***************************************************************************/
#include "curl_setup.h"
-#if defined(USE_MBEDTLS) || defined(USE_BEARSSL)
+#if defined(USE_SECTRANSP) || defined(USE_MBEDTLS) || defined(USE_BEARSSL)
#include "cipher_suite.h"
#include "curl_printf.h"
#include "strcase.h"
"CAMELLIA128" "\0"
"CAMELLIA256" "\0"
#endif
+#if defined(USE_SECTRANSP)
+ "40" "\0"
+ "ADH" "\0"
+ "AECDH" "\0"
+ "anon" "\0"
+ "DES40" "\0"
+ "DH" "\0"
+ "DSS" "\0"
+ "EDH" "\0"
+ "EXP" "\0"
+ "EXPORT" "\0"
+ "IDEA" "\0"
+ "RC2" "\0"
+ "RC4" "\0"
+#endif
;
/* Indexes of above cs_txt */
enum {
CS_TXT_IDX_CAMELLIA,
CS_TXT_IDX_CAMELLIA128,
CS_TXT_IDX_CAMELLIA256,
+#endif
+#if defined(USE_SECTRANSP)
+ CS_TXT_IDX_40,
+ CS_TXT_IDX_ADH,
+ CS_TXT_IDX_AECDH,
+ CS_TXT_IDX_anon,
+ CS_TXT_IDX_DES40,
+ CS_TXT_IDX_DH,
+ CS_TXT_IDX_DSS,
+ CS_TXT_IDX_EDH,
+ CS_TXT_IDX_EXP,
+ CS_TXT_IDX_EXPORT,
+ CS_TXT_IDX_IDEA,
+ CS_TXT_IDX_RC2,
+ CS_TXT_IDX_RC4,
#endif
CS_TXT_LEN,
};
CS_ENTRY(0xCCA8, ECDHE,RSA,CHACHA20,POLY1305,,,,),
CS_ENTRY(0xCCA9, TLS,ECDHE,ECDSA,WITH,CHACHA20,POLY1305,SHA256,),
CS_ENTRY(0xCCA9, ECDHE,ECDSA,CHACHA20,POLY1305,,,,),
-#if defined(USE_MBEDTLS)
+#if defined(USE_SECTRANSP) || defined(USE_MBEDTLS)
CS_ENTRY(0x0001, TLS,RSA,WITH,NULL,MD5,,,),
CS_ENTRY(0x0001, NULL,MD5,,,,,,),
CS_ENTRY(0x0002, TLS,RSA,WITH,NULL,SHA,,,),
CS_ENTRY(0xCCAB, TLS,PSK,WITH,CHACHA20,POLY1305,SHA256,,),
CS_ENTRY(0xCCAB, PSK,CHACHA20,POLY1305,,,,,),
#endif
-#if defined(USE_BEARSSL)
+#if defined(USE_SECTRANSP) || defined(USE_BEARSSL)
CS_ENTRY(0x000A, TLS,RSA,WITH,3DES,EDE,CBC,SHA,),
CS_ENTRY(0x000A, DES,CBC3,SHA,,,,,),
CS_ENTRY(0xC003, TLS,ECDH,ECDSA,WITH,3DES,EDE,CBC,SHA),
CS_ENTRY(0xC012, TLS,ECDHE,RSA,WITH,3DES,EDE,CBC,SHA),
CS_ENTRY(0xC012, ECDHE,RSA,DES,CBC3,SHA,,,),
#endif
+#if defined(USE_MBEDTLS) || defined(USE_BEARSSL)
CS_ENTRY(0xC09C, TLS,RSA,WITH,AES,128,CCM,,),
CS_ENTRY(0xC09C, AES128,CCM,,,,,,),
CS_ENTRY(0xC09D, TLS,RSA,WITH,AES,256,CCM,,),
CS_ENTRY(0xC0AE, ECDHE,ECDSA,AES128,CCM8,,,,),
CS_ENTRY(0xC0AF, TLS,ECDHE,ECDSA,WITH,AES,256,CCM,8),
CS_ENTRY(0xC0AF, ECDHE,ECDSA,AES256,CCM8,,,,),
+#endif
+#if defined(USE_SECTRANSP)
+ /* entries marked bc are backward compatible aliases for old openssl names */
+ CS_ENTRY(0x0003, TLS,RSA,EXPORT,WITH,RC4,40,MD5,),
+ CS_ENTRY(0x0003, EXP,RC4,MD5,,,,,),
+ CS_ENTRY(0x0004, TLS,RSA,WITH,RC4,128,MD5,,),
+ CS_ENTRY(0x0004, RC4,MD5,,,,,,),
+ CS_ENTRY(0x0005, TLS,RSA,WITH,RC4,128,SHA,,),
+ CS_ENTRY(0x0005, RC4,SHA,,,,,,),
+ CS_ENTRY(0x0006, TLS,RSA,EXPORT,WITH,RC2,CBC,40,MD5),
+ CS_ENTRY(0x0006, EXP,RC2,CBC,MD5,,,,),
+ CS_ENTRY(0x0007, TLS,RSA,WITH,IDEA,CBC,SHA,,),
+ CS_ENTRY(0x0007, IDEA,CBC,SHA,,,,,),
+ CS_ENTRY(0x0008, TLS,RSA,EXPORT,WITH,DES40,CBC,SHA,),
+ CS_ENTRY(0x0008, EXP,DES,CBC,SHA,,,,),
+ CS_ENTRY(0x0009, TLS,RSA,WITH,DES,CBC,SHA,,),
+ CS_ENTRY(0x0009, DES,CBC,SHA,,,,,),
+ CS_ENTRY(0x000B, TLS,DH,DSS,EXPORT,WITH,DES40,CBC,SHA),
+ CS_ENTRY(0x000B, EXP,DH,DSS,DES,CBC,SHA,,),
+ CS_ENTRY(0x000C, TLS,DH,DSS,WITH,DES,CBC,SHA,),
+ CS_ENTRY(0x000C, DH,DSS,DES,CBC,SHA,,,),
+ CS_ENTRY(0x000D, TLS,DH,DSS,WITH,3DES,EDE,CBC,SHA),
+ CS_ENTRY(0x000D, DH,DSS,DES,CBC3,SHA,,,),
+ CS_ENTRY(0x000E, TLS,DH,RSA,EXPORT,WITH,DES40,CBC,SHA),
+ CS_ENTRY(0x000E, EXP,DH,RSA,DES,CBC,SHA,,),
+ CS_ENTRY(0x000F, TLS,DH,RSA,WITH,DES,CBC,SHA,),
+ CS_ENTRY(0x000F, DH,RSA,DES,CBC,SHA,,,),
+ CS_ENTRY(0x0010, TLS,DH,RSA,WITH,3DES,EDE,CBC,SHA),
+ CS_ENTRY(0x0010, DH,RSA,DES,CBC3,SHA,,,),
+ CS_ENTRY(0x0011, TLS,DHE,DSS,EXPORT,WITH,DES40,CBC,SHA),
+ CS_ENTRY(0x0011, EXP,DHE,DSS,DES,CBC,SHA,,),
+ CS_ENTRY(0x0011, EXP,EDH,DSS,DES,CBC,SHA,,), /* bc */
+ CS_ENTRY(0x0012, TLS,DHE,DSS,WITH,DES,CBC,SHA,),
+ CS_ENTRY(0x0012, DHE,DSS,DES,CBC,SHA,,,),
+ CS_ENTRY(0x0012, EDH,DSS,DES,CBC,SHA,,,), /* bc */
+ CS_ENTRY(0x0013, TLS,DHE,DSS,WITH,3DES,EDE,CBC,SHA),
+ CS_ENTRY(0x0013, DHE,DSS,DES,CBC3,SHA,,,),
+ CS_ENTRY(0x0013, EDH,DSS,DES,CBC3,SHA,,,), /* bc */
+ CS_ENTRY(0x0014, TLS,DHE,RSA,EXPORT,WITH,DES40,CBC,SHA),
+ CS_ENTRY(0x0014, EXP,DHE,RSA,DES,CBC,SHA,,),
+ CS_ENTRY(0x0014, EXP,EDH,RSA,DES,CBC,SHA,,), /* bc */
+ CS_ENTRY(0x0015, TLS,DHE,RSA,WITH,DES,CBC,SHA,),
+ CS_ENTRY(0x0015, DHE,RSA,DES,CBC,SHA,,,),
+ CS_ENTRY(0x0015, EDH,RSA,DES,CBC,SHA,,,), /* bc */
+ CS_ENTRY(0x0016, TLS,DHE,RSA,WITH,3DES,EDE,CBC,SHA),
+ CS_ENTRY(0x0016, DHE,RSA,DES,CBC3,SHA,,,),
+ CS_ENTRY(0x0016, EDH,RSA,DES,CBC3,SHA,,,), /* bc */
+ CS_ENTRY(0x0017, TLS,DH,anon,EXPORT,WITH,RC4,40,MD5),
+ CS_ENTRY(0x0017, EXP,ADH,RC4,MD5,,,,),
+ CS_ENTRY(0x0018, TLS,DH,anon,WITH,RC4,128,MD5,),
+ CS_ENTRY(0x0018, ADH,RC4,MD5,,,,,),
+ CS_ENTRY(0x0019, TLS,DH,anon,EXPORT,WITH,DES40,CBC,SHA),
+ CS_ENTRY(0x0019, EXP,ADH,DES,CBC,SHA,,,),
+ CS_ENTRY(0x001A, TLS,DH,anon,WITH,DES,CBC,SHA,),
+ CS_ENTRY(0x001A, ADH,DES,CBC,SHA,,,,),
+ CS_ENTRY(0x001B, TLS,DH,anon,WITH,3DES,EDE,CBC,SHA),
+ CS_ENTRY(0x001B, ADH,DES,CBC3,SHA,,,,),
+ CS_ENTRY(0x0030, TLS,DH,DSS,WITH,AES,128,CBC,SHA),
+ CS_ENTRY(0x0030, DH,DSS,AES128,SHA,,,,),
+ CS_ENTRY(0x0031, TLS,DH,RSA,WITH,AES,128,CBC,SHA),
+ CS_ENTRY(0x0031, DH,RSA,AES128,SHA,,,,),
+ CS_ENTRY(0x0032, TLS,DHE,DSS,WITH,AES,128,CBC,SHA),
+ CS_ENTRY(0x0032, DHE,DSS,AES128,SHA,,,,),
+ CS_ENTRY(0x0034, TLS,DH,anon,WITH,AES,128,CBC,SHA),
+ CS_ENTRY(0x0034, ADH,AES128,SHA,,,,,),
+ CS_ENTRY(0x0036, TLS,DH,DSS,WITH,AES,256,CBC,SHA),
+ CS_ENTRY(0x0036, DH,DSS,AES256,SHA,,,,),
+ CS_ENTRY(0x0037, TLS,DH,RSA,WITH,AES,256,CBC,SHA),
+ CS_ENTRY(0x0037, DH,RSA,AES256,SHA,,,,),
+ CS_ENTRY(0x0038, TLS,DHE,DSS,WITH,AES,256,CBC,SHA),
+ CS_ENTRY(0x0038, DHE,DSS,AES256,SHA,,,,),
+ CS_ENTRY(0x003A, TLS,DH,anon,WITH,AES,256,CBC,SHA),
+ CS_ENTRY(0x003A, ADH,AES256,SHA,,,,,),
+ CS_ENTRY(0x003E, TLS,DH,DSS,WITH,AES,128,CBC,SHA256),
+ CS_ENTRY(0x003E, DH,DSS,AES128,SHA256,,,,),
+ CS_ENTRY(0x003F, TLS,DH,RSA,WITH,AES,128,CBC,SHA256),
+ CS_ENTRY(0x003F, DH,RSA,AES128,SHA256,,,,),
+ CS_ENTRY(0x0040, TLS,DHE,DSS,WITH,AES,128,CBC,SHA256),
+ CS_ENTRY(0x0040, DHE,DSS,AES128,SHA256,,,,),
+ CS_ENTRY(0x0068, TLS,DH,DSS,WITH,AES,256,CBC,SHA256),
+ CS_ENTRY(0x0068, DH,DSS,AES256,SHA256,,,,),
+ CS_ENTRY(0x0069, TLS,DH,RSA,WITH,AES,256,CBC,SHA256),
+ CS_ENTRY(0x0069, DH,RSA,AES256,SHA256,,,,),
+ CS_ENTRY(0x006A, TLS,DHE,DSS,WITH,AES,256,CBC,SHA256),
+ CS_ENTRY(0x006A, DHE,DSS,AES256,SHA256,,,,),
+ CS_ENTRY(0x006C, TLS,DH,anon,WITH,AES,128,CBC,SHA256),
+ CS_ENTRY(0x006C, ADH,AES128,SHA256,,,,,),
+ CS_ENTRY(0x006D, TLS,DH,anon,WITH,AES,256,CBC,SHA256),
+ CS_ENTRY(0x006D, ADH,AES256,SHA256,,,,,),
+ CS_ENTRY(0x008A, TLS,PSK,WITH,RC4,128,SHA,,),
+ CS_ENTRY(0x008A, PSK,RC4,SHA,,,,,),
+ CS_ENTRY(0x008B, TLS,PSK,WITH,3DES,EDE,CBC,SHA,),
+ CS_ENTRY(0x008B, PSK,3DES,EDE,CBC,SHA,,,),
+ CS_ENTRY(0x008E, TLS,DHE,PSK,WITH,RC4,128,SHA,),
+ CS_ENTRY(0x008E, DHE,PSK,RC4,SHA,,,,),
+ CS_ENTRY(0x008F, TLS,DHE,PSK,WITH,3DES,EDE,CBC,SHA),
+ CS_ENTRY(0x008F, DHE,PSK,3DES,EDE,CBC,SHA,,),
+ CS_ENTRY(0x0092, TLS,RSA,PSK,WITH,RC4,128,SHA,),
+ CS_ENTRY(0x0092, RSA,PSK,RC4,SHA,,,,),
+ CS_ENTRY(0x0093, TLS,RSA,PSK,WITH,3DES,EDE,CBC,SHA),
+ CS_ENTRY(0x0093, RSA,PSK,3DES,EDE,CBC,SHA,,),
+ CS_ENTRY(0x00A0, TLS,DH,RSA,WITH,AES,128,GCM,SHA256),
+ CS_ENTRY(0x00A0, DH,RSA,AES128,GCM,SHA256,,,),
+ CS_ENTRY(0x00A1, TLS,DH,RSA,WITH,AES,256,GCM,SHA384),
+ CS_ENTRY(0x00A1, DH,RSA,AES256,GCM,SHA384,,,),
+ CS_ENTRY(0x00A2, TLS,DHE,DSS,WITH,AES,128,GCM,SHA256),
+ CS_ENTRY(0x00A2, DHE,DSS,AES128,GCM,SHA256,,,),
+ CS_ENTRY(0x00A3, TLS,DHE,DSS,WITH,AES,256,GCM,SHA384),
+ CS_ENTRY(0x00A3, DHE,DSS,AES256,GCM,SHA384,,,),
+ CS_ENTRY(0x00A4, TLS,DH,DSS,WITH,AES,128,GCM,SHA256),
+ CS_ENTRY(0x00A4, DH,DSS,AES128,GCM,SHA256,,,),
+ CS_ENTRY(0x00A5, TLS,DH,DSS,WITH,AES,256,GCM,SHA384),
+ CS_ENTRY(0x00A5, DH,DSS,AES256,GCM,SHA384,,,),
+ CS_ENTRY(0x00A6, TLS,DH,anon,WITH,AES,128,GCM,SHA256),
+ CS_ENTRY(0x00A6, ADH,AES128,GCM,SHA256,,,,),
+ CS_ENTRY(0x00A7, TLS,DH,anon,WITH,AES,256,GCM,SHA384),
+ CS_ENTRY(0x00A7, ADH,AES256,GCM,SHA384,,,,),
+ CS_ENTRY(0xC002, TLS,ECDH,ECDSA,WITH,RC4,128,SHA,),
+ CS_ENTRY(0xC002, ECDH,ECDSA,RC4,SHA,,,,),
+ CS_ENTRY(0xC007, TLS,ECDHE,ECDSA,WITH,RC4,128,SHA,),
+ CS_ENTRY(0xC007, ECDHE,ECDSA,RC4,SHA,,,,),
+ CS_ENTRY(0xC00C, TLS,ECDH,RSA,WITH,RC4,128,SHA,),
+ CS_ENTRY(0xC00C, ECDH,RSA,RC4,SHA,,,,),
+ CS_ENTRY(0xC011, TLS,ECDHE,RSA,WITH,RC4,128,SHA,),
+ CS_ENTRY(0xC011, ECDHE,RSA,RC4,SHA,,,,),
+ CS_ENTRY(0xC015, TLS,ECDH,anon,WITH,NULL,SHA,,),
+ CS_ENTRY(0xC015, AECDH,NULL,SHA,,,,,),
+ CS_ENTRY(0xC016, TLS,ECDH,anon,WITH,RC4,128,SHA,),
+ CS_ENTRY(0xC016, AECDH,RC4,SHA,,,,,),
+ CS_ENTRY(0xC017, TLS,ECDH,anon,WITH,3DES,EDE,CBC,SHA),
+ CS_ENTRY(0xC017, AECDH,DES,CBC3,SHA,,,,),
+ CS_ENTRY(0xC018, TLS,ECDH,anon,WITH,AES,128,CBC,SHA),
+ CS_ENTRY(0xC018, AECDH,AES128,SHA,,,,,),
+ CS_ENTRY(0xC019, TLS,ECDH,anon,WITH,AES,256,CBC,SHA),
+ CS_ENTRY(0xC019, AECDH,AES256,SHA,,,,,),
+#endif
#if defined(USE_MBEDTLS)
/* entries marked ns are "non-standard", they are not in openssl */
CS_ENTRY(0x0041, TLS,RSA,WITH,CAMELLIA,128,CBC,SHA,),
return r;
}
-#endif /* defined(USE_MBEDTLS) || defined(USE_BEARSSL) */
+#endif /* defined(USE_SECTRANSP) || defined(USE_MBEDTLS) || \
+ defined(USE_BEARSSL) */
#include "curl_setup.h"
-#if defined(USE_MBEDTLS) || defined(USE_BEARSSL)
+#if defined(USE_SECTRANSP) || defined(USE_MBEDTLS) || defined(USE_BEARSSL)
#include <stdint.h>
/* Lookup IANA id for cipher suite string, returns 0 if not recognized */
int Curl_cipher_suite_get_str(uint16_t id, char *buf, size_t buf_size,
bool prefer_rfc);
-#endif /* defined(USE_MBEDTLS) || defined(USE_BEARSSL) */
+#endif /* defined(USE_SECTRANSP) || defined(USE_MBEDTLS) || \
+ defined(USE_BEARSSL) */
#endif /* HEADER_CURL_CIPHER_SUITE_H */
#include "curl_setup.h"
+#ifdef USE_SECTRANSP
+
#include "urldata.h" /* for the Curl_easy definition */
#include "curl_base64.h"
#include "strtok.h"
#include "strcase.h"
#include "x509asn1.h"
#include "strerror.h"
-
-#ifdef USE_SECTRANSP
+#include "cipher_suite.h"
#ifdef __clang__
#pragma clang diagnostic push
};
struct st_cipher {
- const char *name; /* Cipher suite IANA name. It starts with "TLS_" prefix */
- const char *alias_name; /* Alias name is the same as OpenSSL cipher name */
- SSLCipherSuite num; /* Cipher suite code/number defined in IANA registry */
+ uint16_t num; /* Cipher suite code/number defined in IANA registry */
bool weak; /* Flag to mark cipher as weak based on previous implementation
of Secure Transport back-end by CURL */
};
-/* Macro to initialize st_cipher data structure: stringify id to name, cipher
- number/id, 'weak' suite flag
+/* Macro to initialize st_cipher data structure: cipher number/id,
+ 'weak' suite flag
*/
-#define CIPHER_DEF(num, alias, weak) \
- { #num, alias, num, weak }
+#define CIPHER_DEF(num, weak) { num, weak }
/*
- Macro to initialize st_cipher data structure with name, code (IANA cipher
- number/id value), and 'weak' suite flag. The first 28 cipher suite numbers
- have the same IANA code for both SSL and TLS standards: numbers 0x0000 to
- 0x001B. They have different names though. The first 4 letters of the cipher
- suite name are the protocol name: "SSL_" or "TLS_", rest of the IANA name is
- the same for both SSL and TLS cipher suite name.
