Merge branch '165-always-use-crypto-provider-for-random-data' into 'master'

Always use OpenSSL or PKCS#11 random data providers

Closes #165

See merge request isc-projects/bind9!208

CHANGES

@@ -1,3 +1,7 @@
+4936.	[func]		Always use OpenSSL or PKCS#11 random data providers and
+			remove the configure option --{enable,disable}-crypto-rand.
+			[GL #165]
+
 4935.	[func]		Add support for LibreSSL >= 2.7.0 (some OpenSSL 1.1.0
 			call were added). [GL #191]
 

bin/confgen/keygen.c

@@ -154,11 +154,9 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
 
 	DO("create entropy context", isc_entropy_create(mctx, &ectx));
 
-#ifdef ISC_PLATFORM_CRYPTORANDOM
 	if (randomfile == NULL) {
 		isc_entropy_usehook(ectx, ISC_TRUE);
 	}
-#endif
 	if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
 		randomfile = NULL;
 		open_keyboard = ISC_ENTROPY_KEYBOARDYES;

bin/dnssec/dnssectool.c

@@ -239,11 +239,9 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
 		ISC_LIST_INIT(sources);
 	}
 
-#ifdef ISC_PLATFORM_CRYPTORANDOM
 	if (randomfile == NULL) {
 		isc_entropy_usehook(*ectx, ISC_TRUE);
 	}
-#endif
 	if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
 		usekeyboard = ISC_ENTROPY_KEYBOARDYES;
 		randomfile = NULL;

bin/named/config.c

@@ -89,11 +89,7 @@ options {\n\
 #	pid-file \"" NAMED_LOCALSTATEDIR "/run/named/named.pid\"; \n\
 	port 53;\n\
 	prefetch 2 9;\n"
-#if defined(ISC_PLATFORM_CRYPTORANDOM)
 "	random-device none;\n"
-#elif defined(PATH_RANDOMDEV)
-"	random-device \"" PATH_RANDOMDEV "\";\n"
-#endif
 "	recursing-file \"named.recursing\";\n\
 	recursive-clients 1000;\n\
 	request-nsid false;\n\

bin/named/server.c

@@ -8536,18 +8536,7 @@ load_configuration(const char *filename, named_server_t *server,
 			}
 		}
 		if (randomdev == NULL) {
-#ifdef ISC_PLATFORM_CRYPTORANDOM
 			isc_entropy_usehook(named_g_entropy, ISC_TRUE);
-#else
-			if ((obj != NULL) && !cfg_obj_isvoid(obj))
-				level = ISC_LOG_INFO;
-			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
-				      NAMED_LOGMODULE_SERVER, level,
-				      "no source of entropy found");
-			if ((obj == NULL) || cfg_obj_isvoid(obj)) {
-				CHECK(ISC_R_FAILURE);
-			}
-#endif
 		} else {
 			result = isc_entropy_createfilesource(named_g_entropy,
 							      randomdev);

bin/nsupdate/nsupdate.c

@@ -276,11 +276,9 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
 		randomfile = NULL;
 	}
 
-#ifdef ISC_PLATFORM_CRYPTORANDOM
 	if (randomfile == NULL) {
 		isc_entropy_usehook(*ectx, ISC_TRUE);
 	}
-#endif
 	result = isc_entropy_usebestsource(*ectx, &source, randomfile,
 					   usekeyboard);
 

bin/tests/system/pipelined/pipequeries.c

@@ -278,11 +278,9 @@ main(int argc, char *argv[]) {
 
 	ectx = NULL;
 	RUNCHECK(isc_entropy_create(mctx, &ectx));
-#ifdef ISC_PLATFORM_CRYPTORANDOM
 	if (randomfile == NULL) {
 		isc_entropy_usehook(ectx, ISC_TRUE);
 	}
-#endif
 	if (randomfile != NULL)
 		RUNCHECK(isc_entropy_createfilesource(ectx, randomfile));
 

