git.ipfire.org Git - thirdparty/gnutls.git/log
Daiki Ueno [Mon, 20 Feb 2023 08:35:38 +0000 (17:35 +0900)]
.gitlab-ci.yml: preserve timestamp around bootstrap
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Mon, 20 Feb 2023 00:49:32 +0000 (09:49 +0900)]
.gitlab-ci.yml: take advantage of git submodules in GitLab CI
GitLab CI has support for automatic checkout of submodules, though it
requires some modifications to .gitmodules:
https://docs.gitlab.com/ee/ci/git_submodules.html
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Fri, 17 Feb 2023 06:02:29 +0000 (15:02 +0900)]
.gitlab-ci.yml: use artifacts:untracked
The "artifacts:untracked" enables to efficiently archive build
artifacts:
https://docs.gitlab.com/ee/ci/yaml/#artifactsuntracked
Also copy files with bootstrap, as symlinks are excluded from the
artifacts.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Fri, 17 Feb 2023 02:29:23 +0000 (11:29 +0900)]
gnulib: update git submodule
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Wed, 15 Feb 2023 09:16:22 +0000 (09:16 +0000)]
Merge branch 'master' into 'master'
fix possible out-of-bounds access
See merge request gnutls/gnutls!1699
Daiki Ueno [Mon, 13 Feb 2023 16:40:51 +0000 (16:40 +0000)]
Merge branch 'new-interop-tests' into 'master'
add new interop tests
See merge request gnutls/gnutls!1702
xuraoqing [Mon, 13 Feb 2023 03:32:34 +0000 (11:32 +0800)]
use xrealloc to replace realloc in src/serv.c, which is just for test.
Signed-off-by: xuraoqing <609179072@qq.com>
Peter Leitmann [Thu, 9 Feb 2023 21:34:00 +0000 (22:34 +0100)]
add new interop tests
Signed-off-by: Peter Leitmann <pleitman@redhat.com>
Zoltán Fridrich [Thu, 9 Feb 2023 14:34:20 +0000 (14:34 +0000)]
Merge branch 'zfridric_devel2' into 'master'
Release 3.8.0
See merge request gnutls/gnutls!1701
Zoltan Fridrich [Thu, 9 Feb 2023 11:47:13 +0000 (12:47 +0100)]
Release 3.8.0
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
xuraoqing [Tue, 7 Feb 2023 03:37:04 +0000 (11:37 +0800)]
fix possible out-of-bounds access
Signed-off-by: xuraoqing <609179072@qq.com>
Zoltán Fridrich [Wed, 8 Feb 2023 15:02:36 +0000 (15:02 +0000)]
Merge branch 'timing-leak-fix' into 'master'
auth/rsa: side-step potential side-channel
Closes #1050
See merge request gnutls/gnutls!1698
Hubert Kario [Wed, 8 Feb 2023 13:43:45 +0000 (14:43 +0100)]
document the CVE fix
Signed-off-by: Hubert Kario <hkario@redhat.com>
Hubert Kario [Wed, 8 Feb 2023 13:32:09 +0000 (14:32 +0100)]
rsa: remove dead code
since the `ok` variable isn't used any more, we can remove all code
used to calculate it
Signed-off-by: Hubert Kario <hkario@redhat.com>
Alexander Sosedkin [Tue, 9 Aug 2022 14:05:53 +0000 (16:05 +0200)]
auth/rsa: side-step potential side-channel
Remove branching that depends on secret data.
