[Pkg-openldap-devel] Bug#803197: gnutls library re-init clobbers fd closed by application

Sat Jan 30 23:51:54 UTC 2016

Hi gnutls team,

https://bugs.debian.org/803197 was reported against libldap in Debian.

When libldap is linked with gnutls, and SOGo is configured to use LDAP 
with TLS security as its authentication backend, when the first LDAP 
request is made and libldap initializes TLS, gnutls closes a file 
descriptor used by the application and opens /dev/urandom over it.

I am attaching a test program that demonstrates this. On a Debian 
system, install libldap2-dev, and link it with -lldap. I verified the 
problem with current Debian unstable (gnutls 3.4.8-2).

Quoting myself in the bug linked above, what happens is:

> 1. libraries are loaded
> 2. gnutls' constructor does the global init, open("/dev/urandom") -> 3
> 3. WOWatchDogApplicationMain runs, closes everything
> 4. libldap goes to set up gnutls
> 5. gnutls prepares to re-init itself, closes the remembered urandom fd
> 6. things go downhill from here.

Now libldap's TLS setup calls gnutls_global_set_mutex followed by 
gnutls_global_init. This happens lazily, when TLS is first used on an 
LDAP connection. In the case of SOGo this is when a user actually 
attempts to log in.

I am aware that this runs contrary to the gnutls documentation in at 
least two ways: first, that applications that close all fds should 
immediately call gnutls_global_init, and second, that 
gnutls_global_set_mutex should not be called by libraries. However, 
please consider that SOGo and Sope do not actually use gnutls and are 
not even aware that it is being loaded; it is only an implementation 
detail that libldap links it, so without seriously re-designing how 
libldap works, or adding explicit knowledge of gnutls to Sope, I don't 
see a way to move the gnutls_global_init call earlier.

As far as removing the gnutls_global_set_mutex call from libldap, if 
it's not possible to address this from the gnutls side, I'm willing to 
bring this up with openldap upstream. However, it looks like it 
currently supports threading on more platforms than gnutls on its own 
does, so removing that might be considered a regression.

I see that gnutls attempts to sanity-check the urandom fd during 
initialization. I wonder if you would consider adding a similar check 
during de-init, before closing the remembered fd, and avoid touching it 
if there's a possibility the application closed it _and_ reused it?

The Sope authors have committed a workaround for this in the mean time:

https://github.com/inverse-inc/sope/pull/32

however they would prefer to revert that eventually.

thanks,
Ryan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fd-clobber.c
Type: text/x-csrc
Size: 1430 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-openldap-devel/attachments/20160130/c47bf066/attachment-0001.c>