From 857a0549eec7070ff72386014151743cf8b06502 Mon Sep 17 00:00:00 2001
From: Ryan Tandy
Date: Fri, 22 Jan 2021 03:54:40 +0000
Subject: [PATCH] Do not call gnutls_global_set_mutex()

Bug-Debian: https://bugs.debian.org/803197
Forwarded: no

Since GnuTLS moved to implicit initialization on library load, calling this function deinitializes GnuTLS and then re-initializes it.

When GnuTLS uses /dev/urandom as an entropy source (getrandom() not available, or older versions of GnuTLS), and the application closed all file descriptors at startup, this could result in GnuTLS opening /dev/urandom over one of the application's file descriptors when re-initialized.

Additionally, the custom mutex functions are never reset, so if libldap is unloaded (for example via dlclose()) after calling this, its code may be unmapped and the application could crash when GnuTLS calls the mutex functions.

The default behaviour of GnuTLS, using pthreads, should be suitable on all Debian systems, and is probably the same as what libldap uses anyway.

Gbp-Pq: Name no-gnutls_global_set_mutex
---
 libraries/libldap/tls_g.c | 43 +--------------------------------------
 1 file changed, 1 insertion(+), 42 deletions(-)

diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
index 0266ff19..8303047b 100644
--- a/libraries/libldap/tls_g.c
+++ b/libraries/libldap/tls_g.c
@@ -67,51 +67,10 @@ static int tlsg_cert_verify( tlsg_session *s );
 
 #ifdef LDAP_R_COMPILE
 
-static int
-tlsg_mutex_init( void **priv )
-{
-	int err = 0;
-	ldap_pvt_thread_mutex_t *lock = LDAP_MALLOC( sizeof( ldap_pvt_thread_mutex_t ));
-
-	if ( !lock )
-		err = ENOMEM;
-	if ( !err ) {
-		err = ldap_pvt_thread_mutex_init( lock );
-		if ( err )
-			LDAP_FREE( lock );
-		else
-			*priv = lock;
-	}
-	return err;
-}
-
-static int
-tlsg_mutex_destroy( void **lock )
-{
-	int err = ldap_pvt_thread_mutex_destroy( *lock );
-	LDAP_FREE( *lock );
-	return err;
-}
-
-static int
-tlsg_mutex_lock( void **lock )
-{
-	return ldap_pvt_thread_mutex_lock( *lock );
-}
-
-static int
-tlsg_mutex_unlock( void **lock )
-{
-	return ldap_pvt_thread_mutex_unlock( *lock );
-}
-
 static void
 tlsg_thr_init( void )
 {
-	gnutls_global_set_mutex (tlsg_mutex_init,
-				tlsg_mutex_destroy,
-				tlsg_mutex_lock,
-				tlsg_mutex_unlock);
+	/* do nothing */
 }
 
 #endif /* LDAP_R_COMPILE */
-- 
2.30.2
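Review bot: The added `/* do nothing */` in tlsg_thr_init records no rationale, so the next maintainer who notices GnuTLS locking is "unconfigured" is likely to reinstate the gnutls_global_set_mutex() call and reintroduce the deinit/reinit hazard (the /dev/urandom-over-a-closed-fd case and the dangling callbacks after dlclose()) that the commit message describes. I would replace it with `/* Intentionally empty: gnutls_global_set_mutex() deinitializes and re-initializes GnuTLS (implicit init since 3.3) and leaves callbacks pointing into libldap after dlclose(); rely on the GnuTLS default (pthread) locking instead. See Debian #803197. */`. The function body is kept as an empty stub presumably because a caller under LDAP_R_COMPILE outside this hunk still references it; if that caller is the only reason it exists, a short comment there saying the hook is deliberately a no-op would help too. The claim that the default locking is pthreads holds for the Debian builds this targets but is a GnuTLS build-time property, so the comment should not present it as universal.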