git.ipfire.org Git - thirdparty/gnutls.git/log
8 years ago  po: lib/x509/ocsp.c added to translatable files
Nikos Mavrogiannopoulos [Sat, 27 Jan 2018 15:38:14 +0000 (16:38 +0100)] 
po: lib/x509/ocsp.c added to translatable files

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
8 years ago  tests: corrected various typos
Nikos Mavrogiannopoulos [Thu, 4 Jan 2018 16:32:58 +0000 (17:32 +0100)] 
tests: corrected various typos

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  doc: use 3.6.xx to be consistent with other version references
Nikos Mavrogiannopoulos [Thu, 4 Jan 2018 16:26:54 +0000 (17:26 +0100)] 
doc: use 3.6.xx to be consistent with other version references

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  doc update
Nikos Mavrogiannopoulos [Tue, 2 Jan 2018 11:44:15 +0000 (12:44 +0100)] 
doc update

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  doc: getfuncs.pl: distinguish between different typedef types
Nikos Mavrogiannopoulos [Wed, 13 Dec 2017 09:11:57 +0000 (10:11 +0100)] 
doc: getfuncs.pl: distinguish between different typedef types

That allows properly distinguishing a struct from a one-liner
typedef.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  check_ocsp_response: print OCSP response actual error on debug log
Nikos Mavrogiannopoulos [Wed, 13 Dec 2017 07:00:38 +0000 (08:00 +0100)] 
check_ocsp_response: print OCSP response actual error on debug log

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
8 years ago  x509/cert: reorganized
Nikos Mavrogiannopoulos [Tue, 12 Dec 2017 13:55:29 +0000 (14:55 +0100)] 
x509/cert: reorganized

Split functionality related to certificate credentials and
session certificate handling in cert-cred.c and cert-session.c

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  tests: added unit test for gnutls_ocsp_resp_list_import2
Nikos Mavrogiannopoulos [Wed, 29 Nov 2017 15:19:56 +0000 (16:19 +0100)] 
tests: added unit test for gnutls_ocsp_resp_list_import2

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  doc: updated
Nikos Mavrogiannopoulos [Wed, 18 Oct 2017 08:35:53 +0000 (10:35 +0200)] 
doc: updated

* document the new behavior of gnutls_certificate_set_ocsp_status_request_file
* updated text on OCSP stapled responses

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  tests: added ocsptool sanity check program
Nikos Mavrogiannopoulos [Tue, 21 Nov 2017 15:31:02 +0000 (16:31 +0100)] 
tests: added ocsptool sanity check program

This checks its functionality in loading and exporting PEM
and DER structures.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  tests: enhanced OCSP tests
Nikos Mavrogiannopoulos [Mon, 16 Oct 2017 14:05:15 +0000 (16:05 +0200)] 
tests: enhanced OCSP tests

* Run tests under TLS1.2 and TLS1.3
* Verify whether multiple OCSP responses are received in client
  side, under TLS1.3.
* Verify that OCSP status responses can be sent by
  client under TLS1.3
* Verify operation of gnutls_certificate_retrieve_function3
* Verify operation when multiple OCSP responses by file are set

Resolves #307
Resolves #291

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  cert auth: use a single callback to call for OCSP
Nikos Mavrogiannopoulos [Tue, 12 Dec 2017 07:47:00 +0000 (08:47 +0100)] 
cert auth: use a single callback to call for OCSP

That is, when selecting the certificate to use, point to
the callback to use as well (whether it is the global or
a specific one), for OCSP.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  ocsp: introduced gnutls_certificate_get_ocsp_expiration()
Nikos Mavrogiannopoulos [Wed, 22 Nov 2017 09:32:04 +0000 (10:32 +0100)] 
ocsp: introduced gnutls_certificate_get_ocsp_expiration()

This is a function to allow obtaining the validity of the OCSP responses
already set in the credential structures.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  ocsp: enhanced the OCSP response loading APIs
Nikos Mavrogiannopoulos [Fri, 8 Dec 2017 12:45:24 +0000 (13:45 +0100)] 
ocsp: enhanced the OCSP response loading APIs

Introduced gnutls_certificate_set_ocsp_status_request_file2() and
gnutls_certificate_set_ocsp_status_request_mem(). These functions
behave as the equivalent certificate loading functions and pre-load
the OCSP response provided as a file, either in DER or in PEM form.

