diff --git a/Cargo.toml b/Cargo.toml
index 69cb586e..3dc3bf2a 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -40,5 +40,3 @@ linked_hash_set = "0.1"
 openssl-macros = "0.1.1"
 autocfg = "1.3.0"
 brotli = "8"
-flate2 = "1"
-zstd = "0.13"
diff --git a/boring/Cargo.toml b/boring/Cargo.toml
index 581bd5fc..4badf126 100644
--- a/boring/Cargo.toml
+++ b/boring/Cargo.toml
@@ -77,18 +77,12 @@ kx-client-pq-preferred = ["kx-safe-default", "kx-client-pq-supported"]
 # Implies "kx-safe-default".
 kx-client-nist-required = ["kx-safe-default"]
 
-# Certificate compression
-cert-compression = ["flate2", "brotli", "zstd"]
-
 [dependencies]
 bitflags = { workspace = true }
 foreign-types = { workspace = true }
 openssl-macros = { workspace = true }
 libc = { workspace = true }
 boring-sys = { workspace = true }
-brotli = { workspace = true, optional = true }
-flate2 = { workspace = true, optional = true }
-zstd = { workspace = true, optional = true }
 
 [dev-dependencies]
 hex = { workspace = true }
diff --git a/boring/src/ssl/cert_compression.rs b/boring/src/ssl/cert_compression.rs
deleted file mode 100644
index a52f5c45..00000000
--- a/boring/src/ssl/cert_compression.rs
+++ /dev/null
@@ -1,195 +0,0 @@
-use boring_sys as ffi;
-use std::{io::Read, slice};
-
-/// IANA assigned identifier of compression algorithm.
-/// See https://www.rfc-editor.org/rfc/rfc8879.html#name-compression-algorithms
-#[deprecated(
-    since = "4.15.13",
-    note = "This enum is deprecated and will be removed in a future version. \
-    Use `boring::ssl::CertificateCompressionAlgorithm` instead."
-)]
-#[repr(u16)]
-#[derive(Debug, Copy, Clone, PartialEq, Eq)]
-pub enum CertCompressionAlgorithm {
-    /// The Brotli compression algorithm.
-    Brotli = ffi::TLSEXT_cert_compression_brotli as _,
-    /// The zlib compression algorithm.
-    Zlib = ffi::TLSEXT_cert_compression_zlib as _,
-    /// The Zstandard compression algorithm.
-    Zstd = ffi::TLSEXT_cert_compression_zstd as _,
-}
-
-impl CertCompressionAlgorithm {
-    /// Returns the compression function for the algorithm.
-    pub(crate) fn compression_fn(&self) -> ffi::ssl_cert_compression_func_t {
-        match &self {
-            Self::Brotli => Some(brotli_compressor),
-            Self::Zlib => Some(zlib_compressor),
-            Self::Zstd => Some(zstd_compressor),
-        }
-    }
-
-    /// Returns the decompression function for the algorithm.
-    pub(crate) fn decompression_fn(&self) -> ffi::ssl_cert_decompression_func_t {
-        match &self {
-            Self::Brotli => Some(brotli_decompressor),
-            Self::Zlib => Some(zlib_decompressor),
-            Self::Zstd => Some(zstd_decompressor),
-        }
-    }
-}
-
-extern "C" fn brotli_compressor(
-    _ssl: *mut ffi::SSL,
-    buffer: *mut ffi::CBB,
-    in_: *const u8,
-    in_len: usize,
-) -> ::std::os::raw::c_int {
-    let mut uncompressed = unsafe { slice::from_raw_parts(in_, in_len) };
-    let mut compressed = Vec::new();
-
-    let params = brotli::enc::encode::BrotliEncoderInitParams();
-
-    if brotli::BrotliCompress(&mut uncompressed, &mut compressed, ¶ms).is_err() {
-        return 0;
-    }
-
-    unsafe { ffi::CBB_add_bytes(buffer, compressed.as_ptr(), compressed.len()) }
-}
-
-extern "C" fn zlib_compressor(
-    _ssl: *mut ffi::SSL,
-    out: *mut ffi::CBB,
-    in_: *const u8,
-    in_len: usize,
-) -> ::std::os::raw::c_int {
-    let mut uncompressed = unsafe { slice::from_raw_parts(in_, in_len) };
-    let mut compressed = Vec::new();
-
-    let params = flate2::Compression::default();
-
-    let mut encoder = flate2::bufread::ZlibEncoder::new(&mut uncompressed, params);
-    if encoder.read_to_end(&mut compressed).is_err() {
-        return 0;
-    }
-
-    unsafe { ffi::CBB_add_bytes(out, compressed.as_ptr(), compressed.len()) }
-}
-
-extern "C" fn zstd_compressor(
