Merge branch 'release-v0.7.0' into release

2015-11-16 21:11:00 -08:00 · 2015-11-16 21:11:00 -08:00 · 094e8e5b3e
parent 38b0defd91 82547f53d7
commit 094e8e5b3e
22 changed files with 967 additions and 428 deletions
--- a/.travis.yml
+++ b/.travis.yml
@ -1,4 +1,5 @@
 language: rust
 sudo: false
 rust:
 - nightly
 - beta
@ -8,10 +9,10 @@ os:
 - linux
 env:
  global:
-    - FEATURES="tlsv1_2 tlsv1_1 dtlsv1 dtlsv1_2 sslv2 aes_xts npn alpn aes_ctr"
+    - FEATURES="tlsv1_2 tlsv1_1 dtlsv1 dtlsv1_2 sslv2 sslv3 aes_xts aes_ctr npn alpn rfc5114 ecdh_auto"
 before_install:
 - (test $TRAVIS_OS_NAME == "osx" || ./openssl/test/build.sh)
 script:
 - (test $TRAVIS_OS_NAME != "osx" || (cd openssl && cargo test))
- (test $TRAVIS_OS_NAME == "osx" || (cd openssl && OPENSSL_LIB_DIR=/usr/lib OPENSSL_INCLUDE_DIR=/usr/include LD_LIBRARY_PATH=/usr/lib:$LD_LIBRARY_PATH cargo test))
+- (test $TRAVIS_OS_NAME == "osx" || (cd openssl && OPENSSL_LIB_DIR=$HOME/openssl/lib OPENSSL_INCLUDE_DIR=$HOME/openssl/include LD_LIBRARY_PATH=$HOME/openssl/lib:$LD_LIBRARY_PATH PATH=$HOME/openssl/bin:$PATH cargo test))
- (test $TRAVIS_OS_NAME == "osx" || (cd openssl && OPENSSL_LIB_DIR=/usr/lib OPENSSL_INCLUDE_DIR=/usr/include LD_LIBRARY_PATH=/usr/lib:$LD_LIBRARY_PATH cargo test --features "$FEATURES"))
+- (test $TRAVIS_OS_NAME == "osx" || (cd openssl && OPENSSL_LIB_DIR=$HOME/openssl/lib OPENSSL_INCLUDE_DIR=$HOME/openssl/include LD_LIBRARY_PATH=$HOME/openssl/lib:$LD_LIBRARY_PATH PATH=$HOME/openssl/bin:$PATH cargo test --features "$FEATURES"))
--- a/README.md
+++ b/README.md
@ -2,7 +2,7 @@
 [![Build Status](https://travis-ci.org/sfackler/rust-openssl.svg?branch=master)](https://travis-ci.org/sfackler/rust-openssl)
-[Documentation](https://sfackler.github.io/rust-openssl/doc/v0.6.7/openssl).
+[Documentation](https://sfackler.github.io/rust-openssl/doc/v0.7.0/openssl).
 ## Building
--- a/openssl-sys-extras/Cargo.toml
+++ b/openssl-sys-extras/Cargo.toml
@ -0,0 +1,21 @@
 [package]
 name = "openssl-sys-extras"
 version = "0.7.0"
 authors = ["Steven Fackler <sfackler@gmail.com>"]
 license = "MIT"
 description = "Extra FFI bindings to OpenSSL that require a C shim"
 repository = "https://github.com/sfackler/rust-openssl"
 documentation = "https://sfackler.github.io/rust-openssl/doc/v0.7.0/openssl_sys_extras"
 links = "openssl_shim"
 build = "build.rs"
 [features]
 ecdh_auto = []
 [dependencies]
 libc = "0.2"
 openssl-sys = { version = "0.7", path = "../openssl-sys" }
 [build-dependencies]
 gcc = "0.3"
--- a/openssl-sys-extras/build.rs
+++ b/openssl-sys-extras/build.rs
@ -0,0 +1,77 @@
 extern crate gcc;
 use std::env;
 use std::path::PathBuf;
 use std::fs::File;
 use std::io::Write as IoWrite;
 use std::fmt::Write;
 fn main() {
    let options_shim_file = generate_options_shim();
    let mut config = gcc::Config::new();
    if let Some(paths) = env::var_os("DEP_OPENSSL_INCLUDE") {
        for path in env::split_paths(&paths) {
            config.include(PathBuf::from(path));
        }
    }
    config.file("src/openssl_shim.c")
        .file(options_shim_file)
        .compile("libopenssl_shim.a");
 }
 macro_rules! import_options {
    ( $( $name:ident $val:expr  )* ) => {
       &[ $( (stringify!($name),$val), )* ]
    };
 }
 fn generate_options_shim() -> PathBuf {
    let options: &[(&'static str,u64)]=include!("src/ssl_options.rs");
    let mut shim = String::new();
    writeln!(shim,"#include <stdint.h>").unwrap();
    writeln!(shim,"#include <openssl/ssl.h>").unwrap();
    for &(name,value) in options {
        writeln!(shim,"#define RUST_{} UINT64_C({})",name,value).unwrap();
        writeln!(shim,"#ifndef {}",name).unwrap();
        writeln!(shim,"# define {} 0",name).unwrap();
        writeln!(shim,"#endif").unwrap();
    }
    writeln!(shim,"#define COPY_MASK ( \\").unwrap();
    let mut it=options.iter().peekable();
    while let Some(&(name,_))=it.next()  {
        let eol=match it.peek() {
            Some(_) => " | \\",
            None    => " )"
        };
        writeln!(shim,"    ((RUST_{0}==(uint64_t)(uint32_t){0})?RUST_{0}:UINT64_C(0)){1}",name,eol).unwrap();
    }
    writeln!(shim,"long rust_openssl_ssl_ctx_options_rust_to_c(uint64_t rustval) {{").unwrap();
    writeln!(shim,"    long cval=rustval&COPY_MASK;").unwrap();
    for &(name,_) in options {
        writeln!(shim,"    if (rustval&RUST_{0}) cval|={0};",name).unwrap();
    }
    writeln!(shim,"    return cval;").unwrap();
    writeln!(shim,"}}").unwrap();
    writeln!(shim,"uint64_t rust_openssl_ssl_ctx_options_c_to_rust(long cval) {{").unwrap();
    writeln!(shim,"    uint64_t rustval=cval&COPY_MASK;").unwrap();
    for &(name,_) in options {
        writeln!(shim,"    if (cval&{0}) rustval|=RUST_{0};",name).unwrap();
    }
    writeln!(shim,"    return rustval;").unwrap();
    writeln!(shim,"}}").unwrap();
    let out_dir = env::var("OUT_DIR").unwrap();
    let dest_file = PathBuf::from(&out_dir).join("ssl_ctx_options_shim.c");
    let mut f = File::create(&dest_file).unwrap();
    f.write_all(shim.as_bytes()).unwrap();
    dest_file
 }
--- a/openssl-sys-extras/src/lib.rs
+++ b/openssl-sys-extras/src/lib.rs
@ -0,0 +1,68 @@
 #![allow(non_upper_case_globals, non_snake_case)]
 #![doc(html_root_url="https://sfackler.github.io/rust-openssl/doc/v0.7.0")]
 extern crate openssl_sys;
 extern crate libc;
 use libc::{c_int, c_uint, c_long, c_char};
 use openssl_sys::{HMAC_CTX, EVP_MD, ENGINE, SSL_CTX, BIO, X509, stack_st_X509_EXTENSION, SSL, DH};
 macro_rules! import_options {
    ( $( $name:ident $val:expr  )* ) => {
       $( pub const $name: u64 = $val; )*
    };
 }
 include!("ssl_options.rs");
 pub unsafe fn SSL_CTX_set_options(ssl: *mut SSL_CTX, op: u64) -> u64 {
    rust_openssl_ssl_ctx_options_c_to_rust(SSL_CTX_set_options_shim(ssl, rust_openssl_ssl_ctx_options_rust_to_c(op)))
 }
 pub unsafe fn SSL_CTX_get_options(ssl: *mut SSL_CTX) -> u64 {
    rust_openssl_ssl_ctx_options_c_to_rust(SSL_CTX_get_options_shim(ssl))
 }
 pub unsafe fn SSL_CTX_clear_options(ssl: *mut SSL_CTX, op: u64) -> u64 {
    rust_openssl_ssl_ctx_options_c_to_rust(SSL_CTX_clear_options_shim(ssl, rust_openssl_ssl_ctx_options_rust_to_c(op)))
 }
 extern {
    fn rust_openssl_ssl_ctx_options_rust_to_c(rustval: u64) -> c_long;
    fn rust_openssl_ssl_ctx_options_c_to_rust(cval: c_long) -> u64;
    // Pre-1.0 versions of these didn't return anything, so the shims bridge that gap
    #[cfg_attr(not(target_os = "nacl"), link_name = "HMAC_Init_ex_shim")]
    pub fn HMAC_Init_ex(ctx: *mut HMAC_CTX, key: *const u8, keylen: c_int, md: *const EVP_MD, imple: *const ENGINE) -> c_int;
    #[cfg_attr(not(target_os = "nacl"), link_name = "HMAC_Final_shim")]
    pub fn HMAC_Final(ctx: *mut HMAC_CTX, output: *mut u8, len: *mut c_uint) -> c_int;
    #[cfg_attr(not(target_os = "nacl"), link_name = "HMAC_Update_shim")]
    pub fn HMAC_Update(ctx: *mut HMAC_CTX, input: *const u8, len: c_uint) -> c_int;
    // This isn't defined in < 1.0 so we copy the implementation there
    pub fn HMAC_CTX_copy(dst: *mut HMAC_CTX, src: *const HMAC_CTX) -> c_int;
    // These functions are defined in OpenSSL as macros, so we shim them
    #[link_name = "BIO_eof_shim"]
    pub fn BIO_eof(b: *mut BIO) -> c_int;
    #[link_name = "BIO_set_nbio_shim"]
    pub fn BIO_set_nbio(b: *mut BIO, enabled: c_long) -> c_long;
    #[link_name = "BIO_set_mem_eof_return_shim"]
    pub fn BIO_set_mem_eof_return(b: *mut BIO, v: c_int);
    pub fn SSL_CTX_set_options_shim(ctx: *mut SSL_CTX, options: c_long) -> c_long;
    pub fn SSL_CTX_get_options_shim(ctx: *mut SSL_CTX) -> c_long;
    pub fn SSL_CTX_clear_options_shim(ctx: *mut SSL_CTX, options: c_long) -> c_long;
    #[link_name = "SSL_CTX_add_extra_chain_cert_shim"]
    pub fn SSL_CTX_add_extra_chain_cert(ctx: *mut SSL_CTX, x509: *mut X509) -> c_long;
    #[link_name = "SSL_CTX_set_read_ahead_shim"]
    pub fn SSL_CTX_set_read_ahead(ctx: *mut SSL_CTX, m: c_long) -> c_long;
    #[cfg(feature = "ecdh_auto")]
    #[link_name = "SSL_CTX_set_ecdh_auto_shim"]
    pub fn SSL_CTX_set_ecdh_auto(ssl: *mut SSL_CTX, onoff: c_int) -> c_int;
    #[link_name = "SSL_set_tlsext_host_name_shim"]
    pub fn SSL_set_tlsext_host_name(s: *mut SSL, name: *const c_char) -> c_long;
    #[link_name = "SSL_CTX_set_tmp_dh_shim"]
    pub fn SSL_CTX_set_tmp_dh(s: *mut SSL, dh: *const DH) -> c_long;
    #[link_name = "X509_get_extensions_shim"]
    pub fn X509_get_extensions(x: *mut X509) -> *mut stack_st_X509_EXTENSION;
 }
--- a/openssl-sys-extras/src/openssl_shim.c
+++ b/openssl-sys-extras/src/openssl_shim.c
@ -83,6 +83,10 @@ int BIO_eof_shim(BIO *b) {
    return BIO_eof(b);
 }
 long BIO_set_nbio_shim(BIO *b, long enabled) {
    return BIO_set_nbio(b, enabled);
 }
 void BIO_set_mem_eof_return_shim(BIO *b, int v) {
    BIO_set_mem_eof_return(b, v);
 }
--- a/openssl-sys-extras/src/ssl_options.rs
+++ b/openssl-sys-extras/src/ssl_options.rs
--- a/openssl-sys/Cargo.toml
+++ b/openssl-sys/Cargo.toml
@ -1,12 +1,12 @@
 [package]
 name = "openssl-sys"
-version = "0.6.7"
+version = "0.7.0"
 authors = ["Alex Crichton <alex@alexcrichton.com>",
           "Steven Fackler <sfackler@gmail.com>"]
 license = "MIT"
 description = "FFI bindings to OpenSSL"
 repository = "https://github.com/sfackler/rust-openssl"
-documentation = "https://sfackler.github.io/rust-openssl/doc/v0.6.7/openssl_sys"
+documentation = "https://sfackler.github.io/rust-openssl/doc/v0.7.0/openssl_sys"
 links = "openssl"
 build = "build.rs"
@ -17,15 +17,15 @@ tlsv1_1 = []
 dtlsv1 = []
 dtlsv1_2 = []
 sslv2 = []
 sslv3 = []
 aes_xts = []
 aes_ctr = []
 npn = []
 alpn = []
 rfc5114 = []
 ecdh_auto = []
 [dependencies]
-libc = "0.1"
+libc = "0.2"
