]> git.ipfire.org Git - thirdparty/bind9.git/commitdiff
[rt31459d] rebased rt31459c
authorEvan Hunt <each@isc.org>
Wed, 13 Sep 2017 02:05:46 +0000 (19:05 -0700)
committerEvan Hunt <each@isc.org>
Wed, 13 Sep 2017 02:05:46 +0000 (19:05 -0700)
34 files changed:
bin/confgen/keygen.c
bin/dnssec/dnssec-dsfromkey.c
bin/dnssec/dnssec-importkey.c
bin/dnssec/dnssec-revoke.c
bin/dnssec/dnssec-settime.c
bin/dnssec/dnssec-signzone.c
bin/dnssec/dnssec-verify.c
bin/dnssec/dnssectool.c
bin/named/server.c
bin/nsupdate/nsupdate.c
bin/tests/system/pipelined/pipequeries.c
bin/tests/system/pipelined/tests.sh
bin/tests/system/rsabigexponent/bigkey.c
bin/tests/system/tkey/keycreate.c
bin/tests/system/tkey/keydelete.c
bin/tests/system/tkey/tests.sh
configure
configure.in
lib/dns/dst_api.c
lib/dns/include/dst/dst.h
lib/dns/openssl_link.c
lib/dns/pkcs11.c
lib/dns/tests/Makefile.in
lib/dns/tests/dnstest.c
lib/dns/tests/dstrandom_test.c [new file with mode: 0644]
lib/dns/tests/testdata/dstrandom/random.data [new file with mode: 0644]
lib/dns/win32/libdns.def.in
lib/isc/entropy.c
lib/isc/include/isc/entropy.h
lib/isc/include/isc/platform.h.in
lib/isc/include/isc/types.h
lib/isc/pk11.c
lib/isc/win32/include/isc/platform.h.in
win32utils/Configure

index 4de31a0772b7a891b1ebfb8439b9478be051fad0..a73c2f22b7cca306d77ac3dd3a05d26afbdaf229 100644 (file)
@@ -155,6 +155,13 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
                randomfile = NULL;
                open_keyboard = ISC_ENTROPY_KEYBOARDYES;
        }
+#ifdef ISC_PLATFORM_CRYPTORANDOM
+       if (randomfile != NULL &&
+           strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
+               randomfile = NULL;
+               isc_entropy_usehook(ectx, ISC_TRUE);
+       }
+#endif
        DO("start entropy source", isc_entropy_usebestsource(ectx,
                                                             &entropy_source,
                                                             randomfile,
index 43dcce82364037a907f1f80c1f433b805a32fea1..ad44c3c28d5a89a76964a00a220e4012cc77996f 100644 (file)
@@ -494,14 +494,14 @@ main(int argc, char **argv) {
 
        if (ectx == NULL)
                setup_entropy(mctx, NULL, &ectx);
-       result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
-       if (result != ISC_R_SUCCESS)
-               fatal("could not initialize hash");
        result = dst_lib_init(mctx, ectx,
                              ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
        if (result != ISC_R_SUCCESS)
                fatal("could not initialize dst: %s",
                      isc_result_totext(result));
+       result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
+       if (result != ISC_R_SUCCESS)
+               fatal("could not initialize hash");
        isc_entropy_stopcallbacksources(ectx);
 
        setup_logging(mctx, &log);
@@ -563,8 +563,8 @@ main(int argc, char **argv) {
        if (dns_rdataset_isassociated(&rdataset))
                dns_rdataset_disassociate(&rdataset);
        cleanup_logging(&log);
-       dst_lib_destroy();
        isc_hash_destroy();
+       dst_lib_destroy();
        cleanup_entropy(&ectx);
        dns_name_destroy();
        if (verbose > 10)
index 05b00000c6d5f7bcd546adc6df9a81c478817993..95558267e1362c2317b5b1b44f785b6cdacc1269 100644 (file)
@@ -405,14 +405,14 @@ main(int argc, char **argv) {
 
        if (ectx == NULL)
                setup_entropy(mctx, NULL, &ectx);
-       result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
-       if (result != ISC_R_SUCCESS)
-               fatal("could not initialize hash");
        result = dst_lib_init(mctx, ectx,
                              ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
        if (result != ISC_R_SUCCESS)
                fatal("could not initialize dst: %s",
                      isc_result_totext(result));
+       result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
+       if (result != ISC_R_SUCCESS)
+               fatal("could not initialize hash");
        isc_entropy_stopcallbacksources(ectx);
 
        setup_logging(mctx, &log);
@@ -456,8 +456,8 @@ main(int argc, char **argv) {
        if (dns_rdataset_isassociated(&rdataset))
                dns_rdataset_disassociate(&rdataset);
        cleanup_logging(&log);
-       dst_lib_destroy();
        isc_hash_destroy();
+       dst_lib_destroy();
        cleanup_entropy(&ectx);
        dns_name_destroy();
        if (verbose > 10)
index 437e1530b8f17de61674cb6f8371526102b87d7d..70998e8546919d5106c654f99d6242e12d6b9fe5 100644 (file)
@@ -179,14 +179,14 @@ main(int argc, char **argv) {
 
        if (ectx == NULL)
                setup_entropy(mctx, NULL, &ectx);
-       result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
-       if (result != ISC_R_SUCCESS)
-               fatal("Could not initialize hash");
        result = dst_lib_init2(mctx, ectx, engine,
                               ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
        if (result != ISC_R_SUCCESS)
                fatal("Could not initialize dst: %s",
                      isc_result_totext(result));
+       result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
+       if (result != ISC_R_SUCCESS)
+               fatal("Could not initialize hash");
        isc_entropy_stopcallbacksources(ectx);
 
        result = dst_key_fromnamedfile(filename, dir,
@@ -268,8 +268,8 @@ main(int argc, char **argv) {
 
 cleanup:
        dst_key_free(&key);
-       dst_lib_destroy();
        isc_hash_destroy();
+       dst_lib_destroy();
        cleanup_entropy(&ectx);
        if (verbose > 10)
                isc_mem_stats(mctx, stdout);
index a51fd453f006a4c91d70ad838496d4a5e3200b04..f5bf724e1f394c4884057cfceb8e83f77bce0094 100644 (file)
@@ -377,14 +377,14 @@ main(int argc, char **argv) {
 
        if (ectx == NULL)
                setup_entropy(mctx, NULL, &ectx);
-       result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
-       if (result != ISC_R_SUCCESS)
-               fatal("Could not initialize hash");
        result = dst_lib_init2(mctx, ectx, engine,
                               ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
        if (result != ISC_R_SUCCESS)
                fatal("Could not initialize dst: %s",
                      isc_result_totext(result));
+       result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
+       if (result != ISC_R_SUCCESS)
+               fatal("Could not initialize hash");
        isc_entropy_stopcallbacksources(ectx);
 
        if (predecessor != NULL) {
@@ -669,8 +669,8 @@ main(int argc, char **argv) {
        if (prevkey != NULL)
                dst_key_free(&prevkey);
        dst_key_free(&key);
-       dst_lib_destroy();
        isc_hash_destroy();
+       dst_lib_destroy();
        cleanup_entropy(&ectx);
        if (verbose > 10)
                isc_mem_stats(mctx, stdout);
index 47759558e5dfe0469b7662cd16b289a2cd15bb8b..9fcd5f8e33acb014cd578a1b94d4cda84a487a14 100644 (file)
@@ -3431,14 +3431,15 @@ main(int argc, char *argv[]) {
        if (!pseudorandom)
                eflags |= ISC_ENTROPY_GOODONLY;
 
-       result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
-       if (result != ISC_R_SUCCESS)
-               fatal("could not create hash context");
-
        result = dst_lib_init2(mctx, ectx, engine, eflags);
        if (result != ISC_R_SUCCESS)
                fatal("could not initialize dst: %s",
                      isc_result_totext(result));
+
+       result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
+       if (result != ISC_R_SUCCESS)
+               fatal("could not create hash context");
+
        isc_stdtime_get(&now);
 
        if (startstr != NULL) {
@@ -3845,8 +3846,8 @@ main(int argc, char *argv[]) {
        dns_master_styledestroy(&dsstyle, mctx);
 
        cleanup_logging(&log);
-       dst_lib_destroy();
        isc_hash_destroy();
+       dst_lib_destroy();
        cleanup_entropy(&ectx);
        dns_name_destroy();
        if (verbose > 10)
index cbf319dea4cc7e4ff76e598a4d55c49df9f11b87..c5f394efe55ad9ce4f2349bf35cc8ab3d029c03b 100644 (file)
@@ -278,15 +278,15 @@ main(int argc, char *argv[]) {
        if (ectx == NULL)
                setup_entropy(mctx, NULL, &ectx);
 
