Watfaq · ibigbug · Dec 31, 2023 · Dec 31, 2023 · Dec 31, 2023 · Dec 31, 2023
diff --git a/.cargo/config b/.cargo/config
@@ -3,7 +3,6 @@ target-dir = "target"
 rustflags = ["--cfg", "tokio_unstable"]
 
 [env]
-BORING_BSSL_SOURCE_PATH = { value = "deps/boringssl/src", relative = true}
 RUST_LOG = { value = "clash=trace" }
 
 [target.aarch64-unknown-linux-gnu]

diff --git a/.gitmodules b/.gitmodules
@@ -1,3 +0,0 @@
-[submodule "deps/boringssl/src"] 
-  path = deps/boringssl/src
-  url = https://github.com/google/boringssl.git

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/clash_lib/Cargo.toml b/clash_lib/Cargo.toml
@@ -12,7 +12,6 @@ bench = ["criterion"]
 [dependencies]
 tokio = { version = "1", features = ["full"] }
 tokio-util = { version = "0.7", features = ["net", "codec", "io", "compat"] }
-tokio-rustls = "0.24"
 thiserror = "1.0"
 async-trait = "0.1"
 anyhow = "1.0"
@@ -35,10 +34,11 @@ foreign-types-shared = "0.3.1"
 network-interface = "1.1.1"
 base64 = "0.21"
 uuid = { version = "1.6.1", features = ["v4", "fast-rng", "macro-diagnostics", "serde"] }
-boring = { git = "https://github.com/Watfaq/boring.git", rev = "58d5e7c66b537989bde45d20ce54aff11de1bcea" }
-boring-sys = { git = "https://github.com/Watfaq/boring.git", rev = "58d5e7c66b537989bde45d20ce54aff11de1bcea" }
-hyper-boring = { git = "https://github.com/Watfaq/boring.git", rev = "58d5e7c66b537989bde45d20ce54aff11de1bcea" }
-tokio-boring = { git = "https://github.com/Watfaq/boring.git", rev = "58d5e7c66b537989bde45d20ce54aff11de1bcea" }
+boring = "4.2.0"
+boring-sys = "4.2.0"
+hyper-boring = "4.2.0"
+tokio-boring = "4.2.0"
+
 ip_network_table-deps-treebitmap = "0.5.0"
 once_cell = "1.18.0"
 
@@ -54,7 +54,9 @@ hmac = "0.12.1"
 sha2 = "0.10.8"
 md-5 = "0.10.5"
 chacha20poly1305 = "0.10"
+aes = "0.8.3"
 aes-gcm = "0.10"
+cfb-mode = "0.8.2"
 filetime = "0.2"
 axum = { version = "0.7", features = ["ws"] }
 tower-http = { version = "0.5.0", features = ["fs", "trace", "cors"] }
@@ -78,6 +80,7 @@ hickory-server = { version = "0.24", features = ["dns-over-rustls", "dns-over-ht
 hickory-proto = { version = "0.24", features = ["dns-over-rustls", "dns-over-https-rustls"]}
 
 # DoH
+# ideally we should make a CryptoProvider with boringssl and get rid of rings
 rustls = { version  = "0.21", features=["dangerous_configuration"] }
 rustls-pemfile = "1.0.4"
 webpki-roots = "0.25"

diff --git a/clash_lib/src/common/crypto.rs b/clash_lib/src/common/crypto.rs
@@ -2,153 +2,43 @@ use std::ffi::CStr;
 
 use crate::Error;
 
+use aes::cipher::{AsyncStreamCipher, KeyIvInit};
 use aes_gcm::aes::cipher::Unsigned;
 use aes_gcm::{AeadInPlace, KeyInit};
 
