refactor: Replace unsafe methods with safe methods in `ConnectConfigu…

…ration` (#398)

Cargo.toml

@@ -104,18 +104,17 @@ tokio = { version = "1", default-features = false, features = ["net","time"] }
 pin-project-lite = "0.2.0"
 ipnet = "2.11.0"
 
-# hyper util
+## util
 socket2 = { version = "0.5", features = ["all"] }
 lru = { version = "0.13", default-features = false }
 
 ## boring-tls
-boring2 = { version = "4.15.0", features = ["pq-experimental"] }
-boring-sys2 = { version = "4.15.0", features = ["pq-experimental"] }
-tokio-boring2 = { version = "4.15.0", features = ["pq-experimental"] }
-foreign-types = "0.5.0"
+boring2 = { version = "4.15.1", features = ["pq-experimental"] }
+boring-sys2 = { version = "4.15.1", features = ["pq-experimental"] }
+tokio-boring2 = { version = "4.15.1", features = ["pq-experimental"] }
 linked_hash_set = "0.1"
 
-# cert compression
+## cert compression
 brotli = "7"
 flate2 = "1"
 zstd = "0.13"

src/tls/cert/mod.rs

@@ -5,7 +5,6 @@ mod load;
 use super::{sv_handler, TlsResult};
 use boring2::{ssl::SslConnectorBuilder, x509::store::X509Store};
 use boring_sys2 as ffi;
-use foreign_types::ForeignTypeRef;
 
 /// The root certificate store.
 #[allow(missing_debug_implementations)]
@@ -38,7 +37,7 @@ impl RootCertStore {
                         sv_handler(unsafe {
                             ffi::SSL_CTX_set1_verify_cert_store(
                                 builder.as_ptr(),
-                                cert_store.as_ptr(),
+                                cert_store as *const _ as *mut _,
                             )
                         })?;
                     } else {
@@ -58,7 +57,10 @@ impl RootCertStore {
             }
             RootCertStore::Borrowed(cert_store) => {
                 sv_handler(unsafe {
-                    ffi::SSL_CTX_set1_verify_cert_store(builder.as_ptr(), cert_store.as_ptr())
+                    ffi::SSL_CTX_set1_verify_cert_store(
+                        builder.as_ptr(),
+                        cert_store as *const _ as *mut _,
+                    )
                 })?;
             }
         }

src/tls/conn/layer.rs

@@ -131,15 +131,15 @@ impl HttpsLayer {
         };
 
         let callback = Arc::new(move |conf: &mut ConnectConfiguration, _: &Uri| {
-            // Set ECH grease
-            conf.enable_ech_grease(settings.enable_ech_grease)?;
-
             // Use server name indication
             conf.set_use_server_name_indication(settings.tls_sni);
 
             // Verify hostname
             conf.set_verify_hostname(settings.verify_hostname);
 
+            // Set ECH grease
+            conf.set_enable_ech_grease(settings.enable_ech_grease);
+
             // Set ALPS
             conf.alps_protos(settings.alps_protos, settings.alps_use_new_codepoint)?;
 

src/tls/ext.rs

@@ -1,9 +1,8 @@
 use super::cert::{compression::CertCompressionAlgorithm, RootCertStore};
 use super::{sv_handler, AlpnProtos, AlpsProtos, TlsResult, TlsVersion};
 
-use boring2::ssl::{ConnectConfiguration, SslConnectorBuilder, SslRef, SslVerifyMode};
+use boring2::ssl::{ConnectConfiguration, SslConnectorBuilder, SslOptions, SslRef, SslVerifyMode};
 use boring_sys2 as ffi;
-use foreign_types::ForeignTypeRef;
 
 /// SslConnectorBuilderExt trait for `SslConnectorBuilder`.
 pub trait SslConnectorBuilderExt {
@@ -43,9 +42,6 @@ pub trait SslRefExt {
 
 /// ConnectConfigurationExt trait for `ConnectConfiguration`.
 pub trait ConnectConfigurationExt {
-    /// Configure the enable_ech_grease for the given `ConnectConfiguration`.
-    fn enable_ech_grease(&mut self, enable: bool) -> TlsResult<&mut ConnectConfiguration>;
-
     /// Configure the ALPS for the given `ConnectConfiguration`.
     fn alps_protos(
         &mut self,
@@ -115,33 +111,17 @@ impl SslConnectorBuilderExt for SslConnectorBuilder {
 }
 
 impl ConnectConfigurationExt for ConnectConfiguration {
-    #[inline]
-    fn enable_ech_grease(&mut self, enable: bool) -> TlsResult<&mut ConnectConfiguration> {
-        unsafe { ffi::SSL_set_enable_ech_grease(self.as_ptr(), enable as _) }
-        Ok(self)
-    }
-
     #[inline]
     fn alps_protos(
         &mut self,
         alps: Option<AlpsProtos>,
         new_endpoint: bool,
     ) -> TlsResult<&mut ConnectConfiguration> {
         if let Some(alps) = alps {
-            sv_handler(unsafe {
-                ffi::SSL_add_application_settings(
-                    self.as_ptr(),
-                    alps.as_ptr(),
-                    alps.len(),
-                    std::ptr::null(),
-                    0,
-                )
-            })?;
+            self.add_application_settings(alps.0)?;
 
             if new_endpoint {
-                unsafe {
-                    ffi::SSL_set_alps_use_new_codepoint(self.as_ptr(), new_endpoint as _);
-                }
+                self.set_alps_use_new_codepoint(new_endpoint);
             }
         }
 
@@ -150,8 +130,7 @@ impl ConnectConfigurationExt for ConnectConfiguration {
 
     #[inline]
     fn skip_session_ticket(&mut self) -> TlsResult<&mut ConnectConfiguration> {
-        sv_handler(unsafe { ffi::SSL_set_options(self.as_ptr(), ffi::SSL_OP_NO_TICKET as _) as _ })
-            .map(|_| self)
+        self.set_options(SslOptions::NO_TICKET).map(|_| self)
     }
 }
 

src/tls/mod.rs

@@ -176,16 +176,6 @@ impl AlpsProtos {
     pub const HTTP1: AlpsProtos = AlpsProtos(b"http/1.1");
     /// Application Settings protocol for HTTP/2
     pub const HTTP2: AlpsProtos = AlpsProtos(b"h2");
-
-    #[inline(always)]
-    pub(crate) fn as_ptr(&self) -> *const u8 {
-        self.0.as_ptr()
-    }
-
-    #[inline(always)]
-    pub(crate) fn len(&self) -> usize {
-        self.0.len()
-    }
 }
 
 /// Hyper extension carrying extra TLS layer information.