ENV vars for OPENSSL_NO_ASM

.github/workflows/tests.yml

@@ -174,10 +174,12 @@ jobs:
         working-directory: ./aws-lc-rs
         run: cargo test ${{ matrix.args }} --lib --bins --tests --examples --target x86_64-unknown-linux-gnu --features asan
 
-  build-env-test:
+  build-env-static-test:
     if: github.repository_owner == 'aws'
-    name: aws-lc-rs build-env-test
+    name: aws-lc-rs build-env-static-test
     runs-on: ${{ matrix.os }}
+    env:
+      AWS_LC_SYS_STATIC: ${{ matrix.static }}
     strategy:
       fail-fast: false
       matrix:
@@ -188,14 +190,10 @@ jobs:
         with:
           submodules: 'recursive'
       - uses: dtolnay/rust-toolchain@stable
-        id: toolchain
-      - name: Set Rust toolchain override
-        run: rustup override set ${{ steps.toolchain.outputs.name }}
       - name: Run cargo test
-        working-directory: ./aws-lc-rs
         # Doc-tests fail to link with dynamic build
         # See: https://github.com/rust-lang/cargo/issues/8531
-        run: AWS_LC_SYS_STATIC=${{ matrix.static }}  cargo test --tests
+        run: cargo test -p aws-lc-rs --tests
 
   build-env-external-bindgen-test:
     if: github.repository_owner == 'aws'
@@ -225,10 +223,12 @@ jobs:
       - name: Run cargo test
         run: cargo test --tests -p aws-lc-rs --no-default-features --features aws-lc-sys
 
-  build-env-fips-test:
+  build-env-fips-static-test:
     if: github.repository_owner == 'aws'
-    name: aws-lc-rs build-env-fips-test
+    name: aws-lc-rs build-env-fips-static-test
     runs-on: ${{ matrix.os }}
+    env:
+      AWS_LC_FIPS_SYS_STATIC: ${{ matrix.static }}
     strategy:
       fail-fast: false
       matrix:
@@ -239,18 +239,91 @@ jobs:
         with:
           submodules: 'recursive'
       - uses: dtolnay/rust-toolchain@stable
-        id: toolchain
-      - name: Set Rust toolchain override
-        run: rustup override set ${{ steps.toolchain.outputs.name }}
+      - name: Install ninja-build tool
+        uses: seanmiddleditch/gha-setup-ninja@v4
       - uses: actions/setup-go@v4
         with:
           go-version: '>=1.18'
       - name: Run cargo test
-        working-directory: ./aws-lc-rs
         if: ${{ matrix.os == 'ubuntu-latest' || matrix.static != 1 }}
         # Doc-tests fail to link with dynamic build
         # See: https://github.com/rust-lang/cargo/issues/8531
-        run: AWS_LC_FIPS_SYS_STATIC=${{ matrix.static }} cargo test --tests --features fips
+        run: cargo test -p aws-lc-rs --tests --no-default-features --features fips
+
+  build-env-no-asm-test:
+    if: github.repository_owner == 'aws'
+    name: build-env-no-asm-test
+    runs-on: ${{ matrix.os }}
+    env:
+      AWS_LC_SYS_NO_ASM: 1
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ ubuntu-latest, macos-12, macos-13-xlarge, windows-latest ]
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          submodules: 'recursive'
+      - uses: dtolnay/rust-toolchain@stable
+      - name: Run cargo test
+        run: cargo test -p aws-lc-rs
+      - name: Release build
+        if: ${{ matrix.os != 'windows-latest' }}
+        run: |
+          if cargo build -p aws-lc-rs --release; then
+            exit 1
+          else
+            exit 0
+          fi
+      - name: Release build
+        if: ${{ matrix.os == 'windows-latest' }}
+        shell: pwsh
+        run: |
+          if (cargo build -p aws-lc-rs --release) {
+            exit 1
+          } else {
+            exit 0
+          }
+
+  build-env-fips-no-asm-test:
+    if: github.repository_owner == 'aws'
+    name: aws-lc-rs build-env-fips-no-asm-test
+    runs-on: ${{ matrix.os }}
+    env:
+      AWS_LC_FIPS_SYS_NO_ASM: 1
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ ubuntu-latest, macos-12, macos-13-xlarge, windows-latest ]
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          submodules: 'recursive'
+      - uses: dtolnay/rust-toolchain@stable
+      - name: Install ninja-build tool
+        uses: seanmiddleditch/gha-setup-ninja@v4
+      - uses: actions/setup-go@v4
+        with:
+          go-version: '>=1.18'
+      - name: Run cargo test
+        run: cargo test -p aws-lc-rs --tests --no-default-features --features fips
+      - name: Release build
+        if: ${{ matrix.os != 'windows-latest' }}
+        run: |
+          if cargo build -p aws-lc-rs --release --no-default-features --features fips; then
+            exit 1
+          else
+            exit 0
+          fi
+      - name: Release build
+        if: ${{ matrix.os == 'windows-latest' }}
+        shell: pwsh
+        run: |
+          if (cargo build -p aws-lc-rs --release --no-default-features --features fips) {
+            exit 1
+          } else {
+            exit 0
+          }
 
