Merge pull request #1565 from Altinity/revert-1560-features/25.3/fips-ch-binary-extended-testing

Revert "SSL/ACVP Test Integration for FIPS - second try"

Author: Enmk

contrib/openssl-cmake/CMakeLists.txt

@@ -42,11 +42,6 @@ docker cp $id:$lib_dir/build/ssl/libssl.a $OUTPUT_DIR
 docker cp $id:$lib_dir/build/crypto/libcrypto.a $OUTPUT_DIR
 docker cp $id:$lib_dir/include $OUTPUT_DIR
 
-# Extract pre-built test harness libraries (symbol-localized, with libstdc++ baked in)
-docker cp $id:/harness-output/libawslc_shim.a $OUTPUT_DIR
-docker cp $id:/harness-output/libawslc_handshaker.a $OUTPUT_DIR
-docker cp $id:/harness-output/libawslc_acvp_server.a $OUTPUT_DIR
-
 docker rm $id"
 )
 
@@ -75,12 +70,7 @@ execute_process(COMMAND ${CMAKE_COMMAND} -E make_directory "${AWSLC_BINARIES_DIR
 
 add_custom_target(build-awslc
     COMMENT "Build AWS-LC in FIPS mode with docker"
-    DEPENDS
-        ${AWSLC_BINARIES_DIR}/libssl.a
-        ${AWSLC_BINARIES_DIR}/libcrypto.a
-        ${AWSLC_BINARIES_DIR}/libawslc_shim.a
-        ${AWSLC_BINARIES_DIR}/libawslc_handshaker.a
-        ${AWSLC_BINARIES_DIR}/libawslc_acvp_server.a
+    DEPENDS ${AWSLC_BINARIES_DIR}/libssl.a ${AWSLC_BINARIES_DIR}/libcrypto.a
 )
 
 if(ARCH_AARCH64)
@@ -93,20 +83,7 @@ add_custom_command(
     OUTPUT
         "${AWSLC_BUILD_DIR}/output/libssl.a"
         "${AWSLC_BUILD_DIR}/output/libcrypto.a"
-        "${AWSLC_BUILD_DIR}/output/libawslc_shim.a"
-        "${AWSLC_BUILD_DIR}/output/libawslc_handshaker.a"
-        "${AWSLC_BUILD_DIR}/output/libawslc_acvp_server.a"
     COMMENT "Building AWS-LC in FIPS mode using docker"
-    # Copy test harness build inputs into the Docker context directory
-    COMMAND ${CMAKE_COMMAND} -E copy
-        ${ClickHouse_SOURCE_DIR}/programs/ssl-common/posix_spawn_2.c
-        ${AWSLC_BUILD_DIR}/posix_spawn_2.c
-    COMMAND ${CMAKE_COMMAND} -E copy
-        ${ClickHouse_SOURCE_DIR}/programs/ssl-common/glibc_compat.c
-        ${AWSLC_BUILD_DIR}/glibc_compat.c
-    COMMAND ${CMAKE_COMMAND} -E copy
-        ${CMAKE_CURRENT_SOURCE_DIR}/build_test_harness.sh
-        ${AWSLC_BUILD_DIR}/build_test_harness.sh
     COMMAND bash -c "chmod +x ${AWSLC_BUILD_DIR}/build_awclc_fips.sh"
     COMMAND bash -c "${AWSLC_BUILD_DIR}/build_awclc_fips.sh ${AWSLC_BINARIES_DIR} ${DOCKERFILE_PATH}"
     WORKING_DIRECTORY ${AWSLC_BUILD_DIR}
@@ -115,9 +92,6 @@ add_custom_command(
         ${AWSLC_BUILD_DIR}/build_awclc_fips.sh
         ${AWSLC_BUILD_DIR}/check_version.c
         ${DOCKERFILE_PATH}
-        ${ClickHouse_SOURCE_DIR}/programs/ssl-common/posix_spawn_2.c
-        ${ClickHouse_SOURCE_DIR}/programs/ssl-common/glibc_compat.c
-        ${CMAKE_CURRENT_SOURCE_DIR}/build_test_harness.sh
 )
 
 add_library(crypto UNKNOWN IMPORTED GLOBAL)
@@ -156,45 +130,6 @@ target_compile_options(ssl INTERFACE
 target_compile_options(global-group INTERFACE "-Wno-deprecated-declarations")
 target_compile_options(global-group INTERFACE "-Wno-poison-system-directories")
 
