git.ipfire.org Git - thirdparty/gnutls.git/log
Nikos Mavrogiannopoulos [Tue, 11 Jul 2017 08:30:56 +0000 (10:30 +0200)]
.gitlab-ci.yml: removed unnecessary options from minimal build
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 3 Jul 2017 07:52:21 +0000 (09:52 +0200)]
pubkey: print the failed signature algorithm when verification fails
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 3 Jul 2017 07:58:35 +0000 (09:58 +0200)]
gnutls-cli: added option to allow verification with broken algorithms
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 3 Jul 2017 08:06:22 +0000 (10:06 +0200)]
tls sessions will not fail because of insecure algorithms which are explicitly enabled
That is, if DSA-SHA1 is allowed, do not propagate errors from
gnutls_pubkey_verify_data2() due to SHA1 considered insecure, but rather
ignore such errors.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 13 Jul 2017 12:37:00 +0000 (14:37 +0200)]
tests: mini-record-2: made more robust
It will no longer close the session prior to peer processing
all messages. This prevents the peer stopping processing
prior to all messages being received.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 13 Jul 2017 12:22:33 +0000 (14:22 +0200)]
tests: mini-record: made more robust
It will no longer use a stream socket as this does not work
well with damaged records (they may end up merged).
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 13 Jul 2017 11:21:29 +0000 (13:21 +0200)]
record: reject 0-byte long ciphertext
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 11 Jul 2017 08:18:56 +0000 (10:18 +0200)]
record: added sanity checking in the record layer version copy
Previously we assumed that an active session always had a version
set, however there have been reports of evolution crashing in
that particular point. Although this could have been due to
memory corruption, be careful and check for invalid input.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 3 Jul 2017 09:51:20 +0000 (11:51 +0200)]
record: more precise calculation of max recv size
Previously we were using a rough calculation of the max recv size
based on maximum values. Now we calculate the exact maximum value once
the epoch is initialized and enforce it throughout the session.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 14 Jun 2017 13:33:01 +0000 (15:33 +0200)]
decryption: use the same error code on all cases
This eases testing using tlsfuzzer.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 3 Jul 2017 09:08:49 +0000 (11:08 +0200)]
gnutls-serv: allow receiving requests up to 16kb
This makes gnutls-serv useful for a few tlsfuzzer test cases.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 3 Jul 2017 09:19:44 +0000 (11:19 +0200)]
max_record_recv_size: removed call to gnutls_compression_get()
We no longer support compression.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 11 Jul 2017 07:10:39 +0000 (09:10 +0200)]
Print the requested CA names when in debug mode
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 27 Jun 2017 09:00:20 +0000 (11:00 +0200)]
gnutls-http-serv: do not set the obsolete PGP options
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 11 Jul 2017 06:51:07 +0000 (08:51 +0200)]
doc: updated documentation on client authentication [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 10 Jul 2017 07:53:55 +0000 (09:53 +0200)]
doc: explicitly state intended usage of priorities on server-side
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 4 Jul 2017 07:26:57 +0000 (09:26 +0200)]
doc: use the default priorities in server example
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 26 Jun 2017 12:04:37 +0000 (14:04 +0200)]
updated auto-generated files
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 26 Jun 2017 08:26:03 +0000 (10:26 +0200)]
tests: added unit tests for gnutls_priority_set*()
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 26 Jun 2017 08:18:33 +0000 (10:18 +0200)]
Documented use of gnutls_priority_set2().
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 26 Jun 2017 08:02:22 +0000 (10:02 +0200)]
priorities: share priority structures across sessions
As the contents of the priority cache grow, it makes sense to share
these structures across many sessions (in server side) rather than
copying them to a session. All overrides of the priority contents
were moved to session->internals. On client side where gnutls_priority_set_direct()
is more commonly used, ensure that the set priority is deinitialized.
That also introduces gnutls_priority_set2() which does not copy the priority
contents by default.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 27 Jun 2017 09:19:37 +0000 (11:19 +0200)]
set_client_ciphersuite: use the new internal APIs
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Sun, 25 Jun 2017 14:06:49 +0000 (16:06 +0200)]
.gitignore: ignore new tests
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sun, 25 Jun 2017 13:32:52 +0000 (15:32 +0200)]
tests: added unit testing for server/client cipher negotiation
This verifies that the expected algorithm (cipher) is negotiated.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sun, 25 Jun 2017 10:03:46 +0000 (12:03 +0200)]
tests: added unit testing for server ciphersuite/KX negotiation
This verifies whether the ciphersuite negotiation will detect and
reject incompatible data present in credentials.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Fri, 23 Jun 2017 12:00:52 +0000 (14:00 +0200)]
doc: corrected typo
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 23 Jun 2017 11:32:09 +0000 (13:32 +0200)]
Renamed fields of sign_algorithm_st
The new names better reflect the reality with signature algorithms
in TLS 1.3, and correct the initial naming error.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 23 Jun 2017 11:24:48 +0000 (13:24 +0200)]
handshake: simplified signature algorithm list generation
Similarly to ciphersuites, that also utilizes a cache of signature algorithms
on the priority structure which is used to quickly generate the signature
algorithm list.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 23 Jun 2017 09:55:23 +0000 (11:55 +0200)]
Eliminated access to obsolete priority cache fields
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 23 Jun 2017 08:34:11 +0000 (10:34 +0200)]
handshake: simplified the client-side ciphersuite negotiation
This takes advantage of the ciphersuite cache in priorities structure
while keeping the same ciphersuite selection checks in place.
