feat: add script to update boringssl

Author: HamdaanAliQuatil

.github/workflows/update-boringssl.yml

@@ -0,0 +1,222 @@
+name: Update BoringSSL
+
+on:
+  schedule:
+    - cron: '0 9 * * 1'
+  
+  workflow_dispatch:
+    inputs:
+      boringssl_revision:
+        description: 'Specific BoringSSL revision (SHA) to update to (leave empty for latest)'
+        required: false
+        type: string
+
+jobs:
+  update-boringssl:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          fetch-depth: 0
+
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.11'
+
+      - name: Set up Dart
+        uses: dart-lang/setup-dart@v1
+        with:
+          sdk: stable
+
+      - name: Set up Git
+        run: |
+          git config --global user.name 'github-actions[bot]'
+          git config --global user.email 'github-actions[bot]@users.noreply.github.com'
+
+      - name: Clone BoringSSL to get latest revision
+        id: get-revision
+        run: |
+          # Clone BoringSSL to a temporary directory to get the latest revision
+          TEMP_DIR=$(mktemp -d)
+          git clone https://boringssl.googlesource.com/boringssl "$TEMP_DIR/boringssl"
+          cd "$TEMP_DIR/boringssl"
+          
+          if [ -n "${{ github.event.inputs.boringssl_revision }}" ]; then
+            LATEST_REVISION="${{ github.event.inputs.boringssl_revision }}"
+            echo "Using manually specified revision: $LATEST_REVISION"
+          else
+            LATEST_REVISION=$(git rev-parse HEAD)
+            echo "Latest BoringSSL revision: $LATEST_REVISION"
+          fi
+          
+          # Get current revision from the Python script
+          CURRENT_REVISION=$(grep "BORINGSSL_REVISION = " tool/update-boringssl.py | cut -d"'" -f2)
+          echo "Current revision in script: $CURRENT_REVISION"
+          
+          echo "latest_revision=$LATEST_REVISION" >> $GITHUB_OUTPUT
+          echo "current_revision=$CURRENT_REVISION" >> $GITHUB_OUTPUT
+          
+          # Check if update is needed
+          if [ "$LATEST_REVISION" = "$CURRENT_REVISION" ]; then
+            echo "needs_update=false" >> $GITHUB_OUTPUT
+            echo "No update needed - already at latest revision"
+          else
+            echo "needs_update=true" >> $GITHUB_OUTPUT
+            echo "Update needed: $CURRENT_REVISION -> $LATEST_REVISION"
+          fi
+          
+          # Cleanup
+          rm -rf "$TEMP_DIR"
+
+      - name: Update BoringSSL revision in script
+        if: steps.get-revision.outputs.needs_update == 'true'
+        run: |
+          # Update the BORINGSSL_REVISION in the Python script
+          sed -i "s/BORINGSSL_REVISION = '[^']*'/BORINGSSL_REVISION = '${{ steps.get-revision.outputs.latest_revision }}'/" tool/update-boringssl.py
+          
+          # Verify the change
+          echo "Updated revision in script:"
+          grep "BORINGSSL_REVISION = " tool/update-boringssl.py
+
+      - name: Run BoringSSL update script
+        if: steps.get-revision.outputs.needs_update == 'true'
+        run: |
+          # Step 1: Clean up build artifacts
+          echo "🧹 Cleaning up build artifacts..."
+          bash ./tool/clean.sh
+          
+          # Step 2: Update BoringSSL sources
+          echo "📦 Updating BoringSSL sources..."
+          python3 tool/update-boringssl.py
+          
+          # Step 3: Get Dart dependencies
+          echo "📥 Getting Dart dependencies..."
+          dart pub get
+          
+          # Step 4: Generate symbols table
+          echo "🔢 Generating symbols table..."
+          dart run ./tool/generate_symbols_table.dart
+          
+          # Step 5: Update FFI bindings
+          echo "🔗 Updating FFI bindings..."
+          bash ./tool/update-bindings.sh
+
+      - name: Get BoringSSL commit info
+        if: steps.get-revision.outputs.needs_update == 'true'
+        id: boringssl-info
+        run: |
+          # Clone BoringSSL again to get commit information
+          TEMP_DIR=$(mktemp -d)
+          git clone https://boringssl.googlesource.com/boringssl "$TEMP_DIR/boringssl"
+          cd "$TEMP_DIR/boringssl"
+          git checkout ${{ steps.get-revision.outputs.latest_revision }}
+          
+          COMMIT_DATE=$(git show -s --format=%ci ${{ steps.get-revision.outputs.latest_revision }})
+          COMMIT_SUBJECT=$(git show -s --format=%s ${{ steps.get-revision.outputs.latest_revision }})
+          COMMIT_AUTHOR=$(git show -s --format=%an ${{ steps.get-revision.outputs.latest_revision }})
