Add support for aws-lc-sys or aws-lc-fips-sys

Author: skmcgrail

openssl-sys/Cargo.toml

@@ -18,10 +18,14 @@ rust-version = "1.63.0"
 [features]
 vendored = ['openssl-src']
 unstable_boringssl = ['bssl-sys']
+aws-lc = ['aws-lc-sys']
+aws-lc-fips = ['aws-lc-fips-sys']
 
 [dependencies]
 libc = "0.2"
 bssl-sys = { version = "0.1.0", optional = true }
+aws-lc-sys = { version = "0", features = ["ssl"], optional = true }
+aws-lc-fips-sys = { version = "0", features = ["ssl", "bindgen"], optional = true }
 
 [build-dependencies]
 bindgen = { version = "0.69.0", optional = true, features = ["experimental"] }

openssl-sys/build/main.rs

@@ -71,6 +71,47 @@ fn check_ssl_kind() {
         // BoringSSL does not have any build logic, exit early
         std::process::exit(0);
     }
+
+    let is_aws_lc = cfg!(feature = "aws-lc");
+    let is_aws_lc_fips = cfg!(feature = "aws-lc-fips");
+
+    if is_aws_lc || is_aws_lc_fips {
+        println!("cargo:rustc-cfg=awslc");
+        println!("cargo:awslc=true");
+
+        let env_var_prefix = match (is_aws_lc, is_aws_lc_fips) {
+            (true, false) => "DEP_AWS_LC_",
+            (false, true) => "DEP_AWS_LC_FIPS_",
+            _ => {
+                panic!("aws-lc and aws-lc-fips are mutually exclusive features!");
+            }
+        };
+
+        let mut version = None;
+        for (name, _) in std::env::vars() {
+            if let Some(name) = name.strip_prefix(env_var_prefix) {
+                if let Some(name) = name.strip_suffix("_INCLUDE") {
+                    version = Some(name.to_owned());
+                    break;
+                }
+            }
+        }
+        let version = version.expect("aws-lc version detected");
+
+        if let Ok(vars) = std::env::var(format!("{env_var_prefix}{version}_CONF")) {
+            for var in vars.split(',') {
+                println!("cargo:rustc-cfg=osslconf=\"{var}\"");
+            }
+            println!("cargo:conf={vars}");
+        }
+
+        if let Ok(val) = std::env::var(format!("{env_var_prefix}{version}_INCLUDE")) {
+            println!("cargo:include={val}");
+        }
+
+        // AWS-LC does not have any build logic, exit early
+        std::process::exit(0);
+    }
 }
 
 fn main() {
@@ -79,6 +120,7 @@ fn main() {
     println!("cargo:rustc-check-cfg=cfg(openssl)");
     println!("cargo:rustc-check-cfg=cfg(libressl)");
     println!("cargo:rustc-check-cfg=cfg(boringssl)");
+    println!("cargo:rustc-check-cfg=cfg(awslc)");
 
     println!("cargo:rustc-check-cfg=cfg(libressl250)");
     println!("cargo:rustc-check-cfg=cfg(libressl251)");

openssl-sys/src/evp.rs

@@ -7,7 +7,7 @@ pub const PKCS5_SALT_LEN: c_int = 8;
 pub const PKCS12_DEFAULT_ITER: c_int = 2048;
 
 pub const EVP_PKEY_RSA: c_int = NID_rsaEncryption;
-#[cfg(any(ossl111, libressl310, boringssl))]
+#[cfg(any(ossl111, libressl310, boringssl, awslc))]
 pub const EVP_PKEY_RSA_PSS: c_int = NID_rsassaPss;
 pub const EVP_PKEY_DSA: c_int = NID_dsa;
 pub const EVP_PKEY_DH: c_int = NID_dhKeyAgreement;
@@ -313,7 +313,7 @@ pub unsafe fn EVP_PKEY_CTX_add1_hkdf_info(
     )
 }
 
-#[cfg(all(not(ossl300), not(boringssl)))]
+#[cfg(not(any(ossl300, boringssl, awslc)))]
 pub unsafe fn EVP_PKEY_CTX_set_signature_md(cxt: *mut EVP_PKEY_CTX, md: *mut EVP_MD) -> c_int {
     EVP_PKEY_CTX_ctrl(
         cxt,

openssl-sys/src/handwritten/ec.rs

@@ -103,7 +103,7 @@ extern "C" {
 
     pub fn EC_POINT_dup(p: *const EC_POINT, group: *const EC_GROUP) -> *mut EC_POINT;
 
-    #[cfg(any(ossl111, boringssl, libressl350))]
+    #[cfg(any(ossl111, boringssl, libressl350, awslc))]
     pub fn EC_POINT_get_affine_coordinates(
         group: *const EC_GROUP,
         p: *const EC_POINT,

openssl-sys/src/lib.rs

@@ -29,6 +29,22 @@ mod boringssl {
 #[cfg(boringssl)]
 pub use boringssl::*;
 
