diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c index 4de31a0772..a73c2f22b7 100644 --- a/bin/confgen/keygen.c +++ b/bin/confgen/keygen.c @@ -155,6 +155,13 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg, randomfile = NULL; open_keyboard = ISC_ENTROPY_KEYBOARDYES; } +#ifdef ISC_PLATFORM_CRYPTORANDOM + if (randomfile != NULL && + strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { + randomfile = NULL; + isc_entropy_usehook(ectx, ISC_TRUE); + } +#endif DO("start entropy source", isc_entropy_usebestsource(ectx, &entropy_source, randomfile, diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c index 43dcce8236..ad44c3c28d 100644 --- a/bin/dnssec/dnssec-dsfromkey.c +++ b/bin/dnssec/dnssec-dsfromkey.c @@ -494,14 +494,14 @@ main(int argc, char **argv) { if (ectx == NULL) setup_entropy(mctx, NULL, &ectx); - result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); - if (result != ISC_R_SUCCESS) - fatal("could not initialize hash"); result = dst_lib_init(mctx, ectx, ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY); if (result != ISC_R_SUCCESS) fatal("could not initialize dst: %s", isc_result_totext(result)); + result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); + if (result != ISC_R_SUCCESS) + fatal("could not initialize hash"); isc_entropy_stopcallbacksources(ectx); setup_logging(mctx, &log); @@ -563,8 +563,8 @@ main(int argc, char **argv) { if (dns_rdataset_isassociated(&rdataset)) dns_rdataset_disassociate(&rdataset); cleanup_logging(&log); - dst_lib_destroy(); isc_hash_destroy(); + dst_lib_destroy(); cleanup_entropy(&ectx); dns_name_destroy(); if (verbose > 10) diff --git a/bin/dnssec/dnssec-importkey.c b/bin/dnssec/dnssec-importkey.c index 05b00000c6..95558267e1 100644 --- a/bin/dnssec/dnssec-importkey.c +++ b/bin/dnssec/dnssec-importkey.c @@ -405,14 +405,14 @@ main(int argc, char **argv) { if (ectx == NULL) setup_entropy(mctx, NULL, &ectx); - result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); - if (result != ISC_R_SUCCESS) - fatal("could not initialize hash"); result = dst_lib_init(mctx, ectx, ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY); if (result != ISC_R_SUCCESS) fatal("could not initialize dst: %s", isc_result_totext(result)); + result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); + if (result != ISC_R_SUCCESS) + fatal("could not initialize hash"); isc_entropy_stopcallbacksources(ectx); setup_logging(mctx, &log); @@ -456,8 +456,8 @@ main(int argc, char **argv) { if (dns_rdataset_isassociated(&rdataset)) dns_rdataset_disassociate(&rdataset); cleanup_logging(&log); - dst_lib_destroy(); isc_hash_destroy(); + dst_lib_destroy(); cleanup_entropy(&ectx); dns_name_destroy(); if (verbose > 10) diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c index 437e1530b8..70998e8546 100644 --- a/bin/dnssec/dnssec-revoke.c +++ b/bin/dnssec/dnssec-revoke.c @@ -179,14 +179,14 @@ main(int argc, char **argv) { if (ectx == NULL) setup_entropy(mctx, NULL, &ectx); - result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); - if (result != ISC_R_SUCCESS) - fatal("Could not initialize hash"); result = dst_lib_init2(mctx, ectx, engine, ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY); if (result != ISC_R_SUCCESS) fatal("Could not initialize dst: %s", isc_result_totext(result)); + result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); + if (result != ISC_R_SUCCESS) + fatal("Could not initialize hash"); isc_entropy_stopcallbacksources(ectx); result = dst_key_fromnamedfile(filename, dir, @@ -268,8 +268,8 @@ main(int argc, char **argv) { cleanup: dst_key_free(&key); - dst_lib_destroy(); isc_hash_destroy(); + dst_lib_destroy(); cleanup_entropy(&ectx); if (verbose > 10) isc_mem_stats(mctx, stdout); diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c index a51fd453f0..f5bf724e1f 100644 --- a/bin/dnssec/dnssec-settime.c +++ b/bin/dnssec/dnssec-settime.c @@ -377,14 +377,14 @@ main(int argc, char **argv) { if (ectx == NULL) setup_entropy(mctx, NULL, &ectx); - result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); - if (result != ISC_R_SUCCESS) - fatal("Could not initialize hash"); result = dst_lib_init2(mctx, ectx, engine, ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY); if (result != ISC_R_SUCCESS) fatal("Could not initialize dst: %s", isc_result_totext(result)); + result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); + if (result != ISC_R_SUCCESS) + fatal("Could not initialize hash"); isc_entropy_stopcallbacksources(ectx); if (predecessor != NULL) { @@ -669,8 +669,8 @@ main(int argc, char **argv) { if (prevkey != NULL) dst_key_free(&prevkey); dst_key_free(&key); - dst_lib_destroy(); isc_hash_destroy(); + dst_lib_destroy(); cleanup_entropy(&ectx); if (verbose > 10) isc_mem_stats(mctx, stdout); diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index 47759558e5..9fcd5f8e33 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c @@ -3431,14 +3431,15 @@ main(int argc, char *argv[]) { if (!pseudorandom) eflags |= ISC_ENTROPY_GOODONLY; - result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); - if (result != ISC_R_SUCCESS) - fatal("could not create hash context"); - result = dst_lib_init2(mctx, ectx, engine, eflags); if (result != ISC_R_SUCCESS) fatal("could not initialize dst: %s", isc_result_totext(result)); + + result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); + if (result != ISC_R_SUCCESS) + fatal("could not create hash context"); + isc_stdtime_get(&now); if (startstr != NULL) { @@ -3845,8 +3846,8 @@ main(int argc, char *argv[]) { dns_master_styledestroy(&dsstyle, mctx); cleanup_logging(&log); - dst_lib_destroy(); isc_hash_destroy(); + dst_lib_destroy(); cleanup_entropy(&ectx); dns_name_destroy(); if (verbose > 10) diff --git a/bin/dnssec/dnssec-verify.c b/bin/dnssec/dnssec-verify.c index cbf319dea4..c5f394efe5 100644 --- a/bin/dnssec/dnssec-verify.c +++ b/bin/dnssec/dnssec-verify.c @@ -278,15 +278,15 @@ main(int argc, char *argv[]) { if (ectx == NULL) setup_entropy(mctx, NULL, &ectx); - result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); - if (result != ISC_R_SUCCESS) - fatal("could not create hash context"); - result = dst_lib_init2(mctx, ectx, engine, ISC_ENTROPY_BLOCKING); if (result != ISC_R_SUCCESS) fatal("could not initialize dst: %s", isc_result_totext(result)); + result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); + if (result != ISC_R_SUCCESS) + fatal("could not create hash context"); + isc_stdtime_get(&now); rdclass = strtoclass(classname); diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c index dc05b74563..fc763e9781 100644 --- a/bin/dnssec/dnssectool.c +++ b/bin/dnssec/dnssectool.c @@ -29,6 +29,7 @@ #include #include #include +#include #include #include #include @@ -228,7 +229,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { if (*ectx == NULL) { result = isc_entropy_create(mctx, ectx); if (result != ISC_R_SUCCESS) - fatal("could not create entropy object"); + fatal("could not create entropy object: %s", + isc_result_totext(result)); ISC_LIST_INIT(sources); } @@ -237,6 +239,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { randomfile = NULL; } +#ifdef ISC_PLATFORM_CRYPTORANDOM + if (randomfile != NULL && + strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { + randomfile = NULL; + isc_entropy_usehook(*ectx, ISC_TRUE); + } +#endif result = isc_entropy_usebestsource(*ectx, &source, randomfile, usekeyboard); diff --git a/bin/named/server.c b/bin/named/server.c index 323e7f526c..34b39a66f2 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -31,6 +31,7 @@ #include #include #include +#include #include #include #include @@ -8293,6 +8294,10 @@ load_configuration(const char *filename, named_server_t *server, "no source of entropy found"); } else { const char *randomdev = cfg_obj_asstring(obj); +#ifdef ISC_PLATFORM_CRYPTORANDOM + if (strcmp(randomdev, ISC_PLATFORM_CRYPTORANDOM) == 0) + isc_entropy_usehook(ns_g_entropy, ISC_TRUE); +#else int level = ISC_LOG_ERROR; result = isc_entropy_createfilesource(named_g_entropy, randomdev); @@ -8326,6 +8331,7 @@ load_configuration(const char *filename, named_server_t *server, } isc_entropy_detach(&named_g_fallbackentropy); } +#endif #endif } } diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c index e5436e753c..61cfce7947 100644 --- a/bin/nsupdate/nsupdate.c +++ b/bin/nsupdate/nsupdate.c @@ -29,6 +29,7 @@ #include #include #include +#include #include #include #include @@ -261,7 +262,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { if (*ectx == NULL) { result = isc_entropy_create(mctx, ectx); if (result != ISC_R_SUCCESS) - fatal("could not create entropy object"); + fatal("could not create entropy object: %s", + isc_result_totext(result)); ISC_LIST_INIT(sources); } @@ -270,6 +272,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { randomfile = NULL; } +#ifdef ISC_PLATFORM_CRYPTORANDOM + if (randomfile != NULL && + strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { + randomfile = NULL; + isc_entropy_usehook(*ectx, ISC_TRUE); + } +#endif result = isc_entropy_usebestsource(*ectx, &source, randomfile, usekeyboard); @@ -955,11 +964,11 @@ setup_system(void) { irs_resconf_destroy(&resconf); - setup_entropy(gmctx, NULL, &entropy); + if (entropy == NULL) + setup_entropy(gmctx, NULL, &entropy); result = isc_hash_create(gmctx, entropy, DNS_NAME_MAXWIRE); check_result(result, "isc_hash_create"); - isc_hash_init(); result = dns_dispatchmgr_create(gmctx, entropy, &dispatchmgr); check_result(result, "dns_dispatchmgr_create"); @@ -983,6 +992,9 @@ setup_system(void) { check_result(result, "dst_lib_init"); is_dst_up = ISC_TRUE; + /* moved after dst_lib_init() */ + isc_hash_init(); + attrmask = DNS_DISPATCHATTR_UDP | DNS_DISPATCHATTR_TCP; attrmask |= DNS_DISPATCHATTR_IPV4 | DNS_DISPATCHATTR_IPV6; diff --git a/bin/tests/system/pipelined/pipequeries.c b/bin/tests/system/pipelined/pipequeries.c index a5bd6c42a2..fa0d5c724b 100644 --- a/bin/tests/system/pipelined/pipequeries.c +++ b/bin/tests/system/pipelined/pipequeries.c @@ -19,6 +19,7 @@ #include #include #include +#include #include #include #include @@ -196,6 +197,7 @@ sendqueries(isc_task_t *task, isc_event_t *event) { int main(int argc, char *argv[]) { + char *randomfile = NULL; isc_sockaddr_t bind_any; struct in_addr inaddr; isc_result_t result; @@ -211,12 +213,16 @@ main(int argc, char *argv[]) { dns_dispatch_t *dispatchv4; dns_view_t *view; - UNUSED(argv); + RUNCHECK(isc_app_start()); - if (argc > 1) + if ((argc == 2) || (argc == 4)) have_src = ISC_TRUE; - RUNCHECK(isc_app_start()); + if ((argc > 2) && (strcmp(argv[1], "-r") == 0)) { + randomfile = argv[2]; + argv += 2; + argc -= 2; + } dns_result_register(); @@ -241,10 +247,18 @@ main(int argc, char *argv[]) { ectx = NULL; RUNCHECK(isc_entropy_create(mctx, &ectx)); - RUNCHECK(isc_entropy_createfilesource(ectx, "../random.data")); - RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); +#ifdef ISC_PLATFORM_CRYPTORANDOM + if (randomfile != NULL && + strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { + randomfile = NULL; + isc_entropy_usehook(ectx, ISC_TRUE); + } +#endif + if (randomfile != NULL) + RUNCHECK(isc_entropy_createfilesource(ectx, randomfile)); RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY)); + RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); taskmgr = NULL; RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr)); @@ -297,8 +311,8 @@ main(int argc, char *argv[]) { isc_task_detach(&task); isc_taskmgr_destroy(&taskmgr); - dst_lib_destroy(); isc_hash_destroy(); + dst_lib_destroy(); isc_entropy_detach(&ectx); isc_log_destroy(&lctx); diff --git a/bin/tests/system/pipelined/tests.sh b/bin/tests/system/pipelined/tests.sh index 4397afa0da..58742f8657 100644 --- a/bin/tests/system/pipelined/tests.sh +++ b/bin/tests/system/pipelined/tests.sh @@ -13,7 +13,7 @@ status=0 echo "I:check pipelined TCP queries" ret=0 -$PIPEQUERIES < input > raw || ret=1 +$PIPEQUERIES -r $RANDFILE < input > raw || ret=1 awk '{ print $1 " " $5 }' < raw > output sort < output > output-sorted diff ref output-sorted || { ret=1 ; echo "I: diff sorted failed"; } @@ -37,7 +37,7 @@ status=`expr $status + $ret` echo "I:check keep-response-order" ret=0 -$PIPEQUERIES ++ < inputb > rawb || ret=1 +$PIPEQUERIES -r $RANDFILE ++ < inputb > rawb || ret=1 awk '{ print $1 " " $5 }' < rawb > outputb diff refb outputb || ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi diff --git a/bin/tests/system/rsabigexponent/bigkey.c b/bin/tests/system/rsabigexponent/bigkey.c index 9c46866197..e60c84b9c0 100644 --- a/bin/tests/system/rsabigexponent/bigkey.c +++ b/bin/tests/system/rsabigexponent/bigkey.c @@ -18,6 +18,7 @@ #include #include #include +#include #include #include #include @@ -181,6 +182,9 @@ main(int argc, char **argv) { CHECK(isc_mem_create(0, 0, &mctx), "isc_mem_create()"); CHECK(isc_entropy_create(mctx, &ectx), "isc_entropy_create()"); +#ifdef ISC_PLATFORM_CRYPTORANDOM + isc_entropy_usehook(ectx, ISC_TRUE); +#endif CHECK(isc_entropy_usebestsource(ectx, &source, "../random.data", ISC_ENTROPY_KEYBOARDNO), diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c index e582dbe171..1f9e1bbba8 100644 --- a/bin/tests/system/tkey/keycreate.c +++ b/bin/tests/system/tkey/keycreate.c @@ -201,6 +201,7 @@ sendquery(isc_task_t *task, isc_event_t *event) { int main(int argc, char *argv[]) { char *ourkeyname; + char *randomfile; isc_taskmgr_t *taskmgr; isc_timermgr_t *timermgr; isc_socketmgr_t *socketmgr; @@ -220,10 +221,21 @@ main(int argc, char *argv[]) { RUNCHECK(isc_app_start()); + randomfile = NULL; + if (argc < 2) { fprintf(stderr, "I:no DH key provided\n"); exit(-1); } + if (strcmp(argv[1], "-r") == 0) { + if (argc < 4) { + fprintf(stderr, "I:no DH key provided\n"); + exit(-1); + } + randomfile = argv[2]; + argv += 2; + argc -= 2; + } ourkeyname = argv[1]; if (argc >= 3) @@ -237,14 +249,22 @@ main(int argc, char *argv[]) { ectx = NULL; RUNCHECK(isc_entropy_create(mctx, &ectx)); - RUNCHECK(isc_entropy_createfilesource(ectx, "../random.data")); - RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); +#ifdef ISC_PLATFORM_CRYPTORANDOM + if (randomfile != NULL && + strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { + randomfile = NULL; + isc_entropy_usehook(ectx, ISC_TRUE); + } +#endif + if (randomfile != NULL) + RUNCHECK(isc_entropy_createfilesource(ectx, randomfile)); log = NULL; logconfig = NULL; RUNCHECK(isc_log_create(mctx, &log, &logconfig)); RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY)); + RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); taskmgr = NULL; RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr)); @@ -323,8 +343,8 @@ main(int argc, char *argv[]) { isc_log_destroy(&log); - dst_lib_destroy(); isc_hash_destroy(); + dst_lib_destroy(); isc_entropy_detach(&ectx); isc_mem_destroy(&mctx); diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c index cf1fae75da..40a83b1ed7 100644 --- a/bin/tests/system/tkey/keydelete.c +++ b/bin/tests/system/tkey/keydelete.c @@ -134,6 +134,7 @@ sendquery(isc_task_t *task, isc_event_t *event) { int main(int argc, char **argv) { char *keyname; + char *randomfile; isc_taskmgr_t *taskmgr; isc_timermgr_t *timermgr; isc_socketmgr_t *socketmgr; @@ -154,10 +155,21 @@ main(int argc, char **argv) { RUNCHECK(isc_app_start()); + randomfile = NULL; + if (argc < 2) { fprintf(stderr, "I:no key to delete\n"); exit(-1); } + if (strcmp(argv[1], "-r") == 0) { + if (argc < 4) { + fprintf(stderr, "I:no DH key provided\n"); + exit(-1); + } + randomfile = argv[2]; + argv += 2; + argc -= 2; + } keyname = argv[1]; dns_result_register(); @@ -167,14 +179,22 @@ main(int argc, char **argv) { ectx = NULL; RUNCHECK(isc_entropy_create(mctx, &ectx)); - RUNCHECK(isc_entropy_createfilesource(ectx, "../random.data")); - RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); +#ifdef ISC_PLATFORM_CRYPTORANDOM + if (randomfile != NULL && + strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { + randomfile = NULL; + isc_entropy_usehook(ectx, ISC_TRUE); + } +#endif + if (randomfile != NULL) + RUNCHECK(isc_entropy_createfilesource(ectx, randomfile)); log = NULL; logconfig = NULL; RUNCHECK(isc_log_create(mctx, &log, &logconfig)); RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY)); + RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); taskmgr = NULL; RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr)); @@ -257,8 +277,8 @@ main(int argc, char **argv) { isc_log_destroy(&log); - dst_lib_destroy(); isc_hash_destroy(); + dst_lib_destroy(); isc_entropy_detach(&ectx); isc_mem_destroy(&mctx); diff --git a/bin/tests/system/tkey/tests.sh b/bin/tests/system/tkey/tests.sh index 0f7c22b05e..2601d7d39c 100644 --- a/bin/tests/system/tkey/tests.sh +++ b/bin/tests/system/tkey/tests.sh @@ -28,7 +28,7 @@ for owner in . foo.example. do echo "I:creating new key using owner name \"$owner\"" ret=0 - keyname=`$KEYCREATE $dhkeyname $owner` || ret=1 + keyname=`$KEYCREATE -r $RANDFILE $dhkeyname $owner` || ret=1 if [ $ret != 0 ]; then echo "I:failed" status=`expr $status + $ret` @@ -50,7 +50,7 @@ do echo "I:deleting new key" ret=0 - $KEYDELETE $keyname || ret=1 + $KEYDELETE -r $RANDFILE $keyname || ret=1 if [ $ret != 0 ]; then echo "I:failed" fi @@ -70,7 +70,7 @@ done echo "I:creating new key using owner name bar.example." ret=0 -keyname=`$KEYCREATE $dhkeyname bar.example.` || ret=1 +keyname=`$KEYCREATE -r $RANDFILE $dhkeyname bar.example.` || ret=1 if [ $ret != 0 ]; then echo "I:failed" status=`expr $status + $ret` @@ -111,7 +111,7 @@ status=`expr $status + $ret` echo "I:recreating the bar.example. key" ret=0 -keyname=`$KEYCREATE $dhkeyname bar.example.` || ret=1 +keyname=`$KEYCREATE -r $RANDFILE $dhkeyname bar.example.` || ret=1 if [ $ret != 0 ]; then echo "I:failed" status=`expr $status + $ret` diff --git a/configure b/configure index 0fc239ef11..67151758f6 100755 --- a/configure +++ b/configure @@ -794,6 +794,7 @@ XMLSTATS NZDTARGETS NZDSRCS NZD_TOOLS +ISC_PLATFORM_CRYPTORANDOM PKCS11_TEST PKCS11_ED25519 PKCS11_GOST @@ -935,6 +936,7 @@ infodir docdir oldincludedir includedir +runstatedir localstatedir sharedstatedir sysconfdir @@ -1001,6 +1003,7 @@ with_aes enable_openssl_hash with_cc_alg enable_openssl_version_check +enable_crypto_rand with_lmdb with_libxml2 with_libjson @@ -1096,6 +1099,7 @@ datadir='${datarootdir}' sysconfdir='${prefix}/etc' sharedstatedir='${prefix}/com' localstatedir='${prefix}/var' +runstatedir='${localstatedir}/run' includedir='${prefix}/include' oldincludedir='/usr/include' docdir='${datarootdir}/doc/${PACKAGE_TARNAME}' @@ -1348,6 +1352,15 @@ do | -silent | --silent | --silen | --sile | --sil) silent=yes ;; + -runstatedir | --runstatedir | --runstatedi | --runstated \ + | --runstate | --runstat | --runsta | --runst | --runs \ + | --run | --ru | --r) + ac_prev=runstatedir ;; + -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \ + | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \ + | --run=* | --ru=* | --r=*) + runstatedir=$ac_optarg ;; + -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) ac_prev=sbindir ;; -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ @@ -1485,7 +1498,7 @@ fi for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ datadir sysconfdir sharedstatedir localstatedir includedir \ oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ - libdir localedir mandir + libdir localedir mandir runstatedir do eval ac_val=\$$ac_var # Remove trailing slashes. @@ -1638,6 +1651,7 @@ Fine tuning of the installation directories: --sysconfdir=DIR read-only single-machine data [PREFIX/etc] --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] --localstatedir=DIR modifiable single-machine data [PREFIX/var] + --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run] --libdir=DIR object code libraries [EPREFIX/lib] --includedir=DIR C header files [PREFIX/include] --oldincludedir=DIR C header files for non-gcc [/usr/include] @@ -1694,6 +1708,7 @@ Optional Features: --enable-openssl-hash use OpenSSL for hash functions [default=yes] --enable-openssl-version-check check OpenSSL version [default=yes] + --enable-crypto-rand use the crypto provider for random [default=yes] --enable-largefile 64-bit file support --enable-backtrace log stack backtrace on abort [default=yes] --enable-symtable use internal symbol table for backtrace @@ -15936,6 +15951,7 @@ case "$use_openssl" in $as_echo "disabled because of native PKCS11" >&6; } DST_OPENSSL_INC="" CRYPTO="-DPKCS11CRYPTO" + CRYPTOLIB="pkcs11" OPENSSLEDDSALINKOBJS="" OPENSSLEDDSALINKSRS="" OPENSSLGOSTLINKOBJS="" @@ -15948,6 +15964,7 @@ $as_echo "disabled because of native PKCS11" >&6; } $as_echo "no" >&6; } DST_OPENSSL_INC="" CRYPTO="" + CRYPTOLIB="" OPENSSLEDDSALINKOBJS="" OPENSSLEDDSALINKSRS="" OPENSSLGOSTLINKOBJS="" @@ -15958,6 +15975,7 @@ $as_echo "no" >&6; } auto) DST_OPENSSL_INC="" CRYPTO="" + CRYPTOLIB="" OPENSSLEDDSALINKOBJS="" OPENSSLEDDSALINKSRS="" OPENSSLGOSTLINKOBJS="" @@ -15965,7 +15983,7 @@ $as_echo "no" >&6; } OPENSSLLINKOBJS="" OPENSSLLINKSRCS="" as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path -If you don't want OpenSSL, use --without-openssl" "$LINENO" 5 +If you do not want OpenSSL, use --without-openssl" "$LINENO" 5 ;; *) if test "yes" = "$want_native_pkcs11" @@ -15996,6 +16014,7 @@ $as_echo "not found" >&6; } as_fn_error $? "\"$use_openssl/include/openssl/opensslv.h\" not found" "$LINENO" 5 fi CRYPTO='-DOPENSSL' + CRYPTOLIB="openssl" if test "/usr" = "$use_openssl" then DST_OPENSSL_INC="" @@ -16639,8 +16658,6 @@ esac # Use OpenSSL for hash functions # -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for using OpenSSL for hash functions" >&5 -$as_echo_n "checking for using OpenSSL for hash functions... " >&6; } ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH" if test "whenossl" = "$want_openssl_hash" then @@ -17023,6 +17040,86 @@ if test "rt" = "$have_clock_gt"; then LIBS="-lrt $LIBS" fi +# +# Use the crypto provider (OpenSSL/PKCS#11) for random functions +# + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for using the crypto library (vs. builtin) for random functions" >&5 +$as_echo_n "checking for using the crypto library (vs. builtin) for random functions... " >&6; } +# Check whether --enable-crypto-rand was given. +if test "${enable_crypto_rand+set}" = set; then : + enableval=$enable_crypto_rand; want_crypto_rand="$enableval" +else + want_crypto_rand="auto" +fi + +if test "$want_crypto_rand" = "auto" +then + case "$CRYPTOLIB" in + "") + want_crypto_rand="no" + ;; + pkcs11) + want_crypto_rand="yes" + ;; + openssl) + saved_cflags="$CFLAGS" + saved_libs="$LIBS" + CFLAGS="$CFLAGS $DST_OPENSSL_INC" + LIBS="$LIBS $DNS_OPENSSL_LIBS" + if test "$cross_compiling" = yes; then : + want_crypto_rand="yes" +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include + +unsigned char buf[128]; + +int main() +{ + if (RAND_bytes(buf, 128) != 1) + return (1); + return (0); +} + +_ACEOF +if ac_fn_c_try_run "$LINENO"; then : + want_crypto_rand="yes" +else + want_crypto_rand="no" +fi +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ + conftest.$ac_objext conftest.beam conftest.$ac_ext +fi + + CFLAGS="$saved_cflags" + LIBS="$saved_libs" + ;; + *) + as_fn_error $? "Unknown crypto library define $CRYPTOLIB" "$LINENO" 5 + ;; + esac +fi +case $want_crypto_rand in + yes) + if test "$CRYPTOLIB" = "" + then + as_fn_error $? "No crypto library for random functions" "$LINENO" 5 + fi + { $as_echo "$as_me:${as_lineno-$LINENO}: result: \"$CRYPTOLIB\"" >&5 +$as_echo "\"$CRYPTOLIB\"" >&6; } + ISC_PLATFORM_CRYPTORANDOM="#define ISC_PLATFORM_CRYPTORANDOM \"$CRYPTOLIB\"" + ;; + no) + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + ISC_PLATFORM_CRYPTORANDOM="#undef ISC_PLATFORM_CRYPTORANDOM" + ;; +esac + + # # was --with-lmdb specified? # @@ -20105,12 +20202,7 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM" ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM" ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM" if test "yes" = "$use_atomic"; then - have_atomic=yes # set default - case "$host" in - i[3456]86-*) - # XXX: some old x86 architectures actually do not support - # (some of) these operations. Do we need stricter checks? - # The cast to long int works around a bug in the HP C Compiler + # The cast to long int works around a bug in the HP C Compiler # version HP92453-01 B.11.11.23709.GP, which incorrectly rejects # declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. # This bug is HP SR number 8606223364. @@ -20143,6 +20235,11 @@ cat >>confdefs.h <<_ACEOF _ACEOF + have_atomic=yes # set default + case "$host" in + i[3456]86-*) + # XXX: some old x86 architectures actually do not support + # (some of) these operations. Do we need stricter checks? if test $ac_cv_sizeof_void_p = 8; then arch=x86_64 have_xaddq=yes @@ -20151,39 +20248,6 @@ _ACEOF fi ;; x86_64-*|amd64-*) - # The cast to long int works around a bug in the HP C Compiler -# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects -# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. -# This bug is HP SR number 8606223364. -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of void *" >&5 -$as_echo_n "checking size of void *... " >&6; } -if ${ac_cv_sizeof_void_p+:} false; then : - $as_echo_n "(cached) " >&6 -else - if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (void *))" "ac_cv_sizeof_void_p" "$ac_includes_default"; then : - -else - if test "$ac_cv_type_void_p" = yes; then - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error 77 "cannot compute sizeof (void *) -See \`config.log' for more details" "$LINENO" 5; } - else - ac_cv_sizeof_void_p=0 - fi -fi - -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_void_p" >&5 -$as_echo "$ac_cv_sizeof_void_p" >&6; } - - - -cat >>confdefs.h <<_ACEOF -#define SIZEOF_VOID_P $ac_cv_sizeof_void_p -_ACEOF - - if test $ac_cv_sizeof_void_p = 8; then arch=x86_64 have_xaddq=yes @@ -26059,6 +26123,8 @@ report() { echo " Very verbose query trace logging (--enable-querytrace)" test "no" = "$atf" || echo " Automated Testing Framework (--with-atf)" + echo " Cryptographic library for DNSSEC: $CRYPTOLIB" + echo " Dynamically loadable zone (DLZ) drivers:" test "no" = "$use_dlz_bdb" || \ echo " Berkeley DB (--with-dlz-bdb)" diff --git a/configure.in b/configure.in index 4c27d498c9..485265db2e 100644 --- a/configure.in +++ b/configure.in @@ -1553,6 +1553,7 @@ case "$use_openssl" in AC_MSG_RESULT(disabled because of native PKCS11) DST_OPENSSL_INC="" CRYPTO="-DPKCS11CRYPTO" + CRYPTOLIB="pkcs11" OPENSSLEDDSALINKOBJS="" OPENSSLEDDSALINKSRS="" OPENSSLGOSTLINKOBJS="" @@ -1564,6 +1565,7 @@ case "$use_openssl" in AC_MSG_RESULT(no) DST_OPENSSL_INC="" CRYPTO="" + CRYPTOLIB="" OPENSSLEDDSALINKOBJS="" OPENSSLEDDSALINKSRS="" OPENSSLGOSTLINKOBJS="" @@ -1574,6 +1576,7 @@ case "$use_openssl" in auto) DST_OPENSSL_INC="" CRYPTO="" + CRYPTOLIB="" OPENSSLEDDSALINKOBJS="" OPENSSLEDDSALINKSRS="" OPENSSLGOSTLINKOBJS="" @@ -1582,7 +1585,7 @@ case "$use_openssl" in OPENSSLLINKSRCS="" AC_MSG_ERROR( [OpenSSL was not found in any of $openssldirs; use --with-openssl=/path -If you don't want OpenSSL, use --without-openssl]) +If you do not want OpenSSL, use --without-openssl]) ;; *) if test "yes" = "$want_native_pkcs11" @@ -1612,6 +1615,7 @@ If you don't want OpenSSL, use --without-openssl]) AC_MSG_ERROR(["$use_openssl/include/openssl/opensslv.h" not found]) fi CRYPTO='-DOPENSSL' + CRYPTOLIB="openssl" if test "/usr" = "$use_openssl" then DST_OPENSSL_INC="" @@ -2077,7 +2081,6 @@ esac # Use OpenSSL for hash functions # -AC_MSG_CHECKING(for using OpenSSL for hash functions) ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH" if test "whenossl" = "$want_openssl_hash" then @@ -2358,6 +2361,67 @@ if test "rt" = "$have_clock_gt"; then LIBS="-lrt $LIBS" fi +# +# Use the crypto provider (OpenSSL/PKCS#11) for random functions +# + +AC_MSG_CHECKING(for using the crypto library (vs. builtin) for random functions) +AC_ARG_ENABLE(crypto-rand, + [ --enable-crypto-rand use the crypto provider for random [[default=yes]]], + want_crypto_rand="$enableval", want_crypto_rand="auto") +if test "$want_crypto_rand" = "auto" +then + case "$CRYPTOLIB" in + "") + want_crypto_rand="no" + ;; + pkcs11) + want_crypto_rand="yes" + ;; + openssl) + saved_cflags="$CFLAGS" + saved_libs="$LIBS" + CFLAGS="$CFLAGS $DST_OPENSSL_INC" + LIBS="$LIBS $DNS_OPENSSL_LIBS" + AC_TRY_RUN([ +#include + +unsigned char buf[128]; + +int main() +{ + if (RAND_bytes(buf, 128) != 1) + return (1); + return (0); +} +], + [want_crypto_rand="yes"], + [want_crypto_rand="no"], + [want_crypto_rand="yes"]) + CFLAGS="$saved_cflags" + LIBS="$saved_libs" + ;; + *) + AC_MSG_ERROR([Unknown crypto library define $CRYPTOLIB]) + ;; + esac +fi +case $want_crypto_rand in + yes) + if test "$CRYPTOLIB" = "" + then + AC_MSG_ERROR([No crypto library for random functions]) + fi + AC_MSG_RESULT(["$CRYPTOLIB"]) + ISC_PLATFORM_CRYPTORANDOM="#define ISC_PLATFORM_CRYPTORANDOM \"$CRYPTOLIB\"" + ;; + no) + AC_MSG_RESULT(no) + ISC_PLATFORM_CRYPTORANDOM="#undef ISC_PLATFORM_CRYPTORANDOM" + ;; +esac +AC_SUBST(ISC_PLATFORM_CRYPTORANDOM) + # # was --with-lmdb specified? # @@ -3979,12 +4043,12 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM" ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM" ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM" if test "yes" = "$use_atomic"; then + AC_CHECK_SIZEOF([void *]) have_atomic=yes # set default case "$host" in [i[3456]86-*]) # XXX: some old x86 architectures actually do not support # (some of) these operations. Do we need stricter checks? - AC_CHECK_SIZEOF([void *]) if test $ac_cv_sizeof_void_p = 8; then arch=x86_64 have_xaddq=yes @@ -3993,7 +4057,6 @@ if test "yes" = "$use_atomic"; then fi ;; x86_64-*|amd64-*) - AC_CHECK_SIZEOF([void *]) if test $ac_cv_sizeof_void_p = 8; then arch=x86_64 have_xaddq=yes @@ -5401,6 +5464,8 @@ report() { echo " Very verbose query trace logging (--enable-querytrace)" test "no" = "$atf" || echo " Automated Testing Framework (--with-atf)" + echo " Cryptographic library for DNSSEC: $CRYPTOLIB" + echo " Dynamically loadable zone (DLZ) drivers:" test "no" = "$use_dlz_bdb" || \ echo " Berkeley DB (--with-dlz-bdb)" diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c index f7c063293d..5496bf4c2c 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c @@ -266,6 +266,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, #ifdef GSSAPI RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI])); #endif +#if defined(OPENSSL) || defined(PKCS11CRYPTO) +#ifdef ISC_PLATFORM_CRYPTORANDOM + if (dst_entropy_pool != NULL) + isc_entropy_sethook(dst_random_getdata); +#endif +#endif /* defined(OPENSSL) || defined(PKCS11CRYPTO) */ dst_initialized = ISC_TRUE; return (ISC_R_SUCCESS); @@ -285,11 +291,19 @@ dst_lib_destroy(void) { for (i = 0; i < DST_MAX_ALGS; i++) if (dst_t_func[i] != NULL && dst_t_func[i]->cleanup != NULL) dst_t_func[i]->cleanup(); +#if defined(OPENSSL) || defined(PKCS11CRYPTO) +#ifdef ISC_PLATFORM_CRYPTORANDOM + if (dst_entropy_pool != NULL) { + isc_entropy_usehook(dst_entropy_pool, ISC_FALSE); + isc_entropy_sethook(NULL); + } +#endif #ifdef OPENSSL dst__openssl_destroy(); #elif PKCS11CRYPTO (void) dst__pkcs11_destroy(); #endif /* if OPENSSL, elif PKCS11CRYPTO */ +#endif /* defined(OPENSSL) || defined(PKCS11CRYPTO) */ if (dst__memory_pool != NULL) isc_mem_detach(&dst__memory_pool); if (dst_entropy_pool != NULL) @@ -1991,13 +2005,17 @@ dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t pseudo) { flags &= ~ISC_ENTROPY_GOODONLY; else flags |= ISC_ENTROPY_BLOCKING; +#ifdef ISC_PLATFORM_CRYPTORANDOM + return (dst_random_getdata(buf, len, NULL, flags)); +#else return (isc_entropy_getdata(dst_entropy_pool, buf, len, NULL, flags)); +#endif #endif /* PKCS11CRYPTO */ } unsigned int dst__entropy_status(void) { -#ifndef PKCS11CRYPTO +#if !defined(PKCS11CRYPTO) && !defined(ISC_PLATFORM_CRYPTORANDOM) #ifdef