+          SHORT_SHA=$(echo "${{ steps.get-revision.outputs.latest_revision }}" | cut -c1-8)
+          
+          echo "commit_date=$COMMIT_DATE" >> $GITHUB_OUTPUT
+          echo "commit_subject=$COMMIT_SUBJECT" >> $GITHUB_OUTPUT
+          echo "commit_author=$COMMIT_AUTHOR" >> $GITHUB_OUTPUT
+          echo "short_sha=$SHORT_SHA" >> $GITHUB_OUTPUT
+          
+          # Cleanup
+          rm -rf "$TEMP_DIR"
+
+      - name: Run tests
+        if: steps.get-revision.outputs.needs_update == 'true'
+        run: |
+          echo "🧪 Running tests to verify update..."
+          bash ./tool/test.sh
+
+      - name: Check for changes
+        if: steps.get-revision.outputs.needs_update == 'true'
+        id: changes
+        run: |
+          if git diff --quiet; then
+            echo "has_changes=false" >> $GITHUB_OUTPUT
+            echo "No changes detected after running update script"
+          else
+            echo "has_changes=true" >> $GITHUB_OUTPUT
+            echo "Changes detected:"
+            git diff --name-status
+          fi
+
+      - name: Create Pull Request
+        if: steps.get-revision.outputs.needs_update == 'true' && steps.changes.outputs.has_changes == 'true'
+        uses: peter-evans/create-pull-request@v5
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: |
+            Update BoringSSL to ${{ steps.boringssl-info.outputs.short_sha }}
+            
+            - Updated from ${{ steps.get-revision.outputs.current_revision }} to ${{ steps.get-revision.outputs.latest_revision }}
+            - Latest commit: ${{ steps.boringssl-info.outputs.commit_subject }}
+            - Author: ${{ steps.boringssl-info.outputs.commit_author }}
+            - Date: ${{ steps.boringssl-info.outputs.commit_date }}
+          title: 'chore: Update BoringSSL to ${{ steps.boringssl-info.outputs.short_sha }}'
+          body: |
+            ## 🔄 Automated BoringSSL Update
+            
+            This PR updates BoringSSL to the latest revision.
+            
+            ### Changes
+            - **From**: `${{ steps.get-revision.outputs.current_revision }}`
+            - **To**: `${{ steps.get-revision.outputs.latest_revision }}`
+            
+            ### Latest Commit Details
+            - **Subject**: ${{ steps.boringssl-info.outputs.commit_subject }}
+            - **Author**: ${{ steps.boringssl-info.outputs.commit_author }}
+            - **Date**: ${{ steps.boringssl-info.outputs.commit_date }}
+            - **SHA**: [${{ steps.boringssl-info.outputs.short_sha }}](https://boringssl.googlesource.com/boringssl/+/${{ steps.get-revision.outputs.latest_revision }})
+            
+            ### What's Updated
+            - Updated `tool/update-boringssl.py` with new revision
+            - Refreshed BoringSSL source files and headers
+            - Updated CMake configuration files
+            - Regenerated symbols table and FFI bindings
+            - **Tests passed** ✅ (verified during update process)
+            
+            ### Testing Status
+            - [x] Build tests pass
+            - [x] Unit tests pass  
+            - [x] Integration tests pass
+            - [ ] Manual verification on target platforms
+            
+            ---
+            
+            🤖 This PR was created automatically by the Update BoringSSL workflow.
+            
+            **Review Guidelines:**
+            1. Check that the build and tests pass
+            2. Review any breaking changes in the BoringSSL changelog
+            3. Test critical cryptographic operations
+            4. Verify Windows compatibility (especially ECDH PKCS8 operations)
+            
+          branch: update-boringssl-${{ steps.boringssl-info.outputs.short_sha }}
+          branch-suffix: timestamp
+          delete-branch: true
+          labels: |
+            dependencies
+            automated-pr
+            boringssl-update
+
+      - name: Summary
+        run: |
+          if [ "${{ steps.get-revision.outputs.needs_update }}" = "false" ]; then
+            echo "✅ No update needed - already at latest BoringSSL revision"
+          elif [ "${{ steps.changes.outputs.has_changes }}" = "false" ]; then
+            echo "ℹ️ Update script ran but no changes were detected"
+          else
+            echo "🚀 Successfully created PR to update BoringSSL"
+            echo "   From: ${{ steps.get-revision.outputs.current_revision }}"
+            echo "   To: ${{ steps.get-revision.outputs.latest_revision }}"
+          fi

