Clean-up legacy FIPS options

Per BoringSSL's FIPS policy, its `main` branch is the "update branch"
for FedRAMP compliance's purposes.

This means that we can stop using a specific BoringSSL branch when
enabling FIPS, as well as a number of hacks that allowed us to build
more recent BoringSSL versions with an older pre-compiled FIPS modules.

This also required slightly updating the main BoringSSL submodule, as
the previous version had an issue when building with the FIPS option
enabled. This is turn required some changes to the PQ patch as well as
some APIs that don't seem to be exposed publicly, as well as changing
some paths in the other patches.

In order to allow a smooth upgrade of internal projects, the `fips-compat`
feature is reduced in scope and renamed to `legacy-compat-deprecated` so
that we can incrementally upgrade internal BoringSSL forks. In practice
this shouldn't really be something anyone else would need, since in
order to work it requires a specific mix of BoringSSL version and
backported patches.

.github/workflows/ci.yml

@@ -202,6 +202,10 @@ jobs:
       run: rustup update ${{ matrix.rust }} --no-self-update && rustup default ${{ matrix.rust }}
       shell: bash
     - run: rustup target add ${{ matrix.target }}
+    - name: Install golang
+      uses: actions/setup-go@v5
+      with:
+        go-version: '>=1.22.0'
     - name: Install target-specific APT dependencies
       if: "matrix.apt_packages != ''"
       run: sudo apt update && sudo apt install -y ${{ matrix.apt_packages }}
@@ -255,18 +259,10 @@ jobs:
     - name: Install Rust (rustup)
       run: rustup update stable --no-self-update && rustup default stable
       shell: bash
-    - name: Install Clang-12
-      uses: KyleMayes/install-llvm-action@v1
-      with:
-        version: "12.0.0"
-        directory: ${{ runner.temp }}/llvm
     - name: Install golang
       uses: actions/setup-go@v5
       with:
         go-version: '>=1.22.0'
-    - name: Add clang++-12 link
-      working-directory: ${{ runner.temp }}/llvm/bin
-      run: ln -s clang clang++-12
     - name: Run tests
       run: cargo test --features fips
     - name: Test boring-sys cargo publish (FIPS)
@@ -296,6 +292,10 @@ jobs:
     - name: Install Rust (rustup)
       run: rustup update stable --no-self-update && rustup default stable && rustup target add ${{ matrix.target }}
       shell: bash
+    - name: Install golang
+      uses: actions/setup-go@v5
+      with:
+        go-version: '>=1.22.0'
     - name: Install ${{ matrix.target }} toolchain
       run: brew tap messense/macos-cross-toolchains && brew install ${{ matrix.target }}
     - name: Set BORING_BSSL_SYSROOT

.gitmodules

@@ -2,6 +2,3 @@
 	path = boring-sys/deps/boringssl
 	url = https://github.com/google/boringssl.git
 	ignore = dirty
-[submodule "boring-sys/deps/boringssl-fips"]
-	path = boring-sys/deps/boringssl-fips
-	url = https://github.com/google/boringssl.git

boring-sys/Cargo.toml

@@ -19,35 +19,22 @@ include = [
     "/*.toml",
     "/LICENSE-MIT",
     "/cmake/*.cmake",
-    # boringssl (non-FIPS)
-    "/deps/boringssl/src/util/32-bit-toolchain.cmake",
     "/deps/boringssl/**/*.[chS]",
     "/deps/boringssl/**/*.asm",
-    "/deps/boringssl/sources.json",
+    "/deps/boringssl/**/*.pl",
-    "/deps/boringssl/src/crypto/obj/obj_mac.num",
+    "/deps/boringssl/**/*.go",
-    "/deps/boringssl/src/crypto/obj/objects.txt",
+    "/deps/boringssl/**/*.cmake",
+    "/deps/boringssl/**/go.mod",
+    "/deps/boringssl/**/go.sum",
+    "/deps/boringssl/crypto/obj/obj_mac.num",
+    "/deps/boringssl/crypto/obj/objects.txt",
+    "/deps/boringssl/crypto/err/*.errordata",
     "/deps/boringssl/**/*.bzl",
-    "/deps/boringssl/src/**/*.cc",
+    "/deps/boringssl/**/*.cc",
     "/deps/boringssl/**/CMakeLists.txt",
     "/deps/boringssl/**/sources.cmake",
+    "/deps/boringssl/**/util/go_tests.txt",
     "/deps/boringssl/LICENSE",
-    # boringssl (FIPS)
-    "/deps/boringssl-fips/src/util/32-bit-toolchain.cmake",
-    "/deps/boringssl-fips/**/*.[chS]",
-    "/deps/boringssl-fips/**/*.asm",
-    "/deps/boringssl-fips/**/*.pl",
-    "/deps/boringssl-fips/**/*.go",
-    "/deps/boringssl-fips/**/go.mod",
-    "/deps/boringssl-fips/**/go.sum",
-    "/deps/boringssl-fips/sources.json",
-    "/deps/boringssl-fips/crypto/obj/obj_mac.num",
-    "/deps/boringssl-fips/crypto/obj/objects.txt",
-    "/deps/boringssl-fips/crypto/err/*.errordata",
-    "/deps/boringssl-fips/**/*.bzl",
-    "/deps/boringssl-fips/**/*.cc",
-    "/deps/boringssl-fips/**/CMakeLists.txt",
-    "/deps/boringssl-fips/**/sources.cmake",
-    "/deps/boringssl-fips/LICENSE",
     "/build/*",
     "/src",
     "/patches",
@@ -66,14 +53,6 @@ rustdoc-args = ["--cfg", "docsrs"]
 # for instructions and more details on the boringssl FIPS flag.
 fips = []
 
-# Use a precompiled FIPS-validated version of BoringSSL. Meant to be used with
-# FIPS-20230428 or newer. Users must set `BORING_BSSL_FIPS_PATH` to use this
-# feature, or else the build will fail.
-fips-precompiled = []
-
-# Link with precompiled FIPS-validated `bcm.o` module.
-fips-link-precompiled = []
-
 # Enables Raw public key API (https://datatracker.ietf.org/doc/html/rfc7250)
 rpk = []
 

boring-sys/build/config.rs

@@ -16,8 +16,6 @@ pub(crate) struct Config {
 
 pub(crate) struct Features {
     pub(crate) fips: bool,
-    pub(crate) fips_precompiled: bool,
-    pub(crate) fips_link_precompiled: bool,
     pub(crate) pq_experimental: bool,
     pub(crate) rpk: bool,
     pub(crate) underscore_wildcards: bool,
@@ -27,7 +25,6 @@ pub(crate) struct Env {
     pub(crate) path: Option<PathBuf>,
     pub(crate) include_path: Option<PathBuf>,
     pub(crate) source_path: Option<PathBuf>,
-    pub(crate) precompiled_bcm_o: Option<PathBuf>,
     pub(crate) assume_patched: bool,
     pub(crate) sysroot: Option<PathBuf>,
     pub(crate) compiler_external_toolchain: Option<PathBuf>,
@@ -81,10 +78,6 @@ impl Config {
             panic!("`fips` and `rpk` features are mutually exclusive");
         }
 
