Remove 'boringssl-vendored' feature

Author: cjpatton

.github/workflows/nightly.yml

@@ -25,8 +25,6 @@ jobs:
     steps:
       - name: Checkout sources
         uses: actions/checkout@v4
-        with:
-          submodules: 'recursive'
 
       - name: Install nightly toolchain
         uses: dtolnay/rust-toolchain@master
@@ -66,14 +64,21 @@ jobs:
 
   fuzz:
     runs-on: ubuntu-latest
+    # `quiche-fuzz` calls `RAND_reset_for_fuzzing`, which BoringSSL only
+    # exports when built with `FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION`.
+    # `boring-sys` doesn't expose a feature for that, but cmake-rs (via
+    # cc-rs) honors `CFLAGS`/`CXXFLAGS`/`ASMFLAGS`, so inject the define
+    # there. This forces a from-scratch BoringSSL build with the
+    # fuzzer-mode RNG path enabled.
+    env:
+      CFLAGS: "-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION"
+      CXXFLAGS: "-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION"
     # Only run on "pull_request" event for external PRs. This is to avoid
     # duplicate builds for PRs created from internal branches.
     if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name != github.repository
     steps:
       - name: Checkout sources
         uses: actions/checkout@v4
-        with:
-          submodules: 'recursive'
 
       - name: Install nightly toolchain
         uses: dtolnay/rust-toolchain@master
@@ -100,8 +105,6 @@ jobs:
     steps:
       - name: Checkout sources
         uses: actions/checkout@v4
-        with:
-          submodules: 'recursive'
 
       - name: Install nightly toolchain
         uses: dtolnay/rust-toolchain@master
@@ -119,8 +122,6 @@ jobs:
     steps:
       - name: Checkout sources
         uses: actions/checkout@v4
-        with:
-          submodules: 'recursive'
 
       - name: Install nightly toolchain
         uses: dtolnay/rust-toolchain@master

.github/workflows/stable.yml

@@ -22,7 +22,6 @@ jobs:
     strategy:
       matrix:
         tls-feature:
-          - "" # default, boringssl-vendored
           - "boringssl-boring-crate"
           - "openssl"
     # Only run on "pull_request" event for external PRs. This is to avoid
@@ -31,8 +30,6 @@ jobs:
     steps:
       - name: Checkout sources
         uses: actions/checkout@v4
-        with:
-          submodules: 'recursive'
 
       - name: Install stable toolchain
         uses: dtolnay/rust-toolchain@master
@@ -46,7 +43,7 @@ jobs:
           sudo apt-get install libexpat1-dev libfreetype6-dev libfontconfig1-dev
 
       - name: Unused dependency check
-        if: ${{ matrix.tls-feature == '' }}
+        if: ${{ matrix.tls-feature == 'boringssl-boring-crate' }}
         uses: bnjbvr/cargo-machete@main
 
       - name: Build OpenSSL
@@ -65,10 +62,12 @@ jobs:
         run: cargo test --verbose --all-targets --features=${{ matrix.tls-feature }} ${{ env.DEFAULT_OPTIONS }}
 
       # tokio-quiche requires the `boring` crate, so don't run its tests when
-      # building without it.
+      # building without it. `--no-default-features` disables the
+      # `boringssl-boring-crate` default so the openssl backend is the only
+      # TLS backend in the build.
       - name: Run cargo test
         if: ${{ matrix.tls-feature != 'boringssl-boring-crate' }}
-        run: cargo test --verbose --all-targets --features=${{ matrix.tls-feature }} ${{ env.NO_BORING_OPTIONS }}
+        run: cargo test --verbose --all-targets --no-default-features --features=${{ matrix.tls-feature }} ${{ env.NO_BORING_OPTIONS }}
 