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
Signed-off-by: Hubert Kario <hkario@redhat.com>
Tested-by: Hubert Kario <hkario@redhat.com>
Zoltán Fridrich [Wed, 8 Feb 2023 11:18:25 +0000 (11:18 +0000)]
Merge branch 'master' into 'master'
remove inoperative variable
See merge request gnutls/gnutls!1697
xuraoqing [Tue, 7 Feb 2023 02:34:48 +0000 (10:34 +0800)]
remove inoperative variable
Signed-off-by: xuraoqing <609179072@qq.com>
Zoltán Fridrich [Mon, 6 Feb 2023 10:15:54 +0000 (10:15 +0000)]
Merge branch 'zfridric_devel2' into 'master'
Revert commit f7160e4f
Closes #1446
See merge request gnutls/gnutls!1695
Zoltan Fridrich [Wed, 1 Feb 2023 12:29:34 +0000 (13:29 +0100)]
socket: set pull/push functions on windows
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
Zoltán Fridrich [Wed, 1 Feb 2023 12:10:38 +0000 (12:10 +0000)]
Merge branch 'zfridric_devel3' into 'master'
Add compression dlls to mingw archive
Closes #1441
See merge request gnutls/gnutls!1694
Zoltan Fridrich [Wed, 1 Feb 2023 09:00:12 +0000 (10:00 +0100)]
Add missing dll to mingw archive
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
Zoltán Fridrich [Tue, 31 Jan 2023 08:47:29 +0000 (08:47 +0000)]
Merge branch 'zfridric_devel3' into 'master'
gnutlsxx: become header-only library
See merge request gnutls/gnutls!1693
Zoltan Fridrich [Mon, 30 Jan 2023 11:32:56 +0000 (12:32 +0100)]
Indent cpp header
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
Nikolaos Chatzikonstantinou [Mon, 19 Dec 2022 05:34:49 +0000 (07:34 +0200)]
gnutlsxx: add source file for shared library
The compiler will not produce a shared library from a header, so a
source file is necessary when producing the gnutlsxx shared library.
Signed-off-by: Nikolaos Chatzikonstantinou <nchatz314@gmail.com>
Nikolaos Chatzikonstantinou [Mon, 19 Dec 2022 04:02:17 +0000 (06:02 +0200)]
gnutlsxx: remove unnecessary linking from makefiles
Signed-off-by: Nikolaos Chatzikonstantinou <nchatz314@gmail.com>
Nikolaos Chatzikonstantinou [Sun, 18 Dec 2022 23:37:08 +0000 (01:37 +0200)]
gnutlsxx: become header-only library
This patch removes the old gnutlsxx library and instead moves all the
definitions of the source file `gnutlsxx.c` to the header file
`gnutlsxx.h`. However, both the C and the C++ library are built. (as
before.)
The user of the C++ interface has two options to choose from:
1. include `gnutlsxx.h` in their application and link against the C
library. (the default.)
2. include `gnutlsxx.h` in their application, compile with the
GNUTLS_GNUTLSXX_NO_HEADERONLY macro defined and link against the C++
library.
Addresses Ref #1381
Signed-off-by: Nikolaos Chatzikonstantinou <nchatz314@gmail.com>
Zoltán Fridrich [Mon, 30 Jan 2023 08:30:26 +0000 (08:30 +0000)]
Merge branch 'zfridric_devel3' into 'master'
Add code indentation
Closes #1419
See merge request gnutls/gnutls!1692
Zoltan Fridrich [Fri, 27 Jan 2023 14:42:39 +0000 (15:42 +0100)]
Silence 'make syntax-check'
Co-authored-by: Simon Josefsson <simon@josefsson.org>
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
Zoltan Fridrich [Fri, 27 Jan 2023 14:22:01 +0000 (15:22 +0100)]
NEWS: mention code indentation
Co-authored-by: Simon Josefsson <simon@josefsson.org>
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
Zoltan Fridrich [Fri, 27 Jan 2023 14:03:53 +0000 (15:03 +0100)]
Indent code
Co-authored-by: Simon Josefsson <simon@josefsson.org>
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
Zoltan Fridrich [Fri, 27 Jan 2023 10:10:51 +0000 (11:10 +0100)]
Check code indentation in 'check_commit'
Co-authored-by: Simon Josefsson <simon@josefsson.org>
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
Zoltan Fridrich [Fri, 27 Jan 2023 10:08:05 +0000 (11:08 +0100)]
Deal with '# define' for indent -ppi1
Co-authored-by: Simon Josefsson <simon@josefsson.org>
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
Zoltan Fridrich [Fri, 27 Jan 2023 09:27:21 +0000 (10:27 +0100)]
Fix indent errors
Co-authored-by: Simon Josefsson <simon@josefsson.org>
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
Zoltan Fridrich [Fri, 27 Jan 2023 12:38:45 +0000 (13:38 +0100)]
Add code indentation scripts
Co-authored-by: Simon Josefsson <simon@josefsson.org>
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
Daiki Ueno [Wed, 18 Jan 2023 22:58:28 +0000 (22:58 +0000)]
Merge branch 'wip/dueno/coverage' into 'master'
.gitlab-ci.yml: take advantage of GitLab code coverage visualization
See merge request gnutls/gnutls!1691
Daiki Ueno [Tue, 17 Jan 2023 10:47:11 +0000 (19:47 +0900)]
.gitlab-ci.yml: take advantage of GitLab code coverage visualization
This switches to using gcovr instead of our custom coverage generation
rule to take advantage of "Test coverage visualization" in GitLab:
https://docs.gitlab.com/ee/ci/testing/test_coverage_visualization.html
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Fri, 13 Jan 2023 23:27:17 +0000 (23:27 +0000)]
Merge branch 'wip/dueno/ci-fixes3' into 'master'
.gitlab-ci.yml: consolidate duplicate "aggressive" targets
See merge request gnutls/gnutls!1690
Daiki Ueno [Fri, 30 Dec 2022 02:08:36 +0000 (11:08 +0900)]
.gitlab-ci.yml: consolidate duplicate "aggressive" targets
The UB+ASAN-Werror.Fedora.x86_64.gcc-aggressive shared almost the same
tasks with UB+ASAN-Werror-aggressive.Fedora.x86_64.gcc, except the
former explicitly specified --disable-hardware-acceleration.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Wed, 11 Jan 2023 09:30:03 +0000 (09:30 +0000)]
Merge branch 'wip/dueno/ca-path' into 'master'
trust: make filesystem path construction flexible
Closes #1280
See merge request gnutls/gnutls!1493
Daiki Ueno [Wed, 11 Jan 2023 06:24:14 +0000 (15:24 +0900)]
.gitlab-ci.yml: disable cppcheck for now
The current version of cppcheck hangs at the usage of Gnulib's
intprops module:
https://trac.cppcheck.net/ticket/10192
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Tue, 20 Sep 2022 06:08:59 +0000 (15:08 +0900)]
trust: make filesystem path construction flexible
To handle pathnames longer than the fixed length (previously 256),
this adds a set of internal API functions around the gnutls_pathbuf_st
struct, which enables to safely and efficiently construct pathnames.
The new API initially uses the statically allocated buffer and starts
allocating memory on heap only after the limit has been reached.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Zoltán Fridrich [Tue, 10 Jan 2023 17:11:30 +0000 (17:11 +0000)]
Merge branch 'zfridric_devel2' into 'master'
Forbid unsolicited CompressedCertificate messages
Closes #1440
See merge request gnutls/gnutls!1678
Zoltan Fridrich [Mon, 2 Jan 2023 12:25:14 +0000 (13:25 +0100)]
Fix error codes for unsolicited compressed certificate
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
Zoltan Fridrich [Tue, 3 Jan 2023 08:06:01 +0000 (09:06 +0100)]
Update year of copyright notices in doc/gnutls.texi
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
Daiki Ueno [Fri, 6 Jan 2023 11:07:38 +0000 (11:07 +0000)]
Merge branch 'wip/dueno/srtp' into 'master'
srtp: support AES-GCM profiles
Closes #1266
See merge request gnutls/gnutls!1685
Daiki Ueno [Fri, 6 Jan 2023 11:06:43 +0000 (11:06 +0000)]
Merge branch 'wip/dueno/max-record-send-size' into 'master'
build: remove MAX_RECORD_SEND_SIZE in favor of max_record_send_size
Closes #815
See merge request gnutls/gnutls!1684
Zoltan Fridrich [Thu, 8 Dec 2022 11:41:34 +0000 (12:41 +0100)]
Forbid unsolicited CompressedCertificate message
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
Zoltan Fridrich [Thu, 8 Dec 2022 10:49:16 +0000 (11:49 +0100)]
Fail when received cert is compressed with disabled method
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
Zoltan Fridrich [Thu, 8 Dec 2022 11:08:10 +0000 (12:08 +0100)]
Slight reformatting of compress_certificate code
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
Daiki Ueno [Wed, 28 Dec 2022 03:42:27 +0000 (12:42 +0900)]
build: suppress ABI change for GNUTLS_SRTP_AEAD_AES_*_GCM additions
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Tue, 27 Dec 2022 23:15:39 +0000 (23:15 +0000)]
Merge branch 'debian-texlive' into 'master'
doc: Fix Debian package name texlive-plain-generic
See merge request gnutls/gnutls!1689
Daiki Ueno [Tue, 27 Dec 2022 23:00:47 +0000 (23:00 +0000)]
Merge branch 'install-md-fixes' into 'master'
doc: Fix several minor issues in INSTALL.md
See merge request gnutls/gnutls!1688
Daiki Ueno [Tue, 27 Dec 2022 22:59:25 +0000 (22:59 +0000)]
Merge branch 'https' into 'master'
Prefer HTTPS to HTTP in URLs
See merge request gnutls/gnutls!1687
Stefan Kangas [Tue, 27 Dec 2022 18:53:11 +0000 (19:53 +0100)]
doc: Fix Debian package name texlive-plain-generic
The package texlive-generic-recommended is a transitional dummy package for
texlive-plain-generic in Debian buster (currently oldstable).
