[Pkg-openldap-devel] Bug#745231: Bug#745231: openldap: Consider switching to gnutls3
Ryan Tandy
ryan at nardis.ca
Tue Jun 10 06:15:58 UTC 2014
On 19/04/14 05:48 AM, Andreas Metzler wrote:
> Hello,
Hi Andreas, thanks for starting the conversation about this!
> given that gmp has been dual-licensed LGPLv3+/GPLv2+ it should be
> possible to switch openldap over to the newer version of gnutls.
> Upstream's 0205e83f4670d10ad3c6ae4b8fc5ec1d0c7020c0 lets the Debian
> package build successfully (including testsuite).
And TLS with a server certificate seems to work, as does SASL EXTERNAL
authentication with a client certificate. Good!
> However even with patch there is still some work to be done.
> libraries/libldap/tls_g.c has some gcrypt related code that should be
> simply unnecessary with gnutls3, therefore it should not link against
> libgcrypt either.
I see two remaining gcrypt calls in tls_g.c.
161: gcry_control (GCRYCTL_SET_THREAD_CBS, &tlsg_thread_cbs);
It sounds like nettle itself doesn't need such callbacks, but even so I
suspect this should be replaced with a gnutls_global_set_mutex call in
order to keep using the internal threading abstraction, as per the
gnutls NEWS.
174: gcry_control( GCRYCTL_SET_RNDEGD_SOCKET, lo->ldo_tls_randfile ))
And for that, it looks like nettle uses a hard-coded list of possible
locations for that socket, so I guess there's no replacement call. Well,
the manpage already says the randfile option doesn't work under gnutls,
I guess this will make it true again. :)
> (Except for contrib/slapd-modules/smbk5pwd/smbk5pwd.c).
Right, that one actually uses gcrypt, it's not just there for gnutls.
I'll have a look later at how much work porting that will be, and I'll
send this information upstream too.
thanks,
Ryan
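The gnutls_global_set_mutex replacement mentioned in the reply above, written out as an added example (it is not code from this bug report, from the Debian package or from OpenLDAP's tls_g.c). It supplies pthread-backed mutex callbacks in the shape GnuTLS 3 expects (each takes a void** slot and returns 0 on success) and registers them with gnutls_global_set_mutex, which takes over the role of the gcry_control(GCRYCTL_SET_THREAD_CBS, ...) call. The tlsg_example_ function names and the HAVE_GNUTLS build flag are assumptions for the example; without the flag the file still compiles and the callbacks can be exercised on their own.

```c
/* Added example, not from the bug report or OpenLDAP's tls_g.c:
 * pthread-backed mutex callbacks for gnutls_global_set_mutex(), standing in
 * for the gcry_control(GCRYCTL_SET_THREAD_CBS, ...) call discussed above.
 * GnuTLS convention: each callback gets a void** slot, returns 0 on success.
 * Names prefixed tlsg_example_ and the HAVE_GNUTLS macro are hypothetical. */
#include <pthread.h>
#include <stdlib.h>
#include <stdio.h>

#ifdef HAVE_GNUTLS
#include <gnutls/gnutls.h>   /* assumption: build with -DHAVE_GNUTLS -lgnutls */
#endif

/* Allocate and initialise a mutex, storing it in *priv. */
static int tlsg_example_mutex_init(void **priv)
{
    pthread_mutex_t *m = malloc(sizeof *m);
    if (m == NULL)
        return -1;
    if (pthread_mutex_init(m, NULL) != 0) {
        free(m);
        return -1;
    }
    *priv = m;
    return 0;
}

/* Destroy and free the mutex held in *priv, clearing the slot. */
static int tlsg_example_mutex_deinit(void **priv)
{
    pthread_mutex_t *m = *priv;
    if (m == NULL)
        return -1;
    int rc = pthread_mutex_destroy(m);
    free(m);
    *priv = NULL;
    return rc == 0 ? 0 : -1;
}

static int tlsg_example_mutex_lock(void **priv)
{
    return pthread_mutex_lock(*priv) == 0 ? 0 : -1;
}

static int tlsg_example_mutex_unlock(void **priv)
{
    return pthread_mutex_unlock(*priv) == 0 ? 0 : -1;
}

/* Register the callbacks with GnuTLS; this must happen before
 * gnutls_global_init(). Returns 1 when registered, 0 when built without
 * GnuTLS (so the rest of the example still runs stand-alone). */
int tlsg_example_install_mutex_callbacks(void)
{
#ifdef HAVE_GNUTLS
    gnutls_global_set_mutex(tlsg_example_mutex_init, tlsg_example_mutex_deinit,
                            tlsg_example_mutex_lock, tlsg_example_mutex_unlock);
    return 1;
#else
    return 0;
#endif
}

/* Drive the callbacks the way GnuTLS would: init, lock, unlock, deinit.
 * Returns 0 when every step succeeded, otherwise the number of the
 * step that failed. */
int tlsg_example_mutex_selfcheck(void)
{
    void *m = NULL;
    if (tlsg_example_mutex_init(&m) != 0 || m == NULL) return 1;
    if (tlsg_example_mutex_lock(&m) != 0) return 2;
    if (tlsg_example_mutex_unlock(&m) != 0) return 3;
    if (tlsg_example_mutex_deinit(&m) != 0 || m != NULL) return 4;
    return 0;
}

int main(void)
{
    int installed = tlsg_example_install_mutex_callbacks();
    int rc = tlsg_example_mutex_selfcheck();
    printf("gnutls callbacks registered: %s, self-check: %s\n",
           installed ? "yes" : "no (built without HAVE_GNUTLS)",
           rc == 0 ? "ok" : "FAILED");
    return rc;
}
```

Registration has to precede gnutls_global_init(), which is also why a library like libldap must do it once, early, rather than per connection; the self-check only shows that the callbacks honour the 0-on-success contract GnuTLS relies on.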