min
/
boring2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat: Allow overriding AES encryption for Encrypted Client Hello (#57)

This commit is contained in:
0x676e67 2025-03-07 11:02:38 +08:00 committed by GitHub
parent 888a72ef43
commit d69d6b9cb3
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 54 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
boring-sys/patches/boringssl-44b3df6f03d85c901767250329c571db405122d5.patch
View File

@ -4270,7 +4270,7 @@ index 4dd8841b1..23ffcd446 100644
#if defined(__cplusplus) #if defined(__cplusplus)
} /* extern C */ } /* extern C */
diff --git a/src/include/openssl/ssl.h b/src/include/openssl/ssl.h diff --git a/src/include/openssl/ssl.h b/src/include/openssl/ssl.h
index 53aa9b453..ea01fd665 100644 index 53aa9b453..0000201ab 100644
--- a/src/include/openssl/ssl.h --- a/src/include/openssl/ssl.h
+++ b/src/include/openssl/ssl.h +++ b/src/include/openssl/ssl.h
@@ -718,6 +718,12 @@ OPENSSL_EXPORT int SSL_version(const SSL *ssl); @@ -718,6 +718,12 @@ OPENSSL_EXPORT int SSL_version(const SSL *ssl);
@ -4310,7 +4310,7 @@ index 53aa9b453..ea01fd665 100644
// Certificate compression. // Certificate compression.
// //
@@ -4570,6 +4586,27 @@ OPENSSL_EXPORT void SSL_CTX_set_permute_extensions(SSL_CTX *ctx, int enabled); @@ -4570,6 +4586,39 @@ OPENSSL_EXPORT void SSL_CTX_set_permute_extensions(SSL_CTX *ctx, int enabled);
// permute extensions. For now, this is only implemented for the ClientHello. // permute extensions. For now, this is only implemented for the ClientHello.
OPENSSL_EXPORT void SSL_set_permute_extensions(SSL *ssl, int enabled); OPENSSL_EXPORT void SSL_set_permute_extensions(SSL *ssl, int enabled);
@ -4334,11 +4334,23 @@ index 53aa9b453..ea01fd665 100644
+// SSL_CTX_set_key_shares_limit configures whether sockets on |ctx| should +// SSL_CTX_set_key_shares_limit configures whether sockets on |ctx| should
+// send three key shares. +// send three key shares.
+OPENSSL_EXPORT void SSL_CTX_set_key_shares_limit(SSL_CTX *ctx, uint8_t limit); +OPENSSL_EXPORT void SSL_CTX_set_key_shares_limit(SSL_CTX *ctx, uint8_t limit);
+
+
+// SSL_CTX_set_aes_hw_override sets |override_value| to
+// override checking for aes hardware support. If |override_value|
+// is set to true, the library will behave as if aes hardware support is
+// present. If it is set to false, the library will behave as if aes hardware
+// support is not present.
+OPENSSL_EXPORT void SSL_CTX_set_aes_hw_override(SSL_CTX *ctx, int override_value);
+
+// SSL_set_aes_hw_override acts the same as
+// |SSL_CTX_set_aes_override| but only configures a single |SSL*|.
+OPENSSL_EXPORT void SSL_set_aes_hw_override(SSL *ssl, int override_value);
+ +
// SSL_max_seal_overhead returns the maximum overhead, in bytes, of sealing a // SSL_max_seal_overhead returns the maximum overhead, in bytes, of sealing a
// record with |ssl|. // record with |ssl|.
OPENSSL_EXPORT size_t SSL_max_seal_overhead(const SSL *ssl); OPENSSL_EXPORT size_t SSL_max_seal_overhead(const SSL *ssl);
@@ -4874,6 +4911,10 @@ OPENSSL_EXPORT int SSL_CTX_set1_sigalgs_list(SSL_CTX *ctx, const char *str); @@ -4874,6 +4923,10 @@ OPENSSL_EXPORT int SSL_CTX_set1_sigalgs_list(SSL_CTX *ctx, const char *str);
// more convenient to codesearch for specific algorithm values. // more convenient to codesearch for specific algorithm values.
OPENSSL_EXPORT int SSL_set1_sigalgs_list(SSL *ssl, const char *str); OPENSSL_EXPORT int SSL_set1_sigalgs_list(SSL *ssl, const char *str);
@ -4349,7 +4361,7 @@ index 53aa9b453..ea01fd665 100644
#define SSL_set_app_data(s, arg) (SSL_set_ex_data(s, 0, (char *)(arg))) #define SSL_set_app_data(s, arg) (SSL_set_ex_data(s, 0, (char *)(arg)))
#define SSL_get_app_data(s) (SSL_get_ex_data(s, 0)) #define SSL_get_app_data(s) (SSL_get_ex_data(s, 0))
#define SSL_SESSION_set_app_data(s, a) \ #define SSL_SESSION_set_app_data(s, a) \
@@ -4926,7 +4967,6 @@ DEFINE_STACK_OF(SSL_COMP) @@ -4926,7 +4979,6 @@ DEFINE_STACK_OF(SSL_COMP)
#define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0 #define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0
