git.ipfire.org Git - thirdparty/gnutls.git/log
Nikos Mavrogiannopoulos [Thu, 25 May 2017 09:12:33 +0000 (11:12 +0200)]
gnutls_pubkey_verify_hash2: corrected operation with RSA-PSS keys
That is, do not check the flag GNUTLS_VERIFY_USE_RSA_PSS, as we
already have enough information to determine whether an RSA-PSS
signature is used (the sign algorithm). Also return the code
GNUTLS_E_INCOMPATIBLE_SIG_WITH_KEY when a signature algorithm
incompatible with the public key is encountered.
In addition, fixed a few misplacements of GNUTLS_PK_RSA_PSS in switch
cases.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 25 May 2017 08:48:30 +0000 (10:48 +0200)]
Introduced gnutls_sign_supports_pk_algorithm()
This function allows testing whether a combination of public key
algorithm and signature algorithm is supported. This is introduced
for RSA-PSS signatures which can be generated by a GNUTLS_PK_RSA key
or by a GNUTLS_PK_RSA_PSS key.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Daiki Ueno [Thu, 16 Mar 2017 10:38:58 +0000 (11:38 +0100)]
x509: implement RSA-PSS signature scheme
This patch enables RSA-PSS signature scheme in the X.509 functions and
certtool.
When creating an RSA-PSS signature, there are 3 different scenarios:
a. both a private key and a certificate are RSA-PSS
b. the private key is RSA, while the certificate is RSA-PSS
c. both the private key and the certificate are RSA
For (a) and (b), the RSA-PSS parameters are read from the certificate.
Any conflicts in parameters between the private key and the certificate
are reported as an error.
For (c), the sign functions, such as gnutls_x509_crt_privkey_sign() or
gnutls_privkey_sign_data(), shall be instructed to generate an RSA-PSS
signature. This can be done with the new flag
GNUTLS_PRIVKEY_SIGN_FLAG_RSA_PSS.
Verification is similar to signing, except that for case (c) the
flag GNUTLS_VERIFY_USE_RSA_PSS is used instead of
GNUTLS_PRIVKEY_SIGN_FLAG_RSA_PSS.
From the command line, certtool has a couple of new options: --rsa-pss
and --rsa-pss-sign. The --rsa-pss option indicates that the generated
private key or certificate is restricted to RSA-PSS, while the
--rsa-pss-sign option indicates that the generated certificate is signed
with RSA-PSS.
For simplicity, there is no means of choosing an arbitrary salt length.
When it is not given by a private key or a certificate, it is
automatically calculated from the underlying hash algorithm and the
RSA modulus bits.
[minor naming changes by nmav]
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 25 May 2017 08:19:22 +0000 (10:19 +0200)]
fuzz: added RSA-PSS certificate
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Daiki Ueno [Fri, 31 Mar 2017 12:36:46 +0000 (14:36 +0200)]
build: import files from Nettle for RSA-PSS
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Nikos Mavrogiannopoulos [Sat, 27 May 2017 05:29:44 +0000 (07:29 +0200)]
libtasn1: updated to 4.11
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Thu, 25 May 2017 13:10:17 +0000 (15:10 +0200)]
updated auto-generated files
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 25 May 2017 07:39:10 +0000 (09:39 +0200)]
tests: added unit tests for gnutls_de/encode_rs_value
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 25 May 2017 06:38:43 +0000 (08:38 +0200)]
pk: exported gnutls_decode_rs_value() and gnutls_encode_rs_value()
These functions allow encoding to and from a Dss-Sig-Value.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 26 May 2017 10:43:21 +0000 (12:43 +0200)]
tests: skip x86-specific tests when not in x86
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 26 May 2017 08:56:30 +0000 (10:56 +0200)]
updated auto-generated files
Nikos Mavrogiannopoulos [Fri, 26 May 2017 08:18:09 +0000 (10:18 +0200)]
tests: tls-fuzzer: corrected unlocking at tls-fuzzer-cert.sh
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 26 May 2017 08:42:28 +0000 (10:42 +0200)]
examples: made a comment that getpass() output needs to be sanitized
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 26 May 2017 08:13:05 +0000 (10:13 +0200)]
certtool: avoid printing legacy options in --help
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 24 May 2017 15:34:31 +0000 (17:34 +0200)]
Makefile: improved code coverage extraction from lcov output
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 24 May 2017 13:48:31 +0000 (15:48 +0200)]
configure: warn when building as static library [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 24 May 2017 12:01:56 +0000 (14:01 +0200)]
gnutls_ocsp_status_request_enable_client: removed support for problematic parameters
Removed support for responder_id and extensions parameters. These
had very difficult semantics to use and the underlying implementation
had encoding errors, meaning there was no interoperation with other
clients. Given that issue, there are no applications depending on
these parameters; ignore these parameters completely and no longer send
either responder_id or extensions.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 24 May 2017 09:48:24 +0000 (11:48 +0200)]
gnutls_ocsp_status_request_enable_client: documented requirements for parameters
