git.ipfire.org Git - thirdparty/gnutls.git/log
Nikos Mavrogiannopoulos [Mon, 16 Apr 2018 13:14:01 +0000 (15:14 +0200)]
handshake: described the epoch reference counting [ci skip]
It is used only in DTLS where multiple handshake states may be
active.
Resolves #421
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 16 Apr 2018 07:51:11 +0000 (09:51 +0200)]
tests: tls12-rehandshake-cert-3: run multiple rehandshake tests
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 13 Apr 2018 08:14:11 +0000 (08:14 +0000)]
Merge branch 'tmp-disable-tls13' into 'master'
Disable TLS1.3 under certain priority strings
See merge request gnutls/gnutls!617
Nikos Mavrogiannopoulos [Wed, 11 Apr 2018 12:35:26 +0000 (14:35 +0200)]
doc update
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 11 Apr 2018 06:34:15 +0000 (08:34 +0200)]
ANON,SRP,NULL ciphersuites: when set do not negotiate TLS1.3 or later
The reason is that these ciphersuites cannot be negotiated using TLS1.3.
There is a different strategy followed for these.
* NULL ciphersuites: they are not something normally enabled and used
for debugging purposes mostly. When set both in client and server side
only TLS1.2 can be used.
* SRP ciphersuites: they are used on client side when the client is actually
performing a username-password authentication with SRP. On server side we
can have indeed a server support SRP and non-SRP. In that case we limit
both on TLS1.2. That is an unfortunate restriction, but it is not a regression
and IMHO these servers would most likely be phased out as very few would
want to stick to TLS1.2 connections for SRP; or we may have an SRP update
for TLS1.3 which could lift that limitation in the future.
* ANON ciphersuites: they are used in certain client/server setups where a very
basic level of security is required, and in opportunistic encryption scenarios.
There is a difference in the handling of these cases. In the case of Anon-only
server/clients they provide the session with anonymous credentials structure; in
the case of opportunistic encryption they provide both certificate and anonymous
credentials. Thus we allow the protocol (TLS1.3) to be in the priorities, but if we
see no certificate or PSK credentials we disable TLS1.3 negotiation.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Sat, 7 Apr 2018 19:42:57 +0000 (21:42 +0200)]
ext/pre_shared_key: cleanups in error handling
This addresses a memory leak found via oss-fuzz. It also
sets the right index on the selected PSK, and returns the
right server error code on incorrect key file.
Addresses:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7465
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sat, 7 Apr 2018 19:27:27 +0000 (21:27 +0200)]
ext/psk_ke_modes: corrected data access
That also improves the if-checks.
Issue and reproducer discovered via oss-fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7470
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sat, 7 Apr 2018 19:06:53 +0000 (21:06 +0200)]
fuzz: added client and server traces for TLS 1.3 draft-26 [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sat, 7 Apr 2018 04:20:05 +0000 (06:20 +0200)]
doc: corrected space-tab issues in examples
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Fri, 6 Apr 2018 18:51:39 +0000 (20:51 +0200)]
constate: fixed key generation for TLS1.3
This amends 62ea232f180b980a0d4b6462c468706db6cc4700, and
removes invalid NULL checks, as well as corrects the key
set for server side.
This is verified against openssl master, but does not include an
automated test suite; it will be tested as part of #328
Resolves #419
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Wed, 4 Apr 2018 12:51:08 +0000 (14:51 +0200)]
doc: re-organized and modernized examples
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 4 Apr 2018 11:47:36 +0000 (13:47 +0200)]
doc: updated for TLS1.3
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 6 Apr 2018 11:36:11 +0000 (13:36 +0200)]
fuzz: added PSK traces with TLS1.3
Relates: #359
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 6 Apr 2018 11:36:58 +0000 (11:36 +0000)]
Merge branch 'tmp-psk-tls1.3' into 'master'
TLS1.3: add support for PSK key exchange
Closes #414 and #125
See merge request gnutls/gnutls!615
Nikos Mavrogiannopoulos [Wed, 4 Apr 2018 13:28:37 +0000 (15:28 +0200)]
psk: save the username on auth info struct under TLS1.3
Add the necessary tests to verify that gnutls_psk_server_get_username()
reports the right username under TLS1.2 and TLS1.3.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 22 Mar 2018 09:02:36 +0000 (10:02 +0100)]
tests: enhanced test suite for TLS1.3 and PSK
That includes tests with unknown usernames and connections with wrong key
and updates to fastopen.sh to use certificate auth, making it applicable
under TLS1.3.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Thu, 29 Mar 2018 07:51:32 +0000 (09:51 +0200)]
priority: added GROUP-DH-ALL and GROUP-EC-ALL
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 3 Apr 2018 11:10:30 +0000 (13:10 +0200)]
dumbfw: account for extension data padding
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 5 Apr 2018 07:04:47 +0000 (09:04 +0200)]
Simplified the _gnutls13_psk_ext_parser interface and added unit tests
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Ander Juaristi [Thu, 22 Mar 2018 07:59:56 +0000 (08:59 +0100)]
Added support for out-of-band Pre-shared keys under TLS1.3
That adds support for pre-shared keys with and without Diffie-Hellman
key exchange. That's a modified version of Ander's initial patch.
