Files
wolfssl/wrapper/rust/wolfssl-wolfcrypt/build.rs
T
2026-04-17 15:52:07 -04:00

504 lines
20 KiB
Rust

extern crate bindgen;
use regex::Regex;
use std::env;
use std::fs;
use std::io::{self, Read, Result};
use std::path::{Path,PathBuf};
/// Perform crate build.
fn main() {
if let Err(e) = run_build() {
eprintln!("Build failed: {}", e);
std::process::exit(1);
}
}
/// Perform all build steps.
///
/// Returns `Ok(())` if successful, or an error if any step fails.
fn run_build() -> Result<()> {
generate_bindings()?;
generate_fips_aliases()?;
setup_wolfssl_link()?;
scan_cfg()?;
Ok(())
}
fn crate_dir() -> Result<String> {
Ok(std::env::current_dir()?.display().to_string())
}
fn wolfssl_repo_base_dir() -> Result<String> {
Ok(format!("{}/../../..", crate_dir()?))
}
fn wolfssl_repo_lib_dir() -> Result<String> {
Ok(format!("{}/src/.libs", wolfssl_repo_base_dir()?))
}
/// Returns the include directory for wolfssl headers.
///
/// If `WOLFSSL_PREFIX` is set, returns `{WOLFSSL_PREFIX}/include`.
/// Otherwise falls back to the repo root if it exists (for in-tree host builds).
fn wolfssl_include_dir() -> Result<Option<String>> {
if let Ok(prefix) = env::var("WOLFSSL_PREFIX") {
let include_dir = format!("{}/include", prefix);
let wolfssl_dir = Path::new(&include_dir).join("wolfssl");
if !wolfssl_dir.is_dir() {
println!("cargo:warning=WOLFSSL_PREFIX is set but {} does not exist", wolfssl_dir.display());
return Ok(None);
}
Ok(Some(include_dir))
} else {
let base = wolfssl_repo_base_dir()?;
let base_path = Path::new(&base);
// Treat this as an in-tree wolfSSL repo only if the expected layout exists.
let wolfssl_dir = base_path.join("wolfssl");
let wolfssl_options = wolfssl_dir.join("options.h");
if wolfssl_options.is_file() {
Ok(Some(base))
} else {
Ok(None)
}
}
}
/// Returns the library directory for libwolfssl.
///
/// If `WOLFSSL_PREFIX` is set, returns `{WOLFSSL_PREFIX}/lib`.
/// Otherwise falls back to the in-tree build output directory if it exists.
fn wolfssl_lib_dir() -> Result<Option<String>> {
if let Ok(prefix) = env::var("WOLFSSL_PREFIX") {
Ok(Some(format!("{}/lib", prefix)))
} else {
let repo_lib_dir = wolfssl_repo_lib_dir()?;
if Path::new(&repo_lib_dir).exists() {
Ok(Some(repo_lib_dir))
} else {
Ok(None)
}
}
}
fn bindings_path() -> String {
PathBuf::from(env::var("OUT_DIR").unwrap()).join("bindings.rs").display().to_string()
}
/// Map a Rust target triple to the equivalent clang target triple.
///
/// Rust triples embed ISA extensions in the arch component
/// (e.g. `riscv64imac-unknown-none-elf`) while clang uses only the base arch
/// (e.g. `riscv64-unknown-elf`). Bare-metal targets use `<arch>-<vendor>-elf`
/// in clang convention.
fn rust_target_to_clang_target(rust_target: &str) -> String {
let parts: Vec<&str> = rust_target.splitn(4, '-').collect();
if parts.len() < 3 {
return rust_target.to_string();
}
// Strip ISA extensions: riscv64imac → riscv64, riscv32imac → riscv32
let arch = if parts[0].starts_with("riscv64") {
"riscv64"
} else if parts[0].starts_with("riscv32") {
"riscv32"
} else {
parts[0]
};
let vendor = parts[1];
let os = parts[2];
let abi = parts.get(3).copied().unwrap_or("");
// Bare-metal: (os=none, abi=elf) → <arch>-<vendor>-elf
if os == "none" && abi == "elf" {
format!("{}-{}-elf", arch, vendor)
} else if abi.is_empty() {
format!("{}-{}-{}", arch, vendor, os)
} else {
format!("{}-{}-{}-{}", arch, vendor, os, abi)
}
}
/// Return the sysroot path for a bare-metal clang target triple, if it exists.
///
/// Queries the cross-compiler for its sysroot via `--print-sysroot` rather
/// than assuming a fixed install prefix. Tries the candidate compiler names
/// `<arch>-<vendor>-elf-gcc` and `<arch>-elf-gcc` (vendor omitted) in order.
/// Returns `None` if no suitable compiler is found or its sysroot is invalid.
fn bare_metal_sysroot(clang_target: &str) -> Option<String> {
let parts: Vec<&str> = clang_target.splitn(3, '-').collect();
if parts.len() < 3 || !clang_target.ends_with("-elf") {
return None;
}
let (arch, vendor) = (parts[0], parts[1]);
let candidates = [
format!("{}-{}-elf-gcc", arch, vendor),
format!("{}-elf-gcc", arch),
];
for compiler in &candidates {
if let Ok(output) = std::process::Command::new(compiler)
.arg("--print-sysroot")
.output()
&& output.status.success() {
let sysroot = String::from_utf8_lossy(&output.stdout).trim().to_string();
if !sysroot.is_empty() && sysroot != "/" && Path::new(&sysroot).exists() {
return Some(sysroot);
}
}
}
None
}
/// Generate Rust bindings for the wolfssl C library using bindgen.
///
/// Returns `Ok(())` if successful, or an error if binding generation fails.
fn generate_bindings() -> Result<()> {
let mut builder = bindgen::Builder::default()
.header("headers.h")
.parse_callbacks(Box::new(bindgen::CargoCallbacks::new()))
.use_core();
if let Some(include_dir) = wolfssl_include_dir()? {
builder = builder.clang_arg(format!("-I{}", include_dir));
}
// When cross-compiling, tell clang the target so it generates correct
// type layouts and evaluates architecture-specific preprocessor guards.
let target = env::var("TARGET").unwrap();
let host = env::var("HOST").unwrap();
if target != host {
let clang_target = rust_target_to_clang_target(&target);
builder = builder.clang_arg(format!("--target={}", clang_target));
if target.ends_with("-none-elf") {
// For bare-metal targets, add the toolchain C runtime headers
// (newlib's time.h etc.) using -idirafter so they appear after
// clang's own built-in includes. This lets clang's stdatomic.h
// take priority over newlib's incompatible version.
if let Some(sysroot) = bare_metal_sysroot(&clang_target) {
builder = builder
.clang_arg("-ffreestanding")
.clang_arg(format!("-idirafter{}/include", sysroot));
}
}
}
let bindings = builder
.generate()
.map_err(|_| io::Error::other("Failed to generate bindings"))?;
bindings
.write_to_file(bindings_path())
.map_err(|e| {
io::Error::other(format!("Couldn't write bindings: {}", e))
})
}
/// Generate FIPS symbol aliases.
///
/// Since Rust can't use fips.h's #defines which map the "regular" wc function
/// name to the _fips variant, and since bindgen has only seen the _fips
/// variant, we will generate aliases that allow the non-_fips variant function
/// name to be called without the _fips prefix by Rust sources in a manner
/// similar to which C sources would be able to call the non-_fips variant
/// function name.
