Accepting request 1320661 from devel:libraries:c_c++

OBS-URL: https://build.opensuse.org/request/show/1320661 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s2n?expand=0&rev=34
- Update to version 1.6.1
2025-12-01 10:14:49 +00:00 · 2025-11-30 14:18:21 +00:00 · 2025-11-11 18:20:57 +00:00 · 2025-11-11 08:27:59 +00:00 · 2025-09-30 15:42:53 +00:00 · 2025-09-30 07:58:15 +00:00
4 changed files with 665 additions and 4 deletions
--- a/s2n.changes
+++ b/s2n.changes
@@ -1,3 +1,664 @@
+-------------------------------------------------------------------
+Wed Nov 26 12:54:08 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to version 1.6.1
+  * test: add memory profiler test (#5329)
+  * docs: comments for blob, stuffer methods (#5326)
+  * refactor: remove unused s2n_socket_set_read_size method (#5594)
+  * chore: Rust bindings release 0.3.29 (#5595)
+  * feat(integration): enable CodeBuild and Nix for rust integration tests (#5578)
+  * fix: update action user name (#5600)
+  * fix: update memory usage test assertions (#5592)
+  * docs: update pull request template (#5591)
+  * Revert "feat: basic security policy builder interface (#5493)" (#5599)
+  * docs: add dev docs on handshake and io (#5596)
+  * ci: PR conventional commit lint GHA (#5603)
+  * fix(ci): add `build` to the validate-pr-title CI job (#5610)
+  * build(deps): bump the all-gha-updates group across 1 directory with 2 updates (#5605)
+  * test(integration): add dynamic record sizing test (#5608)
+  * ci: update cmake version (#5612)
+  * ci: exclude `validate-pr-title` from merge queue (#5613)
+  * feat: add pure ML-KEM support (#5586)
+  * fix(ci): check Amazon copyright statement (#5611)
+  * ci: move the integnix job to us-west-2 (#5604)
+  * fix: replace `uint8_t` in for loops (#5619)
+  * refactor(harness): Extend handshake logic to support TLS 1.2 (#5614)
+  * test: require both MLKem and MLDsa capabilities for pure MLKEM tests (#5621)
+  * ci: add rust integration test to codebuild start script (#5623)
+  * docs: Adds note about serialization error case (#5617)
+  * fix: enable -Wcast-qual flag for libcrypto=awslc (#4735)
+
+-------------------------------------------------------------------
+Wed Nov  5 14:07:47 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to version 1.6.0
+  * docs: Small doc changes for KTLS (#5521)
+  * ci: install missing rust component for gitthub action workflows (#5528)
+  * refactor(aws-kms-tls-auth): add hmac based psk derivation (#5519)
+  * chore: bindings release 0.3.27 (#5526)
+  * fix(usage-guide): Update book.toml for mdbook 0.5 release (#5535)
+  * bindings(rust): bump extended crates MSRV to 1.72.0 (#5534)
+  * feat(bindings): expose cert validation callback (#5357)
+  * chore: bindings release 0.3.28 (#5540)
+  * chore: add new team member (#5542)
+  * fix: validate protocol version during connection deserialization (#5523)
+  * chore(bindings): revert dependency pins (#5544)
+  * refactor(aws-kms-tls-auth): psk provider using HMAC psks (#5530)
+  * chore: update bindgen version to v0.69.0 (#5396)
+  * refactor 1/2: Fix security policy version in tests to numbered string (#5549)
+  * refactor: add psk receiver (#5552)
+  * build(deps): update rtshark requirement from 3.1.0 to 4.0.0 in /tests/pcap
+    in the all-cargo-updates group across 1 directory (#5555)
+  * fix(aws-kms-tls-auth): supress logging & version bump (#5554)
+  * refactor 2/2: Fix security policy version in tests to numbered string (#5553)
+  * fix(test): Reduce s2n_security_policies_test duration (#5558)
+  * docs: update nix integration test instructions for uvinteg function (#5550)
+  * build(deps): bump the all-gha-updates group across 1 directory with 4 updates (#5548)
+  * build(deps): update zeroize requirement from =1.7.0 to =1.8.2
+    in /bindings/rust/extended (#5537)
+  * build(deps): update regex requirement from =1.9.6 to =1.12.1
+    in /bindings/rust/extended (#5556)
+  * feat: Improve supported cipher suites in RFC9151 policy (#5559)
+  * ci: pin to older kissat version to unblock CBMC (#5581)
+  * fix: update test broken by Openssl dhe generation change (#5580)
+  * feat: output utility for security policy (#5502)
+  * feat: add PQ only policy support (#5545)
+  * fix: update test_pq_only policy snapshot (#5583)
+  * refactor: Adds tls13 ciphersuites to default/default_fips policy (#5560)
+  * build(deps): bump the all-gha-updates group in /.github/workflows
+    with 2 updates (#5585)
+  * ci: scope down GitHub Token permissions (#5570)
+
+-------------------------------------------------------------------