- The second part of the problem is that macOS/iOS SDKs don't define all TLS
+ The first 28 cipher suite numbers have the same IANA code for both SSL and
+ TLS standards: numbers 0x0000 to 0x001B. They have different names though.
+ The first 4 letters of the cipher suite name are the protocol name: "SSL_" or
+ "TLS_", rest of the IANA name is the same for both SSL and TLS cipher suite
+ name.
+ For the first 28 cipher suite numbers macOS/iOS SDKs don't define all TLS
codes but only 12 of them. The SDK defines all SSL codes though, i.e. SSL_NUM
constant is always defined for those 28 ciphers while TLS_NUM is defined only
for 12 of the first 28 ciphers. Those 12 TLS cipher codes match to
corresponding SSL enum value and represent the same cipher suite. Therefore
we'll use the SSL enum value for those cipher suites because it is defined
for all 28 of them.
- We make internal data consistent and based on TLS names, i.e. all st_cipher
- item names start with the "TLS_" prefix.
- Summarizing all the above, those 28 first ciphers are presented in our table
- with both TLS and SSL names. Their cipher numbers are assigned based on the
- SDK enum value for the SSL cipher, which matches to IANA TLS number.
*/
-#define CIPHER_DEF_SSLTLS(num_wo_prefix, alias, weak) \
- { "TLS_" #num_wo_prefix, alias, SSL_##num_wo_prefix, weak }
/*
Cipher suites were marked as weak based on the following:
#define CIPHER_STRONG_ENOUGH FALSE
/* Please do not change the order of the first ciphers available for SSL.
- Do not insert and do not delete any of them. Code below
- depends on their order and continuity.
+ Do not insert and do not delete any of them.
If you add a new cipher, please maintain order by number, i.e.
insert in between existing items to appropriate place based on
cipher suite IANA number
static const struct st_cipher ciphertable[] = {
/* SSL version 3.0 and initial TLS 1.0 cipher suites.
Defined since SDK 10.2.8 */
- CIPHER_DEF_SSLTLS(NULL_WITH_NULL_NULL, /* 0x0000 */
- NULL,
- CIPHER_WEAK_NOT_ENCRYPTED),
- CIPHER_DEF_SSLTLS(RSA_WITH_NULL_MD5, /* 0x0001 */
- "NULL-MD5",
- CIPHER_WEAK_NOT_ENCRYPTED),
- CIPHER_DEF_SSLTLS(RSA_WITH_NULL_SHA, /* 0x0002 */
- "NULL-SHA",
- CIPHER_WEAK_NOT_ENCRYPTED),
- CIPHER_DEF_SSLTLS(RSA_EXPORT_WITH_RC4_40_MD5, /* 0x0003 */
- "EXP-RC4-MD5",
- CIPHER_WEAK_RC_ENCRYPTION),
- CIPHER_DEF_SSLTLS(RSA_WITH_RC4_128_MD5, /* 0x0004 */
- "RC4-MD5",
- CIPHER_WEAK_RC_ENCRYPTION),
- CIPHER_DEF_SSLTLS(RSA_WITH_RC4_128_SHA, /* 0x0005 */
- "RC4-SHA",
- CIPHER_WEAK_RC_ENCRYPTION),
- CIPHER_DEF_SSLTLS(RSA_EXPORT_WITH_RC2_CBC_40_MD5, /* 0x0006 */
- "EXP-RC2-CBC-MD5",
- CIPHER_WEAK_RC_ENCRYPTION),
- CIPHER_DEF_SSLTLS(RSA_WITH_IDEA_CBC_SHA, /* 0x0007 */
- "IDEA-CBC-SHA",
- CIPHER_WEAK_IDEA_ENCRYPTION),
- CIPHER_DEF_SSLTLS(RSA_EXPORT_WITH_DES40_CBC_SHA, /* 0x0008 */
- "EXP-DES-CBC-SHA",
- CIPHER_WEAK_DES_ENCRYPTION),
- CIPHER_DEF_SSLTLS(RSA_WITH_DES_CBC_SHA, /* 0x0009 */
- "DES-CBC-SHA",
- CIPHER_WEAK_DES_ENCRYPTION),
- CIPHER_DEF_SSLTLS(RSA_WITH_3DES_EDE_CBC_SHA, /* 0x000A */
- "DES-CBC3-SHA",
- CIPHER_WEAK_3DES_ENCRYPTION),
- CIPHER_DEF_SSLTLS(DH_DSS_EXPORT_WITH_DES40_CBC_SHA, /* 0x000B */
- "EXP-DH-DSS-DES-CBC-SHA",
- CIPHER_WEAK_DES_ENCRYPTION),
- CIPHER_DEF_SSLTLS(DH_DSS_WITH_DES_CBC_SHA, /* 0x000C */
- "DH-DSS-DES-CBC-SHA",
- CIPHER_WEAK_DES_ENCRYPTION),
- CIPHER_DEF_SSLTLS(DH_DSS_WITH_3DES_EDE_CBC_SHA, /* 0x000D */
- "DH-DSS-DES-CBC3-SHA",
- CIPHER_WEAK_3DES_ENCRYPTION),
- CIPHER_DEF_SSLTLS(DH_RSA_EXPORT_WITH_DES40_CBC_SHA, /* 0x000E */
- "EXP-DH-RSA-DES-CBC-SHA",
- CIPHER_WEAK_DES_ENCRYPTION),
- CIPHER_DEF_SSLTLS(DH_RSA_WITH_DES_CBC_SHA, /* 0x000F */
- "DH-RSA-DES-CBC-SHA",
- CIPHER_WEAK_DES_ENCRYPTION),
- CIPHER_DEF_SSLTLS(DH_RSA_WITH_3DES_EDE_CBC_SHA, /* 0x0010 */
- "DH-RSA-DES-CBC3-SHA",
- CIPHER_WEAK_3DES_ENCRYPTION),
- CIPHER_DEF_SSLTLS(DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, /* 0x0011 */
- "EXP-EDH-DSS-DES-CBC-SHA",
- CIPHER_WEAK_DES_ENCRYPTION),
- CIPHER_DEF_SSLTLS(DHE_DSS_WITH_DES_CBC_SHA, /* 0x0012 */
- "EDH-DSS-CBC-SHA",
- CIPHER_WEAK_DES_ENCRYPTION),
- CIPHER_DEF_SSLTLS(DHE_DSS_WITH_3DES_EDE_CBC_SHA, /* 0x0013 */
- "DHE-DSS-DES-CBC3-SHA",
- CIPHER_WEAK_3DES_ENCRYPTION),
- CIPHER_DEF_SSLTLS(DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, /* 0x0014 */
- "EXP-EDH-RSA-DES-CBC-SHA",
- CIPHER_WEAK_DES_ENCRYPTION),
- CIPHER_DEF_SSLTLS(DHE_RSA_WITH_DES_CBC_SHA, /* 0x0015 */
- "EDH-RSA-DES-CBC-SHA",
- CIPHER_WEAK_DES_ENCRYPTION),
- CIPHER_DEF_SSLTLS(DHE_RSA_WITH_3DES_EDE_CBC_SHA, /* 0x0016 */
- "DHE-RSA-DES-CBC3-SHA",
- CIPHER_WEAK_3DES_ENCRYPTION),
- CIPHER_DEF_SSLTLS(DH_anon_EXPORT_WITH_RC4_40_MD5, /* 0x0017 */
- "EXP-ADH-RC4-MD5",
- CIPHER_WEAK_ANON_AUTH),
- CIPHER_DEF_SSLTLS(DH_anon_WITH_RC4_128_MD5, /* 0x0018 */
- "ADH-RC4-MD5",
- CIPHER_WEAK_ANON_AUTH),
- CIPHER_DEF_SSLTLS(DH_anon_EXPORT_WITH_DES40_CBC_SHA, /* 0x0019 */
- "EXP-ADH-DES-CBC-SHA",
- CIPHER_WEAK_ANON_AUTH),
- CIPHER_DEF_SSLTLS(DH_anon_WITH_DES_CBC_SHA, /* 0x001A */
- "ADH-DES-CBC-SHA",
- CIPHER_WEAK_ANON_AUTH),
- CIPHER_DEF_SSLTLS(DH_anon_WITH_3DES_EDE_CBC_SHA, /* 0x001B */
- "ADH-DES-CBC3-SHA",
- CIPHER_WEAK_3DES_ENCRYPTION),
+ CIPHER_DEF(SSL_RSA_WITH_NULL_MD5, /* 0x0001 */
+ CIPHER_WEAK_NOT_ENCRYPTED),
+ CIPHER_DEF(SSL_RSA_WITH_NULL_SHA, /* 0x0002 */
+ CIPHER_WEAK_NOT_ENCRYPTED),
+ CIPHER_DEF(SSL_RSA_EXPORT_WITH_RC4_40_MD5, /* 0x0003 */
+ CIPHER_WEAK_RC_ENCRYPTION),
+ CIPHER_DEF(SSL_RSA_WITH_RC4_128_MD5, /* 0x0004 */
+ CIPHER_WEAK_RC_ENCRYPTION),
+ CIPHER_DEF(SSL_RSA_WITH_RC4_128_SHA, /* 0x0005 */
+ CIPHER_WEAK_RC_ENCRYPTION),
+ CIPHER_DEF(SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, /* 0x0006 */
+ CIPHER_WEAK_RC_ENCRYPTION),
+ CIPHER_DEF(SSL_RSA_WITH_IDEA_CBC_SHA, /* 0x0007 */
+ CIPHER_WEAK_IDEA_ENCRYPTION),
+ CIPHER_DEF(SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, /* 0x0008 */
+ CIPHER_WEAK_DES_ENCRYPTION),
+ CIPHER_DEF(SSL_RSA_WITH_DES_CBC_SHA, /* 0x0009 */
+ CIPHER_WEAK_DES_ENCRYPTION),
+ CIPHER_DEF(SSL_RSA_WITH_3DES_EDE_CBC_SHA, /* 0x000A */
+ CIPHER_WEAK_3DES_ENCRYPTION),
+ CIPHER_DEF(SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA, /* 0x000B */
+ CIPHER_WEAK_DES_ENCRYPTION),
+ CIPHER_DEF(SSL_DH_DSS_WITH_DES_CBC_SHA, /* 0x000C */
+ CIPHER_WEAK_DES_ENCRYPTION),
+ CIPHER_DEF(SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA, /* 0x000D */
+ CIPHER_WEAK_3DES_ENCRYPTION),
+ CIPHER_DEF(SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA, /* 0x000E */
+ CIPHER_WEAK_DES_ENCRYPTION),
+ CIPHER_DEF(SSL_DH_RSA_WITH_DES_CBC_SHA, /* 0x000F */
+ CIPHER_WEAK_DES_ENCRYPTION),
+ CIPHER_DEF(SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA, /* 0x0010 */
+ CIPHER_WEAK_3DES_ENCRYPTION),
+ CIPHER_DEF(SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, /* 0x0011 */
+ CIPHER_WEAK_DES_ENCRYPTION),
+ CIPHER_DEF(SSL_DHE_DSS_WITH_DES_CBC_SHA, /* 0x0012 */
+ CIPHER_WEAK_DES_ENCRYPTION),
+ CIPHER_DEF(SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, /* 0x0013 */
+ CIPHER_WEAK_3DES_ENCRYPTION),
+ CIPHER_DEF(SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, /* 0x0014 */
+ CIPHER_WEAK_DES_ENCRYPTION),
+ CIPHER_DEF(SSL_DHE_RSA_WITH_DES_CBC_SHA, /* 0x0015 */
+ CIPHER_WEAK_DES_ENCRYPTION),
+ CIPHER_DEF(SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, /* 0x0016 */
