min
/
boring2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat(boring): Add add_cert_compression_alg support (#44)

This commit is contained in:
0x676e67 2025-02-07 13:37:09 +08:00 committed by GitHub
parent dbb58741f6
commit 72424152a9
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 221 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
Cargo.toml
View File

@ -39,3 +39,6 @@ antidote = "1.0.0"
linked_hash_set = "0.1" linked_hash_set = "0.1"
openssl-macros = "0.1.1" openssl-macros = "0.1.1"
autocfg = "1.3.0" autocfg = "1.3.0"
brotli = "7"
flate2 = "1"
zstd = "0.13"

6
boring/Cargo.toml
View File

@ -64,12 +64,18 @@ kx-client-pq-preferred = ["kx-safe-default", "kx-client-pq-supported"]
# Implies "kx-safe-default". # Implies "kx-safe-default".
kx-client-nist-required = ["kx-safe-default"] kx-client-nist-required = ["kx-safe-default"]
# Certificate compression
cert-compression = ["flate2", "brotli", "zstd"]
[dependencies] [dependencies]
bitflags = { workspace = true } bitflags = { workspace = true }
foreign-types = { workspace = true } foreign-types = { workspace = true }
openssl-macros = { workspace = true } openssl-macros = { workspace = true }
libc = { workspace = true } libc = { workspace = true }
boring-sys = { workspace = true } boring-sys = { workspace = true }
brotli = { workspace = true, optional = true }
flate2 = { workspace = true, optional = true }
zstd = { workspace = true, optional = true }
[dev-dependencies] [dev-dependencies]
hex = { workspace = true } hex = { workspace = true }

190
boring/src/ssl/cert_compression.rs Normal file
View File

@ -0,0 +1,190 @@
use boring_sys as ffi;
use std::{io::Read, slice};
/// IANA assigned identifier of compression algorithm.
/// See https://www.rfc-editor.org/rfc/rfc8879.html#name-compression-algorithms
#[repr(u16)]
#[derive(Debug, Copy, Clone, PartialEq, Eq)]
pub enum CertCompressionAlgorithm {
/// The Brotli compression algorithm.
Brotli = ffi::TLSEXT_cert_compression_brotli as _,
/// The zlib compression algorithm.
Zlib = ffi::TLSEXT_cert_compression_zlib as _,
/// The Zstandard compression algorithm.
Zstd = ffi::TLSEXT_cert_compression_zstd as _,
}
impl CertCompressionAlgorithm {
/// Returns the compression function for the algorithm.
pub(crate) fn compression_fn(&self) -> ffi::ssl_cert_compression_func_t {
match &self {
Self::Brotli => Some(brotli_compressor),
Self::Zlib => Some(zlib_compressor),
Self::Zstd => Some(zstd_compressor),
}
}
/// Returns the decompression function for the algorithm.
pub(crate) fn decompression_fn(&self) -> ffi::ssl_cert_decompression_func_t {
match &self {
Self::Brotli => Some(brotli_decompressor),
Self::Zlib => Some(zlib_decompressor),
Self::Zstd => Some(zstd_decompressor),
}
}
}
extern "C" fn brotli_compressor(
_ssl: *mut ffi::SSL,
buffer: *mut ffi::CBB,
in_: *const u8,
in_len: usize,
) -> ::std::os::raw::c_int {
let mut uncompressed = unsafe { slice::from_raw_parts(in_, in_len) };
let mut compressed = Vec::new();
let params = brotli::enc::encode::BrotliEncoderInitParams();
if brotli::BrotliCompress(&mut uncompressed, &mut compressed, &params).is_err() {
return 0;
}
unsafe { ffi::CBB_add_bytes(buffer, compressed.as_ptr(), compressed.len()) }
}
extern "C" fn zlib_compressor(
_ssl: *mut ffi::SSL,
out: *mut ffi::CBB,
in_: *const u8,
in_len: usize,
) -> ::std::os::raw::c_int {
let mut uncompressed = unsafe { slice::from_raw_parts(in_, in_len) };
let mut compressed = Vec::new();
let params = flate2::Compression::default();
let mut encoder = flate2::bufread::ZlibEncoder::new(&mut uncompressed, params);
if encoder.read_to_end(&mut compressed).is_err() {
return 0;
}
unsafe { ffi::CBB_add_bytes(out, compressed.as_ptr(), compressed.len()) }
}
extern "C" fn zstd_compressor(
_ssl: *mut ffi::SSL,
out: *mut ffi::CBB,
in_: *const u8,
in_len: usize,
) -> ::std::os::raw::c_int {
let mut uncompressed = unsafe { slice::from_raw_parts(in_, in_len) };
let compressed = if let Ok(compressed) = zstd::encode_all(&mut uncompressed, 3) {
compressed
} else {
return 0;
};
unsafe { ffi::CBB_add_bytes(out, compressed.as_ptr(), compressed.len()) }
}
extern "C" fn brotli_decompressor(
_ssl: *mut ffi::SSL,
buffer: *mut *mut ffi::CRYPTO_BUFFER,
uncompressed_len: usize,
in_: *const u8,
in_len: usize,
) -> ::std::os::raw::c_int {
let compressed = unsafe { slice::from_raw_parts(in_, in_len) };
let mut uncompressed = Vec::with_capacity(uncompressed_len);
if brotli::BrotliDecompress(&mut &compressed[..], &mut uncompressed).is_err() {
return 0;
}
if uncompressed.len() != uncompressed_len {
return 0;
}
unsafe {
*buffer = ffi::CRYPTO_BUFFER_new(
uncompressed.as_ptr(),
uncompressed_len,
std::ptr::null_mut(),
);
if buffer.is_null() {
return 0;
}
}
1
}
extern "C" fn zlib_decompressor(
_ssl: *mut ffi::SSL,
buffer: *mut *mut ffi::CRYPTO_BUFFER,
uncompressed_len: usize,
in_: *const u8,
in_len: usize,
) -> ::std::os::raw::c_int {
let mut compressed = unsafe { slice::from_raw_parts(in_, in_len) };
let mut uncompressed = Vec::with_capacity(uncompressed_len);
let mut decoder = flate2::bufread::ZlibDecoder::new(&mut compressed);
if decoder.read_to_end(&mut uncompressed).is_err() {
return 0;
}
if uncompressed.len() != uncompressed_len {
return 0;
}
unsafe {
*buffer = ffi::CRYPTO_BUFFER_new(
uncompressed.as_ptr(),
uncompressed_len,
std::ptr::null_mut(),
);
if buffer.is_null() {
return 0;
}
}
1
}
extern "C" fn zstd_decompressor(
_ssl: *mut ffi::SSL,
buffer: *mut *mut ffi::CRYPTO_BUFFER,
uncompressed_len: usize,
in_: *const u8,
in_len: usize,
) -> ::std::os::raw::c_int {
let mut compressed = unsafe { slice::from_raw_parts(in_, in_len) };
let uncompressed = if let Ok(uncompressed) = zstd::decode_all(&mut compressed) {
uncompressed
} else {
return 0;
};
if uncompressed.len() != uncompressed_len {
return 0;
}
unsafe {
*buffer = ffi::CRYPTO_BUFFER_new(
uncompressed.as_ptr(),
uncompressed_len,
std::ptr::null_mut(),
);
if buffer.is_null() {
return 0;
}
}
1
}

