From f0910a43d4ac576574a4efc4cc7c331d3f281203 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date: Mon, 5 Nov 2018 20:51:33 +0100
Subject: .gitlab-ci.yml: move to fedora29 for CI

This also moves the x86 CI builds to the debian cross infrastructure
as we have a more reliable way of generating a 32-bit image.

Resolves #607

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
---
 .gitlab-ci.yml | 76 ++++++++++++++++++++++++++++++++++------------------------
 1 file changed, 45 insertions(+), 31 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index d86bb5c17a..3e53b95a9b 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -7,7 +7,7 @@ stages:
 # name to allow expiration of old caches.
 
 cache:
-  key: "$CI_JOB_NAME-ver6"
+  key: "$CI_JOB_NAME-ver7"
   paths:
     - cache/
 
@@ -28,8 +28,9 @@ variables:
   BUILD_IMAGES_PROJECT: gnutls/build-images
   DEBIAN_BUILD: buildenv-debian
   DEBIAN_CROSS_BUILD: buildenv-debian-cross
-  FEDORA_BUILD: buildenv-f28
-  FEDORA_X86_BUILD: buildenv-f28-x86
+  DEBIAN_X86_CROSS_BUILD: buildenv-debian-x86-cross
+  FEDORA28_BUILD: buildenv-f28
+  FEDORA_BUILD: buildenv-f29
   CPPCHECK_OPTIONS: "--enable=warning --enable=style --enable=performance --enable=portability --std=c99 --suppressions-list=devel/cppcheck.suppressions --template='{id}:{file}:{line},{severity},{message}'"
   GET_SOURCES_ATTEMPTS: "3"
 
@@ -112,10 +113,11 @@ minimal.Fedora.x86_64:
   - tags
   retry: 1
 
-# This enables SSL3.0 and SHA-1 support
+# This enables SSL3.0 and SHA-1 support, and runs interop tests
+# with openssl 1.1.0, which include legacy algorithms like DSA.
 SSL-3.0.Fedora.x86_64:
   stage: stage1-testing
-  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
+  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA28_BUILD
   script:
   - ./bootstrap
   - mkdir -p build && cd build &&
@@ -397,32 +399,6 @@ FreeBSD.x86_64:
       - tests/*/*.log
   retry: 1
 
-Fedora.x86:
-  stage: stage1-testing
-  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_X86_BUILD
-  script:
-  - ./bootstrap
-  - mkdir -p build && cd build &&
-    CC="ccache gcc -m32" PKG_CONFIG_LIBDIR=/usr/lib/pkgconfig/ TIME_T_32_BIT_OK=yes
-    ../configure --disable-gcc-warnings --host=i686-redhat-linux --target=i686-redhat-linux
-      --libdir=/usr/lib --disable-cxx --disable-non-suiteb-curves --enable-seccomp-tests
-      --disable-full-test-suite --disable-doc --disable-guile --cache-file ../cache/config.cache &&
-    make -j$(nproc) && make check -j$(nproc) SKIP_DATEFUDGE_CHECK=1 &&
-    make pic-check
-  tags:
-  - shared
-  except:
-  - tags
-  artifacts:
-    expire_in: 1 week
-    when: on_failure
-    paths:
-      - build/*.log
-      - build/tests/*.log
-      - build/tests/*/*.log
-      - build/tests/suite/*/*.log
-  retry: 1
-
 # Two runs, one with normal backend and another with pkcs11 trust store
 ubsan-Werror.Fedora.x86_64:
   stage: stage1-testing
@@ -482,6 +458,44 @@ Debian.x86_64:
       - build/tests/suite/*/*.log
   retry: 1
 
+Debian.cross.i686-linux-gnu:
+  stage: stage1-testing
+  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$DEBIAN_X86_CROSS_BUILD
+  script:
+  - build=$(dpkg-architecture -qDEB_HOST_GNU_TYPE)
+  - host=i686-linux-gnu
+  # not setting CC_FOR_BUILD paired with qemu-user/binfmt somehow causes
+  # config.guess to detect the target as the build platform and not activate
+  # cross-compile mode even though --build is given
+  - export CC_FOR_BUILD="ccache gcc"
+  - export CC="ccache $host-gcc"
+  - ./bootstrap
+  - mkdir -p build
+  - cd build
+  # Debian's softhsm package is not multiarch yet. Missing softhsm libraries
+  # for the target will cause the test suite to fail when p11-kit is enabled.
+  - dash ../configure --build=$build --host=$host --disable-gcc-warnings
+      --cache-file ../cache/config.cache --disable-doc --disable-guile
+      --without-p11-kit --disable-full-test-suite
+  - make -j$(nproc)
+  - make check -j$(nproc)
+  - cd ..
+  tags:
+  - shared
+  - docker
+  except:
+  - tags
+  artifacts:
+    expire_in: 1 week
+    when: on_failure
+    paths:
+      - build/guile/tests/*.log
+      - build/*.log
+      - build/tests/*.log
+      - build/tests/*/*.log
+      - build/tests/suite/*/*.log
+  retry: 1
+
 .Debian.cross.template: &Debian_cross_template
   stage: stage1-testing
   image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$DEBIAN_CROSS_BUILD
-- 
cgit v1.2.1


From 59497c0e3550f65956809962ab9e6c5c723abeeb Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date: Fri, 9 Nov 2018 20:07:24 +0100
Subject: Initialize output var to avoid false negative from static analyzers

This was identified by clang analyzer's on _gnutls_x509_dn_to_string
and _gnutls_x509_decode_string.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
---
 lib/x509/common.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/lib/x509/common.c b/lib/x509/common.c
index b0ee8b80cc..060c2aede1 100644
--- a/lib/x509/common.c
+++ b/lib/x509/common.c
@@ -441,7 +441,7 @@ _gnutls_x509_dn_to_string(const char *oid, void *value,
 {
 	const struct oid_to_string *oentry;
 	int ret;
-	gnutls_datum_t tmp;
+	gnutls_datum_t tmp = {NULL, 0};
 
 	if (value == NULL || value_size <= 0) {
 		gnutls_assert();
@@ -633,6 +633,9 @@ _gnutls_x509_decode_string(unsigned int etype,
 	unsigned int str_size, len;
 	gnutls_datum_t td;
 
+	output->data = NULL;
+	output->size = 0;
+
 	if (allow_ber)
 		ret =
 		    asn1_decode_simple_ber(etype, der, der_size, &str, &str_size, NULL);
-- 
cgit v1.2.1


From f3da49beff97b399325f4616b6096d7bbdec268d Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date: Fri, 9 Nov 2018 20:11:42 +0100
Subject: Added checks to avoid false negatives reported by static analyzers

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
---
 lib/x509/dn.c   | 2 ++
 lib/x509/x509.c | 9 +++++++--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/lib/x509/dn.c b/lib/x509/dn.c
index 07b9d94b6b..828bd9059d 100644
--- a/lib/x509/dn.c
+++ b/lib/x509/dn.c
@@ -286,6 +286,8 @@ _gnutls_x509_parse_dn(ASN1_TYPE asn1_struct,
 		goto cleanup;
 	}
 
+	assert(dn.data != NULL);
+
 	if (buf) {
 		memcpy(buf, dn.data, dn.size);
 		buf[dn.size] = 0;
diff --git a/lib/x509/x509.c b/lib/x509/x509.c
index 1880f6acc3..6fe6cd91c3 100644
--- a/lib/x509/x509.c
+++ b/lib/x509/x509.c
@@ -154,6 +154,9 @@ gnutls_x509_crt_equals2(gnutls_x509_crt_t cert1,
 {
 	bool result;
 
+	if (cert1 == NULL || der == NULL)
+		return 0;
+
 	if (cert1->der.size == 0 || cert1->modified) {
 		gnutls_datum_t tmp1;
 		int ret;
@@ -4196,8 +4199,10 @@ void gnutls_x509_crt_set_pin_function(gnutls_x509_crt_t crt,
 				      gnutls_pin_callback_t fn,
 				      void *userdata)
 {
-	crt->pin.cb = fn;
-	crt->pin.data = userdata;
+	if (crt) {
+		crt->pin.cb = fn;
+		crt->pin.data = userdata;
+	}
 }
 
