broken linkage for three dnssec tools
I discovered some weird breakage in my production build of BIND 9.14.3: three of the dnssec
command-line tools were not linked correctly against OpenSSL, whereas everything else was.
```
$ ldd /home/named/bin/* | grep OPENSSL
/home/named/bin/dnssec-importkey: /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1: version `OPENSSL_1_1_1' not found (required by /home/BIND/9.14.3+0/lib/libdns.so.1309)
/home/named/bin/dnssec-revoke: /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1: version `OPENSSL_1_1_1' not found (required by /home/BIND/9.14.3+0/lib/libdns.so.1309)
/home/named/bin/dnssec-settime: /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1: version `OPENSSL_1_1_1' not found (required by /home/BIND/9.14.3+0/lib/libdns.so.1309)
```
The broken binaries have the wrong run-time linker path. Here's a comparison between a broken tool (dnssec-settime) and a working one (dnssec-verify):

```
$ objdump -p /home/named/bin/dnssec-settime | grep RUNPATH
  RUNPATH              /home/BIND/9.14.3+0/lib
$ objdump -p /home/named/bin/dnssec-verify | grep RUNPATH
  RUNPATH              /home/BIND/OpenSSL-1.1.1c/lib:/home/BIND/9.14.3+0/lib
```
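The comparison above can be turned into a post-install check that flags any binary whose RUNPATH omits the private OpenSSL lib dir or whose `ldd` reports an unresolved versioned symbol, so this kind of mis-link is caught before deployment. This is an added example, not part of the original report; it assumes `objdump` and `ldd` are available and defaults to the paths used in the report.

```sh
#!/bin/sh
# Added example, not from the original report: a post-install check that every
# ELF binary in the install dir has the private OpenSSL lib dir in its RUNPATH
# and no unresolved versioned symbols, so mis-linked dnssec tools are caught
# before deployment. Assumed: objdump/ldd present; paths default to the report's.

OPENSSL_LIB="${OPENSSL_LIB:-/home/BIND/OpenSSL-1.1.1c/lib}"
BIN_DIR="${BIN_DIR:-/home/named/bin}"

# runpath_has_dir DIR: reads `objdump -p` output on stdin; succeeds only if DIR
# is one of the colon-separated RUNPATH entries (RPATH is the legacy tag).
runpath_has_dir() {
  path=$(awk '$1 == "RUNPATH" || $1 == "RPATH" { print $2; exit }')
  case ":$path:" in
    *":$1:"*) return 0 ;;
    *)        return 1 ;;
  esac
}

# ldd_missing_symver: reads `ldd` output on stdin; succeeds if any line reports
# a missing versioned symbol, e.g. version `OPENSSL_1_1_1' not found.
ldd_missing_symver() {
  grep -q "version .* not found"
}

# check_binary FILE: runs both checks on a real file; returns 0 only if it is OK.
check_binary() {
  bin=$1 status=0
  if ! objdump -p "$bin" 2>/dev/null | runpath_has_dir "$OPENSSL_LIB"; then
    echo "BAD  $bin: RUNPATH lacks $OPENSSL_LIB"; status=1
  fi
  if ldd "$bin" 2>&1 | ldd_missing_symver; then
    echo "BAD  $bin: unresolved versioned symbol (see ldd)"; status=1
  fi
  [ "$status" -eq 0 ] && echo "OK   $bin"
  return "$status"
}

# Walk the install dir when it exists. Only files starting with the ELF magic
# are checked, so the python dnssec-* helper scripts are skipped.
if [ -d "$BIN_DIR" ]; then
  bad=0
  for f in "$BIN_DIR"/*; do
    head -c 4 "$f" 2>/dev/null | grep -q ELF || continue
    check_binary "$f" || bad=$((bad + 1))
  done
  echo "$bad mis-linked binary(ies) in $BIN_DIR"
fi
```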
In the Makefile I can see that the broken tools are built differently from the working ones.
https://gitlab.isc.org/isc-projects/bind9/blob/master/bin/dnssec/Makefile.in
My build script uses the following commands. I'm not installing BIND or OpenSSL in the usual places so that I can have multiple versions installed in case I need to roll back. The operating system is Debian Stretch amd64.
```sh
export LD_RUN_PATH=$PREFIX/lib:$OpenSSL/lib
# I am probably being a bit paranoid about pinning defaults...
./configure --enable-option-checking=fatal \
    --enable-backtrace \
    --enable-full-report \
    --enable-largefile \
    --disable-dnstap \
    --with-cmocka=no \
    --with-libfstrm=no \
    --with-geoip=no \
    --with-gssapi=no \
    --with-libidn2=no \
    --with-libjson=yes \
    --with-libtool=yes \
    --with-libxml2=yes \
    --with-lmdb=no \
    --with-openssl=$OpenSSL \
    --with-pkcs11=no \
    --with-protobuf-c=no \
    --with-purify=no \
    --with-python=yes \
    --with-readline=yes \
    --with-tuning=$tuning \
    --with-zlib=yes \
    --prefix=$PREFIX \
    --mandir=$PREFIX/man \
    --localstatedir=/home/named/var \
    --sysconfdir=/home/named/etc
# todo: add -fstack-clash-protection when it is supported
make EXT_CFLAGS="-fPIE -pie \
    -Wp,-D_FORTIFY_SOURCE=2 \
    -Wl,-z,relro \
    -Wl,-z,now \
    -Wl,-R,$OpenSSL/lib \
    -fstack-protector-strong \
    --param=ssp-buffer-size=4" \
    -j all
make install DESTDIR=$destdir
```
Although 9.15 and 9.14 have the same odd difference in the Makefile between the broken tools and the working ones, my test build of 9.15 works OK. It uses somewhat different flags that I think became necessary when OpenSSL was made mandatory.
```sh
OPENSSL_CFLAGS="-I$OpenSSL/include" \
OPENSSL_LIBS="-L$OpenSSL/lib -Wl,-R,$OpenSSL/lib -lcrypto " \
./configure --lots --of --long --options --omitted --for --brevity
make EXT_CFLAGS="-fPIE -pie -Wl,-z,relro -Wl,-z,now \
    -Wp,-D_FORTIFY_SOURCE=2 \
    -fstack-protector-strong --param=ssp-buffer-size=4" \
    -j20 all
make install DESTDIR=$dest
```