Add OpenSSL 1.1.0's cipher property functions.
Other projects are starting to use them. Having two APIs for the same
thing is silly, so deprecate all our old ones.
Change-Id: Iaf6b6995bc9e4b624140d5c645000fbf2cb08162
Reviewed-on: https://boringssl-review.googlesource.com/19064
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/crypto/obj/obj_dat.h b/crypto/obj/obj_dat.h
index b3da0e8..dceaf03 100644
--- a/crypto/obj/obj_dat.h
+++ b/crypto/obj/obj_dat.h
@@ -57,7 +57,7 @@
/* This file is generated by crypto/obj/objects.go. */
-#define NUM_NID 950
+#define NUM_NID 959
static const uint8_t kObjectData[] = {
/* NID_rsadsi */
@@ -3444,6 +3444,16 @@
{"dh-cofactor-kdf", "dh-cofactor-kdf", NID_dh_cofactor_kdf, 0, NULL, 0},
{"X25519", "X25519", NID_X25519, 0, NULL, 0},
{"ED25519", "ED25519", NID_ED25519, 3, &kObjectData[6175], 0},
+ {"ChaCha20-Poly1305", "chacha20-poly1305", NID_chacha20_poly1305, 0, NULL,
+ 0},
+ {"KxRSA", "kx-rsa", NID_kx_rsa, 0, NULL, 0},
+ {"KxECDHE", "kx-ecdhe", NID_kx_ecdhe, 0, NULL, 0},
+ {"KxPSK", "kx-psk", NID_kx_psk, 0, NULL, 0},
+ {"AuthRSA", "auth-rsa", NID_auth_rsa, 0, NULL, 0},
+ {"AuthECDSA", "auth-ecdsa", NID_auth_ecdsa, 0, NULL, 0},
+ {"AuthPSK", "auth-psk", NID_auth_psk, 0, NULL, 0},
+ {"KxANY", "kx-any", NID_kx_any, 0, NULL, 0},
+ {"AuthANY", "auth-any", NID_auth_any, 0, NULL, 0},
};
static const unsigned kNIDsInShortNameOrder[] = {
@@ -3474,6 +3484,10 @@
426 /* AES-256-ECB */,
428 /* AES-256-OFB */,
914 /* AES-256-XTS */,
+ 958 /* AuthANY */,
+ 955 /* AuthECDSA */,
+ 956 /* AuthPSK */,
+ 954 /* AuthRSA */,
91 /* BF-CBC */,
93 /* BF-CFB */,
92 /* BF-ECB */,
@@ -3505,6 +3519,7 @@
13 /* CN */,
141 /* CRLReason */,
417 /* CSPName */,
+ 950 /* ChaCha20-Poly1305 */,
367 /* CrlID */,
391 /* DC */,
31 /* DES-CBC */,
@@ -3547,6 +3562,10 @@
645 /* ITU-T */,
646 /* JOINT-ISO-ITU-T */,
773 /* KISA */,
+ 957 /* KxANY */,
+ 952 /* KxECDHE */,
+ 953 /* KxPSK */,
+ 951 /* KxRSA */,
15 /* L */,
856 /* LocalKeySet */,
3 /* MD2 */,
@@ -4570,6 +4589,10 @@
484 /* associatedDomain */,
485 /* associatedName */,
501 /* audio */,
+ 958 /* auth-any */,
+ 955 /* auth-ecdsa */,
+ 956 /* auth-psk */,
+ 954 /* auth-rsa */,
882 /* authorityRevocationList */,
91 /* bf-cbc */,
93 /* bf-cfb */,
@@ -4640,6 +4663,7 @@
677 /* certicom-arc */,
517 /* certificate extensions */,
883 /* certificateRevocationList */,
+ 950 /* chacha20-poly1305 */,
54 /* challengePassword */,
407 /* characteristic-two-field */,
395 /* clearance */,
@@ -4982,6 +5006,10 @@
646 /* joint-iso-itu-t */,
150 /* keyBag */,
773 /* kisa */,
+ 957 /* kx-any */,
+ 952 /* kx-ecdhe */,
+ 953 /* kx-psk */,
+ 951 /* kx-rsa */,
477 /* lastModifiedBy */,
476 /* lastModifiedTime */,
157 /* localKeyID */,
diff --git a/crypto/obj/obj_mac.num b/crypto/obj/obj_mac.num
index 572a01b..6dbc0f1 100644
--- a/crypto/obj/obj_mac.num
+++ b/crypto/obj/obj_mac.num
@@ -938,3 +938,12 @@
dh_cofactor_kdf 947
X25519 948
ED25519 949
+chacha20_poly1305 950
+kx_rsa 951
+kx_ecdhe 952
+kx_psk 953
+auth_rsa 954
+auth_ecdsa 955
+auth_psk 956
+kx_any 957
+auth_any 958
diff --git a/crypto/obj/objects.txt b/crypto/obj/objects.txt
index 03056de..f1a6395 100644
--- a/crypto/obj/objects.txt
+++ b/crypto/obj/objects.txt
@@ -1336,3 +1336,19 @@
# See draft-ietf-curdle-pkix-04.
1 3 101 112 : ED25519
+
+ : ChaCha20-Poly1305 : chacha20-poly1305
+
+# NIDs for TLS 1.2 cipher suite key exchanges.
+ : KxRSA : kx-rsa
+ : KxECDHE : kx-ecdhe
+ : KxPSK : kx-psk
+
+# NIDs for TLS 1.2 cipher suite authentication types.
+ : AuthRSA : auth-rsa
+ : AuthECDSA : auth-ecdsa
+ : AuthPSK : auth-psk
+
+# TLS 1.3 cipher suites do not specify key exchange or authentication.
+ : KxANY : kx-any
+ : AuthANY : auth-any
diff --git a/include/openssl/nid.h b/include/openssl/nid.h
index bc0ee33..afeb2de 100644
--- a/include/openssl/nid.h
+++ b/include/openssl/nid.h
@@ -4198,6 +4198,42 @@
#define NID_ED25519 949
#define OBJ_ED25519 1L, 3L, 101L, 112L
+#define SN_chacha20_poly1305 "ChaCha20-Poly1305"
+#define LN_chacha20_poly1305 "chacha20-poly1305"
+#define NID_chacha20_poly1305 950
+
+#define SN_kx_rsa "KxRSA"
+#define LN_kx_rsa "kx-rsa"
+#define NID_kx_rsa 951
+
+#define SN_kx_ecdhe "KxECDHE"
+#define LN_kx_ecdhe "kx-ecdhe"
+#define NID_kx_ecdhe 952
+
+#define SN_kx_psk "KxPSK"
+#define LN_kx_psk "kx-psk"
+#define NID_kx_psk 953
+
+#define SN_auth_rsa "AuthRSA"
+#define LN_auth_rsa "auth-rsa"
+#define NID_auth_rsa 954
+
+#define SN_auth_ecdsa "AuthECDSA"
+#define LN_auth_ecdsa "auth-ecdsa"
+#define NID_auth_ecdsa 955
+
+#define SN_auth_psk "AuthPSK"
+#define LN_auth_psk "auth-psk"
+#define NID_auth_psk 956
+
