Remove ossl111 feature gate

openssl-sys/build.rs

@@ -194,7 +194,6 @@ fn main() {
     cfgs.push("ossl110");
     cfgs.push("ossl110f");
     cfgs.push("ossl110g");
-    cfgs.push("ossl111");
 
     for cfg in cfgs {
         println!("cargo:rustc-cfg={}", cfg);

openssl-sys/src/evp.rs

@@ -7,13 +7,9 @@ pub const EVP_PKEY_RSA: c_int = NID_rsaEncryption;
 pub const EVP_PKEY_DSA: c_int = NID_dsa;
 pub const EVP_PKEY_DH: c_int = NID_dhKeyAgreement;
 pub const EVP_PKEY_EC: c_int = NID_X9_62_id_ecPublicKey;
-#[cfg(ossl111)]
 pub const EVP_PKEY_X25519: c_int = NID_X25519;
-#[cfg(ossl111)]
 pub const EVP_PKEY_ED25519: c_int = NID_ED25519;
-#[cfg(ossl111)]
 pub const EVP_PKEY_X448: c_int = NID_X448;
-#[cfg(ossl111)]
 pub const EVP_PKEY_ED448: c_int = NID_ED448;
 
 pub const EVP_CTRL_GCM_SET_IVLEN: c_int = 0x9;
@@ -54,7 +50,6 @@ extern "C" {
     pub fn EVP_DigestFinal_ex(ctx: *mut EVP_MD_CTX, res: *mut u8, n: *mut u32) -> c_int;
     pub fn EVP_DigestInit(ctx: *mut EVP_MD_CTX, typ: *const EVP_MD) -> c_int;
     pub fn EVP_DigestFinal(ctx: *mut EVP_MD_CTX, res: *mut u8, n: *mut u32) -> c_int;
-    #[cfg(ossl111)]
     pub fn EVP_DigestFinalXOF(ctx: *mut EVP_MD_CTX, res: *mut u8, len: usize) -> c_int;
 
     pub fn EVP_BytesToKey(
@@ -155,27 +150,24 @@ extern "C" {
     pub fn EVP_PKEY_size(pkey: *const EVP_PKEY) -> c_int;
 }
 
-cfg_if! {
+extern "C" {
-    if #[cfg(ossl111)] {
+    pub fn EVP_DigestSign(
-        extern "C" {
+        ctx: *mut EVP_MD_CTX,
-            pub fn EVP_DigestSign(
+        sigret: *mut c_uchar,
-                ctx: *mut EVP_MD_CTX,
+        siglen: *mut size_t,
-                sigret: *mut c_uchar,
+        tbs: *const c_uchar,
-                siglen: *mut size_t,
+        tbslen: size_t,
-                tbs: *const c_uchar,
+    ) -> c_int;
-                tbslen: size_t
-            ) -> c_int;
 
-            pub fn EVP_DigestVerify(
+    pub fn EVP_DigestVerify(
-                ctx: *mut EVP_MD_CTX,
+        ctx: *mut EVP_MD_CTX,
-                sigret: *const c_uchar,
+        sigret: *const c_uchar,
-                siglen: size_t,
+        siglen: size_t,
-                tbs: *const c_uchar,
+        tbs: *const c_uchar,
-                tbslen: size_t
+        tbslen: size_t,
-            ) -> c_int;
+    ) -> c_int;
-        }
-    }
 }
+
 cfg_if! {
     if #[cfg(any(ossl102, libressl280))] {
         extern "C" {
@@ -348,33 +340,29 @@ extern "C" {
     pub fn EVP_PKCS82PKEY(p8: *mut PKCS8_PRIV_KEY_INFO) -> *mut EVP_PKEY;
 }
 
-cfg_if! {
+extern "C" {
-    if #[cfg(any(ossl111))] {
+    pub fn EVP_PKEY_get_raw_public_key(
-        extern "C" {
+        pkey: *const EVP_PKEY,
-            pub fn EVP_PKEY_get_raw_public_key(
+        ppub: *mut c_uchar,
-                pkey: *const EVP_PKEY,
+        len: *mut size_t,
-                ppub: *mut c_uchar,
+    ) -> c_int;
-                len: *mut size_t,
+    pub fn EVP_PKEY_new_raw_public_key(
-            ) -> c_int;
+        ttype: c_int,
-            pub fn EVP_PKEY_new_raw_public_key(
+        e: *mut ENGINE,
-                ttype: c_int,
+        key: *const c_uchar,
-                e: *mut ENGINE,
+        keylen: size_t,
-                key: *const c_uchar,
+    ) -> *mut EVP_PKEY;
-                keylen: size_t,
+    pub fn EVP_PKEY_get_raw_private_key(
-            ) -> *mut EVP_PKEY;
+        pkey: *const EVP_PKEY,
-            pub fn EVP_PKEY_get_raw_private_key(
+        ppriv: *mut c_uchar,
-                pkey: *const EVP_PKEY,
+        len: *mut size_t,
-                ppriv: *mut c_uchar,
+    ) -> c_int;
-                len: *mut size_t,
+    pub fn EVP_PKEY_new_raw_private_key(
-            ) -> c_int;
+        ttype: c_int,
-            pub fn EVP_PKEY_new_raw_private_key(
+        e: *mut ENGINE,
-                ttype: c_int,
+        key: *const c_uchar,
-                e: *mut ENGINE,
+        keylen: size_t,
-                key: *const c_uchar,
+    ) -> *mut EVP_PKEY;
-                keylen: size_t,
-            ) -> *mut EVP_PKEY;
-        }
-    }
 }
 
 extern "C" {

openssl-sys/src/lib.rs

@@ -95,10 +95,7 @@ pub fn init() {
     // explicitly initialize to work around https://github.com/openssl/openssl/issues/3505
     static INIT: Once = Once::new();
 
-    #[cfg(not(ossl111b))]
     let init_options = OPENSSL_INIT_LOAD_SSL_STRINGS;
-    #[cfg(ossl111b)]
-    let init_options = OPENSSL_INIT_LOAD_SSL_STRINGS | OPENSSL_INIT_NO_ATEXIT;
 
