Support standard RFC cipher suite names alongside OpenSSL ones.
Both Conscrypt and Netty have a lot of logic to map between the two
kinds of names. WebRTC needed an SSL_CIPHER_get_rfc_name for something.
Just have both in the library. Also deprecate SSL_CIPHER_get_rfc_name
in favor of SSL_CIPHER_standard_name, which matches upstream if built
with enable-ssl-trace. And, unlike SSL_CIPHER_get_rfc_name, this does
not require dealing with the malloc.
(Strangely this decreases bssl's binary size, even though we're carrying
more strings around. It seems the old SSL_CIPHER_get_rfc_name was
somewhat large in comparison. Regardless, a consumer that disliked 30
short strings probably also disliked the OpenSSL names. That would be
better solved by opaquifying SSL_CIPHER and adding a less stringy API
for configuring cipher lists. That's something we can explore later if
needed.)
I also made the command-line tool print out the standard names since
they're more standard. May as well push folks towards those going
forward.
Change-Id: Ieeb3d63e67ef4da87458e68d130166a4c1090596
Reviewed-on: https://boringssl-review.googlesource.com/17324
Reviewed-by: Robert Sloan <varomodt@google.com>
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 52056ef..295f381 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1246,7 +1246,12 @@
* supports |cipher|. */
OPENSSL_EXPORT uint16_t SSL_CIPHER_get_max_version(const SSL_CIPHER *cipher);
-/* SSL_CIPHER_get_name returns the OpenSSL name of |cipher|. */
+/* SSL_CIPHER_standard_name returns the standard IETF name for |cipher|. For
+ * example, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256". */
+OPENSSL_EXPORT const char *SSL_CIPHER_standard_name(const SSL_CIPHER *cipher);
+
+/* SSL_CIPHER_get_name returns the OpenSSL name of |cipher|. For example,
+ * "ECDHE-RSA-AES128-GCM-SHA256". */
OPENSSL_EXPORT const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher);
/* SSL_CIPHER_get_kx_name returns a string that describes the key-exchange
@@ -1254,12 +1259,6 @@
* ciphers return the string "GENERIC". */
OPENSSL_EXPORT const char *SSL_CIPHER_get_kx_name(const SSL_CIPHER *cipher);
-/* SSL_CIPHER_get_rfc_name returns a newly-allocated string with the standard
- * name for |cipher| or NULL on error. For example,
- * "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256". The caller is responsible for
- * calling |OPENSSL_free| on the result. */
-OPENSSL_EXPORT char *SSL_CIPHER_get_rfc_name(const SSL_CIPHER *cipher);
-
/* SSL_CIPHER_get_bits returns the strength, in bits, of |cipher|. If
* |out_alg_bits| is not NULL, it writes the number of bits consumed by the
* symmetric algorithm to |*out_alg_bits|. */
@@ -1295,10 +1294,10 @@
* |!| deletes all matching ciphers, enabled or not, from either list. Deleted
* ciphers will not matched by future operations.
*
- * A selector may be a specific cipher (using the OpenSSL name for the cipher)
- * or one or more rules separated by |+|. The final selector matches the
- * intersection of each rule. For instance, |AESGCM+aECDSA| matches
- * ECDSA-authenticated AES-GCM ciphers.
+ * A selector may be a specific cipher (using either the standard or OpenSSL
+ * name for the cipher) or one or more rules separated by |+|. The final
+ * selector matches the intersection of each rule. For instance, |AESGCM+aECDSA|
+ * matches ECDSA-authenticated AES-GCM ciphers.
*
* Available cipher rules are:
*
@@ -3386,13 +3385,20 @@
* The description includes a trailing newline and has the form:
* AES128-SHA Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
*
- * Consider |SSL_CIPHER_get_name| or |SSL_CIPHER_get_rfc_name| instead. */
+ * Consider |SSL_CIPHER_standard_name| or |SSL_CIPHER_get_name| instead. */
OPENSSL_EXPORT const char *SSL_CIPHER_description(const SSL_CIPHER *cipher,
char *buf, int len);
/* SSL_CIPHER_get_version returns the string "TLSv1/SSLv3". */
OPENSSL_EXPORT const char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher);
+/* SSL_CIPHER_get_rfc_name returns a newly-allocated string containing the
+ * result of |SSL_CIPHER_standard_name| or NULL on error. The caller is
+ * responsible for calling |OPENSSL_free| on the result.
