aws-crt 0.1.9 → 0.2.0

data/aws-crt-ffi/crt/aws-lc/tests/ci/integration/README.md

@@ -0,0 +1,12 @@
+# Integration CI for AWS-LC
+We're adding backend support for more open source projects. This folder contains integration scripts and patches to test within our CI, until we add official support within these projects.
+
+## Updating a failed patch
+Most of these integration scripts pin to the main branch. This causes some expected churn in the patches when relevant code within the projects are updated. To update an outdated patch, follow the steps below:
+
+1. Run the corresponding test script that's failing to patch. (e.g. `./tests/ci/integration/run_nginx_integration.sh`)
+2. `cd` into the `SCRATCH_FOLDER` defined by the script. This will be in the same or one level above your local aws-lc directory.
+3. Check out the patch that was failing and fix it. Once the conflicts are resolved, run `git diff > temp.patch` to save your new patch.
+4. Move your patch to the patch directory the test script is using (e.g. `mv temp.patch ../../aws-lc/tests/ci/integration/nginx_patch/temp.patch`. Remember to remove the original failing patch, so the script doesn't fail again.
+5. Rerun the integration test script. If the build and tests pass, rename the new integration patch to something more suitable and ship it.
+

data/aws-crt-ffi/crt/aws-lc/tests/ci/integration/nginx_patch/aws-lc-nginx.patch

@@ -12,10 +12,10 @@ index c062f91..447f003 100644
  #include <openssl/chacha.h>
  #else
 diff --git a/src/event/quic/ngx_event_quic.c b/src/event/quic/ngx_event_quic.c
-index 6852bb0..9a6f335 100644
+index b0cf056..c1ba43f 100644
 --- a/src/event/quic/ngx_event_quic.c
 +++ b/src/event/quic/ngx_event_quic.c
-@@ -960,7 +960,7 @@ ngx_quic_handle_payload(ngx_connection_t *c, ngx_quic_header_t *pkt)
+@@ -969,7 +969,7 @@ ngx_quic_handle_payload(ngx_connection_t *c, ngx_quic_header_t *pkt)
          return NGX_DECLINED;
      }
  
@@ -25,10 +25,19 @@ index 6852bb0..9a6f335 100644
  
      if (pkt->level == ssl_encryption_application && !c->ssl->handshaked) {
 diff --git a/src/event/quic/ngx_event_quic_protection.c b/src/event/quic/ngx_event_quic_protection.c
-index 5bc3c20..910ef8f 100644
+index 88e6954..cd67eac 100644
 --- a/src/event/quic/ngx_event_quic_protection.c
 +++ b/src/event/quic/ngx_event_quic_protection.c
-@@ -51,7 +51,7 @@ ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers,
+@@ -30,7 +30,7 @@ static uint64_t ngx_quic_parse_pn(u_char **pos, ngx_int_t len, u_char *mask,
+ 
+ static ngx_int_t ngx_quic_crypto_open(ngx_quic_secret_t *s, ngx_str_t *out,
+     u_char *nonce, ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log);
+-#ifndef OPENSSL_IS_BORINGSSL
++#if !defined (OPENSSL_IS_BORINGSSL) && !defined (OPENSSL_IS_AWSLC)
+ static ngx_int_t ngx_quic_crypto_common(ngx_quic_secret_t *s, ngx_str_t *out,
+     u_char *nonce, ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log);
+ #endif
+@@ -55,7 +55,7 @@ ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers)
      switch (id) {
  
      case TLS1_3_CK_AES_128_GCM_SHA256:
@@ -37,7 +46,7 @@ index 5bc3c20..910ef8f 100644
          ciphers->c = EVP_aead_aes_128_gcm();
  #else
          ciphers->c = EVP_aes_128_gcm();
-@@ -62,7 +62,7 @@ ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers,
+@@ -66,7 +66,7 @@ ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers)
          break;
  
