]> git.saurik.com Git - apple/security.git/blobdiff - sslViewer/sslAppUtils.cpp
projects / apple / security.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Security-59306.101.1.tar.gz
[apple/security.git] / sslViewer / sslAppUtils.cpp
diff --git a/sslViewer/sslAppUtils.cpp b/sslViewer/sslAppUtils.cpp
index 9bdd6329b81af480feed1c01da0ea224217dca93..fae362bafdff028d1ec2346d44f69ac4387fd7ee 100644 (file)
--- a/sslViewer/sslAppUtils.cpp
+++ b/sslViewer/sslAppUtils.cpp
@@ -25,108 +25,143 @@
 
 const char *sslGetCipherSuiteString(SSLCipherSuite cs)
 {
 
 const char *sslGetCipherSuiteString(SSLCipherSuite cs)
 {
-       static char noSuite[40];
-       
-       switch(cs) {
-               case SSL_NULL_WITH_NULL_NULL:
-                       return "SSL_NULL_WITH_NULL_NULL";
-               case SSL_RSA_WITH_NULL_MD5:
-                       return "SSL_RSA_WITH_NULL_MD5";
-               case SSL_RSA_WITH_NULL_SHA:
-                       return "SSL_RSA_WITH_NULL_SHA";
-               case SSL_RSA_EXPORT_WITH_RC4_40_MD5:
-                       return "SSL_RSA_EXPORT_WITH_RC4_40_MD5";
-               case SSL_RSA_WITH_RC4_128_MD5:
-                       return "SSL_RSA_WITH_RC4_128_MD5";
-               case SSL_RSA_WITH_RC4_128_SHA:
-                       return "SSL_RSA_WITH_RC4_128_SHA";
-               case SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5:
-                       return "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5";
-               case SSL_RSA_WITH_IDEA_CBC_SHA:
-                       return "SSL_RSA_WITH_IDEA_CBC_SHA";
-               case SSL_RSA_EXPORT_WITH_DES40_CBC_SHA:
-                       return "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA";
-               case SSL_RSA_WITH_DES_CBC_SHA:
-                       return "SSL_RSA_WITH_DES_CBC_SHA";
-               case SSL_RSA_WITH_3DES_EDE_CBC_SHA:
-                       return "SSL_RSA_WITH_3DES_EDE_CBC_SHA";
-               case SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA:
-                       return "SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA";
-               case SSL_DH_DSS_WITH_DES_CBC_SHA:
-                       return "SSL_DH_DSS_WITH_DES_CBC_SHA";
-               case SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA:
-                       return "SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA";
-               case SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA:
-                       return "SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA";
-               case SSL_DH_RSA_WITH_DES_CBC_SHA:
-                       return "SSL_DH_RSA_WITH_DES_CBC_SHA";
-               case SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA:
-                       return "SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA";
-               case SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA:
-                       return "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA";
-               case SSL_DHE_DSS_WITH_DES_CBC_SHA:
-                       return "SSL_DHE_DSS_WITH_DES_CBC_SHA";
-               case SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA:
-                       return "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA";
-               case SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA:
-                       return "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA";
-               case SSL_DHE_RSA_WITH_DES_CBC_SHA:
-                       return "SSL_DHE_RSA_WITH_DES_CBC_SHA";
-               case SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA:
-                       return "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA";
-               case SSL_DH_anon_EXPORT_WITH_RC4_40_MD5:
-                       return "SSL_DH_anon_EXPORT_WITH_RC4_40_MD5";
-               case SSL_DH_anon_WITH_RC4_128_MD5:
-                       return "SSL_DH_anon_WITH_RC4_128_MD5";
-               case SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA:
-                       return "SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA";
-               case SSL_DH_anon_WITH_DES_CBC_SHA:
-                       return "SSL_DH_anon_WITH_DES_CBC_SHA";
-               case SSL_DH_anon_WITH_3DES_EDE_CBC_SHA:
-                       return "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA";
-               case SSL_FORTEZZA_DMS_WITH_NULL_SHA:
-                       return "SSL_FORTEZZA_DMS_WITH_NULL_SHA";
-               case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA:
-                       return "SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA";
-               case SSL_RSA_WITH_RC2_CBC_MD5:
-                       return "SSL_RSA_WITH_RC2_CBC_MD5";
-               case SSL_RSA_WITH_IDEA_CBC_MD5:
-                       return "SSL_RSA_WITH_IDEA_CBC_MD5";
-               case SSL_RSA_WITH_DES_CBC_MD5:
-                       return "SSL_RSA_WITH_DES_CBC_MD5";
-               case SSL_RSA_WITH_3DES_EDE_CBC_MD5:
-                       return "SSL_RSA_WITH_3DES_EDE_CBC_MD5";
-               case SSL_NO_SUCH_CIPHERSUITE:
-                       return "SSL_NO_SUCH_CIPHERSUITE";
-               case TLS_RSA_WITH_AES_128_CBC_SHA:
-                       return "TLS_RSA_WITH_AES_128_CBC_SHA";
-               case TLS_DH_DSS_WITH_AES_128_CBC_SHA:
-                       return "TLS_DH_DSS_WITH_AES_128_CBC_SHA";
-               case TLS_DH_RSA_WITH_AES_128_CBC_SHA:
-                       return "TLS_DH_RSA_WITH_AES_128_CBC_SHA";
-               case TLS_DHE_DSS_WITH_AES_128_CBC_SHA:
-                       return "TLS_DHE_DSS_WITH_AES_128_CBC_SHA";
-               case TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
-                       return "TLS_DHE_RSA_WITH_AES_128_CBC_SHA";
-               case TLS_DH_anon_WITH_AES_128_CBC_SHA:
-                       return "TLS_DH_anon_WITH_AES_128_CBC_SHA";
-               case TLS_RSA_WITH_AES_256_CBC_SHA:
-                       return "TLS_RSA_WITH_AES_256_CBC_SHA";
-               case TLS_DH_DSS_WITH_AES_256_CBC_SHA:
-                       return "TLS_DH_DSS_WITH_AES_256_CBC_SHA";
-               case TLS_DH_RSA_WITH_AES_256_CBC_SHA:
-                       return "TLS_DH_RSA_WITH_AES_256_CBC_SHA";
-               case TLS_DHE_DSS_WITH_AES_256_CBC_SHA:
-                       return "TLS_DHE_DSS_WITH_AES_256_CBC_SHA";
-               case TLS_DHE_RSA_WITH_AES_256_CBC_SHA:
-                       return "TLS_DHE_RSA_WITH_AES_256_CBC_SHA";
-               case TLS_DH_anon_WITH_AES_256_CBC_SHA:
-                       return "TLS_DH_anon_WITH_AES_256_CBC_SHA";
+    static char noSuite[40];
 
 
-               default:
-                       sprintf(noSuite, "Unknown (%d)", (unsigned)cs);
-                       return noSuite; 
-       }
+    switch (cs) {
+            /* TLS cipher suites, RFC 2246 */
+        case SSL_NULL_WITH_NULL_NULL:               return "TLS_NULL_WITH_NULL_NULL";
+        case SSL_RSA_WITH_NULL_MD5:                 return "TLS_RSA_WITH_NULL_MD5";
+        case SSL_RSA_WITH_NULL_SHA:                 return "TLS_RSA_WITH_NULL_SHA";
+        case SSL_RSA_EXPORT_WITH_RC4_40_MD5:        return "TLS_RSA_EXPORT_WITH_RC4_40_MD5";
+        case SSL_RSA_WITH_RC4_128_MD5:              return "TLS_RSA_WITH_RC4_128_MD5";
+        case SSL_RSA_WITH_RC4_128_SHA:              return "TLS_RSA_WITH_RC4_128_SHA";
+        case SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5:    return "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5";
+        case SSL_RSA_WITH_IDEA_CBC_SHA:             return "TLS_RSA_WITH_IDEA_CBC_SHA";
+        case SSL_RSA_EXPORT_WITH_DES40_CBC_SHA:     return "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA";
+        case SSL_RSA_WITH_DES_CBC_SHA:              return "TLS_RSA_WITH_DES_CBC_SHA";
+        case SSL_RSA_WITH_3DES_EDE_CBC_SHA:         return "TLS_RSA_WITH_3DES_EDE_CBC_SHA";
+        case SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA:  return "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA";
+        case SSL_DH_DSS_WITH_DES_CBC_SHA:           return "TLS_DH_DSS_WITH_DES_CBC_SHA";
+        case SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA:      return "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA";
+        case SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA:  return "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA";
+        case SSL_DH_RSA_WITH_DES_CBC_SHA:           return "TLS_DH_RSA_WITH_DES_CBC_SHA";
+        case SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA:      return "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA";
+        case SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA: return "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA";
+        case SSL_DHE_DSS_WITH_DES_CBC_SHA:          return "TLS_DHE_DSS_WITH_DES_CBC_SHA";
+        case SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA:     return "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA";
+        case SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA: return "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA";
+        case SSL_DHE_RSA_WITH_DES_CBC_SHA:          return "TLS_DHE_RSA_WITH_DES_CBC_SHA";
+        case SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA:     return "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA";
+        case SSL_DH_anon_EXPORT_WITH_RC4_40_MD5:    return "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5";
+        case SSL_DH_anon_WITH_RC4_128_MD5:          return "TLS_DH_anon_WITH_RC4_128_MD5";
+        case SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA: return "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA";
+        case SSL_DH_anon_WITH_DES_CBC_SHA:          return "TLS_DH_anon_WITH_DES_CBC_SHA";
+        case SSL_DH_anon_WITH_3DES_EDE_CBC_SHA:     return "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA";
+
+            /* SSLv3 Fortezza cipher suites, from NSS */
+        case SSL_FORTEZZA_DMS_WITH_NULL_SHA:        return "SSL_FORTEZZA_DMS_WITH_NULL_SHA";
+        case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA:return "SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA";
+
+            /* TLS addenda using AES-CBC, RFC 3268 */
+        case TLS_RSA_WITH_AES_128_CBC_SHA:          return "TLS_RSA_WITH_AES_128_CBC_SHA";
+        case TLS_DH_DSS_WITH_AES_128_CBC_SHA:       return "TLS_DH_DSS_WITH_AES_128_CBC_SHA";
+        case TLS_DH_RSA_WITH_AES_128_CBC_SHA:       return "TLS_DH_RSA_WITH_AES_128_CBC_SHA";
+        case TLS_DHE_DSS_WITH_AES_128_CBC_SHA:      return "TLS_DHE_DSS_WITH_AES_128_CBC_SHA";
+        case TLS_DHE_RSA_WITH_AES_128_CBC_SHA:      return "TLS_DHE_RSA_WITH_AES_128_CBC_SHA";
+        case TLS_DH_anon_WITH_AES_128_CBC_SHA:      return "TLS_DH_anon_WITH_AES_128_CBC_SHA";
+        case TLS_RSA_WITH_AES_256_CBC_SHA:          return "TLS_RSA_WITH_AES_256_CBC_SHA";
+        case TLS_DH_DSS_WITH_AES_256_CBC_SHA:       return "TLS_DH_DSS_WITH_AES_256_CBC_SHA";
+        case TLS_DH_RSA_WITH_AES_256_CBC_SHA:       return "TLS_DH_RSA_WITH_AES_256_CBC_SHA";