+#[cfg(any(feature = "aws-lc", feature = "aws-lc-fips-sys"))]
+mod aws_lc {
+    #[cfg(feature = "aws-lc-fips")]
+    extern crate aws_lc_fips_sys as aws_lc;
+    #[cfg(feature = "aws-lc")]
+    extern crate aws_lc_sys as aws_lc;
+    pub use aws_lc::*;
+
+    // TODO: AWS-LC doesn't currently expose this in it's public headers
+    extern "C" {
+        pub fn OCSP_ONEREQ_free(r: *mut OCSP_ONEREQ);
+    }
+}
+#[cfg(any(feature = "aws-lc", feature = "aws-lc-fips-sys"))]
+pub use aws_lc::*;
+
 #[cfg(openssl)]
 #[path = "."]
 mod openssl {

openssl-sys/src/ocsp.rs

@@ -10,18 +10,18 @@ pub const OCSP_REVOKED_STATUS_CESSATIONOFOPERATION: c_int = 5;
 pub const OCSP_REVOKED_STATUS_CERTIFICATEHOLD: c_int = 6;
 pub const OCSP_REVOKED_STATUS_REMOVEFROMCRL: c_int = 8;
 
-pub const OCSP_NOCERTS: c_ulong = 0x1;
-pub const OCSP_NOINTERN: c_ulong = 0x2;
-pub const OCSP_NOSIGS: c_ulong = 0x4;
-pub const OCSP_NOCHAIN: c_ulong = 0x8;
-pub const OCSP_NOVERIFY: c_ulong = 0x10;
-pub const OCSP_NOEXPLICIT: c_ulong = 0x20;
-pub const OCSP_NOCASIGN: c_ulong = 0x40;
-pub const OCSP_NODELEGATED: c_ulong = 0x80;
-pub const OCSP_NOCHECKS: c_ulong = 0x100;
-pub const OCSP_TRUSTOTHER: c_ulong = 0x200;
-pub const OCSP_RESPID_KEY: c_ulong = 0x400;
-pub const OCSP_NOTIME: c_ulong = 0x800;
+pub const OCSP_NOCERTS: c_int = 0x1;
+pub const OCSP_NOINTERN: c_int = 0x2;
+pub const OCSP_NOSIGS: c_int = 0x4;
+pub const OCSP_NOCHAIN: c_int = 0x8;
+pub const OCSP_NOVERIFY: c_int = 0x10;
+pub const OCSP_NOEXPLICIT: c_int = 0x20;
+pub const OCSP_NOCASIGN: c_int = 0x40;
+pub const OCSP_NODELEGATED: c_int = 0x80;
+pub const OCSP_NOCHECKS: c_int = 0x100;
+pub const OCSP_TRUSTOTHER: c_int = 0x200;
+pub const OCSP_RESPID_KEY: c_int = 0x400;
+pub const OCSP_NOTIME: c_int = 0x800;
 
 pub const OCSP_RESPONSE_STATUS_SUCCESSFUL: c_int = 0;
 pub const OCSP_RESPONSE_STATUS_MALFORMEDREQUEST: c_int = 1;

openssl/Cargo.toml

@@ -21,6 +21,8 @@ v111 = []
 vendored = ['ffi/vendored']
 bindgen = ['ffi/bindgen']
 unstable_boringssl = ["ffi/unstable_boringssl"]
+aws-lc = ["ffi/aws-lc"]
+aws-lc-fips = ["ffi/aws-lc-fips"]
 default = []
 
 [dependencies]

openssl/build.rs

@@ -11,6 +11,7 @@ fn main() {
 
     println!("cargo:rustc-check-cfg=cfg(libressl)");
     println!("cargo:rustc-check-cfg=cfg(boringssl)");
+    println!("cargo:rustc-check-cfg=cfg(awslc)");
 
     println!("cargo:rustc-check-cfg=cfg(libressl250)");
     println!("cargo:rustc-check-cfg=cfg(libressl251)");
@@ -53,6 +54,10 @@ fn main() {
         println!("cargo:rustc-cfg=boringssl");
     }
 