      case TLS1_3_CK_AES_256_GCM_SHA384:
@@ -46,7 +55,7 @@ index 5bc3c20..910ef8f 100644
          ciphers->c = EVP_aead_aes_256_gcm();
  #else
          ciphers->c = EVP_aes_256_gcm();
-@@ -73,12 +73,12 @@ ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers,
+@@ -77,12 +77,12 @@ ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers)
          break;
  
      case TLS1_3_CK_CHACHA20_POLY1305_SHA256:
@@ -61,7 +70,7 @@ index 5bc3c20..910ef8f 100644
          ciphers->hp = (const EVP_CIPHER *) EVP_aead_chacha20_poly1305();
  #else
          ciphers->hp = EVP_chacha20();
-@@ -87,7 +87,7 @@ ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers,
+@@ -91,7 +91,7 @@ ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers)
          len = 32;
          break;
  
@@ -70,7 +79,7 @@ index 5bc3c20..910ef8f 100644
      case TLS1_3_CK_AES_128_CCM_SHA256:
          ciphers->c = EVP_aes_128_ccm();
          ciphers->hp = EVP_aes_128_ctr();
-@@ -223,7 +223,7 @@ static ngx_int_t
+@@ -259,7 +259,7 @@ static ngx_int_t
  ngx_hkdf_expand(u_char *out_key, size_t out_len, const EVP_MD *digest,
      const uint8_t *prk, size_t prk_len, const u_char *info, size_t info_len)
  {
@@ -79,7 +88,7 @@ index 5bc3c20..910ef8f 100644
  
      if (HKDF_expand(out_key, out_len, digest, prk, prk_len, info, info_len)
          == 0)
-@@ -285,7 +285,7 @@ ngx_hkdf_extract(u_char *out_key, size_t *out_len, const EVP_MD *digest,
+@@ -321,7 +321,7 @@ ngx_hkdf_extract(u_char *out_key, size_t *out_len, const EVP_MD *digest,
      const u_char *secret, size_t secret_len, const u_char *salt,
      size_t salt_len)
  {
@@ -88,35 +97,71 @@ index 5bc3c20..910ef8f 100644
  
      if (HKDF_extract(out_key, out_len, digest, secret, secret_len, salt,
                       salt_len)
-@@ -348,7 +348,7 @@ ngx_quic_tls_open(const ngx_quic_cipher_t *cipher, ngx_quic_secret_t *s,
-     ngx_str_t *out, u_char *nonce, ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log)
+@@ -384,7 +384,7 @@ ngx_quic_crypto_init(const ngx_quic_cipher_t *cipher, ngx_quic_secret_t *s,
+     ngx_quic_md_t *key, ngx_int_t enc, ngx_log_t *log)
  {
  
 -#ifdef OPENSSL_IS_BORINGSSL
 +#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
      EVP_AEAD_CTX  *ctx;
  
-     ctx = EVP_AEAD_CTX_new(cipher, s->key.data, s->key.len,
-@@ -453,7 +453,7 @@ ngx_quic_tls_seal(const ngx_quic_cipher_t *cipher, ngx_quic_secret_t *s,
-     ngx_str_t *out, u_char *nonce, ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log)
+     ctx = EVP_AEAD_CTX_new(cipher, key->data, key->len,
+@@ -444,7 +444,7 @@ static ngx_int_t
+ ngx_quic_crypto_open(ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce,
+     ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log)
  {
- 
 -#ifdef OPENSSL_IS_BORINGSSL
 +#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
-     EVP_AEAD_CTX  *ctx;
+     if (EVP_AEAD_CTX_open(s->ctx, out->data, &out->len, out->len, nonce,
+                           s->iv.len, in->data, in->len, ad->data, ad->len)
+         != 1)
+@@ -464,7 +464,7 @@ ngx_int_t
+ ngx_quic_crypto_seal(ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce,
+     ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log)
+ {
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+     if (EVP_AEAD_CTX_seal(s->ctx, out->data, &out->len, out->len, nonce,
+                           s->iv.len, in->data, in->len, ad->data, ad->len)
+         != 1)
+@@ -480,7 +480,7 @@ ngx_quic_crypto_seal(ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce,
+ }
+ 
+ 
+-#ifndef OPENSSL_IS_BORINGSSL
++#if !defined (OPENSSL_IS_BORINGSSL) && !defined (OPENSSL_IS_AWSLC)
  
