fuzz: added PEM base64 decoder and encoder fuzzers [ci skip]

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

fuzz: openpgp fuzzer always succeeds when no support is present [ci skip]

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

lib/system/fastopen: simplified TCP fast open for OSX

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

lib/system/fastopen: Add TCP Fast Open for OSX

Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

doc: removed incorrect comment

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

gnutls_dh_get_pubkey: fixed operation under PSK authentication

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

tests: test gnutls_dh_get_pubkey in PSK auth

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

tests: combined and enhanced DH params tests

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

tests: added DH parameter check in X.509 auth

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

tests: added basic test on gnutls_dh_params_cpy

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

tests: test gnutls_dh_get_pubkey in anonymous auth

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

doc update

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

tests: added basic unit test on gnutls_random_art()

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

doc: fixed documentation for various function parameters

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

.gitlab-ci.yml: removed the coverage run under pkcs11 trust store

It was causing inaccurate total coverage numbers.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

.gitlab-ci.yml: added runs under the PKCS#11 trust store in fedora

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: use gnutls_global_init instead of global_init

The reason is to force initialization of the PKCS#11 backend,
and thus support for any PKCS#11 trust store when setup.
This fixes running the test suite in Fedora.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: added checks with certificates that contain invalid time field

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

x509/time: reject invalid dates in local mktime()

Resolves #135

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

certtool: added newline in error message

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: added basic check for systemkey tool

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

systemkey: improved error message on unsupported systems

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: enhanced tofu trustdb checks

Include checks which store and load commitments from the user's home
directory.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: do not run pkgconfig test in systems with invalid libidn flags

This prevents our test from failing, due to invalid flags found in
a dependency of ours.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

doc: fixed tpmtool and psktool documentation

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

doc update

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: added unit tests for the base64 raw decoding functions

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

gnutls_pem_base64_decode: allow decoding raw base64 data

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

x509/output: do not print usage entry when there is none

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

certtool: improved printing of the key PIN and key ID

That is, on private keys use the same format when printing
the public Key ID and public key PIN, as when printing it
in certificates.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

.gitlab-ci.yml: fixed freebsd build project restriction

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

certtool: print the key PIN on private and public keys

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

gnutls_pem_base64_encode2: do raw base64 when msg is NULL

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

.gitlab-ci.yml: simplified CI setup

This makes builds independent by reducing interactions between
artifacts of builds.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

fuzz: do not enable the openpgp fuzzer when openpgp is disabled

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

serv: fixed carriage return stripping in strip()

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Mark with (void) the remove() function and other unchecked functions

This allows static analysers to properly warn on unchecked return values.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

gnutls-cli: fixed minor coverity identified issues

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

certtool: fixed newline skip code in smime-to-p7 code

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: added unit test for the certtool smime conversion functionality

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

certtool: fixed minor issues pointed out by coverity

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

gnutls-cli: better resource management in benchmark cmd

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

is_level_acceptable: ensure issuer is not dereferenced when null

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

certtool: guard the value of tl before gnutls_pkcs7_verify

This utilizes assert() as it cannot be triggered in practice.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Avoid using ASN1_MAX_NAME_SIZE directly

Since ASN1_MAX_NAME_SIZE refers to a single element in the asn1
tree, it is not suitable to hold the maximum combined name. Instead
use a local definition of MAX_NAME_SIZE, which is a multiple of
the ASN1_MAX_NAME_SIZE.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

gnutls_x509_crq_set_challenge_password: don't accept null password

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Mark with (void) the functions where the returned value is not checked intentionally

This allows static analysers to properly warn on unchecked return values.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

removed duplicate code

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

handshake/record: mark with comments all expected fall-through switches

This reduces warnings from static analysers like coverity and makes
explicit the intention.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

gnutlsxx.cpp: fixed misleading indentation issues

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

doc: document intended fallthrough

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: fixed possible buffer overflow to avoid spurious complaints

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

updated auto-generated files

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

x509.h: added macro for inhibit any policy

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

NEWS: updated

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

doc: documented the inhibit any policy extension

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: added PKCS#12 unit test with AES file

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: added unit test for inhibit anypolicy generation

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

supported_exts: inhibit anypolicy is listed as supported

Since we don't support certificate verification based on policies,
we make sure we do not reject any certificates based on the inhibit
any policy extension being present.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

certtool: added template option inhibit_anypolicy_skip_certs

This option writes the inhibit anyPolicy option in a certificate.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

x509: output the inhibit anyPolicy value

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

documented the GNUTLS_X509_OID_POLICY_ANY macro

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

x509: added function to set and retrieve inhibit anypolicy extension value

That is, introduced:
 * gnutls_x509_crt_get_inhibit_anypolicy
 * gnutls_x509_crt_set_inhibit_anypolicy

