Merge branch 'master' into mbedtls-sys-auto-2.28.7_old-bindgen

fortanix · Sep 17, 2024 · 641bce9 · 641bce9
2 parents 2c9e914 + 5da749c
commit 641bce9
Show file tree

Hide file tree

Showing 13 changed files with 145 additions and 78 deletions.
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -66,6 +66,12 @@ jobs:
         toolchain: ${{ matrix.rust }}
         targets: ${{ matrix.target }}
 
+    - name: Install cargo-nextest
+      uses: taiki-e/install-action@v2
+      with:
+        tool: [email protected]
+        checksum: true
+
     - name: Run tests
       run: |
         # Set LIBCLANG_PATH for bindgen to access clang library under windows-2019
@@ -76,7 +82,7 @@ jobs:
         ./ci_tools.sh
         ./ci.sh
       env:
-        TRAVIS_RUST_VERSION: ${{ matrix.rust }}
+        RUST_VERSION: ${{ matrix.rust }}
         TARGET: ${{ matrix.target }}
         MATRIX_OS: ${{ matrix.os }}
         ZLIB_INSTALLED: ${{ matrix.target == 'x86_64-unknown-linux-gnu' && 'true' || '' }}

diff --git a/ci.sh b/ci.sh
@@ -4,8 +4,8 @@ cd "$(dirname "$0")"
 
 repo_root=$(readlink -f $(dirname "${BASH_SOURCE[0]}"))
 
-if [ -z $TRAVIS_RUST_VERSION ]; then
-    echo "Expected TRAVIS_RUST_VERSION to be set in env"
+if [ -z $RUST_VERSION ]; then
+    echo "Expected RUST_VERSION to be set in env"
     exit 1
 fi
 
@@ -17,11 +17,11 @@ export CARGO_TARGET_AARCH64_UNKNOWN_LINUX_MUSL_LINKER=/tmp/aarch64-linux-musl-cr
 export CARGO_TARGET_AARCH64_UNKNOWN_LINUX_MUSL_RUNNER=qemu-aarch64
 
 cd "${repo_root}/mbedtls"
-case "$TRAVIS_RUST_VERSION" in
-    stable|beta|nightly|nightly-2021-09-08)
+case "$RUST_VERSION" in
+    stable|beta|nightly)
         # Install the rust toolchain
-        rustup default $TRAVIS_RUST_VERSION
-        rustup target add --toolchain $TRAVIS_RUST_VERSION $TARGET
+        rustup default $RUST_VERSION
+        rustup target add --toolchain $RUST_VERSION $TARGET
         printenv
 
         if [ "$TARGET" != "x86_64-fortanix-unknown-sgx" ]; then
@@ -38,10 +38,13 @@ case "$TRAVIS_RUST_VERSION" in
                 cargo test --features force_aesni_support --target $TARGET
             fi
 
