Rebase: Added API for setting cipher suites in TLSConfiguration (#293)

* Rebase: Added API for setting cipher suites in TLSConfiguration

Motivation:

Issue-207 for adding an API for setting a cipher suite while also preserving the string based declaration.
Additions to TLSConfiguration and SSLContext to allow safe access to ciphers on a context.

Modifications:

Additions to TLSConfiguration and SSLContext to allow safe access to ciphers on a context.
Added test cases in TLSConfigurationTest.

Result:

Additional API for Issue-207.
Simplified and safer access to STACK_OF(SSL_CIPHER) on a context.

* Addressed all feedback expect for memberwise init.

Motivation:

Addressed all feedback from previous feedback except for memberwise init.

Modifications:

Changes to SSLContext and TLS Configuration.

Result:

Resolved all feedback except for memberwise init.

* Addressed duplicating the memberwise init.

Motivation:

Addressing feedback for memberwise init.

Modifications:

Changes to TLSConfiguration init.

Result:

Reduced code surface.

* Added additional cipher suite tests

Motivation:

Added additional cipher suites tests per feedback.

Modifications:

Added tests to TLSConfigurationTests.

Result:

Additional cipher suite tests.

Co-authored-by: Johannes Weiss <[email protected]>

Author: agnosticdev

Sources/NIOSSL/SSLContext.swift

@@ -502,6 +502,90 @@ extension NIOSSLContext {
     }
 }
 
+// For accessing STACK_OF(SSL_CIPHER) from a SSLContext
+extension NIOSSLContext {
+    /// A collection of buffers representing a STACK_OF(SSL_CIPHER)
+    struct NIOTLSCipherBuffers {
+        private let basePointer: OpaquePointer
+
+        fileprivate init(basePointer: OpaquePointer) {
+            self.basePointer = basePointer
+        }
+    }
+
+    /// Invokes a block with a collection of pointers to STACK_OF(SSL_CIPHER).
+    ///
+    /// The pointers are only guaranteed to be valid for the duration of this call.  This method aligns with the RandomAccessCollection protocol
+    /// to access UInt16 pointers at a specific index.  This pointer is used to safely access id values of the cipher to create a new NIOTLSCipher.
+    fileprivate func withStackOfCipherSuiteBuffers<Result>(_ body: (NIOTLSCipherBuffers?) throws -> Result) rethrows -> Result {
+        guard let stackPointer = CNIOBoringSSL_SSL_CTX_get_ciphers(self.sslContext) else {
+            return try body(nil)
+        }
+        return try body(NIOTLSCipherBuffers(basePointer: stackPointer))
+    }
+
+    /// Access cipher suites applied to the context
+    internal var cipherSuites: [NIOTLSCipher] {
+        return self.withStackOfCipherSuiteBuffers { buffers in
+            guard let buffers = buffers else {
+                return []
+            }
+            return Array(buffers)
+        }
+    }
+}
+
+extension NIOSSLContext.NIOTLSCipherBuffers: RandomAccessCollection {
+    
+    struct Index: Hashable, Comparable, Strideable {
+        typealias Stride = Int
+
+        fileprivate var index: Int
+
+        fileprivate init(_ index: Int) {
+            self.index = index
+        }
+
+        static func < (lhs: Index, rhs: Index) -> Bool {
+            return lhs.index < rhs.index
+        }
+
+        func advanced(by n: NIOSSLContext.NIOTLSCipherBuffers.Index.Stride) -> NIOSSLContext.NIOTLSCipherBuffers.Index {
+            var result = self
+            result.index += n
+            return result
+        }
+
+        func distance(to other: NIOSSLContext.NIOTLSCipherBuffers.Index) -> NIOSSLContext.NIOTLSCipherBuffers.Index.Stride {
+            return other.index - self.index
+        }
+    }
+
+    typealias Element = NIOTLSCipher
+
+    var startIndex: Index {
+        return Index(0)
+    }
+
+    var endIndex: Index {
+        return Index(self.count)
+    }
+
+    var count: Int {
+        return CNIOBoringSSL_sk_SSL_CIPHER_num(self.basePointer)
+    }
+    
+    subscript(position: Index) -> NIOTLSCipher {
+        precondition(position < self.endIndex)
+        precondition(position >= self.startIndex)
+        guard let ptr = CNIOBoringSSL_sk_SSL_CIPHER_value(self.basePointer, position.index) else {
+            preconditionFailure("Unable to locate backing pointer.")
+        }
+        let cipherID = CNIOBoringSSL_SSL_CIPHER_get_protocol_id(ptr)
+        return NIOTLSCipher(cipherID)
+    }
+}
+
 extension Optional where Wrapped == String {
     internal func withCString<Result>(_ body: (UnsafePointer<CChar>?) throws -> Result) rethrows -> Result {
         switch self {

