diff --git a/bin/check/named-checkconf.c b/bin/check/named-checkconf.c index 661dd5a5de..ab2a467f66 100644 --- a/bin/check/named-checkconf.c +++ b/bin/check/named-checkconf.c @@ -20,7 +20,6 @@ #include #include -#include #include #include #include @@ -538,7 +537,6 @@ main(int argc, char **argv) { isc_mem_t *mctx = NULL; isc_result_t result; int exit_status = 0; - isc_entropy_t *ectx = NULL; isc_boolean_t load_zones = ISC_FALSE; isc_boolean_t list_zones = ISC_FALSE; isc_boolean_t print = ISC_FALSE; @@ -654,7 +652,6 @@ main(int argc, char **argv) { RUNTIME_CHECK(setup_logging(mctx, stdout, &logc) == ISC_R_SUCCESS); - RUNTIME_CHECK(isc_entropy_create(mctx, &ectx) == ISC_R_SUCCESS); dns_result_register(); RUNTIME_CHECK(cfg_parser_create(mctx, logc, &parser) == ISC_R_SUCCESS); @@ -685,8 +682,6 @@ main(int argc, char **argv) { isc_log_destroy(&logc); - isc_entropy_detach(&ectx); - isc_mem_destroy(&mctx); #ifdef _WIN32 diff --git a/bin/check/named-checkzone.c b/bin/check/named-checkzone.c index 7f12abffb6..76cc0c97ed 100644 --- a/bin/check/named-checkzone.c +++ b/bin/check/named-checkzone.c @@ -19,7 +19,6 @@ #include #include #include -#include #include #include #include @@ -46,7 +45,6 @@ static int quiet = 0; static isc_mem_t *mctx = NULL; -static isc_entropy_t *ectx = NULL; dns_zone_t *zone = NULL; dns_zonetype_t zonetype = dns_zone_master; static int dumpzone = 0; @@ -521,7 +519,6 @@ main(int argc, char **argv) { if (!quiet) RUNTIME_CHECK(setup_logging(mctx, errout, &lctx) == ISC_R_SUCCESS); - RUNTIME_CHECK(isc_entropy_create(mctx, &ectx) == ISC_R_SUCCESS); dns_result_register(); @@ -553,7 +550,6 @@ main(int argc, char **argv) { destroy(); if (lctx != NULL) isc_log_destroy(&lctx); - isc_entropy_detach(&ectx); isc_mem_destroy(&mctx); #ifdef _WIN32 DestroySockets(); diff --git a/bin/confgen/ddns-confgen.c b/bin/confgen/ddns-confgen.c index f9ed35e624..bf8664dafa 100644 --- a/bin/confgen/ddns-confgen.c +++ b/bin/confgen/ddns-confgen.c @@ -26,7 +26,6 @@ #include #include #include -#include #include #include #include @@ -67,10 +66,9 @@ usage(int status) { if (progmode == progmode_confgen) { fprintf(stderr, "\ Usage:\n\ - %s [-a alg] [-k keyname] [-r randomfile] [-q] [-s name | -z zone]\n\ + %s [-a alg] [-k keyname] [-q] [-s name | -z zone]\n\ -a alg: algorithm (default hmac-sha256)\n\ -k keyname: name of the key as it will be used in named.conf\n\ - -r randomfile: source of random data (use \"keyboard\" for key timing)\n\ -s name: domain name to be updated using the created key\n\ -z zone: name of the zone as it will be used in named.conf\n\ -q: quiet mode: print the key, with no explanatory text\n", @@ -78,9 +76,8 @@ Usage:\n\ } else { fprintf(stderr, "\ Usage:\n\ - %s [-a alg] [-r randomfile] [keyname]\n\ - -a alg: algorithm (default hmac-sha256)\n\ - -r randomfile: source of random data (use \"keyboard\" for key timing)\n", + %s [-a alg] [keyname]\n\ + -a alg: algorithm (default hmac-sha256)\n\n", progname); } @@ -95,7 +92,6 @@ main(int argc, char **argv) { isc_buffer_t key_txtbuffer; char key_txtsecret[256]; isc_mem_t *mctx = NULL; - const char *randomfile = NULL; const char *keyname = NULL; const char *zone = NULL; const char *self_domain = NULL; @@ -168,7 +164,7 @@ main(int argc, char **argv) { usage(1); break; case 'r': - randomfile = isc_commandline_argument; + fatal("The -r option has been deprecated."); break; case 's': if (progmode == progmode_confgen) @@ -235,7 +231,7 @@ main(int argc, char **argv) { isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret)); - generate_key(mctx, randomfile, alg, keysize, &key_txtbuffer); + generate_key(mctx, alg, keysize, &key_txtbuffer); if (!quiet) diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c index 9f3a4e1f8a..048826a5bb 100644 --- a/bin/confgen/keygen.c +++ b/bin/confgen/keygen.c @@ -19,7 +19,6 @@ #include #include -#include #include #include #include @@ -113,17 +112,12 @@ alg_bits(dns_secalg_t alg) { } /*% - * Generate a key of size 'keysize' using entropy source 'randomfile', - * and place it in 'key_txtbuffer' + * Generate a key of size 'keysize' and place it in 'key_txtbuffer' */ void -generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg, - int keysize, isc_buffer_t *key_txtbuffer) { +generate_key(isc_mem_t *mctx, dns_secalg_t alg, int keysize, + isc_buffer_t *key_txtbuffer) { isc_result_t result = ISC_R_SUCCESS; - isc_entropysource_t *entropy_source = NULL; - int open_keyboard = ISC_ENTROPY_KEYBOARDMAYBE; - int entropy_flags = 0; - isc_entropy_t *ectx = NULL; isc_buffer_t key_rawbuffer; isc_region_t key_rawregion; char key_rawsecret[64]; @@ -150,24 +144,7 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg, fatal("unsupported algorithm %d\n", alg); } - - DO("create entropy context", isc_entropy_create(mctx, &ectx)); - - if (randomfile == NULL) { - isc_entropy_usehook(ectx, ISC_TRUE); - } - if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) { - randomfile = NULL; - open_keyboard = ISC_ENTROPY_KEYBOARDYES; - } - DO("start entropy source", isc_entropy_usebestsource(ectx, - &entropy_source, - randomfile, - open_keyboard)); - - entropy_flags = ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY; - - DO("initialize dst library", dst_lib_init(mctx, ectx, NULL, entropy_flags)); + DO("initialize dst library", dst_lib_init(mctx, NULL)); DO("generate key", dst_key_generate(dns_rootname, alg, keysize, 0, 0, DNS_KEYPROTO_ANY, @@ -183,17 +160,9 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg, DO("bsse64 encode secret", isc_base64_totext(&key_rawregion, -1, "", key_txtbuffer)); - /* - * Shut down the entropy source now so the "stop typing" message - * does not muck with the output. - */ - if (entropy_source != NULL) - isc_entropy_destroysource(&entropy_source); - if (key != NULL) dst_key_free(&key); - isc_entropy_detach(&ectx); dst_lib_destroy(); } diff --git a/bin/confgen/keygen.h b/bin/confgen/keygen.h index 58debab4f8..165e596aa9 100644 --- a/bin/confgen/keygen.h +++ b/bin/confgen/keygen.h @@ -19,8 +19,8 @@ ISC_LANG_BEGINDECLS -void generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg, - int keysize, isc_buffer_t *key_txtbuffer); +void generate_key(isc_mem_t *mctx, dns_secalg_t alg, int keysize, + isc_buffer_t *key_txtbuffer); void write_key_file(const char *keyfile, const char *user, const char *keyname, isc_buffer_t *secret, diff --git a/bin/confgen/rndc-confgen.c b/bin/confgen/rndc-confgen.c index c7a73745e1..a8ef906c0f 100644 --- a/bin/confgen/rndc-confgen.c +++ b/bin/confgen/rndc-confgen.c @@ -29,7 +29,6 @@ #include #include #include -#include #include #include #include @@ -70,7 +69,7 @@ usage(int status) { fprintf(stderr, "\ Usage:\n\ - %s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \ + %s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] \ [-s addr] [-t chrootdir] [-u user]\n\ -a: generate just the key clause and write it to keyfile (%s)\n\ -A alg: algorithm (default hmac-sha256)\n\ @@ -78,7 +77,6 @@ Usage:\n\ -c keyfile: specify an alternate key file (requires -a)\n\ -k keyname: the name as it will be used in named.conf and rndc.conf\n\ -p port: the port named will listen on and rndc will connect to\n\ - -r randomfile: source of random data (use \"keyboard\" for key timing)\n\ -s addr: the address to which rndc should connect\n\ -t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\ -u user: set the keyfile owner to \"user\" (requires -a)\n", @@ -95,7 +93,6 @@ main(int argc, char **argv) { isc_mem_t *mctx = NULL; isc_result_t result = ISC_R_SUCCESS; const char *keyname = NULL; - const char *randomfile = NULL; const char *serveraddr = NULL; dns_secalg_t alg; const char *algname; @@ -165,7 +162,7 @@ main(int argc, char **argv) { isc_commandline_argument); break; case 'r': - randomfile = isc_commandline_argument; + fatal("The -r option has been deprecated."); break; case 's': serveraddr = isc_commandline_argument; @@ -217,7 +214,7 @@ main(int argc, char **argv) { DO("create memory context", isc_mem_create(0, 0, &mctx)); isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret)); - generate_key(mctx, randomfile, alg, keysize, &key_txtbuffer); + generate_key(mctx, alg, keysize, &key_txtbuffer); if (keyonly) { write_key_file(keyfile, chrootdir == NULL ? user : NULL, diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c index 53f1a7eece..ef8ceb6c1e 100644 --- a/bin/dig/dighost.c +++ b/bin/dig/dighost.c @@ -57,7 +57,6 @@ #include #include -#include #include #include #include @@ -178,7 +177,6 @@ unsigned int digestbits = 0; isc_buffer_t *namebuf = NULL; dns_tsigkey_t *tsigkey = NULL; isc_boolean_t validated = ISC_TRUE; -isc_entropy_t *entp = NULL; isc_mempool_t *commctx = NULL; isc_boolean_t debugging = ISC_FALSE; isc_boolean_t debugtiming = ISC_FALSE; @@ -1316,10 +1314,8 @@ setup_system(isc_boolean_t ipv4only, isc_boolean_t ipv6only) { setup_file_key(); else if (keysecret[0] != 0) setup_text_key(); - result = isc_entropy_getdata(entp, cookie_secret, - sizeof(cookie_secret), NULL, 0); - if (result != ISC_R_SUCCESS) - fatal("unable to generate cookie secret"); + + isc_random_buf(cookie_secret, sizeof(cookie_secret)); } /*% @@ -1388,10 +1384,7 @@ setup_libs(void) { result = isc_socketmgr_create(mctx, &socketmgr); check_result(result, "isc_socketmgr_create"); - result = isc_entropy_create(mctx, &entp); - check_result(result, "isc_entropy_create"); - - result = dst_lib_init(mctx, entp, NULL, 0); + result = dst_lib_init(mctx, NULL); check_result(result, "dst_lib_init"); is_dst_up = ISC_TRUE; @@ -1877,7 +1870,7 @@ followup_lookup(dns_message_t *msg, dig_query_t *query, dns_section_t section) srv != NULL; srv = ISC_LIST_HEAD(lookup->my_server_list)) { INSIST(i > 0); - isc_random_get(&j); + j = isc_random(); j %= i; next = ISC_LIST_NEXT(srv, link); while (j-- > 0 && next != NULL) { @@ -2205,7 +2198,7 @@ setup_lookup(dig_lookup_t *lookup) { dighost_trying(store, lookup); INSIST(dns_name_isabsolute(lookup->name)); - isc_random_get(&id); + id = isc_random(); lookup->sendmsg->id = (unsigned short)id & 0xFFFF; lookup->sendmsg->opcode = lookup->opcode; lookup->msgcounter = 0; @@ -4217,10 +4210,6 @@ destroy_libs(void) { dst_lib_destroy(); is_dst_up = ISC_FALSE; } - if (entp != NULL) { - debug("detach from entropy"); - isc_entropy_detach(&entp); - } UNLOCK_LOOKUP; DESTROYLOCK(&lookup_lock); diff --git a/bin/dnssec/dnssec-cds.c b/bin/dnssec/dnssec-cds.c index 89b9fa0404..ed111d423c 100644 --- a/bin/dnssec/dnssec-cds.c +++ b/bin/dnssec/dnssec-cds.c @@ -23,7 +23,6 @@ #include #include -#include #include #include #include @@ -72,7 +71,6 @@ int verbose; */ static isc_log_t *lctx = NULL; static isc_mem_t *mctx = NULL; -static isc_entropy_t *ectx = NULL; /* * The domain we are working on @@ -1233,16 +1231,11 @@ main(int argc, char *argv[]) { setup_logging(mctx, &lctx); - if (ectx == NULL) { - setup_entropy(mctx, NULL, &ectx); - } - result = dst_lib_init(mctx, ectx, NULL, - ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY); + result = dst_lib_init(mctx, NULL); if (result != ISC_R_SUCCESS) { fatal("could not initialize dst: %s", isc_result_totext(result)); } - isc_entropy_stopcallbacksources(ectx); if (ds_path == NULL) { fatal("missing -d DS pathname"); @@ -1392,7 +1385,6 @@ main(int argc, char *argv[]) { free_all_sets(); cleanup_logging(&lctx); dst_lib_destroy(); - cleanup_entropy(&ectx); if (verbose > 10) { isc_mem_stats(mctx, stdout); } diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c index 09f943b3ac..026a1a5309 100644 --- a/bin/dnssec/dnssec-dsfromkey.c +++ b/bin/dnssec/dnssec-dsfromkey.c @@ -17,7 +17,6 @@ #include #include -#include #include #include #include @@ -359,7 +358,6 @@ main(int argc, char **argv) { isc_boolean_t showall = ISC_FALSE; isc_result_t result; isc_log_t *log = NULL; - isc_entropy_t *ectx = NULL; dns_rdataset_t rdataset; dns_rdata_t rdata; @@ -475,14 +473,10 @@ main(int argc, char **argv) { if (argc > isc_commandline_index + 1) fatal("extraneous arguments"); - if (ectx == NULL) - setup_entropy(mctx, NULL, &ectx); - result = dst_lib_init(mctx, ectx, NULL, - ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY); + result = dst_lib_init(mctx, NULL); if (result != ISC_R_SUCCESS) fatal("could not initialize dst: %s", isc_result_totext(result)); - isc_entropy_stopcallbacksources(ectx); setup_logging(mctx, &log); @@ -544,7 +538,6 @@ main(int argc, char **argv) { dns_rdataset_disassociate(&rdataset); cleanup_logging(&log); dst_lib_destroy(); - cleanup_entropy(&ectx); dns_name_destroy(); if (verbose > 10) isc_mem_stats(mctx, stdout); diff --git a/bin/dnssec/dnssec-importkey.c b/bin/dnssec/dnssec-importkey.c index 7ba08a4081..1920e070b4 100644 --- a/bin/dnssec/dnssec-importkey.c +++ b/bin/dnssec/dnssec-importkey.c @@ -17,7 +17,6 @@ #include #include -#include #include #include #include @@ -297,7 +296,6 @@ main(int argc, char **argv) { int ch; isc_result_t result; isc_log_t *log = NULL; - isc_entropy_t *ectx = NULL; dns_rdataset_t rdataset; dns_rdata_t rdata; isc_stdtime_t now; @@ -404,14 +402,10 @@ main(int argc, char **argv) { if (argc > isc_commandline_index + 1) fatal("extraneous arguments"); - if (ectx == NULL) - setup_entropy(mctx, NULL, &ectx); - result = dst_lib_init(mctx, ectx, NULL, - ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY); + result = dst_lib_init(mctx, NULL); if (result != ISC_R_SUCCESS) fatal("could not initialize dst: %s", isc_result_totext(result)); - isc_entropy_stopcallbacksources(ectx); setup_logging(mctx, &log); @@ -455,7 +449,6 @@ main(int argc, char **argv) { dns_rdataset_disassociate(&rdataset); cleanup_logging(&log); dst_lib_destroy(); - cleanup_entropy(&ectx); dns_name_destroy(); if (verbose > 10) isc_mem_stats(mctx, stdout); diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c index 1d0b75bdf4..0977a0cad1 100644 --- a/bin/dnssec/dnssec-keyfromlabel.c +++ b/bin/dnssec/dnssec-keyfromlabel.c @@ -18,7 +18,6 @@ #include #include -#include #include #include #include @@ -146,7 +145,6 @@ main(int argc, char **argv) { char filename[255]; isc_buffer_t buf; isc_log_t *log = NULL; - isc_entropy_t *ectx = NULL; dns_rdataclass_t rdclass; int options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC; char *label = NULL; @@ -347,10 +345,7 @@ main(int argc, char **argv) { } } - if (ectx == NULL) - setup_entropy(mctx, NULL, &ectx); - ret = dst_lib_init(mctx, ectx, engine, - ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY); + ret = dst_lib_init(mctx, engine); if (ret != ISC_R_SUCCESS) fatal("could not initialize dst: %s", isc_result_totext(ret)); @@ -618,7 +613,6 @@ main(int argc, char **argv) { engine, #endif label, NULL, mctx, &key); - isc_entropy_stopcallbacksources(ectx); if (ret != ISC_R_SUCCESS) { char namestr[DNS_NAME_FORMATSIZE]; @@ -737,7 +731,6 @@ main(int argc, char **argv) { dst_key_free(&prevkey); cleanup_logging(&log); - cleanup_entropy(&ectx); dst_lib_destroy(); dns_name_destroy(); if (verbose > 10) diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c index 5f27728185..9209f4cb72 100644 --- a/bin/dnssec/dnssec-keygen.c +++ b/bin/dnssec/dnssec-keygen.c @@ -33,7 +33,6 @@ #include #include -#include #include #include #include @@ -121,7 +120,7 @@ usage(void) { "(DH only)\n"); fprintf(stderr, " -L : default key TTL\n"); fprintf(stderr, " -p : (default: 3 [dnssec])\n"); - fprintf(stderr, " -r : a file containing random data\n"); + fprintf(stderr, " -r : DEPRECATED and ignored\n"); fprintf(stderr, " -s : strength value this key signs DNS " "records with (default: 0)\n"); fprintf(stderr, " -T : DNSKEY | KEY (default: DNSKEY; " @@ -218,7 +217,6 @@ main(int argc, char **argv) { dst_key_t *prevkey = NULL; isc_buffer_t buf; isc_log_t *log = NULL; - isc_entropy_t *ectx = NULL; #ifdef USE_PKCS11 const char *engine = PKCS11_ENGINE; #else @@ -365,7 +363,8 @@ main(int argc, char **argv) { quiet = ISC_TRUE; break; case 'r': - setup_entropy(mctx, isc_commandline_argument, &ectx); + fatal("The -r option has been deprecated.\n" + "System random data is always used.\n"); break; case 's': signatory = strtol(isc_commandline_argument, @@ -494,10 +493,7 @@ main(int argc, char **argv) { if (!isatty(0)) quiet = ISC_TRUE; - if (ectx == NULL) - setup_entropy(mctx, NULL, &ectx); - ret = dst_lib_init(mctx, ectx, engine, - ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY); + ret = dst_lib_init(mctx, engine); if (ret != ISC_R_SUCCESS) fatal("could not initialize dst: %s", isc_result_totext(ret)); @@ -872,8 +868,6 @@ main(int argc, char **argv) { NULL); } - isc_entropy_stopcallbacksources(ectx); - if (ret != ISC_R_SUCCESS) { char namestr[DNS_NAME_FORMATSIZE]; char algstr[DNS_SECALG_FORMATSIZE]; @@ -1026,7 +1020,6 @@ main(int argc, char **argv) { dst_key_free(&prevkey); cleanup_logging(&log); - cleanup_entropy(&ectx); dst_lib_destroy(); dns_name_destroy(); if (verbose > 10) diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c index 3363c1d59b..99954dad0b 100644 --- a/bin/dnssec/dnssec-revoke.c +++ b/bin/dnssec/dnssec-revoke.c @@ -18,7 +18,6 @@ #include #include -#include #include #include #include @@ -87,7 +86,6 @@ main(int argc, char **argv) { char keystr[DST_KEY_FORMATSIZE]; char *endp; int ch; - isc_entropy_t *ectx = NULL; dst_key_t *key = NULL; isc_uint32_t flags; isc_buffer_t buf; @@ -180,14 +178,10 @@ main(int argc, char **argv) { } } - if (ectx == NULL) - setup_entropy(mctx, NULL, &ectx); - result = dst_lib_init(mctx, ectx, engine, - ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY); + result = dst_lib_init(mctx, engine); if (result != ISC_R_SUCCESS) fatal("Could not initialize dst: %s", isc_result_totext(result)); - isc_entropy_stopcallbacksources(ectx); result = dst_key_fromnamedfile(filename, dir, DST_TYPE_PUBLIC|DST_TYPE_PRIVATE, @@ -269,7 +263,6 @@ main(int argc, char **argv) { cleanup: dst_key_free(&key); dst_lib_destroy(); - cleanup_entropy(&ectx); if (verbose > 10) isc_mem_stats(mctx, stdout); if (dir != NULL) diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c index 221152361f..e2fcc41227 100644 --- a/bin/dnssec/dnssec-settime.c +++ b/bin/dnssec/dnssec-settime.c @@ -20,7 +20,6 @@ #include #include -#include #include #include #include @@ -139,7 +138,6 @@ main(int argc, char **argv) { char keystr[DST_KEY_FORMATSIZE]; char *endp, *p; int ch; - isc_entropy_t *ectx = NULL; const char *predecessor = NULL; dst_key_t *prevkey = NULL; dst_key_t *key = NULL; @@ -378,14 +376,10 @@ main(int argc, char **argv) { if (argc > isc_commandline_index + 1) fatal("Extraneous arguments"); - if (ectx == NULL) - setup_entropy(mctx, NULL, &ectx); - result = dst_lib_init(mctx, ectx, engine, - ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY); + result = dst_lib_init(mctx, engine); if (result != ISC_R_SUCCESS) fatal("Could not initialize dst: %s", isc_result_totext(result)); - isc_entropy_stopcallbacksources(ectx); if (predecessor != NULL) { int major, minor; @@ -670,7 +664,6 @@ main(int argc, char **argv) { dst_key_free(&prevkey); dst_key_free(&key); dst_lib_destroy(); - cleanup_entropy(&ectx); if (verbose > 10) isc_mem_stats(mctx, stdout); cleanup_logging(&log); diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index 06c07685fc..ab092c6955 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c @@ -34,7 +34,6 @@ #include #include #include -#include #include #include #include @@ -130,7 +129,6 @@ static int jitter = 0; static isc_boolean_t tryverify = ISC_FALSE; static isc_boolean_t printstats = ISC_FALSE; static isc_mem_t *mctx = NULL; -static isc_entropy_t *ectx = NULL; static dns_ttl_t zone_soa_min_ttl; static dns_ttl_t soa_ttl; static FILE *outfp = NULL; @@ -282,11 +280,10 @@ signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dst_key_t *key, else expiry = endtime; - jendtime = (jitter != 0) ? isc_random_jitter(expiry, jitter) : expiry; + jendtime = (jitter != 0) ? expiry - isc_random_uniform(jitter) : expiry; isc_buffer_init(&b, array, sizeof(array)); result = dns_dnssec_sign(name, rdataset, key, &starttime, &jendtime, mctx, &b, &trdata); - isc_entropy_stopcallbacksources(ectx); if (result != ISC_R_SUCCESS) { fatal("dnskey '%s' failed to sign data: %s", keystr, isc_result_totext(result)); @@ -3071,8 +3068,6 @@ usage(void) { #else fprintf(stderr, "\t\tname of an OpenSSL engine to use\n"); #endif - fprintf(stderr, "\t-p:\t"); - fprintf(stderr, "use pseudorandom data (faster but less secure)\n"); fprintf(stderr, "\t-P:\t"); fprintf(stderr, "disable post-sign verification\n"); fprintf(stderr, "\t-Q:\t"); @@ -3162,13 +3157,11 @@ main(int argc, char *argv[]) { dns_dnsseckey_t *key; isc_result_t result; isc_log_t *log = NULL; - isc_boolean_t pseudorandom = ISC_FALSE; #ifdef USE_PKCS11 const char *engine = PKCS11_ENGINE; #else const char *engine = NULL; #endif - unsigned int eflags; isc_boolean_t free_output = ISC_FALSE; int tempfilelen = 0; dns_rdataclass_t rdclass; @@ -3397,7 +3390,7 @@ main(int argc, char *argv[]) { break; case 'p': - pseudorandom = ISC_TRUE; + fatal("The -p option has been deprecated.\n"); break; case 'Q': @@ -3409,7 +3402,7 @@ main(int argc, char *argv[]) { break; case 'r': - setup_entropy(mctx, isc_commandline_argument, &ectx); + fatal("The -r options has been deprecated.\n"); break; case 'S': @@ -3485,13 +3478,7 @@ main(int argc, char *argv[]) { } } - if (ectx == NULL) - setup_entropy(mctx, NULL, &ectx); - eflags = ISC_ENTROPY_BLOCKING; - if (!pseudorandom) - eflags |= ISC_ENTROPY_GOODONLY; - - result = dst_lib_init(mctx, ectx, engine, eflags); + result = dst_lib_init(mctx, engine); if (result != ISC_R_SUCCESS) fatal("could not initialize dst: %s", isc_result_totext(result)); @@ -3910,7 +3897,6 @@ main(int argc, char *argv[]) { cleanup_logging(&log); dst_lib_destroy(); - cleanup_entropy(&ectx); dns_name_destroy(); if (verbose > 10) isc_mem_stats(mctx, stdout); diff --git a/bin/dnssec/dnssec-verify.c b/bin/dnssec/dnssec-verify.c index 961225491b..b4a3339c0a 100644 --- a/bin/dnssec/dnssec-verify.c +++ b/bin/dnssec/dnssec-verify.c @@ -19,7 +19,6 @@ #include #include #include -#include #include #include #include @@ -73,7 +72,6 @@ int verbose; static isc_stdtime_t now; static isc_mem_t *mctx = NULL; -static isc_entropy_t *ectx = NULL; static dns_masterformat_t inputformat = dns_masterformat_text; static dns_db_t *gdb; /* The database */ static dns_dbversion_t *gversion; /* The database version */ @@ -277,10 +275,7 @@ main(int argc, char *argv[]) { } } - if (ectx == NULL) - setup_entropy(mctx, NULL, &ectx); - - result = dst_lib_init(mctx, ectx, engine, ISC_ENTROPY_BLOCKING); + result = dst_lib_init(mctx, engine); if (result != ISC_R_SUCCESS) fatal("could not initialize dst: %s", isc_result_totext(result)); @@ -335,7 +330,6 @@ main(int argc, char *argv[]) { cleanup_logging(&log); dst_lib_destroy(); - cleanup_entropy(&ectx); dns_name_destroy(); if (verbose > 10) isc_mem_stats(mctx, stdout); diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c index 9116c62cfd..5a8208bb84 100644 --- a/bin/dnssec/dnssectool.c +++ b/bin/dnssec/dnssectool.c @@ -27,7 +27,6 @@ #include #include #include -#include #include #include #include @@ -73,15 +72,6 @@ struct nsec3_chain_fixed { extern int verbose; extern const char *program; -typedef struct entropysource entropysource_t; - -struct entropysource { - isc_entropysource_t *source; - isc_mem_t *mctx; - ISC_LINK(entropysource_t) link; -}; - -static ISC_LIST(entropysource_t) sources; static fatalcallback_t *fatalcallback = NULL; void @@ -222,61 +212,6 @@ cleanup_logging(isc_log_t **logp) { dns_log_setcontext(NULL); } -void -setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { - isc_result_t result; - isc_entropysource_t *source = NULL; - entropysource_t *elt; - int usekeyboard = ISC_ENTROPY_KEYBOARDMAYBE; - - REQUIRE(ectx != NULL); - - if (*ectx == NULL) { - result = isc_entropy_create(mctx, ectx); - if (result != ISC_R_SUCCESS) - fatal("could not create entropy object: %s", - isc_result_totext(result)); - ISC_LIST_INIT(sources); - } - - if (randomfile == NULL) { - isc_entropy_usehook(*ectx, ISC_TRUE); - } - if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) { - usekeyboard = ISC_ENTROPY_KEYBOARDYES; - randomfile = NULL; - } - - result = isc_entropy_usebestsource(*ectx, &source, randomfile, - usekeyboard); - - if (result != ISC_R_SUCCESS) - fatal("could not initialize entropy source: %s", - isc_result_totext(result)); - - if (source != NULL) { - elt = isc_mem_get(mctx, sizeof(*elt)); - if (elt == NULL) - fatal("out of memory"); - elt->source = source; - elt->mctx = mctx; - ISC_LINK_INIT(elt, link); - ISC_LIST_APPEND(sources, elt, link); - } -} - -void -cleanup_entropy(isc_entropy_t **ectx) { - entropysource_t *source; - while (!ISC_LIST_EMPTY(sources)) { - source = ISC_LIST_HEAD(sources); - ISC_LIST_UNLINK(sources, source, link); - isc_entropy_destroysource(&source->source); - isc_mem_put(source->mctx, source, sizeof(*source)); - } - isc_entropy_detach(ectx); -} - static isc_stdtime_t time_units(isc_stdtime_t offset, char *suffix, const char *str) { switch (suffix[0]) { diff --git a/bin/dnssec/dnssectool.h b/bin/dnssec/dnssectool.h index 41f048ed85..248fcbbf28 100644 --- a/bin/dnssec/dnssectool.h +++ b/bin/dnssec/dnssectool.h @@ -55,12 +55,6 @@ setup_logging(isc_mem_t *mctx, isc_log_t **logp); void cleanup_logging(isc_log_t **logp); -void -setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx); - -void -cleanup_entropy(isc_entropy_t **ectx); - dns_ttl_t strtottl(const char *str); isc_stdtime_t diff --git a/bin/named/config.c b/bin/named/config.c index e8ef5e3c82..3c99e707ae 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -88,9 +88,8 @@ options {\n\ nta-recheck 300;\n\ # pid-file \"" NAMED_LOCALSTATEDIR "/run/named/named.pid\"; \n\ port 53;\n\ - prefetch 2 9;\n" -" random-device none;\n" -" recursing-file \"named.recursing\";\n\ + prefetch 2 9;\n\ + recursing-file \"named.recursing\";\n\ recursive-clients 1000;\n\ request-nsid false;\n\ reserved-sockets 512;\n\ diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c index c859f1ebd5..627df09b4e 100644 --- a/bin/named/controlconf.c +++ b/bin/named/controlconf.c @@ -326,7 +326,6 @@ static void control_recvmessage(isc_task_t *task, isc_event_t *event) { controlconnection_t *conn = NULL; controllistener_t *listener = NULL; - named_server_t *server = NULL; controlkey_t *key = NULL; isccc_sexpr_t *request = NULL; isccc_sexpr_t *response = NULL; @@ -348,7 +347,6 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { conn = event->ev_arg; listener = conn->listener; - server = listener->controls->server; algorithm = DST_ALG_UNKNOWN; secret.rstart = NULL; text = NULL; @@ -460,8 +458,7 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { */ if (conn->nonce == 0) { while (conn->nonce == 0) { - isc_rng_randombytes(server->sctx->rngctx, &conn->nonce, - sizeof(conn->nonce)); + isc_random_buf(&conn->nonce, sizeof(conn->nonce)); } eresult = ISC_R_SUCCESS; } else diff --git a/bin/named/include/named/globals.h b/bin/named/include/named/globals.h index 8f59dfc7a1..9eb0be2184 100644 --- a/bin/named/include/named/globals.h +++ b/bin/named/include/named/globals.h @@ -48,8 +48,6 @@ EXTERN unsigned int named_g_cpus INIT(0); EXTERN unsigned int named_g_udpdisp INIT(0); EXTERN isc_taskmgr_t * named_g_taskmgr INIT(NULL); EXTERN dns_dispatchmgr_t * named_g_dispatchmgr INIT(NULL); -EXTERN isc_entropy_t * named_g_entropy INIT(NULL); -EXTERN isc_entropy_t * named_g_fallbackentropy INIT(NULL); EXTERN unsigned int named_g_cpus_detected INIT(1); #ifdef ENABLE_AFL diff --git a/bin/named/include/named/tkeyconf.h b/bin/named/include/named/tkeyconf.h index 4b58632938..2e66e301e2 100644 --- a/bin/named/include/named/tkeyconf.h +++ b/bin/named/include/named/tkeyconf.h @@ -23,7 +23,7 @@ ISC_LANG_BEGINDECLS isc_result_t named_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx, - isc_entropy_t *ectx, dns_tkeyctx_t **tctxp); + dns_tkeyctx_t **tctxp); /*%< * Create a TKEY context and configure it, including the default DH key * and default domain, according to 'options'. @@ -31,7 +31,6 @@ named_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx, * Requires: *\li 'cfg' is a valid configuration options object. *\li 'mctx' is not NULL - *\li 'ectx' is not NULL *\li 'tctx' is not NULL *\li '*tctx' is NULL * diff --git a/bin/named/main.c b/bin/named/main.c index 526779befa..21c4f5e4e2 100644 --- a/bin/named/main.c +++ b/bin/named/main.c @@ -21,7 +21,6 @@ #include #include #include -#include #include #include #include @@ -845,14 +844,6 @@ create_managers(void) { ISC_LOG_INFO, "using up to %u sockets", socks); } - result = isc_entropy_create(named_g_mctx, &named_g_entropy); - if (result != ISC_R_SUCCESS) { - UNEXPECTED_ERROR(__FILE__, __LINE__, - "isc_entropy_create() failed: %s", - isc_result_totext(result)); - return (ISC_R_UNEXPECTED); - } - return (ISC_R_SUCCESS); } @@ -930,30 +921,6 @@ setup(void) { isc_mem_free(named_g_mctx, instance); #endif /* HAVE_LIBSCF */ -#ifdef PATH_RANDOMDEV - /* - * Initialize system's random device as fallback entropy source - * if running chroot'ed. - */ - if (named_g_chrootdir != NULL) { - result = isc_entropy_create(named_g_mctx, - &named_g_fallbackentropy); - if (result != ISC_R_SUCCESS) - named_main_earlyfatal("isc_entropy_create() failed: %s", - isc_result_totext(result)); - - result = isc_entropy_createfilesource(named_g_fallbackentropy, - PATH_RANDOMDEV); - if (result != ISC_R_SUCCESS) { - named_main_earlywarning("could not open pre-chroot " - "entropy source %s: %s", - PATH_RANDOMDEV, - isc_result_totext(result)); - isc_entropy_detach(&named_g_fallbackentropy); - } - } -#endif - #ifdef ISC_PLATFORM_USETHREADS /* * Check for the number of cpu's before named_os_chroot(). @@ -1160,10 +1127,6 @@ cleanup(void) { if (named_g_mapped != NULL) dns_acl_detach(&named_g_mapped); - isc_entropy_detach(&named_g_entropy); - if (named_g_fallbackentropy != NULL) - isc_entropy_detach(&named_g_fallbackentropy); - named_server_destroy(&named_g_server); named_builtin_deinit(); diff --git a/bin/named/server.c b/bin/named/server.c index 9fe8264943..c5f78baa05 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -25,7 +25,6 @@ #include #include #include -#include #include #include #include @@ -5664,12 +5663,7 @@ create_view(const cfg_obj_t *vconfig, dns_viewlist_t *viewlist, if (result != ISC_R_SUCCESS) return (result); - result = isc_entropy_getdata(named_g_entropy, view->secret, - sizeof(view->secret), NULL, 0); - if (result != ISC_R_SUCCESS) { - dns_view_detach(&view); - return (result); - } + isc_random_buf(view->secret, sizeof(view->secret)); ISC_LIST_APPEND(*viewlist, view, link); dns_view_attach(view, viewp); @@ -8505,8 +8499,7 @@ load_configuration(const char *filename, named_server_t *server, /* Load the TKEY information from the configuration. */ if (options != NULL) { dns_tkeyctx_t *t = NULL; - CHECKM(named_tkeyctx_fromconfig(options, named_g_mctx, - named_g_entropy, &t), + CHECKM(named_tkeyctx_fromconfig(options, named_g_mctx, &t), "configuring TKEY"); if (server->sctx->tkeyctx != NULL) { dns_tkeyctx_destroy(&server->sctx->tkeyctx); @@ -8521,61 +8514,6 @@ load_configuration(const char *filename, named_server_t *server, named_g_aclconfctx), "binding control channel(s)"); - /* - * Open the source of entropy. - */ - if (first_time) { - const char *randomdev = NULL; - int level = ISC_LOG_ERROR; - obj = NULL; - result = named_config_get(maps, "random-device", &obj); - if (result == ISC_R_SUCCESS) { - if (!cfg_obj_isvoid(obj)) { - level = ISC_LOG_INFO; - randomdev = cfg_obj_asstring(obj); - } - } - if (randomdev == NULL) { - isc_entropy_usehook(named_g_entropy, ISC_TRUE); - } else { - result = isc_entropy_createfilesource(named_g_entropy, - randomdev); -#ifdef PATH_RANDOMDEV - if (named_g_fallbackentropy != NULL) { - level = ISC_LOG_INFO; - } -#endif - if (result != ISC_R_SUCCESS) { - isc_log_write(named_g_lctx, - NAMED_LOGCATEGORY_GENERAL, - NAMED_LOGMODULE_SERVER, - level, - "could not open " - "entropy source %s: %s", - randomdev, - isc_result_totext(result)); - } -#ifdef PATH_RANDOMDEV - if (named_g_fallbackentropy != NULL) { - if (result != ISC_R_SUCCESS) { - isc_log_write(named_g_lctx, - NAMED_LOGCATEGORY_GENERAL, - NAMED_LOGMODULE_SERVER, - ISC_LOG_INFO, - "using pre-chroot " - "entropy source %s", - PATH_RANDOMDEV); - isc_entropy_detach(&named_g_entropy); - isc_entropy_attach( - named_g_fallbackentropy, - &named_g_entropy); - } - isc_entropy_detach(&named_g_fallbackentropy); - } -#endif - } - } - #ifdef HAVE_LMDB /* * If we're using LMDB, we may have created newzones databases @@ -8905,14 +8843,8 @@ load_configuration(const char *filename, named_server_t *server, } } } else { - result = isc_entropy_getdata(named_g_entropy, - server->sctx->secret, - sizeof(server->sctx->secret), - NULL, - 0); - if (result != ISC_R_SUCCESS) { - goto cleanup; - } + isc_random_buf(server->sctx->secret, + sizeof(server->sctx->secret)); } /* @@ -9166,8 +9098,7 @@ run_server(isc_task_t *task, isc_event_t *event) { isc_event_free(&event); - CHECKFATAL(dns_dispatchmgr_create(named_g_mctx, named_g_entropy, - &named_g_dispatchmgr), + CHECKFATAL(dns_dispatchmgr_create(named_g_mctx, &named_g_dispatchmgr), "creating dispatch manager"); dns_dispatchmgr_setstats(named_g_dispatchmgr, server->resolverstats); @@ -9401,8 +9332,7 @@ named_server_create(isc_mem_t *mctx, named_server_t **serverp) { server->in_roothints = NULL; /* Must be first. */ - CHECKFATAL(dst_lib_init(named_g_mctx, named_g_entropy, - named_g_engine, ISC_ENTROPY_GOODONLY), + CHECKFATAL(dst_lib_init(named_g_mctx, named_g_engine), "initializing DST"); CHECKFATAL(dns_rootns_create(mctx, dns_rdataclass_in, NULL, @@ -9432,8 +9362,7 @@ named_server_create(isc_mem_t *mctx, named_server_t **serverp) { isc_taskmgr_setexcltask(named_g_taskmgr, server->task); server->sctx = NULL; - CHECKFATAL(ns_server_create(mctx, named_g_entropy, - get_matching_view, + CHECKFATAL(ns_server_create(mctx, get_matching_view, &server->sctx), "creating server context"); @@ -13591,7 +13520,7 @@ generate_salt(unsigned char *salt, size_t saltlen) { if (saltlen > 256U) return (ISC_R_RANGE); - isc_rng_randombytes(named_g_server->sctx->rngctx, salt, saltlen); + isc_random_buf(salt, saltlen); r.base = salt; r.length = (unsigned int) saltlen; diff --git a/bin/named/tkeyconf.c b/bin/named/tkeyconf.c index 387d450837..0a3a354522 100644 --- a/bin/named/tkeyconf.c +++ b/bin/named/tkeyconf.c @@ -45,7 +45,7 @@ isc_result_t named_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx, - isc_entropy_t *ectx, dns_tkeyctx_t **tctxp) + dns_tkeyctx_t **tctxp) { isc_result_t result; dns_tkeyctx_t *tctx = NULL; @@ -57,7 +57,7 @@ named_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx, const cfg_obj_t *obj; int type; - result = dns_tkeyctx_create(mctx, ectx, &tctx); + result = dns_tkeyctx_create(mctx, &tctx); if (result != ISC_R_SUCCESS) return (result); diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c index 3faf6d0f0e..426b4f02db 100644 --- a/bin/nsupdate/nsupdate.c +++ b/bin/nsupdate/nsupdate.c @@ -23,7 +23,6 @@ #include #include #include -#include #include #include #include @@ -174,7 +173,6 @@ static isc_sockaddr_t *localaddr4 = NULL; static isc_sockaddr_t *localaddr6 = NULL; static const char *keyfile = NULL; static char *keystr = NULL; -static isc_entropy_t *entropy = NULL; static isc_boolean_t shuttingdown = ISC_FALSE; static FILE *input; static isc_boolean_t interactive = ISC_TRUE; @@ -244,71 +242,6 @@ error(const char *format, ...) ISC_FORMAT_PRINTF(1, 2); #define STATUS_QUIT (isc_uint16_t)2 #define STATUS_SYNTAX (isc_uint16_t)3 -typedef struct entropysource entropysource_t; - -struct entropysource { - isc_entropysource_t *source; - isc_mem_t *mctx; - ISC_LINK(entropysource_t) link; -}; - -static ISC_LIST(entropysource_t) sources; - -static void -setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { - isc_result_t result; - isc_entropysource_t *source = NULL; - entropysource_t *elt; - int usekeyboard = ISC_ENTROPY_KEYBOARDMAYBE; - - REQUIRE(ectx != NULL); - - if (*ectx == NULL) { - result = isc_entropy_create(mctx, ectx); - if (result != ISC_R_SUCCESS) - fatal("could not create entropy object: %s", - isc_result_totext(result)); - ISC_LIST_INIT(sources); - } - - if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) { - usekeyboard = ISC_ENTROPY_KEYBOARDYES; - randomfile = NULL; - } - - if (randomfile == NULL) { - isc_entropy_usehook(*ectx, ISC_TRUE); - } - result = isc_entropy_usebestsource(*ectx, &source, randomfile, - usekeyboard); - - if (result != ISC_R_SUCCESS) - fatal("could not initialize entropy source: %s", - isc_result_totext(result)); - - if (source != NULL) { - elt = isc_mem_get(mctx, sizeof(*elt)); - if (elt == NULL) - fatal("out of memory"); - elt->source = source; - elt->mctx = mctx; - ISC_LINK_INIT(elt, link); - ISC_LIST_APPEND(sources, elt, link); - } -} - -static void -cleanup_entropy(isc_entropy_t **ectx) { - entropysource_t *source; - while (!ISC_LIST_EMPTY(sources)) { - source = ISC_LIST_HEAD(sources); - ISC_LIST_UNLINK(sources, source, link); - isc_entropy_destroysource(&source->source); - isc_mem_put(source->mctx, source, sizeof(*source)); - } - isc_entropy_detach(ectx); -} - static void master_from_servers(void) { @@ -798,8 +731,6 @@ doshutdown(void) { is_dst_up = ISC_FALSE; } - cleanup_entropy(&entropy); - ddebug("Destroying request manager"); dns_requestmgr_detach(&requestmgr); @@ -965,10 +896,7 @@ setup_system(void) { irs_resconf_destroy(&resconf); - if (entropy == NULL) - setup_entropy(gmctx, NULL, &entropy); - - result = dns_dispatchmgr_create(gmctx, entropy, &dispatchmgr); + result = dns_dispatchmgr_create(gmctx, &dispatchmgr); check_result(result, "dns_dispatchmgr_create"); result = isc_socketmgr_create(gmctx, &socketmgr); @@ -986,7 +914,7 @@ setup_system(void) { result = isc_task_onshutdown(global_task, shutdown_program, NULL); check_result(result, "isc_task_onshutdown"); - result = dst_lib_init(gmctx, entropy, NULL, 0); + result = dst_lib_init(gmctx, NULL); check_result(result, "dst_lib_init"); is_dst_up = ISC_TRUE; @@ -1136,7 +1064,7 @@ pre_parse_args(int argc, char **argv) { } static void -parse_args(int argc, char **argv, isc_mem_t *mctx, isc_entropy_t **ectx) { +parse_args(int argc, char **argv) { int ch; isc_uint32_t i; isc_result_t result; @@ -1243,7 +1171,7 @@ parse_args(int argc, char **argv, isc_mem_t *mctx, isc_entropy_t **ectx) { break; case 'R': - setup_entropy(mctx, isc_commandline_argument, ectx); + fatal("The -R options has been deprecated.\n"); break; default: @@ -2920,7 +2848,7 @@ start_gssrequest(dns_name_t *master) { keyname = dns_fixedname_initname(&fkname); - isc_random_get(&val); + val = isc_random(); result = snprintf(mykeystr, sizeof(mykeystr), "%u.sig-%s", val, namestr); RUNTIME_CHECK(result <= sizeof(mykeystr)); @@ -3349,7 +3277,7 @@ main(int argc, char **argv) { result = isc_mem_create(0, 0, &gmctx); check_result(result, "isc_mem_create"); - parse_args(argc, argv, gmctx, &entropy); + parse_args(argc, argv); setup_system(); diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c index d1dd411c5b..d86bdb4eaf 100644 --- a/bin/rndc/rndc.c +++ b/bin/rndc/rndc.c @@ -930,7 +930,7 @@ main(int argc, char **argv) { if (argc < 1) usage(1); - isc_random_get(&serial); + serial = isc_random(); DO("create memory context", isc_mem_create(0, 0, &rndc_mctx)); DO("create socket manager", isc_socketmgr_create(rndc_mctx, &socketmgr)); diff --git a/bin/tests/makejournal.c b/bin/tests/makejournal.c index 1fa9e31d84..c990d6c3ac 100644 --- a/bin/tests/makejournal.c +++ b/bin/tests/makejournal.c @@ -12,7 +12,6 @@ /*! \file */ #include -#include #include #include #include @@ -38,7 +37,6 @@ isc_mem_t *mctx = NULL; isc_log_t *lctx = NULL; -isc_entropy_t *ectx = NULL; static isc_boolean_t dst_active = ISC_FALSE; @@ -98,9 +96,8 @@ main(int argc, char **argv) { isc_mem_debugging |= ISC_MEM_DEBUGRECORD; CHECK(isc_mem_create(0, 0, &mctx)); - CHECK(isc_entropy_create(mctx, &ectx)); - CHECK(dst_lib_init(mctx, ectx, NULL, ISC_ENTROPY_BLOCKING)); + CHECK(dst_lib_init(mctx, NULL)); dst_active = ISC_TRUE; CHECK(isc_log_create(mctx, &lctx, &logconfig)); @@ -149,8 +146,6 @@ main(int argc, char **argv) { dst_lib_destroy(); dst_active = ISC_FALSE; } - if (ectx != NULL) - isc_entropy_detach(&ectx); if (mctx != NULL) isc_mem_destroy(&mctx); diff --git a/bin/tests/optional/Makefile.in b/bin/tests/optional/Makefile.in index 8cefb5a916..c0736eb17f 100644 --- a/bin/tests/optional/Makefile.in +++ b/bin/tests/optional/Makefile.in @@ -47,8 +47,6 @@ XTARGETS = adb_test@EXEEXT@ \ byname_test@EXEEXT@ \ db_test@EXEEXT@ \ dst_test@EXEEXT@ \ - entropy_test@EXEEXT@ \ - entropy2_test@EXEEXT@ \ gsstest@EXEEXT@ \ hash_test@EXEEXT@ \ fsaccess_test@EXEEXT@ \ @@ -80,8 +78,6 @@ XSRCS = adb_test.c \ byname_test.c \ db_test.c \ dst_test.c \ - entropy_test.c \ - entropy2_test.c \ hash_test.c \ fsaccess_test.c \ gsstest.c \ diff --git a/bin/tests/optional/adb_test.c b/bin/tests/optional/adb_test.c index 2dfaa09a8c..fb6c2a6715 100644 --- a/bin/tests/optional/adb_test.c +++ b/bin/tests/optional/adb_test.c @@ -19,7 +19,6 @@ #include #include -#include #include #include #include @@ -44,7 +43,6 @@ struct client { }; static isc_mem_t *mctx = NULL; -static isc_entropy_t *ectx = NULL; static isc_mempool_t *cmp; static isc_log_t *lctx; static isc_logconfig_t *lcfg; @@ -160,7 +158,7 @@ create_managers(void) { check_result(result, "isc_socketmgr_create"); dispatchmgr = NULL; - result = dns_dispatchmgr_create(mctx, NULL, &dispatchmgr); + result = dns_dispatchmgr_create(mctx, &dispatchmgr); check_result(result, "dns_dispatchmgr_create"); } @@ -306,8 +304,6 @@ main(int argc, char **argv) { == ISC_R_SUCCESS); isc_mempool_setname(cmp, "adb test clients"); - result = isc_entropy_create(mctx, &ectx); - check_result(result, "isc_entropy_create()"); result = isc_log_create(mctx, &lctx, &lcfg); check_result(result, "isc_log_create()"); isc_log_setcontext(lctx); @@ -417,8 +413,6 @@ main(int argc, char **argv) { isc_log_destroy(&lctx); - isc_entropy_detach(&ectx); - isc_mempool_destroy(&cmp); isc_mem_stats(mctx, stdout); isc_mem_destroy(&mctx); diff --git a/bin/tests/optional/byaddr_test.c b/bin/tests/optional/byaddr_test.c index c6b598da42..f4e44d19e5 100644 --- a/bin/tests/optional/byaddr_test.c +++ b/bin/tests/optional/byaddr_test.c @@ -121,7 +121,7 @@ main(int argc, char *argv[]) { isc_task_setname(task, "byaddr", NULL); dispatchmgr = NULL; - RUNTIME_CHECK(dns_dispatchmgr_create(mctx, NULL, &dispatchmgr) + RUNTIME_CHECK(dns_dispatchmgr_create(mctx, &dispatchmgr) == ISC_R_SUCCESS); timermgr = NULL; diff --git a/bin/tests/optional/byname_test.c b/bin/tests/optional/byname_test.c index a94097c37f..b560e6d20a 100644 --- a/bin/tests/optional/byname_test.c +++ b/bin/tests/optional/byname_test.c @@ -19,7 +19,6 @@ #include #include -#include #include #include #include @@ -37,7 +36,6 @@ #include static isc_mem_t *mctx = NULL; -static isc_entropy_t *ectx = NULL; static isc_taskmgr_t *taskmgr; static dns_view_t *view = NULL; static dns_adbfind_t *find = NULL; @@ -206,8 +204,6 @@ main(int argc, char *argv[]) { mctx = NULL; RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS); - RUNTIME_CHECK(isc_entropy_create(mctx, &ectx) == ISC_R_SUCCESS); - while ((ch = isc_commandline_parse(argc, argv, "d:vw:")) != -1) { switch (ch) { case 'd': @@ -239,7 +235,7 @@ main(int argc, char *argv[]) { isc_task_setname(task, "byname", NULL); dispatchmgr = NULL; - RUNTIME_CHECK(dns_dispatchmgr_create(mctx, NULL, &dispatchmgr) + RUNTIME_CHECK(dns_dispatchmgr_create(mctx, &dispatchmgr) == ISC_R_SUCCESS); timermgr = NULL; @@ -352,8 +348,6 @@ main(int argc, char *argv[]) { isc_log_destroy(&lctx); - isc_entropy_detach(&ectx); - if (verbose) isc_mem_stats(mctx, stdout); isc_mem_destroy(&mctx); diff --git a/bin/tests/optional/dst_test.c b/bin/tests/optional/dst_test.c index 32492b025b..6dc9853b32 100644 --- a/bin/tests/optional/dst_test.c +++ b/bin/tests/optional/dst_test.c @@ -16,7 +16,6 @@ #include /* XXX */ #include -#include #include #include #include @@ -228,7 +227,6 @@ generate(int alg, isc_mem_t *mctx) { int main(void) { isc_mem_t *mctx = NULL; - isc_entropy_t *ectx = NULL; isc_buffer_t b; dns_fixedname_t fname; dns_name_t *name; @@ -248,14 +246,7 @@ main(void) { dns_result_register(); - result = isc_entropy_create(mctx, &ectx); - if (result != ISC_R_SUCCESS) - return (1); - result = isc_entropy_createfilesource(ectx, "randomfile"); - if (result != ISC_R_SUCCESS) - return (1); - dst_lib_init(mctx, ectx, NULL, - ISC_ENTROPY_BLOCKING|ISC_ENTROPY_GOODONLY); + dst_lib_init(mctx, NULL); name = dns_fixedname_initname(&fname); isc_buffer_constinit(&b, "test.", 5); @@ -283,7 +274,6 @@ main(void) { generate(DST_ALG_HMACMD5, mctx); dst_lib_destroy(); - isc_entropy_detach(&ectx); isc_mem_put(mctx, current, 256); /* isc_mem_stats(mctx, stdout);*/ diff --git a/bin/tests/optional/entropy2_test.c b/bin/tests/optional/entropy2_test.c deleted file mode 100644 index d7ae39e4bd..0000000000 --- a/bin/tests/optional/entropy2_test.c +++ /dev/null @@ -1,167 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -/*! \file */ - -#include - -#include -#include - -#include -#include -#include -#include -#include -#include -#include - -static void -hex_dump(const char *msg, void *data, unsigned int length) { - unsigned int len; - unsigned char *base; - isc_boolean_t first = ISC_TRUE; - - base = data; - - printf("DUMP of %u bytes: %s\n\t", length, msg); - for (len = 0; len < length; len++) { - if (len % 16 == 0 && !first) - printf("\n\t"); - printf("%02x ", base[len]); - first = ISC_FALSE; - } - printf("\n"); -} - -static void -CHECK(const char *msg, isc_result_t result) { - if (result != ISC_R_SUCCESS) { - printf("FAILURE: %s: %s\n", msg, isc_result_totext(result)); - exit(1); - } -} - -static isc_result_t -start(isc_entropysource_t *source, void *arg, isc_boolean_t blocking) { - isc_keyboard_t *kbd = (isc_keyboard_t *)arg; - - UNUSED(source); - - if (blocking) - printf("start called, blocking mode.\n"); - else - printf("start called, non-blocking mode.\n"); - - return (isc_keyboard_open(kbd)); -} - -static void -stop(isc_entropysource_t *source, void *arg) { - isc_keyboard_t *kbd = (isc_keyboard_t *)arg; - - UNUSED(source); - - printf("ENOUGH! Stop typing, please.\r\n"); - - (void)isc_keyboard_close(kbd, 3); - printf("stop called\n"); -} - -static isc_result_t -get(isc_entropysource_t *source, void *arg, isc_boolean_t blocking) { - isc_keyboard_t *kbd = (isc_keyboard_t *)arg; - isc_result_t result; - isc_time_t t; - isc_uint32_t sample; - isc_uint32_t extra; - unsigned char c; - - if (!blocking) - return (ISC_R_NOENTROPY); - - result = isc_keyboard_getchar(kbd, &c); - if (result != ISC_R_SUCCESS) - return (result); - - TIME_NOW(&t); - - sample = isc_time_nanoseconds(&t); - extra = c; - - result = isc_entropy_addcallbacksample(source, sample, extra); - if (result != ISC_R_SUCCESS) { - printf("\r\n"); - return (result); - } - - printf("."); - fflush(stdout); - - return (result); -} - -int -main(int argc, char **argv) { - isc_mem_t *mctx; - unsigned char buffer[512]; - isc_entropy_t *ent; - isc_entropysource_t *source; - unsigned int returned; - unsigned int flags; - isc_result_t result; - isc_keyboard_t kbd; - - UNUSED(argc); - UNUSED(argv); - - mctx = NULL; - CHECK("isc_mem_create()", - isc_mem_create(0, 0, &mctx)); - - ent = NULL; - CHECK("isc_entropy_create()", - isc_entropy_create(mctx, &ent)); - - isc_entropy_stats(ent, stderr); - - source = NULL; - result = isc_entropy_createcallbacksource(ent, start, get, stop, &kbd, - &source); - CHECK("isc_entropy_createcallbacksource()", result); - - fprintf(stderr, - "Reading 32 bytes of GOOD random data only, partial OK\n"); - - flags = 0; - flags |= ISC_ENTROPY_GOODONLY; - flags |= ISC_ENTROPY_PARTIAL; - flags |= ISC_ENTROPY_BLOCKING; - returned = 0; - result = isc_entropy_getdata(ent, buffer, 32, &returned, flags); - if (result == ISC_R_NOENTROPY) { - fprintf(stderr, "No entropy.\r\n"); - } - - isc_entropy_stopcallbacksources(ent); - - hex_dump("good data only:", buffer, returned); - - isc_entropy_stats(ent, stderr); - - isc_entropy_destroysource(&source); - isc_entropy_detach(&ent); - - isc_mem_stats(mctx, stderr); - isc_mem_destroy(&mctx); - - return (0); -} diff --git a/bin/tests/optional/entropy_test.c b/bin/tests/optional/entropy_test.c deleted file mode 100644 index ffe2a47b18..0000000000 --- a/bin/tests/optional/entropy_test.c +++ /dev/null @@ -1,132 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -/*! \file */ - -#include - -#include -#include - -#include -#include -#include -#include -#include - -static void -hex_dump(const char *msg, void *data, unsigned int length) { - unsigned int len; - unsigned char *base; - isc_boolean_t first = ISC_TRUE; - - base = data; - - printf("DUMP of %u bytes: %s\n\t", length, msg); - for (len = 0; len < length; len++) { - if (len % 16 == 0 && !first) - printf("\n\t"); - printf("%02x ", base[len]); - first = ISC_FALSE; - } - printf("\n"); -} - -static void -CHECK(const char *msg, isc_result_t result) { - if (result != ISC_R_SUCCESS) { - printf("FAILURE: %s: %s\n", msg, isc_result_totext(result)); - exit(1); - } -} - -int -main(int argc, char **argv) { - isc_mem_t *mctx; - unsigned char buffer[512]; - isc_entropy_t *ent; - unsigned int returned; - unsigned int flags; - isc_result_t result; - - UNUSED(argc); - UNUSED(argv); - - mctx = NULL; - CHECK("isc_mem_create()", - isc_mem_create(0, 0, &mctx)); - - ent = NULL; - CHECK("isc_entropy_create()", - isc_entropy_create(mctx, &ent)); - - isc_entropy_stats(ent, stderr); - -#if 1 - CHECK("isc_entropy_createfilesource() 1", - isc_entropy_createfilesource(ent, "/dev/random")); - CHECK("isc_entropy_createfilesource() 2", - isc_entropy_createfilesource(ent, "/dev/random")); -#else - CHECK("isc_entropy_createfilesource() 3", - isc_entropy_createfilesource(ent, "/tmp/foo")); -#endif - - fprintf(stderr, - "Reading 32 bytes of GOOD random data only, partial OK\n"); - - flags = 0; - flags |= ISC_ENTROPY_GOODONLY; - flags |= ISC_ENTROPY_PARTIAL; - result = isc_entropy_getdata(ent, buffer, 32, &returned, flags); - if (result == ISC_R_NOENTROPY) { - fprintf(stderr, "No entropy.\n"); - goto any; - } - hex_dump("good data only:", buffer, returned); - - any: - isc_entropy_stats(ent, stderr); - CHECK("isc_entropy_getdata() pseudorandom", - isc_entropy_getdata(ent, buffer, 128, NULL, 0)); - hex_dump("pseudorandom data", buffer, 128); - - isc_entropy_stats(ent, stderr); - flags = 0; - flags |= ISC_ENTROPY_GOODONLY; - flags |= ISC_ENTROPY_BLOCKING; - result = isc_entropy_getdata(ent, buffer, sizeof(buffer), &returned, - flags); - CHECK("good data only, blocking mode", result); - hex_dump("blocking mode data", buffer, sizeof(buffer)); - - { - isc_entropy_t *entcopy1 = NULL; - isc_entropy_t *entcopy2 = NULL; - isc_entropy_t *entcopy3 = NULL; - - isc_entropy_attach(ent, &entcopy1); - isc_entropy_attach(ent, &entcopy2); - isc_entropy_attach(ent, &entcopy3); - - isc_entropy_stats(ent, stderr); - - isc_entropy_detach(&entcopy1); - isc_entropy_detach(&entcopy2); - isc_entropy_detach(&entcopy3); - } - - isc_entropy_detach(&ent); - isc_mem_stats(mctx, stderr); - isc_mem_destroy(&mctx); - - return (0); -} diff --git a/bin/tests/optional/gsstest.c b/bin/tests/optional/gsstest.c index 74ff400808..0e90ad017e 100644 --- a/bin/tests/optional/gsstest.c +++ b/bin/tests/optional/gsstest.c @@ -17,7 +17,6 @@ #include #include -#include #include #include #include @@ -435,7 +434,6 @@ main(int argc, char *argv[]) { dns_dispatchmgr_t *dispatchmgr; dns_dispatch_t *dispatchv4; dns_view_t *view; - isc_entropy_t *ectx; isc_task_t *task; isc_log_t *lctx = NULL; isc_logconfig_t *lcfg = NULL; @@ -471,11 +469,7 @@ main(int argc, char *argv[]) { isc_log_setdebuglevel(lctx, 9); - ectx = NULL; - RUNCHECK(isc_entropy_create(mctx, &ectx)); - RUNCHECK(isc_entropy_createfilesource(ectx, "/dev/urandom")); - - RUNCHECK(dst_lib_init(mctx, ectx, NULL, ISC_ENTROPY_GOODONLY)); + RUNCHECK(dst_lib_init(mctx, NULL)); taskmgr = NULL; RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr)); @@ -486,7 +480,7 @@ main(int argc, char *argv[]) { socketmgr = NULL; RUNCHECK(isc_socketmgr_create(mctx, &socketmgr)); dispatchmgr = NULL; - RUNCHECK(dns_dispatchmgr_create(mctx, ectx, &dispatchmgr)); + RUNCHECK(dns_dispatchmgr_create(mctx, &dispatchmgr)); isc_sockaddr_any(&bind_any); attrs = DNS_DISPATCHATTR_UDP | DNS_DISPATCHATTR_MAKEQUERY | @@ -543,7 +537,6 @@ main(int argc, char *argv[]) { dns_view_detach(&view); dst_lib_destroy(); - isc_entropy_detach(&ectx); isc_mem_stats(mctx, stdout); isc_mem_destroy(&mctx); diff --git a/bin/tests/optional/sig0_test.c b/bin/tests/optional/sig0_test.c index eb2ccc91c1..ad3e416ec2 100644 --- a/bin/tests/optional/sig0_test.c +++ b/bin/tests/optional/sig0_test.c @@ -19,7 +19,6 @@ #include #include #include -#include #include #include #include @@ -59,7 +58,6 @@ isc_mem_t *mctx; unsigned char qdata[1024], rdata[1024]; isc_buffer_t qbuffer, rbuffer; isc_taskmgr_t *taskmgr; -isc_entropy_t *ent = NULL; isc_task_t *task1; isc_log_t *lctx = NULL; isc_logconfig_t *logconfig = NULL; @@ -224,8 +222,7 @@ main(int argc, char *argv[]) { } } - RUNTIME_CHECK(isc_entropy_create(mctx, &ent) == ISC_R_SUCCESS); - RUNTIME_CHECK(dst_lib_init(mctx, ent, NULL, 0) == ISC_R_SUCCESS); + RUNTIME_CHECK(dst_lib_init(mctx, NULL) == ISC_R_SUCCESS); dns_result_register(); dst_result_register(); @@ -279,8 +276,6 @@ main(int argc, char *argv[]) { dst_lib_destroy(); - isc_entropy_detach(&ent); - isc_log_destroy(&lctx); if (verbose) diff --git a/bin/tests/system/pipelined/pipequeries.c b/bin/tests/system/pipelined/pipequeries.c index 72db37c63b..3f18b77e8a 100644 --- a/bin/tests/system/pipelined/pipequeries.c +++ b/bin/tests/system/pipelined/pipequeries.c @@ -18,7 +18,6 @@ #include #include #include -#include #include #include #include @@ -204,13 +203,11 @@ sendqueries(isc_task_t *task, isc_event_t *event) { int main(int argc, char *argv[]) { - char *randomfile = NULL; isc_sockaddr_t bind_any; struct in_addr inaddr; isc_result_t result; isc_log_t *lctx; isc_logconfig_t *lcfg; - isc_entropy_t *ectx; isc_taskmgr_t *taskmgr; isc_task_t *task; isc_timermgr_t *timermgr; @@ -237,7 +234,7 @@ main(int argc, char *argv[]) { } break; case 'r': - randomfile = isc_commandline_argument; + fprintf(stderr, "The -r option has been deprecated.