From 9523ac82c95b39ab303b69722f5b0779bbaa704e Mon Sep 17 00:00:00 2001 From: 0x676e67 Date: Mon, 12 Aug 2024 09:56:42 +0800 Subject: [PATCH] Merge patch (#8) --- Cargo.toml | 8 +- README.md | 2 + boring-sys/Cargo.toml | 2 +- boring-sys/build/main.rs | 9 +- boring-sys/deps/boringssl-fips | 1 - .../patches/boringssl-old-ciphers.patch | 242 ++++++++++++++++++ boring/Cargo.toml | 2 +- boring/examples/fips_enabled.rs | 2 + boring/examples/mk_certs.rs | 2 +- hyper-boring/Cargo.toml | 2 +- tokio-boring/Cargo.toml | 2 +- tokio-boring/examples/simple-async.rs | 1 + tokio-boring/tests/async_get_session.rs | 2 + .../tests/async_private_key_method.rs | 2 + .../tests/async_select_certificate.rs | 2 + tokio-boring/tests/client_server.rs | 2 + tokio-boring/tests/common/mod.rs | 1 + 17 files changed, 269 insertions(+), 15 deletions(-) delete mode 160000 boring-sys/deps/boringssl-fips create mode 100644 boring-sys/patches/boringssl-old-ciphers.patch diff --git a/Cargo.toml b/Cargo.toml index 3836084b..9723a25e 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -19,9 +19,9 @@ tag-prefix = "" publish = false [workspace.dependencies] -boring-sys = { version = "4.9.1", path = "./boring-sys" } -boring = { version = "4.9.1", path = "./boring" } -tokio-boring = { version = "4.9.1", path = "./tokio-boring" } +boring-sys = { version = "4.9.1", path = "./boring-sys", package = "rboring-sys" } +boring = { version = "4.9.1", path = "./boring", package = "rboring"} +tokio-boring = { version = "4.9.1", path = "./tokio-boring", package = "tokio-rboring"} bindgen = { version = "0.68.1", default-features = false, features = ["runtime"] } cmake = "0.1.18" @@ -37,7 +37,7 @@ tokio = "1" anyhow = "1" antidote = "1.0.0" http = "0.2" -hyper = { version = "0.14", default-features = false } +hyper = { package = "rhyper", version = "0.14", default-features = false } linked_hash_set = "0.1" once_cell = "1.0" tower = "0.4" diff --git a/README.md b/README.md index 37ebcc63..ab30c202 100644 --- a/README.md +++ b/README.md @@ -2,6 +2,8 @@ [![crates.io](https://img.shields.io/crates/v/boring.svg)](https://crates.io/crates/boring) +This project is forked from cloudflare [boring](https://github.com/cloudflare/boring) + BoringSSL bindings for the Rust programming language and TLS adapters for [tokio](https://github.com/tokio-rs/tokio) and [hyper](https://github.com/hyperium/hyper) built on top of it. diff --git a/boring-sys/Cargo.toml b/boring-sys/Cargo.toml index c1471f20..a1684f3d 100644 --- a/boring-sys/Cargo.toml +++ b/boring-sys/Cargo.toml @@ -1,5 +1,5 @@ [package] -name = "boring-sys" +name = "rboring-sys" version = { workspace = true } authors = ["Alex Crichton ", "Steven Fackler ", diff --git a/boring-sys/build/main.rs b/boring-sys/build/main.rs index 4d2ab6c0..46d7d70d 100644 --- a/boring-sys/build/main.rs +++ b/boring-sys/build/main.rs @@ -481,6 +481,9 @@ fn ensure_patches_applied(config: &Config) -> io::Result<()> { run_command(Command::new("git").arg("init").current_dir(src_path))?; } + println!("cargo:warning=applying old ciphers patch to boringssl"); + apply_patch(config, "boringssl-old-ciphers.patch")?; + if config.features.pq_experimental { println!