See: https://packages.debian.org/texlive-generic-recommended
Signed-off-by: Stefan Kangas <stefankangas@gmail.com>
Stefan Kangas [Tue, 27 Dec 2022 18:13:53 +0000 (19:13 +0100)]
doc: Fix several minor issues in INSTALL.md
- Fix reference to moved file.
- Fix a dead link, and a typo.
- Use two spaces between sentences, and no trailing whitespace.
Signed-off-by: Stefan Kangas <stefankangas@gmail.com>
Daiki Ueno [Tue, 27 Dec 2022 17:44:08 +0000 (17:44 +0000)]
Merge branch 'typos' into 'master'
Fix typos
See merge request gnutls/gnutls!1686
Stefan Kangas [Tue, 27 Dec 2022 17:02:13 +0000 (18:02 +0100)]
Sync GPL/LGPL license files from Gnulib
Signed-off-by: Stefan Kangas <stefankangas@gmail.com>
Stefan Kangas [Tue, 27 Dec 2022 15:42:58 +0000 (16:42 +0100)]
Replace FSF snail mail addresses with URL
This is the latest recommendation, as described here:
https://www.gnu.org/licenses/gpl-howto.html
Signed-off-by: Stefan Kangas <stefankangas@gmail.com>
Stefan Kangas [Tue, 27 Dec 2022 14:16:05 +0000 (15:16 +0100)]
Prefer HTTPS to HTTP in URLs
This mostly updates NEWS and license links. All links have been
manually tested and confirmed working.
Signed-off-by: Stefan Kangas <stefankangas@gmail.com>
Stefan Kangas [Mon, 26 Dec 2022 22:48:16 +0000 (23:48 +0100)]
Fix typos
Signed-off-by: Stefan Kangas <stefankangas@gmail.com>
Daiki Ueno [Sat, 24 Dec 2022 08:37:24 +0000 (17:37 +0900)]
srtp: support AES-GCM profiles
This adds support for SRTP_AEAD_AES_128_GCM and SRTP_AEAD_AES_256_GCM
profiles defined in RFC 7714.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Sat, 24 Dec 2022 08:07:26 +0000 (17:07 +0900)]
build: remove MAX_RECORD_SEND_SIZE in favor of max_record_send_size
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Wed, 21 Dec 2022 22:53:59 +0000 (22:53 +0000)]
Merge branch 'wip/dueno/ccs-value' into 'master'
record: enable check on CCS content also in TLS 1.2
Closes #1439
See merge request gnutls/gnutls!1677
Daiki Ueno [Thu, 8 Dec 2022 02:53:20 +0000 (11:53 +0900)]
record: enable check on CCS content also in TLS 1.2
This generalizes the value check of Change Cipher Spec for all TLS
protocol versions including TLS 1.2 or earlier. It also fixes the
logic of the check so the value is decrypted before being examined,
according to the RFC.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Tue, 20 Dec 2022 14:07:36 +0000 (14:07 +0000)]
Merge branch 'wip/dueno/disable-srp' into 'master'
build: disable SRP authentication by default
Closes #943
See merge request gnutls/gnutls!1681
Daiki Ueno [Sat, 17 Dec 2022 23:00:59 +0000 (08:00 +0900)]
tests: conditionalize SRP tests
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Sat, 17 Dec 2022 06:44:07 +0000 (15:44 +0900)]
build: disable SRP authentication by default
SRP authentication in TLS is not up to date with the latest TLS
standards and its ciphersuites are based on the CBC mode and SHA-1.