+ *
+ * Use |SSL_CIPHER_standard_name| instead. */
+OPENSSL_EXPORT char *SSL_CIPHER_get_rfc_name(const SSL_CIPHER *cipher);
+
typedef void COMP_METHOD;
/* SSL_COMP_get_compression_methods returns NULL. */
@@ -3890,6 +3896,8 @@
struct ssl_cipher_st {
/* name is the OpenSSL name for the cipher. */
const char *name;
+ /* standard_name is the IETF name for the cipher. */
+ const char *standard_name;
/* id is the cipher suite value bitwise OR-d with 0x03000000. */
uint32_t id;
diff --git a/ssl/ssl_cipher.c b/ssl/ssl_cipher.c
index 01bb872..562c1f3 100644
--- a/ssl/ssl_cipher.c
+++ b/ssl/ssl_cipher.c
@@ -160,6 +160,7 @@
/* Cipher 02 */
{
SSL3_TXT_RSA_NULL_SHA,
+ "TLS_RSA_WITH_NULL_SHA",
SSL3_CK_RSA_NULL_SHA,
SSL_kRSA,
SSL_aRSA,
@@ -171,6 +172,7 @@
/* Cipher 0A */
{
SSL3_TXT_RSA_DES_192_CBC3_SHA,
+ "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
SSL3_CK_RSA_DES_192_CBC3_SHA,
SSL_kRSA,
SSL_aRSA,
@@ -185,6 +187,7 @@
/* Cipher 2F */
{
TLS1_TXT_RSA_WITH_AES_128_SHA,
+ "TLS_RSA_WITH_AES_128_CBC_SHA",
TLS1_CK_RSA_WITH_AES_128_SHA,
SSL_kRSA,
SSL_aRSA,
@@ -196,6 +199,7 @@
/* Cipher 35 */
{
TLS1_TXT_RSA_WITH_AES_256_SHA,
+ "TLS_RSA_WITH_AES_256_CBC_SHA",
TLS1_CK_RSA_WITH_AES_256_SHA,
SSL_kRSA,
SSL_aRSA,
@@ -210,6 +214,7 @@
/* Cipher 3C */
{
TLS1_TXT_RSA_WITH_AES_128_SHA256,
+ "TLS_RSA_WITH_AES_128_CBC_SHA256",
TLS1_CK_RSA_WITH_AES_128_SHA256,
SSL_kRSA,
SSL_aRSA,
@@ -221,6 +226,7 @@
/* Cipher 3D */
{
TLS1_TXT_RSA_WITH_AES_256_SHA256,
+ "TLS_RSA_WITH_AES_256_CBC_SHA256",
TLS1_CK_RSA_WITH_AES_256_SHA256,
SSL_kRSA,
SSL_aRSA,
@@ -234,6 +240,7 @@
/* Cipher 8C */
{
TLS1_TXT_PSK_WITH_AES_128_CBC_SHA,
+ "TLS_PSK_WITH_AES_128_CBC_SHA",
TLS1_CK_PSK_WITH_AES_128_CBC_SHA,
SSL_kPSK,
SSL_aPSK,
@@ -245,6 +252,7 @@
/* Cipher 8D */
{
TLS1_TXT_PSK_WITH_AES_256_CBC_SHA,
+ "TLS_PSK_WITH_AES_256_CBC_SHA",
TLS1_CK_PSK_WITH_AES_256_CBC_SHA,
SSL_kPSK,
SSL_aPSK,
@@ -258,6 +266,7 @@
/* Cipher 9C */
{
TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256,
+ "TLS_RSA_WITH_AES_128_GCM_SHA256",
TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
SSL_kRSA,
SSL_aRSA,
@@ -269,6 +278,7 @@
/* Cipher 9D */
{
TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384,
+ "TLS_RSA_WITH_AES_256_GCM_SHA384",
TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
SSL_kRSA,
SSL_aRSA,
@@ -282,6 +292,7 @@
/* Cipher 1301 */
{
TLS1_TXT_AES_128_GCM_SHA256,
+ "TLS_AES_128_GCM_SHA256",
TLS1_CK_AES_128_GCM_SHA256,
SSL_kGENERIC,
SSL_aGENERIC,
@@ -293,6 +304,7 @@
/* Cipher 1302 */
{
TLS1_TXT_AES_256_GCM_SHA384,
+ "TLS_AES_256_GCM_SHA384",
TLS1_CK_AES_256_GCM_SHA384,
SSL_kGENERIC,
SSL_aGENERIC,
@@ -304,6 +316,7 @@
/* Cipher 1303 */
{
TLS1_TXT_CHACHA20_POLY1305_SHA256,
+ "TLS_CHACHA20_POLY1305_SHA256",
TLS1_CK_CHACHA20_POLY1305_SHA256,
SSL_kGENERIC,
SSL_aGENERIC,
@@ -315,6 +328,7 @@
/* Cipher C009 */
{
TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+ "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
SSL_kECDHE,
SSL_aECDSA,
@@ -326,6 +340,7 @@
/* Cipher C00A */
{
TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+ "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
SSL_kECDHE,
SSL_aECDSA,
@@ -337,6 +352,7 @@
