Use the entropy api.

2025-08-29 13:38:26 +00:00 · 2000-06-09 22:32:20 +00:00 · 2000-06-09 22:32:20 +00:00 · 09a1a618cd
commit 09a1a618cd
parent f8b50c193f
7 changed files with 138 additions and 193 deletions
--- a/lib/dns/sec/dst/bsafe_link.c
+++ b/lib/dns/sec/dst/bsafe_link.c
@ -19,13 +19,14 @@
 /*
 * Principal Author: Brian Wellington
- * $Id: bsafe_link.c,v 1.28 2000/06/09 20:58:32 gson Exp $
+ * $Id: bsafe_link.c,v 1.29 2000/06/09 22:32:13 bwelling Exp $
 */
 #if defined(DNSSAFE)
 #include <config.h>
 #include <isc/entropy.h>
 #include <isc/md5.h>
 #include <isc/mem.h>
 #include <isc/string.h>
@ -177,7 +178,7 @@ static isc_result_t
 dnssafersa_verify(dst_context_t *dctx, const isc_region_t *sig) {
 	isc_md5_t *md5ctx = dctx->opaque;
 	unsigned char digest[ISC_MD5_DIGESTLENGTH];
-	unsigned char work_area[DST_HASH_SIZE + sizeof(pkcs1)];
+	unsigned char work_area[ISC_MD5_DIGESTLENGTH + sizeof(pkcs1)];
 	isc_buffer_t work;
 	isc_region_t work_region;
 	dst_key_t *key = dctx->key;
@ -299,7 +300,7 @@ dnssafersa_compare(const dst_key_t *key1, const dst_key_t *key2) {
 }
 static isc_result_t
-dnssafersa_generate(dst_key_t *key, int exp) {
+dnssafersa_generate(dst_key_t *key, int exp, isc_entropy_t *ectx) {
 	B_KEY_OBJ private;
 	B_KEY_OBJ public;
 	B_ALGORITHM_OBJ keypairGenerator = NULL;
@ -309,7 +310,7 @@ dnssafersa_generate(dst_key_t *key, int exp) {
 	int exponent_len = 0;
 	RSA_Key *rsa;
 	unsigned char randomSeed[256];
-	isc_buffer_t b, rand;
+	isc_buffer_t b;
 	A_RSA_KEY *pub = NULL;
 	isc_result_t ret;
 	isc_mem_t *mctx;
@ -392,8 +393,8 @@ dnssafersa_generate(dst_key_t *key, int exp) {
 	if (B_RandomInit(randomAlgorithm, CHOOSER, NULL_SURRENDER) != 0)
 		do_fail(ISC_R_NOMEMORY);
-	isc_buffer_init(&rand, randomSeed, sizeof(randomSeed));
+	ret = isc_entropy_getdata(ectx, randomSeed, sizeof(randomSeed), NULL,
-	ret = dst_random_get(sizeof(randomSeed), &rand);
+				  ISC_ENTROPY_GOODONLY | ISC_ENTROPY_BLOCKING);
 	if (ret != ISC_R_SUCCESS)
 		goto fail;
--- a/lib/dns/sec/dst/dst_api.c
+++ b/lib/dns/sec/dst/dst_api.c
@ -19,7 +19,7 @@
 /*
 * Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.52 2000/06/09 20:58:33 gson Exp $
+ * $Id: dst_api.c,v 1.53 2000/06/09 22:32:15 bwelling Exp $
 */
 #include <config.h>
@ -28,6 +28,7 @@
 #include <isc/buffer.h>
 #include <isc/dir.h>
 #include <isc/entropy.h>
 #include <isc/lex.h>
 #include <isc/mem.h>
 #include <isc/once.h>
@ -56,14 +57,13 @@
 static dst_func_t *dst_t_func[DST_MAX_ALGS];
 static isc_mem_t *dst_memory_pool = NULL;
 static isc_entropy_t *dst_entropy_pool = NULL;
 static unsigned int dst_entropy_flags = 0;
 static isc_boolean_t dst_initialized = ISC_FALSE;
 static isc_mutex_t mutex, random_lock;
 static isc_once_t once = ISC_ONCE_INIT;
 /*
 * Static functions.
