Allow external bindgen for fips; more prefixing; bump aws-lc-fips-sys…

… to v0.12.8 (#388)

.github/workflows/fips-bindings-generator.yml

@@ -33,7 +33,7 @@ jobs:
         run: brew install bash coreutils
       - name: No-prefix build for ${{ matrix.os }}
         env:
-          AWS_LC_FIPS_SYS_INTERNAL_NO_PREFIX: "1"
+          AWS_LC_FIPS_SYS_NO_PREFIX: "1"
         run: |
           cargo test -p aws-lc-fips-sys --features bindgen,ssl
       - name: Collect symbols
@@ -61,7 +61,7 @@ jobs:
         run: cargo install cross --locked --git https://github.com/cross-rs/cross
       - name: No-prefix build for ${{ matrix.target }}
         env:
-          AWS_LC_FIPS_SYS_INTERNAL_NO_PREFIX: "1"
+          AWS_LC_FIPS_SYS_NO_PREFIX: "1"
         run: |
           cross test -p aws-lc-fips-sys --features bindgen,ssl --target ${{ matrix.target }}
       - name: Collect symbols
@@ -111,7 +111,7 @@ jobs:
         run: brew install bash coreutils
       - name: Generate bindings for ${{ matrix.os }}
         env:
-          AWS_LC_RUST_INTERNAL_BINDGEN: "1"
+          AWS_LC_FIPS_SYS_INTERNAL_BINDGEN: "1"
         run: |
           cargo test -p aws-lc-fips-sys --features bindgen,ssl
       - name: Commit & Push changes
@@ -134,7 +134,7 @@ jobs:
         run: cargo install cross --locked --git https://github.com/cross-rs/cross
       - name: Generate bindings for ${{ matrix.target }}
         env:
-          AWS_LC_RUST_INTERNAL_BINDGEN: "1"
+          AWS_LC_FIPS_SYS_INTERNAL_BINDGEN: "1"
         run: |
           cross test -p aws-lc-fips-sys --features bindgen,ssl --target ${{ matrix.target }}
       - name: Commit & Push changes

.github/workflows/tests.yml

@@ -224,6 +224,37 @@ jobs:
         # See: https://github.com/rust-lang/cargo/issues/8531
         run: AWS_LC_FIPS_SYS_STATIC=${{ matrix.static }} cargo test --tests --features fips
 
+  build-env-fips-external-bindgen-test:
+    if: github.repository_owner == 'aws'
+    name: aws-lc-rs FIPS - External bindgen test
+    runs-on: ${{ matrix.os }}
+    env:
+      AWS_LC_FIPS_SYS_EXTERNAL_BINDGEN: 1
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ ubuntu-latest, macos-12, macos-13-xlarge, windows-latest ]
+    steps:
+      - if: ${{ matrix.os == 'windows-latest' }}
+        uses: ilammy/setup-nasm@v1
+      - uses: actions/checkout@v3
+        with:
+          submodules: 'recursive'
+      - uses: dtolnay/rust-toolchain@stable
+      - name: Install ninja-build tool
+        uses: seanmiddleditch/gha-setup-ninja@v4
+      - uses: actions/setup-go@v4
+        with:
+          go-version: '>=1.18'
+      - name: Install bindgen-cli
+        run: cargo install --locked bindgen-cli
+      - name: Remove bindings
+        run: |
+          rm ./aws-lc-fips-sys/src/x86_64* 
+          rm ./aws-lc-fips-sys/src/aarch64*
+      - name: Run cargo test
+        run: cargo test --tests -p aws-lc-rs --no-default-features --features fips
+
   careful:
     if: github.repository_owner == 'aws'
     name: Run carefully

Cross.toml

@@ -3,6 +3,10 @@ dockerfile = "./docker/linux-cross/Dockerfile"
 
