From 4e43e80408e25ff4b10f2a78b77783593ea15766 Mon Sep 17 00:00:00 2001
From: Mikhail Koviazin
Date: Thu, 26 Feb 2026 13:49:09 +0100
Subject: [PATCH 1/2] try to build AWS-LC FIPS on aarch64
---
 contrib/openssl-cmake/CMakeLists.txt | 10 ++++++--
 contrib/openssl-cmake/Dockerfile.aarch64 | 32 ++++++++++++++++++++++++
 2 files changed, 40 insertions(+), 2 deletions(-)
 create mode 100644 contrib/openssl-cmake/Dockerfile.aarch64
diff --git a/contrib/openssl-cmake/CMakeLists.txt b/contrib/openssl-cmake/CMakeLists.txt
index 4468ab658ea7..c13a25db7c55 100644
--- a/contrib/openssl-cmake/CMakeLists.txt
+++ b/contrib/openssl-cmake/CMakeLists.txt
@@ -80,19 +80,25 @@ add_custom_target(build-awslc DEPENDS ${AWSLC_BINARIES_DIR}/libssl.a ${AWSLC_BINARIES_DIR}/libcrypto.a )
+if(ARCH_AARCH64)
+ set(DOCKERFILE_PATH ${CMAKE_CURRENT_SOURCE_DIR}/Dockerfile.aarch64)
+else()
+ set(DOCKERFILE_PATH ${CMAKE_CURRENT_SOURCE_DIR}/Dockerfile)
+endif()
+
 add_custom_command( OUTPUT "${AWSLC_BUILD_DIR}/output/libssl.a" "${AWSLC_BUILD_DIR}/output/libcrypto.a" COMMENT "Building AWS-LC in FIPS mode using Docker" COMMAND bash -c "chmod +x ${AWSLC_BUILD_DIR}/build_awclc_fips.sh"
- COMMAND bash -c "${AWSLC_BUILD_DIR}/build_awclc_fips.sh ${AWSLC_BINARIES_DIR} ${CMAKE_CURRENT_SOURCE_DIR}/Dockerfile"
+ COMMAND bash -c "${AWSLC_BUILD_DIR}/build_awclc_fips.sh ${AWSLC_BINARIES_DIR} ${DOCKERFILE_PATH}"
 WORKING_DIRECTORY ${AWSLC_BUILD_DIR} USES_TERMINAL # To stream output
 DEPENDS ${AWSLC_BUILD_DIR}/build_awclc_fips.sh ${AWSLC_BUILD_DIR}/check_version.c
- ${CMAKE_CURRENT_SOURCE_DIR}/Dockerfile
+ ${DOCKERFILE_PATH}
 )
 add_library(crypto UNKNOWN IMPORTED GLOBAL)
diff --git a/contrib/openssl-cmake/Dockerfile.aarch64 b/contrib/openssl-cmake/Dockerfile.aarch64
new file mode 100644
index 000000000000..818e8e4d82a6
--- /dev/null
+++ b/contrib/openssl-cmake/Dockerfile.aarch64
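Review bot: The new `COMMAND bash -c "... ${DOCKERFILE_PATH}"` line in `add_custom_command` splices three CMake paths into one string that bash then re-parses, so a source or build directory containing a space or a shell metacharacter changes what the FIPS build script is actually called with. The preceding command already makes the script executable, so it can be run directly with each path as its own quoted argument, `COMMAND "${AWSLC_BUILD_DIR}/build_awclc_fips.sh" "${AWSLC_BINARIES_DIR}" "${DOCKERFILE_PATH}"`, with `VERBATIM` added to the call. Separately, the `else()` branch sends every non-aarch64 target to the default `Dockerfile`; that file is not shown here, but if it is x86_64-specific, other architectures would silently pick it up instead of failing at configure time. The unprefixed directory-scope name `DOCKERFILE_PATH` would also be safer as something like `AWSLC_DOCKERFILE_PATH`.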
@@ -0,0 +1,32 @@
+FROM --platform=linux/aarch64 ubuntu:22.04
+
+
+RUN apt-get update && \
+ apt-get install -y \
+ build-essential \
+ cmake \
+ golang \
+ unzip
+
+ADD --checksum=sha256:6241ec2f13a5f80224ee9cd8592ed66a97d426481066feaa4efc6f24e60bbc96 \
+ https://github.com/aws/aws-lc/archive/refs/tags/AWS-LC-FIPS-2.0.0.zip .
+
+RUN unzip -q AWS-LC-FIPS-2.0.0.zip -d .
+
+RUN cd /aws-lc-AWS-LC-FIPS-2.0.0 \
+ && mkdir -p ./build \
+ && cd ./build \
+ && cmake -DFIPS=1 -DGO_EXECUTABLE=`which go` .. \
+ && make
+
+# Check that version is reported correctly
+COPY check_version.c /tmp/check_version.c
+RUN cd /aws-lc-AWS-LC-FIPS-2.0.0/build \
+ && gcc /tmp/check_version.c -o ./check_version -L./ssl -l:libssl.a -L./crypto -l:libcrypto.a \
+ && ./check_version 'AWS-LC FIPS 2.0.0'
+
+#check is in FIPS mode
+RUN test $(/aws-lc-AWS-LC-FIPS-2.0.0/build/tool/bssl isfips) = 1
+
+# execute all test
+RUN find /aws-lc-AWS-LC-FIPS-2.0.0/build -iname '*test*' -type f -executable -print -exec {} \;
From 9e84d4f272617dc85980d00b49e8ec3c3b0f798e Mon Sep 17 00:00:00 2001
From: Mikhail Koviazin
Date: Thu, 26 Feb 2026 14:56:47 +0100
Subject: [PATCH 2/2] libssh: disable HAVE_OPENSSL_CRYPTO_CTR128_ENCRYPT for aarch64 as well
---
 contrib/libssh-cmake/linux/aarch64/config.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/contrib/libssh-cmake/linux/aarch64/config.h b/contrib/libssh-cmake/linux/aarch64/config.h
index e65ccb8ba3e6..3299f5d1afb8 100644
--- a/contrib/libssh-cmake/linux/aarch64/config.h
+++ b/contrib/libssh-cmake/linux/aarch64/config.h
@@ -118,7 +118,7 @@
 #define HAVE_OPENSSL_CRYPTO_THREADID_SET_CALLBACK 1
 /* Define to 1 if you have the `CRYPTO_ctr128_encrypt' function. */
-#define HAVE_OPENSSL_CRYPTO_CTR128_ENCRYPT 1
+#undef HAVE_OPENSSL_CRYPTO_CTR128_ENCRYPT
 /* Define to 1 if you have the `EVP_CIPHER_CTX_new' function. */
 #define HAVE_OPENSSL_EVP_CIPHER_CTX_NEW 1
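Review bot: The final `RUN find ... -exec {} \;` step cannot fail the image build when a test fails, because with the `\;` form find uses the command's exit status only as a predicate and still exits 0. A failing AWS-LC test binary would therefore go unnoticed and the libraries would still be copied out. Letting find propagate the failure fixes this, for example `RUN find /aws-lc-AWS-LC-FIPS-2.0.0/build -iname '*test*' -type f -executable -exec sh -c 'for t; do echo "$t"; "$t" || exit 1; done' sh {} +`. The source archive is pinned by `--checksum`, but the toolchain that compiles the module is not: `ubuntu:22.04` is a mutable tag and the apt packages are unversioned, so pinning the base image as `ubuntu:22.04@sha256:<digest>` would make the build reproducible.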
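Review bot: The new `#undef HAVE_OPENSSL_CRYPTO_CTR128_ENCRYPT` sits under a comment that still reads "Define to 1 if you have the `CRYPTO_ctr128_encrypt' function", so nothing in the file records that the macro is switched off on purpose. The header looks generated, so a later regeneration could quietly turn it back on. A short comment above the line, such as `/* Intentionally undefined, see <PR or issue reference>: <reason> */`, would preserve the intent. The change also applies to every aarch64 build that uses this header, not only the FIPS configuration the first patch targets; if libssh selects its AES-CTR code path on this macro, it is worth confirming that the fallback is the intended one for non-FIPS builds as well.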