This makes the feature disabled by default at compile time, though the
users are still able to enable it with --enable-srp-authentication
configure option.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Tue, 20 Dec 2022 06:15:45 +0000 (06:15 +0000)]
Merge branch 'new-interop-tests' into 'master'
Added new interoperability tests
See merge request gnutls/gnutls!1680
Daiki Ueno [Tue, 20 Dec 2022 03:18:13 +0000 (03:18 +0000)]
Merge branch 'master' into 'master'
fix obtain credential type based on the key exchange type fail; fix log print key mac size error
See merge request gnutls/gnutls!1670
Daiki Ueno [Mon, 19 Dec 2022 13:39:11 +0000 (13:39 +0000)]
Merge branch 'wip/dueno/disable-heartbeat' into 'master'
build: disable TLS heartbeat extension by default
Closes #743
See merge request gnutls/gnutls!1682
Daiki Ueno [Mon, 19 Dec 2022 09:40:37 +0000 (18:40 +0900)]
.gitlab-ci.yml: ensure libtasn1-tools is installed
With recent DNF, removing libtasn1-devel causes libtasn1-tools to be
removed. Manually reinstall it in that case.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Sat, 17 Dec 2022 06:55:33 +0000 (15:55 +0900)]
build: disable TLS heartbeat extension by default
The heartbeat extension in TLS (RFC 6520) is not widely used given
other implementations dropped support for it. This makes it disabled
by default, though the users are able to enable it back with the
--enable-heartbeat-support configure option.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Mon, 19 Dec 2022 08:24:38 +0000 (08:24 +0000)]
Merge branch 'wip/dueno/c99' into 'master'
Minor build fixes
See merge request gnutls/gnutls!1683
xuraoqing [Thu, 15 Dec 2022 09:02:59 +0000 (17:02 +0800)]
fix memory leak when process client ecdh key exchange
Signed-off-by: xuraoqing <xuraoqing@huawei.com>
Daiki Ueno [Sat, 17 Dec 2022 23:21:46 +0000 (08:21 +0900)]
cert-auth: alloc_and_load_x509_certs: check requested cert count
... instead of pointer. Otherwise GCC analyzer treats it as
-Wanalyzer-null-dereference in the caller side. While that shouldn't
happen, it would be nice to make the code handle it robustly.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Sat, 17 Dec 2022 23:05:05 +0000 (08:05 +0900)]
build: avoid using implicit int to adhere to C99
Otherwise -Wstrict-prototypes now emits the following warnings:
mini-dtls-large.c:30:5: error: function declaration isn't a prototype [-Werror=strict-prototypes]
30 | int main()
| ^~~~
mini-dtls-large.c: In function 'main':
mini-dtls-large.c:30:5: error: old-style function definition [-Werror=old-style-definition]
cc1: all warnings being treated as errors
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Peter Leitmann [Wed, 14 Dec 2022 17:22:54 +0000 (18:22 +0100)]
new interop-tests
Signed-off-by: Peter Leitmann <pleitman@redhat.com>
Daiki Ueno [Fri, 16 Dec 2022 09:06:47 +0000 (09:06 +0000)]
Merge branch 'wip/dueno/stubs' into 'master'
srp: provide stubs of public functions even if SRP is disabled
See merge request gnutls/gnutls!1679
Daiki Ueno [Wed, 14 Dec 2022 15:51:42 +0000 (00:51 +0900)]
build: remove code guarded with no longer defined ENABLE_RSA_EXPORT
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Wed, 14 Dec 2022 15:48:16 +0000 (00:48 +0900)]
build: remove checks on no longer defined ENABLE_OPENPGP
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Wed, 14 Dec 2022 15:45:04 +0000 (00:45 +0900)]
srp: provide stubs of public functions even if SRP is disabled
This adds stub definitions of public SRP functions even if SRP is
disabled with --disable-srp-authentication, to preserve the ABI.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Zoltán Fridrich [Wed, 14 Dec 2022 11:29:53 +0000 (11:29 +0000)]
Merge branch 'zfridric_devel' into 'master'
Use soname instead of file name in fipshmac sections
See merge request gnutls/gnutls!1675
xuraoqing [Mon, 12 Dec 2022 07:10:59 +0000 (15:10 +0800)]
fix log print server write mac key size error
Signed-off-by: xuraoqing <xuraoqing@huawei.com>
xuraoqing [Mon, 12 Dec 2022 07:06:14 +0000 (15:06 +0800)]
fix log print client write mac key size error
Signed-off-by: xuraoqing <xuraoqing@huawei.com>
xuraoqing [Mon, 12 Dec 2022 07:05:20 +0000 (15:05 +0800)]
fix get credential type with key exchange algorithm fail
Signed-off-by: xuraoqing <xuraoqing@huawei.com>
Zoltan Fridrich [Fri, 2 Dec 2022 12:12:30 +0000 (13:12 +0100)]
Use soname instead of file name in fipshmac sections
Using fipshmac program with an argument, for example:
fipshmac /usr/lib64/libgnutls.so.30.28.1
would create a section [libgnutls.so.30.28.1]
and the internal comparison with soname would fail.
