Merge patch (#8)

2024-08-12 09:56:42 +08:00 · 2024-08-12 09:56:42 +08:00 · 9523ac82c9
parent 72b343def1
commit 9523ac82c9
17 changed files with 269 additions and 15 deletions
--- a/Cargo.toml
+++ b/Cargo.toml
@ -19,9 +19,9 @@ tag-prefix = ""
 publish = false

 [workspace.dependencies]
-boring-sys = { version = "4.9.1", path = "./boring-sys" }
-boring = { version = "4.9.1", path = "./boring" }
-tokio-boring = { version = "4.9.1", path = "./tokio-boring" }
+boring-sys = { version = "4.9.1", path = "./boring-sys", package = "rboring-sys" }
+boring = { version = "4.9.1", path = "./boring", package = "rboring"}
+tokio-boring = { version = "4.9.1", path = "./tokio-boring", package = "tokio-rboring"}

 bindgen = { version = "0.68.1", default-features = false, features = ["runtime"] }
 cmake = "0.1.18"
@ -37,7 +37,7 @@ tokio = "1"
 anyhow = "1"
 antidote = "1.0.0"
 http = "0.2"
-hyper = { version = "0.14", default-features = false }
+hyper = { package = "rhyper", version = "0.14", default-features = false }
 linked_hash_set = "0.1"
 once_cell = "1.0"
 tower = "0.4"
--- a/README.md
+++ b/README.md
@ -2,6 +2,8 @@

 [![crates.io](https://img.shields.io/crates/v/boring.svg)](https://crates.io/crates/boring)

+This project is forked from cloudflare [boring](https://github.com/cloudflare/boring)
+
 BoringSSL bindings for the Rust programming language and TLS adapters for [tokio](https://github.com/tokio-rs/tokio)
 and [hyper](https://github.com/hyperium/hyper) built on top of it.

--- a/boring-sys/Cargo.toml
+++ b/boring-sys/Cargo.toml
@ -1,5 +1,5 @@
 [package]
-name = "boring-sys"
+name = "rboring-sys"
 version = { workspace = true }
 authors = ["Alex Crichton <alex@alexcrichton.com>",
           "Steven Fackler <sfackler@gmail.com>",
--- a/boring-sys/build/main.rs
+++ b/boring-sys/build/main.rs
@ -481,6 +481,9 @@ fn ensure_patches_applied(config: &Config) -> io::Result<()> {
        run_command(Command::new("git").arg("init").current_dir(src_path))?;
    }

+    println!("cargo:warning=applying old ciphers patch to boringssl");
+    apply_patch(config, "boringssl-old-ciphers.patch")?;
+
    if config.features.pq_experimental {
        println!("cargo:warning=applying experimental post quantum crypto patch to boringssl");
        apply_patch(config, "boring-pq.patch")?;
@ -501,11 +504,7 @@ fn ensure_patches_applied(config: &Config) -> io::Result<()> {

 fn apply_patch(config: &Config, patch_name: &str) -> io::Result<()> {
    let src_path = get_boringssl_source_path(config);
-    let cmd_path = config
-        .manifest_dir
-        .join("patches")
-        .join(patch_name)
-        .canonicalize()?;
+    let cmd_path = config.manifest_dir.join("patches").join(patch_name);

    let mut args = vec!["apply", "-v", "--whitespace=fix"];

--- a/boring-sys/deps/boringssl-fips
+++ b/boring-sys/deps/boringssl-fips
@ -1 +0,0 @@
-Subproject commit 853ca1ea1168dff08011e5d42d94609cc0ca2e27
--- a/boring-sys/patches/boringssl-old-ciphers.patch
+++ b/boring-sys/patches/boringssl-old-ciphers.patch
@ -0,0 +1,242 @@
+diff -u1 -Nar --exclude build --exclude tags boringssl-d24a38200fef19150eef00cad35b138936c08767/src/ssl/internal.h boringssl/src/ssl/internal.h
+--- boringssl-d24a38200fef19150eef00cad35b138936c08767/src/ssl/internal.h	2023-09-27 05:13:00.000000000 +0300
+++ boringssl/src/ssl/internal.h	2024-02-29 20:02:32.711209565 +0200
+@@ -577,4 +577,9 @@
+ #define SSL_SHA256 0x00000002u
+// curl-impersonate:
+// SSL_SHA384 was removed in
+// https://boringssl-review.googlesource.com/c/boringssl/+/27944/
+// but restored to impersonate browsers with older ciphers.
+#define SSL_SHA384 0x00000004u
+ // SSL_AEAD is set for all AEADs.
+-#define SSL_AEAD 0x00000004u
+#define SSL_AEAD 0x00000008u
+ 
+diff -u1 -Nar --exclude build --exclude tags boringssl-d24a38200fef19150eef00cad35b138936c08767/src/ssl/ssl_cipher.cc boringssl/src/ssl/ssl_cipher.cc
+--- boringssl-d24a38200fef19150eef00cad35b138936c08767/src/ssl/ssl_cipher.cc	2023-09-27 05:13:00.000000000 +0300
+++ boringssl/src/ssl/ssl_cipher.cc	2024-02-29 20:02:32.711209565 +0200
+@@ -199,2 +199,33 @@
+ 
+    // curl-impersonate: Ciphers 3C, 3D were removed in
+    // https://boringssl-review.googlesource.com/c/boringssl/+/27944/
+    // but restored here to impersonate browsers with older ciphers. They are
+    // not expected to actually work; but just to be included in the TLS
+    // Client Hello.
+ 
+    // TLS v1.2 ciphersuites
+ 
+    // Cipher 3C
+    {
+     TLS1_TXT_RSA_WITH_AES_128_SHA256,
+     "TLS_RSA_WITH_AES_128_CBC_SHA256",
+     TLS1_CK_RSA_WITH_AES_128_SHA256,
+     SSL_kRSA,
+     SSL_aRSA,
+     SSL_AES128,
+     SSL_SHA256,
+     SSL_HANDSHAKE_MAC_SHA256,
+    },
+    // Cipher 3D
+    {
+     TLS1_TXT_RSA_WITH_AES_256_SHA256,
+     "TLS_RSA_WITH_AES_256_CBC_SHA256",
+     TLS1_CK_RSA_WITH_AES_256_SHA256,
+     SSL_kRSA,
+     SSL_aRSA,
+     SSL_AES256,
+     SSL_SHA256,
+     SSL_HANDSHAKE_MAC_SHA256,
+    },
+
+     // PSK cipher suites.
+@@ -289,2 +320,19 @@
+ 
+    // curl-impersonate: Cipher C008 was missing from BoringSSL,
+    // probably because it is weak. Add it back from OpenSSL (ssl/s3_lib.c)
+    // where it is called ECDHE-ECDSA-DES-CBC3-SHA.
+    // It's not supposed to really work but just appear in the TLS client hello.
+ 
+    // Cipher C008
+    {
+     "ECDHE-ECDSA-DES-CBC3-SHA",
+     "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
+     0x0300C008,
+     SSL_kECDHE,
+     SSL_aECDSA,
+     SSL_3DES,
+     SSL_SHA1,
+     SSL_HANDSHAKE_MAC_DEFAULT,
+    },
+
+     // Cipher C009
+@@ -313,2 +361,17 @@
+ 
+    // curl-impersonate: Cipher C012 was missing from BoringSSL,
+    // probably because it is weak. Add it back from OpenSSL (ssl/s3_lib.c)
+    // where it is called ECDHE-RSA-DES-CBC3-SHA
+    // It's not supposed to really work but just appear in the TLS client hello.
+    {
+     "ECDHE-RSA-DES-CBC3-SHA",
+     "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
+     0x0300C012,
+     SSL_kECDHE,
+     SSL_aRSA,
+     SSL_3DES,
+     SSL_SHA1,
+     SSL_HANDSHAKE_MAC_DEFAULT,
+    },
+
+     // Cipher C013
+@@ -337,2 +400,33 @@
+ 
+    // curl-impersonate: Ciphers C023, C024, C028 were removed in
+    // https://boringssl-review.googlesource.com/c/boringssl/+/27944/
+    // but restored here to impersonate browsers with older ciphers. They are
+    // not expected to actually work; but just to be included in the TLS
+    // Client Hello.
+
+    // HMAC based TLS v1.2 ciphersuites from RFC5289
+
+    // Cipher C023
+    {
+     TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256,
+     "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
+     TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256,
+     SSL_kECDHE,
+     SSL_aECDSA,
+     SSL_AES128,
+     SSL_SHA256,
+     SSL_HANDSHAKE_MAC_SHA256,
+    },
+    // Cipher C024
+    {
+     TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384,
+     "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
+     TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384,
+     SSL_kECDHE,
+     SSL_aECDSA,
+     SSL_AES256,
+     SSL_SHA384,
+     SSL_HANDSHAKE_MAC_SHA384,
+    },
+
+     // Cipher C027
+@@ -349,2 +443,14 @@