Sources/NIOSSL/TLSConfiguration.swift

@@ -81,6 +81,43 @@ public enum NIOSSLAdditionalTrustRoots {
     case certificates([NIOSSLCertificate])
 }
 
+/// Available ciphers to use for TLS instead of a string based representation.
+public struct NIOTLSCipher: RawRepresentable, Hashable {
+    public init(rawValue: UInt16) {
+        self.rawValue = rawValue
+    }
+    
+    public init(_ rawValue: RawValue) {
+        self.rawValue = rawValue
+    }
+    
+    public var rawValue: UInt16
+    public typealias RawValue = UInt16
+    
+    public static let TLS_RSA_WITH_AES_128_CBC_SHA                    = NIOTLSCipher(rawValue: 0x2F)
+    public static let TLS_RSA_WITH_AES_256_CBC_SHA                    = NIOTLSCipher(rawValue: 0x35)
+    public static let TLS_RSA_WITH_AES_128_GCM_SHA256                 = NIOTLSCipher(rawValue: 0x9C)
+    public static let TLS_RSA_WITH_AES_256_GCM_SHA384                 = NIOTLSCipher(rawValue: 0x9D)
+    public static let TLS_AES_128_GCM_SHA256                          = NIOTLSCipher(rawValue: 0x1301)
+    public static let TLS_AES_256_GCM_SHA384                          = NIOTLSCipher(rawValue: 0x1302)
+    public static let TLS_CHACHA20_POLY1305_SHA256                    = NIOTLSCipher(rawValue: 0x1303)
+    public static let TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA            = NIOTLSCipher(rawValue: 0xC009)
+    public static let TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA            = NIOTLSCipher(rawValue: 0xC00A)
+    public static let TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA              = NIOTLSCipher(rawValue: 0xC013)
+    public static let TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA              = NIOTLSCipher(rawValue: 0xC014)
+    public static let TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256         = NIOTLSCipher(rawValue: 0xC02B)
+    public static let TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384         = NIOTLSCipher(rawValue: 0xC02C)
+    public static let TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256           = NIOTLSCipher(rawValue: 0xC02F)
+    public static let TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384           = NIOTLSCipher(rawValue: 0xC030)
+    public static let TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256     = NIOTLSCipher(rawValue: 0xCCA8)
+    public static let TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256   = NIOTLSCipher(rawValue: 0xCCA9)
+    
+    var standardName: String {
+        let boringSSLCipher = CNIOBoringSSL_SSL_get_cipher_by_value(self.rawValue)
+        return String(cString: CNIOBoringSSL_SSL_CIPHER_standard_name(boringSSLCipher))
+    }
+}
+
 /// Formats NIOSSL supports for serializing keys and certificates.
 public enum NIOSSLSerializationFormats {
     case pem
@@ -200,7 +237,21 @@ public struct TLSConfiguration {
 
     /// The pre-TLS1.3 cipher suites supported by this handler. This uses the OpenSSL cipher string format.
     /// TLS 1.3 cipher suites cannot be configured.
-    public var cipherSuites: String
+    public var cipherSuites: String = defaultCipherSuites
+    
+    /// Public property used to set the internal cipherSuites from NIOTLSCipher.
+    public var cipherSuiteValues: [NIOTLSCipher] {
+        get {
+            guard let sslContext = try? NIOSSLContext(configuration: self) else {
+                return []
+            }
+            return sslContext.cipherSuites
+        }
+        set {
+            let assignedCiphers = newValue.map { $0.standardName }
+            self.cipherSuites = assignedCiphers.joined(separator: ":")
+        }
+    }
 
     /// Allowed algorithms to verify signatures. Passing nil means, that a built-in set of algorithms will be used.
     public var verifySignatureAlgorithms : [SignatureAlgorithm]?
@@ -252,7 +303,8 @@ public struct TLSConfiguration {
     /// Whether renegotiation is supported.
     public var renegotiationSupport: NIORenegotiationSupport
 
-    private init(cipherSuites: String,
+    private init(cipherSuiteValues: [NIOTLSCipher] = [],
+                 cipherSuites: String = defaultCipherSuites,
                  verifySignatureAlgorithms: [SignatureAlgorithm]?,
                  signingSignatureAlgorithms: [SignatureAlgorithm]?,
                  minimumTLSVersion: TLSVersion,
@@ -281,6 +333,42 @@ public struct TLSConfiguration {
         self.renegotiationSupport = renegotiationSupport
         self.applicationProtocols = applicationProtocols
         self.keyLogCallback = keyLogCallback
+        if !cipherSuiteValues.isEmpty {
+            self.cipherSuiteValues = cipherSuiteValues
+        }
+    }
+    
+    /// Create a TLS configuration for use with server-side contexts. This allows setting the `NIOTLSCipher` property specifically.
+    ///
+    /// This provides sensible defaults while requiring that you provide any data that is necessary
+    /// for server-side function. For client use, try `forClient` instead.
+    public static func forServer(certificateChain: [NIOSSLCertificateSource],
+                                 privateKey: NIOSSLPrivateKeySource,
+                                 cipherSuites: [NIOTLSCipher],
+                                 verifySignatureAlgorithms: [SignatureAlgorithm]? = nil,
+                                 signingSignatureAlgorithms: [SignatureAlgorithm]? = nil,
+                                 minimumTLSVersion: TLSVersion = .tlsv1,
+                                 maximumTLSVersion: TLSVersion? = nil,
+                                 certificateVerification: CertificateVerification = .none,
+                                 trustRoots: NIOSSLTrustRoots = .default,
+                                 applicationProtocols: [String] = [],
+                                 shutdownTimeout: TimeAmount = .seconds(5),
+                                 keyLogCallback: NIOSSLKeyLogCallback? = nil,
+                                 additionalTrustRoots: [NIOSSLAdditionalTrustRoots] = []) -> TLSConfiguration {
+        return TLSConfiguration(cipherSuiteValues: cipherSuites,
+                                verifySignatureAlgorithms: verifySignatureAlgorithms,
+                                signingSignatureAlgorithms: signingSignatureAlgorithms,
+                                minimumTLSVersion: minimumTLSVersion,
+                                maximumTLSVersion: maximumTLSVersion,
+                                certificateVerification: certificateVerification,
+                                trustRoots: trustRoots,
+                                certificateChain: certificateChain,
+                                privateKey: privateKey,
+                                applicationProtocols: applicationProtocols,
+                                shutdownTimeout: shutdownTimeout,
+                                keyLogCallback: keyLogCallback,
+                                renegotiationSupport: .none,  // Servers never support renegotiation: there's no point.
+                                additionalTrustRoots: additionalTrustRoots)
     }
 
