git.ipfire.org Git - thirdparty/gnutls.git/log
Nikos Mavrogiannopoulos [Wed, 6 Dec 2017 12:18:16 +0000 (13:18 +0100)]
introduced gnutls_certificate_retrieve_function3
That allows a certificate callback to provide OCSP responses in addition
to certificates. That also introduces a flags option which currently
accepts GNUTLS_CERT_RETR_DEINIT_ALL which allows the callback to
specify whether the provided data should be deinitialized.
To simplify the certificate callback code, all previous (now legacy)
callbacks are implemented as wrappers over the new callback function.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 29 Nov 2017 13:27:44 +0000 (14:27 +0100)]
gnutls_ocsp_resp_list_import2: introduced
That is, introduced function to import multiple OCSP PEM
responses into a list.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 21 Nov 2017 15:20:48 +0000 (16:20 +0100)]
ocsptool: import and export OCSP responses in PEM format
That also modifies the 'request-info' and 'response-info' commands
to check the 'outfile' parameter and if set, to store the corresponding
structure into that file. Currently for OCSP requests there is no
printing of PEM data.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 21 Nov 2017 13:59:31 +0000 (14:59 +0100)]
ocsp: introduced gnutls_ocsp_resp_import2 and gnutls_ocsp_resp_export2
These allow importing and exporting an OCSP response to PEM format,
in addition to DER.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 13 Oct 2017 07:36:38 +0000 (09:36 +0200)]
_gnutls_x509_cert_verify_peers: verify all received OCSP responses
That is, when verifying the server's certificate, take into account
all present OCSP responses.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 13 Oct 2017 07:31:58 +0000 (09:31 +0200)]
gnutls_ocsp_status_request_get2: added function
The function extends gnutls_ocsp_status_request_get() to
retrieve more than a single response.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 10 Oct 2017 08:21:19 +0000 (10:21 +0200)]
tls13/certificate: parse OCSP status response and save responses in auth info struct
That provides support of OCSP status response under TLS 1.3.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 10 Oct 2017 09:14:19 +0000 (11:14 +0200)]
ext/status_request: allow more than a single OCSP response to be received
That change allows for an arbitrary number of OCSP responses
which is required in TLS1.3. The received list is now stored
in auth structure, and thus packed with it on resumption data.
The status response extension data are now only used on server
side, when temporarily storing the OCSP response to send.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 10 Oct 2017 07:59:17 +0000 (09:59 +0200)]
_gnutls_copy_certificate_auth_info: simplified and avoid multiple allocations
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 19 Dec 2017 15:16:29 +0000 (16:16 +0100)]
tests: updated to account for HMAC-SHA384 and CAMELLIA removal
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 19 Dec 2017 15:00:45 +0000 (16:00 +0100)]
priorities: provide a more consistent "story" for default cipher settings
Current settings in NORMAL priorities which were affected:
* Enabled ciphers:
- AES-GCM
- CHACHA20-POLY1305
- AES-CCM
- AES-CBC
* Enabled signature algorithms:
- RSA-SHA256
- RSA-PSS-SHA256
- ECDSA-SHA256 / ECDSA-SECP256R1-SHA256
- EDDSA-ED25519
- RSA-SHA384
- RSA-PSS-SHA384
- ECDSA-SHA384 / ECDSA-SECP384R1-SHA384
- RSA-SHA512
- RSA-PSS-SHA512
- ECDSA-SHA512 / ECDSA-SECP521R1-SHA512
- RSA-SHA1
- ECDSA-SHA1
Removed:
* Ciphersuites utilizing HMAC-SHA384. That MAC is only used on "legacy"
type of ciphersuites, and doesn't provide any advantage over HMAC-SHA256.