+    if env::var("DEP_OPENSSL_AWSLC").is_ok() {
+        println!("cargo:rustc-cfg=awslc");
+    }
+
     if let Ok(v) = env::var("DEP_OPENSSL_LIBRESSL_VERSION_NUMBER") {
         let version = u64::from_str_radix(&v, 16).unwrap();
 

openssl/src/aes.rs

@@ -23,7 +23,7 @@
 //! # Examples
 
 #![cfg_attr(
-    all(not(boringssl), not(osslconf = "OPENSSL_NO_DEPRECATED_3_0")),
+    all(not(boringssl), not(awslc), not(osslconf = "OPENSSL_NO_DEPRECATED_3_0")),
     doc = r#"\
 ## AES IGE
 ```rust
@@ -65,7 +65,7 @@ use libc::{c_int, c_uint};
 use std::mem::MaybeUninit;
 use std::ptr;
 
-#[cfg(not(boringssl))]
+#[cfg(not(any(boringssl, awslc)))]
 use crate::symm::Mode;
 use openssl_macros::corresponds;
 
@@ -77,7 +77,7 @@ pub struct KeyError(());
 pub struct AesKey(ffi::AES_KEY);
 
 cfg_if! {
-    if #[cfg(boringssl)] {
+    if #[cfg(any(boringssl, awslc))] {
         type AesBitType = c_uint;
         type AesSizeType = usize;
     } else {
@@ -155,7 +155,7 @@ impl AesKey {
 ///
 /// Panics if `in_` is not the same length as `out`, if that length is not a multiple of 16, or if
 /// `iv` is not at least 32 bytes.
-#[cfg(not(boringssl))]
+#[cfg(not(any(boringssl, awslc)))]
 #[cfg(not(osslconf = "OPENSSL_NO_DEPRECATED_3_0"))]
 #[corresponds(AES_ige_encrypt)]
 pub fn aes_ige(in_: &[u8], out: &mut [u8], key: &AesKey, iv: &mut [u8], mode: Mode) {
@@ -263,12 +263,12 @@ mod test {
     use hex::FromHex;
 
     use super::*;
-    #[cfg(not(boringssl))]
+    #[cfg(not(any(boringssl, awslc)))]
     use crate::symm::Mode;
 
     // From https://www.mgp25.com/AESIGE/
     #[test]
-    #[cfg(not(boringssl))]
+    #[cfg(not(any(boringssl, awslc)))]
     #[cfg(not(osslconf = "OPENSSL_NO_DEPRECATED_3_0"))]
     fn ige_vector_1() {
         let raw_key = "000102030405060708090A0B0C0D0E0F";

openssl/src/asn1.rs

@@ -165,7 +165,7 @@ impl Asn1Type {
 /// [`diff`]: struct.Asn1TimeRef.html#method.diff
 /// [`Asn1TimeRef`]: struct.Asn1TimeRef.html
 #[derive(Debug, Clone, PartialEq, Eq, Hash)]
-#[cfg(any(ossl102, boringssl))]
+#[cfg(any(ossl102, boringssl, awslc))]
 pub struct TimeDiff {
     /// Difference in days
     pub days: c_int,
@@ -198,7 +198,7 @@ foreign_type_and_impl_send_sync! {
 impl Asn1TimeRef {
     /// Find difference between two times
     #[corresponds(ASN1_TIME_diff)]
-    #[cfg(any(ossl102, boringssl))]
+    #[cfg(any(ossl102, boringssl, awslc))]
     pub fn diff(&self, compare: &Self) -> Result<TimeDiff, ErrorStack> {
         let mut days = 0;
         let mut secs = 0;
@@ -214,7 +214,7 @@ impl Asn1TimeRef {
 
     /// Compare two times
     #[corresponds(ASN1_TIME_compare)]
-    #[cfg(any(ossl102, boringssl))]
+    #[cfg(any(ossl102, boringssl, awslc))]
     pub fn compare(&self, other: &Self) -> Result<Ordering, ErrorStack> {
         let d = self.diff(other)?;
         if d.days > 0 || d.secs > 0 {
@@ -228,7 +228,7 @@ impl Asn1TimeRef {
     }
 }
 
-#[cfg(any(ossl102, boringssl))]
+#[cfg(any(ossl102, boringssl, awslc))]
 impl PartialEq for Asn1TimeRef {
     fn eq(&self, other: &Asn1TimeRef) -> bool {
         self.diff(other)
@@ -237,7 +237,7 @@ impl PartialEq for Asn1TimeRef {
     }
 }
 
-#[cfg(any(ossl102, boringssl))]
+#[cfg(any(ossl102, boringssl, awslc))]
 impl PartialEq<Asn1Time> for Asn1TimeRef {
     fn eq(&self, other: &Asn1Time) -> bool {
         self.diff(other)
@@ -246,7 +246,7 @@ impl PartialEq<Asn1Time> for Asn1TimeRef {
     }
 }
 
-#[cfg(any(ossl102, boringssl))]
+#[cfg(any(ossl102, boringssl, awslc))]
 impl PartialEq<Asn1Time> for &Asn1TimeRef {
