Use the entropy api.

lib/dns/sec/dst/bsafe_link.c

@@ -19,13 +19,14 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: bsafe_link.c,v 1.28 2000/06/09 20:58:32 gson Exp $
+ * $Id: bsafe_link.c,v 1.29 2000/06/09 22:32:13 bwelling Exp $
  */
 
 #if defined(DNSSAFE)
 
 #include <config.h>
 
+#include <isc/entropy.h>
 #include <isc/md5.h>
 #include <isc/mem.h>
 #include <isc/string.h>
@@ -177,7 +178,7 @@ static isc_result_t
 dnssafersa_verify(dst_context_t *dctx, const isc_region_t *sig) {
 	isc_md5_t *md5ctx = dctx->opaque;
 	unsigned char digest[ISC_MD5_DIGESTLENGTH];
-	unsigned char work_area[DST_HASH_SIZE + sizeof(pkcs1)];
+	unsigned char work_area[ISC_MD5_DIGESTLENGTH + sizeof(pkcs1)];
 	isc_buffer_t work;
 	isc_region_t work_region;
 	dst_key_t *key = dctx->key;
@@ -299,7 +300,7 @@ dnssafersa_compare(const dst_key_t *key1, const dst_key_t *key2) {
 }
 
 static isc_result_t
-dnssafersa_generate(dst_key_t *key, int exp) {
+dnssafersa_generate(dst_key_t *key, int exp, isc_entropy_t *ectx) {
 	B_KEY_OBJ private;
 	B_KEY_OBJ public;
 	B_ALGORITHM_OBJ keypairGenerator = NULL;
@@ -309,7 +310,7 @@ dnssafersa_generate(dst_key_t *key, int exp) {
 	int exponent_len = 0;
 	RSA_Key *rsa;
 	unsigned char randomSeed[256];
-	isc_buffer_t b, rand;
+	isc_buffer_t b;
 	A_RSA_KEY *pub = NULL;
 	isc_result_t ret;
 	isc_mem_t *mctx;
@@ -392,8 +393,8 @@ dnssafersa_generate(dst_key_t *key, int exp) {
 	if (B_RandomInit(randomAlgorithm, CHOOSER, NULL_SURRENDER) != 0)
 		do_fail(ISC_R_NOMEMORY);
 
-	isc_buffer_init(&rand, randomSeed, sizeof(randomSeed));
-	ret = dst_random_get(sizeof(randomSeed), &rand);
+	ret = isc_entropy_getdata(ectx, randomSeed, sizeof(randomSeed), NULL,
+				  ISC_ENTROPY_GOODONLY | ISC_ENTROPY_BLOCKING);
 	if (ret != ISC_R_SUCCESS)
 		goto fail;
 

lib/dns/sec/dst/dst_api.c

@@ -19,7 +19,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.52 2000/06/09 20:58:33 gson Exp $
+ * $Id: dst_api.c,v 1.53 2000/06/09 22:32:15 bwelling Exp $
  */
 
 #include <config.h>
@@ -28,6 +28,7 @@
 
 #include <isc/buffer.h>
 #include <isc/dir.h>
+#include <isc/entropy.h>
 #include <isc/lex.h>
 #include <isc/mem.h>
 #include <isc/once.h>
@@ -56,14 +57,13 @@
 
 static dst_func_t *dst_t_func[DST_MAX_ALGS];
 static isc_mem_t *dst_memory_pool = NULL;
+static isc_entropy_t *dst_entropy_pool = NULL;
+static unsigned int dst_entropy_flags = 0;
 static isc_boolean_t dst_initialized = ISC_FALSE;
-static isc_mutex_t mutex, random_lock;
-static isc_once_t once = ISC_ONCE_INIT;
 
 /*
  * Static functions.
  */
-static isc_result_t	initialize(isc_mem_t *mctx);
 static dst_key_t *	get_key_struct(dns_name_t *name,
 				       const unsigned int alg,
 				       const unsigned int flags,
@@ -82,9 +82,41 @@ static isc_result_t	buildfilename(dns_name_t *name,
 				      const char *directory,
 				      isc_buffer_t *out);
 