bin/tests/system/rsabigexponent/bigkey.c

@@ -185,9 +185,7 @@ main(int argc, char **argv) {
 
 	CHECK(isc_mem_create(0, 0, &mctx), "isc_mem_create()");
 	CHECK(isc_entropy_create(mctx, &ectx), "isc_entropy_create()");
-#ifdef ISC_PLATFORM_CRYPTORANDOM
 	isc_entropy_usehook(ectx, ISC_TRUE);
-#endif
 	CHECK(isc_entropy_usebestsource(ectx, &source,
 					"../random.data",
 					ISC_ENTROPY_KEYBOARDNO),

bin/tests/system/tkey/keycreate.c

@@ -252,13 +252,12 @@ main(int argc, char *argv[]) {
 
 	ectx = NULL;
 	RUNCHECK(isc_entropy_create(mctx, &ectx));
-#ifdef ISC_PLATFORM_CRYPTORANDOM
 	if (randomfile == NULL) {
 		isc_entropy_usehook(ectx, ISC_TRUE);
 	}
-#endif
-	if (randomfile != NULL)
+	if (randomfile != NULL) {
 		RUNCHECK(isc_entropy_createfilesource(ectx, randomfile));
+	}
 
 	log = NULL;
 	logconfig = NULL;

bin/tests/system/tkey/keydelete.c

@@ -183,13 +183,12 @@ main(int argc, char **argv) {
 
 	ectx = NULL;
 	RUNCHECK(isc_entropy_create(mctx, &ectx));
-#ifdef ISC_PLATFORM_CRYPTORANDOM
 	if (randomfile == NULL) {
 		isc_entropy_usehook(ectx, ISC_TRUE);
 	}
-#endif
-	if (randomfile != NULL)
+	if (randomfile != NULL) {
 		RUNCHECK(isc_entropy_createfilesource(ectx, randomfile));
+	}
 
 	log = NULL;
 	logconfig = NULL;

configure

@@ -797,7 +797,6 @@ XMLSTATS
 NZDTARGETS
 NZDSRCS
 NZD_TOOLS
-ISC_PLATFORM_CRYPTORANDOM
 PKCS11_TEST
 PKCS11_ED25519
 PKCS11_GOST
@@ -1008,7 +1007,6 @@ with_eddsa
 with_aes
 with_cc_alg
 enable_openssl_hash
-enable_crypto_rand
 with_lmdb
 with_libxml2
 with_libjson
@@ -1699,7 +1697,6 @@ Optional Features:
   --enable-threads        enable multithreading
   --enable-native-pkcs11  use native PKCS11 for all crypto [default=no]
   --enable-openssl-hash   use OpenSSL for hash functions [default=yes]
-  --enable-crypto-rand    use the crypto provider for random [default=yes]
   --enable-largefile      64-bit file support
   --enable-backtrace      log stack backtrace on abort [default=yes]
   --enable-symtable       use internal symbol table for backtrace
@@ -17379,86 +17376,6 @@ if test "rt" = "$have_clock_gt"; then
 	LIBS="-lrt $LIBS"
 fi
 
