v1.73.0

What's Changed

• Silence two stringop-overflow false-positives by @torben-hansen in #3201
• Fix grpc CI by @nhatnghiho in #3196
• Handle allocation failures in add_string's section strdup and stack push by @justsmth in #3187
• Add WaitForFileAccessible to fix intermittent Windows test failures by @justsmth in #3178
• Handle id-pkix-ocsp-nocheck in OCSP responder verification by @dkostic in #3169
• tool/s_client: fix -verify depth and missing CA store by @justsmth in #3189
• Fix FIPS build under MSAN by broadening integrity-test guards by @justsmth in #3167
• Scope _STL_EXTRA_DISABLED_WARNINGS to C++ to fix Ninja + clang-cl builds by @justsmth in #3199
• Add EVP_PKEY_kem_get_type public accessor for KEM key NID by @justsmth in #3179
• Dilently drop handshake fragments at the far edge of the seq window by @torben-hansen in #3203
• Align X.509 Limbo local patch with upstream changes by @torben-hansen in #3206
• Implement EVP_PKEY_get_private_seed to return seed representation of private key by @torben-hansen in #3200
• Rework order for initialisation of digest object. If memory allocation fails, object is now not in a corrupted state. by @torben-hansen in #3205
• Ensure correct bio memory buffer type is assigned by @torben-hansen in #3204
• ci: harden zig wrappers against libc++ ABI drift and opaque failures by @justsmth in #3190
• ci: add Dependabot configuration by @justsmth in #3191
• Fixes several issues across X509 and EVP parsing/comparison code by @torben-hansen in #3213
• Bump golang.org/x/crypto from 0.31.0 to 0.50.0 in the gomod-root group by @dependabot[bot] in #3214
• Bump the github-actions group with 17 updates by @dependabot[bot] in #3218
• Bump the cargo-ci-lambda group across 1 directory with 10 updates by @dependabot[bot] in #3217
• Bump the pip-ci group across 1 directory with 4 updates by @dependabot[bot] in #3216
• Support non-empty context strings in ML-DSA EVP sign/verify by @jakemas in #3135
• ci: pin zig x86_64-windows job to windows-2022 by @justsmth in #3222
• Reject URIs containing '@' in name constraint checking by @nhatnghiho in #3202
• Fix thread-local DRBG cleanup deadlock at process exit by @justsmth in #3220
• Fix shared library install on Windows: place DLLs in bin directory by @justsmth in #3225
• Prepare 1.73.0 by @nhatnghiho in #3226

Full Changelog: v1.72.1...v1.73.0

v1.72.1

What's Changed

• Bump minimum Go version to 1.20 and update Go dependencies by @justsmth in #3159
• Fix intermittent CA test failure on Windows CI when TEMP is unset by @justsmth in #3161
• ssl: invalidate X509 leaf/chain caches in cert_set_chain_and_key and … by @justsmth in #3117
• Bump Go version in gcc-4.8 Docker image from 1.18.10 to 1.22.12 by @justsmth in #3168
• Generalize SSL test runner idle-timeout retry to all tests by @justsmth in #3163
• Improve test portability for OPENSSL_NO_SOCK, OPENSSL_THREADS, and OPENSSL_NO_TTY by @justsmth in #3146
• Add CI for Zig compiler support by @justsmth in #3142
• Fix intermittent ImplDispatchTest.AEAD_AES_GCM failure in gcc-4.8 CI by @justsmth in #3170
• Mitigate intermittent SSL runner timeouts on FreeBSD CI by @justsmth in #3171
• BoringSSL: Don't support parameterless DSA keys in SPKIs AND Set an EVP_PKEY's algorithm and data together by @nebeid in #3057
• ci: add gh-pages workflow for API documentation by @dougch in #3177
• docs: update platform support tables by @dougch in #3176
• Map rsaesOaep SPKI to RSA in parse_key_type by @crlorentzen in #3181
• Bump MySQL version to 9.7.0 by @nhatnghiho in #3185
• ci: pin cryptography to source builds in pyopenssl integration by @justsmth in #3193
• Update NID_rsaesOaep test certificate by @crlorentzen in #3194
• Prepare v1.72.1 by @justsmth in #3192

