upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-04-21 22:28:34 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

[rt31459d] rebased rt31459c

Browse source
This commit is contained in:
Evan Hunt 2017-09-12 19:05:46 -07:00
parent 30973087a0
commit 586e65ea5c
34 changed files with 660 additions and 115 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
bin/confgen/keygen.c
View file

@ -155,6 +155,13 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
randomfile = NULL;
open_keyboard = ISC_ENTROPY_KEYBOARDYES;
}
#ifdef ISC_PLATFORM_CRYPTORANDOM
if (randomfile != NULL &&
strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
randomfile = NULL;
isc_entropy_usehook(ectx, ISC_TRUE);
}
#endif
DO("start entropy source", isc_entropy_usebestsource(ectx,
&entropy_source,
randomfile,

8
bin/dnssec/dnssec-dsfromkey.c
View file

@ -494,14 +494,14 @@ main(int argc, char **argv) {
if (ectx == NULL)
setup_entropy(mctx, NULL, &ectx);
result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
if (result != ISC_R_SUCCESS)
fatal("could not initialize hash");
result = dst_lib_init(mctx, ectx,
ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
if (result != ISC_R_SUCCESS)
fatal("could not initialize dst: %s",
isc_result_totext(result));
result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
if (result != ISC_R_SUCCESS)
fatal("could not initialize hash");
isc_entropy_stopcallbacksources(ectx);
setup_logging(mctx, &log);
@ -563,8 +563,8 @@ main(int argc, char **argv) {
if (dns_rdataset_isassociated(&rdataset))
dns_rdataset_disassociate(&rdataset);
cleanup_logging(&log);
dst_lib_destroy();
isc_hash_destroy();
dst_lib_destroy();
cleanup_entropy(&ectx);
dns_name_destroy();
if (verbose > 10)

8
bin/dnssec/dnssec-importkey.c
View file

@ -405,14 +405,14 @@ main(int argc, char **argv) {
if (ectx == NULL)
setup_entropy(mctx, NULL, &ectx);
result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
if (result != ISC_R_SUCCESS)
fatal("could not initialize hash");
result = dst_lib_init(mctx, ectx,
ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
if (result != ISC_R_SUCCESS)
fatal("could not initialize dst: %s",
isc_result_totext(result));
result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
if (result != ISC_R_SUCCESS)
fatal("could not initialize hash");
isc_entropy_stopcallbacksources(ectx);
setup_logging(mctx, &log);
@ -456,8 +456,8 @@ main(int argc, char **argv) {
if (dns_rdataset_isassociated(&rdataset))
dns_rdataset_disassociate(&rdataset);
cleanup_logging(&log);
dst_lib_destroy();
isc_hash_destroy();
dst_lib_destroy();
cleanup_entropy(&ectx);
dns_name_destroy();
if (verbose > 10)

8
bin/dnssec/dnssec-revoke.c
View file

@ -179,14 +179,14 @@ main(int argc, char **argv) {
if (ectx == NULL)
setup_entropy(mctx, NULL, &ectx);
result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
if (result != ISC_R_SUCCESS)
fatal("Could not initialize hash");
result = dst_lib_init2(mctx, ectx, engine,
ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
if (result != ISC_R_SUCCESS)
fatal("Could not initialize dst: %s",
isc_result_totext(result));
result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
if (result != ISC_R_SUCCESS)
fatal("Could not initialize hash");
isc_entropy_stopcallbacksources(ectx);
result = dst_key_fromnamedfile(filename, dir,
@ -268,8 +268,8 @@ main(int argc, char **argv) {
cleanup:
dst_key_free(&key);
dst_lib_destroy();
isc_hash_destroy();
dst_lib_destroy();
cleanup_entropy(&ectx);
if (verbose > 10)
isc_mem_stats(mctx, stdout);

8
bin/dnssec/dnssec-settime.c
View file

@ -377,14 +377,14 @@ main(int argc, char **argv) {
if (ectx == NULL)
setup_entropy(mctx, NULL, &ectx);
result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
if (result != ISC_R_SUCCESS)
fatal("Could not initialize hash");
result = dst_lib_init2(mctx, ectx, engine,
ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
if (result != ISC_R_SUCCESS)
fatal("Could not initialize dst: %s",
isc_result_totext(result));
result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
if (result != ISC_R_SUCCESS)
fatal("Could not initialize hash");
isc_entropy_stopcallbacksources(ectx);
if (predecessor != NULL) {
@ -669,8 +669,8 @@ main(int argc, char **argv) {
if (prevkey != NULL)
dst_key_free(&prevkey);
dst_key_free(&key);
dst_lib_destroy();
isc_hash_destroy();
dst_lib_destroy();
cleanup_entropy(&ectx);
if (verbose > 10)
isc_mem_stats(mctx, stdout);

11
bin/dnssec/dnssec-signzone.c
View file

@ -3431,14 +3431,15 @@ main(int argc, char *argv[]) {
if (!pseudorandom)
eflags |= ISC_ENTROPY_GOODONLY;
result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
if (result != ISC_R_SUCCESS)
fatal("could not create hash context");
result = dst_lib_init2(mctx, ectx, engine, eflags);
if (result != ISC_R_SUCCESS)
fatal("could not initialize dst: %s",
isc_result_totext(result));
result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
if (result != ISC_R_SUCCESS)
fatal("could not create hash context");
isc_stdtime_get(&now);
if (startstr != NULL) {
@ -3845,8 +3846,8 @@ main(int argc, char *argv[]) {
dns_master_styledestroy(&dsstyle, mctx);
cleanup_logging(&log);
dst_lib_destroy();
isc_hash_destroy();
dst_lib_destroy();
cleanup_entropy(&ectx);
dns_name_destroy();
if (verbose > 10)

8
bin/dnssec/dnssec-verify.c
View file

@ -278,15 +278,15 @@ main(int argc, char *argv[]) {
if (ectx == NULL)
setup_entropy(mctx, NULL, &ectx);
result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
if (result != ISC_R_SUCCESS)
fatal("could not create hash context");
result = dst_lib_init2(mctx, ectx, engine, ISC_ENTROPY_BLOCKING);
if (result != ISC_R_SUCCESS)
fatal("could not initialize dst: %s",
isc_result_totext(result));
result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
if (result != ISC_R_SUCCESS)
fatal("could not create hash context");
isc_stdtime_get(&now);
rdclass = strtoclass(classname);

11
bin/dnssec/dnssectool.c
View file

@ -29,6 +29,7 @@
#include <isc/heap.h>
#include <isc/list.h>
#include <isc/mem.h>
#include <isc/platform.h>
#include <isc/print.h>
#include <isc/string.h>
#include <isc/time.h>
@ -228,7 +229,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
if (*ectx == NULL) {
result = isc_entropy_create(mctx, ectx);
if (result != ISC_R_SUCCESS)
fatal("could not create entropy object");
fatal("could not create entropy object: %s",
isc_result_totext(result));
ISC_LIST_INIT(sources);
}
@ -237,6 +239,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
randomfile = NULL;
}
#ifdef ISC_PLATFORM_CRYPTORANDOM
if (randomfile != NULL &&
strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
randomfile = NULL;
isc_entropy_usehook(*ectx, ISC_TRUE);
}
#endif
result = isc_entropy_usebestsource(*ectx, &source, randomfile,
usekeyboard);