 [build-dependencies]
 pkg-config = "0.3"
@ -39,3 +39,17 @@ libressl-pnacl-sys = "2.1.0"
 libressl-pnacl-sys = "2.1.0"
 [target.arm-unknown-nacl.dependencies]
 libressl-pnacl-sys = "2.1.0"
 # Only here to make sure we link to these in a static build on Windows
 [target.i686-pc-windows-gnu]
 user32-sys = "0.1"
 gdi32-sys = "0.1"
 [target.x86_64-pc-windows-gnu]
 user32-sys = "0.1"
 gdi32-sys = "0.1"
 [target.i686-pc-windows-msvc]
 user32-sys = "0.1"
 gdi32-sys = "0.1"
 [target.x86_64-pc-windows-msvc]
 user32-sys = "0.1"
 gdi32-sys = "0.1"
--- a/openssl-sys/build.rs
+++ b/openssl-sys/build.rs
@ -2,10 +2,6 @@ extern crate pkg_config;
 extern crate gcc;
 use std::env;
 use std::fmt::Write as FmtWrite;
 use std::path::PathBuf;
 use std::fs::File;
 use std::io::Write;
 fn main() {
    let target = env::var("TARGET").unwrap();
@ -20,7 +16,8 @@ fn main() {
        // rustc doesn't seem to work with pkg-config's output in mingw64
        if !target.contains("windows") {
            if let Ok(info) = pkg_config::find_library("openssl") {
-                build_openssl_shim(&info.include_paths);
+                let paths = env::join_paths(info.include_paths).unwrap();
                println!("cargo:include={}", paths.to_str().unwrap());
                return;
            }
        }
@ -59,82 +56,9 @@ fn main() {
        println!("cargo:rustc-link-lib={}={}", mode, lib);
    }
    let mut include_dirs = vec![];
    if let Some(include_dir) = include_dir {
        println!("cargo:include={}", include_dir);
        include_dirs.push(PathBuf::from(&include_dir));
    }
    build_openssl_shim(&include_dirs);
 }
 macro_rules! import_options {
    ( $( $name:ident $val:expr  )* ) => {
       &[ $( (stringify!($name),$val), )* ]
    };
 }
 fn generate_options_shim() -> PathBuf {
    let options: &[(&'static str,u64)]=include!("src/ssl_options.rs");
    let mut shim = String::new();
    writeln!(shim,"#include <stdint.h>").unwrap();
    writeln!(shim,"#include <openssl/ssl.h>").unwrap();
    for &(name,value) in options {
        writeln!(shim,"#define RUST_{} UINT64_C({})",name,value).unwrap();
        writeln!(shim,"#ifndef {}",name).unwrap();
        writeln!(shim,"# define {} 0",name).unwrap();
        writeln!(shim,"#endif").unwrap();
    }
    writeln!(shim,"#define COPY_MASK ( \\").unwrap();
    let mut it=options.iter().peekable();
    while let Some(&(name,_))=it.next()  {
        let eol=match it.peek() {
            Some(_) => " | \\",
            None    => " )"
        };
        writeln!(shim,"    ((RUST_{0}==(uint64_t)(uint32_t){0})?RUST_{0}:UINT64_C(0)){1}",name,eol).unwrap();
    }
    writeln!(shim,"long rust_openssl_ssl_ctx_options_rust_to_c(uint64_t rustval) {{").unwrap();
    writeln!(shim,"    long cval=rustval&COPY_MASK;").unwrap();
    for &(name,_) in options {
        writeln!(shim,"    if (rustval&RUST_{0}) cval|={0};",name).unwrap();
    }
    writeln!(shim,"    return cval;").unwrap();
    writeln!(shim,"}}").unwrap();
    writeln!(shim,"uint64_t rust_openssl_ssl_ctx_options_c_to_rust(long cval) {{").unwrap();
    writeln!(shim,"    uint64_t rustval=cval&COPY_MASK;").unwrap();
    for &(name,_) in options {
        writeln!(shim,"    if (cval&{0}) rustval|=RUST_{0};",name).unwrap();
    }
    writeln!(shim,"    return rustval;").unwrap();
    writeln!(shim,"}}").unwrap();
    let out_dir = env::var("OUT_DIR").unwrap();
    let dest_file = PathBuf::from(&out_dir).join("ssl_ctx_options_shim.c");
    let mut f = File::create(&dest_file).unwrap();
    f.write_all(shim.as_bytes()).unwrap();
    dest_file
 }
 fn build_openssl_shim(include_paths: &[PathBuf]) {
    let options_shim_file = generate_options_shim();
    let mut config = gcc::Config::new();
    for path in include_paths {
        config.include(path);
    }
    config.file("src/openssl_shim.c")
        .file(options_shim_file)
        .compile("libopenssl_shim.a");
 }
 fn get_mingw_in_path() -> Option<Vec<String>> {
--- a/openssl-sys/src/lib.rs
+++ b/openssl-sys/src/lib.rs
@ -1,6 +1,6 @@
 #![allow(non_camel_case_types, non_upper_case_globals, non_snake_case)]
 #![allow(dead_code)]
-#![doc(html_root_url="https://sfackler.github.io/rust-openssl/doc/v0.6.7")]
+#![doc(html_root_url="https://sfackler.github.io/rust-openssl/doc/v0.7.0")]
 extern crate libc;
@ -159,14 +159,6 @@ pub const SSL_TLSEXT_ERR_ALERT_WARNING: c_int = 1;
 pub const SSL_TLSEXT_ERR_ALERT_FATAL: c_int = 2;
 pub const SSL_TLSEXT_ERR_NOACK: c_int = 3;
 macro_rules! import_options {
    ( $( $name:ident $val:expr  )* ) => {
       $( pub const $name: u64 = $val; )*
    };
 }
 include!("ssl_options.rs");
 #[cfg(any(feature = "npn", feature = "alpn"))]
 pub const OPENSSL_NPN_UNSUPPORTED: c_int = 0;
 #[cfg(any(feature = "npn", feature = "alpn"))]
@ -238,16 +230,14 @@ pub const X509_V_OK: c_int = 0;
 static mut MUTEXES: *mut Vec<Mutex<()>> = 0 as *mut Vec<Mutex<()>>;
 static mut GUARDS: *mut Vec<Option<MutexGuard<'static, ()>>> = 0 as *mut Vec<Option<MutexGuard<'static, ()>>>;
-extern fn locking_function(mode: c_int, n: c_int, _file: *const c_char,
+unsafe extern fn locking_function(mode: c_int, n: c_int, _file: *const c_char,
                               _line: c_int) {
-    unsafe {
+    let mutex = &(*MUTEXES)[n as usize];
        let mutex = &(*MUTEXES)[n as usize];
-        if mode & CRYPTO_LOCK != 0 {
+    if mode & CRYPTO_LOCK != 0 {
-            (*GUARDS)[n as usize] = Some(mutex.lock().unwrap());
+        (*GUARDS)[n as usize] = Some(mutex.lock().unwrap());
-        } else {
+    } else {
-            &(*GUARDS)[n as usize].take();
+        &(*GUARDS)[n as usize].take();
        }
    }
 }
@ -270,29 +260,27 @@ pub fn init() {
            GUARDS = mem::transmute(guards);
            CRYPTO_set_locking_callback(locking_function);
-            rust_openssl_set_id_callback();
+            set_id_callback();
        }
    })
 }
-pub unsafe fn SSL_CTX_set_options(ssl: *mut SSL_CTX, op: u64) -> u64 {
+#[cfg(unix)]
-    rust_openssl_ssl_ctx_options_c_to_rust(SSL_CTX_set_options_shim(ssl, rust_openssl_ssl_ctx_options_rust_to_c(op)))
+fn set_id_callback() {
    unsafe extern "C" fn thread_id() -> c_ulong {
        libc::pthread_self() as c_ulong
    }
    unsafe {
        CRYPTO_set_id_callback(thread_id);
    }
 }
-pub unsafe fn SSL_CTX_get_options(ssl: *mut SSL_CTX) -> u64 {
+#[cfg(not(unix))]
-    rust_openssl_ssl_ctx_options_c_to_rust(SSL_CTX_get_options_shim(ssl))
+fn set_id_callback() {}
 }
 pub unsafe fn SSL_CTX_clear_options(ssl: *mut SSL_CTX, op: u64) -> u64 {
    rust_openssl_ssl_ctx_options_c_to_rust(SSL_CTX_clear_options_shim(ssl, rust_openssl_ssl_ctx_options_rust_to_c(op)))
 }
 // True functions
 extern "C" {
    fn rust_openssl_ssl_ctx_options_rust_to_c(rustval: u64) -> c_long;
    fn rust_openssl_ssl_ctx_options_c_to_rust(cval: c_long) -> u64;
    fn rust_openssl_set_id_callback();
    pub fn ASN1_INTEGER_set(dest: *mut ASN1_INTEGER, value: c_long) -> c_int;
    pub fn ASN1_STRING_type_new(ty: c_int) -> *mut ASN1_STRING;
    pub fn ASN1_TIME_free(tm: *mut ASN1_TIME);
@ -375,10 +363,11 @@ extern "C" {
    pub fn BN_bn2hex(a: *mut BIGNUM) -> *const c_char;
    pub fn CRYPTO_num_locks() -> c_int;
-    pub fn CRYPTO_set_locking_callback(func: extern "C" fn(mode: c_int,
+    pub fn CRYPTO_set_locking_callback(func: unsafe extern "C" fn(mode: c_int,
-                                                           n: c_int,
+                                                                  n: c_int,
-                                                           file: *const c_char,
+                                                                  file: *const c_char,
-                                                           line: c_int));
+                                                                  line: c_int));
    pub fn CRYPTO_set_id_callback(func: unsafe extern "C" fn() -> c_ulong);
    pub fn CRYPTO_free(buf: *mut c_void);
    pub fn CRYPTO_memcmp(a: *const c_void, b: *const c_void,
                         len: size_t) -> c_int;
@ -465,25 +454,6 @@ extern "C" {
    pub fn HMAC_CTX_init(ctx: *mut HMAC_CTX);
    pub fn HMAC_CTX_cleanup(ctx: *mut HMAC_CTX);
    pub fn HMAC_CTX_copy(dst: *mut HMAC_CTX, src: *const HMAC_CTX) -> c_int;
    // Pre-1.0 versions of these didn't return anything, so the shims bridge that gap
    #[cfg_attr(not(target_os = "nacl"), link_name = "HMAC_Init_ex_shim")]
    pub fn HMAC_Init_ex(ctx: *mut HMAC_CTX, key: *const u8, keylen: c_int, md: *const EVP_MD, imple: *const ENGINE) -> c_int;
    #[cfg_attr(not(target_os = "nacl"), link_name = "HMAC_Final_shim")]
    pub fn HMAC_Final(ctx: *mut HMAC_CTX, output: *mut u8, len: *mut c_uint) -> c_int;
    #[cfg_attr(not(target_os = "nacl"), link_name = "HMAC_Update_shim")]
    pub fn HMAC_Update(ctx: *mut HMAC_CTX, input: *const u8, len: c_uint) -> c_int;
    /// Deprecated - use the non "_shim" version
    #[cfg_attr(target_os = "nacl", link_name = "HMAC_Init_ex")]
    pub fn HMAC_Init_ex_shim(ctx: *mut HMAC_CTX, key: *const u8, keylen: c_int, md: *const EVP_MD, imple: *const ENGINE) -> c_int;
    /// Deprecated - use the non "_shim" version
    #[cfg_attr(target_os = "nacl", link_name = "HMAC_Final")]
    pub fn HMAC_Final_shim(ctx: *mut HMAC_CTX, output: *mut u8, len: *mut c_uint) -> c_int;
    /// Deprecated - use the non "_shim" version
    #[cfg_attr(target_os = "nacl", link_name = "HMAC_Update")]
    pub fn HMAC_Update_shim(ctx: *mut HMAC_CTX, input: *const u8, len: c_uint) -> c_int;
    pub fn PEM_read_bio_DHparams(bio: *mut BIO, out: *mut *mut DH, callback: Option<PasswordCallback>,
                             user_data: *mut c_void) -> *mut DH;
