Accepting request 1319769 from Cloud:Tools

- Update to version 2.4.1
  * Add cafile override for eusc-de-east-1 in efs-utils.conf
- Refresh fix-cargo-checksums.patch
- Refresh initialize-arrays-as-arrays.patch
- Refresh support-relro-in-delocator.patch (forwarded request 1319744 from glaubitz)

OBS-URL: https://build.opensuse.org/request/show/1319769
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/aws-efs-utils?expand=0&rev=25

_service

@@ -0,0 +1,20 @@
+<?xml version="1.0"?>
+<services>
+  <service name="tar_scm" mode="manual">
+    <param name="url">https://github.com/aws/efs-utils.git</param>
+    <param name="scm">git</param>
+    <param name="revision">v2.4.1</param>
+    <param name="versionformat">@PARENT_TAG@</param>
+  </service>
+  <service name="recompress" mode="disabled">
+    <param name="file">efs-utils-*.tar</param>
+    <param name="compression">gz</param>
+  </service>
+  <service name="cargo_vendor" mode="manual">
+   <param name="compression">gz</param>
+   <param name="custom-root">src/proxy</param>
+   <param name="i-accept-the-risk">RUSTSEC-2022-0013 RUSTSEC-2022-0006</param>
+   <param name="srcdir">efs-utils</param>
+   <param name="update">true</param>
+  </service>
+</services>

aws-efs-utils.changes

@@ -1,3 +1,104 @@
+-------------------------------------------------------------------
+Mon Nov 24 13:21:24 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to version 2.4.1
+  * Add cafile override for eusc-de-east-1 in efs-utils.conf
+- Refresh fix-cargo-checksums.patch
+- Refresh initialize-arrays-as-arrays.patch
+- Refresh support-relro-in-delocator.patch
+
+-------------------------------------------------------------------
+Fri Nov  7 14:01:13 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to version 2.4.0
+  * Upgrade s2n-tls version in efs-proxy to use AWS-LC
+  * Add ubuntu24 and macOS Tahoe support efs-utils
+- Add clang-devel to BuildRequires
+- Add cmake to BuildRequires
+- Add golang(API) >= 1.24 to BuildRequires
+- Add initialize-arrays-as-arrays.patch to fix build with newer GCC
+- Add support-relro-in-delocator.patch to fix build with newer GCC
+- Add fix-cargo-checksums.patch to fix cargo checksums after patching
+
+-------------------------------------------------------------------
+Fri Oct 24 11:13:56 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Use RUSTFLAGS over CC/CXX to overwrite default linker on SLE-15
+
+-------------------------------------------------------------------
+Fri Aug 15 06:25:25 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to version 2.3.3 (bsc#1248055, CVE-2025-55159)
+  * Add environment variable support for AWS profiles and regions
+  * Regenerate Cargo.lock with rust 1.70.0
+  * Update circle-ci config
+  * Fix AWS Env Variable Test and Code Style Issue
+  * Remove CentOS 8 and Ubuntu 16.04 from verified Linux distribution list
+- from version 2.3.2
+  * Update version in amazon-efs-utils.spec to 2.3.1
+  * Fix incorrect package version
+
+-------------------------------------------------------------------
+Thu Jul 10 11:29:00 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Add gcc13 and gcc13-c++ to BuildRequires for SLE-15
+- Set CC=gcc-13 and CXX=g++-13 for SLE-15
+- Remove unused build dependencies python-flake8, python-mccabe,
+  python-pycodestyle and python-pyflakes from BuildRequires
+
+-------------------------------------------------------------------
+Tue Jul  8 09:30:32 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Remove BuildArch field to set build architecture to any
+- Use %cargo_install for installing efs-proxy
+- Update install location for efs-proxy in %files section
+
+-------------------------------------------------------------------
+Fri Jul  4 09:15:25 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Add cargo-packaging to BuildRequires
+- Use %cargo_build for building Rust code
+
+-------------------------------------------------------------------
+Fri Jun 27 19:41:53 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Limit recompress service to efs-utils-*.tar
+- Remove commented fields from _service file
+- Switch source service from obs_scm to tar_scm
+
+-------------------------------------------------------------------
+Fri Jun 27 13:56:03 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to version 2.3.1
+  * Fix backtrace version to resolve ubuntu and rhel build issues
+  * Pin Cargo.lock to avoid unexpected error across images
+- from version 2.3.0
+  * Add support for pod-identity credentials in the credentials chain
+  * Enable mounting with IPv6 when using with the 'stunnel' mount option
+- Build and install efs-proxy binary (bsc#1240044)
+  * Add cargo, libopenssl-devel and rust to BuildRequires
+  * Adjust starting directory for find command to exclude src/proxy
+  * Enable vendoring for Rust dependencies of efs-proxy
+  * Include efs-proxy binary in %files section
+  * Replace upstream tarball with SCM-generated source
+
+-------------------------------------------------------------------
+Mon Mar 31 09:42:29 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to version 2.2.1
+  * Readme Updates
+  * Update log4rs to mitigate CVE-2020-35881
+- from version 2.2.0
+  * Use region-specific domain suffixes for dns endpoints where missing
+  * Merge PR #211 - Amend Debian control to use binary architecture
+- from version 2.1.0
+  * Add mount option for specifying region
+  * Add new ISO regions to config file
+- from version 2.0.4
+  * Add retry logic to and increase timeout for EC2 metadata token
+    retrieval requests
+- Update BuildRequires from requirements.txt
+
 -------------------------------------------------------------------
 Wed Jul 31 11:04:49 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
 

aws-efs-utils.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package aws-efs-utils
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -23,53 +23,71 @@
 %endif
 %global _sitelibdir %{%{pythons}_sitelib}
 Name:           aws-efs-utils
-Version:        2.0.3
+Version:        2.4.1
 Release:        0
 Summary:        Utilities for using the EFS file systems
 License:        MIT
 Group:          System/Management
 URL:            https://github.com/aws/efs-utils
-Source0:        %{url}/archive/v%{version}.tar.gz#/efs-utils-%{version}.tar.gz
+Source0:        efs-utils-v%{version}.tar.gz
+Source1:        vendor.tar.gz
 Patch0:         disable_mount_efs_test.patch
 Patch1:         harden_amazon-efs-mount-watchdog.service.patch
 Patch2:         skip-styletest.patch
 Patch3:         use_mock_from_unittest.patch
-BuildRequires:  %{pythons}-attrs >= 17.4.0
-BuildRequires:  %{pythons}-botocore >= 1.17.53
-BuildRequires:  %{pythons}-coverage >= 4.5.4
-BuildRequires:  openssl
-#BuildRequires:  %{pythons}-flake8 >= 3.7.9
-BuildRequires:  %{pythons}-flake8
-BuildRequires:  %{pythons}-mccabe >= 0.6.1
+# PATCH-FIX-UPSTREAM - Initialize arrays as arrays - https://github.com/aws/aws-lc/pull/2042
+Patch4:         initialize-arrays-as-arrays.patch
+# PATCH-FIX-UPSTREAM - Support relro in delocator - https://github.com/aws/aws-lc/pull/2455
+Patch5:         support-relro-in-delocator.patch
+# PATCH-FIX-OPENSUSE - fix cargo checksums after patching
+Patch6:         fix-cargo-checksums.patch
+BuildRequires:  %{pythons}-botocore >= 1.34.140
+BuildRequires:  %{pythons}-coverage >= 7.6.0
 BuildRequires:  %{pythons}-pbr >= 3.1.1
 BuildRequires:  %{pythons}-pluggy >= 0.13.0
 BuildRequires:  %{pythons}-py >= 1.11.0
-BuildRequires:  %{pythons}-pycodestyle >= 2.5.0
-BuildRequires:  %{pythons}-pyflakes >= 2.1.1
-BuildRequires:  %{pythons}-pytest >= 4.6.7
-BuildRequires:  %{pythons}-pytest-cov >= 2.8.1
-BuildRequires:  %{pythons}-pytest-html >= 1.19.0
-BuildRequires:  %{pythons}-pytest-metadata >= 1.7.0
-BuildRequires:  %{pythons}-pytest-mock >= 1.11.2
+BuildRequires:  %{pythons}-pytest >= 8.2.2
+BuildRequires:  %{pythons}-pytest-cov >= 5.0.0
+BuildRequires:  %{pythons}-pytest-html >= 4.1.1
+BuildRequires:  %{pythons}-pytest-metadata >= 3.1.1
+BuildRequires:  %{pythons}-pytest-mock >= 3.14.0
+BuildRequires:  cargo
+BuildRequires:  cargo-packaging
+BuildRequires:  clang-devel
+BuildRequires:  cmake
+%if 0%{?suse_version} <= 1500
+BuildRequires:  gcc13
+BuildRequires:  gcc13-c++
+%endif
+BuildRequires:  libopenssl-devel
+BuildRequires:  openssl
+BuildRequires:  rust
 BuildRequires:  systemd-rpm-macros
+BuildRequires:  golang(API) >= 1.24
 BuildRequires:  pkgconfig(systemd)
 Requires:       nfs-utils
 Requires:       stunnel >= 4.56
-BuildArch:      noarch
 
 %description
 This package provides utilities for using the EFS file systems.
 
 %prep
-%setup -n efs-utils-%{version}
+%setup -n efs-utils-v%{version} -a1
 %patch -P 0 -p1
-find . -name "*.py" -exec sed -i 's/env python3/python3/' {} +
+find src/mount_efs src/watchdog -name "*.py" -exec sed -i 's/env python3/python3/' {} +
 %patch -P 1 -p1
 %patch -P 2
 %patch -P 3 -p1
+%patch -P 4 -p1
+%patch -P 5 -p1
+%patch -P 6 -p1
 
 %build
-# No build required
+%if 0%{?suse_version} <= 1500
+export RUSTFLAGS=" -C linker=/usr/bin/gcc-13"
+%endif
+cd src/proxy
+%cargo_build
 
 %check
 make test
@@ -77,7 +95,7 @@ make test
 %install
 mkdir -p %{buildroot}%{_sysconfdir}/amazon/efs
 mkdir -p %{buildroot}%{_unitdir}
-install -p -m 644 %{_builddir}/efs-utils-%{version}/dist/amazon-efs-mount-watchdog.service %{buildroot}%{_unitdir}
+install -p -m 644 %{_builddir}/efs-utils-v%{version}/dist/amazon-efs-mount-watchdog.service %{buildroot}%{_unitdir}
 
 mkdir -p %{buildroot}%{_bindir}
 mkdir -p %{buildroot}%{_sbindir}
@@ -85,11 +103,17 @@ mkdir -p %{buildroot}%{_localstatedir}/log/amazon/efs
 mkdir -p %{buildroot}%{_mandir}/man8
 mkdir -p %{buildroot}%{_sysconfdir}/amazon/efs
 
