v1.48.2

What's Changed

• Add public wrapper to internal bn_minimal_width function by @smittals2 in #2245
• Add LibRdKafka to our CI by @smittals2 in #2225
• Adding no-op X509_TRUST_cleanup for select application compatibility by @kingstjo in #2257
• Remove unused CMake options for break tests by @andrewhop in #2249
• Update EVP_PKEY ED keygen to use an internal function that can return the result of the PWCT by @andrewhop in #2256
• Added ML-DSA to break-kat framework by @jakemas in #2253
• Add CMAC benchmark for AWS-LC by @andrewhop in #2218
• Update internal IANA values of PQ SupportedGroups by @alexw91 in #2235
• Add missing algorithms to benchmark by @nhatnghiho in #2056
• Update patch for Postgres by @samuel40791765 in #2232
• Revert BIO_get_mem_data back to macro by @skmcgrail in #2261
• Add IbmTpm to our CI by @smittals2 in #2231

New Contributors

• @kingstjo made their first contribution in #2257

Full Changelog: v1.48.1...1.48.2

v1.48.1

What's Changed

• Move OCSP ASN1 type functions to public header by @skmcgrail in #2239
• Make BIO_get_mem_data a function again by @skmcgrail in #2246
• Prepare v1.48.1 by @skmcgrail in #2252

Full Changelog: v1.48.0...v1.48.1

v1.48.0

What's Changed

• Remove BORINGSSL_FIPS_BREAK_FFC_DH by @andrewhop in #2216
• Increase required CMake version to 3.5 by @andrewhop in #2219
• Coverity Fix by @smittals2 in #2236
• Check pagesize is non-negative in AES-XTS test by @nebeid in #2237
• Don't 'dllexport' Windows symbols on static build by @justsmth in #2238
• Update to using Clang 18 on Windows by @justsmth in #2240
• Enforce FIPS callback is only enabled for static builds by @andrewhop in #2241
• Migrate last batch of jobs by @nhatnghiho in #2214
• Prepare for release v.1.48.0 by @andrewhop in #2248

Full Changelog: v1.47.0...v1.48.0

v1.47.0

What's Changed

• Modify SSL to inherit ciphersuites from SSL_CTX at initialization by @smittals2 in #2198
• Avoid duplicated definition of standalone test executable variables by @torben-hansen in #2212
• Migrate 3rd batch of CI jobs by @nhatnghiho in #2183
• SHAKE Incremental Byte Squeezes && EVP_ Tests by @manastasova in #2155
• Add guidance around certificate auto-chaining in TLS by @skmcgrail in #2205
• Add utility for querying and comparing the BORINGSSL_bcm_text_hash by @skmcgrail in #2217
• Move Ed25519ph into module boundary by @skmcgrail in #2186
• Add support to define a callback for FIPS test failures instead of aborting the process by @andrewhop in #2162
• Add SSL_CTX_use_cert_and_key by @smittals2 in #2163
• Update ABI Diff Action to work correctly on push events by @skmcgrail in #2188
• Use AWSLC_SOURCE_DIR and AWSLC_BINARY_DIR by @justsmth in #2208
• Reset DTLS1_BITMAP without resorting to memset by @skmcgrail in #2223
• Integration test for libssh2 by @justsmth in #2222
• Fix out-of-bound (OOB) input read in AES-XTS Decrypt in AVX-512 implementation by @nebeid in #2227
• Integration test for libgit2 by @justsmth in #2215
• Add support to export ML-DSA key-pairs in seed format by @jakemas in #2194
• Bump version, preparing for release v1.47.0 by @nebeid in #2229

Full Changelog: v1.46.1...v1.47.0

v1.46.1

What's Changed

• Improve tool-openssl compatability for x509 and verify subcommands by @skmcgrail in #2196
• Refactor AWS_LC_FIPS_failure to always exist by @andrewhop in #2200
• Add pq-tls interop test with BoringSSL by @chockalingamc in #2199
• Fix C++98 compatibility in our header files by @samuel40791765 in #2193
• Enable RSA keygen becnhmarks by default by @andrewhop in #2206
• Update pairwise consistency test failures to support gracefully continiung by @andrewhop in #2201
• Simplify IsFlag check logic by @skmcgrail in #2209
• Remove access() call from Snapsafe detection by @smittals2 in #2197
• Prepare release v1.46.1 by @smittals2 in #2210

