New Versioning Policy
Check out VERSIONING.md to learn about our new versioning scheme.
What's Changed
- Test key import in EVPTest a bit more extensively by @nebeid in #3058
- Add OPENSSL_cleanse to zero stack secrets before return by @prasden in #3227
- Fix: Apply COHABITANT_HEADERS logic to location of tool binaries by @edmundlod in #3116
- Fix wherelen handling in BIO_ADDR_rawmake AF_UNIX path by @samuel40791765 in #3233
- Harden PKCS7 and OCSP error handling by @prasden in #3237
- Reject len < -1 in ASN1_mbstring_ncopy by @samuel40791765 in #3232
- Free existing union arm by current type in PKCS7_set_type by @samuel40791765 in #3231
- Ensure no trailing data for PKCS8 EVP_parse_private_key by @torben-hansen in #3242
- Include trailing NUL in BIO_ADDR_rawaddress AF_UNIX length by @samuel40791765 in #3236
- Reject negative pass_len in PEM_ASN1_write_bio by @samuel40791765 in #3228
- Check parameters before comparing pqdsa public keys by @samuel40791765 in #3229
- Free existing responderId union arm in OCSP_RESPID setters by @samuel40791765 in #3234
- Release cipher_data on error path too for EVP_CTRL_INIT and EVP_CTRL_COPY by @torben-hansen in #3243
- ci: declare contents: read on zig compiler workflow by @arpitjain099 in #3249
- Add new review workflow by @nhatnghiho in #3230
- Log versioning and library names druing cmake build step by @torben-hansen in #3254
- Tighten OCSP_parse_url URL parsing by @prasden in #3238
- Add SHRT_MAX caps to bound iteration and input lengths by @prasden in #3240
- Fix correctness findings from penpal testing by @prasden in #3235
- Document new versioning scheme and bump mainline to v5.0.0 by @samuel40791765 in #3212
- Decouple the FIPS version number from the AWS-LC version number by @samuel40791765 in #3211
- Bump the github-actions group with 2 updates by @dependabot[bot] in #3258
- Bump time from 0.3.36 to 0.3.47 in /tests/ci/lambda by @dependabot[bot] in #3248
- tool-openssl/s_client: default SNI to -connect host to match OpenSSL by @alexw91 in #3209
- Reject undersized buffer in pkey_dsa_sign by @nebeid in #3112
- Drop obsolete test_pkey_rsa.rb hunk from Ruby 3.4 patch by @geedo0 in #3260
- Enable Windows 7 compat path on MinGW builds by @justsmth in #3239
- Add
getauxvalavailability detection with/proc/self/auxvfallback for uclibc targets by @justsmth in #3250 - Prefer CRLs with specific IDP match by @nhatnghiho in #3264
- Fix manylinux1 build: O_CLOEXEC fallback in getauxval shim by @justsmth in #3268
- Gate Linux specific code to fix compilation on AIX by @pgimalac in #3265
- BoringSSL: Harden nc_email name constraint checking by @nebeid in #3266
- Fix python 3.13 patch by @WillChilds-Klein in #3271
- Make rustfmt optional for Rust bindings generation by @justsmth in #3270
- Skip MariaDB socket conflict test unable to run as root by @WillChilds-Klein in #3274
- use /map: linker flag to avoid running a binary to capture the hash by @yoavwizstein in #3133
- Add inline documentation for API contracts by @nebeid in #3267
- ML-DSA support as a TLS 1.3 signature scheme by @dkostic in #3251
- Make FIPS compiler wrapper unconditional by @justsmth in #3269
New Contributors
- @edmundlod made their first contribution in #3116
- @arpitjain099 made their first contribution in #3249
- @pgimalac made their first contribution in #3265
- @yoavwizstein made their first contribution in #3133
Full Changelog: v1.73.0...v5.0.0