0x676e67 · 0x676e67 · May 30, 2025 · Mar 31, 2025 · Apr 3, 2025 · Apr 7, 2025
diff --git a/Cargo.toml b/Cargo.toml
@@ -22,7 +22,7 @@ boring-sys = { package = "boring-sys2", version = "4.15.13", path = "./boring-sy
 boring = { package = "boring2", version = "4.15.13", path = "./boring" }
 tokio-boring = { package = "tokio-boring2", version = "4.15.13", path = "./tokio-boring" }
 
-bindgen = { version = "0.70.1", default-features = false, features = ["runtime"] }
+bindgen = { version = "0.71.1", default-features = false, features = ["runtime"] }
 bytes = "1"
 cmake = "0.1.18"
 fs_extra = "1.3.0"

diff --git a/RELEASE_NOTES b/RELEASE_NOTES
@@ -1,4 +1,32 @@
 
+4.17.0
+- 2025-05-27 Revert "feat(x509): Implement `Clone` for `X509Store` (#339)" (#353)
+- 2025-05-14 Update bindgen from 0.70.1 -> 0.71.1.
+- 2025-05-19 Add `X509_STORE_CTX_get0_cert` interface
+- 2025-05-18 boring(ssl): use `corresponds` macro in `add_certificate_compression_algorithm`
+- 2025-02-14 Update Cargo.toml
+- 2025-02-13 build: Fix the build for 32-bit Linux platform
+- 2025-05-20 rustfmt ;(
+- 2025-05-20 Fix linking SystemFunction036 from advapi32 in Rust 1.87
+- 2025-05-20 Clippy
+- 2025-05-01 add SslCurve::X25519_MLKEM768 constant
+- 2025-04-17 Use ubuntu-latest for all ci jobs
+- 2025-04-16 fix clippy error
+- 2025-04-15 expose SSL_set_compliance_policy
+- 2025-04-07 feat(x509): Implement `Clone` for `X509Store` (#339)
+
+4.16.0
+- 2025-03-31 Add fips-precompiled feature to support newer versions of FIPS (#338)
+- 2025-03-18 Document linking to C++ standard library (#335)
+- 2025-03-18 Revert "Remove "fips-no-compat", decouple "fips-compat" from "fips"" (#334)
+- 2025-03-11 boring: Disable `SslCurve` API with "fips" feature
+- 2025-03-11 boring-sys: Ignore patches when boringSSL is precompiled
+- 2025-03-13 Remove "fips-no-compat", decouple "fips-compat" from "fips"
+- 2025-03-14 Add feature "fips-no-compat"
+- 2025-03-10 Advertise X25519MLKEM768 with "kx-client-pq-preferred" (#329)
+- 2025-03-10 Update to actions/cache@v4 (#328)
+- 2025-02-28 Add missing release notes entry (#324)
+
 4.15.0
 - 2025-02-27 Expose API to enable certificate compression. (#241)
 - 2025-02-23 Fix lifetimes in ssl::select_next_proto

diff --git a/boring-sys/Cargo.toml b/boring-sys/Cargo.toml
@@ -58,9 +58,19 @@ features = ["pq-experimental", "underscore-wildcards"]
 rustdoc-args = ["--cfg", "docsrs"]
 
 [features]
-# Use a FIPS-validated version of boringssl.
+# Compile boringssl using the FIPS build flag if building boringssl from
+# scratch.
+#
+# See
+# https://boringssl.googlesource.com/boringssl/+/master/crypto/fipsmodule/FIPS.md
+# for instructions and more details on the boringssl FIPS flag.
 fips = []
 
+# Use a precompiled FIPS-validated version of BoringSSL. Meant to be used with
+# FIPS-20230428 or newer. Users must set `BORING_BSSL_FIPS_PATH` to use this
+# feature, or else the build will fail.
+fips-precompiled = []
+
 # Link with precompiled FIPS-validated `bcm.o` module.
 fips-link-precompiled = []
 

diff --git a/boring-sys/build/config.rs b/boring-sys/build/config.rs
@@ -16,6 +16,7 @@ pub(crate) struct Config {
 
 pub(crate) struct Features {
     pub(crate) fips: bool,
+    pub(crate) fips_precompiled: bool,
     pub(crate) fips_link_precompiled: bool,
     pub(crate) pq_experimental: bool,
     pub(crate) rpk: bool,
@@ -47,11 +48,7 @@ impl Config {
         let target_os = env::var("CARGO_CFG_TARGET_OS").unwrap();
 
         let features = Features::from_env();
-        let env = Env::from_env(
-            &host,
-            &target,
-            features.fips || features.fips_link_precompiled,
-        );
+        let env = Env::from_env(&host, &target, features.is_fips_like());
 
         let mut is_bazel = false;
         if let Some(src_path) = &env.source_path {
@@ -80,6 +77,10 @@ impl Config {
             panic!("`fips` and `rpk` features are mutually exclusive");
         }
 
