Store the verifier in a Box

These objects are seldom created.

examples/internal/bogo_shim.rs

@@ -135,8 +135,6 @@ impl rustls::ServerCertVerifier for NoVerification {
     }
 }
 
-static NO_VERIFICATION: NoVerification = NoVerification {};
-
 fn make_server_cfg(opts: &Options) -> Arc<rustls::ServerConfig> {
     let mut cfg = rustls::ServerConfig::new();
     let persist = rustls::ServerSessionMemoryCache::new(32);
@@ -149,7 +147,7 @@ fn make_server_cfg(opts: &Options) -> Arc<rustls::ServerConfig> {
     if opts.offer_no_client_cas || opts.require_any_client_cert {
         cfg.client_auth_offer = true;
         cfg.dangerous()
-            .set_certificate_verifier(&NO_VERIFICATION);
+            .set_certificate_verifier(Box::new(NoVerification {}));
     }
 
     if opts.require_any_client_cert {
@@ -190,7 +188,7 @@ fn make_client_cfg(opts: &Options) -> Arc<rustls::ClientConfig> {
     }
 
     cfg.dangerous()
-        .set_certificate_verifier(&NO_VERIFICATION);
+        .set_certificate_verifier(Box::new(NoVerification {}));
 
     if !opts.protocols.is_empty() {
         cfg.set_protocols(&opts.protocols);

examples/tlsclient.rs

@@ -393,8 +393,6 @@ mod danger {
             Ok(())
         }
     }
-
-    pub static NO_CERT_VERIFICATION: NoCertificateVerification = NoCertificateVerification {};
 }
 
 #[cfg(feature = "dangerous_configuration")]
@@ -402,7 +400,7 @@ fn apply_dangerous_options(args: &Args, cfg: &mut rustls::ClientConfig) {
     if args.flag_insecure {
         cfg
             .dangerous()
-            .set_certificate_verifier(&danger::NO_CERT_VERIFICATION)
+            .set_certificate_verifier(Box::new(danger::NoCertificateVerification {}));
     }
 }
 

src/client.rs

@@ -191,7 +191,7 @@ pub struct ClientConfig {
     pub versions: Vec<ProtocolVersion>,
 
     /// How to verify the server certificate chain.
-    verifier: &'static verify::ServerCertVerifier,
+    verifier: Box<verify::ServerCertVerifier>,
 }
 
 impl ClientConfig {
@@ -208,13 +208,13 @@ impl ClientConfig {
             client_auth_cert_resolver: Box::new(FailResolveClientCert {}),
             enable_tickets: true,
             versions: vec![ProtocolVersion::TLSv1_3, ProtocolVersion::TLSv1_2],
-            verifier: &verify::WEB_PKI
+            verifier: Box::new(verify::WebPKIVerifier {})
         }
     }
 
     #[doc(hidden)]
-    pub fn get_verifier(&self) -> &'static verify::ServerCertVerifier {
-        self.verifier
+    pub fn get_verifier(&self) -> &verify::ServerCertVerifier {
+        self.verifier.as_ref()
     }
 
     /// Set the ALPN protocol list to the given protocol names.
@@ -271,14 +271,17 @@ impl ClientConfig {
 /// Container for unsafe APIs
 #[cfg(feature = "dangerous_configuration")]
 pub mod danger {
+    use super::ClientConfig;
+    use super::verify::ServerCertVerifier;
+
     pub struct DangerousClientConfig<'a> {
-        pub cfg: &'a mut super::ClientConfig
+        pub cfg: &'a mut ClientConfig
     }
 
     impl<'a> DangerousClientConfig<'a> {
         /// Overrides the default `ServerCertVerifier` with something else.
         pub fn set_certificate_verifier(&mut self,
-                                        verifier: &'static super::verify::ServerCertVerifier) {
+                                        verifier: Box<ServerCertVerifier>) {
             self.cfg.verifier = verifier;
         }
     }

src/server.rs

@@ -130,7 +130,7 @@ pub struct ServerConfig {
     pub versions: Vec<ProtocolVersion>,
 
     /// How to verify client certificates.
-    verifier: &'static verify::ClientCertVerifier,
+    verifier: Box<verify::ClientCertVerifier>,
 }
 
 /// Something which never stores sessions.
@@ -270,13 +270,13 @@ impl ServerConfig {
             client_auth_offer: false,
             client_auth_mandatory: false,
             versions: vec![ ProtocolVersion::TLSv1_3, ProtocolVersion::TLSv1_2 ],
-            verifier: &verify::WEB_PKI
+            verifier: Box::new(verify::WebPKIVerifier {}),
         }
     }
 
     #[doc(hidden)]
-    pub fn get_verifier(&self) -> &'static verify::ClientCertVerifier {
-        self.verifier
+    pub fn get_verifier(&self) -> &verify::ClientCertVerifier {
+        self.verifier.as_ref()
     }
 
     /// Sets the session persistence layer to `persist`.
@@ -331,14 +331,17 @@ impl ServerConfig {
 /// Container for unsafe APIs
 #[cfg(feature = "dangerous_configuration")]
 pub mod danger {
+    use super::ServerConfig;
+    use super::verify::ClientCertVerifier;
+
     pub struct DangerousServerConfig<'a> {
-        pub cfg: &'a mut super::ServerConfig
+        pub cfg: &'a mut ServerConfig
     }
 
     impl<'a> DangerousServerConfig<'a> {
         /// Overrides the default `ClientCertVerifier` with something else.
         pub fn set_certificate_verifier(&mut self,
-                                        verifier: &'static super::verify::ClientCertVerifier) {
+                                        verifier: Box<ClientCertVerifier>) {
             self.cfg.verifier = verifier;
         }
     }

src/verify.rs

@@ -46,7 +46,6 @@ pub trait ClientCertVerifier : Send + Sync {
 }
 
 pub struct WebPKIVerifier {}
-pub static WEB_PKI: WebPKIVerifier = WebPKIVerifier {};
 
 impl ServerCertVerifier for WebPKIVerifier {
     fn verify_server_cert(&self,

src/verifybench.rs

@@ -35,7 +35,7 @@ fn bench<Fsetup, Ftest, S>(count: usize, name: &'static str, f_setup: Fsetup, f_
              times.iter().min().unwrap() / 1000);
 }
 
-static V: &'static verify::WebPKIVerifier = &verify::WEB_PKI;
+static V: &'static verify::WebPKIVerifier = &verify::WebPKIVerifier {};
 
 #[test]
 fn test_reddit_cert() {