v1.40.0

What's Changed

• Added CRL tool to CLI by @smittals2 in #1976
• Allow ASN1_get_object to parse indefinite and universal by @justsmth in #1994
• Expose a bit of lhash/conf for Ruby by @samuel40791765 in #1987
• Addition of generic NIST-DSA PKEY and ASN1 to support ML-DSA by @jakemas in #1963
• Implement PKCS7_dataInit and PKCS7_dataFinal by @WillChilds-Klein in #1816
• Minor improvement to DSA (ASN1) + DSA Tests by @justsmth in #1990
• Test cleanup by @justsmth in #2000
• Add internal APIs for ML-DSA by @jakemas in #1999
• [EC] Unify scalar_mul_base point for ec_nistp curves by @dkostic in #2003
• Add Clang 19 to CI by @justsmth in #1998
• Adding the OpenSSL s_client tool by @smittals2 in #1959
• [EC] Unify scalar_mul_public for ec_nistp curves by @dkostic in #2004
• Implement PKCS7_encrypt and PKC7_decrypt by @WillChilds-Klein in #1996
• Upstream merge 2024-11-11 by @andrewhop in #1985
• Adding -verify and expanding -x509 options for our OpenSSL tool by @smittals2 in #1951
• Fail FIPS rsa_keygen_pubexp on change by @justsmth in #2016
• Document TLS Server Renegotiation Behavior by @skmcgrail in #2018
• [EC] Use s2n-bignum point doubling for P-384 and P-521 by @dkostic in #2011
• Prepare for v1.40.0 release by @smittals2 in #2019

Full Changelog: v1.39.0...v1.40.0

v1.39.0

What's Changed

• fix -Wcast-function-type build issues by @vszakats in #1972
• Fix i2d behavior for i2d_SSL_SESSION by @samuel40791765 in #1966
• Support Finished-based APIs for TLS 1.3 by @samuel40791765 in #1952
• Fix sess_hits counter on the server by @samuel40791765 in #1974
• CI gcc-4.8 - use 4.8.5 tag by @justsmth in #1980
• Upstream merge 2024-10-23 by @justsmth in #1955
• Ruby Support - More EVP_PKEY_DSA by @justsmth in #1954
• Avoid compiler warning by @justsmth in #1981
• Update PQREADME to add link to the KEM readme file by @dkostic in #1973
• Add CRYPTO_sysrand benchmarks to speed.cc by @andrewhop in #1978
• Allocate 16k scratch on heap by @justsmth in #1991
• Account for cipher auth with multiple cert slots by @samuel40791765 in #1956
• Cleanup test File utilities by @justsmth in #1989
• Add Cyrus-SASL to our CI by @smittals2 in #1988
• Revert "Replace CONF's internal representation with something more typesafe" by @samuel40791765 in #1986
• Prepare release AWS-LC v1.39.0 by @justsmth in #1995

