hpke: stop exposing testing functions from public API
authorDaiki Ueno <ueno@gnu.org>
Mon, 20 Apr 2026 12:56:09 +0000 (21:56 +0900)
committerDaiki Ueno <ueno@gnu.org>
Sun, 26 Apr 2026 00:57:57 +0000 (09:57 +0900)
This removes gnutls_hpke_set_seq, which was unused, and renames
gnutls_hpke_get_seq and gnutls_hpke_set_ikme to be clear that they are
testing functions.

Signed-off-by: Daiki Ueno <ueno@gnu.org>
NEWS
devel/symbols.last
doc/Makefile.am
doc/manpages/Makefile.am
lib/hpke/hpke.c
lib/includes/gnutls/hpke.h
lib/libgnutls.map
tests/hpke-tests.c

diff --git a/NEWS b/NEWS
index f19019b0270275ef0b0177bff0bff7dc628ff422..ca763e96246b1feb71eafda1130c85a45b0547d3 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -41,10 +41,7 @@ gnutls_hpke_encap: New function
 gnutls_hpke_seal: New function
 gnutls_hpke_decap: New function
 gnutls_hpke_open: New function
-gnutls_hpke_set_ikme: New function
 gnutls_hpke_generate_keypair: New function
-gnutls_hpke_get_seq: New function
-gnutls_hpke_set_seq: New function
 gnutls_hpke_export: New function
 
 * Version 3.8.12 (released 2026-02-09)
index 0b38f48f3a44e9b6e834162bcdd6adeec4269939..ecb18d429573c04578a34ad087ff2cfb1bc6f757 100644 (file)
@@ -343,12 +343,9 @@ gnutls_hpke_encap@GNUTLS_3_8_13
 gnutls_hpke_export@GNUTLS_3_8_13
 gnutls_hpke_generate_keypair@GNUTLS_3_8_13
 gnutls_hpke_get_enc_size@GNUTLS_3_8_13
-gnutls_hpke_get_seq@GNUTLS_3_8_13
 gnutls_hpke_init@GNUTLS_3_8_13
 gnutls_hpke_open@GNUTLS_3_8_13
 gnutls_hpke_seal@GNUTLS_3_8_13
-gnutls_hpke_set_ikme@GNUTLS_3_8_13
-gnutls_hpke_set_seq@GNUTLS_3_8_13
 gnutls_idna_map@GNUTLS_3_4
 gnutls_idna_reverse_map@GNUTLS_3_4
 gnutls_init@GNUTLS_3_4
index d6bb57793daf72aa1735deeacd7ebf8239d1ad71..cf368f4203eedc2901032fde9c1fa5c9659e59ea 100644 (file)
@@ -1242,18 +1242,12 @@ FUNCS += functions/gnutls_hpke_generate_keypair
 FUNCS += functions/gnutls_hpke_generate_keypair.short
 FUNCS += functions/gnutls_hpke_get_enc_size
 FUNCS += functions/gnutls_hpke_get_enc_size.short
-FUNCS += functions/gnutls_hpke_get_seq
-FUNCS += functions/gnutls_hpke_get_seq.short
 FUNCS += functions/gnutls_hpke_init
 FUNCS += functions/gnutls_hpke_init.short
 FUNCS += functions/gnutls_hpke_open
 FUNCS += functions/gnutls_hpke_open.short
 FUNCS += functions/gnutls_hpke_seal
 FUNCS += functions/gnutls_hpke_seal.short
-FUNCS += functions/gnutls_hpke_set_ikme
-FUNCS += functions/gnutls_hpke_set_ikme.short
-FUNCS += functions/gnutls_hpke_set_seq
-FUNCS += functions/gnutls_hpke_set_seq.short
 FUNCS += functions/gnutls_idna_map
 FUNCS += functions/gnutls_idna_map.short
 FUNCS += functions/gnutls_idna_reverse_map
index a61c7e7370940f3e48f5298e254b457136cfb04a..39fe45b0cfa21cdf01f644e2c9c0529c296cf258 100644 (file)
@@ -452,12 +452,9 @@ APIMANS += gnutls_hpke_encap.3
 APIMANS += gnutls_hpke_export.3
 APIMANS += gnutls_hpke_generate_keypair.3
 APIMANS += gnutls_hpke_get_enc_size.3
-APIMANS += gnutls_hpke_get_seq.3
 APIMANS += gnutls_hpke_init.3
 APIMANS += gnutls_hpke_open.3
 APIMANS += gnutls_hpke_seal.3
-APIMANS += gnutls_hpke_set_ikme.3
-APIMANS += gnutls_hpke_set_seq.3
 APIMANS += gnutls_idna_map.3
 APIMANS += gnutls_idna_reverse_map.3
 APIMANS += gnutls_init.3
index 53f29326cdc579357c3aa47e8655c28de86224fa..7733a051ac715c8acac6b2ad13c9ad043f0b8ebf 100644 (file)
@@ -69,6 +69,11 @@ struct gnutls_hpke_context_st {
        uint64_t seq;
 };
 
+/* For testing purposes */
+extern int _gnutls_hpke_get_seq(gnutls_hpke_context_t ctx, uint64_t *seq);
+extern int _gnutls_hpke_set_ikme(gnutls_hpke_context_t ctx,
+                                const gnutls_datum_t *ikme);
+
 static bool is_auth_mode(gnutls_hpke_mode_t mode)
 {
        return mode == GNUTLS_HPKE_MODE_AUTH ||
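Review bot: The two prototypes added after `struct gnutls_hpke_context_st` are repeated verbatim in tests/hpke-tests.c instead of coming from a shared header, so the compiler cannot catch the test's copy drifting from the definitions; a mismatch would only surface as undefined behaviour at call time. Declaring them once in an internal header that both files include would keep the signatures checked. If they stay here, the comment could say more than `/* For testing purposes */`, for example `/* Test-only hooks, exported under GNUTLS_PRIVATE_3_4 for tests/hpke-tests; not public API. */`. The body of is_auth_mode continues outside the hunk.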
@@ -1222,7 +1227,7 @@ cleanup:
 }
 
 /**
- * gnutls_hpke_set_ikme:
+ * _gnutls_hpke_set_ikme:
  * @ctx: The HPKE context to set the IKME for.
  * @ikme: A pointer to a gnutls_datum_t structure containing the IKME value and its size.
  *
@@ -1232,7 +1237,7 @@ cleanup:
  *
  * It returns 0 on success, or a negative error code on failure.
  */
-int gnutls_hpke_set_ikme(gnutls_hpke_context_t ctx, const gnutls_datum_t *ikme)
+int _gnutls_hpke_set_ikme(gnutls_hpke_context_t ctx, const gnutls_datum_t *ikme)
 {
        if (ctx == NULL || ikme == NULL || ikme->data == NULL) {
                return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
@@ -1305,7 +1310,7 @@ int gnutls_hpke_generate_keypair(gnutls_hpke_kem_t kem,
 }
 
 /**
- * gnutls_hpke_get_seq:
+ * _gnutls_hpke_get_seq:
  * @ctx: The HPKE context to get the sequence number from.
  * @seq: A pointer to a uint64_t variable where the current sequence number will be stored.
  *
@@ -1315,7 +1320,7 @@ int gnutls_hpke_generate_keypair(gnutls_hpke_kem_t kem,
  *
  * It returns 0 on success, or a negative error code on failure.
  */
-int gnutls_hpke_get_seq(gnutls_hpke_context_t ctx, uint64_t *seq)
+int _gnutls_hpke_get_seq(gnutls_hpke_context_t ctx, uint64_t *seq)
 {
        if (ctx == NULL || seq == NULL) {
                return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
@@ -1325,32 +1330,6 @@ int gnutls_hpke_get_seq(gnutls_hpke_context_t ctx, uint64_t *seq)
        return 0;
 }
 
-/**
- * gnutls_hpke_set_seq:
- * @ctx: The HPKE context to set the sequence number for.
- * @seq: The sequence number to set in the context.
- *
- * This function sets the sequence number in the HPKE context. The sequence number is used to derive unique nonces for
- * encryption and decryption operations in HPKE. The function checks that the provided parameters are valid and that the
- * context is properly initialized and that the role of the context is Receiver, as only the receiver should be setting
- * the sequence number (the sender's sequence number is managed internally by gnutls_hpke_seal()).
- *
- * It returns 0 on success, or a negative error code on failure.
- */
-int gnutls_hpke_set_seq(gnutls_hpke_context_t ctx, uint64_t seq)
-{
-       if (ctx == NULL) {
-               return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
-       }
-
-       if (ctx->role == GNUTLS_HPKE_ROLE_SENDER) {
-               return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
-       }
-
-       ctx->seq = seq;
-       return 0;
-}
-
 /**
  * gnutls_hpke_export:
  * @ctx: The HPKE context to use for exporting the secret.
index 6865e4993044ca37bbb499c4410e9cbc3d7a9865..66c2aebc974db198bbcf6bacc479de31deebd35e 100644 (file)
@@ -132,16 +132,11 @@ int gnutls_hpke_open(gnutls_hpke_context_t ctx, const gnutls_datum_t *aad,
                     const gnutls_datum_t *ciphertext,
                     gnutls_datum_t *plaintext);
 
-int gnutls_hpke_set_ikme(gnutls_hpke_context_t ctx, const gnutls_datum_t *ikme);
-
 int gnutls_hpke_generate_keypair(gnutls_hpke_kem_t kem,
                                 const gnutls_datum_t *ikm,
                                 gnutls_privkey_t privkey,
                                 gnutls_pubkey_t pubkey);
 
-int gnutls_hpke_get_seq(gnutls_hpke_context_t ctx, uint64_t *seq);
-int gnutls_hpke_set_seq(gnutls_hpke_context_t ctx, uint64_t seq);
-
 int gnutls_hpke_export(gnutls_hpke_context_t ctx,
                       const gnutls_datum_t *exporter_context, const size_t L,
                       gnutls_datum_t *secret);
index f6ffdcf1a0bb5ce3950ab714e6881e63ab3ac849..7a48bf95a563f822e3656d23fed61def051e958c 100644 (file)
@@ -1475,10 +1475,7 @@ GNUTLS_3_8_13
     gnutls_hpke_get_enc_size;
     gnutls_hpke_seal;
     gnutls_hpke_open;
-    gnutls_hpke_set_ikme;
     gnutls_hpke_generate_keypair;
-    gnutls_hpke_get_seq;
-    gnutls_hpke_set_seq;
     gnutls_hpke_export;
  local:
        *;
@@ -1596,4 +1593,7 @@ GNUTLS_PRIVATE_3_4 {
        _gnutls_pathbuf_deinit;
        # needed by tests/pkcs11/eddsa-ecpoint-encodings
        _gnutls_pubkey_import_ecc_eddsa;
+       # needed by tests/hpke-tests
+        _gnutls_hpke_get_seq;
+       _gnutls_hpke_set_ikme;
 } GNUTLS_3_4;
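Review bot: `_gnutls_hpke_set_ikme` is still exported from the shared library by this hunk, so any program that declares the prototype itself can keep calling it, and nothing visible in the commit marks it as unsafe outside tests. Judging by its name and its use with `params->ikmE` in the test, it fixes the sender's ephemeral keying input; if that value is repeated, encapsulation to the same recipient would presumably yield the same key and nonce sequence. The function's doc comment in lib/hpke/hpke.c is the natural place to say so, e.g. `* This is a test-only hook: a fixed IKME makes encapsulation deterministic and must not be used in production.` Separately, the `_gnutls_hpke_get_seq;` line appears to be indented with spaces where its neighbours use a tab.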
index 7e1b9b7fca738be7bbd97b61d8cba6e9310e0a68..280106fdcb36f7feac3a2b641ae960826c623c6f 100644 (file)
 #include <stdbool.h>
 #include <stdint.h>
 
+extern int _gnutls_hpke_get_seq(gnutls_hpke_context_t ctx, uint64_t *seq);
+extern int _gnutls_hpke_set_ikme(gnutls_hpke_context_t ctx,
+                                const gnutls_datum_t *ikme);
+
 static unsigned char info[] = { 0x4f, 0x64, 0x65, 0x20, 0x6f, 0x6e, 0x20,
                                0x61, 0x20, 0x47, 0x72, 0x65, 0x63, 0x69,
                                0x61, 0x6e, 0x20, 0x55, 0x72, 0x6e };
@@ -126,9 +130,9 @@ static void test_hpke(const hpke_test_parameters_st *params)
                     gnutls_strerror(ret));
        }
 
-       ret = gnutls_hpke_set_ikme(sender_ctx, &params->ikmE);
+       ret = _gnutls_hpke_set_ikme(sender_ctx, &params->ikmE);
        if (ret < 0) {
-               fail("gnutls_hpke_set_ikme (mode %d, kem: %d, kdf: %d, aead: %d) failed: %s\n",
+               fail("_gnutls_hpke_set_ikme (mode %d, kem: %d, kdf: %d, aead: %d) failed: %s\n",
                     params->mode, params->kem, params->kdf, params->aead,
                     gnutls_strerror(ret));
        }
@@ -235,9 +239,9 @@ static void test_hpke(const hpke_test_parameters_st *params)
                }
 
                uint64_t seq;
-               ret = gnutls_hpke_get_seq(receiver_ctx, &seq);
+               ret = _gnutls_hpke_get_seq(receiver_ctx, &seq);
                if (ret < 0) {
-                       fail("gnutls_hpke_get_seq (mode %d, kem: %d, kdf: %d, aead: %d) failed: %s\n",
+                       fail("_gnutls_hpke_get_seq (mode %d, kem: %d, kdf: %d, aead: %d) failed: %s\n",
                             params->mode, params->kem, params->kdf,
                             params->aead, gnutls_strerror(ret));
                }