CI: scripts: add support for AWS-LC-FIPS in build-ssl.sh

Allow the build-ssl.sh script to build AWS-LC-FIPS.

Example:

  sudo AWS_LC_FIPS_VERSION=3.0.0 BUILDSSL_DESTDIR=/opt/awslc-fips-3.0.0/ ./scripts/build-ssl.sh

scripts/build-ssl.sh

@@ -146,6 +146,34 @@ build_aws_lc () {
     fi
 }
 
+download_aws_lc_fips () {
+    if [ ! -f "${BUILDSSL_TMPDIR}/aws-lc-${AWS_LC_FIPS_VERSION}.tar.gz" ]; then
+        mkdir -p "${BUILDSSL_TMPDIR}"
+        wget -q -O "${BUILDSSL_TMPDIR}/aws-lc-fips-${AWS_LC_FIPS_VERSION}.tar.gz" \
+          "https://github.com/aws/aws-lc/archive/refs/tags/AWS-LC-FIPS-${AWS_LC_FIPS_VERSION}.tar.gz"
+    fi
+}
+
+
+# require GO + Perl for FIPS mode
+build_aws_lc_fips () {
+    if [ "$(cat ${BUILDSSL_DESTDIR}/.aws_lc_fips-version)" != "${AWS_LC_FIPS_VERSION}" ]; then
+        mkdir -p "${BUILDSSL_TMPDIR}/aws-lc-fips-${AWS_LC_FIPS_VERSION}/"
+        tar zxf "${BUILDSSL_TMPDIR}/aws-lc-fips-${AWS_LC_FIPS_VERSION}.tar.gz" -C "${BUILDSSL_TMPDIR}/aws-lc-fips-${AWS_LC_FIPS_VERSION}/" --strip-components=1
+        (
+           cd "${BUILDSSL_TMPDIR}/aws-lc-fips-${AWS_LC_FIPS_VERSION}/"
+           mkdir -p build
+           cd build
+           cmake -version
+           cmake -DCMAKE_BUILD_TYPE=Release -DFIPS=1 -DBUILD_SHARED_LIBS=1 \
+             -DBUILD_TESTING=0 -DCMAKE_INSTALL_PREFIX=${BUILDSSL_DESTDIR} ..
+           make -j$(nproc)
+           make install
+        )
+        echo "${AWS_LC_FIPS_VERSION}" > "${BUILDSSL_DESTDIR}/.aws_lc_fips-version"
+    fi
+}
+
 download_quictls () {
     if [ ! -d "${BUILDSSL_TMPDIR}/quictls" ]; then
         git clone --depth=1 https://github.com/quictls/openssl ${BUILDSSL_TMPDIR}/quictls
@@ -215,6 +243,11 @@ if [ ! -z ${AWS_LC_VERSION+x} ]; then
   build_aws_lc
 fi
 
+if [ ! -z ${AWS_LC_FIPS_VERSION+x} ]; then
+	download_aws_lc_fips
+	build_aws_lc_fips
+fi
+
 if [ ! -z ${QUICTLS+x} ]; then
         download_quictls
         build_quictls