- Replace external -DOPENSSL/-DPKCS11CRYPTO with properly AC_DEFINEd
HAVE_OPENSSL/HAVE_PKCS11
- Don't enforce the crypto provider from platform.h, just from dst_api.c
and configure scripts
The three functions has been modeled after the arc4random family of
functions, and they will always return random bytes.
The isc_random family of functions internally use these CSPRNG (if available):
1. getrandom() libc call (might be available on Linux and Solaris)
2. SYS_getrandom syscall (might be available on Linux, detected at runtime)
3. arc4random(), arc4random_buf() and arc4random_uniform() (available on BSDs and Mac OS X)
4. crypto library function:
4a. RAND_bytes in case OpenSSL
4b. pkcs_C_GenerateRandom() in case PKCS#11 library
Replace dns_fixedname_init() calls followed by dns_fixedname_name()
calls with calls to dns_fixedname_initname() where it is possible
without affecting current behavior and/or performance.
This patch was mostly prepared using Coccinelle and the following
semantic patch:
@@
expression fixedname, name;
@@
- dns_fixedname_init(&fixedname);
...
- name = dns_fixedname_name(&fixedname);
+ name = dns_fixedname_initname(&fixedname);
The resulting set of changes was then manually reviewed to exclude false
positives and apply minor tweaks.
It is likely that more occurrences of this pattern can be refactored in
an identical way. This commit only takes care of the low-hanging fruit.
4594. [func] dnssec-keygen no longer uses RSASHA1 by default;
the signing algorithm must be specified on
the command line with the "-a" option. Signing
scripts that rely on the existing default behavior
will break; use "dnssec-keygen -a RSASHA1" to
repair them. (The goal of this change is to make
it easier to find scripts using RSASHA1 so they
can be changed in the event of that algorithm
being deprecated in the future.) [RT #44755]
3786. [func] Provide more detailed error codes when using
native PKCS#11. "pkcs11-tokens" now fails robustly
rather than asserting when run against an HSM with
an incomplete PCKS#11 API implementation. [RT #35479]
3764. [bug] The dnssec-keygen/settime -S and -i options
(to set up a successor key and set the prepublication
interval) were missing from dnssec-keyfromlabel.
[RT #35394]
3730. [cleanup] Added "never" as a synonym for "none" when
configuring key event dates in the dnssec tools.
[RT #35277]
3729. [bug] dnssec-kegeyn could set the publication date
incorrectly when only the activation date was
specified on the command line. [RT #35278]
3705. [func] "configure --enable-native-pkcs11" enables BIND
to use the PKCS#11 API for all cryptographic
functions, so that it can drive a hardware service
module directly without the need to use a modified
OpenSSL as intermediary (so long as the HSM's vendor
provides a complete-enough implementation of the
PKCS#11 interface). This has been tested successfully
with the Thales nShield HSM and with SoftHSMv2 from
the OpenDNSSEC project. [RT #29031]
creating key files if there is a chance that the new
key ID will collide with an existing one after
either of the keys has been revoked. (To override
this in the case of dnssec-keyfromlabel, use the -y
option. dnssec-keygen will simply create a
different, noncolliding key, so an override is
not necessary.) [RT #20838]
activation date in all cases. [RT #20648]
2779. [bug] Dynamic key revokation could fail. [RT #20644]
2778. [bug] dnssec-signzone could fail when a key was revoked
without deleting the unrevoked version. [RT #20638]
