rpms / bind

Clone
Source Code
GIT

Blame bind-9.11-rt31459.patch

f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f30 f31 f32 f33 f7 f8 f9 main private-fleite-IT101669-branch private-mruprich-bind-branch private-pemensik-master-P4 rawhide
  1.   f31
  2.   bind-9.11-rt31459.patch
Blob History Raw
dee096a 
From 5c29299e43db5a4e6f8b1b07af84dfe1687c4c2b Mon Sep 17 00:00:00 2001
6e9104c 
From: Evan Hunt <each@isc.org>
6e9104c 
Date: Tue, 12 Sep 2017 19:05:46 -0700
6e9104c 
Subject: [PATCH] rebased rt31459c
6e9104c
6e9104c 
[rt31459d] update the newer tools
6e9104c
6e9104c 
[rt31459d] setup entropy in dns_lib_init()
6e9104c
6e9104c 
[rt31459d] silence compiler warning
6e9104c
6e9104c 
DNS_OPENSSL_LIBS -> DST_OPENSSL_LIBS
6e9104c
6e9104c 
Include new unit test
6e9104c 
---
6e9104c 
 bin/confgen/keygen.c                     |   7 +
6e9104c 
 bin/dnssec/dnssec-dsfromkey.c            |   8 +-
6e9104c 
 bin/dnssec/dnssec-importkey.c            |   8 +-
6e9104c 
 bin/dnssec/dnssec-revoke.c               |   8 +-
6e9104c 
 bin/dnssec/dnssec-settime.c              |   8 +-
6e9104c 
 bin/dnssec/dnssec-signzone.c             |  11 +-
6e9104c 
 bin/dnssec/dnssec-verify.c               |   8 +-
6e9104c 
 bin/dnssec/dnssectool.c                  |  11 +-
6e9104c 
 bin/named/server.c                       |   6 +
2a46633 
 bin/nsupdate/nsupdate.c                  |  14 +-
6e9104c 
 bin/tests/makejournal.c                  |   6 +-
833ef7b 
 bin/tests/system/pipelined/pipequeries.c |  20 +-
6e9104c 
 bin/tests/system/pipelined/tests.sh      |   4 +-
6e9104c 
 bin/tests/system/rsabigexponent/bigkey.c |   4 +
1e41691 
 bin/tests/system/tkey/keycreate.c        |  26 ++-
1e41691 
 bin/tests/system/tkey/keydelete.c        |  26 ++-
6e9104c 
 bin/tests/system/tkey/tests.sh           |   8 +-
6e9104c 
 bin/tools/mdig.c                         |   3 +-
1e41691 
 configure                                | 250 +++++++++++++----------
1e41691 
 configure.ac                             |  77 ++++++-
1e41691 
 lib/dns/dst_api.c                        |  21 +-
6e9104c 
 lib/dns/include/dst/dst.h                |   8 +
ad7b3b8 
 lib/dns/lib.c                            |  15 +-
1e41691 
 lib/dns/openssl_link.c                   |  72 ++++++-
1e41691 
 lib/dns/pkcs11.c                         |  29 ++-
6e9104c 
 lib/dns/tests/Kyuafile                   |   1 +
6e9104c 
 lib/dns/tests/Makefile.in                |   7 +
1e41691 
 lib/dns/tests/dstrandom_test.c           | 115 +++++++++++
6e9104c 
 lib/dns/win32/libdns.def.in              |   7 +
6e9104c 
 lib/isc/entropy.c                        |  24 +++
6e9104c 
 lib/isc/include/isc/entropy.h            |  12 ++
6e9104c 
 lib/isc/include/isc/platform.h.in        |   5 +
6e9104c 
 lib/isc/include/isc/types.h              |   2 +
6e9104c 
 lib/isc/pk11.c                           |  12 +-
6e9104c 
 lib/isc/win32/include/isc/platform.h.in  |   5 +
371a1e3 
 win32utils/Configure                     |  28 ++-
833ef7b 
 36 files changed, 701 insertions(+), 175 deletions(-)
6e9104c 
 create mode 100644 lib/dns/tests/dstrandom_test.c
6e9104c
6e9104c 
diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c
ad7b3b8 
index 5015abb..295e16f 100644
6e9104c 
--- a/bin/confgen/keygen.c
6e9104c 
+++ b/bin/confgen/keygen.c
6e9104c 
@@ -165,6 +165,13 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
6e9104c 
 		randomfile = NULL;
6e9104c 
 		open_keyboard = ISC_ENTROPY_KEYBOARDYES;
6e9104c 
 	}
6e9104c 
+#ifdef ISC_PLATFORM_CRYPTORANDOM
6e9104c 
+	if (randomfile != NULL &&
6e9104c 
+	    strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
6e9104c 
+		randomfile = NULL;
ad7b3b8 
+		isc_entropy_usehook(ectx, true);
6e9104c 
+	}
6e9104c 
+#endif
6e9104c 
 	DO("start entropy source", isc_entropy_usebestsource(ectx,
6e9104c 
 							     &entropy_source,
6e9104c 
 							     randomfile,
6e9104c 
diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c
0163153 
index d9d6bb9..de4b15f 100644
6e9104c 
--- a/bin/dnssec/dnssec-dsfromkey.c
6e9104c 
+++ b/bin/dnssec/dnssec-dsfromkey.c
0163153 
@@ -498,14 +498,14 @@ main(int argc, char **argv) {
6e9104c
6e9104c 
 	if (ectx == NULL)
6e9104c 
 		setup_entropy(mctx, NULL, &ectx);
6e9104c 
-	result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
6e9104c 
-	if (result != ISC_R_SUCCESS)
6e9104c 
-		fatal("could not initialize hash");
6e9104c 
 	result = dst_lib_init(mctx, ectx,
6e9104c 
 			      ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
6e9104c 
 	if (result != ISC_R_SUCCESS)
6e9104c 
 		fatal("could not initialize dst: %s",
6e9104c 
 		      isc_result_totext(result));
6e9104c 
+	result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
6e9104c 
+	if (result != ISC_R_SUCCESS)
6e9104c 
+		fatal("could not initialize hash");
6e9104c 
 	isc_entropy_stopcallbacksources(ectx);
6e9104c
6e9104c 
 	setup_logging(mctx, &log;;
0163153 
@@ -574,8 +574,8 @@ main(int argc, char **argv) {
6e9104c 
 	if (dns_rdataset_isassociated(&rdataset))
6e9104c 
 		dns_rdataset_disassociate(&rdataset);
6e9104c 
 	cleanup_logging(&log;;
6e9104c 
-	dst_lib_destroy();
6e9104c 
 	isc_hash_destroy();
6e9104c 
+	dst_lib_destroy();
6e9104c 
 	cleanup_entropy(&ectx);
6e9104c 
 	dns_name_destroy();
6e9104c 
 	if (verbose > 10)
6e9104c 
diff --git a/bin/dnssec/dnssec-importkey.c b/bin/dnssec/dnssec-importkey.c
0163153 
index d65a514..04b3094 100644
6e9104c 
--- a/bin/dnssec/dnssec-importkey.c
6e9104c 
+++ b/bin/dnssec/dnssec-importkey.c
0163153 
@@ -404,14 +404,14 @@ main(int argc, char **argv) {
6e9104c
6e9104c 
 	if (ectx == NULL)
6e9104c 
 		setup_entropy(mctx, NULL, &ectx);
6e9104c 
-	result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
6e9104c 
-	if (result != ISC_R_SUCCESS)
6e9104c 
-		fatal("could not initialize hash");
6e9104c 
 	result = dst_lib_init(mctx, ectx,
6e9104c 
 			      ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
6e9104c 
 	if (result != ISC_R_SUCCESS)
6e9104c 
 		fatal("could not initialize dst: %s",
6e9104c 
 		      isc_result_totext(result));
6e9104c 
+	result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
6e9104c 
+	if (result != ISC_R_SUCCESS)
6e9104c 
+		fatal("could not initialize hash");
6e9104c 
 	isc_entropy_stopcallbacksources(ectx);
6e9104c
6e9104c 
 	setup_logging(mctx, &log;;
0163153 
@@ -455,8 +455,8 @@ main(int argc, char **argv) {
6e9104c 
 	if (dns_rdataset_isassociated(&rdataset))
6e9104c 
 		dns_rdataset_disassociate(&rdataset);
6e9104c 
 	cleanup_logging(&log;;
6e9104c 
-	dst_lib_destroy();
6e9104c 
 	isc_hash_destroy();
6e9104c 
+	dst_lib_destroy();
6e9104c 
 	cleanup_entropy(&ectx);
6e9104c 
 	dns_name_destroy();
6e9104c 
 	if (verbose > 10)
6e9104c 
diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c
1e41691 
index 7d82dbf..10f9359 100644
6e9104c 
--- a/bin/dnssec/dnssec-revoke.c
6e9104c 
+++ b/bin/dnssec/dnssec-revoke.c
ad7b3b8 
@@ -184,14 +184,14 @@ main(int argc, char **argv) {
6e9104c
6e9104c 
 	if (ectx == NULL)
6e9104c 
 		setup_entropy(mctx, NULL, &ectx);
6e9104c 
-	result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
6e9104c 
-	if (result != ISC_R_SUCCESS)
6e9104c 
-		fatal("Could not initialize hash");
6e9104c 
 	result = dst_lib_init2(mctx, ectx, engine,
6e9104c 
 			       ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
6e9104c 
 	if (result != ISC_R_SUCCESS)
6e9104c 
 		fatal("Could not initialize dst: %s",
6e9104c 
 		      isc_result_totext(result));
6e9104c 
+	result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
6e9104c 
+	if (result != ISC_R_SUCCESS)
6e9104c 
+		fatal("Could not initialize hash");
6e9104c 
 	isc_entropy_stopcallbacksources(ectx);
6e9104c
6e9104c 
 	result = dst_key_fromnamedfile(filename, dir,
ad7b3b8 
@@ -273,8 +273,8 @@ main(int argc, char **argv) {
6e9104c
6e9104c 
 cleanup:
6e9104c 
 	dst_key_free(&key);
6e9104c 
-	dst_lib_destroy();
6e9104c 
 	isc_hash_destroy();
6e9104c 
+	dst_lib_destroy();
6e9104c 
 	cleanup_entropy(&ectx);
6e9104c 
 	if (verbose > 10)
6e9104c 
 		isc_mem_stats(mctx, stdout);
6e9104c 
diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c
0163153 
index 7afcaee..1cfa511 100644
6e9104c 
--- a/bin/dnssec/dnssec-settime.c
6e9104c 
+++ b/bin/dnssec/dnssec-settime.c
0163153 
@@ -380,14 +380,14 @@ main(int argc, char **argv) {
6e9104c
6e9104c 
 	if (ectx == NULL)
6e9104c 
 		setup_entropy(mctx, NULL, &ectx);
6e9104c 
-	result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
6e9104c 
-	if (result != ISC_R_SUCCESS)
6e9104c 
-		fatal("Could not initialize hash");
6e9104c 
 	result = dst_lib_init2(mctx, ectx, engine,
6e9104c 
 			       ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
6e9104c 
 	if (result != ISC_R_SUCCESS)
6e9104c 
 		fatal("Could not initialize dst: %s",
6e9104c 
 		      isc_result_totext(result));
6e9104c 
+	result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
6e9104c 
+	if (result != ISC_R_SUCCESS)
6e9104c 
+		fatal("Could not initialize hash");
6e9104c 
 	isc_entropy_stopcallbacksources(ectx);
6e9104c
6e9104c 
 	if (predecessor != NULL) {
0163153 
@@ -672,8 +672,8 @@ main(int argc, char **argv) {
6e9104c 
 	if (prevkey != NULL)
6e9104c 
 		dst_key_free(&prevkey);
6e9104c 
 	dst_key_free(&key);
6e9104c 
-	dst_lib_destroy();
6e9104c 
 	isc_hash_destroy();
6e9104c 
+	dst_lib_destroy();
6e9104c 
 	cleanup_entropy(&ectx);
6e9104c 
 	if (verbose > 10)
6e9104c 
 		isc_mem_stats(mctx, stdout);
6e9104c 
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
dee096a 
index 319a805..27ae4d4 100644
6e9104c 
--- a/bin/dnssec/dnssec-signzone.c
6e9104c 
+++ b/bin/dnssec/dnssec-signzone.c
ad7b3b8 
@@ -3460,14 +3460,15 @@ main(int argc, char *argv[]) {
6e9104c 
 	if (!pseudorandom)
6e9104c 
 		eflags |= ISC_ENTROPY_GOODONLY;
6e9104c
6e9104c 
-	result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
6e9104c 
-	if (result != ISC_R_SUCCESS)
6e9104c 
-		fatal("could not create hash context");
6e9104c 
-
6e9104c 
 	result = dst_lib_init2(mctx, ectx, engine, eflags);
6e9104c 
 	if (result != ISC_R_SUCCESS)
6e9104c 
 		fatal("could not initialize dst: %s",
6e9104c 
 		      isc_result_totext(result));
6e9104c 
+
6e9104c 
+	result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
6e9104c 
+	if (result != ISC_R_SUCCESS)
6e9104c 
+		fatal("could not create hash context");
6e9104c 
+
6e9104c 
 	isc_stdtime_get(&now;;
6e9104c
6e9104c 
 	if (startstr != NULL) {
ad7b3b8 
@@ -3879,8 +3880,8 @@ main(int argc, char *argv[]) {
6e9104c 
 	dns_master_styledestroy(&dsstyle, mctx);
6e9104c
6e9104c 
 	cleanup_logging(&log;;
6e9104c 
-	dst_lib_destroy();
6e9104c 
 	isc_hash_destroy();
6e9104c 
+	dst_lib_destroy();
6e9104c 
 	cleanup_entropy(&ectx);
6e9104c 
 	dns_name_destroy();
6e9104c 
 	if (verbose > 10)
6e9104c 
diff --git a/bin/dnssec/dnssec-verify.c b/bin/dnssec/dnssec-verify.c