6
bin/named/server.c
View file

@ -31,6 +31,7 @@
#include <isc/lex.h>
#include <isc/meminfo.h>
#include <isc/parseint.h>
#include <isc/platform.h>
#include <isc/portset.h>
#include <isc/print.h>
#include <isc/random.h>
@ -8293,6 +8294,10 @@ load_configuration(const char *filename, named_server_t *server,
"no source of entropy found");
} else {
const char *randomdev = cfg_obj_asstring(obj);
#ifdef ISC_PLATFORM_CRYPTORANDOM
if (strcmp(randomdev, ISC_PLATFORM_CRYPTORANDOM) == 0)
isc_entropy_usehook(ns_g_entropy, ISC_TRUE);
#else
int level = ISC_LOG_ERROR;
result = isc_entropy_createfilesource(named_g_entropy,
randomdev);
@ -8326,6 +8331,7 @@ load_configuration(const char *filename, named_server_t *server,
}
isc_entropy_detach(&named_g_fallbackentropy);
}
#endif
#endif
}
}

18
bin/nsupdate/nsupdate.c
View file

@ -29,6 +29,7 @@
#include <isc/mem.h>
#include <isc/parseint.h>
#include <isc/print.h>
#include <isc/platform.h>
#include <isc/random.h>
#include <isc/region.h>
#include <isc/sockaddr.h>
@ -261,7 +262,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
if (*ectx == NULL) {
result = isc_entropy_create(mctx, ectx);
if (result != ISC_R_SUCCESS)
fatal("could not create entropy object");
fatal("could not create entropy object: %s",
isc_result_totext(result));
ISC_LIST_INIT(sources);
}
@ -270,6 +272,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
randomfile = NULL;
}
#ifdef ISC_PLATFORM_CRYPTORANDOM
if (randomfile != NULL &&
strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
randomfile = NULL;
isc_entropy_usehook(*ectx, ISC_TRUE);
}
#endif
result = isc_entropy_usebestsource(*ectx, &source, randomfile,
usekeyboard);
@ -955,11 +964,11 @@ setup_system(void) {
irs_resconf_destroy(&resconf);
setup_entropy(gmctx, NULL, &entropy);
if (entropy == NULL)
setup_entropy(gmctx, NULL, &entropy);
result = isc_hash_create(gmctx, entropy, DNS_NAME_MAXWIRE);
check_result(result, "isc_hash_create");
isc_hash_init();
result = dns_dispatchmgr_create(gmctx, entropy, &dispatchmgr);
check_result(result, "dns_dispatchmgr_create");
@ -983,6 +992,9 @@ setup_system(void) {
check_result(result, "dst_lib_init");
is_dst_up = ISC_TRUE;
/* moved after dst_lib_init() */
isc_hash_init();
attrmask = DNS_DISPATCHATTR_UDP | DNS_DISPATCHATTR_TCP;
attrmask |= DNS_DISPATCHATTR_IPV4 | DNS_DISPATCHATTR_IPV6;

26
bin/tests/system/pipelined/pipequeries.c
View file

@ -19,6 +19,7 @@
#include <isc/log.h>
#include <isc/mem.h>
#include <isc/net.h>
#include <isc/platform.h>
#include <isc/print.h>
#include <isc/sockaddr.h>
#include <isc/socket.h>
@ -196,6 +197,7 @@ sendqueries(isc_task_t *task, isc_event_t *event) {
int
main(int argc, char *argv[]) {
char *randomfile = NULL;
isc_sockaddr_t bind_any;
struct in_addr inaddr;
isc_result_t result;
@ -211,12 +213,16 @@ main(int argc, char *argv[]) {
dns_dispatch_t *dispatchv4;
dns_view_t *view;
UNUSED(argv);
RUNCHECK(isc_app_start());
if (argc > 1)
if ((argc == 2) || (argc == 4))
have_src = ISC_TRUE;
RUNCHECK(isc_app_start());
if ((argc > 2) && (strcmp(argv[1], "-r") == 0)) {
randomfile = argv[2];
argv += 2;
argc -= 2;
}
dns_result_register();
@ -241,10 +247,18 @@ main(int argc, char *argv[]) {
ectx = NULL;
RUNCHECK(isc_entropy_create(mctx, &ectx));
RUNCHECK(isc_entropy_createfilesource(ectx, "../random.data"));
RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
#ifdef ISC_PLATFORM_CRYPTORANDOM
if (randomfile != NULL &&
strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
randomfile = NULL;
isc_entropy_usehook(ectx, ISC_TRUE);
}
#endif
if (randomfile != NULL)
RUNCHECK(isc_entropy_createfilesource(ectx, randomfile));
RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY));
RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
taskmgr = NULL;
RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr));
@ -297,8 +311,8 @@ main(int argc, char *argv[]) {
isc_task_detach(&task);
isc_taskmgr_destroy(&taskmgr);
dst_lib_destroy();
isc_hash_destroy();
dst_lib_destroy();
isc_entropy_detach(&ectx);
isc_log_destroy(&lctx);

4
bin/tests/system/pipelined/tests.sh
View file

@ -13,7 +13,7 @@ status=0
echo "I:check pipelined TCP queries"
ret=0
$PIPEQUERIES < input > raw || ret=1
$PIPEQUERIES -r $RANDFILE < input > raw || ret=1
awk '{ print $1 " " $5 }' < raw > output
sort < output > output-sorted
diff ref output-sorted || { ret=1 ; echo "I: diff sorted failed"; }
@ -37,7 +37,7 @@ status=`expr $status + $ret`
echo "I:check keep-response-order"
ret=0
$PIPEQUERIES ++ < inputb > rawb || ret=1
$PIPEQUERIES -r $RANDFILE ++ < inputb > rawb || ret=1
awk '{ print $1 " " $5 }' < rawb > outputb
diff refb outputb || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi

4
bin/tests/system/rsabigexponent/bigkey.c
View file

@ -18,6 +18,7 @@
#include <isc/buffer.h>
#include <isc/entropy.h>
#include <isc/mem.h>
#include <isc/platform.h>
#include <isc/print.h>
#include <isc/region.h>
#include <isc/stdio.h>
@ -181,6 +182,9 @@ main(int argc, char **argv) {
CHECK(isc_mem_create(0, 0, &mctx), "isc_mem_create()");
CHECK(isc_entropy_create(mctx, &ectx), "isc_entropy_create()");
#ifdef ISC_PLATFORM_CRYPTORANDOM
isc_entropy_usehook(ectx, ISC_TRUE);
#endif
CHECK(isc_entropy_usebestsource(ectx, &source,
"../random.data",
ISC_ENTROPY_KEYBOARDNO),

