ci: remove openssl-1.0.2-fips builds (#4995)

Author: lrstewart

codebuild/bin/install_default_dependencies.sh

@@ -43,10 +43,6 @@ if [[ "$S2N_LIBCRYPTO" == "openssl-1.0.2" && ! -d "$OPENSSL_1_0_2_INSTALL_DIR" ]
     codebuild/bin/install_openssl_1_0_2.sh "$(mktemp -d)" "$OPENSSL_1_0_2_INSTALL_DIR" "$OS_NAME" > /dev/null ;
 fi
 
-# Download and Install the Openssl FIPS module and Openssl 1.0.2-fips
-if [[ "$S2N_LIBCRYPTO" == "openssl-1.0.2-fips" ]] && [[ ! -d "$OPENSSL_1_0_2_FIPS_INSTALL_DIR" ]]; then
-    codebuild/bin/install_openssl_1_0_2_fips.sh "$(mktemp -d)" "$OPENSSL_1_0_2_FIPS_INSTALL_DIR" "$OS_NAME" ; fi
-
 # Download and Install LibreSSL
 if [[ "$S2N_LIBCRYPTO" == "libressl" && ! -d "$LIBRESSL_INSTALL_DIR" ]]; then
     mkdir -p "$LIBRESSL_INSTALL_DIR"||true

codebuild/bin/install_openssl_1_0_2_fips.sh

@@ -49,10 +49,6 @@ case "${S2N_BUILD_PRESET-default}" in
         : "${S2N_LIBCRYPTO:=openssl-1.0.2}"
         : "${GCC_VERSION:=6}"
         ;;
-    "openssl-1.0.2-fips")
-        : "${S2N_LIBCRYPTO:=openssl-1.0.2-fips}"
-        : "${GCC_VERSION:=6}"
-        ;;
     "openssl-1.1.1_gcc4-8")
         : "${S2N_LIBCRYPTO:=openssl-1.1.1}"
         : "${GCC_VERSION:=4.8}"

codebuild/bin/s2n_set_build_preset.sh

@@ -42,7 +42,6 @@ source codebuild/bin/s2n_set_build_preset.sh
 : "${OPENSSL_3_0_INSTALL_DIR:=$TEST_DEPS_DIR/openssl-3.0}"
 : "${OPENSSL_1_0_2_INSTALL_DIR:=$TEST_DEPS_DIR/openssl-1.0.2}"
 : "${OQS_OPENSSL_1_1_1_INSTALL_DIR:=$TEST_DEPS_DIR/oqs_openssl-1.1.1}"
-: "${OPENSSL_1_0_2_FIPS_INSTALL_DIR:=$TEST_DEPS_DIR/openssl-1.0.2-fips}"
 : "${BORINGSSL_INSTALL_DIR:=$TEST_DEPS_DIR/boringssl}"
 : "${AWSLC_INSTALL_DIR:=$TEST_DEPS_DIR/awslc}"
 : "${AWSLC_FIPS_INSTALL_DIR:=$TEST_DEPS_DIR/awslc-fips}"
@@ -99,7 +98,6 @@ export SCAN_BUILD_INSTALL_DIR
 export OPENSSL_1_1_1_INSTALL_DIR
 export OPENSSL_3_0_INSTALL_DIR
 export OPENSSL_1_0_2_INSTALL_DIR
-export OPENSSL_1_0_2_FIPS_INSTALL_DIR
 export OQS_OPENSSL_1_1_1_INSTALL_DIR
 export BORINGSSL_INSTALL_DIR
 export AWSLC_INSTALL_DIR
@@ -128,10 +126,6 @@ if [[ -z $S2N_LIBCRYPTO ]]; then export LIBCRYPTO_ROOT=$OPENSSL_1_1_1_INSTALL_DI
 if [[ "$S2N_LIBCRYPTO" == "openssl-1.1.1" ]]; then export LIBCRYPTO_ROOT=$OPENSSL_1_1_1_INSTALL_DIR ; fi
 if [[ "$S2N_LIBCRYPTO" == "openssl-3.0" ]]; then export LIBCRYPTO_ROOT=$OPENSSL_3_0_INSTALL_DIR ; fi
 if [[ "$S2N_LIBCRYPTO" == "openssl-1.0.2" ]]; then export LIBCRYPTO_ROOT=$OPENSSL_1_0_2_INSTALL_DIR ; fi
-if [[ "$S2N_LIBCRYPTO" == "openssl-1.0.2-fips" ]]; then
-    export LIBCRYPTO_ROOT=$OPENSSL_1_0_2_FIPS_INSTALL_DIR ;
-    export S2N_TEST_IN_FIPS_MODE=1 ;
-fi
 if [[ "$S2N_LIBCRYPTO" == "boringssl" ]]; then export LIBCRYPTO_ROOT=$BORINGSSL_INSTALL_DIR ; fi
 
 if [[ "$S2N_LIBCRYPTO" == "awslc" ]]; then export LIBCRYPTO_ROOT=$AWSLC_INSTALL_DIR ; fi

codebuild/bin/s2n_setup_env.sh

@@ -68,14 +68,4 @@ batch:
         privileged-mode: true
         variables:
           S2N_LIBCRYPTO: openssl-3.0
-          COMPILER: clang
-    - identifier: clang_openssl_1_0_2_fips
-      buildspec: codebuild/spec/buildspec_fuzz.yml
-      debug-session: true
-      env:
-        compute-type: BUILD_GENERAL1_XLARGE
-        image: 024603541914.dkr.ecr.us-west-2.amazonaws.com/docker:ubuntu22codebuild
-        privileged-mode: true
-        variables:
-          S2N_LIBCRYPTO: openssl-1.0.2-fips
-          COMPILER: clang          
+          COMPILER: clang    

codebuild/spec/buildspec_fuzz_batch.yml

@@ -50,13 +50,6 @@ batch:
         variables:
           S2N_LIBCRYPTO: openssl-1.0.2
           COMPILER: gcc
-    - identifier: gcc_openssl_1_0_2_fips
-      env:
-        compute-type: BUILD_GENERAL1_LARGE
-        image: 024603541914.dkr.ecr.us-west-2.amazonaws.com/docker:ubuntu22codebuild
-        variables:
-          S2N_LIBCRYPTO: openssl-1.0.2-fips
-          COMPILER: gcc
 
 phases:
   pre_build:

codebuild/spec/buildspec_valgrind.yml

@@ -227,11 +227,6 @@ def invalid_sslyze_scan_parameters(*args, **kwargs):
             sslyze.ScanCommand.SESSION_RENEGOTIATION
         ]:
             return True
-    # BUG_IN_SSLYZE error for session resumption scan with openssl 1.0.2 fips
-    if "openssl-1.0.2-fips" in get_flag(S2N_PROVIDER_VERSION):
-        if scan_command == sslyze.ScanCommand.SESSION_RESUMPTION:
-            return True
-
     return invalid_test_parameters(*args, **kwargs)
 
 
@@ -313,11 +308,6 @@ def invalid_certificate_scans_parameters(*args, **kwargs):
         # SSLyze curves scan errors when given ECDSA certs
         if "ECDSA" in certificate.name:
             return True
-
-        # SSLyze curves scan fails to validate with openssl 1.0.2 fips
-        if "openssl-1.0.2-fips" in get_flag(S2N_PROVIDER_VERSION):
-            return True
-
     return invalid_test_parameters(*args, **kwargs)
 
 

tests/integrationv2/test_sslyze.py

@@ -80,7 +80,6 @@ S2N_RESULT s2n_check_supported_libcrypto(const char *s2n_libcrypto)
         { .libcrypto = "boringssl", .is_openssl = false },
         { .libcrypto = "libressl", .is_openssl = false },
         { .libcrypto = "openssl-1.0.2", .is_openssl = true },
-        { .libcrypto = "openssl-1.0.2-fips", .is_openssl = true },
         { .libcrypto = "openssl-1.1.1", .is_openssl = true },
         { .libcrypto = "openssl-3.0", .is_openssl = true },
     };