-            # no_std tests only are able to run on x86 platform
-            if [ "$TARGET" == "x86_64-unknown-linux-gnu" ] || [[ "$TARGET" =~ ^x86_64-pc-windows- ]]; then
-                cargo test --no-default-features --features ssl,no_std_deps,rdrand,time --target $TARGET
-                cargo test --no-default-features --features no_std_deps --target $TARGET
+                # no_std tests only are able to run on x86 platform
+                if [ "$TARGET" == "x86_64-unknown-linux-gnu" ] || [[ "$TARGET" =~ ^x86_64-pc-windows- ]]; then
+                    cargo nextest run --no-default-features --features "$FEAT"no_std_deps,rdrand,time --target $TARGET
+                    cargo nextest run --no-default-features --features "$FEAT"no_std_deps --target $TARGET
+                fi
+            else
+                cargo +$RUST_VERSION test --no-run --features "$FEAT" --target=$TARGET
             fi
         else
             cargo +$TRAVIS_RUST_VERSION test --no-run --features --target=$TARGET
@@ -70,8 +73,8 @@ case "$TRAVIS_RUST_VERSION" in
         fi
         ;;
     *)
-        # Default case: If TRAVIS_RUST_VERSION does not match any of the above
-        echo "Unknown version $TRAVIS_RUST_VERSION"
+        # Default case: If RUST_VERSION does not match any of the above
+        echo "Unknown version $RUST_VERSION"
         exit 1
         ;;
 esac
diff --git a/ci_local.sh b/ci_local.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+set -e
+cd "$(dirname "$0")"
+
+# This script needs cargo-binstall installed
+# Please check: https://github.com/cargo-bins/cargo-binstall
+
+cargo binstall [email protected] --secure
+
+./ci_tools.sh
+
+# Array containing the configurations (rust and target)
+# Please comment out other options if you do not want to test them
+configs=(
+    "stable|x86_64-unknown-linux-gnu"
+    "stable|x86_64-fortanix-unknown-sgx"
+    "stable|aarch64-unknown-linux-musl"
+    "nightly|x86_64-unknown-linux-gnu"
+    "beta|x86_64-unknown-linux-gnu"
+)
+
+# Path to the script to run
+given_script="./ci.sh"
+
+# Iterate over each configuration
+for config in "${configs[@]}"; do
+    # Split the configuration into rust and target using IFS (Internal Field Separator)
+    IFS='|' read -r rust target <<< "$config"
+    echo "Running $given_script with RUST_VERSION=$rust and TARGET=$target"
+
+    # Export the variables to be used in the given script
+    export RUST_VERSION=$rust
+    export TARGET=$target
+
+    # Run the given script with the set environment variables
+    $given_script
+
+    echo "Finished running $given_script with RUST_VERSION=$rust and TARGET=$target"
+done
+
+
diff --git a/ci_tools.sh b/ci_tools.sh
@@ -15,7 +15,7 @@ check_sha512() {
         Linux)
             sha512sum -c <<< "$hash *$file"
             ;;
-        Darwin)
+        Darwin*)
             shasum -a 512 -c <<< "$hash *$file"
             ;;
         MINGW64_NT-*)
@@ -28,25 +28,6 @@ check_sha512() {
     esac
 }
 
-# function for downloading pre-built `cargo-nextest` on various platforms
-download_cargo_nextest() {
-    local platform="$1"
-    local cargo_nextest_hash="$2"
-    local url="$3"
-    echo "Check if need to download pre-built $platform 'cargo-nextest'"
-    if ! check_sha512 "${cargo_nextest_hash}" "${CARGO_HOME:-$HOME/.cargo}/bin/cargo-nextest"; then
-        case $platform in
-            MINGW64-*)
-                curl -LsSf "$url" -o temp.zip && unzip -d "${CARGO_HOME:-$HOME/.cargo}/bin" temp.zip && rm temp.zip
-                ;;
-            *)
-                curl -LsSf "$url" | tar zxf - -C "${CARGO_HOME:-$HOME/.cargo}/bin"
-                ;;
-        esac
-        check_sha512 "${cargo_nextest_hash}" "${CARGO_HOME:-$HOME/.cargo}/bin/cargo-nextest"
-    fi
-}
-
 aarch64_cross_toolchain_hash=c8ee0e7fd58f5ec6811e3cec5fcdd8fc47cb2b49fb50e9d7717696ddb69c812547b5f389558f62dfbf9db7d6ad808a5a515cc466b8ea3e9ab3daeb20ba1adf33
 # save to directory that will be cached
 aarch64_cross_toolchain_save_path=${repo_root}/target/aarch64-linux-musl-cross.tgz
@@ -59,24 +40,3 @@ if [ "$TARGET" == "aarch64-unknown-linux-musl" ]; then
     tar -xf ${aarch64_cross_toolchain_save_path} -C /tmp;
 fi
 
