ITS#9069 Do not call gnutls_global_set_mutex()

Since GnuTLS moved to implicit initialization on library load, calling
this function deinitializes GnuTLS and then re-initializes it.

When GnuTLS uses /dev/urandom as an entropy source (getrandom() not
available, or older versions of GnuTLS), and the application closed all
file descriptors at startup, this could result in GnuTLS opening
/dev/urandom over one of the application's file descriptors when
re-initialized.

Additionally, the custom mutex functions are never reset, so if libldap
is unloaded (for example via dlclose()) after calling this, its code may
be unmapped and the application could crash when GnuTLS calls the mutex
functions.

On typical systems, GnuTLS system mutexes are probably the same as what
libldap uses anyway.
This commit is contained in:
Ryan Tandy 2019-08-27 17:58:44 -07:00
parent dc3e450104
commit 63c82c0ed7

View File

@ -69,51 +69,10 @@ static int tlsg_cert_verify( tlsg_session *s );
#ifdef LDAP_R_COMPILE
static int
tlsg_mutex_init( void **priv )
{
int err = 0;
ldap_pvt_thread_mutex_t *lock = LDAP_MALLOC( sizeof( ldap_pvt_thread_mutex_t ));
if ( !lock )
err = ENOMEM;
if ( !err ) {
err = ldap_pvt_thread_mutex_init( lock );
if ( err )
LDAP_FREE( lock );
else
*priv = lock;
}
return err;
}
static int
tlsg_mutex_destroy( void **lock )
{
int err = ldap_pvt_thread_mutex_destroy( *lock );
LDAP_FREE( *lock );
return err;
}
static int
tlsg_mutex_lock( void **lock )
{
return ldap_pvt_thread_mutex_lock( *lock );
}
static int
tlsg_mutex_unlock( void **lock )
{
return ldap_pvt_thread_mutex_unlock( *lock );
}
static void
tlsg_thr_init( void )
{
gnutls_global_set_mutex (tlsg_mutex_init,
tlsg_mutex_destroy,
tlsg_mutex_lock,
tlsg_mutex_unlock);
/* do nothing */
}
#endif /* LDAP_R_COMPILE */