|
|
27025e |
From 7e61714a5d1509ec79af42391e41eb1afc53063a Mon Sep 17 00:00:00 2001
|
|
|
e55890 |
From: Evan Hunt <each@isc.org>
|
|
|
e55890 |
Date: Tue, 12 Sep 2017 19:05:46 -0700
|
|
|
e55890 |
Subject: [PATCH] rebased rt31459c
|
|
|
e55890 |
|
|
|
e55890 |
[rt31459d] update the newer tools
|
|
|
e55890 |
|
|
|
e55890 |
[rt31459d] setup entropy in dns_lib_init()
|
|
|
e55890 |
|
|
|
e55890 |
[rt31459d] silence compiler warning
|
|
|
e55890 |
|
|
|
e55890 |
DNS_OPENSSL_LIBS -> DST_OPENSSL_LIBS
|
|
|
e55890 |
|
|
|
e55890 |
Include new unit test
|
|
|
e55890 |
---
|
|
|
e55890 |
bin/confgen/keygen.c | 7 +
|
|
|
e55890 |
bin/dnssec/dnssec-dsfromkey.c | 8 +-
|
|
|
e55890 |
bin/dnssec/dnssec-importkey.c | 8 +-
|
|
|
e55890 |
bin/dnssec/dnssec-revoke.c | 8 +-
|
|
|
e55890 |
bin/dnssec/dnssec-settime.c | 8 +-
|
|
|
e55890 |
bin/dnssec/dnssec-signzone.c | 11 +-
|
|
|
e55890 |
bin/dnssec/dnssec-verify.c | 8 +-
|
|
|
e55890 |
bin/dnssec/dnssectool.c | 11 +-
|
|
|
e55890 |
bin/named/server.c | 6 +
|
|
|
27025e |
bin/nsupdate/nsupdate.c | 14 +-
|
|
|
e55890 |
bin/tests/makejournal.c | 6 +-
|
|
|
27025e |
bin/tests/system/pipelined/pipequeries.c | 20 +-
|
|
|
e55890 |
bin/tests/system/pipelined/tests.sh | 4 +-
|
|
|
e55890 |
bin/tests/system/rsabigexponent/bigkey.c | 4 +
|
|
|
27025e |
bin/tests/system/tkey/keycreate.c | 26 ++-
|
|
|
27025e |
bin/tests/system/tkey/keydelete.c | 26 ++-
|
|
|
e55890 |
bin/tests/system/tkey/tests.sh | 8 +-
|
|
|
e55890 |
bin/tools/mdig.c | 3 +-
|
|
|
27025e |
configure | 250 +++++++++++++----------
|
|
|
27025e |
configure.ac | 77 ++++++-
|
|
|
27025e |
lib/dns/dst_api.c | 21 +-
|
|
|
e55890 |
lib/dns/include/dst/dst.h | 8 +
|
|
|
27025e |
lib/dns/lib.c | 15 +-
|
|
|
27025e |
lib/dns/openssl_link.c | 72 ++++++-
|
|
|
27025e |
lib/dns/pkcs11.c | 29 ++-
|
|
|
e55890 |
lib/dns/tests/Kyuafile | 1 +
|
|
|
e55890 |
lib/dns/tests/Makefile.in | 7 +
|
|
|
27025e |
lib/dns/tests/dstrandom_test.c | 115 +++++++++++
|
|
|
e55890 |
lib/dns/win32/libdns.def.in | 7 +
|
|
|
e55890 |
lib/isc/entropy.c | 24 +++
|
|
|
e55890 |
lib/isc/include/isc/entropy.h | 12 ++
|
|
|
e55890 |
lib/isc/include/isc/platform.h.in | 5 +
|
|
|
e55890 |
lib/isc/include/isc/types.h | 2 +
|
|
|
e55890 |
lib/isc/pk11.c | 12 +-
|
|
|
e55890 |
lib/isc/win32/include/isc/platform.h.in | 5 +
|
|
|
27025e |
win32utils/Configure | 28 ++-
|
|
|
27025e |
36 files changed, 701 insertions(+), 175 deletions(-)
|
|
|
e55890 |
create mode 100644 lib/dns/tests/dstrandom_test.c
|
|
|
e55890 |
|
|
|
e55890 |
diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c
|
|
|
27025e |
index 5015abb..295e16f 100644
|
|
|
e55890 |
--- a/bin/confgen/keygen.c
|
|
|
e55890 |
+++ b/bin/confgen/keygen.c
|
|
|
e55890 |
@@ -165,6 +165,13 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
|
|
|
e55890 |
randomfile = NULL;
|
|
|
e55890 |
open_keyboard = ISC_ENTROPY_KEYBOARDYES;
|
|
|
e55890 |
}
|
|
|
e55890 |
+#ifdef ISC_PLATFORM_CRYPTORANDOM
|
|
|
e55890 |
+ if (randomfile != NULL &&
|
|
|
e55890 |
+ strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
|
|
|
e55890 |
+ randomfile = NULL;
|
|
|
27025e |
+ isc_entropy_usehook(ectx, true);
|
|
|
e55890 |
+ }
|
|
|
e55890 |
+#endif
|
|
|
e55890 |
DO("start entropy source", isc_entropy_usebestsource(ectx,
|
|
|
e55890 |
&entropy_source,
|
|
|
e55890 |
randomfile,
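Review bot: After the new block selects the hook it still falls through to `isc_entropy_usebestsource(ectx, &entropy_source, NULL, open_keyboard)`, so unless that function checks the hook flag it will open the default device or prompt the keyboard, which is exactly what naming the crypto provider was meant to avoid. The `open_keyboard = ISC_ENTROPY_KEYBOARDYES` assignment just above also survives into that call. If usebestsource() does defer to the hook, say so at the call site, `/* hook selected: usebestsource() adds no file/keyboard source here (confirm) */`; otherwise skip the DO() when the hook was chosen. generate_key() begins before this hunk and continues after it.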
|
|
|
e55890 |
diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c
|
|
|
27025e |
index 2c0c308..3e585af 100644
|
|
|
e55890 |
--- a/bin/dnssec/dnssec-dsfromkey.c
|
|
|
e55890 |
+++ b/bin/dnssec/dnssec-dsfromkey.c
|
|
|
27025e |
@@ -494,14 +494,14 @@ main(int argc, char **argv) {
|
|
|
e55890 |
|
|
|
e55890 |
if (ectx == NULL)
|
|
|
e55890 |
setup_entropy(mctx, NULL, &ectx);
|
|
|
e55890 |
- result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
|
|
|
e55890 |
- if (result != ISC_R_SUCCESS)
|
|
|
e55890 |
- fatal("could not initialize hash");
|
|
|
e55890 |
result = dst_lib_init(mctx, ectx,
|
|
|
e55890 |
ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
|
|
|
e55890 |
if (result != ISC_R_SUCCESS)
|
|
|
e55890 |
fatal("could not initialize dst: %s",
|
|
|
e55890 |
isc_result_totext(result));
|
|
|
e55890 |
+ result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
|
|
|
e55890 |
+ if (result != ISC_R_SUCCESS)
|
|
|
e55890 |
+ fatal("could not initialize hash");
|
|
|
e55890 |
isc_entropy_stopcallbacksources(ectx);
|
|
|
e55890 |
|
|
|
e55890 |
setup_logging(mctx, &log;;
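Review bot: The swap that now runs `dst_lib_init()` before `isc_hash_create()` is left unexplained in the code, and nothing in the hunk says why the old order stopped working. The commit message's "setup entropy in dns_lib_init()" suggests the hash seed is drawn from `ectx` and that on an ISC_PLATFORM_CRYPTORANDOM build the entropy hook is only installed once dst is initialised; if that is the reason, add `/* dst_lib_init() first: it installs the entropy hook that isc_hash_create() seeds from on crypto-random builds */` above the dst_lib_init() call so a later cleanup does not undo it. main() starts before this hunk.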
|
|
|
27025e |
@@ -571,8 +571,8 @@ main(int argc, char **argv) {
|
|
|
e55890 |
if (dns_rdataset_isassociated(&rdataset))
|
|
|
e55890 |
dns_rdataset_disassociate(&rdataset);
|
|
|
e55890 |
cleanup_logging(&log;;
|
|
|
e55890 |
- dst_lib_destroy();
|
|
|
e55890 |
isc_hash_destroy();
|
|
|
e55890 |
+ dst_lib_destroy();
|
|
|
e55890 |
cleanup_entropy(&ectx);
|
|
|
e55890 |
dns_name_destroy();
|
|
|
e55890 |
if (verbose > 10)
|
|
|
e55890 |
diff --git a/bin/dnssec/dnssec-importkey.c b/bin/dnssec/dnssec-importkey.c
|
|
|
27025e |
index 0d1e7f8..79c4d74 100644
|
|
|
e55890 |
--- a/bin/dnssec/dnssec-importkey.c
|
|
|
e55890 |
+++ b/bin/dnssec/dnssec-importkey.c
|
|
|
27025e |
@@ -407,14 +407,14 @@ main(int argc, char **argv) {
|
|
|
e55890 |
|
|
|
e55890 |
if (ectx == NULL)
|
|
|
e55890 |
setup_entropy(mctx, NULL, &ectx);
|
|
|
e55890 |
- result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
|
|
|
e55890 |
- if (result != ISC_R_SUCCESS)
|
|
|
e55890 |
- fatal("could not initialize hash");
|
|
|
e55890 |
result = dst_lib_init(mctx, ectx,
|
|
|
e55890 |
ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
|
|
|
e55890 |
if (result != ISC_R_SUCCESS)
|
|
|
e55890 |
fatal("could not initialize dst: %s",
|
|
|
e55890 |
isc_result_totext(result));
|
|
|
e55890 |
+ result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
|
|
|
e55890 |
+ if (result != ISC_R_SUCCESS)
|
|
|
e55890 |
+ fatal("could not initialize hash");
|
|
|
e55890 |
isc_entropy_stopcallbacksources(ectx);
|
|
|
e55890 |
|
|
|
e55890 |
setup_logging(mctx, &log;;
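Review bot: Same silent reordering as in dnssec-dsfromkey.c: `isc_hash_create()` now follows `dst_lib_init()` with no comment giving the reason. If the hash seed depends on the entropy hook that dst initialisation installs (as the commit message implies), a one-line comment above `dst_lib_init()` such as `/* must precede isc_hash_create(): dst installs the entropy hook */` keeps the dependency visible to the next editor. main() begins before this hunk.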
|
|
|
27025e |
@@ -458,8 +458,8 @@ main(int argc, char **argv) {
|
|
|
e55890 |
if (dns_rdataset_isassociated(&rdataset))
|
|
|
e55890 |
dns_rdataset_disassociate(&rdataset);
|
|
|
e55890 |
cleanup_logging(&log;;
|
|
|
e55890 |
- dst_lib_destroy();
|
|
|
e55890 |
isc_hash_destroy();
|
|
|
e55890 |
+ dst_lib_destroy();
|
|
|
e55890 |
cleanup_entropy(&ectx);
|
|
|
e55890 |
dns_name_destroy();
|
|
|
e55890 |
if (verbose > 10)
|
|
|
e55890 |
diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c
|
|
|
27025e |
index 7d82dbf..10f9359 100644
|
|
|
e55890 |
--- a/bin/dnssec/dnssec-revoke.c
|
|
|
e55890 |
+++ b/bin/dnssec/dnssec-revoke.c
|
|
|
27025e |
@@ -184,14 +184,14 @@ main(int argc, char **argv) {
|
|
|
e55890 |
|
|
|
e55890 |
if (ectx == NULL)
|
|
|
e55890 |
setup_entropy(mctx, NULL, &ectx);
|
|
|
e55890 |
- result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
|
|
|
e55890 |
- if (result != ISC_R_SUCCESS)
|
|
|
e55890 |
- fatal("Could not initialize hash");
|
|
|
e55890 |
result = dst_lib_init2(mctx, ectx, engine,
|
|
|
e55890 |
ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
|
|
|
e55890 |
if (result != ISC_R_SUCCESS)
|
|
|
e55890 |
fatal("Could not initialize dst: %s",
|
|
|
e55890 |
isc_result_totext(result));
|
|
|
e55890 |
+ result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
|
|
|
e55890 |
+ if (result != ISC_R_SUCCESS)
|
|
|
e55890 |
+ fatal("Could not initialize hash");
|
|
|
e55890 |
isc_entropy_stopcallbacksources(ectx);
|
|
|
e55890 |
|
|
|
e55890 |
result = dst_key_fromnamedfile(filename, dir,
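Review bot: The ordering change (`dst_lib_init2()` now before `isc_hash_create()`) carries no comment, and here the init also takes an `engine`, so whether the hook comes from OpenSSL or a PKCS#11 engine depends on the `-E` handling outside the hunk. A short `/* dst_lib_init2() first: it installs the entropy hook isc_hash_create() relies on */` above the call would document the dependency; hedged, since the hook installation itself is not visible in this patch. main() starts before this hunk.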
|
|
|
27025e |
@@ -273,8 +273,8 @@ main(int argc, char **argv) {
|
|
|
e55890 |
|
|
|
e55890 |
cleanup:
|
|
|
e55890 |
dst_key_free(&key);
|
|
|
e55890 |
- dst_lib_destroy();
|
|
|
e55890 |
isc_hash_destroy();
|
|
|
e55890 |
+ dst_lib_destroy();
|
|
|
e55890 |
cleanup_entropy(&ectx);
|
|
|
e55890 |
if (verbose > 10)
|
|
|
e55890 |
isc_mem_stats(mctx, stdout);
|
|
|
e55890 |
diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c
|
|
|
27025e |
index f355903..6a2ca59 100644
|
|
|
e55890 |
--- a/bin/dnssec/dnssec-settime.c
|
|
|
e55890 |
+++ b/bin/dnssec/dnssec-settime.c
|
|
|
27025e |
@@ -382,14 +382,14 @@ main(int argc, char **argv) {
|
|
|
e55890 |
|
|
|
e55890 |
if (ectx == NULL)
|
|
|
e55890 |
setup_entropy(mctx, NULL, &ectx);
|
|
|
e55890 |
- result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
|
|
|
e55890 |
- if (result != ISC_R_SUCCESS)
|
|
|
e55890 |
- fatal("Could not initialize hash");
|
|
|
e55890 |
result = dst_lib_init2(mctx, ectx, engine,
|
|
|
e55890 |
ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
|
|
|
e55890 |
if (result != ISC_R_SUCCESS)
|
|
|
e55890 |
fatal("Could not initialize dst: %s",
|
|
|
e55890 |
isc_result_totext(result));
|
|
|
e55890 |
+ result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
|
|
|
e55890 |
+ if (result != ISC_R_SUCCESS)
|
|
|
e55890 |
+ fatal("Could not initialize hash");
|
|
|
e55890 |
isc_entropy_stopcallbacksources(ectx);
|
|
|
e55890 |
|
|
|
e55890 |
if (predecessor != NULL) {
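Review bot: As in the other dnssec tools in this commit, `isc_hash_create()` is moved after `dst_lib_init2()` without a comment explaining why the order now matters. Add `/* dst_lib_init2() must precede isc_hash_create() (entropy hook) */` on the init call, or the next person tidying main() may restore the old order. main() begins before this hunk.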
|
|
|
27025e |
@@ -674,8 +674,8 @@ main(int argc, char **argv) {
|
|
|
e55890 |
if (prevkey != NULL)
|
|
|
e55890 |
dst_key_free(&prevkey);
|
|
|
e55890 |
dst_key_free(&key);
|
|
|
e55890 |
- dst_lib_destroy();
|
|
|
e55890 |
isc_hash_destroy();
|
|
|
e55890 |
+ dst_lib_destroy();
|
|
|
e55890 |
cleanup_entropy(&ectx);
|
|
|
e55890 |
if (verbose > 10)
|
|
|
e55890 |
isc_mem_stats(mctx, stdout);
|
|
|
e55890 |
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
|
|
|
27025e |
index c6a0313..6ddaebe 100644
|
|
|
e55890 |
--- a/bin/dnssec/dnssec-signzone.c
|
|
|
e55890 |
+++ b/bin/dnssec/dnssec-signzone.c
|
|
|
27025e |
@@ -3460,14 +3460,15 @@ main(int argc, char *argv[]) {
|
|
|
e55890 |
if (!pseudorandom)
|
|
|
e55890 |
eflags |= ISC_ENTROPY_GOODONLY;
|
|
|
e55890 |
|
|
|
e55890 |
- result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
|
|
|
e55890 |
- if (result != ISC_R_SUCCESS)
|
|
|
e55890 |
- fatal("could not create hash context");
|
|
|
e55890 |
-
|
|
|
e55890 |
result = dst_lib_init2(mctx, ectx, engine, eflags);
|
|
|
e55890 |
if (result != ISC_R_SUCCESS)
|
|
|
e55890 |
fatal("could not initialize dst: %s",
|
|
|
e55890 |
isc_result_totext(result));
|
|
|
e55890 |
+
|
|
|
e55890 |
+ result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
|
|
|
e55890 |
+ if (result != ISC_R_SUCCESS)
|
|
|
e55890 |
+ fatal("could not create hash context");
|
|
|
e55890 |
+
|
|
|
e55890 |
isc_stdtime_get(&now;;
|
|
|
e55890 |
|
|
|
e55890 |
if (startstr != NULL) {
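Review bot: With the crypto hook active it is unclear what `-p` still means: pseudorandom mode only leaves ISC_ENTROPY_GOODONLY out of `eflags`, which goes to `dst_lib_init2()` and presumably on to the provider, and a provider's RAND may not distinguish the two at all. A line in the code, e.g. `/* -p drops GOODONLY; only the file/keyboard sources honour it (confirm for the crypto hook) */`, and a matching note in the man page would settle it either way. The move of `isc_hash_create()` after `dst_lib_init2()` is also uncommented; if it exists because dst init installs the hook the hash seeds from, say so there. main() starts before this hunk and continues after it.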
|
|
|
27025e |
@@ -3879,8 +3880,8 @@ main(int argc, char *argv[]) {
|
|
|
e55890 |
dns_master_styledestroy(&dsstyle, mctx);
|
|
|
e55890 |
|
|
|
e55890 |
cleanup_logging(&log;;
|
|
|
e55890 |
- dst_lib_destroy();
|
|
|
e55890 |
isc_hash_destroy();
|
|
|
e55890 |
+ dst_lib_destroy();
|
|
|
e55890 |
cleanup_entropy(&ectx);
|
|
|
e55890 |
dns_name_destroy();
|
|
|
e55890 |
if (verbose > 10)
|
|
|
e55890 |
diff --git a/bin/dnssec/dnssec-verify.c b/bin/dnssec/dnssec-verify.c
|
|
|
27025e |
index 4c293bf..3263cbc 100644
|
|
|
e55890 |
--- a/bin/dnssec/dnssec-verify.c
|
|
|
e55890 |
+++ b/bin/dnssec/dnssec-verify.c
|
|
|
27025e |
@@ -281,15 +281,15 @@ main(int argc, char *argv[]) {
|
|
|
e55890 |
if (ectx == NULL)
|
|
|
e55890 |
setup_entropy(mctx, NULL, &ectx);
|
|
|
e55890 |
|
|
|
e55890 |
- result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
|
|
|
e55890 |
- if (result != ISC_R_SUCCESS)
|
|
|
e55890 |
- fatal("could not create hash context");
|
|
|
e55890 |
-
|
|
|
e55890 |
result = dst_lib_init2(mctx, ectx, engine, ISC_ENTROPY_BLOCKING);
|
|
|
e55890 |
if (result != ISC_R_SUCCESS)
|
|
|
e55890 |
fatal("could not initialize dst: %s",
|
|
|
e55890 |
isc_result_totext(result));
|
|
|
e55890 |
|
|
|
e55890 |
+ result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
|
|
|
e55890 |
+ if (result != ISC_R_SUCCESS)
|
|
|
e55890 |
+ fatal("could not create hash context");
|
|
|
e55890 |
+
|
|
|
e55890 |
isc_stdtime_get(&now;;
|
|
|
e55890 |
|
|
|
e55890 |
rdclass = strtoclass(classname);
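Review bot: The reordering of `isc_hash_create()` after `dst_lib_init2()` is uncommented here as in the sibling tools; `/* dst_lib_init2() first: it installs the entropy hook the hash seed comes from */` above the init would preserve the reason. dnssec-verify only verifies, so it is worth confirming the hash seed really needs the hook and that ISC_ENTROPY_BLOCKING alone (no GOODONLY) is still the intended flag set with the crypto provider. main() begins before this hunk.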
|
|
|
e55890 |
diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
|
|
|
27025e |
index fbc7ece..31a99e7 100644
|
|
|
e55890 |
--- a/bin/dnssec/dnssectool.c
|
|
|
e55890 |
+++ b/bin/dnssec/dnssectool.c
|
|
|
27025e |
@@ -34,6 +34,7 @@
|
|
|
e55890 |
#include <isc/heap.h>
|
|
|
e55890 |
#include <isc/list.h>
|
|
|
e55890 |
#include <isc/mem.h>
|
|
|
e55890 |
+#include <isc/platform.h>
|
|
|
e55890 |
#include <isc/print.h>
|
|
|
e55890 |
#include <isc/string.h>
|
|
|
e55890 |
#include <isc/time.h>
|
|
|
27025e |
@@ -235,7 +236,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
|
|
|
e55890 |
if (*ectx == NULL) {
|
|
|
e55890 |
result = isc_entropy_create(mctx, ectx);
|
|
|
e55890 |
if (result != ISC_R_SUCCESS)
|
|
|
e55890 |
- fatal("could not create entropy object");
|
|
|
e55890 |
+ fatal("could not create entropy object: %s",
|
|
|
e55890 |
+ isc_result_totext(result));
|
|
|
e55890 |
ISC_LIST_INIT(sources);
|
|
|
e55890 |
}
|
|
|
e55890 |
|
|
|
27025e |
@@ -244,6 +246,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
|
|
|
e55890 |
randomfile = NULL;
|
|
|
e55890 |
}
|
|
|
e55890 |
|
|
|
e55890 |
+#ifdef ISC_PLATFORM_CRYPTORANDOM
|
|
|
e55890 |
+ if (randomfile != NULL &&
|
|
|
e55890 |
+ strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
|
|
|
e55890 |
+ randomfile = NULL;
|
|
|
27025e |
+ isc_entropy_usehook(*ectx, true);
|
|
|
e55890 |
+ }
|
|
|
e55890 |
+#endif
|
|
|
e55890 |
result = isc_entropy_usebestsource(*ectx, &source, randomfile,
|
|
|
e55890 |
usekeyboard);
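Review bot: Once the hook is selected `randomfile` is NULL and the code still calls `isc_entropy_usebestsource(*ectx, &source, NULL, usekeyboard)`, so a file or keyboard source may be added on top of the hook unless usebestsource() checks the hook flag itself. The only caller visible in this patch passes `setup_entropy(mctx, NULL, &ectx)`, so this branch is reached only through the tools' `-r` handling, which lies outside the hunk. Either skip the usebestsource() call when the hook was chosen, or add `/* usebestsource() adds nothing when the hook is enabled (confirm) */` at the call. setup_entropy() continues past the end of the hunk.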
|
|
|
e55890 |
|
|
|
e55890 |
diff --git a/bin/named/server.c b/bin/named/server.c
|
|
|
27025e |
index 7d85d3b..c782073 100644
|
|
|
e55890 |
--- a/bin/named/server.c
|
|
|
e55890 |
+++ b/bin/named/server.c
|
|
|
27025e |
@@ -36,6 +36,7 @@
|
|
|
e55890 |
#include <isc/lex.h>
|
|
|
e55890 |
#include <isc/meminfo.h>
|
|
|
e55890 |
#include <isc/parseint.h>
|
|
|
e55890 |
+#include <isc/platform.h>
|
|
|
e55890 |
#include <isc/portset.h>
|
|
|
e55890 |
#include <isc/print.h>
|
|
|
e55890 |
#include <isc/random.h>
|
|
|
27025e |
@@ -8211,6 +8212,10 @@ load_configuration(const char *filename, ns_server_t *server,
|
|
|
e55890 |
"no source of entropy found");
|
|
|
e55890 |
} else {
|
|
|
e55890 |
const char *randomdev = cfg_obj_asstring(obj);
|
|
|
e55890 |
+#ifdef ISC_PLATFORM_CRYPTORANDOM
|
|
|
e55890 |
+ if (strcmp(randomdev, ISC_PLATFORM_CRYPTORANDOM) == 0)
|
|
|
27025e |
+ isc_entropy_usehook(ns_g_entropy, true);
|
|
|
e55890 |
+#else
|
|
|
e55890 |
int level = ISC_LOG_ERROR;
|
|
|
e55890 |
result = isc_entropy_createfilesource(ns_g_entropy,
|
|
|
e55890 |
randomdev);
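Review bot: On an ISC_PLATFORM_CRYPTORANDOM build a `random-device` that is not the crypto-provider name is now silently ignored: the `strcmp` fails, `isc_entropy_usehook()` is skipped, and the file-source path that used to handle it is compiled out in the `#else`. An operator who keeps `random-device "/dev/random"` in named.conf gets neither a source nor a log line. Add an `else` that logs, with the same isc_log_write() arguments as the "no source of entropy found" message above, something like `"random-device '%s' ignored: this build takes entropy from the crypto provider"`, or keep the createfilesource() path as the fallback. load_configuration() extends well beyond this hunk, so other entropy handling may live elsewhere.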
|
|
|
27025e |
@@ -8245,6 +8250,7 @@ load_configuration(const char *filename, ns_server_t *server,
|
|
|
e55890 |
}
|
|
|
e55890 |
isc_entropy_detach(&ns_g_fallbackentropy);
|
|
|
e55890 |
}
|
|
|
e55890 |
+#endif
|
|
|
e55890 |
#endif
|
|
|
e55890 |
}
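Review bot: The new `#endif` places the whole `isc_entropy_detach(&ns_g_fallbackentropy)` block inside the `#else`, so on a crypto-random build ns_g_fallbackentropy is never detached from this function. If the fallback context is still created in that build (not visible here), the reference is kept for the server's lifetime; if it is not, a comment `/* no fallback entropy on crypto-random builds */` beside the `#ifdef` would make the asymmetry deliberate. load_configuration() continues past the hunk.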
|
|
|
27025e |
|
|
|
e55890 |
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
|
|
|
27025e |
index bbb3936..0286987 100644
|
|
|
e55890 |
--- a/bin/nsupdate/nsupdate.c
|
|
|
e55890 |
+++ b/bin/nsupdate/nsupdate.c
|
|
|
27025e |
@@ -272,7 +272,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
|
|
|
e55890 |
if (*ectx == NULL) {
|
|
|
e55890 |
result = isc_entropy_create(mctx, ectx);
|
|
|
e55890 |
if (result != ISC_R_SUCCESS)
|
|
|
e55890 |
- fatal("could not create entropy object");
|
|
|
e55890 |
+ fatal("could not create entropy object: %s",
|
|
|
e55890 |
+ isc_result_totext(result));
|
|
|
e55890 |
ISC_LIST_INIT(sources);
|
|
|
e55890 |
}
|
|
|
e55890 |
|
|
|
27025e |
@@ -281,6 +282,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
|
|
|
e55890 |
randomfile = NULL;
|
|
|
e55890 |
}
|
|
|
e55890 |
|
|
|
e55890 |
+#ifdef ISC_PLATFORM_CRYPTORANDOM
|
|
|
e55890 |
+ if (randomfile != NULL &&
|
|
|
e55890 |
+ strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
|
|
|
e55890 |
+ randomfile = NULL;
|
|
|
27025e |
+ isc_entropy_usehook(*ectx, true);
|
|
|
e55890 |
+ }
|
|
|
e55890 |
+#endif
|
|
|
e55890 |
result = isc_entropy_usebestsource(*ectx, &source, randomfile,
|
|
|
e55890 |
usekeyboard);
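Review bot: After `isc_entropy_usehook(*ectx, true)` the function proceeds to `isc_entropy_usebestsource(*ectx, &source, NULL, usekeyboard)`, so a default device or keyboard source can still be attached alongside the hook unless usebestsource() short-circuits on the hook flag. The same pattern appears in dnssectool.c and keygen.c in this commit; whichever way it is resolved, document it at the call, `/* hook selected; usebestsource() must not add a file/keyboard source (confirm) */`. setup_entropy() continues past the hunk.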
|
|
|
e55890 |
|
|
|
27025e |
@@ -979,11 +987,11 @@ setup_system(void) {
|
|
|
e55890 |
}
|
|
|
e55890 |
}
|
|
|
e55890 |
|
|
|
e55890 |
- setup_entropy(gmctx, NULL, &entropy);
|
|
|
e55890 |
+ if (entropy == NULL)
|
|
|
e55890 |
+ setup_entropy(gmctx, NULL, &entropy);
|
|
|
e55890 |
|
|
|
e55890 |
result = isc_hash_create(gmctx, entropy, DNS_NAME_MAXWIRE);
|
|
|
e55890 |
check_result(result, "isc_hash_create");
|
|
|
e55890 |
- isc_hash_init();
|
|
|
e55890 |
|
|
|
e55890 |
result = dns_dispatchmgr_create(gmctx, entropy, &dispatchmgr);
|
|
|
e55890 |
check_result(result, "dns_dispatchmgr_create");
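Review bot: Unlike the dnssec tools in this same commit, nsupdate still calls `isc_hash_create(gmctx, entropy, ...)` before `dst_lib_init()`, which is not in this hunk but presumably still sits later in setup_system(). If the hash seed on a crypto-random build is drawn through the hook that dst initialisation installs, this is the one tool left with the old order. The removal of `isc_hash_init()` is also unexplained; if isc_hash_create() now covers it, a comment would help, otherwise the tool loses its hash initialisation. setup_system() continues outside the hunk.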
|
|
|
e55890 |
diff --git a/bin/tests/makejournal.c b/bin/tests/makejournal.c
|
|
|
27025e |
index 61a41b0..acc71a1 100644
|
|
|
e55890 |
--- a/bin/tests/makejournal.c
|
|
|
e55890 |
+++ b/bin/tests/makejournal.c
|
|
|
27025e |
@@ -102,12 +102,12 @@ main(int argc, char **argv) {
|
|
|
e55890 |
CHECK(isc_mem_create(0, 0, &mctx));
|
|
|
e55890 |
CHECK(isc_entropy_create(mctx, &ectx));
|
|
|
e55890 |
|
|
|
e55890 |
- CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
|
|
|
27025e |
- hash_active = true;
|
|
|
e55890 |
-
|
|
|
e55890 |
CHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_BLOCKING));
|
|
|
27025e |
dst_active = true;
|
|
|
e55890 |
|
|
|
e55890 |
+ CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
|
|
|
27025e |
+ hash_active = true;
|
|
|
e55890 |
+
|
|
|
e55890 |
CHECK(isc_log_create(mctx, &lctx, &logconfig));
|
|
|
e55890 |
isc_log_registercategories(lctx, categories);
|
|
|
e55890 |
isc_log_setcontext(lctx);
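Review bot: The new order (`dst_lib_init()` then `isc_hash_create()`) has no comment, and the `dst_active`/`hash_active` flags presumably drive a cleanup outside the hunk that should now tear down the hash before dst, matching the destroy order changed elsewhere in this commit. A `/* dst first: it installs the entropy hook the hash seed uses */` above `dst_lib_init()` and a glance at the cleanup order would close both. main() starts before this hunk.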
|
|
|
e55890 |
diff --git a/bin/tests/system/pipelined/pipequeries.c b/bin/tests/system/pipelined/pipequeries.c
|
|
|
27025e |
index c6ab7f8..f0a6ff2 100644
|
|
|
e55890 |
--- a/bin/tests/system/pipelined/pipequeries.c
|
|
|
e55890 |
+++ b/bin/tests/system/pipelined/pipequeries.c
|
|
|
27025e |
@@ -204,6 +204,7 @@ sendqueries(isc_task_t *task, isc_event_t *event) {
|
|
|
e55890 |
|
|
|
e55890 |
int
|
|
|
e55890 |
main(int argc, char *argv[]) {
|
|
|
e55890 |
+ char *randomfile = NULL;
|
|
|
e55890 |
isc_sockaddr_t bind_any;
|
|
|
e55890 |
struct in_addr inaddr;
|
|
|
e55890 |
isc_result_t result;
|
|
|
e55890 |
@@ -222,7 +223,7 @@ main(int argc, char *argv[]) {
|
|
|
27025e |
int c;
|
|
|
e55890 |
|
|
|
27025e |
isc_commandline_errprint = false;
|
|
|
e55890 |
- while ((c = isc_commandline_parse(argc, argv, "p:")) != -1) {
|
|
|
e55890 |
+ while ((c = isc_commandline_parse(argc, argv, "p:r:")) != -1) {
|
|
|
e55890 |
switch (c) {
|
|
|
e55890 |
case 'p':
|
|
|
e55890 |
result = isc_parse_uint16(&port,
|
|
|
e55890 |
@@ -233,6 +234,9 @@ main(int argc, char *argv[]) {
|
|
|
e55890 |
exit(1);
|
|
|
e55890 |
}
|
|
|
e55890 |
break;
|
|
|
e55890 |
+ case 'r':
|
|
|
e55890 |
+ randomfile = isc_commandline_argument;
|
|
|
e55890 |
+ break;
|
|
|
e55890 |
case '?':
|
|
|
e55890 |
fprintf(stderr, "%s: invalid argument '%c'",
|
|
|
e55890 |
argv[0], c);
|
|
|
27025e |
@@ -275,10 +279,18 @@ main(int argc, char *argv[]) {
|
|
|
e55890 |
|
|
|
e55890 |
ectx = NULL;
|
|
|
e55890 |
RUNCHECK(isc_entropy_create(mctx, &ectx));
|
|
|
e55890 |
- RUNCHECK(isc_entropy_createfilesource(ectx, "../random.data"));
|
|
|
e55890 |
- RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
|
|
|
e55890 |
+#ifdef ISC_PLATFORM_CRYPTORANDOM
|
|
|
e55890 |
+ if (randomfile != NULL &&
|
|
|
e55890 |
+ strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
|
|
|
e55890 |
+ randomfile = NULL;
|
|
|
27025e |
+ isc_entropy_usehook(ectx, true);
|
|
|
e55890 |
+ }
|
|
|
e55890 |
+#endif
|
|
|
e55890 |
+ if (randomfile != NULL)
|
|
|
e55890 |
+ RUNCHECK(isc_entropy_createfilesource(ectx, randomfile));
|
|
|
e55890 |
|
|
|
e55890 |
RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY));
|
|
|
e55890 |
+ RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
|
|
|
e55890 |
|
|
|
e55890 |
taskmgr = NULL;
|
|
|
e55890 |
RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr));
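Review bot: With no `-r` the helper now configures no entropy source at all: the old unconditional `isc_entropy_createfilesource(ectx, "../random.data")` is gone and `randomfile` starts NULL, so `dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY)` or a later request for random data may fail or block when the binary is run by hand. tests.sh always passes `-r $RANDFILE`, so the system test itself is unaffected. Preserve the previous default with `if (randomfile == NULL) randomfile = "../random.data";` before the `#ifdef`, or reject a missing `-r` with a usage message. main() starts before this hunk.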
|
|
|
27025e |
@@ -331,8 +343,8 @@ main(int argc, char *argv[]) {
|
|
|
e55890 |
isc_task_detach(&task);
|
|
|
e55890 |
isc_taskmgr_destroy(&taskmgr);
|
|
|
e55890 |
|
|
|
e55890 |
- dst_lib_destroy();
|
|
|
e55890 |
isc_hash_destroy();
|
|
|
e55890 |
+ dst_lib_destroy();
|
|
|
e55890 |
isc_entropy_detach(&ectx);
|
|
|
e55890 |
|
|
|
e55890 |
isc_log_destroy(&lctx);
|
|
|
e55890 |
diff --git a/bin/tests/system/pipelined/tests.sh b/bin/tests/system/pipelined/tests.sh
|
|
|
27025e |
index 61f1ff7..ed1302a 100644
|
|
|
e55890 |
--- a/bin/tests/system/pipelined/tests.sh
|
|
|
e55890 |
+++ b/bin/tests/system/pipelined/tests.sh
|
|
|
e55890 |
@@ -19,7 +19,7 @@ status=0
|
|
|
e55890 |
|
|
|
e55890 |
echo_i "check pipelined TCP queries"
|
|
|
e55890 |
ret=0
|
|
|
e55890 |
-$PIPEQUERIES -p ${PORT} < input > raw || ret=1
|
|
|
e55890 |
+$PIPEQUERIES -p ${PORT} -r $RANDFILE < input > raw || ret=1
|
|
|
e55890 |
awk '{ print $1 " " $5 }' < raw > output
|
|
|
e55890 |
sort < output > output-sorted
|
|
|
27025e |
$DIFF ref output-sorted || { ret=1 ; echo_i "diff sorted failed"; }
|
|
|
e55890 |
@@ -43,7 +43,7 @@ status=`expr $status + $ret`
|
|
|
e55890 |
|
|
|
e55890 |
echo_i "check keep-response-order"
|
|
|
e55890 |
ret=0
|
|
|
e55890 |
-$PIPEQUERIES -p ${PORT} ++ < inputb > rawb || ret=1
|
|
|
e55890 |
+$PIPEQUERIES -p ${PORT} -r $RANDFILE ++ < inputb > rawb || ret=1
|
|
|
e55890 |
awk '{ print $1 " " $5 }' < rawb > outputb
|
|
|
27025e |
$DIFF refb outputb || ret=1
|
|
|
e55890 |
if [ $ret != 0 ]; then echo_i "failed"; fi
|
|
|
e55890 |
diff --git a/bin/tests/system/rsabigexponent/bigkey.c b/bin/tests/system/rsabigexponent/bigkey.c
|
|
|
27025e |
index 4462f2e..f06268d 100644
|
|
|
e55890 |
--- a/bin/tests/system/rsabigexponent/bigkey.c
|
|
|
e55890 |
+++ b/bin/tests/system/rsabigexponent/bigkey.c
|
|
|
e55890 |
@@ -20,6 +20,7 @@
|
|
|
e55890 |
#include <isc/buffer.h>
|
|
|
e55890 |
#include <isc/entropy.h>
|
|
|
e55890 |
#include <isc/mem.h>
|
|
|
e55890 |
+#include <isc/platform.h>
|
|
|
e55890 |
#include <isc/print.h>
|
|
|
e55890 |
#include <isc/region.h>
|
|
|
e55890 |
#include <isc/stdio.h>
|
|
|
e55890 |
@@ -183,6 +184,9 @@ main(int argc, char **argv) {
|
|
|
e55890 |
|
|
|
e55890 |
CHECK(isc_mem_create(0, 0, &mctx), "isc_mem_create()");
|
|
|
e55890 |
CHECK(isc_entropy_create(mctx, &ectx), "isc_entropy_create()");
|
|
|
e55890 |
+#ifdef ISC_PLATFORM_CRYPTORANDOM
|
|
|
27025e |
+ isc_entropy_usehook(ectx, true);
|
|
|
e55890 |
+#endif
|
|
|
e55890 |
CHECK(isc_entropy_usebestsource(ectx, &source,
|
|
|
e55890 |
"../random.data",
|
|
|
e55890 |
ISC_ENTROPY_KEYBOARDNO),
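Review bot: The hook is enabled unconditionally and the code then still opens `"../random.data"` through `isc_entropy_usebestsource()`, so on a crypto-random build two sources are configured (or the file one is dead weight), whereas every other helper in this commit picks one or the other from `-r`. If the file is only meant for non-crypto builds, wrap the usebestsource() call in `#ifndef ISC_PLATFORM_CRYPTORANDOM`, or accept `-r` the way keycreate.c does. bigkey.c's main() continues after the hunk.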
|
|
|
e55890 |
diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c
|
|
|
27025e |
index 653c951..fe8698e 100644
|
|
|
e55890 |
--- a/bin/tests/system/tkey/keycreate.c
|
|
|
e55890 |
+++ b/bin/tests/system/tkey/keycreate.c
|
|
|
e55890 |
@@ -206,6 +206,7 @@ sendquery(isc_task_t *task, isc_event_t *event) {
|
|
|
e55890 |
int
|
|
|
e55890 |
main(int argc, char *argv[]) {
|
|
|
e55890 |
char *ourkeyname;
|
|
|
e55890 |
+ char *randomfile;
|
|
|
e55890 |
isc_taskmgr_t *taskmgr;
|
|
|
e55890 |
isc_timermgr_t *timermgr;
|
|
|
e55890 |
isc_socketmgr_t *socketmgr;
|
|
|
e55890 |
@@ -225,10 +226,21 @@ main(int argc, char *argv[]) {
|
|
|
e55890 |
|
|
|
e55890 |
RUNCHECK(isc_app_start());
|
|
|
e55890 |
|
|
|
e55890 |
+ randomfile = NULL;
|
|
|
e55890 |
+
|
|
|
e55890 |
if (argc < 2) {
|
|
|
e55890 |
fprintf(stderr, "I:no DH key provided\n");
|
|
|
e55890 |
exit(-1);
|
|
|
e55890 |
}
|
|
|
e55890 |
+ if (strcmp(argv[1], "-r") == 0) {
|
|
|
e55890 |
+ if (argc < 4) {
|
|
|
e55890 |
+ fprintf(stderr, "I:no DH key provided\n");
|
|
|
e55890 |
+ exit(-1);
|
|
|
e55890 |
+ }
|
|
|
e55890 |
+ randomfile = argv[2];
|
|
|
e55890 |
+ argv += 2;
|
|
|
e55890 |
+ argc -= 2;
|
|
|
e55890 |
+ }
|
|
|
e55890 |
ourkeyname = argv[1];
|
|
|
e55890 |
|
|
|
e55890 |
if (argc >= 3)
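Review bot: `argv += 2` after consuming `-r FILE` leaves `argv[0]` pointing at the random-file path rather than the program name, so any later use of argv[0] (usage or error text, not visible here) would print the wrong string. Shifting with `argv[2] = argv[0]; argv += 2; argc -= 2;` keeps argv[0] intact. The option is also only recognised in the first position; pipequeries.c in the same commit uses `isc_commandline_parse()` for its `-r`, which would make the helpers consistent. main() continues past the hunk.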
|
|
|
e55890 |
@@ -242,14 +254,22 @@ main(int argc, char *argv[]) {
|
|
|
e55890 |
|
|
|
e55890 |
ectx = NULL;
|
|
|
e55890 |
RUNCHECK(isc_entropy_create(mctx, &ectx));
|
|
|
e55890 |
- RUNCHECK(isc_entropy_createfilesource(ectx, "../random.data"));
|
|
|
e55890 |
- RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
|
|
|
e55890 |
+#ifdef ISC_PLATFORM_CRYPTORANDOM
|
|
|
e55890 |
+ if (randomfile != NULL &&
|
|
|
e55890 |
+ strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
|
|
|
e55890 |
+ randomfile = NULL;
|
|
|
27025e |
+ isc_entropy_usehook(ectx, true);
|
|
|
e55890 |
+ }
|
|
|
e55890 |
+#endif
|
|
|
e55890 |
+ if (randomfile != NULL)
|
|
|
e55890 |
+ RUNCHECK(isc_entropy_createfilesource(ectx, randomfile));
|
|
|
e55890 |
|
|
|
e55890 |
log = NULL;
|
|
|
e55890 |
logconfig = NULL;
|
|
|
e55890 |
RUNCHECK(isc_log_create(mctx, &log, &logconfig));
|
|
|
e55890 |
|
|
|
e55890 |
RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY));
|
|
|
e55890 |
+ RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
|
|
|
e55890 |
|
|
|
e55890 |
taskmgr = NULL;
|
|
|
e55890 |
RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr));
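Review bot: Without `-r` no entropy source is attached before `dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY)`, since the old unconditional `"../random.data"` file source is now behind `if (randomfile != NULL)`; tests.sh supplies `-r $RANDFILE`, but a manual run may block or fail. Defaulting with `if (randomfile == NULL) randomfile = "../random.data";` above the `#ifdef` restores the old behaviour. The `isc_hash_create()` move after `dst_lib_init()` is uncommented, as elsewhere in this commit. main() starts before this hunk.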
|
|
|
e55890 |
@@ -328,8 +348,8 @@ main(int argc, char *argv[]) {
|
|
|
e55890 |
|
|
|
e55890 |
isc_log_destroy(&log;;
|
|
|
e55890 |
|
|
|
e55890 |
- dst_lib_destroy();
|
|
|
e55890 |
isc_hash_destroy();
|
|
|
e55890 |
+ dst_lib_destroy();
|
|
|
e55890 |
isc_entropy_detach(&ectx);
|
|
|
e55890 |
|
|
|
e55890 |
isc_mem_destroy(&mctx);
|
|
|
e55890 |
diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c
|
|
|
27025e |
index 70a40c3..2146f9b 100644
|
|
|
e55890 |
--- a/bin/tests/system/tkey/keydelete.c
|
|
|
e55890 |
+++ b/bin/tests/system/tkey/keydelete.c
|
|
|
e55890 |
@@ -136,6 +136,7 @@ sendquery(isc_task_t *task, isc_event_t *event) {
|
|
|
e55890 |
int
|
|
|
e55890 |
main(int argc, char **argv) {
|
|
|
e55890 |
char *keyname;
|
|
|
e55890 |
+ char *randomfile;
|
|
|
e55890 |
isc_taskmgr_t *taskmgr;
|
|
|
e55890 |
isc_timermgr_t *timermgr;
|
|
|
e55890 |
isc_socketmgr_t *socketmgr;
|
|
|
e55890 |
@@ -156,10 +157,21 @@ main(int argc, char **argv) {
|
|
|
e55890 |
|
|
|
e55890 |
RUNCHECK(isc_app_start());
|
|
|
e55890 |
|
|
|
e55890 |
+ randomfile = NULL;
|
|
|
e55890 |
+
|
|
|
e55890 |
if (argc < 2) {
|
|
|
e55890 |
fprintf(stderr, "I:no key to delete\n");
|
|
|
e55890 |
exit(-1);
|
|
|
e55890 |
}
|
|
|
e55890 |
+ if (strcmp(argv[1], "-r") == 0) {
|
|
|
e55890 |
+ if (argc < 4) {
|
|
|
e55890 |
+ fprintf(stderr, "I:no DH key provided\n");
|
|
|
e55890 |
+ exit(-1);
|
|
|
e55890 |
+ }
|
|
|
e55890 |
+ randomfile = argv[2];
|
|
|
e55890 |
+ argv += 2;
|
|
|
e55890 |
+ argc -= 2;
|
|
|
e55890 |
+ }
|
|
|
e55890 |
keyname = argv[1];
|
|
|
e55890 |
|
|
|
e55890 |
dns_result_register();
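Review bot: The error text in the new `argc < 4` branch is copied from keycreate.c: keydelete prints `"I:no DH key provided\n"` although the argument it is missing is the key to delete, which the check just above reports as `"I:no key to delete\n"`; use the same message here. `argv += 2` also leaves argv[0] pointing at the random-file path; `argv[2] = argv[0]; argv += 2; argc -= 2;` keeps the program name. main() continues past the hunk.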
|
|
|
e55890 |
@@ -169,14 +181,22 @@ main(int argc, char **argv) {
|
|
|
e55890 |
|
|
|
e55890 |
ectx = NULL;
|
|
|
e55890 |
RUNCHECK(isc_entropy_create(mctx, &ectx));
|
|
|
e55890 |
- RUNCHECK(isc_entropy_createfilesource(ectx, "../random.data"));
|
|
|
e55890 |
- RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
|
|
|
e55890 |
+#ifdef ISC_PLATFORM_CRYPTORANDOM
|
|
|
e55890 |
+ if (randomfile != NULL &&
|
|
|
e55890 |
+ strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
|
|
|
e55890 |
+ randomfile = NULL;
|
|
|
27025e |
+ isc_entropy_usehook(ectx, true);
|
|
|
e55890 |
+ }
|
|
|
e55890 |
+#endif
|
|
|
e55890 |
+ if (randomfile != NULL)
|
|
|
e55890 |
+ RUNCHECK(isc_entropy_createfilesource(ectx, randomfile));
|
|
|
e55890 |
|
|
|
e55890 |
log = NULL;
|
|
|
e55890 |
logconfig = NULL;
|
|
|
e55890 |
RUNCHECK(isc_log_create(mctx, &log, &logconfig));
|
|
|
e55890 |
|
|
|
e55890 |
RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY));
|
|
|
e55890 |
+ RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
|
|
|
e55890 |
|
|
|
e55890 |
taskmgr = NULL;
|
|
|
e55890 |
RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr));
|
|
|
27025e |
@@ -264,8 +284,8 @@ main(int argc, char **argv) {
|
|
|
e55890 |
|
|
|
e55890 |
isc_log_destroy(&log;;
|
|
|
e55890 |
|
|
|
e55890 |
- dst_lib_destroy();
|
|
|
e55890 |
isc_hash_destroy();
|
|
|
e55890 |
+ dst_lib_destroy();
|
|
|
e55890 |
isc_entropy_detach(&ectx);
|
|
|
e55890 |
|
|
|
e55890 |
isc_mem_destroy(&mctx);
|
|
|
e55890 |
diff --git a/bin/tests/system/tkey/tests.sh b/bin/tests/system/tkey/tests.sh
|
|
|
e55890 |
index 9f90dd7..fad6c83 100644
|
|
|
e55890 |
--- a/bin/tests/system/tkey/tests.sh
|
|
|
e55890 |
+++ b/bin/tests/system/tkey/tests.sh
|
|
|
e55890 |
@@ -33,7 +33,7 @@ for owner in . foo.example.
|
|
|
e55890 |
do
|
|
|
e55890 |
echo "I:creating new key using owner name \"$owner\""
|
|
|
e55890 |
ret=0
|
|
|
e55890 |
- keyname=`$KEYCREATE $dhkeyname $owner` || ret=1
|
|
|
e55890 |
+ keyname=`$KEYCREATE -r $RANDFILE $dhkeyname $owner` || ret=1
|
|
|
e55890 |
if [ $ret != 0 ]; then
|
|
|
e55890 |
echo "I:failed"
|
|
|
e55890 |
status=`expr $status + $ret`
|
|
|
e55890 |
@@ -55,7 +55,7 @@ do
|
|
|
e55890 |
|
|
|
e55890 |
echo "I:deleting new key"
|
|
|
e55890 |
ret=0
|
|
|
e55890 |
- $KEYDELETE $keyname || ret=1
|
|
|
e55890 |
+ $KEYDELETE -r $RANDFILE $keyname || ret=1
|
|
|
e55890 |
if [ $ret != 0 ]; then
|
|
|
e55890 |
echo "I:failed"
|
|
|
e55890 |
fi
|
|
|
e55890 |
@@ -75,7 +75,7 @@ done
|
|
|
e55890 |
|
|
|
e55890 |
echo "I:creating new key using owner name bar.example."
|
|
|
e55890 |
ret=0
|
|
|
e55890 |
-keyname=`$KEYCREATE $dhkeyname bar.example.` || ret=1
|
|
|
e55890 |
+keyname=`$KEYCREATE -r $RANDFILE $dhkeyname bar.example.` || ret=1
|
|
|
e55890 |
if [ $ret != 0 ]; then
|
|
|
e55890 |
echo "I:failed"
|
|
|
e55890 |
status=`expr $status + $ret`
|
|
|
e55890 |
@@ -116,7 +116,7 @@ status=`expr $status + $ret`
|
|
|
e55890 |
|
|
|
e55890 |
echo "I:recreating the bar.example. key"
|
|
|
e55890 |
ret=0
|
|
|
e55890 |
-keyname=`$KEYCREATE $dhkeyname bar.example.` || ret=1
|
|
|
e55890 |
+keyname=`$KEYCREATE -r $RANDFILE $dhkeyname bar.example.` || ret=1
|
|
|
e55890 |
if [ $ret != 0 ]; then
|
|
|
e55890 |
echo "I:failed"
|
|
|
e55890 |
status=`expr $status + $ret`
|
|
|
e55890 |
diff --git a/bin/tools/mdig.c b/bin/tools/mdig.c
|
|
|
27025e |
index bf6dbb6..0416b21 100644
|
|
|
e55890 |
--- a/bin/tools/mdig.c
|
|
|
e55890 |
+++ b/bin/tools/mdig.c
|
|
|
27025e |
@@ -1972,12 +1972,11 @@ main(int argc, char *argv[]) {
|
|
|
e55890 |
|
|
|
e55890 |
ectx = NULL;
|
|
|
e55890 |
RUNCHECK(isc_entropy_create(mctx, &ectx));
|
|
|
e55890 |
+ RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY));
|
|
|
e55890 |
RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
|
|
|
e55890 |
RUNCHECK(isc_entropy_getdata(ectx, cookie_secret,
|
|
|
e55890 |
sizeof(cookie_secret), NULL, 0));
|
|
|
e55890 |
|
|
|
e55890 |
- RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY));
|
|
|
e55890 |
-
|
|
|
e55890 |
ISC_LIST_INIT(queries);
|
|
|
27025e |
parse_args(false, argc, argv);
|
|
|
e55890 |
if (server == NULL)
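Review bot: Moving `dst_lib_init()` ahead of `isc_hash_create()` and of the `isc_entropy_getdata()` that fills `cookie_secret` is the right order if the crypto hook is installed by dst initialisation, but nothing says so; `/* dst_lib_init() first: on a crypto-random build it installs the entropy hook the hash seed and cookie_secret are drawn from */` above the call would stop the next reorder. Note that `ectx` gets no file or hook source anywhere in this hunk, so on a build without ISC_PLATFORM_CRYPTORANDOM the GOODONLY request for cookie_secret depends on something outside it. main() continues past the hunk.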
|
|
|
e55890 |
diff --git a/configure b/configure
|
|
|
27025e |
index ed002e0..a578874 100755
|
|
|
e55890 |
--- a/configure
|
|
|
e55890 |
+++ b/configure
|
|
|
e55890 |
@@ -640,6 +640,7 @@ ac_includes_default="\
|
|
|
e55890 |
|
|
|
e55890 |
ac_subst_vars='LTLIBOBJS
|
|
|
e55890 |
LIBOBJS
|
|
|
e55890 |
+LIBDIR_SUFFIX
|
|
|
e55890 |
BUILD_LIBS
|
|
|
e55890 |
BUILD_LDFLAGS
|
|
|
e55890 |
BUILD_CPPFLAGS
|
|
|
27025e |
@@ -821,6 +822,7 @@ XMLSTATS
|
|
|
e55890 |
NZDTARGETS
|
|
|
e55890 |
NZDSRCS
|
|
|
e55890 |
NZD_TOOLS
|
|
|
e55890 |
+ISC_PLATFORM_CRYPTORANDOM
|
|
|
e55890 |
PKCS11_TEST
|
|
|
e55890 |
PKCS11_ED25519
|
|
|
e55890 |
PKCS11_GOST
|
|
|
27025e |
@@ -1045,6 +1047,7 @@ with_eddsa
|
|
|
e55890 |
with_aes
|
|
|
e55890 |
enable_openssl_hash
|
|
|
e55890 |
with_cc_alg
|
|
|
e55890 |
+enable_crypto_rand
|
|
|
e55890 |
with_lmdb
|
|
|
e55890 |
with_libxml2
|
|
|
e55890 |
with_libjson
|
|
|
27025e |
@@ -1744,6 +1747,7 @@ Optional Features:
|
|
|
e55890 |
--enable-threads enable multithreading
|
|
|
e55890 |
--enable-native-pkcs11 use native PKCS11 for all crypto [default=no]
|
|
|
e55890 |
--enable-openssl-hash use OpenSSL for hash functions [default=no]
|
|
|
e55890 |
+ --enable-crypto-rand use the crypto provider for random [default=yes]
|
|
|
e55890 |
--enable-largefile 64-bit file support
|
|
|
e55890 |
--enable-backtrace log stack backtrace on abort [default=yes]
|
|
|
e55890 |
--enable-symtable use internal symbol table for backtrace
|
|
|
27025e |
@@ -17115,6 +17119,7 @@ case "$use_openssl" in
|
|
|
e55890 |
$as_echo "disabled because of native PKCS11" >&6; }
|
|
|
e55890 |
DST_OPENSSL_INC=""
|
|
|
e55890 |
CRYPTO="-DPKCS11CRYPTO"
|
|
|
e55890 |
+ CRYPTOLIB="pkcs11"
|
|
|
e55890 |
OPENSSLECDSALINKOBJS=""
|
|
|
e55890 |
OPENSSLECDSALINKSRCS=""
|
|
|
e55890 |
OPENSSLEDDSALINKOBJS=""
|
|
|
27025e |
@@ -17129,6 +17134,7 @@ $as_echo "disabled because of native PKCS11" >&6; }
|
|
|
e55890 |
$as_echo "no" >&6; }
|
|
|
e55890 |
DST_OPENSSL_INC=""
|
|
|
e55890 |
CRYPTO=""
|
|
|
e55890 |
+ CRYPTOLIB=""
|
|
|
e55890 |
OPENSSLECDSALINKOBJS=""
|
|
|
e55890 |
OPENSSLECDSALINKSRCS=""
|
|
|
e55890 |
OPENSSLEDDSALINKOBJS=""
|
|
|
27025e |
@@ -17141,6 +17147,7 @@ $as_echo "no" >&6; }
|
|
|
e55890 |
auto)
|
|
|
e55890 |
DST_OPENSSL_INC=""
|
|
|
e55890 |
CRYPTO=""
|
|
|
e55890 |
+ CRYPTOLIB=""
|
|
|
e55890 |
OPENSSLECDSALINKOBJS=""
|
|
|
e55890 |
OPENSSLECDSALINKSRCS=""
|
|
|
e55890 |
OPENSSLEDDSALINKOBJS=""
|
|
|
27025e |
@@ -17150,7 +17157,7 @@ $as_echo "no" >&6; }
|
|
|
e55890 |
OPENSSLLINKOBJS=""
|
|
|
e55890 |
OPENSSLLINKSRCS=""
|
|
|
e55890 |
as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
|
|
|
e55890 |
-If you don't want OpenSSL, use --without-openssl" "$LINENO" 5
|
|
|
e55890 |
+If you do not want OpenSSL, use --without-openssl" "$LINENO" 5
|
|
|
e55890 |
;;
|
|
|
e55890 |
*)
|
|
|
e55890 |
if test "yes" = "$want_native_pkcs11"
|
|
|
27025e |
@@ -17181,6 +17188,7 @@ $as_echo "not found" >&6; }
|
|
|
e55890 |
as_fn_error $? "\"$use_openssl/include/openssl/opensslv.h\" not found" "$LINENO" 5
|
|
|
e55890 |
fi
|
|
|
e55890 |
CRYPTO='-DOPENSSL'
|
|
|
e55890 |
+ CRYPTOLIB="openssl"
|
|
|
e55890 |
if test "/usr" = "$use_openssl"
|
|
|
e55890 |
then
|
|
|
e55890 |
DST_OPENSSL_INC=""
|
|
|
27025e |
@@ -17806,8 +17814,6 @@ fi
|
|
|
e55890 |
# Use OpenSSL for hash functions
|
|
|
e55890 |
#
|
|
|
e55890 |
|
|
|
e55890 |
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for using OpenSSL for hash functions" >&5
|
|
|
e55890 |
-$as_echo_n "checking for using OpenSSL for hash functions... " >&6; }
|
|
|
e55890 |
ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
|
|
|
e55890 |
case $want_openssl_hash in
|
|
|
e55890 |
yes)
|
|
|
27025e |
@@ -18182,6 +18188,86 @@ if test "rt" = "$have_clock_gt"; then
|
|
|
e55890 |
LIBS="-lrt $LIBS"
|
|
|
e55890 |
fi
|
|
|
e55890 |
|
|
|
e55890 |
+#
|
|
|
e55890 |
+# Use the crypto provider (OpenSSL/PKCS#11) for random functions
|
|
|
e55890 |
+#
|
|
|
e55890 |
+
|
|
|
e55890 |
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for using the crypto library (vs. builtin) for random functions" >&5
|
|
|
e55890 |
+$as_echo_n "checking for using the crypto library (vs. builtin) for random functions... " >&6; }
|
|
|
e55890 |
+# Check whether --enable-crypto-rand was given.
|
|
|
e55890 |
+if test "${enable_crypto_rand+set}" = set; then :
|
|
|
e55890 |
+ enableval=$enable_crypto_rand; want_crypto_rand="$enableval"
|
|
|
e55890 |
+else
|
|
|
e55890 |
+ want_crypto_rand="auto"
|
|
|
e55890 |
+fi
|
|
|
e55890 |
+
|
|
|
e55890 |
+if test "$want_crypto_rand" = "auto"
|
|
|
e55890 |
+then
|
|
|
e55890 |
+ case "$CRYPTOLIB" in
|
|
|
e55890 |
+ "")
|
|
|
e55890 |
+ want_crypto_rand="no"
|
|
|
e55890 |
+ ;;
|
|
|
e55890 |
+ pkcs11)
|
|
|
e55890 |
+ want_crypto_rand="yes"
|
|
|
e55890 |
+ ;;
|
|
|
e55890 |
+ openssl)
|
|
|
e55890 |
+ saved_cflags="$CFLAGS"
|
|
|
e55890 |
+ saved_libs="$LIBS"
|
|
|
e55890 |
+ CFLAGS="$CFLAGS $DST_OPENSSL_INC"
|
|
|
e55890 |
+ LIBS="$LIBS $DST_OPENSSL_LIBS"
|
|
|
e55890 |
+ if test "$cross_compiling" = yes; then :
|
|
|
e55890 |
+ want_crypto_rand="yes"
|
|
|
e55890 |
+else
|
|
|
e55890 |
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
|
|
e55890 |
+/* end confdefs.h. */
|
|
|
e55890 |
+
|
|
|
e55890 |
+#include <openssl/rand.h>
|
|
|
e55890 |
+
|
|
|
e55890 |
+unsigned char buf[128];
|
|
|
e55890 |
+
|
|
|
e55890 |
+int main()
|
|
|
e55890 |
+{
|
|
|
e55890 |
+ if (RAND_bytes(buf, 128) != 1)
|
|
|
e55890 |
+ return (1);
|
|
|
e55890 |
+ return (0);
|
|
|
e55890 |
+}
|
|
|
e55890 |
+
|
|
|
e55890 |
+_ACEOF
|
|
|
e55890 |
+if ac_fn_c_try_run "$LINENO"; then :
|
|
|
e55890 |
+ want_crypto_rand="yes"
|
|
|
e55890 |
+else
|
|
|
e55890 |
+ want_crypto_rand="no"
|
|
|
e55890 |
+fi
|
|
|
e55890 |
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
|
|
|
e55890 |
+ conftest.$ac_objext conftest.beam conftest.$ac_ext
|
|
|
e55890 |
+fi
|
|
|
e55890 |
+
|
|
|
e55890 |
+ CFLAGS="$saved_cflags"
|
|
|
e55890 |
+ LIBS="$saved_libs"
|
|
|
e55890 |
+ ;;
|
|
|
e55890 |
+ *)
|
|
|
e55890 |
+ as_fn_error $? "Unknown crypto library define $CRYPTOLIB" "$LINENO" 5
|
|
|
e55890 |
+ ;;
|
|
|
e55890 |
+ esac
|
|
|
e55890 |
+fi
|
|
|
e55890 |
+case $want_crypto_rand in
|
|
|
e55890 |
+ yes)
|
|
|
e55890 |
+ if test "$CRYPTOLIB" = ""
|
|
|
e55890 |
+ then
|
|
|
e55890 |
+ as_fn_error $? "No crypto library for random functions" "$LINENO" 5
|
|
|
e55890 |
+ fi
|
|
|
e55890 |
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: \"$CRYPTOLIB\"" >&5
|
|
|
e55890 |
+$as_echo "\"$CRYPTOLIB\"" >&6; }
|
|
|
e55890 |
+ ISC_PLATFORM_CRYPTORANDOM="#define ISC_PLATFORM_CRYPTORANDOM \"$CRYPTOLIB\""
|
|
|
e55890 |
+ ;;
|
|
|
e55890 |
+ no)
|
|
|
e55890 |
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
|
|
e55890 |
+$as_echo "no" >&6; }
|
|
|
e55890 |
+ ISC_PLATFORM_CRYPTORANDOM="#undef ISC_PLATFORM_CRYPTORANDOM"
|
|
|
e55890 |
+ ;;
|
|
|
e55890 |
+esac
|
|
|
e55890 |
+
|
|
|
e55890 |
+
|
|
|
e55890 |
#
|
|
|
e55890 |
# was --with-lmdb specified?
|
|
|
e55890 |
#
|
|
|
27025e |
@@ -20264,9 +20350,12 @@ _ACEOF
|
|
|
e55890 |
if ac_fn_c_try_compile "$LINENO"; then :
|
|
|
e55890 |
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: size_t for buflen; int for flags" >&5
|
|
|
e55890 |
$as_echo "size_t for buflen; int for flags" >&6; }
|
|
|
e55890 |
- $as_echo "#define IRS_GETNAMEINFO_SOCKLEN_T size_t" >>confdefs.h
|
|
|
e55890 |
+ # Changed to solve multilib conflict on Fedora
|
|
|
e55890 |
+ # AC_DEFINE(IRS_GETNAMEINFO_SOCKLEN_T, size_t)
|
|
|
e55890 |
+ # AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, size_t)
|
|
|
e55890 |
+ $as_echo "#define IRS_GETNAMEINFO_SOCKLEN_T socklen_t" >>confdefs.h
|
|
|
e55890 |
|
|
|
e55890 |
- $as_echo "#define IRS_GETNAMEINFO_BUFLEN_T size_t" >>confdefs.h
|
|
|
e55890 |
+ $as_echo "#define IRS_GETNAMEINFO_BUFLEN_T socklen_t" >>confdefs.h
|
|
|
e55890 |
|
|
|
e55890 |
$as_echo "#define IRS_GETNAMEINFO_FLAGS_T int" >>confdefs.h
|
|
|
e55890 |
|
|
|
27025e |
@@ -21581,12 +21670,7 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
|
|
|
e55890 |
ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM"
|
|
|
e55890 |
ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM"
|
|
|
e55890 |
if test "yes" = "$use_atomic"; then
|
|
|
e55890 |
- have_atomic=yes # set default
|
|
|
e55890 |
- case "$host" in
|
|
|
e55890 |
- i[3456]86-*)
|
|
|
e55890 |
- # XXX: some old x86 architectures actually do not support
|
|
|
e55890 |
- # (some of) these operations. Do we need stricter checks?
|
|
|
e55890 |
- # The cast to long int works around a bug in the HP C Compiler
|
|
|
e55890 |
+ # The cast to long int works around a bug in the HP C Compiler
|
|
|
e55890 |
# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
|
|
|
e55890 |
# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
|
|
|
e55890 |
# This bug is HP SR number 8606223364.
|
|
|
27025e |
@@ -21619,6 +21703,11 @@ cat >>confdefs.h <<_ACEOF
|
|
|
e55890 |
_ACEOF
|
|
|
e55890 |
|
|
|
e55890 |
|
|
|
e55890 |
+ have_atomic=yes # set default
|
|
|
e55890 |
+ case "$host" in
|
|
|
e55890 |
+ i[3456]86-*)
|
|
|
e55890 |
+ # XXX: some old x86 architectures actually do not support
|
|
|
e55890 |
+ # (some of) these operations. Do we need stricter checks?
|
|
|
e55890 |
if test $ac_cv_sizeof_void_p = 8; then
|
|
|
e55890 |
arch=x86_64
|
|
|
e55890 |
have_xaddq=yes
|
|
|
27025e |
@@ -21627,39 +21716,6 @@ _ACEOF
|
|
|
e55890 |
fi
|
|
|
e55890 |
;;
|
|
|
e55890 |
x86_64-*|amd64-*)
|
|
|
e55890 |
- # The cast to long int works around a bug in the HP C Compiler
|
|
|
e55890 |
-# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
|
|
|
e55890 |
-# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
|
|
|
e55890 |
-# This bug is HP SR number 8606223364.
|
|
|
e55890 |
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of void *" >&5
|
|
|
e55890 |
-$as_echo_n "checking size of void *... " >&6; }
|
|
|
e55890 |
-if ${ac_cv_sizeof_void_p+:} false; then :
|
|
|
e55890 |
- $as_echo_n "(cached) " >&6
|
|
|
e55890 |
-else
|
|
|
e55890 |
- if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (void *))" "ac_cv_sizeof_void_p" "$ac_includes_default"; then :
|
|
|
e55890 |
-
|
|
|
e55890 |
-else
|
|
|
e55890 |
- if test "$ac_cv_type_void_p" = yes; then
|
|
|
e55890 |
- { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
|
|
|
e55890 |
-$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
|
|
|
e55890 |
-as_fn_error 77 "cannot compute sizeof (void *)
|
|
|
e55890 |
-See \`config.log' for more details" "$LINENO" 5; }
|
|
|
e55890 |
- else
|
|
|
e55890 |
- ac_cv_sizeof_void_p=0
|
|
|
e55890 |
- fi
|
|
|
e55890 |
-fi
|
|
|
e55890 |
-
|
|
|
e55890 |
-fi
|
|
|
e55890 |
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_void_p" >&5
|
|
|
e55890 |
-$as_echo "$ac_cv_sizeof_void_p" >&6; }
|
|
|
e55890 |
-
|
|
|
e55890 |
-
|
|
|
e55890 |
-
|
|
|
e55890 |
-cat >>confdefs.h <<_ACEOF
|
|
|
e55890 |
-#define SIZEOF_VOID_P $ac_cv_sizeof_void_p
|
|
|
e55890 |
-_ACEOF
|
|
|
e55890 |
-
|
|
|
e55890 |
-
|
|
|
e55890 |
if test $ac_cv_sizeof_void_p = 8; then
|
|
|
e55890 |
arch=x86_64
|
|
|
e55890 |
have_xaddq=yes
|
|
|
27025e |
@@ -21690,6 +21746,10 @@ $as_echo_n "checking architecture type for atomic operations... " >&6; }
|
|
|
e55890 |
$as_echo "$arch" >&6; }
|
|
|
e55890 |
fi
|
|
|
e55890 |
|
|
|
e55890 |
+if test ! "$arch" = "x86_64" -a "$have_xaddq" = "yes"; then
|
|
|
e55890 |
+ as_fn_error $? "XADDQ present but disabled by Fedora patch!" "$LINENO" 5
|
|
|
e55890 |
+fi
|
|
|
e55890 |
+
|
|
|
e55890 |
if test "yes" = "$have_atomic"; then
|
|
|
e55890 |
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking compiler support for inline assembly code" >&5
|
|
|
e55890 |
$as_echo_n "checking compiler support for inline assembly code... " >&6; }
|
|
|
27025e |
@@ -24244,6 +24304,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS"
|
|
|
e55890 |
#
|
|
|
e55890 |
dlzdir='${DLZ_DRIVER_DIR}'
|
|
|
e55890 |
|
|
|
e55890 |
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for target libdir" >&5
|
|
|
e55890 |
+$as_echo_n "checking for target libdir... " >&6; }
|
|
|
e55890 |
+if test "$cross_compiling" = yes; then :
|
|
|
e55890 |
+ { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
|
|
|
e55890 |
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
|
|
|
e55890 |
+as_fn_error $? "cannot run test program while cross compiling
|
|
|
e55890 |
+See \`config.log' for more details" "$LINENO" 5; }
|
|
|
e55890 |
+else
|
|
|
e55890 |
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
|
|
e55890 |
+/* end confdefs.h. */
|
|
|
e55890 |
+int main(void) {exit((sizeof(void *) == 8) ? 0 : 1);}
|
|
|
e55890 |
+_ACEOF
|
|
|
e55890 |
+if ac_fn_c_try_run "$LINENO"; then :
|
|
|
e55890 |
+ target_lib=lib64
|
|
|
e55890 |
+else
|
|
|
e55890 |
+ target_lib=lib
|
|
|
e55890 |
+fi
|
|
|
e55890 |
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
|
|
|
e55890 |
+ conftest.$ac_objext conftest.beam conftest.$ac_ext
|
|
|
e55890 |
+fi
|
|
|
e55890 |
+
|
|
|
e55890 |
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: \"$target_lib\"" >&5
|
|
|
e55890 |
+$as_echo "\"$target_lib\"" >&6; }
|
|
|
e55890 |
+
|
|
|
e55890 |
#
|
|
|
e55890 |
# Private autoconf macro to simplify configuring drivers:
|
|
|
e55890 |
#
|
|
|
27025e |
@@ -24574,11 +24658,11 @@ $as_echo "no" >&6; }
|
|
|
e55890 |
$as_echo "using mysql with libs ${mysql_lib} and includes ${mysql_include}" >&6; }
|
|
|
e55890 |
;;
|
|
|
e55890 |
*)
|
|
|
e55890 |
- if test -d "$use_dlz_mysql/lib/mysql"
|
|
|
e55890 |
+ if test -d $use_dlz_mysql/${target_lib}/mysql
|
|
|
e55890 |
then
|
|
|
e55890 |
- mysql_lib="$use_dlz_mysql/lib/mysql"
|
|
|
e55890 |
+ mysql_lib=$use_dlz_mysql/${target_lib}/mysql
|
|
|
e55890 |
else
|
|
|
e55890 |
- mysql_lib="$use_dlz_mysql/lib"
|
|
|
e55890 |
+ mysql_lib=$use_dlz_mysql/${target_lib}
|
|
|
e55890 |
fi
|
|
|
e55890 |
|
|
|
e55890 |
CONTRIB_DLZ="$CONTRIB_DLZ -DDLZ_MYSQL"
|
|
|
27025e |
@@ -24663,7 +24747,7 @@ $as_echo "" >&6; }
|
|
|
e55890 |
# Check other locations for includes.
|
|
|
e55890 |
# Order is important (sigh).
|
|
|
e55890 |
|
|
|
e55890 |
- bdb_incdirs="/db53 /db51 /db48 /db47 /db46 /db45 /db44 /db43 /db42 /db41 /db4 /db"
|
|
|
e55890 |
+ bdb_incdirs="/db53 /db51 /db48 /db47 /db46 /db45 /db44 /db43 /db42 /db41 /db4 /libdb /db"
|
|
|
e55890 |
# include a blank element first
|
|
|
e55890 |
for d in "" $bdb_incdirs
|
|
|
e55890 |
do
|
|
|
27025e |
@@ -24688,57 +24772,9 @@ $as_echo "" >&6; }
|
|
|
e55890 |
bdb_libnames="db53 db-5.3 db51 db-5.1 db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db"
|
|
|
e55890 |
for d in $bdb_libnames
|
|
|
e55890 |
do
|
|
|
e55890 |
- if test "$dd" = "/usr"
|
|
|
27025e |
- then
|
|
|
e55890 |
- as_ac_Lib=`$as_echo "ac_cv_lib_$d''_db_create" | $as_tr_sh`
|
|
|
e55890 |
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for db_create in -l$d" >&5
|
|
|
e55890 |
-$as_echo_n "checking for db_create in -l$d... " >&6; }
|
|
|
e55890 |
-if eval \${$as_ac_Lib+:} false; then :
|
|
|
e55890 |
- $as_echo_n "(cached) " >&6
|
|
|
e55890 |
-else
|
|
|
e55890 |
- ac_check_lib_save_LIBS=$LIBS
|
|
|
e55890 |
-LIBS="-l$d $LIBS"
|
|
|
e55890 |
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
|
|
e55890 |
-/* end confdefs.h. */
|
|
|
e55890 |
-
|
|
|
e55890 |
-/* Override any GCC internal prototype to avoid an error.
|
|
|
e55890 |
- Use char because int might match the return type of a GCC
|
|
|
e55890 |
- builtin and then its argument prototype would still apply. */
|
|
|
e55890 |
-#ifdef __cplusplus
|
|
|
e55890 |
-extern "C"
|
|
|
e55890 |
-#endif
|
|
|
e55890 |
-char db_create ();
|
|
|
e55890 |
-int
|
|
|
e55890 |
-main ()
|
|
|
e55890 |
-{
|
|
|
e55890 |
-return db_create ();
|
|
|
e55890 |
- ;
|
|
|
e55890 |
- return 0;
|
|
|
e55890 |
-}
|
|
|
e55890 |
-_ACEOF
|
|
|
e55890 |
-if ac_fn_c_try_link "$LINENO"; then :
|
|
|
e55890 |
- eval "$as_ac_Lib=yes"
|
|
|
e55890 |
-else
|
|
|
e55890 |
- eval "$as_ac_Lib=no"
|
|
|
e55890 |
-fi
|
|
|
e55890 |
-rm -f core conftest.err conftest.$ac_objext \
|
|
|
e55890 |
- conftest$ac_exeext conftest.$ac_ext
|
|
|
e55890 |
-LIBS=$ac_check_lib_save_LIBS
|
|
|
e55890 |
-fi
|
|
|
e55890 |
-eval ac_res=\$$as_ac_Lib
|
|
|
e55890 |
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
|
|
|
e55890 |
-$as_echo "$ac_res" >&6; }
|
|
|
e55890 |
-if eval test \"x\$"$as_ac_Lib"\" = x"yes"; then :
|
|
|
e55890 |
- dlz_bdb_libs="-l${d}"
|
|
|
e55890 |
-fi
|
|
|
e55890 |
-
|
|
|
e55890 |
- if test $dlz_bdb_libs != "yes"
|
|
|
e55890 |
- then
|
|
|
e55890 |
- break
|
|
|
e55890 |
- fi
|
|
|
e55890 |
- elif test -f "$dd/lib/lib${d}.so"
|
|
|
27025e |
+ if test -f "$dd/${target_lib}/lib${d}.so"
|
|
|
27025e |
then
|
|
|
e55890 |
- dlz_bdb_libs="-L${dd}/lib -l${d}"
|
|
|
e55890 |
+ dlz_bdb_libs="-L${dd}/${target_lib}/libdb -l${d}"
|
|
|
e55890 |
break
|
|
|
e55890 |
fi
|
|
|
e55890 |
done
|
|
|
27025e |
@@ -24897,10 +24933,10 @@ $as_echo "no" >&6; }
|
|
|
e55890 |
DLZ_DRIVER_INCLUDES="$DLZ_DRIVER_INCLUDES -I$use_dlz_ldap/include"
|
|
|
e55890 |
DLZ_DRIVER_LDAP_INCLUDES="-I$use_dlz_ldap/include"
|
|
|
e55890 |
fi
|
|
|
e55890 |
- if test -n "-L$use_dlz_ldap/lib -lldap -llber"
|
|
|
e55890 |
+ if test -n "-L$use_dlz_ldap/${target_lib} -lldap -llber"
|
|
|
e55890 |
then
|
|
|
e55890 |
- DLZ_DRIVER_LIBS="$DLZ_DRIVER_LIBS -L$use_dlz_ldap/lib -lldap -llber"
|
|
|
e55890 |
- DLZ_DRIVER_LDAP_LIBS="-L$use_dlz_ldap/lib -lldap -llber"
|
|
|
e55890 |
+ DLZ_DRIVER_LIBS="$DLZ_DRIVER_LIBS -L$use_dlz_ldap/${target_lib} -lldap -llber"
|
|
|
e55890 |
+ DLZ_DRIVER_LDAP_LIBS="-L$use_dlz_ldap/${target_lib} -lldap -llber"
|
|
|
e55890 |
fi
|
|
|
e55890 |
|
|
|
e55890 |
|
|
|
27025e |
@@ -24986,11 +25022,11 @@ fi
|
|
|
e55890 |
odbcdirs="/usr /usr/local /usr/pkg"
|
|
|
e55890 |
for d in $odbcdirs
|
|
|
e55890 |
do
|
|
|
e55890 |
- if test -f $d/include/sql.h -a -f $d/lib/libodbc.a
|
|
|
e55890 |
+ if test -f $d/include/sql.h -a -f $d/${target_lib}/libodbc.a
|
|
|
e55890 |
then
|
|
|
e55890 |
use_dlz_odbc=$d
|
|
|
e55890 |
dlz_odbc_include="-I$use_dlz_odbc/include"
|
|
|
e55890 |
- dlz_odbc_libs="-L$use_dlz_odbc/lib -lodbc"
|
|
|
e55890 |
+ dlz_odbc_libs="-L$use_dlz_odbc/${target_lib} -lodbc"
|
|
|
e55890 |
break
|
|
|
e55890 |
fi
|
|
|
e55890 |
done
|
|
|
27025e |
@@ -25265,6 +25301,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS"
|
|
|
e55890 |
|
|
|
e55890 |
|
|
|
e55890 |
|
|
|
e55890 |
+
|
|
|
e55890 |
+
|
|
|
e55890 |
#
|
|
|
e55890 |
# Commands to run at the end of config.status.
|
|
|
e55890 |
# Don't just put these into configure, it won't work right if somebody
|
|
|
27025e |
@@ -27644,6 +27682,8 @@ report() {
|
|
|
e55890 |
echo " IPv6 support (--enable-ipv6)"
|
|
|
e55890 |
test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \
|
|
|
e55890 |
echo " OpenSSL cryptography/DNSSEC (--with-openssl)"
|
|
|
e55890 |
+ test "no" = "$want_crypto_rand" || \
|
|
|
e55890 |
+ echo " Crypto provider entropy source (--enable-crypto-rand)"
|
|
|
e55890 |
test "X$PYTHON" = "X" || echo " Python tools (--with-python)"
|
|
|
e55890 |
test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)"
|
|
|
e55890 |
test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)"
|
|
|
27025e |
@@ -27684,6 +27724,8 @@ report() {
|
|
|
e55890 |
echo " Very verbose query trace logging (--enable-querytrace)"
|
|
|
27025e |
test "no" = "$with_cmocka" || echo " CMocka Unit Testing Framework (--with-cmocka)"
|
|
|
e55890 |
|
|
|
e55890 |
+ echo " Cryptographic library for DNSSEC: $CRYPTOLIB"
|
|
|
e55890 |
+
|
|
|
e55890 |
echo " Dynamically loadable zone (DLZ) drivers:"
|
|
|
e55890 |
test "no" = "$use_dlz_bdb" || \
|
|
|
e55890 |
echo " Berkeley DB (--with-dlz-bdb)"
|
|
|
27025e |
@@ -27731,6 +27773,8 @@ report() {
|
|
|
e55890 |
echo " ECDSA algorithm support (--with-ecdsa)"
|
|
|
e55890 |
test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \
|
|
|
e55890 |
echo " EDDSA algorithm support (--with-eddsa)"
|
|
|
e55890 |
+ test "yes" = "$want_crypto_rand" || \
|
|
|
e55890 |
+ echo " Crypto provider entropy source (--enable-crypto-rand)"
|
|
|
e55890 |
|
|
|
e55890 |
test "yes" = "$enable_seccomp" || \
|
|
|
e55890 |
echo " Use libseccomp system call filtering (--enable-seccomp)"
|
|
|
27025e |
diff --git a/configure.ac b/configure.ac
|
|
|
27025e |
index 45a8126..bb1345b 100644
|
|
|
27025e |
--- a/configure.ac
|
|
|
27025e |
+++ b/configure.ac
|
|
|
27025e |
@@ -1537,6 +1537,7 @@ case "$use_openssl" in
|
|
|
e55890 |
AC_MSG_RESULT(disabled because of native PKCS11)
|
|
|
e55890 |
DST_OPENSSL_INC=""
|
|
|
e55890 |
CRYPTO="-DPKCS11CRYPTO"
|
|
|
e55890 |
+ CRYPTOLIB="pkcs11"
|
|
|
e55890 |
OPENSSLECDSALINKOBJS=""
|
|
|
e55890 |
OPENSSLECDSALINKSRCS=""
|
|
|
e55890 |
OPENSSLEDDSALINKOBJS=""
|
|
|
27025e |
@@ -1550,6 +1551,7 @@ case "$use_openssl" in
|
|
|
e55890 |
AC_MSG_RESULT(no)
|
|
|
e55890 |
DST_OPENSSL_INC=""
|
|
|
e55890 |
CRYPTO=""
|
|
|
e55890 |
+ CRYPTOLIB=""
|
|
|
e55890 |
OPENSSLECDSALINKOBJS=""
|
|
|
e55890 |
OPENSSLECDSALINKSRCS=""
|
|
|
e55890 |
OPENSSLEDDSALINKOBJS=""
|
|
|
27025e |
@@ -1562,6 +1564,7 @@ case "$use_openssl" in
|
|
|
e55890 |
auto)
|
|
|
e55890 |
DST_OPENSSL_INC=""
|
|
|
e55890 |
CRYPTO=""
|
|
|
e55890 |
+ CRYPTOLIB=""
|
|
|
e55890 |
OPENSSLECDSALINKOBJS=""
|
|
|
e55890 |
OPENSSLECDSALINKSRCS=""
|
|
|
e55890 |
OPENSSLEDDSALINKOBJS=""
|
|
|
27025e |
@@ -1572,7 +1575,7 @@ case "$use_openssl" in
|
|
|
e55890 |
OPENSSLLINKSRCS=""
|
|
|
e55890 |
AC_MSG_ERROR(
|
|
|
e55890 |
[OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
|
|
|
e55890 |
-If you don't want OpenSSL, use --without-openssl])
|
|
|
e55890 |
+If you do not want OpenSSL, use --without-openssl])
|
|
|
e55890 |
;;
|
|
|
e55890 |
*)
|
|
|
e55890 |
if test "yes" = "$want_native_pkcs11"
|
|
|
27025e |
@@ -1602,6 +1605,7 @@ If you don't want OpenSSL, use --without-openssl])
|
|
|
e55890 |
AC_MSG_ERROR(["$use_openssl/include/openssl/opensslv.h" not found])
|
|
|
e55890 |
fi
|
|
|
e55890 |
CRYPTO='-DOPENSSL'
|
|
|
e55890 |
+ CRYPTOLIB="openssl"
|
|
|
e55890 |
if test "/usr" = "$use_openssl"
|
|
|
e55890 |
then
|
|
|
e55890 |
DST_OPENSSL_INC=""
|
|
|
27025e |
@@ -2037,7 +2041,6 @@ fi
|
|
|
e55890 |
# Use OpenSSL for hash functions
|
|
|
e55890 |
#
|
|
|
e55890 |
|
|
|
e55890 |
-AC_MSG_CHECKING(for using OpenSSL for hash functions)
|
|
|
e55890 |
ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
|
|
|
e55890 |
case $want_openssl_hash in
|
|
|
e55890 |
yes)
|
|
|
27025e |
@@ -2309,6 +2312,67 @@ if test "rt" = "$have_clock_gt"; then
|
|
|
e55890 |
LIBS="-lrt $LIBS"
|
|
|
e55890 |
fi
|
|
|
e55890 |
|
|
|
e55890 |
+#
|
|
|
e55890 |
+# Use the crypto provider (OpenSSL/PKCS#11) for random functions
|
|
|
e55890 |
+#
|
|
|
e55890 |
+
|
|
|
e55890 |
+AC_MSG_CHECKING(for using the crypto library (vs. builtin) for random functions)
|
|
|
e55890 |
+AC_ARG_ENABLE(crypto-rand,
|
|
|
e55890 |
+ [ --enable-crypto-rand use the crypto provider for random [[default=yes]]],
|
|
|
e55890 |
+ want_crypto_rand="$enableval", want_crypto_rand="auto")
|
|
|
e55890 |
+if test "$want_crypto_rand" = "auto"
|
|
|
e55890 |
+then
|
|
|
e55890 |
+ case "$CRYPTOLIB" in
|
|
|
e55890 |
+ "")
|
|
|
e55890 |
+ want_crypto_rand="no"
|
|
|
e55890 |
+ ;;
|
|
|
e55890 |
+ pkcs11)
|
|
|
e55890 |
+ want_crypto_rand="yes"
|
|
|
e55890 |
+ ;;
|
|
|
e55890 |
+ openssl)
|
|
|
e55890 |
+ saved_cflags="$CFLAGS"
|
|
|
e55890 |
+ saved_libs="$LIBS"
|
|
|
e55890 |
+ CFLAGS="$CFLAGS $DST_OPENSSL_INC"
|
|
|
e55890 |
+ LIBS="$LIBS $DST_OPENSSL_LIBS"
|
|
|
e55890 |
+ AC_TRY_RUN([
|
|
|
e55890 |
+#include <openssl/rand.h>
|
|
|
e55890 |
+
|
|
|
e55890 |
+unsigned char buf[128];
|
|
|
e55890 |
+
|
|
|
e55890 |
+int main()
|
|
|
e55890 |
+{
|
|
|
e55890 |
+ if (RAND_bytes(buf, 128) != 1)
|
|
|
e55890 |
+ return (1);
|
|
|
e55890 |
+ return (0);
|
|
|
e55890 |
+}
|
|
|
e55890 |
+],
|
|
|
e55890 |
+ [want_crypto_rand="yes"],
|
|
|
e55890 |
+ [want_crypto_rand="no"],
|
|
|
e55890 |
+ [want_crypto_rand="yes"])
|
|
|
e55890 |
+ CFLAGS="$saved_cflags"
|
|
|
e55890 |
+ LIBS="$saved_libs"
|
|
|
e55890 |
+ ;;
|
|
|
e55890 |
+ *)
|
|
|
e55890 |
+ AC_MSG_ERROR([Unknown crypto library define $CRYPTOLIB])
|
|
|
e55890 |
+ ;;
|
|
|
e55890 |
+ esac
|
|
|
e55890 |
+fi
|
|
|
e55890 |
+case $want_crypto_rand in
|
|
|
e55890 |
+ yes)
|
|
|
e55890 |
+ if test "$CRYPTOLIB" = ""
|
|
|
e55890 |
+ then
|
|
|
e55890 |
+ AC_MSG_ERROR([No crypto library for random functions])
|
|
|
e55890 |
+ fi
|
|
|
e55890 |
+ AC_MSG_RESULT(["$CRYPTOLIB"])
|
|
|
e55890 |
+ ISC_PLATFORM_CRYPTORANDOM="#define ISC_PLATFORM_CRYPTORANDOM \"$CRYPTOLIB\""
|
|
|
e55890 |
+ ;;
|
|
|
e55890 |
+ no)
|
|
|
e55890 |
+ AC_MSG_RESULT(no)
|
|
|
e55890 |
+ ISC_PLATFORM_CRYPTORANDOM="#undef ISC_PLATFORM_CRYPTORANDOM"
|
|
|
e55890 |
+ ;;
|
|
|
e55890 |
+esac
|
|
|
e55890 |
+AC_SUBST(ISC_PLATFORM_CRYPTORANDOM)
|
|
|
e55890 |
+
|
|
|
e55890 |
#
|
|
|
e55890 |
# was --with-lmdb specified?
|
|
|
e55890 |
#
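Review bot: The `case $want_crypto_rand in` block handles only `yes` and `no`, so `--enable-crypto-rand=<anything else>` leaves ISC_PLATFORM_CRYPTORANDOM unset, AC_SUBST then emits an empty line into the platform header, and the build silently falls back to the builtin RNG while both report() lists treat the option as neither enabled nor disabled. Add a default arm: `*) AC_MSG_ERROR([--enable-crypto-rand takes yes or no]) ;;`. The help string also advertises `[default=yes]` while the code defaults to `auto`, and the auto path resolves to `no` whenever CRYPTOLIB is empty or the RAND_bytes() probe fails, so it should read `[default=auto]`. The cross-compiling fallback picks `yes` without any probe; that is defensible but deserves a one-line comment, since it decides where the server's randomness comes from.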
|
|
|
27025e |
@@ -4105,12 +4169,12 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
|
|
|
e55890 |
ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM"
|
|
|
e55890 |
ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM"
|
|
|
e55890 |
if test "yes" = "$use_atomic"; then
|
|
|
e55890 |
+ AC_CHECK_SIZEOF([void *])
|
|
|
e55890 |
have_atomic=yes # set default
|
|
|
e55890 |
case "$host" in
|
|
|
e55890 |
[i[3456]86-*])
|
|
|
e55890 |
# XXX: some old x86 architectures actually do not support
|
|
|
e55890 |
# (some of) these operations. Do we need stricter checks?
|
|
|
e55890 |
- AC_CHECK_SIZEOF([void *])
|
|
|
e55890 |
if test $ac_cv_sizeof_void_p = 8; then
|
|
|
e55890 |
arch=x86_64
|
|
|
e55890 |
have_xaddq=yes
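Review bot: This is the only configure.ac change for the atomics block, yet the regenerated configure in the same patch carries hand edits with no source here: the `XADDQ present but disabled by Fedora patch!` error, the `target libdir` run test, and the `${target_lib}` rewrites of the DLZ search paths. Anyone running autoreconf will silently lose them, and the patch is harder to audit because configure and configure.ac no longer correspond; please express the same logic in configure.ac (an AC_MSG_ERROR after the case, and the libdir probe via AC_RUN_IFELSE). Two details in the hand-edited configure also deserve a look while doing so: the libdir probe calls `exit()` without including `<stdlib.h>`, which newer compilers reject as an implicit declaration and would make every build fall back to `lib`, and the Berkeley DB branch tests for `$dd/${target_lib}/lib${d}.so` but then links with `-L${dd}/${target_lib}/libdb`, a different directory. The enclosing `if test "yes" = "$use_atomic"` block continues outside the hunk.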
|
|
|
27025e |
@@ -4119,7 +4183,6 @@ if test "yes" = "$use_atomic"; then
|
|
|
e55890 |
fi
|
|
|
e55890 |
;;
|
|
|
e55890 |
x86_64-*|amd64-*)
|
|
|
e55890 |
- AC_CHECK_SIZEOF([void *])
|
|
|
e55890 |
if test $ac_cv_sizeof_void_p = 8; then
|
|
|
e55890 |
arch=x86_64
|
|
|
e55890 |
have_xaddq=yes
|
|
|
27025e |
@@ -5527,6 +5590,8 @@ report() {
|
|
|
e55890 |
echo " IPv6 support (--enable-ipv6)"
|
|
|
e55890 |
test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \
|
|
|
e55890 |
echo " OpenSSL cryptography/DNSSEC (--with-openssl)"
|
|
|
e55890 |
+ test "no" = "$want_crypto_rand" || \
|
|
|
e55890 |
+ echo " Crypto provider entropy source (--enable-crypto-rand)"
|
|
|
e55890 |
test "X$PYTHON" = "X" || echo " Python tools (--with-python)"
|
|
|
e55890 |
test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)"
|
|
|
e55890 |
test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)"
|
|
|
27025e |
@@ -5567,6 +5632,8 @@ report() {
|
|
|
e55890 |
echo " Very verbose query trace logging (--enable-querytrace)"
|
|
|
27025e |
test "no" = "$with_cmocka" || echo " CMocka Unit Testing Framework (--with-cmocka)"
|
|
|
e55890 |
|
|
|
e55890 |
+ echo " Cryptographic library for DNSSEC: $CRYPTOLIB"
|
|
|
e55890 |
+
|
|
|
e55890 |
echo " Dynamically loadable zone (DLZ) drivers:"
|
|
|
e55890 |
test "no" = "$use_dlz_bdb" || \
|
|
|
e55890 |
echo " Berkeley DB (--with-dlz-bdb)"
|
|
|
27025e |
@@ -5614,6 +5681,8 @@ report() {
|
|
|
e55890 |
echo " ECDSA algorithm support (--with-ecdsa)"
|
|
|
e55890 |
test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \
|
|
|
e55890 |
echo " EDDSA algorithm support (--with-eddsa)"
|
|
|
e55890 |
+ test "yes" = "$want_crypto_rand" || \
|
|
|
e55890 |
+ echo " Crypto provider entropy source (--enable-crypto-rand)"
|
|
|
e55890 |
|
|
|
e55890 |
test "yes" = "$enable_seccomp" || \
|
|
|
e55890 |
echo " Use libseccomp system call filtering (--enable-seccomp)"
|
|
|
e55890 |
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
|
|
|
27025e |
index ec6e00e..1614afa 100644
|
|
|
e55890 |
--- a/lib/dns/dst_api.c
|
|
|
e55890 |
+++ b/lib/dns/dst_api.c
|
|
|
27025e |
@@ -277,6 +277,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
|
|
|
e55890 |
#ifdef GSSAPI
|
|
|
e55890 |
RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI]));
|
|
|
e55890 |
#endif
|
|
|
e55890 |
+#if defined(OPENSSL) || defined(PKCS11CRYPTO)
|
|
|
e55890 |
+#ifdef ISC_PLATFORM_CRYPTORANDOM
|
|
|
e55890 |
+ if (dst_entropy_pool != NULL)
|
|
|
e55890 |
+ isc_entropy_sethook(dst_random_getdata);
|
|
|
e55890 |
+#endif
|
|
|
e55890 |
+#endif /* defined(OPENSSL) || defined(PKCS11CRYPTO) */
|
|
|
27025e |
dst_initialized = true;
|
|
|
e55890 |
return (ISC_R_SUCCESS);
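Review bot: The new `#ifdef ISC_PLATFORM_CRYPTORANDOM` guard in dst_lib_init2() depends on a macro that configure writes into isc/platform.h, but unlike openssl_link.c (which adds `#include <isc/platform.h>` in this same patch) no include is added here; if dst_api.c only sees platform.h transitively, a later header reshuffle would compile the hook installation away with no diagnostic and the crypto RNG would silently never be routed through the entropy API. Add `#include <isc/platform.h>` next to the other isc headers. The condition on dst_entropy_pool is also not obvious, because isc_entropy_sethook() takes no context argument; a comment such as `/* The hook is process-global; only install it when a caller gave us an entropy context to route through it. */` would state the intent — presumably that is the intent, please confirm. dst_lib_init2() begins outside the hunk.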
|
|
|
e55890 |
|
|
|
27025e |
@@ -296,11 +302,19 @@ dst_lib_destroy(void) {
|
|
|
e55890 |
for (i = 0; i < DST_MAX_ALGS; i++)
|
|
|
e55890 |
if (dst_t_func[i] != NULL && dst_t_func[i]->cleanup != NULL)
|
|
|
e55890 |
dst_t_func[i]->cleanup();
|
|
|
e55890 |
+#if defined(OPENSSL) || defined(PKCS11CRYPTO)
|
|
|
e55890 |
+#ifdef ISC_PLATFORM_CRYPTORANDOM
|
|
|
e55890 |
+ if (dst_entropy_pool != NULL) {
|
|
|
27025e |
+ isc_entropy_usehook(dst_entropy_pool, false);
|
|
|
e55890 |
+ isc_entropy_sethook(NULL);
|
|
|
e55890 |
+ }
|
|
|
e55890 |
+#endif
|
|
|
e55890 |
#ifdef OPENSSL
|
|
|
e55890 |
dst__openssl_destroy();
|
|
|
e55890 |
#elif PKCS11CRYPTO
|
|
|
e55890 |
(void) dst__pkcs11_destroy();
|
|
|
e55890 |
#endif /* if OPENSSL, elif PKCS11CRYPTO */
|
|
|
e55890 |
+#endif /* defined(OPENSSL) || defined(PKCS11CRYPTO) */
|
|
|
e55890 |
if (dst__memory_pool != NULL)
|
|
|
e55890 |
isc_mem_detach(&dst__memory_pool);
|
|
|
e55890 |
if (dst_entropy_pool != NULL)
|
|
|
27025e |
@@ -2002,13 +2016,17 @@ dst__entropy_getdata(void *buf, unsigned int len, bool pseudo) {
|
|
|
e55890 |
flags &= ~ISC_ENTROPY_GOODONLY;
|
|
|
e55890 |
else
|
|
|
e55890 |
flags |= ISC_ENTROPY_BLOCKING;
|
|
|
e55890 |
+#ifdef ISC_PLATFORM_CRYPTORANDOM
|
|
|
e55890 |
+ return (dst_random_getdata(buf, len, NULL, flags));
|
|
|
e55890 |
+#else
|
|
|
e55890 |
return (isc_entropy_getdata(dst_entropy_pool, buf, len, NULL, flags));
|
|
|
e55890 |
+#endif
|
|
|
e55890 |
#endif /* PKCS11CRYPTO */
|
|
|
e55890 |
}
|
|
|
e55890 |
|
|
|
e55890 |
unsigned int
|
|
|
e55890 |
dst__entropy_status(void) {
|
|
|
e55890 |
-#ifndef PKCS11CRYPTO
|
|
|
e55890 |
+#if !defined(PKCS11CRYPTO) && !defined(ISC_PLATFORM_CRYPTORANDOM)
|
|
|
e55890 |
#ifdef GSSAPI
|
|
|
e55890 |
unsigned int flags = dst_entropy_flags;
|
|
|
e55890 |
isc_result_t ret;
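Review bot: dst__entropy_status() now returns 0 for every ISC_PLATFORM_CRYPTORANDOM build, justified only by `/* Doesn't matter as it is not used in this case. */`; 0 is the value a caller would read as "no entropy at all", so if any tool does gate key generation on this status it would refuse or block exactly when the strong crypto RNG is in use. Either return a value reflecting that the RNG is always available, or make the comment state the guarantee: `/* The crypto provider supplies all randomness; there is no pool to measure. Callers must not gate on this value when ISC_PLATFORM_CRYPTORANDOM is defined. */`. In dst__entropy_getdata() the `pseudo`-derived ISC_ENTROPY_BLOCKING/GOODONLY flags are forwarded to dst_random_getdata(), but whether it honours them is not visible here; a short comment stating that contract would spare the next reader a trip into openssl_link.c. Both functions start or end outside the hunk.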
|
|
|
27025e |
@@ -2031,6 +2049,7 @@ dst__entropy_status(void) {
|
|
|
e55890 |
#endif
|
|
|
e55890 |
return (isc_entropy_status(dst_entropy_pool));
|
|
|
e55890 |
#else
|
|
|
e55890 |
+ /* Doesn't matter as it is not used in this case. */
|
|
|
e55890 |
return (0);
|
|
|
e55890 |
#endif
|
|
|
e55890 |
}
|
|
|
e55890 |
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
|
|
|
27025e |
index 1924e74..6813c96 100644
|
|
|
e55890 |
--- a/lib/dns/include/dst/dst.h
|
|
|
e55890 |
+++ b/lib/dns/include/dst/dst.h
|
|
|
27025e |
@@ -159,6 +159,14 @@ dst_lib_destroy(void);
|
|
|
e55890 |
* Releases all resources allocated by DST.
|
|
|
e55890 |
*/
|
|
|
e55890 |
|
|
|
e55890 |
+isc_result_t
|
|
|
e55890 |
+dst_random_getdata(void *data, unsigned int length,
|
|
|
e55890 |
+ unsigned int *returned, unsigned int flags);
|
|
|
e55890 |
+/*%<
|
|
|
e55890 |
+ * \brief Return data from the crypto random generator.
|
|
|
e55890 |
+ * Specialization of isc_entropy_getdata().
|
|
|
e55890 |
+ */
|
|
|
e55890 |
+
|
|
|
27025e |
bool
|
|
|
e55890 |
dst_algorithm_supported(unsigned int alg);
|
|
|
e55890 |
/*%<
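Review bot: The new dst_random_getdata() docblock says only that it is a specialization of isc_entropy_getdata(), which leaves the contract undefined: what `returned` receives, which `flags` are honoured (dst__entropy_getdata() in this patch passes ISC_ENTROPY_BLOCKING / GOODONLY through), and that it needs no entropy context at all. The declaration is also unconditional while every call site in dst_api.c sits under `#ifdef ISC_PLATFORM_CRYPTORANDOM`; if the definition is likewise conditional, the exported symbol will be absent in builtin-RNG builds, which matters for the libdns.def.in export list this patch touches. I would expand the comment to document each parameter, list the accepted flags, and state under which configuration the symbol exists.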
|
|
|
e55890 |
diff --git a/lib/dns/lib.c b/lib/dns/lib.c
|
|
|
27025e |
index 304814b..60543c4 100644
|
|
|
e55890 |
--- a/lib/dns/lib.c
|
|
|
e55890 |
+++ b/lib/dns/lib.c
|
|
|
27025e |
@@ -18,6 +18,7 @@
|
|
|
27025e |
#include <stdbool.h>
|
|
|
e55890 |
#include <stddef.h>
|
|
|
e55890 |
|
|
|
e55890 |
+#include <isc/entropy.h>
|
|
|
e55890 |
#include <isc/hash.h>
|
|
|
e55890 |
#include <isc/mem.h>
|
|
|
e55890 |
#include <isc/msgcat.h>
|
|
|
27025e |
@@ -78,6 +79,7 @@ static unsigned int references = 0;
|
|
|
e55890 |
static void
|
|
|
e55890 |
initialize(void) {
|
|
|
e55890 |
isc_result_t result;
|
|
|
e55890 |
+ isc_entropy_t *ectx = NULL;
|
|
|
e55890 |
|
|
|
27025e |
REQUIRE(initialize_done == false);
|
|
|
e55890 |
|
|
|
27025e |
@@ -88,11 +90,14 @@ initialize(void) {
|
|
|
e55890 |
result = dns_ecdb_register(dns_g_mctx, &dbimp);
|
|
|
e55890 |
if (result != ISC_R_SUCCESS)
|
|
|
e55890 |
goto cleanup_mctx;
|
|
|
e55890 |
- result = isc_hash_create(dns_g_mctx, NULL, DNS_NAME_MAXWIRE);
|
|
|
e55890 |
+ result = isc_entropy_create(dns_g_mctx, &ectx);
|
|
|
e55890 |
if (result != ISC_R_SUCCESS)
|
|
|
e55890 |
goto cleanup_db;
|
|
|
e55890 |
+ result = isc_hash_create(dns_g_mctx, NULL, DNS_NAME_MAXWIRE);
|
|
|
e55890 |
+ if (result != ISC_R_SUCCESS)
|
|
|
e55890 |
+ goto cleanup_ectx;
|
|
|
e55890 |
|
|
|
e55890 |
- result = dst_lib_init(dns_g_mctx, NULL, 0);
|
|
|
e55890 |
+ result = dst_lib_init(dns_g_mctx, ectx, 0);
|
|
|
e55890 |
if (result != ISC_R_SUCCESS)
|
|
|
e55890 |
goto cleanup_hash;
|
|
|
e55890 |
|
|
|
27025e |
@@ -100,11 +105,17 @@ initialize(void) {
|
|
|
e55890 |
if (result != ISC_R_SUCCESS)
|
|
|
e55890 |
goto cleanup_dst;
|
|
|
e55890 |
|
|
|
e55890 |
+ isc_hash_init();
|
|
|
e55890 |
+ isc_entropy_detach(&ectx);
|
|
|
e55890 |
+
|
|
|
27025e |
initialize_done = true;
|
|
|
e55890 |
return;
|
|
|
e55890 |
|
|
|
e55890 |
cleanup_dst:
|
|
|
e55890 |
dst_lib_destroy();
|
|
|
e55890 |
+ cleanup_ectx:
|
|
|
e55890 |
+ if (ectx != NULL)
|
|
|
e55890 |
+ isc_entropy_detach(&ectx);
|
|
|
e55890 |
cleanup_hash:
|
|
|
e55890 |
isc_hash_destroy();
|
|
|
e55890 |
cleanup_db:
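Review bot: The cleanup labels in this hunk unwind in the wrong order for the gotos added in the previous hunk (`@@ -88,11 +90,14 @@`): a failed isc_hash_create() jumps to cleanup_ectx, detaches ectx and then falls through into isc_hash_destroy() for a hash context that was never created, while a failed dst_lib_init() jumps to cleanup_hash and never detaches ectx, leaking the entropy reference. If isc_hash_destroy() asserts on an uninitialised context, the first path turns an out-of-memory error into an assertion failure. Placing cleanup_hash before cleanup_ectx, so the labels mirror the acquisition order, fixes both paths without touching the gotos; the `ectx != NULL` guard then only matters for a future path that reaches the label without a context. The success-path detach after dst_lib_init() assumes dst_lib_init() attaches its own reference, which lives in dst_api.c outside this hunk and is worth confirming. initialize() begins and ends outside this hunk.
```c
cleanup_dst:
	dst_lib_destroy();
cleanup_hash:
	isc_hash_destroy();
cleanup_ectx:
	if (ectx != NULL)
		isc_entropy_detach(&ectx);
cleanup_db:
	/* … unchanged: remaining cleanup … */
```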
|
|
|
e55890 |
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
|
|
|
27025e |
index d65ce26..6849732 100644
|
|
|
e55890 |
--- a/lib/dns/openssl_link.c
|
|
|
e55890 |
+++ b/lib/dns/openssl_link.c
|
|
|
e55890 |
@@ -31,6 +31,7 @@
|
|
|
e55890 |
#include <isc/mem.h>
|
|
|
e55890 |
#include <isc/mutex.h>
|
|
|
e55890 |
#include <isc/mutexblock.h>
|
|
|
e55890 |
+#include <isc/platform.h>
|
|
|
e55890 |
#include <isc/string.h>
|
|
|
e55890 |
#include <isc/thread.h>
|
|
|
e55890 |
#include <isc/util.h>
|
|
|
e55890 |
@@ -46,8 +47,6 @@
|
|
|
e55890 |
#include <openssl/engine.h>
|
|
|
e55890 |
#endif
|
|
|
e55890 |
|
|
|
e55890 |
-static RAND_METHOD *rm = NULL;
|
|
|
e55890 |
-
|
|
|
e55890 |
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
|
|
|
e55890 |
static isc_mutex_t *locks = NULL;
|
|
|
e55890 |
static int nlocks;
|
|
|
e55890 |
@@ -57,6 +56,9 @@ static int nlocks;
|
|
|
e55890 |
static ENGINE *e = NULL;
|
|
|
e55890 |
#endif
|
|
|
e55890 |
|
|
|
e55890 |
+#ifndef ISC_PLATFORM_CRYPTORANDOM
|
|
|
e55890 |
+static RAND_METHOD *rm = NULL;
|
|
|
e55890 |
+
|
|
|
e55890 |
static int
|
|
|
e55890 |
entropy_get(unsigned char *buf, int num) {
|
|
|
e55890 |
isc_result_t result;
|
|
|
e55890 |
@@ -102,6 +104,7 @@ entropy_add(const void *buf, int num, double entropy) {
|
|
|
e55890 |
return (1);
|
|
|
e55890 |
}
|
|
|
e55890 |
#endif
|
|
|
e55890 |
+#endif /* !ISC_PLATFORM_CRYPTORANDOM */
|
|
|
e55890 |
|
|
|
e55890 |
#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
|
|
|
e55890 |
static void
|
|
|
27025e |
@@ -192,7 +195,7 @@ _set_thread_id(CRYPTO_THREADID *id)
|
|
|
e55890 |
isc_result_t
|
|
|
e55890 |
dst__openssl_init(const char *engine) {
|
|
|
e55890 |
isc_result_t result;
|
|
|
e55890 |
-#if !defined(OPENSSL_NO_ENGINE)
|
|
|
e55890 |
+#if !defined(OPENSSL_NO_ENGINE) && !defined(ISC_PLATFORM_CRYPTORANDOM)
|
|
|
e55890 |
ENGINE *re;
|
|
|
e55890 |
#else
|
|
|
e55890 |
UNUSED(engine);
|
|
|
27025e |
@@ -222,6 +225,7 @@ dst__openssl_init(const char *engine) {
|
|
|
e55890 |
ERR_load_crypto_strings();
|
|
|
e55890 |
#endif
|
|
|
e55890 |
|
|
|
e55890 |
+#ifndef ISC_PLATFORM_CRYPTORANDOM
|
|
|
e55890 |
rm = mem_alloc(sizeof(RAND_METHOD) FILELINE);
|
|
|
e55890 |
if (rm == NULL) {
|
|
|
e55890 |
result = ISC_R_NOMEMORY;
|
|
|
27025e |
@@ -233,6 +237,7 @@ dst__openssl_init(const char *engine) {
|
|
|
e55890 |
rm->add = entropy_add;
|
|
|
e55890 |
rm->pseudorand = entropy_getpseudo;
|
|
|
e55890 |
rm->status = entropy_status;
|
|
|
e55890 |
+#endif
|
|
|
e55890 |
|
|
|
e55890 |
#if !defined(OPENSSL_NO_ENGINE)
|
|
|
e55890 |
#if !defined(CONF_MFLAGS_DEFAULT_SECTION)
|
|
|
27025e |
@@ -266,6 +271,7 @@ dst__openssl_init(const char *engine) {
|
|
|
e55890 |
}
|
|
|
e55890 |
}
|
|
|
e55890 |
|
|
|
e55890 |
+#ifndef ISC_PLATFORM_CRYPTORANDOM
|
|
|
e55890 |
re = ENGINE_get_default_RAND();
|
|
|
e55890 |
if (re == NULL) {
|
|
|
e55890 |
re = ENGINE_new();
|
|
|
27025e |
@@ -278,9 +284,21 @@ dst__openssl_init(const char *engine) {
|
|
|
e55890 |
ENGINE_free(re);
|
|
|
e55890 |
} else
|
|
|
e55890 |
ENGINE_finish(re);
|
|
|
e55890 |
+#endif
|
|
|
e55890 |
#else
|
|
|
e55890 |
+#ifndef ISC_PLATFORM_CRYPTORANDOM
|
|
|
e55890 |
RAND_set_rand_method(rm);
|
|
|
e55890 |
+#endif
|
|
|
e55890 |
#endif /* !defined(OPENSSL_NO_ENGINE) */
|
|
|
e55890 |
+
|
|
|
e55890 |
+ /* Protect ourselves against unseeded PRNG */
|
|
|
e55890 |
+ if (RAND_status() != 1) {
|
|
|
e55890 |
+ FATAL_ERROR(__FILE__, __LINE__,
|
|
|
e55890 |
+ "OpenSSL pseudorandom number generator "
|
|
|
e55890 |
+ "cannot be initialized (see the `PRNG not "
|
|
|
e55890 |
+ "seeded' message in the OpenSSL FAQ)");
|
|
|
e55890 |
+ }
|
|
|
e55890 |
+
|
|
|
e55890 |
return (ISC_R_SUCCESS);
|
|
|
e55890 |
|
|
|
e55890 |
#if !defined(OPENSSL_NO_ENGINE)
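Review bot: The RAND_status() check added before the success return aborts the whole process through FATAL_ERROR() from inside a library initialiser, so a tool calling dst_lib_init() can neither report the unseeded generator in its own words nor release what it has set up. The function already has an error path after `return (ISC_R_SUCCESS)` that frees the engine and, without ISC_PLATFORM_CRYPTORANDOM, `rm`; returning a failure result through that path (its label is outside this hunk, presumably the one the earlier allocation failure uses) would leave the decision to the caller, e.g. `result = DST_R_OPENSSLFAILURE;` followed by that goto. Whichever form stays, the comment should say what is being tested, e.g. `/* RAND_status() returns 1 only once OpenSSL's PRNG has been seeded; refuse to run with an unseeded generator. */`. dst__openssl_init() begins in an earlier hunk and its cleanup labels continue in the next one.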
|
|
|
27025e |
@@ -288,10 +306,14 @@ dst__openssl_init(const char *engine) {
|
|
|
e55890 |
if (e != NULL)
|
|
|
e55890 |
ENGINE_free(e);
|
|
|
e55890 |
e = NULL;
|
|
|
e55890 |
+#ifndef ISC_PLATFORM_CRYPTORANDOM
|
|
|
e55890 |
mem_free(rm FILELINE);
|
|
|
e55890 |
rm = NULL;
|
|
|
e55890 |
#endif
|
|
|
e55890 |
+#endif
|
|
|
e55890 |
+#ifndef ISC_PLATFORM_CRYPTORANDOM
|
|
|
e55890 |
cleanup_mutexinit:
|
|
|
e55890 |
+#endif
|
|
|
e55890 |
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
|
|
|
e55890 |
CRYPTO_set_locking_callback(NULL);
|
|
|
e55890 |
DESTROYMUTEXBLOCK(locks, nlocks);
|
|
|
27025e |
@@ -306,14 +328,17 @@ void
|
|
|
e55890 |
dst__openssl_destroy(void) {
|
|
|
e55890 |
#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L)
|
|
|
e55890 |
OPENSSL_cleanup();
|
|
|
e55890 |
+#ifndef ISC_PLATFORM_CRYPTORANDOM
|
|
|
e55890 |
if (rm != NULL) {
|
|
|
e55890 |
mem_free(rm FILELINE);
|
|
|
e55890 |
rm = NULL;
|
|
|
e55890 |
}
|
|
|
e55890 |
+#endif
|
|
|
e55890 |
#else
|
|
|
e55890 |
/*
|
|
|
e55890 |
* Sequence taken from apps_shutdown() in <apps/apps.h>.
|
|
|
e55890 |
*/
|
|
|
e55890 |
+#ifndef ISC_PLATFORM_CRYPTORANDOM
|
|
|
e55890 |
if (rm != NULL) {
|
|
|
e55890 |
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
|
|
|
e55890 |
RAND_cleanup();
|
|
|
27025e |
@@ -321,6 +346,7 @@ dst__openssl_destroy(void) {
|
|
|
e55890 |
mem_free(rm FILELINE);
|
|
|
e55890 |
rm = NULL;
|
|
|
e55890 |
}
|
|
|
e55890 |
+#endif
|
|
|
e55890 |
#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
|
|
|
e55890 |
CONF_modules_free();
|
|
|
e55890 |
#endif
|
|
|
27025e |
@@ -456,11 +482,45 @@ dst__openssl_getengine(const char *engine) {
|
|
|
e55890 |
}
|
|
|
e55890 |
#endif
|
|
|
e55890 |
|
|
|
e55890 |
-#else /* OPENSSL */
|
|
|
e55890 |
+isc_result_t
|
|
|
e55890 |
+dst_random_getdata(void *data, unsigned int length,
|
|
|
e55890 |
+ unsigned int *returned, unsigned int flags) {
|
|
|
e55890 |
+#ifdef ISC_PLATFORM_CRYPTORANDOM
|
|
|
e55890 |
+#ifndef DONT_REQUIRE_DST_LIB_INIT
|
|
|
e55890 |
+ INSIST(dst__memory_pool != NULL);
|
|
|
e55890 |
+#endif
|
|
|
e55890 |
+ REQUIRE(data != NULL);
|
|
|
e55890 |
+ REQUIRE(length > 0);
|
|
|
e55890 |
|
|
|
e55890 |
-#include <isc/util.h>
|
|
|
e55890 |
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
|
|
|
e55890 |
+ if ((flags & ISC_ENTROPY_GOODONLY) == 0) {
|
|
|
e55890 |
+ if (RAND_pseudo_bytes((unsigned char *)data, (int)length) < 0)
|
|
|
e55890 |
+ return (dst__openssl_toresult2("RAND_pseudo_bytes",
|
|
|
e55890 |
+ DST_R_OPENSSLFAILURE));
|
|
|
e55890 |
+ } else {
|
|
|
e55890 |
+ if (RAND_bytes((unsigned char *)data, (int)length) != 1)
|
|
|
e55890 |
+ return (dst__openssl_toresult2("RAND_bytes",
|
|
|
e55890 |
+ DST_R_OPENSSLFAILURE));
|
|
|
e55890 |
+ }
|
|
|
e55890 |
+#else
|
|
|
e55890 |
+ UNUSED(flags);
|
|
|
e55890 |
|
|
|
e55890 |
-EMPTY_TRANSLATION_UNIT
|
|
|
e55890 |
+ if (RAND_bytes((unsigned char *)data, (int)length) != 1)
|
|
|
e55890 |
+ return (dst__openssl_toresult2("RAND_bytes",
|
|
|
e55890 |
+ DST_R_OPENSSLFAILURE));
|
|
|
e55890 |
+#endif
|
|
|
e55890 |
+ if (returned != NULL)
|
|
|
e55890 |
+ *returned = length;
|
|
|
e55890 |
+ return (ISC_R_SUCCESS);
|
|
|
e55890 |
+#else
|
|
|
e55890 |
+ UNUSED(data);
|
|
|
e55890 |
+ UNUSED(length);
|
|
|
e55890 |
+ UNUSED(returned);
|
|
|
e55890 |
+ UNUSED(flags);
|
|
|
e55890 |
+
|
|
|
e55890 |
+ return (ISC_R_NOTIMPLEMENTED);
|
|
|
e55890 |
+#endif
|
|
|
e55890 |
+}
|
|
|
e55890 |
|
|
|
e55890 |
#endif /* OPENSSL */
|
|
|
e55890 |
/*! \file */
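Review bot: `(int)length` silently truncates: `length` is an unsigned int, and a value above INT_MAX becomes a negative count for RAND_bytes()/RAND_pseudo_bytes(), after which the function still reports `*returned = length` whenever the call returns 1. Whether OpenSSL treats a negative count as an error or as a no-op depends on the version, so the limit should be enforced at the entry next to the existing REQUIREs: `REQUIRE(length <= INT_MAX);` (with <limits.h> if it is not already reachable here). The same cast and the same gap exist in the PKCS#11 variant added to lib/dns/pkcs11.c in `@@ -34,12 +37,32 @@` (`pk11_rand_bytes(data, (int) length)`).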
|
|
|
e55890 |
diff --git a/lib/dns/pkcs11.c b/lib/dns/pkcs11.c
|
|
|
e55890 |
index 5a2c502..8eaef53 100644
|
|
|
e55890 |
--- a/lib/dns/pkcs11.c
|
|
|
e55890 |
+++ b/lib/dns/pkcs11.c
|
|
|
e55890 |
@@ -13,12 +13,15 @@
|
|
|
e55890 |
|
|
|
e55890 |
#include <config.h>
|
|
|
e55890 |
|
|
|
e55890 |
+#include <isc/util.h>
|
|
|
e55890 |
+
|
|
|
e55890 |
#include <dns/log.h>
|
|
|
e55890 |
#include <dns/result.h>
|
|
|
e55890 |
|
|
|
e55890 |
#include <pk11/pk11.h>
|
|
|
e55890 |
#include <pk11/internal.h>
|
|
|
e55890 |
|
|
|
e55890 |
+#include "dst_internal.h"
|
|
|
e55890 |
#include "dst_pkcs11.h"
|
|
|
e55890 |
|
|
|
e55890 |
isc_result_t
|
|
|
e55890 |
@@ -34,12 +37,32 @@ dst__pkcs11_toresult(const char *funcname, const char *file, int line,
|
|
|
e55890 |
return (fallback);
|
|
|
e55890 |
}
|
|
|
e55890 |
|
|
|
e55890 |
+isc_result_t
|
|
|
e55890 |
+dst_random_getdata(void *data, unsigned int length,
|
|
|
e55890 |
+ unsigned int *returned, unsigned int flags) {
|
|
|
e55890 |
+#ifdef ISC_PLATFORM_CRYPTORANDOM
|
|
|
e55890 |
+ isc_result_t ret;
|
|
|
e55890 |
|
|
|
e55890 |
-#else /* PKCS11CRYPTO */
|
|
|
e55890 |
+#ifndef DONT_REQUIRE_DST_LIB_INIT
|
|
|
e55890 |
+ INSIST(dst__memory_pool != NULL);
|
|
|
e55890 |
+#endif
|
|
|
e55890 |
+ REQUIRE(data != NULL);
|
|
|
e55890 |
+ REQUIRE(length > 0);
|
|
|
e55890 |
+ UNUSED(flags);
|
|
|
e55890 |
|
|
|
e55890 |
-#include <isc/util.h>
|
|
|
e55890 |
+ ret = pk11_rand_bytes(data, (int) length);
|
|
|
e55890 |
+ if ((ret == ISC_R_SUCCESS) && (returned != NULL))
|
|
|
e55890 |
+ *returned = length;
|
|
|
e55890 |
+ return (ret);
|
|
|
e55890 |
+#else
|
|
|
e55890 |
+ UNUSED(data);
|
|
|
e55890 |
+ UNUSED(length);
|
|
|
e55890 |
+ UNUSED(returned);
|
|
|
e55890 |
+ UNUSED(flags);
|
|
|
e55890 |
|
|
|
e55890 |
-EMPTY_TRANSLATION_UNIT
|
|
|
e55890 |
+ return (ISC_R_NOTIMPLEMENTED);
|
|
|
e55890 |
+#endif
|
|
|
e55890 |
+}
|
|
|
e55890 |
|
|
|
e55890 |
#endif /* PKCS11CRYPTO */
|
|
|
e55890 |
/*! \file */
|
|
|
e55890 |
diff --git a/lib/dns/tests/Kyuafile b/lib/dns/tests/Kyuafile
|
|
|
27025e |
index 937b548..f3c0e38 100644
|
|
|
e55890 |
--- a/lib/dns/tests/Kyuafile
|
|
|
e55890 |
+++ b/lib/dns/tests/Kyuafile
|
|
|
27025e |
@@ -10,6 +10,7 @@ tap_test_program{name='dh_test'}
|
|
|
27025e |
tap_test_program{name='dispatch_test'}
|
|
|
27025e |
tap_test_program{name='dnstap_test'}
|
|
|
27025e |
tap_test_program{name='dst_test'}
|
|
|
27025e |
+tap_test_program{name='dstrandom_test'}
|
|
|
27025e |
tap_test_program{name='geoip_test'}
|
|
|
27025e |
tap_test_program{name='gost_test'}
|
|
|
27025e |
tap_test_program{name='keytable_test'}
|
|
|
e55890 |
diff --git a/lib/dns/tests/Makefile.in b/lib/dns/tests/Makefile.in
|
|
|
27025e |
index 90dc3a6..7671e1d 100644
|
|
|
e55890 |
--- a/lib/dns/tests/Makefile.in
|
|
|
e55890 |
+++ b/lib/dns/tests/Makefile.in
|
|
|
27025e |
@@ -37,6 +37,7 @@ SRCS = acl_test.c \
|
|
|
e55890 |
dnstap_test.c \
|
|
|
e55890 |
dst_test.c \
|
|
|
e55890 |
dnstest.c \
|
|
|
e55890 |
+ dstrandom_test.c \
|
|
|
e55890 |
geoip_test.c \
|
|
|
e55890 |
gost_test.c \
|
|
|
e55890 |
keytable_test.c \
|
|
|
27025e |
@@ -69,6 +70,7 @@ TARGETS = acl_test@EXEEXT@ \
|
|
|
e55890 |
dh_test@EXEEXT@ \
|
|
|
e55890 |
dispatch_test@EXEEXT@ \
|
|
|
e55890 |
dnstap_test@EXEEXT@ \
|
|
|
e55890 |
+ dstrandom_test@EXEEXT@ \
|
|
|
e55890 |
dst_test@EXEEXT@ \
|
|
|
e55890 |
geoip_test@EXEEXT@ \
|
|
|
e55890 |
gost_test@EXEEXT@ \
|
|
|
27025e |
@@ -258,6 +260,11 @@ zt_test@EXEEXT@: zt_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
|
|
|
27025e |
${LDFLAGS} -o $@ zt_test.@O@ dnstest.@O@ \
|
|
|
27025e |
${DNSLIBS} ${ISCLIBS} ${LIBS}
|
|
|
e55890 |
|
|
|
e55890 |
+dstrandom_test@EXEEXT@: dstrandom_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
|
|
|
e55890 |
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
|
|
|
e55890 |
+ dstrandom_test.@O@ ${DNSLIBS} \
|
|
|
e55890 |
+ ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
|
|
|
e55890 |
+
|
|
|
e55890 |
unit::
|
|
|
e55890 |
sh ${top_builddir}/unit/unittest.sh
|
|
|
e55890 |
|
|
|
e55890 |
diff --git a/lib/dns/tests/dstrandom_test.c b/lib/dns/tests/dstrandom_test.c
|
|
|
e55890 |
new file mode 100644
|
|
|
27025e |
index 0000000..bd3d164
|
|
|
e55890 |
--- /dev/null
|
|
|
e55890 |
+++ b/lib/dns/tests/dstrandom_test.c
|
|
|
27025e |
@@ -0,0 +1,115 @@
|
|
|
e55890 |
+/*
|
|
|
27025e |
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
|
|
e55890 |
+ *
|
|
|
27025e |
+ * This Source Code Form is subject to the terms of the Mozilla Public
|
|
|
27025e |
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
|
27025e |
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
|
e55890 |
+ *
|
|
|
27025e |
+ * See the COPYRIGHT file distributed with this work for additional
|
|
|
27025e |
+ * information regarding copyright ownership.
|
|
|
e55890 |
+ */
|
|
|
e55890 |
+
|
|
|
e55890 |
+#include <config.h>
|
|
|
e55890 |
+
|
|
|
27025e |
+#if HAVE_CMOCKA
|
|
|
27025e |
+
|
|
|
27025e |
+#include <stdarg.h>
|
|
|
27025e |
+#include <stddef.h>
|
|
|
27025e |
+#include <setjmp.h>
|
|
|
e55890 |
+
|
|
|
27025e |
+#include <stdlib.h>
|
|
|
e55890 |
+#include <stdio.h>
|
|
|
e55890 |
+#include <string.h>
|
|
|
27025e |
+#include <unistd.h>
|
|
|
27025e |
+
|
|
|
27025e |
+#define UNIT_TESTING
|
|
|
27025e |
+#include <cmocka.h>
|
|
|
e55890 |
+
|
|
|
e55890 |
+#include <isc/entropy.h>
|
|
|
e55890 |
+#include <isc/mem.h>
|
|
|
27025e |
+#include <isc/print.h>
|
|
|
e55890 |
+#include <isc/platform.h>
|
|
|
e55890 |
+#include <isc/util.h>
|
|
|
e55890 |
+
|
|
|
e55890 |
+#include <dst/dst.h>
|
|
|
e55890 |
+
|
|
|
e55890 |
+isc_mem_t *mctx = NULL;
|
|
|
e55890 |
+isc_entropy_t *ectx = NULL;
|
|
|
e55890 |
+unsigned char buffer[128];
|
|
|
e55890 |
+
|
|
|
27025e |
+/* isc_entropy_getdata() examples */
|
|
|
27025e |
+static void
|
|
|
27025e |
+isc_entropy_getdata_test(void **state) {
|
|
|
e55890 |
+ isc_result_t result;
|
|
|
e55890 |
+ unsigned int returned, status;
|
|
|
27025e |
+ const char *randomfile = "testdata/dstrandom/random.data";
|
|
|
e55890 |
+ int ret;
|
|
|
27025e |
+
|
|
|
27025e |
+ UNUSED(state);
|
|
|
e55890 |
+
|
|
|
e55890 |
+ isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
|
|
|
e55890 |
+ result = isc_mem_create(0, 0, &mctx);
|
|
|
27025e |
+ assert_int_equal(result, ISC_R_SUCCESS);
|
|
|
e55890 |
+ result = isc_entropy_create(mctx, &ectx);
|
|
|
27025e |
+ assert_int_equal(result, ISC_R_SUCCESS);
|
|
|
e55890 |
+ result = dst_lib_init(mctx, ectx, 0);
|
|
|
27025e |
+ assert_int_equal(result, ISC_R_SUCCESS);
|
|
|
e55890 |
+
|
|
|
e55890 |
+#ifdef ISC_PLATFORM_CRYPTORANDOM
|
|
|
27025e |
+ isc_entropy_usehook(ectx, true);
|
|
|
e55890 |
+
|
|
|
e55890 |
+ returned = 0;
|
|
|
e55890 |
+ result = isc_entropy_getdata(ectx, buffer, sizeof(buffer),
|
|
|
e55890 |
+ &returned, 0);
|
|
|
27025e |
+ assert_int_equal(result, ISC_R_SUCCESS);
|
|
|
27025e |
+ assert_int_equal(returned, sizeof(buffer));
|
|
|
e55890 |
+
|
|
|
e55890 |
+ status = isc_entropy_status(ectx);
|
|
|
27025e |
+ assert_int_equal(status, 0);
|
|
|
e55890 |
+
|
|
|
27025e |
+ isc_entropy_usehook(ectx, false);
|
|
|
e55890 |
+#endif
|
|
|
e55890 |
+
|
|
|
e55890 |
+ ret = chdir(TESTS);
|
|
|
27025e |
+ assert_int_equal(ret, 0);
|
|
|
e55890 |
+
|
|
|
e55890 |
+ result = isc_entropy_createfilesource(ectx, randomfile);
|
|
|
27025e |
+ assert_int_equal(result, ISC_R_SUCCESS);
|
|
|
e55890 |
+
|
|
|
e55890 |
+ returned = 0;
|
|
|
e55890 |
+ result = isc_entropy_getdata(ectx, buffer, sizeof(buffer),
|
|
|
e55890 |
+ &returned, 0);
|
|
|
27025e |
+ assert_int_equal(result, ISC_R_SUCCESS);
|
|
|
27025e |
+ assert_int_equal(returned, sizeof(buffer));
|
|
|
e55890 |
+
|
|
|
e55890 |
+ status = isc_entropy_status(ectx);
|
|
|
27025e |
+ assert_true(status > 0);
|
|
|
e55890 |
+
|
|
|
e55890 |
+ dst_lib_destroy();
|
|
|
e55890 |
+ isc_entropy_detach(&ectx);
|
|
|
27025e |
+ assert_null(ectx);
|
|
|
27025e |
+
|
|
|
e55890 |
+ isc_mem_destroy(&mctx);
|
|
|
27025e |
+ assert_null(mctx);
|
|
|
e55890 |
+}
|
|
|
e55890 |
+
|
|
|
27025e |
+int
|
|
|
27025e |
+main(void) {
|
|
|
27025e |
+ const struct CMUnitTest tests[] = {
|
|
|
27025e |
+ cmocka_unit_test(isc_entropy_getdata_test),
|
|
|
27025e |
+ };
|
|
|
e55890 |
+
|
|
|
27025e |
+ return (cmocka_run_group_tests(tests, NULL, NULL));
|
|
|
e55890 |
+}
|
|
|
e55890 |
+
|
|
|
27025e |
+#else /* HAVE_CMOCKA */
|
|
|
27025e |
+
|
|
|
27025e |
+#include <stdio.h>
|
|
|
27025e |
+
|
|
|
27025e |
+int
|
|
|
27025e |
+main(void) {
|
|
|
27025e |
+ printf("1..0 # Skipped: cmocka not available\n");
|
|
|
27025e |
+ return (0);
|
|
|
27025e |
+}
|
|
|
27025e |
+
|
|
|
27025e |
+#endif
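Review bot: Neither isc_entropy_getdata() call checks that anything was written to `buffer`; a hook that returned ISC_R_SUCCESS and set `*returned` without touching the output would pass this test. Clearing the buffer before each call and asserting it is no longer all zeros costs two lines per call, e.g. `memset(buffer, 0, sizeof(buffer));` before and `assert_memory_not_equal(buffer, zeros, sizeof(buffer));` after, against a file-scope `static const unsigned char zeros[sizeof(buffer)];`; string.h and cmocka are already included. The file-scope `mctx`, `ectx` and `buffer` are used only in this file and could be `static`. `chdir(TESTS)` also changes the working directory for any test added to this file later, which is worth a comment on that line.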
|
|
|
e55890 |
diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in
|
|
|
27025e |
index 5c45d59..34b660c 100644
|
|
|
e55890 |
--- a/lib/dns/win32/libdns.def.in
|
|
|
e55890 |
+++ b/lib/dns/win32/libdns.def.in
|
|
|
27025e |
@@ -1484,6 +1484,13 @@ dst_lib_destroy
|
|
|
e55890 |
dst_lib_init
|
|
|
e55890 |
dst_lib_init2
|
|
|
e55890 |
dst_lib_initmsgcat
|
|
|
e55890 |
+@IF PKCS11
|
|
|
e55890 |
+dst_random_getdata
|
|
|
e55890 |
+@ELSE PKCS11
|
|
|
e55890 |
+@IF OPENSSL
|
|
|
e55890 |
+dst_random_getdata
|
|
|
e55890 |
+@END OPENSSL
|
|
|
e55890 |
+@END PKCS11
|
|
|
e55890 |
dst_region_computeid
|
|
|
e55890 |
dst_region_computerid
|
|
|
e55890 |
dst_result_register
|
|
|
e55890 |
diff --git a/lib/isc/entropy.c b/lib/isc/entropy.c
|
|
|
27025e |
index ab2f617..ed05ed6 100644
|
|
|
e55890 |
--- a/lib/isc/entropy.c
|
|
|
e55890 |
+++ b/lib/isc/entropy.c
|
|
|
27025e |
@@ -104,11 +104,15 @@ struct isc_entropy {
|
|
|
27025e |
uint32_t initialized;
|
|
|
27025e |
uint32_t initcount;
|
|
|
e55890 |
isc_entropypool_t pool;
|
|
|
27025e |
+ bool usehook;
|
|
|
e55890 |
unsigned int nsources;
|
|
|
e55890 |
isc_entropysource_t *nextsource;
|
|
|
e55890 |
ISC_LIST(isc_entropysource_t) sources;
|
|
|
e55890 |
};
|
|
|
e55890 |
|
|
|
e55890 |
+/*% Global Hook */
|
|
|
e55890 |
+static isc_entropy_getdata_t hook;
|
|
|
e55890 |
+
|
|
|
e55890 |
/*% Sample Queue */
|
|
|
e55890 |
typedef struct {
|
|
|
27025e |
uint32_t last_time; /*%< last time recorded */
|
|
|
27025e |
@@ -557,6 +561,11 @@ isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length,
|
|
|
e55890 |
|
|
|
e55890 |
LOCK(&ent->lock);
|
|
|
e55890 |
|
|
|
e55890 |
+ if (ent->usehook && (hook != NULL)) {
|
|
|
e55890 |
+ UNLOCK(&ent->lock);
|
|
|
e55890 |
+ return (hook(data, length, returned, flags));
|
|
|
e55890 |
+ }
|
|
|
e55890 |
+
|
|
|
e55890 |
remain = length;
|
|
|
e55890 |
buf = data;
|
|
|
e55890 |
total = 0;
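Review bot: The global `hook` is read here after taking `ent->lock`, but isc_entropy_sethook() in the last hunk of this file (`@@ -1286,3 +1296,17 @@`) writes it with no lock at all, so the lock protects `ent->usehook` and not `hook`, and a concurrent sethook() is a data race on the function pointer. If the hook is only ever installed during single-threaded library initialisation that is acceptable, but it is a contract the API should state; the isc_entropy_sethook() comment added to lib/isc/include/isc/entropy.h could say `/* Not protected by any lock: call before any other thread can call isc_entropy_getdata(). */`. isc_entropy_getdata() starts and ends outside this hunk.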
|
|
|
27025e |
@@ -708,6 +717,7 @@ isc_entropy_create(isc_mem_t *mctx, isc_entropy_t **entp) {
|
|
|
e55890 |
ent->refcnt = 1;
|
|
|
e55890 |
ent->initialized = 0;
|
|
|
e55890 |
ent->initcount = 0;
|
|
|
27025e |
+ ent->usehook = false;
|
|
|
e55890 |
ent->magic = ENTROPY_MAGIC;
|
|
|
e55890 |
|
|
|
e55890 |
isc_entropypool_init(&ent->pool);
|
|
|
e55890 |
@@ -1286,3 +1296,17 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
|
|
|
e55890 |
*/
|
|
|
e55890 |
return (final_result);
|
|
|
e55890 |
}
|
|
|
e55890 |
+
|
|
|
e55890 |
+void
|
|
|
27025e |
+isc_entropy_usehook(isc_entropy_t *ectx, bool onoff) {
|
|
|
e55890 |
+ REQUIRE(VALID_ENTROPY(ectx));
|
|
|
e55890 |
+
|
|
|
e55890 |
+ LOCK(&ectx->lock);
|
|
|
e55890 |
+ ectx->usehook = onoff;
|
|
|
e55890 |
+ UNLOCK(&ectx->lock);
|
|
|
e55890 |
+}
|
|
|
e55890 |
+
|
|
|
e55890 |
+void
|
|
|
e55890 |
+isc_entropy_sethook(isc_entropy_getdata_t myhook) {
|
|
|
e55890 |
+ hook = myhook;
|
|
|
e55890 |
+}
|
|
|
e55890 |
diff --git a/lib/isc/include/isc/entropy.h b/lib/isc/include/isc/entropy.h
|
|
|
27025e |
index 4bba8e1..632166a 100644
|
|
|
e55890 |
--- a/lib/isc/include/isc/entropy.h
|
|
|
e55890 |
+++ b/lib/isc/include/isc/entropy.h
|
|
|
27025e |
@@ -304,6 +304,18 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
|
|
|
e55890 |
* isc_entropy_createcallbacksource().
|
|
|
e55890 |
*/
|
|
|
e55890 |
|
|
|
e55890 |
+void
|
|
|
27025e |
+isc_entropy_usehook(isc_entropy_t *ectx, bool onoff);
|
|
|
e55890 |
+/*!<
|
|
|
e55890 |
+ * \brief Mark/unmark the given entropy structure as being hooked.
|
|
|
e55890 |
+ */
|
|
|
e55890 |
+
|
|
|
e55890 |
+void
|
|
|
e55890 |
+isc_entropy_sethook(isc_entropy_getdata_t myhook);
|
|
|
e55890 |
+/*!<
|
|
|
e55890 |
+ * \brief Set the getdata hook (e.g., for a crypto random generator).
|
|
|
e55890 |
+ */
|
|
|
e55890 |
+
|
|
|
e55890 |
ISC_LANG_ENDDECLS
|
|
|
e55890 |
|
|
|
e55890 |
#endif /* ISC_ENTROPY_H */
|
|
|
e55890 |
diff --git a/lib/isc/include/isc/platform.h.in b/lib/isc/include/isc/platform.h.in
|
|
|
27025e |
index 9c7c342..ee8dc3e 100644
|
|
|
e55890 |
--- a/lib/isc/include/isc/platform.h.in
|
|
|
e55890 |
+++ b/lib/isc/include/isc/platform.h.in
|
|
|
27025e |
@@ -341,6 +341,11 @@
|
|
|
e55890 |
*/
|
|
|
e55890 |
@ISC_PLATFORM_HAVESTRINGSH@
|
|
|
e55890 |
|
|
|
e55890 |
+/*
|
|
|
e55890 |
+ * Define if the random functions are provided by crypto.
|
|
|
e55890 |
+ */
|
|
|
e55890 |
+@ISC_PLATFORM_CRYPTORANDOM@
|
|
|
e55890 |
+
|
|
|
e55890 |
/*
|
|
|
e55890 |
* Define if the hash functions must be provided by OpenSSL.
|
|
|
e55890 |
*/
|
|
|
e55890 |
diff --git a/lib/isc/include/isc/types.h b/lib/isc/include/isc/types.h
|
|
|
27025e |
index 42ff7e0..8d87c44 100644
|
|
|
e55890 |
--- a/lib/isc/include/isc/types.h
|
|
|
e55890 |
+++ b/lib/isc/include/isc/types.h
|
|
|
e55890 |
@@ -93,6 +93,8 @@ typedef struct isc_time isc_time_t; /*%< Time */
|
|
|
e55890 |
typedef struct isc_timer isc_timer_t; /*%< Timer */
|
|
|
e55890 |
typedef struct isc_timermgr isc_timermgr_t; /*%< Timer Manager */
|
|
|
e55890 |
|
|
|
e55890 |
+typedef isc_result_t (*isc_entropy_getdata_t)(void *, unsigned int,
|
|
|
e55890 |
+ unsigned int *, unsigned int);
|
|
|
e55890 |
typedef void (*isc_taskaction_t)(isc_task_t *, isc_event_t *);
|
|
|
e55890 |
typedef int (*isc_sockfdwatch_t)(isc_task_t *, isc_socket_t *, void *, int);
|
|
|
e55890 |
|
|
|
e55890 |
diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c
|
|
|
27025e |
index 8e6ed93..ceb5a2c 100644
|
|
|
e55890 |
--- a/lib/isc/pk11.c
|
|
|
e55890 |
+++ b/lib/isc/pk11.c
|
|
|
27025e |
@@ -321,14 +321,16 @@ pk11_rand_seed_fromfile(const char *randomfile) {
|
|
|
e55890 |
ret = isc_stdio_open(randomfile, "r", &stream);
|
|
|
e55890 |
if (ret != ISC_R_SUCCESS)
|
|
|
e55890 |
goto cleanup;
|
|
|
e55890 |
- ret = isc_stdio_read(seed, 1, SEEDSIZE, stream, &cc);
|
|
|
e55890 |
- if (ret!= ISC_R_SUCCESS)
|
|
|
e55890 |
- goto cleanup;
|
|
|
e55890 |
+ while (ret == ISC_R_SUCCESS) {
|
|
|
e55890 |
+ ret = isc_stdio_read(seed, 1, SEEDSIZE, stream, &cc);
|
|
|
e55890 |
+ if ((ret != ISC_R_SUCCESS) && (ret != ISC_R_EOF))
|
|
|
e55890 |
+ goto cleanup;
|
|
|
e55890 |
+ (void) pkcs_C_SeedRandom(ctx.session, seed, (CK_ULONG) cc);
|
|
|
e55890 |
+ }
|
|
|
e55890 |
ret = isc_stdio_close(stream);
|
|
|
e55890 |
stream = NULL;
|
|
|
e55890 |
- if (ret!= ISC_R_SUCCESS)
|
|
|
e55890 |
+ if (ret != ISC_R_SUCCESS)
|
|
|
e55890 |
goto cleanup;
|
|
|
e55890 |
- (void) pkcs_C_SeedRandom(ctx.session, seed, (CK_ULONG) cc);
|
|
|
e55890 |
|
|
|
e55890 |
cleanup:
|
|
|
e55890 |
if (stream != NULL)
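Review bot: The new loop runs until isc_stdio_read() reports ISC_R_EOF, so if `randomfile` names a device or FIFO rather than a regular file — /dev/urandom is a plausible value for a random-file option — it never terminates and the tool hangs at startup. The previous code seeded from a single SEEDSIZE read; bounding the loop by a total byte count keeps the intent of consuming a whole seed file while guaranteeing it ends. The loop also feeds the token on an ISC_R_EOF return, when `cc` may be 0; harmless, but a `cc > 0` guard makes that explicit. pk11_rand_seed_fromfile() starts before this hunk and `cleanup` continues after it; the counter would be declared next to `cc` at the top of the function.
```c
	/* declared beside cc at the top of pk11_rand_seed_fromfile(); assumes cc is size_t */
	size_t total = 0;

	/* … unchanged: open randomfile … */
	/* 16 * SEEDSIZE is a constructed bound; pick what the token actually needs */
	while (ret == ISC_R_SUCCESS && total < (size_t)16 * SEEDSIZE) {
		ret = isc_stdio_read(seed, 1, SEEDSIZE, stream, &cc);
		if ((ret != ISC_R_SUCCESS) && (ret != ISC_R_EOF))
			goto cleanup;
		if (cc > 0)
			(void) pkcs_C_SeedRandom(ctx.session, seed, (CK_ULONG) cc);
		total += cc;
	}
	/* … unchanged: close stream, cleanup … */
```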
|
|
|
e55890 |
diff --git a/lib/isc/win32/include/isc/platform.h.in b/lib/isc/win32/include/isc/platform.h.in
|
|
|
27025e |
index 5b8a2c9..913a2ce 100644
|
|
|
e55890 |
--- a/lib/isc/win32/include/isc/platform.h.in
|
|
|
e55890 |
+++ b/lib/isc/win32/include/isc/platform.h.in
|
|
|
27025e |
@@ -69,6 +69,11 @@
|
|
|
e55890 |
#define ISC_PLATFORM_NORETURN_PRE __declspec(noreturn)
|
|
|
e55890 |
#define ISC_PLATFORM_NORETURN_POST
|
|
|
e55890 |
|
|
|
e55890 |
+/*
|
|
|
e55890 |
+ * Define if the random functions are provided by crypto.
|
|
|
e55890 |
+ */
|
|
|
e55890 |
+@ISC_PLATFORM_CRYPTORANDOM@
|
|
|
e55890 |
+
|
|
|
e55890 |
/*
|
|
|
e55890 |
* Define if the hash functions must be provided by OpenSSL.
|
|
|
e55890 |
*/
|
|
|
e55890 |
diff --git a/win32utils/Configure b/win32utils/Configure
|
|
|
27025e |
index ccaf067..240fb80 100644
|
|
|
e55890 |
--- a/win32utils/Configure
|
|
|
e55890 |
+++ b/win32utils/Configure
|
|
|
27025e |
@@ -382,6 +382,7 @@ my @substdefh = ("ALLOW_FILTER_AAAA",
|
|
|
e55890 |
my %configdefp;
|
|
|
e55890 |
|
|
|
e55890 |
my @substdefp = ("ISC_PLATFORM_BUSYWAITNOP",
|
|
|
e55890 |
+ "ISC_PLATFORM_CRYPTORANDOM",
|
|
|
e55890 |
"ISC_PLATFORM_HAVEATOMICSTORE",
|
|
|
e55890 |
"ISC_PLATFORM_HAVEATOMICSTOREQ",
|
|
|
e55890 |
"ISC_PLATFORM_HAVECMPXCHG",
|
|
|
27025e |
@@ -517,7 +518,8 @@ my @allcond = (@substcond, "NOTYET", "NOLONGER");
|
|
|
e55890 |
|
|
|
e55890 |
# enable-xxx/disable-xxx
|
|
|
e55890 |
|
|
|
e55890 |
-my @enablelist = ("developer",
|
|
|
e55890 |
+my @enablelist = ("crypto-rand",
|
|
|
e55890 |
+ "developer",
|
|
|
e55890 |
"fixed-rrset",
|
|
|
e55890 |
"intrinsics",
|
|
|
e55890 |
"isc-spnego",
|
|
|
27025e |
@@ -581,6 +583,7 @@ my @help = (
|
|
|
e55890 |
"\nOptional Features:\n",
|
|
|
e55890 |
" enable-intrinsics enable instrinsic/atomic functions [default=yes]\n",
|
|
|
e55890 |
" enable-native-pkcs11 use native PKCS#11 for all crypto [default=no]\n",
|
|
|
e55890 |
+" enable-crypto-rand use crypto provider for random [default=yes]\n",
|
|
|
e55890 |
" enable-openssl-hash use OpenSSL for hash functions [default=yes]\n",
|
|
|
e55890 |
" enable-isc-spnego use SPNEGO from lib/dns [default=yes]\n",
|
|
|
e55890 |
" enable-filter-aaaa enable filtering of AAAA records [default=yes]\n",
|
|
|
27025e |
@@ -630,7 +633,9 @@ my $want_clean = "no";
|
|
|
e55890 |
my $want_unknown = "no";
|
|
|
e55890 |
my $unknown_value;
|
|
|
e55890 |
my $enable_intrinsics = "yes";
|
|
|
e55890 |
+my $cryptolib = "";
|
|
|
e55890 |
my $enable_native_pkcs11 = "no";
|
|
|
e55890 |
+my $enable_crypto_rand = "yes";
|
|
|
e55890 |
my $enable_openssl_hash = "auto";
|
|
|
e55890 |
my $enable_filter_aaaa = "yes";
|
|
|
e55890 |
my $enable_isc_spnego = "yes";
|
|
|
27025e |
@@ -850,6 +855,10 @@ sub myenable {
|
|
|
e55890 |
if ($val =~ /^yes$/i) {
|
|
|
e55890 |
$enable_native_pkcs11 = "yes";
|
|
|
e55890 |
}
|
|
|
e55890 |
+ } elsif ($key =~ /^crypto-rand$/i) {
|
|
|
e55890 |
+ if ($val =~ /^no$/i) {
|
|
|
e55890 |
+ $enable_crypto_rand = "no";
|
|
|
e55890 |
+ }
|
|
|
e55890 |
} elsif ($key =~ /^openssl-hash$/i) {
|
|
|
e55890 |
if ($val =~ /^yes$/i) {
|
|
|
e55890 |
$enable_openssl_hash = "yes";
|
|
|
27025e |
@@ -1158,6 +1167,11 @@ if ($verbose) {
|
|
|
e55890 |
} else {
|
|
|
e55890 |
print "native-pkcs11: disabled\n";
|
|
|
e55890 |
}
|
|
|
e55890 |
+ if ($enable_crypto_rand eq "yes") {
|
|
|
e55890 |
+ print "crypto-rand: enabled\n";
|
|
|
e55890 |
+ } else {
|
|
|
e55890 |
+ print "crypto-rand: disabled\n";
|
|
|
e55890 |
+ }
|
|
|
e55890 |
if ($enable_openssl_hash eq "yes") {
|
|
|
e55890 |
print "openssl-hash: enabled\n";
|
|
|
e55890 |
} else {
|
|
|
27025e |
@@ -1516,6 +1530,7 @@ if ($enable_intrinsics eq "yes") {
|
|
|
e55890 |
|
|
|
e55890 |
# enable-native-pkcs11
|
|
|
e55890 |
if ($enable_native_pkcs11 eq "yes") {
|
|
|
e55890 |
+ $cryptolib = "pkcs11";
|
|
|
e55890 |
if ($use_openssl eq "auto") {
|
|
|
e55890 |
$use_openssl = "no";
|
|
|
e55890 |
}
|
|
|
27025e |
@@ -1725,6 +1740,7 @@ if ($use_openssl eq "yes") {
|
|
|
e55890 |
$openssl_dll = File::Spec->catdir($openssl_path, "@dirlist[0]");
|
|
|
e55890 |
}
|
|
|
e55890 |
|
|
|
e55890 |
+ $cryptolib = "openssl";
|
|
|
e55890 |
$configcond{"OPENSSL"} = 1;
|
|
|
e55890 |
$configdefd{"CRYPTO"} = "OPENSSL";
|
|
|
e55890 |
$configvar{"OPENSSL_PATH"} = "$openssl_path";
|
|
|
27025e |
@@ -2296,6 +2312,15 @@ if ($use_aes eq "yes") {
|
|
|
e55890 |
}
|
|
|
e55890 |
|
|
|
27025e |
|
|
|
e55890 |
+# enable-crypto-rand
|
|
|
e55890 |
+if ($enable_crypto_rand eq "yes") {
|
|
|
e55890 |
+ if (($use_openssl eq "no") && ($enable_native_pkcs11 eq "no")) {
|
|
|
e55890 |
+ die "No crypto provider for random functions\n";
|
|
|
e55890 |
+ }
|
|
|
e55890 |
+ $configdefp{"ISC_PLATFORM_CRYPTORANDOM"} = "\"$cryptolib\"";
|
|
|
e55890 |
+}
|
|
|
e55890 |
+print "Cryptographic library for DNSSEC: $cryptolib";
|
|
|
e55890 |
+
|
|
|
e55890 |
# enable-openssl-hash
|
|
|
e55890 |
if ($enable_openssl_hash eq "yes") {
|
|
|
e55890 |
if ($use_openssl eq "no") {
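Review bot: The new `print "Cryptographic library for DNSSEC: $cryptolib";` has no trailing newline, unlike the neighbouring prints in this script, so whatever the script writes next lands on the same line; `print "Cryptographic library for DNSSEC: $cryptolib\n";` fixes it. It also runs unconditionally, so with crypto-rand disabled and no crypto library it prints an empty name; guarding it with `if ($cryptolib ne "")` or moving it inside the preceding block avoids that.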
|
|
|
27025e |
@@ -3671,6 +3696,7 @@ exit 0;
|
|
|
e55890 |
# --enable-developer partially supported
|
|
|
e55890 |
# --enable-newstats (9.9/9.9sub only)
|
|
|
e55890 |
# --enable-native-pkcs11 supported
|
|
|
e55890 |
+# --enable-crypto-rand supported
|
|
|
e55890 |
# --enable-openssl-version-check included without a way to disable it
|
|
|
e55890 |
# --enable-openssl-hash supported
|
|
|
e55890 |
# --enable-threads included without a way to disable it
|
|
|
e55890 |
--
|
|
|
27025e |
2.20.1
|
|
|
e55890 |
|