Resolves #414
Resolves #125
Signed-off-by: Ander Juaristi <a@juaristi.eus>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.org>
Nikos Mavrogiannopoulos [Fri, 6 Apr 2018 08:36:18 +0000 (10:36 +0200)]
certtool: key-type desc was moved along the privkey functionality [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 4 Apr 2018 11:47:25 +0000 (13:47 +0200)]
gnutls_record_can_use_length_hiding: corrected return type
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 4 Apr 2018 14:54:15 +0000 (16:54 +0200)]
encrypt_packet_tls13: reverted to original API
That allows more uniformity across encrypt/decrypt, and
across different protocol handling.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 26 Mar 2018 10:14:01 +0000 (10:14 +0000)]
Merge branch 'tmp-nettle-version-check-update' into 'master'
nettle: corrected typo in version check for compatibility mode with 3.3
See merge request gnutls/gnutls!614
Nikos Mavrogiannopoulos [Sun, 25 Mar 2018 18:08:26 +0000 (20:08 +0200)]
nettle: corrected typo in version check for compatibility mode with 3.3
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sat, 24 Mar 2018 14:46:00 +0000 (14:46 +0000)]
Merge branch 'tmp-draft-ietf-tls13-26' into 'master'
Move to draft-ietf-tls-tls13-26
Closes #409, #378, and #410
See merge request gnutls/gnutls!611
Nikos Mavrogiannopoulos [Tue, 13 Mar 2018 10:11:52 +0000 (11:11 +0100)]
doc update
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 13 Mar 2018 08:45:44 +0000 (09:45 +0100)]
protocols: bumped TLS1.3 protocol to draft -26
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 13 Mar 2018 08:23:05 +0000 (09:23 +0100)]
record: added AAD data when encrypting or decrypting
This is a requirement of draft-ietf-tls-tls13-25
Resolves #409
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 12 Mar 2018 16:10:42 +0000 (17:10 +0100)]
priorities: disable any key exchange methods if there is no TLS1.2 or earlier
That is, because TLS1.2 has specific requirements in the ordering of
curves/groups if certain ciphersuites (ECDHE/DHE) are present, and
by being able to eliminate them early we simplify the negotiation
for TLS1.3-only clients/servers.
Relates #378
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 9 Mar 2018 11:12:56 +0000 (12:12 +0100)]
_gnutls_supported_ecc_recv_params: take into account precedence
That is, when %SERVER_PRECEDENCE is given in the priority string make
sure that the negotiated curve or DH group respects the server's priorities.
That's very relevant under TLS1.3 as ciphersuite negotiation itself, where
%SERVER_PRECEDENCE is applied, contains only the cipher algorithm and MAC,
unlike TLS1.2 which included key exchange as well.
Resolves #378
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 12 Mar 2018 09:37:00 +0000 (10:37 +0100)]
supported_versions: cannot be used to negotiate pre-TLS1.3
This is a requirement of draft-ietf-tls-tls13-26
Resolves #410
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 23 Mar 2018 19:45:40 +0000 (20:45 +0100)]
doc update [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Fri, 23 Mar 2018 06:04:37 +0000 (07:04 +0100)]
doc: mention gnutls_privkey_import_ext4 in upgrade from 3.5.x
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Fri, 23 Mar 2018 06:02:23 +0000 (07:02 +0100)]
doc: added since field in gnutls_record_send2() description
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Fri, 23 Mar 2018 05:47:55 +0000 (06:47 +0100)]
Makefile.am: reduce automake warnings and corrected version
That is, avoid using the := syntax, set the right version variable
and use a hidden file for abi-check cache stamp.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sun, 18 Mar 2018 14:46:36 +0000 (15:46 +0100)]
The abi-check target was updated to check against the last tag
As abi-dumper and abi-compliance-checker tools are not reliable when
run across different systems, we now compare the previous tag ABI with the
current compiled library. That is in contrast with the previous behavior
of storing the output files of abi-dumper, which can become obsolete on
a CI update.