 /**
-- 
cgit v1.2.1


From 5c7db52d2471d13d6c8e6c2e763d3ba2560d6cad Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date: Fri, 9 Nov 2018 07:44:02 +0100
Subject: tls13: use system's openssl for interop testing

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
---
 .gitlab-ci.yml                          | 4 +---
 configure.ac                            | 6 ++++++
 tests/suite/Makefile.am                 | 6 +++++-
 tests/suite/testcompat-tls13-openssl.sh | 8 +++-----
 4 files changed, 15 insertions(+), 9 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 3e53b95a9b..7565a4204e 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -64,8 +64,6 @@ abi/coverage.Debian:
   - make -j$(nproc)
   - make abi-check
   - make pic-check
-  - cd devel/openssl && ./config enable-tls1_3 && make -j$(nproc) && cd ../..
-  - make -C tests/suite TESTS=testcompat-tls13-openssl.sh check
   - make -j$(nproc) check
   - make local-code-coverage-output || true
   tags:
@@ -121,7 +119,7 @@ SSL-3.0.Fedora.x86_64:
   script:
   - ./bootstrap
   - mkdir -p build && cd build &&
-    dash ../configure --disable-gcc-warnings --cache-file ../cache/config.cache --enable-sha1-support --enable-ssl3-support --enable-seccomp-tests --disable-doc --disable-guile &&
+    dash ../configure --disable-tls13-interop --disable-gcc-warnings --cache-file ../cache/config.cache --enable-sha1-support --enable-ssl3-support --enable-seccomp-tests --disable-doc --disable-guile &&
     make -j$(nproc) && make check -j$(nproc)
   - cd ..
   tags:
diff --git a/configure.ac b/configure.ac
index 3f87907516..31a5da83ca 100644
--- a/configure.ac
+++ b/configure.ac
@@ -187,6 +187,12 @@ esac
 
 fi
 
+AC_ARG_ENABLE(tls13-interop,
+  AS_HELP_STRING([--disable-tls13-interop], [disable TLS1.3 interoperability testing with openssl]),
+    enable_tls13_interop=$enableval, enable_tls13_interop=yes)
+
+AM_CONDITIONAL(ENABLE_TLS13_INTEROP, test "$enable_tls13_interop" != "no")
+
 dnl Check for iovec type
 AC_CHECK_MEMBERS([struct iovec.iov_base],
       [
diff --git a/tests/suite/Makefile.am b/tests/suite/Makefile.am
index f43fe90eee..f6e413ee56 100644
--- a/tests/suite/Makefile.am
+++ b/tests/suite/Makefile.am
@@ -111,6 +111,10 @@ scripts_to_test += tls-fuzzer/tls-fuzzer-nocert-ssl3.sh
 TESTS_ENVIRONMENT += ENABLE_SSL3=1
 endif
 
+if ENABLE_TLS13_INTEROP
+scripts_to_test += testcompat-tls13-openssl.sh
+endif
+
 if ENABLE_DANE
 scripts_to_test += testdane.sh
 endif
@@ -129,7 +133,7 @@ scripts_to_test += eagain.sh
 endif
 endif
 
-nodist_check_SCRIPTS = $(scripts_to_test) testcompat-tls13-openssl.sh
+nodist_check_SCRIPTS = $(scripts_to_test)
 
 TESTS = $(scripts_to_test) prime-check
 
diff --git a/tests/suite/testcompat-tls13-openssl.sh b/tests/suite/testcompat-tls13-openssl.sh
index b28aad5bf0..8f385f515e 100755
--- a/tests/suite/testcompat-tls13-openssl.sh
+++ b/tests/suite/testcompat-tls13-openssl.sh
@@ -55,9 +55,7 @@ check_for_datefudge
 
 PORT="${PORT:-${RPORT}}"
 