 */
 static isc_result_t	initialize(isc_mem_t *mctx);
 static dst_key_t *	get_key_struct(dns_name_t *name,
 				       const unsigned int alg,
 				       const unsigned int flags,
@ -82,9 +82,41 @@ static isc_result_t	buildfilename(dns_name_t *name,
 				      const char *directory,
 				      isc_buffer_t *out);
 #define RETERR(x) do { \
 	result = (x); \
 	if (result != ISC_R_SUCCESS) \
 		goto out; \
 	} while (0)
 isc_result_t
-dst_lib_init(isc_mem_t *mctx) {
+dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags) {
-	return (initialize(mctx));
+	isc_result_t result;
 	REQUIRE(mctx != NULL && ectx != NULL);
 	REQUIRE(dst_initialized == ISC_FALSE);
 	isc_mem_attach(mctx, &dst_memory_pool);
 	isc_entropy_attach(ectx, &dst_entropy_pool);
 	dst_entropy_flags = eflags;
 	dst_result_register();
 	memset(dst_t_func, 0, sizeof(dst_t_func));
 	RETERR(dst__hmacmd5_init(&dst_t_func[DST_ALG_HMACMD5]));
 #ifdef DNSSAFE
 	RETERR(dst__dnssafersa_init(&dst_t_func[DST_ALG_RSA]));
 #endif
 #ifdef OPENSSL
 	RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_DSA]));
 	RETERR(dst__openssldh_init(&dst_t_func[DST_ALG_DH]));
 #endif
 	dst_initialized = ISC_TRUE;
 	return (ISC_R_SUCCESS);
 out:
 	dst_lib_destroy();
 	return (result);
 }
 void
@ -100,13 +132,16 @@ dst_lib_destroy(void) {
 	dst__openssldsa_destroy();
 	dst__openssldh_destroy();
 #endif
-	isc_mem_detach(&dst_memory_pool);
+	if (dst_memory_pool != NULL)
 		isc_mem_detach(&dst_memory_pool);
 	if (dst_entropy_pool != NULL)
 		isc_entropy_detach(&dst_entropy_pool);
 }
 isc_boolean_t
 dst_algorithm_supported(const unsigned int alg) {
-	REQUIRE(initialize(NULL) == ISC_R_SUCCESS);
+	REQUIRE(dst_initialized == ISC_TRUE);
 	if (alg >= DST_MAX_ALGS || dst_t_func[alg] == NULL)
 		return (ISC_FALSE);
@ -118,7 +153,7 @@ dst_context_create(dst_key_t *key, isc_mem_t *mctx, dst_context_t **dctxp) {
 	dst_context_t *dctx;
 	isc_result_t result;
-	REQUIRE(initialize(NULL) == ISC_R_SUCCESS);
+	REQUIRE(dst_initialized == ISC_TRUE);
 	REQUIRE(mctx != NULL);
 	REQUIRE(dctxp != NULL && *dctxp == NULL);
@ -197,7 +232,7 @@ isc_result_t
 dst_key_computesecret(const dst_key_t *pub, const dst_key_t *priv,
 		  isc_buffer_t *secret) 
 {
-	REQUIRE(initialize(NULL) == ISC_R_SUCCESS);
+	REQUIRE(dst_initialized == ISC_TRUE);
 	REQUIRE(VALID_KEY(pub) && VALID_KEY(priv));
 	REQUIRE(secret != NULL);
@ -223,7 +258,7 @@ isc_result_t
 dst_key_tofile(const dst_key_t *key, const int type, const char *directory) {
 	isc_result_t ret = ISC_R_SUCCESS;
-	REQUIRE(initialize(NULL) == ISC_R_SUCCESS);
+	REQUIRE(dst_initialized == ISC_TRUE);
 	REQUIRE(VALID_KEY(key));
 	REQUIRE((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) != 0);
@ -256,7 +291,7 @@ dst_key_fromfile(dns_name_t *name, const isc_uint16_t id,
 	dst_key_t *key;
 	isc_result_t result;
-	REQUIRE(initialize(NULL) == ISC_R_SUCCESS);
