Support cipher suite selection

Author: cyang1

Cargo.toml

@@ -18,7 +18,7 @@ libc = "0.2"
 tempfile = "3.0"
 
 [target.'cfg(target_os = "windows")'.dependencies]
-schannel = "0.1.16"
+schannel = "0.1.19"
 
 [target.'cfg(not(any(target_os = "windows", target_os = "macos", target_os = "ios")))'.dependencies]
 log = "0.4.5"

src/imp/openssl.rs

@@ -11,14 +11,93 @@ use self::openssl::ssl::{
     SslVerifyMode,
 };
 use self::openssl::x509::{X509, store::X509StoreBuilder, X509VerifyResult};
+use std::borrow;
 use std::error;
 use std::fmt;
 use std::io;
 use std::sync::Once;
 
-use {Protocol, TlsAcceptorBuilder, TlsConnectorBuilder};
+use {
+    CipherSuiteSet, Protocol, TlsAcceptorBuilder, TlsBulkEncryptionAlgorithm, TlsConnectorBuilder,
+    TlsHashAlgorithm, TlsKeyExchangeAlgorithm, TlsSignatureAlgorithm,
+};
 use self::openssl::pkey::Private;
 
+const CIPHER_STRING_SUFFIX: &[&str] = &[
+    "!aNULL",
+    "!eNULL",
+    "!IDEA",
+    "!SEED",
+    "!SRP",
+    "!PSK",
+    "@STRENGTH",
+];
+
+fn cartesian_product(
+    xs: impl IntoIterator<Item = Vec<&'static str>>,
+    ys: impl IntoIterator<Item = &'static str> + Clone,
+) -> Vec<Vec<&'static str>> {
+    xs.into_iter()
+        .flat_map(move |x| ys.clone().into_iter().map(move |y| [&x, &[y][..]].concat()))
+        .collect()
+}
+
+fn expand_algorithms(cipher_suites: &CipherSuiteSet) -> String {
+    let mut cipher_suite_strings: Vec<Vec<&'static str>> = vec![];
+
+    cipher_suite_strings.extend(cipher_suites.key_exchange.iter().map(|alg| {
+        vec![match alg {
+            TlsKeyExchangeAlgorithm::Dhe => "DHE",
+            TlsKeyExchangeAlgorithm::Ecdhe => "ECDHE",
+            TlsKeyExchangeAlgorithm::Rsa => "kRSA",
+            TlsKeyExchangeAlgorithm::__NonExhaustive => unreachable!(),
+        }]
+    }));
+
+    cipher_suite_strings = cartesian_product(
+        cipher_suite_strings,
+        cipher_suites.signature.iter().map(|alg| match alg {
+            TlsSignatureAlgorithm::Dss => "aDSS",
+            TlsSignatureAlgorithm::Ecdsa => "aECDSA",
+            TlsSignatureAlgorithm::Rsa => "aRSA",
+            TlsSignatureAlgorithm::__NonExhaustive => unreachable!(),
+        }),
+    );
+    cipher_suite_strings = cartesian_product(
+        cipher_suite_strings,
+        cipher_suites.bulk_encryption.iter().map(|alg| match alg {
+            TlsBulkEncryptionAlgorithm::Aes128 => "AES128",
+            TlsBulkEncryptionAlgorithm::Aes256 => "AES256",
+            TlsBulkEncryptionAlgorithm::Des => "DES",
+            TlsBulkEncryptionAlgorithm::Rc2 => "RC2",
+            TlsBulkEncryptionAlgorithm::Rc4 => "RC4",
+            TlsBulkEncryptionAlgorithm::TripleDes => "3DES",
+            TlsBulkEncryptionAlgorithm::__NonExhaustive => unreachable!(),
+        }),
+    );
+    cipher_suite_strings = cartesian_product(
+        cipher_suite_strings,
+        cipher_suites.hash.iter().map(|alg| match alg {
+            TlsHashAlgorithm::Md5 => "MD5",
+            TlsHashAlgorithm::Sha1 => "SHA1",
+            TlsHashAlgorithm::Sha256 => "SHA256",
+            TlsHashAlgorithm::Sha384 => "SHA384",
+            TlsHashAlgorithm::__NonExhaustive => unreachable!(),
+        }),
+    );
+
+    cipher_suite_strings
+        .into_iter()
+        .map(move |parts| borrow::Cow::Owned(parts.join("+")))
+        .chain(
+            CIPHER_STRING_SUFFIX
+                .iter()
+                .map(|s| borrow::Cow::Borrowed(*s)),
+        )
+        .collect::<Vec<_>>()
+        .join(":")
+}
+
 #[cfg(have_min_max_version)]
 fn supported_protocols(
     min: Option<Protocol>,
@@ -262,6 +341,9 @@ impl TlsConnector {
                 connector.add_extra_chain_cert(cert.to_owned())?;
             }
         }
+        if let Some(ref cipher_suites) = builder.cipher_suites {
+            connector.set_cipher_list(&expand_algorithms(cipher_suites))?;
+        }
         supported_protocols(builder.min_protocol, builder.max_protocol, &mut connector)?;
 