In addition, ensure that if the server is provided a problematic OCSP
response, or the OCSP response is not renewed before it is invalid, we
will not provide it to the clients.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  gnutls-serv: allow loading multiple OCSP responses
Nikos Mavrogiannopoulos [Wed, 18 Oct 2017 09:26:55 +0000 (11:26 +0200)] 
gnutls-serv: allow loading multiple OCSP responses

That is, allow specifying multiple 'ocsp-response' options on
command line. In addition introduce the option 'ignore-ocsp-response-errors'
which will set the GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK flag
prior to importing the response.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  cert: introduced flag GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK
Nikos Mavrogiannopoulos [Wed, 18 Oct 2017 08:32:20 +0000 (10:32 +0200)] 
cert: introduced flag GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK

This allows reverting the new semantics of checking the loaded
OCSP response against the certificates present and return
to the 3.5.x semantics.

That option is also useful for debugging as it allows setting
an arbitrary response and checking gnutls' client behavior with that.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  gnutls_certificate_set_ocsp_status_request_file: match input response to certificates
Nikos Mavrogiannopoulos [Thu, 7 Dec 2017 15:16:55 +0000 (16:16 +0100)] 
gnutls_certificate_set_ocsp_status_request_file: match input response to certificates

That is, iterate through the certificate chain to figure out which
certificate the response corresponds to, and assign it to that
certificate. That allows applications to re-use this function to set
multiple responses when available.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  ocsp: moved non-extension related functions to ocsp-api.c
Nikos Mavrogiannopoulos [Wed, 6 Dec 2017 12:51:52 +0000 (13:51 +0100)] 
ocsp: moved non-extension related functions to ocsp-api.c

That keeps ext/status_response.c clear of items that are
not related to the extension handling.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  gnutls_ocsp_status_request_get2: allow operation under TLS1.3 for server side
Nikos Mavrogiannopoulos [Tue, 17 Oct 2017 07:59:53 +0000 (09:59 +0200)] 
gnutls_ocsp_status_request_get2: allow operation under TLS1.3 for server side

Under TLS1.3 it is possible for both client and server to send the
status request extension in certificate message.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  select_sign_algorithm: check KX type only on pre-TLS1.3
Nikos Mavrogiannopoulos [Tue, 17 Oct 2017 06:32:09 +0000 (08:32 +0200)] 
select_sign_algorithm: check KX type only on pre-TLS1.3

That, when selecting a certificate under TLS1.3, considers
the negotiated signature algorithms for compatibility with the
certificate to be selected.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  rename _gnutls_selected_certs_set -> selected_certs_set
Nikos Mavrogiannopoulos [Wed, 6 Dec 2017 12:45:21 +0000 (13:45 +0100)] 
rename _gnutls_selected_certs_set -> selected_certs_set

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  ocsp: send all the OCSP responses under TLS1.3
Nikos Mavrogiannopoulos [Wed, 6 Dec 2017 12:32:28 +0000 (13:32 +0100)] 
ocsp: send all the OCSP responses under TLS1.3

That is, any responses set by the caller application (directly
or via a callback), will be sent to the peer.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  introduced gnutls_certificate_retrieve_function3
Nikos Mavrogiannopoulos [Wed, 6 Dec 2017 12:18:16 +0000 (13:18 +0100)] 
introduced gnutls_certificate_retrieve_function3

That allows a certificate callback to provide OCSP responses in addition
to certificates. That also introduces a flags option which currently
accepts GNUTLS_CERT_RETR_DEINIT_ALL which allows the callback to
specify whether the provided data should be deinitialized.

