Remove 'boringssl-vendored' feature

Author: cjpatton

.github/workflows/nightly.yml

@@ -25,8 +25,6 @@ jobs:
     steps:
       - name: Checkout sources
         uses: actions/checkout@v4
-        with:
-          submodules: 'recursive'
 
       - name: Install nightly toolchain
         uses: dtolnay/rust-toolchain@master
@@ -66,14 +64,21 @@ jobs:
 
   fuzz:
     runs-on: ubuntu-latest
+    # `quiche-fuzz` calls `RAND_reset_for_fuzzing`, which BoringSSL only
+    # exports when built with `FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION`.
+    # `boring-sys` doesn't expose a feature for that, but cmake-rs (via
+    # cc-rs) honors `CFLAGS`/`CXXFLAGS`/`ASMFLAGS`, so inject the define
+    # there. This forces a from-scratch BoringSSL build with the
+    # fuzzer-mode RNG path enabled.
+    env:
+      CFLAGS: "-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION"
+      CXXFLAGS: "-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION"
     # Only run on "pull_request" event for external PRs. This is to avoid
     # duplicate builds for PRs created from internal branches.
     if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name != github.repository
     steps:
       - name: Checkout sources
         uses: actions/checkout@v4
-        with:
-          submodules: 'recursive'
 
       - name: Install nightly toolchain
         uses: dtolnay/rust-toolchain@master
@@ -100,8 +105,6 @@ jobs:
     steps:
       - name: Checkout sources
         uses: actions/checkout@v4
-        with:
-          submodules: 'recursive'
 
       - name: Install nightly toolchain
         uses: dtolnay/rust-toolchain@master
@@ -119,8 +122,6 @@ jobs:
     steps:
       - name: Checkout sources
         uses: actions/checkout@v4
-        with:
-          submodules: 'recursive'
 
       - name: Install nightly toolchain
         uses: dtolnay/rust-toolchain@master

.github/workflows/stable.yml

@@ -22,7 +22,6 @@ jobs:
     strategy:
       matrix:
         tls-feature:
-          - "" # default, boringssl-vendored
           - "boringssl-boring-crate"
           - "openssl"
     # Only run on "pull_request" event for external PRs. This is to avoid
@@ -31,8 +30,6 @@ jobs:
     steps:
       - name: Checkout sources
         uses: actions/checkout@v4
-        with:
-          submodules: 'recursive'
 
       - name: Install stable toolchain
         uses: dtolnay/rust-toolchain@master
@@ -46,7 +43,7 @@ jobs:
           sudo apt-get install libexpat1-dev libfreetype6-dev libfontconfig1-dev
 
       - name: Unused dependency check
-        if: ${{ matrix.tls-feature == '' }}
+        if: ${{ matrix.tls-feature == 'boringssl-boring-crate' }}
         uses: bnjbvr/cargo-machete@main
 
       - name: Build OpenSSL
@@ -65,10 +62,12 @@ jobs:
         run: cargo test --verbose --all-targets --features=${{ matrix.tls-feature }} ${{ env.DEFAULT_OPTIONS }}
 
       # tokio-quiche requires the `boring` crate, so don't run its tests when
-      # building without it.
+      # building without it. `--no-default-features` disables the
+      # `boringssl-boring-crate` default so the openssl backend is the only
+      # TLS backend in the build.
       - name: Run cargo test
         if: ${{ matrix.tls-feature != 'boringssl-boring-crate' }}
-        run: cargo test --verbose --all-targets --features=${{ matrix.tls-feature }} ${{ env.NO_BORING_OPTIONS }}
+        run: cargo test --verbose --all-targets --no-default-features --features=${{ matrix.tls-feature }} ${{ env.NO_BORING_OPTIONS }}
 
       # Need to run doc tests separately.
       # (https://github.com/rust-lang/cargo/issues/6669)
@@ -80,10 +79,12 @@ jobs:
       # (https://github.com/rust-lang/cargo/issues/6669)
       #
       # tokio-quiche requires the `boring` crate, so don't run its tests when
-      # building without it.
+      # building without it. `--no-default-features` disables the
+      # `boringssl-boring-crate` default so the openssl backend is the only
+      # TLS backend in the build.
       - name: Run cargo doc test
         if: ${{ matrix.tls-feature != 'boringssl-boring-crate' }}
-        run: cargo test --verbose --doc --features=${{ matrix.tls-feature }} ${{ env.NO_BORING_OPTIONS }}
+        run: cargo test --verbose --doc --no-default-features --features=${{ matrix.tls-feature }} ${{ env.NO_BORING_OPTIONS }}
 
