[Test] Bump to upstream v4.20.0, and update to latest upstream BoringSSL commit

.github/workflows/ci.yml

@@ -18,8 +18,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - name: Install Rust
-        run: rustup update stable && rustup default stable
+      - name: Install Rustfmt
+        run: rustup default stable && rustup component add rustfmt
       - name: Check formatting
         run: cargo fmt --all -- --check
 
@@ -31,10 +31,11 @@ jobs:
         with:
           submodules: 'recursive'
       - name: Install Rust
-        run: rustup update stable && rustup default stable
+        run: rustup update --no-self-update stable && rustup default stable && rustup component add clippy
       - name: Get rust version
         id: rust-version
-        run: echo "::set-output name=version::$(rustc --version)"
+        run: |
+          echo "version=$(rustc --version)" >> $GITHUB_OUTPUT
       - name: Cache cargo index
         uses: actions/cache@v4
         with:
@@ -58,6 +59,10 @@ jobs:
           key: clippy-target-${{ runner.os }}-${{ steps.rust-version.outputs.version }}-${{ hashFiles('Cargo.lock') }}
       - name: Run clippy
         run: cargo clippy --all --all-targets
+      - name: Check docs
+        run: cargo doc --no-deps -p boring -p boring-sys --features rpk,pq-experimental,underscore-wildcards
+        env:
+          DOCS_RS: 1
   test:
     name: Test
     runs-on: ${{ matrix.os }}
@@ -141,8 +146,8 @@ jobs:
           apt_packages: gcc-arm-linux-gnueabi g++-arm-linux-gnueabi
           check_only: true
           custom_env:
-            CC: arm-linux-gnueabi-gcc
-            CXX: arm-linux-gnueabi-g++
+            CC_arm-unknown-linux-gnueabi: arm-linux-gnueabi-gcc
+            CXX_arm-unknown-linux-gnueabi: arm-linux-gnueabi-g++
             CARGO_TARGET_ARM_UNKNOWN_LINUX_GNUEABI_LINKER: arm-linux-gnueabi-g++
         - thing: aarch64-linux
           target: aarch64-unknown-linux-gnu
@@ -151,8 +156,8 @@ jobs:
           apt_packages: crossbuild-essential-arm64
           check_only: true
           custom_env:
-            CC: aarch64-linux-gnu-gcc
-            CXX: aarch64-linux-gnu-g++
+            CC_aarch64_unknown_linux_gnu: aarch64-linux-gnu-gcc
+            CXX_aarch64_unknown_linux_gnu: aarch64-linux-gnu-g++
             CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER: aarch64-linux-gnu-g++
         - thing: arm64-macos
           target: aarch64-apple-darwin

Cargo.toml

@@ -8,7 +8,7 @@ members = [
 resolver = "2"
 
 [workspace.package]
-version = "4.18.0"
+version = "4.20.0"
 repository = "https://github.com/cloudflare/boring"
 edition = "2021"
 
@@ -19,16 +19,17 @@ tag-prefix = ""
 publish = false
 
 [workspace.dependencies]
-boring-sys = { version = "4.18.0", path = "./boring-sys" }
-boring = { version = "4.18.0", path = "./boring" }
-tokio-boring = { version = "4.18.0", path = "./tokio-boring" }
+boring-sys = { version = "4.19.0", path = "./boring-sys" }
+boring = { version = "4.19.0", path = "./boring" }
+tokio-boring = { version = "4.19.0", path = "./tokio-boring" }
 
 bindgen = { version = "0.72.0", default-features = false, features = ["runtime"] }
+bitflags = "2.9"
+brotli = "8.0"
 bytes = "1"
-cmake = "0.1.18"
+cmake = "0.1.54"
 fs_extra = "1.3.0"
 fslock = "0.2"
-bitflags = "2.4"
 foreign-types = "0.5"
 libc = "0.2"
 hex = "0.4"
@@ -48,5 +49,3 @@ openssl-macros = "0.1.1"
 tower = "0.4"
 tower-layer = "0.3"
 tower-service = "0.3"
-autocfg = "1.3.0"
-brotli = "6.0"

