sdk-bump, go-update, rust-update, third party package update

Twoliter.lock

@@ -4,7 +4,7 @@ project-vendor = "Bottlerocket"
 
 [sdk]
 name = "bottlerocket-sdk"
-version = "0.64.0"
+version = "0.65.0"
 vendor = "bottlerocket"
-source = "public.ecr.aws/bottlerocket/bottlerocket-sdk:v0.64.0"
-digest = "kRW2MsSo3jA+rAEO/Mp5gW8Q4/pd62bbB/lT4d5Jzak="
+source = "public.ecr.aws/bottlerocket/bottlerocket-sdk:v0.65.0"
+digest = "g03GUrm333pxmItqDrr3kPVELf0gHj8An8Yz9/GG5Ms="

Twoliter.toml

@@ -7,5 +7,5 @@ registry = "public.ecr.aws/bottlerocket"
 
 [sdk]
 name = "bottlerocket-sdk"
-version = "0.64.0"
+version = "0.65.0"
 vendor = "bottlerocket"

packages/amazon-ssm-agent/amazon-ssm-agent.spec

@@ -68,8 +68,6 @@ Conflicts: (%{_cross_os}image-feature(no-fips) or %{name}-plugin-bin)
 %autosetup -n %{gorepo}-%{version} -p1
 
 %build
-export GO_MAJOR="1.24"
-
 %set_cross_go_flags
 
 go build -ldflags "${GOLDFLAGS}" -o amazon-ssm-agent \

packages/aws-iam-authenticator/Cargo.toml

@@ -12,8 +12,8 @@ path = "../packages.rs"
 releases-url = "https://github.com/kubernetes-sigs/aws-iam-authenticator/releases"
 
 [[package.metadata.build-package.external-files]]
-url = "https://github.com/kubernetes-sigs/aws-iam-authenticator/archive/v0.7.5/aws-iam-authenticator-0.7.5.tar.gz"
-sha512 = "9818dac7c6f651fb04b80e5ea363d2ce35dcc1988d78f67a0320f592ddff20fb286033bf6112f5e9a08736b3c341dab64895654f914b3a53a35f6c0ebd74fa91"
+url = "https://github.com/kubernetes-sigs/aws-iam-authenticator/archive/v0.7.8/aws-iam-authenticator-0.7.8.tar.gz"
+sha512 = "63dc40f7ad3f1de4cb4fa3bcda793fe73276fb477f5e001593698cd272fd7d06ff19b3dd73b29b682ef91b25870abae5241e658032d21f647f9b091509e1d5a8"
 bundle-modules = [ "go" ]
 
 [build-dependencies]

packages/aws-iam-authenticator/aws-iam-authenticator.spec

@@ -2,7 +2,7 @@
 %global gorepo aws-iam-authenticator
 %global goimport %{goproject}/%{gorepo}
 
-%global gover 0.7.5
+%global gover 0.7.8
 %global rpmver %{gover}
 
 %global _dwz_low_mem_die_limit 0
@@ -53,7 +53,7 @@ Conflicts: (%{_cross_os}image-feature(no-fips) or %{name}-bin)
 
 %build
 %set_cross_go_flags
-export GO_MAJOR="1.24"
+export GO_MAJOR="1.25"
 go build -ldflags="${GOLDFLAGS}" -o aws-iam-authenticator ./cmd/aws-iam-authenticator
 gofips build -ldflags="${GOLDFLAGS}" -o fips/aws-iam-authenticator ./cmd/aws-iam-authenticator
 

packages/cni-plugins/cni-plugins.spec

@@ -48,7 +48,7 @@ Conflicts: (%{_cross_os}image-feature(no-fips) or %{name}-bin)
 
