Commit 9a3a2573 authored by Ondřej Surý's avatar Ondřej Surý
Browse files

Always use random data from the crypto provider

parent 6a49d41c
......@@ -154,11 +154,9 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
DO("create entropy context", isc_entropy_create(mctx, &ectx));
#ifdef ISC_PLATFORM_CRYPTORANDOM
if (randomfile == NULL) {
isc_entropy_usehook(ectx, ISC_TRUE);
}
#endif
if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
randomfile = NULL;
open_keyboard = ISC_ENTROPY_KEYBOARDYES;
......
......@@ -239,11 +239,9 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
ISC_LIST_INIT(sources);
}
#ifdef ISC_PLATFORM_CRYPTORANDOM
if (randomfile == NULL) {
isc_entropy_usehook(*ectx, ISC_TRUE);
}
#endif
if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
usekeyboard = ISC_ENTROPY_KEYBOARDYES;
randomfile = NULL;
......
......@@ -89,11 +89,7 @@ options {\n\
# pid-file \"" NAMED_LOCALSTATEDIR "/run/named/named.pid\"; \n\
port 53;\n\
prefetch 2 9;\n"
#if defined(ISC_PLATFORM_CRYPTORANDOM)
" random-device none;\n"
#elif defined(PATH_RANDOMDEV)
" random-device \"" PATH_RANDOMDEV "\";\n"
#endif
" recursing-file \"named.recursing\";\n\
recursive-clients 1000;\n\
request-nsid false;\n\
......
......@@ -8536,18 +8536,7 @@ load_configuration(const char *filename, named_server_t *server,
}
}
if (randomdev == NULL) {
#ifdef ISC_PLATFORM_CRYPTORANDOM
isc_entropy_usehook(named_g_entropy, ISC_TRUE);
#else
if ((obj != NULL) && !cfg_obj_isvoid(obj))
level = ISC_LOG_INFO;
isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
NAMED_LOGMODULE_SERVER, level,
"no source of entropy found");
if ((obj == NULL) || cfg_obj_isvoid(obj)) {
CHECK(ISC_R_FAILURE);
}
#endif
} else {
result = isc_entropy_createfilesource(named_g_entropy,
randomdev);
......
......@@ -276,11 +276,9 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
randomfile = NULL;
}
#ifdef ISC_PLATFORM_CRYPTORANDOM
if (randomfile == NULL) {
isc_entropy_usehook(*ectx, ISC_TRUE);
}
#endif
result = isc_entropy_usebestsource(*ectx, &source, randomfile,
usekeyboard);
......
......@@ -278,11 +278,9 @@ main(int argc, char *argv[]) {
ectx = NULL;
RUNCHECK(isc_entropy_create(mctx, &ectx));
#ifdef ISC_PLATFORM_CRYPTORANDOM
if (randomfile == NULL) {
isc_entropy_usehook(ectx, ISC_TRUE);
}
#endif
if (randomfile != NULL)
RUNCHECK(isc_entropy_createfilesource(ectx, randomfile));
......
......@@ -185,9 +185,7 @@ main(int argc, char **argv) {
CHECK(isc_mem_create(0, 0, &mctx), "isc_mem_create()");
CHECK(isc_entropy_create(mctx, &ectx), "isc_entropy_create()");
#ifdef ISC_PLATFORM_CRYPTORANDOM
isc_entropy_usehook(ectx, ISC_TRUE);
#endif
CHECK(isc_entropy_usebestsource(ectx, &source,
"../random.data",
ISC_ENTROPY_KEYBOARDNO),
......
......@@ -252,13 +252,12 @@ main(int argc, char *argv[]) {
ectx = NULL;
RUNCHECK(isc_entropy_create(mctx, &ectx));
#ifdef ISC_PLATFORM_CRYPTORANDOM
if (randomfile == NULL) {
isc_entropy_usehook(ectx, ISC_TRUE);
}
#endif
if (randomfile != NULL)
if (randomfile != NULL) {
RUNCHECK(isc_entropy_createfilesource(ectx, randomfile));
}
log = NULL;
logconfig = NULL;
......
