Add OpenSSL 1.1.0's cipher property functions.

Other projects are starting to use them. Having two APIs for the same thing is silly, so deprecate all our old ones. Change-Id: Iaf6b6995bc9e4b624140d5c645000fbf2cb08162 Reviewed-on: https://boringssl-review.googlesource.com/19064 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-08-10 16:06:27 -04:00 · 2017-08-10 16:06:27 -04:00 · 348f0d8db9
commit 348f0d8db9
parent bd70845a80
7 changed files with 357 additions and 66 deletions
--- a/crypto/obj/obj_dat.h
+++ b/crypto/obj/obj_dat.h
@ -57,7 +57,7 @@
 /* This file is generated by crypto/obj/objects.go. */


-#define NUM_NID 950
+#define NUM_NID 959

 static const uint8_t kObjectData[] = {
    /* NID_rsadsi */
@ -3444,6 +3444,16 @@ static const ASN1_OBJECT kObjects[NUM_NID] = {
    {"dh-cofactor-kdf", "dh-cofactor-kdf", NID_dh_cofactor_kdf, 0, NULL, 0},
    {"X25519", "X25519", NID_X25519, 0, NULL, 0},
    {"ED25519", "ED25519", NID_ED25519, 3, &kObjectData[6175], 0},
+    {"ChaCha20-Poly1305", "chacha20-poly1305", NID_chacha20_poly1305, 0, NULL,
+     0},
+    {"KxRSA", "kx-rsa", NID_kx_rsa, 0, NULL, 0},
+    {"KxECDHE", "kx-ecdhe", NID_kx_ecdhe, 0, NULL, 0},
+    {"KxPSK", "kx-psk", NID_kx_psk, 0, NULL, 0},
+    {"AuthRSA", "auth-rsa", NID_auth_rsa, 0, NULL, 0},
+    {"AuthECDSA", "auth-ecdsa", NID_auth_ecdsa, 0, NULL, 0},
+    {"AuthPSK", "auth-psk", NID_auth_psk, 0, NULL, 0},
+    {"KxANY", "kx-any", NID_kx_any, 0, NULL, 0},
+    {"AuthANY", "auth-any", NID_auth_any, 0, NULL, 0},
 };

 static const unsigned kNIDsInShortNameOrder[] = {
@ -3474,6 +3484,10 @@ static const unsigned kNIDsInShortNameOrder[] = {
    426 /* AES-256-ECB */,
    428 /* AES-256-OFB */,
    914 /* AES-256-XTS */,
+    958 /* AuthANY */,
+    955 /* AuthECDSA */,
+    956 /* AuthPSK */,
+    954 /* AuthRSA */,
    91 /* BF-CBC */,
    93 /* BF-CFB */,
    92 /* BF-ECB */,
@ -3505,6 +3519,7 @@ static const unsigned kNIDsInShortNameOrder[] = {
    13 /* CN */,
    141 /* CRLReason */,
    417 /* CSPName */,
+    950 /* ChaCha20-Poly1305 */,
    367 /* CrlID */,
    391 /* DC */,
    31 /* DES-CBC */,
@ -3547,6 +3562,10 @@ static const unsigned kNIDsInShortNameOrder[] = {
    645 /* ITU-T */,
    646 /* JOINT-ISO-ITU-T */,
    773 /* KISA */,
+    957 /* KxANY */,
+    952 /* KxECDHE */,
+    953 /* KxPSK */,
+    951 /* KxRSA */,
    15 /* L */,
    856 /* LocalKeySet */,
    3 /* MD2 */,
@ -4570,6 +4589,10 @@ static const unsigned kNIDsInLongNameOrder[] = {
    484 /* associatedDomain */,
    485 /* associatedName */,
    501 /* audio */,
+    958 /* auth-any */,
+    955 /* auth-ecdsa */,
+    956 /* auth-psk */,
+    954 /* auth-rsa */,
    882 /* authorityRevocationList */,
    91 /* bf-cbc */,
    93 /* bf-cfb */,
@ -4640,6 +4663,7 @@ static const unsigned kNIDsInLongNameOrder[] = {
    677 /* certicom-arc */,
    517 /* certificate extensions */,
    883 /* certificateRevocationList */,
+    950 /* chacha20-poly1305 */,
    54 /* challengePassword */,
    407 /* characteristic-two-field */,
    395 /* clearance */,
@ -4982,6 +5006,10 @@ static const unsigned kNIDsInLongNameOrder[] = {
    646 /* joint-iso-itu-t */,
    150 /* keyBag */,
    773 /* kisa */,
+    957 /* kx-any */,
+    952 /* kx-ecdhe */,
+    953 /* kx-psk */,
+    951 /* kx-rsa */,
    477 /* lastModifiedBy */,
    476 /* lastModifiedTime */,
    157 /* localKeyID */,
--- a/crypto/obj/obj_mac.num
+++ b/crypto/obj/obj_mac.num
@ -938,3 +938,12 @@ dh_std_kdf		946
 dh_cofactor_kdf		947
 X25519		948
 ED25519		949
+chacha20_poly1305		950
+kx_rsa		951
+kx_ecdhe		952
+kx_psk		953
+auth_rsa		954
+auth_ecdsa		955
+auth_psk		956
+kx_any		957
+auth_any		958
--- a/crypto/obj/objects.txt
+++ b/crypto/obj/objects.txt
@ -1336,3 +1336,19 @@ secg-scheme 14 3 : dhSinglePass-cofactorDH-sha512kdf-scheme

 # See draft-ietf-curdle-pkix-04.
 1 3 101 112 : ED25519
+
+ : ChaCha20-Poly1305 : chacha20-poly1305
+
+# NIDs for TLS 1.2 cipher suite key exchanges.
+ : KxRSA : kx-rsa
+ : KxECDHE : kx-ecdhe
+ : KxPSK : kx-psk
+
+# NIDs for TLS 1.2 cipher suite authentication types.
+ : AuthRSA : auth-rsa
+ : AuthECDSA : auth-ecdsa
+ : AuthPSK : auth-psk
+
+# TLS 1.3 cipher suites do not specify key exchange or authentication.
+ : KxANY : kx-any
+ : AuthANY : auth-any
--- a/include/openssl/nid.h
+++ b/include/openssl/nid.h
@ -4198,6 +4198,42 @@ extern "C" {
 #define NID_ED25519 949
 #define OBJ_ED25519 1L, 3L, 101L, 112L

+#define SN_chacha20_poly1305 "ChaCha20-Poly1305"
+#define LN_chacha20_poly1305 "chacha20-poly1305"
+#define NID_chacha20_poly1305 950
+
+#define SN_kx_rsa "KxRSA"
+#define LN_kx_rsa "kx-rsa"
+#define NID_kx_rsa 951
+
+#define SN_kx_ecdhe "KxECDHE"
+#define LN_kx_ecdhe "kx-ecdhe"
+#define NID_kx_ecdhe 952
+
+#define SN_kx_psk "KxPSK"
+#define LN_kx_psk "kx-psk"
+#define NID_kx_psk 953
+
+#define SN_auth_rsa "AuthRSA"
+#define LN_auth_rsa "auth-rsa"
+#define NID_auth_rsa 954
+
+#define SN_auth_ecdsa "AuthECDSA"
+#define LN_auth_ecdsa "auth-ecdsa"
+#define NID_auth_ecdsa 955
+
+#define SN_auth_psk "AuthPSK"
+#define LN_auth_psk "auth-psk"
+#define NID_auth_psk 956
+
+#define SN_kx_any "KxANY"
+#define LN_kx_any "kx-any"
+#define NID_kx_any 957
+
+#define SN_auth_any "AuthANY"
+#define LN_auth_any "auth-any"
+#define NID_auth_any 958
+

 #if defined(__cplusplus)
 } /* extern C */
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@ -1200,56 +1200,36 @@ OPENSSL_EXPORT const SSL_CIPHER *SSL_get_cipher_by_value(uint16_t value);
 * get the cipher suite value. */
 OPENSSL_EXPORT uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *cipher);

