[gnutls-devel] GnuTLS | Add registration API for KDF / PRF / TLS 1.3 HKDF backends (#1891)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Fri May 22 21:55:36 CEST 2026
Issue created by Thomas Bechtold: https://gitlab.com/gnutls/gnutls/-/work_items/1891
## Description of the feature:
GnuTLS supports runtime backend override for cipher, MAC, digest, RNG, and PK via the `gnutls_crypto_*_register` family. It does not for KDF (HKDF/PBKDF2), PRF (TLS 1.2),
and TLS 1.3 HKDF-Expand-Label — there are no registration hooks for these, and the in-tree HKDF/PRF implementations call Nettle's HMAC functions directly rather than
going through `_gnutls_mac_backend()`, so registering a MAC override does not affect them.
Proposal: add `gnutls_crypto_{kdf,prf,tls13_hkdf}_register` mirroring the existing pattern, plus one public `gnutls_load_crypto_provider(path)` for runtime provider loading.
All-additive ABI (no removals, no exported-signature changes, no SONAME bump). Off-by-default — caller must invoke explicitly. Provider callbacks may return `GNUTLS_E_NEED_FALLBACK` to delegate to the in-tree backend, matching the existing PK trampoline fallback pattern.
## Applications that this feature may be relevant to:
- FIPS-validated GnuTLS backed by OpenSSL's FIPS module — no distribution ships this today. Would let consumers reuse existing OpenSSL FIPS validation instead of revalidating GnuTLS per-distro.
- Post-quantum vendor backends — generalizes leancrypto integration (MR !1925) from static link to runtime load.
- HSM symmetric crypto offload (related to #367) — generalizes the PKCS#11 in-tree dispatch.
## Is this feature implemented in other libraries (and which)
Yes — wolfSSL's gnutls-wolfssl (https://github.com/wolfssl/gnutls-wolfssl) does exactly this for wolfCrypt. They maintain a forked GnuTLS with the same four added symbols and the same call-site dispatch changes (~2300 lines), installed to /opt/gnutls to avoid colliding with system GnuTLS. Without these hooks upstream, every external-backend deployment ends up forking libgnutls. Related: #367 (PKCS#11/HSM), !1925 (leancrypto).
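The fallback behaviour proposed in the issue above, modelled as an added example that is not GnuTLS code and not part of the original issue: `model_kdf_register`, `model_kdf`, the hook signature and the numeric value of `E_NEED_FALLBACK` are hypothetical stand-ins, and the in-tree backend is a placeholder that performs no real cryptography. It assumes that only the fallback code delegates to the in-tree path while any other provider error is returned to the caller, and it records which backend served each call so a deployment can audit that.

```c
#include <stddef.h>
#include <string.h>

#define E_NEED_FALLBACK (-1000) /* stand-in for GNUTLS_E_NEED_FALLBACK; value is local to this model */
enum served_by { SERVED_NONE, SERVED_PROVIDER, SERVED_IN_TREE };

/* Hypothetical hook shape, not a GnuTLS signature. */
typedef int (*kdf_fn)(int mac_id, unsigned char *out, size_t outlen);

static kdf_fn registered_kdf;      /* NULL until registered: off by default */
static enum served_by last_served; /* audit trail: which backend did the work */

/* Models the proposed gnutls_crypto_kdf_register(). */
int model_kdf_register(kdf_fn fn) { registered_kdf = fn; return 0; }
enum served_by model_last_served(void) { return last_served; }

/* Placeholder for the in-tree backend: writes a marker byte, no real crypto. */
static int in_tree_kdf(int mac_id, unsigned char *out, size_t outlen)
{
    (void)mac_id;
    memset(out, 0x4E, outlen);
    return 0;
}

/* Constructed provider: handles mac_id 1, declines 2, fails hard on anything else. */
int sample_provider_kdf(int mac_id, unsigned char *out, size_t outlen)
{
    if (mac_id == 2)
        return E_NEED_FALLBACK;
    if (mac_id != 1)
        return -1;
    memset(out, 0x50, outlen);
    return 0;
}

/* Call-site dispatch: only E_NEED_FALLBACK reaches the in-tree code; other errors are not masked. */
int model_kdf(int mac_id, unsigned char *out, size_t outlen)
{
    int ret;
    last_served = SERVED_NONE;
    if (registered_kdf) {
        ret = registered_kdf(mac_id, out, outlen);
        if (ret != E_NEED_FALLBACK) {
            if (ret == 0)
                last_served = SERVED_PROVIDER;
            return ret;
        }
    }
    ret = in_tree_kdf(mac_id, out, outlen);
    if (ret == 0)
        last_served = SERVED_IN_TREE;
    return ret;
}
```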