From 867f2b3b9995848faa566add7a155309ba92fc5a Mon Sep 17 00:00:00 2001 From: Christopher Patton Date: Tue, 11 Mar 2025 08:17:41 -0700 Subject: [PATCH] boring-sys: Ignore patches when boringSSL is precompiled Internal users often have two builds for `boring`, one using a precompiled build of boringSSL and another built from source with patches applied. However the features that enable these builds are mutually exclusive. For example, the `"pq-experimental"` feature is required to build the source with all of the necessary codepoints for PQ key exchange, but if this feature is enabled and a precompiled boringSSL is provided, then the build will fail. This means users will have to also control their builds with mutually exclusive features. An alternative is to *ignore* features that enable patches whenever a precompiled boringSSL is provided. This is a little different from the "assume patched" environment variable, which applies whenever we're building from source. --- boring-sys/build/config.rs | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/boring-sys/build/config.rs b/boring-sys/build/config.rs index 28a43ccc..19a63f52 100644 --- a/boring-sys/build/config.rs +++ b/boring-sys/build/config.rs @@ -96,10 +96,15 @@ impl Config { || self.features.underscore_wildcards; let patches_required = features_with_patches_enabled && !self.env.assume_patched; - let build_from_sources_required = self.features.fips_link_precompiled || patches_required; - if is_precompiled_native_lib && build_from_sources_required { - panic!("precompiled BoringSSL was provided, so FIPS configuration or optional patches can't be applied"); + if is_precompiled_native_lib && patches_required { + println!( + "cargo:warning=precompiled BoringSSL was provided, so patches will be ignored" + ); + } + + if is_precompiled_native_lib && self.features.fips_link_precompiled { + panic!("precompiled BoringSSL was provided, so FIPS configuration can't be applied"); } } }