+	REQUIRE(dst_initialized == ISC_TRUE);
 	REQUIRE(dns_name_isabsolute(name));
 	REQUIRE((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) != 0);
 	REQUIRE(mctx != NULL);
@ -294,7 +329,7 @@ dst_key_fromnamedfile(const char *filename, const int type, isc_mem_t *mctx,
 	dst_key_t *pubkey = NULL, *key = NULL;
 	isc_uint16_t id;
-	REQUIRE(initialize(NULL) == ISC_R_SUCCESS);
+	REQUIRE(dst_initialized == ISC_TRUE);
 	REQUIRE(filename != NULL);
 	REQUIRE((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) != 0);
 	REQUIRE(mctx != NULL);
@ -339,7 +374,7 @@ dst_key_fromnamedfile(const char *filename, const int type, isc_mem_t *mctx,
 isc_result_t
 dst_key_todns(const dst_key_t *key, isc_buffer_t *target) {
-	REQUIRE(initialize(NULL) == ISC_R_SUCCESS);
+	REQUIRE(dst_initialized == ISC_TRUE);
 	REQUIRE(VALID_KEY(key));
 	REQUIRE(target != NULL);
@ -376,7 +411,7 @@ dst_key_fromdns(dns_name_t *name, isc_buffer_t *source, isc_mem_t *mctx,
 	isc_uint8_t alg, proto;
 	isc_uint32_t flags, extflags;
-	REQUIRE(initialize(NULL) == ISC_R_SUCCESS);
+	REQUIRE(dst_initialized == ISC_TRUE);
 	REQUIRE(dns_name_isabsolute(name));
 	REQUIRE(source != NULL);
 	REQUIRE(mctx != NULL);
@ -410,7 +445,7 @@ dst_key_frombuffer(dns_name_t *name, const unsigned int alg,
 	dst_key_t *key;
 	isc_result_t ret;
-	REQUIRE(initialize(NULL) == ISC_R_SUCCESS);
+	REQUIRE(dst_initialized == ISC_TRUE);
 	REQUIRE(dns_name_isabsolute(name));
 	REQUIRE(source != NULL);
 	REQUIRE(mctx != NULL);
@ -440,7 +475,7 @@ dst_key_frombuffer(dns_name_t *name, const unsigned int alg,
 isc_result_t 
 dst_key_tobuffer(const dst_key_t *key, isc_buffer_t *target) {
-	REQUIRE(initialize(NULL) == ISC_R_SUCCESS);
+	REQUIRE(dst_initialized == ISC_TRUE);
 	REQUIRE(VALID_KEY(key));
 	REQUIRE(target != NULL);
@ -462,7 +497,7 @@ dst_key_generate(dns_name_t *name, const unsigned int alg,
 	dst_key_t *key;
 	isc_result_t ret;
-	REQUIRE(initialize(NULL) == ISC_R_SUCCESS);
+	REQUIRE(dst_initialized == ISC_TRUE);
 	REQUIRE(dns_name_isabsolute(name));
 	REQUIRE(mctx != NULL);
 	REQUIRE(keyp != NULL && *keyp == NULL);
@ -485,7 +520,7 @@ dst_key_generate(dns_name_t *name, const unsigned int alg,
 		return (DST_R_UNSUPPORTEDALG);
 	}
-	ret = key->func->generate(key, param);
+	ret = key->func->generate(key, param, dst_entropy_pool);
 	if (ret != ISC_R_SUCCESS) {
 		dst_key_free(&key);
 		return (ret);
@ -497,7 +532,7 @@ dst_key_generate(dns_name_t *name, const unsigned int alg,
 isc_boolean_t
 dst_key_compare(const dst_key_t *key1, const dst_key_t *key2) {
-	REQUIRE(initialize(NULL) == ISC_R_SUCCESS);
+	REQUIRE(dst_initialized == ISC_TRUE);
 	REQUIRE(VALID_KEY(key1));
 	REQUIRE(VALID_KEY(key2));
@ -516,7 +551,7 @@ dst_key_compare(const dst_key_t *key1, const dst_key_t *key2) {
 isc_boolean_t
 dst_key_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
