boring2/boring/Cargo.toml

[package]
name = "boring2"
version = { workspace = true }
authors = ["Steven Fackler <sfackler@gmail.com>", "Ivan Nikulin <ifaaan@gmail.com>"]
license = "Apache-2.0"
description = "BoringSSL bindings"
repository = { workspace = true }
documentation = "https://docs.rs/boring2"
readme = "README.md"
keywords = ["crypto", "tls", "ssl", "dtls"]
categories = ["cryptography", "api-bindings"]
edition = { workspace = true }
rust-version = "1.80"

[package.metadata.docs.rs]
features = ["pq-experimental", "underscore-wildcards"]
rustdoc-args = ["--cfg", "docsrs"]

[features]
# Controlling the build

# NOTE: This feature is deprecated. It is needed for the submoduled
# boringssl-fips, which is extremely old and requires modifications to the
# bindings, as some newer APIs don't exist and some function signatures have
# changed. It is highly recommended to use `fips-precompiled` instead.
#
# This feature sets `fips-compat` on behalf of the user to guarantee bindings
# compatibility with the submoduled boringssl-fips.
#
# Use a FIPS-validated version of BoringSSL.
fips = ["fips-compat", "boring-sys/fips"]

# Build with compatibility for the submoduled boringssl-fips, without enabling
# the `fips` feature itself (useful e.g. if `fips-link-precompiled` is used
# with an older BoringSSL version).
fips-compat = []

# Use a precompiled FIPS-validated version of BoringSSL. Meant to be used with
# FIPS-20230428 or newer. Users must set `BORING_BSSL_FIPS_PATH` to use this
# feature, or else the build will fail.
fips-precompiled = ["boring-sys/fips-precompiled"]

# Link with precompiled FIPS-validated `bcm.o` module.
fips-link-precompiled = ["boring-sys/fips-link-precompiled"]

# Applies a patch to the boringSSL source code that enables support for PQ key
# exchange. This feature is necessary in order to compile the bindings for the
# default branch of boringSSL. Alternatively, a version of boringSSL that
# implements the same feature set can be provided by setting
# `BORING_BSSL{,_FIPS}_SOURCE_PATH` and `BORING_BSSL{,_FIPS}_ASSUME_PATCHED`.
pq-experimental = ["boring-sys/pq-experimental"]

# Applies a patch to enable
# `ffi::X509_CHECK_FLAG_UNDERSCORE_WILDCARDS`. Same caveats as
# those for `pq-experimental` feature apply.
underscore-wildcards = ["boring-sys/underscore-wildcards"]

# Add a prefix to all symbols in libcrypto and libssl to prevent conflicts
# with other OpenSSL or BoringSSL versions that might be linked in the same process.
prefix-symbols = ["boring-sys/prefix-symbols"]

# Controlling key exchange preferences at compile time

# Choose key exchange preferences at compile time. This prevents the user from
# choosing their own preferences.
kx-safe-default = []

# Support PQ key exchange. The client will prefer classical key exchange, but
# will upgrade to PQ key exchange if requested by the server. This is the
# safest option if you don't know if the peer supports PQ key exchange. This
# feature implies "kx-safe-default".
kx-client-pq-supported = ["kx-safe-default"]

# Prefer PQ key exchange. The client will prefer PQ exchange, but fallback to
# classical key exchange if requested by the server. This is the best option if
# you know the peer supports PQ key exchange. This feature implies
# "kx-safe-default" and "kx-client-pq-supported".
kx-client-pq-preferred = ["kx-safe-default", "kx-client-pq-supported"]

# Disable key exchange involving non-NIST key exchange on the client side.
# Implies "kx-safe-default".
kx-client-nist-required = ["kx-safe-default"]

[dependencies]
bitflags = { workspace = true }
foreign-types = { workspace = true }
openssl-macros = { workspace = true }
libc = { workspace = true }
boring-sys = { workspace = true }

[dev-dependencies]
hex = { workspace = true }
rusty-hook = { workspace = true }
brotli = { workspace = true }