@ -513,8 +483,13 @@ extern "C" {
    pub fn RAND_bytes(buf: *mut u8, num: c_int) -> c_int;
    pub fn RSA_generate_key(modsz: c_int, e: c_ulong, cb: *const c_void, cbarg: *const c_void) -> *mut RSA;
    pub fn RSA_generate_key_ex(rsa: *mut RSA, bits: c_int, e: *mut BIGNUM, cb: *const c_void) -> c_int;
    pub fn RSA_private_decrypt(flen: c_int, from: *const u8, to: *mut u8, k: *mut RSA,
                               pad: c_int) -> c_int;
    pub fn RSA_public_decrypt(flen: c_int, from: *const u8, to: *mut u8, k: *mut RSA,
                               pad: c_int) -> c_int;
    pub fn RSA_private_encrypt(flen: c_int, from: *const u8, to: *mut u8, k: *mut RSA,
                              pad: c_int) -> c_int;
    pub fn RSA_public_encrypt(flen: c_int, from: *const u8, to: *mut u8, k: *mut RSA,
                              pad: c_int) -> c_int;
    pub fn RSA_sign(t: c_int, m: *const u8, mlen: c_uint, sig: *mut u8, siglen: *mut c_uint,
@ -673,28 +648,6 @@ extern "C" {
    pub fn d2i_RSA_PUBKEY(k: *const *mut RSA, buf: *const *const u8, len: c_uint) -> *mut RSA;
    pub fn i2d_RSAPrivateKey(k: *mut RSA, buf: *const *mut u8) -> c_int;
    pub fn d2i_RSAPrivateKey(k: *const *mut RSA, buf: *const *const u8, len: c_uint) -> *mut RSA;
    // These functions are defined in OpenSSL as macros, so we shim them
    #[link_name = "BIO_eof_shim"]
    pub fn BIO_eof(b: *mut BIO) -> c_int;
    #[link_name = "BIO_set_mem_eof_return_shim"]
    pub fn BIO_set_mem_eof_return(b: *mut BIO, v: c_int);
    pub fn SSL_CTX_set_options_shim(ctx: *mut SSL_CTX, options: c_long) -> c_long;
    pub fn SSL_CTX_get_options_shim(ctx: *mut SSL_CTX) -> c_long;
    pub fn SSL_CTX_clear_options_shim(ctx: *mut SSL_CTX, options: c_long) -> c_long;
    #[link_name = "SSL_CTX_add_extra_chain_cert_shim"]
    pub fn SSL_CTX_add_extra_chain_cert(ctx: *mut SSL_CTX, x509: *mut X509) -> c_long;
    #[link_name = "SSL_CTX_set_read_ahead_shim"]
    pub fn SSL_CTX_set_read_ahead(ctx: *mut SSL_CTX, m: c_long) -> c_long;
    #[cfg(feature = "ecdh_auto")]
    #[link_name = "SSL_CTX_set_ecdh_auto_shim"]
    pub fn SSL_CTX_set_ecdh_auto(ssl: *mut SSL_CTX, onoff: c_int) -> c_int;
    #[link_name = "SSL_set_tlsext_host_name_shim"]
    pub fn SSL_set_tlsext_host_name(s: *mut SSL, name: *const c_char) -> c_long;
    #[link_name = "SSL_CTX_set_tmp_dh_shim"]
    pub fn SSL_CTX_set_tmp_dh(s: *mut SSL, dh: *const DH) -> c_long;
    #[link_name = "X509_get_extensions_shim"]
    pub fn X509_get_extensions(x: *mut X509) -> *mut stack_st_X509_EXTENSION;
 }
 pub mod probe;
--- a/openssl/Cargo.toml
+++ b/openssl/Cargo.toml
@ -1,11 +1,11 @@
 [package]
 name = "openssl"
-version = "0.6.7"
+version = "0.7.0"
 authors = ["Steven Fackler <sfackler@gmail.com>"]
 license = "Apache-2.0"
 description = "OpenSSL bindings"
 repository = "https://github.com/sfackler/rust-openssl"
-documentation = "https://sfackler.github.io/rust-openssl/doc/v0.6.7/openssl"
+documentation = "https://sfackler.github.io/rust-openssl/doc/v0.7.0/openssl"
 readme = "../README.md"
 keywords = ["crypto", "tls", "ssl", "dtls"]
@ -15,22 +15,23 @@ tlsv1_1 = ["openssl-sys/tlsv1_1"]
 dtlsv1 = ["openssl-sys/dtlsv1"]
 dtlsv1_2 = ["openssl-sys/dtlsv1_2"]
 sslv2 = ["openssl-sys/sslv2"]
 sslv3 = ["openssl-sys/sslv3"]
 aes_xts = ["openssl-sys/aes_xts"]
 aes_ctr = ["openssl-sys/aes_ctr"]
 npn = ["openssl-sys/npn"]
 alpn = ["openssl-sys/alpn"]
 rfc5114 = ["openssl-sys/rfc5114"]
-ecdh_auto = ["openssl-sys/ecdh_auto"]
+ecdh_auto = ["openssl-sys-extras/ecdh_auto"]
 [dependencies.openssl-sys]
 path = "../openssl-sys"
 version = "0.6.7"
 [dependencies]
 bitflags = ">= 0.2, < 0.4"
 lazy_static = "0.1"
-libc = "0.1"
+libc = "0.2"
 openssl-sys = { version = "0.7", path = "../openssl-sys" }
 openssl-sys-extras = { version = "0.7", path = "../openssl-sys-extras" }
 [dev-dependencies]
 rustc-serialize = "0.3"
-net2 = "0.2.13"
+net2 = "0.2.16"
 winapi = "0.2"
 ws2_32-sys = "0.2"
--- a/openssl/src/bio/mod.rs
+++ b/openssl/src/bio/mod.rs
@ -5,6 +5,7 @@ use std::ptr;
 use std::cmp;
 use ffi;
 use ffi_extras;
 use ssl::error::{SslError};
 pub struct MemBio {
@ -60,7 +61,7 @@ impl MemBio {
    /// Sets the BIO's EOF state.
    pub fn set_eof(&self, eof: bool) {
        let v = if eof { 0 } else { -1 };
-        unsafe { ffi::BIO_set_mem_eof_return(self.bio, v); }
+        unsafe { ffi_extras::BIO_set_mem_eof_return(self.bio, v); }
    }
 }
@ -72,7 +73,7 @@ impl Read for MemBio {
        };
        if ret <= 0 {
-            let is_eof = unsafe { ffi::BIO_eof(self.bio) };
+            let is_eof = unsafe { ffi_extras::BIO_eof(self.bio) };
            if is_eof != 0 {
                Ok(0)
            } else {
--- a/openssl/src/crypto/hmac.rs
+++ b/openssl/src/crypto/hmac.rs
@ -21,6 +21,7 @@ use std::io::prelude::*;
 use crypto::hash::Type;
 use ffi;
 use ffi_extras;
 #[derive(PartialEq, Copy, Clone)]
 enum State {
@ -88,9 +89,10 @@ impl HMAC {
    #[inline]
    fn init_once(&mut self, md: *const ffi::EVP_MD, key: &[u8]) {
        unsafe {
-            let r = ffi::HMAC_Init_ex(&mut self.ctx,
+            let r = ffi_extras::HMAC_Init_ex(&mut self.ctx,
-                                      key.as_ptr(), key.len() as c_int,
+                                             key.as_ptr(),
-                                      md, 0 as *const _);
+                                             key.len() as c_int,
                                             md, 0 as *const _);
            assert_eq!(r, 1);
        }
        self.state = Reset;
@ -106,9 +108,9 @@ impl HMAC {
        // If the key and/or md is not supplied it's reused from the last time
        // avoiding redundant initializations
        unsafe {
-            let r = ffi::HMAC_Init_ex(&mut self.ctx,
+            let r = ffi_extras::HMAC_Init_ex(&mut self.ctx,
-                                      0 as *const _, 0,
+                                             0 as *const _, 0,
-                                      0 as *const _, 0 as *const _);
+                                             0 as *const _, 0 as *const _);
            assert_eq!(r, 1);
        }
        self.state = Reset;
@ -120,7 +122,7 @@ impl HMAC {
            self.init();
        }
        unsafe {
-            let r = ffi::HMAC_Update(&mut self.ctx, data.as_ptr(), data.len() as c_uint);
+            let r = ffi_extras::HMAC_Update(&mut self.ctx, data.as_ptr(), data.len() as c_uint);
            assert_eq!(r, 1);
        }
        self.state = Updated;
@ -135,7 +137,7 @@ impl HMAC {
        let mut res: Vec<u8> = repeat(0).take(md_len).collect();
        unsafe {
            let mut len = 0;
-            let r = ffi::HMAC_Final(&mut self.ctx, res.as_mut_ptr(), &mut len);
+            let r = ffi_extras::HMAC_Final(&mut self.ctx, res.as_mut_ptr(), &mut len);
            self.state = Finalized;
            assert_eq!(len as usize, md_len);
            assert_eq!(r, 1);
@ -168,7 +170,7 @@ impl Clone for HMAC {
        let mut ctx: ffi::HMAC_CTX;
        unsafe {
            ctx = ::std::mem::uninitialized();
-            let r = ffi::HMAC_CTX_copy(&mut ctx, &self.ctx);
+            let r = ffi_extras::HMAC_CTX_copy(&mut ctx, &self.ctx);
            assert_eq!(r, 1);
        }
        HMAC { ctx: ctx, type_: self.type_, state: self.state }
@ -181,7 +183,7 @@ impl Drop for HMAC {
            if self.state != Finalized {
                let mut buf: Vec<u8> = repeat(0).take(self.type_.md_len()).collect();
                let mut len = 0;
-                ffi::HMAC_Final(&mut self.ctx, buf.as_mut_ptr(), &mut len);
+                ffi_extras::HMAC_Final(&mut self.ctx, buf.as_mut_ptr(), &mut len);
            }
            ffi::HMAC_CTX_cleanup(&mut self.ctx);
        }
--- a/openssl/src/crypto/pkey.rs
+++ b/openssl/src/crypto/pkey.rs
@ -276,7 +276,36 @@ impl PKey {
        }
    }
-    pub fn encrypt_with_padding(&self, s: &[u8], padding: EncryptionPadding) -> Vec<u8> {
+    pub fn private_encrypt_with_padding(&self, s: &[u8], padding: EncryptionPadding) -> Vec<u8> {
        unsafe {
            let rsa = ffi::EVP_PKEY_get1_RSA(self.evp);
            if rsa.is_null() {
                panic!("Could not get RSA key for encryption");
            }
            let len = ffi::RSA_size(rsa);
            assert!(s.len() < self.max_data());
            let mut r = repeat(0u8).take(len as usize + 1).collect::<Vec<_>>();
            let rv = ffi::RSA_private_encrypt(
                s.len() as c_int,
                s.as_ptr(),
                r.as_mut_ptr(),
                rsa,
                openssl_padding_code(padding));
            if rv < 0 as c_int {
                // println!("{:?}", SslError::get());
                vec!()
            } else {
                r.truncate(rv as usize);
                r
            }
        }
    }
    pub fn public_encrypt_with_padding(&self, s: &[u8], padding: EncryptionPadding) -> Vec<u8> {
        unsafe {
            let rsa = ffi::EVP_PKEY_get1_RSA(self.evp);
            if rsa.is_null() {
@ -304,7 +333,7 @@ impl PKey {
        }
    }
-    pub fn decrypt_with_padding(&self, s: &[u8], padding: EncryptionPadding) -> Vec<u8> {
+    pub fn private_decrypt_with_padding(&self, s: &[u8], padding: EncryptionPadding) -> Vec<u8> {
        unsafe {
            let rsa = ffi::EVP_PKEY_get1_RSA(self.evp);
            if rsa.is_null() {
@ -332,16 +361,78 @@ impl PKey {
        }
    }
-    /**
+    pub fn public_decrypt_with_padding(&self, s: &[u8], padding: EncryptionPadding) -> Vec<u8> {
-     * Encrypts data using OAEP padding, returning the encrypted data. The
+        unsafe {
-     * supplied data must not be larger than max_data().