* Ciphersuites utilizing CAMELLIA were removed. TLS1.3 doesn't define any
CAMELLIA ciphersuites, and thus provide consistent defaults across
protocols.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 17 Oct 2017 07:27:36 +0000 (09:27 +0200)]
certificate request: corrected parsing of signature algorithms
That fixes an issue in TLS 1.3 certificate request message parsing.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 4 Dec 2017 17:22:54 +0000 (18:22 +0100)]
tlsfuzzer: updated to latest master
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sat, 9 Dec 2017 10:23:24 +0000 (11:23 +0100)]
doc: documented hsk_flags "lifetime" and its reset
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Wed, 8 Nov 2017 12:13:31 +0000 (13:13 +0100)]
session state: TLS1.2 and TLS1.3 state is stored as union
That is, to reduce memory usage as these protocols cannot be used
in parallel.
Relates: #281
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 8 Nov 2017 12:08:02 +0000 (13:08 +0100)]
session state: organized key exchange keys into structures
That is, with the view of separating the data needed for
TLS1.2 and earlier and TLS1.3.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 7 Nov 2017 15:52:21 +0000 (16:52 +0100)]
record state: avoid memory allocations for stored keys
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 7 Nov 2017 15:25:31 +0000 (16:25 +0100)]
handshake: ffdhe flags merged with handshake flags
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 7 Nov 2017 15:09:12 +0000 (16:09 +0100)]
handshake: false start flag merged with hsk_flags
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 7 Nov 2017 14:36:01 +0000 (15:36 +0100)]
handshake: use hsk_flags in TLS1.2 and TLS1.3
The flags provide a more transparent view of the received
and expected messages.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 5 Dec 2017 08:01:56 +0000 (09:01 +0100)]
doc: added text on TLS1.3 rekey and reauthentication
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 4 Dec 2017 16:45:11 +0000 (17:45 +0100)]
updated auto-generated files
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Thu, 2 Nov 2017 14:30:43 +0000 (15:30 +0100)]
tests: re-enabled post-handshake auth tests
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 2 Nov 2017 14:19:10 +0000 (15:19 +0100)]
handshake: added support for post-handshake authentication
That is:
* introduced a gnutls_init() flag for clients to enable post-handshake
authentication
* introduced gnutls_reauth() function, to be called by servers to request
authentication, and by clients to perform authentication
Resolves #562
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 21 Nov 2017 10:12:14 +0000 (11:12 +0100)]
gnutls_record_set_state: use const for seq_number
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 20 Nov 2017 15:56:12 +0000 (16:56 +0100)]
tests: added test suite on key limits
This checks whether key update occurs for the expected ciphersuites.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 20 Nov 2017 15:52:58 +0000 (16:52 +0100)]
gnutls_record_get_state: doc update
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 20 Nov 2017 15:01:29 +0000 (16:01 +0100)]
Introduce key usage limits under TLS1.3
That introduces a transparent key update for sending key after
the safety limit is reached.
Resolves #130
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 20 Nov 2017 12:08:18 +0000 (13:08 +0100)]
updated auto-generated files
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 30 Oct 2017 07:59:17 +0000 (08:59 +0100)]
tests: removed unused variables and introduced temporal vars in macros
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 30 Oct 2017 07:51:06 +0000 (08:51 +0100)]
tests: check gnutls_rehandshake() and gnutls_handshake() under TLS1.3
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Sat, 28 Oct 2017 10:38:52 +0000 (12:38 +0200)]
gnutls_*handshake: wrap gnutls_session_key_update under TLS 1.3
The semantics of the gnutls_handshake() and gnutls_rehandshake() functions
were tied to TLS 1.2 and earlier behavior. This patch attempts to merge
the two different semantics as follows:
TLS1.2:
* gnutls_rehandshake: sends a hello request message (asks the peer for a re-handshake)
in server side; invalid to be called in client side.
* gnutls_handshake: performs a re-handshake in either client or server side;
in server side it is expected to be called after
gnutls_rehandshake().
TLS1.3:
* gnutls_rehandshake: in server side sends a key update and asks the peer to re-key
as well; remains invalid to be called in client side.
* gnutls_handshake: sends a key update and asks the peer to re-key as well;
in client side; is a no-op when called in server side.