ad7b3b8 
index 4c293bf..3263cbc 100644
6e9104c 
--- a/bin/dnssec/dnssec-verify.c
6e9104c 
+++ b/bin/dnssec/dnssec-verify.c
ad7b3b8 
@@ -281,15 +281,15 @@ main(int argc, char *argv[]) {
6e9104c 
 	if (ectx == NULL)
6e9104c 
 		setup_entropy(mctx, NULL, &ectx);
6e9104c
6e9104c 
-	result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
6e9104c 
-	if (result != ISC_R_SUCCESS)
6e9104c 
-		fatal("could not create hash context");
6e9104c 
-
6e9104c 
 	result = dst_lib_init2(mctx, ectx, engine, ISC_ENTROPY_BLOCKING);
6e9104c 
 	if (result != ISC_R_SUCCESS)
6e9104c 
 		fatal("could not initialize dst: %s",
6e9104c 
 		      isc_result_totext(result));
6e9104c
6e9104c 
+	result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
6e9104c 
+	if (result != ISC_R_SUCCESS)
6e9104c 
+		fatal("could not create hash context");
6e9104c 
+
6e9104c 
 	isc_stdtime_get(&now;;
6e9104c
6e9104c 
 	rdclass = strtoclass(classname);
6e9104c 
diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
dee096a 
index 618ec5b..5654435 100644
6e9104c 
--- a/bin/dnssec/dnssectool.c
6e9104c 
+++ b/bin/dnssec/dnssectool.c
ad7b3b8 
@@ -34,6 +34,7 @@
6e9104c 
 #include <isc/heap.h>
6e9104c 
 #include <isc/list.h>
6e9104c 
 #include <isc/mem.h>
6e9104c 
+#include <isc/platform.h>
6e9104c 
 #include <isc/print.h>
6e9104c 
 #include <isc/string.h>
6e9104c 
 #include <isc/time.h>
ad7b3b8 
@@ -235,7 +236,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
6e9104c 
 	if (*ectx == NULL) {
6e9104c 
 		result = isc_entropy_create(mctx, ectx);
6e9104c 
 		if (result != ISC_R_SUCCESS)
6e9104c 
-			fatal("could not create entropy object");
6e9104c 
+			fatal("could not create entropy object: %s",
6e9104c 
+			      isc_result_totext(result));
6e9104c 
 		ISC_LIST_INIT(sources);
6e9104c 
 	}
6e9104c
ad7b3b8 
@@ -244,6 +246,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
6e9104c 
 		randomfile = NULL;
6e9104c 
 	}
6e9104c
6e9104c 
+#ifdef ISC_PLATFORM_CRYPTORANDOM
6e9104c 
+	if (randomfile != NULL &&
6e9104c 
+	    strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
6e9104c 
+		randomfile = NULL;
ad7b3b8 
+		isc_entropy_usehook(*ectx, true);
6e9104c 
+	}
6e9104c 
+#endif
6e9104c 
 	result = isc_entropy_usebestsource(*ectx, &source, randomfile,
6e9104c 
 					   usekeyboard);
6e9104c
6e9104c 
diff --git a/bin/named/server.c b/bin/named/server.c
dee096a 
index 4e503e5..f27071f 100644
6e9104c 
--- a/bin/named/server.c
6e9104c 
+++ b/bin/named/server.c
ad7b3b8 
@@ -36,6 +36,7 @@
6e9104c 
 #include <isc/lex.h>
6e9104c 
 #include <isc/meminfo.h>
6e9104c 
 #include <isc/parseint.h>
6e9104c 
+#include <isc/platform.h>
6e9104c 
 #include <isc/portset.h>
6e9104c 
 #include <isc/print.h>
6e9104c 
 #include <isc/random.h>
0163153 
@@ -8217,6 +8218,10 @@ load_configuration(const char *filename, ns_server_t *server,
6e9104c 
 				      "no source of entropy found");
6e9104c 
 		} else {
6e9104c 
 			const char *randomdev = cfg_obj_asstring(obj);
6e9104c 
+#ifdef ISC_PLATFORM_CRYPTORANDOM
6e9104c 
+			if (strcmp(randomdev, ISC_PLATFORM_CRYPTORANDOM) == 0)
ad7b3b8 
+				isc_entropy_usehook(ns_g_entropy, true);
6e9104c 
+#else
6e9104c 
 			int level = ISC_LOG_ERROR;
6e9104c 
 			result = isc_entropy_createfilesource(ns_g_entropy,
6e9104c 
 							      randomdev);
0163153 
@@ -8251,6 +8256,7 @@ load_configuration(const char *filename, ns_server_t *server,
6e9104c 
 				}
6e9104c 
 				isc_entropy_detach(&ns_g_fallbackentropy);
6e9104c 
 			}
6e9104c 
+#endif
6e9104c 
 #endif
6e9104c 
 		}
12763cd
6e9104c 
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
2a46633 
index bbb3936..0286987 100644
6e9104c 
--- a/bin/nsupdate/nsupdate.c
6e9104c 
+++ b/bin/nsupdate/nsupdate.c
2a46633 
@@ -272,7 +272,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
6e9104c 
 	if (*ectx == NULL) {
6e9104c 
 		result = isc_entropy_create(mctx, ectx);
6e9104c 
 		if (result != ISC_R_SUCCESS)
6e9104c 
-			fatal("could not create entropy object");
6e9104c 
+			fatal("could not create entropy object: %s",
6e9104c 
+			      isc_result_totext(result));
6e9104c 
 		ISC_LIST_INIT(sources);
6e9104c 
 	}
6e9104c
2a46633 
@@ -281,6 +282,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
6e9104c 
 		randomfile = NULL;
6e9104c 
 	}
6e9104c
6e9104c 
+#ifdef ISC_PLATFORM_CRYPTORANDOM
6e9104c 
+	if (randomfile != NULL &&
6e9104c 
+	    strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
6e9104c 
+		randomfile = NULL;
ad7b3b8 
+		isc_entropy_usehook(*ectx, true);
6e9104c 
+	}
6e9104c 
+#endif
6e9104c 
 	result = isc_entropy_usebestsource(*ectx, &source, randomfile,
6e9104c 
 					   usekeyboard);
6e9104c
2a46633 
@@ -979,11 +987,11 @@ setup_system(void) {
6e9104c 
 		}
6e9104c 
 	}
6e9104c
6e9104c 
-	setup_entropy(gmctx, NULL, &entropy);
6e9104c 
+	if (entropy == NULL)
6e9104c 
+		setup_entropy(gmctx, NULL, &entropy);
6e9104c
6e9104c 
 	result = isc_hash_create(gmctx, entropy, DNS_NAME_MAXWIRE);
6e9104c 
 	check_result(result, "isc_hash_create");
6e9104c 
-	isc_hash_init();
6e9104c
6e9104c 
 	result = dns_dispatchmgr_create(gmctx, entropy, &dispatchmgr);
6e9104c 
 	check_result(result, "dns_dispatchmgr_create");
6e9104c 
diff --git a/bin/tests/makejournal.c b/bin/tests/makejournal.c
ad7b3b8 
index 61a41b0..acc71a1 100644
6e9104c 
--- a/bin/tests/makejournal.c
6e9104c 
+++ b/bin/tests/makejournal.c
ad7b3b8 
@@ -102,12 +102,12 @@ main(int argc, char **argv) {
6e9104c 
 	CHECK(isc_mem_create(0, 0, &mctx));
6e9104c 
 	CHECK(isc_entropy_create(mctx, &ectx));
6e9104c
6e9104c 
-	CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
ad7b3b8 
-	hash_active = true;
6e9104c 
-
6e9104c 
 	CHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_BLOCKING));
ad7b3b8 
 	dst_active = true;
6e9104c
6e9104c 
+	CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
ad7b3b8 
+	hash_active = true;
6e9104c 
+
6e9104c 
 	CHECK(isc_log_create(mctx, &lctx, &logconfig));
6e9104c 
 	isc_log_registercategories(lctx, categories);
6e9104c 
 	isc_log_setcontext(lctx);
6e9104c 
diff --git a/bin/tests/system/pipelined/pipequeries.c b/bin/tests/system/pipelined/pipequeries.c
833ef7b 
index c6ab7f8..f0a6ff2 100644
6e9104c 
--- a/bin/tests/system/pipelined/pipequeries.c
6e9104c 
+++ b/bin/tests/system/pipelined/pipequeries.c
ad7b3b8 
@@ -204,6 +204,7 @@ sendqueries(isc_task_t *task, isc_event_t *event) {
6e9104c
6e9104c 
 int
6e9104c 
 main(int argc, char *argv[]) {
6e9104c 
+	char *randomfile = NULL;
6e9104c 
 	isc_sockaddr_t bind_any;
6e9104c 
 	struct in_addr inaddr;
6e9104c 
 	isc_result_t result;
833ef7b 
@@ -222,7 +223,7 @@ main(int argc, char *argv[]) {
833ef7b 
 	int c;
6e9104c
ad7b3b8 
 	isc_commandline_errprint = false;
6e9104c 
-	while ((c = isc_commandline_parse(argc, argv, "p:")) != -1) {
833ef7b 
+	while ((c = isc_commandline_parse(argc, argv, "p:r:")) != -1) {
6e9104c 
 		switch (c) {
6e9104c 
 		case 'p':
6e9104c 
 			result = isc_parse_uint16(&port,
833ef7b 
@@ -233,6 +234,9 @@ main(int argc, char *argv[]) {
6e9104c 
 				exit(1);
6e9104c 
 			}
6e9104c 
 			break;
6e9104c 
+		case 'r':
6e9104c 
+			randomfile = isc_commandline_argument;
6e9104c 
+			break;
6e9104c 
 		case '?':
6e9104c 
 			fprintf(stderr, "%s: invalid argument '%c'",
6e9104c 
 				argv[0], c);
833ef7b 
@@ -275,10 +279,18 @@ main(int argc, char *argv[]) {
6e9104c
6e9104c 
 	ectx = NULL;
6e9104c 
 	RUNCHECK(isc_entropy_create(mctx, &ectx));
6e9104c 
-	RUNCHECK(isc_entropy_createfilesource(ectx, "../random.data"));
6e9104c 
-	RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
6e9104c 
+#ifdef ISC_PLATFORM_CRYPTORANDOM
6e9104c 
+	if (randomfile != NULL &&
6e9104c 
+	    strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
6e9104c 
+		randomfile = NULL;
ad7b3b8 
+		isc_entropy_usehook(ectx, true);
6e9104c 
+	}
6e9104c 
+#endif
6e9104c 
+	if (randomfile != NULL)
6e9104c 
+		RUNCHECK(isc_entropy_createfilesource(ectx, randomfile));
6e9104c
6e9104c 
 	RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY));
6e9104c 
+	RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
6e9104c
6e9104c 
 	taskmgr = NULL;
6e9104c 
 	RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr));
833ef7b 
@@ -331,8 +343,8 @@ main(int argc, char *argv[]) {
6e9104c 
 	isc_task_detach(&task);
6e9104c 
 	isc_taskmgr_destroy(&taskmgr);
6e9104c
6e9104c 
-	dst_lib_destroy();
6e9104c 
 	isc_hash_destroy();
6e9104c 
+	dst_lib_destroy();
6e9104c 
 	isc_entropy_detach(&ectx);
6e9104c
6e9104c 
 	isc_log_destroy(&lctx);
6e9104c 
diff --git a/bin/tests/system/pipelined/tests.sh b/bin/tests/system/pipelined/tests.sh
1e41691 
index 61f1ff7..ed1302a 100644
6e9104c 
--- a/bin/tests/system/pipelined/tests.sh
6e9104c 
+++ b/bin/tests/system/pipelined/tests.sh
6e9104c 
@@ -19,7 +19,7 @@ status=0
6e9104c
6e9104c 
 echo_i "check pipelined TCP queries"
6e9104c 
 ret=0
6e9104c 
-$PIPEQUERIES -p ${PORT} < input > raw || ret=1
6e9104c 
+$PIPEQUERIES -p ${PORT} -r $RANDFILE < input > raw || ret=1
6e9104c 
 awk '{ print $1 " " $5 }' < raw > output
6e9104c 
 sort < output > output-sorted
1e41691 
 $DIFF ref output-sorted || { ret=1 ; echo_i "diff sorted failed"; }
6e9104c 
@@ -43,7 +43,7 @@ status=`expr $status + $ret`
6e9104c
6e9104c 
 echo_i "check keep-response-order"
6e9104c 
 ret=0
6e9104c 
-$PIPEQUERIES -p ${PORT} ++ < inputb > rawb || ret=1
6e9104c 
+$PIPEQUERIES -p ${PORT} -r $RANDFILE ++ < inputb > rawb || ret=1
6e9104c 
 awk '{ print $1 " " $5 }' < rawb > outputb
1e41691 
 $DIFF refb outputb || ret=1
6e9104c 
 if [ $ret != 0 ]; then echo_i "failed"; fi
6e9104c 
diff --git a/bin/tests/system/rsabigexponent/bigkey.c b/bin/tests/system/rsabigexponent/bigkey.c
ad7b3b8 
index 4462f2e..f06268d 100644
6e9104c 
--- a/bin/tests/system/rsabigexponent/bigkey.c
6e9104c 
+++ b/bin/tests/system/rsabigexponent/bigkey.c
6e9104c 
@@ -20,6 +20,7 @@
6e9104c 
 #include <isc/buffer.h>
6e9104c 
 #include <isc/entropy.h>
6e9104c 
 #include <isc/mem.h>
6e9104c 
+#include <isc/platform.h>
6e9104c 
 #include <isc/print.h>
6e9104c 
 #include <isc/region.h>
6e9104c 
 #include <isc/stdio.h>
6e9104c 
@@ -183,6 +184,9 @@ main(int argc, char **argv) {
6e9104c
6e9104c 
 	CHECK(isc_mem_create(0, 0, &mctx), "isc_mem_create()");
6e9104c 
 	CHECK(isc_entropy_create(mctx, &ectx), "isc_entropy_create()");
6e9104c 
+#ifdef ISC_PLATFORM_CRYPTORANDOM
ad7b3b8 
+	isc_entropy_usehook(ectx, true);
6e9104c 
+#endif
6e9104c 
 	CHECK(isc_entropy_usebestsource(ectx, &source,
6e9104c 
 					"../random.data",
6e9104c 
 					ISC_ENTROPY_KEYBOARDNO),
6e9104c 
diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c
ad7b3b8 
index 653c951..fe8698e 100644
6e9104c 
--- a/bin/tests/system/tkey/keycreate.c
6e9104c 
+++ b/bin/tests/system/tkey/keycreate.c
6e9104c 
@@ -206,6 +206,7 @@ sendquery(isc_task_t *task, isc_event_t *event) {
6e9104c 
 int
6e9104c 