-install -p -m 644 %{_builddir}/efs-utils-%{version}/dist/efs-utils.conf %{buildroot}%{_sysconfdir}/amazon/efs
-install -p -m 444 %{_builddir}/efs-utils-%{version}/dist/efs-utils.crt %{buildroot}%{_sysconfdir}/amazon/efs
-install -p -m 755 %{_builddir}/efs-utils-%{version}/src/mount_efs/__init__.py %{buildroot}%{_sbindir}/mount.efs
-install -p -m 755 %{_builddir}/efs-utils-%{version}/src/watchdog/__init__.py %{buildroot}%{_bindir}/amazon-efs-mount-watchdog
-install -p -m 644 %{_builddir}/efs-utils-%{version}/man/mount.efs.8 %{buildroot}%{_mandir}/man8
+install -p -m 644 %{_builddir}/efs-utils-v%{version}/dist/efs-utils.conf %{buildroot}%{_sysconfdir}/amazon/efs
+install -p -m 444 %{_builddir}/efs-utils-v%{version}/dist/efs-utils.crt %{buildroot}%{_sysconfdir}/amazon/efs
+install -p -m 755 %{_builddir}/efs-utils-v%{version}/src/mount_efs/__init__.py %{buildroot}%{_sbindir}/mount.efs
+install -p -m 755 %{_builddir}/efs-utils-v%{version}/src/watchdog/__init__.py %{buildroot}%{_bindir}/amazon-efs-mount-watchdog
+install -p -m 644 %{_builddir}/efs-utils-v%{version}/man/mount.efs.8 %{buildroot}%{_mandir}/man8
+
+%if 0%{?suse_version} <= 1500
+export RUSTFLAGS=" -C linker=/usr/bin/gcc-13"
+%endif
+cd src/proxy
+%cargo_install
 
 # Create rc-link
 for srv_name in %{buildroot}%{_unitdir}/*.service; do rc_name=$(basename -s '.service' $srv_name); ln -s service %{buildroot}%{_sbindir}/rc$rc_name; done
@@ -114,6 +138,7 @@ for srv_name in %{buildroot}%{_unitdir}/*.service; do rc_name=$(basename -s '.se
 %{_sysconfdir}/amazon
 %config %{_sysconfdir}/amazon/efs/efs-utils.conf
 %config %{_sysconfdir}/amazon/efs/efs-utils.crt
+%{_bindir}/efs-proxy
 %{_sbindir}/mount.efs
 %{_bindir}/amazon-efs-mount-watchdog
 %{_sbindir}/rcamazon-efs-mount-watchdog

efs-utils-2.0.3.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:7489b85737e2a91006b99461d34e4f67c3d101a105a0cf78235d554e2b736f0d
-size 165557

efs-utils-v2.4.1.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2b68cacb771947ed4f06b6abfbdff8da9d0389f6669a18301269c81958fdedb1
+size 223337

initialize-arrays-as-arrays.patch

@@ -0,0 +1,27 @@
+diff -Nru vendor.orig/src/proxy/vendor/aws-lc-fips-sys-0.13.10/aws-lc/crypto/fipsmodule/self_check/self_check.c vendor/src/proxy/vendor/aws-lc-fips-sys-0.13.10/aws-lc/crypto/fipsmodule/self_check/self_check.c
+--- vendor.orig/src/proxy/vendor/aws-lc-fips-sys-0.13.10/aws-lc/crypto/fipsmodule/self_check/self_check.c	1970-01-01 01:00:00.000000000 +0100
++++ vendor/src/proxy/vendor/aws-lc-fips-sys-0.13.10/aws-lc/crypto/fipsmodule/self_check/self_check.c	2025-11-24 14:09:10.073187291 +0100
+@@ -1706,7 +1706,8 @@
+ }
+ 
+ static int boringssl_self_test_fast(void) {
+-  static const uint8_t kAESKey[16] = "BoringCrypto Key";
++  static const uint8_t kAESKey[16] =  {'B', 'o', 'r', 'i', 'n', 'g', 'C', 'r',
++                                       'y', 'p', 't', 'o', ' ', 'K', 'e', 'y'};
+   // Older versions of the gcc release build on ARM will optimize out the
+   // assembly label for kAESIV, if we define it with {0}. The assembler
+   // will set the value of kAESIV to another static constant in the
+@@ -1856,8 +1857,11 @@
+       0x3f, 0x17, 0x4c, 0xf4, 0x78, 0x7a, 0x4f, 0x1a, 0x40, 0xc2, 0xb5, 0x0b,
+       0xab, 0xe1, 0x4a, 0xae, 0x53, 0x0b, 0xe5, 0x88, 0x6d, 0x91, 0x0a, 0x27,
+   };
+-  static const uint8_t kDRBGPersonalization[18] = "BCMPersonalization";
+-  static const uint8_t kDRBGAD[16] = "BCM DRBG KAT AD ";
++  static const uint8_t kDRBGPersonalization[18] = {
++      'B', 'C', 'M', 'P', 'e', 'r', 's', 'o', 'n',
++      'a', 'l', 'i', 'z', 'a', 't', 'i', 'o', 'n'};
++  static const uint8_t kDRBGAD[16] = {'B', 'C', 'M', ' ', 'D', 'R', 'B', 'G',
++                                      ' ', 'K', 'A', 'T', ' ', 'A', 'D', ' '};
+   static const uint8_t kDRBGOutput[64] = {
+       0x19, 0x1f, 0x2b, 0x49, 0x76, 0x85, 0xfd, 0x51, 0xb6, 0x56, 0xbc,
+       0x1c, 0x7d, 0xd5, 0xdd, 0x44, 0x76, 0xa3, 0x5e, 0x17, 0x9b, 0x8e,

