On 25/01/13 03:00, Howard Chu wrote: >> Hi! >> >> >> I have been digging on this issue and I found the ultimate cause of this >> problem. >> >> >> When sudo/su/passwd/<insert-any-setuid-program-that-calls-getpwent()> on >> a system configured with PAM/LDAPs it chains into libldap, which uses >> GnuTLS/libgcrypt to manage the TLS channel. >> >> >> The problem is that when OpenLDAP calls gnutls_global_init(), this >> function does nothing because OpenLDAP had previously already >> initialized libgcrypt at some point on the stack (probably by mistake). > > For the record, there is no mistake in OpenLDAP. And also for the > record, we on the OpenLDAP Project warned you guys multiple times that > GnuTLS/libgcrypt are broken by design, and should not be used. (E.g. as > I noted here > https://bugs.launchpad.net/debian/+source/sudo/+bug/423252/comments/62) > > The libgcrypt documentation states in section 2.5 that you *must* set > the thread callbacks before calling *any* other libgcrypt functions. > libldap's code does that. It's not our fault that libgcrypt's design is > so broken that even when you use it as documented it doesn't work. We've > been telling you for *years* that GnuTLS is broken by design. >
I agree with you. But, keep in mind that GnuTLS not longer supports libgcrypt (they even removed the code from their repository). They now only support libnettle. So there is no point at all in trying to fix GnuTLS now. The upstream OpenLDAP project should probably have to remove support for libgcrypt from their code. And about the idea of patching the GnuTLS version that Debian Wheezy ships (with libgcrypt support) I'm afraid that this could break some unrelated package that relies in this broken design of GnuTLS/libgcrypt. And for Wheezy+1 GnuTLS will have to migrate to the new version (with nettle), so IMHO there is no point in fixing it now. On the other hand, I feel like this small patch for OpenLDAP is the less intrusive approach to make things just work for Wheezy. Regards! --------
signature.asc
Description: OpenPGP digital signature
