10d019
From 5a465424f5249ceaf0547ab90361a16eb08f7a2b Mon Sep 17 00:00:00 2001
89a891
From: Evan Hunt <each@isc.org>
89a891
Date: Thu, 28 Sep 2017 10:09:22 -0700
89a891
Subject: [PATCH] completed and corrected the crypto-random change
89a891
89a891
4724.	[func]		By default, BIND now uses the random number
89a891
			functions provided by the crypto library (i.e.,
89a891
			OpenSSL or a PKCS#11 provider) as a source of
89a891
			randomness rather than /dev/random.  This is
89a891
			suitable for virtual machine environments
89a891
			which have limited entropy pools and lack
89a891
			hardware random number generators.
89a891
89a891
			This can be overridden by specifying another
89a891
			entropy source via the "random-device" option
89a891
			in named.conf, or via the -r command line option;
89a891
			however, for functions requiring full cryptographic
89a891
			strength, such as DNSSEC key generation, this
89a891
			cannot be overridden. In particular, the -r
89a891
			command line option no longer has any effect on
89a891
			dnssec-keygen.
89a891
89a891
			This can be disabled by building with
89a891
			"configure --disable-crypto-rand".
89a891
			[RT #31459] [RT #46047]
89a891
---
89a891
 bin/confgen/keygen.c                     | 12 +++---
89a891
 bin/dnssec/dnssec-keygen.docbook         | 24 +++++++----
89a891
 bin/dnssec/dnssectool.c                  | 12 +++---
89a891
 bin/named/client.c                       |  3 +-
89a891
 bin/named/config.c                       |  4 +-
89a891
 bin/named/controlconf.c                  | 19 +++++---
89a891
 bin/named/include/named/server.h         |  2 +
89a891
 bin/named/interfacemgr.c                 |  1 +
89a891
 bin/named/query.c                        |  1 +
10d019
 bin/named/server.c                       | 52 ++++++++++++++--------
89a891
 bin/nsupdate/nsupdate.c                  |  4 +-
89a891
 bin/tests/system/pipelined/pipequeries.c |  4 +-
89a891
 bin/tests/system/tkey/keycreate.c        |  4 +-
10d019
 bin/tests/system/tkey/keydelete.c        |  5 +--
89a891
 doc/arm/Bv9ARM-book.xml                  | 55 +++++++++++++++++-------
10d019
 doc/arm/notes-rh-changes.xml             | 43 ++++++++++++++++++
10d019
 doc/arm/notes.xml                        |  1 +
10d019
 lib/dns/dst_api.c                        |  4 +-
89a891
 lib/dns/include/dst/dst.h                | 14 +++++-
89a891
 lib/dns/openssl_link.c                   |  3 +-
89a891
 lib/isc/include/isc/entropy.h            | 50 +++++++++++++++------
89a891
 lib/isc/include/isc/random.h             | 28 +++++++-----
89a891
 lib/isccfg/namedconf.c                   |  2 +-
10d019
 23 files changed, 241 insertions(+), 106 deletions(-)
10d019
 create mode 100644 doc/arm/notes-rh-changes.xml
89a891
89a891
diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c
10d019
index 295e16f..0f79aa8 100644
89a891
--- a/bin/confgen/keygen.c
89a891
+++ b/bin/confgen/keygen.c
89a891
@@ -161,17 +161,15 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
89a891
 
89a891
 	DO("create entropy context", isc_entropy_create(mctx, &ectx));
89a891
 
89a891
-	if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
89a891
-		randomfile = NULL;
89a891
-		open_keyboard = ISC_ENTROPY_KEYBOARDYES;
89a891
-	}
89a891
 #ifdef ISC_PLATFORM_CRYPTORANDOM
89a891
-	if (randomfile != NULL &&
89a891
-	    strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
89a891
-		randomfile = NULL;
89a891
+	if (randomfile == NULL) {
10d019
 		isc_entropy_usehook(ectx, true);
89a891
 	}
89a891
 #endif
89a891
+	if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
89a891
+		randomfile = NULL;
89a891
+		open_keyboard = ISC_ENTROPY_KEYBOARDYES;
89a891
+	}
89a891
 	DO("start entropy source", isc_entropy_usebestsource(ectx,
89a891
 							     &entropy_source,
89a891
 							     randomfile,
89a891
diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook
10d019
index 0ae6b41..4562430 100644
89a891
--- a/bin/dnssec/dnssec-keygen.docbook
89a891
+++ b/bin/dnssec/dnssec-keygen.docbook
10d019
@@ -348,15 +348,23 @@
89a891
 	<term>-r <replaceable class="parameter">randomdev</replaceable></term>
89a891
 	<listitem>
89a891
 	  <para>
89a891
-	    Specifies the source of randomness.  If the operating
89a891
-	    system does not provide a <filename>/dev/random</filename>
89a891
-	    or equivalent device, the default source of randomness
89a891
-	    is keyboard input.  <filename>randomdev</filename>
89a891
-	    specifies
89a891
+	    Specifies a source of randomness.  Normally, when generating
89a891
+	    DNSSEC keys, this option has no effect; the random number
89a891
+	    generation function provided by the cryptographic library will
89a891
+	    be used.
89a891
+	  </para>
89a891
+	  <para>
89a891
+	    If that behavior is disabled at compile time, however,
89a891
+	    the specified file will be used as entropy source
89a891
+	    for key generation.  <filename>randomdev</filename> is
89a891
 	    the name of a character device or file containing random
89a891
-	    data to be used instead of the default.  The special value
89a891
-	    <filename>keyboard</filename> indicates that keyboard
89a891
-	    input should be used.
89a891
+	    data to be used.  The special value <filename>keyboard</filename>
89a891
+	    indicates that keyboard input should be used.
89a891
+	  </para>
89a891
+	  <para>
89a891
+	    The default is <filename>/dev/random</filename> if the
89a891
+	    operating system provides it or an equivalent device;
89a891
+	    if not, the default source of randomness is keyboard input.
89a891
 	  </para>
89a891
 	</listitem>
89a891
       </varlistentry>
89a891
diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
10d019
index 31a99e7..38c83ed 100644
89a891
--- a/bin/dnssec/dnssectool.c
89a891
+++ b/bin/dnssec/dnssectool.c
10d019
@@ -241,18 +241,16 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
89a891
 		ISC_LIST_INIT(sources);
89a891
 	}
89a891
 
