Pull in release v4.15.0 plus the CI fix from upstream 'cloudflare/boring'

Author: andrew-signal

.github/workflows/ci.yml

@@ -36,7 +36,7 @@ jobs:
         id: rust-version
         run: echo "::set-output name=version::$(rustc --version)"
       - name: Cache cargo index
-        uses: actions/cache@v1
+        uses: actions/cache@v4
         with:
           path: ~/.cargo/registry/index
           key: index-${{ runner.os }}-${{ github.run_number }}
@@ -45,14 +45,14 @@ jobs:
       - name: Create lockfile
         run: cargo generate-lockfile
       - name: Cache cargo registry
-        uses: actions/cache@v1
+        uses: actions/cache@v4
         with:
           path: ~/.cargo/registry/cache
           key: registry-${{ runner.os }}-${{ steps.rust-version.outputs.version }}-${{ hashFiles('Cargo.lock') }}
       - name: Fetch dependencies
         run: cargo fetch
       - name: Cache target directory
-        uses: actions/cache@v1
+        uses: actions/cache@v4
         with:
           path: target
           key: clippy-target-${{ runner.os }}-${{ steps.rust-version.outputs.version }}-${{ hashFiles('Cargo.lock') }}

Cargo.toml

@@ -8,7 +8,7 @@ members = [
 resolver = "2"
 
 [workspace.package]
-version = "4.13.0"
+version = "4.15.0"
 repository = "https://github.com/cloudflare/boring"
 edition = "2021"
 
@@ -19,9 +19,9 @@ tag-prefix = ""
 publish = false
 
 [workspace.dependencies]
-boring-sys = { version = "4.13.0", path = "./boring-sys" }
-boring = { version = "4.13.0", path = "./boring" }
-tokio-boring = { version = "4.13.0", path = "./tokio-boring" }
+boring-sys = { version = "4.15.0", path = "./boring-sys" }
+boring = { version = "4.15.0", path = "./boring" }
+tokio-boring = { version = "4.15.0", path = "./tokio-boring" }
 
 bindgen = { version = "0.70.1", default-features = false, features = ["runtime"] }
 bytes = "1"
@@ -44,9 +44,9 @@ hyper = "1"
 hyper-util = "0.1.6"
 hyper_old = { package = "hyper", version = "0.14", default-features = false }
 linked_hash_set = "0.1"
-once_cell = "1.0"
 openssl-macros = "0.1.1"
 tower = "0.4"
 tower-layer = "0.3"
 tower-service = "0.3"
 autocfg = "1.3.0"
+brotli = "6.0"

RELEASE_NOTES

@@ -1,3 +1,37 @@
+
+4.15.0
+- 2025-02-27 Expose API to enable certificate compression. (#241)
+- 2025-02-23 Fix lifetimes in ssl::select_next_proto
+- 2025-02-23 Revert cmake bump (for now) as it is overly restrictive (#321)
+- 2025-02-21 Introduce a builder pattern for SslEchKeys + make set_ech_keys take a reference (#320)
+- 2025-02-21 Revert "Refactor!: Remove strict `TokioIo` response requirement from `hyper_boring::v1::HttpsConnector`"
+- 2025-02-21 Revert "Refactor!: Introduce a Cargo feature for optional Hyper 0 support"
+- 2025-02-21 Address clippy lints
+- 2025-02-21 Actually expose SslEchKeys
+
+4.14.0
+- 2025-02-19 Bump cmake-rs to improve Mac OS build parallelism
+- 2025-02-19 Expose SSL_CTX_set1_ech_keys from SslContextRef
+- 2024-01-27 Set CMAKE_BUILD_PARALLEL_LEVEL to available_parallelism
+- 2025-02-14 build: Fix the build for 32-bit Linux platform (#312)
+- 2024-11-30 Use corresponds macro
+- 2025-02-12 Expose SSL_set_enable_ech_grease
+- 2025-02-12 Clean up ECH tests
+- 2025-02-10 Expose client/server-side ECH
+- 2025-02-10 Expose EVP_HPKE_KEY
+- 2025-02-10 Clean up boring_sys::init()
+- 2024-11-27 Detailed error codes
+- 2025-02-04 chore: Fix docs on SslRef::replace_ex_data
+- 2025-01-22 fix manual_c_str_literals clippy warning
+- 2025-01-22 replace once_cell with LazyLock
+- 2025-01-13 RTG-3333 Support X25519MLKEM768 by default, but don't sent it as client
+- 2024-07-31 Allow dead_code instead of disabling clippy entirely for bindgen
+- 2024-11-12 Remove INVALID_CALL from mid-handshake error message
+- 2024-08-16 Fix bug with accessing memzero'd X509StoreContext in tests
+- 2024-08-16 Support linking with a runtime cpp library
+- 2024-12-06 Refactor!: Introduce a Cargo feature for optional Hyper 0 support
+- 2024-12-06 Refactor!: Remove strict `TokioIo` response requirement from `hyper_boring::v1::HttpsConnector`
+
 4.13.0
 - 2024-11-26 Sync X509StoreBuilder with openssl
 - 2024-11-26 Sync X509VerifyFlags with openssl
@@ -6,15 +40,15 @@
 - 2024-11-28 Clippy
 - 2024-03-11 Fix Windows build
 
