Daiki Ueno [Wed, 29 Jan 2025 02:57:44 +0000 (11:57 +0900)]
key_share: send illegal_parameter when parsing EC key share fails
When the received EC key share is malformed,
_gnutls_ecc_ansi_x962_import returns GNUTLS_E_PARSING_ERROR or
GNUTLS_E_MEMORY_ERROR, which maps to an internal_error alert. This
explicitly returns GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER to send
illegal_parameter instead, in compliance with the RFC.
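As an added illustration of the alert mapping this commit describes (example code, not GnuTLS's own): a parser for the uncompressed X9.62 point (0x04 || X || Y) that TLS 1.3 carries in an ECDHE key share, which reports any malformation of the peer-supplied bytes as an illegal-parameter error, plus the error-to-alert mapping. Only failures caused by peer data map to illegal_parameter; a caller misconfiguration (impossible coordinate length) stays an internal error. The error-code and alert enumerations, `parse_ec_key_share` and `alert_for_error` are hypothetical names; the alert numbers are the RFC 8446 values.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical error codes (example code, not GnuTLS's own). */
enum { ERR_OK = 0, ERR_PARSING = -1, ERR_INTERNAL = -2, ERR_ILLEGAL_PARAMETER = -3 };
/* TLS alert descriptions from RFC 8446 section 6. */
enum { ALERT_ILLEGAL_PARAMETER = 47, ALERT_INTERNAL_ERROR = 80 };

#define MAX_COORD 66 /* large enough for a P-521 coordinate */

typedef struct {
	uint8_t x[MAX_COORD];
	uint8_t y[MAX_COORD];
	size_t coord_len;
} ec_point_t;

/* Parse an ANSI X9.62 uncompressed point from a key share.
 * buf/len are the peer-supplied bytes, coord_len the expected coordinate
 * size for the negotiated group.  Any malformation of peer data is
 * reported as ERR_ILLEGAL_PARAMETER so the caller sends illegal_parameter
 * rather than internal_error. */
int parse_ec_key_share(const uint8_t *buf, size_t len, size_t coord_len,
		       ec_point_t *out)
{
	if (coord_len == 0 || coord_len > MAX_COORD)
		return ERR_INTERNAL; /* our own misconfiguration, not the peer's fault */

	/* Exactly one format byte plus two coordinates; compressed forms are
	 * not allowed in TLS 1.3 key shares.  The length test runs first so
	 * buf[0] is never read on a short buffer. */
	if (len != 1 + 2 * coord_len || buf[0] != 0x04)
		return ERR_ILLEGAL_PARAMETER;

	memcpy(out->x, buf + 1, coord_len);
	memcpy(out->y, buf + 1 + coord_len, coord_len);
	out->coord_len = coord_len;
	return ERR_OK;
}

/* Map an error code to the alert the peer will receive. */
int alert_for_error(int err)
{
	return err == ERR_ILLEGAL_PARAMETER ? ALERT_ILLEGAL_PARAMETER
					    : ALERT_INTERNAL_ERROR;
}
```

Point validity (on-curve check) is a separate step after parsing and is not shown here; the point of the example is only which alert a syntactically bad share produces.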
Daiki Ueno [Mon, 20 Jan 2025 05:18:10 +0000 (14:18 +0900)]
leancrypto: support leancrypto for post-quantum algorithms
This adds support for leancrypto as an additional and the preferred
backend for now, until Nettle gains the proper support for PQC
algorithms. There are a few advantages over liboqs, namely:
- It already has required input validations for ML-KEM as in FIPS 203,
such as Modulus check, which are currently missing in liboqs
- It provides an API to generate ML-KEM/ML-DSA key pairs from a seed,
which is required to support the seed-only private key format proposed
in draft-ietf-lamps-dilithium-certificates-05 and later
- No need to avoid undesired OpenSSL dependency; all the symmetric
algorithms are natively implemented by leancrypto itself
As the supposed use-case of this is to statically link leancrypto with
GnuTLS, this doesn't support loading leancrypto with dlopen.
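As an added example of the FIPS 203 modulus check the message refers to (example code, not part of the commit, GnuTLS or leancrypto): the encapsulation-key check in FIPS 203 section 7.2 requires that ek be 384k+32 bytes and that ByteEncode12(ByteDecode12(ek)) reproduce ek. Because ByteDecode12 reduces each value mod q, the round-trip succeeds exactly when every packed 12-bit coefficient in the first 384k bytes is below q = 3329, which is what the function below tests directly. The trailing 32-byte seed is length-checked only. `mlkem_ek_modulus_check` and `mlkem_ek_len` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>

#define MLKEM_Q 3329u

/* Encapsulation-key length for ML-KEM parameter k (FIPS 203): 384k + 32. */
static size_t mlkem_ek_len(unsigned k)
{
	return 384u * k + 32u;
}

/* Return 1 if ek passes the FIPS 203 section 7.2 modulus check, else 0.
 * k is 2, 3 or 4 for ML-KEM-512/768/1024; ek is the peer-supplied key. */
int mlkem_ek_modulus_check(const uint8_t *ek, size_t len, unsigned k)
{
	if (k < 2 || k > 4 || len != mlkem_ek_len(k))
		return 0;

	/* The first 384k bytes pack k*256 coefficients, two per 3 bytes,
	 * little-endian within each 12-bit field. 384k is a multiple of 3. */
	size_t t_len = 384u * k;
	for (size_t i = 0; i < t_len; i += 3) {
		uint16_t c0 = (uint16_t)ek[i] | ((uint16_t)(ek[i + 1] & 0x0f) << 8);
		uint16_t c1 = (uint16_t)(ek[i + 1] >> 4) | ((uint16_t)ek[i + 2] << 4);
		if (c0 >= MLKEM_Q || c1 >= MLKEM_Q)
			return 0; /* re-encoding after mod q would not match ek */
	}
	return 1;
}
```

A key that fails this check must be rejected before any encapsulation is attempted; the constructed test below flips a single coefficient from q-1 to q to show the boundary.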
Daiki Ueno [Tue, 21 Jan 2025 22:45:46 +0000 (07:45 +0900)]
datum, mem, str: add helper functions to steal pointers
This introduces 3 new inline functions, namely _gnutls_steal_datum,
_gnutls_steal_buffer, and _gnutls_steal_pointer, to return a copy of a
data structure and reset the original pointer. These make it possible to
return a populated data structure upon success and otherwise free the
partially filled data structure in a single code path, e.g.:
```c
gnutls_datum_t tmp_result = { NULL, 0 };
// Calculate tmp_result
...
if (error)
	goto cleanup;
// Propagate tmp_result to *result
*result = _gnutls_steal_datum(&tmp_result);
...
cleanup:
// After a successful steal tmp_result is empty, so this only frees partial work
_gnutls_free_datum(&tmp_result);
```
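The pattern from the commit message carried through to a complete, runnable function, as an added example (not GnuTLS's code): a stand-in `datum_t` type and `steal_datum` helper play the roles of gnutls_datum_t and _gnutls_steal_datum, and `build_masked_datum` shows both outcomes, a success that hands ownership to the caller and a late failure whose partially filled buffer is released by the single cleanup path. All names are hypothetical; the XOR masking and the "zero key is an error" rule are constructed purely to give the function real work and a failure after allocation.

```c
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical stand-in for gnutls_datum_t (example code, not GnuTLS's own). */
typedef struct {
	unsigned char *data;
	size_t size;
} datum_t;

/* Return a copy of *d and reset *d, transferring ownership of d->data
 * to the caller.  Mirrors the intent of _gnutls_steal_datum. */
static inline datum_t steal_datum(datum_t *d)
{
	datum_t copy = *d;
	d->data = NULL;
	d->size = 0;
	return copy;
}

/* Free a datum; a no-op on a datum that was already stolen. */
static void free_datum(datum_t *d)
{
	free(d->data);
	d->data = NULL;
	d->size = 0;
}

/* Build a datum holding src XOR key.  A zero key is rejected only after
 * the buffer has been filled (constructed failure condition) so the
 * partially built result must be freed.  Returns 0 on success, -1 on
 * failure; *result is written only on success. */
int build_masked_datum(const unsigned char *src, size_t len,
		       unsigned char key, datum_t *result)
{
	int ret = -1;
	datum_t tmp = { NULL, 0 };

	tmp.data = malloc(len ? len : 1);
	if (tmp.data == NULL)
		goto cleanup;
	tmp.size = len;
	for (size_t i = 0; i < len; i++)
		tmp.data[i] = src[i] ^ key;

	if (key == 0)
		goto cleanup; /* late failure: tmp is populated and must be freed */

	*result = steal_datum(&tmp); /* ownership moves to the caller; tmp is now empty */
	ret = 0;

cleanup:
	free_datum(&tmp); /* frees partial work on failure, no-op on success */
	return ret;
}
```

The caller owns `result->data` after a successful return and frees it itself; the function never leaves `*result` half-written on failure.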
Daiki Ueno [Thu, 16 Jan 2025 02:46:14 +0000 (11:46 +0900)]
pkcs8: remove HAVE_LIBOQS ifdefs
The key encoding and decoding operations currently do not use liboqs
functions. Remove unnecessary HAVE_LIBOQS ifdefs so it will be easier
to port to other implementations.
Daiki Ueno [Sun, 12 Jan 2025 02:34:13 +0000 (11:34 +0900)]
gnulib: work around misinteractions between close and fchdir modules
This caused a build failure on mingw. The workaround was suggested by
Bruno Haible in:
<https://lists.gnu.org/archive/html/bug-gnulib/2024-12/msg00179.html>
Daiki Ueno [Fri, 10 Jan 2025 08:39:18 +0000 (17:39 +0900)]
configure: run autoupdate
This fixes the warnings generated by autoupdate:
configure.ac:55: warning: AC_PROG_CC_C99 is obsolete; use AC_PROG_CC
configure.ac:139: warning: The preprocessor macro `STDC_HEADERS' is obsolete.
Except in unusual embedded environments, you can safely include all
ISO C90 headers unconditionally.
Maxim Cournoyer [Sun, 22 Dec 2024 02:29:59 +0000 (11:29 +0900)]
doc: Fix races in a parallel build.
* configure.ac: Use AC_PROG_MKDIR_P macro.
* doc/Makefile.am (stamp_functions, stamp_enums): Use the MKDIR_P
variable it defines.
(error_codes.texi, algorithms.texi, alerts.texi): Add dependency on
errcodes via a prerequisite, not a make invocation.
(DISTCLEANFILES): Register the newly depended upon binaries.
Daiki Ueno [Tue, 14 Jan 2025 02:25:34 +0000 (11:25 +0900)]
algorithms: centrally define KEM algorithm sizes in group entries
This switches to define the public key and ciphertext sizes of ML-KEM
algorithms in gnutls_group_entry_st, instead of deriving those from
the algorithm name at the usage in the TLS key shares.
Daiki Ueno [Tue, 14 Jan 2025 02:15:13 +0000 (11:15 +0900)]
algorithms: rename GNUTLS_{PK,SIGN}_ML_DSA_* to GNUTLS_*_MLDSA*
To be consistent with ML-KEM algorithms, omit underscores in ML-DSA
gnutls_pk_algorithm_t and gnutls_sign_algorithm_t enum definitions,
while keeping hyphens in the human readable names.
Daiki Ueno [Tue, 7 Jan 2025 03:36:19 +0000 (12:36 +0900)]
x509: stop using version field of MLDSAPrivateKey
Previously we indicated the used ML-DSA algorithm in the version field
of MLDSAPrivateKey, though this information is also available in
privateKeyAlgorithm field as OID. With this change, the version field
is always set to 1 to be compatible with OneAsymmetricKey with a
non-empty publicKey field. When decoding, if the version is 1, the
public key is read from publicKey field; otherwise it will be
extracted from the privateKey field to interoperate with the other
implementations such as OpenSSL/oqsprovider.
Daiki Ueno [Thu, 26 Dec 2024 01:28:08 +0000 (10:28 +0900)]
algorithms: rename GNUTLS_PK_MLKEM768 to GNUTLS_PK_ML_KEM_768
To be consistent with ML-DSA algorithms, this renames
GNUTLS_PK_MLKEM768 to GNUTLS_PK_ML_KEM_768, while the old name is
preserved through a compatibility macro.
Daiki Ueno [Thu, 26 Dec 2024 01:38:33 +0000 (10:38 +0900)]
algorithms: expose ML-DSA algorithm entries regardless of liboqs
Also this omits mapping between ML-DSA-44 and secparams, as there is
no way to express an algorithm is at security level category 2, which
uses a hash collision search instead of a brute-force key search on
AES. See Appendix B of draft-ietf-lamps-dilithium-certificates for
further details.
Daiki Ueno [Tue, 24 Dec 2024 07:57:54 +0000 (16:57 +0900)]
fips: perform pair-wise consistency test for ML-DSA
Also mark the signature creation and verification operation as
non-approved, as the current version of liboqs doesn't implement
sufficient checks for input.
Daiki Ueno [Tue, 24 Dec 2024 01:15:45 +0000 (10:15 +0900)]
configure: cache results of AC_*_IFELSE checks
This makes the configure process a little faster when --cache-file is
given from the previous build, as it avoids running compilers, etc.,
as well as making the features configurable through cached variables.
Maxim Cournoyer [Tue, 24 Dec 2024 11:44:12 +0000 (20:44 +0900)]
tests: Find p11-kit module directory via pkg-config.
* tests/p11-kit-load.sh (P11_MODULE_PATH): New variable; use it to
locate p11-kit-trust.so.
* tests/p11-kit-trust.sh (PKG_CONFIG, P11_MODULE_PATH): Likewise.
Maxim Cournoyer [Sat, 21 Dec 2024 15:00:39 +0000 (00:00 +0900)]
build: Skip tls-fuzzer when python-six is not available.
* configure.ac [HAVE_PYTHON_SIX]: New conditional.
* tests/suite/Makefile.am (scripts_to_test)
[HAVE_PYTHON_SIX]: Conditionally include tls-fuzzer test scripts.
Sahil Siddiq [Thu, 12 Dec 2024 12:59:39 +0000 (18:29 +0530)]
Set default value of early data size for client to 0
This commit sets the default value of "early_data_size" to 0 for
the client. "early_data_size" is set to a non-zero value when the
server sends the relevant extension in a session ticket to the
client.
This makes it easy for the client to determine if a server
supports early data.
Angel Yankov [Thu, 24 Oct 2024 12:00:28 +0000 (15:00 +0300)]
fips: Allow SigVer only with RSA keys with modulus >= 2048 bits
This is for easier compliance with FIPS 186-5; otherwise it would be
necessary to justify how the timestamp is provided to prove that only
pre-existing signatures can be verified in compliance with FIPS 186-5.