26
bin/tests/system/tkey/keycreate.c
View file

@ -201,6 +201,7 @@ sendquery(isc_task_t *task, isc_event_t *event) {
int
main(int argc, char *argv[]) {
char *ourkeyname;
char *randomfile;
isc_taskmgr_t *taskmgr;
isc_timermgr_t *timermgr;
isc_socketmgr_t *socketmgr;
@ -220,10 +221,21 @@ main(int argc, char *argv[]) {
RUNCHECK(isc_app_start());
randomfile = NULL;
if (argc < 2) {
fprintf(stderr, "I:no DH key provided\n");
exit(-1);
}
if (strcmp(argv[1], "-r") == 0) {
if (argc < 4) {
fprintf(stderr, "I:no DH key provided\n");
exit(-1);
}
randomfile = argv[2];
argv += 2;
argc -= 2;
}
ourkeyname = argv[1];
if (argc >= 3)
@ -237,14 +249,22 @@ main(int argc, char *argv[]) {
ectx = NULL;
RUNCHECK(isc_entropy_create(mctx, &ectx));
RUNCHECK(isc_entropy_createfilesource(ectx, "../random.data"));
RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
#ifdef ISC_PLATFORM_CRYPTORANDOM
if (randomfile != NULL &&
strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
randomfile = NULL;
isc_entropy_usehook(ectx, ISC_TRUE);
}
#endif
if (randomfile != NULL)
RUNCHECK(isc_entropy_createfilesource(ectx, randomfile));
log = NULL;
logconfig = NULL;
RUNCHECK(isc_log_create(mctx, &log, &logconfig));
RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY));
RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
taskmgr = NULL;
RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr));
@ -323,8 +343,8 @@ main(int argc, char *argv[]) {
isc_log_destroy(&log);
dst_lib_destroy();
isc_hash_destroy();
dst_lib_destroy();
isc_entropy_detach(&ectx);
isc_mem_destroy(&mctx);

26
bin/tests/system/tkey/keydelete.c
View file

@ -134,6 +134,7 @@ sendquery(isc_task_t *task, isc_event_t *event) {
int
main(int argc, char **argv) {
char *keyname;
char *randomfile;
isc_taskmgr_t *taskmgr;
isc_timermgr_t *timermgr;
isc_socketmgr_t *socketmgr;
@ -154,10 +155,21 @@ main(int argc, char **argv) {
RUNCHECK(isc_app_start());
randomfile = NULL;
if (argc < 2) {
fprintf(stderr, "I:no key to delete\n");
exit(-1);
}
if (strcmp(argv[1], "-r") == 0) {
if (argc < 4) {
fprintf(stderr, "I:no DH key provided\n");
exit(-1);
}
randomfile = argv[2];
argv += 2;
argc -= 2;
}
keyname = argv[1];
dns_result_register();
@ -167,14 +179,22 @@ main(int argc, char **argv) {
ectx = NULL;
RUNCHECK(isc_entropy_create(mctx, &ectx));
RUNCHECK(isc_entropy_createfilesource(ectx, "../random.data"));
RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
#ifdef ISC_PLATFORM_CRYPTORANDOM
if (randomfile != NULL &&
strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
randomfile = NULL;
isc_entropy_usehook(ectx, ISC_TRUE);
}
#endif
if (randomfile != NULL)
RUNCHECK(isc_entropy_createfilesource(ectx, randomfile));
log = NULL;
logconfig = NULL;
RUNCHECK(isc_log_create(mctx, &log, &logconfig));
RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY));
RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
taskmgr = NULL;
RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr));
@ -257,8 +277,8 @@ main(int argc, char **argv) {
isc_log_destroy(&log);
dst_lib_destroy();
isc_hash_destroy();
dst_lib_destroy();
isc_entropy_detach(&ectx);
isc_mem_destroy(&mctx);

8
bin/tests/system/tkey/tests.sh
View file

@ -28,7 +28,7 @@ for owner in . foo.example.
do
echo "I:creating new key using owner name \"$owner\""
ret=0
keyname=`$KEYCREATE $dhkeyname $owner` || ret=1
keyname=`$KEYCREATE -r $RANDFILE $dhkeyname $owner` || ret=1
if [ $ret != 0 ]; then
echo "I:failed"
status=`expr $status + $ret`
@ -50,7 +50,7 @@ do
echo "I:deleting new key"
ret=0
$KEYDELETE $keyname || ret=1
$KEYDELETE -r $RANDFILE $keyname || ret=1
if [ $ret != 0 ]; then
echo "I:failed"
fi
@ -70,7 +70,7 @@ done
echo "I:creating new key using owner name bar.example."
ret=0
keyname=`$KEYCREATE $dhkeyname bar.example.` || ret=1
keyname=`$KEYCREATE -r $RANDFILE $dhkeyname bar.example.` || ret=1
if [ $ret != 0 ]; then
echo "I:failed"
status=`expr $status + $ret`
@ -111,7 +111,7 @@ status=`expr $status + $ret`
echo "I:recreating the bar.example. key"
ret=0
keyname=`$KEYCREATE $dhkeyname bar.example.` || ret=1
keyname=`$KEYCREATE -r $RANDFILE $dhkeyname bar.example.` || ret=1
if [ $ret != 0 ]; then
echo "I:failed"
status=`expr $status + $ret`

152
configure vendored
View file

@ -794,6 +794,7 @@ XMLSTATS
NZDTARGETS
NZDSRCS
NZD_TOOLS
ISC_PLATFORM_CRYPTORANDOM
PKCS11_TEST
PKCS11_ED25519
PKCS11_GOST
@ -935,6 +936,7 @@ infodir
docdir
oldincludedir
includedir
runstatedir
localstatedir
sharedstatedir
sysconfdir
@ -1001,6 +1003,7 @@ with_aes
enable_openssl_hash
with_cc_alg
enable_openssl_version_check
enable_crypto_rand
with_lmdb
with_libxml2
with_libjson
@ -1096,6 +1099,7 @@ datadir='${datarootdir}'
sysconfdir='${prefix}/etc'
sharedstatedir='${prefix}/com'
localstatedir='${prefix}/var'
runstatedir='${localstatedir}/run'
includedir='${prefix}/include'
oldincludedir='/usr/include'
docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
@ -1348,6 +1352,15 @@ do
| -silent | --silent | --silen | --sile | --sil)
silent=yes ;;
-runstatedir | --runstatedir | --runstatedi | --runstated \
| --runstate | --runstat | --runsta | --runst | --runs \
| --run | --ru | --r)
ac_prev=runstatedir ;;
-runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
| --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
| --run=* | --ru=* | --r=*)
runstatedir=$ac_optarg ;;
-sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
ac_prev=sbindir ;;
-sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
@ -1485,7 +1498,7 @@ fi
for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \
datadir sysconfdir sharedstatedir localstatedir includedir \
oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
libdir localedir mandir
libdir localedir mandir runstatedir
do
eval ac_val=\$$ac_var
# Remove trailing slashes.
@ -1638,6 +1651,7 @@ Fine tuning of the installation directories:
--sysconfdir=DIR read-only single-machine data [PREFIX/etc]
--sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
--localstatedir=DIR modifiable single-machine data [PREFIX/var]
--runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run]
--libdir=DIR object code libraries [EPREFIX/lib]
--includedir=DIR C header files [PREFIX/include]
--oldincludedir=DIR C header files for non-gcc [/usr/include]
@ -1694,6 +1708,7 @@ Optional Features:
--enable-openssl-hash use OpenSSL for hash functions [default=yes]
--enable-openssl-version-check
check OpenSSL version [default=yes]
--enable-crypto-rand use the crypto provider for random [default=yes]
--enable-largefile 64-bit file support
--enable-backtrace log stack backtrace on abort [default=yes]
--enable-symtable use internal symbol table for backtrace
@ -15936,6 +15951,7 @@ case "$use_openssl" in
$as_echo "disabled because of native PKCS11" >&6; }
DST_OPENSSL_INC=""
CRYPTO="-DPKCS11CRYPTO"
CRYPTOLIB="pkcs11"
OPENSSLEDDSALINKOBJS=""
OPENSSLEDDSALINKSRS=""
OPENSSLGOSTLINKOBJS=""
@ -15948,6 +15964,7 @@ $as_echo "disabled because of native PKCS11" >&6; }
$as_echo "no" >&6; }
DST_OPENSSL_INC=""
CRYPTO=""
CRYPTOLIB=""
OPENSSLEDDSALINKOBJS=""
OPENSSLEDDSALINKSRS=""
OPENSSLGOSTLINKOBJS=""
@ -15958,6 +15975,7 @@ $as_echo "no" >&6; }
auto)
DST_OPENSSL_INC=""
CRYPTO=""
CRYPTOLIB=""
OPENSSLEDDSALINKOBJS=""
OPENSSLEDDSALINKSRS=""
OPENSSLGOSTLINKOBJS=""
@ -15965,7 +15983,7 @@ $as_echo "no" >&6; }
OPENSSLLINKOBJS=""
OPENSSLLINKSRCS=""
as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
If you don't want OpenSSL, use --without-openssl" "$LINENO" 5
If you do not want OpenSSL, use --without-openssl" "$LINENO" 5
;;
*)
if test "yes" = "$want_native_pkcs11"
@ -15996,6 +16014,7 @@ $as_echo "not found" >&6; }
as_fn_error $? "\"$use_openssl/include/openssl/opensslv.h\" not found" "$LINENO" 5
fi
CRYPTO='-DOPENSSL'
CRYPTOLIB="openssl"
if test "/usr" = "$use_openssl"
then
DST_OPENSSL_INC=""
@ -16639,8 +16658,6 @@ esac
# Use OpenSSL for hash functions
#
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for using OpenSSL for hash functions" >&5
$as_echo_n "checking for using OpenSSL for hash functions... " >&6; }
ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
if test "whenossl" = "$want_openssl_hash"
then
@ -17023,6 +17040,86 @@ if test "rt" = "$have_clock_gt"; then
LIBS="-lrt $LIBS"
fi
#
# Use the crypto provider (OpenSSL/PKCS#11) for random functions
#
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for using the crypto library (vs. builtin) for random functions" >&5
$as_echo_n "checking for using the crypto library (vs. builtin) for random functions... " >&6; }
# Check whether --enable-crypto-rand was given.
if test "${enable_crypto_rand+set}" = set; then :
enableval=$enable_crypto_rand; want_crypto_rand="$enableval"
else
want_crypto_rand="auto"
fi
if test "$want_crypto_rand" = "auto"
then
case "$CRYPTOLIB" in
"")
want_crypto_rand="no"
;;
pkcs11)
want_crypto_rand="yes"
;;
openssl)
saved_cflags="$CFLAGS"
saved_libs="$LIBS"
CFLAGS="$CFLAGS $DST_OPENSSL_INC"
LIBS="$LIBS $DNS_OPENSSL_LIBS"
if test "$cross_compiling" = yes; then :
want_crypto_rand="yes"
else
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
#include <openssl/rand.h>
unsigned char buf[128];
int main()
{
if (RAND_bytes(buf, 128) != 1)
return (1);
return (0);
}
_ACEOF
if ac_fn_c_try_run "$LINENO"; then :
want_crypto_rand="yes"
else
want_crypto_rand="no"
fi
rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
conftest.$ac_objext conftest.beam conftest.$ac_ext
fi
CFLAGS="$saved_cflags"
LIBS="$saved_libs"
;;
*)
as_fn_error $? "Unknown crypto library define $CRYPTOLIB" "$LINENO" 5
;;
esac
fi
case $want_crypto_rand in
yes)
if test "$CRYPTOLIB" = ""
then
as_fn_error $? "No crypto library for random functions" "$LINENO" 5
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: \"$CRYPTOLIB\"" >&5
$as_echo "\"$CRYPTOLIB\"" >&6; }
ISC_PLATFORM_CRYPTORANDOM="#define ISC_PLATFORM_CRYPTORANDOM \"$CRYPTOLIB\""
;;
no)
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
ISC_PLATFORM_CRYPTORANDOM="#undef ISC_PLATFORM_CRYPTORANDOM"
;;
esac
#
# was --with-lmdb specified?
#
@ -20105,12 +20202,7 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM"
ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM"
if test "yes" = "$use_atomic"; then
have_atomic=yes # set default
case "$host" in
i[3456]86-*)
# XXX: some old x86 architectures actually do not support
# (some of) these operations. Do we need stricter checks?
# The cast to long int works around a bug in the HP C Compiler
# The cast to long int works around a bug in the HP C Compiler
# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
# This bug is HP SR number 8606223364.
@ -20143,6 +20235,11 @@ cat >>confdefs.h <<_ACEOF
_ACEOF
have_atomic=yes # set default
case "$host" in
i[3456]86-*)
# XXX: some old x86 architectures actually do not support
# (some of) these operations. Do we need stricter checks?
if test $ac_cv_sizeof_void_p = 8; then
arch=x86_64
have_xaddq=yes
@ -20151,39 +20248,6 @@ _ACEOF
fi
;;
x86_64-*|amd64-*)
# The cast to long int works around a bug in the HP C Compiler
# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
# This bug is HP SR number 8606223364.
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of void *" >&5
$as_echo_n "checking size of void *... " >&6; }
if ${ac_cv_sizeof_void_p+:} false; then :
$as_echo_n "(cached) " >&6
else
if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (void *))" "ac_cv_sizeof_void_p" "$ac_includes_default"; then :
else
if test "$ac_cv_type_void_p" = yes; then
{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
as_fn_error 77 "cannot compute sizeof (void *)
See \`config.log' for more details" "$LINENO" 5; }
else
ac_cv_sizeof_void_p=0
fi
fi
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_void_p" >&5
$as_echo "$ac_cv_sizeof_void_p" >&6; }
cat >>confdefs.h <<_ACEOF
#define SIZEOF_VOID_P $ac_cv_sizeof_void_p
_ACEOF
if test $ac_cv_sizeof_void_p = 8; then
arch=x86_64
have_xaddq=yes
@ -26059,6 +26123,8 @@ report() {
echo " Very verbose query trace logging (--enable-querytrace)"
test "no" = "$atf" || echo " Automated Testing Framework (--with-atf)"
echo " Cryptographic library for DNSSEC: $CRYPTOLIB"
echo " Dynamically loadable zone (DLZ) drivers:"
test "no" = "$use_dlz_bdb" || \
echo " Berkeley DB (--with-dlz-bdb)"