("cargo:warning=applying experimental post quantum crypto patch to boringssl"); apply_patch(config, "boring-pq.patch")?; @@ -501,11 +504,7 @@ fn ensure_patches_applied(config: &Config) -> io::Result<()> { fn apply_patch(config: &Config, patch_name: &str) -> io::Result<()> { let src_path = get_boringssl_source_path(config); - let cmd_path = config - .manifest_dir - .join("patches") - .join(patch_name) - .canonicalize()?; + let cmd_path = config.manifest_dir.join("patches").join(patch_name); let mut args = vec!["apply", "-v", "--whitespace=fix"]; diff --git a/boring-sys/deps/boringssl-fips b/boring-sys/deps/boringssl-fips deleted file mode 160000 index 853ca1ea..00000000 --- a/boring-sys/deps/boringssl-fips +++ /dev/null @@ -1 +0,0 @@ -Subproject commit 853ca1ea1168dff08011e5d42d94609cc0ca2e27 diff --git a/boring-sys/patches/boringssl-old-ciphers.patch b/boring-sys/patches/boringssl-old-ciphers.patch new file mode 100644 index 00000000..d5a81dcc --- /dev/null +++ b/boring-sys/patches/boringssl-old-ciphers.patch @@ -0,0 +1,242 @@ +diff -u1 -Nar --exclude build --exclude tags boringssl-d24a38200fef19150eef00cad35b138936c08767/src/ssl/internal.h boringssl/src/ssl/internal.h +--- boringssl-d24a38200fef19150eef00cad35b138936c08767/src/ssl/internal.h 2023-09-27 05:13:00.000000000 +0300 ++++ boringssl/src/ssl/internal.h 2024-02-29 20:02:32.711209565 +0200 +@@ -577,4 +577,9 @@ + #define SSL_SHA256 0x00000002u ++// curl-impersonate: ++// SSL_SHA384 was removed in ++// https://boringssl-review.googlesource.com/c/boringssl/+/27944/ ++// but restored to impersonate browsers with older ciphers. ++#define SSL_SHA384 0x00000004u + // SSL_AEAD is set for all AEADs. +-#define SSL_AEAD 0x00000004u ++#define SSL_AEAD 0x00000008u + +diff -u1 -Nar --exclude build --exclude tags boringssl-d24a38200fef19150eef00cad35b138936c08767/src/ssl/ssl_cipher.cc boringssl/src/ssl/ssl_cipher.cc +--- boringssl-d24a38200fef19150eef00cad35b138936c08767/src/ssl/ssl_cipher.cc 2023-09-27 05:13:00.000000000 +0300 ++++ boringssl/src/ssl/ssl_cipher.cc 2024-02-29 20:02:32.711209565 +0200 +@@ -199,2 +199,33 @@ + ++ // curl-impersonate: Ciphers 3C, 3D were removed in ++ // https://boringssl-review.googlesource.com/c/boringssl/+/27944/ ++ // but restored here to impersonate browsers with older ciphers. They are ++ // not expected to actually work; but just to be included in the TLS ++ // Client Hello. ++ ++ // TLS v1.2 ciphersuites ++ ++ // Cipher 3C ++ { ++ TLS1_TXT_RSA_WITH_AES_128_SHA256, ++ "TLS_RSA_WITH_AES_128_CBC_SHA256", ++ TLS1_CK_RSA_WITH_AES_128_SHA256, ++ SSL_kRSA, ++ SSL_aRSA, ++ SSL_AES128, ++ SSL_SHA256, ++ SSL_HANDSHAKE_MAC_SHA256, ++ }, ++ // Cipher 3D ++ { ++ TLS1_TXT_RSA_WITH_AES_256_SHA256, ++ "TLS_RSA_WITH_AES_256_CBC_SHA256", ++ TLS1_CK_RSA_WITH_AES_256_SHA256, ++ SSL_kRSA, ++ SSL_aRSA, ++ SSL_AES256, ++ SSL_SHA256, ++ SSL_HANDSHAKE_MAC_SHA256, ++ }, ++ + // PSK cipher suites. +@@ -289,2 +320,19 @@ + ++ // curl-impersonate: Cipher C008 was missing from BoringSSL, ++ // probably because it is weak. Add it back from OpenSSL (ssl/s3_lib.c) ++ // where it is called ECDHE-ECDSA-DES-CBC3-SHA. ++ // It's