Releases: aws/aws-lc
v1.71.0
What's Changed
- Fixes for PKCS12_set_mac by @justsmth in #3079
- Allow zero-length PEM passwords in callback paths by @geedo0 in #3073
- Relicense OpenSSL Sources to Apache-2.0, Cleanup Sources and LICENSE file Details by @skmcgrail in #3091
- Harden HMAC error paths: fix resource leaks, state bugs, and missing cleansing by @justsmth in #3081
- Fix modulewrapper memory leak by @justsmth in #3094
- Distribution Packaging Improvements by @skmcgrail in #3042
- Add bounds checks for size_t to int truncation in RSA_METHOD calls by @justsmth in #3084
- Clean up sensitive stack buffers and minor fixes in PKCS#8 by @justsmth in #3067
- More NULL checks in bio_ssl.cc by @justsmth in #3076
- Reject IPv6 literal URIs in name constraint checking by @justsmth in #3045
- Abort on RAND_bytes failure by @justsmth in #3078
- Fix race condition in new_certs_dir output path by @justsmth in #3095
- Fall back to EVP_{marshal,parse} in {i2d,d2i}_{Public,Private}Key by @WillChilds-Klein in #2897
- Fix stale key_method pointer after private key switch in CERT by @justsmth in #3085
- Clean up on X509_STORE_CTX_add_custom_crit_oid error paths by @samuel40791765 in #3088
- Correct purpose setting for OCSP_request_verify by @samuel40791765 in #3089
- Correct types finished-based APIs for TLS 1.3 by @samuel40791765 in #3087
- Fix issues in pass_util.cc password handling by @justsmth in #3032
- Use explicit check for X509 path length by @nhatnghiho in #3080
- Prepare v1.71.0 by @samuel40791765 in #3102
- BoringSSL: Const-correct the kPrintMethods table and Update citations from RFC 3447 to RFC 8017 by @nebeid in #3026
- Fix CN fallback handling in name constraints checking by @samuel40791765 in #3107
- Fix CRL distribution point scope check logic in crl_crldp_check by @samuel40791765 in #3105
Full Changelog: v1.70.0...v1.71.0
AWS-LC-FIPS-3.3.0
What's Changed
- Prepare v3.3.0 by @samuel40791765 in #3103
- Fix CRL distribution point scope check logic in crl_crldp_check by @samuel40791765 in #3106
Full Changelog: AWS-LC-FIPS-3.2.0...AWS-LC-FIPS-3.3.0
v1.70.0
What's Changed
- Cache peer CA names on client side after handshake by @WillChilds-Klein in #2994
- Add NULL checks for MakeUnique in SSL cipher list inheritance by @geedo0 in #3065
- Fix gRPC integration by @justsmth in #3070
- Latent memory leaks in KEM_KEY setter functions by @justsmth in #3041
- Fix PKCS8_decrypt to handle all negative pass_len values by @geedo0 in #3039
- Fix PKCS12_verify_mac OOB read with invalid password_len by @geedo0 in #3051
- Cleanup EVP_DH asn1 parsing by @justsmth in #3047
- Add INT_MAX bounds check before EVP_CipherUpdate in PKCS8/PKCS12 encryption by @geedo0 in #3043
- Fix PKCS8_encrypt crash when pass is NULL with negative pass_len_in by @geedo0 in #3052
- Fix CMake 4.0 CI jobs by @justsmth in #3068
- IWYU: guard stdint.h in fips_shared_support.c by @skmcgrail in #3027
- Use proper function type for different callback types by @torben-hansen in #3066
- Zeroize intermediate values for ed25519 by @justsmth in #3075
- Bump github.com/cloudflare/circl from 1.6.2 to 1.6.3 in /util/vecgen by @dependabot[bot] in #3046
- Fix sizeof-on-pointer bugs in FIPS assertion failure messages by @justsmth in #3074
- Remove dead declarations in public headers by @skmcgrail in #3053
- TLS Transfer Serialization Findings by @skmcgrail in #3071
- XOF fixes by @manastasova in #3064
- Add a test that arbitrary curves can be wrapped in EVP_PKEY by @nebeid in #3055
- Improve type safety and bounds checking in EVP cipher ctrl handlers by @justsmth in #3034
- Fix uninitialized EVP_MD_CTX and harden bn_dup_into by @justsmth in #3033
- Add ACVP Support for KAS-ECC by @nhatnghiho in #3010
- Add ACVP Support for KTS-IFC by @nhatnghiho in #3009
- Various Small Additions to ACVP Tool by @nhatnghiho in #3024
- Clean up CLI code by @nhatnghiho in #2927
- Fix NetBSD AArch64 CPU feature detection on big.LITTLE systems by @justsmth in #3082
- Prepare v1.70.0 by @nhatnghiho in #3086
Full Changelog: v1.69.0...v1.70.0
v1.69.0
What's Changed
- Fix FIPS delocator handling of floating-point immediates on aarch64 by @justsmth in #3029
