Also support Clang compiler

Author: justsmth

.github/workflows/windows-alt.yml

@@ -13,6 +13,8 @@ permissions:
   contents: read
 
 jobs:
+  # MinGW GCC does not support FIPS because it lacks support for MSVC-specific
+  # pragmas (code_seg, data_seg, etc.) required for FIPS section placement.
   mingw:
     if: github.repository_owner == 'aws'
     runs-on: windows-latest
@@ -52,6 +54,13 @@ jobs:
   clang:
     if: github.repository_owner == 'aws'
     runs-on: windows-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        fips:
+          - 0
+          - 1
+    name: clang${{ matrix.fips == 1 && ' FIPS' || '' }}
     steps:
       - name: Install NASM
         uses: ilammy/setup-nasm@v1.5.1
@@ -73,6 +82,8 @@ jobs:
             CMAKE_SYSTEM_NAME=Windows \
             CMAKE_SYSTEM_PROCESSOR=x86_64 \
             CMAKE_BUILD_TYPE=Release \
+            BUILD_SHARED_LIBS=${{ matrix.fips }} \
+            FIPS=${{ matrix.fips }} \
       - name: Build Project
         run: cmake --build ./build --target all
       - name: Run tests
@@ -85,7 +96,14 @@ jobs:
         target:
           - x64
           - x64_arm64
+        fips:
+          - 0
+          - 1
+        exclude:
+          - target: x64_arm64
+            fips: 1
     runs-on: windows-latest
+    name: clang-cl-msbuild ${{ matrix.target }}${{ matrix.fips == 1 && ' FIPS' || '' }}
     env:
       CMAKE_GENERATOR: "Visual Studio 17 2022"
       CMAKE_GENERATOR_TOOLSET: "ClangCL,host=x64"
@@ -104,6 +122,8 @@ jobs:
         with:
           options: |
             CMAKE_BUILD_TYPE=Release \
+            BUILD_SHARED_LIBS=${{ matrix.fips }} \
+            FIPS=${{ matrix.fips }} \
       - if: ${{ matrix.target  == 'x64_arm64' }}
         name: Setup CMake
         uses: threeal/cmake-action@v1.3.0
@@ -113,6 +133,9 @@ jobs:
             CMAKE_SYSTEM_NAME=Windows \
             CMAKE_SYSTEM_PROCESSOR=ARM64 \
             CMAKE_BUILD_TYPE=Release \
+      - if: ${{ matrix.fips == 1 }}
+        name: Build FIPS module
+        run: cmake --build ./build --target fips_empty_main
       - name: Build Project
         run: cmake --build ./build --target all_tests
       - if: ${{ matrix.target  == 'x64' }}
@@ -126,7 +149,14 @@ jobs:
         target:
           - x64
           - x64_arm64
+        fips:
+          - 0
+          - 1
+        exclude:
+          - target: x64_arm64
+            fips: 1
     runs-on: windows-latest
+    name: clang-cl-ninja ${{ matrix.target }}${{ matrix.fips == 1 && ' FIPS' || '' }}
     steps:
       - if: ${{ matrix.target  == 'x64' }}
         name: Install NASM
@@ -147,6 +177,8 @@ jobs:
           cxx-compiler: clang-cl
           options: |
             CMAKE_BUILD_TYPE=Release \
+            BUILD_SHARED_LIBS=${{ matrix.fips }} \
+            FIPS=${{ matrix.fips }} \
       - if: ${{ matrix.target  == 'x64_arm64' }}
         name: Setup CMake
         uses: threeal/cmake-action@v1.3.0
@@ -193,7 +225,6 @@ jobs:
         run:
           ./tests/ci/run_cross_mingw_tests.sh x86_64 w64-mingw32 "-DCMAKE_BUILD_TYPE=Release"
   msys2:
-    name: msys2 ${{ matrix.sys }} - ${{ matrix.generator }}
     if: github.repository_owner == 'aws'
     runs-on: windows-latest
     strategy:
@@ -207,6 +238,15 @@ jobs:
           - 'Ninja'
           - 'MinGW Makefiles'
           - 'MSYS Makefiles'
+        fips:
+          - 0
+          # FIPS is excluded for all msys2 configurations. The MinGW toolchain
+          # (used by all msys2 environments including clang64) does not support
+          # PE grouped sections ($a/$b/$z ordering), __declspec(allocate()), or
+          # COFF .lib archives — all of which are required for FIPS section
+          # placement. FIPS on Windows requires the MSVC toolchain (link.exe or
+          # lld-link in MSVC mode).
+    name: msys2 ${{ matrix.sys }} - ${{ matrix.generator }}${{ matrix.fips == 1 && ' FIPS' || '' }}
     steps:
       - name: Install MSYS2
         uses: msys2/setup-msys2@v2

