Improve support for alpine linux (#675)

* Add alpine linux docker image

* Support alpine via ???-unknown-linux-musl bindings

* Setup GitHub CI

* Satiate clippy

* Add clippy-fix make target

.github/docker_images/alpine-3.20/Dockerfile

@@ -0,0 +1,39 @@
+FROM alpine:3.20
+
+VOLUME ["/aws_lc_rs"]
+
+WORKDIR /
+
+RUN apk add \
+	alpine-sdk \
+	bash \
+	boost-dev \
+	build-base \
+	busybox-suid \
+	clang-dev \
+	cargo \
+	curl \
+	cmake \
+	openssl-dev
+
+ARG UID
+RUN adduser -u $UID -S -s /bin/sh -G abuild satoshi
+USER satoshi
+WORKDIR /home/satoshi
+ENV CARGO_HTTP_MULTIPLEXING=false
+
+# If needed, setup Rust environment for user
+#RUN cd "${HOME}" && \
+#    curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > ./rustup.sh && \
+#    chmod +x ./rustup.sh && \
+#    ./rustup.sh -y && \
+#    . "${HOME}/.cargo/env" && \
+#    echo '. "${HOME}/.cargo/env"' >> ${HOME}/.profile && \
+#    cargo install --locked bindgen-cli && \
+#    rustup component add rustfmt clippy && \
+#    rm ./rustup.sh
+
+COPY aws_lc_rs_build.sh /
+COPY entry.sh /
+
+ENTRYPOINT ["/entry.sh"]

.github/docker_images/alpine-3.20/aws_lc_rs_build.sh

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0 OR ISC
+
+set -ex -o pipefail
+
+SRC_DIR="${SRC_DIR:-/aws_lc_rs}"
+
+pushd "${SRC_DIR}"
+
+cargo test -p aws-lc-rs
+cargo clean
+
+popd # ${SRC_DIR}

.github/docker_images/alpine-3.20/build_image.sh

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0 OR ISC
+
+set -ex
+
+SCRIPT_DIR=$(cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd)
+
+# Ubuntu:
+# sudo apt-get install jq
+
+# Amazon Linux:
+# sudo yum install jq
+
+# Log Docker hub limit https://docs.docker.com/docker-hub/download-rate-limit/#how-can-i-check-my-current-rate
+TOKEN=$(curl "https://auth.docker.io/token?service=registry.docker.io&scope=repository:ratelimitpreview/test:pull" | jq -r .token)
+curl --head -H "Authorization: Bearer $TOKEN" https://registry-1.docker.io/v2/ratelimitpreview/test/manifests/latest
+
+EXTRA_ARGS=()
+if [[ -n "${GOPROXY:+x}" ]]; then
+    EXTRA_ARGS=("--build-arg" "GOPROXY=${GOPROXY}" "${EXTRA_ARGS[@]}")
+fi
+
+pushd "${SCRIPT_DIR}"
+docker build -t alpine:3.20 . --build-arg UID=$(id -u) --load "${EXTRA_ARGS[@]}"
+popd

.github/docker_images/alpine-3.20/entry.sh

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0 OR ISC
+
+set -ex -o pipefail
+
+/aws_lc_rs_build.sh "${argv[@]}"

.github/workflows/cross.yml

@@ -312,3 +312,19 @@ jobs:
       - name: Build
         run: |
           docker run -v "${{ github.workspace }}:/aws_lc_rs" ohos:5.0.0
+
+  alpine-linux:
+    runs-on: ubuntu-latest
+    env:
+      DOCKER_BUILDKIT: 1
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: "recursive"
+      - name: Build Docker Image
+        working-directory: .github/docker_images/alpine-3.20
+        run: |
+          ./build_image.sh
+      - name: Build
+        run: |
+          docker run -v "${{ github.workspace }}:/aws_lc_rs" alpine:3.20

aws-lc-fips-sys/builder/cmake_builder.rs

@@ -396,7 +396,7 @@ impl crate::Builder for CmakeBuilder {
         } else {
             eprintln!("Missing dependency: cmake");
             missing_dependency = true;
-        };
+        }
 
         if missing_dependency {
             return Err("Required build dependency is missing. Halting build.".to_owned());

aws-lc-rs/Makefile

@@ -45,9 +45,12 @@ msrv:
 clippy:
 	cargo +nightly clippy --all-targets --features bindgen,fips,unstable -- -W clippy::all  -W clippy::pedantic
 