     fn eq(&self, other: &Asn1Time) -> bool {
         self.diff(other)
@@ -255,21 +255,21 @@ impl PartialEq<Asn1Time> for &Asn1TimeRef {
     }
 }
 
-#[cfg(any(ossl102, boringssl))]
+#[cfg(any(ossl102, boringssl, awslc))]
 impl PartialOrd for Asn1TimeRef {
     fn partial_cmp(&self, other: &Asn1TimeRef) -> Option<Ordering> {
         self.compare(other).ok()
     }
 }
 
-#[cfg(any(ossl102, boringssl))]
+#[cfg(any(ossl102, boringssl, awslc))]
 impl PartialOrd<Asn1Time> for Asn1TimeRef {
     fn partial_cmp(&self, other: &Asn1Time) -> Option<Ordering> {
         self.compare(other).ok()
     }
 }
 
-#[cfg(any(ossl102, boringssl))]
+#[cfg(any(ossl102, boringssl, awslc))]
 impl PartialOrd<Asn1Time> for &Asn1TimeRef {
     fn partial_cmp(&self, other: &Asn1Time) -> Option<Ordering> {
         self.compare(other).ok()
@@ -353,7 +353,7 @@ impl Asn1Time {
     ///
     /// Requires BoringSSL or OpenSSL 1.1.1 or newer.
     #[corresponds(ASN1_TIME_set_string_X509)]
-    #[cfg(any(ossl111, boringssl))]
+    #[cfg(any(ossl111, boringssl, awslc))]
     pub fn from_str_x509(s: &str) -> Result<Asn1Time, ErrorStack> {
         unsafe {
             let s = CString::new(s).unwrap();
@@ -366,7 +366,7 @@ impl Asn1Time {
     }
 }
 
-#[cfg(any(ossl102, boringssl))]
+#[cfg(any(ossl102, boringssl, awslc))]
 impl PartialEq for Asn1Time {
     fn eq(&self, other: &Asn1Time) -> bool {
         self.diff(other)
@@ -375,7 +375,7 @@ impl PartialEq for Asn1Time {
     }
 }
 
-#[cfg(any(ossl102, boringssl))]
+#[cfg(any(ossl102, boringssl, awslc))]
 impl PartialEq<Asn1TimeRef> for Asn1Time {
     fn eq(&self, other: &Asn1TimeRef) -> bool {
         self.diff(other)
@@ -384,7 +384,7 @@ impl PartialEq<Asn1TimeRef> for Asn1Time {
     }
 }
 
-#[cfg(any(ossl102, boringssl))]
+#[cfg(any(ossl102, boringssl, awslc))]
 impl<'a> PartialEq<&'a Asn1TimeRef> for Asn1Time {
     fn eq(&self, other: &&'a Asn1TimeRef) -> bool {
         self.diff(other)
@@ -393,21 +393,21 @@ impl<'a> PartialEq<&'a Asn1TimeRef> for Asn1Time {
     }
 }
 
-#[cfg(any(ossl102, boringssl))]
+#[cfg(any(ossl102, boringssl, awslc))]
 impl PartialOrd for Asn1Time {
     fn partial_cmp(&self, other: &Asn1Time) -> Option<Ordering> {
         self.compare(other).ok()
     }
 }
 
-#[cfg(any(ossl102, boringssl))]
+#[cfg(any(ossl102, boringssl, awslc))]
 impl PartialOrd<Asn1TimeRef> for Asn1Time {
     fn partial_cmp(&self, other: &Asn1TimeRef) -> Option<Ordering> {
         self.compare(other).ok()
     }
 }
 
-#[cfg(any(ossl102, boringssl))]
+#[cfg(any(ossl102, boringssl, awslc))]
 impl<'a> PartialOrd<&'a Asn1TimeRef> for Asn1Time {
     fn partial_cmp(&self, other: &&'a Asn1TimeRef) -> Option<Ordering> {
         self.compare(other).ok()
@@ -737,7 +737,7 @@ impl fmt::Debug for Asn1ObjectRef {
 }
 
 cfg_if! {
-    if #[cfg(any(ossl110, libressl273, boringssl))] {
+    if #[cfg(any(ossl110, libressl273, boringssl, awslc))] {
         use ffi::ASN1_STRING_get0_data;
     } else {
         #[allow(bad_style)]
@@ -808,7 +808,7 @@ mod tests {
     }
 
     #[test]
-    #[cfg(any(ossl102, boringssl))]
+    #[cfg(any(ossl102, boringssl, awslc))]
     fn time_eq() {
         let a = Asn1Time::from_str("99991231235959Z").unwrap();
         let b = Asn1Time::from_str("99991231235959Z").unwrap();
@@ -827,7 +827,7 @@ mod tests {
     }
 
     #[test]
-    #[cfg(any(ossl102, boringssl))]
+    #[cfg(any(ossl102, boringssl, awslc))]
     fn time_ord() {
         let a = Asn1Time::from_str("99991231235959Z").unwrap();
         let b = Asn1Time::from_str("99991231235959Z").unwrap();