Skip to content

Commit

Permalink
Add RPK and PQ crypto features
Browse files Browse the repository at this point in the history
  • Loading branch information
inikulin committed Jul 7, 2023
1 parent 8f48855 commit c4e8a94
Show file tree
Hide file tree
Showing 26 changed files with 4,626 additions and 45 deletions.
13 changes: 13 additions & 0 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -197,3 +197,16 @@ jobs:
run: ln -s clang clang++-12
- run: cargo test --features fips
name: Run tests

test-rpk:
name: Test RPK
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v2
with:
submodules: 'recursive'
- name: Install Rust (rustup)
run: rustup update stable --no-self-update && rustup default stable
shell: bash
- run: cargo test --features rpk
name: Run tests
1 change: 1 addition & 0 deletions Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -5,3 +5,4 @@ members = [
"tokio-boring",
"hyper-boring"
]
resolver = "2"
11 changes: 10 additions & 1 deletion boring-sys/Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ documentation = "https://docs.rs/boring-sys"
links = "boringssl"
readme = "README.md"
categories = ["cryptography", "external-ffi-bindings"]
edition = "2018"
edition = "2021"
include = [
"/*.md",
"/*.toml",
Expand All @@ -24,12 +24,21 @@ include = [
"/deps/boringssl/LICENSE",
"/build.rs",
"/src",
"/patches",
"/scripts"
]

[build-dependencies]
bindgen = { version = "0.65.1", default-features = false, features = ["runtime"] }
cmake = "0.1"
fslock = "0.2.1"

[features]
# Use a FIPS-validated version of boringssl.
fips = []

# Enables Raw public key API (https://datatracker.ietf.org/doc/html/rfc7250)
rpk = []

# Enables post-quantum crypto (https://blog.cloudflare.com/post-quantum-for-all/)
post-quantum = []
112 changes: 87 additions & 25 deletions boring-sys/build.rs
Original file line number Diff line number Diff line change
@@ -1,3 +1,7 @@
use fslock::LockFile;
use std::env;
use std::io;
use std::io::Write;
use std::path::{Path, PathBuf};
use std::process::Command;

Expand Down Expand Up @@ -285,7 +289,6 @@ fn get_extra_clang_args_for_bindgen() -> Vec<String> {
#[allow(clippy::single_match)]
match os.as_ref() {
"ios" => {
use std::io::Write;
// When cross-compiling for iOS, tell bindgen to use iOS sysroot,
// and *don't* use system headers of the host macOS.
let sdk = get_ios_sdk_name();
Expand Down Expand Up @@ -325,28 +328,93 @@ fn get_extra_clang_args_for_bindgen() -> Vec<String> {
params
}

fn main() {
use std::env;
fn ensure_patches_applied() -> io::Result<()> {
let mut lock_file = LockFile::open(&PathBuf::from(BORING_SSL_PATH).join(".patch_lock"))?;

lock_file.lock()?;

let mut cmd = Command::new("git");

cmd.args(["reset", "--hard"])
.current_dir(PathBuf::from(env!("CARGO_MANIFEST_DIR")).join(BORING_SSL_PATH));

run_command(&mut cmd)?;

if cfg!(feature = "post-quantum") {
println!("cargo:warning=applying post quantum crypto patch to boringssl");
run_apply_patch_script("scripts/apply_pq_patch.sh", "")?;
}

if cfg!(feature = "rpk") {
println!("cargo:warning=applying RPK patch to boringssl");
run_apply_patch_script("scripts/apply_rpk_patch.sh", "src")?;
}

Ok(())
}

fn run_command(command: &mut Command) -> io::Result<()> {
let exit_status = command.spawn()?.wait()?;

if !exit_status.success() {
let err = match exit_status.code() {
Some(code) => format!("{:?} exited with status: {}", command, code),
None => format!("{:?} was terminated by signal", command),
};

return Err(io::Error::new(io::ErrorKind::Other, err));
}

Ok(())
}

fn run_apply_patch_script(
script_path: impl AsRef<Path>,
from_dir: impl AsRef<Path>,
) -> io::Result<()> {
let manifest_dir = PathBuf::from(env!("CARGO_MANIFEST_DIR"));

let src_path = manifest_dir
.join(BORING_SSL_PATH)
.join(from_dir)
.canonicalize()?;

let cmd_path = manifest_dir.join(script_path).canonicalize()?;

let mut cmd = Command::new(cmd_path);
cmd.current_dir(src_path);
run_command(&mut cmd)?;

Ok(())
}

fn main() {
println!("cargo:rerun-if-env-changed=BORING_BSSL_PATH");
let bssl_dir = std::env::var("BORING_BSSL_PATH").unwrap_or_else(|_| {
if !Path::new(BORING_SSL_PATH).join("CMakeLists.txt").exists() {
println!("cargo:warning=fetching boringssl git submodule");
// fetch the boringssl submodule
let status = Command::new("git")
.args([
"submodule",
"update",
"--init",
"--recursive",
BORING_SSL_PATH,
])
.status();
if !status.map_or(false, |status| status.success()) {
panic!("failed to fetch submodule - consider running `git submodule update --init --recursive deps/boringssl` yourself");
}

#[cfg(all(feature = "fips", feature = "rpk"))]
compile_error!("`fips` and `rpk` features are mutually exclusive");

if !Path::new(BORING_SSL_PATH).join("CMakeLists.txt").exists() {
println!("cargo:warning=fetching boringssl git submodule");
// fetch the boringssl submodule
let status = Command::new("git")
.args([
"submodule",
"update",
"--init",
"--recursive",
BORING_SSL_PATH,
])
.status();

if !status.map_or(false, |status| status.success()) {
panic!("failed to fetch submodule - consider running `git submodule update --init --recursive deps/boringssl` yourself");
}
}

ensure_patches_applied().unwrap();

let bssl_dir = std::env::var("BORING_BSSL_PATH").unwrap_or_else(|_| {
let mut cfg = get_boringssl_cmake_config();

if cfg!(feature = "fuzzing") {
Expand Down Expand Up @@ -385,12 +453,6 @@ fn main() {
println!("cargo:rustc-link-lib=static=crypto");
println!("cargo:rustc-link-lib=static=ssl");

// MacOS: Allow cdylib to link with undefined symbols
let target_os = std::env::var("CARGO_CFG_TARGET_OS").unwrap();
if target_os == "macos" {
println!("cargo:rustc-cdylib-link-arg=-Wl,-undefined,dynamic_lookup");
}

println!("cargo:rerun-if-env-changed=BORING_BSSL_INCLUDE_PATH");
let include_path = std::env::var("BORING_BSSL_INCLUDE_PATH").unwrap_or_else(|_| {
if cfg!(feature = "fips") {
Expand Down
Loading

0 comments on commit c4e8a94

Please sign in to comment.