Merge branch 'wip/dueno/fipscontext' into 'master'

fips: add functions to inspect thread-local FIPS operation state

See merge request gnutls/gnutls!1465

cipher-api-test: mention why it is written using fork

Signed-off-by: Daiki Ueno <ueno@gnu.org>

fips: plumb service indicator to symmetric key crypto operations

Signed-off-by: Daiki Ueno <ueno@gnu.org>
Co-authored-by: Pedro Monreal <pmonrealgonzalez@suse.de>

fips: plumb service indicator to public key crypto operations

This installs service indicator state transitions in certain public
key operations in gnutls_crypto_pk_st, namely:

* fallible operations
  - encrypt
  - sign
  - generate_keys
  - derive

* infallible operations
  - decrypt, decrypt2
  - verify

other operations, such as generate_params, are not considered as
crypto operation.  Note that fallible operations above mean that those
return value could indicate error, while infallible operations do not
have distinction between errors and failures: decrypt/verify failures
are treated as a successful completion of the operation.

Signed-off-by: Daiki Ueno <ueno@gnu.org>
Co-authored-by: Pedro Monreal <pmonrealgonzalez@suse.de>

_gnutls_pkcs_generate_key: use HMAC-SHA256 for PBKDF2

Signed-off-by: Daiki Ueno <ueno@gnu.org>

pkcs12: determine iteration count for MAC at build time

Signed-off-by: Daiki Ueno <ueno@gnu.org>

pkcs7: determine iteration count for PBKDF2 at build time

Signed-off-by: Daiki Ueno <ueno@gnu.org>

certtool: --to-p12: use modern algorithms by default

Currently certtool uses PKCS12-3DES-SHA1 for encrypting keys in
PKCS#12, while it is suggested to migrate to more modern algorithms,
namely AES-128-CBC with PBKDF2 and SHA-256:
https://bugzilla.redhat.com/show_bug.cgi?id=1759982

Signed-off-by: Daiki Ueno <ueno@gnu.org>

fips: add functions to inspect thread-local FIPS operation state

Signed-off-by: Daiki Ueno <ueno@gnu.org>

Merge branch 'tmp-2022-gtkdoc' into 'master'

Fix gtk-doc build, Debian bug #1003075

See merge request gnutls/gnutls!1507

Drop unquoted angle brackets in gtk-doc comment.

Signed-off-by: Andreas Metzler <ametzler@bebt.de>

Fix gtk-doc build, use http URI in sgml master.

Signed-off-by: Andreas Metzler <ametzler@bebt.de>

Merge branch 'p11tool-always-auth' into 'master'

p11tool: add --mark-always-authenticate option

See merge request gnutls/gnutls!1504

p11tool: add --mark-always-authenticate option

Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

Merge branch 'copyright' into 'master'

doc: updated copyrights for 2022

See merge request gnutls/gnutls!1505

doc: updated copyrights for 2022

Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

accelerated: fix CPU feature detection for Intel CPUs

This fixes read_cpuid_vals to correctly read the CPUID quadruple, as
well as to set the bit the ustream CRYPTOGAMS uses to identify Intel
CPUs.

Suggested by Rafael Gieschke in:
https://gitlab.com/gnutls/gnutls/-/issues/1282

Signed-off-by: Daiki Ueno <ueno@gnu.org>

padlock: reset _gnutls_x86_cpuid_s only after padlock check succeeds

Otherwise it clears _gnutls_x86_cpuid_s which may already hold valid
CPUID detected for Intel and AMD CPUs.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

Merge branch 'wip/dueno/nettle-hash' into 'master'

wrap_nettle_hash_fast: avoid calling _update with zero-length input

See merge request gnutls/gnutls!1503

Merge branch 'wip/dueno/hash-copy-doc' into 'master'

gnutls_{hash,hmac}_copy: mention the functions do not always work

See merge request gnutls/gnutls!1502

wrap_nettle_hash_fast: avoid calling _update with zero-length input

As Nettle's hash update functions internally call memcpy, providing
zero-length input may cause undefined behavior.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

gnutls_{hash,hmac}_copy: mention the functions do not always work

It is known that some built-in accelerated implementation, such as
AF_ALG, does not support copying hash/hmac contexts.  This expands the
documentation to suggest checking the return value of those functions.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

tests: extend system-override-curves-allowlist with key generation

Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

tests: tweak system-override-curves-allowlist insignificantly

Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Merge branch 'tpm2-dep-correction' into 'master'