New Contributors

• @vszakats made their first contribution in #1972

Full Changelog: v1.38.0...v1.39.0

v1.38.0

What's Changed

• 800-131Ar1: length of the key-derivation key shall be at least 112 bits. by @skmcgrail in #1924
• Marshalling/Unmarshalling DH public keys by @justsmth in #1916
• Also prune SSM documents from ec2-test-framework by @samuel40791765 in #1925
• Use illegal_parameter instead of decode_error for invalid key shares by @justsmth in #1923
• Add null check in dh testing by @torben-hansen in #1937
• DH paramgen callback by @justsmth in #1928
• Upstream merge 2024 10 17 by @torben-hansen in #1934
• Remove old Intel CPU types by @justsmth in #1942
• Remove retries on PCT failure in EC and RSA key generation. by @nebeid in #1938
• Add p4p, bump up time by @justsmth in #1943
• PQ README by @jakemas in #1932
• bump mysql CI to 9.1.0 by @justsmth in #1939
• HKDF, HKDF_expand, and PBKDF Truncated SHA2-512 by @skmcgrail in #1946
• Missing functionality + Adding Nmap to our CI by @smittals2 in #1915
• Fix FIPS.md typo by @justsmth in #1950
• Support encode or decode ∞ like OpenSSL by @samuel40791765 in #1930
• Expand support for EVP_PKEY_HMAC by @justsmth in #1933
• Add PKCS7-internal BIO_f_cipher by @WillChilds-Klein in #1836
• Add PKCS7-internal BIO_f_md by @WillChilds-Klein in #1886
• Ruby Support - DSA custom md by @justsmth in #1953
• Add support for POINT_CONVERSION_HYBRID by @samuel40791765 in #1936
• Fixes for Coverity Alerts by @smittals2 in #1960
• Also test w/ gcc 4.8 by @justsmth in #1962
• Actually add support for SSL_get_server/peer_tmp_key by @samuel40791765 in #1945
• Coverity Fix Null Check by @smittals2 in #1965
• ML-KEM keygen Pairwise Consistency Test by @dkostic in #1964
• EDDSA PCT by @torben-hansen in #1968
• Expose AES_cfb1_encrypt and AES_cfb8_encrypt by @skmcgrail in #1967

Full Changelog: v1.37.0...v1.38.0

v1.37.0

What's Changed

• Remove special s2n-bignum symbol handling sauce from build by @torben-hansen in #1903
• ML-KEM FIPS 203 destruction of intermediate values by @dkostic in #1883
• Create mutable EC_GROUP API for OpenSSL compatibility by @samuel40791765 in #1860
• Update Dilithium from crystals upstream by @jakemas in #1894
• Upstream merge 2024 09 16 by @andrewhop in #1862
• Add Alpine-Linux-x86 to GitHub Actions CI by @kexgaber in #1753
• P159598331 coverity cleanup by @skmcgrail in #1908
• add support for EVP_PKEY_CTX callback functions by @samuel40791765 in #1905
• Remove duplicate s2n-bignum prefix include option by @torben-hansen in #1909
• Handle Windows not supporting static array dimension by @torben-hansen in #1912
• Update FIPS docs w/ certs by @justsmth in #1900
• ML-DSA parameter refactor by @jakemas in #1910
• Implement more EVP_PKEY_DH functionality by @justsmth in #1880
• Add EC_GROUP mutablility to custom curves by @samuel40791765 in #1881
• Avoid allocating EVP_PKEY on size checks by @geedo0 in #1911
• build: fix pkgconfig files by @theoparis in #1913
• P161732527 coverity cleanup by @samuel40791765 in #1918
• Align X509 PARTIAL_CHAIN behavior with 1.1.1 by @samuel40791765 in #1917
• Add 2024 FIPS and fix build issues on older arm FIPS by @torben-hansen in #1920
• Prepare 1.37.0 release by @torben-hansen in #1927

New Contributors

• @theoparis made their first contribution in #1913

Full Changelog: v1.36.1...v1.37.0

AWS-LC-FIPS-2.0.17

What's Changed

• Align X509 PARTIAL_CHAIN behavior with 1.1.1 (#1917) by @samuel40791765 in #1921
• Prepare v2.0.17 release by @samuel40791765 in #1922

Full Changelog: AWS-LC-FIPS-2.0.16...AWS-LC-FIPS-2.0.17

AWS-LC-FIPS-2.0.16

What's Changed

• Map certs with ITUT X509 to our RSA implementation (#1754) by @nebeid in #1893
• Pin the version of aws-lc-verification to a known working version by @andrewhop in #1895

Full Changelog: AWS-LC-FIPS-2.0.15...AWS-LC-FIPS-2.0.16

v1.36.1

What's Changed

• Fix pkg-config files by @skmcgrail in #1890
• Remove nginx-tests patch now that upstream supports AWS-LC by @andrewhop in #1898
• Improve build and fix X509 test failures for Ruby by @samuel40791765 in #1887
• Use larger instance for c6g fips by @samuel40791765 in #1899
• Fix OCSP timebomb in tests by @samuel40791765 in #1891
• Github action asserting license statement in PR description by @torben-hansen in #1892
• Detect all Apple M* CPUs and enable the wide multiplier assembly implementations by @andrewhop in #1901
• Add and move OCSP no-op flags to own section by @samuel40791765 in #1902
• Prepare release 1.36.1 by @justsmth in #1906

