Daiki Ueno [Mon, 20 Jan 2025 05:18:10 +0000 (14:18 +0900)]
leancrypto: support leancrypto for post-quantum algorithms
This adds support for leancrypto as an additional and the preferred
backend for now, until Nettle gains the proper support for PQC
algorithms. There are a few advantages over liboqs, namely:
- It already has required input validations for ML-KEM as in FIPS 203,
such as Modulus check, which are currently missing in liboqs
- It provides an API to generate ML-KEM/ML-DSA key pairs from a seed,
which is required to support the seed-only private key format proposed
in draft-ietf-lamps-dilithium-certificates-05 and later
- No need to avoid undesired OpenSSL dependency; all the symmetric
algorithms are natively implemented by leancrypto itself
As the supposed use-case of this is to statically link leancrypto with
GnuTLS, this doesn't support loading leancrypto with dlopen.
Daiki Ueno [Tue, 21 Jan 2025 22:45:46 +0000 (07:45 +0900)]
datum, mem, str: add helper functions to steal pointers
This introduces 3 new inline functions, namely _gnutls_steal_datum,
_gnutls_steal_buffer, and _gnutls_steal_pointer, to return a copy of a
data structure and reset the original pointer. Those would enable
returning a populated data structure upon success, or otherwise freeing
the partially filled data structure, in a single code path, e.g.,
```c
gnutls_datum_t tmp_result = { NULL, 0 };
// Calculate tmp_result
...
if (error)
	goto cleanup;
// Propagate tmp_result to *result
*result = _gnutls_steal_datum(&tmp_result);
```
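The ownership-transfer pattern this message describes, as an added example in C that is not GnuTLS code: a local stand-in for gnutls_datum_t, a steal helper modelled on _gnutls_steal_datum, and a hypothetical producer (concat_datum, with a constructed MAX_OUTPUT limit) showing that the single cleanup label frees a partially built buffer on a late failure, while after a successful steal there is nothing left for it to free.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for gnutls_datum_t (same shape: pointer plus size), declared
 * locally so the example compiles without GnuTLS headers. */
typedef struct {
    unsigned char *data;
    unsigned int size;
} datum_t;

/* Return a copy of *d and reset *d, leaving exactly one owner of the buffer.
 * Models the _gnutls_steal_datum helper described in the commit. */
static inline datum_t steal_datum(datum_t *d)
{
    datum_t copy = *d;
    d->data = NULL;
    d->size = 0;
    return copy;
}

#define MAX_OUTPUT 16 /* constructed limit, used to exercise a late failure */

/* Hypothetical producer: concatenates a and b into a fresh buffer.
 * Returns 0 and hands *result to the caller on success; on any failure
 * returns a negative code and frees whatever was built so far. Every
 * exit goes through the single cleanup label. */
int concat_datum(const datum_t *a, const datum_t *b, datum_t *result)
{
    datum_t tmp = { NULL, 0 };
    int ret;

    if (a->size == 0 || b->size == 0) {
        ret = -1; /* early failure: nothing allocated yet */
        goto cleanup;
    }

    tmp.data = malloc(a->size + b->size);
    if (tmp.data == NULL) {
        ret = -2;
        goto cleanup;
    }
    memcpy(tmp.data, a->data, a->size);
    memcpy(tmp.data + a->size, b->data, b->size);
    tmp.size = a->size + b->size;

    if (tmp.size > MAX_OUTPUT) {
        ret = -3;     /* late failure: tmp is partially filled ... */
        goto cleanup; /* ... and is freed below, not leaked */
    }

    *result = steal_datum(&tmp); /* transfer ownership; tmp is now empty */
    ret = 0;

cleanup:
    free(tmp.data); /* NULL after a successful steal or an early failure */
    return ret;
}

/* Drivers for the three paths; each returns the value worth checking. */
int demo_success_size(void)
{
    datum_t a = { (unsigned char *)"ab", 2 };
    datum_t b = { (unsigned char *)"cde", 3 };
    datum_t out = { NULL, 0 };
    int size = -1;

    if (concat_datum(&a, &b, &out) == 0 && memcmp(out.data, "abcde", 5) == 0)
        size = (int)out.size;
    free(out.data);
    return size; /* 5 */
}

int demo_empty_input(void)
{
    datum_t a = { (unsigned char *)"", 0 };
    datum_t b = { (unsigned char *)"x", 1 };
    datum_t out = { NULL, 0 };
    int ret = concat_datum(&a, &b, &out);
    return (out.data == NULL) ? ret : -99; /* -1, result untouched */
}

int demo_too_large(void)
{
    unsigned char big[MAX_OUTPUT] = { 0 };
    datum_t a = { big, MAX_OUTPUT };
    datum_t b = { big, 1 };
    datum_t out = { NULL, 0 };
    int ret = concat_datum(&a, &b, &out);
    return (out.data == NULL) ? ret : -99; /* -3, partial buffer freed */
}
```

The point of the steal helper is the last two statements of concat_datum: because a successful steal empties tmp, the same free() at the cleanup label is correct on every path, so no exit has to remember which members were already allocated.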
Daiki Ueno [Thu, 16 Jan 2025 02:46:14 +0000 (11:46 +0900)]
pkcs8: remove HAVE_LIBOQS ifdefs
The key encoding and decoding operations currently do not use liboqs
functions. Remove unnecessary HAVE_LIBOQS ifdefs so it will be easier
to port to other implementations.
Daiki Ueno [Sun, 12 Jan 2025 02:34:13 +0000 (11:34 +0900)]
gnulib: work around misinteractions between close and fchdir modules
This caused a build failure on mingw. The workaround was suggested by
Bruno Haible in:
<https://lists.gnu.org/archive/html/bug-gnulib/2024-12/msg00179.html>
Daiki Ueno [Fri, 10 Jan 2025 08:39:18 +0000 (17:39 +0900)]
configure: run autoupdate
This fixes the warnings generated by autoupdate:
configure.ac:55: warning: AC_PROG_CC_C99 is obsolete; use AC_PROG_CC
configure.ac:139: warning: The preprocessor macro `STDC_HEADERS' is obsolete.
Except in unusual embedded environments, you can safely include all
ISO C90 headers unconditionally.
Maxim Cournoyer [Sun, 22 Dec 2024 02:29:59 +0000 (11:29 +0900)]
doc: Fix races in a parallel build.
* configure.ac: Use AC_PROG_MKDIR_P macro.
* doc/Makefile.am (stamp_functions, stamp_enums): Use the MKDIR_P
variable it defines.
(error_codes.texi, algorithms.texi, alerts.texi): Add dependency on
errcodes via a prerequisite, not a make invocation
(DISTCLEANFILES): Register the newly depended upon binaries.
Daiki Ueno [Tue, 14 Jan 2025 02:25:34 +0000 (11:25 +0900)]
algorithms: centrally define KEM algorithm sizes in group entries
This switches to define the public key and ciphertext sizes of ML-KEM
algorithms in gnutls_group_entry_st, instead of deriving those from
the algorithm name at the usage in the TLS key shares.
Daiki Ueno [Tue, 14 Jan 2025 02:15:13 +0000 (11:15 +0900)]
algorithms: rename GNUTLS_{PK,SIGN}_ML_DSA_* to GNUTLS_*_MLDSA*
To be consistent with ML-KEM algorithms, omit underscores in ML-DSA
gnutls_pk_algorithm_t and gnutls_sign_algorithm_t enum definitions,
while keeping hyphens in the human readable names.
Daiki Ueno [Tue, 7 Jan 2025 03:36:19 +0000 (12:36 +0900)]
x509: stop using version field of MLDSAPrivateKey
Previously we indicated the used ML-DSA algorithm in the version field
of MLDSAPrivateKey, though this information is also available in
privateKeyAlgorithm field as OID. With this change, the version field
is always set to 1 to be compatible with OneAsymmetricKey with a
non-empty publicKey field. When decoding, if the version is 1, the
public key is read from publicKey field; otherwise it will be
extracted from the privateKey field to interoperate with the other
implementations such as OpenSSL/oqsprovider.
Daiki Ueno [Thu, 26 Dec 2024 01:28:08 +0000 (10:28 +0900)]
algorithms: rename GNUTLS_PK_MLKEM768 to GNUTLS_PK_ML_KEM_768
To be consistent with ML-DSA algorithms, this renames
GNUTLS_PK_MLKEM768 to GNUTLS_PK_ML_KEM_768, while the old name is
preserved through a compatibility macro.
Daiki Ueno [Thu, 26 Dec 2024 01:38:33 +0000 (10:38 +0900)]
algorithms: expose ML-DSA algorithm entries regardless of liboqs
Also this omits mapping between ML-DSA-44 and secparams, as there is
no way to express that an algorithm is at security level category 2, which
uses a hash collision search instead of a brute-force key search on
AES. See Appendix B of draft-ietf-lamps-dilithium-certificates for
further details.
Daiki Ueno [Tue, 24 Dec 2024 07:57:54 +0000 (16:57 +0900)]
fips: perform pair-wise consistency test for ML-DSA
Also mark the signature creation and verification operation as
non-approved, as the current version of liboqs doesn't implement
sufficient checks for input.
Daiki Ueno [Tue, 24 Dec 2024 01:15:45 +0000 (10:15 +0900)]
configure: cache results of AC_*_IFELSE checks
This makes the configure process a little faster when --cache-file is
given from the previous build, as it avoids running compilers, etc.,
as well as makes the features configurable through cached variables.
Maxim Cournoyer [Tue, 24 Dec 2024 11:44:12 +0000 (20:44 +0900)]
tests: Find p11-kit module directory via pkg-config.
* tests/p11-kit-load.sh (P11_MODULE_PATH): New variable; use it to
locate p11-kit-trust.so.
* tests/p11-kit-trust.sh (PKG_CONFIG, P11_MODULE_PATH): Likewise.
Maxim Cournoyer [Sat, 21 Dec 2024 15:00:39 +0000 (00:00 +0900)]
build: Skip tls-fuzzer when python-six is not available.
* configure.ac [HAVE_PYTHON_SIX]: New conditional.
* tests/suite/Makefile.am (scripts_to_test)
[HAVE_PYTHON_SIX]: Conditionally include tls-fuzzer test scripts.
Sahil Siddiq [Thu, 12 Dec 2024 12:59:39 +0000 (18:29 +0530)]
Set default value of early data size for client to 0
This commit sets the default value of "early_data_size" to 0 for
the client. "early_data_size" is set to a non-zero value when the
server sends the relevant extension in a session ticket to the
client.
This makes it easy for the client to determine if a server
supports early data.
Angel Yankov [Thu, 24 Oct 2024 12:00:28 +0000 (15:00 +0300)]
fips: Allow SigVer only with RSA keys with modulus >= 2048 bits
This is for easier compliance with FIPS 186-5,
otherwise it would be necessary to justify how
the timestamp is provided to prove that only
pre-existing signatures can be verified in compliance
with FIPS 186-5.
Daiki Ueno [Fri, 1 Nov 2024 01:50:56 +0000 (10:50 +0900)]
key_share: detect overlap of PK types in hybrid groups
The client limits sending the key_share extension to at most one from
each public key type. To support hybrid groups, the logic needs to be
extended to check all siblings.
Daiki Ueno [Wed, 9 Oct 2024 08:09:04 +0000 (17:09 +0900)]
key_share: rework hybrid algorithms handling
Previously we put 2 public key algorithms in a single
gnutls_group_entry_st, with pk and pk2 fields. That turned out to be not
flexible enough to handle the cases where the number of combinations
increases or the order of algorithms is swapped. This changes the
representation with a linked list so one can easily construct and
traverse any combinations.
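The selection logic described in this message and in "key_share: detect overlap of PK types in hybrid groups" above, as an added example in C that is not GnuTLS code: each group is a linked list of its component PK types, and a group only gets a key share if none of its siblings use a PK type already sent. The enum values, group names and the priority list are constructed for the example; the real gnutls_group_entry_st layout and GNUTLS_PK_* values differ.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed public-key type ids; the real GNUTLS_PK_* values differ. */
typedef enum { PK_X25519, PK_SECP256R1, PK_MLKEM768, PK_COUNT } pk_type_t;

/* One node per component algorithm; a classical group has a single node,
 * a hybrid group chains its components in encoding order. */
typedef struct pk_node {
    pk_type_t pk;
    const struct pk_node *next;
} pk_node_t;

typedef struct {
    const char *name;
    const pk_node_t *pks; /* head of the component list */
} group_t;

/* True if any component of g has a PK type already used for a key share. */
static bool group_overlaps(const group_t *g, const bool used[PK_COUNT])
{
    for (const pk_node_t *n = g->pks; n != NULL; n = n->next)
        if (used[n->pk])
            return true;
    return false;
}

/* Walk the group list in priority order and pick the groups to send a
 * key_share for, never reusing a PK type. Returns the number picked and
 * stores their indices in selected[]. */
size_t select_key_shares(const group_t *groups, size_t ngroups,
                         size_t *selected, size_t max_selected)
{
    bool used[PK_COUNT] = { false };
    size_t count = 0;

    for (size_t i = 0; i < ngroups && count < max_selected; i++) {
        if (group_overlaps(&groups[i], used))
            continue; /* a sibling's PK type was already sent */
        for (const pk_node_t *n = groups[i].pks; n != NULL; n = n->next)
            used[n->pk] = true; /* mark every component, not just the first */
        selected[count++] = i;
    }
    return count;
}

/* Constructed priority list covering the cases the commits mention:
 * a hybrid group, its classical component, the same hybrid with the
 * component order swapped, and an unrelated classical group. */
static const pk_node_t n_mlkem = { PK_MLKEM768, NULL };
static const pk_node_t n_x25519_then_mlkem = { PK_X25519, &n_mlkem };
static const pk_node_t n_x25519 = { PK_X25519, NULL };
static const pk_node_t n_mlkem_then_x25519 = { PK_MLKEM768, &n_x25519 };
static const pk_node_t n_secp256r1 = { PK_SECP256R1, NULL };

static const group_t demo_groups[] = {
    { "X25519MLKEM768", &n_x25519_then_mlkem },
    { "X25519",         &n_x25519 },
    { "MLKEM768X25519", &n_mlkem_then_x25519 },
    { "SECP256R1",      &n_secp256r1 },
};

/* Name of the k-th selected group, or "" if k is out of range. */
const char *demo_selected_name(size_t k)
{
    size_t selected[4];
    size_t n = select_key_shares(demo_groups, 4, selected, 4);
    return k < n ? demo_groups[selected[k]].name : "";
}

int demo_selected_count(void)
{
    size_t selected[4];
    return (int)select_key_shares(demo_groups, 4, selected, 4);
}
```

With this list, only X25519MLKEM768 and SECP256R1 are selected: the plain X25519 group is skipped because its PK type was already sent as part of the hybrid, and MLKEM768X25519 is skipped even though it is a distinct group, since checking all siblings rather than only the head node catches the swapped order.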