WL#16169: XDevAPI: Update allowed cipher list.

Change-Id: I9948aa3919ad0e7300d25cd4539148d9640c6a04

Author: rsomla1

cdk/foundation/connection_openssl.cc

@@ -84,59 +84,58 @@ POP_SYS_WARNINGS_CDK
 
 
 /*
-  Default list of ciphers. By default we allow only ciphers that are approved
-  by the OSSA page (the link below). Lists of mandatory and approved ciphers
-  defined below should be kept in sync with requirements on this
-  page.
+  The "tls_ciphers.h" header defines cipher list macros:
 
-  https://confluence.oraclecorp.com/confluence/display/GPS/Approved+Security+Technologies%3A+Standards+-+TLS+Ciphers+and+Versions
-*/
+  - TLS_CIPHERS_MANDATORY(X)
+  - TLS_CIPHERS_APPROVED(X)
+  - TLS_CIPHERS_UNACCEPTABLE(X)
 
-#define TLS_CIPHERS_MANDATORY(X) \
-  X("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",  "ECDHE-ECDSA-AES128-GCM-SHA256") \
-  X("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",  "ECDHE-ECDSA-AES256-GCM-SHA384") \
-  X("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",    "ECDHE-RSA-AES128-GCM-SHA256") \
+  Each of these macros calls X(A,B) for each cipher in the list where A is
+  the IANA name of the cipher while B is OpenSSL name of the same cipher (both
+  A and B are string listerals). For example:
 
-/*
-  Note: Empty OpenSSL name means TLSv1.3+ cipher suite which is handled
-  differently from pre-TLSv1.3 suites that have OpenSSL specific names.
+  X("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256")
+
+  If there is no OpenSSL name for the cipher then B is the empty string "".
+
+  These list should be kept in sync with info given on the OSSA page [1].
+
+  [1] https://confluence.oraclecorp.com/confluence/display/GPS/Approved+Security+Technologies%3A+Standards+-+TLS+Ciphers+and+Versions
 */
 
-#define TLS_CIPHERS_APPROVED(X) \
-  X("TLS_AES_128_GCM_SHA256", "") \
-  X("TLS_AES_256_GCM_SHA384", "") \
-  X("TLS_CHACHA20_POLY1305_SHA256", "") \
-  X("TLS_AES_128_CCM_SHA256", "") \
-  X("TLS_AES_128_CCM_8_SHA256", "") \
-  X("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE-RSA-AES256-GCM-SHA384") \
-  X("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "ECDHE-ECDSA-AES256-SHA384") \
-  X("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "ECDHE-RSA-AES256-SHA384") \
-  X("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "DHE-RSA-AES128-GCM-SHA256") \
-  X("TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", "DHE-DSS-AES128-GCM-SHA256") \
-  X("TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "DHE-RSA-AES128-SHA256") \
-  X("TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", "DHE-DSS-AES128-SHA256") \
-  X("TLS_DHE_DSS_WITH_AES_256_GCM_SHA384", "DHE-DSS-AES256-GCM-SHA384") \
-  X("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "DHE-RSA-AES256-GCM-SHA384") \
-  X("TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "ECDHE-ECDSA-CHACHA20-POLY1305") \
-  X("TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "ECDHE-RSA-CHACHA20-POLY1305") \
+#include "tls_ciphers.h"
 
 
 // Note: these deprecated ciphers are temporarily allowed to make it possible
 // to connect to old servers based on YaSSL.
+// TODO: Remove this list
 
 #define TLS_CIPHERS_COMPAT(X) \
-  X("TLS_DH_DSS_WITH_AES_128_GCM_SHA256", "DH-DSS-AES128-GCM-SHA256") \
   X("TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256","ECDH-ECDSA-AES128-GCM-SHA256") \
-  X("TLS_DH_DSS_WITH_AES_256_GCM_SHA384","DH-DSS-AES256-GCM-SHA384") \
   X("TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384","ECDH-ECDSA-AES256-GCM-SHA384") \
-  X("TLS_DH_RSA_WITH_AES_128_GCM_SHA256","DH-RSA-AES128-GCM-SHA256") \
   X("TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256","ECDH-RSA-AES128-GCM-SHA256") \
-  X("TLS_DH_RSA_WITH_AES_256_GCM_SHA384","DH-RSA-AES256-GCM-SHA384") \
   X("TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384","ECDH-RSA-AES256-GCM-SHA384") \
   X("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "DHE-RSA-AES256-SHA") \
   X("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "DHE-RSA-AES128-SHA") \
   X("TLS_RSA_WITH_AES_256_CBC_SHA", "AES256-SHA")
 