-	REQUIRE(initialize(NULL) == ISC_R_SUCCESS);
+	REQUIRE(dst_initialized == ISC_TRUE);
 	REQUIRE(VALID_KEY(key1));
 	REQUIRE(VALID_KEY(key2));
@ -537,7 +572,7 @@ dst_key_free(dst_key_t **keyp) {
 	isc_mem_t *mctx;
 	dst_key_t *key;
-	REQUIRE(initialize(NULL) == ISC_R_SUCCESS);
+	REQUIRE(dst_initialized == ISC_TRUE);
 	REQUIRE(keyp != NULL && VALID_KEY(*keyp));
 	key = *keyp;
@ -640,7 +675,7 @@ dst_key_buildfilename(const dst_key_t *key, const int type,
 isc_result_t
 dst_key_sigsize(const dst_key_t *key, unsigned int *n) {
-	REQUIRE(initialize(NULL) == ISC_R_SUCCESS);
+	REQUIRE(dst_initialized == ISC_TRUE);
 	REQUIRE(VALID_KEY(key));
 	REQUIRE(n != NULL);
@ -663,7 +698,7 @@ dst_key_sigsize(const dst_key_t *key, unsigned int *n) {
 isc_result_t
 dst_key_secretsize(const dst_key_t *key, unsigned int *n) {
-	REQUIRE(initialize(NULL) == ISC_R_SUCCESS);
+	REQUIRE(dst_initialized == ISC_TRUE);
 	REQUIRE(VALID_KEY(key));
 	REQUIRE(n != NULL);
@ -680,114 +715,10 @@ dst_key_secretsize(const dst_key_t *key, unsigned int *n) {
 	return (ISC_R_SUCCESS);
 }
 isc_result_t 
 dst_random_get(const unsigned int wanted, isc_buffer_t *target) {
 	isc_region_t r;
 	int status;
 	REQUIRE(initialize(NULL) == ISC_R_SUCCESS);
 	REQUIRE(target != NULL);
 	isc_buffer_availableregion(target, &r);
 	if (r.length < wanted)
 		return (ISC_R_NOSPACE);
 	RUNTIME_CHECK(isc_mutex_lock((&random_lock)) == ISC_R_SUCCESS);
 	status = RAND_bytes(r.base, wanted);
 	RUNTIME_CHECK(isc_mutex_unlock((&random_lock)) == ISC_R_SUCCESS);
 	if (status == 0)
 		return (DST_R_NORANDOMNESS);
 	isc_buffer_add(target, wanted);
 	return (ISC_R_SUCCESS);
 }
 /***
 *** Static methods
 ***/
 #define RETERR(x) do { \
 	result = (x); \
 	if (result != ISC_R_SUCCESS) \
 		goto out; \
 	} while (0)
 static void
 initialize_action(void) {
 	RUNTIME_CHECK(isc_mutex_init(&mutex) == ISC_R_SUCCESS);
 }
 static isc_result_t
 initialize(isc_mem_t *mctx) {
 	isc_result_t result = ISC_R_SUCCESS;
 	isc_once_do(&once, initialize_action);
 	LOCK(&mutex);
 	if (mctx != NULL)
 		REQUIRE(dst_initialized == ISC_FALSE);
 	if (dst_initialized) {
 		UNLOCK(&mutex);
 		return (ISC_R_SUCCESS);
 	}
 	if (mctx != NULL)
 		isc_mem_attach(mctx, &dst_memory_pool);
 	else {
 		result = isc_mem_create(0, 0, &dst_memory_pool);
 		if (result != ISC_R_SUCCESS)
 			return (result);
 	}
 	dst_initialized = ISC_TRUE;
 	UNLOCK(&mutex);
 	memset(dst_t_func, 0, sizeof(dst_t_func));
 	RETERR(isc_mutex_init(&random_lock));
 	dst_result_register();
 	RETERR(dst__hmacmd5_init(&dst_t_func[DST_ALG_HMACMD5]));
 #ifdef DNSSAFE
 	RETERR(dst__dnssafersa_init(&dst_t_func[DST_ALG_RSA]));
 #endif
 #ifdef OPENSSL
 	RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_DSA]));
 	RETERR(dst__openssldh_init(&dst_t_func[DST_ALG_DH]));
 	/*
 	 * Seed the random number generator, if necessary.