Relates #131
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Thu, 19 Oct 2017 14:45:18 +0000 (16:45 +0200)]
tests: added unit tests with TLS1.3 key update
Relates #131
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 19 Oct 2017 14:27:30 +0000 (16:27 +0200)]
handshake: introduced gnutls_session_key_update()
This function allows updating keys of the session and notifying
the peer.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 19 Oct 2017 12:52:03 +0000 (14:52 +0200)]
handshake: added TLS1.3 passive key update
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Daiki Ueno [Wed, 29 Nov 2017 10:18:40 +0000 (11:18 +0100)]
keylogfile: write TLS 1.3 secrets
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Tue, 28 Nov 2017 17:28:19 +0000 (18:28 +0100)]
_gnutls_nss_keylog_write: define new internal API
This patch turns the write_nss_key_log function to an internal
API (with a different name) so that it can be called from other places
implementing TLS 1.3 key scheduling.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Nikos Mavrogiannopoulos [Mon, 27 Nov 2017 10:27:12 +0000 (11:27 +0100)]
tls-fuzzer: enabled the large hello checks
These were previously not working because tls-fuzzer was not TLS1.3-ready.
This is addressed at the current update, and as such we enable them.
That commit also enables the SNI resumption tests.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 29 Nov 2017 15:21:45 +0000 (16:21 +0100)]
hkdf: refer to nettle's hkdf.h when available
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 29 Nov 2017 13:04:30 +0000 (14:04 +0100)]
doc update
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 27 Nov 2017 10:07:40 +0000 (11:07 +0100)]
gnutls_prf_rfc5705: apply the context limits only under TLS1.2 or earlier
These limits do not exist under TLS1.3.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 27 Nov 2017 10:04:59 +0000 (11:04 +0100)]
gnutls_prf_raw: fail under TLS1.3
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 27 Nov 2017 08:10:24 +0000 (09:10 +0100)]
tests: included behavioral test of gnutls_prf under TLS1.3
Resolves #330
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 27 Nov 2017 08:03:31 +0000 (09:03 +0100)]
gnutls_prf: prevent usage under TLS1.3
Only allow its use when it is documented to have the same output
as gnutls_rfc5705() and in that case make it a wrapper to it.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Daiki Ueno [Fri, 24 Nov 2017 10:07:20 +0000 (11:07 +0100)]
gnutls_prf_rfc5705: calculate exporter using HKDF if TLS 1.3
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Fri, 24 Nov 2017 09:55:43 +0000 (10:55 +0100)]
handshake-tls13: derive and store exporter_master_secret
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Fri, 24 Nov 2017 09:34:26 +0000 (10:34 +0100)]
_tls13_derive_secret: define secret argument
TLS 1.3 exporters need to derive a secret from exporter_master_secret
or early_exporter_master_secret, not the handshake or application
secret stored in temp_secret. Add a new argument @secret to
_tls13_derive_secret to specify any secret.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Nikos Mavrogiannopoulos [Wed, 8 Nov 2017 10:45:25 +0000 (11:45 +0100)]
session state: combined srp and dh prime bits variables
They were being used for the same purpose, and SRP as well as
DH, do not overlap to require two different variables.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 8 Nov 2017 10:41:59 +0000 (11:41 +0100)]
session state: mark mod_auth_st_int as constant
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 8 Nov 2017 10:39:53 +0000 (11:39 +0100)]
dtls: cookie is stored dynamically when needed rather than in pre-allocated size
That reduces the number of bytes used in cases where DTLS is not in use or
we are in server-side.
Relates #281
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 10 Oct 2017 07:54:13 +0000 (09:54 +0200)]
removed legacy/unused rsa-related structures/functions
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Dmitry Eremin-Solenikov [Sat, 23 Sep 2017 18:43:45 +0000 (21:43 +0300)]
lib: simplify adding groups according to priorities
There is little point, remembering if EC or DHE came first and then
adding necessary groups checking that flag. Instead just add groups at
the time first EC or DHE ciphersuite is met.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Wed, 4 Oct 2017 07:21:06 +0000 (09:21 +0200)]
tests: added unit test for RDNs in cert callback
This verifies whether the RDNs received at the callbacks under
TLS1.2 and TLS1.3 have the expected values (corresponding to the
certificates used).