   build-env-fips-external-bindgen-test:
     if: github.repository_owner == 'aws'

aws-lc-fips-sys/builder/cmake_builder.rs

@@ -2,7 +2,10 @@
 // SPDX-License-Identifier: Apache-2.0 OR ISC
 
 use crate::OutputLib::{Crypto, RustWrapper, Ssl};
-use crate::{execute_command, target, target_arch, target_os, target_vendor, OutputLibType};
+use crate::{
+    cargo_env, execute_command, is_no_asm, target, target_arch, target_os, target_vendor,
+    OutputLibType,
+};
 use std::collections::HashMap;
 use std::env;
 use std::ffi::OsStr;
@@ -84,10 +87,18 @@ impl CmakeBuilder {
         } else {
             cmake_cfg.define("BUILD_SHARED_LIBS", "0");
         }
+        let opt_level = cargo_env("OPT_LEVEL");
 
-        let opt_level = env::var("OPT_LEVEL").unwrap_or_else(|_| "0".to_string());
-        if opt_level.ne("0") {
-            if opt_level.eq("1") || opt_level.eq("2") {
+        if is_no_asm() {
+            if opt_level == "0" {
+                cmake_cfg.define("OPENSSL_NO_ASM", "1");
+            } else {
+                panic!("AWS_LC_FIPS_SYS_NO_ASM only allowed for debug builds!")
+            }
+        }
+
+        if opt_level != "0" {
+            if opt_level == "1" || opt_level == "2" {
                 cmake_cfg.define("CMAKE_BUILD_TYPE", "relwithdebinfo");
             } else {
                 cmake_cfg.define("CMAKE_BUILD_TYPE", "release");
@@ -192,7 +203,11 @@ impl crate::Builder for CmakeBuilder {
             eprintln!("Missing dependency: perl is required for FIPS.");
             missing_dependency = true;
         }
-        if target_os() == "windows" && target_arch() == "x86_64" && !test_nasm_command() {
+        if target_os() == "windows"
+            && target_arch() == "x86_64"
+            && !test_nasm_command()
+            && !is_no_asm()
+        {
             eprintln!("Missing dependency: nasm is required for FIPS.");
             missing_dependency = true;
         }

aws-lc-fips-sys/builder/main.rs

@@ -275,14 +275,15 @@ static mut PREGENERATED: bool = false;
 static mut AWS_LC_FIPS_SYS_NO_PREFIX: bool = false;
 static mut AWS_LC_FIPS_SYS_INTERNAL_BINDGEN: bool = false;
 static mut AWS_LC_FIPS_SYS_EXTERNAL_BINDGEN: bool = false;
-
+static mut AWS_LC_FIPS_SYS_NO_ASM: bool = false;
 fn initialize() {
     unsafe {
         AWS_LC_FIPS_SYS_NO_PREFIX = env_var_to_bool("AWS_LC_FIPS_SYS_NO_PREFIX").unwrap_or(false);
         AWS_LC_FIPS_SYS_INTERNAL_BINDGEN =
             env_var_to_bool("AWS_LC_FIPS_SYS_INTERNAL_BINDGEN").unwrap_or(false);
         AWS_LC_FIPS_SYS_EXTERNAL_BINDGEN =
             env_var_to_bool("AWS_LC_FIPS_SYS_EXTERNAL_BINDGEN").unwrap_or(false);
+        AWS_LC_FIPS_SYS_NO_ASM = env_var_to_bool("AWS_LC_FIPS_SYS_NO_ASM").unwrap_or(false);
     }
 
     if !is_external_bindgen() && (is_internal_bindgen() || !has_bindgen_feature()) {
@@ -325,6 +326,10 @@ fn is_external_bindgen() -> bool {
     unsafe { AWS_LC_FIPS_SYS_EXTERNAL_BINDGEN }
 }
 