\n"); break; case '?': fprintf(stderr, "%s: invalid argument '%c'", @@ -277,15 +274,7 @@ main(int argc, char *argv[]) { lcfg = NULL; RUNCHECK(isc_log_create(mctx, &lctx, &lcfg)); - ectx = NULL; - RUNCHECK(isc_entropy_create(mctx, &ectx)); - if (randomfile == NULL) { - isc_entropy_usehook(ectx, ISC_TRUE); - } - if (randomfile != NULL) - RUNCHECK(isc_entropy_createfilesource(ectx, randomfile)); - - RUNCHECK(dst_lib_init(mctx, ectx, NULL, ISC_ENTROPY_GOODONLY)); + RUNCHECK(dst_lib_init(mctx, NULL)); taskmgr = NULL; RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr)); @@ -297,7 +286,7 @@ main(int argc, char *argv[]) { socketmgr = NULL; RUNCHECK(isc_socketmgr_create(mctx, &socketmgr)); dispatchmgr = NULL; - RUNCHECK(dns_dispatchmgr_create(mctx, ectx, &dispatchmgr)); + RUNCHECK(dns_dispatchmgr_create(mctx, &dispatchmgr)); attrs = DNS_DISPATCHATTR_UDP | DNS_DISPATCHATTR_MAKEQUERY | @@ -339,7 +328,6 @@ main(int argc, char *argv[]) { isc_taskmgr_destroy(&taskmgr); dst_lib_destroy(); - isc_entropy_detach(&ectx); isc_log_destroy(&lctx); diff --git a/bin/tests/system/rsabigexponent/bigkey.c b/bin/tests/system/rsabigexponent/bigkey.c index 8cfc6915dd..4f7ea74fad 100644 --- a/bin/tests/system/rsabigexponent/bigkey.c +++ b/bin/tests/system/rsabigexponent/bigkey.c @@ -18,7 +18,6 @@ #include #include -#include #include #include #include @@ -117,8 +116,6 @@ dst_key_t *key; dns_fixedname_t fname; dns_name_t *name; unsigned int bits = 1024U; -isc_entropy_t *ectx; -isc_entropysource_t *source; isc_mem_t *mctx; isc_log_t *log_; isc_logconfig_t *logconfig; @@ -174,13 +171,7 @@ main(int argc, char **argv) { dns_result_register(); CHECK(isc_mem_create(0, 0, &mctx), "isc_mem_create()"); - CHECK(isc_entropy_create(mctx, &ectx), "isc_entropy_create()"); - isc_entropy_usehook(ectx, ISC_TRUE); - CHECK(isc_entropy_usebestsource(ectx, &source, - "../random.data", - ISC_ENTROPY_KEYBOARDNO), - "isc_entropy_usebestsource(\"../random.data\")"); - CHECK(dst_lib_init(mctx, ectx, NULL, 0), "dst_lib_init()"); + CHECK(dst_lib_init(mctx, NULL), "dst_lib_init()"); CHECK(isc_log_create(mctx, &log_, &logconfig), "isc_log_create()"); isc_log_setcontext(log_); dns_log_init(log_); @@ -222,9 +213,6 @@ main(int argc, char **argv) { isc_log_destroy(&log_); isc_log_setcontext(NULL); dns_log_setcontext(NULL); - if (source != NULL) - isc_entropy_destroysource(&source); - isc_entropy_detach(&ectx); dst_lib_destroy(); dns_name_destroy(); isc_mem_destroy(&mctx); diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c index 1d1ca94965..0619f38159 100644 --- a/bin/tests/system/tkey/keycreate.c +++ b/bin/tests/system/tkey/keycreate.c @@ -17,11 +17,11 @@ #include #include -#include #include #include #include #include +#include #include #include #include @@ -203,7 +203,6 @@ sendquery(isc_task_t *task, isc_event_t *event) { int main(int argc, char *argv[]) { char *ourkeyname; - char *randomfile; isc_taskmgr_t *taskmgr; isc_timermgr_t *timermgr; isc_socketmgr_t *socketmgr; @@ -213,7 +212,6 @@ main(int argc, char *argv[]) { dns_dispatchmgr_t *dispatchmgr; dns_dispatch_t *dispatchv4; dns_view_t *view; - isc_entropy_t *ectx; dns_tkeyctx_t *tctx; isc_log_t *log; isc_logconfig_t *logconfig; @@ -223,20 +221,13 @@ main(int argc, char *argv[]) { RUNCHECK(isc_app_start()); - randomfile = NULL; - if (argc < 2) { fprintf(stderr, "I:no DH key provided\n"); exit(-1); } if (strcmp(argv[1], "-r") == 0) { - if (argc < 4) { - fprintf(stderr, "I:no DH key provided\n"); - exit(-1); - } - randomfile = argv[2]; - argv += 2; - argc -= 2; + fprintf(stderr, "I:the -r option has been deprecated\n"); + exit(-1); } ourkeyname = argv[1]; @@ -249,20 +240,11 @@ main(int argc, char *argv[]) { isc_mem_debugging = ISC_MEM_DEBUGRECORD; RUNCHECK(isc_mem_create(0, 0, &mctx)); - ectx = NULL; - RUNCHECK(isc_entropy_create(mctx, &ectx)); - if (randomfile == NULL) { - isc_entropy_usehook(ectx, ISC_TRUE); - } - if (randomfile != NULL) { - RUNCHECK(isc_entropy_createfilesource(ectx, randomfile)); - } - log = NULL; logconfig = NULL; RUNCHECK(isc_log_create(mctx, &log, &logconfig)); - RUNCHECK(dst_lib_init(mctx, ectx, NULL, ISC_ENTROPY_GOODONLY)); + RUNCHECK(dst_lib_init(mctx, NULL)); taskmgr = NULL; RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr)); @@ -273,7 +255,7 @@ main(int argc, char *argv[]) { socketmgr = NULL; RUNCHECK(isc_socketmgr_create(mctx, &socketmgr)); dispatchmgr = NULL; - RUNCHECK(dns_dispatchmgr_create(mctx, NULL, &dispatchmgr)); + RUNCHECK(dns_dispatchmgr_create(mctx, &dispatchmgr)); isc_sockaddr_any(&bind_any); attrs = DNS_DISPATCHATTR_UDP | DNS_DISPATCHATTR_MAKEQUERY | @@ -294,7 +276,7 @@ main(int argc, char *argv[]) { ring = NULL; RUNCHECK(dns_tsigkeyring_create(mctx, &ring)); tctx = NULL; - RUNCHECK(dns_tkeyctx_create(mctx, ectx, &tctx)); + RUNCHECK(dns_tkeyctx_create(mctx, &tctx)); view = NULL; RUNCHECK(dns_view_create(mctx, 0, "_test", &view)); @@ -313,9 +295,7 @@ main(int argc, char *argv[]) { CHECK("dst_key_fromnamedfile", result); isc_buffer_init(&nonce, noncedata, sizeof(noncedata)); - result = isc_entropy_getdata(ectx, noncedata, sizeof(noncedata), - NULL, ISC_ENTROPY_BLOCKING); - CHECK("isc_entropy_getdata", result); + isc_random_buf(noncedata, sizeof(noncedata)); isc_buffer_add(&nonce, sizeof(noncedata)); (void)isc_app_run(); @@ -342,7 +322,6 @@ main(int argc, char *argv[]) { isc_log_destroy(&log); dst_lib_destroy(); - isc_entropy_detach(&ectx); isc_mem_destroy(&mctx); diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c index 9b04843321..6cfa7b42af 100644 --- a/bin/tests/system/tkey/keydelete.c +++ b/bin/tests/system/tkey/keydelete.c @@ -17,11 +17,11 @@ #include #include -#include #include #include #include #include +#include #include #include #include @@ -136,7 +136,6 @@ sendquery(isc_task_t *task, isc_event_t *event) { int main(int argc, char **argv) { char *keyname; - char *randomfile; isc_taskmgr_t *taskmgr; isc_timermgr_t *timermgr; isc_socketmgr_t *socketmgr; @@ -146,7 +145,6 @@ main(int argc, char **argv) { dns_dispatchmgr_t *dispatchmgr; dns_dispatch_t *dispatchv4; dns_view_t *view; - isc_entropy_t *ectx; dns_tkeyctx_t *tctx; dst_key_t *dstkey; isc_log_t *log; @@ -157,21 +155,14 @@ main(int argc, char **argv) { RUNCHECK(isc_app_start()); - randomfile = NULL; if (argc < 2) { fprintf(stderr, "I:no key to delete\n"); exit(-1); } if (strcmp(argv[1], "-r") == 0) { - if (argc < 4) { - fprintf(stderr, "I:no DH key provided\n"); - exit(-1); - } - randomfile = argv[2]; - argv += 2; - argc -= 2; - POST(argc); + fprintf(stderr, "I:The -r options has been deprecated\n"); + exit(-1); } keyname = argv[1]; @@ -180,20 +171,11 @@ main(int argc, char **argv) { mctx = NULL; RUNCHECK(isc_mem_create(0, 0, &mctx)); - ectx = NULL; - RUNCHECK(isc_entropy_create(mctx, &ectx)); - if (randomfile == NULL) { - isc_entropy_usehook(ectx, ISC_TRUE); - } - if (randomfile != NULL) { - RUNCHECK(isc_entropy_createfilesource(ectx, randomfile)); - } - log = NULL; logconfig = NULL; RUNCHECK(isc_log_create(mctx, &log, &logconfig)); - RUNCHECK(dst_lib_init(mctx, ectx, NULL, ISC_ENTROPY_GOODONLY)); + RUNCHECK(dst_lib_init(mctx, NULL)); taskmgr = NULL; RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr)); @@ -204,7 +186,7 @@ main(int argc, char **argv) { socketmgr = NULL; RUNCHECK(isc_socketmgr_create(mctx, &socketmgr)); dispatchmgr = NULL; - RUNCHECK(dns_dispatchmgr_create(mctx, NULL, &dispatchmgr)); + RUNCHECK(dns_dispatchmgr_create(mctx, &dispatchmgr)); isc_sockaddr_any(&bind_any); attrs = DNS_DISPATCHATTR_UDP | DNS_DISPATCHATTR_MAKEQUERY | @@ -225,7 +207,7 @@ main(int argc, char **argv) { ring = NULL; RUNCHECK(dns_tsigkeyring_create(mctx, &ring)); tctx = NULL; - RUNCHECK(dns_tkeyctx_create(mctx, ectx, &tctx)); + RUNCHECK(dns_tkeyctx_create(mctx, &tctx)); view = NULL; RUNCHECK(dns_view_create(mctx, 0, "_test", &view)); @@ -277,7 +259,6 @@ main(int argc, char **argv) { isc_log_destroy(&log); dst_lib_destroy(); - isc_entropy_detach(&ectx); isc_mem_destroy(&mctx); diff --git a/bin/tools/mdig.c b/bin/tools/mdig.c index 3b4c067c75..9fd980de8b 100644 --- a/bin/tools/mdig.c +++ b/bin/tools/mdig.c @@ -17,7 +17,6 @@ #include #include -#include #include #include #include @@ -25,6 +24,7 @@ #include #include #include +#include #include #include #include @@ -1886,7 +1886,6 @@ main(int argc, char *argv[]) { isc_sockaddr_t bind_any; isc_log_t *lctx; isc_logconfig_t *lcfg; - isc_entropy_t *ectx; isc_taskmgr_t *taskmgr; isc_task_t *task; isc_timermgr_t *timermgr; @@ -1917,11 +1916,8 @@ main(int argc, char *argv[]) { lcfg = NULL; RUNCHECK(isc_log_create(mctx, &lctx, &lcfg)); - ectx = NULL; - RUNCHECK(isc_entropy_create(mctx, &ectx)); - RUNCHECK(dst_lib_init(mctx, ectx, NULL, ISC_ENTROPY_GOODONLY)); - RUNCHECK(isc_entropy_getdata(ectx, cookie_secret, - sizeof(cookie_secret), NULL, 0)); + RUNCHECK(dst_lib_init(mctx, NULL)); + isc_random_buf(cookie_secret, sizeof(cookie_secret)); ISC_LIST_INIT(queries); parse_args(ISC_FALSE, argc, argv); @@ -1955,7 +1951,7 @@ main(int argc, char *argv[]) { socketmgr = NULL; RUNCHECK(isc_socketmgr_create(mctx, &socketmgr)); dispatchmgr = NULL; - RUNCHECK(dns_dispatchmgr_create(mctx, ectx, &dispatchmgr)); + RUNCHECK(dns_dispatchmgr_create(mctx, &dispatchmgr)); attrs = DNS_DISPATCHATTR_UDP | DNS_DISPATCHATTR_MAKEQUERY; @@ -2021,7 +2017,6 @@ main(int argc, char *argv[]) { isc_taskmgr_destroy(&taskmgr); dst_lib_destroy(); - isc_entropy_detach(&ectx); isc_log_destroy(&lctx); diff --git a/config.h.in b/config.h.in index 45d342ef68..5590de4e4f 100644 --- a/config.h.in +++ b/config.h.in @@ -185,11 +185,11 @@ int sigwait(const unsigned int *set, int *sig); /* Define to 1 if you have the `arc4random' function. */ #undef HAVE_ARC4RANDOM -/* Define to 1 if you have the `arc4random_addrandom' function. */ -#undef HAVE_ARC4RANDOM_ADDRANDOM +/* Define to 1 if you have the `arc4random_buf' function. */ +#undef HAVE_ARC4RANDOM_BUF -/* Define to 1 if you have the `arc4random_stir' function. */ -#undef HAVE_ARC4RANDOM_STIR +/* Define to 1 if you have the `arc4random_uniform' function. */ +#undef HAVE_ARC4RANDOM_UNIFORM /* Define to 1 if the compiler supports __builtin_clz. */ #undef HAVE_BUILTIN_CLZ @@ -272,6 +272,9 @@ int sigwait(const unsigned int *set, int *sig); /* Build with GeoIP Country IPv6 support */ #undef HAVE_GEOIP_V6 +/* Define to 1 if you have the `getrandom' function. */ +#undef HAVE_GETRANDOM + /* Define to use gperftools CPU profiler. */ #undef HAVE_GPERFTOOLS_PROFILER diff --git a/configure b/configure index 0ad864870e..217f168247 100755 --- a/configure +++ b/configure @@ -995,7 +995,6 @@ enable_epoll enable_devpoll with_geoip with_gssapi -with_randomdev enable_threads with_locktype with_libtool @@ -1749,7 +1748,6 @@ Optional Packages: --with-gssapi=PATH|/path/krb5-config Specify path for system-supplied GSSAPI [default=yes] - --with-randomdev=PATH Specify path for random device --with-locktype=ARG Specify mutex lock type (adaptive or standard) --with-libtool use GNU libtool --with-openssl=PATH Build with OpenSSL [yes|no|path]. (Crypto is @@ -14900,81 +14898,7 @@ DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS" -# -# was --with-randomdev specified? -# -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for random device" >&5 -$as_echo_n "checking for random device... " >&6; } - -# Check whether --with-randomdev was given. -if test "${with_randomdev+set}" = set; then : - withval=$with_randomdev; use_randomdev="$withval" -else - use_randomdev="unspec" -fi - - -case "$use_randomdev" in - unspec) - case "$cross_compiling" in - yes) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: unspecified" >&5 -$as_echo "unspecified" >&6; } - as_fn_error $? " need --with-randomdev=PATH or --with-randomdev=no" "$LINENO" 5 - esac - case "$host" in - *-openbsd*) - devrandom=/dev/arandom - ;; - *) - devrandom=/dev/random - ;; - esac - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $devrandom" >&5 -$as_echo "$devrandom" >&6; } - as_ac_File=`$as_echo "ac_cv_file_$devrandom" | $as_tr_sh` -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $devrandom" >&5 -$as_echo_n "checking for $devrandom... " >&6; } -if eval \${$as_ac_File+:} false; then : - $as_echo_n "(cached) " >&6 -else - test "$cross_compiling" = yes && - as_fn_error $? "cannot check for file existence when cross compiling" "$LINENO" 5 -if test -r "$devrandom"; then - eval "$as_ac_File=yes" -else - eval "$as_ac_File=no" -fi -fi -eval ac_res=\$$as_ac_File - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 -$as_echo "$ac_res" >&6; } -if eval test \"x\$"$as_ac_File"\" = x"yes"; then : - cat >>confdefs.h <<_ACEOF -#define PATH_RANDOMDEV "$devrandom" -_ACEOF - -fi - - - ;; - yes) - as_fn_error $? "--with-randomdev must specify a path" "$LINENO" 5 - ;; - no) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5 -$as_echo "disabled" >&6; } - ;; - *) - cat >>confdefs.h <<_ACEOF -#define PATH_RANDOMDEV "$use_randomdev" -_ACEOF - - { $as_echo "$as_me:${as_lineno-$LINENO}: result: using \"$use_randomdev\"" >&5 -$as_echo "using \"$use_randomdev\"" >&6; } - ;; -esac - +# XXXOND: Change this to deterministic DSA generation # # Only check dsa signature generation on these platforms when performing # system tests. @@ -14992,36 +14916,14 @@ fi # # Do we have arc4random(), etc ? -# Will use stir and if not exist addrandom # -for ac_func in arc4random +for ac_func in arc4random arc4random_buf arc4random_uniform getrandom do : - ac_fn_c_check_func "$LINENO" "arc4random" "ac_cv_func_arc4random" -if test "x$ac_cv_func_arc4random" = xyes; then : + as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` +ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" +if eval test \"x\$"$as_ac_var"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF -#define HAVE_ARC4RANDOM 1 -_ACEOF - -fi -done - -for ac_func in arc4random_stir -do : - ac_fn_c_check_func "$LINENO" "arc4random_stir" "ac_cv_func_arc4random_stir" -if test "x$ac_cv_func_arc4random_stir" = xyes; then : - cat >>confdefs.h <<_ACEOF -#define HAVE_ARC4RANDOM_STIR 1 -_ACEOF - -fi -done - -for ac_func in arc4random_addrandom -do : - ac_fn_c_check_func "$LINENO" "arc4random_addrandom" "ac_cv_func_arc4random_addrandom" -if test "x$ac_cv_func_arc4random_addrandom" = xyes; then : - cat >>confdefs.h <<_ACEOF -#define HAVE_ARC4RANDOM_ADDRANDOM 1 +#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 _ACEOF fi diff --git a/configure.in b/configure.in index 387310a759..88f28f4c68 100644 --- a/configure.in +++ b/configure.in @@ -1099,48 +1099,7 @@ DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS" AC_SUBST(DNS_CRYPTO_LIBS) -# -# was --with-randomdev specified? -# -AC_MSG_CHECKING(for random device) -AC_ARG_WITH(randomdev, - AS_HELP_STRING([--with-randomdev=PATH], - [Specify path for random device]), - use_randomdev="$withval", use_randomdev="unspec") - -case "$use_randomdev" in - unspec) - case "$cross_compiling" in - yes) - AC_MSG_RESULT(unspecified) - AC_MSG_ERROR([ need --with-randomdev=PATH or --with-randomdev=no]) - esac - case "$host" in - *-openbsd*) - devrandom=/dev/arandom - ;; - *) - devrandom=/dev/random - ;; - esac - AC_MSG_RESULT($devrandom) - AC_CHECK_FILE($devrandom, - AC_DEFINE_UNQUOTED(PATH_RANDOMDEV, - "$devrandom"),) - - ;; - yes) - AC_MSG_ERROR([--with-randomdev must specify a path]) - ;; - no) - AC_MSG_RESULT(disabled) - ;; - *) - AC_DEFINE_UNQUOTED(PATH_RANDOMDEV, "$use_randomdev") - AC_MSG_RESULT(using "$use_randomdev") - ;; -esac - +# XXXOND: Change this to deterministic DSA generation # # Only check dsa signature generation on these platforms when performing # system tests. @@ -1158,11 +1117,8 @@ AC_SUBST(CHECK_DSA) # # Do we have arc4random(), etc ? -# Will use stir and if not exist addrandom # -AC_CHECK_FUNCS(arc4random) -AC_CHECK_FUNCS(arc4random_stir) -AC_CHECK_FUNCS(arc4random_addrandom) +AC_CHECK_FUNCS(arc4random arc4random_buf arc4random_uniform getrandom) sinclude(config.threads.in)dnl diff --git a/contrib/sdb/ldap/zone2ldap.c b/contrib/sdb/ldap/zone2ldap.c index a8e49555da..2220138efd 100644 --- a/contrib/sdb/ldap/zone2ldap.c +++ b/contrib/sdb/ldap/zone2ldap.c @@ -20,7 +20,6 @@ #include #include -#include #include #include #include @@ -120,7 +119,6 @@ int main (int argc, char **argv) { isc_mem_t *mctx = NULL; - isc_entropy_t *ectx = NULL; isc_result_t result; char *basedn; ldap_info *tmp; @@ -214,9 +212,6 @@ main (int argc, char **argv) result = isc_mem_create (0, 0, &mctx); isc_result_check (result, "isc_mem_create"); - result = isc_entropy_create(mctx, &ectx); - isc_result_check (result, "isc_entropy_create"); - isc_buffer_init (&buff, argzone, strlen (argzone)); isc_buffer_add (&buff, strlen (argzone)); zone = dns_fixedname_initname(&fixedzone); @@ -343,7 +338,6 @@ main (int argc, char **argv) printf("Operation Complete.\n"); /* Cleanup */ - isc_entropy_detach(&ectx); isc_mem_destroy(&mctx); if (zonefile) free(zonefile); diff --git a/contrib/sdb/pgsql/zonetodb.c b/contrib/sdb/pgsql/zonetodb.c index b8b7d6b1eb..6cb2033ee9 100644 --- a/contrib/sdb/pgsql/zonetodb.c +++ b/contrib/sdb/pgsql/zonetodb.c @@ -14,7 +14,6 @@ #include #include -#include #include #include #include @@ -135,7 +134,6 @@ main(int argc, char **argv) { dns_rdataset_t rdataset; dns_rdata_t rdata = DNS_RDATA_INIT; isc_mem_t *mctx = NULL; - isc_entropy_t *ectx = NULL; isc_buffer_t b; isc_result_t result; PGresult *res; @@ -157,9 +155,6 @@ main(int argc, char **argv) { result = isc_mem_create(0, 0, &mctx); check_result(result, "isc_mem_create"); - result = isc_entropy_create(mctx, &ectx); - check_result(result, "isc_entropy_create"); - isc_buffer_init(&b, porigin, strlen(porigin)); isc_buffer_add(&b, strlen(porigin)); origin = dns_fixedname_initname(&forigin); @@ -272,7 +267,6 @@ main(int argc, char **argv) { PQclear(res); dns_dbiterator_destroy(&dbiter); dns_db_detach(&db); - isc_entropy_detach(&ectx); isc_mem_destroy(&mctx); closeandexit(0); exit(0); diff --git a/contrib/sdb/sqlite/zone2sqlite.c b/contrib/sdb/sqlite/zone2sqlite.c index cf6747d4ed..06d7166351 100644 --- a/contrib/sdb/sqlite/zone2sqlite.c +++ b/contrib/sdb/sqlite/zone2sqlite.c @@ -16,7 +16,6 @@ #include #include -#include #include #include #include @@ -148,7 +147,6 @@ main(int argc, char *argv[]) dns_rdataset_t rdataset; dns_rdata_t rdata = DNS_RDATA_INIT; isc_mem_t *mctx = NULL; - isc_entropy_t *ectx = NULL; isc_buffer_t b; isc_result_t result; @@ -167,8 +165,6 @@ main(int argc, char *argv[]) result = isc_mem_create(0, 0, &mctx); check_result(result, "isc_mem_create"); - result = isc_entropy_create(mctx, &ectx); - check_result(result, "isc_entropy_create"); isc_buffer_init(&b, porigin, strlen(porigin)); isc_buffer_add(&b, strlen(porigin)); @@ -284,7 +280,6 @@ main(int argc, char *argv[]) dns_dbiterator_destroy(&dbiter); dns_db_detach(&db); - isc_entropy_detach(&ectx); isc_mem_destroy(&mctx); closeandexit(0); diff --git a/lib/dns/adb.c b/lib/dns/adb.c index 567ed6614e..4c79df71b9 100644 --- a/lib/dns/adb.c +++ b/lib/dns/adb.c @@ -1812,7 +1812,6 @@ free_adblameinfo(dns_adb_t *adb, dns_adblameinfo_t **lameinfo) { static inline dns_adbentry_t * new_adbentry(dns_adb_t *adb) { dns_adbentry_t *e; - isc_uint32_t r; e = isc_mempool_get(adb->emp); if (e == NULL) @@ -1835,8 +1834,7 @@ new_adbentry(dns_adb_t *adb) { e->to512 = 0; e->cookie = NULL; e->cookielen = 0; - isc_random_get(&r); - e->srtt = (r & 0x1f) + 1; + e->srtt = (isc_random() & 0x1f) + 1; e->lastage = 0; e->expires = 0; e->active = 0; diff --git a/lib/dns/client.c b/lib/dns/client.c index cb35938c4b..9676b126bc 100644 --- a/lib/dns/client.c +++ b/lib/dns/client.c @@ -464,7 +464,7 @@ dns_client_createx(isc_mem_t *mctx, isc_appctx_t *actx, if (result != ISC_R_SUCCESS) goto cleanup; - result = dns_dispatchmgr_create(mctx, NULL, &dispatchmgr); + result = dns_dispatchmgr_create(mctx, &dispatchmgr); if (result != ISC_R_SUCCESS) goto cleanup; client->dispatchmgr = dispatchmgr; diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c index a65f693002..55b2eab85a 100644 --- a/lib/dns/dispatch.c +++ b/lib/dns/dispatch.c @@ -18,7 +18,6 @@ #include #include -#include #include #include #include @@ -65,17 +64,12 @@ struct dns_dispatchmgr { dns_acl_t *blackhole; dns_portlist_t *portlist; isc_stats_t *stats; - isc_entropy_t *entropy; /*%< entropy source */ /* Locked by "lock". */ isc_mutex_t lock; unsigned int state; ISC_LIST(dns_dispatch_t) list; - /* Locked by rng_lock. */ - isc_mutex_t rng_lock; - isc_rng_t *rngctx; /*%< RNG context for QID */ - /* locked by buffer_lock */ dns_qid_t *qid; isc_mutex_t buffer_lock; @@ -240,7 +234,6 @@ struct dns_dispatch { unsigned int tcpbuffers; /*%< allocated buffers */ dns_tcpmsg_t tcpmsg; /*%< for tcp streams */ dns_qid_t *qid; - isc_rng_t *rngctx; /*%< for QID/UDP port num */ dispportlist_t *port_table; /*%< hold ports 'owned' by us */ isc_mempool_t *portpool; /*%< port table entries */ }; @@ -262,8 +255,6 @@ struct dns_dispatch { #define DNS_QID(disp) ((disp)->socktype == isc_sockettype_tcp) ? \ (disp)->qid : (disp)->mgr->qid -#define DISP_RNGCTX(disp) ((disp)->socktype == isc_sockettype_udp) ? \ - ((disp)->rngctx) : ((disp)->mgr->rngctx) /*% * Locking a query port buffer is a bit tricky. We access the buffer without @@ -663,7 +654,6 @@ get_dispsocket(dns_dispatch_t *disp, const isc_sockaddr_t *dest, in_port_t *portp) { int i; - isc_uint32_t r; dns_dispatchmgr_t *mgr = disp->mgr; isc_socket_t *sock = NULL; isc_result_t result = ISC_R_FAILURE; @@ -702,9 +692,8 @@ get_dispsocket(dns_dispatch_t *disp, const isc_sockaddr_t *dest, dispsock->disp = disp; dispsock->resp = NULL; dispsock->portentry = NULL; - isc_random_get(&r); dispsock->task = NULL; - isc_task_attach(disp->task[r % disp->ntasks], &dispsock->task); + isc_task_attach(disp->task[isc_random() % disp->ntasks], &dispsock->task); ISC_LINK_INIT(dispsock, link); ISC_LINK_INIT(dispsock, blink); dispsock->magic = DISPSOCK_MAGIC; @@ -719,7 +708,7 @@ get_dispsocket(dns_dispatch_t *disp, const isc_sockaddr_t *dest, qid = DNS_QID(disp); for (i = 0; i < 64; i++) { - port = ports[isc_rng_uniformrandom(DISP_RNGCTX(disp), nports)]; + port = ports[isc_random_uniform(nports)]; isc_sockaddr_setport(&localaddr, port); LOCK(&qid->lock); @@ -1636,10 +1625,6 @@ destroy_mgr(dns_dispatchmgr_t **mgrp) { DESTROYLOCK(&mgr->lock); mgr->state = 0; - if (mgr->rngctx != NULL) - isc_rng_detach(&mgr->rngctx); - DESTROYLOCK(&mgr->rng_lock); - isc_mempool_destroy(&mgr->depool); isc_mempool_destroy(&mgr->rpool); isc_mempool_destroy(&mgr->dpool); @@ -1654,8 +1639,6 @@ destroy_mgr(dns_dispatchmgr_t **mgrp) { DESTROYLOCK(&mgr->rpool_lock); DESTROYLOCK(&mgr->depool_lock); - if (mgr->entropy != NULL) - isc_entropy_detach(&mgr->entropy); if (mgr->qid != NULL) qid_destroy(mctx, &mgr->qid); @@ -1749,8 +1732,7 @@ create_default_portset(isc_mem_t *mctx, isc_portset_t **portsetp) { */ isc_result_t -dns_dispatchmgr_create(isc_mem_t *mctx, isc_entropy_t *entropy, - dns_dispatchmgr_t **mgrp) +dns_dispatchmgr_create(isc_mem_t *mctx, dns_dispatchmgr_t **mgrp) { dns_dispatchmgr_t *mgr; isc_result_t result; @@ -1769,19 +1751,14 @@ dns_dispatchmgr_create(isc_mem_t *mctx, isc_entropy_t *entropy, mgr->blackhole = NULL; mgr->stats = NULL; - mgr->rngctx = NULL; result = isc_mutex_init(&mgr->lock); if (result != ISC_R_SUCCESS) goto deallocate; - result = isc_mutex_init(&mgr->rng_lock); - if (result != ISC_R_SUCCESS) - goto kill_lock; - result = isc_mutex_init(&mgr->buffer_lock); if (result != ISC_R_SUCCESS) - goto kill_rng_lock; + goto kill_lock; result = isc_mutex_init(&mgr->depool_lock); if (result != ISC_R_SUCCESS) @@ -1847,7 +1824,6 @@ dns_dispatchmgr_create(isc_mem_t *mctx, isc_entropy_t *entropy, mgr->maxbuffers = 0; mgr->bpool = NULL; mgr->spool = NULL; - mgr->entropy = NULL; mgr->qid = NULL; mgr->state = 0; ISC_LIST_INIT(mgr->list); @@ -1873,13 +1849,6 @@ dns_dispatchmgr_create(isc_mem_t *mctx, isc_entropy_t *entropy, if (result != ISC_R_SUCCESS) goto kill_dpool; - if (entropy != NULL) - isc_entropy_attach(entropy, &mgr->entropy); - - result = isc_rng_create(mctx, mgr->entropy, &mgr->rngctx); - if (result != ISC_R_SUCCESS) - goto kill_dpool; - *mgrp = mgr; return (ISC_R_SUCCESS); @@ -1901,8 +1870,6 @@ dns_dispatchmgr_create(isc_mem_t *mctx, isc_entropy_t *entropy, DESTROYLOCK(&mgr->depool_lock); kill_buffer_lock: DESTROYLOCK(&mgr->buffer_lock); - kill_rng_lock: - DESTROYLOCK(&mgr->rng_lock); kill_lock: DESTROYLOCK(&mgr->lock); deallocate: @@ -2406,8 +2373,6 @@ dispatch_allocate(dns_dispatchmgr_t *mgr, unsigned int maxrequests, ISC_LIST_INIT(disp->activesockets); ISC_LIST_INIT(disp->inactivesockets); disp->nsockets = 0; - disp->rngctx = NULL; - isc_rng_attach(mgr->rngctx, &disp->rngctx); disp->port_table = NULL; disp->portpool = NULL; disp->dscp = -1; @@ -2433,8 +2398,6 @@ dispatch_allocate(dns_dispatchmgr_t *mgr, unsigned int maxrequests, kill_lock: DESTROYLOCK(&disp->lock); deallocate: - if (disp->rngctx != NULL) - isc_rng_detach(&disp->rngctx); isc_mempool_put(mgr->dpool, disp); return (result); @@ -2485,9 +2448,6 @@ dispatch_free(dns_dispatch_t **dispp) { if (disp->portpool != NULL) isc_mempool_destroy(&disp->portpool); - if (disp->rngctx != NULL) - isc_rng_detach(&disp->rngctx); - disp->mgr = NULL; DESTROYLOCK(&disp->lock); disp->magic = 0; @@ -2830,8 +2790,7 @@ get_udpsocket(dns_dispatchmgr_t *mgr, dns_dispatch_t *disp, for (i = 0; i < 1024; i++) { in_port_t prt; - prt = ports[isc_rng_uniformrandom(DISP_RNGCTX(disp), - nports)]; + prt = ports[isc_random_uniform(nports)]; isc_sockaddr_setport(&localaddr_bound, prt); result = open_socket(sockmgr, &localaddr_bound, 0, &sock, NULL); @@ -3208,10 +3167,11 @@ dns_dispatch_addresponse(dns_dispatch_t *disp, unsigned int options, * in which case we use the id passed in via *idp. */ LOCK(&qid->lock); - if ((options & DNS_DISPATCHOPT_FIXEDID) != 0) + if ((options & DNS_DISPATCHOPT_FIXEDID) != 0) { id = *idp; - else - isc_rng_randombytes(DISP_RNGCTX(disp), &id, sizeof(id)); + } else { + isc_random_buf(&id, sizeof(id)); + } ok = ISC_FALSE; i = 0; do { diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c index aa630bc45c..8f7e075b8d 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c @@ -32,7 +32,6 @@ #include #include -#include #include #include #include @@ -67,8 +66,6 @@ #define DST_AS_STR(t) ((t).value.as_textregion.base) static dst_func_t *dst_t_func[DST_MAX_ALGS]; -static isc_entropy_t *dst_entropy_pool = NULL; -static unsigned int dst_entropy_flags = 0; static isc_boolean_t dst_initialized = ISC_FALSE; @@ -143,8 +140,7 @@ default_memfree(void *arg, void *ptr) { #endif isc_result_t -dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, - const char *engine, unsigned int eflags) { +dst_lib_init(isc_mem_t *mctx, const char *engine) { isc_result_t result; REQUIRE(mctx != NULL); @@ -177,10 +173,6 @@ dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, #else /* OPENSSL */ isc_mem_attach(mctx, &dst__memory_pool); #endif /* OPENSSL */ - if (ectx != NULL) { - isc_entropy_attach(ectx, &dst_entropy_pool); - dst_entropy_flags = eflags; - } dst_result_register(); @@ -260,11 +252,10 @@ dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, #ifdef GSSAPI RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI])); #endif -#if defined(OPENSSL) || defined(PKCS11CRYPTO) - if (dst_entropy_pool != NULL) { - isc_entropy_sethook(dst_random_getdata); - } -#endif /* defined(OPENSSL) || defined(PKCS11CRYPTO) */ + +#if !defined(OPENSSL) && !defined(PKCS11CRYPTO) +#error Either OpenSSL or PKCS#11 cryptographic provider needed. +#endif /* !defined(OPENSSL) && !defined(PKCS11CRYPTO) */ dst_initialized = ISC_TRUE; return (ISC_R_SUCCESS); @@ -285,10 +276,6 @@ dst_lib_destroy(void) { if (dst_t_func[i] != NULL && dst_t_func[i]->cleanup != NULL) dst_t_func[i]->cleanup(); #if defined(OPENSSL) || defined(PKCS11CRYPTO) - if (dst_entropy_pool != NULL) { - isc_entropy_usehook(dst_entropy_pool, ISC_FALSE); - isc_entropy_sethook(NULL); - } #ifdef OPENSSL dst__openssl_destroy(); #elif PKCS11CRYPTO @@ -297,8 +284,6 @@ dst_lib_destroy(void) { #endif /* defined(OPENSSL) || defined(PKCS11CRYPTO) */ if (dst__memory_pool != NULL) isc_mem_detach(&dst__memory_pool); - if (dst_entropy_pool != NULL) - isc_entropy_detach(&dst_entropy_pool); } isc_boolean_t @@ -1937,36 +1922,6 @@ addsuffix(char *filename, int len, const char *odirname, return (ISC_R_SUCCESS); } -isc_result_t -dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t pseudo) { - unsigned int flags = dst_entropy_flags; - - if (dst_entropy_pool == NULL) - return (ISC_R_FAILURE); - - if (len == 0) - return (ISC_R_SUCCESS); - -#ifdef PKCS11CRYPTO - UNUSED(pseudo); - UNUSED(flags); - return (pk11_rand_bytes(buf, len)); -#else /* PKCS11CRYPTO */ - if (pseudo) - flags &= ~ISC_ENTROPY_GOODONLY; - else - flags |= ISC_ENTROPY_BLOCKING; - /* get entropy directly from crypto provider */ - return (dst_random_getdata(buf, len, NULL, flags)); -#endif /* PKCS11CRYPTO */ -} - -unsigned int -dst__entropy_status(void) { - /* Doesn't matter as it is not used in this case. */ - return (0); -} - isc_buffer_t * dst_key_tkeytoken(const dst_key_t *key) { REQUIRE(VALID_KEY(key)); diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h index 886fa5660d..732865fdf3 100644 --- a/lib/dns/dst_internal.h +++ b/lib/dns/dst_internal.h @@ -284,17 +284,6 @@ void * dst__mem_alloc(size_t size); void dst__mem_free(void *ptr); void * dst__mem_realloc(void *ptr, size_t size); -/*% - * Entropy retriever using the DST entropy pool. - */ -isc_result_t dst__entropy_getdata(void *buf, unsigned int len, - isc_boolean_t pseudo); - -/* - * Entropy status hook. - */ -unsigned int dst__entropy_status(void); - ISC_LANG_ENDDECLS #endif /* DST_DST_INTERNAL_H */ diff --git a/lib/dns/gssapictx.c b/lib/dns/gssapictx.c index d31ef21f32..1c4eb5bc66 100644 --- a/lib/dns/gssapictx.c +++ b/lib/dns/gssapictx.c @@ -18,7 +18,6 @@ #include #include -#include #include #include #include diff --git a/lib/dns/hmac_link.c b/lib/dns/hmac_link.c index 59aa4705e5..0e817c4c4f 100644 --- a/lib/dns/hmac_link.c +++ b/lib/dns/hmac_link.c @@ -29,6 +29,7 @@ #include #include #include +#include #include #include #include @@ -143,12 +144,14 @@ hmacmd5_compare(const dst_key_t *key1, const dst_key_t *key2) { } static isc_result_t -hmacmd5_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int)) { +hmacmd5_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int)) +{ isc_buffer_t b; isc_result_t ret; unsigned int bytes; unsigned char data[ISC_MD5_BLOCK_LENGTH]; + UNUSED(pseudorandom_ok); UNUSED(callback); bytes = (key->key_size + 7) / 8; @@ -158,10 +161,7 @@ hmacmd5_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int)) { } memset(data, 0, ISC_MD5_BLOCK_LENGTH); - ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0)); - - if (ret != ISC_R_SUCCESS) - return (ret); + isc_random_buf(data, bytes); isc_buffer_init(&b, data, bytes); isc_buffer_add(&b, bytes); @@ -451,12 +451,14 @@ hmacsha1_compare(const dst_key_t *key1, const dst_key_t *key2) { } static isc_result_t -hmacsha1_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int)) { +hmacsha1_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int)) +{ isc_buffer_t b; isc_result_t ret; unsigned int bytes; unsigned char data[ISC_SHA1_BLOCK_LENGTH]; + UNUSED(pseudorandom_ok); UNUSED(callback); bytes = (key->key_size + 7) / 8; @@ -466,10 +468,7 @@ hmacsha1_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int)) { } memset(data, 0, ISC_SHA1_BLOCK_LENGTH); - ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0)); - - if (ret != ISC_R_SUCCESS) - return (ret); + isc_random_buf(data, bytes); isc_buffer_init(&b, data, bytes); isc_buffer_add(&b, bytes); @@ -742,14 +741,14 @@ hmacsha224_compare(const dst_key_t *key1, const dst_key_t *key2) { } static isc_result_t -hmacsha224_generate(dst_key_t *key, int pseudorandom_ok, - void (*callback)(int)) +hmacsha224_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int)) { isc_buffer_t b; isc_result_t ret; unsigned int bytes; unsigned char data[ISC_SHA224_BLOCK_LENGTH]; + UNUSED(pseudorandom_ok); UNUSED(callback); bytes = (key->key_size + 7) / 8; @@ -759,10 +758,7 @@ hmacsha224_generate(dst_key_t *key, int pseudorandom_ok, } memset(data, 0, ISC_SHA224_BLOCK_LENGTH); - ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0)); - - if (ret != ISC_R_SUCCESS) - return (ret); + isc_random_buf(data, bytes); isc_buffer_init(&b, data, bytes); isc_buffer_add(&b, bytes); @@ -1029,14 +1025,14 @@ hmacsha256_compare(const dst_key_t *key1, const dst_key_t *key2) { } static isc_result_t -hmacsha256_generate(dst_key_t *key, int pseudorandom_ok, - void (*callback)(int)) +hmacsha256_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int)) { isc_buffer_t b; isc_result_t ret; unsigned int bytes; unsigned char data[ISC_SHA256_BLOCK_LENGTH]; + UNUSED(pseudorandom_ok); UNUSED(callback); bytes = (key->key_size + 7) / 8; @@ -1046,10 +1042,7 @@ hmacsha256_generate(dst_key_t *key, int pseudorandom_ok, } memset(data, 0, ISC_SHA256_BLOCK_LENGTH); - ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0)); - - if (ret != ISC_R_SUCCESS) - return (ret); + isc_random_buf(data, bytes); isc_buffer_init(&b, data, bytes); isc_buffer_add(&b, bytes); @@ -1316,14 +1309,14 @@ hmacsha384_compare(const dst_key_t *key1, const dst_key_t *key2) { } static isc_result_t -hmacsha384_generate(dst_key_t *key, int pseudorandom_ok, - void (*callback)(int)) +hmacsha384_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int)) { isc_buffer_t b; isc_result_t ret; unsigned int bytes; unsigned char data[ISC_SHA384_BLOCK_LENGTH]; + UNUSED(pseudorandom_ok); UNUSED(callback); bytes = (key->key_size + 7) / 8; @@ -1333,10 +1326,7 @@ hmacsha384_generate(dst_key_t *key, int pseudorandom_ok, } memset(data, 0, ISC_SHA384_BLOCK_LENGTH); - ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0)); - - if (ret != ISC_R_SUCCESS) - return (ret); + isc_random_buf(data, bytes); isc_buffer_init(&b, data, bytes); isc_buffer_add(&b, bytes); @@ -1603,14 +1593,14 @@ hmacsha512_compare(const dst_key_t *key1, const dst_key_t *key2) { } static isc_result_t -hmacsha512_generate(dst_key_t *key, int pseudorandom_ok, - void (*callback)(int)) +hmacsha512_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int)) { isc_buffer_t b; isc_result_t ret; unsigned int bytes; unsigned char data[ISC_SHA512_BLOCK_LENGTH]; + UNUSED(pseudorandom_ok); UNUSED(callback); bytes = (key->key_size + 7) / 8; @@ -1620,10 +1610,7 @@ hmacsha512_generate(dst_key_t *key, int pseudorandom_ok, } memset(data, 0, ISC_SHA512_BLOCK_LENGTH); - ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0)); - - if (ret != ISC_R_SUCCESS) - return (ret); + isc_random_buf(data, bytes); isc_buffer_init(&b, data, bytes); isc_buffer_add(&b, bytes); diff --git a/lib/dns/include/dns/dispatch.h b/lib/dns/include/dns/dispatch.h index 44ade7e905..8bf32013ac 100644 --- a/lib/dns/include/dns/dispatch.h +++ b/lib/dns/include/dns/dispatch.h @@ -144,8 +144,7 @@ struct dns_dispatchset { #define DNS_DISPATCHOPT_FIXEDID 0x00000001U isc_result_t -dns_dispatchmgr_create(isc_mem_t *mctx, isc_entropy_t *entropy, - dns_dispatchmgr_t **mgrp); +dns_dispatchmgr_create(isc_mem_t *mctx, dns_dispatchmgr_t **mgrp); /*%< * Creates a new dispatchmgr object. * @@ -154,10 +153,6 @@ dns_dispatchmgr_create(isc_mem_t *mctx, isc_entropy_t *entropy, * *\li mgrp != NULL && *mgrp == NULL * - *\li "entropy" may be NULL, in which case an insecure random generator - * will be used. If it is non-NULL, it must be a valid entropy - * source. - * * Returns: *\li ISC_R_SUCCESS -- all ok * diff --git a/lib/dns/include/dns/tkey.h b/lib/dns/include/dns/tkey.h index a478334301..e7a48aa0ee 100644 --- a/lib/dns/include/dns/tkey.h +++ b/lib/dns/include/dns/tkey.h @@ -36,13 +36,11 @@ struct dns_tkeyctx { dns_name_t *domain; gss_cred_id_t gsscred; isc_mem_t *mctx; - isc_entropy_t *ectx; char *gssapi_keytab; }; isc_result_t -dns_tkeyctx_create(isc_mem_t *mctx, isc_entropy_t *ectx, - dns_tkeyctx_t **tctxp); +dns_tkeyctx_create(isc_mem_t *mctx, dns_tkeyctx_t **tctxp); /*%< * Create an empty TKEY context. * diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h index 9d1524821f..a503f1e4bc 100644 --- a/lib/dns/include/dst/dst.h +++ b/lib/dns/include/dst/dst.h @@ -129,14 +129,12 @@ typedef struct dst_context dst_context_t; *** Functions ***/ isc_result_t -dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, - const char *engine, unsigned int eflags); +dst_lib_init(isc_mem_t *mctx, const char *engine); /*%< * Initializes the DST subsystem. * * Requires: * \li "mctx" is a valid memory context - * \li "ectx" is a valid entropy context * * Returns: * \li ISC_R_SUCCESS @@ -153,23 +151,6 @@ dst_lib_destroy(void); * Releases all resources allocated by DST. */ -isc_result_t -dst_random_getdata(void *data, unsigned int length, - unsigned int *returned, unsigned int flags); -/*%< - * Gets random data from the random generator provided by the - * crypto library. - * - * See isc_entropy_getdata() for parameter usage. Normally when - * this function is available, it will be set up as a hook in the - * entropy context, so that isc_entropy_getdata() is a front-end to - * this function. - * - * Returns: - * \li ISC_R_SUCCESS on success - * \li DST_R_OPENSSLFAILURE, DST_R_CRYPTOFAILURE, or other codes on error - */ - isc_boolean_t dst_algorithm_supported(unsigned int alg); /*%< diff --git a/lib/dns/lib.c b/lib/dns/lib.c index 887851141f..6ec5a968b6 100644 --- a/lib/dns/lib.c +++ b/lib/dns/lib.c @@ -15,7 +15,6 @@ #include -#include #include #include #include @@ -76,7 +75,6 @@ static unsigned int references = 0; static void initialize(void) { isc_result_t result; - isc_entropy_t *ectx = NULL; REQUIRE(initialize_done == ISC_FALSE); @@ -87,28 +85,20 @@ initialize(void) { result = dns_ecdb_register(dns_g_mctx, &dbimp); if (result != ISC_R_SUCCESS) goto cleanup_mctx; - result = isc_entropy_create(dns_g_mctx, &ectx); + + result = dst_lib_init(dns_g_mctx, NULL); if (result != ISC_R_SUCCESS) goto cleanup_db; - result = dst_lib_init(dns_g_mctx, ectx, NULL, 0); - if (result != ISC_R_SUCCESS) - goto cleanup_ectx; - result = isc_mutex_init(&reflock); if (result != ISC_R_SUCCESS) goto cleanup_dst; - isc_entropy_detach(&ectx); - initialize_done = ISC_TRUE; return; cleanup_dst: dst_lib_destroy(); - cleanup_ectx: - if (ectx != NULL) - isc_entropy_detach(&ectx); cleanup_db: if (dbimp != NULL) dns_ecdb_unregister(&dbimp); diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c index 51fb743ccf..3be7b20353 100644 --- a/lib/dns/openssl_link.c +++ b/lib/dns/openssl_link.c @@ -27,7 +27,6 @@ #include -#include #include #include #include @@ -368,37 +367,5 @@ dst__openssl_getengine(const char *engine) { } #endif -isc_result_t -dst_random_getdata(void *data, unsigned int length, - unsigned int *returned, unsigned int flags) -{ -#ifndef DONT_REQUIRE_DST_LIB_INIT - INSIST(dst__memory_pool != NULL); -#endif - REQUIRE(data != NULL); - REQUIRE(length > 0); - -#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - if ((flags & ISC_ENTROPY_GOODONLY) == 0) { - if (RAND_pseudo_bytes((unsigned char *)data, (int)length) < 0) - return (dst__openssl_toresult2("RAND_pseudo_bytes", - DST_R_OPENSSLFAILURE)); - } else { - if (RAND_bytes((unsigned char *)data, (int)length) != 1) - return (dst__openssl_toresult2("RAND_bytes", - DST_R_OPENSSLFAILURE)); - } -#else - UNUSED(flags); - - if (RAND_bytes((unsigned char *)data, (int)length) != 1) - return (dst__openssl_toresult2("RAND_bytes", - DST_R_OPENSSLFAILURE)); -#endif - if (returned != NULL) - *returned = length; - return (ISC_R_SUCCESS); -} - #endif /* OPENSSL */ /*! \file */ diff --git a/lib/dns/openssldsa_link.c b/lib/dns/openssldsa_link.c index 355af0e6e0..94279fb58e 100644 --- a/lib/dns/openssldsa_link.c +++ b/lib/dns/openssldsa_link.c @@ -33,8 +33,8 @@ #include -#include #include +#include #include #include #include @@ -340,7 +340,6 @@ static isc_result_t openssldsa_generate(dst_key_t *key, int unused, void (*callback)(int)) { DSA *dsa; unsigned char rand_array[ISC_SHA1_DIGESTLENGTH]; - isc_result_t result; BN_GENCB *cb; #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) BN_GENCB _cb; @@ -352,10 +351,7 @@ openssldsa_generate(dst_key_t *key, int unused, void (*callback)(int)) { UNUSED(unused); - result = dst__entropy_getdata(rand_array, sizeof(rand_array), - ISC_FALSE); - if (result != ISC_R_SUCCESS) - return (result); + isc_random_buf(rand_array, sizeof(rand_array)); dsa = DSA_new(); if (dsa == NULL) diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c index 3b8ba82e25..53cc9d52e4 100644 --- a/lib/dns/opensslecdsa_link.c +++ b/lib/dns/opensslecdsa_link.c @@ -13,7 +13,6 @@ #if defined(OPENSSL) && defined(HAVE_OPENSSL_ECDSA) -#include #include #include #include diff --git a/lib/dns/openssleddsa_link.c b/lib/dns/openssleddsa_link.c index 3ba8bce424..3dd08afbc5 100644 --- a/lib/dns/openssleddsa_link.c +++ b/lib/dns/openssleddsa_link.c @@ -14,7 +14,6 @@ #if defined(OPENSSL) && \ (defined(HAVE_OPENSSL_ED25519) || defined(HAVE_OPENSSL_ED448)) -#include #include #include #include diff --git a/lib/dns/opensslgost_link.c b/lib/dns/opensslgost_link.c index f9545117d5..46a660bfdd 100644 --- a/lib/dns/opensslgost_link.c +++ b/lib/dns/opensslgost_link.c @@ -13,7 +13,6 @@ #if defined(OPENSSL) && defined(HAVE_OPENSSL_GOST) -#include #include #include #include diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c index aa8075c1de..37d0362f61 100644 --- a/lib/dns/opensslrsa_link.c +++ b/lib/dns/opensslrsa_link.c @@ -12,7 +12,6 @@ #ifdef OPENSSL #include -#include #include #include #include diff --git a/lib/dns/pkcs11.c b/lib/dns/pkcs11.c index 67c7e4eb1d..714175356f 100644 --- a/lib/dns/pkcs11.c +++ b/lib/dns/pkcs11.c @@ -37,23 +37,5 @@ dst__pkcs11_toresult(const char *funcname, const char *file, int line, return (fallback); } -isc_result_t -dst_random_getdata(void *data, unsigned int length, - unsigned int *returned, unsigned int flags) { - isc_result_t ret; - -#ifndef DONT_REQUIRE_DST_LIB_INIT - INSIST(dst__memory_pool != NULL); -#endif - REQUIRE(data != NULL); - REQUIRE(length > 0); - UNUSED(flags); - - ret = pk11_rand_bytes(data, (int) length); - if ((ret == ISC_R_SUCCESS) && (returned != NULL)) - *returned = length; - return (ret); -} - #endif /* PKCS11CRYPTO */ /*! \file */ diff --git a/lib/dns/pkcs11dsa_link.c b/lib/dns/pkcs11dsa_link.c index 8d0fc62b8b..13a96567de 100644 --- a/lib/dns/pkcs11dsa_link.c +++ b/lib/dns/pkcs11dsa_link.c @@ -19,7 +19,6 @@ #include -#include #include #include #include diff --git a/lib/dns/pkcs11ecdsa_link.c b/lib/dns/pkcs11ecdsa_link.c index 8f3ee4c4d6..308d9d3c9d 100644 --- a/lib/dns/pkcs11ecdsa_link.c +++ b/lib/dns/pkcs11ecdsa_link.c @@ -13,7 +13,6 @@ #if defined(PKCS11CRYPTO) && defined(HAVE_PKCS11_ECDSA) -#include #include #include #include diff --git a/lib/dns/pkcs11eddsa_link.c b/lib/dns/pkcs11eddsa_link.c index ac7f2bb0d5..6644338e5d 100644 --- a/lib/dns/pkcs11eddsa_link.c +++ b/lib/dns/pkcs11eddsa_link.c @@ -14,7 +14,6 @@ #if defined(PKCS11CRYPTO) && \ defined(HAVE_PKCS11_ED25519) || defined(HAVE_PKCS11_ED448) -#include #include #include #include diff --git a/lib/dns/pkcs11gost_link.c b/lib/dns/pkcs11gost_link.c index 55121cf936..7a2f1397a4 100644 --- a/lib/dns/pkcs11gost_link.c +++ b/lib/dns/pkcs11gost_link.c @@ -13,7 +13,6 @@ #if defined(PKCS11CRYPTO) && defined(HAVE_PKCS11_GOST) -#include #include #include #include diff --git a/lib/dns/pkcs11rsa_link.c b/lib/dns/pkcs11rsa_link.c index 2f8a7f3baf..163517df26 100644 --- a/lib/dns/pkcs11rsa_link.c +++ b/lib/dns/pkcs11rsa_link.c @@ -14,7 +14,6 @@ #include -#include #include #include #include diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c index a073d8ce5a..64bd7a93bf 100644 --- a/lib/dns/rbtdb.c +++ b/lib/dns/rbtdb.c @@ -5417,9 +5417,8 @@ expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) { isc_stdtime_get(&now); if (isc_mem_isovermem(rbtdb->common.mctx)) { - isc_uint32_t val; + isc_uint32_t val = isc_random(); - isc_random_get(&val); /* * XXXDCL Could stand to have a better policy, like LRU. */ diff --git a/lib/dns/rdataset.c b/lib/dns/rdataset.c index 23e88710f2..21bcff658f 100644 --- a/lib/dns/rdataset.c +++ b/lib/dns/rdataset.c @@ -410,9 +410,8 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name, * 'Random' order. */ for (i = 0; i < count; i++) { - isc_uint32_t val; + isc_uint32_t val = isc_random(); - isc_random_get(&val); choice = i + (val % (count - i)); rdata = in[i]; in[i] = in[choice]; @@ -432,8 +431,9 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name, unsigned int j; val = rdataset->count; - if (val == ISC_UINT32_MAX) - isc_random_get(&val); + if (val == ISC_UINT32_MAX) { + val = isc_random(); + } j = val % count; for (i = 0; i < count; i++) { if (order != NULL) diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index f31f208a87..f9fddc962f 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -1182,7 +1182,7 @@ fctx_cancelquery(resquery_t **queryp, dns_dispatchevent_t **deventp, * slow. We don't know. Increase the RTT. */ INSIST(no_response); - isc_random_get(&value); + value = isc_random(); if (query->addrinfo->srtt > 800000) mask = 0x3fff; else if (query->addrinfo->srtt > 400000) diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c index ce3e42d650..79aa5e60d4 100644 --- a/lib/dns/spnego.c +++ b/lib/dns/spnego.c @@ -134,7 +134,6 @@ #include #include -#include #include #include #include diff --git a/lib/dns/tests/Kyuafile b/lib/dns/tests/Kyuafile index cb2324d5ce..0353a73990 100644 --- a/lib/dns/tests/Kyuafile +++ b/lib/dns/tests/Kyuafile @@ -10,7 +10,6 @@ atf_test_program{name='dh_test'} atf_test_program{name='dispatch_test'} atf_test_program{name='dnstap_test'} atf_test_program{name='dst_test'} -atf_test_program{name='dstrandom_test'} atf_test_program{name='geoip_test'} atf_test_program{name='gost_test'} atf_test_program{name='keytable_test'} diff --git a/lib/dns/tests/Makefile.in b/lib/dns/tests/Makefile.in index 75a8c3f8b6..becfd1800c 100644 --- a/lib/dns/tests/Makefile.in +++ b/lib/dns/tests/Makefile.in @@ -40,7 +40,6 @@ SRCS = acl_test.c \ dnstap_test.c \ dst_test.c \ dnstest.c \ - dstrandom_test.c \ geoip_test.c \ gost_test.c \ keytable_test.c \ @@ -73,7 +72,6 @@ TARGETS = acl_test@EXEEXT@ \ dispatch_test@EXEEXT@ \ dnstap_test@EXEEXT@ \ dst_test@EXEEXT@ \ - dstrandom_test@EXEEXT@ \ geoip_test@EXEEXT@ \ gost_test@EXEEXT@ \ keytable_test@EXEEXT@ \ @@ -258,11 +256,6 @@ zt_test@EXEEXT@: zt_test.@O@ dnstest.@O@ \ zt_test.@O@ dnstest.@O@ ${DNSLIBS} \ ${ISCLIBS} ${LIBS} -dstrandom_test@EXEEXT@: dstrandom_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} - ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ - dstrandom_test.@O@ ${DNSLIBS} \ - ${ISCLIBS} ${ISCPK11LIBS} ${LIBS} - unit:: sh ${top_builddir}/unit/unittest.sh diff --git a/lib/dns/tests/dispatch_test.c b/lib/dns/tests/dispatch_test.c index 815241d2d6..7abb809baa 100644 --- a/lib/dns/tests/dispatch_test.c +++ b/lib/dns/tests/dispatch_test.c @@ -39,7 +39,7 @@ make_dispatchset(unsigned int ndisps) { unsigned int attrs; dns_dispatch_t *disp = NULL; - result = dns_dispatchmgr_create(mctx, NULL, &dispatchmgr); + result = dns_dispatchmgr_create(mctx, &dispatchmgr); if (result != ISC_R_SUCCESS) return (result); @@ -262,7 +262,7 @@ ATF_TC_BODY(dispatch_getnext, tc) { result = isc_task_create(taskmgr, 0, &task); ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); - result = dns_dispatchmgr_create(mctx, NULL, &dispatchmgr); + result = dns_dispatchmgr_create(mctx, &dispatchmgr); ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); ina.s_addr = htonl(INADDR_LOOPBACK); diff --git a/lib/dns/tests/dnstest.c b/lib/dns/tests/dnstest.c index acec5ec753..4e8693a72d 100644 --- a/lib/dns/tests/dnstest.c +++ b/lib/dns/tests/dnstest.c @@ -21,7 +21,6 @@ #include #include -#include #include #include #include @@ -47,7 +46,6 @@ #include "dnstest.h" isc_mem_t *mctx = NULL; -isc_entropy_t *ectx = NULL; isc_log_t *lctx = NULL; isc_taskmgr_t *taskmgr = NULL; isc_task_t *maintask = NULL; @@ -118,9 +116,8 @@ dns_test_begin(FILE *logfile, isc_boolean_t start_managers) { if (debug_mem_record) isc_mem_debugging |= ISC_MEM_DEBUGRECORD; CHECK(isc_mem_create(0, 0, &mctx)); - CHECK(isc_entropy_create(mctx, &ectx)); - CHECK(dst_lib_init(mctx, ectx, NULL, ISC_ENTROPY_BLOCKING)); + CHECK(dst_lib_init(mctx, NULL)); dst_active = ISC_TRUE; if (logfile != NULL) { @@ -170,8 +167,6 @@ dns_test_end(void) { dst_lib_destroy(); dst_active = ISC_FALSE; } - if (ectx != NULL) - isc_entropy_detach(&ectx); cleanup_managers(); diff --git a/lib/dns/tests/dnstest.h b/lib/dns/tests/dnstest.h index 8487c4f0d4..e190963537 100644 --- a/lib/dns/tests/dnstest.h +++ b/lib/dns/tests/dnstest.h @@ -14,7 +14,6 @@ #include #include -#include #include #include #include @@ -45,7 +44,6 @@ typedef struct { #define ZONECHANGE_SENTINEL { 0, NULL, 0, NULL, NULL } extern isc_mem_t *mctx; -extern isc_entropy_t *ectx; extern isc_log_t *lctx; extern isc_taskmgr_t *taskmgr; extern isc_task_t *maintask; diff --git a/lib/dns/tests/dstrandom_test.c b/lib/dns/tests/dstrandom_test.c deleted file mode 100644 index b9e590488d..0000000000 --- a/lib/dns/tests/dstrandom_test.c +++ /dev/null @@ -1,97 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -/*! \file */ - -#include - -#include - -#include -#include -#include - -#include -#include -#include -#include - -#include - -isc_mem_t *mctx = NULL; -isc_entropy_t *ectx = NULL; -unsigned char buffer[128]; - -ATF_TC(isc_entropy_getdata); -ATF_TC_HEAD(isc_entropy_getdata, tc) { - atf_tc_set_md_var(tc, "descr", - "isc_entropy_getdata() examples"); - atf_tc_set_md_var(tc, "X-randomfile", - "testdata/dstrandom/random.data"); -} -ATF_TC_BODY(isc_entropy_getdata, tc) { - isc_result_t result; - unsigned int returned, status; - int ret; - const char *randomfile = atf_tc_get_md_var(tc, "X-randomfile"); - - isc_mem_debugging |= ISC_MEM_DEBUGRECORD; - result = isc_mem_create(0, 0, &mctx); - ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); - result = isc_entropy_create(mctx, &ectx); - ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); - result = dst_lib_init(mctx, ectx, NULL, 0); - ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); - - isc_entropy_usehook(ectx, ISC_TRUE); - - returned = 0; - result = isc_entropy_getdata(ectx, buffer, sizeof(buffer), - &returned, 0); - ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); - ATF_REQUIRE(returned == sizeof(buffer)); - - status = isc_entropy_status(ectx); - ATF_REQUIRE_EQ(status, 0); - - isc_entropy_usehook(ectx, ISC_FALSE); - - ret = chdir(TESTS); - ATF_REQUIRE_EQ(ret, 0); - - result = isc_entropy_createfilesource(ectx, randomfile); - ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); - - returned = 0; - result = isc_entropy_getdata(ectx, buffer, sizeof(buffer), - &returned, 0); - ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); - ATF_REQUIRE(returned == sizeof(buffer)); - - status = isc_entropy_status(ectx); - ATF_REQUIRE(status > 0); - - dst_lib_destroy(); - isc_entropy_detach(&ectx); - ATF_REQUIRE(ectx == NULL); - isc_mem_destroy(&mctx); - ATF_REQUIRE(mctx == NULL); -} - -/* - * Main - */ -ATF_TP_ADD_TCS(tp) { - ATF_TP_ADD_TC(tp, isc_entropy_getdata); - - return (atf_no_error()); -} - diff --git a/lib/dns/tests/rbt_serialize_test.c b/lib/dns/tests/rbt_serialize_test.c index 11923f8639..f52efaa286 100644 --- a/lib/dns/tests/rbt_serialize_test.c +++ b/lib/dns/tests/rbt_serialize_test.c @@ -34,7 +34,6 @@ #include #include -#include #include #include #include @@ -354,7 +353,6 @@ ATF_TC_BODY(deserialize_corrupt, tc) { int fd; off_t filesize = 0; char *base, *p, *q; - isc_uint32_t r; int i; UNUSED(tc); @@ -389,14 +387,11 @@ ATF_TC_BODY(deserialize_corrupt, tc) { close(fd); /* Randomly fuzz a portion of the memory */ - isc_random_get(&r); - p = base + (r % filesize); + p = base + (isc_random() % filesize); q = base + filesize; - isc_random_get(&r); - q -= (r % (q - p)); + q -= (isc_random() % (q - p)); while (p++ < q) { - isc_random_get(&r); - *p = r & 0xff; + *p = isc_random() & 0xff; } result = dns_rbt_deserialize_tree(base, filesize, 0, mctx, diff --git a/lib/dns/tests/rbt_test.c b/lib/dns/tests/rbt_test.c index cfcf8f9614..a957db2ea4 100644 --- a/lib/dns/tests/rbt_test.c +++ b/lib/dns/tests/rbt_test.c @@ -32,7 +32,6 @@ #include #include -#include #include #include #include @@ -369,8 +368,7 @@ ATF_TC_BODY(rbt_check_distance_random, tc) { dns_name_t *name; for (j = 0; j < 32; j++) { - isc_uint32_t v; - isc_random_get(&v); + isc_uint32_t v = isc_random(); namebuf[j] = 'a' + (v % 26); } namebuf[32] = '.'; @@ -896,8 +894,7 @@ insert_nodes(dns_rbt_t *mytree, char **names, isc_result_t result; for (j = 0; j < 32; j++) { - isc_uint32_t v; - isc_random_get(&v); + isc_uint32_t v = isc_random(); namebuf[j] = 'a' + (v % 26); } namebuf[32] = '.'; @@ -933,9 +930,7 @@ remove_nodes(dns_rbt_t *mytree, char **names, dns_name_t *name; isc_result_t result; - isc_random_get(&node); - - node %= *names_count; + node = isc_random_uniform(*names_count); dns_test_namefromstring(names[node], &fname); name = dns_fixedname_name(&fname); @@ -1023,8 +1018,8 @@ ATF_TC_BODY(rbt_insert_and_remove, tc) { /* Repeat the insert/remove test some 4096 times */ for (i = 0; i < 4096; i++) { isc_uint32_t num_names; - isc_random_get(&num_names); + num_names = isc_random(); if (names_count < 1024) { num_names %= 1024 - names_count; num_names++; @@ -1035,7 +1030,7 @@ ATF_TC_BODY(rbt_insert_and_remove, tc) { insert_nodes(mytree, names, &names_count, num_names); check_tree(mytree, names, names_count, __LINE__); - isc_random_get(&num_names); + num_names = isc_random(); if (names_count > 0) { num_names %= names_count; num_names++; diff --git a/lib/dns/tests/resolver_test.c b/lib/dns/tests/resolver_test.c index 1bb34f24a1..6385b04665 100644 --- a/lib/dns/tests/resolver_test.c +++ b/lib/dns/tests/resolver_test.c @@ -43,7 +43,7 @@ setup(void) { result = dns_test_begin(NULL, ISC_TRUE); ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); - result = dns_dispatchmgr_create(mctx, NULL, &dispatchmgr); + result = dns_dispatchmgr_create(mctx, &dispatchmgr); ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); result = dns_test_makeview("view", &view); diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c index 3b553287c5..61b59c9142 100644 --- a/lib/dns/tkey.c +++ b/lib/dns/tkey.c @@ -13,10 +13,10 @@ #include #include -#include #include #include #include +#include #include #include @@ -103,12 +103,11 @@ dumpmessage(dns_message_t *msg) { } isc_result_t -dns_tkeyctx_create(isc_mem_t *mctx, isc_entropy_t *ectx, dns_tkeyctx_t **tctxp) +dns_tkeyctx_create(isc_mem_t *mctx, dns_tkeyctx_t **tctxp) { dns_tkeyctx_t *tctx; REQUIRE(mctx != NULL); - REQUIRE(ectx != NULL); REQUIRE(tctxp != NULL && *tctxp == NULL); tctx = isc_mem_get(mctx, sizeof(dns_tkeyctx_t)); @@ -116,8 +115,6 @@ dns_tkeyctx_create(isc_mem_t *mctx, isc_entropy_t *ectx, dns_tkeyctx_t **tctxp) return (ISC_R_NOMEMORY); tctx->mctx = NULL; isc_mem_attach(mctx, &tctx->mctx); - tctx->ectx = NULL; - isc_entropy_attach(ectx, &tctx->ectx); tctx->dhkey = NULL; tctx->domain = NULL; tctx->gsscred = NULL; @@ -149,7 +146,6 @@ dns_tkeyctx_destroy(dns_tkeyctx_t **tctxp) { } if (tctx->gsscred != NULL) dst_gssapi_releasecred(&tctx->gsscred); - isc_entropy_detach(&tctx->ectx); isc_mem_put(mctx, tctx, sizeof(dns_tkeyctx_t)); isc_mem_detach(&mctx); *tctxp = NULL; @@ -415,13 +411,7 @@ process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name, if (randomdata == NULL) goto failure; - result = dst__entropy_getdata(randomdata, TKEY_RANDOM_AMOUNT, - ISC_FALSE); - if (result != ISC_R_SUCCESS) { - tkey_log("process_dhtkey: failed to obtain entropy: %s", - isc_result_totext(result)); - goto failure; - } + isc_random_buf(randomdata, TKEY_RANDOM_AMOUNT); r.base = randomdata; r.length = TKEY_RANDOM_AMOUNT; @@ -776,12 +766,7 @@ dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx, isc_buffer_t b; unsigned int i, j; - result = isc_entropy_getdata(tctx->ectx, - randomdata, - sizeof(randomdata), - NULL, 0); - if (result != ISC_R_SUCCESS) - goto failure; + isc_random_buf(randomdata, sizeof(randomdata)); for (i = 0, j = 0; i < sizeof(randomdata); i++) { unsigned char val = randomdata[i]; diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in index 6c7fa84146..3f9e1f26f8 100644 --- a/lib/dns/win32/libdns.def.in +++ b/lib/dns/win32/libdns.def.in @@ -1421,13 +1421,6 @@ dst_key_unsettime dst_lib_destroy dst_lib_init dst_lib_initmsgcat -@IF PKCS11 -dst_random_getdata -@ELSE PKCS11 -@IF OPENSSL -dst_random_getdata -@END OPENSSL -@END PKCS11 dst_region_computeid dst_region_computerid dst_result_register diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c index 986d6234d0..960212bf01 100644 --- a/lib/dns/xfrin.c +++ b/lib/dns/xfrin.c @@ -781,7 +781,6 @@ xfrin_create(isc_mem_t *mctx, { dns_xfrin_ctx_t *xfr = NULL; isc_result_t result; - isc_uint32_t tmp; xfr = isc_mem_get(mctx, sizeof(*xfr)); if (xfr == NULL) @@ -805,9 +804,8 @@ xfrin_create(isc_mem_t *mctx, dns_name_init(&xfr->name, NULL); xfr->rdclass = rdclass; - isc_random_get(&tmp); xfr->checkid = ISC_TRUE; - xfr->id = (isc_uint16_t)(tmp & 0xffff); + xfr->id = (isc_uint16_t)(isc_random() & 0xffff); xfr->reqtype = reqtype; xfr->dscp = dscp; diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 9274cd1d28..158e6f83c0 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -823,7 +823,7 @@ static const char *dbargv_default[] = { "rbt" }; do { \ isc_interval_t _i; \ isc_uint32_t _j; \ - _j = isc_random_jitter((b), (b)/4); \ + _j = (b) - isc_random_uniform((b)/4); \ isc_interval_set(&_i, _j, 0); \ if (isc_time_add((a), &_i, (c)) != ISC_R_SUCCESS) { \ dns_zone_log(zone, ISC_LOG_WARNING, \ @@ -3576,7 +3576,7 @@ set_resigntime(dns_zone_t *zone) { resign = rdataset.resign - zone->sigresigninginterval; dns_rdataset_disassociate(&rdataset); - isc_random_get(&nanosecs); + nanosecs = isc_random(); nanosecs %= 1000000000; isc_time_set(&zone->resigntime, resign, nanosecs); cleanup: @@ -4699,8 +4699,7 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime, DNS_ZONE_TIME_ADD(&now, zone->retry, &zone->expiretime); - delay = isc_random_jitter(zone->retry, - (zone->retry * 3) / 4); + delay = zone->retry - isc_random_uniform((zone->retry * 3) / 4); DNS_ZONE_TIME_ADD(&now, delay, &zone->refreshtime); if (isc_time_compare(&zone->refreshtime, &zone->expiretime) >= 0) @@ -6413,7 +6412,6 @@ zone_resigninc(dns_zone_t *zone) { isc_boolean_t check_ksk, keyset_kskonly = ISC_FALSE; isc_result_t result; isc_stdtime_t now, inception, soaexpire, expire, stop; - isc_uint32_t jitter; unsigned int i; unsigned int nkeys = 0; unsigned int resign; @@ -6465,8 +6463,7 @@ zone_resigninc(dns_zone_t *zone) { * clumped. We don't do this for each add_sigs() call as * we still want some clustering to occur. */ - isc_random_get(&jitter); - expire = soaexpire - jitter % 3600 - 1; + expire = soaexpire - isc_random_uniform(3600) - 1; stop = now + 5; check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK); @@ -7409,7 +7406,6 @@ zone_nsec3chain(dns_zone_t *zone) { isc_boolean_t first; isc_result_t result; isc_stdtime_t now, inception, soaexpire, expire; - isc_uint32_t jitter; unsigned int i; unsigned int nkeys = 0; isc_uint32_t nodes; @@ -7486,8 +7482,7 @@ zone_nsec3chain(dns_zone_t *zone) { * clumped. We don't do this for each add_sigs() call as * we still want some clustering to occur. */ - isc_random_get(&jitter); - expire = soaexpire - jitter % 3600; + expire = soaexpire - isc_random_uniform(3600); check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK); keyset_kskonly = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_DNSKEYKSKONLY); @@ -8311,7 +8306,6 @@ zone_sign(dns_zone_t *zone) { isc_boolean_t first; isc_result_t result; isc_stdtime_t now, inception, soaexpire, expire; - isc_uint32_t jitter; unsigned int i, j; unsigned int nkeys = 0; isc_uint32_t nodes; @@ -8370,8 +8364,7 @@ zone_sign(dns_zone_t *zone) { * clumped. We don't do this for each add_sigs() call as * we still want some clustering to occur. */ - isc_random_get(&jitter); - expire = soaexpire - jitter % 3600; + expire = soaexpire - isc_random_uniform(3600); /* * We keep pulling nodes off each iterator in turn until @@ -10132,7 +10125,7 @@ dns_zone_refresh(dns_zone_t *zone) { * Setting this to the retry time will do that. XXXMLG * If we are successful it will be reset using zone->refresh. */ - isc_interval_set(&i, isc_random_jitter(zone->retry, zone->retry / 4), + isc_interval_set(&i, zone->retry - isc_random_uniform(zone->retry / 4), 0); result = isc_time_nowplusinterval(&zone->refreshtime, &i); if (result != ISC_R_SUCCESS) diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in index 30deb48716..33d871f0e4 100644 --- a/lib/isc/Makefile.in +++ b/lib/isc/Makefile.in @@ -29,7 +29,7 @@ CWARNINGS = # Alphabetically UNIXOBJS = @ISC_ISCIPV6_O@ @ISC_ISCPK11_API_O@ \ - unix/app.