tests: rehandshake tests were restricted to TLS1.2

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

handshake: reduce assert printouts in common cases

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

handshake: accept hello retry request in client side

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

buf: _gnutls_buffer_pop_data made easier to use

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

handshake: simplified version parsing

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

handshake: send hello retry request when no key share matches

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

ext: do not advertize post handshake authentication

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: check TLS1.3 record layer packet modification

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

handshake: split set_client_random to gen and set

This aligns with set_server_random() and gen_server_random().

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

handshake: only attempt to detect downgrade attacks if TLS1.3 is supported

Otherwise, connections under TLS 1.2 may fail, even if client never enabled
TLS 1.3 support.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

nettle/pk: explicitly mark intentional fallthrough in switch cases

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

key share: removed duplicate message

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: fix warning in rng-sigint.c

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: improved tls-session-supplemental

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

kx: moved to new buffer API

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

handshake: moved to the new mbuffer API

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

handshake: use the new buffer type in TLS 1.3

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

handshake: new helper functions to use gnutls_buffer_st to generate mbuffers

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tlsfuzzer: disable non TLS1.3-ready tests

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: added tests for TLS1.3 record generation / parsing

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: introduced basic TLS1.3 key exchange test suite

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

record: adjusted overhead calculation for TLS1.3

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

priority: include groups into priority when having a TLS1.3-only session

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

priority: do include all the version's signature semantics

This resolves issue, which prevented handling certain types
of TLS1.3-only signatures, depending on the order of enabled
protocols.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

ext/key_share: corrected release of MPI parameters

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

ext/signature: explicitly prevent RSA/DSA and SHA1 signatures on TLS1.3

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

hello ext: reduce verbosity

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

constate.h: removed non-existing function

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

record: any alert is fatal under TLS1.3

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

extensions: introduced functions to obtain currently parsed message

This allows the extension handling code to operate differently
on different messages.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

supported_versions: print the received versions

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

handshake: introduced server side handshake [2/2]

That is, send server certificate verify and receive
certificate and certificate verify messages. In addition
introduced flags to mark the expected, or sent messages.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

cs: select certificate under TLS1.3

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

handshake: introduced server side handshake [1/2]

That is, send certificate request and certificate in server side

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

ciphersuites: introduce a maximum supported TLS/DTLS version

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

handshake: properly set the default record version

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

handshake: send encrypted extensions handshake message

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

handshake: parse new session ticket message

That does not include extension handling.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

str: added _gnutls_buffer_pop_prefix24 and _gnutls_buffer_pop_prefix8

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

str: use assert to mark impossible cases

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

str: allow creating a read-only buffer

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

gnutls_session_get_desc: more descriptive name for TLS1.3 ciphersuites

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

handshake: generate application keys

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

constate: added _gnutls_epoch_dup

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

constate: indentation fixes

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

handshake: added basic support for TLS 1.3 handshake in client side

That does not include support for client certificates as it
requires extension handling improvements in order for extensions
to be context sensitive (now they cannot distinguish whether the
parsing routine is called during client hello or certificate request
reading)

This does not include proper parsing of extensions present in
the certificate message.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

handshake: added parsing of encrypted extensions

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

crypto-api: introduce internal version of AEAD API

This allows to initialize the TLS 1.3 connection state without
additional allocations as required by the external API.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

record: added TLS 1.3 record parsing and key derivation

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

handshake: introduced TLS 1.3 handshake client state machine outline

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

extensions: separate the hello extensions from others

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

hello_ext.h: removed non-existant function definition

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

extensions: files renamed to hello_ext

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

extensions: renamed hello extension handling functions appropriately

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

extensions: simplified semantics of store and check functions

That is, _gnutls_extension_list_check was made a boolean function,
and both were renamed to more appropriate names such as,
_gnutls_hello_ext_is_present, _gnutls_hello_ext_save.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

extension: renamed functions to reflect purpose

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

extensions: use the low-level extension parsing code for hello parsing

That's a step towards unification of TLS-type extension handling
for TLS 1.3.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

extv: introduced a low-level extension parsing code

This will simplify the parsing and handling of extensions throughout
the TLS 1.3 message contents.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

extensions: simplified the extension tracking

Instead of keep a list of the received TLS extension IDs, use the bits
in a variable to mark the received extensions. That reduces the
overall memory usage due to extension tracking.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