+            let rsa = ffi::EVP_PKEY_get1_RSA(self.evp);
-     */
+            if rsa.is_null() {
-    pub fn encrypt(&self, s: &[u8]) -> Vec<u8> { self.encrypt_with_padding(s, EncryptionPadding::OAEP) }
+                panic!("Could not get RSA key for decryption");
            }
            let len = ffi::RSA_size(rsa);
            assert_eq!(s.len() as c_int, ffi::RSA_size(rsa));
            let mut r = repeat(0u8).take(len as usize + 1).collect::<Vec<_>>();
            let rv = ffi::RSA_public_decrypt(
                s.len() as c_int,
                s.as_ptr(),
                r.as_mut_ptr(),
                rsa,
                openssl_padding_code(padding));
            if rv < 0 as c_int {
                vec!()
            } else {
                r.truncate(rv as usize);
                r
            }
        }
    }
    /**
-     * Decrypts data, expecting OAEP padding, returning the decrypted data.
+     * Encrypts data with the public key, using OAEP padding, returning the encrypted data. The
     * supplied data must not be larger than max_data().
     */
-    pub fn decrypt(&self, s: &[u8]) -> Vec<u8> { self.decrypt_with_padding(s, EncryptionPadding::OAEP) }
+    pub fn encrypt(&self, s: &[u8]) -> Vec<u8> { self.public_encrypt_with_padding(s, EncryptionPadding::OAEP) }
    /**
     * Encrypts data with the public key, using provided padding, returning the encrypted data. The
     * supplied data must not be larger than max_data().
     */
    pub fn encrypt_with_padding(&self, s: &[u8], padding: EncryptionPadding) -> Vec<u8> { self.public_encrypt_with_padding(s, padding) }
    /**
     * Encrypts data with the public key, using OAEP padding, returning the encrypted data. The
     * supplied data must not be larger than max_data().
     */
    pub fn public_encrypt(&self, s: &[u8]) -> Vec<u8> { self.public_encrypt_with_padding(s, EncryptionPadding::OAEP) }
    /**
     * Decrypts data with the public key, using PKCS1v15 padding, returning the decrypted data.
     */
    pub fn public_decrypt(&self, s: &[u8]) -> Vec<u8> { self.public_decrypt_with_padding(s, EncryptionPadding::PKCS1v15) }
    /**
     * Decrypts data with the private key, expecting OAEP padding, returning the decrypted data.
     */
    pub fn decrypt(&self, s: &[u8]) -> Vec<u8> { self.private_decrypt_with_padding(s, EncryptionPadding::OAEP) }
    /**
     * Decrypts data with the private key, using provided padding, returning the encrypted data. The
     * supplied data must not be larger than max_data().
     */
    pub fn decrypt_with_padding(&self, s: &[u8], padding: EncryptionPadding) -> Vec<u8> { self.private_decrypt_with_padding(s, padding) }
    /**
     * Decrypts data with the private key, expecting OAEP padding, returning the decrypted data.
     */
    pub fn private_decrypt(&self, s: &[u8]) -> Vec<u8> { self.private_decrypt_with_padding(s, EncryptionPadding::OAEP) }
    /**
     * Encrypts data with the private key, using PKCS1v15 padding, returning the encrypted data. The
     * supplied data must not be larger than max_data().
     */
    pub fn private_encrypt(&self, s: &[u8]) -> Vec<u8> { self.private_encrypt_with_padding(s, EncryptionPadding::PKCS1v15) }
    /**
     * Signs data, using OpenSSL's default scheme and adding sha256 ASN.1 information to the
@ -493,26 +584,38 @@ mod tests {
    }
    #[test]
-    fn test_encrypt() {
+    fn test_private_encrypt() {
        let mut k0 = super::PKey::new();
        let mut k1 = super::PKey::new();
        let msg = vec!(0xdeu8, 0xadu8, 0xd0u8, 0x0du8);
        k0.gen(512);
        k1.load_pub(&k0.save_pub());
-        let emsg = k1.encrypt(&msg);
+        let emsg = k0.private_encrypt(&msg);
-        let dmsg = k0.decrypt(&emsg);
+        let dmsg = k1.public_decrypt(&emsg);
        assert!(msg == dmsg);
    }
    #[test]
-    fn test_encrypt_pkcs() {
+    fn test_public_encrypt() {
        let mut k0 = super::PKey::new();
        let mut k1 = super::PKey::new();
        let msg = vec!(0xdeu8, 0xadu8, 0xd0u8, 0x0du8);
        k0.gen(512);
        k1.load_pub(&k0.save_pub());
-        let emsg = k1.encrypt_with_padding(&msg, super::EncryptionPadding::PKCS1v15);
+        let emsg = k1.public_encrypt(&msg);
-        let dmsg = k0.decrypt_with_padding(&emsg, super::EncryptionPadding::PKCS1v15);
+        let dmsg = k0.private_decrypt(&emsg);
        assert!(msg == dmsg);
    }
    #[test]
    fn test_public_encrypt_pkcs() {
        let mut k0 = super::PKey::new();
        let mut k1 = super::PKey::new();
        let msg = vec!(0xdeu8, 0xadu8, 0xd0u8, 0x0du8);
        k0.gen(512);
        k1.load_pub(&k0.save_pub());
        let emsg = k1.public_encrypt_with_padding(&msg, super::EncryptionPadding::PKCS1v15);
        let dmsg = k0.private_decrypt_with_padding(&emsg, super::EncryptionPadding::PKCS1v15);
        assert!(msg == dmsg);
    }
--- a/openssl/src/crypto/symm.rs
+++ b/openssl/src/crypto/symm.rs
@ -1,5 +1,4 @@
 use std::iter::repeat;
 use std::convert::AsRef;
 use libc::{c_int};
 use crypto::symm_internal::evpc;
@ -75,7 +74,7 @@ impl Crypter {
    /**
     * Initializes this crypter.
     */
-    pub fn init<T: AsRef<[u8]>>(&self, mode: Mode, key: &[u8], iv: T) {
+    pub fn init(&self, mode: Mode, key: &[u8], iv: &[u8]) {
        unsafe {
            let mode = match mode {
                Mode::Encrypt => 1 as c_int,
@ -87,7 +86,7 @@ impl Crypter {
                self.ctx,
                self.evp,
                key.as_ptr(),
-                iv.as_ref().as_ptr(),
+                iv.as_ptr(),
                mode
            );
        }
@ -146,7 +145,7 @@ impl Drop for Crypter {
 * Encrypts data, using the specified crypter type in encrypt mode with the
 * specified key and iv; returns the resulting (encrypted) data.
 */
-pub fn encrypt<T: AsRef<[u8]>>(t: Type, key: &[u8], iv: T, data: &[u8]) -> Vec<u8> {
+pub fn encrypt(t: Type, key: &[u8], iv: &[u8], data: &[u8]) -> Vec<u8> {
    let c = Crypter::new(t);
    c.init(Mode::Encrypt, key, iv);
    let mut r = c.update(data);
@ -159,7 +158,7 @@ pub fn encrypt<T: AsRef<[u8]>>(t: Type, key: &[u8], iv: T, data: &[u8]) -> Vec<u
 * Decrypts data, using the specified crypter type in decrypt mode with the
 * specified key and iv; returns the resulting (decrypted) data.
 */
-pub fn decrypt<T: AsRef<[u8]>>(t: Type, key: &[u8], iv: T, data: &[u8]) -> Vec<u8> {
+pub fn decrypt(t: Type, key: &[u8], iv: &[u8], data: &[u8]) -> Vec<u8> {
    let c = Crypter::new(t);
    c.init(Mode::Decrypt, key, iv);
    let mut r = c.update(data);
--- a/openssl/src/lib.rs
+++ b/openssl/src/lib.rs
@ -1,4 +1,4 @@
-#![doc(html_root_url="https://sfackler.github.io/rust-openssl/doc/v0.6.7")]
+#![doc(html_root_url="https://sfackler.github.io/rust-openssl/doc/v0.7.0")]
 #[macro_use]
 extern crate bitflags;
@ -6,6 +6,7 @@ extern crate libc;
 #[macro_use]
 extern crate lazy_static;
 extern crate openssl_sys as ffi;
 extern crate openssl_sys_extras as ffi_extras;
 #[cfg(test)]
 extern crate rustc_serialize as serialize;
--- a/openssl/src/ssl/error.rs
+++ b/openssl/src/ssl/error.rs
@ -17,7 +17,20 @@ pub enum SslError {
    /// The SSL session has been closed by the other end
    SslSessionClosed,
    /// An error in the OpenSSL library
-    OpenSslErrors(Vec<OpensslError>)
+    OpenSslErrors(Vec<OpensslError>),
 }
 /// An error on a nonblocking stream.
 #[derive(Debug)]
 pub enum NonblockingSslError {
    /// A standard SSL error occurred.
    SslError(SslError),
    /// The OpenSSL library wants data from the remote socket;
    /// the caller should wait for read readiness.
    WantRead,
    /// The OpenSSL library wants to send data to the remote socket;
    /// the caller should wait for write readiness.
