feat: Removal of rpk support

Author: 0x676e67

boring-sys/Cargo.toml

@@ -61,9 +61,6 @@ fips = []
 # Link with precompiled FIPS-validated `bcm.o` module.
 fips-link-precompiled = []
 
-# Enables Raw public key API (https://datatracker.ietf.org/doc/html/rfc7250)
-rpk = []
-
 # Applies a patch (`patches/boring-pq.patch`) to the boringSSL source code that
 # enables support for PQ key exchange. This feature is necessary in order to
 # compile the bindings for the default branch of boringSSL (`deps/boringssl`).

boring/Cargo.toml

@@ -30,13 +30,6 @@ fips-compat = []
 # Link with precompiled FIPS-validated `bcm.o` module.
 fips-link-precompiled = ["boring-sys/fips-link-precompiled"]
 
-# Enables Raw public key API (https://datatracker.ietf.org/doc/html/rfc7250)
-# This feature is necessary in order to compile the bindings for the
-# default branch of boringSSL. Alternatively, a version of boringSSL that
-# implements the same feature set can be provided by setting
-# `BORING_BSSL{,_FIPS}_SOURCE_PATH` and `BORING_BSSL{,_FIPS}_ASSUME_PATCHED`.
-rpk = ["boring-sys/rpk"]
-
 # Applies a patch to the boringSSL source code that enables support for PQ key
 # exchange. This feature is necessary in order to compile the bindings for the
 # default branch of boringSSL. Alternatively, a version of boringSSL that

boring/src/lib.rs

@@ -63,11 +63,6 @@
 //!
 //! # Optional patches
 //!
-//! ## Raw Public Key
-//!
-//! The crate can be compiled with [RawPublicKey](https://datatracker.ietf.org/doc/html/rfc7250)
-//! support by turning on `rpk` compilation feature.
-//!
 //! ## Experimental post-quantum cryptography
 //!
 //! The crate can be compiled with [post-quantum cryptography](https://blog.cloudflare.com/post-quantum-for-all/)

boring/src/ssl/connector.rs

@@ -24,17 +24,13 @@ ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
 ";
 
 enum ContextType {
-    WithMethod(SslMethod),
-    #[cfg(feature = "rpk")]
-    Rpk,
+    WithMethod(SslMethod)
 }
 
 #[allow(clippy::inconsistent_digit_grouping)]
 fn ctx(ty: ContextType) -> Result<SslContextBuilder, ErrorStack> {
     let mut ctx = match ty {
-        ContextType::WithMethod(method) => SslContextBuilder::new(method),
-        #[cfg(feature = "rpk")]
-        ContextType::Rpk => SslContextBuilder::new_rpk(),
+        ContextType::WithMethod(method) => SslContextBuilder::new(method)
     }?;
 
     let mut opts = SslOptions::ALL
@@ -99,17 +95,6 @@ impl SslConnector {
         Ok(SslConnectorBuilder(ctx))
     }
 
-    /// Creates a new builder for TLS connections with raw public key.
-    #[cfg(feature = "rpk")]
-    pub fn rpk_builder() -> Result<SslConnectorBuilder, ErrorStack> {
-        let mut ctx = ctx(ContextType::Rpk)?;
-        ctx.set_cipher_list(
-            "DEFAULT:!aNULL:!eNULL:!MD5:!3DES:!DES:!RC4:!IDEA:!SEED:!aDSS:!SRP:!PSK",
-        )?;
-
-        Ok(SslConnectorBuilder(ctx))
-    }
-
     /// Initiates a client-side TLS session on a stream.
     ///
     /// The domain is used for SNI and hostname verification.
@@ -231,13 +216,7 @@ impl ConnectConfiguration {
             self.ssl.set_hostname(domain)?;
         }
 
-        #[cfg(feature = "rpk")]
-        let verify_hostname = !self.ssl.ssl_context().is_rpk() && self.verify_hostname;
-
-        #[cfg(not(feature = "rpk"))]
-        let verify_hostname = self.verify_hostname;
-
-        if verify_hostname {
+        if self.verify_hostname {
             setup_verify_hostname(&mut self.ssl, domain)?;
         }
 
@@ -299,21 +278,6 @@ impl DerefMut for ConnectConfiguration {
 pub struct SslAcceptor(SslContext);
 
 impl SslAcceptor {
-    /// Creates a new builder configured to connect to clients that support Raw Public Keys.
-    #[cfg(feature = "rpk")]
-    pub fn rpk() -> Result<SslAcceptorBuilder, ErrorStack> {
-        let mut ctx = ctx(ContextType::Rpk)?;
-        ctx.set_options(SslOptions::NO_TLSV1 | SslOptions::NO_TLSV1_1);
-        let dh = Dh::params_from_pem(FFDHE_2048.as_bytes())?;
-        ctx.set_tmp_dh(&dh)?;
-        ctx.set_cipher_list(
-            "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:\
-             ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:\
-             DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
-        )?;
-        Ok(SslAcceptorBuilder(ctx))
-    }
-
     /// Creates a new builder configured to connect to non-legacy clients. This should generally be
     /// considered a reasonable default choice.
     ///

boring/src/ssl/error.rs

@@ -200,12 +200,6 @@ fn fmt_mid_handshake_error(
     f: &mut fmt::Formatter,
     prefix: &str,
 ) -> fmt::Result {
-    #[cfg(feature = "rpk")]
-    if s.ssl().ssl_context().is_rpk() {
-        write!(f, "{}", prefix)?;
-        return write!(f, " {}", s.error());
-    }
-
     match s.ssl().verify_result() {
         // INVALID_CALL is returned if no verification took place,
         // such as before a cert is sent.