feat: Expose extended sorting from indices (#29)

0x676e67 2024-12-20 14:18:16 +08:00 committed by GitHub
parent f9a7334f54
commit f8e01e3d0c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 73 additions and 31 deletions


@ -4874,7 +4874,7 @@ index ebb075351..17fcaa13c 100644
"Not all ciphers are included in the cipher order"); "Not all ciphers are included in the cipher order");
diff --git a/src/ssl/ssl_key_share.cc b/src/ssl/ssl_key_share.cc diff --git a/src/ssl/ssl_key_share.cc b/src/ssl/ssl_key_share.cc
index 09a9ad380..a972e8dd1 100644 index 09a9ad380..9c583b5ec 100644
--- a/src/ssl/ssl_key_share.cc --- a/src/ssl/ssl_key_share.cc
+++ b/src/ssl/ssl_key_share.cc +++ b/src/ssl/ssl_key_share.cc
@@ -26,6 +26,7 @@ @@ -26,6 +26,7 @@
@ -5463,7 +5463,7 @@ index 09a9ad380..a972e8dd1 100644
+ {NID_X25519MLKEM768, SSL_CURVE_X25519_MLKEM768, + {NID_X25519MLKEM768, SSL_CURVE_X25519_MLKEM768,
+ "X25519MLKEM768", "X25519MLKEM768"}, + "X25519MLKEM768", "X25519MLKEM768"},
+ +
+ //unspport group but add them + // This is fake group id
+ {NID_ffdhe2048, SSL_CURVE_DHE2048, "dhe2048", "ffdhe2048"}, + {NID_ffdhe2048, SSL_CURVE_DHE2048, "dhe2048", "ffdhe2048"},
+ {NID_ffdhe3072, SSL_CURVE_DHE3072, "dhe3072", "ffdhe3072"}, + {NID_ffdhe3072, SSL_CURVE_DHE3072, "dhe3072", "ffdhe3072"},
}; };


