Boring 5 prep

boring/examples/mk_certs.rs

@@ -43,18 +43,19 @@ fn mk_ca_cert() -> Result<(X509, PKey<Private>), ErrorStack> {
     let not_after = Asn1Time::days_from_now(365)?;
     cert_builder.set_not_after(&not_after)?;
 
-    cert_builder.append_extension(BasicConstraints::new().critical().ca().build()?)?;
+    cert_builder.append_extension(BasicConstraints::new().critical().ca().build()?.as_ref())?;
     cert_builder.append_extension(
         KeyUsage::new()
             .critical()
             .key_cert_sign()
             .crl_sign()
-            .build()?,
+            .build()?
+            .as_ref(),
     )?;
 
     let subject_key_identifier =
         SubjectKeyIdentifier::new().build(&cert_builder.x509v3_context(None, None))?;
-    cert_builder.append_extension(subject_key_identifier)?;
+    cert_builder.append_extension(&subject_key_identifier)?;
 
     cert_builder.sign(&privkey, MessageDigest::sha256())?;
     let cert = cert_builder.build();
@@ -106,32 +107,33 @@ fn mk_ca_signed_cert(
     let not_after = Asn1Time::days_from_now(365)?;
     cert_builder.set_not_after(&not_after)?;
 
-    cert_builder.append_extension(BasicConstraints::new().build()?)?;
+    cert_builder.append_extension(BasicConstraints::new().build()?.as_ref())?;
 
     cert_builder.append_extension(
         KeyUsage::new()
             .critical()
             .non_repudiation()
             .digital_signature()
             .key_encipherment()
-            .build()?,
+            .build()?
+            .as_ref(),
     )?;
 
     let subject_key_identifier =
         SubjectKeyIdentifier::new().build(&cert_builder.x509v3_context(Some(ca_cert), None))?;
-    cert_builder.append_extension(subject_key_identifier)?;
+    cert_builder.append_extension(&subject_key_identifier)?;
 
     let auth_key_identifier = AuthorityKeyIdentifier::new()
         .keyid(false)
         .issuer(false)
         .build(&cert_builder.x509v3_context(Some(ca_cert), None))?;
-    cert_builder.append_extension(auth_key_identifier)?;
+    cert_builder.append_extension(&auth_key_identifier)?;
 
     let subject_alt_name = SubjectAlternativeName::new()
         .dns("*.example.com")
         .dns("hello.com")
         .build(&cert_builder.x509v3_context(Some(ca_cert), None))?;
-    cert_builder.append_extension(subject_alt_name)?;
+    cert_builder.append_extension(&subject_alt_name)?;
 
     cert_builder.sign(ca_privkey, MessageDigest::sha256())?;
     let cert = cert_builder.build();

boring/src/pkcs12.rs

@@ -259,7 +259,7 @@ mod test {
             .unwrap();
         builder.set_subject_name(&name).unwrap();
         builder.set_issuer_name(&name).unwrap();
-        builder.append_extension(key_usage).unwrap();
+        builder.append_extension(&key_usage).unwrap();
         builder.set_pubkey(&pkey).unwrap();
         builder.sign(&pkey, MessageDigest::sha256()).unwrap();
         let cert = builder.build();

boring/src/ssl/mod.rs

@@ -2595,32 +2595,13 @@ impl Ssl {
         }
     }
 
-    /// Creates a new `Ssl`.
-    ///
-    // FIXME should take &SslContextRef
-    #[corresponds(SSL_new)]
-    pub fn new(ctx: &SslContext) -> Result<Ssl, ErrorStack> {
-        unsafe {
-            let ptr = cvt_p(ffi::SSL_new(ctx.as_ptr()))?;
-            let mut ssl = Ssl::from_ptr(ptr);
-            ssl.set_ex_data(*SESSION_CTX_INDEX, ctx.clone());
-
-            Ok(ssl)
-        }
-    }
-
     /// Creates a new [`Ssl`].
-    ///
-    /// This function does the same as [`Self:new`] except that it takes &[SslContextRef].
-    // Both functions exist for backward compatibility (no breaking API).
     #[corresponds(SSL_new)]
-    pub fn new_from_ref(ctx: &SslContextRef) -> Result<Ssl, ErrorStack> {
+    pub fn new(ctx: &SslContextRef) -> Result<Ssl, ErrorStack> {
         unsafe {
             let ptr = cvt_p(ffi::SSL_new(ctx.as_ptr()))?;
             let mut ssl = Ssl::from_ptr(ptr);
-            SSL_CTX_up_ref(ctx.as_ptr());
-            let ctx_owned = SslContext::from_ptr(ctx.as_ptr());
-            ssl.set_ex_data(*SESSION_CTX_INDEX, ctx_owned);
+            ssl.set_ex_data(*SESSION_CTX_INDEX, ctx.to_owned());
 
