mirror of
https://gitlab.isc.org/isc-projects/bind9
synced 2025-08-31 14:35:26 +00:00
Always use random data from the crypto provider
This commit is contained in:
Ondřej Surý
@@ -59,56 +59,6 @@ static int nlocks;
|
||||
static ENGINE *e = NULL;
|
||||
#endif
|
||||
|
||||
#ifndef ISC_PLATFORM_CRYPTORANDOM
|
||||
static RAND_METHOD *rm = NULL;
|
||||
|
||||
static int
|
||||
entropy_get(unsigned char *buf, int num) {
|
||||
isc_result_t result;
|
||||
if (num < 0)
|
||||
return (-1);
|
||||
result = dst__entropy_getdata(buf, (unsigned int) num, ISC_FALSE);
|
||||
return (result == ISC_R_SUCCESS ? 1 : -1);
|
||||
}
|
||||
|
||||
static int
|
||||
entropy_status(void) {
|
||||
return (dst__entropy_status() > 32);
|
||||
}
|
||||
|
||||
static int
|
||||
entropy_getpseudo(unsigned char *buf, int num) {
|
||||
isc_result_t result;
|
||||
if (num < 0)
|
||||
return (-1);
|
||||
result = dst__entropy_getdata(buf, (unsigned int) num, ISC_TRUE);
|
||||
return (result == ISC_R_SUCCESS ? 1 : -1);
|
||||
}
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
|
||||
static void
|
||||
entropy_add(const void *buf, int num, double entropy) {
|
||||
/*
|
||||
* Do nothing. The only call to this provides no useful data anyway.
|
||||
*/
|
||||
UNUSED(buf);
|
||||
UNUSED(num);
|
||||
UNUSED(entropy);
|
||||
}
|
||||
#else
|
||||
static int
|
||||
entropy_add(const void *buf, int num, double entropy) {
|
||||
/*
|
||||
* Do nothing. The only call to this provides no useful data anyway.
|
||||
*/
|
||||
UNUSED(buf);
|
||||
UNUSED(num);
|
||||
UNUSED(entropy);
|
||||
return (1);
|
||||
}
|
||||
#endif
|
||||
#endif /* !ISC_PLATFORM_CRYPTORANDOM */
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
|
||||
static void
|
||||
lock_callback(int mode, int type, const char *file, int line) {
|
||||
@@ -196,10 +146,8 @@ _set_thread_id(CRYPTO_THREADID *id)
|
||||
isc_result_t
|
||||
dst__openssl_init(const char *engine) {
|
||||
isc_result_t result;
|
||||
#if defined(USE_ENGINE) && !defined(ISC_PLATFORM_CRYPTORANDOM)
|
||||
ENGINE *re;
|
||||
#else
|
||||
|
||||
#if !defined(USE_ENGINE)
|
||||
UNUSED(engine);
|
||||
#endif
|
||||
|
||||
@@ -227,20 +175,6 @@ dst__openssl_init(const char *engine) {
|
||||
ERR_load_crypto_strings();
|
||||
#endif
|
||||
|
||||
#ifndef ISC_PLATFORM_CRYPTORANDOM
|
||||
rm = mem_alloc(sizeof(RAND_METHOD) FILELINE);
|
||||
if (rm == NULL) {
|
||||
result = ISC_R_NOMEMORY;
|
||||
goto cleanup_mutexinit;
|
||||
}
|
||||
rm->seed = NULL;
|
||||
rm->bytes = entropy_get;
|
||||
rm->cleanup = NULL;
|
||||
rm->add = entropy_add;
|
||||
rm->pseudorand = entropy_getpseudo;
|
||||
rm->status = entropy_status;
|
||||
#endif
|
||||
|
||||
#ifdef USE_ENGINE
|
||||
#if !defined(CONF_MFLAGS_DEFAULT_SECTION)
|
||||
OPENSSL_config(NULL);
|
||||
@@ -273,27 +207,8 @@ dst__openssl_init(const char *engine) {
|
||||
}
|
||||
}
|
||||
|
||||
#ifndef ISC_PLATFORM_CRYPTORANDOM
|
||||
re = ENGINE_get_default_RAND();
|
||||
if (re == NULL) {
|
||||
re = ENGINE_new();
|
||||
if (re == NULL) {
|
||||
result = ISC_R_NOMEMORY;
|
||||
goto cleanup_rm;
|
||||
}
|
||||
ENGINE_set_RAND(re, rm);
|
||||
ENGINE_set_default_RAND(re);
|
||||
ENGINE_free(re);
|
||||
} else
|
||||
ENGINE_finish(re);
|
||||
#endif
|
||||
#else
|
||||
#ifndef ISC_PLATFORM_CRYPTORANDOM
|
||||
RAND_set_rand_method(rm);
|
||||
#endif
|
||||
#endif /* USE_ENGINE */
|
||||
|
||||
#ifdef ISC_PLATFORM_CRYPTORANDOM
|
||||
/* Protect ourselves against unseeded PRNG */
|
||||
if (RAND_status() != 1) {
|
||||
FATAL_ERROR(__FILE__, __LINE__,
|
||||
@@ -301,7 +216,6 @@ dst__openssl_init(const char *engine) {
|
||||
"cannot be initialized (see the `PRNG not "
|
||||
"seeded' message in the OpenSSL FAQ)");
|
||||
}
|
||||
#endif
|
||||
|
||||
return (ISC_R_SUCCESS);
|
||||
|
||||
@@ -310,13 +224,6 @@ dst__openssl_init(const char *engine) {
|
||||
if (e != NULL)
|
||||
ENGINE_free(e);
|
||||
e = NULL;
|
||||
#ifndef ISC_PLATFORM_CRYPTORANDOM
|
||||
mem_free(rm FILELINE);
|
||||
rm = NULL;
|
||||
#endif
|
||||
#endif
|
||||
#ifndef ISC_PLATFORM_CRYPTORANDOM
|
||||
cleanup_mutexinit:
|
||||
#endif
|
||||
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
|
||||
CRYPTO_set_locking_callback(NULL);
|
||||
@@ -332,25 +239,10 @@ void
|
||||
dst__openssl_destroy(void) {
|
||||
#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L)
|
||||
OPENSSL_cleanup();
|
||||
#ifndef ISC_PLATFORM_CRYPTORANDOM
|
||||
if (rm != NULL) {
|
||||
mem_free(rm FILELINE);
|
||||
rm = NULL;
|
||||
}
|
||||
#endif
|
||||
#else
|
||||
/*
|
||||
* Sequence taken from apps_shutdown() in <apps/apps.h>.
|
||||
*/
|
||||
#ifndef ISC_PLATFORM_CRYPTORANDOM
|
||||
if (rm != NULL) {
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
|
||||
RAND_cleanup();
|
||||
#endif
|
||||
mem_free(rm FILELINE);
|
||||
rm = NULL;
|
||||
}
|
||||
#endif
|
||||
#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
|
||||
CONF_modules_free();
|
||||
#endif
|
||||
@@ -490,7 +382,6 @@ isc_result_t
|
||||
dst_random_getdata(void *data, unsigned int length,
|
||||
unsigned int *returned, unsigned int flags)
|
||||
{
|
||||
#ifdef ISC_PLATFORM_CRYPTORANDOM
|
||||
#ifndef DONT_REQUIRE_DST_LIB_INIT
|
||||
INSIST(dst__memory_pool != NULL);
|
||||
#endif
|
||||
@@ -517,14 +408,6 @@ dst_random_getdata(void *data, unsigned int length,
|
||||
if (returned != NULL)
|
||||
*returned = length;
|
||||
return (ISC_R_SUCCESS);
|
||||
#else
|
||||
UNUSED(data);
|
||||
UNUSED(length);
|
||||
UNUSED(returned);
|
||||
UNUSED(flags);
|
||||
|
||||
return (ISC_R_NOTIMPLEMENTED);
|
||||
#endif
|
||||
}
|
||||
|
||||
#endif /* OPENSSL */
|
||||
|
||||
Reference in New Issue
Block a user