diff --git a/crypto/obj/obj_dat.h b/crypto/obj/obj_dat.h index b3da0e89..dceaf03d 100644 --- a/crypto/obj/obj_dat.h +++ b/crypto/obj/obj_dat.h @@ -57,7 +57,7 @@ /* This file is generated by crypto/obj/objects.go. */ -#define NUM_NID 950 +#define NUM_NID 959 static const uint8_t kObjectData[] = { /* NID_rsadsi */ @@ -3444,6 +3444,16 @@ static const ASN1_OBJECT kObjects[NUM_NID] = { {"dh-cofactor-kdf", "dh-cofactor-kdf", NID_dh_cofactor_kdf, 0, NULL, 0}, {"X25519", "X25519", NID_X25519, 0, NULL, 0}, {"ED25519", "ED25519", NID_ED25519, 3, &kObjectData[6175], 0}, + {"ChaCha20-Poly1305", "chacha20-poly1305", NID_chacha20_poly1305, 0, NULL, + 0}, + {"KxRSA", "kx-rsa", NID_kx_rsa, 0, NULL, 0}, + {"KxECDHE", "kx-ecdhe", NID_kx_ecdhe, 0, NULL, 0}, + {"KxPSK", "kx-psk", NID_kx_psk, 0, NULL, 0}, + {"AuthRSA", "auth-rsa", NID_auth_rsa, 0, NULL, 0}, + {"AuthECDSA", "auth-ecdsa", NID_auth_ecdsa, 0, NULL, 0}, + {"AuthPSK", "auth-psk", NID_auth_psk, 0, NULL, 0}, + {"KxANY", "kx-any", NID_kx_any, 0, NULL, 0}, + {"AuthANY", "auth-any", NID_auth_any, 0, NULL, 0}, }; static const unsigned kNIDsInShortNameOrder[] = { @@ -3474,6 +3484,10 @@ static const unsigned kNIDsInShortNameOrder[] = { 426 /* AES-256-ECB */, 428 /* AES-256-OFB */, 914 /* AES-256-XTS */, + 958 /* AuthANY */, + 955 /* AuthECDSA */, + 956 /* AuthPSK */, + 954 /* AuthRSA */, 91 /* BF-CBC */, 93 /* BF-CFB */, 92 /* BF-ECB */, @@ -3505,6 +3519,7 @@ static const unsigned kNIDsInShortNameOrder[] = { 13 /* CN */, 141 /* CRLReason */, 417 /* CSPName */, + 950 /* ChaCha20-Poly1305 */, 367 /* CrlID */, 391 /* DC */, 31 /* DES-CBC */, @@ -3547,6 +3562,10 @@ static const unsigned kNIDsInShortNameOrder[] = { 645 /* ITU-T */, 646 /* JOINT-ISO-ITU-T */, 773 /* KISA */, + 957 /* KxANY */, + 952 /* KxECDHE */, + 953 /* KxPSK */, + 951 /* KxRSA */, 15 /* L */, 856 /* LocalKeySet */, 3 /* MD2 */, @@ -4570,6 +4589,10 @@ static const unsigned kNIDsInLongNameOrder[] = { 484 /* associatedDomain */, 485 /* associatedName */, 501 /* audio */, + 958 /* auth-any */, + 955 /* auth-ecdsa */, + 956 /* auth-psk */, + 954 /* auth-rsa */, 882 /* authorityRevocationList */, 91 /* bf-cbc */, 93 /* bf-cfb */, @@ -4640,6 +4663,7 @@ static const unsigned kNIDsInLongNameOrder[] = { 677 /* certicom-arc */, 517 /* certificate extensions */, 883 /* certificateRevocationList */, + 950 /* chacha20-poly1305 */, 54 /* challengePassword */, 407 /* characteristic-two-field */, 395 /* clearance */, @@ -4982,6 +5006,10 @@ static const unsigned kNIDsInLongNameOrder[] = { 646 /* joint-iso-itu-t */, 150 /* keyBag */, 773 /* kisa */, + 957 /* kx-any */, + 952 /* kx-ecdhe */, + 953 /* kx-psk */, + 951 /* kx-rsa */, 477 /* lastModifiedBy */, 476 /* lastModifiedTime */, 157 /* localKeyID */, diff --git a/crypto/obj/obj_mac.num b/crypto/obj/obj_mac.num index 572a01b0..6dbc0f13 100644 --- a/crypto/obj/obj_mac.num +++ b/crypto/obj/obj_mac.num @@ -938,3 +938,12 @@ dh_std_kdf 946 dh_cofactor_kdf 947 X25519 948 ED25519 949 +chacha20_poly1305 950 +kx_rsa 951 +kx_ecdhe 952 +kx_psk 953 +auth_rsa 954 +auth_ecdsa 955 +auth_psk 956 +kx_any 957 +auth_any 958 diff --git a/crypto/obj/objects.txt b/crypto/obj/objects.txt index 03056deb..f1a63955 100644 --- a/crypto/obj/objects.txt +++ b/crypto/obj/objects.txt @@ -1336,3 +1336,19 @@ secg-scheme 14 3 : dhSinglePass-cofactorDH-sha512kdf-scheme # See draft-ietf-curdle-pkix-04. 