Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Introduce a new set of env variables specific to FIPS builds #170

Merged
merged 5 commits into from
Oct 23, 2023
Merged

Conversation

nox
Copy link
Collaborator

@nox nox commented Oct 10, 2023

BoringSSL checkouts for FIPS-validated builds and for normal builds can be quite different, enough for them to not build with their expected fips or fips-link-precompiled feature settings, for example when they are both used as runtime dependencies and build dependencies. When using cargo's resolver 2, the user then needs to make sure that boring is compiled with the same FIPS-related features for both kind of dependencies, which can sometimes be difficult.

For this reason, this PR introduces a new set of variables prefixed by BORING_BSSL_FIPS_ instead of BORING_BSSL_:

  • BORING_BSSL_FIPS_PATH
  • BORING_BSSL_FIPS_INCLUDE_PATH
  • BORING_BSSL_FIPS_SOURCE_PATH
  • BORING_BSSL_FIPS_PRECOMPILED_BCM_O

While at it, the prefix were normalized, as BORING_BSSL_FIPS_PRECOMPILED_BCM_O used to be BORING_SSL_PRECOMPILED_BCM_O (note how it was prefixed with BORING_SSL_ instead of BORING_BSSL_).

To support this work, the build script was refactored and a helper struct Config was introduced to help navigating how the env variables and the various feature flags were used. Now they are all struct fields that can be tracked easily with rust-analyzer.

@nox nox force-pushed the env branch 3 times, most recently from ee99d80 to 723be81 Compare October 10, 2023 10:39
nox added 5 commits October 11, 2023 14:49
Using a struct improves navigation of the build script,
as we can rely on rust-analyzer to help us check how
a feature flag or an environment variable is used,
as opposed to grepping for multiple env::var calls
or #[cfg] attributes.

This commit also removes some obsolete blocks of code
related to the now defunct ndk-old-gcc and fuzzing features.
The current directory from a build script executed by cargo
is always the manifest dir, so we may as well only use
the manifest dir.
This means BORING_SSL_PRECOMPILED_BCM_O is now
BORING_BSSL_PRECOMPILED_BCM_O.

Prefix BORING_BSSL_ has been chosen because that's the
one that is used the most among all the variables
the build script uses.
Builds using feature fips or fips-link-precompiled now
read variables prefixed by BORING_BSSL_FIPS_ instead of
BORING_BSSL_. This helps complex builds where build dependencies
also use boring, where we may not want to use fips there.

Without those separate variables, the boring build for the
build dependencies end up relying on e.g. BORING_BSSL_PATH,
causing errors if this path is a boring checkout intended for
fips builds, while the fips feature isn't enabled for
the build dependency.
@nox nox merged commit 7ddb106 into master Oct 23, 2023
@nox nox deleted the env branch October 23, 2023 10:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants