authorDaiki Ueno <dueno@redhat.com>2018-11-08 17:54:11 +0100
committerDaiki Ueno <dueno@redhat.com>2018-11-12 14:08:42 +0100
commit0a590e15e17383c5b18650465266da5f4cfd2af1 (patch)
treeca150883b7b934d4e772177f2bbbb9f3280b4918
parenta5105a99f8bdc8b530ae2bf62535ce1b7ec0319c (diff)
db: introduce gnutls_db_check_entry_expire_time
This would be particularly useful when the same database is used to store long-lived TLS 1.2 session data and short-lived TLS 1.3 anti-replay entries. Note that the existing gnutls_db_check_entry doesn't fit in this use-case, as it takes gnutls_session_t as the argument. Signed-off-by: Daiki Ueno <dueno@redhat.com>
-rw-r--r--doc/Makefile.am2
-rw-r--r--doc/manpages/Makefile.am1
-rw-r--r--lib/db.c38
-rw-r--r--lib/includes/gnutls/gnutls.h.in1
-rw-r--r--lib/libgnutls.map1
-rw-r--r--lib/session_pack.c4
-rw-r--r--symbols.last1
-rw-r--r--tests/resume.c9
8 files changed, 55 insertions, 2 deletions
diff --git a/doc/Makefile.am b/doc/Makefile.am
index b939121898..bac1e5825c 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -877,6 +877,8 @@ FUNCS += functions/gnutls_crypto_register_mac
FUNCS += functions/gnutls_crypto_register_mac.short
FUNCS += functions/gnutls_db_check_entry
FUNCS += functions/gnutls_db_check_entry.short
+FUNCS += functions/gnutls_db_check_entry_expire_time
+FUNCS += functions/gnutls_db_check_entry_expire_time.short
FUNCS += functions/gnutls_db_check_entry_time
FUNCS += functions/gnutls_db_check_entry_time.short
FUNCS += functions/gnutls_db_get_default_cache_expiration
diff --git a/doc/manpages/Makefile.am b/doc/manpages/Makefile.am
index 9047790c83..8a6025ccaa 100644
--- a/doc/manpages/Makefile.am
+++ b/doc/manpages/Makefile.am
@@ -240,6 +240,7 @@ APIMANS += gnutls_crypto_register_cipher.3
APIMANS += gnutls_crypto_register_digest.3
APIMANS += gnutls_crypto_register_mac.3
APIMANS += gnutls_db_check_entry.3
+APIMANS += gnutls_db_check_entry_expire_time.3
APIMANS += gnutls_db_check_entry_time.3
APIMANS += gnutls_db_get_default_cache_expiration.3
APIMANS += gnutls_db_get_ptr.3
diff --git a/lib/db.c b/lib/db.c
index a029f351cd..e01e5b94c5 100644
--- a/lib/db.c
+++ b/lib/db.c
@@ -30,6 +30,7 @@
#include <session_pack.h>
#include <datum.h>
#include "ext/server_name.h"
+#include <intprops.h>
/**
* gnutls_db_set_retrieve_function:
@@ -155,6 +156,8 @@ unsigned gnutls_db_get_default_cache_expiration(void)
*
* Returns: Returns %GNUTLS_E_EXPIRED, if the database entry has
* expired or 0 otherwise.
+ *
+ * Deprecated: This function is deprecated.
**/
int
gnutls_db_check_entry(gnutls_session_t session,
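Review bot: The added `Deprecated:` tag says only that the function is deprecated and does not name what replaces it, although the commit message explains the reason (the gnutls_session_t argument). A reader of the generated manpage would be better served by `Deprecated: Use gnutls_db_check_entry_time() and gnutls_db_check_entry_expire_time() instead; they operate on the stored entry alone and do not need a gnutls_session_t.` The body of gnutls_db_check_entry continues outside this hunk.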
@@ -166,7 +169,6 @@ gnutls_db_check_entry(gnutls_session_t session,
/**
* gnutls_db_check_entry_time:
* @entry: is a pointer to a #gnutls_datum_t type.
- * @t: is the time of the session handshake
*
* This function returns the time that this entry was active.
* It can be used for database entry expiration.
@@ -191,6 +193,40 @@ time_t gnutls_db_check_entry_time(gnutls_datum_t * entry)
return t;
}
+/**
+ * gnutls_db_check_entry_expire_time:
+ * @entry: is a pointer to a #gnutls_datum_t type.
+ *
+ * This function returns the time that this entry will expire.
+ * It can be used for database entry expiration.
+ *
+ * Returns: The time this entry will expire, or zero on error.
+ *
+ * Since: 3.6.5
+ **/
+time_t gnutls_db_check_entry_expire_time(gnutls_datum_t *entry)
+{
+ uint32_t t;
+ uint32_t e;
+ uint32_t magic;
+
+ if (entry->size < 12)
+ return gnutls_assert_val(0);
+
+ magic = _gnutls_read_uint32(entry->data);
+
+ if (magic != PACKED_SESSION_MAGIC)
+ return gnutls_assert_val(0);
+
+ t = _gnutls_read_uint32(&entry->data[4]);
+ e = _gnutls_read_uint32(&entry->data[8]);
+
+ if (INT_ADD_OVERFLOW(t, e))
+ return gnutls_assert_val(0);
+
+ return t + e;
+}
+
/* Checks if both db_store and db_retrieve functions have
* been set up.
*/
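Review bot: `INT_ADD_OVERFLOW(t, e)` guards the uint32_t addition, but `return t + e;` then converts the 32-bit sum to time_t unchecked; on a target whose time_t is 32-bit signed, a sum above INT32_MAX becomes negative, and a caller comparing the result with `time(NULL)` would treat the entry as long expired instead of seeing the documented zero error value. The fields are read from the stored entry, so the sum is attacker-influenced data and the conversion deserves the same scrutiny as the addition. If intprops.h is the gnulib header it appears to be, its `TYPE_MAXIMUM` makes the check a one-liner, `if (INT_ADD_OVERFLOW(t, e) || (uint64_t)t + e > (uint64_t)TYPE_MAXIMUM(time_t)) return gnutls_assert_val(0);`; otherwise compare the sum against the largest time_t the platform can hold before returning it. It would also help to note in the doc comment that the expiry is the sum of the two 32-bit fields at offsets 4 and 8 of the packed entry, so the value is bounded by what uint32_t can express.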
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 0dc173394c..1c07ff33a5 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -1799,6 +1799,7 @@ void *gnutls_db_get_ptr(gnutls_session_t session);
int gnutls_db_check_entry(gnutls_session_t session,
gnutls_datum_t session_entry);
time_t gnutls_db_check_entry_time(gnutls_datum_t * entry);
+time_t gnutls_db_check_entry_expire_time(gnutls_datum_t * entry);
/**
* gnutls_handshake_hook_func:
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index edcfa46575..cfa87a6b26 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -1254,6 +1254,7 @@ GNUTLS_3_6_5
gnutls_record_get_max_early_data_size;
gnutls_record_send_early_data;
gnutls_record_recv_early_data;
+ gnutls_db_check_entry_expire_time;
} GNUTLS_3_6_4;
GNUTLS_FIPS140_3_4 {
diff --git a/lib/session_pack.c b/lib/session_pack.c
index 54c1c15d5a..1869f7740b 100644
--- a/lib/session_pack.c
+++ b/lib/session_pack.c
@@ -104,6 +104,7 @@ _gnutls_session_pack(gnutls_session_t session,
BUFFER_APPEND_NUM(&sb, PACKED_SESSION_MAGIC);
BUFFER_APPEND_NUM(&sb, session->security_parameters.timestamp);
+ BUFFER_APPEND_NUM(&sb, session->internals.expire_time);
BUFFER_APPEND(&sb, &id, 1);
switch (id) {
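Review bot: Inserting `BUFFER_APPEND_NUM(&sb, session->internals.expire_time);` between the timestamp and the `id` byte changes the packed layout from offset 8 onward, yet nothing in this diff changes PACKED_SESSION_MAGIC, so an entry written by a library without this field would still pass the magic check while the unpack side (the `@@ -220,6 +222,8 @@` hunk) reads the old `id` byte plus three following bytes as expire_time; whether such an entry is then rejected depends on checks not visible here. If the magic is meant to stay fixed across versions this should be confirmed or the magic bumped; if cross-version entries are already unsupported, a comment at the appends would spare the next reader the same question, e.g. `/* layout: magic(4) | timestamp(4) | expire_time(4) | id(1) | ... ; gnutls_db_check_entry_expire_time() reads the first three fields by fixed offset */`. _gnutls_session_pack begins outside this hunk.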
@@ -190,6 +191,7 @@ _gnutls_session_unpack(gnutls_session_t session,
int ret;
gnutls_buffer_st sb;
uint32_t magic;
+ uint32_t expire_time;
uint8_t id;
_gnutls_buffer_init(&sb);
@@ -220,6 +222,8 @@ _gnutls_session_unpack(gnutls_session_t session,
BUFFER_POP_NUM(&sb,
session->internals.resumed_security_parameters.
timestamp);
+ BUFFER_POP_NUM(&sb, expire_time);
+ (void) expire_time;
BUFFER_POP(&sb, &id, 1);
switch (id) {
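Review bot: `(void) expire_time;` discards the field just popped without a word on why, and a maintainer could read it as an unfinished validation or as a place where `session->internals.expire_time` should have been restored. In this hunk the stored value is not applied to the session, so the intent seems to be that expiry enforcement is left to the database owner through the new gnutls_db_check_entry_expire_time(); a comment such as `/* stored expire_time is for the DB owner's use (gnutls_db_check_entry_expire_time()); it does not override the session's own setting */` would record that, hedged as appropriate if the design differs. _gnutls_session_unpack begins outside this hunk.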
diff --git a/symbols.last b/symbols.last
index 65a578b358..f966ae1a42 100644
--- a/symbols.last
+++ b/symbols.last
@@ -137,6 +137,7 @@ gnutls_crypto_register_cipher@GNUTLS_3_4
gnutls_crypto_register_digest@GNUTLS_3_4
gnutls_crypto_register_mac@GNUTLS_3_4
gnutls_db_check_entry@GNUTLS_3_4
+gnutls_db_check_entry_expire_time@GNUTLS_3_6_5
gnutls_db_check_entry_time@GNUTLS_3_4
gnutls_db_get_default_cache_expiration@GNUTLS_3_4
gnutls_db_get_ptr@GNUTLS_3_4
diff --git a/tests/resume.c b/tests/resume.c
index 0e582f603d..5e545cc658 100644
--- a/tests/resume.c
+++ b/tests/resume.c
@@ -995,7 +995,7 @@ static void wrap_db_deinit(void)
static int
wrap_db_store(void *dbf, gnutls_datum_t key, gnutls_datum_t data)
{
- time_t t, now = time(0);
+ time_t t, e, now = time(0);
#ifdef DEBUG_CACHE
if (debug) {
@@ -1021,6 +1021,13 @@ wrap_db_store(void *dbf, gnutls_datum_t key, gnutls_datum_t data)
exit(1);
}
+ /* check the correctness of gnutls_db_check_entry_expire_time() */
+ e = gnutls_db_check_entry_expire_time(&data);
+ if (e < t) {
+ fail("Time returned by gnutls_db_check_entry_expire_time is bogus\n");
+ exit(1);
+ }
+
if (cache_db == NULL)
return -1;
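Review bot: The new check `if (e < t)` only establishes a lower bound, so an entry whose stored expire_time is zero (e == t) passes, and the function's zero error return is caught only because `t` happens to be non-zero; the test therefore does not show that the expiry field is actually being written and read back. If this test does not set a per-session expiration with gnutls_db_set_cache_expiration() (not visible here), the expected value is known and the assertion can be exact, e.g. `if (e != t + (time_t)gnutls_db_get_default_cache_expiration())`; otherwise compare against whatever the test configured. `t` is presumably filled by gnutls_db_check_entry_time() above this hunk, and wrap_db_store continues outside it.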