73
configure.in
View file

@ -1553,6 +1553,7 @@ case "$use_openssl" in
AC_MSG_RESULT(disabled because of native PKCS11)
DST_OPENSSL_INC=""
CRYPTO="-DPKCS11CRYPTO"
CRYPTOLIB="pkcs11"
OPENSSLEDDSALINKOBJS=""
OPENSSLEDDSALINKSRS=""
OPENSSLGOSTLINKOBJS=""
@ -1564,6 +1565,7 @@ case "$use_openssl" in
AC_MSG_RESULT(no)
DST_OPENSSL_INC=""
CRYPTO=""
CRYPTOLIB=""
OPENSSLEDDSALINKOBJS=""
OPENSSLEDDSALINKSRS=""
OPENSSLGOSTLINKOBJS=""
@ -1574,6 +1576,7 @@ case "$use_openssl" in
auto)
DST_OPENSSL_INC=""
CRYPTO=""
CRYPTOLIB=""
OPENSSLEDDSALINKOBJS=""
OPENSSLEDDSALINKSRS=""
OPENSSLGOSTLINKOBJS=""
@ -1582,7 +1585,7 @@ case "$use_openssl" in
OPENSSLLINKSRCS=""
AC_MSG_ERROR(
[OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
If you don't want OpenSSL, use --without-openssl])
If you do not want OpenSSL, use --without-openssl])
;;
*)
if test "yes" = "$want_native_pkcs11"
@ -1612,6 +1615,7 @@ If you don't want OpenSSL, use --without-openssl])
AC_MSG_ERROR(["$use_openssl/include/openssl/opensslv.h" not found])
fi
CRYPTO='-DOPENSSL'
CRYPTOLIB="openssl"
if test "/usr" = "$use_openssl"
then
DST_OPENSSL_INC=""
@ -2077,7 +2081,6 @@ esac
# Use OpenSSL for hash functions
#
AC_MSG_CHECKING(for using OpenSSL for hash functions)
ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
if test "whenossl" = "$want_openssl_hash"
then
@ -2358,6 +2361,67 @@ if test "rt" = "$have_clock_gt"; then
LIBS="-lrt $LIBS"
fi
#
# Use the crypto provider (OpenSSL/PKCS#11) for random functions
#
AC_MSG_CHECKING(for using the crypto library (vs. builtin) for random functions)
AC_ARG_ENABLE(crypto-rand,
[ --enable-crypto-rand use the crypto provider for random [[default=yes]]],
want_crypto_rand="$enableval", want_crypto_rand="auto")
if test "$want_crypto_rand" = "auto"
then
case "$CRYPTOLIB" in
"")
want_crypto_rand="no"
;;
pkcs11)
want_crypto_rand="yes"
;;
openssl)
saved_cflags="$CFLAGS"
saved_libs="$LIBS"
CFLAGS="$CFLAGS $DST_OPENSSL_INC"
LIBS="$LIBS $DNS_OPENSSL_LIBS"
AC_TRY_RUN([
#include <openssl/rand.h>
unsigned char buf[128];
int main()
{
if (RAND_bytes(buf, 128) != 1)
return (1);
return (0);
}
],
[want_crypto_rand="yes"],
[want_crypto_rand="no"],
[want_crypto_rand="yes"])
CFLAGS="$saved_cflags"
LIBS="$saved_libs"
;;
*)
AC_MSG_ERROR([Unknown crypto library define $CRYPTOLIB])
;;
esac
fi
case $want_crypto_rand in
yes)
if test "$CRYPTOLIB" = ""
then
AC_MSG_ERROR([No crypto library for random functions])
fi
AC_MSG_RESULT(["$CRYPTOLIB"])
ISC_PLATFORM_CRYPTORANDOM="#define ISC_PLATFORM_CRYPTORANDOM \"$CRYPTOLIB\""
;;
no)
AC_MSG_RESULT(no)
ISC_PLATFORM_CRYPTORANDOM="#undef ISC_PLATFORM_CRYPTORANDOM"
;;
esac
AC_SUBST(ISC_PLATFORM_CRYPTORANDOM)
#
# was --with-lmdb specified?
#
@ -3979,12 +4043,12 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM"
ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM"
if test "yes" = "$use_atomic"; then
AC_CHECK_SIZEOF([void *])
have_atomic=yes # set default
case "$host" in
[i[3456]86-*])
# XXX: some old x86 architectures actually do not support
# (some of) these operations. Do we need stricter checks?
AC_CHECK_SIZEOF([void *])
if test $ac_cv_sizeof_void_p = 8; then
arch=x86_64
have_xaddq=yes
@ -3993,7 +4057,6 @@ if test "yes" = "$use_atomic"; then
fi
;;
x86_64-*|amd64-*)
AC_CHECK_SIZEOF([void *])
if test $ac_cv_sizeof_void_p = 8; then
arch=x86_64
have_xaddq=yes
@ -5401,6 +5464,8 @@ report() {
echo " Very verbose query trace logging (--enable-querytrace)"
test "no" = "$atf" || echo " Automated Testing Framework (--with-atf)"
echo " Cryptographic library for DNSSEC: $CRYPTOLIB"
echo " Dynamically loadable zone (DLZ) drivers:"
test "no" = "$use_dlz_bdb" || \
echo " Berkeley DB (--with-dlz-bdb)"

21
lib/dns/dst_api.c
View file

@ -266,6 +266,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
#ifdef GSSAPI
RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI]));
#endif
#if defined(OPENSSL) || defined(PKCS11CRYPTO)
#ifdef ISC_PLATFORM_CRYPTORANDOM
if (dst_entropy_pool != NULL)
isc_entropy_sethook(dst_random_getdata);
#endif
#endif /* defined(OPENSSL) || defined(PKCS11CRYPTO) */
dst_initialized = ISC_TRUE;
return (ISC_R_SUCCESS);
@ -285,11 +291,19 @@ dst_lib_destroy(void) {
for (i = 0; i < DST_MAX_ALGS; i++)
if (dst_t_func[i] != NULL && dst_t_func[i]->cleanup != NULL)
dst_t_func[i]->cleanup();
#if defined(OPENSSL) || defined(PKCS11CRYPTO)
#ifdef ISC_PLATFORM_CRYPTORANDOM
if (dst_entropy_pool != NULL) {
isc_entropy_usehook(dst_entropy_pool, ISC_FALSE);
isc_entropy_sethook(NULL);
}
#endif
#ifdef OPENSSL
dst__openssl_destroy();
#elif PKCS11CRYPTO
(void) dst__pkcs11_destroy();
#endif /* if OPENSSL, elif PKCS11CRYPTO */
#endif /* defined(OPENSSL) || defined(PKCS11CRYPTO) */
if (dst__memory_pool != NULL)
isc_mem_detach(&dst__memory_pool);
if (dst_entropy_pool != NULL)
@ -1991,13 +2005,17 @@ dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t pseudo) {
flags &= ~ISC_ENTROPY_GOODONLY;
else
flags |= ISC_ENTROPY_BLOCKING;
#ifdef ISC_PLATFORM_CRYPTORANDOM
return (dst_random_getdata(buf, len, NULL, flags));
#else
return (isc_entropy_getdata(dst_entropy_pool, buf, len, NULL, flags));
#endif
#endif /* PKCS11CRYPTO */
}
unsigned int
dst__entropy_status(void) {
#ifndef PKCS11CRYPTO
#if !defined(PKCS11CRYPTO) && !defined(ISC_PLATFORM_CRYPTORANDOM)
#ifdef GSSAPI
unsigned int flags = dst_entropy_flags;
isc_result_t ret;
@ -2020,6 +2038,7 @@ dst__entropy_status(void) {
#endif
return (isc_entropy_status(dst_entropy_pool));
#else
/* Doesn't matter as it is not used in this case. */
return (0);
#endif
}

