From 7ddb106c205501fb6ed0823a871be417bbe18729 Mon Sep 17 00:00:00 2001
From: Anthony Ramine
Date: Tue, 10 Oct 2023 12:00:24 +0200
Subject: [PATCH] Introduce a new set of env variables for FIPS-like builds
Builds using feature fips or fips-link-precompiled now read variables prefixed by BORING_BSSL_FIPS_ instead of BORING_BSSL_. This helps complex builds where build dependencies also use boring, where we may not want to use fips there. Without those separate variables, the boring build for the build dependencies end up relying on e.g. BORING_BSSL_PATH, causing errors if this path is a boring checkout intended for fips builds, while the fips feature isn't enabled for the build dependency.
---
 boring-sys/Cargo.toml | 12 ++++++------
 boring-sys/build/config.rs | 32 ++++++++++++++++++++++++--------
 boring-sys/build/main.rs | 2 +-
 boring/Cargo.toml | 12 ++++++------
 boring/src/lib.rs | 24 ++++++++++++++++++------
 hyper-boring/Cargo.toml | 10 +++++-----
 tokio-boring/Cargo.toml | 10 +++++-----
 7 files changed, 65 insertions(+), 37 deletions(-)
diff --git a/boring-sys/Cargo.toml b/boring-sys/Cargo.toml
index 7ffc2c9b..20fd892f 100644
--- a/boring-sys/Cargo.toml
+++ b/boring-sys/Cargo.toml
@@ -68,15 +68,15 @@ rpk = []
 # enables support for PQ key exchange. This feature is necessary in order to
 # compile the bindings for the default branch of boringSSL (`deps/boringssl`).
 # Alternatively, a version of boringSSL that implements the same feature set
-# can be provided by setting `BORING_BSSL_SOURCE_PATH`.
+# can be provided by setting `BORING_BSSL{,_FIPS}_SOURCE_PATH`.
 pq-experimental = []
 
-# Disables git patching of the BoringSSL sources for features like `rpk` and `pq-experimental`, but
-# keeps the related Rust API.
+# Disables git patching of the BoringSSL sources for features like `rpk` and `pq-experimental`,
+# but keeps the related Rust API.
 #
-# Supposed to be used with either pre-compiled BoringSSL (via `BORING_BSSL_PATH` env variable) or
-# with custom BoringSSL sources (via `BORING_BSSL_SOURCE_PATH` env variable) already containing
-# required patches.
+# Supposed to be used with either pre-compiled BoringSSL (via `BORING_BSSL{,_FIPS}_PATH` env
+# variable) or with custom BoringSSL sources (via `BORING_BSSL{,_FIPS}_SOURCE_PATH` env variable)
+# already containing required patches.
 no-patches = []
 
 [build-dependencies]
diff --git a/boring-sys/build/config.rs b/boring-sys/build/config.rs
index c0e23d96..a927f42a 100644
--- a/boring-sys/build/config.rs
+++ b/boring-sys/build/config.rs
@@ -43,7 +43,7 @@ impl Config {
 
         let target_os = env::var("CARGO_CFG_TARGET_OS").unwrap();
         let features = Features::from_env();
-        let env = Env::from_env();
+        let env = Env::from_env(features.fips || features.fips_link_precompiled);
 
         let config = Self {
             manifest_dir,
@@ -73,8 +73,8 @@ impl Config {
 
         if self.features.no_patches && is_external_native_lib_source {
             panic!(
-                "`no-patches` feature is supposed to be used with `BORING_BSSL_PATH`\
-                or `BORING_BSSL_SOURCE_PATH` env variables"
+                "`no-patches` feature is supposed to be used with `BORING_BSSL{{,_FIPS}}_PATH`\
+                or `BORING_BSSL{{,_FIPS}}_SOURCE_PATH` env variables"
             );
         }
 
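Review bot: The rewritten panic message in the `@@ -73,8` hunk of config.rs still runs the two variable names together: a trailing `\` inside a Rust string literal removes the line break and all leading whitespace of the following line, so the text is emitted as ``…_PATH`or `BORING_BSSL{,_FIPS}_SOURCE_PATH`…`` with no space before `or`. Putting the space before the continuation fixes it: ``"`no-patches` feature is supposed to be used with `BORING_BSSL{{,_FIPS}}_PATH` \`` followed by the unchanged `or …` line. The defect predates this commit, but these two lines are being rewritten anyway. The enclosing function starts and ends outside the hunk.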
@@ -107,12 +107,28 @@ impl Features {
 }
 
 impl Env {
-    fn from_env() -> Self {
+    fn from_env(is_fips_like: bool) -> Self {
+        const NORMAL_PREFIX: &str = "BORING_BSSL";
+        const FIPS_PREFIX: &str = "BORING_BSSL_FIPS";
+
+        let boringssl_var = |name: &str| {
+            // The passed name is the non-fips version of the environment variable,
+            // to help look for them in the repository.
+            assert!(name.starts_with(NORMAL_PREFIX));
+
+            if is_fips_like {
+                var(&name.replace(NORMAL_PREFIX, FIPS_PREFIX))
+            } else {
+                var(name)
+            }
+            .map(PathBuf::from)
+        };
+
         Self {
-            path: var("BORING_BSSL_PATH").map(Into::into),
-            include_path: var("BORING_BSSL_INCLUDE_PATH").map(Into::into),
-            source_path: var("BORING_BSSL_SOURCE_PATH").map(Into::into),
-            precompiled_bcm_o: var("BORING_BSSL_PRECOMPILED_BCM_O").map(Into::into),
+            path: boringssl_var("BORING_BSSL_PATH"),
+            include_path: boringssl_var("BORING_BSSL_INCLUDE_PATH"),
+            source_path: boringssl_var("BORING_BSSL_SOURCE_PATH"),
+            precompiled_bcm_o: boringssl_var("BORING_BSSL_PRECOMPILED_BCM_O"),
             debug: var("DEBUG"),
             opt_level: var("OPT_LEVEL"),
             android_ndk_home: var("ANDROID_NDK_HOME").map(Into::into),
diff --git a/boring-sys/build/main.rs b/boring-sys/build/main.rs
index a9319f30..d990a258 100644
--- a/boring-sys/build/main.rs
+++ b/boring-sys/build/main.rs
@@ -529,7 +529,7 @@ fn link_in_precompiled_bcm_o(config: &Config) {
 
     let bssl_dir = built_boring_source_path(config);
     let bcm_o_src_path = config.env.precompiled_bcm_o.as_ref()
-        .expect("`fips-link-precompiled` requires `BORING_BSSL_PRECOMPILED_BCM_O` env variable to be specified");
+        .expect("`fips-link-precompiled` requires `BORING_BSSL_FIPS_PRECOMPILED_BCM_O` env variable to be specified");
 
     let libcrypto_path = bssl_dir
         .join("build/crypto/libcrypto.a")
diff --git a/boring/Cargo.toml b/boring/Cargo.toml
index 8d983fe8..717960b9 100644
--- a/boring/Cargo.toml
+++ b/boring/Cargo.toml
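Review bot: With `is_fips_like` set, `boringssl_var` in `Env::from_env` silently ignores a `BORING_BSSL_PATH` or `BORING_BSSL_SOURCE_PATH` that a user configured before this change and falls back to whatever the build script would otherwise use, so a binary that was meant to link an operator-supplied BoringSSL (for FIPS builds, typically the validated one) can quietly be built from a different tree with no signal at build time. The closure is the natural place to surface this: when the non-FIPS name is present in the environment of a FIPS-like build, emit a `cargo:warning` naming the `_FIPS_` variable to set instead; `env` is already in scope in this file (`env::var("CARGO_CFG_TARGET_OS")` in the earlier hunk). If the `var` helper registers `rerun-if-env-changed` (its body is not in this diff), routing the presence check through it rather than `env::var_os` would keep the warning in step with later environment changes. Deriving the FIPS name with `strip_prefix` instead of `replace` also limits the rewrite to the leading prefix and folds the `assert!` into the same step. The `Self { .. }` literal that follows continues past the end of the hunk.
```rust
        // … unchanged: NORMAL_PREFIX / FIPS_PREFIX consts …
        let boringssl_var = |name: &str| {
            // The passed name is the non-fips version of the environment variable,
            // to help look for them in the repository.
            let suffix = name
                .strip_prefix(NORMAL_PREFIX)
                .expect("boringssl env variable names start with BORING_BSSL");

            if is_fips_like {
                let fips_name = format!("{}{}", FIPS_PREFIX, suffix);
                // A stale non-FIPS setting no longer selects the BoringSSL this
                // build links against; say so instead of silently moving on.
                if env::var_os(name).is_some() {
                    println!(
                        "cargo:warning=`{}` is ignored for FIPS-like builds, set `{}` instead",
                        name, fips_name
                    );
                }
                var(&fips_name)
            } else {
                var(name)
            }
            .map(PathBuf::from)
        };
        // … unchanged: Self { path: boringssl_var("BORING_BSSL_PATH"), … } …
```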
@@ -31,15 +31,15 @@ rpk = ["boring-sys/rpk"]
 # exchange. This feature is necessary in order to compile the bindings for the
 # default branch of boringSSL. Alternatively, a version of boringSSL that
 # implements the same feature set can be provided by setting
-# `BORING_BSSL_SOURCE_PATH`.
+# `BORING_BSSL{,_FIPS}_SOURCE_PATH`.
 pq-experimental = ["boring-sys/pq-experimental"]
 
-# Disables git patching of the BoringSSL sources for features like `rpk` and `pq-experimental`, but
-# keeps the related Rust API.
+# Disables git patching of the BoringSSL sources for features like `rpk` and `pq-experimental`,
+# but keeps the related Rust API.
 #
-# Supposed to be used with either pre-compiled BoringSSL (via `BORING_BSSL_PATH` env variable) or
-# with custom BoringSSL sources (via `BORING_BSSL_SOURCE_PATH` env variable) already containing
-# required patches.
+# Supposed to be used with either pre-compiled BoringSSL (via `BORING_BSSL{,_FIPS}_PATH` env
+# variable) or with custom BoringSSL sources (via `BORING_BSSL{,_FIPS}_SOURCE_PATH` env variable)
+# already containing required patches.
 no-patches = ["boring-sys/no-patches"]
 
 # Controlling key exchange preferences at compile time
diff --git a/boring/src/lib.rs b/boring/src/lib.rs
index d5d86268..27c1ebcd 100644
--- a/boring/src/lib.rs
+++ b/boring/src/lib.rs
@@ -18,18 +18,26 @@
 //!
 //! # Compilation and linking options
 //!
+//! ## Environment variables
+//!
+//! This crate uses various environment variables to tweak how boring is built. The variables
+//! are all prefixed by `BORING_BSSL_` for non-FIPS builds, and by `BORING_BSSL_FIPS_` for FIPS builds.
+//!
 //! ## Support for pre-built binaries or custom source
 //!
 //! While this crate can build BoringSSL on its own, you may want to provide pre-built binaries instead.
-//! To do so, specify the environment variable `BORING_BSSL_PATH` with the path to the binaries.
+//! To do so, specify the environment variable `BORING_BSSL{,_FIPS}_PATH` with the path to the binaries.
 //!
-//! You can also provide specific headers by setting `BORING_BSSL_INCLUDE_PATH`.
+//! You can also provide specific headers by setting `BORING_BSSL{,_FIPS}_INCLUDE_PATH`.
 //!
-//! _Notes_: The crate will look for headers in the `$BORING_BSSL_INCLUDE_PATH/openssl/` folder, make sure to place your headers there.
+//! _Notes_: The crate will look for headers in the`$BORING_BSSL{,_FIPS}_INCLUDE_PATH/openssl/`
+//! folder, make sure to place your headers there.
 //!
-//! In alternative a different path for the BoringSSL source code directory can be specified by setting `BORING_BSSL_SOURCE_PATH` which will automatically be compiled during the build process.
+//! In alternative a different path for the BoringSSL source code directory can be specified by setting
+//! `BORING_BSSL{,_FIPS}_SOURCE_PATH` which will automatically be compiled during the build process.
 //!
-//! _Warning_: When providing a different version of BoringSSL make sure to use a compatible one, the crate relies on the presence of certain functions.
+//! _Warning_: When providing a different version of BoringSSL make sure to use a compatible one, the
+//! crate relies on the presence of certain functions.
 //!
 //! ## Building with a FIPS-validated module
 //!
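Review bot: The new `## Environment variables` paragraph says the `BORING_BSSL_FIPS_` prefix applies "for FIPS builds" without stating what makes a build one, while the build script in this same patch switches prefixes on the `fips` or `fips-link-precompiled` feature; someone configuring a build needs that rule to know which variable will actually be read. I would write ``//! are all prefixed by `BORING_BSSL_` for non-FIPS builds, and by `BORING_BSSL_FIPS_` when the `fips` or `fips-link-precompiled` feature is enabled.``. The rewrapped `_Notes_` line also drops the space in ``in the`$BORING_BSSL{,_FIPS}_INCLUDE_PATH/openssl/` ``, which rustdoc will render as a run-on.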
@@ -44,11 +52,15 @@
 //! ```
 //!
 //! ## Linking current BoringSSL version with precompiled FIPS-validated module (`bcm.o`)
+//!
 //! It's possible to link latest supported version of BoringSSL with FIPS-validated crypto module
 //! (`bcm.o`). To enable this compilation option one should enable `fips-link-precompiled`
-//! compilation feature and provide a `BORING_BSSL_PRECOMPILED_BCM_O` env variable with a path to the
+//! compilation feature and provide a `BORING_BSSL_FIPS_PRECOMPILED_BCM_O` env variable with a path to the
 //! precompiled FIPS-validated `bcm.o` module.
 //!
+//! Note that `BORING_BSSL_PRECOMPILED_BCM_O` is never used, as linking BoringSSL with precompiled non-FIPS
+//! module is not supported.
+//!
 //! # Optional patches
 //!
 //! ## Raw Public Key
diff --git a/hyper-boring/Cargo.toml b/hyper-boring/Cargo.toml
index 321f3a60..07d0a182 100644
--- a/hyper-boring/Cargo.toml
+++ b/hyper-boring/Cargo.toml
@@ -31,12 +31,12 @@ rpk = ["tokio-boring/rpk"]
 # Enables experimental post-quantum crypto (https://blog.cloudflare.com/post-quantum-for-all/)
 pq-experimental = ["tokio-boring/pq-experimental"]
 
-# Disables git patching of the BoringSSL sources for features like `rpk` and `pq-experimental`, but
-# keeps the related Rust API.
+# Disables git patching of the BoringSSL sources for features like `rpk` and `pq-experimental`,
+# but keeps the related Rust API.
 #
-# Supposed to be used with either pre-compiled BoringSSL (via `BORING_BSSL_PATH` env variable) or
-# with custom BoringSSL sources (via `BORING_BSSL_SOURCE_PATH` env variable) already containing
-# required patches.
+# Supposed to be used with either pre-compiled BoringSSL (via `BORING_BSSL{,_FIPS}_PATH` env
+# variable) or with custom BoringSSL sources (via `BORING_BSSL{,_FIPS}_SOURCE_PATH` env variable)
+# already containing required patches.
 no-patches = ["tokio-boring/no-patches"]
 
 
diff --git a/tokio-boring/Cargo.toml b/tokio-boring/Cargo.toml
index 509ab6f7..31a967b3 100644
--- a/tokio-boring/Cargo.toml
+++ b/tokio-boring/Cargo.toml
@@ -28,12 +28,12 @@ rpk = ["boring/rpk"]
 # Enables experimental post-quantum crypto (https://blog.cloudflare.com/post-quantum-for-all/)
 pq-experimental = ["boring/pq-experimental"]
 
-# Disables git patching of the BoringSSL sources for features like `rpk` and `pq-experimental`, but
-# keeps the related Rust API.
+# Disables git patching of the BoringSSL sources for features like `rpk` and `pq-experimental`,
+# but keeps the related Rust API.
 #
-# Supposed to be used with either pre-compiled BoringSSL (via `BORING_BSSL_PATH` env variable) or
-# with custom BoringSSL sources (via `BORING_BSSL_SOURCE_PATH` env variable) already containing
-# required patches.
+# Supposed to be used with either pre-compiled BoringSSL (via `BORING_BSSL{,_FIPS}_PATH` env
+# variable) or with custom BoringSSL sources (via `BORING_BSSL{,_FIPS}_SOURCE_PATH` env variable)
+# already containing required patches.
 no-patches = ["boring/no-patches"]
 
 [dependencies]