    WantWrite,
 }
 impl fmt::Display for SslError {
@ -59,6 +72,35 @@ impl error::Error for SslError {
    }
 }
 impl fmt::Display for NonblockingSslError {
    fn fmt(&self, fmt: &mut fmt::Formatter) -> fmt::Result {
        fmt.write_str(error::Error::description(self))
    }
 }
 impl error::Error for NonblockingSslError {
    fn description(&self) -> &str {
        match *self {
            NonblockingSslError::SslError(ref e) => e.description(),
            NonblockingSslError::WantRead => "The OpenSSL library wants data from the remote socket",
            NonblockingSslError::WantWrite => "The OpenSSL library want to send data to the remote socket",
        }
    }
    fn cause(&self) -> Option<&error::Error> {
        match *self {
            NonblockingSslError::SslError(ref e) => e.cause(),
            _ => None
        }
    }
 }
 impl From<SslError> for NonblockingSslError {
    fn from(e: SslError) -> NonblockingSslError {
        NonblockingSslError::SslError(e)
    }
 }
 /// An error from the OpenSSL library
 #[derive(Debug, Clone, PartialEq, Eq)]
 pub enum OpensslError {
--- a/openssl/src/ssl/mod.rs
+++ b/openssl/src/ssl/mod.rs
@ -21,8 +21,9 @@ use std::slice;
 use bio::{MemBio};
 use ffi;
 use ffi_extras;
 use dh::DH;
-use ssl::error::{SslError, SslSessionClosed, StreamError, OpenSslErrors};
+use ssl::error::{NonblockingSslError, SslError, SslSessionClosed, StreamError, OpenSslErrors};
 use x509::{X509StoreContext, X509FileType, X509};
 use crypto::pkey::PKey;
@ -51,43 +52,43 @@ pub fn init() {
 bitflags! {
    flags SslContextOptions: u64 {
-        const SSL_OP_MICROSOFT_SESS_ID_BUG                    = ffi::SSL_OP_MICROSOFT_SESS_ID_BUG,
+        const SSL_OP_MICROSOFT_SESS_ID_BUG                    = ffi_extras::SSL_OP_MICROSOFT_SESS_ID_BUG,
-        const SSL_OP_NETSCAPE_CHALLENGE_BUG                   = ffi::SSL_OP_NETSCAPE_CHALLENGE_BUG,
+        const SSL_OP_NETSCAPE_CHALLENGE_BUG                   = ffi_extras::SSL_OP_NETSCAPE_CHALLENGE_BUG,
-        const SSL_OP_LEGACY_SERVER_CONNECT                    = ffi::SSL_OP_LEGACY_SERVER_CONNECT,
+        const SSL_OP_LEGACY_SERVER_CONNECT                    = ffi_extras::SSL_OP_LEGACY_SERVER_CONNECT,
-        const SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG         = ffi::SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG,
+        const SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG         = ffi_extras::SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG,
-        const SSL_OP_TLSEXT_PADDING                           = ffi::SSL_OP_TLSEXT_PADDING,
+        const SSL_OP_TLSEXT_PADDING                           = ffi_extras::SSL_OP_TLSEXT_PADDING,
-        const SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER               = ffi::SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER,
+        const SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER               = ffi_extras::SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER,
-        const SSL_OP_SAFARI_ECDHE_ECDSA_BUG                   = ffi::SSL_OP_SAFARI_ECDHE_ECDSA_BUG,
+        const SSL_OP_SAFARI_ECDHE_ECDSA_BUG                   = ffi_extras::SSL_OP_SAFARI_ECDHE_ECDSA_BUG,
-        const SSL_OP_SSLEAY_080_CLIENT_DH_BUG                 = ffi::SSL_OP_SSLEAY_080_CLIENT_DH_BUG,
+        const SSL_OP_SSLEAY_080_CLIENT_DH_BUG                 = ffi_extras::SSL_OP_SSLEAY_080_CLIENT_DH_BUG,
-        const SSL_OP_TLS_D5_BUG                               = ffi::SSL_OP_TLS_D5_BUG,
+        const SSL_OP_TLS_D5_BUG                               = ffi_extras::SSL_OP_TLS_D5_BUG,
-        const SSL_OP_TLS_BLOCK_PADDING_BUG                    = ffi::SSL_OP_TLS_BLOCK_PADDING_BUG,
+        const SSL_OP_TLS_BLOCK_PADDING_BUG                    = ffi_extras::SSL_OP_TLS_BLOCK_PADDING_BUG,
-        const SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS              = ffi::SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS,
+        const SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS              = ffi_extras::SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS,
-        const SSL_OP_NO_QUERY_MTU                             = ffi::SSL_OP_NO_QUERY_MTU,
+        const SSL_OP_NO_QUERY_MTU                             = ffi_extras::SSL_OP_NO_QUERY_MTU,
-        const SSL_OP_COOKIE_EXCHANGE                          = ffi::SSL_OP_COOKIE_EXCHANGE,
+        const SSL_OP_COOKIE_EXCHANGE                          = ffi_extras::SSL_OP_COOKIE_EXCHANGE,
-        const SSL_OP_NO_TICKET                                = ffi::SSL_OP_NO_TICKET,
+        const SSL_OP_NO_TICKET                                = ffi_extras::SSL_OP_NO_TICKET,
-        const SSL_OP_CISCO_ANYCONNECT                         = ffi::SSL_OP_CISCO_ANYCONNECT,
+        const SSL_OP_CISCO_ANYCONNECT                         = ffi_extras::SSL_OP_CISCO_ANYCONNECT,
-        const SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION   = ffi::SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION,
+        const SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION   = ffi_extras::SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION,
-        const SSL_OP_NO_COMPRESSION                           = ffi::SSL_OP_NO_COMPRESSION,
+        const SSL_OP_NO_COMPRESSION                           = ffi_extras::SSL_OP_NO_COMPRESSION,
-        const SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION        = ffi::SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION,
+        const SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION        = ffi_extras::SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION,
-        const SSL_OP_SINGLE_ECDH_USE                          = ffi::SSL_OP_SINGLE_ECDH_USE,
+        const SSL_OP_SINGLE_ECDH_USE                          = ffi_extras::SSL_OP_SINGLE_ECDH_USE,
-        const SSL_OP_SINGLE_DH_USE                            = ffi::SSL_OP_SINGLE_DH_USE,
+        const SSL_OP_SINGLE_DH_USE                            = ffi_extras::SSL_OP_SINGLE_DH_USE,
-        const SSL_OP_CIPHER_SERVER_PREFERENCE                 = ffi::SSL_OP_CIPHER_SERVER_PREFERENCE,
+        const SSL_OP_CIPHER_SERVER_PREFERENCE                 = ffi_extras::SSL_OP_CIPHER_SERVER_PREFERENCE,
-        const SSL_OP_TLS_ROLLBACK_BUG                         = ffi::SSL_OP_TLS_ROLLBACK_BUG,
+        const SSL_OP_TLS_ROLLBACK_BUG                         = ffi_extras::SSL_OP_TLS_ROLLBACK_BUG,
-        const SSL_OP_NO_SSLV2                                 = ffi::SSL_OP_NO_SSLv2,
+        const SSL_OP_NO_SSLV2                                 = ffi_extras::SSL_OP_NO_SSLv2,
-        const SSL_OP_NO_SSLV3                                 = ffi::SSL_OP_NO_SSLv3,
+        const SSL_OP_NO_SSLV3                                 = ffi_extras::SSL_OP_NO_SSLv3,
-        const SSL_OP_NO_DTLSV1                                = ffi::SSL_OP_NO_DTLSv1,
+        const SSL_OP_NO_DTLSV1                                = ffi_extras::SSL_OP_NO_DTLSv1,
-        const SSL_OP_NO_TLSV1                                 = ffi::SSL_OP_NO_TLSv1,
+        const SSL_OP_NO_TLSV1                                 = ffi_extras::SSL_OP_NO_TLSv1,
-        const SSL_OP_NO_DTLSV1_2                              = ffi::SSL_OP_NO_DTLSv1_2,
+        const SSL_OP_NO_DTLSV1_2                              = ffi_extras::SSL_OP_NO_DTLSv1_2,
-        const SSL_OP_NO_TLSV1_2                               = ffi::SSL_OP_NO_TLSv1_2,
+        const SSL_OP_NO_TLSV1_2                               = ffi_extras::SSL_OP_NO_TLSv1_2,
-        const SSL_OP_NO_TLSV1_1                               = ffi::SSL_OP_NO_TLSv1_1,
+        const SSL_OP_NO_TLSV1_1                               = ffi_extras::SSL_OP_NO_TLSv1_1,
-        const SSL_OP_NETSCAPE_CA_DN_BUG                       = ffi::SSL_OP_NETSCAPE_CA_DN_BUG,
+        const SSL_OP_NETSCAPE_CA_DN_BUG                       = ffi_extras::SSL_OP_NETSCAPE_CA_DN_BUG,
-        const SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG          = ffi::SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG,
+        const SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG          = ffi_extras::SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG,
-        const SSL_OP_CRYPTOPRO_TLSEXT_BUG                     = ffi::SSL_OP_CRYPTOPRO_TLSEXT_BUG,
+        const SSL_OP_CRYPTOPRO_TLSEXT_BUG                     = ffi_extras::SSL_OP_CRYPTOPRO_TLSEXT_BUG,
-        const SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG              = ffi::SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG,
+        const SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG              = ffi_extras::SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG,
-        const SSL_OP_MSIE_SSLV2_RSA_PADDING                   = ffi::SSL_OP_MSIE_SSLV2_RSA_PADDING,
+        const SSL_OP_MSIE_SSLV2_RSA_PADDING                   = ffi_extras::SSL_OP_MSIE_SSLV2_RSA_PADDING,
-        const SSL_OP_PKCS1_CHECK_1                            = ffi::SSL_OP_PKCS1_CHECK_1,
+        const SSL_OP_PKCS1_CHECK_1                            = ffi_extras::SSL_OP_PKCS1_CHECK_1,
-        const SSL_OP_PKCS1_CHECK_2                            = ffi::SSL_OP_PKCS1_CHECK_2,
+        const SSL_OP_PKCS1_CHECK_2                            = ffi_extras::SSL_OP_PKCS1_CHECK_2,
-        const SSL_OP_EPHEMERAL_RSA                            = ffi::SSL_OP_EPHEMERAL_RSA,
+        const SSL_OP_EPHEMERAL_RSA                            = ffi_extras::SSL_OP_EPHEMERAL_RSA,
        const SSL_OP_ALL         = SSL_OP_MICROSOFT_SESS_ID_BUG.bits|SSL_OP_NETSCAPE_CHALLENGE_BUG.bits
                                  |SSL_OP_LEGACY_SERVER_CONNECT.bits|SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG.bits
                                  |SSL_OP_TLSEXT_PADDING.bits|SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER.bits
@ -109,6 +110,7 @@ pub enum SslMethod {
    /// Support the SSLv2, SSLv3, TLSv1, TLSv1.1, and TLSv1.2 protocols depending on what the
    /// linked OpenSSL library supports.
    Sslv23,
    #[cfg(feature = "sslv3")]
    /// Only support the SSLv3 protocol.
    Sslv3,
    /// Only support the TLSv1 protocol.
@ -132,6 +134,7 @@ impl SslMethod {
        match *self {
            #[cfg(feature = "sslv2")]
            SslMethod::Sslv2 => ffi::SSLv2_method(),
            #[cfg(feature = "sslv3")]
            SslMethod::Sslv3 => ffi::SSLv3_method(),
            SslMethod::Tlsv1 => ffi::TLSv1_method(),
            SslMethod::Sslv23 => ffi::SSLv23_method(),
@ -150,6 +153,7 @@ impl SslMethod {
        match method {
            #[cfg(feature = "sslv2")]
            x if x == ffi::SSLv2_method() => Some(SslMethod::Sslv2),
            #[cfg(feature = "sslv3")]
            x if x == ffi::SSLv3_method() => Some(SslMethod::Sslv3),
            x if x == ffi::TLSv1_method() => Some(SslMethod::Tlsv1),
            x if x == ffi::SSLv23_method() => Some(SslMethod::Sslv23),
@ -490,13 +494,13 @@ impl SslContext {
    pub fn set_read_ahead(&self, m: u32) {
        unsafe {
-            ffi::SSL_CTX_set_read_ahead(self.ctx, m as c_long);
+            ffi_extras::SSL_CTX_set_read_ahead(self.ctx, m as c_long);
        }
    }
    pub fn set_tmp_dh(&self, dh: DH) -> Result<(),SslError> {
        wrap_ssl_result(unsafe {
-            ffi::SSL_CTX_set_tmp_dh(self.ctx, dh.raw()) as i32
+            ffi_extras::SSL_CTX_set_tmp_dh(self.ctx, dh.raw()) as i32
        })
    }
@ -543,7 +547,7 @@ impl SslContext {
    pub fn add_extra_chain_cert(&mut self, cert: &X509) -> Result<(),SslError> {
        wrap_ssl_result(
            unsafe {
-                ffi::SSL_CTX_add_extra_chain_cert(self.ctx, cert.get_handle()) as c_int
+                ffi_extras::SSL_CTX_add_extra_chain_cert(self.ctx, cert.get_handle()) as c_int
            })
    }
@ -589,21 +593,21 @@ impl SslContext {
    pub fn set_ecdh_auto(&mut self, onoff: bool) -> Result<(),SslError> {
        wrap_ssl_result(
            unsafe {
-                ffi::SSL_CTX_set_ecdh_auto(self.ctx, onoff as c_int)
+                ffi_extras::SSL_CTX_set_ecdh_auto(self.ctx, onoff as c_int)
            })
    }
    pub fn set_options(&mut self, option: SslContextOptions) -> SslContextOptions {
        let raw_bits = option.bits();
        let ret = unsafe {
-            ffi::SSL_CTX_set_options(self.ctx, raw_bits)
+            ffi_extras::SSL_CTX_set_options(self.ctx, raw_bits)
        };
        SslContextOptions::from_bits(ret).unwrap()
    }
    pub fn get_options(&mut self) -> SslContextOptions {
        let ret = unsafe {
-            ffi::SSL_CTX_get_options(self.ctx)
+            ffi_extras::SSL_CTX_get_options(self.ctx)
        };
        SslContextOptions::from_bits(ret).unwrap()
    }
@ -611,7 +615,7 @@ impl SslContext {
    pub fn clear_options(&mut self, option: SslContextOptions) -> SslContextOptions {
        let raw_bits = option.bits();
        let ret = unsafe {
-            ffi::SSL_CTX_clear_options(self.ctx, raw_bits)
+            ffi_extras::SSL_CTX_clear_options(self.ctx, raw_bits)
        };
        SslContextOptions::from_bits(ret).unwrap()
    }
@ -698,10 +702,11 @@ pub struct Ssl {
 unsafe impl Send for Ssl {}
 unsafe impl Sync for Ssl {}
 // TODO: put useful information here
 impl fmt::Debug for Ssl {
    fn fmt(&self, fmt: &mut fmt::Formatter) -> fmt::Result {
-        write!(fmt, "Ssl")
+        fmt.debug_struct("Ssl")
            .field("state", &self.state_string_long())
            .finish()
    }
 }
@ -718,24 +723,6 @@ impl Ssl {
        Ok(ssl)
    }
    pub fn get_state_string(&self) -> &'static str {
        let state = unsafe {
            let ptr = ffi::SSL_state_string(self.ssl);
            CStr::from_ptr(ptr)
        };
        str::from_utf8(state.to_bytes()).unwrap()
    }
    pub fn get_state_string_long(&self) -> &'static str {
        let state = unsafe {
            let ptr = ffi::SSL_state_string_long(self.ssl);
            CStr::from_ptr(ptr)
        };
        str::from_utf8(state.to_bytes()).unwrap()
    }
    fn get_rbio<'a>(&'a self) -> MemBioRef<'a> {
        unsafe { self.wrap_bio(ffi::SSL_get_rbio(self.ssl)) }
    }
@ -778,10 +765,28 @@ impl Ssl {
        }
    }
-    /// Set the host name to be used with SNI (Server Name Indication).