RELEASE_NOTES

@@ -1,3 +1,24 @@
+4.20.0
+- 2025-08-26 Support TARGET_CC and CC_{target}
+- 2025-08-26 Fix swapped host/target args
+- 2025-06-13 CStr UTF-8 improvements
+- 2025-09-26 Skip Rust version detection for bindgen
+- 2025-09-26 Upgrade deps
+- 2025-06-13 Ensure that ERR_LIB type can be named
+- 2025-06-13 Add more reliable library_reason()
+- 2025-09-30 pq: fix MSVC C4146 warning
+- 2025-10-14 Freebsd build
+- 2025-10-01 Fix string data conversion in ErrorStack::put()
+
+4.19.0
+- 2025-09-03 Add binding for X509_check_ip_asc
+- 2025-06-13 Use ERR_clear_error
+- 2025-06-13 Error descriptions and docs
+- 2025-06-13 Boring doesn't use function codes
+- 2025-09-03 Fix patched docs.rs builds
+- 2025-09-03 Test docs.rs docs
+- 2025-09-03 Fix doc links
+
 4.18.0
 - 2025-05-29 Add set_verify_param
 - 2025-05-28 Add support for X509_STORE_CTX_get0_untrusted

boring-sys/Cargo.toml

@@ -13,6 +13,7 @@ build = "build/main.rs"
 readme = "README.md"
 categories = ["cryptography", "external-ffi-bindings"]
 edition = { workspace = true }
+rust-version = "1.77"
 include = [
     "/*.md",
     "/*.toml",
@@ -89,7 +90,6 @@ pq-experimental = []
 underscore-wildcards = []
 
 [build-dependencies]
-autocfg = { workspace = true }
 bindgen = { workspace = true }
 cmake = { workspace = true }
 fs_extra = { workspace = true }

boring-sys/build/config.rs

@@ -36,6 +36,9 @@ pub(crate) struct Env {
     pub(crate) android_ndk_home: Option<PathBuf>,
     pub(crate) cmake_toolchain_file: Option<PathBuf>,
     pub(crate) cpp_runtime_lib: Option<OsString>,
+    /// C compiler (ignored if using FIPS)
+    pub(crate) cc: Option<OsString>,
+    pub(crate) cxx: Option<OsString>,
     pub(crate) docs_rs: bool,
 }
 
@@ -51,10 +54,10 @@ impl Config {
         let features = Features::from_env();
         let env = Env::from_env(&host, &target, features.is_fips_like());
 
-        let mut is_bazel = false;
-        if let Some(src_path) = &env.source_path {
-            is_bazel = src_path.join("src").exists();
-        }
+        let is_bazel = env
+            .source_path
+            .as_ref()
+            .is_some_and(|path| path.join("src").exists());
 
         let config = Self {
             manifest_dir,
@@ -142,22 +145,19 @@ impl Features {
 }
 
 impl Env {
-    fn from_env(target: &str, host: &str, is_fips_like: bool) -> Self {
+    fn from_env(host: &str, target: &str, is_fips_like: bool) -> Self {
         const NORMAL_PREFIX: &str = "BORING_BSSL";
         const FIPS_PREFIX: &str = "BORING_BSSL_FIPS";
 
+        let var_prefix = if host == target { "HOST" } else { "TARGET" };
         let target_with_underscores = target.replace('-', "_");
 
-        // Logic stolen from cmake-rs.
-        let target_var = |name: &str| {
-            let kind = if host == target { "HOST" } else { "TARGET" };
-
-            // TODO(rmehra): look for just `name` first, as most people just set that
+        let target_only_var = |name: &str| {
             var(&format!("{name}_{target}"))
                 .or_else(|| var(&format!("{name}_{target_with_underscores}")))
-                .or_else(|| var(&format!("{kind}_{name}")))
-                .or_else(|| var(name))
+                .or_else(|| var(&format!("{var_prefix}_{name}")))
         };
+        let target_var = |name: &str| target_only_var(name).or_else(|| var(name));
 
         let boringssl_var = |name: &str| {
             // The passed name is the non-fips version of the environment variable,
@@ -186,6 +186,9 @@ impl Env {
             android_ndk_home: target_var("ANDROID_NDK_HOME").map(Into::into),
             cmake_toolchain_file: target_var("CMAKE_TOOLCHAIN_FILE").map(Into::into),
             cpp_runtime_lib: target_var("BORING_BSSL_RUST_CPPLIB"),
+            // matches the `cc` crate
+            cc: target_only_var("CC"),
+            cxx: target_only_var("CXX"),
             docs_rs: var("DOCS_RS").is_some(),
         }
     }

