pool/aws-lc
SHA256
16
0
Fork 0
Code Issues Pull Requests Activity
Files
factory
aws-lc/aws-lc.changes
Richard Rahl 9d6fa696ad - Update to version 1.67.0: 
* Migrate Wycheproof test vectors for ECDSA, RSA PKCS#1, and some more
  * Rename volatile state/memory to unique state/memory
  * Service Indicator: Add error call trampoline to avoid delocator issue
  * Add support for Big Endian in ACVP tool
  * AES-GCM: Add function pointer trampolines to avoid delocator issue
  * Use already defined macro for no inline
  * Remove Kyber completely
  * Import mldsa-native
  * Use existing session context if new is actually NULL
  * Integrate Wycheproof ML-KEM test vectors
  * Avoid cross-compilation build failure
  * Cleanup pass on Go code in repository
  * Update patch for nmap
- remove vendor-fix.patch, as upstream finally fixed the issue

OBS-URL: https://build.opensuse.org/package/show/security:tls/aws-lc?expand=0&rev=19
2026-01-30 12:23:20 +00:00

455 lines
18 KiB
Plaintext
Raw Permalink Blame History

-------------------------------------------------------------------
Fri Jan 30 11:59:39 UTC 2026 - Richard Rahl <rrahl0@opensuse.org>
- Update to version 1.67.0:
* Migrate Wycheproof test vectors for ECDSA, RSA PKCS#1, and some more
* Rename volatile state/memory to unique state/memory
* Service Indicator: Add error call trampoline to avoid delocator issue
* Add support for Big Endian in ACVP tool
* AES-GCM: Add function pointer trampolines to avoid delocator issue
* Use already defined macro for no inline
* Remove Kyber completely
* Import mldsa-native
* Use existing session context if new is actually NULL
* Integrate Wycheproof ML-KEM test vectors
* Avoid cross-compilation build failure
* Cleanup pass on Go code in repository
* Update patch for nmap
- remove vendor-fix.patch, as upstream finally fixed the issue
-------------------------------------------------------------------
Fri Jan 9 10:05:01 UTC 2026 - Richard Rahl <rrahl0@opensuse.org>
- Update to version 1.66.2:
* Fix incorrect assembler directive in AArch64 code
* Fix the libwebsockets integration test script
* Remove pkcs8 expected in test
* Add randomized unit testing for EVP_CIPHERs
* fix(target): fix mipseb 64bit compile
* Consolidate FORMAT_DER/PEM in tool-openssl
* Replace password string with proper class
* Fix ppc64le; Improve platform detection
-------------------------------------------------------------------
Sun Dec 21 23:21:09 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
- Update to version 1.66.1:
* Iterate through all DNS entries in connect CLI
* Fix socat integration test
* Remove OPENSSL_NO_BF for real
* Add openssl genpkey cli utility tool
* Add stdin support for pkcs8 tool
* Fix extension processing order in x509 cli
* ML-DSA: Missing Private Key Validation Checks
- Update to version 1.66.0:
* Add encap/decapKeyCheck support in ACVP
* Clarify comments and API behaviour for equal-preference for TLS 1.3
* Add support for external contexts in ML-DSA ACVP
* Route ML-DSA ACVP to the right APIs
* Add sha1 CLI
* Fix openssl comparison tests
* tool-openssl: pkcs8 error output on decrypt
* Add RSA_X931_PADDING to rsa.h
* Blowfish OFB Block Cipher Mode Support
* Run ACCP integration tests on aarch64
* Support stdin for openssl rsa tool
* Remove rsa expected in test
* [tool-openssl] basic asn1parse support
* Several CLI Fixes
* Implement enc CLI
- Update to version 1.65.1:
* Adjust image-build-android concurrency group
* s_client: Add TLS 1.2 and 1.3 protocol selection flags
* Add EVP_bf_cfb64
* Add conversion and traceability for third-party test vectors
* Verify size of mlen in ML-DSA external mu mode
* Replicate OpenSSL 1.1.1 behavior for BIO_s_mem BIO_NOCLOSE
* Add ACVP support for AES CFB128
* Add support for HMAC-SHA3 to ACVP tool
