[gnutls-devel] GnuTLS | GnuTLS leaks file descriptors in child processes (#985)
Development of GNU's TLS library
gnutls-devel at lists.gnutls.org
Sat May 9 18:53:55 CEST 2020
Daiki Ueno commented:
Indeed. However, this doesn't apply to every `fopen` in `lib/`. GnuTLS has the [design](https://www.gnutls.org/manual/gnutls.html#Thread-safety) that prohibits access to a single `gnutls_session_t` object from multiple threads, and also the global initialization within the ELF constructor should be protected.
According to `git grep`, there are the following occurrences of `fopen`:
```
lib/auth/psk_passwd.c: fd = fopen(cred->password_file, "r");
lib/auth/srp_passwd.c: fd = fopen(pconf_file, "r");
lib/auth/srp_passwd.c: fd = fopen(cred->password_file, "r");
lib/file.c: fd = fopen(file, "r");
lib/fips.c: fd = fopen(FIPS_KERNEL_FILE, "r");
lib/inih/ini.c: file = fopen(filename, "r");
lib/kx.c: keylog = fopen(keylogfile, "a");
lib/minitasn1/structure.c: file = fopen (output_file_name, "w");
lib/pkcs11.c: fp = fopen(configfile, "r");
lib/verify-tofu.c: fd = fopen(file, "rb");
lib/verify-tofu.c: fd = fopen(db_name, "ab+");
lib/verify-tofu.c: fd = fopen(db_name, "ab+");
```
I think the calls in `lib/auth/*` and `lib/file.c` can only be reached from the `gnutls_session_t` interface. Similarly, the calls in `lib/fips.c` and `lib/inih/ini.c` are only reachable from the ELF constructor, and the function calling `fopen` in `lib/minitasn1/structure.c` is not used at all.
The others (keylogfile, PKCS#11 config, and TOFU) might still be problematic, though.
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/985#note_339470410
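Added example, not part of the original message and not GnuTLS code: a small C check that shows whether a descriptor opened by `fopen` is still open in a child after `fork` and `exec`, comparing mode `"r"` with `"re"`. It assumes a libc that supports the `"e"` (close-on-exec) mode flag, as glibc does, and a POSIX `/bin/sh`; the function names are hypothetical and `/dev/null` stands in for the files listed above.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* fork + exec a shell and ask it whether descriptor fd is still open.
 * Returns 1 if the exec'd child inherited fd, 0 if not, -1 on error. */
int child_sees_fd(int fd)
{
    char cmd[64];
    int status;
    pid_t pid;

    /* ":" with "<&N" succeeds only if descriptor N is open in the shell. */
    snprintf(cmd, sizeof cmd, ": 2>/dev/null <&%d", fd);
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                      /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0;
}

/* Open path with the given fopen mode and report whether an exec'd
 * child process would inherit the underlying descriptor. */
int leaks_with_mode(const char *path, const char *mode)
{
    FILE *fp = fopen(path, mode);
    int leaked;

    if (!fp)
        return -1;
    leaked = child_sees_fd(fileno(fp));
    fclose(fp);
    return leaked;
}

int main(void)
{
    /* /dev/null is a constructed stand-in for a password or config file. */
    printf("mode \"r\":  inherited = %d\n", leaks_with_mode("/dev/null", "r"));
    printf("mode \"re\": inherited = %d\n", leaks_with_mode("/dev/null", "re"));
    return 0;
}
```

Because `"e"` sets close-on-exec inside the `open` call itself, there is no window between opening the file and a later `fcntl(FD_CLOEXEC)` in which another thread could fork.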