chore(ssl): remove deprecated code (#98)

2025-10-21 13:15:12 +08:00 · 2025-10-21 13:15:12 +08:00 · 5ddfb2e097
parent d7805d6053
commit 5ddfb2e097
4 changed files with 22 additions and 41 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -67,7 +67,7 @@ jobs:
      - name: Run clippy
        run: cargo clippy --all --all-targets
      - name: Check docs
-        run: cargo doc --no-deps -p boring2 -p boring-sys2 --features pq-experimental,underscore-wildcards
+        run: cargo doc --no-deps -p boring2 -p boring-sys2 --features underscore-wildcards
        env:
          DOCS_RS: 1
  test:
@ -300,8 +300,6 @@ jobs:
        submodules: 'recursive'
    - name: Install Rust (rustup)
      run: rustup update stable --no-self-update && rustup default stable
-    - name: Run `kx-safe-default` tests
-      run: cargo test --features kx-safe-default
    - name: Run `underscore-wildcards` tests
      run: cargo test --features underscore-wildcards

--- a/boring-sys/build/main.rs
+++ b/boring-sys/build/main.rs
@ -303,7 +303,7 @@ fn get_boringssl_cmake_config(config: &Config) -> cmake::Config {
                    config
                        .manifest_dir
                        .join(src_path)
-                        .join("util/32-bit-toolchain.cmake")
+                        .join("src/util/32-bit-toolchain.cmake")
                        .as_os_str(),
                );
            }
--- a/boring-sys/patches/underscore-wildcards.patch
+++ b/boring-sys/patches/underscore-wildcards.patch
@ -1,10 +1,21 @@
 https://github.com/google/boringssl/compare/master...cloudflare:boringssl:underscore-wildcards

-diff --git a/crypto/x509/x509_test.cc b/crypto/x509/x509_test.cc
-index 9699b5a75..b0e9b34a6 100644
--- a/crypto/x509/x509_test.cc
-+++ b/crypto/x509/x509_test.cc
-@@ -4420,6 +4420,31 @@ TEST(X509Test, Names) {
+--- a/src/crypto/x509v3/v3_utl.c
+++ b/src/crypto/x509v3/v3_utl.c
+@@ -790,7 +790,9 @@ static int wildcard_match(const unsigned char *prefix, size_t prefix_len,
+   // Check that the part matched by the wildcard contains only
+   // permitted characters and only matches a single label.
+   for (p = wildcard_start; p != wildcard_end; ++p) {
+-    if (!OPENSSL_isalnum(*p) && *p != '-') {
+    if (!OPENSSL_isalnum(*p) && *p != '-' &&
+        !(*p == '_' &&
+          (flags & X509_CHECK_FLAG_UNDERSCORE_WILDCARDS))) {
+       return 0;
+     }
+   }
+--- a/src/crypto/x509/x509_test.cc
+++ b/src/crypto/x509/x509_test.cc
+@@ -4500,6 +4500,31 @@ TEST(X509Test, Names) {
           /*invalid_emails=*/{},
           /*flags=*/0,
       },
@ -36,26 +47,9 @@ index 9699b5a75..b0e9b34a6 100644
   };
 
   size_t i = 0;
-diff --git a/crypto/x509v3/v3_utl.c b/crypto/x509v3/v3_utl.c
-index bbc82e283..e61e1901d 100644
--- a/crypto/x509v3/v3_utl.c
-+++ b/crypto/x509v3/v3_utl.c
-@@ -790,7 +790,9 @@ static int wildcard_match(const unsigned char *prefix, size_t prefix_len,
-   // Check that the part matched by the wildcard contains only
-   // permitted characters and only matches a single label.
-   for (p = wildcard_start; p != wildcard_end; ++p) {
-    if (!OPENSSL_isalnum(*p) && *p != '-') {
-+    if (!OPENSSL_isalnum(*p) && *p != '-' &&
-+        !(*p == '_' &&
-+          (flags & X509_CHECK_FLAG_UNDERSCORE_WILDCARDS))) {
-       return 0;
-     }
-   }
-diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h
-index 2a2e02c2e..24e0604b0 100644
--- a/include/openssl/x509v3.h
-+++ b/include/openssl/x509v3.h
-@@ -939,6 +939,8 @@ OPENSSL_EXPORT STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x);
+--- a/src/include/openssl/x509c3.h
+++ b/src/include/openssl/x509v3.h
+@@ -4497,6 +4497,8 @@ OPENSSL_EXPORT int X509_PURPOSE_get_id(const X509_PURPOSE *);
 #define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
 // Skip the subject common name fallback if subjectAltNames is missing.
 #define X509_CHECK_FLAG_NEVER_CHECK_SUBJECT 0x20
@ -64,3 +58,4 @@ index 2a2e02c2e..24e0604b0 100644
 
 OPENSSL_EXPORT int X509_check_host(X509 *x, const char *chk, size_t chklen,
                                    unsigned int flags, char **peername);
+-- 
--- a/boring/src/ssl/mod.rs
+++ b/boring/src/ssl/mod.rs
@ -1913,18 +1913,6 @@ impl SslContextBuilder {
        unsafe { ffi::SSL_CTX_set_preserve_tls13_cipher_list(self.as_ptr(), enable as _) }
    }

-    /// Sets whether the ChaCha20 preference should be enabled.
-    ///
-    /// Controls the priority of TLS 1.3 cipher suites. When set to `true`, the client prefers:
-    /// AES_128_GCM, CHACHA20_POLY1305, then AES_256_GCM. Useful in environments with specific
-    /// encryption requirements.
-    #[deprecated(note = "use `set_preserve_tls13_cipher_list` instead")]
-    #[cfg(not(feature = "fips"))]
-    #[corresponds(SSL_CTX_set_prefer_chacha20)]
-    pub fn set_prefer_chacha20(&mut self, enable: bool) {
-        unsafe { ffi::SSL_CTX_set_preserve_tls13_cipher_list(self.as_ptr(), enable as _) }
-    }
-
    /// Sets the indices of the extensions to be permuted.
    #[corresponds(SSL_CTX_set_extension_order)]
    pub fn set_extension_permutation(