+Fri Sep 26 06:39:02 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to version 1.5.27
+  * docs(usage guide): description connection serialization (#5504)
+  * test(integv2): trim bloated cases (#5453)
+  * test: Adds test for serializing a previously-serialized connection (#5495)
+  * chore: bindings release 0.3.26 (#5509)
+  * build(deps): bump the all-gha-updates group in /.github/workflows
+    with 4 updates (#5497)
+  * ci: fix clippy (#5516)
+  * chore: delete files in preparation for refactor (#5517)
+  * chore(ci): Update older integ job to prep for deprecation (#5501)
+  * ci: pin libloading which requires MSRV 1.71 (#5520)
+  * chore(ci): add openssl-1.0.2-fips gcc-4.8 job (#5512)
+  * chore(ci): add sanitizer jobs for openssl-1.0.2-fips (#5508)
+  * ci: remove duplicate buildspec (#5228)
+  * feat: Add key update to ktls feature (#5484)
+
+-------------------------------------------------------------------
+Fri Sep 19 08:33:56 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to version 1.5.26
+  * chore(nix): Move nix integ jobs to ec2 fleets (#5461)
+  * chore: Adds build file to get new codebuild project running in CI (#5476)
+  * build(deps): bump the all-gha-updates group across
+    1 directory with 3 updates (#5479)
+  * chore(nix): switch to nixpkgs libressl (#5467)
+  * chore(release): release s2n-tls v0.3.25 (#5486)
+  * ci: tweak ruff ci failure message (#5485)
+  * refactor: signature scheme name adjustment (#5472)
+  * feat: add method to get signature scheme name (#5471)
+  * Fix HKDF on big-endian (#5478)
+  * refactor(tls-harness): avoid implicit shutdown of ossl connection (#5474)
+  * fix: no server signature scheme expected with rsa kex (#5481)
+  * feat: add pure mlkem_1024 definition (#5468)
+  * feat(integration): add utilities for capability assertions (#5475)
+  * build(deps): bump nixbuild/nix-quick-install-action from 32 to 33
+    in /.github/workflows in the all-gha-updates group (#5487)
+  * feat: 'latest' option for strict policy (#5488)
+  * chore: pin to older pytest-rerunfailures (#5494)
+  * refactor: move new default policies to separate file (#5492)
+  * feat: basic security policy builder interface (#5493)
+  * chore: bump instance size for Valgrind (#5500)
+  * chore(nix): Flip awslc to upstream flake. (#5317)
+  * ci: only use git fetch for nix jobs (#5506)
+  * feat: add async public key support (#5473)
+
+-------------------------------------------------------------------
+Tue Sep  2 08:18:36 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to version 1.5.25
+  * chore: bindings release 0.3.24 by @johubertj in (#5455)
+  * chore: apply clippy fixes by @johubertj in (#5459)
+  * Add fixed version of the rfc9151 policy by @Mark-Simulacrum in (#5277)
+  * test(integration): add record padding test by @jmayclin in (#5451)
+  * refactor(stuffer): Rename s2n_stuffer_has_pem_encapsulated_block
+    by @alice-aws in (#5465)
+  * ci: don't include tls/extensions in SAW build by @lrstewart in (#5466)
+  * ci: fix wikipedia network test + better error message by @lrstewart in (#5470)
+  * refactor: setup replacement default policies by @lrstewart in (#5464)
+  * Add TLSv1.3 (classical + PQ) policies for CloudFront Upstream
+    by @WillChilds-Klein in (#5460)
+
+-------------------------------------------------------------------
+Tue Aug  5 08:11:20 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to version 1.5.24
+  * refactor(bench): unify IO methods (#5434)
+  * test(bench): add api for mutual auth handshake (#5437)
+  * chore: bindings release 0.3.23 (#5439)
+  * ci: document how to manually run the codebuild jobs (#5441)
+  * chore: add Awslc fips next to CI (#5349)
+  * feat: add integration test for secp384r1_mlkem_1024 (#5438)
+  * fix(typo): fix a typo in codebuild.yml (#5445)
+  * build(deps): update criterion requirement from 0.6 to 0.7 in
+    /bindings/rust/standard (#5442)
+  * chore(ci): tell crt to not check submodule version (#5450)
+  * Add AWS-CRT-SDK-TLSv1.0-2025-PQ (#5403)
+  * chore(ci): once a week, clean the nix store for the kTLS job. (#5430)
+  * refactor(tls-harness): separate benchmark abstractions (#5444)
+
+-------------------------------------------------------------------
+Fri Aug  1 13:58:11 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to version 1.5.23
+  * fix(ci): adding set -e to prevent nix develop to hide failing tests (#5393)
+  * chore: release 0.3.22 (#5397)
+  * docs: note that s2n_shutdown may keep reading (#5370)
+  * feat(aws-kms-tls-auth): add codec and parsing (#5398)
+  * ci: start codebuild jobs from github actions (#5383)