-        if self.features.fips_precompiled && self.features.rpk {
-            panic!("`fips-precompiled` and `rpk` features are mutually exclusive");
-        }
-
         let is_precompiled_native_lib = self.env.path.is_some();
         let is_external_native_lib_source =
             !is_precompiled_native_lib && self.env.source_path.is_none();
@@ -107,32 +100,18 @@ impl Config {
                 "cargo:warning=precompiled BoringSSL was provided, so patches will be ignored"
             );
         }
-
-        // todo(rmehra): should this even be a restriction? why not let people link a custom bcm.o?
-        // precompiled boringssl will include libcrypto.a
-        if is_precompiled_native_lib && self.features.fips_link_precompiled {
-            panic!("precompiled BoringSSL was provided, so FIPS configuration can't be applied");
-        }
-
-        if !is_precompiled_native_lib && self.features.fips_precompiled {
-            panic!("`fips-precompiled` feature requires `BORING_BSSL_FIPS_PATH` to be set");
-        }
     }
 }
 
 impl Features {
     fn from_env() -> Self {
         let fips = env::var_os("CARGO_FEATURE_FIPS").is_some();
-        let fips_precompiled = env::var_os("CARGO_FEATURE_FIPS_PRECOMPILED").is_some();
-        let fips_link_precompiled = env::var_os("CARGO_FEATURE_FIPS_LINK_PRECOMPILED").is_some();
         let pq_experimental = env::var_os("CARGO_FEATURE_PQ_EXPERIMENTAL").is_some();
         let rpk = env::var_os("CARGO_FEATURE_RPK").is_some();
         let underscore_wildcards = env::var_os("CARGO_FEATURE_UNDERSCORE_WILDCARDS").is_some();
 
         Self {
             fips,
-            fips_precompiled,
-            fips_link_precompiled,
             pq_experimental,
             rpk,
             underscore_wildcards,
@@ -140,7 +119,7 @@ impl Features {
     }
 
     pub(crate) fn is_fips_like(&self) -> bool {
-        self.fips || self.fips_precompiled || self.fips_link_precompiled
+        self.fips
     }
 }
 
@@ -175,7 +154,6 @@ impl Env {
             path: boringssl_var("BORING_BSSL_PATH").map(PathBuf::from),
             include_path: boringssl_var("BORING_BSSL_INCLUDE_PATH").map(PathBuf::from),
             source_path: boringssl_var("BORING_BSSL_SOURCE_PATH").map(PathBuf::from),
-            precompiled_bcm_o: boringssl_var("BORING_BSSL_PRECOMPILED_BCM_O").map(PathBuf::from),
             assume_patched: boringssl_var("BORING_BSSL_ASSUME_PATCHED")
                 .is_some_and(|v| !v.is_empty()),
             sysroot: boringssl_var("BORING_BSSL_SYSROOT").map(PathBuf::from),

boring-sys/build/main.rs

@@ -50,6 +50,7 @@ const CMAKE_PARAMS_APPLE: &[(&str, &[(&str, &str)])] = &[
         &[
             ("CMAKE_OSX_ARCHITECTURES", "arm64"),
             ("CMAKE_OSX_SYSROOT", "iphoneos"),
+            ("CMAKE_MACOSX_BUNDLE", "OFF"),
         ],
     ),
     (
@@ -57,6 +58,7 @@ const CMAKE_PARAMS_APPLE: &[(&str, &[(&str, &str)])] = &[
         &[
             ("CMAKE_OSX_ARCHITECTURES", "arm64"),
             ("CMAKE_OSX_SYSROOT", "iphonesimulator"),
+            ("CMAKE_MACOSX_BUNDLE", "OFF"),
         ],
     ),
     (
@@ -64,6 +66,7 @@ const CMAKE_PARAMS_APPLE: &[(&str, &[(&str, &str)])] = &[
         &[
             ("CMAKE_OSX_ARCHITECTURES", "x86_64"),
             ("CMAKE_OSX_SYSROOT", "iphonesimulator"),
+            ("CMAKE_MACOSX_BUNDLE", "OFF"),
         ],
     ),
     // macOS
@@ -114,11 +117,7 @@ fn get_boringssl_source_path(config: &Config) -> &PathBuf {
     static SOURCE_PATH: OnceLock<PathBuf> = OnceLock::new();
 
     SOURCE_PATH.get_or_init(|| {
-        let submodule_dir = if config.features.fips {
+        let submodule_dir = "boringssl";
-            "boringssl-fips"
-        } else {
-            "boringssl"
-        };
 
         let src_path = config.out_dir.join(submodule_dir);
 
@@ -304,7 +303,7 @@ fn get_boringssl_cmake_config(config: &Config) -> cmake::Config {
                     config
                         .manifest_dir
                         .join(src_path)
-                        .join("src/util/32-bit-toolchain.cmake")
+                        .join("util/32-bit-toolchain.cmake")
                         .as_os_str(),
                 );
             }
@@ -340,55 +339,6 @@ fn get_boringssl_cmake_config(config: &Config) -> cmake::Config {
     boringssl_cmake
 }
 
-/// Verify that the toolchains match <https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3678.pdf>
-/// See "Installation Instructions" under section 12.1.
-// TODO: maybe this should also verify the Go and Ninja versions? But those haven't been an issue in practice ...
-fn verify_fips_clang_version() -> (&'static str, &'static str) {
-    fn version(tool: &str) -> Option<String> {
-        let output = match Command::new(tool).arg("--version").output() {
-            Ok(o) => o,
-            Err(e) => {
-                println!("cargo:warning=missing {tool}, trying other compilers: {e}");
-                // NOTE: hard-codes that the loop below checks the version
-                return None;
-            }
-        };
-        if !output.status.success() {
-            return Some(String::new());
-        }
-        let output = std::str::from_utf8(&output.stdout).expect("invalid utf8 output");
-        Some(output.lines().next().expect("empty output").to_string())
-    }
-
-    const REQUIRED_CLANG_VERSION: &str = "12.0.0";
-    for (cc, cxx) in [
-        ("clang-12", "clang++-12"),
-        ("clang", "clang++"),
-        ("cc", "c++"),
-    ] {
-        let (Some(cc_version), Some(cxx_version)) = (version(cc), version(cxx)) else {
-            continue;
-        };
-
-        if cc_version.contains(REQUIRED_CLANG_VERSION) {
-            assert!(
-                cxx_version.contains(REQUIRED_CLANG_VERSION),
-                "mismatched versions of cc and c++"
-            );
-            return (cc, cxx);
-        } else if cc == "cc" {
-            panic!(
-                "unsupported clang version \"{cc_version}\": FIPS requires clang {REQUIRED_CLANG_VERSION}"
-            );
-        } else if !cc_version.is_empty() {
-            println!(
-                "cargo:warning=FIPS requires clang version {REQUIRED_CLANG_VERSION}, skipping incompatible version \"{cc_version}\""
-            );
-        }
-    }
-    unreachable!()
-}
-
 fn pick_best_android_ndk_toolchain(toolchains_dir: &Path) -> std::io::Result<OsString> {
     let toolchains = std::fs::read_dir(toolchains_dir)?.collect::<Result<Vec<_>, _>>()?;
     // First look for one of the toolchains that Google has documented.
@@ -591,66 +541,17 @@ fn built_boring_source_path(config: &Config) -> &PathBuf {
         }
 
         if config.features.fips {
-            let (clang, clangxx) = verify_fips_clang_version();
+            cfg.define("CMAKE_C_COMPILER", "clang")
-            cfg.define("CMAKE_C_COMPILER", clang)
+                .define("CMAKE_CXX_COMPILER", "clang++")
-                .define("CMAKE_CXX_COMPILER", clangxx)
+                .define("CMAKE_ASM_COMPILER", "clang")
-                .define("CMAKE_ASM_COMPILER", clang)
                 .define("FIPS", "1");
         }
 