New Contributors

• @crlorentzen made their first contribution in #3181

Full Changelog: v1.72.0...v1.72.1

v1.72.0

What's Changed

• Reject point at infinity in EC_KEY_set_public_key by @nebeid in #3101
• Add SSL_use_cert_and_key for per-connection cert/key setting by @geedo0 in #3114
• Add Optimized and HOL Light verified AVX2 Keccak x4 by @manastasova in #3020
• Fix intermittent WIN32_rename failures in openssl ca CLI tool due to transient file locks by @justsmth in #3100
• Remove redundant definitions by @torben-hansen in #3118
• fipsmodule/ml-kem: Import mlkem-native v1.1.0 by @hanno-becker in #3090
• Zeroize sensitive stack buffers in DRBG, X25519, Ed25519, ECDSA, ECDH… by @justsmth in #3121
• Fix entropy source selection for Apple cross-compilation targets by @justsmth in #3113
• WIN32_rename: fix errno mapping and increase retry budget for transient failures by @justsmth in #3124
• openssl-tool CLI: CA cleanup by @justsmth in #3120
• Exclude OCSPIntegrationTest from normal CI test runs by @justsmth in #3128
• Fix PostgreSQL integration SSL test failures for upstream error string changes by @justsmth in #3125
• Fix Windows ARM64 FIPS build; add Clang support for Windows FIPS by @justsmth in #3013
• Hardening fixes for ML-DSA digest mode, XTS key comparison, and urandom fd by @justsmth in #3129
• Fix bind9 integration test for upstream build system changes by @justsmth in #3126
• Consistently set outlen to zero for all error paths by @torben-hansen in #3104
• Add -msg and -servername support to openssl s_client by @geedo0 in #3098
• Add NULL pointer validation to ML-KEM EVP encapsulate/decapsulate by @dkostic in #3132
• Add openssl version -a and -p flag support by @geedo0 in #3092
• Rename __AWS_LC_ENSURE to AWS_LC_ENSURE to avoid reserved identifier by @torben-hansen in #3137
• Upgrade custom libc++ to LLVM 19 and add sanitizer support to build_and_test.sh by @justsmth in #3131
• Upgrade CI sanitizer jobs from Clang 15 to Clang 19 by @justsmth in #3148
• Fix CMake install dir defaults on macOS/Windows when CMAKE_INSTALL_LIBDIR is specified by @justsmth in #3069
• Update PyOpenSSL patch w/ PR #2897 by @WillChilds-Klein in #3145
• Harden OCSP response printing and fix integer overflow in x509v3_bytes_to_hex by @justsmth in #3127
• Increase SSL test runner idle timeout for FreeBSD CI by @justsmth in #3144
• Fix Clang 19 GCC runtime detection on AL2023 aarch64 by @justsmth in #3150
• Fix Clang 19 C++ header detection on AL2023 aarch64 by @justsmth in #3152
• Fix Clang 19 C++ headers and LLVM tool version mismatches on AL2023 by @justsmth in #3157
• Small fixes for RSA_METHOD and EVP_PKEY_derive_set_peer by @dkostic in #3130
• Add OPENSSL_INIT_ATFORK compatibility stub by @geedo0 in #3134
• Bound ReadConsoleW by stack buffer size by @WillChilds-Klein in #3154
• Change ML-KEM PKCS#8 encoding from expanded to seed form by @geedo0 in #3149
• Add missing error return for short metadata keys by @WillChilds-Klein in #3151
• Lower default SSL peek test rounds and remove CI workarounds by @justsmth in #3155
• Check RSA-PSS digest algorithms for X509 by @skmcgrail in #3138
• Shard valgrind CI job to avoid GitHub Actions timeout by @justsmth in #3158
• Update target.h to support Loongarch64 ABI1.0 architecture by @binLep in #3093
• Make some more half-empty EVP_PKEY states impossible by @nebeid in #3056
• Prepare v1.72.0 by @geedo0 in #3162