To simplify the certificate callback code, all previous (now legacy)
callbacks are implemented as wrappers over the new callback function.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  gnutls_ocsp_resp_list_import2: introduced
Nikos Mavrogiannopoulos [Wed, 29 Nov 2017 13:27:44 +0000 (14:27 +0100)] 
gnutls_ocsp_resp_list_import2: introduced

That is, introduced a function to import multiple OCSP PEM
responses into a list.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  ocsptool: import and export OCSP responses in PEM format
Nikos Mavrogiannopoulos [Tue, 21 Nov 2017 15:20:48 +0000 (16:20 +0100)] 
ocsptool: import and export OCSP responses in PEM format

That also modifies the 'request-info' and 'response-info' commands
to check the 'outfile' parameter and if set, to store the corresponding
structure into that file. Currently for OCSP requests there is no
printing of PEM data.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  ocsp: introduced gnutls_ocsp_resp_import2 and gnutls_ocsp_resp_export2
Nikos Mavrogiannopoulos [Tue, 21 Nov 2017 13:59:31 +0000 (14:59 +0100)] 
ocsp: introduced gnutls_ocsp_resp_import2 and gnutls_ocsp_resp_export2

These allow importing and exporting an OCSP response to PEM format,
in addition to DER.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  _gnutls_x509_cert_verify_peers: verify all received OCSP responses
Nikos Mavrogiannopoulos [Fri, 13 Oct 2017 07:36:38 +0000 (09:36 +0200)] 
_gnutls_x509_cert_verify_peers: verify all received OCSP responses

That is, when verifying the server's certificate, take into account
all present OCSP responses.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  gnutls_ocsp_status_request_get2: added function
Nikos Mavrogiannopoulos [Fri, 13 Oct 2017 07:31:58 +0000 (09:31 +0200)] 
gnutls_ocsp_status_request_get2: added function

The function extends gnutls_ocsp_status_request_get() to
retrieve more than a single response.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  tls13/certificate: parse OCSP status response and save responses in auth info struct
Nikos Mavrogiannopoulos [Tue, 10 Oct 2017 08:21:19 +0000 (10:21 +0200)] 
tls13/certificate: parse OCSP status response and save responses in auth info struct

That provides support of OCSP status response under TLS 1.3.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  ext/status_request: allow more than a single OCSP response to be received
Nikos Mavrogiannopoulos [Tue, 10 Oct 2017 09:14:19 +0000 (11:14 +0200)] 
ext/status_request: allow more than a single OCSP response to be received

That change allows for an arbitrary number of OCSP responses,
which is required in TLS1.3. The received list is now stored
in the auth structure, and thus packed with it on resumption data.
The status response extension data are now only used on the server
side, when temporarily storing the OCSP response to send.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  _gnutls_copy_certificate_auth_info: simplified and avoid multiple allocations
Nikos Mavrogiannopoulos [Tue, 10 Oct 2017 07:59:17 +0000 (09:59 +0200)] 
_gnutls_copy_certificate_auth_info: simplified and avoid multiple allocations

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  tests: updated to account for HMAC-SHA384 and CAMELLIA removal
Nikos Mavrogiannopoulos [Tue, 19 Dec 2017 15:16:29 +0000 (16:16 +0100)] 
tests: updated to account for HMAC-SHA384 and CAMELLIA removal

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  priorities: provide a more consistent "story" for default cipher settings
Nikos Mavrogiannopoulos [Tue, 19 Dec 2017 15:00:45 +0000 (16:00 +0100)] 
priorities: provide a more consistent "story" for default cipher settings

Current settings in NORMAL priorities which were affected:
 * Enabled ciphers:
  - AES-GCM
  - CHACHA20-POLY1305
  - AES-CCM
  - AES-CBC

 * Enabled signature algorithms:
  - RSA-SHA256
  - RSA-PSS-SHA256
  - ECDSA-SHA256 / ECDSA-SECP256R1-SHA256
  - EDDSA-ED25519
  - RSA-SHA384
  - RSA-PSS-SHA384
  - ECDSA-SHA384 / ECDSA-SECP384R1-SHA384
  - RSA-SHA512
  - RSA-PSS-SHA512
  - ECDSA-SHA512 / ECDSA-SECP521R1-SHA512
  - RSA-SHA1
  - ECDSA-SHA1