-        if config.features.fips_link_precompiled {
-            cfg.define("FIPS", "1");
-        }
-
         cfg.build_target("ssl").build();
         cfg.build_target("crypto").build()
     })
 }
 
-fn link_in_precompiled_bcm_o(config: &Config) {
-    println!("cargo:warning=linking in precompiled `bcm.o` module");
-
-    let bssl_dir = built_boring_source_path(config);
-    let bcm_o_src_path = config.env.precompiled_bcm_o.as_ref()
-        .expect("`fips-link-precompiled` requires `BORING_BSSL_FIPS_PRECOMPILED_BCM_O` env variable to be specified");
-
-    let libcrypto_path = bssl_dir
-        .join("build/crypto/libcrypto.a")
-        .canonicalize()
-        .unwrap();
-
-    let bcm_o_dst_path = bssl_dir.join("build/bcm-fips.o");
-
-    fs::copy(bcm_o_src_path, &bcm_o_dst_path).unwrap();
-
-    // check that fips module is named as expected
-    let out = run_command(
-        Command::new("ar")
-            .arg("t")
-            .arg(&libcrypto_path)
-            .arg("bcm.o"),
-    )
-    .unwrap();
-
-    assert_eq!(
-        String::from_utf8(out.stdout).unwrap().trim(),
-        "bcm.o",
-        "failed to verify FIPS module name"
-    );
-
-    // insert fips bcm.o before bcm.o into libcrypto.a,
-    // so for all duplicate symbols the older fips bcm.o is used
-    // (this causes the need for extra linker flags to deal with duplicate symbols)
-    // (as long as the newer module does not define new symbols, one may also remove it,
-    // but once there are new symbols it would cause missing symbols at linking stage)
-    run_command(
-        Command::new("ar")
-            .args(["rb", "bcm.o"])
-            .args([&libcrypto_path, &bcm_o_dst_path]),
-    )
-    .unwrap();
-}
-
 fn get_cpp_runtime_lib(config: &Config) -> Option<String> {
     if let Some(ref cpp_lib) = config.env.cpp_runtime_lib {
         return cpp_lib.clone().into_string().ok();
@@ -709,10 +610,6 @@ fn emit_link_directives(config: &Config) {
         );
     }
 
-    if config.features.fips_link_precompiled {
-        link_in_precompiled_bcm_o(config);
-    }
-
     if let Some(cpp_lib) = get_cpp_runtime_lib(config) {
         println!("cargo:rustc-link-lib={cpp_lib}");
     }
@@ -785,7 +682,6 @@ fn generate_bindings(config: &Config) {
         "des.h",
         "dtls1.h",
         "hkdf.h",
-        #[cfg(not(feature = "fips"))]
         "hpke.h",
         "hmac.h",
         "hrss.h",

boring-sys/deps/boringssl

@@ -1 +1 @@
-Subproject commit 44b3df6f03d85c901767250329c571db405122d5
+Subproject commit 478b28ab12f2001a03261624261fd041f5439706

boring-sys/deps/boringssl-fips

@@ -1 +0,0 @@
-Subproject commit 853ca1ea1168dff08011e5d42d94609cc0ca2e27

boring-sys/patches/rpk.patch

@@ -1,7 +1,7 @@
-diff --git a/src/include/openssl/ssl.h b/src/include/openssl/ssl.h
+diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
-index 53aa9b453..87309c3e1 100644
+index 003e0a5f7..b8f8d49c8 100644
---- a/src/include/openssl/ssl.h
+--- a/include/openssl/ssl.h
-+++ b/src/include/openssl/ssl.h
++++ b/include/openssl/ssl.h
 @@ -138,6 +138,25 @@
   * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
   * OTHERWISE.
@@ -28,7 +28,7 @@ index 53aa9b453..87309c3e1 100644
  
  #ifndef OPENSSL_HEADER_SSL_H
  #define OPENSSL_HEADER_SSL_H
-@@ -1136,6 +1155,16 @@ OPENSSL_EXPORT int SSL_CTX_set_chain_and_key(
+@@ -1138,6 +1157,16 @@ OPENSSL_EXPORT int SSL_CTX_set_chain_and_key(
      SSL_CTX *ctx, CRYPTO_BUFFER *const *certs, size_t num_certs,
      EVP_PKEY *privkey, const SSL_PRIVATE_KEY_METHOD *privkey_method);
  
@@ -45,7 +45,7 @@ index 53aa9b453..87309c3e1 100644
  // SSL_set_chain_and_key sets the certificate chain and private key for a TLS
  // client or server. References to the given |CRYPTO_BUFFER| and |EVP_PKEY|
  // objects are added as needed. Exactly one of |privkey| or |privkey_method|
-@@ -1144,6 +1173,16 @@ OPENSSL_EXPORT int SSL_set_chain_and_key(
+@@ -1146,6 +1175,16 @@ OPENSSL_EXPORT int SSL_set_chain_and_key(
      SSL *ssl, CRYPTO_BUFFER *const *certs, size_t num_certs, EVP_PKEY *privkey,
      const SSL_PRIVATE_KEY_METHOD *privkey_method);
  
@@ -62,8 +62,8 @@ index 53aa9b453..87309c3e1 100644
  // SSL_CTX_get0_chain returns the list of |CRYPTO_BUFFER|s that were set by
  // |SSL_CTX_set_chain_and_key|. Reference counts are not incremented by this
  // call. The return value may be |NULL| if no chain has been set.
-@@ -3023,6 +3062,21 @@ OPENSSL_EXPORT void SSL_get0_peer_application_settings(const SSL *ssl,
+@@ -3041,6 +3080,21 @@ OPENSSL_EXPORT int SSL_has_application_settings(const SSL *ssl);
- OPENSSL_EXPORT int SSL_has_application_settings(const SSL *ssl);
+ OPENSSL_EXPORT void SSL_set_alps_use_new_codepoint(SSL *ssl, int use_new);
  
  
 +// Server Certificate Type.
@@ -84,10 +84,10 @@ index 53aa9b453..87309c3e1 100644
  // Certificate compression.
  //
  // Certificates in TLS 1.3 can be compressed (RFC 8879). BoringSSL supports this
-diff --git a/src/include/openssl/tls1.h b/src/include/openssl/tls1.h
+diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
-index 772fb87a3..be605c1aa 100644
+index c1207a3b7..ac6ed222a 100644
---- a/src/include/openssl/tls1.h
+--- a/include/openssl/tls1.h
-+++ b/src/include/openssl/tls1.h
++++ b/include/openssl/tls1.h
 @@ -146,6 +146,25 @@
   * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
   * OTHERWISE.
@@ -124,10 +124,10 @@ index 772fb87a3..be605c1aa 100644
  // ExtensionType value from RFC 7685
  #define TLSEXT_TYPE_padding 21
  
-diff --git a/src/ssl/extensions.cc b/src/ssl/extensions.cc
+diff --git a/ssl/extensions.cc b/ssl/extensions.cc
-index 5ee280221..2692e5478 100644
+index b13400097..8694712fd 100644
---- a/src/ssl/extensions.cc
+--- a/ssl/extensions.cc
-+++ b/src/ssl/extensions.cc
++++ b/ssl/extensions.cc
 @@ -105,6 +105,25 @@
   * This product includes cryptographic software written by Eric Young
   * (eay@cryptsoft.com).  This product includes software written by Tim
@@ -154,7 +154,7 @@ index 5ee280221..2692e5478 100644
  
