Updated auto-generated files

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

str-idna: cleanups in IDNA handling

Ensure safe operation even with broken libidn2, and make
sure that we properly allocate memory to caller, even on complex
library configuration.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

fuzz: added run-afl helper script

This script which allows running the fuzzying tests
locally using american fuzzy lop.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

fuzz: Added IDNA encoding/decoding fuzzying units

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Move IDNA functionality to str-idna.c from str-unicode.c

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

tests: use the exported API for IDNA testing

In addition group together the tests which require libidn2 >= 0.14.
This allows the tests to succeed.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

tools: depend on gnutls_idna_map() instead of using directly libidn/libidn2

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Exported gnutls_idna_map() and gnutls_idna_reverse_map()

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

.gitlab-ci.yml: added run with IDNA2003

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

tests: simplified str-idna

This separates the directions that are tested (utf-8 -> punycode
and vice versa).

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

configure: added flag to force IDNA2003

That allows to compile with libidn even if libidn2 is present, and
can be used to check IDNA2003 support.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Add support for libidn2 (IDNA 2008 + TR46)

Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

pkcs7 decryption: addressed memory leak in PBES1-DES-CBC-MD5 handling

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

minitasn1: updated to libtasn1 4.10

configure: do not disable valgrind tests unless explicitly specified

... or unless we are in release build.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Makefile.am: increased the number of releases to perform ABI checks with

That is added 3.4.0, 3.4.17 and 3.5.8.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

tests: verify that a written certificate will inherit its ID from privkey

That is, whether p11tool will do the right thing and figure the proper
ID to use for a certificate object, if the public key is available.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

p11tool: re-use ID from corresponding objects when writing certificates

That is when writing a certificate which has a corresponding public key,
or private key in the token, ensure that we use the same ID for the
objects. That eases the work of someone writing objects to certificates,
and does not require him to manually detect the object IDs.

Resolves #160

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

.gitlab-ci.yml: add Fedora/x86_64/no-tools

Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

valgrind: support separate builddir for suppressions.valgrind

Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

configure: remove void statement

Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

tests: skip tests that requires tools if tools are disabled

building with --disable-tools should not cause test failure.

Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

doc: improved documentation on DH parameters [ci skip]

Revert "tests: suite: pkcs11: skip if no softhsm"

This reverts commit 276a6ee44d80d4d3b144a78794020c177be8f0ea.
The reason is to avoid having changes in softhsm packaging, result
to skipping large parts of the test suite without someone noticing.

_decode_pkcs8_dsa_key: ensure that the P value is non-zero

When decoding a DSA private key, and constructing the public key
ensure that P is non-zero, and thus can be used as modulus.

Issue found using oss-fuzz:
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=393

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: added private key causing FPE

Issue found using oss-fuzz:
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=393

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

_gnutls_decrypt_pbes1_des_md5_data: ensure that encrypted data size is a multiple of blocksize

That prevents incorrect data reaching nettle which has only
assertion checks (leading to an abort).

Issue found using oss-fuzz:
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=389

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: added PKCS#8 key which causes undefined behavior on import

Issue found using oss-fuzz:
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=389

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: added certificate which reproduces a leak in gnutls_x509_ext_import_aia

Issue found using oss-fuzz:
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=385

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

x509: eliminated memory leak on gnutls_x509_ext_import_aia

Issue found using oss-fuzz:
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=385

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

doc update

tests: added check which ensures a client cannot receive during handshake

Relates #158

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: added check which ensures a client cannot transmit during handshake

Relates #158

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: cleanup error reporting in handshake-false-start

Refuse to receive data during handshake

This prevents buggy applications from receiving non-authenticated data
that may have arrived during the handshake.

Relates #158

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Refuse to send data during handshake

That prevents buggy applications from transmitting sensitive data during
handshake.

Resolves #158

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Disable AVX support when it is not supported by the CPU

This mostly affects virtual systems. Reported by Frank Chen.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

opencdk: improved error code checking in the stream reading functions

This amends 49be4f7b82eba2363bb8d4090950dad976a77a3a

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

minitasn1: updated to latest git version

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

doc: removed references to OpenPGP functions and enumerations

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

doc: removed documentation related to OpenPGP and guile

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

doc: removed documentation related to OpenPGP

Also added section explaining why OpenPGP is being deprecated.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

openpgp.h: all openpgp functionality was marked as deprecated

This is to prevent new applications using that functionality.
As the OpenPGP certificate for HTTPS (or TLS in general) never got
any traction, GnuTLS is the only implementation supporting it,
and the quality of the OpenPGP supporting code is questionable,
we deprecate that code with the intention to drop it completely
when an opportunity is given.

Relates #102

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: added missing file

CONTRIBUTING.md: Improve instructions on git-template [ci skip]

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

tests: remove bash usage

Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

tests: suite: chain: support separate builddir

Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

tests: skip tests that requires tools if tools are disabled

building with --disable-tools should not cause test failure.

Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

gitignore: update [ci skip]

Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

gitignore: sort()

Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

opencdk: added error checking in the stream reading functions

This addresses an out of memory error. Issue found using oss-fuzz:
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=337

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: added test case with invalid openpgp cert

This triggers an out of memory error. Issue found using oss-fuzz:
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=337

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

opencdk: cdk_pk_get_keyid: fix stack overflow

Issue found using oss-fuzz:
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=340

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: added test case with invalid openpgp cert

This triggers a memory error. Issue found using oss-fuzz:
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=340

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: added test case with invalid openpgp cert

This triggers a memory error. Issue found using oss-fuzz:
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=346

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

opencdk: read_attribute: added more precise checks when reading stream

That addresses heap read overflows found using oss-fuzz:
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=338
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=346

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: added test case with invalid openpgp cert

This triggers a memory error. Issue found using oss-fuzz:
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=338

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: openpgp-cert-parser: simplified

auth rsa: eliminated memory leak on pkcs-1 formatting attack path

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: added reproducer for server issues

This allows to reproduce issues found on server side, by adding
a transcript in server-interesting. Currently it contains values
found using oss-fuzz.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

_decode_pkcs8_dsa_key: fixed memory leak on error path

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

decode_private_key_info: eliminate memory leaks on error path

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

_gnutls_x509_read_dsa_params: update params structure parameters size on successful read

That will allow proper deinitialization of the parameters even if
the structure fill up doesn't succeed.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: added test with private key that causes memory leak

Issue found using oss-fuzz:
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=371

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

_gnutls_pkcs12_string_to_key: avoid division by zero when salt_size = 0

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: added test with PKCS#8 key that signals FPE

Issue found using oss-fuzz:
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=376

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: skip tests that requires tools if tools are disabled

building with --disable-tools should not cause test failure.

Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

tests: cert-tests: pkcs12 drop builddir usage

sync with other tests

Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

tests: suite: pkcs11: skip if no softhsm

similar to other tests

Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

gnutls_x509_ext_import_policies: fixed memory leak on error path

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: added test case with invalid X.509 cert

This triggers a memory leak. Issue found using oss-fuzz:
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=294

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

x509 output: fixed memory leak in AIA extension printing

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: added test case with invalid X.509 cert

Issue found using oss-fuzz:
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=300

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

doc: document how to enhance the testsuite with issues found

status_request: eliminated leak on error path

Issue found using oss-fuzz:
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=269

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

proc_server_kx: eliminated leak on error path

Issue found using oss-fuzz:
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=272

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: added reproducer for client issues

This allows to reproduce issues found on client handling, by adding
a transcript in client-interesting. Currently it contains values
found using oss-fuzz.

The client3.disabled transcript is disabled because it depends
on a fix in nettle.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: do not run key-tests under leak sanitizer

The reason is that we cannot distinguish between a memory leak on
application failure (which is followed by exit- thus should be ignored)
and an address sanitizer issue (which should never be ignored).
As such we disable leak detection with asan and rely on valgrind.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: illegal-rsa: don't hide stderr

tests: added suite for checking PKCS#7 structure import

The initial (problematic) structures have been obtained from oss-fuzz
project.

fuzz: added basic Makefile to assist in reproducing [ci skip]

Also updated README.md

Simplified contribution policy [ci skip]

Also added a template to assist in the required steps to contribute.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

_gnutls_x509_get_signature: fix memory leak on error path

tests: added test case with invalid X.509 certificate

This certificate causes a memory leak while printing.

Issue found using oss-fuzz:
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=280

Relates #156

valgrind: use different exit code to signify error

This allows the test suite to differentiate between valgrind and expected
errors from tools.

tests: cert-tests: force asan to return an error code other than one on failure

gnutls_pkcs8_info: addressed memory leak on error path

certtool: pkcs8_info_int: fix memory leak

wrap_nettle_mpi_modm: bail on a modulus that is zero

Relates #156

tests: added test for invalid private keys

Also force asan to return an error code other than one (the normally
expected for invalid keys).

x509: address leak in print_altname - cert printing

tests: added certificate to reproduce memory leak

Found by oss-fuzz project:
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=299

Relates #156

tests: added test case with invalid PKCS#8 data

Issue found using oss-fuzz:
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=363

Relates #156

nettle: added a safety net on wrap_nettle_cipher_setiv()

Return error if attempting to set invalid IV size.

pkcs7 decrypt: require a valid IV size on all ciphers

That is, do not accept the IV size present in the structure as valid
without checking.

Relates #156

fuzz: added a PBES1 PKCS#8 private key file into corpus

pkcs8: pkcs8_key_info() will correctly detect non-encrypted files

certtool: don't print PKCS#8 information when outputting DER data

Corrected a leak in OpenPGP sub-packet parsing.

Signed-off-by: Alex Gaynor <alex.gaynor@gmail.com>

doc: fixed copyright date in gnutls.texi