git.ipfire.org Git - thirdparty/gnutls.git/log
Nikos Mavrogiannopoulos [Thu, 9 Mar 2017 11:57:41 +0000 (12:57 +0100)]
PKCS8/PKCS12: enforce a maximum number of iterations
This prevents denial of service through very large iteration
counts. Issue found via oss-fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=434
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Alex Gaynor [Wed, 8 Mar 2017 19:52:38 +0000 (14:52 -0500)]
Do not attempt to parse a 32-bit integer if a packet is not 4 bytes.
This addresses:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=737
Signed-off-by: Alex Gaynor <alex.gaynor@gmail.com>
Nikos Mavrogiannopoulos [Thu, 9 Mar 2017 10:25:54 +0000 (11:25 +0100)]
Revert ".gitlab-ci.yml: include coverage statistics of FIPS140-2 code"
This reverts commit
603772688c4e37dae437b4cede12e25b9dd9f678 .
The commit introduced a long wait for the coverage build without
any significant benefit (the extent of the FIPS140 code is too limited
to have any impact on the overall coverage).
Nikos Mavrogiannopoulos [Thu, 9 Mar 2017 09:52:59 +0000 (10:52 +0100)]
sysrng-linux: define _rnd_get_system_entropy unconditionally
This fixes compilation in systems without getrandom().
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 8 Mar 2017 15:00:02 +0000 (16:00 +0100)]
tests: dtls-stress: use X.509 certificates instead of openpgp
This will allow the test tool to operate even after openpgp certificates
are deprecated.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 7 Mar 2017 21:52:31 +0000 (22:52 +0100)]
.gitlab-ci.yml: added build without openpgp support
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Wed, 8 Mar 2017 10:32:31 +0000 (11:32 +0100)]
doc update
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 7 Mar 2017 21:36:16 +0000 (22:36 +0100)]
Added openpgp stub file
That allows disabling openpgp authentication and at the same time
retaining ABI compatibility with versions including openpgp.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Wed, 8 Mar 2017 14:00:06 +0000 (15:00 +0100)]
doc update
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 8 Mar 2017 13:58:14 +0000 (14:58 +0100)]
tests: split PKCS#12 encoding from decoding tests
Enhanced PKCS#12 encoding tests, with the encoding of a file
which contains a cert, a key and a CRL.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 8 Mar 2017 13:47:20 +0000 (14:47 +0100)]
tests: added PKCS#12 file decoding containing a CRL
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 8 Mar 2017 13:40:15 +0000 (14:40 +0100)]
certtool: enhance to allow writing CRLs in PKCS#12 files
In addition fallback to DER when --load-crl fails importing a PEM
encoded CRL due to PEM issues.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 8 Mar 2017 13:21:30 +0000 (14:21 +0100)]
tests: added CRL decoding unit tests using certtool
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 8 Mar 2017 13:04:32 +0000 (14:04 +0100)]
tests: enhanced basic tests in CRL parsing
That tests gnutls_x509_crl_get_crt_serial().
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 8 Mar 2017 12:50:55 +0000 (13:50 +0100)]
Rewritten gnutls_x509_rdn_get() and gnutls_x509_rdn_get2()
The new code re-uses the gnutls_x509_dn APIs instead of re-implementing.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 8 Mar 2017 12:43:36 +0000 (13:43 +0100)]
tests: added checks for the old DN decoding functions
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 7 Mar 2017 21:39:20 +0000 (22:39 +0100)]
tests: do not run tests which require openpgp when it is disabled
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Tue, 7 Mar 2017 21:47:55 +0000 (22:47 +0100)]
.gitlab-ci.yml: include coverage html output as artifact
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Wed, 8 Mar 2017 12:22:59 +0000 (13:22 +0100)]
tests: x509-verify: print the keys on failure
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 8 Mar 2017 12:17:15 +0000 (13:17 +0100)]
gnutls_privkey_export_x509: doc update
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 8 Mar 2017 12:07:08 +0000 (13:07 +0100)]
tests: split sign-verify test to RSA and ECDSA parts
This allows parallelism and also helps identify the culprit
more easily on an error.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 8 Mar 2017 10:52:25 +0000 (11:52 +0100)]
tests: adjusted for the removal of HMAC-MD5
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 8 Mar 2017 10:48:28 +0000 (11:48 +0100)]
priority: do not enable HMAC-MD5 by default
While HMAC-MD5 is not yet broken, it is not used by any non-broken
or non-NULL ciphersuites (it is only used with NULL and RC4), and as there
is no plan to introduce new ciphersuites with that MAC algorithm, there
is no point in including it in the default set of allowed algorithms.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 7 Mar 2017 22:10:43 +0000 (23:10 +0100)]
tests: converted FIPS140-2 mode checks in Makefiles to run-time in scripts
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Wed, 8 Mar 2017 09:48:40 +0000 (10:48 +0100)]
gnutls.h: introduced GNUTLS_E_TLS_PACKET_DECODING_ERROR [ci skip]
This is an alias to GNUTLS_E_UNEXPECTED_PACKET_LENGTH. That
allows distinguishing the alert from GNUTLS_E_RECORD_OVERFLOW.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 7 Mar 2017 20:53:51 +0000 (21:53 +0100)]
tests: crq: ignore lines for Security Level
This allows running the test under FIPS140-2 mode.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Tue, 7 Mar 2017 20:39:12 +0000 (21:39 +0100)]
ax_code_coverage.m4: updated
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Mon, 6 Mar 2017 22:21:33 +0000 (23:21 +0100)]
.gitlab-ci.yml: initialize submodules where needed (for tlsfuzzer run)
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Mon, 6 Mar 2017 14:28:01 +0000 (15:28 +0100)]
.gitlab-ci.yml: include subdirs of suite/ in artifacts
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 6 Mar 2017 22:11:39 +0000 (23:11 +0100)]
ext/signature: error on invalid extension format
That is, if an extension containing no signature algorithms is
encountered, treat that as an error. This is an RFC5246 requirement,
since the minimum "supported_signature_algorithms" length is 2.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Mon, 6 Mar 2017 13:30:19 +0000 (14:30 +0100)]
_gnutls_proc_x509_server_crt: return GNUTLS_E_CERTIFICATE_ERROR on parsing error
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 6 Mar 2017 13:21:45 +0000 (14:21 +0100)]
alert: GNUTLS_E_NO_CERTIFICATE_FOUND maps to GNUTLS_A_DECODE_ERROR
This is the closest alert to use when no certificate is found; at least
it is closer according to tlsfuzzer and the RFC5246 text on the insufficient_security
alert.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 6 Mar 2017 12:51:33 +0000 (13:51 +0100)]
read_client_hello: use integer for extensions size
As we do not read the value directly, but rather assign to it
the remaining data, we ensure that there are no overflows if
we have additional data past the extensions field. The integer
can hold more than 2^24 which is the maximum handshake packet
size.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 3 Mar 2017 15:33:57 +0000 (16:33 +0100)]
ext/signature: reject an extension with padded data
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 3 Mar 2017 15:18:44 +0000 (16:18 +0100)]
ext/signature: reject an extension size of zero
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 3 Mar 2017 14:58:19 +0000 (15:58 +0100)]
gnutls_record_recv: do not accept a client hello while handshake is in progress
That is, do not return GNUTLS_E_REHANDSHAKE, while we are within
a handshake process.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 3 Mar 2017 14:16:59 +0000 (15:16 +0100)]
read_client_hello: fail early on illegally formatted message
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 2 Mar 2017 16:57:57 +0000 (17:57 +0100)]
_gnutls_parse_extensions: do not fail on empty extensions field
On the other hand, fail if an empty extensions field is seen, but
the client hello contains data nevertheless, or if the extensions
field is padded with additional unaccounted data.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
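The extension checks in the commits above ("ext/signature: error on invalid extension format", "ext/signature: reject an extension with padded data", "ext/signature: reject an extension size of zero", "read_client_hello: use integer for extensions size" and "_gnutls_parse_extensions: do not fail on empty extensions field") share one parsing discipline: every length field must account exactly for the bytes that follow it, and the count of bytes remaining in the message must be kept in a type wider than the 16-bit field so that unaccounted trailing data is noticed rather than lost. The following is an added example written for this page, not GnuTLS code: a stand-alone parser for the extensions tail of a ClientHello that applies those rules. The error codes, function names and the sample inputs (constructed here, not captured traffic) are this example's own.

```c
#include <stddef.h>
#include <stdint.h>

enum { EXT_OK = 0, EXT_ERR_TRUNCATED = -1, EXT_ERR_PADDED = -2, EXT_ERR_ILLEGAL = -3 };
#define EXT_SIGNATURE_ALGORITHMS 13 /* RFC 5246 7.4.1.4.1 */

static unsigned rd16(const uint8_t *p) { return (unsigned)p[0] << 8 | p[1]; }

/* signature_algorithms body: a 2-byte list length followed by (hash, signature)
 * pairs. The list must be non-empty (minimum length 2), of even length, and
 * fill the extension exactly: neither truncated nor followed by padding. */
static int parse_signature_algorithms(const uint8_t *d, size_t len)
{
    if (len < 2) return EXT_ERR_TRUNCATED;
    size_t list_len = rd16(d);
    if (list_len == 0 || list_len % 2 != 0) return EXT_ERR_ILLEGAL;
    if (list_len > len - 2) return EXT_ERR_TRUNCATED;
    if (list_len < len - 2) return EXT_ERR_PADDED;
    return EXT_OK;
}

/* Parse the optional extensions block at the tail of a ClientHello. `rest` is
 * everything after compression_methods; `rest_len` is a size_t, not the 16-bit
 * wire field, so bytes beyond the declared extensions length are seen and
 * rejected. An absent field is fine; an empty field followed by data, or a
 * field padded with extra bytes, is an error. */
static int parse_client_hello_extensions(const uint8_t *rest, size_t rest_len, unsigned *count)
{
    *count = 0;
    if (rest_len == 0) return EXT_OK;
    if (rest_len < 2) return EXT_ERR_TRUNCATED;
    size_t ext_total = rd16(rest);
    rest += 2; rest_len -= 2;
    if (ext_total > rest_len) return EXT_ERR_TRUNCATED;
    if (ext_total < rest_len) return EXT_ERR_PADDED;
    while (rest_len > 0) {
        if (rest_len < 4) return EXT_ERR_TRUNCATED;
        size_t type = rd16(rest), len = rd16(rest + 2);
        rest += 4; rest_len -= 4;
        if (len > rest_len) return EXT_ERR_TRUNCATED;
        if (type == EXT_SIGNATURE_ALGORITHMS) {
            int rc = parse_signature_algorithms(rest, len);
            if (rc != EXT_OK) return rc;
        }
        rest += len; rest_len -= len; (*count)++;
    }
    return EXT_OK;
}

/* Returns the number of extensions on success, otherwise the negative error code. */
static int parse_result(const uint8_t *rest, size_t rest_len)
{
    unsigned n;
    int rc = parse_client_hello_extensions(rest, rest_len, &n);
    return rc == EXT_OK ? (int)n : rc;
}

/* Constructed ClientHello tails for this example (not captured traffic); each
 * starts with the 2-byte extensions length. */
static const uint8_t ch_good[] = {
    0x00, 0x0c,                                      /* extensions length 12 */
    0x00, 0x0d, 0x00, 0x08,                          /* signature_algorithms, length 8 */
    0x00, 0x06, 0x04, 0x01, 0x05, 0x01, 0x06, 0x01   /* 3 pairs: sha256/384/512 with rsa */
};
static const uint8_t ch_trailing[] = { 0x00, 0x0c, 0x00, 0x0d, 0x00, 0x08,
    0x00, 0x06, 0x04, 0x01, 0x05, 0x01, 0x06, 0x01, 0x00 }; /* one byte past the block */
static const uint8_t ch_empty_then_data[] = { 0x00, 0x00, 0x41 };
static const uint8_t ch_sigalgs_padded[] = { 0x00, 0x0a, 0x00, 0x0d, 0x00, 0x06,
    0x00, 0x02, 0x04, 0x01, 0x00, 0x00 }; /* list says 2 bytes, extension carries 4 */
static const uint8_t ch_sigalgs_empty[] = { 0x00, 0x06, 0x00, 0x0d, 0x00, 0x02, 0x00, 0x00 };
static const uint8_t ch_truncated[] = { 0x00, 0x0c, 0x00, 0x0d, 0x00, 0x08, 0x00, 0x06, 0x04, 0x01 };
```

Each rejected sample maps to one of the commits above: `ch_trailing` and `ch_empty_then_data` are the padded and "empty but data follows" cases, `ch_sigalgs_padded` and `ch_sigalgs_empty` the padded and zero-size signature_algorithms extension, and `ch_truncated` a declared length the message cannot satisfy.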
Nikos Mavrogiannopoulos [Thu, 2 Mar 2017 16:53:55 +0000 (17:53 +0100)]
alert: GNUTLS_E_PK_INVALID_PUBKEY maps to GNUTLS_A_ILLEGAL_PARAMETER
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 2 Mar 2017 16:48:31 +0000 (17:48 +0100)]
alerts: separated record overflow from decode error alerts
Introduced GNUTLS_E_RECORD_OVERFLOW.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 2 Mar 2017 16:42:51 +0000 (17:42 +0100)]
auth: failures of _gnutls_mpi_init_scan_nz map to GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER
That ensures that the right alert is sent when illegal
parameters are received (e.g., zero length).
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 7 Mar 2017 10:49:45 +0000 (11:49 +0100)]
doc: updated tlsproxy to latest version
Nikos Mavrogiannopoulos [Mon, 18 Apr 2016 12:17:18 +0000 (14:17 +0200)]
testsuite: added tlsfuzzer
This enhances the testsuite by running all the tlsfuzzer
fuzzer tests which require no certificates from server.
https://github.com/tomato42/tlsfuzzer
Nikos Mavrogiannopoulos [Tue, 7 Mar 2017 06:55:10 +0000 (07:55 +0100)]
tests: converted compile-time checks for FIPS140 mode to run-time
This allows running the complete test suite even when the library
is compiled in FIPS140-2 mode, as long as the run-time is not at
this mode.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Tue, 7 Mar 2017 06:39:20 +0000 (07:39 +0100)]
.gitlab-ci.yml: include coverage statistics of FIPS140-2 code
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Tue, 7 Mar 2017 06:32:46 +0000 (07:32 +0100)]
.gitlab-ci.yml: include FIPS140-2 code into static analyzer runs
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Mon, 6 Mar 2017 21:35:41 +0000 (22:35 +0100)]
doc update
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Wed, 1 Mar 2017 09:22:04 +0000 (10:22 +0100)]
nettle/rnd-fips: combined the FIPS-compliant generators to two
This brings the FIPS generators on par with the non-FIPS chacha-based ones.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 1 Mar 2017 09:18:14 +0000 (10:18 +0100)]
nettle/rnd: use two random generators instead of 3
That combines the levels GNUTLS_RND_RANDOM and GNUTLS_RND_KEY, while
at the same time makes sure that backtracking is impossible on the
GNUTLS_RND_KEY level, by reinitializing the RNG after a call requesting
data for the GNUTLS_RND_KEY level.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 1 Mar 2017 09:04:18 +0000 (10:04 +0100)]
doc: updated the PRNG documentation to utilize two PRNG instances
Also move the random generator discussion to internals section.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 27 Feb 2017 10:37:39 +0000 (11:37 +0100)]
doc: document the state of PRNG in GnuTLS 3.6.0
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 27 Feb 2017 10:51:18 +0000 (11:51 +0100)]
nettle/pk: corrected call to gnutls_rnd() for rnd_nonce_func
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Sun, 26 Feb 2017 19:07:41 +0000 (20:07 +0100)]
tests: decoupled the random generator operational tests from the forking ones
That also corrects the fact that not all tests were run for all generators,
and allows running the tests in parallel.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sun, 26 Feb 2017 18:56:09 +0000 (19:56 +0100)]
nettle/rnd: specify different limits for rekey in PRNGs
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sun, 26 Feb 2017 18:20:16 +0000 (19:20 +0100)]
nettle/pk: use the GNUTLS_RND_RANDOM level for DH/DSA params
These are not long-term keys and do not require the key level.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sun, 26 Feb 2017 18:16:32 +0000 (19:16 +0100)]
tests: added check to verify that including crypto.h is sufficient
That is, sufficient to use its functionality, and including additional
headers isn't necessary.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sun, 26 Feb 2017 18:11:51 +0000 (19:11 +0100)]
crypto.h: include gnutls.h to obtain required types
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Thu, 23 Feb 2017 09:44:43 +0000 (10:44 +0100)]
rnd: reduce calls to _rnd_get_system_entropy
That is, no longer obtain the initial nonces for the RNG
via _rnd_get_system_entropy() but instead use time-based ones
which are typically faster kernel calls. This reduces the number
of expensive system calls done during thread and
process initialization.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 21 Feb 2017 10:48:08 +0000 (11:48 +0100)]
rnd: when reseeding the generators use the next best generator
That is, use the RANDOM level to obtain keys to reseed the
NONCE level, and the KEY level to reseed the RANDOM. The KEY
level is reseeded using the system random generator.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 21 Feb 2017 10:11:31 +0000 (11:11 +0100)]
tests: verify whether crypto operations fail
That is verify whether a signature operation will fail if
the library is in error state.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 21 Feb 2017 10:05:48 +0000 (11:05 +0100)]
Added _gnutls_lib_force_operational
This allows recovering from _gnutls_lib_simulate_error() which in
turn allows more advanced tests. Not documented, and intended to
be an internal symbol only.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 21 Feb 2017 09:56:44 +0000 (10:56 +0100)]
pk: always use _gnutls_switch_lib_state
This avoids relying on abort() for RNG errors in PK wrappers.
We use instead the library state originally added for FIPS140-2
support, and if the state indicates failure the operation will
fail.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 21 Feb 2017 09:43:56 +0000 (10:43 +0100)]
rnd: switched to 3 chacha-based PRNGs for all security levels
Chacha was selected because it is already present in the TLS protocol
as an algorithm, meaning that re-using it would improve CPU caching,
and it is comparable in performance to the existing
PRNG used for nonces (salsa20). The yarrow generator was removed
because we are primarily seeding from system devices which are
sufficiently trustworthy to relieve us of coping with the
handling of multiple sources of input. As such it allows
us to switch to a simpler PRNG such as a stream cipher like Chacha.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
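The three commits "nettle/rnd: use two random generators instead of 3", "rnd: when reseeding the generators use the next best generator" and "rnd: switched to 3 chacha-based PRNGs for all security levels" describe one design: a stream cipher as the generator, a chain in which the NONCE level is reseeded from the RANDOM level and the RANDOM level from the system, each with its own rekey limit, and a rekey after every KEY-level request so that a long-term key cannot be recovered from generator state captured later. The following is an added example written for this page, not GnuTLS code, showing that structure in working form: a ChaCha20-keyed generator, the level chain, the limits and the post-KEY rekey. The system entropy source is replaced by a constructed deterministic function so the example runs offline, the limit values are illustrative, and all names are this example's own.

```c
#include <stdint.h>
#include <string.h>

#define ROTL(v, n) (((v) << (n)) | ((v) >> (32 - (n))))
#define QR(a, b, c, d) a += b; d ^= a; d = ROTL(d, 16); c += d; b ^= c; b = ROTL(b, 12); \
                       a += b; d ^= a; d = ROTL(d, 8);  c += d; b ^= c; b = ROTL(b, 7)
#define LOAD32(p) ((uint32_t)(p)[0] | (uint32_t)(p)[1] << 8 | (uint32_t)(p)[2] << 16 | (uint32_t)(p)[3] << 24)

/* One ChaCha20 block: 10 double-rounds over the 16-word state, then feed-forward. */
static void chacha20_block(const uint32_t in[16], uint32_t out[16])
{
    uint32_t x[16];
    memcpy(x, in, sizeof(x));
    for (int i = 0; i < 10; i++) {
        QR(x[0], x[4], x[8], x[12]);  QR(x[1], x[5], x[9], x[13]);
        QR(x[2], x[6], x[10], x[14]); QR(x[3], x[7], x[11], x[15]);
        QR(x[0], x[5], x[10], x[15]); QR(x[1], x[6], x[11], x[12]);
        QR(x[2], x[7], x[8], x[13]);  QR(x[3], x[4], x[9], x[14]);
    }
    for (int i = 0; i < 16; i++) out[i] = x[i] + in[i];
}

struct prng {
    uint32_t state[16];            /* constants | 256-bit key | block counter | 96-bit nonce */
    uint8_t buf[64];               /* keystream not yet handed out: its last `avail` bytes */
    size_t avail, produced, limit; /* `produced` since the last outside seed; reseed at `limit` */
};

/* seed = 32-byte key followed by 12-byte nonce */
static void prng_init(struct prng *p, const uint8_t seed[44], size_t limit)
{
    static const uint8_t sigma[17] = "expand 32-byte k";
    for (int i = 0; i < 4; i++) p->state[i] = LOAD32(sigma + 4 * i);
    for (int i = 0; i < 8; i++) p->state[4 + i] = LOAD32(seed + 4 * i);
    for (int i = 0; i < 3; i++) p->state[13 + i] = LOAD32(seed + 32 + 4 * i);
    p->state[12] = 0; p->avail = 0; p->produced = 0; p->limit = limit;
}

static void prng_generate(struct prng *p, uint8_t *out, size_t len)
{
    while (len > 0) {
        if (p->avail == 0) { /* squeeze the next keystream block */
            uint32_t blk[16];
            chacha20_block(p->state, blk);
            for (int i = 0; i < 64; i++) p->buf[i] = (uint8_t)(blk[i / 4] >> (8 * (i % 4)));
            p->state[12]++; p->avail = 64;
        }
        size_t n = len < p->avail ? len : p->avail;
        memcpy(out, p->buf + (64 - p->avail), n);
        p->avail -= n; p->produced += n; out += n; len -= n;
    }
}

/* Stand-in for getrandom()/urandom: constructed, deterministic bytes so the example
 * runs offline; every call returns a different seed. Real code reads the kernel. */
static void system_entropy(uint8_t *out, size_t len)
{
    static uint8_t calls = 0; calls++;
    for (size_t i = 0; i < len; i++) out[i] = (uint8_t)(0xA5 ^ (i * 7) ^ calls);
}

enum rnd_level { RND_NONCE, RND_RANDOM, RND_KEY };
struct rnd_ctx { struct prng nonce, random; };
#define RANDOM_LIMIT (1u << 20) /* bytes before RANDOM pulls fresh system entropy (illustrative) */
#define NONCE_LIMIT  (1u << 16) /* bytes before NONCE is reseeded from RANDOM (illustrative) */
/* Both generators start "exhausted", so the first request seeds them through the chain. */
static void rnd_init(struct rnd_ctx *c)
{
    memset(c, 0, sizeof(*c));
    c->random.limit = c->random.produced = RANDOM_LIMIT;
    c->nonce.limit = c->nonce.produced = NONCE_LIMIT;
}

static void rnd_get(struct rnd_ctx *c, enum rnd_level level, uint8_t *out, size_t len)
{
    struct prng *g = level == RND_NONCE ? &c->nonce : &c->random;
    uint8_t seed[44];
    if (g->produced >= g->limit) { /* reseed from the next-best generator */
        if (level == RND_NONCE) rnd_get(c, RND_RANDOM, seed, sizeof(seed));
        else system_entropy(seed, sizeof(seed));
        prng_init(g, seed, g->limit);
    }
    prng_generate(g, out, len);
    if (level == RND_KEY) { /* long-term key: rekey so the state that produced it is gone */
        size_t produced = g->produced;
        prng_generate(g, seed, sizeof(seed));
        prng_init(g, seed, g->limit);
        g->produced = produced; /* self-rekeying brings no fresh entropy */
    }
}
/* Two NONCE draws differ, and a KEY draw leaves a different key in the generator. */
static int rnd_selftest(void)
{
    struct rnd_ctx c; uint8_t a[32], b[32]; uint32_t key_before[8];
    rnd_init(&c);
    rnd_get(&c, RND_NONCE, a, sizeof(a));
    rnd_get(&c, RND_NONCE, b, sizeof(b));
    if (memcmp(a, b, sizeof(a)) == 0) return 0;
    memcpy(key_before, &c.random.state[4], sizeof(key_before));
    rnd_get(&c, RND_KEY, a, sizeof(a));
    return memcmp(key_before, &c.random.state[4], sizeof(key_before)) != 0;
}
```

The RANDOM and KEY levels share one generator, as in "use two random generators instead of 3"; what distinguishes a KEY request is the rekey afterwards, which overwrites the key and nonce with fresh output and discards the buffered keystream, so a later compromise of the generator yields nothing about keys already issued. The `produced` counter is deliberately not reset by that self-rekey, because only a reseed from the system adds entropy.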
Nikos Mavrogiannopoulos [Sun, 19 Feb 2017 09:40:44 +0000 (10:40 +0100)]
rnd: aligned type of data counter with input data type (size_t)
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Sun, 19 Feb 2017 08:57:39 +0000 (09:57 +0100)]
random: keep global list of initialized contexts
This allows all random generator contexts to be properly deinitialized
on library deinitialization.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Sat, 18 Feb 2017 20:47:33 +0000 (21:47 +0100)]
rnd: removed call of _rnd_system_entropy_deinit on deinit
This was already being done in _gnutls_rnd_deinit().
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 27 Jan 2017 12:52:23 +0000 (13:52 +0100)]
Removed locks from internal rng
Also made the rng back-end to be thread-safe.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 27 Jan 2017 09:21:56 +0000 (10:21 +0100)]
Use a thread local random generator.
This allows accessing the per-thread random generator in
a lock-free way, at the cost of additional memory per thread.
The default random generator imposes around 640 bytes per thread
on 64-bit architectures.
Resolves: #141
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 6 Mar 2017 06:38:20 +0000 (07:38 +0100)]
Makefile.am: added missing file
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Mon, 6 Mar 2017 05:58:29 +0000 (06:58 +0100)]
.gitlab-ci.yml: execute initialization stage unconditionally [ci skip]
This step is required both in tags and commit runs.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sun, 5 Mar 2017 17:22:04 +0000 (18:22 +0100)]
datum.h: documented behavior of datum functions
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sun, 5 Mar 2017 17:17:36 +0000 (18:17 +0100)]
_gnutls_set_strdatum: always return an allocated string on success
That prevents returning NULL to functions which require a string.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Alex Gaynor [Sun, 5 Mar 2017 02:21:30 +0000 (02:21 +0000)]
Enforce the max packet length for OpenPGP subpackets as well
This addresses:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=392
Signed-off-by: Alex Gaynor <alex.gaynor@gmail.com>
Nikos Mavrogiannopoulos [Sun, 5 Mar 2017 07:08:10 +0000 (08:08 +0100)]
doc: corrected typo [ci skip]
It was pointed out by morozov@eags.ru.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Fri, 3 Mar 2017 08:31:37 +0000 (09:31 +0100)]
doc update
Nikos Mavrogiannopoulos [Fri, 3 Mar 2017 08:29:12 +0000 (09:29 +0100)]
tests: do not generate certificates with serial being zero
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Fri, 3 Mar 2017 07:48:41 +0000 (08:48 +0100)]
tests: check whether a certificate with illegal version is rejected
That is, whether a certificate with version zero fails to import.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Fri, 3 Mar 2017 07:38:01 +0000 (08:38 +0100)]
gnutls_x509_crt_set_version: do not allow writing illegal versions
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Fri, 3 Mar 2017 07:28:47 +0000 (08:28 +0100)]
x509: reject illegal certificate versions
Resolves #182
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Fri, 3 Mar 2017 07:44:41 +0000 (08:44 +0100)]
gnutls_x509_crt_set_serial: refuse to write all-zero serial number
This is prohibited by RFC5280.
Relates #181
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Fri, 3 Mar 2017 07:27:23 +0000 (08:27 +0100)]
gnutls_x509_crt_set_serial: document the 20-byte limit for serial sizes
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
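Three commits on this page put bounds on integers read from DER before they are acted on: "PKCS8/PKCS12: enforce a maximum number of iterations" (an attacker-chosen iteration count must not be able to make the parser spend unbounded CPU on PBKDF rounds), "gnutls_x509_crt_set_serial: refuse to write all-zero serial number" together with "document the 20-byte limit for serial sizes" (RFC 5280 requires a positive serial of at most 20 octets), and "x509: reject illegal certificate versions". The following is an added example written for this page, not GnuTLS code: a minimal DER INTEGER decoder shared by the three checks, with constructed sample encodings. The iteration ceiling, the error codes and all names are this example's own; the real ceiling is a policy decision and should be set where the PBKDF cost is understood.

```c
#include <stddef.h>
#include <stdint.h>

enum { DER_OK = 0, DER_ERR_FORMAT = -1, DER_ERR_RANGE = -2 };

#define MAX_PBKDF_ITERATIONS 10000000UL /* example ceiling; a policy choice, not a standard */
#define MAX_SERIAL_OCTETS 20            /* RFC 5280 4.1.2.2 */

/* Decode one DER INTEGER with a short-form length (enough for serial numbers and
 * iteration counts). On success *val/*vlen are the two's-complement content
 * octets; the input must be consumed exactly and the encoding must be minimal. */
static int der_integer(const uint8_t *der, size_t len, const uint8_t **val, size_t *vlen)
{
    if (len < 3 || der[0] != 0x02 || der[1] == 0 || der[1] > 127) return DER_ERR_FORMAT;
    size_t n = der[1];
    if (2 + n != len) return DER_ERR_FORMAT;            /* truncated or trailing bytes */
    const uint8_t *v = der + 2;
    if (n > 1 && ((v[0] == 0x00 && !(v[1] & 0x80)) ||   /* non-minimal encoding */
                  (v[0] == 0xff && (v[1] & 0x80))))
        return DER_ERR_FORMAT;
    *val = v; *vlen = n;
    return DER_OK;
}

/* Positive INTEGER that fits an unsigned long; a leading 0x00 sign pad is dropped. */
static int der_positive_ulong(const uint8_t *der, size_t len, unsigned long *out)
{
    const uint8_t *v; size_t n;
    int rc = der_integer(der, len, &v, &n);
    if (rc != DER_OK) return rc;
    if (v[0] & 0x80) return DER_ERR_RANGE;                 /* negative */
    if (v[0] == 0x00) { v++; n--; }                        /* pad only precedes a byte >= 0x80 */
    if (n > sizeof(unsigned long)) return DER_ERR_RANGE;   /* wider than we can hold */
    unsigned long x = 0;
    for (size_t i = 0; i < n; i++) x = (x << 8) | v[i];
    if (x == 0) return DER_ERR_RANGE;
    *out = x;
    return DER_OK;
}

/* PKCS#8/PKCS#12 PBKDF iteration count: positive and below a hard ceiling, so a
 * hostile file cannot make the parser burn CPU on billions of PBKDF rounds.
 * Returns the count, or a negative error code. */
static long iteration_count_or_error(const uint8_t *der, size_t len)
{
    unsigned long iters;
    int rc = der_positive_ulong(der, len, &iters);
    if (rc != DER_OK) return rc;
    if (iters > MAX_PBKDF_ITERATIONS) return DER_ERR_RANGE;
    return (long)iters;
}

/* RFC 5280: serialNumber is a positive INTEGER of at most 20 octets. */
static int check_serial(const uint8_t *der, size_t len)
{
    const uint8_t *v; size_t n;
    int rc = der_integer(der, len, &v, &n);
    if (rc != DER_OK) return rc;
    if ((v[0] & 0x80) || n > MAX_SERIAL_OCTETS) return DER_ERR_RANGE;
    if (n == 1 && v[0] == 0) return DER_ERR_RANGE; /* zero; longer all-zero forms fail as non-minimal */
    return DER_OK;
}

/* RFC 5280 Version ::= INTEGER { v1(0), v2(1), v3(2) }; returns 1..3, or an error. */
static int check_version(const uint8_t *der, size_t len)
{
    const uint8_t *v; size_t n;
    int rc = der_integer(der, len, &v, &n);
    if (rc != DER_OK) return rc;
    if (n != 1 || v[0] > 2) return DER_ERR_RANGE;
    return v[0] + 1;
}

/* Constructed DER samples for this example (not taken from any real file). */
static const uint8_t der_iter_2048[]   = { 0x02, 0x02, 0x08, 0x00 };
static const uint8_t der_iter_huge[]   = { 0x02, 0x05, 0x00, 0xff, 0xff, 0xff, 0xff }; /* 4294967295 */
static const uint8_t der_iter_zero[]   = { 0x02, 0x01, 0x00 };
static const uint8_t der_nonminimal[]  = { 0x02, 0x02, 0x00, 0x10 };
static const uint8_t der_serial_ok[]   = { 0x02, 0x03, 0x00, 0xbe, 0xef };
static const uint8_t der_serial_zero[] = { 0x02, 0x01, 0x00 };
static const uint8_t der_version_v3[]  = { 0x02, 0x01, 0x02 };
```

The decoder rejects non-minimal and over-long encodings before any value is computed, so the callers only reason about a canonical integer: the iteration check compares against the ceiling, the serial check needs nothing beyond sign, zero and octet count, and the version check maps the encoded 0..2 to the v1..v3 numbering used by the X.509 APIs.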
Nikos Mavrogiannopoulos [Wed, 1 Mar 2017 11:51:47 +0000 (12:51 +0100)]
doc update
Nikos Mavrogiannopoulos [Wed, 1 Mar 2017 10:59:50 +0000 (11:59 +0100)]
tests: chainverify: incorporated the tests for unknown critical extensions
These check whether unknown critical extensions are detected during verification,
and whether the flag GNUTLS_VERIFY_IGNORE_UNKNOWN_CRIT_EXTENSIONS, is honored
during verification.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 1 Mar 2017 10:47:17 +0000 (11:47 +0100)]
x509.h: introduced flag GNUTLS_VERIFY_IGNORE_UNKNOWN_CRIT_EXTENSIONS
That flag signals the verification process, not to fail on unknown critical
extensions. This can be used when the critical extension checking in a chain
is handled externally.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 27 Feb 2017 15:54:33 +0000 (16:54 +0100)]
tests: verify that critical extensions can be stored
That is, ensure that we don't repeat the regression of
certtool not processing free-form critical extensions when no
other free-form extensions are present.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 27 Feb 2017 14:50:44 +0000 (15:50 +0100)]
tests: added verification for unknown critical extensions
This tests whether unknown critical extensions will cause a verification
failure.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 27 Feb 2017 13:48:37 +0000 (14:48 +0100)]
x509/verify: refuse to verify certificates with unknown critical extensions
That is, introduced flag GNUTLS_CERT_UNKNOWN_CRIT_EXTENSIONS, which is
set when the chain under verification contains unsupported extensions marked
as critical.
Resolves: #177
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 1 Mar 2017 09:17:41 +0000 (10:17 +0100)]
.gitlab-ci.yml: run tests under a FIPS140 mode simulation
That is, in FIPS140-2/Fedora/x86_64 build, run tests under a normal
run (when library is compiled with FIPS140-2 support but not enabled
on run time), and also run tests under a run-time that simulates
FIPS140-2 support.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 1 Mar 2017 16:13:37 +0000 (17:13 +0100)]
crypto-self-tests: modified exported functions to work under fips140-2 mode
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 1 Mar 2017 14:52:13 +0000 (15:52 +0100)]
tests: skip tests which cannot be run in FIPS140-2 mode
This allows the test suite to be run in FIPS140-2 mode.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 1 Mar 2017 14:42:25 +0000 (15:42 +0100)]
_gnutls_pk_params_copy: copy the provable algorithm used
This affected utilization of generated RSA keys under FIPS140-2 mode,
which utilizes provable generation.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 1 Mar 2017 13:31:30 +0000 (14:31 +0100)]
gnutls_session_ticket_key_generate: fixed operation under FIPS140-2 mode
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 1 Mar 2017 13:05:31 +0000 (14:05 +0100)]
tests: priorities: enhanced the test to work under FIPS140-2 mode
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 1 Mar 2017 12:46:43 +0000 (13:46 +0100)]
gnutls-cli: print the ciphers, MACs and KXs when priority string is given
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 1 Mar 2017 12:39:39 +0000 (13:39 +0100)]
gnutls_priority_get_cipher_suite_index: do not return values for non-existent ciphers
That is, return only the enabled algorithms in states like FIPS140-2,
rather than returning the set that would have been enabled if these
restrictions were not in place.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 28 Feb 2017 14:46:07 +0000 (15:46 +0100)]
README.md: removed info that gnutls is a gnu project [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 28 Feb 2017 14:33:45 +0000 (15:33 +0100)]
tests: doc update [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 1 Mar 2017 06:58:04 +0000 (07:58 +0100)]
tests: added test cases with invalid openpgp certs
These certificates contain invalid secret key sub-packets.
These trigger invalid memory accesses:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=360
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=354
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Wed, 1 Mar 2017 06:54:04 +0000 (07:54 +0100)]
opencdk: do not parse any secret keys in packet when reading a certificate
This reduces the attack surface on the parsers, and prevents any bugs
in the secret key parser from being exploitable by inserting secret key
sub-packets into an openpgp certificate.
This addresses:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=354
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=360
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Tue, 28 Feb 2017 09:32:38 +0000 (10:32 +0100)]
tests: crt_apis: added tests for writing/reading unique IDs
That is check the functionality of:
- gnutls_x509_crt_get_subject_unique_id
- gnutls_x509_crt_get_issuer_unique_id
- gnutls_x509_crt_set_issuer_unique_id
- gnutls_x509_crt_set_subject_unique_id
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>