89a891
+#ifdef ISC_PLATFORM_CRYPTORANDOM
89a891
+	if (randomfile == NULL) {
10d019
+		isc_entropy_usehook(*ectx, true);
89a891
+	}
89a891
+#endif
89a891
 	if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
89a891
 		usekeyboard = ISC_ENTROPY_KEYBOARDYES;
89a891
 		randomfile = NULL;
89a891
 	}
89a891
 
89a891
-#ifdef ISC_PLATFORM_CRYPTORANDOM
89a891
-	if (randomfile != NULL &&
89a891
-	    strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
89a891
-		randomfile = NULL;
10d019
-		isc_entropy_usehook(*ectx, true);
89a891
-	}
89a891
-#endif
89a891
 	result = isc_entropy_usebestsource(*ectx, &source, randomfile,
89a891
 					   usekeyboard);
89a891
 
89a891
diff --git a/bin/named/client.c b/bin/named/client.c
10d019
index 50fa2cd..524d9a3 100644
89a891
--- a/bin/named/client.c
89a891
+++ b/bin/named/client.c
10d019
@@ -1762,7 +1762,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
89a891
 
89a891
 		isc_buffer_init(&buf, cookie, sizeof(cookie));
89a891
 		isc_stdtime_get(&now;;
89a891
-		isc_random_get(&nonce);
89a891
+		nonce = ((isc_rng_random(ns_g_server->rngctx) << 16) |
89a891
+			 isc_rng_random(ns_g_server->rngctx));
89a891
 
89a891
 		compute_cookie(client, now, nonce, ns_g_server->secret, &buf;;
89a891
 
89a891
diff --git a/bin/named/config.c b/bin/named/config.c
10d019
index dbdff64..63da4b0 100644
89a891
--- a/bin/named/config.c
89a891
+++ b/bin/named/config.c
10d019
@@ -98,7 +98,9 @@ options {\n\
89a891
 #	pid-file \"" NS_LOCALSTATEDIR "/run/named/named.pid\"; /* or /lwresd.pid */\n\
89a891
 	port 53;\n\
89a891
 	prefetch 2 9;\n"
89a891
-#ifdef PATH_RANDOMDEV
89a891
+#if defined(ISC_PLATFORM_CRYPTORANDOM)
89a891
+"	random-device none;\n"
89a891
+#elif defined(PATH_RANDOMDEV)
89a891
 "	random-device \"" PATH_RANDOMDEV "\";\n"
89a891
 #endif
89a891
 "	recursing-file \"named.recursing\";\n\
89a891
diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c
10d019
index d955c2f..40621f2 100644
89a891
--- a/bin/named/controlconf.c
89a891
+++ b/bin/named/controlconf.c
10d019
@@ -325,9 +325,10 @@ log_invalid(isccc_ccmsg_t *ccmsg, isc_result_t result) {
89a891
 
89a891
 static void
89a891
 control_recvmessage(isc_task_t *task, isc_event_t *event) {
89a891
-	controlconnection_t *conn;
89a891
-	controllistener_t *listener;
89a891
-	controlkey_t *key;
89a891
+	controlconnection_t *conn = NULL;
89a891
+	controllistener_t *listener = NULL;
89a891
+	ns_server_t *server = NULL;
89a891
+	controlkey_t *key = NULL;
89a891
 	isccc_sexpr_t *request = NULL;
89a891
 	isccc_sexpr_t *response = NULL;
10d019
 	uint32_t algorithm;
10d019
@@ -338,16 +339,17 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
89a891
 	isc_buffer_t *text;
89a891
 	isc_result_t result;
89a891
 	isc_result_t eresult;
89a891
-	isccc_sexpr_t *_ctrl;
89a891
+	isccc_sexpr_t *_ctrl = NULL;
89a891
 	isccc_time_t sent;
89a891
 	isccc_time_t exp;
10d019
 	uint32_t nonce;
89a891
-	isccc_sexpr_t *data;
89a891
+	isccc_sexpr_t *data = NULL;
89a891
 
