
[master] completed and corrected the crypto-random change

4724.	[func]		By default, BIND now uses the random number
			functions provided by the crypto library (i.e.,
			OpenSSL or a PKCS#11 provider) as a source of
			randomness rather than /dev/random.  This is
			suitable for virtual machine environments
			which have limited entropy pools and lack
			hardware random number generators.

			This can be overridden by specifying another
			entropy source via the "random-device" option
			in named.conf, or via the -r command line option;
			however, for functions requiring full cryptographic
			strength, such as DNSSEC key generation, this
			cannot be overridden. In particular, the -r
			command line option no longer has any effect on
			dnssec-keygen.

			This can be disabled by building with
			"configure --disable-crypto-rand".
			[RT #31459] [RT #46047]
This commit is contained in:
Evan Hunt
2017-09-28 10:09:22 -07:00
parent 86e5d14e82
commit 24172bd2ee
24 changed files with 242 additions and 131 deletions


@@ -269,8 +269,9 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
#endif
#if defined(OPENSSL) || defined(PKCS11CRYPTO)
#ifdef ISC_PLATFORM_CRYPTORANDOM
if (dst_entropy_pool != NULL)
if (dst_entropy_pool != NULL) {
isc_entropy_sethook(dst_random_getdata);
}
#endif
#endif /* defined(OPENSSL) || defined(PKCS11CRYPTO) */
dst_initialized = ISC_TRUE;
@@ -2007,10 +2008,12 @@ dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t pseudo) {
else
flags |= ISC_ENTROPY_BLOCKING;
#ifdef ISC_PLATFORM_CRYPTORANDOM
/* get entropy directly from crypto provider */
return (dst_random_getdata(buf, len, NULL, flags));
#else
/* get entropy from entropy source or hook function */
return (isc_entropy_getdata(dst_entropy_pool, buf, len, NULL, flags));
#endif
#endif /* ISC_PLATFORM_CRYPTORANDOM */
#endif /* PKCS11CRYPTO */
}
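Review bot: The `#endif /* ISC_PLATFORM_CRYPTORANDOM */` line near the end of the dst__entropy_getdata hunk labels the wrong conditional: the `#ifdef ISC_PLATFORM_CRYPTORANDOM` opened in this hunk is already closed by the unlabelled `#endif` directly above it, so the labelled one closes a conditional opened before the hunk starts, whose identity is not visible here; the start of dst__entropy_getdata is outside the hunk. Swap the labels so each names the block it closes, e.g. `#endif /* ISC_PLATFORM_CRYPTORANDOM */` on the inner one and the outer one relabelled to the condition actually opened above, once confirmed against the preceding lines. Separately, the new `return (dst_random_getdata(buf, len, NULL, flags));` branch never consults `dst_entropy_pool`, while the dst_lib_init2 hunk only installs the hook when that pool is non-NULL, and whether `dst_random_getdata` honours the ISC_ENTROPY_PARTIAL/BLOCKING bits it is handed is not shown; a one-line comment at the call such as `/* pool is bypassed here; flags are forwarded for the provider to interpret */` would spare the next reader the same question.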