......@@ -183,13 +183,12 @@ main(int argc, char **argv) {
ectx = NULL;
RUNCHECK(isc_entropy_create(mctx, &ectx));
#ifdef ISC_PLATFORM_CRYPTORANDOM
if (randomfile == NULL) {
isc_entropy_usehook(ectx, ISC_TRUE);
}
#endif
if (randomfile != NULL)
if (randomfile != NULL) {
RUNCHECK(isc_entropy_createfilesource(ectx, randomfile));
}
log = NULL;
logconfig = NULL;
......
......@@ -797,7 +797,6 @@ XMLSTATS
NZDTARGETS
NZDSRCS
NZD_TOOLS
ISC_PLATFORM_CRYPTORANDOM
PKCS11_TEST
PKCS11_ED25519
PKCS11_GOST
......@@ -1008,7 +1007,6 @@ with_eddsa
with_aes
with_cc_alg
enable_openssl_hash
enable_crypto_rand
with_lmdb
with_libxml2
with_libjson
......@@ -1699,7 +1697,6 @@ Optional Features:
--enable-threads enable multithreading
--enable-native-pkcs11 use native PKCS11 for all crypto [default=no]
--enable-openssl-hash use OpenSSL for hash functions [default=yes]
--enable-crypto-rand use the crypto provider for random [default=yes]
--enable-largefile 64-bit file support
--enable-backtrace log stack backtrace on abort [default=yes]
--enable-symtable use internal symbol table for backtrace
......@@ -17379,86 +17376,6 @@ if test "rt" = "$have_clock_gt"; then
LIBS="-lrt $LIBS"
fi
 
#
# Use the crypto provider (OpenSSL/PKCS#11) for random functions
#
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for using the crypto library (vs. builtin) for random functions" >&5
$as_echo_n "checking for using the crypto library (vs. builtin) for random functions... " >&6; }
# Check whether --enable-crypto-rand was given.
if test "${enable_crypto_rand+set}" = set; then :
enableval=$enable_crypto_rand; want_crypto_rand="$enableval"
else
want_crypto_rand="auto"
fi
if test "$want_crypto_rand" = "auto"
then
case "$CRYPTOLIB" in
"")
want_crypto_rand="no"
;;
pkcs11)
want_crypto_rand="yes"
;;
openssl)
saved_cflags="$CFLAGS"
saved_libs="$LIBS"
CFLAGS="$CFLAGS $DST_OPENSSL_INC"
LIBS="$LIBS $DST_OPENSSL_LIBS"
if test "$cross_compiling" = yes; then :
want_crypto_rand="yes"
else
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
#include <openssl/rand.h>
unsigned char buf[128];
int main()
{
if (RAND_bytes(buf, 128) != 1)
return (1);
return (0);
}
_ACEOF
if ac_fn_c_try_run "$LINENO"; then :
want_crypto_rand="yes"
else
want_crypto_rand="no"
fi
rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
conftest.$ac_objext conftest.beam conftest.$ac_ext
fi
CFLAGS="$saved_cflags"
LIBS="$saved_libs"
;;
*)
as_fn_error $? "Unknown crypto library define $CRYPTOLIB" "$LINENO" 5
;;
esac
fi
case $want_crypto_rand in
yes)
if test "$CRYPTOLIB" = ""
then
as_fn_error $? "No crypto library for random functions" "$LINENO" 5
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: \"$CRYPTOLIB\"" >&5
$as_echo "\"$CRYPTOLIB\"" >&6; }
ISC_PLATFORM_CRYPTORANDOM="#define ISC_PLATFORM_CRYPTORANDOM \"$CRYPTOLIB\""
;;
no)
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
ISC_PLATFORM_CRYPTORANDOM="#undef ISC_PLATFORM_CRYPTORANDOM"
;;
esac
#
# was --with-lmdb specified?
#
......@@ -26455,8 +26372,6 @@ report() {
echo " IPv6 support (--enable-ipv6)"
test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \
echo " OpenSSL cryptography/DNSSEC (--with-openssl)"
test "no" = "$want_crypto_rand" || \
echo " Crypto provider entropy source (--enable-crypto-rand)"
test "X$PYTHON" = "X" || echo " Python tools (--with-python)"
test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)"
test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)"
......@@ -26547,8 +26462,6 @@ report() {
echo " ECDSA algorithm support (--with-ecdsa)"
test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \
echo " EDDSA algorithm support (--with-eddsa)"
test "yes" = "$want_crypto_rand" || \
echo " Crypto provider entropy source (--enable-crypto-rand)"
 
test "yes" = "$want_backtrace" || \
echo " Print backtrace on crash (--enable-backtrace)"
......
