Release: v1.5.7

Weekly release for November 01 2024

Summary

• Adds the s2n_connection_get_certificate_match() API, which allows users to determine whether the server was able to provide the client with a certificate chain that matched the client's SNI extension.
• Adds the s2n_cleanup_final() API, which allows users to completely cleanup and deinitialize s2n-tls, regardless of the s2n-tls atexit configuration.
• Fixes poll_flush() in the rust bindings to properly flush pending send data without producing an error.

What's Changed

• (feat): Adds certificate match metrics API by @maddeleine in #4844
• chore: grant duvet more permissions by @dougch in #4854
• chore: bindings release 0.3.5 by @toidiu in #4860
• test(bindings): Consolidate test pems by @goatgoose in #4858
• feat: Adds cleanup_final by @maddeleine in #4853
• fix(bindings): correct poll_flush implementation by @lrstewart in #4859
• docs: update fips documentation to specify supported libcrypto by @toidiu in #4857
• fix: close all /dev/urandom open fds by @boquan-fang in #4835

Full Changelog: v1.5.6...v1.5.7

Release: v1.5.6

Weekly release for October 23 2024

What's Changed

• chore: remove make fuzz and AFL fuzz by @jouho in #4808
• docs: update stateful resumption doc by @jouho in #4818
• Add ML-KEM Feature Probe and Test by @alexw91 in #4823
• ci: Add ubuntu24 with a new cmake buildspec by @dougch in #4824
• feature: bump cert authorities max size to 20kb by @lrstewart in #4832
• ci: add more libcryptos for fuzz batch & follow cmake idioms by @jouho in #4795
• chore: Adds print statements to help debug s2n_dynamic_load_test by @maddeleine in #4836
• Add initial support for MLKEM768 (without any new Security Policies) by @alexw91 in #4816
• ci: update ubuntu versions by @boquan-fang in #4828
• Update FIPS rules for ML-KEM by @alexw91 in #4829
• fix: some open AF_UNIX sockets in forked child processes by @boquan-fang in #4834
• ci: Re-enable asan and ubsan for fuzz tests by @jouho in #4840
• fix: fix s2n_io_pair_close_one_end by @boquan-fang in #4841
• chore: flip 2 GHAs to use short lived creds. by @dougch in #4839
• bindings: pin openssl crate to 0.10.66 by @camshaft in #4849
• fix: fix opened AF_UNIX sockets that didn't call s2n_io_pair_close by @boquan-fang in #4833
• Add new MLKEM TLS Policies by @alexw91 in #4830
• chore: remove unused compile definition by @jmayclin in #4815
• chore(GHA): Update duvet arguments by @dougch in #4850
• chore: Fix failing OIDC workflows; cleanup unused actions by @dougch in #4848

Full Changelog: v1.5.5...v1.5.6

Release: v1.5.5

What's Changed

• feat(bindings): add set receive buffering to the rust bindings by @zz85 in #4817
• feat: add s2n_cleanup_thread by @WesleyRosenblum in #4584
• chore: bindings release 0.3.4 by @jouho in #4819
• chore: bump awslc(non FIPS) to 1.36.0 by @dougch in #4821

Full Changelog: v1.5.4...v1.5.5

Release: v1.5.4

Weekly release for October 03 2024

What's Changed

• chore(bindings): pin unicode-width by @lrstewart in #4785
• fix: update ja4 compliance by @lrstewart in #4773
• docs: clarify pre-TLS1.2 support by @lrstewart in #4780
• chore: bindings release 0.3.3 by @jouho in #4791
• test: disallow explict use of "default" policy in tests by @toidiu in #4750
• Al2023 codebuild by @dougch in #4756
• ci: add buildspec file for scheduled fuzzing by @jouho in #4763
• fix: don't iterate over certs if not validating certs by @lrstewart in #4797
• fix(bindings): handle failures from wipe by @lrstewart in #4798
• ci: use temporary directory for s2n_head build by @lrstewart in #4771
• fix: pem parsing should allow single dashes in comments by @lrstewart in #4787
• refactor: clean up CMakelists.txt by @jmayclin in #4779
• test: only build requested unit tests in nix by @lrstewart in #4770
• docs: Update certificate loading documentation by @goatgoose in #4790
• ci: run clippy on all features by @lrstewart in #4809
• ci: use clang to build awslc by @dougch in #4794
• ci: check for s2n_array_len in loop bounds by @lrstewart in #4802
• Revert "test: disallow explict use of "default" policy in tests (#4750)" by @toidiu in #4812
• CI: Adding CTest memcheck to CodeBuild by @boquan-fang in #4776
• refactor(bindings): add general bindings error context by @lrstewart in #4811
• Update PQ code to be generic over EVP_KEM API's by @alexw91 in #4810
• feature(bindings): scheduled renegotiation via poll_recv by @lrstewart in #4764
• refactor: make s2n_array_len constant by @lrstewart in #4801

