Full_Name: Ryan Tandy
Version: master
OS: Debian
URL: https://github.com/rtandy/openldap/compare/openldap:master...rtandy:remove-g...
Submission from: (NULL) (70.66.128.207)
Submitted by: ryan
The GnuTLS documentation https://gnutls.org/manual/html_node/Core-TLS-API.html#gnutls_005fglobal_005fset_005fmutex states:
Do not call this function from a library, or preferably from any application
unless really needed to.
I disobeyed that guidance in commit 829027945, because I wasn't sure that GnuTLS's own threading support would cover all the platforms libldap does. This choice caused some bugs, e.g. https://bugs.debian.org/803197 and https://www.openldap.org/its/?findid=8797.
I don't know how to find out for sure whether anyone builds libldap with GnuTLS on a system where it lacks native mutexes. I think at this point I would rather fix the known broken cases, over the risk of potentially breaking a theoretical setup I'm not sure actually exists.
Therefore: I now propose applying this change for 2.5.
I made this change as a distro patch in Debian 10 (buster), and no Debian or Ubuntu users have reported any regressions so far. I also did some local testing with slapd and slapd-mtread on the GnuTLS versions shipped in the last few releases of Debian.
I have not tested any non-Linux platforms yet. For completeness, I should probably try this on at least FreeBSD and Solaris. I kind of assume GnuTLS system mutexes are going to work anywhere LMDB already does.
Rationale for the change, from the commit message:
Since GnuTLS moved to implicit initialization on library load, calling this function deinitializes GnuTLS and then re-initializes it.
When GnuTLS uses /dev/urandom as an entropy source (getrandom() not available, or older versions of GnuTLS), and the application closed all file descriptors at startup, this could result in GnuTLS opening /dev/urandom over one of the application's file descriptors when re-initialized.
Additionally, the custom mutex functions are never reset, so if libldap is unloaded (for example via dlclose()) after calling this, its code may be unmapped and the application could crash when GnuTLS calls the mutex functions.
On typical systems, GnuTLS system mutexes are probably the same as what libldap uses anyway.
IPR:
The attached patch file is derived from OpenLDAP Software. All of the modifications to OpenLDAP Software represented in the following patch were developed by Ryan Tandy ryan@nardis.ca. I have not assigned rights and/or interest in this work to any party.
I, Ryan Tandy, hereby place the following modifications to OpenLDAP Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice.