cloudflare · kornelski · Sep 26, 2025 · Sep 26, 2025 · Sep 26, 2025
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -18,8 +18,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - name: Install Rust
-        run: rustup update stable && rustup default stable
+      - name: Install Rustfmt
+        run: rustup default stable && rustup component add rustfmt
       - name: Check formatting
         run: cargo fmt --all -- --check
 
@@ -31,7 +31,7 @@ jobs:
         with:
           submodules: 'recursive'
       - name: Install Rust
-        run: rustup update stable && rustup default stable
+        run: rustup update --no-self-update stable && rustup default stable && rustup component add clippy
       - name: Get rust version
         id: rust-version
         run: echo "::set-output name=version::$(rustc --version)"

diff --git a/boring-sys/build/config.rs b/boring-sys/build/config.rs
@@ -54,10 +54,10 @@ impl Config {
         let features = Features::from_env();
         let env = Env::from_env(&host, &target, features.is_fips_like());
 
-        let mut is_bazel = false;
-        if let Some(src_path) = &env.source_path {
-            is_bazel = src_path.join("src").exists();
-        }
+        let is_bazel = env
+            .source_path
+            .as_ref()
+            .is_some_and(|path| path.join("src").exists());
 
         let config = Self {
             manifest_dir,

diff --git a/boring-sys/build/main.rs b/boring-sys/build/main.rs
@@ -152,7 +152,7 @@ fn get_boringssl_source_path(config: &Config) -> &PathBuf {
 ///
 /// MSVC generator on Windows place static libs in a target sub-folder,
 /// so adjust library location based on platform and build target.
-/// See issue: https://github.com/alexcrichton/cmake-rs/issues/18
+/// See issue: <https://github.com/alexcrichton/cmake-rs/issues/18>
 fn get_boringssl_platform_output_path(config: &Config) -> String {
     if config.target.ends_with("-msvc") {
         // Code under this branch should match the logic in cmake-rs
@@ -193,7 +193,7 @@ fn get_boringssl_platform_output_path(config: &Config) -> String {
     }
 }
 
-/// Returns a new cmake::Config for building BoringSSL.
+/// Returns a new `cmake::Config` for building BoringSSL.
 ///
 /// It will add platform-specific parameters if needed.
 fn get_boringssl_cmake_config(config: &Config) -> cmake::Config {
@@ -340,7 +340,7 @@ fn get_boringssl_cmake_config(config: &Config) -> cmake::Config {
     boringssl_cmake
 }
 
-/// Verify that the toolchains match https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3678.pdf
+/// Verify that the toolchains match <https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3678.pdf>
 /// See "Installation Instructions" under section 12.1.
 // TODO: maybe this should also verify the Go and Ninja versions? But those haven't been an issue in practice ...
 fn verify_fips_clang_version() -> (&'static str, &'static str) {

diff --git a/boring/examples/mk_certs.rs b/boring/examples/mk_certs.rs
@@ -147,7 +147,7 @@ fn real_main() -> Result<(), ErrorStack> {
     match ca_cert.issued(&cert) {
         Ok(()) => println!("Certificate verified!"),
         Err(ver_err) => println!("Failed to verify certificate: {ver_err}"),
-    };
+    }
 
     Ok(())
 }
@@ -156,5 +156,5 @@ fn main() {
     match real_main() {
         Ok(()) => println!("Finished."),
         Err(e) => println!("Error: {e}"),
-    };
+    }
 }
diff --git a/boring/src/dh.rs b/boring/src/dh.rs
@@ -32,7 +32,7 @@ where
     }
 
     to_der! {
-        /// Serializes the parameters into a DER-encoded PKCS#3 DHparameter structure.
+        /// Serializes the parameters into a DER-encoded PKCS#3 `DHparameter` structure.
         #[corresponds(i2d_DHparams)]
         params_to_der,
         ffi::i2d_DHparams

diff --git a/boring/src/ssl/async_callbacks.rs b/boring/src/ssl/async_callbacks.rs
@@ -95,7 +95,7 @@ impl SslContextBuilder {
             let finish = fut_result.or(Err(SelectCertError::ERROR))?;
 
             finish(client_hello).or(Err(SelectCertError::ERROR))
-        })
+        });
     }
 
     /// Configures a custom private key method on the context.
@@ -144,7 +144,7 @@ impl SslContextBuilder {
             }
         };
 
-        self.set_get_session_callback(async_callback)
+        self.set_get_session_callback(async_callback);
     }
 
     /// Configures certificate verification.
@@ -167,7 +167,7 @@ impl SslContextBuilder {
     where
         F: Fn(&mut SslRef) -> Result<BoxCustomVerifyFuture, SslAlert> + Send + Sync + 'static,
     {
-        self.set_custom_verify_callback(mode, async_custom_verify_callback(callback))
+        self.set_custom_verify_callback(mode, async_custom_verify_callback(callback));
     }
 }
 
@@ -176,7 +176,7 @@ impl SslRef {
     where
         F: Fn(&mut SslRef) -> Result<BoxCustomVerifyFuture, SslAlert> + Send + Sync + 'static,
     {
-        self.set_custom_verify_callback(mode, async_custom_verify_callback(callback))
+        self.set_custom_verify_callback(mode, async_custom_verify_callback(callback));
     }
 