+#define SN_kx_any "KxANY"
+#define LN_kx_any "kx-any"
+#define NID_kx_any 957
+
+#define SN_auth_any "AuthANY"
+#define LN_auth_any "auth-any"
+#define NID_auth_any 958
+
#if defined(__cplusplus)
} /* extern C */
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index c989dd6..63651b5 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1200,56 +1200,36 @@
* get the cipher suite value. */
OPENSSL_EXPORT uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *cipher);
-/* SSL_CIPHER_is_AES returns one if |cipher| uses AES (either GCM or CBC
- * mode). */
-OPENSSL_EXPORT int SSL_CIPHER_is_AES(const SSL_CIPHER *cipher);
-
-/* SSL_CIPHER_has_SHA1_HMAC returns one if |cipher| uses HMAC-SHA1. */
-OPENSSL_EXPORT int SSL_CIPHER_has_SHA1_HMAC(const SSL_CIPHER *cipher);
-
-/* SSL_CIPHER_has_SHA256_HMAC returns one if |cipher| uses HMAC-SHA256. */
-OPENSSL_EXPORT int SSL_CIPHER_has_SHA256_HMAC(const SSL_CIPHER *cipher);
-
-/* SSL_CIPHER_has_SHA384_HMAC returns one if |cipher| uses HMAC-SHA384. */
-OPENSSL_EXPORT int SSL_CIPHER_has_SHA384_HMAC(const SSL_CIPHER *cipher);
-
-/* SSL_CIPHER_is_AEAD returns one if |cipher| uses an AEAD cipher. */
-OPENSSL_EXPORT int SSL_CIPHER_is_AEAD(const SSL_CIPHER *cipher);
-
-/* SSL_CIPHER_is_AESGCM returns one if |cipher| uses AES-GCM. */
-OPENSSL_EXPORT int SSL_CIPHER_is_AESGCM(const SSL_CIPHER *cipher);
-
-/* SSL_CIPHER_is_AES128GCM returns one if |cipher| uses 128-bit AES-GCM. */
-OPENSSL_EXPORT int SSL_CIPHER_is_AES128GCM(const SSL_CIPHER *cipher);
-
-/* SSL_CIPHER_is_AES128CBC returns one if |cipher| uses 128-bit AES in CBC
- * mode. */
-OPENSSL_EXPORT int SSL_CIPHER_is_AES128CBC(const SSL_CIPHER *cipher);
-
-/* SSL_CIPHER_is_AES256CBC returns one if |cipher| uses 256-bit AES in CBC
- * mode. */
-OPENSSL_EXPORT int SSL_CIPHER_is_AES256CBC(const SSL_CIPHER *cipher);
-
-/* SSL_CIPHER_is_CHACHA20POLY1305 returns one if |cipher| uses
- * CHACHA20_POLY1305. Note this includes both the RFC 7905 and
- * draft-agl-tls-chacha20poly1305-04 versions. */
-OPENSSL_EXPORT int SSL_CIPHER_is_CHACHA20POLY1305(const SSL_CIPHER *cipher);
-
-/* SSL_CIPHER_is_NULL returns one if |cipher| does not encrypt. */
-OPENSSL_EXPORT int SSL_CIPHER_is_NULL(const SSL_CIPHER *cipher);
+/* SSL_CIPHER_is_aead returns one if |cipher| uses an AEAD cipher. */
+OPENSSL_EXPORT int SSL_CIPHER_is_aead(const SSL_CIPHER *cipher);
/* SSL_CIPHER_is_block_cipher returns one if |cipher| is a block cipher. */
OPENSSL_EXPORT int SSL_CIPHER_is_block_cipher(const SSL_CIPHER *cipher);
-/* SSL_CIPHER_is_ECDSA returns one if |cipher| uses ECDSA. */
-OPENSSL_EXPORT int SSL_CIPHER_is_ECDSA(const SSL_CIPHER *cipher);
+/* SSL_CIPHER_get_cipher_nid returns the NID for |cipher|'s bulk
+ * cipher. Possible values are |NID_aes_128_gcm|, |NID_aes_256_gcm|,
+ * |NID_chacha20_poly1305|, |NID_aes_128_cbc|, |NID_aes_256_cbc|, and
+ * |NID_des_ede3_cbc|. */
+OPENSSL_EXPORT int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *cipher);
-/* SSL_CIPHER_is_ECDHE returns one if |cipher| uses ECDHE. */
-OPENSSL_EXPORT int SSL_CIPHER_is_ECDHE(const SSL_CIPHER *cipher);
+/* SSL_CIPHER_get_digest_nid returns the NID for |cipher|'s HMAC if it is a
+ * legacy cipher suite. For modern AEAD-based ciphers (see
+ * |SSL_CIPHER_is_aead|), it returns |NID_undef|.
