cloudflare · kornelski · Dec 29, 2025 · Dec 29, 2025
diff --git a/boring-sys/build/main.rs b/boring-sys/build/main.rs
@@ -135,7 +135,8 @@ fn get_boringssl_source_path(config: &Config) -> &PathBuf {
         }
 
         let _ = fs::remove_dir_all(&src_path);
-        fs_extra::dir::copy(submodule_path, &config.out_dir, &Default::default()).unwrap();
+        fs_extra::dir::copy(submodule_path, &config.out_dir, &Default::default())
+            .expect("out dir copy");
 
         // NOTE: .git can be both file and dir, depening on whether it was copied from a submodule
         // or created by the patches code.
@@ -370,31 +371,23 @@ fn get_extra_clang_args_for_bindgen(config: &Config) -> Vec<String> {
     let mut params = Vec::new();
 
     // Add platform-specific parameters.
-    #[allow(clippy::single_match)]
     match &*config.target_os {
         "ios" | "macos" => {
             // When cross-compiling for Apple targets, tell bindgen to use SDK sysroot,
             // and *don't* use system headers of the host macOS.
             let sdk = get_apple_sdk_name(config);
-            let output = std::process::Command::new("xcrun")
-                .args(["--show-sdk-path", "--sdk", sdk])
-                .output()
-                .unwrap();
-            if !output.status.success() {
-                if let Some(exit_code) = output.status.code() {
-                    println!("cargo:warning=xcrun failed: exit code {exit_code}");
-                } else {
-                    println!("cargo:warning=xcrun failed: killed");
+            match run_command(Command::new("xcrun").args(["--show-sdk-path", "--sdk", sdk])) {
+                Ok(output) => {
+                    let sysroot = std::str::from_utf8(&output.stdout).expect("xcrun output");
+                    params.push("-isysroot".to_string());
+                    // There is typically a newline at the end which confuses clang.
+                    params.push(sysroot.trim_end().to_string());
+                }
+                Err(e) => {
+                    println!("cargo:warning={e}");
+                    // Uh... let's try anyway, I guess?
                 }
-                std::io::stderr().write_all(&output.stderr).unwrap();
-                // Uh... let's try anyway, I guess?
-                return params;
             }
-            let mut sysroot = String::from_utf8(output.stdout).unwrap();
-            // There is typically a newline at the end which confuses clang.
-            sysroot.truncate(sysroot.trim_end().len());
-            params.push("-isysroot".to_string());
-            params.push(sysroot);
         }
         "android" => {
             let mut android_sysroot = config
@@ -405,20 +398,18 @@ fn get_extra_clang_args_for_bindgen(config: &Config) -> Vec<String> {
 
             android_sysroot.extend(["toolchains", "llvm", "prebuilt"]);
 
-            let toolchain = match pick_best_android_ndk_toolchain(&android_sysroot) {
-                Ok(toolchain) => toolchain,
+            match pick_best_android_ndk_toolchain(&android_sysroot) {
+                Ok(toolchain) => {
+                    android_sysroot.push(toolchain);
+                    android_sysroot.push("sysroot");
+                    params.push("--sysroot".to_string());
+                    params.push(android_sysroot.into_os_string().into_string().unwrap());
+                }
                 Err(e) => {
-                    println!(
-                        "cargo:warning=failed to find prebuilt Android NDK toolchain for bindgen: {e}"
-                    );
+                    println!("cargo:warning=failed to find prebuilt Android NDK toolchain for bindgen: {e}");
                     // Uh... let's try anyway, I guess?
-                    return params;
                 }
-            };
-            android_sysroot.push(toolchain);
-            android_sysroot.push("sysroot");
-            params.push("--sysroot".to_string());
-            params.push(android_sysroot.into_os_string().into_string().unwrap());
+            }
         }
         _ => {}
     }
@@ -502,8 +493,8 @@ fn apply_patch(config: &Config, patch_name: &str) -> io::Result<()> {
 fn run_command(command: &mut Command) -> io::Result<Output> {
     let out = command.output()?;
 
-    println!("{}", std::str::from_utf8(&out.stdout).unwrap());
-    eprintln!("{}", std::str::from_utf8(&out.stderr).unwrap());
+    std::io::stderr().write_all(&out.stderr)?;
+    std::io::stdout().write_all(&out.stdout)?;
 
     if !out.status.success() {
         let err = match out.status.code() {

diff --git a/boring/src/macros.rs b/boring/src/macros.rs
@@ -7,7 +7,8 @@ macro_rules! private_key_from_pem {
             unsafe {
                 ffi::init();
                 let bio = crate::bio::MemBioSlice::new(pem)?;
-                let passphrase = ::std::ffi::CString::new(passphrase).unwrap();
+                let passphrase = ::std::ffi::CString::new(passphrase)
+                    .map_err(crate::error::ErrorStack::internal_error)?;
                 cvt_p($f(bio.as_ptr(),
                          ptr::null_mut(),
                          None,

diff --git a/boring/src/ssl/mod.rs b/boring/src/ssl/mod.rs
@@ -1453,7 +1453,9 @@ impl SslContextBuilder {
         unsafe { cvt(ffi::SSL_CTX_use_PrivateKey(self.as_ptr(), key.as_ptr())).map(|_| ()) }
     }
 
-    /// Sets the list of supported ciphers for protocols before TLSv1.3.
+    /// Sets the list of supported ciphers for protocols before TLSv1.3, ignoring meaningless entries.
+    ///
+    /// See [`SslContextBuilder::set_strict_cipher_list()`].
     ///
     /// The `set_ciphersuites` method controls the cipher suites for TLSv1.3 in OpenSSL.
     /// BoringSSL doesn't implement `set_ciphersuites`.
@@ -1464,7 +1466,7 @@ impl SslContextBuilder {
     /// [`ciphers`]: https://www.openssl.org/docs/manmaster/apps/ciphers.html
     #[corresponds(SSL_CTX_set_cipher_list)]
     pub fn set_cipher_list(&mut self, cipher_list: &str) -> Result<(), ErrorStack> {
-        let cipher_list = CString::new(cipher_list).unwrap();
+        let cipher_list = CString::new(cipher_list).map_err(ErrorStack::internal_error)?;
         unsafe {
             cvt(ffi::SSL_CTX_set_cipher_list(
                 self.as_ptr(),
@@ -1484,8 +1486,9 @@ impl SslContextBuilder {
     /// See [`ciphers`] for details on the format.
     ///
     /// [`ciphers`]: <https://docs.openssl.org/master/man1/openssl-ciphers/>.
+    #[corresponds(SSL_CTX_set_strict_cipher_list)]
     pub fn set_strict_cipher_list(&mut self, cipher_list: &str) -> Result<(), ErrorStack> {
-        let cipher_list = CString::new(cipher_list).unwrap();
+        let cipher_list = CString::new(cipher_list).map_err(ErrorStack::internal_error)?;
         unsafe {
             cvt(ffi::SSL_CTX_set_strict_cipher_list(
                 self.as_ptr(),