/* Cipher C013 */
{
TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
SSL_kECDHE,
SSL_aRSA,
@@ -348,6 +364,7 @@
/* Cipher C014 */
{
TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+ "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
SSL_kECDHE,
SSL_aRSA,
@@ -362,6 +379,7 @@
/* Cipher C023 */
{
TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256,
+ "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256,
SSL_kECDHE,
SSL_aECDSA,
@@ -373,6 +391,7 @@
/* Cipher C024 */
{
TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384,
+ "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384,
SSL_kECDHE,
SSL_aECDSA,
@@ -384,6 +403,7 @@
/* Cipher C027 */
{
TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256,
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
SSL_kECDHE,
SSL_aRSA,
@@ -395,6 +415,7 @@
/* Cipher C028 */
{
TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384,
+ "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
SSL_kECDHE,
SSL_aRSA,
@@ -409,6 +430,7 @@
/* Cipher C02B */
{
TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
SSL_kECDHE,
SSL_aECDSA,
@@ -420,6 +442,7 @@
/* Cipher C02C */
{
TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
SSL_kECDHE,
SSL_aECDSA,
@@ -431,6 +454,7 @@
/* Cipher C02F */
{
TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
SSL_kECDHE,
SSL_aRSA,
@@ -442,6 +466,7 @@
/* Cipher C030 */
{
TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
SSL_kECDHE,
SSL_aRSA,
@@ -455,6 +480,7 @@
/* Cipher C035 */
{
TLS1_TXT_ECDHE_PSK_WITH_AES_128_CBC_SHA,
+ "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA,
SSL_kECDHE,
SSL_aPSK,
@@ -466,6 +492,7 @@
/* Cipher C036 */
{
TLS1_TXT_ECDHE_PSK_WITH_AES_256_CBC_SHA,
+ "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA,
SSL_kECDHE,
SSL_aPSK,
@@ -479,6 +506,7 @@
/* Cipher CCA8 */
{
TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+ "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
SSL_kECDHE,
SSL_aRSA,
@@ -490,6 +518,7 @@
/* Cipher CCA9 */
{
TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+ "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
SSL_kECDHE,
SSL_aECDSA,
@@ -501,6 +530,7 @@
/* Cipher CCAB */
{
TLS1_TXT_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
+ "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256",
TLS1_CK_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
SSL_kECDHE,
SSL_aPSK,
@@ -1089,8 +1119,8 @@
ch = *l;
buf = l;
buf_len = 0;
- while (((ch >= 'A') && (ch <= 'Z')) || ((ch >= '0') && (ch <= '9')) ||
- ((ch >= 'a') && (ch <= 'z')) || (ch == '-') || (ch == '.')) {
+ while ((ch >= 'A' && ch <= 'Z') || (ch >= '0' && ch <= '9') ||
+ (ch >= 'a' && ch <= 'z') || ch == '-' || ch == '.' || ch == '_') {
ch = *(++l);
buf_len++;
}
@@ -1111,7 +1141,8 @@
if (!multi && ch != '+') {
for (j = 0; j < kCiphersLen; j++) {
const SSL_CIPHER *cipher = &kCiphers[j];
- if (rule_equals(cipher->name, buf, buf_len)) {
+ if (rule_equals(cipher->name, buf, buf_len) ||
+ rule_equals(cipher->standard_name, buf, buf_len)) {
cipher_id = cipher->id;
break;
}
@@ -1447,6 +1478,10 @@
return "(NONE)";
}
+const char *SSL_CIPHER_standard_name(const SSL_CIPHER *cipher) {
