Merge commit 'f527ed0e74dce05a7f2819a982b4c3170b4a3a97'

.gitignore

@@ -419,6 +419,7 @@ tests/fallback-scsv
 tests/finished
 tests/fips-mode-pthread
 tests/fips-override-test
+tests/fips-rsa-key-sizes
 tests/fips-test
 tests/gc
 tests/global-init
@@ -863,6 +864,7 @@ tests/tls13-without-timeout-func
 tests/tls13/anti_replay
 tests/tls13/change_cipher_spec
 tests/tls13/compress-cert
+tests/tls13/compress-cert-cli
 tests/tls13/compress-cert-neg
 tests/tls13/compress-cert-neg2
 tests/tls13/cookie

.gitlab-ci.yml

@@ -29,7 +29,7 @@ variables:
   CHECKJOBS: 16
 
 cache:
-  key: "$CI_JOB_NAME-ver25"
+  key: "$CI_JOB_NAME-ver26"
   paths:
     - cache/
 
@@ -50,6 +50,8 @@ default:
     - *prepare-ccache
     - ccache -s
 
+  interruptible: true
+
 .bootstrap:
   stage: bootstrap
   tags:
@@ -366,6 +368,37 @@ fedora-minimal/test:
   needs:
     - fedora-minimal/build
 
+fedora-interop/test:
+  extends:
+    - .test
+    - .fedora
+  dependencies:
+    - fedora-minimal/build
+  needs:
+    - fedora-minimal/build
+  parallel:
+    matrix:
+      - COMPONENT:
+          - openssl
+          #- nss # currently fails on Fedora due to NSS bug
+        TYPE:
+          - 2way
+          #- 3way # these tests take too long, plan is to split them
+          #- 4way
+          #- 5way
+          #- p256
+          #- p384
+          #- p521
+          #- rsae
+          #- rsapss
+  allow_failure: true
+  script:
+    - cd tests/suite/tls-interoperability/
+    - echo "Tests to run:"
+    - tmt run plans -n interop tests -f "tag:interop-gnutls" -f "tag:interop-$TYPE" -f "tag:interop-$COMPONENT"  discover -v
+    - echo "Run the tests:"
+    - tmt run -a plans -n interop tests -f "tag:interop-gnutls" -f "tag:interop-$TYPE" -f "tag:interop-$COMPONENT" provision -h local execute -h tmt --interactive
+
 fedora-SSL-3.0/build:
   extends:
     - .build

.gitmodules

@@ -25,3 +25,6 @@
 [submodule "devel/cligen"]
 	path = cligen
 	url = https://gitlab.com/gnutls/cligen.git
+[submodule "tests/suite/tls-interoperability"]
+	path = tests/suite/tls-interoperability
+	url = https://gitlab.com/redhat-crypto/tests/interop.git

NEWS

@@ -5,6 +5,32 @@ Copyright (C) 2000-2016 Free Software Foundation, Inc.
 Copyright (C) 2013-2019 Nikos Mavrogiannopoulos
 See the end for copying conditions.
 
+* Version 3.7.8 (released 2022-09-27)
+
+** libgnutls: In FIPS140 mode, RSA signature verification is an approved
+   operation if the key has modulus with known sizes (1024, 1280,
+   1536, and 1792 bits), in addition to any modulus sizes larger than
+   2048 bits, according to SP800-131A rev2.
+
+** libgnutls: gnutls_session_channel_binding performs additional checks when
+   GNUTLS_CB_TLS_EXPORTER is requested. According to RFC9622 4.2, the
+   "tls-exporter" channel binding is only usable when the handshake is
+   bound to a unique master secret (i.e., either TLS 1.3 or extended
+   master secret extension is negotiated). Otherwise the function now
+   returns error.
+
+** libgnutls: usage of the following functions, which are designed to
+   loosen restrictions imposed by allowlisting mode of configuration,
+   has been additionally restricted. Invoking them is now only allowed
+   if system-wide TLS priority string has not been initialized yet:
+gnutls_digest_set_secure
+gnutls_sign_set_secure
+gnutls_sign_set_secure_for_certs
+gnutls_protocol_set_enabled
+
+** API and ABI modifications:
+No changes since last version.
+
 * Version 3.7.7 (released 2022-07-28)
 