 	 * XXX This doesn't do a very good job, and must be fixed.
 	 */
 	if (RAND_status() == 0) {
 		isc_random_t rctx;
 		isc_uint32_t val;
 		isc_time_t now;
 		isc_result_t result;
 		isc_random_init(&rctx);
 		result = isc_time_now(&now);
 		INSIST(result == ISC_R_SUCCESS);
 		isc_random_seed(&rctx, isc_time_nanoseconds(&now));
 		while (RAND_status() == 0) {
 			isc_random_get(&rctx, &val);
 			RAND_add(&val, sizeof(isc_uint32_t), 1);
 		}
 		isc_random_invalidate(&rctx);
 	}
 #endif
 	return (ISC_R_SUCCESS);
 out:
 	dst_lib_destroy();
 	return (result);
 }
 /* 
 * Allocates a key structure and fills in some of the fields. 
 */
@ -1061,3 +992,10 @@ dst__mem_realloc(void *ptr, size_t size) {
 		dst__mem_free(ptr);
 	return (p);
 }
 isc_result_t
 dst__entropy_getdata(void *buf, unsigned int len) {
 	return (isc_entropy_getdata(dst_entropy_pool, buf, len, NULL,
 				    dst_entropy_flags));
 }
--- a/lib/dns/sec/dst/dst_internal.h
+++ b/lib/dns/sec/dst/dst_internal.h
@ -29,16 +29,6 @@
 ISC_LANG_BEGINDECLS
 /* 
 * define what crypto systems are supported.
 * BSAFE, DNSSAFE for RSA
 * OPENSSL for DSA
 * Only one package per algorithm can be defined.
 */
 #if defined(BSAFE) && defined(DNSSAFE)
 # error "Cannot have both BSAFE and DNSSAFE defined"
 #endif
 /***
 *** Types
 ***/
@ -84,7 +74,8 @@ struct dst_func {
 	isc_boolean_t (*compare)(const dst_key_t *key1, const dst_key_t *key2);
 	isc_boolean_t (*paramcompare)(const dst_key_t *key1,
 				      const dst_key_t *key2);
-	isc_result_t (*generate)(dst_key_t *key, int parms);
+	isc_result_t (*generate)(dst_key_t *key, int parms,
 				 isc_entropy_t *ectx);
 	isc_boolean_t (*isprivate)(const dst_key_t *key);
 	void (*destroy)(dst_key_t *key);
@ -96,18 +87,15 @@ struct dst_func {
 				 const char *filename);
 };
 #ifndef DST_HASH_SIZE
 #define DST_HASH_SIZE 20	/* RIPEMD160 & SHA-1 are 20 bytes, MD5 is 16 */
 #endif
 /*
 * Initializers
 */
 isc_result_t dst__openssl_init(void);
 isc_result_t dst__hmacmd5_init(struct dst_func **funcp);
 isc_result_t dst__dnssafersa_init(struct dst_func **funcp);
 isc_result_t dst__openssldsa_init(struct dst_func **funcp);
 isc_result_t dst__openssldh_init(struct dst_func **funcp);
 isc_result_t dst__opensslmd5_init(struct dst_func **funcp);
 /*
 * Destructors
@ -116,7 +104,6 @@ void dst__hmacmd5_destroy(void);
 void dst__dnssafersa_destroy(void);
 void dst__openssldsa_destroy(void);
 void dst__openssldh_destroy(void);
 void dst__opensslmd5_destroy(void);
 /*
 * Support functions.
@ -127,12 +114,14 @@ dst__id_calc(const unsigned char *key, const int keysize);
 /*
 * Memory allocators using the DST memory pool.
 */
-void *
+void * dst__mem_alloc(size_t size);
-dst__mem_alloc(size_t size);
+void   dst__mem_free(void *ptr);
-void
+void * dst__mem_realloc(void *ptr, size_t size);
-dst__mem_free(void *ptr);
+
-void *
+/*
-dst__mem_realloc(void *ptr, size_t size);
+ * Entropy retriever using the DST entropy pool.