crypto/CMakeLists.txt

@@ -628,15 +628,15 @@ endfunction()
 if(FIPS_SHARED)
   # Rewrite libcrypto.so, libcrypto.dylib, or crypto.dll to inject the correct module
   # hash value. For now we support the FIPS build only on Linux, macOS, iOS, and Windows.
-  if(MSVC AND ARCH STREQUAL "aarch64")
-    # On ARM64 Windows, ASLR is mandatory and cannot be disabled. The linker
-    # resolves ADRP immediates differently when building two separate DLLs
-    # (precrypto.dll vs crypto.dll), even when the FIPS module code comes from
-    # the same bcm.lib. This makes the two-DLL capture_hash approach produce a
-    # hash mismatch. Instead we use a single-DLL approach: build crypto.dll
-    # once with a placeholder hash, run fips_empty_main.exe (which triggers the
-    # integrity check, computes the real hash, and prints it), then binary-patch
-    # the placeholder in crypto.dll with the captured hash.
+  if(WIN32)
+    # On Windows we use a single-DLL approach: build crypto.dll once with a
+    # placeholder hash, run fips_empty_main.exe (which triggers the integrity
+    # check, computes the real hash, and prints it), then binary-patch the
+    # placeholder in crypto.dll with the captured hash.
+    #
+    # This avoids building two separate DLLs (precrypto.dll vs crypto.dll)
+    # whose linker output might differ — as happens on ARM64 (mandatory ASLR
+    # causes ADRP immediate differences) and with Clang's lld-link.
     build_libcrypto(NAME crypto MODULE_SOURCE $<TARGET_OBJECTS:fipsmodule> SET_OUTPUT_NAME)
 
     add_executable(fips_empty_main fipsmodule/fips_empty_main.c)
@@ -651,34 +651,6 @@ if(FIPS_SHARED)
         -patch-dll $<TARGET_FILE:crypto>
       WORKING_DIRECTORY ${AWSLC_SOURCE_DIR}
     )
-  elseif(MSVC)
-    # On x64 Windows we use capture_hash.go to capture the computed integrity
-    # value that the module prints on its first (failing) run, then embed that
-    # value in generated_fips_shared_support.c for the final crypto.dll.
-    # See FIPS.md for a full explanation of the process.
-    build_libcrypto(NAME precrypto MODULE_SOURCE $<TARGET_OBJECTS:fipsmodule>)
-    add_executable(fips_empty_main fipsmodule/fips_empty_main.c)
-    target_link_libraries(fips_empty_main PUBLIC precrypto)
-    target_add_awslc_include_paths(TARGET fips_empty_main SCOPE PRIVATE)
-    add_custom_command(OUTPUT generated_fips_shared_support.c
-            COMMAND ${GO_EXECUTABLE} run
-            ${AWSLC_SOURCE_DIR}/util/fipstools/capture_hash/capture_hash.go
-            -in-executable $<TARGET_FILE:fips_empty_main> > ${CMAKE_CURRENT_BINARY_DIR}/generated_fips_shared_support.c
-            WORKING_DIRECTORY ${AWSLC_SOURCE_DIR}
-            DEPENDS fips_empty_main ${AWSLC_SOURCE_DIR}/util/fipstools/capture_hash/capture_hash.go
-            )
-    add_library(
-      generated_fipsmodule
-
-      OBJECT
-
-      generated_fips_shared_support.c
-      ${AWSLC_SOURCE_DIR}/crypto/fipsmodule/cpucap/cpucap.c
-    )
-    target_compile_definitions(generated_fipsmodule PRIVATE BORINGSSL_IMPLEMENTATION S2N_BN_HIDE_SYMBOLS)
-    target_add_awslc_include_paths(TARGET generated_fipsmodule SCOPE PRIVATE)
-
-    build_libcrypto(NAME crypto MODULE_SOURCE $<TARGET_OBJECTS:generated_fipsmodule> SET_OUTPUT_NAME)
   else()
     # On Apple and Linux platforms inject_hash.go can parse libcrypto and inject
     # the hash directly into the final library.

