file handle exhaustion with openvpn and pam_ldap

Werner Koch wk at
Mon Oct 26 09:55:54 CET 2009

On Sun, 25 Oct 2009 09:35, ametzler at said:

> When using openvpn and pam_ldap against an LDAP server with TLS
> support on every authentication, a file handle to /dev/urandom is
> created but never released. (libldap-2.4-2 is using gnutls, openvpn
> isn't.)

The problem is that you can't load/unload/load libgcrypt using dlopen
tricks.  This is simply not defined unless dlopen/dlclose implements a
complete process initialization/termination.  True, there is a function
to terminate the secure memory which needs to be called before the
process terminates but this is not a complete shutdown of libgcrypt, the
OS needs to cleanup some of the resources.

The documentation os FIPS required state machine says:

  [The state transition from] Operational to Shutdown is an artifical
  state without any direct action in Libgcrypt.  When reaching the
  Shutdown state the library is deinitialized and can't return to any
  other state again.

Thus to change this you would need to implement the required OS parts in
your dlopen/dlclose.



Die Gedanken sind frei.  Auschnahme regelt ein Bundeschgesetz.

More information about the Gcrypt-devel mailing list