git.ipfire.org Git - thirdparty/gnutls.git/log
Nikos Mavrogiannopoulos [Wed, 14 Nov 2018 12:56:52 +0000 (13:56 +0100)]
anti_replay: moved new add function into anti_replay structure
The new function was not sharing anything with the existing
gnutls_db_* backend, and moving it to the anti_replay structure
is cleaner and allows for deviations from the old API
conventions (e.g., now we can pass pointers for efficiency
and pass the expiration time as part of the call).
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 13 Nov 2018 21:49:26 +0000 (22:49 +0100)]
_gnutls_x509_read_eddsa_pubkey(): sanity check the input values
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Tue, 13 Nov 2018 08:24:06 +0000 (09:24 +0100)]
gnutls_x509_privkey_import_ecc_raw(): fail on invalid sizes
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Sun, 11 Nov 2018 07:25:56 +0000 (08:25 +0100)]
tests: verify whether certificate request levels behave consistently
This verifies whether the behavior of GNUTLS_CERT_IGNORE, GNUTLS_CERT_REQUEST
and GNUTLS_CERT_REQUIRE is consistent across protocols.
Relates #615
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sun, 11 Nov 2018 07:52:13 +0000 (08:52 +0100)]
doc: minor updates in elliptic curve documentation
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Wed, 14 Nov 2018 12:42:01 +0000 (13:42 +0100)]
tests: added a test for detecting duplicate early data
Resolves #610
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Dmitry Eremin-Solenikov [Wed, 14 Nov 2018 14:04:56 +0000 (14:04 +0000)]
Merge branch 'pkcs7-ber' into 'master'
pkcs7: allow BER encoding when parsing encapContentInfo.eContent
See merge request gnutls/gnutls!803
Dmitry Eremin-Solenikov [Tue, 13 Nov 2018 22:43:05 +0000 (01:43 +0300)]
tests: add testfile from RFC4134 Section 4.5
Add a test example demonstrating indefinite-length BER encoding of PKCS#7
data.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Dmitry Eremin-Solenikov [Mon, 12 Nov 2018 00:34:31 +0000 (03:34 +0300)]
pkcs7: allow BER encoding when parsing encapContentInfo.eContent
The CMS specification explicitly allows BER encoding in CMS files. RFC 4134
example 4.5 uses BER indefinite encoding.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Nikos Mavrogiannopoulos [Wed, 14 Nov 2018 08:29:17 +0000 (08:29 +0000)]
Merge branch 'tmp-autogen-bak' into 'master'
build: remove autogen .bak files from repository
See merge request gnutls/gnutls!801
Nikos Mavrogiannopoulos [Wed, 14 Nov 2018 08:16:19 +0000 (08:16 +0000)]
Merge branch 'no-session-ticket' into 'master'
configure.ac: drop obsolete info line
Closes #616
See merge request gnutls/gnutls!804
Dmitry Eremin-Solenikov [Tue, 13 Nov 2018 22:49:08 +0000 (01:49 +0300)]
configure.ac: drop obsolete info line
Since 4b567871 there is no `ac_enable_session_tickets` variable, so
let's drop obsolete remnants.
Closes #616
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Noted-by: Dilyan Palauzov
Daiki Ueno [Tue, 13 Nov 2018 09:07:09 +0000 (10:07 +0100)]
build: minor cleanup of mech-list.h generation
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Tue, 13 Nov 2018 09:02:17 +0000 (10:02 +0100)]
README-ci.freebsd.md: require autogen
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Mon, 12 Nov 2018 12:41:19 +0000 (13:41 +0100)]
build: remove autogen .bak files from the repository
While the .bak files are necessary for not requiring autogen on the
deployment environment, they are not needed for development and may
cause conflicts when other developers use different versions of
autogen. This removes those files from the repository and requires
autogen at make dist time.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Mon, 12 Nov 2018 14:48:44 +0000 (15:48 +0100)]
build: use suffix rules for generating .bak files
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Mon, 12 Nov 2018 14:48:14 +0000 (15:48 +0100)]
build: use AM_MISSING_PROG for autogen
That makes the error message more friendly when autogen is not installed
on the development environment.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Nikos Mavrogiannopoulos [Tue, 13 Nov 2018 05:07:01 +0000 (05:07 +0000)]
Merge branch 'tpm12_fix_memory_leak' into 'master'
tpm: Fix memory leak in encode_tpmkey_url
See merge request gnutls/gnutls!800
Stefan Berger [Mon, 12 Nov 2018 14:20:44 +0000 (09:20 -0500)]
tpm: Fix memory leak in encode_tpmkey_url
When returning the key URL in encode_tpm_key_url we do not need to allocate
a separate buffer for the URL since we return the allocated buffer from
_gnutls_buffer_to_datum().