+        case TLS_DHE_DSS_WITH_AES_256_CBC_SHA:      return "TLS_DHE_DSS_WITH_AES_256_CBC_SHA";
+        case TLS_DHE_RSA_WITH_AES_256_CBC_SHA:      return "TLS_DHE_RSA_WITH_AES_256_CBC_SHA";
+        case TLS_DH_anon_WITH_AES_256_CBC_SHA:      return "TLS_DH_anon_WITH_AES_256_CBC_SHA";
+
+            /* ECDSA addenda, RFC 4492 */
+        case TLS_ECDH_ECDSA_WITH_NULL_SHA:          return "TLS_ECDH_ECDSA_WITH_NULL_SHA";
+        case TLS_ECDH_ECDSA_WITH_RC4_128_SHA:       return "TLS_ECDH_ECDSA_WITH_RC4_128_SHA";
+        case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA:  return "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA";
+        case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA:   return "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA";
+        case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA:   return "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA";
+        case TLS_ECDHE_ECDSA_WITH_NULL_SHA:         return "TLS_ECDHE_ECDSA_WITH_NULL_SHA";
+        case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA:      return "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA";
+        case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA: return "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA";
+        case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:  return "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA";
+        case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:  return "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA";
+        case TLS_ECDH_RSA_WITH_NULL_SHA:            return "TLS_ECDH_RSA_WITH_NULL_SHA";
+        case TLS_ECDH_RSA_WITH_RC4_128_SHA:         return "TLS_ECDH_RSA_WITH_RC4_128_SHA";
+        case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA:    return "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA";
+        case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA:     return "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA";
+        case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA:     return "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA";
+        case TLS_ECDHE_RSA_WITH_NULL_SHA:           return "TLS_ECDHE_RSA_WITH_NULL_SHA";
+        case TLS_ECDHE_RSA_WITH_RC4_128_SHA:        return "TLS_ECDHE_RSA_WITH_RC4_128_SHA";
+        case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:   return "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA";
+        case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:    return "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA";
+        case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:    return "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA";
+        case TLS_ECDH_anon_WITH_NULL_SHA:           return "TLS_ECDH_anon_WITH_NULL_SHA";
+        case TLS_ECDH_anon_WITH_RC4_128_SHA:        return "TLS_ECDH_anon_WITH_RC4_128_SHA";
+        case TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA:   return "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA";
+        case TLS_ECDH_anon_WITH_AES_128_CBC_SHA:    return "TLS_ECDH_anon_WITH_AES_128_CBC_SHA";
+        case TLS_ECDH_anon_WITH_AES_256_CBC_SHA:    return "TLS_ECDH_anon_WITH_AES_256_CBC_SHA";
+
+            /* TLS 1.2 addenda, RFC 5246 */
+        case TLS_RSA_WITH_AES_128_CBC_SHA256:       return "TLS_RSA_WITH_AES_128_CBC_SHA256";
+        case TLS_RSA_WITH_AES_256_CBC_SHA256:       return "TLS_RSA_WITH_AES_256_CBC_SHA256";
+        case TLS_DH_DSS_WITH_AES_128_CBC_SHA256:    return "TLS_DH_DSS_WITH_AES_128_CBC_SHA256";
+        case TLS_DH_RSA_WITH_AES_128_CBC_SHA256:    return "TLS_DH_RSA_WITH_AES_128_CBC_SHA256";
+        case TLS_DHE_DSS_WITH_AES_128_CBC_SHA256:   return "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256";
+        case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:   return "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256";
+        case TLS_DH_DSS_WITH_AES_256_CBC_SHA256:    return "TLS_DH_DSS_WITH_AES_256_CBC_SHA256";
+        case TLS_DH_RSA_WITH_AES_256_CBC_SHA256:    return "TLS_DH_RSA_WITH_AES_256_CBC_SHA256";
+        case TLS_DHE_DSS_WITH_AES_256_CBC_SHA256:   return "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256";
+        case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256:   return "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256";
+        case TLS_DH_anon_WITH_AES_128_CBC_SHA256:   return "TLS_DH_anon_WITH_AES_128_CBC_SHA256";
+        case TLS_DH_anon_WITH_AES_256_CBC_SHA256:   return "TLS_DH_anon_WITH_AES_256_CBC_SHA256";
+
+            /* TLS addenda using AES-GCM, RFC 5288 */
+        case TLS_RSA_WITH_AES_128_GCM_SHA256:       return "TLS_RSA_WITH_AES_128_GCM_SHA256";
+        case TLS_RSA_WITH_AES_256_GCM_SHA384:       return "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256";
+        case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:   return "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256";
+        case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384:   return "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384";
+        case TLS_DH_RSA_WITH_AES_128_GCM_SHA256:    return "TLS_DH_RSA_WITH_AES_128_GCM_SHA256";
+        case TLS_DH_RSA_WITH_AES_256_GCM_SHA384:    return "TLS_DH_RSA_WITH_AES_256_GCM_SHA384";
+        case TLS_DHE_DSS_WITH_AES_128_GCM_SHA256:   return "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256";
+        case TLS_DHE_DSS_WITH_AES_256_GCM_SHA384:   return "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384";
+        case TLS_DH_DSS_WITH_AES_128_GCM_SHA256:    return "TLS_DH_DSS_WITH_AES_128_GCM_SHA256";
+        case TLS_DH_DSS_WITH_AES_256_GCM_SHA384:    return "TLS_DH_DSS_WITH_AES_256_GCM_SHA384";
+        case TLS_DH_anon_WITH_AES_128_GCM_SHA256:   return "TLS_DH_anon_WITH_AES_128_GCM_SHA256";
+        case TLS_DH_anon_WITH_AES_256_GCM_SHA384:   return "TLS_DH_anon_WITH_AES_256_GCM_SHA384";
+
+            /* ECDSA addenda, RFC 5289 */
+        case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:   return "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256";
+        case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384:   return "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384";
+        case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256:    return "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256";
+        case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384:    return "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384";
+        case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:     return "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256";
+        case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384:     return "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384";
+        case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256:      return "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256";
+        case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384:      return "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384";
+        case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:   return "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256";
+        case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:   return "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384";
+        case TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256:    return "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256";
+        case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384:    return "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384";
+        case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:     return "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";
+        case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:     return "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384";
+        case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256:      return "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256";
+        case TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384:      return "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384";
+            
+            /*
+             * Tags for SSL 2 cipher kinds which are not specified for SSL 3.
+             */
+        case SSL_RSA_WITH_RC2_CBC_MD5:              return "TLS_RSA_WITH_RC2_CBC_MD5";
+        case SSL_RSA_WITH_IDEA_CBC_MD5:             return "TLS_RSA_WITH_IDEA_CBC_MD5";
+        case SSL_RSA_WITH_DES_CBC_MD5:              return "TLS_RSA_WITH_DES_CBC_MD5";
+        case SSL_RSA_WITH_3DES_EDE_CBC_MD5:         return "TLS_RSA_WITH_3DES_EDE_CBC_MD5";
+        case SSL_NO_SUCH_CIPHERSUITE:               return "SSL_NO_SUCH_CIPHERSUITE";
+            
+        default:
+            snprintf(noSuite, sizeof(noSuite), "Unknown ciphersuite 0x%04x", (unsigned)cs);
+            return noSuite;
+    }
 }
 
