Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update boringssl-fips to fips-20220613 tag #214

Draft
wants to merge 24 commits into
base: master
Choose a base branch
from

Conversation

reedloden
Copy link

Go's BoringCrypto has moved to using BoringSSL's fips-20220613 tag.

Swap to using the same tag, which requires using Clang 14.0.x and Ninja.

This also enables the FIPS compliance policy by default when in FIPS mode.

Fixes #203.

jentfoo and others added 21 commits January 2, 2024 16:05
This lets us customize the Ssl of each connection,
like set_callback which lets us customize the ConnectConfiguration
a step earlier.
For now it has a single associated constant, X509Flags::TRUSTED_FIRST.
This feature expects a recent boringssl checkout (such as the one
found in boring-sys/deps/boringssl), so it should not be using
the same bindings as the fips feature, which are based on
boring-sys/deps/boringssl-fips, which is older and with a different
API.
Ninja is a required build component, as per the BoringSSL build directions.

Using Ninja will also fix this error:
> clang-12: error: no such file or directory: 'MAKE_ASM_FLAGS'

PR is mostly cribbed from cloudflare#76.
* BoringCrypto just installs the latest Clang 14.0.x release, so match
* Install Ninja for CI to pass
* Only require Ninja for FIPS builds (FIPS build requires Ninja)
* Bump actions/* versions to address EOL warnings

Should consider requiring Ninja for all builds, as per cloudflare#76, as upstream
recommends it.
Isaiah Becker-Mayer added 2 commits January 23, 2024 12:24
The SSL_CTX_set_compliance_policy and ssl_compliance_policy_t apis are not
available in the fips validated hash of the boringssl library (boring-sys/deps/boringssl-fips).
This adds back the feature gate for these apis.
@ibeckermayer ibeckermayer force-pushed the reed/fips-20220613 branch 6 times, most recently from f178d8d to 48f8c67 Compare January 24, 2024 20:45
@ibeckermayer ibeckermayer force-pushed the reed/fips-20220613 branch 11 times, most recently from ccd7808 to 6fb6a1e Compare January 24, 2024 23:32
@pmerrison
Copy link

I just wanted to let you know that the tag referenced in this PR now has a CMVP certificate in case it was a pre-req for this moving forward

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Bump BoringSSL version to fips-20220613 to match upstream Go
6 participants