engine: Initial skeleton structure#353
Open
walterchris wants to merge 7 commits into
Open
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Introduces an initial skeleton for an OpenSSL 1.1.x ENGINE plugin in the plugins/ossl_engine/ area, including a raw FFI sys crate (bindgen-generated bindings), a planned safe wrapper crate, and a stub engine crate intended to integrate with azihsm_api.
Changes:
- Added
openssl-sys-enginecrate with a bindgen-basedbuild.rsand a minimalwrapper.h. - Added
openssl-enginecrate as a placeholder for safe abstractions over the ENGINE API. - Added
azihsm_enginecrate stub intended to become the dynamic ENGINE implementation. - Registered the new crates in the workspace and added
bindgen/pkg-configto workspace dependencies.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| plugins/ossl_engine/openssl-sys-engine/wrapper.h | Bindgen wrapper header + exported constants for binding generation. |
| plugins/ossl_engine/openssl-sys-engine/src/lib.rs | Sys crate entrypoint that includes generated bindings. |
| plugins/ossl_engine/openssl-sys-engine/build.rs | pkg-config discovery + bindgen generation for OpenSSL ENGINE-related APIs. |
| plugins/ossl_engine/openssl-sys-engine/Cargo.toml | New sys crate manifest (build-deps: bindgen, pkg-config). |
| plugins/ossl_engine/openssl-engine/src/lib.rs | Stub safe-wrapper crate re-exporting the sys crate. |
| plugins/ossl_engine/openssl-engine/Cargo.toml | New wrapper crate manifest. |
| plugins/ossl_engine/engine/src/lib.rs | Stub AZIHSM ENGINE crate documentation. |
| plugins/ossl_engine/engine/Cargo.toml | New ENGINE crate manifest (cdylib + lib). |
| Cargo.toml | Adds new workspace members and workspace deps for bindgen/pkg-config. |
walterchris
force-pushed
the
engine/initialSkeleton
branch
from
82f7db1 to
038303f
Compare
walterchris
force-pushed
the
engine/initialSkeleton
branch
from
22b9563 to
1ef55ab
Compare
walterchris
force-pushed
the
engine/initialSkeleton
branch
from
47d8cd7 to
46df0d2
Compare
walterchris
force-pushed
the
engine/initialSkeleton
branch
from
46df0d2 to
8ae5e2d
Compare
walterchris
force-pushed
the
engine/initialSkeleton
branch
from
e36bdfb to
a458ca4
Compare
walterchris
force-pushed
the
engine/initialSkeleton
branch
from
d871ece to
5a180df
Compare
walterchris
force-pushed
the
engine/initialSkeleton
branch
from
5a180df to
957764b
Compare
Enable the provider to be built and tested against both OpenSSL 3.0.3 and 3.5.0 in parallel. No new provider features — this lays the structural groundwork for upcoming 3.5-only functionality. The provider's existing version guards (#if OPENSSL_VERSION_MINOR == 0) already handle the polyfill exclusion correctly on 3.5. All 69 integration tests (27 CLI + 42 CAPI) pass on both versions. Key changes: - CI matrix on provider_integration job (3.0.3 + 3.5.0) - xtask --openssl-version flag for local multi-version testing - Fix: CAPI harness now sets LD_LIBRARY_PATH on openssl subprocesses (was relying on system libs being ABI-compatible — breaks on 3.5) - Version gating helpers for future 3.5-only tests (C++ preprocessor guards, shell skip_below_ossl_3_5 helper) Signed-off-by: Jens Topp <jens.topp@9elements.com>
Make OpenSSL version mismatches structurally impossible: each ABI version's
build artifacts and OpenSSL install live in a separate target subtree, so
versions can coexist and switching needs no `cargo clean`.
Three coordinated layers:
1. `.cargo/config.toml` defaults `target-dir = "target/ossl-abi-3-0"`, so
plain `cargo build` and IDE/rust-analyzer work out of the box for the
default OpenSSL 3.0 ABI.
2. Provider `build.rs` extracts the ABI from `CARGO_TARGET_DIR`, validates
it against the supported list (3-0, 3-5), and derives `OPENSSL_DIR` from
the path. Raw `cargo build` outside the convention fails with a clear,
actionable panic message — silent version mismatches become impossible.
3. xtask sets `CARGO_TARGET_DIR=target/ossl-abi-{major}-{minor}` from the
`--openssl-version` flag (default 3.0.3). Added the flag to `setup`,
`build`, and `integration-tests` so the same value drives install,
build, and tests.
Other changes:
- Resolve Corrosion deadlock: build.rs now redirects CMake's nested cargo
probe (`cargo rustc --print=native-static-libs`) to a separate target dir
under <OUT_DIR>/corrosion-target/, so it doesn't contend on the outer
cargo's target-dir lock.
- xtask integration-tests now sets OPENSSL_LIB to a `:`-separated list
(openssl/lib + cargo debug dir) so libazihsm_api_native.so is resolved
from Cargo's build, not Corrosion's stale parallel build. The CAPI
harness accepts this list form.
- env.sh and the CAPI harness honour CARGO_TARGET_DIR when deriving the
provider .so path.
- CI workflow uses matrix entries `{ openssl-version, openssl-abi }` to
drive both the install path and the target dir, with continue-on-error
for the 3.5.0 entry while support stabilises.
- Documentation: top-level README, xtask README, and provider README all
reflect the new flow, leading with `cargo xtask build --openssl-version
<ver>` as the recommended path.