 /* 
 }
 
 /* 
@@ -136,7 +171,9 @@ const char *sslGetCipherSuiteString(SSLCipherSuite cs)
 const char *sslGetProtocolVersionString(SSLProtocol prot)
 {
        static char noProt[20];
 const char *sslGetProtocolVersionString(SSLProtocol prot)
 {
        static char noProt[20];
-       
+    
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wdeprecated-declarations"
        switch(prot) {
                case kSSLProtocolUnknown:
                        return "kSSLProtocolUnknown";
        switch(prot) {
                case kSSLProtocolUnknown:
                        return "kSSLProtocolUnknown";
@@ -158,6 +195,7 @@ const char *sslGetProtocolVersionString(SSLProtocol prot)
                        sprintf(noProt, "Unknown (%d)", (unsigned)prot);
                        return noProt;  
        }
                        sprintf(noProt, "Unknown (%d)", (unsigned)prot);
                        return noProt;  
        }
+#pragma clang diagnostic pop
 }
 
 /* 
 }
 
 /* 
@@ -260,7 +298,7 @@ const char *sslGetSSLErrString(OSStatus err)
                case errSSLPeerInternalError:
                        return "errSSLPeerInternalError";
                case errSSLPeerUserCancelled:
                case errSSLPeerInternalError:
                        return "errSSLPeerInternalError";
                case errSSLPeerUserCancelled:
-                       return "errSSLPeerUserCancelled";
+                       return "errSSLPeerUserCanceled";
                case errSSLPeerNoRenegotiation:
                        return "errSSLPeerNoRenegotiation";
                case errSSLHostNameMismatch:
                case errSSLPeerNoRenegotiation:
                        return "errSSLPeerNoRenegotiation";
                case errSSLHostNameMismatch:
@@ -316,6 +354,8 @@ const char *sslGetClientCertStateString(SSLClientCertificateState state)
 {
        static char noState[20];
        
 {
        static char noState[20];
        
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wdeprecated-declarations"
        switch(state) {
                case kSSLClientCertNone:
                        return "ClientCertNone";
        switch(state) {
                case kSSLClientCertNone:
                        return "ClientCertNone";
@@ -329,7 +369,7 @@ const char *sslGetClientCertStateString(SSLClientCertificateState state)
                        sprintf(noState, "Unknown (%d)", (unsigned)state);
                        return noState; 
        }
                        sprintf(noState, "Unknown (%d)", (unsigned)state);
                        return noState; 
        }
-
+#pragma clang diagnostic pop
 }
 
 /*
 }
 
 /*
@@ -412,11 +452,11 @@ CFArrayRef getSslCerts(
        CFArrayAppendValue(certificates, cert);
        require_noerr(SecTrustCreateWithCertificates(certificates, NULL, &trust),
                errOut);
        CFArrayAppendValue(certificates, cert);
        require_noerr(SecTrustCreateWithCertificates(certificates, NULL, &trust),
                errOut);
-       SecTrustResultType tresult;
-       require_noerr(SecTrustEvaluate(trust, &tresult), errOut);
 