......@@ -2324,68 +2324,6 @@ if test "rt" = "$have_clock_gt"; then
LIBS="-lrt $LIBS"
fi
#
# Use the crypto provider (OpenSSL/PKCS#11) for random functions
#
AC_MSG_CHECKING(for using the crypto library (vs. builtin) for random functions)
AC_ARG_ENABLE(crypto-rand,
AS_HELP_STRING([--enable-crypto-rand],
[use the crypto provider for random [default=yes]]),
want_crypto_rand="$enableval", want_crypto_rand="auto")
if test "$want_crypto_rand" = "auto"
then
case "$CRYPTOLIB" in
"")
want_crypto_rand="no"
;;
pkcs11)
want_crypto_rand="yes"
;;
openssl)
saved_cflags="$CFLAGS"
saved_libs="$LIBS"
CFLAGS="$CFLAGS $DST_OPENSSL_INC"
LIBS="$LIBS $DST_OPENSSL_LIBS"
AC_TRY_RUN([
#include <openssl/rand.h>
unsigned char buf[128];
int main()
{
if (RAND_bytes(buf, 128) != 1)
return (1);
return (0);
}
],
[want_crypto_rand="yes"],
[want_crypto_rand="no"],
[want_crypto_rand="yes"])
CFLAGS="$saved_cflags"
LIBS="$saved_libs"
;;
*)
AC_MSG_ERROR([Unknown crypto library define $CRYPTOLIB])
;;
esac
fi
case $want_crypto_rand in
yes)
if test "$CRYPTOLIB" = ""
then
AC_MSG_ERROR([No crypto library for random functions])
fi
AC_MSG_RESULT(["$CRYPTOLIB"])
ISC_PLATFORM_CRYPTORANDOM="#define ISC_PLATFORM_CRYPTORANDOM \"$CRYPTOLIB\""
;;
no)
AC_MSG_RESULT(no)
ISC_PLATFORM_CRYPTORANDOM="#undef ISC_PLATFORM_CRYPTORANDOM"
;;
esac
AC_SUBST(ISC_PLATFORM_CRYPTORANDOM)
#
# was --with-lmdb specified?
#
......@@ -5374,8 +5312,6 @@ report() {
echo " IPv6 support (--enable-ipv6)"
test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \
echo " OpenSSL cryptography/DNSSEC (--with-openssl)"
test "no" = "$want_crypto_rand" || \
echo " Crypto provider entropy source (--enable-crypto-rand)"
test "X$PYTHON" = "X" || echo " Python tools (--with-python)"
test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)"
test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)"
......@@ -5466,8 +5402,6 @@ report() {
echo " ECDSA algorithm support (--with-ecdsa)"
test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \
echo " EDDSA algorithm support (--with-eddsa)"
test "yes" = "$want_crypto_rand" || \
echo " Crypto provider entropy source (--enable-crypto-rand)"
test "yes" = "$want_backtrace" || \
echo " Print backtrace on crash (--enable-backtrace)"
......