boring-sys/build/main.rs

@@ -152,7 +152,7 @@ fn get_boringssl_source_path(config: &Config) -> &PathBuf {
 ///
 /// MSVC generator on Windows place static libs in a target sub-folder,
 /// so adjust library location based on platform and build target.
-/// See issue: https://github.com/alexcrichton/cmake-rs/issues/18
+/// See issue: <https://github.com/alexcrichton/cmake-rs/issues/18>
 fn get_boringssl_platform_output_path(config: &Config) -> String {
     if config.target.ends_with("-msvc") {
         // Code under this branch should match the logic in cmake-rs
@@ -193,7 +193,7 @@ fn get_boringssl_platform_output_path(config: &Config) -> String {
     }
 }
 
-/// Returns a new cmake::Config for building BoringSSL.
+/// Returns a new `cmake::Config` for building BoringSSL.
 ///
 /// It will add platform-specific parameters if needed.
 fn get_boringssl_cmake_config(config: &Config) -> cmake::Config {
@@ -216,6 +216,15 @@ fn get_boringssl_cmake_config(config: &Config) -> cmake::Config {
             .define("CMAKE_ASM_COMPILER_TARGET", &config.target);
     }
 
+    if !config.features.fips {
+        if let Some(cc) = &config.env.cc {
+            boringssl_cmake.define("CMAKE_C_COMPILER", cc);
+        }
+        if let Some(cxx) = &config.env.cxx {
+            boringssl_cmake.define("CMAKE_CXX_COMPILER", cxx);
+        }
+    }
+
     if let Some(sysroot) = &config.env.sysroot {
         boringssl_cmake.define("CMAKE_SYSROOT", sysroot);
     }
@@ -331,7 +340,7 @@ fn get_boringssl_cmake_config(config: &Config) -> cmake::Config {
     boringssl_cmake
 }
 
-/// Verify that the toolchains match https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3678.pdf
+/// Verify that the toolchains match <https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3678.pdf>
 /// See "Installation Instructions" under section 12.1.
 // TODO: maybe this should also verify the Go and Ninja versions? But those haven't been an issue in practice ...
 fn verify_fips_clang_version() -> (&'static str, &'static str) {
@@ -468,6 +477,24 @@ fn get_extra_clang_args_for_bindgen(config: &Config) -> Vec<String> {
 }
 
 fn ensure_patches_applied(config: &Config) -> io::Result<()> {
+    if config.env.assume_patched || config.env.path.is_some() {
+        println!(
+            "cargo:warning=skipping git patches application, provided\
+            native BoringSSL is expected to have the patches included"
+        );
+        return Ok(());
+    } else if config.env.source_path.is_some()
+        && (config.features.rpk
+            || config.features.pq_experimental
+            || config.features.underscore_wildcards)
+    {
+        panic!(
+            "BORING_BSSL_ASSUME_PATCHED must be set when setting
+               BORING_BSSL_SOURCE_PATH and using any of the following
+               features: rpk, pq-experimental, underscore-wildcards"
+        );
+    }
+
     let mut lock_file = LockFile::open(&config.out_dir.join(".patch_lock"))?;
     let src_path = get_boringssl_source_path(config);
     let has_git = src_path.join(".git").exists();
@@ -552,25 +579,6 @@ fn built_boring_source_path(config: &Config) -> &PathBuf {
     static BUILD_SOURCE_PATH: OnceLock<PathBuf> = OnceLock::new();
 
     BUILD_SOURCE_PATH.get_or_init(|| {
-        if config.env.assume_patched {
-            println!(
-                "cargo:warning=skipping git patches application, provided\
-                native BoringSSL is expected to have the patches included"
-            );
-        } else if config.env.source_path.is_some()
-            && (config.features.rpk
-                || config.features.pq_experimental
-                || config.features.underscore_wildcards)
-        {
-            panic!(
-                "BORING_BSSL_ASSUME_PATCHED must be set when setting
-                   BORING_BSSL_SOURCE_PATH and using any of the following
-                   features: rpk, pq-experimental, underscore-wildcards"
-            );
-        } else {
-            ensure_patches_applied(config).unwrap();
-        }
-
         let mut cfg = get_boringssl_cmake_config(config);
 