 main(int argc, char *argv[]) {
6e9104c 
 	char *ourkeyname;
6e9104c 
+	char *randomfile;
6e9104c 
 	isc_taskmgr_t *taskmgr;
6e9104c 
 	isc_timermgr_t *timermgr;
6e9104c 
 	isc_socketmgr_t *socketmgr;
6e9104c 
@@ -225,10 +226,21 @@ main(int argc, char *argv[]) {
6e9104c
6e9104c 
 	RUNCHECK(isc_app_start());
6e9104c
6e9104c 
+	randomfile = NULL;
6e9104c 
+
6e9104c 
 	if (argc < 2) {
6e9104c 
 		fprintf(stderr, "I:no DH key provided\n");
6e9104c 
 		exit(-1);
6e9104c 
 	}
6e9104c 
+	if (strcmp(argv[1], "-r") == 0) {
6e9104c 
+		if (argc < 4) {
6e9104c 
+			fprintf(stderr, "I:no DH key provided\n");
6e9104c 
+			exit(-1);
6e9104c 
+		}
6e9104c 
+		randomfile = argv[2];
6e9104c 
+		argv += 2;
6e9104c 
+		argc -= 2;
6e9104c 
+	}
6e9104c 
 	ourkeyname = argv[1];
6e9104c
6e9104c 
 	if (argc >= 3)
6e9104c 
@@ -242,14 +254,22 @@ main(int argc, char *argv[]) {
6e9104c
6e9104c 
 	ectx = NULL;
6e9104c 
 	RUNCHECK(isc_entropy_create(mctx, &ectx));
6e9104c 
-	RUNCHECK(isc_entropy_createfilesource(ectx, "../random.data"));
6e9104c 
-	RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
6e9104c 
+#ifdef ISC_PLATFORM_CRYPTORANDOM
6e9104c 
+	if (randomfile != NULL &&
6e9104c 
+	    strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
6e9104c 
+		randomfile = NULL;
ad7b3b8 
+		isc_entropy_usehook(ectx, true);
6e9104c 
+	}
6e9104c 
+#endif
6e9104c 
+	if (randomfile != NULL)
6e9104c 
+		RUNCHECK(isc_entropy_createfilesource(ectx, randomfile));
6e9104c
6e9104c 
 	log = NULL;
6e9104c 
 	logconfig = NULL;
6e9104c 
 	RUNCHECK(isc_log_create(mctx, &log, &logconfig));
6e9104c
6e9104c 
 	RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY));
6e9104c 
+	RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
6e9104c
6e9104c 
 	taskmgr = NULL;
6e9104c 
 	RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr));
6e9104c 
@@ -328,8 +348,8 @@ main(int argc, char *argv[]) {
6e9104c
6e9104c 
 	isc_log_destroy(&log;;
6e9104c
6e9104c 
-	dst_lib_destroy();
6e9104c 
 	isc_hash_destroy();
6e9104c 
+	dst_lib_destroy();
6e9104c 
 	isc_entropy_detach(&ectx);
6e9104c
6e9104c 
 	isc_mem_destroy(&mctx);
6e9104c 
diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c
ad7b3b8 
index 70a40c3..2146f9b 100644
6e9104c 
--- a/bin/tests/system/tkey/keydelete.c
6e9104c 
+++ b/bin/tests/system/tkey/keydelete.c
6e9104c 
@@ -136,6 +136,7 @@ sendquery(isc_task_t *task, isc_event_t *event) {
6e9104c 
 int
6e9104c 
 main(int argc, char **argv) {
6e9104c 
 	char *keyname;
6e9104c 
+	char *randomfile;
6e9104c 
 	isc_taskmgr_t *taskmgr;
6e9104c 
 	isc_timermgr_t *timermgr;
6e9104c 
 	isc_socketmgr_t *socketmgr;
6e9104c 
@@ -156,10 +157,21 @@ main(int argc, char **argv) {
6e9104c
6e9104c 
 	RUNCHECK(isc_app_start());
6e9104c
6e9104c 
+	randomfile = NULL;
6e9104c 
+
6e9104c 
 	if (argc < 2) {
6e9104c 
 		fprintf(stderr, "I:no key to delete\n");
6e9104c 
 		exit(-1);
6e9104c 
 	}
6e9104c 
+	if (strcmp(argv[1], "-r") == 0) {
6e9104c 
+		if (argc < 4) {
6e9104c 
+			fprintf(stderr, "I:no DH key provided\n");
6e9104c 
+			exit(-1);
6e9104c 
+		}
6e9104c 
+		randomfile = argv[2];
6e9104c 
+		argv += 2;
6e9104c 
+		argc -= 2;
6e9104c 
+	}
6e9104c 
 	keyname = argv[1];
6e9104c
6e9104c 
 	dns_result_register();
6e9104c 
@@ -169,14 +181,22 @@ main(int argc, char **argv) {
6e9104c
6e9104c 
 	ectx = NULL;
6e9104c 
 	RUNCHECK(isc_entropy_create(mctx, &ectx));
6e9104c 
-	RUNCHECK(isc_entropy_createfilesource(ectx, "../random.data"));
6e9104c 
-	RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
6e9104c 
+#ifdef ISC_PLATFORM_CRYPTORANDOM
6e9104c 
+	if (randomfile != NULL &&
6e9104c 
+	    strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
6e9104c 
+		randomfile = NULL;
ad7b3b8 
+		isc_entropy_usehook(ectx, true);
6e9104c 
+	}
6e9104c 
+#endif
6e9104c 
+	if (randomfile != NULL)
6e9104c 
+		RUNCHECK(isc_entropy_createfilesource(ectx, randomfile));
6e9104c
6e9104c 
 	log = NULL;
6e9104c 
 	logconfig = NULL;
6e9104c 
 	RUNCHECK(isc_log_create(mctx, &log, &logconfig));
6e9104c
6e9104c 
 	RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY));
6e9104c 
+	RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
6e9104c
6e9104c 
 	taskmgr = NULL;
6e9104c 
 	RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr));
ad7b3b8 
@@ -264,8 +284,8 @@ main(int argc, char **argv) {
6e9104c
6e9104c 
 	isc_log_destroy(&log;;
6e9104c
6e9104c 
-	dst_lib_destroy();
6e9104c 
 	isc_hash_destroy();
6e9104c 
+	dst_lib_destroy();
6e9104c 
 	isc_entropy_detach(&ectx);
6e9104c
6e9104c 
 	isc_mem_destroy(&mctx);
6e9104c 
diff --git a/bin/tests/system/tkey/tests.sh b/bin/tests/system/tkey/tests.sh
6e9104c 
index 9f90dd7..fad6c83 100644
6e9104c 
--- a/bin/tests/system/tkey/tests.sh
6e9104c 
+++ b/bin/tests/system/tkey/tests.sh
6e9104c 
@@ -33,7 +33,7 @@ for owner in . foo.example.
6e9104c 
 do
6e9104c 
 	echo "I:creating new key using owner name \"$owner\""
6e9104c 
 	ret=0
6e9104c 
-	keyname=`$KEYCREATE $dhkeyname $owner` || ret=1
6e9104c 
+	keyname=`$KEYCREATE -r $RANDFILE $dhkeyname $owner` || ret=1
6e9104c 
 	if [ $ret != 0 ]; then
6e9104c 
 		echo "I:failed"
6e9104c 
 		status=`expr $status + $ret`
6e9104c 
@@ -55,7 +55,7 @@ do
6e9104c
6e9104c 
 	echo "I:deleting new key"
6e9104c 
 	ret=0
6e9104c 
-	$KEYDELETE $keyname || ret=1
6e9104c 
+	$KEYDELETE -r $RANDFILE $keyname || ret=1
6e9104c 
 	if [ $ret != 0 ]; then
6e9104c 
 		echo "I:failed"
6e9104c 
 	fi
6e9104c 
@@ -75,7 +75,7 @@ done
6e9104c
6e9104c 
 echo "I:creating new key using owner name bar.example."
6e9104c 
 ret=0
6e9104c 
-keyname=`$KEYCREATE $dhkeyname bar.example.` || ret=1
6e9104c 
+keyname=`$KEYCREATE -r $RANDFILE $dhkeyname bar.example.` || ret=1
6e9104c 
 if [ $ret != 0 ]; then
6e9104c 
         echo "I:failed"
6e9104c 
 	status=`expr $status + $ret`
6e9104c 
@@ -116,7 +116,7 @@ status=`expr $status + $ret`
6e9104c
6e9104c 
 echo "I:recreating the bar.example. key"
6e9104c 
 ret=0
6e9104c 
-keyname=`$KEYCREATE $dhkeyname bar.example.` || ret=1
6e9104c 
+keyname=`$KEYCREATE -r $RANDFILE $dhkeyname bar.example.` || ret=1
6e9104c 
 if [ $ret != 0 ]; then
6e9104c 
         echo "I:failed"
6e9104c 
 	status=`expr $status + $ret`
6e9104c 
diff --git a/bin/tools/mdig.c b/bin/tools/mdig.c
12763cd 
index bf6dbb6..0416b21 100644
6e9104c 
--- a/bin/tools/mdig.c
6e9104c 
+++ b/bin/tools/mdig.c
843e5f5 
@@ -1972,12 +1972,11 @@ main(int argc, char *argv[]) {
6e9104c
6e9104c 
 	ectx = NULL;
6e9104c 
 	RUNCHECK(isc_entropy_create(mctx, &ectx));
6e9104c 
+	RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY));
6e9104c 
 	RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
6e9104c 
 	RUNCHECK(isc_entropy_getdata(ectx, cookie_secret,
6e9104c 
 				     sizeof(cookie_secret), NULL, 0));
6e9104c
6e9104c 
-	RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY));
6e9104c 
-
6e9104c 
 	ISC_LIST_INIT(queries);
ad7b3b8 
 	parse_args(false, argc, argv);
6e9104c 
 	if (server == NULL)
6e9104c 
diff --git a/configure b/configure
dee096a 
index 6d05371..33689c9 100755
6e9104c 
--- a/configure
6e9104c 
+++ b/configure
6e9104c 
@@ -640,6 +640,7 @@ ac_includes_default="\
6e9104c
6e9104c 
 ac_subst_vars='LTLIBOBJS
6e9104c 
 LIBOBJS
6e9104c 
+LIBDIR_SUFFIX
6e9104c 
 BUILD_LIBS
6e9104c 
 BUILD_LDFLAGS
6e9104c 
 BUILD_CPPFLAGS
dee096a 
@@ -823,6 +824,7 @@ LIBXML2_CFLAGS
6e9104c 
 NZDTARGETS
6e9104c 
 NZDSRCS
6e9104c 
 NZD_TOOLS
6e9104c 
+ISC_PLATFORM_CRYPTORANDOM
6e9104c 
 PKCS11_TEST
6e9104c 
 PKCS11_ED25519
6e9104c 
 PKCS11_GOST
dee096a 
@@ -1047,6 +1049,7 @@ with_eddsa
6e9104c 
 with_aes
6e9104c 
 enable_openssl_hash
6e9104c 
 with_cc_alg
6e9104c 
+enable_crypto_rand
6e9104c 
 with_lmdb
6e9104c 
 with_libxml2
6e9104c 
 with_libjson
dee096a 
@@ -1749,6 +1752,7 @@ Optional Features:
6e9104c 
   --enable-threads        enable multithreading
6e9104c 
   --enable-native-pkcs11  use native PKCS11 for all crypto [default=no]
6e9104c 
   --enable-openssl-hash   use OpenSSL for hash functions [default=no]
6e9104c 
+  --enable-crypto-rand    use the crypto provider for random [default=yes]
6e9104c 
   --enable-largefile      64-bit file support
6e9104c 
   --enable-backtrace      log stack backtrace on abort [default=yes]
6e9104c 
   --enable-symtable       use internal symbol table for backtrace
dee096a 
@@ -17144,6 +17148,7 @@ case "$use_openssl" in
6e9104c 
 $as_echo "disabled because of native PKCS11" >&6; }
6e9104c 
 		DST_OPENSSL_INC=""
6e9104c 
 		CRYPTO="-DPKCS11CRYPTO"
6e9104c 
+		CRYPTOLIB="pkcs11"
6e9104c 
 		OPENSSLECDSALINKOBJS=""
6e9104c 
 		OPENSSLECDSALINKSRCS=""
6e9104c 
 		OPENSSLEDDSALINKOBJS=""
dee096a 
@@ -17158,6 +17163,7 @@ $as_echo "disabled because of native PKCS11" >&6; }
6e9104c 
 $as_echo "no" >&6; }
6e9104c 
 		DST_OPENSSL_INC=""
6e9104c 
 		CRYPTO=""
6e9104c 
+		CRYPTOLIB=""
6e9104c 
 		OPENSSLECDSALINKOBJS=""
6e9104c 
 		OPENSSLECDSALINKSRCS=""
6e9104c 
 		OPENSSLEDDSALINKOBJS=""
dee096a 
@@ -17170,6 +17176,7 @@ $as_echo "no" >&6; }
6e9104c 
 	auto)
6e9104c 
 		DST_OPENSSL_INC=""
6e9104c 
 		CRYPTO=""
6e9104c 
+		CRYPTOLIB=""
6e9104c 
 		OPENSSLECDSALINKOBJS=""
6e9104c 
 		OPENSSLECDSALINKSRCS=""
6e9104c 
 		OPENSSLEDDSALINKOBJS=""
dee096a 
@@ -17179,7 +17186,7 @@ $as_echo "no" >&6; }
6e9104c 
 		OPENSSLLINKOBJS=""
6e9104c 
 		OPENSSLLINKSRCS=""
6e9104c 
 		as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
6e9104c 
-If you don't want OpenSSL, use --without-openssl" "$LINENO" 5
6e9104c 
+If you do not want OpenSSL, use --without-openssl" "$LINENO" 5
6e9104c 
 		;;
6e9104c 
 	*)
6e9104c 
 		if test "yes" = "$want_native_pkcs11"
dee096a 
@@ -17210,6 +17217,7 @@ $as_echo "not found" >&6; }
6e9104c 
 			as_fn_error $? "\"$use_openssl/include/openssl/opensslv.h\" not found" "$LINENO" 5
6e9104c 
 		fi
6e9104c 
 		CRYPTO='-DOPENSSL'
6e9104c 
+		CRYPTOLIB="openssl"
6e9104c 
 		if test "/usr" = "$use_openssl"
6e9104c 
 		then
6e9104c 
 			DST_OPENSSL_INC=""
dee096a 
@@ -17835,8 +17843,6 @@ fi
6e9104c 
 # Use OpenSSL for hash functions
6e9104c 
 #
6e9104c
6e9104c 
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for using OpenSSL for hash functions" >&5
6e9104c 
-$as_echo_n "checking for using OpenSSL for hash functions... " >&6; }
6e9104c 
 ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
6e9104c 
 case $want_openssl_hash in
6e9104c 
 	yes)
dee096a 
@@ -18211,6 +18217,86 @@ if test "rt" = "$have_clock_gt"; then
6e9104c 
 	LIBS="-lrt $LIBS"
6e9104c 
 fi
6e9104c
6e9104c 
+#
6e9104c 
+# Use the crypto provider (OpenSSL/PKCS#11) for random functions
6e9104c 
+#
6e9104c 
+
6e9104c 
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for using the crypto library (vs. builtin) for random functions" >&5
6e9104c 
+$as_echo_n "checking for using the crypto library (vs. builtin) for random functions... " >&6; }
6e9104c 
+# Check whether --enable-crypto-rand was given.