@ -568,6 +568,49 @@ impl ExtensionType {
pub const NEXT_PROTO_NEG: Self = Self(ffi::TLSEXT_TYPE_next_proto_neg as u16); pub const NEXT_PROTO_NEG: Self = Self(ffi::TLSEXT_TYPE_next_proto_neg as u16);
pub const CHANNEL_ID: Self = Self(ffi::TLSEXT_TYPE_channel_id as u16); pub const CHANNEL_ID: Self = Self(ffi::TLSEXT_TYPE_channel_id as u16);
pub const RECORD_SIZE_LIMIT: Self = Self(ffi::TLSEXT_TYPE_record_size_limit as u16); pub const RECORD_SIZE_LIMIT: Self = Self(ffi::TLSEXT_TYPE_record_size_limit as u16);
/// The permutation of extension types used by BoringSSL.
pub const BORING_SSLEXTENSION_PERMUTATION: [ExtensionType; 25] = [
ExtensionType::SERVER_NAME,
ExtensionType::ENCRYPTED_CLIENT_HELLO,
ExtensionType::EXTENDED_MASTER_SECRET,
ExtensionType::RENEGOTIATE,
ExtensionType::SUPPORTED_GROUPS,
ExtensionType::EC_POINT_FORMATS,
ExtensionType::SESSION_TICKET,
ExtensionType::APPLICATION_LAYER_PROTOCOL_NEGOTIATION,
ExtensionType::STATUS_REQUEST,
ExtensionType::SIGNATURE_ALGORITHMS,
ExtensionType::NEXT_PROTO_NEG,
ExtensionType::CERTIFICATE_TIMESTAMP,
ExtensionType::CHANNEL_ID,
ExtensionType::SRTP,
ExtensionType::KEY_SHARE,
ExtensionType::PSK_KEY_EXCHANGE_MODES,
ExtensionType::EARLY_DATA,
ExtensionType::SUPPORTED_VERSIONS,
ExtensionType::COOKIE,
ExtensionType::QUIC_TRANSPORT_PARAMETERS_STANDARD,
ExtensionType::QUIC_TRANSPORT_PARAMETERS_LEGACY,
ExtensionType::CERT_COMPRESSION,
ExtensionType::DELEGATED_CREDENTIAL,
ExtensionType::APPLICATION_SETTINGS,
ExtensionType::RECORD_SIZE_LIMIT,
];
fn has_duplicates(indices: &[u8]) -> bool {
if indices.len() > ExtensionType::BORING_SSLEXTENSION_PERMUTATION.len() {
return true;
}
for i in 0..indices.len() {
for j in i + 1..indices.len() {
if indices[i] == indices[j] {
return true;
}
}
}
false
}
} }
impl From<u16> for ExtensionType { impl From<u16> for ExtensionType {
@ -1888,43 +1931,18 @@ impl SslContextBuilder {
unsafe { ffi::SSL_CTX_set_key_shares_limit(self.as_ptr(), limit as _) } unsafe { ffi::SSL_CTX_set_key_shares_limit(self.as_ptr(), limit as _) }
} }
/// Sets the indices of the extensions to be permuted.
///
/// The indices must be in the range [0, 25).
#[corresponds(SSL_CTX_set_extension_permutation)] #[corresponds(SSL_CTX_set_extension_permutation)]
#[cfg(not(feature = "fips-compat"))] #[cfg(not(feature = "fips-compat"))]
pub fn set_extension_permutation( pub fn set_extension_permutation(
&mut self, &mut self,
shuffled: &[ExtensionType], shuffled: &[ExtensionType],
) -> Result<(), ErrorStack> { ) -> Result<(), ErrorStack> {
const BORING_SSLEXTENSION_PERMUTATION: [ExtensionType; 25] = [
ExtensionType::SERVER_NAME,
ExtensionType::ENCRYPTED_CLIENT_HELLO,
ExtensionType::EXTENDED_MASTER_SECRET,
ExtensionType::RENEGOTIATE,
ExtensionType::SUPPORTED_GROUPS,
ExtensionType::EC_POINT_FORMATS,
ExtensionType::SESSION_TICKET,
ExtensionType::APPLICATION_LAYER_PROTOCOL_NEGOTIATION,
ExtensionType::STATUS_REQUEST,
ExtensionType::SIGNATURE_ALGORITHMS,
ExtensionType::NEXT_PROTO_NEG,
ExtensionType::CERTIFICATE_TIMESTAMP,
ExtensionType::CHANNEL_ID,
ExtensionType::SRTP,
ExtensionType::KEY_SHARE,
ExtensionType::PSK_KEY_EXCHANGE_MODES,
ExtensionType::EARLY_DATA,
ExtensionType::SUPPORTED_VERSIONS,
ExtensionType::COOKIE,
ExtensionType::QUIC_TRANSPORT_PARAMETERS_STANDARD,
ExtensionType::QUIC_TRANSPORT_PARAMETERS_LEGACY,
ExtensionType::CERT_COMPRESSION,
ExtensionType::DELEGATED_CREDENTIAL,
ExtensionType::APPLICATION_SETTINGS,
ExtensionType::RECORD_SIZE_LIMIT,
];
let mut indices = Vec::with_capacity(shuffled.len()); let mut indices = Vec::with_capacity(shuffled.len());
for &ext in shuffled { for &ext in shuffled {
if let Some(index) = BORING_SSLEXTENSION_PERMUTATION if let Some(index) = ExtensionType::BORING_SSLEXTENSION_PERMUTATION
.iter() .iter()
.position(|&e| e == ext) .position(|&e| e == ext)
{ {
@ -1932,6 +1950,30 @@ impl SslContextBuilder {
} }
} }
if ExtensionType::has_duplicates(&indices) {
return Ok(());
}
unsafe {
cvt(ffi::SSL_CTX_set_extension_permutation(
self.as_ptr(),
indices.as_ptr() as *const _,
indices.len() as _,
))
.map(|_| ())
}
}
/// Sets the indices of the extensions to be permuted.
///
/// The indices must be in the range [0, 25).
#[corresponds(SSL_CTX_set_extension_permutation)]
#[cfg(not(feature = "fips-compat"))]
pub fn set_extension_permutation_indices(&mut self, indices: &[u8]) -> Result<(), ErrorStack> {
if ExtensionType::has_duplicates(&indices) {
return Ok(());
}
unsafe { unsafe {
cvt(ffi::SSL_CTX_set_extension_permutation( cvt(ffi::SSL_CTX_set_extension_permutation(
self.as_ptr(), self.as_ptr(),