Bump to v4.13.0 from upstream

.github/workflows/ci.yml

@@ -113,16 +113,22 @@ jobs:
           target: aarch64-apple-ios
           os: macos-latest
           check_only: true
+          custom_env:
+            IPHONEOS_DEPLOYMENT_TARGET: 17.5
           # It's... theoretically possible to run tests on iPhone Simulator,
           # but for now, make sure that BoringSSL only builds.
         - thing: aarch64-ios-sim
           target: aarch64-apple-ios-sim
           os: macos-latest
           check_only: true
+          custom_env:
+            IPHONEOS_DEPLOYMENT_TARGET: 17.5
         - thing: x86_64-ios
           target: x86_64-apple-ios
           os: macos-latest
           check_only: true
+          custom_env:
+            IPHONEOS_DEPLOYMENT_TARGET: 17.5
         - thing: i686-linux
           target: i686-unknown-linux-gnu
           rust: stable
@@ -313,16 +319,16 @@ jobs:
       uses: actions/setup-go@v5
       with:
         go-version: '>=1.22.0'
+    - name: Install ${{ matrix.target }} toolchain
+      run: brew tap messense/macos-cross-toolchains && brew install ${{ matrix.target }} && brew link x86_64-unknown-linux-gnu
     - name: Install Clang-12
       uses: KyleMayes/install-llvm-action@v1
       with:
         version: "12.0.0"
         directory: ${{ runner.temp }}/llvm
     - name: Add clang++-12 link
       working-directory: ${{ runner.temp }}/llvm/bin
-      run: ln -s clang clang++-12
-    - name: Install ${{ matrix.target }} toolchain
-      run: brew tap messense/macos-cross-toolchains && brew install --overwrite [email protected] && brew install ${{ matrix.target }}
+      run: ln -s clang++ clang++-12
     - name: Set BORING_BSSL_FIPS_COMPILER_EXTERNAL_TOOLCHAIN
       run: echo "BORING_BSSL_FIPS_COMPILER_EXTERNAL_TOOLCHAIN=$(brew --prefix ${{ matrix.target }})/toolchain" >> $GITHUB_ENV
       shell: bash
@@ -360,3 +366,5 @@ jobs:
       name: Run `rpk,underscore-wildcards` tests
     - run: cargo test --features pq-experimental,rpk,underscore-wildcards
       name: Run `pq-experimental,rpk,underscore-wildcards` tests
+    - run: cargo test -p hyper-boring --features hyper1
+      name: Run hyper 1.0 tests for hyper-boring

.github/workflows/semgrep.yml

@@ -0,0 +1,23 @@
+on:
+  pull_request: {}
+  workflow_dispatch: {}
+  push:
+    branches:
+      - master
+  schedule:
+    - cron: "0 0 * * *"
+name: Semgrep config
+jobs:
+  semgrep:
+    name: semgrep/ci
+    runs-on: ubuntu-latest
+    env:
+      SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
+      SEMGREP_URL: https://cloudflare.semgrep.dev
+      SEMGREP_APP_URL: https://cloudflare.semgrep.dev
+      SEMGREP_VERSION_CHECK_URL: https://cloudflare.semgrep.dev/api/check-version
+    container:
+      image: semgrep/semgrep
+    steps:
+      - uses: actions/checkout@v4
+      - run: semgrep ci

Cargo.toml

@@ -8,7 +8,7 @@ members = [
 resolver = "2"
 
 [workspace.package]
-version = "4.9.0"
+version = "4.13.0"
 repository = "https://github.com/cloudflare/boring"
 edition = "2021"
 
@@ -19,11 +19,12 @@ tag-prefix = ""
 publish = false
 
 [workspace.dependencies]
-boring-sys = { version = "4.9.0", path = "./boring-sys", default-features = false }
-boring = { version = "4.9.0", path = "./boring" }
-tokio-boring = { version = "4.9.0", path = "./tokio-boring" }
+boring-sys = { version = "4.13.0", path = "./boring-sys" }
+boring = { version = "4.13.0", path = "./boring" }
+tokio-boring = { version = "4.13.0", path = "./tokio-boring" }
 
 bindgen = { version = "0.70.1", default-features = false, features = ["runtime"] }
+bytes = "1"
 cmake = "0.1.18"
 fs_extra = "1.3.0"
 fslock = "0.2"
@@ -36,10 +37,16 @@ futures = "0.3"
 tokio = "1"
 anyhow = "1"
 antidote = "1.0.0"
-http = "0.2"
-hyper = { version = "0.14", default-features = false }
+http = "1"
+http-body-util = "0.1.2"
+http_old = { package = "http", version = "0.2" }
+hyper = "1"
+hyper-util = "0.1.6"
+hyper_old = { package = "hyper", version = "0.14", default-features = false }
 linked_hash_set = "0.1"
 once_cell = "1.0"
+openssl-macros = "0.1.1"
 tower = "0.4"
 tower-layer = "0.3"
+tower-service = "0.3"
 autocfg = "1.3.0"