not supposed to really work but just appear in the TLS client hello. ++ ++ // Cipher C008 ++ { ++ "ECDHE-ECDSA-DES-CBC3-SHA", ++ "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", ++ 0x0300C008, ++ SSL_kECDHE, ++ SSL_aECDSA, ++ SSL_3DES, ++ SSL_SHA1, ++ SSL_HANDSHAKE_MAC_DEFAULT, ++ }, ++ + // Cipher C009 +@@ -313,2 +361,17 @@ + ++ // curl-impersonate: Cipher C012 was missing from BoringSSL, ++ // probably because it is weak. Add it back from OpenSSL (ssl/s3_lib.c) ++ // where it is called ECDHE-RSA-DES-CBC3-SHA ++ // It's not supposed to really work but just appear in the TLS client hello. ++ { ++ "ECDHE-RSA-DES-CBC3-SHA", ++ "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", ++ 0x0300C012, ++ SSL_kECDHE, ++ SSL_aRSA, ++ SSL_3DES, ++ SSL_SHA1, ++ SSL_HANDSHAKE_MAC_DEFAULT, ++ }, ++ + // Cipher C013 +@@ -337,2 +400,33 @@ + ++ // curl-impersonate: Ciphers C023, C024, C028 were removed in ++ // https://boringssl-review.googlesource.com/c/boringssl/+/27944/ ++ // but restored here to impersonate browsers with older ciphers. They are ++ // not expected to actually work; but just to be included in the TLS ++ // Client Hello. ++ ++ // HMAC based TLS v1.2 ciphersuites from RFC5289 ++ ++ // Cipher C023 ++ { ++ TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256, ++ "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", ++ TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256, ++ SSL_kECDHE, ++ SSL_aECDSA, ++ SSL_AES128, ++ SSL_SHA256, ++ SSL_HANDSHAKE_MAC_SHA256, ++ }, ++ // Cipher C024 ++ { ++ TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384, ++ "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", ++ TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384, ++ SSL_kECDHE, ++ SSL_aECDSA, ++ SSL_AES256, ++ SSL_SHA384, ++ SSL_HANDSHAKE_MAC_SHA384, ++ }, ++ + // Cipher C027 +@@ -349,2 +443,14 @@ + ++ // Cipher C028 ++ { ++ TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384, ++ "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", ++ TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384, ++ SSL_kECDHE, ++ SSL_aRSA, ++ SSL_AES256, ++ SSL_SHA384, ++ SSL_HANDSHAKE_MAC_SHA384, ++ }, ++ + // GCM based TLS v1.2 ciphersuites from RFC 5289 +@@ -555,2 +661,7 @@ + {"SHA1", ~0u, ~0u, ~0u, SSL_SHA1, 0}, ++ // curl-impersonate: ++ // Removed in https://boringssl-review.googlesource.com/c/boringssl/+/27944/ ++ // but restored to impersonate browsers with older ciphers. ++ {"SHA256", ~0u, ~0u, ~0u, SSL_SHA256, 0}, ++ {"SHA384", ~0u, ~0u, ~0u, SSL_SHA384, 0}, + {"SHA", ~0u, ~0u, ~0u, SSL_SHA1, 0}, +@@ -1170,2 +1281,10 @@ + SSL3_CK_RSA_DES_192_CBC3_SHA & 0xffff, ++ // curl-impersonate: add legacy cipehrs. ++ TLS1_CK_RSA_WITH_AES_128_SHA256 & 0xffff, ++ TLS1_CK_RSA_WITH_AES_256_SHA256 & 0xffff, ++ 0x0300C008 & 0xffff, ++ 0x0300C012 & 0xffff, ++ TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256 & 0xffff, ++ TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384 & 0xffff, ++ TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384 & 0xffff, + }; +diff -u1 -Nar --exclude build --exclude tags boringssl-d24a38200fef19150eef00cad35b138936c08767/src/ssl/ssl_privkey.cc