GSSAPI unsigned int flags = dst_entropy_flags; isc_result_t ret; @@ -2020,6 +2038,7 @@ dst__entropy_status(void) { #endif return (isc_entropy_status(dst_entropy_pool)); #else + /* Doesn't matter as it is not used in this case. */ return (0); #endif } diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h index 61f5f6b16f..cacf6ca15e 100644 --- a/lib/dns/include/dst/dst.h +++ b/lib/dns/include/dst/dst.h @@ -154,6 +154,14 @@ dst_lib_destroy(void); * Releases all resources allocated by DST. */ +isc_result_t +dst_random_getdata(void *data, unsigned int length, + unsigned int *returned, unsigned int flags); +/*%< + * \brief Return data from the crypto random generator. + * Specialization of isc_entropy_getdata(). + */ + isc_boolean_t dst_algorithm_supported(unsigned int alg); /*%< diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c index c8cfad364c..d8973abe21 100644 --- a/lib/dns/openssl_link.c +++ b/lib/dns/openssl_link.c @@ -32,6 +32,7 @@ #include #include #include +#include #include #include #include @@ -47,8 +48,6 @@ #include #endif -static RAND_METHOD *rm = NULL; - #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) static isc_mutex_t *locks = NULL; static int nlocks; @@ -58,6 +57,9 @@ static int nlocks; static ENGINE *e = NULL; #endif +#ifndef ISC_PLATFORM_CRYPTORANDOM +static RAND_METHOD *rm = NULL; + static int entropy_get(unsigned char *buf, int num) { isc_result_t result; @@ -103,6 +105,7 @@ entropy_add(const void *buf, int num, double entropy) { return (1); } #endif +#endif /* !ISC_PLATFORM_CRYPTORANDOM */ #if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) static void @@ -191,7 +194,7 @@ _set_thread_id(CRYPTO_THREADID *id) isc_result_t dst__openssl_init(const char *engine) { isc_result_t result; -#ifdef USE_ENGINE +#if defined(USE_ENGINE) && !defined(ISC_PLATFORM_CRYPTORANDOM) ENGINE *re; #else @@ -222,6 +225,7 @@ dst__openssl_init(const char *engine) { ERR_load_crypto_strings(); #endif +#ifndef ISC_PLATFORM_CRYPTORANDOM rm = mem_alloc(sizeof(RAND_METHOD) FILELINE); if (rm == NULL) { result = ISC_R_NOMEMORY; @@ -233,6 +237,7 @@ dst__openssl_init(const char *engine) { rm->add = entropy_add; rm->pseudorand = entropy_getpseudo; rm->status = entropy_status; +#endif #ifdef USE_ENGINE #if !defined(CONF_MFLAGS_DEFAULT_SECTION) @@ -266,6 +271,7 @@ dst__openssl_init(const char *engine) { } } +#ifndef ISC_PLATFORM_CRYPTORANDOM re = ENGINE_get_default_RAND(); if (re == NULL) { re = ENGINE_new(); @@ -278,9 +284,21 @@ dst__openssl_init(const char *engine) { ENGINE_free(re); } else ENGINE_finish(re); +#endif #else +#ifndef ISC_PLATFORM_CRYPTORANDOM RAND_set_rand_method(rm); +#endif #endif /* USE_ENGINE */ + + /* Protect ourselves against unseeded PRNG */ + if (RAND_status() != 1) { + FATAL_ERROR(__FILE__, __LINE__, + "The OpenSSL pseudo random number generator " + "cannot be initialized (cf the `PRNG not " + "seeded' message in the OpenSSL FAQ)"); + } + return (ISC_R_SUCCESS); #ifdef USE_ENGINE @@ -288,10 +306,14 @@ dst__openssl_init(const char *engine) { if (e != NULL) ENGINE_free(e); e = NULL; +#ifndef ISC_PLATFORM_CRYPTORANDOM mem_free(rm FILELINE); rm = NULL; #endif +#endif +#ifndef ISC_PLATFORM_CRYPTORANDOM cleanup_mutexinit: +#endif #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) CRYPTO_set_locking_callback(NULL); DESTROYMUTEXBLOCK(locks, nlocks); @@ -306,14 +328,17 @@ void dst__openssl_destroy(void) { #if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L) OPENSSL_cleanup(); +#ifndef ISC_PLATFORM_CRYPTORANDOM if (rm != NULL) { mem_free(rm FILELINE); rm = NULL; } +#endif #else /* * Sequence taken from apps_shutdown() in . */ +#ifndef ISC_PLATFORM_CRYPTORANDOM if (rm != NULL) { #if OPENSSL_VERSION_NUMBER >= 0x00907000L RAND_cleanup(); @@ -321,6 +346,7 @@ dst__openssl_destroy(void) { mem_free(rm FILELINE); rm = NULL; } +#endif #if (OPENSSL_VERSION_NUMBER >= 0x00907000L) CONF_modules_free(); #endif @@ -456,11 +482,45 @@ dst__openssl_getengine(const char *engine) { } #endif -#else /* OPENSSL */ +isc_result_t +dst_random_getdata(void *data, unsigned int length, + unsigned int *returned, unsigned int flags) { +#ifdef ISC_PLATFORM_CRYPTORANDOM +#ifndef DONT_REQUIRE_DST_LIB_INIT + INSIST(dst__memory_pool != NULL); +#endif + REQUIRE(data != NULL); + REQUIRE(length > 0); -#include +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) + if ((flags & ISC_ENTROPY_GOODONLY) == 0) { + if (RAND_pseudo_bytes((unsigned char *)data, (int)length) < 0) + return (dst__openssl_toresult2("RAND_pseudo_bytes", + DST_R_OPENSSLFAILURE)); + } else { + if (RAND_bytes((unsigned char *)data, (int)length) != 1) + return (dst__openssl_toresult2("RAND_bytes", + DST_R_OPENSSLFAILURE)); + } +#else + UNUSED(flags); -EMPTY_TRANSLATION_UNIT + if (RAND_bytes((unsigned char *)data, (int)length) != 1) + return (dst__openssl_toresult2("RAND_bytes", + DST_R_OPENSSLFAILURE)); +#endif + if (returned != NULL) + *returned = length; + return (ISC_R_SUCCESS); +#else + UNUSED(data); + UNUSED(length); + UNUSED(returned); + UNUSED(flags); + + return (ISC_R_NOTIMPLEMENTED); +#endif +} #endif /* OPENSSL */ /*! \file */ diff --git a/lib/dns/pkcs11.c b/lib/dns/pkcs11.c index ccb520eabf..f4ef24546e 100644 --- a/lib/dns/pkcs11.c +++ b/lib/dns/pkcs11.c @@ -10,12 +10,15 @@ #include +#include + #include #include #include #include +#include "dst_internal.h" #include "dst_pkcs11.h" isc_result_t @@ -31,12 +34,47 @@ dst__pkcs11_toresult(const char *funcname, const char *file, int line, return (fallback); } +isc_result_t +dst_random_getdata(void *data, unsigned int length, + unsigned int *returned, unsigned int flags) { +#ifdef ISC_PLATFORM_CRYPTORANDOM + isc_result_t ret; + +#ifndef DONT_REQUIRE_DST_LIB_INIT + INSIST(dst__memory_pool != NULL); +#endif + REQUIRE(data != NULL); + REQUIRE(length > 0); + UNUSED(flags); + + ret = pk11_rand_bytes(data, (int) length); + if ((ret == ISC_R_SUCCESS) && (returned != NULL)) + *returned = length; + return (ret); +#else + UNUSED(data); + UNUSED(length); + UNUSED(returned); + UNUSED(flags); + + return (ISC_R_NOTIMPLEMENTED); +#endif +} #else /* PKCS11CRYPTO */ #include -EMPTY_TRANSLATION_UNIT +isc_result_t +dst_random_getdata(void *data, unsigned int length, + unsigned int *returned, unsigned int flags) { + UNUSED(data); + UNUSED(length); + UNUSED(returned); + UNUSED(flags); + + return (ISC_R_NOTIMPLEMENTED); +} #endif /* PKCS11CRYPTO */ /*! \file */ diff --git a/lib/dns/tests/Makefile.in b/lib/dns/tests/Makefile.in index 1d783c4a85..8ac2f9a913 100644 --- a/lib/dns/tests/Makefile.in +++ b/lib/dns/tests/Makefile.in @@ -36,6 +36,7 @@ SRCS = acl_test.c \ dispatch_test.c \ dnstap_test.c \ dnstest.c \ + dstrandom_test.c \ geoip_test.c \ gost_test.c \ keytable_test.c \ @@ -65,6 +66,7 @@ TARGETS = acl_test@EXEEXT@ \ dh_test@EXEEXT@ \ dispatch_test@EXEEXT@ \ dnstap_test@EXEEXT@ \ + dstrandom_test@EXEEXT@ \ geoip_test@EXEEXT@ \ gost_test@EXEEXT@ \ keytable_test@EXEEXT@ \ @@ -231,6 +233,11 @@ zt_test@EXEEXT@: zt_test.