 [build.env]
 passthrough = [
-    "AWS_LC_SYS_INTERNAL_NO_PREFIX", "AWS_LC_RUST_INTERNAL_BINDGEN", "AWS_LC_FIPS_SYS_INTERNAL_NO_PREFIX", "GOPROXY",
-    "AWS_LC_FIPS_SYS_STATIC", "AWS_LC_SYS_STATIC", "AWS_LC_SYS_CMAKE_BUILDER", "AWS_LC_SYS_CC_SRC_COLLECTOR"
+    "AWS_LC_SYS_NO_PREFIX", "AWS_LC_FIPS_SYS_NO_PREFIX",
+    "AWS_LC_SYS_INTERNAL_BINDGEN", "AWS_LC_FIPS_SYS_INTERNAL_BINDGEN",
+    "AWS_LC_SYS_EXTERNAL_BINDGEN", "AWS_LC_FIPS_SYS_EXTERNAL_BINDGEN",
+    "AWS_LC_SYS_STATIC", "AWS_LC_FIPS_SYS_STATIC",
+    "AWS_LC_SYS_CMAKE_BUILDER", "AWS_LC_SYS_CC_SRC_COLLECTOR",
+    "GOPROXY",
 ]

aws-lc-fips-sys/CMakeLists.txt

@@ -18,6 +18,7 @@ if (BUILD_SHARED_LIBS AND FIPS)
     # as cmake crate will postfix the C/CXX flags after our disablement nullifying them.
     set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fno-function-sections -fno-data-sections")
     set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fno-function-sections -fno-data-sections")
+    add_definitions(-DBORINGSSL_SHARED_LIBRARY)
 endif()
 
 add_subdirectory(aws-lc aws-lc EXCLUDE_FROM_ALL)
@@ -60,4 +61,8 @@ if (BORINGSSL_PREFIX)
         set(TARGET_PREFIX "lib${BORINGSSL_PREFIX}")
     endif()
     set_my_target_properties(PREFIX ${TARGET_PREFIX})
+
+    # This BORINGSSL_PREFIX has an "_" appended, so we must remove it
+    string(REGEX REPLACE "_$" "" BORINGSSL_PREFIX_MACRO ${BORINGSSL_PREFIX})
+    add_definitions(-DBORINGSSL_PREFIX=${BORINGSSL_PREFIX_MACRO})
 endif ()

aws-lc-fips-sys/Cargo.toml

@@ -1,8 +1,8 @@
 [package]
 name = "aws-lc-fips-sys"
 description = "AWS-LC is a general-purpose cryptographic library maintained by the AWS Cryptography team for AWS and their customers. This is the FIPS validated version of AWS-LC."
-version = "0.12.7"
-links = "aws_lc_fips_0_12_7"
+version = "0.12.8"
+links = "aws_lc_fips_0_12_8"
 authors = ["AWS-LC"]
 edition = "2021"
 repository = "https://github.com/aws/aws-lc-rs"

aws-lc-fips-sys/builder/bindgen.rs

@@ -1,10 +1,7 @@
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0 OR ISC
 
-use crate::{
-    get_aws_lc_fips_sys_includes_path, get_aws_lc_include_path, get_generated_include_path,
-    get_rust_include_path,
-};
+use crate::{get_rust_include_path, BindingOptions, COPYRIGHT};
 use bindgen::callbacks::{ItemInfo, ParseCallbacks};
 use std::fmt::Debug;
 use std::path::Path;
@@ -34,47 +31,6 @@ impl ParseCallbacks for StripPrefixCallback {
     }
 }
 
-fn add_header_include_path(args: &mut Vec<String>, path: String) {
-    args.push("-I".to_string());
-    args.push(path);
-}
-
-fn prepare_clang_args(manifest_dir: &Path, options: &BindingOptions) -> Vec<String> {
-    let mut clang_args: Vec<String> = Vec::new();
-
-    add_header_include_path(
-        &mut clang_args,
-        get_rust_include_path(manifest_dir).display().to_string(),
-    );
-
-    if options.build_prefix.is_some() {
-        add_header_include_path(
-            &mut clang_args,
-            get_generated_include_path(manifest_dir)
-                .display()
-                .to_string(),
-        );
-    }
-
-    add_header_include_path(
-        &mut clang_args,
-        get_aws_lc_include_path(manifest_dir).display().to_string(),
-    );
-
-    if let Some(include_paths) = get_aws_lc_fips_sys_includes_path() {
-        for path in include_paths {
-            add_header_include_path(&mut clang_args, path.display().to_string());
-        }
-    }
-
-    clang_args
-}
-
-const COPYRIGHT: &str = r"
-// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0 OR ISC
-";
-
 const PRELUDE: &str = r"
 #![allow(
     unused_imports,
@@ -97,15 +53,8 @@ const PRELUDE: &str = r"
 )]
 ";
 