89a891
 	REQUIRE(event->ev_type == ISCCC_EVENT_CCMSG);
89a891
 
89a891
 	conn = event->ev_arg;
89a891
 	listener = conn->listener;
89a891
+	server = listener->controls->server;
89a891
 	algorithm = DST_ALG_UNKNOWN;
89a891
 	secret.rstart = NULL;
89a891
 	text = NULL;
10d019
@@ -458,8 +460,11 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
89a891
 	 * Establish nonce.
89a891
 	 */
89a891
 	if (conn->nonce == 0) {
89a891
-		while (conn->nonce == 0)
89a891
-			isc_random_get(&conn->nonce);
89a891
+		while (conn->nonce == 0) {
10d019
+			uint16_t r1 = isc_rng_random(server->rngctx);
10d019
+			uint16_t r2 = isc_rng_random(server->rngctx);
89a891
+			conn->nonce = (r1 << 16) | r2;
89a891
+		}
89a891
 		eresult = ISC_R_SUCCESS;
89a891
 	} else
89a891
 		eresult = ns_control_docommand(request, listener->readonly, &text);
89a891
diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h
10d019
index 7ee8f66..8982d26 100644
89a891
--- a/bin/named/include/named/server.h
89a891
+++ b/bin/named/include/named/server.h
10d019
@@ -20,6 +20,7 @@
89a891
 #include <isc/log.h>
89a891
 #include <isc/magic.h>
89a891
 #include <isc/quota.h>
89a891
+#include <isc/random.h>
89a891
 #include <isc/sockaddr.h>
89a891
 #include <isc/types.h>
89a891
 #include <isc/xml.h>
10d019
@@ -134,6 +135,7 @@ struct ns_server {
89a891
 	char *			lockfile;
89a891
 
10d019
 	uint16_t		transfer_tcp_message_size;
89a891
+	isc_rng_t *		rngctx;
89a891
 };
89a891
 
89a891
 struct ns_altsecret {
89a891
diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c
10d019
index 9dea7c1..272d300 100644
89a891
--- a/bin/named/interfacemgr.c
89a891
+++ b/bin/named/interfacemgr.c
10d019
@@ -17,6 +17,7 @@
89a891
 
89a891
 #include <isc/interfaceiter.h>
89a891
 #include <isc/os.h>
89a891
+#include <isc/random.h>
89a891
 #include <isc/string.h>
89a891
 #include <isc/task.h>
89a891
 #include <isc/util.h>
89a891
diff --git a/bin/named/query.c b/bin/named/query.c
10d019
index c9e5469..0940714 100644
89a891
--- a/bin/named/query.c
89a891
+++ b/bin/named/query.c
10d019
@@ -19,6 +19,7 @@
89a891
 #include <isc/hex.h>
89a891
 #include <isc/mem.h>
89a891
 #include <isc/print.h>
89a891
+#include <isc/random.h>
89a891
 #include <isc/rwlock.h>
89a891
 #include <isc/serial.h>
89a891
 #include <isc/stats.h>
89a891
diff --git a/bin/named/server.c b/bin/named/server.c
10d019
index 36fc047..3c1eec0 100644
89a891
--- a/bin/named/server.c
89a891
+++ b/bin/named/server.c
10d019
@@ -8208,21 +8208,32 @@ load_configuration(const char *filename, ns_server_t *server,
89a891
 	 * Open the source of entropy.
89a891
 	 */
89a891
 	if (first_time) {
89a891
+		const char *randomdev = NULL;
89a891
+		int level = ISC_LOG_ERROR;
89a891
 		obj = NULL;
89a891
 		result = ns_config_get(maps, "random-device", &obj);
89a891
-		if (result != ISC_R_SUCCESS) {
89a891
+		if (result == ISC_R_SUCCESS) {
89a891
+			if (!cfg_obj_isvoid(obj)) {
89a891
+				level = ISC_LOG_INFO;
89a891
+				randomdev = cfg_obj_asstring(obj);
89a891
+			}
89a891
+		}
89a891
+		if (randomdev == NULL) {
10d019
+#ifdef ISC_PLATFORM_CRYPTORANDOM
10d019
+			isc_entropy_usehook(ns_g_entropy, true);
10d019
+#else
89a891
+			if ((obj != NULL) && !cfg_obj_isvoid(obj))
89a891
+				level = ISC_LOG_INFO;
10d019
 			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
10d019
-				      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
89a891
+				      NS_LOGMODULE_SERVER, level,
10d019
 				      "no source of entropy found");
89a891
+			if ((obj == NULL) || cfg_obj_isvoid(obj)) {
89a891
+				CHECK(ISC_R_FAILURE);
89a891
+			}
89a891
+#endif
10d019
 		} else {
10d019
-			const char *randomdev = cfg_obj_asstring(obj);
10d019
-#ifdef ISC_PLATFORM_CRYPTORANDOM
10d019
-			if (strcmp(randomdev, ISC_PLATFORM_CRYPTORANDOM) == 0)
10d019
-				isc_entropy_usehook(ns_g_entropy, true);
10d019
-#else
10d019
-			int level = ISC_LOG_ERROR;
10d019
 			result = isc_entropy_createfilesource(ns_g_entropy,
10d019
-							      randomdev);
10d019
+			                                      randomdev);
89a891
 #ifdef PATH_RANDOMDEV
89a891
 			if (ns_g_fallbackentropy != NULL) {
89a891
 				level = ISC_LOG_INFO;
10d019
@@ -8233,8 +8244,8 @@ load_configuration(const char *filename, ns_server_t *server,
89a891
 					      NS_LOGCATEGORY_GENERAL,
89a891
 					      NS_LOGMODULE_SERVER,
89a891
 					      level,
89a891
-					      "could not open entropy source "
89a891
-					      "%s: %s",
89a891
+					      "could not open "
89a891
+					      "entropy source %s: %s",
89a891
 					      randomdev,
89a891
 					      isc_result_totext(result));
89a891
 			}
10d019
@@ -8254,7 +8265,6 @@ load_configuration(const char *filename, ns_server_t *server,
89a891
 				}
89a891
 				isc_entropy_detach(&ns_g_fallbackentropy);
89a891
 			}
89a891
-#endif
89a891
 #endif
89a891
 		}
10d019
 
