Introduce a new set of env variables for FIPS-like builds

Builds using feature fips or fips-link-precompiled now
read variables prefixed by BORING_BSSL_FIPS_ instead of
BORING_BSSL_. This helps complex builds where build dependencies
also use boring, where we may not want to use fips there.

Without those separate variables, the boring build for the
build dependencies end up relying on e.g. BORING_BSSL_PATH,
causing errors if this path is a boring checkout intended for
fips builds, while the fips feature isn't enabled for
the build dependency.

boring-sys/Cargo.toml

@@ -68,15 +68,15 @@ rpk = []
 # enables support for PQ key exchange. This feature is necessary in order to
 # compile the bindings for the default branch of boringSSL (`deps/boringssl`).
 # Alternatively, a version of boringSSL that implements the same feature set
-# can be provided by setting `BORING_BSSL_SOURCE_PATH`.
+# can be provided by setting `BORING_BSSL{,_FIPS}_SOURCE_PATH`.
 pq-experimental = []
 
-# Disables git patching of the BoringSSL sources for features like `rpk` and `pq-experimental`, but
-# keeps the related Rust API. 
+# Disables git patching of the BoringSSL sources for features like `rpk` and `pq-experimental`,
+# but keeps the related Rust API.
 # 
-# Supposed to be used with either pre-compiled BoringSSL (via `BORING_BSSL_PATH` env variable) or 
-# with custom BoringSSL sources (via `BORING_BSSL_SOURCE_PATH` env variable) already containing 
-# required patches.
+# Supposed to be used with either pre-compiled BoringSSL (via `BORING_BSSL{,_FIPS}_PATH` env
+# variable) or  with custom BoringSSL sources (via `BORING_BSSL{,_FIPS}_SOURCE_PATH` env variable)
+# already containing required patches.
 no-patches = []
 
 [build-dependencies]

boring-sys/build/config.rs

@@ -43,7 +43,7 @@ impl Config {
         let target_os = env::var("CARGO_CFG_TARGET_OS").unwrap();
 
         let features = Features::from_env();
-        let env = Env::from_env();
+        let env = Env::from_env(features.fips || features.fips_link_precompiled);
 
         let config = Self {
             manifest_dir,
@@ -73,8 +73,8 @@ impl Config {
 
         if self.features.no_patches && is_external_native_lib_source {
             panic!(
-                "`no-patches` feature is supposed to be used with `BORING_BSSL_PATH`\
-                or `BORING_BSSL_SOURCE_PATH` env variables"
+                "`no-patches` feature is supposed to be used with `BORING_BSSL{{,_FIPS}}_PATH`\
+                or `BORING_BSSL{{,_FIPS}}_SOURCE_PATH` env variables"
             );
         }
 
@@ -107,12 +107,28 @@ impl Features {
 }
 
 impl Env {
-    fn from_env() -> Self {
+    fn from_env(is_fips_like: bool) -> Self {
+        const NORMAL_PREFIX: &str = "BORING_BSSL";
+        const FIPS_PREFIX: &str = "BORING_BSSL_FIPS";
+
+        let boringssl_var = |name: &str| {
+            // The passed name is the non-fips version of the environment variable,
+            // to help look for them in the repository.
+            assert!(name.starts_with(NORMAL_PREFIX));
+
+            if is_fips_like {
+                var(&name.replace(NORMAL_PREFIX, FIPS_PREFIX))
+            } else {
+                var(name)
+            }
+            .map(PathBuf::from)
+        };
+
         Self {
-            path: var("BORING_BSSL_PATH").map(Into::into),
-            include_path: var("BORING_BSSL_INCLUDE_PATH").map(Into::into),
-            source_path: var("BORING_BSSL_SOURCE_PATH").map(Into::into),
-            precompiled_bcm_o: var("BORING_BSSL_PRECOMPILED_BCM_O").map(Into::into),
+            path: boringssl_var("BORING_BSSL_PATH"),
+            include_path: boringssl_var("BORING_BSSL_INCLUDE_PATH"),
+            source_path: boringssl_var("BORING_BSSL_SOURCE_PATH"),
+            precompiled_bcm_o: boringssl_var("BORING_BSSL_PRECOMPILED_BCM_O"),
             debug: var("DEBUG"),
             opt_level: var("OPT_LEVEL"),
             android_ndk_home: var("ANDROID_NDK_HOME").map(Into::into),

boring-sys/build/main.rs

@@ -529,7 +529,7 @@ fn link_in_precompiled_bcm_o(config: &Config) {
 
     let bssl_dir = built_boring_source_path(config);
     let bcm_o_src_path = config.env.precompiled_bcm_o.as_ref()
-        .expect("`fips-link-precompiled` requires `BORING_BSSL_PRECOMPILED_BCM_O` env variable to be specified");
+        .expect("`fips-link-precompiled` requires `BORING_BSSL_FIPS_PRECOMPILED_BCM_O` env variable to be specified");
 
     let libcrypto_path = bssl_dir
         .join("build/crypto/libcrypto.a")

boring/Cargo.toml

@@ -31,15 +31,15 @@ rpk = ["boring-sys/rpk"]
 # exchange. This feature is necessary in order to compile the bindings for the
 # default branch of boringSSL. Alternatively, a version of boringSSL that
 # implements the same feature set can be provided by setting
-# `BORING_BSSL_SOURCE_PATH`.
+# `BORING_BSSL{,_FIPS}_SOURCE_PATH`.
 pq-experimental = ["boring-sys/pq-experimental"]
 
-# Disables git patching of the BoringSSL sources for features like `rpk` and `pq-experimental`, but
-# keeps the related Rust API.
+# Disables git patching of the BoringSSL sources for features like `rpk` and `pq-experimental`,
+# but keeps the related Rust API.
 #
-# Supposed to be used with either pre-compiled BoringSSL (via `BORING_BSSL_PATH` env variable) or
-# with custom BoringSSL sources (via `BORING_BSSL_SOURCE_PATH` env variable) already containing
-# required patches.
+# Supposed to be used with either pre-compiled BoringSSL (via `BORING_BSSL{,_FIPS}_PATH` env
+# variable) or with custom BoringSSL sources (via `BORING_BSSL{,_FIPS}_SOURCE_PATH` env variable)
+# already containing required patches.
 no-patches = ["boring-sys/no-patches"]
 