-#[derive(Default)]
-pub(crate) struct BindingOptions {
-    pub build_prefix: Option<String>,
-    pub include_ssl: bool,
-    pub disable_prelude: bool,
-}
-
 fn prepare_bindings_builder(manifest_dir: &Path, options: &BindingOptions) -> bindgen::Builder {
-    let clang_args = prepare_clang_args(manifest_dir, options);
+    let clang_args = crate::prepare_clang_args(manifest_dir, options);
 
     let mut builder = bindgen::Builder::default()
         .derive_copy(true)

aws-lc-fips-sys/builder/cmake_builder.rs

@@ -2,7 +2,7 @@
 // SPDX-License-Identifier: Apache-2.0 OR ISC
 
 use crate::OutputLib::{Crypto, RustWrapper, Ssl};
-use crate::{target, target_arch, target_os, target_vendor, test_command, OutputLibType};
+use crate::{execute_command, target, target_arch, target_os, target_vendor, OutputLibType};
 use std::collections::HashMap;
 use std::env;
 use std::ffi::OsStr;
@@ -16,30 +16,30 @@ pub(crate) struct CmakeBuilder {
 }
 
 fn test_perl_command() -> bool {
-    test_command("perl".as_ref(), &["--version".as_ref()]).status
+    execute_command("perl".as_ref(), &["--version".as_ref()]).status
 }
 
 fn test_go_command() -> bool {
-    let result = test_command("go".as_ref(), &["version".as_ref()]);
+    let result = execute_command("go".as_ref(), &["version".as_ref()]);
     if !result.status && result.executed {
-        eprintln!("Go stdout:\n--------\n{}\n--------", result.stdout);
+        eprintln!("Go stderr:\n--------\n{}\n--------", result.stderr);
     }
     result.status
 }
 
 fn test_ninja_command() -> bool {
-    test_command("ninja".as_ref(), &["--version".as_ref()]).status
-        || test_command("ninja-build".as_ref(), &["--version".as_ref()]).status
+    execute_command("ninja".as_ref(), &["--version".as_ref()]).status
+        || execute_command("ninja-build".as_ref(), &["--version".as_ref()]).status
 }
 
 fn test_nasm_command() -> bool {
-    test_command("nasm".as_ref(), &["-version".as_ref()]).status
+    execute_command("nasm".as_ref(), &["-version".as_ref()]).status
 }
 
 fn find_cmake_command() -> Option<&'static OsStr> {
-    if test_command("cmake3".as_ref(), &["--version".as_ref()]).status {
+    if execute_command("cmake3".as_ref(), &["--version".as_ref()]).status {
         Some("cmake3".as_ref())
-    } else if test_command("cmake".as_ref(), &["--version".as_ref()]).status {
+    } else if execute_command("cmake".as_ref(), &["--version".as_ref()]).status {
         Some("cmake".as_ref())
     } else {
         None
@@ -161,7 +161,7 @@ impl CmakeBuilder {
     fn collect_vcvarsall_bat(&self) -> Result<HashMap<String, String>, String> {
         let mut map: HashMap<String, String> = HashMap::new();
         let script_path = self.manifest_dir.join("builder").join("printenv.bat");
-        let result = test_command(script_path.as_os_str(), &[]);
+        let result = execute_command(script_path.as_os_str(), &[]);
         if !result.status {
             eprintln!("{}", result.stdout);
             return Err("Failed to run vcvarsall.bat.".to_owned());