     INIT.call_once(|| unsafe {
         OPENSSL_init_ssl(init_options, ptr::null_mut());

openssl-sys/src/obj_mac.rs

@@ -910,11 +910,7 @@ pub const NID_rc4_hmac_md5: c_int = 915;
 pub const NID_aes_128_cbc_hmac_sha1: c_int = 916;
 pub const NID_aes_192_cbc_hmac_sha1: c_int = 917;
 pub const NID_aes_256_cbc_hmac_sha1: c_int = 918;
-#[cfg(ossl111)]
 pub const NID_X25519: c_int = 1034;
-#[cfg(ossl111)]
 pub const NID_X448: c_int = 1035;
-#[cfg(ossl111)]
 pub const NID_ED25519: c_int = 1087;
-#[cfg(ossl111)]
 pub const NID_ED448: c_int = 1088;

openssl-sys/src/rand.rs

@@ -2,9 +2,5 @@ use libc::*;
 
 extern "C" {
     pub fn RAND_bytes(buf: *mut u8, num: size_t) -> c_int;
-
-    #[cfg(ossl111)]
-    pub fn RAND_keep_random_devices_open(keep: c_int);
-
     pub fn RAND_status() -> c_int;
 }

openssl-sys/src/ssl.rs

@@ -105,85 +105,6 @@ pub struct SRTP_PROTECTION_PROFILE {
 
 stack!(stack_st_SRTP_PROTECTION_PROFILE);
 
-#[cfg(ossl111)]
-pub const SSL_EXT_TLS_ONLY: c_uint = 0x0001;
-/* This extension is only allowed in DTLS */
-#[cfg(ossl111)]
-pub const SSL_EXT_DTLS_ONLY: c_uint = 0x0002;
-/* Some extensions may be allowed in DTLS but we don't implement them for it */
-#[cfg(ossl111)]
-pub const SSL_EXT_TLS_IMPLEMENTATION_ONLY: c_uint = 0x0004;
-/* Most extensions are not defined for SSLv3 but EXT_TYPE_renegotiate is */
-#[cfg(ossl111)]
-pub const SSL_EXT_SSL3_ALLOWED: c_uint = 0x0008;
-/* Extension is only defined for TLS1.2 and below */
-#[cfg(ossl111)]
-pub const SSL_EXT_TLS1_2_AND_BELOW_ONLY: c_uint = 0x0010;
-/* Extension is only defined for TLS1.3 and above */
-#[cfg(ossl111)]
-pub const SSL_EXT_TLS1_3_ONLY: c_uint = 0x0020;
-/* Ignore this extension during parsing if we are resuming */
-#[cfg(ossl111)]
-pub const SSL_EXT_IGNORE_ON_RESUMPTION: c_uint = 0x0040;
-#[cfg(ossl111)]
-pub const SSL_EXT_CLIENT_HELLO: c_uint = 0x0080;
-/* Really means TLS1.2 or below */
-#[cfg(ossl111)]
-pub const SSL_EXT_TLS1_2_SERVER_HELLO: c_uint = 0x0100;
-#[cfg(ossl111)]
-pub const SSL_EXT_TLS1_3_SERVER_HELLO: c_uint = 0x0200;
-#[cfg(ossl111)]
-pub const SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS: c_uint = 0x0400;
-#[cfg(ossl111)]
-pub const SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST: c_uint = 0x0800;
-#[cfg(ossl111)]
-pub const SSL_EXT_TLS1_3_CERTIFICATE: c_uint = 0x1000;
-#[cfg(ossl111)]
-pub const SSL_EXT_TLS1_3_NEW_SESSION_TICKET: c_uint = 0x2000;
-#[cfg(ossl111)]
-pub const SSL_EXT_TLS1_3_CERTIFICATE_REQUEST: c_uint = 0x4000;
-
-#[cfg(ossl111)]
-pub type SSL_custom_ext_add_cb_ex = Option<
-    unsafe extern "C" fn(
-        ssl: *mut ::SSL,
-        ext_type: c_uint,
-        context: c_uint,
-        out: *mut *const c_uchar,
-        outlen: *mut size_t,
-        x: *mut ::X509,
-        chainidx: size_t,
-        al: *mut c_int,
-        add_arg: *mut c_void,
-    ) -> c_int,
->;
-
-#[cfg(ossl111)]
-pub type SSL_custom_ext_free_cb_ex = Option<
-    unsafe extern "C" fn(
-        ssl: *mut ::SSL,
-        ext_type: c_uint,
-        context: c_uint,
-        out: *mut *const c_uchar,
-        add_arg: *mut c_void,
-    ),
->;
-
-#[cfg(ossl111)]
-pub type SSL_custom_ext_parse_cb_ex = Option<
-    unsafe extern "C" fn(
-        ssl: *mut ::SSL,
-        ext_type: c_uint,
-        context: c_uint,
-        input: *const c_uchar,
-        inlen: size_t,
-        x: *mut ::X509,
-        chainidx: size_t,
-        al: *mut c_int,
-        parse_arg: *mut c_void,
-    ) -> c_int,
->;
-
 pub const SSL_OP_LEGACY_SERVER_CONNECT: c_uint = 0x00000004;
 
 pub const SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS: c_uint = 0x00000800;
@@ -202,9 +123,6 @@ cfg_if! {
     }
 }
 
-#[cfg(ossl111)]
-pub const SSL_OP_ENABLE_MIDDLEBOX_COMPAT: c_uint = 0x00100000;
-
 pub const SSL_OP_CIPHER_SERVER_PREFERENCE: c_uint = 0x00400000;
 
 pub const SSL_OP_TLS_ROLLBACK_BUG: c_uint = 0x00800000;
@@ -292,9 +210,6 @@ extern "C" {
     pub fn SSL_CTX_set_mode(ctx: *mut SSL_CTX, op: c_uint) -> c_uint;
 }
 
-#[cfg(ossl111)]
-pub const SSL_COOKIE_LENGTH: c_int = 4096;
-
 extern "C" {
     pub fn SSL_CTX_get_options(ctx: *const SSL_CTX) -> c_uint;
     pub fn SSL_CTX_set_options(ctx: *mut SSL_CTX, op: c_uint) -> c_uint;
@@ -348,18 +263,6 @@ cfg_if! {
 }
 
 extern "C" {
-    #[cfg(ossl111)]
-    pub fn SSL_CTX_set_stateless_cookie_verify_cb(
-        s: *mut SSL_CTX,
-        cb: Option<
-            unsafe extern "C" fn(
-                ssl: *mut SSL,
-                cookie: *const c_uchar,
-                cookie_len: size_t,
-            ) -> c_int,
-        >,
-    );
-
     pub fn SSL_CTX_set_next_protos_advertised_cb(
         ssl: *mut SSL_CTX,
         cb: extern "C" fn(
@@ -448,23 +351,8 @@ extern "C" {
     );
 }
 
