aws · dougch · Feb 28, 2025 · Mar 3, 2025 · Mar 3, 2025 · Mar 4, 2025
@@ -16,31 +16,28 @@ set -eu
 pushd "$(pwd)"
 
 usage() {
-    echo "install_awslc.sh build_dir install_dir is_fips"
+    echo -e "\ninstall_awslc.sh build_dir install_dir"
+    echo -e "\tIf you need FIPS, use the FIPS specific install script.\n"
     exit 1
 }
 
-if [ "$#" -ne "3" ]; then
+if [ "$#" -ne "2" ]; then
     usage
 fi
 
 BUILD_DIR=$1
 INSTALL_DIR=$2
-IS_FIPS=$3
+GH_RELEASE_URL="https://api.github.com/repos/aws/aws-lc/releases"
 
 if [[ ! -f "$(which clang)" ]]; then
   echo "Could not find clang"
   exit 1
 fi
 
-# These tags represents the latest versions that S2N is compatible
-# with. It prevents our build system from breaking when AWS-LC
-# is updated, last done on 2023-02-22.
-if [ "$IS_FIPS" == "1" ]; then
-  AWSLC_VERSION=AWS-LC-FIPS-1.0.3
-else
-  AWSLC_VERSION=v1.36.0
-fi
+# Ask GitHub for the latest v1.x release.
+AWSLC_VERSION=$(curl --silent "$GH_RELEASE_URL" | \
+        grep -Po '"tag_name": "\Kv1\..*?(?=")' |head -1)
+
 mkdir -p "$BUILD_DIR"||true
 cd "$BUILD_DIR"
 echo "Checking out tag=$AWSLC_VERSION"
@@ -57,16 +54,12 @@ install_awslc() {
       -DCMAKE_BUILD_TYPE=relwithdebinfo \
       -DCMAKE_INSTALL_PREFIX="${INSTALL_DIR}" \
       -DCMAKE_C_COMPILER=$(which clang) \
-      -DCMAKE_CXX_COMPILER=$(which clang++) \
-      -DFIPS="${IS_FIPS}"
+      -DCMAKE_CXX_COMPILER=$(which clang++)
     ninja -j "$(nproc)" -C build install
     ninja -C build clean
 }
 
-if [ "$IS_FIPS" != "1" ]; then
-  install_awslc 0
-fi
-
+install_awslc 0
 install_awslc 1
 
 exit 0
@@ -4,7 +4,8 @@
 set -eu
 
 usage() {
-    echo "install_awslc_fips.sh build_dir install_dir version"
+    echo -e "\ninstall_awslc_fips.sh build_dir install_dir version"
+    echo -e "\tversion: 2022|2024|next\n"
     exit 1
 }
 
@@ -48,14 +49,22 @@ check_dep go
 BUILD_DIR=$1
 INSTALL_DIR=$2
 VERSION=$3
+GH_RELEASE_URL="https://api.github.com/repos/aws/aws-lc/releases"
 
-# Map version to a specific feature branch/tag.
+# Map version to the latest release of the certificate year.
+# Note: since the next FIPS validation will be split off from main
+# building main with FIPS enabled is the next candidate FIPS branch.
 case $VERSION in
   "2022")
-    AWSLC_BRANCH=AWS-LC-FIPS-2.0.17
+    AWSLC_BRANCH=$(curl --silent $GH_RELEASE_URL \
+      |grep -Po '"tag_name": "\KAWS-LC-FIPS-2.*?(?=")' |head -1)
     ;;
   "2024")
-    AWSLC_BRANCH=AWS-LC-FIPS-3.0.0
+    AWSLC_BRANCH=$(curl --silent $GH_RELEASE_URL \
+      |grep -Po '"tag_name": "\KAWS-LC-FIPS-3.*?(?=")' |head -1)
+    ;;
+  "next")
+    AWSLC_BRANCH=main
     ;;
   *)
     echo "Unknown version: $VERSION"

@@ -60,14 +60,14 @@ fi
 
 # Download and Install AWS-LC
 if [[ "$S2N_LIBCRYPTO" == "awslc" && ! -d "$AWSLC_INSTALL_DIR" ]]; then
-    codebuild/bin/install_awslc.sh "$(mktemp -d)" "$AWSLC_INSTALL_DIR" "0" > /dev/null ;
+    codebuild/bin/install_awslc.sh "$(mktemp -d)" "$AWSLC_INSTALL_DIR" > /dev/null ;
 fi
 