New Contributors

• @binLep made their first contribution in #3093

Full Changelog: v1.71.0...v1.72.0

v1.71.0

What's Changed

• Fixes for PKCS12_set_mac by @justsmth in #3079
• Allow zero-length PEM passwords in callback paths by @geedo0 in #3073
• Relicense OpenSSL Sources to Apache-2.0, Cleanup Sources and LICENSE file Details by @skmcgrail in #3091
• Harden HMAC error paths: fix resource leaks, state bugs, and missing cleansing by @justsmth in #3081
• Fix modulewrapper memory leak by @justsmth in #3094
• Distribution Packaging Improvements by @skmcgrail in #3042
• Add bounds checks for size_t to int truncation in RSA_METHOD calls by @justsmth in #3084
• Clean up sensitive stack buffers and minor fixes in PKCS#8 by @justsmth in #3067
• More NULL checks in bio_ssl.cc by @justsmth in #3076
• Reject IPv6 literal URIs in name constraint checking by @justsmth in #3045
• Abort on RAND_bytes failure by @justsmth in #3078
• Fix race condition in new_certs_dir output path by @justsmth in #3095
• Fall back to EVP_{marshal,parse} in {i2d,d2i}_{Public,Private}Key by @WillChilds-Klein in #2897
• Fix stale key_method pointer after private key switch in CERT by @justsmth in #3085
• Clean up on X509_STORE_CTX_add_custom_crit_oid error paths by @samuel40791765 in #3088
• Correct purpose setting for OCSP_request_verify by @samuel40791765 in #3089
• Correct types finished-based APIs for TLS 1.3 by @samuel40791765 in #3087
• Fix issues in pass_util.cc password handling by @justsmth in #3032
• Use explicit check for X509 path length by @nhatnghiho in #3080
• Prepare v1.71.0 by @samuel40791765 in #3102
• BoringSSL: Const-correct the kPrintMethods table and Update citations from RFC 3447 to RFC 8017 by @nebeid in #3026
• Fix CN fallback handling in name constraints checking by @samuel40791765 in #3107
• Fix CRL distribution point scope check logic in crl_crldp_check by @samuel40791765 in #3105

Full Changelog: v1.70.0...v1.71.0

AWS-LC-FIPS-3.3.0

What's Changed

• Prepare v3.3.0 by @samuel40791765 in #3103
• Fix CRL distribution point scope check logic in crl_crldp_check by @samuel40791765 in #3106

Full Changelog: AWS-LC-FIPS-3.2.0...AWS-LC-FIPS-3.3.0

v1.70.0

What's Changed

• Cache peer CA names on client side after handshake by @WillChilds-Klein in #2994
• Add NULL checks for MakeUnique in SSL cipher list inheritance by @geedo0 in #3065
• Fix gRPC integration by @justsmth in #3070
• Latent memory leaks in KEM_KEY setter functions by @justsmth in #3041
• Fix PKCS8_decrypt to handle all negative pass_len values by @geedo0 in #3039
• Fix PKCS12_verify_mac OOB read with invalid password_len by @geedo0 in #3051
• Cleanup EVP_DH asn1 parsing by @justsmth in #3047
• Add INT_MAX bounds check before EVP_CipherUpdate in PKCS8/PKCS12 encryption by @geedo0 in #3043
• Fix PKCS8_encrypt crash when pass is NULL with negative pass_len_in by @geedo0 in #3052
• Fix CMake 4.0 CI jobs by @justsmth in #3068
• IWYU: guard stdint.h in fips_shared_support.c by @skmcgrail in #3027
• Use proper function type for different callback types by @torben-hansen in #3066
• Zeroize intermediate values for ed25519 by @justsmth in #3075
• Bump github.com/cloudflare/circl from 1.6.2 to 1.6.3 in /util/vecgen by @dependabot[bot] in #3046
• Fix sizeof-on-pointer bugs in FIPS assertion failure messages by @justsmth in #3074
• Remove dead declarations in public headers by @skmcgrail in #3053
• TLS Transfer Serialization Findings by @skmcgrail in #3071
• XOF fixes by @manastasova in #3064
• Add a test that arbitrary curves can be wrapped in EVP_PKEY by @nebeid in #3055
• Improve type safety and bounds checking in EVP cipher ctrl handlers by @justsmth in #3034
• Fix uninitialized EVP_MD_CTX and harden bn_dup_into by @justsmth in #3033
• Add ACVP Support for KAS-ECC by @nhatnghiho in #3010
• Add ACVP Support for KTS-IFC by @nhatnghiho in #3009
• Various Small Additions to ACVP Tool by @nhatnghiho in #3024
• Clean up CLI code by @nhatnghiho in #2927
• Fix NetBSD AArch64 CPU feature detection on big.LITTLE systems by @justsmth in #3082
• Prepare v1.70.0 by @nhatnghiho in #3086