Full Changelog: v1.36.0...v1.36.1

v1.36.0

What's Changed

• Check for null return pointers in pem_test.cc by @andrewhop in #1855
• Quell static-analysis concern about div-by-0 by @justsmth in #1866
• Update s2n-bignum subtree by @torben-hansen in #1865
• Add return checks on SHA3 functions in ML-KEM by @manastasova in #1859
• Map certs with ITUT X509 to our RSA implementation by @samuel40791765 in #1754
• ML-KEM encapsulation key modulus check by @dkostic in #1868
• Add docker image for gcc 7.2 by @justsmth in #1863
• ML-KEM decapsulation key hash check by @dkostic in #1873
• support building on illumos systems by @iliana in #1854
• Update Service Indicator to handle custom crypto through *_METHOD structs by @smittals2 in #1857
• Extend #1869, update Intel SDE; Enable Linux AVX512 IFMA usage by @justinwsmith in #1871
• Adding a runtime dis/enabler of DIT Capability on AArch64. by @nebeid in #1783
• Fix flaky ssl BadKemKeyShare tests by @dkostic in #1876
• ML-KEM encaps key modulus check optimization by @dkostic in #1874
• Add KBKDF counter HMAC KAT to self-test. by @nebeid in #1882
• Add explanation for FIPS 203 encaps and decaps input validation by @dkostic in #1884
• Prepare release v1.36.0 by @justsmth in #1885

New Contributors

• @iliana made their first contribution in #1854

Full Changelog: v1.35.1...v1.36.0

v1.35.1

What's Changed

• More tweaks for Ruby integration by @samuel40791765 in #1852
• Implementation of EVP_PKEY_CTX_ctrl_str for various key types by @justsmth in #1850
• Add MLKEM768 Hybrid Groups to libssl by @alexw91 in #1849
• add support for PEM_write_bio_PrivateKey_traditional by @samuel40791765 in #1845
• Update s2n-bignum subtree by @torben-hansen in #1861
• Add asserts in testing to fix Coverity alert by @smittals2 in #1864
• Disable CRYPTO_is_AVX512IFMA_capable by @justsmth in #1858