-     ctx = EVP_AEAD_CTX_new(cipher, s->key.data, s->key.len,
-@@ -572,7 +572,7 @@ ngx_quic_tls_hp(ngx_log_t *log, const EVP_CIPHER *cipher,
+ static ngx_int_t
+ ngx_quic_crypto_common(ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce,
+@@ -559,7 +559,7 @@ void
+ ngx_quic_crypto_cleanup(ngx_quic_secret_t *s)
+ {
+     if (s->ctx) {
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+         EVP_AEAD_CTX_free(s->ctx);
+ #else
+         EVP_CIPHER_CTX_free(s->ctx);
+@@ -575,7 +575,7 @@ ngx_quic_crypto_hp_init(const EVP_CIPHER *cipher, ngx_quic_secret_t *s,
+ {
      EVP_CIPHER_CTX  *ctx;
-     u_char           zero[NGX_QUIC_HP_LEN] = {0};
+ 
+-#ifdef OPENSSL_IS_BORINGSSL
++#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+     if (cipher == (EVP_CIPHER *) EVP_aead_chacha20_poly1305()) {
+         /* no EVP interface */
+         s->hp_ctx = NULL;
+@@ -610,7 +610,7 @@ ngx_quic_crypto_hp(ngx_quic_secret_t *s, u_char *out, u_char *in,
+ 
+     ctx = s->hp_ctx;
  
 -#ifdef OPENSSL_IS_BORINGSSL
 +#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
      uint32_t         cnt;
  
-     ngx_memcpy(&cnt, in, sizeof(uint32_t));
+     if (ctx == NULL) {
 diff --git a/src/event/quic/ngx_event_quic_protection.h b/src/event/quic/ngx_event_quic_protection.h
-index 2d30067..c83ae14 100644
+index 34cfee6..20cd910 100644
 --- a/src/event/quic/ngx_event_quic_protection.h
 +++ b/src/event/quic/ngx_event_quic_protection.h
 @@ -24,7 +24,7 @@
@@ -126,10 +171,10 @@ index 2d30067..c83ae14 100644
 -#ifdef OPENSSL_IS_BORINGSSL
 +#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
  #define ngx_quic_cipher_t             EVP_AEAD
+ #define ngx_quic_crypto_ctx_t         EVP_AEAD_CTX
  #else
- #define ngx_quic_cipher_t             EVP_CIPHER
 diff --git a/src/event/quic/ngx_event_quic_ssl.c b/src/event/quic/ngx_event_quic_ssl.c
-index c719a1d..87e86fc 100644
+index 7872783..163e0c5 100644
 --- a/src/event/quic/ngx_event_quic_ssl.c
 +++ b/src/event/quic/ngx_event_quic_ssl.c
 @@ -11,6 +11,7 @@

data/aws-crt-ffi/crt/aws-lc/tests/ci/integration/run_crt_integration.sh

@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+set -exu
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0 OR ISC
+
+source tests/ci/common_posix_setup.sh
+
+# Assumes script is executed from the root of aws-lc directory
+SCRATCH_FOLDER=${SYS_ROOT}/SCRATCH_AWSLC_CRT_TEST
+
+# Make script execution idempotent.
+mkdir -p ${SCRATCH_FOLDER}
+rm -rf ${SCRATCH_FOLDER}/*
+cd ${SCRATCH_FOLDER}
+
+git clone --recursive https://github.com/awslabs/aws-crt-cpp.git
+
+cd aws-crt-cpp
+# The CRT has a submodule for AWS-LC, overwrite that with the local version
+rm -rf crt/aws-lc/*
+cp -r ${SRC_ROOT}/* crt/aws-lc/
+
+# Don't pre-build AWS-LC, the CRT will build all of it's dependencies how it wants them built
+mkdir build && cd build
+${CMAKE_COMMAND} -GNinja ../
+ninja
+ninja test

