On Mon, Jan 27, 2014 at 11:38 AM, Jonathan Roudiere <[email protected]> wrote:

> Hello Nikos,
>
> On the GnuTLS 3.2.x stable release, when the session db cache is used,
> the timestamp can't be obtained through gnutls_db_check_entry_time().
>
> - When sessions are packed in _gnutls_session_pack(), the magic number
> (PACKED_SESSION_MAGIC) and security_parameters.timestamp are copied in
> big-endian order (through BUFFER_APPEND_NUM(), ... _gnutls_write_uint32()
> ... _gnutls_buffer_append_data()), but when they are unpacked in
> gnutls_db_check_entry_time() they are memcpy'd without any treatment,
> thus on x86 they are unpacked incorrectly and this prevents getting
> the timestamp.
Hello Jonathan,

Thank you for reporting that. I've committed a fix and a test program to allow detecting similar issues.

> - Else, the db remove function is never called internally by GnuTLS even
> if the timestamp is checked against expire_time when a session is unpacked
> through _gnutls_session_unpack(). In _gnutls_server_restore_session()
> a comment specifies "expiration check is performed inside" but no
> action is taken in order to remove the expired session from the cache/db.

Indeed. The time check is in unpack_security_parameters(), so resumption will be prevented.

> Shouldn't GnuTLS remove the session from the cache/db in this case? I
> have patched GnuTLS in order to call the db_remove_func function from
> _gnutls_server_restore_session(); I don't know if this hurts the GnuTLS
> design and should be done in another place, or not at all (initially the
> patch was against _gnutls_session_unpack()).

The idea is for the one having control of the DB to do periodic purges independently of gnutls' usage. That is why gnutls_db_check_entry_time() is provided (at least that was the idea).

Now about removing a session from _gnutls_server_restore_session(): I don't think this is good, a session may be resumed multiple times (e.g., a browser downloading different images from a server in several sessions resumed from the initial one).

> - Last question: expire_time is set on the session itself, so why is it not
> packed with the session data in order to check it when the session is
> unpacked? And to provide a function like gnutls_db_check_entry_time()
> which would return the remaining time or GNUTLS_E_EXPIRED.

For simplicity. The idea of gnutls_db_check_entry_time() is to be called periodically for all stored sessions, so it would have to quickly determine the time of the session without any significant parsing.

regards,
Nikos

_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
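The two points in the thread, the byte-order mismatch between packing and gnutls_db_check_entry_time(), and Nikos' suggestion that the DB owner purges expired entries periodically using only the cheap header read, as an added, self-contained example. This is not GnuTLS code: the header layout (4-byte magic followed by a 4-byte timestamp, both big-endian), the magic value DEMO_SESSION_MAGIC and every function name below are assumptions made for the demonstration. check_entry_time_memcpy() reproduces the reported bug, check_entry_time_be() decodes with the same byte order the packer used, and purge_expired() is the kind of sweep the DB owner would run on its own schedule.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout for this example: 4-byte magic, then 4-byte timestamp,
 * both big-endian. The magic value is made up here; it is not GnuTLS's
 * real PACKED_SESSION_MAGIC. */
#define DEMO_SESSION_MAGIC 0xFADEBADEu
#define DEMO_HEADER_LEN 8

/* Serialize a 32-bit value in network (big-endian) byte order, as the
 * packing side does. */
void write_uint32_be(unsigned char *out, uint32_t v)
{
    out[0] = (unsigned char)(v >> 24);
    out[1] = (unsigned char)(v >> 16);
    out[2] = (unsigned char)(v >> 8);
    out[3] = (unsigned char)(v);
}

/* Decode a big-endian 32-bit value regardless of host byte order. */
uint32_t read_uint32_be(const unsigned char *in)
{
    return ((uint32_t)in[0] << 24) | ((uint32_t)in[1] << 16) |
           ((uint32_t)in[2] << 8) | (uint32_t)in[3];
}

/* Pack the header: magic then timestamp, both big-endian. */
size_t pack_session_header(unsigned char *out, uint32_t timestamp)
{
    write_uint32_be(out, DEMO_SESSION_MAGIC);
    write_uint32_be(out + 4, timestamp);
    return DEMO_HEADER_LEN;
}

/* Buggy reader, mirroring the bug described in the thread: the fields are
 * memcpy'd straight into host integers, so on a little-endian host the
 * bytes come out reversed. Returns 0 on success, -1 on magic mismatch. */
int check_entry_time_memcpy(const unsigned char *packed, size_t len,
                            uint32_t *timestamp)
{
    uint32_t magic;
    if (len < DEMO_HEADER_LEN)
        return -1;
    memcpy(&magic, packed, 4);
    if (magic != DEMO_SESSION_MAGIC)
        return -1;                /* fires on x86: bytes are reversed */
    memcpy(timestamp, packed + 4, 4);
    return 0;
}

/* Fixed reader: decode with the same byte order the packer used. */
int check_entry_time_be(const unsigned char *packed, size_t len,
                        uint32_t *timestamp)
{
    if (len < DEMO_HEADER_LEN)
        return -1;
    if (read_uint32_be(packed) != DEMO_SESSION_MAGIC)
        return -1;
    *timestamp = read_uint32_be(packed + 4);
    return 0;
}

/* 1 if the host stores the least significant byte first (e.g. x86). */
int host_is_little_endian(void)
{
    uint16_t probe = 1;
    unsigned char first;
    memcpy(&first, &probe, 1);
    return first == 1;
}

/* The periodic purge the DB owner runs itself: read each entry's
 * timestamp from the header only (no full session parse) and drop
 * entries older than expire_time. Unparseable entries and entries with a
 * timestamp in the future are dropped too. Compacts in place and returns
 * the number of entries removed. */
size_t purge_expired(unsigned char (*entries)[DEMO_HEADER_LEN], size_t n,
                     uint32_t now, uint32_t expire_time)
{
    size_t kept = 0, i;
    for (i = 0; i < n; i++) {
        uint32_t ts;
        int ok = check_entry_time_be(entries[i], DEMO_HEADER_LEN, &ts) == 0;
        if (!ok || ts > now || now - ts > expire_time)
            continue;             /* expired or corrupt: do not keep */
        if (kept != i)
            memcpy(entries[kept], entries[i], DEMO_HEADER_LEN);
        kept++;
    }
    return n - kept;
}

int main(void)
{
    unsigned char buf[DEMO_HEADER_LEN];
    uint32_t ts = 0;
    pack_session_header(buf, 1390818000u);   /* constructed sample value */
    printf("memcpy unpack rc=%d\n", check_entry_time_memcpy(buf, sizeof buf, &ts));
    printf("be unpack rc=%d ts=%u\n", check_entry_time_be(buf, sizeof buf, &ts), ts);
    return 0;
}
```

On x86 the memcpy variant fails at the magic check before it ever reaches the timestamp, which is exactly why the timestamp "can't be obtained"; on a big-endian host the same code happens to work, which is how such a bug survives until someone runs it on the other architecture. The purge keeps the per-entry cost to one 8-byte header read, matching the reason given for not packing expire_time into the session blob.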
