From 138a6ad356adc933fad0f1c65b85da18982ee351 Mon Sep 17 00:00:00 2001 From: Samuel Chiang Date: Fri, 31 Jan 2025 18:30:09 -0800 Subject: [PATCH 1/3] Prepare AWS-LC v1.44.0 (#2153) Prepare AWS-LC v1.44.0 By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license. --- crypto/fipsmodule/service_indicator/service_indicator_test.cc | 4 ++-- include/openssl/base.h | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/crypto/fipsmodule/service_indicator/service_indicator_test.cc b/crypto/fipsmodule/service_indicator/service_indicator_test.cc index d6e01f9620..10a312d469 100644 --- a/crypto/fipsmodule/service_indicator/service_indicator_test.cc +++ b/crypto/fipsmodule/service_indicator/service_indicator_test.cc @@ -5296,7 +5296,7 @@ TEST(ServiceIndicatorTest, ED25519SigGenVerify) { // Since this is running in FIPS mode it should end in FIPS // Update this when the AWS-LC version number is modified TEST(ServiceIndicatorTest, AWSLCVersionString) { - ASSERT_STREQ(awslc_version_string(), "AWS-LC FIPS 1.43.0"); + ASSERT_STREQ(awslc_version_string(), "AWS-LC FIPS 1.44.0"); } #else @@ -5339,6 +5339,6 @@ TEST(ServiceIndicatorTest, BasicTest) { // Since this is not running in FIPS mode it shouldn't end in FIPS // Update this when the AWS-LC version number is modified TEST(ServiceIndicatorTest, AWSLCVersionString) { - ASSERT_STREQ(awslc_version_string(), "AWS-LC 1.43.0"); + ASSERT_STREQ(awslc_version_string(), "AWS-LC 1.44.0"); } #endif // AWSLC_FIPS diff --git a/include/openssl/base.h b/include/openssl/base.h index 15a7d9e1fa..02bdc84c6a 100644 --- a/include/openssl/base.h +++ b/include/openssl/base.h 
@@ -122,7 +122,7 @@ extern "C" { // ServiceIndicatorTest.AWSLCVersionString // Note: there are two versions of this test. Only one test is compiled // depending on FIPS mode. -#define AWSLC_VERSION_NUMBER_STRING "1.43.0" +#define AWSLC_VERSION_NUMBER_STRING "1.44.0" #if defined(BORINGSSL_SHARED_LIBRARY) From 6c613fa9b33d999c0c8cac380b4d0e8223768ad1 Mon Sep 17 00:00:00 2001 From: Chocka Chidambaram Date: Mon, 3 Feb 2025 15:03:12 -0500 Subject: [PATCH 2/3] Cross library PQ interop test with s2n-tls (#2138) ### Description of changes: Adding cross library PQ interop test with s2n-tls By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license. --------- Co-authored-by: Chocka Chidambaram --- .../github_ci_integration_omnibus.yaml | 10 +++ .../ci/integration/run_pq_tls_integration.sh | 65 +++++++++++++++++++ 2 files changed, 75 insertions(+) create mode 100755 tests/ci/integration/run_pq_tls_integration.sh diff --git a/tests/ci/cdk/cdk/codebuild/github_ci_integration_omnibus.yaml b/tests/ci/cdk/cdk/codebuild/github_ci_integration_omnibus.yaml index ce5c38d2aa..5af3d89741 100644 --- a/tests/ci/cdk/cdk/codebuild/github_ci_integration_omnibus.yaml +++ b/tests/ci/cdk/cdk/codebuild/github_ci_integration_omnibus.yaml @@ -250,3 +250,13 @@ batch: image: 620771051181.dkr.ecr.us-west-2.amazonaws.com/aws-lc-docker-images-linux-x86:ubuntu-22.04_gcc-12x_latest variables: AWS_LC_CI_TARGET: "tests/ci/integration/run_ntp_integration.sh" + + - identifier: pq_tls_integration_x86_64 + buildspec: tests/ci/codebuild/common/run_simple_target.yml + env: + type: LINUX_CONTAINER + privileged-mode: false + compute-type: BUILD_GENERAL1_SMALL + image: 620771051181.dkr.ecr.us-west-2.amazonaws.com/aws-lc-docker-images-linux-x86:ubuntu-22.04_gcc-12x_latest + variables: + AWS_LC_CI_TARGET: "tests/ci/integration/run_pq_tls_integration.sh" 
diff --git a/tests/ci/integration/run_pq_tls_integration.sh b/tests/ci/integration/run_pq_tls_integration.sh
new file mode 100755
index 0000000000..b44425c70e
--- /dev/null
+++ b/tests/ci/integration/run_pq_tls_integration.sh
@@ -0,0 +1,65 @@
+#!/usr/bin/env bash
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0 OR ISC
+set -ex
+
+source tests/ci/common_posix_setup.sh
+
+SCRATCH_FOLDER=${SYS_ROOT}/"pq-tls-scratch"
+
+AWS_LC_BUILD_FOLDER="${SCRATCH_FOLDER}/aws-lc-build"
+AWS_LC_INSTALL_FOLDER="${SCRATCH_FOLDER}/aws-lc-install"
+
+S2N_URL='https://github.com/aws/s2n-tls.git'
+S2N_BRANCH='main'
+S2N_TLS_SRC_FOLDER="${SCRATCH_FOLDER}/s2n-tls"
+S2N_TLS_BUILD_FOLDER="${SCRATCH_FOLDER}/s2n-tls-build"
+
+rm -rf "${SCRATCH_FOLDER:?}"
+mkdir -p "$SCRATCH_FOLDER"
+
+echo "build and install aws-lc"
+aws_lc_build "$SRC_ROOT" "$AWS_LC_BUILD_FOLDER" "$AWS_LC_INSTALL_FOLDER" -DCMAKE_BUILD_TYPE=RelWithDebInfo -DBUILD_TESTING=OFF
+
+echo "clone s2n_tls"
+git clone --depth 1 --branch "$S2N_BRANCH" "$S2N_URL" "$S2N_TLS_SRC_FOLDER"
+
+echo "build s2n_tls with aws-lc"
+cd "$S2N_TLS_SRC_FOLDER"
+cmake . "-B$S2N_TLS_BUILD_FOLDER" -GNinja \
+ -DCMAKE_BUILD_TYPE=Release \
+ -DCMAKE_PREFIX_PATH="$AWS_LC_INSTALL_FOLDER"
+ninja -C "$S2N_TLS_BUILD_FOLDER" -j "$NUM_CPU_THREADS"
+
+for GROUP in X25519MLKEM768 SecP256r1MLKEM768; do
+ echo "TLS Handshake: aws-lc server (bssl) with s2n-tls client (s2nc) for group $GROUP"
+ "$AWS_LC_BUILD_FOLDER"/tool/bssl s_server -curves $GROUP -accept 45000 -debug \
+ &> "$AWS_LC_BUILD_FOLDER"/s_server_out &
+ sleep 2 # to allow for the server to startup in the background thread
+ S_PID=$!
+ # Relying on s2nc behavior that it exits after the first handshake
+ "$S2N_TLS_BUILD_FOLDER"/bin/s2nc -c default_pq -i localhost 45000 &> "$S2N_TLS_BUILD_FOLDER"/s2nc_out
+ wait $S_PID || true
+ cat "$AWS_LC_BUILD_FOLDER"/s_server_out
+ cat "$S2N_TLS_BUILD_FOLDER"/s2nc_out
+ grep "libcrypto" "$S2N_TLS_BUILD_FOLDER"/s2nc_out | grep "AWS-LC"
+ grep "CONNECTED" "$S2N_TLS_BUILD_FOLDER"/s2nc_out
+ grep "KEM Group" "$S2N_TLS_BUILD_FOLDER"/s2nc_out | grep "$GROUP"
+
+ echo "TLS Handshake: s2n-tls server (s2nd) with aws-lc client (bssl) for group $GROUP"
+ "$S2N_TLS_BUILD_FOLDER"/bin/s2nd -c default_pq -i localhost 45000 &> "$S2N_TLS_BUILD_FOLDER"/s2nd_out &
+ sleep 2 # to allow for the server to startup in the background thread
+ S_PID=$!
+ # bssl s_client normally does not exit after a handshake, but when run as a background process
+ # seems to exit by closing the connection after the first handshake. Relying on that behavior here.
+ "$AWS_LC_BUILD_FOLDER"/tool/bssl s_client -curves $GROUP -connect localhost:45000 -debug \
+ &> "$AWS_LC_BUILD_FOLDER"/s_client_out &
+ wait $S_PID || true
+ cat "$S2N_TLS_BUILD_FOLDER"/s2nd_out
+ cat "$AWS_LC_BUILD_FOLDER"/s_client_out
+ grep "libcrypto" "$S2N_TLS_BUILD_FOLDER"/s2nd_out | grep "AWS-LC"
+ grep "CONNECTED" "$S2N_TLS_BUILD_FOLDER"/s2nd_out
+ grep "KEM Group" "$S2N_TLS_BUILD_FOLDER"/s2nd_out | grep "$GROUP"
+done
+
+rm -rf "${SCRATCH_FOLDER:?}"
From cc9c9f04c7b7d53bb0018e8c91185d26c9ed269c Mon Sep 17 00:00:00 2001 From: Sean McGrail <549813+skmcgrail@users.noreply.github.com> Date: Mon, 3 Feb 2025 23:34:53 +0000 Subject: [PATCH 3/3] Fix policy grant on ECR resource policy (#2159) ### Testing: Validated the YAML output with `cdk synth`. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license. --- tests/ci/cdk/cdk/ecr_stack.py | 5 +++-- tests/ci/cdk/util/iam_policies.py | 11 ----------- 2 files changed, 3 insertions(+), 13 deletions(-)
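Review bot: Nothing kills the backgrounded `bssl s_server`, `s2nd` or `bssl s_client` when one of the `grep` assertions fails under `set -e`, and the final `rm -rf "${SCRATCH_FOLDER:?}"` is skipped on that path too, so a failed iteration leaves a process holding port 45000 and a scratch tree behind for the next run on the same builder; add after the folder variables `trap 'jobs -p | xargs -r kill 2>/dev/null; rm -rf "${SCRATCH_FOLDER:?}"' EXIT` and drop the unconditional `rm -rf` at the end. Both `wait $S_PID || true` calls have no upper bound, so if `s2nd` or `bssl s_server` does not exit after the first connection as the comments assume, the job hangs until CodeBuild times it out; launching each server as `timeout 120 "$S2N_TLS_BUILD_FOLDER"/bin/s2nd ...` (and likewise for `bssl s_server`) turns that into a fast, attributable failure. The fixed `sleep 2` is a startup race on a loaded host and port 45000 is assumed free, so a short client-side connect retry loop is more robust than lengthening the sleep. Capturing `S_PID=$!` after the `sleep` only works because `sleep` runs in the foreground; moving the assignment to the line directly after the `&` makes that intent explicit.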
diff --git a/tests/ci/cdk/cdk/ecr_stack.py b/tests/ci/cdk/cdk/ecr_stack.py index 542de0f32e..ff8a4b54ed 100644 --- a/tests/ci/cdk/cdk/ecr_stack.py +++ b/tests/ci/cdk/cdk/ecr_stack.py @@ -11,5 +11,6 @@ class EcrStack(Stack): def __init__(self, scope: Construct, id: str, repo_name: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) - ecr.Repository(scope=self, id=id, repository_name=repo_name).grant_pull_push( - iam.ServicePrincipal("codebuild.amazonaws.com")) + repo = ecr.Repository(scope=self, id=id, repository_name=repo_name) + repo.grant_pull_push(iam.ServicePrincipal("codebuild.amazonaws.com")) + repo.grant_pull(iam.ArnPrincipal("arn:aws:iam::222961743098:role/scrutini-ecr")) diff --git a/tests/ci/cdk/util/iam_policies.py b/tests/ci/cdk/util/iam_policies.py index a9202ce6bf..2558fff73a 100644 --- a/tests/ci/cdk/util/iam_policies.py +++ b/tests/ci/cdk/util/iam_policies.py @@ -207,17 +207,6 @@ def ecr_power_user_policy_in_json(ecr_repo_names): "ecr:PutImage" ], "Resource": ecr_arns - }, - { - "Sid": "scrutinice", - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::222961743098:role/scrutini-ecr" - }, - "Action": [ - "ecr:BatchGetImage", - "ecr:GetDownloadUrlForLayer" - ] } ] }
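Review bot: `repo.grant_pull(iam.ArnPrincipal("arn:aws:iam::222961743098:role/scrutini-ecr"))` writes a cross-account role ARN into the repository resource policy with no comment saying who owns that role or why it needs read access, so the trust relationship is not auditable from this file; add above it `# Cross-account read-only pull for role scrutini-ecr in account 222961743098 — record the owner/purpose here` and consider hoisting the ARN into a named module constant. Because the principal is named by ARN in a resource-based policy, deleting and re-creating that role in the other account leaves the policy pointing at the old role's unique principal ID and the re-created role silently loses access, which is worth stating in that comment. `grant_pull` also appears to grant `ecr:BatchCheckLayerAvailability` in addition to the two actions the removed `scrutinice` statement listed — reasonable for `docker pull`, but a slightly wider grant than before, so confirm it in the `cdk synth` output. The rest of `__init__` is visible in the hunk.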