......@@ -266,11 +266,9 @@ dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx,
RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI]));
#endif
#if defined(OPENSSL) || defined(PKCS11CRYPTO)
#ifdef ISC_PLATFORM_CRYPTORANDOM
if (dst_entropy_pool != NULL) {
isc_entropy_sethook(dst_random_getdata);
}
#endif
#endif /* defined(OPENSSL) || defined(PKCS11CRYPTO) */
dst_initialized = ISC_TRUE;
return (ISC_R_SUCCESS);
......@@ -292,12 +290,10 @@ dst_lib_destroy(void) {
if (dst_t_func[i] != NULL && dst_t_func[i]->cleanup != NULL)
dst_t_func[i]->cleanup();
#if defined(OPENSSL) || defined(PKCS11CRYPTO)
#ifdef ISC_PLATFORM_CRYPTORANDOM
if (dst_entropy_pool != NULL) {
isc_entropy_usehook(dst_entropy_pool, ISC_FALSE);
isc_entropy_sethook(NULL);
}
#endif
#ifdef OPENSSL
dst__openssl_destroy();
#elif PKCS11CRYPTO
......@@ -1965,44 +1961,15 @@ dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t pseudo) {
flags &= ~ISC_ENTROPY_GOODONLY;
else
flags |= ISC_ENTROPY_BLOCKING;
#ifdef ISC_PLATFORM_CRYPTORANDOM
/* get entropy directly from crypto provider */
return (dst_random_getdata(buf, len, NULL, flags));
#else
/* get entropy from entropy source or hook function */
return (isc_entropy_getdata(dst_entropy_pool, buf, len, NULL, flags));
#endif /* ISC_PLATFORM_CRYPTORANDOM */
#endif /* PKCS11CRYPTO */
}
unsigned int
dst__entropy_status(void) {
#if !defined(PKCS11CRYPTO) && !defined(ISC_PLATFORM_CRYPTORANDOM)
#ifdef GSSAPI
unsigned int flags = dst_entropy_flags;
isc_result_t ret;
unsigned char buf[32];
static isc_boolean_t first = ISC_TRUE;
if (dst_entropy_pool == NULL)
return (0);
if (first) {
/* Someone believes RAND_status() initializes the PRNG */
flags &= ~ISC_ENTROPY_GOODONLY;
ret = isc_entropy_getdata(dst_entropy_pool, buf,
sizeof(buf), NULL, flags);
INSIST(ret == ISC_R_SUCCESS);
isc_entropy_putdata(dst_entropy_pool, buf,
sizeof(buf), 2 * sizeof(buf));
first = ISC_FALSE;
}
#endif
return (isc_entropy_status(dst_entropy_pool));
#else
/* Doesn't matter as it is not used in this case. */
return (0);
#endif
}
isc_buffer_t *
......
......@@ -59,56 +59,6 @@ static int nlocks;
static ENGINE *e = NULL;
#endif
#ifndef ISC_PLATFORM_CRYPTORANDOM
static RAND_METHOD *rm = NULL;
static int
entropy_get(unsigned char *buf, int num) {
isc_result_t result;
if (num < 0)
return (-1);
result = dst__entropy_getdata(buf, (unsigned int) num, ISC_FALSE);
return (result == ISC_R_SUCCESS ? 1 : -1);
}
static int
entropy_status(void) {
return (dst__entropy_status() > 32);
}
static int
entropy_getpseudo(unsigned char *buf, int num) {
isc_result_t result;
if (num < 0)
return (-1);
result = dst__entropy_getdata(buf, (unsigned int) num, ISC_TRUE);
return (result == ISC_R_SUCCESS ? 1 : -1);
}
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
static void
entropy_add(const void *buf, int num, double entropy) {
/*
* Do nothing. The only call to this provides no useful data anyway.
*/
UNUSED(buf);
UNUSED(num);
UNUSED(entropy);
}
#else
static int
entropy_add(const void *buf, int num, double entropy) {
/*
* Do nothing. The only call to this provides no useful data anyway.
*/
UNUSED(buf);
UNUSED(num);
UNUSED(entropy);
return (1);
}
#endif
#endif /* !ISC_PLATFORM_CRYPTORANDOM */
#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
static void
lock_callback(int mode, int type, const char *file, int line) {
......@@ -196,10 +146,8 @@ _set_thread_id(CRYPTO_THREADID *id)
isc_result_t
dst__openssl_init(const char *engine) {
isc_result_t result;
#if defined(USE_ENGINE) && !defined(ISC_PLATFORM_CRYPTORANDOM)
ENGINE *re;
#else
#if !defined(USE_ENGINE)
UNUSED(engine);
#endif
......@@ -227,20 +175,6 @@ dst__openssl_init(const char *engine) {
