[Pkg-openldap-devel] Bug#658896: LDAP, GnuTLS/libgcrypt
Carlos Alberto Lopez Perez
clopez at igalia.com
Mon Jan 28 20:37:57 UTC 2013
On 25/01/13 03:00, Howard Chu wrote:
>> Hi!
>>
>>
>> I have been digging on this issue and I found the ultimate cause of this
>> problem.
>>
>>
>> When sudo/su/passwd/<insert-any-setuid-program-that-calls-getpwent()> on
>> a system configured with PAM/LDAPs it chains into libldap, which uses
>> GnuTLS/libgcrypt to manage the TLS channel.
>>
>>
>> The problem is that when OpenLDAP calls gnutls_global_init(), this
>> function does nothing because OpenLDAP had previously already
>> initialized libgcrypt at some point on the stack (probably by mistake).
>
> For the record, there is no mistake in OpenLDAP. And also for the
> record, we on the OpenLDAP Project warned you guys multiple times that
> GnuTLS/libgcrypt are broken by design, and should not be used. (E.g. as
> I noted here
> https://bugs.launchpad.net/debian/+source/sudo/+bug/423252/comments/62)
>
> The libgcrypt documentation states in section 2.5 that you *must* set
> the thread callbacks before calling *any* other libgcrypt functions.
> libldap's code does that. It's not our fault that libgcrypt's design is
> so broken that even when you use it as documented it doesn't work. We've
> been telling you for *years* that GnuTLS is broken by design.
>
I agree with you.
But keep in mind that GnuTLS no longer supports libgcrypt (they even
removed the code from their repository). They now only support libnettle.
So there is no point at all in trying to fix GnuTLS now.
The upstream OpenLDAP project should probably have to remove support for
libgcrypt from their code.
And about the idea of patching the GnuTLS version that Debian Wheezy
ships (with libgcrypt support), I'm afraid that this could break some
unrelated package that relies on this broken design of GnuTLS/libgcrypt.
And for Wheezy+1 GnuTLS will have to migrate to the new version (with
nettle), so IMHO there is no point in fixing it now.
On the other hand, I feel like this small patch for OpenLDAP is the least
intrusive approach to make things just work for Wheezy.
Regards!