boringssl/src/ssl/ssl_privkey.cc +--- boringssl-d24a38200fef19150eef00cad35b138936c08767/src/ssl/ssl_privkey.cc 2023-09-27 05:13:00.000000000 +0300 ++++ boringssl/src/ssl/ssl_privkey.cc 2024-02-29 21:26:15.518023534 +0200 +@@ -560,40 +560,45 @@ + +-static int compare_uint16_t(const void *p1, const void *p2) { +- uint16_t u1 = *((const uint16_t *)p1); +- uint16_t u2 = *((const uint16_t *)p2); +- if (u1 < u2) { +- return -1; +- } else if (u1 > u2) { +- return 1; +- } else { +- return 0; +- } +-} +- +-static bool sigalgs_unique(Span in_sigalgs) { +- if (in_sigalgs.size() < 2) { +- return true; +- } +- +- Array sigalgs; +- if (!sigalgs.CopyFrom(in_sigalgs)) { +- return false; +- } +- +- qsort(sigalgs.data(), sigalgs.size(), sizeof(uint16_t), compare_uint16_t); +- +- for (size_t i = 1; i < sigalgs.size(); i++) { +- if (sigalgs[i - 1] == sigalgs[i]) { +- OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_SIGNATURE_ALGORITHM); +- return false; +- } +- } +- +- return true; +-} ++// curl-impersonate: Remove the uniqueness check. Older Safari versions (15) ++// send out duplicated algorithm prefs. ++// static int compare_uint16_t(const void *p1, const void *p2) { ++// uint16_t u1 = *((const uint16_t *)p1); ++// uint16_t u2 = *((const uint16_t *)p2); ++// if (u1 < u2) { ++// return -1; ++// } else if (u1 > u2) { ++// return 1; ++// } else { ++// return 0; ++// } ++// } ++ ++// static bool sigalgs_unique(Span in_sigalgs) { ++// if (in_sigalgs.size() < 2) { ++// return true; ++// } ++// ++// Array sigalgs; ++// if (!sigalgs.CopyFrom(in_sigalgs)) { ++// return false; ++// } ++// ++// qsort(sigalgs.data(), sigalgs.size(), sizeof(uint16_t), compare_uint16_t); ++// ++// for (size_t i = 1; i < sigalgs.size(); i++) { ++// if (sigalgs[i - 1] == sigalgs[i]) { ++// OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_SIGNATURE_ALGORITHM); ++// return false; ++// } ++// } ++// ++// return true; ++// } + + static bool set_sigalg_prefs(Array *out, Span prefs) { +- if (!sigalgs_unique(prefs)) { +- return false; +- } ++ // curl-impersonate: Remove the uniqueness check. Older Safari versions (15) ++ // send out duplicated algorithm prefs. ++ ++ // if (!sigalgs_unique(prefs)) { ++ // return false; ++ // } + diff --git a/boring/Cargo.toml b/boring/Cargo.toml index 0a576ab4..98441b6c 100644 --- a/boring/Cargo.toml +++ b/boring/Cargo.toml @@ -1,5 +1,5 @@ [package] -name = "boring" +name = "rboring" version = { workspace = true } authors = ["Steven Fackler ", "Ivan Nikulin "] license = "Apache-2.0" diff --git a/boring/examples/fips_enabled.rs b/boring/examples/fips_enabled.rs index 7a57aee4..92a164df 100644 --- a/boring/examples/fips_enabled.rs +++ b/boring/examples/fips_enabled.rs @@ -1,3 +1,5 @@ +use rboring as boring; + fn main() { println!