Removed:
 * Ciphersuites utilizing HMAC-SHA384. That MAC is only used on "legacy"-type
   ciphersuites, and doesn't provide any advantage over HMAC-SHA256.
 * Ciphersuites utilizing CAMELLIA were removed. TLS1.3 doesn't define any
   CAMELLIA ciphersuites, and this thus provides consistent defaults across
   protocols.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  certificate request: corrected parsing of signature algorithms
Nikos Mavrogiannopoulos [Tue, 17 Oct 2017 07:27:36 +0000 (09:27 +0200)] 
certificate request: corrected parsing of signature algorithms

That fixes an issue in TLS 1.3 certificate request message parsing.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  tlsfuzzer: updated to latest master
Nikos Mavrogiannopoulos [Mon, 4 Dec 2017 17:22:54 +0000 (18:22 +0100)] 
tlsfuzzer: updated to latest master

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
8 years ago  doc: documented hsk_flags "lifetime" and its reset
Nikos Mavrogiannopoulos [Sat, 9 Dec 2017 10:23:24 +0000 (11:23 +0100)] 
doc: documented hsk_flags "lifetime" and its reset

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
8 years ago  session state: TLS1.2 and TLS1.3 state is stored as union
Nikos Mavrogiannopoulos [Wed, 8 Nov 2017 12:13:31 +0000 (13:13 +0100)] 
session state: TLS1.2 and TLS1.3 state is stored as union

That is, to reduce memory usage as these protocols cannot be used
in parallel.

Relates: #281

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  session state: organized key exchange keys into structures
Nikos Mavrogiannopoulos [Wed, 8 Nov 2017 12:08:02 +0000 (13:08 +0100)] 
session state: organized key exchange keys into structures

That is, with the view of separating the data needed for
TLS1.2 and earlier and TLS1.3.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  record state: avoid memory allocations for stored keys
Nikos Mavrogiannopoulos [Tue, 7 Nov 2017 15:52:21 +0000 (16:52 +0100)] 
record state: avoid memory allocations for stored keys

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  handshake: ffdhe flags merged with handshake flags
Nikos Mavrogiannopoulos [Tue, 7 Nov 2017 15:25:31 +0000 (16:25 +0100)] 
handshake: ffdhe flags merged with handshake flags

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  handshake: false start flag merged with hsk_flags
Nikos Mavrogiannopoulos [Tue, 7 Nov 2017 15:09:12 +0000 (16:09 +0100)] 
handshake: false start flag merged with hsk_flags

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  handshake: use hsk_flags in TLS1.2 and TLS1.3
Nikos Mavrogiannopoulos [Tue, 7 Nov 2017 14:36:01 +0000 (15:36 +0100)] 
handshake: use hsk_flags in TLS1.2 and TLS1.3

The flags provide a more transparent view of the received
and expected messages.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  doc: added text on TLS1.3 rekey and reauthentication
Nikos Mavrogiannopoulos [Tue, 5 Dec 2017 08:01:56 +0000 (09:01 +0100)] 
doc: added text on TLS1.3 rekey and reauthentication

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  updated auto-generated files
Nikos Mavrogiannopoulos [Mon, 4 Dec 2017 16:45:11 +0000 (17:45 +0100)] 
updated auto-generated files

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
8 years ago  tests: re-enabled post-handshake auth tests
Nikos Mavrogiannopoulos [Thu, 2 Nov 2017 14:30:43 +0000 (15:30 +0100)] 
tests: re-enabled post-handshake auth tests

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  handshake: added support for post-handshake authentication
Nikos Mavrogiannopoulos [Thu, 2 Nov 2017 14:19:10 +0000 (15:19 +0100)] 
handshake: added support for post-handshake authentication

That is:
 * introduced a gnutls_init() flag for clients to enable post-handshake
   authentication
 * introduced gnutls_reauth() function, to be called by servers to request
   authentication, and by clients to perform authentication

Resolves #562

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  gnutls_record_set_state: use const for seq_number
Nikos Mavrogiannopoulos [Tue, 21 Nov 2017 10:12:14 +0000 (11:12 +0100)] 
gnutls_record_set_state: use const for seq_number

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  tests: added test suite on key limits
Nikos Mavrogiannopoulos [Mon, 20 Nov 2017 15:56:12 +0000 (16:56 +0100)] 
tests: added test suite on key limits

This checks whether key update occurs for the expected ciphersuites.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  gnutls_record_get_state: doc update
Nikos Mavrogiannopoulos [Mon, 20 Nov 2017 15:52:58 +0000 (16:52 +0100)] 
gnutls_record_get_state: doc update

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  Introduce key usage limits under TLS1.3
Nikos Mavrogiannopoulos [Mon, 20 Nov 2017 15:01:29 +0000 (16:01 +0100)] 
Introduce key usage limits under TLS1.3

That introduces a transparent key update for sending key after
the safety limit is reached.

