git.ipfire.org Git - thirdparty/gnutls.git/log
Nikos Mavrogiannopoulos [Fri, 21 Jul 2017 13:18:38 +0000 (15:18 +0200)]
tlsfuzzer: enabled test for ECDHE without the supported groups/EC extension
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 2 Aug 2017 15:25:17 +0000 (17:25 +0200)]
Set a default supported curve
RFC4492 and draft-ietf-tls-rfc4492bis-17 mention:
"A client that proposes ECC cipher suites may choose not to include these
extensions. In this case, the server is free to choose any one of
the elliptic curves or point formats listed in Section 5."
As such, we set a default curve to be used in the case the
server encounters a handshake with no supported groups/curves
extension.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 2 Aug 2017 10:58:48 +0000 (12:58 +0200)]
tlsfuzzer: removed duplicate tests
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 2 Aug 2017 10:55:24 +0000 (12:55 +0200)]
tlsfuzzer: fixed comment fields
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 11 Jul 2017 06:02:56 +0000 (08:02 +0200)]
doc update
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Mon, 24 Jul 2017 06:39:00 +0000 (08:39 +0200)]
updated auto-generated files
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 18 Jul 2017 06:13:00 +0000 (08:13 +0200)]
gnutls-cli: use FFDHE3072 parameters for benchmarking
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 1 Aug 2017 08:21:37 +0000 (10:21 +0200)]
_gnutls_figure_dh_params: do not use have_ffdhe flag
This flag is intended to indicate whether the peer has advertized
at least one FFDHE group, and not whether we have negotiated FFDHE.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 10 Jul 2017 10:23:55 +0000 (12:23 +0200)]
tests: added unit test for group listings in priority structure
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 10 Jul 2017 10:05:01 +0000 (12:05 +0200)]
tests: updated cipher-listings.sh for the new groups listing
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 10 Jul 2017 09:46:03 +0000 (11:46 +0200)]
doc: documented the use of RFC7919 and groups
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 3 Jul 2017 08:44:14 +0000 (10:44 +0200)]
tlsfuzzer: enabled RFC7919 FFDHE tests
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 3 Jul 2017 07:09:27 +0000 (09:09 +0200)]
tests: enhanced server key exchange tests with explicit DH param setting
That is, not only check the DH parameter setting using the known_dh_params()
functions, but also with the explicit setting --set_server_dh_params().
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 30 Jun 2017 14:17:12 +0000 (16:17 +0200)]
tests: updated for post-RFC7919 behavior of library
That is, it is no longer necessary to set DH parameters on a
credentials structure, and thus previously expected to fail
connections may succeed even without DH parameters.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 30 Jun 2017 13:54:27 +0000 (15:54 +0200)]
tests: added RFC7919 FFDHE unit tests
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 30 Jun 2017 13:37:00 +0000 (15:37 +0200)]
cli,serv: do not print any information on compression
Compression is always NULL.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 30 Jun 2017 13:32:58 +0000 (15:32 +0200)]
cli,serv: no longer print parameters when FFDHE groups are used
The negotiated RFC7919 group is now printed as part of the Description string,
and there is no reason to print more information on parameters defined by
the protocol.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 10 Jul 2017 09:57:51 +0000 (11:57 +0200)]
gnutls-cli: print the supported groups instead of curves
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 10 Jul 2017 10:02:13 +0000 (12:02 +0200)]
gnutls_priority_ecc_curve_list: avoid including groups into elliptic curves list
This provides a mostly-compatible behavior of gnutls_priority_ecc_curve_list()
in order to avoid keeping additional information for elliptic curves in the
priority cache. This approach will always return the supported curves, if the set
groups are prioritized with the elliptic curve variants set first. This
is the default in the built-in priorities, and in most common setups.
Items which are non-valid curves will not be returned.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 2 Aug 2017 06:42:37 +0000 (08:42 +0200)]
handshake: moved group negotiation after ciphersuite selection
This allows coping with situations where the peer prioritizes a
supported group which doesn't map to a supported ciphersuite.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 14 Jul 2017 08:35:58 +0000 (10:35 +0200)]
security_parameters: ease access to group information by keeping pointer to it
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 14 Jul 2017 08:15:23 +0000 (10:15 +0200)]
security_parameters: simplified contents by keeping pointer to cipher_suite_entry_st
That, in addition to simplifying the contents, allows faster access
to the ciphersuite's properties.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 27 Jun 2017 13:36:04 +0000 (15:36 +0200)]
TLS: introduced support for RFC7919 groups
That replaces the EC curve extension negotiation with
the negotiated groups extensions, introduces handling
for groups as priority strings, as well as using and
checking of RFC7919 DH parameters once negotiated.
