
feature: remove openssl-1.0.2-fips fips mode support #5030

Merged
merged 1 commit into from
Jan 14, 2025

Conversation

lrstewart
Contributor

@lrstewart lrstewart commented Jan 14, 2025

Release Summary:

Remove support for enabling fips mode with openssl-1.0.2-fips

Description of changes:

My previous PRs just removed openssl-1.0.2-fips builds and removed the illusion of fips-mode testing. This PR actually removes support for using fips mode + openssl-1.0.2-fips from the library. If a customer was still using openssl-1.0.2-fips, this change would break them.

Call-outs:

I could change the definition of s2n_libcrypto_is_fips to instead no longer consider openssl-1.0.2-fips as fips, but that would just silently disable fips mode. If someone out there is still using openssl-1.0.2-fips in fips mode, we should break loudly and with a clear error message.

Testing:

I found a host with a working copy of openssl-1.0.2-fips. It was old enough that it had plenty of other issues, but I got a working copy of s2n-tls built. It behaved as expected:

% ./bin/s2nd localhost 8888
libcrypto: OpenSSL 1.0.2k-fips  26 Jan 2017
Listening on localhost:8888

% ./bin/s2nd localhost 8888 --enter-fips-mode
s2nd entered FIPS mode
[17475] Error running s2n_init(): 'FIPS mode is not supported for the libcrypto' : 'Error encountered in s2n_fips.c:61'

Old Testing

Testing this is a little tricky. I've been unsuccessful in getting a build of openssl-1.0.2-fips where I can actually enable FIPS mode (our old CI builds don't work-- one of the fun things I found while investigating our fips mode testing).

I can verify that for openssl-1.0.2-fips, things still work when FIPS mode isn't enabled:

$ ./build/bin/s2nd localhost 8888
libcrypto: OpenSSL 1.0.2v-fips-dev  xx XXX xxxx
Listening on localhost:8888

With fips mode enabled, the best I've managed is hacky testing with awslc by defining OPENSSL_FIPS myself at the top of s2n_fips.h.

For awslc-fips (which is always in fips mode) that produces:

$ ./build/bin/s2nd localhost 8888
[204097] Error running s2n_init(): 'FIPS mode is not supported for the libcrypto' : 'Error encountered in /home/ubuntu/s2n-tls/crypto/s2n_fips.c:63'

And for non-fips awslc (which is never in fips mode), that produces:

$ ./build/bin/s2nd localhost 8888
libcrypto: AWS-LC 1.36.0
Listening on localhost:8888

To test this in our CI, we'd have to either a) add back an openssl-1.0.2-fips build AND successfully enable fips mode or b) do something hacky like build our unit tests with OPENSSL_FIPS defined when building with awslc (because awslc will define the legacy functions). I'm not convinced we want to do either one of those just for an openssl-1.0.2-fips warning :/

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@github-actions github-actions bot added the s2n-core team label Jan 14, 2025
@lrstewart lrstewart marked this pull request as ready for review January 14, 2025 02:37
@lrstewart lrstewart added this pull request to the merge queue Jan 14, 2025
Merged via the queue into aws:main with commit fb77459 Jan 14, 2025
42 checks passed
@lrstewart lrstewart deleted the no102fips_warn branch January 14, 2025 23:09