-#[cfg(ossl111)]
-pub type SSL_CTX_keylog_cb_func =
-    Option<unsafe extern "C" fn(ssl: *const SSL, line: *const c_char)>;
-
 extern "C" {
-    #[cfg(ossl111)]
+    pub fn SSL_CTX_set_keylog_callback(ctx: *mut SSL_CTX, cb:  Option<unsafe extern "C" fn(ssl: *const SSL, line: *const c_char)>);
-    pub fn SSL_CTX_set_keylog_callback(ctx: *mut SSL_CTX, cb: SSL_CTX_keylog_cb_func);
-
-    #[cfg(ossl111)]
-    pub fn SSL_CTX_set_max_early_data(ctx: *mut SSL_CTX, max_early_data: u32) -> c_int;
-    #[cfg(ossl111)]
-    pub fn SSL_CTX_get_max_early_data(ctx: *const SSL_CTX) -> u32;
-    #[cfg(ossl111)]
-    pub fn SSL_set_max_early_data(ctx: *mut SSL, max_early_data: u32) -> c_int;
-    #[cfg(ossl111)]
-    pub fn SSL_get_max_early_data(ctx: *const SSL) -> u32;
-
     pub fn SSL_get_finished(s: *const SSL, buf: *mut c_void, count: size_t) -> size_t;
     pub fn SSL_get_peer_finished(s: *const SSL, buf: *mut c_void, count: size_t) -> size_t;
 
@@ -488,8 +376,6 @@ pub const SSL_ERROR_WANT_READ: c_int = 2;
 pub const SSL_ERROR_WANT_WRITE: c_int = 3;
 pub const SSL_ERROR_WANT_X509_LOOKUP: c_int = 4;
 pub const SSL_ERROR_ZERO_RETURN: c_int = 6;
-#[cfg(ossl111)]
-pub const SSL_ERROR_WANT_CLIENT_HELLO_CB: c_int = 11;
 pub const SSL_VERIFY_NONE: c_int = 0;
 pub const SSL_VERIFY_PEER: c_int = 1;
 pub const SSL_VERIFY_FAIL_IF_NO_PEER_CERT: c_int = 2;
@@ -499,8 +385,6 @@ pub const SSL_CTRL_GET_SESSION_REUSED: c_int = 8;
 pub const SSL_CTRL_OPTIONS: c_int = 32;
 #[cfg(any(libressl, all(ossl101, not(ossl110))))]
 pub const SSL_CTRL_CLEAR_OPTIONS: c_int = 77;
-#[cfg(ossl111)]
-pub const SSL_CTRL_SET_GROUPS_LIST: c_int = 92;
 #[cfg(any(libressl, all(ossl102, not(ossl110))))]
 pub const SSL_CTRL_SET_ECDH_AUTO: c_int = 94;
 
@@ -546,18 +430,13 @@ cfg_if! {
     }
 }
 extern "C" {
-    #[cfg(ossl111)]
-    pub fn SSL_CIPHER_get_handshake_digest(cipher: *const ::SSL_CIPHER) -> *const ::EVP_MD;
     pub fn SSL_CIPHER_get_name(cipher: *const SSL_CIPHER) -> *const c_char;
-    #[cfg(ossl111)]
     pub fn SSL_CIPHER_standard_name(cipher: *const SSL_CIPHER) -> *const c_char;
 
     pub fn SSL_pending(ssl: *const SSL) -> c_int;
     pub fn SSL_set_bio(ssl: *mut SSL, rbio: *mut BIO, wbio: *mut BIO);
     pub fn SSL_get_rbio(ssl: *const SSL) -> *mut BIO;
     pub fn SSL_get_wbio(ssl: *const SSL) -> *mut BIO;
-    #[cfg(ossl111)]
-    pub fn SSL_set_ciphersuites(ssl: *mut ::SSL, str: *const c_char) -> c_int;
     pub fn SSL_set_verify(
         ssl: *mut SSL,
         mode: c_int,
@@ -593,11 +472,6 @@ extern "C" {
     #[cfg(ossl110)]
     pub fn SSL_SESSION_get_protocol_version(s: *const SSL_SESSION) -> u16;
 
-    #[cfg(ossl111)]
-    pub fn SSL_SESSION_set_max_early_data(ctx: *mut SSL_SESSION, max_early_data: u32) -> c_int;
-    #[cfg(ossl111)]
-    pub fn SSL_SESSION_get_max_early_data(ctx: *const SSL_SESSION) -> u32;
-
     pub fn SSL_SESSION_get_id(s: *const SSL_SESSION, len: *mut c_uint) -> *const c_uchar;
     #[cfg(any(ossl110, libressl273))]
     pub fn SSL_SESSION_up_ref(ses: *mut SSL_SESSION) -> c_int;
@@ -637,62 +511,15 @@ extern "C" {
     pub fn SSL_get0_param(ssl: *mut SSL) -> *mut X509_VERIFY_PARAM;
 }
 
-#[cfg(ossl111)]
-pub const SSL_CLIENT_HELLO_SUCCESS: c_int = 1;
-#[cfg(ossl111)]
-pub const SSL_CLIENT_HELLO_ERROR: c_int = 0;
-#[cfg(ossl111)]
-pub const SSL_CLIENT_HELLO_RETRY: c_int = -1;
-
-#[cfg(ossl111)]
-pub type SSL_client_hello_cb_fn =
-    Option<unsafe extern "C" fn(s: *mut SSL, al: *mut c_int, arg: *mut c_void) -> c_int>;
 extern "C" {
-    #[cfg(ossl111)]
-    pub fn SSL_client_hello_get1_extensions_present(
-        s: *mut SSL,
-        out: *mut *mut c_int,
-        outlen: *mut size_t,
-    ) -> c_int;
-    #[cfg(ossl111)]
-    pub fn SSL_client_hello_get0_ext(
-        s: *mut SSL,
-        type_: c_uint,
-        out: *mut *const c_uchar,
-        outlen: *mut size_t,
-    ) -> c_int;
-
     pub fn SSL_free(ssl: *mut SSL);
     pub fn SSL_accept(ssl: *mut SSL) -> c_int;
-    #[cfg(ossl111)]
-    pub fn SSL_stateless(s: *mut SSL) -> c_int;
     pub fn SSL_connect(ssl: *mut SSL) -> c_int;
     pub fn SSL_read(ssl: *mut SSL, buf: *mut c_void, num: c_int) -> c_int;
-    #[cfg(ossl111)]
-    pub fn SSL_read_early_data(
-        s: *mut ::SSL,
-        buf: *mut c_void,
-        num: size_t,
-        readbytes: *mut size_t,
-    ) -> c_int;
 }
 