       # NOTE: this is disabled as it fails when building changes that bump
       # version of local crates (e.g. when doing a `qlog` release) that have not
@@ -93,11 +94,21 @@ jobs:
       #   run: cargo package --verbose --workspace --exclude=quiche_apps --allow-dirty
 
       - name: Run cargo clippy
+        if: ${{ matrix.tls-feature == 'boringssl-boring-crate' }}
         run: cargo clippy --features=${{ matrix.tls-feature }} ${{ env.DEFAULT_OPTIONS }} -- -D warnings
 
+      - name: Run cargo clippy
+        if: ${{ matrix.tls-feature != 'boringssl-boring-crate' }}
+        run: cargo clippy --no-default-features --features=${{ matrix.tls-feature }} ${{ env.NO_BORING_OPTIONS }} -- -D warnings
+
       - name: Run cargo clippy on examples
+        if: ${{ matrix.tls-feature == 'boringssl-boring-crate' }}
         run: cargo clippy --examples --features=${{ matrix.tls-feature }} ${{ env.DEFAULT_OPTIONS }} -- -D warnings
 
+      - name: Run cargo clippy on examples
+        if: ${{ matrix.tls-feature != 'boringssl-boring-crate' }}
+        run: cargo clippy --examples --no-default-features --features=${{ matrix.tls-feature }} ${{ env.NO_BORING_OPTIONS }} -- -D warnings
+
       - name: Run cargo doc
         run: cargo doc --no-deps --all-features --document-private-items
 
@@ -119,8 +130,6 @@ jobs:
     steps:
       - name: Checkout sources
         uses: actions/checkout@v4
-        with:
-          submodules: 'recursive'
 
       - name: Install stable toolchain
         uses: dtolnay/rust-toolchain@master
@@ -148,8 +157,6 @@ jobs:
     steps:
       - name: Checkout sources
         uses: actions/checkout@v4
-        with:
-          submodules: 'recursive'
 
       - name: Install stable toolchain
         uses: dtolnay/rust-toolchain@master
@@ -192,8 +199,6 @@ jobs:
     steps:
       - name: Checkout sources
         uses: actions/checkout@v4
-        with:
-          submodules: 'recursive'
 
       - name: Install stable toolchain
         uses: dtolnay/rust-toolchain@master
@@ -275,8 +280,6 @@ jobs:
     steps:
       - name: Checkout sources
         uses: actions/checkout@v4
-        with:
-          submodules: 'recursive'
 
       - name: Install stable toolchain
         uses: dtolnay/rust-toolchain@master
@@ -290,7 +293,7 @@ jobs:
         run: cargo-binstall -y cross
 
       - name: Run cargo test using cross
-        run: cross test --target=${{ matrix.target }} --verbose --all-targets ${{ env.NO_BORING_OPTIONS }} --exclude qlog-dancer
+        run: cross test --target=${{ matrix.target }} --verbose --all-targets ${{ env.NO_BORING_OPTIONS }} --exclude qlog-dancer --features=boringssl-boring-crate
 
   http3_test:
     runs-on: ubuntu-latest
@@ -300,8 +303,6 @@ jobs:
     steps:
       - name: Checkout sources
         uses: actions/checkout@v4
-        with:
-          submodules: 'recursive'
 
       - name: Install stable toolchain
         uses: dtolnay/rust-toolchain@master
@@ -323,8 +324,6 @@ jobs:
     steps:
       - name: Checkout sources
         uses: actions/checkout@v4
-        with:
-          submodules: 'recursive'
 
       - name: Build Docker images
         run: make docker-build
@@ -351,8 +350,6 @@ jobs:
     steps:
       - name: Checkout sources
         uses: actions/checkout@v4
-        with:
-          submodules: 'recursive'
 
       - name: Install stable toolchain for the target
         uses: dtolnay/rust-toolchain@master

.gitmodules

@@ -98,7 +98,7 @@ quiche  datagram-socket  qlog-dancer        (Layer 1)
 ## FEATURE FLAGS
 
 ```
-quiche:        default=boringssl-vendored | boringssl-boring-crate | openssl
+quiche:        default=boringssl-boring-crate | openssl
                qlog, gcongestion, internal, ffi, fuzzing, sfv, custom-client-dcid
 tokio-quiche:  fuzzing, quiche_internal, gcongestion, zero-copy, rpk
                (hardcodes: quiche/boringssl-boring-crate + quiche/qlog)
@@ -109,12 +109,12 @@ h3i:           async (enables tokio-quiche dependency)
 
 ```bash
 # Dev
-cargo build                                           # build workspace (vendored BoringSSL)
+cargo build                                           # build workspace (BoringSSL via boring crate)
 cargo test --all-targets --features=async,ffi,qlog --workspace  # full test suite
 cargo test --doc --features=async,ffi,qlog --workspace          # doc tests (separate!)
 