         if builder.disable_built_in_roots {
@@ -412,3 +494,34 @@ impl<S: io::Read + io::Write> io::Write for TlsStream<S> {
         self.0.flush()
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn expand_algorithms_basic() {
+        assert_eq!(
+            expand_algorithms(&CipherSuiteSet {
+                key_exchange: vec![TlsKeyExchangeAlgorithm::Dhe, TlsKeyExchangeAlgorithm::Ecdhe],
+                signature: vec![TlsSignatureAlgorithm::Rsa],
+                bulk_encryption: vec![
+                    TlsBulkEncryptionAlgorithm::Aes128,
+                    TlsBulkEncryptionAlgorithm::Aes256
+                ],
+                hash: vec![TlsHashAlgorithm::Sha256, TlsHashAlgorithm::Sha384],
+            }),
+            "\
+            DHE+aRSA+AES128+SHA256:\
+            DHE+aRSA+AES128+SHA384:\
+            DHE+aRSA+AES256+SHA256:\
+            DHE+aRSA+AES256+SHA384:\
+            ECDHE+aRSA+AES128+SHA256:\
+            ECDHE+aRSA+AES128+SHA384:\
+            ECDHE+aRSA+AES256+SHA256:\
+            ECDHE+aRSA+AES256+SHA384:\
+            !aNULL:!eNULL:!IDEA:!SEED:!SRP:!PSK:@STRENGTH\
+            ",
+        );
+    }
+}

src/imp/schannel.rs

@@ -2,14 +2,86 @@ extern crate schannel;
 
 use self::schannel::cert_context::{CertContext, HashAlgorithm};
 use self::schannel::cert_store::{CertAdd, CertStore, Memory, PfxImportOptions};
-use self::schannel::schannel_cred::{Direction, Protocol, SchannelCred};
+use self::schannel::schannel_cred::{Algorithm, Direction, Protocol, SchannelCred};
 use self::schannel::tls_stream;
 use std::error;
 use std::fmt;
 use std::io;
 use std::str;
 
