Replace feature no-patches with BORING_BSSL{,_FIPS}_ASSUME_PATCHED

Feature no-patches is ever only useful when setting other env variables BORING_BSSL{,_FIPS}{,_SOURCE}_PATH, and it has no impact on the APIs provided by any of the boring crates, so we may as well make it an env variable itself so downstream users have less features to propagate across their own crate graph.
cloudflare · Oct 23, 2023 · 9ac7a89 · 9ac7a89
1 parent 4b4efd1
commit 9ac7a89
Show file tree

Hide file tree

Showing 6 changed files with 17 additions and 46 deletions.
diff --git a/boring-sys/Cargo.toml b/boring-sys/Cargo.toml
@@ -71,14 +71,6 @@ rpk = []
 # can be provided by setting `BORING_BSSL{,_FIPS}_SOURCE_PATH`.
 pq-experimental = []
 
-# Disables git patching of the BoringSSL sources for features like `rpk` and `pq-experimental`,
-# but keeps the related Rust API.
-# 
-# Supposed to be used with either pre-compiled BoringSSL (via `BORING_BSSL{,_FIPS}_PATH` env
-# variable) or  with custom BoringSSL sources (via `BORING_BSSL{,_FIPS}_SOURCE_PATH` env variable)
-# already containing required patches.
-no-patches = []
-
 [build-dependencies]
 bindgen = { workspace = true }
 cmake = { workspace = true }

diff --git a/boring-sys/build/config.rs b/boring-sys/build/config.rs
@@ -15,7 +15,6 @@ pub(crate) struct Config {
 }
 
 pub(crate) struct Features {
-    pub(crate) no_patches: bool,
     pub(crate) fips: bool,
     pub(crate) fips_link_precompiled: bool,
     pub(crate) pq_experimental: bool,
@@ -27,6 +26,7 @@ pub(crate) struct Env {
     pub(crate) include_path: Option<PathBuf>,
     pub(crate) source_path: Option<PathBuf>,
     pub(crate) precompiled_bcm_o: Option<PathBuf>,
+    pub(crate) assume_patched: bool,
     pub(crate) debug: Option<OsString>,
     pub(crate) opt_level: Option<OsString>,
     pub(crate) android_ndk_home: Option<PathBuf>,
@@ -71,15 +71,15 @@ impl Config {
         let is_external_native_lib_source =
             !is_precompiled_native_lib && self.env.source_path.is_none();
 
-        if self.features.no_patches && is_external_native_lib_source {
+        if self.env.assume_patched && is_external_native_lib_source {
             panic!(
-                "`no-patches` feature is supposed to be used with `BORING_BSSL{{,_FIPS}}_PATH`\
-                or `BORING_BSSL{{,_FIPS}}_SOURCE_PATH` env variables"
+                "`BORING_BSSL_{{,_FIPS}}_ASSUME_PATCHED` env variable is supposed to be used with\
+                `BORING_BSSL{{,_FIPS}}_PATH` or `BORING_BSSL{{,_FIPS}}_SOURCE_PATH` env variables"
             );
         }
 
         let features_with_patches_enabled = self.features.rpk || self.features.pq_experimental;
-        let patches_required = features_with_patches_enabled && !self.features.no_patches;
+        let patches_required = features_with_patches_enabled && !self.env.assume_patched;
         let build_from_sources_required = self.features.fips_link_precompiled || patches_required;
 
         if is_precompiled_native_lib && build_from_sources_required {
@@ -90,14 +90,12 @@ impl Config {
 
 impl Features {
     fn from_env() -> Self {
-        let no_patches = env::var_os("CARGO_FEATURE_NO_PATCHES").is_some();
         let fips = env::var_os("CARGO_FEATURE_FIPS").is_some();
         let fips_link_precompiled = env::var_os("CARGO_FEATURE_FIPS_LINK_PRECOMPILED").is_some();
         let pq_experimental = env::var_os("CARGO_FEATURE_PQ_EXPERIMENTAL").is_some();
         let rpk = env::var_os("CARGO_FEATURE_RPK").is_some();
 
         Self {
-            no_patches,
             fips,
             fips_link_precompiled,
             pq_experimental,
@@ -121,14 +119,15 @@ impl Env {
             } else {
                 var(name)
             }
-            .map(PathBuf::from)
         };
 