 # Controlling key exchange preferences at compile time

boring/src/lib.rs

@@ -18,18 +18,26 @@
 //!
 //! # Compilation and linking options
 //!
+//! ## Environment variables
+//!
+//! This crate uses various environment variables to tweak how boring is built. The variables
+//! are all prefixed by `BORING_BSSL_` for non-FIPS builds, and by `BORING_BSSL_FIPS_` for FIPS builds.
+//!
 //! ## Support for pre-built binaries or custom source
 //!
 //! While this crate can build BoringSSL on its own, you may want to provide pre-built binaries instead.
-//! To do so, specify the environment variable `BORING_BSSL_PATH` with the path to the binaries.
+//! To do so, specify the environment variable `BORING_BSSL{,_FIPS}_PATH` with the path to the binaries.
 //!
-//! You can also provide specific headers by setting `BORING_BSSL_INCLUDE_PATH`.
+//! You can also provide specific headers by setting `BORING_BSSL{,_FIPS}_INCLUDE_PATH`.
 //!
-//! _Notes_: The crate will look for headers in the `$BORING_BSSL_INCLUDE_PATH/openssl/` folder, make sure to place your headers there.
+//! _Notes_: The crate will look for headers in the`$BORING_BSSL{,_FIPS}_INCLUDE_PATH/openssl/`
+//! folder, make sure to place your headers there.
 //!
-//! In alternative a different path for the BoringSSL source code directory can be specified by setting `BORING_BSSL_SOURCE_PATH` which will automatically be compiled during the build process.
+//! In alternative a different path for the BoringSSL source code directory can be specified by setting
+//! `BORING_BSSL{,_FIPS}_SOURCE_PATH` which will automatically be compiled during the build process.
 //!
-//! _Warning_: When providing a different version of BoringSSL make sure to use a compatible one, the crate relies on the presence of certain functions.
+//! _Warning_: When providing a different version of BoringSSL make sure to use a compatible one, the
+//! crate relies on the presence of certain functions.
 //!
 //! ## Building with a FIPS-validated module
 //!
@@ -44,11 +52,15 @@
 //! ```
 //!
 //! ## Linking current BoringSSL version with precompiled FIPS-validated module (`bcm.o`)
+//!
 //! It's possible to link latest supported version of BoringSSL with FIPS-validated crypto module
 //! (`bcm.o`). To enable this compilation option one should enable `fips-link-precompiled`
-//! compilation feature and provide a `BORING_BSSL_PRECOMPILED_BCM_O` env variable with a path to the
+//! compilation feature and provide a `BORING_BSSL_FIPS_PRECOMPILED_BCM_O` env variable with a path to the
 //! precompiled FIPS-validated `bcm.o` module.
 //!
+//! Note that `BORING_BSSL_PRECOMPILED_BCM_O` is never used, as linking BoringSSL with precompiled non-FIPS
+//! module is not supported.
+//!
 //! # Optional patches
 //!
 //! ## Raw Public Key

hyper-boring/Cargo.toml

@@ -31,12 +31,12 @@ rpk = ["tokio-boring/rpk"]
 # Enables experimental post-quantum crypto (https://blog.cloudflare.com/post-quantum-for-all/)
 pq-experimental = ["tokio-boring/pq-experimental"]
 
-# Disables git patching of the BoringSSL sources for features like `rpk` and `pq-experimental`, but
-# keeps the related Rust API. 
+# Disables git patching of the BoringSSL sources for features like `rpk` and `pq-experimental`,
+# but keeps the related Rust API.
 # 
-# Supposed to be used with either pre-compiled BoringSSL (via `BORING_BSSL_PATH` env variable) or 
-# with custom BoringSSL sources (via `BORING_BSSL_SOURCE_PATH` env variable) already containing 
-# required patches.
+# Supposed to be used with either pre-compiled BoringSSL (via `BORING_BSSL{,_FIPS}_PATH` env
+# variable) or with custom BoringSSL sources (via `BORING_BSSL{,_FIPS}_SOURCE_PATH` env variable)
+# already containing required patches.
 no-patches = ["tokio-boring/no-patches"]
 
 

tokio-boring/Cargo.toml

@@ -28,12 +28,12 @@ rpk = ["boring/rpk"]
 # Enables experimental post-quantum crypto (https://blog.cloudflare.com/post-quantum-for-all/)
 pq-experimental = ["boring/pq-experimental"]
 
-# Disables git patching of the BoringSSL sources for features like `rpk` and `pq-experimental`, but
-# keeps the related Rust API. 
+# Disables git patching of the BoringSSL sources for features like `rpk` and `pq-experimental`,
+# but keeps the related Rust API.
 # 
-# Supposed to be used with either pre-compiled BoringSSL (via `BORING_BSSL_PATH` env variable) or 
-# with custom BoringSSL sources (via `BORING_BSSL_SOURCE_PATH` env variable) already containing 
-# required patches.
+# Supposed to be used with either pre-compiled BoringSSL (via `BORING_BSSL{,_FIPS}_PATH` env
+# variable) or  with custom BoringSSL sources (via `BORING_BSSL{,_FIPS}_SOURCE_PATH` env variable)
+# already containing required patches.
 no-patches = ["boring/no-patches"]
 
 [dependencies]