-       result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
-       if (result != ISC_R_SUCCESS)
-               fatal("could not create hash context");
-
        result = dst_lib_init2(mctx, ectx, engine, ISC_ENTROPY_BLOCKING);
        if (result != ISC_R_SUCCESS)
                fatal("could not initialize dst: %s",
                      isc_result_totext(result));
 
+       result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
+       if (result != ISC_R_SUCCESS)
+               fatal("could not create hash context");
+
        isc_stdtime_get(&now);
 
        rdclass = strtoclass(classname);
index dc05b745637426afdeda9cb735b89dbe3391e232..fc763e978182202dc834d0bbc1a9a3d9fb053f16 100644 (file)
@@ -29,6 +29,7 @@
 #include <isc/heap.h>
 #include <isc/list.h>
 #include <isc/mem.h>
+#include <isc/platform.h>
 #include <isc/print.h>
 #include <isc/string.h>
 #include <isc/time.h>
@@ -228,7 +229,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
        if (*ectx == NULL) {
                result = isc_entropy_create(mctx, ectx);
                if (result != ISC_R_SUCCESS)
-                       fatal("could not create entropy object");
+                       fatal("could not create entropy object: %s",
+                             isc_result_totext(result));
                ISC_LIST_INIT(sources);
        }
 
@@ -237,6 +239,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
                randomfile = NULL;
        }
 
+#ifdef ISC_PLATFORM_CRYPTORANDOM
+       if (randomfile != NULL &&
+           strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
+               randomfile = NULL;
+               isc_entropy_usehook(*ectx, ISC_TRUE);
+       }
+#endif
        result = isc_entropy_usebestsource(*ectx, &source, randomfile,
                                           usekeyboard);
 
index 323e7f526cf65286f120fb94e42f088029e54625..34b39a66f2d1e55355143dad5681c3363bca1608 100644 (file)
@@ -31,6 +31,7 @@
 #include <isc/lex.h>
 #include <isc/meminfo.h>
 #include <isc/parseint.h>
+#include <isc/platform.h>
 #include <isc/portset.h>
 #include <isc/print.h>
 #include <isc/random.h>
@@ -8293,6 +8294,10 @@ load_configuration(const char *filename, named_server_t *server,
                                      "no source of entropy found");
                } else {
                        const char *randomdev = cfg_obj_asstring(obj);
+#ifdef ISC_PLATFORM_CRYPTORANDOM
+                       if (strcmp(randomdev, ISC_PLATFORM_CRYPTORANDOM) == 0)
+                               isc_entropy_usehook(ns_g_entropy, ISC_TRUE);
+#else
                        int level = ISC_LOG_ERROR;
                        result = isc_entropy_createfilesource(named_g_entropy,
                                                              randomdev);
@@ -8326,6 +8331,7 @@ load_configuration(const char *filename, named_server_t *server,
                                }
                                isc_entropy_detach(&named_g_fallbackentropy);
                        }
+#endif
 #endif
                }
        }
index e5436e753cff8f5ffa27430c787e739ae5e0a787..61cfce7947e58ed8e57c0b9b12f5ec7138d1d800 100644 (file)
@@ -29,6 +29,7 @@
 #include <isc/mem.h>
 #include <isc/parseint.h>
 #include <isc/print.h>
+#include <isc/platform.h>
 #include <isc/random.h>
 #include <isc/region.h>
 #include <isc/sockaddr.h>
@@ -261,7 +262,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
        if (*ectx == NULL) {
                result = isc_entropy_create(mctx, ectx);
                if (result != ISC_R_SUCCESS)
-                       fatal("could not create entropy object");
+                       fatal("could not create entropy object: %s",
+                             isc_result_totext(result));
                ISC_LIST_INIT(sources);
        }
 
@@ -270,6 +272,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
                randomfile = NULL;
        }
 
+#ifdef ISC_PLATFORM_CRYPTORANDOM
+       if (randomfile != NULL &&
+           strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
+               randomfile = NULL;
+               isc_entropy_usehook(*ectx, ISC_TRUE);
+       }
+#endif
        result = isc_entropy_usebestsource(*ectx, &source, randomfile,
                                           usekeyboard);
 
@@ -955,11 +964,11 @@ setup_system(void) {
 
        irs_resconf_destroy(&resconf);
 
-       setup_entropy(gmctx, NULL, &entropy);
+       if (entropy == NULL)
+               setup_entropy(gmctx, NULL, &entropy);
 
        result = isc_hash_create(gmctx, entropy, DNS_NAME_MAXWIRE);
        check_result(result, "isc_hash_create");
-       isc_hash_init();
 
        result = dns_dispatchmgr_create(gmctx, entropy, &dispatchmgr);
        check_result(result, "dns_dispatchmgr_create");
@@ -983,6 +992,9 @@ setup_system(void) {
        check_result(result, "dst_lib_init");
        is_dst_up = ISC_TRUE;
 
+       /* moved after dst_lib_init() */
+       isc_hash_init();
+
        attrmask = DNS_DISPATCHATTR_UDP | DNS_DISPATCHATTR_TCP;
        attrmask |= DNS_DISPATCHATTR_IPV4 | DNS_DISPATCHATTR_IPV6;
 
index a5bd6c42a2dd70f8c5e5822be87ddfb6d6e4f4ff..fa0d5c724b28002cfb33ca0003001e580de6ef4e 100644 (file)
@@ -19,6 +19,7 @@
 #include <isc/log.h>
 #include <isc/mem.h>
 #include <isc/net.h>
+#include <isc/platform.h>
 #include <isc/print.h>
 #include <isc/sockaddr.h>
 #include <isc/socket.h>
@@ -196,6 +197,7 @@ sendqueries(isc_task_t *task, isc_event_t *event) {
 
 int
 main(int argc, char *argv[]) {
+       char *randomfile = NULL;
        isc_sockaddr_t bind_any;
        struct in_addr inaddr;
        isc_result_t result;
@@ -211,12 +213,16 @@ main(int argc, char *argv[]) {
        dns_dispatch_t *dispatchv4;
        dns_view_t *view;
 
-       UNUSED(argv);
+       RUNCHECK(isc_app_start());
 
-       if (argc > 1)
+       if ((argc == 2) || (argc == 4))
                have_src = ISC_TRUE;
 
-       RUNCHECK(isc_app_start());
+       if ((argc > 2) && (strcmp(argv[1], "-r") == 0)) {
+               randomfile = argv[2];
+               argv += 2;
+               argc -= 2;
+       }
 
        dns_result_register();
 
@@ -241,10 +247,18 @@ main(int argc, char *argv[]) {
 
        ectx = NULL;
        RUNCHECK(isc_entropy_create(mctx, &ectx));
-       RUNCHECK(isc_entropy_createfilesource(ectx, "../random.data"));
-       RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
+#ifdef ISC_PLATFORM_CRYPTORANDOM
+       if (randomfile != NULL &&
+           strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
+               randomfile = NULL;
+               isc_entropy_usehook(ectx, ISC_TRUE);
+       }
+#endif
+       if (randomfile != NULL)
+               RUNCHECK(isc_entropy_createfilesource(ectx, randomfile));
 
        RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY));
+       RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
 
        taskmgr = NULL;
        RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr));
@@ -297,8 +311,8 @@ main(int argc, char *argv[]) {
        isc_task_detach(&task);
        isc_taskmgr_destroy(&taskmgr);
 
-       dst_lib_destroy();
        isc_hash_destroy();
+       dst_lib_destroy();
        isc_entropy_detach(&ectx);
 
        isc_log_destroy(&lctx);
index 4397afa0da799b9f3398f1d34ab872729bc2b151..58742f8657e97cc2b885698aecc252cb957a7432 100644 (file)
@@ -13,7 +13,7 @@ status=0
 
 echo "I:check pipelined TCP queries"
 ret=0
-$PIPEQUERIES < input > raw || ret=1
+$PIPEQUERIES -r $RANDFILE < input > raw || ret=1
 awk '{ print $1 " " $5 }' < raw > output
 sort < output > output-sorted
 diff ref output-sorted || { ret=1 ; echo "I: diff sorted failed"; }
@@ -37,7 +37,7 @@ status=`expr $status + $ret`
 
 echo "I:check keep-response-order"
 ret=0
-$PIPEQUERIES ++ < inputb > rawb || ret=1
+$PIPEQUERIES -r $RANDFILE ++ < inputb > rawb || ret=1
 awk '{ print $1 " " $5 }' < rawb > outputb
 diff refb outputb || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
index 9c4686619708b55e873f7171cacb94475c7a68fa..e60c84b9c0cc713a097912c69ec1d1baf8d23795 100644 (file)
@@ -18,6 +18,7 @@
 #include <isc/buffer.h>
 #include <isc/entropy.h>
 #include <isc/mem.h>
+#include <isc/platform.h>
 #include <isc/print.h>
 #include <isc/region.h>
 #include <isc/stdio.h>
@@ -181,6 +182,9 @@ main(int argc, char **argv) {
 