+ CIPHER_WEAK_3DES_ENCRYPTION),
+ CIPHER_DEF(SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, /* 0x0017 */
+ CIPHER_WEAK_ANON_AUTH),
+ CIPHER_DEF(SSL_DH_anon_WITH_RC4_128_MD5, /* 0x0018 */
+ CIPHER_WEAK_ANON_AUTH),
+ CIPHER_DEF(SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, /* 0x0019 */
+ CIPHER_WEAK_ANON_AUTH),
+ CIPHER_DEF(SSL_DH_anon_WITH_DES_CBC_SHA, /* 0x001A */
+ CIPHER_WEAK_ANON_AUTH),
+ CIPHER_DEF(SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, /* 0x001B */
+ CIPHER_WEAK_3DES_ENCRYPTION),
CIPHER_DEF(SSL_FORTEZZA_DMS_WITH_NULL_SHA, /* 0x001C */
- NULL,
CIPHER_WEAK_NOT_ENCRYPTED),
CIPHER_DEF(SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, /* 0x001D */
- NULL,
CIPHER_STRONG_ENOUGH),
#if CURL_BUILD_MAC_10_9 || CURL_BUILD_IOS_7
/* RFC 4785 - Pre-Shared Key (PSK) Ciphersuites with NULL Encryption */
CIPHER_DEF(TLS_PSK_WITH_NULL_SHA, /* 0x002C */
- "PSK-NULL-SHA",
CIPHER_WEAK_NOT_ENCRYPTED),
CIPHER_DEF(TLS_DHE_PSK_WITH_NULL_SHA, /* 0x002D */
- "DHE-PSK-NULL-SHA",
CIPHER_WEAK_NOT_ENCRYPTED),
CIPHER_DEF(TLS_RSA_PSK_WITH_NULL_SHA, /* 0x002E */
- "RSA-PSK-NULL-SHA",
CIPHER_WEAK_NOT_ENCRYPTED),
#endif /* CURL_BUILD_MAC_10_9 || CURL_BUILD_IOS_7 */
/* TLS addenda using AES, per RFC 3268. Defined since SDK 10.4u */
CIPHER_DEF(TLS_RSA_WITH_AES_128_CBC_SHA, /* 0x002F */
- "AES128-SHA",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_DH_DSS_WITH_AES_128_CBC_SHA, /* 0x0030 */
- "DH-DSS-AES128-SHA",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_DH_RSA_WITH_AES_128_CBC_SHA, /* 0x0031 */
- "DH-RSA-AES128-SHA",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_DHE_DSS_WITH_AES_128_CBC_SHA, /* 0x0032 */
- "DHE-DSS-AES128-SHA",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_DHE_RSA_WITH_AES_128_CBC_SHA, /* 0x0033 */
- "DHE-RSA-AES128-SHA",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_DH_anon_WITH_AES_128_CBC_SHA, /* 0x0034 */
- "ADH-AES128-SHA",
CIPHER_WEAK_ANON_AUTH),
CIPHER_DEF(TLS_RSA_WITH_AES_256_CBC_SHA, /* 0x0035 */
- "AES256-SHA",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_DH_DSS_WITH_AES_256_CBC_SHA, /* 0x0036 */
- "DH-DSS-AES256-SHA",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_DH_RSA_WITH_AES_256_CBC_SHA, /* 0x0037 */
- "DH-RSA-AES256-SHA",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_DHE_DSS_WITH_AES_256_CBC_SHA, /* 0x0038 */
- "DHE-DSS-AES256-SHA",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_DHE_RSA_WITH_AES_256_CBC_SHA, /* 0x0039 */
- "DHE-RSA-AES256-SHA",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_DH_anon_WITH_AES_256_CBC_SHA, /* 0x003A */
- "ADH-AES256-SHA",
CIPHER_WEAK_ANON_AUTH),
#if CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS
/* TLS 1.2 addenda, RFC 5246 */
/* Server provided RSA certificate for key exchange. */
CIPHER_DEF(TLS_RSA_WITH_NULL_SHA256, /* 0x003B */
- "NULL-SHA256",
CIPHER_WEAK_NOT_ENCRYPTED),
CIPHER_DEF(TLS_RSA_WITH_AES_128_CBC_SHA256, /* 0x003C */
- "AES128-SHA256",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_RSA_WITH_AES_256_CBC_SHA256, /* 0x003D */
- "AES256-SHA256",
CIPHER_STRONG_ENOUGH),
/* Server-authenticated (and optionally client-authenticated)
Diffie-Hellman. */
CIPHER_DEF(TLS_DH_DSS_WITH_AES_128_CBC_SHA256, /* 0x003E */
- "DH-DSS-AES128-SHA256",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_DH_RSA_WITH_AES_128_CBC_SHA256, /* 0x003F */
- "DH-RSA-AES128-SHA256",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, /* 0x0040 */
- "DHE-DSS-AES128-SHA256",
CIPHER_STRONG_ENOUGH),
/* TLS 1.2 addenda, RFC 5246 */
CIPHER_DEF(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, /* 0x0067 */
- "DHE-RSA-AES128-SHA256",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_DH_DSS_WITH_AES_256_CBC_SHA256, /* 0x0068 */
- "DH-DSS-AES256-SHA256",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_DH_RSA_WITH_AES_256_CBC_SHA256, /* 0x0069 */
- "DH-RSA-AES256-SHA256",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, /* 0x006A */
- "DHE-DSS-AES256-SHA256",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, /* 0x006B */
- "DHE-RSA-AES256-SHA256",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_DH_anon_WITH_AES_128_CBC_SHA256, /* 0x006C */
- "ADH-AES128-SHA256",
CIPHER_WEAK_ANON_AUTH),
CIPHER_DEF(TLS_DH_anon_WITH_AES_256_CBC_SHA256, /* 0x006D */
- "ADH-AES256-SHA256",
CIPHER_WEAK_ANON_AUTH),
#endif /* CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS */
#if CURL_BUILD_MAC_10_9 || CURL_BUILD_IOS_7
/* Addendum from RFC 4279, TLS PSK */
CIPHER_DEF(TLS_PSK_WITH_RC4_128_SHA, /* 0x008A */
- "PSK-RC4-SHA",
CIPHER_WEAK_RC_ENCRYPTION),
CIPHER_DEF(TLS_PSK_WITH_3DES_EDE_CBC_SHA, /* 0x008B */
- "PSK-3DES-EDE-CBC-SHA",
CIPHER_WEAK_3DES_ENCRYPTION),
CIPHER_DEF(TLS_PSK_WITH_AES_128_CBC_SHA, /* 0x008C */
- "PSK-AES128-CBC-SHA",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_PSK_WITH_AES_256_CBC_SHA, /* 0x008D */
- "PSK-AES256-CBC-SHA",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_DHE_PSK_WITH_RC4_128_SHA, /* 0x008E */
- "DHE-PSK-RC4-SHA",
CIPHER_WEAK_RC_ENCRYPTION),
CIPHER_DEF(TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA, /* 0x008F */
- "DHE-PSK-3DES-EDE-CBC-SHA",
CIPHER_WEAK_3DES_ENCRYPTION),
CIPHER_DEF(TLS_DHE_PSK_WITH_AES_128_CBC_SHA, /* 0x0090 */
- "DHE-PSK-AES128-CBC-SHA",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_DHE_PSK_WITH_AES_256_CBC_SHA, /* 0x0091 */
- "DHE-PSK-AES256-CBC-SHA",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_RSA_PSK_WITH_RC4_128_SHA, /* 0x0092 */
- "RSA-PSK-RC4-SHA",
CIPHER_WEAK_RC_ENCRYPTION),
CIPHER_DEF(TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA, /* 0x0093 */
- "RSA-PSK-3DES-EDE-CBC-SHA",
CIPHER_WEAK_3DES_ENCRYPTION),
CIPHER_DEF(TLS_RSA_PSK_WITH_AES_128_CBC_SHA, /* 0x0094 */
- "RSA-PSK-AES128-CBC-SHA",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_RSA_PSK_WITH_AES_256_CBC_SHA, /* 0x0095 */
- "RSA-PSK-AES256-CBC-SHA",
CIPHER_STRONG_ENOUGH),
#endif /* CURL_BUILD_MAC_10_9 || CURL_BUILD_IOS_7 */
/* Addenda from rfc 5288 AES Galois Counter Mode (GCM) Cipher Suites
for TLS. */
CIPHER_DEF(TLS_RSA_WITH_AES_128_GCM_SHA256, /* 0x009C */
- "AES128-GCM-SHA256",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_RSA_WITH_AES_256_GCM_SHA384, /* 0x009D */
- "AES256-GCM-SHA384",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, /* 0x009E */
- "DHE-RSA-AES128-GCM-SHA256",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, /* 0x009F */
- "DHE-RSA-AES256-GCM-SHA384",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_DH_RSA_WITH_AES_128_GCM_SHA256, /* 0x00A0 */
- "DH-RSA-AES128-GCM-SHA256",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_DH_RSA_WITH_AES_256_GCM_SHA384, /* 0x00A1 */
- "DH-RSA-AES256-GCM-SHA384",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, /* 0x00A2 */
- "DHE-DSS-AES128-GCM-SHA256",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, /* 0x00A3 */
- "DHE-DSS-AES256-GCM-SHA384",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_DH_DSS_WITH_AES_128_GCM_SHA256, /* 0x00A4 */
- "DH-DSS-AES128-GCM-SHA256",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_DH_DSS_WITH_AES_256_GCM_SHA384, /* 0x00A5 */
- "DH-DSS-AES256-GCM-SHA384",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_DH_anon_WITH_AES_128_GCM_SHA256, /* 0x00A6 */
