[gnutls-help] Session resumption/unpack error while getting timestamp, expired sessions/db clean questions

Nikos Mavrogiannopoulos nmav at gnutls.org
Mon Jan 27 16:14:19 CET 2014


On Mon, Jan 27, 2014 at 11:38 AM, Jonathan Roudiere
<jonathan.roudiere at gmail.com> wrote:
> Hello Nikos,
> On the GnuTLS 3.2.x stable release, when the session db cache is used,
> the timestamp can't be obtained through gnutls_db_check_entry_time().
> - When sessions are packed in _gnutls_session_pack(), the magic number
> (PACKED_SESSION_MAGIC) and security_parameters.timestamp are
> copied in big-endian order (through BUFFER_APPEND_NUM(), ...
> _gnutls_write_uint32() ... _gnutls_buffer_append_data()), but when they
> are unpacked in gnutls_db_check_entry_time() they are memcpy'd
> without any treatment, thus on x86 they are badly unpacked and this
> prevents getting the timestamp.

Hello Jonathan,
 Thank you for reporting that. I've committed a fix and a test program
to allow detecting similar issues.

> - Also, the db remove function is never called internally by GnuTLS even
> though the timestamp is checked against expire_time when a session is unpacked
> through _gnutls_session_unpack(). In _gnutls_server_restore_session()
> a comment specifies "expiration check is performed inside" but no
> action is taken to remove expired sessions from the cache/db.

Indeed. The time check is in unpack_security_parameters() so
resumption will be prevented.

> Shouldn't GnuTLS remove the session from the cache/db in this case? I
> have patched GnuTLS to call the db_remove_func function from
> _gnutls_server_restore_session(); I don't know if this hurts the GnuTLS
> design and should be done in another place or not at all (initially the
> patch was against _gnutls_session_unpack()).

The idea is for the one having control of the DB to do periodical
purges independently of gnutls' usage. That is why
gnutls_db_check_entry_time() is provided (at least that was the idea).
Now about removing a session from _gnutls_server_restore_session(). I
don't think this is good, a session may be resumed multiple times
(e.g., a browser downloading different images from a server in several
resumed sessions from the initial one).

> - Last question: expire_time is set on the session itself, so why is it not
> packed with the session data, in order to check it when the session is
> unpacked, and to provide a function like gnutls_db_check_entry_time()
> which would return the remaining time or GNUTLS_E_EXPIRED?

For simplicity. The idea of gnutls_db_check_entry_time() is to be
called periodically for all stored sessions, so it would have to
quickly determine the time of the session without any significant
parsing.

regards,
Nikos
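The byte-order mismatch Jonathan describes (timestamp written big-endian, read back with a raw memcpy) and the periodic expiry check Nikos describes, as an added example that is not GnuTLS code: the 8-byte header layout, the DEMO_MAGIC value and the demo_* names are constructed for illustration, not GnuTLS's real packed-session format.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed layout for illustration, not GnuTLS's real packed format: bytes 0-3 magic, bytes 4-7 timestamp, both big-endian. */
#define DEMO_MAGIC   0xfadebadeu   /* constructed value */
#define DEMO_HDR_LEN 8

/* Packer side: serialise a 32-bit value in big-endian (network) byte order. */
static void write_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Correct reader: decode big-endian explicitly, whatever the host byte order. */
static uint32_t read_be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3];
}

void demo_pack(uint8_t out[DEMO_HDR_LEN], uint32_t ts) { write_be32(out, DEMO_MAGIC); write_be32(out + 4, ts); }

/* Stored timestamp, or 0 if the entry is too short or the magic does not match. */
uint32_t demo_entry_time(const uint8_t *in, size_t len) {
    if (len < DEMO_HDR_LEN || read_be32(in) != DEMO_MAGIC) return 0;
    return read_be32(in + 4);
}

/* The defect from the thread: a raw memcpy yields host byte order, so on
 * little-endian x86 the big-endian timestamp comes back byte-swapped. */
uint32_t demo_entry_time_raw(const uint8_t *in, size_t len) {
    uint32_t v = 0;
    if (len >= DEMO_HDR_LEN) memcpy(&v, in + 4, 4);
    return v;
}

/* Pack then unpack with each reader, so the two can be compared directly. */
uint32_t demo_roundtrip(uint32_t ts)     { uint8_t b[DEMO_HDR_LEN]; demo_pack(b, ts); return demo_entry_time(b, sizeof b); }
uint32_t demo_roundtrip_raw(uint32_t ts) { uint8_t b[DEMO_HDR_LEN]; demo_pack(b, ts); return demo_entry_time_raw(b, sizeof b); }

/* Seconds left before the entry expires, or -1 if it has already expired (the check a periodic purge would run). */
long demo_remaining(uint32_t ts, uint32_t expire_time, uint32_t now) {
    uint64_t deadline = (uint64_t)ts + expire_time;   /* 64-bit so ts + expire_time cannot wrap */
    return now >= deadline ? -1 : (long)(deadline - now);
}

int main(void) {
    printf("correct 0x%08x, raw memcpy 0x%08x\n", demo_roundtrip(0x01020304u), demo_roundtrip_raw(0x01020304u));
    return 0;
}
```

On a little-endian host the raw read returns 0x04030201 for a stored 0x01020304, which is why the timestamp could not be recovered on x86; the explicit big-endian decode is correct on either byte order.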



More information about the Gnutls-help mailing list