  #include <openssl/ssl.h>
  
-@@ -3094,6 +3113,146 @@ bool ssl_negotiate_alps(SSL_HANDSHAKE *hs, uint8_t *out_alert,
+@@ -3108,6 +3127,146 @@ bool ssl_negotiate_alps(SSL_HANDSHAKE *hs, uint8_t *out_alert,
    return true;
  }
  
@@ -301,9 +301,9 @@ index 5ee280221..2692e5478 100644
  // kExtensions contains all the supported extensions.
  static const struct tls_extension kExtensions[] = {
    {
-@@ -3267,6 +3426,13 @@ static const struct tls_extension kExtensions[] = {
+@@ -3289,6 +3448,13 @@ static const struct tls_extension kExtensions[] = {
      ignore_parse_clienthello,
-     ext_alps_add_serverhello,
+     ext_alps_add_serverhello_old,
    },
 +  {
 +    TLSEXT_TYPE_server_certificate_type,
@@ -315,10 +315,10 @@ index 5ee280221..2692e5478 100644
  };
  
  #define kNumExtensions (sizeof(kExtensions) / sizeof(struct tls_extension))
-diff --git a/src/ssl/handshake.cc b/src/ssl/handshake.cc
+diff --git a/ssl/handshake.cc b/ssl/handshake.cc
-index 8d5a23872..b9ac70dfe 100644
+index 8d5a23872..c8ca629e8 100644
---- a/src/ssl/handshake.cc
+--- a/ssl/handshake.cc
-+++ b/src/ssl/handshake.cc
++++ b/ssl/handshake.cc
 @@ -109,6 +109,25 @@
   * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
   * ECC cipher suite support in OpenSSL originally developed by
@@ -345,14 +345,14 @@ index 8d5a23872..b9ac70dfe 100644
  
  #include <openssl/ssl.h>
  
-@@ -150,6 +169,7 @@ SSL_HANDSHAKE::SSL_HANDSHAKE(SSL *ssl_arg)
+@@ -148,6 +167,7 @@ SSL_HANDSHAKE::SSL_HANDSHAKE(SSL *ssl_arg)
+       handback(false),
+       hints_requested(false),
        cert_compression_negotiated(false),
 +      server_certificate_type_negotiated(false),
        apply_jdk11_workaround(false),
        can_release_private_key(false),
        channel_id_negotiated(false) {
-   assert(ssl);
- 
 @@ -365,7 +385,21 @@ enum ssl_verify_result_t ssl_verify_peer_cert(SSL_HANDSHAKE *hs) {
  
    uint8_t alert = SSL_AD_CERTIFICATE_UNKNOWN;
@@ -376,10 +376,10 @@ index 8d5a23872..b9ac70dfe 100644
      ret = hs->config->custom_verify_callback(ssl, &alert);
      switch (ret) {
        case ssl_verify_ok:
-diff --git a/src/ssl/internal.h b/src/ssl/internal.h
+diff --git a/ssl/internal.h b/ssl/internal.h
-index 1e6da2153..f04888384 100644
+index c9facb699..d7363e729 100644
---- a/src/ssl/internal.h
+--- a/ssl/internal.h
-+++ b/src/ssl/internal.h
++++ b/ssl/internal.h
 @@ -138,6 +138,25 @@
   * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
   * OTHERWISE.
@@ -406,7 +406,7 @@ index 1e6da2153..f04888384 100644
  
  #ifndef OPENSSL_HEADER_SSL_INTERNAL_H
  #define OPENSSL_HEADER_SSL_INTERNAL_H
-@@ -1286,6 +1305,8 @@ int ssl_write_buffer_flush(SSL *ssl);
+@@ -1311,6 +1330,8 @@ int ssl_write_buffer_flush(SSL *ssl);
  // configured.
  bool ssl_has_certificate(const SSL_HANDSHAKE *hs);
  
@@ -415,7 +415,7 @@ index 1e6da2153..f04888384 100644
  // ssl_parse_cert_chain parses a certificate list from |cbs| in the format used
  // by a TLS Certificate message. On success, it advances |cbs| and returns
  // true. Otherwise, it returns false and sets |*out_alert| to an alert to send
-@@ -1887,6 +1908,8 @@ struct SSL_HANDSHAKE {
+@@ -1912,6 +1933,8 @@ struct SSL_HANDSHAKE {
    // |cert_compression_negotiated| is true.
    uint16_t cert_compression_alg_id;
  
@@ -424,7 +424,7 @@ index 1e6da2153..f04888384 100644
    // ech_hpke_ctx is the HPKE context used in ECH. On the server, it is
    // initialized if |ech_status| is |ssl_ech_accepted|. On the client, it is
    // initialized if |selected_ech_config| is not nullptr.
-@@ -2037,6 +2060,8 @@ struct SSL_HANDSHAKE {
+@@ -2062,6 +2085,8 @@ struct SSL_HANDSHAKE {
    // cert_compression_negotiated is true iff |cert_compression_alg_id| is valid.
    bool cert_compression_negotiated : 1;
  
@@ -433,7 +433,7 @@ index 1e6da2153..f04888384 100644
    // apply_jdk11_workaround is true if the peer is probably a JDK 11 client
    // which implemented TLS 1.3 incorrectly.
    bool apply_jdk11_workaround : 1;
-@@ -3049,6 +3074,9 @@ struct SSL_CONFIG {
+@@ -3074,6 +3099,9 @@ struct SSL_CONFIG {
    // along with their corresponding ALPS values.
    GrowableArray<ALPSConfig> alps_configs;
  
@@ -443,7 +443,7 @@ index 1e6da2153..f04888384 100644
    // Contains the QUIC transport params that this endpoint will send.
    Array<uint8_t> quic_transport_params;
  
-@@ -3648,6 +3676,9 @@ struct ssl_ctx_st {
+@@ -3666,6 +3694,9 @@ struct ssl_ctx_st {
    // format.
    bssl::Array<uint8_t> alpn_client_proto_list;
  
@@ -453,10 +453,10 @@ index 1e6da2153..f04888384 100644
    // SRTP profiles we are willing to do from RFC 5764
    bssl::UniquePtr<STACK_OF(SRTP_PROTECTION_PROFILE)> srtp_profiles;
  
-diff --git a/src/ssl/ssl_cert.cc b/src/ssl/ssl_cert.cc
+diff --git a/ssl/ssl_cert.cc b/ssl/ssl_cert.cc
 index aa46a8bb6..d90840fce 100644
---- a/src/ssl/ssl_cert.cc
+--- a/ssl/ssl_cert.cc
-+++ b/src/ssl/ssl_cert.cc
++++ b/ssl/ssl_cert.cc
 @@ -111,6 +111,25 @@
   * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
   * ECC cipher suite support in OpenSSL originally developed by
@@ -573,10 +573,10 @@ index aa46a8bb6..d90840fce 100644
  const STACK_OF(CRYPTO_BUFFER)* SSL_CTX_get0_chain(const SSL_CTX *ctx) {
    return ctx->cert->chain.get();
  }
-diff --git a/src/ssl/ssl_lib.cc b/src/ssl/ssl_lib.cc
+diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc
-index 838761af5..e4f1a12b7 100644
+index 58b68e675..384debbd3 100644
---- a/src/ssl/ssl_lib.cc
+--- a/ssl/ssl_lib.cc
-+++ b/src/ssl/ssl_lib.cc
++++ b/ssl/ssl_lib.cc
 @@ -137,6 +137,25 @@
   * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
   * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
@@ -615,8 +615,8 @@ index 838761af5..e4f1a12b7 100644
    if (!ssl->method->ssl_new(ssl.get()) ||
        !ssl->ctx->x509_method->ssl_new(ssl->s3->hs.get())) {
      return nullptr;
-@@ -3140,6 +3164,53 @@ int SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg) {
+@@ -3249,6 +3273,53 @@ int SSL_set1_curves_list(SSL *ssl, const char *curves) {
-   return 1;
+   return SSL_set1_groups_list(ssl, curves);
  }
  