+  * ci: Migrate Duvet GitHub Action to duvet-action repo (#5400)
+  * feat(aws-kms-tls-auth): add psk identity (#5402)
+  * feat: add ML-KEM-1024 kem definition (#5367)
+  * Flip Nix integration tests to use uv/pytest (#5352)
+  * feat(aws-kms-tls-auth): add provider & receiver structs (#5408)
+  * ci: require repo write permissions for codebuild (#5421)
+  * docs(aws-kms-tls-auth): add readme (#5409)
+  * docs(aws-kms-tls-auth): clarify security impact of failure modes (#5424)
+  * ci: run rustfmt/clippy on standard crates (#5333)
+  * feat: add secp384r1_mlkem_1024 kem group (#5395)
+  * feat(bench): add generic shutdown functionality (#5426)
+  * chore: Nix Corretto version bump/upstream (#5427)
+  * feature: update default_pq to support secp384r1_mlkem_1024 (#5433)
+  * build(deps): bump cross-platform-actions/action from 0.28.0 to 0.29.0
+    in /.github/workflows in the all-gha-updates group (#5435)
+
+-------------------------------------------------------------------
+Fri Jul 11 10:59:37 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to version 1.5.22
+  * chore(ci): add a cargo timing buildspec (#5176)
+  * build(deps): update pprof requirement from 0.14 to 0.15
+    in /bindings/rust/standard (#5334)
+  * refactor(examples): remove connection pool (#5353)
+  * ci: Fix the sslyze test for nix (#5283)
+  * Include application message in Debug impl (#5359)
+  * build: prevent needless rebuild with S2N_INTERN_LIBCRYPTO=ON and Ninja (#5356)
+  * build(deps): bump baptiste0928/cargo-install from 3.3.0 to 3.3.1
+    in /.github/workflows in the all-gha-updates group (#5361)
+  * tests(integv2): fix flaky session resumption test (#5362)
+  * tests(integ): add more debug logging (#5363)
+  * build(deps): bump nixbuild/nix-quick-install-action from 30 to 31
+    in /.github/workflows in the all-gha-updates group (#5366)
+  * build(deps): bump nixbuild/nix-quick-install-action from 31 to 32
+    in /.github/workflows in the all-gha-updates group (#5371)
+  * fix: policy util should ignore deprecated TLS1.2 kems if missing (#5372)
+  * chore: apply clippy and fmt fixes (#5386)
+  * feature: new TLS1.2 + FIPS CRT security policy (#5375)
+
+-------------------------------------------------------------------
+Wed Jul  2 07:39:00 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to version 1.5.21
+  * feat(bindings): expose custom critical extension API (#5337)
+  * tests(integ): fix nondeterministic ocsp test shutdown behavior (#5340)
+  * chore: Bindings release 0.3.20 (#5344)
+  * ci: workaround for nix + gnutls + ubuntu24 issue (#5345)
+  * fix: do not use "digest and sign" for ML-DSA in FIPS mode (#5348)
+
+-------------------------------------------------------------------
+Tue Jun  3 09:17:03 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to version 1.5.20
+  * feat(examples): add key log example (#5314)
+  * build(deps): bump the all-gha-updates group across 1 directory
+    with 3 updates (#5315)
+  * Add CertificateRequest certificate selection callback (#5318)
+  * CertificateRequest Rust bindings (#5331)
+  * chore: bindings release 0.3.20 (#5332)
+  * fix(benches): reuse config for handshakes (#5319)
+  * feat: add custom critical extension support (#5321)
+  * ci: Use official libcrypto verification model repository (#5336)
+  * chore(ci): Pin parking_lot_core, lock_api (#5338)
+
+-------------------------------------------------------------------
+Tue May 27 06:59:27 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to version 1.5.19
+  * Remove unused negotiate_kem function causing build failure (#5316)
+  * chore: Bump nixpkgs version to 24.11 (#5294)
+  * tests: policy snapshot test (#5309)
+  * fix(benches): use session ticket for resumption (#5305)
+  * feature: release ML-DSA support (#5307)
+  * feature: support for ML-DSA handshake signatures (#5303)
+  * tests: turn verbose mode off by default in integ tests (#5286)
+  * Revert "build: add pull requests limit for dependabot" (#5302)
+  * chore: Update Apache test certificates from RSA1024 to RSA2048 (#5285)
+  * feature: add crypto support for mldsa signing (#5272)
+  * refactor: remove conn->client_hello_version (#5278)
+  * build(deps): unpin test-log because of MSRV updates (#5300)
+  * build: add pull requests limit for dependabot (#5299)
+  * chore: bindings release 0.3.19 (#5298)
+  * build(deps): update strum requirement from 0.25 to 0.27
+    in /bindings/rust/standard (#5292)
+  * build(deps): update test-log-macros requirement from =0.2.14
+    to =0.2.17 in /bindings/rust/standard (#5290)
+  * feat: Add `as_ptr()` API for Config (#5274)
