git.ipfire.org Git - thirdparty/gnutls.git/log
Tom Vrancken [Tue, 22 May 2018 09:22:42 +0000 (11:22 +0200)]
Fixed some spelling issues. [ci skip]
Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>
Tom Vrancken [Mon, 21 May 2018 19:58:55 +0000 (21:58 +0200)]
Added extra extension flag to docs.
Added description of default pack and unpack functions.
Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>
Tom Vrancken [Mon, 21 May 2018 07:44:16 +0000 (09:44 +0200)]
Removed section about Heartbleed.
Referenced new functions _gnutls_hello_ext_set_datum / _gnutls_hello_ext_get_datum for manipulating extension data.
Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>
Tom Vrancken [Sun, 20 May 2018 08:23:36 +0000 (10:23 +0200)]
Fixed typo and incorrect function references.
Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>
Tom Vrancken [Sat, 19 May 2018 20:22:29 +0000 (22:22 +0200)]
Updated documentation on Hello extensions.
Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>
Nikos Mavrogiannopoulos [Mon, 21 May 2018 11:45:11 +0000 (11:45 +0000)]
Merge branch 'tmp-pkcs11-raw' into 'master'
gnutls_pkcs11_token_get_ptr, gnutls_pkcs11_obj_get_ptr: introduced
See merge request gnutls/gnutls!640
Nikos Mavrogiannopoulos [Sat, 19 May 2018 09:30:35 +0000 (11:30 +0200)]
pkcs11: consistent/clear naming of find obj callbacks and structs
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Fri, 18 May 2018 09:04:34 +0000 (11:04 +0200)]
updated auto-generated files
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 18 May 2018 07:19:16 +0000 (09:19 +0200)]
gnutls_pkcs11_token_get_ptr, gnutls_pkcs11_obj_get_ptr: introduced
This allows an application to open a PKCS#11 token using a URI,
and use it directly, bypassing gnutls. That is useful to take
advantage of PKCS#11 functionality not wrapped by gnutls but
still use PKCS#11 URIs to identify the token.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Sat, 19 May 2018 10:47:16 +0000 (12:47 +0200)]
CONTRIBUTING.md: document why gnulib is kept separate [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Martin Sucha [Fri, 18 May 2018 16:52:41 +0000 (18:52 +0200)]
certtool: split long prompt for serial
Signed-off-by: Martin Sucha <anty.sk+git@gmail.com>
Martin Sucha [Fri, 18 May 2018 11:00:43 +0000 (13:00 +0200)]
doc: add note about CRL numbers to man page
Signed-off-by: Martin Sucha <anty.sk+git@gmail.com>
Martin Sucha [Fri, 18 May 2018 10:35:39 +0000 (12:35 +0200)]
certtool: ask again until serial/crl number is valid
Signed-off-by: Martin Sucha <anty.sk+git@gmail.com>
Martin Sucha [Fri, 18 May 2018 09:39:53 +0000 (11:39 +0200)]
tests: remove check for broken datefudge
This check is not necessary with Fedora 28 build image
currently used for CI as it contains datefudge 1.22
as well.
Signed-off-by: Martin Sucha <anty.sk+git@gmail.com>
Martin Sucha [Fri, 18 May 2018 08:43:26 +0000 (10:43 +0200)]
certtool: remove extra function
I did not notice strip_nl previously.
Signed-off-by: Martin Sucha <anty.sk+git@gmail.com>
Martin Sucha [Fri, 18 May 2018 08:31:30 +0000 (10:31 +0200)]
tests: add negative tests for certtool crl numbers
Signed-off-by: Martin Sucha <anty.sk+git@gmail.com>
Martin Sucha [Sun, 13 May 2018 21:28:33 +0000 (23:28 +0200)]
doc: add NEWS about serial and CRL numbers
Signed-off-by: Martin Sucha <anty.sk+git@gmail.com>
Martin Sucha [Sun, 13 May 2018 21:04:29 +0000 (23:04 +0200)]
doc: add hex format to example template
Signed-off-by: Martin Sucha <anty.sk+git@gmail.com>
Martin Sucha [Thu, 17 May 2018 10:31:01 +0000 (12:31 +0200)]
certtool: use larger serial and CRL numbers
Serial/CRL numbers can be up to 20 octets in length
as per RFC 5280, so it should be possible to use
such numbers as input to certtool. certtool
only allowed to specify 63-bit numbers in
template file or interactively (even though
it generated larger numbers in batch mode
by default).
This patch allows large numbers to be specified
as a hexadecimal string. Parsing of decimal numbers
larger than native integers would require adding
dependency on libgmp directly to certtool or
extending the API exposed by GnuTLS library with parsing
functions. Since most tools (including GnuTLS) display
serial numbers in hexadecimal, it is not worth the
trouble to support large decimal numbers.
Default values are unified between batch mode and
interactive input and their size is extended.
CA/Browser forum recommends CAs to include at least
64 bits of random data in the certificate serial
numbers in Baseline Requirements[1] section 7.1, but
gnutls adds only 32 bits. Some other
implementations generate default serial numbers
with more entropy as well, here is the current state
as of May 2018:
+----------------+-------------------------------+
| Implementation | Random bits in default serial |
+----------------+-------------------------------+
| OpenSSL [2]    | 159                           |
| CFSSL [3]      | 159                           |
| wolfSSL [4]    | 128                           |
| GnuTLS         | 32                            |
| Mbed TLS [5]   | 0 (defaults to 1)             |
+----------------+-------------------------------+
The 20 octet field size can fit numbers up to 159 bits
since the most significant bit must be zero as numbers
in DER encoding are in two's complement and the serial
and CRL numbers must be positive.
Default serial numbers are extended to full 159 bits
allowed by the field size and are completely random,
which matches other implementations.
CRL numbers have the same size requirements, but also
need to be monotonic (RFC 5280, section 5.2.3). That's
why timestamp is used in them. The timestamp portion
is extended from 31 bits to 39 bits as 31 bits will
overflow in year 2038. The rest of the available space
up to 159 bits allowed in the 20 octet limit is filled
with random bits.
Since the new CRL numbers are larger, the requirement for them
to be monotonically increasing is preserved when upgrading to a
newer version. This does not hold the other way around though,
so after using a newer version of certtool to generate a CRL
with default number and publishing it, it's not possible
to use older version anymore to generate subsequent CRLs.
Unfortunately, there is no easy workaround for users of older
certtool, since it is not possible to specify CRL numbers
greater than 63 bits manually prior to this change.
Users intending to downgrade to older version later are advised
to specify the CRL numbers in new version of certtool
manually with values that are smaller than what would get
generated by default in the old version.
grep does not recognize CRLF line endings generated
in tests using MinGW, so we need to convert those to
LF endings for $ in the regex to match test output
correctly.
datefudge 1.21 that is present in Fedora 26
image trims the timestamp to 32 bits. That bug was
fixed in datefudge 1.22 available in the Debian image,
so we check if datefudge behaves correctly
and skip the test that uses more than 32 bits if
datefudge is broken.
[1] https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.2.pdf
[2] https://github.com/openssl/openssl/blob/6ebb49f3f9c9333611192561979bb799fa1eb76d/apps/apps.c#L1513
[3] https://github.com/cloudflare/cfssl/blob/5d63dbd981b5c408effbb58c442d54761ff94fbd/signer/local/local.go#L295
[4] https://github.com/wolfSSL/wolfssl/blob/d60b16c5b8c19cc61db4a5c3f5e085a7a158cd28/wolfcrypt/src/asn.c#L9791
[5] https://github.com/ARMmbed/mbedtls/blob/84a1107818aaddfd2abe4c5a3478cf84ab2e26b4/programs/x509/cert_write.c#L81
Signed-off-by: Martin Sucha <anty.sk+git@gmail.com>
Nikos Mavrogiannopoulos [Fri, 18 May 2018 13:48:13 +0000 (13:48 +0000)]
Merge branch 'tmp-prohibit-tls-dtls-mix' into 'master'
Added the notion of TLS-only and DTLS-only extensions
Closes #440
See merge request gnutls/gnutls!634
Nikos Mavrogiannopoulos [Mon, 7 May 2018 07:52:32 +0000 (09:52 +0200)]
handshake: do not send TLS extensions under DTLS and vice versa
That is, introduce the notion of TLS-only and DTLS-only extensions,
providing a framework to prevent sending extensions which are registered
for example for TLS 1.3, under DTLS and vice versa.