+#define RETERR(x) do { \
+	result = (x); \
+	if (result != ISC_R_SUCCESS) \
+		goto out; \
+	} while (0)
+
 isc_result_t
-dst_lib_init(isc_mem_t *mctx) {
-	return (initialize(mctx));
+dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags) {
+	isc_result_t result;
+
+	REQUIRE(mctx != NULL && ectx != NULL);
+	REQUIRE(dst_initialized == ISC_FALSE);
+
+	isc_mem_attach(mctx, &dst_memory_pool);
+	isc_entropy_attach(ectx, &dst_entropy_pool);
+	dst_entropy_flags = eflags;
+
+	dst_result_register();
+
+	memset(dst_t_func, 0, sizeof(dst_t_func));
+	RETERR(dst__hmacmd5_init(&dst_t_func[DST_ALG_HMACMD5]));
+#ifdef DNSSAFE
+	RETERR(dst__dnssafersa_init(&dst_t_func[DST_ALG_RSA]));
+#endif
+#ifdef OPENSSL
+	RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_DSA]));
+	RETERR(dst__openssldh_init(&dst_t_func[DST_ALG_DH]));
+#endif
+
+	dst_initialized = ISC_TRUE;
+	return (ISC_R_SUCCESS);
+
+ out:
+	dst_lib_destroy();
+	return (result);
 }
 
 void
@@ -100,13 +132,16 @@ dst_lib_destroy(void) {
 	dst__openssldsa_destroy();
 	dst__openssldh_destroy();
 #endif
-	isc_mem_detach(&dst_memory_pool);
+	if (dst_memory_pool != NULL)
+		isc_mem_detach(&dst_memory_pool);
+	if (dst_entropy_pool != NULL)
+		isc_entropy_detach(&dst_entropy_pool);
 
 }
 
 isc_boolean_t
 dst_algorithm_supported(const unsigned int alg) {
-	REQUIRE(initialize(NULL) == ISC_R_SUCCESS);
+	REQUIRE(dst_initialized == ISC_TRUE);
 
 	if (alg >= DST_MAX_ALGS || dst_t_func[alg] == NULL)
 		return (ISC_FALSE);
@@ -118,7 +153,7 @@ dst_context_create(dst_key_t *key, isc_mem_t *mctx, dst_context_t **dctxp) {
 	dst_context_t *dctx;
 	isc_result_t result;
 
-	REQUIRE(initialize(NULL) == ISC_R_SUCCESS);
+	REQUIRE(dst_initialized == ISC_TRUE);
 	REQUIRE(mctx != NULL);
 	REQUIRE(dctxp != NULL && *dctxp == NULL);
 
@@ -197,7 +232,7 @@ isc_result_t
 dst_key_computesecret(const dst_key_t *pub, const dst_key_t *priv,
 		  isc_buffer_t *secret) 
 {
-	REQUIRE(initialize(NULL) == ISC_R_SUCCESS);
+	REQUIRE(dst_initialized == ISC_TRUE);
 	REQUIRE(VALID_KEY(pub) && VALID_KEY(priv));
 	REQUIRE(secret != NULL);
 
@@ -223,7 +258,7 @@ isc_result_t
 dst_key_tofile(const dst_key_t *key, const int type, const char *directory) {
 	isc_result_t ret = ISC_R_SUCCESS;
 
-	REQUIRE(initialize(NULL) == ISC_R_SUCCESS);
+	REQUIRE(dst_initialized == ISC_TRUE);
 	REQUIRE(VALID_KEY(key));
 	REQUIRE((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) != 0);
 
@@ -256,7 +291,7 @@ dst_key_fromfile(dns_name_t *name, const isc_uint16_t id,
 	dst_key_t *key;
 	isc_result_t result;
 