-export LD_LIBRARY_PATH=${abs_top_srcdir}/devel/openssl
-echo LD_LIBRARY_PATH=$LD_LIBRARY_PATH
-SERV=../../devel/openssl/apps/openssl
+SERV=openssl
 OPENSSL_CLI="$SERV"
 
 if test -z "$OUTPUT";then
@@ -347,14 +345,14 @@ _EOF_
 	echo_cmd "${PREFIX}Checking TLS 1.3 with post handshake auth..."
 
 	eval "${GETPORT}"
-	launch_server $$ --echo --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" #>>${OUTPUT} 2>&1
+	launch_server $$ --echo --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1
 	PID=$!
 	wait_server ${PID}
 
 	expect - >/dev/null <<_EOF_
 set timeout 10
 set os_error_flag 1
-spawn ${OPENSSL_CLI} s_client -force_pha -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}"
+spawn ${OPENSSL_CLI} s_client -enable_pha -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}"
 
 expect "SSL-Session" {send "**REAUTH**\n"} timeout {exit 1}
 expect {
-- 
cgit v1.2.1


From f18c09c68108873abb7881c96068b2449a548290 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date: Sat, 10 Nov 2018 07:46:24 +0100
Subject: pkcs12: cleanups, and two memory leak fixes

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
---
 lib/x509/pkcs12.c | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/lib/x509/pkcs12.c b/lib/x509/pkcs12.c
index 414f9aa3d3..1f5b4bdf88 100644
--- a/lib/x509/pkcs12.c
+++ b/lib/x509/pkcs12.c
@@ -446,16 +446,17 @@ _pkcs12_decode_safe_contents(const gnutls_datum_t * content,
 		    || bag_type == GNUTLS_BAG_CRL
 		    || bag_type == GNUTLS_BAG_SECRET) {
 			gnutls_datum_t tmp = bag->element[i].data;
+			bag->element[i].data.data = NULL;
+			bag->element[i].data.size = 0;
 
 			result =
 			    _pkcs12_decode_crt_bag(bag_type, &tmp,
 						   &bag->element[i].data);
+			_gnutls_free_datum(&tmp);
 			if (result < 0) {
 				gnutls_assert();
 				goto cleanup;
 			}
-
-			_gnutls_free_datum(&tmp);
 		}
 
 		/* read the bag attributes
@@ -1212,12 +1213,8 @@ pkcs12_try_gost:
 		goto cleanup;
 	}
 
-	_gnutls_free_datum(&tmp);
-	_gnutls_free_datum(&salt);
-
-	return 0;
-
-      cleanup:
+	result = 0;
+ cleanup:
 	_gnutls_free_datum(&tmp);
 	_gnutls_free_datum(&salt);
 	return result;
@@ -2024,12 +2021,13 @@ gnutls_pkcs12_mac_info(gnutls_pkcs12_t pkcs12, unsigned int *mac,
 				memcpy(salt, dsalt.data, dsalt.size);
 		} else {
 			*salt_size = dsalt.size;
-			return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
+			ret = gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
+			goto cleanup;
 		}
 	}
 
 	ret = 0;
-      cleanup:
+ cleanup:
 	_gnutls_free_datum(&tmp);
 	_gnutls_free_datum(&dsalt);
 	return ret;
-- 
cgit v1.2.1


From 6a89f5858d57966c33a8d37b2176e9f650f64e63 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date: Sat, 10 Nov 2018 10:54:32 +0100
Subject: gnutls-cli: use assert to mark impossible path

This avoids static analyzers from complaining.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
---
 src/cli.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/cli.c b/src/cli.c
index 5f82e1486f..60de6bc68f 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -40,6 +40,7 @@
 #include <fcntl.h>
 #include <netdb.h>
 #include <ctype.h>
+#include <assert.h>
 
 /* Get TCP_FASTOPEN */
 #ifdef HAVE_NETINET_TCP_H
@@ -914,6 +915,8 @@ bool parse_for_inline_commands_in_buffer(char *buffer, size_t bytes,
 		inline_cmds->new_buffer_ptr = buffer + bytes;
 	}
 
+	assert(local_buffer_ptr != NULL);
+
 	inline_cmds->current_ptr = local_buffer_ptr;
 
 	if (local_buffer_ptr[0] == inline_commands_prefix[0]
-- 
cgit v1.2.1