That is, the fact that extensions and responder_id parameters must be
allocated, and are assigned to the session.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 24 May 2017 09:38:16 +0000 (11:38 +0200)]
ext/status_request: Removed the parsing of responder IDs from client extension
These values were never used by gnutls, nor were they accessible to applications,
and as such there is no reason to parse them.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 24 May 2017 08:46:03 +0000 (10:46 +0200)]
ext/status_request: ensure response IDs are properly deinitialized
That is, do not attempt to loop through the array if there is no array
allocated.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 24 May 2017 08:28:28 +0000 (10:28 +0200)]
tlsfuzzer: enabled ocsp stapling test
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 24 May 2017 08:17:09 +0000 (10:17 +0200)]
tlsfuzzer: updated to latest version
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 23 May 2017 07:26:10 +0000 (09:26 +0200)]
self-tests: limit compatibility API checks to vectors with plaintext
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Mon, 22 May 2017 14:43:38 +0000 (16:43 +0200)]
tests: on cipher override do not run the compatibility checks
That is, because we introduce a cipher using the new AEAD API which
does not provide compatibility hooks.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 22 May 2017 14:41:48 +0000 (16:41 +0200)]
self-tests: introduced flag GNUTLS_SELF_TEST_FLAG_NO_COMPAT
This allows skipping the compatibility APIs when running self tests.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 22 May 2017 14:39:14 +0000 (16:39 +0200)]
self-tests: all parameter was replaced by flags
This allows introducing more options than just checking all
ciphers.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 22 May 2017 12:41:56 +0000 (14:41 +0200)]
aarch64: fix AES-GCM in-place encryption and decryption
Resolves #204
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 22 May 2017 09:54:25 +0000 (11:54 +0200)]
crypto: self-tests: enhance to include compatibility APIs
That is, run the compatibility gnutls_cipher_* APIs on self tests
for AEAD ciphers in addition to the AEAD API.
Relates #204
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 22 May 2017 12:23:14 +0000 (14:23 +0200)]
crypto-api: refuse to run gnutls_cipher_init() in full AEAD modes
That is, there are AEAD modes like CCM that can only be used through
the AEAD API. Always refuse calls to gnutls_cipher_init() in these
modes.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 22 May 2017 07:19:53 +0000 (09:19 +0200)]
doc: corrected error in gnutls_x509_privkey_sign_data parameters [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Sat, 20 May 2017 18:41:30 +0000 (20:41 +0200)]
sysrng-linux: improved detection of getrandom()
The getrandom() call is defined in sys/random.h.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sat, 20 May 2017 18:34:40 +0000 (20:34 +0200)]
gnutls-cli: use 16k buffers in --benchmark-tls-ciphers
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sat, 20 May 2017 18:31:33 +0000 (20:31 +0200)]
gnutls-cli: cleaned up --benchmark-ciphers output
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sat, 20 May 2017 18:20:34 +0000 (20:20 +0200)]
gnutls-cli: no longer include arcfour in benchmarks
This cipher is considered broken and no longer included in
the default set of ciphers.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sat, 20 May 2017 06:51:55 +0000 (08:51 +0200)]
documented the make files-update make option
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sat, 20 May 2017 06:48:26 +0000 (08:48 +0200)]
updated auto-generated files
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sat, 20 May 2017 06:26:47 +0000 (08:26 +0200)]
tests: added TLS server test for multi-key usage
That is, a server which utilizes both RSA and ECDSA keys.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sat, 20 May 2017 06:14:59 +0000 (08:14 +0200)]
p11tool: mark provider opts as deprecated
That is, to avoid listing that option in p11tool --help, as it is
only useful for debugging very low level interfaces with PKCS#11
parameter passing.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Dmitry Eremin-Solenikov [Fri, 19 May 2017 23:19:17 +0000 (02:19 +0300)]
gnutls-serv: allow user to specify multiple x509certfile/x509keyfile
Instead of adding more and more variants like x509dsakeyfile or
x509ecckeyfile (counting eddsa and gost in future), allow the user to
specify x509certfile/x509keyfile multiple times. Keep the old
options as compatibility options.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Dmitry Eremin-Solenikov [Thu, 18 May 2017 20:55:57 +0000 (23:55 +0300)]
Fix two memory leaks in debug output of gnutls tools
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Dmitry Eremin-Solenikov [Wed, 30 Nov 2016 04:13:09 +0000 (07:13 +0300)]
Don't let GnuTLS headers in NETTLE_CFLAGS override local headers
Change order of CFLAGS so that local headers always come before ones in
$(NETTLE_CFLAGS).