support-relro-in-delocator.patch

@@ -0,0 +1,750 @@
+diff -Nru vendor.orig/src/proxy/vendor/aws-lc-fips-sys-0.13.10/aws-lc/util/fipstools/delocate/delocate.go vendor/src/proxy/vendor/aws-lc-fips-sys-0.13.10/aws-lc/util/fipstools/delocate/delocate.go
+--- vendor.orig/src/proxy/vendor/aws-lc-fips-sys-0.13.10/aws-lc/util/fipstools/delocate/delocate.go	1970-01-01 01:00:00.000000000 +0100
++++ vendor/src/proxy/vendor/aws-lc-fips-sys-0.13.10/aws-lc/util/fipstools/delocate/delocate.go	2025-11-24 14:12:32.149960336 +0100
+@@ -27,6 +27,7 @@
+ 	"sort"
+ 	"strconv"
+ 	"strings"
++	"unicode"
+ 
+ 	"boringssl.googlesource.com/boringssl/util/ar"
+ 	"boringssl.googlesource.com/boringssl/util/fipstools/fipscommon"
+@@ -97,6 +98,10 @@
+ 	// cpuCapUniqueSymbols represents the set of unique symbols for each
+ 	// discovered occurrence of OPENSSL_ia32cap_P.
+ 	cpuCapUniqueSymbols []*cpuCapUniqueSymbol
++	// relroLocalLabelToFuncMap contain mappings between local symbols found in
++	// relro sections and their corresponding function symbol. e.g. ".LC53" ->
++	// "aead_aes_gcm_seal_scatter".
++	relroLocalLabelToFuncMap map[string]string
+ 	// redirectors maps from out-call symbol name to the name of a
+ 	// redirector function for that symbol. E.g. “memcpy” ->
+ 	// “bcm_redirector_memcpy”.
+@@ -205,6 +210,41 @@
+ 	return nil
+ }
+ 
++// skippedLine writes skipped line transform information to the output file.
++func (d *delocation) skippedLine(node *node32) {
++	if isNewLine(d.currentInput.contents, node) {
++		d.output.WriteString(fmt.Sprintf("# SKIPPED newline\n"))
++	} else {
++		d.output.WriteString(fmt.Sprintf("# SKIPPED %s\n", d.currentInput.contents[node.begin:node.end]))
++	}
++}
++
++// maybeSkipRelroStatement determines if a statement under a relro section can
++// be skipped
++func (d *delocation) maybeSkipRelroStatement(node *node32) bool {
++
++	if !isEndOfRelroSection(d.currentInput.contents, node) {
++		d.skippedLine(node)
++		return true
++	}
++
++	return false
++}
++
++// skipRelroSection identifies the relro section and skips all statements under
++// that section. It moves the AST node pointer to the last statement skipped.
++func (d *delocation) skipRelroSection(statement *node32) *node32 {
++	previousStatement := statement
++	for ; statement != nil; statement = statement.next {
++		if !d.maybeSkipRelroStatement(statement) {
++			break
++		}
++		previousStatement = statement
++	}
++
++	return previousStatement
++}
++
+ func (d *delocation) processDirective(statement, directive *node32) (*node32, error) {
+ 	assertNodeType(directive, ruleDirectiveName)
+ 	directiveName := d.contents(directive)
+@@ -244,14 +284,13 @@
+ 	case "section":
+ 		section := args[0]
+ 
+-		if section == ".data.rel.ro" {
+-			// In a normal build, this is an indication of a
+-			// problem but any references from the module to this
+-			// section will result in a relocation and thus will
+-			// break the integrity check. ASAN can generate these
+-			// sections and so we will likely have to work around
+-			// that in the future.
+-			return nil, errors.New(".data.rel.ro section found in module")
++		if strings.HasPrefix(section, ".data.rel.ro") {
++			d.skippedLine(statement)
++			statement = d.skipRelroSection(statement.next)
++			if statement != nil {
++				break
++			}
++			return nil, fmt.Errorf("Failed to skip relro section %s", section)
+ 		}
+ 
+ 		sectionType, ok := sectionType(section)
+@@ -722,7 +761,7 @@
+ /* ppc64le
+ 
+ [PABI]: “64-Bit ELF V2 ABI Specification. Power Architecture.” March 21st,
+-        2017
++				2017
+ 
+ (Also useful is “Power ISA Version 2.07 B”. Note that version three of that
+ document is /not/ good as that's POWER9 specific.)
+@@ -735,8 +774,8 @@
+ A pointer to the TOC is maintained in r2 and the following pattern is used to
+ load the address of an element into a register:
+ 
+-  addis <address register>, 2, foo@toc@ha
+-  addi <address register>, <address register>, foo@toc@l
++	addis <address register>, 2, foo@toc@ha
++	addi <address register>, <address register>, foo@toc@l
+ 
+ The “addis” instruction shifts a signed constant left 16 bits and adds the
+ result to its second argument, saving the result in the first argument. The
+@@ -765,8 +804,8 @@
+ r12 and store it in r2. For example:
+ 
+ foo:
+-  addis 2, 12, .TOC. - foo@ha
+-  addi  2, 2,  .TOC. - foo@l
++	addis 2, 12, .TOC. - foo@ha
++	addi  2, 2,  .TOC. - foo@l
+ 
+ (It's worth noting that the '@' operator binds very loosely, so the 3rd
+ arguments parse as (.TOC. - foo)@ha and (.TOC. - foo)@l.)
+@@ -779,9 +818,9 @@
+ Firstly, calling, say, memcpy (which we assume to be in a different module)
+ won't actually jump directly to memcpy, or even a PLT resolution function.
+ It'll call a synthesised function that:
+-  a) saves r2 in the caller's stack frame
+-  b) loads the address of memcpy@PLT into r12
+-  c) jumps to r12.
++	a) saves r2 in the caller's stack frame
++	b) loads the address of memcpy@PLT into r12
++	c) jumps to r12.
+ 
+ As this synthesised function loads memcpy@PLT, a call to memcpy from the
+ compiled code just references “memcpy” directly, not “memcpy@PLT”.
+@@ -1413,6 +1452,12 @@
+ 	return node != nil && node.pegRule == ruleBaseIndexScale && d.contents(node) == "(%rip)"
+ }
+ 
++type RelroRewrite struct {
++	isRelroRewrite bool
++	symbol string
++	mappedSymbol string
++}
++
+ func (d *delocation) processIntelInstruction(statement, instruction *node32) (*node32, error) {
+ 	assertNodeType(instruction, ruleInstructionName)
+ 	instructionName := d.contents(instruction)
+@@ -1479,7 +1524,40 @@
+ 
+ 			switch section {
+ 			case "":
+-				if _, knownSymbol := d.symbols[symbol]; knownSymbol {
++				if _, knownSymbol := d.relroLocalLabelToFuncMap[symbol]; knownSymbol {
++					// Move instruction dereferencing known relro local symbol. Assume
++					// this form:
++					// 	movq .Labc(%rip), %xmm
++					// relroLocalLabelToFuncMap contains the mapping .Labc->foo. 
++					// Transform to
++					// 	leaq .Lfoo_local_target(%rip), %reg
++					// 	movq %reg, %xmm
++					// This requires picking an un-used register for the register reg,
++					// that doesn't disturb the code-execution. It can't be the target
++					// register, because this can be a vector register that you can't lea
++					// to. Instead pick a suitable register, save on stack, and reload
++					// a posteriori.
++					// First sanity check number of arguments
++					if len(argNodes) != 2 {
++						panic(fmt.Sprintf("Expected only two arguments\n"))
++					}
++
++					// Get the function symbol that is relocated in a relro section
++					symbol = localTargetName(d.relroLocalLabelToFuncMap[symbol])
++
++					// Transform the opcode and arguments
++					instructionName = "leaq"
++					targetReg := d.contents(argNodes[1])
++					saveRegWrapper, tempReg := saveRegister(d.output, []string{targetReg})
++					wrappers = append(wrappers, saveRegWrapper)
++					wrappers = append(wrappers, func(k func()) {
++											d.output.WriteString(fmt.Sprintf("\tleaq\t%s(%%rip), %s\n", symbol, tempReg))
++											d.output.WriteString(fmt.Sprintf("\tmovq\t%s, %s\n", tempReg, targetReg))
++										})
++					// This will cause the "replacement" string to be set below. But since
++					// we are using wrappers, it's not used.
++					changed = true
++				} else if _, knownSymbol := d.symbols[symbol]; knownSymbol {
+ 					symbol = localTargetName(symbol)
+ 					changed = true
+ 				}
+@@ -1835,6 +1913,274 @@
+ 	w.WriteString(".size " + funcName + ", .-" + funcName + "\n")
+ }
+ 
++func isNewLine(file string, node *node32) bool {
++	statementName := file[node.begin:node.end];
++	if statementName == "\n" {
++		return true
++	}
++	return false
++}
++
++// isEndOfRelroSection determines if we have reached the end of a relro section.
++// Returns true if we have, false otherwise.
++func isEndOfRelroSection(file string, lineRootNode *node32) bool {
++
++	// The method used to determine whether we have reached the end of a relro
++	// section is to match on all patterns we know the relro section build from.
++	// If we cannot match such a pattern, or if we meet an unexpected pattern,
++	// we return true.
++
++	/* Relro section pattern
++	Statement "\n"
++	*/
++	if isNewLine(file, lineRootNode) {
++		return false
++	}
++
++	nodeNext := lineRootNode.up
++
++	/* Relro section pattern
++	Statement "\t.align 8\n"
++		WS "\t"
++		Directive ".align 8"
++		 DirectiveName "align"
++		 WS " "
++		 Args "8"
++			Arg "8"
++	*/
++	if matchPatternSearchSubtree(nodeNext, func(node *node32) bool {
++			directiveName := file[node.begin:node.end];
++			if directiveName == "align" {
++				return true
++			}
++			return false
++		}, ruleDirective, ruleDirectiveName) {
++		return false
++	}
++
++	/* Relro section pattern
++	 Statement ".LC0:"
++		Label ".LC0:"
++		 LocalSymbol ".LC0"
++	*/
++	if matchPatternSearchSubtree(nodeNext, func(node *node32) bool {
++			symbolName := file[node.begin:node.end];
++			if strings.HasPrefix(symbolName, ".L")  {
++				return true
++			}
++			return false
++		}, ruleLabel, ruleLocalSymbol) {
++		return false
++	}
++
++	/* Relro section pattern
++	 Statement "\t.quad\tfoo_init\n"
++		WS "\t"
++		LabelContainingDirective ".quad\tfoo_init"
++		 LabelContainingDirectiveName ".quad"
++		 WS "\t"
++		 SymbolArgs "foo_init"	<-- function symbol
++			SymbolArg "foo_init"
++			 SymbolExpr "foo_init"
++				SymbolAtom "foo_init"
++				 SymbolName "foo_init"
++	*/
++	if matchPatternSearchSubtree(nodeNext, func(node *node32) bool {
