Release v1.32.0

What's Changed

• Update HMAC to fail when null value is passed to out parameter by @kexgaber in #1662
• Add EC seed functions as deprecated no-ops by @samuel40791765 in #1674
• Remove source patches for python main integration test by @WillChilds-Klein in #1681
• extend ec2-test-framework instance timeout by @samuel40791765 in #1688
• Add initial x509 tool by @ecdeye in #1666
• add support for EC_POINT_bn2point by @samuel40791765 in #1645
• Improve gcc-4.8 support/testing by @justsmth in #1665
• ec_nistp table generation for scalar multiplication by @dkostic in #1669
• Remove dead tail code from (non-SHA3) AES-GCM AArch64 kernel by @hanno-becker in #1639
• Set ret to NULL before return in EC_POINT_bn2point by @samuel40791765 in #1692
• Add CI script to build and test ACCP by @sp717 in #1684
• Update patch for tpm2-tss by @justsmth in #1698
• Update tcpdump integ test by @justsmth in #1699
• Add support for parsing ECPKParameter PEM files by @samuel40791765 in #1670
• add ECPKParameters_print as no-op by @samuel40791765 in #1686
• AES-GCM AArch64: Store swapped Htable values by @hanno-becker in #1403
• Add test to ensure sequence numbers are allowed to increase by more than one by @maddeleine in #1667
• Upstream: Add Intel Indirect Branch Tracking support by @justsmth in #1659
• Fix Windows/ARM64 assembly build by @justsmth in #1697
• Prepare release v1.32.0 by @justsmth in #1700

New Contributors

• @kexgaber made their first contribution in #1662
• @hanno-becker made their first contribution in #1639
• @sp717 made their first contribution in #1684
• @maddeleine made their first contribution in #1667

Full Changelog: v1.31.0...v1.32.0

AWS-LC-FIPS-2.0.14

What's Changed

• [fips-2022-11-02] Make SSL_select_next_proto more robust to invalid calls. by @skmcgrail in #1680
• Include FIPS mode in OpenSSL_version return value by @WillChilds-Klein in #1689
• AWS-LC-FIPS-2.0.14 release preparation by @WillChilds-Klein in #1701

Full Changelog: AWS-LC-FIPS-2.0.13...AWS-LC-FIPS-2.0.14

Release v1.31.0

What's Changed

• Add point add/dbl to ec_nistp_felem_meth and rename it to ec_nistp_meth by @dkostic in #1654
• Added constant_time_select array and entry_from_table by @dkostic in #1660
• Use params to build_compilation_database.sh by @justsmth in #1647
• Replace OPENSSL_NO_TLS_PHA with SSL_VERIFY_POST_HANDSHAKE by @WillChilds-Klein in #1668
• Make DH_check consistent with OpenSSL by @dkostic in #1642
• Update ACVP SHAKE test implementations by @billbo-yang in #1663
• [main] Make SSL_select_next_proto more robust to invalid calls. by @skmcgrail in #1675
• Better support legacy DES customers by @andrewhop in #1671
• AT_HWCAP2 not always defined by @justsmth in #1682
• Added generic EC scalar rwnaf encoding for ec_nistp by @dkostic in #1664
• Prepare for release v1.31.0 by @andrewhop in #1683

Full Changelog: v1.30.1...v1.31.0

Release v1.30.1

What's Changed

• Revert _CET_ENDBR by @justsmth in #1656
• Prepare for release v1.30.1 by @justsmth in #1657
• Fix for loading JCA stripped private keys by @dkostic in #1658

Full Changelog: v1.30.0...v1.30.1

AWS-LC-FIPS-2.0.13

What's Changed

• Snapsafe-type uniqueness breaking event detection (#1640) by @justsmth in #1648
• (FIPS Backport) Close FD in Snapsafe test function (#1649) by @justsmth in #1652
• (FIPS Backport) Add EVP_md_null and SSL_set_ciphersuites (#1637) by @WillChilds-Klein in #1653
• AWS-LC-FIPS-2.0.13 release preparation by @justsmth in #1655

