git.ipfire.org Git - thirdparty/gnutls.git/log
Nikos Mavrogiannopoulos [Fri, 6 Oct 2017 09:16:17 +0000 (11:16 +0200)]
handshake: treat reply to HRR as a reply to hello verify request
That is, re-use the client random value on the client hello which
is a reply to a hello retry request.
Relates #299
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 6 Oct 2017 08:18:33 +0000 (10:18 +0200)]
tests: added key share behavioral test
This verifies whether the gnutls_init() flags GNUTLS_KEY_SHARE_TOP,
GNUTLS_KEY_SHARE_TOP2, GNUTLS_KEY_SHARE_TOP3 behave as advertised.
Resolves #284
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 6 Oct 2017 07:05:20 +0000 (09:05 +0200)]
key share: added flags to gnutls_init() to modify its default behavior
That way the application can adjust the range of keys generated
during client hello attempting to guess the server's algorithm.
Applications are intentionally not given the option to select the
algorithm in the key share, but rather choose from the prioritized
list of groups, to avoid a disconnect between the prioritized
groups, and the key share sent.
Relates #284
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 2 Nov 2017 14:40:24 +0000 (15:40 +0100)]
handshake: initialize buffer prior to use
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 4 Oct 2017 08:55:48 +0000 (10:55 +0200)]
tests: added tests for TLS1.2- rollback detection
That is, tests which check
* whether the server's generated values under TLS1.2- match the expected
* whether the client would fail on negotiation if the rollback values are detected
Resolves #293
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 4 Oct 2017 08:33:11 +0000 (10:33 +0200)]
_gnutls_set_server_random: corrected TLS1.2 and TLS1.1 rollback detection
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 3 Oct 2017 09:08:04 +0000 (11:08 +0200)]
extensions: renamed _gnutls_hello_ext_*sdata to _gnutls_hello_ext_*priv
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 3 Oct 2017 07:35:52 +0000 (09:35 +0200)]
server_name: use the new API for ext data setting
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 3 Oct 2017 06:58:59 +0000 (08:58 +0200)]
extensions: enhanced extension lib with pack and unpack functions
That allows the functionality to be used for the majority of extensions.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 3 Oct 2017 06:41:51 +0000 (08:41 +0200)]
tests: check the correct handling of cookie extension in client side
Resolves #218
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 3 Oct 2017 06:39:58 +0000 (08:39 +0200)]
extensions: allow receiving and sending extensions which were not advertised by client side
That is needed due to the special treatment of the cookie extension,
which is sent by the server in HRR even if it was not advertised by
the client.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 29 Sep 2017 14:41:09 +0000 (16:41 +0200)]
extensions: optimized gid_to_ext_entry() map on known extensions
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 29 Sep 2017 14:23:10 +0000 (16:23 +0200)]
extensions: avoid double loop when parsing received extensions
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 29 Sep 2017 13:40:36 +0000 (15:40 +0200)]
extensions: avoid looping to discover location of saved data
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 29 Sep 2017 13:16:04 +0000 (15:16 +0200)]
handshake: added support for reading and sending cookie extension
That introduces an internal API to associate data to an extension.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 13 Nov 2017 07:45:09 +0000 (08:45 +0100)]
doc: document the GNUTLS_E_NO_COMMON_KEY_SHARE usage
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Fri, 29 Sep 2017 09:58:25 +0000 (11:58 +0200)]
tests: added unit test for hello retry request support
Resolves #285
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 29 Sep 2017 12:24:54 +0000 (14:24 +0200)]
tests: rehandshake tests were restricted to TLS1.2
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 29 Sep 2017 12:11:34 +0000 (14:11 +0200)]
handshake: reduce assert printouts in common cases
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 29 Sep 2017 08:10:48 +0000 (10:10 +0200)]
handshake: accept hello retry request in client side
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 29 Sep 2017 07:08:59 +0000 (09:08 +0200)]
buf: _gnutls_buffer_pop_data made easier to use
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 29 Sep 2017 07:01:41 +0000 (09:01 +0200)]
handshake: simplified version parsing
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 21 Sep 2017 14:40:43 +0000 (16:40 +0200)]
handshake: send hello retry request when no key share matches
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 29 Sep 2017 10:54:38 +0000 (12:54 +0200)]
ext: do not advertise post handshake authentication
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 29 Sep 2017 06:21:54 +0000 (08:21 +0200)]
tests: check TLS1.3 record layer packet modification
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 28 Sep 2017 05:50:42 +0000 (07:50 +0200)]
handshake: split set_client_random to gen and set
This aligns with set_server_random() and gen_server_random().
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Thu, 28 Sep 2017 05:47:40 +0000 (07:47 +0200)]
handshake: only attempt to detect downgrade attacks if TLS1.3 is supported
Otherwise, connections under TLS 1.2 may fail, even if the client never enabled
TLS 1.3 support.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Wed, 27 Sep 2017 13:10:07 +0000 (15:10 +0200)]
nettle/pk: explicitly mark intentional fallthrough in switch cases
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 22 Sep 2017 14:59:31 +0000 (16:59 +0200)]
key share: removed duplicate message
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 27 Sep 2017 06:20:10 +0000 (08:20 +0200)]
tests: fix warning in rng-sigint.c
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 27 Sep 2017 06:58:26 +0000 (08:58 +0200)]
tests: improved tls-session-supplemental
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 26 Sep 2017 14:44:39 +0000 (16:44 +0200)]
kx: moved to new buffer API
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 26 Sep 2017 13:38:58 +0000 (15:38 +0200)]
handshake: moved to the new mbuffer API
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 26 Sep 2017 10:54:18 +0000 (12:54 +0200)]
handshake: use the new buffer type in TLS 1.3
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 26 Sep 2017 09:57:18 +0000 (11:57 +0200)]
handshake: new helper functions to use gnutls_buffer_st to generate mbuffers
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 26 Sep 2017 08:29:15 +0000 (10:29 +0200)]
tlsfuzzer: disable non TLS1.3-ready tests
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 25 Sep 2017 14:28:38 +0000 (16:28 +0200)]
tests: added tests for TLS1.3 record generation / parsing
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 25 Sep 2017 07:47:52 +0000 (09:47 +0200)]
tests: introduced basic TLS1.3 key exchange test suite
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 25 Sep 2017 14:26:45 +0000 (16:26 +0200)]
record: adjusted overhead calculation for TLS1.3
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 25 Sep 2017 12:49:23 +0000 (14:49 +0200)]
priority: include groups into priority when having a TLS1.3-only session
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 25 Sep 2017 07:46:32 +0000 (09:46 +0200)]
priority: do include all the version's signature semantics
This resolves an issue which prevented handling certain types
of TLS1.3-only signatures, depending on the order of enabled
protocols.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 25 Sep 2017 07:32:25 +0000 (09:32 +0200)]
ext/key_share: corrected release of MPI parameters
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 25 Sep 2017 07:28:45 +0000 (09:28 +0200)]
ext/signature: explicitly prevent RSA/DSA and SHA1 signatures on TLS1.3
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 22 Sep 2017 14:55:36 +0000 (16:55 +0200)]
hello ext: reduce verbosity
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 22 Sep 2017 09:10:56 +0000 (11:10 +0200)]
constate.h: removed non-existing function
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 22 Sep 2017 08:55:43 +0000 (10:55 +0200)]
record: any alert is fatal under TLS1.3
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 18 Sep 2017 12:49:24 +0000 (14:49 +0200)]
extensions: introduced functions to obtain currently parsed message
This allows the extension handling code to operate differently
on different messages.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 21 Sep 2017 07:30:39 +0000 (09:30 +0200)]
supported_versions: print the received versions
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 21 Sep 2017 10:58:51 +0000 (12:58 +0200)]
handshake: introduced server side handshake [2/2]
That is, send server certificate verify and receive
certificate and certificate verify messages. In addition
introduced flags to mark the expected, or sent messages.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 21 Sep 2017 08:21:26 +0000 (10:21 +0200)]
cs: select certificate under TLS1.3
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 21 Sep 2017 07:53:47 +0000 (09:53 +0200)]
handshake: introduced server side handshake [1/2]
That is, send certificate request and certificate in server side
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 21 Sep 2017 07:50:10 +0000 (09:50 +0200)]
ciphersuites: introduce a maximum supported TLS/DTLS version
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 21 Sep 2017 07:41:37 +0000 (09:41 +0200)]
handshake: properly set the default record version
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 20 Sep 2017 14:07:39 +0000 (16:07 +0200)]