crypto/fipsmodule/CMakeLists.txt

@@ -634,7 +634,33 @@ elseif(FIPS_SHARED)
       DEPENDS  fips_msvc_start.obj fips_msvc_end.obj bcm_library
       WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
     )
+  elseif(WIN32 AND CMAKE_C_COMPILER_ID MATCHES "Clang")
+    # Windows with Clang (not clang-cl): use llvm-lib to combine object files
+    # into a static library. Similar to the MSVC case, we use start/end markers
+    # to control symbol placement in the FIPS grouped sections.
+    set(BCM_NAME bcm.lib)
+    get_filename_component(COMPILER_DIR "${CMAKE_C_COMPILER}" DIRECTORY)
+    find_program(LIB_TOOL "llvm-lib" "llvm-lib.exe" HINTS "${COMPILER_DIR}" REQUIRED)
+
+    add_custom_command(
+      OUTPUT fips_windows_start.obj
+      COMMAND ${CMAKE_C_COMPILER} -c -DAWSLC_FIPS_SHARED_START -o fips_windows_start.obj ${CMAKE_CURRENT_SOURCE_DIR}/fips_shared_library_marker.c
+      DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/fips_shared_library_marker.c
+    )
+    add_custom_command(
+      OUTPUT fips_windows_end.obj
+      COMMAND ${CMAKE_C_COMPILER} -c -DAWSLC_FIPS_SHARED_END -o fips_windows_end.obj ${CMAKE_CURRENT_SOURCE_DIR}/fips_shared_library_marker.c
+      DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/fips_shared_library_marker.c
+    )
+
+    add_custom_command(
+      OUTPUT ${BCM_NAME}
+      COMMAND ${LIB_TOOL} /nologo fips_windows_start.obj "\"$<JOIN:$<TARGET_OBJECTS:bcm_library>,\" \">\"" fips_windows_end.obj /OUT:${BCM_NAME}
+      DEPENDS bcm_library fips_windows_start.obj fips_windows_end.obj
+      WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
+    )
   else()
+    # Linux/Unix: use ld -r with a linker script to create a relocatable object file.
     set(BCM_NAME bcm.o)
     # fips_shared.lds does not have 'clang' prefix because we want to keep merging any changes from upstream.
     set(FIPS_CUSTOM_LINKER_SCRIPT "${CMAKE_CURRENT_SOURCE_DIR}/fips_shared.lds")

crypto/fipsmodule/bcm.c

@@ -26,8 +26,9 @@
 
 // On Windows place the bcm code in a specific section that uses Grouped Sections
 // to control the order. $b section will place bcm in between the start/end markers
-// which are in $a and $z.
-#if defined(BORINGSSL_FIPS) && defined(OPENSSL_WINDOWS)
+// which are in $a and $z. These pragmas are supported by MSVC and Clang on Windows,
+// but not by MinGW GCC.
+#if defined(BORINGSSL_FIPS) && (defined(_MSC_VER) || (defined(__clang__) && defined(_WIN32)))
 #pragma code_seg(".fipstx$b")
 #pragma data_seg(".fipsda$b")
 #pragma const_seg(".fipsco$b")
@@ -264,7 +265,7 @@ WEAK_SYMBOL_FUNC(void, AWS_LC_fips_failure_callback, (const char* message))
 #endif
 #endif
 