+    pub fn state_string(&self) -> &'static str {
        let state = unsafe {
            let ptr = ffi::SSL_state_string(self.ssl);
            CStr::from_ptr(ptr)
        };
        str::from_utf8(state.to_bytes()).unwrap()
    }
    pub fn state_string_long(&self) -> &'static str {
        let state = unsafe {
            let ptr = ffi::SSL_state_string_long(self.ssl);
            CStr::from_ptr(ptr)
        };
        str::from_utf8(state.to_bytes()).unwrap()
    }
    /// Sets the host name to be used with SNI (Server Name Indication).
    pub fn set_hostname(&self, hostname: &str) -> Result<(), SslError> {
        let cstr = CString::new(hostname).unwrap();
-        let ret = unsafe { ffi::SSL_set_tlsext_host_name(self.ssl, cstr.as_ptr()) };
+        let ret = unsafe { ffi_extras::SSL_set_tlsext_host_name(self.ssl, cstr.as_ptr()) };
        // For this case, 0 indicates failure.
        if ret == 0 {
@ -791,7 +796,8 @@ impl Ssl {
        }
    }
-    pub fn get_peer_certificate(&self) -> Option<X509> {
+    /// Returns the certificate of the peer, if present.
    pub fn peer_certificate(&self) -> Option<X509> {
        unsafe {
            let ptr = ffi::SSL_get_peer_certificate(self.ssl);
            if ptr.is_null() {
@ -809,7 +815,7 @@ impl Ssl {
    ///
    /// This method needs the `npn` feature.
    #[cfg(feature = "npn")]
-    pub fn get_selected_npn_protocol(&self) -> Option<&[u8]> {
+    pub fn selected_npn_protocol(&self) -> Option<&[u8]> {
        unsafe {
            let mut data: *const c_uchar = ptr::null();
            let mut len: c_uint = 0;
@ -832,7 +838,7 @@ impl Ssl {
    ///
    /// This method needs the `alpn` feature.
    #[cfg(feature = "alpn")]
-    pub fn get_selected_alpn_protocol(&self) -> Option<&[u8]> {
+    pub fn selected_alpn_protocol(&self) -> Option<&[u8]> {
        unsafe {
            let mut data: *const c_uchar = ptr::null();
            let mut len: c_uint = 0;
@ -848,13 +854,32 @@ impl Ssl {
        }
    }
-    /// pending() takes into account only bytes from the TLS/SSL record that is currently being processed (if any).
+    /// Returns the number of bytes remaining in the currently processed TLS
    /// record.
    pub fn pending(&self) -> usize {
        unsafe {
            ffi::SSL_pending(self.ssl) as usize
        }
    }
    /// Returns the compression currently in use.
    ///
    /// The result will be either None, indicating no compression is in use, or
    /// a string with the compression name.
    pub fn compression(&self) -> Option<String> {
        let ptr = unsafe { ffi::SSL_get_current_compression(self.ssl) };
        if ptr == ptr::null() {
            return None;
        }
        let meth = unsafe { ffi::SSL_COMP_get_name(ptr) };
        let s = unsafe {
            String::from_utf8(CStr::from_ptr(meth).to_bytes().to_vec()).unwrap()
        };
        Some(s)
    }
    pub fn get_ssl_method(&self) -> Option<SslMethod> {
        unsafe {
            let method = ffi::SSL_get_ssl_method(self.ssl);
@ -1179,7 +1204,10 @@ impl SslStream<net::TcpStream> {
 impl<S> fmt::Debug for SslStream<S> where S: fmt::Debug {
    fn fmt(&self, fmt: &mut fmt::Formatter) -> fmt::Result {
-        write!(fmt, "SslStream {{ stream: {:?}, ssl: {:?} }}", self.kind.stream(), self.kind.ssl())
+        fmt.debug_struct("SslStream")
            .field("stream", &self.kind.stream())
            .field("ssl", &self.kind.ssl())
            .finish()
    }
 }
@ -1270,42 +1298,11 @@ impl<S: Read+Write> SslStream<S> {
        })
    }
    /// # Deprecated
    pub fn new_server(ssl: &SslContext, stream: S) -> Result<SslStream<S>, SslError> {
        SslStream::accept_generic(ssl, stream)
    }
    /// # Deprecated
    pub fn new_server_from(ssl: Ssl, stream: S) -> Result<SslStream<S>, SslError> {
        SslStream::accept_generic(ssl, stream)
    }
    /// # Deprecated
    pub fn new_from(ssl: Ssl, stream: S) -> Result<SslStream<S>, SslError> {
        SslStream::connect_generic(ssl, stream)
    }
    /// # Deprecated
    pub fn new(ctx: &SslContext, stream: S) -> Result<SslStream<S>, SslError> {
        SslStream::connect_generic(ctx, stream)
    }
    /// # Deprecated
    #[doc(hidden)]
    pub fn get_inner(&mut self) -> &mut S {
        self.get_mut()
    }
    /// Returns a reference to the underlying stream.
    pub fn get_ref(&self) -> &S {
        self.kind.stream()
    }
    /// Return the certificate of the peer
    pub fn get_peer_certificate(&self) -> Option<X509> {
        self.kind.ssl().get_peer_certificate()
    }
    /// Returns a mutable reference to the underlying stream.
    ///
    /// ## Warning
@ -1316,56 +1313,9 @@ impl<S: Read+Write> SslStream<S> {
        self.kind.mut_stream()
    }
-    /// Get the compression currently in use.  The result will be
+    /// Returns the OpenSSL `Ssl` object associated with this stream.
-    /// either None, indicating no compression is in use, or a string
+    pub fn ssl(&self) -> &Ssl {
-    /// with the compression name.
+        self.kind.ssl()
    pub fn get_compression(&self) -> Option<String> {
        let ptr = unsafe { ffi::SSL_get_current_compression(self.kind.ssl().ssl) };
        if ptr == ptr::null() {
            return None;
        }
        let meth = unsafe { ffi::SSL_COMP_get_name(ptr) };
        let s = unsafe {
            String::from_utf8(CStr::from_ptr(meth).to_bytes().to_vec()).unwrap()
        };
        Some(s)
    }
    /// Returns the protocol selected by performing Next Protocol Negotiation, if any.
    ///
    /// The protocol's name is returned is an opaque sequence of bytes. It is up to the client
    /// to interpret it.
    ///
    /// This method needs the `npn` feature.
    #[cfg(feature = "npn")]
    pub fn get_selected_npn_protocol(&self) -> Option<&[u8]> {
        self.kind.ssl().get_selected_npn_protocol()
    }
    /// Returns the protocol selected by performing ALPN, if any.
    ///
    /// The protocol's name is returned is an opaque sequence of bytes. It is up to the client
    /// to interpret it.
    ///
    /// This method needs the `alpn` feature.
    #[cfg(feature = "alpn")]
    pub fn get_selected_alpn_protocol(&self) -> Option<&[u8]> {
        self.kind.ssl().get_selected_alpn_protocol()
    }
    /// pending() takes into account only bytes from the TLS/SSL record that is currently being processed (if any).
    pub fn pending(&self) -> usize {
        self.kind.ssl().pending()
    }
    pub fn get_state_string(&self) -> &'static str {
        self.kind.ssl().get_state_string()
    }
    pub fn get_state_string_long(&self) -> &'static str {
        self.kind.ssl().get_state_string_long()
    }
 }
@ -1465,3 +1415,232 @@ impl<S> MaybeSslStream<S> where S: Read+Write {
        }
    }
 }
 /// An SSL stream wrapping a nonblocking socket.
 #[derive(Clone)]
 pub struct NonblockingSslStream<S> {
    stream: S,
    ssl: Arc<Ssl>,
 }
 impl NonblockingSslStream<net::TcpStream> {
    pub fn try_clone(&self) -> io::Result<NonblockingSslStream<net::TcpStream>> {
        Ok(NonblockingSslStream {
            stream: try!(self.stream.try_clone()),
            ssl: self.ssl.clone(),
        })
    }
 }
 impl<S> NonblockingSslStream<S> {
    fn new_base(ssl: Ssl, stream: S, sock: c_int) -> Result<NonblockingSslStream<S>, SslError> {
        unsafe {
            let bio = try_ssl_null!(ffi::BIO_new_socket(sock, 0));
            ffi_extras::BIO_set_nbio(bio, 1);
            ffi::SSL_set_bio(ssl.ssl, bio, bio);
        }
        Ok(NonblockingSslStream {
            stream: stream,
            ssl: Arc::new(ssl),
        })
    }
    fn make_error(&self, ret: c_int) -> NonblockingSslError {
        match self.ssl.get_error(ret) {
            LibSslError::ErrorSsl => NonblockingSslError::SslError(SslError::get()),
            LibSslError::ErrorSyscall => {
                let err = SslError::get();
                let count = match err {
                    SslError::OpenSslErrors(ref v) => v.len(),
                    _ => unreachable!(),
                };
                let ssl_error = if count == 0 {
                    if ret == 0 {
                        SslError::StreamError(io::Error::new(io::ErrorKind::ConnectionAborted,
                                                             "unexpected EOF observed"))
                    } else {
                        SslError::StreamError(io::Error::last_os_error())
                    }
                } else {
                    err
                };
                ssl_error.into()
            },
            LibSslError::ErrorWantWrite => NonblockingSslError::WantWrite,
            LibSslError::ErrorWantRead => NonblockingSslError::WantRead,
            err => panic!("unexpected error {:?} with ret {}", err, ret),
        }
    }
    /// Returns a reference to the underlying stream.
    pub fn get_ref(&self) -> &S {
        &self.stream
    }
    /// Returns a mutable reference to the underlying stream.
    ///
    /// ## Warning
    ///
    /// It is inadvisable to read from or write to the underlying stream as it
    /// will most likely corrupt the SSL session.
    pub fn get_mut(&mut self) -> &mut S {
        &mut self.stream
    }
    /// Returns a reference to the Ssl.
    pub fn ssl(&self) -> &Ssl {
        &self.ssl
    }
 }
 #[cfg(unix)]
 impl<S: Read+Write+::std::os::unix::io::AsRawFd> NonblockingSslStream<S> {
    /// Create a new nonblocking client ssl connection on wrapped `stream`.
    ///
    /// Note that this method will most likely not actually complete the SSL
    /// handshake because doing so requires several round trips; the handshake will
    /// be completed in subsequent read/write calls managed by your event loop.
    pub fn connect<T: IntoSsl>(ssl: T, stream: S) -> Result<NonblockingSslStream<S>, SslError> {
        let ssl = try!(ssl.into_ssl());
        let fd = stream.as_raw_fd() as c_int;
        let ssl = try!(NonblockingSslStream::new_base(ssl, stream, fd));
        let ret = ssl.ssl.connect();
        if ret > 0 {
            Ok(ssl)
        } else {
            // WantRead/WantWrite is okay here; we'll finish the handshake in
            // subsequent send/recv calls.
            match ssl.make_error(ret) {
                NonblockingSslError::WantRead | NonblockingSslError::WantWrite => Ok(ssl),
                NonblockingSslError::SslError(other) => Err(other),
            }
        }
    }
    /// Create a new nonblocking server ssl connection on wrapped `stream`.
    ///
    /// Note that this method will most likely not actually complete the SSL
    /// handshake because doing so requires several round trips; the handshake will
    /// be completed in subsequent read/write calls managed by your event loop.
    pub fn accept<T: IntoSsl>(ssl: T, stream: S) -> Result<NonblockingSslStream<S>, SslError> {
        let ssl = try!(ssl.into_ssl());
        let fd = stream.as_raw_fd() as c_int;
        let ssl = try!(NonblockingSslStream::new_base(ssl, stream, fd));
        let ret = ssl.ssl.accept();
        if ret > 0 {
            Ok(ssl)
        } else {
            // WantRead/WantWrite is okay here; we'll finish the handshake in
            // subsequent send/recv calls.
            match ssl.make_error(ret) {
                NonblockingSslError::WantRead | NonblockingSslError::WantWrite => Ok(ssl),
                NonblockingSslError::SslError(other) => Err(other),
            }
        }
    }
 }
 #[cfg(unix)]
 impl<S: ::std::os::unix::io::AsRawFd> ::std::os::unix::io::AsRawFd for NonblockingSslStream<S> {
    fn as_raw_fd(&self) -> ::std::os::unix::io::RawFd {
        self.stream.as_raw_fd()
    }
 }
 #[cfg(windows)]
 impl<S: Read+Write+::std::os::windows::io::AsRawSocket> NonblockingSslStream<S> {
    /// Create a new nonblocking client ssl connection on wrapped `stream`.