* Move dk to Tests in ML-KEM ACVP
- Update to version 1.65.0:
* Use new images for fuzzing and x509
* Remove unused Wycheproof test vectors
* Fix openldap; regenerate configure script
* Fix unchecked return value
* Avoid NULL dereference
* AES-XTS Enc Dec test on rand incremental length inputs
* Make N1 cpucap a subset of that of V1 and V2
* Set SSL_R_NO_CIPHER_MATCH when failing to set ciphers
* Add CFI directives to chacha-armv8.pl
* Add CFI directives in aesv8-armx.pl
* Match req CLI behavior with OpenSSL
* Adjust script to handle other event types
- Update to version 1.64.0:
* Update max polyz value
* Support more "openssl rsa" options
* Additional options for "openssl c_client"
* Use C++11 atomics to update session stats
* Support "openssl dhparam"
* Remove dead code
* Rename snapsafe to VM UBE
* Extend grv asan timeout for Golang to allow completion
* Implement more options for req CLI
* Ensure HMAC_Init_ex reinitializes data properly
- enable more tests, by exposing openssl/bssl tools
- add skip-test.patch, skipping tool_openssl_test, as for some reason,
a lot of features in that tool are not available
-------------------------------------------------------------------
Sat Nov 1 10:04:21 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
- Update to version 1.63.0:
* Failing no-op implementations for several UI functions
* Tool util functions in tool_util.cc
* AES-XTS on AArch64: Set w19 earlier before cipher-stealing of 1 block +
tail
-------------------------------------------------------------------
Sun Oct 19 13:24:28 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
- update to version 1.62.0:
* nginx now supports AWS-LC
* Fix tests that assume X25519 will be negotiated
* Fixing a bug in ML-DSA poly_uniform function
* Migrate integration omnibus
* Delete util/bot directory
* Type fix in mldsa
* Centralize password handling tool-openssl
* crypto/pem: replace strncmp with CRYPTO_memcmp to fix -Wstring-compare error
* Implement dgst CLI command
* Add ASN.1 decoding for ML-KEM private keys as seeds
* Implement genrsa command
* Move udiv and sencond tweak calculations to when needed
* Add null check on RSA key checks
* Implement workaround for FORTIFY_SOURCE warning with jitterentropy
* Implement coverity suggestions
* Add minimal EC CLI tool implementation
* Adding pkeyutl tool to the CLI
* Add option ENABLE_SOURCE_MODIFICATION
* Simple script to build/run tests
* Add build-time option to opt-out of CPU Jitter Entropy
-------------------------------------------------------------------
Tue Oct 7 11:49:42 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
- update to version 1.61.4:
* Pin PyCA version in python integration tests
* Check compiler for 'linux/random.h'
- update to version 1.61.3:
* Remove jitter entropy tests folder
-------------------------------------------------------------------
Sat Sep 20 14:52:18 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
- update to version 1.61.2:
* Fix build when path has spaces
* Fix test issues with run_minimal_tests
- update to version 1.61.1:
* Fix duplicate test names in CodeBuild integration tests
-------------------------------------------------------------------
Tue Sep 16 13:22:56 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
- update to version 1.61.0:
* Apply additional X509 validation checks on certificates sourced from trust store
* Reorganizing compatibility tests, rework certificates for better groking
* Additional X.509 Behavior Compatibility Tests
* Add Support for IPv4 and IPv6 X.509 Certificate Name Constraints
* Merge main to x509
* Reintroduce support for validating DNS commonName subjects when name constraints are present.
* Support client-side hostname checks with leading .