+fn is_no_asm() -> bool {
+    unsafe { AWS_LC_FIPS_SYS_NO_ASM }
+}
+
 fn has_bindgen_feature() -> bool {
     cfg!(feature = "bindgen")
 }

aws-lc-sys/builder/cmake_builder.rs

@@ -3,7 +3,8 @@
 
 use crate::OutputLib::{Crypto, RustWrapper, Ssl};
 use crate::{
-    execute_command, target, target_arch, target_env, target_os, target_vendor, OutputLibType,
+    cargo_env, execute_command, is_no_asm, target, target_arch, target_env, target_os,
+    target_vendor, OutputLibType,
 };
 use std::env;
 use std::ffi::OsStr;
@@ -105,6 +106,15 @@ impl CmakeBuilder {
         cmake_cfg.define("DISABLE_PERL", "ON");
         cmake_cfg.define("DISABLE_GO", "ON");
 
+        if is_no_asm() {
+            let opt_level = cargo_env("OPT_LEVEL");
+            if opt_level == "0" {
+                cmake_cfg.define("OPENSSL_NO_ASM", "1");
+            } else {
+                panic!("AWS_LC_SYS_NO_ASM only allowed for debug builds!")
+            }
+        }
+
         if target_vendor() == "apple" {
             if target_os().to_lowercase() == "ios" {
                 cmake_cfg.define("CMAKE_SYSTEM_NAME", "iOS");
@@ -151,7 +161,11 @@ impl crate::Builder for CmakeBuilder {
     fn check_dependencies(&self) -> Result<(), String> {
         let mut missing_dependency = false;
 
-        if target_os() == "windows" && target_arch() == "x86_64" && !test_nasm_command() {
+        if target_os() == "windows"
+            && target_arch() == "x86_64"
+            && !test_nasm_command()
+            && !is_no_asm()
+        {
             eprintln!("Missing dependency: nasm");
             missing_dependency = true;
         }

aws-lc-sys/builder/main.rs

@@ -283,6 +283,10 @@ fn get_builder(prefix: &Option<String>, manifest_dir: &Path, out_dir: &Path) ->
         };
         builder.check_dependencies().unwrap();
         return builder;
+    } else if is_no_asm() {
+        let builder = cmake_builder_builder();
+        builder.check_dependencies().unwrap();
+        return builder;
     } else if !is_bindgen_required() {
         let cc_builder = cc_builder_builder();
         if cc_builder.check_dependencies().is_ok() {
@@ -303,6 +307,7 @@ static mut PREGENERATED: bool = false;
 static mut AWS_LC_SYS_NO_PREFIX: bool = false;
 static mut AWS_LC_SYS_INTERNAL_BINDGEN: bool = false;
 static mut AWS_LC_SYS_EXTERNAL_BINDGEN: bool = false;
+static mut AWS_LC_SYS_NO_ASM: bool = false;
 
 fn initialize() {
     unsafe {
@@ -311,6 +316,7 @@ fn initialize() {
             env_var_to_bool("AWS_LC_SYS_INTERNAL_BINDGEN").unwrap_or(false);
         AWS_LC_SYS_EXTERNAL_BINDGEN =
             env_var_to_bool("AWS_LC_SYS_EXTERNAL_BINDGEN").unwrap_or(false);
+        AWS_LC_SYS_NO_ASM = env_var_to_bool("AWS_LC_SYS_NO_ASM").unwrap_or(false);
     }
 
     if !is_external_bindgen() && (is_internal_bindgen() || !has_bindgen_feature()) {
@@ -354,6 +360,10 @@ fn is_external_bindgen() -> bool {
     unsafe { AWS_LC_SYS_EXTERNAL_BINDGEN }
 }
 
+fn is_no_asm() -> bool {
+    unsafe { AWS_LC_SYS_NO_ASM }
+}
+
 fn has_bindgen_feature() -> bool {
     cfg!(feature = "bindgen")
 }