author | Daiki Ueno <dueno@redhat.com> | 2018-11-08 17:54:11 +0100 |
---|---|---|
committer | Daiki Ueno <dueno@redhat.com> | 2018-11-12 14:08:42 +0100 |
commit | 0a590e15e17383c5b18650465266da5f4cfd2af1 (patch) | |
tree | ca150883b7b934d4e772177f2bbbb9f3280b4918 | |
parent | a5105a99f8bdc8b530ae2bf62535ce1b7ec0319c (diff) | |
db: introduce gnutls_db_check_entry_expire_time
This would be particularly useful when the same database is used to
store long-lived TLS 1.2 session data and short-lived TLS 1.3
anti-replay entries. Note that the existing gnutls_db_check_entry
doesn't fit in this use-case, as it takes gnutls_session_t as the
argument.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
-rw-r--r-- | doc/Makefile.am | 2 | ||||
-rw-r--r-- | doc/manpages/Makefile.am | 1 | ||||
-rw-r--r-- | lib/db.c | 38 | ||||
-rw-r--r-- | lib/includes/gnutls/gnutls.h.in | 1 | ||||
-rw-r--r-- | lib/libgnutls.map | 1 | ||||
-rw-r--r-- | lib/session_pack.c | 4 | ||||
-rw-r--r-- | symbols.last | 1 | ||||
-rw-r--r-- | tests/resume.c | 9 |
8 files changed, 55 insertions, 2 deletions
diff --git a/doc/Makefile.am b/doc/Makefile.am
index b939121898..bac1e5825c 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -877,6 +877,8 @@ FUNCS += functions/gnutls_crypto_register_mac
 FUNCS += functions/gnutls_crypto_register_mac.short
 FUNCS += functions/gnutls_db_check_entry
 FUNCS += functions/gnutls_db_check_entry.short
+FUNCS += functions/gnutls_db_check_entry_expire_time
+FUNCS += functions/gnutls_db_check_entry_expire_time.short
 FUNCS += functions/gnutls_db_check_entry_time
 FUNCS += functions/gnutls_db_check_entry_time.short
 FUNCS += functions/gnutls_db_get_default_cache_expiration
diff --git a/doc/manpages/Makefile.am b/doc/manpages/Makefile.am
index 9047790c83..8a6025ccaa 100644
--- a/doc/manpages/Makefile.am
+++ b/doc/manpages/Makefile.am
@@ -240,6 +240,7 @@ APIMANS += gnutls_crypto_register_cipher.3
 APIMANS += gnutls_crypto_register_digest.3
 APIMANS += gnutls_crypto_register_mac.3
 APIMANS += gnutls_db_check_entry.3
+APIMANS += gnutls_db_check_entry_expire_time.3
 APIMANS += gnutls_db_check_entry_time.3
 APIMANS += gnutls_db_get_default_cache_expiration.3
 APIMANS += gnutls_db_get_ptr.3
@@ -30,6 +30,7 @@
 #include <session_pack.h>
 #include <datum.h>
 #include "ext/server_name.h"
+#include <intprops.h>
 /**
  * gnutls_db_set_retrieve_function:
@@ -155,6 +156,8 @@ unsigned gnutls_db_get_default_cache_expiration(void)
  *
  * Returns: Returns %GNUTLS_E_EXPIRED, if the database entry has
  * expired or 0 otherwise.
+ *
+ * Deprecated: This function is deprecated.
  **/
 int
 gnutls_db_check_entry(gnutls_session_t session,
@@ -166,7 +169,6 @@ gnutls_db_check_entry(gnutls_session_t session,
 /**
  * gnutls_db_check_entry_time:
  * @entry: is a pointer to a #gnutls_datum_t type.
- * @t: is the time of the session handshake
  *
  * This function returns the time that this entry was active.
  * It can be used for database entry expiration.
@@ -191,6 +193,40 @@ time_t gnutls_db_check_entry_time(gnutls_datum_t * entry)
 	return t;
 }
+/**
+ * gnutls_db_check_entry_expire_time:
+ * @entry: is a pointer to a #gnutls_datum_t type.
+ *
+ * This function returns the time that this entry will expire.
+ * It can be used for database entry expiration.
+ *
+ * Returns: The time this entry will expire, or zero on error.
+ *
+ * Since: 3.6.5
+ **/
+time_t gnutls_db_check_entry_expire_time(gnutls_datum_t *entry)
+{
+	uint32_t t;
+	uint32_t e;
+	uint32_t magic;
+
+	if (entry->size < 12)
+		return gnutls_assert_val(0);
+
+	magic = _gnutls_read_uint32(entry->data);
+
+	if (magic != PACKED_SESSION_MAGIC)
+		return gnutls_assert_val(0);
+
+	t = _gnutls_read_uint32(&entry->data[4]);
+	e = _gnutls_read_uint32(&entry->data[8]);
+
+	if (INT_ADD_OVERFLOW(t, e))
+		return gnutls_assert_val(0);
+
+	return t + e;
+}
+
 /* Checks if both db_store and db_retrieve functions have
  * been set up. */
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 0dc173394c..1c07ff33a5 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -1799,6 +1799,7 @@ void *gnutls_db_get_ptr(gnutls_session_t session);
 int gnutls_db_check_entry(gnutls_session_t session,
 			  gnutls_datum_t session_entry);
 time_t gnutls_db_check_entry_time(gnutls_datum_t * entry);
+time_t gnutls_db_check_entry_expire_time(gnutls_datum_t * entry);
 /**
  * gnutls_handshake_hook_func:
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index edcfa46575..cfa87a6b26 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -1254,6 +1254,7 @@ GNUTLS_3_6_5
 	gnutls_record_get_max_early_data_size;
 	gnutls_record_send_early_data;
 	gnutls_record_recv_early_data;
+	gnutls_db_check_entry_expire_time;
 } GNUTLS_3_6_4;
 GNUTLS_FIPS140_3_4 {
diff --git a/lib/session_pack.c b/lib/session_pack.c
index 54c1c15d5a..1869f7740b 100644
--- a/lib/session_pack.c
+++ b/lib/session_pack.c
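Review bot: gnutls_db_check_entry_expire_time() reads the expiry offset from bytes 8..11 of the packed entry, but nothing in this commit changes PACKED_SESSION_MAGIC, so an entry written by a library version predating this layout (where the byte after the timestamp is the `id` byte) still passes the magic check and yields a non-zero, meaningless expiry instead of the documented zero. Unless the magic is bumped elsewhere, either bump it in this commit or state in the docstring that the entry must have been packed by a library that writes the expiry field; _gnutls_session_unpack in the lib/session_pack.c hunk has the same exposure, since it now pops four bytes that such an entry does not carry. The documented failure value of zero is also not distinguishable from a genuinely stored timestamp of zero with a zero offset, which is worth a sentence in the Returns: line. As a point of style, the header declares the parameter as `gnutls_datum_t * entry` while the definition writes `gnutls_datum_t *entry`; the sibling gnutls_db_check_entry_time uses the former.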
@@ -104,6 +104,7 @@ _gnutls_session_pack(gnutls_session_t session,
 	BUFFER_APPEND_NUM(&sb, PACKED_SESSION_MAGIC);
 	BUFFER_APPEND_NUM(&sb, session->security_parameters.timestamp);
+	BUFFER_APPEND_NUM(&sb, session->internals.expire_time);
 	BUFFER_APPEND(&sb, &id, 1);
 	switch (id) {
@@ -190,6 +191,7 @@ _gnutls_session_unpack(gnutls_session_t session,
 	int ret;
 	gnutls_buffer_st sb;
 	uint32_t magic;
+	uint32_t expire_time;
 	uint8_t id;
 	_gnutls_buffer_init(&sb);
@@ -220,6 +222,8 @@ _gnutls_session_unpack(gnutls_session_t session,
 	BUFFER_POP_NUM(&sb,
 		       session->internals.resumed_security_parameters.
 		       timestamp);
+	BUFFER_POP_NUM(&sb, expire_time);
+	(void) expire_time;
 	BUFFER_POP(&sb, &id, 1);
 	switch (id) {
diff --git a/symbols.last b/symbols.last
index 65a578b358..f966ae1a42 100644
--- a/symbols.last
+++ b/symbols.last
@@ -137,6 +137,7 @@ gnutls_crypto_register_cipher@GNUTLS_3_4
 gnutls_crypto_register_digest@GNUTLS_3_4
 gnutls_crypto_register_mac@GNUTLS_3_4
 gnutls_db_check_entry@GNUTLS_3_4
+gnutls_db_check_entry_expire_time@GNUTLS_3_6_5
 gnutls_db_check_entry_time@GNUTLS_3_4
 gnutls_db_get_default_cache_expiration@GNUTLS_3_4
 gnutls_db_get_ptr@GNUTLS_3_4
diff --git a/tests/resume.c b/tests/resume.c
index 0e582f603d..5e545cc658 100644
--- a/tests/resume.c
+++ b/tests/resume.c
@@ -995,7 +995,7 @@ static void wrap_db_deinit(void)
 static int
 wrap_db_store(void *dbf, gnutls_datum_t key, gnutls_datum_t data)
 {
-	time_t t, now = time(0);
+	time_t t, e, now = time(0);
 #ifdef DEBUG_CACHE
 	if (debug) {
@@ -1021,6 +1021,13 @@ wrap_db_store(void *dbf, gnutls_datum_t key, gnutls_datum_t data)
 		exit(1);
 	}
+	/* check the correctness of gnutls_db_check_entry_expire_time() */
+	e = gnutls_db_check_entry_expire_time(&data);
+	if (e < t) {
+		fail("Time returned by gnutls_db_check_entry_expire_time is bogus\n");
+		exit(1);
+	}
+
 	if (cache_db == NULL)
 		return -1;
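Review bot: In the `@@ -220,6 +222,8 @@` hunk the popped `expire_time` is immediately discarded with `(void) expire_time;`, so nothing on the unpack path enforces the stored expiry and a later reader cannot tell whether that is deliberate or a placeholder. A one-line comment would settle it, e.g. `/* the stored expiry is exposed via gnutls_db_check_entry_expire_time(); the resumed session keeps its own internals.expire_time */`, assuming that is the intended division of responsibility — the callers are outside this hunk. _gnutls_session_unpack starts and ends outside the hunk.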
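Review bot: The new check in wrap_db_store (the `@@ -1021,6 +1021,13 @@` hunk) accepts `e == t`, i.e. a stored expiry offset of zero, because `e < t` is the only condition tested, so a packing regression that wrote a zero offset would still pass. If the server under test sets a non-zero expiry (its set-up is outside the hunk, so this is an assumption), `if (e <= t)` pins the intended property. `t` is presumably assigned from gnutls_db_check_entry_time() earlier in the function, also outside the hunk; wrap_db_store's body continues past both hunks.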