Add "fips-compat" feature (#286)

This adds a feature to build against a BoringSSL version compatible with
the current boringssl-fips, but _without_ actually enabling the `fips`
feature.

This is useful in combination with `fips-link-precompiled` when using a
custom BoringSSL version based on the older FIPS branch.
Alessandro Ghedini 2024-10-17 17:58:02 +01:00 committed by GitHub
parent d3177a4300
commit a57cb3a997
GPG Key ID: B5690EEEBB952194
5 changed files with 21 additions and 16 deletions


@ -19,7 +19,12 @@ rustdoc-args = ["--cfg", "docsrs"]
# Controlling the build # Controlling the build
# Use a FIPS-validated version of boringssl. # Use a FIPS-validated version of boringssl.
fips = ["boring-sys/fips"] fips = ["fips-compat", "boring-sys/fips"]
# Build with compatibility for the BoringSSL FIPS version, without enabling the
# `fips` feature itself (useful e.g. if `fips-link-precompiled` is used with an
# older BoringSSL version).
fips-compat = []
# Link with precompiled FIPS-validated `bcm.o` module. # Link with precompiled FIPS-validated `bcm.o` module.
fips-link-precompiled = ["boring-sys/fips-link-precompiled"] fips-link-precompiled = ["boring-sys/fips-link-precompiled"]
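Review bot: The comment on `fips-compat` should say that `fips-link-precompiled` does not enable it, since that is exactly the combination the commit description targets and a reader of this file would otherwise assume the link feature pulls it in; only `fips` does (`fips = ["fips-compat", "boring-sys/fips"]`). Cargo features are additive and unified across the whole dependency graph, and `fips-compat` changes FFI integer widths in the wrapper (`BufLen`, `ProtosLen`, `ValueLen` in the other files of this commit), so a single dependent enabling it switches every user of the crate to the older ABI, which must then actually be the BoringSSL that gets linked. I would extend the comment with `# Must match the BoringSSL version actually linked. Not implied by` and `# `fips-link-precompiled`; enable both when using an older precompiled module.`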


@ -19,9 +19,9 @@ impl<'a> Drop for MemBioSlice<'a> {
impl<'a> MemBioSlice<'a> { impl<'a> MemBioSlice<'a> {
pub fn new(buf: &'a [u8]) -> Result<MemBioSlice<'a>, ErrorStack> { pub fn new(buf: &'a [u8]) -> Result<MemBioSlice<'a>, ErrorStack> {
#[cfg(not(feature = "fips"))] #[cfg(not(feature = "fips-compat"))]
type BufLen = isize; type BufLen = isize;
#[cfg(feature = "fips")] #[cfg(feature = "fips-compat")]
type BufLen = libc::c_int; type BufLen = libc::c_int;
ffi::init(); ffi::init();


@ -774,10 +774,10 @@ impl SslCurve {
/// A compliance policy. /// A compliance policy.
#[derive(Debug, Copy, Clone, PartialEq, Eq)] #[derive(Debug, Copy, Clone, PartialEq, Eq)]
#[cfg(not(feature = "fips"))] #[cfg(not(feature = "fips-compat"))]
pub struct CompliancePolicy(ffi::ssl_compliance_policy_t); pub struct CompliancePolicy(ffi::ssl_compliance_policy_t);
#[cfg(not(feature = "fips"))] #[cfg(not(feature = "fips-compat"))]
impl CompliancePolicy { impl CompliancePolicy {
/// Does nothing, however setting this does not undo other policies, so trying to set this is an error. /// Does nothing, however setting this does not undo other policies, so trying to set this is an error.
pub const NONE: Self = Self(ffi::ssl_compliance_policy_t::ssl_compliance_policy_none); pub const NONE: Self = Self(ffi::ssl_compliance_policy_t::ssl_compliance_policy_none);
@ -1469,7 +1469,7 @@ impl SslContextBuilder {
#[corresponds(SSL_CTX_set_alpn_protos)] #[corresponds(SSL_CTX_set_alpn_protos)]
pub fn set_alpn_protos(&mut self, protocols: &[u8]) -> Result<(), ErrorStack> { pub fn set_alpn_protos(&mut self, protocols: &[u8]) -> Result<(), ErrorStack> {
unsafe { unsafe {
#[cfg_attr(not(feature = "fips"), allow(clippy::unnecessary_cast))] #[cfg_attr(not(feature = "fips-compat"), allow(clippy::unnecessary_cast))]
{ {
assert!(protocols.len() <= ProtosLen::MAX as usize); assert!(protocols.len() <= ProtosLen::MAX as usize);
} }
@ -1813,7 +1813,7 @@ impl SslContextBuilder {
/// version of BoringSSL which doesn't yet include these APIs. /// version of BoringSSL which doesn't yet include these APIs.
/// Once the submoduled fips commit is upgraded, these gates can be removed. /// Once the submoduled fips commit is upgraded, these gates can be removed.
#[corresponds(SSL_CTX_set_permute_extensions)] #[corresponds(SSL_CTX_set_permute_extensions)]
#[cfg(not(feature = "fips"))] #[cfg(not(feature = "fips-compat"))]
pub fn set_permute_extensions(&mut self, enabled: bool) { pub fn set_permute_extensions(&mut self, enabled: bool) {
unsafe { ffi::SSL_CTX_set_permute_extensions(self.as_ptr(), enabled as _) } unsafe { ffi::SSL_CTX_set_permute_extensions(self.as_ptr(), enabled as _) }
} }
@ -1888,7 +1888,7 @@ impl SslContextBuilder {
/// ///
/// This feature isn't available in the certified version of BoringSSL. /// This feature isn't available in the certified version of BoringSSL.
#[corresponds(SSL_CTX_set_compliance_policy)] #[corresponds(SSL_CTX_set_compliance_policy)]
#[cfg(not(feature = "fips"))] #[cfg(not(feature = "fips-compat"))]
pub fn set_compliance_policy(&mut self, policy: CompliancePolicy) -> Result<(), ErrorStack> { pub fn set_compliance_policy(&mut self, policy: CompliancePolicy) -> Result<(), ErrorStack> {
unsafe { cvt_0i(ffi::SSL_CTX_set_compliance_policy(self.as_ptr(), policy.0)).map(|_| ()) } unsafe { cvt_0i(ffi::SSL_CTX_set_compliance_policy(self.as_ptr(), policy.0)).map(|_| ()) }
} }
@ -2160,9 +2160,9 @@ impl SslContextRef {
#[derive(Debug)] #[derive(Debug)]
pub struct GetSessionPendingError; pub struct GetSessionPendingError;
#[cfg(not(feature = "fips"))] #[cfg(not(feature = "fips-compat"))]
type ProtosLen = usize; type ProtosLen = usize;
#[cfg(feature = "fips")] #[cfg(feature = "fips-compat")]
type ProtosLen = libc::c_uint; type ProtosLen = libc::c_uint;
/// Information about the state of a cipher. /// Information about the state of a cipher.
@ -2883,7 +2883,7 @@ impl SslRef {
/// Note: This is gated to non-fips because the fips feature builds with a separate /// Note: This is gated to non-fips because the fips feature builds with a separate
/// version of BoringSSL which doesn't yet include these APIs. /// version of BoringSSL which doesn't yet include these APIs.
/// Once the submoduled fips commit is upgraded, these gates can be removed. /// Once the submoduled fips commit is upgraded, these gates can be removed.
#[cfg(not(feature = "fips"))] #[cfg(not(feature = "fips-compat"))]
pub fn set_permute_extensions(&mut self, enabled: bool) { pub fn set_permute_extensions(&mut self, enabled: bool) {
unsafe { ffi::SSL_set_permute_extensions(self.as_ptr(), enabled as _) } unsafe { ffi::SSL_set_permute_extensions(self.as_ptr(), enabled as _) }
} }
@ -2894,7 +2894,7 @@ impl SslRef {
#[corresponds(SSL_set_alpn_protos)] #[corresponds(SSL_set_alpn_protos)]
pub fn set_alpn_protos(&mut self, protocols: &[u8]) -> Result<(), ErrorStack> { pub fn set_alpn_protos(&mut self, protocols: &[u8]) -> Result<(), ErrorStack> {
unsafe { unsafe {
#[cfg_attr(not(feature = "fips"), allow(clippy::unnecessary_cast))] #[cfg_attr(not(feature = "fips-compat"), allow(clippy::unnecessary_cast))]
{ {
assert!(protocols.len() <= ProtosLen::MAX as usize); assert!(protocols.len() <= ProtosLen::MAX as usize);
} }
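Review bot: The doc comments above `set_permute_extensions` in the hunks at 1813 and 2883 still explain the gate as "gated to non-fips because the fips feature builds with a separate version of BoringSSL", but the attribute they sit on is now `#[cfg(not(feature = "fips-compat"))]`, so the explanation no longer names the cfg that applies. I would reword both to `/// Note: This is gated on the `fips-compat` feature because the FIPS-compatible BoringSSL version doesn't yet include these APIs.` and keep the existing sentence about removing the gates once the submoduled commit is upgraded. The "certified version" sentence on `set_compliance_policy` at 1888 is still accurate for a `fips` build since `fips` implies `fips-compat`, but a pure `fips-compat` build is not certified, so it could use the same wording.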


@ -981,9 +981,9 @@ impl X509NameBuilder {
} }
} }
#[cfg(not(feature = "fips"))] #[cfg(not(feature = "fips-compat"))]
type ValueLen = isize; type ValueLen = isize;
#[cfg(feature = "fips")] #[cfg(feature = "fips-compat")]
type ValueLen = i32; type ValueLen = i32;
foreign_type_and_impl_send_sync! { foreign_type_and_impl_send_sync! {
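Review bot: The `fips-compat` arm of `ValueLen` is written as `i32`, while the equivalent alias `BufLen` in bio.rs in this same commit uses `libc::c_int`; both exist to mirror a C parameter width, so `type ValueLen = libc::c_int;` would make the intent consistent and keep the alias correct on any target where the C type is not `i32`. I am assuming the `libc` path resolves in this module as it does in bio.rs; the surrounding scope is not visible in the hunk.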


@ -15,7 +15,7 @@ fn test_verify_cert() {
assert_eq!(Ok(()), verify(&leaf, &[&root1], &[&intermediate], |_| {})); assert_eq!(Ok(()), verify(&leaf, &[&root1], &[&intermediate], |_| {}));
#[cfg(not(feature = "fips"))] #[cfg(not(feature = "fips-compat"))]
assert_eq!( assert_eq!(
Ok(()), Ok(()),
verify( verify(
@ -26,7 +26,7 @@ fn test_verify_cert() {
) )
); );
#[cfg(feature = "fips")] #[cfg(feature = "fips-compat")]
assert_eq!( assert_eq!(
Err(X509VerifyError::CERT_HAS_EXPIRED), Err(X509VerifyError::CERT_HAS_EXPIRED),
verify( verify(