Align TLS 1.3 cipher suite names with OpenSSL.
There are two naming conventions for TLS cipher suites, the standard
IETF names (SSL_CIPHER_standard_name) and the ad-hoc OpenSSL names
(SSL_CIPHER_get_name). When we added TLS 1.3, we had to come up with
OpenSSL-style names for the cipher suites.
OpenSSL-style names use hyphens rather than underscores (and omit
underscores in odd places), so the natural name for
TLS_AES_128_GCM_SHA256 would have been "AES128-GCM-SHA256". However,
that name is already taken by TLS_RSA_WITH_AES_128_GCM_SHA256 because
OpenSSL's naming convention treats the legacy RSA key exchange as
default. Instead, we used an "AEAD-" prefix to indicate the ciphers only
specified the AEAD.
Since then, OpenSSL has implemented TLS 1.3. Instead, they simply made
the OpenSSL-style name match the standard name starting TLS 1.3,
underscores and all. (This is why openssl s_client will return very
different-looking cipher names in TLS 1.2 and TLS 1.3.)
Align with OpenSSL and do the same.
Update-Note: SSL_CIPHER_get_name will return different values for TLS
1.3 ciphers than before. Note that we did not allow TLS 1.3 ciphers to
be configured at all, so no cipher suite configurations will need to
change, but code logging or asserting on the result of a TLS connection
may observe differences.
It is also recommended that consumers replace uses of
SSL_CIPHER_get_name with SSL_CIPHER_standard_name which gives a much
more consistent naming convention. (BoringSSL supports both standard and
OpenSSL names in the cipher suite configuration, so there's no need to
use OpenSSL names at all.)
Change-Id: I40b1de0689dd7b32af88602acc063934f2877999
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/36764
Commit-Queue: David Benjamin <davidben@google.com>
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index c0247ca..690a388 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1296,7 +1296,8 @@
OPENSSL_EXPORT const char *SSL_CIPHER_standard_name(const SSL_CIPHER *cipher);
// SSL_CIPHER_get_name returns the OpenSSL name of |cipher|. For example,
-// "ECDHE-RSA-AES128-GCM-SHA256".
+// "ECDHE-RSA-AES128-GCM-SHA256". Callers are recommended to use
+// |SSL_CIPHER_standard_name| instead.
OPENSSL_EXPORT const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher);
// SSL_CIPHER_get_kx_name returns a string that describes the key-exchange
@@ -1399,7 +1400,7 @@
// based on client preferences. An equal-preference is specified with square
// brackets, combining multiple selectors separated by |. For example:
//
-// [ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256]
+// [TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]
//
// Once an equal-preference group is used, future directives must be
// opcode-less. Inside an equal-preference group, spaces are not allowed.
diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
index f7766f2..e3209b6 100644
--- a/include/openssl/tls1.h
+++ b/include/openssl/tls1.h
@@ -611,9 +611,9 @@
"ECDHE-PSK-CHACHA20-POLY1305"
// TLS 1.3 ciphersuites from RFC 8446.
-#define TLS1_TXT_AES_128_GCM_SHA256 "AEAD-AES128-GCM-SHA256"
-#define TLS1_TXT_AES_256_GCM_SHA384 "AEAD-AES256-GCM-SHA384"
-#define TLS1_TXT_CHACHA20_POLY1305_SHA256 "AEAD-CHACHA20-POLY1305-SHA256"
+#define TLS1_TXT_AES_128_GCM_SHA256 "TLS_AES_128_GCM_SHA256"
+#define TLS1_TXT_AES_256_GCM_SHA384 "TLS_AES_256_GCM_SHA384"
+#define TLS1_TXT_CHACHA20_POLY1305_SHA256 "TLS_CHACHA20_POLY1305_SHA256"
#define TLS_CT_RSA_SIGN 1