-# ── Test harness IMPORTED libraries ──────────────────────────────────────────
-# These archives are built inside Docker (build_test_harness.sh), partially
-# linked with libstdc++ via `ld -r`, and symbol-localized so only the entry
-# point is globally visible.  No --allow-multiple-definition needed.
-
-add_library(awslc_shim STATIC IMPORTED GLOBAL)
-add_dependencies(awslc_shim build-awslc)
-set_target_properties(awslc_shim PROPERTIES
-    IMPORTED_LOCATION "${AWSLC_BINARIES_DIR}/libawslc_shim.a")
-
-add_library(awslc_handshaker STATIC IMPORTED GLOBAL)
-add_dependencies(awslc_handshaker build-awslc)
-set_target_properties(awslc_handshaker PROPERTIES
-    IMPORTED_LOCATION "${AWSLC_BINARIES_DIR}/libawslc_handshaker.a")
-
-add_library(awslc_acvp_server STATIC IMPORTED GLOBAL)
-add_dependencies(awslc_acvp_server build-awslc)
-set_target_properties(awslc_acvp_server PROPERTIES
-    IMPORTED_LOCATION "${AWSLC_BINARIES_DIR}/libawslc_acvp_server.a")
-
-# ── Test harness program libraries ───────────────────────────────────────────
-# Linked into the main clickhouse binary via clickhouse_program_install()
-# in programs/CMakeLists.txt.  The entry-point .cpp files stay in programs/.
-
-add_library(clickhouse-ssl-shim-lib
-    ${ClickHouse_SOURCE_DIR}/programs/ssl-shim/SslShim.cpp)
-target_link_libraries(clickhouse-ssl-shim-lib PRIVATE awslc_shim ssl crypto)
-add_dependencies(clickhouse-ssl-shim-lib build-awslc)
-
-add_library(clickhouse-ssl-handshaker-lib
-    ${ClickHouse_SOURCE_DIR}/programs/ssl-handshaker/SslHandshaker.cpp)
-target_link_libraries(clickhouse-ssl-handshaker-lib PRIVATE awslc_handshaker ssl crypto)
-add_dependencies(clickhouse-ssl-handshaker-lib build-awslc)
-
-add_library(clickhouse-acvp-server-lib
-    ${ClickHouse_SOURCE_DIR}/programs/acvp-server/AcvpServer.cpp)
-target_link_libraries(clickhouse-acvp-server-lib PRIVATE awslc_acvp_server crypto)
-add_dependencies(clickhouse-acvp-server-lib build-awslc)
-
 else() # FIPS_CLICKHOUSE
 
 

contrib/openssl-cmake/Dockerfile

@@ -30,9 +30,3 @@ RUN test $(/aws-lc-AWS-LC-FIPS-2.0.0/build/tool/bssl isfips) = 1
 
 # execute all test
 RUN find /aws-lc-AWS-LC-FIPS-2.0.0/build -iname '*test*' -type f -executable -print -exec {} \;
-
-# Build test harness libraries for ClickHouse FIPS testing integration
-COPY posix_spawn_2.c glibc_compat.c /tmp/
-COPY build_test_harness.sh /tmp/
-RUN chmod +x /tmp/build_test_harness.sh && \
-    /tmp/build_test_harness.sh /aws-lc-AWS-LC-FIPS-2.0.0 /harness-output

contrib/openssl-cmake/Dockerfile.aarch64

@@ -30,9 +30,3 @@ RUN test $(/aws-lc-AWS-LC-FIPS-2.0.0/build/tool/bssl isfips) = 1
 