6e9104c 
+if test "${enable_crypto_rand+set}" = set; then :
6e9104c 
+  enableval=$enable_crypto_rand; want_crypto_rand="$enableval"
6e9104c 
+else
6e9104c 
+  want_crypto_rand="auto"
6e9104c 
+fi
6e9104c 
+
6e9104c 
+if test "$want_crypto_rand" = "auto"
6e9104c 
+then
6e9104c 
+	case "$CRYPTOLIB" in
6e9104c 
+	"")
6e9104c 
+		want_crypto_rand="no"
6e9104c 
+		;;
6e9104c 
+	pkcs11)
6e9104c 
+		want_crypto_rand="yes"
6e9104c 
+		;;
6e9104c 
+	openssl)
6e9104c 
+		saved_cflags="$CFLAGS"
6e9104c 
+		saved_libs="$LIBS"
6e9104c 
+		CFLAGS="$CFLAGS $DST_OPENSSL_INC"
6e9104c 
+		LIBS="$LIBS $DST_OPENSSL_LIBS"
6e9104c 
+		if test "$cross_compiling" = yes; then :
6e9104c 
+  want_crypto_rand="yes"
6e9104c 
+else
6e9104c 
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
6e9104c 
+/* end confdefs.h.  */
6e9104c 
+
6e9104c 
+#include <openssl/rand.h>
6e9104c 
+
6e9104c 
+unsigned char buf[128];
6e9104c 
+
6e9104c 
+int main()
6e9104c 
+{
6e9104c 
+	if (RAND_bytes(buf, 128) != 1)
6e9104c 
+		return (1);
6e9104c 
+	return (0);
6e9104c 
+}
6e9104c 
+
6e9104c 
+_ACEOF
6e9104c 
+if ac_fn_c_try_run "$LINENO"; then :
6e9104c 
+  want_crypto_rand="yes"
6e9104c 
+else
6e9104c 
+  want_crypto_rand="no"
6e9104c 
+fi
6e9104c 
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
6e9104c 
+  conftest.$ac_objext conftest.beam conftest.$ac_ext
6e9104c 
+fi
6e9104c 
+
6e9104c 
+		CFLAGS="$saved_cflags"
6e9104c 
+		LIBS="$saved_libs"
6e9104c 
+		;;
6e9104c 
+	*)
6e9104c 
+		as_fn_error $? "Unknown crypto library define $CRYPTOLIB" "$LINENO" 5
6e9104c 
+		;;
6e9104c 
+	esac
6e9104c 
+fi
6e9104c 
+case $want_crypto_rand in
6e9104c 
+	yes)
6e9104c 
+		if test "$CRYPTOLIB" = ""
6e9104c 
+		then
6e9104c 
+			as_fn_error $? "No crypto library for random functions" "$LINENO" 5
6e9104c 
+		fi
6e9104c 
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: \"$CRYPTOLIB\"" >&5
6e9104c 
+$as_echo "\"$CRYPTOLIB\"" >&6; }
6e9104c 
+		ISC_PLATFORM_CRYPTORANDOM="#define ISC_PLATFORM_CRYPTORANDOM \"$CRYPTOLIB\""
6e9104c 
+		;;
6e9104c 
+	no)
6e9104c 
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
6e9104c 
+$as_echo "no" >&6; }
6e9104c 
+		ISC_PLATFORM_CRYPTORANDOM="#undef ISC_PLATFORM_CRYPTORANDOM"
6e9104c 
+		;;
6e9104c 
+esac
6e9104c 
+
6e9104c 
+
6e9104c 
 #
6e9104c 
 # was --with-lmdb specified?
6e9104c 
 #
dee096a 
@@ -20441,9 +20527,12 @@ _ACEOF
6e9104c 
 if ac_fn_c_try_compile "$LINENO"; then :
6e9104c 
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: size_t for buflen; int for flags" >&5
6e9104c 
 $as_echo "size_t for buflen; int for flags" >&6; }
6e9104c 
-	 $as_echo "#define IRS_GETNAMEINFO_SOCKLEN_T size_t" >>confdefs.h
6e9104c 
+	# Changed to solve multilib conflict on Fedora
6e9104c 
+	# AC_DEFINE(IRS_GETNAMEINFO_SOCKLEN_T, size_t)
6e9104c 
+	# AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, size_t)
6e9104c 
+	 $as_echo "#define IRS_GETNAMEINFO_SOCKLEN_T socklen_t" >>confdefs.h
6e9104c
6e9104c 
-	 $as_echo "#define IRS_GETNAMEINFO_BUFLEN_T size_t" >>confdefs.h
6e9104c 
+	 $as_echo "#define IRS_GETNAMEINFO_BUFLEN_T socklen_t" >>confdefs.h
6e9104c
6e9104c 
 	 $as_echo "#define IRS_GETNAMEINFO_FLAGS_T int" >>confdefs.h
6e9104c
dee096a 
@@ -21758,12 +21847,7 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
6e9104c 
 ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM"
6e9104c 
 ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM"
6e9104c 
 if test "yes" = "$use_atomic"; then
6e9104c 
-	have_atomic=yes		# set default
6e9104c 
-	case "$host" in
6e9104c 
-	i[3456]86-*)
6e9104c 
-		# XXX: some old x86 architectures actually do not support
6e9104c 
-		#      (some of) these operations.  Do we need stricter checks?
6e9104c 
-		# The cast to long int works around a bug in the HP C Compiler
6e9104c 
+	# The cast to long int works around a bug in the HP C Compiler
6e9104c 
 # version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
6e9104c 
 # declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
6e9104c 
 # This bug is HP SR number 8606223364.
dee096a 
@@ -21796,6 +21880,11 @@ cat >>confdefs.h <<_ACEOF
6e9104c 
 _ACEOF
6e9104c
6e9104c
6e9104c 
+	have_atomic=yes		# set default
6e9104c 
+	case "$host" in
6e9104c 
+	i[3456]86-*)
6e9104c 
+		# XXX: some old x86 architectures actually do not support
6e9104c 
+		#      (some of) these operations.  Do we need stricter checks?
6e9104c 
 		if test $ac_cv_sizeof_void_p = 8; then
6e9104c 
 			arch=x86_64
6e9104c 
 			have_xaddq=yes
dee096a 
@@ -21804,39 +21893,6 @@ _ACEOF
6e9104c 
 		fi
6e9104c 
 	;;
6e9104c 
 	x86_64-*|amd64-*)
6e9104c 
-		# The cast to long int works around a bug in the HP C Compiler
6e9104c 
-# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
6e9104c 
-# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
6e9104c 
-# This bug is HP SR number 8606223364.
6e9104c 
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of void *" >&5
6e9104c 
-$as_echo_n "checking size of void *... " >&6; }
6e9104c 
-if ${ac_cv_sizeof_void_p+:} false; then :
6e9104c 
-  $as_echo_n "(cached) " >&6
6e9104c 
-else
6e9104c 
-  if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (void *))" "ac_cv_sizeof_void_p"        "$ac_includes_default"; then :
6e9104c 
-
6e9104c 
-else
6e9104c 
-  if test "$ac_cv_type_void_p" = yes; then
6e9104c 
-     { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
6e9104c 
-$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
6e9104c 
-as_fn_error 77 "cannot compute sizeof (void *)
6e9104c 
-See \`config.log' for more details" "$LINENO" 5; }
6e9104c 
-   else
6e9104c 
-     ac_cv_sizeof_void_p=0
6e9104c 
-   fi
6e9104c 
-fi
6e9104c 
-
6e9104c 
-fi
6e9104c 
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_void_p" >&5
6e9104c 
-$as_echo "$ac_cv_sizeof_void_p" >&6; }
6e9104c 
-
6e9104c 
-
6e9104c 
-
6e9104c 
-cat >>confdefs.h <<_ACEOF
6e9104c 
-#define SIZEOF_VOID_P $ac_cv_sizeof_void_p
6e9104c 
-_ACEOF
6e9104c 
-
6e9104c 
-
6e9104c 
 		if test $ac_cv_sizeof_void_p = 8; then
6e9104c 
 			arch=x86_64
6e9104c 
 			have_xaddq=yes
dee096a 
@@ -21867,6 +21923,10 @@ $as_echo_n "checking architecture type for atomic operations... " >&6; }
6e9104c 
 $as_echo "$arch" >&6; }
6e9104c 
 fi
6e9104c
6e9104c 
+if test ! "$arch" = "x86_64" -a "$have_xaddq" = "yes"; then
6e9104c 
+	as_fn_error $? "XADDQ present but disabled by Fedora patch!" "$LINENO" 5
6e9104c 
+fi
6e9104c 
+
6e9104c 
 if test "yes" = "$have_atomic"; then
6e9104c 
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking compiler support for inline assembly code" >&5
6e9104c 
 $as_echo_n "checking compiler support for inline assembly code... " >&6; }
dee096a 
@@ -24421,6 +24481,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS"
6e9104c 
 #
6e9104c 
 dlzdir='${DLZ_DRIVER_DIR}'
6e9104c
6e9104c 
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for target libdir" >&5
6e9104c 
+$as_echo_n "checking for target libdir... " >&6; }
6e9104c 
+if test "$cross_compiling" = yes; then :
6e9104c 
+  { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
6e9104c 
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
6e9104c 
+as_fn_error $? "cannot run test program while cross compiling
6e9104c 
+See \`config.log' for more details" "$LINENO" 5; }
6e9104c 
+else
6e9104c 
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
6e9104c 
+/* end confdefs.h.  */
6e9104c 
+int main(void) {exit((sizeof(void *) == 8) ? 0 : 1);}
6e9104c 
+_ACEOF
6e9104c 
+if ac_fn_c_try_run "$LINENO"; then :
6e9104c 
+  target_lib=lib64
6e9104c 
+else
6e9104c 
+  target_lib=lib
6e9104c 
+fi
6e9104c 
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
6e9104c 
+  conftest.$ac_objext conftest.beam conftest.$ac_ext
6e9104c 
+fi
6e9104c 
+
6e9104c 
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: \"$target_lib\"" >&5
6e9104c 
+$as_echo "\"$target_lib\"" >&6; }
6e9104c 
+
6e9104c 
 #
6e9104c 
 # Private autoconf macro to simplify configuring drivers:
6e9104c 
 #
dee096a 
@@ -24751,11 +24835,11 @@ $as_echo "no" >&6; }
6e9104c 
 $as_echo "using mysql with libs ${mysql_lib} and includes ${mysql_include}" >&6; }
6e9104c 
 		;;
6e9104c 
 	*)
6e9104c 
-		if test -d "$use_dlz_mysql/lib/mysql"
6e9104c 
+		if test -d $use_dlz_mysql/${target_lib}/mysql
6e9104c 
 		then
6e9104c 
-			mysql_lib="$use_dlz_mysql/lib/mysql"
6e9104c 
+			mysql_lib=$use_dlz_mysql/${target_lib}/mysql
6e9104c 
 		else
6e9104c 
-			mysql_lib="$use_dlz_mysql/lib"
6e9104c 
+			mysql_lib=$use_dlz_mysql/${target_lib}
6e9104c 
 		fi
6e9104c
6e9104c 
 	CONTRIB_DLZ="$CONTRIB_DLZ -DDLZ_MYSQL"
dee096a 
@@ -24840,7 +24924,7 @@ $as_echo "" >&6; }
6e9104c 
 			# Check other locations for includes.
6e9104c 
 			# Order is important (sigh).
6e9104c
6e9104c 
-			bdb_incdirs="/db53 /db51 /db48 /db47 /db46 /db45 /db44 /db43 /db42 /db41 /db4 /db"
6e9104c 
+			bdb_incdirs="/db53 /db51 /db48 /db47 /db46 /db45 /db44 /db43 /db42 /db41 /db4 /libdb /db"
6e9104c 
 			# include a blank element first
6e9104c 
 			for d in "" $bdb_incdirs
6e9104c 
 			do
dee096a 
@@ -24865,57 +24949,9 @@ $as_echo "" >&6; }
6e9104c 
 			bdb_libnames="db53 db-5.3 db51 db-5.1 db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db"
6e9104c 
 			for d in $bdb_libnames
6e9104c 
 			do
6e9104c 
-				if test "$dd" = "/usr"
ad7b3b8 
-				then
6e9104c 
-					as_ac_Lib=`$as_echo "ac_cv_lib_$d''_db_create" | $as_tr_sh`
6e9104c 
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for db_create in -l$d" >&5
6e9104c 
-$as_echo_n "checking for db_create in -l$d... " >&6; }
6e9104c 
-if eval \${$as_ac_Lib+:} false; then :
6e9104c 
-  $as_echo_n "(cached) " >&6
6e9104c 
-else
6e9104c 
-  ac_check_lib_save_LIBS=$LIBS
6e9104c 
-LIBS="-l$d  $LIBS"
6e9104c 
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
6e9104c 
-/* end confdefs.h.  */
6e9104c 
-
6e9104c 
-/* Override any GCC internal prototype to avoid an error.