@O@ unix/dir.@O@ unix/entropy.@O@ unix/errno.@O@ \ + unix/app.@O@ unix/dir.@O@ unix/errno.@O@ \ unix/errno2result.@O@ unix/file.@O@ unix/fsaccess.@O@ \ unix/interfaceiter.@O@ unix/keyboard.@O@ unix/meminfo.@O@ \ unix/net.@O@ unix/os.@O@ unix/resource.@O@ unix/socket.@O@ \ @@ -66,8 +66,6 @@ OBJS = @ISC_EXTRA_OBJS@ @ISC_PK11_O@ @ISC_PK11_RESULT_O@ \ ${UNIXOBJS} ${NLSOBJS} ${THREADOBJS} SYMTBLOBJS = backtrace-emptytbl.@O@ -CHACHASRCS = chacha_private.h - # Alphabetically SRCS = @ISC_EXTRA_SRCS@ @ISC_PK11_C@ @ISC_PK11_RESULT_C@ \ aes.c assertions.c backtrace.c base32.c base64.c bind9.c \ @@ -77,7 +75,7 @@ SRCS = @ISC_EXTRA_SRCS@ @ISC_PK11_C@ @ISC_PK11_RESULT_C@ \ lex.c lfsr.c lib.c log.c \ md5.c mem.c mutexblock.c \ netaddr.c netscope.c pool.c \ - parseint.c portset.c quota.c radix.c random.c ${CHACHASRCS} \ + parseint.c portset.c quota.c radix.c random.c \ ratelimiter.c refcount.c region.c regex.c result.c rwlock.c \ safe.c serial.c sha1.c sha2.c sockaddr.c stats.c string.c \ strtoul.c symtab.c task.c taskpool.c timer.c \ diff --git a/lib/isc/chacha_private.h b/lib/isc/chacha_private.h deleted file mode 100644 index a6653c6a42..0000000000 --- a/lib/isc/chacha_private.h +++ /dev/null @@ -1,229 +0,0 @@ -/* - * Taken from OpenBSD CVS src/lib/libc/crypt/chacha_private.h on - * May 12, 2014. - */ - -/* -chacha-merged.c version 20080118 -D. J. Bernstein -Public domain. -*/ - -typedef unsigned char u8; -typedef unsigned int u32; - -typedef struct -{ - u32 input[16]; /* could be compressed */ -} chacha_ctx; - -#define U8C(v) (v##U) -#define U32C(v) (v##U) - -#define U8V(v) ((u8)(v) & U8C(0xFF)) -#define U32V(v) ((u32)(v) & U32C(0xFFFFFFFF)) - -#define ROTL32(v, n) \ - (U32V((v) << (n)) | ((v) >> (32 - (n)))) - -#define U8TO32_LITTLE(p) \ - (((u32)((p)[0]) ) | \ - ((u32)((p)[1]) << 8) | \ - ((u32)((p)[2]) << 16) | \ - ((u32)((p)[3]) << 24)) - -#define U32TO8_LITTLE(p, v) \ - do { \ - (p)[0] = U8V((v) ); \ - (p)[1] = U8V((v) >> 8); \ - (p)[2] = U8V((v) >> 16); \ - (p)[3] = U8V((v) >> 24); \ - } while (0) - -#define ROTATE(v,c) (ROTL32(v,c)) -#define XOR(v,w) ((v) ^ (w)) -#define PLUS(v,w) (U32V((v) + (w))) -#define PLUSONE(v) (PLUS((v),1)) - -#define QUARTERROUND(a,b,c,d) \ - a = PLUS(a,b); d = ROTATE(XOR(d,a),16); \ - c = PLUS(c,d); b = ROTATE(XOR(b,c),12); \ - a = PLUS(a,b); d = ROTATE(XOR(d,a), 8); \ - c = PLUS(c,d); b = ROTATE(XOR(b,c), 7); - -static const char sigma[16] = { 'e', 'x', 'p', 'a', 'n', 'd', ' ', '3', - '2', '-', 'b', 'y', 't', 'e', ' ', 'k' }; -static const char tau[16] = { 'e', 'x', 'p', 'a', 'n', 'd', ' ', '1', - '6', '-', 'b', 'y', 't', 'e', ' ', 'k' }; - -static void -chacha_keysetup(chacha_ctx *x,const u8 *k,u32 kbits,u32 ivbits) -{ - const char *constants; - - UNUSED(ivbits); - - x->input[4] = U8TO32_LITTLE(k + 0); - x->input[5] = U8TO32_LITTLE(k + 4); - x->input[6] = U8TO32_LITTLE(k + 8); - x->input[7] = U8TO32_LITTLE(k + 12); - if (kbits == 256) { /* recommended */ - k += 16; - constants = sigma; - } else { /* kbits == 128 */ - constants = tau; - } - x->input[8] = U8TO32_LITTLE(k + 0); - x->input[9] = U8TO32_LITTLE(k + 4); - x->input[10] = U8TO32_LITTLE(k + 8); - x->input[11] = U8TO32_LITTLE(k + 12); - x->input[0] = U8TO32_LITTLE(constants + 0); - x->input[1] = U8TO32_LITTLE(constants + 4); - x->input[2] = U8TO32_LITTLE(constants + 8); - x->input[3] = U8TO32_LITTLE(constants + 12); -} - -static void -chacha_ivsetup(chacha_ctx *x,const u8 *iv) -{ - x->input[12] = 0; - x->input[13] = 0; - x->input[14] = U8TO32_LITTLE(iv + 0); - x->input[15] = U8TO32_LITTLE(iv + 4); -} - -static void -chacha_encrypt_bytes(chacha_ctx *x,const u8 *m,u8 *c,u32 bytes) -{ - u32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15; - u32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15; - u8 *ctarget = NULL; - u8 tmp[64]; - u_int i; - - if (!bytes) return; - - j0 = x->input[0]; - j1 = x->input[1]; - j2 = x->input[2]; - j3 = x->input[3]; - j4 = x->input[4]; - j5 = x->input[5]; - j6 = x->input[6]; - j7 = x->input[7]; - j8 = x->input[8]; - j9 = x->input[9]; - j10 = x->input[10]; - j11 = x->input[11]; - j12 = x->input[12]; - j13 = x->input[13]; - j14 = x->input[14]; - j15 = x->input[15]; - - for (;;) { - if (bytes < 64) { - for (i = 0;i < bytes;++i) tmp[i] = m[i]; - m = tmp; - ctarget = c; - c = tmp; - } - x0 = j0; - x1 = j1; - x2 = j2; - x3 = j3; - x4 = j4; - x5 = j5; - x6 = j6; - x7 = j7; - x8 = j8; - x9 = j9; - x10 = j10; - x11 = j11; - x12 = j12; - x13 = j13; - x14 = j14; - x15 = j15; - for (i = 20;i > 0;i -= 2) { - QUARTERROUND( x0, x4, x8,x12) - QUARTERROUND( x1, x5, x9,x13) - QUARTERROUND( x2, x6,x10,x14) - QUARTERROUND( x3, x7,x11,x15) - QUARTERROUND( x0, x5,x10,x15) - QUARTERROUND( x1, x6,x11,x12) - QUARTERROUND( x2, x7, x8,x13) - QUARTERROUND( x3, x4, x9,x14) - } - x0 = PLUS(x0,j0); - x1 = PLUS(x1,j1); - x2 = PLUS(x2,j2); - x3 = PLUS(x3,j3); - x4 = PLUS(x4,j4); - x5 = PLUS(x5,j5); - x6 = PLUS(x6,j6); - x7 = PLUS(x7,j7); - x8 = PLUS(x8,j8); - x9 = PLUS(x9,j9); - x10 = PLUS(x10,j10); - x11 = PLUS(x11,j11); - x12 = PLUS(x12,j12); - x13 = PLUS(x13,j13); - x14 = PLUS(x14,j14); - x15 = PLUS(x15,j15); - -#ifndef KEYSTREAM_ONLY - x0 = XOR(x0,U8TO32_LITTLE(m + 0)); - x1 = XOR(x1,U8TO32_LITTLE(m + 4)); - x2 = XOR(x2,U8TO32_LITTLE(m + 8)); - x3 = XOR(x3,U8TO32_LITTLE(m + 12)); - x4 = XOR(x4,U8TO32_LITTLE(m + 16)); - x5 = XOR(x5,U8TO32_LITTLE(m + 20)); - x6 = XOR(x6,U8TO32_LITTLE(m + 24)); - x7 = XOR(x7,U8TO32_LITTLE(m + 28)); - x8 = XOR(x8,U8TO32_LITTLE(m + 32)); - x9 = XOR(x9,U8TO32_LITTLE(m + 36)); - x10 = XOR(x10,U8TO32_LITTLE(m + 40)); - x11 = XOR(x11,U8TO32_LITTLE(m + 44)); - x12 = XOR(x12,U8TO32_LITTLE(m + 48)); - x13 = XOR(x13,U8TO32_LITTLE(m + 52)); - x14 = XOR(x14,U8TO32_LITTLE(m + 56)); - x15 = XOR(x15,U8TO32_LITTLE(m + 60)); -#endif - - j12 = PLUSONE(j12); - if (!j12) { - j13 = PLUSONE(j13); - /* stopping at 2^70 bytes per nonce is user's responsibility */ - } - - U32TO8_LITTLE(c + 0,x0); - U32TO8_LITTLE(c + 4,x1); - U32TO8_LITTLE(c + 8,x2); - U32TO8_LITTLE(c + 12,x3); - U32TO8_LITTLE(c + 16,x4); - U32TO8_LITTLE(c + 20,x5); - U32TO8_LITTLE(c + 24,x6); - U32TO8_LITTLE(c + 28,x7); - U32TO8_LITTLE(c + 32,x8); - U32TO8_LITTLE(c + 36,x9); - U32TO8_LITTLE(c + 40,x10); - U32TO8_LITTLE(c + 44,x11); - U32TO8_LITTLE(c + 48,x12); - U32TO8_LITTLE(c + 52,x13); - U32TO8_LITTLE(c + 56,x14); - U32TO8_LITTLE(c + 60,x15); - - if (bytes <= 64) { - if (bytes < 64) { - for (i = 0;i < bytes;++i) ctarget[i] = c[i]; - } - x->input[12] = j12; - x->input[13] = j13; - return; - } - bytes -= 64; - c += 64; -#ifndef KEYSTREAM_ONLY - m += 64; -#endif - } -} diff --git a/lib/isc/entropy.c b/lib/isc/entropy.c deleted file mode 100644 index a85650bdce..0000000000 --- a/lib/isc/entropy.c +++ /dev/null @@ -1,1312 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - - -/*! \file - * \brief - * This is the system independent part of the entropy module. It is - * compiled via inclusion from the relevant OS source file, ie, - * \link unix/entropy.c unix/entropy.c \endlink or win32/entropy.c. - * - * \author Much of this code is modeled after the NetBSD /dev/random implementation, - * written by Michael Graff . - */ - -#include -#include -#include - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#ifdef PKCS11CRYPTO -#include -#endif - -#define ENTROPY_MAGIC ISC_MAGIC('E', 'n', 't', 'e') -#define SOURCE_MAGIC ISC_MAGIC('E', 'n', 't', 's') - -#define VALID_ENTROPY(e) ISC_MAGIC_VALID(e, ENTROPY_MAGIC) -#define VALID_SOURCE(s) ISC_MAGIC_VALID(s, SOURCE_MAGIC) - -/*** - *** "constants." Do not change these unless you _really_ know what - *** you are doing. - ***/ - -/*% - * Size of entropy pool in 32-bit words. This _MUST_ be a power of 2. - */ -#define RND_POOLWORDS 128 -/*% Pool in bytes. */ -#define RND_POOLBYTES (RND_POOLWORDS * 4) -/*% Pool in bits. */ -#define RND_POOLBITS (RND_POOLWORDS * 32) - -/*% - * Number of bytes returned per hash. This must be true: - * threshold * 2 <= digest_size_in_bytes - */ -#define RND_ENTROPY_THRESHOLD 10 -#define THRESHOLD_BITS (RND_ENTROPY_THRESHOLD * 8) - -/*% - * Size of the input event queue in samples. - */ -#define RND_EVENTQSIZE 32 - -/*% - * The number of times we'll "reseed" for pseudorandom seeds. This is an - * extremely weak pseudorandom seed. If the caller is using lots of - * pseudorandom data and they cannot provide a stronger random source, - * there is little we can do other than hope they're smart enough to - * call _adddata() with something better than we can come up with. - */ -#define RND_INITIALIZE 128 - -/*% Entropy Pool */ -typedef struct { - isc_uint32_t cursor; /*%< current add point in the pool */ - isc_uint32_t entropy; /*%< current entropy estimate in bits */ - isc_uint32_t pseudo; /*%< bits extracted in pseudorandom */ - isc_uint32_t rotate; /*%< how many bits to rotate by */ - isc_uint32_t pool[RND_POOLWORDS]; /*%< random pool data */ -} isc_entropypool_t; - -struct isc_entropy { - unsigned int magic; - isc_mem_t *mctx; - isc_mutex_t lock; - unsigned int refcnt; - isc_uint32_t initialized; - isc_uint32_t initcount; - isc_entropypool_t pool; - isc_boolean_t usehook; - unsigned int nsources; - isc_entropysource_t *nextsource; - ISC_LIST(isc_entropysource_t) sources; -}; - -/*% Global Hook */ -static isc_entropy_getdata_t hook; - -/*% Sample Queue */ -typedef struct { - isc_uint32_t last_time; /*%< last time recorded */ - isc_uint32_t last_delta; /*%< last delta value */ - isc_uint32_t last_delta2; /*%< last delta2 value */ - isc_uint32_t nsamples; /*%< number of samples filled in */ - isc_uint32_t *samples; /*%< the samples */ - isc_uint32_t *extra; /*%< extra samples added in */ -} sample_queue_t; - -typedef struct { - sample_queue_t samplequeue; -} isc_entropysamplesource_t; - -typedef struct { - isc_boolean_t start_called; - isc_entropystart_t startfunc; - isc_entropyget_t getfunc; - isc_entropystop_t stopfunc; - void *arg; - sample_queue_t samplequeue; -} isc_cbsource_t; - -typedef struct { - FILESOURCE_HANDLE_TYPE handle; -} isc_entropyfilesource_t; - -struct isc_entropysource { - unsigned int magic; - unsigned int type; - isc_entropy_t *ent; - isc_uint32_t total; /*%< entropy from this source */ - ISC_LINK(isc_entropysource_t) link; - char name[32]; - isc_boolean_t bad; - isc_boolean_t warn_keyboard; - isc_keyboard_t kbd; - union { - isc_entropysamplesource_t sample; - isc_entropyfilesource_t file; - isc_cbsource_t callback; - isc_entropyusocketsource_t usocket; - } sources; -}; - -#define ENTROPY_SOURCETYPE_SAMPLE 1 /*%< Type is a sample source */ -#define ENTROPY_SOURCETYPE_FILE 2 /*%< Type is a file source */ -#define ENTROPY_SOURCETYPE_CALLBACK 3 /*%< Type is a callback source */ -#define ENTROPY_SOURCETYPE_USOCKET 4 /*%< Type is a Unix socket source */ - -/*@{*/ -/*% - * The random pool "taps" - */ -#define TAP1 99 -#define TAP2 59 -#define TAP3 31 -#define TAP4 9 -#define TAP5 7 -/*@}*/ - -/*@{*/ -/*% - * Declarations for function provided by the system dependent sources that - * include this file. - */ -static void -fillpool(isc_entropy_t *, unsigned int, isc_boolean_t); - -static int -wait_for_sources(isc_entropy_t *); - -static void -destroyfilesource(isc_entropyfilesource_t *source); - -static void -destroyusocketsource(isc_entropyusocketsource_t *source); - -/*@}*/ - -static void -samplequeue_release(isc_entropy_t *ent, sample_queue_t *sq) { - REQUIRE(sq->samples != NULL); - REQUIRE(sq->extra != NULL); - - isc_mem_put(ent->mctx, sq->samples, RND_EVENTQSIZE * 4); - isc_mem_put(ent->mctx, sq->extra, RND_EVENTQSIZE * 4); - sq->samples = NULL; - sq->extra = NULL; -} - -static isc_result_t -samplesource_allocate(isc_entropy_t *ent, sample_queue_t *sq) { - sq->samples = isc_mem_get(ent->mctx, RND_EVENTQSIZE * 4); - if (sq->samples == NULL) - return (ISC_R_NOMEMORY); - - sq->extra = isc_mem_get(ent->mctx, RND_EVENTQSIZE * 4); - if (sq->extra == NULL) { - isc_mem_put(ent->mctx, sq->samples, RND_EVENTQSIZE * 4); - sq->samples = NULL; - return (ISC_R_NOMEMORY); - } - - sq->nsamples = 0; - - return (ISC_R_SUCCESS); -} - -/*% - * Add in entropy, even when the value we're adding in could be - * very large. - */ -static inline void -add_entropy(isc_entropy_t *ent, isc_uint32_t entropy) { - /* clamp input. Yes, this must be done. */ - entropy = ISC_MIN(entropy, RND_POOLBITS); - /* Add in the entropy we already have. */ - entropy += ent->pool.entropy; - /* Clamp. */ - ent->pool.entropy = ISC_MIN(entropy, RND_POOLBITS); -} - -/*% - * Decrement the amount of entropy the pool has. - */ -static inline void -subtract_entropy(isc_entropy_t *ent, isc_uint32_t entropy) { - entropy = ISC_MIN(entropy, ent->pool.entropy); - ent->pool.entropy -= entropy; -} - -/*! - * Add in entropy, even when the value we're adding in could be - * very large. - */ -static inline void -add_pseudo(isc_entropy_t *ent, isc_uint32_t pseudo) { - /* clamp input. Yes, this must be done. */ - pseudo = ISC_MIN(pseudo, RND_POOLBITS * 8); - /* Add in the pseudo we already have. */ - pseudo += ent->pool.pseudo; - /* Clamp. */ - ent->pool.pseudo = ISC_MIN(pseudo, RND_POOLBITS * 8); -} - -/*! - * Decrement the amount of pseudo the pool has. - */ -static inline void -subtract_pseudo(isc_entropy_t *ent, isc_uint32_t pseudo) { - pseudo = ISC_MIN(pseudo, ent->pool.pseudo); - ent->pool.pseudo -= pseudo; -} - -/*! - * Add one word to the pool, rotating the input as needed. - */ -static inline void -entropypool_add_word(isc_entropypool_t *rp, isc_uint32_t val) { - /* - * Steal some values out of the pool, and xor them into the - * word we were given. - * - * Mix the new value into the pool using xor. This will - * prevent the actual values from being known to the caller - * since the previous values are assumed to be unknown as well. - */ - val ^= rp->pool[(rp->cursor + TAP1) & (RND_POOLWORDS - 1)]; - val ^= rp->pool[(rp->cursor + TAP2) & (RND_POOLWORDS - 1)]; - val ^= rp->pool[(rp->cursor + TAP3) & (RND_POOLWORDS - 1)]; - val ^= rp->pool[(rp->cursor + TAP4) & (RND_POOLWORDS - 1)]; - val ^= rp->pool[(rp->cursor + TAP5) & (RND_POOLWORDS - 1)]; - if (rp->rotate == 0) - rp->pool[rp->cursor++] ^= val; - else - rp->pool[rp->cursor++] ^= - ((val << rp->rotate) | (val >> (32 - rp->rotate))); - - /* - * If we have looped around the pool, increment the rotate - * variable so the next value will get xored in rotated to - * a different position. - * Increment by a value that is relatively prime to the word size - * to try to spread the bits throughout the pool quickly when the - * pool is empty. - */ - if (rp->cursor == RND_POOLWORDS) { - rp->cursor = 0; - rp->rotate = (rp->rotate + 7) & 31; - } -} - -/*! - * Add a buffer's worth of data to the pool. - * - * Requires that the lock is held on the entropy pool. - */ -static void -entropypool_adddata(isc_entropy_t *ent, void *p, unsigned int len, - isc_uint32_t entropy) -{ - isc_uint32_t val; - unsigned long addr; - isc_uint8_t *buf; - - /* Silly MSVC in 64 bit mode complains here... */ -#ifdef _WIN64 - addr = (unsigned long)((unsigned long long)p); -#else - addr = (unsigned long)p; -#endif - buf = p; - - if ((addr & 0x03U) != 0U) { - val = 0; - switch (len) { - case 3: - val = *buf++; - len--; - /* FALLTHROUGH */ - case 2: - val = val << 8 | *buf++; - len--; - /* FALLTHROUGH */ - case 1: - val = val << 8 | *buf++; - len--; - } - - entropypool_add_word(&ent->pool, val); - } - - for (; len > 3; len -= 4) { - val = *((isc_uint32_t *)buf); - - entropypool_add_word(&ent->pool, val); - buf += 4; - } - - if (len != 0) { - val = 0; - switch (len) { - case 3: - val = *buf++; - /* FALLTHROUGH */ - case 2: - val = val << 8 | *buf++; - /* FALLTHROUGH */ - case 1: - val = val << 8 | *buf++; - } - - entropypool_add_word(&ent->pool, val); - } - - add_entropy(ent, entropy); - subtract_pseudo(ent, entropy); -} - -static inline void -reseed(isc_entropy_t *ent) { - isc_time_t t; - pid_t pid; - - if (ent->initcount == 0) { - pid = getpid(); - entropypool_adddata(ent, &pid, sizeof(pid), 0); - pid = getppid(); - entropypool_adddata(ent, &pid, sizeof(pid), 0); - } - - /*! - * After we've reseeded 100 times, only add new timing info every - * 50 requests. This will keep us from using lots and lots of - * CPU just to return bad pseudorandom data anyway. - */ - if (ent->initcount > 100) - if ((ent->initcount % 50) != 0) - return; - - TIME_NOW(&t); - entropypool_adddata(ent, &t, sizeof(t), 0); - ent->initcount++; -} - -static inline unsigned int -estimate_entropy(sample_queue_t *sq, isc_uint32_t t) { - isc_int32_t delta; - isc_int32_t delta2; - isc_int32_t delta3; - - /*! - * If the time counter has overflowed, calculate the real difference. - * If it has not, it is simpler. - */ - if (t < sq->last_time) - delta = UINT_MAX - sq->last_time + t; - else - delta = sq->last_time - t; - - if (delta < 0) - delta = -delta; - - /* - * Calculate the second and third order differentials - */ - delta2 = sq->last_delta - delta; - if (delta2 < 0) - delta2 = -delta2; - - delta3 = sq->last_delta2 - delta2; - if (delta3 < 0) - delta3 = -delta3; - - sq->last_time = t; - sq->last_delta = delta; - sq->last_delta2 = delta2; - - /* - * If any delta is 0, we got no entropy. If all are non-zero, we - * might have something. - */ - if (delta == 0 || delta2 == 0 || delta3 == 0) - return 0; - - /* - * We could find the smallest delta and claim we got log2(delta) - * bits, but for now return that we found 1 bit. - */ - return 1; -} - -static unsigned int -crunchsamples(isc_entropy_t *ent, sample_queue_t *sq) { - unsigned int ns; - unsigned int added; - - if (sq->nsamples < 6) - return (0); - - added = 0; - sq->last_time = sq->samples[0]; - sq->last_delta = 0; - sq->last_delta2 = 0; - - /* - * Prime the values by adding in the first 4 samples in. This - * should completely initialize the delta calculations. - */ - for (ns = 0; ns < 4; ns++) - (void)estimate_entropy(sq, sq->samples[ns]); - - for (ns = 4; ns < sq->nsamples; ns++) - added += estimate_entropy(sq, sq->samples[ns]); - - entropypool_adddata(ent, sq->samples, sq->nsamples * 4, added); - entropypool_adddata(ent, sq->extra, sq->nsamples * 4, 0); - - /* - * Move the last 4 samples into the first 4 positions, and start - * adding new samples from that point. - */ - for (ns = 0; ns < 4; ns++) { - sq->samples[ns] = sq->samples[sq->nsamples - 4 + ns]; - sq->extra[ns] = sq->extra[sq->nsamples - 4 + ns]; - } - - sq->nsamples = 4; - - return (added); -} - -static unsigned int -get_from_callback(isc_entropysource_t *source, unsigned int desired, - isc_boolean_t blocking) -{ - isc_entropy_t *ent = source->ent; - isc_cbsource_t *cbs = &source->sources.callback; - unsigned int added; - unsigned int got; - isc_result_t result; - - if (desired == 0) - return (0); - - if (source->bad) - return (0); - - if (!cbs->start_called && cbs->startfunc != NULL) { - result = cbs->startfunc(source, cbs->arg, blocking); - if (result != ISC_R_SUCCESS) - return (0); - cbs->start_called = ISC_TRUE; - } - - added = 0; - result = ISC_R_SUCCESS; - while (desired > 0 && result == ISC_R_SUCCESS) { - result = cbs->getfunc(source, cbs->arg, blocking); - if (result == ISC_R_QUEUEFULL) { - got = crunchsamples(ent, &cbs->samplequeue); - added += got; - desired -= ISC_MIN(got, desired); - result = ISC_R_SUCCESS; - } else if (result != ISC_R_SUCCESS && - result != ISC_R_NOTBLOCKING) - source->bad = ISC_TRUE; - - } - - return (added); -} - -/* - * Extract some number of bytes from the random pool, decreasing the - * estimate of randomness as each byte is extracted. - * - * Do this by stiring the pool and returning a part of hash as randomness. - * Note that no secrets are given away here since parts of the hash are - * xored together before returned. - * - * Honor the request from the caller to only return good data, any data, - * etc. - */ -isc_result_t -isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length, - unsigned int *returned, unsigned int flags) -{ - unsigned int i; - isc_sha1_t hash; - unsigned char digest[ISC_SHA1_DIGESTLENGTH]; - isc_uint32_t remain, deltae, count, total; - isc_uint8_t *buf; - isc_boolean_t goodonly, partial, blocking; - - REQUIRE(VALID_ENTROPY(ent)); - REQUIRE(data != NULL); - REQUIRE(length > 0); - - goodonly = ISC_TF((flags & ISC_ENTROPY_GOODONLY) != 0); - partial = ISC_TF((flags & ISC_ENTROPY_PARTIAL) != 0); - blocking = ISC_TF((flags & ISC_ENTROPY_BLOCKING) != 0); - - REQUIRE(!partial || returned != NULL); - - LOCK(&ent->lock); - - if (ent->usehook && (hook != NULL)) { - UNLOCK(&ent->lock); - return (hook(data, length, returned, flags)); - } - - remain = length; - buf = data; - total = 0; - while (remain != 0) { - count = ISC_MIN(remain, RND_ENTROPY_THRESHOLD); - - /* - * If we are extracting good data only, make certain we - * have enough data in our pool for this pass. If we don't, - * get some, and fail if we can't, and partial returns - * are not ok. - */ - if (goodonly) { - unsigned int fillcount; - - fillcount = ISC_MAX(remain * 8, count * 8); - - /* - * If, however, we have at least THRESHOLD_BITS - * of entropy in the pool, don't block here. It is - * better to drain the pool once in a while and - * then refill it than it is to constantly keep the - * pool full. - */ - if (ent->pool.entropy >= THRESHOLD_BITS) - fillpool(ent, fillcount, ISC_FALSE); - else - fillpool(ent, fillcount, blocking); - - /* - * Verify that we got enough entropy to do one - * extraction. If we didn't, bail. - */ - if (ent->pool.entropy < THRESHOLD_BITS) { - if (!partial) - goto zeroize; - else - goto partial_output; - } - } else { - /* - * If we've extracted half our pool size in bits - * since the last refresh, try to refresh here. - */ - if (ent->initialized < THRESHOLD_BITS) - fillpool(ent, THRESHOLD_BITS, blocking); - else - fillpool(ent, 0, ISC_FALSE); - - /* - * If we've not initialized with enough good random - * data, seed with our crappy code. - */ - if (ent->initialized < THRESHOLD_BITS) - reseed(ent); - } - - isc_sha1_init(&hash); - isc_sha1_update(&hash, (void *)(ent->pool.pool), - RND_POOLBYTES); - isc_sha1_final(&hash, digest); - - /* - * Stir the extracted data (all of it) back into the pool. - */ - entropypool_adddata(ent, digest, ISC_SHA1_DIGESTLENGTH, 0); - - for (i = 0; i < count; i++) - buf[i] = digest[i] ^ digest[i + RND_ENTROPY_THRESHOLD]; - - buf += count; - remain -= count; - - deltae = count * 8; - deltae = ISC_MIN(deltae, ent->pool.entropy); - total += deltae; - subtract_entropy(ent, deltae); - add_pseudo(ent, count * 8); - } - - partial_output: - isc_safe_memwipe(digest, sizeof(digest)); - - if (returned != NULL) - *returned = (length - remain); - - UNLOCK(&ent->lock); - - return (ISC_R_SUCCESS); - - zeroize: - /* put the entropy we almost extracted back */ - add_entropy(ent, total); - isc_safe_memwipe(data, length); - isc_safe_memwipe(digest, sizeof(digest)); - if (returned != NULL) - *returned = 0; - - UNLOCK(&ent->lock); - - return (ISC_R_NOENTROPY); -} - -static void -isc_entropypool_init(isc_entropypool_t *pool) { - pool->cursor = RND_POOLWORDS - 1; - pool->entropy = 0; - pool->pseudo = 0; - pool->rotate = 0; - memset(pool->pool, 0, RND_POOLBYTES); -} - -static void -isc_entropypool_invalidate(isc_entropypool_t *pool) { - pool->cursor = 0; - pool->entropy = 0; - pool->pseudo = 0; - pool->rotate = 0; - memset(pool->pool, 0, RND_POOLBYTES); -} - -isc_result_t -isc_entropy_create(isc_mem_t *mctx, isc_entropy_t **entp) { - isc_result_t result; - isc_entropy_t *ent; - - REQUIRE(mctx != NULL); - REQUIRE(entp != NULL && *entp == NULL); - - ent = isc_mem_get(mctx, sizeof(isc_entropy_t)); - if (ent == NULL) - return (ISC_R_NOMEMORY); - - /* - * We need a lock. - */ - result = isc_mutex_init(&ent->lock); - if (result != ISC_R_SUCCESS) - goto errout; - - /* - * From here down, no failures will/can occur. - */ - ISC_LIST_INIT(ent->sources); - ent->nextsource = NULL; - ent->nsources = 0; - ent->mctx = NULL; - isc_mem_attach(mctx, &ent->mctx); - ent->refcnt = 1; - ent->initialized = 0; - ent->initcount = 0; - ent->usehook = ISC_FALSE; - ent->magic = ENTROPY_MAGIC; - - isc_entropypool_init(&ent->pool); - - *entp = ent; - return (ISC_R_SUCCESS); - - errout: - isc_mem_put(mctx, ent, sizeof(isc_entropy_t)); - - return (result); -} - -/*! - * Requires "ent" be locked. - */ -static void -destroysource(isc_entropysource_t **sourcep) { - isc_entropysource_t *source; - isc_entropy_t *ent; - isc_cbsource_t *cbs; - - source = *sourcep; - *sourcep = NULL; - ent = source->ent; - - ISC_LIST_UNLINK(ent->sources, source, link); - ent->nextsource = NULL; - REQUIRE(ent->nsources > 0); - ent->nsources--; - - switch (source->type) { - case ENTROPY_SOURCETYPE_FILE: - if (! source->bad) - destroyfilesource(&source->sources.file); - break; - case ENTROPY_SOURCETYPE_USOCKET: - if (! source->bad) - destroyusocketsource(&source->sources.usocket); - break; - case ENTROPY_SOURCETYPE_SAMPLE: - samplequeue_release(ent, &source->sources.sample.samplequeue); - break; - case ENTROPY_SOURCETYPE_CALLBACK: - cbs = &source->sources.callback; - if (cbs->start_called && cbs->stopfunc != NULL) { - cbs->stopfunc(source, cbs->arg); - cbs->start_called = ISC_FALSE; - } - samplequeue_release(ent, &cbs->samplequeue); - break; - } - - isc_safe_memwipe(source, sizeof(*source)); - isc_mem_put(ent->mctx, source, sizeof(*source)); -} - -static inline isc_boolean_t -destroy_check(isc_entropy_t *ent) { - isc_entropysource_t *source; - - if (ent->refcnt > 0) - return (ISC_FALSE); - - source = ISC_LIST_HEAD(ent->sources); - while (source != NULL) { - switch (source->type) { - case ENTROPY_SOURCETYPE_FILE: - case ENTROPY_SOURCETYPE_USOCKET: - break; - default: - return (ISC_FALSE); - } - source = ISC_LIST_NEXT(source, link); - } - - return (ISC_TRUE); -} - -static void -destroy(isc_entropy_t **entp) { - isc_entropy_t *ent; - isc_entropysource_t *source; - isc_mem_t *mctx; - - REQUIRE(entp != NULL && *entp != NULL); - ent = *entp; - *entp = NULL; - - LOCK(&ent->lock); - - REQUIRE(ent->refcnt == 0); - - /* - * Here, detach non-sample sources. - */ - source = ISC_LIST_HEAD(ent->sources); - while (source != NULL) { - switch(source->type) { - case ENTROPY_SOURCETYPE_FILE: - case ENTROPY_SOURCETYPE_USOCKET: - destroysource(&source); - break; - } - source = ISC_LIST_HEAD(ent->sources); - } - - /* - * If there are other types of sources, we've found a bug. - */ - REQUIRE(ISC_LIST_EMPTY(ent->sources)); - - mctx = ent->mctx; - - isc_entropypool_invalidate(&ent->pool); - - UNLOCK(&ent->lock); - - DESTROYLOCK(&ent->lock); - - isc_safe_memwipe(ent, sizeof(*ent)); - isc_mem_put(mctx, ent, sizeof(*ent)); - isc_mem_detach(&mctx); -} - -void -isc_entropy_destroysource(isc_entropysource_t **sourcep) { - isc_entropysource_t *source; - isc_entropy_t *ent; - isc_boolean_t killit; - - REQUIRE(sourcep != NULL); - REQUIRE(VALID_SOURCE(*sourcep)); - - source = *sourcep; - *sourcep = NULL; - - ent = source->ent; - REQUIRE(VALID_ENTROPY(ent)); - - LOCK(&ent->lock); - - destroysource(&source); - - killit = destroy_check(ent); - - UNLOCK(&ent->lock); - - if (killit) - destroy(&ent); -} - -isc_result_t -isc_entropy_createcallbacksource(isc_entropy_t *ent, - isc_entropystart_t start, - isc_entropyget_t get, - isc_entropystop_t stop, - void *arg, - isc_entropysource_t **sourcep) -{ - isc_result_t result; - isc_entropysource_t *source; - isc_cbsource_t *cbs; - - REQUIRE(VALID_ENTROPY(ent)); - REQUIRE(get != NULL); - REQUIRE(sourcep != NULL && *sourcep == NULL); - - LOCK(&ent->lock); - - source = isc_mem_get(ent->mctx, sizeof(isc_entropysource_t)); - if (source == NULL) { - result = ISC_R_NOMEMORY; - goto errout; - } - source->bad = ISC_FALSE; - - cbs = &source->sources.callback; - - result = samplesource_allocate(ent, &cbs->samplequeue); - if (result != ISC_R_SUCCESS) - goto errout; - - cbs->start_called = ISC_FALSE; - cbs->startfunc = start; - cbs->getfunc = get; - cbs->stopfunc = stop; - cbs->arg = arg; - - /* - * From here down, no failures can occur. - */ - source->magic = SOURCE_MAGIC; - source->type = ENTROPY_SOURCETYPE_CALLBACK; - source->ent = ent; - source->total = 0; - memset(source->name, 0, sizeof(source->name)); - ISC_LINK_INIT(source, link); - - /* - * Hook it into the entropy system. - */ - ISC_LIST_APPEND(ent->sources, source, link); - ent->nsources++; - - *sourcep = source; - - UNLOCK(&ent->lock); - return (ISC_R_SUCCESS); - - errout: - if (source != NULL) - isc_mem_put(ent->mctx, source, sizeof(isc_entropysource_t)); - - UNLOCK(&ent->lock); - - return (result); -} - -void -isc_entropy_stopcallbacksources(isc_entropy_t *ent) { - isc_entropysource_t *source; - isc_cbsource_t *cbs; - - REQUIRE(VALID_ENTROPY(ent)); - - LOCK(&ent->lock); - - source = ISC_LIST_HEAD(ent->sources); - while (source != NULL) { - if (source->type == ENTROPY_SOURCETYPE_CALLBACK) { - cbs = &source->sources.callback; - if (cbs->start_called && cbs->stopfunc != NULL) { - cbs->stopfunc(source, cbs->arg); - cbs->start_called = ISC_FALSE; - } - } - - source = ISC_LIST_NEXT(source, link); - } - - UNLOCK(&ent->lock); -} - -isc_result_t -isc_entropy_createsamplesource(isc_entropy_t *ent, - isc_entropysource_t **sourcep) -{ - isc_result_t result; - isc_entropysource_t *source; - sample_queue_t *sq; - - REQUIRE(VALID_ENTROPY(ent)); - REQUIRE(sourcep != NULL && *sourcep == NULL); - - LOCK(&ent->lock); - - source = isc_mem_get(ent->mctx, sizeof(isc_entropysource_t)); - if (source == NULL) { - result = ISC_R_NOMEMORY; - goto errout; - } - - sq = &source->sources.sample.samplequeue; - result = samplesource_allocate(ent, sq); - if (result != ISC_R_SUCCESS) - goto errout; - - /* - * From here down, no failures can occur. - */ - source->magic = SOURCE_MAGIC; - source->type = ENTROPY_SOURCETYPE_SAMPLE; - source->ent = ent; - source->total = 0; - memset(source->name, 0, sizeof(source->name)); - ISC_LINK_INIT(source, link); - - /* - * Hook it into the entropy system. - */ - ISC_LIST_APPEND(ent->sources, source, link); - ent->nsources++; - - *sourcep = source; - - UNLOCK(&ent->lock); - return (ISC_R_SUCCESS); - - errout: - if (source != NULL) - isc_mem_put(ent->mctx, source, sizeof(isc_entropysource_t)); - - UNLOCK(&ent->lock); - - return (result); -} - -/*! - * Add a sample, and return ISC_R_SUCCESS if the queue has become full, - * ISC_R_NOENTROPY if it has space remaining, and ISC_R_NOMORE if the - * queue was full when this function was called. - */ -static isc_result_t -addsample(sample_queue_t *sq, isc_uint32_t sample, isc_uint32_t extra) { - if (sq->nsamples >= RND_EVENTQSIZE) - return (ISC_R_NOMORE); - - sq->samples[sq->nsamples] = sample; - sq->extra[sq->nsamples] = extra; - sq->nsamples++; - - if (sq->nsamples >= RND_EVENTQSIZE) - return (ISC_R_QUEUEFULL); - - return (ISC_R_SUCCESS); -} - -isc_result_t -isc_entropy_addsample(isc_entropysource_t *source, isc_uint32_t sample, - isc_uint32_t extra) -{ - isc_entropy_t *ent; - sample_queue_t *sq; - unsigned int entropy; - isc_result_t result; - - REQUIRE(VALID_SOURCE(source)); - - ent = source->ent; - - LOCK(&ent->lock); - - sq = &source->sources.sample.samplequeue; - result = addsample(sq, sample, extra); - if (result == ISC_R_QUEUEFULL) { - entropy = crunchsamples(ent, sq); - add_entropy(ent, entropy); - } - - UNLOCK(&ent->lock); - - return (result); -} - -isc_result_t -isc_entropy_addcallbacksample(isc_entropysource_t *source, isc_uint32_t sample, - isc_uint32_t extra) -{ - sample_queue_t *sq; - isc_result_t result; - - REQUIRE(VALID_SOURCE(source)); - REQUIRE(source->type == ENTROPY_SOURCETYPE_CALLBACK); - - sq = &source->sources.callback.samplequeue; - result = addsample(sq, sample, extra); - - return (result); -} - -void -isc_entropy_putdata(isc_entropy_t *ent, void *data, unsigned int length, - isc_uint32_t entropy) -{ - REQUIRE(VALID_ENTROPY(ent)); - - LOCK(&ent->lock); - - entropypool_adddata(ent, data, length, entropy); - - if (ent->initialized < THRESHOLD_BITS) - ent->initialized = THRESHOLD_BITS; - - UNLOCK(&ent->lock); -} - -static void -dumpstats(isc_entropy_t *ent, FILE *out) { - fprintf(out, - isc_msgcat_get(isc_msgcat, ISC_MSGSET_ENTROPY, - ISC_MSG_ENTROPYSTATS, - "Entropy pool %p: refcnt %u cursor %u," - " rotate %u entropy %u pseudo %u nsources %u" - " nextsource %p initialized %u initcount %u\n"), - ent, ent->refcnt, - ent->pool.cursor, ent->pool.rotate, - ent->pool.entropy, ent->pool.pseudo, - ent->nsources, ent->nextsource, ent->initialized, - ent->initcount); -} - -/* - * This function ignores locking. Use at your own risk. - */ -void -isc_entropy_stats(isc_entropy_t *ent, FILE *out) { - REQUIRE(VALID_ENTROPY(ent)); - - LOCK(&ent->lock); - dumpstats(ent, out); - UNLOCK(&ent->lock); -} - -unsigned int -isc_entropy_status(isc_entropy_t *ent) { - unsigned int estimate; - - LOCK(&ent->lock); - estimate = ent->pool.entropy; - UNLOCK(&ent->lock); - - return estimate; -} - -void -isc_entropy_attach(isc_entropy_t *ent, isc_entropy_t **entp) { - REQUIRE(VALID_ENTROPY(ent)); - REQUIRE(entp != NULL && *entp == NULL); - - LOCK(&ent->lock); - - ent->refcnt++; - *entp = ent; - - UNLOCK(&ent->lock); -} - -void -isc_entropy_detach(isc_entropy_t **entp) { - isc_entropy_t *ent; - isc_boolean_t killit; - - REQUIRE(entp != NULL && VALID_ENTROPY(*entp)); - ent = *entp; - *entp = NULL; - - LOCK(&ent->lock); - - REQUIRE(ent->refcnt > 0); - ent->refcnt--; - - killit = destroy_check(ent); - - UNLOCK(&ent->lock); - - if (killit) - destroy(&ent); -} - -static isc_result_t -kbdstart(isc_entropysource_t *source, void *arg, isc_boolean_t blocking) { - /* - * The intent of "first" is to provide a warning message only once - * during the run of a program that might try to gather keyboard - * entropy multiple times. - */ - static isc_boolean_t first = ISC_TRUE; - - UNUSED(arg); - - if (! blocking) - return (ISC_R_NOENTROPY); - - if (first) { - if (source->warn_keyboard) - fprintf(stderr, "You must use the keyboard to create " - "entropy, since your system is lacking\n" - "/dev/random (or equivalent)\n\n"); - first = ISC_FALSE; - } - fprintf(stderr, "start typing:\n"); - - return (isc_keyboard_open(&source->kbd)); -} - -static void -kbdstop(isc_entropysource_t *source, void *arg) { - - UNUSED(arg); - - if (! isc_keyboard_canceled(&source->kbd)) - fprintf(stderr, "stop typing.\r\n"); - - (void)isc_keyboard_close(&source->kbd, 3); -} - -static isc_result_t -kbdget(isc_entropysource_t *source, void *arg, isc_boolean_t blocking) { - isc_result_t result; - isc_time_t t; - isc_uint32_t sample; - isc_uint32_t extra; - unsigned char c; - - UNUSED(arg); - - if (!blocking) - return (ISC_R_NOTBLOCKING); - - result = isc_keyboard_getchar(&source->kbd, &c); - if (result != ISC_R_SUCCESS) - return (result); - - TIME_NOW(&t); - - sample = isc_time_nanoseconds(&t); - extra = c; - - result = isc_entropy_addcallbacksample(source, sample, extra); - if (result != ISC_R_SUCCESS) { - fprintf(stderr, "\r\n"); - return (result); - } - - fprintf(stderr, "."); - fflush(stderr); - - return (result); -} - -isc_result_t -isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source, - const char *randomfile, int use_keyboard) -{ - isc_result_t result; - isc_result_t final_result = ISC_R_NOENTROPY; - isc_boolean_t userfile = ISC_TRUE; - - REQUIRE(VALID_ENTROPY(ectx)); - REQUIRE(source != NULL && *source == NULL); - REQUIRE(use_keyboard == ISC_ENTROPY_KEYBOARDYES || - use_keyboard == ISC_ENTROPY_KEYBOARDNO || - use_keyboard == ISC_ENTROPY_KEYBOARDMAYBE); - -#ifdef PKCS11CRYPTO - if (randomfile != NULL) - pk11_rand_seed_fromfile(randomfile); -#endif - -#ifdef PATH_RANDOMDEV - if (randomfile == NULL) { - randomfile = PATH_RANDOMDEV; - userfile = ISC_FALSE; - } -#endif - - if (randomfile != NULL && use_keyboard != ISC_ENTROPY_KEYBOARDYES) { - result = isc_entropy_createfilesource(ectx, randomfile); - if (result == ISC_R_SUCCESS && - use_keyboard == ISC_ENTROPY_KEYBOARDMAYBE) - use_keyboard = ISC_ENTROPY_KEYBOARDNO; - if (result != ISC_R_SUCCESS && userfile) - return (result); - - final_result = result; - } - - if (use_keyboard != ISC_ENTROPY_KEYBOARDNO) { - result = isc_entropy_createcallbacksource(ectx, kbdstart, - kbdget, kbdstop, - NULL, source); - if (result == ISC_R_SUCCESS) - (*source)->warn_keyboard = - ISC_TF(use_keyboard == - ISC_ENTROPY_KEYBOARDMAYBE); - - if (final_result != ISC_R_SUCCESS) - final_result = result; - } - - /* - * final_result is ISC_R_SUCCESS if at least one source of entropy - * could be started, otherwise it is the error from the most recently - * failed operation (or ISC_R_NOENTROPY if PATH_RANDOMDEV is not - * defined and use_keyboard is ISC_ENTROPY_KEYBOARDNO). - */ - return (final_result); -} - -void -isc_entropy_usehook(isc_entropy_t *ectx, isc_boolean_t onoff) { - REQUIRE(VALID_ENTROPY(ectx)); - - LOCK(&ectx->lock); - ectx->usehook = onoff; - UNLOCK(&ectx->lock); -} - -void -isc_entropy_sethook(isc_entropy_getdata_t myhook) { - hook = myhook; -} diff --git a/lib/isc/hash.c b/lib/isc/hash.c index 7c9d1ed19b..4d1add960f 100644 --- a/lib/isc/hash.c +++ b/lib/isc/hash.c @@ -70,7 +70,7 @@ fnv_initialize(void) { * again, it should not change fnv_offset_basis. */ while (fnv_offset_basis == 0) { - isc_random_get(&fnv_offset_basis); + fnv_offset_basis = isc_random(); } fnv_initialized = ISC_TRUE; diff --git a/lib/isc/include/isc/entropy.h b/lib/isc/include/isc/entropy.h deleted file mode 100644 index 2d373630ae..0000000000 --- a/lib/isc/include/isc/entropy.h +++ /dev/null @@ -1,342 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -#ifndef ISC_ENTROPY_H -#define ISC_ENTROPY_H 1 - -/***** - ***** Module Info - *****/ - -/*! \file isc/entropy.h - * \brief The entropy API - * - * \li MP: - * The entropy object is locked internally. All callbacks into - * application-provided functions (for setup, gathering, and - * shutdown of sources) are guaranteed to be called with the - * entropy API lock held. This means these functions are - * not permitted to call back into the entropy API. - * - * \li Reliability: - * No anticipated impact. - * - * \li Resources: - * A buffer, used as an entropy pool. - * - * \li Security: - * While this code is believed to implement good entropy gathering - * and distribution, it has not been reviewed by a cryptographic - * expert. - * Since the added entropy is only as good as the sources used, - * this module could hand out bad data and never know it. - * - * \li Standards: - * None. - */ - -/*** - *** Imports - ***/ - -#include - -#include -#include - -/*@{*/ -/*% Entropy callback function. */ -typedef isc_result_t (*isc_entropystart_t)(isc_entropysource_t *source, - void *arg, isc_boolean_t blocking); -typedef isc_result_t (*isc_entropyget_t)(isc_entropysource_t *source, - void *arg, isc_boolean_t blocking); -typedef void (*isc_entropystop_t)(isc_entropysource_t *source, void *arg); -/*@}*/ - -/*** - *** Flags. - ***/ - -/*! - * \brief - * Extract only "good" data; return failure if there is not enough - * data available and there are no sources which we can poll to get - * data, or those sources are empty. - * - * - */ -#define ISC_ENTROPY_GOODONLY 0x00000001U -/*! - * \brief - * Extract as much good data as possible, but if there isn't enough - * at hand, return what is available. This flag only makes sense - * when used with _GOODONLY. - */ -#define ISC_ENTROPY_PARTIAL 0x00000002U -/*! - * \brief - * Block the task until data is available. This is contrary to the - * ISC task system, where tasks should never block. However, if - * this is a special purpose application where blocking a task is - * acceptable (say, an offline zone signer) this flag may be set. - * This flag only makes sense when used with _GOODONLY, and will - * block regardless of the setting for _PARTIAL. - */ -#define ISC_ENTROPY_BLOCKING 0x00000004U - -/*! - * \brief - * Estimate the amount of entropy contained in the sample pool. - * If this is not set, the source will be gathered and periodically - * mixed into the entropy pool, but no increment in contained entropy - * will be assumed. This flag only makes sense on sample sources. - */ -#define ISC_ENTROPYSOURCE_ESTIMATE 0x00000001U - -/* - * For use with isc_entropy_usebestsource(). - */ -/*! - * \brief - * Use the keyboard as the only entropy source. - */ -#define ISC_ENTROPY_KEYBOARDYES 1 -/*! - * \brief - * Never use the keyboard as an entropy source. - */ -#define ISC_ENTROPY_KEYBOARDNO 2 -/*! - * \brief - * Use the keyboard as an entropy source only if opening the - * random device fails. - */ -#define ISC_ENTROPY_KEYBOARDMAYBE 3 - -ISC_LANG_BEGINDECLS - -/*** - *** Functions - ***/ - -isc_result_t -isc_entropy_create(isc_mem_t *mctx, isc_entropy_t **entp); -/*!< - * \brief Create a new entropy object. - */ - -void -isc_entropy_attach(isc_entropy_t *ent, isc_entropy_t **entp); -/*!< - * Attaches to an entropy object. - */ - -void -isc_entropy_detach(isc_entropy_t **entp); -/*!< - * \brief Detaches from an entropy object. - */ - -isc_result_t -isc_entropy_createfilesource(isc_entropy_t *ent, const char *fname); -/*!< - * \brief Create a new entropy source from a file. - * - * The file is assumed to contain good randomness, and will be mixed directly - * into the pool with every byte adding 8 bits of entropy. - * - * The file will be put into non-blocking mode, so it may be a device file, - * such as /dev/random. /dev/urandom should not be used here if it can - * be avoided, since it will always provide data even if it isn't good. - * We will make as much pseudorandom data as we need internally if our - * caller asks for it. - * - * If we hit end-of-file, we will stop reading from this source. Callers - * who require strong random data will get failure when our pool drains. - * The file will never be opened/read again once EOF is reached. - */ - -void -isc_entropy_destroysource(isc_entropysource_t **sourcep); -/*!< - * \brief Removes an entropy source from the entropy system. - */ - -isc_result_t -isc_entropy_createsamplesource(isc_entropy_t *ent, - isc_entropysource_t **sourcep); -/*!< - * \brief Create an entropy source that consists of samples. Each sample is - * added to the source via isc_entropy_addsamples(), below. - */ - -isc_result_t -isc_entropy_createcallbacksource(isc_entropy_t *ent, - isc_entropystart_t start, - isc_entropyget_t get, - isc_entropystop_t stop, - void *arg, - isc_entropysource_t **sourcep); -/*!< - * \brief Create an entropy source that is polled via a callback. - * - * This would be used when keyboard input is used, or a GUI input method. - * It can also be used to hook in any external entropy source. - * - * Samples are added via isc_entropy_addcallbacksample(), below. - * _addcallbacksample() is the only function which may be called from - * within an entropy API callback function. - */ - -void -isc_entropy_stopcallbacksources(isc_entropy_t *ent); -/*!< - * \brief Call the stop functions for callback sources that have had their - * start functions called. - */ - -/*@{*/ -isc_result_t -isc_entropy_addcallbacksample(isc_entropysource_t *source, isc_uint32_t sample, - isc_uint32_t extra); -isc_result_t -isc_entropy_addsample(isc_entropysource_t *source, isc_uint32_t sample, - isc_uint32_t extra); -/*!< - * \brief Add a sample to the sample source. - * - * The sample MUST be a timestamp - * that increases over time, with the exception of wrap-around for - * extremely high resolution timers which will quickly wrap-around - * a 32-bit integer. - * - * The "extra" parameter is used only to add a bit more unpredictable - * data. It is not used other than included in the hash of samples. - * - * When in an entropy API callback function, _addcallbacksource() must be - * used. At all other times, _addsample() must be used. - */ -/*@}*/ - -isc_result_t -isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length, - unsigned int *returned, unsigned int flags); -/*!< - * \brief Get random data from entropy pool 'ent'. - * - * If a hook has been set up using isc_entropy_sethook() and - * isc_entropy_usehook(), then the hook function will be called to get - * random data. - * - * Otherwise, randomness is extracted from the entropy pool set up in BIND. - * This may cause the pool to be loaded from various sources. Ths is done - * by stirring the pool and returning a part of hash as randomness. - * (Note that no secrets are given away here since parts of the hash are - * XORed together before returning.) - * - * 'flags' may contain ISC_ENTROPY_GOODONLY, ISC_ENTROPY_PARTIAL, or - * ISC_ENTROPY_BLOCKING. These will be honored if the hook function is - * not in use. If it is, the flags will be passed to the hook function - * but it may ignore them. - * - * Up to 'length' bytes of randomness are retrieved and copied into 'data'. - * (If 'returned' is not NULL, and the number of bytes copied is less than - * 'length' - which may happen if ISC_ENTROPY_PARTIAL was used - then the - * number of bytes copied will be stored in *returned.) - * - * Returns: - * \li ISC_R_SUCCESS on success - * \li ISC_R_NOENTROPY if entropy pool is empty - * \li other error codes are possible when a hook is in use - */ - -void -isc_entropy_putdata(isc_entropy_t *ent, void *data, unsigned int length, - isc_uint32_t entropy); -/*!< - * \brief Add "length" bytes in "data" to the entropy pool, incrementing the - * pool's entropy count by "entropy." - * - * These bytes will prime the pseudorandom portion even if no entropy is - * actually added. - */ - -void -isc_entropy_stats(isc_entropy_t *ent, FILE *out); -/*!< - * \brief Dump some (trivial) stats to the stdio stream "out". - */ - -unsigned int -isc_entropy_status(isc_entropy_t *end); -/* - * Returns the number of bits the pool currently contains. This is just - * an estimate. - */ - -isc_result_t -isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source, - const char *randomfile, int use_keyboard); -/*!< - * \brief Use whatever source of entropy is best. - * - * Notes: - *\li If "randomfile" is not NULL, open it with - * isc_entropy_createfilesource(). - * - *\li If "randomfile" is NULL and the system's random device was detected - * when the program was configured and built, open that device with - * isc_entropy_createfilesource(). - * - *\li If "use_keyboard" is #ISC_ENTROPY_KEYBOARDYES, then always open - * the keyboard as an entropy source (possibly in addition to - * "randomfile" or the random device). - * - *\li If "use_keyboard" is #ISC_ENTROPY_KEYBOARDMAYBE, open the keyboard only - * if opening the random file/device fails. A message will be - * printed describing the need for keyboard input. - * - *\li If "use_keyboard" is #ISC_ENTROPY_KEYBOARDNO, the keyboard will - * never be opened. - * - * Returns: - *\li #ISC_R_SUCCESS if at least one source of entropy could be started. - * - *\li #ISC_R_NOENTROPY if use_keyboard is #ISC_ENTROPY_KEYBOARDNO and - * there is no random device pathname compiled into the program. - * - *\li A return code from isc_entropy_createfilesource() or - * isc_entropy_createcallbacksource(). - */ - -void -isc_entropy_usehook(isc_entropy_t *ectx, isc_boolean_t onoff); -/*!< - * \brief Configure entropy context 'ectx' to use the hook function - * - * Sets the entropy context to call the hook function for random number - * generation, if such a function has been configured via - * isc_entropy_sethook(), whenever isc_entropy_getdata() is called. - */ - -void -isc_entropy_sethook(isc_entropy_getdata_t myhook); -/*!< - * \brief Set the hook function. - * - * The hook function is a global value: only one hook function - * can be set in the system. Individual entropy contexts may be - * configured to use it, or not, by calling isc_entropy_usehook(). - */ - -ISC_LANG_ENDDECLS - -#endif /* ISC_ENTROPY_H */ diff --git a/lib/isc/include/isc/random.h b/lib/isc/include/isc/random.h index 324e848d72..0648706f27 100644 --- a/lib/isc/include/isc/random.h +++ b/lib/isc/include/isc/random.h @@ -9,134 +9,39 @@ * information regarding copyright ownership. */ -#ifndef ISC_RANDOM_H -#define ISC_RANDOM_H 1 +#pragma once + +#include +#include #include -#include -#include -#include -#include -#include /*! \file isc/random.h - * \brief Implements pseudo random number generators. + * \brief Implements wrapper around system provider pseudo-random data + * generators. * - * Two pseudo-random number generators are implemented, in isc_random_* - * and isc_rng_*. Neither one is very strong; they should not be used - * in cryptography functions. + * The system providers used: + * - On Linux - getrandom() glibc call or syscall + * - On BSDs - arc4random() * - * isc_random_* is based on arc4random if it is available on the system. - * Otherwise it is based on the posix srand() and rand() functions. - * It is useful for jittering values a bit here and there, such as - * timeouts, etc, but should not be relied upon to generate - * unpredictable sequences (for example, when choosing transaction IDs). + * If neither is available, the crypto library provider is used: + * - If OpenSSL is used - RAND_bytes() + * - If PKCS#11 is used - pkcs_C_GenerateRandom() * - * isc_rng_* is based on ChaCha20, and is seeded and stirred from the - * system entropy source. It is stronger than isc_random_* and can - * be used for generating unpredictable sequences. It is still not as - * good as using system entropy directly (see entropy.h) and should not - * be used for cryptographic functions such as key generation. */ ISC_LANG_BEGINDECLS -typedef struct isc_rng isc_rng_t; -/*%< - * Opaque type - */ +uint32_t +isc_random(void); void -isc_random_seed(isc_uint32_t seed); -/*%< - * Set the initial seed of the random state. +isc_random_buf(void *buf, size_t buflen); +/*!