Resolves #180

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

_gnutls_x509_write_uint32: ensure we prepend leading zero when writing

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Added helper functions to parse the inhibit anyPolicy X.509 extension

That introduces:
 * gnutls_x509_ext_export_inhibit_anypolicy
 * gnutls_x509_ext_import_inhibit_anypolicy

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: added unit test for PKCS#12 with file that uses PBES1 with no salt

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: added basic check for system trust store

This checks whether the gnutls_certificate_set_x509_system_trust()
and thus the trust list equivalent function operate as expected
and return a positive number of certificates. The test is ignored
in systems where these functions return GNUTLS_E_UNIMPLEMENTED_FEATURE.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

gnutls_x509_trust_list_add_system_trust: Add macOS keychain support

Also don't check for a default_trust_store_file in configure when building on
macOS (unless explicitly asked to with --with-default-trust-store-file=xxx),
because otherwise it finds /etc/ssl/cert.pem: This file is new (since
10.12.2?), which means libraries built on the newest OS version wouldn't work
the same way on an older versions (and vice versa).  "/etc/ssl/cert.pem" also
doesn't seem to reflect additions and deletions from the user's or system's
trusted roots keychain (in my limited testing).

Signed-off-by: David Caldwell <david@porkrind.org>

Rename uint64 to gnutls_uint64 to avoid conflict with macOS

Signed-off-by: David Caldwell <david@porkrind.org>

mpi: openpgp integer scanning was put into conditional

That is, no longer include that code when compiling without openpgp
support.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Moved all openpgp-related variables and definitions into ifdef blocks

This allows compilation with -Werror even if openpgp is disabled.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

OpenPGP authentication is disabled by default

The flag --enable-openpgp-authenticationcan be used to revert
this change.

Resolves #178

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tools: remove outfile when exited on error

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

certtool: added examples on verifying certificates

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

certtool: improved documentation

Incorporated comments made in Lenka Horakova's thesis study.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: added unit test for PKCS#12 with file that uses PBES1 with no salt

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

doc update

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: add unit test for PKCS#12 with file that uses SHA512 for MAC

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

pkcs12: increased the maximum salt size

This accomodates for files which have salt sizes up to 256 bytes.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

_gnutls_pkcs12_string_to_key: allow SHA384 and SHA512

The previous implementation of the function was restricted to SHA1 and
SHA256. Extended to allow SHA384 and SHA512 as well.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

PKCS#12: added support for files with zero salt length in MAC

Resolves #191
Resolves #190

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: added unit test for PKCS#12 with file with no salt in MAC

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: verify that the encryption OID is printed

That is, verify whether certtool --p12-info will print the
actual encryption OID on unsupported files, rather than the
generic PBES2 algorithm.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

gnutls_pkcs8_info: return the encryption algorithm OID on failure

When failing to import a structure due to an unsupported encryption
algorithm OID, return the unsupported OID instead of the generic
PBES2 OID.

Resolves: #193

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

gnutls_transport_set_pull_timeout_function: doc update [ci skip]

Clarified when this function should be set. Based on suggestion by
Sean Greenslade.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Use NORMAL priority for SSLv23_*_method.

Instead of enforcing TLS1.0/SSL3.0 use gnutls NORMAL priority for
SSLv23_*_methods.

http://bugs.debian.org/857436

.gitlab-ci.yml: renamed dist build to doc-dist

This better describes the name of the build.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

.gitlab-ci.yml: combined minimal and no-tools builds

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

.gitlab-ci.yml: combined static analyser runs

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

.gitlab-ci.yml: reduced builds and stages

That is an improvement to run the CI faster.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

tests: added unit test for gnutls_priority_get_cipher_suite_index

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

gnutls-cli: eliminate leak on --list option

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

gnutls_priority_get_cipher_suite_index: fixed returned protocols

That is no longer return indexes for ciphersuites which would not have
been available due to TLS version mismatch in the priorities cache.

Resolves #146

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

tests: Copy template out of ${srcdir}

Otherwise, out of tree builds will fail to copy the template.

Signed-off-by: Matt Turner <mattst88@gmail.com>

gnutls_cipher_get_tag_size: document behavior on non-AEAD ciphers

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

doc: make a note that parts of the crypto API are in Core API

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

tests: added checks with problematic PKCS#12 files

These check whether parsing of unsupported files (e.g., with RC2-128),
will succeed. This serves as functionality check for gnutls_pkcs8_info.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

gnutls_pkcs8_info: do not free oid on GNUTLS_E_UNKNOWN_CIPHER_TYPE

The documented behavior of the function was to return a valid
OID in that case.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

doc update [ci skip]

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Makefile.am: dropped .clcopying from dist files [ci skip]

It is no longer being used.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>