tests: wrap ADD_SYSCALL for getrandom in test for SYS_getrandom

Closes #703

See merge request !926

Signed-off-by: R. Andrew Bailey <bailey@akamai.com>

bootstrap.conf: do not override GNULIB_SRCDIR

See merge request !925

This was not set in all of our CI platforms, and was causing
issues in MacOSX.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

x509: corrected issue in the algorithm parameters comparison

Closes #698

See merge request !921

Fix uninitialized warning in pkcs11.c

See merge request !906

Each certificate has two fields to set the signature algorithm
and parameters used for the digital signature. One of the fields is
authenticated and the other is not. It is required from RFC5280 to
enforce the equality of these fields, but currently due to an issue
we wouldn't enforce the equality of the parameters fields. This
fix corrects the issue.

We also move an RSA-PSS certificate in chainverify that was relying
on invalid parameters, to this set of invalid certificates.

Resolves: #698Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

Fix 32bit overflow issue in src/serv-args.def

Closes #700

See merge request !922

Fixing this warning seen on 32bit architectures:

serv-args.c: In function 'doOptMaxearlydata':
serv-args.c:1431:14: warning: overflow in conversion from 'long long int' to 'long int' changes value from '4294967296' to '0' [-Woverflow]
         { 1, 4294967296 } };
              ^~~~~~~~~~
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

Remove typedef'ing ssize_t in gnutls.h

Closes #688

See merge request !916

Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

Use inet_pton() from gnulib

See merge request !913

Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

.triage-policies.yml: added [ci skip]

See merge request !908

bootstrap: refuse to bootstrap if any new dependencies bring gnulib's network stack

See merge request !919

If gnulib's network stack is brought (due to a dependency) in the library
it will make the library unusable to non-gnulib using applications. This
prevents windows applications for example to use gnutls, and so on. Even
more it is quite hard to catch that issue because our testsuite uses
gnulib as well. Instead we try to catch the these modules at import time.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

When negotiating TLS1.3 enforce certificate key usage

Closes #690

See merge request !902

Use inet_ntop() from gnulib

See merge request !912

Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

The API could return 0 or 1 matching certificates. The case of zero
can only happen in client side.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

That is, we require a signing certificate when negotiating
TLS1.3, or when sending a client certificate (on all cases).
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

This only takes into account certificates in the credentials structure.
If certificates are provided in a callback, these must be checked by
the provider. For that we assume that the credentials structure is
filled when associated with a session; if not then the fallback mechanism
will not work and the handshake will fail.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

That is, we require a signing certificate when negotiating
TLS1.3, or when sending a client certificate (on all cases).

Before we would not perform any checks under TLS1.3 or when client
certificates are sent, assuming that the certificates used will always
be signing ones. However if the user sets up incorrectly a decryption
certificate we would use it for signing. This fix makes sure that an
error is returned early when these scenarios are detected.

Resolves: #690Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

This adds a set of policies regarding issues and merge requests
to be enforced by the gitlab-triage bot. That is:
 - Issues without any label for more than a month are marked
   with needs attention label
 - Issues with needinfo label are closed if they are not updated
   within a month
 - Merge requests marked as WIP with no update within 5 months
   are closed.

These rules are not enforced automatically; we have to schedule
a run of the gitlab-triage bot.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

build: pass NETTLE_LIBS together with HOGWEED_LIBS

See merge request !903

build: do not generate mech-list.h if p11-kit is not available

See merge request !904

Compiling GnuTLS with no p11-kit installed will result in a serie of
warnings during build time because mech-list.h will be generated even if
pkcs11 tool compilation is disabled. Move mech-list.h generation to
happen only if pkcs11 is enabled, thus removing these warnings.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

libhogweed might depend on exact non-system-wide nettle, so let's pass
NETTLE_LIBS flags together when using HOGWEED_LIBS.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

Amend error code when SNI name is not accepted

Closes #683

See merge request !891

An illegal/disallowed SNI server name previously generated
the misleading message "An illegal parameter has been received.".

This commit changes it to
  "A disallowed SNI server name has been received.".
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

lib/nettle: replace nettle-stdint.h with just stdint.h

See merge request !901

Fix 'make glimport' and update CONTRIBUTING.md

See merge request !900

Nettle library is going to drop nettle-stdint.h. Replace this include
with with just <stdint.h>.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

Fix unused var warning in guile/src/core.c

See merge request !895

build: detect previous supported guile

See merge request !898

.gitignore: add test files

See merge request !899

Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>