+ 
+    // Cipher C028
+    {
+     TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384,
+     "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
+     TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
+     SSL_kECDHE,
+     SSL_aRSA,
+     SSL_AES256,
+     SSL_SHA384,
+     SSL_HANDSHAKE_MAC_SHA384,
+    },
+
+     // GCM based TLS v1.2 ciphersuites from RFC 5289
+@@ -555,2 +661,7 @@
+     {"SHA1", ~0u, ~0u, ~0u, SSL_SHA1, 0},
+    // curl-impersonate:
+    // Removed in https://boringssl-review.googlesource.com/c/boringssl/+/27944/
+    // but restored to impersonate browsers with older ciphers.
+    {"SHA256", ~0u, ~0u, ~0u, SSL_SHA256, 0},
+    {"SHA384", ~0u, ~0u, ~0u, SSL_SHA384, 0},
+     {"SHA", ~0u, ~0u, ~0u, SSL_SHA1, 0},
+@@ -1170,2 +1281,10 @@
+       SSL3_CK_RSA_DES_192_CBC3_SHA & 0xffff,
+      // curl-impersonate: add legacy cipehrs.
+      TLS1_CK_RSA_WITH_AES_128_SHA256 & 0xffff,
+      TLS1_CK_RSA_WITH_AES_256_SHA256 & 0xffff,
+      0x0300C008 & 0xffff,
+      0x0300C012 & 0xffff,
+      TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256 & 0xffff,
+      TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384 & 0xffff,
+      TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384 & 0xffff,
+   };
+diff -u1 -Nar --exclude build --exclude tags boringssl-d24a38200fef19150eef00cad35b138936c08767/src/ssl/ssl_privkey.cc boringssl/src/ssl/ssl_privkey.cc
+--- boringssl-d24a38200fef19150eef00cad35b138936c08767/src/ssl/ssl_privkey.cc	2023-09-27 05:13:00.000000000 +0300
+++ boringssl/src/ssl/ssl_privkey.cc	2024-02-29 21:26:15.518023534 +0200
+@@ -560,40 +560,45 @@
+ 
+-static int compare_uint16_t(const void *p1, const void *p2) {
+-  uint16_t u1 = *((const uint16_t *)p1);
+-  uint16_t u2 = *((const uint16_t *)p2);
+-  if (u1 < u2) {
+-    return -1;
+-  } else if (u1 > u2) {
+-    return 1;
+-  } else {
+-    return 0;
+-  }
+-}
+-
+-static bool sigalgs_unique(Span<const uint16_t> in_sigalgs) {
+-  if (in_sigalgs.size() < 2) {
+-    return true;
+-  }
+-
+-  Array<uint16_t> sigalgs;
+-  if (!sigalgs.CopyFrom(in_sigalgs)) {
+-    return false;
+-  }
+-
+-  qsort(sigalgs.data(), sigalgs.size(), sizeof(uint16_t), compare_uint16_t);
+-
+-  for (size_t i = 1; i < sigalgs.size(); i++) {
+-    if (sigalgs[i - 1] == sigalgs[i]) {
+-      OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_SIGNATURE_ALGORITHM);
+-      return false;
+-    }
+-  }
+-
+-  return true;
+-}
+// curl-impersonate: Remove the uniqueness check. Older Safari versions (15)
+// send out duplicated algorithm prefs.
+// static int compare_uint16_t(const void *p1, const void *p2) {
+//   uint16_t u1 = *((const uint16_t *)p1);
+//   uint16_t u2 = *((const uint16_t *)p2);
+//   if (u1 < u2) {
+//     return -1;
+//   } else if (u1 > u2) {
+//     return 1;
+//   } else {
+//     return 0;
+//   }
+// }
+
+// static bool sigalgs_unique(Span<const uint16_t> in_sigalgs) {
+//   if (in_sigalgs.size() < 2) {
+//     return true;
+//   }
+// 
+//   Array<uint16_t> sigalgs;
+//   if (!sigalgs.CopyFrom(in_sigalgs)) {
+//     return false;
+//   }
+// 
+//   qsort(sigalgs.data(), sigalgs.size(), sizeof(uint16_t), compare_uint16_t);
+// 
+//   for (size_t i = 1; i < sigalgs.size(); i++) {
+//     if (sigalgs[i - 1] == sigalgs[i]) {
+//       OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_SIGNATURE_ALGORITHM);
+//       return false;
+//     }
+//   }
+// 
+//   return true;
+// }
+ 
+ static bool set_sigalg_prefs(Array<uint16_t> *out, Span<const uint16_t> prefs) {
+-  if (!sigalgs_unique(prefs)) {
+-    return false;
+-  }
+  // curl-impersonate: Remove the uniqueness check. Older Safari versions (15)
+  // send out duplicated algorithm prefs.
+
+  // if (!sigalgs_unique(prefs)) {
+  //   return false;
+  // }
+ 
--- a/boring/Cargo.toml
+++ b/boring/Cargo.toml
@ -1,5 +1,5 @@
 [package]
-name = "boring"
+name = "rboring"
 version = { workspace = true }
 authors = ["Steven Fackler <sfackler@gmail.com>", "Ivan Nikulin <ifaaan@gmail.com>"]
 license = "Apache-2.0"
--- a/boring/examples/fips_enabled.rs
+++ b/boring/examples/fips_enabled.rs
@ -1,3 +1,5 @@
+use rboring as boring;
+
 fn main() {
    println!("boring::fips::enabled(): {}", boring::fips::enabled());
 }
--- a/boring/examples/mk_certs.rs
+++ b/boring/examples/mk_certs.rs
@ -1,7 +1,7 @@
 //! A program that generates ca certs, certs verified by the ca, and public
 //! and private keys.

