From 27aaa7cb3114644e6ababc3f3f85f4f8d092d7c4 Mon Sep 17 00:00:00 2001 From: Kornel Date: Tue, 6 Jan 2026 13:31:24 +0000 Subject: [PATCH 1/4] Cleaner include path check --- boring-sys/build/main.rs | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/boring-sys/build/main.rs b/boring-sys/build/main.rs index 0f7053cb8..35d5bd249 100644 --- a/boring-sys/build/main.rs +++ b/boring-sys/build/main.rs @@ -658,15 +658,15 @@ fn generate_bindings(config: &Config) { .clang_arg("--sysroot") .clang_arg(sysroot.display().to_string()); - let c_target = format!( - "{}-{}-{}", - &config.target_arch, &config.target_os, &config.target_env - ); - // we need to add special platform header file with env for support cross building - let header = format!("{}/usr/include/{}", sysroot.display(), c_target); - if PathBuf::from(&header).is_dir() { - builder = builder.clang_arg("-I").clang_arg(&header); + let target_include_dir = sysroot.join(format!( + "usr/include/{}-{}-{}", + config.target_arch, config.target_os, config.target_env + )); + if target_include_dir.is_dir() { + builder = builder + .clang_arg("-I") + .clang_arg(target_include_dir.display().to_string()); } } From 39151a968650df78525e14345e39b1f78006ce0c Mon Sep 17 00:00:00 2001 From: Kornel Date: Mon, 29 Dec 2025 18:23:24 +0000 Subject: [PATCH 2/4] Avoid unicode chars --- hyper-boring/src/v1.rs | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/hyper-boring/src/v1.rs b/hyper-boring/src/v1.rs index f4cb0168d..392344ea4 100644 --- a/hyper-boring/src/v1.rs +++ b/hyper-boring/src/v1.rs 
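Review bot: In the `generate_bindings` hunk of boring-sys/build/main.rs, `target_include_dir.display().to_string()` is a lossy conversion, so with a non-UTF-8 sysroot the directory tested by `is_dir()` and the string passed after `-I` can differ. The build would then continue with a search path that was never checked instead of stopping. Converting strictly makes the mismatch visible, for example `.clang_arg(target_include_dir.to_str().expect("target include dir must be valid UTF-8"))`. The `--sysroot` context line just above uses the same `display().to_string()` pattern and could be changed with it. The function body starts and ends outside this hunk.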
@@ -253,15 +253,12 @@ where // If `host` is an IPv6 address, we must strip away the square brackets that surround // it (otherwise, boring will fail to parse the host as an IP address, eventually // causing the handshake to fail due a hostname verification error). - if !host.is_empty() { - let last = host.len() - 1; - let mut chars = host.chars(); - - if let (Some('['), Some(']')) = (chars.next(), chars.last()) { - if host[1..last].parse::().is_ok() { - host = &host[1..last]; - } - } + if let Some(ipv6) = host + .strip_prefix('[') + .and_then(|h| h.strip_suffix(']')) + .filter(|h| h.parse::().is_ok()) + { + host = ipv6; } let ssl = inner.setup_ssl(&uri, host)?; From 2a4d0dfbb57f65e8e1c31db38ded67a851e004ab Mon Sep 17 00:00:00 2001 From: Kornel Date: Tue, 6 Jan 2026 12:59:18 +0000 Subject: [PATCH 3/4] Clippy --- boring-sys/build/main.rs | 2 +- boring/src/dsa.rs | 2 +- boring/src/ssl/error.rs | 1 + boring/src/ssl/mod.rs | 7 +++++-- boring/src/ssl/test/ech.rs | 6 +++--- boring/src/ssl/test/mod.rs | 8 ++++---- boring/src/ssl/test/session.rs | 4 ++-- boring/src/ssl/test/session_resumption.rs | 4 ++-- boring/src/x509/store.rs | 1 + boring/src/x509/tests/mod.rs | 2 +- boring/src/x509/tests/trusted_first.rs | 2 +- hyper-boring/src/cache.rs | 5 ++--- hyper-boring/src/v1.rs | 7 +++---- hyper-boring/tests/v1.rs | 6 +++--- tokio-boring/tests/async_get_session.rs | 4 ++-- 15 files changed, 32 insertions(+), 29 deletions(-) diff --git a/boring-sys/build/main.rs b/boring-sys/build/main.rs index 35d5bd249..5e744cd6a 100644 --- a/boring-sys/build/main.rs +++ b/boring-sys/build/main.rs @@ -722,7 +722,7 @@ fn ensure_err_lib_enum_is_named(source_code: &mut Vec) { let src = String::from_utf8_lossy(source_code); let enum_type = src .split_once("ERR_LIB_SSL:") - .and_then(|(_, def)| Some(def.split_once("=")?.0)) + .and_then(|(_, def)| Some(def.split_once('=')?.0)) .unwrap_or("_bindgen_ty_1"); source_code.extend_from_slice( 
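Review bot: In the hyper-boring/src/v1.rs hunk at -253 (PATCH 2/4), a bracketed host that fails the IPv6 parse is passed to `inner.setup_ssl(&uri, host)` with its brackets intact, and nothing in the hunk says this is intended. Going by the existing comment, that path ends in a hostname verification error, which is the safe outcome, but the next maintainer should not have to infer it. I would add a line above the `if let`, such as `// A bracketed host that is not a valid IPv6 literal is left untouched, so verification rejects it.` A small test pinning the four cases would also help: a valid bracketed literal, brackets around a non-address, a lone `[`, and an empty host. The enclosing async block starts outside the hunk.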
diff --git a/boring/src/dsa.rs b/boring/src/dsa.rs index be13da9fa..ca7efaf32 100644 --- a/boring/src/dsa.rs +++ b/boring/src/dsa.rs @@ -300,7 +300,7 @@ mod test { let mut ctx = BigNumContext::new().unwrap(); let mut calc = BigNum::new().unwrap(); calc.mod_exp(g, priv_key, p, &mut ctx).unwrap(); - assert_eq!(&calc, pub_key) + assert_eq!(&calc, pub_key); } #[test] diff --git a/boring/src/ssl/error.rs b/boring/src/ssl/error.rs index 2209c503a..1766724cb 100644 --- a/boring/src/ssl/error.rs +++ b/boring/src/ssl/error.rs @@ -79,6 +79,7 @@ impl ErrorCode { } #[corresponds(SSL_error_description)] + #[must_use] pub fn description(self) -> Option<&'static str> { unsafe { let msg = ffi::SSL_error_description(self.0); diff --git a/boring/src/ssl/mod.rs b/boring/src/ssl/mod.rs index 99a26fb1c..85ac7a4c1 100644 --- a/boring/src/ssl/mod.rs +++ b/boring/src/ssl/mod.rs @@ -1658,7 +1658,7 @@ impl SslContextBuilder { C: CertificateCompressor, { const { - assert!(C::CAN_COMPRESS || C::CAN_DECOMPRESS, "Either compression or decompression must be supported for algorithm to be registered") + assert!(C::CAN_COMPRESS || C::CAN_DECOMPRESS, "Either compression or decompression must be supported for algorithm to be registered"); }; let success = unsafe { ffi::SSL_CTX_add_cert_compression_alg( @@ -1705,7 +1705,7 @@ impl SslContextBuilder { decrypt: Some(callbacks::raw_decrypt::), complete: Some(callbacks::raw_complete::), }, - ) + ); } } @@ -2327,6 +2327,7 @@ impl SslContextRef { } /// Returns `true` if context is configured for X.509 certificates. + #[must_use] pub fn has_x509_support(&self) -> bool { self.ex_data(*X509_FLAG_INDEX).copied().unwrap_or_default() } @@ -2351,6 +2352,7 @@ impl SslContextRef { /// Returns the list of server certificate types. #[corresponds(SSL_CTX_get0_server_certificate_types)] #[cfg(feature = "rpk")] + #[must_use] pub fn server_certificate_types(&self) -> Option<&[CertificateType]> { let mut types = ptr::null(); let mut types_len = 0; 
@@ -4644,6 +4646,7 @@ impl SslCredentialBuilder { } } + #[must_use] pub fn build(self) -> SslCredential { self.0 } diff --git a/boring/src/ssl/test/ech.rs b/boring/src/ssl/test/ech.rs index d2797d427..db4d43149 100644 --- a/boring/src/ssl/test/ech.rs +++ b/boring/src/ssl/test/ech.rs @@ -40,7 +40,7 @@ fn ech() { let (_server, client) = bootstrap_ech(ECH_CONFIG, ECH_KEY, ECH_CONFIG_LIST); let ssl_stream = client.connect(); - assert!(ssl_stream.ssl().ech_accepted()) + assert!(ssl_stream.ssl().ech_accepted()); } #[test] @@ -57,7 +57,7 @@ fn ech_rejection() { Some(b"ech.com".to_vec().as_ref()) ); assert!(failed_ssl_stream.ssl().get_ech_retry_configs().is_some()); - assert!(!failed_ssl_stream.ssl().ech_accepted()) + assert!(!failed_ssl_stream.ssl().ech_accepted()); } #[test] @@ -69,5 +69,5 @@ fn ech_grease() { client.ssl().set_enable_ech_grease(true); let ssl_stream = client.connect(); - assert!(!ssl_stream.ssl().ech_accepted()) + assert!(!ssl_stream.ssl().ech_accepted()); } diff --git a/boring/src/ssl/test/mod.rs b/boring/src/ssl/test/mod.rs index e6c61cf85..324163897 100644 --- a/boring/src/ssl/test/mod.rs +++ b/boring/src/ssl/test/mod.rs @@ -1010,7 +1010,7 @@ fn test_set_compliance() { assert_eq!(ciphers.len(), FIPS_CIPHERS.len()); for cipher in ciphers.into_iter().zip(FIPS_CIPHERS) { - assert_eq!(cipher.0.name(), cipher.1) + assert_eq!(cipher.0.name(), cipher.1); } let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); @@ -1029,7 +1029,7 @@ fn test_set_compliance() { assert_eq!(ciphers.len(), WPA3_192_CIPHERS.len()); for cipher in ciphers.into_iter().zip(WPA3_192_CIPHERS) { - assert_eq!(cipher.0.name(), cipher.1) + assert_eq!(cipher.0.name(), cipher.1); } ctx.set_compliance_policy(CompliancePolicy::NONE) 
@@ -1092,7 +1092,7 @@ fn test_ssl_set_compliance() { assert_eq!(ciphers.len(), FIPS_CIPHERS.len()); for cipher in ciphers.into_iter().zip(FIPS_CIPHERS) { - assert_eq!(cipher.0.name(), cipher.1) + assert_eq!(cipher.0.name(), cipher.1); } let ctx = SslContext::builder(SslMethod::tls()).unwrap().build(); @@ -1112,7 +1112,7 @@ fn test_ssl_set_compliance() { assert_eq!(ciphers.len(), WPA3_192_CIPHERS.len()); for cipher in ciphers.into_iter().zip(WPA3_192_CIPHERS) { - assert_eq!(cipher.0.name(), cipher.1) + assert_eq!(cipher.0.name(), cipher.1); } ssl.set_compliance_policy(CompliancePolicy::NONE) diff --git a/boring/src/ssl/test/session.rs b/boring/src/ssl/test/session.rs index 23c0f4d5d..97ed8c1c3 100644 --- a/boring/src/ssl/test/session.rs +++ b/boring/src/ssl/test/session.rs @@ -49,7 +49,7 @@ fn new_get_session_callback() { .ctx() .set_session_cache_mode(SslSessionCacheMode::SERVER | SslSessionCacheMode::NO_INTERNAL); server.ctx().set_new_session_callback(|_, session| { - SERVER_SESSION_DER.set(session.to_der().unwrap()).unwrap() + SERVER_SESSION_DER.set(session.to_der().unwrap()).unwrap(); }); unsafe { server.ctx().set_get_session_callback(|_, id| { @@ -76,7 +76,7 @@ fn new_get_session_callback() { .ctx() .set_session_cache_mode(SslSessionCacheMode::CLIENT); client.ctx().set_new_session_callback(|_, session| { - CLIENT_SESSION_DER.set(session.to_der().unwrap()).unwrap() + CLIENT_SESSION_DER.set(session.to_der().unwrap()).unwrap(); }); let client = client.build(); diff --git a/boring/src/ssl/test/session_resumption.rs b/boring/src/ssl/test/session_resumption.rs index 808abe304..5c65c53ce 100644 --- a/boring/src/ssl/test/session_resumption.rs +++ b/boring/src/ssl/test/session_resumption.rs @@ -61,7 +61,7 @@ fn custom_callback_success() { unsafe { server .ctx() - .set_ticket_key_callback(test_success_tickey_key_callback) + .set_ticket_key_callback(test_success_tickey_key_callback); }; let server = server.build(); 
@@ -106,7 +106,7 @@ fn custom_callback_unrecognized_decryption_ticket() { unsafe { server .ctx() - .set_ticket_key_callback(test_noop_tickey_key_callback) + .set_ticket_key_callback(test_noop_tickey_key_callback); }; let server = server.build(); diff --git a/boring/src/x509/store.rs b/boring/src/x509/store.rs index e7621e739..1c2fd0ff1 100644 --- a/boring/src/x509/store.rs +++ b/boring/src/x509/store.rs @@ -177,6 +177,7 @@ impl X509StoreRef { } #[test] +#[allow(clippy::redundant_clone)] #[should_panic = "Shared X509Store can't be mutated"] fn set_cert_store_pevents_mutability() { use crate::ssl::*; diff --git a/boring/src/x509/tests/mod.rs b/boring/src/x509/tests/mod.rs index 371cd9b63..2a1b3fd56 100644 --- a/boring/src/x509/tests/mod.rs +++ b/boring/src/x509/tests/mod.rs @@ -73,7 +73,7 @@ fn test_subject_read_cn() { let cert = X509::from_pem(cert).unwrap(); let subject = cert.subject_name(); let cn = subject.entries_by_nid(Nid::COMMONNAME).next().unwrap(); - assert_eq!(cn.data().as_slice(), b"foobar.com") + assert_eq!(cn.data().as_slice(), b"foobar.com"); } #[test] diff --git a/boring/src/x509/tests/trusted_first.rs b/boring/src/x509/tests/trusted_first.rs index 187a49b0b..ad660a3b1 100644 --- a/boring/src/x509/tests/trusted_first.rs +++ b/boring/src/x509/tests/trusted_first.rs @@ -60,7 +60,7 @@ fn test_verify_cert() { assert_eq!( Ok(()), verify(&leaf, &[&root1], &[&intermediate, &root1_cross], |param| { - param.clear_flags(X509VerifyFlags::TRUSTED_FIRST) + param.clear_flags(X509VerifyFlags::TRUSTED_FIRST); }) ); } diff --git a/hyper-boring/src/cache.rs b/hyper-boring/src/cache.rs index 185c3dc41..ad0bddbb5 100644 --- a/hyper-boring/src/cache.rs +++ b/hyper-boring/src/cache.rs 
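Review bot: In the boring/src/x509/store.rs hunk at -177, the new `#[allow(clippy::redundant_clone)]` on `set_cert_store_pevents_mutability` silences the lint without saying why the clone must stay. Given the `should_panic = "Shared X509Store can't be mutated"` expectation, the clone is presumably what makes the store shared. If so, a later cleanup that removes it would change what the test exercises. A trailing comment would record that, for example `#[allow(clippy::redundant_clone)] // the clone is deliberate: it creates the second owner this test needs`, with the wording adjusted to what the body actually does. The test body is outside the hunk, so this reading is inferred from the attribute lines only.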
@@ -86,9 +86,8 @@ impl SessionCache { } pub fn remove(&mut self, session: &SslSessionRef) { - let key = match self.reverse.remove(session.id()) { - Some(key) => key, - None => return, + let Some(key) = self.reverse.remove(session.id()) else { + return; }; if let Entry::Occupied(mut sessions) = self.sessions.entry(key) { diff --git a/hyper-boring/src/v1.rs b/hyper-boring/src/v1.rs index 392344ea4..38b454229 100644 --- a/hyper-boring/src/v1.rs +++ b/hyper-boring/src/v1.rs @@ -113,7 +113,7 @@ impl HttpsLayer { /// /// The session cache configuration of `ssl` will be overwritten. pub fn with_connector(ssl: SslConnectorBuilder) -> Result { - Self::with_connector_and_settings(ssl, Default::default()) + Self::with_connector_and_settings(ssl, HttpsLayerSettings::default()) } /// Creates a new `HttpsLayer` with settings @@ -243,9 +243,8 @@ where let f = async { let conn = connect.await.map_err(Into::into)?.into_inner(); - let (inner, uri) = match tls_setup { - Some((inner, uri)) => (inner, uri), - None => return Ok(MaybeHttpsStream::Http(conn)), + let Some((inner, uri)) = tls_setup else { + return Ok(MaybeHttpsStream::Http(conn)); }; let mut host = uri.host().ok_or("URI missing host")?; diff --git a/hyper-boring/tests/v1.rs b/hyper-boring/tests/v1.rs index 4082d2cef..1965959f3 100644 --- a/hyper-boring/tests/v1.rs +++ b/hyper-boring/tests/v1.rs @@ -78,7 +78,7 @@ async fn localhost() { let file = File::create("../target/keyfile.log").unwrap(); ssl.set_keylog_callback(move |_, line| { - let _ = writeln!(&file, "{}", line); + let _ = writeln!(&file, "{line}"); }); let ssl = HttpsConnector::with_connector(connector, ssl).unwrap(); @@ -86,7 +86,7 @@ async fn localhost() { for _ in 0..3 { let resp = client - .get(format!("https://foobar.com:{}", port).parse().unwrap()) + .get(format!("https://foobar.com:{port}").parse().unwrap()) .await .unwrap(); assert!(resp.status().is_success(), "{}", resp.status()); 
@@ -149,7 +149,7 @@ async fn alpn_h2() { let client = Client::builder(TokioExecutor::new()).build::<_, Empty>(ssl); let resp = client - .get(format!("https://foobar.com:{}", port).parse().unwrap()) + .get(format!("https://foobar.com:{port}").parse().unwrap()) .await .unwrap(); assert!(resp.status().is_success(), "{}", resp.status()); diff --git a/tokio-boring/tests/async_get_session.rs b/tokio-boring/tests/async_get_session.rs index 0ab9b396e..177d84940 100644 --- a/tokio-boring/tests/async_get_session.rs +++ b/tokio-boring/tests/async_get_session.rs @@ -26,7 +26,7 @@ async fn test() { builder .set_session_cache_mode(SslSessionCacheMode::SERVER | SslSessionCacheMode::NO_INTERNAL); builder.set_new_session_callback(|_, session| { - SERVER_SESSION_DER.set(session.to_der().unwrap()).unwrap() + SERVER_SESSION_DER.set(session.to_der().unwrap()).unwrap(); }); unsafe { @@ -49,7 +49,7 @@ async fn test() { let connector = create_connector(|builder| { builder.set_session_cache_mode(SslSessionCacheMode::CLIENT); builder.set_new_session_callback(|_, session| { - CLIENT_SESSION_DER.set(session.to_der().unwrap()).unwrap() + CLIENT_SESSION_DER.set(session.to_der().unwrap()).unwrap(); }); builder.set_ca_file("tests/cert.pem") From e4b3c6f7476090f1de803397f2370228bc5d3b79 Mon Sep 17 00:00:00 2001 From: Kornel Date: Mon, 19 Jan 2026 23:22:07 +0000 Subject: [PATCH 4/4] MaybeUninit is stable now --- boring/src/sha.rs | 18 ------------------ 1 file changed, 18 deletions(-) diff --git a/boring/src/sha.rs b/boring/src/sha.rs index f0f9b15c1..4bea478b9 100644 --- a/boring/src/sha.rs +++ b/boring/src/sha.rs @@ -54,7 +54,6 @@ use std::mem::MaybeUninit; /// SHA1 is known to be insecure - it should not be used unless required for /// compatibility with existing systems. #[inline] -#[allow(deprecated)] // https://github.com/rust-lang/rust/issues/63566 #[must_use] pub fn sha1(data: &[u8]) -> [u8; 20] { unsafe { 
@@ -66,7 +65,6 @@ pub fn sha1(data: &[u8]) -> [u8; 20] { /// Computes the SHA224 hash of some data. #[inline] -#[allow(deprecated)] // https://github.com/rust-lang/rust/issues/63566 #[must_use] pub fn sha224(data: &[u8]) -> [u8; 28] { unsafe { @@ -78,7 +76,6 @@ pub fn sha224(data: &[u8]) -> [u8; 28] { /// Computes the SHA256 hash of some data. #[inline] -#[allow(deprecated)] // https://github.com/rust-lang/rust/issues/63566 #[must_use] pub fn sha256(data: &[u8]) -> [u8; 32] { unsafe { @@ -90,7 +87,6 @@ pub fn sha256(data: &[u8]) -> [u8; 32] { /// Computes the SHA384 hash of some data. #[inline] -#[allow(deprecated)] // https://github.com/rust-lang/rust/issues/63566 #[must_use] pub fn sha384(data: &[u8]) -> [u8; 48] { unsafe { @@ -102,7 +98,6 @@ pub fn sha384(data: &[u8]) -> [u8; 48] { /// Computes the SHA512 hash of some data. #[inline] -#[allow(deprecated)] // https://github.com/rust-lang/rust/issues/63566 #[must_use] pub fn sha512(data: &[u8]) -> [u8; 64] { unsafe { @@ -114,7 +109,6 @@ pub fn sha512(data: &[u8]) -> [u8; 64] { /// Computes the SHA512-256 hash of some data. #[inline] -#[allow(deprecated)] // https://github.com/rust-lang/rust/issues/63566 #[must_use] pub fn sha512_256(data: &[u8]) -> [u8; 32] { unsafe { @@ -143,7 +137,6 @@ impl Default for Sha1 { impl Sha1 { /// Creates a new hasher. #[inline] - #[allow(deprecated)] // https://github.com/rust-lang/rust/issues/63566 #[must_use] pub fn new() -> Sha1 { unsafe { @@ -165,7 +158,6 @@ impl Sha1 { /// Returns the hash of the data. #[inline] - #[allow(deprecated)] // https://github.com/rust-lang/rust/issues/63566 #[must_use] pub fn finish(mut self) -> [u8; 20] { unsafe { @@ -190,7 +182,6 @@ impl Default for Sha224 { impl Sha224 { /// Creates a new hasher. #[inline] - #[allow(deprecated)] // https://github.com/rust-lang/rust/issues/63566 #[must_use] pub fn new() -> Sha224 { unsafe { 
@@ -212,7 +203,6 @@ impl Sha224 { /// Returns the hash of the data. #[inline] - #[allow(deprecated)] // https://github.com/rust-lang/rust/issues/63566 #[must_use] pub fn finish(mut self) -> [u8; 28] { unsafe { @@ -237,7 +227,6 @@ impl Default for Sha256 { impl Sha256 { /// Creates a new hasher. #[inline] - #[allow(deprecated)] // https://github.com/rust-lang/rust/issues/63566 #[must_use] pub fn new() -> Sha256 { unsafe { @@ -259,7 +248,6 @@ impl Sha256 { /// Returns the hash of the data. #[inline] - #[allow(deprecated)] // https://github.com/rust-lang/rust/issues/63566 #[must_use] pub fn finish(mut self) -> [u8; 32] { unsafe { @@ -284,7 +272,6 @@ impl Default for Sha384 { impl Sha384 { /// Creates a new hasher. #[inline] - #[allow(deprecated)] // https://github.com/rust-lang/rust/issues/63566 #[must_use] pub fn new() -> Sha384 { unsafe { @@ -306,7 +293,6 @@ impl Sha384 { /// Returns the hash of the data. #[inline] - #[allow(deprecated)] // https://github.com/rust-lang/rust/issues/63566 #[must_use] pub fn finish(mut self) -> [u8; 48] { unsafe { @@ -331,7 +317,6 @@ impl Default for Sha512 { impl Sha512 { /// Creates a new hasher. #[inline] - #[allow(deprecated)] // https://github.com/rust-lang/rust/issues/63566 #[must_use] pub fn new() -> Sha512 { unsafe { @@ -353,7 +338,6 @@ impl Sha512 { /// Returns the hash of the data. #[inline] - #[allow(deprecated)] // https://github.com/rust-lang/rust/issues/63566 #[must_use] pub fn finish(mut self) -> [u8; 64] { unsafe { @@ -378,7 +362,6 @@ impl Default for Sha512_256 { impl Sha512_256 { /// Creates a new hasher. #[inline] - #[allow(deprecated)] // https://github.com/rust-lang/rust/issues/63566 #[must_use] pub fn new() -> Sha512_256 { unsafe { @@ -400,7 +383,6 @@ impl Sha512_256 { /// Returns the hash of the data. #[inline] - #[allow(deprecated)] // https://github.com/rust-lang/rust/issues/63566 #[must_use] pub fn finish(mut self) -> [u8; 32] { unsafe {