git.ipfire.org Git - thirdparty/gnutls.git/log
Maxim Cournoyer [Sun, 22 Dec 2024 02:29:59 +0000 (11:29 +0900)]
doc: Fix races in a parallel build.
* configure.ac: Use AC_PROG_MKDIR_P macro.
* doc/Makefile.am (stamp_functions, stamp_enums): Use the MKDIR_P
variable it defines.
(error_codes.texi, algorithms.texi, alerts.texi): Add dependency on
errcodes via a prerequisite, not a make invocation
(DISTCLEANFILES): Register the newly depended upon binaries.
Fixes: <https://gitlab.com/gnutls/gnutls/-/issues/1635>
Signed-off-by: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Daiki Ueno [Mon, 13 Jan 2025 23:56:52 +0000 (23:56 +0000)]
Merge branch 'SecP384r1MLKEM1024' into 'master'
Add MLKEM-1024 and SecP384r1MLKEM1024.
See merge request gnutls/gnutls!1919
Loganaden Velvindron [Mon, 13 Jan 2025 23:56:52 +0000 (23:56 +0000)]
key_share: support SecP384r1MLKEM1024 group
Signed-off-by: Loganaden Velvindron <logan@cyberstorm.mu>
Signed-off-by: Jaykishan Mutkawoa <jay@cyberstorm.mu>
Signed-off-by: Kavish Nadan <kn@cyberstorm.mu>
Daiki Ueno [Fri, 10 Jan 2025 02:01:46 +0000 (02:01 +0000)]
Merge branch 'wip/dueno/mldsa-followup' into 'master'
Follow-up on ML-KEM and ML-DSA support
See merge request gnutls/gnutls!1916
Daiki Ueno [Tue, 7 Jan 2025 03:36:19 +0000 (12:36 +0900)]
x509: stop using version field of MLDSAPrivateKey
Previously we indicated the used ML-DSA algorithm in the version field
of MLDSAPrivateKey, though this information is also available in
privateKeyAlgorithm field as OID. With this change, the version field
is always set to 1 to be compatible with OneAsymmetricKey with a
non-empty publicKey field. When decoding, if the version is 1, the
public key is read from publicKey field; otherwise it will be
extracted from the privateKey field to interoperate with the other
implementations such as OpenSSL/oqsprovider.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Thu, 26 Dec 2024 08:34:51 +0000 (17:34 +0900)]
NEWS: add entry for ML-DSA support
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Thu, 26 Dec 2024 01:56:08 +0000 (10:56 +0900)]
tests: add basic tests for ML-DSA usage with certtool
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Thu, 26 Dec 2024 02:07:15 +0000 (11:07 +0900)]
nettle: ensure liboqs is loaded for signing operations with ML-DSA
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Thu, 26 Dec 2024 01:31:05 +0000 (10:31 +0900)]
algorithms: document ML-KEM/ML-DSA in public enums
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Thu, 26 Dec 2024 01:28:08 +0000 (10:28 +0900)]
algorithms: rename GNUTLS_PK_MLKEM768 to GNUTLS_PK_ML_KEM_768
To be consistent with ML-DSA algorithms, this renames
GNUTLS_PK_MLKEM768 to GNUTLS_PK_ML_KEM_768, while the old name is
preserved through a compatibility macro.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Tue, 24 Dec 2024 09:14:39 +0000 (18:14 +0900)]
certtool: enable ML-DSA private key generation
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Thu, 26 Dec 2024 01:38:33 +0000 (10:38 +0900)]
algorithms: expose ML-DSA algorithm entries regardless of liboqs
Also this omits mapping between ML-DSA-44 and secparams, as there is
no way to express an algorithm is at security level category 2, which
uses a hash collision search instead of a brute-force key search on
AES. See Appendix B of draft-ietf-lamps-dilithium-certificates for
further details.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Tue, 24 Dec 2024 07:57:54 +0000 (16:57 +0900)]
fips: perform pair-wise consistency test for ML-DSA
Also mark the signature creation and verification operation as
