tests: ip-utils: added include for FreeBSD compilation

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

.gitlab-ci.yml: enable more cppcheck tests

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: updated tlsfuzzer to reduce rsa-pss failures

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

crq: doc update

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: added unit test for gnutls_x509_crq_sign

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: added verification checks into crl_apis

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

gnutls_x509_crl_verify: check next update field for presence

If not present do not attempt to utilize its value.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: added verification check into crt_apis

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: added unit test for gnutls_x509_crt_sign

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

doc update

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

gnutls_x509_crq_sign: undeprecate

After the updates of the function semantics, it is no longer
needed to deprecate it.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

gnutls_x509_crl_sign: undeprecate

After the updates of the function semantics, it is no longer
needed to deprecate it.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

gnutls_x509_crq_sign: no longer sign with SHA1

Modify the behavior of the functions to sign with an appropriate
to the public key hash algorithm. That although it modifies the
semantics of the functions, it allows them to be useful even after
SHA1 is considered insecure.

In addition to that, the functions which accept a hash algorithm, will
accept a null hash, which instructs the function to select a
reasonable choice.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

gnutls_x509_*_sign: no longer sign with SHA1

Modify the behavior of the functions to sign with an appropriate
to the public key hash algorithm. That although it modifies the
semantics of the functions, it allows them to be useful even after
SHA1 is considered insecure.

In addition to that, the functions which accept a hash algorithm, will
accept a null hash, which instructs the function to select a
reasonable choice.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

doc: document the change of gnutls_x509_crt_sign

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: tolerate leaks in opensc-pkcs11 when present

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

doc update

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: added reproducer for safe renegotiation failure with openssl

Relates #259

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

handshake: check SCSVs prior to resuming a session

This ensures that extensions which are also available as SCSVs
are parsed prior to resuming a session. This resolves an issue
with openssl sending SCSV instead of an extension for the safe
renegotiation.

Relates #259

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Use $(LIBDL) instead of hardcoding -ldl.

cmocka: require 1.0.1

This prevents failures in test suite due to insufficient cmocka
library version.

Resolves #268

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tlslite-ng: updated to latest version

This addresses issues with RSA-PSS signing.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

cli-debug-args.def: Fix typo

Signed-off-by: Avinash Sonawane <rootkea@gmail.com>

latex: handle the deprecated function mark [ci skip]

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

.gitlab-ci.yml: give more specific name to windows job artifacts [ci skip]

This allows a more descriptive name to any downloaded artifacts.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

tools: removed re-using PIN message when in non-verbose mode

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

p11tool: print public or private key algorithm

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

gnutls_pkcs11_privkey_generate3: doc update [ci skip]

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: check whether generated private keys are marked private

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

tests: added unit test of p11tool with --set-pin

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

tests: check whether generated or copied keys are marked as sensitive

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

updated auto-generated files

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

p11tool: allow obtaining PIN from command line on operations

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

certtool: eliminate global use of default_dig

Use instead the cinfo->hash field which is already used
by p11tool.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: krb5-test: disable valgrind mem leak checks for negative checks

Resolves #192

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

doc update

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: check whether p11tool signing with RSA-PSS works

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

p11tool: allow signing with RSA-PSS and specifying an explicit hash

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

sign_params_to_flags: moved to certtool-common.c

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

certtool: hash_to_id moved to certtool-common.c

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Fix some typos [ci skip]

occurence -> occurrence
sucessful -> successful

Signed-off-by: Andreas Metzler <ametzler@bebt.de>

Fixed segmentation faults caused by accessing NULL pointers during mutex operations. This bug was triggered while setting priorities.

Signed-off-by: Tom Vrancken <email@tomvrancken.nl>

p11tool: explicitly mark generated keys as sensitive

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: windows: warning: function declaration isn't a prototype

Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

tests: warning: implicit declaration of function

Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

m4: updated ax_code_coverage.m4 [ci skip]

This version fixes a bug which prevented including the branch coverage
into output.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

fuzzer: Enhance code coverage of gnutls_base64_encoder_fuzzer

Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

fuzzer: Add script 'view-coverage'

This helper script is for viewing the code coverage of
single (or combined) fuzzers running with all his corpora.

It helps optimizing the code coverage by hand-crafting corpora
and/or dictionaries.

Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

fuzzer: Change CFLAGS -O0 to -O1 in fuzz/README.md

Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

fuzzer: Update corpora from oss-fuzz

Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

tlslite: updated to latest version

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

certtool: do not ask about RSA encryption in non-RSA keys

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

fuzz: work-around libtool file name

fuzzers utilize argv[0] to discover the name the reproducers are stored
in. However libtool creates a script which later runs the executable.
Try to detect that situation and use the right paths.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

dh params: document DH param setting functions as deprecated

They are no longer useful after the RFC7919 DH parameter negotiation.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: introduced unit test of gnutls_memset()

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

fuzz: removed -static ldflag completely

It is not necessary for building the fuzzer, and was causing
issues in MacOSX systems.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

.gitlab-ci.yml: use the same flags in the tags and non-tags windows builds

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

tests: p11-kit-trust is not compiled in windows

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

fuzz: temporarily disable -static build of fuzz/ in MacOSX

This allows running the MacOSX CI tests on travis.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

doc update

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

tests: verify the output size of gnutls_x509_privkey_export

That is, make sure that gnutls_x509_privkey_export() and
gnutls_x509_privkey_export2() agrees with the strlen()
value on the data.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

.travis.yml: print failed log files in fuzz after failure

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

hooks.m4: reduce the gap between minor soversion of 3.5.x and 3.6.0

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

tests: make mini-record more friendly for OSes with limited buffers

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

pull/push backends: ECONNRESET is translated to GNUTLS_E_PREMATURE_TERMINATION

This returns a more reasonable error code on platforms where
this errno is set.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

tests: gnutls_x509_privkey_import: address issue on error path

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

sed: use it in a portable way in makefiles

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

configure: disable hardware acceleration on aarch64/ilp32 mode

Our included assembly code for aarch64 is not suitable for that
data mode.

Resolves #252

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

create_tls_random: avoid warning in fuzzying mode

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

configure.ac: removed conditional FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION

Instead rely only on the definition, to make fuzzying mode to be
enabled even if --enable-fuzzer-target is not specified, but defined
b the compiler.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

rnd-fuzzer: use ifdef instead of conditional compilation

This allows compiling in fuzzying mode even when --enable-fuzzer-target
is not specified on configure, but the definition is present.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

fuzzer: Update base64 fuzzers + corpora

Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

fuzzer: Fix include path in run-clang.sh [skip ci]

Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

gnutls_x509_privkey_export: use _gnutls_copy_string on PEM data

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Corrected argument names of functions to correspond to declaration

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

lib: use casts and be explicit on intentional enumeration use

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

gnutls-cli-debug: do not run non-FIPS cipher tests when in FIPS mode

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

doc update

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

doc update

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: added basic test for the operation of gnutls-cli-debug

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: verify the presence of GNUTLS_SFLAGS_RFC7919 flag in server and client mode

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

gnutls-cli-debug: check whether RFC7919 is supported

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

gnutls_session_get_flags: introduced GNUTLS_SFLAGS_RFC7919

This allows checking whether the DHE parameters used were negotiated
using RFC7919.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

gnutls_auth_*: check cs parameter for validity prior to use

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

certtool: simplified certificate PEM printing

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

gnutls-cli: fixed bounds check on benchmark-tls

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

lib: removed legacy debugging code

That code was code from the initial versions of gnutls. It was neither
used nor updated for long time.

Relates #248

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

fuzz: added missing files into dist [ci skip]

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: added missing files in dist [ci skip]

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: do not suppress stderr errors on servers startup

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

doc update

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

abi-check: added check for 3.6.0 ABI compatibility

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

gnutls_x509_crl_get_issuer_dn: removed unnecessary const

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

certtool: fixed documentation of sign-params

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

README.md: mention lockfile-progs dependency

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

tests: tls-neg-ext4-key: explicitly restrict to TLS 1.2, 1.1 and 1.0

This allows testing all signature types used in the protocol.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

sign APIs: introduce RSA-RAW signing algorithm

This ensures that there is a signing algorithm for all the operations
we support. Previously, we required GNUTLS_SIGN_UNKNOWN to be acceptable
by signing functions to accomodate for raw RSA operations. Now we make
that explicit and in the process clean-up the API.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

removed devel/fuzz; functionality moved to fuzz/ [ci skip]

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

fuzzer: Add 'make -C fuzz coverage' [ci skip]

This reports how much code is covered by fuzzing.

Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

_gnutls_recv_server_certificate_status: use the same type in subtracted values

This ensures that there are no issues with subtracting those values.
Note that the second is read from an uint24_t and thus it is always
positive regardless its type.

Resolves #245

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>