From 1542d9cb55486ebab7199aeaa2ea6a51771ef76d Mon Sep 17 00:00:00 2001 From: Kornel Date: Fri, 17 Oct 2025 16:33:43 +0100 Subject: [PATCH 1/4] Update GitHub Actions versions --- .github/workflows/ci.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4a47b9b..bb77aee 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -17,7 +17,7 @@ jobs: name: rustfmt runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v5 - uses: sfackler/actions/rustup@master - uses: sfackler/actions/rustfmt@master @@ -32,25 +32,25 @@ jobs: name: test-${{ matrix.os }} runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v5 - uses: sfackler/actions/rustup@master with: version: 1.80.0 - run: echo "::set-output name=version::$(rustc --version)" id: rust-version - - uses: actions/cache@v1 + - uses: actions/cache@v4 with: path: ~/.cargo/registry/index key: index-${{ runner.os }}-${{ github.run_number }} restore-keys: | index-${{ runner.os }}- - run: cargo generate-lockfile - - uses: actions/cache@v1 + - uses: actions/cache@v4 with: path: ~/.cargo/registry/cache key: registry-${{ runner.os }}-${{ steps.rust-version.outputs.version }}-${{ hashFiles('Cargo.lock') }} - run: cargo fetch - - uses: actions/cache@v1 + - uses: actions/cache@v4 with: path: target key: target-${{ runner.os }}-${{ steps.rust-version.outputs.version }}-${{ hashFiles('Cargo.lock') }} From 56dc8cbbe1bb1d9d80da084e548991057b717e32 Mon Sep 17 00:00:00 2001 From: Kornel Date: Fri, 17 Oct 2025 17:00:33 +0100 Subject: [PATCH 2/4] Fix race condition in import_options test --- src/imp/security_framework.rs | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/src/imp/security_framework.rs b/src/imp/security_framework.rs index 302791a..a95e3ab 100644 --- a/src/imp/security_framework.rs +++ b/src/imp/security_framework.rs 
@@ -199,9 +199,12 @@ impl Identity { } }); - let keychain = match *TEMP_KEYCHAIN.lock().unwrap() { - Some((ref keychain, _)) => keychain.clone(), - ref mut lock @ None => { + // keep it locked during import() + let keychain = &mut *TEMP_KEYCHAIN.lock().unwrap(); + + let keychain = match keychain { + Some((keychain, _)) => keychain.clone(), + lock @ None => { let dir = tempfile::TempDir::new().map_err(|_| Error(base::Error::from(errSecIO)))?; From 596a0ebc2d525567912164f56ed1005f608f8cad Mon Sep 17 00:00:00 2001 From: Kornel Date: Fri, 17 Oct 2025 16:23:18 +0100 Subject: [PATCH 3/4] Upgrade to Edition 2021 --- Cargo.toml | 1 + src/imp/openssl.rs | 25 +++++++++++-------------- src/imp/schannel.rs | 27 ++++++++++++++------------- src/imp/security_framework.rs | 30 +++++++++++++----------------- 4 files changed, 39 insertions(+), 44 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index e6a49eb..ea9625a 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -7,6 +7,7 @@ description = "A wrapper over a platform's native TLS implementation" repository = "https://github.com/sfackler/rust-native-tls" readme = "README.md" rust-version = "1.80.0" +edition = "2021" [package.metadata.docs.rs] features = ["alpn"] diff --git a/src/imp/openssl.rs b/src/imp/openssl.rs index 4e096c1..a755924 100644 --- a/src/imp/openssl.rs +++ b/src/imp/openssl.rs 
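Review bot: The lock scope in the added `let keychain = &mut *TEMP_KEYCHAIN.lock().unwrap();` rests on temporary lifetime extension: the `MutexGuard` is never named, and it survives to the end of the enclosing block only because the temporary is borrowed directly in a `let` initialiser. A later refactor that moves the expression back into a `match` scrutinee or into a helper would shorten the guard's life again and silently reintroduce the race, with nothing in the code to flag it. Binding the guard makes the intent explicit and avoids shadowing `keychain` twice: `let mut keychain_guard = TEMP_KEYCHAIN.lock().unwrap();` followed by `let keychain = match &mut *keychain_guard {`. The comment could also state the reason, e.g. `// Hold the lock until import() returns; imports presumably share the one temporary keychain.` The function body continues outside the hunk, so it should be confirmed there that import() runs in the same block as the guard.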
@@ -1,23 +1,20 @@ -extern crate openssl; -extern crate openssl_probe; - -use self::openssl::error::ErrorStack; -use self::openssl::hash::MessageDigest; -use self::openssl::nid::Nid; -use self::openssl::pkcs12::Pkcs12; -use self::openssl::pkey::{PKey, Private}; -use self::openssl::ssl::{ +use openssl::error::ErrorStack; +use openssl::hash::MessageDigest; +use openssl::nid::Nid; +use openssl::pkcs12::Pkcs12; +use openssl::pkey::{PKey, Private}; +use openssl::ssl::{ self, MidHandshakeSslStream, SslAcceptor, SslConnector, SslContextBuilder, SslMethod, SslVerifyMode, }; -use self::openssl::x509::{store::X509StoreBuilder, X509VerifyResult, X509}; -use self::openssl_probe::ProbeResult; +use openssl::x509::{store::X509StoreBuilder, X509VerifyResult, X509}; +use openssl_probe::ProbeResult; use std::error; use std::fmt; use std::io; use std::sync::LazyLock; -use {Protocol, TlsAcceptorBuilder, TlsConnectorBuilder}; +use crate::{Protocol, TlsAcceptorBuilder, TlsConnectorBuilder}; static PROBE_RESULT: LazyLock = LazyLock::new(openssl_probe::probe); @@ -27,7 +24,7 @@ fn supported_protocols( max: Option, ctx: &mut SslContextBuilder, ) -> Result<(), ErrorStack> { - use self::openssl::ssl::SslVersion; + use openssl::ssl::SslVersion; fn cvt(p: Protocol) -> SslVersion { match p { @@ -50,7 +47,7 @@ fn supported_protocols( max: Option, ctx: &mut SslContextBuilder, ) -> Result<(), ErrorStack> { - use self::openssl::ssl::SslOptions; + use openssl::ssl::SslOptions; let no_ssl_mask = SslOptions::NO_SSLV2 | SslOptions::NO_SSLV3 diff --git a/src/imp/schannel.rs b/src/imp/schannel.rs index 62e5042..8314a27 100644 --- a/src/imp/schannel.rs +++ b/src/imp/schannel.rs 
@@ -1,16 +1,14 @@ -extern crate schannel; - -use self::schannel::cert_context::{CertContext, HashAlgorithm, KeySpec}; -use self::schannel::cert_store::{CertAdd, CertStore, Memory, PfxImportOptions}; -use self::schannel::crypt_prov::{AcquireOptions, ProviderType}; -use self::schannel::schannel_cred::{Direction, Protocol, SchannelCred}; -use self::schannel::tls_stream; +use schannel::cert_context::{CertContext, HashAlgorithm, KeySpec}; +use schannel::cert_store::{CertAdd, CertStore, Memory, PfxImportOptions}; +use schannel::crypt_prov::{AcquireOptions, ProviderType}; +use schannel::schannel_cred::{Direction, Protocol, SchannelCred}; +use schannel::tls_stream; use std::error; use std::fmt; use std::io; use std::str; -use {TlsAcceptorBuilder, TlsConnectorBuilder}; +use crate::{TlsAcceptorBuilder, TlsConnectorBuilder}; const SEC_E_NO_CREDENTIALS: u32 = 0x8009030E; @@ -21,7 +19,10 @@ static PROTOCOLS: &'static [Protocol] = &[ Protocol::Tls12, ]; -fn convert_protocols(min: Option<::Protocol>, max: Option<::Protocol>) -> &'static [Protocol] { +fn convert_protocols( + min: Option, + max: Option, +) -> &'static [Protocol] { let mut protocols = PROTOCOLS; if let Some(p) = max.and_then(|max| protocols.get(..=max as usize)) { protocols = p; @@ -236,8 +237,8 @@ impl From for HandshakeError { pub struct TlsConnector { cert: Option, roots: CertStore, - min_protocol: Option<::Protocol>, - max_protocol: Option<::Protocol>, + min_protocol: Option, + max_protocol: Option, use_sni: bool, accept_invalid_hostnames: bool, accept_invalid_certs: bool, @@ -327,8 +328,8 @@ impl TlsConnector { #[derive(Clone)] pub struct TlsAcceptor { cert: CertContext, - min_protocol: Option<::Protocol>, - max_protocol: Option<::Protocol>, + min_protocol: Option, + max_protocol: Option, } impl TlsAcceptor { diff --git a/src/imp/security_framework.rs b/src/imp/security_framework.rs index a95e3ab..26dccbb 100644 --- a/src/imp/security_framework.rs +++ b/src/imp/security_framework.rs 
@@ -1,16 +1,12 @@
-extern crate libc;
-extern crate security_framework;
-extern crate security_framework_sys;
-
-use self::security_framework::base;
-use self::security_framework::certificate::SecCertificate;
-use self::security_framework::identity::SecIdentity;
-use self::security_framework::import_export::{ImportedIdentity, Pkcs12ImportOptions};
-use self::security_framework::random::SecRandom;
-use self::security_framework::secure_transport::{
+use security_framework::base;
+use security_framework::certificate::SecCertificate;
+use security_framework::identity::SecIdentity;
+use security_framework::import_export::{ImportedIdentity, Pkcs12ImportOptions};
+use security_framework::random::SecRandom;
+use security_framework::secure_transport::{
 self, ClientBuilder, SslConnectionType, SslContext, SslProtocol, SslProtocolSide,
 };
-use self::security_framework_sys::base::{errSecIO, errSecParam};
+use security_framework_sys::base::{errSecIO, errSecParam};
 use std::error;
 use std::fmt;
 use std::io;
@@ -24,28 +20,28 @@ use std::sync::Once; target_os = "tvos", target_os = "visionos" )))] -use self::security_framework::os::macos::certificate::{PropertyType, SecCertificateExt}; +use security_framework::os::macos::certificate::{PropertyType, SecCertificateExt}; #[cfg(not(any( target_os = "ios", target_os = "watchos", target_os = "tvos", target_os = "visionos" )))] -use self::security_framework::os::macos::certificate_oids::CertificateOid; +use security_framework::os::macos::certificate_oids::CertificateOid; #[cfg(not(any( target_os = "ios", target_os = "watchos", target_os = "tvos", target_os = "visionos" )))] -use self::security_framework::os::macos::identity::SecIdentityExt; +use security_framework::os::macos::identity::SecIdentityExt; #[cfg(not(any( target_os = "ios", target_os = "watchos", target_os = "tvos", target_os = "visionos" )))] -use self::security_framework::os::macos::import_export::{ +use security_framework::os::macos::import_export::{ ImportOptions, Pkcs12ImportOptionsExt, SecItems, }; #[cfg(not(any( @@ -54,9 +50,9 @@ use self::security_framework::os::macos::import_export::{ target_os = "tvos", target_os = "visionos" )))] -use self::security_framework::os::macos::keychain::{self, KeychainSettings, SecKeychain}; +use security_framework::os::macos::keychain::{self, KeychainSettings, SecKeychain}; -use {Protocol, TlsAcceptorBuilder, TlsConnectorBuilder}; +use crate::{Protocol, TlsAcceptorBuilder, TlsConnectorBuilder}; static SET_AT_EXIT: Once = Once::new(); From 96a59b973cc47d025ac254e34f6ceed28a6bf50c Mon Sep 17 00:00:00 2001 From: Kornel Date: Fri, 17 Oct 2025 16:27:20 +0100 Subject: [PATCH 4/4] Simplify module declarations --- src/imp/openssl.rs | 1 + src/lib.rs | 17 ++++++----------- 2 files changed, 7 insertions(+), 11 deletions(-) diff --git a/src/imp/openssl.rs b/src/imp/openssl.rs index a755924..84fcf14 100644 --- a/src/imp/openssl.rs +++ b/src/imp/openssl.rs 
@@ -15,6 +15,7 @@ use std::io; use std::sync::LazyLock; use crate::{Protocol, TlsAcceptorBuilder, TlsConnectorBuilder}; +use log::debug; static PROBE_RESULT: LazyLock = LazyLock::new(openssl_probe::probe); diff --git a/src/lib.rs b/src/lib.rs index 30c53ff..3d701b4 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -103,17 +103,12 @@ use std::fmt; use std::io; use std::result; -#[cfg(not(any(target_os = "windows", target_vendor = "apple")))] -#[macro_use] -extern crate log; -#[cfg(target_vendor = "apple")] -#[path = "imp/security_framework.rs"] -mod imp; -#[cfg(target_os = "windows")] -#[path = "imp/schannel.rs"] -mod imp; -#[cfg(not(any(target_vendor = "apple", target_os = "windows")))] -#[path = "imp/openssl.rs"] +#[cfg_attr(target_vendor = "apple", path = "imp/security_framework.rs")] +#[cfg_attr(target_os = "windows", path = "imp/schannel.rs")] +#[cfg_attr( + not(any(target_vendor = "apple", target_os = "windows")), + path = "imp/openssl.rs" +)] mod imp; #[cfg(test)]
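Review bot: The single `mod imp;` in src/lib.rs now depends on the three `cfg_attr(..., path = ...)` conditions being mutually exclusive and exhaustive, and nothing at the declaration says so. If a later edit leaves some target with no matching attribute, `mod imp;` falls back to the default lookup (`src/imp.rs` or `src/imp/mod.rs`) and the build fails with a missing-file error that does not point at the cfg. Since this declaration appears to be what selects the platform TLS backend, a short comment above the attributes would help, e.g. `// Exactly one backend file is compiled as imp: security_framework.rs (Apple), schannel.rs (Windows), openssl.rs (everything else).`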