Merge branch 'tmp-enum' into 'master'

build: minor fixes

See merge request gnutls/gnutls!1287

14 files changed, 61 insertions, 22 deletions

diff --git a/.gitignore b/.gitignore
index 88c4d33b68..2b23292693 100644
--- a/.gitignore
+++ b/.gitignore
@@ -344,6 +344,7 @@ tests/atfork
 tests/auto-verify
 tests/base64
 tests/base64-raw
+tests/buffer
 tests/cert
 tests/cert-key-exchange
 tests/cert-status
@@ -353,6 +354,7 @@ tests/certificate_set_x509_crl
 tests/certuniqueid
 tests/chainverify
 tests/chainverify-unsorted
+tests/cipher-alignment
 tests/cipher-test
 tests/client
 tests/client-fastopen
@@ -376,6 +378,7 @@ tests/cve-2009-1416
 tests/dane
 tests/dane-strcodes
 tests/datefudge-check
+tests/dh-compute
 tests/dh-params
 tests/dhepskself
 tests/dhex509self
@@ -386,6 +389,7 @@ tests/dtls-client-with-seccomp
 tests/dtls-etm
 tests/dtls-handshake-versions
 tests/dtls-max-record
+tests/dtls-pthread
 tests/dtls-record-check
 tests/dtls-rehandshake-anon
 tests/dtls-rehandshake-cert
@@ -402,9 +406,11 @@ tests/dtls1.0-cert-key-exchange
 tests/dtls1.2-cert-key-exchange
 tests/dtls10-cert-key-exchange
 tests/dtls12-cert-key-exchange
+tests/dtls_hello_random_value
 tests/duplicate-extensions
 tests/eagain
 tests/eagain-auto-auth
+tests/ecdh-compute
 tests/empty_retrieve_function
 tests/fallback-scsv
 tests/finished
@@ -414,6 +420,7 @@ tests/fips-test
 tests/gc
 tests/global-init
 tests/global-init-override
+tests/gnutls-ids
 tests/gnutls-strcodes
 tests/gnutls_ext_raw_parse
 tests/gnutls_ext_raw_parse_dtls
@@ -454,6 +461,7 @@ tests/key-usage-ecdhe-rsa
 tests/key-usage-rsa
 tests/keygen
 tests/keylog-env
+tests/keylog-func
 tests/libpkcs11mock1.la
 tests/libpkcs11mock2.la
 tests/libutils.la
@@ -521,6 +529,8 @@ tests/mini-x509-ipaddr
 tests/mini-x509-kx
 tests/mini-x509-rehandshake
 tests/mini-xssl
+tests/missingissuer
+tests/missingissuer_aia
 tests/moredn
 tests/mpi
 tests/multi-alerts
@@ -537,6 +547,7 @@ tests/ocsp
 tests/ocsp-filename-memleak
 tests/ocsp-resp
 tests/oids
+tests/openconnect-dtls12
 tests/openpgp-auth
 tests/openpgp-auth2
 tests/openpgp-callback
@@ -617,6 +628,7 @@ tests/privkey-keygen
 tests/privkey-verify-broken
 tests/psk-file
 tests/pskself
+tests/pskself2
 tests/pubkey-import-export
 tests/random-art
 tests/rawpk-api
@@ -643,6 +655,8 @@ tests/resume-with-previous-stek
 tests/resume-with-record-size-limit
 tests/resume-with-stek-expiration
 tests/resume-x509
+tests/rfc7633-missing
+tests/rfc7633-ok
 tests/rng-fork
 tests/rng-no-onload
 tests/rng-op-key
@@ -693,6 +707,7 @@ tests/set_x509_key_file_ocsp_multi
 tests/set_x509_key_file_ocsp_multi2
 tests/set_x509_key_mem
 tests/set_x509_key_utf8
+tests/set_x509_ocsp_multi_cli
 tests/set_x509_ocsp_multi_invalid
 tests/set_x509_ocsp_multi_pem
 tests/set_x509_ocsp_multi_unknown
@@ -705,10 +720,12 @@ tests/sign-md5-rep
 tests/sign-pk-api
 tests/sign-verify
 tests/sign-verify-data
+tests/sign-verify-data-newapi
 tests/sign-verify-deterministic
 tests/sign-verify-ed25519-rfc8080
 tests/sign-verify-ext
 tests/sign-verify-ext4
+tests/sign-verify-newapi
 tests/simple
 tests/slow/cipher-api-test
 tests/slow/cipher-compat
@@ -722,6 +739,8 @@ tests/slow/hash-large
 tests/slow/keygen
 tests/slow/mac-override
 tests/softhsm-*.db/
+tests/softhsm-neg-no-key.config
+tests/softhsm-post-handshake-with-cert-pkcs11.config
 tests/spki
 tests/spki-abstract
 tests/srp
@@ -767,7 +786,10 @@ tests/suite/testpkcs11.debug
 tests/suite/testtpm.sh
 tests/suite/tlslite
 tests/suite/x509paths/X509tests
+tests/system-override-hash
+tests/system-override-sig
 tests/system-prio-file
+tests/time
 tests/tls-client-with-seccomp
 tests/tls-crt_type-neg
 tests/tls-etm
@@ -777,6 +799,7 @@ tests/tls-force-etm
 tests/tls-max-record
 tests/tls-neg-ext-key
 tests/tls-neg-ext4-key
+tests/tls-pthread
 tests/tls-record-size-limit
 tests/tls-record-size-limit-asym
 tests/tls-rehandshake-anon
@@ -827,6 +850,7 @@ tests/tls13-rehandshake-cert
 tests/tls13-resume-psk
 tests/tls13-resume-x509
 tests/tls13-server-kx-neg
+tests/tls13-without-timeout-func
 tests/tls13/anti_replay
 tests/tls13/change_cipher_spec
 tests/tls13/cookie
@@ -837,6 +861,7 @@ tests/tls13/key_share
 tests/tls13/key_update
 tests/tls13/key_update_multiple
 tests/tls13/multi-ocsp
+tests/tls13/no-auto-send-ticket
 tests/tls13/no-psk-exts
 tests/tls13/ocsp-client
 tests/tls13/post-handshake-with-cert
@@ -851,7 +876,7 @@ tests/tls13/psk-dumbfw
 tests/tls13/psk-ext
 tests/tls13/supported_versions
 tests/tls13/tls12-no-tls13-exts
-tests/tls13/no-auto-send-ticket
+tests/tls_hello_random_value
 tests/tlsext-decoding
 tests/tlsfeature-crt
 tests/tlsfeature-ext
@@ -871,6 +896,7 @@ tests/x509-dn
 tests/x509-dn-decode
 tests/x509-dn-decode-compat
 tests/x509-extensions
+tests/x509-server-verify
 tests/x509-verify-with-crl
 tests/x509_altname
 tests/x509cert
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 86b2d589fb..628dd367b1 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -7,7 +7,7 @@ stages:
 # name to allow expiration of old caches.
 