Resolves #440
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 7 May 2018 09:51:41 +0000 (11:51 +0200)]
gnutls_ext_raw_parse: introduced GNUTLS_EXT_RAW_FLAG_DTLS_CLIENT_HELLO
This allows parsing extensions from a DTLS client hello.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 16 May 2018 13:32:35 +0000 (15:32 +0200)]
tests: fix serv location in testcompat-main-openssl
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Andreas Metzler [Sun, 13 May 2018 12:39:14 +0000 (14:39 +0200)]
tests/suite: add missing file to dist
Signed-off-by: Andreas Metzler <ametzler@bebt.de>
Andreas Metzler [Sun, 13 May 2018 12:33:17 +0000 (14:33 +0200)]
Allow running of test against installed gnutls-serv
Signed-off-by: Andreas Metzler <ametzler@bebt.de>
Nikos Mavrogiannopoulos [Fri, 4 May 2018 12:55:21 +0000 (14:55 +0200)]
gnutls_certificate_set_retrieve_function3: updated documentation
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 2 May 2018 12:30:24 +0000 (14:30 +0200)]
updated auto-generated files
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Sun, 29 Apr 2018 13:16:35 +0000 (15:16 +0200)]
pcert: added functionality to retrieve lists
That introduces gnutls_pcert_list_import_x509_file() and
gnutls_x509_crt_list_import_url().
Resolves #373
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sat, 12 May 2018 08:10:28 +0000 (10:10 +0200)]
tests: sanity-cpp: fixes for win32
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sat, 12 May 2018 07:51:59 +0000 (09:51 +0200)]
.gitlab-ci.yml: bumped version of cache due to addition of CXXFLAGS
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sat, 12 May 2018 07:04:28 +0000 (09:04 +0200)]
tests: fix failures in cxx example
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sat, 12 May 2018 06:47:15 +0000 (08:47 +0200)]
cxx: bring few modern functions, and allow to get the raw session
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sat, 12 May 2018 06:55:32 +0000 (06:55 +0000)]
Merge branch 'master' into 'master'
New C++ interfaces for passing flags while construction
Closes #438
See merge request gnutls/gnutls!637
Philippe Widmer [Thu, 10 May 2018 14:44:58 +0000 (16:44 +0200)]
New constructors for classes client_session() and server_session() provide passing flags. Closes #438.
Signed-off-by: Philippe Widmer <pw@earthwave.ch>
Nikos Mavrogiannopoulos [Thu, 10 May 2018 11:38:32 +0000 (13:38 +0200)]
tests: mini-record-timing: updated to work under newer gnutls [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 10 May 2018 03:49:07 +0000 (05:49 +0200)]
tests: key_update: improved error checking and increased timeout
That is to avoid reaching the maximum number of key updates per second.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sat, 5 May 2018 20:31:39 +0000 (22:31 +0200)]
.gitlab-ci.yml: moved fedora CI builds to F28
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sat, 5 May 2018 21:21:16 +0000 (23:21 +0200)]
tests: testcompat-openssl: disable DSS ciphersuites under SSL3.0
Previously if openssl wouldn't support DSS, we would only disable
DSS under TLS1.0 or later, not under SSL 3.0. This fixes interoperability
with Fedora28 openssl.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Mon, 7 May 2018 06:12:12 +0000 (08:12 +0200)]
Makefile.am: optimized the abi-check configure step
Also ensured that the same build flags are applied in both builds
for ABI checking.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Sat, 5 May 2018 21:15:06 +0000 (23:15 +0200)]
several updates to address issues found by clang static analyzer
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sat, 5 May 2018 20:51:26 +0000 (22:51 +0200)]
nettle: fix casts which result in warnings in newer gcc
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Mon, 7 May 2018 19:58:30 +0000 (21:58 +0200)]
tests: updated for GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER from handshake
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Mon, 7 May 2018 19:49:16 +0000 (21:49 +0200)]
handshake: use GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER consistently
Also treat GNUTLS_E_ILLEGAL_PARAMETER as a synonym if returned during
a connection.
