
Use explicit check for X509 path length #11570

Workflow file for this run

# Workflow-level settings shared by every job: triggers, run de-duplication,
# common environment variables and the token permissions.
name: aws-lc-rs tests

# Triggered by pushes and by pull requests.
# NOTE(review): the '*' pattern does not match branch names that contain '/';
# '**' would. Confirm that excluding such branches is intended.
on:
  push:
    branches:
      - '*'
  pull_request:
    branches:
      - '*'

# One active run per workflow name and ref name; a newer run cancels the one
# still in progress.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref_name }}
  cancel-in-progress: true

env:
  # Go module proxy, falling back to direct fetches.
  GOPROXY: https://proxy.golang.org,direct
  # Quoted like the other env values in this file; the runner exports it as
  # the string "1" either way.
  RUST_BACKTRACE: "1"

# Least privilege: the job token gets read access to repository contents and
# no other scope, for every job in this workflow.
permissions:
  contents: read
jobs:
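# Full bindings pre-generation test on Linux (x86_64-unknown-linux-gnu)
  aws-lc-rs-linux:
    # Flow: check out aws-lc-rs, swap its aws-lc submodule for the ref under
    # test, regenerate symbols, prefix headers and bindings, then run the
    # aws-lc-sys and aws-lc-rs test suites.
    #
    # Skipped when the workflow runs in a repository not owned by 'aws'.
    if: github.repository_owner == 'aws'
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): the `uses:` entries in this job reference mutable tags
      # or branches (@v4, @stable). Pinning each to a full commit SHA keeps a
      # moved ref from changing what this job executes.
      #
      # persist-credentials: false keeps the job token out of .git/config;
      # later steps build and run code from the checked-out trees, so the
      # token should not be left readable on disk.
      - uses: actions/checkout@v4
        with:
          repository: aws/aws-lc-rs
          path: ./aws-lc-rs
          submodules: 'recursive'
          persist-credentials: false
      - name: Remove aws-lc submodule from crate directory
        working-directory: ./aws-lc-rs/aws-lc-sys
        shell: bash
        run: rm -rf aws-lc
      # No `repository:` or `ref:` is given, so this checks out the ref that
      # triggered the run, into the path the submodule occupied.
      - uses: actions/checkout@v4
        with:
          path: ./aws-lc-rs/aws-lc-sys/aws-lc
          persist-credentials: false
      - uses: dtolnay/rust-toolchain@stable
        with:
          components: 'rustfmt'
      - uses: actions/setup-go@v4
        with:
          go-version: '>=1.20'
      # --locked builds with the lockfile published with the crate.
      - name: Install ripgrep
        run: cargo install --force --locked ripgrep --features pcre2
      # The AWS_LC_SYS_* variables are presumably read by the aws-lc-sys
      # build; their exact meaning is defined in aws-lc-rs, not in this file.
      - name: No-prefix build
        working-directory: ./aws-lc-rs
        env:
          AWS_LC_SYS_NO_PREFIX: "1"
          AWS_LC_SYS_C_STD: "99"
        run: cargo test -p aws-lc-sys --features bindgen
      # Empties and recreates the output directories before collecting, so
      # files from the aws-lc-rs checkout do not carry over.
      - name: Collect symbols
        working-directory: ./aws-lc-rs
        run: |
          rm -rf ./aws-lc-sys/symbols/* ./aws-lc-sys/generated-include/*
          mkdir -p ./aws-lc-sys/symbols ./aws-lc-sys/generated-include/openssl
          ./scripts/build/collect_symbols.sh -c aws-lc-sys
      - name: Generate prefix headers
        working-directory: ./aws-lc-rs
        run: ./scripts/generate/_generate_prefix_headers.sh -c aws-lc-sys
      - name: Update sys-crate metadata
        working-directory: ./aws-lc-rs
        run: ./scripts/ci/update_sys_crate_metadata.sh aws-lc-sys
      - name: Update cc-builder source configuration
        working-directory: ./aws-lc-rs
        run: |
          ./aws-lc-sys/scripts/cc_builder/universal.sh
          ./aws-lc-sys/scripts/cc_builder/linux_x86_64.sh
      - name: Clean
        working-directory: ./aws-lc-rs
        run: cargo clean
      - name: Generate bindings
        working-directory: ./aws-lc-rs
        env:
          AWS_LC_SYS_PREGENERATING_BINDINGS: "1"
        run: cargo test -p aws-lc-sys --features bindgen
      # Final check: rebuild from scratch without the bindgen feature and run
      # both crates' tests.
      - name: Test with cc-builder
        working-directory: ./aws-lc-rs
        env:
          AWS_LC_SYS_CMAKE_BUILDER: "0"
        run: |
          cargo clean
          cargo test -p aws-lc-sys
          cargo test -p aws-lc-rs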
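# Full bindings pre-generation test on macOS (aarch64-apple-darwin)
  aws-lc-rs-macos:
    # Same flow as the Linux job: check out aws-lc-rs, swap its aws-lc
    # submodule for the ref under test, regenerate symbols, prefix headers
    # and bindings, then run the aws-lc-sys and aws-lc-rs test suites.
    #
    # Skipped when the workflow runs in a repository not owned by 'aws'.
    if: github.repository_owner == 'aws'
    runs-on: macos-latest
    steps:
      # NOTE(review): the `uses:` entries in this job reference mutable tags
      # or branches (@v4, @stable). Pinning each to a full commit SHA keeps a
      # moved ref from changing what this job executes.
      #
      # persist-credentials: false keeps the job token out of .git/config;
      # later steps build and run code from the checked-out trees, so the
      # token should not be left readable on disk.
      - uses: actions/checkout@v4
        with:
          repository: aws/aws-lc-rs
          path: ./aws-lc-rs
          submodules: 'recursive'
          persist-credentials: false
      - name: Remove aws-lc submodule from crate directory
        working-directory: ./aws-lc-rs/aws-lc-sys
        shell: bash
        run: rm -rf aws-lc
      # No `repository:` or `ref:` is given, so this checks out the ref that
      # triggered the run, into the path the submodule occupied.
      - uses: actions/checkout@v4
        with:
          path: ./aws-lc-rs/aws-lc-sys/aws-lc
          persist-credentials: false
      - uses: dtolnay/rust-toolchain@stable
        with:
          components: 'rustfmt'
      - uses: actions/setup-go@v4
        with:
          go-version: '>=1.20'
      # The Homebrew bash installed here is the one named by the
      # `shell: /opt/homebrew/bin/bash {0}` steps further down.
      - name: Install Bash and ripgrep
        run: brew install bash ripgrep
      # The AWS_LC_SYS_* variables are presumably read by the aws-lc-sys
      # build; their exact meaning is defined in aws-lc-rs, not in this file.
      - name: No-prefix build
        working-directory: ./aws-lc-rs
        env:
          AWS_LC_SYS_NO_PREFIX: "1"
          AWS_LC_SYS_C_STD: "99"
        run: cargo test -p aws-lc-sys --features bindgen
      # Empties and recreates the output directories before collecting, so
      # files from the aws-lc-rs checkout do not carry over.
      - name: Collect symbols
        working-directory: ./aws-lc-rs
        run: |
          rm -rf ./aws-lc-sys/symbols/* ./aws-lc-sys/generated-include/*
          mkdir -p ./aws-lc-sys/symbols ./aws-lc-sys/generated-include/openssl
          ./scripts/build/collect_symbols.sh -c aws-lc-sys
      # Custom shell: `{0}` is replaced with the path of the script file the
      # runner writes for the step.
      - name: Generate prefix headers
        working-directory: ./aws-lc-rs
        shell: /opt/homebrew/bin/bash {0}
        run: ./scripts/generate/_generate_prefix_headers.sh -c aws-lc-sys
      - name: Update sys-crate metadata
        working-directory: ./aws-lc-rs
        shell: /opt/homebrew/bin/bash {0}
        run: ./scripts/ci/update_sys_crate_metadata.sh aws-lc-sys
      - name: Update cc-builder source configuration
        working-directory: ./aws-lc-rs
        shell: /opt/homebrew/bin/bash {0}
        run: |
          ./aws-lc-sys/scripts/cc_builder/universal.sh
          ./aws-lc-sys/scripts/cc_builder/apple_aarch64.sh
      - name: Clean
        working-directory: ./aws-lc-rs
        run: cargo clean
      - name: Generate bindings
        working-directory: ./aws-lc-rs
        env:
          AWS_LC_SYS_PREGENERATING_BINDINGS: "1"
        run: cargo test -p aws-lc-sys --features bindgen
      # Final check: rebuild from scratch without the bindgen feature and run
      # both crates' tests.
      - name: Test with cc-builder
        working-directory: ./aws-lc-rs
        env:
          AWS_LC_SYS_CMAKE_BUILDER: "0"
        run: |
          cargo clean
          cargo test -p aws-lc-sys
          cargo test -p aws-lc-rs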
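# Full bindings pre-generation test on Windows (x86_64-pc-windows-msvc)
  aws-lc-rs-windows:
    # Same flow as the Linux job, with every cargo invocation targeting
    # x86_64-pc-windows-msvc. Steps that run shell scripts set `shell: bash`
    # explicitly; the remaining steps use the runner's default shell.
    #
    # Skipped when the workflow runs in a repository not owned by 'aws'.
    if: github.repository_owner == 'aws'
    runs-on: windows-latest
    steps:
      # NOTE(review): the `uses:` entries in this job reference mutable tags
      # or branches (@v4, @stable, @v1). Pinning each to a full commit SHA
      # keeps a moved ref from changing what this job executes.
      #
      # persist-credentials: false keeps the job token out of .git/config;
      # later steps build and run code from the checked-out trees, so the
      # token should not be left readable on disk.
      - uses: actions/checkout@v4
        with:
          repository: aws/aws-lc-rs
          path: ./aws-lc-rs
          submodules: 'recursive'
          persist-credentials: false
      - name: Remove aws-lc submodule from crate directory
        working-directory: ./aws-lc-rs/aws-lc-sys
        shell: bash
        run: rm -rf aws-lc
      # No `repository:` or `ref:` is given, so this checks out the ref that
      # triggered the run, into the path the submodule occupied.
      - uses: actions/checkout@v4
        with:
          path: ./aws-lc-rs/aws-lc-sys/aws-lc
          persist-credentials: false
      - uses: dtolnay/rust-toolchain@stable
        with:
          toolchain: stable
          target: x86_64-pc-windows-msvc
          components: 'rustfmt'
      - uses: ilammy/setup-nasm@v1
      - uses: actions/setup-go@v4
        with:
          go-version: '>=1.20'
      # The AWS_LC_SYS_* variables are presumably read by the aws-lc-sys
      # build; their exact meaning is defined in aws-lc-rs, not in this file.
      - name: No-prefix build
        working-directory: ./aws-lc-rs
        env:
          AWS_LC_SYS_NO_PREFIX: "1"
          AWS_LC_SYS_C_STD: "99"
        run: cargo test -p aws-lc-sys --features bindgen --target x86_64-pc-windows-msvc
      # Empties and recreates the output directories, so files from the
      # aws-lc-rs checkout do not carry over into the collection step.
      - name: Delete current symbol files and headers
        working-directory: ./aws-lc-rs
        shell: bash
        run: |
          rm -rf ./aws-lc-sys/symbols/* ./aws-lc-sys/generated-include/*
          mkdir -p ./aws-lc-sys/symbols ./aws-lc-sys/generated-include/openssl
      - name: Collect symbols
        working-directory: ./aws-lc-rs
        shell: bash
        run: ./scripts/build/collect_symbols.sh -c aws-lc-sys -t x86_64-pc-windows-msvc
      - name: Generate prefix headers
        working-directory: ./aws-lc-rs
        shell: bash
        run: ./scripts/generate/_generate_prefix_headers.sh -c aws-lc-sys
      - name: Update sys-crate metadata
        working-directory: ./aws-lc-rs
        shell: bash
        run: ./scripts/ci/update_sys_crate_metadata.sh aws-lc-sys
      # --locked builds with the lockfile published with the crate.
      - name: Install ripgrep
        run: cargo install --force --locked ripgrep --features pcre2
      - name: Update cc-builder source configuration
        working-directory: ./aws-lc-rs
        shell: bash
        run: |
          ./aws-lc-sys/scripts/cc_builder/universal.sh
          ./aws-lc-sys/scripts/cc_builder/win_x86_64.sh
      - name: Clean
        working-directory: ./aws-lc-rs
        run: cargo clean
      - name: Generate bindings
        working-directory: ./aws-lc-rs
        env:
          AWS_LC_SYS_PREGENERATING_BINDINGS: "1"
        run: cargo test -p aws-lc-sys --features bindgen --target x86_64-pc-windows-msvc
      # Final check: rebuild from scratch without the bindgen feature and run
      # both crates' tests.
      - name: Test with cc-builder
        working-directory: ./aws-lc-rs
        env:
          AWS_LC_SYS_CMAKE_BUILDER: "0"
        run: |
          cargo clean
          cargo test -p aws-lc-sys --target x86_64-pc-windows-msvc
          cargo test -p aws-lc-rs --target x86_64-pc-windows-msvc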
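# CMake Rust bindings generation tests
  cmake-rust-bindings:
    # For each matrix entry: configure CMake with GENERATE_RUST_BINDINGS=ON,
    # build the libraries, generate the bindings, check the generated file
    # and its contents, then compile and run a throwaway crate that includes
    # the bindings and links against the built static libraries.
    #
    # Skipped when the workflow runs in a repository not owned by 'aws'.
    if: github.repository_owner == 'aws'
    strategy:
      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
            name: linux
          - os: ubuntu-latest
            name: linux-prefix
            prefix: AWSLC_PREFIX
          - os: macos-latest
            name: macos
          - os: macos-latest
            name: macos-prefix
            prefix: AWSLC_PREFIX
          - os: windows-latest
            name: windows
          - os: ubuntu-latest
            name: linux-no-ssl
            # Quoted: a bare OFF is read as boolean false by YAML 1.1
            # parsers, and the steps below compare against the string "OFF".
            build_libssl: 'OFF'
    runs-on: ${{ matrix.os }}
    name: cmake-rust-bindings (${{ matrix.name }})
    steps:
      # NOTE(review): the `uses:` entries in this job reference mutable tags
      # or branches (@v4, @stable, @v1). Pinning each to a full commit SHA
      # keeps a moved ref from changing what this job executes.
      #
      # persist-credentials: false keeps the job token out of .git/config;
      # later steps build and run code from the checked-out tree, so the
      # token should not be left readable on disk.
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: dtolnay/rust-toolchain@stable
        with:
          components: 'rustfmt'
      - uses: ilammy/setup-nasm@v1
        if: runner.os == 'Windows'
      - uses: actions/setup-go@v4
        with:
          go-version: '>=1.20'
      # --locked builds with the lockfile published with the crate.
      - name: Install bindgen-cli
        run: cargo install --force --locked bindgen-cli
      # Prefix builds need a non-prefixed build first to collect symbols
      - name: Generate prefix symbols file
        if: matrix.prefix
        shell: bash
        run: |
          cmake -B build-noprefix -DBUILD_TESTING=OFF
          cmake --build build-noprefix
          go run ./util/read_symbols.go build-noprefix/crypto/libcrypto.a > symbols.txt
          go run ./util/read_symbols.go build-noprefix/ssl/libssl.a >> symbols.txt
          echo "Collected $(wc -l < symbols.txt) symbols"
      # Matrix values reach the scripts through `env:` rather than being
      # expanded into the script text. They are static values from this file
      # today; the indirection keeps the scripts safe from expression
      # injection if the matrix is ever fed from an input.
      - name: Configure with Rust bindings generation
        shell: bash
        env:
          MATRIX_PREFIX: ${{ matrix.prefix }}
          MATRIX_BUILD_LIBSSL: ${{ matrix.build_libssl }}
        run: |
          cmake_args="-DGENERATE_RUST_BINDINGS=ON -DBUILD_TESTING=OFF"
          if [ -n "${MATRIX_PREFIX}" ]; then
            cmake_args="$cmake_args -DBORINGSSL_PREFIX=${MATRIX_PREFIX}"
            cmake_args="$cmake_args -DBORINGSSL_PREFIX_SYMBOLS=$(pwd)/symbols.txt"
          fi
          if [ "${MATRIX_BUILD_LIBSSL}" = "OFF" ]; then
            cmake_args="$cmake_args -DBUILD_LIBSSL=OFF"
          fi
          # Left unquoted on purpose so the flags split into separate arguments.
          cmake -B build $cmake_args
      - name: Build libraries
        run: cmake --build build --config Release
      - name: Generate bindings
        run: cmake --build build --target rust_bindings --config Release --verbose
      - name: Verify bindings file exists
        shell: bash
        run: |
          if [ ! -f build/rust/aws_lc_bindings.rs ]; then
            echo "ERROR: Rust bindings file was not generated"
            exit 1
          fi
          echo "Generated bindings file size: $(wc -c < build/rust/aws_lc_bindings.rs) bytes"
          echo "Generated bindings line count: $(wc -l < build/rust/aws_lc_bindings.rs) lines"
      - name: Verify bindings content
        shell: bash
        env:
          MATRIX_PREFIX: ${{ matrix.prefix }}
          MATRIX_BUILD_LIBSSL: ${{ matrix.build_libssl }}
        run: |
          # Verify SSL bindings based on BUILD_LIBSSL setting (defaults to ON)
          if [ "${MATRIX_BUILD_LIBSSL}" != "OFF" ]; then
            if ! grep -q "pub fn SSL_new" build/rust/aws_lc_bindings.rs; then
              echo "ERROR: Expected SSL_new function not found"
              exit 1
            fi
          else
            if grep -q "pub fn SSL_new" build/rust/aws_lc_bindings.rs; then
              echo "ERROR: Unexpected SSL_new found in BUILD_LIBSSL=OFF build"
              exit 1
            fi
            echo "Confirmed: SSL bindings correctly excluded"
          fi
          if [ -n "${MATRIX_PREFIX}" ]; then
            # Prefix builds: link_name attributes should contain the prefix.
            # The exact format varies by platform (e.g., _PREFIX_ on macOS vs PREFIX_ on Linux).
            if ! grep -q "link_name.*${MATRIX_PREFIX}_" build/rust/aws_lc_bindings.rs; then
              echo "ERROR: Expected prefixed link_name attributes not found"
              exit 1
            fi
            if ! grep -B1 "pub fn SSL_new" build/rust/aws_lc_bindings.rs | grep -q "link_name.*${MATRIX_PREFIX}_"; then
              echo "ERROR: SSL_new should have ${MATRIX_PREFIX}_ prefixed link_name"
              exit 1
            fi
          else
            # Non-prefix builds should not have link_name attributes
            if grep -q '#\[link_name' build/rust/aws_lc_bindings.rs; then
              echo "ERROR: Unexpected link_name attributes found in no-prefix build"
              exit 1
            fi
          fi
          echo "Bindings content verification passed"
      # Writes a minimal crate under RUNNER_TEMP. The heredocs use a quoted
      # 'EOF' delimiter, so the shell expands nothing inside them and the
      # files are written exactly as listed.
      - name: Verify bindings build and link
        shell: bash
        env:
          MATRIX_BUILD_LIBSSL: ${{ matrix.build_libssl }}
        run: |
          mkdir -p "${RUNNER_TEMP}/test-bindings/src"
          cat > "${RUNNER_TEMP}/test-bindings/Cargo.toml" << 'EOF'
          [package]
          name = "test-bindings"
          version = "0.1.0"
          edition = "2021"
          [[bin]]
          name = "test-bindings"
          path = "src/main.rs"
          EOF
          cat > "${RUNNER_TEMP}/test-bindings/build.rs" << 'EOF'
          use std::env;
          fn main() {
              let build_dir = env::var("CMAKE_BUILD_DIR").expect("CMAKE_BUILD_DIR must be set");
              // Library search paths for single-config generators (Unix Makefiles, Ninja)
              println!("cargo:rustc-link-search=native={}/crypto", build_dir);
              println!("cargo:rustc-link-search=native={}/ssl", build_dir);
              // Library search paths for multi-config generators (Visual Studio)
              println!("cargo:rustc-link-search=native={}/crypto/Release", build_dir);
              println!("cargo:rustc-link-search=native={}/ssl/Release", build_dir);
              println!("cargo:rustc-link-lib=static=crypto");
              if env::var("INCLUDE_SSL").unwrap_or_default() == "1" {
                  println!("cargo:rustc-link-lib=static=ssl");
              }
              // Platform-specific system library dependencies required by aws-lc
              let target_family = env::var("CARGO_CFG_TARGET_FAMILY").unwrap_or_default();
              let target_os = env::var("CARGO_CFG_TARGET_OS").unwrap_or_default();
              if target_family == "unix" {
                  println!("cargo:rustc-link-lib=dylib=pthread");
              }
              if target_os == "windows" {
                  println!("cargo:rustc-link-lib=dylib=ws2_32");
              }
          }
          EOF
          cat > "${RUNNER_TEMP}/test-bindings/src/main.rs" << 'EOF'
          #![allow(clippy::all)]
          #![allow(non_upper_case_globals)]
          #![allow(non_camel_case_types)]
          #![allow(non_snake_case)]
          #![allow(dead_code)]
          #![allow(improper_ctypes)]
          #![allow(unpredictable_function_pointer_comparisons)]
          include!(concat!(env!("BINDINGS_PATH"), "/aws_lc_bindings.rs"));
          fn main() {
              unsafe { CRYPTO_library_init(); }
              println!("Bindings link test passed");
          }
          EOF
          cd "${RUNNER_TEMP}/test-bindings"
          include_ssl="0"
          if [ "${MATRIX_BUILD_LIBSSL}" != "OFF" ]; then
            include_ssl="1"
          fi
          export CMAKE_BUILD_DIR="${GITHUB_WORKSPACE}/build"
          export BINDINGS_PATH="${GITHUB_WORKSPACE}/build/rust"
          export INCLUDE_SSL="${include_ssl}"
          cargo run
          echo "Bindings build, link, and run test passed"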