- "ADH-AES128-GCM-SHA256",
CIPHER_WEAK_ANON_AUTH),
CIPHER_DEF(TLS_DH_anon_WITH_AES_256_GCM_SHA384, /* 0x00A7 */
- "ADH-AES256-GCM-SHA384",
CIPHER_WEAK_ANON_AUTH),
#endif /* CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS */
#if CURL_BUILD_MAC_10_9 || CURL_BUILD_IOS_7
/* RFC 5487 - PSK with SHA-256/384 and AES GCM */
CIPHER_DEF(TLS_PSK_WITH_AES_128_GCM_SHA256, /* 0x00A8 */
- "PSK-AES128-GCM-SHA256",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_PSK_WITH_AES_256_GCM_SHA384, /* 0x00A9 */
- "PSK-AES256-GCM-SHA384",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_DHE_PSK_WITH_AES_128_GCM_SHA256, /* 0x00AA */
- "DHE-PSK-AES128-GCM-SHA256",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_DHE_PSK_WITH_AES_256_GCM_SHA384, /* 0x00AB */
- "DHE-PSK-AES256-GCM-SHA384",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_RSA_PSK_WITH_AES_128_GCM_SHA256, /* 0x00AC */
- "RSA-PSK-AES128-GCM-SHA256",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_RSA_PSK_WITH_AES_256_GCM_SHA384, /* 0x00AD */
- "RSA-PSK-AES256-GCM-SHA384",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_PSK_WITH_AES_128_CBC_SHA256, /* 0x00AE */
- "PSK-AES128-CBC-SHA256",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_PSK_WITH_AES_256_CBC_SHA384, /* 0x00AF */
- "PSK-AES256-CBC-SHA384",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_PSK_WITH_NULL_SHA256, /* 0x00B0 */
- "PSK-NULL-SHA256",
CIPHER_WEAK_NOT_ENCRYPTED),
CIPHER_DEF(TLS_PSK_WITH_NULL_SHA384, /* 0x00B1 */
- "PSK-NULL-SHA384",
CIPHER_WEAK_NOT_ENCRYPTED),
CIPHER_DEF(TLS_DHE_PSK_WITH_AES_128_CBC_SHA256, /* 0x00B2 */
- "DHE-PSK-AES128-CBC-SHA256",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_DHE_PSK_WITH_AES_256_CBC_SHA384, /* 0x00B3 */
- "DHE-PSK-AES256-CBC-SHA384",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_DHE_PSK_WITH_NULL_SHA256, /* 0x00B4 */
- "DHE-PSK-NULL-SHA256",
CIPHER_WEAK_NOT_ENCRYPTED),
CIPHER_DEF(TLS_DHE_PSK_WITH_NULL_SHA384, /* 0x00B5 */
- "DHE-PSK-NULL-SHA384",
CIPHER_WEAK_NOT_ENCRYPTED),
CIPHER_DEF(TLS_RSA_PSK_WITH_AES_128_CBC_SHA256, /* 0x00B6 */
- "RSA-PSK-AES128-CBC-SHA256",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_RSA_PSK_WITH_AES_256_CBC_SHA384, /* 0x00B7 */
- "RSA-PSK-AES256-CBC-SHA384",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_RSA_PSK_WITH_NULL_SHA256, /* 0x00B8 */
- "RSA-PSK-NULL-SHA256",
CIPHER_WEAK_NOT_ENCRYPTED),
CIPHER_DEF(TLS_RSA_PSK_WITH_NULL_SHA384, /* 0x00B9 */
- "RSA-PSK-NULL-SHA384",
CIPHER_WEAK_NOT_ENCRYPTED),
#endif /* CURL_BUILD_MAC_10_9 || CURL_BUILD_IOS_7 */
/* RFC 5746 - Secure Renegotiation. This is not a real suite,
it is a response to initiate negotiation again */
CIPHER_DEF(TLS_EMPTY_RENEGOTIATION_INFO_SCSV, /* 0x00FF */
- NULL,
CIPHER_STRONG_ENOUGH),
#if CURL_BUILD_MAC_10_13 || CURL_BUILD_IOS_11
Cipher alias name matches to OpenSSL cipher name, and for
TLS 1.3 ciphers */
CIPHER_DEF(TLS_AES_128_GCM_SHA256, /* 0x1301 */
- NULL, /* The OpenSSL cipher name matches to the IANA name */
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_AES_256_GCM_SHA384, /* 0x1302 */
- NULL, /* The OpenSSL cipher name matches to the IANA name */
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_CHACHA20_POLY1305_SHA256, /* 0x1303 */
- NULL, /* The OpenSSL cipher name matches to the IANA name */
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_AES_128_CCM_SHA256, /* 0x1304 */
- NULL, /* The OpenSSL cipher name matches to the IANA name */
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_AES_128_CCM_8_SHA256, /* 0x1305 */
- NULL, /* The OpenSSL cipher name matches to the IANA name */
CIPHER_STRONG_ENOUGH),
#endif /* CURL_BUILD_MAC_10_13 || CURL_BUILD_IOS_11 */
#if CURL_BUILD_MAC_10_6 || CURL_BUILD_IOS
/* ECDSA addenda, RFC 4492 */
CIPHER_DEF(TLS_ECDH_ECDSA_WITH_NULL_SHA, /* 0xC001 */
- "ECDH-ECDSA-NULL-SHA",
CIPHER_WEAK_NOT_ENCRYPTED),
CIPHER_DEF(TLS_ECDH_ECDSA_WITH_RC4_128_SHA, /* 0xC002 */
- "ECDH-ECDSA-RC4-SHA",
CIPHER_WEAK_RC_ENCRYPTION),
CIPHER_DEF(TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, /* 0xC003 */
- "ECDH-ECDSA-DES-CBC3-SHA",
CIPHER_WEAK_3DES_ENCRYPTION),
CIPHER_DEF(TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, /* 0xC004 */
- "ECDH-ECDSA-AES128-SHA",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, /* 0xC005 */
- "ECDH-ECDSA-AES256-SHA",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_ECDHE_ECDSA_WITH_NULL_SHA, /* 0xC006 */
- "ECDHE-ECDSA-NULL-SHA",
CIPHER_WEAK_NOT_ENCRYPTED),
CIPHER_DEF(TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, /* 0xC007 */
- "ECDHE-ECDSA-RC4-SHA",
CIPHER_WEAK_RC_ENCRYPTION),
CIPHER_DEF(TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, /* 0xC008 */
- "ECDHE-ECDSA-DES-CBC3-SHA",
CIPHER_WEAK_3DES_ENCRYPTION),
CIPHER_DEF(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, /* 0xC009 */
- "ECDHE-ECDSA-AES128-SHA",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, /* 0xC00A */
- "ECDHE-ECDSA-AES256-SHA",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_ECDH_RSA_WITH_NULL_SHA, /* 0xC00B */
- "ECDH-RSA-NULL-SHA",
CIPHER_WEAK_NOT_ENCRYPTED),
CIPHER_DEF(TLS_ECDH_RSA_WITH_RC4_128_SHA, /* 0xC00C */
- "ECDH-RSA-RC4-SHA",
CIPHER_WEAK_RC_ENCRYPTION),
CIPHER_DEF(TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, /* 0xC00D */
- "ECDH-RSA-DES-CBC3-SHA",
CIPHER_WEAK_3DES_ENCRYPTION),
CIPHER_DEF(TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, /* 0xC00E */
- "ECDH-RSA-AES128-SHA",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, /* 0xC00F */
- "ECDH-RSA-AES256-SHA",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_ECDHE_RSA_WITH_NULL_SHA, /* 0xC010 */
- "ECDHE-RSA-NULL-SHA",
CIPHER_WEAK_NOT_ENCRYPTED),
CIPHER_DEF(TLS_ECDHE_RSA_WITH_RC4_128_SHA, /* 0xC011 */
- "ECDHE-RSA-RC4-SHA",
CIPHER_WEAK_RC_ENCRYPTION),
CIPHER_DEF(TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, /* 0xC012 */
- "ECDHE-RSA-DES-CBC3-SHA",
CIPHER_WEAK_3DES_ENCRYPTION),
CIPHER_DEF(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, /* 0xC013 */
- "ECDHE-RSA-AES128-SHA",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, /* 0xC014 */
- "ECDHE-RSA-AES256-SHA",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_ECDH_anon_WITH_NULL_SHA, /* 0xC015 */
- "AECDH-NULL-SHA",
CIPHER_WEAK_ANON_AUTH),
CIPHER_DEF(TLS_ECDH_anon_WITH_RC4_128_SHA, /* 0xC016 */
- "AECDH-RC4-SHA",
CIPHER_WEAK_ANON_AUTH),
CIPHER_DEF(TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, /* 0xC017 */
- "AECDH-DES-CBC3-SHA",
CIPHER_WEAK_3DES_ENCRYPTION),
CIPHER_DEF(TLS_ECDH_anon_WITH_AES_128_CBC_SHA, /* 0xC018 */
- "AECDH-AES128-SHA",
CIPHER_WEAK_ANON_AUTH),
CIPHER_DEF(TLS_ECDH_anon_WITH_AES_256_CBC_SHA, /* 0xC019 */
- "AECDH-AES256-SHA",
CIPHER_WEAK_ANON_AUTH),
#endif /* CURL_BUILD_MAC_10_6 || CURL_BUILD_IOS */
/* Addenda from rfc 5289 Elliptic Curve Cipher Suites with
HMAC SHA-256/384. */
CIPHER_DEF(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, /* 0xC023 */
- "ECDHE-ECDSA-AES128-SHA256",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, /* 0xC024 */
- "ECDHE-ECDSA-AES256-SHA384",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, /* 0xC025 */
- "ECDH-ECDSA-AES128-SHA256",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, /* 0xC026 */
- "ECDH-ECDSA-AES256-SHA384",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, /* 0xC027 */