handshake: send encrypted extensions handshake message
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 15 Sep 2017 11:54:25 +0000 (13:54 +0200)]
handshake: parse new session ticket message
That does not include extension handling.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 20 Sep 2017 13:33:16 +0000 (15:33 +0200)]
str: added _gnutls_buffer_pop_prefix24 and _gnutls_buffer_pop_prefix8
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 27 Sep 2017 13:07:04 +0000 (15:07 +0200)]
str: use assert to mark impossible cases
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 20 Sep 2017 13:21:16 +0000 (15:21 +0200)]
str: allow creating a read-only buffer
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 20 Sep 2017 11:43:14 +0000 (13:43 +0200)]
gnutls_session_get_desc: more descriptive name for TLS1.3 ciphersuites
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 15 Sep 2017 07:11:37 +0000 (09:11 +0200)]
handshake: generate application keys
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 15 Sep 2017 06:30:52 +0000 (08:30 +0200)]
constate: added _gnutls_epoch_dup
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 15 Sep 2017 05:59:21 +0000 (07:59 +0200)]
constate: indentation fixes
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 14 Sep 2017 08:22:36 +0000 (10:22 +0200)]
handshake: added basic support for TLS 1.3 handshake in client side
That does not include support for client certificates as it
requires extension handling improvements in order for extensions
to be context sensitive (now they cannot distinguish whether the
parsing routine is called during client hello or certificate request
reading)
This does not include proper parsing of extensions present in
the certificate message.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 13 Sep 2017 12:19:12 +0000 (14:19 +0200)]
handshake: added parsing of encrypted extensions
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 25 Sep 2017 08:44:43 +0000 (10:44 +0200)]
crypto-api: introduce internal version of AEAD API
This allows to initialize the TLS 1.3 connection state without
additional allocations as required by the external API.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 11 Aug 2017 13:16:51 +0000 (15:16 +0200)]
record: added TLS 1.3 record parsing and key derivation
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 18 Jul 2017 11:48:13 +0000 (13:48 +0200)]
handshake: introduced TLS 1.3 handshake client state machine outline
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 20 Sep 2017 09:56:28 +0000 (11:56 +0200)]
extensions: separate the hello extensions from others
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 20 Sep 2017 09:51:10 +0000 (11:51 +0200)]
hello_ext.h: removed non-existent function definition
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 20 Sep 2017 09:48:30 +0000 (11:48 +0200)]
extensions: files renamed to hello_ext
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 20 Sep 2017 09:46:55 +0000 (11:46 +0200)]
extensions: renamed hello extension handling functions appropriately
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 20 Sep 2017 09:40:54 +0000 (11:40 +0200)]
extensions: simplified semantics of store and check functions
That is, _gnutls_extension_list_check was made a boolean function,
and both were renamed to more appropriate names such as,
_gnutls_hello_ext_is_present, _gnutls_hello_ext_save.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 20 Sep 2017 09:30:12 +0000 (11:30 +0200)]
extension: renamed functions to reflect purpose
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 20 Sep 2017 08:05:53 +0000 (10:05 +0200)]
extensions: use the low-level extension parsing code for hello parsing
That's a step towards unification of TLS-type extension handling
for TLS 1.3.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 20 Sep 2017 07:46:34 +0000 (09:46 +0200)]
extv: introduced a low-level extension parsing code
This will simplify the parsing and handling of extensions throughout
the TLS 1.3 message contents.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 19 Sep 2017 10:58:56 +0000 (12:58 +0200)]
extensions: simplified the extension tracking
Instead of keeping a list of the received TLS extension IDs, use the bits
in a variable to mark the received extensions. That reduces the
overall memory usage due to extension tracking.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 19 Sep 2017 10:48:14 +0000 (12:48 +0200)]
extensions: use an internal extension ID independent of the TLS id
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 15 Sep 2017 12:46:13 +0000 (14:46 +0200)]