-#if defined(_MSC_VER)
+#if defined(_MSC_VER) || (defined(__clang__) && defined(_WIN32))
 #pragma section(".CRT$XCU", read)
 static void BORINGSSL_bcm_power_on_self_test(void);
 __declspec(allocate(".CRT$XCU")) void(*fips_library_init_constructor)(void) =

crypto/fipsmodule/fips_shared_library_marker.c

@@ -18,7 +18,7 @@
 #include <stdint.h>
 
 #if defined(AWSLC_FIPS_SHARED_START)
-#if defined(_MSC_VER)
+#if defined(_MSC_VER) || (defined(__clang__) && defined(_WIN32))
 #pragma code_seg(".fipstx$a")
 #pragma data_seg(".fipsda$a")
 #pragma const_seg(".fipsco$a")
@@ -34,14 +34,14 @@
 const uint8_t *BORINGSSL_bcm_text_start(void) {
   return NULL;
 }
-#if defined(_MSC_VER)
+#if defined(_MSC_VER) || (defined(__clang__) && defined(_WIN32))
 __declspec(allocate(".fipsco$a"))
 #endif
 const uint8_t BORINGSSL_bcm_rodata_start[16] =
               {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15};
 
 #elif defined(AWSLC_FIPS_SHARED_END)
-#if defined(_MSC_VER)
+#if defined(_MSC_VER) || (defined(__clang__) && defined(_WIN32))
 #pragma code_seg(".fipstx$z")
 #pragma data_seg(".fipsda$z")
 #pragma const_seg(".fipsco$z")
@@ -57,7 +57,7 @@ const uint8_t BORINGSSL_bcm_rodata_start[16] =
 const uint8_t *BORINGSSL_bcm_text_end(void){
   return NULL;
 }
-#if defined(_MSC_VER)
+#if defined(_MSC_VER) || (defined(__clang__) && defined(_WIN32))
 __declspec(allocate(".fipsco$z"))
 #endif
 const uint8_t BORINGSSL_bcm_rodata_end[16] =

crypto/fipsmodule/fips_shared_support.c

@@ -19,7 +19,7 @@
 // boundary (.fipsco). If it were placed inside the FIPS rodata boundary, the
 // integrity check would hash the expected value itself, creating a circular
 // dependency that can never be satisfied.
-#if defined(_MSC_VER)
+#if defined(_MSC_VER) || (defined(__clang__) && defined(_WIN32))
 #pragma const_seg()
 #endif
 

crypto/fipsmodule/rand/entropy/tree_drbg_jitter_entropy.c

@@ -328,7 +328,7 @@ int tree_jitter_initialize(struct entropy_source_t *entropy_source) {
   return 1;
 }
 
-#if defined(_MSC_VER)
+#if defined(_MSC_VER) || (defined(__clang__) && defined(_WIN32))
 #pragma section(".CRT$XCU", read)
 static void tree_jitter_free_global_drbg(void);
 static void windows_install_tree_jitter_free_global_drbg(void) {

crypto/internal.h

@@ -1297,7 +1297,7 @@ static inline uint64_t CRYPTO_subc_u64(uint64_t x, uint64_t y, uint64_t borrow,
 #if defined(AWSLC_FIPS_FAILURE_CALLBACK)
 void AWS_LC_FIPS_failure(const char* message);
 #else
-#if defined(_MSC_VER)
+#if defined(_MSC_VER) || (defined(__clang__) && defined(_WIN32))
 __declspec(noreturn) void AWS_LC_FIPS_failure(const char* message);
 #else
 void AWS_LC_FIPS_failure(const char* message) __attribute__((noreturn));

util/fipstools/acvp/modulewrapper/main.cc

@@ -16,7 +16,7 @@
 #include <iostream>
 #include <string>
 
-#if defined(_MSC_VER)
+#if defined(_MSC_VER) || (defined(__clang__) && defined(_WIN32))
 #include <fcntl.h>
 #include <io.h>
 #include <stdio.h>
@@ -66,7 +66,7 @@ int main(int argc, char **argv) {
     return 4;
   }
 
-#if defined(_MSC_VER)
+#if defined(_MSC_VER) || (defined(__clang__) && defined(_WIN32))
   if (_setmode(_fileno(stdin), _O_BINARY) < 0 ||
       _setmode(_fileno(stdout), _O_BINARY) < 0) {
     fprintf(stderr, "Setting binary mode to stdin/stdout failed.\n");