Resolves #297
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 3 Oct 2017 13:59:14 +0000 (15:59 +0200)]
gnutls_auth*_get_type: use gnutls_kx_get to retrieve key exchange
That allows the functions to operate under TLS 1.3 which has
no key exchange as part of the ciphersuite.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 3 Oct 2017 13:28:07 +0000 (15:28 +0200)]
tests: check certificate callbacks under TLS 1.2 and 1.3
Resolves #278
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 3 Oct 2017 12:56:15 +0000 (14:56 +0200)]
tests: added unit tests for client certificate under TLS1.3
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 3 Oct 2017 12:21:33 +0000 (14:21 +0200)]
handshake: handle the certificate authorities extension
That is, when sending or receiving the certificate request message.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 3 Oct 2017 11:59:39 +0000 (13:59 +0200)]
handshake: added support for client certificates
That is, receive and parse a certificate request, certificate
verify, as well as certificate in server side.
That way, client certificates
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 3 Oct 2017 09:48:28 +0000 (11:48 +0200)]
handshake: return GNUTLS_E_NO_CERTIFICATE_FOUND when no certificate is found in TLS1.3
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 3 Oct 2017 09:43:45 +0000 (11:43 +0200)]
handshake: send certificate request when requested
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 6 Oct 2017 09:00:16 +0000 (11:00 +0200)]
tests: added check for client hello random value after HRR
That way we ensure that we follow the tls1.3 draft which requires
the second client hello to be identical to the initial one.
Resolves #299
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 6 Oct 2017 09:16:17 +0000 (11:16 +0200)]
handshake: treat reply to HRR as a reply to hello verify request
That is, re-use the client random value on the client hello which
is a reply to a hello retry request.
Relates #299
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 6 Oct 2017 08:18:33 +0000 (10:18 +0200)]
tests: added key share behavioral test
This verifies whether the gnutls_init() flags GNUTLS_KEY_SHARE_TOP,
GNUTLS_KEY_SHARE_TOP2, GNUTLS_KEY_SHARE_TOP3 behave as advertized.
Resolves #284
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 6 Oct 2017 07:05:20 +0000 (09:05 +0200)]
key share: added flags to gnutls_init() to modify its default behavior
That way the application can adjust the range of keys generated
during client hello attempting to guess the server's algorithm.
Applications are intentionally not given the option to select the
algorithm in the key share, but rather choose from the prioritized
list of groups, to avoid a disconnect between the prioritized
groups, and the key share sent.
Relates #284
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 2 Nov 2017 14:40:24 +0000 (15:40 +0100)]
handshake: initialize buffer prior to use
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 4 Oct 2017 08:55:48 +0000 (10:55 +0200)]
tests: added tests for TLS1.2- rollback detection
That is, tests which check
* whether the server's generated values under TLS1.2- match the expected
* whether the client would fail on negotiation if the rollback values are detected
Resolves #293
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 4 Oct 2017 08:33:11 +0000 (10:33 +0200)]
_gnutls_set_server_random: corrected TLS1.2 and TLS1.1 rollback detection
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 3 Oct 2017 09:08:04 +0000 (11:08 +0200)]
extensions: renamed _gnutls_hello_ext_*sdata to _gnutls_hello_ext_*priv
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 3 Oct 2017 07:35:52 +0000 (09:35 +0200)]
server_name: use the new API for ext data setting
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 3 Oct 2017 06:58:59 +0000 (08:58 +0200)]
extensions: enhanced extension lib with pack and unpack functions
That allows the functionality to be used for the majority of extensions.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 3 Oct 2017 06:41:51 +0000 (08:41 +0200)]
tests: check the correct handling of cookie extension in client side
Resolves #218
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 3 Oct 2017 06:39:58 +0000 (08:39 +0200)]
extensions: allow receiving and sending extensions which were not advertised by client side
That is needed due to the special treatment of the cookie extension,
which is sent by the server in HRR even if it was not advertised by
