SSL/ACVP Test Integration for FIPS#1503

Open
DimensionWieldr wants to merge 5 commits into Altinity:releases/25.3.8-fips from DimensionWieldr:releases/25.3.8-fips-ssl

DimensionWieldr commented Mar 10, 2026

Changelog category (leave one):

  • Testing/Packaging Improvement

Changelog entry (a user-readable short description of the changes that goes to CHANGELOG.md):

  • The AWS-LC SSL test runner can be run against the ClickHouse FIPS binary: ./runner_binary -shim-path .../build/programs/clickhouse-ssl-shim -handshaker-path .../build/programs/clickhouse-ssl-handshaker
  • The AWS-LC ACVP tests can be run against the ClickHouse FIPS binary: go run check_expected.go -tool .../aws-lc/build/acvptool -module-wrappers "modulewrapper:/whereveryoubuiltCH/programs/clickhouse-acvp-server,testmodulewrapper:/aws-lc/build/testmodulewrapper" -tests tests.json
  • The musl-based posix_spawn in the glibc-compat layer never applied file actions (close/dup2/open/chdir). The child process now runs the full file-actions list before exec, so split-handshake tests work when the shim spawns the handshaker.
  • Added clickhouse-ssl-shim, clickhouse-ssl-handshaker, and clickhouse-acvp-server as modes of the main binary (same pattern as other tools). They wrap the unmodified AWS-LC shim/handshaker logic (or act as a module wrapper for ACVP) and are built only when FIPS_CLICKHOUSE=ON and AWSLC_SRC_DIR is set.

CI/CD Options

Exclude tests:

  • Fast test
  • Integration Tests
  • Stateless tests
  • Stateful tests
  • Performance tests
  • All with ASAN
  • All with TSAN
  • All with MSAN
  • All with UBSAN
  • All with Coverage
  • All with Aarch64
  • All Regression
  • Disable CI Cache

Regression jobs to run:

  • Fast suites (mostly <1h)
  • Aggregate Functions (2h)
  • Alter (1.5h)
  • Benchmark (30m)
  • ClickHouse Keeper (1h)
  • Iceberg (2h)
  • LDAP (1h)
  • Parquet (1.5h)
  • RBAC (1.5h)
  • SSL Server (1h)
  • S3 (2h)
  • Tiered Storage (2h)
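
Added example (not part of this pull request or of the ClickHouse or AWS-LC sources): a minimal regression check for the `posix_spawn` file-actions behaviour the changelog entry describes. The helper name `check_spawn_file_actions`, the use of `/bin/sh` and `/dev/null`, and the choice of fd 9 are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <spawn.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Hypothetical helper: 0 if the child saw the fd layout requested via file
 * actions, -1 otherwise. Assumes /bin/sh and /dev/null exist. */
int check_spawn_file_actions(void)
{
    int p[2], status = 0;
    posix_spawn_file_actions_t fa;
    if (pipe(p) != 0 || posix_spawn_file_actions_init(&fa) != 0)
        return -1;
    /* Applied in order in the child, before exec. */
    int bad = posix_spawn_file_actions_addclose(&fa, p[0])
           || posix_spawn_file_actions_adddup2(&fa, p[1], STDOUT_FILENO)
           || posix_spawn_file_actions_addclose(&fa, p[1])
           || posix_spawn_file_actions_addopen(&fa, 9, "/dev/null", O_RDONLY, 0);
    /* ": <&9" fails unless the open action ran; printf reaches the pipe
     * only if the dup2 action ran. */
    char *argv[] = { "sh", "-c", ": <&9 && printf spawned-ok", NULL };
    pid_t pid = -1;
    if (!bad)
        bad = posix_spawn(&pid, "/bin/sh", &fa, NULL, argv, environ);
    posix_spawn_file_actions_destroy(&fa);
    close(p[1]);               /* parent keeps only the read end */
    char buf[32] = { 0 };
    size_t got = 0;
    ssize_t n;
    while (!bad && got < sizeof buf - 1 &&
           (n = read(p[0], buf + got, sizeof buf - 1 - got)) > 0)
        got += (size_t)n;
    close(p[0]);
    if (bad || waitpid(pid, &status, 0) != pid)
        return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0 &&
           strcmp(buf, "spawned-ok") == 0 ? 0 : -1;
}

/* Exit status 0 means the file actions were applied. */
int main(void) { return check_spawn_file_actions() == 0 ? 0 : 1; }
```

A `posix_spawn` that skips the file-actions list leaves the pipe empty and fd 9 closed in the child, so the helper returns -1.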

Made-with: Cursor
Signed-off-by: Julian Huang <jhuang@altinity.com>
Signed-off-by: Julian Huang <jhuang@altinity.com>
DimensionWieldr force-pushed the releases/25.3.8-fips-ssl branch from b1703f1 to f4233e2 on March 10, 2026 21:08

zvonand left a comment

Why do we have two identical glibc_compat.c files? Can it be moved into one place?

…ndshaker

Move the identical glibc_compat.c files from ssl-shim/ and ssl-handshaker/
into a shared programs/ssl-common/ directory. Also add the gtest include
path required by test_util.cc to both CMakeLists.

Signed-off-by: Julian Huang <jhuang@altinity.com>
The FIPS 2.0.0 shim sources do not include any gtest headers,
so this include path is not needed.

Signed-off-by: Julian Huang <jhuang@altinity.com>
DimensionWieldr force-pushed the releases/25.3.8-fips-ssl branch from 7e737fe to 4e4f1cf on March 11, 2026 00:27
svb-alt added the fips and fips-25.3 labels Mar 11, 2026
Signed-off-by: Julian Huang <jhuang@altinity.com>
DimensionWieldr changed the title from "SSL Test Integration for FIPS" to "SSL/ACVP Test Integration for FIPS" Mar 11, 2026