data/aws-crt-ffi/crt/aws-lc/tests/ci/integration/run_monit_integration.sh

@@ -0,0 +1,56 @@
+#!/bin/bash -exu
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0 OR ISC
+
+source tests/ci/common_posix_setup.sh
+
+# Set up environment.
+
+# SYS_ROOT
+#  - SRC_ROOT(aws-lc)
+#    - SCRATCH_FOLDER
+#      - monit
+#      - AWS_LC_BUILD_FOLDER
+#      - AWS_LC_INSTALL_FOLDER
+#      - MONIT_BUILD_FOLDER
+
+# Assumes script is executed from the root of aws-lc directory
+SCRATCH_FOLDER="${SRC_ROOT}/MONIT_BUILD_ROOT"
+MONIT_SRC_FOLDER="${SCRATCH_FOLDER}/monit"
+MONIT_BUILD_FOLDER="${SCRATCH_FOLDER}/monit-aws-lc"
+AWS_LC_BUILD_FOLDER="${SCRATCH_FOLDER}/aws-lc-build"
+AWS_LC_INSTALL_FOLDER="${SCRATCH_FOLDER}/aws-lc-install"
+
+function monit_build() {
+  ./bootstrap  
+  ./configure --with-ssl-static="${AWS_LC_INSTALL_FOLDER}"
+  make -j ${NUM_CPU_THREADS}
+}
+
+# Monit doesn't run any tests verifying ssl behavior, but it shouldn't hurt to run the brief tests.
+function monit_run_tests() {
+  pushd libmonit
+  # TimeTest will fail on a machine not in CET timezone.
+  # https://bitbucket.org/tildeslash/monit/src/def6b462259586358be3c86d76a299c80744df39/libmonit/test/TimeTest.c#lines-24
+  sed -i 's/TimeTest && //g' test/test.sh
+  make verify
+  popd
+}
+
+mkdir -p ${SCRATCH_FOLDER}
+rm -rf ${SCRATCH_FOLDER}/*
+cd ${SCRATCH_FOLDER}
+
+git clone https://bitbucket.org/tildeslash/monit.git ${MONIT_SRC_FOLDER} --depth 1
+mkdir -p ${AWS_LC_BUILD_FOLDER} ${AWS_LC_INSTALL_FOLDER} ${MONIT_BUILD_FOLDER}
+ls
+
+aws_lc_build ${SRC_ROOT} ${AWS_LC_BUILD_FOLDER} ${AWS_LC_INSTALL_FOLDER} -DBUILD_TESTING=OFF
+
+# Build monit from source.
+pushd ${MONIT_SRC_FOLDER}
+
+monit_build
+monit_run_tests
+popd
+

data/aws-crt-ffi/crt/aws-lc/tests/ci/integration/sslproxy_patch/aws-lc-sslproxy.patch

@@ -6,7 +6,7 @@ index 7dbac6e..58a47d5 100644
  
  #if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20501000L
  #define TMP_SESS_FILE "pki/session-libressl-2.5.0.pem"
-+#elif defined(AWSLC_API_VERSION) && AWSLC_API_VERSION == 22
++#elif defined(OPENSSL_IS_AWSLC)
 +#define TMP_SESS_FILE "pki/session-aws-lc-1.15.0.pem"
  #else
  #define TMP_SESS_FILE "pki/session.pem"
@@ -19,7 +19,7 @@ index 754b7d3..1cd3294 100644
  
