PoC: Make it possible to write code that interacts with OpenSSL in Rust

.circleci/build-wheel.sh

@@ -23,8 +23,8 @@ if [[ "${PYBIN}" =~ $REGEX ]]; then
     PY_LIMITED_API="--py-limited-api=cp3${BASH_REMATCH[1]}"
 fi
 
-LDFLAGS="-L/opt/pyca/cryptography/openssl/lib" \
-       CFLAGS="-I/opt/pyca/cryptography/openssl/include -Wl,--exclude-libs,ALL" \
+OPENSSL_DIR="/opt/pyca/cryptography/openssl" \
+       RUSTFLAGS="-Clink-arg=-Wl,--exclude-libs,ALL" \
        ../../.venv/bin/python setup.py bdist_wheel "$PY_LIMITED_API"
 
 auditwheel repair --plat "${PLATFORM}" -w wheelhouse/ dist/cryptography*.whl

.github/workflows/ci.yml

@@ -110,8 +110,9 @@ jobs:
         if: matrix.PYTHON.OPENSSL && steps.ossl-cache.outputs.cache-hit != 'true'
       - name: Set CFLAGS/LDFLAGS
         run: |
-          echo "CFLAGS=${CFLAGS} -Werror=implicit-function-declaration -I${OSSL_PATH}/include" >> $GITHUB_ENV
-          echo "LDFLAGS=${LDFLAGS} -L${OSSL_PATH}/lib -L${OSSL_PATH}/lib64 -Wl,-rpath=${OSSL_PATH}/lib -Wl,-rpath=${OSSL_PATH}/lib64" >> $GITHUB_ENV
+          echo "OPENSSL_DIR=${OSSL_PATH}" >> $GITHUB_ENV
+          echo "CFLAGS=${CFLAGS} -Werror=implicit-function-declaration" >> $GITHUB_ENV
+          echo "RUSTFLAGS=-Clink-arg=-Wl,-rpath=${OSSL_PATH}/lib -Clink-arg=-Wl,-rpath=${OSSL_PATH}/lib64" >> $GITHUB_ENV
         if: matrix.PYTHON.OPENSSL
       - name: Tests
         run: |
@@ -188,8 +189,7 @@ jobs:
           - {VERSION: "3.9", TOXENV: "py39"}
         RUST:
           # Cover MSRV (and likely next MSRV) and in-dev versions
-          - 1.41.0
-          - 1.45.0
+          - 1.48.0
           - beta
     name: "${{ matrix.PYTHON.TOXENV }} with Rust ${{ matrix.RUST }}"
     timeout-minutes: 15
@@ -284,7 +284,7 @@ jobs:
           repository: "google/wycheproof"
           path: "wycheproof"
           ref: "master"
-      - run: python -m pip install tox coverage
+      - run: python -m pip install tox coverage cffi
       - name: Tests
         run: |
             tox -r --  --color=yes --wycheproof-root=wycheproof
@@ -381,8 +381,9 @@ jobs:
       - name: Tests
         run: |
           CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS=1 \
-            LDFLAGS="${HOME}/openssl-macos-x86-64/lib/libcrypto.a ${HOME}/openssl-macos-x86-64/lib/libssl.a" \
-            CFLAGS="-I${HOME}/openssl-macos-x86-64/include -Werror -Wno-error=deprecated-declarations -Wno-error=incompatible-pointer-types-discards-qualifiers -Wno-error=unused-function -Wno-error=unused-command-line-argument -mmacosx-version-min=10.10 -march=core2 $EXTRA_CFLAGS" \
+            OPENSSL_DIR="${HOME}/openssl-macos-x86-64" \
+            OPENSSL_STATIC=1 \
+            CFLAGS="-Werror -Wno-error=deprecated-declarations -Wno-error=incompatible-pointer-types-discards-qualifiers -Wno-error=unused-function -Wno-error=unused-command-line-argument -mmacosx-version-min=10.10 -march=core2 $EXTRA_CFLAGS" \
             tox -r --  --color=yes --wycheproof-root=wycheproof
         env:
           TOXENV: ${{ matrix.PYTHON.TOXENV }}
@@ -442,8 +443,7 @@ jobs:
       - name: Download OpenSSL
         run: |
             python .github/workflows/download_openssl.py windows openssl-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.MSVC_VERSION }}
-            echo "INCLUDE=C:/openssl-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.MSVC_VERSION }}/include;$INCLUDE" >> $GITHUB_ENV
-            echo "LIB=C:/openssl-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.MSVC_VERSION }}/lib;$LIB" >> $GITHUB_ENV
+            echo "OPENSSL_DIR=C:/openssl-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.MSVC_VERSION }}" >> $GITHUB_ENV
             echo "CL=${{ matrix.PYTHON.CL_FLAGS }}" >> $GITHUB_ENV
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.zuul.playbooks/playbooks/tox/pre.yaml