10d019
@@ -9022,6 +9032,7 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
10d019
 	server->in_roothints = NULL;
10d019
 	server->blackholeacl = NULL;
10d019
 	server->keepresporder = NULL;
10d019
+	server->rngctx = NULL;
10d019
 
10d019
 	/* Must be first. */
10d019
 	CHECKFATAL(dst_lib_init2(ns_g_mctx, ns_g_entropy,
10d019
@@ -9048,6 +9059,9 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
89a891
 	CHECKFATAL(dns_tkeyctx_create(ns_g_mctx, ns_g_entropy,
89a891
 				      &server->tkeyctx),
89a891
 		   "creating TKEY context");
10d019
+	server->rngctx = NULL;
89a891
+	CHECKFATAL(isc_rng_create(ns_g_mctx, ns_g_entropy, &server->rngctx),
89a891
+	           "creating random numbers context");
89a891
 
89a891
 	/*
89a891
 	 * Setup the server task, which is responsible for coordinating
10d019
@@ -9254,7 +9268,8 @@ ns_server_destroy(ns_server_t **serverp) {
89a891
 
89a891
 	if (server->zonemgr != NULL)
89a891
 		dns_zonemgr_detach(&server->zonemgr);
89a891
-
89a891
+	if (server->rngctx != NULL)
89a891
+		isc_rng_detach(&server->rngctx);
89a891
 	if (server->tkeyctx != NULL)
89a891
 		dns_tkeyctx_destroy(&server->tkeyctx);
89a891
 
10d019
@@ -13230,10 +13245,10 @@ newzone_cfgctx_destroy(void **cfgp) {
89a891
 
89a891
 static isc_result_t
89a891
 generate_salt(unsigned char *salt, size_t saltlen) {
89a891
-	int i, n;
89a891
+	size_t i, n;
89a891
 	union {
89a891
 		unsigned char rnd[256];
10d019
-		uint32_t rnd32[64];
10d019
+		uint16_t rnd16[128];
89a891
 	} rnd;
89a891
 	unsigned char text[512 + 1];
89a891
 	isc_region_t r;
10d019
@@ -13243,9 +13258,10 @@ generate_salt(unsigned char *salt, size_t saltlen) {
89a891
 	if (saltlen > 256U)
89a891
 		return (ISC_R_RANGE);
89a891
 
10d019
-	n = (int) (saltlen + sizeof(uint32_t) - 1) / sizeof(uint32_t);
89a891
-	for (i = 0; i < n; i++)
89a891
-		isc_random_get(&rnd.rnd32[i]);
10d019
+	n = (saltlen + sizeof(uint16_t) - 1) / sizeof(uint16_t);
89a891
+	for (i = 0; i < n; i++) {
89a891
+		rnd.rnd16[i] = isc_rng_random(ns_g_server->rngctx);
89a891
+	}
89a891
 
89a891
 	memmove(salt, rnd.rnd, saltlen);
89a891
 
89a891
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
10d019
index 0286987..0376377 100644
89a891
--- a/bin/nsupdate/nsupdate.c
89a891
+++ b/bin/nsupdate/nsupdate.c
10d019
@@ -283,9 +283,7 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
89a891
 	}
89a891
 
