Release v1.14.0

What's Changed

• Fix formal verification CI by @samuel40791765 in #1130
• Pull in the latest changes from s2n-bignum (2023-07-25) by @aqjune-aws in #1114
• Upstream merge 2023 07 28 by @samuel40791765 in #1122
• Implementation passive entropy by @torben-hansen in #1125
• add curl integration test CI dimension by @samuel40791765 in #1134
• Retrieve multiple certificate slot for TLS1.2/1.3 based on negotiated sigalgs by @samuel40791765 in #1120
• ABI Diff GitHub Action by @skmcgrail in #1116
• Add vzeroupper instruction for AVX512 optimization in AES-XTS by @shirsing0712 in #1115
• Avoid UB in test shim by @torben-hansen in #1140
• Simplify the Kyber prefix build by @andrewhop in #1131
• Pull in the latest changes from s2n-bignum (2023-08-04) by @aqjune-aws in #1139
• Detect GCM-SIV alignment change by @justsmth in #1144
• Retrieve multiple certificate slot for TLS1.0/1.1 based on negotiated sigalgs by @samuel40791765 in #1138
• Update for Release v1.14.0 by @justsmth in #1150

New Contributors

• @aqjune-aws made their first contribution in #1114

Full Changelog: v1.13.0...v1.14.0

AWS-LC-FIPS-1.1.2

What's Changed

• [FIPS-2021-10-20] Detect GCM-SIV alignment change by @justsmth in #1147
• [FIPS-2021-10-20] Release v1.1.2 by @justsmth in #1151

Full Changelog: AWS-LC-FIPS-1.1.1...AWS-LC-FIPS-1.1.2

Release AWS-LC-FIPS-1.1.1

What's Changed

• Fix handling of EXFLAG_INVALID_POLICY on the leaf. by @andrewhop in #913
• [fips-2021-10-20] Backport CVE-2023-3446, CVE-2023-3817 fixes for DH_check by @skmcgrail in #1127

Full Changelog: AWS-LC-FIPS-1.1.0...AWS-LC-FIPS-1.1.1

Release v1.13.0

What's Changed

• EVP API ECDHE speed tool support by @torben-hansen in #1080
• fix rust sanity check CI by @samuel40791765 in #1106
• Silence static analyser by validating pointer prior to function call by @torben-hansen in #1107
• Improve LICENSE readability by @skmcgrail in #1110
• add back CERT_PKEY structure and refactor pointers by @samuel40791765 in #1086
• Turn on tests in CI dimension for mySQL by @samuel40791765 in #1063
• Fix DH_check() excessive time with oversized modulus by @skmcgrail in #1109
• Add GitHub CODEOWNERS by @skmcgrail in #1103
• Add BoringSSL Dispatch Test for aarch64 by @billbo-yang in #1093
• Run additional HAProxy tests by @andrewhop in #1097
• Add webhook event support for push to main and fips branches by @skmcgrail in #1082
• Remove CRNGT by @torben-hansen in #1112
• Make dispatch tests use corruptible registers on aarch64. by @nebeid in #1118
• Allow SSL_CTX to use the new multiple certificate slots internally by @samuel40791765 in #1100
• Upstream merge 2023 07 18 by @nebeid in #1101
• tweak back error string functions with exclamation marks by @samuel40791765 in #1117
• Support changing OPENSSL_armcap with environment variable on Apple 64-bit ARM systems by @billbo-yang in #1045
• Abstract fips entropy functions by @torben-hansen in #1113
• Silence static analyser with additional checks by @samuel40791765 in #1123
• Fix Excessive time spent checking DH q parameter value by @skmcgrail in #1121

Full Changelog: v1.12.1...v1.12.2

v1.12.1

What's Changed

• Disable two "Visual Studio 17 2022" warnings by @justsmth in #1087
• Add HAProxy to our CI by @andrewhop in #1083
• Align OCSP behavior with OpenSSL for nginx by @samuel40791765 in #1077
• Merge and remove duplicate yml files in CI by @samuel40791765 in #1088
• Missing export symbols for OCSP by @samuel40791765 in #1091
• Turn on shared library build with HAProxy by @andrewhop in #1092
• Allow SHA3 digests with EC key types by @skmcgrail in #1094
• Release v1.12.1 by @andrewhop in #1095

Full Changelog: v1.12.0...v1.12.1

Release v1.12.0

What's Changed

• Update CI README to include Valgrind on AArch64 by @nebeid in #1066
• Additional tests for failure modes for KEM API by @dkostic in #1048
• Fix potential NULL pointer dereference by @dkostic in #1067
• add integration build CI dimension for mySQL by @samuel40791765 in #1051
• add integration test CI dimension for MariaDB by @samuel40791765 in #1046
• Add SSL_get0_verified_chain by @andrewhop in #1055
• Add OSSL_HANDSHAKE_STATE enum for OpenSSL compatability by @andrewhop in #1070
• Upstream merge 2023-06-26 by @dkostic in #1072
• Fix DISABLE_PERL=on builds for non-assembly optimized platforms by @skmcgrail in #1068
• Fix BORINGSSL_PREFIX build for ppc64le by @skmcgrail in #1069
• align X509_VERIFY_PARAM host and email behavior with OpenSSL by @samuel40791765 in #1062
• Use build-in string-copy function by @torben-hansen in #1078
• Light tidy up of required dependency versions by @torben-hansen in #1076
• Remove unused variable declaration in ssl_test.cc by @dkostic in #1073
• Upstream merge 2023-06-27 by @torben-hansen in #1075
• Reapply "Remove support for "old-style" X509V3_EXT_METHODs" by @samuel40791765 in #1065
• Make PRNG model slightly more readable by @torben-hansen in #1079
• Add back custom extension support for libssl by @andrewhop in #1071
• Save leaf certificate in SSL early to avoid losing external data by @samuel40791765 in #1074
• Mark include as PUBLIC not SYSTEM PUBLIC by @skmcgrail in #1081
• Release v1.12.0 by @skmcgrail in #1085