-#
-# Use the crypto provider (OpenSSL/PKCS#11) for random functions
-#
-
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for using the crypto library (vs. builtin) for random functions" >&5
-$as_echo_n "checking for using the crypto library (vs. builtin) for random functions... " >&6; }
-# Check whether --enable-crypto-rand was given.
-if test "${enable_crypto_rand+set}" = set; then :
-  enableval=$enable_crypto_rand; want_crypto_rand="$enableval"
-else
-  want_crypto_rand="auto"
-fi
-
-if test "$want_crypto_rand" = "auto"
-then
-	case "$CRYPTOLIB" in
-	"")
-		want_crypto_rand="no"
-		;;
-	pkcs11)
-		want_crypto_rand="yes"
-		;;
-	openssl)
-		saved_cflags="$CFLAGS"
-		saved_libs="$LIBS"
-		CFLAGS="$CFLAGS $DST_OPENSSL_INC"
-		LIBS="$LIBS $DST_OPENSSL_LIBS"
-		if test "$cross_compiling" = yes; then :
-  want_crypto_rand="yes"
-else
-  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
-
-#include <openssl/rand.h>
-
-unsigned char buf[128];
-
-int main()
-{
-	if (RAND_bytes(buf, 128) != 1)
-		return (1);
-	return (0);
-}
-
-_ACEOF
-if ac_fn_c_try_run "$LINENO"; then :
-  want_crypto_rand="yes"
-else
-  want_crypto_rand="no"
-fi
-rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
-  conftest.$ac_objext conftest.beam conftest.$ac_ext
-fi
-
-		CFLAGS="$saved_cflags"
-		LIBS="$saved_libs"
-		;;
-	*)
-		as_fn_error $? "Unknown crypto library define $CRYPTOLIB" "$LINENO" 5
-		;;
-	esac
-fi
-case $want_crypto_rand in
-	yes)
-		if test "$CRYPTOLIB" = ""
-		then
-			as_fn_error $? "No crypto library for random functions" "$LINENO" 5
-		fi
-		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: \"$CRYPTOLIB\"" >&5
-$as_echo "\"$CRYPTOLIB\"" >&6; }
-		ISC_PLATFORM_CRYPTORANDOM="#define ISC_PLATFORM_CRYPTORANDOM \"$CRYPTOLIB\""
-		;;
-	no)
-		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
-		ISC_PLATFORM_CRYPTORANDOM="#undef ISC_PLATFORM_CRYPTORANDOM"
-		;;
-esac
-
-
 #
 # was --with-lmdb specified?
 #
@@ -26455,8 +26372,6 @@ report() {
 	    echo "    IPv6 support (--enable-ipv6)"
 	test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \
 		echo "    OpenSSL cryptography/DNSSEC (--with-openssl)"
-	test "no" = "$want_crypto_rand" || \
-		echo "    Crypto provider entropy source (--enable-crypto-rand)"
 	test "X$PYTHON" = "X" || echo "    Python tools (--with-python)"
 	test "X$XMLSTATS" = "X" || echo "    XML statistics (--with-libxml2)"
 	test "X$JSONSTATS" = "X" || echo "    JSON statistics (--with-libjson)"
@@ -26547,8 +26462,6 @@ report() {
 	echo "    ECDSA algorithm support (--with-ecdsa)"
     test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \
 	echo "    EDDSA algorithm support (--with-eddsa)"
-    test "yes" = "$want_crypto_rand" || \
-	echo "    Crypto provider entropy source (--enable-crypto-rand)"
 
     test "yes" = "$want_backtrace" || \
 	echo "    Print backtrace on crash (--enable-backtrace)"

configure.in

@@ -2324,68 +2324,6 @@ if test "rt" = "$have_clock_gt"; then
 	LIBS="-lrt $LIBS"
 fi
 