+clippy-fix:
+	cargo +nightly clippy --all-targets --features bindgen,fips,unstable --fix --allow-dirty -- -W clippy::all  -W clippy::pedantic
+
 ci: format clippy msrv test coverage api-diff-pub
 
 readme:
 	cargo readme | tee README.md
 
-.PHONY: asan asan-fips asan-release ci clippy coverage coverage-fips test msrv clippy
+.PHONY: asan asan-fips asan-release ci clippy coverage coverage-fips test msrv clippy clippy-fix

aws-lc-rs/src/agreement.rs

@@ -720,7 +720,7 @@ fn ec_key_ecdh<'a>(
 
     if 1 != unsafe { EVP_PKEY_derive_init(*pkey_ctx.as_mut()) } {
         return Err(Unspecified);
-    };
+    }
 
     if 1 != unsafe { EVP_PKEY_derive_set_peer(*pkey_ctx.as_mut(), *pub_key.as_mut()) } {
         return Err(Unspecified);
@@ -751,7 +751,7 @@ fn x25519_diffie_hellman<'a>(
 
     if 1 != unsafe { EVP_PKEY_derive_init(*pkey_ctx.as_mut()) } {
         return Err(());
-    };
+    }
 
     let mut pub_key = try_parse_x25519_public_key_bytes(peer_pub_key)?;
 

aws-lc-rs/src/cbb.rs

@@ -26,7 +26,7 @@ impl LcCBB<'static> {
 
         if 1 != unsafe { CBB_finish(self.as_mut_ptr(), &mut out_data, &mut out_len) } {
             return Err(Unspecified);
-        };
+        }
 
         let out_data = LcPtr::new(out_data)?;
         let slice = unsafe { std::slice::from_raw_parts(*out_data.as_const(), out_len) };

aws-lc-rs/src/digest/digest_ctx.rs

@@ -18,7 +18,7 @@ impl DigestContext {
         unsafe {
             if 1 != EVP_DigestInit_ex(dc.as_mut_ptr(), *evp_md_type, null_mut()) {
                 return Err(Unspecified);
-            };
+            }
             Ok(dc)
         }
     }
@@ -65,7 +65,7 @@ impl DigestContext {
             // https://github.com/aws/aws-lc/blob/98ccf4a316401112943bed604562102ad52efac6/include/openssl/digest.h#L280
             if 1 != EVP_MD_CTX_copy(dc.as_mut_ptr(), self.as_ptr()) {
                 return Err("EVP_MD_CTX_copy failed");
-            };
+            }
             Ok(Self(dc.assume_init()))
         }
     }

aws-lc-rs/src/hkdf.rs

@@ -252,7 +252,7 @@ impl PrkMode {
                     return Err(Unspecified);
                 }
             }
-        };
+        }
 
         Ok(())
     }

aws-lc-rs/src/hmac.rs

@@ -306,7 +306,7 @@ impl Key {
                 null_mut(),
             ) {
                 return Err(Unspecified);
-            };
+            }
             let result = Self {
                 algorithm,
                 ctx: LcHmacCtx(ctx.assume_init()),

aws-lc-rs/src/key_wrap.rs

@@ -404,7 +404,7 @@ impl KeyWrapPadded for KeyEncryptionKey<AesBlockCipher> {
             )
         }) {
             return Err(Unspecified);
-        };
+        }
 
         Ok(&mut output[..out_len])
     }

aws-lc-rs/src/rsa/encryption.rs

@@ -43,7 +43,7 @@ impl PrivateDecryptingKey {
     fn validate_key(key: &LcPtr<EVP_PKEY>) -> Result<(), Unspecified> {
         if !is_rsa_key(key) {
             return Err(Unspecified);
-        };
+        }
         match key.key_size_bits() {
             2048..=8192 => Ok(()),
             _ => Err(Unspecified),
@@ -152,7 +152,7 @@ impl PublicEncryptingKey {
     fn validate_key(key: &LcPtr<EVP_PKEY>) -> Result<(), Unspecified> {
         if !is_rsa_key(key) {
             return Err(Unspecified);
-        };
+        }
         match key.key_size_bits() {
             2048..=8192 => Ok(()),
             _ => Err(Unspecified),

aws-lc-rs/src/rsa/encryption/oaep.rs

@@ -136,7 +136,7 @@ impl OaepPublicEncryptingKey {
             )
         }) {
             return Err(Unspecified);
-        };
+        }
 
         Ok(&mut ciphertext[..out_len])
     }
@@ -240,7 +240,7 @@ impl OaepPrivateDecryptingKey {
             )
         }) {
             return Err(Unspecified);
-        };
+        }
 
         Ok(&mut plaintext[..out_len])
     }
@@ -280,15 +280,15 @@ fn configure_oaep_crypto_operation(
     if 1 != unsafe { EVP_PKEY_CTX_set_rsa_padding(*evp_pkey_ctx.as_mut(), RSA_PKCS1_OAEP_PADDING) }
     {
         return Err(Unspecified);
-    };
+    }
 
     if 1 != unsafe { EVP_PKEY_CTX_set_rsa_oaep_md(*evp_pkey_ctx.as_mut(), oaep_hash_fn()) } {
         return Err(Unspecified);
-    };
+    }
 
     if 1 != unsafe { EVP_PKEY_CTX_set_rsa_mgf1_md(*evp_pkey_ctx.as_mut(), mgf1_hash_fn()) } {
         return Err(Unspecified);
-    };
+    }
 
     let label = label.unwrap_or(&[0u8; 0]);
 