Relates #442
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Mon, 7 May 2018 19:42:44 +0000 (21:42 +0200)]
CONTRIBUTING.md: documented status of C++ library [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Mon, 7 May 2018 08:50:30 +0000 (10:50 +0200)]
tests: cookie: fixed exit condition [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 7 May 2018 13:39:30 +0000 (15:39 +0200)]
doc update [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 7 May 2018 06:17:09 +0000 (08:17 +0200)]
.gitlab-ci.yml: fixes in win32 builds
Relates #439
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 4 May 2018 06:39:30 +0000 (08:39 +0200)]
certtool: honor --ask-pass when loading a private key
This also improves the password prompt when the password requested
is not for a smart card.
Resolves: #436
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Michael Weiser [Fri, 27 Apr 2018 13:35:30 +0000 (15:35 +0200)]
.gitlab-ci.yml: Disable full test suite for cross builds
Disable the full test suite for cross CI builds to speed them up.
Signed-off-by: Michael Weiser <michael.weiser@gmx.de>
Michael Weiser [Wed, 25 Apr 2018 14:54:27 +0000 (16:54 +0200)]
.gitlab-ci.yml: Expire all build log artifacts
Signed-off-by: Michael Weiser <michael.weiser@gmx.de>
Michael Weiser [Wed, 28 Mar 2018 20:47:01 +0000 (22:47 +0200)]
Use configured CC for pkg-config test
Using the configured compiler aids in running the test suite under qemu
or in a multilib scenario.
Signed-off-by: Michael Weiser <michael.weiser@gmx.de>
Michael Weiser [Mon, 19 Mar 2018 18:02:12 +0000 (19:02 +0100)]
Add Debian-based qemu cross CI targets
Signed-off-by: Michael Weiser <michael.weiser@gmx.de>
Nikos Mavrogiannopoulos [Sat, 5 May 2018 20:38:56 +0000 (22:38 +0200)]
updated-auto-generated files
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sat, 5 May 2018 20:17:15 +0000 (22:17 +0200)]
fuzzer: added fresh TLS1.3 server trace
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sat, 5 May 2018 19:59:13 +0000 (21:59 +0200)]
gnutls-serv: allow skipping DTLS cookie request
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sat, 5 May 2018 19:45:56 +0000 (21:45 +0200)]
gnutls-cli: corrected data written by server trace
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Thu, 3 May 2018 09:53:51 +0000 (11:53 +0200)]
tests: post handshake auth: test more combinations
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 3 May 2018 09:48:46 +0000 (11:48 +0200)]
post_handshake_auth: send extension irrespective of certificates being present
The feature does not necessarily require certificates to be present
and an empty cert can be presented. Furthermore, the certificates
can be set later on the credentials structure.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 4 May 2018 10:29:10 +0000 (10:29 +0000)]
Merge branch 'tmp-openssl-suite' into 'master'
Added testsuite for TLS1.3 interoperability with openssl
Closes #228 and #427
See merge request gnutls/gnutls!621
Nikos Mavrogiannopoulos [Thu, 3 May 2018 11:48:52 +0000 (13:48 +0200)]
updated auto-generated files
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Sun, 8 Apr 2018 16:38:47 +0000 (18:38 +0200)]
tests: added interop tests with openssl under TLS1.3
This adds interoperability tests for:
* PSK with elliptic curve DHE
* RSA,RSA-PSS,secp256r1,ed25519 server certificate
* RSA,RSA-PSS,secp256r1,ed25519 client certificate
* X25519,SECP256R1 key share exchange
* key share with HRR
Relates #328
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 23 Apr 2018 08:07:32 +0000 (10:07 +0200)]
doc: clarified re-handshake details under TLS1.2 server
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 23 Apr 2018 07:09:41 +0000 (09:09 +0200)]
tls13/certificate_request: corrected check of duplicate signature algorithms
Made the check local when parsing a certificate request, as we may
receive multiple requests when post-handshake authentication is