+        if self.features.fips_precompiled && self.features.rpk {
+            panic!("`fips-precompiled` and `rpk` features are mutually exclusive");
+        }
+
         let is_precompiled_native_lib = self.env.path.is_some();
         let is_external_native_lib_source =
             !is_precompiled_native_lib && self.env.source_path.is_none();
@@ -103,28 +104,40 @@ impl Config {
             );
         }
 
+        // todo(rmehra): should this even be a restriction? why not let people link a custom bcm.o?
+        // precompiled boringssl will include libcrypto.a
         if is_precompiled_native_lib && self.features.fips_link_precompiled {
             panic!("precompiled BoringSSL was provided, so FIPS configuration can't be applied");
         }
+
+        if !is_precompiled_native_lib && self.features.fips_precompiled {
+            panic!("`fips-precompiled` feature requires `BORING_BSSL_FIPS_PATH` to be set");
+        }
     }
 }
 
 impl Features {
     fn from_env() -> Self {
         let fips = env::var_os("CARGO_FEATURE_FIPS").is_some();
+        let fips_precompiled = env::var_os("CARGO_FEATURE_FIPS_PRECOMPILED").is_some();
         let fips_link_precompiled = env::var_os("CARGO_FEATURE_FIPS_LINK_PRECOMPILED").is_some();
         let pq_experimental = env::var_os("CARGO_FEATURE_PQ_EXPERIMENTAL").is_some();
         let rpk = env::var_os("CARGO_FEATURE_RPK").is_some();
         let underscore_wildcards = env::var_os("CARGO_FEATURE_UNDERSCORE_WILDCARDS").is_some();
 
         Self {
             fips,
+            fips_precompiled,
             fips_link_precompiled,
             pq_experimental,
             rpk,
             underscore_wildcards,
         }
     }
+
+    pub(crate) fn is_fips_like(&self) -> bool {
+        self.fips || self.fips_precompiled || self.fips_link_precompiled
+    }
 }
 
 impl Env {
@@ -138,6 +151,7 @@ impl Env {
         let target_var = |name: &str| {
             let kind = if host == target { "HOST" } else { "TARGET" };
 
+            // TODO(rmehra): look for just `name` first, as most people just set that
             var(&format!("{}_{}", name, target))
                 .or_else(|| var(&format!("{}_{}", name, target_with_underscores)))
                 .or_else(|| var(&format!("{}_{}", kind, name)))

diff --git a/boring-sys/build/main.rs b/boring-sys/build/main.rs
@@ -661,13 +661,14 @@ fn main() {
     let bssl_dir = built_boring_source_path(&config);
     let build_path = get_boringssl_platform_output_path(&config);
 
-    if config.is_bazel || (config.features.fips && config.env.path.is_some()) {
+    if config.is_bazel || (config.features.is_fips_like() && config.env.path.is_some()) {
         println!(
             "cargo:rustc-link-search=native={}/lib/{}",
             bssl_dir.display(),
             build_path
         );
     } else {
+        // todo(rmehra): clean this up, I think these are pretty redundant
         println!(
             "cargo:rustc-link-search=native={}/build/crypto/{}",
             bssl_dir.display(),
@@ -699,6 +700,11 @@ fn main() {
     println!("cargo:rustc-link-lib=static=crypto");
     println!("cargo:rustc-link-lib=static=ssl");
 
+    if config.target_os == "windows" {
+        // Rust 1.87.0 compat - https://github.com/rust-lang/rust/pull/138233
+        println!("cargo:rustc-link-lib=advapi32");
+    }
+
     let include_path = config.env.include_path.clone().unwrap_or_else(|| {
         if let Some(bssl_path) = &config.env.path {
             return bssl_path.join("include");
@@ -717,9 +723,12 @@ fn main() {
     // bindgen 0.70 replaced the run-time layout tests with compile-time ones,
     // but they depend on std::mem::offset_of, stabilized in 1.77.
     let supports_layout_tests = autocfg::new().probe_rustc_version(1, 77);
+    let Ok(target_rust_version) = bindgen::RustTarget::stable(68, 0) else {
+        panic!("bindgen does not recognize target rust version");
+    };
 
     let mut builder = bindgen::Builder::default()
-        .rust_target(bindgen::RustTarget::Stable_1_68) // bindgen MSRV is 1.70, so this is enough
+        .rust_target(target_rust_version) // bindgen MSRV is 1.70, so this is enough
         .derive_copy(true)
         .derive_debug(true)
         .derive_default(true)
@@ -759,7 +768,7 @@ fn main() {
         "des.h",
         "dtls1.h",
         "hkdf.h",
-        #[cfg(not(any(feature = "fips", feature = "fips-no-compat")))]
+        #[cfg(not(feature = "fips"))]
         "hpke.h",
         "hmac.h",
         "hrss.h",

diff --git a/boring-sys/src/lib.rs b/boring-sys/src/lib.rs
@@ -19,6 +19,7 @@ use std::os::raw::{c_char, c_int, c_uint, c_ulong};
 #[allow(
     clippy::useless_transmute,
     clippy::derive_partial_eq_without_eq,
+    clippy::ptr_offset_with_cast,
     dead_code
 )]
 mod generated {

diff --git a/boring/Cargo.toml b/boring/Cargo.toml
@@ -19,24 +19,27 @@ rustdoc-args = ["--cfg", "docsrs"]
 [features]
 # Controlling the build
 
-# Use a FIPS-validated version of BoringSSL. This feature sets "fips-compat".
-fips = ["fips-compat", "boring-sys/fips"]
-
-# Use a FIPS build of BoringSSL, but don't set "fips-compat".
+# NOTE: This feature is deprecated. It is needed for the submoduled
+# boringssl-fips, which is extremely old and requires modifications to the
+# bindings, as some newer APIs don't exist and some function signatures have
+# changed. It is highly recommended to use `fips-precompiled` instead.
 #
-# As of boringSSL commit a430310d6563c0734ddafca7731570dfb683dc19, we no longer
-# need to make exceptions for the types of BufLen, ProtosLen, and ValueLen,
-# which means the "fips-compat" feature is no longer needed.
+# This feature sets `fips-compat` on behalf of the user to guarantee bindings
+# compatibility with the submoduled boringssl-fips.
 #
-# TODO(cjpatton) Delete this feature and modify "fips" so that it doesn't imply
-# "fips-compat".
-fips-no-compat = ["boring-sys/fips"]
+# Use a FIPS-validated version of BoringSSL.
+fips = ["fips-compat", "boring-sys/fips"]
 
-# Build with compatibility for the BoringSSL FIPS version, without enabling the
-# `fips` feature itself (useful e.g. if `fips-link-precompiled` is used with an
-# older BoringSSL version).
+# Build with compatibility for the submoduled boringssl-fips, without enabling
+# the `fips` feature itself (useful e.g. if `fips-link-precompiled` is used
+# with an older BoringSSL version).
 fips-compat = []
 
+# Use a precompiled FIPS-validated version of BoringSSL. Meant to be used with
+# FIPS-20230428 or newer. Users must set `BORING_BSSL_FIPS_PATH` to use this
+# feature, or else the build will fail.
+fips-precompiled = ["boring-sys/fips-precompiled"]
+
 # Link with precompiled FIPS-validated `bcm.o` module.
 fips-link-precompiled = ["boring-sys/fips-link-precompiled"]
 

diff --git a/boring/src/fips.rs b/boring/src/fips.rs
@@ -16,13 +16,13 @@ pub fn enabled() -> bool {
 fn is_enabled() {
     #[cfg(any(
         feature = "fips",
-        feature = "fips-no-compat",
+        feature = "fips-precompiled",
         feature = "fips-link-precompiled"
     ))]
     assert!(enabled());
     #[cfg(not(any(
         feature = "fips",
-        feature = "fips-no-compat",
+        feature = "fips-precompiled",
         feature = "fips-link-precompiled"
     )))]
     assert!(!enabled());

diff --git a/boring/src/lib.rs b/boring/src/lib.rs
@@ -130,7 +130,7 @@ pub mod error;
 pub mod ex_data;
 pub mod fips;
 pub mod hash;
-#[cfg(not(any(feature = "fips", feature = "fips-no-compat")))]
+#[cfg(not(feature = "fips"))]
 pub mod hpke;
 pub mod memcmp;
 pub mod nid;