@O@ dnstest.@O@ \ zt_test.@O@ dnstest.@O@ ${DNSLIBS} \ ${ISCLIBS} ${LIBS} +dstrandom_test@EXEEXT@: dstrandom_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ + dstrandom_test.@O@ ${DNSLIBS} \ + ${ISCLIBS} ${ISCPK11LIBS} ${LIBS} + unit:: sh ${top_srcdir}/unit/unittest.sh diff --git a/lib/dns/tests/dnstest.c b/lib/dns/tests/dnstest.c index 260ec6f939..092c155ee1 100644 --- a/lib/dns/tests/dnstest.c +++ b/lib/dns/tests/dnstest.c @@ -116,12 +116,12 @@ dns_test_begin(FILE *logfile, isc_boolean_t start_managers) { CHECK(isc_mem_create(0, 0, &mctx)); CHECK(isc_entropy_create(mctx, &ectx)); - CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); - hash_active = ISC_TRUE; - CHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_BLOCKING)); dst_active = ISC_TRUE; + CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); + hash_active = ISC_TRUE; + if (logfile != NULL) { isc_logdestination_t destination; isc_logconfig_t *logconfig = NULL; @@ -165,14 +165,14 @@ dns_test_begin(FILE *logfile, isc_boolean_t start_managers) { void dns_test_end(void) { - if (dst_active) { - dst_lib_destroy(); - dst_active = ISC_FALSE; - } if (hash_active) { isc_hash_destroy(); hash_active = ISC_FALSE; } + if (dst_active) { + dst_lib_destroy(); + dst_active = ISC_FALSE; + } if (ectx != NULL) isc_entropy_detach(&ectx); diff --git a/lib/dns/tests/dstrandom_test.c b/lib/dns/tests/dstrandom_test.c new file mode 100644 index 0000000000..d2c72e7685 --- /dev/null +++ b/lib/dns/tests/dstrandom_test.c @@ -0,0 +1,105 @@ +/* + * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/* $Id$ */ + +/*! \file */ + +#include + +#include + +#include +#include + +#include +#include +#include +#include + +#include + +isc_mem_t *mctx = NULL; +isc_entropy_t *ectx = NULL; +unsigned char buffer[128]; + +ATF_TC(isc_entropy_getdata); +ATF_TC_HEAD(isc_entropy_getdata, tc) { + atf_tc_set_md_var(tc, "descr", + "isc_entropy_getdata() examples"); + atf_tc_set_md_var(tc, "X-randomfile", + "testdata/dstrandom/random.data"); +} +ATF_TC_BODY(isc_entropy_getdata, tc) { + isc_result_t result; + unsigned int returned, status; + int ret; + const char *randomfile = atf_tc_get_md_var(tc, "X-randomfile"); + + isc_mem_debugging |= ISC_MEM_DEBUGRECORD; + result = isc_mem_create(0, 0, &mctx); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + result = isc_entropy_create(mctx, &ectx); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + result = dst_lib_init(mctx, ectx, 0); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + +#ifdef ISC_PLATFORM_CRYPTORANDOM + isc_entropy_usehook(ectx, ISC_TRUE); + + returned = 0; + result = isc_entropy_getdata(ectx, buffer, sizeof(buffer), + &returned, 0); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + ATF_REQUIRE(returned == sizeof(buffer)); + + status = isc_entropy_status(ectx); + ATF_REQUIRE_EQ(status, 0); + + isc_entropy_usehook(ectx, ISC_FALSE); +#endif + + ret = chdir(TESTS); + ATF_REQUIRE_EQ(ret, 0); + + result = isc_entropy_createfilesource(ectx, randomfile); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + + returned = 0; + result = isc_entropy_getdata(ectx, buffer, sizeof(buffer), + &returned, 0); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + ATF_REQUIRE(returned == sizeof(buffer)); + + status = isc_entropy_status(ectx); + ATF_REQUIRE(status > 0); + + dst_lib_destroy(); + isc_entropy_detach(&ectx); + ATF_REQUIRE(ectx == NULL); + isc_mem_destroy(&mctx); + ATF_REQUIRE(mctx == NULL); +} + +/* + * Main + */ +ATF_TP_ADD_TCS(tp) { + ATF_TP_ADD_TC(tp, isc_entropy_getdata); + + return (atf_no_error()); +} + diff --git a/lib/dns/tests/testdata/dstrandom/random.data b/lib/dns/tests/testdata/dstrandom/random.data new file mode 100644 index 0000000000..354add021c Binary files /dev/null and b/lib/dns/tests/testdata/dstrandom/random.data differ diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in index 80f51aa13a..9118392d03 100644 --- a/lib/dns/win32/libdns.def.in +++ b/lib/dns/win32/libdns.def.in @@ -1463,6 +1463,13 @@ dst_lib_destroy dst_lib_init dst_lib_init2 dst_lib_initmsgcat +@IF PKCS11 +dst_random_getdata +@ELSE PKCS11 +@IF OPENSSL +dst_random_getdata +@END OPENSSL +@END PKCS11 dst_region_computeid dst_region_computerid dst_result_register diff --git a/lib/isc/entropy.c b/lib/isc/entropy.c index e8d406ba21..65278b9bee 100644 --- a/lib/isc/entropy.c +++ b/lib/isc/entropy.c @@ -100,11 +100,15 @@ struct isc_entropy { isc_uint32_t initialized; isc_uint32_t initcount; isc_entropypool_t pool; + isc_boolean_t usehook; unsigned int nsources; isc_entropysource_t *nextsource; ISC_LIST(isc_entropysource_t) sources; }; +/*% Global Hook */ +static isc_entropy_getdata_t hook; + /*% Sample Queue */ typedef struct { isc_uint32_t last_time; /*%< last time recorded */ @@ -553,6 +557,11 @@ isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length, LOCK(&ent->lock); + if (ent->usehook && (hook != NULL)) { + UNLOCK(&ent->lock); + return (hook(data, length, returned, flags)); + } + remain = length; buf = data; total = 0; @@ -704,6 +713,7 @@ isc_entropy_create(isc_mem_t *mctx, isc_entropy_t **entp) { ent->refcnt = 1; ent->initialized = 0; ent->initcount = 0; + ent->usehook = ISC_FALSE; ent->magic = ENTROPY_MAGIC; isc_entropypool_init(&ent->pool); @@ -1284,3 +1294,17 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source, */ return (final_result); } + +void +isc_entropy_usehook(isc_entropy_t *ectx, isc_boolean_t onoff) { + REQUIRE(VALID_ENTROPY(ectx)); + + LOCK(&ectx->lock); + ectx->usehook = onoff; + UNLOCK(&ectx->lock); +} + +void +isc_entropy_sethook(isc_entropy_getdata_t myhook) { + hook = myhook; +} diff --git a/lib/isc/include/isc/entropy.h b/lib/isc/include/isc/entropy.h index 18707429f2..32d5e653d3 100644 --- a/lib/isc/include/isc/entropy.h +++ b/lib/isc/include/isc/entropy.h @@ -300,6 +300,18 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source, * isc_entropy_createcallbacksource(). */ +void +isc_entropy_usehook(isc_entropy_t *ectx, isc_boolean_t onoff); +/*!