         Self {
-            path: boringssl_var("BORING_BSSL_PATH"),
-            include_path: boringssl_var("BORING_BSSL_INCLUDE_PATH"),
-            source_path: boringssl_var("BORING_BSSL_SOURCE_PATH"),
-            precompiled_bcm_o: boringssl_var("BORING_BSSL_PRECOMPILED_BCM_O"),
+            path: boringssl_var("BORING_BSSL_PATH").map(PathBuf::from),
+            include_path: boringssl_var("BORING_BSSL_INCLUDE_PATH").map(PathBuf::from),
+            source_path: boringssl_var("BORING_BSSL_SOURCE_PATH").map(PathBuf::from),
+            precompiled_bcm_o: boringssl_var("BORING_BSSL_PRECOMPILED_BCM_O").map(PathBuf::from),
+            assume_patched: boringssl_var("BORING_BSSL_ASSUME_PATCHED")
+                .is_some_and(|v| !v.is_empty()),
             debug: var("DEBUG"),
             opt_level: var("OPT_LEVEL"),
             android_ndk_home: var("ANDROID_NDK_HOME").map(Into::into),

diff --git a/boring-sys/build/main.rs b/boring-sys/build/main.rs
@@ -496,7 +496,7 @@ fn built_boring_source_path(config: &Config) -> &PathBuf {
     static BUILD_SOURCE_PATH: OnceLock<PathBuf> = OnceLock::new();
 
     BUILD_SOURCE_PATH.get_or_init(|| {
-        if config.features.no_patches {
+        if config.env.assume_patched {
             println!(
                 "cargo:warning=skipping git patches application, provided\
                 native BoringSSL is expected to have the patches included"

diff --git a/boring/Cargo.toml b/boring/Cargo.toml
@@ -25,23 +25,19 @@ fips = ["boring-sys/fips"]
 fips-link-precompiled = ["boring-sys/fips-link-precompiled"]
 
 # Enables Raw public key API (https://datatracker.ietf.org/doc/html/rfc7250)
+# This feature is necessary in order to compile the bindings for the
+# default branch of boringSSL. Alternatively, a version of boringSSL that
+# implements the same feature set can be provided by setting
+# `BORING_BSSL{,_FIPS}_SOURCE_PATH` and `BORING_BSSL{,_FIPS}_ASSUME_PATCHED`.
 rpk = ["boring-sys/rpk"]
 
 # Applies a patch to the boringSSL source code that enables support for PQ key
 # exchange. This feature is necessary in order to compile the bindings for the
 # default branch of boringSSL. Alternatively, a version of boringSSL that
 # implements the same feature set can be provided by setting
-# `BORING_BSSL{,_FIPS}_SOURCE_PATH`.
+# `BORING_BSSL{,_FIPS}_SOURCE_PATH` and `BORING_BSSL{,_FIPS}_ASSUME_PATCHED`.
 pq-experimental = ["boring-sys/pq-experimental"]
 
-# Disables git patching of the BoringSSL sources for features like `rpk` and `pq-experimental`,
-# but keeps the related Rust API.
-#
-# Supposed to be used with either pre-compiled BoringSSL (via `BORING_BSSL{,_FIPS}_PATH` env
-# variable) or with custom BoringSSL sources (via `BORING_BSSL{,_FIPS}_SOURCE_PATH` env variable)
-# already containing required patches.
-no-patches = ["boring-sys/no-patches"]
-
 # Controlling key exchange preferences at compile time
 
 # Choose key exchange preferences at compile time. This prevents the user from

diff --git a/hyper-boring/Cargo.toml b/hyper-boring/Cargo.toml
@@ -28,14 +28,6 @@ fips-link-precompiled = ["tokio-boring/fips-link-precompiled"]
 # Enables experimental post-quantum crypto (https://blog.cloudflare.com/post-quantum-for-all/)
 pq-experimental = ["tokio-boring/pq-experimental"]
 
-# Disables git patching of the BoringSSL sources for features like `rpk` and `pq-experimental`,
-# but keeps the related Rust API.
-# 
-# Supposed to be used with either pre-compiled BoringSSL (via `BORING_BSSL{,_FIPS}_PATH` env
-# variable) or with custom BoringSSL sources (via `BORING_BSSL{,_FIPS}_SOURCE_PATH` env variable)
-# already containing required patches.
-no-patches = ["tokio-boring/no-patches"]
-
 [dependencies]
 antidote = { workspace = true }
 http = { workspace = true }

diff --git a/tokio-boring/Cargo.toml b/tokio-boring/Cargo.toml
@@ -25,14 +25,6 @@ fips-link-precompiled = ["boring/fips-link-precompiled", "boring-sys/fips-link-p
 # Enables experimental post-quantum crypto (https://blog.cloudflare.com/post-quantum-for-all/)
 pq-experimental = ["boring/pq-experimental"]
 
-# Disables git patching of the BoringSSL sources for features like `rpk` and `pq-experimental`,
-# but keeps the related Rust API.
-# 
-# Supposed to be used with either pre-compiled BoringSSL (via `BORING_BSSL{,_FIPS}_PATH` env
-# variable) or  with custom BoringSSL sources (via `BORING_BSSL{,_FIPS}_SOURCE_PATH` env variable)
-# already containing required patches.
-no-patches = ["boring/no-patches"]
-
 [dependencies]
 boring = { workspace = true }
 boring-sys = { workspace = true }