     /// Create a TLS configuration for use with server-side contexts.
@@ -377,6 +465,40 @@ public struct TLSConfiguration {
                                 renegotiationSupport: .none,  // Servers never support renegotiation: there's no point.
                                 additionalTrustRoots: additionalTrustRoots)
     }
+    
+    /// Creates a TLS configuration for use with client-side contexts. This allows setting the `NIOTLSCipher` property specifically.
+    ///
+    /// This provides sensible defaults, and can be used without customisation. For server-side
+    /// contexts, you should use `forServer` instead.
+    public static func forClient(cipherSuites: [NIOTLSCipher],
+                                 verifySignatureAlgorithms: [SignatureAlgorithm]? = nil,
+                                 signingSignatureAlgorithms: [SignatureAlgorithm]? = nil,
+                                 minimumTLSVersion: TLSVersion = .tlsv1,
+                                 maximumTLSVersion: TLSVersion? = nil,
+                                 certificateVerification: CertificateVerification = .fullVerification,
+                                 trustRoots: NIOSSLTrustRoots = .default,
+                                 certificateChain: [NIOSSLCertificateSource] = [],
+                                 privateKey: NIOSSLPrivateKeySource? = nil,
+                                 applicationProtocols: [String] = [],
+                                 shutdownTimeout: TimeAmount = .seconds(5),
+                                 keyLogCallback: NIOSSLKeyLogCallback? = nil,
+                                 renegotiationSupport: NIORenegotiationSupport = .none,
+                                 additionalTrustRoots: [NIOSSLAdditionalTrustRoots] = []) -> TLSConfiguration {
+        return TLSConfiguration(cipherSuiteValues: cipherSuites,
+                                verifySignatureAlgorithms: verifySignatureAlgorithms,
+                                signingSignatureAlgorithms: signingSignatureAlgorithms,
+                                minimumTLSVersion: minimumTLSVersion,
+                                maximumTLSVersion: maximumTLSVersion,
+                                certificateVerification: certificateVerification,
+                                trustRoots: trustRoots,
+                                certificateChain: certificateChain,
+                                privateKey: privateKey,
+                                applicationProtocols: applicationProtocols,
+                                shutdownTimeout: shutdownTimeout,
+                                keyLogCallback: keyLogCallback,
+                                renegotiationSupport: renegotiationSupport,
+                                additionalTrustRoots: additionalTrustRoots)
+    }
 
     /// Creates a TLS configuration for use with client-side contexts.
     ///

Tests/NIOSSLTests/TLSConfigurationTest+XCTest.swift

@@ -46,6 +46,18 @@ extension TLSConfigurationTest {
                 ("testTheSameHashValue", testTheSameHashValue),
                 ("testDifferentHashValues", testDifferentHashValues),
                 ("testDifferentCallbacksNotEqual", testDifferentCallbacksNotEqual),
+                ("testCompatibleCipherSuite", testCompatibleCipherSuite),
+                ("testNonCompatibleCipherSuite", testNonCompatibleCipherSuite),
+                ("testDefaultWithRSACipherSuite", testDefaultWithRSACipherSuite),
+                ("testDefaultWithECDHERSACipherSuite", testDefaultWithECDHERSACipherSuite),
+                ("testStringBasedCipherSuite", testStringBasedCipherSuite),
+                ("testMultipleCompatibleCipherSuites", testMultipleCompatibleCipherSuites),
+                ("testMultipleCompatibleCipherSuitesWithStringBasedCipher", testMultipleCompatibleCipherSuitesWithStringBasedCipher),
+                ("testMultipleClientCipherSuitesWithDefaultCipher", testMultipleClientCipherSuitesWithDefaultCipher),
+                ("testNonCompatibleClientCiphersWithServerStringBasedCiphers", testNonCompatibleClientCiphersWithServerStringBasedCiphers),
+                ("testSettingCiphersWithCipherSuiteValues", testSettingCiphersWithCipherSuiteValues),
+                ("testSettingCiphersWithCipherSuitesString", testSettingCiphersWithCipherSuitesString),
+                ("testDefaultCipherSuiteValues", testDefaultCipherSuiteValues),
            ]
    }
 }