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Daiki Ueno [Mon, 12 Nov 2018 15:54:01 +0000 (15:54 +0000)]
Merge branch 'tmp-0rtt' into 'master'
add support for 0-RTT
Closes #127
See merge request gnutls/gnutls!775
Dmitry Eremin-Solenikov [Mon, 12 Nov 2018 15:41:47 +0000 (15:41 +0000)]
Merge branch 'tmp-f29' into 'master'
.gitlab-ci.yml: move to fedora29 for CI
Closes #607
See merge request gnutls/gnutls!794
Daiki Ueno [Mon, 15 Oct 2018 11:35:43 +0000 (13:35 +0200)]
doc: mention 0-RTT
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Sun, 21 Oct 2018 05:34:07 +0000 (07:34 +0200)]
serv: enable anti-replay when early data is used
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Fri, 19 Oct 2018 15:52:48 +0000 (17:52 +0200)]
TLS 1.3: implement anti-replay measure using ClientHello recording
This implements ClientHello recording outlined in section 8.2 of RFC
8446.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Thu, 1 Nov 2018 14:37:42 +0000 (15:37 +0100)]
db: introduce gnutls_db_set_add_function
This adds a way to store an entry if it is not found in the database,
so that the implementation can provide atomic test-and-set.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Thu, 8 Nov 2018 16:54:11 +0000 (17:54 +0100)]
db: introduce gnutls_db_check_entry_expire_time
This would be particularly useful when the same database is used to
store long-lived TLS 1.2 session data and short-lived TLS 1.3
anti-replay entries. Note that the existing gnutls_db_check_entry
doesn't fit in this use-case, as it takes gnutls_session_t as the
argument.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Mon, 22 Oct 2018 13:26:07 +0000 (15:26 +0200)]
tls13/session_ticket: record timestamp in ticket
This is needed for implementing freshness checks outlined in 8.3 of
RFC 8446.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Thu, 8 Nov 2018 14:46:42 +0000 (15:46 +0100)]
str: suppress compiler warning when time_t is 32-bit
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Mon, 22 Oct 2018 09:12:02 +0000 (11:12 +0200)]
testcompat-tls13-openssl: exercise early data transmission
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Mon, 15 Oct 2018 09:29:56 +0000 (11:29 +0200)]
tests: add tests for early data
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Fri, 12 Oct 2018 11:33:13 +0000 (13:33 +0200)]
cli: add --earlydata option
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Fri, 12 Oct 2018 11:33:00 +0000 (13:33 +0200)]
serv: add --earlydata option
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Fri, 12 Oct 2018 11:34:21 +0000 (13:34 +0200)]
record: introduce new API functions for early data
This introduces gnutls_record_get_max_early_data_size(),
gnutls_record_send_early_data(), and gnutls_record_recv_early_data()
functions.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Fri, 12 Oct 2018 09:45:59 +0000 (11:45 +0200)]
handshake: handle early data
This plumbs early data handling into the handshake process, which
consists of:
- traffic key updates taking into account client_early_traffic_secret
- early data buffering in both server and client
- the EndOfEarlyData message handling
- making use of max_early_data_size extension in NewSessionTicket
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Sun, 28 Oct 2018 06:57:34 +0000 (07:57 +0100)]
session_pack: record max_early_data_size in session data
max_early_data_size sent as part of NST should be recorded and
restored when the session data is set back on the session.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Sun, 28 Oct 2018 06:57:57 +0000 (07:57 +0100)]
record: fix memleak when rejecting early data
The "discard" label previously used assumes that the decrypted record
is already added to record_recv_buffer. It is not the case when
rejecting early data. Release the allocated memory manually and
return early.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Fri, 12 Oct 2018 15:10:51 +0000 (17:10 +0200)]
constate: add epoch_rel argument to _gnutls_epoch_dup
This is necessary for handling early data. Previously,
_gnutls_epoch_dup() copied the parameters from EPOCH_READ_CURRENT,
while the client only sets EPOCH_WRITE_CURRENT when sending early
data. This allows the caller to specify from which epoch the parameters
are copied.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Fri, 12 Oct 2018 09:29:57 +0000 (11:29 +0200)]
handshake: refactor early secret derivation
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Fri, 5 Oct 2018 08:41:23 +0000 (10:41 +0200)]
handshake: record transcript hash for ClientHello
This is necessary to compute client_early_traffic_secret and
early_exporter_master_secret in TLS 1.3.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Fri, 5 Oct 2018 09:13:24 +0000 (11:13 +0200)]
ext/pre_shared_key: use predefined macros for secret labels
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Tim Rühsen [Sat, 10 Nov 2018 19:13:44 +0000 (19:13 +0000)]
Merge branch 'args-std-def' into 'master'
src: args-std.def: substitute variables using configure
Closes #567
See merge request gnutls/gnutls!793
Nikos Mavrogiannopoulos [Sat, 10 Nov 2018 16:09:28 +0000 (16:09 +0000)]
Merge branch 'tmp-remove-gl-memxor' into 'master'
Unconditionally include nettle/memxor.h
Closes #605
See merge request gnutls/gnutls!797
Tim Rühsen [Tue, 6 Nov 2018 08:38:43 +0000 (09:38 +0100)]
Unconditionally include nettle/memxor.h
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
Nikos Mavrogiannopoulos [Sat, 10 Nov 2018 09:54:32 +0000 (10:54 +0100)]
gnutls-cli: use assert to mark impossible path
This prevents static analyzers from complaining.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sat, 10 Nov 2018 06:46:24 +0000 (07:46 +0100)]
pkcs12: cleanups, and two memory leak fixes
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Fri, 9 Nov 2018 06:44:02 +0000 (07:44 +0100)]
tls13: use system's openssl for interop testing
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Fri, 9 Nov 2018 19:11:42 +0000 (20:11 +0100)]
Added checks to avoid false negatives reported by static analyzers
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Dmitry Eremin-Solenikov [Tue, 6 Nov 2018 11:47:41 +0000 (14:47 +0300)]
src: update autogenerated .bak files
Update files to include proper year, version, etc.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Dmitry Eremin-Solenikov [Tue, 6 Nov 2018 11:42:56 +0000 (14:42 +0300)]
src: include .bak files in EXTRA_DIST
Including .bak files in EXTRA_DIST allows us to stop hand-generating
these files in distribution. Instead they are directly copied from the
source tree.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Dmitry Eremin-Solenikov [Tue, 6 Nov 2018 11:34:18 +0000 (14:34 +0300)]
src: update .bak files during -args.c/.h regeneration
To ease updating of .bak files, update them when regenerating
Autogen'erated source files.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Dmitry Eremin-Solenikov [Tue, 6 Nov 2018 09:01:49 +0000 (12:01 +0300)]
doc: fix texi generation in out-of-tree builds
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Dmitry Eremin-Solenikov [Tue, 6 Nov 2018 07:52:47 +0000 (10:52 +0300)]
src: mark autogen'ed sources as nodist_
Mark autogenerated sources as not distributable. We are distributing
.bak files instead.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Dmitry Eremin-Solenikov [Mon, 5 Nov 2018 13:37:02 +0000 (16:37 +0300)]
Makefile.am: drop manpages regeneration from dist-hook
There is no longer any need to regenerate the tools' manpages; they will be
generated automatically from doc/manpages/Makefile.am.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Dmitry Eremin-Solenikov [Mon, 5 Nov 2018 13:22:25 +0000 (16:22 +0300)]
manpages: fix manpages distribution
It seems that dist_man_MANS does not work properly with Automake
conditionals. Automake will not distribute files which are conditionally
disabled in this make run. As released tarballs include all manpages
already, let's include them unconditionally.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Dmitry Eremin-Solenikov [Mon, 5 Nov 2018 12:02:50 +0000 (15:02 +0300)]
manpages: fix tools manpages generation
Pass an additional include path to let autogen find the common arguments