in place. Furthermore check whether this extension has been received
as this is a mandatory one. In addition handle a memory leak when
multiple peer certificates are set.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 23 Apr 2018 06:41:22 +0000 (08:41 +0200)]
gnutls_reauth: doc update
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 20 Apr 2018 19:35:52 +0000 (21:35 +0200)]
gnutls-cli: enhanced tool for TLS1.3 options
This patch allows a client to enable post-handshake
authentication, perform re-key and restrict the sent key shares.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Fri, 20 Apr 2018 12:51:15 +0000 (14:51 +0200)]
tls13/certificate: send empty certificate instead of skipping
According to TLS1.3 spec:
The server's certificate_list MUST always be non-empty. A client
will send an empty certificate_list if it does not have an
appropriate certificate to send in response to the server's
authentication request.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 20 Apr 2018 11:47:57 +0000 (13:47 +0200)]
_gnutls_figure_common_ciphersuite: ignore certificate check if PSK is negotiated
That is, if we are performing PSK under TLS1.3, don't bother
checking whether the certificate is compatible with the ciphersuite;
there isn't any.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 20 Apr 2018 08:53:51 +0000 (10:53 +0200)]
tls13/certificate_verify: corrected context in signatures in client side
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 20 Apr 2018 08:47:59 +0000 (10:47 +0200)]
_gnutls13_handshake_sign_data: avoid unnecessary copy
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 20 Apr 2018 07:01:28 +0000 (09:01 +0200)]
handshake: cleanup in TLS1.3 initial secret calculation
That eliminates duplicate code in server hello parsing.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 20 Apr 2018 06:06:14 +0000 (08:06 +0200)]
psk: compute binder which is compatible with draft-ietf-tls-tls13
Previously the computed binder values were not compatible with any
TLS1.3 draft, and was not interoperating with openssl or tlslite.
Resolves #427
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 4 May 2018 06:06:35 +0000 (08:06 +0200)]
CONTRIBUTING.md: added text on CI [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 3 May 2018 12:19:34 +0000 (14:19 +0200)]
tests: fallback scsv: check proper fallback under TLS 1.3
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 3 May 2018 13:13:13 +0000 (15:13 +0200)]
encrypt_packet_tls13: made size check safer
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 3 May 2018 11:45:14 +0000 (11:45 +0000)]
Merge branch 'tmp-pkcs11-sensitive-fix' into 'master'
pkcs11: mark private key objects as sensitive by default
See merge request gnutls/gnutls!627
Nikos Mavrogiannopoulos [Sat, 28 Apr 2018 09:14:34 +0000 (11:14 +0200)]
pkcs11: mark private key objects as sensitive by default
That is, to prevent accidentally creating objects which can
be exported.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Mon, 30 Apr 2018 06:58:56 +0000 (06:58 +0000)]
Merge branch 'tmp-rsa-psk-fix' into 'master'
RSA-PSK ciphersuites: only use under TLS1.2
See merge request gnutls/gnutls!624
Nikos Mavrogiannopoulos [Mon, 23 Apr 2018 13:02:53 +0000 (15:02 +0200)]
tests: check the behavior of TLS1.2 key exchange methods under TLS1.3
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 23 Apr 2018 13:11:28 +0000 (15:11 +0200)]
psk: mark psk_ke_modes as invalid when ignored
TLS1.3 handles the receiving of pre-shared keys extension as
invalid when the psk_ke_modes extension is not received as well.
As such, when we ignore the psk_ke_modes for some reason (e.g.,
no credentials) we need to indicate that it was received. We
use the invalid mode flag for that reason, allowing the handshake
to fail later for the right reason (e.g., no credentials error rather
than illegal extension).
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 23 Apr 2018 13:01:48 +0000 (15:01 +0200)]
priority: handle RSA-PSK ciphersuites similar to SRP
That is, when specified disable TLS1.3.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Sun, 29 Apr 2018 16:38:05 +0000 (16:38 +0000)]
Merge branch 'tmp-sni-hostname' into 'master'
tests: updated sni-hostname check for TLS1.3
Closes #344
See merge request gnutls/gnutls!623
Andreas Metzler [Sat, 28 Apr 2018 12:14:30 +0000 (14:14 +0200)]
Add another sni related test
As --sni-hostname does not imply --verify-hostname a hostname mismatch
still triggers an error.
Signed-off-by: Andreas Metzler <ametzler@bebt.de>
Nikos Mavrogiannopoulos [Mon, 23 Apr 2018 12:00:15 +0000 (14:00 +0200)]
tests: sni-hostname was updated to support TLS1.3
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Sun, 29 Apr 2018 11:44:04 +0000 (13:44 +0200)]
updated auto-generated files
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Andreas Metzler [Sat, 28 Apr 2018 12:11:27 +0000 (14:11 +0200)]
doc: Add crossreference/warning
Add pointer to --verify-hostname to --sni-hostname description.
Signed-off-by: Andreas Metzler <ametzler@bebt.de>
Nikos Mavrogiannopoulos [Mon, 23 Apr 2018 11:58:22 +0000 (13:58 +0200)]
gnutls-cli: added option to specify the verification hostname
This enables testing various scenarios, by allowing to specify the
hostname to be used for certificate validation when connecting to
a remote host (e.g., localhost but with a certificate for example.com).
Resolves #344
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 26 Apr 2018 07:06:00 +0000 (09:06 +0200)]
doc: fixes for better latex pdf generation [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 24 Apr 2018 06:36:06 +0000 (08:36 +0200)]
retrieve_pin: refuse to retrieve PIN from URI more than one time
That is, prevent re-using a static PIN if it has already been
known to be wrong. Introduced tests of that behavior.
Resolves #425
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 24 Apr 2018 14:42:10 +0000 (16:42 +0200)]
doc: updated OCSP documentation [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Sun, 22 Apr 2018 14:02:08 +0000 (16:02 +0200)]
gnutls.h.in: corrected typo [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Fri, 20 Apr 2018 06:42:27 +0000 (08:42 +0200)]
fuzz: corrected TLS1.3 enablement [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 18 Apr 2018 18:50:16 +0000 (18:50 +0000)]
Merge branch 'tmp-constate-fix' into 'master'
Fix re-handshake failure when interrupted by application data
Closes #426
See merge request gnutls/gnutls!620
Nikos Mavrogiannopoulos [Tue, 17 Apr 2018 08:59:25 +0000 (10:59 +0200)]
_gnutls_epoch_new: allow re-allocation epoch next epoch
On certain cases when re-handshake is interrupted by application
data, _gnutls_epoch_new() will be called twice. Make sure that
this does not lead to an error. We also rename the function to
clarify its purpose _gnutls_epoch_setup_next().
Resolves #426
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 17 Apr 2018 07:52:01 +0000 (09:52 +0200)]
tests: added reproducers for receiving app data when rehandshake is expected
Relates: #426
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 17 Apr 2018 07:31:12 +0000 (09:31 +0200)]
tests: eliminated exit_code variable used in few tests
It was a legacy variable for error printing that was never
used uniformly.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 17 Apr 2018 07:24:29 +0000 (09:24 +0200)]
tests: eagain: moved to cmocka and enhanced for TLS1.3
That also makes macros from eagain-common.h functioning under cmocka.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 16 Apr 2018 07:51:11 +0000 (09:51 +0200)]
tests: tls12-rehandshake-cert*: run multiple rehandshake tests
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 17 Apr 2018 07:31:44 +0000 (07:31 +0000)]
Merge branch 'tmp-memleak-fix' into 'master'
tls13/finished: addressed memory leak in receiving finished packet
See merge request gnutls/gnutls!619
Nikos Mavrogiannopoulos [Tue, 17 Apr 2018 05:45:54 +0000 (07:45 +0200)]
tls13/finished: addressed memory leak in receiving finished packet
Issue found using oss-fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7518
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 16 Apr 2018 13:35:33 +0000 (15:35 +0200)]
priority: document the reasons for the order of supported groups [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>