- Fix link in README.md by @ofek in #2945
- Various PKCS7 fixups by @WillChilds-Klein in #3035
- Fix error reporting and document EC explicit params single-cert beha… by @justsmth in #3044
- Fix PKCS7 verify content memleak by @WillChilds-Klein in #3036
- Retain flag after custom critical extensions check by @samuel40791765 in #3030
- Update ACVP documentation by @samuel40791765 in #2960
- Fix error return values for no-op UI_xxx stub functions by @justsmth in #3025
- Key state consistency in PQDSA_KEY setter functions by @justsmth in #3040
- Simplify d2i_PKCS7 by removing redundant BER-to-DER conversion by @justsmth in #3037
- Prepare v1.69.0 by @torben-hansen in #3049
- Ensure all signer certificate chains are verified by @torben-hansen in #3059
- Use CRYPTO_memcmp instead of OPENSSL_memcmp for tag verification by @torben-hansen in #3060
- Return correct error value when parsing PKCS7 authenticated attributes fails by @torben-hansen in #3061
New Contributors
Full Changelog: v1.68.0...v1.69.0
AWS-LC-FIPS-3.2.0
What's Changed
- [Cherry-pick 2024] Offer P521 for signature_algorithms in client Hello by @samuel40791765 in #2975
- [FIPS 3.x] Address Reported Bug Findings by @skmcgrail in #3005
- Prepare v3.2.0 by @torben-hansen in #3050
- Use CRYPTO_memcmp instead of OPENSSL_memcmp for tag verification by @torben-hansen in #3062
Full Changelog: AWS-LC-FIPS-3.1.0...AWS-LC-FIPS-3.2.0
v1.68.0
What's Changed
- Bump urllib3 from 2.6.0 to 2.6.3 in /tests/ci by @dependabot[bot] in #2932
- Add weekly automated check for outdated third-party test vectors by @sgmenda in #2933
- Enable Hybrid PQ KeyShares by default by @alexw91 in #2531
- Remove AVX conditional from cmake script by @torben-hansen in #2958
- openssl-ca command implementation for self-sign certificates by @skmcgrail in #2937
- Initial Framework for Using Doxygen to Document Public Header Files by @m271828 in #2908
- Move md4 out of FIPS module by @torben-hansen in #2956
- Fix image-build-windows workflow to only push on workflow_call and workflow_dispatch by @skmcgrail in #2961
- Remove FIPS counter framework and other tidying up by @torben-hansen in #2947
- Model Device Farm CI Resources in CDK by @skmcgrail in #2965
- Adds a new randomness generation API by @torben-hansen in #2963
- Migrate Android Testing to GitHub Actions by @skmcgrail in #2969
- Ensure pkcs7 checks ASN1_TYPE->type by @skmcgrail in #2968
- Fix checkout logic for android-omnibus by @skmcgrail in #2970
- Add missing env vars to check-vectors workflow step by @sgmenda in #2962
- Shorten Windows Build Directory Path by @skmcgrail in #2974
- Bump mysql cluster version by @WillChilds-Klein in #2967
- Integrate Wycheproof ML-DSA test vectors by @sgmenda in #2973
- Simplify FIPS conditional in top-level build script by @torben-hansen in #2976
- Fix aws-lc-rs CI job by @justsmth in #2966
- Add method to get type of ML-DSA instance configured under EVP PKEY by @torben-hansen in #2980
- Nmap build needs liblinear by @justsmth in #2985
- Disable SLP vectorizer for FIPS shared library builds on GCC 14+ by @geedo0 in #2977
- Update Wycheproof ECDSA test vectors and fix workflow typo by @sgmenda in #2972
- Address some CMake findings by @skmcgrail in #2979
- Bump bytes from 1.7.1 to 1.11.1 in /tests/ci/lambda by @dependabot[bot] in #2983
- Support GCC 4.8 for aarch64 by @justsmth in #2964
- Free potential memory before assigning new pointer by @torben-hansen in #2989
- Add PyOpenSSL integration test by @WillChilds-Klein in #2992
- Ensure index argument is not negative in ASN1_BIT_STRING_set_bit by @torben-hansen in #2987
- Ensure no overflow in signed output length in do_buf by @torben-hansen in #2988
- Remove redundant CPython 3.9 integration test by @WillChilds-Klein in #2996
- Ensure public key is set before verifying through ML-DSA verify by @torben-hansen in #2990
- Correct CCM nids in object definition by @torben-hansen in #2991
- Address Reported Bug Findings by @skmcgrail in #3000
- Fix CI: gcc-4.8 by @justsmth in #3011
- Fix Windows CI: use cd /d in run_windows_tests.bat to handle cross-drive paths by @justsmth in #3012
- Fix OPENSSL_memchr per C23 by @justsmth in #3008
- Fix argument order in hmac_copy by @justsmth in #3014
- Miscellaneous CI improvements by @skmcgrail in #2978
- Fix CI: mariadb by @justsmth in #3015
- Update Ubuntu 24:04 image compiler verification by @skmcgrail in #3017
- Support WASM/Emscripten by @justsmth in #2959
- Generate Rust Bindings by @justsmth in #2999
Full Changelog: v1.67.0...v1.68.0
v1.67.0
What's Changed
- Migrate Wycheproof test vectors for ECDSA, RSA PKCS#1, and some more by @sgmenda in #2887
- increase timeout for SDE tests by @sgmenda in #2936
- Rename volatile state/memory to unique state/memory by @torben-hansen in #2935
- Fix failing Windows Docker image build by @nhatnghiho in #2931
- Service Indicator: Add error call trampoline to avoid delocator issue by @jakemas in #2920
- Add support for Big Endian in ACVP tool by @samuel40791765 in #2938
- AES-GCM: Add function pointer trampolines to avoid delocator issue by @jakemas in #2919
- Use already defined macro for no inline by @torben-hansen in #2942
- Remove Kyber completely by @torben-hansen in #2941
- Windows 7 support by @justsmth in #2940
- Import mldsa-native by @jakemas in #2902
- Use existing session context if new is actually NULL by @torben-hansen in #2946
- Integrate Wycheproof ML-KEM test vectors by @sgmenda in #2891
- Avoid cross-compilation build failure by @justsmth in #2944
- Cleanup pass on Go code in repository by @skmcgrail in #2951
- Update patch for nmap. by @justsmth in #2954
- Fix CMake CI jobs by @justsmth in #2953
- Bump FreeBSD testing to v14.2 and v15.0 by @justsmth in #2955
- Prepare v1.67.0 by @justsmth in #2952
Full Changelog: v1.66.2...v1.67.0
v1.66.2
What's Changed
- Speed up legacy AVX CI by @samuel40791765 in #2876
- Fix incorrect assembler directive in AArch64 code by @awshkulkar in #2910
- Fix the libwebsockets integration test script by @dkostic in #2912
- Remove pkcs8 expected in test by @samuel40791765 in #2924
- Add randomized unit testing for EVP_CIPHERs by @dkostic in #2922
- fix(target): fix mipseb 64bit compile by @cathaysia in #2923
- Consolidate FORMAT_DER/PEM in tool-openssl by @samuel40791765 in #2929
- Replace password string with proper class by @samuel40791765 in #2925
- Fix ppc64le; Improve platform detection by @justsmth in #2926
- Prepare v1.66.2 by @justsmth in #2930
New Contributors
- @awshkulkar made their first contribution in #2910
- @cathaysia made their first contribution in #2923
Full Changelog: v1.66.1...v1.66.2
v1.66.1
What's Changed
- Iterate through all DNS entries in connect CLI by @geedo0 in #2906
- Fix socat integration test by @dkostic in #2911
- Remove OPENSSL_NO_BF for real by @skmcgrail in #2914
- Add openssl genpkey cli utility tool by @samuel40791765 in #2907
- Add stdin support for pkcs8 tool by @samuel40791765 in #2915
- Fix extension processing order in x509 cli by @nhatnghiho in #2916
- ML-DSA: Missing Private Key Validation Checks by @sgmenda in #2874
- Prepare v1.66.1 by @justsmth in #2918
Full Changelog: v1.66.0...v1.66.1
v1.66.0
What's Changed
- Add encap/decapKeyCheck support in ACVP by @samuel40791765 in #2872
- Clarify comments and API behaviour for equal-preference for TLS 1.3 by @torben-hansen in #2873
- Add support for external contexts in ML-DSA ACVP by @samuel40791765 in #2880
- Route ML-DSA ACVP to the right APIs by @samuel40791765 in #2884
- Add sha1 CLI by @nhatnghiho in #2885
- Fix openssl comparison tests by @justsmth in #2888
- tool-openssl: pkcs8 error output on decrypt by @justsmth in #2883
- Add RSA_X931_PADDING to rsa.h by @justsmth in #2889
- Bump urllib3 from 2.5.0 to 2.6.0 in /tests/ci by @dependabot[bot] in #2886
- Run ACCP integration tests on aarch64 by @WillChilds-Klein in #2894
- Blowfish OFB Block Cipher Mode Support by @skmcgrail in #2892
- Support stdin for openssl rsa tool by @samuel40791765 in #2899
- Remove rsa expected in test by @samuel40791765 in #2901
- [tool-openssl] basic asn1parse support by @skmcgrail in #2882
- Several CLI Fixes by @nhatnghiho in #2898
- Implement enc CLI by @nhatnghiho in #2877
- Prepare v1.66.0 release by @skmcgrail in #2900
Full Changelog: v1.65.1...v1.66.0