Add fips-precompiled feature to support newer versions of FIPS

Open • rushilmehra opened this issue 9 months ago • 1 comment

Newer versions of FIPS don't need any special casing in our bindings, unlike the submoduled boringssl-fips. In addition, many users currently use FIPS by precompiling BoringSSL with the proper build tools and passing that in to the bindings.

Until we adopt the Update Stream pattern for FIPS, there are two main use cases:

  1. Passing an unmodified, precompiled FIPS validated version of boringssl (fips-precompiled)

  2. Passing a custom source directory of boringssl meant to be linked with a FIPS validated bcm.o. This is mainly useful if you carry custom patches but still want to use a FIPS validated BoringCrypto. (fips-link-precompiled)

This commit introduces the fips-precompiled feature and removes the fips-no-compat feature.

rushilmehra • Mar 20 '25 22:03

Second, in my build environment, it looks like the linker is failing to find libcrypto:

I fixed the build issues

I think we should just disable these APIs, i.e., via #[cfg(not(any(feature = "fips", feature = "fips-precompiled")))].

I've done this, but the real issue here is that the PQ patch in our internal FIPS precompiled package and the patch we ship in this repo have diverged.

@bwesterb Do you have thoughts here? Do we want to continue maintaining the PQ patch in this repo, or can public users of the crate just rely on the PQ codepoints that are in boringssl HEAD?

rushilmehra • Mar 23 '25 23:03