++			directiveName := file[node.begin:node.end];
++			if directiveName == ".quad" {
++				return true
++			}
++			return false
++		}, ruleLabelContainingDirective, ruleLabelContainingDirectiveName) {
++		return false
++	}
++
++	return true
++}
++
++// isProbablyAfunctionSymbolx86 sanity checks whether a string represents a
++// valid symbol for either ELF or MachO. Does not work for COFF.
++func isProbablyAValidSymbol(symbol string) error {
++	if len(symbol) == 0 {
++		return fmt.Errorf("function symbol %s cannot be empty", symbol)
++	}
++
++	if len(symbol) > 255 {
++		return fmt.Errorf("function symbol %q too long", symbol)
++	}
++
++	if !unicode.IsLetter(rune(symbol[0])) && symbol[0] != '_' {
++		return fmt.Errorf("function symbol %q must start with letter or underscore", symbol)
++	}
++
++	// Usually allows letters, numbers, underscores, and sometimes dots
++	for i, char := range symbol {
++		if !unicode.IsLetter(char) &&
++			 !unicode.IsDigit(char) &&
++			 char != '_' &&
++			 char != '.' {
++			return fmt.Errorf("invalid character for function symbol %q at position %d: %c", symbol, i, char)
++		}
++	}
++
++	if strings.HasPrefix(symbol, ".") {
++		return fmt.Errorf("function symbol %q cannot start with dot", symbol)
++	}
++
++	if strings.Contains(symbol, "@@") {
++		return fmt.Errorf("invalid function symbol %q format: contains @@", symbol)
++	}
++
++	return nil
++}
++
++func findLocalLabelsForRelro(file string, node *node32, relroLocalLabelToFuncMap map[string]string) error {
++	/* .data.rel.ro[.local] pattern
++	Statement "\t.align 8\n"
++		WS "\t"
++		Directive ".align 8"
++		 DirectiveName "align"
++		 WS " "
++		 Args "8"
++			Arg "8"
++	 Statement ".LC0:"
++		Label ".LC0:"
++		 LocalSymbol ".LC0"	<-- local symbol
++	 Statement "\n"
++	 Statement "\t.quad\tfoo_init\n"
++		WS "\t"
++		LabelContainingDirective ".quad\tfoo_init"
++		 LabelContainingDirectiveName ".quad"
++		 WS "\t"
++		 SymbolArgs "foo_init"	<-- function symbol
++			SymbolArg "foo_init"
++			 SymbolExpr "foo_init"
++				SymbolAtom "foo_init"
++				 SymbolName "foo_init"
++	*/
++
++	currentLineRootNode := node
++	for ; currentLineRootNode != nil; currentLineRootNode = currentLineRootNode.next {
++
++		// First, we search for a local symbol in each subtree, skipping the
++		// statement node.
++		localSymbolName := ""
++		if matchPatternSearchSubtree(currentLineRootNode.up, func(node *node32) bool {
++				symbolName := file[node.begin:node.end];
++				if _, exists := relroLocalLabelToFuncMap[symbolName]; exists {
++					panic(fmt.Sprintf("Duplicate symbol found: %q", symbolName))
++				}
++
++				// Sanity check that we have found what we expect to find
++				if !strings.HasPrefix(symbolName, ".L")  {
++					panic(fmt.Sprintf("Symbol name syntax is not what was expected: %q", symbolName))
++				}
++
++				localSymbolName = symbolName
++				return true
++			}, ruleLabel, ruleLocalSymbol) {
++
++			// Reaching this point, we have found a local symbol. Now we need to
++			// search for the function symbol. First advance to next statement/line.
++			currentLineRootNode = currentLineRootNode.next
++
++			// We might need to skip a newline
++			if isNewLine(file, currentLineRootNode) {
++				currentLineRootNode = currentLineRootNode.next
++			}
++
++			// The function name should be an argument to a directive
++			if !matchPatternSearchSubtree(currentLineRootNode.up, func(node *node32) bool {
++					functionSymbolName := file[node.begin:node.end]
++					if err := isProbablyAValidSymbol(functionSymbolName); err != nil {
++						panic(err)
++					}
++
++					relroLocalLabelToFuncMap[localSymbolName] = functionSymbolName
++					return true
++				}, ruleLabelContainingDirective, ruleSymbolArgs) {
++				return fmt.Errorf("After finding %q under a .data.rel.ro[.local] section, expected to find a function name\n", localSymbolName)
++			}
++
++			continue
++		}
++
++		// Check if we are at the end of the relro section.
++		if isEndOfRelroSection(file, currentLineRootNode) {
++			break
++		}
++	}
++
++	return nil
++}
++
++// relroLocalLabelToFuncMapping finds relro related sections and maps local
++// labels to function names. Stores the mapping in relroLocalLabelToFuncMap.
++func relroLocalLabelToFuncMapping(input inputFile, relroLocalLabelToFuncMap map[string]string) error {
++
++	/* Assumed pattern
++	Statement "\t.section\t.data.rel.ro.local\n"
++		WS "\t"
++		Directive ".section\t.data.rel.ro.local"
++		 DirectiveName "section"
++		 WS "\t"
++		 Args ".data.rel.ro.local"
++			Arg ".data.rel.ro.local"
++	*/
++
++	matchRelRoCb := func(node *node32) bool {
++		sectionType := input.contents[node.begin:node.end];
++		if strings.HasPrefix(sectionType, ".data.rel.ro") ||
