v1.65.0

What's Changed

• Use new images for fuzzing and x509 by @skmcgrail in #2804
• Disable old Windows jobs by @skmcgrail in #2812
• Remove unused Wycheproof test vectors by @sgmenda-aws in #2792
• Fix openldap; regenerate configure script by @justsmth in #2818
• Setup OIDC for exchanging GitHub Token for AWS Credentials by @skmcgrail in #2819
• Remove Docker Image build infrastructure from CodePipeline by @skmcgrail in #2822
• Fix bind9 CI failure by @justsmth in #2817
• [SCRUTINICE] Fix unchecked return value by @nhatnghiho in #2773
• Fix apache httpd; keep pytest <7.0 by @justsmth in #2825
• Fix tpm2-tss CI; update patches by @justsmth in #2827
• Refactor the staging repository to make the name consistent for writing IAM policies by @skmcgrail in #2824
• Fix OCSP CI failure by @justsmth in #2828
• Fix HAProxy CI failures by @justsmth in #2829
• Android Docker Image Build by @skmcgrail in #2830
• Fix workflow permissions for formal verification & windows by @skmcgrail in #2831
• [SCRUTINICE] Avoid NULL dereference by @justsmth in #2823
• Add infrastructure for managing third-party test vectors by @sgmenda-aws in #2811
• AES-XTS Enc Dec test on rand incremental length inputs by @manastasova in #2795
• Make N1 cpucap a subset of that of V1 and V2 by @nebeid in #2815
• Grant OIDC Token Permissions to Top-Level Image Build Workflow by @skmcgrail in #2837
• Guard for __NR_getrandom use by @justsmth in #2834
• Set SSL_R_NO_CIPHER_MATCH when failing to set ciphers by @skmcgrail in #2840
• Add CFI directives to chacha-armv8.pl by @andrewhop in #2633
• Add CFI directives in aesv8-armx.pl by @andrewhop in #2634
• Bump openssl from 0.10.66 to 0.10.73 in /tests/ci/lambda by @dependabot[bot] in #2550
• Match req CLI behavior with OpenSSL by @nhatnghiho in #2836
• Add authorization environments by @skmcgrail in #2843
• Adjust script to handle other event types by @skmcgrail in #2845
• Prepare AWS-LC v1.65.0 by @justsmth in #2844

Full Changelog: v1.64.0...v1.65.0

v1.64.0

What's Changed

• Update max polyz value by @jakemas in #2787
• ECR Repositories for Android and Formal Verification Images by @skmcgrail in #2794
• Support more "openssl rsa" options by @justsmth in #2777
• Remove python codebuild patches by @WillChilds-Klein in #2793
• Additional options for "openssl c_client" by @justsmth in #2791
• GitHub-based Formal Verification Image Build by @skmcgrail in #2796
• Use C++11 atomics to update session stats by @justsmth in #2786
• Support "openssl dhparam" by @justsmth in #2790
• Add scrutinice pull permissions for aws-lc/amazonlinux repository by @skmcgrail in #2799
• Use GitHub-based Verification Images by @skmcgrail in #2798
• Remove dead code by @torben-hansen in #2797
• Rename snapsafe to VM UBE by @torben-hansen in #2800
• Bump MySQL version tag to 9.5.0 by @samuel40791765 in #2768
• Migrate to macos-15-intel by @samuel40791765 in #2802
• Use right compiler with ruby CI by @samuel40791765 in #2801
• Migrate analytics job to be GitHub triggered by @skmcgrail in #2779
• Support NetBSD by @justsmth in #2754
• Make poly_chknorm constant flow by @jakemas in #2788
• Rename fork to fork UBE by @torben-hansen in #2803
• Extend grv asan timeout for Golang to allow completion by @torben-hansen in #2805
• Implement more options for req CLI by @nhatnghiho in #2775
• Ensure HMAC_Init_ex reinitializes data properly by @samuel40791765 in #2806
• Prepare release v1.64.0 by @justsmth in #2810

Full Changelog: v1.63.0...v1.64.0

v1.63.0

What's Changed

• Fix tpm2-tss CI by @samuel40791765 in #2767
• Fix Ruby integration CI by @samuel40791765 in #2765
• Migrate Windows Omnibus to GitHub Workflow by @skmcgrail in #2780
• Add compiler to 24.04 docker image by @samuel40791765 in #2783
• CI add rpmbuild job by @torben-hansen in #2774
• Failing no-op implementations for several UI functions by @justsmth in #2772
• Tool util functions in tool_util.cc by @justsmth in #2778
• AES-XTS on AArch64: Set w19 earlier before cipher-stealing of 1 block + tail. by @nebeid in #2785
• Prepare release v1.63.0 by @torben-hansen in #2789

Bug fixes

• Fixed a bug in the AES-XTS-256 aarch64 architecture implementation. For input lengths of 17-31 bytes there was a 50% probability that an encryption operation would result in corrupted ciphertext. The resulting ciphertext would result in corrupted plaintext when performing a decrypt operation.