Resolves #130

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  updated auto-generated files
Nikos Mavrogiannopoulos [Mon, 20 Nov 2017 12:08:18 +0000 (13:08 +0100)] 
updated auto-generated files

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  tests: removed unused variables and introduced temporal vars in macros
Nikos Mavrogiannopoulos [Mon, 30 Oct 2017 07:59:17 +0000 (08:59 +0100)] 
tests: removed unused variables and introduced temporal vars in macros

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  tests: check gnutls_rehandshake() and gnutls_handshake() under TLS1.3
Nikos Mavrogiannopoulos [Mon, 30 Oct 2017 07:51:06 +0000 (08:51 +0100)] 
tests: check gnutls_rehandshake() and gnutls_handshake() under TLS1.3

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  gnutls_*handshake: wrap gnutls_session_key_update under TLS 1.3
Nikos Mavrogiannopoulos [Sat, 28 Oct 2017 10:38:52 +0000 (12:38 +0200)] 
gnutls_*handshake: wrap gnutls_session_key_update under TLS 1.3

The semantics of the gnutls_handshake() and gnutls_rehandshake() functions
were tied to TLS 1.2 and earlier behavior. This patch attempts to merge
the two different semantics as follows:

TLS1.2:
 * gnutls_rehandshake: sends a hello request message (asks the peer for a re-handshake)
                       in server side; invalid to be called in client side.

 * gnutls_handshake: performs a re-handshake in either client or server side;
                     in server side it is expected to be called after
                     gnutls_rehandshake().

TLS1.3:
 * gnutls_rehandshake: in server side sends a key update and asks the peer to re-key
                       as well; remains invalid to be called in client side.

 * gnutls_handshake: sends a key update and asks the peer to re-key as well,
                     in client side; is a no-op when called in server side.

Relates #131

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
8 years ago  tests: added unit tests with TLS1.3 key update
Nikos Mavrogiannopoulos [Thu, 19 Oct 2017 14:45:18 +0000 (16:45 +0200)] 
tests: added unit tests with TLS1.3 key update

Relates #131

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  handshake: introduced gnutls_session_key_update()
Nikos Mavrogiannopoulos [Thu, 19 Oct 2017 14:27:30 +0000 (16:27 +0200)] 
handshake: introduced gnutls_session_key_update()

This function allows updating keys of the session and notifying
the peer.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  handshake: added TLS1.3 passive key update
Nikos Mavrogiannopoulos [Thu, 19 Oct 2017 12:52:03 +0000 (14:52 +0200)] 
handshake: added TLS1.3 passive key update

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  keylogfile: write TLS 1.3 secrets
Daiki Ueno [Wed, 29 Nov 2017 10:18:40 +0000 (11:18 +0100)] 
keylogfile: write TLS 1.3 secrets

Signed-off-by: Daiki Ueno <dueno@redhat.com>
8 years ago  _gnutls_nss_keylog_write: define new internal API
Daiki Ueno [Tue, 28 Nov 2017 17:28:19 +0000 (18:28 +0100)] 
_gnutls_nss_keylog_write: define new internal API

This patch turns the write_nss_key_log function to an internal
API (with a different name) so that it can be called from other places
implementing TLS 1.3 key scheduling.

Signed-off-by: Daiki Ueno <dueno@redhat.com>
8 years ago  tls-fuzzer: enabled the large hello checks
Nikos Mavrogiannopoulos [Mon, 27 Nov 2017 10:27:12 +0000 (11:27 +0100)] 
tls-fuzzer: enabled the large hello checks

These were previously not working because tls-fuzzer was not TLS1.3-ready.
This is addressed at the current update, and as such we enable them.