< + * \brief Get random data. */ -void -isc_random_get(isc_uint32_t *val); -/*%< - * Get a random value. - * - * Requires: - * val != NULL. - */ - -isc_uint32_t -isc_random_jitter(isc_uint32_t max, isc_uint32_t jitter); -/*%< - * Get a random value between (max - jitter) and (max). - * This is useful for jittering timer values. - */ - -isc_result_t -isc_rng_create(isc_mem_t *mctx, isc_entropy_t *entropy, isc_rng_t **rngp); -/*%< - * Creates and initializes a pseudo random number generator. The - * returned RNG can be used to generate pseudo random numbers. - * - * The reference count of the returned RNG is set to 1. - * - * Requires: - * \li mctx is a pointer to a valid memory context. - * \li entropy is an optional entopy source (can be NULL) - * \li rngp != NULL && *rngp == NULL is where a pointer to the RNG is - * returned. - * - * Ensures: - *\li If result is ISC_R_SUCCESS: - * *rngp points to a valid RNG. - * - *\li If result is failure: - * *rngp does not point to a valid RNG. - * - * Returns: - *\li #ISC_R_SUCCESS Success - *\li #ISC_R_NOMEMORY Resource limit: Out of Memory - */ - -void -isc_rng_attach(isc_rng_t *source, isc_rng_t **targetp); -/*%< - * Increments a reference count on the passed RNG. - * - * Requires: - * \li source the RNG struct to attach to (is refcount is incremented) - * \li targetp != NULL && *targetp == NULL where a pointer to the - * reference incremented RNG is returned. - */ - -void -isc_rng_detach(isc_rng_t **rngp); -/*%< - * Decrements a reference count on the passed RNG. If the reference - * count reaches 0, the RNG is destroyed. - * - * Requires: - * \li rngp != NULL the RNG struct to decrement reference for - */ - -void -isc_rng_randombytes(isc_rng_t *rngctx, void *output, size_t length); -/*%< - * Returns a pseudo random sequence of length octets in output. - */ - -isc_uint16_t -isc_rng_random(isc_rng_t *rngctx) ISC_DEPRECATED; -/*%< - * Returns a pseudo random 16-bit unsigned integer. - * - * This function is deprecated. You should use `isc_rng_randombytes()` - * instead. - */ - -isc_uint16_t -isc_rng_uniformrandom(isc_rng_t *rngctx, isc_uint16_t upper_bound); -/*%< - * Returns a uniformly distributed pseudo-random 16-bit unsigned integer - * less than 'upper_bound'. - */ +uint32_t +isc_random_uniform(uint32_t upper_bound); ISC_LANG_ENDDECLS - -#endif /* ISC_RANDOM_H */ diff --git a/lib/isc/include/isc/types.h b/lib/isc/include/isc/types.h index 3793cb99c7..7e9fe504d7 100644 --- a/lib/isc/include/isc/types.h +++ b/lib/isc/include/isc/types.h @@ -42,8 +42,6 @@ typedef struct isc_constregion isc_constregion_t; /*%< Const region */ typedef struct isc_consttextregion isc_consttextregion_t; /*%< Const Text Region */ typedef struct isc_counter isc_counter_t; /*%< Counter */ typedef isc_int16_t isc_dscp_t; /*%< Diffserv code point */ -typedef struct isc_entropy isc_entropy_t; /*%< Entropy */ -typedef struct isc_entropysource isc_entropysource_t; /*%< Entropy Source */ typedef struct isc_event isc_event_t; /*%< Event */ typedef ISC_LIST(isc_event_t) isc_eventlist_t; /*%< Event List */ typedef unsigned int isc_eventtype_t; /*%< Event Type */ @@ -68,7 +66,6 @@ typedef struct isc_msgcat isc_msgcat_t; /*%< Message Catalog */ typedef struct isc_netaddr isc_netaddr_t; /*%< Net Address */ typedef struct isc_portset isc_portset_t; /*%< Port Set */ typedef struct isc_quota isc_quota_t; /*%< Quota */ -typedef struct isc_random isc_random_t; /*%< Random */ typedef struct isc_ratelimiter isc_ratelimiter_t; /*%< Rate Limiter */ typedef struct isc_region isc_region_t; /*%< Region */ typedef isc_uint64_t isc_resourcevalue_t; /*%< Resource Value */ @@ -90,8 +87,6 @@ typedef struct isc_time isc_time_t; /*%< Time */ typedef struct isc_timer isc_timer_t; /*%< Timer */ typedef struct isc_timermgr isc_timermgr_t; /*%< Timer Manager */ -typedef isc_result_t (*isc_entropy_getdata_t)(void *, unsigned int, - unsigned int *, unsigned int); typedef void (*isc_taskaction_t)(isc_task_t *, isc_event_t *); typedef int (*isc_sockfdwatch_t)(isc_task_t *, isc_socket_t *, void *, int); diff --git a/lib/isc/pool.c b/lib/isc/pool.c index e4ad2c4bcc..853e54d6e8 100644 --- a/lib/isc/pool.c +++ b/lib/isc/pool.c @@ -98,8 +98,7 @@ isc_pool_create(isc_mem_t *mctx, unsigned int count, void * isc_pool_get(isc_pool_t *pool) { - isc_uint32_t i; - isc_random_get(&i); + isc_uint32_t i = isc_random(); return (pool->pool[i % pool->count]); } diff --git a/lib/isc/random.c b/lib/isc/random.c index c6415789e8..a9fca3f9e2 100644 --- a/lib/isc/random.c +++ b/lib/isc/random.c @@ -9,13 +9,11 @@ * information regarding copyright ownership. */ -/*% - * ChaCha based random number generator derived from OpenBSD. +/* + * Portions of isc_random_uniform(): * - * The original copyright follows: * Copyright (c) 1996, David Mazieres * Copyright (c) 2008, Damien Miller - * Copyright (c) 2013, Markus Friedl * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -30,400 +28,174 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/*! \file */ - #include +#include #include -#include /* Required for time(). */ -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#ifdef HAVE_UNISTD_H #include -#endif -#include -#include -#include -#include -#include +#ifdef OPENSSL +#include +#endif /* ifdef OPENSSL */ + +#ifdef PKCS11CRYPTO +#include +#endif /* ifdef PKCS11CRYPTO */ + +#if defined(__linux__) +# include +# ifdef HAVE_GETRANDOM +# include +# else /* HAVE_GETRANDOM */ +# include +# endif /* HAVE_GETRANDOM */ +#endif /* defined(__linux__) */ + #include -#include -#include +#include +#include #include -#define RNG_MAGIC ISC_MAGIC('R', 'N', 'G', 'x') -#define VALID_RNG(r) ISC_MAGIC_VALID(r, RNG_MAGIC) +#if defined(__linux__) +# ifdef HAVE_GETRANDOM +# define have_getrandom() 1 +# else /* ifdef HAVE_GETRANDOM */ +# undef getrandom +# if defined(SYS_getrandom) +# define getrandom(dst,s,flags) syscall(SYS_getrandom, \ + (void*)dst, \ + (size_t)s, \ + (unsigned int)flags) -#define KEYSTREAM_ONLY -#include "chacha_private.h" +static unsigned +have_getrandom(void) +{ + uint16_t buf; + ssize_t ret; + ret = getrandom(&buf, sizeof(buf), 1 /*GRND_NONBLOCK*/); + return (ret == sizeof(buf) || + (ret == -1 && errno == EAGAIN)); +} + +# else /* defined(SYS_getrandom) */ +# define have_getrandom() 0 +# define getrandom(dst,s,flags) -1 +# endif /* defined(SYS_getrandom) */ +# endif /* ifdef HAVE_GETRANDOM */ + +static int +getrandom_buf(void *buf, size_t buflen) +{ + size_t left = buflen; + ssize_t ret; + uint8_t *p = buf; + + while (left > 0) { + ret = getrandom(p, left, 0); + if (ret == -1 && errno == EINTR) { + continue; + } + + RUNTIME_CHECK(ret >= 0); + + if (ret > 0) { + left -= ret; + p += ret; + } + } + + return(0); +} +#endif /* __linux__ */ + +#if defined(_WIN32) || defined(_WIN64) + +static isc_once_t isc_random_once = ISC_ONCE_INIT; + +static HCRYPTPROV isc_random_hcryptprov; + +static void isc_random_initialize(void) { + RUNTIME_CHECK(CryptAcquireContext(&hcryptprov, NULL, NULL, PROV_RSA_FULL, + CRYPT_VERIFYCONTEXT|CRYPT_SILENT)); +} + +#endif /* defined(_WIN32) || defined(_WIN64) */ + +uint32_t +isc_random(void) +{ +#if defined(HAVE_ARC4RANDOM) + return(arc4random()); +#else /* HAVE_ARC4RANDOM */ + uint32_t ret; + isc_random_buf(&ret, sizeof(ret)); + return (ret); +#endif /* HAVE_ARC4RANDOM */ +} -#define CHACHA_KEYSIZE 32U -#define CHACHA_IVSIZE 8U -#define CHACHA_BLOCKSIZE 64 -#define CHACHA_BUFFERSIZE (16 * CHACHA_BLOCKSIZE) -#define CHACHA_MAXHAVE (CHACHA_BUFFERSIZE - CHACHA_KEYSIZE - CHACHA_IVSIZE) /* - * Derived from OpenBSD's implementation. The rationale is not clear, - * but should be conservative enough in safety, and reasonably large for - * efficiency. + * Fill the region buf of length buflen with random data. */ -#define CHACHA_MAXLENGTH 1600000 +void +isc_random_buf(void *buf, size_t buflen) +{ + REQUIRE(buf); + REQUIRE(buflen > 0); -/* ChaCha RNG state */ -struct isc_rng { - unsigned int magic; - isc_mem_t *mctx; - chacha_ctx cpctx; - isc_uint8_t buffer[CHACHA_BUFFERSIZE]; - size_t have; - unsigned int references; - int count; - isc_entropy_t *entropy; /*%< entropy source */ - isc_mutex_t lock; -}; - -static isc_once_t once = ISC_ONCE_INIT; - -static void -initialize_rand(void) { -#ifndef HAVE_ARC4RANDOM - unsigned int pid = getpid(); - - /* - * The low bits of pid generally change faster. - * Xor them with the high bits of time which change slowly. - */ - pid = ((pid << 16) & 0xffff0000) | ((pid >> 16) & 0xffff); - - srand((unsigned)time(NULL) ^ pid); -#endif -} - -static void -initialize(void) { +#if defined(_WIN32) || defined(_WIN64) RUNTIME_CHECK(isc_once_do(&once, initialize_rand) == ISC_R_SUCCESS); -} - -void -isc_random_seed(isc_uint32_t seed) { - initialize(); - -#ifndef HAVE_ARC4RANDOM - srand(seed); -#elif defined(HAVE_ARC4RANDOM_STIR) - /* Formally not necessary... */ - UNUSED(seed); - arc4random_stir(); -#elif defined(HAVE_ARC4RANDOM_ADDRANDOM) - arc4random_addrandom((u_char *) &seed, sizeof(isc_uint32_t)); + RUNTIME_CHECK(CryptGenRandom(isc_random_hcryptprov, (DWORD)buflen, buf)); + return; +#elif defined(HAVE_ARC4RANDOM_BUF) + arc4random_buf(buf, buflen); + return; #else - /* - * If arc4random() is available and no corresponding seeding - * function arc4random_addrandom() is available, no seeding is - * done on such platforms (e.g., OpenBSD 5.5). This is because - * the OS itself is supposed to seed the RNG and it is assumed - * that no explicit seeding is required. - */ - UNUSED(seed); -#endif -} -void -isc_random_get(isc_uint32_t *val) { - REQUIRE(val != NULL); - - initialize(); - -#ifndef HAVE_ARC4RANDOM - /* - * rand()'s lower bits are not random. - * rand()'s upper bit is zero. +# if defined(__linux__) + /* We need to check the availability of the SYS_getrandom syscall at runtime + * and fall back to crypto library provider if not available */ -#if RAND_MAX >= 0xfffff - /* We have at least 20 bits. Use lower 16 excluding lower most 4 */ - *val = ((((unsigned int)rand()) & 0xffff0) >> 4) | - ((((unsigned int)rand()) & 0xffff0) << 12); -#elif RAND_MAX >= 0x7fff - /* We have at least 15 bits. Use lower 10/11 excluding lower most 4 */ - *val = ((rand() >> 4) & 0x000007ff) | ((rand() << 7) & 0x003ff800) | - ((rand() << 18) & 0xffc00000); -#else -#error RAND_MAX is too small -#endif -#else - *val = arc4random(); -#endif -} - -isc_uint32_t -isc_random_jitter(isc_uint32_t max, isc_uint32_t jitter) { - isc_uint32_t rnd; - - REQUIRE(jitter < max || (jitter == 0 && max == 0)); - - if (jitter == 0) - return (max); - - isc_random_get(&rnd); - return (max - rnd % jitter); -} - -static void -chacha_reinit(isc_rng_t *rng, isc_uint8_t *buffer, size_t n) { - REQUIRE(rng != NULL); - - if (n < CHACHA_KEYSIZE + CHACHA_IVSIZE) + if (have_getrandom()) { + getrandom_buf(buf, buflen); return; - - chacha_keysetup(&rng->cpctx, buffer, CHACHA_KEYSIZE * 8, 0); - chacha_ivsetup(&rng->cpctx, buffer + CHACHA_KEYSIZE); -} - -isc_result_t -isc_rng_create(isc_mem_t *mctx, isc_entropy_t *entropy, isc_rng_t **rngp) { - union { - unsigned char rnd[128]; - isc_uint32_t rnd32[32]; - } rnd; - isc_result_t result; - isc_rng_t *rng; - - REQUIRE(mctx != NULL); - REQUIRE(rngp != NULL && *rngp == NULL); - - if (entropy != NULL) { - /* - * We accept any quality of random data to avoid blocking. - */ - result = isc_entropy_getdata(entropy, rnd.rnd, - sizeof(rnd), NULL, 0); - RUNTIME_CHECK(result == ISC_R_SUCCESS); - } else { - int i; - for (i = 0; i < 32; i++) - isc_random_get(&rnd.rnd32[i]); } - rng = isc_mem_get(mctx, sizeof(*rng)); - if (rng == NULL) - return (ISC_R_NOMEMORY); +# endif /* defined(__linux__) */ - chacha_reinit(rng, rnd.rnd, sizeof(rnd.rnd)); +/* Use crypto library as fallback when no other CSPRNG is available */ +# if defined(OPENSSL) + RUNTIME_CHECK(RAND_bytes(buf, buflen) < 1); +# elif defined(PKCS11CRYPTO) + RUNTIME_CHECK(pk11_rand_bytes(buf, buflen) == ISC_R_SUCCESS); +# endif /* if defined(HAVE_ARC4RANDOM_BUF) */ - rng->have = 0; - memset(rng->buffer, 0, CHACHA_BUFFERSIZE); - - /* Create lock */ - result = isc_mutex_init(&rng->lock); - if (result != ISC_R_SUCCESS) { - isc_mem_put(mctx, rng, sizeof(*rng)); - return (result); - } - - /* Attach to memory context */ - rng->mctx = NULL; - isc_mem_attach(mctx, &rng->mctx); - - /* Local non-algorithm initializations. */ - rng->count = 0; - rng->entropy = entropy; /* don't have to attach */ - rng->references = 1; - rng->magic = RNG_MAGIC; - - *rngp = rng; - - return (ISC_R_SUCCESS); -} - -void -isc_rng_attach(isc_rng_t *source, isc_rng_t **targetp) { - - REQUIRE(VALID_RNG(source)); - REQUIRE(targetp != NULL && *targetp == NULL); - - LOCK(&source->lock); - source->references++; - UNLOCK(&source->lock); - - *targetp = (isc_rng_t *)source; -} - -static void -destroy(isc_rng_t *rng) { - - REQUIRE(VALID_RNG(rng)); - - rng->magic = 0; - isc_mutex_destroy(&rng->lock); - isc_mem_putanddetach(&rng->mctx, rng, sizeof(isc_rng_t)); -} - -void -isc_rng_detach(isc_rng_t **rngp) { - isc_rng_t *rng; - isc_boolean_t dest = ISC_FALSE; - - REQUIRE(rngp != NULL && VALID_RNG(*rngp)); - - rng = *rngp; - *rngp = NULL; - - LOCK(&rng->lock); - - INSIST(rng->references > 0); - rng->references--; - if (rng->references == 0) - dest = ISC_TRUE; - UNLOCK(&rng->lock); - - if (dest) - destroy(rng); -} - -static void -chacha_rekey(isc_rng_t *rng, u_char *dat, size_t datlen) { - REQUIRE(VALID_RNG(rng)); - -#ifndef KEYSTREAM_ONLY - memset(rng->buffer, 0, CHACHA_BUFFERSIZE); #endif - - /* Fill buffer with the keystream. */ - chacha_encrypt_bytes(&rng->cpctx, rng->buffer, rng->buffer, - CHACHA_BUFFERSIZE); - - /* Mix in optional user provided data. */ - if (dat != NULL) { - size_t i, m; - - m = ISC_MIN(datlen, CHACHA_KEYSIZE + CHACHA_IVSIZE); - for (i = 0; i < m; i++) - rng->buffer[i] ^= dat[i]; - } - - /* Immediately reinit for backtracking resistance. */ - chacha_reinit(rng, rng->buffer, - CHACHA_KEYSIZE + CHACHA_IVSIZE); - memset(rng->buffer, 0, CHACHA_KEYSIZE + CHACHA_IVSIZE); - rng->have = CHACHA_MAXHAVE; } -static void -chacha_getbytes(isc_rng_t *rng, isc_uint8_t *output, size_t length) { - REQUIRE(VALID_RNG(rng)); +uint32_t +isc_random_uniform(uint32_t upper_bound) +{ +#if defined(HAVE_ARC4RANDOM_UNIFORM) + return(arc4random_uniform(upper_bound)); +#else /* if defined(HAVE_ARC4RANDOM_UNIFORM) */ + /* Copy of arc4random_uniform from OpenBSD */ + u_int32_t r, min; - while (ISC_UNLIKELY(length > CHACHA_MAXHAVE)) { - chacha_rekey(rng, NULL, 0); - memmove(output, rng->buffer + CHACHA_BUFFERSIZE - rng->have, - CHACHA_MAXHAVE); - output += CHACHA_MAXHAVE; - length -= CHACHA_MAXHAVE; - rng->have = 0; - } - - if (rng->have < length) - chacha_rekey(rng, NULL, 0); - - memmove(output, rng->buffer + CHACHA_BUFFERSIZE - rng->have, length); - /* Clear the copied region. */ - memset(rng->buffer + CHACHA_BUFFERSIZE - rng->have, 0, length); - rng->have -= length; -} - -static void -chacha_stir(isc_rng_t *rng) { - union { - unsigned char rnd[128]; - isc_uint32_t rnd32[32]; - } rnd; - isc_result_t result; - - REQUIRE(VALID_RNG(rng)); - - if (rng->entropy != NULL) { - /* - * We accept any quality of random data to avoid blocking. - */ - result = isc_entropy_getdata(rng->entropy, rnd.rnd, - sizeof(rnd), NULL, 0); - RUNTIME_CHECK(result == ISC_R_SUCCESS); - } else { - int i; - for (i = 0; i < 32; i++) - isc_random_get(&rnd.rnd32[i]); - } - - chacha_rekey(rng, rnd.rnd, sizeof(rnd.rnd)); - - isc_safe_memwipe(rnd.rnd, sizeof(rnd.rnd)); - - /* Invalidate the buffer too. */ - rng->have = 0; - memset(rng->buffer, 0, CHACHA_BUFFERSIZE); - - /* - * Derived from OpenBSD's implementation. The rationale is not clear, - * but should be conservative enough in safety, and reasonably large - * for efficiency. - */ - rng->count = CHACHA_MAXLENGTH; -} - -void -isc_rng_randombytes(isc_rng_t *rng, void *output, size_t length) { - isc_uint8_t *ptr = output; - - REQUIRE(VALID_RNG(rng)); - REQUIRE(output != NULL && length > 0); - - LOCK(&rng->lock); - - while (ISC_UNLIKELY(length > CHACHA_MAXLENGTH)) { - chacha_stir(rng); - chacha_getbytes(rng, ptr, CHACHA_MAXLENGTH); - ptr += CHACHA_MAXLENGTH; - length -= CHACHA_MAXLENGTH; - rng->count = 0; - } - - rng->count -= length; - if (rng->count <= 0) - chacha_stir(rng); - - chacha_getbytes(rng, ptr, length); - - UNLOCK(&rng->lock); -} - -isc_uint16_t -isc_rng_random(isc_rng_t *rng) { - isc_uint16_t result; - - isc_rng_randombytes(rng, &result, sizeof(result)); - - return (result); -} - -isc_uint16_t -isc_rng_uniformrandom(isc_rng_t *rng, isc_uint16_t upper_bound) { - isc_uint16_t min, r; - - REQUIRE(VALID_RNG(rng)); - - if (upper_bound < 2) + if (upper_bound < 2) { return (0); + } - /* - * Ensure the range of random numbers [min, 0xffff] be a multiple of - * upper_bound and contain at least a half of the 16 bit range. - */ - - if (upper_bound > 0x8000) - min = 1 + ~upper_bound; /* 0x8000 - upper_bound */ - else - min = (isc_uint16_t)(0x10000 % (isc_uint32_t)upper_bound); +#if (ULONG_MAX > 0xffffffffUL) + min = 0x100000000UL % upper_bound; +#else /* if (ULONG_MAX > 0xffffffffUL) */ + /* Calculate (2**32 % upper_bound) avoiding 64-bit math */ + if (upper_bound > 0x80000000) { + min = 1 + ~upper_bound; /* 2**32 - upper_bound */ + } else { + /* (2**32 - (x * 2)) % x == 2**32 % x when x <= 2**31 */ + min = ((0xffffffff - (upper_bound * 2)) + 1) % upper_bound; + } +#endif /* if (ULONG_MAX > 0xffffffffUL) */ /* * This could theoretically loop forever but each retry has @@ -432,10 +204,12 @@ isc_rng_uniformrandom(isc_rng_t *rng, isc_uint16_t upper_bound) { * to re-roll. */ for (;;) { - isc_rng_randombytes(rng, &r, sizeof(r)); - if (r >= min) + r = isc_random(); + if (r >= min) { break; + } } return (r % upper_bound); +#endif /* if defined(HAVE_ARC4RANDOM_UNIFORM) */ } diff --git a/lib/isc/taskpool.c b/lib/isc/taskpool.c index fe9ac5f7cc..706b1b1b69 100644 --- a/lib/isc/taskpool.c +++ b/lib/isc/taskpool.c @@ -95,8 +95,7 @@ isc_taskpool_create(isc_taskmgr_t *tmgr, isc_mem_t *mctx, void isc_taskpool_gettask(isc_taskpool_t *pool, isc_task_t **targetp) { - isc_uint32_t i; - isc_random_get(&i); + isc_uint32_t i = isc_random(); isc_task_attach(pool->tasks[i % pool->ntasks], targetp); } diff --git a/lib/isc/tests/isctest.c b/lib/isc/tests/isctest.c index 9e83de34c9..50d23b3df4 100644 --- a/lib/isc/tests/isctest.c +++ b/lib/isc/tests/isctest.c @@ -18,7 +18,6 @@ #include #include -#include #include #include #include @@ -31,7 +30,6 @@ #include "isctest.h" isc_mem_t *mctx = NULL; -isc_entropy_t *ectx = NULL; isc_log_t *lctx = NULL; isc_taskmgr_t *taskmgr = NULL; isc_timermgr_t *timermgr = NULL; @@ -105,7 +103,6 @@ isc_test_begin(FILE *logfile, isc_boolean_t start_managers, isc_mem_debugging |= ISC_MEM_DEBUGRECORD; CHECK(isc_mem_create(0, 0, &mctx)); - CHECK(isc_entropy_create(mctx, &ectx)); if (logfile != NULL) { isc_logdestination_t destination; @@ -149,8 +146,6 @@ isc_test_end(void) { isc_task_detach(&maintask); if (taskmgr != NULL) isc_taskmgr_destroy(&taskmgr); - if (ectx != NULL) - isc_entropy_detach(&ectx); cleanup_managers(); diff --git a/lib/isc/tests/isctest.h b/lib/isc/tests/isctest.h index b596993ccb..ecb40f85c6 100644 --- a/lib/isc/tests/isctest.h +++ b/lib/isc/tests/isctest.h @@ -14,7 +14,6 @@ #include #include -#include #include #include #include @@ -33,7 +32,6 @@ } while (0) extern isc_mem_t *mctx; -extern isc_entropy_t *ectx; extern isc_log_t *lctx; extern isc_taskmgr_t *taskmgr; extern isc_timermgr_t *timermgr; diff --git a/lib/isc/tests/random_test.c b/lib/isc/tests/random_test.c index 3c7b8ff23e..6d52bbe6ab 100644 --- a/lib/isc/tests/random_test.c +++ b/lib/isc/tests/random_test.c @@ -253,7 +253,6 @@ static void random_test(pvalue_func_t *func, isc_boolean_t word_sized) { isc_mem_t *mctx = NULL; isc_result_t result; - isc_rng_t *rng; isc_uint32_t m; isc_uint32_t j; isc_uint32_t histogram[11] = { 0 }; @@ -270,10 +269,6 @@ random_test(pvalue_func_t *func, isc_boolean_t word_sized) { result = isc_mem_create(0, 0, &mctx); ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); - rng = NULL; - result = isc_rng_create(mctx, NULL, &rng); - ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); - m = 1000; passed = 0; @@ -284,11 +279,10 @@ random_test(pvalue_func_t *func, isc_boolean_t word_sized) { if (word_sized) { for (i = 0; i < REPS; i++) { - isc_rng_randombytes(rng, &values[i], - sizeof(values[i])); + isc_random_buf(&values[i], sizeof(values[i])); } } else { - isc_rng_randombytes(rng, values, sizeof(values)); + isc_random_buf(values, sizeof(values)); } p_value = (*func)(mctx, values, REPS); @@ -303,8 +297,6 @@ random_test(pvalue_func_t *func, isc_boolean_t word_sized) { histogram[i]++; } - isc_rng_detach(&rng); - /* * Check proportion of sequences passing a test (see section * 4.2.1 in NIST SP 800-22). @@ -360,7 +352,7 @@ random_test(pvalue_func_t *func, isc_boolean_t word_sized) { /* * This is a frequency (monobits) test taken from the NIST SP 800-22 - * RNG test suite. + * RANDOM test suite. */ static double monobit(isc_mem_t *mctx, isc_uint16_t *values, size_t length) { @@ -613,97 +605,97 @@ binarymatrixrank(isc_mem_t *mctx, isc_uint16_t *values, size_t length) { return (p_value); } -ATF_TC(isc_rng_monobit_16); -ATF_TC_HEAD(isc_rng_monobit_16, tc) { - atf_tc_set_md_var(tc, "descr", "Monobit test for the RNG"); +ATF_TC(isc_random_monobit_16); +ATF_TC_HEAD(isc_random_monobit_16, tc) { + atf_tc_set_md_var(tc, "descr", "Monobit test for the RANDOM"); } -ATF_TC_BODY(isc_rng_monobit_16, tc) { +ATF_TC_BODY(isc_random_monobit_16, tc) { UNUSED(tc); random_test(monobit, ISC_TRUE); } -ATF_TC(isc_rng_runs_16); -ATF_TC_HEAD(isc_rng_runs_16, tc) { - atf_tc_set_md_var(tc, "descr", "Runs test for the RNG"); +ATF_TC(isc_random_runs_16); +ATF_TC_HEAD(isc_random_runs_16, tc) { + atf_tc_set_md_var(tc, "descr", "Runs test for the RANDOM"); } -ATF_TC_BODY(isc_rng_runs_16, tc) { +ATF_TC_BODY(isc_random_runs_16, tc) { UNUSED(tc); random_test(runs, ISC_TRUE); } -ATF_TC(isc_rng_blockfrequency_16); -ATF_TC_HEAD(isc_rng_blockfrequency_16, tc) { - atf_tc_set_md_var(tc, "descr", "Block frequency test for the RNG"); +ATF_TC(isc_random_blockfrequency_16); +ATF_TC_HEAD(isc_random_blockfrequency_16, tc) { + atf_tc_set_md_var(tc, "descr", "Block frequency test for the RANDOM"); } -ATF_TC_BODY(isc_rng_blockfrequency_16, tc) { +ATF_TC_BODY(isc_random_blockfrequency_16, tc) { UNUSED(tc); random_test(blockfrequency, ISC_TRUE); } -ATF_TC(isc_rng_binarymatrixrank_16); -ATF_TC_HEAD(isc_rng_binarymatrixrank_16, tc) { - atf_tc_set_md_var(tc, "descr", "Binary matrix rank test for the RNG"); +ATF_TC(isc_random_binarymatrixrank_16); +ATF_TC_HEAD(isc_random_binarymatrixrank_16, tc) { + atf_tc_set_md_var(tc, "descr", "Binary matrix rank test for the RANDOM"); } /* * This is the binary matrix rank test taken from the NIST SP 800-22 RNG * test suite. */ -ATF_TC_BODY(isc_rng_binarymatrixrank_16, tc) { +ATF_TC_BODY(isc_random_binarymatrixrank_16, tc) { UNUSED(tc); random_test(binarymatrixrank, ISC_TRUE); } -ATF_TC(isc_rng_monobit_bytes); -ATF_TC_HEAD(isc_rng_monobit_bytes, tc) { - atf_tc_set_md_var(tc, "descr", "Monobit test for the RNG"); +ATF_TC(isc_random_monobit_bytes); +ATF_TC_HEAD(isc_random_monobit_bytes, tc) { + atf_tc_set_md_var(tc, "descr", "Monobit test for the RANDOM"); } -ATF_TC_BODY(isc_rng_monobit_bytes, tc) { +ATF_TC_BODY(isc_random_monobit_bytes, tc) { UNUSED(tc); random_test(monobit, ISC_FALSE); } -ATF_TC(isc_rng_runs_bytes); -ATF_TC_HEAD(isc_rng_runs_bytes, tc) { - atf_tc_set_md_var(tc, "descr", "Runs test for the RNG"); +ATF_TC(isc_random_runs_bytes); +ATF_TC_HEAD(isc_random_runs_bytes, tc) { + atf_tc_set_md_var(tc, "descr", "Runs test for the RANDOM"); } -ATF_TC_BODY(isc_rng_runs_bytes, tc) { +ATF_TC_BODY(isc_random_runs_bytes, tc) { UNUSED(tc); random_test(runs, ISC_FALSE); } -ATF_TC(isc_rng_blockfrequency_bytes); -ATF_TC_HEAD(isc_rng_blockfrequency_bytes, tc) { - atf_tc_set_md_var(tc, "descr", "Block frequency test for the RNG"); +ATF_TC(isc_random_blockfrequency_bytes); +ATF_TC_HEAD(isc_random_blockfrequency_bytes, tc) { + atf_tc_set_md_var(tc, "descr", "Block frequency test for the RANDOM"); } -ATF_TC_BODY(isc_rng_blockfrequency_bytes, tc) { +ATF_TC_BODY(isc_random_blockfrequency_bytes, tc) { UNUSED(tc); random_test(blockfrequency, ISC_FALSE); } -ATF_TC(isc_rng_binarymatrixrank_bytes); -ATF_TC_HEAD(isc_rng_binarymatrixrank_bytes, tc) { - atf_tc_set_md_var(tc, "descr", "Binary matrix rank test for the RNG"); +ATF_TC(isc_random_binarymatrixrank_bytes); +ATF_TC_HEAD(isc_random_binarymatrixrank_bytes, tc) { + atf_tc_set_md_var(tc, "descr", "Binary matrix rank test for the RANDOM"); } /* * This is the binary matrix rank test taken from the NIST SP 800-22 RNG * test suite. */ -ATF_TC_BODY(isc_rng_binarymatrixrank_bytes, tc) { +ATF_TC_BODY(isc_random_binarymatrixrank_bytes, tc) { UNUSED(tc); random_test(binarymatrixrank, ISC_FALSE); @@ -713,14 +705,14 @@ ATF_TC_BODY(isc_rng_binarymatrixrank_bytes, tc) { * Main */ ATF_TP_ADD_TCS(tp) { - ATF_TP_ADD_TC(tp, isc_rng_monobit_16); - ATF_TP_ADD_TC(tp, isc_rng_runs_16); - ATF_TP_ADD_TC(tp, isc_rng_blockfrequency_16); - ATF_TP_ADD_TC(tp, isc_rng_binarymatrixrank_16); - ATF_TP_ADD_TC(tp, isc_rng_monobit_bytes); - ATF_TP_ADD_TC(tp, isc_rng_runs_bytes); - ATF_TP_ADD_TC(tp, isc_rng_blockfrequency_bytes); - ATF_TP_ADD_TC(tp, isc_rng_binarymatrixrank_bytes); + ATF_TP_ADD_TC(tp, isc_random_monobit_16); + ATF_TP_ADD_TC(tp, isc_random_runs_16); + ATF_TP_ADD_TC(tp, isc_random_blockfrequency_16); + ATF_TP_ADD_TC(tp, isc_random_binarymatrixrank_16); + ATF_TP_ADD_TC(tp, isc_random_monobit_bytes); + ATF_TP_ADD_TC(tp, isc_random_runs_bytes); + ATF_TP_ADD_TC(tp, isc_random_blockfrequency_bytes); + ATF_TP_ADD_TC(tp, isc_random_binarymatrixrank_bytes); return (atf_no_error()); } diff --git a/lib/isc/unix/Makefile.in b/lib/isc/unix/Makefile.in index bdd7bfd650..f0929c1c84 100644 --- a/lib/isc/unix/Makefile.in +++ b/lib/isc/unix/Makefile.in @@ -22,7 +22,7 @@ CWARNINGS = # Alphabetically OBJS = @ISC_IPV6_O@ @ISC_PK11_API_O@ \ - app.@O@ dir.@O@ entropy.@O@ errno.@O@ errno2result.@O@ \ + app.@O@ dir.@O@ errno.@O@ errno2result.@O@ \ file.@O@ fsaccess.@O@ interfaceiter.@O@ \ keyboard.@O@ meminfo.@O@ \ net.@O@ os.@O@ resource.@O@ socket.@O@ stdio.@O@ stdtime.@O@ \ @@ -30,7 +30,7 @@ OBJS = @ISC_IPV6_O@ @ISC_PK11_API_O@ \ # Alphabetically SRCS = @ISC_IPV6_C@ @ISC_PK11_API_C@ \ - app.c dir.c entropy.c errno.c errno2result.c \ + app.c dir.c errno.c errno2result.c \ file.c fsaccess.c interfaceiter.c keyboard.c meminfo.c \ net.c os.c resource.c socket.c stdio.c stdtime.c \ strerror.c syslog.c time.c diff --git a/lib/isc/unix/entropy.c b/lib/isc/unix/entropy.c deleted file mode 100644 index bb49370470..0000000000 --- a/lib/isc/unix/entropy.c +++ /dev/null @@ -1,601 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -/* \file unix/entropy.c - * \brief - * This is the system dependent part of the ISC entropy API. - */ - -#include - -#include /* Openserver 5.0.6A and FD_SETSIZE */ -#include -#include -#include -#include -#include - -#ifdef HAVE_NANOSLEEP -#include -#endif -#include - -#include -#include -#include -#include - -#ifdef ISC_PLATFORM_NEEDSYSSELECTH -#include -#endif - -#include "errno2result.h" - -/*% - * There is only one variable in the entropy data structures that is not - * system independent, but pulling the structure that uses it into this file - * ultimately means pulling several other independent structures here also to - * resolve their interdependencies. Thus only the problem variable's type - * is defined here. - */ -#define FILESOURCE_HANDLE_TYPE int - -typedef struct { - int handle; - enum { - isc_usocketsource_disconnected, - isc_usocketsource_connecting, - isc_usocketsource_connected, - isc_usocketsource_ndesired, - isc_usocketsource_wrote, - isc_usocketsource_reading - } status; - size_t sz_to_recv; -} isc_entropyusocketsource_t; - -#include "../entropy.c" - -static unsigned int -get_from_filesource(isc_entropysource_t *source, isc_uint32_t desired) { - isc_entropy_t *ent = source->ent; - unsigned char buf[128]; - int fd = source->sources.file.handle; - ssize_t n, ndesired; - unsigned int added; - - if (source->bad) - return (0); - - desired = desired / 8 + (((desired & 0x07) > 0) ? 1 : 0); - - added = 0; - while (desired > 0) { - ndesired = ISC_MIN(desired, sizeof(buf)); - n = read(fd, buf, ndesired); - if (n < 0) { - if (errno == EAGAIN || errno == EINTR) - goto out; - goto err; - } - if (n == 0) - goto err; - - entropypool_adddata(ent, buf, n, n * 8); - added += n * 8; - desired -= n; - } - goto out; - - err: - (void)close(fd); - source->sources.file.handle = -1; - source->bad = ISC_TRUE; - - out: - return (added); -} - -static unsigned int -get_from_usocketsource(isc_entropysource_t *source, isc_uint32_t desired) { - isc_entropy_t *ent = source->ent; - unsigned char buf[128]; - int fd = source->sources.usocket.handle; - ssize_t n = 0, ndesired; - unsigned int added; - size_t sz_to_recv = source->sources.usocket.sz_to_recv; - - if (source->bad) - return (0); - - desired = desired / 8 + (((desired & 0x07) > 0) ? 