        CHECK(isc_mem_create(0, 0, &mctx), "isc_mem_create()");
        CHECK(isc_entropy_create(mctx, &ectx), "isc_entropy_create()");
+#ifdef ISC_PLATFORM_CRYPTORANDOM
+       isc_entropy_usehook(ectx, ISC_TRUE);
+#endif
        CHECK(isc_entropy_usebestsource(ectx, &source,
                                        "../random.data",
                                        ISC_ENTROPY_KEYBOARDNO),
index e582dbe1710dbe2fe941ad893ef9e15bb4ee67f9..1f9e1bbba810920670a1fe377e3b8ab355156238 100644 (file)
@@ -201,6 +201,7 @@ sendquery(isc_task_t *task, isc_event_t *event) {
 int
 main(int argc, char *argv[]) {
        char *ourkeyname;
+       char *randomfile;
        isc_taskmgr_t *taskmgr;
        isc_timermgr_t *timermgr;
        isc_socketmgr_t *socketmgr;
@@ -220,10 +221,21 @@ main(int argc, char *argv[]) {
 
        RUNCHECK(isc_app_start());
 
+       randomfile = NULL;
+
        if (argc < 2) {
                fprintf(stderr, "I:no DH key provided\n");
                exit(-1);
        }
+       if (strcmp(argv[1], "-r") == 0) {
+               if (argc < 4) {
+                       fprintf(stderr, "I:no DH key provided\n");
+                       exit(-1);
+               }
+               randomfile = argv[2];
+               argv += 2;
+               argc -= 2;
+       }
        ourkeyname = argv[1];
 
        if (argc >= 3)
@@ -237,14 +249,22 @@ main(int argc, char *argv[]) {
 
        ectx = NULL;
        RUNCHECK(isc_entropy_create(mctx, &ectx));
-       RUNCHECK(isc_entropy_createfilesource(ectx, "../random.data"));
-       RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
+#ifdef ISC_PLATFORM_CRYPTORANDOM
+       if (randomfile != NULL &&
+           strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
+               randomfile = NULL;
+               isc_entropy_usehook(ectx, ISC_TRUE);
+       }
+#endif
+       if (randomfile != NULL)
+               RUNCHECK(isc_entropy_createfilesource(ectx, randomfile));
 
        log = NULL;
        logconfig = NULL;
        RUNCHECK(isc_log_create(mctx, &log, &logconfig));
 
        RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY));
+       RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
 
        taskmgr = NULL;
        RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr));
@@ -323,8 +343,8 @@ main(int argc, char *argv[]) {
 
        isc_log_destroy(&log);
 
-       dst_lib_destroy();
        isc_hash_destroy();
+       dst_lib_destroy();
        isc_entropy_detach(&ectx);
 
        isc_mem_destroy(&mctx);
index cf1fae75da2b0abfc30993c07d4525e846dfc4f7..40a83b1ed7fe71bb0b39e82b8cfdd74d8593a7c0 100644 (file)
@@ -134,6 +134,7 @@ sendquery(isc_task_t *task, isc_event_t *event) {
 int
 main(int argc, char **argv) {
        char *keyname;
+       char *randomfile;
        isc_taskmgr_t *taskmgr;
        isc_timermgr_t *timermgr;
        isc_socketmgr_t *socketmgr;
@@ -154,10 +155,21 @@ main(int argc, char **argv) {
 
        RUNCHECK(isc_app_start());
 
+       randomfile = NULL;
+
        if (argc < 2) {
                fprintf(stderr, "I:no key to delete\n");
                exit(-1);
        }
+       if (strcmp(argv[1], "-r") == 0) {
+               if (argc < 4) {
+                       fprintf(stderr, "I:no DH key provided\n");
+                       exit(-1);
+               }
+               randomfile = argv[2];
+               argv += 2;
+               argc -= 2;
+       }
        keyname = argv[1];
 
        dns_result_register();
@@ -167,14 +179,22 @@ main(int argc, char **argv) {
 
        ectx = NULL;
        RUNCHECK(isc_entropy_create(mctx, &ectx));
-       RUNCHECK(isc_entropy_createfilesource(ectx, "../random.data"));
-       RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
+#ifdef ISC_PLATFORM_CRYPTORANDOM
+       if (randomfile != NULL &&
+           strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
+               randomfile = NULL;
+               isc_entropy_usehook(ectx, ISC_TRUE);
+       }
+#endif
+       if (randomfile != NULL)
+               RUNCHECK(isc_entropy_createfilesource(ectx, randomfile));
 
        log = NULL;
        logconfig = NULL;
        RUNCHECK(isc_log_create(mctx, &log, &logconfig));
 
        RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY));
+       RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
 
        taskmgr = NULL;
        RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr));
@@ -257,8 +277,8 @@ main(int argc, char **argv) {
 
        isc_log_destroy(&log);
 
-       dst_lib_destroy();
        isc_hash_destroy();
+       dst_lib_destroy();
        isc_entropy_detach(&ectx);
 
        isc_mem_destroy(&mctx);
index 0f7c22b05e0fbf1f9b4e6268fbba6eafbbc35ef3..2601d7d39cf13d28e6774f27e7f45d4520f2fd80 100644 (file)
@@ -28,7 +28,7 @@ for owner in . foo.example.
 do
        echo "I:creating new key using owner name \"$owner\""
        ret=0
-       keyname=`$KEYCREATE $dhkeyname $owner` || ret=1
+       keyname=`$KEYCREATE -r $RANDFILE $dhkeyname $owner` || ret=1
        if [ $ret != 0 ]; then
                echo "I:failed"
                status=`expr $status + $ret`
@@ -50,7 +50,7 @@ do
 
        echo "I:deleting new key"
        ret=0
-       $KEYDELETE $keyname || ret=1
+       $KEYDELETE -r $RANDFILE $keyname || ret=1
        if [ $ret != 0 ]; then
                echo "I:failed"
        fi
@@ -70,7 +70,7 @@ done
 
 echo "I:creating new key using owner name bar.example."
 ret=0
-keyname=`$KEYCREATE $dhkeyname bar.example.` || ret=1
+keyname=`$KEYCREATE -r $RANDFILE $dhkeyname bar.example.` || ret=1
 if [ $ret != 0 ]; then
         echo "I:failed"
        status=`expr $status + $ret`
@@ -111,7 +111,7 @@ status=`expr $status + $ret`
 
 echo "I:recreating the bar.example. key"
 ret=0
-keyname=`$KEYCREATE $dhkeyname bar.example.` || ret=1
+keyname=`$KEYCREATE -r $RANDFILE $dhkeyname bar.example.` || ret=1
 if [ $ret != 0 ]; then
         echo "I:failed"
        status=`expr $status + $ret`
index 0fc239ef11c809a9444e5dd07192dfde4eeaf1ce..67151758f61d488ccb8ff1be4bcc4692971be239 100755 (executable)
--- a/configure
+++ b/configure
@@ -794,6 +794,7 @@ XMLSTATS
 NZDTARGETS
 NZDSRCS
 NZD_TOOLS
+ISC_PLATFORM_CRYPTORANDOM
 PKCS11_TEST
 PKCS11_ED25519
 PKCS11_GOST
@@ -935,6 +936,7 @@ infodir
 docdir
 oldincludedir
 includedir
+runstatedir
 localstatedir
 sharedstatedir
 sysconfdir
@@ -1001,6 +1003,7 @@ with_aes
 enable_openssl_hash
 with_cc_alg
 enable_openssl_version_check
+enable_crypto_rand
 with_lmdb
 with_libxml2
 with_libjson
@@ -1096,6 +1099,7 @@ datadir='${datarootdir}'
 sysconfdir='${prefix}/etc'
 sharedstatedir='${prefix}/com'
 localstatedir='${prefix}/var'
+runstatedir='${localstatedir}/run'
 includedir='${prefix}/include'
 oldincludedir='/usr/include'
 docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
@@ -1348,6 +1352,15 @@ do
   | -silent | --silent | --silen | --sile | --sil)
     silent=yes ;;
 
+  -runstatedir | --runstatedir | --runstatedi | --runstated \
+  | --runstate | --runstat | --runsta | --runst | --runs \
+  | --run | --ru | --r)
+    ac_prev=runstatedir ;;
+  -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
+  | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
+  | --run=* | --ru=* | --r=*)
+    runstatedir=$ac_optarg ;;
+
   -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
     ac_prev=sbindir ;;
   -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
@@ -1485,7 +1498,7 @@ fi
 for ac_var in  exec_prefix prefix bindir sbindir libexecdir datarootdir \
                datadir sysconfdir sharedstatedir localstatedir includedir \
                oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
-               libdir localedir mandir
+               libdir localedir mandir runstatedir
 do
   eval ac_val=\$$ac_var
   # Remove trailing slashes.
@@ -1638,6 +1651,7 @@ Fine tuning of the installation directories:
   --sysconfdir=DIR        read-only single-machine data [PREFIX/etc]
   --sharedstatedir=DIR    modifiable architecture-independent data [PREFIX/com]
   --localstatedir=DIR     modifiable single-machine data [PREFIX/var]
+  --runstatedir=DIR       modifiable per-process data [LOCALSTATEDIR/run]
   --libdir=DIR            object code libraries [EPREFIX/lib]
   --includedir=DIR        C header files [PREFIX/include]
   --oldincludedir=DIR     C header files for non-gcc [/usr/include]
@@ -1694,6 +1708,7 @@ Optional Features:
   --enable-openssl-hash   use OpenSSL for hash functions [default=yes]
   --enable-openssl-version-check
                           check OpenSSL version [default=yes]
+  --enable-crypto-rand    use the crypto provider for random [default=yes]
   --enable-largefile     64-bit file support
   --enable-backtrace      log stack backtrace on abort [default=yes]
   --enable-symtable       use internal symbol table for backtrace
@@ -15936,6 +15951,7 @@ case "$use_openssl" in
 $as_echo "disabled because of native PKCS11" >&6; }
                DST_OPENSSL_INC=""
                CRYPTO="-DPKCS11CRYPTO"
+               CRYPTOLIB="pkcs11"
                OPENSSLEDDSALINKOBJS=""
                OPENSSLEDDSALINKSRS=""
                OPENSSLGOSTLINKOBJS=""
@@ -15948,6 +15964,7 @@ $as_echo "disabled because of native PKCS11" >&6; }
 $as_echo "no" >&6; }
                DST_OPENSSL_INC=""
                CRYPTO=""
+               CRYPTOLIB=""
                OPENSSLEDDSALINKOBJS=""
                OPENSSLEDDSALINKSRS=""
                OPENSSLGOSTLINKOBJS=""
@@ -15958,6 +15975,7 @@ $as_echo "no" >&6; }
        auto)
                DST_OPENSSL_INC=""
                CRYPTO=""
+               CRYPTOLIB=""
                OPENSSLEDDSALINKOBJS=""
                OPENSSLEDDSALINKSRS=""
                OPENSSLGOSTLINKOBJS=""
@@ -15965,7 +15983,7 @@ $as_echo "no" >&6; }
                OPENSSLLINKOBJS=""
                OPENSSLLINKSRCS=""
                as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
-If you don't want OpenSSL, use --without-openssl" "$LINENO" 5
+If you do not want OpenSSL, use --without-openssl" "$LINENO" 5
                ;;
        *)
                if test "yes" = "$want_native_pkcs11"
@@ -15996,6 +16014,7 @@ $as_echo "not found" >&6; }
                        as_fn_error $? "\"$use_openssl/include/openssl/opensslv.h\" not found" "$LINENO" 5
                fi
                CRYPTO='-DOPENSSL'
+               CRYPTOLIB="openssl"
                if test "/usr" = "$use_openssl"
                then
                        DST_OPENSSL_INC=""
@@ -16639,8 +16658,6 @@ esac
 # Use OpenSSL for hash functions
 #
 
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for using OpenSSL for hash functions" >&5
-$as_echo_n "checking for using OpenSSL for hash functions... " >&6; }
 ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
 if test "whenossl" = "$want_openssl_hash"
 then
@@ -17023,6 +17040,86 @@ if test "rt" = "$have_clock_gt"; then
        LIBS="-lrt $LIBS"
 fi
 
+#
+# Use the crypto provider (OpenSSL/PKCS#11) for random functions
+#
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for using the crypto library (vs. builtin) for random functions" >&5
+$as_echo_n "checking for using the crypto library (vs. builtin) for random functions... " >&6; }
+# Check whether --enable-crypto-rand was given.
+if test "${enable_crypto_rand+set}" = set; then :
+  enableval=$enable_crypto_rand; want_crypto_rand="$enableval"
+else
+  want_crypto_rand="auto"
+fi
+
+if test "$want_crypto_rand" = "auto"
+then
+       case "$CRYPTOLIB" in
+       "")
+               want_crypto_rand="no"
+               ;;
+       pkcs11)
+               want_crypto_rand="yes"
+               ;;
+       openssl)
+               saved_cflags="$CFLAGS"
+               saved_libs="$LIBS"
+               CFLAGS="$CFLAGS $DST_OPENSSL_INC"
+               LIBS="$LIBS $DNS_OPENSSL_LIBS"
+               if test "$cross_compiling" = yes; then :
+  want_crypto_rand="yes"
+else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+#include <openssl/rand.h>
+
+unsigned char buf[128];
+
+int main()
+{
+       if (RAND_bytes(buf, 128) != 1)
+               return (1);
+       return (0);
+}
+
+_ACEOF
+if ac_fn_c_try_run "$LINENO"; then :
+  want_crypto_rand="yes"
+else
+  want_crypto_rand="no"
+fi
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
+  conftest.$ac_objext conftest.beam conftest.$ac_ext
+fi
+
+               CFLAGS="$saved_cflags"
+               LIBS="$saved_libs"
+               ;;
+       *)
+               as_fn_error $? "Unknown crypto library define $CRYPTOLIB" "$LINENO" 5
+               ;;
+       esac
+fi
+case $want_crypto_rand in
+       yes)
+               if test "$CRYPTOLIB" = ""
+               then
+                       as_fn_error $? "No crypto library for random functions" "$LINENO" 5
+               fi
+               { $as_echo "$as_me:${as_lineno-$LINENO}: result: \"$CRYPTOLIB\"" >&5
+$as_echo "\"$CRYPTOLIB\"" >&6; }
+               ISC_PLATFORM_CRYPTORANDOM="#define ISC_PLATFORM_CRYPTORANDOM \"$CRYPTOLIB\""
+               ;;
+       no)
+               { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+               ISC_PLATFORM_CRYPTORANDOM="#undef ISC_PLATFORM_CRYPTORANDOM"
+               ;;
+esac
+
+
 #
 # was --with-lmdb specified?
 #
@@ -20105,12 +20202,7 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
 ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM"
 ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM"
 if test "yes" = "$use_atomic"; then
-       have_atomic=yes         # set default
-       case "$host" in
-       i[3456]86-*)
-               # XXX: some old x86 architectures actually do not support
-               #      (some of) these operations.  Do we need stricter checks?
-               # The cast to long int works around a bug in the HP C Compiler
+       # The cast to long int works around a bug in the HP C Compiler
 # version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
 # declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
 # This bug is HP SR number 8606223364.
@@ -20143,6 +20235,11 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 
+       have_atomic=yes         # set default
+       case "$host" in
+       i[3456]86-*)
+               # XXX: some old x86 architectures actually do not support
+               #      (some of) these operations.  Do we need stricter checks?
                if test $ac_cv_sizeof_void_p = 8; then
                        arch=x86_64
                        have_xaddq=yes
@@ -20151,39 +20248,6 @@ _ACEOF
                fi
        ;;
        x86_64-*|amd64-*)
-               # The cast to long int works around a bug in the HP C Compiler
-# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
-# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
-# This bug is HP SR number 8606223364.
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of void *" >&5
-$as_echo_n "checking size of void *... " >&6; }
-if ${ac_cv_sizeof_void_p+:} false; then :
-  $as_echo_n "(cached) " >&6
-else
-  if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (void *))" "ac_cv_sizeof_void_p"        "$ac_includes_default"; then :
-
-else
-  if test "$ac_cv_type_void_p" = yes; then
-     { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
-$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-as_fn_error 77 "cannot compute sizeof (void *)
-See \`config.log' for more details" "$LINENO" 5; }
-   else
-     ac_cv_sizeof_void_p=0
-   fi
-fi
-
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_void_p" >&5
-$as_echo "$ac_cv_sizeof_void_p" >&6; }
-
-
-
-cat >>confdefs.h <<_ACEOF
-#define SIZEOF_VOID_P $ac_cv_sizeof_void_p
-_ACEOF
-
-
                if test $ac_cv_sizeof_void_p = 8; then
                        arch=x86_64
                        have_xaddq=yes
@@ -26059,6 +26123,8 @@ report() {
         echo "    Very verbose query trace logging (--enable-querytrace)"
     test "no" = "$atf" || echo "    Automated Testing Framework (--with-atf)"
 
+    echo "    Cryptographic library for DNSSEC: $CRYPTOLIB"
+
     echo "    Dynamically loadable zone (DLZ) drivers:"
     test "no" = "$use_dlz_bdb" || \
         echo "        Berkeley DB (--with-dlz-bdb)"
index 4c27d498c91e2aae5a1a0045f2c9601fe31d3627..485265db2e850bbbe0d27b3d5de99cedcc312dde 100644 (file)
@@ -1553,6 +1553,7 @@ case "$use_openssl" in
                AC_MSG_RESULT(disabled because of native PKCS11)
                DST_OPENSSL_INC=""
                CRYPTO="-DPKCS11CRYPTO"
+               CRYPTOLIB="pkcs11"
                OPENSSLEDDSALINKOBJS=""
                OPENSSLEDDSALINKSRS=""
                OPENSSLGOSTLINKOBJS=""
@@ -1564,6 +1565,7 @@ case "$use_openssl" in
                AC_MSG_RESULT(no)
                DST_OPENSSL_INC=""
                CRYPTO=""
+               CRYPTOLIB=""
                OPENSSLEDDSALINKOBJS=""
                OPENSSLEDDSALINKSRS=""
                OPENSSLGOSTLINKOBJS=""
@@ -1574,6 +1576,7 @@ case "$use_openssl" in
        auto)
                DST_OPENSSL_INC=""
                CRYPTO=""
+               CRYPTOLIB=""
                OPENSSLEDDSALINKOBJS=""
                OPENSSLEDDSALINKSRS=""
                OPENSSLGOSTLINKOBJS=""
@@ -1582,7 +1585,7 @@ case "$use_openssl" in
                OPENSSLLINKSRCS=""
                AC_MSG_ERROR(
 [OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
-If you don't want OpenSSL, use --without-openssl])
+If you do not want OpenSSL, use --without-openssl])
                ;;
        *)
                if test "yes" = "$want_native_pkcs11"
@@ -1612,6 +1615,7 @@ If you don't want OpenSSL, use --without-openssl])
                        AC_MSG_ERROR(["$use_openssl/include/openssl/opensslv.h" not found])
                fi
                CRYPTO='-DOPENSSL'
+               CRYPTOLIB="openssl"
                if test "/usr" = "$use_openssl"
                then
                        DST_OPENSSL_INC=""
@@ -2077,7 +2081,6 @@ esac
 # Use OpenSSL for hash functions
 #
 
-AC_MSG_CHECKING(for using OpenSSL for hash functions)
 ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
 if test "whenossl" = "$want_openssl_hash"
 then
@@ -2358,6 +2361,67 @@ if test "rt" = "$have_clock_gt"; then
        LIBS="-lrt $LIBS"
 fi
 
+#
+# Use the crypto provider (OpenSSL/PKCS#11) for random functions
+#
+
+AC_MSG_CHECKING(for using the crypto library (vs. builtin) for random functions)
+AC_ARG_ENABLE(crypto-rand,
+       [  --enable-crypto-rand    use the crypto provider for random [[default=yes]]],
+       want_crypto_rand="$enableval", want_crypto_rand="auto")
+if test "$want_crypto_rand" = "auto"
+then
+       case "$CRYPTOLIB" in
+       "")
+               want_crypto_rand="no"
+               ;;
+       pkcs11)
+               want_crypto_rand="yes"
+               ;;
+       openssl)
+               saved_cflags="$CFLAGS"
+               saved_libs="$LIBS"
+               CFLAGS="$CFLAGS $DST_OPENSSL_INC"
+               LIBS="$LIBS $DNS_OPENSSL_LIBS"
+               AC_TRY_RUN([
+#include <openssl/rand.h>
+
+unsigned char buf[128];
+
+int main()
+{
+       if (RAND_bytes(buf, 128) != 1)
+               return (1);
+       return (0);
+}
+],
+               [want_crypto_rand="yes"],
+               [want_crypto_rand="no"],
+               [want_crypto_rand="yes"])
+               CFLAGS="$saved_cflags"
+               LIBS="$saved_libs"
+               ;;
+       *)
+               AC_MSG_ERROR([Unknown crypto library define $CRYPTOLIB])
+               ;;
+       esac
+fi
+case $want_crypto_rand in
+       yes)
+               if test "$CRYPTOLIB" = ""
+               then
+                       AC_MSG_ERROR([No crypto library for random functions])
+               fi
+               AC_MSG_RESULT(["$CRYPTOLIB"])
+               ISC_PLATFORM_CRYPTORANDOM="#define ISC_PLATFORM_CRYPTORANDOM \"$CRYPTOLIB\""
+               ;;
+       no)
+               AC_MSG_RESULT(no)
+               ISC_PLATFORM_CRYPTORANDOM="#undef ISC_PLATFORM_CRYPTORANDOM"
+               ;;
+esac
+AC_SUBST(ISC_PLATFORM_CRYPTORANDOM)
+
 #
 # was --with-lmdb specified?
 #
@@ -3979,12 +4043,12 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
 ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM"
 ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM"
 if test "yes" = "$use_atomic"; then
+       AC_CHECK_SIZEOF([void *])
        have_atomic=yes         # set default
        case "$host" in
        [i[3456]86-*])
                # XXX: some old x86 architectures actually do not support
                #      (some of) these operations.  Do we need stricter checks?
-               AC_CHECK_SIZEOF([void *])
                if test $ac_cv_sizeof_void_p = 8; then
                        arch=x86_64
                        have_xaddq=yes
@@ -3993,7 +4057,6 @@ if test "yes" = "$use_atomic"; then
                fi
        ;;
        x86_64-*|amd64-*)
-               AC_CHECK_SIZEOF([void *])
                if test $ac_cv_sizeof_void_p = 8; then
                        arch=x86_64
                        have_xaddq=yes
@@ -5401,6 +5464,8 @@ report() {
         echo "    Very verbose query trace logging (--enable-querytrace)"
     test "no" = "$atf" || echo "    Automated Testing Framework (--with-atf)"
 
+    echo "    Cryptographic library for DNSSEC: $CRYPTOLIB"
+
     echo "    Dynamically loadable zone (DLZ) drivers:"
     test "no" = "$use_dlz_bdb" || \
         echo "        Berkeley DB (--with-dlz-bdb)"
index f7c063293d2047f06042286b1b474bbb7a0a3bb4..5496bf4c2ca77d782c28da1e89d955cfe6e2723d 100644 (file)
@@ -266,6 +266,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
 #ifdef GSSAPI
        RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI]));
 #endif
+#if defined(OPENSSL) || defined(PKCS11CRYPTO)
+#ifdef ISC_PLATFORM_CRYPTORANDOM
+       if (dst_entropy_pool != NULL)
+               isc_entropy_sethook(dst_random_getdata);
+#endif
+#endif /* defined(OPENSSL) || defined(PKCS11CRYPTO) */
        dst_initialized = ISC_TRUE;
        return (ISC_R_SUCCESS);
 
@@ -285,11 +291,19 @@ dst_lib_destroy(void) {
        for (i = 0; i < DST_MAX_ALGS; i++)
                if (dst_t_func[i] != NULL && dst_t_func[i]->cleanup != NULL)
                        dst_t_func[i]->cleanup();
+#if defined(OPENSSL) || defined(PKCS11CRYPTO)
+#ifdef ISC_PLATFORM_CRYPTORANDOM
+       if (dst_entropy_pool != NULL) {
+               isc_entropy_usehook(dst_entropy_pool, ISC_FALSE);
+               isc_entropy_sethook(NULL);
+       }
+#endif
 #ifdef OPENSSL
        dst__openssl_destroy();
 #elif PKCS11CRYPTO
        (void) dst__pkcs11_destroy();
 #endif /* if OPENSSL, elif PKCS11CRYPTO */
+#endif /* defined(OPENSSL) || defined(PKCS11CRYPTO) */
        if (dst__memory_pool != NULL)
                isc_mem_detach(&dst__memory_pool);
        if (dst_entropy_pool != NULL)
@@ -1991,13 +2005,17 @@ dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t pseudo) {
                flags &= ~ISC_ENTROPY_GOODONLY;
        else
                flags |= ISC_ENTROPY_BLOCKING;
+#ifdef ISC_PLATFORM_CRYPTORANDOM
+       return (dst_random_getdata(buf, len, NULL, flags));
+#else
        return (isc_entropy_getdata(dst_entropy_pool, buf, len, NULL, flags));
+#endif
 #endif /* PKCS11CRYPTO */
 }
 
 unsigned int
 dst__entropy_status(void) {
-#ifndef PKCS11CRYPTO
+#if !defined(PKCS11CRYPTO) && !defined(ISC_PLATFORM_CRYPTORANDOM)
 #ifdef GSSAPI
        unsigned int flags = dst_entropy_flags;
        isc_result_t ret;
@@ -2020,6 +2038,7 @@ dst__entropy_status(void) {
 #endif
        return (isc_entropy_status(dst_entropy_pool));
 #else
+       /* Doesn't matter as it is not used in this case. */
        return (0);
 #endif
 }
index 61f5f6b16f360c151a7226a11bdb9e0eefb9ac54..cacf6ca15eb3c42b74271aaedc84cd3f19a313c2 100644 (file)
@@ -154,6 +154,14 @@ dst_lib_destroy(void);
  * Releases all resources allocated by DST.
  */
 
+isc_result_t
+dst_random_getdata(void *data, unsigned int length,
+                  unsigned int *returned, unsigned int flags);
+/*%<
+ * \brief Return data from the crypto random generator.
+ * Specialization of isc_entropy_getdata().
+ */
+
 isc_boolean_t
 dst_algorithm_supported(unsigned int alg);
 /*%<
index c8cfad364cc91df3e13adb194b847888ad49c6ec..d8973abe212dd99a13c70dad656b50c128e59eaa 100644 (file)
@@ -32,6 +32,7 @@
 #include <isc/mem.h>
 #include <isc/mutex.h>
 #include <isc/mutexblock.h>
+#include <isc/platform.h>
 #include <isc/string.h>
 #include <isc/thread.h>
 #include <isc/util.h>
@@ -47,8 +48,6 @@
 #include <openssl/engine.h>
 #endif
 
-static RAND_METHOD *rm = NULL;
-
 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 static isc_mutex_t *locks = NULL;
 static int nlocks;
@@ -58,6 +57,9 @@ static int nlocks;
 static ENGINE *e = NULL;
 #endif
 
+#ifndef ISC_PLATFORM_CRYPTORANDOM
+static RAND_METHOD *rm = NULL;
+
 static int
 entropy_get(unsigned char *buf, int num) {
        isc_result_t result;
@@ -103,6 +105,7 @@ entropy_add(const void *buf, int num, double entropy) {
        return (1);
 }
 #endif
+#endif /* !ISC_PLATFORM_CRYPTORANDOM */
 
 #if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 static void
@@ -191,7 +194,7 @@ _set_thread_id(CRYPTO_THREADID *id)
 isc_result_t
 dst__openssl_init(const char *engine) {
        isc_result_t result;
-#ifdef USE_ENGINE
+#if defined(USE_ENGINE) && !defined(ISC_PLATFORM_CRYPTORANDOM)
        ENGINE *re;
 #else
 
@@ -222,6 +225,7 @@ dst__openssl_init(const char *engine) {
        ERR_load_crypto_strings();
 #endif
 
+#ifndef ISC_PLATFORM_CRYPTORANDOM
        rm = mem_alloc(sizeof(RAND_METHOD) FILELINE);
        if (rm == NULL) {
                result = ISC_R_NOMEMORY;
@@ -233,6 +237,7 @@ dst__openssl_init(const char *engine) {
        rm->add = entropy_add;
        rm->pseudorand = entropy_getpseudo;
        rm->status = entropy_status;
+#endif
 
 #ifdef USE_ENGINE
 #if !defined(CONF_MFLAGS_DEFAULT_SECTION)
@@ -266,6 +271,7 @@ dst__openssl_init(const char *engine) {
                }
        }
 
+#ifndef ISC_PLATFORM_CRYPTORANDOM
        re = ENGINE_get_default_RAND();
        if (re == NULL) {
                re = ENGINE_new();
@@ -278,9 +284,21 @@ dst__openssl_init(const char *engine) {
                ENGINE_free(re);
        } else
                ENGINE_finish(re);
+#endif
 #else
+#ifndef ISC_PLATFORM_CRYPTORANDOM
        RAND_set_rand_method(rm);
+#endif
 #endif /* USE_ENGINE */
+
+       /* Protect ourselves against unseeded PRNG */
+       if (RAND_status() != 1) {
+               FATAL_ERROR(__FILE__, __LINE__,
+                           "The OpenSSL pseudo random number generator "
+                           "cannot be initialized (cf the `PRNG not "
+                           "seeded' message in the OpenSSL FAQ)");
+       }
+
        return (ISC_R_SUCCESS);
 
 #ifdef USE_ENGINE
@@ -288,10 +306,14 @@ dst__openssl_init(const char *engine) {
        if (e != NULL)
                ENGINE_free(e);
        e = NULL;
+#ifndef ISC_PLATFORM_CRYPTORANDOM
        mem_free(rm FILELINE);
        rm = NULL;
 #endif
+#endif
+#ifndef ISC_PLATFORM_CRYPTORANDOM
  cleanup_mutexinit:
+#endif
 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
        CRYPTO_set_locking_callback(NULL);
        DESTROYMUTEXBLOCK(locks, nlocks);
@@ -306,14 +328,17 @@ void
 dst__openssl_destroy(void) {
 #if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L)
        OPENSSL_cleanup();
+#ifndef ISC_PLATFORM_CRYPTORANDOM
        if (rm != NULL) {
                mem_free(rm FILELINE);
                rm = NULL;
        }
+#endif
 #else
        /*
         * Sequence taken from apps_shutdown() in <apps/apps.h>.
         */
+#ifndef ISC_PLATFORM_CRYPTORANDOM
        if (rm != NULL) {
 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
                RAND_cleanup();
@@ -321,6 +346,7 @@ dst__openssl_destroy(void) {
                mem_free(rm FILELINE);
                rm = NULL;
        }
+#endif
 #if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
        CONF_modules_free();
 #endif
@@ -456,11 +482,45 @@ dst__openssl_getengine(const char *engine) {
 }
 #endif
 
-#else /* OPENSSL */
+isc_result_t
+dst_random_getdata(void *data, unsigned int length,
+                  unsigned int *returned, unsigned int flags) {
+#ifdef ISC_PLATFORM_CRYPTORANDOM
+#ifndef DONT_REQUIRE_DST_LIB_INIT
+       INSIST(dst__memory_pool != NULL);
+#endif
+       REQUIRE(data != NULL);
+       REQUIRE(length > 0);
 
-#include <isc/util.h>
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+       if ((flags & ISC_ENTROPY_GOODONLY) == 0) {
+               if (RAND_pseudo_bytes((unsigned char *)data, (int)length) < 0)
+                       return (dst__openssl_toresult2("RAND_pseudo_bytes",
+                                                      DST_R_OPENSSLFAILURE));
+       } else {
+               if (RAND_bytes((unsigned char *)data, (int)length) != 1)
+                       return (dst__openssl_toresult2("RAND_bytes",
+                                                      DST_R_OPENSSLFAILURE));
+       }
+#else
+       UNUSED(flags);
 
-EMPTY_TRANSLATION_UNIT
+       if (RAND_bytes((unsigned char *)data, (int)length) != 1)
+               return (dst__openssl_toresult2("RAND_bytes",
+                                              DST_R_OPENSSLFAILURE));
+#endif
+       if (returned != NULL)
+               *returned = length;
+       return (ISC_R_SUCCESS);
+#else
+       UNUSED(data);
+       UNUSED(length);
+       UNUSED(returned);
+       UNUSED(flags);
+
+       return (ISC_R_NOTIMPLEMENTED);
+#endif
+}
 
 #endif /* OPENSSL */
 /*! \file */
index ccb520eabf821c1d35712cfb3a1ef367c8a23c11..f4ef24546e63f48e17940edf6be9f951625edb3b 100644 (file)
 
 #include <config.h>
 
+#include <isc/util.h>
+
 #include <dns/log.h>
 #include <dns/result.h>
 
 #include <pk11/pk11.h>
 #include <pk11/internal.h>
 
+#include "dst_internal.h"
 #include "dst_pkcs11.h"
 
 isc_result_t
@@ -31,12 +34,47 @@ dst__pkcs11_toresult(const char *funcname, const char *file, int line,
        return (fallback);
 }
 
+isc_result_t
+dst_random_getdata(void *data, unsigned int length,
+                  unsigned int *returned, unsigned int flags) {
+#ifdef ISC_PLATFORM_CRYPTORANDOM
+       isc_result_t ret;
+
+#ifndef DONT_REQUIRE_DST_LIB_INIT
+       INSIST(dst__memory_pool != NULL);
+#endif
+       REQUIRE(data != NULL);
+       REQUIRE(length > 0);
+       UNUSED(flags);
+
+       ret = pk11_rand_bytes(data, (int) length);
+       if ((ret == ISC_R_SUCCESS) && (returned != NULL))
+               *returned = length;
+       return (ret);
+#else
+       UNUSED(data);
+       UNUSED(length);
+       UNUSED(returned);
+       UNUSED(flags);
+
+       return (ISC_R_NOTIMPLEMENTED);
+#endif
+}
 