non-approved, as the current version of liboqs doesn't implement
sufficient checks for input.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Thu, 9 Jan 2025 06:25:43 +0000 (06:25 +0000)]
Merge branch 'wip/dueno/minor-fixes' into 'master'
Assorted minor improvements to the build infrastructure
See merge request gnutls/gnutls!1915
Daiki Ueno [Tue, 7 Jan 2025 14:23:22 +0000 (23:23 +0900)]
.gitlab-ci.yml: bump cache version
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Tue, 7 Jan 2025 11:30:15 +0000 (20:30 +0900)]
Update year of copyright notices in doc/gnutls.texi
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Tue, 24 Dec 2024 01:15:45 +0000 (10:15 +0900)]
configure: cache results of AC_*_IFELSE checks
This makes the configure process a little faster when --cache-file is
given from the previous build, as it avoids running compilers, etc.,
as well as makes the features configurable through cached variables.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Mon, 23 Dec 2024 07:36:26 +0000 (16:36 +0900)]
configure: fix output for checking whether dlopen(SONAME) works
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Tue, 10 Dec 2024 06:54:15 +0000 (15:54 +0900)]
tests: fix "fail" function usage
The "fail" shell function takes a PID as the first argument.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Tue, 10 Dec 2024 04:48:08 +0000 (13:48 +0900)]
tests: fix tense in messages
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Mon, 9 Dec 2024 12:40:07 +0000 (21:40 +0900)]
build: error "make distcheck" if bootstrap is called with --skip-po
This prevents mistakes when creating a tarball, as in 3.8.7.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Sun, 29 Dec 2024 01:49:57 +0000 (01:49 +0000)]
Merge branch 'find-p11-kit-trust-via-pkg-config' into 'master'
tests: Find p11-kit module directory via pkg-config.
See merge request gnutls/gnutls!1913
Daiki Ueno [Thu, 26 Dec 2024 17:58:48 +0000 (17:58 +0000)]
Merge branch 'add-missing-test-skip-conditions' into 'master'
Skip tests when dependencies are missing
See merge request gnutls/gnutls!1910
Maxim Cournoyer [Tue, 24 Dec 2024 11:44:12 +0000 (20:44 +0900)]
tests: Find p11-kit module directory via pkg-config.
* tests/p11-kit-load.sh (P11_MODULE_PATH): New variable; use it to
locate p11-kit-trust.so.
* tests/p11-kit-trust.sh (PKG_CONFIG, P11_MODULE_PATH): Likewise.
Signed-off-by: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Maxim Cournoyer [Sat, 21 Dec 2024 15:00:39 +0000 (00:00 +0900)]
build: Skip tls-fuzzer when python-six is not available.
* configure.ac [HAVE_PYTHON_SIX]: New conditional.
* tests/suite/Makefile.am (scripts_to_test)
[HAVE_PYTHON_SIX]: Conditionally include tls-fuzzer test scripts.
Signed-off-by: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Maxim Cournoyer [Sat, 21 Dec 2024 12:47:56 +0000 (21:47 +0900)]
tests: Skip multi-ticket-reception test when valgrind is not available.
This test would hang when attempting to run without valgrind
available.
* tests/suite/multi-ticket-reception.sh: Skip when VALGRIND is not set.
Signed-off-by: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Daiki Ueno [Sat, 21 Dec 2024 22:37:33 +0000 (22:37 +0000)]
Merge branch 'add-bison-to-bootstrap-conf-buildreq' into 'master'
bootstrap.conf: Require the 'bison' command.
See merge request gnutls/gnutls!1909
Maxim Cournoyer [Sat, 21 Dec 2024 13:51:02 +0000 (22:51 +0900)]
configure.ac: Ensure Python is available when it's needed.
* configure.ac: Use AM_PATH_PYTHON only when needed, and ensure it
then succeeds.
