min
/
boring2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

chore(ssl): remove deprecated code (#98)

This commit is contained in:
0x676e67 2025-10-21 13:15:12 +08:00 committed by GitHub
parent d7805d6053
commit 5ddfb2e097
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 22 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.github/workflows/ci.yml vendored
View File

@ -67,7 +67,7 @@ jobs:
- name: Run clippy - name: Run clippy
run: cargo clippy --all --all-targets run: cargo clippy --all --all-targets
- name: Check docs - name: Check docs
run: cargo doc --no-deps -p boring2 -p boring-sys2 --features pq-experimental,underscore-wildcards run: cargo doc --no-deps -p boring2 -p boring-sys2 --features underscore-wildcards
env: env:
DOCS_RS: 1 DOCS_RS: 1
test: test:
@ -300,8 +300,6 @@ jobs:
submodules: 'recursive' submodules: 'recursive'
- name: Install Rust (rustup) - name: Install Rust (rustup)
run: rustup update stable --no-self-update && rustup default stable run: rustup update stable --no-self-update && rustup default stable
- name: Run `kx-safe-default` tests
run: cargo test --features kx-safe-default
- name: Run `underscore-wildcards` tests - name: Run `underscore-wildcards` tests
run: cargo test --features underscore-wildcards run: cargo test --features underscore-wildcards

2
boring-sys/build/main.rs
View File

@ -303,7 +303,7 @@ fn get_boringssl_cmake_config(config: &Config) -> cmake::Config {
config config
.manifest_dir .manifest_dir
.join(src_path) .join(src_path)
.join("util/32-bit-toolchain.cmake") .join("src/util/32-bit-toolchain.cmake")
.as_os_str(), .as_os_str(),
); );
} }

45
boring-sys/patches/underscore-wildcards.patch
View File

@ -1,10 +1,21 @@
https://github.com/google/boringssl/compare/master...cloudflare:boringssl:underscore-wildcards https://github.com/google/boringssl/compare/master...cloudflare:boringssl:underscore-wildcards
diff --git a/crypto/x509/x509_test.cc b/crypto/x509/x509_test.cc --- a/src/crypto/x509v3/v3_utl.c
index 9699b5a75..b0e9b34a6 100644 +++ b/src/crypto/x509v3/v3_utl.c
--- a/crypto/x509/x509_test.cc @@ -790,7 +790,9 @@ static int wildcard_match(const unsigned char *prefix, size_t prefix_len,
+++ b/crypto/x509/x509_test.cc // Check that the part matched by the wildcard contains only
@@ -4420,6 +4420,31 @@ TEST(X509Test, Names) { // permitted characters and only matches a single label.
for (p = wildcard_start; p != wildcard_end; ++p) {
- if (!OPENSSL_isalnum(*p) && *p != '-') {
+ if (!OPENSSL_isalnum(*p) && *p != '-' &&
+ !(*p == '_' &&
+ (flags & X509_CHECK_FLAG_UNDERSCORE_WILDCARDS))) {
return 0;
}
}
--- a/src/crypto/x509/x509_test.cc
+++ b/src/crypto/x509/x509_test.cc
@@ -4500,6 +4500,31 @@ TEST(X509Test, Names) {
/*invalid_emails=*/{}, /*invalid_emails=*/{},
/*flags=*/0, /*flags=*/0,
}, },
@ -36,26 +47,9 @@ index 9699b5a75..b0e9b34a6 100644
}; };
size_t i = 0; size_t i = 0;
diff --git a/crypto/x509v3/v3_utl.c b/crypto/x509v3/v3_utl.c --- a/src/include/openssl/x509c3.h
index bbc82e283..e61e1901d 100644 +++ b/src/include/openssl/x509v3.h
--- a/crypto/x509v3/v3_utl.c @@ -4497,6 +4497,8 @@ OPENSSL_EXPORT int X509_PURPOSE_get_id(const X509_PURPOSE *);
+++ b/crypto/x509v3/v3_utl.c
@@ -790,7 +790,9 @@ static int wildcard_match(const unsigned char *prefix, size_t prefix_len,
// Check that the part matched by the wildcard contains only
// permitted characters and only matches a single label.
for (p = wildcard_start; p != wildcard_end; ++p) {
- if (!OPENSSL_isalnum(*p) && *p != '-') {
+ if (!OPENSSL_isalnum(*p) && *p != '-' &&
+ !(*p == '_' &&
+ (flags & X509_CHECK_FLAG_UNDERSCORE_WILDCARDS))) {
return 0;
}
}
diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h
index 2a2e02c2e..24e0604b0 100644
--- a/include/openssl/x509v3.h
+++ b/include/openssl/x509v3.h
@@ -939,6 +939,8 @@ OPENSSL_EXPORT STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x);
#define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0 #define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
// Skip the subject common name fallback if subjectAltNames is missing. // Skip the subject common name fallback if subjectAltNames is missing.
#define X509_CHECK_FLAG_NEVER_CHECK_SUBJECT 0x20 #define X509_CHECK_FLAG_NEVER_CHECK_SUBJECT 0x20
@ -64,3 +58,4 @@ index 2a2e02c2e..24e0604b0 100644
OPENSSL_EXPORT int X509_check_host(X509 *x, const char *chk, size_t chklen, OPENSSL_EXPORT int X509_check_host(X509 *x, const char *chk, size_t chklen,
unsigned int flags, char **peername); unsigned int flags, char **peername);
--

12
boring/src/ssl/mod.rs
View File

@ -1913,18 +1913,6 @@ impl SslContextBuilder {
unsafe { ffi::SSL_CTX_set_preserve_tls13_cipher_list(self.as_ptr(), enable as _) } unsafe { ffi::SSL_CTX_set_preserve_tls13_cipher_list(self.as_ptr(), enable as _) }
} }
/// Sets whether the ChaCha20 preference should be enabled.
///
/// Controls the priority of TLS 1.3 cipher suites. When set to `true`, the client prefers:
/// AES_128_GCM, CHACHA20_POLY1305, then AES_256_GCM. Useful in environments with specific
/// encryption requirements.
#[deprecated(note = "use `set_preserve_tls13_cipher_list` instead")]
#[cfg(not(feature = "fips"))]
#[corresponds(SSL_CTX_set_prefer_chacha20)]
pub fn set_prefer_chacha20(&mut self, enable: bool) {
unsafe { ffi::SSL_CTX_set_preserve_tls13_cipher_list(self.as_ptr(), enable as _) }
}
/// Sets the indices of the extensions to be permuted. /// Sets the indices of the extensions to be permuted.
#[corresponds(SSL_CTX_set_extension_order)] #[corresponds(SSL_CTX_set_extension_order)]
pub fn set_extension_permutation( pub fn set_extension_permutation(