Bug 694 - Unbound configure script can make bad choices when not detecting LibreSSL
Unbound configure script can make bad choices when not detecting LibreSSL
Product: unbound
Classification: Unclassified
Component: server
x86_64 All
: P5 major
Assigned To: unbound team
Depends on:
  Show dependency treegraph
Reported: 2015-08-11 02:40 CEST by Brent Cook
Modified: 2015-08-11 09:31 CEST (History)
2 users (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Brent Cook 2015-08-11 02:40:17 CEST
I am trying to help a LibreSSL user track down an issue building LibreSSL 2.2.2 against Unbound 1.5.4. During diagnosis, I discovered that Unbound's configure script uses grep to look for particular strings in opensslv.h before it will probe the OS for particular header file definitions.

The issue is described in more detail here: https://github.com/libressl-portable/portable/issues/120#issuecomment-129263256

Essentially, the LibreSSL-only check declarations of reallocarray and other functions causes code to be built incorrectly. I suggest that the check for header definitions be done unconditionally. Otherwise, side-effects such as pointer truncation can occur:

util/config_file.c:1040:11: warning: cast to 'int *' from smaller integer type 'int'
        *avail = (int*)reallocarray(NULL, (size_t)num, sizeof(int));

There is a proposed patch inline on the other issue, which fixes the problem for me.

$ diff -uw configure.ac.orig configure.ac
--- configure.ac.orig   2015-08-09 17:14:57.000000000 -0700
+++ configure.ac    2015-08-09 17:15:03.000000000 -0700
@@ -566,15 +566,7 @@
-if grep OPENSSL_VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then
-   AC_MSG_RESULT([yes])
-   AC_DEFINE([HAVE_LIBRESSL], [1], [Define if we have LibreSSL])
-   # libressl provides these compat functions, but they may also be
-   # declared by the OS in libc.  See if they have been declared.
-   AC_MSG_RESULT([no])
 AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode])
@@ -1261,7 +1253,6 @@
 char *strptime(const char *s, const char *format, struct tm *tm);

 size_t strlcpy(char *dst, const char *src, size_t siz);
 #  endif
@@ -1277,7 +1268,6 @@
 void *reallocarray(void *ptr, size_t nmemb, size_t size);
 #  endif
-#endif /* HAVE_LIBRESSL */
 void explicit_bzero(void* buf, size_t len);
 int getentropy(void* buf, size_t len);
Comment 1 Wouter Wijngaards 2015-08-11 09:31:45 CEST
Hi Brent,

Fixed.  Thank you for the report.

Instead of your patch, I used this one, from Christian Neukirchen.  I think this one is more portable to non-LibreSSL systems.  It works with LibreSSL 2.0.0 and 2.2.2 and OpenSSL too.

-if grep OPENSSL_VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then
+if grep -e OPENSSL_VERSION_TEXT -e LIBRESSL_VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then

Best regards, Wouter