Introduce a new set of env variables specific to FIPS builds #170
+375
−266
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
BoringSSL checkouts for FIPS-validated builds and for normal builds can be quite different, enough for them to not build with their expected
fips
orfips-link-precompiled
feature settings, for example when they are both used as runtime dependencies and build dependencies. When using cargo's resolver 2, the user then needs to make sure that boring is compiled with the same FIPS-related features for both kind of dependencies, which can sometimes be difficult.For this reason, this PR introduces a new set of variables prefixed by
BORING_BSSL_FIPS_
instead ofBORING_BSSL_
:BORING_BSSL_FIPS_PATH
BORING_BSSL_FIPS_INCLUDE_PATH
BORING_BSSL_FIPS_SOURCE_PATH
BORING_BSSL_FIPS_PRECOMPILED_BCM_O
While at it, the prefix were normalized, as
BORING_BSSL_FIPS_PRECOMPILED_BCM_O
used to beBORING_SSL_PRECOMPILED_BCM_O
(note how it was prefixed withBORING_SSL_
instead ofBORING_BSSL_
).To support this work, the build script was refactored and a helper struct
Config
was introduced to help navigating how the env variables and the various feature flags were used. Now they are all struct fields that can be tracked easily with rust-analyzer.