Signed-off-by: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Maxim Cournoyer [Sat, 21 Dec 2024 07:29:39 +0000 (16:29 +0900)]
bootstrap.conf: Sort requirements.
* bootstrap.conf (buildreq): Sort.
Signed-off-by: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Maxim Cournoyer [Sat, 21 Dec 2024 03:47:56 +0000 (12:47 +0900)]
bootstrap.conf: Require the 'wget' command.
wget is used to retrieve translation files.
* bootstrap.conf (buildreq): Register wget.
Signed-off-by: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Maxim Cournoyer [Sat, 21 Dec 2024 02:37:51 +0000 (11:37 +0900)]
bootstrap.conf: Require the 'bison' command.
* bootstrap.conf (buildreq): Register bison.
Fixes: <https://gitlab.com/gnutls/gnutls/-/issues/1196>
Signed-off-by: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Daiki Ueno [Thu, 19 Dec 2024 06:58:26 +0000 (06:58 +0000)]
Merge branch 'client_early_data_size' into 'master'
Set default value of early data size for client to 0
See merge request gnutls/gnutls!1906
Sahil Siddiq [Thu, 12 Dec 2024 12:59:39 +0000 (18:29 +0530)]
Set default value of early data size for client to 0
This commit sets the default value of "early_data_size" to 0 for
the client. "early_data_size" is set to a non-zero value when the
server sends the relevant extension in a session ticket to the
client.
This makes it easy for the client to determine if a server
supports early data.
Link: https://gitlab.com/gnutls/gnutls/-/issues/1619
Signed-off-by: Sahil Siddiq <sahilcdq@proton.me>
Daiki Ueno [Wed, 11 Dec 2024 01:53:11 +0000 (01:53 +0000)]
Merge branch 'wip/dueno/hybrid-kx-liboqs-followup2' into 'master'
groups: represent hybrid groups with an array of IDs
Closes #1604
See merge request gnutls/gnutls!1904
Daiki Ueno [Wed, 11 Dec 2024 01:51:48 +0000 (01:51 +0000)]
Merge branch 'wip/dueno/print-nc-import-error' into 'master'
x509: print errors when importing name constraints fails
Closes #1596
See merge request gnutls/gnutls!1902
Daiki Ueno [Fri, 6 Dec 2024 00:53:18 +0000 (09:53 +0900)]
groups: represent hybrid groups with an array of IDs
Previously, the supported_groups array contained externally defined
elements, which is legitimate in C99 but caused error with Clang:
groups.c:93:2: error: initializer element is not a compile-time constant
group_x25519,
^~~~~~~~~~~~
This reworks the array definition of indirection through group
IDs (gnutls_group_t, i.e., integer).
This also makes pqc-hybrid-kx test more exhaustive.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Mon, 9 Dec 2024 14:01:29 +0000 (14:01 +0000)]
Merge branch 'interop-fix' into 'master'
fix tmt provision -h local
See merge request gnutls/gnutls!1905
Stanislav Zidek [Mon, 9 Dec 2024 12:32:14 +0000 (13:32 +0100)]
fix tmt provision -h local
TMT started requiring --feeling-safe for local provisioning.
Signed-off-by: Stanislav Zidek <szidek@redhat.com>
Daiki Ueno [Tue, 3 Dec 2024 12:50:05 +0000 (21:50 +0900)]
x509: print errors when importing name constraints fails
Like printing SCTS, report any error to stdout when iterating over
name constraints in a certificate.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Fri, 29 Nov 2024 00:51:45 +0000 (00:51 +0000)]
Merge branch 'pqc' into 'master'
Add experimental support for post-quantum algorithms in X.509 certificates
See merge request gnutls/gnutls!1786
Daiki Ueno [Thu, 28 Nov 2024 23:43:06 +0000 (23:43 +0000)]
Merge branch 'fips/mark-eddsa-approved' into 'master'
fips: mark EdDSA as approved in FIPS mode
See merge request gnutls/gnutls!1897
Daiki Ueno [Thu, 28 Nov 2024 23:37:40 +0000 (23:37 +0000)]
Merge branch 'fips/no_dsa_selfcheck' into 'master'
fips: Remove DSA selftest check in FIPS mode.