That also moves the ABI check only on the CI, and not in the 'make dist' rule
as it takes significant time to run.
This relates to an issue reported against libidn2's use of abi-compliance-checker
but it affects gnutls as they share similar code:
https://gitlab.com/libidn/libidn2/issues/42
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Tue, 20 Mar 2018 06:15:13 +0000 (07:15 +0100)]
nettle/pk: include nettle/version.h
That enables the nettle version macros to operate.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Mon, 19 Mar 2018 13:42:38 +0000 (14:42 +0100)]
tests: avoid duplicate runs of tests when not necessary
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 19 Mar 2018 17:31:40 +0000 (18:31 +0100)]
tests: moved invalid-cert reproducer into fuzz/ reproducers
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 19 Mar 2018 17:29:23 +0000 (18:29 +0100)]
tests: testpkcs11.sh was moved to the main tests
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 19 Mar 2018 17:24:10 +0000 (18:24 +0100)]
tests: long-crl.sh was moved to main suite
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 19 Mar 2018 14:22:14 +0000 (15:22 +0100)]
tests: suite: dropped ocsp-coverage and cert-coverage
These tests are duplicates of fuzz/gnutls_ocsp_resp/req_parser_fuzzer
and gnutls_x509_parser_fuzzer.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 19 Mar 2018 14:11:38 +0000 (15:11 +0100)]
tests: testsrn.sh was removed as duplicate of safe-renegotiation/ tests
Also safe-renegotiation tests were made TLS1.2-only as they do not
apply to TLS1.3.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 19 Mar 2018 14:07:14 +0000 (15:07 +0100)]
tests: pkcs7-cat: moved to main suite
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 13 Mar 2018 14:46:16 +0000 (15:46 +0100)]
tests: updated for TLS1.3 inclusion
This moves the tests to use a specific version or test multiple
TLS versions if applicable.
Resolves #413
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 19 Mar 2018 08:00:23 +0000 (09:00 +0100)]
tests: mini-record-retvals was split into return vals checking and alerts checking
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Tue, 13 Mar 2018 12:47:46 +0000 (13:47 +0100)]
tests: client-fast-open: updated for TLS1.3
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 13 Mar 2018 12:43:47 +0000 (13:43 +0100)]
tests: removed unused test
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 13 Mar 2018 12:41:19 +0000 (13:41 +0100)]
tests: auto-verify: update for TLS1.3
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Sat, 10 Mar 2018 18:08:08 +0000 (19:08 +0100)]
doc update [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sat, 10 Mar 2018 11:57:18 +0000 (11:57 +0000)]
Merge branch 'tmp-nmav-draft-ietf-tls-tls13-22' into 'master'
Move to draft-ietf-tls-tls13-23
Closes #391, #400, #393, #389, #397, #398, #395, and #396
See merge request gnutls/gnutls!610
Nikos Mavrogiannopoulos [Thu, 8 Mar 2018 15:21:20 +0000 (16:21 +0100)]
tlsfuzzer: updated to the latest version
Also enabled the RSA-PSS tests.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 8 Mar 2018 15:00:34 +0000 (16:00 +0100)]
alert: send the appropriate alert on GNUTLS_E_ERROR_IN_FINISHED_PACKET
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 8 Mar 2018 13:54:55 +0000 (14:54 +0100)]
Bumped TLS1.3 draft version to -23
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 8 Mar 2018 12:57:05 +0000 (13:57 +0100)]
Hello retry request matches server hello
That also distinguishes between them by using the special random value,
and implements the version check as in draft-ietf-tls-tls13-24.