 # Lint
-cargo clippy --features=boringssl-vendored --workspace -- -D warnings
+cargo clippy --features=boringssl-boring-crate --workspace -- -D warnings
 cargo +nightly fmt -- --check                                  
 
 # Fuzz
@@ -126,10 +126,9 @@ make docker-build                                     # quiche-base + quiche-qns
 
 ## NOTES
 
-- **Git submodules required**: `git submodule update --init --recursive` for BoringSSL.
 - **MSRV 1.85**: `rust-version` field in Cargo.toml.
 - **Doc tests are separate**: `cargo test --all-targets` does NOT run doc tests (cargo#6669).
-- **`QUICHE_BSSL_PATH`**: env var to skip vendored BoringSSL build (use pre-built).
+- **BoringSSL via boring crate**: `boring-sys` vendors and builds BoringSSL itself (cmake required).
 - **`RUSTFLAGS="-D warnings"`**: CI enforces; all warnings are errors.
 - **Cargo.lock is gitignored** (library project).
 - **Dual CI**: GitHub Actions (real) + GitLab CI (no-op stub).

AGENTS.md

@@ -27,3 +27,14 @@ pre-build = [
     "ln -sf /usr/bin/gcc /usr/local/bin/i686-linux-gnu-gcc",
     "ln -sf /usr/bin/g++ /usr/local/bin/i686-linux-gnu-g++",
 ]
+
+# BoringSSL's x86 assembly requires SSE2. `boring-sys`'s cmake build
+# doesn't add `-msse2` for i686 targets, so inject it via the
+# target-scoped `CFLAGS`/`CXXFLAGS` env vars. `cc-rs` (and through it,
+# `cmake-rs`) honors these and passes them along to BoringSSL's cmake
+# build.
+[target.i686-unknown-linux-gnu.env]
+passthrough = [
+    "CFLAGS_i686_unknown_linux_gnu=-msse2 -mfpmath=sse",
+    "CXXFLAGS_i686_unknown_linux_gnu=-msse2 -mfpmath=sse",
+]

Cross.toml

@@ -15,7 +15,10 @@ COPY quiche/ ./quiche/
 COPY task-killswitch ./task-killswitch/
 COPY tokio-quiche ./tokio-quiche/
 
-RUN apt-get update && apt-get install -y cmake && rm -rf /var/lib/apt/lists/*
+# `cmake` and `clang` are needed by `boring-sys`: it builds BoringSSL via
+# cmake and runs `bindgen` (which loads `libclang`) to generate FFI
+# bindings.
+RUN apt-get update && apt-get install -y cmake clang && rm -rf /var/lib/apt/lists/*
 
 RUN cargo build --release --manifest-path apps/Cargo.toml
 

Dockerfile

@@ -312,7 +312,7 @@ Once the Rust build environment is setup, the quiche source code can be fetched
 using git:
 
 ```bash
- $ git clone --recursive https://github.com/cloudflare/quiche
+ $ git clone https://github.com/cloudflare/quiche
 ```
 
 and then built using cargo:
@@ -327,27 +327,18 @@ cargo can also be used to run the testsuite:
  $ cargo test
 ```
 
-Note that [BoringSSL], which is used to implement QUIC's cryptographic handshake
-based on TLS, needs to be built and linked to quiche. This is done automatically
-when building quiche using cargo, but requires the `cmake` command to be
-available during the build process. On Windows you also need
-[NASM](https://www.nasm.us/). The [official BoringSSL
-documentation](https://github.com/google/boringssl/blob/master/BUILDING.md) has
-more details.
-
-In alternative you can use your own custom build of BoringSSL by configuring
-the BoringSSL directory with the ``QUICHE_BSSL_PATH`` environment variable:
-
-```bash
- $ QUICHE_BSSL_PATH="/path/to/boringssl" cargo build --examples
-```
+[BoringSSL], which is used to implement QUIC's cryptographic handshake based on
+TLS, is provided by the [boring] crate, which vendors and builds its own copy
+of BoringSSL automatically when building quiche using cargo.
 
 Alternatively you can use [OpenSSL/quictls]. To enable quiche to use this vendor
 the ``openssl`` feature can be added to the ``--feature`` list. Be aware that
 ``0-RTT`` is not supported if this vendor is used.
 
 [BoringSSL]: https://boringssl.googlesource.com/boringssl/
 
+[boring]: https://crates.io/crates/boring
+
 [OpenSSL/quictls]: https://github.com/quictls/openssl
 
 ### Building for Android

README.md

@@ -35,11 +35,9 @@ src/
   minmax.rs                  Windowed min/max filter
   test_utils.rs              Pipe struct for in-memory QUIC pairs (pub via `internal` feature)
   tests.rs        (12k)      Integration tests
-  build.rs                   BoringSSL cmake build (NOTE: lives in src/, not crate root)
+  build.rs                   pkg-config / cdylib link plumbing (NOTE: lives in src/, not crate root)
 include/
   quiche.h        (1.2k)     C API header — mirrors ffi.rs
-deps/
-  boringssl/                 Git submodule
 ```
 
