[Bug 213577] databases/mariadb101-server: Use arc4random instead of RAND_SSLeay to unbreak data encryption at rest with LibreSSL

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Mon Oct 17 20:28:17 UTC 2016 

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213577

            Bug ID: 213577
           Summary: databases/mariadb101-server: Use arc4random instead of
                    RAND_SSLeay to unbreak data encryption at rest with
                    LibreSSL
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Keywords: patch
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: brnrd at freebsd.org
          Reporter: grembo at FreeBSD.org
             Flags: maintainer-feedback?(brnrd at freebsd.org)
          Assignee: brnrd at freebsd.org

Created attachment 175879
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=175879&action=edit
Patch to replace RAND_SSLeay by arc4random_buf if LibreSSL is detected

When using data encryption at rest on MariaDB built with LibreSSL like
described here

https://mariadb.com/kb/en/mariadb/data-at-rest-encryption/

the following error occurs and mysql-server won't start:

2016-10-17 17:45:32 34426872832 [ERROR] InnoDB: Redo log crypto: generate
16-byte random number as crypto msg failed.
2016-10-17 17:45:32 804006400  InnoDB: Assertion failure in thread 34426872832
in file log0crypt.cc line 379

This is due to my_random_bytes using OpenSSL's deprecated RAND_* functions,
which exist in LibreSSL for ABI compatibility, but have been disabled, see
also:

http://man.openbsd.org/OpenBSD-current/man3/RAND_set_rand_method.3 and the
implementation of RAND_SSLeay here:
https://github.com/libressl/libressl/blob/master/src/crypto/rand/rand_lib.c#L36

The attached patch fixes this by replacing the random function with
arc4random_buf (which AFAIK should be non-blocking and should always be
preferred).

Right now the fix is only applied if LibreSSL is detected. I feel like it would
be better to always use arc4random on *BSD and push that fix upstream, but this
might require a lot more effort and discussion than just fixing it in the
FreeBSD ports tree and for LibreSSL.

p.s. I created and tested the patch on 10.1.17, which was the current version
until like 90 minutes ago, but it should apply and build cleanly anyway.

-- 
You are receiving this mail because:
You are the assignee for the bug.

More information about the freebsd-ports-bugs mailing list