 #else /* PKCS11CRYPTO */
 
 #include <isc/util.h>
 
-EMPTY_TRANSLATION_UNIT
+isc_result_t
+dst_random_getdata(void *data, unsigned int length,
+                  unsigned int *returned, unsigned int flags) {
+       UNUSED(data);
+       UNUSED(length);
+       UNUSED(returned);
+       UNUSED(flags);
+
+       return (ISC_R_NOTIMPLEMENTED);
+}
 
 #endif /* PKCS11CRYPTO */
 /*! \file */
index 1d783c4a8538a37b851dcd532ac8c2a404833d9c..8ac2f9a91324a359886d151cd6b5c1f46c37502b 100644 (file)
@@ -36,6 +36,7 @@ SRCS =                acl_test.c \
                dispatch_test.c \
                dnstap_test.c \
                dnstest.c \
+               dstrandom_test.c \
                geoip_test.c \
                gost_test.c \
                keytable_test.c \
@@ -65,6 +66,7 @@ TARGETS =     acl_test@EXEEXT@ \
                dh_test@EXEEXT@ \
                dispatch_test@EXEEXT@ \
                dnstap_test@EXEEXT@ \
+               dstrandom_test@EXEEXT@ \
                geoip_test@EXEEXT@ \
                gost_test@EXEEXT@ \
                keytable_test@EXEEXT@ \
@@ -231,6 +233,11 @@ zt_test@EXEEXT@: zt_test.@O@ dnstest.@O@ \
                        zt_test.@O@ dnstest.@O@ ${DNSLIBS} \
                                ${ISCLIBS} ${LIBS}
 
+dstrandom_test@EXEEXT@: dstrandom_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+       ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+                       dstrandom_test.@O@ ${DNSLIBS} \
+                       ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
+
 unit::
        sh ${top_srcdir}/unit/unittest.sh
 
index 260ec6f939e9721bd30937dfc40cafcddcfe0af7..092c155ee1508a37e232e701cbcb6a6bc34ae763 100644 (file)
@@ -116,12 +116,12 @@ dns_test_begin(FILE *logfile, isc_boolean_t start_managers) {
        CHECK(isc_mem_create(0, 0, &mctx));
        CHECK(isc_entropy_create(mctx, &ectx));
 
-       CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
-       hash_active = ISC_TRUE;
-
        CHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_BLOCKING));
        dst_active = ISC_TRUE;
 
+       CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
+       hash_active = ISC_TRUE;
+
        if (logfile != NULL) {
                isc_logdestination_t destination;
                isc_logconfig_t *logconfig = NULL;
@@ -165,14 +165,14 @@ dns_test_begin(FILE *logfile, isc_boolean_t start_managers) {
 
 void
 dns_test_end(void) {
-       if (dst_active) {
-               dst_lib_destroy();
-               dst_active = ISC_FALSE;
-       }
        if (hash_active) {
                isc_hash_destroy();
                hash_active = ISC_FALSE;
        }
+       if (dst_active) {
+               dst_lib_destroy();
+               dst_active = ISC_FALSE;
+       }
        if (ectx != NULL)
                isc_entropy_detach(&ectx);
 
diff --git a/lib/dns/tests/dstrandom_test.c b/lib/dns/tests/dstrandom_test.c
new file mode 100644 (file)
index 0000000..d2c72e7
--- /dev/null
@@ -0,0 +1,105 @@
+/*
+ * Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id$ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+#include <stdio.h>
+#include <string.h>
+
+#include <isc/entropy.h>
+#include <isc/mem.h>
+#include <isc/platform.h>
+#include <isc/util.h>
+
+#include <dst/dst.h>
+
+isc_mem_t *mctx = NULL;
+isc_entropy_t *ectx = NULL;
+unsigned char buffer[128];
+
+ATF_TC(isc_entropy_getdata);
+ATF_TC_HEAD(isc_entropy_getdata, tc) {
+       atf_tc_set_md_var(tc, "descr",
+                         "isc_entropy_getdata() examples");
+       atf_tc_set_md_var(tc, "X-randomfile",
+                         "testdata/dstrandom/random.data");
+}
+ATF_TC_BODY(isc_entropy_getdata, tc) {
+       isc_result_t result;
+       unsigned int returned, status;
+       int ret;
+       const char *randomfile = atf_tc_get_md_var(tc, "X-randomfile");
+
+       isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
+       result = isc_mem_create(0, 0, &mctx);
+       ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+       result = isc_entropy_create(mctx, &ectx);
+       ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+       result = dst_lib_init(mctx, ectx, 0);
+       ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+#ifdef ISC_PLATFORM_CRYPTORANDOM
+       isc_entropy_usehook(ectx, ISC_TRUE);
+
+       returned = 0;
+       result = isc_entropy_getdata(ectx, buffer, sizeof(buffer),
+                                    &returned, 0);
+       ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+       ATF_REQUIRE(returned == sizeof(buffer));
+
+       status = isc_entropy_status(ectx);
+       ATF_REQUIRE_EQ(status, 0);
+
+       isc_entropy_usehook(ectx, ISC_FALSE);
+#endif
+
+       ret = chdir(TESTS);
+       ATF_REQUIRE_EQ(ret, 0);
+
+       result = isc_entropy_createfilesource(ectx, randomfile);
+       ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+       returned = 0;
+       result = isc_entropy_getdata(ectx, buffer, sizeof(buffer),
+                                    &returned, 0);
+       ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+       ATF_REQUIRE(returned == sizeof(buffer));
+
+       status = isc_entropy_status(ectx);
+       ATF_REQUIRE(status > 0);
+
+       dst_lib_destroy();
+       isc_entropy_detach(&ectx);
+       ATF_REQUIRE(ectx == NULL);
+       isc_mem_destroy(&mctx);
+       ATF_REQUIRE(mctx == NULL);
+}
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+       ATF_TP_ADD_TC(tp, isc_entropy_getdata);
+
+       return (atf_no_error());
+}
+
diff --git a/lib/dns/tests/testdata/dstrandom/random.data b/lib/dns/tests/testdata/dstrandom/random.data
new file mode 100644 (file)
index 0000000..354add0
Binary files /dev/null and b/lib/dns/tests/testdata/dstrandom/random.data differ
index 80f51aa13af31187a04772583ec4682f4ee31234..9118392d0399d031d425ab4084ed264a52b3bafb 100644 (file)
@@ -1463,6 +1463,13 @@ dst_lib_destroy
 dst_lib_init
 dst_lib_init2
 dst_lib_initmsgcat
+@IF PKCS11
+dst_random_getdata
+@ELSE PKCS11
+@IF OPENSSL
+dst_random_getdata
+@END OPENSSL
+@END PKCS11
 dst_region_computeid
 dst_region_computerid
 dst_result_register
index e8d406ba219b9ba94c5854f008fb62e90bfa0111..65278b9beeb3d69b0a2aaf82bdbf7617e6b3b368 100644 (file)
@@ -100,11 +100,15 @@ struct isc_entropy {
        isc_uint32_t                    initialized;
        isc_uint32_t                    initcount;
        isc_entropypool_t               pool;
+       isc_boolean_t                   usehook;
        unsigned int                    nsources;
        isc_entropysource_t            *nextsource;
        ISC_LIST(isc_entropysource_t)   sources;
 };
 
+/*% Global Hook */
+static isc_entropy_getdata_t hook;
+
 /*% Sample Queue */
 typedef struct {
        isc_uint32_t    last_time;      /*%< last time recorded */
@@ -553,6 +557,11 @@ isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length,
 
        LOCK(&ent->lock);
 
+       if (ent->usehook && (hook != NULL)) {
+               UNLOCK(&ent->lock);
+               return (hook(data, length, returned, flags));
+       }
+
        remain = length;
        buf = data;
        total = 0;
@@ -704,6 +713,7 @@ isc_entropy_create(isc_mem_t *mctx, isc_entropy_t **entp) {
        ent->refcnt = 1;
        ent->initialized = 0;
        ent->initcount = 0;
+       ent->usehook = ISC_FALSE;
        ent->magic = ENTROPY_MAGIC;
 
        isc_entropypool_init(&ent->pool);
@@ -1284,3 +1294,17 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
         */
        return (final_result);
 }
+
+void
+isc_entropy_usehook(isc_entropy_t *ectx, isc_boolean_t onoff) {
+       REQUIRE(VALID_ENTROPY(ectx));
+
+       LOCK(&ectx->lock);
+       ectx->usehook = onoff;
+       UNLOCK(&ectx->lock);
+}
+
+void
+isc_entropy_sethook(isc_entropy_getdata_t myhook) {
+       hook = myhook;
+}
index 18707429f28993e3c96eaae45223385cabc41f2c..32d5e653d30c2814e1707667783b218a04b00b81 100644 (file)
@@ -300,6 +300,18 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
  *     isc_entropy_createcallbacksource().
  */
 