89a891
 #ifdef ISC_PLATFORM_CRYPTORANDOM
89a891
-	if (randomfile != NULL &&
89a891
-	    strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
89a891
-		randomfile = NULL;
89a891
+	if (randomfile == NULL) {
10d019
 		isc_entropy_usehook(*ectx, true);
89a891
 	}
89a891
 #endif
89a891
diff --git a/bin/tests/system/pipelined/pipequeries.c b/bin/tests/system/pipelined/pipequeries.c
10d019
index f0a6ff2..55064f6 100644
89a891
--- a/bin/tests/system/pipelined/pipequeries.c
89a891
+++ b/bin/tests/system/pipelined/pipequeries.c
10d019
@@ -280,9 +280,7 @@ main(int argc, char *argv[]) {
89a891
 	ectx = NULL;
89a891
 	RUNCHECK(isc_entropy_create(mctx, &ectx));
89a891
 #ifdef ISC_PLATFORM_CRYPTORANDOM
89a891
-	if (randomfile != NULL &&
89a891
-	    strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
89a891
-		randomfile = NULL;
89a891
+	if (randomfile == NULL) {
10d019
 		isc_entropy_usehook(ectx, true);
89a891
 	}
89a891
 #endif
89a891
diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c
10d019
index fe8698e..937fcc3 100644
89a891
--- a/bin/tests/system/tkey/keycreate.c
89a891
+++ b/bin/tests/system/tkey/keycreate.c
89a891
@@ -255,9 +255,7 @@ main(int argc, char *argv[]) {
89a891
 	ectx = NULL;
89a891
 	RUNCHECK(isc_entropy_create(mctx, &ectx));
89a891
 #ifdef ISC_PLATFORM_CRYPTORANDOM
89a891
-	if (randomfile != NULL &&
89a891
-	    strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
89a891
-		randomfile = NULL;
89a891
+	if (randomfile == NULL) {
10d019
 		isc_entropy_usehook(ectx, true);
89a891
 	}
89a891
 #endif
89a891
diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c
10d019
index 2146f9b..64b8e74 100644
89a891
--- a/bin/tests/system/tkey/keydelete.c
89a891
+++ b/bin/tests/system/tkey/keydelete.c
10d019
@@ -171,6 +171,7 @@ main(int argc, char **argv) {
10d019
 		randomfile = argv[2];
10d019
 		argv += 2;
10d019
 		argc -= 2;
10d019
+		POST(argc);
10d019
 	}
10d019
 	keyname = argv[1];
10d019
 