 ** libgnutls: Fixed double free during verification of pkcs7 signatures.

bootstrap.conf

@@ -23,7 +23,7 @@ gnulib_tool_option_extras="--without-tests --avoid=alignof-tests --avoid=lock-te
 use_libtool=1
 checkout_only_file=
 local_gl_dir=gl/override/
-required_submodules="tests/suite/tls-fuzzer/python-ecdsa tests/suite/tls-fuzzer/tlsfuzzer tests/suite/tls-fuzzer/tlslite-ng cligen devel/abi-dump devel/nettle devel/openssl devel/libtasn1"
+required_submodules="tests/suite/tls-fuzzer/python-ecdsa tests/suite/tls-fuzzer/tlsfuzzer tests/suite/tls-fuzzer/tlslite-ng tests/suite/tls-interoperability cligen devel/abi-dump devel/nettle devel/openssl devel/libtasn1"
 
 # Those modules are common to lib/ and src/.
 common_modules="

cfg.mk

@@ -212,31 +212,31 @@ lib/accelerated/x86/elf/%.s: devel/perlasm/%.pl .submodule.stamp
 	cat $<.license $@.tmp > $@ && rm -f $@.tmp
 	echo "" >> $@
 	echo ".section .note.GNU-stack,\"\",%progbits" >> $@
-	sed -i 's/OPENSSL_ia32cap_P/_gnutls_x86_cpuid_s/g' $@
+	sed -i 's/OPENSSL_ia32cap_P/GNUTLS_x86_cpuid_s/g' $@
 
 lib/accelerated/x86/coff/%-x86.s: devel/perlasm/%-x86.pl .submodule.stamp 
 	CC=gcc perl $< coff \
 		$(if $(findstring $(<F),$(PL_NEEDS_FPIC)),-fPIC) \
 		$@.tmp
 	cat $<.license $@.tmp > $@ && rm -f $@.tmp
 	echo "" >> $@
-	sed -i 's/OPENSSL_ia32cap_P/_gnutls_x86_cpuid_s/g' $@
+	sed -i 's/OPENSSL_ia32cap_P/GNUTLS_x86_cpuid_s/g' $@
 
 lib/accelerated/x86/coff/%-x86_64.s: devel/perlasm/%-x86_64.pl .submodule.stamp 
 	CC=gcc perl $< mingw64 \
 		$(if $(findstring $(<F),$(PL_NEEDS_FPIC)),-fPIC) \
 		$@.tmp
 	cat $<.license $@.tmp > $@ && rm -f $@.tmp
 	echo "" >> $@
-	sed -i 's/OPENSSL_ia32cap_P/_gnutls_x86_cpuid_s/g' $@
+	sed -i 's/OPENSSL_ia32cap_P/GNUTLS_x86_cpuid_s/g' $@
 
 lib/accelerated/x86/macosx/%.s: devel/perlasm/%.pl .submodule.stamp 
 	CC=gcc perl $< macosx \
 		$(if $(findstring $(<F),$(PL_NEEDS_FPIC)),-fPIC) \
 		$@.tmp
 	cat $<.license $@.tmp > $@ && rm -f $@.tmp
 	echo "" >> $@
-	sed -i 's/OPENSSL_ia32cap_P/_gnutls_x86_cpuid_s/g' $@
+	sed -i 's/OPENSSL_ia32cap_P/GNUTLS_x86_cpuid_s/g' $@
 
 lib/accelerated/aarch64/elf/%.s: devel/perlasm/%.pl .submodule.stamp 
 	rm -f $@tmp

configure.ac

@@ -23,7 +23,7 @@ dnl Process this file with autoconf to produce a configure script.
 AC_PREREQ(2.64)
 
