From 1ec7f7e6f222a1e89eb121e3976a6f3b0b61f1da Mon Sep 17 00:00:00 2001
From: Hannes Laimer <h.laimer@proxmox.com>
Date: Tue, 11 Jan 2022 12:39:35 +0100
Subject: [PATCH] config: add tls ciphers to NodeConfig

for TLS 1.3 and for TLS <= 1.2

Signed-off-by: Hannes Laimer <h.laimer@proxmox.com>
---
 pbs-api-types/src/lib.rs | 41 ++++++++++++++++++++++++++++++++++++++++
 src/config/node.rs       | 26 ++++++++++++++++++++++++-
 2 files changed, 66 insertions(+), 1 deletion(-)

diff --git a/pbs-api-types/src/lib.rs b/pbs-api-types/src/lib.rs
index e3c3df11..4ef8eea1 100644
--- a/pbs-api-types/src/lib.rs
+++ b/pbs-api-types/src/lib.rs
@@ -99,6 +99,20 @@ mod local_macros {
     macro_rules! DNS_ALIAS_NAME {
         () => (concat!(r"(?:(?:", DNS_ALIAS_LABEL!() , r"\.)*", DNS_ALIAS_LABEL!(), ")"))
     }
+    macro_rules! OPENSSL_CIPHERSUITE_RE { 
+        () => (
+            r"TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256|TLS_AES_128_GCM_SHA256|TLS_AES_128_CCM_8_SHA256|TLS_AES_128_CCM_SHA256"
+        ) 
+    }
+    macro_rules! OPENSSL_CIPHER_STRING_RE { 
+        () => (concat!(
+            r"([!\-+]?(COMPLEMENTOFDEFAULT|ALL|COMPLEMENTOFALL|HIGH|MEDIUM|LOW|[ae]?NULL|[ka]?RSA|",
+            "kDH[rdE]?|kEDH|DHE?|EDH|ADH|kEECDH|kECDHE|ECDH|ECDHE|EECDH|AECDH|a?DSS|aDH|a?ECDSA|",
+            "SSLv3|AES(128|256)?|GCM|AESGCM|AESCCM|AESCCM8|ARIA(128|256)?|CAMELLIA(128|256)?|",
+            "CHACHA20|3?DES|RC[24]|IDEA|SEED|MD5|SHA(1|256|384)?|aGOST(01)?|kGOST|GOST94|GOST89MAC|",
+            "[ak]?PSK|kECDHEPSK|kDHEPSK|kRSAPSK|SUITEB(128|128ONLY|192)?|CBC3?|POLY1305))+"
+        )) 
+    }
 }
 
 const_regex! {
@@ -123,6 +137,22 @@ const_regex! {
 
     pub FINGERPRINT_SHA256_REGEX = r"^(?:[0-9a-fA-F][0-9a-fA-F])(?::[0-9a-fA-F][0-9a-fA-F]){31}$";
 
+    pub OPENSSL_CIPHERS_TLS_1_2_REGEX = concat!(
+        r"^((",
+        OPENSSL_CIPHER_STRING_RE!(),
+        ")([: ,](",
+        OPENSSL_CIPHER_STRING_RE!(),
+        "))*)$"
+    );
+    
+    pub OPENSSL_CIPHERS_TLS_1_3_REGEX = concat!(
+        r"^((",
+        OPENSSL_CIPHERSUITE_RE!(),
+        ")(:(",
+        OPENSSL_CIPHERSUITE_RE!(),
+        "))*)$"
+    );
+
     /// Regex for safe identifiers.
     ///
     /// This
@@ -159,6 +189,9 @@ pub const BLOCKDEVICE_NAME_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&B
 pub const SUBSCRIPTION_KEY_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&SUBSCRIPTION_KEY_REGEX);
 pub const SYSTEMD_DATETIME_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&SYSTEMD_DATETIME_REGEX);
 pub const HOSTNAME_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&HOSTNAME_REGEX);
+pub const OPENSSL_CIPHERS_TLS_1_2_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&OPENSSL_CIPHERS_TLS_1_2_REGEX);
+pub const OPENSSL_CIPHERS_TLS_1_3_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&OPENSSL_CIPHERS_TLS_1_3_REGEX);
+
 
 pub const DNS_ALIAS_FORMAT: ApiStringFormat =
     ApiStringFormat::Pattern(&DNS_ALIAS_REGEX);
@@ -188,6 +221,14 @@ pub const HOSTNAME_SCHEMA: Schema = StringSchema::new("Hostname (as defined in R
     .format(&HOSTNAME_FORMAT)
     .schema();
 