README: document tpm2-tss-engine test dependency

See merge request gnutls/gnutls!1498

README: document tpm2-tss-engine test dependency

Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Merge branch 'ktls_api' into 'master'

ktls: API

See merge request gnutls/gnutls!1477

Merge branch 'aarch64-sha384' into 'master'

use sha384_digest in lib/accelerated/aarch64/sha-aarch64.c sha384

See merge request gnutls/gnutls!1497

use sha384_digest in lib/accelerated/aarch64/sha-aarch64.c sha384

Mirrors https://gitlab.com/gnutls/gnutls/-/merge_requests/1466

Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

ktls: flags

ktls enum flags API

Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>

KTLS: API

ktls is enabled by default, we can check if inicialization was
succesfull with gnutls_transport_is_ktls_enabled

Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>

Merge branch 'fix-asan-out-of-tree' into 'master'

tests: fix out of tree builds with ASAN

See merge request gnutls/gnutls!1496

Merge branch 'wip/dueno/sct' into 'master'

Minor cleanup on the new X509 CT code

See merge request gnutls/gnutls!1495

.gitignore: ignore tests/x509cert-ct

Signed-off-by: Daiki Ueno <ueno@gnu.org>

X509 CT: defer filling in the length field

This eliminates the need of precalculating the payload size, to make
it easier to adapt to new format.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

tests: fix out of tree builds with ASAN

Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Merge branch 'test-allowlisting-proto-tcp' into 'master'

test for gnutls_protocol_set_enabled, TCP

See merge request gnutls/gnutls!1494

tests: add protocol-set-allowlist

Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

tests: add tcp_connect to utils

Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

X509 CT: use size_t for array index instead of unsigned

Signed-off-by: Daiki Ueno <ueno@gnu.org>

Merge branch 'aja-certificate-transparency' into 'master'

Read Certificate Transparency (RFC 6962) SCT extension

Closes #232

See merge request gnutls/gnutls!1367

Update symbols

Signed-off-by: Ander Juaristi <a@juaristi.eus>

devel: Suppress new API functions

Signed-off-by: Ander Juaristi <a@juaristi.eus>

x509 CT: Add tests

Signed-off-by: Ander Juaristi <a@juaristi.eus>

x509 CT: implement new public API

This commit implements import and export functions for the X.509
Certificate Transparency Signed Certificate Timestamp (SCT) extension
(RFC 6962).

A new constant GNUTLS_X509EXT_OID_CT_SCT is introduced
with the value "1.3.6.1.4.1.11129.2.4.2".

The following new public API functions are introduced:

    - gnutls_x509_ext_ct_scts_init
    - gnutls_x509_ext_ct_scts_deinit
    - gnutls_x509_ext_ct_import_scts
    - gnutls_x509_ext_ct_export_scts
    - gnutls_x509_ct_sct_get_version
    - gnutls_x509_ct_sct_get

Signed-off-by: Ander Juaristi <a@juaristi.eus>

Merge branch 'wip/dueno/abi-check-latest' into 'master'

build: stop running abi-dump-latest at "make files-update"

See merge request gnutls/gnutls!1491

devel/libgnutls.abignore: ignore drbg_aes_* functions

These functions are only defined when compiled with
--enable-fips140-mode.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

Merge branch 'wip/dueno/config-allowlisting' into 'master'

priority: support allowlisting in configuration file

Closes #1172

See merge request gnutls/gnutls!1427

priority: support allowlisting in configuration file

This adds a new mode of interpreting the [overrides] section.  If
"override-mode" is set to "allowlisting" in the [global] section, all
the algorithms (hashes, signature algorithms, curves, and versions)
are initially marked as insecure/disabled.  Then the user can enable
them by specifying allowlisting keywords such as "secure-hash" in the
[overrides] section.

Signed-off-by: Daiki Ueno <ueno@gnu.org>
Co-authored-by: Alexander Sosedkin <asosedkin@redhat.com>

Merge branch 'wip/dueno/valgrind-tests' into 'master'

build: update to use the latest valgrind-tests module from Gnulib

Closes #1253

See merge request gnutls/gnutls!1488

CONTRIBUTING.md: clarify how to introduce new API

Signed-off-by: Daiki Ueno <ueno@gnu.org>

release-steps: "make abi-dump-latest" at release time

Signed-off-by: Daiki Ueno <ueno@gnu.org>

build: stop running abi-dump-latest at "make files-update"

The procedure of registering ABI updates has changed in
bd3c78b9d10937adb1855b85bca1864972a1c986.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

build: update to use the latest valgrind-tests module from Gnulib

This adjust the existing valgrind invocations in the test suite with:
https://www.gnu.org/software/gnulib/manual/html_node/Valgrind-options.html

