[FIPS 4.0 CHERRY PICK] Generate Rust Bindings (#2999) #3048

Merged
justsmth merged 1 commit into aws:fips-2025-09-12 from justsmth:fips-2025-09-12-rust-bindings
Feb 26, 2026

@justsmth
Contributor

Originally: #2999

  • Cherry-picked from main: 167015c
  • Minor conflicts resolved in CMakeLists.txt and aws-lc-rs.yml.

Issues:

  • Addresses: V2090958423

Description of changes:

This adds CMake support for generating Rust FFI bindings from the AWS-LC public C headers using bindgen-cli. This is intended for use by downstream Rust consumers so that bindings can be generated directly from the CMake build system.

New CMake option: -DGENERATE_RUST_BINDINGS=ON (off by default)

When enabled, the build:

  1. Validates that bindgen-cli (≥0.69.5) and rustfmt are available
  2. Auto-discovers all public OpenSSL headers and generates a rust_wrapper.h aggregation header
  3. Invokes bindgen to produce aws_lc_bindings.rs in the build directory
  4. Supports the existing BORINGSSL_PREFIX mechanism — uses --prefix-link-name so Rust-side function names stay unprefixed while #[link_name] attributes carry the prefix for the linker
  5. During install, the bindings are placed at $INSTALL_DIR/share/rust/aws_lc_bindings.rs

Files added:

  • cmake/rust_bindings.cmake — Module containing the header discovery, prefix formatting, and bindgen invocation logic
  • cmake/rust_wrapper.h.in — Template header that aggregates all public headers for bindgen input

Call-outs:

  • The prefix symbols header (boringssl_prefix_symbols.h) is intentionally excluded from bindgen's input. The rationale is documented in the module-level comment in cmake/rust_bindings.cmake.
  • The rust_bindings target is not part of ALL. It is built on-demand when explicitly requested (--target rust_bindings) or automatically during cmake --install.
  • Platform-specific symbol prefix formatting (Apple/Win32 leading underscore) is handled by get_symbol_prefix_format().

Testing:

CI workflow added in .github/workflows/aws-lc-rs.yml (cmake-rust-bindings job) covering:

  • Linux (no prefix)
  • Linux with BORINGSSL_PREFIX=AWSLC
  • macOS (no prefix)
  • macOS with BORINGSSL_PREFIX=AWSLC
  • Windows (no prefix)

Each matrix entry verifies that bindings are generated, contain expected symbols, have correct prefix behavior, and compile as valid Rust.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.
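An added example (not code from this pull request or from AWS-LC): a check of the prefix contract described in item 4, confirming that each `pub fn` keeps its unprefixed Rust name while its `#[link_name]` carries the prefix. The sample bindings text is constructed; the attribute layout (one `#[link_name = "..."]` line directly above each declaration), the `AWSLC_` link prefix string and the name `prefix_violations` are assumptions.

```rust
// Constructed sample, not real bindgen output: one good entry, three bad ones.
const SAMPLE: &str = r#"
extern "C" {
    #[link_name = "AWSLC_EVP_sha256"]
    pub fn EVP_sha256() -> *const EVP_MD;
    pub fn RAND_bytes(buf: *mut u8, len: usize) -> ::std::os::raw::c_int;
    #[link_name = "EVP_DigestInit"]
    pub fn EVP_DigestInit(ctx: *mut EVP_MD_CTX, md: *const EVP_MD) -> ::std::os::raw::c_int;
    #[link_name = "AWSLC_AWSLC_SHA256"]
    pub fn AWSLC_SHA256(data: *const u8, len: usize, out: *mut u8) -> *mut u8;
}
"#;

/// One message per declaration that breaks the prefix contract.
/// `link_prefix` is the complete string expected before the C name (assumed
/// "AWSLC_"); any platform-specific leading underscore is the caller's concern.
pub fn prefix_violations(bindings: &str, link_prefix: &str) -> Vec<String> {
    let mut problems = Vec::new();
    let mut pending: Option<String> = None; // link_name awaiting its declaration
    for line in bindings.lines().map(str::trim) {
        if let Some(rest) = line.strip_prefix("#[link_name = \"") {
            pending = rest.strip_suffix("\"]").map(|s| s.to_string());
        } else if let Some(rest) = line.strip_prefix("pub fn ") {
            let name = rest.split('(').next().unwrap_or("").trim();
            if !link_prefix.is_empty() && name.starts_with(link_prefix) {
                problems.push(format!("{}: Rust-side name carries the prefix", name));
            }
            let expected = format!("{}{}", link_prefix, name);
            match pending.take() {
                Some(l) if l == expected => {}
                None if link_prefix.is_empty() => {} // unprefixed build needs no attribute
                Some(l) => problems.push(format!("{}: link_name {}, expected {}", name, l, expected)),
                None => problems.push(format!("{}: no link_name, expected {}", name, expected)),
            }
        } else if !line.starts_with("#[") {
            pending = None; // any other item ends the attribute's scope
        }
    }
    problems
}

fn main() {
    for p in prefix_violations(SAMPLE, "AWSLC_") {
        println!("{}", p);
    }
}
```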

@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 78.73%. Comparing base (d6d2288) to head (5ba9148).

Additional details and impacted files
@@               Coverage Diff                @@
##           fips-2025-09-12    #3048   +/-   ##
================================================
  Coverage            78.73%   78.73%           
================================================
  Files                  667      667           
  Lines               113072   113072           
  Branches             16056    16057    +1     
================================================
+ Hits                 89028    89031    +3     
+ Misses               23271    23266    -5     
- Partials               773      775    +2     


@justsmth justsmth merged commit da9f0bd into aws:fips-2025-09-12 Feb 26, 2026
132 of 158 checks passed