+pub const OPENSSL_CIPHERS_TLS_1_2_SCHEMA: Schema = StringSchema::new("OpenSSL cipher string list used by the proxy for TLS <= 1.2")
+    .format(&OPENSSL_CIPHERS_TLS_1_2_FORMAT)
+    .schema();
+
+pub const OPENSSL_CIPHERS_TLS_1_3_SCHEMA: Schema = StringSchema::new("OpenSSL ciphersuites list used by the proxy for TLSv1.3")
+    .format(&OPENSSL_CIPHERS_TLS_1_3_FORMAT)
+    .schema();
+
 pub const DNS_NAME_FORMAT: ApiStringFormat =
     ApiStringFormat::Pattern(&DNS_NAME_REGEX);
 
diff --git a/src/config/node.rs b/src/config/node.rs
index 4f2ab029..3f7adb1a 100644
--- a/src/config/node.rs
+++ b/src/config/node.rs
@@ -1,5 +1,6 @@
 use std::collections::HashSet;
 
+use openssl::ssl::{SslAcceptor, SslMethod};
 use anyhow::{bail, Error};
 use serde::{Deserialize, Serialize};
 
@@ -7,7 +8,7 @@ use proxmox_schema::{api, ApiStringFormat, ApiType, Updater};
 
 use proxmox_http::ProxyConfig;
 
-use pbs_api_types::EMAIL_SCHEMA;
+use pbs_api_types::{EMAIL_SCHEMA, OPENSSL_CIPHERS_TLS_1_2_SCHEMA, OPENSSL_CIPHERS_TLS_1_3_SCHEMA};
 use pbs_buildcfg::configdir;
 use pbs_config::{open_backup_lockfile, BackupLockGuard};
 
@@ -91,6 +92,14 @@ pub struct AcmeConfig {
             schema: EMAIL_SCHEMA,
             optional: true,
         },
+        "ciphers-tls13": {
+            schema: OPENSSL_CIPHERS_TLS_1_3_SCHEMA,
+            optional: true,
+        },
+        "ciphers-tls12": {
+            schema: OPENSSL_CIPHERS_TLS_1_2_SCHEMA,
+            optional: true,
+        },
     },
 )]
 #[derive(Deserialize, Serialize, Updater)]
@@ -121,6 +130,14 @@ pub struct NodeConfig {
     
     #[serde(skip_serializing_if = "Option::is_none")]
     pub email_from: Option<String>,
+
+    /// List of SSL ciphers for tls 1.3 that will be used by the proxy. (Proxy has to be restarted for changes to take effect)
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub ciphers_tls13: Option<String>,
+    
+    /// List of SSL ciphers for tls <= 1.2 that will be used by the proxy. (Proxy has to be restarted for changes to take effect)
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub ciphers_tls12: Option<String>,
 }
 
 impl NodeConfig {
@@ -172,6 +189,13 @@ impl NodeConfig {
                 bail!("duplicate domain '{}' in ACME config", domain.domain);
             }
         }
+        let mut dummy_acceptor = SslAcceptor::mozilla_intermediate_v5(SslMethod::tls()).unwrap();
+        if let Some(ciphers) = self.ciphers_tls13.as_deref() {
+            dummy_acceptor.set_ciphersuites(ciphers)?;
+        }
+        if let Some(ciphers) = self.ciphers_tls12.as_deref() {
+            dummy_acceptor.set_cipher_list(ciphers)?;
+        }
 
         Ok(())
     }