diff options
| author | grembo <grembo@FreeBSD.org> | 2016-11-06 00:56:00 +0800 |
|---|---|---|
| committer | grembo <grembo@FreeBSD.org> | 2016-11-06 00:56:00 +0800 |
| commit | 36c3569fffd6e9b75e501c67ba3963dc7452814a (patch) | |
| tree | 88632ce8be57a8f5bff44741073a5b461bd2b90c /databases | |
| parent | 47c7bd997ccd0a41ecfc14d3cbff387a5b543e23 (diff) | |
| download | freebsd-ports-gnome-36c3569fffd6e9b75e501c67ba3963dc7452814a.tar.gz freebsd-ports-gnome-36c3569fffd6e9b75e501c67ba3963dc7452814a.tar.zst freebsd-ports-gnome-36c3569fffd6e9b75e501c67ba3963dc7452814a.zip | |
Fix data encryption at rest when building with LibreSSL
Replace RAND_SSLeay->bytes with arc4random_buf when using LibreSSL, as
it supports RAND_SSLeay only for ABI compatibility [0].
Note that the code in question in mariadb mentions that RAND_bytes
isn't guaranteed to not block and therefore uses these functions directly.
As LibreSSL implements RAND_bytes in terms of arc4random_buf, which
shouldn't block, the patch could also use RAND_bytes instead of
using arc4random_buf directly, but the current version of the patch
has been tested in production and might be less confusing overall.
Bumped revision, as this fixes a runtime problem.
[0]
https://github.com/libressl/libressl/blob/master/src/crypto/rand/rand_lib.c#L36
PR: 213577
Approved by: ssl blanket
Diffstat (limited to 'databases')
| -rw-r--r-- | databases/mariadb101-server/Makefile | 1 | ||||
| -rw-r--r-- | databases/mariadb101-server/files/patch-mysys_ssl-my_crypt.cc | 25 |
2 files changed, 26 insertions, 0 deletions
diff --git a/databases/mariadb101-server/Makefile b/databases/mariadb101-server/Makefile index 83975fe97d50..2f7b44ede2fe 100644 --- a/databases/mariadb101-server/Makefile +++ b/databases/mariadb101-server/Makefile @@ -2,6 +2,7 @@ PORTNAME?= mariadb PORTVERSION= 10.1.18 +PORTREVISION= 1 CATEGORIES= databases ipv6 MASTER_SITES= http://ftp.osuosl.org/pub/${SITESDIR}/ \ http://mirrors.supportex.net/${SITESDIR}/ \ diff --git a/databases/mariadb101-server/files/patch-mysys_ssl-my_crypt.cc b/databases/mariadb101-server/files/patch-mysys_ssl-my_crypt.cc new file mode 100644 index 000000000000..16db8b34fb6a --- /dev/null +++ b/databases/mariadb101-server/files/patch-mysys_ssl-my_crypt.cc @@ -0,0 +1,25 @@ +--- mysys_ssl/my_crypt.cc.orig 2016-08-29 16:38:54.000000000 +0200 ++++ mysys_ssl/my_crypt.cc 2016-10-17 19:14:45.146531847 +0200 +@@ -275,10 +275,14 @@ + return MY_AES_OK; + } + #else ++#include <openssl/opensslv.h> + #include <openssl/rand.h> + + int my_random_bytes(uchar *buf, int num) + { ++#if defined(LIBRESSL_VERSION_NUMBER) ++ arc4random_buf(buf, num); ++#else + /* + Unfortunately RAND_bytes manual page does not provide any guarantees + in relation to blocking behavior. Here we explicitly use SSLeay random +@@ -288,6 +292,7 @@ + RAND_METHOD *rand = RAND_SSLeay(); + if (rand == NULL || rand->bytes(buf, num) != 1) + return MY_AES_OPENSSL_ERROR; ++#endif + return MY_AES_OK; + } + #endif |