file handle exhaustion with openvpn and pam_ldap
Andreas Metzler
ametzler at downhill.at.eu.org
Mon Oct 26 13:17:57 CET 2009
On 2009-10-26 Werner Koch <wk at gnupg.org> wrote:
> On Sun, 25 Oct 2009 09:35, ametzler at downhill.at.eu.org said:
> > When using openvpn and pam_ldap against an LDAP server with TLS
> > support on every authentication, a file handle to /dev/urandom is
> > created but never released. (libldap-2.4-2 is using gnutls, openvpn
> > isn't.)
> The problem is that you can't load/unload/load libgcrypt using dlopen
> tricks. This is simply not defined unless dlopen/dlclose implements a
> complete process initialization/termination. True, there is a function
> to terminate the secure memory which needs to be called before the
> process terminates but this is not a complete shutdown of libgcrypt, the
> OS needs to cleanup some of the resources.
> The documentation of the FIPS required state machine says:
> [The state transition from] Operational to Shutdown is an artificial
> state without any direct action in Libgcrypt. When reaching the
> Shutdown state the library is deinitialized and can't return to any
> other state again.
> Thus to change this you would need to implement the required OS parts in
> your dlopen/dlclose.
Hello,
Just to clarify, you are saying that:
* This issue cannot be fixed in gcrypt itself (and therefore will not be fixed).
* The way dlopen works on $OS would need to be changed (I guess on Linux this would be glibc.)
thanks, cu andreas
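A check for this leak from the administrator's side, added here as an example and not part of the thread: it reads /proc/<pid>/fd on Linux (assumed available) and flags a process that holds more descriptors on the kernel RNG devices than it should, plus how much room is left before the per-process limit. The function names are my own.

```shell
#!/bin/sh
# Count open descriptors of a process that point at the kernel RNG devices.
# A well-behaved process needs at most one; a count that climbs with every
# authentication is the leak described in the thread.
urandom_fd_count() {
    pid="$1"
    n=0
    for fd in /proc/"$pid"/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case "$target" in
            /dev/urandom|/dev/random) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Exit status 0 when the process holds more RNG descriptors than the
# threshold (default 1), i.e. when it looks like it is leaking them.
urandom_fd_leaking() {
    pid="$1"
    threshold="${2:-1}"
    [ "$(urandom_fd_count "$pid")" -gt "$threshold" ]
}

# Descriptors left before the process hits its soft "open files" limit.
fd_headroom() {
    pid="$1"
    used=$(ls /proc/"$pid"/fd | wc -l)
    limit=$(awk '/^Max open files/ {print $4}' /proc/"$pid"/limits)
    [ -n "$limit" ] || limit=$(ulimit -n)
    echo $((limit - used))
}
```

Run it against the VPN daemon with something like `urandom_fd_leaking "$(pgrep -x openvpn)" && echo "leak suspected"` from cron, and watch `fd_headroom` shrink between authentications.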