 cache:
-  key: "$CI_JOB_NAME-ver15"
+  key: "$CI_JOB_NAME-ver16"
   paths:
     - cache/
 
diff --git a/lib/algorithms.h b/lib/algorithms.h
index 9cdb3abf7a..7a051b6365 100644
--- a/lib/algorithms.h
+++ b/lib/algorithms.h
@@ -174,11 +174,24 @@ inline static int _gnutls_mac_get_key_size(const mac_entry_st * e)
 		return e->key_size;
 }
 
+inline static gnutls_digest_algorithm_t
+_gnutls_mac_to_dig(gnutls_mac_algorithm_t mac)
+{
+	if (unlikely(mac >= GNUTLS_MAC_AEAD))
+		return GNUTLS_DIG_UNKNOWN;
+
+	return (gnutls_digest_algorithm_t)mac;
+}
+
+#define MAC_TO_DIG(mac) _gnutls_mac_to_dig(mac)
+
 /* Functions for digests. */
 #define _gnutls_x509_digest_to_oid _gnutls_x509_mac_to_oid
 #define _gnutls_digest_get_name _gnutls_mac_get_name
 #define _gnutls_hash_get_algo_len _gnutls_mac_get_algo_len
 
+#define DIG_TO_MAC(dig) (gnutls_mac_algorithm_t)(dig)
+
 /* Security against pre-image attacks */
 inline static int _gnutls_digest_is_secure(const mac_entry_st * e)
 {
diff --git a/lib/algorithms/sign.c b/lib/algorithms/sign.c
index 0d8d1a89c9..2728a54478 100644
--- a/lib/algorithms/sign.c
+++ b/lib/algorithms/sign.c
@@ -797,7 +797,7 @@ _gnutls_sign_get_hash_strength(gnutls_sign_algorithm_t sign)
 	if (unlikely(se == NULL))
 		return 0;
 
-	me = mac_to_entry(se->hash);
+	me = hash_to_entry(se->hash);
 	if (unlikely(me == NULL))
 		return 0;
 
diff --git a/lib/crypto-api.c b/lib/crypto-api.c
index adef4bee7b..bd600ef166 100644
--- a/lib/crypto-api.c
+++ b/lib/crypto-api.c
@@ -588,7 +588,7 @@ int
 gnutls_hash_init(gnutls_hash_hd_t * dig,
 		 gnutls_digest_algorithm_t algorithm)
 {
-	if (is_mac_algo_forbidden(algorithm))
+	if (is_mac_algo_forbidden(DIG_TO_MAC(algorithm)))
 		return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM);
 
 	*dig = gnutls_malloc(sizeof(digest_hd_st));
@@ -684,7 +684,7 @@ int
 gnutls_hash_fast(gnutls_digest_algorithm_t algorithm,
 		 const void *ptext, size_t ptext_len, void *digest)
 {
-	if (is_mac_algo_forbidden(algorithm))
+	if (is_mac_algo_forbidden(DIG_TO_MAC(algorithm)))
 		return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM);
 
 	return _gnutls_hash_fast(algorithm, ptext, ptext_len, digest);
diff --git a/lib/hash_int.c b/lib/hash_int.c
index 8c528d5f90..59eddeba37 100644
--- a/lib/hash_int.c
+++ b/lib/hash_int.c
@@ -80,7 +80,7 @@ int _gnutls_digest_exists(gnutls_digest_algorithm_t algo)
 {
 	const gnutls_crypto_digest_st *cc = NULL;
 
-	if (is_mac_algo_forbidden(algo))
+	if (is_mac_algo_forbidden(DIG_TO_MAC(algo)))
 		return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM);
 
 	cc = _gnutls_get_crypto_digest(algo);
diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
index ccf403b007..57a8560ede 100644
--- a/lib/nettle/pk.c
+++ b/lib/nettle/pk.c
@@ -917,7 +917,7 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
 
 			/* This call will return a valid MAC entry and
 			 * getters will check that is not null anyway. */
-			me = mac_to_entry(_gnutls_gost_digest(pk_params->algo));
+			me = hash_to_entry(_gnutls_gost_digest(pk_params->algo));
 			if (_gnutls_mac_get_algo_len(me) != vdata->size) {
 				gnutls_assert();
 				_gnutls_debug_log
@@ -987,7 +987,7 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
 				ret = _gnutls_ecdsa_compute_k(k,
 							      curve_id,
 							      pk_params->params[ECC_K],
-							      sign_params->dsa_dig,
+							      DIG_TO_MAC(sign_params->dsa_dig),
 							      vdata->data,
 							      vdata->size);
 				if (ret < 0)
@@ -1056,7 +1056,7 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
 				ret = _gnutls_dsa_compute_k(k,
 							    pub.q,
 							    TOMPZ(priv),
-							    sign_params->dsa_dig,
+							    DIG_TO_MAC(sign_params->dsa_dig),
 							    vdata->data,
 							    vdata->size);
 				if (ret < 0)
@@ -1312,7 +1312,7 @@ _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo,
 
