min
/
boring2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

chore: Disable extended permutation deduplication verification (#30) 

* chore: Disable extended permutation deduplication verification

* Update docs
This commit is contained in:
0x676e67 2024-12-20 14:38:42 +08:00 committed by GitHub
parent f8e01e3d0c
commit d6e1792a7f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 9 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
boring/src/ssl/mod.rs
View File

@ -597,20 +597,6 @@ impl ExtensionType {
ExtensionType::APPLICATION_SETTINGS, ExtensionType::APPLICATION_SETTINGS,
ExtensionType::RECORD_SIZE_LIMIT, ExtensionType::RECORD_SIZE_LIMIT,
]; ];
fn has_duplicates(indices: &[u8]) -> bool {
if indices.len() > ExtensionType::BORING_SSLEXTENSION_PERMUTATION.len() {
return true;
}
for i in 0..indices.len() {
for j in i + 1..indices.len() {
if indices[i] == indices[j] {
return true;
}
}
}
false
}
} }
impl From<u16> for ExtensionType { impl From<u16> for ExtensionType {
@ -1934,12 +1920,18 @@ impl SslContextBuilder {
/// Sets the indices of the extensions to be permuted. /// Sets the indices of the extensions to be permuted.
/// ///
/// The indices must be in the range [0, 25). /// The indices must be in the range [0, 25).
/// Extension duplication will be verified by the user.
/// If duplication occurs, TLS connection failure may occur.
#[corresponds(SSL_CTX_set_extension_permutation)] #[corresponds(SSL_CTX_set_extension_permutation)]
#[cfg(not(feature = "fips-compat"))] #[cfg(not(feature = "fips-compat"))]
pub fn set_extension_permutation( pub fn set_extension_permutation(
&mut self, &mut self,
shuffled: &[ExtensionType], shuffled: &[ExtensionType],
) -> Result<(), ErrorStack> { ) -> Result<(), ErrorStack> {
if shuffled.len() > ExtensionType::BORING_SSLEXTENSION_PERMUTATION.len() {
return Ok(());
}
let mut indices = Vec::with_capacity(shuffled.len()); let mut indices = Vec::with_capacity(shuffled.len());
for &ext in shuffled { for &ext in shuffled {
if let Some(index) = ExtensionType::BORING_SSLEXTENSION_PERMUTATION if let Some(index) = ExtensionType::BORING_SSLEXTENSION_PERMUTATION
@ -1950,10 +1942,6 @@ impl SslContextBuilder {
} }
} }
if ExtensionType::has_duplicates(&indices) {
return Ok(());
}
unsafe { unsafe {
cvt(ffi::SSL_CTX_set_extension_permutation( cvt(ffi::SSL_CTX_set_extension_permutation(
self.as_ptr(), self.as_ptr(),
@ -1967,10 +1955,12 @@ impl SslContextBuilder {
/// Sets the indices of the extensions to be permuted. /// Sets the indices of the extensions to be permuted.
/// ///
/// The indices must be in the range [0, 25). /// The indices must be in the range [0, 25).
/// Extension duplication will be verified by the user.
/// If duplication occurs, TLS connection failure may occur.
#[corresponds(SSL_CTX_set_extension_permutation)] #[corresponds(SSL_CTX_set_extension_permutation)]
#[cfg(not(feature = "fips-compat"))] #[cfg(not(feature = "fips-compat"))]
pub fn set_extension_permutation_indices(&mut self, indices: &[u8]) -> Result<(), ErrorStack> { pub fn set_extension_permutation_indices(&mut self, indices: &[u8]) -> Result<(), ErrorStack> {
if ExtensionType::has_duplicates(&indices) { if indices.len() > ExtensionType::BORING_SSLEXTENSION_PERMUTATION.len() {
return Ok(()); return Ok(());
} }