See merge request gnutls/gnutls!1901
Angel Yankov [Thu, 28 Nov 2024 08:54:45 +0000 (10:54 +0200)]
As DSA is not-approved in FIPS 140-3, there is no need to run a self test on it.
Signed-off-by: Angel Yankov <angel.yankov@suse.com>
d-Dudas [Sun, 17 Nov 2024 13:12:28 +0000 (15:12 +0200)]
Removed support for Falcon algorithms
Signed-off-by: David Dudas <david.dudas03@e-uvt.ro>
pohsingwu [Sat, 16 Nov 2024 18:01:37 +0000 (02:01 +0800)]
fips: mark EdDSA as approved in FIPS mode
FIPS 186-5 approves EdDSA.
Signed-off-by: Po-Hsing Wu <pohsingwu@synology.com>
d-Dudas [Wed, 6 Nov 2024 18:46:59 +0000 (20:46 +0200)]
Removed support for Sphincs algorithms
Signed-off-by: David Dudas <david.dudas03@e-uvt.ro>
David Dudas [Thu, 24 Oct 2024 15:56:30 +0000 (18:56 +0300)]
Added SHA3x4 callbacks for liboqs.
Signed-off-by: David Dudas <david.dudas03@e-uvt.ro>
d-Dudas [Sun, 22 Sep 2024 13:22:13 +0000 (16:22 +0300)]
Moved ML-DSA algorithms from the experimental algorithms to non-experimental algorithms.
Signed-off-by: David Dudas <david.dudas03@e-uvt.ro>
d-Dudas [Sat, 31 Aug 2024 16:46:02 +0000 (19:46 +0300)]
Changed from Dilithium to ML-DSA
Signed-off-by: David Dudas <david.dudas03@e-uvt.ro>
d-Dudas [Sun, 28 Jul 2024 21:00:40 +0000 (00:00 +0300)]
Add experimental support for post-quantum digital signature algorithms in X.509 certificates
- Dilithium
- Falcon
- Sphincs family
Signed-off-by: David Dudas <david.dudas03@e-uvt.ro>
Daiki Ueno [Fri, 15 Nov 2024 07:54:19 +0000 (07:54 +0000)]
Merge branch 'wip/dueno/assorted-fixes' into 'master'
Assorted fixes
See merge request gnutls/gnutls!1894
Daiki Ueno [Thu, 7 Nov 2024 13:10:20 +0000 (22:10 +0900)]
liboqs: don't call OQS_destroy if the version is 0.11.0
OQS_destroy in liboqs 0.11.0 unconditionally calls OpenSSL functions
for cleanup; see:
https://github.com/open-quantum-safe/liboqs/pull/1982
As it doesn't do anything other than that so far, just skip it for
now.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
David Dudas [Thu, 7 Nov 2024 00:31:53 +0000 (09:31 +0900)]
liboqs: add SHA3x4 callbacks
Signed-off-by: David Dudas <david.dudas03@e-uvt.ro>
Modified-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Wed, 6 Nov 2024 10:50:11 +0000 (10:50 +0000)]
Merge branch 'fips/p192-disabled' into 'master'
fips: Mark operations using P-192 as not approved
See merge request gnutls/gnutls!1887
Daiki Ueno [Wed, 6 Nov 2024 10:48:59 +0000 (10:48 +0000)]
Merge branch 'fips/rsa2048' into 'master'
fips: Allow SigVer only with RSA keys with modulus >= 2048 bits
See merge request gnutls/gnutls!1889
Angel Yankov [Wed, 6 Nov 2024 09:03:48 +0000 (09:03 +0000)]
Merge branch gnutls:master into fips/p192-disabled
Angel Yankov [Thu, 24 Oct 2024 12:00:28 +0000 (15:00 +0300)]
fips: Allow SigVer only with RSA keys with modulus >= 2048 bits
This is for easier compliance with FIPS 186-5,
otherwise it would be necessary to justify how
the timestamp is provided to prove that only
pre-existing signatures can be verified in compliance
with FIPS 186-5.
