mirror of
https://gitlab.isc.org/isc-projects/bind9
synced 2025-08-31 06:25:31 +00:00
[master] completed and corrected the crypto-random change
4724. [func] By default, BIND now uses the random number functions provided by the crypto library (i.e., OpenSSL or a PKCS#11 provider) as a source of randomness rather than /dev/random. This is suitable for virtual machine environments which have limited entropy pools and lack hardware random number generators. This can be overridden by specifying another entropy source via the "random-device" option in named.conf, or via the -r command line option; however, for functions requiring full cryptographic strength, such as DNSSEC key generation, this cannot be overridden. In particular, the -r command line option no longer has any effect on dnssec-keygen. This can be disabled by building with "configure --disable-crypto-rand". [RT #31459] [RT #46047]
This commit is contained in:
@@ -8289,34 +8289,47 @@ load_configuration(const char *filename, named_server_t *server,
|
||||
* Open the source of entropy.
|
||||
*/
|
||||
if (first_time) {
|
||||
const char *randomdev = NULL;
|
||||
int level = ISC_LOG_ERROR;
|
||||
obj = NULL;
|
||||
result = named_config_get(maps, "random-device", &obj);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
|
||||
NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
|
||||
"no source of entropy found");
|
||||
} else {
|
||||
const char *randomdev = cfg_obj_asstring(obj);
|
||||
if (result == ISC_R_SUCCESS) {
|
||||
if (!cfg_obj_isvoid(obj)) {
|
||||
level = ISC_LOG_INFO;
|
||||
randomdev = cfg_obj_asstring(obj);
|
||||
}
|
||||
}
|
||||
if (randomdev == NULL) {
|
||||
#ifdef ISC_PLATFORM_CRYPTORANDOM
|
||||
if (strcmp(randomdev, ISC_PLATFORM_CRYPTORANDOM) == 0)
|
||||
isc_entropy_usehook(named_g_entropy, ISC_TRUE);
|
||||
isc_entropy_usehook(named_g_entropy, ISC_TRUE);
|
||||
#else
|
||||
int level = ISC_LOG_ERROR;
|
||||
if ((obj != NULL) && !cfg_obj_isvoid(obj))
|
||||
level = ISC_LOG_INFO;
|
||||
isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
|
||||
NAMED_LOGMODULE_SERVER, level,
|
||||
"no source of entropy found");
|
||||
if ((obj == NULL) || cfg_obj_isvoid(obj)) {
|
||||
CHECK(ISC_R_FAILURE);
|
||||
}
|
||||
#endif
|
||||
} else {
|
||||
result = isc_entropy_createfilesource(named_g_entropy,
|
||||
randomdev);
|
||||
#ifdef PATH_RANDOMDEV
|
||||
if (named_g_fallbackentropy != NULL)
|
||||
if (named_g_fallbackentropy != NULL) {
|
||||
level = ISC_LOG_INFO;
|
||||
}
|
||||
#endif
|
||||
if (result != ISC_R_SUCCESS)
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
isc_log_write(named_g_lctx,
|
||||
NAMED_LOGCATEGORY_GENERAL,
|
||||
NAMED_LOGMODULE_SERVER,
|
||||
level,
|
||||
"could not open entropy source "
|
||||
"%s: %s",
|
||||
"could not open "
|
||||
"entropy source %s: %s",
|
||||
randomdev,
|
||||
isc_result_totext(result));
|
||||
}
|
||||
#ifdef PATH_RANDOMDEV
|
||||
if (named_g_fallbackentropy != NULL) {
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
@@ -8334,7 +8347,6 @@ load_configuration(const char *filename, named_server_t *server,
|
||||
}
|
||||
isc_entropy_detach(&named_g_fallbackentropy);
|
||||
}
|
||||
#endif
|
||||
#endif
|
||||
}
|
||||
}
|
||||
@@ -13298,10 +13310,10 @@ newzone_cfgctx_destroy(void **cfgp) {
|
||||
|
||||
static isc_result_t
|
||||
generate_salt(unsigned char *salt, size_t saltlen) {
|
||||
int i, n;
|
||||
size_t i, n;
|
||||
union {
|
||||
unsigned char rnd[256];
|
||||
isc_uint32_t rnd32[64];
|
||||
isc_uint16_t rnd16[128];
|
||||
} rnd;
|
||||
unsigned char text[512 + 1];
|
||||
isc_region_t r;
|
||||
@@ -13311,9 +13323,10 @@ generate_salt(unsigned char *salt, size_t saltlen) {
|
||||
if (saltlen > 256U)
|
||||
return (ISC_R_RANGE);
|
||||
|
||||
n = (int) (saltlen + sizeof(isc_uint32_t) - 1) / sizeof(isc_uint32_t);
|
||||
for (i = 0; i < n; i++)
|
||||
isc_random_get(&rnd.rnd32[i]);
|
||||
n = (saltlen + sizeof(isc_uint16_t) - 1) / sizeof(isc_uint16_t);
|
||||
for (i = 0; i < n; i++) {
|
||||
rnd.rnd16[i] = isc_rng_random(named_g_server->sctx->rngctx);
|
||||
}
|
||||
|
||||
memmove(salt, rnd.rnd, saltlen);
|
||||
|
||||
|
Reference in New Issue
Block a user