signalapp
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 26 additions & 48 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 26 additions & 48 deletions
diff --git a/‎Cargo.toml‎
Lines changed: 7 additions & 8 deletions b/‎Cargo.toml‎
Lines changed: 7 additions & 8 deletions
diff --git a/‎RELEASE_NOTES‎
Lines changed: 29 additions & 0 deletions b/‎RELEASE_NOTES‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎boring-sys/Cargo.toml‎
Lines changed: 1 addition & 1 deletion b/‎boring-sys/Cargo.toml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎boring-sys/build/config.rs‎
Lines changed: 15 additions & 12 deletions b/‎boring-sys/build/config.rs‎
Lines changed: 15 additions & 12 deletions
@@ -4,10 +4,11 @@ on:
   pull_request:
     branches:
       - main
+      - v4.x
   push:
     branches:
       - main
-
+      - v4.x
 env:
   RUSTFLAGS: -Dwarnings
   RUST_BACKTRACE: 1
@@ -18,8 +19,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - name: Install Rust
-        run: rustup update stable && rustup default stable
+      - name: Install Rustfmt
+        run: rustup default stable && rustup component add rustfmt
       - name: Check formatting
         run: cargo fmt --all -- --check
 
@@ -31,10 +32,11 @@ jobs:
         with:
           submodules: 'recursive'
       - name: Install Rust
-        run: rustup update stable && rustup default stable
+        run: rustup update --no-self-update stable && rustup default stable && rustup component add clippy
       - name: Get rust version
         id: rust-version
-        run: echo "::set-output name=version::$(rustc --version)"
+        run: |
+          echo "version=$(rustc --version)" >> $GITHUB_OUTPUT
       - name: Cache cargo index
         uses: actions/cache@v4
         with:
@@ -58,6 +60,21 @@ jobs:
           key: clippy-target-${{ runner.os }}-${{ steps.rust-version.outputs.version }}-${{ hashFiles('Cargo.lock') }}
       - name: Run clippy
         run: cargo clippy --all --all-targets
+      - name: Check docs
+        run: cargo doc --no-deps -p boring -p boring-sys --features rpk,pq-experimental,underscore-wildcards
+        env:
+          CARGO_BUILD_RUSTDOCFLAGS: "--cfg=docsrs"
+          RUST_BOOTSTRAP: 1
+          DOCS_RS: 1
+      - name: Cargo.toml boring versions consistency
+        shell: bash
+        run: |
+          WORKSPACE_VERSION=$(grep -F '[workspace.package]' -A1 Cargo.toml | grep -F version | grep -Eo '".*"')
+          if [[ -z "$WORKSPACE_VERSION" ]]; then echo 2>&1 "error: can't find boring version"; exit 1; fi
+          if grep -E 'boring.* =' Cargo.toml | grep -vF "$WORKSPACE_VERSION"; then
+            echo 2>&1 "error: boring dependencies must match workspace version $WORKSPACE_VERSION"
+            exit 1
+          fi
   test:
     name: Test
     runs-on: ${{ matrix.os }}
@@ -141,8 +158,8 @@ jobs:
           apt_packages: gcc-arm-linux-gnueabi g++-arm-linux-gnueabi
           check_only: true
           custom_env:
-            CC: arm-linux-gnueabi-gcc
-            CXX: arm-linux-gnueabi-g++
+            CC_arm-unknown-linux-gnueabi: arm-linux-gnueabi-gcc
+            CXX_arm-unknown-linux-gnueabi: arm-linux-gnueabi-g++
             CARGO_TARGET_ARM_UNKNOWN_LINUX_GNUEABI_LINKER: arm-linux-gnueabi-g++
         - thing: aarch64-linux
           target: aarch64-unknown-linux-gnu
@@ -151,8 +168,8 @@ jobs:
           apt_packages: crossbuild-essential-arm64
           check_only: true
           custom_env:
-            CC: aarch64-linux-gnu-gcc
-            CXX: aarch64-linux-gnu-g++
+            CC_aarch64_unknown_linux_gnu: aarch64-linux-gnu-gcc
+            CXX_aarch64_unknown_linux_gnu: aarch64-linux-gnu-g++
             CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER: aarch64-linux-gnu-g++
         - thing: arm64-macos
           target: aarch64-apple-darwin
@@ -301,45 +318,6 @@ jobs:
     - name: Build for ${{ matrix.target }}
       run: cargo build --target ${{ matrix.target }} --all-targets
 