    ///
    /// Note that this method will most likely not actually complete the SSL
    /// handshake because doing so requires several round trips; the handshake will
    /// be completed in subsequent read/write calls managed by your event loop.
    pub fn connect<T: IntoSsl>(ssl: T, stream: S) -> Result<NonblockingSslStream<S>, SslError> {
        let ssl = try!(ssl.into_ssl());
        let fd = stream.as_raw_socket() as c_int;
        let ssl = try!(NonblockingSslStream::new_base(ssl, stream, fd));
        let ret = ssl.ssl.connect();
        if ret > 0 {
            Ok(ssl)
        } else {
            // WantRead/WantWrite is okay here; we'll finish the handshake in
            // subsequent send/recv calls.
            match ssl.make_error(ret) {
                NonblockingSslError::WantRead | NonblockingSslError::WantWrite => Ok(ssl),
                NonblockingSslError::SslError(other) => Err(other),
            }
        }
    }
    /// Create a new nonblocking server ssl connection on wrapped `stream`.
    ///
    /// Note that this method will most likely not actually complete the SSL
    /// handshake because doing so requires several round trips; the handshake will
    /// be completed in subsequent read/write calls managed by your event loop.
    pub fn accept<T: IntoSsl>(ssl: T, stream: S) -> Result<NonblockingSslStream<S>, SslError> {
        let ssl = try!(ssl.into_ssl());
        let fd = stream.as_raw_socket() as c_int;
        let ssl = try!(NonblockingSslStream::new_base(ssl, stream, fd));
        let ret = ssl.ssl.accept();
        if ret > 0 {
            Ok(ssl)
        } else {
            // WantRead/WantWrite is okay here; we'll finish the handshake in
            // subsequent send/recv calls.
            match ssl.make_error(ret) {
                NonblockingSslError::WantRead | NonblockingSslError::WantWrite => Ok(ssl),
                NonblockingSslError::SslError(other) => Err(other),
            }
        }
    }
 }
 impl<S: Read+Write> NonblockingSslStream<S> {
    /// Read bytes from the SSL stream into `buf`.
    ///
    /// Given the SSL state machine, this method may return either `WantWrite`
    /// or `WantRead` to indicate that your event loop should respectively wait
    /// for write or read readiness on the underlying stream.  Upon readiness,
    /// repeat your `read()` call with the same arguments each time until you
    /// receive an `Ok(count)`.
    ///
    /// An `SslError` return value, is terminal; do not re-attempt your read.
    ///
    /// As expected of a nonblocking API, this method will never block your
    /// thread on I/O.
    ///
    /// On a return value of `Ok(count)`, count is the number of decrypted
    /// plaintext bytes copied into the `buf` slice.
    pub fn read(&mut self, buf: &mut [u8]) -> Result<usize, NonblockingSslError> {
        let ret = self.ssl.read(buf);
        if ret >= 0 {
            Ok(ret as usize)
        } else {
            Err(self.make_error(ret))
        }
    }
    /// Write bytes from `buf` to the SSL stream.
    ///
    /// Given the SSL state machine, this method may return either `WantWrite`
    /// or `WantRead` to indicate that your event loop should respectively wait
    /// for write or read readiness on the underlying stream.  Upon readiness,
    /// repeat your `write()` call with the same arguments each time until you
    /// receive an `Ok(count)`.
    ///
    /// An `SslError` return value, is terminal; do not re-attempt your write.
    ///
    /// As expected of a nonblocking API, this method will never block your
    /// thread on I/O.
    ///
    /// Given a return value of `Ok(count)`, count is the number of plaintext bytes
    /// from the `buf` slice that were encrypted and written onto the stream.
    pub fn write(&mut self, buf: &[u8]) -> Result<usize, NonblockingSslError> {
        let ret = self.ssl.write(buf);
        if ret > 0 {
            Ok(ret as usize)
        } else {
            Err(self.make_error(ret))
        }
    }
 }
--- a/openssl/src/ssl/tests/mod.rs
+++ b/openssl/src/ssl/tests/mod.rs
@ -4,17 +4,21 @@ use std::fs::File;
 use std::io::prelude::*;
 use std::io::{self, BufReader};
 use std::iter;
 use std::mem;
 use std::net::{TcpStream, TcpListener, SocketAddr};
 use std::path::Path;
 use std::process::{Command, Child, Stdio, ChildStdin};
 use std::thread;
 use net2::TcpStreamExt;
 use crypto::hash::Type::{SHA256};
 use ssl;
 use ssl::SslMethod;
 use ssl::SslMethod::Sslv23;
 use ssl::{SslContext, SslStream, VerifyCallback};
 use ssl::SSL_VERIFY_PEER;
 use ssl::SslMethod::Sslv23;
 use ssl::SslMethod;
 use ssl::error::NonblockingSslError;
 use ssl::{SslContext, SslStream, VerifyCallback, NonblockingSslStream};
 use x509::X509StoreContext;
 use x509::X509FileType;
 use x509::X509;
@ -29,6 +33,8 @@ use ssl::SslMethod::Sslv2;
 #[cfg(feature="dtlsv1")]
 use net2::UdpSocketExt;
 mod select;
 fn next_addr() -> SocketAddr {
    use std::sync::atomic::{AtomicUsize, ATOMIC_USIZE_INIT, Ordering};
    static PORT: AtomicUsize = ATOMIC_USIZE_INIT;
@ -331,7 +337,8 @@ run_test!(verify_trusted_get_error_err, |method, stream| {
 });
 run_test!(verify_callback_data, |method, stream| {
-    fn callback(_preverify_ok: bool, x509_ctx: &X509StoreContext, node_id: &Vec<u8>) -> bool {
+    fn callback(_preverify_ok: bool, x509_ctx: &X509StoreContext,
                node_id: &Vec<u8>) -> bool {
        let cert = x509_ctx.get_current_cert();
        match cert {
            None => false,
@ -416,10 +423,6 @@ run_test!(set_ctx_options, |method, _| {
    let mut ctx = SslContext::new(method).unwrap();
    let opts = ctx.set_options(ssl::SSL_OP_NO_TICKET);
    assert!(opts.contains(ssl::SSL_OP_NO_TICKET));
    assert!(!opts.contains(ssl::SSL_OP_CISCO_ANYCONNECT));
    let more_opts = ctx.set_options(ssl::SSL_OP_CISCO_ANYCONNECT);
    assert!(more_opts.contains(ssl::SSL_OP_NO_TICKET));
    assert!(more_opts.contains(ssl::SSL_OP_CISCO_ANYCONNECT));
 });
 run_test!(clear_ctx_options, |method, _| {
@ -452,7 +455,7 @@ fn test_write_direct() {
 run_test!(get_peer_certificate, |method, stream| {
    let stream = SslStream::connect_generic(&SslContext::new(method).unwrap(),
                                            stream).unwrap();
-    let cert = stream.get_peer_certificate().unwrap();
+    let cert = stream.ssl().peer_certificate().unwrap();
    let fingerprint = cert.fingerprint(SHA256).unwrap();
    let node_hash_str = "db400bb62f1b1f29c3b8f323b8f7d9dea724fdcd67104ef549c772ae3749655b";
    let node_id = node_hash_str.from_hex().unwrap();
@ -501,14 +504,14 @@ fn test_pending() {
    let mut buf = [0u8; 16*1024];
    stream.read(&mut buf[..1]).unwrap();
-    let pending = stream.pending();
+    let pending = stream.ssl().pending();
    let len = stream.read(&mut buf[1..]).unwrap();
    assert_eq!(pending, len);
    stream.read(&mut buf[..1]).unwrap();
-    let pending = stream.pending();
+    let pending = stream.ssl().pending();
    let len = stream.read(&mut buf[1..]).unwrap();
    assert_eq!(pending, len);
 }
@ -517,8 +520,8 @@ fn test_pending() {
 fn test_state() {
    let (_s, tcp) = Server::new();
    let stream = SslStream::connect_generic(&SslContext::new(Sslv23).unwrap(), tcp).unwrap();
-    assert_eq!(stream.get_state_string(), "SSLOK ");
+    assert_eq!(stream.ssl().state_string(), "SSLOK ");
-    assert_eq!(stream.get_state_string_long(), "SSL negotiation finished successfully");
+    assert_eq!(stream.ssl().state_string_long(), "SSL negotiation finished successfully");
 }
 /// Tests that connecting with the client using ALPN, but the server not does not
@ -534,13 +537,13 @@ fn test_connect_with_unilateral_alpn() {
        Ok(_) => {}
        Err(err) => panic!("Unexpected error {:?}", err)
    }
-    let stream = match SslStream::new(&ctx, stream) {
+    let stream = match SslStream::connect(&ctx, stream) {
        Ok(stream) => stream,
        Err(err) => panic!("Expected success, got {:?}", err)
    };
    // Since the socket to which we connected is not configured to use ALPN,
    // there should be no selected protocol...
-    assert!(stream.get_selected_alpn_protocol().is_none());
+    assert!(stream.ssl().selected_alpn_protocol().is_none());
 }
 /// Tests that connecting with the client using NPN, but the server not does not
@ -562,7 +565,7 @@ fn test_connect_with_unilateral_npn() {
    };
    // Since the socket to which we connected is not configured to use NPN,
    // there should be no selected protocol...
-    assert!(stream.get_selected_npn_protocol().is_none());
+    assert!(stream.ssl().selected_npn_protocol().is_none());
 }
 /// Tests that when both the client as well as the server use ALPN and their
@ -578,13 +581,13 @@ fn test_connect_with_alpn_successful_multiple_matching() {
        Ok(_) => {}
        Err(err) => panic!("Unexpected error {:?}", err)
    }
-    let stream = match SslStream::new(&ctx, stream) {
+    let stream = match SslStream::connect(&ctx, stream) {
        Ok(stream) => stream,
        Err(err) => panic!("Expected success, got {:?}", err)
    };
    // The server prefers "http/1.1", so that is chosen, even though the client
    // would prefer "spdy/3.1"
-    assert_eq!(b"http/1.1", stream.get_selected_alpn_protocol().unwrap());
+    assert_eq!(b"http/1.1", stream.ssl().selected_alpn_protocol().unwrap());
 }
 /// Tests that when both the client as well as the server use NPN and their
@ -606,7 +609,7 @@ fn test_connect_with_npn_successful_multiple_matching() {
    };
    // The server prefers "http/1.1", so that is chosen, even though the client
    // would prefer "spdy/3.1"
-    assert_eq!(b"http/1.1", stream.get_selected_npn_protocol().unwrap());
+    assert_eq!(b"http/1.1", stream.ssl().selected_npn_protocol().unwrap());
 }
 /// Tests that when both the client as well as the server use ALPN and their
@ -623,13 +626,13 @@ fn test_connect_with_alpn_successful_single_match() {
        Ok(_) => {}
        Err(err) => panic!("Unexpected error {:?}", err)
    }
-    let stream = match SslStream::new(&ctx, stream) {
+    let stream = match SslStream::connect(&ctx, stream) {
        Ok(stream) => stream,
        Err(err) => panic!("Expected success, got {:?}", err)
    };
    // The client now only supports one of the server's protocols, so that one
    // is used.
-    assert_eq!(b"spdy/3.1", stream.get_selected_alpn_protocol().unwrap());
+    assert_eq!(b"spdy/3.1", stream.ssl().selected_alpn_protocol().unwrap());
 }
@ -653,7 +656,7 @@ fn test_connect_with_npn_successful_single_match() {
    };
    // The client now only supports one of the server's protocols, so that one
    // is used.
-    assert_eq!(b"spdy/3.1", stream.get_selected_npn_protocol().unwrap());
+    assert_eq!(b"spdy/3.1", stream.ssl().selected_npn_protocol().unwrap());
 }
 /// Tests that when the `SslStream` is created as a server stream, the protocols
@ -694,7 +697,7 @@ fn test_npn_server_advertise_multiple() {
        Err(err) => panic!("Expected success, got {:?}", err)
    };
    // SPDY is selected since that's the only thing the client supports.
