google · jonasfj · May 21, 2026 · Jun 28, 2025 · Jul 26, 2025 · Jan 7, 2026
diff --git a/.github/workflows/update-boringssl.yml b/.github/workflows/update-boringssl.yml
@@ -0,0 +1,96 @@
+name: update-boringssl
+
+on:
+  workflow_dispatch:
+    inputs:
+      revision:
+        description: Optional BoringSSL revision SHA. Leave empty for latest.
+        required: false
+        type: string
+  schedule:
+    - cron: '0 9 * * 1'
+
+permissions:
+  contents: write
+  pull-requests: write
+
+concurrency:
+  group: update-boringssl
+  cancel-in-progress: false
+
+jobs:
+  roll:
+    name: Roll BoringSSL
+    runs-on: ubuntu-latest
+    timeout-minutes: 60
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: subosito/flutter-action@v2
+        with:
+          channel: stable
+          cache: true
+
+      - name: Install system dependencies
+        run: |
+          sudo apt-get update -y
+          sudo apt-get install -y jq ninja-build libgtk-3-dev
+          flutter config --no-analytics
+
+      - name: Configure git
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+
+      - name: Run BoringSSL roll script
+        id: roll
+        shell: bash
+        run: |
+          set -euo pipefail
+          revision='${{ github.event.inputs.revision || '' }}'
+          if [[ -n "$revision" ]]; then
+            bash ./tool/bump-boringssl-revision.sh "$revision"
+          else
+            bash ./tool/bump-boringssl-revision.sh
+          fi
+
+          new_revision="$(tr -d ' \t\n\r' < tool/REVISION)"
+          echo "revision=$new_revision" >> "$GITHUB_OUTPUT"
+          echo "short_revision=${new_revision:0:8}" >> "$GITHUB_OUTPUT"
+
+      - name: Check for changes
+        id: changes
+        shell: bash
+        run: |
+          if git diff --quiet; then
+            echo "changed=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "changed=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Create pull request
+        if: steps.changes.outputs.changed == 'true'
+        uses: peter-evans/create-pull-request@v7
+        with:
+          branch: "update-boringssl-${{ steps.roll.outputs.short_revision }}"
+          delete-branch: true
+          commit-message: "chore: update BoringSSL to ${{ steps.roll.outputs.short_revision }}"
+          title: "chore: update BoringSSL to ${{ steps.roll.outputs.short_revision }}"
+          body: |
+            Updates vendored BoringSSL to `${{ steps.roll.outputs.revision }}` using `tool/bump-boringssl-revision.sh`.
+
+            This workflow is intentionally thin: it just provisions the environment, runs the script, and opens a PR if the script produced a diff.
+          labels: |
+            dependencies
+            boringssl-update
+
+      - name: Summary
+        shell: bash
+        run: |
+          if [[ '${{ steps.changes.outputs.changed }}' == 'true' ]]; then
+            echo "Created or updated a PR for BoringSSL revision ${{ steps.roll.outputs.revision }}"
+          else
+            echo "No vendored changes were produced for BoringSSL revision ${{ steps.roll.outputs.revision }}"
+          fi
diff --git a/lib/src/boringssl/lookup/lookup.dart b/lib/src/boringssl/lookup/lookup.dart
@@ -28,8 +28,13 @@ export 'symbols.generated.dart' show Sym;
 )
 external Pointer<Void> _nativeWebcryptoLookupSymbol(int index);
 
-/// Resolve lookup from native assets first, then fall back to the legacy
-/// runtime loading strategy used by `flutter pub run webcrypto:setup`.
+@Native<Size Function()>(
+  symbol: 'webcrypto_get_CBB_size',
+  assetId: 'package:webcrypto/webcrypto.dart',
+)
+external int _nativeWebcryptoGetCbbSize();
+
+/// Resolve lookup from the bundled native asset for `package:webcrypto`.
 Pointer<T> lookup<T extends NativeType>(String symbolName) {
   final sym = symFromString(symbolName);
   return _nativeWebcryptoLookupSymbol(sym.index).cast<T>();
@@ -38,6 +43,9 @@ Pointer<T> lookup<T extends NativeType>(String symbolName) {
 /// Gives access to BoringSSL symbols.
 final BoringSsl ssl = BoringSsl.fromLookup(lookup);
 
+/// Gets the native `sizeof(CBB)` value from the bundled helper library.
+int nativeWebcryptoGetCbbSize() => _nativeWebcryptoGetCbbSize();
+
 /// ERR_GET_LIB returns the library code for the error. This is one of the
 /// ERR_LIB_* values.
 ///

diff --git a/lib/src/boringssl/lookup/utils.dart b/lib/src/boringssl/lookup/utils.dart
@@ -69,9 +69,9 @@ lookupLibraryInDotDartTool() {
 
 /// Find the `.dart_tool/` folder, returns `null` if unable to find it.
 Uri? _findDotDartTool() {
-  // HACK: We have no good mechanism for finding the library created by:
-  //         flutter pub run webcrypto:setup
-  //       So we search relative to the script path and CWD.
+  // HACK: We have no good mechanism for finding the legacy
+  // `.dart_tool/webcrypto/` output, so we search relative to the script path
+  // and CWD.
 