ERR_load_crypto_strings();
#endif
#ifndef ISC_PLATFORM_CRYPTORANDOM
rm = mem_alloc(sizeof(RAND_METHOD) FILELINE);
if (rm == NULL) {
result = ISC_R_NOMEMORY;
goto cleanup_mutexinit;
}
rm->seed = NULL;
rm->bytes = entropy_get;
rm->cleanup = NULL;
rm->add = entropy_add;
rm->pseudorand = entropy_getpseudo;
rm->status = entropy_status;
#endif
#ifdef USE_ENGINE
#if !defined(CONF_MFLAGS_DEFAULT_SECTION)
OPENSSL_config(NULL);
......@@ -273,27 +207,8 @@ dst__openssl_init(const char *engine) {
}
}
#ifndef ISC_PLATFORM_CRYPTORANDOM
re = ENGINE_get_default_RAND();
if (re == NULL) {
re = ENGINE_new();
if (re == NULL) {
result = ISC_R_NOMEMORY;
goto cleanup_rm;
}
ENGINE_set_RAND(re, rm);
ENGINE_set_default_RAND(re);
ENGINE_free(re);
} else
ENGINE_finish(re);
#endif
#else
#ifndef ISC_PLATFORM_CRYPTORANDOM
RAND_set_rand_method(rm);
#endif
#endif /* USE_ENGINE */
#ifdef ISC_PLATFORM_CRYPTORANDOM
/* Protect ourselves against unseeded PRNG */
if (RAND_status() != 1) {
FATAL_ERROR(__FILE__, __LINE__,
......@@ -301,7 +216,6 @@ dst__openssl_init(const char *engine) {
"cannot be initialized (see the `PRNG not "
"seeded' message in the OpenSSL FAQ)");
}
#endif
return (ISC_R_SUCCESS);
......@@ -310,13 +224,6 @@ dst__openssl_init(const char *engine) {
if (e != NULL)
ENGINE_free(e);
e = NULL;
#ifndef ISC_PLATFORM_CRYPTORANDOM
mem_free(rm FILELINE);
rm = NULL;
#endif
#endif
#ifndef ISC_PLATFORM_CRYPTORANDOM
cleanup_mutexinit:
#endif
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
CRYPTO_set_locking_callback(NULL);
......@@ -332,25 +239,10 @@ void
dst__openssl_destroy(void) {
#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L)
OPENSSL_cleanup();
#ifndef ISC_PLATFORM_CRYPTORANDOM
if (rm != NULL) {
mem_free(rm FILELINE);
rm = NULL;
}
#endif
#else
/*
* Sequence taken from apps_shutdown() in <apps/apps.h>.
*/
#ifndef ISC_PLATFORM_CRYPTORANDOM
if (rm != NULL) {
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
RAND_cleanup();
#endif
mem_free(rm FILELINE);
rm = NULL;
}
#endif
#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
CONF_modules_free();
#endif
......@@ -490,7 +382,6 @@ isc_result_t
dst_random_getdata(void *data, unsigned int length,
unsigned int *returned, unsigned int flags)
{
#ifdef ISC_PLATFORM_CRYPTORANDOM
#ifndef DONT_REQUIRE_DST_LIB_INIT
INSIST(dst__memory_pool != NULL);
#endif
......@@ -517,14 +408,6 @@ dst_random_getdata(void *data, unsigned int length,
if (returned != NULL)
*returned = length;
return (ISC_R_SUCCESS);
#else
UNUSED(data);
UNUSED(length);
UNUSED(returned);
UNUSED(flags);
return (ISC_R_NOTIMPLEMENTED);
#endif
}
#endif /* OPENSSL */
......
......@@ -40,7 +40,6 @@ dst__pkcs11_toresult(const char *funcname, const char *file, int line,
isc_result_t
dst_random_getdata(void *data, unsigned int length,
unsigned int *returned, unsigned int flags) {
#ifdef ISC_PLATFORM_CRYPTORANDOM
isc_result_t ret;
#ifndef DONT_REQUIRE_DST_LIB_INIT
......@@ -54,29 +53,6 @@ dst_random_getdata(void *data, unsigned int length,
if ((ret == ISC_R_SUCCESS) && (returned != NULL))
*returned = length;
return (ret);
#else
UNUSED(data);
UNUSED(length);
UNUSED(returned);
UNUSED(flags);
return (ISC_R_NOTIMPLEMENTED);
#endif
}
#else /* PKCS11CRYPTO */
#include <isc/util.h>
isc_result_t
dst_random_getdata(void *data, unsigned int length,
unsigned int *returned, unsigned int flags) {
UNUSED(data);
UNUSED(length);
UNUSED(returned);
UNUSED(flags);
return (ISC_R_NOTIMPLEMENTED);
}
#endif /* PKCS11CRYPTO */
......
......@@ -51,7 +51,6 @@ ATF_TC_BODY(isc_entropy_getdata, tc) {
result = dst_lib_init(mctx, ectx, NULL, 0);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);