@@ -17,6 +17,7 @@
           - libssl-dev
           - libffi-dev
           - python3-dev
+          - pkg-config
       become: yes
       when: ansible_distribution in ['Debian', 'Ubuntu']
 

.zuul.playbooks/playbooks/wheel/roles/build-wheel-manylinux/files/build-wheels.sh

@@ -20,8 +20,8 @@ for P in ${PYTHONS}; do
         PY_LIMITED_API="--py-limited-api=cp3${BASH_REMATCH[1]}"
     fi
 
-    LDFLAGS="-L/opt/pyca/cryptography/openssl/lib" \
-           CFLAGS="-I/opt/pyca/cryptography/openssl/include -Wl,--exclude-libs,ALL" \
+    OPENSSL_DIR="/opt/pyca/cryptography/openssl" \
+           RUSTFLAGS="-Clink-arg=-Wl,--exclude-libs,ALL" \
            .venv/bin/python setup.py bdist_wheel $PY_LIMITED_API
 
     auditwheel repair --plat ${PLAT} -w wheelhouse/ dist/cryptography*.whl

pyproject.toml

@@ -30,7 +30,7 @@ warn_unused_ignores = true
 
 [[tool.mypy.overrides]]
 module = [
-    "cryptography.hazmat.bindings._openssl",
+    "cryptography.hazmat.bindings._rust._openssl",
     "pretend"
 ]
 ignore_missing_imports = true

setup.py

@@ -37,9 +37,6 @@
 try:
     # See setup.cfg for most of the config metadata.
     setup(
-        cffi_modules=[
-            "src/_cffi_src/build_openssl.py:ffi",
-        ],
         rust_extensions=[
             RustExtension(
                 "_rust",

src/_cffi_src/build_openssl.py

@@ -112,3 +112,15 @@ def _extra_compile_args(platform):
     libraries=_get_openssl_libraries(sys.platform),
     extra_compile_args=_extra_compile_args(sys.platform),
 )
+
+if __name__ == "__main__":
+    out_dir = os.getenv("OUT_DIR")
+    module_name, source, source_extension, kwds = ffi._assigned_source
+    c_file = os.path.join(out_dir, module_name + source_extension)
+    ffi.embedding_api(
+        """
+        extern "Python" void _this_is_not_used(void);
+    """
+    )
+    ffi.embedding_init_code("")
+    ffi.emit_c_code(c_file)

src/_cffi_src/openssl/cryptography.py

@@ -32,7 +32,9 @@
 #include <openssl/e_os2.h>
 #endif
 #if defined(_WIN32)
+#if !defined(WIN32_LEAN_AND_MEAN)
 #define WIN32_LEAN_AND_MEAN
+#endif
 #include <windows.h>
 #include <Wincrypt.h>
 #include <Winsock2.h>

src/_cffi_src/utils.py

@@ -73,6 +73,12 @@ def build_ffi(
     verify_source += '\n#define CRYPTOGRAPHY_PACKAGE_VERSION "{}"'.format(
         about["__version__"]
     )
+    verify_source += r"""
+
+int make_cryptography_openssl_module(void) {
+    return cffi_start_python();
+}
+"""
     ffi.cdef(cdef_source)
     ffi.set_source(
         module_name,

src/cryptography/hazmat/bindings/_rust/_openssl.pyi

@@ -0,0 +1 @@
+# An empty file to make mypy recognize this module

src/cryptography/hazmat/bindings/openssl/binding.py

@@ -11,9 +11,11 @@
 import cryptography
 from cryptography import utils
 from cryptography.exceptions import InternalError
-from cryptography.hazmat.bindings._openssl import ffi, lib
+from cryptography.hazmat.bindings._rust import _openssl
 from cryptography.hazmat.bindings.openssl._conditional import CONDITIONAL_NAMES
 
+ffi = _openssl.ffi  # type: ignore
+lib = _openssl.lib  # type: ignore
 _OpenSSLErrorWithText = typing.NamedTuple(
     "_OpenSSLErrorWithText",
     [("code", int), ("lib", int), ("reason", int), ("reason_text", bytes)],

src/rust/Cargo.toml

@@ -12,6 +12,11 @@ asn1 = { version = "0.8.7", default-features = false, features = ["derive"] }
 pem = "1.0"
 chrono = { version = "0.4", default-features = false, features = ["alloc", "clock"] }
 ouroboros = "0.13"
+openssl = "0.10.38"
+openssl-sys = "0.9.72"
+
+[build-dependencies]
+cc = "1.0.72"
 
 [features]
 extension-module = ["pyo3/extension-module"]
@@ -24,3 +29,7 @@ crate-type = ["cdylib"]
 [profile.release]
 lto = "thin"
 overflow-checks = true
+
+[patch.crates-io]
+openssl-sys = { git = "https://github.com/sfackler/rust-openssl.git" }
+openssl = { git = "https://github.com/sfackler/rust-openssl.git" }