template.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Dmitry Eremin-Solenikov [Mon, 5 Nov 2018 11:53:46 +0000 (14:53 +0300)]
manpages: un-unroll the loop
Replace the unrolled loop over header files with a for-loop to simplify the
Makefile.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Dmitry Eremin-Solenikov [Mon, 5 Nov 2018 11:30:53 +0000 (14:30 +0300)]
configure.ac: merge autogen/libopts checks
Move handling of autogen/libopts to a single place. Enforce usage of
local libopts if autogen is not found.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Dmitry Eremin-Solenikov [Mon, 5 Nov 2018 10:12:51 +0000 (13:12 +0300)]
doc: fix documentation generation in out-of-tree builds
gtk-doc will not process the gnutls.h.in file, so we need to point it to the
generated gnutls.h file, found inside builddir.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Dmitry Eremin-Solenikov [Sun, 4 Nov 2018 21:43:55 +0000 (00:43 +0300)]
cfg.mk: fix ChangeLog generation on out-of-tree builds
ChangeLog regeneration does not work for out-of-tree build, so let's fix
that.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Dmitry Eremin-Solenikov [Sun, 4 Nov 2018 11:29:11 +0000 (14:29 +0300)]
src: args-std.def: substitute variables using configure
Use the standard way (configure script) to substitute variables in the
args-std.def file, instead of manually replacing them in dist-hook.
Fixes #567
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Nikos Mavrogiannopoulos [Fri, 9 Nov 2018 19:07:24 +0000 (20:07 +0100)]
Initialize output var to avoid false negative from static analyzers
This was identified by clang analyzer on _gnutls_x509_dn_to_string
and _gnutls_x509_decode_string.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Mon, 5 Nov 2018 19:51:33 +0000 (20:51 +0100)]
.gitlab-ci.yml: move to fedora29 for CI
This also moves the x86 CI builds to the debian cross infrastructure
as we have a more reliable way of generating a 32-bit image.
Resolves #607
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Stefan Berger [Fri, 2 Nov 2018 22:33:32 +0000 (18:33 -0400)]
tpmtool: Support --srk-well-known for SRK with 20 zero bytes password
Implement --srk-well-known for SRK with 20 zero bytes password.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Dmitry Eremin-Solenikov [Fri, 9 Nov 2018 00:27:34 +0000 (00:27 +0000)]
Merge branch 'tmp-fix-ci-runs' into 'master'
This fixes the recent issue with openssl interop testing in CI
See merge request gnutls/gnutls!798
Nikos Mavrogiannopoulos [Wed, 7 Nov 2018 08:56:56 +0000 (09:56 +0100)]
testcompat-openssl: do not test DSS or small curves with 1.1.1
DSA uses 1024-bit parameters, and these together with curves of
less than 256 bits are not accepted by debian's openssl.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 7 Nov 2018 09:20:32 +0000 (10:20 +0100)]
doc/credentials: increased key size in RSA client cert
This is used by the test suite, and recent openssl in debian requires
larger certificates.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 7 Nov 2018 09:16:10 +0000 (10:16 +0100)]
certtool: allow --update-certificate to replace public key
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 7 Nov 2018 07:37:23 +0000 (08:37 +0100)]
README.md: updated instructions to apply to fedora29
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 2 Nov 2018 13:41:46 +0000 (13:41 +0000)]
Merge branch 'tmp-ignore-ctypes' into 'master'
gnutls_priority_init: ignore CTYPE-OPENPGP options
Closes #593
See merge request gnutls/gnutls!789
Nikos Mavrogiannopoulos [Fri, 2 Nov 2018 06:32:38 +0000 (06:32 +0000)]
Merge branch 'tmp-fix-record-size-limit-tls12' into 'master'
ext/record_size_limit: handle the extension in TLS 1.2 ServerHello
Closes #599
See merge request gnutls/gnutls!791
Nikos Mavrogiannopoulos [Thu, 1 Nov 2018 20:54:22 +0000 (20:54 +0000)]
Merge branch 'ajuaristi-update-docs' into 'master'
Update docs for session ticket key rotation
Closes #581
See merge request gnutls/gnutls!768
Ander Juaristi [Thu, 4 Oct 2018 12:57:47 +0000 (14:57 +0200)]
Update docs for session ticket key rotation [ci skip]
Fix #581.