str: rename _gnutls_buffer_pop_prefix to _gnutls_buffer_pop_prefix32
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 15 Sep 2017 12:45:20 +0000 (14:45 +0200)]
str: rename _gnutls_buffer_pop_datum_prefix to _gnutls_buffer_pop_datum_prefix32
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 14 Sep 2017 12:10:14 +0000 (14:10 +0200)]
security params: store PRF when packing session
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 14 Sep 2017 12:03:43 +0000 (14:03 +0200)]
handshake: simplify by storing a pointer to PRF mac entry
That way, we avoid multiple function calls to obtain information
such as hash size, and other MAC properties.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 14 Sep 2017 10:13:09 +0000 (12:13 +0200)]
ext/signature: improved TLS 1.3 signature algorithm negotiation
That is, we introduce a simpler way to handle multiple versions
of a single signature algorithm.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 14 Sep 2017 09:21:51 +0000 (11:21 +0200)]
str: added helper functions to read prefixed data with 8 or 16-bit headers
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 14 Sep 2017 07:44:58 +0000 (09:44 +0200)]
ecc: do not warn on receiving extension on client side
This extension can be received used under TLS 1.3 on the client side.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 14 Aug 2017 12:30:07 +0000 (14:30 +0200)]
Added TLS 1.3 HKDF key derivation functionality
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 12 Sep 2017 08:30:59 +0000 (10:30 +0200)]
extensions: include extension number in debugging message
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 12 Sep 2017 08:12:41 +0000 (10:12 +0200)]
tests: check behavior on the extension hello flags
That is, verify whether the various combinations of
GNUTLS_EXT_FLAG_CLIENT_HELLO,
GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO,
GNUTLS_EXT_FLAG_TLS13_SERVER_HELLO
work as expected with regards to sending and receiving
extensions.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 11 Sep 2017 08:26:44 +0000 (10:26 +0200)]
extensions: apply extension msg type restrictions
That is, on the extension parsing functions ensure that
no extensions which are not valid for the currently
received message are parsed.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Mon, 11 Sep 2017 08:13:07 +0000 (10:13 +0200)]
extensions: mark the message validity of each supported extension
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Mon, 11 Sep 2017 07:50:58 +0000 (09:50 +0200)]
extensions: type renamed to id for clarity
We were previously using the variable named 'type' to indicate the
extension ID. With TLS 1.3, extensions are also given an applicability
type (which message the extension applies to), and thus renamed the
variable for clarity.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Tue, 12 Sep 2017 06:03:59 +0000 (08:03 +0200)]
tests: guile: don't use VERS-TLS-ALL
That is, avoid enabling experimental protocols.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 12 Sep 2017 06:00:00 +0000 (08:00 +0200)]
.gitlab-ci.yml: abi-coverage: include guile logs
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 14 Aug 2017 07:20:25 +0000 (09:20 +0200)]
nettle: added HKDF functions
They are being included conditionally depending on the RSA-PSS feature
(RSA-PSS and HKDF are expected to be introduced at the same version).
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 11 Sep 2017 13:54:40 +0000 (15:54 +0200)]
gnutls-cli-debug: use explicit TLS versions rather than TLS-ALL
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 15 Aug 2017 13:37:04 +0000 (15:37 +0200)]
_gnutls_server_select_suite: don't set auth callbacks for TLS 1.3
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 15 Aug 2017 09:00:27 +0000 (11:00 +0200)]
supported_versions: print negotiated protocol
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 18 Jul 2017 13:35:21 +0000 (15:35 +0200)]
Negotiate draft-TLS1.3
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 18 Jul 2017 12:14:58 +0000 (14:14 +0200)]
handshake: added the TLS 1.3 ciphersuites
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 11 Sep 2017 09:45:39 +0000 (11:45 +0200)]
handshake: print negotiated version after its negotiation (for TLS1.3)
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Mon, 11 Sep 2017 09:33:31 +0000 (11:33 +0200)]
tests: fix TLS version to 1.2 for tests which used VERS-TLS-ALL
This allows the test suite to run, even when TLS1.3 is still
experimental.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>