diff --git a/boring-sys/Cargo.toml b/boring-sys/Cargo.toml index 7ffc2c9b..20fd892f 100644 --- a/boring-sys/Cargo.toml +++ b/boring-sys/Cargo.toml @@ -68,15 +68,15 @@ rpk = [] # enables support for PQ key exchange. This feature is necessary in order to # compile the bindings for the default branch of boringSSL (`deps/boringssl`). # Alternatively, a version of boringSSL that implements the same feature set -# can be provided by setting `BORING_BSSL_SOURCE_PATH`. +# can be provided by setting `BORING_BSSL{,_FIPS}_SOURCE_PATH`. pq-experimental = [] -# Disables git patching of the BoringSSL sources for features like `rpk` and `pq-experimental`, but -# keeps the related Rust API. +# Disables git patching of the BoringSSL sources for features like `rpk` and `pq-experimental`, +# but keeps the related Rust API. # -# Supposed to be used with either pre-compiled BoringSSL (via `BORING_BSSL_PATH` env variable) or -# with custom BoringSSL sources (via `BORING_BSSL_SOURCE_PATH` env variable) already containing -# required patches. +# Supposed to be used with either pre-compiled BoringSSL (via `BORING_BSSL{,_FIPS}_PATH` env +# variable) or with custom BoringSSL sources (via `BORING_BSSL{,_FIPS}_SOURCE_PATH` env variable) +# already containing required patches. no-patches = [] [build-dependencies] diff --git a/boring-sys/build/config.rs b/boring-sys/build/config.rs index c0e23d96..a927f42a 100644 --- a/boring-sys/build/config.rs +++ b/boring-sys/build/config.rs @@ -43,7 +43,7 @@ impl Config { let target_os = env::var("CARGO_CFG_TARGET_OS").unwrap(); let features = Features::from_env(); - let env = Env::from_env(); + let env = Env::from_env(features.fips || features.fips_link_precompiled); let config = Self { manifest_dir, @@ -73,8 +73,8 @@ impl Config { if self.features.no_patches && is_external_native_lib_source { panic!( - "`no-patches` feature is supposed to be used with `BORING_BSSL_PATH`\ - or `BORING_BSSL_SOURCE_PATH` env variables" + "`no-patches` feature is supposed to be used with `BORING_BSSL{{,_FIPS}}_PATH`\ + or `BORING_BSSL{{,_FIPS}}_SOURCE_PATH` env variables" ); } @@ -107,12 +107,28 @@ impl Features { } impl Env { - fn from_env() -> Self { + fn from_env(is_fips_like: bool) -> Self { + const NORMAL_PREFIX: &str = "BORING_BSSL"; + const FIPS_PREFIX: &str = "BORING_BSSL_FIPS"; + + let boringssl_var = |name: &str| { + // The passed name is the non-fips version of the environment variable, + // to help look for them in the repository. + assert!(name.starts_with(NORMAL_PREFIX)); + + if is_fips_like { + var(&name.replace(NORMAL_PREFIX, FIPS_PREFIX)) + } else { + var(name) + } + .map(PathBuf::from) + }; + Self { - path: var("BORING_BSSL_PATH").map(Into::into), - include_path: var("BORING_BSSL_INCLUDE_PATH").map(Into::into), - source_path: var("BORING_BSSL_SOURCE_PATH").map(Into::into), - precompiled_bcm_o: var("BORING_BSSL_PRECOMPILED_BCM_O").map(Into::into), + path: boringssl_var("BORING_BSSL_PATH"), + include_path: boringssl_var("BORING_BSSL_INCLUDE_PATH"), + source_path: boringssl_var("BORING_BSSL_SOURCE_PATH"), + precompiled_bcm_o: boringssl_var("BORING_BSSL_PRECOMPILED_BCM_O"), debug: var("DEBUG"), opt_level: var("OPT_LEVEL"), android_ndk_home: var("ANDROID_NDK_HOME").map(Into::into), diff --git a/boring-sys/build/main.rs b/boring-sys/build/main.rs index a9319f30..d990a258 100644 --- a/boring-sys/build/main.rs +++ b/boring-sys/build/main.rs @@ -529,7 +529,7 @@ fn link_in_precompiled_bcm_o(config: &Config) { let bssl_dir = built_boring_source_path(config); let bcm_o_src_path = config.env.precompiled_bcm_o.as_ref() - .expect("`fips-link-precompiled` requires `BORING_BSSL_PRECOMPILED_BCM_O` env variable to be specified"); + .expect("`fips-link-precompiled` requires `BORING_BSSL_FIPS_PRECOMPILED_BCM_O` env variable to be specified"); let libcrypto_path = bssl_dir .join("build/crypto/libcrypto.a") diff --git a/boring/Cargo.toml b/boring/Cargo.toml index 8d983fe8..717960b9 100644 --- a/boring/Cargo.toml +++ b/boring/Cargo.toml @@ -31,15 +31,15 @@ rpk = ["boring-sys/rpk"] # exchange. This feature is necessary in order to compile the bindings for the # default branch of boringSSL. Alternatively, a version of boringSSL that # implements the same feature set can be provided by setting -# `BORING_BSSL_SOURCE_PATH`. +# `BORING_BSSL{,_FIPS}_SOURCE_PATH`. pq-experimental = ["boring-sys/pq-experimental"] -# Disables git patching of the BoringSSL sources for features like `rpk` and `pq-experimental`, but -# keeps the related Rust API. +# Disables git patching of the BoringSSL sources for features like `rpk` and `pq-experimental`, +# but keeps the related Rust API. # -# Supposed to be used with either pre-compiled BoringSSL (via `BORING_BSSL_PATH` env variable) or -# with custom BoringSSL sources (via `BORING_BSSL_SOURCE_PATH` env variable) already containing -# required patches. +# Supposed to be used with either pre-compiled BoringSSL (via `BORING_BSSL{,_FIPS}_PATH` env +# variable) or with custom BoringSSL sources (via `BORING_BSSL{,_FIPS}_SOURCE_PATH` env variable) +# already containing required patches. no-patches = ["boring-sys/no-patches"] # Controlling key exchange preferences at compile time diff --git a/boring/src/lib.rs b/boring/src/lib.rs index d5d86268..27c1ebcd 100644 --- a/boring/src/lib.rs +++ b/boring/src/lib.rs @@ -18,18 +18,26 @@ //! //! # Compilation and linking options //! +//! ## Environment variables +//! +//! This crate uses various environment variables to tweak how boring is built. The variables +//! are all prefixed by `BORING_BSSL_` for non-FIPS builds, and by `BORING_BSSL_FIPS_` for FIPS builds. +//! //! ## Support for pre-built binaries or custom source //! //! While this crate can build BoringSSL on its own, you may want to provide pre-built binaries instead. -//! To do so, specify the environment variable `BORING_BSSL_PATH` with the path to the binaries. +//! To do so, specify the environment variable `BORING_BSSL{,_FIPS}_PATH` with the path to the binaries. //! -//! You can also provide specific headers by setting `BORING_BSSL_INCLUDE_PATH`. +//! You can also provide specific headers by setting `BORING_BSSL{,_FIPS}_INCLUDE_PATH`. //! -//! _Notes_: The crate will look for headers in the `$BORING_BSSL_INCLUDE_PATH/openssl/` folder, make sure to place your headers there. +//! _Notes_: The crate will look for headers in the`$BORING_BSSL{,_FIPS}_INCLUDE_PATH/openssl/` +//! folder, make sure to place your headers there. //! -//! In alternative a different path for the BoringSSL source code directory can be specified by setting `BORING_BSSL_SOURCE_PATH` which will automatically be compiled during the build process. +//! In alternative a different path for the BoringSSL source code directory can be specified by setting +//! `BORING_BSSL{,_FIPS}_SOURCE_PATH` which will automatically be compiled during the build process. //! -//! _Warning_: When providing a different version of BoringSSL make sure to use a compatible one, the crate relies on the presence of certain functions. +//! _Warning_: When providing a different version of BoringSSL make sure to use a compatible one, the +//! crate relies on the presence of certain functions. //! //! ## Building with a FIPS-validated module //! @@ -44,11 +52,15 @@ //! ``` //! //! ## Linking current BoringSSL version with precompiled FIPS-validated module (`bcm.o`) +//! //! It's possible to link latest supported version of BoringSSL with FIPS-validated crypto module //! (`bcm.o`). To enable this compilation option one should enable `fips-link-precompiled` -//! compilation feature and provide a `BORING_BSSL_PRECOMPILED_BCM_O` env variable with a path to the +//! compilation feature and provide a `BORING_BSSL_FIPS_PRECOMPILED_BCM_O` env variable with a path to the //! precompiled FIPS-validated `bcm.o` module. //! +//! Note that `BORING_BSSL_PRECOMPILED_BCM_O` is never used, as linking BoringSSL with precompiled non-FIPS +//! module is not supported. +//! //! # Optional patches //! //! ## Raw Public Key diff --git a/hyper-boring/Cargo.toml b/hyper-boring/Cargo.toml index 321f3a60..07d0a182 100644 --- a/hyper-boring/Cargo.toml +++ b/hyper-boring/Cargo.toml @@ -31,12 +31,12 @@ rpk = ["tokio-boring/rpk"] # Enables experimental post-quantum crypto (https://blog.cloudflare.com/post-quantum-for-all/) pq-experimental = ["tokio-boring/pq-experimental"] -# Disables git patching of the BoringSSL sources for features like `rpk` and `pq-experimental`, but -# keeps the related Rust API. +# Disables git patching of the BoringSSL sources for features like `rpk` and `pq-experimental`, +# but keeps the related Rust API. # -# Supposed to be used with either pre-compiled BoringSSL (via `BORING_BSSL_PATH` env variable) or -# with custom BoringSSL sources (via `BORING_BSSL_SOURCE_PATH` env variable) already containing -# required patches. +# Supposed to be used with either pre-compiled BoringSSL (via `BORING_BSSL{,_FIPS}_PATH` env +# variable) or with custom BoringSSL sources (via `BORING_BSSL{,_FIPS}_SOURCE_PATH` env variable) +# already containing required patches. no-patches = ["tokio-boring/no-patches"] diff --git a/tokio-boring/Cargo.toml b/tokio-boring/Cargo.toml index 509ab6f7..31a967b3 100644 --- a/tokio-boring/Cargo.toml +++ b/tokio-boring/Cargo.toml @@ -28,12 +28,12 @@ rpk = ["boring/rpk"] # Enables experimental post-quantum crypto (https://blog.cloudflare.com/post-quantum-for-all/) pq-experimental = ["boring/pq-experimental"] -# Disables git patching of the BoringSSL sources for features like `rpk` and `pq-experimental`, but -# keeps the related Rust API. +# Disables git patching of the BoringSSL sources for features like `rpk` and `pq-experimental`, +# but keeps the related Rust API. # -# Supposed to be used with either pre-compiled BoringSSL (via `BORING_BSSL_PATH` env variable) or -# with custom BoringSSL sources (via `BORING_BSSL_SOURCE_PATH` env variable) already containing -# required patches. +# Supposed to be used with either pre-compiled BoringSSL (via `BORING_BSSL{,_FIPS}_PATH` env +# variable) or with custom BoringSSL sources (via `BORING_BSSL{,_FIPS}_SOURCE_PATH` env variable) +# already containing required patches. no-patches = ["boring/no-patches"] [dependencies]