 ## WHERE TO LOOK
@@ -53,7 +51,7 @@ deps/
 | TLS handshake | `tls/mod.rs` — cfg-gated per backend |
 | C bindings | `ffi.rs` + `include/quiche.h` |
 | Test harness | `test_utils.rs` (`Pipe` struct) |
-| Build system | `src/build.rs` — BoringSSL cmake, cross-compile params |
+| Build system | `src/build.rs` — pkg-config + cdylib link plumbing |
 
 ## ANTI-PATTERNS
 
@@ -66,10 +64,9 @@ deps/
 ## NOTES
 
 - `build.rs` is at `src/build.rs` (Cargo.toml: `build = "src/build.rs"`), not crate root.
-- Three TLS backends: `boringssl-vendored` (default), `boringssl-boring-crate`, `openssl` — mutually exclusive features.
+- Two TLS backends: `boringssl-boring-crate` (default, via `boring` crate), `openssl` (quictls) — mutually exclusive features.
 - `quiche::Error` is `Copy + Clone` — intentional for hot-path ergonomics.
 - `test_utils::Pipe` exposed via `internal` feature for downstream crate integration tests.
 - Tests use `rstest` with `#[values("cubic", "bbr2_gcongestion")]` parameterization for CC coverage.
-- `QUICHE_BSSL_PATH` env var skips vendored BoringSSL build.
 - Crate-type: `lib` + `staticlib` + `cdylib` — the latter two for C consumers.
 - `BufFactory` trait (`buffers.rs`) enables zero-copy buffer creation; `Connection<F>` is generic over it.

quiche/AGENTS.md

@@ -14,12 +14,6 @@ include = [
   "/*.md",
   "/*.toml",
   "/COPYING",
-  "/deps/boringssl/**/*.[chS]",
-  "/deps/boringssl/**/*.asm",
-  "/deps/boringssl/src/**/*.cc",
-  "/deps/boringssl/**/CMakeLists.txt",
-  "/deps/boringssl/**/sources.cmake",
-  "/deps/boringssl/LICENSE",
   "/examples",
   "/include",
   "/quiche.svg",
@@ -28,24 +22,14 @@ include = [
 rust-version = "1.85"
 
 [features]
-default = ["boringssl-vendored", "boringssl-pq-patch"]
+default = ["boringssl-boring-crate"]
 
 # Allow client connections to provide a custom DCID when initiating a
 # connection. Be aware that RFC 9000 places requirements for unpredictability and
 # length on the client DCID field. Enabling this feature can be dangerous if these
 # requirements are not satisfied.
 custom-client-dcid = []
 
-# Build the vendored BoringSSL library.
-boringssl-vendored = []
-
-# When building the vendored BoringSSL library, apply a patch that
-# enables post-quantum key shares (X25519MLKEM768, P256Kyber768Draft00)
-# in the default supported-groups list. This matches what `boring-sys`
-# vendors, so behavior is consistent across the two BoringSSL feature
-# paths. Has no effect without `boringssl-vendored`.
-boringssl-pq-patch = []
-
 # Use the BoringSSL library provided by the boring crate.
 boringssl-boring-crate = ["boring", "foreign-types-shared"]
 
@@ -80,7 +64,6 @@ features = ["boringssl-boring-crate", "qlog", "custom-client-dcid"]
 rustdoc-args = ["--cfg", "docsrs"]
 
 [build-dependencies]
-cmake = "0.1"
 pkg-config = { version = "0.3", optional = true }
 cdylib-link-lines = { version = "0.1", optional = true }