22
boring/src/ssl/mod.rs
View File

@ -101,6 +101,8 @@ pub use self::async_callbacks::{
BoxCustomVerifyFuture, BoxGetSessionFinish, BoxGetSessionFuture, BoxPrivateKeyMethodFinish, BoxCustomVerifyFuture, BoxGetSessionFinish, BoxGetSessionFuture, BoxPrivateKeyMethodFinish,
BoxPrivateKeyMethodFuture, BoxSelectCertFinish, BoxSelectCertFuture, ExDataFuture, BoxPrivateKeyMethodFuture, BoxSelectCertFinish, BoxSelectCertFuture, ExDataFuture,
}; };
#[cfg(feature = "cert-compression")]
pub use self::cert_compression::CertCompressionAlgorithm;
pub use self::connector::{ pub use self::connector::{
ConnectConfiguration, SslAcceptor, SslAcceptorBuilder, SslConnector, SslConnectorBuilder, ConnectConfiguration, SslAcceptor, SslAcceptorBuilder, SslConnector, SslConnectorBuilder,
}; };
@ -109,6 +111,8 @@ pub use self::error::{Error, ErrorCode, HandshakeError};
mod async_callbacks; mod async_callbacks;
mod bio; mod bio;
mod callbacks; mod callbacks;
#[cfg(feature = "cert-compression")]
mod cert_compression;
mod connector; mod connector;
mod error; mod error;
mod mut_only; mod mut_only;
@ -1353,6 +1357,24 @@ impl SslContextBuilder {
unsafe { cvt(ffi::SSL_CTX_use_PrivateKey(self.as_ptr(), key.as_ptr())).map(|_| ()) } unsafe { cvt(ffi::SSL_CTX_use_PrivateKey(self.as_ptr(), key.as_ptr())).map(|_| ()) }
} }
/// Sets whether a certificate compression algorithm should be used.
#[cfg(feature = "cert-compression")]
#[corresponds(SSL_CTX_add_cert_compression_alg)]
pub fn add_cert_compression_alg(
&mut self,
alg: CertCompressionAlgorithm,
) -> Result<(), ErrorStack> {
unsafe {
cvt(ffi::SSL_CTX_add_cert_compression_alg(
self.as_ptr(),
alg as _,
alg.compression_fn(),
alg.decompression_fn(),
))
.map(|_| ())
}
}
/// Sets the list of supported ciphers for protocols before TLSv1.3. /// Sets the list of supported ciphers for protocols before TLSv1.3.
/// ///
/// The `set_ciphersuites` method controls the cipher suites for TLSv1.3 in OpenSSL. /// The `set_ciphersuites` method controls the cipher suites for TLSv1.3 in OpenSSL.