///
/// Returns `Ok(())` if successful, or an error if generation fails.
fn generate_fips_aliases() -> Result<()> {
let binding = read_file(bindings_path())?;
let out_dir = PathBuf::from(env::var("OUT_DIR").unwrap());
let aliases_path = out_dir.join("fips_aliases.rs");
let mut aliases = String::new();
// Find all _fips symbol names
let fips_sym_re = Regex::new(r"pub fn (wc_\w+)_fips\s*\(").unwrap();
for cap in fips_sym_re.captures_iter(&binding) {
let mut base_name = &cap[1];
let fips_name = format!("{}_fips", base_name);
// Exception mappings: (standard_name, fips_name)
// For cases where FIPS name doesn't follow the simple <name>_fips pattern
let exceptions: &[(&str, &str)] = &[
// _ex suffix changed to Ex before _fips
("wc_InitRsaKey_ex", "wc_InitRsaKeyEx_fips"),
("wc_RsaPublicEncrypt_ex", "wc_RsaPublicEncryptEx_fips"),
("wc_RsaPrivateDecryptInline_ex", "wc_RsaPrivateDecryptInlineEx_fips"),
("wc_RsaPrivateDecrypt_ex", "wc_RsaPrivateDecryptEx_fips"),
("wc_RsaPSS_Sign_ex", "wc_RsaPSS_SignEx_fips"),
("wc_RsaPSS_VerifyInline_ex", "wc_RsaPSS_VerifyInlineEx_fips"),
("wc_RsaPSS_Verify_ex", "wc_RsaPSS_VerifyEx_fips"),
("wc_RsaPSS_CheckPadding_ex", "wc_RsaPSS_CheckPaddingEx_fips"),
("wc_DhSetKey_ex", "wc_DhSetKeyEx_fips"),
("wc_DhCheckPubKey_ex", "wc_DhCheckPubKeyEx_fips"),
("wc_DhCheckPrivKey_ex", "wc_DhCheckPrivKeyEx_fips"),
// Name change
("wc_PRF_TLS", "wc_PRF_TLSv12_fips"),
];
// Handle exceptions
for (exc_base_name, exc_fips_name) in exceptions {
if fips_name == *exc_fips_name {
base_name = exc_base_name;
break;
}
}
// Check if the non-_fips version exists in bindings
let non_fips_pattern = format!(r"pub fn {}\s*\(", regex::escape(base_name));
let non_fips_re = Regex::new(&non_fips_pattern).unwrap();
if non_fips_re.is_match(&binding) {
// Add any new known names defined with both a _fips suffix and not
// here. Warn if any new ones are discovered.
let known_both = &[
"wc_AesGcmEncrypt",
"wc_AesCcmEncrypt",
];
if !known_both.contains(&base_name) {
println!("cargo:warning=Skipping FIPS symbols alias for {}", base_name);
}
} else {
// Only alias if the base name doesn't already exist
aliases.push_str(&format!("pub use {} as {};\n", fips_name, base_name));
}
}
fs::write(&aliases_path, aliases)?;
Ok(())
}
/// Instruct cargo to link against wolfssl C library
///
/// Returns `Ok(())` if successful, or an error if any step fails.
fn setup_wolfssl_link() -> Result<()> {
if let Some(lib_dir) = wolfssl_lib_dir()? {
println!("cargo:rustc-link-search={}", lib_dir);
// Prefer a shared library if present, otherwise fall back to static.
let has_shared = Path::new(&lib_dir).join("libwolfssl.so").exists()
|| Path::new(&lib_dir).join("libwolfssl.dylib").exists();
if has_shared {
println!("cargo:rustc-link-lib=wolfssl");
// Only set rpath where a dynamic linker exists (not bare-metal).
let target = env::var("TARGET").unwrap();
if !target.ends_with("-none-elf") {
println!("cargo:rustc-link-arg=-Wl,-rpath,{}", lib_dir);
}
} else {
println!("cargo:rustc-link-lib=static=wolfssl");
}
} else {
// No local lib dir found; rely on whatever is installed system-wide.