-4.12.0 
+4.12.0
 - 2024-11-20 Add bindings for SSL_CB_ACCEPT_EXIT and SSL_CB_CONNECT_EXIT
 - 2024-10-22 (ci): brew link x86 toolchain for macos13 runner
 - 2024-10-22 Skip bindgen 0.70's layout tests before Rust 1.77
 - 2024-10-18 Add `set_cert_verify_callback` (`SSL_CTX_set_cert_verify`)
 
 4.11.0
 - 2024-10-17 boring-sys: include HPKE header file for bindgen
-- 2024-10-17 Add "fips-compat" feature
+- 2024-10-17 Add "fips-compat" feature (#286)
 - 2024-09-25 Create semgrep.yml
 
 4.10.3
@@ -47,6 +81,7 @@
 - 2024-08-04 Properly handle `Option<i32>` in `SslRef::set_curves`
 
 4.9.0
+- 2024-08-02 Actually Release 4.9.0
 - 2024-08-02 Guard against empty strings given to select_next_proto (#252)
 - 2024-08-01 Document `SslCurve::nid()`
 - 2024-08-01 Add SslCurve::to_nid() and remove SslCurveId

boring-sys/Cargo.toml

@@ -19,6 +19,7 @@ include = [
     "/LICENSE-MIT",
     "/cmake/*.cmake",
     # boringssl (non-FIPS)
+    "/deps/boringssl/src/util/32-bit-toolchain.cmake",
     "/deps/boringssl/**/*.[chS]",
     "/deps/boringssl/**/*.asm",
     "/deps/boringssl/sources.json",
@@ -30,6 +31,7 @@ include = [
     "/deps/boringssl/**/sources.cmake",
     "/deps/boringssl/LICENSE",
     # boringssl (FIPS)
+    "/deps/boringssl-fips/src/util/32-bit-toolchain.cmake",
     "/deps/boringssl-fips/**/*.[chS]",
     "/deps/boringssl-fips/**/*.asm",
     "/deps/boringssl-fips/**/*.pl",

boring-sys/build/config.rs

@@ -34,6 +34,7 @@ pub(crate) struct Env {
     pub(crate) opt_level: Option<OsString>,
     pub(crate) android_ndk_home: Option<PathBuf>,
     pub(crate) cmake_toolchain_file: Option<PathBuf>,
+    pub(crate) cpp_runtime_lib: Option<OsString>,
 }
 
 impl Config {
@@ -164,6 +165,7 @@ impl Env {
             opt_level: target_var("OPT_LEVEL"),
             android_ndk_home: target_var("ANDROID_NDK_HOME").map(Into::into),
             cmake_toolchain_file: target_var("CMAKE_TOOLCHAIN_FILE").map(Into::into),
+            cpp_runtime_lib: target_var("BORING_BSSL_RUST_CPPLIB"),
         }
     }
 }

boring-sys/build/main.rs

@@ -1,4 +1,5 @@
 use fslock::LockFile;
+use std::env;
 use std::ffi::OsString;
 use std::fs;
 use std::io;
@@ -575,6 +576,10 @@ fn built_boring_source_path(config: &Config) -> &PathBuf {
 
         let mut cfg = get_boringssl_cmake_config(config);
 
+        if let Ok(threads) = std::thread::available_parallelism() {
+            cfg.env("CMAKE_BUILD_PARALLEL_LEVEL", threads.to_string());
+        }
+
         if config.features.fips {
             let (clang, clangxx) = verify_fips_clang_version();
             cfg.define("CMAKE_C_COMPILER", clang)
@@ -636,6 +641,22 @@ fn link_in_precompiled_bcm_o(config: &Config) {
     .unwrap();
 }
 
