Bump boring to v5, align FIPS to SP 800-52r2, clean up features

- Bump boring/boring-sys from v4 to v5 (zero API breaks) - Merge fips/fips-only into a single fips feature that both enables FIPS-validated BoringSSL and restricts algorithms to SP 800-52r2 - Tighten FIPS KX groups to P-256 and P-384 only (aligned with boring's fips202205 compliance policy) - Remove ECDSA_P521_SHA512 from FIPS signature verification set - Simplify fips feature to forward boring/fips only (drop redundant boring-sys/fips) - Add fips-precompiled as deprecated alias matching boring's naming - Change default features to empty (TLS 1.2 now requires explicit tls12 feature opt-in) - Gate TLS 1.2 code paths properly so the crate compiles and passes tests with default (TLS 1.3 only) features - Update README to reflect current state: boring v5, feature docs, FIPS mode documentation, workspace structure
2026-04-10 12:09:47 +02:00 · 2026-04-10 12:09:47 +02:00 · 271acbb315
commit 271acbb315
parent 490340afa7
11 changed files with 273 additions and 77 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -9,10 +9,9 @@ on:
 env:
  CARGO_TERM_COLOR: always
  RUSTFLAGS: -Dwarnings
-  FEATURES: "logging,tls12"

 jobs:
-  build:
+  fmt:
    runs-on: ubuntu-latest

    steps:
@ -21,9 +20,57 @@ jobs:
      run: sudo apt-get install -y cmake clang
    - name: Check fmt
      run: make fmt
-    - name: Lint
-      run: make lint
-    - name: Tests usual
-      run: make test
-    - name: Build usual
-      run: make build
+
+  test-default:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v3
+    - name: Install dependencies
+      run: sudo apt-get install -y cmake clang
+    - name: Lint (default features)
+      run: make lint FEATURES=""
+    - name: Test (default features)
+      run: make test FEATURES=""
+    - name: Build (default features)
+      run: make build FEATURES=""
+
+  test-tls12:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v3
+    - name: Install dependencies
+      run: sudo apt-get install -y cmake clang
+    - name: Lint (tls12)
+      run: make lint FEATURES="tls12"
+    - name: Test (tls12)
+      run: make test FEATURES="tls12"
+    - name: Build (tls12)
+      run: make build FEATURES="tls12"
+
+  test-logging-tls12:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v3
+    - name: Install dependencies
+      run: sudo apt-get install -y cmake clang
+    - name: Lint (logging,tls12)
+      run: make lint FEATURES="logging,tls12"
+    - name: Test (logging,tls12)
+      run: make test FEATURES="logging,tls12"
+    - name: Build (logging,tls12)
+      run: make build FEATURES="logging,tls12"
+
+  check-fips:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v3
+    - name: Install dependencies
+      run: sudo apt-get install -y cmake clang
+    - name: Check (fips)
+      run: cargo check -p boring-rustls-provider --all-targets --features fips
+    - name: Check (fips-precompiled)
+      run: cargo check -p boring-rustls-provider --all-targets --features fips-precompiled