+ *
+ * Note this function only returns the legacy HMAC digest, not the PRF hash. */
+OPENSSL_EXPORT int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *cipher);
-/* SSL_CIPHER_is_static_RSA returns one if |cipher| uses the static RSA key
- * exchange. */
-OPENSSL_EXPORT int SSL_CIPHER_is_static_RSA(const SSL_CIPHER *cipher);
+/* SSL_CIPHER_get_kx_nid returns the NID for |cipher|'s key exchange. This may
+ * be |NID_kx_rsa|, |NID_kx_ecdhe|, or |NID_kx_psk| for TLS 1.2. In TLS 1.3,
+ * cipher suites do not specify the key exchange, so this function returns
+ * |NID_kx_any|. */
+OPENSSL_EXPORT int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *cipher);
+
+/* SSL_CIPHER_get_auth_nid returns the NID for |cipher|'s authentication
+ * type. This may be |NID_auth_rsa|, |NID_auth_ecdsa|, or |NID_auth_psk| for TLS
+ * 1.2. In TLS 1.3, cipher suites do not specify authentication, so this
+ * function returns |NID_auth_any|. */
+OPENSSL_EXPORT int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *cipher);
/* SSL_CIPHER_get_min_version returns the minimum protocol version required
* for |cipher|. */
@@ -3983,6 +3963,64 @@
* the session. */
OPENSSL_EXPORT SSL_SESSION *SSL_get1_session(SSL *ssl);
+/* TODO(davidben): Convert all the callers of these old |SSL_CIPHER| functions
+ * and remove them. */
+
+/* SSL_CIPHER_is_AEAD calls |SSL_CIPHER_is_aead|. */
+OPENSSL_EXPORT int SSL_CIPHER_is_AEAD(const SSL_CIPHER *cipher);
+
+/* SSL_CIPHER_is_AES returns one if |cipher| uses AES (either GCM or CBC
+ * mode). Use |SSL_CIPHER_get_cipher_nid| instead. */
+OPENSSL_EXPORT int SSL_CIPHER_is_AES(const SSL_CIPHER *cipher);
+
+/* SSL_CIPHER_has_SHA1_HMAC returns one if |cipher| uses HMAC-SHA1. Use
+ * |SSL_CIPHER_get_digest_nid| instead. */
+OPENSSL_EXPORT int SSL_CIPHER_has_SHA1_HMAC(const SSL_CIPHER *cipher);
+
+/* SSL_CIPHER_has_SHA256_HMAC returns one if |cipher| uses HMAC-SHA256. Use
+ * |SSL_CIPHER_get_digest_nid| instead. */
+OPENSSL_EXPORT int SSL_CIPHER_has_SHA256_HMAC(const SSL_CIPHER *cipher);
+
+/* SSL_CIPHER_has_SHA384_HMAC returns one if |cipher| uses HMAC-SHA384. Use
+ * |SSL_CIPHER_get_digest_nid| instead. */
+OPENSSL_EXPORT int SSL_CIPHER_has_SHA384_HMAC(const SSL_CIPHER *cipher);
+
+/* SSL_CIPHER_is_AESGCM returns one if |cipher| uses AES-GCM. Use
+ * |SSL_CIPHER_get_cipher_nid| instead. */
+OPENSSL_EXPORT int SSL_CIPHER_is_AESGCM(const SSL_CIPHER *cipher);
+
+/* SSL_CIPHER_is_AES128GCM returns one if |cipher| uses 128-bit AES-GCM. Use
+ * |SSL_CIPHER_get_cipher_nid| instead. */
+OPENSSL_EXPORT int SSL_CIPHER_is_AES128GCM(const SSL_CIPHER *cipher);
+
+/* SSL_CIPHER_is_AES128CBC returns one if |cipher| uses 128-bit AES in CBC
+ * mode. Use |SSL_CIPHER_get_cipher_nid| instead. */
+OPENSSL_EXPORT int SSL_CIPHER_is_AES128CBC(const SSL_CIPHER *cipher);
+
+/* SSL_CIPHER_is_AES256CBC returns one if |cipher| uses 256-bit AES in CBC
+ * mode. Use |SSL_CIPHER_get_cipher_nid| instead. */
+OPENSSL_EXPORT int SSL_CIPHER_is_AES256CBC(const SSL_CIPHER *cipher);
+
+/* SSL_CIPHER_is_CHACHA20POLY1305 returns one if |cipher| uses
+ * CHACHA20_POLY1305. Use |SSL_CIPHER_get_cipher_nid| instead. */
+OPENSSL_EXPORT int SSL_CIPHER_is_CHACHA20POLY1305(const SSL_CIPHER *cipher);
+
+/* SSL_CIPHER_is_NULL returns one if |cipher| does not encrypt. Use
+ * |SSL_CIPHER_get_cipher_nid| instead. */
+OPENSSL_EXPORT int SSL_CIPHER_is_NULL(const SSL_CIPHER *cipher);
+
+/* SSL_CIPHER_is_ECDSA returns one if |cipher| uses ECDSA. Use
+ * |SSL_CIPHER_get_auth_nid| instead. */
+OPENSSL_EXPORT int SSL_CIPHER_is_ECDSA(const SSL_CIPHER *cipher);
+
+/* SSL_CIPHER_is_ECDHE returns one if |cipher| uses ECDHE. Use
+ * |SSL_CIPHER_get_kx_nid| instead. */
+OPENSSL_EXPORT int SSL_CIPHER_is_ECDHE(const SSL_CIPHER *cipher);
+
+/* SSL_CIPHER_is_static_RSA returns one if |cipher| uses the static RSA key
+ * exchange. Use |SSL_CIPHER_get_kx_nid| instead. */
+OPENSSL_EXPORT int SSL_CIPHER_is_static_RSA(const SSL_CIPHER *cipher);
+
/* Private structures.