Signed-off-by: Jens Topp <jens.topp@9elements.com>
…dirs The NGINX test harness defaulted to `target/debug/azihsm_provider.so` — breaks in CI where artifacts live in `target/ossl-abi-3-0/debug/`. Honour CARGO_TARGET_DIR (already set at job level), same fix we applied to the CAPI harness in the previous commit. Also update the stale "build the provider first" hint in both harnesses to point at `cargo xtask build --openssl-version <ver>`. Signed-off-by: Jens Topp <jens.topp@9elements.com>
The provider's build.rs always invoked CMake, which in turn drives Corrosion to compile azihsm_api_native and its full dependency tree. This is wasted work for `cargo clippy` / `cargo check`: they only type-check Rust source, they don't link, so they don't need the provider's .so or the linked native lib. The wasted invocation predates the OpenSSL ABI work. On main, the cost was bounded because outer cargo (clippy) and inner cargo (Corrosion's build of azihsm_api_native) shared the same target directory — so deps compiled by clippy were reused by Corrosion. The earlier deadlock fix in build.rs (which redirects Corrosion's nested cargo to <OUT_DIR>/corrosion-target/) splits those into separate target dirs. Outer cargo writes to target/ossl-abi-<major>-<minor>/, inner cargo to corrosion-target/. No more sharing → every dep gets compiled twice during clippy. On the GitHub Actions runner this pushed the clippy job past 2 hours. Detect clippy via RUSTC_WORKSPACE_WRAPPER (cargo sets it to the path of clippy-driver) and early-return before invoking CMake. Strictly faster than the pre-existing behaviour as well, since the wasted CMake work was always there. Signed-off-by: Jens Topp <jens.topp@9elements.com>
walterchris
force-pushed
the
engine/initialSkeleton
branch
from
957764b to
5e3ef4b
Compare
The same two-part fix applied to plugins/ossl_prov/build.rs is needed
here: api/tests/cpp/CMakeLists.txt also uses corrosion_import_crate,
so api/tests/build.rs has the same flock() deadlock when CARGO_TARGET_DIR
is set, and the same wasted CMake work under clippy/check.
Fix:
- Detect clippy via RUSTC_WORKSPACE_WRAPPER and early-return.
- Redirect Corrosion's nested cargo to <OUT_DIR>/corrosion-target/
via the CMake child process's CARGO_TARGET_DIR env.
Signed-off-by: Jens Topp <jens.topp@9elements.com>
walterchris
force-pushed
the
engine/initialSkeleton
branch
from
5e3ef4b to
9f84af4
Compare
walterchris
force-pushed
the
engine/initialSkeleton
branch
from
9f84af4 to
46d013b
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 25 out of 25 changed files in this pull request and generated 3 comments.
Comments suppressed due to low confidence (1)
xtask/src/precheck.rs:237
IntegrationTest::parse_from([])relies on clap defaults (currently OpenSSL 3.0.3) and ignores any version selection the caller may have intended via env vars or prior setup. If precheck is meant to run provider integration tests for a specific ABI, pass an explicitopenssl_versionintoIntegrationTest(or parse fromOPENSSL_VERSION/CARGO_TARGET_DIR) rather than instantiating it with empty args.
// OSSL Provider integration tests (CLI + C API, Linux only)
#[cfg(target_os = "linux")]
integration_tests::IntegrationTest::parse_from::<[&str; 0], &str>([])
.run(ctx.clone())?;
46d013b to
e0976b2
Compare
cargo llvm-cov isolates coverage artifacts by appending `llvm-cov-target` to CARGO_TARGET_DIR. With CARGO_TARGET_DIR=target/ossl-abi-3-0, that becomes target/ossl-abi-3-0/llvm-cov-target — the ossl-abi-3-0 segment is now in the parent, not the leaf. The previous validation in plugins/ossl_prov/build.rs checked only the leaf, so cargo xtask precheck --coverage failed. Fix: Search the path ancestors for the ossl-abi-<major>-<minor> segment instead. Derive OPENSSL_DIR from that segment's directory rather than from the leaf so it still resolves to <abi_dir>/openssl whether the build sits in abi_dir or a sub-tree underneath. Signed-off-by: Jens Topp <jens.topp@9elements.com>
walterchris
force-pushed
the
engine/initialSkeleton
branch
from
e0976b2 to
067822f
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 58 out of 58 changed files in this pull request and generated 1 comment.
Comments suppressed due to low confidence (2)
plugins/ossl_engine/openssl-sys-engine/build.rs:98
- These link directives also use
cargo::instead ofcargo:. When the build script selects the xtask-installed OpenSSL (skipping pkg-config), Cargo won’t receive therustc-link-lib/rustc-link-searchmetadata and the crate is likely to fail to link. Usecargo:rustc-link-libandcargo:rustc-link-searchhere.
xtask/src/setup.rs:55 - Doc says
openssl_versionis ignored whenOPENSSL_DIRis already set, butsetupstill uses it to setCARGO_TARGET_DIR(ABI leaf) and then proceeds with the OpenSSL install flow. Either align the behavior with the doc (skip usingopenssl_versionwhenOPENSSL_DIRis set) or adjust the doc to clarify that the flag still affects target-dir routing even when using a custom OPENSSL_DIR.
walterchris
force-pushed
the
engine/initialSkeleton
branch
from
067822f to
1dba265
Compare
This commit adds the skeleton code for the OpenSSL engine. It also adds the precheck target to download and install openSSL 1.1.1w which is necessary for the engine. This commit introduces three crates: - openssl-sys-engine: Auto-generated C bindings - openssl-engine: Safe wrappers - engine: The actual engine code Signed-off-by: Christian Walter <christian.walter@9elements.com>
walterchris
force-pushed
the
engine/initialSkeleton
branch
from
1dba265 to
0c7df16
Compare
jenstopp
force-pushed
the
azihsm-sdk-ossl-3-5
branch
2 times, most recently
from
24fc7ed to
ecc22f2
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.