- make --suppressions option to per directory, using AM_VALGRINDFLAGS
- use LOG_VALGRIND for LOG_COMPILER
- quote '$(LOG_VALGRIND)' in TESTS_ENVIRONMENT
- move gl_VALGRIND_TESTS_DEFAULT_NO call before gl_INIT

Signed-off-by: Daiki Ueno <ueno@gnu.org>

Merge branch 'fix_non_vla_02' into 'master'

sockets: fixed building for Windows with compilers without VLA support (alternative version)

See merge request gnutls/gnutls!1490

sockets: fixed compiler warning on Windows x32

Signed-off-by: Evgeny Grin <k2k@narod.ru>

sockets: fixed building for Windows with compilers without VLA support

Signed-off-by: Evgeny Grin <k2k@narod.ru>

priority: refactor config file parsing

This adds the following refactoring:

- avoid side-effects during parsing the config file, by separating
  application phase; the parsed configuration can be applied globally
  with cfg_apply, after validation
- make _gnutls_*_mark_{disabled,insecure} take an ID instead of the
  name

Signed-off-by: Daiki Ueno <ueno@gnu.org>

Merge branch 'wip/dueno/thr' into 'master'

locks: couple of improvements using Gnulib glthread

See merge request gnutls/gnutls!1485

locks: deprecate gnutls_global_set_mutex

As the library now uses static mutexes, rwlocks, and onces, it doesn't
make much sense to only replace dynamic mutex usage.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

locks: use once execution for on-demand initialization of globals

This makes sure that the global variables are initialized only once.
Most of those variables are initialized at ELF constructor, though a
couple of occasions they are initialized on-demand: the global keylog
file pointer and TPM2 TCTI context.  To properly protect the
initialization this patch uses gl_once provided by Gnulib.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

locks: rework rwlock primitives

Remove GNUTLS_STATIC_RWLOCK_*LOCK macros and respect return values of
rwlock primitives.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

pkcs11: switch to using static mutex

Signed-off-by: Daiki Ueno <ueno@gnu.org>

verify-tofu: switch to using static mutex for locking

Signed-off-by: Daiki Ueno <ueno@gnu.org>

locks: replace custom mutex wrappers with "glthread/lock.h"

As Gnulib provides portability wrappers of mutex implementations, we
don't need to provide similar wrappers by ourselves.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

Merge branch 'wip/dueno/tpm2' into 'master'

Port openconnect TPM2 code

Closes #594

See merge request gnutls/gnutls!1460

Port openconnect TPM2 code

This introduces transparent loading of TPM2 keys which are in PEM
form by gnutls_privkey_import_x509_raw() and higher level functions
which wrap it.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Co-authored-by: David Woodhouse <dwmw2@infradead.org>
Co-authored-by: Daiki Ueno <ueno@gnu.org>

Merge branch 'abs-top-builddir-fix' into 'master'

tests: pass $abs_top_builddir more consistently

See merge request gnutls/gnutls!1484

tests: set $abs_top_builddir in more places

`$abs_top_builddir` has been used all across tests' subdirectories
(through tests/scripts/common.sh)
but has only been defined for tests/suite/ ones.
Defining it in other Makefiles where `top_builddir` is being passed.

Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Merge branch 'wip/dueno/system_wide_priority_strings_init' into 'master'

priority: rework config reloading logic and locking

See merge request gnutls/gnutls!1483

priority: rework config reloading logic and locking

The previous reloading logic relied on the existence of [priority]
section (in the initial loading) as an indicator whether the file is
loaded.  This didn't work well in the following cases:
- when the section didn't exist initially and then is added later
- when the section existed initially and then is removed later
To handle these cases, this change adds a new flag
system_priority_file_loaded which can be used together with the mtime
check.

This also adds an rwlock to protect global configuration.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

Revert "priority: fix potential race in reloading system-wide config"

This reverts commit 890c6937a3cfb4a0704bc815324221ec4cb89840.
Considering the entire logic around reloading the config file, the fix
was suboptimal.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

Merge branch 'wip/dueno/abi-dump-release' into 'master'

devel: update release procedure taking into account of abi-dump

See merge request gnutls/gnutls!1481

Merge branch 'wip/dueno/priority-race' into 'master'

priority: fix potential race in reloading system-wide config

See merge request gnutls/gnutls!1482

priority: fix potential race in reloading system-wide config

_gnutls_update_system_priorities is called from gnutls_priority_set*
functions every time when the SYSTEM keyword is used and updates a
global variable system_wide_priority_strings if the configuration
changes.  Although the critical path is protected with mtime check, it
should also hold a lock to avoid occasional race condition in
multi-thread programs.  This also clears
system_wide_priority_strings_init upon unloading and before reloading
the config file (thanks to Alexander Sosedkin).