*
diff --git a/ssl/ssl_cipher.cc b/ssl/ssl_cipher.cc
index fbcabd5..de4a4b4 100644
--- a/ssl/ssl_cipher.cc
+++ b/ssl/ssl_cipher.cc
@@ -1455,10 +1455,80 @@
return (cipher->algorithm_mac & SSL_SHA384) != 0;
}
-int SSL_CIPHER_is_AEAD(const SSL_CIPHER *cipher) {
+int SSL_CIPHER_is_aead(const SSL_CIPHER *cipher) {
return (cipher->algorithm_mac & SSL_AEAD) != 0;
}
+int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *cipher) {
+ switch (cipher->algorithm_enc) {
+ case SSL_eNULL:
+ return NID_undef;
+ case SSL_3DES:
+ return NID_des_ede3_cbc;
+ case SSL_AES128:
+ return NID_aes_128_cbc;
+ case SSL_AES256:
+ return NID_aes_256_cbc;
+ case SSL_AES128GCM:
+ return NID_aes_128_gcm;
+ case SSL_AES256GCM:
+ return NID_aes_256_gcm;
+ case SSL_CHACHA20POLY1305:
+ return NID_chacha20_poly1305;
+ }
+ assert(0);
+ return NID_undef;
+}
+
+int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *cipher) {
+ switch (cipher->algorithm_mac) {
+ case SSL_AEAD:
+ return NID_undef;
+ case SSL_SHA1:
+ return NID_sha1;
+ case SSL_SHA256:
+ return NID_sha256;
+ case SSL_SHA384:
+ return NID_sha384;
+ }
+ assert(0);
+ return NID_undef;
+}
+
+int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *cipher) {
+ switch (cipher->algorithm_mkey) {
+ case SSL_kRSA:
+ return NID_kx_rsa;
+ case SSL_kECDHE:
+ return NID_kx_ecdhe;
+ case SSL_kPSK:
+ return NID_kx_psk;
+ case SSL_kGENERIC:
+ return NID_kx_any;
+ }
+ assert(0);
+ return NID_undef;
+}
+
+int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *cipher) {
+ switch (cipher->algorithm_auth) {
+ case SSL_aRSA:
+ return NID_auth_rsa;
+ case SSL_aECDSA:
+ return NID_auth_ecdsa;
+ case SSL_aPSK:
+ return NID_auth_psk;
+ case SSL_aGENERIC:
+ return NID_auth_any;
+ }
+ assert(0);
+ return NID_undef;
+}
+
+int SSL_CIPHER_is_AEAD(const SSL_CIPHER *cipher) {
+ return SSL_CIPHER_is_aead(cipher);
+}
+
int SSL_CIPHER_is_AESGCM(const SSL_CIPHER *cipher) {
return (cipher->algorithm_enc & (SSL_AES128GCM | SSL_AES256GCM)) != 0;
}
diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc
index 88c2ed2..898cd04 100644
--- a/ssl/ssl_test.cc
+++ b/ssl/ssl_test.cc
@@ -786,30 +786,119 @@
ExpectDefaultVersion(TLS1_2_VERSION, TLS1_2_VERSION, &DTLSv1_2_method);
}
-TEST(SSLTest, CipherGetStandardName) {
+TEST(SSLTest, CipherProperties) {
static const struct {
int id;
const char *standard_name;
+ int cipher_nid;
+ int digest_nid;
+ int kx_nid;
+ int auth_nid;
} kTests[] = {
- {SSL3_CK_RSA_DES_192_CBC3_SHA, "TLS_RSA_WITH_3DES_EDE_CBC_SHA"},
- {TLS1_CK_RSA_WITH_AES_128_SHA, "TLS_RSA_WITH_AES_128_CBC_SHA"},
- {TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"},
- {TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
- "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"},
- {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"},
- {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
- "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"},