  #if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20501000L
  #define TMP_SESS_FILE "pki/session-libressl-2.5.0.pem"
-+#elif defined(AWSLC_API_VERSION) && AWSLC_API_VERSION == 22
++#elif defined(OPENSSL_IS_AWSLC)
 +#define TMP_SESS_FILE "pki/session-aws-lc-1.15.0.pem"
  #else
  #define TMP_SESS_FILE "pki/session.pem"

data/aws-crt-ffi/crt/aws-lc/tests/ci/run_ec2_test_framework.sh

@@ -0,0 +1,135 @@
+#!/usr/bin/env bash
+set -exo pipefail
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0 OR ISC
+
+# Please run from project root folder!
+# You'll want to set the codebuild env variables set if running locally
+source tests/ci/common_ssm_setup.sh
+
+AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+
+# Cleanup AWS resources.
+cleanup() {
+  set +e
+  aws ec2 terminate-instances --instance-ids "${instance_id}"
+  aws ssm delete-document --name "${ssm_doc_name}"
+}
+
+generate_ssm_document_file() {
+  # use sed to replace placeholder values inside preexisting document
+  sed -e "s,{AWS_ACCOUNT_ID},${AWS_ACCOUNT_ID},g" \
+    -e "s,{PR_NUM},${CODEBUILD_WEBHOOK_TRIGGER},g" \
+    -e "s,{COMMIT_ID},${CODEBUILD_SOURCE_VERSION},g" \
+    -e "s,{GITHUB_REPO},${CODEBUILD_SOURCE_REPO_URL},g" \
+    -e "s,{ECR_DOCKER_TAG},${ecr_docker_tag},g" \
+    tests/ci/cdk/cdk/ssm/general_test_run_ssm_document.yaml \
+    > "tests/ci/cdk/cdk/ssm/${ec2_ami_id}_ssm_document.yaml"
+}
+
+#$1 for ami, $2 for instance-type, echos the instance id so we can capture the output
+create_ec2_instances() {
+  local instance_id
+  instance_id="$(aws ec2 run-instances --image-id "$1" --count 1 \
+    --instance-type "$2" --security-group-ids "${sg_id}" --subnet-id "${subnet_id}" \
+    --block-device-mappings 'DeviceName="/dev/sda1",Ebs={DeleteOnTermination=True,VolumeSize=200}' \
+    --tag-specifications 'ResourceType="instance",Tags=[{Key="aws-lc",Value="aws-lc-ci-ec2-test-framework-ec2-x86-instance"}]' \
+    --iam-instance-profile Name=aws-lc-ci-ec2-test-framework-ec2-profile \
+    --placement 'AvailabilityZone=us-west-2a' \
+    --instance-initiated-shutdown-behavior terminate \
+    --query Instances[*].InstanceId --output text)"
+  echo "${instance_id}"
+}
+
+trap cleanup EXIT
+
+# print some information for reference
+echo GitHub PR Number: "${CODEBUILD_WEBHOOK_TRIGGER}"
+echo GitHub Commit Version: "${CODEBUILD_SOURCE_VERSION}"
+echo AWS Account ID: "${AWS_ACCOUNT_ID}"
+echo GitHub Repo Link: "${CODEBUILD_SOURCE_REPO_URL}"
+export ec2_ami_id="$1"
+export ec2_instance_type="$2"
+export ecr_docker_tag="$3"
+export s3_bucket_name="aws-lc-codebuild"
+
+# Get resources for ec2 instances. These were created with the cdk script.
+vpc_id="$(aws ec2 describe-vpcs --filter Name=tag:Name,Values=aws-lc-ci-ec2-test-framework/aws-lc-ci-ec2-test-framework-ec2-vpc --query Vpcs[*].VpcId --output text)"
+sg_id="$(aws ec2 describe-security-groups --filter Name=vpc-id,Values="${vpc_id}" --filter Name=group-name,Values=codebuild_ec2_sg --query SecurityGroups[*].GroupId --output text)"
+subnet_id="$(aws ec2 describe-subnets --filter Name=vpc-id,Values="${vpc_id}" --filter Name=state,Values=available --filter Name=tag:Name,Values=aws-lc-ci-ec2-test-framework/aws-lc-ci-ec2-test-framework-ec2-vpc/PrivateSubnet1 --query Subnets[*].SubnetId --output text)"
