doc: document the non-portability of NONE priority string

See merge request !731

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Fixes for issues identified by static analyzers

Closes #518

See merge request !729

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

This addresses issue with travis compilation on MacOSX.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

gnutls_memset: use explicit_bzero

Closes #230

See merge request !728

That is, use the glibc function when available and the second
parameter is zero.

Resolves #230Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

use a consistent method to mark fall-through in switch cases

Closes #306

See merge request !726

Also document that method in contribution guide.

Resolves #306Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

tlsfuzzer: update to the latest version to enable more TLS 1.3 tests

Closes #537

See merge request !727

Previously, if server is configured without PSK credentials and the
client authenticated with PSK, the server crashed with:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7b190ba in server_recv_params (session=0x636fc0, data=0x634e6e "",
    len=46, pskcred=0x0) at pre_shared_key.c:523
523                             prf = pskcred->binder_algo;
Signed-off-by: Daiki Ueno <dueno@redhat.com>

Also enable test-tls13-ffdhe-sanity.py,
test-tls13-session-resumption.py, and
test-tls13-unrecognised-groups.py.
Signed-off-by: Daiki Ueno <dueno@redhat.com>

Previously, when server received a ClientHello that does include only
groups from unassigned ranges in supported_groups, it aborted the
connection with an illegal_parameter.

Resolves #537Signed-off-by: Daiki Ueno <dueno@redhat.com>

Signed-off-by: Daiki Ueno <dueno@redhat.com>

Corrected the importing of ECDSA public keys

Closes #538

See merge request !725

This seems to be a regression since EdDSA support. The call to
_gnutls_x509_get_pk_algorithm() in public key import was unnecessary
and in fact it was overriding the available curve with a curve associated
with the OID. As the ECDSA OID doesn't include the curve, that had the
result of deleting the already read curve.

Resolves #538Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

That is, when we respond to a Hello Retry Request as client, we put
the TLS1.2 version on the second client hello to send a hello that is
as close as possible to the original hello. That effectively separates
the handling of TLS1.2 rehandshake and TLS1.3 hello retry request
when sending a client hello.

Resolves #535Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

resumption: keep persistent session identifiers

Closes #484

See merge request !721

The message "If your browser supports session resuming, then you should
see the same session ID, when you press the reload button", is now printed
again even under TLS1.3.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

With the introduction of session ticket support (TLS1.2) and
TLS1.3, session identifiers have no persistency on server or
client side. Improve the situation by introducing persistent
session identifiers on server side in a backwards compatible
way.

Resolves #484Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Fix interleaved handshake handling in TLS 1.3

Closes #272

See merge request !708

Signed-off-by: Daiki Ueno <dueno@redhat.com>

Those tests were previously disabled because splitting of handshake
messages in a very short (< 4 bytes) fragments is not implemented.
Signed-off-by: Daiki Ueno <dueno@redhat.com>

Signed-off-by: Daiki Ueno <dueno@redhat.com>

If the received record doesn't even complete the handshake
header (i.e., the record size < 4), keep it in a temporary buffer and
let the caller receive more records.  Once enough amount of data is
received, move the already received records back to record_buffer and
proceed to the normal processing.

Fixes: #272Signed-off-by: Daiki Ueno <dueno@redhat.com>

This is similar to _mbuffer_enqueue, but adds an element to the
beginning of the buffer.

This is to make the incomplete header handling case easier.
Signed-off-by: Daiki Ueno <dueno@redhat.com>

If `remain > 0` is true, `recv_buf[0].length > 0` always holds.
Combine those conditions and remove the `remain` utilizing MIN().

This is to make the incomplete header handling case easier.
Signed-off-by: Daiki Ueno <dueno@redhat.com>

Previously, to calculate the fragment length, it added/subtracted one
to the ending offset back and forth; that was not easier to read and
couldn't handle empty payload messages in TLS.
Signed-off-by: Daiki Ueno <dueno@redhat.com>

TLS 1.3: ignore "early_data" extension

Closes #512

See merge request !706

Also enable test-tls13-0rtt-garbage.py.
Signed-off-by: Daiki Ueno <dueno@redhat.com>

As 0-RTT is still not implemented in GnuTLS, the server responds with
1-RTT, by skipping decryption failure up to max_early_data_size, as
suggested in 4.2.10 Early Data Detection.

Resolves #512Signed-off-by: Daiki Ueno <dueno@redhat.com>

This is particularly useful when displaying information about a
certificate trust store.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

tls1.3: server returns early on handshake when no cert is provided by client

Closes #481 and #457

See merge request !711