-#
-# Use the crypto provider (OpenSSL/PKCS#11) for random functions
-#
-
-AC_MSG_CHECKING(for using the crypto library (vs. builtin) for random functions)
-AC_ARG_ENABLE(crypto-rand,
-	      AS_HELP_STRING([--enable-crypto-rand],
-			    [use the crypto provider for random [default=yes]]),
-	want_crypto_rand="$enableval", want_crypto_rand="auto")
-if test "$want_crypto_rand" = "auto"
-then
-	case "$CRYPTOLIB" in
-	"")
-		want_crypto_rand="no"
-		;;
-	pkcs11)
-		want_crypto_rand="yes"
-		;;
-	openssl)
-		saved_cflags="$CFLAGS"
-		saved_libs="$LIBS"
-		CFLAGS="$CFLAGS $DST_OPENSSL_INC"
-		LIBS="$LIBS $DST_OPENSSL_LIBS"
-		AC_TRY_RUN([
-#include <openssl/rand.h>
-
-unsigned char buf[128];
-
-int main()
-{
-	if (RAND_bytes(buf, 128) != 1)
-		return (1);
-	return (0);
-}
-],
-		[want_crypto_rand="yes"],
-		[want_crypto_rand="no"],
-		[want_crypto_rand="yes"])
-		CFLAGS="$saved_cflags"
-		LIBS="$saved_libs"
-		;;
-	*)
-		AC_MSG_ERROR([Unknown crypto library define $CRYPTOLIB])
-		;;
-	esac
-fi
-case $want_crypto_rand in
-	yes)
-		if test "$CRYPTOLIB" = ""
-		then
-			AC_MSG_ERROR([No crypto library for random functions])
-		fi
-		AC_MSG_RESULT(["$CRYPTOLIB"])
-		ISC_PLATFORM_CRYPTORANDOM="#define ISC_PLATFORM_CRYPTORANDOM \"$CRYPTOLIB\""
-		;;
-	no)
-		AC_MSG_RESULT(no)
-		ISC_PLATFORM_CRYPTORANDOM="#undef ISC_PLATFORM_CRYPTORANDOM"
-		;;
-esac
-AC_SUBST(ISC_PLATFORM_CRYPTORANDOM)
-
 #
 # was --with-lmdb specified?
 #
@@ -5374,8 +5312,6 @@ report() {
 	    echo "    IPv6 support (--enable-ipv6)"
 	test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \
 		echo "    OpenSSL cryptography/DNSSEC (--with-openssl)"
-	test "no" = "$want_crypto_rand" || \
-		echo "    Crypto provider entropy source (--enable-crypto-rand)"
 	test "X$PYTHON" = "X" || echo "    Python tools (--with-python)"
 	test "X$XMLSTATS" = "X" || echo "    XML statistics (--with-libxml2)"
 	test "X$JSONSTATS" = "X" || echo "    JSON statistics (--with-libjson)"
@@ -5466,8 +5402,6 @@ report() {
 	echo "    ECDSA algorithm support (--with-ecdsa)"
     test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \
 	echo "    EDDSA algorithm support (--with-eddsa)"
-    test "yes" = "$want_crypto_rand" || \
-	echo "    Crypto provider entropy source (--enable-crypto-rand)"
 
     test "yes" = "$want_backtrace" || \
 	echo "    Print backtrace on crash (--enable-backtrace)"

doc/arm/Bv9ARM-book.xml

@@ -4950,20 +4950,6 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 		effect during the initial configuration load at server
 		startup time and is ignored on subsequent reloads.
 	      </para>
-	      <para>
-		If BIND is built with
-		<command>configure --disable-crypto-rand</command>, then
-		entropy is <emphasis>not</emphasis> sourced from the
-		cryptographic library. In this case, if
-		<command>random-device</command> is not specified, the
-		default value is the system random device,
-		<filename>/dev/random</filename> or the equivalent.
-		This default can be overridden with
-		<command>configure --with-randomdev</command>.
-		If no system random device exists, then no entropy source
-		will be configured, and <command>named</command> will only
-		be able to use pseudo-random numbers.
-	      </para>
 	    </listitem>
 	  </varlistentry>
 