Resolves: #37
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 21 Jul 2017 14:03:35 +0000 (16:03 +0200)]
updated auto-generated files
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 21 Jul 2017 12:21:32 +0000 (14:21 +0200)]
gnutls-cli: use gnutls_priority_set
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 21 Jul 2017 12:20:26 +0000 (14:20 +0200)]
tests: modified gnutls_priority_set2() tests for gnutls_priority_set()
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 21 Jul 2017 10:09:49 +0000 (12:09 +0200)]
gnutls_priority_set: use reference counting
That eliminates the need for gnutls_priority_set2() which is now
removed.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 21 Jul 2017 09:43:27 +0000 (11:43 +0200)]
Introduced atomic.h to simplify handling of atomic integers
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 21 Jul 2017 09:22:31 +0000 (11:22 +0200)]
Revert "Documented use gnutls_priority_set2()."
This reverts commit b4aed16ee30f76211c13b075149bb87c012f9bf6.
Nikos Mavrogiannopoulos [Fri, 21 Jul 2017 08:54:13 +0000 (10:54 +0200)]
tlsfuzzer: enabled test-ecdsa-sig-flexibility.py
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 21 Jul 2017 08:05:44 +0000 (10:05 +0200)]
updated auto-generated files
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 20 Jul 2017 12:48:33 +0000 (14:48 +0200)]
doc update
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 20 Jul 2017 12:43:20 +0000 (14:43 +0200)]
algorithms/mac: marked RIPEMD160 as insecure for certificates
This is an algorithm which is not really used in Internet PKI
and due to that has seen no public cryptanalysis. As such
we disable it for certificate verification to prevent it from
being used as an attack vector.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 20 Jul 2017 11:26:46 +0000 (13:26 +0200)]
tests: partially reverted SHA1 broken tests
SHA1 is now considered broken only for certificates, hence
OCSP or raw signing tests no longer need to use GNUTLS_VERIFY_ALLOW_BROKEN
in the cases where certificate verification is not performed.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 20 Jul 2017 11:18:10 +0000 (13:18 +0200)]
x509/verify: reject SHA1 in signature algorithms for certificate verification
That is, we now use gnutls_sign_is_secure2() with GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS
flag for checking the validity of the signature algorithm, when
verifying signatures in certificates.
Resolves #229
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 20 Jul 2017 11:16:07 +0000 (13:16 +0200)]
tests: added unit tests for gnutls_sign_is_secure2()
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 20 Jul 2017 10:41:47 +0000 (12:41 +0200)]
gnutls_sign_is_secure2: introduced
This function exports the ability to check the validity of
a signature algorithm for signing certificates.
That also introduces the flag GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS
which when specified will cause the function to return whether
the algorithm is secure for signing certificates.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 20 Jul 2017 10:40:34 +0000 (12:40 +0200)]
_gnutls_digest_is_secure_for_certs: introduced
This is a macro to allow checking the security of a hash algorithm
with respect to signing certificates.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 20 Jul 2017 10:17:40 +0000 (12:17 +0200)]
mac: re-organized the hash algorithms table
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 20 Jul 2017 14:28:15 +0000 (16:28 +0200)]
tests: added reproducer with ed25519 private key
Found with oss-fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2689
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 20 Jul 2017 14:43:18 +0000 (16:43 +0200)]
Ensure that public key parameters are initialized on import
Previously we depended on initialization during the _init()
call, however, there can be cases where this re-initialization
is needed (e.g., on multiple tries to load a key).
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 20 Jul 2017 14:49:11 +0000 (16:49 +0200)]
_decode_pkcs8_eddsa_key: ensure that the key size read matches the curve size
That is, in the newly introduced ed25519 keys we didn't check
whether the input size in the PKCS#8 file matched the curve size.
Found using oss-fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2689
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 18 Jul 2017 14:40:11 +0000 (16:40 +0200)]
tlsfuzzer: enabled SNI and other tests from master
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 20 Jul 2017 06:22:10 +0000 (08:22 +0200)]
tests: updated to reflect the fact that invalid dns names are rejected
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 18 Jul 2017 14:32:07 +0000 (16:32 +0200)]
server_name: several simplifications of the code base
The existing code was written with the intention of supporting multiple
server names, however that never happened, and this extension is
currently only used for DNS server names. Remove unneeded extensibility.
In addition, removed conversion of client provided server name (DNS) to
IDNA. Clients not providing valid names are violating the spec and
that conversion step not only wastes resources, but increases
the attack surface of a server.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 18 Jul 2017 14:11:05 +0000 (16:11 +0200)]
server_name: be strict in decoding errors
That is, return error when a malformed extension is seen.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 18 Jul 2017 09:23:11 +0000 (11:23 +0200)]
tlsfuzzer: enabled RSA-PSS checks on certificate verify
Relates: #208
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 18 Jul 2017 09:16:09 +0000 (11:16 +0200)]
tlsfuzzer: enabled test-extended-master-secret-extension.py
That allows testing the extended master secret behavior.
Resolves: #231
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 18 Jul 2017 08:59:23 +0000 (10:59 +0200)]
ext_master_secret: return proper error code on decoding error
Proper meaning that it maps to the alert 'decode error' rather
than illegal parameter. According to tlsfuzzer the former is more
suitable.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 18 Jul 2017 06:07:24 +0000 (08:07 +0200)]
gnutls-cli: re-use priorities for both client and server on benchmarks
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 17 Jul 2017 17:14:33 +0000 (19:14 +0200)]
gnutls-cli: re-use priorities when measuring performance
This avoids measuring cache misses due to priority processing time.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Mon, 17 Jul 2017 12:06:50 +0000 (14:06 +0200)]
tests: enhanced SSL3.0 openssl detection in testcompat-openssl
That disables SSL 3.0 testing in openssl versions which cannot negotiate
it (see https://bugzilla.redhat.com/show_bug.cgi?id=1471783 for rationale)
and corrects a typo in the variable name and printed message.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 17 Jul 2017 09:57:41 +0000 (11:57 +0200)]
.gitlab-ci.yml: document that the x86 build is our openssl 1.0.x compat testing as well
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 17 Jul 2017 09:08:07 +0000 (11:08 +0200)]
tests: disable ARCFOUR interop tests if openssl doesn't support the cipher
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 17 Jul 2017 06:32:08 +0000 (08:32 +0200)]
tests: testcompat-openssl: 3DES is explicitly enabled for SSL 3.0
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Sat, 15 Jul 2017 16:06:01 +0000 (18:06 +0200)]
Use gcc's attribute to mark fallthrough statements
gcc7 is more verbose on fallthrough warnings, and this patch set
cleans up the current state by making use of the attribute when
necessary.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sat, 15 Jul 2017 16:09:18 +0000 (18:09 +0200)]
configure: do not utilize the -Wno-format-truncation gcc warning
The warnings it produces have little value in our use of string functions.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sat, 15 Jul 2017 15:43:09 +0000 (17:43 +0200)]
.gitlab-ci.yml: switched to fedora 26 for CI builds
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Mon, 17 Jul 2017 13:17:08 +0000 (15:17 +0200)]
tests: introduced tests on public key import-export
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 17 Jul 2017 07:31:10 +0000 (09:31 +0200)]
tests: added sign/verification test using rfc8080 keys
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 17 Jul 2017 08:20:41 +0000 (10:20 +0200)]
tests: verify that a server with an ed25519 key will fail when client does not advertise it
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 17 Jul 2017 07:11:59 +0000 (09:11 +0200)]
tests: privkey-keygen: added unit test for Ed25519 keys
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 17 Jul 2017 07:06:52 +0000 (09:06 +0200)]
privkey_sign_and_hash_data: in pre-hashed schemes, allow empty hash algorithm
In these schemes the hash algorithm is fixed in the signature algorithm
and thus the empty (unknown) value will act as a wildcard.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Sat, 15 Jul 2017 18:10:24 +0000 (20:10 +0200)]
tests: added private key parameter verification in key-import-export checks
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sat, 15 Jul 2017 18:03:21 +0000 (20:03 +0200)]
nettle: wrap_nettle_pk_verify_priv_params: verify whether public key matches private
This enables gnutls_privkey_verify_params() for Ed25519 keys.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Fri, 14 Jul 2017 18:52:49 +0000 (20:52 +0200)]
CONTRIBUTING.md: specified rules on boolean functions
Based on suggestion by Hubert Kario.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Fri, 14 Jul 2017 12:08:20 +0000 (14:08 +0200)]
priority: enabled Ed25519 signature by default
As our implementation interoperates with boringssl's implementation
of Ed25519, we can now enable it.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 19 Jun 2017 08:45:49 +0000 (10:45 +0200)]
updated auto-generated files
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 7 Jun 2017 07:50:29 +0000 (09:50 +0200)]
handshake: return better error code on unwanted algorithm
That is, when a signature algorithm is available which was not
asked by the peer, then return GNUTLS_E_UNWANTED_ALGORITHM
instead of the UNKNOWN_ALGORITHM.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 7 Jun 2017 08:05:50 +0000 (10:05 +0200)]
tests: added check on Ed25519 chain verification
This chain was generated using certtool, and passed verification
with OpenSSL's implementation (commit: db0f35dda18403accabe98e7780f3dfc516f49de)
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 6 Jun 2017 09:34:49 +0000 (11:34 +0200)]
gnutls-cli: added RSA-PSS signatures in benchmark
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 6 Jun 2017 09:47:48 +0000 (11:47 +0200)]