Full Changelog: AWS-LC-FIPS-2.0.12...AWS-LC-FIPS-2.0.13

Release v1.30.0

What's Changed

• Move SSL_CIPHER_get_version test to SSLVersionTest.Version by @WillChilds-Klein in #1631
• Fix AES key size for AES256 in ABI test by @andrewhop in #1629
• Upstream merge 2024 06 03 by @samuel40791765 in #1621
• [EC] Unify point addition for P-256/384/521 by @dkostic in #1602
• Upstream Merge: Add Intel Indirect Branch Tracking support by @justsmth in #1628
• align gcc version with curl's CI by @samuel40791765 in #1633
• Add support for NETSCAPE_SPKI_print by @samuel40791765 in #1624
• More minor symbols for Ruby support by @samuel40791765 in #1581
• Upstream merge 2024-06-13 by @dkostic in #1636
• NIST.SP.800-56Cr2 One-Step Key Derivation by @skmcgrail in #1607
• OpenVPN error codes, SSL_get_peer_signature_* funcs, and first patch file by @smittals2 in #1584
• Require newer assembler for _CET_ENDBR by @justsmth in #1641
• Patch for OpenVPN certificate setting behavioral difference by @smittals2 in #1643
• Add de-randomized ML-KEM modes to experimental EVP API by @jakemas in #1578
• Add EVP_md_null and SSL_set_ciphersuites by @WillChilds-Klein in #1637
• Snapsafe-type uniqueness breaking event detection by @justsmth in #1640
• Prepare for release v1.30.0 by @justsmth in #1646
• Close FD in Snapsafe test function by @justsmth in #1649

Full Changelog: v1.29.0...v1.30.0

AWS-LC-FIPS-2.0.12

What's Changed

• [Backport] Prevent non-constant-time code in Kyber-R3 implementation by @geedo0 in #1632
• AWS-LC-FIPS-2.0.12 release preparation by @geedo0 in #1635

Full Changelog: AWS-LC-FIPS-2.0.11...AWS-LC-FIPS-2.0.12

Release v1.29.0

What's Changed

• Fix mariadb ssl_crl patch by @samuel40791765 in #1606
• Add all_fuzz_tests build target by @justsmth in #1605
• add support for X509_CRL_http_nbio by @samuel40791765 in #1596
• Cleanse the right amount of bytes in HMAC. by @nebeid in #1613
• Pin aws-lc-rs integ to nightly-2024-05-22 by @justsmth in #1612
• Fix NTP integ test by @justsmth in #1616
• Remove special aarch64 valgrind logic by @justsmth in #1618
• add back ASN1_dup with tests by @samuel40791765 in #1591
• Upstream merge 2024 05 17 by @justsmth in #1600
• Add libevent to GitHub integration CI by @andrewhop in #1615
• Add support for ocsp get id by @ecdeye in #1609
• Disable CI for gcc-14/FIPS until relocation issue is resolved by @justsmth in #1622
• Update for FIPS documentation by @justsmth in #1610
• Fix SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR behavior by @samuel40791765 in #1620
• Fixes for building with -pedantic by @justsmth in #1608
• Script for creating compilation database by @justsmth in #1617
• Update ec2-test-framework to use gv2 by @samuel40791765 in #1623
• Prevent non-constant-time code in Kyber-R3 and ML-KEM implementation by @geedo0 in #1619
• Add integration tests for OpenSSL-linking 3p modules by @WillChilds-Klein in #1587
• Implement SSL_CIPHER_get_version for recent TLS versions by @WillChilds-Klein in #1627
• Prepare for release 1.29.0 by @justsmth in #1626
• Use 'nasm' not 'yasm' by @justsmth in #1630

New Contributors

• @ecdeye made their first contribution in #1609

Full Changelog: v1.28.0...v1.29.0

AWS-LC-FIPS-2.0.11

What's Changed

• Add DRAFT 2.0.0 fips security policy by @justsmth in #1598

• Backport X509 certificate verification optimizations to AWS-LC-FIPS-2.x by @samuel40791765 in #1611

  • 31d5dce: Stop using time_t internally. For publicly exposed and used
    inputs that rely on time_t, _posix versions are added to
    support providing times as an int64_t, and internal
    use is changed to use the _posix version.
  • 4e32cc5: When looking for the issuer of a certificate, if the current
    certificate candidate is expired, X509_verify_cert will
    continue searching for a valid cert. An expired certificate is
    only returned if no valid certificates are found. This lets
    AWS-LC gain feature parity with OpenSSL 1.1.1.
  • 9bed1c9: Tweak test introduced by 4e32cc5.

• AWS-LC-FIPS-2.0.11 release preparation by @samuel40791765 in #1614

Full Changelog: AWS-LC-FIPS-2.0.10...AWS-LC-FIPS-2.0.11

Release v1.28.0

What's Changed

• Revert "Trim some unused XN_FLAG_* values" by @samuel40791765 in #1582
• [EC] Unify point doubling for P-256/384/521 by @dkostic in #1567
• Enable x86_64 AES-GCM proof in AWS-LC CI by @pennyannn in #1592
• Update the formal verification section in README by @pennyannn in #1570
• fix X509V3_EXT_METHODs for ocsp nonce extension by @samuel40791765 in #1603
• Prepare for release v1.28.0 by @samuel40791765 in #1604
• CI update for ubuntu 24.04 by @justsmth in #1599
• Upstream merge 2024 05 10 by @nebeid in #1590

Full Changelog: v1.27.0...v1.28.0