lib/dns/dst_api.c

@@ -266,11 +266,9 @@ dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx,
 	RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI]));
 #endif
 #if defined(OPENSSL) || defined(PKCS11CRYPTO)
-#ifdef ISC_PLATFORM_CRYPTORANDOM
 	if (dst_entropy_pool != NULL) {
 		isc_entropy_sethook(dst_random_getdata);
 	}
-#endif
 #endif /* defined(OPENSSL) || defined(PKCS11CRYPTO) */
 	dst_initialized = ISC_TRUE;
 	return (ISC_R_SUCCESS);
@@ -292,12 +290,10 @@ dst_lib_destroy(void) {
 		if (dst_t_func[i] != NULL && dst_t_func[i]->cleanup != NULL)
 			dst_t_func[i]->cleanup();
 #if defined(OPENSSL) || defined(PKCS11CRYPTO)
-#ifdef ISC_PLATFORM_CRYPTORANDOM
 	if (dst_entropy_pool != NULL) {
 		isc_entropy_usehook(dst_entropy_pool, ISC_FALSE);
 		isc_entropy_sethook(NULL);
 	}
-#endif
 #ifdef OPENSSL
 	dst__openssl_destroy();
 #elif PKCS11CRYPTO
@@ -1965,44 +1961,15 @@ dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t pseudo) {
 		flags &= ~ISC_ENTROPY_GOODONLY;
 	else
 		flags |= ISC_ENTROPY_BLOCKING;
-#ifdef ISC_PLATFORM_CRYPTORANDOM
 	/* get entropy directly from crypto provider */
 	return (dst_random_getdata(buf, len, NULL, flags));
-#else
-	/* get entropy from entropy source or hook function */
-	return (isc_entropy_getdata(dst_entropy_pool, buf, len, NULL, flags));
-#endif /* ISC_PLATFORM_CRYPTORANDOM */
 #endif /* PKCS11CRYPTO */
 }
 
 unsigned int
 dst__entropy_status(void) {
-#if !defined(PKCS11CRYPTO) && !defined(ISC_PLATFORM_CRYPTORANDOM)
-#ifdef GSSAPI
-	unsigned int flags = dst_entropy_flags;
-	isc_result_t ret;
-	unsigned char buf[32];
-	static isc_boolean_t first = ISC_TRUE;
-
-	if (dst_entropy_pool == NULL)
-		return (0);
-
-	if (first) {
-		/* Someone believes RAND_status() initializes the PRNG */
-		flags &= ~ISC_ENTROPY_GOODONLY;
-		ret = isc_entropy_getdata(dst_entropy_pool, buf,
-					  sizeof(buf), NULL, flags);
-		INSIST(ret == ISC_R_SUCCESS);
-		isc_entropy_putdata(dst_entropy_pool, buf,
-				    sizeof(buf), 2 * sizeof(buf));
-		first = ISC_FALSE;
-	}
-#endif
-	return (isc_entropy_status(dst_entropy_pool));
-#else
 	/* Doesn't matter as it is not used in this case. */
 	return (0);
-#endif
 }
 
 isc_buffer_t *

lib/dns/include/dst/dst.h

@@ -158,7 +158,7 @@ dst_random_getdata(void *data, unsigned int length,
 		   unsigned int *returned, unsigned int flags);
 /*%<
  * Gets random data from the random generator provided by the
- * crypto library, if BIND was built with --enable-crypto-rand.
+ * crypto library.
  *
  * See isc_entropy_getdata() for parameter usage. Normally when
  * this function is available, it will be set up as a hook in the
@@ -167,7 +167,6 @@ dst_random_getdata(void *data, unsigned int length,
  *
  * Returns:
  * \li	ISC_R_SUCCESS on success
- * \li	ISC_R_NOTIMPLEMENTED if BIND is built with --disable-crypto-rand
  * \li	DST_R_OPENSSLFAILURE, DST_R_CRYPTOFAILURE, or other codes on error
  */
 