#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0 #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0
#define SSL_OP_NO_COMPRESSION 0 #define SSL_OP_NO_COMPRESSION 0
@ -4357,7 +4369,7 @@ index 53aa9b453..ea01fd665 100644
#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0 #define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0
#define SSL_OP_NO_SSLv2 0 #define SSL_OP_NO_SSLv2 0
#define SSL_OP_NO_SSLv3 0 #define SSL_OP_NO_SSLv3 0
@@ -5779,6 +5819,7 @@ BSSL_NAMESPACE_END @@ -5779,6 +5831,7 @@ BSSL_NAMESPACE_END
#define SSL_R_ECH_REJECTED 319 #define SSL_R_ECH_REJECTED 319
#define SSL_R_INVALID_OUTER_EXTENSION 320 #define SSL_R_INVALID_OUTER_EXTENSION 320
#define SSL_R_INCONSISTENT_ECH_NEGOTIATION 321 #define SSL_R_INCONSISTENT_ECH_NEGOTIATION 321
@ -6322,7 +6334,7 @@ index 09a9ad380..9c583b5ec 100644
return nullptr; return nullptr;
} }
diff --git a/src/ssl/ssl_lib.cc b/src/ssl/ssl_lib.cc diff --git a/src/ssl/ssl_lib.cc b/src/ssl/ssl_lib.cc
index 838761af5..d187cf56c 100644 index 838761af5..6f96d6eee 100644
--- a/src/ssl/ssl_lib.cc --- a/src/ssl/ssl_lib.cc
+++ b/src/ssl/ssl_lib.cc +++ b/src/ssl/ssl_lib.cc
@@ -537,7 +537,8 @@ ssl_ctx_st::ssl_ctx_st(const SSL_METHOD *ssl_method) @@ -537,7 +537,8 @@ ssl_ctx_st::ssl_ctx_st(const SSL_METHOD *ssl_method)
@ -6369,7 +6381,7 @@ index 838761af5..d187cf56c 100644
assert(ssl); assert(ssl);
} }
@@ -2134,6 +2140,28 @@ void SSL_enable_ocsp_stapling(SSL *ssl) { @@ -2134,6 +2140,46 @@ void SSL_enable_ocsp_stapling(SSL *ssl) {
ssl->config->ocsp_stapling_enabled = true; ssl->config->ocsp_stapling_enabled = true;
} }
@ -6394,11 +6406,29 @@ index 838761af5..d187cf56c 100644
+void SSL_CTX_set_key_shares_limit(SSL_CTX *ctx, uint8_t limit) { +void SSL_CTX_set_key_shares_limit(SSL_CTX *ctx, uint8_t limit) {
+ ctx->key_shares_limit = limit; + ctx->key_shares_limit = limit;
+} +}
+
+void SSL_CTX_set_aes_hw_override(SSL_CTX *ctx, int override_value) {
+ if (!ctx) {
+ return;
+ }
+
+ ctx->aes_hw_override = true;
+ ctx->aes_hw_override_value = !!override_value;
+}
+
+void SSL_set_aes_hw_override(SSL *ssl, int override_value) {
+ if (!ssl->config) {
+ return;
+ }
+
+ ssl->config->aes_hw_override = true;
+ ssl->config->aes_hw_override_value = !!override_value;
+}
+ +
void SSL_get0_signed_cert_timestamp_list(const SSL *ssl, const uint8_t **out, void SSL_get0_signed_cert_timestamp_list(const SSL *ssl, const uint8_t **out,
size_t *out_len) { size_t *out_len) {
SSL_SESSION *session = SSL_get_session(ssl); SSL_SESSION *session = SSL_get_session(ssl);
@@ -2327,6 +2355,13 @@ int SSL_has_application_settings(const SSL *ssl) { @@ -2327,6 +2373,13 @@ int SSL_has_application_settings(const SSL *ssl) {
return session && session->has_application_settings; return session && session->has_application_settings;
} }
@ -6412,7 +6442,7 @@ index 838761af5..d187cf56c 100644
int SSL_CTX_add_cert_compression_alg(SSL_CTX *ctx, uint16_t alg_id, int SSL_CTX_add_cert_compression_alg(SSL_CTX *ctx, uint16_t alg_id,
ssl_cert_compression_func_t compress, ssl_cert_compression_func_t compress,
ssl_cert_decompression_func_t decompress) { ssl_cert_decompression_func_t decompress) {
@@ -2939,6 +2974,24 @@ void SSL_set_permute_extensions(SSL *ssl, int enabled) { @@ -2939,6 +2992,24 @@ void SSL_set_permute_extensions(SSL *ssl, int enabled) {
ssl->config->permute_extensions = !!enabled; ssl->config->permute_extensions = !!enabled;
} }
@ -6437,7 +6467,7 @@ index 838761af5..d187cf56c 100644
int32_t SSL_get_ticket_age_skew(const SSL *ssl) { int32_t SSL_get_ticket_age_skew(const SSL *ssl) {
return ssl->s3->ticket_age_skew; return ssl->s3->ticket_age_skew;
} }
@@ -3151,7 +3204,7 @@ namespace fips202205 { @@ -3151,7 +3222,7 @@ namespace fips202205 {
// Section 3.3.1 // Section 3.3.1
// "The server shall be configured to only use cipher suites that are // "The server shall be configured to only use cipher suites that are
// composed entirely of NIST approved algorithms" // composed entirely of NIST approved algorithms"