1 : 0); - - added = 0; - while (desired > 0) { - ndesired = ISC_MIN(desired, sizeof(buf)); - eagain_loop: - - switch ( source->sources.usocket.status ) { - case isc_usocketsource_ndesired: - buf[0] = ndesired; - if ((n = sendto(fd, buf, 1, 0, NULL, 0)) < 0) { - if (errno == EWOULDBLOCK || errno == EINTR || - errno == ECONNRESET) - goto out; - goto err; - } - INSIST(n == 1); - source->sources.usocket.status = - isc_usocketsource_wrote; - goto eagain_loop; - - case isc_usocketsource_connecting: - case isc_usocketsource_connected: - buf[0] = 1; - buf[1] = ndesired; - if ((n = sendto(fd, buf, 2, 0, NULL, 0)) < 0) { - if (errno == EWOULDBLOCK || errno == EINTR || - errno == ECONNRESET) - goto out; - goto err; - } - if (n == 1) { - source->sources.usocket.status = - isc_usocketsource_ndesired; - goto eagain_loop; - } - INSIST(n == 2); - source->sources.usocket.status = - isc_usocketsource_wrote; - /* FALLTHROUGH */ - - case isc_usocketsource_wrote: - if (recvfrom(fd, buf, 1, 0, NULL, NULL) != 1) { - if (errno == EAGAIN) { - /* - * The problem of EAGAIN (try again - * later) is a major issue on HP-UX. - * Solaris actually tries the recvfrom - * call again, while HP-UX just dies. - * This code is an attempt to let the - * entropy pool fill back up (at least - * that's what I think the problem is.) - * We go to eagain_loop because if we - * just "break", then the "desired" - * amount gets borked. - */ -#ifdef HAVE_NANOSLEEP - struct timespec ts; - - ts.tv_sec = 0; - ts.tv_nsec = 1000000; - nanosleep(&ts, NULL); -#else - usleep(1000); -#endif - goto eagain_loop; - } - if (errno == EWOULDBLOCK || errno == EINTR) - goto out; - goto err; - } - source->sources.usocket.status = - isc_usocketsource_reading; - sz_to_recv = buf[0]; - source->sources.usocket.sz_to_recv = sz_to_recv; - if (sz_to_recv > sizeof(buf)) - goto err; - /* FALLTHROUGH */ - - case isc_usocketsource_reading: - if (sz_to_recv != 0U) { - n = recv(fd, buf, sz_to_recv, 0); - if (n < 0) { - if (errno == EWOULDBLOCK || - errno == EINTR) - goto out; - goto err; - } - } else - n = 0; - break; - - default: - goto err; - } - - if ((size_t)n != sz_to_recv) - source->sources.usocket.sz_to_recv -= n; - else - source->sources.usocket.status = - isc_usocketsource_connected; - - if (n == 0) - goto out; - - entropypool_adddata(ent, buf, n, n * 8); - added += n * 8; - desired -= n; - } - goto out; - - err: - close(fd); - source->bad = ISC_TRUE; - source->sources.usocket.status = isc_usocketsource_disconnected; - source->sources.usocket.handle = -1; - - out: - return (added); -} - -/* - * Poll each source, trying to get data from it to stuff into the entropy - * pool. - */ -static void -fillpool(isc_entropy_t *ent, unsigned int desired, isc_boolean_t blocking) { - unsigned int added; - unsigned int remaining; - unsigned int needed; - unsigned int nsource; - isc_entropysource_t *source; - - REQUIRE(VALID_ENTROPY(ent)); - - needed = desired; - - /* - * This logic is a little strange, so an explanation is in order. - * - * If needed is 0, it means we are being asked to "fill to whatever - * we think is best." This means that if we have at least a - * partially full pool (say, > 1/4th of the pool) we probably don't - * need to add anything. - * - * Also, we will check to see if the "pseudo" count is too high. - * If it is, try to mix in better data. Too high is currently - * defined as 1/4th of the pool. - * - * Next, if we are asked to add a specific bit of entropy, make - * certain that we will do so. Clamp how much we try to add to - * (DIGEST_SIZE * 8 < needed < POOLBITS - entropy). - * - * Note that if we are in a blocking mode, we will only try to - * get as much data as we need, not as much as we might want - * to build up. - */ - if (needed == 0) { - REQUIRE(!blocking); - - if ((ent->pool.entropy >= RND_POOLBITS / 4) - && (ent->pool.pseudo <= RND_POOLBITS / 4)) - return; - - needed = THRESHOLD_BITS * 4; - } else { - needed = ISC_MAX(needed, THRESHOLD_BITS); - needed = ISC_MIN(needed, RND_POOLBITS); - } - - /* - * In any case, clamp how much we need to how much we can add. - */ - needed = ISC_MIN(needed, RND_POOLBITS - ent->pool.entropy); - - /* - * But wait! If we're not yet initialized, we need at least - * THRESHOLD_BITS - * of randomness. - */ - if (ent->initialized < THRESHOLD_BITS) - needed = ISC_MAX(needed, THRESHOLD_BITS - ent->initialized); - - /* - * Poll each file source to see if we can read anything useful from - * it. XXXMLG When where are multiple sources, we should keep a - * record of which one we last used so we can start from it (or the - * next one) to avoid letting some sources build up entropy while - * others are always drained. - */ - - added = 0; - remaining = needed; - if (ent->nextsource == NULL) { - ent->nextsource = ISC_LIST_HEAD(ent->sources); - if (ent->nextsource == NULL) - return; - } - source = ent->nextsource; - again_file: - for (nsource = 0; nsource < ent->nsources; nsource++) { - unsigned int got; - - if (remaining == 0) - break; - - got = 0; - - switch ( source->type ) { - case ENTROPY_SOURCETYPE_FILE: - got = get_from_filesource(source, remaining); - break; - - case ENTROPY_SOURCETYPE_USOCKET: - got = get_from_usocketsource(source, remaining); - break; - } - - added += got; - - remaining -= ISC_MIN(remaining, got); - - source = ISC_LIST_NEXT(source, link); - if (source == NULL) - source = ISC_LIST_HEAD(ent->sources); - } - ent->nextsource = source; - - if (blocking && remaining != 0) { - int fds; - - fds = wait_for_sources(ent); - if (fds > 0) - goto again_file; - } - - /* - * Here, if there are bits remaining to be had and we can block, - * check to see if we have a callback source. If so, call them. - */ - source = ISC_LIST_HEAD(ent->sources); - while ((remaining != 0) && (source != NULL)) { - unsigned int got; - - got = 0; - - if (source->type == ENTROPY_SOURCETYPE_CALLBACK) - got = get_from_callback(source, remaining, blocking); - - added += got; - remaining -= ISC_MIN(remaining, got); - - if (added >= needed) - break; - - source = ISC_LIST_NEXT(source, link); - } - - /* - * Mark as initialized if we've added enough data. - */ - if (ent->initialized < THRESHOLD_BITS) - ent->initialized += added; -} - -static int -wait_for_sources(isc_entropy_t *ent) { - isc_entropysource_t *source; - int maxfd, fd; - int cc; - fd_set reads; - fd_set writes; - - maxfd = -1; - FD_ZERO(&reads); - FD_ZERO(&writes); - - source = ISC_LIST_HEAD(ent->sources); - while (source != NULL) { - if (source->type == ENTROPY_SOURCETYPE_FILE) { - fd = source->sources.file.handle; - if (fd >= 0) { - maxfd = ISC_MAX(maxfd, fd); - FD_SET(fd, &reads); - } - } - if (source->type == ENTROPY_SOURCETYPE_USOCKET) { - fd = source->sources.usocket.handle; - if (fd >= 0) { - switch (source->sources.usocket.status) { - case isc_usocketsource_disconnected: - break; - case isc_usocketsource_connecting: - case isc_usocketsource_connected: - case isc_usocketsource_ndesired: - maxfd = ISC_MAX(maxfd, fd); - FD_SET(fd, &writes); - break; - case isc_usocketsource_wrote: - case isc_usocketsource_reading: - maxfd = ISC_MAX(maxfd, fd); - FD_SET(fd, &reads); - break; - } - } - } - source = ISC_LIST_NEXT(source, link); - } - - if (maxfd < 0) - return (-1); - - cc = select(maxfd + 1, &reads, &writes, NULL, NULL); - if (cc < 0) - return (-1); - - return (cc); -} - -static void -destroyfilesource(isc_entropyfilesource_t *source) { - (void)close(source->handle); -} - -static void -destroyusocketsource(isc_entropyusocketsource_t *source) { - close(source->handle); -} - -/* - * Make a fd non-blocking - */ -static isc_result_t -make_nonblock(int fd) { - int ret; - char strbuf[ISC_STRERRORSIZE]; -#ifdef USE_FIONBIO_IOCTL - int on = 1; -#else - int flags; -#endif - -#ifdef USE_FIONBIO_IOCTL - ret = ioctl(fd, FIONBIO, (char *)&on); -#else - flags = fcntl(fd, F_GETFL, 0); - flags |= PORT_NONBLOCK; - ret = fcntl(fd, F_SETFL, flags); -#endif - - if (ret == -1) { - isc__strerror(errno, strbuf, sizeof(strbuf)); - UNEXPECTED_ERROR(__FILE__, __LINE__, -#ifdef USE_FIONBIO_IOCTL - "ioctl(%d, FIONBIO, &on): %s", fd, -#else - "fcntl(%d, F_SETFL, %d): %s", fd, flags, -#endif - strbuf); - - return (ISC_R_UNEXPECTED); - } - - return (ISC_R_SUCCESS); -} - -isc_result_t -isc_entropy_createfilesource(isc_entropy_t *ent, const char *fname) { - int fd; - struct stat _stat; - isc_boolean_t is_usocket = ISC_FALSE; - isc_boolean_t is_connected = ISC_FALSE; - isc_result_t ret; - isc_entropysource_t *source; - - REQUIRE(VALID_ENTROPY(ent)); - REQUIRE(fname != NULL); - - LOCK(&ent->lock); - - if (stat(fname, &_stat) < 0) { - ret = isc__errno2result(errno); - goto errout; - } - /* - * Solaris 2.5.1 does not have support for sockets (S_IFSOCK), - * but it does return type S_IFIFO (the OS believes that - * the socket is a fifo). This may be an issue if we tell - * the program to look at an actual FIFO as its source of - * entropy. - */ -#if defined(S_ISSOCK) - if (S_ISSOCK(_stat.st_mode)) - is_usocket = ISC_TRUE; -#endif -#if defined(S_ISFIFO) && defined(sun) - if (S_ISFIFO(_stat.st_mode)) - is_usocket = ISC_TRUE; -#endif - if (is_usocket) - fd = socket(PF_UNIX, SOCK_STREAM, 0); - else - fd = open(fname, O_RDONLY | PORT_NONBLOCK, 0); - - if (fd < 0) { - ret = isc__errno2result(errno); - goto errout; - } - - ret = make_nonblock(fd); - if (ret != ISC_R_SUCCESS) - goto closefd; - - if (is_usocket) { - struct sockaddr_un sname; - - memset(&sname, 0, sizeof(sname)); - sname.sun_family = AF_UNIX; - strlcpy(sname.sun_path, fname, sizeof(sname.sun_path)); -#ifdef ISC_PLATFORM_HAVESALEN -#if !defined(SUN_LEN) -#define SUN_LEN(su) \ - (sizeof(*(su)) - sizeof((su)->sun_path) + strlen((su)->sun_path)) -#endif - sname.sun_len = SUN_LEN(&sname); -#endif - - if (connect(fd, (struct sockaddr *) &sname, - sizeof(struct sockaddr_un)) < 0) { - if (errno != EINPROGRESS) { - ret = isc__errno2result(errno); - goto closefd; - } - } else - is_connected = ISC_TRUE; - } - - source = isc_mem_get(ent->mctx, sizeof(isc_entropysource_t)); - if (source == NULL) { - ret = ISC_R_NOMEMORY; - goto closefd; - } - - /* - * From here down, no failures can occur. - */ - source->magic = SOURCE_MAGIC; - source->ent = ent; - source->total = 0; - source->bad = ISC_FALSE; - memset(source->name, 0, sizeof(source->name)); - ISC_LINK_INIT(source, link); - if (is_usocket) { - source->sources.usocket.handle = fd; - if (is_connected) - source->sources.usocket.status = - isc_usocketsource_connected; - else - source->sources.usocket.status = - isc_usocketsource_connecting; - source->sources.usocket.sz_to_recv = 0; - source->type = ENTROPY_SOURCETYPE_USOCKET; - } else { - source->sources.file.handle = fd; - source->type = ENTROPY_SOURCETYPE_FILE; - } - - /* - * Hook it into the entropy system. - */ - ISC_LIST_APPEND(ent->sources, source, link); - ent->nsources++; - - UNLOCK(&ent->lock); - return (ISC_R_SUCCESS); - - closefd: - (void)close(fd); - - errout: - UNLOCK(&ent->lock); - - return (ret); -} diff --git a/lib/isc/unix/file.c b/lib/isc/unix/file.c index 1196a68c72..609ba5035a 100644 --- a/lib/isc/unix/file.c +++ b/lib/isc/unix/file.c @@ -272,9 +272,7 @@ isc_file_renameunique(const char *file, char *templet) { x = cp--; while (cp >= templet && *cp == 'X') { - isc_uint32_t which; - - isc_random_get(&which); + isc_uint32_t which = isc_random(); *cp = alphnum[which % (sizeof(alphnum) - 1)]; x = cp--; } @@ -331,9 +329,7 @@ isc_file_openuniquemode(char *templet, int mode, FILE **fp) { x = cp--; while (cp >= templet && *cp == 'X') { - isc_uint32_t which; - - isc_random_get(&which); + isc_uint32_t which = isc_random(); *cp = alphnum[which % (sizeof(alphnum) - 1)]; x = cp--; } diff --git a/lib/isc/win32/entropy.c b/lib/isc/win32/entropy.c deleted file mode 100644 index 0cf69f5bc5..0000000000 --- a/lib/isc/win32/entropy.c +++ /dev/null @@ -1,301 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - - -/* - * This is the system dependent part of the ISC entropy API. - */ - -#include - -#include -#include - -#include -#include -#include - -/* - * There is only one variable in the entropy data structures that is not - * system independent, but pulling the structure that uses it into this file - * ultimately means pulling several other independent structures here also to - * resolve their interdependencies. Thus only the problem variable's type - * is defined here. - */ -#define FILESOURCE_HANDLE_TYPE HCRYPTPROV - -typedef struct { - int dummy; -} isc_entropyusocketsource_t; - -#include "../entropy.c" - -static unsigned int -get_from_filesource(isc_entropysource_t *source, isc_uint32_t desired) { - isc_entropy_t *ent = source->ent; - unsigned char buf[128]; - HCRYPTPROV hcryptprov = source->sources.file.handle; - ssize_t ndesired; - unsigned int added; - - if (source->bad) - return (0); - - desired = desired / 8 + (((desired & 0x07) > 0) ? 1 : 0); - - added = 0; - while (desired > 0) { - ndesired = ISC_MIN(desired, sizeof(buf)); - if (!CryptGenRandom(hcryptprov, (DWORD)ndesired, buf)) { - CryptReleaseContext(hcryptprov, 0); - source->bad = ISC_TRUE; - goto out; - } - - entropypool_adddata(ent, buf, - (unsigned int)ndesired, - (unsigned int)ndesired * 8); - added += (unsigned int)ndesired * 8; - desired -= (isc_uint32_t)ndesired; - } - - out: - return (added); -} - -/* - * Poll each source, trying to get data from it to stuff into the entropy - * pool. - */ -static void -fillpool(isc_entropy_t *ent, unsigned int desired, isc_boolean_t blocking) { - unsigned int added; - unsigned int remaining; - unsigned int needed; - unsigned int nsource; - isc_entropysource_t *source; - isc_entropysource_t *firstsource; - - REQUIRE(VALID_ENTROPY(ent)); - - needed = desired; - - /* - * This logic is a little strange, so an explanation is in order. - * - * If needed is 0, it means we are being asked to "fill to whatever - * we think is best." This means that if we have at least a - * partially full pool (say, > 1/4th of the pool) we probably don't - * need to add anything. - * - * Also, we will check to see if the "pseudo" count is too high. - * If it is, try to mix in better data. Too high is currently - * defined as 1/4th of the pool. - * - * Next, if we are asked to add a specific bit of entropy, make - * certain that we will do so. Clamp how much we try to add to - * (DIGEST_SIZE * 8 < needed < POOLBITS - entropy). - * - * Note that if we are in a blocking mode, we will only try to - * get as much data as we need, not as much as we might want - * to build up. - */ - if (needed == 0) { - REQUIRE(!blocking); - - if ((ent->pool.entropy >= RND_POOLBITS / 4) - && (ent->pool.pseudo <= RND_POOLBITS / 4)) - return; - - needed = THRESHOLD_BITS * 4; - } else { - needed = ISC_MAX(needed, THRESHOLD_BITS); - needed = ISC_MIN(needed, RND_POOLBITS); - } - - /* - * In any case, clamp how much we need to how much we can add. - */ - needed = ISC_MIN(needed, RND_POOLBITS - ent->pool.entropy); - - /* - * But wait! If we're not yet initialized, we need at least - * THRESHOLD_BITS - * of randomness. - */ - if (ent->initialized < THRESHOLD_BITS) - needed = ISC_MAX(needed, THRESHOLD_BITS - ent->initialized); - - /* - * Poll each file source to see if we can read anything useful from - * it. XXXMLG When where are multiple sources, we should keep a - * record of which one we last used so we can start from it (or the - * next one) to avoid letting some sources build up entropy while - * others are always drained. - */ - - added = 0; - remaining = needed; - if (ent->nextsource == NULL) { - ent->nextsource = ISC_LIST_HEAD(ent->sources); - if (ent->nextsource == NULL) - return; - } - source = ent->nextsource; - /* - * Remember the first source so we can break if we have looped back to - * the beginning and still have nothing - */ - firstsource = source; - again_file: - for (nsource = 0; nsource < ent->nsources; nsource++) { - unsigned int got; - - if (remaining == 0) - break; - - got = 0; - - if (source->type == ENTROPY_SOURCETYPE_FILE) - got = get_from_filesource(source, remaining); - - added += got; - - remaining -= ISC_MIN(remaining, got); - - source = ISC_LIST_NEXT(source, link); - if (source == NULL) - source = ISC_LIST_HEAD(ent->sources); - } - ent->nextsource = source; - - /* - * Go again only if there's been progress and we've not - * gone back to the beginning - */ - if (!(ent->nextsource == firstsource && added == 0)) { - if (blocking && remaining != 0) { - goto again_file; - } - } - - /* - * Here, if there are bits remaining to be had and we can block, - * check to see if we have a callback source. If so, call them. - */ - source = ISC_LIST_HEAD(ent->sources); - while ((remaining != 0) && (source != NULL)) { - unsigned int got; - - got = 0; - - if (source->type == ENTROPY_SOURCETYPE_CALLBACK) - got = get_from_callback(source, remaining, blocking); - - added += got; - remaining -= ISC_MIN(remaining, got); - - if (added >= needed) - break; - - source = ISC_LIST_NEXT(source, link); - } - - /* - * Mark as initialized if we've added enough data. - */ - if (ent->initialized < THRESHOLD_BITS) - ent->initialized += added; -} - - - -/* - * Requires "ent" be locked. - */ -static void -destroyfilesource(isc_entropyfilesource_t *source) { - CryptReleaseContext(source->handle, 0); -} - -static void -destroyusocketsource(isc_entropyusocketsource_t *source) { - UNUSED(source); -} - - -isc_result_t -isc_entropy_createfilesource(isc_entropy_t *ent, const char *fname) { - isc_result_t ret; - isc_entropysource_t *source; - HCRYPTPROV hcryptprov; - BOOL err; - - REQUIRE(VALID_ENTROPY(ent)); - REQUIRE(fname != NULL); - - LOCK(&ent->lock); - - source = NULL; - - /* - * The first time we just try to acquire the context - */ - err = CryptAcquireContext(&hcryptprov, NULL, NULL, PROV_RSA_FULL, - CRYPT_VERIFYCONTEXT); - if (!err){ - (void)GetLastError(); - ret = ISC_R_IOERROR; - goto errout; - } - - source = isc_mem_get(ent->mctx, sizeof(isc_entropysource_t)); - if (source == NULL) { - ret = ISC_R_NOMEMORY; - goto closecontext; - } - - /* - * From here down, no failures can occur. - */ - source->magic = SOURCE_MAGIC; - source->type = ENTROPY_SOURCETYPE_FILE; - source->ent = ent; - source->total = 0; - source->bad = ISC_FALSE; - memset(source->name, 0, sizeof(source->name)); - ISC_LINK_INIT(source, link); - source->sources.file.handle = hcryptprov; - - /* - * Hook it into the entropy system. - */ - ISC_LIST_APPEND(ent->sources, source, link); - ent->nsources++; - - UNLOCK(&ent->lock); - return (ISC_R_SUCCESS); - - closecontext: - CryptReleaseContext(hcryptprov, 0); - - errout: - if (source != NULL) - isc_mem_put(ent->mctx, source, sizeof(isc_entropysource_t)); - - UNLOCK(&ent->lock); - - return (ret); -} - - - - diff --git a/lib/isc/win32/file.c b/lib/isc/win32/file.c index e33ade84ee..49dc50605c 100644 --- a/lib/isc/win32/file.c +++ b/lib/isc/win32/file.c @@ -56,9 +56,7 @@ gettemp(char *path, isc_boolean_t binary, int *doopen) { trv++; /* extra X's get set to 0's */ while (*--trv == 'X') { - isc_uint32_t which; - - isc_random_get(&which); + isc_uint32_t which = isc_random(); *trv = alphnum[which % (sizeof(alphnum) - 1)]; } /* diff --git a/lib/isc/win32/libisc.def.in b/lib/isc/win32/libisc.def.in index 72687aee2f..3b074d53d6 100644 --- a/lib/isc/win32/libisc.def.in +++ b/lib/isc/win32/libisc.def.in @@ -197,23 +197,6 @@ isc_dir_init isc_dir_open isc_dir_read isc_dir_reset -isc_entropy_addcallbacksample -isc_entropy_addsample -isc_entropy_attach -isc_entropy_create -isc_entropy_createcallbacksource -isc_entropy_createfilesource -isc_entropy_createsamplesource -isc_entropy_destroysource -isc_entropy_detach -isc_entropy_getdata -isc_entropy_putdata -isc_entropy_sethook -isc_entropy_stats -isc_entropy_status -isc_entropy_stopcallbacksources -isc_entropy_usebestsource -isc_entropy_usehook isc_errno_toresult isc_error_fatal isc_error_runtimecheck @@ -522,9 +505,9 @@ isc_radix_insert isc_radix_process isc_radix_remove isc_radix_search -isc_random_get -isc_random_jitter -isc_random_seed +isc_random +isc_random_buf +isc_random_uniform isc_ratelimiter_attach isc_ratelimiter_create isc_ratelimiter_dequeue @@ -546,12 +529,6 @@ isc_result_register isc_result_registerids isc_result_toid isc_result_totext -isc_rng_attach -isc_rng_create -isc_rng_detach -isc_rng_random -isc_rng_randombytes -isc_rng_uniformrandom isc_rwlock_destroy isc_rwlock_downgrade isc_rwlock_init diff --git a/lib/isc/win32/libisc.vcxproj.filters.in b/lib/isc/win32/libisc.vcxproj.filters.in index eaf019fd77..ba10ea7254 100644 --- a/lib/isc/win32/libisc.vcxproj.filters.in +++ b/lib/isc/win32/libisc.vcxproj.filters.in @@ -1,4 +1,4 @@ - + @@ -67,9 +67,6 @@ Library Header Files - - Library Header Files - Library Header Files @@ -404,9 +401,6 @@ Win32 Source Files - - Win32 Source Files - Win32 Source Files diff --git a/lib/isc/win32/libisc.vcxproj.in b/lib/isc/win32/libisc.vcxproj.in index 0815eac2e8..66f0c52f73 100644 --- a/lib/isc/win32/libisc.vcxproj.in +++ b/lib/isc/win32/libisc.vcxproj.in @@ -1,4 +1,4 @@ - + @@ -310,7 +310,6 @@ copy InstallFiles ..\Build\Release\ - @@ -492,7 +491,6 @@ copy InstallFiles ..\Build\Release\ - diff --git a/lib/ns/client.c b/lib/ns/client.c index 6ba515c4e9..59e4b00de1 100644 --- a/lib/ns/client.c +++ b/lib/ns/client.c @@ -1651,8 +1651,7 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message, isc_buffer_init(&buf, cookie, sizeof(cookie)); isc_stdtime_get(&now); - isc_rng_randombytes(client->sctx->rngctx, - &nonce, sizeof(nonce)); + isc_random_buf(&nonce, sizeof(nonce)); compute_cookie(client, now, nonce, client->sctx->secret, &buf); diff --git a/lib/ns/include/ns/server.h b/lib/ns/include/ns/server.h index 0b85570764..7f738ccd83 100644 --- a/lib/ns/include/ns/server.h +++ b/lib/ns/include/ns/server.h @@ -96,7 +96,6 @@ struct ns_server { isc_uint16_t transfer_tcp_message_size; isc_boolean_t interface_auto; dns_tkeyctx_t * tkeyctx; - isc_rng_t * rngctx; /*% Server id for NSID */ char * server_id; @@ -132,8 +131,8 @@ struct ns_altsecret { }; isc_result_t -ns_server_create(isc_mem_t *mctx, isc_entropy_t *entropy, - ns_matchview_t matchingview, ns_server_t **sctxp); +ns_server_create(isc_mem_t *mctx, ns_matchview_t matchingview, + ns_server_t **sctxp); /*%< * Create a server context object with default settings. */ diff --git a/lib/ns/server.c b/lib/ns/server.c index c8220592bd..01965aef64 100644 --- a/lib/ns/server.c +++ b/lib/ns/server.c @@ -32,8 +32,8 @@ } while (0) \ isc_result_t -ns_server_create(isc_mem_t *mctx, isc_entropy_t *entropy, - ns_matchview_t matchingview, ns_server_t **sctxp) +ns_server_create(isc_mem_t *mctx, ns_matchview_t matchingview, + ns_server_t **sctxp) { ns_server_t *sctx; isc_result_t result; @@ -56,8 +56,7 @@ ns_server_create(isc_mem_t *mctx, isc_entropy_t *entropy, CHECKFATAL(isc_quota_init(&sctx->tcpquota, 10)); CHECKFATAL(isc_quota_init(&sctx->recursionquota, 100)); - CHECKFATAL(dns_tkeyctx_create(mctx, entropy, &sctx->tkeyctx)); - CHECKFATAL(isc_rng_create(mctx, entropy, &sctx->rngctx)); + CHECKFATAL(dns_tkeyctx_create(mctx, &sctx->tkeyctx)); CHECKFATAL(ns_stats_create(mctx, ns_statscounter_max, &sctx->nsstats)); @@ -159,8 +158,6 @@ ns_server_detach(ns_server_t **sctxp) { dns_acl_detach(&sctx->blackholeacl); if (sctx->keepresporder != NULL) dns_acl_detach(&sctx->keepresporder); - if (sctx->rngctx != NULL) - isc_rng_detach(&sctx->rngctx); if (sctx->tkeyctx != NULL) dns_tkeyctx_destroy(&sctx->tkeyctx); diff --git a/lib/ns/tests/nstest.c b/lib/ns/tests/nstest.c index 9e3fcb40b7..11e12c7e9c 100644 --- a/lib/ns/tests/nstest.c +++ b/lib/ns/tests/nstest.c @@ -19,7 +19,6 @@ #include #include -#include #include #include #include @@ -52,7 +51,6 @@ #include "nstest.h" isc_mem_t *mctx = NULL; -isc_entropy_t *ectx = NULL; isc_log_t *lctx = NULL; isc_taskmgr_t *taskmgr = NULL; isc_task_t *maintask = NULL; @@ -194,9 +192,9 @@ create_managers(void) { CHECK(isc_socketmgr_create(mctx, &socketmgr)); - CHECK(ns_server_create(mctx, ectx, matchview, &sctx)); + CHECK(ns_server_create(mctx, matchview, &sctx)); - CHECK(dns_dispatchmgr_create(mctx, ectx, &dispatchmgr)); + CHECK(dns_dispatchmgr_create(mctx, &dispatchmgr)); CHECK(ns_interfacemgr_create(mctx, sctx, taskmgr, timermgr, socketmgr, dispatchmgr, maintask, @@ -243,9 +241,8 @@ ns_test_begin(FILE *logfile, isc_boolean_t start_managers) { if (debug_mem_record) isc_mem_debugging |= ISC_MEM_DEBUGRECORD; CHECK(isc_mem_create(0, 0, &mctx)); - CHECK(isc_entropy_create(mctx, &ectx)); - CHECK(dst_lib_init(mctx, ectx, NULL, ISC_ENTROPY_BLOCKING)); + CHECK(dst_lib_init(mctx, NULL)); dst_active = ISC_TRUE; if (logfile != NULL) { @@ -300,9 +297,6 @@ ns_test_end(void) { cleanup_managers(); - if (ectx != NULL) - isc_entropy_detach(&ectx); - if (lctx != NULL) isc_log_destroy(&lctx); @@ -557,7 +551,7 @@ attach_query_msg_to_client(ns_client_t *client, const char *qnamestr, /* * Set query ID to a random value. */ - isc_random_get(&qid); + qid = isc_random(); message->id = (dns_messageid_t)(qid & 0xffff); /* diff --git a/lib/ns/tests/nstest.h b/lib/ns/tests/nstest.h index ad92b288d5..d4bc626787 100644 --- a/lib/ns/tests/nstest.h +++ b/lib/ns/tests/nstest.h @@ -14,7 +14,6 @@ #include #include -#include #include #include #include @@ -44,7 +43,6 @@ typedef struct ns_test_id { } while (0) extern isc_mem_t *mctx; -extern isc_entropy_t *ectx; extern isc_log_t *lctx; extern isc_taskmgr_t *taskmgr; extern isc_task_t *maintask; diff --git a/util/copyrights b/util/copyrights index 888aa61fbe..fb7014e76c 100644 --- a/util/copyrights +++ b/util/copyrights @@ -354,8 +354,6 @@ ./bin/tests/optional/byname_test.c C 2000,2001,2004,2005,2007,2009,2012,2015,2016,2017,2018 ./bin/tests/optional/db_test.c C 1999,2000,2001,2004,2005,2007,2008,2009,2011,2012,2013,2015,2016,2017,2018 ./bin/tests/optional/dst_test.c C 2018 -./bin/tests/optional/entropy2_test.c C 2000,2001,2004,2005,2007,2015,2016,2018 -./bin/tests/optional/entropy_test.c C 2000,2001,2004,2005,2007,2015,2016,2018 ./bin/tests/optional/fsaccess_test.c C 2000,2001,2004,2005,2007,2012,2015,2016,2018 ./bin/tests/optional/gsstest.c C 2018 ./bin/tests/optional/hash_test.c C 2000,2001,2004,2005,2006,2007,2014,2015,2016,2017,2018 @@ -3494,7 +3492,6 @@ ./lib/isc/commandline.c C.PORTION 1999,2000,2001,2004,2005,2007,2008,2014,2015,2016,2018 ./lib/isc/counter.c C 2014,2016,2018 ./lib/isc/crc64.c C 2013,2016,2018 -./lib/isc/entropy.c C 2000,2001,2002,2003,2004,2005,2006,2007,2009,2010,2014,2015,2016,2017,2018 ./lib/isc/error.c C 1998,1999,2000,2001,2004,2005,2007,2015,2016,2018 ./lib/isc/event.c C 1998,1999,2000,2001,2004,2005,2007,2014,2016,2017,2018 ./lib/isc/fsaccess.c C 2000,2001,2004,2005,2007,2016,2017,2018 @@ -3525,7 +3522,6 @@ ./lib/isc/include/isc/counter.h C 2014,2016,2018 ./lib/isc/include/isc/crc64.h C 2013,2016,2018 ./lib/isc/include/isc/deprecated.h C 2017,2018 -./lib/isc/include/isc/entropy.h C 2000,2001,2004,2005,2006,2007,2009,2016,2017,2018 ./lib/isc/include/isc/errno.h C 2016,2018 ./lib/isc/include/isc/error.h C 1998,1999,2000,2001,2004,2005,2006,2007,2009,2016,2017,2018 ./lib/isc/include/isc/event.h C 1998,1999,2000,2001,2002,2004,2005,2006,2007,2014,2016,2017,2018 @@ -3728,7 +3724,6 @@ ./lib/isc/unix/Makefile.in MAKE 1998,1999,2000,2001,2004,2007,2009,2012,2014,2015,2016,2017,2018 ./lib/isc/unix/app.c C 1999,2000,2001,2002,2003,2004,2005,2007,2008,2009,2013,2014,2015,2016,2017,2018 ./lib/isc/unix/dir.c C 1999,2000,2001,2004,2005,2007,2008,2009,2011,2012,2016,2017,2018 -./lib/isc/unix/entropy.c C 2000,2001,2002,2003,2004,2005,2006,2007,2008,2012,2016,2017,2018 ./lib/isc/unix/errno.c C 2016,2018 ./lib/isc/unix/errno2result.c C 2000,2001,2002,2004,2005,2007,2011,2012,2013,2016,2018 ./lib/isc/unix/errno2result.h C 2000,2001,2004,2005,2007,2011,2012,2016,2018 @@ -3773,7 +3768,6 @@ ./lib/isc/win32/app.c C 1999,2000,2001,2004,2007,2009,2013,2014,2016,2018 ./lib/isc/win32/condition.c C 1998,1999,2000,2001,2004,2006,2007,2016,2018 ./lib/isc/win32/dir.c C 1999,2000,2001,2004,2007,2008,2009,2011,2012,2013,2016,2017,2018 -./lib/isc/win32/entropy.c C 2000,2001,2002,2004,2007,2009,2013,2016,2018 ./lib/isc/win32/errno.c C 2016,2018 ./lib/isc/win32/errno2result.c C 2000,2001,2002,2004,2005,2007,2008,2013,2016,2018 ./lib/isc/win32/errno2result.h C 2000,2001,2004,2005,2007,2016,2018