-# download pre-built `cargo-nextest`
-kernel=$(uname)
-architecture=$(uname -m)
-case "$kernel-$architecture" in
-  Linux-x86_64 | Linux-amd64)
-    download_cargo_nextest "amd64" "d22ce5799f3056807fd0cd8223a290c7153a5f084d5ab931fce755c2cabd33f79c0f75542eb724fe07a7ca083f415ec1f84edc46584b06df43d97a0ff91018da" "https://get.nexte.st/0.9.52/linux"
-    ;;
-  Linux-arm64)
-    download_cargo_nextest "arm64" "cff3297c84560de8693e7f887fcf6cf33ab0036e27a9debf2b0a0832094555335f34dc30d0f9d1128ce8472dcb4594a3cf33be2357b19dcc94269b58090cc1a9" "https://get.nexte.st/0.9.52/linux-arm"
-    ;;
-  Darwin-x86_64)
-    download_cargo_nextest "Darwin-amd64" "0bb8b77ce019de3d06ee6b7382d830ed67309f187781e0de3866a0635879b494c7db48d55eee7553cfaa0bfca59abd8f8540a6d81ed703f06f9c81514d20073d" "https://get.nexte.st/0.9.52/mac"
-    ;;
-  MINGW64_NT-*-x86_64)
-    download_cargo_nextest "MINGW64-amd64" "3ffd504a4ef0b4b5e988457e6c525e62bd030d46b8f303f1c4e83a9a8ba89aef34bb239e23f391d1dddb75bea6ff074499153b2c71b06338a05d74916408de9c" "https://get.nexte.st/0.9.52/windows"
-    ;;
-  *)
-    echo "Unknown platform '$kernel-$architecture'"
-    exit 1
-    ;;
-esac
diff --git a/mbedtls-platform-support/Cargo.toml b/mbedtls-platform-support/Cargo.toml
@@ -44,3 +44,9 @@ custom_gmtime_r = ["mbedtls-sys-auto/custom_gmtime_r", "chrono"]
 custom_time = ["mbedtls-sys-auto/custom_time", "chrono"]
 force_aesni_support = ["mbedtls-sys-auto/custom_has_support","mbedtls-sys-auto/aes_alt", "aesni"]
 aesni = ["mbedtls-sys-auto/aesni"]
+
+[lints.rust]
+unexpected_cfgs = { level = "warn", check-cfg = [
+    'cfg(sys_threading_component, values("custom"))',
+    'cfg(sys_time_component, values("custom"))',
+] }
diff --git a/mbedtls-sys/Cargo.toml b/mbedtls-sys/Cargo.toml
@@ -72,3 +72,10 @@ custom_time = ["time"]
 custom_gmtime_r = ["time"]
 # deprecated features, these don't do anything anymore, can be removed on major version bump
 pthread = ["threading"]
+
+[lints.rust]
+unexpected_cfgs = { level = "warn", check-cfg = [
+    'cfg(std_component, values("fs"))',
+    'cfg(threading_component, values("pthread"))',
+    'cfg(time_component, values("custom", "libc"))',
+] }
diff --git a/mbedtls-sys/build/cmake.rs b/mbedtls-sys/build/cmake.rs
@@ -28,11 +28,16 @@ impl super::BuildConfig {
             cmk.define("CMAKE_C_COMPILER_FORCED", "TRUE");
         }
 
+        println!("cargo:rerun-if-env-changed=RUST_MBED_C_COMPILER_BAREMETAL");
+        let c_compiler_baremetal = std::env::var("RUST_MBED_C_COMPILER_BAREMETAL")
+            .map(|val| val == "1")
+            .unwrap_or_default();
+
         let target = std::env::var("TARGET").expect("TARGET environment variable should be set in build scripts");
         // thumbv6m-none-eabi, thumbv7em-none-eabi, thumbv7em-none-eabihf,
         // thumbv7m-none-eabi probably use arm-none-eabi-gcc which can cause the
         // cmake compiler test to fail.
-        if target.starts_with("thumbv") && target.contains("none-eabi") {
+        if target.starts_with("thumbv") && target.contains("none-eabi") || c_compiler_baremetal {
             // When building on Linux, -rdynamic flag is added automatically. Changing the
             // CMAKE_SYSTEM_NAME to Generic avoids this.
             cmk.define("CMAKE_SYSTEM_NAME", "Generic");

diff --git a/mbedtls-sys/build/features.rs b/mbedtls-sys/build/features.rs
@@ -36,21 +36,21 @@ impl Features {
             self.with_feature("c_compiler").unwrap().insert("freestanding");
         }
         if let Some(components) = self.with_feature("threading") {
-            if !have_custom_threading && env_have_target_cfg("family", "unix") {
+            if !have_custom_threading && env_have_target_family("unix") {
                 components.insert("pthread");
             } else {
                 components.insert("custom");
             }
         }
         if let Some(components) = self.with_feature("std") {
-            if env_have_target_cfg("family", "unix") || env_have_target_cfg("family", "windows") {
+            if env_have_target_family("unix") || env_have_target_family("windows") {
                 components.insert("net");
                 components.insert("fs");
                 components.insert("entropy");
             }
         }
         if let Some(components) = self.with_feature("time") {
-            if !have_custom_gmtime_r && (env_have_target_cfg("family", "unix") || env_have_target_cfg("family", "windows")) {
+            if !have_custom_gmtime_r && (env_have_target_family("unix") || env_have_target_family("windows")) {
                 components.insert("libc");
             } else {
                 components.insert("custom");
@@ -100,6 +100,10 @@ fn env_have_target_cfg(var: &'static str, value: &'static str) -> bool {
     env::var_os(env).map_or(false, |s| s == value)
 }
 