< + * \brief Mark/unmark the given entropy structure as being hooked. + */ + +void +isc_entropy_sethook(isc_entropy_getdata_t myhook); +/*!< + * \brief Set the getdata hook (e.g., for a crypto random generator). + */ + ISC_LANG_ENDDECLS #endif /* ISC_ENTROPY_H */ diff --git a/lib/isc/include/isc/platform.h.in b/lib/isc/include/isc/platform.h.in index d4128a9846..f648dffa5d 100644 --- a/lib/isc/include/isc/platform.h.in +++ b/lib/isc/include/isc/platform.h.in @@ -331,6 +331,11 @@ */ @ISC_PLATFORM_HAVESTRINGSH@ +/* + * Define if the random functions are provided by crypto. + */ +@ISC_PLATFORM_CRYPTORANDOM@ + /* * Define if the hash functions must be provided by OpenSSL. */ diff --git a/lib/isc/include/isc/types.h b/lib/isc/include/isc/types.h index 6679bbc43c..dbcf8e85ab 100644 --- a/lib/isc/include/isc/types.h +++ b/lib/isc/include/isc/types.h @@ -90,6 +90,8 @@ typedef struct isc_time isc_time_t; /*%< Time */ typedef struct isc_timer isc_timer_t; /*%< Timer */ typedef struct isc_timermgr isc_timermgr_t; /*%< Timer Manager */ +typedef isc_result_t (*isc_entropy_getdata_t)(void *, unsigned int, + unsigned int *, unsigned int); typedef void (*isc_taskaction_t)(isc_task_t *, isc_event_t *); typedef int (*isc_sockfdwatch_t)(isc_task_t *, isc_socket_t *, void *, int); diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c index a7347d1d2d..ca1496235f 100644 --- a/lib/isc/pk11.c +++ b/lib/isc/pk11.c @@ -318,14 +318,16 @@ pk11_rand_seed_fromfile(const char *randomfile) { ret = isc_stdio_open(randomfile, "r", &stream); if (ret != ISC_R_SUCCESS) goto cleanup; - ret = isc_stdio_read(seed, 1, SEEDSIZE, stream, &cc); - if (ret!= ISC_R_SUCCESS) - goto cleanup; + while (ret == ISC_R_SUCCESS) { + ret = isc_stdio_read(seed, 1, SEEDSIZE, stream, &cc); + if ((ret != ISC_R_SUCCESS) && (ret != ISC_R_EOF)) + goto cleanup; + (void) pkcs_C_SeedRandom(ctx.session, seed, (CK_ULONG) cc); + } ret = isc_stdio_close(stream); stream = NULL; - if (ret!= ISC_R_SUCCESS) + if (ret != ISC_R_SUCCESS) goto cleanup; - (void) pkcs_C_SeedRandom(ctx.session, seed, (CK_ULONG) cc); cleanup: if (stream != NULL) diff --git a/lib/isc/win32/include/isc/platform.h.in b/lib/isc/win32/include/isc/platform.h.in index 77e40a81c8..867718ef99 100644 --- a/lib/isc/win32/include/isc/platform.h.in +++ b/lib/isc/win32/include/isc/platform.h.in @@ -69,6 +69,11 @@ #define ISC_PLATFORM_NORETURN_PRE __declspec(noreturn) #define ISC_PLATFORM_NORETURN_POST +/* + * Define if the random functions are provided by crypto. + */ +@ISC_PLATFORM_CRYPTORANDOM@ + /* * Define if the hash functions must be provided by OpenSSL. */ diff --git a/win32utils/Configure b/win32utils/Configure index be0f02cbcc..b06089cbc3 100644 --- a/win32utils/Configure +++ b/win32utils/Configure @@ -257,6 +257,7 @@ my @substdefh = ("AES_CC", my %configdefp; my @substdefp = ("ISC_PLATFORM_BUSYWAITNOP", + "ISC_PLATFORM_CRYPTORANDOM", "ISC_PLATFORM_HAVEATOMICSTORE", "ISC_PLATFORM_HAVEATOMICSTOREQ", "ISC_PLATFORM_HAVECMPXCHG", @@ -385,7 +386,8 @@ my @allcond = (@substcond, "NOTYET", "NOLONGER"); # enable-xxx/disable-xxx -my @enablelist = ("developer", +my @enablelist = ("crypto-rand", + "developer", "fixed-rrset", "intrinsics", "isc-spnego", @@ -446,6 +448,7 @@ my @help = ( "\nOptional Features:\n", " enable-intrinsics enable instrinsic/atomic functions [default=yes]\n", " enable-native-pkcs11 use native PKCS#11 for all crypto [default=no]\n", +" enable-crypto-rand use crypto provider for random [default=yes]\n", " enable-openssl-hash use OpenSSL for hash functions [default=yes]\n", " enable-isc-spnego use SPNEGO from lib/dns [default=yes]\n", " enable-filter-aaaa enable filtering of AAAA records [default=yes]\n", @@ -489,7 +492,9 @@ my $want_clean = "no"; my $want_unknown = "no"; my $unknown_value; my $enable_intrinsics = "yes"; +my $cryptolib = ""; my $enable_native_pkcs11 = "no"; +my $enable_crypto_rand = "yes"; my $enable_openssl_hash = "auto"; my $enable_filter_aaaa = "yes"; my $enable_isc_spnego = "yes"; @@ -698,6 +703,10 @@ sub myenable { if ($val =~ /^yes$/i) { $enable_native_pkcs11 = "yes"; } + } elsif ($key =~ /^crypto-rand$/i) { + if ($val =~ /^no$/i) { + $enable_crypto_rand = "no"; + } } elsif ($key =~ /^openssl-hash$/i) { if ($val =~ /^yes$/i) { $enable_openssl_hash = "yes"; @@ -981,6 +990,11 @@ if ($verbose) { } else { print "native-pkcs11: disabled\n"; } + if ($enable_crypto_rand eq "yes") { + print "crypto-rand: enabled\n"; + } else { + print "crypto-rand: disabled\n"; + } if ($enable_openssl_hash eq "yes") { print "openssl-hash: enabled\n"; } else { @@ -1324,6 +1338,7 @@ if ($enable_intrinsics eq "yes") { # enable-native-pkcs11 if ($enable_native_pkcs11 eq "yes") { + $cryptolib = "pkcs11"; if ($use_openssl eq "auto") { $use_openssl = "no"; } @@ -1533,6 +1548,7 @@ if ($use_openssl eq "yes") { $openssl_dll = File::Spec->catdir($openssl_path, "@dirlist[0]"); } + $cryptolib = "openssl"; $configcond{"OPENSSL"} = 1; $configdefd{"CRYPTO"} = "OPENSSL"; $configvar{"OPENSSL_PATH"} = "$openssl_path"; @@ -2057,6 +2073,15 @@ if ($cookie_algorithm eq "sha1") { die "Unrecognized cookie algorithm: $cookie_algorithm\n"; } +# enable-crypto-rand +if ($enable_crypto_rand eq "yes") { + if (($use_openssl eq "no") && ($enable_native_pkcs11 eq "no")) { + die "No crypto provider for random functions\n"; + } + $configdefp{"ISC_PLATFORM_CRYPTORANDOM"} = "\"$cryptolib\""; +} +print "Cryptographic library for DNSSEC: $cryptolib"; + # enable-openssl-hash if ($enable_openssl_hash eq "yes") { if ($use_openssl eq "no") { @@ -3375,6 +3400,7 @@ exit 0; # --enable-developer partially supported # --enable-newstats (9.9/9.9sub only) # --enable-native-pkcs11 supported +# --enable-crypto-rand supported # --enable-openssl-version-check included without a way to disable it # --enable-openssl-hash supported # --enable-threads included without a way to disable it @@ -3400,6 +3426,7 @@ exit 0; # --with-gost supported # --with-aes supported # --with-cc-alg supported +# --with-randomdev not supported on WIN32 (makes no sense) # --with-geoip supported # --with-gssapi supported with MIT (K)erberos (f)or (W)indows # --with-lmdb no supported on WIN32 (port is not reliable)