 */
 isc_result_t dst__entropy_getdata(void *buf, unsigned int len);
 ISC_LANG_ENDDECLS
--- a/lib/dns/sec/dst/hmac_link.c
+++ b/lib/dns/sec/dst/hmac_link.c
@ -19,11 +19,12 @@
 /*
 * Principal Author: Brian Wellington
- * $Id: hmac_link.c,v 1.35 2000/06/09 20:58:37 gson Exp $
+ * $Id: hmac_link.c,v 1.36 2000/06/09 22:32:17 bwelling Exp $
 */
 #include <config.h>
 #include <isc/entropy.h>
 #include <isc/md5.h>
 #include <isc/mem.h>
 #include <isc/string.h>
@ -144,7 +145,7 @@ hmacmd5_compare(const dst_key_t *key1, const dst_key_t *key2) {
 }
 static isc_result_t
-hmacmd5_generate(dst_key_t *key, int unused) {
+hmacmd5_generate(dst_key_t *key, int unused, isc_entropy_t *ectx) {
 	isc_buffer_t b;
 	isc_result_t ret;
 	int bytes;
@ -159,8 +160,8 @@ hmacmd5_generate(dst_key_t *key, int unused) {
 	}
 	memset(data, 0, HMAC_LEN);
-	isc_buffer_init(&b, data, sizeof(data));
+	ret = isc_entropy_getdata(ectx, data, bytes, NULL,
-	ret = dst_random_get(bytes, &b);
+				  ISC_ENTROPY_GOODONLY | ISC_ENTROPY_BLOCKING);
 	if (ret != ISC_R_SUCCESS)
 		return (ret);
--- a/lib/dns/sec/dst/include/dst/dst.h
+++ b/lib/dns/sec/dst/include/dst/dst.h
@ -43,14 +43,13 @@ typedef struct dst_context 	dst_context_t;
 ***/
 isc_result_t
-dst_lib_init(isc_mem_t *mctx);
+dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags);
 /*
- * Initializes the DST subsystem.  If this call is omitted, DST will allocate
+ * Initializes the DST subsystem.
 * resources itself when the first library call is made (including its own
 * memory context).
 *
 * Requires:
 * 	"mctx" is a valid memory context
 * 	"ectx" is a valid entropy context
 *
 * Returns:
 * 	ISC_R_SUCCESS
@ -475,23 +474,6 @@ dst_key_secretsize(const dst_key_t *key, unsigned int *n);
 * 	"n" stores the size of a generated shared secret
 */
 isc_result_t
 dst_random_get(const unsigned int wanted, isc_buffer_t *data);
 /*
 * Generate random data.
 *
 * Requires:
 *	"data" is a valid buffer, with at least "wanted" bytes available.
 *
 * Returns:
 *	ISC_R_SUCCESS
 *	any other result indicates failure
 *
 * Ensures:
 *	"wanted" bytes will be written to "data", and the used pointer will
 *	be advanced.
