Fix x64

Author: justsmth

crypto/CMakeLists.txt

@@ -629,13 +629,14 @@ endfunction()
 if(FIPS_SHARED)
   # Rewrite libcrypto.so, libcrypto.dylib, or crypto.dll to inject the correct module
   # hash value. For now we support the FIPS build only on Linux, macOS, iOS, and Windows.
-  if(MSVC)
-    # On Windows, inject_hash.go parses the PE DLL to find the .fipstx and
-    # .fipsco sections, computes the integrity hash, and replaces the
-    # placeholder value directly in the DLL file.  This single-DLL approach
-    # avoids the hash mismatch that occurs with the two-DLL capture_hash
-    # method on ARM64 where mandatory ASLR causes the linker to resolve
-    # COFF relocations to different addresses in precrypto.dll vs crypto.dll.
+  if(MSVC AND ARCH STREQUAL "aarch64")
+    # On ARM64 Windows, ASLR is mandatory and cannot be disabled.  The linker
+    # resolves COFF relocations to different addresses when building two
+    # separate DLLs (precrypto.dll vs crypto.dll), so the two-DLL
+    # capture_hash approach produces a hash mismatch.  Instead we use
+    # inject_hash.go which parses the single crypto.dll PE file, finds the
+    # .fipstx and .fipsco sections, computes the integrity hash from the
+    # on-disk content, and replaces the placeholder value directly in the file.
     build_libcrypto(NAME crypto MODULE_SOURCE $<TARGET_OBJECTS:fipsmodule> SET_OUTPUT_NAME)
 
     add_custom_command(
@@ -645,6 +646,34 @@ if(FIPS_SHARED)
       -o $<TARGET_FILE:crypto> -in-object $<TARGET_FILE:crypto>
       WORKING_DIRECTORY ${AWSLC_SOURCE_DIR}
     )
+  elseif(MSVC)
+    # On x64 Windows we use capture_hash.go to capture the computed integrity
+    # value that the module prints on its first (failing) run, then embed that
+    # value in generated_fips_shared_support.c for the final crypto.dll.
+    # See FIPS.md for a full explanation of the process.
+    build_libcrypto(NAME precrypto MODULE_SOURCE $<TARGET_OBJECTS:fipsmodule>)
+    add_executable(fips_empty_main fipsmodule/fips_empty_main.c)
+    target_link_libraries(fips_empty_main PUBLIC precrypto)
+    target_add_awslc_include_paths(TARGET fips_empty_main SCOPE PRIVATE)
+    add_custom_command(OUTPUT generated_fips_shared_support.c
+            COMMAND ${GO_EXECUTABLE} run
+            ${AWSLC_SOURCE_DIR}/util/fipstools/capture_hash/capture_hash.go
+            -in-executable $<TARGET_FILE:fips_empty_main> > generated_fips_shared_support.c
+            WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
+            DEPENDS fips_empty_main ${AWSLC_SOURCE_DIR}/util/fipstools/capture_hash/capture_hash.go
+            )
+    add_library(
+      generated_fipsmodule
+
+      OBJECT
+
+      generated_fips_shared_support.c
+      ${AWSLC_SOURCE_DIR}/crypto/fipsmodule/cpucap/cpucap.c
+    )
+    target_compile_definitions(generated_fipsmodule PRIVATE BORINGSSL_IMPLEMENTATION S2N_BN_HIDE_SYMBOLS)
+    target_add_awslc_include_paths(TARGET generated_fipsmodule SCOPE PRIVATE)
+
+    build_libcrypto(NAME crypto MODULE_SOURCE $<TARGET_OBJECTS:generated_fipsmodule> SET_OUTPUT_NAME)
   else()
     # On Apple and Linux platforms inject_hash.go can parse libcrypto and inject
     # the hash directly into the final library.