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Nikos Mavrogiannopoulos [Fri, 12 May 2017 15:58:55 +0000 (17:58 +0200)]
find_signer: eliminate memory leak
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Karl Tarbe [Mon, 8 May 2017 12:06:33 +0000 (15:06 +0300)]
tests: add test for signing with certificate list
Signing with one certificate, but including the other certificates
inside the PKCS#7 structure.
Signed-off-by: Karl Tarbe <karl.tarbe@cyber.ee>
Karl Tarbe [Thu, 4 May 2017 13:46:14 +0000 (16:46 +0300)]
certtool: allow multiple certificates in --p7-sign
Signed-off-by: Karl Tarbe <karl.tarbe@cyber.ee>
Andreas Metzler [Sun, 14 May 2017 09:21:07 +0000 (11:21 +0200)]
Fix autoconf progress message concerning heartbeat [ci skip]
Nikos Mavrogiannopoulos [Thu, 11 May 2017 20:03:08 +0000 (22:03 +0200)]
doc: corrected typo [ci skip]
Reported by Andreas Metzler.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Thu, 11 May 2017 20:01:10 +0000 (22:01 +0200)]
test: corrected typo preventing the run of openpgp test [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Wed, 10 May 2017 15:43:32 +0000 (17:43 +0200)]
updated auto-generated files
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 10 May 2017 15:23:54 +0000 (17:23 +0200)]
pkcs11_override_cert_exts: do not use CKA_X_DISTRUSTED flag when retrieving
This flag was introduced in order to reduce the number of duplicate
stapled extensions returned by p11-kit. Unfortunately that fix was bogus
and in fact it resulted in p11-kit not returning any stapled extensions.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 10 May 2017 15:08:11 +0000 (17:08 +0200)]
tests: added unit test for p11-kit trust store
This verifies whether an Example Root CA can be read together
with its stapled extensions.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 10 May 2017 14:40:10 +0000 (16:40 +0200)]
p11tool: added the --provider-opts option
This option allows passing parameters to the PKCS#11 module
loading process, i.e., passed to gnutls_pkcs11_add_provider().