+ return cipher->standard_name;
+}
+
const char *SSL_CIPHER_get_kx_name(const SSL_CIPHER *cipher) {
if (cipher == NULL) {
return "";
@@ -1483,79 +1518,12 @@
}
}
-static const char *ssl_cipher_get_enc_name(const SSL_CIPHER *cipher) {
- switch (cipher->algorithm_enc) {
- case SSL_3DES:
- return "3DES_EDE_CBC";
- case SSL_AES128:
- return "AES_128_CBC";
- case SSL_AES256:
- return "AES_256_CBC";
- case SSL_AES128GCM:
- return "AES_128_GCM";
- case SSL_AES256GCM:
- return "AES_256_GCM";
- case SSL_CHACHA20POLY1305:
- return "CHACHA20_POLY1305";
- break;
- default:
- assert(0);
- return "UNKNOWN";
- }
-}
-
-static const char *ssl_cipher_get_prf_name(const SSL_CIPHER *cipher) {
- switch (cipher->algorithm_prf) {
- case SSL_HANDSHAKE_MAC_DEFAULT:
- /* Before TLS 1.2, the PRF component is the hash used in the HMAC, which
- * is SHA-1 for all supported ciphers. */
- assert(cipher->algorithm_mac == SSL_SHA1);
- return "SHA";
- case SSL_HANDSHAKE_MAC_SHA256:
- return "SHA256";
- case SSL_HANDSHAKE_MAC_SHA384:
- return "SHA384";
- }
- assert(0);
- return "UNKNOWN";
-}
-
char *SSL_CIPHER_get_rfc_name(const SSL_CIPHER *cipher) {
if (cipher == NULL) {
return NULL;
}
- const char *kx_name = SSL_CIPHER_get_kx_name(cipher);
- const char *enc_name = ssl_cipher_get_enc_name(cipher);
- const char *prf_name = ssl_cipher_get_prf_name(cipher);
-
- /* The final name is TLS_{kx_name}_WITH_{enc_name}_{prf_name} or
- * TLS_{enc_name}_{prf_name} depending on whether the cipher is AEAD-only. */
- size_t len = 4 + strlen(enc_name) + 1 + strlen(prf_name) + 1;
-
- if (cipher->algorithm_mkey != SSL_kGENERIC) {
- len += strlen(kx_name) + 6;
- }
-
- char *ret = OPENSSL_malloc(len);
- if (ret == NULL) {
- return NULL;
- }
-
- if (BUF_strlcpy(ret, "TLS_", len) >= len ||
- (cipher->algorithm_mkey != SSL_kGENERIC &&
- (BUF_strlcat(ret, kx_name, len) >= len ||
- BUF_strlcat(ret, "_WITH_", len) >= len)) ||
- BUF_strlcat(ret, enc_name, len) >= len ||
- BUF_strlcat(ret, "_", len) >= len ||
- BUF_strlcat(ret, prf_name, len) >= len) {
- assert(0);
- OPENSSL_free(ret);
- return NULL;
- }
-
- assert(strlen(ret) + 1 == len);
- return ret;
+ return OPENSSL_strdup(SSL_CIPHER_standard_name(cipher));
}
int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, int *out_alg_bits) {
diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc
index 72b624a..31899a5 100644
--- a/ssl/ssl_test.cc
+++ b/ssl/ssl_test.cc
@@ -177,6 +177,20 @@
},
false,
},
+ // Standard names may be used instead of OpenSSL names.
+ {
+ "[TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|"
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]:"
+ "[TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256]:"
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ {
+ {TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 1},
+ {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0},
+ {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
+ {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
+ },
+ false,
+ },
// @STRENGTH performs a stable strength-sort of the selected ciphers and
// only the selected ciphers.