The previous ciphersuite selection checks kept:
* Removing SRP ciphersuites when no SRP credentials are set
* Removing ciphersuites when no corresponding KX credentials were set
* SCSV addition in SSL 3.0 and fallback SCSV
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 21 Jun 2017 09:54:39 +0000 (11:54 +0200)]
handshake: simplified the server-side ciphersuite negotiation
This eliminates all the back and forth loops in the previous code
while keeping the same ciphersuite selection checks in place.
The ciphersuite selection tests that were kept:
* Check if key exchange supports the server public key and key usage flags
* Check if DH or other parameters required for the ciphersuite are present
* Find appropriate certificate for the credentials and ciphersuite
* Check whether a curve is negotiated for the ECDH ciphersuites
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 21 Jun 2017 08:25:32 +0000 (10:25 +0200)]
priority: include a cache of supported ciphersuites
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 21 Jun 2017 07:31:31 +0000 (09:31 +0200)]
removed unused cipher-suite and KX related functions
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 21 Jun 2017 07:17:57 +0000 (09:17 +0200)]
algorithm/kx: sorted key exchange algorithms based on current trends
That optimizes linear search for the common options.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 23 Jun 2017 09:07:11 +0000 (11:07 +0200)]
Removed unused functions
These were identified using callcatcher.
http://www.skynet.ie/~caolan/Packages/callcatcher.html
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 7 Jul 2017 13:43:25 +0000 (15:43 +0200)]
fuzz: added make update command [ci skip]
This allows updating the fuzzer corpus from openssl using a single
command.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Fri, 7 Jul 2017 13:11:13 +0000 (15:11 +0200)]
fuzz: added corpora from openssl [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Fri, 7 Jul 2017 12:59:52 +0000 (14:59 +0200)]
fuzz: undid changes related to boringssl server/client corpus format [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Fri, 7 Jul 2017 12:58:34 +0000 (14:58 +0200)]
fuzz: included verbatim corpus from boringssl
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Fri, 7 Jul 2017 10:22:23 +0000 (12:22 +0200)]
fuzz: gnutls-client-fuzzer: read directly from memory [ci skip]
Also updated to read the prefixed boringssl corpus files.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Fri, 7 Jul 2017 09:45:05 +0000 (11:45 +0200)]
fuzz: gnutls-server-fuzzer: read directly from memory [ci skip]
Also updated to read the prefixed boringssl corpus files.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Wed, 5 Jul 2017 18:14:54 +0000 (20:14 +0200)]
updated auto-generated files
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sat, 1 Jul 2017 16:00:45 +0000 (18:00 +0200)]
priority_options.gperf: modified for gperf 3.1
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Tue, 4 Jul 2017 14:12:26 +0000 (16:12 +0200)]
tlsfuzzer: enabled ALPN tests
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 5 Jul 2017 19:44:19 +0000 (21:44 +0200)]
updated tlsfuzzer
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Tue, 4 Jul 2017 14:15:08 +0000 (16:15 +0200)]
ext/alpn: added stricter checks on field lengths
That is, no longer tolerate empty fields, and error on invalid
lengths.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 4 Jul 2017 13:35:25 +0000 (15:35 +0200)]
gnutls-serv: added the --alpn and --alpn-fatal options
This allows specifying ALPN protocols supported by the server, allowing
the ALPN negotiation to be tested.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 4 Jul 2017 09:42:59 +0000 (11:42 +0200)]
fuzz: updated server with multiple keys (ECDSA, RSA) and DH parameters [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Sat, 1 Jul 2017 08:50:57 +0000 (10:50 +0200)]
OCSP: find_signercert: improved DER length calculation
Previously we were assuming a fixed amount of length bytes which
is not correct for all possible lengths. Use libtasn1 to decode
the length field.
Resolves: #223
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Fri, 30 Jun 2017 08:04:01 +0000 (10:04 +0200)]
OCSP: check the subject public key identifier field to figure issuer
Normally when attempting to match the 'Responder Key ID' in an OCSP response
against the issuer certificate we check (according to RFC6960) against the
hash of the SPKI field. However, in a few certificates (see commit:
"added ECDSA OCSP response verification"), that may not be the case. In that
certificate, that value matches the Subject Public Key identifier field
but not the hash.
To account for these certificates, we enhance the matching to also consider
the Subject Public Key identifier field.
Relates: #223
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 30 Jun 2017 07:33:08 +0000 (09:33 +0200)]
OCSP: added more verbose debug logging on verification
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 29 Jun 2017 19:17:34 +0000 (21:17 +0200)]
tests: added ECDSA OCSP response verification
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Fri, 30 Jun 2017 08:43:20 +0000 (10:43 +0200)]
.travis.yml: do not fail on brew install failures
brew install seems to fail on several occasions when a newer package
is available than the installed one. Ignore those errors rather than
failing the build.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 29 Jun 2017 12:34:20 +0000 (14:34 +0200)]
tests: added check on saving certs and OCSP responses
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Thu, 29 Jun 2017 12:28:29 +0000 (14:28 +0200)]
gnutls-cli: save OCSP response at the time certificate is saved
That ensures that we always save the OCSP response, even when certificate
verification fails.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Tue, 6 Jun 2017 12:26:07 +0000 (14:26 +0200)]
moved compression-related APIs to compat.h
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 6 Jun 2017 06:56:09 +0000 (08:56 +0200)]
doc: removed any references to compression and documented change
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 5 Jun 2017 14:20:25 +0000 (16:20 +0200)]
tests: removed tests related to zlib support
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 5 Jun 2017 13:58:35 +0000 (15:58 +0200)]
doc update
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 5 Jun 2017 13:36:18 +0000 (15:36 +0200)]
Removed support for compression mechanisms
They are not required for TLS 1.3, and are deprecated for TLS 1.2.
We eliminate them in order to reduce the complexity in the record
packet handling.
Resolves #212
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 20 Jun 2017 11:59:54 +0000 (13:59 +0200)]
gnutls-cli: be less verbose in OCSP error messages
Previously we were reporting "No issuer found" if any certificate
in a chain could not be verified. That was confusing information
and not strictly necessary. No longer print that.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 20 Jun 2017 11:57:15 +0000 (13:57 +0200)]
gnutls-cli: improved error message of OCSP failure
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 20 Jun 2017 07:12:39 +0000 (09:12 +0200)]
updated auto-generated files
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 19 Jun 2017 18:50:22 +0000 (20:50 +0200)]
tests: ocsptool: added test of --verify-response with --load-chain
This utilizes the provided chain to find the signer of the
OCSP response.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Tue, 20 Jun 2017 07:09:41 +0000 (09:09 +0200)]
ocsp: print response's signature algorithm in compact listing
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 20 Jun 2017 07:06:01 +0000 (09:06 +0200)]
ocsptool: verify_response will print information on the response
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 20 Jun 2017 06:59:45 +0000 (08:59 +0200)]
ocsptool: doc update
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 20 Jun 2017 06:31:41 +0000 (08:31 +0200)]
ocsptool: allow combining --load-trust with --verify-response
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 19 Jun 2017 18:58:21 +0000 (20:58 +0200)]
ocsptool: --load-chain will sort the input chain
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Mon, 19 Jun 2017 18:50:22 +0000 (20:50 +0200)]
ocsptool: introduced --verify-allow-broken option
This allows verification to succeed even when broken algorithms are
involved.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Mon, 19 Jun 2017 18:47:10 +0000 (20:47 +0200)]
ocsptool: the --verify-response can be combined with --load-chain
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Mon, 19 Jun 2017 18:27:24 +0000 (20:27 +0200)]
gnutls_certificate_verification_status_print: mention OCSP in error messages
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Fri, 16 Jun 2017 12:36:43 +0000 (14:36 +0200)]
ocsptool: added --load-chain option
This option allows directly verifying all the members of a certificate
chain.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 19 Jun 2017 06:20:47 +0000 (08:20 +0200)]
doc update
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Sun, 18 Jun 2017 15:35:06 +0000 (17:35 +0200)]
tests: enabled X25519 interop tests with openssl 1.1.0
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sun, 18 Jun 2017 12:35:57 +0000 (14:35 +0200)]
NORMAL priority: no longer enable the smaller curves by default
They are not widely enabled by web servers, and they provide no
advantage over X25519.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sun, 18 Jun 2017 12:35:33 +0000 (14:35 +0200)]
NORMAL priority: enable X25519 curve
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sat, 17 Jun 2017 12:22:02 +0000 (14:22 +0200)]
pkcs11: cleanups in pkcs11_login()
Use pkcs11_rv_to_err() to return the right error code map after
PKCS#11 calls; separate checks for already logged in status for SO and
user login.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sat, 17 Jun 2017 12:07:50 +0000 (14:07 +0200)]
tests: pkcs11-mock: reset state when requesting reauth
That is, for the MOCK_FLAG_SAFENET_ALWAYS_AUTH flag we ensure that
GetSessionInfo() will return the right state when authentication
is required for the first time.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Fri, 16 Jun 2017 20:04:49 +0000 (22:04 +0200)]
pkcs11: improved handling of HSMs without CKU_CONTEXT_SPECIFIC support
That is, when the HSM returns CKR_USER_NOT_LOGGED_IN, switch
to CKU_USER, instead of relying on a fallback within pkcs11_login().