Resolves #391 #390 #392
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 7 Mar 2018 11:52:46 +0000 (12:52 +0100)]
tests: added negative tests for RSA-PSS key exchange
Relates #400
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 6 Mar 2018 14:09:50 +0000 (15:09 +0100)]
signatures: distinguish RSA-PSS signatures with RSA PKCS#1 1.5 certificates from "pure"
This change enhances signature algorithms to have a private key algorithm
parameter. That is, to allow signature algorithms operating with a private
key of type X while the public key is of type Y. That is useful for the
RSA-PSS signatures which are of two types; one which is seen from servers
having PKCS#1 1.5 certificates, the other with RSA-PSS certificates, while
both utilize RSA-PSS private keys.
This is a draft-ietf-tls-tls13-23 change.
Resolves #400
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 28 Feb 2018 11:41:40 +0000 (12:41 +0100)]
Server hello format follows TLS1.2 format
Also version negotiation was moved to supported_versions extension,
and session ID is set by client following appendix D.4.
This is a draft-ietf-tls-tls13-22 change.
Resolves #393, #389, #397
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 28 Feb 2018 10:38:53 +0000 (11:38 +0100)]
Renumbered the key share extension to 51
This is a draft-ietf-tls-tls13-23 change.
Resolves #398
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 22 Feb 2018 15:12:55 +0000 (16:12 +0100)]
record: ignore any ChangeCipherSpec messages under TLS1.3 handshake
Also send ChangeCipherSpec messages under TLS1.3 handshake.
This is a draft-ietf-tls-tls13-22 change.
Resolves #395
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 22 Feb 2018 13:42:43 +0000 (14:42 +0100)]
record: send 0x0303 under TLS1.3
This is a draft-ietf-tls-tls13-22 change.
Resolves #396
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 8 Mar 2018 11:03:39 +0000 (12:03 +0100)]
cryptodev: fix prototype of cryptodev_mac_fast [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 7 Mar 2018 15:14:51 +0000 (16:14 +0100)]
cryptodev: added missing macro [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 5 Mar 2018 16:17:39 +0000 (16:17 +0000)]
Merge branch 'tmp-fix-re-encoding' into 'master'
Avoid re-encoding of certificates
See merge request gnutls/gnutls!608
Nikos Mavrogiannopoulos [Mon, 5 Mar 2018 14:42:14 +0000 (15:42 +0100)]
tests: added unit tests of gnutls_x509_crt_export
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 2 Mar 2018 22:21:34 +0000 (23:21 +0100)]
doc update
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Fri, 2 Mar 2018 22:09:11 +0000 (23:09 +0100)]
gnutls_x509_crt_export2: avoid re-encoding
That prevents possible re-encoding issues in libtasn1 or ambiguously
formatted DER data from affecting verbatim usage of certificates.
Relates #403
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Fri, 2 Mar 2018 16:48:01 +0000 (17:48 +0100)]
tests: added reproducer with DER re-encoding error on client side
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Sun, 4 Mar 2018 18:07:29 +0000 (19:07 +0100)]
cfg.mk: update-po rule uses commit -s
This makes it produce a commit message which can be sent to
the repo (Signed-off-by is mandatory).
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sun, 4 Mar 2018 18:01:41 +0000 (19:01 +0100)]
Sync with TP.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sun, 4 Mar 2018 18:01:23 +0000 (19:01 +0100)]
CONTRIBUTING.md: added more info about gnulib
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sun, 4 Mar 2018 18:03:52 +0000 (18:03 +0000)]
Merge branch 'tmp-fuzzer-coverage' into 'master'
Improve fuzzer coverage report creation
See merge request gnutls/gnutls!609
Tim Rühsen [Sat, 3 Mar 2018 17:42:20 +0000 (18:42 +0100)]
Improve fuzzer coverage report creation
Nikos Mavrogiannopoulos [Sat, 3 Mar 2018 15:28:08 +0000 (15:28 +0000)]
Merge branch 'tmp-rsa-pss-fix' into 'master'
_gnutls_find_rsa_pss_salt_size: add a validity check for salt size
Closes #402
See merge request gnutls/gnutls!607
Nikos Mavrogiannopoulos [Fri, 2 Mar 2018 22:40:43 +0000 (23:40 +0100)]
pkcs11: set the modulus bits on RSA keys
That value is necessary when using RSA-PSS keys.
Relates #402
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Fri, 2 Mar 2018 13:51:31 +0000 (14:51 +0100)]
gnutls_privkey_import_ext4: enhanced with GNUTLS_PRIVKEY_INFO_PK_ALGO_BITS flag
That flag is utilized by the information function to obtain the
value of the parameters (e.g., modulus). That information is necessary
to safely handle RSA-PSS keys.
