Summary: | databases/mariadb101-server: Use arc4random instead of RAND_SSLeay to unbreak data encryption at rest with LibreSSL | ||||||
---|---|---|---|---|---|---|---|
Product: | Ports & Packages | Reporter: | Michael Gmelin <grembo> | ||||
Component: | Individual Port(s) | Assignee: | Michael Gmelin <grembo> | ||||
Status: | Closed FIXED | ||||||
Severity: | Affects Some People | CC: | grembo | ||||
Priority: | --- | Keywords: | patch | ||||
Version: | Latest | Flags: | bugzilla:
maintainer-feedback?
(brnrd) |
||||
Hardware: | Any | ||||||
OS: | Any | ||||||
Attachments: |
|
Description
Michael Gmelin
2016-10-17 20:28:16 UTC
As I didn't hear back in two and I think this covered by the SSL blanket approval anyway, I'll go ahead and commit it myself. A commit references this bug: Author: grembo Date: Sat Nov 5 16:56:01 UTC 2016 New revision: 425398 URL: https://svnweb.freebsd.org/changeset/ports/425398 Log: Fix data encryption at rest when building with LibreSSL Replace RAND_SSLeay->bytes with arc4random_buf when using LibreSSL, as it supports RAND_SSLeay only for ABI compatibility [0]. Note that the code in question in mariadb mentions that RAND_bytes isn't guaranteed to not block and therefore uses these functions directly. As LibreSSL implements RAND_bytes in terms of arc4random_buf, which shouldn't block, the patch could also use RAND_bytes instead of using arc4random_buf directly, but the current version of the patch has been tested in production and might be less confusing overall. Bumped revision, as this fixes a runtime problem. [0] https://github.com/libressl/libressl/blob/master/src/crypto/rand/rand_lib.c#L36 PR: 213577 Approved by: ssl blanket Changes: head/databases/mariadb101-server/Makefile head/databases/mariadb101-server/files/patch-mysys_ssl-my_crypt.cc A commit references this bug: Author: brnrd Date: Sat Nov 12 00:49:05 UTC 2016 New revision: 425917 URL: https://svnweb.freebsd.org/changeset/ports/425917 Log: MFH: r424132 r425398 r425916 databases/mariadb101-server: Update to 10.1.18 - Regular update to 10.1.18 Fix data encryption at rest when building with LibreSSL Replace RAND_SSLeay->bytes with arc4random_buf when using LibreSSL, as it supports RAND_SSLeay only for ABI compatibility [0]. Note that the code in question in mariadb mentions that RAND_bytes isn't guaranteed to not block and therefore uses these functions directly. As LibreSSL implements RAND_bytes in terms of arc4random_buf, which shouldn't block, the patch could also use RAND_bytes instead of using arc4random_buf directly, but the current version of the patch has been tested in production and might be less confusing overall. Bumped revision, as this fixes a runtime problem. [0] https://github.com/libressl/libressl/blob/master/src/crypto/rand/rand_lib.c#L36 PR: 213577 Approved by: ssl blanket databases/mariadb101-server: Update to 10.1.19 - Update to 10.1.19 - Use target-OPT-on not .if exists - Remove OQGraph patches now included upstream PR: 213902 Security: 9bc14850-a070-11e6-a881-b499baebfeaf Approved by: ports-secteam (junovitch) Changes: _U branches/2016Q4/ branches/2016Q4/databases/mariadb101-server/Makefile branches/2016Q4/databases/mariadb101-server/distinfo branches/2016Q4/databases/mariadb101-server/files/patch-mysys_ssl-my_crypt.cc branches/2016Q4/databases/mariadb101-server/files/patch-storage_oqgraph_graphcore.cc branches/2016Q4/databases/mariadb101-server/files/patch-storage_oqgraph_oqgraph__shim.h |