Feature flags of Boring crate // Lib.rs

Cargo Features

Boring has no features set by default.

[dependencies]
boring = { version = "4.16.0", features = ["fips", "fips-compat", "fips-precompiled", "fips-link-precompiled", "rpk", "pq-experimental", "underscore-wildcards", "kx-safe-default", "kx-client-pq-supported", "kx-client-pq-preferred", "kx-client-nist-required"] }

fips = fips-compat: Controlling the build

NOTE: This feature is deprecated. It is needed for the submoduled boringssl-fips, which is extremely old and requires modifications to the bindings, as some newer APIs don't exist and some function signatures have changed. It is highly recommended to use fips-precompiled instead.

This feature sets fips-compat on behalf of the user to guarantee bindings compatibility with the submoduled boringssl-fips.

Use a FIPS-validated version of BoringSSL.

Enables fips of boring-sys
fips-compat fips?: Build with compatibility for the submoduled boringssl-fips, without enabling the fips feature itself (useful e.g. if fips-link-precompiled is used with an older BoringSSL version).
fips-precompiled: Use a precompiled FIPS-validated version of BoringSSL. Meant to be used with FIPS-20230428 or newer. Users must set BORING_BSSL_FIPS_PATH to use this feature, or else the build will fail.

Enables fips-precompiled of boring-sys
fips-link-precompiled: Link with precompiled FIPS-validated bcm.o module.

Enables fips-link-precompiled of boring-sys
rpk: Enables Raw public key API (https://datatracker.ietf.org/doc/html/rfc7250) This feature is necessary in order to compile the bindings for the default branch of boringSSL. Alternatively, a version of boringSSL that implements the same feature set can be provided by setting BORING_BSSL{,_FIPS}_SOURCE_PATH and BORING_BSSL{,_FIPS}_ASSUME_PATCHED.

Enables rpk of boring-sys
pq-experimental: Applies a patch to the boringSSL source code that enables support for PQ key exchange. This feature is necessary in order to compile the bindings for the default branch of boringSSL. Alternatively, a version of boringSSL that implements the same feature set can be provided by setting BORING_BSSL{,_FIPS}_SOURCE_PATH and BORING_BSSL{,_FIPS}_ASSUME_PATCHED.

Enables pq-experimental of boring-sys
underscore-wildcards: Applies a patch to enable ffi::X509_CHECK_FLAG_UNDERSCORE_WILDCARDS. Same caveats as those for pq-experimental feature apply.

Enables underscore-wildcards of boring-sys
kx-safe-default kx-client-nist-required? kx-client-pq-preferred? kx-client-pq-supported?: Controlling key exchange preferences at compile time
Choose key exchange preferences at compile time. This prevents the user from choosing their own preferences.
kx-client-pq-supported kx-client-pq-preferred? = kx-safe-default: Support PQ key exchange. The client will prefer classical key exchange, but will upgrade to PQ key exchange if requested by the server. This is the safest option if you don't know if the peer supports PQ key exchange. This feature implies "kx-safe-default".
kx-client-pq-preferred = kx-client-pq-supported, kx-safe-default: Prefer PQ key exchange. The client will prefer PQ exchange, but fallback to classical key exchange if requested by the server. This is the best option if you know the peer supports PQ key exchange. This feature implies "kx-safe-default" and "kx-client-pq-supported".
kx-client-nist-required = kx-safe-default: Disable key exchange involving non-NIST key exchange on the client side.
Implies "kx-safe-default".