Full Changelog: v1.35.0...v1.35.1

v1.35.0

What's Changed

• Use OPENSSL_STATIC_ASSERT which handles all the platform/compiler/C s… by @andrewhop in #1791
• ML-KEM refactor by @dkostic in #1763
• ML-KEM-IPD to ML-KEM as defined in FIPS 203 by @dkostic in #1796
• Add KDA OneStep testing to ACVP by @skmcgrail in #1792
• Updating erroneous documentation for BIO_get_mem_data and subsequent usage by @smittals2 in #1752
• No-op impls for several EVP_PKEY_CTX functions by @justsmth in #1759
• Drop "ipd" suffix from ML-KEM related code by @dkostic in #1797
• Upstream merge 2024 08 19 by @skmcgrail in #1781
• ML-KEM move to the FIPS module by @dkostic in #1802
• Reduce collision probability for variable names by @torben-hansen in #1804
• Refactor ENGINE API and memory around METHOD structs by @smittals2 in #1776
• bn: Move x86-64 argument-based dispatching of bn_mul_mont to C. by @justsmth in #1795
• Check at runtime that the tool is loading the same libcrypto it was built with by @andrewhop in #1716
• Avoid matching prefixes of a symbol as arm registers by @torben-hansen in #1807
• Add CI for FreeBSD by @justsmth in #1787
• Move curve25519 implementations to fips module except spake25519 by @torben-hansen in #1809
• Add CAST for SP 800-56Cr2 One-Step function by @skmcgrail in #1803
• Remove custom PKCS7 ASN1 functions, add new structs by @WillChilds-Klein in #1726
• NASM use default debug format by @justsmth in #1747
• Add KDF in counter mode ACVP Testing by @skmcgrail in #1810
• add support for OCSP_request_verify by @samuel40791765 in #1778
• Fix GitHub/CodeBuild Purge Lambda by @justsmth in #1808
• KBKDF_ctr_hmac FIPS Service Indicator by @skmcgrail in #1798
• Update x509 tool to write all output to common BIO which is a file or stdout by @andrewhop in #1800
• Add ML-KEM to speed.cc, bump AWSLC_API_VERSION to 30 by @andrewhop in #1817
• Add EVP_PKEY_asn1_* functions by @justsmth in #1751
• Improve portability of CI integration script by @torben-hansen in #1815
• Upstream merge 2024 08 23 by @justsmth in #1799
• Replace ECDSA_METHOD with EC_KEY_METHOD and add the associated API by @smittals2 in #1785
• Cherrypick "Add some barebones support for DH in EVP" by @samuel40791765 in #1813
• Add KDA OneStep (SSKDF_digest and SSKDF_hmac) to FIPS indicator by @skmcgrail in #1793
• Add EVP_Digest one-shot test XOFs by @WillChilds-Klein in #1820
• Wire-up ACVP Testing for SHA3 Signatures with RSA by @skmcgrail in #1805
• Make SHA3 (not SHAKE) Approved for EVP_DigestSign/Verify, RSA and ECDSA. by @nebeid in #1821
• Begin tracking RelWithDebInfo library statistics by @andrewhop in #1822
• Move EVP ed25519 function table under FIPS module by @torben-hansen in #1826
• Avoid C11 Atomics on Windows by @justsmth in #1824
• Improve pre-sandbox setup by @torben-hansen in #1825
• Add OCSP round trip integration test with minor fixes by @samuel40791765 in #1811
• Add various PKCS7 getters and setters by @WillChilds-Klein in #1780
• Run clang-format on pkcs7 code by @WillChilds-Klein in #1830
• Move KEM API and ML-KEM definitions to FIPS module by @torben-hansen in #1828
• fix socat integration CI by @samuel40791765 in #1833
• Retire out-of-module KEM folder by @torben-hansen in #1832
• Refactor RSA_METHOD and expand API by @smittals2 in #1790
• Update benchmark documentation in tool/readme.md by @andrewhop in #1812
• Pre jail unit test by @torben-hansen in #1835
• Move EVP KEM implementation to in-module and correct OID by @torben-hansen in #1838
• More minor symbols Ruby depends on by @samuel40791765 in #1837
• ED25519 Power-on Self Test / CAST / KAT by @skmcgrail in #1834
• ACVP ML-KEM testing by @skmcgrail in #1840
• ACVP ECDSA SHA3 Digest Testing by @skmcgrail in #1819
• ML-KEM Service Indicator for EVP_PKEY_keygen, EVP_PKEY_encapsulate, EVP_PKEY_decapsulate by @skmcgrail in #1844
• Add ML-KEM CAST for KeyGen, Encaps, and Decaps by @skmcgrail in #1846
• ED25519 Service Indicator by @skmcgrail in #1829
• Update Allowed RSA KeySize Generation to FIPS 186-5 specification by @skmcgrail in #1823
• Add ED25519 ACVP Testing by @skmcgrail in #1818
• Make EDDSA/Ed25519 POST lazy initalized by @skmcgrail in #1848
• add support for PEM Parameters without ASN1 hooks by @samuel40791765 in #1831
• Add OpenVPN tip of main to CI by @smittals2 in #1843
• Ensure SSE2 is enabled when using optimized assembly for 32-bit x86 by @graebm in #1841
• Add support for EVP_PKEY_CTX_ctrl_str - Step #1 by @justsmth in #1842
• Added SHA3/SHAKE XOF functionality by @jakemas in #1839
• Migrated ML-KEM SHA3/SHAKE usage to fipsmodule by @jakemas in #1851
• AVX-512 support for RSA Signing by @pittma in #1273

Full Changelog: v1.34.2...v1.35.0