Full Changelog: v1.46.0...v1.46.1

v1.46.0

What's Changed

• Validate or define ARM HWCAP2_XXX macros by @justsmth in #2164
• CAST and PCT for ML-DSA by @jakemas in #2148
• Ensure service indicator is incremented only once, update RSA and ED25519 to ensure the state is locked by @andrewhop in #2112
• Move PQDSA to FIPSMODULE by @jakemas in #2166
• Ensure enabling local symbols doesn't change the module hash by @andrewhop in #2169
• Migrate 2nd batch of CI jobs by @nhatnghiho in #2091
• Add new CAST tests to break-kat.go by @andrewhop in #2173
• Update benchmark to skip chunk sizes that doesn't work with the algorithm by @andrewhop in #2146
• Add EVP API Support for ED25519ph by @skmcgrail in #2144
• Fix Nginx build by @smittals2 in #2181
• Update BORINGSSL_FIPS_abort to AWS_LC_FIPS_failure which takes a message by @andrewhop in #2182
• Remove DEPENDS from add_custom_command as CMake made the behavior clear by @andrewhop in #2178
• Add msl to ARMConstantTweak and recognise ldrsw to prevent delocator errors by @jakemas in #2177
• Setup X509 CodeBuild Project for Limbo Report Generation by @skmcgrail in #2171
• Update PQREADME.md by @jakemas in #2151
• Expand spki fuzz corpus by @justsmth in #2187
• Move ML-DSA to fipsmodule by @jakemas in #2175
• Add integration patches/CI for Ruby main and 3.3 by @samuel40791765 in #2071
• MacOS-12 GH runner no longer supported by @justsmth in #2190
• Make install_shared_and_static test more robust by @smittals2 in #2179
• SCRUTINICE fixes by @smittals2 in #2180
• Add suport for asl and rol to match existing support for asr and ror by @andrewhop in #2185
• Refactor TLS 1.3 cipher selection and fix SSL_get_ciphers by @smittals2 in #2092
• Update pkcs8_corpus files to include ML-DSA by @jakemas in #2191
• Add runtime options to break the pairwise consistency test for Ed, ML-KEM, and ML-DSA by @andrewhop in #2192
• ML-KEM: Move FIPS-abort upon PCT failure to top-level ML-KEM API by @hanno-becker in #2195
• Simplify OpenSSH mainline build by @smittals2 in #2158
• Add SPARCV9 target by @psumbera in #2202
• Prepare release v1.46.0 by @justsmth in #2204

Full Changelog: v1.45.0...v1.46.0

v1.45.0

What's Changed

• Cross library PQ interop test with s2n-tls by @chockalingamc in #2138
• Fix policy grant on ECR resource policy by @skmcgrail in #2159
• Add support for PKCS12_set_mac by @samuel40791765 in #2128
• SHA3 and SHAKE - New API Design by @manastasova in #2098
• ML-DSA private keys from seeds by @jakemas in #2157
• Wrap pointers to s2n-bignum functions - delocator fix by @nebeid in #2165
• Prepare AWS-LC v1.45.0 by @samuel40791765 in #2172

New Contributors

• @chockalingamc made their first contribution in #2138

Full Changelog: v1.44.0...v1.45.0

v1.44.0

What's Changed

• Minor symbols to work with Ruby's mainline by @samuel40791765 in #2132
• ACVP test harness for ML-DSA by @jakemas in #2127
• Remove remaining support for Trusty and Fuchsia operating systems by @torben-hansen in #2136
• Avoid mixing SSE and AVX in XTS-mode AVX512 implementation by @torben-hansen in #2140
• Support for ML-DSA public key generation from private key by @jakemas in #2142
• Ed25519ph and Ed25519ctx Support by @skmcgrail in #2120
• Check for MIPSEB in target.h by @justsmth in #2143
• Optimize x86/aarch64 MD5 implementation by @olivergillespie in #2137
• Support keypair calculation for PQDSA PKEY by @jakemas in #2145
• Only SHA3/SHAKE Init Updates via FIPS202 API layer by @manastasova in #2101
• Delete OpenVPN mainline patch from our integration build by @smittals2 in #2149
• Prepare Docker image for CI integration jobs by @nhatnghiho in #2126
• Add support for PKCS7_set/get_detached by @samuel40791765 in #2134
• Fix issue with ML-DSA key parsing by @samuel40791765 in #2152
• Prepare AWS-LC v1.44.0 by @samuel40791765 in #2153

New Contributors

• @olivergillespie made their first contribution in #2137

Full Changelog: v1.43.0...v1.44.0

v1.43.0

What's Changed

• Keccak1600_Squeeze/Absorb Layer (rename) by @manastasova in #2097
• Move ML-DSA to FIPSMODULE by @jakemas in #2095
• Fixes varios issues with rebuilding CI Docker images by @skmcgrail in #2077
• New Year New Broken Mirrors by @skmcgrail in #2102
• Update speed.cc to use the same jitter function as rand.c by @andrewhop in #2100
• Move mldsa and pqdsa out of fipsmodule by @jakemas in #2104
• Remove dilithium flag by @jakemas in #2106
• Add x509-limbo patch and reporting tool by @skmcgrail in #2049
• Allow TLS PSK without server certificate by @WillChilds-Klein in #2083
• Align guard macros for OPENSSL_cpuid_setup by @justsmth in #2111
• Init variable to avoid "may be used uninitialized" warning by @manastasova in #2114
• SCRUTINICE fixes by @smittals2 in #2103
• Remove jent_read_entropy_safe usage from AWS-LC (main) by @smittals2 in #2110
• CDK: Add scrutinice permissions by @justsmth in #2118
• Address Scrutinice findings by @justsmth in #2121
• Finalize ML-DSA asn.1 module by @jakemas in #2117
• Align BN_bn2hex behavior with OpenSSL by @samuel40791765 in #2122
• Upstream merge 2025 01 02 by @nebeid in #2090
• ExternalMu mode for pre-hash ML-DSA by @jakemas in #2113
• Upstream merge 2025 01 17 by @justsmth in #2125
• Add more debug logging to channelID test failures by @andrewhop in #2130
• Compress crypto_test_data.cc by @justsmth in #2123
• Prepare AWS-LC v1.43.0 by @justsmth in #2133

Full Changelog: v1.42.0...v1.43.0

AWS-LC FIPS v3.0.0

What's New

This is our third annual update to the AWS-LC-FIPS module. Our team has made numerous improvements since AWS-LC-FIPS v2.0. See our blog post for details!