Date: Sat, 5 Nov 2016 16:56:00 +0000 (UTC) From: Michael Gmelin <grembo@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r425398 - in head/databases/mariadb101-server: . files Message-ID: <201611051656.uA5Gu0TK085812@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: grembo Date: Sat Nov 5 16:56:00 2016 New Revision: 425398 URL: https://svnweb.freebsd.org/changeset/ports/425398 Log: Fix data encryption at rest when building with LibreSSL Replace RAND_SSLeay->bytes with arc4random_buf when using LibreSSL, as it supports RAND_SSLeay only for ABI compatibility [0]. Note that the code in question in mariadb mentions that RAND_bytes isn't guaranteed to not block and therefore uses these functions directly. As LibreSSL implements RAND_bytes in terms of arc4random_buf, which shouldn't block, the patch could also use RAND_bytes instead of using arc4random_buf directly, but the current version of the patch has been tested in production and might be less confusing overall. Bumped revision, as this fixes a runtime problem. [0] https://github.com/libressl/libressl/blob/master/src/crypto/rand/rand_lib.c#L36 PR: 213577 Approved by: ssl blanket Added: head/databases/mariadb101-server/files/patch-mysys_ssl-my_crypt.cc (contents, props changed) Modified: head/databases/mariadb101-server/Makefile Modified: head/databases/mariadb101-server/Makefile ============================================================================== --- head/databases/mariadb101-server/Makefile Sat Nov 5 16:54:58 2016 (r425397) +++ head/databases/mariadb101-server/Makefile Sat Nov 5 16:56:00 2016 (r425398) @@ -2,6 +2,7 @@ PORTNAME?= mariadb PORTVERSION= 10.1.18 +PORTREVISION= 1 CATEGORIES= databases ipv6 MASTER_SITES= http://ftp.osuosl.org/pub/${SITESDIR}/ \ http://mirrors.supportex.net/${SITESDIR}/ \ Added: head/databases/mariadb101-server/files/patch-mysys_ssl-my_crypt.cc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/databases/mariadb101-server/files/patch-mysys_ssl-my_crypt.cc Sat Nov 5 16:56:00 2016 (r425398) @@ -0,0 +1,25 @@ +--- mysys_ssl/my_crypt.cc.orig 2016-08-29 16:38:54.000000000 +0200 ++++ mysys_ssl/my_crypt.cc 2016-10-17 19:14:45.146531847 +0200 +@@ -275,10 +275,14 @@ + return MY_AES_OK; + } + #else ++#include <openssl/opensslv.h> + #include <openssl/rand.h> + + int my_random_bytes(uchar *buf, int num) + { ++#if defined(LIBRESSL_VERSION_NUMBER) ++ arc4random_buf(buf, num); ++#else + /* + Unfortunately RAND_bytes manual page does not provide any guarantees + in relation to blocking behavior. Here we explicitly use SSLeay random +@@ -288,6 +292,7 @@ + RAND_METHOD *rand = RAND_SSLeay(); + if (rand == NULL || rand->bytes(buf, num) != 1) + return MY_AES_OPENSSL_ERROR; ++#endif + return MY_AES_OK; + } + #endif
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201611051656.uA5Gu0TK085812>