+fn env_have_target_family(value: &'static str) -> bool {
+    env::var("CARGO_CFG_TARGET_FAMILY").map_or(false, |var| var.split(",").any(|s| s == value))
+}
+
 fn env_have_feature(feature: &'static str) -> bool {
     let env = format!("CARGO_FEATURE_{}", feature).to_uppercase().replace("-", "_");
     env::var_os(env).is_some()

diff --git a/mbedtls/Cargo.toml b/mbedtls/Cargo.toml
@@ -151,4 +151,13 @@ harness = false
 
 [[bench]]
 name = "cipher"
-harness = false
+harness = false
+
+[lints.rust]
+unexpected_cfgs = { level = "warn", check-cfg = [
+    'cfg(nightly)',
+    'cfg(sys_threading_component, values("custom"))',
+    'cfg(sys_time_component, values("custom"))',
+    'cfg(sys_std_component, values("entropy", "net"))',
+    'cfg(time_component, values("custom", "libc"))',
+] }
diff --git a/mbedtls/build.rs b/mbedtls/build.rs
@@ -6,22 +6,43 @@
  * option. This file may not be copied, modified, or distributed except
  * according to those terms. */
 
+use std::collections::hash_map::DefaultHasher;
 use std::collections::{HashMap, HashSet};
-use std::env;
+use std::hash::{Hash, Hasher};
 
 use rustc_version::Channel;
+use std::env;
 
-/// Return the crate hash that Cargo will be passing to `rustc -C metadata=`.
-// If there's a panic in this code block, that means Cargo's way of running the
-// build script has changed, and this code should be updated to handle the new
-// case.
-fn get_compilation_metadata_hash() -> String {
+/// Retrieves or generates a metadata value used for symbol name mangling to ensure unique C symbols.
+/// When building with Cargo, the metadata value is extracted from the OUT_DIR environment variable.
+/// For Bazel builds, this method generate the suffix by hashing part of the crate OUT_DIR,
+/// which are sufficient for ensuring symbol uniqueness.
+fn get_compilation_symbol_suffix() -> String {
     let out_dir: std::path::PathBuf = std::env::var_os("OUT_DIR").unwrap().into();
-    let mut out_dir_it = out_dir.iter().rev();
-    assert_eq!(out_dir_it.next().unwrap(), "out");
-    let crate_ = out_dir_it.next().unwrap().to_string_lossy();
-    assert!(crate_.starts_with("mbedtls-"));
-    crate_[8..].to_owned()
+    let mut out_dir_it_rev = out_dir.iter().rev();
+    if out_dir_it_rev.next().map_or(false, |p| p == "out") {
+        // If Cargo is used as build system.
+        let crate_ = out_dir_it_rev
+            .next()
+            .expect("Expected OUT_DIR to have at least 2 components")
+            .to_str()
+            .expect("Expected second to last component of OUT_DIR to be a valid UTF-8 string");
+        assert!(
+            crate_.starts_with("mbedtls-"),
+            "Expected second to last component of OUT_DIR to start with 'mbedtls-'"
+        );
+        return crate_[8..].to_owned(); // Return the part after "mbedtls-"
+    } else if out_dir.iter().rfind(|p| *p == "bazel-out").is_some() {
+        // If Bazel is used as build system.
+        let mut hasher = DefaultHasher::new();
+        // Reverse the iterator and hash until we find "bazel-out"
+        for p in out_dir.iter().rev().take_while(|p| *p != "bazel-out") {
+            p.hash(&mut hasher);
+        }
+        return format!("{:016x}", hasher.finish());
+    } else {
+        panic!("unexpected OUT_DIR format: {}", out_dir.display());
+    }
 }
 