 +int SSL_CTX_set_server_raw_public_key_certificate(SSL_CTX *ctx,
@@ -669,10 +669,10 @@ index 838761af5..e4f1a12b7 100644
  namespace fips202205 {
  
  // (References are to SP 800-52r2):
-diff --git a/src/ssl/tls13_both.cc b/src/ssl/tls13_both.cc
+diff --git a/ssl/tls13_both.cc b/ssl/tls13_both.cc
 index 5ab5a1c93..79135613e 100644
---- a/src/ssl/tls13_both.cc
+--- a/ssl/tls13_both.cc
-+++ b/src/ssl/tls13_both.cc
++++ b/ssl/tls13_both.cc
 @@ -11,6 +11,25 @@
   * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
   * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
@@ -750,10 +750,10 @@ index 5ab5a1c93..79135613e 100644
    if (!ssl_has_certificate(hs)) {
      return ssl_add_message_cbb(ssl, cbb.get());
    }
-diff --git a/src/ssl/tls13_server.cc b/src/ssl/tls13_server.cc
+diff --git a/ssl/tls13_server.cc b/ssl/tls13_server.cc
-index 9d26f4e00..a92689761 100644
+index 707cf846b..6916606c2 100644
---- a/src/ssl/tls13_server.cc
+--- a/ssl/tls13_server.cc
-+++ b/src/ssl/tls13_server.cc
++++ b/ssl/tls13_server.cc
 @@ -11,6 +11,25 @@
   * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
   * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

boring-sys/patches/underscore-wildcards.patch

@@ -1,21 +1,10 @@
 https://github.com/google/boringssl/compare/master...cloudflare:boringssl:underscore-wildcards
 
---- a/src/crypto/x509v3/v3_utl.c
+diff --git a/crypto/x509/x509_test.cc b/crypto/x509/x509_test.cc
-+++ b/src/crypto/x509v3/v3_utl.c
+index 9699b5a75..b0e9b34a6 100644
-@@ -790,7 +790,9 @@ static int wildcard_match(const unsigned char *prefix, size_t prefix_len,
+--- a/crypto/x509/x509_test.cc
-   // Check that the part matched by the wildcard contains only
++++ b/crypto/x509/x509_test.cc
-   // permitted characters and only matches a single label.
+@@ -4420,6 +4420,31 @@ TEST(X509Test, Names) {
-   for (p = wildcard_start; p != wildcard_end; ++p) {
--    if (!OPENSSL_isalnum(*p) && *p != '-') {
-+    if (!OPENSSL_isalnum(*p) && *p != '-' &&
-+        !(*p == '_' &&
-+          (flags & X509_CHECK_FLAG_UNDERSCORE_WILDCARDS))) {
-       return 0;
-     }
-   }
---- a/src/crypto/x509/x509_test.cc
-+++ b/src/crypto/x509/x509_test.cc
-@@ -4500,6 +4500,31 @@ TEST(X509Test, Names) {
            /*invalid_emails=*/{},
            /*flags=*/0,
        },
@@ -47,9 +36,26 @@ https://github.com/google/boringssl/compare/master...cloudflare:boringssl:unders
    };
  
    size_t i = 0;
---- a/src/include/openssl/x509c3.h
+diff --git a/crypto/x509v3/v3_utl.c b/crypto/x509v3/v3_utl.c
-+++ b/src/include/openssl/x509v3.h
+index bbc82e283..e61e1901d 100644
-@@ -4497,6 +4497,8 @@ OPENSSL_EXPORT int X509_PURPOSE_get_id(const X509_PURPOSE *);
+--- a/crypto/x509v3/v3_utl.c
++++ b/crypto/x509v3/v3_utl.c
+@@ -790,7 +790,9 @@ static int wildcard_match(const unsigned char *prefix, size_t prefix_len,
+   // Check that the part matched by the wildcard contains only
+   // permitted characters and only matches a single label.
+   for (p = wildcard_start; p != wildcard_end; ++p) {
+-    if (!OPENSSL_isalnum(*p) && *p != '-') {
++    if (!OPENSSL_isalnum(*p) && *p != '-' &&
++        !(*p == '_' &&
++          (flags & X509_CHECK_FLAG_UNDERSCORE_WILDCARDS))) {
+       return 0;
+     }
+   }
+diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h
+index 2a2e02c2e..24e0604b0 100644
+--- a/include/openssl/x509v3.h
++++ b/include/openssl/x509v3.h
+@@ -939,6 +939,8 @@ OPENSSL_EXPORT STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x);
  #define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
  // Skip the subject common name fallback if subjectAltNames is missing.
  #define X509_CHECK_FLAG_NEVER_CHECK_SUBJECT 0x20
@@ -58,4 +64,3 @@ https://github.com/google/boringssl/compare/master...cloudflare:boringssl:unders
  
  OPENSSL_EXPORT int X509_check_host(X509 *x, const char *chk, size_t chklen,
                                     unsigned int flags, char **peername);
--- 

boring/Cargo.toml

@@ -19,29 +19,11 @@ rustdoc-args = ["--cfg", "docsrs"]
 [features]
 # Controlling the build
 
-# NOTE: This feature is deprecated. It is needed for the submoduled
-# boringssl-fips, which is extremely old and requires modifications to the
-# bindings, as some newer APIs don't exist and some function signatures have
-# changed. It is highly recommended to use `fips-precompiled` instead.
-#
-# This feature sets `fips-compat` on behalf of the user to guarantee bindings
-# compatibility with the submoduled boringssl-fips.
-#
 # Use a FIPS-validated version of BoringSSL.
-fips = ["fips-compat", "boring-sys/fips"]
+fips = ["boring-sys/fips"]
 
-# Build with compatibility for the submoduled boringssl-fips, without enabling
+# **DO NOT USE** This will be removed without warning in future releases.
-# the `fips` feature itself (useful e.g. if `fips-link-precompiled` is used
+legacy-compat-deprecated = []
-# with an older BoringSSL version).
-fips-compat = []
-
-# Use a precompiled FIPS-validated version of BoringSSL. Meant to be used with
-# FIPS-20230428 or newer. Users must set `BORING_BSSL_FIPS_PATH` to use this
-# feature, or else the build will fail.
-fips-precompiled = ["boring-sys/fips-precompiled"]
-
-# Link with precompiled FIPS-validated `bcm.o` module.
-fips-link-precompiled = ["boring-sys/fips-link-precompiled"]
 
