Release: v1.5.13

Weekly release for February 22 2025

Release Summary

• Add bindings for the External PSK functionality.
• Adds 20250211, a TLS 1.3-exclusive security policy intended for RFC 9151 migration.
• A breaking change was made to the renegotiation callback interface. This only affects Rust customers using the unstable-renegotiate
  feature.
• Adds an option to prevent s2n-tls from overriding the libcrypto RAND engine.
• Adds async support to s2n_cert_validation_callback.
• Reduced connection memory usage by an estimated 4 to 5 percent.
• A successful cert validation callback should return only S2N_SUCCESS. Previously, both 0 and any positive return value were considered successful.

What's Changed

• test: add minimal openssl-3.0-fips test by @lrstewart in #5081
• feat(bindings): add external psk apis by @jmayclin in #5061
• Fixed formatting for debugging statements by @johubertj in #5094
• chore: ktls buildspec by @dougch in #5083
• chore: bindings release 0.3.11 by @goatgoose in #5098
• fix(integrationv2): Skip unsupported client auth tests by @goatgoose in #5096
• build(deps): bump aws-actions/configure-aws-credentials from 4.0.2 to 4.1.0 in /.github/workflows in the all-gha-updates group across 1 directory by @dependabot in #5107
• refactor: remove s2n_hmac_is_available by @lrstewart in #5104
• refactor: remove unused evp support for md5+sha1 by @lrstewart in #5106
• fix: allow b64 decoding using libcrypto for sidechannel resistance by @jmayclin in #5103
• fix: don't enable custom random for openssl fips by @jmayclin in #5093
• ci: add default provider to openssl-3.0-fips by @lrstewart in #5114
• Revert "refactor: remove unused evp support for md5+sha1 (#5106)" by @lrstewart in #5118
• Add new security policy (20250211) by @Mark-Simulacrum in #5111
• refactor: move "s2n_libcrypto_is" methods into s2n_libcrypto.h by @lrstewart in #5117
• bindings: unpin openssl crate from a specific patch version by @boquan-fang in #5120
• chore: fix a typo in API comments by @boquan-fang in #5123
• build(deps): update rand requirement by @boquan-fang in #5125
• fix(bindings): make Context borrow immutable by @jmayclin in #5071
• feat: Option to disable RAND engine override by @goatgoose in #5108
• refactor: use EVP_MD_fetch() if available by @lrstewart in #5116
• chore: binding release 0.3.12 by @boquan-fang in #5128
• fix(bindings): remove mutation behind Arc by @jmayclin in #5124
• chore: remove unused well-known-endpoints.py by @jmayclin in #5127
• feat: add async cert validation support by @CarolYeh910 in #5110
• ci: add check for third-party-src in disable rand override buildspec by @boquan-fang in #5137
• refactor: always use EVP hashing by @lrstewart in #5121
• fix: update callback return value by @CarolYeh910 in #5136
• ci: always set values for command line defines by @lrstewart in #5126

Full Changelog: v1.5.12...v1.5.13