From 85cf1b04c7f9dfc766052f4544b57309ab6b7924 Mon Sep 17 00:00:00 2001
From: Kornel <kornel@cloudflare.com>
Date: Wed, 7 Jan 2026 20:42:05 +0000
Subject: [PATCH 1/5] Cross-platform Cargo registry cache

---
 .gitattributes           |  1 +
 .github/workflows/ci.yml | 38 ++++++++++++++++++++++----------------
 2 files changed, 23 insertions(+), 16 deletions(-)
 create mode 100644 .gitattributes

diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 000000000..a7bce3105
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1 @@
+*.toml text eol=lf
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 77c85a4d2..ea6a151e9 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -28,6 +28,8 @@ jobs:
   clippy:
     name: clippy
     runs-on: ubuntu-latest
+    env:
+      CARGO_HOME: ${{ github.workspace }}/.cache/cargo
     steps:
       - uses: actions/checkout@v4
         with:
@@ -36,15 +38,17 @@ jobs:
         run: rustup toolchain add stable --no-self-update --component clippy && rustup default stable
       - name: Get rust version
         id: rust-version
+        shell: bash
         run: |
           echo "version=$(rustc --version)" >> $GITHUB_OUTPUT
       - name: Cache cargo index
         uses: actions/cache@v4
         with:
           path: |
-            ~/.cargo/registry/index
-            ~/.cargo/registry/cache
+            .cache/cargo/registry/index
+            .cache/cargo/registry/cache
           key: index-${{ steps.rust-version.outputs.version }}-${{ hashFiles('Cargo.toml') }}
+          enableCrossOsArchive: true
       - name: Fetch dependencies
         run: cargo fetch
       - name: Cache target directory
@@ -188,15 +192,28 @@ jobs:
           os: windows-latest
           # CI's Windows doesn't have required root certs
           extra_test_args: --workspace --exclude tokio-boring --exclude hyper-boring
-
+    env:
+      CARGO_HOME: ${{ github.workspace }}/.cache/cargo
     steps:
     - uses: actions/checkout@v4
       with:
         submodules: 'recursive'
     - name: Install Rust (rustup)
-      run: rustup update ${{ matrix.rust }} --no-self-update && rustup default ${{ matrix.rust }}
+      run: rustup update ${{ matrix.rust }} --no-self-update && rustup default ${{ matrix.rust }} && rustup target add ${{ matrix.target }}
+      shell: bash
+    - name: Get rust version
+      id: rust-version
       shell: bash
-    - run: rustup target add ${{ matrix.target }}
+      run: |
+        echo "version=$(rustc --version)" >> $GITHUB_OUTPUT
+    - name: Prepopulate cargo index
+      uses: actions/cache/restore@v4
+      with:
+        path: |
+          .cache/cargo/registry/index
+          .cache/cargo/registry/cache
+        key: index-${{ steps.rust-version.outputs.version }}-${{ hashFiles('Cargo.toml') }}
+        enableCrossOsArchive: true
     - name: Install golang
       uses: actions/setup-go@v5
       with:
@@ -221,17 +238,6 @@ jobs:
     - name: Set Android Linker path
       if: endsWith(matrix.thing, '-android')
       run: echo "CARGO_TARGET_$(echo ${{ matrix.target }} | tr \\-a-z _A-Z)_LINKER=$ANDROID_NDK/toolchains/llvm/prebuilt/linux-x86_64/bin/$(echo ${{ matrix.target }} | sed s/armv7/armv7a/)21-clang++" >> "$GITHUB_ENV"
-    - name: Get rust version
-      id: rust-version
-      run: |
-        echo "version=$(rustc --version)" >> $GITHUB_OUTPUT
-    - name: Prepopulate cargo index
-      uses: actions/cache/restore@v4
-      with:
-        path: |
-          ~/.cargo/registry/index
-          ~/.cargo/registry/cache
-        key: index-${{ steps.rust-version.outputs.version }}-${{ hashFiles('Cargo.toml') }}
     - name: Build tests
       # We `build` because we want the linker to verify we are cross-compiling correctly for check-only targets.
       run: cargo build --target ${{ matrix.target }} --tests ${{ matrix.extra_test_args }}

From d224f2a784c1a46d5993454302e1eb819a356f08 Mon Sep 17 00:00:00 2001
From: Kornel <kornel@cloudflare.com>
Date: Fri, 16 Jan 2026 17:12:32 +0000
Subject: [PATCH 2/5] cargo publish is target-specific

---
 .github/workflows/ci.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ea6a151e9..b93891d90 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -259,7 +259,9 @@ jobs:
       #
       # Both of these may no longer be the case after updating the BoringSSL
       # submodules to a new revision, so it's important to test this on CI.
-      run: cargo publish --dry-run -p boring-sys
+      run: cargo publish --dry-run --target ${{ matrix.target }} -p boring-sys
+      shell: bash
+      env: ${{ matrix.custom_env }}
 
   test-fips:
     name: Test FIPS integration

From 8b17dc5f3e86ea18b691487e07ba703c1b0a17a2 Mon Sep 17 00:00:00 2001
From: Kornel <kornel@cloudflare.com>
Date: Fri, 16 Jan 2026 17:28:34 +0000
Subject: [PATCH 3/5] Include err.h in FFI bindings

---
 boring-sys/build/main.rs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/boring-sys/build/main.rs b/boring-sys/build/main.rs
index 798d5984b..6f53cd827 100644
--- a/boring-sys/build/main.rs
+++ b/boring-sys/build/main.rs
@@ -679,6 +679,7 @@ fn generate_bindings(config: &Config) {
         "curve25519.h",
         "des.h",
         "dtls1.h",
+        "err.h",
         "hkdf.h",
         "hpke.h",
         "hmac.h",

From a37c6f4832242f209be5ccca34aae939bc5546ae Mon Sep 17 00:00:00 2001
From: Kornel <kornel@cloudflare.com>
Date: Mon, 19 Jan 2026 22:41:46 +0000
Subject: [PATCH 4/5] Use fips-build-compatible ERR_add_error_data

---
 boring/src/error.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/boring/src/error.rs b/boring/src/error.rs
index 1e8f79467..5087d10fb 100644
--- a/boring/src/error.rs
+++ b/boring/src/error.rs
@@ -193,7 +193,7 @@ impl Error {
                 self.line,
             );
             if let Some(cstr) = self.data_cstr() {
-                ffi::ERR_set_error_data(cstr.as_ptr().cast_mut(), ffi::ERR_FLAG_STRING);
+                ffi::ERR_add_error_data(1, cstr.as_ptr().cast_mut());
             }
         }
     }

From 0c316cfc80bcb7e694bb7539052950e3a247e355 Mon Sep 17 00:00:00 2001
From: Kornel <kornel@cloudflare.com>
Date: Tue, 13 Jan 2026 19:31:57 +0000
Subject: [PATCH 5/5] Test MinGW32

---
 .github/workflows/ci.yml | 39 ++++++++++++++++++++++++++++++++++++++-
 1 file changed, 38 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b93891d90..42155d6c2 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -69,6 +69,7 @@ jobs:
       matrix:
         thing:
         - stable
+        - i686-mingw
         - arm-android
         - arm64-android
         - i686-android
@@ -180,6 +181,16 @@ jobs:
             LIBRARY_PATH: "C:\\msys64\\usr\\lib"
           # CI's Windows doesn't have required root certs
           extra_test_args: --workspace --exclude tokio-boring --exclude hyper-boring
+        - thing: i686-mingw
+          target: i686-pc-windows-gnu
+          rust: stable
+          os: windows-latest
+          check_only: true
+          custom_env:
+            CMAKE_GENERATOR: "MinGW Makefiles"
+            COLLECT_GCC: null
+          # CI's Windows doesn't have required root certs
+          extra_test_args: --workspace --exclude tokio-boring --exclude hyper-boring
         - thing: i686-msvc
           target: i686-pc-windows-msvc
           rust: stable-x86_64-msvc
@@ -226,6 +237,32 @@ jobs:
       if: startsWith(matrix.os, 'windows')
       run: choco install nasm
       shell: cmd
+    - name: Setup 32-bit MSYS2
+      if: matrix.thing == 'i686-mingw'
+      uses: msys2/setup-msys2@v2
+      id: msys2
+      with:
+        msystem: MINGW32
+        path-type: inherit
+        install: >-
+          mingw-w64-i686-gcc
+          mingw-w64-i686-cmake
+    - name: Setup 32-bit MSYS2 Env vars
+      if: matrix.thing == 'i686-mingw'
+      shell: bash
+      run: |
+        MSYS_ROOT='${{ steps.msys2.outputs.msys2-location }}'
+        test -d "$MSYS_ROOT\\mingw32\\bin"
+        echo >> $GITHUB_PATH "$MSYS_ROOT\\mingw32\\bin"
+        echo >> $GITHUB_PATH "$MSYS_ROOT\\usr\\bin"
+        echo >> $GITHUB_ENV CC="$MSYS_ROOT\\mingw32\\bin\\gcc"
+        echo >> $GITHUB_ENV CXX="$MSYS_ROOT\\mingw32\\bin\\g++"
+        echo >> $GITHUB_ENV AR="$MSYS_ROOT\\mingw32\\bin\\ar"
+        echo >> $GITHUB_ENV CFLAGS="-mlong-double-64 -I$MSYS_ROOT\\mingw32\\include"
+        echo >> $GITHUB_ENV CXXFLAGS="-mlong-double-64 -I$MSYS_ROOT\\mingw32\\include"
+        echo >> $GITHUB_ENV BINDGEN_EXTRA_CLANG_ARGS="-mlong-double-64 -I$MSYS_ROOT\\mingw32\\include"
+        echo >> $GITHUB_ENV LIBRARY_PATH="$MSYS_ROOT\\mingw32\\lib"
+        echo >> $GITHUB_ENV LDFLAGS="-L$MSYS_ROOT\\mingw32\\lib"
     - name: Install LLVM and Clang
       if: startsWith(matrix.os, 'windows')
       uses: KyleMayes/install-llvm-action@v1
@@ -240,7 +277,7 @@ jobs:
       run: echo "CARGO_TARGET_$(echo ${{ matrix.target }} | tr \\-a-z _A-Z)_LINKER=$ANDROID_NDK/toolchains/llvm/prebuilt/linux-x86_64/bin/$(echo ${{ matrix.target }} | sed s/armv7/armv7a/)21-clang++" >> "$GITHUB_ENV"
     - name: Build tests
       # We `build` because we want the linker to verify we are cross-compiling correctly for check-only targets.
-      run: cargo build --target ${{ matrix.target }} --tests ${{ matrix.extra_test_args }}
+      run: cargo build -v --target ${{ matrix.target }} --tests ${{ matrix.extra_test_args }}
       shell: bash
       env: ${{ matrix.custom_env }}
     - name: Run tests (skip=${{ matrix.check_only }})