ci: cleanup awslc-fips versioning

codebuild/bin/install_awslc.sh

@@ -16,17 +16,17 @@ set -eu
 pushd "$(pwd)"
 
 usage() {
-    echo "install_awslc.sh build_dir install_dir is_fips"
+    echo -e "\ninstall_awslc.sh build_dir install_dir"
+    echo -e "\tIf you need FIPS, use the FIPS specific install script.\n"
     exit 1
 }
 
-if [ "$#" -ne "3" ]; then
+if [ "$#" -ne "2" ]; then
     usage
 fi
 
 BUILD_DIR=$1
 INSTALL_DIR=$2
-IS_FIPS=$3
 
 if [[ ! -f "$(which clang)" ]]; then
   echo "Could not find clang"
@@ -35,12 +35,9 @@ fi
 
 # These tags represents the latest versions that S2N is compatible
 # with. It prevents our build system from breaking when AWS-LC
-# is updated, last done on 2023-02-22.
-if [ "$IS_FIPS" == "1" ]; then
-  AWSLC_VERSION=AWS-LC-FIPS-1.0.3
-else
-  AWSLC_VERSION=v1.36.0
-fi
+# is updated.
+AWSLC_VERSION=v1.47.0
+
 mkdir -p "$BUILD_DIR"||true
 cd "$BUILD_DIR"
 echo "Checking out tag=$AWSLC_VERSION"
@@ -57,16 +54,12 @@ install_awslc() {
       -DCMAKE_BUILD_TYPE=relwithdebinfo \
       -DCMAKE_INSTALL_PREFIX="${INSTALL_DIR}" \
       -DCMAKE_C_COMPILER=$(which clang) \
-      -DCMAKE_CXX_COMPILER=$(which clang++) \
-      -DFIPS="${IS_FIPS}"
+      -DCMAKE_CXX_COMPILER=$(which clang++)
     ninja -j "$(nproc)" -C build install
     ninja -C build clean
 }
 
-if [ "$IS_FIPS" != "1" ]; then
-  install_awslc 0
-fi
-
+install_awslc 0
 install_awslc 1
 
 exit 0

codebuild/bin/install_awslc_fips.sh

@@ -4,7 +4,8 @@
 set -eu
 
 usage() {
-    echo "install_awslc_fips.sh build_dir install_dir version"
+    echo -e "\ninstall_awslc_fips.sh build_dir install_dir version"
+    echo -e "\tversion: 2022|2024|next\n"
     exit 1
 }
 
@@ -50,12 +51,17 @@ INSTALL_DIR=$2
 VERSION=$3
 
 # Map version to a specific feature branch/tag.
+# Note: since the next FIPS validation will be split off from main
+# building main with FIPS enabled is essentially the next FIPS release.
 case $VERSION in
   "2022")
-    AWSLC_BRANCH=AWS-LC-FIPS-2.0.17
+    AWSLC_BRANCH=fips-2022-11-02
     ;;
   "2024")
-    AWSLC_BRANCH=AWS-LC-FIPS-3.0.0
+    AWSLC_BRANCH=fips-2024-09-27
+    ;;
+  "next")
+    AWSLC_BRANCH=main
     ;;
   *)
     echo "Unknown version: $VERSION"

codebuild/bin/install_default_dependencies.sh

@@ -60,14 +60,14 @@ fi
 
 # Download and Install AWS-LC
 if [[ "$S2N_LIBCRYPTO" == "awslc" && ! -d "$AWSLC_INSTALL_DIR" ]]; then
-    codebuild/bin/install_awslc.sh "$(mktemp -d)" "$AWSLC_INSTALL_DIR" "0" > /dev/null ;
+    codebuild/bin/install_awslc.sh "$(mktemp -d)" "$AWSLC_INSTALL_DIR" > /dev/null ;
 fi
 
-if [[ "$S2N_LIBCRYPTO" == "awslc-fips" && ! -d "$AWSLC_FIPS_INSTALL_DIR" ]]; then
-    codebuild/bin/install_awslc.sh "$(mktemp -d)" "$AWSLC_FIPS_INSTALL_DIR" "1" > /dev/null ;
-fi
 if [[ "$S2N_LIBCRYPTO" == "awslc-fips-2022" && ! -d "$AWSLC_FIPS_2022_INSTALL_DIR" ]]; then
-    codebuild/bin/install_awslc_fips_2022.sh "$(mktemp -d)" "$AWSLC_FIPS_2022_INSTALL_DIR" > /dev/null ;
+    codebuild/bin/install_awslc.sh "$(mktemp -d)" "$AWSLC_FIPS_2022_INSTALL_DIR" "2022" > /dev/null ;
+fi
+if [[ "$S2N_LIBCRYPTO" == "awslc-fips-2024" && ! -d "$AWSLC_FIPS_2024_INSTALL_DIR" ]]; then
+    codebuild/bin/install_awslc_fips_2024.sh "$(mktemp -d)" "$AWSLC_FIPS_2024_INSTALL_DIR" "2024" > /dev/null ;
 fi
 
 if [[ "$TESTS" == "integrationv2" || "$TESTS" == "ALL" ]]; then

codebuild/spec/buildspec_musl.yml

@@ -33,7 +33,7 @@ phases:
       # We need to modify the usual install so that the library can link to musl.
       # If this becomes a problem, we can switch to more official cross compilation.
       - CFLAGS="-U_FORTIFY_SOURCE -D_FILE_OFFSET_BITS=32"
-      - ./codebuild/bin/install_awslc.sh $(mktemp -d) $CODEBUILD_SRC_DIR/$LIBCRYPTO_DIR 0
+      - ./codebuild/bin/install_awslc.sh $(mktemp -d) $CODEBUILD_SRC_DIR/$LIBCRYPTO_DIR
   build:
     on-failure: ABORT
     commands: