From 2345c2f988b20871034fd7a5c646d353cb521bfd Mon Sep 17 00:00:00 2001
From: Eliza Weisman
Date: Fri, 25 Aug 2023 14:29:55 -0700
Subject: [PATCH] boring-sys: include all files needed to build FIPS
This commit modifies the Cargo `include` field for `boring-sys` to include all the files necessary to actually build the FIPS-certified revision of BoringSSL. Currently, some of these files are missing (see #157 for details on this). This branch improves on my previous approach in PR #158, which switched from using a Cargo `include` to a Cargo `exclude`. Using `exclude` rather than `include` resulted in a much larger crates.io package, but at the time, I thought this was less likely to result in breakage in the future, because I was concerned about the inability to verify that the set of excludes/includes can build a new pinned `boringssl` git revision without having to actually publish a crates.io release. However, as @nox pointed out in [this comment][1], `cargo package` can be used to verify a build with the `exclude`s/`include`s applied. This branch therefore adds `cargo package` steps to CI that check that the package can actually be built. This way, we are able to make a much smaller change to the included files, resulting in a smaller package published to crates.io. On this branch, the package is 6.7MiB compressed, which is not much larger than it was previously: ``` Finished dev [unoptimized + debuginfo] target(s) in 55.65s Packaged 1851 files, 33.7MiB (6.7MiB compressed) ``` Fixes #157 Closes #158 [1]: https://github.com/cloudflare/boring/pull/158#issuecomment-1693067112,
---
boring-sys/Cargo.toml | 17 ++++++++++++-----
1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/boring-sys/Cargo.toml b/boring-sys/Cargo.toml
index 063c2f9b..dbf73f0a 100644
--- a/boring-sys/Cargo.toml
+++ b/boring-sys/Cargo.toml
@@ -17,6 +17,7 @@ include = [
 "/*.toml",
 "/LICENSE-MIT",
 "/cmake/*.cmake",
+ # boringssl (non-FIPS)
 "/deps/boringssl/**/*.[chS]",
 "/deps/boringssl/**/*.asm",
 "/deps/boringssl/sources.json",
@@ -27,16 +28,22 @@ include = [
 "/deps/boringssl/**/CMakeLists.txt",
 "/deps/boringssl/**/sources.cmake",
 "/deps/boringssl/LICENSE",
+ # boringssl (FIPS)
 "/deps/boringssl-fips/**/*.[chS]",
 "/deps/boringssl-fips/**/*.asm",
- "/deps/boringssl/sources.json",
- "/deps/boringssl/src/crypto/obj/obj_mac.num",
- "/deps/boringssl/src/crypto/obj/objects.txt",
+ "/deps/boringssl-fips/**/*.pl",
+ "/deps/boringssl-fips/**/*.go",
+ "/deps/boringssl-fips/**/go.mod",
+ "/deps/boringssl-fips/**/go.sum",
+ "/deps/boringssl-fips/sources.json",
+ "/deps/boringssl-fips/crypto/obj/obj_mac.num",
+ "/deps/boringssl-fips/crypto/obj/objects.txt",
+ "/deps/boringssl-fips/crypto/err/*.errordata",
 "/deps/boringssl-fips/**/*.bzl",
- "/deps/boringssl-fips/src/**/*.cc",
+ "/deps/boringssl-fips/**/*.cc",
 "/deps/boringssl-fips/**/CMakeLists.txt",
 "/deps/boringssl-fips/**/sources.cmake",
- "/deps/boringssl/LICENSE",
+ "/deps/boringssl-fips/LICENSE",
 "/build.rs",
 "/src",
 "/patches",
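Review bot: Nothing in this patch verifies the new FIPS `include` entries in the second hunk: the description relies on a `cargo package` CI step, but the diffstat lists `boring-sys/Cargo.toml` alone. As far as I know Cargo does not flag an `include` pattern that matches nothing, which is presumably how the removed `/deps/boringssl/...` entries sat inside the FIPS block unnoticed. The packaged-build job should therefore land with or before this list and run with the FIPS build enabled, so a stale path fails CI instead of shipping an unbuildable crate. It is also worth confirming that `/deps/boringssl-fips/sources.json` and the `crypto/obj/` paths (now without the `src/` prefix used for the non-FIPS tree) exist at the pinned FIPS revision. If the generator files are the reason for the `.pl`/`.go`/`go.mod`/`go.sum`/`.errordata` entries, a comment above them would record that, e.g. `# FIPS tree is built from source: perl/Go generators and their inputs must ship in the crate`.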