diff --git a/CHANGES b/CHANGES index 36dd658a36..9ddc566e84 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +5980. [func] The internal isc_entropy API provider has been + changed from OpenSSL RAND_bytes() to uv_random() + to use system provided entropy. [GL !6803] + 5979. [func] Implement DoT support for nsupdate. [GL #1781] 5978. [port] The ability to use pkcs11 via engine_pkcs11 has been diff --git a/lib/isc/Makefile.am b/lib/isc/Makefile.am index c23ebf3138..35657e889e 100644 --- a/lib/isc/Makefile.am +++ b/lib/isc/Makefile.am @@ -26,6 +26,7 @@ libisc_la_HEADERS = \ include/isc/deprecated.h \ include/isc/dir.h \ include/isc/endian.h \ + include/isc/entropy.h \ include/isc/errno.h \ include/isc/error.h \ include/isc/event.h \ @@ -132,7 +133,6 @@ libisc_la_SOURCES = \ crc64.c \ dir.c \ entropy.c \ - entropy_private.h \ errno.c \ errno2result.c \ errno2result.h \ diff --git a/lib/isc/entropy.c b/lib/isc/entropy.c index ce79ba21c3..a037960bd1 100644 --- a/lib/isc/entropy.c +++ b/lib/isc/entropy.c @@ -11,18 +11,14 @@ * information regarding copyright ownership. */ -#include -#include - +#include #include #include - -#include "entropy_private.h" +#include void isc_entropy_get(void *buf, size_t buflen) { - if (RAND_bytes(buf, buflen) < 1) { - FATAL_ERROR(__FILE__, __LINE__, "RAND_bytes(): %s", - ERR_error_string(ERR_get_error(), NULL)); - } + int r = uv_random(NULL, NULL, buf, buflen, 0, NULL); + + UV_RUNTIME_CHECK(uv_random, r); } diff --git a/lib/isc/hash.c b/lib/isc/hash.c index 37622ea8c5..8dcc788ab6 100644 --- a/lib/isc/hash.c +++ b/lib/isc/hash.c @@ -15,16 +15,16 @@ #include #include -#include "entropy_private.h" -#include "isc/ascii.h" -#include "isc/hash.h" /* IWYU pragma: keep */ -#include "isc/once.h" -#include "isc/random.h" -#include "isc/result.h" -#include "isc/siphash.h" -#include "isc/string.h" -#include "isc/types.h" -#include "isc/util.h" +#include +#include +#include /* IWYU pragma: keep */ +#include +#include +#include +#include +#include +#include +#include static uint8_t isc_hash_key[16]; static uint8_t isc_hash32_key[8]; diff --git a/lib/isc/entropy_private.h b/lib/isc/include/isc/entropy.h similarity index 85% rename from lib/isc/entropy_private.h rename to lib/isc/include/isc/entropy.h index df9a38274a..4e2dc5f884 100644 --- a/lib/isc/entropy_private.h +++ b/lib/isc/include/isc/entropy.h @@ -17,13 +17,11 @@ #include -/*! \file isc/entropy_private.h +/*! \file isc/entropy.h * \brief Implements wrapper around CSPRNG cryptographic library calls * for getting cryptographically secure pseudo-random numbers. * - * - If OpenSSL is used, it uses RAND_bytes() - * - If PKCS#11 is used, it uses pkcs_C_GenerateRandom() - * + * Uses synchronous version of uv_random(). */ ISC_LANG_BEGINDECLS diff --git a/lib/isc/nonce.c b/lib/isc/nonce.c index 4c2baff77d..316498a613 100644 --- a/lib/isc/nonce.c +++ b/lib/isc/nonce.c @@ -11,10 +11,9 @@ * information regarding copyright ownership. */ +#include #include -#include "entropy_private.h" - void isc_nonce_buf(void *buf, size_t buflen) { isc_entropy_get(buf, buflen); diff --git a/lib/isc/random.c b/lib/isc/random.c index e37366d8cd..5d67f81b14 100644 --- a/lib/isc/random.c +++ b/lib/isc/random.c @@ -35,13 +35,13 @@ #include #include +#include #include #include #include #include #include -#include "entropy_private.h" #include "random_p.h" /*