANDOMDEV)
-" random-device \"" PATH_RANDOMDEV "\";\n"
-#endif
" recursing-file \"named.recursing\";\n\
recursive-clients 1000;\n\
request-nsid false;\n\
}
}
if (randomdev == NULL) {
-#ifdef ISC_PLATFORM_CRYPTORANDOM
isc_entropy_usehook(named_g_entropy, ISC_TRUE);
-#else
- if ((obj != NULL) && !cfg_obj_isvoid(obj))
- level = ISC_LOG_INFO;
- isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
- NAMED_LOGMODULE_SERVER, level,
- "no source of entropy found");
- if ((obj == NULL) || cfg_obj_isvoid(obj)) {
- CHECK(ISC_R_FAILURE);
- }
-#endif
} else {
result = isc_entropy_createfilesource(named_g_entropy,
randomdev);
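Review bot: The `randomdev == NULL` branch now switches named to the crypto provider without any log line, whereas the removed `#else` branch at least reported "no source of entropy found" at INFO, so an operator can no longer tell from the log which entropy source the server is using. Suggest adding, right after `isc_entropy_usehook(named_g_entropy, ISC_TRUE);`, `isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_INFO, "using crypto provider as entropy source");`. The `result` assigned from `isc_entropy_createfilesource` in the `else` branch is checked, if at all, outside the hunk; the enclosing function both starts and ends outside it.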
randomfile = NULL;
}
-#ifdef ISC_PLATFORM_CRYPTORANDOM
if (randomfile == NULL) {
isc_entropy_usehook(*ectx, ISC_TRUE);
}
-#endif
result = isc_entropy_usebestsource(*ectx, &source, randomfile,
usekeyboard);
ectx = NULL;
RUNCHECK(isc_entropy_create(mctx, &ectx));
-#ifdef ISC_PLATFORM_CRYPTORANDOM
if (randomfile == NULL) {
isc_entropy_usehook(ectx, ISC_TRUE);
}
-#endif
if (randomfile != NULL)
RUNCHECK(isc_entropy_createfilesource(ectx, randomfile));
CHECK(isc_mem_create(0, 0, &mctx), "isc_mem_create()");
CHECK(isc_entropy_create(mctx, &ectx), "isc_entropy_create()");
-#ifdef ISC_PLATFORM_CRYPTORANDOM
isc_entropy_usehook(ectx, ISC_TRUE);
-#endif
CHECK(isc_entropy_usebestsource(ectx, &source,
"../random.data",
ISC_ENTROPY_KEYBOARDNO),
ectx = NULL;
RUNCHECK(isc_entropy_create(mctx, &ectx));
-#ifdef ISC_PLATFORM_CRYPTORANDOM
if (randomfile == NULL) {
isc_entropy_usehook(ectx, ISC_TRUE);
}
-#endif
- if (randomfile != NULL)
+ if (randomfile != NULL) {
RUNCHECK(isc_entropy_createfilesource(ectx, randomfile));
+ }
log = NULL;
logconfig = NULL;
ectx = NULL;
RUNCHECK(isc_entropy_create(mctx, &ectx));
-#ifdef ISC_PLATFORM_CRYPTORANDOM
if (randomfile == NULL) {
isc_entropy_usehook(ectx, ISC_TRUE);
}
-#endif
- if (randomfile != NULL)
+ if (randomfile != NULL) {
RUNCHECK(isc_entropy_createfilesource(ectx, randomfile));
+ }
log = NULL;
logconfig = NULL;
NZDTARGETS
NZDSRCS
NZD_TOOLS
-ISC_PLATFORM_CRYPTORANDOM
PKCS11_TEST
PKCS11_ED25519
PKCS11_GOST
with_aes
with_cc_alg
enable_openssl_hash
-enable_crypto_rand
with_lmdb
with_libxml2
with_libjson
--enable-threads enable multithreading
--enable-native-pkcs11 use native PKCS11 for all crypto [default=no]
--enable-openssl-hash use OpenSSL for hash functions [default=yes]
- --enable-crypto-rand use the crypto provider for random [default=yes]
--enable-largefile 64-bit file support
--enable-backtrace log stack backtrace on abort [default=yes]
--enable-symtable use internal symbol table for backtrace
LIBS="-lrt $LIBS"
fi
-#
-# Use the crypto provider (OpenSSL/PKCS#11) for random functions
-#
-
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for using the crypto library (vs. builtin) for random functions" >&5
-$as_echo_n "checking for using the crypto library (vs. builtin) for random functions... " >&6; }
-# Check whether --enable-crypto-rand was given.
-if test "${enable_crypto_rand+set}" = set; then :
- enableval=$enable_crypto_rand; want_crypto_rand="$enableval"
-else
- want_crypto_rand="auto"
-fi
-
-if test "$want_crypto_rand" = "auto"
-then
- case "$CRYPTOLIB" in
- "")
- want_crypto_rand="no"
- ;;
- pkcs11)
- want_crypto_rand="yes"
- ;;
- openssl)
- saved_cflags="$CFLAGS"
- saved_libs="$LIBS"
- CFLAGS="$CFLAGS $DST_OPENSSL_INC"
- LIBS="$LIBS $DST_OPENSSL_LIBS"
- if test "$cross_compiling" = yes; then :
- want_crypto_rand="yes"
-else
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-#include <openssl/rand.h>
-
-unsigned char buf[128];
-
-int main()
-{
- if (RAND_bytes(buf, 128) != 1)
- return (1);
- return (0);
-}
-
-_ACEOF
-if ac_fn_c_try_run "$LINENO"; then :
- want_crypto_rand="yes"
-else
- want_crypto_rand="no"
-fi
-rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
- conftest.$ac_objext conftest.beam conftest.$ac_ext
-fi
-
- CFLAGS="$saved_cflags"
- LIBS="$saved_libs"
- ;;
- *)
- as_fn_error $? "Unknown crypto library define $CRYPTOLIB" "$LINENO" 5
- ;;
- esac
-fi
-case $want_crypto_rand in
- yes)
- if test "$CRYPTOLIB" = ""
- then
- as_fn_error $? "No crypto library for random functions" "$LINENO" 5
- fi
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: \"$CRYPTOLIB\"" >&5
-$as_echo "\"$CRYPTOLIB\"" >&6; }
- ISC_PLATFORM_CRYPTORANDOM="#define ISC_PLATFORM_CRYPTORANDOM \"$CRYPTOLIB\""
- ;;
- no)
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
- ISC_PLATFORM_CRYPTORANDOM="#undef ISC_PLATFORM_CRYPTORANDOM"
- ;;
-esac
-
-
#
# was --with-lmdb specified?
#
echo " IPv6 support (--enable-ipv6)"
test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \
echo " OpenSSL cryptography/DNSSEC (--with-openssl)"
- test "no" = "$want_crypto_rand" || \
- echo " Crypto provider entropy source (--enable-crypto-rand)"
test "X$PYTHON" = "X" || echo " Python tools (--with-python)"
test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)"
test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)"
echo " ECDSA algorithm support (--with-ecdsa)"
test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \
echo " EDDSA algorithm support (--with-eddsa)"
- test "yes" = "$want_crypto_rand" || \
- echo " Crypto provider entropy source (--enable-crypto-rand)"
test "yes" = "$want_backtrace" || \
echo " Print backtrace on crash (--enable-backtrace)"
LIBS="-lrt $LIBS"
fi
-#
-# Use the crypto provider (OpenSSL/PKCS#11) for random functions
-#
-
-AC_MSG_CHECKING(for using the crypto library (vs. builtin) for random functions)
-AC_ARG_ENABLE(crypto-rand,
- AS_HELP_STRING([--enable-crypto-rand],
- [use the crypto provider for random [default=yes]]),
- want_crypto_rand="$enableval", want_crypto_rand="auto")
-if test "$want_crypto_rand" = "auto"
-then
- case "$CRYPTOLIB" in
- "")
- want_crypto_rand="no"
- ;;
- pkcs11)
- want_crypto_rand="yes"
- ;;
- openssl)
- saved_cflags="$CFLAGS"
- saved_libs="$LIBS"
- CFLAGS="$CFLAGS $DST_OPENSSL_INC"
- LIBS="$LIBS $DST_OPENSSL_LIBS"
- AC_TRY_RUN([
-#include <openssl/rand.h>
-
-unsigned char buf[128];
-
-int main()
-{
- if (RAND_bytes(buf, 128) != 1)
- return (1);
- return (0);
-}
-],
- [want_crypto_rand="yes"],
- [want_crypto_rand="no"],
- [want_crypto_rand="yes"])
- CFLAGS="$saved_cflags"
- LIBS="$saved_libs"
- ;;
- *)
- AC_MSG_ERROR([Unknown crypto library define $CRYPTOLIB])
- ;;
- esac
-fi
-case $want_crypto_rand in
- yes)
- if test "$CRYPTOLIB" = ""
- then
- AC_MSG_ERROR([No crypto library for random functions])
- fi
- AC_MSG_RESULT(["$CRYPTOLIB"])
- ISC_PLATFORM_CRYPTORANDOM="#define ISC_PLATFORM_CRYPTORANDOM \"$CRYPTOLIB\""
- ;;
- no)
- AC_MSG_RESULT(no)
- ISC_PLATFORM_CRYPTORANDOM="#undef ISC_PLATFORM_CRYPTORANDOM"
- ;;
-esac
-AC_SUBST(ISC_PLATFORM_CRYPTORANDOM)
-
#
# was --with-lmdb specified?
#
echo " IPv6 support (--enable-ipv6)"
test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \
echo " OpenSSL cryptography/DNSSEC (--with-openssl)"
- test "no" = "$want_crypto_rand" || \
- echo " Crypto provider entropy source (--enable-crypto-rand)"
test "X$PYTHON" = "X" || echo " Python tools (--with-python)"
test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)"
test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)"
echo " ECDSA algorithm support (--with-ecdsa)"
test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \
echo " EDDSA algorithm support (--with-eddsa)"
- test "yes" = "$want_crypto_rand" || \
- echo " Crypto provider entropy source (--enable-crypto-rand)"
test "yes" = "$want_backtrace" || \
echo " Print backtrace on crash (--enable-backtrace)"
RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI]));
#endif
#if defined(OPENSSL) || defined(PKCS11CRYPTO)
-#ifdef ISC_PLATFORM_CRYPTORANDOM
if (dst_entropy_pool != NULL) {
isc_entropy_sethook(dst_random_getdata);
}
-#endif
#endif /* defined(OPENSSL) || defined(PKCS11CRYPTO) */
dst_initialized = ISC_TRUE;
return (ISC_R_SUCCESS);
if (dst_t_func[i] != NULL && dst_t_func[i]->cleanup != NULL)
dst_t_func[i]->cleanup();
#if defined(OPENSSL) || defined(PKCS11CRYPTO)
-#ifdef ISC_PLATFORM_CRYPTORANDOM
if (dst_entropy_pool != NULL) {
isc_entropy_usehook(dst_entropy_pool, ISC_FALSE);
isc_entropy_sethook(NULL);
}
-#endif
#ifdef OPENSSL
dst__openssl_destroy();
#elif PKCS11CRYPTO
flags &= ~ISC_ENTROPY_GOODONLY;
else
flags |= ISC_ENTROPY_BLOCKING;
-#ifdef ISC_PLATFORM_CRYPTORANDOM
/* get entropy directly from crypto provider */
return (dst_random_getdata(buf, len, NULL, flags));
-#else
- /* get entropy from entropy source or hook function */
- return (isc_entropy_getdata(dst_entropy_pool, buf, len, NULL, flags));
-#endif /* ISC_PLATFORM_CRYPTORANDOM */
#endif /* PKCS11CRYPTO */
}
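Review bot: The GOODONLY/BLOCKING adjustments made to `flags` just above the retained `return` are now always forwarded to `dst_random_getdata`, but nothing in the hunk shows whether the crypto-provider path honours those flags, while the removed `isc_entropy_getdata` path did. Either the flag manipulation should be documented as best-effort on this path, e.g. `/* get entropy directly from crypto provider; GOODONLY/BLOCKING are passed through and may be ignored by the provider */`, or, if the provider never looks at them, the manipulation should go too. The enclosing function starts outside the hunk.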
unsigned int
dst__entropy_status(void) {
-#if !defined(PKCS11CRYPTO) && !defined(ISC_PLATFORM_CRYPTORANDOM)
-#ifdef GSSAPI
- unsigned int flags = dst_entropy_flags;
- isc_result_t ret;
- unsigned char buf[32];
- static isc_boolean_t first = ISC_TRUE;
-
- if (dst_entropy_pool == NULL)
- return (0);
-
- if (first) {
- /* Someone believes RAND_status() initializes the PRNG */
- flags &= ~ISC_ENTROPY_GOODONLY;
- ret = isc_entropy_getdata(dst_entropy_pool, buf,
- sizeof(buf), NULL, flags);
- INSIST(ret == ISC_R_SUCCESS);
- isc_entropy_putdata(dst_entropy_pool, buf,
- sizeof(buf), 2 * sizeof(buf));
- first = ISC_FALSE;
- }
-#endif
- return (isc_entropy_status(dst_entropy_pool));
-#else
/* Doesn't matter as it is not used in this case. */
return (0);
-#endif
}
isc_buffer_t *
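Review bot: The surviving comment `/* Doesn't matter as it is not used in this case. */` in `dst__entropy_status` referred to the `#else` branch that has now become the entire body, so "in this case" no longer tells a reader anything; the only caller visible on this page, `entropy_status` in openssl_link.c, is removed by the same commit. Suggest rewording it to `/* Always 0: the crypto provider owns PRNG seeding; kept only for API compatibility -- confirm no remaining callers. */`, or dropping the function and its prototype if it is indeed unused. The function body lies fully inside the hunk.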
static ENGINE *e = NULL;
#endif
-#ifndef ISC_PLATFORM_CRYPTORANDOM
-static RAND_METHOD *rm = NULL;
-
-static int
-entropy_get(unsigned char *buf, int num) {
- isc_result_t result;
- if (num < 0)
- return (-1);
- result = dst__entropy_getdata(buf, (unsigned int) num, ISC_FALSE);
- return (result == ISC_R_SUCCESS ? 1 : -1);
-}
-
-static int
-entropy_status(void) {
- return (dst__entropy_status() > 32);
-}
-
-static int
-entropy_getpseudo(unsigned char *buf, int num) {
- isc_result_t result;
- if (num < 0)
- return (-1);
- result = dst__entropy_getdata(buf, (unsigned int) num, ISC_TRUE);
- return (result == ISC_R_SUCCESS ? 1 : -1);
-}
-
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-static void
-entropy_add(const void *buf, int num, double entropy) {
- /*
- * Do nothing. The only call to this provides no useful data anyway.
- */
- UNUSED(buf);
- UNUSED(num);
- UNUSED(entropy);
-}
-#else
-static int
-entropy_add(const void *buf, int num, double entropy) {
- /*
- * Do nothing. The only call to this provides no useful data anyway.
- */
- UNUSED(buf);
- UNUSED(num);
- UNUSED(entropy);
- return (1);
-}
-#endif
-#endif /* !ISC_PLATFORM_CRYPTORANDOM */
-
#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
static void
lock_callback(int mode, int type, const char *file, int line) {
isc_result_t
dst__openssl_init(const char *engine) {
isc_result_t result;
-#if defined(USE_ENGINE) && !defined(ISC_PLATFORM_CRYPTORANDOM)
- ENGINE *re;
-#else
+#if !defined(USE_ENGINE)
UNUSED(engine);
#endif
ERR_load_crypto_strings();
#endif
-#ifndef ISC_PLATFORM_CRYPTORANDOM
- rm = mem_alloc(sizeof(RAND_METHOD) FILELINE);
- if (rm == NULL) {
- result = ISC_R_NOMEMORY;
- goto cleanup_mutexinit;
- }
- rm->seed = NULL;
- rm->bytes = entropy_get;
- rm->cleanup = NULL;
- rm->add = entropy_add;
- rm->pseudorand = entropy_getpseudo;
- rm->status = entropy_status;
-#endif
-
#ifdef USE_ENGINE
#if !defined(CONF_MFLAGS_DEFAULT_SECTION)
OPENSSL_config(NULL);
}
}
-#ifndef ISC_PLATFORM_CRYPTORANDOM
- re = ENGINE_get_default_RAND();
- if (re == NULL) {
- re = ENGINE_new();
- if (re == NULL) {
- result = ISC_R_NOMEMORY;
- goto cleanup_rm;
- }
- ENGINE_set_RAND(re, rm);
- ENGINE_set_default_RAND(re);
- ENGINE_free(re);
- } else
- ENGINE_finish(re);
-#endif
-#else
-#ifndef ISC_PLATFORM_CRYPTORANDOM
- RAND_set_rand_method(rm);
-#endif
#endif /* USE_ENGINE */
-#ifdef ISC_PLATFORM_CRYPTORANDOM
/* Protect ourselves against unseeded PRNG */
if (RAND_status() != 1) {
FATAL_ERROR(__FILE__, __LINE__,
"cannot be initialized (see the `PRNG not "
"seeded' message in the OpenSSL FAQ)");
}
-#endif
return (ISC_R_SUCCESS);
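Review bot: With the custom `RAND_METHOD` (`rm`, `entropy_get`, `entropy_getpseudo`, `entropy_status`) removed from this file, the `RAND_status() != 1` check that the hunk makes unconditional is now the only guard against an unseeded OpenSSL PRNG, and the comment `/* Protect ourselves against unseeded PRNG */` does not convey that this is a deliberate trust shift. Suggest expanding it to `/* OpenSSL's own seeding is now the sole entropy source for DNSSEC; refuse to start if the PRNG is not seeded. */`. The `FATAL_ERROR` message still points readers at the OpenSSL FAQ, which is fine but could name the affected component too.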
if (e != NULL)
ENGINE_free(e);
e = NULL;
-#ifndef ISC_PLATFORM_CRYPTORANDOM
- mem_free(rm FILELINE);
- rm = NULL;
-#endif
-#endif
-#ifndef ISC_PLATFORM_CRYPTORANDOM
- cleanup_mutexinit:
#endif
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
CRYPTO_set_locking_callback(NULL);
dst__openssl_destroy(void) {
#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L)
OPENSSL_cleanup();
-#ifndef ISC_PLATFORM_CRYPTORANDOM
- if (rm != NULL) {
- mem_free(rm FILELINE);
- rm = NULL;
- }
-#endif
#else
/*
* Sequence taken from apps_shutdown() in <apps/apps.h>.
*/
-#ifndef ISC_PLATFORM_CRYPTORANDOM
- if (rm != NULL) {
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
- RAND_cleanup();
-#endif
- mem_free(rm FILELINE);
- rm = NULL;
- }
-#endif
#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
CONF_modules_free();
#endif
dst_random_getdata(void *data, unsigned int length,
unsigned int *returned, unsigned int flags)
{
-#ifdef ISC_PLATFORM_CRYPTORANDOM
#ifndef DONT_REQUIRE_DST_LIB_INIT
INSIST(dst__memory_pool != NULL);
#endif
if (returned != NULL)
*returned = length;
return (ISC_R_SUCCESS);
-#else
- UNUSED(data);
- UNUSED(length);
- UNUSED(returned);
- UNUSED(flags);
-
- return (ISC_R_NOTIMPLEMENTED);
-#endif
}
#endif /* OPENSSL */
isc_result_t
dst_random_getdata(void *data, unsigned int length,
unsigned int *returned, unsigned int flags) {
-#ifdef ISC_PLATFORM_CRYPTORANDOM
isc_result_t ret;
#ifndef DONT_REQUIRE_DST_LIB_INIT
if ((ret == ISC_R_SUCCESS) && (returned != NULL))
*returned = length;
return (ret);
-#else
- UNUSED(data);
- UNUSED(length);
- UNUSED(returned);
- UNUSED(flags);
-
- return (ISC_R_NOTIMPLEMENTED);
-#endif
-}
-
-#else /* PKCS11CRYPTO */
-
-#include <isc/util.h>
-
-isc_result_t
-dst_random_getdata(void *data, unsigned int length,
- unsigned int *returned, unsigned int flags) {
- UNUSED(data);
- UNUSED(length);
- UNUSED(returned);
- UNUSED(flags);
-
- return (ISC_R_NOTIMPLEMENTED);
}
#endif /* PKCS11CRYPTO */
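Review bot: The `#else /* PKCS11CRYPTO */` fallback that returned `ISC_R_NOTIMPLEMENTED` is removed, so a pkcs11_link.c compiled without PKCS11CRYPTO no longer provides `dst_random_getdata` at all, while dst_api.c's `dst__entropy_getdata` now returns `dst_random_getdata(...)` on its retained path and this commit also drops the configure-time "No crypto library for random functions" error. If a build with no crypto library is still accepted by configure (the summary output still tests `"X$CRYPTO" = "X"`), the symbol has to come from somewhere, so either keep a stub or confirm that such builds are now rejected. A one-line comment on the closing `#endif`, such as `/* no fallback: dst_random_getdata requires a crypto provider */`, would save the next reader the search.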
result = dst_lib_init(mctx, ectx, NULL, 0);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
-#ifdef ISC_PLATFORM_CRYPTORANDOM
isc_entropy_usehook(ectx, ISC_TRUE);
returned = 0;
ATF_REQUIRE_EQ(status, 0);
isc_entropy_usehook(ectx, ISC_FALSE);
-#endif
ret = chdir(TESTS);
ATF_REQUIRE_EQ(ret, 0);
*/
@ISC_PLATFORM_HAVESTRINGSH@
-/*
- * Define if the random functions are provided by crypto.
- */
-@ISC_PLATFORM_CRYPTORANDOM@
-
/*
* Define if the hash functions must be provided by OpenSSL.
*/
#define ISC_PLATFORM_NORETURN_PRE __declspec(noreturn)
#define ISC_PLATFORM_NORETURN_POST
-/*
- * Define if the random functions are provided by crypto.
- */
-@ISC_PLATFORM_CRYPTORANDOM@
-
/*
* Define if the hash functions must be provided by OpenSSL.
*/
my %configdefp;
my @substdefp = ("ISC_PLATFORM_BUSYWAITNOP",
- "ISC_PLATFORM_CRYPTORANDOM",
"ISC_PLATFORM_HAVEATOMICSTORE",
"ISC_PLATFORM_HAVEATOMICSTOREQ",
"ISC_PLATFORM_HAVECMPXCHG",
die "Unrecognized cookie algorithm: $cookie_algorithm\n";
}
-# enable-crypto-rand
-if ($enable_crypto_rand eq "yes") {
- if (($use_openssl eq "no") && ($enable_native_pkcs11 eq "no")) {
- die "No crypto provider for random functions\n";
- }
- $configdefp{"ISC_PLATFORM_CRYPTORANDOM"} = "\"$cryptolib\"";
-}
print "Cryptographic library for DNSSEC: $cryptolib\n";
# enable-openssl-hash