-#[cfg(ossl111)]
-pub const SSL_READ_EARLY_DATA_ERROR: c_int = 0;
-#[cfg(ossl111)]
-pub const SSL_READ_EARLY_DATA_SUCCESS: c_int = 1;
-#[cfg(ossl111)]
-pub const SSL_READ_EARLY_DATA_FINISH: c_int = 2;
-
 extern "C" {
     pub fn SSL_write(ssl: *mut SSL, buf: *const c_void, num: c_int) -> c_int;
-    #[cfg(ossl111)]
-    pub fn SSL_write_early_data(
-        s: *mut SSL,
-        buf: *const c_void,
-        num: size_t,
-        written: *mut size_t,
-    ) -> c_int;
 }
 
 cfg_if! {
@@ -868,10 +695,6 @@ extern "C" {
 
 cfg_if! {
     if #[cfg(osslconf = "OPENSSL_NO_COMP")] {
-    } else if #[cfg(ossl111b)] {
-        extern "C" {
-            pub fn SSL_get_current_compression(ssl: *const SSL) -> *const COMP_METHOD;
-        }
     } else {
         extern "C" {
             pub fn SSL_get_current_compression(ssl: *mut SSL) -> *const COMP_METHOD;
@@ -911,8 +734,6 @@ cfg_if! {
 
 #[cfg(ossl110)]
 pub const OPENSSL_INIT_LOAD_SSL_STRINGS: u64 = 0x00200000;
-#[cfg(ossl111b)]
-pub const OPENSSL_INIT_NO_ATEXIT: u64 = 0x00080000;
 
 extern "C" {
     #[cfg(ossl110)]

openssl-sys/src/tls1.rs

@@ -29,17 +29,6 @@ extern "C" {
         use_context: c_int,
     ) -> c_int;
 
-    #[cfg(ossl111)]
-    pub fn SSL_export_keying_material_early(
-        s: *mut ::SSL,
-        out: *mut c_uchar,
-        olen: size_t,
-        label: *const c_char,
-        llen: size_t,
-        context: *const c_uchar,
-        contextlen: size_t,
-    ) -> c_int;
-
     pub fn SSL_set_tlsext_host_name(s: *mut SSL, name: *const c_char) -> c_int;
     pub fn SSL_set_tlsext_status_type(s: *mut SSL, type_: c_int) -> c_int;
     pub fn SSL_get_tlsext_status_ocsp_resp(ssl: *const SSL, resp: *mut *const c_uchar) -> size_t;

openssl/build.rs

@@ -8,7 +8,6 @@ fn main() {
     cfgs.push("ossl110");
     cfgs.push("ossl110f");
     cfgs.push("ossl110g");
-    cfgs.push("ossl111");
 
     for cfg in cfgs {
         println!("cargo:rustc-cfg={}", cfg);

openssl/src/hash.rs

@@ -218,7 +218,6 @@ impl Hasher {
 
     /// Writes the hash of the data into the supplied buf and resets the XOF hasher.
     /// The hash will be as long as the buf.
-    #[cfg(ossl111)]
     pub fn finish_xof(&mut self, buf: &mut [u8]) -> Result<(), ErrorStack> {
         if self.state == Finalized {
             self.init()?;
@@ -330,7 +329,6 @@ pub fn hash(t: MessageDigest, data: &[u8]) -> Result<DigestBytes, ErrorStack> {
 }
 
 /// Computes the hash of the `data` with the XOF hasher `t` and stores it in `buf`.
-#[cfg(ossl111)]
 pub fn hash_xof(t: MessageDigest, data: &[u8], buf: &mut [u8]) -> Result<(), ErrorStack> {
     let mut h = Hasher::new(t)?;
     h.update(data)?;

openssl/src/pkey.rs

@@ -80,14 +80,9 @@ impl Id {
     pub const DSA: Id = Id(ffi::EVP_PKEY_DSA);
     pub const DH: Id = Id(ffi::EVP_PKEY_DH);
     pub const EC: Id = Id(ffi::EVP_PKEY_EC);
-
-    #[cfg(ossl111)]
     pub const ED25519: Id = Id(ffi::EVP_PKEY_ED25519);
-    #[cfg(ossl111)]
     pub const ED448: Id = Id(ffi::EVP_PKEY_ED448);
-    #[cfg(ossl111)]
     pub const X25519: Id = Id(ffi::EVP_PKEY_X25519);
-    #[cfg(ossl111)]
     pub const X448: Id = Id(ffi::EVP_PKEY_X448);
 
     /// Creates a `Id` from an integer representation.
@@ -295,9 +290,7 @@ impl<T> fmt::Debug for PKey<T> {
             Id::DSA => "DSA",
             Id::DH => "DH",
             Id::EC => "EC",
-            #[cfg(ossl111)]
             Id::ED25519 => "Ed25519",
-            #[cfg(ossl111)]
             Id::ED448 => "Ed448",
             _ => "unknown",
         };

openssl/src/rand.rs

@@ -40,20 +40,6 @@ pub fn rand_bytes(buf: &mut [u8]) -> Result<(), ErrorStack> {
     }
 }
 