lib/dns/openssl_link.c

@@ -59,56 +59,6 @@ static int nlocks;
 static ENGINE *e = NULL;
 #endif
 
-#ifndef ISC_PLATFORM_CRYPTORANDOM
-static RAND_METHOD *rm = NULL;
-
-static int
-entropy_get(unsigned char *buf, int num) {
-	isc_result_t result;
-	if (num < 0)
-		return (-1);
-	result = dst__entropy_getdata(buf, (unsigned int) num, ISC_FALSE);
-	return (result == ISC_R_SUCCESS ? 1 : -1);
-}
-
-static int
-entropy_status(void) {
-	return (dst__entropy_status() > 32);
-}
-
-static int
-entropy_getpseudo(unsigned char *buf, int num) {
-	isc_result_t result;
-	if (num < 0)
-		return (-1);
-	result = dst__entropy_getdata(buf, (unsigned int) num, ISC_TRUE);
-	return (result == ISC_R_SUCCESS ? 1 : -1);
-}
-
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-static void
-entropy_add(const void *buf, int num, double entropy) {
-	/*
-	 * Do nothing.  The only call to this provides no useful data anyway.
-	 */
-	UNUSED(buf);
-	UNUSED(num);
-	UNUSED(entropy);
-}
-#else
-static int
-entropy_add(const void *buf, int num, double entropy) {
-	/*
-	 * Do nothing.  The only call to this provides no useful data anyway.
-	 */
-	UNUSED(buf);
-	UNUSED(num);
-	UNUSED(entropy);
-	return (1);
-}
-#endif
-#endif /* !ISC_PLATFORM_CRYPTORANDOM */
-
 #if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 static void
 lock_callback(int mode, int type, const char *file, int line) {
@@ -196,10 +146,8 @@ _set_thread_id(CRYPTO_THREADID *id)
 isc_result_t
 dst__openssl_init(const char *engine) {
 	isc_result_t result;
-#if defined(USE_ENGINE) && !defined(ISC_PLATFORM_CRYPTORANDOM)
-	ENGINE *re;
-#else
 
+#if !defined(USE_ENGINE)
 	UNUSED(engine);
 #endif
 
@@ -227,20 +175,6 @@ dst__openssl_init(const char *engine) {
 	ERR_load_crypto_strings();
 #endif
 
-#ifndef ISC_PLATFORM_CRYPTORANDOM
-	rm = mem_alloc(sizeof(RAND_METHOD) FILELINE);
-	if (rm == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto cleanup_mutexinit;
-	}
-	rm->seed = NULL;
-	rm->bytes = entropy_get;
-	rm->cleanup = NULL;
-	rm->add = entropy_add;
-	rm->pseudorand = entropy_getpseudo;
-	rm->status = entropy_status;
-#endif
-
 #ifdef USE_ENGINE
 #if !defined(CONF_MFLAGS_DEFAULT_SECTION)
 	OPENSSL_config(NULL);
@@ -273,27 +207,8 @@ dst__openssl_init(const char *engine) {
 		}
 	}
 
-#ifndef ISC_PLATFORM_CRYPTORANDOM
-	re = ENGINE_get_default_RAND();
-	if (re == NULL) {
-		re = ENGINE_new();
-		if (re == NULL) {
-			result = ISC_R_NOMEMORY;
-			goto cleanup_rm;
-		}
-		ENGINE_set_RAND(re, rm);
-		ENGINE_set_default_RAND(re);
-		ENGINE_free(re);
-	} else
-		ENGINE_finish(re);
-#endif
-#else
-#ifndef ISC_PLATFORM_CRYPTORANDOM
-	RAND_set_rand_method(rm);
-#endif
 #endif /* USE_ENGINE */
 
-#ifdef ISC_PLATFORM_CRYPTORANDOM
 	/* Protect ourselves against unseeded PRNG */
 	if (RAND_status() != 1) {
 		FATAL_ERROR(__FILE__, __LINE__,
@@ -301,7 +216,6 @@ dst__openssl_init(const char *engine) {
 			    "cannot be initialized (see the `PRNG not "
 			    "seeded' message in the OpenSSL FAQ)");
 	}
-#endif
 
 	return (ISC_R_SUCCESS);
 