 # Enables Raw public key API (https://datatracker.ietf.org/doc/html/rfc7250)
 # This feature is necessary in order to compile the bindings for the

boring/src/bio.rs

@@ -19,9 +19,9 @@ impl Drop for MemBioSlice<'_> {
 
 impl<'a> MemBioSlice<'a> {
     pub fn new(buf: &'a [u8]) -> Result<MemBioSlice<'a>, ErrorStack> {
-        #[cfg(not(feature = "fips-compat"))]
+        #[cfg(not(feature = "legacy-compat-deprecated"))]
         type BufLen = isize;
-        #[cfg(feature = "fips-compat")]
+        #[cfg(feature = "legacy-compat-deprecated")]
         type BufLen = libc::c_int;
 
         ffi::init();

boring/src/fips.rs

@@ -15,16 +15,8 @@ pub fn enabled() -> bool {
 
 #[test]
 fn is_enabled() {
-    #[cfg(any(
+    #[cfg(feature = "fips")]
-        feature = "fips",
-        feature = "fips-precompiled",
-        feature = "fips-link-precompiled"
-    ))]
     assert!(enabled());
-    #[cfg(not(any(
+    #[cfg(not(feature = "fips"))]
-        feature = "fips",
-        feature = "fips-precompiled",
-        feature = "fips-link-precompiled"
-    )))]
     assert!(!enabled());
 }

boring/src/lib.rs

@@ -137,7 +137,6 @@ pub mod error;
 pub mod ex_data;
 pub mod fips;
 pub mod hash;
-#[cfg(not(feature = "fips"))]
 pub mod hpke;
 pub mod memcmp;
 pub mod nid;

boring/src/ssl/mod.rs

@@ -104,7 +104,6 @@ pub use self::async_callbacks::{
 pub use self::connector::{
     ConnectConfiguration, SslAcceptor, SslAcceptorBuilder, SslConnector, SslConnectorBuilder,
 };
-#[cfg(not(feature = "fips"))]
 pub use self::ech::{SslEchKeys, SslEchKeysRef};
 pub use self::error::{Error, ErrorCode, HandshakeError};
 
@@ -112,7 +111,6 @@ mod async_callbacks;
 mod bio;
 mod callbacks;
 mod connector;
-#[cfg(not(feature = "fips"))]
 mod ech;
 mod error;
 mod mut_only;
@@ -708,45 +706,32 @@ pub struct SslCurveNid(c_int);
 pub struct SslCurve(c_int);
 
 impl SslCurve {
-    pub const SECP224R1: SslCurve = SslCurve(ffi::SSL_CURVE_SECP224R1 as _);
+    pub const SECP224R1: SslCurve = SslCurve(ffi::SSL_GROUP_SECP224R1 as _);
 
-    pub const SECP256R1: SslCurve = SslCurve(ffi::SSL_CURVE_SECP256R1 as _);
+    pub const SECP256R1: SslCurve = SslCurve(ffi::SSL_GROUP_SECP256R1 as _);
 
-    pub const SECP384R1: SslCurve = SslCurve(ffi::SSL_CURVE_SECP384R1 as _);
+    pub const SECP384R1: SslCurve = SslCurve(ffi::SSL_GROUP_SECP384R1 as _);
 
-    pub const SECP521R1: SslCurve = SslCurve(ffi::SSL_CURVE_SECP521R1 as _);
+    pub const SECP521R1: SslCurve = SslCurve(ffi::SSL_GROUP_SECP521R1 as _);
 
-    pub const X25519: SslCurve = SslCurve(ffi::SSL_CURVE_X25519 as _);
+    pub const X25519: SslCurve = SslCurve(ffi::SSL_GROUP_X25519 as _);
 
-    #[cfg(not(any(feature = "fips", feature = "fips-precompiled")))]
     pub const X25519_KYBER768_DRAFT00: SslCurve =
-        SslCurve(ffi::SSL_CURVE_X25519_KYBER768_DRAFT00 as _);
+        SslCurve(ffi::SSL_GROUP_X25519_KYBER768_DRAFT00 as _);
 
-    #[cfg(all(
+    #[cfg(feature = "pq-experimental")]
-        not(any(feature = "fips", feature = "fips-precompiled")),
-        feature = "pq-experimental"
-    ))]
     pub const X25519_KYBER768_DRAFT00_OLD: SslCurve =
-        SslCurve(ffi::SSL_CURVE_X25519_KYBER768_DRAFT00_OLD as _);
+        SslCurve(ffi::SSL_GROUP_X25519_KYBER768_DRAFT00_OLD as _);
 
-    #[cfg(all(
+    #[cfg(feature = "pq-experimental")]
-        not(any(feature = "fips", feature = "fips-precompiled")),
-        feature = "pq-experimental"
-    ))]
     pub const X25519_KYBER512_DRAFT00: SslCurve =
-        SslCurve(ffi::SSL_CURVE_X25519_KYBER512_DRAFT00 as _);
+        SslCurve(ffi::SSL_GROUP_X25519_KYBER512_DRAFT00 as _);
 
-    #[cfg(all(
+    #[cfg(feature = "pq-experimental")]
-        not(any(feature = "fips", feature = "fips-precompiled")),
+    pub const P256_KYBER768_DRAFT00: SslCurve = SslCurve(ffi::SSL_GROUP_P256_KYBER768_DRAFT00 as _);
-        feature = "pq-experimental"
-    ))]
-    pub const P256_KYBER768_DRAFT00: SslCurve = SslCurve(ffi::SSL_CURVE_P256_KYBER768_DRAFT00 as _);
 
-    #[cfg(all(
+    #[cfg(feature = "pq-experimental")]
-        not(any(feature = "fips", feature = "fips-precompiled")),
+    pub const X25519_MLKEM768: SslCurve = SslCurve(ffi::SSL_GROUP_X25519_MLKEM768 as _);
-        feature = "pq-experimental"
-    ))]
-    pub const X25519_MLKEM768: SslCurve = SslCurve(ffi::SSL_CURVE_X25519_MLKEM768 as _);
 
     /// Returns the curve name
     #[corresponds(SSL_get_curve_name)]
@@ -766,7 +751,7 @@ impl SslCurve {
     // against the absence of the `kx-safe-default` feature and thus this function is never used.
     //
     // **NOTE**: This function only exists because the version of boringssl we currently use does
-    // not expose SSL_CTX_set1_group_ids. Because `SslRef::curve()` returns the public SSL_CURVE id
+    // not expose SSL_CTX_set1_group_ids. Because `SslRef::curve()` returns the public SSL_GROUP id
     // as opposed to the internal NID, but `SslContextBuilder::set_curves()` requires the internal
     // NID, we need this mapping in place to avoid breaking changes to the public API. Once the
     // underlying boringssl version is upgraded, this should be removed in favor of the new
@@ -774,33 +759,20 @@ impl SslCurve {
     #[allow(dead_code)]
     pub fn nid(&self) -> Option<SslCurveNid> {
         match self.0 {
-            ffi::SSL_CURVE_SECP224R1 => Some(ffi::NID_secp224r1),
+            ffi::SSL_GROUP_SECP224R1 => Some(ffi::NID_secp224r1),
-            ffi::SSL_CURVE_SECP256R1 => Some(ffi::NID_X9_62_prime256v1),
+            ffi::SSL_GROUP_SECP256R1 => Some(ffi::NID_X9_62_prime256v1),
-            ffi::SSL_CURVE_SECP384R1 => Some(ffi::NID_secp384r1),
+            ffi::SSL_GROUP_SECP384R1 => Some(ffi::NID_secp384r1),
-            ffi::SSL_CURVE_SECP521R1 => Some(ffi::NID_secp521r1),
+            ffi::SSL_GROUP_SECP521R1 => Some(ffi::NID_secp521r1),
-            ffi::SSL_CURVE_X25519 => Some(ffi::NID_X25519),
+            ffi::SSL_GROUP_X25519 => Some(ffi::NID_X25519),
-            #[cfg(not(any(feature = "fips", feature = "fips-precompiled")))]
+            ffi::SSL_GROUP_X25519_KYBER768_DRAFT00 => Some(ffi::NID_X25519Kyber768Draft00),
-            ffi::SSL_CURVE_X25519_KYBER768_DRAFT00 => Some(ffi::NID_X25519Kyber768Draft00),
+            #[cfg(feature = "pq-experimental")]
-            #[cfg(all(
+            ffi::SSL_GROUP_X25519_KYBER768_DRAFT00_OLD => Some(ffi::NID_X25519Kyber768Draft00Old),
-                not(any(feature = "fips", feature = "fips-precompiled")),
+            #[cfg(feature = "pq-experimental")]
-                feature = "pq-experimental"
+            ffi::SSL_GROUP_X25519_KYBER512_DRAFT00 => Some(ffi::NID_X25519Kyber512Draft00),
-            ))]
+            #[cfg(feature = "pq-experimental")]
-            ffi::SSL_CURVE_X25519_KYBER768_DRAFT00_OLD => Some(ffi::NID_X25519Kyber768Draft00Old),
+            ffi::SSL_GROUP_P256_KYBER768_DRAFT00 => Some(ffi::NID_P256Kyber768Draft00),
-            #[cfg(all(
+            #[cfg(feature = "pq-experimental")]
-                not(any(feature = "fips", feature = "fips-precompiled")),
+            ffi::SSL_GROUP_X25519_MLKEM768 => Some(ffi::NID_X25519MLKEM768),
-                feature = "pq-experimental"
-            ))]
-            ffi::SSL_CURVE_X25519_KYBER512_DRAFT00 => Some(ffi::NID_X25519Kyber512Draft00),
-            #[cfg(all(
-                not(any(feature = "fips", feature = "fips-precompiled")),
-                feature = "pq-experimental"
-            ))]
-            ffi::SSL_CURVE_P256_KYBER768_DRAFT00 => Some(ffi::NID_P256Kyber768Draft00),
-            #[cfg(all(
-                not(any(feature = "fips", feature = "fips-precompiled")),
-                feature = "pq-experimental"
-            ))]
-            ffi::SSL_CURVE_X25519_MLKEM768 => Some(ffi::NID_X25519MLKEM768),
             _ => None,
         }
         .map(SslCurveNid)
@@ -809,12 +781,11 @@ impl SslCurve {
 