Full Changelog: v1.5.3...v1.5.4

Release: v1.5.3

Weekly release for September 20 2024

What's Changed

• fix: add missing null-checks in s2n_connection.c by @jouho in #4754
• fix(bindings): unpin jobserver by @toidiu in #4758
• fix: update handling of ja4 alpn edge cases by @lrstewart in #4755
• CI: enable fuzz test build with cmake by @jouho in #4743
• ci: Emit CloudWatch metrics from rust benchmarks by @goatgoose in #4742
• chore(bindings): release 0.3.2 by @dougch in #4760
• test: avoid mutating static configs in tests by @toidiu in #4749
• ci: use newer version of libFuzzer by @jouho in #4762
• test: use seccomp on handshake test by @lrstewart in #4768
• test: refactor pcap test to use version from rtshark by @lrstewart in #4774
• docs(bindings): example for Policy::from_version by @jmayclin in #4731
• ci: refactor fuzz buildspec by @jouho in #4783

Full Changelog: v1.5.2...v1.5.3

Release: v1.5.2

Weekly release for September 06 2024

What's Changed

• fix(bindings): ConfigPool should always yield associated connections by @jmayclin in #4708
• Adding a harness for session resumption in regression test by @kaukabrizvi in #4706
• chore(bindings): release 0.3.1 by @dougch in #4719
• docs: Add a supported platforms section by @dougch in #4695
• Reorder PR and Mainline in Regression Test Runner by @kaukabrizvi in #4720
• chore: bump versions of aws-lc and aws-lc-fips by @dougch in #4716
• fix: correct JA4 alpn parsing by @lrstewart in #4721
• tests: add JA4 pcap tests by @lrstewart in #4714
• refactor: minor fixes for common fingerprint code by @lrstewart in #4712
• fix: resolve UBSAN violations in the codebase by @boquan-fang in #4722
• chore: cleanup old docker dev build by @dougch in #4729
• ci: add separate license check by @jmayclin in #4727
• fix(ci): update CBMC proofs' Makefile.common by @tautschnig in #4703
• fix: Cleanup libcrypto errors by @goatgoose in #4733
• chore(integrationv2): add license header by @jmayclin in #4732
• ci: Add UBSAN test to the sanitizer by @boquan-fang in #4740
• tests(pcaps): download additional pcaps by @lrstewart in #4728
• docs: add test readme by @jmayclin in #4718
• Update to CBMC 6.2.0 by @rod-chapman in #4746
• ci:Al2023 CodeBuild script by @dougch in #4737
• refactor: make s2n_stuffer_read_hex match s2n_stuffer_read by @lrstewart in #4726
• refactor: move s2n_result functions inline by @camshaft in #4739
• tests(pcap): fix support for older tshark versions by @lrstewart in #4744
• Replace memcmp to s2n_constant_time_equals by @boquan-fang in #4709

Full Changelog: v1.5.1...v1.5.2

Release: v1.5.1

Weekly release for August 20 2024

What's Changed

• docs: add pq to usage guide by @lrstewart in #4677
• chore: remove unused benchmarks by @jmayclin in #4696
• Modify regression threshold to configurable percentage by @kaukabrizvi in #4698
• New s2n core member by @boquan-fang in #4707
• Add s2n_signature_preferences_20240521 by @raycoll in #4565
• fix: Initial config influences client hello parsing by @maddeleine in #4676
• ci(nix): Startup/configure apache for renegotiate test under nix by @dougch in #4592
• fix: building for AL2 by @lucykorea414 in #4679
• Clarify s2nc/s2nd PQ output by @lrstewart in #4702
• feat: JA4 fingerprinting by @lrstewart in #4669
• Add performance regression tests in CI by @kaukabrizvi in #4701

New Contributors

• @boquan-fang made their first contribution in #4707
• @lucykorea414 made their first contribution in #4679

Full Changelog: v1.5.0...v1.5.1

Release: v1.5.0

Weekly release for August 9 2024

Note: The minor version has been bumped in this release due to a commit that makes a backwards-incompatible change to the session resumption ticket schema.

What's Changed

• refactor: move stuffer hex methods out of testlib by @lrstewart in #4653
• fix: pin tokio-macros version by @lrstewart in #4658
• Refactor some s2n_resume functions by @maddeleine in #4648
• fix: allow for clock skew in resumption by @jmayclin in #4650
• fix: new clippy lints by @jmayclin in #4666
• ci(nix): Setup a head build for the cross_compatibility integ test by @dougch in #4567
• Set up regression benchmark for scalar performance by @kaukabrizvi in #4649
• refactor: clean up other hex methods by @lrstewart in #4664
• fix: add missing corpus files for s2n_deserialize_resumption_state_test by @jouho in #4672
• fix: default s2nc should accept default s2nd cert by @lrstewart in #4670
• ci: move fuzz corpus to S3 by @jouho in #4665
• feat(bindings): add renegotiate to the rust bindings by @lrstewart in #4668
• fix: SSLv3 handshake with openssl-1.0.2-fips fails by @jouho in #4644
• refactor: switch JA3 to use stuffer hex methods by @lrstewart in #4662
• feat(bindings): Add hyper compatibility crate by @goatgoose in #4617
• chore(bindings): release 0.2.10 by @WesleyRosenblum in #4683
• fix: don't fail for 0 blinding delay by @lrstewart in #4671
• test(cbmc): add stuffer hex proofs by @lrstewart in #4659
• Adopt CBMC 6.1 and cbmc-viewer 3.9 by @rod-chapman in #4661
• fix: zip corpus files before uploading to s3 by @jouho in #4685
• docs: update blinding docs by @lrstewart in #4686
• fix(bindings): enforce waker contract on poll operations by @camshaft in #4688
• chore: Bump rust bindings to 0.2.11 by @maddeleine in #4690
• feat: Changes ticket encryption scheme to be nonce-reuse resistant by @maddeleine in #4663
• ci: store fuzz artifacts in s3 by @jouho in #4678
• chore: document OpenSSL-FIPS restriction on RSA key size by @jouho in #4654
• Enabling differential performance benchmarking by @kaukabrizvi in #4667
• fix(ci): partially revert checking out head from current clone. by @dougch in #4693
• fix: upload fuzz output to s3 when test fails by @jouho in #4694
• chore: Rust bindings bump v0.3.0 by @maddeleine in #4697