6e9104c 
-   Use char because int might match the return type of a GCC
6e9104c 
-   builtin and then its argument prototype would still apply.  */
6e9104c 
-#ifdef __cplusplus
6e9104c 
-extern "C"
6e9104c 
-#endif
6e9104c 
-char db_create ();
6e9104c 
-int
6e9104c 
-main ()
6e9104c 
-{
6e9104c 
-return db_create ();
6e9104c 
-  ;
6e9104c 
-  return 0;
6e9104c 
-}
6e9104c 
-_ACEOF
6e9104c 
-if ac_fn_c_try_link "$LINENO"; then :
6e9104c 
-  eval "$as_ac_Lib=yes"
6e9104c 
-else
6e9104c 
-  eval "$as_ac_Lib=no"
6e9104c 
-fi
6e9104c 
-rm -f core conftest.err conftest.$ac_objext \
6e9104c 
-    conftest$ac_exeext conftest.$ac_ext
6e9104c 
-LIBS=$ac_check_lib_save_LIBS
6e9104c 
-fi
6e9104c 
-eval ac_res=\$$as_ac_Lib
6e9104c 
-	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
6e9104c 
-$as_echo "$ac_res" >&6; }
6e9104c 
-if eval test \"x\$"$as_ac_Lib"\" = x"yes"; then :
6e9104c 
-  dlz_bdb_libs="-l${d}"
6e9104c 
-fi
6e9104c 
-
6e9104c 
-					if test $dlz_bdb_libs != "yes"
6e9104c 
-					then
6e9104c 
-						break
6e9104c 
-					fi
6e9104c 
-				elif test -f "$dd/lib/lib${d}.so"
ad7b3b8 
+				if test -f "$dd/${target_lib}/lib${d}.so"
ad7b3b8 
 				then
6e9104c 
-					dlz_bdb_libs="-L${dd}/lib -l${d}"
6e9104c 
+					dlz_bdb_libs="-L${dd}/${target_lib}/libdb -l${d}"
6e9104c 
 					break
6e9104c 
 				fi
6e9104c 
 			done
dee096a 
@@ -25074,10 +25110,10 @@ $as_echo "no" >&6; }
6e9104c 
 		DLZ_DRIVER_INCLUDES="$DLZ_DRIVER_INCLUDES -I$use_dlz_ldap/include"
6e9104c 
 		DLZ_DRIVER_LDAP_INCLUDES="-I$use_dlz_ldap/include"
6e9104c 
 	fi
6e9104c 
-	if test -n "-L$use_dlz_ldap/lib -lldap -llber"
6e9104c 
+	if test -n "-L$use_dlz_ldap/${target_lib} -lldap -llber"
6e9104c 
 	then
6e9104c 
-		DLZ_DRIVER_LIBS="$DLZ_DRIVER_LIBS -L$use_dlz_ldap/lib -lldap -llber"
6e9104c 
-		DLZ_DRIVER_LDAP_LIBS="-L$use_dlz_ldap/lib -lldap -llber"
6e9104c 
+		DLZ_DRIVER_LIBS="$DLZ_DRIVER_LIBS -L$use_dlz_ldap/${target_lib} -lldap -llber"
6e9104c 
+		DLZ_DRIVER_LDAP_LIBS="-L$use_dlz_ldap/${target_lib} -lldap -llber"
6e9104c 
 	fi
6e9104c
6e9104c
dee096a 
@@ -25163,11 +25199,11 @@ fi
6e9104c 
 		odbcdirs="/usr /usr/local /usr/pkg"
6e9104c 
 		for d in $odbcdirs
6e9104c 
 		do
6e9104c 
-			if test -f $d/include/sql.h -a -f $d/lib/libodbc.a
6e9104c 
+			if test -f $d/include/sql.h -a -f $d/${target_lib}/libodbc.a
6e9104c 
 			then
6e9104c 
 				use_dlz_odbc=$d
6e9104c 
 				dlz_odbc_include="-I$use_dlz_odbc/include"
6e9104c 
-				dlz_odbc_libs="-L$use_dlz_odbc/lib -lodbc"
6e9104c 
+				dlz_odbc_libs="-L$use_dlz_odbc/${target_lib} -lodbc"
6e9104c 
 				break
6e9104c 
 			fi
6e9104c 
 		done
dee096a 
@@ -25442,6 +25478,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS"
6e9104c
6e9104c
6e9104c
6e9104c 
+
6e9104c 
+
6e9104c 
 #
6e9104c 
 # Commands to run at the end of config.status.
6e9104c 
 # Don't just put these into configure, it won't work right if somebody
dee096a 
@@ -27819,6 +27857,8 @@ report() {
6e9104c 
 	    echo "    IPv6 support (--enable-ipv6)"
6e9104c 
 	test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \
6e9104c 
 		echo "    OpenSSL cryptography/DNSSEC (--with-openssl)"
6e9104c 
+        test "no" = "$want_crypto_rand" || \
6e9104c 
+                echo "    Crypto provider entropy source (--enable-crypto-rand)"
6e9104c 
 	test "X$PYTHON" = "X" || echo "    Python tools (--with-python)"
6e9104c 
 	test "X$XMLSTATS" = "X" || echo "    XML statistics (--with-libxml2)"
6e9104c 
 	test "X$JSONSTATS" = "X" || echo "    JSON statistics (--with-libjson)"
dee096a 
@@ -27859,6 +27899,8 @@ report() {
6e9104c 
 	echo "    Very verbose query trace logging (--enable-querytrace)"
1e41691 
     test "no" = "$with_cmocka" || echo "    CMocka Unit Testing Framework (--with-cmocka)"
6e9104c
6e9104c 
+    echo "    Cryptographic library for DNSSEC: $CRYPTOLIB"
6e9104c 
+
6e9104c 
     echo "    Dynamically loadable zone (DLZ) drivers:"
6e9104c 
     test "no" = "$use_dlz_bdb" || \
6e9104c 
 	echo "        Berkeley DB (--with-dlz-bdb)"
dee096a 
@@ -27906,6 +27948,8 @@ report() {
6e9104c 
 	echo "    ECDSA algorithm support (--with-ecdsa)"
6e9104c 
     test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \
6e9104c 
 	echo "    EDDSA algorithm support (--with-eddsa)"
6e9104c 
+    test "yes" = "$want_crypto_rand" || \
6e9104c 
+        echo "    Crypto provider entropy source (--enable-crypto-rand)"
6e9104c
6e9104c 
     test "yes" = "$enable_seccomp" || \
6e9104c 
 	echo "    Use libseccomp system call filtering (--enable-seccomp)"
1e41691 
diff --git a/configure.ac b/configure.ac
dee096a 
index d10cde5..68bead8 100644
1e41691 
--- a/configure.ac
1e41691 
+++ b/configure.ac
0163153 
@@ -1550,6 +1550,7 @@ case "$use_openssl" in
6e9104c 
 		AC_MSG_RESULT(disabled because of native PKCS11)
6e9104c 
 		DST_OPENSSL_INC=""
6e9104c 
 		CRYPTO="-DPKCS11CRYPTO"
6e9104c 
+		CRYPTOLIB="pkcs11"
6e9104c 
 		OPENSSLECDSALINKOBJS=""
6e9104c 
 		OPENSSLECDSALINKSRCS=""
6e9104c 
 		OPENSSLEDDSALINKOBJS=""
0163153 
@@ -1563,6 +1564,7 @@ case "$use_openssl" in
6e9104c 
 		AC_MSG_RESULT(no)
6e9104c 
 		DST_OPENSSL_INC=""
6e9104c 
 		CRYPTO=""
6e9104c 
+		CRYPTOLIB=""
6e9104c 
 		OPENSSLECDSALINKOBJS=""
6e9104c 
 		OPENSSLECDSALINKSRCS=""
6e9104c 
 		OPENSSLEDDSALINKOBJS=""
0163153 
@@ -1575,6 +1577,7 @@ case "$use_openssl" in
6e9104c 
 	auto)
6e9104c 
 		DST_OPENSSL_INC=""
6e9104c 
 		CRYPTO=""
6e9104c 
+		CRYPTOLIB=""
6e9104c 
 		OPENSSLECDSALINKOBJS=""
6e9104c 
 		OPENSSLECDSALINKSRCS=""
6e9104c 
 		OPENSSLEDDSALINKOBJS=""
0163153 
@@ -1585,7 +1588,7 @@ case "$use_openssl" in
6e9104c 
 		OPENSSLLINKSRCS=""
6e9104c 
 		AC_MSG_ERROR(
6e9104c 
 [OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
6e9104c 
-If you don't want OpenSSL, use --without-openssl])
6e9104c 
+If you do not want OpenSSL, use --without-openssl])
6e9104c 
 		;;
6e9104c 
 	*)
6e9104c 
 		if test "yes" = "$want_native_pkcs11"
0163153 
@@ -1615,6 +1618,7 @@ If you don't want OpenSSL, use --without-openssl])
6e9104c 
 			AC_MSG_ERROR(["$use_openssl/include/openssl/opensslv.h" not found])
6e9104c 
 		fi
6e9104c 
 		CRYPTO='-DOPENSSL'
6e9104c 
+		CRYPTOLIB="openssl"
6e9104c 
 		if test "/usr" = "$use_openssl"
6e9104c 
 		then
6e9104c 
 			DST_OPENSSL_INC=""
0163153 
@@ -2050,7 +2054,6 @@ fi
6e9104c 
 # Use OpenSSL for hash functions
6e9104c 
 #
6e9104c
6e9104c 
-AC_MSG_CHECKING(for using OpenSSL for hash functions)
6e9104c 
 ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
6e9104c 
 case $want_openssl_hash in
6e9104c 
 	yes)
0163153 
@@ -2322,6 +2325,67 @@ if test "rt" = "$have_clock_gt"; then
6e9104c 
 	LIBS="-lrt $LIBS"
6e9104c 
 fi
6e9104c
6e9104c 
+#
6e9104c 
+# Use the crypto provider (OpenSSL/PKCS#11) for random functions
6e9104c 
+#
6e9104c 
+
6e9104c 
+AC_MSG_CHECKING(for using the crypto library (vs. builtin) for random functions)
6e9104c 
+AC_ARG_ENABLE(crypto-rand,
6e9104c 
+	[  --enable-crypto-rand    use the crypto provider for random [[default=yes]]],
6e9104c 
+	want_crypto_rand="$enableval", want_crypto_rand="auto")
6e9104c 
+if test "$want_crypto_rand" = "auto"
6e9104c 
+then
6e9104c 
+	case "$CRYPTOLIB" in
6e9104c 
+	"")
6e9104c 
+		want_crypto_rand="no"
6e9104c 
+		;;
6e9104c 
+	pkcs11)
6e9104c 
+		want_crypto_rand="yes"
6e9104c 
+		;;
6e9104c 
+	openssl)
6e9104c 
+		saved_cflags="$CFLAGS"
6e9104c 
+		saved_libs="$LIBS"
6e9104c 
+		CFLAGS="$CFLAGS $DST_OPENSSL_INC"
6e9104c 
+		LIBS="$LIBS $DST_OPENSSL_LIBS"
6e9104c 
+		AC_TRY_RUN([
6e9104c 
+#include <openssl/rand.h>
6e9104c 
+
6e9104c 
+unsigned char buf[128];
6e9104c 
+
6e9104c 
+int main()
6e9104c 
+{
6e9104c 
+	if (RAND_bytes(buf, 128) != 1)
6e9104c 
+		return (1);
6e9104c 
+	return (0);
6e9104c 
+}
6e9104c 
+],
6e9104c 
+		[want_crypto_rand="yes"],
6e9104c 
+		[want_crypto_rand="no"],
6e9104c 
+		[want_crypto_rand="yes"])
6e9104c 
+		CFLAGS="$saved_cflags"
6e9104c 
+		LIBS="$saved_libs"
6e9104c 
+		;;
6e9104c 
+	*)
6e9104c 
+		AC_MSG_ERROR([Unknown crypto library define $CRYPTOLIB])
6e9104c 
+		;;
6e9104c 
+	esac
6e9104c 
+fi
6e9104c 
+case $want_crypto_rand in
6e9104c 
+	yes)
6e9104c 
+		if test "$CRYPTOLIB" = ""
6e9104c 
+		then
6e9104c 
+			AC_MSG_ERROR([No crypto library for random functions])
6e9104c 
+		fi
6e9104c 
+		AC_MSG_RESULT(["$CRYPTOLIB"])
6e9104c 
+		ISC_PLATFORM_CRYPTORANDOM="#define ISC_PLATFORM_CRYPTORANDOM \"$CRYPTOLIB\""
6e9104c 
+		;;
6e9104c 
+	no)
6e9104c 
+		AC_MSG_RESULT(no)
6e9104c 
+		ISC_PLATFORM_CRYPTORANDOM="#undef ISC_PLATFORM_CRYPTORANDOM"
6e9104c 
+		;;
6e9104c 
+esac
6e9104c 
+AC_SUBST(ISC_PLATFORM_CRYPTORANDOM)
6e9104c 
+
6e9104c 
 #
6e9104c 
 # was --with-lmdb specified?
6e9104c 
 #
dee096a 
@@ -4098,12 +4162,12 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
6e9104c 
 ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM"
6e9104c 
 ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM"
6e9104c 
 if test "yes" = "$use_atomic"; then
6e9104c 
+	AC_CHECK_SIZEOF([void *])
6e9104c 
 	have_atomic=yes		# set default
6e9104c 
 	case "$host" in
6e9104c 
 	[i[3456]86-*])
6e9104c 
 		# XXX: some old x86 architectures actually do not support
6e9104c 
 		#      (some of) these operations.  Do we need stricter checks?
6e9104c 
-		AC_CHECK_SIZEOF([void *])
6e9104c 
 		if test $ac_cv_sizeof_void_p = 8; then
6e9104c 
 			arch=x86_64
6e9104c 
 			have_xaddq=yes
dee096a 
@@ -4112,7 +4176,6 @@ if test "yes" = "$use_atomic"; then
6e9104c 
 		fi
6e9104c 
 	;;
6e9104c 
 	x86_64-*|amd64-*)
6e9104c 
-		AC_CHECK_SIZEOF([void *])
6e9104c 
 		if test $ac_cv_sizeof_void_p = 8; then
6e9104c 
 			arch=x86_64
6e9104c 
 			have_xaddq=yes
dee096a 
@@ -5518,6 +5581,8 @@ report() {
6e9104c 
 	    echo "    IPv6 support (--enable-ipv6)"
6e9104c 
 	test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \
6e9104c 
 		echo "    OpenSSL cryptography/DNSSEC (--with-openssl)"
6e9104c 
+        test "no" = "$want_crypto_rand" || \
6e9104c 
+                echo "    Crypto provider entropy source (--enable-crypto-rand)"
6e9104c 
 	test "X$PYTHON" = "X" || echo "    Python tools (--with-python)"
6e9104c 
 	test "X$XMLSTATS" = "X" || echo "    XML statistics (--with-libxml2)"
6e9104c 
 	test "X$JSONSTATS" = "X" || echo "    JSON statistics (--with-libjson)"
dee096a 
@@ -5558,6 +5623,8 @@ report() {
6e9104c 
 	echo "    Very verbose query trace logging (--enable-querytrace)"
1e41691 
     test "no" = "$with_cmocka" || echo "    CMocka Unit Testing Framework (--with-cmocka)"
6e9104c
6e9104c 
+    echo "    Cryptographic library for DNSSEC: $CRYPTOLIB"
6e9104c 
+
6e9104c 
     echo "    Dynamically loadable zone (DLZ) drivers:"
6e9104c 
     test "no" = "$use_dlz_bdb" || \
6e9104c 
 	echo "        Berkeley DB (--with-dlz-bdb)"
dee096a 
@@ -5605,6 +5672,8 @@ report() {
6e9104c 
 	echo "    ECDSA algorithm support (--with-ecdsa)"
6e9104c 
     test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \
6e9104c 
 	echo "    EDDSA algorithm support (--with-eddsa)"
6e9104c 
+    test "yes" = "$want_crypto_rand" || \
6e9104c 
+        echo "    Crypto provider entropy source (--enable-crypto-rand)"
6e9104c
6e9104c 
     test "yes" = "$enable_seccomp" || \
6e9104c 
 	echo "    Use libseccomp system call filtering (--enable-seccomp)"
6e9104c 
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
0163153 
index 65bf25d..1eccbe7 100644
6e9104c 
--- a/lib/dns/dst_api.c
6e9104c 
+++ b/lib/dns/dst_api.c
12763cd 
@@ -277,6 +277,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
6e9104c 
 #ifdef GSSAPI
6e9104c 
 	RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI]));
6e9104c 
 #endif
6e9104c 
+#if defined(OPENSSL) || defined(PKCS11CRYPTO)
6e9104c 
+#ifdef ISC_PLATFORM_CRYPTORANDOM
6e9104c 
+	if (dst_entropy_pool != NULL)
6e9104c 
+		isc_entropy_sethook(dst_random_getdata);
6e9104c 
+#endif
6e9104c 
+#endif /* defined(OPENSSL) || defined(PKCS11CRYPTO) */
ad7b3b8 
 	dst_initialized = true;
6e9104c 
 	return (ISC_R_SUCCESS);
6e9104c
12763cd 
@@ -296,11 +302,19 @@ dst_lib_destroy(void) {
6e9104c 
 	for (i = 0; i < DST_MAX_ALGS; i++)
6e9104c 
 		if (dst_t_func[i] != NULL && dst_t_func[i]->cleanup != NULL)
6e9104c 
 			dst_t_func[i]->cleanup();
6e9104c 
+#if defined(OPENSSL) || defined(PKCS11CRYPTO)
6e9104c 
+#ifdef ISC_PLATFORM_CRYPTORANDOM
6e9104c 
+	if (dst_entropy_pool != NULL) {
ad7b3b8 
+		isc_entropy_usehook(dst_entropy_pool, false);
6e9104c 
+		isc_entropy_sethook(NULL);
6e9104c 
+	}
6e9104c 
+#endif
6e9104c 
 #ifdef OPENSSL
6e9104c 
 	dst__openssl_destroy();
6e9104c 
 #elif PKCS11CRYPTO
6e9104c 
 	(void) dst__pkcs11_destroy();
6e9104c 
 #endif /* if OPENSSL, elif PKCS11CRYPTO */
6e9104c 
+#endif /* defined(OPENSSL) || defined(PKCS11CRYPTO) */
6e9104c 
 	if (dst__memory_pool != NULL)
6e9104c 
 		isc_mem_detach(&dst__memory_pool);
6e9104c 
 	if (dst_entropy_pool != NULL)
12763cd 
@@ -2002,13 +2016,17 @@ dst__entropy_getdata(void *buf, unsigned int len, bool pseudo) {
6e9104c 
 		flags &= ~ISC_ENTROPY_GOODONLY;
6e9104c 
 	else
6e9104c 
 		flags |= ISC_ENTROPY_BLOCKING;
6e9104c 
+#ifdef ISC_PLATFORM_CRYPTORANDOM
6e9104c 
+	return (dst_random_getdata(buf, len, NULL, flags));
6e9104c 
+#else
6e9104c 
 	return (isc_entropy_getdata(dst_entropy_pool, buf, len, NULL, flags));
6e9104c 
+#endif
6e9104c 
 #endif /* PKCS11CRYPTO */
6e9104c 
 }
6e9104c
6e9104c 
 unsigned int
6e9104c 
 dst__entropy_status(void) {
6e9104c 
-#ifndef PKCS11CRYPTO
6e9104c 
+#if !defined(PKCS11CRYPTO) && !defined(ISC_PLATFORM_CRYPTORANDOM)
6e9104c 
 #ifdef GSSAPI
6e9104c 
 	unsigned int flags = dst_entropy_flags;
6e9104c 
 	isc_result_t ret;
12763cd 
@@ -2031,6 +2049,7 @@ dst__entropy_status(void) {
6e9104c 
 #endif
6e9104c 
 	return (isc_entropy_status(dst_entropy_pool));
6e9104c 
 #else
6e9104c 
+	/* Doesn't matter as it is not used in this case. */
6e9104c 
 	return (0);
6e9104c 
 #endif
6e9104c 
 }
6e9104c 
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
1e41691 
index 1924e74..6813c96 100644
6e9104c 
--- a/lib/dns/include/dst/dst.h
6e9104c 
+++ b/lib/dns/include/dst/dst.h
1e41691 
@@ -159,6 +159,14 @@ dst_lib_destroy(void);
6e9104c 
  * Releases all resources allocated by DST.
6e9104c 
  */
6e9104c
6e9104c 
+isc_result_t
6e9104c 
+dst_random_getdata(void *data, unsigned int length,
6e9104c 
+		   unsigned int *returned, unsigned int flags);
6e9104c 
+/*%<
6e9104c 
+ * \brief Return data from the crypto random generator.
6e9104c 
+ * Specialization of isc_entropy_getdata().
6e9104c 
+ */
6e9104c 
+
ad7b3b8 
 bool
6e9104c 
 dst_algorithm_supported(unsigned int alg);
6e9104c 
 /*%<
6e9104c 
diff --git a/lib/dns/lib.c b/lib/dns/lib.c
ad7b3b8 
index 304814b..60543c4 100644
6e9104c 
--- a/lib/dns/lib.c
6e9104c 
+++ b/lib/dns/lib.c
ad7b3b8 
@@ -18,6 +18,7 @@
ad7b3b8 
 #include <stdbool.h>
6e9104c 
 #include <stddef.h>
6e9104c
6e9104c 
+#include <isc/entropy.h>
6e9104c 
 #include <isc/hash.h>
6e9104c 
 #include <isc/mem.h>
6e9104c 
 #include <isc/msgcat.h>
ad7b3b8 
@@ -78,6 +79,7 @@ static unsigned int references = 0;
6e9104c 
 static void
6e9104c 
 initialize(void) {
6e9104c 
 	isc_result_t result;
6e9104c 
+	isc_entropy_t *ectx = NULL;
6e9104c
ad7b3b8 
 	REQUIRE(initialize_done == false);
6e9104c
ad7b3b8 
@@ -88,11 +90,14 @@ initialize(void) {
6e9104c 
 	result = dns_ecdb_register(dns_g_mctx, &dbimp);
6e9104c 
 	if (result != ISC_R_SUCCESS)
6e9104c 
 		goto cleanup_mctx;
6e9104c 
-	result = isc_hash_create(dns_g_mctx, NULL, DNS_NAME_MAXWIRE);
6e9104c 
+	result = isc_entropy_create(dns_g_mctx, &ectx);
6e9104c 
 	if (result != ISC_R_SUCCESS)
6e9104c 
 		goto cleanup_db;
6e9104c 
+	result = isc_hash_create(dns_g_mctx, NULL, DNS_NAME_MAXWIRE);
6e9104c 
+	if (result != ISC_R_SUCCESS)
6e9104c 
+		goto cleanup_ectx;
6e9104c
6e9104c 
-	result = dst_lib_init(dns_g_mctx, NULL, 0);
6e9104c 
+	result = dst_lib_init(dns_g_mctx, ectx, 0);
6e9104c 
 	if (result != ISC_R_SUCCESS)
6e9104c 
 		goto cleanup_hash;
6e9104c
ad7b3b8 
@@ -100,11 +105,17 @@ initialize(void) {
6e9104c 
 	if (result != ISC_R_SUCCESS)
6e9104c 
 		goto cleanup_dst;
6e9104c
6e9104c 
+	isc_hash_init();
6e9104c 
+	isc_entropy_detach(&ectx);
6e9104c 
+
ad7b3b8 
 	initialize_done = true;
6e9104c 
 	return;
6e9104c
6e9104c 
   cleanup_dst:
6e9104c 
 	dst_lib_destroy();
6e9104c 
+  cleanup_ectx:
6e9104c 
+	if (ectx != NULL)
6e9104c 
+		isc_entropy_detach(&ectx);
6e9104c 
   cleanup_hash:
6e9104c 
 	isc_hash_destroy();
6e9104c 
   cleanup_db:
6e9104c 
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
0163153 
index 13e838f..ffe0a69 100644
6e9104c 
--- a/lib/dns/openssl_link.c
6e9104c 
+++ b/lib/dns/openssl_link.c
6e9104c 
@@ -31,6 +31,7 @@
6e9104c 
 #include <isc/mem.h>
6e9104c 
 #include <isc/mutex.h>
6e9104c 
 #include <isc/mutexblock.h>
6e9104c 
+#include <isc/platform.h>
6e9104c 
 #include <isc/string.h>
6e9104c 
 #include <isc/thread.h>
6e9104c 
 #include <isc/util.h>
6e9104c 
@@ -46,8 +47,6 @@
6e9104c 
 #include <openssl/engine.h>
6e9104c 
 #endif
6e9104c
6e9104c 
-static RAND_METHOD *rm = NULL;
6e9104c 
-
6e9104c 
 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
6e9104c 
 static isc_mutex_t *locks = NULL;
6e9104c 
 static int nlocks;
6e9104c 
@@ -57,6 +56,9 @@ static int nlocks;
6e9104c 
 static ENGINE *e = NULL;
6e9104c 
 #endif
6e9104c
6e9104c 
+#ifndef ISC_PLATFORM_CRYPTORANDOM
6e9104c 
+static RAND_METHOD *rm = NULL;
6e9104c 
+
6e9104c 
 static int
6e9104c 
 entropy_get(unsigned char *buf, int num) {
6e9104c 
 	isc_result_t result;
6e9104c 
@@ -102,6 +104,7 @@ entropy_add(const void *buf, int num, double entropy) {
6e9104c 
 	return (1);
6e9104c 
 }
6e9104c 
 #endif
6e9104c 
+#endif /* !ISC_PLATFORM_CRYPTORANDOM */
6e9104c
0163153 
 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
6e9104c 
 static void
1e41691 
@@ -192,7 +195,7 @@ _set_thread_id(CRYPTO_THREADID *id)
6e9104c 
 isc_result_t
6e9104c 
 dst__openssl_init(const char *engine) {
6e9104c 
 	isc_result_t result;
6e9104c 
-#if !defined(OPENSSL_NO_ENGINE)
6e9104c 
+#if !defined(OPENSSL_NO_ENGINE) && !defined(ISC_PLATFORM_CRYPTORANDOM)
6e9104c 
 	ENGINE *re;
6e9104c 
 #else
6e9104c 
 	UNUSED(engine);
1e41691 
@@ -222,6 +225,7 @@ dst__openssl_init(const char *engine) {
6e9104c 
 	ERR_load_crypto_strings();
6e9104c 
 #endif
6e9104c
6e9104c 
+#ifndef ISC_PLATFORM_CRYPTORANDOM
6e9104c 
 	rm = mem_alloc(sizeof(RAND_METHOD) FILELINE);
6e9104c 
 	if (rm == NULL) {
6e9104c 
 		result = ISC_R_NOMEMORY;
1e41691 
@@ -233,6 +237,7 @@ dst__openssl_init(const char *engine) {
6e9104c 
 	rm->add = entropy_add;
6e9104c 
 	rm->pseudorand = entropy_getpseudo;
6e9104c 
 	rm->status = entropy_status;
6e9104c 
+#endif
6e9104c
6e9104c 
 #if !defined(OPENSSL_NO_ENGINE)
6e9104c 
 #if !defined(CONF_MFLAGS_DEFAULT_SECTION)
1e41691 
@@ -266,6 +271,7 @@ dst__openssl_init(const char *engine) {
6e9104c 
 		}
6e9104c 
 	}
6e9104c
6e9104c 
+#ifndef ISC_PLATFORM_CRYPTORANDOM
6e9104c 
 	re = ENGINE_get_default_RAND();
6e9104c 
 	if (re == NULL) {
6e9104c 
 		re = ENGINE_new();
1e41691 
@@ -278,9 +284,21 @@ dst__openssl_init(const char *engine) {
6e9104c 
 		ENGINE_free(re);
6e9104c 
 	} else
6e9104c 
 		ENGINE_finish(re);
6e9104c 
+#endif
6e9104c 
 #else
6e9104c 
+#ifndef ISC_PLATFORM_CRYPTORANDOM
6e9104c 
 	RAND_set_rand_method(rm);
6e9104c 
+#endif
6e9104c 
 #endif /* !defined(OPENSSL_NO_ENGINE) */
6e9104c 
+
6e9104c 
+	/* Protect ourselves against unseeded PRNG */
6e9104c 
+	if (RAND_status() != 1) {
6e9104c 
+		FATAL_ERROR(__FILE__, __LINE__,
6e9104c 
+			    "OpenSSL pseudorandom number generator "
6e9104c 
+			    "cannot be initialized (see the `PRNG not "
6e9104c 
+			    "seeded' message in the OpenSSL FAQ)");
6e9104c 
+	}
6e9104c 
+
6e9104c 
 	return (ISC_R_SUCCESS);
6e9104c
6e9104c 
 #if !defined(OPENSSL_NO_ENGINE)
1e41691 
@@ -288,10 +306,14 @@ dst__openssl_init(const char *engine) {
6e9104c 
 	if (e != NULL)
6e9104c 
 		ENGINE_free(e);
6e9104c 
 	e = NULL;
6e9104c 
+#ifndef ISC_PLATFORM_CRYPTORANDOM
6e9104c 
 	mem_free(rm FILELINE);
6e9104c 
 	rm = NULL;
6e9104c 
 #endif
6e9104c 
+#endif
6e9104c 
+#ifndef ISC_PLATFORM_CRYPTORANDOM
6e9104c 
  cleanup_mutexinit:
6e9104c 
+#endif
6e9104c 
 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
6e9104c 
 	CRYPTO_set_locking_callback(NULL);
6e9104c 
 	DESTROYMUTEXBLOCK(locks, nlocks);
1e41691 
@@ -306,14 +328,17 @@ void
6e9104c 
 dst__openssl_destroy(void) {
6e9104c 
 #if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L)
6e9104c 
 	OPENSSL_cleanup();
6e9104c 
+#ifndef ISC_PLATFORM_CRYPTORANDOM
6e9104c 
 	if (rm != NULL) {
6e9104c 
 		mem_free(rm FILELINE);
6e9104c 
 		rm = NULL;
6e9104c 
 	}
6e9104c 
+#endif
6e9104c 
 #else
6e9104c 
 	/*
6e9104c 
 	 * Sequence taken from apps_shutdown() in <apps/apps.h>.