Full Changelog: v1.69.0...v1.70.0

v1.69.0

What's Changed

• Fix FIPS delocator handling of floating-point immediates on aarch64 by @justsmth in #3029
• Fix link in README.md by @ofek in #2945
• Various PKCS7 fixups by @WillChilds-Klein in #3035
• Fix error reporting and document EC explicit params single-cert beha… by @justsmth in #3044
• Fix PKCS7 verify content memleak by @WillChilds-Klein in #3036
• Retain flag after custom critical extensions check by @samuel40791765 in #3030
• Update ACVP documentation by @samuel40791765 in #2960
• Fix error return values for no-op UI_xxx stub functions by @justsmth in #3025
• Key state consistency in PQDSA_KEY setter functions by @justsmth in #3040
• Simplify d2i_PKCS7 by removing redundant BER-to-DER conversion by @justsmth in #3037
• Prepare v1.69.0 by @torben-hansen in #3049
• Ensure all signer certificate chains are verified by @torben-hansen in #3059
• Use CRYPTO_memcmp instead of OPENSSL_memcmp for tag verification by @torben-hansen in #3060
• Return correct error value when parsing PKCS7 authenticated attributes fails by @torben-hansen in #3061

New Contributors

• @ofek made their first contribution in #2945

Full Changelog: v1.68.0...v1.69.0

AWS-LC-FIPS-3.2.0

What's Changed

• [Cherry-pick 2024] Offer P521 for signature_algorithms in client Hello by @samuel40791765 in #2975
• [FIPS 3.x] Address Reported Bug Findings by @skmcgrail in #3005
• Prepare v3.2.0 by @torben-hansen in #3050
• Use CRYPTO_memcmp instead of OPENSSL_memcmp for tag verification by @torben-hansen in #3062