-/* SSL_CIPHER_is_AES returns one if |cipher| uses AES (either GCM or CBC
- * mode). */
-OPENSSL_EXPORT int SSL_CIPHER_is_AES(const SSL_CIPHER *cipher);
-
-/* SSL_CIPHER_has_SHA1_HMAC returns one if |cipher| uses HMAC-SHA1. */
-OPENSSL_EXPORT int SSL_CIPHER_has_SHA1_HMAC(const SSL_CIPHER *cipher);
-
-/* SSL_CIPHER_has_SHA256_HMAC returns one if |cipher| uses HMAC-SHA256. */
-OPENSSL_EXPORT int SSL_CIPHER_has_SHA256_HMAC(const SSL_CIPHER *cipher);
-
-/* SSL_CIPHER_has_SHA384_HMAC returns one if |cipher| uses HMAC-SHA384. */
-OPENSSL_EXPORT int SSL_CIPHER_has_SHA384_HMAC(const SSL_CIPHER *cipher);
-
-/* SSL_CIPHER_is_AEAD returns one if |cipher| uses an AEAD cipher. */
-OPENSSL_EXPORT int SSL_CIPHER_is_AEAD(const SSL_CIPHER *cipher);
-
-/* SSL_CIPHER_is_AESGCM returns one if |cipher| uses AES-GCM. */
-OPENSSL_EXPORT int SSL_CIPHER_is_AESGCM(const SSL_CIPHER *cipher);
-
-/* SSL_CIPHER_is_AES128GCM returns one if |cipher| uses 128-bit AES-GCM. */
-OPENSSL_EXPORT int SSL_CIPHER_is_AES128GCM(const SSL_CIPHER *cipher);
-
-/* SSL_CIPHER_is_AES128CBC returns one if |cipher| uses 128-bit AES in CBC
- * mode. */
-OPENSSL_EXPORT int SSL_CIPHER_is_AES128CBC(const SSL_CIPHER *cipher);
-
-/* SSL_CIPHER_is_AES256CBC returns one if |cipher| uses 256-bit AES in CBC
- * mode. */
-OPENSSL_EXPORT int SSL_CIPHER_is_AES256CBC(const SSL_CIPHER *cipher);
-
-/* SSL_CIPHER_is_CHACHA20POLY1305 returns one if |cipher| uses
- * CHACHA20_POLY1305. Note this includes both the RFC 7905 and
- * draft-agl-tls-chacha20poly1305-04 versions. */
-OPENSSL_EXPORT int SSL_CIPHER_is_CHACHA20POLY1305(const SSL_CIPHER *cipher);
-
-/* SSL_CIPHER_is_NULL returns one if |cipher| does not encrypt. */
-OPENSSL_EXPORT int SSL_CIPHER_is_NULL(const SSL_CIPHER *cipher);
+/* SSL_CIPHER_is_aead returns one if |cipher| uses an AEAD cipher. */
+OPENSSL_EXPORT int SSL_CIPHER_is_aead(const SSL_CIPHER *cipher);

 /* SSL_CIPHER_is_block_cipher returns one if |cipher| is a block cipher. */
 OPENSSL_EXPORT int SSL_CIPHER_is_block_cipher(const SSL_CIPHER *cipher);

-/* SSL_CIPHER_is_ECDSA returns one if |cipher| uses ECDSA. */
-OPENSSL_EXPORT int SSL_CIPHER_is_ECDSA(const SSL_CIPHER *cipher);
+/* SSL_CIPHER_get_cipher_nid returns the NID for |cipher|'s bulk
+ * cipher. Possible values are |NID_aes_128_gcm|, |NID_aes_256_gcm|,
+ * |NID_chacha20_poly1305|, |NID_aes_128_cbc|, |NID_aes_256_cbc|, and
+ * |NID_des_ede3_cbc|. */
+OPENSSL_EXPORT int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *cipher);

-/* SSL_CIPHER_is_ECDHE returns one if |cipher| uses ECDHE. */
-OPENSSL_EXPORT int SSL_CIPHER_is_ECDHE(const SSL_CIPHER *cipher);
+/* SSL_CIPHER_get_digest_nid returns the NID for |cipher|'s HMAC if it is a
+ * legacy cipher suite. For modern AEAD-based ciphers (see
+ * |SSL_CIPHER_is_aead|), it returns |NID_undef|.
+ *
+ * Note this function only returns the legacy HMAC digest, not the PRF hash. */
+OPENSSL_EXPORT int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *cipher);

-/* SSL_CIPHER_is_static_RSA returns one if |cipher| uses the static RSA key
- * exchange. */
-OPENSSL_EXPORT int SSL_CIPHER_is_static_RSA(const SSL_CIPHER *cipher);
+/* SSL_CIPHER_get_kx_nid returns the NID for |cipher|'s key exchange. This may
+ * be |NID_kx_rsa|, |NID_kx_ecdhe|, or |NID_kx_psk| for TLS 1.2. In TLS 1.3,
+ * cipher suites do not specify the key exchange, so this function returns
+ * |NID_kx_any|. */
+OPENSSL_EXPORT int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *cipher);
+
+/* SSL_CIPHER_get_auth_nid returns the NID for |cipher|'s authentication
+ * type. This may be |NID_auth_rsa|, |NID_auth_ecdsa|, or |NID_auth_psk| for TLS
+ * 1.2. In TLS 1.3, cipher suites do not specify authentication, so this
+ * function returns |NID_auth_any|. */
+OPENSSL_EXPORT int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *cipher);

 /* SSL_CIPHER_get_min_version returns the minimum protocol version required
 * for |cipher|. */
@ -3983,6 +3963,64 @@ OPENSSL_EXPORT SSL_SESSION *SSL_get_session(const SSL *ssl);
 * the session. */
 OPENSSL_EXPORT SSL_SESSION *SSL_get1_session(SSL *ssl);

+/* TODO(davidben): Convert all the callers of these old |SSL_CIPHER| functions
+ * and remove them. */
+
+/* SSL_CIPHER_is_AEAD calls |SSL_CIPHER_is_aead|. */
+OPENSSL_EXPORT int SSL_CIPHER_is_AEAD(const SSL_CIPHER *cipher);
+
+/* SSL_CIPHER_is_AES returns one if |cipher| uses AES (either GCM or CBC
+ * mode). Use |SSL_CIPHER_get_cipher_nid| instead. */
+OPENSSL_EXPORT int SSL_CIPHER_is_AES(const SSL_CIPHER *cipher);
+
+/* SSL_CIPHER_has_SHA1_HMAC returns one if |cipher| uses HMAC-SHA1. Use
+ * |SSL_CIPHER_get_digest_nid| instead. */
+OPENSSL_EXPORT int SSL_CIPHER_has_SHA1_HMAC(const SSL_CIPHER *cipher);
+
+/* SSL_CIPHER_has_SHA256_HMAC returns one if |cipher| uses HMAC-SHA256. Use
+ * |SSL_CIPHER_get_digest_nid| instead. */
+OPENSSL_EXPORT int SSL_CIPHER_has_SHA256_HMAC(const SSL_CIPHER *cipher);
+
+/* SSL_CIPHER_has_SHA384_HMAC returns one if |cipher| uses HMAC-SHA384. Use
+ * |SSL_CIPHER_get_digest_nid| instead. */
+OPENSSL_EXPORT int SSL_CIPHER_has_SHA384_HMAC(const SSL_CIPHER *cipher);
+
+/* SSL_CIPHER_is_AESGCM returns one if |cipher| uses AES-GCM. Use
+ * |SSL_CIPHER_get_cipher_nid| instead. */
+OPENSSL_EXPORT int SSL_CIPHER_is_AESGCM(const SSL_CIPHER *cipher);
+
+/* SSL_CIPHER_is_AES128GCM returns one if |cipher| uses 128-bit AES-GCM. Use
+ * |SSL_CIPHER_get_cipher_nid| instead. */
+OPENSSL_EXPORT int SSL_CIPHER_is_AES128GCM(const SSL_CIPHER *cipher);
+
+/* SSL_CIPHER_is_AES128CBC returns one if |cipher| uses 128-bit AES in CBC
+ * mode. Use |SSL_CIPHER_get_cipher_nid| instead. */
+OPENSSL_EXPORT int SSL_CIPHER_is_AES128CBC(const SSL_CIPHER *cipher);
+
+/* SSL_CIPHER_is_AES256CBC returns one if |cipher| uses 256-bit AES in CBC
+ * mode. Use |SSL_CIPHER_get_cipher_nid| instead. */
+OPENSSL_EXPORT int SSL_CIPHER_is_AES256CBC(const SSL_CIPHER *cipher);
+
+/* SSL_CIPHER_is_CHACHA20POLY1305 returns one if |cipher| uses
+ * CHACHA20_POLY1305. Use |SSL_CIPHER_get_cipher_nid| instead. */
+OPENSSL_EXPORT int SSL_CIPHER_is_CHACHA20POLY1305(const SSL_CIPHER *cipher);
+
+/* SSL_CIPHER_is_NULL returns one if |cipher| does not encrypt. Use
+ * |SSL_CIPHER_get_cipher_nid| instead. */
+OPENSSL_EXPORT int SSL_CIPHER_is_NULL(const SSL_CIPHER *cipher);
+
+/* SSL_CIPHER_is_ECDSA returns one if |cipher| uses ECDSA. Use
+ * |SSL_CIPHER_get_auth_nid| instead. */
+OPENSSL_EXPORT int SSL_CIPHER_is_ECDSA(const SSL_CIPHER *cipher);
+
+/* SSL_CIPHER_is_ECDHE returns one if |cipher| uses ECDHE. Use
+ * |SSL_CIPHER_get_kx_nid| instead. */
+OPENSSL_EXPORT int SSL_CIPHER_is_ECDHE(const SSL_CIPHER *cipher);
+
+/* SSL_CIPHER_is_static_RSA returns one if |cipher| uses the static RSA key
+ * exchange. Use |SSL_CIPHER_get_kx_nid| instead. */
+OPENSSL_EXPORT int SSL_CIPHER_is_static_RSA(const SSL_CIPHER *cipher);
+

