authorNikos Mavrogiannopoulos <nmav@gnutls.org>2002-02-28 08:36:08 +0000
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2002-02-28 08:36:08 +0000
commit6916e876d8639315b710a3ff9101bdd4053c03fa (patch)
treeda30061d3502f7a5b8b03dd52d4e204b9fc6e2b2 /lib
parentafcb686771ec88bdb2106f5521a5a6f200b14a4e (diff)
downloadgnutls-6916e876d8639315b710a3ff9101bdd4053c03fa.tar.gz
Corrected session resuming in certificate authentication. gnutls_deinit
no longer removes the session entry if it is invalid. Added the gnutls_db_remove_session() function, which does this.
Diffstat (limited to 'lib')
-rw-r--r--lib/gnutls.h.in.in1
-rw-r--r--lib/gnutls_db.c81
-rw-r--r--lib/gnutls_int.h4
-rw-r--r--lib/gnutls_session_pack.c49
-rw-r--r--lib/gnutls_state.c4
5 files changed, 95 insertions, 44 deletions
diff --git a/lib/gnutls.h.in.in b/lib/gnutls.h.in.in
index 107cb50511..5aa93fc1e9 100644
--- a/lib/gnutls.h.in.in
+++ b/lib/gnutls.h.in.in
@@ -167,6 +167,7 @@ void gnutls_db_set_cache_expiration( GNUTLS_STATE state, int seconds);
int gnutls_db_set_name( GNUTLS_STATE state, const char* filename);
int gnutls_db_clean( GNUTLS_STATE state);
+void gnutls_db_remove_session( GNUTLS_STATE state);
void gnutls_db_set_retrieve_func( GNUTLS_STATE, GNUTLS_DB_RETR_FUNC);
void gnutls_db_set_remove_func( GNUTLS_STATE, GNUTLS_DB_REMOVE_FUNC);
void gnutls_db_set_store_func( GNUTLS_STATE, GNUTLS_DB_STORE_FUNC);
diff --git a/lib/gnutls_db.c b/lib/gnutls_db.c
index 56d6b48618..4ce1bb5385 100644
--- a/lib/gnutls_db.c
+++ b/lib/gnutls_db.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2000 Nikos Mavroyanopoulos
+ * Copyright (C) 2000,2002 Nikos Mavroyanopoulos
*
* This file is part of GNUTLS.
*
@@ -263,17 +263,29 @@ gnutls_datum key = { state->security_parameters.session_id, state->security_para
gnutls_datum content;
int ret = 0;
- if (state->gnutls_internals.resumable==RESUME_FALSE)
+ if (state->gnutls_internals.resumable==RESUME_FALSE) {
+ gnutls_assert();
return GNUTLS_E_INVALID_SESSION;
-
- if (state->security_parameters.session_id==NULL || state->security_parameters.session_id_size==0)
+ }
+
+ if (state->security_parameters.session_id==NULL || state->security_parameters.session_id_size==0) {
+ gnutls_assert();
return GNUTLS_E_INVALID_SESSION;
-
+ }
+
/* allocate space for data */
content.size = _gnutls_session_size( state);
- content.data = gnutls_malloc( content.size);
- if (content.data==NULL) return GNUTLS_E_MEMORY_ERROR;
+ if (content.size < 0) {
+ gnutls_assert();
+ return content.size;
+ }
+ content.data = gnutls_malloc( content.size);
+ if (content.data==NULL) {
+ gnutls_assert();
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+
/* copy data */
ret = _gnutls_session_pack( state, &content);
if (ret < 0) {
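Review bot: The added `if (content.size < 0)` check only works if the `size` field of `gnutls_datum` is a signed type, and the struct definition is not visible in this commit. If the field is unsigned, a negative error code from `_gnutls_session_size()` is never caught and reaches `gnutls_malloc()` as a very large length. Taking the result in a local first makes the check independent of the field type: `int size = _gnutls_session_size( state); if (size < 0) { gnutls_assert(); return size; }` followed by `content.size = size;`. The enclosing function starts and ends outside the hunk.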
@@ -298,12 +310,16 @@ int ret;
data = _gnutls_retrieve_session( state, key);
if (data.data==NULL) {
+ gnutls_assert();
return GNUTLS_E_INVALID_SESSION;
}
/* expiration check is performed inside */
ret = gnutls_session_set_data( state, data.data, data.size);
-
+ if (ret < 0) {
+ gnutls_assert();
+ }
+
/* Note: Data is not allocated with gnutls_malloc
*/
free(data.data);
@@ -342,19 +358,24 @@ datum content = {session_data.data, session_data.size};
#endif
int ret = 0;
- if (state->gnutls_internals.resumable==RESUME_FALSE)
+ if (state->gnutls_internals.resumable==RESUME_FALSE) {
+ gnutls_assert();
return GNUTLS_E_INVALID_SESSION;
-
+ }
+
if (GNUTLS_DBNAME==NULL && _gnutls_db_func_is_ok(state)!=0) {
return GNUTLS_E_DB_ERROR;
}
- if (session_id.data==NULL || session_id.size==0)
+ if (session_id.data==NULL || session_id.size==0) {
+ gnutls_assert();
return GNUTLS_E_INVALID_SESSION;
-
- if (session_data.data==NULL || session_data.size==0)
+ }
+
+ if (session_data.data==NULL || session_data.size==0) {
+ gnutls_assert();
return GNUTLS_E_INVALID_SESSION;
-
+ }
/* if we can't read why bother writing? */
#ifdef HAVE_LIBGDBM
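Review bot: The `GNUTLS_DBNAME==NULL && _gnutls_db_func_is_ok(state)!=0` branch is the only error return in this hunk that still has no `gnutls_assert()`, while the same check in the retrieve function gets one in this commit. Adding `gnutls_assert();` before `return GNUTLS_E_DB_ERROR;` keeps the failure paths uniformly traceable. The function body continues outside the hunk.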
@@ -364,13 +385,16 @@ int ret = 0;
/* cannot open db for writing. This may happen if multiple
* instances try to write.
*/
+ gnutls_assert();
return GNUTLS_E_AGAIN;
}
ret = gdbm_store( dbf, key, content, GDBM_INSERT);
-
+ if (ret<0) {
+ gnutls_assert();
+ }
gdbm_close(dbf);
- return GNUTLS_E_UNIMPLEMENTED_FEATURE;
+ return 0; /*GNUTLS_E_UNIMPLEMENTED_FEATURE;*/
}
else
#endif
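Review bot: The gdbm branch now returns 0 even when `gdbm_store()` failed, because the added `if (ret<0)` only calls `gnutls_assert()` and the result is then discarded. The caller is told the session was cached when it was not. With `GDBM_INSERT` the call also returns a positive value when the key already exists, which `ret<0` does not cover. I would return the outcome, `return (ret == 0 ? 0 : GNUTLS_E_DB_ERROR);`, matching the `ret == 0 ? ret : GNUTLS_E_DB_ERROR` pattern used lower in this file, and drop the commented-out `/*GNUTLS_E_UNIMPLEMENTED_FEATURE;*/`.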
@@ -393,12 +417,15 @@ datum content;
gnutls_datum ret = { NULL, 0 };
if (GNUTLS_DBNAME==NULL && _gnutls_db_func_is_ok(state)!=0) {
+ gnutls_assert();
return ret;
}
- if (session_id.data==NULL || session_id.size==0)
+ if (session_id.data==NULL || session_id.size==0) {
+ gnutls_assert();
return ret;
-
+ }
+
/* if we can't read why bother writing? */
#ifdef HAVE_LIBGDBM
if (GNUTLS_DBF!=NULL) { /* use gdbm */
@@ -410,7 +437,6 @@ gnutls_datum ret = { NULL, 0 };
if (state->gnutls_internals.db_retrieve_func!=NULL)
ret = state->gnutls_internals.db_retrieve_func( state->gnutls_internals.db_ptr, session_id);
-
return ret;
}
@@ -455,3 +481,20 @@ int ret = 0;
return (ret == 0 ? ret : GNUTLS_E_DB_ERROR);
}
+
+/**
+ * gnutls_db_remove_session - This function will remove the current session data from the db
+ * @state: is a &GNUTLS_STATE structure.
+ *
+ * This function will remove the current session data from the session
+ * database. This will prevent future handshakes reusing these session
+ * data. This function should be called if a session was terminated
+ * abnormaly.
+ *
+ **/
+void gnutls_db_remove_session(GNUTLS_STATE state) {
+ /* if the session has failed abnormally it has
+ * to be removed from the db
+ */
+ _gnutls_db_remove_session( state, state->security_parameters.session_id, state->security_parameters.session_id_size);
+}
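Review bot: `gnutls_db_remove_session()` discards the result of `_gnutls_db_remove_session()` and is declared `void`, so an application cannot tell whether the entry was actually removed. That matters because this commit also takes the automatic removal out of `gnutls_deinit()`: a session that ended abnormally stays resumable unless the application calls this function and the removal succeeds. Since the function is new, it could be declared `int gnutls_db_remove_session(GNUTLS_STATE state)` in both the header and here, with the body `return _gnutls_db_remove_session( state, ...);`. The doc comment should also say that the call must be made before `gnutls_deinit()` and that `gnutls_deinit()` no longer does this, and "abnormaly" should read "abnormally".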
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 2eaf78b831..9dd51a53c8 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -32,9 +32,9 @@
#define READ_DEBUG
#define HANDSHAKE_DEBUG // Prints some information on handshake
#define X509_DEBUG
-#define RECORD_DEBUG
+#define RECORD_DEBUG*/
#define DEBUG
-*/
+
/* It might be a good idea to replace int with void*
* here.
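Review bot: Moving the comment terminator onto the `#define RECORD_DEBUG*/` line leaves `#define DEBUG` outside the comment, so `DEBUG` is now defined unconditionally for every file that includes this header. This looks like a local debugging setting committed with the fix, as the commit message does not mention it. What `DEBUG` enables is not visible here, but in a TLS library debug output may include handshake or session details, so it should not be on by default. I would restore the original placement (`#define DEBUG` followed by `*/`) or drive it from a configure option. The comment opener is outside the hunk.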
diff --git a/lib/gnutls_session_pack.c b/lib/gnutls_session_pack.c
index a76bce3393..d5b5dfa99e 100644
--- a/lib/gnutls_session_pack.c
+++ b/lib/gnutls_session_pack.c
@@ -81,9 +81,11 @@ int _gnutls_session_pack(GNUTLS_STATE state, gnutls_datum * packed_session)
case GNUTLS_CRD_ANON:{
ANON_CLIENT_AUTH_INFO info =
_gnutls_get_auth_info(state);
- if (info == NULL && state->gnutls_key->auth_info_size!=0)
+ if (info == NULL && state->gnutls_key->auth_info_size!=0) {
+ gnutls_assert();
return GNUTLS_E_INVALID_PARAMETERS;
-
+ }
+
packed_session->size =
PACK_HEADER_SIZE + state->gnutls_key->auth_info_size + sizeof(uint32);
@@ -102,8 +104,10 @@ int _gnutls_session_pack(GNUTLS_STATE state, gnutls_datum * packed_session)
case GNUTLS_CRD_CERTIFICATE:{
CERTIFICATE_AUTH_INFO info =
_gnutls_get_auth_info(state);
- if (info == NULL)
+ if (info == NULL && state->gnutls_key->auth_info_size!=0) {
+ gnutls_assert();
return GNUTLS_E_INVALID_PARAMETERS;
+ }
ret =
_gnutls_pack_certificate_auth_info(info,
@@ -149,9 +153,6 @@ int _gnutls_session_size( GNUTLS_STATE state)
CERTIFICATE_AUTH_INFO info =
_gnutls_get_auth_info(state);
- if (info == NULL)
- return GNUTLS_E_INVALID_PARAMETERS;
-
pack_size += _gnutls_pack_certificate_auth_info_size( info);
}
break;
@@ -242,8 +243,11 @@ int _gnutls_session_unpack(GNUTLS_STATE state,
READuint32(&packed_session->
data[PACK_HEADER_SIZE]);
- if (pack_size == 0) break;
-
+ if (pack_size == 0) {
+ state->gnutls_key->auth_info = NULL;
+ state->gnutls_key->auth_info_size = 0;
+ break;
+ }
if (pack_size < sizeof(CERTIFICATE_AUTH_INFO_INT)) {
gnutls_assert();
return GNUTLS_E_DB_ERROR;
@@ -312,25 +316,32 @@ int _gnutls_pack_certificate_auth_info( CERTIFICATE_AUTH_INFO info,
gnutls_datum * packed_session)
{
uint32 pos, i;
+ int info_size;
+
packed_session->size = _gnutls_pack_certificate_auth_info_size( info);
+ if (info==NULL) info_size = 0;
+ else info_size = sizeof(CERTIFICATE_AUTH_INFO_INT);
+
packed_session->data[0] = GNUTLS_CRD_CERTIFICATE;
WRITEuint32( packed_session->size-PACK_HEADER_SIZE-sizeof(uint32), &packed_session->data[PACK_HEADER_SIZE]);
+ if (info!=NULL) {
+ memcpy(&packed_session->data[PACK_HEADER_SIZE + sizeof(uint32)],
+ info, sizeof(CERTIFICATE_AUTH_INFO_INT));
+ }
- memcpy(&packed_session->data[PACK_HEADER_SIZE + sizeof(uint32)],
- info, sizeof(CERTIFICATE_AUTH_INFO_INT));
-
- pos = PACK_HEADER_SIZE + sizeof(uint32) + sizeof(CERTIFICATE_AUTH_INFO_INT);
+ pos = PACK_HEADER_SIZE + sizeof(uint32) + info_size;
- for (i=0;i<info->ncerts;i++) {
- WRITEuint32( info->raw_certificate_list[i].size, &packed_session->data[pos]);
- pos += sizeof(uint32);
+ if (info!=NULL) {
+ for (i=0;i<info->ncerts;i++) {
+ WRITEuint32( info->raw_certificate_list[i].size, &packed_session->data[pos]);
+ pos += sizeof(uint32);
- memcpy(&packed_session->data[pos], info->raw_certificate_list[i].data, info->raw_certificate_list[i].size);
- pos += info->raw_certificate_list[i].size;
+ memcpy(&packed_session->data[pos], info->raw_certificate_list[i].data, info->raw_certificate_list[i].size);
+ pos += info->raw_certificate_list[i].size;
+ }
}
-
return 0;
}
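Review bot: The encoding of a missing auth info is implicit and spread over three places: the size function returns `sizeof(uint32) + PACK_HEADER_SIZE` for NULL, this function writes a zero length, and `_gnutls_session_unpack` treats `pack_size == 0` as "no auth info". A short comment above the `WRITEuint32` line would make the contract explicit, for example `/* info==NULL is stored as a header plus a zero length field; unpack maps that back to auth_info=NULL */`. The two separate `if (info!=NULL)` guards and the `info_size` local could then be replaced by a single `if (info == NULL) return 0;` directly after the `WRITEuint32` line, leaving the original copy loop unchanged. Note also that the function writes into `packed_session->data` on the assumption that the caller sized the buffer with `_gnutls_session_size()`; stating that in the comment would help future callers.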
@@ -341,7 +352,7 @@ static int _gnutls_pack_certificate_auth_info_size( CERTIFICATE_AUTH_INFO info)
int i;
if (info == NULL)
- return 0;
+ return sizeof(uint32) + PACK_HEADER_SIZE;
for (i=0;i<info->ncerts;i++) {
pack_size += sizeof(uint32) + info->raw_certificate_list[i].size;
diff --git a/lib/gnutls_state.c b/lib/gnutls_state.c
index 923d07f4b4..d7e73be099 100644
--- a/lib/gnutls_state.c
+++ b/lib/gnutls_state.c
@@ -193,10 +193,6 @@ int default_protocol_list[] = { GNUTLS_TLS1, 0 };
**/
void gnutls_deinit(GNUTLS_STATE state)
{
- /* if the session has failed abnormally it has to be removed from the db */
- if ( state->gnutls_internals.resumable==RESUME_FALSE) {
- _gnutls_db_remove_session( state, state->security_parameters.session_id, state->security_parameters.session_id_size);
- }
/* remove auth info firstly */
_gnutls_free_auth_info(state );