7
boring/src/ssl/connector.rs
View File

@ -275,6 +275,13 @@ impl ConnectConfiguration {
unsafe { ffi::SSL_set_enable_ech_grease(self.as_ptr(), enable as _) } unsafe { ffi::SSL_set_enable_ech_grease(self.as_ptr(), enable as _) }
} }
/// Sets whether the aes hardware override should be enabled.
#[cfg(not(feature = "fips"))]
#[corresponds(SSL_set_aes_hw_override)]
pub fn set_aes_hw_override(&mut self, enable: bool) {
unsafe { ffi::SSL_set_aes_hw_override(self.as_ptr(), enable as _) }
}
/// Adds application settings. /// Adds application settings.
/// ///
/// # Arguments /// # Arguments

7
boring/src/ssl/mod.rs
View File

@ -1863,6 +1863,13 @@ impl SslContextBuilder {
unsafe { ffi::SSL_CTX_set_key_shares_limit(self.as_ptr(), limit as _) } unsafe { ffi::SSL_CTX_set_key_shares_limit(self.as_ptr(), limit as _) }
} }
/// Sets whether the aes hardware override should be enabled.
#[cfg(not(feature = "fips"))]
#[corresponds(SSL_CTX_set_aes_hw_override)]
pub fn set_aes_hw_override(&mut self, enable: bool) {
unsafe { ffi::SSL_CTX_set_aes_hw_override(self.as_ptr(), enable as _) }
}
/// Sets whether the context should enable there key share extension. /// Sets whether the context should enable there key share extension.
#[deprecated(since = "4.13.8", note = "use `set_key_shares_limit` instead")] #[deprecated(since = "4.13.8", note = "use `set_key_shares_limit` instead")]
#[corresponds(SSL_CTX_set_key_shares_limit)] #[corresponds(SSL_CTX_set_key_shares_limit)]