{
@@ -730,43 +744,42 @@
ExpectDefaultVersion(TLS1_2_VERSION, TLS1_2_VERSION, &DTLSv1_2_method);
}
-typedef struct {
- int id;
- const char *rfc_name;
-} CIPHER_RFC_NAME_TEST;
+TEST(SSLTest, CipherGetStandardName) {
+ static const struct {
+ int id;
+ const char *standard_name;
+ } kTests[] = {
+ {SSL3_CK_RSA_DES_192_CBC3_SHA, "TLS_RSA_WITH_3DES_EDE_CBC_SHA"},
+ {TLS1_CK_RSA_WITH_AES_128_SHA, "TLS_RSA_WITH_AES_128_CBC_SHA"},
+ {TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"},
+ {TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
+ "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"},
+ {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"},
+ {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"},
+ {TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"},
+ {TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA,
+ "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA"},
+ {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+ "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"},
+ {TLS1_CK_AES_256_GCM_SHA384, "TLS_AES_256_GCM_SHA384"},
+ {TLS1_CK_AES_128_GCM_SHA256, "TLS_AES_128_GCM_SHA256"},
+ {TLS1_CK_CHACHA20_POLY1305_SHA256, "TLS_CHACHA20_POLY1305_SHA256"},
+ };
-static const CIPHER_RFC_NAME_TEST kCipherRFCNameTests[] = {
- {SSL3_CK_RSA_DES_192_CBC3_SHA, "TLS_RSA_WITH_3DES_EDE_CBC_SHA"},
- {TLS1_CK_RSA_WITH_AES_128_SHA, "TLS_RSA_WITH_AES_128_CBC_SHA"},
- {TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"},
- {TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
- "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"},
- {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"},
- {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
- "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"},
- {TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
- "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"},
- {TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA,
- "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA"},
- {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
- "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"},
- {TLS1_CK_AES_256_GCM_SHA384, "TLS_AES_256_GCM_SHA384"},
- {TLS1_CK_AES_128_GCM_SHA256, "TLS_AES_128_GCM_SHA256"},
- {TLS1_CK_CHACHA20_POLY1305_SHA256, "TLS_CHACHA20_POLY1305_SHA256"},
-};
-
-TEST(SSLTest, CipherGetRFCName) {
- for (const CIPHER_RFC_NAME_TEST &t : kCipherRFCNameTests) {
- SCOPED_TRACE(t.rfc_name);
+ for (const auto &t : kTests) {
+ SCOPED_TRACE(t.standard_name);
const SSL_CIPHER *cipher = SSL_get_cipher_by_value(t.id & 0xffff);
ASSERT_TRUE(cipher);
+ EXPECT_STREQ(t.standard_name, SSL_CIPHER_standard_name(cipher));
+
bssl::UniquePtr<char> rfc_name(SSL_CIPHER_get_rfc_name(cipher));
ASSERT_TRUE(rfc_name);
-
- EXPECT_STREQ(t.rfc_name, rfc_name.get());
+ EXPECT_STREQ(t.standard_name, rfc_name.get());
}
}
diff --git a/tool/ciphers.cc b/tool/ciphers.cc
index 6370b78..3a7e23d 100644
--- a/tool/ciphers.cc
+++ b/tool/ciphers.cc
@@ -52,7 +52,7 @@
printf(" ");
}
- printf("%s\n", SSL_CIPHER_get_name(cipher));
+ printf("%s\n", SSL_CIPHER_standard_name(cipher));
if (!in_group && last_in_group) {
printf("]\n");
diff --git a/tool/transport_common.cc b/tool/transport_common.cc
index b7ad5ff..cf1d5f8 100644
--- a/tool/transport_common.cc
+++ b/tool/transport_common.cc
@@ -251,7 +251,7 @@
fprintf(stderr, " Version: %s\n", SSL_get_version(ssl));
fprintf(stderr, " Resumed session: %s\n",
SSL_session_reused(ssl) ? "yes" : "no");
- fprintf(stderr, " Cipher: %s\n", SSL_CIPHER_get_name(cipher));
+ fprintf(stderr, " Cipher: %s\n", SSL_CIPHER_standard_name(cipher));
uint16_t curve = SSL_get_curve_id(ssl);
if (curve != 0) {
fprintf(stderr, " ECDHE curve: %s\n", SSL_get_curve_name(curve));