 			/* This call will return a valid MAC entry and
 			 * getters will check that is not null anyway. */
-			me = mac_to_entry(_gnutls_gost_digest(pk_params->algo));
+			me = hash_to_entry(_gnutls_gost_digest(pk_params->algo));
 			if (_gnutls_mac_get_algo_len(me) != vdata->size)
 				return gnutls_assert_val(GNUTLS_E_PK_SIG_VERIFY_FAILED);
 
diff --git a/lib/tls-sig.c b/lib/tls-sig.c
index 779e02c18f..7d2b04323e 100644
--- a/lib/tls-sig.c
+++ b/lib/tls-sig.c
@@ -160,7 +160,7 @@ _gnutls_handshake_sign_data10(gnutls_session_t session,
 	dconcat.data = concat;
 	dconcat.size = _gnutls_hash_get_algo_len(me);
 
-	ret = gnutls_privkey_sign_hash(pkey, me->id, GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA,
+	ret = gnutls_privkey_sign_hash(pkey, MAC_TO_DIG(me->id), GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA,
 				       &dconcat, signature);
 	if (ret < 0) {
 		gnutls_assert();
@@ -788,7 +788,7 @@ _gnutls_handshake_sign_crt_vrfy10(gnutls_session_t session,
 	dconcat.data = concat;
 	dconcat.size = _gnutls_hash_get_algo_len(me);
 
-	ret = gnutls_privkey_sign_hash(pkey, me->id, GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA,
+	ret = gnutls_privkey_sign_hash(pkey, MAC_TO_DIG(me->id), GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA,
 				       &dconcat, signature);
 	if (ret < 0) {
 		gnutls_assert();
diff --git a/lib/tls13-sig.c b/lib/tls13-sig.c
index e15d8305e2..b14390e353 100644
--- a/lib/tls13-sig.c
+++ b/lib/tls13-sig.c
@@ -104,7 +104,7 @@ _gnutls13_handshake_verify_data(gnutls_session_t session,
 		goto cleanup;
 	}
 
-	ret = gnutls_hash_fast(session->security_parameters.prf->id,
+	ret = gnutls_hash_fast(MAC_TO_DIG(session->security_parameters.prf->id),
 			       session->internals.handshake_hash_buffer.data,
 			       session->internals.handshake_hash_buffer_prev_len,
 			       prefix);
@@ -186,7 +186,7 @@ _gnutls13_handshake_sign_data(gnutls_session_t session,
 		goto cleanup;
 	}
 
-	ret = gnutls_hash_fast(session->security_parameters.prf->id,
+	ret = gnutls_hash_fast(MAC_TO_DIG(session->security_parameters.prf->id),
 			       session->internals.handshake_hash_buffer.data,
 			       session->internals.handshake_hash_buffer.length,
 			       tmp);
diff --git a/lib/tls13/finished.c b/lib/tls13/finished.c
index 35ab87f9af..68eab993ea 100644
--- a/lib/tls13/finished.c
+++ b/lib/tls13/finished.c
@@ -45,7 +45,7 @@ int _gnutls13_compute_finished(const mac_entry_st *prf,
 	if (ret < 0)
 		return gnutls_assert_val(ret);
 
-	ret = gnutls_hash_fast(prf->id,
+	ret = gnutls_hash_fast(MAC_TO_DIG(prf->id),
 			       handshake_hash_buffer->data,
 			       handshake_hash_buffer->length,
 			       ts_hash);
diff --git a/lib/x509/pkcs12.c b/lib/x509/pkcs12.c
index cdb284026a..2dc0823905 100644
--- a/lib/x509/pkcs12.c
+++ b/lib/x509/pkcs12.c
@@ -1098,7 +1098,7 @@ int gnutls_pkcs12_verify_mac(gnutls_pkcs12_t pkcs12, const char *pass)
 		return _gnutls_asn2err(result);
 	}
 