- "ECDHE-RSA-AES128-SHA256",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, /* 0xC028 */
- "ECDHE-RSA-AES256-SHA384",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, /* 0xC029 */
- "ECDH-RSA-AES128-SHA256",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, /* 0xC02A */
- "ECDH-RSA-AES256-SHA384",
CIPHER_STRONG_ENOUGH),
/* Addenda from rfc 5289 Elliptic Curve Cipher Suites with
SHA-256/384 and AES Galois Counter Mode (GCM) */
CIPHER_DEF(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, /* 0xC02B */
- "ECDHE-ECDSA-AES128-GCM-SHA256",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, /* 0xC02C */
- "ECDHE-ECDSA-AES256-GCM-SHA384",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, /* 0xC02D */
- "ECDH-ECDSA-AES128-GCM-SHA256",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, /* 0xC02E */
- "ECDH-ECDSA-AES256-GCM-SHA384",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, /* 0xC02F */
- "ECDHE-RSA-AES128-GCM-SHA256",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, /* 0xC030 */
- "ECDHE-RSA-AES256-GCM-SHA384",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, /* 0xC031 */
- "ECDH-RSA-AES128-GCM-SHA256",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, /* 0xC032 */
- "ECDH-RSA-AES256-GCM-SHA384",
CIPHER_STRONG_ENOUGH),
#endif /* CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS */
#if CURL_BUILD_MAC_10_15 || CURL_BUILD_IOS_13
/* ECDHE_PSK Cipher Suites for Transport Layer Security (TLS), RFC 5489 */
CIPHER_DEF(TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA, /* 0xC035 */
- "ECDHE-PSK-AES128-CBC-SHA",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA, /* 0xC036 */
- "ECDHE-PSK-AES256-CBC-SHA",
CIPHER_STRONG_ENOUGH),
#endif /* CURL_BUILD_MAC_10_15 || CURL_BUILD_IOS_13 */
/* Addenda from rfc 7905 ChaCha20-Poly1305 Cipher Suites for
Transport Layer Security (TLS). */
CIPHER_DEF(TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, /* 0xCCA8 */
- "ECDHE-RSA-CHACHA20-POLY1305",
CIPHER_STRONG_ENOUGH),
CIPHER_DEF(TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, /* 0xCCA9 */
- "ECDHE-ECDSA-CHACHA20-POLY1305",
CIPHER_STRONG_ENOUGH),
#endif /* CURL_BUILD_MAC_10_13 || CURL_BUILD_IOS_11 */
/* ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS),
RFC 7905 */
CIPHER_DEF(TLS_PSK_WITH_CHACHA20_POLY1305_SHA256, /* 0xCCAB */
- "PSK-CHACHA20-POLY1305",
CIPHER_STRONG_ENOUGH),
#endif /* CURL_BUILD_MAC_10_15 || CURL_BUILD_IOS_13 */
/* Tags for SSL 2 cipher kinds which are not specified for SSL 3.
Defined since SDK 10.2.8 */
CIPHER_DEF(SSL_RSA_WITH_RC2_CBC_MD5, /* 0xFF80 */
- NULL,
CIPHER_WEAK_RC_ENCRYPTION),
CIPHER_DEF(SSL_RSA_WITH_IDEA_CBC_MD5, /* 0xFF81 */
- NULL,
CIPHER_WEAK_IDEA_ENCRYPTION),
CIPHER_DEF(SSL_RSA_WITH_DES_CBC_MD5, /* 0xFF82 */
- NULL,
CIPHER_WEAK_DES_ENCRYPTION),
CIPHER_DEF(SSL_RSA_WITH_3DES_EDE_CBC_MD5, /* 0xFF83 */
- NULL,
CIPHER_WEAK_3DES_ENCRYPTION),
};
return rtn;
}
-CF_INLINE const char *TLSCipherNameForNumber(SSLCipherSuite cipher)
-{
- /* The first ciphers in the ciphertable are continuous. Here we do small
- optimization and instead of loop directly get SSL name by cipher number.
- */
- size_t i;
- if(cipher <= SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA) {
- return ciphertable[cipher].name;
- }
- /* Iterate through the rest of the ciphers */
- for(i = SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA + 1; i < NUM_OF_CIPHERS;
- ++i) {
- if(ciphertable[i].num == cipher) {
- return ciphertable[i].name;
- }
- }
- return ciphertable[SSL_NULL_WITH_NULL_NULL].name;
-}
-
#if CURL_BUILD_MAC
CF_INLINE void GetDarwinVersionNumber(int *major, int *minor)
{
return true;
}
-static bool sectransp_is_separator(char c)
+static int sectransp_cipher_suite_get_str(uint16_t id, char *buf,
+ size_t buf_size, bool prefer_rfc)
{
- /* Return whether character is a cipher list separator. */
- switch(c) {
- case ' ':
- case '\t':
- case ':':
- case ',':
- case ';':
- return true;
- }
- return false;
+ /* are these fortezza suites even supported ? */
+ if(id == SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA)
+ msnprintf(buf, buf_size, "%s", "SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA");
+ else if(id == SSL_FORTEZZA_DMS_WITH_NULL_SHA)
+ msnprintf(buf, buf_size, "%s", "SSL_FORTEZZA_DMS_WITH_NULL_SHA");
+ /* can TLS_EMPTY_RENEGOTIATION_INFO_SCSV even be set ? */
+ else if(id == TLS_EMPTY_RENEGOTIATION_INFO_SCSV)
+ msnprintf(buf, buf_size, "%s", "TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
+ /* do we still need to support these SSL2-only ciphers ? */
+ else if(id == SSL_RSA_WITH_RC2_CBC_MD5)
+ msnprintf(buf, buf_size, "%s", "SSL_RSA_WITH_RC2_CBC_MD5");
+ else if(id == SSL_RSA_WITH_IDEA_CBC_MD5)
+ msnprintf(buf, buf_size, "%s", "SSL_RSA_WITH_IDEA_CBC_MD5");
+ else if(id == SSL_RSA_WITH_DES_CBC_MD5)
+ msnprintf(buf, buf_size, "%s", "SSL_RSA_WITH_DES_CBC_MD5");
+ else if(id == SSL_RSA_WITH_3DES_EDE_CBC_MD5)
+ msnprintf(buf, buf_size, "%s", "SSL_RSA_WITH_3DES_EDE_CBC_MD5");
+ else
+ return Curl_cipher_suite_get_str(id, buf, buf_size, prefer_rfc);
+ return 0;
+}
+
+static uint16_t sectransp_cipher_suite_walk_str(const char **str,
+ const char **end)
+{
+ uint16_t id = Curl_cipher_suite_walk_str(str, end);
+ size_t len = *end - *str;
+
+ if(!id) {
+ /* are these fortezza suites even supported ? */
+ if(strncasecompare("SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA", *str, len))
+ id = SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA;
+ else if(strncasecompare("SSL_FORTEZZA_DMS_WITH_NULL_SHA", *str, len))
+ id = SSL_FORTEZZA_DMS_WITH_NULL_SHA;
+ /* can TLS_EMPTY_RENEGOTIATION_INFO_SCSV even be set ? */
+ else if(strncasecompare("TLS_EMPTY_RENEGOTIATION_INFO_SCSV", *str, len))
+ id = TLS_EMPTY_RENEGOTIATION_INFO_SCSV;
+ /* do we still need to support these SSL2-only ciphers ? */
+ else if(strncasecompare("SSL_RSA_WITH_RC2_CBC_MD5", *str, len))
+ id = SSL_RSA_WITH_RC2_CBC_MD5;
+ else if(strncasecompare("SSL_RSA_WITH_IDEA_CBC_MD5", *str, len))
+ id = SSL_RSA_WITH_IDEA_CBC_MD5;
+ else if(strncasecompare("SSL_RSA_WITH_DES_CBC_MD5", *str, len))
+ id = SSL_RSA_WITH_DES_CBC_MD5;
+ else if(strncasecompare("SSL_RSA_WITH_3DES_EDE_CBC_MD5", *str, len))
+ id = SSL_RSA_WITH_3DES_EDE_CBC_MD5;
+ }
+ return id;
}
static CURLcode sectransp_set_default_ciphers(struct Curl_easy *data,
SSLContextRef ssl_ctx,
const char *ciphers)
{
- size_t ciphers_count = 0;
- const char *cipher_start = ciphers;
- OSStatus err = noErr;
- SSLCipherSuite selected_ciphers[NUM_OF_CIPHERS];
-
- if(!ciphers)
- return CURLE_OK;
-
- while(sectransp_is_separator(*ciphers)) /* Skip initial separators. */
- ciphers++;
- if(!*ciphers)
- return CURLE_OK;
-
- cipher_start = ciphers;
- while(*cipher_start && ciphers_count < NUM_OF_CIPHERS) {
- bool cipher_found = FALSE;
- size_t cipher_len = 0;
- const char *cipher_end = NULL;
- bool tls_name = FALSE;
- size_t i;
-
- /* Skip separators */
- while(sectransp_is_separator(*cipher_start))
- cipher_start++;
- if(*cipher_start == '\0') {
- break;
- }
- /* Find last position of a cipher in the ciphers string */
- cipher_end = cipher_start;
- while(*cipher_end != '\0' && !sectransp_is_separator(*cipher_end)) {
- ++cipher_end;
- }
-
- /* IANA cipher names start with the TLS_ or SSL_ prefix.