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
Daiki Ueno [Wed, 7 Dec 2022 10:13:52 +0000 (10:13 +0000)]
Merge branch 'wip/dueno/memleak-fixes' into 'master'
Fix memory leaks in tools and tests
Closes #1433 and #1430
See merge request gnutls/gnutls!1672
František Krenželok [Tue, 6 Dec 2022 14:26:17 +0000 (14:26 +0000)]
Merge branch 'fix/ktls_fallback' into 'master'
KTLS: Invalidate session on ktls error
See merge request gnutls/gnutls!1664
Frantisek Krenzelok [Mon, 31 Oct 2022 11:17:43 +0000 (12:17 +0100)]
KTLS: Invalidate session on ktls error
We invalidate the session if a KTLS related error occurs after it was
initialized i.e. keys were set on the interfaces.
As of now this only affects key_update() which should be fixed via a
kernel patch. Thus future fallback mechanism implementation is not likely
as that would require yet another kernel patch.
Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
František Krenželok [Sat, 3 Dec 2022 18:10:55 +0000 (18:10 +0000)]
Merge branch 'ktls_ciphersuites' into 'master'
KTLS: additional ciphersuites
See merge request gnutls/gnutls!1676
Frantisek Krenzelok [Fri, 2 Dec 2022 10:07:48 +0000 (11:07 +0100)]
KTLS: add ciphersuites (tests)
Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
Frantisek Krenzelok [Thu, 1 Dec 2022 14:37:33 +0000 (15:37 +0100)]
KTLS: add ciphersuites
* TLS_AES_128_CCM_SHA256
* TLS_CHACHA20_POLY1305_SHA256
Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
Daiki Ueno [Wed, 30 Nov 2022 15:16:49 +0000 (15:16 +0000)]
Merge branch 'wip/dueno/fipshmac-followup2' into 'master'
fips: rename .gnutls.hmac back to .libgnutls.so.*.hmac
Closes #1435
See merge request gnutls/gnutls!1674
Daiki Ueno [Tue, 29 Nov 2022 02:15:34 +0000 (11:15 +0900)]
fips: rename .gnutls.hmac back to .libgnutls.so.*.hmac
Using a GnuTLS specific construction of .hmac file name causes a
problem with dracut, which expects that .hmac files are installed
alongside the corresponding shared libraries.
To preserve backward compatibility, this renames the file name back to
.libgnutls.so.*.hmac, while the content remains the same covering all
the dependent libraries (libgnutls, libhogweed, libnettle, and
libgmp).
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Wed, 30 Nov 2022 10:44:50 +0000 (10:44 +0000)]
Merge branch 'wip/dueno/ktls-fixes2' into 'master'
Minor fixes on KTLS
Closes #1382
See merge request gnutls/gnutls!1673
Daiki Ueno [Mon, 28 Nov 2022 14:48:40 +0000 (14:48 +0000)]
Merge branch 'wip/dueno/gnulib' into 'master'
gnulib: update git submodule
See merge request gnutls/gnutls!1509
Daiki Ueno [Mon, 28 Nov 2022 03:15:26 +0000 (12:15 +0900)]
priority: accept "ktls = false" in configuration file
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Mon, 28 Nov 2022 03:13:31 +0000 (12:13 +0900)]
src: print KTLS enablement status in gnutls-serv/gnutls-cli
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Mon, 28 Nov 2022 03:17:12 +0000 (12:17 +0900)]
includes: move KTLS function definition out of <gnutls/socket.h>
<gnutls/socket.h> is meant for the functions that depend on
<sys/socket.h>, which is not available on Windows platforms.
As the KTLS API doesn't rely on <sys/socket.h>, move the function and
enum to <gnutls/gnutls.h>.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Mon, 28 Nov 2022 02:14:53 +0000 (11:14 +0900)]
tests: fix memory leak in resume-with-previous-stek
Signed-off-by: Daiki Ueno <ueno@gnu.org>