doc update
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 6 Jun 2017 09:47:09 +0000 (11:47 +0200)]
privkey_sign_and_hash_data: added sanity check on param validity
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 6 Jun 2017 08:42:58 +0000 (10:42 +0200)]
gnutls-cli: added benchmark on X25519-Ed25519 key exchange
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 6 Jun 2017 07:42:22 +0000 (09:42 +0200)]
tests: pkcs7: added ed25519 basic signing and verification checks
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 6 Jun 2017 07:23:53 +0000 (09:23 +0200)]
privkey_sign_and_hash_data: handle prehashed signatures
This allows this function to handle ed25519, i.e., allows it
to operate for PKCS#7 signatures.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 6 Jun 2017 07:21:48 +0000 (09:21 +0200)]
pkcs7: improved syntax in if-clause
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 5 Jun 2017 08:14:43 +0000 (10:14 +0200)]
tests: enhanced OID tests for Ed25519 OIDs
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 2 Jun 2017 09:27:34 +0000 (11:27 +0200)]
tests: key-import-export: added Ed25519 key import/export checks
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 2 Jun 2017 07:52:51 +0000 (09:52 +0200)]
doc update
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 2 Jun 2017 07:44:52 +0000 (09:44 +0200)]
tests: replaced rsa-pss/eddsa certtool options with --key-type
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 2 Jun 2017 07:41:56 +0000 (09:41 +0200)]
certtool: introduced the --key-type option
This replaces the --rsa-pss and --eddsa options.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 30 May 2017 11:02:06 +0000 (13:02 +0200)]
Renamed GNUTLS_PK_ECDHX to GNUTLS_PK_ECDH_X25519
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 30 May 2017 10:53:40 +0000 (12:53 +0200)]
tests: parse and interpret an EdDSA public key
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 29 May 2017 14:23:10 +0000 (16:23 +0200)]
tests: added TLS handshake test with EdDSA25519 certificates
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 29 May 2017 14:22:27 +0000 (16:22 +0200)]
Allowed Ed25519 signing in TLS handshakes
This follows draft-ietf-tls-rfc4492bis-17
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 29 May 2017 13:23:21 +0000 (15:23 +0200)]
tests: added tests on EdDSA signature validation using the sign/verify_data APIs
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 26 May 2017 15:26:34 +0000 (17:26 +0200)]
tests: Added unit test on EdDSA key parsing
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 29 May 2017 10:52:12 +0000 (12:52 +0200)]
tests: added Ed25519 key and certificate generation tests
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 26 May 2017 13:20:38 +0000 (15:20 +0200)]
Added support for EdDSA (Ed25519) curve keys
This adds support for draft-ietf-curdle-pkix-04.
Resolves #25
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Sat, 15 Jul 2017 16:52:33 +0000 (18:52 +0200)]
parse_pem_cert_mem: fixed issue resulting in accessing past the input data
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sat, 15 Jul 2017 15:54:01 +0000 (17:54 +0200)]
supported_exts.h: make sure that the generated function is static
That avoids compiler warnings due to missing prototype.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Wed, 14 Jun 2017 13:12:11 +0000 (15:12 +0200)]
tlsfuzzer: enabled chacha20 tests
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 13 Jul 2017 12:50:55 +0000 (14:50 +0200)]
updated tlsfuzzer
That fixes issue detecting connection termination from gnutls-serv
in chacha20 test.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 12 Jul 2017 13:54:38 +0000 (15:54 +0200)]
tests: csr-invalid.der: modify the SPKI OID to use SECP384R1
That avoids false positives in error detection in 'crq' test due to
SECP224R1 not being supported in our CI platforms.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 12 Jul 2017 14:04:49 +0000 (16:04 +0200)]
x509/output: do not attempt to print the key ID on unknown SPKI algorithms
On unknown algorithms, it is not always possible to parse the SPKI
field. Instead avoid printing errors.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 12 Jul 2017 13:24:23 +0000 (15:24 +0200)]
.gitlab-ci.yml: corrected location of artifacts in aarch64 build
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 12 Jul 2017 11:44:24 +0000 (13:44 +0200)]
tests: certtool-rsa-pss: use unique temp files
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 11 Jul 2017 08:28:16 +0000 (10:28 +0200)]
updated auto-generated files
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 19 Jun 2017 13:18:20 +0000 (15:18 +0200)]
_gnutls_buffer_append_data_prefix: cleanup
This eliminates misleading code that assumed that the called functions
will return the appended size. Always return zero on success, which is
what the existing callers assume.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>