@@ -315,7 +315,7 @@ fn configure_oaep_crypto_operation(
         EVP_PKEY_CTX_set0_rsa_oaep_label(*evp_pkey_ctx.as_mut(), *label_ptr, label.len())
     } {
         return Err(Unspecified);
-    };
+    }
 
     // AWS-LC owns the allocation now, so we detach it to avoid freeing it here when label_ptr goes out of scope.
     label_ptr.detach();

aws-lc-rs/src/rsa/encryption/pkcs1.rs

@@ -62,7 +62,7 @@ impl Pkcs1PublicEncryptingKey {
             )
         }) {
             return Err(Unspecified);
-        };
+        }
 
         Ok(&mut ciphertext[..out_len])
     }
@@ -149,7 +149,7 @@ impl Pkcs1PrivateDecryptingKey {
             )
         }) {
             return Err(Unspecified);
-        };
+        }
 
         Ok(&mut plaintext[..out_len])
     }
@@ -185,7 +185,7 @@ fn configure_pkcs1_crypto_operation(
 ) -> Result<(), Unspecified> {
     if 1 != unsafe { EVP_PKEY_CTX_set_rsa_padding(*evp_pkey_ctx.as_mut(), RSA_PKCS1_PADDING) } {
         return Err(Unspecified);
-    };
+    }
 
     Ok(())
 }

aws-lc-rs/src/rsa/key.rs

@@ -173,7 +173,7 @@ impl KeyPair {
     fn validate_private_key(key: &LcPtr<EVP_PKEY>) -> Result<(), KeyRejected> {
         if !is_rsa_key(key) {
             return Err(KeyRejected::unspecified());
-        };
+        }
         match key.key_size_bits() {
             2048..=8192 => Ok(()),
             _ => Err(KeyRejected::unspecified()),
@@ -489,7 +489,7 @@ pub(super) fn generate_rsa_key(size: c_int, fips: bool) -> Result<LcPtr<EVP_PKEY
 
     if 1 != unsafe { EVP_PKEY_assign_RSA(*evp_pkey.as_mut(), *rsa) } {
         return Err(Unspecified);
-    };
+    }
 
     rsa.detach();
 

aws-lc-rs/src/rsa/signature.rs

@@ -235,10 +235,10 @@ pub(super) fn compute_rsa_signature<'a>(
 pub(crate) fn configure_rsa_pkcs1_pss_padding(pctx: *mut EVP_PKEY_CTX) -> Result<(), ()> {
     if 1 != unsafe { EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) } {
         return Err(());
-    };
+    }
     if 1 != unsafe { EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, RSA_PSS_SALTLEN_DIGEST) } {
         return Err(());
-    };
+    }
     Ok(())
 }
 

aws-lc-rs/tests/aead_test.rs

@@ -167,7 +167,7 @@ fn test_aead<Seal, Open>(
                 return Ok(());
             }
             _ => (),
-        };
+        }
 
         let mut s_in_out = plaintext.clone();
         let nonce = Nonce::try_assume_unique_for_key(&nonce_bytes).unwrap();
@@ -242,7 +242,7 @@ fn test_aead<Seal, Open>(
                 Some(error) => {
                     panic!("Unexpected error test case: {error}");
                 }
-            };
+            }
         }
 
         Ok(())

aws-lc-rs/tests/ecdsa_tests.rs

@@ -84,7 +84,7 @@ fn ecdsa_from_pkcs8_test() {
                     "Input: {}",
                     test::to_hex(&input)
                 ),
-            };
+            }
 
             match (EcdsaKeyPair::from_pkcs8(this_asn1, &input), error) {
                 (Ok(_), None) => (),
@@ -93,7 +93,7 @@ fn ecdsa_from_pkcs8_test() {
                 }
                 (Ok(_), Some(e)) => panic!("Succeeded, but expected error \"{e}\""),
                 (Err(actual), Some(expected)) => assert_eq!(format!("{actual}"), expected),
-            };
+            }
 
             assert!(
                 EcdsaKeyPair::from_pkcs8(other_fixed, &input).is_err(),

aws-lc-rs/tests/ed25519_tests.rs

@@ -135,7 +135,7 @@ fn test_ed25519_from_pkcs8() {
                     test::to_hex(input)
                 );
             }
-        };
+        }
     }
 
     // Just test that we can parse the input.

aws-lc-rs/tests/rsa_test.rs

@@ -47,7 +47,7 @@ fn rsa_from_pkcs8_test() {
                     "Input: {}",
                     test::to_hex(input.as_slice())
                 ),
-            };
+            }
 
             Ok(())
         },