+namespace
+{
+  // Check that ciphers in the _COMPAT list are not listed as _UNACCEPTABLE.
+
+  constexpr bool compat_check(std::string_view cipher)
+  {
+    #define COMPAT_CHECK(X,...) if (cipher == X) return false;
+    TLS_CIPHERS_COMPAT(COMPAT_CHECK)
+    return true;
+  }
+
+  #define COMPAT_CHECK1(X,...) \
+  static_assert(compat_check(X), "bad compatibility cipher: " X);
+
+  TLS_CIPHERS_UNACCEPTABLE(COMPAT_CHECK1)
+}
+
 
 #define TLS_CIPHERS_DEFAULT(X) \
   TLS_CIPHERS_MANDATORY(X) \

cdk/foundation/tls_ciphers.h

@@ -0,0 +1,210 @@
+// Generated from the OSSA cipher list
+// version: 3.3
+// date: 2024-01-10
+
+#define TLS_CIPHERS_MANDATORY(X) \
+  X("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256") \
+  X("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "ECDHE-ECDSA-AES256-GCM-SHA384") \
+  X("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE-RSA-AES128-GCM-SHA256") \
+  X("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256") \
+  X("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "ECDHE-ECDSA-AES256-GCM-SHA384") \
+  X("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE-RSA-AES128-GCM-SHA256") \
+  X("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256") \
+  X("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "ECDHE-ECDSA-AES256-GCM-SHA384") \
+  X("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE-RSA-AES128-GCM-SHA256") \
+  X("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256") \
+  X("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "ECDHE-ECDSA-AES256-GCM-SHA384") \
+  X("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE-RSA-AES128-GCM-SHA256") \
+  X("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256") \
+  X("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "ECDHE-ECDSA-AES256-GCM-SHA384") \
+  X("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE-RSA-AES128-GCM-SHA256") \
+
+#define TLS_CIPHERS_APPROVED(X) \
+  X("TLS_AES_128_GCM_SHA256", "") \
+  X("TLS_AES_256_GCM_SHA384", "") \
+  X("TLS_CHACHA20_POLY1305_SHA256", "") \
+  X("TLS_AES_128_CCM_SHA256", "") \
+  X("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE-RSA-AES256-GCM-SHA384") \
+  X("TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "ECDHE-ECDSA-CHACHA20-POLY1305") \
+  X("TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "ECDHE-RSA-CHACHA20-POLY1305") \
+  X("TLS_ECDHE_ECDSA_WITH_AES_256_CCM", "ECDHE-ECDSA-AES256-CCM") \
+  X("TLS_ECDHE_ECDSA_WITH_AES_128_CCM", "ECDHE-ECDSA-AES128-CCM") \
+  X("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "DHE-RSA-AES128-GCM-SHA256") \
+  X("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "DHE-RSA-AES256-GCM-SHA384") \
+  X("TLS_DHE_RSA_WITH_AES_256_CCM", "DHE-RSA-AES256-CCM") \
+  X("TLS_DHE_RSA_WITH_AES_128_CCM", "DHE-RSA-AES128-CCM") \
+  X("TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "DHE-RSA-CHACHA20-POLY1305") \
+  X("TLS_AES_128_GCM_SHA256", "") \
+  X("TLS_AES_256_GCM_SHA384", "") \
+  X("TLS_CHACHA20_POLY1305_SHA256", "") \
+  X("TLS_AES_128_CCM_SHA256", "") \
+  X("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE-RSA-AES256-GCM-SHA384") \
+  X("TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "ECDHE-ECDSA-CHACHA20-POLY1305") \
+  X("TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "ECDHE-RSA-CHACHA20-POLY1305") \
+  X("TLS_ECDHE_ECDSA_WITH_AES_256_CCM", "ECDHE-ECDSA-AES256-CCM") \
+  X("TLS_ECDHE_ECDSA_WITH_AES_128_CCM", "ECDHE-ECDSA-AES128-CCM") \
+  X("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "DHE-RSA-AES128-GCM-SHA256") \
+  X("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "DHE-RSA-AES256-GCM-SHA384") \
+  X("TLS_DHE_RSA_WITH_AES_256_CCM", "DHE-RSA-AES256-CCM") \
+  X("TLS_DHE_RSA_WITH_AES_128_CCM", "DHE-RSA-AES128-CCM") \
+  X("TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "DHE-RSA-CHACHA20-POLY1305") \
+  X("TLS_AES_128_GCM_SHA256", "") \
+  X("TLS_AES_256_GCM_SHA384", "") \
+  X("TLS_CHACHA20_POLY1305_SHA256", "") \
+  X("TLS_AES_128_CCM_SHA256", "") \
+  X("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE-RSA-AES256-GCM-SHA384") \
+  X("TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "ECDHE-ECDSA-CHACHA20-POLY1305") \
+  X("TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "ECDHE-RSA-CHACHA20-POLY1305") \
+  X("TLS_ECDHE_ECDSA_WITH_AES_256_CCM", "ECDHE-ECDSA-AES256-CCM") \
+  X("TLS_ECDHE_ECDSA_WITH_AES_128_CCM", "ECDHE-ECDSA-AES128-CCM") \
+  X("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "DHE-RSA-AES128-GCM-SHA256") \
+  X("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "DHE-RSA-AES256-GCM-SHA384") \
+  X("TLS_DHE_RSA_WITH_AES_256_CCM", "DHE-RSA-AES256-CCM") \
+  X("TLS_DHE_RSA_WITH_AES_128_CCM", "DHE-RSA-AES128-CCM") \
+  X("TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "DHE-RSA-CHACHA20-POLY1305") \
+  X("TLS_AES_128_GCM_SHA256", "") \
+  X("TLS_AES_256_GCM_SHA384", "") \
+  X("TLS_CHACHA20_POLY1305_SHA256", "") \
+  X("TLS_AES_128_CCM_SHA256", "") \
+  X("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE-RSA-AES256-GCM-SHA384") \
+  X("TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "ECDHE-ECDSA-CHACHA20-POLY1305") \
+  X("TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "ECDHE-RSA-CHACHA20-POLY1305") \
+  X("TLS_ECDHE_ECDSA_WITH_AES_256_CCM", "ECDHE-ECDSA-AES256-CCM") \
+  X("TLS_ECDHE_ECDSA_WITH_AES_128_CCM", "ECDHE-ECDSA-AES128-CCM") \
+  X("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "DHE-RSA-AES128-GCM-SHA256") \
+  X("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "DHE-RSA-AES256-GCM-SHA384") \
+  X("TLS_DHE_RSA_WITH_AES_256_CCM", "DHE-RSA-AES256-CCM") \
+  X("TLS_DHE_RSA_WITH_AES_128_CCM", "DHE-RSA-AES128-CCM") \
+  X("TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "DHE-RSA-CHACHA20-POLY1305") \
+  X("TLS_AES_128_GCM_SHA256", "") \
+  X("TLS_AES_256_GCM_SHA384", "") \
+  X("TLS_CHACHA20_POLY1305_SHA256", "") \
+  X("TLS_AES_128_CCM_SHA256", "") \
+  X("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE-RSA-AES256-GCM-SHA384") \
+  X("TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "ECDHE-ECDSA-CHACHA20-POLY1305") \
+  X("TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "ECDHE-RSA-CHACHA20-POLY1305") \
+  X("TLS_ECDHE_ECDSA_WITH_AES_256_CCM", "ECDHE-ECDSA-AES256-CCM") \