 /// A compliance policy.
 #[derive(Debug, Copy, Clone, PartialEq, Eq)]
-#[cfg(not(feature = "fips-compat"))]
 pub struct CompliancePolicy(ffi::ssl_compliance_policy_t);
 
-#[cfg(not(feature = "fips-compat"))]
 impl CompliancePolicy {
     /// Does nothing, however setting this does not undo other policies, so trying to set this is an error.
+    #[cfg(not(feature = "legacy-compat-deprecated"))]
     pub const NONE: Self = Self(ffi::ssl_compliance_policy_t::ssl_compliance_policy_none);
 
     /// Configures a TLS connection to try and be compliant with NIST requirements, but does not guarantee success.
@@ -824,6 +795,7 @@ impl CompliancePolicy {
 
     /// Partially configures a TLS connection to be compliant with WPA3. Callers must enforce certificate chain requirements themselves.
     /// Use of this policy is less secure than the default and not recommended.
+    #[cfg(not(feature = "legacy-compat-deprecated"))]
     pub const WPA3_192_202304: Self =
         Self(ffi::ssl_compliance_policy_t::ssl_compliance_policy_wpa3_192_202304);
 }
@@ -1609,7 +1581,10 @@ impl SslContextBuilder {
     #[corresponds(SSL_CTX_set_alpn_protos)]
     pub fn set_alpn_protos(&mut self, protocols: &[u8]) -> Result<(), ErrorStack> {
         unsafe {
-            #[cfg_attr(not(feature = "fips-compat"), allow(clippy::unnecessary_cast))]
+            #[cfg_attr(
+                not(feature = "legacy-compat-deprecated"),
+                allow(clippy::unnecessary_cast)
+            )]
             {
                 assert!(protocols.len() <= ProtosLen::MAX as usize);
             }
@@ -2009,7 +1984,6 @@ impl SslContextBuilder {
     /// version of BoringSSL which doesn't yet include these APIs.
     /// Once the submoduled fips commit is upgraded, these gates can be removed.
     #[corresponds(SSL_CTX_set_permute_extensions)]
-    #[cfg(not(feature = "fips-compat"))]
     pub fn set_permute_extensions(&mut self, enabled: bool) {
         unsafe { ffi::SSL_CTX_set_permute_extensions(self.as_ptr(), enabled as _) }
     }
@@ -2087,7 +2061,6 @@ impl SslContextBuilder {
     ///
     /// This feature isn't available in the certified version of BoringSSL.
     #[corresponds(SSL_CTX_set_compliance_policy)]
-    #[cfg(not(feature = "fips-compat"))]
     pub fn set_compliance_policy(&mut self, policy: CompliancePolicy) -> Result<(), ErrorStack> {
         unsafe { cvt_0i(ffi::SSL_CTX_set_compliance_policy(self.as_ptr(), policy.0)).map(|_| ()) }
     }
@@ -2108,7 +2081,6 @@ impl SslContextBuilder {
     /// ECHConfigs to allow stale DNS caches to update. Unlike most `SSL_CTX` APIs, this function
     /// is safe to call even after the `SSL_CTX` has been associated with connections on various
     /// threads.
-    #[cfg(not(feature = "fips"))]
     #[corresponds(SSL_CTX_set1_ech_keys)]
     pub fn set_ech_keys(&self, keys: &SslEchKeys) -> Result<(), ErrorStack> {
         unsafe { cvt(ffi::SSL_CTX_set1_ech_keys(self.as_ptr(), keys.as_ptr())).map(|_| ()) }
@@ -2376,7 +2348,6 @@ impl SslContextRef {
     /// ECHConfigs to allow stale DNS caches to update. Unlike most `SSL_CTX` APIs, this function
     /// is safe to call even after the `SSL_CTX` has been associated with connections on various
     /// threads.
-    #[cfg(not(feature = "fips"))]
     #[corresponds(SSL_CTX_set1_ech_keys)]
     pub fn set_ech_keys(&self, keys: &SslEchKeys) -> Result<(), ErrorStack> {
         unsafe { cvt(ffi::SSL_CTX_set1_ech_keys(self.as_ptr(), keys.as_ptr())).map(|_| ()) }
@@ -2390,9 +2361,9 @@ impl SslContextRef {
 #[derive(Debug)]
 pub struct GetSessionPendingError;
 
-#[cfg(not(feature = "fips-compat"))]
+#[cfg(not(feature = "legacy-compat-deprecated"))]
 type ProtosLen = usize;
-#[cfg(feature = "fips-compat")]
+#[cfg(feature = "legacy-compat-deprecated")]
 type ProtosLen = libc::c_uint;
 
