fuzz: documented location for OCSP-related reproducers

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

ocsp: added sanity check in returned length

This addresses:
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1492

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

doc: added/modernized text on AEAD ciphers [ci skip]

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

doc update

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: improved duplicate extension test

Instead of sending two duplicate extensions of which one is invalid,
send two valid ones instead. That way, we avoid the possibility of false
positives due to the validation code of the extension contents.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: verify that duplicate extensions are rejected

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

TLS extensions: added duplicate extension check on server side

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

gnutls_init: better naming for internal function

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: added unit test for overriding TLS extensions

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

TLS extensions: mark each extension which cannot be overriden

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

TLS extensions: combined the extension data and resumed data structures

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

removed type extension_priv_data_t

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

gnutls_int.h: groupped extension structures together

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

TLS extensions: several simplifications

This allows extensions set by the application to override some
of the internal ones.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

.gitlab-ci.yml: FreeBSD system is no longer available; disabling for CI [ci skip]

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

doc update

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

updated auto-generated files

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

doc: added reference to privkey export functions

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: added basic unit tests for the export_*_raw2() functions

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

corrected typo in x962 functions

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

pkcs11: do not set leading zeros on integers

PKCS#11 defines integers as unsigned having most significant byte
first, e.g., 32768 = 0x80 0x00. This is interpreted literraly by
some HSMs which do not accept an integer with a leading zero.

Resolves: #215

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Introduced functions to export integers with no leading zero

That is introduced the flag GNUTLS_EXPORT_FLAG_NO_LZ and:
 * gnutls_pubkey_export_rsa_raw2
 * gnutls_pubkey_export_dsa_raw2
 * gnutls_pubkey_export_ecc_raw2
 * gnutls_privkey_export_rsa_raw2
 * gnutls_privkey_export_dsa_raw2
 * gnutls_privkey_export_ecc_raw2

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

nettle: use older GMP macros for mpz_mod_2exp and mpz_div_2exp

These ensure that compilation will succeed even when building with gmp-mini.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

_gnutls_ucs2_to_utf8: use void* as pointer type to avoid compiler assumptions on alignment [ci skip]

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

ciphersuites: removed unused function

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

nettle/cipher: document that ctx_ptr is 16-byte aligned, and use void* to avoid compiler assumptions

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

certtool: corrected typo in strcmp() use

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

_gnutls_x509_privkey_reinit: ensure fields will not be re-used

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

certtool: improved error message when public key cannot be figured [ci skip]

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

updated auto-generated files for new signing API

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

handshake: simplify handshake by using the new signing API

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: introduced unit tests of the new signing API

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

abstract API: introduced new signing functions

That is, the gnutls_privkey_sign_data2() and gnutls_privkey_sign_hash2().
The new functions perform signing with input the signature algorithm instead
of the hash algorithm; that allows to use algorithms where the hash algorithm
is not used, or the public key algorithm may be different than the key's.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

pkix: removed unused definition

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

gnutls_privkey_st: removed unused element

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

gnutls_session_get_desc: improved ciphersuite description

That is, separated the key exchange from the signature algorithm
used by the server, and list them in different fields.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: key-import-export: use cert-common.h

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: simplified CPPFLAGS of tests using internal gnutls funcs

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: key-exchange: added error checking in gnutls_certificate_set_x509_key_mem

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

_gnutls_check_key_cert_match: account for RSA and RSA-PSS mismatches

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

certtool: fix DER export with --p7-info

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

updated auto-generated files

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

doc update

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

psktool: minor documentation updates

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: added basic functionality check for psktool

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

psktool: increased default key size to 256-bits

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

psktool: do not assume any default key file

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

clarify documentation and arguments for psktool

 * psktool's -p argument should really be short for --pskfile, not
   --passwd.  there is no passwd involved.

 * the example documentation switches names halfway through, which is
   confusing.

 * there is no prompt for a password.  do not mention it in the
   example.

tests: added unit test to verify that certificates with non-DER strict time fields are accepted

Also removed the old strict compliance DER test.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Tolerate DER time encoding errors

It seems that openssl generated certificates may contain invalid
formatted times, and gnutls will no longer parse them. Ignore such
formatting errors when DER decoding.

We should reconsider this in the future (#207)

Resolves #196

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: enhanced OID tests with OIDs for SHA3

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: enhanced OID tests with OIDs for RSA-PSS

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

.gitlab-ci.yml: added aarch64 build based on Debian

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

_gnutls_PRF: was made inline function

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: added low-level unit tests on TLS 1.0 and 1.2 PRFs

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

prf: implement the TLS 1.0 and 1.2 PRFs using nettle

That simplifies the existing PRF code and moves it in the
crypto-backend component.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

doc: refer to the site for commercial support options

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: mini-record-retvals: include AES-CBC tests

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: eliminated build warnings

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: combined tables of sign-verify tests

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Only accept known public key algorithms in the GNUTLS_PRIVKEY_EXT private keys

The reason is that this API, assumes very low level primitives which
are not available for the newer RSA-PSS private keys.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

_gnutls_privkey_*_sign_params: added support for GNUTLS_PRIVKEY_EXT keys

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

tests: added basic test on "external" keys with gnutls_privkey_import_ext2()

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

gnutls_x509_privkey_sign_data: wrap over gnutls_privkey_sign_data()

That will allow this function to operate with the new key types.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: added unit tests for the gnutls_x509_* sign/verify APIs

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: added tests signature validation using the sign/verify_data APIs

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Separated use of GNUTLS_PRIVKEY_FLAG_PROVABLE and GNUTLS_PRIVKEY_SIGN_FLAG_REPRODUCIBLE

For simplicity, rename GNUTLS_PRIVKEY_SIGN_FLAG_REPRODUCIBLE to GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

_gnutls_privkey_find_sign_params: renamed and simplified

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

gnutls_privkey_sign_hash: removed duplicate code

The same code was available in _gnutls_privkey_find_sign_params().