+
+# create the ssm documents that will be used for the various ssm commands
+generate_ssm_document_file
+
+# create ec2 instances
+instance_id=$(create_ec2_instances "${ec2_ami_id}" "${ec2_instance_type}")
+if [[ -z "${instance_id}" ]];  then
+  exit 1
+fi
+
+# Give a few minutes for the ec2 instance to be ready
+sleep 60
+for i in {1..30}; do
+  status=$(aws ssm describe-instance-information --filter Key="InstanceIds",Values="${instance_id}" \
+    --query InstanceInformationList[*].PingStatus --output text)
+  if [ "${status}" == Online ]; then
+    break
+  fi
+  echo "Wait for instances to be able to run the SSM commands"
+
+  # if we've hit the 30 minute mark and still aren't ready, then something has gone wrong
+  if [ "${i}" = 30 ]; then exit 1; fi
+  sleep 60
+done
+
+
+# Create, and run ssm command.
+ssm_doc_name=$(create_ssm_document "${ec2_ami_id}")
+
+cloudwatch_group_name="aws-lc-ci-ec2-test-framework-cw-logs"
+ec2_test_ssm_command_id=$(run_ssm_command "${ssm_doc_name}" "${instance_id}" ${cloudwatch_group_name})
+
+run_url="https://${AWS_REGION}.console.aws.amazon.com/cloudwatch/home?region=${AWS_REGION}\
+#logsV2:log-groups/log-group/${cloudwatch_group_name}/log-events/\
+${ec2_test_ssm_command_id}\$252F${instance_id}\$252FrunShellScript\$252Fstdout"
+
+echo "Actual Run in EC2 can be observered at CloudWatch URL: ${run_url}"
+
+# Give some time for the commands to run
+done=false
+success=false
+for i in {1..45}; do
+  echo "${i}: Continue to wait 2 min for SSM commands to finish."
+  sleep 120
+
+  ssm_command_status="$(aws ssm list-commands --command-id "${ec2_test_ssm_command_id}" --query Commands[*].Status --output text)"
+  ssm_target_count="$(aws ssm list-commands --command-id "${ec2_test_ssm_command_id}" --query Commands[*].TargetCount --output text)"
+  ssm_completed_count="$(aws ssm list-commands --command-id "${ec2_test_ssm_command_id}" --query Commands[*].CompletedCount --output text)"
+  if [[ ${ssm_command_status} == 'Success' && ${ssm_completed_count} == "${ssm_target_count}" ]]; then
+    echo "SSM command ${ec2_test_ssm_command_id} finished successfully."
+    success=true
+    done=true
+  elif [[ ${ssm_command_status} == 'Failed' && ${ssm_completed_count} == "${ssm_target_count}" ]]; then
+    echo "SSM command ${ec2_test_ssm_command_id} failed."
+    done=true
+  else
+    # Still running.
+    done=false
+  fi
+
+  # if after the loop finish and done is still true, then we're done
+  if [ "${done}" = true ]; then
+    echo "EC2 SSM command has finished."
+
+    # if success is still true here, then none of the commands failed
+    if [ "${success}" == true ]; then
+      echo "EC2 SSM command succeeded!"
+      exit 0
+    else
+      echo "EC2 SSM command failed!"
+      exit 1
+    fi
+    break
+  fi
+done
+exit 1

data/aws-crt-ffi/crt/aws-lc/tests/ci/run_fips_tests.sh

@@ -15,10 +15,22 @@ if [[ ("$(uname -s)" == 'Linux'*) && (("$(uname -p)" == 'x86_64'*) || ("$(uname
   echo "Testing AWS-LC static library in FIPS Release mode."
   fips_build_and_test -DCMAKE_BUILD_TYPE=Release
 
