authorDaiki Ueno <dueno@redhat.com>2018-11-08 17:54:11 +0100
committerDaiki Ueno <dueno@redhat.com>2018-11-12 14:08:42 +0100
commit0a590e15e17383c5b18650465266da5f4cfd2af1 (patch)
treeca150883b7b934d4e772177f2bbbb9f3280b4918 /lib
parenta5105a99f8bdc8b530ae2bf62535ce1b7ec0319c (diff)
db: introduce gnutls_db_check_entry_expire_time
This would be particularly useful when the same database is used to store long-lived TLS 1.2 session data and short-lived TLS 1.3 anti-replay entries. Note that the existing gnutls_db_check_entry doesn't fit in this use-case, as it takes gnutls_session_t as the argument. Signed-off-by: Daiki Ueno <dueno@redhat.com>
Diffstat (limited to 'lib')
-rw-r--r--lib/db.c38
-rw-r--r--lib/includes/gnutls/gnutls.h.in1
-rw-r--r--lib/libgnutls.map1
-rw-r--r--lib/session_pack.c4
4 files changed, 43 insertions, 1 deletions
diff --git a/lib/db.c b/lib/db.c
index a029f351cd..e01e5b94c5 100644
--- a/lib/db.c
+++ b/lib/db.c
@@ -30,6 +30,7 @@
#include <session_pack.h>
#include <datum.h>
#include "ext/server_name.h"
+#include <intprops.h>
/**
* gnutls_db_set_retrieve_function:
@@ -155,6 +156,8 @@ unsigned gnutls_db_get_default_cache_expiration(void)
*
* Returns: Returns %GNUTLS_E_EXPIRED, if the database entry has
* expired or 0 otherwise.
+ *
+ * Deprecated: This function is deprecated.
**/
int
gnutls_db_check_entry(gnutls_session_t session,
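Review bot: The added `Deprecated:` line in the gnutls_db_check_entry doc block names no replacement, so a reader still has to guess what to call instead. The commit message explains that this function is unsuited because it takes a gnutls_session_t; if gnutls_db_check_entry_expire_time() is the intended successor, the note should say so: ` * Deprecated: This function is deprecated; use gnutls_db_check_entry_expire_time() on the raw entry instead.` The body of gnutls_db_check_entry lies outside this hunk.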
@@ -166,7 +169,6 @@ gnutls_db_check_entry(gnutls_session_t session,
/**
* gnutls_db_check_entry_time:
* @entry: is a pointer to a #gnutls_datum_t type.
- * @t: is the time of the session handshake
*
* This function returns the time that this entry was active.
* It can be used for database entry expiration.
@@ -191,6 +193,40 @@ time_t gnutls_db_check_entry_time(gnutls_datum_t * entry)
return t;
}
+/**
+ * gnutls_db_check_entry_expire_time:
+ * @entry: is a pointer to a #gnutls_datum_t type.
+ *
+ * This function returns the time that this entry will expire.
+ * It can be used for database entry expiration.
+ *
+ * Returns: The time this entry will expire, or zero on error.
+ *
+ * Since: 3.6.5
+ **/
+time_t gnutls_db_check_entry_expire_time(gnutls_datum_t *entry)
+{
+ uint32_t t;
+ uint32_t e;
+ uint32_t magic;
+
+ if (entry->size < 12)
+ return gnutls_assert_val(0);
+
+ magic = _gnutls_read_uint32(entry->data);
+
+ if (magic != PACKED_SESSION_MAGIC)
+ return gnutls_assert_val(0);
+
+ t = _gnutls_read_uint32(&entry->data[4]);
+ e = _gnutls_read_uint32(&entry->data[8]);
+
+ if (INT_ADD_OVERFLOW(t, e))
+ return gnutls_assert_val(0);
+
+ return t + e;
+}
+
/* Checks if both db_store and db_retrieve functions have
* been set up.
*/
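Review bot: gnutls_db_check_entry_expire_time hard-codes the packed-entry layout (magic at offset 0, timestamp at 4, expiry at 8, hence the `entry->size < 12` guard), but nothing in the function ties those offsets to _gnutls_session_pack, which writes them; a comment above the size check such as `/* layout written by _gnutls_session_pack(): magic(4) | timestamp(4) | expire_time(4) | ...; keep in sync */` would make the coupling visible to whoever next touches either side. Separately, `return t + e;` yields a uint32_t sum that is then converted to time_t; INT_ADD_OVERFLOW guards the 32-bit wrap, but on a platform with a 32-bit signed time_t a sum above INT32_MAX would presumably be returned as a negative time rather than the documented zero, which is worth either a comment or an explicit range check against the platform's time_t. The `Returns:` line could also state that a zero result is the error value for a malformed or foreign entry, so callers do not treat it as "expires at the epoch".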
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 0dc173394c..1c07ff33a5 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -1799,6 +1799,7 @@ void *gnutls_db_get_ptr(gnutls_session_t session);
int gnutls_db_check_entry(gnutls_session_t session,
gnutls_datum_t session_entry);
time_t gnutls_db_check_entry_time(gnutls_datum_t * entry);
+time_t gnutls_db_check_entry_expire_time(gnutls_datum_t * entry);
/**
* gnutls_handshake_hook_func:
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index edcfa46575..cfa87a6b26 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -1254,6 +1254,7 @@ GNUTLS_3_6_5
gnutls_record_get_max_early_data_size;
gnutls_record_send_early_data;
gnutls_record_recv_early_data;
+ gnutls_db_check_entry_expire_time;
} GNUTLS_3_6_4;
GNUTLS_FIPS140_3_4 {
diff --git a/lib/session_pack.c b/lib/session_pack.c
index 54c1c15d5a..1869f7740b 100644
--- a/lib/session_pack.c
+++ b/lib/session_pack.c
@@ -104,6 +104,7 @@ _gnutls_session_pack(gnutls_session_t session,
BUFFER_APPEND_NUM(&sb, PACKED_SESSION_MAGIC);
BUFFER_APPEND_NUM(&sb, session->security_parameters.timestamp);
+ BUFFER_APPEND_NUM(&sb, session->internals.expire_time);
BUFFER_APPEND(&sb, &id, 1);
switch (id) {
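Review bot: Inserting `session->internals.expire_time` between the timestamp and the `id` byte changes the serialized entry layout, so an entry written by a previous build and still held in a persistent database would be unpacked with the `id` byte and the three bytes after it read as the expiry; nothing in this diffstat bumps PACKED_SESSION_MAGIC. If the magic already encodes the library version, so that cross-version entries are rejected anyway, a one-line comment here saying so would save the next reader that check: `/* layout: magic | timestamp | expire_time | id ...; entries from other versions are rejected by PACKED_SESSION_MAGIC */`. The same layout is read back in the _gnutls_session_unpack hunk below and by gnutls_db_check_entry_expire_time in lib/db.c. _gnutls_session_pack continues outside this hunk.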
@@ -190,6 +191,7 @@ _gnutls_session_unpack(gnutls_session_t session,
int ret;
gnutls_buffer_st sb;
uint32_t magic;
+ uint32_t expire_time;
uint8_t id;
_gnutls_buffer_init(&sb);
@@ -220,6 +222,8 @@ _gnutls_session_unpack(gnutls_session_t session,
BUFFER_POP_NUM(&sb,
session->internals.resumed_security_parameters.
timestamp);
+ BUFFER_POP_NUM(&sb, expire_time);
+ (void) expire_time;
BUFFER_POP(&sb, &id, 1);
switch (id) {
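Review bot: `(void) expire_time;` discards the value just popped, so a resumed session does not carry the stored expiry into `session->internals`; if that is deliberate because expiry is meant to be evaluated against the raw entry via gnutls_db_check_entry_expire_time(), a comment should say so rather than leave a read-and-drop that looks like an unfinished change: `/* expire_time is only consumed by gnutls_db_check_entry_expire_time() on the raw entry; popped here only to advance past it */`. If it is not deliberate, the value belongs in `session->internals.expire_time` so that a resumed session keeps its original lifetime. _gnutls_session_unpack continues outside this hunk.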