For RSA-PSS keys this is a regression since 3.6.0 where this API was
introduced, but as this change is necessary and 3.6.x is not yet marked
as stable, it should be acceptable.
Relates #402
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 2 Mar 2018 10:18:12 +0000 (11:18 +0100)]
_gnutls_find_rsa_pss_salt_size: add a validity check for salt size
That is, in order to reject invalid parameters.
Resolves #402
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 2 Mar 2018 08:38:55 +0000 (09:38 +0100)]
tests: eliminated destructive tests
That adds a dependency to p11-kit 0.23.10 for the test suite.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 1 Mar 2018 15:38:29 +0000 (16:38 +0100)]
configure: simplified nettle version check
Relates #401
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Łukasz Stelmach [Tue, 27 Feb 2018 14:44:55 +0000 (15:44 +0100)]
gnutls-cli: do not ask any questions with --strict-tofu
Signed-off-by: Łukasz Stelmach <stlman@poczta.fm>
Tim Rühsen [Tue, 27 Feb 2018 21:04:10 +0000 (22:04 +0100)]
Update oss-fuzz corpora
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
Nikos Mavrogiannopoulos [Thu, 22 Feb 2018 10:43:53 +0000 (11:43 +0100)]
drbg-aes: use the new nettle APIs for AES
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 22 Feb 2018 10:29:08 +0000 (11:29 +0100)]
accelerated: padlock: use the new nettle APIs
Also remove any ifdefs for nettle (it is not conditionally compiled in),
and do not register accelerators for AES-192-CBC. That cipher is too widely
ignored to bother with.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 26 Feb 2018 10:46:09 +0000 (11:46 +0100)]
doc update
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 26 Feb 2018 10:44:56 +0000 (11:44 +0100)]
updated auto-generated files
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 23 Feb 2018 08:55:50 +0000 (09:55 +0100)]
gnutls_ext_raw_parse: introduced function
That function can be combined with callbacks like
gnutls_handshake_set_hook_function() for applications to
be able to process messages when necessary.
Resolves #382
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 21 Feb 2018 10:46:08 +0000 (11:46 +0100)]
fuzz: added TLS1.3 client and server traces [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 21 Feb 2018 10:21:36 +0000 (11:21 +0100)]
fuzz: enable fuzzer target in afl examples and add missing script [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 21 Feb 2018 10:20:31 +0000 (11:20 +0100)]
fuzz: fixes in README file [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 19 Feb 2018 19:11:57 +0000 (20:11 +0100)]
updated Since version in new function entries as well as map file versions
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Mon, 19 Feb 2018 16:17:45 +0000 (17:17 +0100)]
fuzz: enable TLS1.3 in server and client fuzzers
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 19 Feb 2018 14:10:00 +0000 (15:10 +0100)]
updated auto-generated files
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 19 Feb 2018 14:02:36 +0000 (15:02 +0100)]
doc update
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Daiki Ueno [Tue, 23 Jan 2018 15:39:36 +0000 (16:39 +0100)]
record: new gnutls_record_send2 function
This adds a new function gnutls_record_send2() which takes an extra
argument to specify the padding size of the record.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Thu, 8 Feb 2018 12:24:46 +0000 (13:24 +0100)]
_gnutls_record_overhead: count content type octet in plaintext
In TLS 1.3, TLSInnerPlaintext has the 'type' field followed by the
padding. Exclude it from the overhead calculation.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Wed, 3 Jan 2018 13:14:56 +0000 (14:14 +0100)]
tests: check extended record padding works with TLS 1.3
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Thu, 21 Dec 2017 16:02:22 +0000 (17:02 +0100)]
range: make length hiding always usable under TLS 1.3
This patch reintroduces the extended record padding mode removed in
commit 7df219f0. Under TLS 1.3, the padding mode can be implemented
in the record protocol.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Wed, 3 Jan 2018 13:10:22 +0000 (14:10 +0100)]
tests: re-enable mini-record-range test
This test was previously disabled as part of NEW_PADDING extension
removal (commit 7df219f0). Even though the extension is not usable,
gnutls_record_send_range() should work with the standard TLS block
cipher padding.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Thu, 21 Dec 2017 14:53:30 +0000 (15:53 +0100)]
doc: fix mention of gnutls_record_send_range()
Signed-off-by: Daiki Ueno <dueno@redhat.com>