v1.46.1

What's Changed

• Improve tool-openssl compatability for x509 and verify subcommands by @skmcgrail in #2196
• Refactor AWS_LC_FIPS_failure to always exist by @andrewhop in #2200
• Add pq-tls interop test with BoringSSL by @chockalingamc in #2199
• Fix C++98 compatibility in our header files by @samuel40791765 in #2193
• Enable RSA keygen becnhmarks by default by @andrewhop in #2206
• Update pairwise consistency test failures to support gracefully continiung by @andrewhop in #2201
• Simplify IsFlag check logic by @skmcgrail in #2209
• Remove access() call from Snapsafe detection by @smittals2 in #2197
• Prepare release v1.46.1 by @smittals2 in #2210

Full Changelog: v1.46.0...v1.46.1

v1.46.0

What's Changed

• Validate or define ARM HWCAP2_XXX macros by @justsmth in #2164
• CAST and PCT for ML-DSA by @jakemas in #2148
• Ensure service indicator is incremented only once, update RSA and ED25519 to ensure the state is locked by @andrewhop in #2112
• Move PQDSA to FIPSMODULE by @jakemas in #2166
• Ensure enabling local symbols doesn't change the module hash by @andrewhop in #2169
• Migrate 2nd batch of CI jobs by @nhatnghiho in #2091
• Add new CAST tests to break-kat.go by @andrewhop in #2173
• Update benchmark to skip chunk sizes that doesn't work with the algorithm by @andrewhop in #2146
• Add EVP API Support for ED25519ph by @skmcgrail in #2144
• Fix Nginx build by @smittals2 in #2181
• Update BORINGSSL_FIPS_abort to AWS_LC_FIPS_failure which takes a message by @andrewhop in #2182
• Remove DEPENDS from add_custom_command as CMake made the behavior clear by @andrewhop in #2178
• Add msl to ARMConstantTweak and recognise ldrsw to prevent delocator errors by @jakemas in #2177
• Setup X509 CodeBuild Project for Limbo Report Generation by @skmcgrail in #2171
• Update PQREADME.md by @jakemas in #2151
• Expand spki fuzz corpus by @justsmth in #2187
• Move ML-DSA to fipsmodule by @jakemas in #2175
• Add integration patches/CI for Ruby main and 3.3 by @samuel40791765 in #2071
• MacOS-12 GH runner no longer supported by @justsmth in #2190
• Make install_shared_and_static test more robust by @smittals2 in #2179
• SCRUTINICE fixes by @smittals2 in #2180
• Add suport for asl and rol to match existing support for asr and ror by @andrewhop in #2185
• Refactor TLS 1.3 cipher selection and fix SSL_get_ciphers by @smittals2 in #2092
• Update pkcs8_corpus files to include ML-DSA by @jakemas in #2191
• Add runtime options to break the pairwise consistency test for Ed, ML-KEM, and ML-DSA by @andrewhop in #2192
• ML-KEM: Move FIPS-abort upon PCT failure to top-level ML-KEM API by @hanno-becker in #2195
• Simplify OpenSSH mainline build by @smittals2 in #2158
• Add SPARCV9 target by @psumbera in #2202
• Prepare release v1.46.0 by @justsmth in #2204

Full Changelog: v1.45.0...v1.46.0

v1.45.0

What's Changed

• Cross library PQ interop test with s2n-tls by @chockalingamc in #2138
• Fix policy grant on ECR resource policy by @skmcgrail in #2159
• Add support for PKCS12_set_mac by @samuel40791765 in #2128
• SHA3 and SHAKE - New API Design by @manastasova in #2098
• ML-DSA private keys from seeds by @jakemas in #2157
• Wrap pointers to s2n-bignum functions - delocator fix by @nebeid in #2165
• Prepare AWS-LC v1.45.0 by @samuel40791765 in #2172

New Contributors

• @chockalingamc made their first contribution in #2138

Full Changelog: v1.44.0...v1.45.0

v1.44.0

What's Changed

• Minor symbols to work with Ruby's mainline by @samuel40791765 in #2132
• ACVP test harness for ML-DSA by @jakemas in #2127
• Remove remaining support for Trusty and Fuchsia operating systems by @torben-hansen in #2136
• Avoid mixing SSE and AVX in XTS-mode AVX512 implementation by @torben-hansen in #2140
• Support for ML-DSA public key generation from private key by @jakemas in #2142
• Ed25519ph and Ed25519ctx Support by @skmcgrail in #2120
• Check for MIPSEB in target.h by @justsmth in #2143
• Optimize x86/aarch64 MD5 implementation by @olivergillespie in #2137
• Support keypair calculation for PQDSA PKEY by @jakemas in #2145
• Only SHA3/SHAKE Init Updates via FIPS202 API layer by @manastasova in #2101
• Delete OpenVPN mainline patch from our integration build by @smittals2 in #2149
• Prepare Docker image for CI integration jobs by @nhatnghiho in #2126
• Add support for PKCS7_set/get_detached by @samuel40791765 in #2134
• Fix issue with ML-DSA key parsing by @samuel40791765 in #2152
• Prepare AWS-LC v1.44.0 by @samuel40791765 in #2153