("boring::fips::enabled(): {}", boring::fips::enabled()); } diff --git a/boring/examples/mk_certs.rs b/boring/examples/mk_certs.rs index ce0c8492..d118ecd8 100644 --- a/boring/examples/mk_certs.rs +++ b/boring/examples/mk_certs.rs @@ -1,7 +1,7 @@ //! A program that generates ca certs, certs verified by the ca, and public //! and private keys. -extern crate boring; +extern crate rboring as boring; use boring::asn1::Asn1Time; use boring::bn::{BigNum, MsbOption}; diff --git a/hyper-boring/Cargo.toml b/hyper-boring/Cargo.toml index b8c5c9d0..74fca69c 100644 --- a/hyper-boring/Cargo.toml +++ b/hyper-boring/Cargo.toml @@ -1,5 +1,5 @@ [package] -name = "hyper-boring" +name = "hyper-rboring" version = { workspace = true } authors = ["Steven Fackler ", "Ivan Nikulin "] edition = { workspace = true } diff --git a/tokio-boring/Cargo.toml b/tokio-boring/Cargo.toml index 1d5a3847..51d4bbdf 100644 --- a/tokio-boring/Cargo.toml +++ b/tokio-boring/Cargo.toml @@ -1,5 +1,5 @@ [package] -name = "tokio-boring" +name = "tokio-rboring" version = { workspace = true } authors = ["Alex Crichton ", "Ivan Nikulin "] license = "MIT OR Apache-2.0" diff --git a/tokio-boring/examples/simple-async.rs b/tokio-boring/examples/simple-async.rs index f4a69a1c..b5be619e 100644 --- a/tokio-boring/examples/simple-async.rs +++ b/tokio-boring/examples/simple-async.rs @@ -1,5 +1,6 @@ use boring::ssl; use tokio::net::TcpListener; +use tokio_rboring as tokio_boring; #[tokio::main] async fn main() -> anyhow::Result<()> { diff --git a/tokio-boring/tests/async_get_session.rs b/tokio-boring/tests/async_get_session.rs index 0ab9b396..b13268f9 100644 --- a/tokio-boring/tests/async_get_session.rs +++ b/tokio-boring/tests/async_get_session.rs @@ -1,3 +1,5 @@ +use tokio_rboring as tokio_boring; + use boring::ssl::{SslOptions, SslRef, SslSession, SslSessionCacheMode, SslVersion}; use futures::future; use std::sync::atomic::{AtomicBool, Ordering}; diff --git a/tokio-boring/tests/async_private_key_method.rs b/tokio-boring/tests/async_private_key_method.rs index 31b835c7..b0afdf86 100644 --- a/tokio-boring/tests/async_private_key_method.rs +++ b/tokio-boring/tests/async_private_key_method.rs @@ -1,3 +1,5 @@ +use tokio_rboring as tokio_boring; + use boring::hash::MessageDigest; use boring::pkey::PKey; use boring::rsa::Padding; diff --git a/tokio-boring/tests/async_select_certificate.rs b/tokio-boring/tests/async_select_certificate.rs index 91845f4e..967e38e8 100644 --- a/tokio-boring/tests/async_select_certificate.rs +++ b/tokio-boring/tests/async_select_certificate.rs @@ -1,3 +1,5 @@ +use tokio_rboring as tokio_boring; + use boring::ssl::ClientHello; use futures::future; use tokio::task::yield_now; diff --git a/tokio-boring/tests/client_server.rs b/tokio-boring/tests/client_server.rs index 925f9875..74d96541 100644 --- a/tokio-boring/tests/client_server.rs +++ b/tokio-boring/tests/client_server.rs @@ -1,3 +1,5 @@ +use tokio_rboring as tokio_boring; + use boring::ssl::{SslConnector, SslMethod}; use futures::future; use std::net::ToSocketAddrs; diff --git a/tokio-boring/tests/common/mod.rs b/tokio-boring/tests/common/mod.rs index b28917b4..8fe6c84b 100644 --- a/tokio-boring/tests/common/mod.rs +++ b/tokio-boring/tests/common/mod.rs @@ -10,6 +10,7 @@ use std::pin::Pin; use tokio::io::{AsyncReadExt, AsyncWrite, AsyncWriteExt}; use tokio::net::{TcpListener, TcpStream}; use tokio_boring::{HandshakeError, SslStream}; +use tokio_rboring as tokio_boring; pub(crate) fn create_server( setup: impl FnOnce(&mut SslAcceptorBuilder),