 */
 ISC_LANG_ENDDECLS
 #endif /* DST_DST_H */
--- a/lib/dns/sec/dst/openssl_link.c
+++ b/lib/dns/sec/dst/openssl_link.c
@ -19,12 +19,13 @@
 /*
 * Principal Author: Brian Wellington
- * $Id: openssl_link.c,v 1.28 2000/06/09 20:58:38 gson Exp $
+ * $Id: openssl_link.c,v 1.29 2000/06/09 22:32:18 bwelling Exp $
 */
 #if defined(OPENSSL)
 #include <config.h>
 #include <isc/entropy.h>
 #include <isc/mem.h>
 #include <isc/sha1.h>
 #include <isc/string.h>
@ -36,6 +37,7 @@
 #include "dst_parse.h"
 #include <openssl/dsa.h>
 #include <openssl/rand.h>
 static isc_result_t openssldsa_todns(const dst_key_t *key, isc_buffer_t *data);
@ -170,18 +172,18 @@ openssldsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
 }
 static isc_result_t
-openssldsa_generate(dst_key_t *key, int unused) {
+openssldsa_generate(dst_key_t *key, int unused, isc_entropy_t *ectx) {
 	DSA *dsa;
 	unsigned char dns_array[DST_KEY_MAXSIZE];
 	unsigned char rand_array[ISC_SHA1_DIGESTLENGTH];
-	isc_buffer_t dns, rand;
+	isc_buffer_t dns;
 	isc_result_t result;
 	isc_region_t r;
 	UNUSED(unused);
-	isc_buffer_init(&rand, rand_array, sizeof(rand_array));
+	result = isc_entropy_getdata(ectx, rand_array, sizeof(rand_array), NULL,
-	result = dst_random_get(ISC_SHA1_DIGESTLENGTH, &rand);
+				     ISC_ENTROPY_GOODONLY|ISC_ENTROPY_BLOCKING);
 	if (result != ISC_R_SUCCESS)
 		return (result);
@ -452,8 +454,6 @@ static dst_func_t openssldsa_functions = {
 isc_result_t
 dst__openssldsa_init(dst_func_t **funcp) {
 	REQUIRE(funcp != NULL && *funcp == NULL);
 	CRYPTO_set_mem_functions(dst__mem_alloc, dst__mem_realloc,
 				 dst__mem_free);
 	*funcp = &openssldsa_functions;
 	return (ISC_R_SUCCESS);
 }
@ -462,4 +462,38 @@ void
 dst__openssldsa_destroy(void) {
 }
 static int
 entropy_get(unsigned char *buf, int num) {
 	isc_result_t result;
 	if (num < 0)
 		return (-1);
 	result = dst__entropy_getdata(buf, (unsigned int) num);
 	return (result == ISC_R_SUCCESS ? 0 : -1);
 }
 static void
 entropy_add(const void *buf, int num, double entropy) {
 	/*
 	 * Do nothing.  The only call to this provides no useful data anyway.
 	 */
 	UNUSED(buf);
 	UNUSED(num);
 	UNUSED(entropy);
 }
 isc_result_t
 dst__openssl_init(void) {
 	RAND_METHOD rm;
 	CRYPTO_set_mem_functions(dst__mem_alloc, dst__mem_realloc,
 				 dst__mem_free);
 	rm.seed = NULL;
 	rm.bytes = entropy_get;
 	rm.cleanup = NULL;
 	rm.add = entropy_add;
 	rm.pseudorand = entropy_get;
 	rm.status = NULL;
 	RAND_set_rand_method(&rm);
 	return (ISC_R_SUCCESS);
 }
 #endif /* OPENSSL */
--- a/lib/dns/sec/dst/openssldh_link.c
+++ b/lib/dns/sec/dst/openssldh_link.c
@ -19,7 +19,7 @@
 /*
 * Principal Author: Brian Wellington
- * $Id: openssldh_link.c,v 1.23 2000/06/09 20:58:39 gson Exp $
+ * $Id: openssldh_link.c,v 1.24 2000/06/09 22:32:19 bwelling Exp $
 */
 #if defined(OPENSSL)
@ -128,13 +128,15 @@ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
 }
 static isc_result_t
-openssldh_generate(dst_key_t *key, int generator) {
+openssldh_generate(dst_key_t *key, int generator, isc_entropy_t *ectx) {
 	DH *dh = NULL;
 	unsigned char dns_array[DST_KEY_MAXSIZE];
 	isc_buffer_t dns;
 	isc_region_t r;
 	isc_result_t result;
 	UNUSED(ectx);
 	if (generator == 0) {
 		if (key->key_size == 768 || key->key_size == 1024) {
 			dh = DH_new();
@ -552,8 +554,6 @@ static dst_func_t openssldh_functions = {
 isc_result_t
 dst__openssldh_init(dst_func_t **funcp) {
 	REQUIRE(funcp != NULL && *funcp == NULL);
 	CRYPTO_set_mem_functions(dst__mem_alloc, dst__mem_realloc,
 				 dst__mem_free);
 	BN_init(&bn2);
 	BN_init(&bn768);
 	BN_init(&bn1024);