Signed-off-by: Ander Juaristi <a@juaristi.eus>
Daiki Ueno [Thu, 1 Nov 2018 12:43:17 +0000 (13:43 +0100)]
ext/record_size_limit: handle the extension in TLS 1.2 ServerHello
Previously it had assumed that TLS 1.2 servers don't send the
extension, while actually it can be present in ServerHello.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Nikos Mavrogiannopoulos [Tue, 30 Oct 2018 18:56:47 +0000 (19:56 +0100)]
gnutls_priority_init: ignore CTYPE-OPENPGP options
In GnuTLS 3.6.0 we dropped support for openpgp keys, however
the CTYPE-OPENPGP is often seen in applications, sometimes
as -CTYPE-OPENPGP to ensure it is not enabled. We simply
ignore this priority string when seen, to avoid preventing
these applications from running.
Resolves #593
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Tue, 30 Oct 2018 18:46:09 +0000 (19:46 +0100)]
gnutls_priority_init: fixed indentation according to project rules
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Wed, 31 Oct 2018 09:34:52 +0000 (09:34 +0000)]
Merge branch 'tmp-fix-priority-set' into 'master'
gnutls_priority_set: do not override the version after handshake is complete
See merge request gnutls/gnutls!777
Nikos Mavrogiannopoulos [Fri, 19 Oct 2018 10:04:29 +0000 (12:04 +0200)]
gnutls_priority_set: re-organized
The sanity tests were moved prior to setting these priorities,
and the %GNUTLS_E_NO_PRIORITIES_WERE_SET error code is returned
consistently to indicate that the existing priorities were not
overwritten.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 17 Oct 2018 12:53:47 +0000 (14:53 +0200)]
gnutls_priority_set: do not override the version after handshake is complete
When an application would re-set priorities prior to a rehandshake
we would override the negotiated version with the highest supported,
something which may lead to issues. This disables that unnecessary
version override. See:
https://bugzilla.redhat.com/show_bug.cgi?id=1634736
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 30 Oct 2018 09:28:20 +0000 (10:28 +0100)]
gnutls-serv: use default priorities when none are given
This makes it on par with gnutls-cli.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Dmitry Eremin-Solenikov [Tue, 30 Oct 2018 08:14:50 +0000 (08:14 +0000)]
Merge branch 'tmp-cli-reduce-output' into 'master'
gnutls-cli: reduce printed session information
See merge request gnutls/gnutls!784
Dmitry Eremin-Solenikov [Mon, 29 Oct 2018 16:04:36 +0000 (16:04 +0000)]
Merge branch 'gost-selfcheck' into 'master'
self-tests: add GOST public key tests
Closes #492
See merge request gnutls/gnutls!788
Dmitry Eremin-Solenikov [Sun, 28 Oct 2018 22:42:28 +0000 (01:42 +0300)]
self-tests: add GOST public key tests
Test vectors provided in the standard are not that useful (they use
unsupported curves with a != -3), so these test vectors were generated
by hand.
