From d69d6b9cb3c2a04fa6b288a70a78e58ba169784f Mon Sep 17 00:00:00 2001 From: 0x676e67 Date: Fri, 7 Mar 2025 11:02:38 +0800 Subject: [PATCH] feat: Allow overriding AES encryption for Encrypted Client Hello (#57) --- ...df6f03d85c901767250329c571db405122d5.patch | 50 +++++++++++++++---- boring/src/ssl/connector.rs | 7 +++ boring/src/ssl/mod.rs | 7 +++ 3 files changed, 54 insertions(+), 10 deletions(-) diff --git a/boring-sys/patches/boringssl-44b3df6f03d85c901767250329c571db405122d5.patch b/boring-sys/patches/boringssl-44b3df6f03d85c901767250329c571db405122d5.patch index 6fc56be4..90dc001a 100644 --- a/boring-sys/patches/boringssl-44b3df6f03d85c901767250329c571db405122d5.patch +++ b/boring-sys/patches/boringssl-44b3df6f03d85c901767250329c571db405122d5.patch @@ -4270,7 +4270,7 @@ index 4dd8841b1..23ffcd446 100644 #if defined(__cplusplus) } /* extern C */ diff --git a/src/include/openssl/ssl.h b/src/include/openssl/ssl.h -index 53aa9b453..ea01fd665 100644 +index 53aa9b453..0000201ab 100644 --- a/src/include/openssl/ssl.h +++ b/src/include/openssl/ssl.h @@ -718,6 +718,12 @@ OPENSSL_EXPORT int SSL_version(const SSL *ssl); @@ -4310,7 +4310,7 @@ index 53aa9b453..ea01fd665 100644 // Certificate compression. // -@@ -4570,6 +4586,27 @@ OPENSSL_EXPORT void SSL_CTX_set_permute_extensions(SSL_CTX *ctx, int enabled); +@@ -4570,6 +4586,39 @@ OPENSSL_EXPORT void SSL_CTX_set_permute_extensions(SSL_CTX *ctx, int enabled); // permute extensions. For now, this is only implemented for the ClientHello. OPENSSL_EXPORT void SSL_set_permute_extensions(SSL *ssl, int enabled); 
@@ -4334,11 +4334,23 @@ index 53aa9b453..ea01fd665 100644 +// SSL_CTX_set_key_shares_limit configures whether sockets on |ctx| should +// send three key shares. +OPENSSL_EXPORT void SSL_CTX_set_key_shares_limit(SSL_CTX *ctx, uint8_t limit); ++ ++ ++// SSL_CTX_set_aes_hw_override sets |override_value| to ++// override checking for aes hardware support. If |override_value| ++// is set to true, the library will behave as if aes hardware support is ++// present. If it is set to false, the library will behave as if aes hardware ++// support is not present. ++OPENSSL_EXPORT void SSL_CTX_set_aes_hw_override(SSL_CTX *ctx, int override_value); ++ ++// SSL_set_aes_hw_override acts the same as ++// |SSL_CTX_set_aes_override| but only configures a single |SSL*|. ++OPENSSL_EXPORT void SSL_set_aes_hw_override(SSL *ssl, int override_value); + // SSL_max_seal_overhead returns the maximum overhead, in bytes, of sealing a // record with |ssl|. OPENSSL_EXPORT size_t SSL_max_seal_overhead(const SSL *ssl); -@@ -4874,6 +4911,10 @@ OPENSSL_EXPORT int SSL_CTX_set1_sigalgs_list(SSL_CTX *ctx, const char *str); +@@ -4874,6 +4923,10 @@ OPENSSL_EXPORT int SSL_CTX_set1_sigalgs_list(SSL_CTX *ctx, const char *str); // more convenient to codesearch for specific algorithm values. OPENSSL_EXPORT int SSL_set1_sigalgs_list(SSL *ssl, const char *str); @@ -4349,7 +4361,7 @@ index 53aa9b453..ea01fd665 100644 #define SSL_set_app_data(s, arg) (SSL_set_ex_data(s, 0, (char *)(arg))) #define SSL_get_app_data(s) (SSL_get_ex_data(s, 0)) #define SSL_SESSION_set_app_data(s, a) \ -@@ -4926,7 +4967,6 @@ DEFINE_STACK_OF(SSL_COMP) +@@ -4926,7 +4979,6 @@ DEFINE_STACK_OF(SSL_COMP) #define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0 #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0 #define SSL_OP_NO_COMPRESSION 0 
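Review bot: The added comment on `SSL_set_aes_hw_override` refers to `|SSL_CTX_set_aes_override|`, a name that is not declared anywhere in the lines shown; it should read `|SSL_CTX_set_aes_hw_override|`. The comment block should also say that the override only changes what the library assumes about AES hardware, not which AES implementation actually runs. It presumably feeds the ordering of AES-GCM against ChaCha20-Poly1305 and, going by the commit title, the ECH AEAD choice, but the call sites are outside this diff and need confirming. A caller that forces the value to true on a CPU without AES instructions ends up preferring software AES, which is worth a caveat in the header.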
@@ -4357,7 +4369,7 @@ index 53aa9b453..ea01fd665 100644 #define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0 #define SSL_OP_NO_SSLv2 0 #define SSL_OP_NO_SSLv3 0 -@@ -5779,6 +5819,7 @@ BSSL_NAMESPACE_END +@@ -5779,6 +5831,7 @@ BSSL_NAMESPACE_END #define SSL_R_ECH_REJECTED 319 #define SSL_R_INVALID_OUTER_EXTENSION 320 #define SSL_R_INCONSISTENT_ECH_NEGOTIATION 321 @@ -6322,7 +6334,7 @@ index 09a9ad380..9c583b5ec 100644 return nullptr; } diff --git a/src/ssl/ssl_lib.cc b/src/ssl/ssl_lib.cc -index 838761af5..d187cf56c 100644 +index 838761af5..6f96d6eee 100644 --- a/src/ssl/ssl_lib.cc +++ b/src/ssl/ssl_lib.cc @@ -537,7 +537,8 @@ ssl_ctx_st::ssl_ctx_st(const SSL_METHOD *ssl_method) @@ -6369,7 +6381,7 @@ index 838761af5..d187cf56c 100644 assert(ssl); } -@@ -2134,6 +2140,28 @@ void SSL_enable_ocsp_stapling(SSL *ssl) { +@@ -2134,6 +2140,46 @@ void SSL_enable_ocsp_stapling(SSL *ssl) { ssl->config->ocsp_stapling_enabled = true; } @@ -6394,11 +6406,29 @@ index 838761af5..d187cf56c 100644 +void SSL_CTX_set_key_shares_limit(SSL_CTX *ctx, uint8_t limit) { + ctx->key_shares_limit = limit; +} ++ ++void SSL_CTX_set_aes_hw_override(SSL_CTX *ctx, int override_value) { ++ if (!ctx) { ++ return; ++ } ++ ++ ctx->aes_hw_override = true; ++ ctx->aes_hw_override_value = !!override_value; ++} ++ ++void SSL_set_aes_hw_override(SSL *ssl, int override_value) { ++ if (!ssl->config) { ++ return; ++ } ++ ++ ssl->config->aes_hw_override = true; ++ ssl->config->aes_hw_override_value = !!override_value; ++} + void SSL_get0_signed_cert_timestamp_list(const SSL *ssl, const uint8_t **out, size_t *out_len) { SSL_SESSION *session = SSL_get_session(ssl); -@@ -2327,6 +2355,13 @@ int SSL_has_application_settings(const SSL *ssl) { +@@ -2327,6 +2373,13 @@ int SSL_has_application_settings(const SSL *ssl) { return session && session->has_application_settings; } 
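Review bot: Both new setters store `aes_hw_override = true` unconditionally, so once either is called there is no way back to real hardware detection; an argument of 0 means "behave as if AES hardware is absent", not "turn the override off". If that one-way behaviour is intended it belongs in the ssl.h comment, otherwise a separate clearing call is needed. The two functions also disagree on argument checking: `SSL_CTX_set_aes_hw_override` returns early on a null `ctx`, while `SSL_set_aes_hw_override` reads `ssl->config` without checking `ssl`. The neighbouring `SSL_CTX_set_key_shares_limit` does no null check at all, so one convention should be picked. The `aes_hw_override` and `aes_hw_override_value` fields are not declared in the lines shown, so I am assuming they already exist on the context and config structs.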
@@ -6412,7 +6442,7 @@ index 838761af5..d187cf56c 100644 int SSL_CTX_add_cert_compression_alg(SSL_CTX *ctx, uint16_t alg_id, ssl_cert_compression_func_t compress, ssl_cert_decompression_func_t decompress) { -@@ -2939,6 +2974,24 @@ void SSL_set_permute_extensions(SSL *ssl, int enabled) { +@@ -2939,6 +2992,24 @@ void SSL_set_permute_extensions(SSL *ssl, int enabled) { ssl->config->permute_extensions = !!enabled; } @@ -6437,7 +6467,7 @@ index 838761af5..d187cf56c 100644 int32_t SSL_get_ticket_age_skew(const SSL *ssl) { return ssl->s3->ticket_age_skew; } -@@ -3151,7 +3204,7 @@ namespace fips202205 { +@@ -3151,7 +3222,7 @@ namespace fips202205 { // Section 3.3.1 // "The server shall be configured to only use cipher suites that are // composed entirely of NIST approved algorithms" diff --git a/boring/src/ssl/connector.rs b/boring/src/ssl/connector.rs index a51e5818..d29016c3 100644 --- a/boring/src/ssl/connector.rs +++ b/boring/src/ssl/connector.rs @@ -275,6 +275,13 @@ impl ConnectConfiguration { unsafe { ffi::SSL_set_enable_ech_grease(self.as_ptr(), enable as _) } } + /// Sets whether the aes hardware override should be enabled. + #[cfg(not(feature = "fips"))] + #[corresponds(SSL_set_aes_hw_override)] + pub fn set_aes_hw_override(&mut self, enable: bool) { + unsafe { ffi::SSL_set_aes_hw_override(self.as_ptr(), enable as _) } + } + /// Adds application settings. /// /// # Arguments diff --git a/boring/src/ssl/mod.rs b/boring/src/ssl/mod.rs index f6223d5b..bee784a9 100644 --- a/boring/src/ssl/mod.rs +++ b/boring/src/ssl/mod.rs 
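Review bot: The doc line `/// Sets whether the aes hardware override should be enabled.` and the parameter name `enable` do not match what the C function added in this same commit does. `SSL_set_aes_hw_override` always switches the override on and uses the argument as the assumed hardware state, so `set_aes_hw_override(false)` forces "no AES hardware" rather than disabling anything. I would rename the parameter to `aes_hw_present` and document it as `/// Forces the library to act as if AES hardware support is present (true) or absent (false), whatever the CPU reports. Once called, the override cannot be cleared.` The same wording and parameter name appear in `SslContextBuilder::set_aes_hw_override` in boring/src/ssl/mod.rs and need the same fix. The `impl ConnectConfiguration` block starts and ends outside the hunk.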
@@ -1863,6 +1863,13 @@ impl SslContextBuilder {
 unsafe { ffi::SSL_CTX_set_key_shares_limit(self.as_ptr(), limit as _) }
 }

+ /// Sets whether the aes hardware override should be enabled.
+ #[cfg(not(feature = "fips"))]
+ #[corresponds(SSL_CTX_set_aes_hw_override)]
+ pub fn set_aes_hw_override(&mut self, enable: bool) {
+ unsafe { ffi::SSL_CTX_set_aes_hw_override(self.as_ptr(), enable as _) }
+ }
+
 /// Sets whether the context should enable there key share extension.
 #[deprecated(since = "4.13.8", note = "use `set_key_shares_limit` instead")]
 #[corresponds(SSL_CTX_set_key_shares_limit)]