From b4790be09f7d34aa6487fcbaf46c4e25676d4268 Mon Sep 17 00:00:00 2001
From: Daniel McCarney
Date: Sat, 14 Dec 2024 22:01:52 -0500
Subject: [PATCH] support building with no default providers

Also tack a `cargo test --no-default-features` into CI to make sure we don't regress. The integration tests that use client.c/server.c can't support this build type: they require a built-in provider.
---
 .github/workflows/test.yaml | 6 ++++++
 README.md | 3 ++-
 src/acceptor.rs | 4 ++--
 src/cipher.rs | 2 +-
 src/client.rs | 2 +-
 src/crypto_provider.rs | 6 +++---
 src/server.rs | 2 +-
 7 files changed, 16 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 75e3e76c..48bec2ae 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -129,6 +129,12 @@ jobs:
 ! nm build/tests/client | grep '__asan_init'
 ! nm build/tests/server | grep '__asan_init'
+ # Our integration tests rely on a built-in provider being enabled.
+ # Double-check the library/unit tests work without any providers to
+ # support downstream use-cases that bring their own external one.
+ - name: Test no built-in provider build
+ run: cargo test --no-default-features --locked
+
 valgrind:
 name: Valgrind
 runs-on: ubuntu-latest
diff --git a/README.md b/README.md
index 0f4f9ff2..f233fe50 100644
--- a/README.md
+++ b/README.md
@@ -74,7 +74,7 @@ implementing the cryptography required for TLS. By default, both will use
 [`aws-lc-rs`][], but [`*ring*`][] is available as an opt-in choice.
 It is **not** presently supported to build with both cryptography providers
-activated, or with neither provider activated.
+activated.
 Select the cryptography provider using `--no-default-features` and `--features`:
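Review bot: The comment above the new `Test no built-in provider build` step says it double-checks that the library/unit tests work without a provider, but this same patch compiles out the `mod tests` blocks of acceptor.rs, cipher.rs, client.rs, crypto_provider.rs and server.rs in exactly that configuration, so for those files the step is a compile check and runs none of their tests. Whether any other test module still runs is not visible in this diff. I would word the comment to match what the step verifies, for example `# Make sure the crate still builds with no built-in provider; most unit tests are compiled out in this configuration.`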
@@ -82,6 +82,7 @@ Select the cryptography provider using `--no-default-features` and `--features`:
 cargo capi install # aws-lc-rs default
 cargo capi install --features=aws-lc-rs # aws-lc-rs explicit
 cargo capi install --no-default-features --features=ring # ring
+cargo capi install --no-default-features # no built-in provider
 ```
 ##### Cryptography Provider build requirements
diff --git a/src/acceptor.rs b/src/acceptor.rs
index 50e2bf13..4395397a 100644
--- a/src/acceptor.rs
+++ b/src/acceptor.rs
@@ -508,7 +508,7 @@ impl rustls_accepted_alert {
 }
 }
-#[cfg(test)]
+#[cfg(all(test, any(feature = "ring", feature = "aws-lc-rs")))]
 mod tests {
 use std::cmp::min;
 use std::collections::VecDeque;
@@ -752,7 +752,7 @@ mod tests {
 // Sort to ensure consistent comparison
 signature_schemes.sort();
- #[cfg_attr(feature = "ring", allow(unused_mut))]
+ #[cfg_attr(not(feature = "aws-lc-rs"), allow(unused_mut))]
 let mut expected_schemes = vec![
 SignatureScheme::RSA_PKCS1_SHA256,
 SignatureScheme::ECDSA_NISTP256_SHA256,
diff --git a/src/cipher.rs b/src/cipher.rs
index 097a019b..5b91581f 100644
--- a/src/cipher.rs
+++ b/src/cipher.rs
@@ -59,7 +59,7 @@ pub extern "C" fn rustls_supported_ciphersuite_protocol_version(
 }
 }
-#[cfg(test)]
+#[cfg(all(test, any(feature = "ring", feature = "aws-lc-rs")))]
 mod tests {
 use crate::crypto_provider::{
 rustls_default_crypto_provider_ciphersuites_get,
diff --git a/src/client.rs b/src/client.rs
index 28f942d0..e44208e7 100644
--- a/src/client.rs
+++ b/src/client.rs
@@ -787,7 +787,7 @@ impl rustls_client_config {
 }
 }
-#[cfg(test)]
+#[cfg(all(test, any(feature = "ring", feature = "aws-lc-rs")))]
 mod tests {
 use std::ptr::{null, null_mut};
diff --git a/src/crypto_provider.rs b/src/crypto_provider.rs
index d84f6357..bea9bbd3 100644
--- a/src/crypto_provider.rs
+++ b/src/crypto_provider.rs
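Review bot: In src/acceptor.rs at `@@ -508,7 +508,7 @@`, putting `any(feature = "ring", feature = "aws-lc-rs")` on the whole `mod tests` also removes every test in the module that does not need a provider; the hunks in cipher.rs, client.rs and server.rs and the first hunk of crypto_provider.rs do the same. The module bodies lie outside the hunks, so which tests could still run cannot be judged from here, but argument-validation tests for the `extern "C"` entry points are the usual candidates, and the no-provider build is the one downstream users will pair with their own provider. Consider keeping `#[cfg(test)]` on the module and moving the `any(...)` condition onto the individual tests (or a nested module) that call into a built-in provider.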
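Review bot: The `allow(unused_mut)` in the `@@ -752,7 +752,7 @@` hunk of src/acceptor.rs carries no comment saying why `expected_schemes` needs `mut` only in some builds. The code that mutates it is outside the hunk; presumably it sits behind `#[cfg(feature = "aws-lc-rs")]`. Once that is confirmed against the rest of the test, a line such as `// Only mutated when aws-lc-rs is enabled; see the cfg-gated block below.` above the attribute would save the next reader from working it out.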
@@ -576,7 +576,7 @@ fn provider_from_crate_features() -> Option {
 None
 }
-#[cfg(all(test, not(miri)))]
+#[cfg(all(test, not(miri), any(feature = "aws-lc-rs", feature = "ring")))]
 mod tests {
 use std::ptr;
@@ -622,8 +622,8 @@ mod tests {
 assert_ne!(buff, vec![0; 32]);
 }
- #[cfg(feature = "aws-lc-rs")]
 #[test]
+ #[cfg(feature = "aws-lc-rs")]
 fn test_hpke_aws_lc_rs() {
 let hpke = rustls_supported_hpke();
 assert!(!hpke.is_null());
@@ -636,8 +636,8 @@ mod tests {
 let (_, _) = suite.setup_sealer(&[0xC0, 0xFF, 0xEE], &pk).unwrap();
 }
- #[cfg(not(feature = "aws-lc-rs"))]
 #[test]
+ #[cfg(not(feature = "aws-lc-rs"))]
 fn test_hpke_not_aws_lc_rs() {
 assert!(rustls_supported_hpke().is_null());
 }
diff --git a/src/server.rs b/src/server.rs
index 944dc14c..a5c595d2 100644
--- a/src/server.rs
+++ b/src/server.rs
@@ -768,7 +768,7 @@ impl rustls_server_config_builder {
 }
 }
-#[cfg(test)]
+#[cfg(all(test, any(feature = "ring", feature = "aws-lc-rs")))]
 mod tests {
 use std::ptr::{null, null_mut};
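Review bot: Nothing in src/crypto_provider.rs tests the configuration this patch newly supports: the `@@ -576,7 +576,7 @@` hunk shows `provider_from_crate_features()` ending in `None`, and the test module below it is now compiled only when a provider feature is on. For C callers the no-provider build is where a missing default provider has to surface as an error result rather than a panic or a null dereference, so it deserves one test of its own. The function body starts outside the hunk, so the sketch below assumes `None` is what it returns when neither feature is set. A companion test on the public `extern "C"` entry points that consume this value would be more valuable still.

```rust
// … unchanged: existing `mod tests`, gated on a built-in provider …

#[cfg(all(test, not(any(feature = "aws-lc-rs", feature = "ring"))))]
mod no_provider_tests {
    #[test]
    fn no_built_in_provider_yields_none() {
        assert!(super::provider_from_crate_features().is_none());
    }
}
```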