1507689c5b
* Add rerun-if-env-changed instructions for BORING_* variables * Use X509_get0_notBefore() and X509_get0_notAfter() instead of X509_getm_notBefore() and X509_getm_notAfter(). According to https://www.openssl.org/docs/man1.1.0/man3/X509_getm_notBefore.html, "X509_getm_notBefore() and X509_getm_notAfter() are similar to X509_get0_notBefore() and X509_get0_notAfter() except they return non-constant mutable references to the associated date field of the certificate". * Only update boringssl submodule if BORING_BSSL_PATH not provided * Allow BORING_BSSL_LIB_PATH to control link search * Add fips feature * Use X509_set_notAfter unconditionally for FIPS compatibility This is equivalent according to https://boringssl.googlesource.com/boringssl/+/c947efabcbc38dcf93e8ad0e6a76206cf0ec8072 The version of boringssl that's FIPS-certified doesn't have `X509_set1_notAfter`. The only difference between that and `X509_set_notAfter` is whether they're const-correct, which doesn't seem worth having two different code-paths. * Check out fips commit automatically * Verify the version of the compiler used for building boringssl NIST specifies that it needs to be 7.0.1; I originally tried building with clang 10 and it failed. Theoretically this should check the versions of Go and Ninja too, but they haven't given me trouble in practice. Example error: ``` Compiling boring-sys v1.1.1 (/home/jnelson/work/boring/boring-sys) error: failed to run custom build command for `boring-sys v1.1.1 (/home/jnelson/work/boring/boring-sys)` Caused by: process didn't exit successfully: `/home/jnelson/work/boring/target/debug/build/boring-sys-31b8ce53031cfd83/build-script-build` (exit status: 101) --- stdout cargo:rerun-if-env-changed=BORING_BSSL_PATH --- stderr warning: missing clang-7, trying other compilers: Permission denied (os error 13) warning: FIPS requires clang version 7.0.1, skipping incompatible version "clang version 10.0.0-4ubuntu1 " thread 'main' panicked at 'unsupported clang version "cc (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0": FIPS requires clang 7.0.1', boring-sys/build.rs:216:13 note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace ``` * Add Github actions workflow testing FIPS Co-authored-by: Joshua Nelson <jnelson@cloudflare.com> |
||
|---|---|---|
| .. | ||
| deps | ||
| src | ||
| CHANGELOG.md | ||
| Cargo.toml | ||
| LICENSE-MIT | ||
| README.md | ||
| build.rs | ||
README.md
boring
BoringSSL bindings for the Rust programming language and TLS adapters for tokio and hyper built on top of it.
Release Support
By default, the crate statically links with the latest BoringSSL master branch.
Support for pre-built binaries
While this crate can build BoringSSL on its own, you may want to provide pre-built binaries instead.
To do so, specify the environment variable BORING_BSSL_PATH with the path to the binaries.
You can also provide specific headers by setting BORING_BSSL_INCLUDE_PATH.
Notes: The crate will look for headers in the $BORING_BSSL_INCLUDE_PATH/openssl/ folder, make sure to place your headers there.
Warning: When providing a different version of BoringSSL make sure to use a compatible one, the crate relies on the presence of certain functions.
Building with a FIPS-validated module
Only BoringCrypto module version ae223d6138807a13006342edfeef32e813246b39, as
certified with certificate
3678
is supported by this crate. Support is enabled by this crate's fips feature.
boring-sys comes with a test that FIPS is enabled/disabled depending on the feature flag. You can run it as follows:
$ cargo test --features fips fips::is_enabled
Contribution
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed under the terms of both the Apache License, Version 2.0 and the MIT license without any additional terms or conditions.
Accolades
The project is based on a fork of rust-openssl.