gnutls PQC support with leancrypto?

When GnuTLS 3.8.9 gets released, would you consider adding Post-Quantum Cryptography (PQC) support with --with-leancrypto?

This could be done in two ways:

import a leancrypto 1.2.0 package as a dependency
build leancrypto as part of the gnutls package and statically link it. this seems to be the preferred approach. (here you can see how gnutls builds a minimal leancrypto static lib for their CI testing.)

I have been running gnutls with statically linked leancrypto (and before that with liboqs) without issues.

Either way, the PQC algorithms are not (yet) enabled by default, so there will be no adverse effects. The user has to enable the new algorithms explicitly. Example:

$ wget -q -O - --ciphers NORMAL https://cloudflare.com/cdn-cgi/trace | grep kex
kex=X25519
$ wget -q -O - --ciphers NORMAL:+GROUP-X25519-MLKEM768 https://cloudflare.com/cdn-cgi/trace | grep kex
kex=X25519MLKEM768

Edited Feb 08, 2025 by Geert Hendrickx

Admin message

gnutls PQC support with leancrypto?