1 3 101 112 : ED25519 + + : ChaCha20-Poly1305 : chacha20-poly1305 + +# NIDs for TLS 1.2 cipher suite key exchanges. + : KxRSA : kx-rsa + : KxECDHE : kx-ecdhe + : KxPSK : kx-psk + +# NIDs for TLS 1.2 cipher suite authentication types. + : AuthRSA : auth-rsa + : AuthECDSA : auth-ecdsa + : AuthPSK : auth-psk + +# TLS 1.3 cipher suites do not specify key exchange or authentication. + : KxANY : kx-any + : AuthANY : auth-any diff --git a/include/openssl/nid.h b/include/openssl/nid.h index bc0ee338..afeb2dea 100644 --- a/include/openssl/nid.h +++ b/include/openssl/nid.h @@ -4198,6 +4198,42 @@ extern "C" { #define NID_ED25519 949 #define OBJ_ED25519 1L, 3L, 101L, 112L +#define SN_chacha20_poly1305 "ChaCha20-Poly1305" +#define LN_chacha20_poly1305 "chacha20-poly1305" +#define NID_chacha20_poly1305 950 + +#define SN_kx_rsa "KxRSA" +#define LN_kx_rsa "kx-rsa" +#define NID_kx_rsa 951 + +#define SN_kx_ecdhe "KxECDHE" +#define LN_kx_ecdhe "kx-ecdhe" +#define NID_kx_ecdhe 952 + +#define SN_kx_psk "KxPSK" +#define LN_kx_psk "kx-psk" +#define NID_kx_psk 953 + +#define SN_auth_rsa "AuthRSA" +#define LN_auth_rsa "auth-rsa" +#define NID_auth_rsa 954 + +#define SN_auth_ecdsa "AuthECDSA" +#define LN_auth_ecdsa "auth-ecdsa" +#define NID_auth_ecdsa 955 + +#define SN_auth_psk "AuthPSK" +#define LN_auth_psk "auth-psk" +#define NID_auth_psk 956 + +#define SN_kx_any "KxANY" +#define LN_kx_any "kx-any" +#define NID_kx_any 957 + +#define SN_auth_any "AuthANY" +#define LN_auth_any "auth-any" +#define NID_auth_any 958 + #if defined(__cplusplus) } /* extern C */ diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index c989dd61..63651b5c 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -1200,56 +1200,36 @@ OPENSSL_EXPORT const SSL_CIPHER *SSL_get_cipher_by_value(uint16_t value); * get the cipher suite value. */ OPENSSL_EXPORT uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *cipher); -/* SSL_CIPHER_is_AES returns one if |cipher| uses AES (either GCM or CBC - * mode). */ -OPENSSL_EXPORT int SSL_CIPHER_is_AES(const SSL_CIPHER *cipher); - -/* SSL_CIPHER_has_SHA1_HMAC returns one if |cipher| uses HMAC-SHA1. */ -OPENSSL_EXPORT int SSL_CIPHER_has_SHA1_HMAC(const SSL_CIPHER *cipher); - -/* SSL_CIPHER_has_SHA256_HMAC returns one if |cipher| uses HMAC-SHA256. */ -OPENSSL_EXPORT int SSL_CIPHER_has_SHA256_HMAC(const SSL_CIPHER *cipher); - -/* SSL_CIPHER_has_SHA384_HMAC returns one if |cipher| uses HMAC-SHA384. */ -OPENSSL_EXPORT int SSL_CIPHER_has_SHA384_HMAC(const SSL_CIPHER *cipher); - -/* SSL_CIPHER_is_AEAD returns one if |cipher| uses an AEAD cipher. */ -OPENSSL_EXPORT int SSL_CIPHER_is_AEAD(const SSL_CIPHER *cipher); - -/* SSL_CIPHER_is_AESGCM returns one if |cipher| uses AES-GCM. */ -OPENSSL_EXPORT int SSL_CIPHER_is_AESGCM(const SSL_CIPHER *cipher); - -/* SSL_CIPHER_is_AES128GCM returns one if |cipher| uses 128-bit AES-GCM. */ -OPENSSL_EXPORT int SSL_CIPHER_is_AES128GCM(const SSL_CIPHER *cipher); - -/* SSL_CIPHER_is_AES128CBC returns one if |cipher| uses 128-bit AES in CBC - * mode. */ -OPENSSL_EXPORT int SSL_CIPHER_is_AES128CBC(const SSL_CIPHER *cipher); - -/* SSL_CIPHER_is_AES256CBC returns one if |cipher| uses 256-bit AES in CBC - * mode. */ -OPENSSL_EXPORT int SSL_CIPHER_is_AES256CBC(const SSL_CIPHER *cipher); - -/* SSL_CIPHER_is_CHACHA20POLY1305 returns one if |cipher| uses - * CHACHA20_POLY1305. Note this includes both the RFC 7905 and - * draft-agl-tls-chacha20poly1305-04 versions. */ -OPENSSL_EXPORT int SSL_CIPHER_is_CHACHA20POLY1305(const SSL_CIPHER *cipher); - -/* SSL_CIPHER_is_NULL returns one if |cipher| does not encrypt. */ -OPENSSL_EXPORT int SSL_CIPHER_is_NULL(const SSL_CIPHER *cipher); +/* SSL_CIPHER_is_aead returns one if |cipher| uses an AEAD cipher. */ +OPENSSL_EXPORT int SSL_CIPHER_is_aead(const SSL_CIPHER *cipher); /* SSL_CIPHER_is_block_cipher returns one if |cipher| is a block cipher. */ OPENSSL_EXPORT int SSL_CIPHER_is_block_cipher(const SSL_CIPHER *cipher); -/* SSL_CIPHER_is_ECDSA returns one if |cipher| uses ECDSA. */ -OPENSSL_EXPORT int SSL_CIPHER_is_ECDSA(const SSL_CIPHER *cipher); +/* SSL_CIPHER_get_cipher_nid returns the NID for |cipher|'s bulk + * cipher. Possible values are |NID_aes_128_gcm|, |NID_aes_256_gcm|, + * |NID_chacha20_poly1305|, |NID_aes_128_cbc|, |NID_aes_256_cbc|, and + * |NID_des_ede3_cbc|. */ +OPENSSL_EXPORT int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *cipher); -/* SSL_CIPHER_is_ECDHE returns one if |cipher| uses ECDHE. */ -OPENSSL_EXPORT int SSL_CIPHER_is_ECDHE(const SSL_CIPHER *cipher); +/* SSL_CIPHER_get_digest_nid returns the NID for |cipher|'s HMAC if it is a + * legacy cipher suite. For modern AEAD-based ciphers (see + * |SSL_CIPHER_is_aead|), it returns |NID_undef|. + * + * Note this function only returns the legacy HMAC digest, not the PRF hash. */ +OPENSSL_EXPORT int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *cipher); -/* SSL_CIPHER_is_static_RSA returns one if |cipher| uses the static RSA key - * exchange. */ -OPENSSL_EXPORT int SSL_CIPHER_is_static_RSA(const SSL_CIPHER *cipher); +/* SSL_CIPHER_get_kx_nid returns the NID for |cipher|'s key exchange. This may + * be |NID_kx_rsa|, |NID_kx_ecdhe|, or |NID_kx_psk| for TLS 1.2. In TLS 1.3, + * cipher suites do not specify the key exchange, so this function returns + * |NID_kx_any|. */ +OPENSSL_EXPORT int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *cipher); + +/* SSL_CIPHER_get_auth_nid returns the NID for |cipher|'s authentication + * type. This may be |NID_auth_rsa|, |NID_auth_ecdsa|, or |NID_auth_psk| for TLS + * 1.2. In TLS 1.3, cipher suites do not specify authentication, so this + * function returns |NID_auth_any|. */ +OPENSSL_EXPORT int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *cipher); /* SSL_CIPHER_get_min_version returns the minimum protocol version required * for |cipher|. */ @@ -3983,6 +3963,64 @@ OPENSSL_EXPORT SSL_SESSION *SSL_get_session(const SSL *ssl); * the session. */ OPENSSL_EXPORT SSL_SESSION *SSL_get1_session(SSL *ssl); +/* TODO(davidben): Convert all the callers of these old |SSL_CIPHER| functions + * and remove them. */ + +/* SSL_CIPHER_is_AEAD calls |SSL_CIPHER_is_aead|. */ +OPENSSL_EXPORT int SSL_CIPHER_is_AEAD(const SSL_CIPHER *cipher); + +/* SSL_CIPHER_is_AES returns one if |cipher| uses AES (either GCM or CBC + * mode). Use |SSL_CIPHER_get_cipher_nid| instead. */ +OPENSSL_EXPORT int SSL_CIPHER_is_AES(const SSL_CIPHER *cipher); + +/* SSL_CIPHER_has_SHA1_HMAC returns one if |cipher| uses HMAC-SHA1. Use + * |SSL_CIPHER_get_digest_nid| instead. */ +OPENSSL_EXPORT int SSL_CIPHER_has_SHA1_HMAC(const SSL_CIPHER *cipher); + +/* SSL_CIPHER_has_SHA256_HMAC returns one if |cipher| uses HMAC-SHA256. Use + * |SSL_CIPHER_get_digest_nid| instead. */ +OPENSSL_EXPORT int SSL_CIPHER_has_SHA256_HMAC(const SSL_CIPHER *cipher); + +/* SSL_CIPHER_has_SHA384_HMAC returns one if |cipher| uses HMAC-SHA384. Use + * |SSL_CIPHER_get_digest_nid| instead. */ +OPENSSL_EXPORT int SSL_CIPHER_has_SHA384_HMAC(const SSL_CIPHER *cipher); + +/* SSL_CIPHER_is_AESGCM returns one if |cipher| uses AES-GCM. Use + * |SSL_CIPHER_get_cipher_nid| instead. */ +OPENSSL_EXPORT int SSL_CIPHER_is_AESGCM(const SSL_CIPHER *cipher); + +/* SSL_CIPHER_is_AES128GCM returns one if |cipher| uses 128-bit AES-GCM. Use + * |SSL_CIPHER_get_cipher_nid| instead. */ +OPENSSL_EXPORT int SSL_CIPHER_is_AES128GCM(const SSL_CIPHER *cipher); + +/* SSL_CIPHER_is_AES128CBC returns one if |cipher| uses 128-bit AES in CBC + * mode. Use |SSL_CIPHER_get_cipher_nid| instead. */ +OPENSSL_EXPORT int SSL_CIPHER_is_AES128CBC(const SSL_CIPHER *cipher); + +/* SSL_CIPHER_is_AES256CBC returns one if |cipher| uses 256-bit AES in CBC + * mode. Use |SSL_CIPHER_get_cipher_nid| instead. */ +OPENSSL_EXPORT int SSL_CIPHER_is_AES256CBC(const SSL_CIPHER *cipher); + +/* SSL_CIPHER_is_CHACHA20POLY1305 returns one if |cipher| uses + * CHACHA20_POLY1305. Use |SSL_CIPHER_get_cipher_nid| instead. */ +OPENSSL_EXPORT int SSL_CIPHER_is_CHACHA20POLY1305(const SSL_CIPHER *cipher); + +/* SSL_CIPHER_is_NULL returns one if |cipher| does not encrypt. Use + * |SSL_CIPHER_get_cipher_nid| instead. */ +OPENSSL_EXPORT int SSL_CIPHER_is_NULL(const SSL_CIPHER *cipher); + +/* SSL_CIPHER_is_ECDSA returns one if |cipher| uses ECDSA. Use + * |SSL_CIPHER_get_auth_nid| instead. */ +OPENSSL_EXPORT int SSL_CIPHER_is_ECDSA(const SSL_CIPHER *cipher); + +/* SSL_CIPHER_is_ECDHE returns one if |cipher| uses ECDHE. Use + * |SSL_CIPHER_get_kx_nid| instead. */ +OPENSSL_EXPORT int SSL_CIPHER_is_ECDHE(const SSL_CIPHER *cipher); + +/* SSL_CIPHER_is_static_RSA returns one if |cipher| uses the static RSA key + * exchange. Use |SSL_CIPHER_get_kx_nid| instead. */ +OPENSSL_EXPORT int SSL_CIPHER_is_static_RSA(const SSL_CIPHER *cipher); + /* Private structures. * diff --git a/ssl/ssl_cipher.cc b/ssl/ssl_cipher.cc index fbcabd55..de4a4b49 100644 --- a/ssl/ssl_cipher.cc +++ b/ssl/ssl_cipher.cc @@ -1455,10 +1455,80 @@ int SSL_CIPHER_has_SHA384_HMAC(const SSL_CIPHER *cipher) { return (cipher->algorithm_mac & SSL_SHA384) != 0; } -int SSL_CIPHER_is_AEAD(const SSL_CIPHER *cipher) { +int SSL_CIPHER_is_aead(const SSL_CIPHER *cipher) { return (cipher->algorithm_mac & SSL_AEAD) != 0; } +int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *cipher) { + switch (cipher->algorithm_enc) { + case SSL_eNULL: + return NID_undef; + case SSL_3DES: + return NID_des_ede3_cbc; + case SSL_AES128: + return NID_aes_128_cbc; + case SSL_AES256: + return NID_aes_256_cbc; + case SSL_AES128GCM: + return NID_aes_128_gcm; + case SSL_AES256GCM: + return NID_aes_256_gcm; + case SSL_CHACHA20POLY1305: + return NID_chacha20_poly1305; + } + assert(0); + return NID_undef; +} + +int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *cipher) { + switch (cipher->algorithm_mac) { + case SSL_AEAD: + return NID_undef; + case SSL_SHA1: + return NID_sha1; + case SSL_SHA256: + return NID_sha256; + case SSL_SHA384: + return NID_sha384; + } + assert(0); + return NID_undef; +} + +int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *cipher) { + switch (cipher->algorithm_mkey) { + case SSL_kRSA: + return NID_kx_rsa; + case SSL_kECDHE: + return NID_kx_ecdhe; + case SSL_kPSK: + return NID_kx_psk; + case SSL_kGENERIC: + return NID_kx_any; + } + assert(0); + return NID_undef; +} + +int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *cipher) { + switch (cipher->algorithm_auth) { + case SSL_aRSA: + return NID_auth_rsa; + case SSL_aECDSA: + return NID_auth_ecdsa; + case SSL_aPSK: + return NID_auth_psk; + case SSL_aGENERIC: + return NID_auth_any; + } + assert(0); + return NID_undef; +} + +int SSL_CIPHER_is_AEAD(const SSL_CIPHER *cipher) { + return SSL_CIPHER_is_aead(cipher); +} + int SSL_CIPHER_is_AESGCM(const SSL_CIPHER *cipher) { return (cipher->algorithm_enc & (SSL_AES128GCM | SSL_AES256GCM)) != 0; } diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc index 88c2ed24..898cd04b 100644 --- a/ssl/ssl_test.cc +++ b/ssl/ssl_test.cc @@ -786,30 +786,119 @@ TEST(SSLTest, DefaultVersion) { ExpectDefaultVersion(TLS1_2_VERSION, TLS1_2_VERSION, &DTLSv1_2_method); } -TEST(SSLTest, CipherGetStandardName) { +TEST(SSLTest, CipherProperties) { static const struct { int id; const char *standard_name; + int cipher_nid; + int digest_nid; + int kx_nid; + int