
ci: add openssl-3.0-fips builds #5037

Merged
merged 2 commits into from
Jan 16, 2025

Conversation

lrstewart
Contributor

@lrstewart lrstewart commented Jan 15, 2025

Release Summary:

Resolved issues:

Required for first step of #5036

Description of changes:

In order to add openssl-3.0-fips to our CI, we first need a build script to use to update the codebuild image(s).

Call-outs:

  • Adding openssl-3.0-fips to nix is out of scope of this PR, but will need to be done in the future. We can use nix for the unit and most integ tests, but all the other jobs still use the codebuild images.
  • Adding builds that use openssl-3.0-fips is out of scope of this PR, because we need to update the codebuild images using this script first.

Testing:

For now this is manually tested.

Running successfully builds openssl-3.0-fips using:

$ ./codebuild/bin/install_openssl_3_0.sh "$(mktemp -d)" /home/ubuntu/s2n-tls/test-deps/openssl-3.0-fips linux fips

I can then successfully build s2n-tls using that version as the libcrypto with:

$ cmake . -Bbuild  -DCMAKE_PREFIX_PATH=/home/ubuntu/s2n-tls/test-deps/openssl-3.0-fips

And confirm that fips mode is enabled when s2n_libcrypto_is_fips is updated to call EVP_default_properties_is_fips_enabled for Openssl-3:

$ ./build/bin/s2nd localhost 8888 --enter-fips-mode
libcrypto: OpenSSL 3.0.9 30 May 2023
s2nd entered FIPS mode
Listening on localhost:8888

If the openssl config file isn't touched so fips isn't enabled, we can still successfully use the libcrypto:

$ ./build/bin/s2nd localhost 8888 --enter-fips-mode
libcrypto: OpenSSL 3.0.9 30 May 2023
FIPS mode not enabled: libcrypto does not support FIPS

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@github-actions github-actions bot added the s2n-core team label Jan 15, 2025
@lrstewart lrstewart marked this pull request as ready for review January 15, 2025 18:59
@lrstewart lrstewart requested a review from dougch as a code owner January 15, 2025 18:59
Comment on lines +48 to +49
curl --retry 3 -L --output OpenSSL_${RELEASE}.zip \
https://github.com/openssl/openssl/archive/refs/tags/openssl-${RELEASE}.zip
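Review bot: the archive fetched on lines +48 to +49 is unpacked and built without any integrity check; GitHub's auto-generated tag archives are not signed, so pin an expected SHA-256 for the release and verify it (for example with `sha256sum -c`) before the build proceeds, or fetch the signed tarball from openssl.org and verify its signature. This is the libcrypto the FIPS CI jobs will trust, so the download is the weakest link in the script.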
Contributor Author


I just reordered the arguments here so I could wrap the line :P

Contributor

@dougch dougch left a comment


Thanks for not creating two scripts!

Minor nit: we're asking Configure to do some things it says are deprecated:

***** Deprecated options: no-ripemd, no-ssl2, no-hw

@lrstewart lrstewart requested a review from goatgoose January 15, 2025 23:56
Contributor Author


I was trying to avoid committing the entire config file, but I think it's unavoidable.

Turns out my "just prepend the right sections" solution wasn't /actually/ working. The error I was getting from the drbg wasn't a valid fips issue, it was a provider configuration issue. To properly configure this, we have to replace sections instead of just duplicating them ;_; The script to modify an existing config would be pretty complicated and fragile, so I think the only option is to commit a manually modified config and use that one.

I've updated the testing section-- the drbg error is gone, and everything is initializing correctly (with s2n_libcrypto_is_fips updated to account for Openssl3).
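The configuration pitfall described in this comment, as an added example that is not part of the PR or of s2n-tls: a small shell lint that reads an OpenSSL 3 openssl.cnf, reports duplicated section headers, and checks that the fips provider is referenced and activated and that fips=yes is the default property. The section and key names are the ones documented in OpenSSL's fips_module(7) man page; both sample configs are constructed here.

```shell
#!/bin/sh
# Added example, not code from the s2n-tls PR: lint an OpenSSL 3 openssl.cnf that is meant to
# activate the FIPS provider. Flags duplicated section headers (the "prepend the sections"
# pitfall from the comment above) and checks the fips provider is referenced and activated and
# that fips=yes is the default property. Layout follows OpenSSL's fips_module(7) man page;
# the two sample configs are constructed for this example.

check_fips_cnf() {  # $1: path to openssl.cnf; prints "ok" or a list of problems
    awk '
        /^[[:space:]]*\[/ {                    # [section] header
            sec = $0; gsub(/^[[:space:]]*\[|\][[:space:]]*$/, "", sec)
            if (seen[sec]++) dup[sec] = 1      # header appears twice
            next
        }
        /^[[:space:]]*(#|$)/ { next }         # comment or blank line
        {
            eq = index($0, "="); if (!eq) next # e.g. .include lines
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            kv[sec SUBSEP key] = val          # sec is "" before the first header
        }
        END {                                  # follow the reference chain
            init = kv["" SUBSEP "openssl_conf"]; prov = kv[init SUBSEP "providers"]
            alg = kv[init SUBSEP "alg_section"]; fips = kv[prov SUBSEP "fips"]
            for (s in dup) out = out " duplicate-section:" s
            if (fips == "") out = out " no-fips-provider-reference"
            else if (kv[fips SUBSEP "activate"] != "1") out = out " fips-provider-not-activated"
            if (kv[alg SUBSEP "default_properties"] !~ /fips=yes/) out = out " default-properties-not-fips"
            msg = (out == "") ? "ok" : substr(out, 2); print msg
        }' "$1"
}

write_samples() {  # writes constructed good.cnf and bad.cnf into directory $1
    printf '%s\n' 'openssl_conf = openssl_init' '[openssl_init]' 'providers = provider_sect' \
        'alg_section = algorithm_sect' '[provider_sect]' 'fips = fips_sect' 'base = base_sect' \
        '[base_sect]' 'activate = 1' '[fips_sect]' 'activate = 1' \
        '[algorithm_sect]' 'default_properties = fips=yes' > "$1/good.cnf"
    # bad.cnf: fips sections prepended to a stock config, so [provider_sect] is duplicated
    # and no algorithm section asks for fips=yes
    printf '%s\n' 'openssl_conf = openssl_init' '[openssl_init]' 'providers = provider_sect' \
        '[provider_sect]' 'fips = fips_sect' '[fips_sect]' 'activate = 1' \
        '# --- stock config below ---' '[provider_sect]' 'default = default_sect' \
        '[default_sect]' 'activate = 1' > "$1/bad.cnf"
}

dir=$(mktemp -d)
write_samples "$dir"
echo "good.cnf: $(check_fips_cnf "$dir/good.cnf")"   # ok
echo "bad.cnf:  $(check_fips_cnf "$dir/bad.cnf")"    # duplicate-section:provider_sect default-properties-not-fips
```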

Comment on lines +84 to +85
# We assume that the configs are in the /ssl directory of $INSTALL_DIR
pushd $INSTALL_DIR
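Review bot: `pushd $INSTALL_DIR` on line +85 leaves the variable unquoted; write `pushd "$INSTALL_DIR"` so a path containing spaces or glob characters is not word-split, and since the commands that follow depend on being in that directory (as the comment on line +84 says), guard it with `|| exit 1` unless the script already runs under `set -e`.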
Contributor Author

@lrstewart lrstewart Jan 16, 2025


This pushd is kind of a duplicate. We do pushd above to make the links, and previously I just moved the popd down below this logic. But I suspect that was confusing Sam based on #5037 (comment), which is a sign it probably would have confused future devs too. Might as well make it very clear this code depends on being in the install directory.

@lrstewart lrstewart requested review from dougch and goatgoose January 16, 2025 06:49
@lrstewart lrstewart added this pull request to the merge queue Jan 16, 2025
Merged via the queue into aws:main with commit 16b3636 Jan 16, 2025
44 checks passed
@lrstewart lrstewart deleted the openssl3fips branch January 16, 2025 23:24