-  cross-build-fips:
-    name: Cross build from macOS to Linux (FIPS)
-    runs-on: macos-13 # Need an Intel (x86_64) runner for Clang 12.0.0
-    strategy:
-      matrix:
-        include:
-          - target: x86_64-unknown-linux-gnu
-    steps:
-    - uses: actions/checkout@v4
-      with:
-        submodules: 'recursive'
-    - name: Install Rust (rustup)
-      run: rustup update stable --no-self-update && rustup default stable && rustup target add ${{ matrix.target }}
-      shell: bash
-    - name: Install golang
-      uses: actions/setup-go@v5
-      with:
-        go-version: '>=1.22.0'
-    - name: Install ${{ matrix.target }} toolchain
-      run: brew tap messense/macos-cross-toolchains && brew install ${{ matrix.target }} && brew link x86_64-unknown-linux-gnu
-    - name: Install Clang-12
-      uses: KyleMayes/install-llvm-action@v1
-      with:
-        version: "12.0.0"
-        directory: ${{ runner.temp }}/llvm
-    - name: Add clang++-12 link
-      working-directory: ${{ runner.temp }}/llvm/bin
-      run: ln -s clang++ clang++-12
-    - name: Set BORING_BSSL_FIPS_COMPILER_EXTERNAL_TOOLCHAIN
-      run: echo "BORING_BSSL_FIPS_COMPILER_EXTERNAL_TOOLCHAIN=$(brew --prefix ${{ matrix.target }})/toolchain" >> $GITHUB_ENV
-      shell: bash
-    - name: Set BORING_BSSL_FIPS_SYSROOT
-      run: echo "BORING_BSSL_FIPS_SYSROOT=$BORING_BSSL_FIPS_COMPILER_EXTERNAL_TOOLCHAIN/${{ matrix.target }}/sysroot" >> $GITHUB_ENV
-      shell: bash
-    - name: Set CARGO_TARGET_X86_64_UNKNOWN_LINUX_GNU_LINKER
-      run: echo "CARGO_TARGET_X86_64_UNKNOWN_LINUX_GNU_LINKER=${{ matrix.target }}-gcc" >> $GITHUB_ENV
-    - name: Build for ${{ matrix.target }}
-      run: cargo build --target ${{ matrix.target }} --all-targets --features fips
-
   test-features:
     name: Test features
     runs-on: ubuntu-latest
 
@@ -8,7 +8,7 @@ members = [
 resolver = "2"
 
 [workspace.package]
-version = "4.18.0"
+version = "4.21.1"
 repository = "https://github.com/cloudflare/boring"
 edition = "2021"
 
@@ -19,16 +19,17 @@ tag-prefix = ""
 publish = false
 
 [workspace.dependencies]
-boring-sys = { version = "4.18.0", path = "./boring-sys" }
-boring = { version = "4.18.0", path = "./boring" }
-tokio-boring = { version = "4.18.0", path = "./tokio-boring" }
+boring-sys = { version = "4.21.1", path = "./boring-sys" }
+boring = { version = "4.21.1", path = "./boring" }
+tokio-boring = { version = "4.21.1", path = "./tokio-boring" }
 
 bindgen = { version = "0.72.0", default-features = false, features = ["runtime"] }
+bitflags = "2.9"
+brotli = "8.0"
 bytes = "1"
-cmake = "0.1.18"
+cmake = "0.1.54"
 fs_extra = "1.3.0"
 fslock = "0.2"
-bitflags = "2.4"
 foreign-types = "0.5"
 libc = "0.2"
 hex = "0.4"
@@ -48,5 +49,3 @@ openssl-macros = "0.1.1"
 tower = "0.4"
 tower-layer = "0.3"
 tower-service = "0.3"
-autocfg = "1.3.0"
-brotli = "6.0"
@@ -1,3 +1,32 @@
+4.21.0
+
+- 2026-01-05 Warn about set_curves() removal
+- 2026-01-05 Deprecate set_ex_data()
+- 2026-01-05 Fix build with --no-default-features
+- 2026-01-05 Make set_curves_list always available
+- 2026-01-19 Use fips-build-compatible ERR_add_error_data
+
+4.20.0
+- 2025-08-26 Support TARGET_CC and CC_{target}
+- 2025-08-26 Fix swapped host/target args
+- 2025-06-13 CStr UTF-8 improvements
+- 2025-09-26 Skip Rust version detection for bindgen
+- 2025-09-26 Upgrade deps
+- 2025-06-13 Ensure that ERR_LIB type can be named
+- 2025-06-13 Add more reliable library_reason()
+- 2025-09-30 pq: fix MSVC C4146 warning
+- 2025-10-14 Freebsd build
+- 2025-10-01 Fix string data conversion in ErrorStack::put()
+
+4.19.0
+- 2025-09-03 Add binding for X509_check_ip_asc
+- 2025-06-13 Use ERR_clear_error
+- 2025-06-13 Error descriptions and docs
+- 2025-06-13 Boring doesn't use function codes
+- 2025-09-03 Fix patched docs.rs builds
+- 2025-09-03 Test docs.rs docs
+- 2025-09-03 Fix doc links
+
 4.18.0
 - 2025-05-29 Add set_verify_param
 - 2025-05-28 Add support for X509_STORE_CTX_get0_untrusted
 
