AdGuardHome/internal/aghtls/aghtls.go

// Package aghtls contains utilities for work with TLS.
package aghtls

import (
	"crypto/tls"
	"fmt"
)

// SaferCipherSuites returns a set of default cipher suites with vulnerable and
// weak cipher suites removed.
func SaferCipherSuites() (safe []uint16) {
	for _, s := range tls.CipherSuites() {
		switch s.ID {
		case
			tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
			tls.TLS_RSA_WITH_AES_128_CBC_SHA,
			tls.TLS_RSA_WITH_AES_256_CBC_SHA,
			tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
			tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
			tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
			// Less safe 3DES and CBC suites, go on.
		default:
			safe = append(safe, s.ID)
		}
	}

	return safe
}

// ParseCipherIDs returns a set of cipher suites with the cipher names provided
func ParseCipherIDs(ciphers []string) (userCiphers []uint16, err error) {
	for _, cipher := range ciphers {
		exists, cipherID := CipherExists(cipher)
		if exists {
			userCiphers = append(userCiphers, cipherID)
		} else {
			return nil, fmt.Errorf("unknown cipher : %s ", cipher)
		}
	}

	return userCiphers, nil
}

// CipherExists returns cipherid if exists, else return false in boolean
func CipherExists(cipher string) (exists bool, cipherID uint16) {
	for _, s := range tls.CipherSuites() {
		if s.Name == cipher {
			return true, s.ID
		}
	}

	return false, 0
}
Pull request: all: imp tls cipher selection Closes #2993. Squashed commit of the following: commit 6c521e56de024bf92ab7489ed2289da6bce1f3dc Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Tue Jan 25 21:39:48 2022 +0300 all: imp tls cipher selection 2022-01-26 11:39:34 +00:00			`// Package aghtls contains utilities for work with TLS.`
			`package aghtls`

added support for User prefered Ciphers 2022-09-22 03:58:46 +01:00			`import (`
			`"crypto/tls"`
changed based on review 1. exit AG is user defined cipher is invalid 2. updated changelog 3. golang naming tweaks 2022-10-06 17:07:15 +01:00			`"fmt"`
added support for User prefered Ciphers 2022-09-22 03:58:46 +01:00			`)`
Pull request: all: imp tls cipher selection Closes #2993. Squashed commit of the following: commit 6c521e56de024bf92ab7489ed2289da6bce1f3dc Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Tue Jan 25 21:39:48 2022 +0300 all: imp tls cipher selection 2022-01-26 11:39:34 +00:00
			`// SaferCipherSuites returns a set of default cipher suites with vulnerable and`
			`// weak cipher suites removed.`
			`func SaferCipherSuites() (safe []uint16) {`
Pull request: all: fix chlog, imp Merge in DNS/adguard-home from fix-chlog to master Squashed commit of the following: commit e69da2f574923b95ac3d0fa9057fffe2a716b5be Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Wed Jan 26 14:41:04 2022 +0300 all: fix chlog, imp 2022-01-26 11:47:50 +00:00			`for _, s := range tls.CipherSuites() {`
Pull request: all: imp tls cipher selection Closes #2993. Squashed commit of the following: commit 6c521e56de024bf92ab7489ed2289da6bce1f3dc Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Tue Jan 25 21:39:48 2022 +0300 all: imp tls cipher selection 2022-01-26 11:39:34 +00:00			`switch s.ID {`
			`case`
			`tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,`
			`tls.TLS_RSA_WITH_AES_128_CBC_SHA,`
			`tls.TLS_RSA_WITH_AES_256_CBC_SHA,`
			`tls.TLS_RSA_WITH_AES_128_CBC_SHA256,`
			`tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,`
			`tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,`
			`tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,`
			`tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,`
Revert "adding TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA to safe cipher suite" This reverts commit fe0c53ec439940635864a9d1bc4687245dbe4373. 2022-09-22 03:23:39 +01:00			`tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,`
Pull request: all: imp tls cipher selection Closes #2993. Squashed commit of the following: commit 6c521e56de024bf92ab7489ed2289da6bce1f3dc Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Tue Jan 25 21:39:48 2022 +0300 all: imp tls cipher selection 2022-01-26 11:39:34 +00:00			`tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,`
			`tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:`
			`// Less safe 3DES and CBC suites, go on.`
			`default:`
			`safe = append(safe, s.ID)`
			`}`
			`}`

			`return safe`
			`}`
added support for User prefered Ciphers 2022-09-22 03:58:46 +01:00
changes done as per review comments 2022-10-04 19:42:53 +01:00			`// ParseCipherIDs returns a set of cipher suites with the cipher names provided`
changed based on review 1. exit AG is user defined cipher is invalid 2. updated changelog 3. golang naming tweaks 2022-10-06 17:07:15 +01:00			`func ParseCipherIDs(ciphers []string) (userCiphers []uint16, err error) {`
			`for _, cipher := range ciphers {`
			`exists, cipherID := CipherExists(cipher)`
			`if exists {`
			`userCiphers = append(userCiphers, cipherID)`
changes done as per review comments 2022-10-04 19:42:53 +01:00			`} else {`
changed based on review 1. exit AG is user defined cipher is invalid 2. updated changelog 3. golang naming tweaks 2022-10-06 17:07:15 +01:00			`return nil, fmt.Errorf("unknown cipher : %s ", cipher)`
			`}`
			`}`

			`return userCiphers, nil`
			`}`

			`// CipherExists returns cipherid if exists, else return false in boolean`
			`func CipherExists(cipher string) (exists bool, cipherID uint16) {`
			`for _, s := range tls.CipherSuites() {`
			`if s.Name == cipher {`
			`return true, s.ID`
added support for User prefered Ciphers 2022-09-22 03:58:46 +01:00			`}`
			`}`

changed based on review 1. exit AG is user defined cipher is invalid 2. updated changelog 3. golang naming tweaks 2022-10-06 17:07:15 +01:00			`return false, 0`
added support for User prefered Ciphers 2022-09-22 03:58:46 +01:00			`}`