@@ -310,13 +224,6 @@ dst__openssl_init(const char *engine) {
 	if (e != NULL)
 		ENGINE_free(e);
 	e = NULL;
-#ifndef ISC_PLATFORM_CRYPTORANDOM
-	mem_free(rm FILELINE);
-	rm = NULL;
-#endif
-#endif
-#ifndef ISC_PLATFORM_CRYPTORANDOM
- cleanup_mutexinit:
 #endif
 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 	CRYPTO_set_locking_callback(NULL);
@@ -332,25 +239,10 @@ void
 dst__openssl_destroy(void) {
 #if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L)
 	OPENSSL_cleanup();
-#ifndef ISC_PLATFORM_CRYPTORANDOM
-	if (rm != NULL) {
-		mem_free(rm FILELINE);
-		rm = NULL;
-	}
-#endif
 #else
 	/*
 	 * Sequence taken from apps_shutdown() in <apps/apps.h>.
 	 */
-#ifndef ISC_PLATFORM_CRYPTORANDOM
-	if (rm != NULL) {
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
-		RAND_cleanup();
-#endif
-		mem_free(rm FILELINE);
-		rm = NULL;
-	}
-#endif
 #if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
 	CONF_modules_free();
 #endif
@@ -490,7 +382,6 @@ isc_result_t
 dst_random_getdata(void *data, unsigned int length,
 		   unsigned int *returned, unsigned int flags)
 {
-#ifdef ISC_PLATFORM_CRYPTORANDOM
 #ifndef DONT_REQUIRE_DST_LIB_INIT
 	INSIST(dst__memory_pool != NULL);
 #endif
@@ -517,14 +408,6 @@ dst_random_getdata(void *data, unsigned int length,
 	if (returned != NULL)
 		*returned = length;
 	return (ISC_R_SUCCESS);
-#else
-	UNUSED(data);
-	UNUSED(length);
-	UNUSED(returned);
-	UNUSED(flags);
-
-	return (ISC_R_NOTIMPLEMENTED);
-#endif
 }
 
 #endif /* OPENSSL */

lib/dns/pkcs11.c

@@ -40,7 +40,6 @@ dst__pkcs11_toresult(const char *funcname, const char *file, int line,
 isc_result_t
 dst_random_getdata(void *data, unsigned int length,
 		   unsigned int *returned, unsigned int flags) {
-#ifdef ISC_PLATFORM_CRYPTORANDOM
 	isc_result_t ret;
 
 #ifndef DONT_REQUIRE_DST_LIB_INIT
@@ -54,29 +53,6 @@ dst_random_getdata(void *data, unsigned int length,
 	if ((ret == ISC_R_SUCCESS) && (returned != NULL))
 		*returned = length;
 	return (ret);
-#else
-	UNUSED(data);
-	UNUSED(length);
-	UNUSED(returned);
-	UNUSED(flags);
-
-	return (ISC_R_NOTIMPLEMENTED);
-#endif
-}
-
-#else /* PKCS11CRYPTO */
-
-#include <isc/util.h>
-
-isc_result_t
-dst_random_getdata(void *data, unsigned int length,
-		   unsigned int *returned, unsigned int flags) {
-	UNUSED(data);
-	UNUSED(length);
-	UNUSED(returned);
-	UNUSED(flags);
-
-	return (ISC_R_NOTIMPLEMENTED);
 }
 
 #endif /* PKCS11CRYPTO */

lib/dns/tests/dstrandom_test.c

@@ -51,7 +51,6 @@ ATF_TC_BODY(isc_entropy_getdata, tc) {
 	result = dst_lib_init(mctx, ectx, NULL, 0);
 	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
 
-#ifdef ISC_PLATFORM_CRYPTORANDOM
 	isc_entropy_usehook(ectx, ISC_TRUE);
 
 	returned = 0;
@@ -64,7 +63,6 @@ ATF_TC_BODY(isc_entropy_getdata, tc) {
 	ATF_REQUIRE_EQ(status, 0);
 
 	isc_entropy_usehook(ectx, ISC_FALSE);
-#endif
 
 	ret = chdir(TESTS);
 	ATF_REQUIRE_EQ(ret, 0);

lib/isc/include/isc/platform.h.in

@@ -332,11 +332,6 @@
  */
 @ISC_PLATFORM_HAVESTRINGSH@
 
-/*
- * Define if the random functions are provided by crypto.
- */
-@ISC_PLATFORM_CRYPTORANDOM@
-
 /*
  * Define if the hash functions must be provided by OpenSSL.
  */

lib/isc/win32/include/isc/platform.h.in

@@ -89,11 +89,6 @@
 #define ISC_PLATFORM_NORETURN_PRE __declspec(noreturn)
 #define ISC_PLATFORM_NORETURN_POST
 