+fn get_cpp_runtime_lib(config: &Config) -> Option<String> {
+    if let Some(ref cpp_lib) = config.env.cpp_runtime_lib {
+        return cpp_lib.clone().into_string().ok();
+    }
+
+    // TODO(rmehra): figure out how to do this for windows
+    if env::var_os("CARGO_CFG_UNIX").is_some() {
+        match env::var("CARGO_CFG_TARGET_OS").unwrap().as_ref() {
+            "macos" | "ios" => Some("c++".into()),
+            _ => Some("stdc++".into()),
+        }
+    } else {
+        None
+    }
+}
+
 fn main() {
     let config = Config::from_env();
     let bssl_dir = built_boring_source_path(&config);
@@ -673,6 +694,9 @@ fn main() {
         link_in_precompiled_bcm_o(&config);
     }
 
+    if let Some(cpp_lib) = get_cpp_runtime_lib(&config) {
+        println!("cargo:rustc-link-lib={}", cpp_lib);
+    }
     println!("cargo:rustc-link-lib=static=crypto");
     println!("cargo:rustc-link-lib=static=ssl");
 

boring-sys/src/lib.rs

@@ -16,9 +16,11 @@ use std::convert::TryInto;
 use std::ffi::c_void;
 use std::os::raw::{c_char, c_int, c_uint, c_ulong};
 
-#[allow(dead_code)]
-#[allow(clippy::all)]
-#[rustfmt::skip]
+#[allow(
+    clippy::useless_transmute,
+    clippy::derive_partial_eq_without_eq,
+    dead_code
+)]
 mod generated {
     include!(concat!(env!("OUT_DIR"), "/bindings.rs"));
 }
@@ -46,18 +48,7 @@ pub const fn ERR_GET_REASON(l: c_uint) -> c_int {
 }
 
 pub fn init() {
-    use std::ptr;
-    use std::sync::Once;
-
-    // explicitly initialize to work around https://github.com/openssl/openssl/issues/3505
-    static INIT: Once = Once::new();
-
-    let init_options = OPENSSL_INIT_LOAD_SSL_STRINGS;
-
-    INIT.call_once(|| {
-        assert_eq!(
-            unsafe { OPENSSL_init_ssl(init_options.try_into().unwrap(), ptr::null_mut()) },
-            1
-        )
-    });
+    unsafe {
+        CRYPTO_library_init();
+    }
 }

boring/Cargo.toml

@@ -10,7 +10,7 @@ readme = "README.md"
 keywords = ["crypto", "tls", "ssl", "dtls"]
 categories = ["cryptography", "api-bindings"]
 edition = { workspace = true }
-rust-version = "1.70"
+rust-version = "1.80"
 
 [package.metadata.docs.rs]
 features = ["rpk", "pq-experimental", "underscore-wildcards"]
@@ -74,11 +74,11 @@ kx-client-nist-required = ["kx-safe-default"]
 [dependencies]
 bitflags = { workspace = true }
 foreign-types = { workspace = true }
-once_cell = { workspace = true }
 openssl-macros = { workspace = true }
 libc = { workspace = true }
 boring-sys = { workspace = true }
 
 [dev-dependencies]
 hex = { workspace = true }
 rusty-hook = { workspace = true }
+brotli = { workspace = true }

boring/src/derive.rs

@@ -1,6 +1,7 @@
 //! Shared secret derivation.
 use crate::ffi;
 use foreign_types::ForeignTypeRef;
+use openssl_macros::corresponds;
 use std::marker::PhantomData;
 use std::ptr;
 
@@ -25,10 +26,7 @@ impl Drop for Deriver<'_> {
 #[allow(clippy::len_without_is_empty)]
 impl<'a> Deriver<'a> {
     /// Creates a new `Deriver` using the provided private key.
-    ///
-    /// This corresponds to [`EVP_PKEY_derive_init`].
-    ///
-    /// [`EVP_PKEY_derive_init`]: https://www.openssl.org/docs/man1.0.2/crypto/EVP_PKEY_derive_init.html
+    #[corresponds(EVP_PKEY_derive_init)]
     pub fn new<T>(key: &'a PKeyRef<T>) -> Result<Deriver<'a>, ErrorStack>
     where
         T: HasPrivate,
@@ -41,10 +39,7 @@ impl<'a> Deriver<'a> {
     }
 