-	REQUIRE(initialize(NULL) == ISC_R_SUCCESS);
+	REQUIRE(dst_initialized == ISC_TRUE);
 	REQUIRE(dns_name_isabsolute(name));
 	REQUIRE((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) != 0);
 	REQUIRE(mctx != NULL);
@@ -294,7 +329,7 @@ dst_key_fromnamedfile(const char *filename, const int type, isc_mem_t *mctx,
 	dst_key_t *pubkey = NULL, *key = NULL;
 	isc_uint16_t id;
 
-	REQUIRE(initialize(NULL) == ISC_R_SUCCESS);
+	REQUIRE(dst_initialized == ISC_TRUE);
 	REQUIRE(filename != NULL);
 	REQUIRE((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) != 0);
 	REQUIRE(mctx != NULL);
@@ -339,7 +374,7 @@ dst_key_fromnamedfile(const char *filename, const int type, isc_mem_t *mctx,
 
 isc_result_t
 dst_key_todns(const dst_key_t *key, isc_buffer_t *target) {
-	REQUIRE(initialize(NULL) == ISC_R_SUCCESS);
+	REQUIRE(dst_initialized == ISC_TRUE);
 	REQUIRE(VALID_KEY(key));
 	REQUIRE(target != NULL);
 
@@ -376,7 +411,7 @@ dst_key_fromdns(dns_name_t *name, isc_buffer_t *source, isc_mem_t *mctx,
 	isc_uint8_t alg, proto;
 	isc_uint32_t flags, extflags;
 
-	REQUIRE(initialize(NULL) == ISC_R_SUCCESS);
+	REQUIRE(dst_initialized == ISC_TRUE);
 	REQUIRE(dns_name_isabsolute(name));
 	REQUIRE(source != NULL);
 	REQUIRE(mctx != NULL);
@@ -410,7 +445,7 @@ dst_key_frombuffer(dns_name_t *name, const unsigned int alg,
 	dst_key_t *key;
 	isc_result_t ret;
 
-	REQUIRE(initialize(NULL) == ISC_R_SUCCESS);
+	REQUIRE(dst_initialized == ISC_TRUE);
 	REQUIRE(dns_name_isabsolute(name));
 	REQUIRE(source != NULL);
 	REQUIRE(mctx != NULL);
@@ -440,7 +475,7 @@ dst_key_frombuffer(dns_name_t *name, const unsigned int alg,
 
 isc_result_t 
 dst_key_tobuffer(const dst_key_t *key, isc_buffer_t *target) {
-	REQUIRE(initialize(NULL) == ISC_R_SUCCESS);
+	REQUIRE(dst_initialized == ISC_TRUE);
 	REQUIRE(VALID_KEY(key));
 	REQUIRE(target != NULL);
 
@@ -462,7 +497,7 @@ dst_key_generate(dns_name_t *name, const unsigned int alg,
 	dst_key_t *key;
 	isc_result_t ret;
 
-	REQUIRE(initialize(NULL) == ISC_R_SUCCESS);
+	REQUIRE(dst_initialized == ISC_TRUE);
 	REQUIRE(dns_name_isabsolute(name));
 	REQUIRE(mctx != NULL);
 	REQUIRE(keyp != NULL && *keyp == NULL);
@@ -485,7 +520,7 @@ dst_key_generate(dns_name_t *name, const unsigned int alg,
 		return (DST_R_UNSUPPORTEDALG);
 	}
 
-	ret = key->func->generate(key, param);
+	ret = key->func->generate(key, param, dst_entropy_pool);
 	if (ret != ISC_R_SUCCESS) {
 		dst_key_free(&key);
 		return (ret);
@@ -497,7 +532,7 @@ dst_key_generate(dns_name_t *name, const unsigned int alg,
 
 isc_boolean_t
 dst_key_compare(const dst_key_t *key1, const dst_key_t *key2) {
-	REQUIRE(initialize(NULL) == ISC_R_SUCCESS);
+	REQUIRE(dst_initialized == ISC_TRUE);
 	REQUIRE(VALID_KEY(key1));
 	REQUIRE(VALID_KEY(key2));
 
@@ -516,7 +551,7 @@ dst_key_compare(const dst_key_t *key1, const dst_key_t *key2) {
 
 isc_boolean_t
 dst_key_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
-	REQUIRE(initialize(NULL) == ISC_R_SUCCESS);
+	REQUIRE(dst_initialized == ISC_TRUE);
 	REQUIRE(VALID_KEY(key1));
 	REQUIRE(VALID_KEY(key2));
 
@@ -537,7 +572,7 @@ dst_key_free(dst_key_t **keyp) {
 	isc_mem_t *mctx;
 	dst_key_t *key;
 
-	REQUIRE(initialize(NULL) == ISC_R_SUCCESS);
+	REQUIRE(dst_initialized == ISC_TRUE);
 	REQUIRE(keyp != NULL && VALID_KEY(*keyp));
 
 	key = *keyp;
@@ -640,7 +675,7 @@ dst_key_buildfilename(const dst_key_t *key, const int type,
 
 isc_result_t
 dst_key_sigsize(const dst_key_t *key, unsigned int *n) {
-	REQUIRE(initialize(NULL) == ISC_R_SUCCESS);
+	REQUIRE(dst_initialized == ISC_TRUE);
 	REQUIRE(VALID_KEY(key));
 	REQUIRE(n != NULL);
 
@@ -663,7 +698,7 @@ dst_key_sigsize(const dst_key_t *key, unsigned int *n) {
 
 isc_result_t
 dst_key_secretsize(const dst_key_t *key, unsigned int *n) {
-	REQUIRE(initialize(NULL) == ISC_R_SUCCESS);
+	REQUIRE(dst_initialized == ISC_TRUE);
 	REQUIRE(VALID_KEY(key));
 	REQUIRE(n != NULL);
 
@@ -680,114 +715,10 @@ dst_key_secretsize(const dst_key_t *key, unsigned int *n) {
 	return (ISC_R_SUCCESS);
 }
 
-isc_result_t 
-dst_random_get(const unsigned int wanted, isc_buffer_t *target) {
-	isc_region_t r;
-	int status;
-
-	REQUIRE(initialize(NULL) == ISC_R_SUCCESS);
-	REQUIRE(target != NULL);
-
-	isc_buffer_availableregion(target, &r);
-	if (r.length < wanted)
-		return (ISC_R_NOSPACE);
-
-	RUNTIME_CHECK(isc_mutex_lock((&random_lock)) == ISC_R_SUCCESS);
-	status = RAND_bytes(r.base, wanted);
-	RUNTIME_CHECK(isc_mutex_unlock((&random_lock)) == ISC_R_SUCCESS);
-	if (status == 0)
-		return (DST_R_NORANDOMNESS);
-
-	isc_buffer_add(target, wanted);
-	return (ISC_R_SUCCESS);
-}
-
 /***
  *** Static methods
  ***/
 