@@ -13,6 +13,7 @@ build = "build/main.rs"
 readme = "README.md"
 categories = ["cryptography", "external-ffi-bindings"]
 edition = { workspace = true }
+rust-version = "1.77"
 include = [
     "/*.md",
     "/*.toml",
@@ -89,7 +90,6 @@ pq-experimental = []
 underscore-wildcards = []
 
 [build-dependencies]
-autocfg = { workspace = true }
 bindgen = { workspace = true }
 cmake = { workspace = true }
 fs_extra = { workspace = true }
 
@@ -36,6 +36,9 @@ pub(crate) struct Env {
     pub(crate) android_ndk_home: Option<PathBuf>,
     pub(crate) cmake_toolchain_file: Option<PathBuf>,
     pub(crate) cpp_runtime_lib: Option<OsString>,
+    /// C compiler (ignored if using FIPS)
+    pub(crate) cc: Option<OsString>,
+    pub(crate) cxx: Option<OsString>,
     pub(crate) docs_rs: bool,
 }
 
@@ -51,10 +54,10 @@ impl Config {
         let features = Features::from_env();
         let env = Env::from_env(&host, &target, features.is_fips_like());
 
-        let mut is_bazel = false;
-        if let Some(src_path) = &env.source_path {
-            is_bazel = src_path.join("src").exists();
-        }
+        let is_bazel = env
+            .source_path
+            .as_ref()
+            .is_some_and(|path| path.join("src").exists());
 
         let config = Self {
             manifest_dir,
@@ -142,22 +145,19 @@ impl Features {
 }
 
 impl Env {
-    fn from_env(target: &str, host: &str, is_fips_like: bool) -> Self {
+    fn from_env(host: &str, target: &str, is_fips_like: bool) -> Self {
         const NORMAL_PREFIX: &str = "BORING_BSSL";
         const FIPS_PREFIX: &str = "BORING_BSSL_FIPS";
 
+        let var_prefix = if host == target { "HOST" } else { "TARGET" };
         let target_with_underscores = target.replace('-', "_");
 
-        // Logic stolen from cmake-rs.
-        let target_var = |name: &str| {
-            let kind = if host == target { "HOST" } else { "TARGET" };
-
-            // TODO(rmehra): look for just `name` first, as most people just set that
+        let target_only_var = |name: &str| {
             var(&format!("{name}_{target}"))
                 .or_else(|| var(&format!("{name}_{target_with_underscores}")))
-                .or_else(|| var(&format!("{kind}_{name}")))
-                .or_else(|| var(name))
+                .or_else(|| var(&format!("{var_prefix}_{name}")))
         };
+        let target_var = |name: &str| target_only_var(name).or_else(|| var(name));
 
         let boringssl_var = |name: &str| {
             // The passed name is the non-fips version of the environment variable,
@@ -186,6 +186,9 @@ impl Env {
             android_ndk_home: target_var("ANDROID_NDK_HOME").map(Into::into),
             cmake_toolchain_file: target_var("CMAKE_TOOLCHAIN_FILE").map(Into::into),
             cpp_runtime_lib: target_var("BORING_BSSL_RUST_CPPLIB"),
+            // matches the `cc` crate
+            cc: target_only_var("CC"),
+            cxx: target_only_var("CXX"),
             docs_rs: var("DOCS_RS").is_some(),
         }
     }