New Contributors

• @olivergillespie made their first contribution in #2137

Full Changelog: v1.43.0...v1.44.0

v1.43.0

What's Changed

• Keccak1600_Squeeze/Absorb Layer (rename) by @manastasova in #2097
• Move ML-DSA to FIPSMODULE by @jakemas in #2095
• Fixes varios issues with rebuilding CI Docker images by @skmcgrail in #2077
• New Year New Broken Mirrors by @skmcgrail in #2102
• Update speed.cc to use the same jitter function as rand.c by @andrewhop in #2100
• Move mldsa and pqdsa out of fipsmodule by @jakemas in #2104
• Remove dilithium flag by @jakemas in #2106
• Add x509-limbo patch and reporting tool by @skmcgrail in #2049
• Allow TLS PSK without server certificate by @WillChilds-Klein in #2083
• Align guard macros for OPENSSL_cpuid_setup by @justsmth in #2111
• Init variable to avoid "may be used uninitialized" warning by @manastasova in #2114
• SCRUTINICE fixes by @smittals2 in #2103
• Remove jent_read_entropy_safe usage from AWS-LC (main) by @smittals2 in #2110
• CDK: Add scrutinice permissions by @justsmth in #2118
• Address Scrutinice findings by @justsmth in #2121
• Finalize ML-DSA asn.1 module by @jakemas in #2117
• Align BN_bn2hex behavior with OpenSSL by @samuel40791765 in #2122
• Upstream merge 2025 01 02 by @nebeid in #2090
• ExternalMu mode for pre-hash ML-DSA by @jakemas in #2113
• Upstream merge 2025 01 17 by @justsmth in #2125
• Add more debug logging to channelID test failures by @andrewhop in #2130
• Compress crypto_test_data.cc by @justsmth in #2123
• Prepare AWS-LC v1.43.0 by @justsmth in #2133

Full Changelog: v1.42.0...v1.43.0

AWS-LC FIPS v3.0.0

What's New

This is our third annual update to the AWS-LC-FIPS module. Our team has made numerous improvements since AWS-LC-FIPS v2.0. See our blog post for details!

v1.42.0

What's Changed

• Address fips hash using adrp instead of adr to increase reach by @dkostic in #2053
• Just use releasecheck with tcpdump ci by @samuel40791765 in #2055
• Use older image with gcc-13 for alpine linux ci by @samuel40791765 in #2054
• [EC] P-256/384/521 s2n-bignum scalar multiplication by @dkostic in #2036
• Bring in testing changes from upstream commit 5ee4e95 by @WillChilds-Klein in #2048
• Add integration script and CI for ruby 3.1 and 3.2 by @samuel40791765 in #1563
• Fuzzing PKCS7 encrypted inputs by @justsmth in #2027
• [EC] Use s2n-bignum's modular inversion for P-256/384/521 by @dkostic in #2057
• Add fuzz testing for PKCS7_verify by @justsmth in #2051
• Prune hanging instances longer than 2 hours by @samuel40791765 in #2061
• Update BoringSSL benchmark to use C++17 by @andrewhop in #2063
• Add PKCS7_print_ctx as a no-op by @samuel40791765 in #2064
• Extend documentation for basic BN_foo functions by @torben-hansen in #2066
• Modified posix builds to enable dilithium by default by @jakemas in #2034
• Upstream merge 2024 12 13 by @samuel40791765 in #2060
• Fix CI for aws-lc-rs by @justsmth in #2073
• Rehaul PQDSA Test Suite by @jakemas in #2062
• Migrate 1st batch of jobs by @nhatnghiho in #2067
• No PR license statement check on a merge by @justsmth in #2074
• [EC] ec_nistp P-256 C scalar_mul_{base|public} by @dkostic in #2033
• Fix tpm2-tss CI job by @justsmth in #2076
• Remove algorithms from testmodulewrapper that are now used in the real modulewrapper by @andrewhop in #2069
• Fix python tests for upstream PR 128036 by @WillChilds-Klein in #2080
• ML-DSA unique names by @jakemas in #2072
• aws-lc-rs scripts now use nightly by @justsmth in #2087
• Add more test coverage for Ruby/OpenSSL gem by @samuel40791765 in #2085
• Add more logging for SSL_ERROR_SYSCALL errors in bssl_shim.cc by @andrewhop in #2079
• Only need libunwind for testing by @justsmth in #2093
• CMake, use 'NOT WIN32' instead of 'UNIX' by @justsmth in #2075
• Provide FIPS_is_entropy_cpu_jitter() by @justsmth in #2088
• Update ML-KEM's internal header files to use unique include guards by @andrewhop in #2078
• alignas(16) unsupported w/ GCC 7.2 for ARM32 by @justsmth in #2086
• Prepare release v1.42.0 by @justsmth in #2094

New Contributors

• @nhatnghiho made their first contribution in #2067

Full Changelog: v1.41.1...v1.42.0

v1.41.1

What's Changed

• Upstream merge 2024 12 02 by @nebeid in #2030
• Universal abi used in amm functions, no need for OS differentiation by @pittma in #1869
• s2n-bignum update 2024-12-10 by @dkostic in #2050
• Prepare release 1.41.1 by @justsmth in #2052

Full Changelog: v1.41.0...v1.41.1

v1.41.0

What's Changed

• Allow constructed strings in BER parsing by @WillChilds-Klein in #2015
• Fix python 3.13 patch by @WillChilds-Klein in #2026
• Update aws-lc-nginx.patch by @robvanoostenrijk in #2023
• Fix segfault in PKCS7 test by @justsmth in #2025
• Expose BN_set_flags as a no-op by @samuel40791765 in #2021
• Ran minimise_corpora.sh by @justsmth in #2024
• Fix strongSwan CI by @geedo0 in #2028
• Coverity fixes for P173127397 by @skmcgrail in #2014
• Add ML-DSA-44 and ML-DSA-87 to PQDSA API by @jakemas in #2009
• strdup is not C99 by @justsmth in #2008
• Fix CI issues with ML-DSA by @jakemas in #2031
• Upstream merge 2024 11 18 by @skmcgrail in #2012
• Fix perl handling of paths w/ spaces by @justsmth in #2005
• Revert "Trim some redundant Arm feature detection files" by @knightjoel in #1979
• Only abort when RSA PWCT fail in FIPS by @samuel40791765 in #2020
• Move PQDSA to FIPS module by @jakemas in #2032
• Implement PKCS7_verify, update PKCS7_sign by @WillChilds-Klein in #1993
• Add AWS-LC-FIPS v3.0 policy docs by @justsmth in #2043
• Initialize arrays as arrays by @justsmth in #2042
• Add blowfish names to EVP_CIPHER API by @WillChilds-Klein in #2041
• Use SHA256 as default digest for OCSP signing by @samuel40791765 in #2038
• Allow build on Solaris by @psumbera in #2035
• Deprecate recently added PKCS7 functions by @WillChilds-Klein in #2039
• Prevent accidental null dereference by @torben-hansen in #2046
• Link to NIST website by @justsmth in #2045
• Added FIPS 204 documentation, cleanse intermediate values by @jakemas in #2017
• Switch ML-DSA to use AWS-LC SHA3 by @jakemas in #2001
• Update FIPS v3.0 draft security policy by @justsmth in #2047

New Contributors

• @robvanoostenrijk made their first contribution in #2023
• @psumbera made their first contribution in #2035

Full Changelog: v1.40.0...v1.41.0

v1.40.0

What's Changed

• Added CRL tool to CLI by @smittals2 in #1976
• Allow ASN1_get_object to parse indefinite and universal by @justsmth in #1994
• Expose a bit of lhash/conf for Ruby by @samuel40791765 in #1987
• Addition of generic NIST-DSA PKEY and ASN1 to support ML-DSA by @jakemas in #1963
• Implement PKCS7_dataInit and PKCS7_dataFinal by @WillChilds-Klein in #1816
• Minor improvement to DSA (ASN1) + DSA Tests by @justsmth in #1990
• Test cleanup by @justsmth in #2000
• Add internal APIs for ML-DSA by @jakemas in #1999
• [EC] Unify scalar_mul_base point for ec_nistp curves by @dkostic in #2003
• Add Clang 19 to CI by @justsmth in #1998
• Adding the OpenSSL s_client tool by @smittals2 in #1959
• [EC] Unify scalar_mul_public for ec_nistp curves by @dkostic in #2004
• Implement PKCS7_encrypt and PKC7_decrypt by @WillChilds-Klein in #1996
• Upstream merge 2024-11-11 by @andrewhop in #1985
• Adding -verify and expanding -x509 options for our OpenSSL tool by @smittals2 in #1951
• Fail FIPS rsa_keygen_pubexp on change by @justsmth in #2016
• Document TLS Server Renegotiation Behavior by @skmcgrail in #2018
• [EC] Use s2n-bignum point doubling for P-384 and P-521 by @dkostic in #2011
• Prepare for v1.40.0 release by @smittals2 in #2019

Full Changelog: v1.39.0...v1.40.0