-#define RETERR(x) do { \
-	result = (x); \
-	if (result != ISC_R_SUCCESS) \
-		goto out; \
-	} while (0)
-
-static void
-initialize_action(void) {
-	RUNTIME_CHECK(isc_mutex_init(&mutex) == ISC_R_SUCCESS);
-}
-
-static isc_result_t
-initialize(isc_mem_t *mctx) {
-	isc_result_t result = ISC_R_SUCCESS;
-
-	isc_once_do(&once, initialize_action);
-
-	LOCK(&mutex);
-
-	if (mctx != NULL)
-		REQUIRE(dst_initialized == ISC_FALSE);
-
-	if (dst_initialized) {
-		UNLOCK(&mutex);
-		return (ISC_R_SUCCESS);
-	}
-
-	if (mctx != NULL)
-		isc_mem_attach(mctx, &dst_memory_pool);
-	else {
-		result = isc_mem_create(0, 0, &dst_memory_pool);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	}
-
-	dst_initialized = ISC_TRUE;
-
-	UNLOCK(&mutex);
-
-	memset(dst_t_func, 0, sizeof(dst_t_func));
-
-	RETERR(isc_mutex_init(&random_lock));
-
-	dst_result_register();
-
-	RETERR(dst__hmacmd5_init(&dst_t_func[DST_ALG_HMACMD5]));
-#ifdef DNSSAFE
-	RETERR(dst__dnssafersa_init(&dst_t_func[DST_ALG_RSA]));
-#endif
-#ifdef OPENSSL
-	RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_DSA]));
-	RETERR(dst__openssldh_init(&dst_t_func[DST_ALG_DH]));
-
-	/*
-	 * Seed the random number generator, if necessary.
-	 * XXX This doesn't do a very good job, and must be fixed.
-	 */
-	if (RAND_status() == 0) {
-		isc_random_t rctx;
-		isc_uint32_t val;
-		isc_time_t now;
-		isc_result_t result;
-
-		isc_random_init(&rctx);
-		result = isc_time_now(&now);
-		INSIST(result == ISC_R_SUCCESS);
-		isc_random_seed(&rctx, isc_time_nanoseconds(&now));
-		while (RAND_status() == 0) {
-			isc_random_get(&rctx, &val);
-			RAND_add(&val, sizeof(isc_uint32_t), 1);
-		}
-		isc_random_invalidate(&rctx);
-	}
-#endif
-
-	return (ISC_R_SUCCESS);
-
- out:
-	dst_lib_destroy();
-	return (result);
-}
-
 /* 
  * Allocates a key structure and fills in some of the fields. 
  */
@@ -1061,3 +992,10 @@ dst__mem_realloc(void *ptr, size_t size) {
 		dst__mem_free(ptr);
 	return (p);
 }
+
+isc_result_t
+dst__entropy_getdata(void *buf, unsigned int len) {
+	return (isc_entropy_getdata(dst_entropy_pool, buf, len, NULL,
+				    dst_entropy_flags));
+	
+}

lib/dns/sec/dst/dst_internal.h

@@ -29,16 +29,6 @@
 
 ISC_LANG_BEGINDECLS
 
-/* 
- * define what crypto systems are supported.
- * BSAFE, DNSSAFE for RSA
- * OPENSSL for DSA
- * Only one package per algorithm can be defined.
- */
-#if defined(BSAFE) && defined(DNSSAFE)
-# error "Cannot have both BSAFE and DNSSAFE defined"
-#endif
-
 /***
  *** Types
  ***/
@@ -84,7 +74,8 @@ struct dst_func {
 	isc_boolean_t (*compare)(const dst_key_t *key1, const dst_key_t *key2);
 	isc_boolean_t (*paramcompare)(const dst_key_t *key1,
 				      const dst_key_t *key2);
-	isc_result_t (*generate)(dst_key_t *key, int parms);
+	isc_result_t (*generate)(dst_key_t *key, int parms,
+				 isc_entropy_t *ectx);
 	isc_boolean_t (*isprivate)(const dst_key_t *key);
 	void (*destroy)(dst_key_t *key);
 
@@ -96,18 +87,15 @@ struct dst_func {
 				 const char *filename);
 };
 
-#ifndef DST_HASH_SIZE
-#define DST_HASH_SIZE 20	/* RIPEMD160 & SHA-1 are 20 bytes, MD5 is 16 */
-#endif
-
 /*
  * Initializers
  */
+isc_result_t dst__openssl_init(void);
+
 isc_result_t dst__hmacmd5_init(struct dst_func **funcp);
 isc_result_t dst__dnssafersa_init(struct dst_func **funcp);
 isc_result_t dst__openssldsa_init(struct dst_func **funcp);
 isc_result_t dst__openssldh_init(struct dst_func **funcp);
-isc_result_t dst__opensslmd5_init(struct dst_func **funcp);
 
 /*
  * Destructors
@@ -116,7 +104,6 @@ void dst__hmacmd5_destroy(void);
 void dst__dnssafersa_destroy(void);
 void dst__openssldsa_destroy(void);
 void dst__openssldh_destroy(void);
-void dst__opensslmd5_destroy(void);
 