the client.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 29 Sep 2017 14:41:09 +0000 (16:41 +0200)]
extensions: optimized gid_to_ext_entry() map on known extensions
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 29 Sep 2017 14:23:10 +0000 (16:23 +0200)]
extensions: avoid double loop when parsing received extensions
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 29 Sep 2017 13:40:36 +0000 (15:40 +0200)]
extensions: avoid looping to discover location of saved data
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 29 Sep 2017 13:16:04 +0000 (15:16 +0200)]
handshake: added support for reading and sending cookie extension
That introduces an internal API to associate data to an extension.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 13 Nov 2017 07:45:09 +0000 (08:45 +0100)]
doc: document the GNUTLS_E_NO_COMMON_KEY_SHARE usage
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Fri, 29 Sep 2017 09:58:25 +0000 (11:58 +0200)]
tests: added unit test for hello retry request support
Resolves #285
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 29 Sep 2017 12:24:54 +0000 (14:24 +0200)]
tests: rehandshake tests were restricted to TLS1.2
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 29 Sep 2017 12:11:34 +0000 (14:11 +0200)]
handshake: reduce assert printouts in common cases
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 29 Sep 2017 08:10:48 +0000 (10:10 +0200)]
handshake: accept hello retry request in client side
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 29 Sep 2017 07:08:59 +0000 (09:08 +0200)]
buf: _gnutls_buffer_pop_data made easier to use
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 29 Sep 2017 07:01:41 +0000 (09:01 +0200)]
handshake: simplified version parsing
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 21 Sep 2017 14:40:43 +0000 (16:40 +0200)]
handshake: send hello retry request when no key share matches
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 29 Sep 2017 10:54:38 +0000 (12:54 +0200)]
ext: do not advertize post handshake authentication
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 29 Sep 2017 06:21:54 +0000 (08:21 +0200)]
tests: check TLS1.3 record layer packet modification
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 28 Sep 2017 05:50:42 +0000 (07:50 +0200)]
handshake: split set_client_random to gen and set
This aligns with set_server_random() and gen_server_random().
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Thu, 28 Sep 2017 05:47:40 +0000 (07:47 +0200)]
handshake: only attempt to detect downgrade attacks if TLS1.3 is supported
Otherwise, connections under TLS 1.2 may fail, even if client never enabled
TLS 1.3 support.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Wed, 27 Sep 2017 13:10:07 +0000 (15:10 +0200)]
nettle/pk: explicitly mark intentional fallthrough in switch cases
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 22 Sep 2017 14:59:31 +0000 (16:59 +0200)]
key share: removed duplicate message
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 27 Sep 2017 06:20:10 +0000 (08:20 +0200)]
tests: fix warning in rng-sigint.c
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 27 Sep 2017 06:58:26 +0000 (08:58 +0200)]
tests: improved tls-session-supplemental
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 26 Sep 2017 14:44:39 +0000 (16:44 +0200)]
kx: moved to new buffer API
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 26 Sep 2017 13:38:58 +0000 (15:38 +0200)]
handshake: moved to the new mbuffer API
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 26 Sep 2017 10:54:18 +0000 (12:54 +0200)]
handshake: use the new buffer type in TLS 1.3
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 26 Sep 2017 09:57:18 +0000 (11:57 +0200)]
handshake: new helper functions to use gnutls_buffer_st to generate mbuffers
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 26 Sep 2017 08:29:15 +0000 (10:29 +0200)]
tlsfuzzer: disable non TLS1.3-ready tests
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 25 Sep 2017 14:28:38 +0000 (16:28 +0200)]
tests: added tests for TLS1.3 record generation / parsing
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 25 Sep 2017 07:47:52 +0000 (09:47 +0200)]
tests: introduced basic TLS1.3 key exchange test suite
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 25 Sep 2017 14:26:45 +0000 (16:26 +0200)]
record: adjusted overhead calculation for TLS1.3
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>