println!("cargo:rustc-link-lib=wolfssl");
}
Ok(())
}
fn read_file(path: String) -> Result<String> {
let mut file = fs::File::open(path)?;
let mut content = String::new();
file.read_to_string(&mut content)?;
Ok(content)
}
fn check_cfg(binding: &str, function_name: &str, cfg_name: &str) -> bool {
let pattern = format!(r"\b{}(_fips)?\b", function_name);
let re = match Regex::new(&pattern) {
Ok(r) => r,
Err(e) => {
eprintln!("Error compiling regex '{}': {}", pattern, e);
std::process::exit(1);
}
};
println!("cargo::rustc-check-cfg=cfg({})", cfg_name);
if re.is_match(binding) {
println!("cargo:rustc-cfg={}", cfg_name);
true
} else {
false
}
}
fn scan_cfg() -> Result<()> {
let binding = read_file(bindings_path())?;
/* aes */
check_cfg(&binding, "wc_AesSetKey", "aes");
check_cfg(&binding, "wc_AesCbcEncrypt", "aes_cbc");
check_cfg(&binding, "wc_AesCcmSetKey", "aes_ccm");
check_cfg(&binding, "wc_AesCfbEncrypt", "aes_cfb");
check_cfg(&binding, "wc_AesCtrEncrypt", "aes_ctr");
check_cfg(&binding, "wc_AesCtsEncrypt", "aes_cts");
check_cfg(&binding, "wc_AesCfbDecrypt", "aes_decrypt");
check_cfg(&binding, "wc_AesEaxInit", "aes_eax");
check_cfg(&binding, "wc_AesEcbEncrypt", "aes_ecb");
check_cfg(&binding, "wc_AesGcmSetKey", "aes_gcm");
check_cfg(&binding, "wc_AesGcmInit", "aes_gcm_stream");
check_cfg(&binding, "wc_AesOfbEncrypt", "aes_ofb");
check_cfg(&binding, "wc_AesXtsInit", "aes_xts");
check_cfg(&binding, "wc_AesXtsEncryptInit", "aes_xts_stream");
check_cfg(&binding, "WC_AES_BLOCK_SIZE", "aes_wc_block_size");
/* blake2 */
check_cfg(&binding, "wc_InitBlake2b", "blake2b");
check_cfg(&binding, "wc_Blake2bHmac", "blake2b_hmac");
check_cfg(&binding, "wc_InitBlake2s", "blake2s");
check_cfg(&binding, "wc_Blake2sHmac", "blake2s_hmac");
/* chacha20_poly1305 */
check_cfg(&binding, "wc_ChaCha20Poly1305_Encrypt", "chacha20_poly1305");
check_cfg(&binding, "wc_XChaCha20Poly1305_Encrypt", "xchacha20_poly1305");
/* cmac */
check_cfg(&binding, "wc_InitCmac", "cmac");
/* curve25519 */
check_cfg(&binding, "wc_curve25519_make_pub", "curve25519");
check_cfg(&binding, "wc_curve25519_make_pub_blind", "curve25519_blinding");
/* dh */
check_cfg(&binding, "wc_InitDhKey", "dh");
check_cfg(&binding, "wc_DhGenerateParams", "dh_keygen");
check_cfg(&binding, "wc_Dh_ffdhe2048_Get", "dh_ffdhe_2048");
check_cfg(&binding, "wc_Dh_ffdhe3072_Get", "dh_ffdhe_3072");
check_cfg(&binding, "wc_Dh_ffdhe4096_Get", "dh_ffdhe_4096");
check_cfg(&binding, "wc_Dh_ffdhe6144_Get", "dh_ffdhe_6144");
check_cfg(&binding, "wc_Dh_ffdhe8192_Get", "dh_ffdhe_8192");
/* ecc */
check_cfg(&binding, "wc_ecc_init", "ecc");
check_cfg(&binding, "wc_ecc_export_point_der_compressed", "ecc_comp_key");
check_cfg(&binding, "wc_ecc_shared_secret", "ecc_dh");