- If the 4th symbol of the cipher is '_' we look for a cipher in the
- table by its (TLS) name.
- Otherwise, we try to match cipher by an alias. */
- if(cipher_start[3] == '_') {
- tls_name = TRUE;
- }
- /* Iterate through the cipher table and look for the cipher, starting
- the cipher number 0x01 because the 0x00 is not the real cipher */
- cipher_len = cipher_end - cipher_start;
- for(i = 1; i < NUM_OF_CIPHERS; ++i) {
- const char *table_cipher_name = NULL;
- if(tls_name) {
- table_cipher_name = ciphertable[i].name;
- }
- else if(ciphertable[i].alias_name) {
- table_cipher_name = ciphertable[i].alias_name;
- }
- else {
- continue;
- }
- /* Compare a part of the string between separators with a cipher name
- in the table and make sure we matched the whole cipher name */
- if(strncmp(cipher_start, table_cipher_name, cipher_len) == 0
- && table_cipher_name[cipher_len] == '\0') {
- selected_ciphers[ciphers_count] = ciphertable[i].num;
- ++ciphers_count;
- cipher_found = TRUE;
- break;
+ size_t count = 0, i;
+ const char *ptr, *end;
+ OSStatus err;
+ SSLCipherSuite selected[NUM_OF_CIPHERS];
+
+ for(ptr = ciphers; ptr[0] != '\0' && count < NUM_OF_CIPHERS; ptr = end) {
+ uint16_t id = sectransp_cipher_suite_walk_str(&ptr, &end);
+
+ /* Check if cipher is supported */
+ if(id) {
+ for(i = 0; i < NUM_OF_CIPHERS && ciphertable[i].num != id; i++);
+ if(i == NUM_OF_CIPHERS)
+ id = 0;
+ }
+ if(!id) {
+ if(ptr[0] != '\0') {
+ infof(data, "SSL: unknown cipher in list: \"%.*s\"", (int) (end - ptr),
+ ptr);
+ /* Perhaps we should be more lenient like the other SSL backends and
+ continue with the ciphers we do recognize. */
+ return CURLE_SSL_CIPHER;
}
+ continue;
}
- if(!cipher_found) {
- /* It would be more human-readable if we print the wrong cipher name
- but we don't want to allocate any additional memory and copy the name
- into it, then add it into logs.
- Also, we do not modify an original cipher list string. We just point
- to positions where cipher starts and ends in the cipher list string.
- The message is a bit cryptic and longer than necessary but can be
- understood by humans. */
- failf(data, "SSL: cipher string \"%s\" contains unsupported cipher name"
- " starting position %zd and ending position %zd",
- ciphers,
- cipher_start - ciphers,
- cipher_end - ciphers);
- return CURLE_SSL_CIPHER;
- }
- if(*cipher_end) {
- cipher_start = cipher_end + 1;
- }
- else {
- break;
- }
+
+ selected[count++] = id;
}
+
+ if(count == 0) {
+ failf(data, "SSL: no supported cipher in list");
+ return CURLE_SSL_CIPHER;
+ }
+
/* All cipher suites in the list are found. Report to logs as-is */
infof(data, "SSL: Setting cipher suites list \"%s\"", ciphers);
- err = SSLSetEnabledCiphers(ssl_ctx, selected_ciphers, ciphers_count);
+ err = SSLSetEnabledCiphers(ssl_ctx, selected, count);
if(err != noErr) {
failf(data, "SSL: SSLSetEnabledCiphers() failed: OSStatus %d", err);
return CURLE_SSL_CIPHER;
return CURLE_SSL_CONNECT_ERROR;
}
else {
+ char cipher_str[64];
/* we have been connected fine, we're not waiting for anything else. */
connssl->connecting_state = ssl_connect_3;
/* Informational message */
(void)SSLGetNegotiatedCipher(backend->ssl_ctx, &cipher);
(void)SSLGetNegotiatedProtocolVersion(backend->ssl_ctx, &protocol);
+
+ sectransp_cipher_suite_get_str((uint16_t) cipher, cipher_str,
+ sizeof(cipher_str), true);
switch(protocol) {
case kSSLProtocol2:
- infof(data, "SSL 2.0 connection using %s",
- TLSCipherNameForNumber(cipher));
+ infof(data, "SSL 2.0 connection using %s", cipher_str);
break;
case kSSLProtocol3:
- infof(data, "SSL 3.0 connection using %s",
- TLSCipherNameForNumber(cipher));
+ infof(data, "SSL 3.0 connection using %s", cipher_str);
break;
case kTLSProtocol1:
- infof(data, "TLS 1.0 connection using %s",
- TLSCipherNameForNumber(cipher));
+ infof(data, "TLS 1.0 connection using %s", cipher_str);
break;
#if CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS
case kTLSProtocol11:
- infof(data, "TLS 1.1 connection using %s",
- TLSCipherNameForNumber(cipher));
+ infof(data, "TLS 1.1 connection using %s", cipher_str);
break;
case kTLSProtocol12:
- infof(data, "TLS 1.2 connection using %s",
- TLSCipherNameForNumber(cipher));
+ infof(data, "TLS 1.2 connection using %s", cipher_str);
break;
#endif /* CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS */
#if CURL_BUILD_MAC_10_13 || CURL_BUILD_IOS_11
case kTLSProtocol13:
- infof(data, "TLS 1.3 connection using %s",
- TLSCipherNameForNumber(cipher));
+ infof(data, "TLS 1.3 connection using %s", cipher_str);
break;
#endif /* CURL_BUILD_MAC_10_13 || CURL_BUILD_IOS_11 */
default:
{
}
-#if defined(USE_MBEDTLS) || defined(USE_BEARSSL)
+#if defined(USE_SECTRANSP) || defined(USE_MBEDTLS) || defined(USE_BEARSSL)
struct test_cs_entry {
uint16_t id;
"ECDHE-RSA-CHACHA20-POLY1305" },
{ 0xCCA9, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
"ECDHE-ECDSA-CHACHA20-POLY1305" },
-#if defined(USE_MBEDTLS)
+#if defined(USE_SECTRANSP) || defined(USE_MBEDTLS)
{ 0x0001, "TLS_RSA_WITH_NULL_MD5",
"NULL-MD5" },
{ 0x0002, "TLS_RSA_WITH_NULL_SHA",
{ 0xCCAB, "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256",
"PSK-CHACHA20-POLY1305" },
#endif
-#if defined(USE_BEARSSL)
+#if defined(USE_SECTRANSP) || defined(USE_BEARSSL)
{ 0x000A, "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
"DES-CBC3-SHA" },
{ 0xC003, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
{ 0xC012, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
"ECDHE-RSA-DES-CBC3-SHA" },
#endif
+#if defined(USE_MBEDTLS) || defined(USE_BEARSSL)
{ 0xC09C, "TLS_RSA_WITH_AES_128_CCM",
"AES128-CCM" },
{ 0xC09D, "TLS_RSA_WITH_AES_256_CCM",
"ECDHE-ECDSA-AES128-CCM8" },
{ 0xC0AF, "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8",
"ECDHE-ECDSA-AES256-CCM8" },
+#endif
+#if defined(USE_SECTRANSP)
+ { 0x0003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
+ "EXP-RC4-MD5" },
+ { 0x0004, "TLS_RSA_WITH_RC4_128_MD5",
+ "RC4-MD5" },
+ { 0x0005, "TLS_RSA_WITH_RC4_128_SHA",
+ "RC4-SHA" },
+ { 0x0006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
+ "EXP-RC2-CBC-MD5" },
+ { 0x0007, "TLS_RSA_WITH_IDEA_CBC_SHA",
+ "IDEA-CBC-SHA" },
+ { 0x0008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
+ "EXP-DES-CBC-SHA" },
+ { 0x0009, "TLS_RSA_WITH_DES_CBC_SHA",
+ "DES-CBC-SHA" },
+ { 0x000B, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
+ "EXP-DH-DSS-DES-CBC-SHA" },
+ { 0x000C, "TLS_DH_DSS_WITH_DES_CBC_SHA",
+ "DH-DSS-DES-CBC-SHA" },
+ { 0x000D, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
+ "DH-DSS-DES-CBC3-SHA" },
+ { 0x000E, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
+ "EXP-DH-RSA-DES-CBC-SHA" },
+ { 0x000F, "TLS_DH_RSA_WITH_DES_CBC_SHA",
+ "DH-RSA-DES-CBC-SHA" },
+ { 0x0010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
+ "DH-RSA-DES-CBC3-SHA" },
+ { 0x0011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
+ "EXP-DHE-DSS-DES-CBC-SHA" },
+ { 0x0012, "TLS_DHE_DSS_WITH_DES_CBC_SHA",
+ "DHE-DSS-DES-CBC-SHA" },
+ { 0x0013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
+ "DHE-DSS-DES-CBC3-SHA" },
+ { 0x0014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
+ "EXP-DHE-RSA-DES-CBC-SHA" },
