Update boringssl-fips to fips-20220613 tag
#214
Draft
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This lets us customize the Ssl of each connection, like set_callback which lets us customize the ConnectConfiguration a step earlier.
For now it has a single associated constant, X509Flags::TRUSTED_FIRST.
This feature expects a recent boringssl checkout (such as the one found in boring-sys/deps/boringssl), so it should not be using the same bindings as the fips feature, which are based on boring-sys/deps/boringssl-fips, which is older and with a different API.
Rebase against upstream master
Ninja is a required build component, as per the BoringSSL build directions. Using Ninja will also fix this error: > clang-12: error: no such file or directory: 'MAKE_ASM_FLAGS' PR is mostly cribbed from cloudflare#76.
Use Ninja to build BoringSSL
* BoringCrypto just installs the latest Clang 14.0.x release, so match * Install Ninja for CI to pass * Only require Ninja for FIPS builds (FIPS build requires Ninja) * Bump actions/* versions to address EOL warnings Should consider requiring Ninja for all builds, as per cloudflare#76, as upstream recommends it.
ibeckermayer
force-pushed
the
reed/fips-20220613
branch
from
1db54d2
to
28b12c1
Compare
The SSL_CTX_set_compliance_policy and ssl_compliance_policy_t apis are not available in the fips validated hash of the boringssl library (boring-sys/deps/boringssl-fips). This adds back the feature gate for these apis.
ibeckermayer
force-pushed
the
reed/fips-20220613
branch
6 times, most recently
from
f178d8d
to
48f8c67
Compare
ibeckermayer
force-pushed
the
reed/fips-20220613
branch
11 times, most recently
from
ccd7808
to
6fb6a1e
Compare
ibeckermayer
force-pushed
the
reed/fips-20220613
branch
from
6fb6a1e
to
83055ff
Compare
|
I just wanted to let you know that the tag referenced in this PR now has a CMVP certificate in case it was a pre-req for this moving forward |
5 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Go's BoringCrypto has moved to using BoringSSL's
fips-20220613tag.Swap to using the same tag, which requires using Clang 14.0.x and Ninja.
This also enables the FIPS compliance policy by default when in FIPS mode.
Fixes #203.