That commit also enables the SNI resumption tests.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  hkdf: refer to nettle's hkdf.h when available
Nikos Mavrogiannopoulos [Wed, 29 Nov 2017 15:21:45 +0000 (16:21 +0100)] 
hkdf: refer to nettle's hkdf.h when available

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  doc update
Nikos Mavrogiannopoulos [Wed, 29 Nov 2017 13:04:30 +0000 (14:04 +0100)] 
doc update

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  gnutls_prf_rfc5705: apply the context limits only under TLS1.2 or earlier
Nikos Mavrogiannopoulos [Mon, 27 Nov 2017 10:07:40 +0000 (11:07 +0100)] 
gnutls_prf_rfc5705: apply the context limits only under TLS1.2 or earlier

These limits do not exist under TLS1.3.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  gnutls_prf_raw: fail under TLS1.3
Nikos Mavrogiannopoulos [Mon, 27 Nov 2017 10:04:59 +0000 (11:04 +0100)] 
gnutls_prf_raw: fail under TLS1.3

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  tests: included behavioral test of gnutls_prf under TLS1.3
Nikos Mavrogiannopoulos [Mon, 27 Nov 2017 08:10:24 +0000 (09:10 +0100)] 
tests: included behavioral test of gnutls_prf under TLS1.3

Resolves #330

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  gnutls_prf: prevent usage under TLS1.3
Nikos Mavrogiannopoulos [Mon, 27 Nov 2017 08:03:31 +0000 (09:03 +0100)] 
gnutls_prf: prevent usage under TLS1.3

Only allow its use when it is documented to have the same output
as gnutls_rfc5705() and in that case make it a wrapper to it.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  gnutls_prf_rfc5705: calculate exporter using HKDF if TLS 1.3
Daiki Ueno [Fri, 24 Nov 2017 10:07:20 +0000 (11:07 +0100)] 
gnutls_prf_rfc5705: calculate exporter using HKDF if TLS 1.3

Signed-off-by: Daiki Ueno <dueno@redhat.com>
8 years ago  handshake-tls13: derive and store exporter_master_secret
Daiki Ueno [Fri, 24 Nov 2017 09:55:43 +0000 (10:55 +0100)] 
handshake-tls13: derive and store exporter_master_secret

Signed-off-by: Daiki Ueno <dueno@redhat.com>
8 years ago  _tls13_derive_secret: define secret argument
Daiki Ueno [Fri, 24 Nov 2017 09:34:26 +0000 (10:34 +0100)] 
_tls13_derive_secret: define secret argument

TLS 1.3 exporters need to derive a secret from exporter_master_secret
or early_exporter_master_secret, not the handshake or application
secret stored in temp_secret.  Add a new argument @secret to
_tls13_derive_secret to specify any secret.

Signed-off-by: Daiki Ueno <dueno@redhat.com>
8 years ago  session state: combined srp and dh prime bits variables
Nikos Mavrogiannopoulos [Wed, 8 Nov 2017 10:45:25 +0000 (11:45 +0100)] 
session state: combined srp and dh prime bits variables

They were being used for the same purpose, and SRP as well as
DH do not overlap to require two different variables.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  session state: mark mod_auth_st_int as constant
Nikos Mavrogiannopoulos [Wed, 8 Nov 2017 10:41:59 +0000 (11:41 +0100)] 
session state: mark mod_auth_st_int as constant

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  dtls: cookie is stored dynamically when needed rather than in pre-allocated size
Nikos Mavrogiannopoulos [Wed, 8 Nov 2017 10:39:53 +0000 (11:39 +0100)] 
dtls: cookie is stored dynamically when needed rather than in pre-allocated size

That reduces the number of bytes used in cases where DTLS is not in use or
we are on the server side.

Relates #281

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  removed legacy/unused rsa-related structures/functions
Nikos Mavrogiannopoulos [Tue, 10 Oct 2017 07:54:13 +0000 (09:54 +0200)] 
removed legacy/unused rsa-related structures/functions

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  lib: simplify adding groups according to priorities
Dmitry Eremin-Solenikov [Sat, 23 Sep 2017 18:43:45 +0000 (21:43 +0300)] 
lib: simplify adding groups according to priorities

There is little point in remembering if EC or DHE came first and then
adding the necessary groups checking that flag. Instead, just add groups at
the time the first EC or DHE ciphersuite is met.

Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
8 years ago  tests: added unit test for RDNs in cert callback
Nikos Mavrogiannopoulos [Wed, 4 Oct 2017 07:21:06 +0000 (09:21 +0200)] 
tests: added unit test for RDNs in cert callback

This verifies whether the RDNs received at the callbacks under
TLS1.2 and TLS1.3 have the expected values (corresponding to the
certificates used).

Resolves #297

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  gnutls_auth*_get_type: use gnutls_kx_get to retrieve key exchange
Nikos Mavrogiannopoulos [Tue, 3 Oct 2017 13:59:14 +0000 (15:59 +0200)] 
gnutls_auth*_get_type: use gnutls_kx_get to retrieve key exchange

That allows the functions to operate under TLS 1.3, which has
no key exchange as part of the ciphersuite.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  tests: check certificate callbacks under TLS 1.2 and 1.3
Nikos Mavrogiannopoulos [Tue, 3 Oct 2017 13:28:07 +0000 (15:28 +0200)] 
tests: check certificate callbacks under TLS 1.2 and 1.3

Resolves #278

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  tests: added unit tests for client certificate under TLS1.3
Nikos Mavrogiannopoulos [Tue, 3 Oct 2017 12:56:15 +0000 (14:56 +0200)] 
tests: added unit tests for client certificate under TLS1.3

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  handshake: handle the certificate authorities extension
Nikos Mavrogiannopoulos [Tue, 3 Oct 2017 12:21:33 +0000 (14:21 +0200)] 
handshake: handle the certificate authorities extension

That is, when sending or receiving the certificate request message.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  handshake: added support for client certificates
Nikos Mavrogiannopoulos [Tue, 3 Oct 2017 11:59:39 +0000 (13:59 +0200)] 
handshake: added support for client certificates

That is, receive and parse a certificate request, certificate
verify, as well as certificate in server side.

That way, client certificates

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  handshake: return GNUTLS_E_NO_CERTIFICATE_FOUND when no certificate is found in TLS1.3
Nikos Mavrogiannopoulos [Tue, 3 Oct 2017 09:48:28 +0000 (11:48 +0200)] 
handshake: return GNUTLS_E_NO_CERTIFICATE_FOUND when no certificate is found in TLS1.3

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  handshake: send certificate request when requested
Nikos Mavrogiannopoulos [Tue, 3 Oct 2017 09:43:45 +0000 (11:43 +0200)] 
handshake: send certificate request when requested

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  tests: added check for client hello random value after HRR
Nikos Mavrogiannopoulos [Fri, 6 Oct 2017 09:00:16 +0000 (11:00 +0200)] 
tests: added check for client hello random value after HRR

That way we ensure that we follow the TLS1.3 draft, which requires
the second client hello to be identical to the initial one.

Resolves #299

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  handshake: treat reply to HRR as a reply to hello verify request
Nikos Mavrogiannopoulos [Fri, 6 Oct 2017 09:16:17 +0000 (11:16 +0200)] 
handshake: treat reply to HRR as a reply to hello verify request

That is, re-use the client random value on the client hello which
is a reply to a hello retry request.

Relates #299

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  tests: added key share behavioral test
Nikos Mavrogiannopoulos [Fri, 6 Oct 2017 08:18:33 +0000 (10:18 +0200)] 
tests: added key share behavioral test

This verifies whether the gnutls_init() flags GNUTLS_KEY_SHARE_TOP,
GNUTLS_KEY_SHARE_TOP2, GNUTLS_KEY_SHARE_TOP3 behave as advertized.

Resolves #284

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  key share: added flags to gnutls_init() to modify its default behavior
Nikos Mavrogiannopoulos [Fri, 6 Oct 2017 07:05:20 +0000 (09:05 +0200)] 
key share: added flags to gnutls_init() to modify its default behavior

That way the application can adjust the range of keys generated
during client hello attempting to guess the server's algorithm.