auth_nid; } kTests[] = { - {SSL3_CK_RSA_DES_192_CBC3_SHA, "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}, - {TLS1_CK_RSA_WITH_AES_128_SHA, "TLS_RSA_WITH_AES_128_CBC_SHA"}, - {TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256, - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"}, - {TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384, - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"}, - {TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}, - {TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"}, - {TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"}, - {TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA, - "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA"}, - {TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"}, - {TLS1_CK_AES_256_GCM_SHA384, "TLS_AES_256_GCM_SHA384"}, - {TLS1_CK_AES_128_GCM_SHA256, "TLS_AES_128_GCM_SHA256"}, - {TLS1_CK_CHACHA20_POLY1305_SHA256, "TLS_CHACHA20_POLY1305_SHA256"}, + { + SSL3_CK_RSA_DES_192_CBC3_SHA, + "TLS_RSA_WITH_3DES_EDE_CBC_SHA", + NID_des_ede3_cbc, + NID_sha1, + NID_kx_rsa, + NID_auth_rsa, + }, + { + TLS1_CK_RSA_WITH_AES_128_SHA, + "TLS_RSA_WITH_AES_128_CBC_SHA", + NID_aes_128_cbc, + NID_sha1, + NID_kx_rsa, + NID_auth_rsa, + }, + { + TLS1_CK_PSK_WITH_AES_256_CBC_SHA, + "TLS_PSK_WITH_AES_256_CBC_SHA", + NID_aes_256_cbc, + NID_sha1, + NID_kx_psk, + NID_auth_psk, + }, + { + TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256, + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", + NID_aes_128_cbc, + NID_sha256, + NID_kx_ecdhe, + NID_auth_rsa, + }, + { + TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384, + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", + NID_aes_256_cbc, + NID_sha384, + NID_kx_ecdhe, + NID_auth_rsa, + }, + { + TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", + NID_aes_128_gcm, + NID_undef, + NID_kx_ecdhe, + NID_auth_rsa, + }, + { + TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", + NID_aes_128_gcm, + NID_undef, + NID_kx_ecdhe, + NID_auth_ecdsa, + }, + { + TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", + NID_aes_256_gcm, + NID_undef, + NID_kx_ecdhe, + NID_auth_ecdsa, + }, + { + TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA, + "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA", + NID_aes_128_cbc, + NID_sha1, + NID_kx_ecdhe, + NID_auth_psk, + }, + { + TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, + "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", + NID_chacha20_poly1305, + NID_undef, + NID_kx_ecdhe, + NID_auth_rsa, + }, + { + TLS1_CK_AES_256_GCM_SHA384, + "TLS_AES_256_GCM_SHA384", + NID_aes_256_gcm, + NID_undef, + NID_kx_any, + NID_auth_any, + }, + { + TLS1_CK_AES_128_GCM_SHA256, + "TLS_AES_128_GCM_SHA256", + NID_aes_128_gcm, + NID_undef, + NID_kx_any, + NID_auth_any, + }, + { + TLS1_CK_CHACHA20_POLY1305_SHA256, + "TLS_CHACHA20_POLY1305_SHA256", + NID_chacha20_poly1305, + NID_undef, + NID_kx_any, + NID_auth_any, + }, }; for (const auto &t : kTests) { @@ -822,6 +911,11 @@ TEST(SSLTest, CipherGetStandardName) { bssl::UniquePtr rfc_name(SSL_CIPHER_get_rfc_name(cipher)); ASSERT_TRUE(rfc_name); EXPECT_STREQ(t.standard_name, rfc_name.get()); + + EXPECT_EQ(t.cipher_nid, SSL_CIPHER_get_cipher_nid(cipher)); + EXPECT_EQ(t.digest_nid, SSL_CIPHER_get_digest_nid(cipher)); + EXPECT_EQ(t.kx_nid, SSL_CIPHER_get_kx_nid(cipher)); + EXPECT_EQ(t.auth_nid, SSL_CIPHER_get_auth_nid(cipher)); } }