RELEASE_NOTES

@@ -1,16 +1,64 @@
+4.13.0
+- 2024-11-26 Sync X509StoreBuilder with openssl
+- 2024-11-26 Sync X509VerifyFlags with openssl
+- 2021-11-21 More corresponds from openssl
+- 2024-11-28 Work around Rust settings inconsistent iOS SDK version
+- 2024-11-28 Clippy
+- 2024-03-11 Fix Windows build
+
+4.12.0 
+- 2024-11-20 Add bindings for SSL_CB_ACCEPT_EXIT and SSL_CB_CONNECT_EXIT
+- 2024-10-22 (ci): brew link x86 toolchain for macos13 runner
+- 2024-10-22 Skip bindgen 0.70's layout tests before Rust 1.77
+- 2024-10-18 Add `set_cert_verify_callback` (`SSL_CTX_set_cert_verify`)
+
+4.11.0
+- 2024-10-17 boring-sys: include HPKE header file for bindgen
+- 2024-10-17 Add "fips-compat" feature
+- 2024-09-25 Create semgrep.yml
+
+4.10.3
+- 2024-09-21 Set MSRV to 1.70 (#279)
+
+4.10.2
+- 2024-09-18 boring-pq.patch Fix by not updating crypto_test_data.cc
+
+4.10.1
+- 2024-09-18 Don't support X25519MLKEM768 by default (yet)
+
+4.10.0
+- 2024-09-18 Implement optional Hyper 1 support in hyper-boring (#246)
+- 2024-09-17 Add post-quantum key agreement X25519MLKEM768
+- 2024-09-10 Revert "PQ: fix timing sidechannels and add IPDWing"
+- 2024-09-17 Update bindgen to 0.70.1
+- 2024-09-17 Expose SSL(_CTX)_set1_curves_list (#270)
+- 2024-09-11 Expose SSL_CTX_set_info_callback (#266)
+- 2024-09-03 Use ForeignType::into_ptr wherever applicable
+- 2024-08-19 Expose RSAPSS public key Id type
+- 2024-08-15 Fix macos FIPS crossbuild
+- 2024-08-15 Add tests for X509Ref::subject_key_id, X509Ref::authority_key_id, and X509NameRef::print_ex
+- 2024-08-14 Expose X509NameRef::print_ex
+- 2024-08-13 Introduce `corresponds` macro from openssl-macros
+- 2024-08-14 Introduce ForeignTypeExt and ForeignTypeRefExt
+- 2024-08-09 Expose mTLS related APIs
+- 2024-08-14 chore(boring-sys): Fix git apply patch on Windows (#261)
+
+4.9.1
+- 2024-08-04 Properly handle `Option<i32>` in `SslRef::set_curves`
+
 4.9.0
-- 2024-08-02   Guard against empty strings given to select_next_proto (#252)
-- 2024-08-01   Document `SslCurve::nid()`
-- 2024-08-01   Add SslCurve::to_nid() and remove SslCurveId
-- 2024-07-23   Fix x509_check_host return value
-- 2024-07-29   Fix clippy lints re: docs indentation + unused feature
-- 2024-07-29   Ignore clippy / rustfmt on autogenerated code
-- 2024-07-26   Clean up legacy const_fn feature gates
-- 2024-07-22   Impl From for SslVersion
-- 2024-06-03   Split SSL curve identifiers into a separate enum.
-- 2024-07-23   (ci): Fix macos crossbuild action by forcing brew link w [email protected]
-- 2024-07-09   Expose set_permute_extensions
-- 2024-06-24   PQ: fix timing sidechannels and add IPDWing
+- 2024-08-02 Guard against empty strings given to select_next_proto (#252)
+- 2024-08-01 Document `SslCurve::nid()`
+- 2024-08-01 Add SslCurve::to_nid() and remove SslCurveId
+- 2024-07-23 Fix x509_check_host return value
+- 2024-07-29 Fix clippy lints re: docs indentation + unused feature
+- 2024-07-29 Ignore clippy / rustfmt on autogenerated code
+- 2024-07-26 Clean up legacy const_fn feature gates
+- 2024-07-23 Impl From for SslVersion
+- 2024-06-03 Split SSL curve identifiers into a separate enum.
+- 2024-07-23 (ci): Fix macos crossbuild action by forcing brew link w [email protected]
+- 2024-07-09 Expose set_permute_extensions
+- 2024-06-24 PQ: fix timing sidechannels and add IPDWing
 
 4.8.0
 - 2024-06-28 Expose hmac_sha1 function
@@ -25,6 +73,8 @@
 - 2024-06-18 Add NIDs for cipher authentication types
 - 2024-06-14 Impl From for SslSignatureAlgorithm
 - 2024-03-27 Updates license field to valid SPDX format
+
+4.7.0
 - 2024-05-31 Fix crosscompile
 - 2024-05-30 Expose hmac_sha256/512 functions
 
@@ -40,8 +90,6 @@
 - 2024-03-21 Add getters for client hello message
 - 2024-01-25 Removes vestigial build script
 - 2024-02-02 Introduce and use read_uninit and write_uninit duplicated from openssl-0.10.61 and tokio-openssl-0.6.4
-
-4.3.0
 - 2024-02-07 Introduce SslRef::set_private_key
 
 4.4.1
@@ -52,6 +100,8 @@
 - 2024-01-16 Expose `set_compliance_policy` and `get_ciphers`
 - 2024-01-08 Expose SSL_get_error
 - 2023-12-20 Fix support for fips-link-precompiled
+
+4.3.0
 - 2024-01-03 Introduce X509Flags
 - 2024-01-03 Move x509 tests to a subdirectory
 - 2024-01-02 Rearrange imports in x509 module
@@ -94,6 +144,8 @@
 - 2023-11-02 Remove Sync trait bounds on callback futures
 - 2023-10-30 Update Cargo.toml
 - 2023-10-26 hyper and tokio "full" feature for dev builds only
+
+4.0.0-rc.1
 - 2023-10-26 Specify exact versions of dependent crates in the workspace manifest
 - 2023-10-16 Add CI for cross-building from macOS
 - 2023-10-16 Introduce BORING_BSSL_SYSROOT and BORING_BSSL_EXTERNAL_TOOLCHAIN

boring-sys/Cargo.toml

@@ -55,9 +55,6 @@ features = ["rpk", "pq-experimental", "underscore-wildcards"]
 rustdoc-args = ["--cfg", "docsrs"]
 
 [features]
-default = ["ssl"]
-ssl = []
-
 # Use a FIPS-validated version of boringssl.
 fips = []
 
@@ -85,3 +82,6 @@ bindgen = { workspace = true }
 cmake = { workspace = true }
 fs_extra = { workspace = true }
 fslock = { workspace = true }
+
+[lints.rust]
+unexpected_cfgs = { level = "allow", check-cfg = ['cfg(const_fn)'] }

boring-sys/build/config.rs

@@ -20,7 +20,6 @@ pub(crate) struct Features {
     pub(crate) pq_experimental: bool,
     pub(crate) rpk: bool,
     pub(crate) underscore_wildcards: bool,
-    pub(crate) ssl: bool,
 }
 
 pub(crate) struct Env {
@@ -111,15 +110,13 @@ impl Features {
         let pq_experimental = env::var_os("CARGO_FEATURE_PQ_EXPERIMENTAL").is_some();
         let rpk = env::var_os("CARGO_FEATURE_RPK").is_some();
         let underscore_wildcards = env::var_os("CARGO_FEATURE_UNDERSCORE_WILDCARDS").is_some();
-        let ssl = env::var_os("CARGO_FEATURE_SSL").is_some();
 
         Self {
             fips,
             fips_link_precompiled,
             pq_experimental,
             rpk,
             underscore_wildcards,
-            ssl,
         }
     }
 }

boring-sys/build/main.rs

@@ -501,12 +501,16 @@ fn ensure_patches_applied(config: &Config) -> io::Result<()> {
 
 fn apply_patch(config: &Config, patch_name: &str) -> io::Result<()> {
     let src_path = get_boringssl_source_path(config);
+    #[cfg(not(windows))]
     let cmd_path = config
         .manifest_dir
         .join("patches")
         .join(patch_name)
         .canonicalize()?;
 
+    #[cfg(windows)]
+    let cmd_path = config.manifest_dir.join("patches").join(patch_name);
+
     let mut args = vec!["apply", "-v", "--whitespace=fix"];
 
     // non-bazel versions of BoringSSL have no src/ dir
@@ -583,9 +587,7 @@ fn built_boring_source_path(config: &Config) -> &PathBuf {
             cfg.define("FIPS", "1");
         }
 
-        if config.features.ssl {
-            cfg.build_target("ssl").build();
-        }
+        cfg.build_target("ssl").build();
         cfg.build_target("crypto").build()
     })
 }
@@ -661,16 +663,18 @@ fn main() {
             bssl_dir.display(),
             build_path
         );
+        println!(
+            "cargo:rustc-link-search=native={}/build",
+            bssl_dir.display(),
+        );
     }
 
     if config.features.fips_link_precompiled {
         link_in_precompiled_bcm_o(&config);
     }
 
     println!("cargo:rustc-link-lib=static=crypto");
-    if config.features.ssl {
-        println!("cargo:rustc-link-lib=static=ssl");
-    }
+    println!("cargo:rustc-link-lib=static=ssl");
 
     let include_path = config.env.include_path.clone().unwrap_or_else(|| {
         if let Some(bssl_path) = &config.env.path {
@@ -692,6 +696,7 @@ fn main() {
     let supports_layout_tests = autocfg::new().probe_rustc_version(1, 77);
 
     let mut builder = bindgen::Builder::default()
+        .rust_target(bindgen::RustTarget::Stable_1_68) // bindgen MSRV is 1.70, so this is enough
         .derive_copy(true)
         .derive_debug(true)
         .derive_default(true)
@@ -731,6 +736,8 @@ fn main() {
         "des.h",
         "dtls1.h",
         "hkdf.h",
+        #[cfg(not(feature = "fips"))]
+        "hpke.h",
         "hmac.h",
         "hrss.h",
         "md4.h",