 %build
 %cross_go_configure %{goimport}
-export GO_MAJOR="1.23"
+
 for d in $(find plugins -mindepth 2 -maxdepth 2 -type d ! -name windows) ; do
   go build -ldflags="${GOLDFLAGS}" -o "bin/${d##*/}" %{goimport}/${d}
   gofips build -ldflags="${GOLDFLAGS}" -o "fips/bin/${d##*/}" %{goimport}/${d}

packages/ecr-credential-provider-1.30/ecr-credential-provider-1.30.spec

@@ -54,8 +54,6 @@ Conflicts: (%{_cross_os}image-feature(no-fips) or %{name}-bin)
 %build
 %set_cross_go_flags
 
-export GO_MAJOR="1.23"
-
 go build -ldflags="${GOLDFLAGS}" -o=ecr-credential-provider cmd/ecr-credential-provider/*.go
 gofips build -ldflags="${GOLDFLAGS}" -o=fips/ecr-credential-provider cmd/ecr-credential-provider/*.go
 

packages/ecs-gpu-init/ecs-gpu-init.spec

@@ -19,8 +19,6 @@ BuildRequires: %{_cross_os}glibc-devel
 cp -r %{_builddir}/sources/%{workspace_name}/* .
 
 %build
-export GO_MAJOR="1.23"
-
 %set_cross_go_flags
 # We don't set `-Wl,-z,now`, because the binary uses lazy loading
 # to load the NVIDIA libraries in the host

packages/kubernetes-1.31/kubernetes-1.31.spec

@@ -145,8 +145,6 @@ cp third_party/forked/golang/PATENTS PATENTS.golang
 %build
 export FORCE_HOST_GO=1
 
-export GO_MAJOR="1.23"
-
 # Build codegen programs with the host toolchain.
 make hack/update-codegen.sh
 

packages/kubernetes-1.32/kubernetes-1.32.spec

@@ -144,8 +144,6 @@ cp third_party/forked/golang/PATENTS PATENTS.golang
 %build
 export FORCE_HOST_GO=1
 
-export GO_MAJOR="1.23"
-
 # Build codegen programs with the host toolchain.
 make hack/update-codegen.sh
 

packages/libcrypto/1013-cherry-pick-Add-back-X509_STORE_get_verify_cb-and-X5.patch