     /// Sets the task waker to be used in async callbacks installed on this `Ssl`.

diff --git a/boring/src/ssl/callbacks.rs b/boring/src/ssl/callbacks.rs
@@ -399,7 +399,7 @@ pub(super) unsafe extern "C" fn raw_remove_session<F>(
         .ex_data(SslContext::cached_ex_index::<F>())
         .expect("BUG: remove session callback missing");
 
-    callback(ctx, session)
+    callback(ctx, session);
 }
 
 type DataPtr = *const c_uchar;

diff --git a/boring/src/ssl/mod.rs b/boring/src/ssl/mod.rs
@@ -1841,7 +1841,7 @@ impl SslContextBuilder {
             + Sync
             + Send,
     {
-        self.set_psk_client_callback(callback)
+        self.set_psk_client_callback(callback);
     }
 
     /// Sets the callback for providing an identity and pre-shared key for a TLS-PSK server.
@@ -3217,7 +3217,7 @@ impl SslRef {
 
     /// Returns a short string describing the state of the session.
     ///
-    /// Returns empty string if the state wasn't valid UTF-8
+    /// Returns empty string if the state wasn't valid UTF-8.
     #[corresponds(SSL_state_string)]
     #[must_use]
     pub fn state_string(&self) -> &'static str {
@@ -3231,7 +3231,7 @@ impl SslRef {
 
     /// Returns a longer string describing the state of the session.
     ///
-    /// Returns empty string if the state wasn't valid UTF-8
+    /// Returns empty string if the state wasn't valid UTF-8.
     #[corresponds(SSL_state_string_long)]
     #[must_use]
     pub fn state_string_long(&self) -> &'static str {
@@ -4034,10 +4034,11 @@ impl<S> MidHandshakeSslStream<S> {
             Ok(self.stream)
         } else {
             self.error = self.stream.make_error(ret);
-            match self.error.would_block() {
-                true => Err(HandshakeError::WouldBlock(self)),
-                false => Err(HandshakeError::Failure(self)),
-            }
+            Err(if self.error.would_block() {
+                HandshakeError::WouldBlock(self)
+            } else {
+                HandshakeError::Failure(self)
+            })
         }
     }
 }
@@ -4461,16 +4462,11 @@ where
             Ok(stream)
         } else {
             let error = stream.make_error(ret);
-            match error.would_block() {
-                true => Err(HandshakeError::WouldBlock(MidHandshakeSslStream {
-                    stream,
-                    error,
-                })),
-                false => Err(HandshakeError::Failure(MidHandshakeSslStream {
-                    stream,
-                    error,
-                })),
-            }
+            Err(if error.would_block() {
+                HandshakeError::WouldBlock(MidHandshakeSslStream { stream, error })
+            } else {
+                HandshakeError::Failure(MidHandshakeSslStream { stream, error })
+            })
         }
     }
 }

diff --git a/boring/src/string.rs b/boring/src/string.rs
@@ -15,7 +15,7 @@ foreign_type_and_impl_send_sync! {
 
     /// # Safety
     ///
-    /// MUST be UTF-8
+    /// MUST be UTF-8.
     pub struct OpensslString;
 }
 

diff --git a/boring/src/x509/mod.rs b/boring/src/x509/mod.rs
@@ -864,7 +864,7 @@ impl fmt::Debug for X509 {
 
         if let Ok(public_key) = &self.public_key() {
             debug_struct.field("public_key", public_key);
-        };
+        }
         // TODO: Print extensions once they are supported on the X509 struct.
 
         debug_struct.finish()
@@ -1535,7 +1535,7 @@ impl X509VerifyError {
 
     /// Return a human readable error string from the verification error.
     ///
-    /// Returns empty string if the message was not UTF-8
+    /// Returns empty string if the message was not UTF-8.
     #[corresponds(X509_verify_cert_error_string)]
     #[allow(clippy::trivially_copy_pass_by_ref)]
     #[must_use]

diff --git a/boring/src/x509/tests/trusted_first.rs b/boring/src/x509/tests/trusted_first.rs
@@ -61,7 +61,7 @@ fn test_verify_cert() {
         Ok(()),
         verify(&leaf, &[&root1], &[&intermediate, &root1_cross], |param| {
             param.clear_flags(X509Flags::TRUSTED_FIRST)
-        },)
+        })
     );
 }
 

diff --git a/tokio-boring/src/bridge.rs b/tokio-boring/src/bridge.rs
@@ -22,7 +22,7 @@ impl<S> AsyncStreamBridge<S> {
     }
 
     pub(crate) fn set_waker(&mut self, ctx: Option<&mut Context<'_>>) {
-        self.waker = ctx.map(|ctx| ctx.waker().clone())
+        self.waker = ctx.map(|ctx| ctx.waker().clone());
     }
 
     /// # Panics
-Original file line number
+Diff line change
@@ Expand Up / @@ -61,7 +61,7 @@ fn test_verify_cert() { @@
             Ok(()),
             verify(&leaf, &[&root1], &[&intermediate, &root1_cross], |param| {
                 param.clear_flags(X509Flags::TRUSTED_FIRST)
-            },)
+            })
         );
     }
@@ Expand Down @@