-/*
- * Define if the random functions are provided by crypto.
- */
-@ISC_PLATFORM_CRYPTORANDOM@
-
 /*
  * Define if the hash functions must be provided by OpenSSL.
  */

win32utils/Configure

@@ -232,7 +232,6 @@ my @substdefh = ("AES_CC",
 my %configdefp;
 
 my @substdefp = ("ISC_PLATFORM_BUSYWAITNOP",
-                 "ISC_PLATFORM_CRYPTORANDOM",
                  "ISC_PLATFORM_HAVEATOMICSTORE",
                  "ISC_PLATFORM_HAVEATOMICSTOREQ",
                  "ISC_PLATFORM_HAVECMPXCHG",
@@ -362,8 +361,7 @@ my @allcond = (@substcond, "NOTYET", "NOLONGER");
 
 # enable-xxx/disable-xxx
 
-my @enablelist = ("crypto-rand",
-                  "developer",
+my @enablelist = ("developer",
                   "fixed-rrset",
                   "intrinsics",
                   "isc-spnego",
@@ -425,7 +423,6 @@ my @help = (
 "\nOptional Features:\n",
 "  enable-intrinsics     enable instrinsic/atomic functions [default=yes]\n",
 "  enable-native-pkcs11  use native PKCS#11 for all crypto [default=no]\n",
-"  enable-crypto-rand    use crypto provider for random [default=yes]\n",
 "  enable-openssl-hash   use OpenSSL for hash functions [default=yes]\n",
 "  enable-isc-spnego     use SPNEGO from lib/dns [default=yes]\n",
 "  enable-fixed-rrset    enable fixed rrset ordering [default=no]\n",
@@ -681,10 +678,6 @@ sub myenable {
         if ($val =~ /^yes$/i) {
             $enable_native_pkcs11 = "yes";
         }
-    } elsif ($key =~ /^crypto-rand$/i) {
-        if ($val =~ /^no$/i) {
-            $enable_crypto_rand = "no";
-        }
     } elsif ($key =~ /^openssl-hash$/i) {
         if ($val =~ /^yes$/i) {
             $enable_openssl_hash = "yes";
@@ -971,11 +964,6 @@ if ($verbose) {
     } else {
         print "native-pkcs11: disabled\n";
     }
-    if ($enable_crypto_rand eq "yes") {
-        print "crypto-rand: enabled\n";
-    } else {
-        print "crypto-rand: disabled\n";
-    }
     if ($enable_openssl_hash eq "yes") {
         print "openssl-hash: enabled\n";
     } else {
@@ -2076,13 +2064,6 @@ if ($cookie_algorithm eq "sha1") {
     die "Unrecognized cookie algorithm: $cookie_algorithm\n";
 }
 
-# enable-crypto-rand
-if ($enable_crypto_rand eq "yes") {
-    if (($use_openssl eq "no") && ($enable_native_pkcs11 eq "no")) {
-        die "No crypto provider for random functions\n";
-    }
-    $configdefp{"ISC_PLATFORM_CRYPTORANDOM"} = "\"$cryptolib\"";
-}
 print "Cryptographic library for DNSSEC: $cryptolib\n";
 
 # enable-openssl-hash
@@ -3407,7 +3388,6 @@ exit 0;
 #  --enable-developer partially supported
 #  --enable-newstats (9.9/9.9sub only)
 #  --enable-native-pkcs11 supported
-#  --enable-crypto-rand supported
 #  --enable-openssl-version-check included without a way to disable it
 #  --enable-openssl-hash supported
 #  --enable-threads included without a way to disable it