-/// Controls random device file descriptor behavior.
-///
-/// Requires OpenSSL 1.1.1 or newer.
-///
-/// This corresponds to [`RAND_keep_random_devices_open`].
-///
-/// [`RAND_keep_random_devices_open`]: https://www.openssl.org/docs/manmaster/man3/RAND_keep_random_devices_open.html
-#[cfg(ossl111)]
-pub fn keep_random_devices_open(keep: bool) {
-    unsafe {
-        ffi::RAND_keep_random_devices_open(keep as c_int);
-    }
-}
-
 #[cfg(test)]
 mod tests {
     use super::rand_bytes;

openssl/src/sign.rs

@@ -257,20 +257,6 @@ impl<'a> Signer<'a> {
         self.len_intern()
     }
 
-    #[cfg(not(ossl111))]
-    fn len_intern(&self) -> Result<usize, ErrorStack> {
-        unsafe {
-            let mut len = 0;
-            cvt(ffi::EVP_DigestSignFinal(
-                self.md_ctx,
-                ptr::null_mut(),
-                &mut len,
-            ))?;
-            Ok(len)
-        }
-    }
-
-    #[cfg(ossl111)]
     fn len_intern(&self) -> Result<usize, ErrorStack> {
         unsafe {
             let mut len = 0;
@@ -327,7 +313,6 @@ impl<'a> Signer<'a> {
     /// OpenSSL documentation at [`EVP_DigestSign`].
     ///
     /// [`EVP_DigestSign`]: https://www.openssl.org/docs/man1.1.1/man3/EVP_DigestSign.html
-    #[cfg(ossl111)]
     pub fn sign_oneshot(
         &mut self,
         sig_buf: &mut [u8],
@@ -349,7 +334,6 @@ impl<'a> Signer<'a> {
     /// Returns the signature.
     ///
     /// This is a simple convenience wrapper over `len` and `sign_oneshot`.
-    #[cfg(ossl111)]
     pub fn sign_oneshot_to_vec(&mut self, data_buf: &[u8]) -> Result<Vec<u8>, ErrorStack> {
         let mut sig_buf = vec![0; self.len()?];
         let len = self.sign_oneshot(&mut sig_buf, data_buf)?;
@@ -561,7 +545,6 @@ impl<'a> Verifier<'a> {
     /// OpenSSL documentation at [`EVP_DigestVerify`].
     ///
     /// [`EVP_DigestVerify`]: https://www.openssl.org/docs/man1.1.1/man3/EVP_DigestVerify.html
-    #[cfg(ossl111)]
     pub fn verify_oneshot(&mut self, signature: &[u8], buf: &[u8]) -> Result<bool, ErrorStack> {
         unsafe {
             let r = ffi::EVP_DigestVerify(
@@ -687,7 +670,6 @@ mod test {
     }
 
     #[test]
-    #[cfg(ossl111)]
     fn rsa_sign_verify() {
         let key = include_bytes!("../test/rsa.pem");
         let private_key = Rsa::private_key_from_pem(key).unwrap();

openssl/src/ssl/callbacks.rs

@@ -1,17 +1,12 @@
 use ffi;
 use foreign_types::ForeignType;
 use foreign_types::ForeignTypeRef;
-#[cfg(any(ossl111, not(osslconf = "OPENSSL_NO_PSK")))]
 use libc::c_char;
-#[cfg(ossl111)]
-use libc::size_t;
 use libc::{c_int, c_uchar, c_uint, c_void};
-#[cfg(any(ossl111, not(osslconf = "OPENSSL_NO_PSK")))]
 use std::ffi::CStr;
 use std::mem;
 use std::ptr;
 use std::slice;
-#[cfg(ossl111)]
 use std::str;
 use std::sync::Arc;
 
@@ -359,7 +354,6 @@ where
     }
 }
 
-#[cfg(ossl111)]
 pub unsafe extern "C" fn raw_keylog<F>(ssl: *const ffi::SSL, line: *const c_char)
 where
     F: Fn(&SslRef, &str) + 'static + Sync + Send,
@@ -373,22 +367,4 @@ where
     let line = str::from_utf8_unchecked(line);
 
     callback(ssl, line);
-}
-
-#[cfg(ossl111)]
-pub unsafe extern "C" fn raw_stateless_cookie_verify<F>(
-    ssl: *mut ffi::SSL,
-    cookie: *const c_uchar,
-    cookie_len: size_t,
-) -> c_int
-where
-    F: Fn(&mut SslRef, &[u8]) -> bool + 'static + Sync + Send,
-{
-    let ssl = SslRef::from_ptr_mut(ssl);
-    let callback = ssl
-        .ssl_context()
-        .ex_data(SslContext::cached_ex_index::<F>())
-        .expect("BUG: stateless cookie verify callback missing") as *const F;
-    let slice = slice::from_raw_parts(cookie as *const c_uchar as *const u8, cookie_len as usize);
-    (*callback)(ssl, slice) as c_int
 }

openssl/src/ssl/connector.rs

@@ -241,7 +241,6 @@ impl SslAcceptor {
     pub fn mozilla_intermediate(method: SslMethod) -> Result<SslAcceptorBuilder, ErrorStack> {
         let mut ctx = ctx(method)?;
         ctx.set_options(SslOptions::CIPHER_SERVER_PREFERENCE);
-        #[cfg(ossl111)]
         ctx.set_options(SslOptions::NO_TLSV1_3);
         let dh = Dh::params_from_pem(FFDHE_2048.as_bytes())?;
         ctx.set_tmp_dh(&dh)?;
@@ -271,7 +270,6 @@ impl SslAcceptor {
         ctx.set_options(
             SslOptions::CIPHER_SERVER_PREFERENCE | SslOptions::NO_TLSV1 | SslOptions::NO_TLSV1_1,
         );
-        #[cfg(ossl111)]
         ctx.set_options(SslOptions::NO_TLSV1_3);
         setup_curves(&mut ctx)?;
         ctx.set_cipher_list(

openssl/src/ssl/error.rs

@@ -33,12 +33,6 @@ impl ErrorCode {
     /// An error occurred in the SSL library.
     pub const SSL: ErrorCode = ErrorCode(ffi::SSL_ERROR_SSL);
 