+  X("TLS_ECDHE_ECDSA_WITH_AES_128_CCM", "ECDHE-ECDSA-AES128-CCM") \
+  X("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "DHE-RSA-AES128-GCM-SHA256") \
+  X("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "DHE-RSA-AES256-GCM-SHA384") \
+  X("TLS_DHE_RSA_WITH_AES_256_CCM", "DHE-RSA-AES256-CCM") \
+  X("TLS_DHE_RSA_WITH_AES_128_CCM", "DHE-RSA-AES128-CCM") \
+  X("TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "DHE-RSA-CHACHA20-POLY1305") \
+
+#define TLS_CIPHERS_UNACCEPTABLE(X) \
+  X("TLS_ECDH_anon_WITH_NULL_SHA", "AECDH-NULL-SHA") \
+  X("TLS_ECDHE_RSA_WITH_NULL_SHA", "ECDHE-RSA-NULL-SHA") \
+  X("TLS_ECDHE_ECDSA_WITH_NULL_SHA", "ECDHE-ECDSA-NULL-SHA") \
+  X("TLS_GOSTR341001_WITH_NULL_GOSTR3411", "GOST94-NULL-GOST94") \
+  X("TLS_GOSTR341094_WITH_NULL_GOSTR3411", "GOST2001-GOST89-GOST89") \
+  X("TLS_ECDH_RSA_WITH_NULL_SHA", "ECDH-RSA-NULL-SHA") \
+  X("TLS_ECDH_ECDSA_WITH_NULL_SHA", "ECDH-ECDSA-NULL-SHA") \
+  X("TLS_RSA_WITH_NULL_SHA256", "NULL-SHA256") \
+  X("TLS_RSA_WITH_NULL_SHA", "NULL-SHA") \
+  X("TLS_RSA_WITH_NULL_MD5", "NULL-MD5") \
+  X("TLS_ECDH_anon_WITH_AES_256_CBC_SHA", "AECDH-AES256-SHA") \
+  X("TLS_DH_anon_WITH_AES_256_GCM_SHA384", "ADH-AES256-GCM-SHA384") \
+  X("TLS_DH_anon_WITH_AES_256_CBC_SHA256", "ADH-AES256-SHA256") \
+  X("TLS_DH_anon_WITH_AES_256_CBC_SHA", "ADH-AES256-SHA") \
+  X("TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256", "ADH-CAMELLIA256-SHA256") \
+  X("TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA", "ADH-CAMELLIA256-SHA") \
+  X("TLS_ECDH_anon_WITH_AES_128_CBC_SHA", "AECDH-AES128-SHA") \
+  X("TLS_DH_anon_WITH_AES_128_GCM_SHA256", "ADH-AES128-GCM-SHA256") \
+  X("TLS_DH_anon_WITH_AES_128_CBC_SHA256", "ADH-AES128-SHA256") \
+  X("TLS_DH_anon_WITH_AES_128_CBC_SHA", "ADH-AES128-SHA") \
+  X("TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256", "ADH-CAMELLIA128-SHA256") \
+  X("TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA", "AADH-CAMELLIA128-SHA") \
+  X("TLS_ECDH_anon_WITH_RC4_128_SHA", "AECDH-RC4-SHA") \
+  X("TLS_DH_anon_WITH_RC4_128_MD5", "ADH-RC4-MD5") \
+  X("TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA", "AECDH-DES-CBC3-SHA") \
+  X("TLS_DH_anon_WITH_3DES_EDE_CBC_SHA", "ADH-DES-CBC3-SHA") \
+  X("TLS_DH_anon_WITH_DES_CBC_SHA", "ADH-DES-CBC-SHA") \
+  X("SSL_RSA_EXPORT_WITH_RC4_40_MD5", "EXP-RC4-MD5") \
+  X("SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5", "EXP-RC2-CBC-MD5") \
+  X("SSL_RSA_EXPORT_WITH_DES40_CBC_SHA", "EXP-DES-CBC-SHA") \
+  X("SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA", "") \
+  X("SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA", "") \
+  X("TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA", "EXP-DH-DSS-DES-CBC-SHA") \
+  X("TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA", "EXP-DH-RSA-DES-CBC-SHA") \
+  X("SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA", "EXP-EDH-DSS-DES-CBC-SHA") \
+  X("SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", "EXP-EDH-RSA-DES-CBC-SHA") \
+  X("SSL_DH_anon_EXPORT_WITH_RC4_40_MD5", "EXP-ADH-RC4-MD5") \
+  X("SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA", "EXP-ADH-DES-CBC-SHA") \
+  X("TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA", "EXP-KRB5-DES-CBC-SHA") \
+  X("TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA", "EXP-KRB5-RC2-CBC-SHA") \
+  X("TLS_KRB5_EXPORT_WITH_RC4_40_SHA", "EXP-KRB5-RC4-SHA") \
+  X("TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5", "EXP-KRB5-DES-CBC-MD5") \
+  X("TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5", "EXP-KRB5-RC2-CBC-MD5") \
+  X("TLS_KRB5_EXPORT_WITH_RC4_40_MD5", "EXP-KRB5-RC4-MD5") \
+  X("TLS_RSA_EXPORT_WITH_RC4_40_MD5", "EXP-RC4-MD5") \
+  X("TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5", "EXP-RC2-CBC-MD5") \
+  X("TLS_RSA_EXPORT_WITH_DES40_CBC_SHA", "") \
+  X("TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA", "EXP-EDH-DSS-DES-CBC-SHA") \
+  X("TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", "EXP-EDH-RSA-DES-CBC-SHA") \
+  X("TLS_DH_anon_EXPORT_WITH_RC4_40_MD5", "EXP-ADH-RC4-MD5") \
+  X("TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA", "EXP-ADH-DES-CBC-SHA") \
+  X("TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA", "EXP1024-DES-CBC-SHA") \
+  X("TLS_RSA_EXPORT1024_WITH_RC4_56_SHA", "EXP1024-RC4-SHA") \
+  X("TLS_RSA_EXPORT1024_WITH_RC4_56_MD5", "EXP1024-RC4-MD5") \
+  X("TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5", "EXP1024-RC2-CBC-MD5") \
+  X("TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA", "EXP1024-DHE-DSS-DES-CBC-SHA") \
+  X("TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA", "EXP1024-DHE-DSS-RC4-SHA") \
+  X("SSL_CK_RC4_128_EXPORT40_WITH_MD5", "EXP-RC4-MD5") \
+  X("SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5", "EXP-RC2-CBC-MD5") \
+  X("SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5", "EXP-RC2-MD5") \
+  X("TLS_DHE_RSA_WITH_DES_CBC_SHA", "EDH-RSA-DES-CBC-SHA") \
+  X("TLS_DHE_DSS_WITH_DES_CBC_SHA", "EDH-DSS-DES-CBC-SHA") \
+  X("TLS_DH_anon_WITH_DES_CBC_SHA", "ADH-DES-CBC-SHA") \
+  X("SL_CK_DES_64_CBC_WITH_SHA", "DES-CBC-SHA") \
+  X("TLS_KRB5_WITH_DES_CBC_SHA", "KRB5-DES-CBC-SHA") \
+  X("TLS_DH_anon_WITH_RC4_128_MD5", "ADH-RC4-MD5") \
+  X("TLS_RSA_WITH_RC4_128_MD5", "RC4-MD5") \
+  X("TLS_RSA_WITH_NULL_MD5", "NULL-MD5") \
+  X("TLS_KRB5_WITH_DES_CBC_MD5", "KRB5-DES-CBC-MD5") \
+  X("TLS_KRB5_WITH_RC4_128_MD5", "KRB5-RC4-MD5") \
+  X("TLS_KRB5_WITH_IDEA_CBC_MD5", "KRB5-IDEA-CBC-MD5") \
+  X("TLS_ECDHE_RSA_WITH_RC4_128_SHA", "ECDHE-RSA-RC4-SHA") \
+  X("TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", "ECDHE-ECDSA-RC4-SHA") \
+  X("TLS_ECDH_anon_WITH_RC4_128_SHA", "AECDH-RC4-SHA") \
+  X("TLS_ECDH_RSA_WITH_RC4_128_SHA", "ECDH-RSA-RC4-SHA") \
+  X("TLS_ECDH_ECDSA_WITH_RC4_128_SHA", "ECDH-ECDSA-RC4-SHA") \
+  X("TLS_RSA_WITH_RC4_128_SHA", "RC4-SHA") \
+  X("TLS_KRB5_WITH_RC4_128_SHA", "KRB5-RC4-SHA") \
+  X("TLS_ECDH_anon_WITH_NULL_SHA", "AECDH-NULL-SHA") \
+  X("TLS_ECDH_RSA_WITH_NULL_SHA", "ECDH-RSA-NULL-SHA") \
+  X("TLS_ECDH_ECDSA_WITH_NULL_SHA", "ECDH-ECDSA-NULL-SHA") \
+  X("TLS_PSK_WITH_AES_256_CBC_SHA", "PSK-AES256-CBC-SHA") \
+  X("TLS_PSK_WITH_AES_128_CBC_SHA", "PSK-AES128-CBC-SHA") \
