From 5d6ca7e19c0507afae1bfe1a1d9590477a7e1302 Mon Sep 17 00:00:00 2001
From: Ivan Nikulin <inikulin@cloudflare.com>
Date: Wed, 30 Aug 2023 18:41:03 +0100
Subject: [PATCH] Introduce `no-patches` feature

---
 boring-sys/Cargo.toml   |  8 +++++++
 boring-sys/build.rs     | 52 +++++++++++++++++++++++++++--------------
 boring/Cargo.toml       |  8 +++++++
 hyper-boring/Cargo.toml |  8 +++++++
 tokio-boring/Cargo.toml |  8 +++++++
 5 files changed, 67 insertions(+), 17 deletions(-)

diff --git a/boring-sys/Cargo.toml b/boring-sys/Cargo.toml
index dbf73f0a..b37a91dc 100644
--- a/boring-sys/Cargo.toml
+++ b/boring-sys/Cargo.toml
@@ -66,6 +66,14 @@ rpk = []
 # Enables experimental post-quantum crypto (https://blog.cloudflare.com/post-quantum-for-all/)
 pq-experimental = []
 
+# Disables git patching of the BoringSSL sources for features like `rpk` and `pq-experimental`, but
+# keeps the related Rust API. 
+# 
+# Supposed to be used with either pre-compiled BoringSSL (via `BORING_BSSL_PATH` env variable) or 
+# with custom BoringSSL sources (via `BORING_BSSL_SOURCE_PATH` env variable) already containing 
+# required patches.
+no-patches = []
+
 [build-dependencies]
 bindgen = { workspace = true }
 cmake = { workspace = true }
diff --git a/boring-sys/build.rs b/boring-sys/build.rs
index 75191996..428eb4ee 100644
--- a/boring-sys/build.rs
+++ b/boring-sys/build.rs
@@ -509,7 +509,14 @@ fn run_command(command: &mut Command) -> io::Result<Output> {
 }
 
 fn build_boring_from_sources() -> String {
-    ensure_patches_applied().unwrap();
+    if cfg!(feature = "no-patches") {
+        println!(
+            "cargo:warning=skipping git patches application, provided\
+             native BoringSSL is expected to have the patches included"
+        );
+    } else {
+        ensure_patches_applied().unwrap();
+    }
 
     let mut cfg = get_boringssl_cmake_config();
 
@@ -574,6 +581,31 @@ fn link_in_precompiled_bcm_o(bssl_dir: &str) {
     .unwrap();
 }
 
+fn check_feature_compatibility() {
+    #[cfg(all(feature = "fips", feature = "rpk"))]
+    compile_error!("`fips` and `rpk` features are mutually exclusive");
+
+    let no_patches_enabled = cfg!(feature = "no-patches");
+    let is_external_native_lib_source =
+        env::var("BORING_BSSL_PATH").is_err() && env::var("BORING_BSSL_SOURCE_PATH").is_err();
+
+    if no_patches_enabled && is_external_native_lib_source {
+        panic!(
+            "`no-patches` feature is supposed to be used with `BORING_BSSL_PATH`\
+            or `BORING_BSSL_SOURCE_PATH` env variables"
+        )
+    }
+
+    let features_with_patches_enabled = cfg!(any(feature = "rpk", feature = "pq-experimental"));
+    let patches_required = features_with_patches_enabled && !no_patches_enabled;
+    let build_from_sources_required = cfg!(feature = "fips-link-precompiled") || patches_required;
+    let is_precompiled_native_lib = env::var("BORING_BSSL_PATH").is_ok();
+
+    if is_precompiled_native_lib && build_from_sources_required {
+        panic!("precompiled BoringSSL was provided, so FIPS configuration or optional patches can't be applied");
+    }
+}
+
 fn main() {
     println!("cargo:rerun-if-env-changed=BORING_BSSL_PATH");
     println!("cargo:rerun-if-env-changed=BORING_BSSL_INCLUDE_PATH");
@@ -581,23 +613,9 @@ fn main() {
     println!("cargo:rerun-if-env-changed=BORING_SSL_PRECOMPILED_BCM_O");
     println!("cargo:rerun-if-env-changed=BORINGSSL_BUILD_DIR");
 
-    #[cfg(all(feature = "fips", feature = "rpk"))]
-    compile_error!("`fips` and `rpk` features are mutually exclusive");
+    check_feature_compatibility();
 
-    let bssl_dir = env::var("BORING_BSSL_PATH");
-
-    if bssl_dir.is_ok()
-        && cfg!(any(
-            feature = "fips",
-            feature = "fips-link-precompiled",
-            feature = "rpk",
-            feature = "pq-experimental"
-        ))
-    {
-        panic!("precompiled BoringSSL was provided, so FIPS configuration or optional patches can't be applied");
-    }
-
-    let bssl_dir = bssl_dir.unwrap_or_else(|_| build_boring_from_sources());
+    let bssl_dir = env::var("BORING_BSSL_PATH").unwrap_or_else(|_| build_boring_from_sources());
     let build_path = get_boringssl_platform_output_path();
 
     if cfg!(any(feature = "fips", feature = "fips-link-precompiled")) {
diff --git a/boring/Cargo.toml b/boring/Cargo.toml
index af1a20cf..7cf00d0e 100644
--- a/boring/Cargo.toml
+++ b/boring/Cargo.toml
@@ -28,6 +28,14 @@ rpk = ["boring-sys/rpk"]
 # Enables experimental post-quantum crypto (https://blog.cloudflare.com/post-quantum-for-all/)
 pq-experimental = ["boring-sys/pq-experimental"]
 
+# Disables git patching of the BoringSSL sources for features like `rpk` and `pq-experimental`, but
+# keeps the related Rust API. 
+# 
+# Supposed to be used with either pre-compiled BoringSSL (via `BORING_BSSL_PATH` env variable) or 
+# with custom BoringSSL sources (via `BORING_BSSL_SOURCE_PATH` env variable) already containing 
+# required patches.
+no-patches = ["boring-sys/no-patches"]
+
 [dependencies]
 bitflags = { workspace = true }
 foreign-types = { workspace = true }
diff --git a/hyper-boring/Cargo.toml b/hyper-boring/Cargo.toml
index 9396c25c..321f3a60 100644
--- a/hyper-boring/Cargo.toml
+++ b/hyper-boring/Cargo.toml
@@ -31,6 +31,14 @@ rpk = ["tokio-boring/rpk"]
 # Enables experimental post-quantum crypto (https://blog.cloudflare.com/post-quantum-for-all/)
 pq-experimental = ["tokio-boring/pq-experimental"]
 
+# Disables git patching of the BoringSSL sources for features like `rpk` and `pq-experimental`, but
+# keeps the related Rust API. 
+# 
+# Supposed to be used with either pre-compiled BoringSSL (via `BORING_BSSL_PATH` env variable) or 
+# with custom BoringSSL sources (via `BORING_BSSL_SOURCE_PATH` env variable) already containing 
+# required patches.
+no-patches = ["tokio-boring/no-patches"]
+
 
 [dependencies]
 antidote = { workspace = true }
diff --git a/tokio-boring/Cargo.toml b/tokio-boring/Cargo.toml
index 15220348..73d5c8ec 100644
--- a/tokio-boring/Cargo.toml
+++ b/tokio-boring/Cargo.toml
@@ -28,6 +28,14 @@ rpk = ["boring/rpk"]
 # Enables experimental post-quantum crypto (https://blog.cloudflare.com/post-quantum-for-all/)
 pq-experimental = ["boring/pq-experimental"]
 
+# Disables git patching of the BoringSSL sources for features like `rpk` and `pq-experimental`, but
+# keeps the related Rust API. 
+# 
+# Supposed to be used with either pre-compiled BoringSSL (via `BORING_BSSL_PATH` env variable) or 
+# with custom BoringSSL sources (via `BORING_BSSL_SOURCE_PATH` env variable) already containing 
+# required patches.
+no-patches = ["boring/no-patches"]
+
 [dependencies]
 boring = { workspace = true }
 boring-sys = { workspace = true }