+  * tests: reduce integ test flakiness + improve debugability (#5282)
+  * build(deps): update env_logger requirement from 0.10 to 0.11
+    in /bindings/rust/standard (#5296)
+  * build(deps): bump aws-actions/configure-aws-credentials from 4.1.0
+    to 4.2.0 in /.github/workflows in the all-gha-updates group (#5297)
+  * tests: fix flaky test_serialization (#5288)
+  * chore: bump standard MSRV to 1.82.0 (#5295)
+  * chore: Add comments to track dependency requirements (#5287)
+  * tests: improve coverage for s2n_stream_cipher_null (#5268)
+  * build(deps): bump astral-sh/setup-uv from 5 to 6 in /.github/workflows
+    in the all-gha-updates group (#5273)
+  * chore: bindings release 0.3.18 (#5284)
+  * ci: fix expectations when using system default libcrypto (#5279)
+  * ci: handle 429 from yahoo.com network integ test (#5280)
+
+-------------------------------------------------------------------
+Tue May  6 12:44:35 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to version 1.5.18
+  * build: add -Wa,-mbranches-within-32B-boundaries compiler flag (#5267)
+  * build(deps): bump JulienKode/team-labeler-action from 1.3.0 to 2.0.0
+    in /.github/workflows in the all-gha-updates group (#5252)
+  * refactor: remove unused hash methods (#5269)
+  * Add 20250414 security policy (#5253)
+  * feature: add support for configuring (but not yet using) ml-dsa certs (#5263)
+  * tests: add ml-dsa test certs from RFC (#5261)
+  * refactor: cleanup hash to better support multiple implementations (#5258)
+  * chore: bindings release 0.3.17 (#5260)
+  * chore: add new team member (#5259)
+  * ci: add awslcfips to nix jobs (#5205)
+  * chore(ci): revert nix installer pin (#5251)
+
+-------------------------------------------------------------------
+Wed Apr 23 12:43:13 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to version 1.5.17
+  * ci: use correct openssl version for updated AL2023 version (#5255)
+  * ci: pytest generate junit reports (#5235)
+  * feat: Expose `as_ptr()` for external build (#5229)
+  * doc: tainted stuffer reset operation (#5231)
+  * fix: make -fPIC flag private (#5227)
+  * Revert "ci: exclude new setuptools (#5215)" (#5226)
+  * refactor: remove legacy pkey impls (#5241)
+  * chore: bindings release 0.3.16 (#5242)
+  * fix: tainted handshake.io and add large client hello test (#5208)
+  * ci: rebalance integV2 testcases (#5232)
+  * chore: Fix new clippy warning (#5243)
+  * ci: pin nix installer to older version (#5245)
+
+-------------------------------------------------------------------
+Wed Apr  9 09:16:43 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to version 1.5.16
+  * ci: add ruff linting (#5182)
+  * feat(bindings): expose certificate match api (#5220)
+  * refactor: add evp pkey size/encrypt/decrypt methods (#5225)
+  * ci: add openssl-3.0-fips to general batch (#5207)
+  * refactor: implement match the same for all pkeys (#5224)
+  * ci: Fix cppcheck build (#5238)
+  * fix: tighten session ticket lifetime (#5217)
+  * refactor(bindings): use implicit linking for aws-lc (#5218)
+  * docs: fix openssl-3.0-fips provider requirements documentation (#5214)
+  * ci: add openssl-3.0-fips to valgrind (#5211)
+  * chore: bindings release 0.3.15 (#5221)
+  * feat: add s2n_connection_get_key_exchange_group (#5209)
+  * fix: Update README.md to include Rust bindings docs (#5212)
+  * ci: exclude new setuptools (#5215)
+  * Remove PQ TLS 1.2 from all Security Policies (#5194)
+  * chore: binding release 0.3.14 (#5210)
+  * chore: deprecate s2n_set (#5155)
+  * fix: handshake message length integer overflow in s2n_handshake_finish_header (#5206)
+  * ci: add openssl-3.0-fips to asan build properly (#5204)
+  * ci: add libcrypto openssl-3.0-fips to integ tests (#5202)
+
+-------------------------------------------------------------------
+Wed Apr  2 15:14:55 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to version 1.5.15
+  * feature: openssl-3.0-fips support (#5191)
+  * ci: defend against unset version number in awslc installer (#5195)
+  * fix: openssl-3.0-fips should use libcrypto HKDF (#5183)
+  * fix: remove unnecessary RC4 restriction (#5170)
+  * fix: openssl-3.0-fips should use separate private rand (#5184)
+  * ci: move openssl3fips build to existing asan build (#5181)
+  * chore: include Need By Date section in github issue template (#5187)
+  * ci: cleanup awslc-fips versioning (#5156)
+  * chore: bump linting action Ubuntu version (#5186)
+  * build(deps): update aws-lc-rs version to remove paste deps (#5192)
+  * test: fix self-talk pkey offload test for openssl-3.0-fips (#5175)
+  * test: reduce parameter selection (#5161)
+  * chore: add inline noqa suppression (#5159)
+  * ci: make start_codebuild.sh work for forks (#5178)
+  * test(integv2): add partial support for OpenSSL 3.0 provider (#5131)
+  * (docs): Improve PQ docs (#5173)
+  * ci: use ruff --diff instead of --check (#5177)
+  * chore: pin once_cell version to unblock the CI (#5174)
+  * fix(ruff): resolve linting errors detected by Ruff (#5140)
+  * fix: mark chachapoly as unavailable with openssl-3.0-fips (#5168)
+  * tests: fix flaky ja4 test (#5169)
+  * chore: update git blame ignore commit ID (#5164)
+  * style: fix redundant return (#5150)
+  * build(deps): bump nixbuild/nix-quick-install-action from 29 to 30
+    in /.github/workflows in the all-gha-updates group (#5153)
+  * refactor: add libcrypto PRF impl for openssl-3.0-fips (#5158)
+  * chore: binding release 0.3.13 (#5167)
+  * chore(ci): pin symbolic-common (#5166)
+
+-------------------------------------------------------------------
+Fri Mar 14 09:44:47 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to version 1.5.14
+  * tests: try to make s2n_mem_usage_test more useful (#5139)
+  * chore: git-blame-ignore ruff formatting (#5151)
+  * chore(bindings): change in rustup behavior (#5160)
+  * refactor: remove unused prf hmac impls (#5148)
+  * chore(ci): make the awslc fips install script version aware (#5100)
+  * fix: memory leak during STEK rotation (#5146)
+  * refactor: add alternative EVP signing method (#5141)
+  * refactor: cleanup prf header (#5144)
+  * feat(bindings): expose context on cert chain (#5132)
+  * Ruff Formatting and add to CI (#5138)
+  * chore(nix): Add aws-lc-fips 2022/4 (#5109)
+  * test(integv2): fixes to allow test_record_padding to partially run (#5099)
+  * build(deps): update rtshark requirement from 2.9.0 to 3.1.0 in /tests/pcap
+    in the all-cargo-updates group across 1 directory (#5087)
+  * tests: use sig schemes as source of truth for valid hash+sig algs (#5129)
+- from version 1.5.13
+  * ci: always set values for command line defines (#5126)
+  * fix: update callback return value (#5136)
+  * refactor: always use EVP hashing (#5121)
+  * ci: add check for third-party-src in disable rand override buildspec (#5137)
+  * feat: add async cert validation support (#5110)
+  * chore: remove unused well-known-endpoints.py (#5127)
+  * fix(bindings): remove mutation behind Arc (#5124)
+  * chore: binding release 0.3.12 (#5128)
+  * refactor: use EVP_MD_fetch() if available (#5116)
+  * feat: Option to disable RAND engine override (#5108)
+  * fix(bindings): make Context borrow immutable (#5071)
+  * build(deps): update rand requirement (#5125)
+  * chore: fix a typo in API comments (#5123)
+  * bindings: unpin openssl crate from a specific patch version (#5120)
+  * refactor: move "s2n_libcrypto_is" methods into s2n_libcrypto.h (#5117)
+  * Add new security policy (20250211) (#5111)
+  * Revert "refactor: remove unused evp support for md5+sha1 (#5106)" (#5118)
+  * ci: add default provider to openssl-3.0-fips (#5114)
+  * fix: don't enable custom random for openssl fips (#5093)
+  * fix: allow b64 decoding using libcrypto for sidechannel resistance (#5103)
+  * refactor: remove unused evp support for md5+sha1 (#5106)
+  * refactor: remove s2n_hmac_is_available (#5104)
+  * build(deps): bump aws-actions/configure-aws-credentials from 4.0.2 to 4.1.0
+    in /.github/workflows in the all-gha-updates group across 1 directory (#5107)
+  * fix(integrationv2): Skip unsupported client auth tests (#5096)
+  * chore: bindings release 0.3.11 (#5098)
+  * chore: ktls buildspec (#5083)
+  * Fixed formatting for debugging statements (#5094)
+  * feat(bindings): add external psk apis (#5061)
+  * test: add minimal openssl-3.0-fips test (#5081)
+- from version 1.5.12
+  * fix(ci): Allow validate_start_codebuild to run on pushes to main (#5080)
+  * fix: don't use DEPENDS with add_custom_command(TARGET) (#5074)
+  * fix: error for uninit psk, check for all-zero psk (#5084)
+  * fix: calculation of session ticket age (#5001)
+  * fix: add support for `S2N_INTERN_LIBCRYPTO` with FetchContent (#5076)
+  * fix(integration): Update PQ integration test expectations (#5082)
+  * ci: fix dependabot, commit & check Cargo.toml (#5065)
+  * docs(s2n-tls-hyper): Add hyper client/server example (#5069)
+  * docs(integv2): add architecture diagram (#5072)
+  * fix(bindings): prevent temp connection free after panic (#5067)
+  * ci: Emit benchmark metrics from scheduled runs (#5064)
+  * ci: change rust-toolchain format to toml (#5070)