+  X("TLS_PSK_WITH_3DES_EDE_CBC_SHA", "PSK-3DES-EDE-CBC-SHA") \
+  X("TLS_PSK_WITH_RC4_128_SHA", "PSK-RC4-SHA") \
+  X("TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5", "EXP-RC2-CBC-MD5") \
+  X("TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA", "EXP-KRB5-RC2-CBC-SHA") \
+  X("TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5", "EXP1024-RC2-CBC-MD5") \
+  X("SSL_CK_RC2_128_CBC_WITH_MD5", "RC2-CBC-MD5") \
+  X("SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5", "EXP-RC2-CBC-MD5") \
+  X("TLS_DH_RSA_WITH_AES_128_CBC_SHA256", "DH-RSA-AES128-SHA256") \
+  X("TLS_DH_RSA_WITH_AES_256_CBC_SHA256", "DH-RSA-AES256-SHA256") \
+  X("TLS_DH_DSS_WITH_AES_128_CBC_SHA256", "DH-DSS-AES128-SHA256") \
+  X("TLS_DH_DSS_WITH_AES_128_CBC_SHA", "DH-DSS-AES128-SHA") \
+  X("TLS_DH_DSS_WITH_AES_256_CBC_SHA", "DH-DSS-AES256-SHA") \
+  X("TLS_DH_DSS_WITH_AES_256_CBC_SHA256", "DH-DSS-AES256-SHA256") \
+  X("TLS_DH_RSA_WITH_AES_128_CBC_SHA", "DH-RSA-AES128-SHA") \
+  X("TLS_DH_RSA_WITH_AES_256_CBC_SHA", "DH-RSA-AES256-SHA") \
+  X("TLS_DH_DSS_WITH_AES_128_GCM_SHA256", "DH-DSS-AES128-GCM-SHA256") \
+  X("TLS_DH_DSS_WITH_AES_256_GCM_SHA384", "DH-DSS-AES256-GCM-SHA384") \
+  X("TLS_DH_RSA_WITH_AES_128_GCM_SHA256", "DH-RSA-AES128-GCM-SHA256") \
+  X("TLS_DH_RSA_WITH_AES_256_GCM_SHA384", "DH-RSA-AES256-GCM-SHA384") \
+  X("TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA", "DH-DSS-DES-CBC3-SHA") \
+  X("TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA", "DH-RSA-DES-CBC3-SHA") \
+  X("TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", "EDH-DSS-DES-CBC3-SHA") \
+  X("TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", "EDH-RSA-DES-CBC3-SHA") \
+  X("TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA", "ECDH-RSA-DES-CBC3-SHA") \
+  X("TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA", "ECDH-ECDSA-DES-CBC3-SHA") \
+  X("TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", "ECDHE-RSA-DES-CBC3-SHA") \
+  X("TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", "ECDHE-ECDSA-DES-CBC3-SHA") \
+  X("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "DES-CBC3-SHA") \
+  X("TLS_KRB5_WITH_3DES_EDE_CBC_SHA", "KRB5-DES-CBC3-SHA") \
+  X("TLS_KRB5_WITH_3DES_EDE_CBC_MD5", "KRB5-DES-CBC3-MD5") \
+  X("TLS_KRB5_WITH_IDEA_CBC_SHA", "KRB5-IDEA-CBC-SHA") \
+
+// This comment is here to avoid "backslash-newline at end of file" compile warning.

devapi/tests/CMakeLists.txt

@@ -31,6 +31,8 @@
 # are not good for building client code that uses the connector.
 #
 
+get_filename_component(CDKDIR "${CMAKE_CURRENT_LIST_DIR}/../../cdk" ABSOLUTE)
+
 set_property(
   DIRECTORY .
   PROPERTY COMPILE_DEFINITIONS ""
@@ -57,3 +59,16 @@ ADD_NG_TEST(devapi-t
   first-t.cc crud-t.cc types-t.cc batch-t.cc ddl-t.cc session-t.cc
   bugs-t.cc test.h
 )
+
+set(TLS_CIPHERS_H "${CDKDIR}/foundation/tls_ciphers.h")
+
+if(EXISTS ${TLS_CIPHERS_H})
+
+  message(STATUS "Using cipher list defined in: ${TLS_CIPHERS_H}")
+
+  include_directories("${CDKDIR}/foundation")
+  add_compile_definitions(TLS_CIPHERS_H)
+
+else()
+  message(SEND_ERROR "The cipher list could not be found: ${TLS_CIPHERS_H}")
+endif()