 /*
  * Support functions.
@@ -127,12 +114,14 @@ dst__id_calc(const unsigned char *key, const int keysize);
 /*
  * Memory allocators using the DST memory pool.
  */
-void *
-dst__mem_alloc(size_t size);
-void
-dst__mem_free(void *ptr);
-void *
-dst__mem_realloc(void *ptr, size_t size);
+void * dst__mem_alloc(size_t size);
+void   dst__mem_free(void *ptr);
+void * dst__mem_realloc(void *ptr, size_t size);
+
+/*
+ * Entropy retriever using the DST entropy pool.
+ */
+isc_result_t dst__entropy_getdata(void *buf, unsigned int len);
 
 ISC_LANG_ENDDECLS
 

lib/dns/sec/dst/hmac_link.c

@@ -19,11 +19,12 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: hmac_link.c,v 1.35 2000/06/09 20:58:37 gson Exp $
+ * $Id: hmac_link.c,v 1.36 2000/06/09 22:32:17 bwelling Exp $
  */
 
 #include <config.h>
 
+#include <isc/entropy.h>
 #include <isc/md5.h>
 #include <isc/mem.h>
 #include <isc/string.h>
@@ -144,7 +145,7 @@ hmacmd5_compare(const dst_key_t *key1, const dst_key_t *key2) {
 }
 
 static isc_result_t
-hmacmd5_generate(dst_key_t *key, int unused) {
+hmacmd5_generate(dst_key_t *key, int unused, isc_entropy_t *ectx) {
 	isc_buffer_t b;
 	isc_result_t ret;
 	int bytes;
@@ -159,8 +160,8 @@ hmacmd5_generate(dst_key_t *key, int unused) {
 	}
 
 	memset(data, 0, HMAC_LEN);
-	isc_buffer_init(&b, data, sizeof(data));
-	ret = dst_random_get(bytes, &b);
+	ret = isc_entropy_getdata(ectx, data, bytes, NULL,
+				  ISC_ENTROPY_GOODONLY | ISC_ENTROPY_BLOCKING);
 	if (ret != ISC_R_SUCCESS)
 		return (ret);
 

lib/dns/sec/dst/include/dst/dst.h

@@ -43,14 +43,13 @@ typedef struct dst_context 	dst_context_t;
  ***/
 
 isc_result_t
-dst_lib_init(isc_mem_t *mctx);
+dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags);
 /*
- * Initializes the DST subsystem.  If this call is omitted, DST will allocate
- * resources itself when the first library call is made (including its own
- * memory context).
+ * Initializes the DST subsystem.
  *
  * Requires:
  * 	"mctx" is a valid memory context
+ * 	"ectx" is a valid entropy context
  *
  * Returns:
  * 	ISC_R_SUCCESS
@@ -475,23 +474,6 @@ dst_key_secretsize(const dst_key_t *key, unsigned int *n);
  * 	"n" stores the size of a generated shared secret
  */
 
-isc_result_t
-dst_random_get(const unsigned int wanted, isc_buffer_t *data);
-/*
- * Generate random data.
- *
- * Requires:
- *	"data" is a valid buffer, with at least "wanted" bytes available.
- *
- * Returns:
- *	ISC_R_SUCCESS
- *	any other result indicates failure
- *
- * Ensures:
- *	"wanted" bytes will be written to "data", and the used pointer will
- *	be advanced.
- */
-
 ISC_LANG_ENDDECLS
 
 #endif /* DST_DST_H */

lib/dns/sec/dst/openssl_link.c

@@ -19,12 +19,13 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: openssl_link.c,v 1.28 2000/06/09 20:58:38 gson Exp $
+ * $Id: openssl_link.c,v 1.29 2000/06/09 22:32:18 bwelling Exp $
  */
 #if defined(OPENSSL)
 
 #include <config.h>
 
+#include <isc/entropy.h>
 #include <isc/mem.h>
 #include <isc/sha1.h>
 #include <isc/string.h>
@@ -36,6 +37,7 @@
 #include "dst_parse.h"
 
 #include <openssl/dsa.h>
+#include <openssl/rand.h>
 
 static isc_result_t openssldsa_todns(const dst_key_t *key, isc_buffer_t *data);
 
