telegraf/plugins/common/tls/utils.go

package tls

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

var ErrCipherUnsupported = errors.New("unsupported cipher")

// InsecureCiphers returns the list of insecure ciphers among the list of given ciphers
func InsecureCiphers(ciphers []string) []string {
	var insecure []string

	for _, c := range ciphers {
		cipher := strings.ToUpper(c)
		if _, ok := tlsCipherMapInsecure[cipher]; ok {
			insecure = append(insecure, c)
		}
	}

	return insecure
}

// Ciphers returns the list of supported ciphers
func Ciphers() (secure, insecure []string) {
	for c := range tlsCipherMapSecure {
		secure = append(secure, c)
	}

	for c := range tlsCipherMapInsecure {
		insecure = append(insecure, c)
	}

	return secure, insecure
}

// ParseCiphers returns a `[]uint16` by received `[]string` key that represents ciphers from crypto/tls.
// If some of ciphers in received list doesn't exists  ParseCiphers returns nil with error
func ParseCiphers(ciphers []string) ([]uint16, error) {
	suites := make([]uint16, 0)
	added := make(map[uint16]bool, len(ciphers))
	for _, c := range ciphers {
		// Handle meta-keywords
		switch c {
		case "all":
			for _, id := range tlsCipherMapInsecure {
				if added[id] {
					continue
				}
				suites = append(suites, id)
				added[id] = true
			}
			for _, id := range tlsCipherMapSecure {
				if added[id] {
					continue
				}
				suites = append(suites, id)
				added[id] = true
			}
		case "insecure":
			for _, id := range tlsCipherMapInsecure {
				if added[id] {
					continue
				}
				suites = append(suites, id)
				added[id] = true
			}
		case "secure":
			for _, id := range tlsCipherMapSecure {
				if added[id] {
					continue
				}
				suites = append(suites, id)
				added[id] = true
			}
		default:
			cipher := strings.ToUpper(c)
			id, ok := tlsCipherMapSecure[cipher]
			if !ok {
				idInsecure, ok := tlsCipherMapInsecure[cipher]
				if !ok {
					return nil, fmt.Errorf("%q %w", cipher, ErrCipherUnsupported)
				}
				id = idInsecure
			}
			if added[id] {
				continue
			}
			suites = append(suites, id)
			added[id] = true
		}
	}

	return suites, nil
}

// ParseTLSVersion returns a `uint16` by received version string key that represents tls version from crypto/tls.
// If version isn't supported ParseTLSVersion returns 0 with error
func ParseTLSVersion(version string) (uint16, error) {
	if v, ok := tlsVersionMap[version]; ok {
		return v, nil
	}

	available := make([]string, 0, len(tlsVersionMap))
	for n := range tlsVersionMap {
		available = append(available, n)
	}
	sort.Strings(available)
	return 0, fmt.Errorf("unsupported version %q (available: %s)", version, strings.Join(available, ","))
}
Adding upstream version 1.34.4. Signed-off-by: Daniel Baumann <daniel@debian.org> 2025-05-24 07:26:29 +02:00			`package tls`

			`import (`
			`"errors"`
			`"fmt"`
			`"sort"`
			`"strings"`
			`)`

			`var ErrCipherUnsupported = errors.New("unsupported cipher")`

			`// InsecureCiphers returns the list of insecure ciphers among the list of given ciphers`
			`func InsecureCiphers(ciphers []string) []string {`
			`var insecure []string`

			`for _, c := range ciphers {`
			`cipher := strings.ToUpper(c)`
			`if _, ok := tlsCipherMapInsecure[cipher]; ok {`
			`insecure = append(insecure, c)`
			`}`
			`}`

			`return insecure`
			`}`

			`// Ciphers returns the list of supported ciphers`
			`func Ciphers() (secure, insecure []string) {`
			`for c := range tlsCipherMapSecure {`
			`secure = append(secure, c)`
			`}`

			`for c := range tlsCipherMapInsecure {`
			`insecure = append(insecure, c)`
			`}`

			`return secure, insecure`
			`}`

			// ParseCiphers returns a `[]uint16` by received `[]string` key that represents ciphers from crypto/tls.
			`// If some of ciphers in received list doesn't exists ParseCiphers returns nil with error`
			`func ParseCiphers(ciphers []string) ([]uint16, error) {`
			`suites := make([]uint16, 0)`
			`added := make(map[uint16]bool, len(ciphers))`
			`for _, c := range ciphers {`
			`// Handle meta-keywords`
			`switch c {`
			`case "all":`
			`for _, id := range tlsCipherMapInsecure {`
			`if added[id] {`
			`continue`
			`}`
			`suites = append(suites, id)`
			`added[id] = true`
			`}`
			`for _, id := range tlsCipherMapSecure {`
			`if added[id] {`
			`continue`
			`}`
			`suites = append(suites, id)`
			`added[id] = true`
			`}`
			`case "insecure":`
			`for _, id := range tlsCipherMapInsecure {`
			`if added[id] {`
			`continue`
			`}`
			`suites = append(suites, id)`
			`added[id] = true`
			`}`
			`case "secure":`
			`for _, id := range tlsCipherMapSecure {`
			`if added[id] {`
			`continue`
			`}`
			`suites = append(suites, id)`
			`added[id] = true`
			`}`
			`default:`
			`cipher := strings.ToUpper(c)`
			`id, ok := tlsCipherMapSecure[cipher]`
			`if !ok {`
			`idInsecure, ok := tlsCipherMapInsecure[cipher]`
			`if !ok {`
			`return nil, fmt.Errorf("%q %w", cipher, ErrCipherUnsupported)`
			`}`
			`id = idInsecure`
			`}`
			`if added[id] {`
			`continue`
			`}`
			`suites = append(suites, id)`
			`added[id] = true`
			`}`
			`}`

			`return suites, nil`
			`}`

			// ParseTLSVersion returns a `uint16` by received version string key that represents tls version from crypto/tls.
			`// If version isn't supported ParseTLSVersion returns 0 with error`
			`func ParseTLSVersion(version string) (uint16, error) {`
			`if v, ok := tlsVersionMap[version]; ok {`
			`return v, nil`
			`}`

			`available := make([]string, 0, len(tlsVersionMap))`
			`for n := range tlsVersionMap {`
			`available = append(available, n)`
			`}`
			`sort.Strings(available)`
			`return 0, fmt.Errorf("unsupported version %q (available: %s)", version, strings.Join(available, ","))`
			`}`