Full Changelog: v1.11.0...v1.12.0

Release v1.11.0

What's Changed

• Merge pull request #1064 from samuel40791765/upstream-merge-2023-06-15
• Allow cleanup of thread-local data before dlclose (#1057)
• add -Wmissing-braces to build (#1061)
• Change the Jitter entropy recovery mechanism (#1058)
• Merge OCSP request feature branch to main (#1054)
• Fix aesni-xts-avx512 to support Perl v5.8.8 (#1053)
• Merge pull request #1041 from skmcgrail/upstream-merge-2023-05-30
• Simplify speed.cc if/defs for different libcryptos (#1047)
• AES-XTS optimization using vAES and vPCLMULQDQ (#1004)
• Split up integration test ci dimension (#1036)
• Ensure CodeBuild always has GOPROXY set via buildspec. (#1043)
• Add Support for RSA SigGen w/ SHA2-512/256 & PKCS1v1.5 to the ACVP Tool (#1022)
• set rsa pkcs1v1.5 and ecdsa sig/ver with SHA512/256 to not approved (#1038)
• Document X509_NAME_oneline function behavior. (#1040)
• Add additional DH groups from RFC 7919 (#1039)
• Add function for KEM key check (#1030)
• Zeroize unused Dilithium key buffers (#1031)
• Add ASN1_TIME_to_tm (#1035)
• Expose TLS prf (#1033)
• Add few compatability functions needed for HAProxy (#1032)
• quiet unused arguments on Android to silence --noexecstack related warnings (#1028)
• Add support for multiple filters for bssl speed application (#1023)
• Add LDTs to ACVP Tool (#1029)
• Fix RSA and ECDSA SigGen w/ SHA2-512/256 (#1020)
• Add support for EVP_aes_256_wrap (#1007)
• add support for SSL_get_key_update_type and SSL_KEY_UPDATE_NONE (#1011)
• Add AES CTR benchmark (#1024)
• Delete leftover comments about KEMs/Kyber (#1013)
• Add support for SSL_(read/peek/write)_ex (#1010)
• Reduce the ARM fuzz time to get the CI to pass in under an hour (#1021)
• Update speed.cc to support older versions of AWS-LC that have missing APIs. (#1018)
• Add additional no-op symbols for support mySQL (#1002)
• Revert "Temporarily remove dilithium KATs and fuzz corpus" (#1016)

Release v1.10.0

What's Changed

• Upstream merge 2023 04 14 by @skmcgrail in #958
• Remove cruft from generate build script by @torben-hansen in #976
• Retire Armv7 x25519 implementation by @torben-hansen in #973
• P-384/521 runtime check for s2n-bignum on aarch64 by @dkostic in #983
• Update EVP AES GCM and XTS benchmarks to reuse the key and cipher during the benchmark by @andrewhop in #965
• test case when xts mode key and tweak init is done separately by @torben-hansen in #974
• Add GitHub Action for testing commits with aws-lc-rs by @skmcgrail in #971
• Add DH_check support to perf tool by @torben-hansen in #982
• Add missing symbols for postgres by @samuel40791765 in #979
• Upstream merge 2023-05-01 by @torben-hansen in #987
• Add benchmarks for EC_KEY_generate_key(_fips) by @samuel40791765 in #969
• Fix device farm CI build with boto3 by @samuel40791765 in #990
• Fix memory various minor memory leaks in speed.cc by @andrewhop in #988
• Enable valgrind tests on AArch64 by setting ARMCAP via static defines to avoid reading from MIDR_EL1. by @nebeid in #978
• Fix two trailing new-lines in PR template by @torben-hansen in #998
• Support OpenBSD on arm64 by @knightjoel in #962
• Add Postgres integration test CI by @samuel40791765 in #986
• P-384/521 fallback to small implementation when OPENSSL_SMALL is set by @dkostic in #984
• Upstream merge 2023 05 05 by @samuel40791765 in #997
• AWS CodeBuild GitHub Job Pruner by @skmcgrail in #980
• Minor fixes pointed out by static analysis by @samuel40791765 in #995
• Add Openssh integration tests to CI by @justsmth in #942
• Add support for X509_get0_pubkey by @samuel40791765 in #1000
• Fix incorrect lambda CodeBuild policy permission by @skmcgrail in #1001
• Check HWCAP_CPUID before reading MIDR_EL1 on aarch64 by @lilybarrowman in #1006
• Only build acvp/modulewrapper with BUILD_TESTING by @justsmth in #1012
• Run FIPS break tests as a part of the CI by @andrewhop in #1005
• Fix for building on aarch64 with 32-bit OS by @dkostic in #1015
• Merge integrate-pq into main by @WillChilds-Klein in #897
• Upstream merge 2023-05-12 by @dkostic in #1008
• Fix typo's and clarify some language by @torben-hansen in #993
• Bump AWSLC_VERSION_NUMBER_STRING to 1.10.0 by @andrewhop in #1019

New Contributors

• @lilybarrowman made their first contribution in #1006

Full Changelog: v1.9.0...v1.10.0

Release v1.9.0

• Provide a compile option to disable AVX512-specific optimizations (#945)
• aesv8-armx.pl: Avoid buffer overread in AES-XTS decryption (#970)

Release v1.8.0

• Improves support for OpenSSH (#894)
• Bug fix: Added back ASN1_STRING_clear_free which was incorrectly removed in v1.7.0. (#936)
• Bug fix: BORINGSSL_function_hit array size did not match updated header definition (#934)