             Ok(ssl)
         }
@@ -3807,26 +3788,23 @@ where
 }
 
 impl<S: Read + Write> SslStream<S> {
-    fn new_base(ssl: Ssl, stream: S) -> Self {
-        unsafe {
-            let (bio, method) = bio::new(stream).unwrap();
-            ffi::SSL_set_bio(ssl.as_ptr(), bio, bio);
-
-            SslStream {
-                ssl: ManuallyDrop::new(ssl),
-                method: ManuallyDrop::new(method),
-                _p: PhantomData,
-            }
-        }
-    }
-
     /// Creates a new `SslStream`.
     ///
     /// This function performs no IO; the stream will not have performed any part of the handshake
     /// with the peer. The `connect` and `accept` methods can be used to
     /// explicitly perform the handshake.
     pub fn new(ssl: Ssl, stream: S) -> Result<Self, ErrorStack> {
-        Ok(Self::new_base(ssl, stream))
+        let (bio, method) = bio::new(stream)?;
+
+        unsafe {
+            ffi::SSL_set_bio(ssl.as_ptr(), bio, bio);
+        }
+
+        Ok(SslStream {
+            ssl: ManuallyDrop::new(ssl),
+            method: ManuallyDrop::new(method),
+            _p: PhantomData,
+        })
     }
 
     /// Constructs an `SslStream` from a pointer to the underlying OpenSSL `SSL` struct.
@@ -3838,7 +3816,7 @@ impl<S: Read + Write> SslStream<S> {
     /// The caller must ensure the pointer is valid.
     pub unsafe fn from_raw_parts(ssl: *mut ffi::SSL, stream: S) -> Self {
         let ssl = Ssl::from_ptr(ssl);
-        Self::new_base(ssl, stream)
+        Self::new(ssl, stream).unwrap()
     }
 
     /// Like `read`, but takes a possibly-uninitialized slice.
@@ -4106,7 +4084,7 @@ where
     /// Begin creating an `SslStream` atop `stream`
     pub fn new(ssl: Ssl, stream: S) -> Self {
         Self {
-            inner: SslStream::new_base(ssl, stream),
+            inner: SslStream::new(ssl, stream).unwrap(),
         }
     }
 

boring/src/x509/mod.rs

@@ -342,16 +342,9 @@ impl X509Builder {
         }
     }
 
-    /// Adds an X509 extension value to the certificate.
-    ///
-    /// This works just as `append_extension` except it takes ownership of the `X509Extension`.
-    pub fn append_extension(&mut self, extension: X509Extension) -> Result<(), ErrorStack> {
-        self.append_extension2(&extension)
-    }
-
     /// Adds an X509 extension value to the certificate.
     #[corresponds(X509_add_ext)]
-    pub fn append_extension2(&mut self, extension: &X509ExtensionRef) -> Result<(), ErrorStack> {
+    pub fn append_extension(&mut self, extension: &X509ExtensionRef) -> Result<(), ErrorStack> {
         unsafe {
             cvt(ffi::X509_add_ext(self.0.as_ptr(), extension.as_ptr(), -1))?;
             Ok(())

boring/src/x509/tests/mod.rs

@@ -250,34 +250,36 @@ fn x509_builder() {
         .unwrap();
 
     let basic_constraints = BasicConstraints::new().critical().ca().build().unwrap();
-    builder.append_extension(basic_constraints).unwrap();
+    builder
+        .append_extension(basic_constraints.as_ref())
+        .unwrap();
     let key_usage = KeyUsage::new()
         .digital_signature()
         .key_encipherment()
         .build()
         .unwrap();
-    builder.append_extension(key_usage).unwrap();
+    builder.append_extension(&key_usage).unwrap();
     let ext_key_usage = ExtendedKeyUsage::new()
         .client_auth()
         .server_auth()
         .other("2.999.1")
         .build()
         .unwrap();
-    builder.append_extension(ext_key_usage).unwrap();
+    builder.append_extension(&ext_key_usage).unwrap();
     let subject_key_identifier = SubjectKeyIdentifier::new()
         .build(&builder.x509v3_context(None, None))
         .unwrap();
-    builder.append_extension(subject_key_identifier).unwrap();
+    builder.append_extension(&subject_key_identifier).unwrap();
     let authority_key_identifier = AuthorityKeyIdentifier::new()
         .keyid(true)
         .build(&builder.x509v3_context(None, None))
         .unwrap();
-    builder.append_extension(authority_key_identifier).unwrap();
+    builder.append_extension(&authority_key_identifier).unwrap();
     let subject_alternative_name = SubjectAlternativeName::new()
         .dns("example.com")
         .build(&builder.x509v3_context(None, None))
         .unwrap();
-    builder.append_extension(subject_alternative_name).unwrap();
+    builder.append_extension(&subject_alternative_name).unwrap();
 
     builder.sign(&pkey, MessageDigest::sha256()).unwrap();