-    /// The client hello callback indicated that it needed to be retried.
-    ///
-    /// Requires OpenSSL 1.1.1 or newer.
-    #[cfg(ossl111)]
-    pub const WANT_CLIENT_HELLO_CB: ErrorCode = ErrorCode(ffi::SSL_ERROR_WANT_CLIENT_HELLO_CB);
-
     pub fn from_raw(raw: c_int) -> ErrorCode {
         ErrorCode(raw)
     }

openssl/src/ssl/mod.rs

@@ -84,8 +84,6 @@ use ec::EcKey;
 use ec::EcKeyRef;
 use error::ErrorStack;
 use ex_data::Index;
-#[cfg(ossl111)]
-use hash::MessageDigest;
 #[cfg(ossl110)]
 use nid::Nid;
 use pkey::{HasPrivate, PKeyRef, Params, Private};
@@ -196,13 +194,6 @@ bitflags! {
         /// Requires OpenSSL 1.1.0h or newer.
         #[cfg(ossl110h)]
         const NO_RENEGOTIATION = ffi::SSL_OP_NO_RENEGOTIATION;
-
-        /// Enable TLSv1.3 Compatibility mode.
-        ///
-        /// Requires OpenSSL 1.1.1 or newer. This is on by default in 1.1.1, but a future version
-        /// may have this disabled by default.
-        #[cfg(ossl111)]
-        const ENABLE_MIDDLEBOX_COMPAT = ffi::SSL_OP_ENABLE_MIDDLEBOX_COMPAT;
     }
 }
 
@@ -369,36 +360,6 @@ bitflags! {
     }
 }
 
-#[cfg(ossl111)]
-bitflags! {
-    /// Which messages and under which conditions an extension should be added or expected.
-    pub struct ExtensionContext: c_uint {
-        /// This extension is only allowed in TLS
-        const TLS_ONLY = ffi::SSL_EXT_TLS_ONLY;
-        /// This extension is only allowed in DTLS
-        const DTLS_ONLY = ffi::SSL_EXT_DTLS_ONLY;
-        /// Some extensions may be allowed in DTLS but we don't implement them for it
-        const TLS_IMPLEMENTATION_ONLY = ffi::SSL_EXT_TLS_IMPLEMENTATION_ONLY;
-        /// Most extensions are not defined for SSLv3 but EXT_TYPE_renegotiate is
-        const SSL3_ALLOWED = ffi::SSL_EXT_SSL3_ALLOWED;
-        /// Extension is only defined for TLS1.2 and below
-        const TLS1_2_AND_BELOW_ONLY = ffi::SSL_EXT_TLS1_2_AND_BELOW_ONLY;
-        /// Extension is only defined for TLS1.3 and above
-        const TLS1_3_ONLY = ffi::SSL_EXT_TLS1_3_ONLY;
-        /// Ignore this extension during parsing if we are resuming
-        const IGNORE_ON_RESUMPTION = ffi::SSL_EXT_IGNORE_ON_RESUMPTION;
-        const CLIENT_HELLO = ffi::SSL_EXT_CLIENT_HELLO;
-        /// Really means TLS1.2 or below
-        const TLS1_2_SERVER_HELLO = ffi::SSL_EXT_TLS1_2_SERVER_HELLO;
-        const TLS1_3_SERVER_HELLO = ffi::SSL_EXT_TLS1_3_SERVER_HELLO;
-        const TLS1_3_ENCRYPTED_EXTENSIONS = ffi::SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
-        const TLS1_3_HELLO_RETRY_REQUEST = ffi::SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST;
-        const TLS1_3_CERTIFICATE = ffi::SSL_EXT_TLS1_3_CERTIFICATE;
-        const TLS1_3_NEW_SESSION_TICKET = ffi::SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
-        const TLS1_3_CERTIFICATE_REQUEST = ffi::SSL_EXT_TLS1_3_CERTIFICATE_REQUEST;
-    }
-}
-
 /// An identifier of the format of a certificate or key file.
 #[derive(Copy, Clone)]
 pub struct SslFiletype(c_int);
@@ -529,22 +490,6 @@ impl AlpnError {
     pub const NOACK: AlpnError = AlpnError(ffi::SSL_TLSEXT_ERR_NOACK);
 }
 
-/// The result of a client hello callback.
-///
-/// Requires OpenSSL 1.1.1 or newer.
-#[cfg(ossl111)]
-#[derive(Debug, Copy, Clone, PartialEq, Eq)]
-pub struct ClientHelloResponse(c_int);
-
-#[cfg(ossl111)]
-impl ClientHelloResponse {
-    /// Continue the handshake.
-    pub const SUCCESS: ClientHelloResponse = ClientHelloResponse(ffi::SSL_CLIENT_HELLO_SUCCESS);
-
-    /// Return from the handshake with an `ErrorCode::WANT_CLIENT_HELLO_CB` error.
-    pub const RETRY: ClientHelloResponse = ClientHelloResponse(ffi::SSL_CLIENT_HELLO_RETRY);
-}
-
 /// An SSL/TLS protocol version.
 #[derive(Debug, Copy, Clone, PartialEq, Eq)]
 pub struct SslVersion(u16);
@@ -563,9 +508,6 @@ impl SslVersion {
     pub const TLS1_2: SslVersion = SslVersion(ffi::TLS1_2_VERSION);
 
     /// TLSv1.3
-    ///
-    /// Requires OpenSSL 1.1.1 or newer.
-    #[cfg(ossl111)]
     pub const TLS1_3: SslVersion = SslVersion(ffi::TLS1_3_VERSION);
 }
 
@@ -1419,7 +1361,6 @@ impl SslContextBuilder {
     /// This corresponds to [`SSL_CTX_set_keylog_callback`].
     ///
     /// [`SSL_CTX_set_keylog_callback`]: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_keylog_callback.html
-    #[cfg(ossl111)]
     pub fn set_keylog_callback<F>(&mut self, callback: F)
     where
         F: Fn(&SslRef, &str) + 'static + Sync + Send,
@@ -1444,30 +1385,6 @@ impl SslContextBuilder {
         }
     }
 
