support building with no default providers

Also tack a `cargo test --no-default-features` into CI to make sure we
don't regress. The integration tests that use client.c/server.c can't
support this build type: they require a built-in provider.

.github/workflows/test.yaml

@@ -129,6 +129,12 @@ jobs:
           ! nm build/tests/client | grep '__asan_init' 
           ! nm build/tests/server | grep '__asan_init' 
 
+      # Our integration tests rely on a built-in provider being enabled.
+      # Double-check the library/unit tests work without any providers to
+      # support downstream use-cases that bring their own external one.
+      - name: Test no built-in provider build
+        run: cargo test --no-default-features --locked
+
   valgrind:
     name: Valgrind
     runs-on: ubuntu-latest

README.md

@@ -74,14 +74,15 @@ implementing the cryptography required for TLS. By default, both will use
 [`aws-lc-rs`][], but [`*ring*`][] is available as an opt-in choice.
 
 It is **not** presently supported to build with both cryptography providers
-activated, or with neither provider activated.
+activated.
 
 Select the cryptography provider using `--no-default-features` and `--features`:
 
 ```bash
 cargo capi install                                       # aws-lc-rs default
 cargo capi install --features=aws-lc-rs                  # aws-lc-rs explicit
 cargo capi install --no-default-features --features=ring # ring
+cargo capi install --no-default-features                 # no built-in provider
 ```
 
 ##### Cryptography Provider build requirements

src/acceptor.rs

@@ -508,7 +508,7 @@ impl rustls_accepted_alert {
     }
 }
 
-#[cfg(test)]
+#[cfg(all(test, any(feature = "ring", feature = "aws-lc-rs")))]
 mod tests {
     use std::cmp::min;
     use std::collections::VecDeque;
@@ -752,7 +752,7 @@ mod tests {
         // Sort to ensure consistent comparison
         signature_schemes.sort();
 
-        #[cfg_attr(feature = "ring", allow(unused_mut))]
+        #[cfg_attr(not(feature = "aws-lc-rs"), allow(unused_mut))]
         let mut expected_schemes = vec![
             SignatureScheme::RSA_PKCS1_SHA256,
             SignatureScheme::ECDSA_NISTP256_SHA256,

src/cipher.rs

@@ -59,7 +59,7 @@ pub extern "C" fn rustls_supported_ciphersuite_protocol_version(
     }
 }
 
-#[cfg(test)]
+#[cfg(all(test, any(feature = "ring", feature = "aws-lc-rs")))]
 mod tests {
     use crate::crypto_provider::{
         rustls_default_crypto_provider_ciphersuites_get,

src/client.rs

@@ -787,7 +787,7 @@ impl rustls_client_config {
     }
 }
 
-#[cfg(test)]
+#[cfg(all(test, any(feature = "ring", feature = "aws-lc-rs")))]
 mod tests {
     use std::ptr::{null, null_mut};
 

src/crypto_provider.rs

@@ -576,7 +576,7 @@ fn provider_from_crate_features() -> Option<CryptoProvider> {
     None
 }
 
-#[cfg(all(test, not(miri)))]
+#[cfg(all(test, not(miri), any(feature = "aws-lc-rs", feature = "ring")))]
 mod tests {
     use std::ptr;
 
@@ -622,8 +622,8 @@ mod tests {
         assert_ne!(buff, vec![0; 32]);
     }
 
-    #[cfg(feature = "aws-lc-rs")]
     #[test]
+    #[cfg(feature = "aws-lc-rs")]
     fn test_hpke_aws_lc_rs() {
         let hpke = rustls_supported_hpke();
         assert!(!hpke.is_null());
@@ -636,8 +636,8 @@ mod tests {
         let (_, _) = suite.setup_sealer(&[0xC0, 0xFF, 0xEE], &pk).unwrap();
     }
 
-    #[cfg(not(feature = "aws-lc-rs"))]
     #[test]
+    #[cfg(not(feature = "aws-lc-rs"))]
     fn test_hpke_not_aws_lc_rs() {
         assert!(rustls_supported_hpke().is_null());
     }

src/server.rs

@@ -768,7 +768,7 @@ impl rustls_server_config_builder {
     }
 }
 
-#[cfg(test)]
+#[cfg(all(test, any(feature = "ring", feature = "aws-lc-rs")))]
 mod tests {
     use std::ptr::{null, null_mut};