Full Changelog: v1.62.1...v1.63.0

v1.62.1

Post release edit

• This release contains a bug in the AES-XTS implementation on aarch64 platforms affecting input lengths of 17 to 31 bytes.

What's Changed

• Implement ecparam CLI tool by @kingstjo in #2718
• CodeBuild Setup for GitHub Docker Image Builds by @skmcgrail in #2745
• Add Docker Image Build Workflows by @skmcgrail in #2746
• Add ecr:BatchImportUpstreamImage for first-time cache pull-thru by @skmcgrail in #2747
• Use New Docker Images in GitHub Workflows by @skmcgrail in #2752
• Add OPENSSL_NO_UI_CONSOLE macro by @smittals2 in #2751
• Cipher-stealing: no need for re-loading round keys; they're still in registers. by @nebeid in #2734
• Fix windows CI job by @justsmth in #2744
• Consolidate GitHub CodeBuild Projects by @skmcgrail in #2757
• Don't log feature probe error message unless requested by @torben-hansen in #2755
• Implement more options for x509 CLI by @nhatnghiho in #2735
• AWS CodeBuild Fleets Setup by @skmcgrail in #2758
• ci: scope down GitHub Token permissions by @AdnaneKhan in #2762
• Fix librelp integration CI by @nhatnghiho in #2766
• Implement -passin for dgst cli by @nhatnghiho in #2763
• AL2023 x509-limbo container by @skmcgrail in #2761
• Migrate Graviton2 and Graviton4 from EC2 Test Framework by @skmcgrail in #2759
• Add Windows Docker Image Build by @skmcgrail in #2760
• Do no consider warnings fatal in CPU Jitter for LTO build by @torben-hansen in #2769
• Add more options to genrsa by @smittals2 in #2770
• Prepare v1.62.1 by @torben-hansen in #2771

New Contributors

• @AdnaneKhan made their first contribution in #2762

Full Changelog: v1.62.0...v1.62.1

v1.62.0

Post release edit

• This release contains a bug in the AES-XTS implementation on aarch64 platforms affecting input lengths of 17 to 31 bytes.

What's Changed

• nginx now supports AWS-LC by @samuel40791765 in #2714
• Fix tests that assume X25519 will be negotiated by @alexw91 in #2682
• Fixing a bug in ML-DSA poly_uniform function by @dkostic in #2721
• Migrate integration omnibus by @skmcgrail in #2715
• Delete util/bot directory by @justsmth in #2723
• Don't ignore CMAKE_C_FLAGS w/ MSVC by @justsmth in #2722
• Bump urllib3 from 2.2.3 to 2.5.0 in /tests/ci by @dependabot[bot] in #2551
• Type fix in mldsa by @manastasova in #2308
• Centralize password handling tool-openssl by @kingstjo in #2555
• crypto/pem: replace strncmp with CRYPTO_memcmp to fix -Wstring-compare error by @R3hankhan123 in #2724
• Implement dgst CLI command by @nhatnghiho in #2638
• Add ASN.1 decoding for ML-KEM private keys as seeds by @jakemas in #2707
• Implement genrsa command by @kingstjo in #2535
• Move udiv and sencond tweak calculations to when needed by @nebeid in #2726
• Add null check on RSA key checks by @samuel40791765 in #2727
• Implement workaround for FORTIFY_SOURCE warning with jitterentropy by @skmcgrail in #2728
• Implement coverity suggestions by @skmcgrail in #2730
• Add minimal EC CLI tool implementation by @kingstjo in #2640
• Adding pkeyutl tool to the CLI by @smittals2 in #2575
• Add CI dimensions for legacy AVX512 flags by @smittals2 in #2732
• Fix Libwebsockets CI by @smittals2 in #2737
• Add option ENABLE_SOURCE_MODIFICATION by @justsmth in #2739
• Simple script to build/run tests by @justsmth in #2736
• Add build-time option to opt-out of CPU Jitter Entropy by @torben-hansen in #2733
• Prepare v1.62.0 by @justsmth in #2743

