[master] completed and corrected the crypto-random change

4724. [func] By default, BIND now uses the random number functions provided by the crypto library (i.e., OpenSSL or a PKCS#11 provider) as a source of randomness rather than /dev/random. This is suitable for virtual machine environments which have limited entropy pools and lack hardware random number generators. This can be overridden by specifying another entropy source via the "random-device" option in named.conf, or via the -r command line option; however, for functions requiring full cryptographic strength, such as DNSSEC key generation, this cannot be overridden. In particular, the -r command line option no longer has any effect on dnssec-keygen. This can be disabled by building with "configure --disable-crypto-rand". [RT #31459] [RT #46047]
2025-08-31 06:25:31 +00:00 · 2017-09-28 10:09:22 -07:00
parent 86e5d14e82
commit 24172bd2ee
24 changed files with 242 additions and 131 deletions
--- a/lib/dns/openssl_link.c
+++ b/lib/dns/openssl_link.c
@@ -485,7 +485,8 @@ dst__openssl_getengine(const char *engine) {

 isc_result_t
 dst_random_getdata(void *data, unsigned int length,
-		   unsigned int *returned, unsigned int flags) {
+		   unsigned int *returned, unsigned int flags)
+{
 #ifdef ISC_PLATFORM_CRYPTORANDOM
 #ifndef DONT_REQUIRE_DST_LIB_INIT
 	INSIST(dst__memory_pool != NULL);