8
lib/dns/include/dst/dst.h
View file

@ -154,6 +154,14 @@ dst_lib_destroy(void);
* Releases all resources allocated by DST.
*/
isc_result_t
dst_random_getdata(void *data, unsigned int length,
unsigned int *returned, unsigned int flags);
/*%<
* \brief Return data from the crypto random generator.
* Specialization of isc_entropy_getdata().
*/
isc_boolean_t
dst_algorithm_supported(unsigned int alg);
/*%<

72
lib/dns/openssl_link.c
View file

@ -32,6 +32,7 @@
#include <isc/mem.h>
#include <isc/mutex.h>
#include <isc/mutexblock.h>
#include <isc/platform.h>
#include <isc/string.h>
#include <isc/thread.h>
#include <isc/util.h>
@ -47,8 +48,6 @@
#include <openssl/engine.h>
#endif
static RAND_METHOD *rm = NULL;
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
static isc_mutex_t *locks = NULL;
static int nlocks;
@ -58,6 +57,9 @@ static int nlocks;
static ENGINE *e = NULL;
#endif
#ifndef ISC_PLATFORM_CRYPTORANDOM
static RAND_METHOD *rm = NULL;
static int
entropy_get(unsigned char *buf, int num) {
isc_result_t result;
@ -103,6 +105,7 @@ entropy_add(const void *buf, int num, double entropy) {
return (1);
}
#endif
#endif /* !ISC_PLATFORM_CRYPTORANDOM */
#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
static void
@ -191,7 +194,7 @@ _set_thread_id(CRYPTO_THREADID *id)
isc_result_t
dst__openssl_init(const char *engine) {
isc_result_t result;
#ifdef USE_ENGINE
#if defined(USE_ENGINE) && !defined(ISC_PLATFORM_CRYPTORANDOM)
ENGINE *re;
#else
@ -222,6 +225,7 @@ dst__openssl_init(const char *engine) {
ERR_load_crypto_strings();
#endif
#ifndef ISC_PLATFORM_CRYPTORANDOM
rm = mem_alloc(sizeof(RAND_METHOD) FILELINE);
if (rm == NULL) {
result = ISC_R_NOMEMORY;
@ -233,6 +237,7 @@ dst__openssl_init(const char *engine) {
rm->add = entropy_add;
rm->pseudorand = entropy_getpseudo;
rm->status = entropy_status;
#endif
#ifdef USE_ENGINE
#if !defined(CONF_MFLAGS_DEFAULT_SECTION)
@ -266,6 +271,7 @@ dst__openssl_init(const char *engine) {
}
}
#ifndef ISC_PLATFORM_CRYPTORANDOM
re = ENGINE_get_default_RAND();
if (re == NULL) {
re = ENGINE_new();
@ -278,9 +284,21 @@ dst__openssl_init(const char *engine) {
ENGINE_free(re);
} else
ENGINE_finish(re);
#endif
#else
#ifndef ISC_PLATFORM_CRYPTORANDOM
RAND_set_rand_method(rm);
#endif
#endif /* USE_ENGINE */
/* Protect ourselves against unseeded PRNG */
if (RAND_status() != 1) {
FATAL_ERROR(__FILE__, __LINE__,
"The OpenSSL pseudo random number generator "
"cannot be initialized (cf the `PRNG not "
"seeded' message in the OpenSSL FAQ)");
}
return (ISC_R_SUCCESS);
#ifdef USE_ENGINE
@ -288,10 +306,14 @@ dst__openssl_init(const char *engine) {
if (e != NULL)
ENGINE_free(e);
e = NULL;
#ifndef ISC_PLATFORM_CRYPTORANDOM
mem_free(rm FILELINE);
rm = NULL;
#endif
#endif
#ifndef ISC_PLATFORM_CRYPTORANDOM
cleanup_mutexinit:
#endif
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
CRYPTO_set_locking_callback(NULL);
DESTROYMUTEXBLOCK(locks, nlocks);
@ -306,14 +328,17 @@ void
dst__openssl_destroy(void) {
#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L)
OPENSSL_cleanup();
#ifndef ISC_PLATFORM_CRYPTORANDOM
if (rm != NULL) {
mem_free(rm FILELINE);
rm = NULL;
}
#endif
#else
/*
* Sequence taken from apps_shutdown() in <apps/apps.h>.
*/
#ifndef ISC_PLATFORM_CRYPTORANDOM
if (rm != NULL) {
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
RAND_cleanup();
@ -321,6 +346,7 @@ dst__openssl_destroy(void) {
mem_free(rm FILELINE);
rm = NULL;
}
#endif
#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
CONF_modules_free();
#endif
@ -456,11 +482,45 @@ dst__openssl_getengine(const char *engine) {
}
#endif
#else /* OPENSSL */
isc_result_t
dst_random_getdata(void *data, unsigned int length,
unsigned int *returned, unsigned int flags) {
#ifdef ISC_PLATFORM_CRYPTORANDOM
#ifndef DONT_REQUIRE_DST_LIB_INIT
INSIST(dst__memory_pool != NULL);
#endif
REQUIRE(data != NULL);
REQUIRE(length > 0);
#include <isc/util.h>
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
if ((flags & ISC_ENTROPY_GOODONLY) == 0) {
if (RAND_pseudo_bytes((unsigned char *)data, (int)length) < 0)
return (dst__openssl_toresult2("RAND_pseudo_bytes",
DST_R_OPENSSLFAILURE));
} else {
if (RAND_bytes((unsigned char *)data, (int)length) != 1)
return (dst__openssl_toresult2("RAND_bytes",
DST_R_OPENSSLFAILURE));
}
#else
UNUSED(flags);
EMPTY_TRANSLATION_UNIT
if (RAND_bytes((unsigned char *)data, (int)length) != 1)
return (dst__openssl_toresult2("RAND_bytes",
DST_R_OPENSSLFAILURE));
#endif
if (returned != NULL)
*returned = length;
return (ISC_R_SUCCESS);
#else
UNUSED(data);
UNUSED(length);
UNUSED(returned);
UNUSED(flags);
return (ISC_R_NOTIMPLEMENTED);
#endif
}
#endif /* OPENSSL */
/*! \file */

40
lib/dns/pkcs11.c
View file

@ -10,12 +10,15 @@
#include <config.h>
#include <isc/util.h>
#include <dns/log.h>
#include <dns/result.h>
#include <pk11/pk11.h>
#include <pk11/internal.h>
#include "dst_internal.h"
#include "dst_pkcs11.h"
isc_result_t
@ -31,12 +34,47 @@ dst__pkcs11_toresult(const char *funcname, const char *file, int line,
return (fallback);
}
isc_result_t
dst_random_getdata(void *data, unsigned int length,
unsigned int *returned, unsigned int flags) {
#ifdef ISC_PLATFORM_CRYPTORANDOM
isc_result_t ret;
#ifndef DONT_REQUIRE_DST_LIB_INIT
INSIST(dst__memory_pool != NULL);
#endif
REQUIRE(data != NULL);
REQUIRE(length > 0);
UNUSED(flags);
ret = pk11_rand_bytes(data, (int) length);
if ((ret == ISC_R_SUCCESS) && (returned != NULL))
*returned = length;
return (ret);
#else
UNUSED(data);
UNUSED(length);
UNUSED(returned);
UNUSED(flags);
return (ISC_R_NOTIMPLEMENTED);
#endif
}
#else /* PKCS11CRYPTO */
#include <isc/util.h>
EMPTY_TRANSLATION_UNIT
isc_result_t
dst_random_getdata(void *data, unsigned int length,
unsigned int *returned, unsigned int flags) {
UNUSED(data);
UNUSED(length);
UNUSED(returned);
UNUSED(flags);
return (ISC_R_NOTIMPLEMENTED);
}
#endif /* PKCS11CRYPTO */
/*! \file */

