Skip to content

boring-sys: Ignore patches when boringSSL is precompiled #331

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
kornelski merged 2 commits into from
Mar 16, 2025
Merged

boring-sys: Ignore patches when boringSSL is precompiled #331

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
9410ee3
boring-sys: Ignore patches when boringSSL is precompiled
cjpatton Mar 11, 2025
90121f0
boring: Disable `SslCurve` API with "fips" feature
cjpatton Mar 11, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 8 additions & 3 deletions boring-sys/build/config.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -96,10 +96,15 @@ impl Config {
|| self.features.underscore_wildcards;

let patches_required = features_with_patches_enabled && !self.env.assume_patched;
let build_from_sources_required = self.features.fips_link_precompiled || patches_required;

if is_precompiled_native_lib && build_from_sources_required {
panic!("precompiled BoringSSL was provided, so FIPS configuration or optional patches can't be applied");
if is_precompiled_native_lib && patches_required {
println!(
"cargo:warning=precompiled BoringSSL was provided, so patches will be ignored"
);
}

if is_precompiled_native_lib && self.features.fips_link_precompiled {
panic!("precompiled BoringSSL was provided, so FIPS configuration can't be applied");
}
}
}
Expand Down
14 changes: 7 additions & 7 deletions boring/src/ssl/mod.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -718,15 +718,15 @@ impl SslCurve {
pub const X25519_KYBER768_DRAFT00: SslCurve =
SslCurve(ffi::SSL_CURVE_X25519_KYBER768_DRAFT00 as _);

#[cfg(feature = "pq-experimental")]
#[cfg(all(not(feature = "fips"), feature = "pq-experimental"))]
Copy link
Collaborator Author

@cjpatton cjpatton Mar 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not(feature = "fips") prevents us from building this code whenever "fips" is enabled. This is necessary because this API is too new for older boringSSL builds.

We could weaken this constraint to not(feature = "fips-compat"), but this is somewhat of a broader change than what this PR is trying to do.

Note: this is not a breaking change because "fips" and "pq-experimental" were previously mutually exclusive.

pub const X25519_KYBER768_DRAFT00_OLD: SslCurve =
SslCurve(ffi::SSL_CURVE_X25519_KYBER768_DRAFT00_OLD as _);
Comment on lines +721 to 723
Copy link
Collaborator Author

@cjpatton cjpatton Mar 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Alternatively we could just remove these non-standard APIs from the bindings.


#[cfg(feature = "pq-experimental")]
#[cfg(all(not(feature = "fips"), feature = "pq-experimental"))]
pub const X25519_KYBER512_DRAFT00: SslCurve =
SslCurve(ffi::SSL_CURVE_X25519_KYBER512_DRAFT00 as _);

#[cfg(feature = "pq-experimental")]
#[cfg(all(not(feature = "fips"), feature = "pq-experimental"))]
pub const P256_KYBER768_DRAFT00: SslCurve = SslCurve(ffi::SSL_CURVE_P256_KYBER768_DRAFT00 as _);

/// Returns the curve name
Expand Down Expand Up @@ -761,13 +761,13 @@ impl SslCurve {
ffi::SSL_CURVE_X25519 => Some(ffi::NID_X25519),
#[cfg(not(any(feature = "fips", feature = "fips-no-compat")))]
ffi::SSL_CURVE_X25519_KYBER768_DRAFT00 => Some(ffi::NID_X25519Kyber768Draft00),
#[cfg(feature = "pq-experimental")]
#[cfg(all(not(feature = "fips"), feature = "pq-experimental"))]
ffi::SSL_CURVE_X25519_KYBER768_DRAFT00_OLD => Some(ffi::NID_X25519Kyber768Draft00Old),
#[cfg(feature = "pq-experimental")]
#[cfg(all(not(feature = "fips"), feature = "pq-experimental"))]
ffi::SSL_CURVE_X25519_KYBER512_DRAFT00 => Some(ffi::NID_X25519Kyber512Draft00),
#[cfg(feature = "pq-experimental")]
#[cfg(all(not(feature = "fips"), feature = "pq-experimental"))]
ffi::SSL_CURVE_P256_KYBER768_DRAFT00 => Some(ffi::NID_P256Kyber768Draft00),
#[cfg(feature = "pq-experimental")]
#[cfg(all(not(feature = "fips"), feature = "pq-experimental"))]
ffi::SSL_CURVE_X25519_MLKEM768 => Some(ffi::NID_X25519MLKEM768),
_ => None,
}
Expand Down
Loading