++			 strings.HasPrefix(sectionType, ".ldata.rel.ro") {
++			 return true
++		}
++		return false
++	}
++
++	// Iterate through input file to locate all relro sections. If we find a relro
++	// section then we extract all local symbol <-> function symbol mappings and
++	// save them in relroLocalLabelToFuncMap.
++	currentLineRootNode := input.ast.up
++	for ; currentLineRootNode != nil; currentLineRootNode = currentLineRootNode.next {
++		if matchPatternOneLine(currentLineRootNode, matchRelRoCb,
++			ruleStatement, ruleDirective, ruleArgs, ruleArg) {
++			if err := findLocalLabelsForRelro(input.contents, currentLineRootNode.next, relroLocalLabelToFuncMap); err != nil {
++				return err
++			}
++
++			continue
++		}
++
++		// Sometimes a .set directive is used to alias two local symbol. If we find
++		// one of these, check if the alias is one of our mappings. If it is,
++		// map the aliased value to the known function name.
++		if matchPatternSearchSubtree(currentLineRootNode.up, func(node *node32) bool {
++				directiveName := input.contents[node.begin:node.end];
++				if directiveName == ".set" {
++					return true
++				}
++				return false
++			}, ruleLabelContainingDirective, ruleLabelContainingDirectiveName) {
++
++			if !matchPatternSearchSubtree(currentLineRootNode.up, func(node *node32) bool {
++					labelNames := strings.Split(input.contents[node.begin:node.end], ",")
++					if _, exists := relroLocalLabelToFuncMap[labelNames[1]]; !exists {
++						// Doesn't exist, carry on.
++						return true
++					}
++					relroLocalLabelToFuncMap[labelNames[0]] = relroLocalLabelToFuncMap[labelNames[1]]
++					return true
++				}, ruleLabelContainingDirective, ruleSymbolArgs) {
++				return errors.New("Parsing error for .set directive")
++			}
++
++			continue
++		}
++	}
++
++	return nil
++}
++
+ func transform(w stringWriter, includes []string, inputs []inputFile, startEndDebugDirectives bool) error {
+ 	// symbols contains all defined symbols.
+ 	symbols := make(map[string]struct{})
+@@ -1849,6 +2195,8 @@
+ 	// checksums in .file directives. If it does so, then this script needs
+ 	// to match that behaviour otherwise warnings result.
+ 	fileDirectivesContainMD5 := false
++	// TODO
++	relroLocalLabelToFuncMap := make(map[string]string)
+ 
+ 	// OPENSSL_ia32cap_get will be synthesized by this script.
+ 	symbols["OPENSSL_ia32cap_get"] = struct{}{}
+@@ -1861,6 +2209,11 @@
+ 		w.WriteString(fmt.Sprintf("#include <%s>\n", relative))
+ 	}
+ 
++	processor := x86_64
++	if len(inputs) > 0 {
++		processor = detectProcessor(inputs[0])
++	}
++
+ 	for _, input := range inputs {
+ 		forEachPath(input.ast.up, func(node *node32) {
+ 			symbol := input.contents[node.begin:node.end]
+@@ -1923,11 +2276,12 @@
+ 				}
+ 			}
+ 		}, ruleStatement, ruleLocationDirective)
+-	}
+ 
+-	processor := x86_64
+-	if len(inputs) > 0 {
+-		processor = detectProcessor(inputs[0])
++		if processor == x86_64 {
++			if err := relroLocalLabelToFuncMapping(input, relroLocalLabelToFuncMap); err != nil {
++				return err
++			}
++		}
+ 	}
+ 
+ 	commentIndicator := "#"
+@@ -1942,6 +2296,7 @@
+ 		commentIndicator:    commentIndicator,
+ 		output:              w,
+ 		cpuCapUniqueSymbols: []*cpuCapUniqueSymbol{},
++		relroLocalLabelToFuncMap: relroLocalLabelToFuncMap,
+ 		redirectors:         make(map[string]string),
+ 		bssAccessorsNeeded:  make(map[string]string),
+ 		tocLoaders:          make(map[string]struct{}),
+@@ -2348,6 +2703,50 @@
+ 	}
+ }
+ 
++func matchPatternSearchSubtree(node *node32, matchNode func(*node32) bool, rules ...pegRule) bool {
++	if node == nil {
++		return false
++	}
++
++	rule := rules[0]
++	childRules := rules[1:]
++
++	for ; node != nil; node = node.next {
++		if rule != node.pegRule {
++			continue
++		}
++
++		if len(childRules) == 0 {
++			return matchNode(node)
++		}
++
++		if matchPatternSearchSubtree(node.up, matchNode, childRules...) {
++			return true
++		}
++	}
++
++	return false
++}
++
++func matchPatternOneLine(lineRootNode *node32, matchNode func(*node32) bool, rules ...pegRule) bool {
++	if lineRootNode == nil || len(rules) == 0 {
++		return false
++	}
++
++	rule := rules[0]
++	childRules := rules[1:]
++
++	if rule != lineRootNode.pegRule {
++		return false
++	}
++
++	if len(childRules) == 0 {
++		return matchNode(lineRootNode)
++	}
++
++	return matchPatternSearchSubtree(lineRootNode.up, matchNode, childRules...)
++}
++
+ func forEachPath(node *node32, cb func(*node32), rules ...pegRule) {
+ 	if node == nil {
+ 		return
+diff -Nru vendor.orig/src/proxy/vendor/aws-lc-fips-sys-0.13.10/aws-lc/util/fipstools/delocate/delocate_test.go vendor/src/proxy/vendor/aws-lc-fips-sys-0.13.10/aws-lc/util/fipstools/delocate/delocate_test.go
+--- vendor.orig/src/proxy/vendor/aws-lc-fips-sys-0.13.10/aws-lc/util/fipstools/delocate/delocate_test.go	1970-01-01 01:00:00.000000000 +0100