-  echo "Testing AWS-LC static breakable build"
+  echo "Testing AWS-LC static breakable release build"
   run_build -DFIPS=1 -DCMAKE_C_FLAGS="-DBORINGSSL_FIPS_BREAK_TESTS"
   cd $SRC_ROOT
-  ./util/fipstools/test-break-kat.sh
+  MODULE_HASH=$(./util/fipstools/test-break-kat.sh |\
+                    (egrep "Hash of module was:.* ([a-f0-9]*)" || true))
+
+  echo "Testing AWS-LC static breakable release build while keeping local symbols"
+  echo "to check that module hash didn't change."
+  run_build -DFIPS=1 -DKEEP_ASM_LOCAL_SYMBOLS=1 -DCMAKE_C_FLAGS="-DBORINGSSL_FIPS_BREAK_TESTS"
+  cd $SRC_ROOT
+  ./util/fipstools/test-break-kat.sh || grep -i hash
+  MODULE_HASH_LOCALSYMS=$(./util/fipstools/test-break-kat.sh |\
+                              (egrep "Hash of module was:.* ([a-f0-9]*)" || true))
+  if [ "$MODULE_HASH" == "$MODULE_HASH_LOCALSYMS" ]; then
+    echo "Module hash didn't change"
+  fi
 
   # These build parameters may be needed by our aws-lc-fips-sys Rust package
   run_build -DFIPS=1 -DBUILD_LIBSSL=OFF -DBUILD_TESTING=OFF

data/aws-crt-ffi/crt/aws-lc/tests/ci/run_tests_with_sde.sh

@@ -1,9 +1,12 @@
-#!/bin/bash -ex
+#!/usr/bin/env bash
+set -ex
 # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0 OR ISC
 
 source tests/ci/common_posix_setup.sh
 
+sde_getenforce_check
+
 echo "Testing AWS-LC in debug mode under Intel's SDE."
 build_and_test_with_sde
 

data/aws-crt-ffi/crt/aws-lc/tests/ci/run_tests_with_sde_asan.sh

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+set -ex
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0 OR ISC
+
+source tests/ci/common_posix_setup.sh
+
+sde_getenforce_check
+
+echo "Testing AWS-LC in debug mode under Intel's SDE with address sanitizer."
+build_and_test_with_sde -DASAN=1
+
+echo "Testing AWS-LC in release mode under Intel's SDE with address sanitizer."
+build_and_test_with_sde -DCMAKE_BUILD_TYPE=Release -DASAN=1

data/aws-crt-ffi/crt/aws-lc/tests/ci/run_windows_tests.bat

@@ -3,11 +3,26 @@ set SRC_ROOT=%cd%
 set BUILD_DIR=%SRC_ROOT%\test_build_dir
 
 @rem %1 contains the path to the setup batch file for the version of of visual studio that was passed in from the build spec file.
-@rem x64 comes from the architecture options https://docs.microsoft.com/en-us/cpp/build/building-on-the-command-line
+@rem %2 specifies the architecture option to build against: https://docs.microsoft.com/en-us/cpp/build/building-on-the-command-line
+@rem %3 is to indicate running SDE simulation tests. If not set, SDE tests are not run.
 set MSVC_PATH=%1
-call %MSVC_PATH% x64 || goto error
+set ARCH_OPTION=%2
+if "%~3"=="" ( set RUN_SDE=false ) else ( set RUN_SDE=%3 )
+call %MSVC_PATH% %ARCH_OPTION% || goto error
 SET
 