   // Find script directory
   Uri root = Platform.script.resolve('./');

diff --git a/lib/src/impl_ffi/impl_ffi.dart b/lib/src/impl_ffi/impl_ffi.dart
@@ -29,7 +29,8 @@ import 'package:webcrypto/src/third_party/boringssl/generated_bindings.dart';
 import '../jsonwebkey.dart' show JsonWebKey;
 import '../webcrypto/webcrypto.dart';
 import '../impl_interface/impl_interface.dart';
-import '../boringssl/lookup/lookup.dart' show ssl, ERR_GET_LIB, ERR_GET_REASON;
+import '../boringssl/lookup/lookup.dart'
+    show ssl, nativeWebcryptoGetCbbSize, ERR_GET_LIB, ERR_GET_REASON;
 
 part 'impl_ffi.aescbc.dart';
 part 'impl_ffi.aesctr.dart';

diff --git a/lib/src/impl_ffi/impl_ffi.utils.dart b/lib/src/impl_ffi/impl_ffi.utils.dart
@@ -308,12 +308,14 @@ extension on _Scope {
 
   ffi.Pointer<CBS> createCBS(List<int> data) {
     final cbs = this<CBS>();
-    ssl.CBS_init(cbs, dataAsPointer(data), data.length);
+    cbs.ref.data = dataAsPointer(data);
+    cbs.ref.len = data.length;
     return cbs;
   }
 
   ffi.Pointer<CBB> createCBB([int sizeHint = 4096]) {
-    final cbb = this<CBB>();
+    final cbbSize = nativeWebcryptoGetCbbSize();
+    final cbb = allocate<ffi.Uint8>(cbbSize).cast<CBB>();
     ssl.CBB_zero(cbb);
     _checkOp(ssl.CBB_init(cbb, sizeHint) == 1, fallback: 'allocation failure');
     defer(() => ssl.CBB_cleanup(cbb));

diff --git a/lib/src/third_party/boringssl/ffigen.yaml b/lib/src/third_party/boringssl/ffigen.yaml
@@ -11,9 +11,9 @@ headers:
     - '../../../../third_party/boringssl/src/include/openssl/cipher.h'
     - '../../../../third_party/boringssl/src/include/openssl/crypto.h'
     - '../../../../third_party/boringssl/src/include/openssl/digest.h'
-    - '../../../../third_party/boringssl/src/include/openssl/ec_key.h'
     - '../../../../third_party/boringssl/src/include/openssl/ec.h'
     - '../../../../third_party/boringssl/src/include/openssl/ecdh.h'
+    - '../../../../third_party/boringssl/src/include/openssl/ec_key.h'
     - '../../../../third_party/boringssl/src/include/openssl/ecdsa.h'
     - '../../../../third_party/boringssl/src/include/openssl/err.h'
     - '../../../../third_party/boringssl/src/include/openssl/evp.h'

diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
@@ -12,33 +12,34 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# Build script used by `flutter pub run webcrypto:setup` to create
-# `.dart_tool/webcrypto/webcrypto.{so|dylib|dll}` for use by `flutter test`.
-#
-# When running as a plugin platform specific build scripts will be used:
-#  - `android/CMakeLists.txt`, for Android,
-#  -  TODO: `ios/podspec...`
-#
-# This script is very similar to platform specific build scripts.
+# Build script used by native hooks and local tooling to create the shared
+# `webcrypto` library for the current host platform.
 
 cmake_minimum_required(VERSION 3.10.0)
 project(webcrypto)
 
+# Set C++ standard to C++17 for BoringSSL compatibility
+set(CMAKE_CXX_STANDARD 17)
+set(CMAKE_CXX_STANDARD_REQUIRED ON)
+
 enable_language(ASM)
 
 # Set as required by ../third_party/boringssl/sources.cmake included below
 set(BORINGSSL_ROOT ../third_party/boringssl/)
 
