Avoid feature unification for bogo

It is no longer possible for rustls-post-quantum and rustls/fips
to co-exist.  Bleed that fact into bogo's crate features.

admin/all-workspace-members is a helper to assist running a
command many times for each workspace member, while avoiding
unification.

Hoist clippy calls into a script for use from CI

Author: ctz

.github/workflows/build.yml

@@ -215,6 +215,12 @@ jobs:
         env:
           BOGO_SHIM_PROVIDER: aws-lc-rs-fips
 
+      - name: Run test suite (post-quantum)
+        working-directory: bogo
+        run: ./runme
+        env:
+          BOGO_SHIM_PROVIDER: post-quantum
+
   fuzz:
     name: Smoke-test fuzzing targets
     runs-on: ubuntu-latest
@@ -430,11 +436,6 @@ jobs:
   clippy:
     name: Clippy
     runs-on: ubuntu-latest
-    env:
-      # - we want to be free of any warnings, so deny them
-      # - disable incompatible_msrv as it does not understand that we apply our
-      #   MSRV to the just the core crate.
-      CLIPPY_PARAMS: --deny warnings --allow clippy::incompatible_msrv
     steps:
       - name: Checkout sources
         uses: actions/checkout@v4
@@ -449,12 +450,10 @@ jobs:
         uses: dtolnay/rust-toolchain@stable
         with:
           components: clippy
-        # because examples enable rustls' features, `--workspace --no-default-features` is not
-        # the same as `--package rustls --no-default-features` so run it separately
-      - run: cargo clippy --locked --package rustls --no-default-features --all-targets -- $CLIPPY_PARAMS
-      - run: cargo clippy --locked --workspace --all-features --all-targets -- $CLIPPY_PARAMS
-        # not part of the workspace
-      - run: cargo clippy --locked --manifest-path=fuzz/Cargo.toml --all-features --all-targets -- $CLIPPY_PARAMS
+      # - we want to be free of any warnings, so deny them
+      # - disable incompatible_msrv as it does not understand that we apply our
+      #   MSRV to the just the core crate.
+      - run: ./admin/clippy -- --deny warnings --allow clippy::incompatible_msrv
 
   clippy-nightly:
     name: Clippy (Nightly)
@@ -473,9 +472,8 @@ jobs:
         uses: dtolnay/rust-toolchain@nightly
         with:
           components: clippy
-      - run: cargo clippy --locked --package rustls --no-default-features --all-targets
-      - run: cargo clippy --locked --workspace --all-features --all-targets
-      - run: cargo clippy --locked --manifest-path=fuzz/Cargo.toml --all-features --all-targets
+      # do not deny warnings, as nightly clippy sometimes has false negatives
+      - run: ./admin/clippy
 
   check-external-types:
     name: Validate external types appearing in public API
@@ -524,4 +522,3 @@ jobs:
         run: cargo test --locked -- --include-ignored
         env:
           RUST_BACKTRACE: 1
-          

.github/workflows/daily-tests.yml

@@ -129,7 +129,7 @@ jobs:
         run: cargo run --locked -p rustls-provider-example --example client
 
       - name: Check rustls-post-quantum client
-        run: cargo run --locked -p rustls-post-quantum --example client | grep 'kex=X25519MLKEM768'
+        run: cargo run --locked --manifest-path=rustls-post-quantum/Cargo.toml --example client | grep 'kex=X25519MLKEM768'
 
 
   feature-powerset:

Cargo.lock

@@ -14,18 +14,23 @@ members = [
   "provider-example",
   # the main library and tests
   "rustls",
-  # experimental post-quantum algorithm support
-  "rustls-post-quantum",
   # rustls cryptography provider integration tests
   "rustls-provider-test",
 ]
+
+## Deliberately not included in `members`:
+exclude = [
+  # `cargo fuzz` integration (requires nightly)
+  "fuzz",
+  # experimental post-quantum algorithm support
+  # (conflicting feature requirements with `rustls`)
+  "rustls-post-quantum",
+]
+
 default-members = [
-  "bogo",
   "examples",
   "rustls",
-  "rustls-post-quantum",
 ]
-exclude = ["admin/rustfmt"]
 resolver = "2"
 
 [profile.bench]

Cargo.toml

@@ -0,0 +1,38 @@
+#!/usr/bin/env python3
+
+"""
+Usage: admin/all-workspace-members
+
+Prints the set of all workspace members by package name, suitable
+for passing to cargo with the `-p`/`--package` option.
+
+"Workspace members" are computed by cargo, and included as
+the `workspace_members` item returned from `cargo metadata`.
+See
+<https://doc.rust-lang.org/cargo/reference/workspaces.html#the-members-and-exclude-fields>
+for documentation on what makes a package a workspace member
+or not.
+"""
+
+import subprocess
+import argparse
+import json
+
+
+def workspace_packages():
+    js = json.loads(
+        subprocess.check_output(
+            ["cargo", "metadata", "--no-deps", "--format-version=1"]
+        )
+    )
+    members = js["workspace_members"]
+    packages = [p for p in js["packages"] if p["id"] in members]
+    return packages
+
+
+if __name__ == "__main__":
+    ap = argparse.ArgumentParser(description=__doc__)
+    opts = ap.parse_args()
+
+    for p in workspace_packages():
+        print(p["name"])