Signed-off-by: Angel Yankov <angel.yankov@suse.com>
Daiki Ueno [Wed, 6 Nov 2024 05:29:44 +0000 (05:29 +0000)]
Merge branch 'fips/gnutls_hash_fast_approved' into 'master'
fips: Mark gnutls_hash_fast as approved in FIPS SLI
See merge request gnutls/gnutls!1888
Daiki Ueno [Wed, 6 Nov 2024 05:24:05 +0000 (14:24 +0900)]
dlwrap: regenerate files
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Wed, 6 Nov 2024 05:14:50 +0000 (14:14 +0900)]
gnutls_privkey_get_spki: avoid NULL dereference in invalid call
Reported and solution suggested by David Meliksetyan in:
https://gitlab.com/gnutls/gnutls/-/issues/1579
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Tue, 5 Nov 2024 13:56:36 +0000 (22:56 +0900)]
gnutls-cli-debug: skip GOST and X25519 tests in FIPS mode
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Tue, 5 Nov 2024 02:33:05 +0000 (02:33 +0000)]
Merge branch 'wip/dueno/release-3.8.8' into 'master'
Release 3.8.8
See merge request gnutls/gnutls!1893
Daiki Ueno [Sat, 2 Nov 2024 03:13:54 +0000 (12:13 +0900)]
Release 3.8.8
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Sat, 14 Sep 2024 12:31:04 +0000 (15:31 +0300)]
Fixed the check at src/benchmark-tls.c
Signed-off-by: David Meliksetyan <d.meliksetyan@fobos-nt.ru>
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Tue, 5 Nov 2024 00:06:34 +0000 (00:06 +0000)]
Merge branch 'wip/dueno/dlwrap-doc' into 'master'
dlwrap: clarify the code generation is one time only [ci skip]
Closes #1581
See merge request gnutls/gnutls!1878
Daiki Ueno [Wed, 25 Sep 2024 02:27:30 +0000 (11:27 +0900)]
dlwrap: clarify the code generation is one time only [ci skip]
This makes it clear that dlwrap is not a build-time dependency but a
one-time passive code generator.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Wed, 25 Sep 2024 00:59:42 +0000 (09:59 +0900)]
devel/generate-dlwrap.sh: remove --clang-resource-dir option
The option is automatically inferred in dlwrap 0.3.6.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Fri, 1 Nov 2024 10:40:06 +0000 (10:40 +0000)]
Merge branch 'wip/dueno/kem-group-ordering' into 'master'
key_share: detect overlap of PK types in hybrid groups
Closes #1602
See merge request gnutls/gnutls!1892
Daiki Ueno [Fri, 1 Nov 2024 02:10:49 +0000 (11:10 +0900)]
priority: give KEM groups precedence over EC(DH) groups in TLS 1.3
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Fri, 1 Nov 2024 01:50:56 +0000 (10:50 +0900)]
key_share: detect overlap of PK types in hybrid groups
The client limits sending the key_share extension to at most one from
each public key type. To support hybrid groups, the logic needs to be
extended to check all siblings.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Wed, 30 Oct 2024 05:05:10 +0000 (14:05 +0900)]
_gnutls_session_supports_group: return boolean instead of error code
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Tue, 29 Oct 2024 14:25:44 +0000 (14:25 +0000)]
Merge branch 'wip/dueno/liboqs-update' into 'master'
Update liboqs version requirement to 0.11.0 to support final version of ML-KEM
See merge request gnutls/gnutls!1883
Daiki Ueno [Mon, 7 Oct 2024 23:51:44 +0000 (08:51 +0900)]
groups: register SecP256r1MLKEM768 and X25519MLKEM768
This adds entries for SecP256r1MLKEM768 and X25519MLKEM768
post-quantum hybrid key agreement schemes as defined in
draft-kwiatkowski-tls-ecdhe-mlkem.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Wed, 9 Oct 2024 08:09:04 +0000 (17:09 +0900)]
key_share: rework hybrid algorithms handling
Previously we put 2 public key algorithms in a single