-pub fn aes_cfb_encrypt(key: &[u8], iv: &[u8], data: &mut Vec<u8>) -> anyhow::Result<()> {
-    unsafe {
-        data.reserve(boring_sys::EVP_MAX_BLOCK_LENGTH as _);
-        let ctx = boring_sys::EVP_CIPHER_CTX_new();
-        let rv = boring_sys::EVP_EncryptInit_ex(
-            ctx,
-            match key.len() {
-                16 => boring_sys::EVP_aes_128_cfb(),
-                24 => boring_sys::EVP_aes_192_cfb(),
-                32 => boring_sys::EVP_aes_256_cfb(),
-                _ => anyhow::bail!("invalid key length"),
-            },
-            std::ptr::null_mut(),
-            key.as_ptr(),
-            iv.as_ptr(),
-        );
-
-        if rv != 1 {
-            boring_sys::EVP_CIPHER_CTX_free(ctx);
-            return Err(Error::Crypto(
-                CStr::from_ptr(
-                    boring_sys::ERR_reason_error_string(boring_sys::ERR_get_error()) as _,
-                )
-                .to_str()
-                .expect("openssl error string is not utf8")
-                .to_owned(),
-            )
-            .into());
+pub fn aes_cfb_encrypt(key: &[u8], iv: &[u8], data: &mut [u8]) -> anyhow::Result<()> {
+    match key.len() {
+        16 => {
+            cfb_mode::Encryptor::<aes::Aes128>::new(key.into(), iv.into()).encrypt(data);
+            Ok(())
         }
-
-        let mut out_len = 0;
-        let rv = boring_sys::EVP_EncryptUpdate(
-            ctx,
-            data.as_mut_ptr(),
-            &mut out_len,
-            data.as_ptr(),
-            data.len() as _,
-        );
-
-        if rv != 1 {
-            boring_sys::EVP_CIPHER_CTX_free(ctx);
-            return Err(Error::Crypto(
-                CStr::from_ptr(
-                    boring_sys::ERR_reason_error_string(boring_sys::ERR_get_error()) as _,
-                )
-                .to_str()
-                .expect("openssl error string is not utf8")
-                .to_owned(),
-            )
-            .into());
+        24 => {
+            cfb_mode::Encryptor::<aes::Aes192>::new(key.into(), iv.into()).encrypt(data);
+            Ok(())
         }
-
-        let rv = boring_sys::EVP_EncryptFinal_ex(
-            ctx,
-            data.as_mut_ptr().offset(out_len as _),
-            &mut out_len,
-        );
-        boring_sys::EVP_CIPHER_CTX_free(ctx);
-
-        return if rv != 1 {
-            Err(Error::Crypto(
-                CStr::from_ptr(
-                    boring_sys::ERR_reason_error_string(boring_sys::ERR_get_error()) as _,
-                )
-                .to_str()
-                .expect("openssl error string is not utf8")
-                .to_owned(),
-            )
-            .into())
-        } else {
+        32 => {
+            cfb_mode::Encryptor::<aes::Aes256>::new(key.into(), iv.into()).encrypt(data);
             Ok(())
-        };
+        }
+        _ => anyhow::bail!("invalid key length"),
     }
 }
 
-pub fn aes_cfb_decrypt(key: &[u8], iv: &[u8], data: &mut Vec<u8>) -> anyhow::Result<()> {
-    unsafe {
-        let ctx = boring_sys::EVP_CIPHER_CTX_new();
-        let rv = boring_sys::EVP_DecryptInit_ex(
-            ctx,
-            match key.len() {
-                16 => boring_sys::EVP_aes_128_cfb(),
-                24 => boring_sys::EVP_aes_192_cfb(),
-                32 => boring_sys::EVP_aes_256_cfb(),
-                _ => anyhow::bail!("invalid key length"),
-            },
-            std::ptr::null_mut(),
-            key.as_ptr(),
-            iv.as_ptr(),
-        );
-
-        if rv != 1 {
-            return Err(Error::Crypto(
-                CStr::from_ptr(
-                    boring_sys::ERR_reason_error_string(boring_sys::ERR_get_error()) as _,
-                )
-                .to_str()
-                .expect("openssl error string is not utf8")
-                .to_owned(),
-            )
-            .into());
+pub fn aes_cfb_decrypt(key: &[u8], iv: &[u8], data: &mut [u8]) -> anyhow::Result<()> {
+    match key.len() {
+        16 => {
+            cfb_mode::Decryptor::<aes::Aes128>::new(key.into(), iv.into()).decrypt(data);
+            Ok(())
         }
-
-        let mut out_len = 0;
-        let rv = boring_sys::EVP_DecryptUpdate(
-            ctx,
-            data.as_mut_ptr(),
-            &mut out_len,
-            data.as_ptr(),
-            data.len() as _,
-        );
-
-        if rv != 1 {
-            return Err(Error::Crypto(
-                CStr::from_ptr(
-                    boring_sys::ERR_reason_error_string(boring_sys::ERR_get_error()) as _,
-                )
-                .to_str()
-                .expect("openssl error string is not utf8")
-                .to_owned(),
-            )
-            .into());
+        24 => {
+            cfb_mode::Decryptor::<aes::Aes192>::new(key.into(), iv.into()).decrypt(data);
+            Ok(())
         }
-
-        let rv = boring_sys::EVP_DecryptFinal_ex(
-            ctx,
-            data.as_mut_ptr().offset(out_len as _),
-            &mut out_len,
-        );
-        boring_sys::EVP_CIPHER_CTX_free(ctx);
-
-        return if rv != 1 {
-            Err(Error::Crypto(
-                CStr::from_ptr(
-                    boring_sys::ERR_reason_error_string(boring_sys::ERR_get_error()) as _,
-                )
-                .to_str()
-                .expect("openssl error string is not utf8")
-                .to_owned(),
-            )
-            .into())
-        } else {
+        32 => {
+            cfb_mode::Decryptor::<aes::Aes256>::new(key.into(), iv.into()).decrypt(data);
             Ok(())
-        };
+        }
+        _ => anyhow::bail!("invalid key length"),
     }
 }
 

diff --git a/clash_lib/src/lib.rs b/clash_lib/src/lib.rs
@@ -471,12 +471,11 @@ mod tests {
     use std::time::Duration;
 
     #[test]
-    #[ignore]
     fn start_and_stop() {
         let conf = r#"
         socks-port: 7891
         bind-address: 127.0.0.1
-        mmdb: "clash_lib/tests/data/Country.mmdb"
+        mmdb: "tests/data/Country.mmdb"
         "#;
 
         let handle = thread::spawn(|| {