10d019
@@ -182,9 +183,7 @@ main(int argc, char **argv) {
89a891
 	ectx = NULL;
89a891
 	RUNCHECK(isc_entropy_create(mctx, &ectx));
89a891
 #ifdef ISC_PLATFORM_CRYPTORANDOM
89a891
-	if (randomfile != NULL &&
89a891
-	    strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
89a891
-		randomfile = NULL;
89a891
+	if (randomfile == NULL) {
10d019
 		isc_entropy_usehook(ectx, true);
89a891
 	}
89a891
 #endif
89a891
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
10d019
index 33e06e6..539973c 100644
89a891
--- a/doc/arm/Bv9ARM-book.xml
89a891
+++ b/doc/arm/Bv9ARM-book.xml
10d019
@@ -5076,22 +5076,45 @@ badresp:1,adberr:0,findfail:0,valfail:0]
89a891
 	    <term><command>random-device</command></term>
89a891
 	    <listitem>
89a891
 	      <para>
89a891
-		The source of entropy to be used by the server.  Entropy is
89a891
-		primarily needed
89a891
-		for DNSSEC operations, such as TKEY transactions and dynamic
89a891
-		update of signed
89a891
-		zones.  This options specifies the device (or file) from which
89a891
-		to read
89a891
-		entropy.  If this is a file, operations requiring entropy will
89a891
-		fail when the
89a891
-		file has been exhausted.  If not specified, the default value
89a891
-		is
89a891
-		<filename>/dev/random</filename>
89a891
-		(or equivalent) when present, and none otherwise.  The
89a891
-		<command>random-device</command> option takes
89a891
-		effect during
89a891
-		the initial configuration load at server startup time and
89a891
-		is ignored on subsequent reloads.
89a891
+		Specifies a source of entropy to be used by the server.
89a891
+		This is a device or file from which to read entropy.
89a891
+		If it is a file, operations requiring entropy
89a891
+		will fail when the file has been exhausted.
89a891
+	      </para>
89a891
+	      <para>
89a891
+		Entropy is needed for cryptographic operations such as
89a891
+		TKEY transactions, dynamic update of signed zones, and
89a891
+		generation of TSIG session keys. It is also used for
89a891
+		seeding and stirring the pseudo-random number generator,
89a891
+		which is used for less critical functions requiring
89a891
+		randomness such as generation of DNS message transaction
89a891
+		ID's.
89a891
+	      </para>
89a891
+	      <para>
89a891
+		If <command>random-device</command> is not specified, or
89a891
+		if it is set to <literal>none</literal>, entropy will be
89a891
+		read from the random number generation function supplied
89a891
+		by the cryptographic library with which BIND was linked
89a891
+		(i.e.  OpenSSL or a PKCS#11 provider).
89a891
+	      </para>
89a891
+	      <para>
89a891
+		The <command>random-device</command> option takes
89a891
+		effect during the initial configuration load at server
89a891
+		startup time and is ignored on subsequent reloads.
89a891
+	      </para>
89a891
+	      <para>
89a891
+		If BIND is built with
89a891
+		<command>configure --disable-crypto-rand</command>, then
89a891
+		entropy is <emphasis>not</emphasis> sourced from the
89a891
+		cryptographic library. In this case, if
89a891
+		<command>random-device</command> is not specified, the
89a891
+		default value is the system random device,
89a891
+		<filename>/dev/random</filename> or the equivalent.
89a891
+		This default can be overridden with
89a891
+		<command>configure --with-randomdev</command>.
89a891
+		If no system random device exists, then no entropy source
89a891
+		will be configured, and <command>named</command> will only
89a891
+		be able to use pseudo-random numbers.
89a891
 	      </para>
89a891
 	    </listitem>
89a891
 	  </varlistentry>
10d019
diff --git a/doc/arm/notes-rh-changes.xml b/doc/arm/notes-rh-changes.xml
10d019
new file mode 100644
10d019
index 0000000..11c3a7c
10d019
--- /dev/null
10d019
+++ b/doc/arm/notes-rh-changes.xml
10d019
@@ -0,0 +1,43 @@
10d019
+
10d019
+
10d019
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
10d019
+ -
10d019
+ - This Source Code Form is subject to the terms of the Mozilla Public
10d019
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
10d019
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
10d019
+ -
10d019
+ - See the COPYRIGHT file distributed with this work for additional
10d019
+ - information regarding copyright ownership.
10d019
+-->
10d019
+
10d019
+<section xml:id="relnotes_rh_changes"><info><title>Red Hat Specific Changes</title></info>
10d019
+  <itemizedlist>
10d019
+     <listitem>
10d019
+      <para>
10d019
+        By default, BIND now uses the random number generation functions
10d019
+        in the cryptographic library (i.e., OpenSSL or a PKCS#11
10d019
+        provider) as a source of high-quality randomness rather than
10d019
+        <filename>/dev/random</filename>.  This is suitable for virtual
10d019
+        machine environments, which may have limited entropy pools and
10d019
+        lack hardware random number generators.
10d019
+      </para>
10d019
+      <para>
10d019
+        This can be overridden by specifying another entropy source via
10d019
+        the <command>random-device</command> option in
10d019
+        <filename>named.conf</filename>, or via the <command>-r</command>
10d019
+        command line option.  However, for functions requiring full
10d019
+        cryptographic strength, such as DNSSEC key generation, this
10d019
+        <emphasis>cannot</emphasis> be overridden. In particular, the
10d019
+        <command>-r</command> command line option no longer has any
10d019
+        effect on <command>dnssec-keygen</command>.
10d019
+      </para>
10d019
+      <para>
10d019
+        This can be disabled by building with
10d019
+        <command>configure --disable-crypto-rand</command>, in which
10d019
+        case <filename>/dev/random</filename> will be the default
10d019
+        entropy source.  [RT #31459] [RT #46047]
10d019
+      </para>
10d019
+    </listitem>
10d019
+  </itemizedlist>
10d019
+</section>
10d019
+
89a891
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
10d019
index b16dab6..763ff7e 100644
89a891
--- a/doc/arm/notes.xml
89a891
+++ b/doc/arm/notes.xml
10d019
@@ -36,6 +36,7 @@
10d019
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.1.xml"/>
10d019
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.0.xml"/>
10d019
 
10d019
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-rh-changes.xml"/>
10d019
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-eol.xml"/>
10d019
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-thankyou.xml"/>
10d019
 </section>
89a891
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
10d019
index 1614afa..0f52df9 100644
89a891
--- a/lib/dns/dst_api.c
89a891
+++ b/lib/dns/dst_api.c
10d019
@@ -2017,10 +2017,12 @@ dst__entropy_getdata(void *buf, unsigned int len, bool pseudo) {
89a891
 	else
89a891
 		flags |= ISC_ENTROPY_BLOCKING;
89a891
 #ifdef ISC_PLATFORM_CRYPTORANDOM
89a891
+	/* get entropy directly from crypto provider */
89a891
 	return (dst_random_getdata(buf, len, NULL, flags));
89a891
 #else
89a891
+	/* get entropy from entropy source or hook function */
89a891
 	return (isc_entropy_getdata(dst_entropy_pool, buf, len, NULL, flags));
89a891
-#endif
89a891
+#endif /* ISC_PLATFORM_CRYPTORANDOM */
89a891
 #endif /* PKCS11CRYPTO */
89a891
 }
89a891
 