gnutls_group_entry_st, with pk and pk2 fields. That turned out to be not
flexible enough to handle the cases where the number of combinations
increases or the order of algorithms is swapped. This changes the
representation with a linked list so one can easily construct and
traverse any combinations.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Mon, 14 Oct 2024 08:50:27 +0000 (17:50 +0900)]
priority: take KEM groups into account
When constructing a ciphersuite list, include hybrid PQC groups with
KEM as the first key share.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Wed, 9 Oct 2024 09:10:25 +0000 (18:10 +0900)]
supported_groups: give KEM groups higher priority than DH
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Wed, 9 Oct 2024 08:04:44 +0000 (17:04 +0900)]
str: add _gnutls_ro_buffer_init
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Mon, 7 Oct 2024 21:34:16 +0000 (06:34 +0900)]
pk: plumb ML-KEM 768 in addition to Kyber 768
This adds GNUTLS_PK_MLKEM768 in the regular algorithm range, while
keeping GNUTLS_PK_EXP_KYBER768 in the experimental algorithm range.
This also modifies the privkey-keygen test to skip unsupported
algorithms at run-time.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Mon, 7 Oct 2024 08:49:24 +0000 (17:49 +0900)]
liboqs: provide SHA2 stubs
As well as SHA3, this implements GnuTLS backed stubs for SHA2
functions, which will be necessary for SLH-DSA signature support.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Mon, 7 Oct 2024 07:46:28 +0000 (16:46 +0900)]
liboqs: check library version at run-time
This is to safeguard when the library is compiled with a newer liboqs
but deployed to an environment with an older liboqs, which may break
ABI compatibility.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Mon, 7 Oct 2024 04:39:22 +0000 (13:39 +0900)]
liboqs: require version 0.11.0
liboqs 0.11.0 shipped with public headers for plugging in alternative
symmetric algorithms (e.g., sha3_ops.h), which were previously
missing.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Daiki Ueno [Mon, 28 Oct 2024 12:51:05 +0000 (12:51 +0000)]
Merge branch 'mangle-shake-ctx' into 'master'
nettle: mangle struct sha3_128_ctx
See merge request gnutls/gnutls!1886
Angel Yankov [Thu, 24 Oct 2024 12:08:04 +0000 (15:08 +0300)]
fips: Mark gnutls_hash_fast as approved in FIPS SLI
There is no reason for gnutls_hash_fast to not
be approved under the SLI as part of the approved service
Message Digest (same as gnutls_hash_init, gnutls_hash, gnutls_hash_output).
Add a transition to state approved when using gnutls_hash_fast.
Signed-off-by: Angel Yankov <angel.yankov@suse.com>
Angel Yankov [Thu, 24 Oct 2024 12:13:22 +0000 (15:13 +0300)]
fips: Mark operations using P-192 as not approved
P-192 is not an approved curve as of FIPS 186-5, so mark operations
using it as NOT approved in the SLI.
Signed-off-by: Angel Yankov <angel.yankov@suse.com>
Alexander Sosedkin [Mon, 21 Oct 2024 17:59:20 +0000 (19:59 +0200)]
nettle: mangle sha3_128_ctx
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
Daiki Ueno [Thu, 17 Oct 2024 17:07:43 +0000 (17:07 +0000)]
Merge branch 'wip/dueno/hash-after-squeeze' into 'master'
hash: return error if gnutls_hash is called after squeeze
Closes #1592
See merge request gnutls/gnutls!1885
Daiki Ueno [Wed, 16 Oct 2024 05:42:47 +0000 (14:42 +0900)]
hash: return error if gnutls_hash is called after squeeze
Previously, when gnutls_hash is called after gnutls_hash_squeeze, it
hits an assertion failure in nettle:
sha3.c:76: _nettle_sha3_update: Assertion `pos < block_size' failed.