         let num_jobs = std::env::var("NUM_JOBS").ok().or_else(|| {
@@ -651,7 +659,7 @@ fn get_cpp_runtime_lib(config: &Config) -> Option<String> {
     // TODO(rmehra): figure out how to do this for windows
     if env::var_os("CARGO_CFG_UNIX").is_some() {
         match env::var("CARGO_CFG_TARGET_OS").unwrap().as_ref() {
-            "macos" | "ios" => Some("c++".into()),
+            "macos" | "ios" | "freebsd" => Some("c++".into()),
             _ => Some("stdc++".into()),
         }
     } else {
@@ -661,6 +669,7 @@ fn get_cpp_runtime_lib(config: &Config) -> Option<String> {
 
 fn main() {
     let config = Config::from_env();
+    ensure_patches_applied(&config).unwrap();
     if !config.env.docs_rs {
         emit_link_directives(&config);
     }
@@ -732,12 +741,8 @@ fn generate_bindings(config: &Config) {
         }
     });
 
-    // bindgen 0.70 replaced the run-time layout tests with compile-time ones,
-    // but they depend on std::mem::offset_of, stabilized in 1.77.
-    let supports_layout_tests = autocfg::new().probe_rustc_version(1, 77);
-    let Ok(target_rust_version) = bindgen::RustTarget::stable(68, 0) else {
-        panic!("bindgen does not recognize target rust version");
-    };
+    let target_rust_version =
+        bindgen::RustTarget::stable(77, 0).expect("bindgen does not recognize target rust version");
 
     let mut builder = bindgen::Builder::default()
         .rust_target(target_rust_version) // bindgen MSRV is 1.70, so this is enough
@@ -753,7 +758,7 @@ fn generate_bindings(config: &Config) {
         .generate_comments(true)
         .fit_macro_constants(false)
         .size_t_is_usize(true)
-        .layout_tests(supports_layout_tests)
+        .layout_tests(config.env.debug.is_some())
         .prepend_enum_name(true)
         .blocklist_type("max_align_t") // Not supported by bindgen on all targets, not used by BoringSSL
         .clang_args(get_extra_clang_args_for_bindgen(config))
@@ -805,7 +810,24 @@ fn generate_bindings(config: &Config) {
     }
 
     let bindings = builder.generate().expect("Unable to generate bindings");
+    let mut source_code = Vec::new();
     bindings
-        .write_to_file(config.out_dir.join("bindings.rs"))
-        .expect("Couldn't write bindings!");
+        .write(Box::new(&mut source_code))
+        .expect("Couldn't serialize bindings!");
+    ensure_err_lib_enum_is_named(&mut source_code);
+    fs::write(config.out_dir.join("bindings.rs"), source_code).expect("Couldn't write bindings!");
+}
+
+/// err.h has anonymous `enum { ERR_LIB_NONE = 1 }`, which makes a dodgy `_bindgen_ty_1` name
+fn ensure_err_lib_enum_is_named(source_code: &mut Vec<u8>) {
+    let src = String::from_utf8_lossy(source_code);
+    let enum_type = src
+        .split_once("ERR_LIB_SSL:")
+        .and_then(|(_, def)| Some(def.split_once("=")?.0))
+        .unwrap_or("_bindgen_ty_1");
+
+    source_code.extend_from_slice(
+        format!("\n/// Newtype for [`ERR_LIB_SSL`] constants\npub use {enum_type} as ErrLib;\n")
+            .as_bytes(),
+    );
 }

boring-sys/patches/boring-pq.patch

@@ -940,7 +940,7 @@ index 776c085f9..ccb5b3d9b 100644
 +  for(i=0;i<len;i++)
 +    r |= a[i] ^ b[i];
 +
-+  return (-(uint64_t)r) >> 63;
++  return (0-(uint64_t)r) >> 63;
 +}
 +
 +/*************************************************

boring/examples/mk_certs.rs

@@ -147,7 +147,7 @@ fn real_main() -> Result<(), ErrorStack> {
     match ca_cert.issued(&cert) {
         Ok(()) => println!("Certificate verified!"),
         Err(ver_err) => println!("Failed to verify certificate: {ver_err}"),
-    };
+    }
 
     Ok(())
 }
@@ -156,5 +156,5 @@ fn main() {
     match real_main() {
         Ok(()) => println!("Finished."),
         Err(e) => println!("Error: {e}"),
-    };
+    }
 }