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 10 May 2017 14:34:25 +0000 (16:34 +0200)]
pkcs11_add_provider: allow passing parameters to p11-kit trust module
When the @params argument of gnutls_pkcs11_add_provider() starts with
'p11-kit:' the specified provider is loaded as an unmanaged module
and the rest of the parameters are passed opaquely to the module. This
allows loading for example the p11-kit trust module with a custom path
for the trust database.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 9 May 2017 20:03:45 +0000 (22:03 +0200)]
tests: introduced checks in alternative chain discovery
These cope with alternative chain discovery in the case of an insecure
algorithm found in the chain.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Tue, 9 May 2017 19:24:36 +0000 (21:24 +0200)]
tests: modified pkcs1-pad to account for alt path search
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Mon, 8 May 2017 04:43:28 +0000 (06:43 +0200)]
gnutls_x509_trust_list_verify_crt2: treat signers with insecure algorithms as unknown
The reason is that many servers utilize a legacy chain to improve compatibility
with old clients and that chain often contains an insecure algorithm. In that case
try to construct alternative paths. To maintain compatibility with previous
versions, we ensure that the same error code (verification status) is returned
in these cases as before by sending the cached error if the alternative path fails
too.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Tue, 9 May 2017 18:57:40 +0000 (20:57 +0200)]
updated auto-generated files
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Tue, 9 May 2017 18:57:00 +0000 (20:57 +0200)]
Makefile: files-update directive will update the auto-generated files in src/
This simplifies the update of files generated by autogen.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Mon, 8 May 2017 05:02:16 +0000 (07:02 +0200)]
tests: added check for gnutls-cli's sni-hostname option
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Mon, 8 May 2017 04:13:59 +0000 (06:13 +0200)]
gnutls-cli: introduced --sni-hostname option
This allows overriding the value set on the TLS server name indication
extension.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Wed, 10 May 2017 08:39:22 +0000 (10:39 +0200)]
Makefile: added phony targets to .PHONY [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 9 May 2017 12:51:44 +0000 (14:51 +0200)]
fuzz: doc update [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 8 May 2017 04:27:21 +0000 (06:27 +0200)]
errors.h: _gnutls_cert_log will only print on non-null certificates
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nicolas Dufresne [Fri, 28 Apr 2017 21:17:32 +0000 (17:17 -0400)]
rsa-psk: Use the correct username datum
In rsa-psk we properly request username for the case the
application uses a callback, but later we use the username
cached in the credentials structure. This will lead to empty
username issues.
Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Nikos Mavrogiannopoulos [Sat, 6 May 2017 21:06:45 +0000 (23:06 +0200)]
tests: added check for PSK client callback in RSA-PSK
This check verifies whether gnutls_psk_client_credentials_function
is operational, and the parameters sent are taken into account
by the server.
Relates !364
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Sat, 6 May 2017 20:47:32 +0000 (22:47 +0200)]
tests: simplified name of mini-rsa-psk check
In addition, modernized the used APIs and added an explicit check
on the username value received by the server.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 5 May 2017 12:31:30 +0000 (14:31 +0200)]
tests: utilize the email_protection_key template option
This ensures that generated certificates and requests will
include that key purpose when the option is present.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 5 May 2017 12:21:13 +0000 (14:21 +0200)]
certtool: introduced the email_protection_key option
This option was introduced in documentation for certtool without
an implementation of it. It is a shortcut for option
key_purpose_oid = 1.3.6.1.5.5.7.3.4
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Andreas Metzler [Mon, 1 May 2017 17:20:38 +0000 (19:20 +0200)]
gnutls-cli: Use CRLF with --starttls-proto=smtp.
Closes https://gitlab.com/gnutls/gnutls/issues/200
Nikos Mavrogiannopoulos [Sun, 30 Apr 2017 23:43:40 +0000 (01:43 +0200)]
doc: remove libidn from instructions and add libidn2
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Sun, 30 Apr 2017 22:59:12 +0000 (00:59 +0200)]
doc: update
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Sun, 30 Apr 2017 22:26:47 +0000 (00:26 +0200)]
added newline in debug messages [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 4 Apr 2017 18:13:11 +0000 (20:13 +0200)]
Removed support for libidn1
Currently we support both IDNA2003 and IDNA2008. However, IDNA2003
is already obsoleted by registrars and NICs, thus there is no reason
to continue supporting it. We switch to IDNA2008 exclusively using libidn2.
Resolves #194
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Mon, 1 May 2017 10:44:46 +0000 (12:44 +0200)]
updated minitasn1
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 1 May 2017 10:42:57 +0000 (12:42 +0200)]
gnutls.h: introduced GNUTLS_E_ASN1_TIME_ERROR
This corresponds to libtasn1 ASN1_TIME_ENCODING_ERROR and
indicates an error in the DER or BER encoding of a time field.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Sun, 30 Apr 2017 11:25:16 +0000 (13:25 +0200)]
gnutls_pkcs12_simple_parse: set to null vars after deinitialization
This avoids having the variables deinitialized twice during
cleanup.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Sun, 30 Apr 2017 10:52:51 +0000 (12:52 +0200)]
tests: enhance with checks to verify that textual IPs are not matched
This verifies that the hostname check verification function will
not succeed if given textual IPs when the certificate contains
textual IPs in DNSname or in the CN fields.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Sat, 29 Apr 2017 11:30:50 +0000 (13:30 +0200)]
gnutls_x509_crt_check_hostname2: do not match DNS fields against IPs
Previously we were checking textual IP address matching against
the DNS fields. This match was non-standard and was intended to
work around a few broken servers. However, that also led to not
evaluating any IP constraints for that IP. No longer follow that
broken behavior.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Sun, 30 Apr 2017 10:45:19 +0000 (12:45 +0200)]
tests: check against symbols present only in IDNA2003
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Sat, 29 Apr 2017 12:00:24 +0000 (14:00 +0200)]
gnutls_idna_map: fallback to IDNA2008 transitional encoding on failure
This aligns with the behavior of firefox, which maps to IDNA2008, and
falls back to IDNA2003 if that fails (e.g., mapping doesn't exist).