 fn main() {
@@ -31,9 +52,9 @@ fn main() {
             println!("cargo:rustc-cfg=nightly");
         }
     }
-
-    let metadata_hash = get_compilation_metadata_hash();
-    println!("cargo:rustc-env=RUST_MBEDTLS_METADATA_HASH={}", metadata_hash);
+    let symbol_suffix = get_compilation_symbol_suffix();
+    println!("cargo:rustc-env=RUST_MBEDTLS_SYMBOL_SUFFIX={}", symbol_suffix);
+    println!("cargo:rerun-if-env-changed=CARGO_PKG_VERSION");
 
     let env_components = env::var("DEP_MBEDTLS_PLATFORM_COMPONENTS").unwrap();
     let mut sys_platform_components = HashMap::<_, HashSet<_>>::new();
@@ -48,7 +69,7 @@ fn main() {
     b.include(env::var_os("DEP_MBEDTLS_INCLUDE").unwrap());
     let config_file = format!(r#""{}""#, env::var("DEP_MBEDTLS_CONFIG_H").unwrap());
     b.define("MBEDTLS_CONFIG_FILE", Some(config_file.as_str()));
-    b.define("RUST_MBEDTLS_METADATA_HASH", Some(metadata_hash.as_str()));
+    b.define("RUST_MBEDTLS_SYMBOL_SUFFIX", Some(symbol_suffix.as_str()));
 
     b.file("src/mbedtls_malloc.c");
     if sys_platform_components

diff --git a/mbedtls/src/alloc.rs b/mbedtls/src/alloc.rs
@@ -16,9 +16,9 @@ use cstr_core::CStr;
 use mbedtls_sys::types::raw_types::{c_char, c_void};
 
 extern "C" {
-    #[link_name = concat!("forward_mbedtls_free_", env!("RUST_MBEDTLS_METADATA_HASH"))]
+    #[link_name = concat!("forward_mbedtls_free_", env!("RUST_MBEDTLS_SYMBOL_SUFFIX"))]
     pub(crate) fn mbedtls_free(n: *mut mbedtls_sys::types::raw_types::c_void);
-    #[link_name = concat!("forward_mbedtls_calloc_", env!("RUST_MBEDTLS_METADATA_HASH"))]
+    #[link_name = concat!("forward_mbedtls_calloc_", env!("RUST_MBEDTLS_SYMBOL_SUFFIX"))]
     pub(crate) fn mbedtls_calloc(
         n: mbedtls_sys::types::size_t,
         size: mbedtls_sys::types::size_t,

diff --git a/mbedtls/src/mbedtls_malloc.c b/mbedtls/src/mbedtls_malloc.c
@@ -21,10 +21,13 @@
 #define mbedtls_free      free
 #endif
 
-// Use several macros to get the preprocessor to actually replace RUST_MBEDTLS_METADATA_HASH
+// Use several macros to get the preprocessor to actually replace RUST_MBEDTLS_SYMBOL_SUFFIX.
+// This code handles cases where `mbedtls_calloc` and `mbedtls_free` may be macros instead of functions,
+// which Bindgen has trouble with. The `APPEND_METADATA_HASH` macro appends a suffix from `RUST_MBEDTLS_SYMBOL_SUFFIX`
+// to ensure proper symbol linkage, regardless of whether the original mbedtls functions are macros or symbols.
 #define append_macro_inner(a, b) a##_##b
 #define append_macro(a, b) append_macro_inner(a, b)
-#define APPEND_METADATA_HASH(f) append_macro(f, RUST_MBEDTLS_METADATA_HASH)
+#define APPEND_METADATA_HASH(f) append_macro(f, RUST_MBEDTLS_SYMBOL_SUFFIX)
 
 extern void *APPEND_METADATA_HASH(forward_mbedtls_calloc)( size_t n, size_t size ) {
     return mbedtls_calloc(n, size);

diff --git a/mbedtls/src/rng/rdrand.rs b/mbedtls/src/rng/rdrand.rs
@@ -18,6 +18,8 @@ use core::arch::x86_64::{_rdrand64_step as _rdrand_step, _rdseed64_step as _rdse
 
 // Intel documentation claims that if hardware is working RDRAND will produce
 // output after at most 10 attempts
+// https://www.intel.com/content/www/us/en/developer/articles/guide/intel-digital-random-number-generator-drng-software-implementation-guide.html
+// section 5.2.1
 const RDRAND_READ_ATTEMPTS: usize = 10;
 
 // Intel does not document the number of times RDSEED might consecutively fail,