From 510c6a9c8c616de6664b36bd3bf3f663ecf74c02 Mon Sep 17 00:00:00 2001
From: Kornel
Date: Mon, 29 Dec 2025 17:03:28 +0000
Subject: [PATCH 1/2] set_strict_cipher_list docs
---
 boring/src/ssl/mod.rs | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/boring/src/ssl/mod.rs b/boring/src/ssl/mod.rs
index ea54a6e25..d24c760d5 100644
--- a/boring/src/ssl/mod.rs
+++ b/boring/src/ssl/mod.rs
@@ -1453,7 +1453,9 @@ impl SslContextBuilder {
 unsafe { cvt(ffi::SSL_CTX_use_PrivateKey(self.as_ptr(), key.as_ptr())).map(|_| ()) }
 }
- /// Sets the list of supported ciphers for protocols before TLSv1.3.
+ /// Sets the list of supported ciphers for protocols before TLSv1.3, ignoring meaningless entries.
+ ///
+ /// See [`SslContextBuilder::set_strict_cipher_list()`].
 ///
 /// The `set_ciphersuites` method controls the cipher suites for TLSv1.3 in OpenSSL.
 /// BoringSSL doesn't implement `set_ciphersuites`.
@@ -1484,6 +1486,7 @@ impl SslContextBuilder {
 /// See [`ciphers`] for details on the format.
 ///
 /// [`ciphers`]: .
+ #[corresponds(SSL_CTX_set_strict_cipher_list)]
 pub fn set_strict_cipher_list(&mut self, cipher_list: &str) -> Result<(), ErrorStack> {
 let cipher_list = CString::new(cipher_list).unwrap();
 unsafe {
From 73de7a44db7d5fa64acd4e036e5e25e011f3c97f Mon Sep 17 00:00:00 2001
From: Kornel
Date: Mon, 29 Dec 2025 17:01:46 +0000
Subject: [PATCH 2/2] Fewer unwrap()s
---
 boring-sys/build/main.rs | 55 +++++++++++++++++-----------------------
 boring/src/macros.rs | 3 ++-
 boring/src/ssl/mod.rs | 4 +--
 3 files changed, 27 insertions(+), 35 deletions(-)
diff --git a/boring-sys/build/main.rs b/boring-sys/build/main.rs
index 41789cee3..2df9acdf5 100644
--- a/boring-sys/build/main.rs
+++ b/boring-sys/build/main.rs
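Review bot: The new summary line for set_cipher_list, "ignoring meaningless entries", leaves the practical consequence unstated: as the wording implies, a misspelled or unsupported entry is skipped rather than rejected, so the context can end up with a different cipher set than the caller wrote and no error reports it. I would add one doc line after the cross-reference in the first ssl/mod.rs hunk (-1453), such as `/// Unknown or misspelled entries are skipped without an error; prefer the strict variant when the list expresses security policy.` The doc block and the function it belongs to continue outside the hunk.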
@@ -135,7 +135,8 @@ fn get_boringssl_source_path(config: &Config) -> &PathBuf {
 }
 let _ = fs::remove_dir_all(&src_path);
- fs_extra::dir::copy(submodule_path, &config.out_dir, &Default::default()).unwrap();
+ fs_extra::dir::copy(submodule_path, &config.out_dir, &Default::default())
+ .expect("out dir copy");
 // NOTE: .git can be both file and dir, depening on whether it was copied from a submodule
 // or created by the patches code.
@@ -370,31 +371,23 @@ fn get_extra_clang_args_for_bindgen(config: &Config) -> Vec {
 let mut params = Vec::new();
 // Add platform-specific parameters.
- #[allow(clippy::single_match)]
 match &*config.target_os {
 "ios" | "macos" => {
 // When cross-compiling for Apple targets, tell bindgen to use SDK sysroot,
 // and *don't* use system headers of the host macOS.
 let sdk = get_apple_sdk_name(config);
- let output = std::process::Command::new("xcrun")
- .args(["--show-sdk-path", "--sdk", sdk])
- .output()
- .unwrap();
- if !output.status.success() {
- if let Some(exit_code) = output.status.code() {
- println!("cargo:warning=xcrun failed: exit code {exit_code}");
- } else {
- println!("cargo:warning=xcrun failed: killed");
+ match run_command(Command::new("xcrun").args(["--show-sdk-path", "--sdk", sdk])) {
+ Ok(output) => {
+ let sysroot = std::str::from_utf8(&output.stdout).expect("xcrun output");
+ params.push("-isysroot".to_string());
+ // There is typically a newline at the end which confuses clang.
+ params.push(sysroot.trim_end().to_string());
+ }
+ Err(e) => {
+ println!("cargo:warning={e}");
+ // Uh... let's try anyway, I guess?
 }
- std::io::stderr().write_all(&output.stderr).unwrap();
- // Uh... let's try anyway, I guess?
- return params;
 }
- let mut sysroot = String::from_utf8(output.stdout).unwrap();
- // There is typically a newline at the end which confuses clang.
- sysroot.truncate(sysroot.trim_end().len());
- params.push("-isysroot".to_string());
- params.push(sysroot);
 }
 "android" => {
 let mut android_sysroot = config
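Review bot: `std::str::from_utf8(&output.stdout).expect("xcrun output")` in the new `Ok(output)` arm still aborts the build script on non-UTF-8 output, and the relocated `android_sysroot.into_os_string().into_string().unwrap()` in the Android arm (hunk at -405) is the same kind of leftover panic; both sit beside an `Err` arm that already downgrades failure to a `cargo:warning`. Either route them through that warning path or make the message say what was expected, e.g. `.expect("xcrun --show-sdk-path printed a non-UTF-8 path")`. Separately, removing `return params;` from both failure arms means execution now continues past the `match` after a failure; the rest of get_extra_clang_args_for_bindgen is outside these hunks, so it is worth confirming nothing after the `match` assumes a sysroot was found.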
@@ -405,20 +398,18 @@ fn get_extra_clang_args_for_bindgen(config: &Config) -> Vec {
 android_sysroot.extend(["toolchains", "llvm", "prebuilt"]);
- let toolchain = match pick_best_android_ndk_toolchain(&android_sysroot) {
- Ok(toolchain) => toolchain,
+ match pick_best_android_ndk_toolchain(&android_sysroot) {
+ Ok(toolchain) => {
+ android_sysroot.push(toolchain);
+ android_sysroot.push("sysroot");
+ params.push("--sysroot".to_string());
+ params.push(android_sysroot.into_os_string().into_string().unwrap());
+ }
 Err(e) => {
- println!(
- "cargo:warning=failed to find prebuilt Android NDK toolchain for bindgen: {e}"
- );
+ println!("cargo:warning=failed to find prebuilt Android NDK toolchain for bindgen: {e}");
 // Uh... let's try anyway, I guess?
- return params;
 }
- };
- android_sysroot.push(toolchain);
- android_sysroot.push("sysroot");
- params.push("--sysroot".to_string());
- params.push(android_sysroot.into_os_string().into_string().unwrap());
+ }
 }
 _ => {}
 }
@@ -502,8 +493,8 @@ fn apply_patch(config: &Config, patch_name: &str) -> io::Result<()> {
 fn run_command(command: &mut Command) -> io::Result {
 let out = command.output()?;
- println!("{}", std::str::from_utf8(&out.stdout).unwrap());
- eprintln!("{}", std::str::from_utf8(&out.stderr).unwrap());
+ std::io::stderr().write_all(&out.stderr)?;
+ std::io::stdout().write_all(&out.stdout)?;
 if !out.status.success() {
 let err = match out.status.code() {
diff --git a/boring/src/macros.rs b/boring/src/macros.rs
index b6cbeb8fc..f0511b178 100644
--- a/boring/src/macros.rs
+++ b/boring/src/macros.rs
@@ -7,7 +7,8 @@ macro_rules! private_key_from_pem {
 unsafe {
 ffi::init();
 let bio = crate::bio::MemBioSlice::new(pem)?;
- let passphrase = ::std::ffi::CString::new(passphrase).unwrap();
+ let passphrase = ::std::ffi::CString::new(passphrase)
+ .map_err(crate::error::ErrorStack::internal_error)?;
 cvt_p($f(bio.as_ptr(), ptr::null_mut(), None,
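Review bot: `std::io::stdout().write_all(&out.stdout)?` in run_command no longer appends the newline that `println!` did, so child output that does not end in a newline leaves the build script's stdout mid-line. Cargo reads that stream for `cargo:` directives, and one printed next would be glued onto the child's last line and likely not recognised. Adding `if !out.stdout.ends_with(b"\n") { println!(); }` after the write restores the old framing. The two `?` also return before the exit status is inspected, so a failed write to stderr or stdout hides whether the command itself succeeded; `let _ =` on those writes would keep the echo best-effort. run_command's body continues outside the hunk.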
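Review bot: The `NulError` handed to `crate::error::ErrorStack::internal_error` in private_key_from_pem owns a copy of the passphrase bytes and its `Debug` output prints them, so whether this conversion is safe depends on what `internal_error` keeps, which is not visible in this hunk. If it stores or Debug-formats the source error, a passphrase containing a NUL byte could reach logs through the returned `ErrorStack`; the `Display` text of `NulError` reports only the byte position. I would pin the expectation with a comment above the call, `// NulError owns the passphrase bytes (shown by {:?}); internal_error must retain only its Display text`, and check `internal_error` against it. The macro body starts and ends outside the hunk.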
diff --git a/boring/src/ssl/mod.rs b/boring/src/ssl/mod.rs
index d24c760d5..160f452ec 100644
--- a/boring/src/ssl/mod.rs
+++ b/boring/src/ssl/mod.rs
@@ -1466,7 +1466,7 @@ impl SslContextBuilder {
 /// [`ciphers`]: https://www.openssl.org/docs/manmaster/apps/ciphers.html
 #[corresponds(SSL_CTX_set_cipher_list)]
 pub fn set_cipher_list(&mut self, cipher_list: &str) -> Result<(), ErrorStack> {
- let cipher_list = CString::new(cipher_list).unwrap();
+ let cipher_list = CString::new(cipher_list).map_err(ErrorStack::internal_error)?;
 unsafe {
 cvt(ffi::SSL_CTX_set_cipher_list(
 self.as_ptr(),
@@ -1488,7 +1488,7 @@ impl SslContextBuilder {
 /// [`ciphers`]: .
 #[corresponds(SSL_CTX_set_strict_cipher_list)]
 pub fn set_strict_cipher_list(&mut self, cipher_list: &str) -> Result<(), ErrorStack> {
- let cipher_list = CString::new(cipher_list).unwrap();
+ let cipher_list = CString::new(cipher_list).map_err(ErrorStack::internal_error)?;
 unsafe {
 cvt(ffi::SSL_CTX_set_strict_cipher_list(
 self.as_ptr(),
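Review bot: Neither doc block mentions the new failure mode: a `cipher_list` containing an interior NUL byte used to panic and now comes back as `Err(ErrorStack)`, in both `set_cipher_list` (hunk at -1466) and `set_strict_cipher_list` (hunk at -1488). An `# Errors` section would make that contract visible to callers who pass configuration-supplied strings, for example `/// # Errors` followed by `/// Returns an error if cipher_list contains a NUL byte or BoringSSL rejects the list.` Both function bodies run past the end of their hunks.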