-    /// Sets the callback for verifying an application cookie for TLS1.3
-    /// stateless handshakes.
-    ///
-    /// The callback will be called with the SSL context and the cookie supplied by the
-    /// client. It should return true if and only if the cookie is valid.
-    ///
-    /// Note that the OpenSSL implementation independently verifies the integrity of
-    /// application cookies using an HMAC before invoking the supplied callback.
-    ///
-    /// This corresponds to `SSL_CTX_set_stateless_cookie_verify_cb`.
-    #[cfg(ossl111)]
-    pub fn set_stateless_cookie_verify_cb<F>(&mut self, callback: F)
-    where
-        F: Fn(&mut SslRef, &[u8]) -> bool + 'static + Sync + Send,
-    {
-        unsafe {
-            self.set_ex_data(SslContext::cached_ex_index::<F>(), callback);
-            ffi::SSL_CTX_set_stateless_cookie_verify_cb(
-                self.as_ptr(),
-                Some(raw_stateless_cookie_verify::<F>),
-            )
-        }
-    }
-
     /// Sets the extra data at the specified index.
     ///
     /// This can be used to provide data to callbacks registered with the context. Use the
@@ -1488,24 +1405,6 @@ impl SslContextBuilder {
         }
     }
 
-    /// Sets the maximum amount of early data that will be accepted on incoming connections.
-    ///
-    /// Defaults to 0.
-    ///
-    /// Requires OpenSSL 1.1.1 or newer.
-    ///
-    /// This corresponds to [`SSL_CTX_set_max_early_data`].
-    ///
-    /// [`SSL_CTX_set_max_early_data`]: https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_max_early_data.html
-    #[cfg(ossl111)]
-    pub fn set_max_early_data(&mut self, bytes: u32) -> Result<(), ErrorStack> {
-        if unsafe { ffi::SSL_CTX_set_max_early_data(self.as_ptr(), bytes) } == 1 {
-            Ok(())
-        } else {
-            Err(ErrorStack::get())
-        }
-    }
-
     /// Sets the context's session cache size limit, returning the previous limit.
     ///
     /// A value of 0 means that the cache size is unbounded.
@@ -1689,18 +1588,6 @@ impl SslContextRef {
         }
     }
 
-    /// Gets the maximum amount of early data that will be accepted on incoming connections.
-    ///
-    /// Requires OpenSSL 1.1.1 or newer.
-    ///
-    /// This corresponds to [`SSL_CTX_get_max_early_data`].
-    ///
-    /// [`SSL_CTX_get_max_early_data`]: https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_get_max_early_data.html
-    #[cfg(ossl111)]
-    pub fn max_early_data(&self) -> u32 {
-        unsafe { ffi::SSL_CTX_get_max_early_data(self.as_ptr()) }
-    }
-
     /// Adds a session to the context's cache.
     ///
     /// Returns `true` if the session was successfully added to the cache, and `false` if it was already present.
@@ -1827,7 +1714,6 @@ impl SslCipherRef {
     /// This corresponds to [`SSL_CIPHER_standard_name`].
     ///
     /// [`SSL_CIPHER_standard_name`]: https://www.openssl.org/docs/manmaster/man3/SSL_CIPHER_get_name.html
-    #[cfg(ossl111)]
     pub fn standard_name(&self) -> Option<&'static str> {
         unsafe {
             let ptr = ffi::SSL_CIPHER_standard_name(self.as_ptr());
@@ -1884,25 +1770,6 @@ impl SslCipherRef {
         }
     }
 
-    /// Returns the handshake digest of the cipher.
-    ///
-    /// Requires OpenSSL 1.1.1 or newer.
-    ///
-    /// This corresponds to [`SSL_CIPHER_get_handshake_digest`].
-    ///
-    /// [`SSL_CIPHER_get_handshake_digest`]: https://www.openssl.org/docs/man1.1.1/man3/SSL_CIPHER_get_handshake_digest.html
-    #[cfg(ossl111)]
-    pub fn handshake_digest(&self) -> Option<MessageDigest> {
-        unsafe {
-            let ptr = ffi::SSL_CIPHER_get_handshake_digest(self.as_ptr());
-            if ptr.is_null() {
-                None
-            } else {
-                Some(MessageDigest::from_ptr(ptr))
-            }
-        }
-    }
-
     /// Returns the NID corresponding to the cipher.
     ///
     /// Requires OpenSSL 1.1.0 or newer.
@@ -2001,18 +1868,6 @@ impl SslSessionRef {
         unsafe { SSL_SESSION_get_master_key(self.as_ptr(), buf.as_mut_ptr(), buf.len()) }
     }
 
-    /// Gets the maximum amount of early data that can be sent on this session.
-    ///
-    /// Requires OpenSSL 1.1.1 or newer.
-    ///
-    /// This corresponds to [`SSL_SESSION_get_max_early_data`].
-    ///
-    /// [`SSL_SESSION_get_max_early_data`]: https://www.openssl.org/docs/man1.1.1/man3/SSL_SESSION_get_max_early_data.html
-    #[cfg(ossl111)]
-    pub fn max_early_data(&self) -> u32 {
-        unsafe { ffi::SSL_SESSION_get_max_early_data(self.as_ptr()) }
-    }
-
     /// Returns the time at which the session was established, in seconds since the Unix epoch.
     ///
     /// This corresponds to [`SSL_SESSION_get_time`].
@@ -2735,37 +2590,6 @@ impl SslRef {
         }
     }
 
-    /// Derives keying material for application use in accordance to RFC 5705.
-    ///
-    /// This function is only usable with TLSv1.3, wherein there is no distinction between an empty context and no
-    /// context. Therefore, unlike `export_keying_material`, `context` must always be supplied.
-    ///
-    /// Requires OpenSSL 1.1.1 or newer.
-    ///
-    /// This corresponds to [`SSL_export_keying_material_early`].
-    ///
-    /// [`SSL_export_keying_material_early`]: https://www.openssl.org/docs/manmaster/man3/SSL_export_keying_material_early.html
-    #[cfg(ossl111)]
-    pub fn export_keying_material_early(
-        &self,
-        out: &mut [u8],
-        label: &str,
-        context: &[u8],
-    ) -> Result<(), ErrorStack> {
-        unsafe {
-            cvt(ffi::SSL_export_keying_material_early(
-                self.as_ptr(),
-                out.as_mut_ptr() as *mut c_uchar,
-                out.len(),
-                label.as_ptr() as *const c_char,
-                label.len(),
-                context.as_ptr() as *const c_uchar,
-                context.len(),
-            ))
-            .map(|_| ())
-        }
-    }
-
     /// Sets the session to be used.
     ///
     /// This should be called before the handshake to attempt to reuse a previously established
@@ -2901,34 +2725,6 @@ impl SslRef {
         }
     }
 