 /* Private structures.
 *
--- a/ssl/ssl_cipher.cc
+++ b/ssl/ssl_cipher.cc
@ -1455,10 +1455,80 @@ int SSL_CIPHER_has_SHA384_HMAC(const SSL_CIPHER *cipher) {
  return (cipher->algorithm_mac & SSL_SHA384) != 0;
 }

-int SSL_CIPHER_is_AEAD(const SSL_CIPHER *cipher) {
+int SSL_CIPHER_is_aead(const SSL_CIPHER *cipher) {
  return (cipher->algorithm_mac & SSL_AEAD) != 0;
 }

+int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *cipher) {
+  switch (cipher->algorithm_enc) {
+    case SSL_eNULL:
+      return NID_undef;
+    case SSL_3DES:
+      return NID_des_ede3_cbc;
+    case SSL_AES128:
+      return NID_aes_128_cbc;
+    case SSL_AES256:
+      return NID_aes_256_cbc;
+    case SSL_AES128GCM:
+      return NID_aes_128_gcm;
+    case SSL_AES256GCM:
+      return NID_aes_256_gcm;
+    case SSL_CHACHA20POLY1305:
+      return NID_chacha20_poly1305;
+  }
+  assert(0);
+  return NID_undef;
+}
+
+int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *cipher) {
+  switch (cipher->algorithm_mac) {
+    case SSL_AEAD:
+      return NID_undef;
+    case SSL_SHA1:
+      return NID_sha1;
+    case SSL_SHA256:
+      return NID_sha256;
+    case SSL_SHA384:
+      return NID_sha384;
+  }
+  assert(0);
+  return NID_undef;
+}
+
+int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *cipher) {
+  switch (cipher->algorithm_mkey) {
+    case SSL_kRSA:
+      return NID_kx_rsa;
+    case SSL_kECDHE:
+      return NID_kx_ecdhe;
+    case SSL_kPSK:
+      return NID_kx_psk;
+    case SSL_kGENERIC:
+      return NID_kx_any;
+  }
+  assert(0);
+  return NID_undef;
+}
+
+int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *cipher) {
+  switch (cipher->algorithm_auth) {
+    case SSL_aRSA:
+      return NID_auth_rsa;
+    case SSL_aECDSA:
+      return NID_auth_ecdsa;
+    case SSL_aPSK:
+      return NID_auth_psk;
+    case SSL_aGENERIC:
+      return NID_auth_any;
+  }
+  assert(0);
+  return NID_undef;
+}
+
+int SSL_CIPHER_is_AEAD(const SSL_CIPHER *cipher) {
+  return SSL_CIPHER_is_aead(cipher);
+}
+
 int SSL_CIPHER_is_AESGCM(const SSL_CIPHER *cipher) {
  return (cipher->algorithm_enc & (SSL_AES128GCM | SSL_AES256GCM)) != 0;
 }
--- a/ssl/ssl_test.cc
+++ b/ssl/ssl_test.cc
@ -786,30 +786,119 @@ TEST(SSLTest, DefaultVersion) {
  ExpectDefaultVersion(TLS1_2_VERSION, TLS1_2_VERSION, &DTLSv1_2_method);
 }