* Verify leaf certificate public key rather then leaving it to the caller
* Support for explicit curve parameter on EC public keys where parameters match supported curves
* Add x86 Keccak implementation
* Gate EC explicit curve parameters for X.509 behind flag
* Update CPU Jitter Entropy dependency to version 3.6.3
* Fix benchmarking issues with FIPS main
* Add standalone MLKEM supported groups
* Document and statically assert counters can't overflow
* TLS Transfer Serialization Improvements
* Fix ternary operator in github workflow
* Merge x509 branch into main
* Address clang-ci comments on new x509 code
* Implement snapsafe fallback entropy source
* Rand small fixes
* Import s2n-bignum 2025-09-05-04
* Refactor iOS CI script
* Re-import mlkem-native for addition of CFI directives
* Fix typo in ssl_transfer_asn1
* Fix for zig build
* Update SSLProxy patch
* ML-DSA service indicator
* Add aes-xts AArch64 implementation that will eventually be imported from s2n-bignum.
* Fix Keccak MY_ASSEMBLER_IS_TOO_OLD_FOR_512AVX flag
* Increase SSLBuffer size to INT_MAX
* Wrap compiler when FIPS w/ clang v20+
* Test ACCP in FIPS mode as well as non-FIPS
* fix: Allow zero-length passwords in PEM key decryption
* Use CheckCCompilerFlag to test -Wno-cast-function-type
* Make X509 CodeBuild webhook more resilient
- update to version 1.60.0:
* Anchor CodeBuild account-id patterns
* Implement read/write timeouts for BIO datagram
* Migrate from CodeBuild account actor filter to pull request comment filter
based on GitHub permissions
* Implement ragdoll
* Add expandedKey ASN.1 encoding for KEM keys
-------------------------------------------------------------------
Fri Aug 29 11:30:05 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
- update to version 1.59.0:
* Support other field for PKCS7
* Add CFI directives to armv8-mont
* Add back RC4_options from decrepit
* Apache httpd integration test
* Fix clang-21 compile error
* Fix MariaDB integration test
* ML-KEM: Re-import mlkem-native
* ML-KEM: import and enable x86_64 backend from mlkem-native
* X509_REQ_verify for MLDSA44 and MLDSA87
* Remove BIT_INTERLEAVE support
* ML-KEM: Fix mlkem-native importer.sh
* Add CFI directives in md5-armv8.pl
-------------------------------------------------------------------
Thu Aug 14 12:47:07 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
- update to version 1.58.1:
* Add support for EVP_PKEY_param_check
* Move check-linkage.sh to util
-------------------------------------------------------------------
Tue Aug 12 18:33:26 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
- update to version 1.58.0:
* Add EVP_PKEY_check and EVP_PKEY_public_check
* Rewrite 4-fold batched SHAKE to be amenable to batched Keccak-F1600 assembly
* Fix Win64 unwind info alignment
* Migrate MSVC tests to CodeBuild
* Add optimized + verified hybrid AArch64 assembly for batched SHA3/SHAKE
* target.h: more clearly check for ppc64 endianness
* Impl SSL_client_hello_get1_extensions_present and friends
* Implement SSL_set_verify_result
* ML-DSA constant-time hardening for caddq, poly_chknorm, decompose
-------------------------------------------------------------------
Mon Aug 11 11:13:59 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
- update to version 1.57.1:
* Resolve issue with conflicting pkg-config variables
- update to version 1.57.0:
* Preparation for Adopting SONAME and ABI Versioning
* Offer P521 for signature_algorithms in client Hello
* ML-KEM: Import AArch64 backend from mlkem-native
* Add back X509_STORE_get_verify_cb and X509_STORE_set_lookup_crls_cb
* Explicitly test that input length is as expected for ed25519ph
* Fix Libwebsocket Build
* Return NULL when a NULL or empty string is passed to NETSCAPE_SPKI_b64_decode
* Reimplement SSL_clear_num_renegotiations
* ABI monitoring GitHub workflow improvements
* Migrate Openssl-tool parameter parsing
* Add HMAC SHA3 benchmarks
* Re-import s2n-bignum after merge of ML-KEM/Keccak functionality
