SSL/ACVP Test Integration for FIPS

[DimensionWieldr]

Changelog category (leave one):

• Testing/Packaging Improvement

Changelog entry (a user-readable short description of the changes that goes to CHANGELOG.md):

• The AWS-LC SSL test runner can be run against the ClickHouse FIPS binary: ./runner_binary -shim-path .../build/programs/clickhouse-ssl-shim -handshaker-path .../build/programs/clickhouse-ssl-handshaker
• The AWS-LC ACVP tests can be run against the ClickHouse FIPS binary: go run check_expected.go -tool .../aws-lc/build/acvptool -module-wrappers "modulewrapper:/whereveryoubuiltCH/programs/clickhouse-acvp-server,testmodulewrapper:/aws-lc/build/testmodulewrapper" -tests tests.json
• The musl-based posix_spawn in the glibc-compat layer never applied file actions (close/dup2/open/chdir). The child process now runs the full file-actions list before exec, so split-handshake tests work when the shim spawns the handshaker.
• Added clickhouse-ssl-shim, clickhouse-ssl-handshaker, and clickhouse-acvp-server as modes of the main binary (same pattern as other tools). They wrap the unmodified AWS-LC shim/handshaker logic (or act as a module wrapper for ACVP) and are built only when FIPS_CLICKHOUSE=ON and AWSLC_SRC_DIR is set.

CI/CD Options

Exclude tests:

• Fast test
• Integration Tests
• Stateless tests
• Stateful tests
• Performance tests
• All with ASAN
• All with TSAN
• All with MSAN
• All with UBSAN
• All with Coverage
• All with Aarch64
• All Regression
• Disable CI Cache

Regression jobs to run:

• Fast suites (mostly <1h)
• Aggregate Functions (2h)
• Alter (1.5h)
• Benchmark (30m)
• ClickHouse Keeper (1h)
• Iceberg (2h)
• LDAP (1h)
• Parquet (1.5h)
• RBAC (1.5h)
• SSL Server (1h)
• S3 (2h)
• Tiered Storage (2h)

[zvonand]

Why do we have two identic glibc_compat.c files? Can it be moved into one place?

[vzakaznikov]

Quick review notes (actionable):

1. Build-guard mismatch can break linking

• programs/main.cpp registers ssl-shim / ssl-handshaker / acvp-server under #if defined(FIPS_CLICKHOUSE).
• But the corresponding targets are only created when FIPS_CLICKHOUSE AND DEFINED AWSLC_SRC_DIR (and Linux-only for handshaker/acvp).
• This can produce unresolved entrypoints in some valid config combos.
• Suggested fix: gate main.cpp declarations/registrations with the same conditions as target creation.

2. Global --allow-multiple-definition is broader than needed

• programs/CMakeLists.txt applies target_link_options(clickhouse ... --allow-multiple-definition) to the main binary whenever FIPS+AWSLC is enabled.
• This can mask unintended duplicate-symbol regressions outside the shim/handshaker scope.
• Suggested fix: constrain this to the smallest possible link boundary (or switch to a narrower symbol/target strategy).

The posix_spawn file-actions restoration itself looks necessary and directionally correct.

[vzakaznikov]

Follow-up finding on posix_spawn:

I checked upstream musl, and yes — the original full implementation includes the full file-actions path (addclose, adddup2, addopen, addchdir_np, addfchdir_np) plus additional safety logic.

For the split-handshake path in AWS-LC (which relies on posix_spawn_file_actions_addclose/adddup2 before posix_spawn), upstream musl behavior is a direct fit and should work for this PR’s intended use.

Useful upstream references:

• musl posix_spawn.c (full implementation): https://git.musl-libc.org/cgit/musl/tree/src/process/posix_spawn.c
• musl spawn.h (API/attrs/actions definitions): https://git.musl-libc.org/cgit/musl/tree/include/spawn.h

Notably, upstream also has robustness around file-actions potentially clobbering the internal error-reporting pipe fd during spawn.