-    _ssl: *mut ffi::SSL,
-    out: *mut ffi::CBB,
-    in_: *const u8,
-    in_len: usize,
-) -> ::std::os::raw::c_int {
-    let mut uncompressed = unsafe { slice::from_raw_parts(in_, in_len) };
-
-    let compressed = if let Ok(compressed) = zstd::encode_all(&mut uncompressed, 3) {
-        compressed
-    } else {
-        return 0;
-    };
-
-    unsafe { ffi::CBB_add_bytes(out, compressed.as_ptr(), compressed.len()) }
-}
-
-extern "C" fn brotli_decompressor(
-    _ssl: *mut ffi::SSL,
-    buffer: *mut *mut ffi::CRYPTO_BUFFER,
-    uncompressed_len: usize,
-    in_: *const u8,
-    in_len: usize,
-) -> ::std::os::raw::c_int {
-    let compressed = unsafe { slice::from_raw_parts(in_, in_len) };
-    let mut uncompressed =
Vec::with_capacity(uncompressed_len);
-
-    if brotli::BrotliDecompress(&mut &compressed[..], &mut uncompressed).is_err() {
-        return 0;
-    }
-
-    if uncompressed.len() != uncompressed_len {
-        return 0;
-    }
-
-    unsafe {
-        *buffer = ffi::CRYPTO_BUFFER_new(
-            uncompressed.as_ptr(),
-            uncompressed_len,
-            std::ptr::null_mut(),
-        );
-
-        if buffer.is_null() {
-            return 0;
-        }
-    }
-
-    1
-}
-
-extern "C" fn zlib_decompressor(
-    _ssl: *mut ffi::SSL,
-    buffer: *mut *mut ffi::CRYPTO_BUFFER,
-    uncompressed_len: usize,
-    in_: *const u8,
-    in_len: usize,
-) -> ::std::os::raw::c_int {
-    let mut compressed = unsafe { slice::from_raw_parts(in_, in_len) };
-    let mut uncompressed = Vec::with_capacity(uncompressed_len);
-
-    let mut decoder = flate2::bufread::ZlibDecoder::new(&mut compressed);
-    if decoder.read_to_end(&mut uncompressed).is_err() {
-        return 0;
-    }
-
-    if uncompressed.len() != uncompressed_len {
-        return 0;
-    }
-
-    unsafe {
-        *buffer = ffi::CRYPTO_BUFFER_new(
-            uncompressed.as_ptr(),
-            uncompressed_len,
-            std::ptr::null_mut(),
-        );
-
-        if buffer.is_null() {
-            return 0;
-        }
-    }
-
-    1
-}
-
-extern "C" fn zstd_decompressor(
-    _ssl: *mut ffi::SSL,
-    buffer: *mut *mut ffi::CRYPTO_BUFFER,
-    uncompressed_len: usize,
-    in_: *const u8,
-    in_len: usize,
-) -> ::std::os::raw::c_int {
-    let mut compressed = unsafe { slice::from_raw_parts(in_, in_len) };
-
-    let uncompressed = if let Ok(uncompressed) = zstd::decode_all(&mut compressed) {
-        uncompressed
-    } else {
-        return 0;
-    };
-
-    if uncompressed.len() != uncompressed_len {
-        return 0;
-    }
-
-    unsafe {
-        *buffer = ffi::CRYPTO_BUFFER_new(
-            uncompressed.as_ptr(),
-            uncompressed_len,
-            std::ptr::null_mut(),
-        );
-
-        if buffer.is_null() {
-            return 0;
-        }
-    }
-
-    1
-}
diff --git a/boring/src/ssl/mod.rs b/boring/src/ssl/mod.rs
index bf08a862..1d0fe4b8 100644
--- a/boring/src/ssl/mod.rs
+++ b/boring/src/ssl/mod.rs
@@ -103,12 +103,6 @@ pub use self::async_callbacks::{
     BoxCustomVerifyFuture, BoxGetSessionFinish, BoxGetSessionFuture, BoxPrivateKeyMethodFinish,
     BoxPrivateKeyMethodFuture, BoxSelectCertFinish, BoxSelectCertFuture, ExDataFuture,
 };
-#[deprecated(
-    since = "4.15.13",
-    note = "Use `boring2::ssl::CertificateCompressionAlgorithm` instead"
-)]
-#[cfg(feature = "cert-compression")]
-pub use self::cert_compression::CertCompressionAlgorithm;
 pub use self::connector::{
     ConnectConfiguration, SslAcceptor, SslAcceptorBuilder, SslConnector, SslConnectorBuilder,
 };
@@ -119,8 +113,6 @@ pub use self::error::{Error, ErrorCode, HandshakeError};
 mod async_callbacks;
 mod bio;
 mod callbacks;
-#[cfg(feature = "cert-compression")]
-mod cert_compression;
 mod connector;
 #[cfg(not(feature = "fips"))]
 mod ech;
@@ -1198,20 +1190,6 @@ impl SslContextBuilder {
         }
     }
 
-    /// Sets a custom certificate store for verifying peer certificates.
-    #[deprecated(since = "4.15.13", note = "Use `set_verify_cert_store` instead.")]
-    #[corresponds(SSL_CTX_set1_verify_cert_store)]
-    pub fn set_verify_cert_store_ref(
-        &mut self,
-        cert_store: &'static X509Store,
-    ) -> Result<(), ErrorStack> {
-        unsafe {
-            cvt(ffi::SSL_CTX_set1_verify_cert_store(self.as_ptr(), cert_store.as_ptr()) as c_int)?;
-
-            Ok(())
-        }
-    }
-
     /// Use [`set_cert_store_builder`] or [`set_cert_store_ref`] instead.
     ///
     /// Replaces the context's certificate store.
@@ -1435,28 +1413,6 @@ impl SslContextBuilder {
         unsafe { cvt(ffi::SSL_CTX_use_PrivateKey(self.as_ptr(), key.as_ptr())).map(|_| ()) }
     }
 
-    /// Sets whether a certificate compression algorithm should be used.
-    #[deprecated(
-        since = "4.15.13",
-        note = "Use `add_certificate_compression_algorithm` instead."
-    )]
-    #[cfg(feature = "cert-compression")]
-    #[corresponds(SSL_CTX_add_cert_compression_alg)]
-    pub fn add_cert_compression_alg(
-        &mut self,
-        alg: CertCompressionAlgorithm,
-    ) -> Result<(), ErrorStack> {
-        unsafe {
-            cvt(ffi::SSL_CTX_add_cert_compression_alg(
-                self.as_ptr(),
-                alg as _,
-                alg.compression_fn(),
-                alg.decompression_fn(),
-            ))
-            .map(|_| ())
-        }
-    }
-
     /// Sets the list of supported ciphers for protocols before TLSv1.3.
     ///
     /// The `set_ciphersuites` method controls the cipher suites for TLSv1.3 in OpenSSL.
@@ -1997,13 +1953,6 @@ impl SslContextBuilder {
         unsafe { ffi::SSL_CTX_set_aes_hw_override(self.as_ptr(), enable as _) }
     }
 
-    /// Sets whether the context should enable there key share extension.
-    #[deprecated(since = "4.13.8", note = "use `set_key_shares_limit` instead")]
-    #[corresponds(SSL_CTX_set_key_shares_limit)]
-    pub fn set_key_shares_length_limit(&mut self, limit: u8) {
-        self.set_key_shares_limit(limit)
-    }
-
     /// Sets the indices of the extensions to be permuted.
     ///
     /// The indices must be in the range [0, 25).
@@ -2032,25 +1981,6 @@ impl SslContextBuilder {
         }
     }
 
-    /// Sets the indices of the extensions to be permuted.
-    ///
-    /// The indices must be in the range [0, 25).
-    /// Extension duplication will be verified by the user.
-    /// If duplication occurs, TLS connection failure may occur.
-    #[deprecated(since = "4.15.13", note = "use `set_extension_permutation` instead")]
-    #[corresponds(SSL_CTX_set_extension_permutation)]
-    #[cfg(not(feature = "fips-compat"))]
-    pub fn set_extension_permutation_indices(&mut self, indices: &[u8]) -> Result<(), ErrorStack> {
-        unsafe {
-            cvt(ffi::SSL_CTX_set_extension_permutation(
-                self.as_ptr(),
-                indices.as_ptr() as *const _,
-                indices.len() as _,
-            ))
-            .map(|_| ())
-        }
-    }
-
     /// Configures whether ClientHello extensions should be permuted.
     ///
     /// Note: This is gated to non-fips because the fips feature builds with a separate