Signed-off-by: Daiki Ueno <ueno@gnu.org>

Merge branch 'wip/asosedki/gitlab-ci-speed-up-cppcheck' into 'master'

.gitlab-ci.yml: add caching to cppcheck

See merge request gnutls/gnutls!1480

.gitlab-ci.yml: add caching to cppcheck

Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

devel: update release procedure taking into account of abi-dump

As the *.abi files have been moved into a separate repository, we need
an extra step to update the repository for new release.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

Merge branch 'wip/asosedki/hash-filters-prf' into 'master'

make insecure-hash filter out ciphersuites on ->prf as well

See merge request gnutls/gnutls!1479

NEWS: add a notice of insecure-hash filtering ciphersuites on PRF

Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

tests: add system-override-hash-influences-prf

Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

priority: filter out ciphersuites with prf blocked by insecure-hash

Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

priority: refactor ciphersuite filtering

Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Merge branch 'ktls' into 'master'

ktls: basic implementation of SW mode

See merge request gnutls/gnutls!1451

ktls: basic implementation of SW mode

ktls enables us to offload encryption/decryption to the kernel

prerequisites:
- configured with `--enable-ktls`
- tls module `modprobe tls` check with 'lsmod | grep tls'
- per connection:
gnutls_transport_set_int{2} must be set

When prerequisities are met then ktls is used by default.

If GnuTLS encounters a error during KTLS initialization, it will
not use ktls and fallback to userspace.

Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>

Merge branch 'wip/dueno/abi-dump' into 'master'

devel: move .abi files into a separate repository

See merge request gnutls/gnutls!1478

devel: make use of abidw --drop-private-types

This will produce more compact abixml output.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

devel: move .abi files into a separate repository

Changes to the .abi files are a bit too noisy to track in the main
repository.  This moves the files out of this repository and embed it
as a git submodule.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

Merge branch 'mingw64-detection' into 'master'

fix mingw64 detection

See merge request gnutls/gnutls!1476

fix mingw64 detection

__MINGW64__ is only defined for 64 bits builds of mingw64 [1].
The intended test what to only use the CertEnumCRLsInStoreFunc via LoadLibrary
for some ancient mingw32 build and never for mingw64.

__MINGW64_VERSION_MAJOR is a proper define to identify mingw64 against mingw32.

[1] https://sourceforge.net/p/predef/wiki/Compilers/

Co-authored-by: Johannes Kauffmann <johanneskauffmann@hotmail.com>
Signed-off-by: Steve Lhomme <robux4@ycbcr.xyz>

Merge branch 'x25519-and-x448' into 'master'

certtool: generate, parse, and manipulate X25519 and X448 pubkeys, privkeys, and certificates

See merge request gnutls/gnutls!1428

Merge branch 'wip/dueno/shake' into 'master'

wrap_nettle_hash_exists: add missing hash algorithms

See merge request gnutls/gnutls!1473

wrap_nettle_hash_exists: add missing hash algorithms

This adds SHAKE-128, SHAKE-256, and RIPEMD-160 to the supported
algorithms by nettle.  While SHAKEs are not a hash algorithm but an
XOF, it would be consistent to report they are implemented.

The simple test is expanded to exercise the code
path (gnutls_digest_get_id → wrap_nettle_hash_exists).

Signed-off-by: Daiki Ueno <ueno@gnu.org>

Merge branch 'wip/dueno/oss-fuzz-focal' into 'master'

fuzz: explicitly supply LDFLAGS to clang++ command line

See merge request gnutls/gnutls!1474

fuzz: explicitly supply LDFLAGS to clang++ command line

This prevented fuzzer programs being linked in Ubuntu 20.03, used in
oss-fuzz.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

lib/x509: Avoid memcpy when string is empty

This fixes an ASAN warning in fuzz/gnutls_private_key_parser_fuzzer
when run against the malformed private key
fuzz/gnutls_private_key_parser_fuzzer.in/10a5c92fa30ddb6cbb4286d7699b2b7a7e032b17

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

NEWS: added news about certtool handling x448 and x25519

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

tests: add test for generating x25519 and x448 certificates

These certs should work just fine for the purposes of cryptographic
e-mail (S/MIME).

These usage flags are also used in the end-entity certificates found
in https://datatracker.ietf.org/doc/draft-ietf-lamps-samples/

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

tests: update details about sample X25519 certificate

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

certtool: add x448 and x25519 for --key-type

This is a simple extension of the certtool command-line interface.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>