New Contributors

• @kaukabrizvi made their first contribution in #4649

Full Changelog: v1.4.18...v1.5.0

Release: v1.4.18

Weekly release for July 19 2024

What's Changed

• refactor: separate out ja3 specific logic by @lrstewart in #4578
• chore: fix CBMC proof summary count by @tautschnig in #4627
• fix: remove S2N_NO_PQ option by @kdnakt in #4622
• feat(bindings/s2n-tls): add client_hello_version by @jmayclin in #4609
• chore(bindings): release 0.2.8 by @toidiu in #4635
• api(bindings/s2n-tls)!: remove public testing feature by @jmayclin in #4623
• refactor: use feature probe for AEAD gate logic instead of AWS-LC/BoringSSL macros by @jouho in #4642
• ci(nix): Add tshark to nix devshell by @dougch in #4571
• chore: document why SHA1 is the only supported hash algorithm for cert_id generation in OCSP response by @jouho in #4625
• Refactor: change set/get_decryption_key return type to S2N_RESULT in s2n_cipher struct by @jouho in #4638
• Refactor: change init and destroy_key return type to S2N_RESULT in s2n_cipher struct by @jouho in #4639
• Refactor: change is_available return type to bool in s2n_cipher struct by @jouho in #4630
• test(pcap): handle pcaps with tcp fragmentation by @lrstewart in #4643
• refactor(bindings/s2n-tls): finish test harness refactor by @jmayclin in #4636
• feature: reusable fingerprinting interface by @lrstewart in #4628
• feat: Add API to gate session tickets to TLS1.3 only by @maddeleine in #4645
• ci: add merge_group event to GHA workflow. by @dougch in #4646
• fix: avoid cert validation on connection_set_config by @jmayclin in #4612
• Update s2n_connection_get_kem_group_name() to work with ClientHelloRe… by @alexw91 in #4652
• fix: Removing new usage of memcmp by @maddeleine in #4657
• chore: Bump Rust bindings v1.4.18 by @maddeleine in #4656

New Contributors

• @kdnakt made their first contribution in #4622

Full Changelog: v1.4.17...v1.4.18

v1.4.17

What's Changed

• chore: cleanup duplicate duvet citations by @WesleyRosenblum in #4587
• ci: fix cppcheck errors by @lrstewart in #4589
• compliance: update generate_report.sh to point to compliance directory by @WesleyRosenblum in #4588
• feature: new compatibility-focused security policy preferring ECDSA by @lrstewart in #4579
• ci(nix): Fix integ pq test in a devShell by @dougch in #4576
• chore: update s2n_stuffer_printf CBMC harness by @tautschnig in #4531
• fix: error rather than empty cipher suites by @lrstewart in #4597
• refactor(binding): more accurate naming for const str helper by @jmayclin in #4601
• Fix: update default cert chain for unit tests by @jouho in #4582
• fix(s2n_session_ticket_test): correct clock mocking by @jmayclin in #4602
• chore(bindings): fix shebang in generate.sh by @zh-jq-b in #4603
• testing(bindings): add new test helper by @jmayclin in #4596
• test: add pcap testing crate by @lrstewart in #4604
• s2n-tls rust binding: expose selected application protocol by @zh-jq-b in #4599
• chore: use CBMC version 5.95.1 by @tautschnig in #4586
• example(bindings): add async ConfigResolver by @jmayclin in #4477
• ci: shallow clone musl repo by @jmayclin in #4611
• docs: Add back suggested FIPS + TLS1.3 policy by @lrstewart in #4605
• docs: add timeout note to blinding delay docs by @lrstewart in #4621
• test(bindings/s2n-tls): refactor testing::s2n-tls tests by @jmayclin in #4613
• Perform 2-RTT Handshake to upgrade to PQ when possible by @alexw91 in #4526
• chore: make cbmc proof build more strict by adding -Werror flag by @jouho in #4606
• bug: Fixing bash error by @maddeleine in #4624

New Contributors

• @zh-jq-b made their first contribution in #4603

Full Changelog: v1.4.16...v1.4.17