Google Git
Sign in
boringssl / boringssl.git / 6fff386492d9f316f5f780ff9d0ddaf1700f98a9^! / . / include / openssl / ssl.h
commit6fff386492d9f316f5f780ff9d0ddaf1700f98a9[log] [tgz]
authorDavid Benjamin <davidben@google.com>Wed Jun 21 21:07:04 2017 -0400
committerCQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>Thu Jun 22 02:45:37 2017 +0000
tree5885c6a7cef196c20ebebb175663240580d1ddb5
parentcd60bf0e0a5a710a90d68a7496ef9540305bfd32 [diff] [blame]
Support standard RFC cipher suite names alongside OpenSSL ones.

Both Conscrypt and Netty have a lot of logic to map between the two
kinds of names. WebRTC needed an SSL_CIPHER_get_rfc_name for something.
Just have both in the library. Also deprecate SSL_CIPHER_get_rfc_name
in favor of SSL_CIPHER_standard_name, which matches upstream if built
with enable-ssl-trace. And, unlike SSL_CIPHER_get_rfc_name, this does
not require dealing with the malloc.

(Strangely this decreases bssl's binary size, even though we're carrying
more strings around. It seems the old SSL_CIPHER_get_rfc_name was
somewhat large in comparison. Regardless, a consumer that disliked 30
short strings probably also disliked the OpenSSL names. That would be
better solved by opaquifying SSL_CIPHER and adding a less stringy API
for configuring cipher lists. That's something we can explore later if
needed.)

I also made the command-line tool print out the standard names since
they're more standard. May as well push folks towards those going
forward.

Change-Id: Ieeb3d63e67ef4da87458e68d130166a4c1090596
Reviewed-on: https://boringssl-review.googlesource.com/17324
Reviewed-by: Robert Sloan <varomodt@google.com>
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>

diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 52056ef..295f381 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h

@@ -1246,7 +1246,12 @@
  * supports |cipher|. */
 OPENSSL_EXPORT uint16_t SSL_CIPHER_get_max_version(const SSL_CIPHER *cipher);
 
-/* SSL_CIPHER_get_name returns the OpenSSL name of |cipher|. */
+/* SSL_CIPHER_standard_name returns the standard IETF name for |cipher|. For
+ * example, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256". */
+OPENSSL_EXPORT const char *SSL_CIPHER_standard_name(const SSL_CIPHER *cipher);
+
+/* SSL_CIPHER_get_name returns the OpenSSL name of |cipher|. For example,
+ * "ECDHE-RSA-AES128-GCM-SHA256". */
 OPENSSL_EXPORT const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher);
 
 /* SSL_CIPHER_get_kx_name returns a string that describes the key-exchange
@@ -1254,12 +1259,6 @@
  * ciphers return the string "GENERIC". */
 OPENSSL_EXPORT const char *SSL_CIPHER_get_kx_name(const SSL_CIPHER *cipher);
 
-/* SSL_CIPHER_get_rfc_name returns a newly-allocated string with the standard
- * name for |cipher| or NULL on error. For example,
- * "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256". The caller is responsible for
- * calling |OPENSSL_free| on the result. */
-OPENSSL_EXPORT char *SSL_CIPHER_get_rfc_name(const SSL_CIPHER *cipher);
-
 /* SSL_CIPHER_get_bits returns the strength, in bits, of |cipher|. If
  * |out_alg_bits| is not NULL, it writes the number of bits consumed by the
  * symmetric algorithm to |*out_alg_bits|. */
@@ -1295,10 +1294,10 @@
  *   |!| deletes all matching ciphers, enabled or not, from either list. Deleted
  *   ciphers will not matched by future operations.
  *
- * A selector may be a specific cipher (using the OpenSSL name for the cipher)
- * or one or more rules separated by |+|. The final selector matches the
- * intersection of each rule. For instance, |AESGCM+aECDSA| matches
- * ECDSA-authenticated AES-GCM ciphers.
+ * A selector may be a specific cipher (using either the standard or OpenSSL
+ * name for the cipher) or one or more rules separated by |+|. The final
+ * selector matches the intersection of each rule. For instance, |AESGCM+aECDSA|
+ * matches ECDSA-authenticated AES-GCM ciphers.
  *
  * Available cipher rules are:
  *
@@ -3386,13 +3385,20 @@
  * The description includes a trailing newline and has the form:
  * AES128-SHA              Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
  *
- * Consider |SSL_CIPHER_get_name| or |SSL_CIPHER_get_rfc_name| instead. */
+ * Consider |SSL_CIPHER_standard_name| or |SSL_CIPHER_get_name| instead. */
 OPENSSL_EXPORT const char *SSL_CIPHER_description(const SSL_CIPHER *cipher,
                                                   char *buf, int len);
 
 /* SSL_CIPHER_get_version returns the string "TLSv1/SSLv3". */
 OPENSSL_EXPORT const char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher);
 
+/* SSL_CIPHER_get_rfc_name returns a newly-allocated string containing the
+ * result of |SSL_CIPHER_standard_name| or NULL on error. The caller is
+ * responsible for calling |OPENSSL_free| on the result.
+ *
+ * Use |SSL_CIPHER_standard_name| instead. */
+OPENSSL_EXPORT char *SSL_CIPHER_get_rfc_name(const SSL_CIPHER *cipher);
+
 typedef void COMP_METHOD;
 
 /* SSL_COMP_get_compression_methods returns NULL. */
@@ -3890,6 +3896,8 @@
 struct ssl_cipher_st {
   /* name is the OpenSSL name for the cipher. */
   const char *name;
+  /* standard_name is the IETF name for the cipher. */
+  const char *standard_name;
   /* id is the cipher suite value bitwise OR-d with 0x03000000. */
   uint32_t id;