@ttunglee

  1. Add XAES-256-GCM, which is extended AES-256-GCM with a derived key mode proposed by Filippo Valsorda in 2023, followed by a specification released in 2024. The key commitment extension follows https://eprint.iacr.org/2025/758.pdf#page=6.
  2. This implementation supports the EVP_CIPHER API and uses an optimized CMAC dedicated to the specific use case of XAES-256-GCM from XAES-256-GCM #2652 to derive subkeys and key commitments.
  3. Support varying nonce sizes: 20 ≤ b ≤ 24 based on the extension: https://eprint.iacr.org/2025/758.pdf#page=24

Description of Changes

  1. Implementation for API EVP_CIPHER of XAES-256-GCM with Key Commitment is appended to e_aes.c
  2. The tests are appended to cipher_tests.txt.
  3. TestCipherAPI (https://github.com/ttungle96/aws-lc/blob/xaes-256-gcm/crypto/cipher_extra/cipher_test.cc#L184) and TestCipher (https://github.com/ttungle96/aws-lc/blob/xaes-256-gcm/crypto/cipher_extra/cipher_test.cc#L473) in cipher_test.cc each have a parameter named kc added at the end, with a default value, to support testing ciphers with key commitment without disrupting legacy code.

Testing

Reuse the test vectors in #2750 with our own added key commitment values.

```
./crypto_test --gtest_filter='All/PerAEADTest.*'
./crypto_test --gtest_filter='CipherTest.*'
```

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.
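
As an added illustration (not code from this PR or from AWS-LC): the XAES-256-GCM key-derivation step for the standard 24-byte nonce, following the published C2SP XAES-256-GCM specification, next to a generic AES-CMAC, which shows why a CMAC dedicated to this use needs only one AES call per output block. All function names are hypothetical, the small AES-256 is a readable reference rather than a constant-time implementation, and the key-commitment and 20 to 23 byte nonce extensions from the eprint paper are not shown.

```c
#include <stdint.h>
#include <string.h>

static uint8_t SBOX[256];
/* Multiply by x in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1. */
static uint8_t xtime(uint8_t a) { return (uint8_t)((a << 1) ^ ((a & 0x80) ? 0x1b : 0)); }

static uint8_t gmul(uint8_t a, uint8_t b) {
    uint8_t r = 0;
    for (; b; b >>= 1, a = xtime(a)) if (b & 1) r ^= a;
    return r;
}

/* AES S-box: multiplicative inverse (brute force), then the affine transform. */
static void sbox_init(void) {
    for (int a = 0; a < 256; a++) {
        uint8_t inv = 0, s = 0x63;
        for (int b = 1; a && b < 256; b++)
            if (gmul((uint8_t)a, (uint8_t)b) == 1) inv = (uint8_t)b;
        for (int i = 0; i <= 4; i++) s ^= (uint8_t)((inv << i) | (inv >> (8 - i)));
        SBOX[a] = s;
    }
}

void aes256_expand(const uint8_t key[32], uint8_t rk[240]) {
    uint8_t rcon = 1, t[4], t0;
    if (!SBOX[0]) sbox_init();
    memcpy(rk, key, 32);
    for (int i = 32; i < 240; i += 4) {
        memcpy(t, rk + i - 4, 4);
        if (i % 32 == 0) {             /* RotWord, SubWord, Rcon */
            t0 = t[0];
            t[0] = SBOX[t[1]] ^ rcon; t[1] = SBOX[t[2]]; t[2] = SBOX[t[3]]; t[3] = SBOX[t0];
            rcon = xtime(rcon);
        } else if (i % 32 == 16) {     /* extra SubWord used by AES-256 */
            for (int j = 0; j < 4; j++) t[j] = SBOX[t[j]];
        }
        for (int j = 0; j < 4; j++) rk[i + j] = rk[i - 32 + j] ^ t[j];
    }
}

void aes256_encrypt_block(const uint8_t rk[240], const uint8_t in[16], uint8_t out[16]) {
    uint8_t s[16], t[16];
    for (int i = 0; i < 16; i++) s[i] = in[i] ^ rk[i];
    for (int r = 1; r <= 14; r++) {
        /* SubBytes and ShiftRows in one pass; the state is column-major. */
        for (int i = 0; i < 16; i++) t[i] = SBOX[s[(i + 4 * (i % 4)) % 16]];
        for (int c = 0; r < 14 && c < 16; c += 4) {  /* MixColumns, not in the last round */
            uint8_t a0 = t[c], all = t[c] ^ t[c + 1] ^ t[c + 2] ^ t[c + 3];
            t[c] ^= all ^ xtime(t[c] ^ t[c + 1]);
            t[c + 1] ^= all ^ xtime(t[c + 1] ^ t[c + 2]);
            t[c + 2] ^= all ^ xtime(t[c + 2] ^ t[c + 3]);
            t[c + 3] ^= all ^ xtime(t[c + 3] ^ a0);
        }
        for (int i = 0; i < 16; i++) s[i] = t[i] ^ rk[16 * r + i];
    }
    memcpy(out, s, 16);
}

/* Doubling in GF(2^128): the CMAC subkey step. */
static void dbl(uint8_t b[16]) {
    uint8_t carry = b[0] >> 7;
    for (int i = 0; i < 15; i++) b[i] = (uint8_t)((b[i] << 1) | (b[i + 1] >> 7));
    b[15] = (uint8_t)((b[15] << 1) ^ (carry ? 0x87 : 0));
}

/* Generic AES-CMAC (RFC 4493), present only as the reference for the shortcut. */
void aes256_cmac(const uint8_t rk[240], const uint8_t *m, size_t len, uint8_t mac[16]) {
    uint8_t k1[16] = {0}, k2[16], x[16] = {0}, last[16] = {0};
    size_t n = len ? (len + 15) / 16 : 1, tail = len - 16 * (n - 1);
    aes256_encrypt_block(rk, k1, k1); dbl(k1);
    memcpy(k2, k1, 16); dbl(k2);
    for (size_t b = 0; b + 1 < n; b++) {
        for (int i = 0; i < 16; i++) x[i] ^= m[16 * b + i];
        aes256_encrypt_block(rk, x, x);
    }
    memcpy(last, m + 16 * (n - 1), tail);
    if (tail < 16) last[tail] = 0x80;            /* pad an incomplete block, use K2 */
    for (int i = 0; i < 16; i++) x[i] ^= last[i] ^ (tail == 16 ? k1[i] : k2[i]);
    aes256_encrypt_block(rk, x, mac);
}

/* Derivation for a 24-byte nonce N: Kx = CMAC(M1) || CMAC(M2), Nx = N[12:24],
 * with Mi = 0x00 || i || 'X' || 0x00 || N[0:12]. Each Mi is exactly one full
 * block, so CMAC(Mi) collapses to AES_K(Mi xor K1): no chaining, no padding, no K2. */
void xaes256gcm_derive(const uint8_t key[32], const uint8_t nonce[24],
                       uint8_t kx[32], uint8_t nx[12]) {
    uint8_t rk[240], k1[16] = {0}, m[16];
    aes256_expand(key, rk);
    aes256_encrypt_block(rk, k1, k1);            /* L = AES_K(0^128) */
    dbl(k1);                                     /* K1 = L * x */
    for (uint8_t ctr = 1; ctr <= 2; ctr++) {
        m[0] = 0; m[1] = ctr; m[2] = 'X'; m[3] = 0;
        memcpy(m + 4, nonce, 12);
        for (int i = 0; i < 16; i++) m[i] ^= k1[i];
        aes256_encrypt_block(rk, m, kx + 16 * (ctr - 1));
    }
    memcpy(nx, nonce + 12, 12);
}
```

The derived `kx` and `nx` are then used as the key and 96-bit nonce of an ordinary AES-256-GCM call; only the first 12 nonce bytes influence the derived key.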

skmcgrail and others added 28 commits November 13, 2025 12:11
### Description of changes: 
File cleanups will come later, just getting this out of the pipeline so
the velocity of deployment can keep pace. These images are only relevant
to the FIPS branches at this point that still reference them, and the
Android device farm build. Both of those will be solved soon.

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.
### Issues:
Resolves P326912985

### Description of changes: 
Fix bind9 CI job

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.

Co-authored-by: Sanketh Menda <[email protected]>
### Issues:
Resolves P321757685

### Description of changes: 
Fix a scrutiny warning with an unchecked return value

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.

Co-authored-by: Sanketh Menda <[email protected]>
### Issues:
Addresses: V1998659133

### Description of changes: 
Fix Apache httpd CI 

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.
### Issues:
Resolves V1998660903

### Description of changes: 
Fix tpm2-tss CI job -- updates the patches.

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.
…ng IAM policies (aws#2824)

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.
### Description of changes: 
Fix failing OCSP tests, blocking CI.

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.
### Description of changes: 
Fix HAProxy CI failures

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.
### Description of changes: 
Migrate the Android image build to GitHub workflow managed docker image
build. I also have added a helper action
`./.github/actions/configure-aws-credentials` which will handle logging
into the OIDC base-role and then will perform a chained assume role with
those credentials to the target roleName. So this is the first workflow
that is specifically using the OIDC docker image build role that I will
also migrate the other workflows to use, and eventually all workflows
that need privileged access to pull container images etc.

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.
By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.
### Issues:
Addresses: P334723467

### Description of changes: 
Avoid potential dereference of NULL return from `OBJ_nid2ln`.


By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.
### Issues:

N/A -- AWS-LC does not have a systematic way to track and sync
cryptographic test vectors from external sources like Wycheproof.

### Description of changes: 

This PR adds `third_party/vectors/` with:
- `sync.py` - python script to sync existing vectors and add new ones
- `sources.toml` - straightforward config of upstream sources  
- `vectorslib/` - utility functions (will host upcoming conversion
logic)
- `upstream/` - unmodified upstream test vectors (always checked in for
transparency)
- `upstream/wycheproof/`- initial import from Wycheproof including
`LICENSE` and `aes_gcm_test.json`

### Call-outs:

- conversion hasn't yet been implemented, `convert_sources()` is a
placeholder - will be implemented in the next PR
- `--check` mode is documented but not yet implemented

### Testing:

Manually tested:
- `./sync.py --new wycheproof/testvectors_v1/aes_gcm_test.json`
successfully adds new file
- `./sync.py` verifies existing files are in sync with upstream
- successfully handles error cases: invalid source names, missing files,
and duplicate files

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.
Add incremental length random input message tests for AES-XTS
encryption/decryption

## Issues:
N/A

## Description of changes:
AWS-LC's current AES-XTS tests use fixed-size test vectors but do not
systematically verify that encryption and decryption work correctly
across different message lengths.

This PR adds a new test that generates random inputs of incremental
lengths and verifies that `encrypt(decrypt(input)) == input` for each
length. This ensures that AES-XTS correctly handles messages of varying
sizes, particularly:
- Messages at and above the minimum length (16 bytes)
- Messages that require ciphertext stealing (non-block-aligned sizes)
- Messages of various sizes up to the practical maximum

The tests also add explicit length equality checks between plaintext and
ciphertext to catch potential length-related bugs early.

## Call-outs:
The test provides better confidence in correctness across different
input sizes.

## Testing:
`./crypto/crypto_test --gtest_filter=XTSTest.EncryptDecryptRand.`

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.
- Change: On a V1/V2 machine, when we detect we're on it, we set the bit
N1 to 1 as well
  - On an N1 machine, we will only set the bit N1 as we do now
- Change: When we check if we're on N1, we check that N1 is set but both
V1 and V2 are 0
- When we check if we're on V1/V2, we check their respective bit as we
do now
- Benefit: On a V2 machine, we can set to 0 the bit V1, leaving the bit
N1 on and now the code path will think it's on an N1 machine and N1
Keccak-4x code path can be tested on V1 or V2.
- Without this change, we cannot set bit N1 on a V2 machine; we will get
a fatal error like the one below. That's because we can unset an
existing capability but we cannot set a non-existing one.
- Rationale: we can think of the N1 capabilities as a subset of those of
V1 and V2, so enabling its bit is semantically valid

Testing:
4 different benchmarking results for Keccak-4x are showing on Graviton 4
(V2) with various capability settings
```
# To find the default capabilities
$ OPENSSL_armcap=0xFFFF   ./tool/bssl speed -filter SHAKE256-x4                                                                                                      
Fatal Error: HW capability found: 0x3C8FD, but HW capability requested: 0xFFFF.

# Bit assignment
# 7: N1, 11: SHA3, 12: V1, 14: V2
# default benchmark of SHAKE256-4x
$ ./tool/bssl speed -filter SHAKE256-x4                                                                                                                                  
Did 1464000 SHAKE256-x4 (Absorb) (16 bytes) operations in 1000040us (1463941.4 ops/sec): 23.4 MB/s
Did 823000 SHAKE256-x4 (Absorb) (256 bytes) operations in 1000725us (822403.8 ops/sec): 210.5 MB/s
Did 183000 SHAKE256-x4 (Absorb) (1350 bytes) operations in 1003286us (182400.6 ops/sec): 246.2 MB/s
Did 31000 SHAKE256-x4 (Absorb) (8192 bytes) operations in 1010747us (30670.4 ops/sec): 251.3 MB/s
Did 16000 SHAKE256-x4 (Absorb) (16384 bytes) operations in 1033110us (15487.2 ops/sec): 253.7 MB/s
Did 1473000 SHAKE256-x4 (Squeeze) (16 bytes) operations in 1000369us (1472456.7 ops/sec): 23.6 MB/s
Did 778000 SHAKE256-x4 (Squeeze) (256 bytes) operations in 1000773us (777399.1 ops/sec): 199.0 MB/s
Did 164000 SHAKE256-x4 (Squeeze) (1350 bytes) operations in 1004048us (163338.8 ops/sec): 220.5 MB/s
Did 28000 SHAKE256-x4 (Squeeze) (8192 bytes) operations in 1033405us (27094.9 ops/sec): 222.0 MB/s
Did 14000 SHAKE256-x4 (Squeeze) (16384 bytes) operations in 1024232us (13668.8 ops/sec): 223.9 MB/s

# V2 code path (same as default). This can work on V1 as well using `OPENSSL_armcap=0x107D`
$ OPENSSL_armcap=0x407D   ./tool/bssl speed -filter SHAKE256-x4                                                                                                    
Did 1455000 SHAKE256-x4 (Absorb) (16 bytes) operations in 1000628us (1454086.8 ops/sec): 23.3 MB/s
Did 824000 SHAKE256-x4 (Absorb) (256 bytes) operations in 1000359us (823704.3 ops/sec): 210.9 MB/s
Did 183000 SHAKE256-x4 (Absorb) (1350 bytes) operations in 1002131us (182610.9 ops/sec): 246.5 MB/s
Did 31000 SHAKE256-x4 (Absorb) (8192 bytes) operations in 1009942us (30694.8 ops/sec): 251.5 MB/s
Did 16000 SHAKE256-x4 (Absorb) (16384 bytes) operations in 1032534us (15495.9 ops/sec): 253.9 MB/s
Did 1465000 SHAKE256-x4 (Squeeze) (16 bytes) operations in 1000080us (1464882.8 ops/sec): 23.4 MB/s
Did 777000 SHAKE256-x4 (Squeeze) (256 bytes) operations in 1000265us (776794.1 ops/sec): 198.9 MB/s
Did 164000 SHAKE256-x4 (Squeeze) (1350 bytes) operations in 1005024us (163180.2 ops/sec): 220.3 MB/s
Did 28000 SHAKE256-x4 (Squeeze) (8192 bytes) operations in 1031505us (27144.8 ops/sec): 222.4 MB/s
Did 14000 SHAKE256-x4 (Squeeze) (16384 bytes) operations in 1022396us (13693.3 ops/sec): 224.4 MB/s

# N1 code path
$ OPENSSL_armcap=0xFD   ./tool/bssl speed -filter SHAKE256-x4                                                                                                            
Did 1297000 SHAKE256-x4 (Absorb) (16 bytes) operations in 1000558us (1296276.7 ops/sec): 20.7 MB/s
Did 714000 SHAKE256-x4 (Absorb) (256 bytes) operations in 1001360us (713030.3 ops/sec): 182.5 MB/s
Did 156000 SHAKE256-x4 (Absorb) (1350 bytes) operations in 1000112us (155982.5 ops/sec): 210.6 MB/s
Did 27000 SHAKE256-x4 (Absorb) (8192 bytes) operations in 1032464us (26151.0 ops/sec): 214.2 MB/s
Did 14000 SHAKE256-x4 (Absorb) (16384 bytes) operations in 1060417us (13202.4 ops/sec): 216.3 MB/s
Did 1303000 SHAKE256-x4 (Squeeze) (16 bytes) operations in 1000588us (1302234.3 ops/sec): 20.8 MB/s
Did 681000 SHAKE256-x4 (Squeeze) (256 bytes) operations in 1000333us (680773.3 ops/sec): 174.3 MB/s
Did 143000 SHAKE256-x4 (Squeeze) (1350 bytes) operations in 1003421us (142512.5 ops/sec): 192.4 MB/s
Did 24000 SHAKE256-x4 (Squeeze) (8192 bytes) operations in 1014605us (23654.5 ops/sec): 193.8 MB/s
Did 12000 SHAKE256-x4 (Squeeze) (16384 bytes) operations in 1005765us (11931.2 ops/sec): 195.5 MB/s

# SHA-3 extension code path (used on M processors)
$ OPENSSL_armcap=0x87D   ./tool/bssl speed -filter SHAKE256-x4                                                                                                           
Did 762000 SHAKE256-x4 (Absorb) (16 bytes) operations in 1000347us (761735.7 ops/sec): 12.2 MB/s
Did 410000 SHAKE256-x4 (Absorb) (256 bytes) operations in 1001014us (409584.7 ops/sec): 104.9 MB/s
Did 87000 SHAKE256-x4 (Absorb) (1350 bytes) operations in 1007343us (86365.8 ops/sec): 116.6 MB/s
Did 15000 SHAKE256-x4 (Absorb) (8192 bytes) operations in 1046478us (14333.8 ops/sec): 117.4 MB/s
Did 7290 SHAKE256-x4 (Absorb) (16384 bytes) operations in 1008399us (7229.3 ops/sec): 118.4 MB/s
Did 762000 SHAKE256-x4 (Squeeze) (16 bytes) operations in 1000376us (761713.6 ops/sec): 12.2 MB/s
Did 396000 SHAKE256-x4 (Squeeze) (256 bytes) operations in 1000504us (395800.5 ops/sec): 101.3 MB/s
Did 82000 SHAKE256-x4 (Squeeze) (1350 bytes) operations in 1004520us (81631.0 ops/sec): 110.2 MB/s
Did 14000 SHAKE256-x4 (Squeeze) (8192 bytes) operations in 1038071us (13486.6 ops/sec): 110.5 MB/s
Did 6840 SHAKE256-x4 (Squeeze) (16384 bytes) operations in 1005651us (6801.6 ops/sec): 111.4 MB/s

# fallback to Perl assembly
$ OPENSSL_armcap=0x7D   ./tool/bssl speed -filter SHAKE256-x4                                                                                                            
Did 793000 SHAKE256-x4 (Absorb) (16 bytes) operations in 1000394us (792687.7 ops/sec): 12.7 MB/s
Did 426000 SHAKE256-x4 (Absorb) (256 bytes) operations in 1000583us (425751.8 ops/sec): 109.0 MB/s
Did 91000 SHAKE256-x4 (Absorb) (1350 bytes) operations in 1009347us (90157.3 ops/sec): 121.7 MB/s
Did 15000 SHAKE256-x4 (Absorb) (8192 bytes) operations in 1001652us (14975.3 ops/sec): 122.7 MB/s
Did 7570 SHAKE256-x4 (Absorb) (16384 bytes) operations in 1001905us (7555.6 ops/sec): 123.8 MB/s
Did 795000 SHAKE256-x4 (Squeeze) (16 bytes) operations in 1001123us (794108.2 ops/sec): 12.7 MB/s
Did 412000 SHAKE256-x4 (Squeeze) (256 bytes) operations in 1001381us (411431.8 ops/sec): 105.3 MB/s
Did 86000 SHAKE256-x4 (Squeeze) (1350 bytes) operations in 1011160us (85050.8 ops/sec): 114.8 MB/s
Did 15000 SHAKE256-x4 (Squeeze) (8192 bytes) operations in 1067129us (14056.4 ops/sec): 115.2 MB/s
Did 7634 SHAKE256-x4 (Squeeze) (16384 bytes) operations in 1077150us (7087.2 ops/sec): 116.1 MB/s

# Note: N1 is picked up even if the bit of SHA3 is set
$ OPENSSL_armcap=0x8FD   ./tool/bssl speed -filter SHAKE256-x4                                                                                                           
Did 1298000 SHAKE256-x4 (Absorb) (16 bytes) operations in 1000455us (1297409.7 ops/sec): 20.8 MB/s
Did 714000 SHAKE256-x4 (Absorb) (256 bytes) operations in 1001327us (713053.8 ops/sec): 182.5 MB/s
Did 157000 SHAKE256-x4 (Absorb) (1350 bytes) operations in 1006211us (156030.9 ops/sec): 210.6 MB/s
Did 27000 SHAKE256-x4 (Absorb) (8192 bytes) operations in 1032000us (26162.8 ops/sec): 214.3 MB/s
Did 14000 SHAKE256-x4 (Absorb) (16384 bytes) operations in 1059878us (13209.1 ops/sec): 216.4 MB/s
Did 1303000 SHAKE256-x4 (Squeeze) (16 bytes) operations in 1000746us (1302028.7 ops/sec): 20.8 MB/s
Did 681000 SHAKE256-x4 (Squeeze) (256 bytes) operations in 1000193us (680868.6 ops/sec): 174.3 MB/s
Did 143000 SHAKE256-x4 (Squeeze) (1350 bytes) operations in 1003264us (142534.8 ops/sec): 192.4 MB/s
Did 24000 SHAKE256-x4 (Squeeze) (8192 bytes) operations in 1014346us (23660.6 ops/sec): 193.8 MB/s
Did 12000 SHAKE256-x4 (Squeeze) (16384 bytes) operations in 1005506us (11934.3 ops/sec): 195.5 MB/s
```
By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.
)

### Description of changes: 
Android Image Build workflow uses OIDC, since I use that workflow as a
reusable workflow in a top-level workflow, that top-level workflow
itself must also have OIDC token permissions.

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.
### Issues:
Addresses: aws/aws-lc-rs#950

### Description of changes: 
Some Linux platforms/environments might not have `__NR_getrandom`
defined, which causes build failures.

### Testing:
Added new CI test. I verified that this test currently fails on main,
matching the issue reported:
https://github.com/aws/aws-lc/actions/runs/19438524836/job/55615707244#step:4:305

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.
### Description of changes: 

OpenSSL 1.1.1 has logic
[here](https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/ssl/ssl_lib.c#L2588)
to set an error code to indicate that no cipher match was found if zero
ciphers are set given a cipher configuration string. This adds an error
code to similarly match this scenario when attempting to set a
user-provided cipher configuration string, rather than just the presence
of the vague "INVALID_COMMAND" that comes internally from the cipher
string parser.

#### Before
```
./openssl s_client -connect amazon:443 -cipher LOW:KEY
Failed setting cipher list
902517376:error:1000009e:SSL routines:OPENSSL_internal:INVALID_COMMAND:/home/mcgrails/workspace/aws-lc/ssl/ssl_cipher.cc:1172:
```

#### After
```
./openssl s_client -connect amazon:443 -cipher LOW:KEY
Failed setting cipher list
902517376:error:1000009e:SSL routines:OPENSSL_internal:INVALID_COMMAND:/home/mcgrails/workspace/aws-lc/ssl/ssl_cipher.cc:1172:
902517376:error:100000b1:SSL routines:OPENSSL_internal:NO_CIPHER_MATCH:/home/mcgrails/workspace/aws-lc/ssl/ssl_lib.cc:2263:
```

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.
### Issues:
Addresses aws#2459

### Description of changes: 
Continuation of the fixes. 

### Call-outs:
This doesn't fix everything, something else is still messing up the
stack for a few other calls which creates an issue for the C function:
<img width="1038" height="231" alt="image"
src="https://github.com/user-attachments/assets/6002ea77-fb1e-4511-b035-cc36aff668e7"
/>

### Testing:
Before:
<img width="1204" height="457" alt="image"
src="https://github.com/user-attachments/assets/d58d5ec8-6cd1-4835-9a6c-1094de0bb781"
/>

After:
<img width="1210" height="461" alt="image"
src="https://github.com/user-attachments/assets/516b678a-2f42-4ef8-88c4-78cff267e220"
/>


By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.
### Issues:
Addresses aws#2459

### Description of changes: 
Add more missing CFI directives.

### Call-outs:
Point out areas that need special attention or support during the review
process. Discuss architecture or design changes.

### Testing:
Before:
<img width="1205" height="520" alt="image"
src="https://github.com/user-attachments/assets/b270969a-5108-4226-8526-1ed36b643b1e"
/>

After:
<img width="1208" height="524" alt="image"
src="https://github.com/user-attachments/assets/858f2002-a471-4dbb-ade7-3c76538262fb"
/>


By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.
Bumps [openssl](https://github.com/sfackler/rust-openssl) from 0.10.66
to 0.10.73.
Release notes, sourced from [openssl's releases](https://github.com/sfackler/rust-openssl/releases):

openssl-v0.10.73, What's Changed:
- test against openssl 3.5.0 by @alex in sfackler/rust-openssl#2392
- Support Libressl 4.1 by @botovq in sfackler/rust-openssl#2398
- Release openssl-sys v0.9.108 by @alex in sfackler/rust-openssl#2399
- Replace ctest2 with ctest by @botovq in sfackler/rust-openssl#2403
- fixed building on the latest boringssl by @alex in sfackler/rust-openssl#2414
- Release openssl v0.10.73 and openssl-sys v0.9.109 by @alex in sfackler/rust-openssl#2415

Full Changelog: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.72...openssl-v0.10.73

openssl-v0.10.72, What's Changed:
- make set_rsa_oaep_md visible to boringssl config by @frncs-rss in sfackler/rust-openssl#2372
- Fix typo in openssl-sys build script by @rushilmehra in sfackler/rust-openssl#2375
- Unify the two BoringSSL codepaths a bit and simplify init by @davidben in sfackler/rust-openssl#2377
- pkey_ctx: Fix link to the corresponding OpenSSL function by @Jakuje in sfackler/rust-openssl#2378
- fix test on MSRV by @alex in sfackler/rust-openssl#2383
- Add support for AWS-LC to openssl and openssl-sys crates by @skmcgrail in sfackler/rust-openssl#1805
- Enable additional capabilities for AWS-LC by @skmcgrail in sfackler/rust-openssl#2386
- Use --experimental with bindgen-cli with aws-lc build by @skmcgrail in sfackler/rust-openssl#2389
- Fixed two UAFs and bumped versions for release by @alex in sfackler/rust-openssl#2390

New Contributors:
- @Jakuje made their first contribution in sfackler/rust-openssl#2378
- @skmcgrail made their first contribution in sfackler/rust-openssl#1805

Full Changelog: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.71...openssl-v0.10.72

openssl-v0.10.71, What's Changed:
- Expose rc2 ciphers on symm::Cipher by @alex in sfackler/rust-openssl#2361
- add full Apache license file to openssl by @frncs-rss in sfackler/rust-openssl#2366
- Release openssl v0.10.71 and openssl-sys v0.9.106 by @alex in sfackler/rust-openssl#2369

New Contributors:
- @frncs-rss made their first contribution in sfackler/rust-openssl#2366

Full Changelog: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.70...openssl-v0.10.71

openssl v0.10.70, What's Changed:
- Attempt to fix CI by pinning to the Ubuntu 22.04 image by @alex in sfackler/rust-openssl#2357
- Remove EC_METHOD and EC_GROUP_new for LibreSSL 4.1 by @botovq in sfackler/rust-openssl#2356
- Test against 3.4.0 final release by @alex in sfackler/rust-openssl#2359
- Expose `SslMethod::{dtls_client,dtls_server}` by @alex in sfackler/rust-openssl#2358
- Fix lifetimes in ssl::select_next_proto by @sfackler in sfackler/rust-openssl#2360

... (truncated)

Commits:
- `e6209d4` Merge pull request #2415 from alex/bump-version
- `9ca6cfe` Release openssl v0.10.73 and openssl-sys v0.9.109
- `c42d49c` Merge pull request #2414 from alex/boringssl-fix
- `5e24219` Attempt to fix with vcpkg
- `93f30ff` fixed building on the latest boringssl
- `eb88fb0` Merge pull request #2403 from botovq/ctest
- `79a304a` Replace ctest2 with ctest
- `132418b` Merge pull request #2399 from alex/release-sys
- `f7a692b` Release openssl-sys v0.9.108
- `2f9b496` Merge pull request #2398 from botovq/libressl-4.1
- Additional commits viewable in [compare view](https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.66...openssl-v0.10.73)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Justin W Smith <[email protected]>
### Description of changes: 
Some of our current implementation doesn't match the OpenSSL default
behavior, resulting in some package failures. The fixes include:
- Suppress private key write when `-keyout` is not provided and the
config has no default output path
- Use default extensions when no valid extension section is found in
config
- Add a fallback when no `req` section is found in config

### Testing:
Cleaned up and added extra tests

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.
### Issues:
Addresses V2002959392

### Description of changes: 
Implements the guidance provided by internal tooling by using a GitHub
"deployment" environment for manually approving workflow runs on GitHub
workflows that use `pull_request_target` in order to get elevated
credentials in our AWS CodeBuild-managed GitHub Actions runner
environment.

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.
By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.
### Description of changes: 
Prepare AWS-LC v1.65.0

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.
### Description of changes:
Concurrency groups can be problematic with similarly named branches,
especially with `pull_request_target`, this adjusts the concurrency
group so that it behaves consistently. Will make this adjustment to
other workflows as I move them to `pull_request_target` in the future.

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.
### Changes

Add the `-tls1_2` and `-tls1_3` flags to the `s_client` tool.

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.
@ttunglee ttunglee requested a review from a team as a code owner November 20, 2025 19:21
@ttunglee ttunglee closed this Nov 20, 2025
@ttunglee ttunglee deleted the xaes-256-gcm branch November 20, 2025 19:23
8 participants