diff --git a/src/AppleTLSSession.cc b/src/AppleTLSSession.cc index 89961430..57c48990 100644 --- a/src/AppleTLSSession.cc +++ b/src/AppleTLSSession.cc @@ -35,6 +35,7 @@ #include "AppleTLSSession.h" +#include #include #include 
@@ -95,160 +96,215 @@ namespace { } } -#define SUITE(s) { s, #s } +#define SUITE(s, n) { n, #s } static struct { SSLCipherSuite suite; const char *name; } kSuites[] = { - SUITE(SSL_NULL_WITH_NULL_NULL), - SUITE(SSL_RSA_WITH_NULL_MD5), - SUITE(SSL_RSA_WITH_NULL_SHA), - SUITE(SSL_RSA_EXPORT_WITH_RC4_40_MD5), - SUITE(SSL_RSA_WITH_RC4_128_MD5), - SUITE(SSL_RSA_WITH_RC4_128_SHA), - SUITE(SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5), - SUITE(SSL_RSA_WITH_IDEA_CBC_SHA), - SUITE(SSL_RSA_EXPORT_WITH_DES40_CBC_SHA), - SUITE(SSL_RSA_WITH_DES_CBC_SHA), - SUITE(SSL_RSA_WITH_3DES_EDE_CBC_SHA), - SUITE(SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA), - SUITE(SSL_DH_DSS_WITH_DES_CBC_SHA), - SUITE(SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA), - SUITE(SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA), - SUITE(SSL_DH_RSA_WITH_DES_CBC_SHA), - SUITE(SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA), - SUITE(SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA), - SUITE(SSL_DHE_DSS_WITH_DES_CBC_SHA), - SUITE(SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA), - SUITE(SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA), - SUITE(SSL_DHE_RSA_WITH_DES_CBC_SHA), - SUITE(SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA), - SUITE(SSL_DH_anon_EXPORT_WITH_RC4_40_MD5), - SUITE(SSL_DH_anon_WITH_RC4_128_MD5), - SUITE(SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA), - SUITE(SSL_DH_anon_WITH_DES_CBC_SHA), - SUITE(SSL_DH_anon_WITH_3DES_EDE_CBC_SHA), - SUITE(SSL_FORTEZZA_DMS_WITH_NULL_SHA), - SUITE(SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA), - SUITE(TLS_RSA_WITH_AES_128_CBC_SHA), - SUITE(TLS_DH_DSS_WITH_AES_128_CBC_SHA), - SUITE(TLS_DH_RSA_WITH_AES_128_CBC_SHA), - SUITE(TLS_DHE_DSS_WITH_AES_128_CBC_SHA), - SUITE(TLS_DHE_RSA_WITH_AES_128_CBC_SHA), - SUITE(TLS_DH_anon_WITH_AES_128_CBC_SHA), - SUITE(TLS_RSA_WITH_AES_256_CBC_SHA), - SUITE(TLS_DH_DSS_WITH_AES_256_CBC_SHA), - SUITE(TLS_DH_RSA_WITH_AES_256_CBC_SHA), - SUITE(TLS_DHE_DSS_WITH_AES_256_CBC_SHA), - SUITE(TLS_DHE_RSA_WITH_AES_256_CBC_SHA), - SUITE(TLS_DH_anon_WITH_AES_256_CBC_SHA), - SUITE(TLS_ECDH_ECDSA_WITH_NULL_SHA), - SUITE(TLS_ECDH_ECDSA_WITH_RC4_128_SHA), - 
SUITE(TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA), - SUITE(TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA), - SUITE(TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA), - SUITE(TLS_ECDHE_ECDSA_WITH_NULL_SHA), - SUITE(TLS_ECDHE_ECDSA_WITH_RC4_128_SHA), - SUITE(TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA), - SUITE(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA), - SUITE(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA), - SUITE(TLS_ECDH_RSA_WITH_NULL_SHA), - SUITE(TLS_ECDH_RSA_WITH_RC4_128_SHA), - SUITE(TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA), - SUITE(TLS_ECDH_RSA_WITH_AES_128_CBC_SHA), - SUITE(TLS_ECDH_RSA_WITH_AES_256_CBC_SHA), - SUITE(TLS_ECDHE_RSA_WITH_NULL_SHA), - SUITE(TLS_ECDHE_RSA_WITH_RC4_128_SHA), - SUITE(TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA), - SUITE(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA), - SUITE(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA), - SUITE(TLS_ECDH_anon_WITH_NULL_SHA), - SUITE(TLS_ECDH_anon_WITH_RC4_128_SHA), - SUITE(SSL_RSA_WITH_RC2_CBC_MD5), - SUITE(SSL_RSA_WITH_IDEA_CBC_MD5), - SUITE(SSL_RSA_WITH_DES_CBC_MD5), - SUITE(SSL_RSA_WITH_3DES_EDE_CBC_MD5), + // From CipherSuite.h (10.9) + SUITE(SSL_NULL_WITH_NULL_NULL, 0x0000), + SUITE(SSL_RSA_WITH_NULL_MD5, 0x0001), + SUITE(SSL_RSA_WITH_NULL_SHA, 0x0002), + SUITE(SSL_RSA_EXPORT_WITH_RC4_40_MD5, 0x0003), + SUITE(SSL_RSA_WITH_RC4_128_MD5, 0x0004), + SUITE(SSL_RSA_WITH_RC4_128_SHA, 0x0005), + SUITE(SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, 0x0006), + SUITE(SSL_RSA_WITH_IDEA_CBC_SHA, 0x0007), + SUITE(SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, 0x0008), + SUITE(SSL_RSA_WITH_DES_CBC_SHA, 0x0009), + SUITE(SSL_RSA_WITH_3DES_EDE_CBC_SHA, 0x000A), + SUITE(SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA, 0x000B), + SUITE(SSL_DH_DSS_WITH_DES_CBC_SHA, 0x000C), + SUITE(SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA, 0x000D), + SUITE(SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA, 0x000E), + SUITE(SSL_DH_RSA_WITH_DES_CBC_SHA, 0x000F), + SUITE(SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA, 0x0010), + SUITE(SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, 0x0011), + SUITE(SSL_DHE_DSS_WITH_DES_CBC_SHA, 0x0012), + SUITE(SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, 0x0013), 
+ SUITE(SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, 0x0014), + SUITE(SSL_DHE_RSA_WITH_DES_CBC_SHA, 0x0015), + SUITE(SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 0x0016), + SUITE(SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, 0x0017), + SUITE(SSL_DH_anon_WITH_RC4_128_MD5, 0x0018), + SUITE(SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, 0x0019), + SUITE(SSL_DH_anon_WITH_DES_CBC_SHA, 0x001A), + SUITE(SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, 0x001B), + SUITE(SSL_FORTEZZA_DMS_WITH_NULL_SHA, 0x001C), + SUITE(SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, 0x001D), -#if defined(__MAC_10_8) - SUITE(TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA), - SUITE(TLS_DHE_DSS_WITH_AES_128_CBC_SHA256), - SUITE(TLS_DHE_DSS_WITH_AES_128_GCM_SHA256), - SUITE(TLS_DHE_DSS_WITH_AES_256_CBC_SHA256), - SUITE(TLS_DHE_DSS_WITH_AES_256_GCM_SHA384), - SUITE(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA), - SUITE(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256), - SUITE(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256), - SUITE(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256), - SUITE(TLS_DHE_RSA_WITH_AES_256_GCM_SHA384), - SUITE(TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA), - SUITE(TLS_DH_DSS_WITH_AES_128_CBC_SHA256), - SUITE(TLS_DH_DSS_WITH_AES_128_GCM_SHA256), - SUITE(TLS_DH_DSS_WITH_AES_256_CBC_SHA256), - SUITE(TLS_DH_DSS_WITH_AES_256_GCM_SHA384), - SUITE(TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA), - SUITE(TLS_DH_RSA_WITH_AES_128_CBC_SHA256), - SUITE(TLS_DH_RSA_WITH_AES_128_GCM_SHA256), - SUITE(TLS_DH_RSA_WITH_AES_256_CBC_SHA256), - SUITE(TLS_DH_RSA_WITH_AES_256_GCM_SHA384), - SUITE(TLS_DH_anon_WITH_3DES_EDE_CBC_SHA), - SUITE(TLS_DH_anon_WITH_AES_128_CBC_SHA256), - SUITE(TLS_DH_anon_WITH_AES_128_GCM_SHA256), - SUITE(TLS_DH_anon_WITH_AES_256_CBC_SHA256), - SUITE(TLS_DH_anon_WITH_AES_256_GCM_SHA384), - SUITE(TLS_DH_anon_WITH_RC4_128_MD5), - SUITE(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256), - SUITE(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256), - SUITE(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384), - SUITE(TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384), - SUITE(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256), - 
SUITE(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256), - SUITE(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384), - SUITE(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384), - SUITE(TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256), - SUITE(TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256), - SUITE(TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384), - SUITE(TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384), - SUITE(TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256), - SUITE(TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256), - SUITE(TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384), - SUITE(TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384), - SUITE(TLS_EMPTY_RENEGOTIATION_INFO_SCSV), - SUITE(TLS_NULL_WITH_NULL_NULL), - SUITE(TLS_RSA_WITH_3DES_EDE_CBC_SHA), - SUITE(TLS_RSA_WITH_AES_128_CBC_SHA256), - SUITE(TLS_RSA_WITH_AES_128_GCM_SHA256), - SUITE(TLS_RSA_WITH_AES_256_CBC_SHA256), - SUITE(TLS_RSA_WITH_AES_256_GCM_SHA384), - SUITE(TLS_RSA_WITH_NULL_MD5), - SUITE(TLS_RSA_WITH_NULL_SHA), - SUITE(TLS_RSA_WITH_NULL_SHA256), - SUITE(TLS_RSA_WITH_RC4_128_MD5), - SUITE(TLS_RSA_WITH_RC4_128_SHA), -#endif + SUITE(TLS_RSA_WITH_AES_128_CBC_SHA, 0x002F), + SUITE(TLS_DH_DSS_WITH_AES_128_CBC_SHA, 0x0030), + SUITE(TLS_DH_RSA_WITH_AES_128_CBC_SHA, 0x0031), + SUITE(TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 0x0032), + SUITE(TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 0x0033), + SUITE(TLS_DH_anon_WITH_AES_128_CBC_SHA, 0x0034), + SUITE(TLS_RSA_WITH_AES_256_CBC_SHA, 0x0035), + SUITE(TLS_DH_DSS_WITH_AES_256_CBC_SHA, 0x0036), + SUITE(TLS_DH_RSA_WITH_AES_256_CBC_SHA, 0x0037), + SUITE(TLS_DHE_DSS_WITH_AES_256_CBC_SHA, 0x0038), + SUITE(TLS_DHE_RSA_WITH_AES_256_CBC_SHA, 0x0039), + SUITE(TLS_DH_anon_WITH_AES_256_CBC_SHA, 0x003A), - SUITE(SSL_NO_SUCH_CIPHERSUITE) + SUITE(TLS_ECDH_ECDSA_WITH_NULL_SHA, 0xC001), + SUITE(TLS_ECDH_ECDSA_WITH_RC4_128_SHA, 0xC002), + SUITE(TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, 0xC003), + SUITE(TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, 0xC004), + SUITE(TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, 0xC005), + SUITE(TLS_ECDHE_ECDSA_WITH_NULL_SHA, 0xC006), + SUITE(TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 0xC007), + 
SUITE(TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, 0xC008), + SUITE(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 0xC009), + SUITE(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 0xC00A), + SUITE(TLS_ECDH_RSA_WITH_NULL_SHA, 0xC00B), + SUITE(TLS_ECDH_RSA_WITH_RC4_128_SHA, 0xC00C), + SUITE(TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, 0xC00D), + SUITE(TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, 0xC00E), + SUITE(TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, 0xC00F), + SUITE(TLS_ECDHE_RSA_WITH_NULL_SHA, 0xC010), + SUITE(TLS_ECDHE_RSA_WITH_RC4_128_SHA, 0xC011), + SUITE(TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 0xC012), + SUITE(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 0xC013), + SUITE(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 0xC014), + SUITE(TLS_ECDH_anon_WITH_NULL_SHA, 0xC015), + SUITE(TLS_ECDH_anon_WITH_RC4_128_SHA, 0xC016), + SUITE(TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, 0xC017), + SUITE(TLS_ECDH_anon_WITH_AES_128_CBC_SHA, 0xC018), + SUITE(TLS_ECDH_anon_WITH_AES_256_CBC_SHA, 0xC019), + + SUITE(TLS_NULL_WITH_NULL_NULL, 0x0000), + + SUITE(TLS_RSA_WITH_NULL_MD5, 0x0001), + SUITE(TLS_RSA_WITH_NULL_SHA, 0x0002), + SUITE(TLS_RSA_WITH_RC4_128_MD5, 0x0004), + SUITE(TLS_RSA_WITH_RC4_128_SHA, 0x0005), + SUITE(TLS_RSA_WITH_3DES_EDE_CBC_SHA, 0x000A), + SUITE(TLS_RSA_WITH_NULL_SHA256, 0x003B), + SUITE(TLS_RSA_WITH_AES_128_CBC_SHA256, 0x003C), + SUITE(TLS_RSA_WITH_AES_256_CBC_SHA256, 0x003D), + + SUITE(TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA, 0x000D), + SUITE(TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA, 0x0010), + SUITE(TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, 0x0013), + SUITE(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 0x0016), + SUITE(TLS_DH_DSS_WITH_AES_128_CBC_SHA256, 0x003E), + SUITE(TLS_DH_RSA_WITH_AES_128_CBC_SHA256, 0x003F), + SUITE(TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, 0x0040), + SUITE(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, 0x0067), + SUITE(TLS_DH_DSS_WITH_AES_256_CBC_SHA256, 0x0068), + SUITE(TLS_DH_RSA_WITH_AES_256_CBC_SHA256, 0x0069), + SUITE(TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, 0x006A), + SUITE(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, 0x006B), + + 
SUITE(TLS_DH_anon_WITH_RC4_128_MD5, 0x0018), + SUITE(TLS_DH_anon_WITH_3DES_EDE_CBC_SHA, 0x001B), + SUITE(TLS_DH_anon_WITH_AES_128_CBC_SHA256, 0x006C), + SUITE(TLS_DH_anon_WITH_AES_256_CBC_SHA256, 0x006D), + + SUITE(TLS_PSK_WITH_RC4_128_SHA, 0x008A), + SUITE(TLS_PSK_WITH_3DES_EDE_CBC_SHA, 0x008B), + SUITE(TLS_PSK_WITH_AES_128_CBC_SHA, 0x008C), + SUITE(TLS_PSK_WITH_AES_256_CBC_SHA, 0x008D), + SUITE(TLS_DHE_PSK_WITH_RC4_128_SHA, 0x008E), + SUITE(TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA, 0x008F), + SUITE(TLS_DHE_PSK_WITH_AES_128_CBC_SHA, 0x0090), + SUITE(TLS_DHE_PSK_WITH_AES_256_CBC_SHA, 0x0091), + SUITE(TLS_RSA_PSK_WITH_RC4_128_SHA, 0x0092), + SUITE(TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA, 0x0093), + SUITE(TLS_RSA_PSK_WITH_AES_128_CBC_SHA, 0x0094), + SUITE(TLS_RSA_PSK_WITH_AES_256_CBC_SHA, 0x0095), + + SUITE(TLS_PSK_WITH_NULL_SHA, 0x002C), + SUITE(TLS_DHE_PSK_WITH_NULL_SHA, 0x002D), + SUITE(TLS_RSA_PSK_WITH_NULL_SHA, 0x002E), + + SUITE(TLS_RSA_WITH_AES_128_GCM_SHA256, 0x009C), + SUITE(TLS_RSA_WITH_AES_256_GCM_SHA384, 0x009D), + SUITE(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, 0x009E), + SUITE(TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, 0x009F), + SUITE(TLS_DH_RSA_WITH_AES_128_GCM_SHA256, 0x00A0), + SUITE(TLS_DH_RSA_WITH_AES_256_GCM_SHA384, 0x00A1), + SUITE(TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, 0x00A2), + SUITE(TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, 0x00A3), + SUITE(TLS_DH_DSS_WITH_AES_128_GCM_SHA256, 0x00A4), + SUITE(TLS_DH_DSS_WITH_AES_256_GCM_SHA384, 0x00A5), + SUITE(TLS_DH_anon_WITH_AES_128_GCM_SHA256, 0x00A6), + SUITE(TLS_DH_anon_WITH_AES_256_GCM_SHA384, 0x00A7), + + SUITE(TLS_PSK_WITH_AES_128_GCM_SHA256, 0x00A8), + SUITE(TLS_PSK_WITH_AES_256_GCM_SHA384, 0x00A9), + SUITE(TLS_DHE_PSK_WITH_AES_128_GCM_SHA256, 0x00AA), + SUITE(TLS_DHE_PSK_WITH_AES_256_GCM_SHA384, 0x00AB), + SUITE(TLS_RSA_PSK_WITH_AES_128_GCM_SHA256, 0x00AC), + SUITE(TLS_RSA_PSK_WITH_AES_256_GCM_SHA384, 0x00AD), + + SUITE(TLS_PSK_WITH_AES_128_CBC_SHA256, 0x00AE), + SUITE(TLS_PSK_WITH_AES_256_CBC_SHA384, 0x00AF), + 
SUITE(TLS_PSK_WITH_NULL_SHA256, 0x00B0), + SUITE(TLS_PSK_WITH_NULL_SHA384, 0x00B1), + + SUITE(TLS_DHE_PSK_WITH_AES_128_CBC_SHA256, 0x00B2), + SUITE(TLS_DHE_PSK_WITH_AES_256_CBC_SHA384, 0x00B3), + SUITE(TLS_DHE_PSK_WITH_NULL_SHA256, 0x00B4), + SUITE(TLS_DHE_PSK_WITH_NULL_SHA384, 0x00B5), + + SUITE(TLS_RSA_PSK_WITH_AES_128_CBC_SHA256, 0x00B6), + SUITE(TLS_RSA_PSK_WITH_AES_256_CBC_SHA384, 0x00B7), + SUITE(TLS_RSA_PSK_WITH_NULL_SHA256, 0x00B8), + SUITE(TLS_RSA_PSK_WITH_NULL_SHA384, 0x00B9), + + SUITE(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 0xC023), + SUITE(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, 0xC024), + SUITE(TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, 0xC025), + SUITE(TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, 0xC026), + SUITE(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 0xC027), + SUITE(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, 0xC028), + SUITE(TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, 0xC029), + SUITE(TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, 0xC02A), + + SUITE(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0xC02B), + SUITE(TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 0xC02C), + SUITE(TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, 0xC02D), + SUITE(TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, 0xC02E), + SUITE(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0xC02F), + SUITE(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 0xC030), + SUITE(TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, 0xC031), + SUITE(TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, 0xC032), + + SUITE(TLS_EMPTY_RENEGOTIATION_INFO_SCSV, 0x00FF), + SUITE(SSL_RSA_WITH_RC2_CBC_MD5, 0xFF80), + SUITE(SSL_RSA_WITH_IDEA_CBC_MD5, 0xFF81), + SUITE(SSL_RSA_WITH_DES_CBC_MD5, 0xFF82), + SUITE(SSL_RSA_WITH_3DES_EDE_CBC_MD5, 0xFF83), + SUITE(SSL_NO_SUCH_CIPHERSUITE, 0xFFFF) }; #undef SUITE - static inline const char* suiteToString(const SSLCipherSuite suite) + static inline std::string suiteToString(const SSLCipherSuite suite) { for (auto & s : kSuites) { if (s.suite == suite) { return s.name; } } - return "Unknown suite"; + std::stringstream ss; + ss << "Unknown suite (0x" << std::hex << suite 
<< ") like TLS_NULL_WITH_NULL_NULL"; + return ss.str(); } static const char* kBlocked[] = { - "NULL", "anon", "MD5", "EXPORT", "DES", "IDEA", "NO_SUCH", "EMPTY" + "NULL", "anon", "MD5", "EXPORT", "DES", "IDEA", "NO_SUCH", "EMPTY", "PSK" }; static inline bool isBlockedSuite(SSLCipherSuite suite) { - const char* name = suiteToString(suite); + using namespace aria2; + + // Don't care about SSL2 suites! + std::string name = suiteToString(suite); for (auto& blocked : kBlocked) { - if (strstr(name, blocked)) { + if (strstr(name.c_str(), blocked)) { + A2_LOG_DEBUG(fmt("Removing blocked cipher suite: %s", name.c_str())); return true; } } @@ -344,7 +400,7 @@ AppleTLSSession::AppleTLSSession(AppleTLSContext* ctx) return; } for (const auto& suite: enabled) { - A2_LOG_INFO(fmt("AppleTLS: Enabled suite %s", suiteToString(suite))); + A2_LOG_INFO(fmt("AppleTLS: Enabled suite %s", suiteToString(suite).c_str())); } if (SSLSetEnabledCiphers(sslCtx_, &enabled[0], enabled.size()) != noErr) { A2_LOG_ERROR("AppleTLS: Failed to set enabled ciphers list"); @@ -613,7 +669,7 @@ int AppleTLSSession::tlsConnect(const std::string& hostname, std::string& handsh A2_LOG_INFO(fmt("AppleTLS: Connected to %s with %s (%s)", hostname.c_str(), protoToString(proto), - suiteToString(suite))); + suiteToString(suite).c_str())); return TLS_ERR_OK; }
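Review bot: Unknown suites are rejected only because the fallback text built in `suiteToString` ends in `like TLS_NULL_WITH_NULL_NULL` and `isBlockedSuite` then finds `"NULL"` in it with `strstr`, so the fail-closed decision depends on the wording of a display string. Rewording that message later would let every suite missing from `kSuites` through the filter, and the debug log would still describe it as a blocked NULL suite. I would make the lookup report "not found" and have `isBlockedSuite` return true for that case explicitly, as sketched below; the body of `isBlockedSuite` continues past the end of the hunk. Separately, `kBlocked` gains `"PSK"` but still has no `"RC4"` entry, so names such as `TLS_RSA_WITH_RC4_128_SHA` and `TLS_ECDHE_RSA_WITH_RC4_128_SHA` match none of the tokens and stay enabled; adding `"RC4"` to the list would cover them.

```cpp
static inline const char* findSuiteName(const SSLCipherSuite suite)
{
  for (auto& s : kSuites) {
    if (s.suite == suite) {
      return s.name;
    }
  }
  return nullptr;
}

static inline bool isBlockedSuite(SSLCipherSuite suite)
{
  using namespace aria2;

  const char* known = findSuiteName(suite);
  if (!known) {
    // Fail closed: a suite that is not in kSuites cannot be vetted by name.
    A2_LOG_DEBUG(fmt("Removing unknown cipher suite: 0x%04x",
                     static_cast<unsigned int>(suite)));
    return true;
  }
  // … unchanged: kBlocked substring loop, now matching against `known` …
```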