-	algo = gnutls_oid_to_digest(oid);
+	algo = DIG_TO_MAC(gnutls_oid_to_digest(oid));
 	if (algo == GNUTLS_MAC_UNKNOWN) {
  unknown_mac:
 		gnutls_assert();
@@ -1970,7 +1970,7 @@ gnutls_pkcs12_mac_info(gnutls_pkcs12_t pkcs12, unsigned int *mac,
 		*oid = (char*)tmp.data;
 	}
 
-	algo = gnutls_oid_to_digest((char*)tmp.data);
+	algo = DIG_TO_MAC(gnutls_oid_to_digest((char*)tmp.data));
 	if (algo == GNUTLS_MAC_UNKNOWN || mac_to_entry(algo) == NULL) {
 		gnutls_assert();
 		return GNUTLS_E_UNKNOWN_HASH_ALGORITHM;
diff --git a/lib/x509/pkcs7.c b/lib/x509/pkcs7.c
index 98669e8879..0ff55ba04b 100644
--- a/lib/x509/pkcs7.c
+++ b/lib/x509/pkcs7.c
@@ -2277,7 +2277,7 @@ static int write_attributes(ASN1_TYPE c2, const char *root,
 		/* If we add any attribute we should add them all */
 		/* Add hash */
 		digest_size = _gnutls_hash_get_algo_len(me);
-		ret = gnutls_hash_fast(me->id, data->data, data->size, digest);
+		ret = gnutls_hash_fast(MAC_TO_DIG(me->id), data->data, data->size, digest);
 		if (ret < 0) {
 			gnutls_assert();
 			return ret;
diff --git a/src/certtool.c b/src/certtool.c
index 0e24ac8281..6bdfe376b1 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -1426,9 +1426,9 @@ static void cmd_parser(int argc, char **argv)
 
 	if (HAVE_OPT(VERIFY_PROFILE)) {
 		if (strcasecmp(OPT_ARG(VERIFY_PROFILE), "none")) {
-			cinfo.verification_profile = GNUTLS_PROFILE_UNKNOWN;
+			cinfo.verification_profile = (gnutls_sec_param_t)GNUTLS_PROFILE_UNKNOWN;
 		} else {
-			cinfo.verification_profile = gnutls_certificate_verification_profile_get_id(OPT_ARG(VERIFY_PROFILE));
+			cinfo.verification_profile = (gnutls_sec_param_t)gnutls_certificate_verification_profile_get_id(OPT_ARG(VERIFY_PROFILE));
 		}
 	} else if (!HAVE_OPT(VERIFY_ALLOW_BROKEN)) {
 		if (HAVE_OPT(VERIFY_CHAIN) || HAVE_OPT(VERIFY)) {
@@ -2956,7 +2956,7 @@ void generate_pkcs12(common_info_st * cinfo)
 	}
 
 	if (cinfo->hash != GNUTLS_DIG_UNKNOWN)
-		mac = cinfo->hash;
+		mac = (gnutls_mac_algorithm_t)cinfo->hash;
 	else
 		mac = GNUTLS_MAC_SHA1;
 
diff --git a/tests/slow/hash-large.c b/tests/slow/hash-large.c
index 33dc1df0da..71312ef369 100644
--- a/tests/slow/hash-large.c
+++ b/tests/slow/hash-large.c
@@ -139,7 +139,7 @@ void doit(void)
 	/* SHA1 */
 
 	err =
-	    gnutls_hash_fast(GNUTLS_MAC_SHA1, buf, size,
+	    gnutls_hash_fast(GNUTLS_DIG_SHA1, buf, size,
 			     digest);
 	if (err < 0)
 		fail("gnutls_hash_fast(SHA1) failed: %d\n", err);