++++ vendor/src/proxy/vendor/aws-lc-fips-sys-0.13.10/aws-lc/util/fipstools/delocate/delocate_test.go	2025-11-24 14:12:32.150568241 +0100
+@@ -56,6 +56,7 @@
+ 	{"x86_64-Sections", nil, []string{"in.s"}, "out.s", true},
+ 	{"x86_64-ThreeArg", nil, []string{"in.s"}, "out.s", true},
+ 	{"x86_64-FourArg", nil, []string{"in.s"}, "out.s", true},
++	{"x86_64-Relro", nil, []string{"in.s"}, "out.s", true},
+ 	{"aarch64-Basic", nil, []string{"in.s"}, "out.s", true},
+ }
+ 
+diff -Nru vendor.orig/src/proxy/vendor/aws-lc-fips-sys-0.13.10/aws-lc/util/fipstools/delocate/testdata/x86_64-Relro/in.s vendor/src/proxy/vendor/aws-lc-fips-sys-0.13.10/aws-lc/util/fipstools/delocate/testdata/x86_64-Relro/in.s
+--- vendor.orig/src/proxy/vendor/aws-lc-fips-sys-0.13.10/aws-lc/util/fipstools/delocate/testdata/x86_64-Relro/in.s	1970-01-01 01:00:00.000000000 +0100
++++ vendor/src/proxy/vendor/aws-lc-fips-sys-0.13.10/aws-lc/util/fipstools/delocate/testdata/x86_64-Relro/in.s	2025-11-24 14:12:32.150816192 +0100
+@@ -0,0 +1,47 @@
++	.text
++	.globl foo
++foo:
++	ret
++	.globl foofoo
++foofoo:
++	ret
++
++	# relro references.
++	movq  %rdx, %xmm1
++	movl  $419, (%rax)
++	movups  %xmm0, 4(%rax)
++	movq .L00(%rip), %xmm0
++	movl  $2, 20(%rax)
++	punpcklqdq  %xmm1, %xmm0
++	movups  %xmm0, 24(%rax)
++	addq  $8, %rsp
++
++	movq .LC02(%rip), %xmm2
++
++	.section .data.rel.ro.local,"aw"
++	.align 8
++.L00:
++	.quad foo
++.LC02:
++	.quad foofoo
++
++	# Should be left alone.
++	.section  .init_array,"aw"
++	.align 8
++	.quad oof
++
++	.section .data.rel.ro
++	.align 8
++.LD100:
++	.quad foofoofoo
++
++	# Should be left alone.
++	.section .rodata
++	.align 16
++
++	.text
++	movq .LD100(%rip), %xmm1
++
++	.globl foofoofoo
++foofoofoo:
++	ret
+diff -Nru vendor.orig/src/proxy/vendor/aws-lc-fips-sys-0.13.10/aws-lc/util/fipstools/delocate/testdata/x86_64-Relro/out.s vendor/src/proxy/vendor/aws-lc-fips-sys-0.13.10/aws-lc/util/fipstools/delocate/testdata/x86_64-Relro/out.s
+--- vendor.orig/src/proxy/vendor/aws-lc-fips-sys-0.13.10/aws-lc/util/fipstools/delocate/testdata/x86_64-Relro/out.s	1970-01-01 01:00:00.000000000 +0100
++++ vendor/src/proxy/vendor/aws-lc-fips-sys-0.13.10/aws-lc/util/fipstools/delocate/testdata/x86_64-Relro/out.s	2025-11-24 14:12:32.150897186 +0100
+@@ -0,0 +1,127 @@
++.text
++.file 1 "inserted_by_delocate.c"
++.loc 1 1 0
++.type BORINGSSL_bcm_text_hash, @object
++.size BORINGSSL_bcm_text_hash, 32
++BORINGSSL_bcm_text_hash:
++.byte 0xae
++.byte 0x2c
++.byte 0xea
++.byte 0x2a
++.byte 0xbd
++.byte 0xa6
++.byte 0xf3
++.byte 0xec
++.byte 0x97
++.byte 0x7f
++.byte 0x9b
++.byte 0xf6
++.byte 0x94
++.byte 0x9a
++.byte 0xfc
++.byte 0x83
++.byte 0x68
++.byte 0x27
++.byte 0xcb
++.byte 0xa0
++.byte 0xa0
++.byte 0x9f
++.byte 0x6b
++.byte 0x6f
++.byte 0xde
++.byte 0x52
++.byte 0xcd
++.byte 0xe2
++.byte 0xcd
++.byte 0xff
++.byte 0x31
++.byte 0x80
++BORINGSSL_bcm_text_start:
++	.text
++	.globl foo
++.Lfoo_local_target:
++foo:
++	ret
++	.globl foofoo
++.Lfoofoo_local_target:
++foofoo:
++	ret
++
++	# relro references.
++	movq  %rdx, %xmm1
++	movl  $419, (%rax)
++	movups  %xmm0, 4(%rax)
++# WAS movq .L00(%rip), %xmm0
++	leaq -128(%rsp), %rsp
++	pushq %rax
++	leaq	.Lfoo_local_target(%rip), %rax
++	movq	%rax, %xmm0
++	popq %rax
++	leaq 128(%rsp), %rsp
++	movl  $2, 20(%rax)
++	punpcklqdq  %xmm1, %xmm0
++	movups  %xmm0, 24(%rax)
++	addq  $8, %rsp
++
++# WAS movq .LC02(%rip), %xmm2
++	leaq -128(%rsp), %rsp
++	pushq %rax
++	leaq	.Lfoofoo_local_target(%rip), %rax
++	movq	%rax, %xmm2
++	popq %rax
++	leaq 128(%rsp), %rsp
++
++# SKIPPED 	.section .data.rel.ro.local,"aw"
++
++# SKIPPED 	.align 8
++
++# SKIPPED .L00:
++# SKIPPED newline
++# SKIPPED 	.quad foo
++
++# SKIPPED .LC02:
++# SKIPPED newline
++# SKIPPED 	.quad foofoo
++
++# SKIPPED newline
++	# Should be left alone.
++	.section  .init_array,"aw"
++	.align 8
++	.quad oof
++
++# SKIPPED 	.section .data.rel.ro
++
++# SKIPPED 	.align 8
++
++# SKIPPED .LD100:
++# SKIPPED newline
++# SKIPPED 	.quad foofoofoo
++
++# SKIPPED newline
++	# Should be left alone.
++# WAS .section .rodata
++.text
++	.align 16
++
++	.text
++# WAS movq .LD100(%rip), %xmm1
++	leaq -128(%rsp), %rsp
++	pushq %rax
++	leaq	.Lfoofoofoo_local_target(%rip), %rax
++	movq	%rax, %xmm1
++	popq %rax
++	leaq 128(%rsp), %rsp
++
++	.globl foofoofoo
++.Lfoofoofoo_local_target:
++foofoofoo:
++	ret
++.text
++.loc 1 2 0
++BORINGSSL_bcm_text_end:
++.type OPENSSL_ia32cap_get, @function
++.globl OPENSSL_ia32cap_get
++.LOPENSSL_ia32cap_get_local_target:
++OPENSSL_ia32cap_get:
++	leaq OPENSSL_ia32cap_P(%rip), %rax
++	ret

vendor.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:afc00c1c29b0e024097eea53a73150294363cebc7020ac5ad3d62c497b95365f
+size 62711971