-use {TlsAcceptorBuilder, TlsConnectorBuilder};
+use {
+    CipherSuiteSet, TlsAcceptorBuilder, TlsBulkEncryptionAlgorithm, TlsConnectorBuilder,
+    TlsHashAlgorithm, TlsKeyExchangeAlgorithm, TlsSignatureAlgorithm,
+};
+
+impl From<TlsKeyExchangeAlgorithm> for Algorithm {
+    fn from(other: TlsKeyExchangeAlgorithm) -> Self {
+        match other {
+            TlsKeyExchangeAlgorithm::Dhe => Algorithm::DhEphem,
+            TlsKeyExchangeAlgorithm::Ecdhe => Algorithm::EcdhEphem,
+            TlsKeyExchangeAlgorithm::Rsa => Algorithm::RsaKeyx,
+            TlsKeyExchangeAlgorithm::__NonExhaustive => unreachable!(),
+        }
+    }
+}
+
+impl From<TlsSignatureAlgorithm> for Algorithm {
+    fn from(other: TlsSignatureAlgorithm) -> Self {
+        match other {
+            TlsSignatureAlgorithm::Dss => Algorithm::DssSign,
+            TlsSignatureAlgorithm::Ecdsa => Algorithm::Ecdsa,
+            TlsSignatureAlgorithm::Rsa => Algorithm::RsaSign,
+            TlsSignatureAlgorithm::__NonExhaustive => unreachable!(),
+        }
+    }
+}
+
+impl From<TlsBulkEncryptionAlgorithm> for Algorithm {
+    fn from(other: TlsBulkEncryptionAlgorithm) -> Self {
+        match other {
+            TlsBulkEncryptionAlgorithm::Aes128 => Algorithm::Aes128,
+            TlsBulkEncryptionAlgorithm::Aes256 => Algorithm::Aes256,
+            TlsBulkEncryptionAlgorithm::Des => Algorithm::Des,
+            TlsBulkEncryptionAlgorithm::Rc2 => Algorithm::Rc2,
+            TlsBulkEncryptionAlgorithm::Rc4 => Algorithm::Rc4,
+            TlsBulkEncryptionAlgorithm::TripleDes => Algorithm::TripleDes,
+            TlsBulkEncryptionAlgorithm::__NonExhaustive => unreachable!(),
+        }
+    }
+}
+
+impl From<TlsHashAlgorithm> for Algorithm {
+    fn from(other: TlsHashAlgorithm) -> Self {
+        match other {
+            TlsHashAlgorithm::Md5 => Algorithm::Md5,
+            TlsHashAlgorithm::Sha1 => Algorithm::Sha1,
+            TlsHashAlgorithm::Sha256 => Algorithm::Sha256,
+            TlsHashAlgorithm::Sha384 => Algorithm::Sha384,
+            TlsHashAlgorithm::__NonExhaustive => unreachable!(),
+        }
+    }
+}
+
+fn expand_algorithms(cipher_suites: &CipherSuiteSet) -> Vec<Algorithm> {
+    let mut ret = vec![];
+    ret.extend(
+        cipher_suites
+            .key_exchange
+            .iter()
+            .copied()
+            .map(Algorithm::from),
+    );
+    ret.extend(cipher_suites.signature.iter().copied().map(Algorithm::from));
+    ret.extend(
+        cipher_suites
+            .bulk_encryption
+            .iter()
+            .copied()
+            .map(Algorithm::from),
+    );
+    ret.extend(cipher_suites.hash.iter().copied().map(Algorithm::from));
+    ret
+}
 
 const SEC_E_NO_CREDENTIALS: u32 = 0x8009030E;
 
@@ -186,6 +258,7 @@ pub struct TlsConnector {
     accept_invalid_hostnames: bool,
     accept_invalid_certs: bool,
     disable_built_in_roots: bool,
+    supported_algorithms: Vec<Algorithm>,
 }
 
 impl TlsConnector {
@@ -205,6 +278,10 @@ impl TlsConnector {
             accept_invalid_hostnames: builder.accept_invalid_hostnames,
             accept_invalid_certs: builder.accept_invalid_certs,
             disable_built_in_roots: builder.disable_built_in_roots,
+            supported_algorithms: match &builder.cipher_suites {
+                Some(cipher_suites) => expand_algorithms(cipher_suites),
+                None => vec![],
+            },
         })
     }
 
@@ -217,6 +294,9 @@ impl TlsConnector {
         if let Some(cert) = self.cert.as_ref() {
             builder.cert(cert.clone());
         }
+        if !self.supported_algorithms.is_empty() {
+            builder.supported_algorithms(&self.supported_algorithms);
+        }
         let cred = builder.acquire(Direction::Outbound)?;
         let mut builder = tls_stream::Builder::new();
         builder