This adds an internal function to check whether the hash context has
already been finalized with squeezing and in that case errors out.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Zoltán Fridrich [Wed, 16 Oct 2024 08:48:35 +0000 (08:48 +0000)]
Merge branch 'zfridric_devel2' into 'master'
compress_certificate: improve error checks
Closes #1584, #1585, and #1586
See merge request gnutls/gnutls!1884
Zoltan Fridrich [Thu, 10 Oct 2024 11:26:22 +0000 (13:26 +0200)]
compress_certificate: improve error checks
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
Daiki Ueno [Wed, 9 Oct 2024 22:21:55 +0000 (22:21 +0000)]
Merge branch 'alloca' into 'master'
lib/nettle/int/nettle-internal.h: include alloca.h if configure found it
Closes #782
See merge request gnutls/gnutls!1882
Alan Coopersmith [Tue, 8 Oct 2024 16:51:00 +0000 (09:51 -0700)]
lib/nettle/int/nettle-internal.h: include alloca.h if configure found it
Needed for alloca definition on Solaris, to avoid build error with gcc 14:
lib/nettle/int/nettle-internal.h:59:39: error: implicit declaration of
function 'alloca' [-Wimplicit-function-declaration]
59 | #define TMP_ALLOC(name, size) (name = alloca(sizeof(*name) * (size)))
| ^~~~~~
Closes #782
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Daiki Ueno [Tue, 1 Oct 2024 08:09:38 +0000 (08:09 +0000)]
Merge branch 'zfridric_devel2' into 'master'
Ignore unknown compression algs when using CLI
Closes #1587
See merge request gnutls/gnutls!1881
Daiki Ueno [Tue, 1 Oct 2024 08:09:21 +0000 (08:09 +0000)]
Merge branch 'tests-key-material-set-dtls-eagain' into 'master'
tests/key-material-set-dtls: retry send/recv on E_AGAIN/E_INTERRUPTED
See merge request gnutls/gnutls!1880
Alexander Sosedkin [Wed, 25 Sep 2024 11:32:14 +0000 (13:32 +0200)]
tests/key-material-set-dtls: retry send/recv on E_AGAIN/E_INTERRUPTED
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
Zoltan Fridrich [Fri, 27 Sep 2024 10:09:51 +0000 (12:09 +0200)]
Ignore unknown compression algs when using CLI
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
Daiki Ueno [Wed, 25 Sep 2024 09:33:30 +0000 (09:33 +0000)]
Merge branch 'tests-ktls-fips-skip-chacha' into 'master'
tests/ktls: skip CHACHA20-POLY1305 in FIPS mode
See merge request gnutls/gnutls!1879
Alexander Sosedkin [Wed, 25 Sep 2024 07:05:35 +0000 (09:05 +0200)]
tests/ktls: skip CHACHA20-POLY1305 in FIPS mode
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
Daiki Ueno [Tue, 24 Sep 2024 21:14:01 +0000 (21:14 +0000)]
Merge branch 'fix-ocsp-checking-when-multiple-records' into 'master'
check all ocsp response records for cert serial number
See merge request gnutls/gnutls!1877
Jeff Mattson [Tue, 24 Sep 2024 14:53:23 +0000 (10:53 -0400)]
fix formatting
Signed-off-by: Jeff Mattson <jmattson@sei.cmu.edu>
Jeff Mattson [Tue, 24 Sep 2024 14:33:50 +0000 (10:33 -0400)]
iterate ocsp response records for matching certificate
Signed-off-by: Jeff Mattson <jmattson@sei.cmu.edu>