check_cfg(&binding, "wc_ecc_sign_hash", "ecc_sign");
check_cfg(&binding, "wc_ecc_verify_hash", "ecc_verify");
check_cfg(&binding, "wc_ecc_export_x963", "ecc_export");
check_cfg(&binding, "wc_ecc_import_x963", "ecc_import");
if check_cfg(&binding, "ecc_curve_ids_ECC_CURVE_INVALID", "ecc_curve_ids") {
check_cfg(&binding, "ecc_curve_ids_ECC_SM2P256V1", "ecc_curve_sm2p256v1");
check_cfg(&binding, "ecc_curve_ids_ECC_X25519", "ecc_curve_25519");
check_cfg(&binding, "ecc_curve_ids_ECC_X448", "ecc_curve_448");
check_cfg(&binding, "ecc_curve_ids_ECC_SAKKE_1", "ecc_curve_sakke");
check_cfg(&binding, "ecc_curve_ids_ECC_CURVE_CUSTOM", "ecc_custom_curves");
} else {
check_cfg(&binding, "ecc_curve_id_ECC_SM2P256V1", "ecc_curve_sm2p256v1");
check_cfg(&binding, "ecc_curve_id_ECC_X25519", "ecc_curve_25519");
check_cfg(&binding, "ecc_curve_id_ECC_X448", "ecc_curve_448");
check_cfg(&binding, "ecc_curve_id_ECC_SAKKE_1", "ecc_curve_sakke");
check_cfg(&binding, "ecc_curve_id_ECC_CURVE_CUSTOM", "ecc_custom_curves");
}
/* ed25519 */
check_cfg(&binding, "wc_ed25519_init", "ed25519");
check_cfg(&binding, "wc_ed25519_import_public", "ed25519_import");
check_cfg(&binding, "wc_ed25519_export_public", "ed25519_export");
check_cfg(&binding, "wc_ed25519_sign_msg", "ed25519_sign");
check_cfg(&binding, "wc_ed25519_verify_msg_ex", "ed25519_verify");
check_cfg(&binding, "wc_ed25519_verify_msg_init", "ed25519_streaming_verify");
/* ed448 */
check_cfg(&binding, "wc_ed448_init", "ed448");
check_cfg(&binding, "wc_ed448_import_public", "ed448_import");
check_cfg(&binding, "wc_ed448_export_public", "ed448_export");
check_cfg(&binding, "wc_ed448_sign_msg", "ed448_sign");
check_cfg(&binding, "wc_ed448_verify_msg_ex", "ed448_verify");
check_cfg(&binding, "wc_ed448_verify_msg_init", "ed448_streaming_verify");
/* fips */
check_cfg(&binding, "wc_SetSeed_Cb_fips", "fips");
/* hkdf */
check_cfg(&binding, "wc_HKDF_Extract_ex", "hkdf");
/* hmac */
check_cfg(&binding, "wc_HmacSetKey", "hmac");
check_cfg(&binding, "wc_HmacSetKey_ex", "hmac_setkey_ex");
/* kdf */
check_cfg(&binding, "wc_PBKDF2", "kdf_pbkdf2");
check_cfg(&binding, "wc_PKCS12_PBKDF_ex", "kdf_pkcs12");
check_cfg(&binding, "wc_SRTP_KDF", "kdf_srtp");
check_cfg(&binding, "wc_SSH_KDF", "kdf_ssh");
check_cfg(&binding, "wc_Tls13_HKDF_Extract_ex", "kdf_tls13");
/* prf */
check_cfg(&binding, "wc_PRF", "prf");
/* random */
check_cfg(&binding, "wc_RNG_DRBG_Reseed", "random_hashdrbg");
check_cfg(&binding, "wc_InitRng", "random");
// When WOLFSSL_NO_MALLOC is set without WOLFSSL_STATIC_MEMORY, the
// WC_RNG struct contains an inline `drbg_data` field and wolfCrypt sets
// `rng->drbg = &rng->drbg_data` — a self-referential pointer. Rust
// moves values by memcpy, which would silently invalidate that pointer.