 # execute all test
 RUN find /aws-lc-AWS-LC-FIPS-2.0.0/build -iname '*test*' -type f -executable -print -exec {} \;
-
-# Build test harness libraries for ClickHouse FIPS testing integration
-COPY posix_spawn_2.c glibc_compat.c /tmp/
-COPY build_test_harness.sh /tmp/
-RUN chmod +x /tmp/build_test_harness.sh && \
-    /tmp/build_test_harness.sh /aws-lc-AWS-LC-FIPS-2.0.0 /harness-output

contrib/openssl-cmake/build_test_harness.sh

@@ -62,12 +62,6 @@ else()
     message(STATUS "ClickHouse keeper-client mode: OFF")
 endif()
 
-if (FIPS_CLICKHOUSE AND CMAKE_SYSTEM_NAME STREQUAL "Linux")
-    set(ENABLE_CLICKHOUSE_SSL_SHIM 1)
-    set(ENABLE_CLICKHOUSE_SSL_HANDSHAKER 1)
-    set(ENABLE_CLICKHOUSE_ACVP_SERVER 1)
-endif()
-
 configure_file (config_tools.h.in ${CONFIG_INCLUDE_PATH}/config_tools.h)
 
 macro(clickhouse_target_link_split_lib target name)
@@ -231,16 +225,6 @@ if (ENABLE_CLICKHOUSE_KEEPER_CLIENT)
     list(APPEND CLICKHOUSE_BUNDLE clickhouse-keeper-client)
 endif ()
 
-if (ENABLE_CLICKHOUSE_SSL_SHIM)
-    clickhouse_program_install(clickhouse-ssl-shim ssl-shim)
-endif()
-if (ENABLE_CLICKHOUSE_SSL_HANDSHAKER)
-    clickhouse_program_install(clickhouse-ssl-handshaker ssl-handshaker)
-endif()
-if (ENABLE_CLICKHOUSE_ACVP_SERVER)
-    clickhouse_program_install(clickhouse-acvp-server acvp-server)
-endif()
-
 add_custom_target (clickhouse-bundle ALL DEPENDS ${CLICKHOUSE_BUNDLE})
 
 if (USE_BINARY_HASH)

programs/CMakeLists.txt

@@ -5,6 +5,3 @@
 #cmakedefine01 ENABLE_CLICKHOUSE_KEEPER
 #cmakedefine01 ENABLE_CLICKHOUSE_KEEPER_CLIENT
 #cmakedefine01 ENABLE_CLICKHOUSE_KEEPER_CONVERTER
-#cmakedefine01 ENABLE_CLICKHOUSE_SSL_SHIM
-#cmakedefine01 ENABLE_CLICKHOUSE_SSL_HANDSHAKER
-#cmakedefine01 ENABLE_CLICKHOUSE_ACVP_SERVER

programs/acvp-server/AcvpServer.cpp

@@ -64,16 +64,6 @@ int mainEntryClickHouseKeeperBench(int argc, char ** argv);
 int mainEntryClickHouseKeeperDataDumper(int argc, char ** argv);
 #endif
 
-#if ENABLE_CLICKHOUSE_SSL_SHIM
-int mainEntryClickHouseSslShim(int argc, char ** argv);
-#endif
-#if ENABLE_CLICKHOUSE_SSL_HANDSHAKER
-int mainEntryClickHouseSslHandshaker(int argc, char ** argv);
-#endif
-#if ENABLE_CLICKHOUSE_ACVP_SERVER
-int mainEntryClickHouseAcvpServer(int argc, char ** argv);
-#endif
-
 // install
 int mainEntryClickHouseInstall(int argc, char ** argv);
 int mainEntryClickHouseStart(int argc, char ** argv);
@@ -125,15 +115,6 @@ std::pair<std::string_view, MainFunc> clickhouse_applications[] =
 #endif
 #if USE_NURAFT
     {"keeper-data-dumper", mainEntryClickHouseKeeperDataDumper},
-#endif
-#if ENABLE_CLICKHOUSE_SSL_SHIM
-    {"ssl-shim", mainEntryClickHouseSslShim},
-#endif
-#if ENABLE_CLICKHOUSE_SSL_HANDSHAKER
-    {"ssl-handshaker", mainEntryClickHouseSslHandshaker},
-#endif
-#if ENABLE_CLICKHOUSE_ACVP_SERVER
-    {"acvp-server", mainEntryClickHouseAcvpServer},
 #endif
     // install
     {"install", mainEntryClickHouseInstall},