 dnl when updating version also update LT_REVISION in m4/hooks.m4
-AC_INIT([GnuTLS], [3.7.7], [[email protected]])
+AC_INIT([GnuTLS], [3.7.8], [[email protected]])
 AC_CONFIG_AUX_DIR([build-aux])
 AC_CONFIG_MACRO_DIRS([m4 src/gl/m4 lib/unistring/m4])
 AC_CANONICAL_HOST

doc/cha-bib.texi

@@ -275,4 +275,8 @@ Computer Science No. 1465 (Rafael Hirschfeld, ed.), February 1998),
 pages 178--183, available from
 @url{https://people.csail.mit.edu/rivest/Rivest-CanWeEliminateCertificateRevocationLists.pdf}.
 
+@item @anchor{RFC9266}[RFC9266]
+S. Whited, "Channel Bindings for TLS 1.3",
+July 2022, available from @url{https://www.ietf.org/rfc/rfc9266.txt}.
+
 @end table

doc/cha-gtls-app.texi

@@ -2201,9 +2201,12 @@ background and discussion see @xcite{RFC5056}.
 
 In @acronym{GnuTLS} you can extract a channel binding using the
 @funcref{gnutls_session_channel_binding} function.  Currently only the
-type @code{GNUTLS_CB_TLS_UNIQUE} is supported, which corresponds to
-the @code{tls-unique} channel binding for TLS defined in
-@xcite{RFC5929}.
+following types are supported:
+
+@itemize
+@item @code{GNUTLS_CB_TLS_UNIQUE}: corresponds to the @code{tls-unique} channel binding for TLS defined in @xcite{RFC5929}
+@item @code{GNUTLS_CB_TLS_EXPORTER}: corresponds to the @code{tls-exporter} channel binding for TLS defined in @xcite{RFC9266}
+@end itemize
 
 The following example describes how to print the channel binding data.
 Note that it must be run after a successful TLS handshake.

doc/latex/gnutls.bib

@@ -538,3 +538,17 @@ @misc{rfc4418
     url="https://www.ietf.org/rfc/rfc4418.txt",
 }
 
+@misc{rfc9266,
+    series =    {Request for Comments},
+    number =    9266,
+    howpublished =  {RFC 9266},
+    publisher = {RFC Editor},
+    doi =       {10.17487/RFC9266},
+    url =       {https://www.rfc-editor.org/info/rfc9266},
+    author =    {Sam Whited},
+    title =     {{Channel Bindings for TLS 1.3}},
+    pagetotal = 7,
+    year =      2022,
+    month =     jul,
+    abstract =  {This document defines a channel binding type, tls-exporter, that is compatible with TLS 1.3 in accordance with RFC 5056, "On the Use of Channel Bindings to Secure Channels". Furthermore, it updates the default channel binding to the new binding for versions of TLS greater than 1.2. This document updates RFCs 5801, 5802, 5929, and 7677.},
+}

lib/accelerated/x86/coff/aesni-x86.s

@@ -2873,7 +2873,7 @@ __aesni_set_encrypt_key:
 .L112pic:
 	popl	%ebx
 	leal	.Lkey_const-.L112pic(%ebx),%ebx
-	leal	__gnutls_x86_cpuid_s,%ebp
+	leal	_GNUTLS_x86_cpuid_s,%ebp
 	movups	(%eax),%xmm0
 	xorps	%xmm4,%xmm4
 	movl	4(%ebp),%ebp
@@ -3251,5 +3251,5 @@ _aesni_set_decrypt_key:
 .byte	83,45,78,73,44,32,67,82,89,80,84,79,71,65,77,83
 .byte	32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115
 .byte	115,108,46,111,114,103,62,0
-.comm	__gnutls_x86_cpuid_s,16
+.comm	_GNUTLS_x86_cpuid_s,16
 

lib/accelerated/x86/coff/aesni-x86_64.s

@@ -1258,7 +1258,7 @@ aesni_ctr32_encrypt_blocks:
 	leaq	7(%r8),%r9
 	movl	%r10d,96+12(%rsp)
 	bswapl	%r9d
-	movl	_gnutls_x86_cpuid_s+4(%rip),%r10d
+	movl	GNUTLS_x86_cpuid_s+4(%rip),%r10d
 	xorl	%ebp,%r9d
 	andl	$71303168,%r10d
 	movl	%r9d,112+12(%rsp)
@@ -3869,7 +3869,7 @@ aesni_cbc_encrypt:
 	movdqa	%xmm5,%xmm14
 	movdqu	80(%rdi),%xmm7
 	movdqa	%xmm6,%xmm15
-	movl	_gnutls_x86_cpuid_s+4(%rip),%r9d
+	movl	GNUTLS_x86_cpuid_s+4(%rip),%r9d
 	cmpq	$0x70,%rdx
 	jbe	.Lcbc_dec_six_or_seven
 
@@ -4418,7 +4418,7 @@ __aesni_set_encrypt_key:
 	movl	$268437504,%r10d
 	movups	(%rcx),%xmm0
 	xorps	%xmm4,%xmm4
-	andl	_gnutls_x86_cpuid_s+4(%rip),%r10d
+	andl	GNUTLS_x86_cpuid_s+4(%rip),%r10d
 	leaq	16(%r8),%rax
 	cmpl	$256,%edx
 	je	.L14rounds

lib/accelerated/x86/coff/ghash-x86_64.s

@@ -997,7 +997,7 @@ gcm_ghash_clmul:
 	jz	.Lodd_tail
 
 	movdqu	16(%rdx),%xmm6
-	movl	_gnutls_x86_cpuid_s+4(%rip),%eax
+	movl	GNUTLS_x86_cpuid_s+4(%rip),%eax
 	cmpq	$0x30,%r9
 	jb	.Lskip4x
 

lib/accelerated/x86/coff/sha1-ssse3-x86_64.s

@@ -53,9 +53,9 @@ sha1_block_data_order:
 	movq	%r8,%rdx
 
 
-	movl	_gnutls_x86_cpuid_s+0(%rip),%r9d
-	movl	_gnutls_x86_cpuid_s+4(%rip),%r8d
-	movl	_gnutls_x86_cpuid_s+8(%rip),%r10d
+	movl	GNUTLS_x86_cpuid_s+0(%rip),%r9d
+	movl	GNUTLS_x86_cpuid_s+4(%rip),%r8d
+	movl	GNUTLS_x86_cpuid_s+8(%rip),%r10d
 	testl	$512,%r8d
 	jz	.Lialu
 	testl	$536870912,%r10d

lib/accelerated/x86/coff/sha256-ssse3-x86_64.s

@@ -53,7 +53,7 @@ sha256_block_data_order:
 	movq	%r8,%rdx
 
 
-	leaq	_gnutls_x86_cpuid_s(%rip),%r11
+	leaq	GNUTLS_x86_cpuid_s(%rip),%r11
 	movl	0(%r11),%r9d
 	movl	4(%r11),%r10d
 	movl	8(%r11),%r11d

lib/accelerated/x86/coff/sha512-ssse3-x86_64.s

@@ -53,7 +53,7 @@ sha512_block_data_order:
 	movq	%r8,%rdx
 
 
-	leaq	_gnutls_x86_cpuid_s(%rip),%r11
+	leaq	GNUTLS_x86_cpuid_s(%rip),%r11
 	movl	0(%r11),%r9d
 	movl	4(%r11),%r10d
 	movl	8(%r11),%r11d

lib/accelerated/x86/elf/aesni-x86.s

@@ -2892,7 +2892,7 @@ _aesni_set_encrypt_key:
 .L112pic:
 	popl	%ebx
 	leal	.Lkey_const-.L112pic(%ebx),%ebx
-	leal	_gnutls_x86_cpuid_s-.Lkey_const(%ebx),%ebp
+	leal	GNUTLS_x86_cpuid_s-.Lkey_const(%ebx),%ebp
 	movups	(%eax),%xmm0
 	xorps	%xmm4,%xmm4
 	movl	4(%ebp),%ebp
@@ -3273,6 +3273,6 @@ aesni_set_decrypt_key:
 .byte	83,45,78,73,44,32,67,82,89,80,84,79,71,65,77,83
 .byte	32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115
 .byte	115,108,46,111,114,103,62,0
-.comm	_gnutls_x86_cpuid_s,16,4
+.comm	GNUTLS_x86_cpuid_s,16,4
 
 .section .note.GNU-stack,"",%progbits

lib/accelerated/x86/elf/aesni-x86_64.s

@@ -1151,7 +1151,7 @@ aesni_ctr32_encrypt_blocks:
 	leaq	7(%r8),%r9
 	movl	%r10d,96+12(%rsp)
 	bswapl	%r9d
-	movl	_gnutls_x86_cpuid_s+4(%rip),%r10d
+	movl	GNUTLS_x86_cpuid_s+4(%rip),%r10d
 	xorl	%ebp,%r9d
 	andl	$71303168,%r10d
 	movl	%r9d,112+12(%rsp)
@@ -3600,7 +3600,7 @@ aesni_cbc_encrypt:
 	movdqa	%xmm5,%xmm14
 	movdqu	80(%rdi),%xmm7
 	movdqa	%xmm6,%xmm15
-	movl	_gnutls_x86_cpuid_s+4(%rip),%r9d
+	movl	GNUTLS_x86_cpuid_s+4(%rip),%r9d
 	cmpq	$0x70,%rdx
 	jbe	.Lcbc_dec_six_or_seven
 
@@ -4131,7 +4131,7 @@ __aesni_set_encrypt_key:
 	movl	$268437504,%r10d
 	movups	(%rdi),%xmm0
 	xorps	%xmm4,%xmm4
-	andl	_gnutls_x86_cpuid_s+4(%rip),%r10d
+	andl	GNUTLS_x86_cpuid_s+4(%rip),%r10d
 	leaq	16(%rdx),%rax
 	cmpl	$256,%esi
 	je	.L14rounds

lib/accelerated/x86/elf/ghash-x86_64.s

@@ -968,7 +968,7 @@ gcm_ghash_clmul:
 	jz	.Lodd_tail
 
 	movdqu	16(%rsi),%xmm6
-	movl	_gnutls_x86_cpuid_s+4(%rip),%eax
+	movl	GNUTLS_x86_cpuid_s+4(%rip),%eax
 	cmpq	$0x30,%rcx
 	jb	.Lskip4x
 

lib/accelerated/x86/elf/sha1-ssse3-x86_64.s

@@ -45,9 +45,9 @@
 .align	16
 sha1_block_data_order:
 .cfi_startproc	
-	movl	_gnutls_x86_cpuid_s+0(%rip),%r9d
-	movl	_gnutls_x86_cpuid_s+4(%rip),%r8d
-	movl	_gnutls_x86_cpuid_s+8(%rip),%r10d
+	movl	GNUTLS_x86_cpuid_s+0(%rip),%r9d
+	movl	GNUTLS_x86_cpuid_s+4(%rip),%r8d
+	movl	GNUTLS_x86_cpuid_s+8(%rip),%r10d
 	testl	$512,%r8d
 	jz	.Lialu
 	testl	$536870912,%r10d

lib/accelerated/x86/elf/sha256-ssse3-x86_64.s

@@ -45,7 +45,7 @@
 .align	16
 sha256_block_data_order:
 .cfi_startproc	
-	leaq	_gnutls_x86_cpuid_s(%rip),%r11
+	leaq	GNUTLS_x86_cpuid_s(%rip),%r11
 	movl	0(%r11),%r9d
 	movl	4(%r11),%r10d
 	movl	8(%r11),%r11d

lib/accelerated/x86/elf/sha512-ssse3-x86_64.s

@@ -45,7 +45,7 @@
 .align	16
 sha512_block_data_order:
 .cfi_startproc	
-	leaq	_gnutls_x86_cpuid_s(%rip),%r11
+	leaq	GNUTLS_x86_cpuid_s(%rip),%r11
 	movl	0(%r11),%r9d
 	movl	4(%r11),%r10d
 	movl	8(%r11),%r11d