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

GNUTLS_E_INSUFFICIENT_SECURITY: moved to fatal errors

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tls-sig: re-organize and simplify the TLS signature generation and verification

That makes sure that the high level APIs are used when possible, and
separate the TLS 1.2 from other code paths. This will allow supporting
signature schemes like EdDSA and others.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: modify tests to allow signatures with SHA1

There were several tests that were utilizing SHA1 signatures but were
not failing due to the bug in gnutls_pubkey_verify_hash2().

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

gnutls_pubkey_verify_hash2: do not allow GNUTLS_VERIFY_USE_TLS1_RSA with non-RSA keys

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

gnutls_pubkey_verify_hash2: check for broken signature algorithms

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

gnutls_pubkey_verify_data2: do not utilize GNUTLS_VERIFY_USE_RSA_PSS

This flag is not required for verification since the signature algorithm
is sufficient to detect RSA-PSS without requiring any flags.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: do not utilize GNUTLS_VERIFY_USE_RSA_PSS

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

certtool: do not ask for password when exporting to PKCS#8 implicitly

Previously --generate-privkey wouldn't ask for password unless --pkcs8
was explicitly given. Keep that behavior, and do not ask for any password
even if we need to export to PKCS#8 for some key types. Always require
the --pkcs8 option to encrypt with password.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

updated auto-generated files

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

doc: mention RSA-PSS-SHA* signature algorithms

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

certtool: replaced rsa-pss-sign with sign-params option

This option could accomodate future enhancements/additions in
certificate signining.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

certtool: better documentation on rsa-pss-sign

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

replaced MAX_SIGNATURE_ALGORITHMS macro with MAX_ALGOS

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: added unit test for gnutls_sign_supports_pk_algorithm()

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tls-fuzzer: ignore the incomplete RSA-PSS tests

These tests fail because tls-fuzzer currently does not properly implement
RSA-PSS.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: verify that generated RSA-PSS keys can be read with certtool -k

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

certtool: use PKCS#8 format for generated RSA-PSS keys

An RSA-PSS key has additional parameters which cannot be stored
in the "standard" PKCS#1 format. For that when asked to generate
an RSA-PSS key, we export to the PKCS#8 form.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

doc update

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: x509sign-verify: include ECDSA and RSA-PSS key tests

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tlsfuzzer: the test-certificate-verify-malformed check now passes

Previously it was expecting a different alert code than gnutls returned.
Now gnutls returns the expected alert code (GNUTLS_A_DECRYPT_ERROR)
on malformed signatures.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

alert: map GNUTLS_E_PK_SIG_VERIFY_FAILED to GNUTLS_A_DECRYPT_ERROR

This makes server respond with GNUTLS_A_DECRYPT_ERROR on malformed signatures,
which is the expected behavior. Hinted by Hubert Kario.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Increased the maximum number of signature algorithms

That allows including all the existing signatures including DSA.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

x509sign-verify: corrected test to perform RSA tests on RSA keys

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: added tests for RSA-PSS key exchange under TLS 1.2

That includes tests with RSA and RSA-PSS server and client certificates.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

publickey: map RSA ciphersuites to GNUTLS_PK_RSA_PSS

That is in addition to GNUTLS_PK_RSA

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Rework KX -> PK mappings

GOST VKO and PSS keys would support several public keys, so change
the previous 1:1 kx->pk mapping into 1:many.

Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: added TLS 1.2 tests with RSA-PSS signatures on RSA certificates

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

gnutls_privkey_sign_hash: use the GNUTLS_PRIVKEY_SIGN_FLAG_RSA_PSS flag

That is, the privkey_sign_hash() function was made static (no users other
than the same file), and gnutls_privkey_sign_hash will take into account
the GNUTLS_PRIVKEY_SIGN_FLAG_RSA_PSS, if specified.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tls-sig: sign with RSA-PSS when requested by negotiated signature algorithm

That is, when signing a TLS message, take into account the
negotiated signature algorithm, in addition to the hash algorithm
to decide which flags to pass to gnutls_privkey_sign_hash(). This
allows signing the handshake messages with RSA-PSS even when an RSA
key is present.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

priority: enabled RSA-PSS signatures by default

They are prioritized low on the list to reduce compatibility
issues in case they are wrongly implemented in gnutls or in the
peer implementation. To be revised when more elaborate compatibility
tests are made.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

ext/signature: accept compatible algorithms with PK

That is instead of using a 1-1 mapping of signature algorithms
to public key algorithms, use gnutls_sign_supports_pk_algorithm()
to determine whether algorithms match. That way we can allow
GNUTLS_SIGN_RSA_PSS_SHA256 under GNUTLS_PK_RSA and GNUTLS_PK_RSA_PSS
keys.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>