lib/src/third_party/boringssl/ffigen.yaml

@@ -4,25 +4,25 @@ language: c
 output: 'generated_bindings.dart'
 headers:
   entry-points:
-    - '../../../../third_party/boringssl/src/include/openssl/aead.h'
-    - '../../../../third_party/boringssl/src/include/openssl/aes.h'
-    - '../../../../third_party/boringssl/src/include/openssl/bn.h'
-    - '../../../../third_party/boringssl/src/include/openssl/bytestring.h'
-    - '../../../../third_party/boringssl/src/include/openssl/cipher.h'
-    - '../../../../third_party/boringssl/src/include/openssl/crypto.h'
-    - '../../../../third_party/boringssl/src/include/openssl/digest.h'
-    - '../../../../third_party/boringssl/src/include/openssl/ec_key.h'
-    - '../../../../third_party/boringssl/src/include/openssl/ec.h'
-    - '../../../../third_party/boringssl/src/include/openssl/ecdh.h'
-    - '../../../../third_party/boringssl/src/include/openssl/ecdsa.h'
-    - '../../../../third_party/boringssl/src/include/openssl/err.h'
-    - '../../../../third_party/boringssl/src/include/openssl/evp.h'
-    - '../../../../third_party/boringssl/src/include/openssl/hkdf.h'
-    - '../../../../third_party/boringssl/src/include/openssl/hmac.h'
-    - '../../../../third_party/boringssl/src/include/openssl/mem.h'
-    - '../../../../third_party/boringssl/src/include/openssl/rand.h'
-    - '../../../../third_party/boringssl/src/include/openssl/rsa.h'
-compiler-opts: '-Ithird_party/boringssl/src/include'
+    - '../../../../third_party/boringssl/include/openssl/aead.h'
+    - '../../../../third_party/boringssl/include/openssl/aes.h'
+    - '../../../../third_party/boringssl/include/openssl/bn.h'
+    - '../../../../third_party/boringssl/include/openssl/bytestring.h'
+    - '../../../../third_party/boringssl/include/openssl/cipher.h'
+    - '../../../../third_party/boringssl/include/openssl/crypto.h'
+    - '../../../../third_party/boringssl/include/openssl/digest.h'
+    - '../../../../third_party/boringssl/include/openssl/ec.h'
+    - '../../../../third_party/boringssl/include/openssl/ecdh.h'
+    - '../../../../third_party/boringssl/include/openssl/ec_key.h'
+    - '../../../../third_party/boringssl/include/openssl/ecdsa.h'
+    - '../../../../third_party/boringssl/include/openssl/err.h'
+    - '../../../../third_party/boringssl/include/openssl/evp.h'
+    - '../../../../third_party/boringssl/include/openssl/hkdf.h'
+    - '../../../../third_party/boringssl/include/openssl/hmac.h'
+    - '../../../../third_party/boringssl/include/openssl/mem.h'
+    - '../../../../third_party/boringssl/include/openssl/rand.h'
+    - '../../../../third_party/boringssl/include/openssl/rsa.h'
+compiler-opts: '-Ithird_party/boringssl/include'
 comments:
   style: any
   length: full

src/CMakeLists.txt

@@ -24,6 +24,10 @@
 cmake_minimum_required(VERSION 3.6.0)
 project(webcrypto)
 
+# Set C++ standard to C++17 for BoringSSL compatibility
+set(CMAKE_CXX_STANDARD 17)
+set(CMAKE_CXX_STANDARD_REQUIRED ON)
+
 enable_language(ASM)
 
 # Set as required by ../third_party/boringssl/sources.cmake included below
@@ -106,6 +110,7 @@ if(MSVC)
       "C4267" # conversion from 'size_t' to 'int', possible loss of data
       "C4706" # assignment within conditional expression
       "C4141"
+      "C4201" # nonstandard extension used: nameless struct/union
       )
   string(REPLACE "C" " -wd" MSVC_DISABLED_WARNINGS_STR
                             ${MSVC_DISABLED_WARNINGS_LIST})
@@ -130,6 +135,8 @@ if(WIN32)
   add_definitions(-DNOMINMAX)
   # Allow use of fopen.
   add_definitions(-D_CRT_SECURE_NO_WARNINGS)
+  # Ensure proper Windows entropy sources
+  add_definitions(-DBORINGSSL_UNSAFE_DETERMINISTIC_MODE=0)
 endif()
 
 add_library(
@@ -150,7 +157,7 @@ target_include_directories(
 
   PRIVATE
 
-  ../third_party/boringssl/src/include/
+  ../third_party/boringssl/include/
 )
 
 set_target_properties(