6e9104c 
 	 */
6e9104c 
+#ifndef ISC_PLATFORM_CRYPTORANDOM
6e9104c 
 	if (rm != NULL) {
6e9104c 
 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
6e9104c 
 		RAND_cleanup();
1e41691 
@@ -321,6 +346,7 @@ dst__openssl_destroy(void) {
6e9104c 
 		mem_free(rm FILELINE);
6e9104c 
 		rm = NULL;
6e9104c 
 	}
6e9104c 
+#endif
6e9104c 
 #if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
6e9104c 
 	CONF_modules_free();
6e9104c 
 #endif
1e41691 
@@ -456,11 +482,45 @@ dst__openssl_getengine(const char *engine) {
6e9104c 
 }
6e9104c 
 #endif
6e9104c
6e9104c 
-#else /* OPENSSL */
6e9104c 
+isc_result_t
6e9104c 
+dst_random_getdata(void *data, unsigned int length,
6e9104c 
+		   unsigned int *returned, unsigned int flags) {
6e9104c 
+#ifdef ISC_PLATFORM_CRYPTORANDOM
6e9104c 
+#ifndef DONT_REQUIRE_DST_LIB_INIT
6e9104c 
+	INSIST(dst__memory_pool != NULL);
6e9104c 
+#endif
6e9104c 
+	REQUIRE(data != NULL);
6e9104c 
+	REQUIRE(length > 0);
6e9104c
6e9104c 
-#include <isc/util.h>
6e9104c 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
6e9104c 
+	if ((flags & ISC_ENTROPY_GOODONLY) == 0) {
6e9104c 
+		if (RAND_pseudo_bytes((unsigned char *)data, (int)length) < 0)
6e9104c 
+			return (dst__openssl_toresult2("RAND_pseudo_bytes",
6e9104c 
+						       DST_R_OPENSSLFAILURE));
6e9104c 
+	} else {
6e9104c 
+		if (RAND_bytes((unsigned char *)data, (int)length) != 1)
6e9104c 
+			return (dst__openssl_toresult2("RAND_bytes",
6e9104c 
+						       DST_R_OPENSSLFAILURE));
6e9104c 
+	}
6e9104c 
+#else
6e9104c 
+	UNUSED(flags);
6e9104c
6e9104c 
-EMPTY_TRANSLATION_UNIT
6e9104c 
+	if (RAND_bytes((unsigned char *)data, (int)length) != 1)
6e9104c 
+		return (dst__openssl_toresult2("RAND_bytes",
6e9104c 
+					       DST_R_OPENSSLFAILURE));
6e9104c 
+#endif
6e9104c 
+	if (returned != NULL)
6e9104c 
+		*returned = length;
6e9104c 
+	return (ISC_R_SUCCESS);
6e9104c 
+#else
6e9104c 
+	UNUSED(data);
6e9104c 
+	UNUSED(length);
6e9104c 
+	UNUSED(returned);
6e9104c 
+	UNUSED(flags);
6e9104c 
+
6e9104c 
+	return (ISC_R_NOTIMPLEMENTED);
6e9104c 
+#endif
6e9104c 
+}
6e9104c
6e9104c 
 #endif /* OPENSSL */
6e9104c 
 /*! \file */
6e9104c 
diff --git a/lib/dns/pkcs11.c b/lib/dns/pkcs11.c
6e9104c 
index 5a2c502..8eaef53 100644
6e9104c 
--- a/lib/dns/pkcs11.c
6e9104c 
+++ b/lib/dns/pkcs11.c
6e9104c 
@@ -13,12 +13,15 @@
6e9104c
6e9104c 
 #include <config.h>
6e9104c
6e9104c 
+#include <isc/util.h>
6e9104c 
+
6e9104c 
 #include <dns/log.h>
6e9104c 
 #include <dns/result.h>
6e9104c
6e9104c 
 #include <pk11/pk11.h>
6e9104c 
 #include <pk11/internal.h>
6e9104c
6e9104c 
+#include "dst_internal.h"
6e9104c 
 #include "dst_pkcs11.h"
6e9104c
6e9104c 
 isc_result_t
6e9104c 
@@ -34,12 +37,32 @@ dst__pkcs11_toresult(const char *funcname, const char *file, int line,
6e9104c 
 	return (fallback);
6e9104c 
 }
6e9104c
6e9104c 
+isc_result_t
6e9104c 
+dst_random_getdata(void *data, unsigned int length,
6e9104c 
+		   unsigned int *returned, unsigned int flags) {
6e9104c 
+#ifdef ISC_PLATFORM_CRYPTORANDOM
6e9104c 
+	isc_result_t ret;
6e9104c
6e9104c 
-#else /* PKCS11CRYPTO */
6e9104c 
+#ifndef DONT_REQUIRE_DST_LIB_INIT
6e9104c 
+	INSIST(dst__memory_pool != NULL);
6e9104c 
+#endif
6e9104c 
+	REQUIRE(data != NULL);
6e9104c 
+	REQUIRE(length > 0);
6e9104c 
+	UNUSED(flags);
6e9104c
6e9104c 
-#include <isc/util.h>
6e9104c 
+	ret = pk11_rand_bytes(data, (int) length);
6e9104c 
+	if ((ret == ISC_R_SUCCESS) && (returned != NULL))
6e9104c 
+		*returned = length;
6e9104c 
+	return (ret);
6e9104c 
+#else
6e9104c 
+	UNUSED(data);
6e9104c 
+	UNUSED(length);
6e9104c 
+	UNUSED(returned);
6e9104c 
+	UNUSED(flags);
6e9104c
6e9104c 
-EMPTY_TRANSLATION_UNIT
6e9104c 
+	return (ISC_R_NOTIMPLEMENTED);
6e9104c 
+#endif
6e9104c 
+}
6e9104c
6e9104c 
 #endif /* PKCS11CRYPTO */
6e9104c 
 /*! \file */
6e9104c 
diff --git a/lib/dns/tests/Kyuafile b/lib/dns/tests/Kyuafile
1e41691 
index 937b548..f3c0e38 100644
6e9104c 
--- a/lib/dns/tests/Kyuafile
6e9104c 
+++ b/lib/dns/tests/Kyuafile
1e41691 
@@ -10,6 +10,7 @@ tap_test_program{name='dh_test'}
1e41691 
 tap_test_program{name='dispatch_test'}
1e41691 
 tap_test_program{name='dnstap_test'}
1e41691 
 tap_test_program{name='dst_test'}
1e41691 
+tap_test_program{name='dstrandom_test'}
1e41691 
 tap_test_program{name='geoip_test'}
1e41691 
 tap_test_program{name='gost_test'}
1e41691 
 tap_test_program{name='keytable_test'}
6e9104c 
diff --git a/lib/dns/tests/Makefile.in b/lib/dns/tests/Makefile.in
371a1e3 
index 90dc3a6..7671e1d 100644
6e9104c 
--- a/lib/dns/tests/Makefile.in
6e9104c 
+++ b/lib/dns/tests/Makefile.in
1e41691 
@@ -37,6 +37,7 @@ SRCS =		acl_test.c \
6e9104c 
 		dnstap_test.c \
6e9104c 
 		dst_test.c \
6e9104c 
 		dnstest.c \
6e9104c 
+		dstrandom_test.c \
6e9104c 
 		geoip_test.c \
6e9104c 
 		gost_test.c \
6e9104c 
 		keytable_test.c \
1e41691 
@@ -69,6 +70,7 @@ TARGETS =	acl_test@EXEEXT@ \
6e9104c 
 		dh_test@EXEEXT@ \
6e9104c 
 		dispatch_test@EXEEXT@ \
6e9104c 
 		dnstap_test@EXEEXT@ \
6e9104c 
+		dstrandom_test@EXEEXT@ \
6e9104c 
 		dst_test@EXEEXT@ \
6e9104c 
 		geoip_test@EXEEXT@ \
6e9104c 
 		gost_test@EXEEXT@ \
1e41691 
@@ -258,6 +260,11 @@ zt_test@EXEEXT@: zt_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
1e41691 
 		${LDFLAGS} -o $@ zt_test.@O@ dnstest.@O@ \
1e41691 
 		${DNSLIBS} ${ISCLIBS} ${LIBS}
6e9104c
6e9104c 
+dstrandom_test@EXEEXT@: dstrandom_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
6e9104c 
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
6e9104c 
+			dstrandom_test.@O@ ${DNSLIBS} \
6e9104c 
+			${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
6e9104c 
+
6e9104c 
 unit::
6e9104c 
 	sh ${top_builddir}/unit/unittest.sh
6e9104c
6e9104c 
diff --git a/lib/dns/tests/dstrandom_test.c b/lib/dns/tests/dstrandom_test.c
6e9104c 
new file mode 100644
1e41691 
index 0000000..bd3d164
6e9104c 
--- /dev/null
6e9104c 
+++ b/lib/dns/tests/dstrandom_test.c
1e41691 
@@ -0,0 +1,115 @@
6e9104c 
+/*
ad7b3b8 
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
6e9104c 
+ *
ad7b3b8 
+ * This Source Code Form is subject to the terms of the Mozilla Public
ad7b3b8 
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
ad7b3b8 
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
6e9104c 
+ *
ad7b3b8 
+ * See the COPYRIGHT file distributed with this work for additional
ad7b3b8 
+ * information regarding copyright ownership.
6e9104c 
+ */
6e9104c 
+
6e9104c 
+#include <config.h>
6e9104c 
+
1e41691 
+#if HAVE_CMOCKA
1e41691 
+
1e41691 
+#include <stdarg.h>
1e41691 
+#include <stddef.h>
1e41691 
+#include <setjmp.h>
6e9104c 
+
1e41691 
+#include <stdlib.h>
6e9104c 
+#include <stdio.h>
6e9104c 
+#include <string.h>
ad7b3b8 
+#include <unistd.h>
6e9104c 
+
1e41691 
+#define UNIT_TESTING
1e41691 
+#include <cmocka.h>
1e41691 
+
6e9104c 
+#include <isc/entropy.h>
6e9104c 
+#include <isc/mem.h>
1e41691 
+#include <isc/print.h>
6e9104c 
+#include <isc/platform.h>
6e9104c 
+#include <isc/util.h>
6e9104c 
+
6e9104c 
+#include <dst/dst.h>
6e9104c 
+
6e9104c 
+isc_mem_t *mctx = NULL;
6e9104c 
+isc_entropy_t *ectx = NULL;
6e9104c 
+unsigned char buffer[128];
6e9104c 
+
1e41691 
+/* isc_entropy_getdata() examples */
1e41691 
+static void
1e41691 
+isc_entropy_getdata_test(void **state) {
6e9104c 
+	isc_result_t result;
6e9104c 
+	unsigned int returned, status;
1e41691 
+	const char *randomfile = "testdata/dstrandom/random.data";
6e9104c 
+	int ret;
1e41691 
+
1e41691 
+	UNUSED(state);
6e9104c 
+
6e9104c 
+	isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
6e9104c 
+	result = isc_mem_create(0, 0, &mctx);
1e41691 
+	assert_int_equal(result, ISC_R_SUCCESS);
6e9104c 
+	result = isc_entropy_create(mctx, &ectx);
1e41691 
+	assert_int_equal(result, ISC_R_SUCCESS);
6e9104c 
+	result = dst_lib_init(mctx, ectx, 0);
1e41691 
+	assert_int_equal(result, ISC_R_SUCCESS);
6e9104c 
+
6e9104c 
+#ifdef ISC_PLATFORM_CRYPTORANDOM
ad7b3b8 
+	isc_entropy_usehook(ectx, true);
6e9104c 
+
6e9104c 
+	returned = 0;
6e9104c 
+	result = isc_entropy_getdata(ectx, buffer, sizeof(buffer),
6e9104c 
+				     &returned, 0);
1e41691 
+	assert_int_equal(result, ISC_R_SUCCESS);
1e41691 
+	assert_int_equal(returned, sizeof(buffer));
6e9104c 
+
6e9104c 
+	status = isc_entropy_status(ectx);
1e41691 
+	assert_int_equal(status, 0);
6e9104c 
+
ad7b3b8 
+	isc_entropy_usehook(ectx, false);
6e9104c 
+#endif
6e9104c 
+
6e9104c 
+	ret = chdir(TESTS);
1e41691 
+	assert_int_equal(ret, 0);
6e9104c 
+
6e9104c 
+	result = isc_entropy_createfilesource(ectx, randomfile);
1e41691 
+	assert_int_equal(result, ISC_R_SUCCESS);
6e9104c 
+
6e9104c 
+	returned = 0;
6e9104c 
+	result = isc_entropy_getdata(ectx, buffer, sizeof(buffer),
6e9104c 
+				     &returned, 0);
1e41691 
+	assert_int_equal(result, ISC_R_SUCCESS);
1e41691 
+	assert_int_equal(returned, sizeof(buffer));
6e9104c 
+
6e9104c 
+	status = isc_entropy_status(ectx);
1e41691 
+	assert_true(status > 0);
6e9104c 
+
6e9104c 
+	dst_lib_destroy();
6e9104c 
+	isc_entropy_detach(&ectx);
1e41691 
+	assert_null(ectx);
1e41691 
+
6e9104c 
+	isc_mem_destroy(&mctx);
1e41691 
+	assert_null(mctx);
6e9104c 
+}
6e9104c 
+
1e41691 
+int
1e41691 
+main(void) {
1e41691 
+	const struct CMUnitTest tests[] = {
1e41691 
+		cmocka_unit_test(isc_entropy_getdata_test),
1e41691 
+	};
6e9104c 
+
1e41691 
+	return (cmocka_run_group_tests(tests, NULL, NULL));
6e9104c 
+}
6e9104c 
+
1e41691 
+#else /* HAVE_CMOCKA */
1e41691 
+
1e41691 
+#include <stdio.h>
1e41691 
+
1e41691 
+int
1e41691 
+main(void) {
1e41691 
+	printf("1..0 # Skipped: cmocka not available\n");
1e41691 
+	return (0);
1e41691 
+}
1e41691 
+
1e41691 
+#endif
6e9104c 
diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in
0163153 
index 63be973..40b21fa 100644
6e9104c 
--- a/lib/dns/win32/libdns.def.in
6e9104c 
+++ b/lib/dns/win32/libdns.def.in
0163153 
@@ -1485,6 +1485,13 @@ dst_lib_destroy
6e9104c 
 dst_lib_init
6e9104c 
 dst_lib_init2
6e9104c 
 dst_lib_initmsgcat
6e9104c 
+@IF PKCS11
6e9104c 
+dst_random_getdata
6e9104c 
+@ELSE PKCS11
6e9104c 
+@IF OPENSSL
6e9104c 
+dst_random_getdata
6e9104c 
+@END OPENSSL
6e9104c 
+@END PKCS11
6e9104c 
 dst_region_computeid
6e9104c 
 dst_region_computerid
6e9104c 
 dst_result_register
6e9104c 
diff --git a/lib/isc/entropy.c b/lib/isc/entropy.c
dee096a 
index 907e470..451544d 100644
6e9104c 
--- a/lib/isc/entropy.c
6e9104c 
+++ b/lib/isc/entropy.c
ad7b3b8 
@@ -104,11 +104,15 @@ struct isc_entropy {
ad7b3b8 
 	uint32_t			initialized;
ad7b3b8 
 	uint32_t			initcount;
6e9104c 
 	isc_entropypool_t		pool;
ad7b3b8 
+	bool				usehook;
6e9104c 
 	unsigned int			nsources;
6e9104c 
 	isc_entropysource_t	       *nextsource;
6e9104c 
 	ISC_LIST(isc_entropysource_t)	sources;
6e9104c 
 };
6e9104c
6e9104c 
+/*% Global Hook */
6e9104c 
+static isc_entropy_getdata_t hook;
6e9104c 
+
6e9104c 
 /*% Sample Queue */
6e9104c 
 typedef struct {
ad7b3b8 
 	uint32_t	last_time;	/*%< last time recorded */
ad7b3b8 
@@ -557,6 +561,11 @@ isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length,
6e9104c
6e9104c 
 	LOCK(&ent->lock);
6e9104c
6e9104c 
+	if (ent->usehook && (hook != NULL)) {
6e9104c 
+		UNLOCK(&ent->lock);
6e9104c 
+		return (hook(data, length, returned, flags));
6e9104c 
+	}
6e9104c 
+
6e9104c 
 	remain = length;
6e9104c 
 	buf = data;
6e9104c 
 	total = 0;
ad7b3b8 
@@ -708,6 +717,7 @@ isc_entropy_create(isc_mem_t *mctx, isc_entropy_t **entp) {
6e9104c 
 	ent->refcnt = 1;
6e9104c 
 	ent->initialized = 0;
6e9104c 
 	ent->initcount = 0;
ad7b3b8 
+	ent->usehook = false;
6e9104c 
 	ent->magic = ENTROPY_MAGIC;
6e9104c
6e9104c 
 	isc_entropypool_init(&ent->pool);
6e9104c 
@@ -1286,3 +1296,17 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
6e9104c 
 	 */
6e9104c 
 	return (final_result);
6e9104c 
 }
6e9104c 
+
6e9104c 
+void
ad7b3b8 
+isc_entropy_usehook(isc_entropy_t *ectx, bool onoff) {
6e9104c 
+	REQUIRE(VALID_ENTROPY(ectx));
6e9104c 
+
6e9104c 
+	LOCK(&ectx->lock);
6e9104c 
+	ectx->usehook = onoff;
6e9104c 
+	UNLOCK(&ectx->lock);
6e9104c 
+}
6e9104c 
+
6e9104c 
+void
6e9104c 
+isc_entropy_sethook(isc_entropy_getdata_t myhook) {
6e9104c 
+	hook = myhook;
6e9104c 
+}
6e9104c 
diff --git a/lib/isc/include/isc/entropy.h b/lib/isc/include/isc/entropy.h
dee096a 
index e8733db..c40a18c 100644
6e9104c 
--- a/lib/isc/include/isc/entropy.h
6e9104c 
+++ b/lib/isc/include/isc/entropy.h
dee096a 
@@ -302,6 +302,18 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
6e9104c 
  *	isc_entropy_createcallbacksource().