     /// Sets the peer key used for secret derivation.
-    ///
-    /// This corresponds to [`EVP_PKEY_derive_set_peer`]:
-    ///
-    /// [`EVP_PKEY_derive_set_peer`]: https://www.openssl.org/docs/man1.0.2/crypto/EVP_PKEY_derive_init.html
+    #[corresponds(EVP_PKEY_derive_set_peer)]
     pub fn set_peer<T>(&mut self, key: &'a PKeyRef<T>) -> Result<(), ErrorStack>
     where
         T: HasPublic,
@@ -55,10 +50,7 @@ impl<'a> Deriver<'a> {
     /// Returns the size of the shared secret.
     ///
     /// It can be used to size the buffer passed to [`Deriver::derive`].
-    ///
-    /// This corresponds to [`EVP_PKEY_derive`].
-    ///
-    /// [`Deriver::derive`]: #method.derive
+    #[corresponds(EVP_PKEY_derive)]
     /// [`EVP_PKEY_derive`]: https://www.openssl.org/docs/man1.0.2/crypto/EVP_PKEY_derive_init.html
     pub fn len(&mut self) -> Result<usize, ErrorStack> {
         unsafe {
@@ -70,10 +62,7 @@ impl<'a> Deriver<'a> {
     /// Derives a shared secret between the two keys, writing it into the buffer.
     ///
     /// Returns the number of bytes written.
-    ///
-    /// This corresponds to [`EVP_PKEY_derive`].
-    ///
-    /// [`EVP_PKEY_derive`]: https://www.openssl.org/docs/man1.0.2/crypto/EVP_PKEY_derive_init.html
+    #[corresponds(EVP_PKEY_derive)]
     pub fn derive(&mut self, buf: &mut [u8]) -> Result<usize, ErrorStack> {
         let mut len = buf.len();
         unsafe {

boring/src/dh.rs

@@ -1,6 +1,7 @@
 use crate::error::ErrorStack;
 use crate::ffi;
 use foreign_types::{ForeignType, ForeignTypeRef};
+use openssl_macros::corresponds;
 use std::mem;
 use std::ptr;
 
@@ -25,20 +26,14 @@ where
         /// Serializes the parameters into a PEM-encoded PKCS#3 DHparameter structure.
         ///
         /// The output will have a header of `-----BEGIN DH PARAMETERS-----`.
-        ///
-        /// This corresponds to [`PEM_write_bio_DHparams`].
-        ///
-        /// [`PEM_write_bio_DHparams`]: https://www.openssl.org/docs/manmaster/man3/PEM_write_bio_DHparams.html
+        #[corresponds(PEM_write_bio_DHparams)]
         params_to_pem,
         ffi::PEM_write_bio_DHparams
     }
 
     to_der! {
         /// Serializes the parameters into a DER-encoded PKCS#3 DHparameter structure.
-        ///
-        /// This corresponds to [`i2d_DHparams`].
-        ///
-        /// [`i2d_DHparams`]: https://www.openssl.org/docs/man1.1.0/crypto/i2d_DHparams.html
+        #[corresponds(i2d_DHparams)]
         params_to_der,
         ffi::i2d_DHparams
     }
@@ -58,21 +53,15 @@ impl Dh<Params> {
         /// Deserializes a PEM-encoded PKCS#3 DHpararameters structure.
         ///
         /// The input should have a header of `-----BEGIN DH PARAMETERS-----`.
-        ///
-        /// This corresponds to [`PEM_read_bio_DHparams`].
-        ///
-        /// [`PEM_read_bio_DHparams`]: https://www.openssl.org/docs/man1.0.2/crypto/PEM_read_bio_DHparams.html
+        #[corresponds(PEM_read_bio_DHparams)]
         params_from_pem,
         Dh<Params>,
         ffi::PEM_read_bio_DHparams
     }
 
     from_der! {
         /// Deserializes a DER-encoded PKCS#3 DHparameters structure.
-        ///
-        /// This corresponds to [`d2i_DHparams`].
-        ///
-        /// [`d2i_DHparams`]: https://www.openssl.org/docs/man1.1.0/crypto/d2i_DHparams.html
+        #[corresponds(d2i_DHparams)]
         params_from_der,
         Dh<Params>,
         ffi::d2i_DHparams,