       # Need to run doc tests separately.
       # (https://github.com/rust-lang/cargo/issues/6669)
@@ -80,10 +79,12 @@ jobs:
       # (https://github.com/rust-lang/cargo/issues/6669)
       #
       # tokio-quiche requires the `boring` crate, so don't run its tests when
-      # building without it.
+      # building without it. `--no-default-features` disables the
+      # `boringssl-boring-crate` default so the openssl backend is the only
+      # TLS backend in the build.
       - name: Run cargo doc test
         if: ${{ matrix.tls-feature != 'boringssl-boring-crate' }}
-        run: cargo test --verbose --doc --features=${{ matrix.tls-feature }} ${{ env.NO_BORING_OPTIONS }}
+        run: cargo test --verbose --doc --no-default-features --features=${{ matrix.tls-feature }} ${{ env.NO_BORING_OPTIONS }}
 
       # NOTE: this is disabled as it fails when building changes that bump
       # version of local crates (e.g. when doing a `qlog` release) that have not
@@ -92,12 +93,22 @@ jobs:
       # - name: Run cargo package
       #   run: cargo package --verbose --workspace --exclude=quiche_apps --allow-dirty
 
-      - name: Run cargo clippy
+      - name: Run cargo clippy (boring)
+        if: ${{ matrix.tls-feature == 'boringssl-boring-crate' }}
         run: cargo clippy --features=${{ matrix.tls-feature }} ${{ env.DEFAULT_OPTIONS }} -- -D warnings
 
-      - name: Run cargo clippy on examples
+      - name: Run cargo clippy
+        if: ${{ matrix.tls-feature != 'boringssl-boring-crate' }}
+        run: cargo clippy --no-default-features --features=${{ matrix.tls-feature }} ${{ env.NO_BORING_OPTIONS }} -- -D warnings
+
+      - name: Run cargo clippy on examples (boring)
+        if: ${{ matrix.tls-feature == 'boringssl-boring-crate' }}
         run: cargo clippy --examples --features=${{ matrix.tls-feature }} ${{ env.DEFAULT_OPTIONS }} -- -D warnings
 
+      - name: Run cargo clippy on examples
+        if: ${{ matrix.tls-feature != 'boringssl-boring-crate' }}
+        run: cargo clippy --examples --no-default-features --features=${{ matrix.tls-feature }} ${{ env.NO_BORING_OPTIONS }} -- -D warnings
+
       - name: Run cargo doc
         run: cargo doc --no-deps --all-features --document-private-items
 
@@ -119,8 +130,6 @@ jobs:
     steps:
       - name: Checkout sources
         uses: actions/checkout@v4
-        with:
-          submodules: 'recursive'
 
       - name: Install stable toolchain
         uses: dtolnay/rust-toolchain@master
@@ -148,8 +157,6 @@ jobs:
     steps:
       - name: Checkout sources
         uses: actions/checkout@v4
-        with:
-          submodules: 'recursive'
 
       - name: Install stable toolchain
         uses: dtolnay/rust-toolchain@master
@@ -192,8 +199,6 @@ jobs:
     steps:
       - name: Checkout sources
         uses: actions/checkout@v4
-        with:
-          submodules: 'recursive'
 
       - name: Install stable toolchain
         uses: dtolnay/rust-toolchain@master
@@ -275,8 +280,6 @@ jobs:
     steps:
       - name: Checkout sources
         uses: actions/checkout@v4
-        with:
-          submodules: 'recursive'
 
       - name: Install stable toolchain
         uses: dtolnay/rust-toolchain@master
@@ -290,7 +293,7 @@ jobs:
         run: cargo-binstall -y cross
 
       - name: Run cargo test using cross
-        run: cross test --target=${{ matrix.target }} --verbose --all-targets ${{ env.NO_BORING_OPTIONS }} --exclude qlog-dancer
+        run: cross test --target=${{ matrix.target }} --verbose --all-targets ${{ env.NO_BORING_OPTIONS }} --exclude qlog-dancer --features=boringssl-boring-crate
 
   http3_test:
     runs-on: ubuntu-latest
@@ -300,8 +303,6 @@ jobs:
     steps:
       - name: Checkout sources
         uses: actions/checkout@v4
-        with:
-          submodules: 'recursive'
 