New Contributors

• @R3hankhan123 made their first contribution in #2724

Full Changelog: v1.61.4...v1.62.0

v1.61.4

What's Changed

• Pin PyCA version in python integration tests by @WillChilds-Klein in #2706
• Migrate linux-x86 jobs to self-hosted runners by @skmcgrail in #2708
• Migrate Linux ARM omnibus by @skmcgrail in #2711
• Fixes for android CI tests by @nhatnghiho in #2713
• Check compiler for 'linux/random.h' by @justsmth in #2716
• Prepare 1.61.4 by @justsmth in #2717

Full Changelog: v1.61.3...v1.61.4

v1.61.3

What's Changed

• Remove jitter entropy tests folder by @torben-hansen in #2702
• CodeBuild GitHub Actions Runner Project by @skmcgrail in #2704
• Prepare v1.61.3 by @torben-hansen in #2705

Full Changelog: v1.61.2...v1.61.3

v1.61.2

What's Changed

• Update Android CI config by @justsmth in #2687
• Fix build when path has spaces by @justsmth in #2696
• Fix test issues with run_minimal_tests by @samuel40791765 in #2695
• Fix illumos/OpenSolaris by @justsmth in #2698
• Windows/MSBuild doesn't provide 'all' target by @justsmth in #2697
• Prepare v1.61.2 by @justsmth in #2699

Full Changelog: v1.61.1...v1.61.2

v1.61.1

What's Changed

• Use /FI for MSVC forced-includes by @justsmth in #2684
• More arm64 CI tests by @justsmth in #2674
• Fix duplicate test names in CodeBuild integration tests by @nhatnghiho in #2686
• Support FIPS build for Windows/ARM64 by @justsmth in #2688
• Prepare v1.61.1 by @justsmth in #2685

Full Changelog: v1.61.0...v1.61.1

v1.61.0

What's Changed

• Apply additional X509 validation checks on certificates sourced from trust store by @skmcgrail in #2230
• Reorganizing compatibility tests, rework certificates for better groking by @skmcgrail in #2305
• Additional X.509 Behavior Compatibility Tests by @skmcgrail in #2312
• Add Support for IPv4 and IPv6 X.509 Certificate Name Constraints by @skmcgrail in #2340
• Merge main to x509 by @skmcgrail in #2390
• Reintroduce support for validating DNS commonName subjects when name constraints are present. by @skmcgrail in #2376
• Support client-side hostname checks with leading . by @skmcgrail in #2403
• Verify leaf certificate public key rather then leaving it to the caller by @skmcgrail in #2438
• Support for explicit curve parameter on EC public keys where parameters match supported curves by @skmcgrail in #2642
• Add x86 Keccak implementation by @manastasova in #2619
• Gate EC explicit curve parameters for X.509 behind flag by @skmcgrail in #2648
• Update CPU Jitter Entropy dependency to version 3.6.3 by @torben-hansen in #2654
• Fix benchmarking issues with FIPS main by @samuel40791765 in #2655
• Add standalone MLKEM supported groups by @alexw91 in #2589
• Document and statically assert counters can't overflow by @torben-hansen in #2658
• TLS Transfer Serialization Improvements by @skmcgrail in #2616
• Fix ternary operator in github workflow by @torben-hansen in #2653
• Merge x509 branch into main by @skmcgrail in #2660
• Address clang-ci comments on new x509 code by @skmcgrail in #2662
• Implement snapsafe fallback entropy source by @torben-hansen in #2651
• Rand small fixes by @torben-hansen in #2664
• Import s2n-bignum 2025-09-05-04 by @dkostic in #2667
• Refactor iOS CI script by @justsmth in #2637
• Re-import mlkem-native for addition of CFI directives by @hanno-becker in #2659
• Fix typo in ssl_transfer_asn1 by @samuel40791765 in #2665
• Fix for zig build by @justsmth in #2668
• Update SSLProxy patch by @skmcgrail in #2663
• ML-DSA service indicator by @jakemas in #2666
• Add aes-xts AArch64 implementation that will eventually be imported from s2n-bignum. by @nebeid in #2632
• Fix Keccak MY_ASSEMBLER_IS_TOO_OLD_FOR_512AVX flag by @manastasova in #2670
• Increase SSLBuffer size to INT_MAX by @samuel40791765 in #2673
• Wrap compiler when FIPS w/ clang v20+ by @justsmth in #2671
• Test ACCP in FIPS mode as well as non-FIPS by @WillChilds-Klein in #2669
• fix: Allow zero-length passwords in PEM key decryption by @kingstjo in #2677
• Use CheckCCompilerFlag to test -Wno-cast-function-type by @justsmth in #2678
• Make X509 CodeBuild webhook more resilient by @skmcgrail in #2680
• Prepare AWS-LC v1.61.0 by @justsmth in #2681

Full Changelog: v1.60.0...v1.61.0