AWS-LC-FIPS-2.0.11

What's Changed

• Add DRAFT 2.0.0 fips security policy by @justsmth in #1598

• Backport X509 certificate verification optimizations to AWS-LC-FIPS-2.x by @samuel40791765 in #1611

  • 31d5dce: Stop using time_t internally. For publicly exposed and used
    inputs that rely on time_t, _posix versions are added to
    support providing times as an int64_t, and internal
    use is changed to use the _posix version.
  • 4e32cc5: When looking for the issuer of a certificate, if the current
    certificate candidate is expired, X509_verify_cert will
    continue searching for a valid cert. An expired certificate is
    only returned if no valid certificates are found. This lets
    AWS-LC gain feature parity with OpenSSL 1.1.1.
  • 9bed1c9: Tweak test introduced by 4e32cc5.

• AWS-LC-FIPS-2.0.11 release preparation by @samuel40791765 in #1614

Full Changelog: AWS-LC-FIPS-2.0.10...AWS-LC-FIPS-2.0.11

Release v1.28.0

What's Changed

• Revert "Trim some unused XN_FLAG_* values" by @samuel40791765 in #1582
• [EC] Unify point doubling for P-256/384/521 by @dkostic in #1567
• Enable x86_64 AES-GCM proof in AWS-LC CI by @pennyannn in #1592
• Update the formal verification section in README by @pennyannn in #1570
• fix X509V3_EXT_METHODs for ocsp nonce extension by @samuel40791765 in #1603
• Prepare for release v1.28.0 by @samuel40791765 in #1604
• CI update for ubuntu 24.04 by @justsmth in #1599
• Upstream merge 2024 05 10 by @nebeid in #1590

Full Changelog: v1.27.0...v1.28.0

Release v1.27.0

What's Changed

• Implement DEPRECATED RSA_pkey_ctx_ctrl by @WillChilds-Klein in #1575
• Minor GitHub Action cleanup by @justsmth in #1565
• Support reading additional data from underlying BIO for each call to SSL_read by @andrewhop in #1517
• Enforce minimum go version when runnign cmake if go is not disabled by @andrewhop in #1580
• Implement low-level derand API for Kyber by @dkostic in #1552
• Cross-compile w/ MinGW; set _WIN32_WINNT by @justsmth in #1576
• Migrate to v4 of the codecov/codecov-action action by @andrewhop in #1553
• Add support for BIO_read/write_ex; Update MySQL CI to 8.4; by @samuel40791765 in #1568
• Fix MySQL version tag alarm by @samuel40791765 in #1585
• Fix CI - tpm2-tss and ntp by @justsmth in #1589
• Windows build with clang-cl; CI for Windows/ARM64 build by @justsmth in #1538
• Give X509_STORE an ex_data by @samuel40791765 in #1583
• ppc64le: support OPENSSL_ppccap ENV variable by @justsmth in #1569
• Prepare for release v1.27.0 by @justsmth in #1593

Full Changelog: v1.26.0...v1.27.0

AWS-LC-FIPS-2.0.10

What's Changed

• Backport vpinsrq delocate support to AWS-LC-FIPS-2.x by @skmcgrail in #1571
• Backport ARM CPUID guard for Android by @skmcgrail in #1579

Full Changelog: AWS-LC-FIPS-2.0.9...AWS-LC-FIPS-2.0.10

Release v1.26.0

What's Changed

• Define OPENSSL_NO_TLS_PHA, typedef PSK callback signatures by @WillChilds-Klein in #1526
• Upstream merge 2024 04 16 by @torben-hansen in #1535
• [ML-KEM] Add experimental support for ML-KEM-512-IPD by @dkostic in #1516
• Remove redundant test exec libraries by @justsmth in #1544
• Support vpinsrq in delocater by @torben-hansen in #1543
• Fix skipped tests in Mariadb integration CI by @samuel40791765 in #1533
• Fix the NTP integration test (NTP website changed) by @dkostic in #1548
• Add EC point add/dbl to speed.cc by @dkostic in #1545
• Add SHA3-256 KAT to FIPS self-test by @justsmth in #1549
• Basic GH CI build/test with full range of gcc/clang by @justsmth in #1546
• Link porting guide table to header documentation by @samuel40791765 in #1540
• Add dependency to python3-six in github action grpc by @fabrice102 in #1554
• Avoid 'z' format with MSVCRT by @justsmth in #1559
• Remove duplicate X509_OBJECT_new and X509_OBJECT_free declarations by @andrewhop in #1560
• Update x25519_test.cc array initialization to avoid a bug with a GCC 13 warning by @andrewhop in #1555
• Fix ec2 CI testing framework by @samuel40791765 in #1541
• Cleanup remaing duplicate symbol definitions and turn Wredundant-decls on by @andrewhop in #1561
• CI for other MacOS versions by @justsmth in #1558
• Centralize handling of s2n-bignum alt/non-alt function selection by @dkostic in #1547
• Migrate from FreeBSD to __FreeBSD_version by @andrewhop in #1562
• Remove comments about overread for entropy generation by @fabrice102 in #1551
• OpenBSD 7.4 and 7.5 Support by @skmcgrail in #1437
• ppc64le: EVP_has_aes_hardware is false w/ no-asm by @justsmth in #1566
• Changed SSL_client_hello_get0_ciphers to align with OpenSSL behavior by @smittals2 in #1542
• Minor functions to build with Ruby's cipher module by @samuel40791765 in #1564
• v1.26.0 Release Preparation by @skmcgrail in #1572

Full Changelog: v1.25.0...v1.26.0

Release v1.25.0

What's Changed

• Added u16 endian loading/storing functions, SSL_CIPHER_find, and SSL_client_hello_get0_ciphers by @smittals2 in #1482
• Update EVP cipher APIs to gracefully handle null EVP_CIPHER_CTX by @andrewhop in #1398
• Upstream merge 2024 04 11 by @samuel40791765 in #1527
• Adding OPENSSL_secure_zalloc and BIO_s_secmem by @smittals2 in #1476
• Release build for MinGW CI; Fix GCC 12/13 warnings by @justsmth in #1536
• AWS-LC v1.25.0 by @justsmth in #1537

Full Changelog: v1.24.1...v1.25.0

Release v1.24.1

What's Changed

• Fix python CI patches by @WillChilds-Klein in #1524
• Document no-op functions and flags in AWS-LC by @samuel40791765 in #1473
• Use larger ARM hosts for long CodeBuild jobs by @andrewhop in #1529
• Align GitHub workflow/job run conditions by @justsmth in #1532
• Add macho parser for use by C inject_hash by @billbo-yang in #1435
• Add non-fips/fips ci for gcc-10 by @samuel40791765 in #1525
• Bump mysql integration CI to 8.3 by @samuel40791765 in #1508
• Remove guard for big-endian support by @justsmth in #1531
• rand_fork_unsafe_buffering_enabled always 0 on Windows by @justinwsmith in #1528
• MinGW: mitigate potential abort on rwlocks using PTHREAD_RWLOCK_INITIALIZER by @justinwsmith in #1530
• Bump to v1.24.1 by @justsmth in #1534

Full Changelog: v1.24.0...v1.24.1

Release v1.24.0

What's Changed

• Add ASN1_i2d_bio and ASN1_i2d_bio_of back by @samuel40791765 in #1486
• Provide an API to turn off blinding for RSA by @amirhosv in #1479
• Error Codes for NodeJS compatibility added by @smittals2 in #1475
• Adding No-op functions required for NodeJS compatability by @smittals2 in #1474
• Only enable dilithium and secp256k1 benchmark if AWS-LC API supports it by @andrewhop in #1495
• Update the BoringSSL benchmark to install libdecrepit by @andrewhop in #1505
• Update patches and build methods for integration CI by @samuel40791765 in #1507
• Fix overscoped json policies in CI by @samuel40791765 in #1494
• RSA key check consolidation part 2 by @dkostic in #1502
• Add integration CI for tpm2-tools by @samuel40791765 in #1487
• Attempt to fix rust sanity check by @samuel40791765 in #1512
• Always install libdecrepit for BoringSSL benchmark by @andrewhop in #1513
• Various minor functions to support mysql 8.3 by @samuel40791765 in #1496
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 cipher suite support by @skmcgrail in #1455
• Cherry-pick 3 RSA related commits from upstream by @dkostic in #1510
• Support for MinGW on Windows by @justinwsmith in #1492
• Upstream merge 2024-03-11 by @andrewhop in #1488
• [ML-KEM] Import ml-kem-ipd source code from Crystals repo by @dkostic in #1514
• Upstream merge 2024 03 18 by @nebeid in #1501
• Fix CPython patches by @WillChilds-Klein in #1515
• Clarify documentation around SSL_MODE_NO_AUTO_CHAIN by @samuel40791765 in #1509
• RSA key pair-wise consistency test with approved APIs by @dkostic in #1518
• Upstream merge 2024-03-21 by @justsmth in #1506
• Add NULL checks to EVP_MD_CTX_cleanse/cleanup by @dkostic in #1519
• add support for X509_get_signature_info by @samuel40791765 in #1504
• allow empty lists in SSL_CTX_set_ciphersuites by @samuel40791765 in #1511
• aws-lc-rs CI step must use CMake to build by @justsmth in #1523
• Bump to v1.24.0 by @justsmth in #1522

New Contributors

• @amirhosv made their first contribution in #1479
• @smittals2 made their first contribution in #1475
• @justinwsmith made their first contribution in #1492

Full Changelog: v1.23.0...v1.24.0

Release: v1.23.0

What's Changed

• Aws lc s2n bignum update 2024 03 06 by @aqjune-aws in #1478
• Add updated porting guide for AWS-LC by @samuel40791765 in #1463
• Add more platforms to CI by @justsmth in #1467
• Adds CI job to test strongSwan integration by @geedo0 in #1472
• Update go.cmake to use PROJECT_SOURCE_DIR by @andrewhop in #1484
• Update return type for EVP_EncodeUpdate by @samuel40791765 in #1481
• Pin Monit CI to a specific release by @samuel40791765 in #1490
• Remove SSL Proxy API version update reminders by @samuel40791765 in #1491
• RSA key check consolidation part 1b by @dkostic in #1480
• Remove build patch for bind9 by @samuel40791765 in #1497
• Update return value from EVP_Encode_Update in one error case by @nebeid in #1499
• Bump the release version number string to 1.23.0 by @dkostic in #1500

Full Changelog: v1.22.0...v1.23.0

AWS-LC-FIPS-2.0.9

What's Changed

Backporting of 2 build fixes from main:

• [Backport] Use x30 instead of lr which otherwise trip some versions of gcc by @justsmth in #1489
• [Backport] Update go.cmake to use PROJECT_SOURCE_DIR by @justsmth in #1485

Other changes

• FIPS 2.0.9 release version number update by @justsmth in #1493

Full Changelog: AWS-LC-FIPS-2.0.8...AWS-LC-FIPS-2.0.9