+ { 0x0015, "TLS_DHE_RSA_WITH_DES_CBC_SHA",
+ "DHE-RSA-DES-CBC-SHA" },
+ { 0x0016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
+ "DHE-RSA-DES-CBC3-SHA" },
+ { 0x0017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
+ "EXP-ADH-RC4-MD5" },
+ { 0x0018, "TLS_DH_anon_WITH_RC4_128_MD5",
+ "ADH-RC4-MD5" },
+ { 0x0019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
+ "EXP-ADH-DES-CBC-SHA" },
+ { 0x001A, "TLS_DH_anon_WITH_DES_CBC_SHA",
+ "ADH-DES-CBC-SHA" },
+ { 0x001B, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA",
+ "ADH-DES-CBC3-SHA" },
+ { 0x0030, "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
+ "DH-DSS-AES128-SHA" },
+ { 0x0031, "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
+ "DH-RSA-AES128-SHA" },
+ { 0x0032, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
+ "DHE-DSS-AES128-SHA" },
+ { 0x0034, "TLS_DH_anon_WITH_AES_128_CBC_SHA",
+ "ADH-AES128-SHA" },
+ { 0x0036, "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
+ "DH-DSS-AES256-SHA" },
+ { 0x0037, "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
+ "DH-RSA-AES256-SHA" },
+ { 0x0038, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
+ "DHE-DSS-AES256-SHA" },
+ { 0x003A, "TLS_DH_anon_WITH_AES_256_CBC_SHA",
+ "ADH-AES256-SHA" },
+ { 0x003E, "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
+ "DH-DSS-AES128-SHA256" },
+ { 0x003F, "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
+ "DH-RSA-AES128-SHA256" },
+ { 0x0040, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
+ "DHE-DSS-AES128-SHA256" },
+ { 0x0068, "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
+ "DH-DSS-AES256-SHA256" },
+ { 0x0069, "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
+ "DH-RSA-AES256-SHA256" },
+ { 0x006A, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
+ "DHE-DSS-AES256-SHA256" },
+ { 0x006C, "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
+ "ADH-AES128-SHA256" },
+ { 0x006D, "TLS_DH_anon_WITH_AES_256_CBC_SHA256",
+ "ADH-AES256-SHA256" },
+ { 0x008A, "TLS_PSK_WITH_RC4_128_SHA",
+ "PSK-RC4-SHA" },
+ { 0x008B, "TLS_PSK_WITH_3DES_EDE_CBC_SHA",
+ "PSK-3DES-EDE-CBC-SHA" },
+ { 0x008E, "TLS_DHE_PSK_WITH_RC4_128_SHA",
+ "DHE-PSK-RC4-SHA" },
+ { 0x008F, "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
+ "DHE-PSK-3DES-EDE-CBC-SHA" },
+ { 0x0092, "TLS_RSA_PSK_WITH_RC4_128_SHA",
+ "RSA-PSK-RC4-SHA" },
+ { 0x0093, "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
+ "RSA-PSK-3DES-EDE-CBC-SHA" },
+ { 0x00A0, "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
+ "DH-RSA-AES128-GCM-SHA256" },
+ { 0x00A1, "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
+ "DH-RSA-AES256-GCM-SHA384" },
+ { 0x00A2, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
+ "DHE-DSS-AES128-GCM-SHA256" },
+ { 0x00A3, "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
+ "DHE-DSS-AES256-GCM-SHA384" },
+ { 0x00A4, "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
+ "DH-DSS-AES128-GCM-SHA256" },
+ { 0x00A5, "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
+ "DH-DSS-AES256-GCM-SHA384" },
+ { 0x00A6, "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
+ "ADH-AES128-GCM-SHA256" },
+ { 0x00A7, "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
+ "ADH-AES256-GCM-SHA384" },
+ { 0xC002, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
+ "ECDH-ECDSA-RC4-SHA" },
+ { 0xC007, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
+ "ECDHE-ECDSA-RC4-SHA" },
+ { 0xC00C, "TLS_ECDH_RSA_WITH_RC4_128_SHA",
+ "ECDH-RSA-RC4-SHA" },
+ { 0xC011, "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
+ "ECDHE-RSA-RC4-SHA" },
+ { 0xC015, "TLS_ECDH_anon_WITH_NULL_SHA",
+ "AECDH-NULL-SHA" },
+ { 0xC016, "TLS_ECDH_anon_WITH_RC4_128_SHA",
+ "AECDH-RC4-SHA" },
+ { 0xC017, "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
+ "AECDH-DES-CBC3-SHA" },
+ { 0xC018, "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
+ "AECDH-AES128-SHA" },
+ { 0xC019, "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
+ "AECDH-AES256-SHA" },
+ /* Backward compatible aliases (EDH vs DHE) */
+ { 0x0011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
+ "EXP-EDH-DSS-DES-CBC-SHA" },
+ { 0x0012, "TLS_DHE_DSS_WITH_DES_CBC_SHA",
+ "EDH-DSS-DES-CBC-SHA" },
+ { 0x0013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
+ "EDH-DSS-DES-CBC3-SHA" },
+ { 0x0014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
+ "EXP-EDH-RSA-DES-CBC-SHA" },
+ { 0x0015, "TLS_DHE_RSA_WITH_DES_CBC_SHA",
+ "EDH-RSA-DES-CBC-SHA" },
+ { 0x0016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
+ "EDH-RSA-DES-CBC3-SHA" },
+#endif
#if defined(USE_MBEDTLS)
/* entries marked ns are non-"standard", they are not in openssl */
{ 0x0041, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
const char *str;
};
static const struct test_str_entry test_str_list[] = {
-#if defined(USE_MBEDTLS)
+#if defined(USE_SECTRANSP) || defined(USE_MBEDTLS)
{ 0x1301, "TLS_AES_128_GCM_SHA256"},
{ 0x1302, "TLS_AES_256_GCM_SHA384"},
{ 0x1303, "TLS_CHACHA20_POLY1305_SHA256"},
{ 0xC030, "ECDHE-RSA-AES256-GCM-SHA384"},
{ 0xCCA9, "ECDHE-ECDSA-CHACHA20-POLY1305"},
{ 0xCCA8, "ECDHE-RSA-CHACHA20-POLY1305"},
-#if defined(USE_MBEDTLS)
+#if defined(USE_SECTRANSP) || defined(USE_MBEDTLS)
{ 0x009E, "DHE-RSA-AES128-GCM-SHA256"},
{ 0x009F, "DHE-RSA-AES256-GCM-SHA384"},
- { 0xCCAA, "DHE-RSA-CHACHA20-POLY1305"},
#else
{ 0x0000, "DHE-RSA-AES128-GCM-SHA256"},
{ 0x0000, "DHE-RSA-AES256-GCM-SHA384"},
+#endif
+#if defined(USE_MBEDTLS)
+ { 0xCCAA, "DHE-RSA-CHACHA20-POLY1305"},
+#else
{ 0x0000, "DHE-RSA-CHACHA20-POLY1305"},
#endif
{ 0xC023, "ECDHE-ECDSA-AES128-SHA256" },
{ 0xC028, "ECDHE-RSA-AES256-SHA384" },
{ 0xC00A, "ECDHE-ECDSA-AES256-SHA" },
{ 0xC014, "ECDHE-RSA-AES256-SHA" },
-#if defined(USE_MBEDTLS)
+#if defined(USE_SECTRANSP) || defined(USE_MBEDTLS)
{ 0x0067, "DHE-RSA-AES128-SHA256" },
{ 0x006B, "DHE-RSA-AES256-SHA256" },
#else
{ 0x003D, "AES256-SHA256" },
{ 0x002F, "AES128-SHA" },
{ 0x0035, "AES256-SHA" },
-#if defined(USE_BEARSSL)
+#if defined(USE_SECTRANSP) || defined(USE_BEARSSL)
{ 0x000A, "DES-CBC3-SHA" },
#else
{ 0x0000, "DES-CBC3-SHA" },
const struct test_cs_entry *test = &test_cs_list[i];
const char *expect;
char buf[64] = "";
+ char alt[64] = "";
uint16_t id;
/* test Curl_cipher_suite_lookup_id() for rfc name */
Curl_cipher_suite_get_str(test->id, buf, sizeof(buf), false);
+ /* suites matched by EDH alias will return the DHE name */
+ if(test->id >= 0x0011 && test->id < 0x0017) {
+ if(memcmp(expect, "EDH-", 4) == 0)
+ expect = (char *) memcpy(strcpy(alt, expect), "DHE-", 4);
+ if(memcmp(expect + 4, "EDH-", 4) == 0)
+ expect = (char *) memcpy(strcpy(alt, expect) + 4, "DHE-", 4) - 4;
+ }
+
if(strcmp(buf, expect) != 0) {
fprintf(stderr, "Curl_cipher_suite_get_str FAILED for 0x%04x, "
"result = \"%s\", expected = \"%s\"\n",
}
UNITTEST_STOP
-#else /* defined(USE_MBEDTLS) || defined(USE_BEARSSL) */
+#else /* defined(USE_SECTRANSP) || defined(USE_MBEDTLS) || \
+ defined(USE_BEARSSL) */
UNITTEST_START
UNITTEST_STOP
-#endif /* defined(USE_MBEDTLS) || defined(USE_BEARSSL) */
+#endif /* defined(USE_SECTRANSP) || defined(USE_MBEDTLS) || \
+ defined(USE_BEARSSL) */
projects / thirdparty / curl.git / commitdiff