       - name: Install stable toolchain
         uses: dtolnay/rust-toolchain@master
@@ -323,8 +324,6 @@ jobs:
     steps:
       - name: Checkout sources
         uses: actions/checkout@v4
-        with:
-          submodules: 'recursive'
 
       - name: Build Docker images
         run: make docker-build
@@ -351,8 +350,6 @@ jobs:
     steps:
       - name: Checkout sources
         uses: actions/checkout@v4
-        with:
-          submodules: 'recursive'
 
       - name: Install stable toolchain for the target
         uses: dtolnay/rust-toolchain@master

.gitmodules

@@ -98,7 +98,7 @@ quiche  datagram-socket  qlog-dancer        (Layer 1)
 ## FEATURE FLAGS
 
 ```
-quiche:        default=boringssl-vendored | boringssl-boring-crate | openssl
+quiche:        default=boringssl-boring-crate | openssl
                qlog, gcongestion, internal, ffi, fuzzing, sfv, custom-client-dcid
 tokio-quiche:  fuzzing, quiche_internal, gcongestion, zero-copy, rpk
                (hardcodes: quiche/boringssl-boring-crate + quiche/qlog)
@@ -109,12 +109,12 @@ h3i:           async (enables tokio-quiche dependency)
 
 ```bash
 # Dev
-cargo build                                           # build workspace (vendored BoringSSL)
+cargo build                                           # build workspace (BoringSSL via boring crate)
 cargo test --all-targets --features=async,ffi,qlog --workspace  # full test suite
 cargo test --doc --features=async,ffi,qlog --workspace          # doc tests (separate!)
 
 # Lint
-cargo clippy --features=boringssl-vendored --workspace -- -D warnings
+cargo clippy --features=boringssl-boring-crate --workspace -- -D warnings
 cargo +nightly fmt -- --check                                  
 
 # Fuzz
@@ -126,10 +126,9 @@ make docker-build                                     # quiche-base + quiche-qns
 
 ## NOTES
 
-- **Git submodules required**: `git submodule update --init --recursive` for BoringSSL.
 - **MSRV 1.85**: `rust-version` field in Cargo.toml.
 - **Doc tests are separate**: `cargo test --all-targets` does NOT run doc tests (cargo#6669).
-- **`QUICHE_BSSL_PATH`**: env var to skip vendored BoringSSL build (use pre-built).
+- **BoringSSL via boring crate**: `boring-sys` vendors and builds BoringSSL itself (cmake required).
 - **`RUSTFLAGS="-D warnings"`**: CI enforces; all warnings are errors.
 - **Cargo.lock is gitignored** (library project).
 - **Dual CI**: GitHub Actions (real) + GitLab CI (no-op stub).

AGENTS.md

@@ -56,7 +56,11 @@ octets = { version = "0.3.5", path = "./octets" }
 parking_lot = { version = "0.12.1", default-features = false }
 pin-project = { version = "1.0.12" }
 qlog = { version = "0.17.0", path = "./qlog" }
-quiche = { version = "0.28.0", path = "./quiche" }
+# `default-features = false` so that workspace members can each pick the
+# TLS backend they want via their own feature flags. Members that want
+# the default backend (`boringssl-boring-crate`) opt back in by adding
+# `boringssl-boring-crate` to their feature list.
+quiche = { version = "0.28.0", path = "./quiche", default-features = false }
 regex = { version = "1.4.2" }
 ring = { version = "0.17.8" }
 rstest = { version = "0.26.1" }

Cargo.toml

@@ -27,3 +27,14 @@ pre-build = [
     "ln -sf /usr/bin/gcc /usr/local/bin/i686-linux-gnu-gcc",
     "ln -sf /usr/bin/g++ /usr/local/bin/i686-linux-gnu-g++",
 ]
+
+# BoringSSL's x86 assembly requires SSE2. `boring-sys`'s cmake build
+# doesn't add `-msse2` for i686 targets, so inject it via the
+# target-scoped `CFLAGS`/`CXXFLAGS` env vars. `cc-rs` (and through it,
+# `cmake-rs`) honors these and passes them along to BoringSSL's cmake
+# build.
+[target.i686-unknown-linux-gnu.env]
+passthrough = [
+    "CFLAGS_i686_unknown_linux_gnu=-msse2 -mfpmath=sse",
+    "CXXFLAGS_i686_unknown_linux_gnu=-msse2 -mfpmath=sse",
+]

Cross.toml

@@ -15,7 +15,10 @@ COPY quiche/ ./quiche/
 COPY task-killswitch ./task-killswitch/
 COPY tokio-quiche ./tokio-quiche/
 
-RUN apt-get update && apt-get install -y cmake && rm -rf /var/lib/apt/lists/*
+# `cmake` and `clang` are needed by `boring-sys`: it builds BoringSSL via
+# cmake and runs `bindgen` (which loads `libclang`) to generate FFI
+# bindings.
+RUN apt-get update && apt-get install -y cmake clang && rm -rf /var/lib/apt/lists/*
 
 RUN cargo build --release --manifest-path apps/Cargo.toml
 

Dockerfile

@@ -312,7 +312,7 @@ Once the Rust build environment is setup, the quiche source code can be fetched
 using git:
 
 ```bash
- $ git clone --recursive https://github.com/cloudflare/quiche
+ $ git clone https://github.com/cloudflare/quiche
 ```
 
 and then built using cargo:
@@ -327,27 +327,18 @@ cargo can also be used to run the testsuite:
  $ cargo test
 ```
 
-Note that [BoringSSL], which is used to implement QUIC's cryptographic handshake
-based on TLS, needs to be built and linked to quiche. This is done automatically
-when building quiche using cargo, but requires the `cmake` command to be
-available during the build process. On Windows you also need
-[NASM](https://www.nasm.us/). The [official BoringSSL
-documentation](https://github.com/google/boringssl/blob/master/BUILDING.md) has
-more details.
-
-In alternative you can use your own custom build of BoringSSL by configuring
-the BoringSSL directory with the ``QUICHE_BSSL_PATH`` environment variable:
-
-```bash
- $ QUICHE_BSSL_PATH="/path/to/boringssl" cargo build --examples
-```
+[BoringSSL], which is used to implement QUIC's cryptographic handshake based on
+TLS, is provided by the [boring] crate, which vendors and builds its own copy
+of BoringSSL automatically when building quiche using cargo.
 
 Alternatively you can use [OpenSSL/quictls]. To enable quiche to use this vendor
 the ``openssl`` feature can be added to the ``--feature`` list. Be aware that
 ``0-RTT`` is not supported if this vendor is used.
 
 [BoringSSL]: https://boringssl.googlesource.com/boringssl/
 
+[boring]: https://crates.io/crates/boring
+
 [OpenSSL/quictls]: https://github.com/quictls/openssl
 
 ### Building for Android

README.md

@@ -19,10 +19,13 @@ qlog = ["quiche/qlog"]
 # Use BoringSSL provided by the boring crate.
 boringssl-boring-crate = ["quiche/boringssl-boring-crate"]
 
+# Use OpenSSL/quictls.
+openssl = ["quiche/openssl"]
+
 # Enable sfv support.
 sfv = ["quiche/sfv"]
 
-default = ["qlog", "sfv"]
+default = ["qlog", "sfv", "boringssl-boring-crate"]
 
 [dependencies]
 docopt = "1"

apps/Cargo.toml

@@ -25,7 +25,7 @@ mio = { workspace = true, features = ["net", "os-poll"] }
 multimap = "0.10"
 octets = { workspace = true }
 qlog = { workspace = true }
-quiche = { features = ["internal", "qlog"], workspace = true }
+quiche = { features = ["boringssl-boring-crate", "internal", "qlog"], workspace = true }
 ring = { workspace = true }
 serde = { workspace = true }
 serde_json = { workspace = true }