Gate compliance policy apis:

Isaiah Becker-Mayer · Isaiah Becker-Mayer · commit 69d40839ccbc · 2024-01-24T10:57:07.000-08:00
The SSL_CTX_set_compliance_policy and ssl_compliance_policy_t apis are not
available in the fips validated hash of the boringssl library (boring-sys/deps/boringssl-fips).
This adds back the feature gate for these apis.
diff --git a/boring/src/ssl/mod.rs b/boring/src/ssl/mod.rs
@@ -703,8 +703,10 @@ impl SslCurve {
 
 /// A compliance policy.
 #[derive(Debug, Copy, Clone, PartialEq, Eq)]
+#[cfg(not(feature = "fips"))]
 pub struct CompliancePolicy(ffi::ssl_compliance_policy_t);
 
+#[cfg(not(feature = "fips"))]
 impl CompliancePolicy {
     /// Does nothing, however setting this does not undo other policies, so trying to set this is an error.
     pub const NONE: Self = Self(ffi::ssl_compliance_policy_t::ssl_compliance_policy_none);
@@ -824,10 +826,6 @@ impl SslContextBuilder {
             init();
             let ctx = cvt_p(ffi::SSL_CTX_new(method.as_ptr()))?;
 
-            #[cfg(feature = "fips")]
-            ctx.set_compliance_policy(CompliancePolicy::FIPS_202205)
-                .unwrap();
-
             #[cfg(feature = "rpk")]
             {
                 Ok(SslContextBuilder::from_ptr(ctx, false))
@@ -1898,6 +1896,8 @@ impl SslContextBuilder {
     /// This corresponds to [`SSL_CTX_set_compliance_policy`]
     ///
     /// [`SSL_CTX_set_compliance_policy`] https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#SSL_CTX_set_compliance_policy
+    /// This feature isn't available in the certified version of BoringSSL.
+    #[cfg(not(feature = "fips"))]
     pub fn set_compliance_policy(&mut self, policy: CompliancePolicy) -> Result<(), ErrorStack> {
         unsafe { cvt_0i(ffi::SSL_CTX_set_compliance_policy(self.as_ptr(), policy.0)).map(|_| ()) }
     }
diff --git a/boring/src/ssl/test/mod.rs b/boring/src/ssl/test/mod.rs
@@ -21,6 +21,7 @@ use crate::ssl::{
 use crate::x509::verify::X509CheckFlags;
 use crate::x509::{X509Name, X509};
 
+#[cfg(not(feature = "fips"))]
 use super::CompliancePolicy;
 
 mod custom_verify;
@@ -947,6 +948,7 @@ fn test_get_ciphers() {
 }
 
 #[test]
+#[cfg(not(feature = "fips"))]
 fn test_set_compliance() {
     let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
     ctx.set_compliance_policy(CompliancePolicy::FIPS_202205)