+  * Revert "ci: remove openssl-1.0.2-fips builds (#4995)" (#5060)
+  * feat(bench): impl into for base config type (#5056)
+  * refactor: cleanup CBMC proofs after #5048 (#5058)
+  * ci: Adding integ tests back to integv2 (#5054)
+  * refactor: remove openssl-1.0.2-fips 'allow md5' logic (#5048)
+  * ci: pin duvet version (#5057)
+  * build(deps): bump cross-platform-actions/action from 0.26.0 to 0.27.0
+    in /.github/workflows in the all-gha-updates group (#5053)
+  * chore: fix typos (#5052)
+  * chore: bump osx Openssl to latest (#5041)
+  * chore: bindings release for 0.3.10 (#5046)
+  * fix: initial config should not influence sslv2 (#4987)
+  * ci: add openssl-3.0-fips builds (#5037)
+  * Add Security Policy Deprecation API (#5034)
+  * docs: add C / s2n-tls-sys doc references to s2n-tls docs (#5012)
+  * test: add sslv2 client hello test w/ jvm (#5019)
+  * ci: add timeout for cbmc proof (#5038)
+  * fix(bindings): Specify correct minimum versions (#5028)
+
+-------------------------------------------------------------------
+Mon Feb  3 10:32:39 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to version 1.5.11
+  * fix: add build specs to copyright check (#5025)
+  * chore: run more checks on pushes to main (#4963)
+  * feature: remove openssl-1.0.2-fips fips mode support (#5030)
+  * tests: make integV2 locally runnable (#5029)
+  * chore: improve the dashboard comment query (#5016)
+  * refactor(bin): remove references to FIPS_mode_set (#5026)
+  * ci: improve output of validate_start_codebuild_script (#5031)
+  * chore: remove unused test utils (#5005)
+  * ci: keep start_codebuild.sh up-to-date (#5023)
+  * ci: commit integrationv2 small batch spec (#5020)
+  * fix(bindings/bench): Prevent IO from going out of scope (#5007)
+  * chore: remove unused imports (#5017)
+  * fix: don't prefix empty string when interning (#5015)
+  * Migrate PQ Python code to TLS 1.3 (#4999)
+  * ci: config logging for integration tests (#4751)
+  * ci: add script to help launch stuck codebuild jobs (#5004)
+  * chore(s2n-tls-hyper): Publish s2n-tls-hyper (#5000)
+  * chore: add new team member (#5006)
+  * Migrate PQ Rust code to TLS 1.3 (#4998)
+  * ci: remove S2N_TEST_IN_FIPS_MODE (#4994)
+  * ci: remove openssl-1.0.2-fips builds (#4995)
+  * ci: correctly read environment variable from CodeBuild
+    configuration for scheduled fuzz test (#4990)
+  * fix: add coverage for all ticket formats (#4997)
+  * ci: fix regression test paths (#4996)
+  * ci: run fuzz tests in parallel and generate coverage report (#4960)
+  * chore: move hyper to a newer MSRV (#4983)
+  * chore: remove toidiu from teams.yml (#4985)
+  * feat(s2n-tls-hyper): Allow plain HTTP connections (#4978)
+  * chore(binding): release 0.3.9 (#4982)
+  * refactor(bindings/bench): make harness own IO (#4847)
+  * refactor(s2n-tls-hyper): Add HttpsConnector builder (#4976)
+
+-------------------------------------------------------------------
+Tue Jan  7 10:19:36 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to version 1.5.10
+  * refactor(bench): remove historical benchmarks (#4940)
+  * fix: pem parsing detection of last cert errors (#4908)
+  * docs: specify s2n_blob growable conditions (#4943)
+  * chore(bindings): move tokio examples to dedicated folder (#4954)
+  * chore: fix GHA for merge-queue (#4973)
+  * chore(binding): release 0.3.8 (#4969)
+  * (chore): Installs Nix in AL2023 Buildspec (#4934)
+  * build(deps): bump the all-gha-updates group in /.github/workflows with 5 updates (#4961)
+  * feat(s2n-tls-hyper): Add support for negotiating HTTP/2 (#4924)
+  * tests: allow TLS1.2 with RSA-PSS certs in integ tests (#4949)
+  * ci: update CRT test ubuntu version to ubuntu24 (#4964)
+  * feat(bindings): enable application owned certs (#4937)
+  * ci: batch dependabot updates (#4959)
+  * ci(refactor): deprecate Omnibus (#4953)
+  * build(deps): bump actions/cache from 2.1.4 to 4.1.2 in /.github/workflows (#4928)
+  * build(deps): bump peaceiris/actions-gh-pages from 3 to 4 in /.github/workflows (#4921)
+  * build(deps): bump cross-platform-actions/action from 0.23.0 to 0.26.0 in /.github/workflows (#4951)
+  * build(deps): bump github/codeql-action from 2 to 3 in /.github/workflows (#4917)
+  * ci: add change directory to third-party-src logic (#4950)
+  * feat: TLS1.2 support for RSA-PSS certificates (#4927)
+  * feat: feature probe S2N_LIBCRYPTO_SUPPORTS_ENGINE (#4878)
+  * test(bindings): run unit tests under asan (#4948)
+  * ci(refactor): remove ASAN from Omnibus and GeneralBatch (#4946)
+  * ci(refactor): remove fuzz tests from Omnibus (#4945)