7
lib/dns/tests/Makefile.in
View file

@ -36,6 +36,7 @@ SRCS = acl_test.c \
dispatch_test.c \
dnstap_test.c \
dnstest.c \
dstrandom_test.c \
geoip_test.c \
gost_test.c \
keytable_test.c \
@ -65,6 +66,7 @@ TARGETS = acl_test@EXEEXT@ \
dh_test@EXEEXT@ \
dispatch_test@EXEEXT@ \
dnstap_test@EXEEXT@ \
dstrandom_test@EXEEXT@ \
geoip_test@EXEEXT@ \
gost_test@EXEEXT@ \
keytable_test@EXEEXT@ \
@ -231,6 +233,11 @@ zt_test@EXEEXT@: zt_test.@O@ dnstest.@O@ \
zt_test.@O@ dnstest.@O@ ${DNSLIBS} \
${ISCLIBS} ${LIBS}
dstrandom_test@EXEEXT@: dstrandom_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
dstrandom_test.@O@ ${DNSLIBS} \
${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
unit::
sh ${top_srcdir}/unit/unittest.sh

14
lib/dns/tests/dnstest.c
View file

@ -116,12 +116,12 @@ dns_test_begin(FILE *logfile, isc_boolean_t start_managers) {
CHECK(isc_mem_create(0, 0, &mctx));
CHECK(isc_entropy_create(mctx, &ectx));
CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
hash_active = ISC_TRUE;
CHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_BLOCKING));
dst_active = ISC_TRUE;
CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
hash_active = ISC_TRUE;
if (logfile != NULL) {
isc_logdestination_t destination;
isc_logconfig_t *logconfig = NULL;
@ -165,14 +165,14 @@ dns_test_begin(FILE *logfile, isc_boolean_t start_managers) {
void
dns_test_end(void) {
if (dst_active) {
dst_lib_destroy();
dst_active = ISC_FALSE;
}
if (hash_active) {
isc_hash_destroy();
hash_active = ISC_FALSE;
}
if (dst_active) {
dst_lib_destroy();
dst_active = ISC_FALSE;
}
if (ectx != NULL)
isc_entropy_detach(&ectx);

105
lib/dns/tests/dstrandom_test.c Normal file
View file

@ -0,0 +1,105 @@
/*
* Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id$ */
/*! \file */
#include <config.h>
#include <atf-c.h>
#include <stdio.h>
#include <string.h>
#include <isc/entropy.h>
#include <isc/mem.h>
#include <isc/platform.h>
#include <isc/util.h>
#include <dst/dst.h>
isc_mem_t *mctx = NULL;
isc_entropy_t *ectx = NULL;
unsigned char buffer[128];
ATF_TC(isc_entropy_getdata);
ATF_TC_HEAD(isc_entropy_getdata, tc) {
atf_tc_set_md_var(tc, "descr",
"isc_entropy_getdata() examples");
atf_tc_set_md_var(tc, "X-randomfile",
"testdata/dstrandom/random.data");
}
ATF_TC_BODY(isc_entropy_getdata, tc) {
isc_result_t result;
unsigned int returned, status;
int ret;
const char *randomfile = atf_tc_get_md_var(tc, "X-randomfile");
isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
result = isc_mem_create(0, 0, &mctx);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = isc_entropy_create(mctx, &ectx);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dst_lib_init(mctx, ectx, 0);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
#ifdef ISC_PLATFORM_CRYPTORANDOM
isc_entropy_usehook(ectx, ISC_TRUE);
returned = 0;
result = isc_entropy_getdata(ectx, buffer, sizeof(buffer),
&returned, 0);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
ATF_REQUIRE(returned == sizeof(buffer));
status = isc_entropy_status(ectx);
ATF_REQUIRE_EQ(status, 0);
isc_entropy_usehook(ectx, ISC_FALSE);
#endif
ret = chdir(TESTS);
ATF_REQUIRE_EQ(ret, 0);
result = isc_entropy_createfilesource(ectx, randomfile);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
returned = 0;
result = isc_entropy_getdata(ectx, buffer, sizeof(buffer),
&returned, 0);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
ATF_REQUIRE(returned == sizeof(buffer));
status = isc_entropy_status(ectx);
ATF_REQUIRE(status > 0);
dst_lib_destroy();
isc_entropy_detach(&ectx);
ATF_REQUIRE(ectx == NULL);
isc_mem_destroy(&mctx);
ATF_REQUIRE(mctx == NULL);
}
/*
* Main
*/
ATF_TP_ADD_TCS(tp) {
ATF_TP_ADD_TC(tp, isc_entropy_getdata);
return (atf_no_error());
}

BIN
lib/dns/tests/testdata/dstrandom/random.data vendored Normal file
View file

Binary file not shown.

7
lib/dns/win32/libdns.def.in
View file

@ -1463,6 +1463,13 @@ dst_lib_destroy
dst_lib_init
dst_lib_init2
dst_lib_initmsgcat
@IF PKCS11
dst_random_getdata
@ELSE PKCS11
@IF OPENSSL
dst_random_getdata
@END OPENSSL
@END PKCS11
dst_region_computeid
dst_region_computerid
dst_result_register

24
lib/isc/entropy.c
View file

@ -100,11 +100,15 @@ struct isc_entropy {
isc_uint32_t initialized;
isc_uint32_t initcount;
isc_entropypool_t pool;
isc_boolean_t usehook;
unsigned int nsources;
isc_entropysource_t *nextsource;
ISC_LIST(isc_entropysource_t) sources;
};
/*% Global Hook */
static isc_entropy_getdata_t hook;
/*% Sample Queue */
typedef struct {
isc_uint32_t last_time; /*%< last time recorded */
@ -553,6 +557,11 @@ isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length,
LOCK(&ent->lock);
if (ent->usehook && (hook != NULL)) {
UNLOCK(&ent->lock);
return (hook(data, length, returned, flags));
}
remain = length;
buf = data;
total = 0;
@ -704,6 +713,7 @@ isc_entropy_create(isc_mem_t *mctx, isc_entropy_t **entp) {
ent->refcnt = 1;
ent->initialized = 0;
ent->initcount = 0;
ent->usehook = ISC_FALSE;
ent->magic = ENTROPY_MAGIC;
isc_entropypool_init(&ent->pool);
@ -1284,3 +1294,17 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
*/
return (final_result);
}
void
isc_entropy_usehook(isc_entropy_t *ectx, isc_boolean_t onoff) {
REQUIRE(VALID_ENTROPY(ectx));
LOCK(&ectx->lock);
ectx->usehook = onoff;
UNLOCK(&ectx->lock);
}
void
isc_entropy_sethook(isc_entropy_getdata_t myhook) {
hook = myhook;
}