        CFIndex certCount, ix;
        // We need at least 1 certificate
 
        CFIndex certCount, ix;
        // We need at least 1 certificate
+    // SecTrustGetCertificateCount implicitly does a trust evaluation to determine
+    // the number of certs in the chain.
        require(certCount = SecTrustGetCertificateCount(trust), errOut);
 
        // Build a result where element 0 is the identity and the other elements
        require(certCount = SecTrustGetCertificateCount(trust), errOut);
 
        // Build a result where element 0 is the identity and the other elements
@@ -760,6 +800,9 @@ CFArrayRef sslKcRefToCertArray(
 }
 #endif
 
 }
 #endif
 
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wdeprecated-declarations"
+
 OSStatus addTrustedSecCert(
        SSLContextRef           ctx,
        SecCertificateRef       secCert, 
 OSStatus addTrustedSecCert(
        SSLContextRef           ctx,
        SecCertificateRef       secCert, 
@@ -786,108 +829,22 @@ OSStatus addTrustedSecCert(
        return ortn;
 }
 
        return ortn;
 }
 
-#if 0
-OSStatus sslReadAnchor(
-       const char                      *anchorFile,
-       SecCertificateRef       *certRef)
-{
-       OSStatus ortn;
-       SecCertificateRef secCert;
-       unsigned char *certData;
-       unsigned certLen;
-       CSSM_DATA cert;
-       
-       if(readFile(anchorFile, &certData, &certLen)) {
-               return -1;
-       }
-       cert.Data = certData;
-       cert.Length = certLen;
-       ortn = SecCertificateCreateFromData(&cert,
-                       CSSM_CERT_X_509v3,
-                       CSSM_CERT_ENCODING_DER,
-                       &secCert);
-       free(certData);
-       if(ortn) {
-               printf("***SecCertificateCreateFromData returned %d\n", (int)ortn);
-               return ortn;
-       }
-       *certRef = secCert;
-       return errSecSuccess;
-}
-#endif
+#pragma clang diagnostic pop
 
 OSStatus sslAddTrustedRoot(
        SSLContextRef   ctx,
        const char              *anchorFile, 
        bool            replaceAnchors)
 {
 
 OSStatus sslAddTrustedRoot(
        SSLContextRef   ctx,
        const char              *anchorFile, 
        bool            replaceAnchors)
 {
-#if 0
-       OSStatus ortn;
-       SecCertificateRef secCert;
-       
-       ortn = sslReadAnchor(anchorFile, &secCert);
-       if(ortn) {
-               printf("***Error reading %s. SSLSetTrustedRoots skipped.\n",
-                       anchorFile);
-               return ortn;
-       }
-       return addTrustedSecCert(ctx, secCert, replaceAnchors);
-#else
        return 0;
        return 0;
-#endif
 }
 
 }
 
-#if 0
-/* Per 3537606 this is no longer necessary */
-/*
- * Assume incoming identity contains a root (e.g., created by
- * certtool) and add that cert to ST's trusted anchors. This
- * enables ST's verify of the incoming chain to succeed without 
- * a kludgy "AllowAnyRoot" specification.
- */
-OSStatus addIdentityAsTrustedRoot(
-       SSLContextRef   ctx,
-       CFArrayRef              identArray)
-{
-       CFIndex numItems = CFArrayGetCount(identArray);
-       if(numItems == 0) {
-               printf("***addIdentityAsTrustedRoot: empty identArray\n");
-               return errSecParam;
-       }
-       
-       /* Root should be the last item - could be identity, could be cert */
-       CFTypeRef theItem = CFArrayGetValueAtIndex(identArray, numItems - 1);
-       if(CFGetTypeID(theItem) == SecIdentityGetTypeID()) {
-               /* identity */
-               SecCertificateRef certRef;
-               OSStatus ortn = SecIdentityCopyCertificate(
-                       (SecIdentityRef)theItem, &certRef);
-               if(ortn) {
-                       cssmPerror("SecIdentityCopyCertificate", ortn);
-                       printf("***Error gettting cert from identity\n");
-                       return ortn;
-               }
-               ortn = addTrustedSecCert(ctx, certRef, false);
-               CFRelease(certRef);
-               return ortn;
-       }
-       else if(CFGetTypeID(theItem) == SecCertificateGetTypeID()) {
-               /* certificate */
-               return addTrustedSecCert(ctx, (SecCertificateRef)theItem, false);
-       }
-       else {
-               printf("***Bogus item in identity array\n");
-               return errSecParam;
-       }
-}
-#else
 OSStatus addIdentityAsTrustedRoot(
        SSLContextRef   ctx,
        CFArrayRef              identArray)
 {
        return errSecSuccess;
 }   
 OSStatus addIdentityAsTrustedRoot(
        SSLContextRef   ctx,
        CFArrayRef              identArray)
 {
        return errSecSuccess;
 }   
-#endif
 