+  * refactor: add a s2n_libcrypto_is_openssl() helper function (#4930)
+  * fix(s2n-tls-hyper): Add proper IPv6 address formatting (#4938)
+  * ci: add openssl-1.0.2-fips to fuzz test (#4942)
+  * ci(refactor): remove Valgrind checks from omnibus and generalBatch (#4913)
+  * fix(bindings): address clippy issues from 1.83 (#4941)
+  * test: pin tests to explicit TLS 1.2/TLS 1.3 policy (#4926)
+  * (chore): Fixes team-label github action (#4935)
+  * chore: add new team member (#4939)
+  * upgrade cmake version to 3.9 (#4933)
+  * ci: add awslc-fips and openssl-1.0.2-fips to valgrind (#4912)
+  * chore(bindings): feature gate network testsa and relax http status assertions (#4907)
+  * chore: Ocsp timeout adjustment (#4866)
+  * build(deps): bump aws-actions/configure-aws-credentials from 4.0.1 to 4.0.2 in /.github/workflows (#4892)
+  * test: expand s2n_record_read testing to both TLS1.3 and TLS1.2 (#4903)
+  * test: pin optional client auth test to a TLS 1.2 policy (#4914)
+  * feat: add alert mappings for certificate errors (#4919)
+  * doc: document generating bindings with prebuilt libs2n (#4872)
+  * ci: Move kTLS test out of GeneralBatch (#4904)
+  * build(deps): bump actions/checkout from 3 to 4 in /.github/workflows (#4888)
+  * test(s2n-tls-hyper): matching on s2n-tls error (#4906)
+  * build(deps): bump nixbuild/nix-quick-install-action from 21 to 29 in /.github/workflows (#4890)
+  * build(deps): bump JulienKode/team-labeler-action from 0.1.1 to 1.3 in /.github/workflows (#4889)
+  * tests: pin tests to a numbered TLS1.2 policy (#4905)
+  * test: remove load system certs functionality for s2n_default_tls13_config (#4897)
+  * doc: add information about s2n-tls software architecture (#4868)
+  * ci: grant dependabot status update permissions (#4898)
+  * ci: fixes for cargo audit (#4895)
+  * test(s2n-tls-hyper): Add localhost http tests (#4838)
+  * test: add rust well-known-endpoint tests (#4884)
+  * chore: bindings release 0.3.7 (#4894)
+  * chore: add a cargo audit action (#4862)
+  * ci: add open fds valgrind check (#4851)
+
+-------------------------------------------------------------------
+Thu Nov 21 11:11:40 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to version 1.5.9
+  * feat: Reworking cleanup behavior (#4871)
+  * chore: broaden use of flaky mark (#4865)
+  * chore: configure dependabot (#4861)
+- from version 1.5.8
+  * fix: fix open AF_INET sockets in s2n_self_talk_ktls_test.c (#4852)
+  * chore: update github PR template (#4885)
+  * feat: add new security policy `20241106` (#4874)
+  * chore: remove unused benchmarks (#4869)
+  * ci: Clean dup source tree for CRT (#4882)
+  * ci: remove www.mozilla.com from well-known to unblock CI (#4880)
+  * fix: move prelude inclusion as PRIVATE (#4876)
+  * build: add s2n_prelude.h to consolidate defines (#4465)
+  * chore: bindings release 0.3.6 (#4867)
+  * doc: fix incorrect README references (#4863)
+  * fix: typo in comment of s2n_self_talk_tls13_test (#4864)
+
+-------------------------------------------------------------------
+Mon Nov  4 14:02:24 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to version 1.5.7
+  * fix: close all /dev/urandom open fds (#4835)
+  * docs: update fips documentation to specify supported libcrypto (#4857)
+  * fix(bindings): correct poll_flush implementation (#4859)
+  * feat: Adds cleanup_final (#4853)
+  * test(bindings): Consolidate test pems (#4858)
+  * chore: bindings release 0.3.5 (#4860)
+  * chore: grant duvet action more permissions (#4854)
+  * (feat): Adds certificate match metrics API (#4844)
+
+-------------------------------------------------------------------
+Thu Oct 24 12:58:26 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to version 1.5.6
+  * chore: Fix failing OIDC workflows; cleanup unused actions (#4848)
+  * chore(GHA): Update duvet arguments (#4850)
+  * chore: remove unused compile definition (#4815)
+  * Add new MLKEM TLS Policies (#4830)
+  * fix: fix opened AF_UNIX sockets that didn't call s2n_io_pair_close (#4833)
+  * bindings: pin openssl crate to 0.10.66 (#4849)
+  * chore: flip 2 GHAs to use short lived creds. (#4839)
+  * fix: fix s2n_io_pair_close_one_end (#4841)
+  * ci: Re-enable asan and ubsan for fuzz tests (#4840)
+  * fix: some open AF_UNIX sockets in forked child processes (#4834)
+  * Update FIPS rules for ML-KEM (#4829)
+  * ci: update ubuntu versions (#4828)
+  * Add initial support for MLKEM768 (without any new Security Policies) (#4816)
+  * chore: Adds print statements to help debug s2n_dynamic_load_test (#4836)
+  * ci: add more libcryptos for fuzz batch & follow cmake idioms (#4795)