// Detect this configuration and refuse to build.
if binding.contains("drbg_data") {
eprintln!(
"error: wolfSSL appears to be built with WOLFSSL_NO_MALLOC \
(without WOLFSSL_STATIC_MEMORY). This embeds a self-referential \
pointer inside WC_RNG (drbg -> drbg_data) that is incompatible \
with Rust move semantics. Please rebuild wolfSSL without \
WOLFSSL_NO_MALLOC, or enable WOLFSSL_STATIC_MEMORY."
);
std::process::exit(1);
}
/* rsa */
check_cfg(&binding, "wc_InitRsaKey", "rsa");
check_cfg(&binding, "wc_RsaDirect", "rsa_direct");
check_cfg(&binding, "wc_MakeRsaKey", "rsa_keygen");
check_cfg(&binding, "wc_RsaPSS_Sign", "rsa_pss");
check_cfg(&binding, "wc_RsaSetRNG", "rsa_setrng");
check_cfg(&binding, "WC_MGF1SHA512_224", "rsa_mgf1sha512_224");
check_cfg(&binding, "WC_MGF1SHA512_256", "rsa_mgf1sha512_256");
// Detect whether wc_RsaExportKey takes a const first arg (new API) or non-const (old API)
let re = Regex::new(r"pub fn wc_RsaExportKey(_fips)?\s*\(\s*\w+\s*:\s*\*\s*const").unwrap();
println!("cargo::rustc-check-cfg=cfg(rsa_const_api)");
if re.is_match(&binding) {
println!("cargo:rustc-cfg=rsa_const_api");
}
/* dilithium / ML-DSA */
check_cfg(&binding, "wc_dilithium_init", "dilithium");
check_cfg(&binding, "wc_dilithium_make_key", "dilithium_make_key");
check_cfg(&binding, "wc_dilithium_make_key_from_seed", "dilithium_make_key_from_seed");
check_cfg(&binding, "wc_dilithium_sign_ctx_msg", "dilithium_sign");
check_cfg(&binding, "wc_dilithium_sign_ctx_msg_with_seed", "dilithium_sign_with_seed");
check_cfg(&binding, "wc_dilithium_verify_ctx_msg", "dilithium_verify");
check_cfg(&binding, "wc_dilithium_import_public", "dilithium_import");
check_cfg(&binding, "wc_dilithium_export_public", "dilithium_export");
check_cfg(&binding, "wc_dilithium_check_key", "dilithium_check_key");
check_cfg(&binding, "DILITHIUM_LEVEL2_KEY_SIZE", "dilithium_level2");
check_cfg(&binding, "DILITHIUM_LEVEL3_KEY_SIZE", "dilithium_level3");
check_cfg(&binding, "DILITHIUM_LEVEL5_KEY_SIZE", "dilithium_level5");
/* mlkem / ML-KEM */
check_cfg(&binding, "wc_MlKemKey_Init", "mlkem");
/* lms / HSS */
check_cfg(&binding, "wc_LmsKey_Init", "lms");
check_cfg(&binding, "wc_LmsKey_MakeKey", "lms_make_key");
check_cfg(&binding, "wc_LmsParm_WC_LMS_PARM_L1_H5_W1", "lms_sha256_256");
check_cfg(&binding, "wc_LmsParm_WC_LMS_PARM_SHA256_192_L1_H5_W1", "lms_sha256_192");
/* sha */
check_cfg(&binding, "wc_InitSha", "sha");
check_cfg(&binding, "wc_InitSha224", "sha224");
check_cfg(&binding, "wc_InitSha256", "sha256");
check_cfg(&binding, "wc_InitSha384", "sha384");
check_cfg(&binding, "wc_InitSha512", "sha512");
check_cfg(&binding, "wc_HashType_WC_HASH_TYPE_SHA512_224", "sha512_224");
check_cfg(&binding, "wc_HashType_WC_HASH_TYPE_SHA512_256", "sha512_256");
check_cfg(&binding, "wc_InitSha3_224", "sha3");
check_cfg(&binding, "wc_InitShake128", "shake128");
check_cfg(&binding, "wc_InitShake256", "shake256");
Ok(())
}