Date: Mon, 17 Oct 2016 20:28:16 +0000 From: bugzilla-noreply@freebsd.org To: freebsd-ports-bugs@FreeBSD.org Subject: [Bug 213577] databases/mariadb101-server: Use arc4random instead of RAND_SSLeay to unbreak data encryption at rest with LibreSSL Message-ID: <bug-213577-13@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213577

            Bug ID: 213577
           Summary: databases/mariadb101-server: Use arc4random instead of
                    RAND_SSLeay to unbreak data encryption at rest with
                    LibreSSL
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Keywords: patch
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: brnrd@freebsd.org
          Reporter: grembo@FreeBSD.org
             Flags: maintainer-feedback?(brnrd@freebsd.org)

Created attachment 175879
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=175879&action=edit
Patch to replace RAND_SSLeay by arc4random_buf if LibreSSL is detected

When using data encryption at rest on MariaDB built with LibreSSL, as
described here

https://mariadb.com/kb/en/mariadb/data-at-rest-encryption/

the following error occurs and mysql-server won't start:

2016-10-17 17:45:32 34426872832 [ERROR] InnoDB: Redo log crypto: generate
16-byte random number as crypto msg failed.
2016-10-17 17:45:32 804006400 InnoDB: Assertion failure in thread 34426872832
in file log0crypt.cc line 379

This is due to my_random_bytes using OpenSSL's deprecated RAND_* functions,
which exist in LibreSSL for ABI compatibility but have been disabled; see
also:

http://man.openbsd.org/OpenBSD-current/man3/RAND_set_rand_method.3

and the implementation of RAND_SSLeay here:

https://github.com/libressl/libressl/blob/master/src/crypto/rand/rand_lib.c#L36

The attached patch fixes this by replacing the random function with
arc4random_buf (which AFAIK should be non-blocking and should always be
preferred).

Right now the fix is only applied if LibreSSL is detected. I feel like it
would be better to always use arc4random on *BSD and push that fix upstream,
but this might require a lot more effort and discussion than just fixing it
in the FreeBSD ports tree and for LibreSSL.

p.s. I created and tested the patch on 10.1.17, which was the current version
until like 90 minutes ago, but it should apply and build cleanly anyway.

-- 
You are receiving this mail because:
You are the assignee for the bug.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-213577-13>
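The report above describes a random-bytes wrapper that fails when the OpenSSL RAND_* method path is disabled (LibreSSL), and proposes filling the buffer with arc4random_buf(3) instead, which has no error return and never blocks. The following is an added example of what such a wrapper looks like; it is not MariaDB's code and not the attached patch. The function name my_random_bytes and its return convention (0 on success, -1 on failure) are assumptions for illustration, and the /dev/urandom fallback for non-BSD hosts is an assumption added only so the example also builds and runs on Linux; the report itself only concerns the *BSD/LibreSSL case.

```c
/* Added example, not MariaDB's code and not the attached patch.
 * Assumed wrapper shape: my_random_bytes() returns 0 on success, -1 on
 * failure, which is the kind of "failed" path the InnoDB redo-log code in
 * the report trips over when the OpenSSL RAND_* method is unavailable. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* On the BSDs (and macOS) arc4random_buf(3) lives in <stdlib.h>. */
#if defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__) || \
    defined(__DragonFly__) || defined(__APPLE__)
#define HAVE_ARC4RANDOM_BUF 1
#endif

/* Fill buf[0..len) with cryptographically strong random bytes. */
int my_random_bytes(unsigned char *buf, size_t len)
{
#if HAVE_ARC4RANDOM_BUF
    /* arc4random_buf(3) is seeded by the kernel, never blocks and has no
     * error return: there is no failure path to check here. */
    arc4random_buf(buf, len);
    return 0;
#else
    /* Assumed fallback for non-BSD hosts (not part of the report):
     * read the kernel CSPRNG device and treat a short read as failure. */
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t got = fread(buf, 1, len, f);
    fclose(f);
    return got == len ? 0 : -1;
#endif
}

/* Mirrors the 16-byte "crypto msg" the redo log asks for in the logged
 * error: returns 1 if 16 bytes were produced and are not all zero,
 * 0 if the generator reported failure (or, vanishingly unlikely,
 * returned sixteen zero bytes). */
int generate_crypto_msg(unsigned char msg[16])
{
    if (my_random_bytes(msg, 16) != 0)
        return 0;
    unsigned char acc = 0;
    for (size_t i = 0; i < 16; i++)
        acc |= msg[i];
    return acc != 0;
}

int main(void)
{
    unsigned char msg[16];
    if (!generate_crypto_msg(msg)) {
        fprintf(stderr, "generate 16-byte random number failed\n");
        return 1;
    }
    for (size_t i = 0; i < sizeof msg; i++)
        printf("%02x", msg[i]);
    printf("\n");
    return 0;
}
```

The point of the arc4random_buf branch is that there is nothing to check: the call cannot fail, so the error path the redo-log code reports can only be reached through a generator that exposes a failure return, such as the disabled OpenSSL RAND_* method the report describes.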