+  * feature: bump cert authorities max size to 20kb (#4832)
+  * ci: Add ubuntu24 with a new cmake buildspec (#4824)
+  * Add ML-KEM Feature Probe and Test (#4823)
+  * docs: update stateful resumption doc (#4818)
+  * chore: remove make fuzz and AFL fuzz (#4808)
+- from version 1.5.5
+  * chore: bump awslc(non FIPS) to 1.36.0 (#4821)
+  * chore: bindings release 0.3.4 (#4819)
+  * feat: add s2n_cleanup_thread (#4584)
+  * feat(bindings): add set receive buffering to the rust bindings (#4817)
+- from version 1.5.4
+  * refactor: make s2n_array_len constant (#4801)
+  * feature(bindings): scheduled renegotiation via poll_recv (#4764)
+  * Update PQ code to be generic over EVP_KEM API's (#4810)
+  * refactor(bindings): add general bindings error context (#4811)
+  * ci: adding CTest memcheck to CodeBuild (#4776)
+  * Revert "test: disallow explict use of "default" policy in tests (#4750)" (#4812)
+  * ci: check for s2n_array_len in loop bounds  (#4802)
+  * ci: use clang to build awslc (#4794)
+  * ci: run clippy on all features (#4809)
+  * docs: Update certificate loading documentation (#4790)
+  * test: only build requested unit tests in nix (#4770)
+  * refactor: clean up CMakelists.txt (#4779)
+  * fix: pem parsing should allow single dashes in comments (#4787)
+  * ci: use temporary directory for s2n_head build (#4771)
+  * fix(bindings): handle failures from wipe (#4798)
+  * fix: don't iterate over certs if not validating certs (#4797)
+  * ci: add buildspec file for scheduled fuzzing (#4763)
+  * Al2023 codebuild (#4756)
+  * test: disallow explict use of "default" policy in tests (#4750)
+  * chore: bindings release 0.3.3 (#4791)
+  * docs: clarify pre-TLS1.2 support (#4780)
+  * fix: update ja4 compliance (#4773)
+  * chore(bindings): pin unicode-width (#4785)
+- from version 1.5.3
+  * ci: refactor fuzz buildspec (#4783)
+  * docs(bindings): example for Policy::from_version (#4731)
+  * test: refactor pcap test to use version from rtshark (#4774)
+  * test: use seccomp on handshake test (#4768)
+  * ci: use newer version of libFuzzer (#4762)
+  * test: avoid mutating static configs in tests (#4749)
+  * chore(bindings): release 0.3.2 (#4760)
+  * ci: Emit CloudWatch metrics from rust benchmarks (#4742)
+  * CI: enable fuzz test build with cmake (#4743)
+  * fix: update handling of ja4 alpn edge cases (#4755)
+  * fix(bindings): update cc and unpin jobserver (#4758)
+  * fix: add missing null-checks in s2n_connection.c (#4754)
+- from version 1.5.2
+  * refactor: replace memcmp to s2n_constant_time_equals (#4709)
+  * tests(pcap): fix support for older tshark versions (#4744)
+  * refactor: move s2n_result functions inline (#4739)
+  * refactor: make s2n_stuffer_read_hex match s2n_stuffer_read (#4726)
+  * ci:Al2023 CodeBuild script (#4737)
+  * Update to CBMC 6.2.0 (#4746)
+  * docs: add test readme (#4718)
+  * tests(pcaps): download additional pcaps (#4728)
+  * ci: Add UBSAN test to the sanitizer (#4740)
+  * chore(integrationv2): add license header (#4732)
+  * fix: Cleanup libcrypto errors (#4733)
+  * fix(ci): update CBMC proofs' Makefile.common (#4703)
+  * ci: add separate license check (#4727)
+  * chore: cleanup old docker dev build (#4729)
+  * fix: resolve UBSAN violations in the codebase (#4722)
+  * refactor: minor fixes for common fingerprint code (#4712)
+  * tests: add JA4 pcap tests (#4714)
+  * fix: correct JA4 alpn parsing (#4721)
+  * chore: bump versions of aws-lc and aws-lc-fips (#4716)
+  * fix: Reorder PR and Mainline in Regression Test Runner (#4720)
+  * docs: Add a supported platforms section (#4695)
+  * chore(bindings): release 0.3.1 (#4719)
+  * test: add a harness for session resumption in regression test (#4706)
+  * fix(bindings): ConfigPool should always yield associated connections (#4708)
+
 -------------------------------------------------------------------
 Mon Aug 26 15:23:53 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>

--- a/s2n.spec
+++ b/s2n.spec
@@ -19,7 +19,7 @@
 %define library_version 1.0.0
 %define library_soversion 0unstable
 Name:           s2n
-Version:        1.5.1
+Version:        1.6.1
 Release:        0
 Summary:        AWS implementation of the TLS/SSL protocols
 License:        Apache-2.0
--- a/v1.5.1.tar.gz
+++ b/v1.5.1.tar.gz
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d79710d6ef089097a3b84fc1e5cec2f08d1ec46e93b1d400df59fcfc859e15a3
-size 4885628
--- a/v1.6.1.tar.gz
+++ b/v1.6.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d913741fd8329b2ff4f9f153cb1b4a0a88e788f0217f28ded1f207db6fabd5eb
+size 5119769