feat(tls): implement ciphers and TLS version filtering options

chessbyte · chessbyte · commit f5e0a3638962 · 2025-12-13T13:09:12.000-05:00
- Add min_version/max_version options to filter TLS protocol versions
- Add ciphers option to filter cipher suites using OpenSSL-style names
- Implement reverse mapping from OpenSSL cipher names to rustls suites
- Update build_client_config to apply cipher and version filtering
diff --git a/modules/llrt_tls/src/config.rs b/modules/llrt_tls/src/config.rs
@@ -6,13 +6,94 @@ use once_cell::sync::Lazy;
 use rustls::{
     crypto::ring,
     pki_types::{pem::PemObject, CertificateDer, PrivateKeyDer},
-    ClientConfig, RootCertStore, SupportedProtocolVersion,
+    CipherSuite, ClientConfig, RootCertStore, SupportedCipherSuite, SupportedProtocolVersion,
 };
 #[cfg(feature = "webpki-roots")]
 use webpki_roots::TLS_SERVER_ROOTS;
 
 use crate::no_verification::NoCertificateVerification;
 
+/// Parse TLS version string to rustls SupportedProtocolVersion
+fn parse_tls_version(version: &str) -> Option<&'static SupportedProtocolVersion> {
+    match version {
+        "TLSv1.2" | "TLSv1_2" => Some(&rustls::version::TLS12),
+        "TLSv1.3" | "TLSv1_3" => Some(&rustls::version::TLS13),
+        _ => None,
+    }
+}
+
+/// Get TLS versions filtered by min/max version options
+fn get_filtered_tls_versions(
+    min_version: Option<&str>,
+    max_version: Option<&str>,
+) -> Option<Vec<&'static SupportedProtocolVersion>> {
+    // All supported versions in order (oldest to newest)
+    const ALL_VERSIONS: [&SupportedProtocolVersion; 2] =
+        [&rustls::version::TLS12, &rustls::version::TLS13];
+
+    let min_idx = min_version
+        .and_then(parse_tls_version)
+        .and_then(|v| ALL_VERSIONS.iter().position(|&x| std::ptr::eq(x, v)))
+        .unwrap_or(0);
+
+    let max_idx = max_version
+        .and_then(parse_tls_version)
+        .and_then(|v| ALL_VERSIONS.iter().position(|&x| std::ptr::eq(x, v)))
+        .unwrap_or(ALL_VERSIONS.len() - 1);
+
+    if min_idx > max_idx {
+        return None; // Invalid range
+    }
+
+    let versions: Vec<_> = ALL_VERSIONS[min_idx..=max_idx].to_vec();
+    if versions.is_empty() {
+        None
+    } else {
+        Some(versions)
+    }
+}
+
+/// Parse OpenSSL-style cipher name to rustls CipherSuite
+fn openssl_name_to_cipher_suite(name: &str) -> Option<CipherSuite> {
+    use CipherSuite::*;
+    match name.trim() {
+        // TLS 1.3 cipher suites
+        "TLS_AES_256_GCM_SHA384" => Some(TLS13_AES_256_GCM_SHA384),
+        "TLS_AES_128_GCM_SHA256" => Some(TLS13_AES_128_GCM_SHA256),
+        "TLS_CHACHA20_POLY1305_SHA256" => Some(TLS13_CHACHA20_POLY1305_SHA256),
+        // TLS 1.2 cipher suites
+        "ECDHE-ECDSA-AES256-GCM-SHA384" => Some(TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384),
+        "ECDHE-ECDSA-AES128-GCM-SHA256" => Some(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256),
+        "ECDHE-ECDSA-CHACHA20-POLY1305" => Some(TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256),
+        "ECDHE-RSA-AES256-GCM-SHA384" => Some(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384),
+        "ECDHE-RSA-AES128-GCM-SHA256" => Some(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256),
+        "ECDHE-RSA-CHACHA20-POLY1305" => Some(TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256),
+        _ => None,
+    }
+}
+
+/// Filter cipher suites based on OpenSSL-style cipher string
+fn filter_cipher_suites(
+    cipher_string: &str,
+    available: &[SupportedCipherSuite],
+) -> Vec<SupportedCipherSuite> {
+    // Parse cipher string (colon or comma separated)
+    let requested: Vec<CipherSuite> = cipher_string
+        .split([':', ','])
+        .filter_map(openssl_name_to_cipher_suite)
+        .collect();
+
+    if requested.is_empty() {
+        return available.to_vec();
+    }
+
+    // Filter available suites to only those requested, preserving requested order
+    requested
+        .iter()
+        .filter_map(|&suite| available.iter().find(|s| s.suite() == suite).copied())
+        .collect()
+}
+
 static EXTRA_CA_CERTS: OnceLock<Vec<CertificateDer<'static>>> = OnceLock::new();
 
 pub fn set_extra_ca_certs(certs: Vec<CertificateDer<'static>>) {
@@ -59,11 +140,12 @@ pub struct BuildClientConfigOptions {
     pub key: Option<Vec<u8>>,
     /// Key log callback for debugging TLS connections
     pub key_log: Option<Arc<dyn rustls::KeyLog>>,
-    /// Cipher suites (OpenSSL format) - currently unused, reserved for future
+    /// Cipher suites in OpenSSL format (colon or comma separated)
+    /// e.g., "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"
     pub ciphers: Option<String>,
-    /// Minimum TLS version (e.g., "TLSv1.2") - currently unused, reserved for future
+    /// Minimum TLS version: "TLSv1.2" or "TLSv1.3"
     pub min_version: Option<String>,
-    /// Maximum TLS version (e.g., "TLSv1.3") - currently unused, reserved for future
+    /// Maximum TLS version: "TLSv1.2" or "TLSv1.3"
     pub max_version: Option<String>,
 }
 
@@ -85,14 +167,42 @@ impl Default for BuildClientConfigOptions {
 pub fn build_client_config(
     options: BuildClientConfigOptions,
 ) -> Result<ClientConfig, Box<dyn std::error::Error + Send + Sync>> {
-    let provider = Arc::new(ring::default_provider());
+    let default_provider = ring::default_provider();
+
+    // Filter cipher suites if specified
+    let provider = if let Some(ref cipher_string) = options.ciphers {
+        let filtered = filter_cipher_suites(cipher_string, &default_provider.cipher_suites);
+        if filtered.is_empty() {
+            Arc::new(default_provider)
+        } else {
+            Arc::new(rustls::crypto::CryptoProvider {
+                cipher_suites: filtered,
+                ..default_provider
+            })
+        }
+    } else {
+        Arc::new(default_provider)
+    };
+
     let builder = ClientConfig::builder_with_provider(provider.clone());
 
-    // TLS versions
-    let builder = match get_tls_versions() {
-        Some(versions) => builder.with_protocol_versions(&versions),
-        None => builder.with_safe_default_protocol_versions(),
-    }?;
+    // TLS versions - check options first, then global setting, then defaults
+    let builder = if options.min_version.is_some() || options.max_version.is_some() {
+        // Use per-connection version filtering
+        match get_filtered_tls_versions(
+            options.min_version.as_deref(),
+            options.max_version.as_deref(),
+        ) {
+            Some(versions) => builder.with_protocol_versions(&versions)?,
+            None => builder.with_safe_default_protocol_versions()?,
+        }
+    } else {
+        // Fall back to global TLS version setting
+        match get_tls_versions() {
+            Some(versions) => builder.with_protocol_versions(&versions)?,
+            None => builder.with_safe_default_protocol_versions()?,
+        }
+    };
 
     // Certificate verification
     let builder = if !options.reject_unauthorized {