That simplifies login logic.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sun, 28 May 2017 09:07:50 +0000 (11:07 +0200)]
tests: added unit test for safenet protectserver HSM's PKCS#11 support
That is, detect whether the absence of C_Login will fall back to CKU_USER
after CKU_CONTEXT_SPECIFIC is tried.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Mon, 29 May 2017 09:26:19 +0000 (11:26 +0200)]
pkcs11: simplified pkcs11_login()
By cleanups, as well as including the reauth flag in the flags option.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 29 May 2017 09:11:24 +0000 (11:11 +0200)]
pkcs11: the GNUTLS_PKCS11_OBJ_FLAG_LOGIN will force a login
That is, even in tokens which do not have a CKF_LOGIN_REQUIRED flag
a login will be forced. This allows operation on the safenet HSMs
which do not set that flag.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Sat, 27 May 2017 05:24:36 +0000 (07:24 +0200)]
Handle specially safenet HSMs which cannot handle CKU_CONTEXT_SPECIFIC
These HSMs do not support CKA_ALWAYS_AUTHENTICATE, nor understand CKU_CONTEXT_SPECIFIC,
but rather return CKR_USER_NOT_LOGGED_IN on the first private key operation.
Try to discover that state by calling C_Login when CKR_USER_NOT_LOGGED_IN
is seen, and retrying with CKU_USER after CKU_CONTEXT_SPECIFIC login fails.
See discussion in https://github.com/OpenSC/libp11/issues/160
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Fri, 16 Jun 2017 10:06:36 +0000 (12:06 +0200)]
Added documentation to legacy openpgp functions
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 16 Jun 2017 08:58:23 +0000 (10:58 +0200)]
Removed unnecessary certificate type functionality
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 16 Jun 2017 08:23:19 +0000 (10:23 +0200)]
NEWS: doc update
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 16 Jun 2017 08:21:52 +0000 (10:21 +0200)]
updated auto-generated files
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 16 Jun 2017 08:21:10 +0000 (10:21 +0200)]
doc: removed references to openpgp
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 16 Jun 2017 08:14:58 +0000 (10:14 +0200)]
po: removed openpgp/output.c
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 16 Jun 2017 07:55:44 +0000 (09:55 +0200)]
guile: removed openpgp related tests
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 16 Jun 2017 07:30:41 +0000 (09:30 +0200)]
fuzz: removed the openpgp certificate fuzzer
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 16 Jun 2017 07:03:05 +0000 (09:03 +0200)]
tools: removed options for openpgp support
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 16 Jun 2017 06:50:32 +0000 (08:50 +0200)]
Removed support for openpgp certificates and keys
Resolves #178
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 16 Jun 2017 06:38:42 +0000 (08:38 +0200)]
tests: removed openpgp related tests
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 7 Jun 2017 09:58:25 +0000 (11:58 +0200)]
tests: added reproducer for assertion trigger
This relates to handshakes with support for RSA-PSS.
Found with oss-fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2132
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Daiki Ueno [Thu, 8 Jun 2017 13:42:30 +0000 (15:42 +0200)]
nettle: ported fix for assertion failure in pss_verify_mgf1
Backport the upstream fix from:
https://git.lysator.liu.se/nettle/nettle/commit/
b1252fedf6ee1dbb8468d1d3f177711a16e83e52
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Nikos Mavrogiannopoulos [Thu, 8 Jun 2017 15:33:21 +0000 (17:33 +0200)]
.gitlab-ci.yml: keep logs of tests in abi build
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Thu, 15 Jun 2017 11:41:36 +0000 (13:41 +0200)]
doc: simplified the default client example
Removed optional paths.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 15 Jun 2017 11:20:51 +0000 (13:20 +0200)]
tests: added reproducer for OCSP response found test cases
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>