Merge in upstream v4.18.0

Author: akonradi-signal

.github/workflows/ci.yml

@@ -242,7 +242,7 @@ jobs:
 
   test-fips:
     name: Test FIPS integration
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
       with:
@@ -342,7 +342,7 @@ jobs:
 
   test-features:
     name: Test features
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
       with:

Cargo.toml

@@ -8,7 +8,7 @@ members = [
 resolver = "2"
 
 [workspace.package]
-version = "4.15.0"
+version = "4.18.0"
 repository = "https://github.com/cloudflare/boring"
 edition = "2021"
 
@@ -19,11 +19,11 @@ tag-prefix = ""
 publish = false
 
 [workspace.dependencies]
-boring-sys = { version = "4.15.0", path = "./boring-sys" }
-boring = { version = "4.15.0", path = "./boring" }
-tokio-boring = { version = "4.15.0", path = "./tokio-boring" }
+boring-sys = { version = "4.18.0", path = "./boring-sys" }
+boring = { version = "4.18.0", path = "./boring" }
+tokio-boring = { version = "4.18.0", path = "./tokio-boring" }
 
-bindgen = { version = "0.70.1", default-features = false, features = ["runtime"] }
+bindgen = { version = "0.72.0", default-features = false, features = ["runtime"] }
 bytes = "1"
 cmake = "0.1.18"
 fs_extra = "1.3.0"

RELEASE_NOTES

@@ -1,3 +1,49 @@
+4.18.0
+- 2025-05-29 Add set_verify_param
+- 2025-05-28 Add support for X509_STORE_CTX_get0_untrusted
+- 2025-06-02 Add X509VerifyParamRef::copy_from (#361)
+- 2025-06-02 Fix X509VerifyContextRef::set_verify_param (#358)
+- 2025-06-02 Ensure we call X509_STORE_CTX_cleanup on error path too (#360)
+- 2025-06-02 Add mutable ex_data APIs for X509StoreContext
+- 2025-06-02 Add X509StoreContextRef::init_without_cleanup
+- 2025-06-04 Rename to reset_with_context_data
+- 2025-06-05 Avoid panicking in error handling
+- 2025-06-05 Don't unwrap when Result can be returned instead
+- 2025-06-04 Make X509Store shareable between contexts
+- 2025-06-05 Sprinkle #[must_use] (#368)
+- 2025-06-05 Expose SSL_set1_groups to Efficiently Set Curves on SSL Session (#346)
+- 2025-06-09 Upgrade bindgen to v0.72.0
+- 2025-06-13 Expose PKey::raw_{private,public}_key (#364)
+- 2025-06-10 Don't link binaries on docs.rs
+- 2025-06-11 Use cargo:warning for warnings
+
+4.17.0
+- 2025-05-27 Revert "feat(x509): Implement `Clone` for `X509Store` (#339)" (#353)
+- 2025-05-14 Update bindgen from 0.70.1 -> 0.71.1.
+- 2025-05-19 Add `X509_STORE_CTX_get0_cert` interface
+- 2025-05-18 boring(ssl): use `corresponds` macro in `add_certificate_compression_algorithm`
+- 2025-02-14 Update Cargo.toml
+- 2025-02-13 build: Fix the build for 32-bit Linux platform
+- 2025-05-20 rustfmt ;(
+- 2025-05-20 Fix linking SystemFunction036 from advapi32 in Rust 1.87
+- 2025-05-20 Clippy
+- 2025-05-01 add SslCurve::X25519_MLKEM768 constant
+- 2025-04-17 Use ubuntu-latest for all ci jobs
+- 2025-04-16 fix clippy error
+- 2025-04-15 expose SSL_set_compliance_policy
+- 2025-04-07 feat(x509): Implement `Clone` for `X509Store` (#339)
+
+4.16.0
+- 2025-03-31 Add fips-precompiled feature to support newer versions of FIPS (#338)
+- 2025-03-18 Document linking to C++ standard library (#335)
+- 2025-03-18 Revert "Remove "fips-no-compat", decouple "fips-compat" from "fips"" (#334)
+- 2025-03-11 boring: Disable `SslCurve` API with "fips" feature
+- 2025-03-11 boring-sys: Ignore patches when boringSSL is precompiled
+- 2025-03-13 Remove "fips-no-compat", decouple "fips-compat" from "fips"
+- 2025-03-14 Add feature "fips-no-compat"
+- 2025-03-10 Advertise X25519MLKEM768 with "kx-client-pq-preferred" (#329)
+- 2025-03-10 Update to actions/cache@v4 (#328)
+- 2025-02-28 Add missing release notes entry (#324)
 
 4.15.0
 - 2025-02-27 Expose API to enable certificate compression. (#241)
@@ -517,7 +563,7 @@
 - 2019-12-01 Change *const to *mut to try if it fixes tests
 - 2019-12-01 move EVP_PKCS82PKEY into evp module
 - 2019-12-01 Support for PKCS#8 unencrypted private key deserialization
-- 2019-11-23 Update openssl/src/hash.rs
+- 2019-11-23 Update openssl/src/hash.rs
 - 2019-11-22 Add EVP_md_null() and MessageDigest::md_null()
 - 2019-11-22 Fix up base64 docs
 - 2019-11-22 Cleanup

boring-sys/Cargo.toml

@@ -57,9 +57,19 @@ features = ["rpk", "pq-experimental", "underscore-wildcards"]
 rustdoc-args = ["--cfg", "docsrs"]
 
 [features]
-# Use a FIPS-validated version of boringssl.
+# Compile boringssl using the FIPS build flag if building boringssl from
+# scratch.
+#
+# See
+# https://boringssl.googlesource.com/boringssl/+/master/crypto/fipsmodule/FIPS.md
+# for instructions and more details on the boringssl FIPS flag.
 fips = []
 
+# Use a precompiled FIPS-validated version of BoringSSL. Meant to be used with
+# FIPS-20230428 or newer. Users must set `BORING_BSSL_FIPS_PATH` to use this
+# feature, or else the build will fail.
+fips-precompiled = []
+
 # Link with precompiled FIPS-validated `bcm.o` module.
 fips-link-precompiled = []
 

boring-sys/build/config.rs

@@ -16,6 +16,7 @@ pub(crate) struct Config {
 
 pub(crate) struct Features {
     pub(crate) fips: bool,
+    pub(crate) fips_precompiled: bool,
     pub(crate) fips_link_precompiled: bool,
     pub(crate) pq_experimental: bool,
     pub(crate) rpk: bool,
@@ -35,6 +36,7 @@ pub(crate) struct Env {
     pub(crate) android_ndk_home: Option<PathBuf>,
     pub(crate) cmake_toolchain_file: Option<PathBuf>,
     pub(crate) cpp_runtime_lib: Option<OsString>,
+    pub(crate) docs_rs: bool,
 }
 
 impl Config {
@@ -47,11 +49,7 @@ impl Config {
         let target_os = env::var("CARGO_CFG_TARGET_OS").unwrap();
 
         let features = Features::from_env();
-        let env = Env::from_env(
-            &host,
-            &target,
-            features.fips || features.fips_link_precompiled,
-        );
+        let env = Env::from_env(&host, &target, features.is_fips_like());
 
         let mut is_bazel = false;
         if let Some(src_path) = &env.source_path {
@@ -80,6 +78,10 @@ impl Config {
             panic!("`fips` and `rpk` features are mutually exclusive");
         }
 
+        if self.features.fips_precompiled && self.features.rpk {
+            panic!("`fips-precompiled` and `rpk` features are mutually exclusive");
+        }
+
         let is_precompiled_native_lib = self.env.path.is_some();
         let is_external_native_lib_source =
             !is_precompiled_native_lib && self.env.source_path.is_none();
@@ -96,30 +98,47 @@ impl Config {
             || self.features.underscore_wildcards;
 
         let patches_required = features_with_patches_enabled && !self.env.assume_patched;
-        let build_from_sources_required = self.features.fips_link_precompiled || patches_required;
 
-        if is_precompiled_native_lib && build_from_sources_required {
-            panic!("precompiled BoringSSL was provided, so FIPS configuration or optional patches can't be applied");
+        if is_precompiled_native_lib && patches_required {
+            println!(
+                "cargo:warning=precompiled BoringSSL was provided, so patches will be ignored"
+            );
+        }
+
+        // todo(rmehra): should this even be a restriction? why not let people link a custom bcm.o?
+        // precompiled boringssl will include libcrypto.a
+        if is_precompiled_native_lib && self.features.fips_link_precompiled {
+            panic!("precompiled BoringSSL was provided, so FIPS configuration can't be applied");
+        }
+
+        if !is_precompiled_native_lib && self.features.fips_precompiled {
+            panic!("`fips-precompiled` feature requires `BORING_BSSL_FIPS_PATH` to be set");
         }
     }
 }
 
 impl Features {
     fn from_env() -> Self {
         let fips = env::var_os("CARGO_FEATURE_FIPS").is_some();
+        let fips_precompiled = env::var_os("CARGO_FEATURE_FIPS_PRECOMPILED").is_some();
         let fips_link_precompiled = env::var_os("CARGO_FEATURE_FIPS_LINK_PRECOMPILED").is_some();
         let pq_experimental = env::var_os("CARGO_FEATURE_PQ_EXPERIMENTAL").is_some();
         let rpk = env::var_os("CARGO_FEATURE_RPK").is_some();
         let underscore_wildcards = env::var_os("CARGO_FEATURE_UNDERSCORE_WILDCARDS").is_some();
 
         Self {
             fips,
+            fips_precompiled,
             fips_link_precompiled,
             pq_experimental,
             rpk,
             underscore_wildcards,
         }
     }
+
+    pub(crate) fn is_fips_like(&self) -> bool {
+        self.fips || self.fips_precompiled || self.fips_link_precompiled
+    }
 }
 
 impl Env {
@@ -133,9 +152,10 @@ impl Env {
         let target_var = |name: &str| {
             let kind = if host == target { "HOST" } else { "TARGET" };
 
-            var(&format!("{}_{}", name, target))
-                .or_else(|| var(&format!("{}_{}", name, target_with_underscores)))
-                .or_else(|| var(&format!("{}_{}", kind, name)))
+            // TODO(rmehra): look for just `name` first, as most people just set that
+            var(&format!("{name}_{target}"))
+                .or_else(|| var(&format!("{name}_{target_with_underscores}")))
+                .or_else(|| var(&format!("{kind}_{name}")))
                 .or_else(|| var(name))
         };
 
@@ -166,6 +186,7 @@ impl Env {
             android_ndk_home: target_var("ANDROID_NDK_HOME").map(Into::into),
             cmake_toolchain_file: target_var("CMAKE_TOOLCHAIN_FILE").map(Into::into),
             cpp_runtime_lib: target_var("BORING_BSSL_RUST_CPPLIB"),
+            docs_rs: var("DOCS_RS").is_some(),
         }
     }
 }