### Description of changes: 
* Set version to AWS-LC-FIPS v3.0.0

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.

)

### Description of changes: 

Previously this script always used the head of aws-lc-verification which
will have diverged from this branch since the code on the FIPS 2024
branch is a snapshot of AWS-LC. I picked
awslabs/aws-lc-verification@b19e155
since it's the most recent commit and known to be working.

### Testing:

This will hopefully get the CI to pass.

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.

…e submodules with depth 1 (#1904)

### Description of changes: 
Talked with @pennyannn and they setup a specific branch in the
verification repo so now that branch should always work with this 2024
FIPS branch and stay in sync with it.

### Testing:
Ran locally and verified it got the right branch and is a little faster.

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.

FIPS 203 Section 3.3 requires destruction of intermediate values.
AWS-LC ML-KEM implementation allocates intermediate values
only on stack, so this destruction seems a bit silly, but we do it
anyway for compliance.

…cks (#1931)

Cherry-pick #1924

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.

Some consumers noticed that a behavior difference between AWS-LC and
OpenSSL when the trust store contains certificates that are issued by
other certificates that are also in the trust store. A common example of
this would be the trust store containing both the intermediate and the
root for the cert chain (`leaf -> intermediate -> root`). The default
settings of AWS-LC and OpenSSL require `root` to be self signed for the
chain to be verified.

Many TLS implementations set the `X509_V_FLAG_PARTIAL_CHAIN` flag
however, which allows non self signed certificates to be trusted in the
trust store. When `X509_V_FLAG_PARTIAL_CHAIN` is set, OpenSSL 1.1.1 will
only verify leaf and intermediate, since intermediate is a trusted
certificate. However, AWS-LC will continue building a certificate chain
and include root within the chain of trust. This causes a behavioral
difference with `X509_STORE_CTX_get0_chain`, where AWS-LC will return
all 3 certificates (`leaf -> intermediate -> root`) and OpenSSL 1.1.1
will only return the first two (`leaf -> intermediate `).

Our upstream forked a bit before OpenSSL 1.0.2, so we don't have the new
behavior. This described behavioral difference was introduced in
openssl/openssl@d9b8b89 (along with many others), but the commit
introduces too many backwards incompatible changes for us to take as a
whole.
This subtle difference was due to [OpenSSL 1.1.1 continuously checking
for trust while the chain's being established. The search for the next
valid cert breaks early as soon as a valid chain has been built. Our
current behavior builds the chain with all possible certs first and only
breaks the loop if the final cert in the chain is self-signed. We can
inherit this part of 1.1.1's new behavior to fix this issue.

### Call-outs:
I don't believe this really changes our X509 chain building or
verification by much. We're only adding an additional check for trust
while the chain is being established and the final chain still needs to
go through the same building/verification process that exists in AWS-LC
today.

### Testing:
Specific test for new behavior in `X509_V_FLAG_PARTIAL_CHAIN`

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.

(cherry picked from commit 9fbfa70)

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.

FIPS review: The module should enter an error state if PCT fails in EC
or RSA key generation, so there should be no retries and it aborts. This
is to avoid that other threads would continue to use the module.

(cherry picked from commit 90d2a34 on
main, PR #1938)

…1947)

### Description of changes:
* ACVP testing for SHA2-512/224 and SHA2-512/256 for PBKDF and KDA:
HKDF.
* Update service indicator for PBKDF, HKDF, and HKDF_expand (KBKDF
feedback mode) to support SHA2-512/224 and SHA2-512/256 as approved
algorithms.

(cherry picked from commit d93711c)

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.

This change implements the ML-KEM Pairwise Consistency Test (PCT)
for key generation as required by FIPS 140-3 Implementation Guidance.
This effectively triples the runtime of key generation.

Cherry-pick of #1968

Per 10.3.A, Ed25519 needs a PCT. Only implement for FIPS build type and make it a simple sign-verify cycle. Abort on failure.

### Issues:
Addresses CryptoAlg-2802

### Description of changes: 
Update FIPS.md:
* Include v3.0.0 draft security policies.
* Add links to v2.0 security policies on NIST website.

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.

)

### Issues:
`P186365975`

### Description of changes:
These changes remove any usage of jent_read_entropy_safe function from
AWS-LC. This function has an implementation vulnerability described
[here](https://github.com/smuellerDD/jitterentropy-library/blob/c62c88645f27716f78e1267a182cff40e96081c2/SECURITY.md#2024-12-30).

jent_read_entropy_safe is now unused in our codebase, however, it is
still present in the Jitter code. These changes are outside the FIPS
boundary and do not impact the FIPS integrity hash.

### Call-outs:
Point out areas that need special attention or support during the review
process. Discuss architecture or design changes.

### Testing:
How is this change tested (unit tests, fuzz tests, etc.)? Are there any
testing steps to be verified by the reviewer?

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.

### Notice
This change does not modify the FIPS module boundary. This change only
avoids having CMake check for the availability of `Libunwind` when no
tests are being built.

### Description of changes:
* Libunwind is only needed when building tests.
* See same change made for main: #2093

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.