12
lib/isc/include/isc/entropy.h
View file

@ -300,6 +300,18 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
* isc_entropy_createcallbacksource().
*/
void
isc_entropy_usehook(isc_entropy_t *ectx, isc_boolean_t onoff);
/*!<
* \brief Mark/unmark the given entropy structure as being hooked.
*/
void
isc_entropy_sethook(isc_entropy_getdata_t myhook);
/*!<
* \brief Set the getdata hook (e.g., for a crypto random generator).
*/
ISC_LANG_ENDDECLS
#endif /* ISC_ENTROPY_H */

5
lib/isc/include/isc/platform.h.in
View file

@ -331,6 +331,11 @@
*/
@ISC_PLATFORM_HAVESTRINGSH@
/*
* Define if the random functions are provided by crypto.
*/
@ISC_PLATFORM_CRYPTORANDOM@
/*
* Define if the hash functions must be provided by OpenSSL.
*/

2
lib/isc/include/isc/types.h
View file

@ -90,6 +90,8 @@ typedef struct isc_time isc_time_t; /*%< Time */
typedef struct isc_timer isc_timer_t; /*%< Timer */
typedef struct isc_timermgr isc_timermgr_t; /*%< Timer Manager */
typedef isc_result_t (*isc_entropy_getdata_t)(void *, unsigned int,
unsigned int *, unsigned int);
typedef void (*isc_taskaction_t)(isc_task_t *, isc_event_t *);
typedef int (*isc_sockfdwatch_t)(isc_task_t *, isc_socket_t *, void *, int);

12
lib/isc/pk11.c
View file

@ -318,14 +318,16 @@ pk11_rand_seed_fromfile(const char *randomfile) {
ret = isc_stdio_open(randomfile, "r", &stream);
if (ret != ISC_R_SUCCESS)
goto cleanup;
ret = isc_stdio_read(seed, 1, SEEDSIZE, stream, &cc);
if (ret!= ISC_R_SUCCESS)
goto cleanup;
while (ret == ISC_R_SUCCESS) {
ret = isc_stdio_read(seed, 1, SEEDSIZE, stream, &cc);
if ((ret != ISC_R_SUCCESS) && (ret != ISC_R_EOF))
goto cleanup;
(void) pkcs_C_SeedRandom(ctx.session, seed, (CK_ULONG) cc);
}
ret = isc_stdio_close(stream);
stream = NULL;
if (ret!= ISC_R_SUCCESS)
if (ret != ISC_R_SUCCESS)
goto cleanup;
(void) pkcs_C_SeedRandom(ctx.session, seed, (CK_ULONG) cc);
cleanup:
if (stream != NULL)

5
lib/isc/win32/include/isc/platform.h.in
View file

@ -69,6 +69,11 @@
#define ISC_PLATFORM_NORETURN_PRE __declspec(noreturn)
#define ISC_PLATFORM_NORETURN_POST
/*
* Define if the random functions are provided by crypto.
*/
@ISC_PLATFORM_CRYPTORANDOM@
/*
* Define if the hash functions must be provided by OpenSSL.
*/

29
win32utils/Configure
View file

@ -257,6 +257,7 @@ my @substdefh = ("AES_CC",
my %configdefp;
my @substdefp = ("ISC_PLATFORM_BUSYWAITNOP",
"ISC_PLATFORM_CRYPTORANDOM",
"ISC_PLATFORM_HAVEATOMICSTORE",
"ISC_PLATFORM_HAVEATOMICSTOREQ",
"ISC_PLATFORM_HAVECMPXCHG",
@ -385,7 +386,8 @@ my @allcond = (@substcond, "NOTYET", "NOLONGER");
# enable-xxx/disable-xxx
my @enablelist = ("developer",
my @enablelist = ("crypto-rand",
"developer",
"fixed-rrset",
"intrinsics",
"isc-spnego",
@ -446,6 +448,7 @@ my @help = (
"\nOptional Features:\n",
" enable-intrinsics enable instrinsic/atomic functions [default=yes]\n",
" enable-native-pkcs11 use native PKCS#11 for all crypto [default=no]\n",
" enable-crypto-rand use crypto provider for random [default=yes]\n",
" enable-openssl-hash use OpenSSL for hash functions [default=yes]\n",
" enable-isc-spnego use SPNEGO from lib/dns [default=yes]\n",
" enable-filter-aaaa enable filtering of AAAA records [default=yes]\n",
@ -489,7 +492,9 @@ my $want_clean = "no";
my $want_unknown = "no";
my $unknown_value;
my $enable_intrinsics = "yes";
my $cryptolib = "";
my $enable_native_pkcs11 = "no";
my $enable_crypto_rand = "yes";
my $enable_openssl_hash = "auto";
my $enable_filter_aaaa = "yes";
my $enable_isc_spnego = "yes";
@ -698,6 +703,10 @@ sub myenable {
if ($val =~ /^yes$/i) {
$enable_native_pkcs11 = "yes";
}
} elsif ($key =~ /^crypto-rand$/i) {
if ($val =~ /^no$/i) {
$enable_crypto_rand = "no";
}
} elsif ($key =~ /^openssl-hash$/i) {
if ($val =~ /^yes$/i) {
$enable_openssl_hash = "yes";
@ -981,6 +990,11 @@ if ($verbose) {
} else {
print "native-pkcs11: disabled\n";
}
if ($enable_crypto_rand eq "yes") {
print "crypto-rand: enabled\n";
} else {
print "crypto-rand: disabled\n";
}
if ($enable_openssl_hash eq "yes") {
print "openssl-hash: enabled\n";
} else {
@ -1324,6 +1338,7 @@ if ($enable_intrinsics eq "yes") {
# enable-native-pkcs11
if ($enable_native_pkcs11 eq "yes") {
$cryptolib = "pkcs11";
if ($use_openssl eq "auto") {
$use_openssl = "no";
}
@ -1533,6 +1548,7 @@ if ($use_openssl eq "yes") {
$openssl_dll = File::Spec->catdir($openssl_path, "@dirlist[0]");
}
$cryptolib = "openssl";
$configcond{"OPENSSL"} = 1;
$configdefd{"CRYPTO"} = "OPENSSL";
$configvar{"OPENSSL_PATH"} = "$openssl_path";
@ -2057,6 +2073,15 @@ if ($cookie_algorithm eq "sha1") {
die "Unrecognized cookie algorithm: $cookie_algorithm\n";
}
# enable-crypto-rand
if ($enable_crypto_rand eq "yes") {
if (($use_openssl eq "no") && ($enable_native_pkcs11 eq "no")) {
die "No crypto provider for random functions\n";
}
$configdefp{"ISC_PLATFORM_CRYPTORANDOM"} = "\"$cryptolib\"";
}
print "Cryptographic library for DNSSEC: $cryptolib";
# enable-openssl-hash
if ($enable_openssl_hash eq "yes") {
if ($use_openssl eq "no") {
@ -3375,6 +3400,7 @@ exit 0;
# --enable-developer partially supported
# --enable-newstats (9.9/9.9sub only)
# --enable-native-pkcs11 supported
# --enable-crypto-rand supported
# --enable-openssl-version-check included without a way to disable it
# --enable-openssl-hash supported
# --enable-threads included without a way to disable it
@ -3400,6 +3426,7 @@ exit 0;
# --with-gost supported
# --with-aes supported
# --with-cc-alg supported
# --with-randomdev not supported on WIN32 (makes no sense)
# --with-geoip supported
# --with-gssapi supported with MIT (K)erberos (f)or (W)indows
# --with-lmdb no supported on WIN32 (port is not reliable)