-extern crate boring;
+extern crate rboring as boring;

 use boring::asn1::Asn1Time;
 use boring::bn::{BigNum, MsbOption};
--- a/hyper-boring/Cargo.toml
+++ b/hyper-boring/Cargo.toml
@ -1,5 +1,5 @@
 [package]
-name = "hyper-boring"
+name = "hyper-rboring"
 version = { workspace = true }
 authors = ["Steven Fackler <sfackler@gmail.com>", "Ivan Nikulin <ifaaan@gmail.com>"]
 edition = { workspace = true }
--- a/tokio-boring/Cargo.toml
+++ b/tokio-boring/Cargo.toml
@ -1,5 +1,5 @@
 [package]
-name = "tokio-boring"
+name = "tokio-rboring"
 version = { workspace = true }
 authors = ["Alex Crichton <alex@alexcrichton.com>", "Ivan Nikulin <ifaaan@gmail.com>"]
 license = "MIT OR Apache-2.0"
--- a/tokio-boring/examples/simple-async.rs
+++ b/tokio-boring/examples/simple-async.rs
@ -1,5 +1,6 @@
 use boring::ssl;
 use tokio::net::TcpListener;
+use tokio_rboring as tokio_boring;

 #[tokio::main]
 async fn main() -> anyhow::Result<()> {
--- a/tokio-boring/tests/async_get_session.rs
+++ b/tokio-boring/tests/async_get_session.rs
@ -1,3 +1,5 @@
+use tokio_rboring as tokio_boring;
+
 use boring::ssl::{SslOptions, SslRef, SslSession, SslSessionCacheMode, SslVersion};
 use futures::future;
 use std::sync::atomic::{AtomicBool, Ordering};
--- a/tokio-boring/tests/async_private_key_method.rs
+++ b/tokio-boring/tests/async_private_key_method.rs
@ -1,3 +1,5 @@
+use tokio_rboring as tokio_boring;
+
 use boring::hash::MessageDigest;
 use boring::pkey::PKey;
 use boring::rsa::Padding;
--- a/tokio-boring/tests/async_select_certificate.rs
+++ b/tokio-boring/tests/async_select_certificate.rs
@ -1,3 +1,5 @@
+use tokio_rboring as tokio_boring;
+
 use boring::ssl::ClientHello;
 use futures::future;
 use tokio::task::yield_now;
--- a/tokio-boring/tests/client_server.rs
+++ b/tokio-boring/tests/client_server.rs
@ -1,3 +1,5 @@
+use tokio_rboring as tokio_boring;
+
 use boring::ssl::{SslConnector, SslMethod};
 use futures::future;
 use std::net::ToSocketAddrs;
--- a/tokio-boring/tests/common/mod.rs
+++ b/tokio-boring/tests/common/mod.rs
@ -10,6 +10,7 @@ use std::pin::Pin;
 use tokio::io::{AsyncReadExt, AsyncWrite, AsyncWriteExt};
 use tokio::net::{TcpListener, TcpStream};
 use tokio_boring::{HandshakeError, SslStream};
+use tokio_rboring as tokio_boring;

 pub(crate) fn create_server(
    setup: impl FnOnce(&mut SslAcceptorBuilder),
				`@ -1 +0,0 @@`
				`Subproject commit 853ca1ea1168dff08011e5d42d94609cc0ca2e27`