From 5ddfb2e097d658f44b4b55aafd86ddf96d4b0f77 Mon Sep 17 00:00:00 2001 From: 0x676e67 Date: Tue, 21 Oct 2025 13:15:12 +0800 Subject: [PATCH] chore(ssl): remove deprecated code (#98) --- .github/workflows/ci.yml | 4 +- boring-sys/build/main.rs | 2 +- boring-sys/patches/underscore-wildcards.patch | 45 +++++++++---------- boring/src/ssl/mod.rs | 12 ----- 4 files changed, 22 insertions(+), 41 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 39186781..0cdd52aa 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -67,7 +67,7 @@ jobs: - name: Run clippy run: cargo clippy --all --all-targets - name: Check docs - run: cargo doc --no-deps -p boring2 -p boring-sys2 --features pq-experimental,underscore-wildcards + run: cargo doc --no-deps -p boring2 -p boring-sys2 --features underscore-wildcards env: DOCS_RS: 1 test: @@ -300,8 +300,6 @@ jobs: submodules: 'recursive' - name: Install Rust (rustup) run: rustup update stable --no-self-update && rustup default stable - - name: Run `kx-safe-default` tests - run: cargo test --features kx-safe-default - name: Run `underscore-wildcards` tests run: cargo test --features underscore-wildcards diff --git a/boring-sys/build/main.rs b/boring-sys/build/main.rs index 251149dc..c995a580 100644 --- a/boring-sys/build/main.rs +++ b/boring-sys/build/main.rs @@ -303,7 +303,7 @@ fn get_boringssl_cmake_config(config: &Config) -> cmake::Config { config .manifest_dir .join(src_path) - .join("util/32-bit-toolchain.cmake") + .join("src/util/32-bit-toolchain.cmake") .as_os_str(), ); } diff --git a/boring-sys/patches/underscore-wildcards.patch b/boring-sys/patches/underscore-wildcards.patch index 38e406a2..1338c785 100644 --- a/boring-sys/patches/underscore-wildcards.patch +++ b/boring-sys/patches/underscore-wildcards.patch 
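Review bot: The `pq-experimental` feature is dropped from the docs step here, and the second hunk (`@@ -300,8 +300,6 @@`) deletes the `kx-safe-default` test run, but no Cargo.toml change is in this patch (the diffstat lists four files), so from this diff alone it is not visible whether those features were removed from the crate or merely lost their CI coverage. If they still exist in the feature list, the removed step should stay, since a TLS feature that is never built in CI can silently bit-rot; if they were removed in an earlier commit, naming that commit in the message would make the CI cleanup traceable. Either way the title "remove deprecated code" does not cover a change to which feature sets are built and tested.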
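Review bot: The toolchain path changes from `util/32-bit-toolchain.cmake` to `src/util/32-bit-toolchain.cmake` with no comment and no mention in the commit message, so a later reader cannot tell whether `src_path` changed meaning or the checkout layout moved; presumably the BoringSSL sources now sit one level deeper, but that is inferred, not shown. A why-comment above the `.join` chain such as `// The toolchain file ships inside the BoringSSL checkout under <src_path>/src.` would capture the reason. Since a wrong path only surfaces as a CMake error later in the build, binding the joined path to a local and adding `assert!(toolchain.exists(), "32-bit toolchain file not found: {}", toolchain.display());` before handing it to CMake would fail fast with a clear message. The enclosing `if` and `get_boringssl_cmake_config` both continue outside the hunk.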
@@ -1,10 +1,21 @@ https://github.com/google/boringssl/compare/master...cloudflare:boringssl:underscore-wildcards -diff --git a/crypto/x509/x509_test.cc b/crypto/x509/x509_test.cc -index 9699b5a75..b0e9b34a6 100644 ---- a/crypto/x509/x509_test.cc -+++ b/crypto/x509/x509_test.cc -@@ -4420,6 +4420,31 @@ TEST(X509Test, Names) { +--- a/src/crypto/x509v3/v3_utl.c ++++ b/src/crypto/x509v3/v3_utl.c +@@ -790,7 +790,9 @@ static int wildcard_match(const unsigned char *prefix, size_t prefix_len, + // Check that the part matched by the wildcard contains only + // permitted characters and only matches a single label. + for (p = wildcard_start; p != wildcard_end; ++p) { +- if (!OPENSSL_isalnum(*p) && *p != '-') { ++ if (!OPENSSL_isalnum(*p) && *p != '-' && ++ !(*p == '_' && ++ (flags & X509_CHECK_FLAG_UNDERSCORE_WILDCARDS))) { + return 0; + } + } +--- a/src/crypto/x509/x509_test.cc ++++ b/src/crypto/x509/x509_test.cc +@@ -4500,6 +4500,31 @@ TEST(X509Test, Names) { /*invalid_emails=*/{}, /*flags=*/0, }, 
@@ -36,26 +47,9 @@ index 9699b5a75..b0e9b34a6 100644 }; size_t i = 0; -diff --git a/crypto/x509v3/v3_utl.c b/crypto/x509v3/v3_utl.c -index bbc82e283..e61e1901d 100644 ---- a/crypto/x509v3/v3_utl.c -+++ b/crypto/x509v3/v3_utl.c -@@ -790,7 +790,9 @@ static int wildcard_match(const unsigned char *prefix, size_t prefix_len, - // Check that the part matched by the wildcard contains only - // permitted characters and only matches a single label. - for (p = wildcard_start; p != wildcard_end; ++p) { -- if (!OPENSSL_isalnum(*p) && *p != '-') { -+ if (!OPENSSL_isalnum(*p) && *p != '-' && -+ !(*p == '_' && -+ (flags & X509_CHECK_FLAG_UNDERSCORE_WILDCARDS))) { - return 0; - } - } -diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h -index 2a2e02c2e..24e0604b0 100644 ---- a/include/openssl/x509v3.h -+++ b/include/openssl/x509v3.h -@@ -939,6 +939,8 @@ OPENSSL_EXPORT STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x); +--- a/src/include/openssl/x509c3.h ++++ b/src/include/openssl/x509v3.h +@@ -4497,6 +4497,8 @@ OPENSSL_EXPORT int X509_PURPOSE_get_id(const X509_PURPOSE *); #define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0 // Skip the subject common name fallback if subjectAltNames is missing. #define X509_CHECK_FLAG_NEVER_CHECK_SUBJECT 0x20 @@ -64,3 +58,4 @@ index 2a2e02c2e..24e0604b0 100644 OPENSSL_EXPORT int X509_check_host(X509 *x, const char *chk, size_t chklen, unsigned int flags, char **peername); +-- \ No newline at end of file diff --git a/boring/src/ssl/mod.rs b/boring/src/ssl/mod.rs index afe22511..9340d881 100644 --- a/boring/src/ssl/mod.rs +++ b/boring/src/ssl/mod.rs 
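Review bot: The rewritten header for the x509v3.h part of the vendored patch reads `+--- a/src/include/openssl/x509c3.h` while its `+++` line names `x509v3.h`; the `c3` looks like a typo. How a mismatched old/new path is handled depends on the tool that applies the patch, and if that hunk is skipped while the `v3_utl.c` hunk still applies, the build fails on the undefined `X509_CHECK_FLAG_UNDERSCORE_WILDCARDS`, so the line should be `--- a/src/include/openssl/x509v3.h`. The same hunk also moves the insertion point from `@@ -939,6 +939,8 @@` to `@@ -4497,6 +4497,8 @@` with a new context line (`X509_PURPOSE_get_id`), which is worth confirming against the pinned BoringSSL revision, since the hunk still expects `X509_CHECK_FLAG_NEVER_CHECK_SUBJECT` at that offset.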
@@ -1913,18 +1913,6 @@ impl SslContextBuilder {
         unsafe { ffi::SSL_CTX_set_preserve_tls13_cipher_list(self.as_ptr(), enable as _) }
     }
 
-    /// Sets whether the ChaCha20 preference should be enabled.
-    ///
-    /// Controls the priority of TLS 1.3 cipher suites. When set to `true`, the client prefers:
-    /// AES_128_GCM, CHACHA20_POLY1305, then AES_256_GCM. Useful in environments with specific
-    /// encryption requirements.
-    #[deprecated(note = "use `set_preserve_tls13_cipher_list` instead")]
-    #[cfg(not(feature = "fips"))]
-    #[corresponds(SSL_CTX_set_prefer_chacha20)]
-    pub fn set_prefer_chacha20(&mut self, enable: bool) {
-        unsafe { ffi::SSL_CTX_set_preserve_tls13_cipher_list(self.as_ptr(), enable as _) }
-    }
-
     /// Sets the indices of the extensions to be permuted.
     #[corresponds(SSL_CTX_set_extension_order)]
     pub fn set_extension_permutation(