Bug#643948: nslcd: daemon hang during machine boot process

Arthur de Jong adejong at debian.org
Sat Nov 30 22:48:52 UTC 2013


Followup-For: Bug #643948
Package: libgcrypt11
Version: 1.5.3-2

On Thu, 2013-05-23 at 20:34 +0200, Arthur de Jong wrote:
> Today, for the first time I ran into this problem on my own system. From
> the logs:

Again a crash today, from syslog:

Nov 30 19:05:09 sorbet nslcd[2307]: version 0.9.1 starting
Nov 30 19:05:14 sorbet nslcd[2307]: accepting connections
Nov 30 19:05:15 sorbet nslcd[2307]: Libgcrypt notice: state transition Power-On => Fatal-Error
Nov 30 19:05:15 sorbet nslcd[2307]: Libgcrypt error: invalid state transition Fatal-Error => Fatal-Error
Nov 30 19:05:15 sorbet nslcd[2307]: Libgcrypt terminated the application
Nov 30 19:05:15 sorbet nslcd[2307]: Libgcrypt error: invalid state transition Fatal-Error => Fatal-Error
Nov 30 19:05:15 sorbet nslcd[2307]: Libgcrypt terminated the application
Nov 30 19:05:15 sorbet nslcd[2307]: Libgcrypt error: fatal error in file visibility.c, line 1283, function gcry_create_nonce: called in non-operational state

I can't find many more avenues to investigate this, except digging
through the code. I would appreciate a few pointers though.

So far my system doesn't seem to be in FIPS mode (I certainly didn't
consciously configure it that way):

$ cat /proc/sys/crypto/fips_enabled 
0
$ cat /etc/gcrypt/fips_enabled
cat: /etc/gcrypt/fips_enabled: No such file or directory
$ grep -r GCRYCTL_FORCE_FIPS_MODE nss-pam-ldapd openldap
[nothing]

The nslcd process is multi-threaded so there could be a case where
multiple threads are started and are initialising gnutls and in turn
gcrypt and some race condition is happening.

For this I could add some code, as a workaround, to nslcd that would
initialise gcrypt before going multi-threaded (however, that would
probably cause problems for libldap that probably wants to do the same).

The difficult bit is that this is not easy to reproduce. This seems to
happen once every few months at most and so far only during boot.

The only similar issue I could find was this (also without resolution):
  http://jira.freeswitch.org/browse/FS-3438

Any input on how to move forward with this, test workarounds, gather
more information or make this easier to reproduce is appreciated.

Thanks,

Versions of relevant packages:
ii  libc6              2.17-97
ii  libgssapi-krb5-2   1.11.3+dfsg-3
ii  libldap-2.4-2      2.4.31-1+nmu2+b1
ii  libgcrypt11        1.5.3-2
ii  libgnutls26        2.12.23-8
ii  libsasl2-2         2.1.25.dfsg1-17
ii  libgpg-error0      1.12-0.2
ii  multiarch-support  2.17-97

-- 
-- arthur - adejong at debian.org - http://people.debian.org/~adejong --
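
Added example, not part of the original message or of nslcd/libgcrypt: since the failure shows up only once every few months, a log scan like the one below can flag each occurrence and record how long after daemon start libgcrypt entered Fatal-Error. The scan() helper, its report field names and the year argument (syslog lines carry no year) are assumptions; the sample input is the syslog excerpt quoted in the message.

```python
import re
from datetime import datetime

# Sample input: the syslog lines quoted in the message above.
SAMPLE = """\
Nov 30 19:05:09 sorbet nslcd[2307]: version 0.9.1 starting
Nov 30 19:05:14 sorbet nslcd[2307]: accepting connections
Nov 30 19:05:15 sorbet nslcd[2307]: Libgcrypt notice: state transition Power-On => Fatal-Error
Nov 30 19:05:15 sorbet nslcd[2307]: Libgcrypt error: invalid state transition Fatal-Error => Fatal-Error
Nov 30 19:05:15 sorbet nslcd[2307]: Libgcrypt terminated the application
Nov 30 19:05:15 sorbet nslcd[2307]: Libgcrypt error: fatal error in file visibility.c, line 1283, function gcry_create_nonce: called in non-operational state
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) (\S+?)\[(\d+)\]: (.*)$")
TRANSITION = re.compile(r"Libgcrypt \w+: (?:invalid )?state transition (\S+) => (\S+)")
FATAL_CALL = re.compile(r"function (\w+): called in non-operational state")

def scan(text, year=2013):
    """Return one report per process that logged a transition into Fatal-Error.

    'year' is an assumption supplied by the caller (hypothetical parameter).
    """
    procs = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a classic syslog line
        stamp, host, prog, pid, msg = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        p = procs.setdefault((host, prog, int(pid)),
                             {"start": when, "last_msg": None, "fatal": None})
        t = TRANSITION.search(msg)
        if t and t.group(2) == "Fatal-Error" and p["fatal"] is None:
            # First entry into Fatal-Error: keep the state it came from and
            # the last ordinary message the process logged before it.
            p["fatal"] = {"host": host, "program": prog, "pid": int(pid),
                          "from_state": t.group(1),
                          "seconds_after_start": (when - p["start"]).total_seconds(),
                          "last_msg_before": p["last_msg"], "function": None}
        f = FATAL_CALL.search(msg)
        if f and p["fatal"]:
            p["fatal"]["function"] = f.group(1)  # API call that hit the bad state
        if p["fatal"] is None:
            p["last_msg"] = msg
    return [p["fatal"] for p in procs.values() if p["fatal"]]

if __name__ == "__main__":
    for report in scan(SAMPLE):
        print(report)
```

Reports are keyed by host, program and PID, so feed it one boot's worth of log at a time to avoid mixing processes that reused a PID.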