 /*
  * Lists of SSLCipherSuites used in sslSetCipherRestrictions. Note that the 
 
 /*
  * Lists of SSLCipherSuites used in sslSetCipherRestrictions. Note that the 
@@ -1101,6 +1058,8 @@ OSStatus sslSetEnabledCiphers(
        unsigned inDex = 0;                     // index into ciphers
        
        /* first get all the supported ciphers */
        unsigned inDex = 0;                     // index into ciphers
        
        /* first get all the supported ciphers */
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wdeprecated-declarations"
        ortn = SSLGetNumberSupportedCiphers(ctx, &numSupported);
        if(ortn) {
                printSslErrStr("SSLGetNumberSupportedCiphers", ortn);
        ortn = SSLGetNumberSupportedCiphers(ctx, &numSupported);
        if(ortn) {
                printSslErrStr("SSLGetNumberSupportedCiphers", ortn);
@@ -1138,6 +1097,7 @@ OSStatus sslSetEnabledCiphers(
        if(ortn) {
                printSslErrStr("SSLSetEnabledCiphers", ortn);
        }
        if(ortn) {
                printSslErrStr("SSLSetEnabledCiphers", ortn);
        }
+#pragma clang diagnostic pop
        free(enabled);
        free(supported);
        return ortn;
        free(enabled);
        free(supported);
        return ortn;
@@ -1614,3 +1574,44 @@ extern const char *sslCurveString(
                        return unk;
        }
 }
                        return unk;
        }
 }
+
+
+
+
+#include <Security/SecCertificatePriv.h>
+#include <Security/SecKey.h>
+
+SecKeyRef create_private_key_from_der(bool ecdsa, const unsigned char *pkey_der, size_t pkey_der_len)
+{
+    SecKeyRef privKey;
+    CFErrorRef error = NULL;
+    CFDataRef keyData = CFDataCreate(kCFAllocatorDefault, pkey_der, pkey_der_len);
+    CFMutableDictionaryRef parameters = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, NULL, NULL);
+    CFDictionarySetValue(parameters, kSecAttrKeyType, ecdsa?kSecAttrKeyTypeECSECPrimeRandom:kSecAttrKeyTypeRSA);
+    CFDictionarySetValue(parameters, kSecAttrKeyClass, kSecAttrKeyClassPrivate);
+    privKey = SecKeyCreateWithData(keyData, parameters, &error);
+    CFReleaseNull(keyData);
+    CFReleaseNull(parameters);
+    CFReleaseNull(error);
+    return privKey;
+}
+
+CFArrayRef chain_from_der(bool ecdsa, const unsigned char *pkey_der, size_t pkey_der_len, const unsigned char *cert_der, size_t cert_der_len)
+{
+    SecKeyRef pkey = NULL;
+    SecCertificateRef cert = NULL;
+    SecIdentityRef ident = NULL;
+    CFArrayRef items = NULL;
+
+    require(pkey = create_private_key_from_der(ecdsa, pkey_der, pkey_der_len), errOut);
+    require(cert = SecCertificateCreateWithBytes(kCFAllocatorDefault, cert_der, cert_der_len), errOut);
+    require(ident = SecIdentityCreate(kCFAllocatorDefault, cert, pkey), errOut);
+    require(items = CFArrayCreate(kCFAllocatorDefault, (const void **)&ident, 1, &kCFTypeArrayCallBacks), errOut);
+
+errOut:
+    CFReleaseSafe(pkey);
+    CFReleaseSafe(cert);
+    CFReleaseSafe(ident);
+    return items;
+}
+
mirror of Security