admin/all-workspace-members

@@ -0,0 +1,39 @@
+#!/bin/bash
+
+# Runs clippy on every package in this repo.
+#
+# Passes through any extra arguments to each invocation.
+#
+# Exits non-zero if any clippy invocation exits non-zero,
+# but always runs them all.
+
+rc=0
+script_args="$@"
+
+function run_clippy() {
+  if ! ( set -x ; cargo clippy --locked "$@" $script_args ) ; then
+    rc=$PIPESTATUS
+  fi
+}
+
+# because examples enable rustls' features, `--workspace --no-default-features` is not
+# the same as `--package rustls --no-default-features` so run it separately
+run_clippy --package rustls --no-default-features --all-targets
+
+# run all workspace members (individually, because we don't want feature unification)
+for p in $(admin/all-workspace-members) ; do
+  # `bogo` is allergic to `--all-features`
+  if [ "$p" == "bogo" ] ; then
+    ALL_FEATURES="--features fips"
+  else
+    ALL_FEATURES="--all-features"
+  fi
+
+  run_clippy --package $p $ALL_FEATURES --all-targets
+done
+
+# not part of the workspace
+run_clippy --manifest-path=fuzz/Cargo.toml --all-features --all-targets
+run_clippy --manifest-path=rustls-post-quantum/Cargo.toml --all-features --all-targets
+
+exit $rc

admin/clippy

@@ -6,5 +6,10 @@ edition = "2021"
 [dependencies]
 base64 = "0.22"
 env_logger = "0.10" # 0.11 requires 1.71 MSRV even as a dev-dep (due to manifest features)
-rustls = { path = "../rustls", features = ["aws_lc_rs", "fips", "ring", "tls12"] }
-rustls-post-quantum = { path = "../rustls-post-quantum" }
+rustls = { path = "../rustls", features = ["aws_lc_rs", "ring", "tls12"] }
+rustls-post-quantum = { path = "../rustls-post-quantum", optional = true }
+
+[features]
+default = []
+post-quantum = ["dep:rustls-post-quantum"]
+fips = ["rustls/fips"]

bogo/Cargo.toml

@@ -5,20 +5,22 @@
 
 set -xe
 
-cargo run -- -print-rustls-provider
-
 case ${BOGO_SHIM_PROVIDER:-aws-lc-rs} in
   ring)
       cpp -P -DRING config.json.in > config.json
+      cargo run -- -print-rustls-provider
       ;;
   aws-lc-rs)
       cpp -P -DAWS_LC_RS config.json.in > config.json
+      cargo run -- -print-rustls-provider
       ;;
   aws-lc-rs-fips)
       cpp -P -DAWS_LC_RS -DFIPS config.json.in > config.json
+      cargo run --features fips -- -print-rustls-provider
       ;;
   post-quantum)
       cpp -P -DAWS_LC_RS -DPOST_QUANTUM config.json.in > config.json
+      cargo run --features post-quantum -- -print-rustls-provider
       ;;
   existing)
       ;;

bogo/runme

@@ -17,7 +17,9 @@ use rustls::client::{
 };
 use rustls::crypto::aws_lc_rs::hpke;
 use rustls::crypto::hpke::{Hpke, HpkePublicKey};
-use rustls::crypto::{aws_lc_rs, ring, CryptoProvider, SupportedKxGroup};
+#[cfg(feature = "post-quantum")]
+use rustls::crypto::SupportedKxGroup;
+use rustls::crypto::{aws_lc_rs, ring, CryptoProvider};
 use rustls::internal::msgs::codec::{Codec, Reader};
 use rustls::internal::msgs::handshake::EchConfigPayload;
 use rustls::internal::msgs::persist::ServerSessionValue;
@@ -210,7 +212,9 @@ impl Options {
 #[derive(Clone, Copy, Debug, PartialEq)]
 enum SelectedProvider {
     AwsLcRs,
+    #[cfg_attr(not(feature = "fips"), allow(dead_code))]
     AwsLcRsFips,
+    #[cfg_attr(not(feature = "post-quantum"), allow(dead_code))]
     PostQuantum,
     Ring,
 }
@@ -222,7 +226,9 @@ impl SelectedProvider {
             .as_deref()
         {
             None | Some("aws-lc-rs") => Self::AwsLcRs,
+            #[cfg(feature = "fips")]
             Some("aws-lc-rs-fips") => Self::AwsLcRsFips,
+            #[cfg(feature = "post-quantum")]
             Some("post-quantum") => Self::PostQuantum,
             Some("ring") => Self::Ring,
             Some(other) => panic!("unrecognised value for BOGO_SHIM_PROVIDER: {other:?}"),
@@ -1535,6 +1541,7 @@ pub fn main() {
                 opts.groups.get_or_insert(Vec::new()).push(group);
 
                 // if X25519MLKEM768 is requested, insert it from rustls_post_quantum
+                #[cfg(feature = "post-quantum")]
                 if group == rustls_post_quantum::X25519MLKEM768.name() && opts.selected_provider == SelectedProvider::PostQuantum {
                     opts.provider.kx_groups.insert(0, &rustls_post_quantum::X25519MLKEM768);
                 }
@@ -1552,6 +1559,7 @@ pub fn main() {
             "-install-one-cert-compression-alg" => {
                 opts.install_cert_compression_algs = CompressionAlgs::One(args.remove(0).parse::<u16>().unwrap());
             }
+            #[cfg(feature = "fips")]
             "-fips-202205" if opts.selected_provider == SelectedProvider::AwsLcRsFips => {
                 opts.provider = rustls::crypto::default_fips_provider();
             }