@@ -0,0 +1,197 @@
+From c9723d6b75f415c8ba46f95876b8fa14ca787857 Mon Sep 17 00:00:00 2001
+From: Sean McGrail <[email protected]>
+Date: Thu, 31 Jul 2025 15:13:47 -0700
+Subject: [PATCH] [cherry-pick] Add back X509_STORE_get_verify_cb and
+ X509_STORE_set_lookup_crls_cb (#2587)
+
+Cherry-picks https://github.com/aws/aws-lc/pull/2581
+
+This change is outside of the FIPS module and does not affect its hash.
+
+---
+
+### Issues:
+Addresses V1681685441
+
+### Description of changes:
+The following symbols were removed as part of two upstream merges in
+2024, which broke the ability to build the Azure SDK for C++ on both
+main and in the FIPS 3.x release. This was previously supported in the
+FIPS 2.x line, and was a bit unexpected. This partially reverts these
+commits to include back the necessary symbols.
+
+X509_STORE_get_verify_cb:
+
+https://github.com/aws/aws-lc/commit/884ad006425903bea38cf249352dd74f9f0597f7
+X509_STORE_set_lookup_crls_cb:
+
+https://github.com/aws/aws-lc/commit/d0c25d154621528a50fcf2e01095460d6459da8c
+
+https://github.com/aws/aws-lc/pull/1527 and
+https://github.com/aws/aws-lc/pull/1621
+
+By submitting this pull request, I confirm that my contribution is made
+under the terms of the Apache 2.0 license and the ISC license.
+---
+ crypto/x509/internal.h   |  2 ++
+ crypto/x509/x509_lu.c    | 13 +++++++++++++
+ crypto/x509/x509_test.cc | 39 +++++++++++++++++++++++++++++++++++++++
+ crypto/x509/x509_vfy.c   |  8 +++++++-
+ include/openssl/x509.h   | 13 +++++++++++++
+ 5 files changed, 74 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/x509/internal.h b/crypto/x509/internal.h
+index 2bb1fd45f..c72d97d1e 100644
+--- a/crypto/x509/internal.h
++++ b/crypto/x509/internal.h
+@@ -308,6 +308,7 @@ struct x509_store_st {
+
+   // Callbacks for various operations
+   X509_STORE_CTX_verify_cb verify_cb;       // error callback
++  X509_STORE_CTX_lookup_crls_fn lookup_crls;
+   X509_STORE_CTX_get_crl_fn get_crl;        // retrieve CRL
+   X509_STORE_CTX_check_crl_fn check_crl;    // Check CRL validity
+
+@@ -342,6 +343,7 @@ struct x509_store_ctx_st {
+
+   // Callbacks for various operations
+   X509_STORE_CTX_verify_cb verify_cb;       // error callback
++  X509_STORE_CTX_lookup_crls_fn lookup_crls;
+   X509_STORE_CTX_get_crl_fn get_crl;        // retrieve CRL
+   X509_STORE_CTX_check_crl_fn check_crl;    // Check CRL validity
+   X509_STORE_CTX_verify_crit_oids_cb
+diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c
+index 6daed4501..976d68845 100644
+--- a/crypto/x509/x509_lu.c
++++ b/crypto/x509/x509_lu.c
+@@ -642,6 +642,19 @@ void X509_STORE_set_verify_cb(X509_STORE *ctx,
+   ctx->verify_cb = verify_cb;
+ }
+
++X509_STORE_CTX_verify_cb X509_STORE_get_verify_cb(X509_STORE *ctx) {
++  return ctx->verify_cb;
++}
++
++X509_STORE_CTX_lookup_crls_fn X509_STORE_get_lookup_crls(X509_STORE *ctx) {
++  return ctx->lookup_crls;
++}
++
++void X509_STORE_set_lookup_crls(X509_STORE *ctx,
++                                X509_STORE_CTX_lookup_crls_fn lookup_crls) {
++  ctx->lookup_crls = lookup_crls;
++}
++
+ void X509_STORE_set_get_crl(X509_STORE *ctx,
+                             X509_STORE_CTX_get_crl_fn get_crl) {
+   ctx->get_crl = get_crl;
+diff --git a/crypto/x509/x509_test.cc b/crypto/x509/x509_test.cc
+index 5a1eb32a1..11995c8fa 100644
+--- a/crypto/x509/x509_test.cc
++++ b/crypto/x509/x509_test.cc
+@@ -31,6 +31,7 @@
+ #include <openssl/err.h>
+ #include <openssl/nid.h>
+ #include <openssl/pem.h>
++#include <openssl/pkcs7.h>
+ #include <openssl/pool.h>
+ #include <openssl/rand.h>
+ #include <openssl/x509.h>
+@@ -8384,3 +8385,41 @@ TEST(X509Test, X509MultipleCustomExtensions) {
