diff --git a/CHANGES b/CHANGES
index 53698120f6..c55c891fc4 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+4936. [func] Always use OpenSSL or PKCS#11 random data providers and
+ remove the configure option --{enable,disable}-crypto-rand.
+ [GL #165]
+
 4935. [func] Add support for LibreSSL >= 2.7.0 (some OpenSSL 1.1.0 call were added). [GL #191]
diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c
index 21e59631ae..ff89980969 100644
--- a/bin/confgen/keygen.c
+++ b/bin/confgen/keygen.c
@@ -154,11 +154,9 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
 DO("create entropy context", isc_entropy_create(mctx, &ectx));
-#ifdef ISC_PLATFORM_CRYPTORANDOM
 if (randomfile == NULL) {
 isc_entropy_usehook(ectx, ISC_TRUE);
 }
-#endif
 if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
 randomfile = NULL;
 open_keyboard = ISC_ENTROPY_KEYBOARDYES;
diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
index 3de034e45a..9116c62cfd 100644
--- a/bin/dnssec/dnssectool.c
+++ b/bin/dnssec/dnssectool.c
@@ -239,11 +239,9 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
 ISC_LIST_INIT(sources);
 }
-#ifdef ISC_PLATFORM_CRYPTORANDOM
 if (randomfile == NULL) {
 isc_entropy_usehook(*ectx, ISC_TRUE);
 }
-#endif
 if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
 usekeyboard = ISC_ENTROPY_KEYBOARDYES;
 randomfile = NULL;
diff --git a/bin/named/config.c b/bin/named/config.c
index c2ff14a975..e8ef5e3c82 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -89,11 +89,7 @@ options {\n\
 # pid-file \"" NAMED_LOCALSTATEDIR "/run/named/named.pid\"; \n\
 port 53;\n\
 prefetch 2 9;\n"
-#if defined(ISC_PLATFORM_CRYPTORANDOM)
 " random-device none;\n"
-#elif defined(PATH_RANDOMDEV)
-" random-device \"" PATH_RANDOMDEV "\";\n"
-#endif
 " recursing-file \"named.recursing\";\n\
 recursive-clients 1000;\n\
 request-nsid false;\n\
diff --git a/bin/named/server.c b/bin/named/server.c
index e037557f6c..93611f2949 100644
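Review bot: The `isc_entropy_usehook(ectx, ISC_TRUE)` call in keygen.c's generate_key is now unconditional whenever no random file is given, but nothing in the hunk says what is behind the hook; it is installed by `dst_lib_init()` only when that function receives a non-NULL entropy context (dst_api.c hunk in this diff), so the ordering of this call relative to dst_lib_init matters and is not visible here. A one-line comment would save the next reader a trip through dst_api.c: `/* No file/keyboard source: entropy comes from the crypto provider's RNG via the hook installed by dst_lib_init(). */`. generate_key's body continues outside the hunk.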
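Review bot: `random-device none;` is now the built-in default in every build, and the ARM paragraph that explained what `none` meant is deleted in this same diff, so the default options string in config.c is the only remaining place a reader will look for its meaning. A comment next to that line, e.g. `/* "none": entropy comes from the OpenSSL/PKCS#11 RNG (see load_configuration in server.c) */`, would make clear that `none` means "crypto provider", not "no entropy". The `PATH_RANDOMDEV` macro that the removed `#elif` consumed appears to have no remaining user in this file; if configure still defines it, check whether anything else needs it.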
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -8536,18 +8536,7 @@ load_configuration(const char *filename, named_server_t *server,
 }
 }
 if (randomdev == NULL) {
-#ifdef ISC_PLATFORM_CRYPTORANDOM
 isc_entropy_usehook(named_g_entropy, ISC_TRUE);
-#else
- if ((obj != NULL) && !cfg_obj_isvoid(obj))
- level = ISC_LOG_INFO;
- isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
- NAMED_LOGMODULE_SERVER, level,
- "no source of entropy found");
- if ((obj == NULL) || cfg_obj_isvoid(obj)) {
- CHECK(ISC_R_FAILURE);
- }
-#endif
 } else {
 result = isc_entropy_createfilesource(named_g_entropy,
 randomdev);
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
index 2c671edd40..3faf6d0f0e 100644
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -276,11 +276,9 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
 randomfile = NULL;
 }
-#ifdef ISC_PLATFORM_CRYPTORANDOM
 if (randomfile == NULL) {
 isc_entropy_usehook(*ectx, ISC_TRUE);
 }
-#endif
 result = isc_entropy_usebestsource(*ectx, &source, randomfile, usekeyboard);
diff --git a/bin/tests/system/pipelined/pipequeries.c b/bin/tests/system/pipelined/pipequeries.c
index 0a042fbcf5..6f986c77c3 100644
--- a/bin/tests/system/pipelined/pipequeries.c
+++ b/bin/tests/system/pipelined/pipequeries.c
@@ -278,11 +278,9 @@ main(int argc, char *argv[]) {
 ectx = NULL;
 RUNCHECK(isc_entropy_create(mctx, &ectx));
-#ifdef ISC_PLATFORM_CRYPTORANDOM
 if (randomfile == NULL) {
 isc_entropy_usehook(ectx, ISC_TRUE);
 }
-#endif
 if (randomfile != NULL)
 RUNCHECK(isc_entropy_createfilesource(ectx, randomfile));
diff --git a/bin/tests/system/rsabigexponent/bigkey.c b/bin/tests/system/rsabigexponent/bigkey.c
index d9dde40cd5..be04320578 100644
--- a/bin/tests/system/rsabigexponent/bigkey.c
+++ b/bin/tests/system/rsabigexponent/bigkey.c
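Review bot: With the `#else` branch gone, a NULL `randomdev` silently switches named_g_entropy to the crypto-provider hook and the only startup message about the entropy source in this part of load_configuration (`"no source of entropy found"`) disappears with it; since this decision determines where DST's randomness comes from, a debug-level line such as `isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_DEBUG(1), "using the crypto provider as entropy source");` would keep it traceable. The removed lines were also the only visible readers of `level` and `obj` in this region; if `level` was declared for this purpose alone it is now an unused variable and will warn under -Wall. Note too that the dst_api.c hunk routes `dst__entropy_getdata()` straight to `dst_random_getdata()`, so a configured `random-device` file source no longer feeds DST's randomness at all — worth stating in the option's documentation. load_configuration starts and ends outside this hunk.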
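Review bot: The unbraced `if (randomfile != NULL)` left in pipequeries.c is inconsistent with keycreate.c and keydelete.c, which this same diff changes to the braced form for the identical statement; since the surrounding lines are already being edited for the same reason, braces here would keep the three test programs uniform: `if (randomfile != NULL) {` / `RUNCHECK(isc_entropy_createfilesource(ectx, randomfile));` / `}`. main continues outside the hunk.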
@@ -185,9 +185,7 @@ main(int argc, char **argv) {
 CHECK(isc_mem_create(0, 0, &mctx), "isc_mem_create()");
 CHECK(isc_entropy_create(mctx, &ectx), "isc_entropy_create()");
-#ifdef ISC_PLATFORM_CRYPTORANDOM
 isc_entropy_usehook(ectx, ISC_TRUE);
-#endif
 CHECK(isc_entropy_usebestsource(ectx, &source, "../random.data", ISC_ENTROPY_KEYBOARDNO),
diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c
index 4bbc721aa1..7049f9f9ea 100644
--- a/bin/tests/system/tkey/keycreate.c
+++ b/bin/tests/system/tkey/keycreate.c
@@ -252,13 +252,12 @@ main(int argc, char *argv[]) {
 ectx = NULL;
 RUNCHECK(isc_entropy_create(mctx, &ectx));
-#ifdef ISC_PLATFORM_CRYPTORANDOM
 if (randomfile == NULL) {
 isc_entropy_usehook(ectx, ISC_TRUE);
 }
-#endif
- if (randomfile != NULL)
+ if (randomfile != NULL) {
 RUNCHECK(isc_entropy_createfilesource(ectx, randomfile));
+ }
 log = NULL;
 logconfig = NULL;
diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c
index b49c1711fb..721ec3afbc 100644
--- a/bin/tests/system/tkey/keydelete.c
+++ b/bin/tests/system/tkey/keydelete.c
@@ -183,13 +183,12 @@ main(int argc, char **argv) {
 ectx = NULL;
 RUNCHECK(isc_entropy_create(mctx, &ectx));
-#ifdef ISC_PLATFORM_CRYPTORANDOM
 if (randomfile == NULL) {
 isc_entropy_usehook(ectx, ISC_TRUE);
 }
-#endif
- if (randomfile != NULL)
+ if (randomfile != NULL) {
 RUNCHECK(isc_entropy_createfilesource(ectx, randomfile));
+ }
 log = NULL;
 logconfig = NULL;
diff --git a/configure b/configure
index ade0cdc073..92341fa5fb 100755
--- a/configure
+++ b/configure
@@ -797,7 +797,6 @@ XMLSTATS NZDTARGETS NZDSRCS NZD_TOOLS -ISC_PLATFORM_CRYPTORANDOM PKCS11_TEST PKCS11_ED25519 PKCS11_GOST
@@ -1008,7 +1007,6 @@ with_eddsa with_aes with_cc_alg enable_openssl_hash -enable_crypto_rand with_lmdb with_libxml2 with_libjson
@@ -1699,7 +1697,6 @@ Optional Features: --enable-threads enable multithreading --enable-native-pkcs11 use native PKCS11 for all crypto [default=no] --enable-openssl-hash use OpenSSL for hash functions [default=yes] - --enable-crypto-rand use the crypto provider for random [default=yes] --enable-largefile 64-bit file support --enable-backtrace log stack backtrace on abort [default=yes] --enable-symtable use internal symbol table for backtrace 
@@ -17379,86 +17376,6 @@ if test "rt" = "$have_clock_gt"; then LIBS="-lrt $LIBS" fi -# -# Use the crypto provider (OpenSSL/PKCS#11) for random functions -# - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for using the crypto library (vs. builtin) for random functions" >&5 -$as_echo_n "checking for using the crypto library (vs. builtin) for random functions... " >&6; } -# Check whether --enable-crypto-rand was given. -if test "${enable_crypto_rand+set}" = set; then : - enableval=$enable_crypto_rand; want_crypto_rand="$enableval" -else - want_crypto_rand="auto" -fi - -if test "$want_crypto_rand" = "auto" -then - case "$CRYPTOLIB" in - "") - want_crypto_rand="no" - ;; - pkcs11) - want_crypto_rand="yes" - ;; - openssl) - saved_cflags="$CFLAGS" - saved_libs="$LIBS" - CFLAGS="$CFLAGS $DST_OPENSSL_INC" - LIBS="$LIBS $DST_OPENSSL_LIBS" - if test "$cross_compiling" = yes; then : - want_crypto_rand="yes" -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -#include - -unsigned char buf[128]; - -int main() -{ - if (RAND_bytes(buf, 128) != 1) - return (1); - return (0); -} - -_ACEOF -if ac_fn_c_try_run "$LINENO"; then : - want_crypto_rand="yes" -else - want_crypto_rand="no" -fi -rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ - conftest.$ac_objext conftest.beam conftest.$ac_ext -fi - - CFLAGS="$saved_cflags" - LIBS="$saved_libs" - ;; - *) - as_fn_error $? "Unknown crypto library define $CRYPTOLIB" "$LINENO" 5 - ;; - esac -fi -case $want_crypto_rand in - yes) - if test "$CRYPTOLIB" = "" - then - as_fn_error $? 
"No crypto library for random functions" "$LINENO" 5 - fi - { $as_echo "$as_me:${as_lineno-$LINENO}: result: \"$CRYPTOLIB\"" >&5 -$as_echo "\"$CRYPTOLIB\"" >&6; } - ISC_PLATFORM_CRYPTORANDOM="#define ISC_PLATFORM_CRYPTORANDOM \"$CRYPTOLIB\"" - ;; - no) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } - ISC_PLATFORM_CRYPTORANDOM="#undef ISC_PLATFORM_CRYPTORANDOM" - ;; -esac - - # # was --with-lmdb specified? # @@ -26455,8 +26372,6 @@ report() { echo " IPv6 support (--enable-ipv6)" test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \ echo " OpenSSL cryptography/DNSSEC (--with-openssl)" - test "no" = "$want_crypto_rand" || \ - echo " Crypto provider entropy source (--enable-crypto-rand)" test "X$PYTHON" = "X" || echo " Python tools (--with-python)" test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)" test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)" @@ -26547,8 +26462,6 @@ report() { echo " ECDSA algorithm support (--with-ecdsa)" test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \ echo " EDDSA algorithm support (--with-eddsa)" - test "yes" = "$want_crypto_rand" || \ - echo " Crypto provider entropy source (--enable-crypto-rand)" test "yes" = "$want_backtrace" || \ echo " Print backtrace on crash (--enable-backtrace)" diff --git a/configure.in b/configure.in index 7221a0ea86..f930e709ae 100644 --- a/configure.in +++ b/configure.in 
@@ -2324,68 +2324,6 @@ if test "rt" = "$have_clock_gt"; then LIBS="-lrt $LIBS" fi -# -# Use the crypto provider (OpenSSL/PKCS#11) for random functions -# - -AC_MSG_CHECKING(for using the crypto library (vs. builtin) for random functions) -AC_ARG_ENABLE(crypto-rand, - AS_HELP_STRING([--enable-crypto-rand], - [use the crypto provider for random [default=yes]]), - want_crypto_rand="$enableval", want_crypto_rand="auto") -if test "$want_crypto_rand" = "auto" -then - case "$CRYPTOLIB" in - "") - want_crypto_rand="no" - ;; - pkcs11) - want_crypto_rand="yes" - ;; - openssl) - saved_cflags="$CFLAGS" - saved_libs="$LIBS" - CFLAGS="$CFLAGS $DST_OPENSSL_INC" - LIBS="$LIBS $DST_OPENSSL_LIBS" - AC_TRY_RUN([ -#include - -unsigned char buf[128]; - -int main() -{ - if (RAND_bytes(buf, 128) != 1) - return (1); - return (0); -} -], - [want_crypto_rand="yes"], - [want_crypto_rand="no"], - [want_crypto_rand="yes"]) - CFLAGS="$saved_cflags" - LIBS="$saved_libs" - ;; - *) - AC_MSG_ERROR([Unknown crypto library define $CRYPTOLIB]) - ;; - esac -fi -case $want_crypto_rand in - yes) - if test "$CRYPTOLIB" = "" - then - AC_MSG_ERROR([No crypto library for random functions]) - fi - AC_MSG_RESULT(["$CRYPTOLIB"]) - ISC_PLATFORM_CRYPTORANDOM="#define ISC_PLATFORM_CRYPTORANDOM \"$CRYPTOLIB\"" - ;; - no) - AC_MSG_RESULT(no) - ISC_PLATFORM_CRYPTORANDOM="#undef ISC_PLATFORM_CRYPTORANDOM" - ;; -esac -AC_SUBST(ISC_PLATFORM_CRYPTORANDOM) - # # was --with-lmdb specified? # @@ -5374,8 +5312,6 @@ report() { echo " IPv6 support (--enable-ipv6)" test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \ echo " OpenSSL cryptography/DNSSEC (--with-openssl)" - test "no" = "$want_crypto_rand" || \ - echo " Crypto provider entropy source (--enable-crypto-rand)" test "X$PYTHON" = "X" || echo " Python tools (--with-python)" test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)" test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)" 
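Review bot: Deleting this block also deletes the only check visible in configure.in that the chosen crypto library can actually produce random bytes (the `RAND_bytes` run test) and the `No crypto library for random functions` error for an empty `$CRYPTOLIB`; unless that is enforced elsewhere in configure.in, a build with neither OpenSSL nor PKCS#11 now configures cleanly but has no random provider, and the non-PKCS#11 stub of `dst_random_getdata()` is removed from lib/dns/pkcs11.c by this same diff. Suggest failing early where `$CRYPTOLIB` is selected: `if test "$CRYPTOLIB" = ""; then AC_MSG_ERROR([a crypto library (OpenSSL or PKCS#11) is required for random data]); fi`. A one-line comment at this spot noting that the crypto provider is now the only RNG would also explain why the option was removed rather than defaulted to yes.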
@@ -5466,8 +5402,6 @@ report() {
 echo " ECDSA algorithm support (--with-ecdsa)"
 test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \
 echo " EDDSA algorithm support (--with-eddsa)"
- test "yes" = "$want_crypto_rand" || \
- echo " Crypto provider entropy source (--enable-crypto-rand)"
 test "yes" = "$want_backtrace" || \
 echo " Print backtrace on crash (--enable-backtrace)"
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 3f025f15a7..835466269d 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -4950,20 +4950,6 @@ badresp:1,adberr:0,findfail:0,valfail:0] effect during the initial configuration load at server startup time and is ignored on subsequent reloads.
-
- If BIND is built with
- configure --disable-crypto-rand, then
- entropy is not sourced from the
- cryptographic library. In this case, if
- random-device is not specified, the
- default value is the system random device,
- /dev/random or the equivalent.
- This default can be overridden with
- configure --with-randomdev.
- If no system random device exists, then no entropy source
- will be configured, and named will only
- be able to use pseudo-random numbers.
-
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index 97340bcad2..921ea48294 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -266,11 +266,9 @@ dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx,
 RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI]));
 #endif
 #if defined(OPENSSL) || defined(PKCS11CRYPTO)
-#ifdef ISC_PLATFORM_CRYPTORANDOM
 if (dst_entropy_pool != NULL) {
 isc_entropy_sethook(dst_random_getdata);
 }
-#endif
 #endif /* defined(OPENSSL) || defined(PKCS11CRYPTO) */
 dst_initialized = ISC_TRUE;
 return (ISC_R_SUCCESS);
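Review bot: `isc_entropy_sethook(dst_random_getdata)` is now the only path by which `isc_entropy_getdata()` reaches the crypto RNG, yet it still runs only under `#if defined(OPENSSL) || defined(PKCS11CRYPTO)` and only when `dst_entropy_pool != NULL`; the tools in this diff call `isc_entropy_usehook(..., ISC_TRUE)` unconditionally, so a context that never went through `dst_lib_init()` in a crypto build has the hook flag set with no hook behind it. Unless the configure side now guarantees a crypto library (not visible here), a comment making the dependency explicit would help: `/* The crypto provider's RNG is the only entropy source now; isc_entropy_usehook() in callers relies on this hook being installed. */`. dst_lib_init starts outside the hunk.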
@@ -292,12 +290,10 @@ dst_lib_destroy(void) {
 if (dst_t_func[i] != NULL && dst_t_func[i]->cleanup != NULL)
 dst_t_func[i]->cleanup();
 #if defined(OPENSSL) || defined(PKCS11CRYPTO)
-#ifdef ISC_PLATFORM_CRYPTORANDOM
 if (dst_entropy_pool != NULL) {
 isc_entropy_usehook(dst_entropy_pool, ISC_FALSE);
 isc_entropy_sethook(NULL);
 }
-#endif
 #ifdef OPENSSL
 dst__openssl_destroy();
 #elif PKCS11CRYPTO
@@ -1965,44 +1961,15 @@ dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t pseudo) {
 flags &= ~ISC_ENTROPY_GOODONLY;
 else
 flags |= ISC_ENTROPY_BLOCKING;
-#ifdef ISC_PLATFORM_CRYPTORANDOM
 /* get entropy directly from crypto provider */
 return (dst_random_getdata(buf, len, NULL, flags));
-#else
- /* get entropy from entropy source or hook function */
- return (isc_entropy_getdata(dst_entropy_pool, buf, len, NULL, flags));
-#endif /* ISC_PLATFORM_CRYPTORANDOM */
 #endif /* PKCS11CRYPTO */
 }
 unsigned int
 dst__entropy_status(void) {
-#if !defined(PKCS11CRYPTO) && !defined(ISC_PLATFORM_CRYPTORANDOM)
-#ifdef GSSAPI
- unsigned int flags = dst_entropy_flags;
- isc_result_t ret;
- unsigned char buf[32];
- static isc_boolean_t first = ISC_TRUE;
-
- if (dst_entropy_pool == NULL)
- return (0);
-
- if (first) {
- /* Someone believes RAND_status() initializes the PRNG */
- flags &= ~ISC_ENTROPY_GOODONLY;
- ret = isc_entropy_getdata(dst_entropy_pool, buf,
- sizeof(buf), NULL, flags);
- INSIST(ret == ISC_R_SUCCESS);
- isc_entropy_putdata(dst_entropy_pool, buf,
- sizeof(buf), 2 * sizeof(buf));
- first = ISC_FALSE;
- }
-#endif
- return (isc_entropy_status(dst_entropy_pool));
-#else
 /* Doesn't matter as it is not used in this case. */
 return (0);
-#endif
 }
 isc_buffer_t *
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
index 2053ff8264..9d1524821f 100644
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
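Review bot: The comment `/* Doesn't matter as it is not used in this case. */` kept in `dst__entropy_status()` now describes the only case, so it no longer explains why returning 0 is safe: anything that still calls it and reads the value as an entropy bit count (the removed `entropy_status()` in openssl_link.c compared it with 32) will now always see "unseeded". Suggest replacing it with `/* The crypto provider's RNG is the only entropy source; there is no pool to report on, so callers must not gate on this value. */` and, if no caller remains, dropping the function. In `dst__entropy_getdata()` the GOODONLY/BLOCKING flag juggling is still passed to `dst_random_getdata()`, but whether the OpenSSL/PKCS#11 backends honor those flags is not visible here, so a note on what `pseudo` now means (if anything) would be useful. dst__entropy_getdata starts outside the hunk.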
@@ -158,7 +158,7 @@ dst_random_getdata(void *data, unsigned int length,
 unsigned int *returned, unsigned int flags);
 /*%<
 * Gets random data from the random generator provided by the
- * crypto library, if BIND was built with --enable-crypto-rand.
+ * crypto library.
 *
 * See isc_entropy_getdata() for parameter usage. Normally when
 * this function is available, it will be set up as a hook in the
@@ -167,7 +167,6 @@ dst_random_getdata(void *data, unsigned int length,
 *
 * Returns:
 * \li ISC_R_SUCCESS on success
- * \li ISC_R_NOTIMPLEMENTED if BIND is built with --disable-crypto-rand
 * \li DST_R_OPENSSLFAILURE, DST_R_CRYPTOFAILURE, or other codes on error
 */
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
index 0f3a679f03..4f1ff1c259 100644
--- a/lib/dns/openssl_link.c
+++ b/lib/dns/openssl_link.c
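Review bot: The retained sentence `Normally when this function is available, it will be set up as a hook in the` is now stale, because after this change the function is available in every build; `Normally it is installed as the isc_entropy hook by dst_lib_init(), so that` would describe what the dst_api.c hunk actually does. The shortened `crypto library.` line could also name the two providers (OpenSSL or PKCS#11), since the CHANGES entry is the only place that currently does.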
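Review bot: The Returns list now promises only success or `DST_R_OPENSSLFAILURE` / `DST_R_CRYPTOFAILURE`, but it does not say what a caller may assume about `data` and `*returned` on failure, which is the contract that matters for an RNG used for key material. Add `\li on failure the contents of data are unspecified and *returned is not written` so that callers do not use a partially filled buffer; please confirm this matches both backends, as the bodies are only partly visible in this diff.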
@@ -59,56 +59,6 @@ static int nlocks;
 static ENGINE *e = NULL;
 #endif
-#ifndef ISC_PLATFORM_CRYPTORANDOM
-static RAND_METHOD *rm = NULL;
-
-static int
-entropy_get(unsigned char *buf, int num) {
- isc_result_t result;
- if (num < 0)
- return (-1);
- result = dst__entropy_getdata(buf, (unsigned int) num, ISC_FALSE);
- return (result == ISC_R_SUCCESS ? 1 : -1);
-}
-
-static int
-entropy_status(void) {
- return (dst__entropy_status() > 32);
-}
-
-static int
-entropy_getpseudo(unsigned char *buf, int num) {
- isc_result_t result;
- if (num < 0)
- return (-1);
- result = dst__entropy_getdata(buf, (unsigned int) num, ISC_TRUE);
- return (result == ISC_R_SUCCESS ? 1 : -1);
-}
-
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-static void
-entropy_add(const void *buf, int num, double entropy) {
- /*
- * Do nothing. The only call to this provides no useful data anyway.
- */
- UNUSED(buf);
- UNUSED(num);
- UNUSED(entropy);
-}
-#else
-static int
-entropy_add(const void *buf, int num, double entropy) {
- /*
- * Do nothing. The only call to this provides no useful data anyway.
- */
- UNUSED(buf);
- UNUSED(num);
- UNUSED(entropy);
- return (1);
-}
-#endif
-#endif /* !ISC_PLATFORM_CRYPTORANDOM */
-
 #if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 static void
 lock_callback(int mode, int type, const char *file, int line) {
@@ -196,10 +146,8 @@ _set_thread_id(CRYPTO_THREADID *id)
 isc_result_t
 dst__openssl_init(const char *engine) {
 isc_result_t result;
-#if defined(USE_ENGINE) && !defined(ISC_PLATFORM_CRYPTORANDOM)
- ENGINE *re;
-#else
+#if !defined(USE_ENGINE)
 UNUSED(engine);
 #endif
@@ -227,20 +175,6 @@ dst__openssl_init(const char *engine) {
 ERR_load_crypto_strings();
 #endif
-#ifndef ISC_PLATFORM_CRYPTORANDOM
- rm = mem_alloc(sizeof(RAND_METHOD) FILELINE);
- if (rm == NULL) {
- result = ISC_R_NOMEMORY;
- goto cleanup_mutexinit;
- }
- rm->seed = NULL;
- rm->bytes = entropy_get;
- rm->cleanup = NULL;
- rm->add = entropy_add;
- rm->pseudorand = entropy_getpseudo;
- rm->status = entropy_status;
-#endif
-
 #ifdef USE_ENGINE
 #if !defined(CONF_MFLAGS_DEFAULT_SECTION)
 OPENSSL_config(NULL);
@@ -273,27 +207,8 @@ dst__openssl_init(const char *engine) {
 }
 }
-#ifndef ISC_PLATFORM_CRYPTORANDOM
- re = ENGINE_get_default_RAND();
- if (re == NULL) {
- re = ENGINE_new();
- if (re == NULL) {
- result = ISC_R_NOMEMORY;
- goto cleanup_rm;
- }
- ENGINE_set_RAND(re, rm);
- ENGINE_set_default_RAND(re);
- ENGINE_free(re);
- } else
- ENGINE_finish(re);
-#endif
-#else
-#ifndef ISC_PLATFORM_CRYPTORANDOM
- RAND_set_rand_method(rm);
-#endif
 #endif /* USE_ENGINE */
-#ifdef ISC_PLATFORM_CRYPTORANDOM
 /* Protect ourselves against unseeded PRNG */
 if (RAND_status() != 1) {
 FATAL_ERROR(__FILE__, __LINE__,
@@ -301,7 +216,6 @@ dst__openssl_init(const char *engine) {
 "cannot be initialized (see the `PRNG not "
 "seeded' message in the OpenSSL FAQ)");
 }
-#endif
 return (ISC_R_SUCCESS);
@@ -310,13 +224,6 @@ dst__openssl_init(const char *engine) {
 if (e != NULL)
 ENGINE_free(e);
 e = NULL;
-#ifndef ISC_PLATFORM_CRYPTORANDOM
- mem_free(rm FILELINE);
- rm = NULL;
-#endif
-#endif
-#ifndef ISC_PLATFORM_CRYPTORANDOM
- cleanup_mutexinit:
 #endif
 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 CRYPTO_set_locking_callback(NULL);
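Review bot: The `RAND_status()` check that now runs unconditionally is a one-shot test at init time, so `dst_random_getdata()` must still check the result of every `RAND_bytes()` call; that call sits between the two dst_random_getdata hunks in this file and is not visible here, so please confirm it fails closed. Under `USE_ENGINE` the engine `e` is set up earlier in this function, so the status being tested is that of whatever RAND method is current after engine setup; a comment such as `/* Checked after engine setup so an engine-provided RAND method is what gets tested. */` would explain why the check lives at this point rather than right after library init. dst__openssl_init starts and ends outside the hunk.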
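Review bot: After the removals, the `#endif` kept after `e = NULL;` in the cleanup block now closes `#ifdef USE_ENGINE` by itself, and the `goto cleanup_rm` removed from the -273 hunk was the only visible jump to a `cleanup_rm:` label; if that label still exists above this hunk it is now unreferenced and will trigger `-Wunused-label`. Tagging the directive as `#endif /* USE_ENGINE */` would make the remaining structure readable at a glance. dst__openssl_init starts outside the hunk.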
@@ -332,25 +239,10 @@ void
 dst__openssl_destroy(void) {
 #if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L)
 OPENSSL_cleanup();
-#ifndef ISC_PLATFORM_CRYPTORANDOM
- if (rm != NULL) {
- mem_free(rm FILELINE);
- rm = NULL;
- }
-#endif
 #else
 /*
 * Sequence taken from apps_shutdown() in .
 */
-#ifndef ISC_PLATFORM_CRYPTORANDOM
- if (rm != NULL) {
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
- RAND_cleanup();
-#endif
- mem_free(rm FILELINE);
- rm = NULL;
- }
-#endif
 #if (OPENSSL_VERSION_NU-MBER >= 0x00907000L)
 CONF_modules_free();
 #endif
@@ -490,7 +382,6 @@ isc_result_t
 dst_random_getdata(void *data, unsigned int length,
 unsigned int *returned, unsigned int flags) {
-#ifdef ISC_PLATFORM_CRYPTORANDOM
 #ifndef DONT_REQUIRE_DST_LIB_INIT
 INSIST(dst__memory_pool != NULL);
 #endif
@@ -517,14 +408,6 @@ dst_random_getdata(void *data, unsigned int length,
 if (returned != NULL)
 *returned = length;
 return (ISC_R_SUCCESS);
-#else
- UNUSED(data);
- UNUSED(length);
- UNUSED(returned);
- UNUSED(flags);
-
- return (ISC_R_NOTIMPLEMENTED);
-#endif
 }
 #endif /* OPENSSL */
diff --git a/lib/dns/pkcs11.c b/lib/dns/pkcs11.c
index 1b6dccc4fd..67c7e4eb1d 100644
--- a/lib/dns/pkcs11.c
+++ b/lib/dns/pkcs11.c
@@ -40,7 +40,6 @@ dst__pkcs11_toresult(const char *funcname, const char *file, int line,
 isc_result_t
 dst_random_getdata(void *data, unsigned int length,
 unsigned int *returned, unsigned int flags) {
-#ifdef ISC_PLATFORM_CRYPTORANDOM
 isc_result_t ret;
 #ifndef DONT_REQUIRE_DST_LIB_INIT
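Review bot: The success path `*returned = length; return (ISC_R_SUCCESS);` is now the only exit visible for the OpenSSL build of `dst_random_getdata()`, and the `RAND_bytes()` call it follows lies between this hunk and the previous one; please confirm that path returns `DST_R_OPENSSLFAILURE` (as dst.h promises) whenever `RAND_bytes()` returns anything other than 1, since OpenSSL leaves the buffer unspecified on failure and a caller keying on `ISC_R_SUCCESS` alone would otherwise use garbage as key material. If the body no longer reads `flags` after this change, an `UNUSED(flags);` is needed to keep -Wunused-parameter quiet. dst_random_getdata starts outside the hunk.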
@@ -54,29 +53,6 @@ dst_random_getdata(void *data, unsigned int length,
 if ((ret == ISC_R_SUCCESS) && (returned != NULL))
 *returned = length;
 return (ret);
-#else
- UNUSED(data);
- UNUSED(length);
- UNUSED(returned);
- UNUSED(flags);
-
- return (ISC_R_NOTIMPLEMENTED);
-#endif
-}
-
-#else /* PKCS11CRYPTO */
-
-#include
-
-isc_result_t
-dst_random_getdata(void *data, unsigned int length,
- unsigned int *returned, unsigned int flags) {
- UNUSED(data);
- UNUSED(length);
- UNUSED(returned);
- UNUSED(flags);
-
- return (ISC_R_NOTIMPLEMENTED);
 }
 #endif /* PKCS11CRYPTO */
diff --git a/lib/dns/tests/dstrandom_test.c b/lib/dns/tests/dstrandom_test.c
index 55d1de66a3..b9e590488d 100644
--- a/lib/dns/tests/dstrandom_test.c
+++ b/lib/dns/tests/dstrandom_test.c
@@ -51,7 +51,6 @@ ATF_TC_BODY(isc_entropy_getdata, tc) {
 result = dst_lib_init(mctx, ectx, NULL, 0);
 ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
-#ifdef ISC_PLATFORM_CRYPTORANDOM
 isc_entropy_usehook(ectx, ISC_TRUE);
 returned = 0;
@@ -64,7 +63,6 @@ ATF_TC_BODY(isc_entropy_getdata, tc) {
 ATF_REQUIRE_EQ(status, 0);
 isc_entropy_usehook(ectx, ISC_FALSE);
-#endif
 ret = chdir(TESTS);
 ATF_REQUIRE_EQ(ret, 0);
diff --git a/lib/isc/include/isc/platform.h.in b/lib/isc/include/isc/platform.h.in
index c511fa99f7..9a74ee64d5 100644
--- a/lib/isc/include/isc/platform.h.in
+++ b/lib/isc/include/isc/platform.h.in
@@ -332,11 +332,6 @@ */
 @ISC_PLATFORM_HAVESTRINGSH@
-/*
- * Define if the random functions are provided by crypto.
- */
-@ISC_PLATFORM_CRYPTORANDOM@
-
 /*
 * Define if the hash functions must be provided by OpenSSL.
 */
diff --git a/lib/isc/win32/include/isc/platform.h.in b/lib/isc/win32/include/isc/platform.h.in
index 2e79ae450b..9cf466919a 100644
--- a/lib/isc/win32/include/isc/platform.h.in
+++ b/lib/isc/win32/include/isc/platform.h.in
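Review bot: This hunk deletes the `#else /* PKCS11CRYPTO */` definition of `dst_random_getdata()` that returned `ISC_R_NOTIMPLEMENTED`, which as far as this diff shows was the only definition of the symbol for a build without PKCS#11 that is also compiled without OpenSSL (openssl_link.c's copy sits under `#ifdef OPENSSL`, see its closing `#endif /* OPENSSL */`); such a build now has the call in `dst__entropy_getdata()` and the hook registration in `dst_lib_init()` with no definition behind them. If configure now refuses to build without OpenSSL or PKCS#11 that is fine, but say so at the surviving directive, e.g. `#endif /* PKCS11CRYPTO -- a crypto provider is mandatory; the OpenSSL implementation is in openssl_link.c */`; otherwise keep a stub that fails closed. dst_random_getdata starts outside the hunk.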
@@ -89,11 +89,6 @@ #define ISC_PLATFORM_NORETURN_PRE __declspec(noreturn) #define ISC_PLATFORM_NORETURN_POST -/* - * Define if the random functions are provided by crypto. - */ -@ISC_PLATFORM_CRYPTORANDOM@ - /* * Define if the hash functions must be provided by OpenSSL. */ diff --git a/win32utils/Configure b/win32utils/Configure index e4de0aeab3..cf8cf891db 100644 --- a/win32utils/Configure +++ b/win32utils/Configure @@ -232,7 +232,6 @@ my @substdefh = ("AES_CC", my %configdefp; my @substdefp = ("ISC_PLATFORM_BUSYWAITNOP", - "ISC_PLATFORM_CRYPTORANDOM", "ISC_PLATFORM_HAVEATOMICSTORE", "ISC_PLATFORM_HAVEATOMICSTOREQ", "ISC_PLATFORM_HAVECMPXCHG", @@ -362,8 +361,7 @@ my @allcond = (@substcond, "NOTYET", "NOLONGER"); # enable-xxx/disable-xxx -my @enablelist = ("crypto-rand", - "developer", +my @enablelist = ("developer", "fixed-rrset", "intrinsics", "isc-spnego", @@ -425,7 +423,6 @@ my @help = ( "\nOptional Features:\n", " enable-intrinsics enable instrinsic/atomic functions [default=yes]\n", " enable-native-pkcs11 use native PKCS#11 for all crypto [default=no]\n", -" enable-crypto-rand use crypto provider for random [default=yes]\n", " enable-openssl-hash use OpenSSL for hash functions [default=yes]\n", " enable-isc-spnego use SPNEGO from lib/dns [default=yes]\n", " enable-fixed-rrset enable fixed rrset ordering [default=no]\n", @@ -681,10 +678,6 @@ sub myenable { if ($val =~ /^yes$/i) { $enable_native_pkcs11 = "yes"; } - } elsif ($key =~ /^crypto-rand$/i) { - if ($val =~ /^no$/i) { - $enable_crypto_rand = "no"; - } } elsif ($key =~ /^openssl-hash$/i) { if ($val =~ /^yes$/i) { $enable_openssl_hash = "yes"; @@ -971,11 +964,6 @@ if ($verbose) { } else { print "native-pkcs11: disabled\n"; } - if ($enable_crypto_rand eq "yes") { - print "crypto-rand: enabled\n"; - } else { - print "crypto-rand: disabled\n"; - } if ($enable_openssl_hash eq "yes") { print "openssl-hash: enabled\n"; } else { 
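Review bot: With the `crypto-rand` branch removed from `myenable`, `$enable_crypto_rand` is no longer assigned anywhere visible in this diff, yet its default declaration (presumably `my $enable_crypto_rand = "yes";` alongside the other `enable_*` defaults, outside these hunks) is not removed; if it survives it is dead state that `use strict` will not flag. Please drop the declaration in the same change, otherwise the next reader will look for a setter that no longer exists.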
@@ -2076,13 +2064,6 @@ if ($cookie_algorithm eq "sha1") { die "Unrecognized cookie algorithm: $cookie_algorithm\n"; } -# enable-crypto-rand -if ($enable_crypto_rand eq "yes") { - if (($use_openssl eq "no") && ($enable_native_pkcs11 eq "no")) { - die "No crypto provider for random functions\n"; - } - $configdefp{"ISC_PLATFORM_CRYPTORANDOM"} = "\"$cryptolib\""; -} print "Cryptographic library for DNSSEC: $cryptolib\n"; # enable-openssl-hash @@ -3407,7 +3388,6 @@ exit 0; # --enable-developer partially supported # --enable-newstats (9.9/9.9sub only) # --enable-native-pkcs11 supported -# --enable-crypto-rand supported # --enable-openssl-version-check included without a way to disable it # --enable-openssl-hash supported # --enable-threads included without a way to disable it
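Review bot: Removing the `No crypto provider for random functions` die means the Windows build no longer refuses a configuration with `$use_openssl eq "no"` and `$enable_native_pkcs11 eq "no"`, even though random data can now come only from one of those two providers; unless a check elsewhere in this script already rejects that combination, keep the guard unconditionally: `if (($use_openssl eq "no") && ($enable_native_pkcs11 eq "no")) {` / `die "No crypto provider for random functions\n";` / `}`, placed right before the `print "Cryptographic library for DNSSEC: $cryptolib\n";` line.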