-    /// Sets the maximum amount of early data that will be accepted on this connection.
-    ///
-    /// Requires OpenSSL 1.1.1 or newer.
-    ///
-    /// This corresponds to [`SSL_set_max_early_data`].
-    ///
-    /// [`SSL_set_max_early_data`]: https://www.openssl.org/docs/man1.1.1/man3/SSL_set_max_early_data.html
-    #[cfg(ossl111)]
-    pub fn set_max_early_data(&mut self, bytes: u32) -> Result<(), ErrorStack> {
-        if unsafe { ffi::SSL_set_max_early_data(self.as_ptr(), bytes) } == 1 {
-            Ok(())
-        } else {
-            Err(ErrorStack::get())
-        }
-    }
-
-    /// Gets the maximum amount of early data that can be sent on this connection.
-    ///
-    /// Requires OpenSSL 1.1.1 or newer.
-    ///
-    /// This corresponds to [`SSL_get_max_early_data`].
-    ///
-    /// [`SSL_get_max_early_data`]: https://www.openssl.org/docs/man1.1.1/man3/SSL_get_max_early_data.html
-    #[cfg(ossl111)]
-    pub fn max_early_data(&self) -> u32 {
-        unsafe { ffi::SSL_get_max_early_data(self.as_ptr()) }
-    }
-
     /// Copies the contents of the last Finished message sent to the peer into the provided buffer.
     ///
     /// The total size of the message is returned, so this can be used to determine the size of the
@@ -3292,30 +3088,6 @@ where
         }
     }
 
-    /// Perform a stateless server-side handshake
-    ///
-    /// Requires that cookie generation and verification callbacks were
-    /// set on the SSL context.
-    ///
-    /// Returns `Ok(true)` if a complete ClientHello containing a valid cookie
-    /// was read, in which case the handshake should be continued via
-    /// `accept`. If a HelloRetryRequest containing a fresh cookie was
-    /// transmitted, `Ok(false)` is returned instead. If the handshake cannot
-    /// proceed at all, `Err` is returned.
-    ///
-    /// This corresponds to [`SSL_stateless`]
-    ///
-    /// [`SSL_stateless`]: https://www.openssl.org/docs/manmaster/man3/SSL_stateless.html
-    #[cfg(ossl111)]
-    pub fn stateless(&mut self) -> Result<bool, ErrorStack> {
-        match unsafe { ffi::SSL_stateless(self.inner.ssl.as_ptr()) } {
-            1 => Ok(true),
-            0 => Ok(false),
-            -1 => Err(ErrorStack::get()),
-            _ => unreachable!(),
-        }
-    }
-
     /// Configure as an outgoing stream from a client.
     ///
     /// This corresponds to [`SSL_set_connect_state`].
@@ -3408,66 +3180,6 @@ where
             }
         }
     }
-
-    /// Read application data transmitted by a client before handshake
-    /// completion.
-    ///
-    /// Useful for reducing latency, but vulnerable to replay attacks. Call
-    /// `set_accept_state` first.
-    ///
-    /// Returns `Ok(0)` if all early data has been read.
-    ///
-    /// Requires OpenSSL 1.1.1 or newer.
-    ///
-    /// This corresponds to [`SSL_read_early_data`].
-    ///
-    /// [`SSL_read_early_data`]: https://www.openssl.org/docs/manmaster/man3/SSL_read_early_data.html
-    #[cfg(ossl111)]
-    pub fn read_early_data(&mut self, buf: &mut [u8]) -> Result<usize, Error> {
-        let mut read = 0;
-        let ret = unsafe {
-            ffi::SSL_read_early_data(
-                self.inner.ssl.as_ptr(),
-                buf.as_ptr() as *mut c_void,
-                buf.len(),
-                &mut read,
-            )
-        };
-        match ret {
-            ffi::SSL_READ_EARLY_DATA_ERROR => Err(self.inner.make_error(ret)),
-            ffi::SSL_READ_EARLY_DATA_SUCCESS => Ok(read),
-            ffi::SSL_READ_EARLY_DATA_FINISH => Ok(0),
-            _ => unreachable!(),
-        }
-    }
-
-    /// Send data to the server without blocking on handshake completion.
-    ///
-    /// Useful for reducing latency, but vulnerable to replay attacks. Call
-    /// `set_connect_state` first.
-    ///
-    /// Requires OpenSSL 1.1.1 or newer.
-    ///
-    /// This corresponds to [`SSL_write_early_data`].
-    ///
-    /// [`SSL_write_early_data`]: https://www.openssl.org/docs/manmaster/man3/SSL_write_early_data.html
-    #[cfg(ossl111)]
-    pub fn write_early_data(&mut self, buf: &[u8]) -> Result<usize, Error> {
-        let mut written = 0;
-        let ret = unsafe {
-            ffi::SSL_write_early_data(
-                self.inner.ssl.as_ptr(),
-                buf.as_ptr() as *const c_void,
-                buf.len(),
-                &mut written,
-            )
-        };
-        if ret > 0 {
-            Ok(written as usize)
-        } else {
-            Err(self.inner.make_error(ret))
-        }
-    }
 }
 
 impl<S> SslStreamBuilder<S> {

openssl/src/ssl/test/mod.rs

@@ -23,10 +23,7 @@ use pkey::PKey;
 use srtp::SrtpProfileId;
 use ssl;
 use ssl::test::server::Server;
-#[cfg(any(ossl110, ossl111, libressl261))]
 use ssl::SslVersion;
-#[cfg(ossl111)]
-use ssl::{ClientHelloResponse, ExtensionContext};
 use ssl::{
     Error, HandshakeError, MidHandshakeSslStream, ShutdownResult, ShutdownState, Ssl, SslAcceptor,
     SslAcceptorBuilder, SslConnector, SslContext, SslContextBuilder, SslFiletype, SslMethod,
@@ -793,7 +790,6 @@ fn connector_client_server_mozilla_intermediate_v5() {
     test_mozilla_server(SslAcceptor::mozilla_intermediate_v5);
 }
 
-
 #[test]
 fn shutdown() {
     let mut server = Server::builder();
@@ -907,7 +903,6 @@ fn active_session() {
     assert_eq!(copied, len);
 }
 
-
 #[test]
 fn new_session_callback() {
     static CALLED_BACK: AtomicBool = AtomicBool::new(false);