[gnutls-devel] GnuTLS | GnuTLS leaks file descriptors in child processes (#985)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Sat May 9 18:53:55 CEST 2020




Daiki Ueno commented:


Indeed.  However, this doesn't apply to every `fopen` in `lib/`. GnuTLS has the [design](https://www.gnutls.org/manual/gnutls.html#Thread-safety) that prohibits access to a single `gnutls_session_t` object from multiple threads, and also the global initialization within the ELF constructor should be protected.

According to `git grep`, there are the following occurrences of `fopen`:
```
lib/auth/psk_passwd.c:  fd = fopen(cred->password_file, "r");
lib/auth/srp_passwd.c:  fd = fopen(pconf_file, "r");
lib/auth/srp_passwd.c:  fd = fopen(cred->password_file, "r");
lib/file.c:     fd = fopen(file, "r");
lib/fips.c:     fd = fopen(FIPS_KERNEL_FILE, "r");
lib/inih/ini.c:    file = fopen(filename, "r");
lib/kx.c:                       keylog = fopen(keylogfile, "a");
lib/minitasn1/structure.c:  file = fopen (output_file_name, "w");
lib/pkcs11.c:   fp = fopen(configfile, "r");
lib/verify-tofu.c:      fd = fopen(file, "rb");
lib/verify-tofu.c:      fd = fopen(db_name, "ab+");
lib/verify-tofu.c:      fd = fopen(db_name, "ab+");
```

I think the calls in `lib/auth/*` and `lib/file.c` can only be reached from the `gnutls_session_t` interface.  Similarly, the calls in `lib/fips.c` and `lib/inih/ini.c` are only reachable from the ELF constructor, and the function calling `fopen` in `lib/minitasn1/structure.c` is not used at all.

The others (keylogfile, PKCS#11 config, and TOFU) might still be problematic, though.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/985#note_339470410
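
The check below is an added example, not part of the message above or of GnuTLS: it reports whether the descriptor behind a `fopen` stream carries `FD_CLOEXEC`, that is, whether a child process that calls `exec` would inherit it. The `"e"` mode flag (a glibc extension) and the `open`/`fdopen` wrapper are assumptions about how such a call site could be hardened; the helper names and the scratch path are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* 1 if the descriptor behind fp has FD_CLOEXEC set, 0 if it would be
 * inherited across exec(), -1 on error. */
static int stream_is_cloexec(FILE *fp)
{
    int flags;
    if (fp == NULL)
        return -1;
    flags = fcntl(fileno(fp), F_GETFD);
    if (flags == -1)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Open a constructed scratch file with the given fopen() mode and report
 * the close-on-exec status of the resulting stream. */
static int cloexec_for_mode(const char *mode)
{
    char path[] = "/tmp/cloexec-demo-XXXXXX";   /* constructed sample path */
    int tmpfd = mkstemp(path), result;
    FILE *fp;
    if (tmpfd == -1)
        return -1;
    close(tmpfd);
    fp = fopen(path, mode);
    result = stream_is_cloexec(fp);
    if (fp != NULL)
        fclose(fp);
    unlink(path);
    return result;
}

/* Portable alternative to the "e" flag: the flag is set atomically at open()
 * time, so no other thread can fork() between open and a later fcntl(). */
static FILE *fopen_cloexec_read(const char *path)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    FILE *fp;
    if (fd == -1)
        return NULL;
    fp = fdopen(fd, "r");
    if (fp == NULL)
        close(fd);
    return fp;
}

int main(void)
{
    FILE *fp = fopen_cloexec_read("/dev/null");
    printf("fopen \"r\":  cloexec=%d\n", cloexec_for_mode("r"));
    printf("fopen \"re\": cloexec=%d\n", cloexec_for_mode("re"));
    printf("open+fdopen: cloexec=%d\n", stream_is_cloexec(fp));
    if (fp != NULL)
        fclose(fp);
    return 0;
}
```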