-# Import sources as generated by tool/update-boringssl.py
+# Import sources as generated by tool/bump-boringssl-revision.sh
 # This provides variables, and requires BORINGSSL_ROOT to be set.
 #  - crypto_sources
 #  - crypto_sources_linux_aarch64
 #  - crypto_sources_linux_arm
 #  - crypto_sources_linux_ppc64le
 #  - crypto_sources_linux_x86
 #  - crypto_sources_linux_x86_64
-#  - crypto_sources_mac_x86
-#  - crypto_sources_mac_x86_64
+#  - crypto_sources_apple_aarch64
+#  - crypto_sources_apple_arm
+#  - crypto_sources_apple_x86
+#  - crypto_sources_apple_x86_64
+#  - crypto_sources_win_aarch64
 #  - crypto_sources_win_x86
 #  - crypto_sources_win_x86_64
 include(
@@ -85,7 +86,7 @@ if(${CMAKE_SYSTEM_NAME} STREQUAL "Windows")
   set(PLATFORM "win")
 elseif(${CMAKE_SYSTEM_NAME} STREQUAL "Darwin" OR
        ${CMAKE_SYSTEM_NAME} STREQUAL "iOS")
-  set(PLATFORM "mac")
+  set(PLATFORM "apple")
 else()
   # Assume we're on linux or similar platform
   set(PLATFORM "linux")
@@ -108,6 +109,7 @@ if(MSVC)
       "C4267" # conversion from 'size_t' to 'int', possible loss of data
       "C4706" # assignment within conditional expression
       "C4141"
+      "C4201" # nonstandard extension used: nameless struct/union
       )
   string(REPLACE "C" " -wd" MSVC_DISABLED_WARNINGS_STR
                             ${MSVC_DISABLED_WARNINGS_LIST})
@@ -132,6 +134,8 @@ if(WIN32)
   add_definitions(-DNOMINMAX)
   # Allow use of fopen.
   add_definitions(-D_CRT_SECURE_NO_WARNINGS)
+  # Ensure proper Windows entropy sources
+  add_definitions(-DBORINGSSL_UNSAFE_DETERMINISTIC_MODE=0)
 endif()
 
 add_library(

diff --git a/src/webcrypto.c b/src/webcrypto.c
@@ -22,3 +22,7 @@
 WEBCRYPTO_EXPORT void* webcrypto_lookup_symbol(int32_t index) {
   return _webcrypto_symbol_table[index];
 }
+
+WEBCRYPTO_EXPORT size_t webcrypto_get_CBB_size(void) {
+  return sizeof(CBB);
+}
diff --git a/src/webcrypto.h b/src/webcrypto.h
@@ -14,6 +14,7 @@
  * limitations under the License.
  */
 
+#include <stddef.h>
 #include <stdint.h>
 
 // Macro for annotating all functions to be exported
@@ -26,4 +27,7 @@
 
 // Function to lookup BoringSSL symbols based on index in the Sym enum.
 // See src/symbols.yaml for details.
-WEBCRYPTO_EXPORT void* webcrypto_lookup_symbol(int32_t index);
+WEBCRYPTO_EXPORT void* webcrypto_lookup_symbol(int32_t index);
+
+// Helper function to get the size of CBB structure for FFI allocation.
+WEBCRYPTO_EXPORT size_t webcrypto_get_CBB_size(void);
diff --git a/third_party/boringssl/README.md b/third_party/boringssl/README.md
@@ -3,9 +3,8 @@
 **GENERATED FOLDER DO NOT MODIFY**
 
 This folder contains sources from BoringSSL allowing `package:webcrypto` to
-incorporate libcrypto from BoringSSL. Contents of this folder is generated
-using `tool/update-boringssl.py` which utilizes scripts and procedures from
-`src/INCORPORATING.md` to faciliate embedding of libcrypto from BoringSSL.
+incorporate libcrypto from BoringSSL. Contents of this folder are generated
+using `tool/bump-boringssl-revision.sh`.
 
 Files in this folder are subject to `LICENSE` from the BoringSSL project.
 

diff --git a/third_party/boringssl/sources.cmake b/third_party/boringssl/sources.cmake
@@ -15,7 +15,7 @@
 # **GENERATED FILE DO NOT MODIFY**
 #
 # This file is generated using:
-# `tool/update-boringssl.py`
+# `tool/bump-boringssl-revision.sh`
 
 set(crypto_sources
   ${BORINGSSL_ROOT}err_data.c

diff --git a/tool/REVISION b/tool/REVISION
@@ -0,0 +1 @@
+a873ab7906bc5b1431821864df8036068aab972d