Full Changelog: AWS-LC-FIPS-3.1.0...AWS-LC-FIPS-3.2.0

v1.68.0

What's Changed

• Bump urllib3 from 2.6.0 to 2.6.3 in /tests/ci by @dependabot[bot] in #2932
• Add weekly automated check for outdated third-party test vectors by @sgmenda in #2933
• Enable Hybrid PQ KeyShares by default by @alexw91 in #2531
• Remove AVX conditional from cmake script by @torben-hansen in #2958
• openssl-ca command implementation for self-sign certificates by @skmcgrail in #2937
• Initial Framework for Using Doxygen to Document Public Header Files by @m271828 in #2908
• Move md4 out of FIPS module by @torben-hansen in #2956
• Fix image-build-windows workflow to only push on workflow_call and workflow_dispatch by @skmcgrail in #2961
• Remove FIPS counter framework and other tidying up by @torben-hansen in #2947
• Model Device Farm CI Resources in CDK by @skmcgrail in #2965
• Adds a new randomness generation API by @torben-hansen in #2963
• Migrate Android Testing to GitHub Actions by @skmcgrail in #2969
• Ensure pkcs7 checks ASN1_TYPE->type by @skmcgrail in #2968
• Fix checkout logic for android-omnibus by @skmcgrail in #2970
• Add missing env vars to check-vectors workflow step by @sgmenda in #2962
• Shorten Windows Build Directory Path by @skmcgrail in #2974
• Bump mysql cluster version by @WillChilds-Klein in #2967
• Integrate Wycheproof ML-DSA test vectors by @sgmenda in #2973
• Simplify FIPS conditional in top-level build script by @torben-hansen in #2976
• Fix aws-lc-rs CI job by @justsmth in #2966
• Add method to get type of ML-DSA instance configured under EVP PKEY by @torben-hansen in #2980
• Nmap build needs liblinear by @justsmth in #2985
• Disable SLP vectorizer for FIPS shared library builds on GCC 14+ by @geedo0 in #2977
• Update Wycheproof ECDSA test vectors and fix workflow typo by @sgmenda in #2972
• Address some CMake findings by @skmcgrail in #2979
• Bump bytes from 1.7.1 to 1.11.1 in /tests/ci/lambda by @dependabot[bot] in #2983
• Support GCC 4.8 for aarch64 by @justsmth in #2964
• Free potential memory before assigning new pointer by @torben-hansen in #2989
• Add PyOpenSSL integration test by @WillChilds-Klein in #2992
• Ensure index argument is not negative in ASN1_BIT_STRING_set_bit by @torben-hansen in #2987
• Ensure no overflow in signed output length in do_buf by @torben-hansen in #2988
• Remove redundant CPython 3.9 integration test by @WillChilds-Klein in #2996
• Ensure public key is set before verifying through ML-DSA verify by @torben-hansen in #2990
• Correct CCM nids in object definition by @torben-hansen in #2991
• Address Reported Bug Findings by @skmcgrail in #3000
• Fix CI: gcc-4.8 by @justsmth in #3011
• Fix Windows CI: use cd /d in run_windows_tests.bat to handle cross-drive paths by @justsmth in #3012
• Fix OPENSSL_memchr per C23 by @justsmth in #3008
• Fix argument order in hmac_copy by @justsmth in #3014
• Miscellaneous CI improvements by @skmcgrail in #2978
• Fix CI: mariadb by @justsmth in #3015
• Update Ubuntu 24:04 image compiler verification by @skmcgrail in #3017
• Support WASM/Emscripten by @justsmth in #2959
• Generate Rust Bindings by @justsmth in #2999

Full Changelog: v1.67.0...v1.68.0

v1.67.0

What's Changed

• Migrate Wycheproof test vectors for ECDSA, RSA PKCS#1, and some more by @sgmenda in #2887
• increase timeout for SDE tests by @sgmenda in #2936
• Rename volatile state/memory to unique state/memory by @torben-hansen in #2935
• Fix failing Windows Docker image build by @nhatnghiho in #2931
• Service Indicator: Add error call trampoline to avoid delocator issue by @jakemas in #2920
• Add support for Big Endian in ACVP tool by @samuel40791765 in #2938
• AES-GCM: Add function pointer trampolines to avoid delocator issue by @jakemas in #2919
• Use already defined macro for no inline by @torben-hansen in #2942
• Remove Kyber completely by @torben-hansen in #2941
• Windows 7 support by @justsmth in #2940
• Import mldsa-native by @jakemas in #2902
• Use existing session context if new is actually NULL by @torben-hansen in #2946
• Integrate Wycheproof ML-KEM test vectors by @sgmenda in #2891
• Avoid cross-compilation build failure by @justsmth in #2944
• Cleanup pass on Go code in repository by @skmcgrail in #2951
• Update patch for nmap. by @justsmth in #2954
• Fix CMake CI jobs by @justsmth in #2953
• Bump FreeBSD testing to v14.2 and v15.0 by @justsmth in #2955
• Prepare v1.67.0 by @justsmth in #2952

Full Changelog: v1.66.2...v1.67.0