 /// Information about the state of a cipher.
@@ -3161,7 +3132,6 @@ impl SslRef {
     /// Note: This is gated to non-fips because the fips feature builds with a separate
     /// version of BoringSSL which doesn't yet include these APIs.
     /// Once the submoduled fips commit is upgraded, these gates can be removed.
-    #[cfg(not(feature = "fips-compat"))]
     pub fn set_permute_extensions(&mut self, enabled: bool) {
         unsafe { ffi::SSL_set_permute_extensions(self.as_ptr(), enabled as _) }
     }
@@ -3172,7 +3142,10 @@ impl SslRef {
     #[corresponds(SSL_set_alpn_protos)]
     pub fn set_alpn_protos(&mut self, protocols: &[u8]) -> Result<(), ErrorStack> {
         unsafe {
-            #[cfg_attr(not(feature = "fips-compat"), allow(clippy::unnecessary_cast))]
+            #[cfg_attr(
+                not(feature = "legacy-compat-deprecated"),
+                allow(clippy::unnecessary_cast)
+            )]
             {
                 assert!(protocols.len() <= ProtosLen::MAX as usize);
             }
@@ -3886,7 +3859,6 @@ impl SslRef {
     /// Clients should use `get_ech_name_override` to verify the server certificate in case of ECH
     /// rejection, and follow up with `get_ech_retry_configs` to retry the connection with a fresh
     /// set of ECHConfigs. If the retry also fails, clients should report a connection failure.
-    #[cfg(not(feature = "fips"))]
     #[corresponds(SSL_set1_ech_config_list)]
     pub fn set_ech_config_list(&mut self, ech_config_list: &[u8]) -> Result<(), ErrorStack> {
         unsafe {
@@ -3905,7 +3877,6 @@ impl SslRef {
     /// Clients should call this function when handling an `SSL_R_ECH_REJECTED` error code to
     /// recover from potential key mismatches. If the result is `Some`, the client should retry the
     /// connection using the returned `ECHConfigList`.
-    #[cfg(not(feature = "fips"))]
     #[corresponds(SSL_get0_ech_retry_configs)]
     #[must_use]
     pub fn get_ech_retry_configs(&self) -> Option<&[u8]> {
@@ -3928,7 +3899,6 @@ impl SslRef {
     /// Clients should call this function during the certificate verification callback to
     /// ensure the server's certificate is valid for the public name, which is required to
     /// authenticate retry configs.
-    #[cfg(not(feature = "fips"))]
     #[corresponds(SSL_get0_ech_name_override)]
     #[must_use]
     pub fn get_ech_name_override(&self) -> Option<&[u8]> {
@@ -3946,7 +3916,6 @@ impl SslRef {
     }
 
     // Whether or not `SSL` negotiated ECH.
-    #[cfg(not(feature = "fips"))]
     #[corresponds(SSL_ech_accepted)]
     #[must_use]
     pub fn ech_accepted(&self) -> bool {
@@ -3954,7 +3923,6 @@ impl SslRef {
     }
 
     // Whether or not to enable ECH grease on `SSL`.
-    #[cfg(not(feature = "fips"))]
     #[corresponds(SSL_set_enable_ech_grease)]
     pub fn set_enable_ech_grease(&self, enable: bool) {
         let enable = if enable { 1 } else { 0 };
@@ -3965,7 +3933,6 @@ impl SslRef {
     }
 
     /// Sets the compliance policy on `SSL`.
-    #[cfg(not(feature = "fips-compat"))]
     #[corresponds(SSL_set_compliance_policy)]
     pub fn set_compliance_policy(&mut self, policy: CompliancePolicy) -> Result<(), ErrorStack> {
         unsafe { cvt_0i(ffi::SSL_set_compliance_policy(self.as_ptr(), policy.0)).map(|_| ()) }

boring/src/ssl/test/mod.rs

@@ -22,13 +22,11 @@ use crate::x509::store::X509StoreBuilder;
 use crate::x509::verify::X509CheckFlags;
 use crate::x509::{X509Name, X509};
 
-#[cfg(not(feature = "fips"))]
 use super::CompliancePolicy;
 
 mod cert_compressor;
 mod cert_verify;
 mod custom_verify;
-#[cfg(not(feature = "fips"))]
 mod ech;
 mod private_key_method;
 mod server;
@@ -1037,7 +1035,6 @@ fn test_get_ciphers() {
 }
 
 #[test]
-#[cfg(not(feature = "fips"))]
 fn test_set_compliance() {
     let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
     ctx.set_compliance_policy(CompliancePolicy::FIPS_202205)
@@ -1118,7 +1115,6 @@ fn test_info_callback() {
     assert!(CALLED_BACK.load(Ordering::Relaxed));
 }
 
-#[cfg(not(feature = "fips-compat"))]
 #[test]
 fn test_ssl_set_compliance() {
     let ctx = SslContext::builder(SslMethod::tls()).unwrap().build();

boring/src/x509/mod.rs

@@ -1120,9 +1120,9 @@ impl X509NameBuilder {
     }
 }
 
-#[cfg(not(feature = "fips-compat"))]
+#[cfg(not(feature = "legacy-compat-deprecated"))]
 type ValueLen = isize;
-#[cfg(feature = "fips-compat")]
+#[cfg(feature = "legacy-compat-deprecated")]
 type ValueLen = i32;
 
 foreign_type_and_impl_send_sync! {

boring/src/x509/tests/trusted_first.rs

@@ -15,7 +15,7 @@ fn test_verify_cert() {
 
     assert_eq!(Ok(()), verify(&leaf, &[&root1], &[&intermediate], |_| {}));
 
-    #[cfg(not(feature = "fips-compat"))]
+    #[cfg(not(feature = "legacy-compat-deprecated"))]
     assert_eq!(
         Ok(()),
         verify(
@@ -26,7 +26,7 @@ fn test_verify_cert() {
         )
     );
 
-    #[cfg(feature = "fips-compat")]
+    #[cfg(feature = "legacy-compat-deprecated")]
     assert_eq!(
         Err(X509VerifyError::CERT_HAS_EXPIRED),
         verify(

hyper-boring/Cargo.toml

@@ -17,20 +17,7 @@ rustdoc-args = ["--cfg", "docsrs"]
 
 [features]
 # Use a FIPS-validated version of boringssl.
-fips = ["tokio-boring/fips"]
+fips = ["boring/fips", "tokio-boring/fips"]
-
-# Use a FIPS build of BoringSSL, but don't set "fips-compat".
-#
-# As of boringSSL commit a430310d6563c0734ddafca7731570dfb683dc19, we no longer
-# need to make exceptions for the types of BufLen, ProtosLen, and ValueLen,
-# which means the "fips-compat" feature is no longer needed.
-#
-# TODO(cjpatton) Delete this feature and modify "fips" so that it doesn't imply
-# "fips-compat".
-fips-precompiled = ["tokio-boring/fips-precompiled"]
-
-# Link with precompiled FIPS-validated `bcm.o` module.
-fips-link-precompiled = ["tokio-boring/fips-link-precompiled"]
 
 # Enables experimental post-quantum crypto (https://blog.cloudflare.com/post-quantum-for-all/)
 pq-experimental = ["tokio-boring/pq-experimental"]

tokio-boring/Cargo.toml

@@ -19,19 +19,6 @@ rustdoc-args = ["--cfg", "docsrs"]
 # Use a FIPS-validated version of boringssl.
 fips = ["boring/fips", "boring-sys/fips"]
 
-# Use a FIPS build of BoringSSL, but don't set "fips-compat".
-#
-# As of boringSSL commit a430310d6563c0734ddafca7731570dfb683dc19, we no longer
-# need to make exceptions for the types of BufLen, ProtosLen, and ValueLen,
-# which means the "fips-compat" feature is no longer needed.
-#
-# TODO(cjpatton) Delete this feature and modify "fips" so that it doesn't imply
-# "fips-compat".
-fips-precompiled = ["boring/fips-precompiled"]
-
-# Link with precompiled FIPS-validated `bcm.o` module.
-fips-link-precompiled = ["boring/fips-link-precompiled", "boring-sys/fips-link-precompiled"]
-
 # Enables experimental post-quantum crypto (https://blog.cloudflare.com/post-quantum-for-all/)
 pq-experimental = ["boring/pq-experimental"]