+void
+isc_entropy_usehook(isc_entropy_t *ectx, isc_boolean_t onoff);
+/*!<
+ * \brief Mark/unmark the given entropy structure as being hooked.
+ */
+
+void
+isc_entropy_sethook(isc_entropy_getdata_t myhook);
+/*!<
+ * \brief Set the getdata hook (e.g., for a crypto random generator).
+ */
+
 ISC_LANG_ENDDECLS
 
 #endif /* ISC_ENTROPY_H */
index d4128a9846a918e23078aac10bfdef1d87c55f73..f648dffa5d5736cbd081ec30f539baed31609c73 100644 (file)
  */
 @ISC_PLATFORM_HAVESTRINGSH@
 
+/*
+ * Define if the random functions are provided by crypto.
+ */
+@ISC_PLATFORM_CRYPTORANDOM@
+
 /*
  * Define if the hash functions must be provided by OpenSSL.
  */
index 6679bbc43c96a0244a76b9ea88d3a0cc4172fe82..dbcf8e85ab267e2f5a9ec56ddccbf0af24231086 100644 (file)
@@ -90,6 +90,8 @@ typedef struct isc_time                       isc_time_t;             /*%< Time */
 typedef struct isc_timer               isc_timer_t;            /*%< Timer */
 typedef struct isc_timermgr            isc_timermgr_t;         /*%< Timer Manager */
 
+typedef isc_result_t (*isc_entropy_getdata_t)(void *, unsigned int,
+                                             unsigned int *, unsigned int);
 typedef void (*isc_taskaction_t)(isc_task_t *, isc_event_t *);
 typedef int (*isc_sockfdwatch_t)(isc_task_t *, isc_socket_t *, void *, int);
 
index a7347d1d2d0fe72ccba6cca23dcab0144708c3d1..ca1496235f7b41e8e239a637fd161b24bd5bc733 100644 (file)
@@ -318,14 +318,16 @@ pk11_rand_seed_fromfile(const char *randomfile) {
        ret = isc_stdio_open(randomfile, "r", &stream);
        if (ret != ISC_R_SUCCESS)
                goto cleanup;
-       ret = isc_stdio_read(seed, 1, SEEDSIZE, stream, &cc);
-       if (ret!= ISC_R_SUCCESS)
-               goto cleanup;
+       while (ret == ISC_R_SUCCESS) {
+               ret = isc_stdio_read(seed, 1, SEEDSIZE, stream, &cc);
+               if ((ret != ISC_R_SUCCESS) && (ret != ISC_R_EOF))
+                       goto cleanup;
+               (void) pkcs_C_SeedRandom(ctx.session, seed, (CK_ULONG) cc);
+       } 
        ret = isc_stdio_close(stream);
        stream = NULL;
-       if (ret!= ISC_R_SUCCESS)
+       if (ret != ISC_R_SUCCESS)
                goto cleanup;
-       (void) pkcs_C_SeedRandom(ctx.session, seed, (CK_ULONG) cc);
 
     cleanup:
        if (stream != NULL)
index 77e40a81c8ab0553d26c34e290283da8603c4ee2..867718ef992fe0ae385cb0b56a643eae5caeb902 100644 (file)
 #define ISC_PLATFORM_NORETURN_PRE __declspec(noreturn)
 #define ISC_PLATFORM_NORETURN_POST
 
+/*
+ * Define if the random functions are provided by crypto.
+ */
+@ISC_PLATFORM_CRYPTORANDOM@
+
 /*
  * Define if the hash functions must be provided by OpenSSL.
  */
index be0f02cbcc9dc4d1aff7f2b62986a112fdc9f84f..b06089cbc31d5bd7c16321acd027d07615ac26fc 100644 (file)
@@ -257,6 +257,7 @@ my @substdefh = ("AES_CC",
 my %configdefp;
 
 my @substdefp = ("ISC_PLATFORM_BUSYWAITNOP",
+                 "ISC_PLATFORM_CRYPTORANDOM",
                  "ISC_PLATFORM_HAVEATOMICSTORE",
                  "ISC_PLATFORM_HAVEATOMICSTOREQ",
                  "ISC_PLATFORM_HAVECMPXCHG",
@@ -385,7 +386,8 @@ my @allcond = (@substcond, "NOTYET", "NOLONGER");
 
 # enable-xxx/disable-xxx
 
-my @enablelist = ("developer",
+my @enablelist = ("crypto-rand",
+                  "developer",
                   "fixed-rrset",
                   "intrinsics",
                   "isc-spnego",
@@ -446,6 +448,7 @@ my @help = (
 "\nOptional Features:\n",
 "  enable-intrinsics     enable instrinsic/atomic functions [default=yes]\n",
 "  enable-native-pkcs11  use native PKCS#11 for all crypto [default=no]\n",
+"  enable-crypto-rand    use crypto provider for random [default=yes]\n",
 "  enable-openssl-hash   use OpenSSL for hash functions [default=yes]\n",
 "  enable-isc-spnego     use SPNEGO from lib/dns [default=yes]\n",
 "  enable-filter-aaaa    enable filtering of AAAA records [default=yes]\n",
@@ -489,7 +492,9 @@ my $want_clean = "no";
 my $want_unknown = "no";
 my $unknown_value;
 my $enable_intrinsics = "yes";
+my $cryptolib = "";
 my $enable_native_pkcs11 = "no";
+my $enable_crypto_rand = "yes";
 my $enable_openssl_hash = "auto";
 my $enable_filter_aaaa = "yes";
 my $enable_isc_spnego = "yes";
@@ -698,6 +703,10 @@ sub myenable {
         if ($val =~ /^yes$/i) {
             $enable_native_pkcs11 = "yes";
         }
+    } elsif ($key =~ /^crypto-rand$/i) {
+        if ($val =~ /^no$/i) {
+            $enable_crypto_rand = "no";
+        }
     } elsif ($key =~ /^openssl-hash$/i) {
         if ($val =~ /^yes$/i) {
             $enable_openssl_hash = "yes";
@@ -981,6 +990,11 @@ if ($verbose) {
     } else {
         print "native-pkcs11: disabled\n";
     }
+    if ($enable_crypto_rand eq "yes") {
+        print "crypto-rand: enabled\n";
+    } else {
+        print "crypto-rand: disabled\n";
+    }
     if ($enable_openssl_hash eq "yes") {
         print "openssl-hash: enabled\n";
     } else {
@@ -1324,6 +1338,7 @@ if ($enable_intrinsics eq "yes") {
 
 # enable-native-pkcs11
 if ($enable_native_pkcs11 eq "yes") {
+    $cryptolib = "pkcs11";
     if ($use_openssl eq "auto") {
         $use_openssl = "no";
     }
@@ -1533,6 +1548,7 @@ if ($use_openssl eq "yes") {
         $openssl_dll = File::Spec->catdir($openssl_path, "@dirlist[0]");
     }   
 
+    $cryptolib = "openssl";
     $configcond{"OPENSSL"} = 1;
     $configdefd{"CRYPTO"} = "OPENSSL";
     $configvar{"OPENSSL_PATH"} = "$openssl_path";
@@ -2057,6 +2073,15 @@ if ($cookie_algorithm eq "sha1") {
     die "Unrecognized cookie algorithm: $cookie_algorithm\n";
 }
 
+# enable-crypto-rand
+if ($enable_crypto_rand eq "yes") {
+    if (($use_openssl eq "no") && ($enable_native_pkcs11 eq "no")) {
+        die "No crypto provider for random functions\n";
+    }
+    $configdefp{"ISC_PLATFORM_CRYPTORANDOM"} = "\"$cryptolib\"";
+}
+print "Cryptographic library for DNSSEC: $cryptolib";
+
 # enable-openssl-hash
 if ($enable_openssl_hash eq "yes") {
     if ($use_openssl eq "no") {
@@ -3375,6 +3400,7 @@ exit 0;
 #  --enable-developer partially supported
 #  --enable-newstats (9.9/9.9sub only)
 #  --enable-native-pkcs11 supported
+#  --enable-crypto-rand supported
 #  --enable-openssl-version-check included without a way to disable it
 #  --enable-openssl-hash supported
 #  --enable-threads included without a way to disable it
@@ -3400,6 +3426,7 @@ exit 0;
 #  --with-gost supported
 #  --with-aes supported
 #  --with-cc-alg supported
+#  --with-randomdev not supported on WIN32 (makes no sense)
 #  --with-geoip supported
 #  --with-gssapi supported with MIT (K)erberos (f)or (W)indows
 #  --with-lmdb no supported on WIN32 (port is not reliable)