Bug#566351: libgcrypt problem

Howard Chu hyc at highlandsun.com
Thu Apr 29 15:36:57 UTC 2010

> See comment #72 of this launchpad bug report for a detailed description
> of why libgcrypt's behavior causes the problem in libldap.
> https://bugs.launchpad.net/debian/+source/sudo/+bug/423252/
> https://bugs.launchpad.net/debian/+source/sudo/+bug/423252/comments/72

Note that the root cause here is that gnutls depends on libgcrypt but doesn't
fully encapsulate it. None of the gnutls docs mention that any special
initialization function needs to be called when using it in a threaded
application. App writers using gnutls should not need to know that libgcrypt
is under the covers and needs special handling. (Indeed, as illustrated in
this bug report, apps generally won't and can't know anything about the
underlying libraries.) So aside from deciding what fix, if any, is appropriate
for libgcrypt's secmem implementation, the larger issue remains of how to make
libgcrypt safe for use when it's nested under other libraries like gnutls.
Saying "applications are responsible for correctly initializing libgcrypt" is
a non-starter. libgcrypt needs to have that requirement removed, and gnutls
needs to be more comprehensive and explicit in the steps it takes to
initialize libgcrypt, so that gnutls callers are completely shielded from the
lower API layers.

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