Fixes #492
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Nikos Mavrogiannopoulos [Mon, 29 Oct 2018 06:24:01 +0000 (07:24 +0100)]
NEWS: added CMAC entries [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Dmitry Eremin-Solenikov [Mon, 29 Oct 2018 00:48:55 +0000 (00:48 +0000)]
Merge branch 'cmac' into 'master'
Add support for AES CMAC mac
Closes #351
See merge request gnutls/gnutls!786
Simo Sorce [Sun, 28 Oct 2018 16:19:46 +0000 (12:19 -0400)]
Add NEWS entry about AES-CMAC
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Fri, 26 Oct 2018 20:55:27 +0000 (16:55 -0400)]
Add selftests for CMAC
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Fri, 26 Oct 2018 17:38:13 +0000 (13:38 -0400)]
Vendor in CMAC functionality from Nettle
If nettle's CMAC is not available, use a vendored-in version from master.
This is necessary as long as we need to link against 3.4 for ABI
compatibility reasons.
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Fri, 26 Oct 2018 17:22:23 +0000 (13:22 -0400)]
Add CMAC Support
Signed-off-by: Simo Sorce <simo@redhat.com>
Nikos Mavrogiannopoulos [Sun, 28 Oct 2018 16:41:18 +0000 (16:41 +0000)]
Merge branch 'gost-selfcheck' into 'master'
Selftests for symmetric GOST algorithms
See merge request gnutls/gnutls!787
Dmitry Eremin-Solenikov [Sun, 28 Oct 2018 12:44:15 +0000 (15:44 +0300)]
NEWS: Add entry mentioning fix of S-BOXes for CryptoPro-B,-C,-D variants
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Dmitry Eremin-Solenikov [Sun, 28 Oct 2018 07:13:00 +0000 (10:13 +0300)]
self-tests: add GOST symmetric algorithms tests
Add tests for:
- GOST 28147-89 CFB cipher
- GOST R 34.11-94 hash function
- Streebog-256/-512 hash functions
- HMAC using GOST R 34.11-94/Streebog functions
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Dmitry Eremin-Solenikov [Sun, 28 Oct 2018 07:11:21 +0000 (10:11 +0300)]
nettle: fix s-boxes selection for rare GOST 28147-89 variants
gost28147-89 code contained a c&p error, which resulted in using the
CryptoPro-A S-BOX instead of -B, -C, -D. Fix that.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Nikos Mavrogiannopoulos [Fri, 26 Oct 2018 20:50:52 +0000 (22:50 +0200)]
doc update [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Dmitry Eremin-Solenikov [Fri, 26 Oct 2018 14:15:16 +0000 (14:15 +0000)]
Merge branch 'cfb8' into 'master'
Add support for AES CFB8 cipher
Closes #357
See merge request gnutls/gnutls!783
Nikos Mavrogiannopoulos [Fri, 26 Oct 2018 13:43:22 +0000 (13:43 +0000)]
Merge branch 'tmp-session-ticket-timestamp' into 'master'
TLS 1.3: calculate ticket age based on higher precision time
See merge request gnutls/gnutls!785
Daiki Ueno [Wed, 24 Oct 2018 11:08:45 +0000 (13:08 +0200)]
ext/pre_shared_key: don't assume ob_ticket_age < ticket_age_add
Previously, the server treated the condition as an error, while it is
possible that ob_ticket_age may have wrapped around by 2^32.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Thu, 25 Oct 2018 10:32:52 +0000 (12:32 +0200)]
tls13/session_ticket: calculate ticket_age in milliseconds
Previously we calculated ticket age from the current wall clock in
seconds, multiplying by 1000. This is conceptually wrong, because
ticket age is designed to be in milliseconds.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Fri, 26 Oct 2018 06:18:01 +0000 (08:18 +0200)]
str: add macros to encode/decode struct timespec value
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Thu, 25 Oct 2018 11:47:13 +0000 (13:47 +0200)]
system: provide a means to replace gettime implementation
While gettime() is extensively used in the code, the library
previously hadn't provided a way to replace it for testing. This adds
a new internal function _gnutls_global_set_gettime_function and makes
use of it through virt-time.h.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Simo Sorce [Wed, 24 Oct 2018 19:45:23 +0000 (15:45 -0400)]
Add selftest for CFB8