89a891
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
10d019
index 6813c96..665574d 100644
89a891
--- a/lib/dns/include/dst/dst.h
89a891
+++ b/lib/dns/include/dst/dst.h
10d019
@@ -163,8 +163,18 @@ isc_result_t
89a891
 dst_random_getdata(void *data, unsigned int length,
89a891
 		   unsigned int *returned, unsigned int flags);
89a891
 /*%<
89a891
- * \brief Return data from the crypto random generator.
89a891
- * Specialization of isc_entropy_getdata().
89a891
+ * Gets random data from the random generator provided by the
89a891
+ * crypto library, if BIND was built with --enable-crypto-rand.
89a891
+ *
89a891
+ * See isc_entropy_getdata() for parameter usage. Normally when
89a891
+ * this function is available, it will be set up as a hook in the
89a891
+ * entropy context, so that isc_entropy_getdata() is a front-end to
89a891
+ * this function.
89a891
+ *
89a891
+ * Returns:
89a891
+ * \li	ISC_R_SUCCESS on success
89a891
+ * \li	ISC_R_NOTIMPLEMENTED if BIND is built with --disable-crypto-rand
89a891
+ * \li	DST_R_OPENSSLFAILURE, DST_R_CRYPTOFAILURE, or other codes on error
89a891
  */
89a891
 
10d019
 bool
89a891
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
10d019
index 6849732..e00a0e4 100644
89a891
--- a/lib/dns/openssl_link.c
89a891
+++ b/lib/dns/openssl_link.c
10d019
@@ -484,7 +484,8 @@ dst__openssl_getengine(const char *engine) {
89a891
 
89a891
 isc_result_t
89a891
 dst_random_getdata(void *data, unsigned int length,
89a891
-		   unsigned int *returned, unsigned int flags) {
89a891
+		   unsigned int *returned, unsigned int flags)
89a891
+{
89a891
 #ifdef ISC_PLATFORM_CRYPTORANDOM
89a891
 #ifndef DONT_REQUIRE_DST_LIB_INIT
89a891
 	INSIST(dst__memory_pool != NULL);
89a891
diff --git a/lib/isc/include/isc/entropy.h b/lib/isc/include/isc/entropy.h
10d019
index 632166a..c7cb17d 100644
89a891
--- a/lib/isc/include/isc/entropy.h
89a891
+++ b/lib/isc/include/isc/entropy.h
89a891
@@ -9,8 +9,6 @@
89a891
  * information regarding copyright ownership.
89a891
  */
89a891
 
89a891
-/* $Id: entropy.h,v 1.35 2009/10/19 02:37:08 marka Exp $ */
89a891
-
89a891
 #ifndef ISC_ENTROPY_H
89a891
 #define ISC_ENTROPY_H 1
89a891
 
10d019
@@ -191,9 +189,8 @@ isc_entropy_createcallbacksource(isc_entropy_t *ent,
89a891
 /*!<
89a891
  * \brief Create an entropy source that is polled via a callback.
89a891
  *
89a891
- * This would
89a891
- * be used when keyboard input is used, or a GUI input method.  It can
89a891
- * also be used to hook in any external entropy source.
89a891
+ * This would be used when keyboard input is used, or a GUI input method.
89a891
+ * It can also be used to hook in any external entropy source.
89a891
  *
89a891
  * Samples are added via isc_entropy_addcallbacksample(), below.
89a891
  * _addcallbacksample() is the only function which may be called from
10d019
@@ -234,15 +231,32 @@ isc_result_t
89a891
 isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length,
89a891
 		    unsigned int *returned, unsigned int flags);
89a891
 /*!<
89a891
- * \brief Extract data from the entropy pool.  This may load the pool from various
89a891
- * sources.
89a891
+ * \brief Get random data from entropy pool 'ent'.
89a891
+ *
89a891
+ * If a hook has been set up using isc_entropy_sethook() and
89a891
+ * isc_entropy_usehook(), then the hook function will be called to get
89a891
+ * random data.
89a891
+ *
89a891
+ * Otherwise, randomness is extracted from the entropy pool set up in BIND.
89a891
+ * This may cause the pool to be loaded from various sources. Ths is done
89a891
+ * by stirring the pool and returning a part of hash as randomness.
89a891
+ * (Note that no secrets are given away here since parts of the hash are
89a891
+ * XORed together before returning.)
89a891
+ *
89a891
+ * 'flags' may contain ISC_ENTROPY_GOODONLY, ISC_ENTROPY_PARTIAL, or
89a891
+ * ISC_ENTROPY_BLOCKING. These will be honored if the hook function is
89a891
+ * not in use. If it is, the flags will be passed to the hook function
89a891
+ * but it may ignore them.
89a891
  *
89a891
- * Do this by stiring the pool and returning a part of hash as randomness.
89a891
- * Note that no secrets are given away here since parts of the hash are
89a891
- * xored together before returned.
89a891
+ * Up to 'length' bytes of randomness are retrieved and copied into 'data'.
89a891
+ * (If 'returned' is not NULL, and the number of bytes copied is less than
89a891
+ * 'length' - which may happen if ISC_ENTROPY_PARTIAL was used - then the
89a891
+ * number of bytes copied will be stored in *returned.)
89a891
  *
89a891
- * Honor the request from the caller to only return good data, any data,
89a891
- * etc.
89a891
+ * Returns:
89a891
+ * \li	ISC_R_SUCCESS on success
89a891
+ * \li	ISC_R_NOENTROPY if entropy pool is empty
89a891
+ * \li	other error codes are possible when a hook is in use
89a891
  */
89a891
 
89a891
 void
10d019
@@ -307,13 +321,21 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
89a891
 void
10d019
 isc_entropy_usehook(isc_entropy_t *ectx, bool onoff);
89a891
 /*!<
89a891
- * \brief Mark/unmark the given entropy structure as being hooked.
89a891
+ * \brief Configure entropy context 'ectx' to use the hook function
89a891
+ *
89a891
+ * Sets the entropy context to call the hook function for random number
89a891
+ * generation, if such a function has been configured via
89a891
+ * isc_entropy_sethook(), whenever isc_entropy_getdata() is called.
89a891
  */
89a891
 
89a891
 void
89a891
 isc_entropy_sethook(isc_entropy_getdata_t myhook);
89a891
 /*!<
89a891
- * \brief Set the getdata hook (e.g., for a crypto random generator).
89a891
+ * \brief Set the hook function.
89a891
+ *
89a891
+ * The hook function is a global value: only one hook function
89a891
+ * can be set in the system. Individual entropy contexts may be
89a891
+ * configured to use it, or not, by calling isc_entropy_usehook().
89a891
  */
89a891
 
89a891
 ISC_LANG_ENDDECLS
89a891
diff --git a/lib/isc/include/isc/random.h b/lib/isc/include/isc/random.h
10d019
index f8aed34..17c551b 100644
89a891
--- a/lib/isc/include/isc/random.h
89a891
+++ b/lib/isc/include/isc/random.h
89a891
@@ -9,8 +9,6 @@
89a891
  * information regarding copyright ownership.
89a891
  */
89a891
 
89a891
-/* $Id: random.h,v 1.20 2009/01/17 23:47:43 tbox Exp $ */
89a891
-
89a891
 #ifndef ISC_RANDOM_H
89a891
 #define ISC_RANDOM_H 1
89a891
 
89a891
@@ -21,13 +19,23 @@
89a891
 #include <isc/mutex.h>
89a891
 
89a891
 /*! \file isc/random.h
89a891
- * \brief Implements a random state pool which will let the caller return a
89a891
- * series of possibly non-reproducible random values.
89a891
+ * \brief Implements pseudo random number generators.
89a891
+ *
89a891
+ * Two pseudo-random number generators are implemented, in isc_random_*
89a891
+ * and isc_rng_*. Neither one is very strong; they should not be used
89a891
+ * in cryptography functions.
89a891
+ *
89a891
+ * isc_random_* is based on arc4random if it is available on the system.
89a891
+ * Otherwise it is based on the posix srand() and rand() functions.
89a891
+ * It is useful for jittering values a bit here and there, such as
89a891
+ * timeouts, etc, but should not be relied upon to generate
89a891
+ * unpredictable sequences (for example, when choosing transaction IDs).
89a891
  *
89a891
- * Note that the
89a891
- * strength of these numbers is not all that high, and should not be
89a891
- * used in cryptography functions.  It is useful for jittering values
89a891
- * a bit here and there, such as timeouts, etc.
89a891
+ * isc_rng_* is based on ChaCha20, and is seeded and stirred from the
89a891
+ * system entropy source. It is stronger than isc_random_* and can
89a891
+ * be used for generating unpredictable sequences. It is still not as
89a891
+ * good as using system entropy directly (see entropy.h) and should not
89a891
+ * be used for cryptographic functions such as key generation.
89a891
  */
89a891
 
89a891
 ISC_LANG_BEGINDECLS
89a891
@@ -115,8 +123,8 @@ isc_rng_random(isc_rng_t *rngctx);
10d019
 uint16_t
10d019
 isc_rng_uniformrandom(isc_rng_t *rngctx, uint16_t upper_bound);
89a891
 /*%<
89a891
- * Returns a uniformly distributed pseudo random 16-bit unsigned
89a891
- * integer.
89a891
+ * Returns a uniformly distributed pseudo-random 16-bit unsigned integer
89a891
+ * less than 'upper_bound'.
89a891
  */
89a891
 
89a891
 ISC_LANG_ENDDECLS
89a891
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
10d019
index 03890a3..7bad989 100644
89a891
--- a/lib/isccfg/namedconf.c
89a891
+++ b/lib/isccfg/namedconf.c
10d019
@@ -1109,7 +1109,7 @@ options_clauses[] = {
89a891
 	{ "pid-file", &cfg_type_qstringornone, 0 },
89a891
 	{ "port", &cfg_type_uint32, 0 },
89a891
 	{ "querylog", &cfg_type_boolean, 0 },
89a891
-	{ "random-device", &cfg_type_qstring, 0 },
89a891
+	{ "random-device", &cfg_type_qstringornone, 0 },
89a891
 	{ "recursing-file", &cfg_type_qstring, 0 },
89a891
 	{ "recursive-clients", &cfg_type_uint32, 0 },
89a891
 	{ "reserved-sockets", &cfg_type_uint32, 0 },
89a891
-- 
89a891
2.20.1
89a891