git.ipfire.org Git - thirdparty/gnutls.git/log
Nikos Mavrogiannopoulos [Tue, 6 Mar 2018 14:09:50 +0000 (15:09 +0100)]
signatures: distinguish RSA-PSS signatures with RSA PKCS#1 1.5 certificates from "pure"
This change enhances signature algorithms to have a private key algorithm
parameter. That is, to allow signature algorithms operating with a private
key of type X while the public key is of type Y. That is useful for the
RSA-PSS signatures which are of two types; one which is seen from servers
having PKCS#1 1.5 certificates, the other with RSA-PSS certificates, while
both utilize RSA-PSS private keys.
This is a draft-ietf-tls-tls13-23 change.
Resolves #400
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 28 Feb 2018 11:41:40 +0000 (12:41 +0100)]
Server hello format follows TLS1.2 format
Also version negotiation was moved to supported_versions extension,
and session ID is set by client following appendix D.4.
This is a draft-ietf-tls-tls13-22 change.
Resolves #393, #389, #397
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 28 Feb 2018 10:38:53 +0000 (11:38 +0100)]
Renumbered the key share extension to 51
This is a draft-ietf-tls-tls13-23 change.
Resolves #398
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 22 Feb 2018 15:12:55 +0000 (16:12 +0100)]
record: ignore any ChangeCipherSpec messages under TLS1.3 handshake
Also send ChangeCipherSpec messages under TLS1.3 handshake.
This is a draft-ietf-tls-tls13-22 change.
Resolves #395
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 22 Feb 2018 13:42:43 +0000 (14:42 +0100)]
record: send 0x0303 under TLS1.3
This is a draft-ietf-tls-tls13-22 change.
Resolves #396
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 8 Mar 2018 11:03:39 +0000 (12:03 +0100)]
cryptodev: fix prototype of cryptodev_mac_fast [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 7 Mar 2018 15:14:51 +0000 (16:14 +0100)]
cryptodev: added missing macro [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 5 Mar 2018 16:17:39 +0000 (16:17 +0000)]
Merge branch 'tmp-fix-re-encoding' into 'master'
Avoid re-encoding of certificates
See merge request gnutls/gnutls!608
Nikos Mavrogiannopoulos [Mon, 5 Mar 2018 14:42:14 +0000 (15:42 +0100)]
tests: added unit tests of gnutls_x509_crt_export
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 2 Mar 2018 22:21:34 +0000 (23:21 +0100)]
doc update
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Fri, 2 Mar 2018 22:09:11 +0000 (23:09 +0100)]
gnutls_x509_crt_export2: avoid re-encoding
That prevents possible re-encoding issues in libtasn1 or ambiguously
formatted DER data, from affecting verbatim usage of certificates.
Relates #403
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Fri, 2 Mar 2018 16:48:01 +0000 (17:48 +0100)]
tests: added reproducer with DER re-encoding error on client side
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Sun, 4 Mar 2018 18:07:29 +0000 (19:07 +0100)]
cfg.mk: update-po rule uses commit -s
This makes it produce a commit message which can be sent to
the repo (Signed-off-by is mandatory).
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sun, 4 Mar 2018 18:01:41 +0000 (19:01 +0100)]
Sync with TP.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sun, 4 Mar 2018 18:01:23 +0000 (19:01 +0100)]
CONTRIBUTING.md: added more info about gnulib
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sun, 4 Mar 2018 18:03:52 +0000 (18:03 +0000)]
Merge branch 'tmp-fuzzer-coverage' into 'master'
Improve fuzzer coverage report creation
See merge request gnutls/gnutls!609
Tim Rühsen [Sat, 3 Mar 2018 17:42:20 +0000 (18:42 +0100)]
Improve fuzzer coverage report creation
Nikos Mavrogiannopoulos [Sat, 3 Mar 2018 15:28:08 +0000 (15:28 +0000)]
Merge branch 'tmp-rsa-pss-fix' into 'master'
_gnutls_find_rsa_pss_salt_size: add a validity check for salt size
Closes #402
See merge request gnutls/gnutls!607
Nikos Mavrogiannopoulos [Fri, 2 Mar 2018 22:40:43 +0000 (23:40 +0100)]
pkcs11: set the modulus bits on RSA keys
That value is necessary when using RSA-PSS keys.
Relates #402
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Fri, 2 Mar 2018 13:51:31 +0000 (14:51 +0100)]
gnutls_privkey_import_ext4: enhanced with GNUTLS_PRIVKEY_INFO_PK_ALGO_BITS flag
That flag is utilized by the information function to obtain the
value of the parameters (e.g., modulus). That information is necessary
to safely handle RSA-PSS keys.
For RSA-PSS keys this is a regression since 3.6.0 where this API was
introduced, but as this change is necessary and 3.6.x is not yet marked
as stable, it should be acceptable.
Relates #402
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 2 Mar 2018 10:18:12 +0000 (11:18 +0100)]
_gnutls_find_rsa_pss_salt_size: add a validity check for salt size
That is, in order to reject invalid parameters.
Resolves #402
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
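The three commits above (the salt-size validity check, the pkcs11 modulus-bits fix and the GNUTLS_PRIVKEY_INFO_PK_ALGO_BITS flag) all exist because EMSA-PSS cannot be encoded at all unless emLen >= hLen + sLen + 2, and emLen is derived from the modulus size. The following is an added example, not GnuTLS code: a pure-Python EMSA-PSS encoder/verifier per RFC 8017 9.1.1/9.1.2 that exposes the same bound as a reusable check. The key sizes, hash names and salts used in it are constructed for illustration, and no RSA operation is performed, since the salt-size rule lives entirely in the encoding step.

```python
import hashlib


def mgf1(seed: bytes, length: int, hash_name: str) -> bytes:
    """MGF1 mask generation (RFC 8017 B.2.1): Hash(seed || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def max_pss_salt_len(modulus_bits: int, hash_name: str) -> int:
    """Largest salt EMSA-PSS can encode for this key/hash: emLen - hLen - 2.
    Without the modulus size this value cannot be computed, which is why the
    key info API needs to expose the bit length for RSA-PSS keys."""
    em_len = (modulus_bits - 1 + 7) // 8          # emBits = modBits - 1
    return em_len - hashlib.new(hash_name).digest_size - 2


def salt_len_is_valid(modulus_bits: int, hash_name: str, salt_len: int) -> bool:
    return 0 <= salt_len <= max_pss_salt_len(modulus_bits, hash_name)


def emsa_pss_encode(message: bytes, modulus_bits: int, hash_name: str, salt: bytes) -> bytes:
    """EMSA-PSS-ENCODE (RFC 8017 9.1.1); raises on the 'encoding error' condition."""
    em_bits = modulus_bits - 1
    em_len = (em_bits + 7) // 8
    m_hash = hashlib.new(hash_name, message).digest()
    h_len, s_len = len(m_hash), len(salt)
    if em_len < h_len + s_len + 2:
        raise ValueError("encoding error: salt too long for this modulus/hash")
    h_val = hashlib.new(hash_name, b"\x00" * 8 + m_hash + salt).digest()
    db = b"\x00" * (em_len - s_len - h_len - 2) + b"\x01" + salt
    db_mask = mgf1(h_val, em_len - h_len - 1, hash_name)
    masked_db = bytearray(a ^ b for a, b in zip(db, db_mask))
    unused = 8 * em_len - em_bits                  # leftmost bits that must be zero
    masked_db[0] &= 0xFF >> unused
    return bytes(masked_db) + h_val + b"\xbc"


def emsa_pss_verify(message: bytes, em: bytes, modulus_bits: int, hash_name: str, s_len: int) -> bool:
    """EMSA-PSS-VERIFY (RFC 8017 9.1.2) for a fixed expected salt length."""
    em_bits = modulus_bits - 1
    em_len = (em_bits + 7) // 8
    m_hash = hashlib.new(hash_name, message).digest()
    h_len = len(m_hash)
    if em_len < h_len + s_len + 2 or len(em) != em_len or em[-1] != 0xBC:
        return False
    masked_db, h_val = em[:em_len - h_len - 1], em[em_len - h_len - 1:-1]
    unused = 8 * em_len - em_bits
    if unused and masked_db[0] >> (8 - unused):
        return False
    db_mask = mgf1(h_val, em_len - h_len - 1, hash_name)
    db = bytearray(a ^ b for a, b in zip(masked_db, db_mask))
    db[0] &= 0xFF >> unused
    ps_len = em_len - h_len - s_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:
        return False
    salt = bytes(db[ps_len + 1:])
    return hashlib.new(hash_name, b"\x00" * 8 + m_hash + salt).digest() == h_val
```

The point of running the check up front is that a caller who trusts a salt length taken from PSS parameters without comparing it against the modulus will either fail late inside the encoder or, worse, feed an oversized salt to a backend that does not check at all; validating against max_pss_salt_len() before any signing rejects such parameters at the API boundary.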
Nikos Mavrogiannopoulos [Fri, 2 Mar 2018 08:38:55 +0000 (09:38 +0100)]
tests: eliminated destructive tests
That adds a dependency to p11-kit 0.23.10 for the test suite.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 1 Mar 2018 15:38:29 +0000 (16:38 +0100)]
configure: simplified nettle version check
Relates #401
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Łukasz Stelmach [Tue, 27 Feb 2018 14:44:55 +0000 (15:44 +0100)]
gnutls-cli: do not ask any questions with --strict-tofu
Signed-off-by: Łukasz Stelmach <stlman@poczta.fm>
Tim Rühsen [Tue, 27 Feb 2018 21:04:10 +0000 (22:04 +0100)]
Update oss-fuzz corpora
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
Nikos Mavrogiannopoulos [Thu, 22 Feb 2018 10:43:53 +0000 (11:43 +0100)]
drbg-aes: use the new nettle APIs for AES
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 22 Feb 2018 10:29:08 +0000 (11:29 +0100)]
accelerated: padlock: use the new nettle APIs
Also remove any ifdefs for nettle (it is not conditionally compiled in),
and do not register accelerators for AES-192-CBC. That cipher is widely
ignored to bother.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 26 Feb 2018 10:46:09 +0000 (11:46 +0100)]
doc update
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 26 Feb 2018 10:44:56 +0000 (11:44 +0100)]
updated auto-generated files
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 23 Feb 2018 08:55:50 +0000 (09:55 +0100)]
gnutls_ext_raw_parse: introduced function
That function can be combined with callbacks like
gnutls_handshake_set_hook_function() for applications to
be able to process messages when necessary.
Resolves #382
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
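Both the gnutls_ext_raw_parse() entry above and the earlier draft-22/23 changes (version negotiation moved into supported_versions, key_share renumbered to 51) come down to walking a raw TLS extensions vector safely. The following is an added example and not GnuTLS's parser: a bounds-checked extension splitter plus the server-side version selection rule it feeds. The extension code points are the draft-23 values named in the log; the sample extension bytes and the server preference list are constructed for the example.

```python
import struct

EXT_SUPPORTED_VERSIONS = 43   # supported_versions code point
EXT_KEY_SHARE = 51            # key_share, renumbered to 51 in draft-ietf-tls-tls13-23
TLS12, TLS13 = 0x0303, 0x0304


def encode_extensions(exts):
    """Serialise [(type, data), ...] as a TLS extensions vector (2-byte length prefix)."""
    body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    return struct.pack("!H", len(body)) + body


def parse_extensions(blob):
    """Split a raw extensions vector into [(type, data), ...].

    Every length is checked against the enclosing vector before it is used, and a
    type that occurs twice is rejected (RFC 8446 4.2 forbids duplicates).
    """
    if len(blob) < 2:
        raise ValueError("decode_error: truncated extensions length")
    end = 2 + struct.unpack_from("!H", blob, 0)[0]
    if end != len(blob):
        raise ValueError("decode_error: extensions length does not match data")
    off, seen, out = 2, set(), []
    while off < end:
        if off + 4 > end:
            raise ValueError("decode_error: truncated extension header")
        etype, elen = struct.unpack_from("!HH", blob, off)
        off += 4
        if off + elen > end:
            raise ValueError("decode_error: extension data overruns the vector")
        if etype in seen:
            raise ValueError("illegal_parameter: duplicate extension %d" % etype)
        seen.add(etype)
        out.append((etype, blob[off:off + elen]))
        off += elen
    return out


def parse_supported_versions_client(data):
    """ClientHello supported_versions: 1-byte length followed by 2-byte versions."""
    if len(data) < 3 or data[0] != len(data) - 1 or data[0] % 2:
        raise ValueError("decode_error: malformed supported_versions")
    return [struct.unpack_from("!H", data, i)[0] for i in range(1, len(data), 2)]


def select_version(exts, legacy_version, server_preference):
    """Server-side version choice.

    With supported_versions present, legacy_version is ignored and the first
    version in server preference order that the client also offered wins.
    Without it, negotiation falls back to legacy_version capped at TLS 1.2;
    TLS 1.3 is never selected from legacy_version alone.
    """
    sv = dict(exts).get(EXT_SUPPORTED_VERSIONS)
    if sv is None:
        candidate = min(legacy_version, TLS12)
        return candidate if candidate in server_preference else None
    offered = parse_supported_versions_client(sv)
    for v in server_preference:
        if v in offered:
            return v
    return None
```

A hook installed with gnutls_handshake_set_hook_function() sees the raw message; the value of a parser like this is that it refuses a vector whose inner lengths disagree with the outer one instead of reading past it, and that it never lets a ClientHello with legacy_version 0x0304 but no supported_versions extension negotiate TLS 1.3.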
Nikos Mavrogiannopoulos [Wed, 21 Feb 2018 10:46:08 +0000 (11:46 +0100)]
fuzz: added TLS1.3 client and server traces [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 21 Feb 2018 10:21:36 +0000 (11:21 +0100)]
fuzz: enable fuzzer target in afl examples and add missing script [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 21 Feb 2018 10:20:31 +0000 (11:20 +0100)]
fuzz: fixes in README file [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 19 Feb 2018 19:11:57 +0000 (20:11 +0100)]
updated Since version in new function entries as well as map file versions
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Mon, 19 Feb 2018 16:17:45 +0000 (17:17 +0100)]
fuzz: enable TLS1.3 in server and client fuzzers
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 19 Feb 2018 14:10:00 +0000 (15:10 +0100)]
updated auto-generated files
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 19 Feb 2018 14:02:36 +0000 (15:02 +0100)]
doc update
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Daiki Ueno [Tue, 23 Jan 2018 15:39:36 +0000 (16:39 +0100)]
record: new gnutls_record_send2 function
This adds a new function gnutls_record_send2() which takes an extra
argument to specify the padding size of the record.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Thu, 8 Feb 2018 12:24:46 +0000 (13:24 +0100)]
_gnutls_record_overhead: count content type octet in plaintext
In TLS 1.3, TLSInnerPlaintext has the 'type' field followed by the
padding. Exclude it from the overhead calculation.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Wed, 3 Jan 2018 13:14:56 +0000 (14:14 +0100)]
tests: check extended record padding work with TLS 1.3
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Thu, 21 Dec 2017 16:02:22 +0000 (17:02 +0100)]
range: make length hiding always usable under TLS 1.3
This patch reintroduces the extended record padding mode removed in
commit 7df219f0. Under TLS 1.3, the padding mode can be implemented
in the record protocol.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
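The record-layer commits earlier in this log (send 0x0303 as the record version, ignore ChangeCipherSpec during the TLS 1.3 handshake) and Daiki Ueno's padding commits (gnutls_record_send2 with a padding size, the content type octet counted in the overhead, length hiding in the record protocol) describe the same wire format from two sides. The following is an added example and not GnuTLS code: it builds TLSInnerPlaintext with explicit padding, shows that two contents of different length padded to the same block produce records of identical length, and reads records back while dropping the compatibility CCS and rejecting a wrong legacy version. The AEAD step is deliberately omitted; a zero tag of an assumed 16-byte length stands in for it, and all contents are constructed.

```python
import struct

CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23
LEGACY_RECORD_VERSION = 0x0303   # every TLS 1.3 record carries 0x0303 on the wire
TAG_LEN = 16                     # AEAD tag length assumed for AES-GCM / ChaCha20-Poly1305


def build_inner_plaintext(content, content_type, pad_len):
    """TLSInnerPlaintext = content || ContentType || zeros[pad_len]  (RFC 8446 5.2)."""
    return content + bytes([content_type]) + b"\x00" * pad_len


def parse_inner_plaintext(inner):
    """Strip zero padding from the end; the first non-zero octet is the content type."""
    end = len(inner)
    while end > 0 and inner[end - 1] == 0:
        end -= 1
    if end == 0:
        raise ValueError("unexpected_message: TLSInnerPlaintext carries no content type")
    return inner[end - 1], inner[:end - 1]


def record_overhead(pad_len, tag_len=TAG_LEN):
    """Bytes added to the content on the wire: type octet + padding + AEAD tag."""
    return 1 + pad_len + tag_len


def pad_len_for(content_len, block):
    """Padding that rounds content plus the type octet up to a multiple of `block`."""
    return (-(content_len + 1)) % block


def build_record(inner, tag_len=TAG_LEN):
    """TLSCiphertext framing. The AEAD step is omitted: the body is the inner
    plaintext followed by a zero tag, which is enough to show lengths and parsing."""
    body = inner + b"\x00" * tag_len
    return struct.pack("!BHH", APPLICATION_DATA, LEGACY_RECORD_VERSION, len(body)) + body


def build_ccs():
    """The dummy change_cipher_spec record sent for middlebox compatibility."""
    return struct.pack("!BHH", CHANGE_CIPHER_SPEC, LEGACY_RECORD_VERSION, 1) + b"\x01"


def read_records(stream, handshake_in_progress):
    """Parse concatenated records; return [(content_type, content), ...]."""
    out, off = [], 0
    while off < len(stream):
        if off + 5 > len(stream):
            raise ValueError("decode_error: truncated record header")
        rtype, version, length = struct.unpack_from("!BHH", stream, off)
        off += 5
        body = stream[off:off + length]
        if len(body) != length:
            raise ValueError("decode_error: truncated record body")
        off += length
        if version != LEGACY_RECORD_VERSION:
            raise ValueError("protocol_version: legacy_record_version must be 0x0303")
        if rtype == CHANGE_CIPHER_SPEC:
            if handshake_in_progress and body == b"\x01":
                continue   # ignored without touching any handshake or record state
            raise ValueError("unexpected_message: change_cipher_spec outside the handshake")
        if rtype != APPLICATION_DATA or length < TAG_LEN + 1:
            raise ValueError("unexpected_message: malformed protected record")
        out.append(parse_inner_plaintext(body[:-TAG_LEN]))   # AEAD open omitted
    return out
```

Two details matter for a sender that exposes a padding parameter: the overhead must count the type octet, otherwise a caller padding to a block boundary ends up one byte over it, and the receiver must reject an inner plaintext that is all zeros rather than treating it as an empty record of some type.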
Daiki Ueno [Wed, 3 Jan 2018 13:10:22 +0000 (14:10 +0100)]
tests: re-enable mini-record-range test
This test was previously disabled as part of NEW_PADDING extension
removal (commit 7df219f0). Even though the extension is not usable,
gnutls_record_send_range() should work with the standard TLS block
cipher padding.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Thu, 21 Dec 2017 14:53:30 +0000 (15:53 +0100)]
doc: fix mention of gnutls_record_send_range()
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Nikos Mavrogiannopoulos [Sat, 27 Jan 2018 15:38:14 +0000 (16:38 +0100)]
po: lib/x509/ocsp.c added to translatable files
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Thu, 4 Jan 2018 16:32:58 +0000 (17:32 +0100)]
tests: corrected various typos
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 4 Jan 2018 16:26:54 +0000 (17:26 +0100)]
doc: use 3.6.xx to be consistent with other version references
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 2 Jan 2018 11:44:15 +0000 (12:44 +0100)]
doc update
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 13 Dec 2017 09:11:57 +0000 (10:11 +0100)]
doc: getfuncs.pl: distinguish between different typedef types
That allows to properly distinguish a struct from a one liner
typedef.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 13 Dec 2017 07:00:38 +0000 (08:00 +0100)]
check_ocsp_response: print OCSP response actual error on debug log
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Tue, 12 Dec 2017 13:55:29 +0000 (14:55 +0100)]
x509/cert: reorganized
Split functionality related to certificate credentials and
session certificate handling in cert-cred.c and cert-session.c
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 29 Nov 2017 15:19:56 +0000 (16:19 +0100)]
tests: added unit test for gnutls_ocsp_resp_list_import2
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 18 Oct 2017 08:35:53 +0000 (10:35 +0200)]
doc: updated
* document the new behavior of gnutls_certificate_set_ocsp_status_request_file
* updated text on OCSP stapled responses
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 21 Nov 2017 15:31:02 +0000 (16:31 +0100)]
tests: added ocsptool sanity check program
This checks its functionality in loading and exporting PEM
and DER structures.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 16 Oct 2017 14:05:15 +0000 (16:05 +0200)]
tests: enhanced OCSP tests
* Run tests under TLS1.2 and TLS1.3
* Verify whether multiple OCSP responses are received in client
side, under TLS1.3.
* Verify that OCSP status responses can be sent by
client under TLS1.3
* Verify operation of gnutls_certificate_retrieve_function3
* Verify operation when multiple OCSP responses by file are set
Resolves #307
Resolves #291
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 12 Dec 2017 07:47:00 +0000 (08:47 +0100)]
cert auth: use a single callback to call for OCSP
That is, when selecting the certificate to use, point to
the callback to use as well (whether it being the global or
a specific one), for OCSP.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 22 Nov 2017 09:32:04 +0000 (10:32 +0100)]
ocsp: introduced gnutls_certificate_get_ocsp_expiration()
This is a function to allow obtaining the validity of the OCSP responses
already set in the credential structures.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 8 Dec 2017 12:45:24 +0000 (13:45 +0100)]
ocsp: enhanced the OCSP response loading APIs
Introduced gnutls_certificate_set_ocsp_status_request_file2() and
gnutls_certificate_set_ocsp_status_request_mem(). These functions
behave as the equivalent certificate loading functions and pre-load
the OCSP response provided as a file, either in DER or in PEM form.
In addition, ensure that if the server is provided a problematic OCSP
response, or the OCSP response is not renewed before it is invalid, we
will not provide it to the clients.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 18 Oct 2017 09:26:55 +0000 (11:26 +0200)]
gnutls-serv: allow loading multiple OCSP responses
That is, allow specifying multiple 'ocsp-response' options on
command line. In addition introduce the option 'ignore-ocsp-response-errors'
which will set the GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK flag
prior to importing the response.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 18 Oct 2017 08:32:20 +0000 (10:32 +0200)]
cert: introduced flag GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK
This allows reverting the new semantics of checking the loaded
OCSP response against the certificates present and return
to the 3.5.x semantics.
That option is also useful for debugging as it allows setting
an arbitrary response and checking gnutls' client behavior with that.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 7 Dec 2017 15:16:55 +0000 (16:16 +0100)]
gnutls_certificate_set_ocsp_status_request_file: match input response to certificates
That is, iterate through the certificate chain to figure out to which
certificate the response corresponds to, and assign it to it.
That allows for applications to re-use this function to set
multiple responses when available.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
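The OCSP commits above describe three server-side rules: a loaded response is matched to the certificate in the chain it speaks for, a response that matches nothing is rejected unless GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK restores the 3.5.x behaviour, and a response that is no longer valid is withheld rather than stapled, with gnutls_certificate_get_ocsp_expiration() telling the operator when a refresh is due. The following is an added example, not GnuTLS code, that models those rules over plain structures instead of DER. The Cert/OcspResponse fields, the flag constant, the semantics of the expiration helper and the sample chain and timestamps are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    serial: int
    issuer_key_hash: bytes


@dataclass(frozen=True)
class OcspResponse:
    serial: int             # from the single response's CertID
    issuer_key_hash: bytes
    this_update: int        # POSIX seconds
    next_update: int        # 0 when the responder did not set nextUpdate


SKIP_OCSP_RESPONSE_CHECK = 1   # stand-in for GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK


def match_response(chain, resp, flags=0):
    """Index of the chain certificate this response speaks for, or None."""
    if flags & SKIP_OCSP_RESPONSE_CHECK:
        return 0              # old semantics: attach to the end-entity without checking
    for i, cert in enumerate(chain):
        if cert.serial == resp.serial and cert.issuer_key_hash == resp.issuer_key_hash:
            return i
    return None


def load_responses(chain, responses, flags=0):
    """Attach each response to its certificate; a response matching nothing is an error."""
    staples = {}
    for resp in responses:
        idx = match_response(chain, resp, flags)
        if idx is None:
            raise ValueError("OCSP response for serial %#x matches no certificate" % resp.serial)
        staples[idx] = resp
    return staples


def responses_to_send(staples, now):
    """Subset that is safe to staple right now.

    A response whose nextUpdate has passed, or whose thisUpdate lies in the
    future, is withheld rather than sent to the client.
    """
    return {i: r for i, r in staples.items()
            if r.this_update <= now and not (r.next_update and r.next_update <= now)}


def ocsp_expiration(staples):
    """Earliest nextUpdate among the loaded responses, or None if none carries one.
    A refresh job should run before this time so the staple never goes stale."""
    times = [r.next_update for r in staples.values() if r.next_update]
    return min(times) if times else None
```

Withholding an expired staple is the safer failure: a client that receives nothing falls back to its own revocation policy, whereas one that receives a stale response may treat it as a hard error or, with lax validation, accept it.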
Nikos Mavrogiannopoulos [Wed, 6 Dec 2017 12:51:52 +0000 (13:51 +0100)]
ocsp: moved non-extension related functions to ocsp-api.c
That keeps ext/status_response.c clear of items that are
not related with the extension handling.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 17 Oct 2017 07:59:53 +0000 (09:59 +0200)]
gnutls_ocsp_status_request_get2: allow operation under TLS1.3 for server side
Under TLS1.3 it is possible for both client and server to send the
status request extension in certificate message.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 17 Oct 2017 06:32:09 +0000 (08:32 +0200)]
select_sign_algorithm: check KX type only on pre-TLS1.3
That, when selecting a certificate under TLS1.3, considers
the negotiated signature algorithms for compatibility with the
certificate to be selected.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 6 Dec 2017 12:45:21 +0000 (13:45 +0100)]
rename _gnutls_selected_certs_set -> selected_certs_set
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 6 Dec 2017 12:32:28 +0000 (13:32 +0100)]
ocsp: send all the OCSP responses under TLS1.3
That is, any responses set by the caller application (directly
or via a callback), will be sent to the peer.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 6 Dec 2017 12:18:16 +0000 (13:18 +0100)]
introduced gnutls_certificate_retrieve_function3
That allows a certificate callback to provide OCSP responses in addition
to certificates. That also introduces a flags option which currently
accepts GNUTLS_CERT_RETR_DEINIT_ALL which allows the callback to
specify whether the provided data should be deinitialized.
To simplify the certificate callback code, all previous (now legacy)
callbacks are implemented as wrappers over the new callback function.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 29 Nov 2017 13:27:44 +0000 (14:27 +0100)]
gnutls_ocsp_resp_list_import2: introduced
That is, introduced function to import multiple OCSP PEM
responses into a list.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 21 Nov 2017 15:20:48 +0000 (16:20 +0100)]
ocsptool: import and export OCSP responses in PEM format
That also modifies the 'request-info' and 'response-info' commands
to check the 'outfile' parameter and if set, to store the corresponding
structure into that file. Currently for OCSP requests there is no
printing of PEM data.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 21 Nov 2017 13:59:31 +0000 (14:59 +0100)]
ocsp: introduced gnutls_ocsp_resp_import2 and gnutls_ocsp_resp_export2
These allow importing and exporting an OCSP response to PEM format,
in addition to DER.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 13 Oct 2017 07:36:38 +0000 (09:36 +0200)]
_gnutls_x509_cert_verify_peers: verify all received OCSP responses
That is, when verifying the server's certificate, take into account
all present OCSP responses.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 13 Oct 2017 07:31:58 +0000 (09:31 +0200)]
gnutls_ocsp_status_request_get2: added function
The function extends gnutls_ocsp_status_request_get() to
retrieve more than a single response.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 10 Oct 2017 08:21:19 +0000 (10:21 +0200)]
tls13/certificate: parse OCSP status response and save responses in auth info struct
That provides support of OCSP status response under TLS 1.3.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 10 Oct 2017 09:14:19 +0000 (11:14 +0200)]
ext/status_request: allow more than a single OCSP response to be received
That change allows for an arbitrary number of OCSP responses
which is required in TLS1.3. The received list is now stored
in auth structure, and thus packed with it on resumption data.
The status response extension data are now only used on server
side, when temporarily storing the OCSP response to send.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 10 Oct 2017 07:59:17 +0000 (09:59 +0200)]
_gnutls_copy_certificate_auth_info: simplified and avoid multiple allocations
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 19 Dec 2017 15:16:29 +0000 (16:16 +0100)]
tests: updated to account for HMAC-SHA384 and CAMELLIA removal
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 19 Dec 2017 15:00:45 +0000 (16:00 +0100)]
priorities: provide a more consistent "story" for default cipher settings
Current settings in NORMAL priorities which were affected:
* Enabled ciphers:
- AES-GCM
- CHACHA20-POLY1305
- AES-CCM
- AES-CBC
* Enabled signature algorithms:
- RSA-SHA256
- RSA-PSS-SHA256
- ECDSA-SHA256 / ECDSA-SECP256R1-SHA256
- EDDSA-ED25519
- RSA-SHA384
- RSA-PSS-SHA384
- ECDSA-SHA384 / ECDSA-SECP384R1-SHA384
- RSA-SHA512
- RSA-PSS-SHA512
- ECDSA-SHA512 / ECDSA-SECP521R1-SHA512
- RSA-SHA1
- ECDSA-SHA1
Removed:
* Ciphersuites utilizing HMAC-SHA384. That MAC is only used on "legacy"
type of ciphersuites, and doesn't provide any advantage over HMAC-SHA256.
* Ciphersuites utilizing CAMELLIA were removed. TLS1.3 doesn't define any
CAMELLIA ciphersuites, and thus this provides consistent defaults across
protocols.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 17 Oct 2017 07:27:36 +0000 (09:27 +0200)]
certificate request: corrected parsing of signature algorithms
That fixes an issue in TLS 1.3 certificate request message parsing.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 4 Dec 2017 17:22:54 +0000 (18:22 +0100)]
tlsfuzzer: updated to latest master
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sat, 9 Dec 2017 10:23:24 +0000 (11:23 +0100)]
doc: documented hsk_flags "lifetime" and its reset
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Wed, 8 Nov 2017 12:13:31 +0000 (13:13 +0100)]
session state: TLS1.2 and TLS1.3 state is stored as union
That is, to reduce memory usage as these protocols cannot be used
in parallel.
Relates: #281
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 8 Nov 2017 12:08:02 +0000 (13:08 +0100)]
session state: organized key exchange keys into structures
That is, with the view of separating the data needed for
TLS1.2 and earlier and TLS1.3.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 7 Nov 2017 15:52:21 +0000 (16:52 +0100)]
record state: avoid memory allocations for stored keys
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 7 Nov 2017 15:25:31 +0000 (16:25 +0100)]
handshake: ffdhe flags merged with handshake flags
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 7 Nov 2017 15:09:12 +0000 (16:09 +0100)]
handshake: false start flag merged with hsk_flags
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 7 Nov 2017 14:36:01 +0000 (15:36 +0100)]
handshake: use hsk_flags in TLS1.2 and TLS1.3
The flags provide a more transparent view of the received
and expected messages.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 5 Dec 2017 08:01:56 +0000 (09:01 +0100)]
doc: added text on TLS1.3 rekey and reauthentication
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 4 Dec 2017 16:45:11 +0000 (17:45 +0100)]
updated auto-generated files
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Thu, 2 Nov 2017 14:30:43 +0000 (15:30 +0100)]
tests: re-enabled post-handshake auth tests
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 2 Nov 2017 14:19:10 +0000 (15:19 +0100)]
handshake: added support for post-handshake authentication
That is:
* introduced a gnutls_init() flag for clients to enable post-handshake
authentication
* introduced gnutls_reauth() function, to be called by servers to request
authentication, and by clients to perform authentication
Resolves #562
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 21 Nov 2017 10:12:14 +0000 (11:12 +0100)]
gnutls_record_set_state: use const for seq_number
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 20 Nov 2017 15:56:12 +0000 (16:56 +0100)]
tests: added test suite on key limits
This checks whether key update occurs for the expected ciphersuites.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 20 Nov 2017 15:52:58 +0000 (16:52 +0100)]
gnutls_record_get_state: doc update
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 20 Nov 2017 15:01:29 +0000 (16:01 +0100)]
Introduce key usage limits under TLS1.3
That introduces a transparent key update for sending key after
the safety limit is reached.
Resolves #130
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 20 Nov 2017 12:08:18 +0000 (13:08 +0100)]
updated auto-generated files
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 30 Oct 2017 07:59:17 +0000 (08:59 +0100)]
tests: removed unused variables and introduced temporal vars in macros
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 30 Oct 2017 07:51:06 +0000 (08:51 +0100)]
tests: check gnutls_rehandshake() and gnutls_handshake() under TLS1.3
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Sat, 28 Oct 2017 10:38:52 +0000 (12:38 +0200)]
gnutls_*handshake: wrap gnutls_session_key_update under TLS 1.3
The semantics of the gnutls_handshake() and gnutls_rehandshake() functions
were tied to TLS 1.2 and earlier behavior. This patch attempts to merge
the two different semantics as follows:
TLS1.2:
* gnutls_rehandshake: sends a hello request message (asks the peer for a re-handshake)
in server side; invalid to be called in client side.
* gnutls_handshake: performs a re-handshake in either client or server side;
in server side it is expected to be called after
gnutls_rehandshake().
TLS1.3:
* gnutls_rehandshake: in server side sends a key update and asks the peer to re-key
as well; remains invalid to be called in client side.
* gnutls_handshake: sends a key update and asks the peer to re-key as well
in client side; is a no-op when called in server side.
Relates #131
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Thu, 19 Oct 2017 14:45:18 +0000 (16:45 +0200)]
tests: added unit tests with TLS1.3 key update
Relates #131
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 19 Oct 2017 14:27:30 +0000 (16:27 +0200)]
handshake: introduced gnutls_session_key_update()
This function allows updating keys of the session and notifying
the peer.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 19 Oct 2017 12:52:03 +0000 (14:52 +0200)]
handshake: added TLS1.3 passive key update
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
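The key-update entries in this log (gnutls_session_key_update(), passive key update on receipt of the peer's KeyUpdate, the transparent update of the sending key once the usage limit is hit, and the TLS 1.3 meaning of gnutls_handshake()/gnutls_rehandshake()) all rest on one derivation: the next traffic secret is HKDF-Expand-Label(secret_N, "traffic upd", "", Hash.length), fresh key and IV are expanded from it, and the record sequence number restarts at zero. The following is an added example, not GnuTLS code, that implements that derivation with the standard library and a per-direction state that rekeys itself at a limit. The KeyUpdate handshake message itself is not framed here; the peer's state is updated by calling key_update() directly, which is what a receiver does after parsing the message. The base secret, the AES-128-GCM key/IV sizes and the record limit are constructed for the example; the limit is a small number chosen to make the rekey visible, not the value GnuTLS applies.

```python
import hashlib
import hmac

HASH = "sha256"
HASH_LEN = hashlib.new(HASH).digest_size
KEY_LEN, IV_LEN = 16, 12          # AES-128-GCM sizes, assumed for the example


def hkdf_expand(prk, info, length):
    """HKDF-Expand (RFC 5869 2.3) with HMAC-SHA256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret, label, context, length):
    """HKDF-Expand-Label from RFC 8446 7.1 (label prefixed with "tls13 ")."""
    full = b"tls13 " + label
    info = (length.to_bytes(2, "big") + bytes([len(full)]) + full
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length)


def next_traffic_secret(secret):
    """application_traffic_secret_N+1 = Expand-Label(secret_N, "traffic upd", "", Hash.length)."""
    return hkdf_expand_label(secret, b"traffic upd", b"", HASH_LEN)


def traffic_keys(secret):
    """[sender]_write_key and [sender]_write_iv for the given traffic secret."""
    return (hkdf_expand_label(secret, b"key", b"", KEY_LEN),
            hkdf_expand_label(secret, b"iv", b"", IV_LEN))


class TrafficState:
    """One direction of a TLS 1.3 connection: current secret, keys, sequence number.

    `limit` is the number of records protected under one key before the sender
    rekeys on its own (a constructed small value here, not GnuTLS's limit).
    """

    def __init__(self, secret, limit):
        self.limit = limit
        self.generation = 0
        self._install(secret)

    def _install(self, secret):
        self.secret = secret
        self.key, self.iv = traffic_keys(secret)
        self.seq = 0                       # sequence number restarts with every key

    def key_update(self):
        """Move to the next key generation (what a KeyUpdate message announces)."""
        self._install(next_traffic_secret(self.secret))
        self.generation += 1

    def nonce(self):
        """Per-record nonce: static IV XOR the left-padded 64-bit sequence number."""
        return bytes(a ^ b for a, b in zip(self.iv, self.seq.to_bytes(IV_LEN, "big")))

    def next_record(self):
        """Reserve (generation, seq, nonce) for the next record, rekeying at the limit."""
        if self.seq >= self.limit:
            self.key_update()
        reserved = (self.generation, self.seq, self.nonce())
        self.seq += 1
        return reserved
```

Because the nonce is IV XOR sequence number, the usage limit bounds how many AEAD invocations share one key, and resetting the sequence number at each update is only safe because the IV changes with the key; a receiver that applies key_update() on the peer's KeyUpdate ends up on exactly the same key, IV and sequence number as the sender.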