extensions: use an internal extension ID independent of the TLS id

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

str: rename _gnutls_buffer_pop_prefix to _gnutls_buffer_pop_prefix32

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

str: rename _gnutls_buffer_pop_datum_prefix to _gnutls_buffer_pop_datum_prefix32

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

security params: store PRF when packing session

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

handshake: simplify by storing a pointer to PRF mac entry

That way, we avoid multiple function calls to obtain information
such as hash size, and other MAC properties.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

ext/signature: improved TLS 1.3 signature algorithm negotiation

That is, we introduce a simpler way to handle multiple versions
of a single signature algorithm.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

str: added helper functions to read prefixed data with 8 or 16-bit headers

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

ecc: do not warn on receiving extension on client side

This extension can be received used under TLS 1.3 on the client side.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Added TLS 1.3 HKDF key derivation functionality

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

extensions: include extension number in debugging message

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: check behavior on the extension hello flags

That is, verify whether the various combinations of
GNUTLS_EXT_FLAG_CLIENT_HELLO,
GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO,
GNUTLS_EXT_FLAG_TLS13_SERVER_HELLO
work as expected with regards to sending and receiving
extensions.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

extensions: apply extension msg type restrictions

That is, on the extension parsing functions ensure that
no extension which are not valid for the currently
received message are parsed.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

extensions: mark the message validity of each supported extension

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

extensions: type renamed to id for clarity

We were previously using the variable named 'type' to indicate the
extension ID. With TLS 1.3, extensions are also given an applicability
type (which message the extension applies to), and thus renamed the
variable for clarity.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

tests: guile: don't use VERS-TLS-ALL

That is, avoid enabling experimental protocols.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

.gitlab-ci.yml: abi-coverage: include guile logs

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

nettle: added HKDF functions

They are being included conditionally depending on the RSA-PSS feature
(RSA-PSS and HKDF are expected to be introduced at the same version).

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

gnutls-cli-debug: use explicit TLS versions rather than TLS-ALL

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

_gnutls_server_select_suite: don't set auth callbacks for TLS 1.3

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

supported_versions: print negotiated protocol

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Negotiate draft-TLS1.3

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

handshake: added the TLS 1.3 ciphersuites

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

handshake: print negotiated version after its negotiation (for TLS1.3)

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

tests: fix TLS version to 1.2 for tests which used VERS-TLS-ALL

This allows the test suite to run, even when TLS1.3 is still
experimental.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Added support for key share extension

This enables TLS 1.3 key exchange based on the key share extension.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

handshake: always accept TLS 1.2 in client hello if we have later protocols enabled

That is because after TLS 1.3 there is no negotiation of the version using
the Client Hello field, but with an extension.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

require nettle 3.3 or later

This will simplify handling of the x25519 key exchange.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

str: added function to append fixed-size MPI

This is used in TLS 1.3 which introduces a new MPI over-the-wire
format.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: resumption tests were restricted to TLS 1.2

TLS 1.3 implements resumption is a different way, so we should
introduce new resumption tests once that support is in place.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

ext/post_handshake: restrict the use of this extension to TLS 1.3 or later

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

handshake: optimizations and enhancements in session version handling

This introduces the following new functions:
const version_entry_st *_gnutls_legacy_version_max(gnutls_session_t session);
const version_entry_st *_gnutls_version_max(gnutls_session_t session);

which replace their previous counterparts.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: check for post-handshake extension in TLS 1.2-only sessions

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: added unit tests for post-handshake-auth extension

These test whether this extension is seen under TLS 1.3 in client
hello, and whether it is not present in server hello.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

handshake: send client and server hellos according to TLS 1.3

That is, when TLS 1.3 is negotiated the compression algorithms and
session ID fields are no longer sent.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Added support for post handshake auth extension

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: updated for new behavior of disabling protocols on missing signature algorithms

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: verify that no signature algorithms with (D)TLS 1.2 will cause an error

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

priorities: when no signature algorithms eliminate (D)TLS 1.2 or later

If an application intentionally disables all signature algorithms, ensure
that we can operate by eliminating protocol options which require these
signature algorithms to be set.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: safer use of gnutls_bye in _test_cli_serv()

In addition make sure we check gnutls_priority_set() for errors.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: added checks for special signature algorithms

This tests the behavior when signature algorithms only available
under TLS1.3 are present in a TLS 1.2 session.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: verify that +SIGN-ECDSA-SECP256R1-SHA256 has no effect when combined with TLS1.2

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>