6e9104c 
  */
6e9104c
6e9104c 
+void
ad7b3b8 
+isc_entropy_usehook(isc_entropy_t *ectx, bool onoff);
6e9104c 
+/*!<
6e9104c 
+ * \brief Mark/unmark the given entropy structure as being hooked.
6e9104c 
+ */
6e9104c 
+
6e9104c 
+void
6e9104c 
+isc_entropy_sethook(isc_entropy_getdata_t myhook);
6e9104c 
+/*!<
6e9104c 
+ * \brief Set the getdata hook (e.g., for a crypto random generator).
6e9104c 
+ */
6e9104c 
+
6e9104c 
 ISC_LANG_ENDDECLS
6e9104c
6e9104c 
 #endif /* ISC_ENTROPY_H */
6e9104c 
diff --git a/lib/isc/include/isc/platform.h.in b/lib/isc/include/isc/platform.h.in
dee096a 
index 61960f1..d22993d 100644
6e9104c 
--- a/lib/isc/include/isc/platform.h.in
6e9104c 
+++ b/lib/isc/include/isc/platform.h.in
0163153 
@@ -359,6 +359,11 @@
6e9104c 
  */
6e9104c 
 @ISC_PLATFORM_HAVESTRINGSH@
6e9104c
6e9104c 
+/*
6e9104c 
+ * Define if the random functions are provided by crypto.
6e9104c 
+ */
6e9104c 
+@ISC_PLATFORM_CRYPTORANDOM@
6e9104c 
+
6e9104c 
 /*
6e9104c 
  * Define if the hash functions must be provided by OpenSSL.
6e9104c 
  */
6e9104c 
diff --git a/lib/isc/include/isc/types.h b/lib/isc/include/isc/types.h
0163153 
index da9d66f..4205400 100644
6e9104c 
--- a/lib/isc/include/isc/types.h
6e9104c 
+++ b/lib/isc/include/isc/types.h
0163153 
@@ -97,6 +97,8 @@ typedef struct isc_time			isc_time_t;		/*%< Time */
6e9104c 
 typedef struct isc_timer		isc_timer_t;		/*%< Timer */
6e9104c 
 typedef struct isc_timermgr		isc_timermgr_t;		/*%< Timer Manager */
6e9104c
6e9104c 
+typedef isc_result_t (*isc_entropy_getdata_t)(void *, unsigned int,
6e9104c 
+					      unsigned int *, unsigned int);
6e9104c 
 typedef void (*isc_taskaction_t)(isc_task_t *, isc_event_t *);
6e9104c 
 typedef int (*isc_sockfdwatch_t)(isc_task_t *, isc_socket_t *, void *, int);
6e9104c
6e9104c 
diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c
0163153 
index 68aebdc..4b85527 100644
6e9104c 
--- a/lib/isc/pk11.c
6e9104c 
+++ b/lib/isc/pk11.c
ad7b3b8 
@@ -321,14 +321,16 @@ pk11_rand_seed_fromfile(const char *randomfile) {
6e9104c 
 	ret = isc_stdio_open(randomfile, "r", &stream);
6e9104c 
 	if (ret != ISC_R_SUCCESS)
6e9104c 
 		goto cleanup;
6e9104c 
-	ret = isc_stdio_read(seed, 1, SEEDSIZE, stream, &cc);
6e9104c 
-	if (ret!= ISC_R_SUCCESS)
6e9104c 
-		goto cleanup;
6e9104c 
+	while (ret == ISC_R_SUCCESS) {
6e9104c 
+		ret = isc_stdio_read(seed, 1, SEEDSIZE, stream, &cc);
6e9104c 
+		if ((ret != ISC_R_SUCCESS) && (ret != ISC_R_EOF))
6e9104c 
+			goto cleanup;
6e9104c 
+		(void) pkcs_C_SeedRandom(ctx.session, seed, (CK_ULONG) cc);
6e9104c 
+	}
6e9104c 
 	ret = isc_stdio_close(stream);
6e9104c 
 	stream = NULL;
6e9104c 
-	if (ret!= ISC_R_SUCCESS)
6e9104c 
+	if (ret != ISC_R_SUCCESS)
6e9104c 
 		goto cleanup;
6e9104c 
-	(void) pkcs_C_SeedRandom(ctx.session, seed, (CK_ULONG) cc);
6e9104c
6e9104c 
     cleanup:
6e9104c 
 	if (stream != NULL)
6e9104c 
diff --git a/lib/isc/win32/include/isc/platform.h.in b/lib/isc/win32/include/isc/platform.h.in
0163153 
index 8ade705..fa72f9d 100644
6e9104c 
--- a/lib/isc/win32/include/isc/platform.h.in
6e9104c 
+++ b/lib/isc/win32/include/isc/platform.h.in
0163153 
@@ -73,6 +73,11 @@
6e9104c 
 #define ISC_PLATFORM_NORETURN_PRE __declspec(noreturn)
6e9104c 
 #define ISC_PLATFORM_NORETURN_POST
6e9104c
6e9104c 
+/*
6e9104c 
+ * Define if the random functions are provided by crypto.
6e9104c 
+ */
6e9104c 
+@ISC_PLATFORM_CRYPTORANDOM@
6e9104c 
+
6e9104c 
 /*
6e9104c 
  * Define if the hash functions must be provided by OpenSSL.
6e9104c 
  */
6e9104c 
diff --git a/win32utils/Configure b/win32utils/Configure
dee096a 
index 79d682e..6c78cb2 100644
6e9104c 
--- a/win32utils/Configure
6e9104c 
+++ b/win32utils/Configure
12763cd 
@@ -382,6 +382,7 @@ my @substdefh = ("ALLOW_FILTER_AAAA",
6e9104c 
 my %configdefp;
6e9104c
6e9104c 
 my @substdefp = ("ISC_PLATFORM_BUSYWAITNOP",
6e9104c 
+                 "ISC_PLATFORM_CRYPTORANDOM",
6e9104c 
                  "ISC_PLATFORM_HAVEATOMICSTORE",
6e9104c 
                  "ISC_PLATFORM_HAVEATOMICSTOREQ",
6e9104c 
                  "ISC_PLATFORM_HAVECMPXCHG",
12763cd 
@@ -517,7 +518,8 @@ my @allcond = (@substcond, "NOTYET", "NOLONGER");
6e9104c
6e9104c 
 # enable-xxx/disable-xxx
6e9104c
6e9104c 
-my @enablelist = ("developer",
6e9104c 
+my @enablelist = ("crypto-rand",
6e9104c 
+                  "developer",
6e9104c 
                   "fixed-rrset",
6e9104c 
                   "intrinsics",
6e9104c 
                   "isc-spnego",
0163153 
@@ -580,6 +582,7 @@ my @help = (
6e9104c 
 "\nOptional Features:\n",
dee096a 
 "  enable-intrinsics     enable intrinsic/atomic functions [default=yes]\n",
6e9104c 
 "  enable-native-pkcs11  use native PKCS#11 for all crypto [default=no]\n",
6e9104c 
+"  enable-crypto-rand    use crypto provider for random [default=yes]\n",
6e9104c 
 "  enable-openssl-hash   use OpenSSL for hash functions [default=yes]\n",
6e9104c 
 "  enable-isc-spnego     use SPNEGO from lib/dns [default=yes]\n",
6e9104c 
 "  enable-filter-aaaa    enable filtering of AAAA records [default=yes]\n",
0163153 
@@ -628,7 +631,9 @@ my $want_clean = "no";
6e9104c 
 my $want_unknown = "no";
6e9104c 
 my $unknown_value;
6e9104c 
 my $enable_intrinsics = "yes";
6e9104c 
+my $cryptolib = "";
6e9104c 
 my $enable_native_pkcs11 = "no";
6e9104c 
+my $enable_crypto_rand = "yes";
6e9104c 
 my $enable_openssl_hash = "auto";
6e9104c 
 my $enable_filter_aaaa = "yes";
6e9104c 
 my $enable_isc_spnego = "yes";
0163153 
@@ -847,6 +852,10 @@ sub myenable {
6e9104c 
         if ($val =~ /^yes$/i) {
6e9104c 
             $enable_native_pkcs11 = "yes";
6e9104c 
         }
6e9104c 
+    } elsif ($key =~ /^crypto-rand$/i) {
6e9104c 
+        if ($val =~ /^no$/i) {
6e9104c 
+            $enable_crypto_rand = "no";
6e9104c 
+        }
6e9104c 
     } elsif ($key =~ /^openssl-hash$/i) {
6e9104c 
         if ($val =~ /^yes$/i) {
6e9104c 
             $enable_openssl_hash = "yes";
0163153 
@@ -1153,6 +1162,11 @@ if ($verbose) {
6e9104c 
     } else {
6e9104c 
         print "native-pkcs11: disabled\n";
6e9104c 
     }
6e9104c 
+    if ($enable_crypto_rand eq "yes") {
6e9104c 
+        print "crypto-rand: enabled\n";
6e9104c 
+    } else {
6e9104c 
+        print "crypto-rand: disabled\n";
6e9104c 
+    }
6e9104c 
     if ($enable_openssl_hash eq "yes") {
6e9104c 
         print "openssl-hash: enabled\n";
6e9104c 
     } else {
0163153 
@@ -1510,6 +1524,7 @@ if ($enable_intrinsics eq "yes") {
6e9104c
6e9104c 
 # enable-native-pkcs11
6e9104c 
 if ($enable_native_pkcs11 eq "yes") {
6e9104c 
+    $cryptolib = "pkcs11";
6e9104c 
     if ($use_openssl eq "auto") {
6e9104c 
         $use_openssl = "no";
6e9104c 
     }
0163153 
@@ -1719,6 +1734,7 @@ if ($use_openssl eq "yes") {
6e9104c 
         $openssl_dll = File::Spec->catdir($openssl_path, "@dirlist[0]");
6e9104c 
     }
6e9104c
6e9104c 
+    $cryptolib = "openssl";
6e9104c 
     $configcond{"OPENSSL"} = 1;
6e9104c 
     $configdefd{"CRYPTO"} = "OPENSSL";
6e9104c 
     $configvar{"OPENSSL_PATH"} = "$openssl_path";
0163153 
@@ -2290,6 +2306,15 @@ if ($use_aes eq "yes") {
6e9104c 
 }
6e9104c
843e5f5
6e9104c 
+# enable-crypto-rand
6e9104c 
+if ($enable_crypto_rand eq "yes") {
6e9104c 
+    if (($use_openssl eq "no") && ($enable_native_pkcs11 eq "no")) {
6e9104c 
+        die "No crypto provider for random functions\n";
6e9104c 
+    }
6e9104c 
+    $configdefp{"ISC_PLATFORM_CRYPTORANDOM"} = "\"$cryptolib\"";
6e9104c 
+}
6e9104c 
+print "Cryptographic library for DNSSEC: $cryptolib";
6e9104c 
+
6e9104c 
 # enable-openssl-hash
6e9104c 
 if ($enable_openssl_hash eq "yes") {
6e9104c 
     if ($use_openssl eq "no") {
0163153 
@@ -3665,6 +3690,7 @@ exit 0;
6e9104c 
 #  --enable-developer partially supported
6e9104c 
 #  --enable-newstats (9.9/9.9sub only)
6e9104c 
 #  --enable-native-pkcs11 supported
6e9104c 
+#  --enable-crypto-rand supported
6e9104c 
 #  --enable-openssl-version-check included without a way to disable it
6e9104c 
 #  --enable-openssl-hash supported
6e9104c 
 #  --enable-threads included without a way to disable it
6e9104c 
--
dee096a 
2.21.1
6e9104c
Powered by Pagure 5.14.1
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.