-if [[ "$S2N_LIBCRYPTO" == "awslc-fips" && ! -d "$AWSLC_FIPS_INSTALL_DIR" ]]; then
-    codebuild/bin/install_awslc.sh "$(mktemp -d)" "$AWSLC_FIPS_INSTALL_DIR" "1" > /dev/null ;
-fi
 if [[ "$S2N_LIBCRYPTO" == "awslc-fips-2022" && ! -d "$AWSLC_FIPS_2022_INSTALL_DIR" ]]; then
-    codebuild/bin/install_awslc_fips_2022.sh "$(mktemp -d)" "$AWSLC_FIPS_2022_INSTALL_DIR" > /dev/null ;
+    codebuild/bin/install_awslc.sh "$(mktemp -d)" "$AWSLC_FIPS_2022_INSTALL_DIR" "2022" > /dev/null ;
+fi
+if [[ "$S2N_LIBCRYPTO" == "awslc-fips-2024" && ! -d "$AWSLC_FIPS_2024_INSTALL_DIR" ]]; then
+    codebuild/bin/install_awslc_fips_2024.sh "$(mktemp -d)" "$AWSLC_FIPS_2024_INSTALL_DIR" "2024" > /dev/null ;
 fi
 
 if [[ "$TESTS" == "integrationv2" || "$TESTS" == "ALL" ]]; then

@@ -21,12 +21,12 @@ case "${S2N_BUILD_PRESET-default}" in
         : "${S2N_LIBCRYPTO:=awslc}"
         : "${GCC_VERSION:=9}"
         ;;
-    "awslc-fips_gcc4-8")
-        : "${S2N_LIBCRYPTO:=awslc-fips}"
+    "awslc-fips-2022_gcc4-8")
+        : "${S2N_LIBCRYPTO:=awslc-fips-2022}"
         : "${GCC_VERSION:=4.8}"
         ;;
-    "awslc-fips_gcc9")
-        : "${S2N_LIBCRYPTO:=awslc-fips}"
+    "awslc-fips-2022_gcc9")
+        : "${S2N_LIBCRYPTO:=awslc-fips-2022}"
         : "${GCC_VERSION:=9}"
         ;;
     "awslc-fips-2022_gcc6")

@@ -45,7 +45,6 @@ source codebuild/bin/s2n_set_build_preset.sh
 : "${OPENSSL_1_0_2_FIPS_INSTALL_DIR:=$TEST_DEPS_DIR/openssl-1.0.2-fips}"
 : "${BORINGSSL_INSTALL_DIR:=$TEST_DEPS_DIR/boringssl}"
 : "${AWSLC_INSTALL_DIR:=$TEST_DEPS_DIR/awslc}"
-: "${AWSLC_FIPS_INSTALL_DIR:=$TEST_DEPS_DIR/awslc-fips}"
 : "${AWSLC_FIPS_2022_INSTALL_DIR:=$TEST_DEPS_DIR/awslc-fips-2022}"
 : "${AWSLC_FIPS_2024_INSTALL_DIR:=$TEST_DEPS_DIR/awslc-fips-2024}"
 : "${LIBRESSL_INSTALL_DIR:=$TEST_DEPS_DIR/libressl}"

@@ -33,7 +33,7 @@ phases:
       # We need to modify the usual install so that the library can link to musl.
       # If this becomes a problem, we can switch to more official cross compilation.
       - CFLAGS="-U_FORTIFY_SOURCE -D_FILE_OFFSET_BITS=32"
-      - ./codebuild/bin/install_awslc.sh $(mktemp -d) $CODEBUILD_SRC_DIR/$LIBCRYPTO_DIR 0
+      - ./codebuild/bin/install_awslc.sh $(mktemp -d) $CODEBUILD_SRC_DIR/$LIBCRYPTO_DIR
   build:
     on-failure: ABORT
     commands:

@@ -29,7 +29,7 @@ batch:
         variables:
           S2N_BUILD_PRESET:
             - awslc_gcc9
-            - awslc-fips_gcc4-8
+            - awslc-fips-2022_gcc4-8
             - awslc-fips-2022_gcc6
             - openssl-1.0.2
             - openssl-1.0.2-fips

@@ -27,7 +27,7 @@ batch:
         compute-type: BUILD_GENERAL1_LARGE
         image: 024603541914.dkr.ecr.us-west-2.amazonaws.com/docker:ubuntu24
         variables:
-          S2N_LIBCRYPTO: awslc-fips
+          S2N_LIBCRYPTO: awslc-fips-2022
           COMPILER: gcc
     - identifier: gcc_openssl_3_0
       env: