Universal bindings

Author: justsmth

aws-lc-rs/Cargo.toml

@@ -47,7 +47,7 @@ fips = ["dep:aws-lc-fips-sys"]
 
 [dependencies]
 untrusted = { workspace = true, optional = true }
-aws-lc-sys = { version = "0.32.0", path = "../aws-lc-sys", optional = true }
+aws-lc-sys = { version = "0.32.0", path = "../aws-lc-sys", default-features = false, optional = true }
 aws-lc-fips-sys = { version = "0.13.1", path = "../aws-lc-fips-sys", optional = true }
 zeroize.workspace = true
 

aws-lc-sys/.cargo/config.toml

@@ -0,0 +1,2 @@
+[profile.dev.build-override]
+debug = true

aws-lc-sys/Cargo.toml

@@ -60,9 +60,11 @@ build = "builder/main.rs"
 
 [features]
 asan = []
-ssl = ['bindgen']
+ssl = ['bindgen', 'all-bindings']
 bindgen = ["dep:bindgen"] # Generate the bindings on the targeted platform as a fallback mechanism.
 prebuilt-nasm = []
+all-bindings = []
+default = ['all-bindings']
 
 [build-dependencies]
 cmake.workspace = true

aws-lc-sys/builder/main.rs

@@ -283,11 +283,20 @@ fn prefix_string() -> String {
     format!("aws_lc_{}", VERSION.to_string().replace('.', "_"))
 }
 
-#[cfg(feature = "bindgen")]
+#[cfg(all(feature = "bindgen", feature = "all-bindings"))]
 fn target_platform_prefix(name: &str) -> String {
     format!("{}_{}", effective_target().replace('-', "_"), name)
 }
 
+#[cfg(all(feature = "bindgen", not(feature = "all-bindings")))]
+fn target_platform_prefix(name: &str) -> String {
+    if target_vendor() == "apple" {
+        format!("universal_apple_{}", name.replace('-', "-"))
+    } else {
+        format!("universal_{}", name.replace('-', "-"))
+    }
+}
+
 pub(crate) struct TestCommandResult {
     #[allow(dead_code)]
     stderr: Box<str>,
@@ -355,11 +364,12 @@ fn generate_src_bindings(manifest_dir: &Path, prefix: &Option<String>, src_bindi
 
 fn emit_rustc_cfg(cfg: &str) {
     let cfg = cfg.replace('-', "_");
+    emit_warning(format!("Emitting configuration: cargo:rustc-cfg={cfg}"));
     println!("cargo:rustc-cfg={cfg}");
 }
 
-fn emit_warning(message: &str) {
-    println!("cargo:warning={message}");
+fn emit_warning<T: AsRef<str>>(message: T) {
+    println!("cargo:warning={}", message.as_ref());
 }
 
 #[allow(dead_code)]
@@ -527,25 +537,39 @@ fn initialize() {
     if !is_external_bindgen_requested().unwrap_or(false)
         && (is_pregenerating_bindings() || !has_bindgen_feature())
     {
-        let target = effective_target();
-        let supported_platform = match target.as_str() {
-            "aarch64-apple-darwin"
-            | "aarch64-linux-android"
-            | "aarch64-pc-windows-msvc"
-            | "aarch64-unknown-linux-gnu"
-            | "aarch64-unknown-linux-musl"
-            | "i686-pc-windows-msvc"
-            | "i686-unknown-linux-gnu"
-            | "riscv64gc-unknown-linux-gnu"
-            | "x86_64-apple-darwin"
-            | "x86_64-pc-windows-gnu"
-            | "x86_64-pc-windows-msvc"
-            | "x86_64-unknown-linux-gnu"
-            | "x86_64-unknown-linux-musl" => Some(target),
-            _ => None,
-        };
-        if let Some(platform) = supported_platform {
-            emit_rustc_cfg(platform.as_str());
+        #[cfg(feature = "all-bindings")]
+        {
+            let target = effective_target();
+            let supported_platform = match target.as_str() {
+                "aarch64-apple-darwin"
+                | "aarch64-linux-android"
+                | "aarch64-pc-windows-msvc"
+                | "aarch64-unknown-linux-gnu"
+                | "aarch64-unknown-linux-musl"
+                | "i686-pc-windows-msvc"
+                | "i686-unknown-linux-gnu"
+                | "riscv64gc-unknown-linux-gnu"
+                | "x86_64-apple-darwin"
+                | "x86_64-pc-windows-gnu"
+                | "x86_64-pc-windows-msvc"
+                | "x86_64-unknown-linux-gnu"
+                | "x86_64-unknown-linux-musl" => Some(target),
+                _ => None,
+            };
+            if let Some(platform) = supported_platform {
+                emit_rustc_cfg(platform.as_str());
+                unsafe {
+                    PREGENERATED = true;
+                }
+            }
+        }
+        #[cfg(not(feature = "all-bindings"))]
+        {
+            if target_vendor() == "apple" {
+                emit_rustc_cfg("universal-apple");
+            } else {
+                emit_rustc_cfg("universal");
+            }
             unsafe {
                 PREGENERATED = true;
             }
@@ -712,6 +736,9 @@ fn main() {
                 .join("src")
                 .join(format!("{}.rs", target_platform_prefix("crypto")));
             if is_external_bindgen_requested().unwrap_or(false) {
+                if is_pregenerating_bindings() {
+                    panic!("Pregenrated bindings not supported using external bindgen.")
+                }
                 invoke_external_bindgen(&manifest_dir, &prefix, &src_bindings_path).unwrap();
             } else {
                 generate_src_bindings(&manifest_dir, &prefix, &src_bindings_path);

aws-lc-sys/builder/sys_bindgen.rs

@@ -1,7 +1,7 @@
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0 OR ISC
 
-use crate::{get_rust_include_path, BindingOptions, COPYRIGHT, PRELUDE};
+use crate::{emit_warning, get_rust_include_path, BindingOptions, COPYRIGHT, PRELUDE};
 use bindgen::callbacks::{ItemInfo, ParseCallbacks};
 use std::fmt::Debug;
 use std::path::Path;
@@ -31,6 +31,48 @@ impl ParseCallbacks for StripPrefixCallback {
     }
 }
 
+const ALLOWED_HEADERS: [&str; 29] = [
+    "aes.h",
+    "aead.h",
+    "base.h",
+    "bn.h",
+    "boringssl_prefix_symbols.h",
+    "boringssl_prefix_symbols_asm.h",
+    "boringssl_prefix_symbols_nasm.inc",
+    "bytestring.h",
+    "chacha.h",
+    "cipher.h",
+    "crypto.h",
+    "curve25519.h",
+    "digest.h",
+    "ec.h",
+    "ec_key.h",
+    "ecdh.h",
+    "ecdsa.h",
+    "err.h",
+    "evp.h",
+    "hkdf.h",
+    "hmac.h",
+    "is_awslc.h",
+    "kdf.h",
+    "mem.h",
+    "nid.h",
+    "poly1305.h",
+    "rand.h",
+    "rsa.h",
+    "sha.h",
+];
+
+const BLOCKED_FUNCTIONS: [&str; 5] = [
+    "BN_print_fp",
+    "CBS_parse_generalized_time",
+    "CBS_parse_utc_time",
+    "ERR_print_errors_fp",
+    "RSA_print_fp",
+];
+
+const BLOCKED_TYPES: [&str; 4] = ["FILE", "fpos_t", "tm", "__sFILE"];
+
 fn prepare_bindings_builder(manifest_dir: &Path, options: &BindingOptions) -> bindgen::Builder {
     let clang_args = crate::prepare_clang_args(manifest_dir, options);
 
@@ -39,7 +81,6 @@ fn prepare_bindings_builder(manifest_dir: &Path, options: &BindingOptions) -> bi
         .derive_debug(true)
         .derive_default(true)
         .derive_eq(true)
-        .allowlist_file(r".*(/|\\)openssl((/|\\)[^/\\]+)+\.h")
         .allowlist_file(r".*(/|\\)rust_wrapper\.h")
         .rustified_enum(r"point_conversion_form_t")
         .rust_target(bindgen::RustTarget::stable(70, 0).unwrap())
@@ -59,6 +100,23 @@ fn prepare_bindings_builder(manifest_dir: &Path, options: &BindingOptions) -> bi
                 .to_string(),
         );
 
+    if cfg!(feature = "all-bindings") {
+        builder = builder.allowlist_file(r".*(/|\\)openssl((/|\\)[^/\\]+)+\.h");
+    } else {
+        for header in ALLOWED_HEADERS {
+            emit_warning(format!("Allowed header: {header}").as_str());
+            builder = builder.allowlist_file(format!("{}{}", r".*(/|\\)openssl(/|\\)", header));
+        }
+        for function in BLOCKED_FUNCTIONS {
+            emit_warning(format!("Blocked function: {function}").as_str());
+            builder = builder.blocklist_function(function);
+        }
+        for tipe in BLOCKED_TYPES {
+            emit_warning(format!("Opaque type: {tipe}").as_str());
+            builder = builder.blocklist_type(tipe);
+        }
+    }
+
     if !options.disable_prelude {
         builder = builder.raw_line(PRELUDE);
     }

aws-lc-sys/src/lib.rs

@@ -4,8 +4,6 @@
 #![cfg_attr(not(clippy), allow(unexpected_cfgs))]
 #![cfg_attr(not(clippy), allow(unknown_lints))]
 
-use std::os::raw::{c_char, c_long, c_void};
-
 #[allow(unused_macros)]
 macro_rules! use_bindings {
     ($bindings:ident) => {
@@ -15,79 +13,34 @@ macro_rules! use_bindings {
 }
 
 macro_rules! platform_binding {
-    ($platform:ident, $platform_crypto:ident, $platform_ssl:ident) => {
+    ($platform:ident, $platform_crypto:ident) => {
         #[cfg(all($platform, not(feature = "ssl"), not(use_bindgen_generated)))]
         use_bindings!($platform_crypto);
-        #[cfg(all($platform, feature = "ssl", not(use_bindgen_generated)))]
-        use_bindings!($platform_ssl);
     };
 }
 
-platform_binding!(
-    aarch64_linux_android,
-    aarch64_linux_android_crypto,
-    aarch64_linux_android_crypto_ssl
-);
-platform_binding!(
-    aarch64_apple_darwin,
-    aarch64_apple_darwin_crypto,
-    aarch64_apple_darwin_crypto_ssl
-);
-platform_binding!(
-    aarch64_pc_windows_msvc,
-    aarch64_pc_windows_msvc_crypto,
-    aarch64_pc_windows_msvc_crypto_ssl
-);
-platform_binding!(
-    aarch64_unknown_linux_gnu,
-    aarch64_unknown_linux_gnu_crypto,
-    aarch64_unknown_linux_gnu_crypto_ssl
-);
+platform_binding!(universal_apple, universal_apple_crypto);
+platform_binding!(universal, universal_crypto);
+
+platform_binding!(aarch64_linux_android, aarch64_linux_android_crypto);
+platform_binding!(aarch64_apple_darwin, aarch64_apple_darwin_crypto);
+platform_binding!(aarch64_pc_windows_msvc, aarch64_pc_windows_msvc_crypto);
+platform_binding!(aarch64_unknown_linux_gnu, aarch64_unknown_linux_gnu_crypto);
 platform_binding!(
     aarch64_unknown_linux_musl,
-    aarch64_unknown_linux_musl_crypto,
-    aarch64_unknown_linux_musl_crypto_ssl
-);
-platform_binding!(
-    i686_pc_windows_msvc,
-    i686_pc_windows_msvc_crypto,
-    i686_pc_windows_msvc_crypto_ssl
-);
-platform_binding!(
-    i686_unknown_linux_gnu,
-    i686_unknown_linux_gnu_crypto,
-    i686_unknown_linux_gnu_crypto_ssl
+    aarch64_unknown_linux_musl_crypto
 );
+platform_binding!(i686_pc_windows_msvc, i686_pc_windows_msvc_crypto);
+platform_binding!(i686_unknown_linux_gnu, i686_unknown_linux_gnu_crypto);
 platform_binding!(
     riscv64gc_unknown_linux_gnu,
-    riscv64gc_unknown_linux_gnu_crypto,
-    riscv64gc_unknown_linux_gnu_crypto_ssl
-);
-platform_binding!(
-    x86_64_apple_darwin,
-    x86_64_apple_darwin_crypto,
-    x86_64_apple_darwin_crypto_ssl
-);
-platform_binding!(
-    x86_64_pc_windows_gnu,
-    x86_64_pc_windows_gnu_crypto,
-    x86_64_pc_windows_gnu_crypto_ssl
-);
-platform_binding!(
-    x86_64_pc_windows_msvc,
-    x86_64_pc_windows_msvc_crypto,
-    x86_64_pc_windows_msvc_crypto_ssl
-);
-platform_binding!(
-    x86_64_unknown_linux_gnu,
-    x86_64_unknown_linux_gnu_crypto,
-    x86_64_unknown_linux_gnu_crypto_ssl
-);
-platform_binding!(
-    x86_64_unknown_linux_musl,
-    x86_64_unknown_linux_musl_crypto,
-    x86_64_unknown_linux_musl_crypto_ssl
+    riscv64gc_unknown_linux_gnu_crypto
 );
+platform_binding!(x86_64_apple_darwin, x86_64_apple_darwin_crypto);
+platform_binding!(x86_64_pc_windows_gnu, x86_64_pc_windows_gnu_crypto);
+platform_binding!(x86_64_pc_windows_msvc, x86_64_pc_windows_msvc_crypto);
+platform_binding!(x86_64_unknown_linux_gnu, x86_64_unknown_linux_gnu_crypto);
+platform_binding!(x86_64_unknown_linux_musl, x86_64_unknown_linux_musl_crypto);
 
 #[cfg(use_bindgen_generated)]
 #[allow(
@@ -138,6 +91,10 @@ pub fn ERR_GET_FUNC(packed_error: u32) -> i32 {
     unsafe { ERR_GET_FUNC_RUST(packed_error) }
 }
 
+#[cfg(feature = "all-bindings")]
+use std::os::raw::{c_char, c_long, c_void};
+
+#[cfg(feature = "all-bindings")]
 #[allow(non_snake_case, clippy::not_unsafe_ptr_arg_deref)]
 pub fn BIO_get_mem_data(b: *mut BIO, pp: *mut *mut c_char) -> c_long {
     unsafe { BIO_ctrl(b, BIO_CTRL_INFO, 0, pp.cast::<c_void>()) }