Applications are intentionally not given the option to select the
algorithm in the key share, but rather choose from the prioritized
list of groups, to avoid a disconnect between the prioritized
groups and the key share sent.

Relates #284

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  handshake: initialize buffer prior to use
Nikos Mavrogiannopoulos [Thu, 2 Nov 2017 14:40:24 +0000 (15:40 +0100)] 
handshake: initialize buffer prior to use

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  tests: added tests for TLS1.2- rollback detection
Nikos Mavrogiannopoulos [Wed, 4 Oct 2017 08:55:48 +0000 (10:55 +0200)] 
tests: added tests for TLS1.2- rollback detection

That is, tests which check
 * whether the server's generated values under TLS1.2- match the expected
 * whether the client would fail on negotiation if the rollback values are detected

Resolves #293

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  _gnutls_set_server_random: corrected TLS1.2 and TLS1.1 rollback detection
Nikos Mavrogiannopoulos [Wed, 4 Oct 2017 08:33:11 +0000 (10:33 +0200)] 
_gnutls_set_server_random: corrected TLS1.2 and TLS1.1 rollback detection

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  extensions: renamed _gnutls_hello_ext_*sdata to _gnutls_hello_ext_*priv
Nikos Mavrogiannopoulos [Tue, 3 Oct 2017 09:08:04 +0000 (11:08 +0200)] 
extensions: renamed _gnutls_hello_ext_*sdata to _gnutls_hello_ext_*priv

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  server_name: use the new API for ext data setting
Nikos Mavrogiannopoulos [Tue, 3 Oct 2017 07:35:52 +0000 (09:35 +0200)] 
server_name: use the new API for ext data setting

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  extensions: enhanced extension lib with pack and unpack functions
Nikos Mavrogiannopoulos [Tue, 3 Oct 2017 06:58:59 +0000 (08:58 +0200)] 
extensions: enhanced extension lib with pack and unpack functions

That allows the functionality to be used for the majority of extensions.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  tests: check the correct handling of cookie extension in client side
Nikos Mavrogiannopoulos [Tue, 3 Oct 2017 06:41:51 +0000 (08:41 +0200)] 
tests: check the correct handling of cookie extension in client side

Resolves #218

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  extensions: allow receiving and sending extensions which were not advertised by client side
Nikos Mavrogiannopoulos [Tue, 3 Oct 2017 06:39:58 +0000 (08:39 +0200)] 
extensions: allow receiving and sending extensions which were not advertised by client side

That is needed due to the special treatment of the cookie extension,
which is sent by the server in HRR even if it was not advertised by
the client.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  extensions: optimized gid_to_ext_entry() map on known extensions
Nikos Mavrogiannopoulos [Fri, 29 Sep 2017 14:41:09 +0000 (16:41 +0200)] 
extensions: optimized gid_to_ext_entry() map on known extensions

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  extensions: avoid double loop when parsing received extensions
Nikos Mavrogiannopoulos [Fri, 29 Sep 2017 14:23:10 +0000 (16:23 +0200)] 
extensions: avoid double loop when parsing received extensions

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  extensions: avoid looping to discover location of saved data
Nikos Mavrogiannopoulos [Fri, 29 Sep 2017 13:40:36 +0000 (15:40 +0200)] 
extensions: avoid looping to discover location of saved data

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  handshake: added support for reading and sending cookie extension
Nikos Mavrogiannopoulos [Fri, 29 Sep 2017 13:16:04 +0000 (15:16 +0200)] 
handshake: added support for reading and sending cookie extension

That introduces an internal API to associate data to an extension.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
8 years ago  doc: document the GNUTLS_E_NO_COMMON_KEY_SHARE usage
Nikos Mavrogiannopoulos [Mon, 13 Nov 2017 07:45:09 +0000 (08:45 +0100)] 
doc: document the GNUTLS_E_NO_COMMON_KEY_SHARE usage

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
8 years ago  tests: added unit test for hello retry request support
Nikos Mavrogiannopoulos [Fri, 29 Sep 2017 09:58:25 +0000 (11:58 +0200)] 
tests: added unit test for hello retry request support

Resolves #285

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>