f82cc71bfb- Update to 3.8.9 - libgnutls: leancrypto was added as an interim option for PQC The library can now be built with leancrypto instead of liboqs for post-quantum cryptography (PQC), when configured with --with-leancrypto option instead of --with-liboqs. - libgnutls: Experimental support for ML-DSA signature algorithm The library and certtool now support ML-DSA signature algorithm as defined in FIPS 204 and based on draft-ietf-lamps-dilithium-certificates-04. This feature is currently marked as experimental and can only be enabled when compiled with --with-leancrypto or --with-liboqs. Contributed by David Dudas. - libgnutls: Support for ML-KEM-1024 key encapsulation mechanism The support for ML-KEM post-quantum key encapsulation mechanisms has been extended to cover ML-KEM-1024, in addition to ML-KEM-768. MLKEM1024 is only offered as SecP384r1MLKEM1024 hybrid as per draft-kwiatkowski-tls-ecdhe-mlkem-03. - libgnutls: Fix potential DoS in handling certificates with numerous name constraints, as a follow-up of CVE-2024-12133 in libtasn1. The bundled copy of libtasn1 has also been updated to the latest 4.20.0 release to complete the fix. Reported by Bing Shi (#1553). [GNUTLS-SA-2025-02-07, CVSS: medium] [bsc#1236974, CVE-2024-12243 - Licensing information moved to REAMDE.md, COPYING, COPYING.LESSERv2 * Rebased gnutls-FIPS-140-3-references.patch * Rebased gnutls-FIPS-TLS_KDF_selftest.patch * Rebased gnutls-FIPS-jitterentropy.patch * Rebased gnutls-disable-flaky-test-dtls-resume.patch * Rebased gnutls-srp-test-SIGPIPE.patch * Rebased gnutls-3.5.11-skip-trust-store-tests.patch * Add gnutls-set-cligen-python-interp.patchPedro Monreal Gonzalez2025-02-24 12:46:22 +00:00
1c06047e0cAccepting request 1224137 from security:tls
Ana Guerrero
2024-11-15 14:37:54 +00:00
0e88121289- Update to 3.8.8: - libgnutls: Experimental support for X25519MLKEM768 and SecP256r1MLKEM768 key exchange in TLS 1.3: The support for post-quantum key exchanges has been extended to cover the final standard of ML-KEM, following draft-kwiatkowski-tls-ecdhe-mlkem. The minimum supported version of liboqs is bumped to 0.11.0. - libgnutls: All records included in an OCSP response are now checked in TLS: Previously, when multiple records are provided in a single OCSP response, only the first record was considered; now all those records are examined until the server certificate matches. - libgnutls: Handling of malformed compress_certificate extension is now more standard compliant: The server behavior of receiving a malformed compress_certificate extension now more strictly follows RFC 8879; return illegal_parameter alert instead of bad_certificate, as well as overlong extension data is properly rejected. - build: More flexible library linking options for compression libraries, TPM, and liboqs support: The configure options, --with-zstd, --with-brotli, --with-zlib, --with-tpm2, and --with-liboqs now take 4 states: yes/link/dlopen/no, to specify how the libraries are linked or loaded. * Rebase gnutls-FIPS-140-3-references.patchPedro Monreal Gonzalez2024-11-14 09:41:10 +00:00
e4c415ffa3Accepting request 1204664 from security:tls
Ana Guerrero
2024-10-01 15:11:13 +00:00
fb6da79b80- Build with liboqs to support the X25519Kyber768 post-quantum key exchange algorithm.Pedro Monreal Gonzalez2024-09-30 06:48:36 +00:00
e5c41cf446Accepting request 1198672 from security:tls
Ana Guerrero
2024-09-05 13:46:14 +00:00
b97f6df6c5- Update to 3.8.7: * libgnutls: New configure option to compile out DSA support The --disable-dsa configure option has been added to completely disable DSA algorithm support. * libgnutls: Experimental support for X25519Kyber768Draft00 key exchange in TLS. For testing purposes, the hybrid post-quantum key exchange defined in draft-tls-westerbaan-xyber768d00 has been implemented using liboqs. Since the algorithm is still not finalized, the support of this key exchange is disabled by default and can be enabled with the --with-liboqs configure option. * Rebase patches: - gnutls-FIPS-140-3-references.patch - gnutls-FIPS-HMAC-nettle-hogweed-gmp.patchPedro Monreal Gonzalez2024-09-04 09:29:34 +00:00
e6e90a5708- Update to 3.8.6: * libgnutls: PBMAC1 is now supported as a MAC mechanism for PKCS#12 To be compliant with FIPS 140-3, PKCS#12 files with MAC based on PBKDF2 (PBMAC1) is now supported, according to the specification proposed in draft-ietf-lamps-pkcs12-pbmac1. * libgnutls: SHA3 extendable output functions (XOF) are now supported SHA3 XOF, SHAKE128 and SHAKE256, are now usable through a new public API gnutls_hash_squeeze. * API and ABI modifications: - gnutls_pkcs12_generate_mac3: New function - gnutls_pkcs12_flags_t: New enum - gnutls_hash_squeeze: New function * Rebase patches: - gnutls-FIPS-140-3-references.patch - gnutls-FIPS-jitterentropy.patchPedro Monreal Gonzalez2024-07-25 09:27:01 +00:00
5f0bfcd373Accepting request 1165545 from security:tls
Ana Guerrero
2024-04-08 15:37:29 +00:00
ea12736003Accepting request 1165440 from home:pmonrealgonzalez:branches:security:tlsPedro Monreal Gonzalez2024-04-05 10:43:46 +00:00
8b77a4e97eAccepting request 1163122 from security:tls
Ana Guerrero
2024-03-28 12:52:41 +00:00
a4ac49a50aAccepting request 1161324 from home:pmonrealgonzalez:branches:security:tlsPedro Monreal Gonzalez2024-03-27 18:58:32 +00:00
91b174ffe3Accepting request 1151783 from security:tls
Ana Guerrero
2024-02-27 21:45:15 +00:00
Dominique Leuenberger
Angel Yankov
Pedro Monreal Gonzalez
Ana Guerrero
Marcus Meissner
Otto Hollmann
OBS User buildservice-autocommit
Richard Brown
Jason Sikes
Tomáš Chvátal
Vítězslav Čížek