+   // Check that |EXFLAG_CRITICAL| has been removed after validation.
+   EXPECT_FALSE(X509_get_extension_flags(cert.get()) & EXFLAG_CRITICAL);
+ }
++
++TEST(X509Test, StoreVerifyCallback) {
++  bssl::UniquePtr<X509_STORE> store(X509_STORE_new());
++  ASSERT_TRUE(store);
++
++  // Initially verify callback should be null
++  EXPECT_EQ(nullptr, X509_STORE_get_verify_cb(store.get()));
++
++  // Store the callback pointer for comparison
++  X509_STORE_CTX_verify_cb verify_cb = [](int ok, X509_STORE_CTX *ctx) -> int {
++    return 1;
++  };
++
++  // Set a custom verify callback
++  X509_STORE_set_verify_cb(store.get(), verify_cb);
++
++  // Verify callback should now be set and match the stored pointer
++  EXPECT_EQ(verify_cb, X509_STORE_get_verify_cb(store.get()));
++}
++
++TEST(X509Test, StoreLookupCRLs) {
++  bssl::UniquePtr<X509_STORE> store(X509_STORE_new());
++  ASSERT_TRUE(store);
++
++  // Initially lookup_crls callback should be null
++  EXPECT_EQ(nullptr, X509_STORE_get_lookup_crls(store.get()));
++
++  X509_STORE_CTX_lookup_crls_fn lookup_crls = [](X509_STORE_CTX *ctx,
++                                                 X509_NAME *nm) {
++    return sk_X509_CRL_new_null();
++  };
++
++  // Set the custom lookup_crls callback
++  X509_STORE_set_lookup_crls(store.get(), lookup_crls);
++
++  // Lookup_crls callback should now be set and match the stored pointer
++  EXPECT_EQ(lookup_crls, X509_STORE_get_lookup_crls(store.get()));
++}
+diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
+index f9fde323e..84fc5d6cb 100644
+--- a/crypto/x509/x509_vfy.c
++++ b/crypto/x509/x509_vfy.c
+@@ -1257,7 +1257,7 @@ static int get_crl(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509 *x) {
+   }
+
+   // Lookup CRLs from store
+-  skcrl = X509_STORE_CTX_get1_crls(ctx, nm);
++  skcrl = ctx->lookup_crls(ctx, nm);
+
+   // If no CRLs found and a near match from get_crl_sk use that
+   if (!skcrl && crl) {
+@@ -1760,6 +1760,12 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
+     ctx->check_crl = check_crl;
+   }
+
++  if (store->lookup_crls) {
++    ctx->lookup_crls = store->lookup_crls;
++  } else {
++    ctx->lookup_crls = X509_STORE_get1_crls;
++  }
++
+   ctx->verify_custom_crit_oids = null_verify_custom_crit_oids_callback;
+
+   return 1;
+diff --git a/include/openssl/x509.h b/include/openssl/x509.h
+index 8a8247279..607409046 100644
+--- a/include/openssl/x509.h
++++ b/include/openssl/x509.h
+@@ -2369,6 +2369,17 @@ OPENSSL_EXPORT int X509_STORE_set_purpose(X509_STORE *store, int purpose);
+ OPENSSL_EXPORT int X509_STORE_set_trust(X509_STORE *store, int trust);
+
+
++typedef STACK_OF(X509_CRL) *(*X509_STORE_CTX_lookup_crls_fn)(
++    X509_STORE_CTX *ctx, X509_NAME *nm);
++
++OPENSSL_EXPORT X509_STORE_CTX_lookup_crls_fn X509_STORE_get_lookup_crls(X509_STORE *ctx);
++
++OPENSSL_EXPORT void X509_STORE_set_lookup_crls(
++    X509_STORE *ctx, X509_STORE_CTX_lookup_crls_fn lookup_crls);
++
++#define X509_STORE_set_lookup_crls_cb(ctx, func) \
++  X509_STORE_set_lookup_crls((ctx), (func))
++
+ // Certificate verification.
+ //
+ // An |X509_STORE_CTX| object represents a single certificate verification
+@@ -4344,6 +4355,8 @@ typedef int (*X509_STORE_CTX_verify_cb)(int, X509_STORE_CTX *);
+ OPENSSL_EXPORT void X509_STORE_CTX_set_verify_cb(
+     X509_STORE_CTX *ctx, int (*verify_cb)(int ok, X509_STORE_CTX *ctx));
+
++OPENSSL_EXPORT X509_STORE_CTX_verify_cb X509_STORE_get_verify_cb(X509_STORE *ctx);
++
+ // X509_STORE_set_verify_cb acts like |X509_STORE_CTX_set_verify_cb| but sets
+ // the verify callback for any |X509_STORE_CTX| created from this |X509_STORE|
+ //