Clean-up legacy FIPS options

Per BoringSSL's FIPS policy, its `main` branch is the "update branch"
for FedRAMP compliance's purposes.

This means that we can stop using a specific BoringSSL branch when
enabling FIPS, as well as a number of hacks that allowed us to build
more recent BoringSSL versions with an older pre-compiled FIPS modules.

This also required slightly updating the main BoringSSL submodule, as
the previous version had an issue when building with the FIPS option
enabled. This is turn required some changes to the PQ patch as well as
some APIs that don't seem to be exposed publicly, as well as changing
some paths in the other patches.

In order to allow a smooth upgrade of internal projects, the `fips-compat`
feature is reduced in scope and renamed to `legacy-compat-deprecated` so
that we can incrementally upgrade internal BoringSSL forks. In practice
this shouldn't really be something anyone else would need, since in
order to work it requires a specific mix of BoringSSL version and
backported patches.

Author: ghedo

.github/workflows/ci.yml

@@ -18,8 +18,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - name: Install Rust
-        run: rustup update stable && rustup default stable
+      - name: Install stable toolchain
+        uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: stable
+          components: rustfmt
       - name: Check formatting
         run: cargo fmt --all -- --check
 
@@ -30,8 +33,11 @@ jobs:
       - uses: actions/checkout@v4
         with:
           submodules: 'recursive'
-      - name: Install Rust
-        run: rustup update stable && rustup default stable
+      - name: Install stable toolchain
+        uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: stable
+          components: clippy
       - name: Get rust version
         id: rust-version
         run: echo "::set-output name=version::$(rustc --version)"
@@ -201,6 +207,10 @@ jobs:
       run: rustup update ${{ matrix.rust }} --no-self-update && rustup default ${{ matrix.rust }}
       shell: bash
     - run: rustup target add ${{ matrix.target }}
+    - name: Install golang
+      uses: actions/setup-go@v5
+      with:
+        go-version: '>=1.22.0'
     - name: Install target-specific APT dependencies
       if: "matrix.apt_packages != ''"
       run: sudo apt update && sudo apt install -y ${{ matrix.apt_packages }}
@@ -254,18 +264,10 @@ jobs:
     - name: Install Rust (rustup)
       run: rustup update stable --no-self-update && rustup default stable
       shell: bash
-    - name: Install Clang-12
-      uses: KyleMayes/install-llvm-action@v1
-      with:
-        version: "12.0.0"
-        directory: ${{ runner.temp }}/llvm
     - name: Install golang
       uses: actions/setup-go@v5
       with:
         go-version: '>=1.22.0'
-    - name: Add clang++-12 link
-      working-directory: ${{ runner.temp }}/llvm/bin
-      run: ln -s clang clang++-12
     - name: Run tests
       run: cargo test --features fips
     - name: Test boring-sys cargo publish (FIPS)
@@ -295,6 +297,10 @@ jobs:
     - name: Install Rust (rustup)
       run: rustup update stable --no-self-update && rustup default stable && rustup target add ${{ matrix.target }}
       shell: bash
+    - name: Install golang
+      uses: actions/setup-go@v5
+      with:
+        go-version: '>=1.22.0'
     - name: Install ${{ matrix.target }} toolchain
       run: brew tap messense/macos-cross-toolchains && brew install ${{ matrix.target }}
     - name: Set BORING_BSSL_SYSROOT

.gitmodules

@@ -2,6 +2,3 @@
 	path = boring-sys/deps/boringssl
 	url = https://github.com/google/boringssl.git
 	ignore = dirty
-[submodule "boring-sys/deps/boringssl-fips"]
-	path = boring-sys/deps/boringssl-fips
-	url = https://github.com/google/boringssl.git

boring-sys/Cargo.toml

@@ -18,35 +18,22 @@ include = [
     "/*.toml",
     "/LICENSE-MIT",
     "/cmake/*.cmake",
-    # boringssl (non-FIPS)
-    "/deps/boringssl/src/util/32-bit-toolchain.cmake",
     "/deps/boringssl/**/*.[chS]",
     "/deps/boringssl/**/*.asm",
-    "/deps/boringssl/sources.json",
-    "/deps/boringssl/src/crypto/obj/obj_mac.num",
-    "/deps/boringssl/src/crypto/obj/objects.txt",
+    "/deps/boringssl/**/*.pl",
+    "/deps/boringssl/**/*.go",
+    "/deps/boringssl/**/*.cmake",
+    "/deps/boringssl/**/go.mod",
+    "/deps/boringssl/**/go.sum",
+    "/deps/boringssl/crypto/obj/obj_mac.num",
+    "/deps/boringssl/crypto/obj/objects.txt",
+    "/deps/boringssl/crypto/err/*.errordata",
     "/deps/boringssl/**/*.bzl",
-    "/deps/boringssl/src/**/*.cc",
+    "/deps/boringssl/**/*.cc",
     "/deps/boringssl/**/CMakeLists.txt",
     "/deps/boringssl/**/sources.cmake",
+    "/deps/boringssl/**/util/go_tests.txt",
     "/deps/boringssl/LICENSE",
-    # boringssl (FIPS)
-    "/deps/boringssl-fips/src/util/32-bit-toolchain.cmake",
-    "/deps/boringssl-fips/**/*.[chS]",
-    "/deps/boringssl-fips/**/*.asm",
-    "/deps/boringssl-fips/**/*.pl",
-    "/deps/boringssl-fips/**/*.go",
-    "/deps/boringssl-fips/**/go.mod",
-    "/deps/boringssl-fips/**/go.sum",
-    "/deps/boringssl-fips/sources.json",
-    "/deps/boringssl-fips/crypto/obj/obj_mac.num",
-    "/deps/boringssl-fips/crypto/obj/objects.txt",
-    "/deps/boringssl-fips/crypto/err/*.errordata",
-    "/deps/boringssl-fips/**/*.bzl",
-    "/deps/boringssl-fips/**/*.cc",
-    "/deps/boringssl-fips/**/CMakeLists.txt",
-    "/deps/boringssl-fips/**/sources.cmake",
-    "/deps/boringssl-fips/LICENSE",
     "/build/*",
     "/src",
     "/patches",
@@ -65,14 +52,6 @@ rustdoc-args = ["--cfg", "docsrs"]
 # for instructions and more details on the boringssl FIPS flag.
 fips = []
 
-# Use a precompiled FIPS-validated version of BoringSSL. Meant to be used with
-# FIPS-20230428 or newer. Users must set `BORING_BSSL_FIPS_PATH` to use this
-# feature, or else the build will fail.
-fips-precompiled = []
-
-# Link with precompiled FIPS-validated `bcm.o` module.
-fips-link-precompiled = []
-
 # Enables Raw public key API (https://datatracker.ietf.org/doc/html/rfc7250)
 rpk = []
 

boring-sys/build/config.rs

@@ -16,8 +16,6 @@ pub(crate) struct Config {
 
 pub(crate) struct Features {
     pub(crate) fips: bool,
-    pub(crate) fips_precompiled: bool,
-    pub(crate) fips_link_precompiled: bool,
     pub(crate) pq_experimental: bool,
     pub(crate) rpk: bool,
     pub(crate) underscore_wildcards: bool,
@@ -27,7 +25,6 @@ pub(crate) struct Env {
     pub(crate) path: Option<PathBuf>,
     pub(crate) include_path: Option<PathBuf>,
     pub(crate) source_path: Option<PathBuf>,
-    pub(crate) precompiled_bcm_o: Option<PathBuf>,
     pub(crate) assume_patched: bool,
     pub(crate) sysroot: Option<PathBuf>,
     pub(crate) compiler_external_toolchain: Option<PathBuf>,
@@ -78,10 +75,6 @@ impl Config {
             panic!("`fips` and `rpk` features are mutually exclusive");
         }
 
-        if self.features.fips_precompiled && self.features.rpk {
-            panic!("`fips-precompiled` and `rpk` features are mutually exclusive");
-        }
-
         let is_precompiled_native_lib = self.env.path.is_some();
         let is_external_native_lib_source =
             !is_precompiled_native_lib && self.env.source_path.is_none();
@@ -104,40 +97,26 @@ impl Config {
                 "cargo:warning=precompiled BoringSSL was provided, so patches will be ignored"
             );
         }
-
-        // todo(rmehra): should this even be a restriction? why not let people link a custom bcm.o?
-        // precompiled boringssl will include libcrypto.a
-        if is_precompiled_native_lib && self.features.fips_link_precompiled {
-            panic!("precompiled BoringSSL was provided, so FIPS configuration can't be applied");
-        }
-
-        if !is_precompiled_native_lib && self.features.fips_precompiled {
-            panic!("`fips-precompiled` feature requires `BORING_BSSL_FIPS_PATH` to be set");
-        }
     }
 }
 
 impl Features {
     fn from_env() -> Self {
         let fips = env::var_os("CARGO_FEATURE_FIPS").is_some();
-        let fips_precompiled = env::var_os("CARGO_FEATURE_FIPS_PRECOMPILED").is_some();
-        let fips_link_precompiled = env::var_os("CARGO_FEATURE_FIPS_LINK_PRECOMPILED").is_some();
         let pq_experimental = env::var_os("CARGO_FEATURE_PQ_EXPERIMENTAL").is_some();
         let rpk = env::var_os("CARGO_FEATURE_RPK").is_some();
         let underscore_wildcards = env::var_os("CARGO_FEATURE_UNDERSCORE_WILDCARDS").is_some();
 
         Self {
             fips,
-            fips_precompiled,
-            fips_link_precompiled,
             pq_experimental,
             rpk,
             underscore_wildcards,
         }
     }
 
     pub(crate) fn is_fips_like(&self) -> bool {
-        self.fips || self.fips_precompiled || self.fips_link_precompiled
+        self.fips
     }
 }
 
@@ -175,7 +154,6 @@ impl Env {
             path: boringssl_var("BORING_BSSL_PATH").map(PathBuf::from),
             include_path: boringssl_var("BORING_BSSL_INCLUDE_PATH").map(PathBuf::from),
             source_path: boringssl_var("BORING_BSSL_SOURCE_PATH").map(PathBuf::from),
-            precompiled_bcm_o: boringssl_var("BORING_BSSL_PRECOMPILED_BCM_O").map(PathBuf::from),
             assume_patched: boringssl_var("BORING_BSSL_ASSUME_PATCHED")
                 .is_some_and(|v| !v.is_empty()),
             sysroot: boringssl_var("BORING_BSSL_SYSROOT").map(PathBuf::from),