* Integrate formally verified AArch64 Keccak-x1 assembly
* Add a couple more no-ops for legacy builds
- remove soname.patch, as upstream formally introduced a soname
- adjust the lib names
- add the crypto lib as a requires to the devel package
-------------------------------------------------------------------
Wed Jul 23 13:51:05 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
- update to version 1.56.0:
* Export BIO_f_md for consumers
* Remove obsolete python main patch
* Remove redundant conditions
* Implement pkcs8 cli
* Export BF_cfb64_encrypt
* Add pkey command to CLI tool
* Improve OpenSSL compatibility
* Fix PKCS12 Error Code
* Use SP 800-56Arev3 Section 5.6.2.1.4.b instead of
ECDSA PCT method
* Minimize the nginx patch even further
* Add LC contributors to allowlist
* Align -help return codes in tool-openssl CLI to match Openssl
* Dynamically link AWS-LC in cpython integration tests
* Add missing x509 CI to list of tests
* docs: Add FIPS documentation to BUILDING.md and README.md
* Implement SSL_CTX_set_client_hello_cb for ClientHello callback
* tool-openssl: Fix warning 'strnlen' specified bound 4096 exceeds
source size 128
* Pull in SSL_get_negotiated_group and TLSEXT_nid_unknown
from upstream
* Document non-support of TLS 1.3
- update to version 1.55.0:
* Add SSL_CTRL defines for SSL_*_tlsext_status_type
* Implement HMAC over SHA3 truncated variants
* Temporarily allowlist the webhook actors to AWS-LC
* Rework memory BIOs and implement BIO_seek
* s2n-bignum: Add prefix header to _s2n_bignum_internal.h
-------------------------------------------------------------------
Mon Jun 30 12:50:18 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
- update to 1.54.0:
* Rename SSL test files to match Scrutinice filter
* Order tool output
* Fix Console Test Suite Execution Locally
* Re-remove afunix.h
* Note a couple of typoed struct names that we'll leave alone
* Document that EVP_PKEY_CTX_set_rsa_keygen_pubexp takes ownership
* Remove sys headers from bio.h
* rwlock race tests is not a GoogleTest executable
* Add two new APIs to expose TLS 1.3 traffic secrets for kTLS
* Intentionally redefine iovec in headers as CI
- update to 1.53.1:
* Add timeouts to PQ TLS Integ Tests
* Split ssl handshake tests
* Add password prompting support & EVP_read_pw_string
* Impl BIO_ADDR_xxx functions
* Update mlkem-native to v1
- update to 1.53.0:
* Add build with hardened flag
* Openssl tool output ordered
* [SCRUTINICE] Remove redundant condition check
* Support relro in delocator
* Explicitly don't allow buffers aliasing in ctr-drbg implementation
* Remove unused Windows afunix.h
* Revert "Rework memory BIOs and implement BIO_seek (2nd try) (#2433)"
* Use max_cert_list for TLSv1.3 NewSessionTicket
* ML-KEM memory safety
* Improve support for multilib-style distros in our test scripts
* Fix Ru
* Add hardened build back in
* Fix OCSP integration test failures
* Fix some theoretical missing earlyclobber markers in inline assembly
* Simplify sshkdf and kbkdf
* Run 3p module tests on python 3.13, add patch for 3.14
* Fix service indicator in HKDF, more paranoid zeroization, and simplify logic
= make it so that the patch adapts to the version
- exclude %{arm} as those are not suppported and don't build
-------------------------------------------------------------------
Fri Jun 13 18:50:39 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
- adapt soname.patch to also give a version to libcrypto (fixes boo#1244562)
- bump soversion to actual aws-lc version
-------------------------------------------------------------------
Wed Jun 11 11:22:45 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
- conflict the correct package
-------------------------------------------------------------------
Wed Jun 4 13:37:07 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
- Update to 1.52.1:
* Increase default salt from 8 to 16 bytes for PKCS#8 & PKCS#12
* fix(nix): Make sure bssl is in the PATH; workaround nix build failure…
* Fix path-has-spaces test
* Display X509 fingerprint after hash
- Update to 1.52.0:
* Set OPENSSL_NO_EXTERNAL_PSK_TLS13 to indicate lack of TLS 1.3 PSK
* BIO datagram functions
* Reject NewSessionTicket messages with empty tickets in TLS 1.3
* Fix socket test issues
* Remove python CI patch for main
* Remove xmlsec patch
* Mark fallible container operations as nodiscard
* Remove extra va_end in err_add_error_vdata
* Check for QUIC in SSL_process_quic_post_handshake
* Add missing symbols for Unbound
* Update mlkem-native
* Squelch clang-tidy
* Clang-tidy is still noisy
* Add back two rules for clang-tidy
* Implement BIO_dump
* Make ASN1_get_object a direct call
* Rework memory BIOs and implement BIO_seek
* ML-DSA: ASN.1 Module - add parsing of BOTH private key format
* Detection of unused results
* Fix gtest_util.sh failure detection
* Remove unused docs/configs
* ML-DSA: Add ML-DSA keyGen to break-kat.go
* Bump AWSLC_API_VERSION for X509_STORE_CTX_set_verify_crit_oids
* Revert "Rework memory BIOs and implement BIO_seek
* Resolve SSL_PRIVATE_METHOD and certificate slots functionality
- Update to 1.51.2:
* Fix prefix build when path has spaces
- Update to 1.51.1:
* nothing of relevance
- Update to 1.51.0:
* Fix ImplDispatchTest for 32-bit x86 build
* Revert "Update patch for Postgres
* Fix socat test
* Remove special s2n-bignum source code processing at buid-time
* Correct typo in malloc debug environment variable
* Fix PQ Integration tests
* Remove patch for IbmTpm
* Support allowing specific unknown critical extensions
- Update to 1.50.1:
* Expand .clang-tidy configuration
* nginx-1.28.0 aws-lc-nginx.patch
* s2n bignum import method change
* Fix a theoretical overflow in BIO_printf
* Fix tpm2-tss integration tes
- Update to 1.50.0:
* Remove FFDHE and SECLEVEL python test patches
* Remove unused ENABLE_DILITHIUM CMake option
* SSL_in_*_init macros
* Fix link to bcm.c in FIPS.md
* Make sure it builds with CMake v4.0
* Update formal verification section in README.md
* Implement legacy callback with BIO_set_callback
* Import mlkem-native
* Split out socket BIO tests
* Run clang tidy
* Reinstate indefinite length and [UNIVERSAL 0] support in crypto/asn1
* Implemented no-op CRYPTO_mem_ctrl
* SCRUTINICE Fixes
* Fix clang-tidy lints
* Reinstate support for constructed strings in crypto/asn1
* Add SecP384r1MLKEM1024
* Fix CMake (< v3.20) warning
* Add MLDSA44 and MLDSA87 to OBJ_find_sigid_algs
* Bump AWSLC_API_VERSION to account for OBJ_find_sigid_algs bug
* Add AES CBC cipher to speed.cc
* Add X509_VERIFY_PARAM_get_hostflags
* Enable IPv6 for curl integ
* Add null check for EVP_get_digestbyobj
- Update to 1.49.1:
* FIPS Integrity Hash Tooling
* Add more build options to match callback build
* Add req to OpenSSL CLI tool
- Update to 1.49.0:
* Revert "Allow constructed strings in BER parsing
* Add the rehash utility to the openssl CLI tool
* Documentation on service indicator
* Reject DSA trailing garbage in EVP layer, add test cases
* Add support for verifying PKCS7 signed attributes
* Add support for more SSL BIO functions
* Adding detection of out-of-bound pre-bound memory read to AES-XTS tests
* AES: Add function pointer trampoline to avoid delocator issue
* Cherrypick hardening DSA param checks from BoringSSL
- move services from disabled to manual
- add patches disable-integrationtest.patch (needs internet), vendor-fix.patch (go mod tidy)
and soname.patch (changes soname, so we can co-install the lib)
- rework the packages we create
-------------------------------------------------------------------
Thu Mar 27 23:23:17 UTC 2025 - Georg Pfuetzenreuter <georg.pfuetzenreuter@suse.com>
- Update to version 1.48.5
- Package OpenSSL files
- Move bssl out of devel subpackage
- Switch to obs_scm
- Cleanup
-------------------------------------------------------------------
Wed Oct 12 05:59:59 UTC 2022 - John Vandenberg <jayvdb@gmail.com>
- Initial spec for v1.3.0
Reference in New Issue View Git Blame Copy Permalink