@@ -170,18 +172,18 @@ openssldsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
 }
 
 static isc_result_t
-openssldsa_generate(dst_key_t *key, int unused) {
+openssldsa_generate(dst_key_t *key, int unused, isc_entropy_t *ectx) {
 	DSA *dsa;
 	unsigned char dns_array[DST_KEY_MAXSIZE];
 	unsigned char rand_array[ISC_SHA1_DIGESTLENGTH];
-	isc_buffer_t dns, rand;
+	isc_buffer_t dns;
 	isc_result_t result;
 	isc_region_t r;
 
 	UNUSED(unused);
 
-	isc_buffer_init(&rand, rand_array, sizeof(rand_array));
-	result = dst_random_get(ISC_SHA1_DIGESTLENGTH, &rand);
+	result = isc_entropy_getdata(ectx, rand_array, sizeof(rand_array), NULL,
+				     ISC_ENTROPY_GOODONLY|ISC_ENTROPY_BLOCKING);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
@@ -452,8 +454,6 @@ static dst_func_t openssldsa_functions = {
 isc_result_t
 dst__openssldsa_init(dst_func_t **funcp) {
 	REQUIRE(funcp != NULL && *funcp == NULL);
-	CRYPTO_set_mem_functions(dst__mem_alloc, dst__mem_realloc,
-				 dst__mem_free);
 	*funcp = &openssldsa_functions;
 	return (ISC_R_SUCCESS);
 }
@@ -462,4 +462,38 @@ void
 dst__openssldsa_destroy(void) {
 }
 
+static int
+entropy_get(unsigned char *buf, int num) {
+	isc_result_t result;
+	if (num < 0)
+		return (-1);
+	result = dst__entropy_getdata(buf, (unsigned int) num);
+	return (result == ISC_R_SUCCESS ? 0 : -1);
+}
+
+static void
+entropy_add(const void *buf, int num, double entropy) {
+	/*
+	 * Do nothing.  The only call to this provides no useful data anyway.
+	 */
+	UNUSED(buf);
+	UNUSED(num);
+	UNUSED(entropy);
+}
+
+isc_result_t
+dst__openssl_init(void) {
+	RAND_METHOD rm;
+	CRYPTO_set_mem_functions(dst__mem_alloc, dst__mem_realloc,
+				 dst__mem_free);
+	rm.seed = NULL;
+	rm.bytes = entropy_get;
+	rm.cleanup = NULL;
+	rm.add = entropy_add;
+	rm.pseudorand = entropy_get;
+	rm.status = NULL;
+	RAND_set_rand_method(&rm);
+	return (ISC_R_SUCCESS);
+}
+
 #endif /* OPENSSL */

lib/dns/sec/dst/openssldh_link.c

@@ -19,7 +19,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: openssldh_link.c,v 1.23 2000/06/09 20:58:39 gson Exp $
+ * $Id: openssldh_link.c,v 1.24 2000/06/09 22:32:19 bwelling Exp $
  */
 
 #if defined(OPENSSL)
@@ -128,13 +128,15 @@ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
 }
 
 static isc_result_t
-openssldh_generate(dst_key_t *key, int generator) {
+openssldh_generate(dst_key_t *key, int generator, isc_entropy_t *ectx) {
 	DH *dh = NULL;
 	unsigned char dns_array[DST_KEY_MAXSIZE];
 	isc_buffer_t dns;
 	isc_region_t r;
 	isc_result_t result;
 
+	UNUSED(ectx);
+
 	if (generator == 0) {
 		if (key->key_size == 768 || key->key_size == 1024) {
 			dh = DH_new();
@@ -552,8 +554,6 @@ static dst_func_t openssldh_functions = {
 isc_result_t
 dst__openssldh_init(dst_func_t **funcp) {
 	REQUIRE(funcp != NULL && *funcp == NULL);
-	CRYPTO_set_mem_functions(dst__mem_alloc, dst__mem_realloc,
-				 dst__mem_free);
 	BN_init(&bn2);
 	BN_init(&bn768);
 	BN_init(&bn1024);