I've been looking more into the failure mentioned in
<http://osdir.com/ml/bacula/2015-05/msg00171.html> whereby trying to
enable data encryption in the FD fails, *unless* the fd is running in
the foreground (via the -f flag).

(Bacula 7.0.5 running on FreeBSD 9.3, which is the version on which
the current stable FreeNAS is based.)

I've tracked things down in Bacula code to the call to EVP_CipherInit_ex
at around line 1307 in src/lib/crypto.c in crypto_cipher_new().  That call
fails; however, we don't get any diagnostics: openssl_post_errors() in
openssl.c doesn't record anything because ERR_get_error() never returns
non-zero.

I attached to both the backgrounded and non-backgrounded processes
via truss to look for differences.  Here in the foreground (working)
process we see:

  open("/mnt/pool1/local/etc/bacula/testfile",O_RDONLY,00) = 10 (0xa)
  ioctl(3,CRIOGET,0xff7fb25c)                      = 0 (0x0)

Bacula opens the file to be backed up, and the ioctl appears to be the
first system call made in EVP_CipherInit_ex (file descriptor 3 is,
I believe, /dev/crypto).  The CRIOGET ioctl looks like it dups the
original file descriptor. (Why, I don't know.) The 3rd arg is the
address of the int that is the target of the dup.

Now the failing case:

  open("/mnt/pool1/local/etc/bacula/testfile",O_RDONLY,00) = 10 (0xa)
  ioctl(3,CRIOGET,0xff5fa25c)         ERR#25 'Inappropriate ioctl for device'

WTF? So it makes it look like in at least FreeBSD 9.3 /dev/crypto file
descriptors can't be cloned unless it is a foreground process.  You would
think that this is something that was noticed a long time ago.

I'm wondering, with all the OpenSSL updates recently, if this is a case
where a newer OpenSSL was backported and this regression was missed.

Does my assessment sound feasible?  Does anyone have Bacula 7.0.5
installed on a more recent FreeBSD and is able to validate if data
encryption works?  (This doesn't seem to impact network encryption.)

Devin


_______________________________________________
Bacula-devel mailing list
Bacula-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-devel
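
The message above takes descriptor 3 to be /dev/crypto in both the foreground and the backgrounded process. The following is an added example, not code from the original post or from Bacula, showing one way to test that kind of assumption: record a descriptor's device and inode when it is opened, then confirm later that the same number still names the same object. The scenario is constructed and hypothetical (a descriptor closed and its number handed out again), /dev/null stands in for /dev/crypto, and the function names are made up for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Record what an open descriptor refers to (device + inode). */
int fd_snapshot(int fd, struct stat *out)
{
    return fstat(fd, out);
}

/* 1 = fd still refers to the recorded object, 0 = the number now names
 * something else, -1 = fd is closed. */
int fd_still_same(int fd, const struct stat *orig)
{
    struct stat now;
    if (fstat(fd, &now) != 0)
        return -1;
    return now.st_dev == orig->st_dev && now.st_ino == orig->st_ino;
}

/* Constructed scenario: a descriptor number is cached, closed behind the
 * caller's back, and handed out again by the next open(). Returns the
 * fd_still_same() verdict for the cached number, or -2 on setup failure. */
int simulate_reuse(const char *dev_path, const char *other_path)
{
    struct stat orig;
    int cached = open(dev_path, O_RDONLY);
    if (cached < 0 || fd_snapshot(cached, &orig) != 0)
        return -2;
    close(cached);                          /* stand-in for a close-all loop */
    int other = open(other_path, O_RDONLY); /* lowest free number is reused */
    if (other < 0)
        return -2;
    int verdict = (other == cached) ? fd_still_same(cached, &orig) : -2;
    close(other);
    return verdict;
}

int main(void)
{
    /* /dev/null stands in for /dev/crypto; "/" for any later-opened file. */
    int v = simulate_reuse("/dev/null", "/");
    printf("cached descriptor still the device? %d\n", v);
    return v == 0 ? 0 : 1;
}
```

On a running FreeBSD process the same question can be answered without code by listing its open descriptors with `procstat -f <pid>` for the foreground and the backgrounded daemon and comparing what descriptor 3 names in each.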