-    assert_eq!(b"spdy/3.1", stream.get_selected_npn_protocol().unwrap());
+    assert_eq!(b"spdy/3.1", stream.ssl().selected_npn_protocol().unwrap());
 }
 /// Tests that when the `SslStream` is created as a server stream, the protocols
@ -730,12 +733,12 @@ fn test_alpn_server_advertise_multiple() {
    }
    // Now connect to the socket and make sure the protocol negotiation works...
    let stream = TcpStream::connect(localhost).unwrap();
-    let stream = match SslStream::new(&ctx, stream) {
+    let stream = match SslStream::connect(&ctx, stream) {
        Ok(stream) => stream,
        Err(err) => panic!("Expected success, got {:?}", err)
    };
    // SPDY is selected since that's the only thing the client supports.
-    assert_eq!(b"spdy/3.1", stream.get_selected_alpn_protocol().unwrap());
+    assert_eq!(b"spdy/3.1", stream.ssl().selected_alpn_protocol().unwrap());
 }
 /// Test that Servers supporting ALPN don't report a protocol when none of their protocols match
@ -771,13 +774,13 @@ fn test_alpn_server_select_none() {
    }
    // Now connect to the socket and make sure the protocol negotiation works...
    let stream = TcpStream::connect(localhost).unwrap();
-    let stream = match SslStream::new(&ctx, stream) {
+    let stream = match SslStream::connect(&ctx, stream) {
        Ok(stream) => stream,
        Err(err) => panic!("Expected success, got {:?}", err)
    };
    // Since the protocols from the server and client don't overlap at all, no protocol is selected
-    assert_eq!(None, stream.get_selected_alpn_protocol());
+    assert_eq!(None, stream.ssl().selected_alpn_protocol());
 }
@ -808,7 +811,8 @@ mod dtlsv1 {
 fn test_read_dtlsv1() {
    let (_s, stream) = Server::new_dtlsv1(Some("hello"));
-    let mut stream = SslStream::connect_generic(&SslContext::new(Dtlsv1).unwrap(), stream).unwrap();
+    let mut stream = SslStream::connect_generic(&SslContext::new(Dtlsv1).unwrap(),
                                                stream).unwrap();
    let mut buf = [0u8;100];
    assert!(stream.read(&mut buf).is_ok());
 }
@ -817,5 +821,111 @@ fn test_read_dtlsv1() {
 #[cfg(feature = "sslv2")]
 fn test_sslv2_connect_failure() {
    let (_s, tcp) = Server::new_tcp(&["-no_ssl2", "-www"]);
-    SslStream::connect_generic(&SslContext::new(Sslv2).unwrap(), tcp).err().unwrap();
+    SslStream::connect_generic(&SslContext::new(Sslv2).unwrap(),
                               tcp).err().unwrap();
 }
 fn wait_io(stream: &NonblockingSslStream<TcpStream>,
           read: bool,
           timeout_ms: u32) -> bool {
    unsafe {
        let mut set: select::fd_set = mem::zeroed();
        select::fd_set(&mut set, stream.get_ref());
        let write = if read {0 as *mut _} else {&mut set as *mut _};
        let read = if !read {0 as *mut _} else {&mut set as *mut _};
        select::select(stream.get_ref(), read, write, 0 as *mut _, timeout_ms)
               .unwrap()
    }
 }
 #[test]
 fn test_write_nonblocking() {
    let (_s, stream) = Server::new();
    stream.set_nonblocking(true).unwrap();
    let cx = SslContext::new(Sslv23).unwrap();
    let mut stream = NonblockingSslStream::connect(&cx, stream).unwrap();
    let mut iterations = 0;
    loop {
        iterations += 1;
        if iterations > 7 {
            // Probably a safe assumption for the foreseeable future of
            // openssl.
            panic!("Too many read/write round trips in handshake!!");
        }
        let result = stream.write(b"hello");
        match result {
            Ok(_) => {
                break;
            },
            Err(NonblockingSslError::WantRead) => {
                assert!(wait_io(&stream, true, 1000));
            },
            Err(NonblockingSslError::WantWrite) => {
                assert!(wait_io(&stream, false, 1000));
            },
            Err(other) => {
                panic!("Unexpected SSL Error: {:?}", other);
            },
        }
    }
    // Second write should succeed immediately--plenty of space in kernel
    // buffer, and handshake just completed.
    stream.write(" there".as_bytes()).unwrap();
 }
 #[test]
 fn test_read_nonblocking() {
    let (_s, stream) = Server::new();
    stream.set_nonblocking(true).unwrap();
    let cx = SslContext::new(Sslv23).unwrap();
    let mut stream = NonblockingSslStream::connect(&cx, stream).unwrap();
    let mut iterations = 0;
    loop {
        iterations += 1;
        if iterations > 7 {
            // Probably a safe assumption for the foreseeable future of
            // openssl.
            panic!("Too many read/write round trips in handshake!!");
        }
        let result = stream.write(b"GET /\r\n\r\n");
        match result {
            Ok(n) => {
                assert_eq!(n, 9);
                break;
            },
            Err(NonblockingSslError::WantRead) => {
                assert!(wait_io(&stream, true, 1000));
            },
            Err(NonblockingSslError::WantWrite) => {
                assert!(wait_io(&stream, false, 1000));
            },
            Err(other) => {
                panic!("Unexpected SSL Error: {:?}", other);
            },
        }
    }
    let mut input_buffer = [0u8; 1500];
    let result = stream.read(&mut input_buffer);
    let bytes_read = match result {
        Ok(n) => {
            // This branch is unlikely, but on an overloaded VM with
            // unlucky context switching, the response could actually
            // be in the receive buffer before we issue the read() syscall...
            n
        },
        Err(NonblockingSslError::WantRead) => {
            assert!(wait_io(&stream, true, 3000));
            // Second read should return application data.
            stream.read(&mut input_buffer).unwrap()
        },
        Err(other) => {
            panic!("Unexpected SSL Error: {:?}", other);
        },
    };
    assert!(bytes_read >= 5);
    assert_eq!(&input_buffer[..5], b"HTTP/");
 }
--- a/openssl/src/ssl/tests/select.rs
+++ b/openssl/src/ssl/tests/select.rs
@ -0,0 +1,72 @@
 use libc;
 pub use self::imp::*;
 #[cfg(unix)]
 mod imp {
    use std::os::unix::prelude::*;
    use std::io;
    use libc;
    pub use libc::fd_set;
    pub fn fd_set<F: AsRawFd>(set: &mut fd_set, f: &F) {
        unsafe {
            libc::FD_SET(f.as_raw_fd(), set);
        }
    }
    pub unsafe fn select<F: AsRawFd>(max: &F,
                                     read: *mut fd_set,
                                     write: *mut fd_set,
                                     error: *mut fd_set,
                                     timeout_ms: u32)
                                     -> io::Result<bool> {
        let mut timeout = libc::timeval {
            tv_sec: (timeout_ms / 1000) as libc::time_t,
            tv_usec: (timeout_ms % 1000 * 1000) as libc::suseconds_t,
        };
        let rc = libc::select(max.as_raw_fd() + 1, read, write, error, &mut timeout);
        if rc < 0 {
            Err(io::Error::last_os_error())
        } else {
            Ok(rc != 0)
        }
    }
 }
 #[cfg(windows)]
 mod imp {
    extern crate winapi;
    extern crate ws2_32;
    use std::os::windows::prelude::*;
    use std::io;
    use libc::{c_uint, c_long};
    use self::winapi::SOCKET;
    use self::winapi::winsock2;
    pub use self::winapi::winsock2::fd_set;
    pub fn fd_set<F: AsRawSocket>(set: &mut fd_set, f: &F) {
        set.fd_array[set.fd_count as usize] = f.as_raw_socket();
        set.fd_count += 1;
    }
    pub unsafe fn select<F: AsRawSocket>(_max: &F,
                                         read: *mut fd_set,
                                         write: *mut fd_set,
                                         error: *mut fd_set,
                                         timeout_ms: u32)
                                         -> io::Result<bool> {
        let mut timeout = winsock2::timeval {
            tv_sec: (timeout_ms / 1000) as c_long,
            tv_usec: (timeout_ms % 1000 * 1000) as c_long,
        };
        let rc = ws2_32::select(1, read, write, error, &mut timeout);
        if rc < 0 {
            Err(io::Error::last_os_error())
        } else {
            Ok(rc != 0)
        }
    }
 }
--- a/openssl/src/x509/mod.rs
+++ b/openssl/src/x509/mod.rs
@ -18,6 +18,7 @@ use crypto::hash::Type as HashType;
 use crypto::pkey::{PKey,Parts};
 use crypto::rand::rand_bytes;
 use ffi;
 use ffi_extras;
 use ssl::error::{SslError, StreamError};
 use nid;
@ -102,10 +103,6 @@ impl X509StoreContext {
    }
 }
 // Backwards-compatibility
 pub use self::extension::KeyUsageOption as KeyUsage;
 pub use self::extension::ExtKeyUsageOption as ExtKeyUsage;
 #[allow(non_snake_case)]
 /// Generator of private key/certificate pairs
 ///
@ -120,14 +117,15 @@ pub use self::extension::ExtKeyUsageOption as ExtKeyUsage;
 /// use std::path::Path;
 ///
 /// use openssl::crypto::hash::Type;
-/// use openssl::x509::{KeyUsage, X509Generator};
+/// use openssl::x509::X509Generator;
 /// use openssl::x509::extension::{Extension, KeyUsageOption};
 ///
 /// let gen = X509Generator::new()
 ///        .set_bitlength(2048)
 ///        .set_valid_period(365*2)
-///        .set_CN("SuperMegaCorp Inc.")
+///        .add_name("CN".to_owned(), "SuperMegaCorp Inc.".to_owned())
 ///        .set_sign_hash(Type::SHA256)
-///        .set_usage(&[KeyUsage::DigitalSignature]);
+///        .add_extension(Extension::KeyUsage(vec![KeyUsageOption::DigitalSignature]));
 ///
 /// let (cert, pkey) = gen.generate().unwrap();
 ///
@ -183,22 +181,6 @@ impl X509Generator {
        self
    }
    #[allow(non_snake_case)]
    /// (deprecated) Sets Common Name of certificate
    ///
    /// This function is deprecated, use `X509Generator.add_name` instead.
    /// Don't use this function AND the `add_name` method
    pub fn set_CN(mut self, CN: &str) -> X509Generator {
        match self.names.get_mut(0) {
            Some(&mut(_,ref mut val)) => *val=CN.to_string(),
            _ => {} /* would move push here, but borrow checker won't let me */
        }
        if self.names.len()==0 {
            self.names.push(("CN".to_string(),CN.to_string()));
        }
        self
    }
    /// Add attribute to the name of the certificate
    ///
    /// ```
@ -222,20 +204,6 @@ impl X509Generator {
        self
    }
    /// (deprecated) Sets what for certificate could be used
    ///
    /// This function is deprecated, use `X509Generator.add_extension` instead.
    pub fn set_usage(self, purposes: &[KeyUsage]) -> X509Generator {
        self.add_extension(Extension::KeyUsage(purposes.to_owned()))
    }
    /// (deprecated) Sets allowed extended usage of certificate
    ///
    /// This function is deprecated, use `X509Generator.add_extension` instead.
    pub fn set_ext_usage(self, purposes: &[ExtKeyUsage]) -> X509Generator {
        self.add_extension(Extension::ExtKeyUsage(purposes.to_owned()))
    }
    /// Add an extension to a certificate
    ///
    /// If the extension already exists, it will be replaced.
@ -400,7 +368,7 @@ impl X509Generator {
            let req = ffi::X509_to_X509_REQ(cert.handle, ptr::null_mut(), ptr::null());
            try_ssl_null!(req);
-            let exts = ffi::X509_get_extensions(cert.handle);
+            let exts = ffi_extras::X509_get_extensions(cert.handle);
            if exts != ptr::null_mut() {
                try_ssl!(ffi::X509_REQ_add_extensions(req,exts));
            }
--- a/openssl/test/build.sh
+++ b/openssl/test/build.sh
@ -3,8 +3,7 @@ set -e
 mkdir /tmp/openssl
 cd /tmp/openssl
 sudo apt-get install gcc make
 curl https://openssl.org/source/openssl-1.0.2d.tar.gz | tar --strip-components=1 -xzf -
-./config --prefix=/usr/ shared
+./config --prefix=$HOME/openssl shared
 make
-sudo make install
+make install