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 28 Apr 2017 21:12:19 +0000 (23:12 +0200)]
fuzz: fix leaks in PKCS#12 fuzzer
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 28 Apr 2017 20:46:48 +0000 (22:46 +0200)]
pkcs12: release CRL data on error path
This addresses issue:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1295
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 25 Apr 2017 10:01:25 +0000 (12:01 +0200)]
doc: added gnutls_ext_flags_t enumeration
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 25 Apr 2017 09:55:10 +0000 (11:55 +0200)]
_gnutls_base64_decode: corrected leak on decoding error
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 25 Apr 2017 09:08:47 +0000 (11:08 +0200)]
tests: fixed expected error code in base64 check
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 25 Apr 2017 13:15:27 +0000 (15:15 +0200)]
certtool: ensure no leaks on pkcs12_info() error paths
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 25 Apr 2017 09:02:01 +0000 (11:02 +0200)]
tests: added reproducer for mem leak in PKCS#12 decoding
This relates to:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1173
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 25 Apr 2017 08:59:58 +0000 (10:59 +0200)]
pkcs12: eliminate mem leaks in _pkcs12_decode_safe_contents
This makes sure we deinitialize previously available elements.
This addresses:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1173
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 25 Apr 2017 08:48:46 +0000 (10:48 +0200)]
cleanups in _pkcs12_decode_safe_contents
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 25 Apr 2017 08:36:22 +0000 (10:36 +0200)]
pkcs12: clean ups in PKCS#12 parsing
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 24 Apr 2017 12:16:24 +0000 (14:16 +0200)]
Added explicit check for the bounds of the generated 'd'.
This is according to FIPS186-4 sec. B.3.1.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 24 Apr 2017 11:06:45 +0000 (13:06 +0200)]
fips140-2: enhanced check of generated parameters
That is, replaced all assert() calls with if statements to allow
graceful failure.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 24 Apr 2017 11:11:04 +0000 (13:11 +0200)]
dsa-fips.h: include nettle/bignum.h to allow compilation under nettle-mini
Relates #197
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 25 Apr 2017 07:50:08 +0000 (09:50 +0200)]
tests: added base64 reproducer of mem leak
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 24 Apr 2017 11:28:39 +0000 (13:28 +0200)]
doc update [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Sun, 23 Apr 2017 09:54:38 +0000 (11:54 +0200)]
gnutls.h: introduced flag GNUTLS_EXT_FLAG_OVERRIDE_INTERNAL [ci skip]
This flag is expected to be used by applications which handle
custom extensions that are not currently supported in gnutls, but
support for them may be added in the future.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Fri, 21 Apr 2017 07:28:47 +0000 (09:28 +0200)]
_gnutls_base64_decode: addressed memory leak in decoding
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 21 Apr 2017 07:19:56 +0000 (09:19 +0200)]
gnutls_pem_base64_decode: allow decoding raw base64 data
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 21 Apr 2017 07:14:18 +0000 (09:14 +0200)]
tests: check whether gnutls_pem_base64_decode2 decodes with null argument
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 21 Apr 2017 07:12:51 +0000 (09:12 +0200)]
Revert "gnutls_pem_base64_decode: allow decoding raw base64 data"
This reverts commit
fa86fc6892d6551340f24da6a6af4f484a62b884 .
Nikos Mavrogiannopoulos [Thu, 20 Apr 2017 14:34:56 +0000 (16:34 +0200)]
doc: clarifications on custom thread override [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>