- {TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
- "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"},
- {TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA,
- "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA"},
- {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
- "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"},
- {TLS1_CK_AES_256_GCM_SHA384, "TLS_AES_256_GCM_SHA384"},
- {TLS1_CK_AES_128_GCM_SHA256, "TLS_AES_128_GCM_SHA256"},
- {TLS1_CK_CHACHA20_POLY1305_SHA256, "TLS_CHACHA20_POLY1305_SHA256"},
+ {
+ SSL3_CK_RSA_DES_192_CBC3_SHA,
+ "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
+ NID_des_ede3_cbc,
+ NID_sha1,
+ NID_kx_rsa,
+ NID_auth_rsa,
+ },
+ {
+ TLS1_CK_RSA_WITH_AES_128_SHA,
+ "TLS_RSA_WITH_AES_128_CBC_SHA",
+ NID_aes_128_cbc,
+ NID_sha1,
+ NID_kx_rsa,
+ NID_auth_rsa,
+ },
+ {
+ TLS1_CK_PSK_WITH_AES_256_CBC_SHA,
+ "TLS_PSK_WITH_AES_256_CBC_SHA",
+ NID_aes_256_cbc,
+ NID_sha1,
+ NID_kx_psk,
+ NID_auth_psk,
+ },
+ {
+ TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+ NID_aes_128_cbc,
+ NID_sha256,
+ NID_kx_ecdhe,
+ NID_auth_rsa,
+ },
+ {
+ TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
+ "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
+ NID_aes_256_cbc,
+ NID_sha384,
+ NID_kx_ecdhe,
+ NID_auth_rsa,
+ },
+ {
+ TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ NID_aes_128_gcm,
+ NID_undef,
+ NID_kx_ecdhe,
+ NID_auth_rsa,
+ },
+ {
+ TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+ NID_aes_128_gcm,
+ NID_undef,
+ NID_kx_ecdhe,
+ NID_auth_ecdsa,
+ },
+ {
+ TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+ NID_aes_256_gcm,
+ NID_undef,
+ NID_kx_ecdhe,
+ NID_auth_ecdsa,
+ },
+ {
+ TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA,
+ "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
+ NID_aes_128_cbc,
+ NID_sha1,
+ NID_kx_ecdhe,
+ NID_auth_psk,
+ },
+ {
+ TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+ "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+ NID_chacha20_poly1305,
+ NID_undef,
+ NID_kx_ecdhe,
+ NID_auth_rsa,
+ },
+ {
+ TLS1_CK_AES_256_GCM_SHA384,
+ "TLS_AES_256_GCM_SHA384",
+ NID_aes_256_gcm,
+ NID_undef,
+ NID_kx_any,
+ NID_auth_any,
+ },
+ {
+ TLS1_CK_AES_128_GCM_SHA256,
+ "TLS_AES_128_GCM_SHA256",
+ NID_aes_128_gcm,
+ NID_undef,
+ NID_kx_any,
+ NID_auth_any,
+ },
+ {
+ TLS1_CK_CHACHA20_POLY1305_SHA256,
+ "TLS_CHACHA20_POLY1305_SHA256",
+ NID_chacha20_poly1305,
+ NID_undef,
+ NID_kx_any,
+ NID_auth_any,
+ },
};
for (const auto &t : kTests) {
@@ -822,6 +911,11 @@
bssl::UniquePtr<char> rfc_name(SSL_CIPHER_get_rfc_name(cipher));
ASSERT_TRUE(rfc_name);
EXPECT_STREQ(t.standard_name, rfc_name.get());
+
+ EXPECT_EQ(t.cipher_nid, SSL_CIPHER_get_cipher_nid(cipher));
+ EXPECT_EQ(t.digest_nid, SSL_CIPHER_get_digest_nid(cipher));
+ EXPECT_EQ(t.kx_nid, SSL_CIPHER_get_kx_nid(cipher));
+ EXPECT_EQ(t.auth_nid, SSL_CIPHER_get_auth_nid(cipher));
}
}
