svn commit: r425398 - in head/databases/mariadb101-server: . files

Michael Gmelin grembo at FreeBSD.org
Sat Nov 5 16:56:02 UTC 2016 

Author: grembo
Date: Sat Nov  5 16:56:00 2016
New Revision: 425398
URL: https://svnweb.freebsd.org/changeset/ports/425398

Log:
  Fix data encryption at rest when building with LibreSSL
  
  Replace RAND_SSLeay->bytes with arc4random_buf when using LibreSSL, as
  it supports RAND_SSLeay only for ABI compatibility [0].
  
  Note that the code in question in mariadb mentions that RAND_bytes
  isn't guaranteed to not block and therefore uses these functions directly.
  As LibreSSL implements RAND_bytes in terms of arc4random_buf, which
  shouldn't block, the patch could also use RAND_bytes instead of
  using arc4random_buf directly, but the current version of the patch
  has been tested in production and might be less confusing overall.
  
  Bumped revision, as this fixes a runtime problem.
  
  [0]
  https://github.com/libressl/libressl/blob/master/src/crypto/rand/rand_lib.c#L36
  
  PR:		213577
  Approved by:	ssl blanket

Added:
  head/databases/mariadb101-server/files/patch-mysys_ssl-my_crypt.cc   (contents, props changed)
Modified:
  head/databases/mariadb101-server/Makefile

Modified: head/databases/mariadb101-server/Makefile
==============================================================================
--- head/databases/mariadb101-server/Makefile	Sat Nov  5 16:54:58 2016	(r425397)
+++ head/databases/mariadb101-server/Makefile	Sat Nov  5 16:56:00 2016	(r425398)
@@ -2,6 +2,7 @@
 
 PORTNAME?=	mariadb
 PORTVERSION=	10.1.18
+PORTREVISION=	1
 CATEGORIES=	databases ipv6
 MASTER_SITES=	http://ftp.osuosl.org/pub/${SITESDIR}/ \
 		http://mirrors.supportex.net/${SITESDIR}/ \

Added: head/databases/mariadb101-server/files/patch-mysys_ssl-my_crypt.cc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/databases/mariadb101-server/files/patch-mysys_ssl-my_crypt.cc	Sat Nov  5 16:56:00 2016	(r425398)
@@ -0,0 +1,25 @@
+--- mysys_ssl/my_crypt.cc.orig	2016-08-29 16:38:54.000000000 +0200
++++ mysys_ssl/my_crypt.cc	2016-10-17 19:14:45.146531847 +0200
+@@ -275,10 +275,14 @@
+   return MY_AES_OK;
+ }
+ #else
++#include <openssl/opensslv.h>
+ #include <openssl/rand.h>
+ 
+ int my_random_bytes(uchar *buf, int num)
+ {
++#if defined(LIBRESSL_VERSION_NUMBER)
++  arc4random_buf(buf, num);
++#else
+   /*
+     Unfortunately RAND_bytes manual page does not provide any guarantees
+     in relation to blocking behavior. Here we explicitly use SSLeay random
+@@ -288,6 +292,7 @@
+   RAND_METHOD *rand = RAND_SSLeay();
+   if (rand == NULL || rand->bytes(buf, num) != 1)
+     return MY_AES_OPENSSL_ERROR;
++#endif
+   return MY_AES_OK;
+ }
+ #endif

More information about the svn-ports-all mailing list