-TEST(SSLTest, CipherGetStandardName) {
+TEST(SSLTest, CipherProperties) {
  static const struct {
    int id;
    const char *standard_name;
+    int cipher_nid;
+    int digest_nid;
+    int kx_nid;
+    int auth_nid;
  } kTests[] = {
-      {SSL3_CK_RSA_DES_192_CBC3_SHA, "TLS_RSA_WITH_3DES_EDE_CBC_SHA"},
-      {TLS1_CK_RSA_WITH_AES_128_SHA, "TLS_RSA_WITH_AES_128_CBC_SHA"},
-      {TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
-       "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"},
-      {TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
-       "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"},
-      {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-       "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"},
-      {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-       "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"},
-      {TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-       "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"},
-      {TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA,
-       "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA"},
-      {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
-       "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"},
-      {TLS1_CK_AES_256_GCM_SHA384, "TLS_AES_256_GCM_SHA384"},
-      {TLS1_CK_AES_128_GCM_SHA256, "TLS_AES_128_GCM_SHA256"},
-      {TLS1_CK_CHACHA20_POLY1305_SHA256, "TLS_CHACHA20_POLY1305_SHA256"},
+      {
+          SSL3_CK_RSA_DES_192_CBC3_SHA,
+          "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
+          NID_des_ede3_cbc,
+          NID_sha1,
+          NID_kx_rsa,
+          NID_auth_rsa,
+      },
+      {
+          TLS1_CK_RSA_WITH_AES_128_SHA,
+          "TLS_RSA_WITH_AES_128_CBC_SHA",
+          NID_aes_128_cbc,
+          NID_sha1,
+          NID_kx_rsa,
+          NID_auth_rsa,
+      },
+      {
+          TLS1_CK_PSK_WITH_AES_256_CBC_SHA,
+          "TLS_PSK_WITH_AES_256_CBC_SHA",
+          NID_aes_256_cbc,
+          NID_sha1,
+          NID_kx_psk,
+          NID_auth_psk,
+      },
+      {
+          TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
+          "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+          NID_aes_128_cbc,
+          NID_sha256,
+          NID_kx_ecdhe,
+          NID_auth_rsa,
+      },
+      {
+          TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
+          "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
+          NID_aes_256_cbc,
+          NID_sha384,
+          NID_kx_ecdhe,
+          NID_auth_rsa,
+      },
+      {
+          TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+          "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+          NID_aes_128_gcm,
+          NID_undef,
+          NID_kx_ecdhe,
+          NID_auth_rsa,
+      },
+      {
+          TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+          "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+          NID_aes_128_gcm,
+          NID_undef,
+          NID_kx_ecdhe,
+          NID_auth_ecdsa,
+      },
+      {
+          TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+          "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+          NID_aes_256_gcm,
+          NID_undef,
+          NID_kx_ecdhe,
+          NID_auth_ecdsa,
+      },
+      {
+          TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA,
+          "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
+          NID_aes_128_cbc,
+          NID_sha1,
+          NID_kx_ecdhe,
+          NID_auth_psk,
+      },
+      {
+          TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+          "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+          NID_chacha20_poly1305,
+          NID_undef,
+          NID_kx_ecdhe,
+          NID_auth_rsa,
+      },
+      {
+          TLS1_CK_AES_256_GCM_SHA384,
+          "TLS_AES_256_GCM_SHA384",
+          NID_aes_256_gcm,
+          NID_undef,
+          NID_kx_any,
+          NID_auth_any,
+      },
+      {
+          TLS1_CK_AES_128_GCM_SHA256,
+          "TLS_AES_128_GCM_SHA256",
+          NID_aes_128_gcm,
+          NID_undef,
+          NID_kx_any,
+          NID_auth_any,
+      },
+      {
+          TLS1_CK_CHACHA20_POLY1305_SHA256,
+          "TLS_CHACHA20_POLY1305_SHA256",
+          NID_chacha20_poly1305,
+          NID_undef,
+          NID_kx_any,
+          NID_auth_any,
+      },
  };

  for (const auto &t : kTests) {
@ -822,6 +911,11 @@ TEST(SSLTest, CipherGetStandardName) {
    bssl::UniquePtr<char> rfc_name(SSL_CIPHER_get_rfc_name(cipher));
    ASSERT_TRUE(rfc_name);
    EXPECT_STREQ(t.standard_name, rfc_name.get());
+
+    EXPECT_EQ(t.cipher_nid, SSL_CIPHER_get_cipher_nid(cipher));
+    EXPECT_EQ(t.digest_nid, SSL_CIPHER_get_digest_nid(cipher));
+    EXPECT_EQ(t.kx_nid, SSL_CIPHER_get_kx_nid(cipher));
+    EXPECT_EQ(t.auth_nid, SSL_CIPHER_get_auth_nid(cipher));
  }
 }