+@echo on
+if /i "%RUN_SDE%" == "false " (
+	goto :run_basic_tests
+) else if /i "%RUN_SDE%" == "true " (
+	goto :run_sde_tests
+) else (
+	@rem Unrecognized option
+	goto error
+)
+goto :EOF
+
+:run_basic_tests
 @rem Run the same builds as run_posix_tests.sh
 @rem Check which version of MSVC we're building with: remove 14.0 from the path to the compiler and check if it matches the
 @rem original string. MSVC 14 has an issue with a missing DLL that causes the debug unit tests to fail
@@ -23,8 +38,13 @@ call :build_and_test Release "-DBUILD_SHARED_LIBS=1" || goto error
 call :build_and_test Release "-DBUILD_SHARED_LIBS=1 -DFIPS=1" || goto error
 @rem For FIPS on Windows we also have a RelWithDebInfo build to generate debug symbols.
 call :build_and_test RelWithDebInfo "-DBUILD_SHARED_LIBS=1 -DFIPS=1" || goto error
+exit /b 0
 
-goto :EOF
+:run_sde_tests
+@rem Run and test the same dimensions as our Linux SDE tests.
+call :build_and_test_with_sde Debug "" || goto error
+call :build_and_test_with_sde Release "" || goto error
+exit /b 0
 
 @rem %1 is the build type (e.g. Release/Debug)
 @rem %2 is the additional full CMake args
@@ -34,6 +54,14 @@ call :build %1 %2 || goto error
 call :test %1 %2 || goto error
 exit /b 0
 
+@rem %1 is the build type (e.g. Release/Debug)
+@rem %2 is the additional full CMake args
+:build_and_test_with_sde
+@echo on
+call :build %1 %2 || goto error
+call :test_with_sde %1 %2 || goto error
+exit /b 0
+
 @rem Use the same parameters as build_and_test
 :build
 @echo on
@@ -57,6 +85,14 @@ ninja run_tests || goto error
 @echo  LOG: %date%-%time% %1 %2 tests complete
 exit /b %errorlevel%
 
+@rem Runs the SDE simulator tests, this assumes the build is complete
+:test_with_sde
+@echo on
+@echo  LOG: %date%-%time% %1 %2 build finished, starting tests with SDE
+ninja run_tests_with_sde || goto error
+@echo  LOG: %date%-%time% %1 %2 SDE tests complete
+exit /b %errorlevel%
+
 :error
 echo Failed with error #%errorlevel%.
 exit /b 1

data/aws-crt-ffi/crt/aws-lc/third_party/fiat/README.md

@@ -1,8 +1,23 @@
-# Fiat
+# Fiat Cryptography
 
-This directory contains code generated by
-[Fiat](https://github.com/mit-plv/fiat-crypto) and thus these files are
-licensed under the MIT license. (See LICENSE file.)
+The files in this directory are generated using [Fiat
+Cryptography](https://github.com/mit-plv/fiat-crypto) from the associated
+library of arithmetic-implementation templates. These files are included under
+the MIT license. (See LICENSE file.)
 
-The files are imported from the `fiat-c/src` directory of the Fiat repository.
-Their contents are `#include`d into source files, so we rename them to `.h`.
+Some files are included directly from the `fiat-c/src` directory of the Fiat
+Cryptography repository. Their contents are `#include`d into source files, so
+we rename them to `.h`. Implementations that use saturated arithmetic on 64-bit
+words are further manually edited to use platform-appropriate incantations for
+operations such as addition with carry; these changes are marked with "`NOTE:
+edited after generation`".
+
+# CryptOpt
+
+Files in the `asm` directory are compiled from Fiat-Cryptography templates
+using [CryptOpt](https://github.com/0xADE1A1DE/CryptOpt). These generated
+assembly files have been edited to support call-stack unwinding. The modified
+files have been checked for functional correctness using the CryptOpt
+translation validator that is included in the Fiat-Cryptography repository.
+Correct unwinding and manual assembler-directive changes related to object-file
+conventions are validated using unit tests.