
Add OpenSSL 1.1.0's cipher property functions.

Other projects are starting to use them. Having two APIs for the same
thing is silly, so deprecate all our old ones.

Change-Id: Iaf6b6995bc9e4b624140d5c645000fbf2cb08162
Reviewed-on: https://boringssl-review.googlesource.com/19064
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
kris/onging/CECPQ3_patch15
David Benjamin 7 år sedan
committed by CQ bot account: commit-bot@chromium.org
förälder
incheckning
348f0d8db9
7 ändrade filer med 357 tillägg och 66 borttagningar
  1. +29
    -1
      crypto/obj/obj_dat.h
  2. +9
    -0
      crypto/obj/obj_mac.num
  3. +16
    -0
      crypto/obj/objects.txt
  4. +36
    -0
      include/openssl/nid.h
  5. +82
    -44
      include/openssl/ssl.h
  6. +71
    -1
      ssl/ssl_cipher.cc
  7. +114
    -20
      ssl/ssl_test.cc

+ 29
- 1
crypto/obj/obj_dat.h

@@ -57,7 +57,7 @@
/* This file is generated by crypto/obj/objects.go. */


#define NUM_NID 950
#define NUM_NID 959

static const uint8_t kObjectData[] = {
/* NID_rsadsi */
@@ -3444,6 +3444,16 @@ static const ASN1_OBJECT kObjects[NUM_NID] = {
{"dh-cofactor-kdf", "dh-cofactor-kdf", NID_dh_cofactor_kdf, 0, NULL, 0},
{"X25519", "X25519", NID_X25519, 0, NULL, 0},
{"ED25519", "ED25519", NID_ED25519, 3, &kObjectData[6175], 0},
{"ChaCha20-Poly1305", "chacha20-poly1305", NID_chacha20_poly1305, 0, NULL,
0},
{"KxRSA", "kx-rsa", NID_kx_rsa, 0, NULL, 0},
{"KxECDHE", "kx-ecdhe", NID_kx_ecdhe, 0, NULL, 0},
{"KxPSK", "kx-psk", NID_kx_psk, 0, NULL, 0},
{"AuthRSA", "auth-rsa", NID_auth_rsa, 0, NULL, 0},
{"AuthECDSA", "auth-ecdsa", NID_auth_ecdsa, 0, NULL, 0},
{"AuthPSK", "auth-psk", NID_auth_psk, 0, NULL, 0},
{"KxANY", "kx-any", NID_kx_any, 0, NULL, 0},
{"AuthANY", "auth-any", NID_auth_any, 0, NULL, 0},
};

static const unsigned kNIDsInShortNameOrder[] = {
@@ -3474,6 +3484,10 @@ static const unsigned kNIDsInShortNameOrder[] = {
426 /* AES-256-ECB */,
428 /* AES-256-OFB */,
914 /* AES-256-XTS */,
958 /* AuthANY */,
955 /* AuthECDSA */,
956 /* AuthPSK */,
954 /* AuthRSA */,
91 /* BF-CBC */,
93 /* BF-CFB */,
92 /* BF-ECB */,
@@ -3505,6 +3519,7 @@ static const unsigned kNIDsInShortNameOrder[] = {
13 /* CN */,
141 /* CRLReason */,
417 /* CSPName */,
950 /* ChaCha20-Poly1305 */,
367 /* CrlID */,
391 /* DC */,
31 /* DES-CBC */,
@@ -3547,6 +3562,10 @@ static const unsigned kNIDsInShortNameOrder[] = {
645 /* ITU-T */,
646 /* JOINT-ISO-ITU-T */,
773 /* KISA */,
957 /* KxANY */,
952 /* KxECDHE */,
953 /* KxPSK */,
951 /* KxRSA */,
15 /* L */,
856 /* LocalKeySet */,
3 /* MD2 */,
@@ -4570,6 +4589,10 @@ static const unsigned kNIDsInLongNameOrder[] = {
484 /* associatedDomain */,
485 /* associatedName */,
501 /* audio */,
958 /* auth-any */,
955 /* auth-ecdsa */,
956 /* auth-psk */,
954 /* auth-rsa */,
882 /* authorityRevocationList */,
91 /* bf-cbc */,
93 /* bf-cfb */,
@@ -4640,6 +4663,7 @@ static const unsigned kNIDsInLongNameOrder[] = {
677 /* certicom-arc */,
517 /* certificate extensions */,
883 /* certificateRevocationList */,
950 /* chacha20-poly1305 */,
54 /* challengePassword */,
407 /* characteristic-two-field */,
395 /* clearance */,
@@ -4982,6 +5006,10 @@ static const unsigned kNIDsInLongNameOrder[] = {
646 /* joint-iso-itu-t */,
150 /* keyBag */,
773 /* kisa */,
957 /* kx-any */,
952 /* kx-ecdhe */,
953 /* kx-psk */,
951 /* kx-rsa */,
477 /* lastModifiedBy */,
476 /* lastModifiedTime */,
157 /* localKeyID */,


+ 9
- 0
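--- a/crypto/obj/obj_mac.num
+++ b/crypto/obj/obj_mac.num
@@ -938,3 +938,12 @@ dh_std_kdf 946
 dh_cofactor_kdf 947
 X25519 948
 ED25519 949
+chacha20_poly1305 950
+kx_rsa 951
+kx_ecdhe 952
+kx_psk 953
+auth_rsa 954
+auth_ecdsa 955
+auth_psk 956
+kx_any 957
+auth_any 958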

+ 16
- 0
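--- a/crypto/obj/objects.txt
+++ b/crypto/obj/objects.txt
@@ -1336,3 +1336,19 @@ secg-scheme 14 3 : dhSinglePass-cofactorDH-sha512kdf-scheme
 
 # See draft-ietf-curdle-pkix-04.
 1 3 101 112 : ED25519
+
+: ChaCha20-Poly1305 : chacha20-poly1305
+
+# NIDs for TLS 1.2 cipher suite key exchanges.
+: KxRSA : kx-rsa
+: KxECDHE : kx-ecdhe
+: KxPSK : kx-psk
+
+# NIDs for TLS 1.2 cipher suite authentication types.
+: AuthRSA : auth-rsa
+: AuthECDSA : auth-ecdsa
+: AuthPSK : auth-psk
+
+# TLS 1.3 cipher suites do not specify key exchange or authentication.
+: KxANY : kx-any
+: AuthANY : auth-any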

+ 36
- 0
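--- a/include/openssl/nid.h
+++ b/include/openssl/nid.h
@@ -4198,6 +4198,42 @@ extern "C" {
 #define NID_ED25519 949
 #define OBJ_ED25519 1L, 3L, 101L, 112L
 
+#define SN_chacha20_poly1305 "ChaCha20-Poly1305"
+#define LN_chacha20_poly1305 "chacha20-poly1305"
+#define NID_chacha20_poly1305 950
+
+#define SN_kx_rsa "KxRSA"
+#define LN_kx_rsa "kx-rsa"
+#define NID_kx_rsa 951
+
+#define SN_kx_ecdhe "KxECDHE"
+#define LN_kx_ecdhe "kx-ecdhe"
+#define NID_kx_ecdhe 952
+
+#define SN_kx_psk "KxPSK"
+#define LN_kx_psk "kx-psk"
+#define NID_kx_psk 953
+
+#define SN_auth_rsa "AuthRSA"
+#define LN_auth_rsa "auth-rsa"
+#define NID_auth_rsa 954
+
+#define SN_auth_ecdsa "AuthECDSA"
+#define LN_auth_ecdsa "auth-ecdsa"
+#define NID_auth_ecdsa 955
+
+#define SN_auth_psk "AuthPSK"
+#define LN_auth_psk "auth-psk"
+#define NID_auth_psk 956
+
+#define SN_kx_any "KxANY"
+#define LN_kx_any "kx-any"
+#define NID_kx_any 957
+
+#define SN_auth_any "AuthANY"
+#define LN_auth_any "auth-any"
+#define NID_auth_any 958
+
 
 #if defined(__cplusplus)
 } /* extern C */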


+ 82
- 44
include/openssl/ssl.h

@@ -1200,56 +1200,36 @@ OPENSSL_EXPORT const SSL_CIPHER *SSL_get_cipher_by_value(uint16_t value);
* get the cipher suite value. */
OPENSSL_EXPORT uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *cipher);

/* SSL_CIPHER_is_AES returns one if |cipher| uses AES (either GCM or CBC
* mode). */
OPENSSL_EXPORT int SSL_CIPHER_is_AES(const SSL_CIPHER *cipher);

/* SSL_CIPHER_has_SHA1_HMAC returns one if |cipher| uses HMAC-SHA1. */
OPENSSL_EXPORT int SSL_CIPHER_has_SHA1_HMAC(const SSL_CIPHER *cipher);

/* SSL_CIPHER_has_SHA256_HMAC returns one if |cipher| uses HMAC-SHA256. */
OPENSSL_EXPORT int SSL_CIPHER_has_SHA256_HMAC(const SSL_CIPHER *cipher);

/* SSL_CIPHER_has_SHA384_HMAC returns one if |cipher| uses HMAC-SHA384. */
OPENSSL_EXPORT int SSL_CIPHER_has_SHA384_HMAC(const SSL_CIPHER *cipher);

/* SSL_CIPHER_is_AEAD returns one if |cipher| uses an AEAD cipher. */
OPENSSL_EXPORT int SSL_CIPHER_is_AEAD(const SSL_CIPHER *cipher);

/* SSL_CIPHER_is_AESGCM returns one if |cipher| uses AES-GCM. */
OPENSSL_EXPORT int SSL_CIPHER_is_AESGCM(const SSL_CIPHER *cipher);

/* SSL_CIPHER_is_AES128GCM returns one if |cipher| uses 128-bit AES-GCM. */
OPENSSL_EXPORT int SSL_CIPHER_is_AES128GCM(const SSL_CIPHER *cipher);

/* SSL_CIPHER_is_AES128CBC returns one if |cipher| uses 128-bit AES in CBC
* mode. */
OPENSSL_EXPORT int SSL_CIPHER_is_AES128CBC(const SSL_CIPHER *cipher);

/* SSL_CIPHER_is_AES256CBC returns one if |cipher| uses 256-bit AES in CBC
* mode. */
OPENSSL_EXPORT int SSL_CIPHER_is_AES256CBC(const SSL_CIPHER *cipher);

/* SSL_CIPHER_is_CHACHA20POLY1305 returns one if |cipher| uses
* CHACHA20_POLY1305. Note this includes both the RFC 7905 and
* draft-agl-tls-chacha20poly1305-04 versions. */
OPENSSL_EXPORT int SSL_CIPHER_is_CHACHA20POLY1305(const SSL_CIPHER *cipher);

/* SSL_CIPHER_is_NULL returns one if |cipher| does not encrypt. */
OPENSSL_EXPORT int SSL_CIPHER_is_NULL(const SSL_CIPHER *cipher);
/* SSL_CIPHER_is_aead returns one if |cipher| uses an AEAD cipher. */
OPENSSL_EXPORT int SSL_CIPHER_is_aead(const SSL_CIPHER *cipher);

/* SSL_CIPHER_is_block_cipher returns one if |cipher| is a block cipher. */
OPENSSL_EXPORT int SSL_CIPHER_is_block_cipher(const SSL_CIPHER *cipher);

/* SSL_CIPHER_is_ECDSA returns one if |cipher| uses ECDSA. */
OPENSSL_EXPORT int SSL_CIPHER_is_ECDSA(const SSL_CIPHER *cipher);
/* SSL_CIPHER_get_cipher_nid returns the NID for |cipher|'s bulk
* cipher. Possible values are |NID_aes_128_gcm|, |NID_aes_256_gcm|,
* |NID_chacha20_poly1305|, |NID_aes_128_cbc|, |NID_aes_256_cbc|, and
* |NID_des_ede3_cbc|. */
OPENSSL_EXPORT int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *cipher);

/* SSL_CIPHER_is_ECDHE returns one if |cipher| uses ECDHE. */
OPENSSL_EXPORT int SSL_CIPHER_is_ECDHE(const SSL_CIPHER *cipher);
/* SSL_CIPHER_get_digest_nid returns the NID for |cipher|'s HMAC if it is a
* legacy cipher suite. For modern AEAD-based ciphers (see
* |SSL_CIPHER_is_aead|), it returns |NID_undef|.
*
* Note this function only returns the legacy HMAC digest, not the PRF hash. */
OPENSSL_EXPORT int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *cipher);

/* SSL_CIPHER_is_static_RSA returns one if |cipher| uses the static RSA key
* exchange. */
OPENSSL_EXPORT int SSL_CIPHER_is_static_RSA(const SSL_CIPHER *cipher);
/* SSL_CIPHER_get_kx_nid returns the NID for |cipher|'s key exchange. This may
* be |NID_kx_rsa|, |NID_kx_ecdhe|, or |NID_kx_psk| for TLS 1.2. In TLS 1.3,
* cipher suites do not specify the key exchange, so this function returns
* |NID_kx_any|. */
OPENSSL_EXPORT int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *cipher);

/* SSL_CIPHER_get_auth_nid returns the NID for |cipher|'s authentication
* type. This may be |NID_auth_rsa|, |NID_auth_ecdsa|, or |NID_auth_psk| for TLS
* 1.2. In TLS 1.3, cipher suites do not specify authentication, so this
* function returns |NID_auth_any|. */
OPENSSL_EXPORT int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *cipher);

/* SSL_CIPHER_get_min_version returns the minimum protocol version required
* for |cipher|. */
@@ -3983,6 +3963,64 @@ OPENSSL_EXPORT SSL_SESSION *SSL_get_session(const SSL *ssl);
* the session. */
OPENSSL_EXPORT SSL_SESSION *SSL_get1_session(SSL *ssl);

/* TODO(davidben): Convert all the callers of these old |SSL_CIPHER| functions
* and remove them. */

/* SSL_CIPHER_is_AEAD calls |SSL_CIPHER_is_aead|. */
OPENSSL_EXPORT int SSL_CIPHER_is_AEAD(const SSL_CIPHER *cipher);

/* SSL_CIPHER_is_AES returns one if |cipher| uses AES (either GCM or CBC
* mode). Use |SSL_CIPHER_get_cipher_nid| instead. */
OPENSSL_EXPORT int SSL_CIPHER_is_AES(const SSL_CIPHER *cipher);

/* SSL_CIPHER_has_SHA1_HMAC returns one if |cipher| uses HMAC-SHA1. Use
* |SSL_CIPHER_get_digest_nid| instead. */
OPENSSL_EXPORT int SSL_CIPHER_has_SHA1_HMAC(const SSL_CIPHER *cipher);

/* SSL_CIPHER_has_SHA256_HMAC returns one if |cipher| uses HMAC-SHA256. Use
* |SSL_CIPHER_get_digest_nid| instead. */
OPENSSL_EXPORT int SSL_CIPHER_has_SHA256_HMAC(const SSL_CIPHER *cipher);

/* SSL_CIPHER_has_SHA384_HMAC returns one if |cipher| uses HMAC-SHA384. Use
* |SSL_CIPHER_get_digest_nid| instead. */
OPENSSL_EXPORT int SSL_CIPHER_has_SHA384_HMAC(const SSL_CIPHER *cipher);

/* SSL_CIPHER_is_AESGCM returns one if |cipher| uses AES-GCM. Use
* |SSL_CIPHER_get_cipher_nid| instead. */
OPENSSL_EXPORT int SSL_CIPHER_is_AESGCM(const SSL_CIPHER *cipher);

/* SSL_CIPHER_is_AES128GCM returns one if |cipher| uses 128-bit AES-GCM. Use
* |SSL_CIPHER_get_cipher_nid| instead. */
OPENSSL_EXPORT int SSL_CIPHER_is_AES128GCM(const SSL_CIPHER *cipher);

/* SSL_CIPHER_is_AES128CBC returns one if |cipher| uses 128-bit AES in CBC
* mode. Use |SSL_CIPHER_get_cipher_nid| instead. */
OPENSSL_EXPORT int SSL_CIPHER_is_AES128CBC(const SSL_CIPHER *cipher);

/* SSL_CIPHER_is_AES256CBC returns one if |cipher| uses 256-bit AES in CBC
* mode. Use |SSL_CIPHER_get_cipher_nid| instead. */
OPENSSL_EXPORT int SSL_CIPHER_is_AES256CBC(const SSL_CIPHER *cipher);

/* SSL_CIPHER_is_CHACHA20POLY1305 returns one if |cipher| uses
* CHACHA20_POLY1305. Use |SSL_CIPHER_get_cipher_nid| instead. */
OPENSSL_EXPORT int SSL_CIPHER_is_CHACHA20POLY1305(const SSL_CIPHER *cipher);

/* SSL_CIPHER_is_NULL returns one if |cipher| does not encrypt. Use
* |SSL_CIPHER_get_cipher_nid| instead. */
OPENSSL_EXPORT int SSL_CIPHER_is_NULL(const SSL_CIPHER *cipher);

/* SSL_CIPHER_is_ECDSA returns one if |cipher| uses ECDSA. Use
* |SSL_CIPHER_get_auth_nid| instead. */
OPENSSL_EXPORT int SSL_CIPHER_is_ECDSA(const SSL_CIPHER *cipher);

/* SSL_CIPHER_is_ECDHE returns one if |cipher| uses ECDHE. Use
* |SSL_CIPHER_get_kx_nid| instead. */
OPENSSL_EXPORT int SSL_CIPHER_is_ECDHE(const SSL_CIPHER *cipher);

/* SSL_CIPHER_is_static_RSA returns one if |cipher| uses the static RSA key
* exchange. Use |SSL_CIPHER_get_kx_nid| instead. */
OPENSSL_EXPORT int SSL_CIPHER_is_static_RSA(const SSL_CIPHER *cipher);


/* Private structures.
*
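Review bot: The new comment on `SSL_CIPHER_get_cipher_nid` lists six possible return values but omits `NID_undef`, which the implementation in ssl/ssl_cipher.cc returns for `SSL_eNULL`. This matters because the deprecated `SSL_CIPHER_is_NULL` comment now points callers at `SSL_CIPHER_get_cipher_nid`, so code that wants to reject non-encrypting suites has to guess the sentinel from the source. I would end the list with `|NID_des_ede3_cbc|, or |NID_undef| if |cipher| does not encrypt. */` so the replacement for the old predicate is spelled out in the header.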


+ 71
- 1
ssl/ssl_cipher.cc

@@ -1455,10 +1455,80 @@ int SSL_CIPHER_has_SHA384_HMAC(const SSL_CIPHER *cipher) {
return (cipher->algorithm_mac & SSL_SHA384) != 0;
}

int SSL_CIPHER_is_AEAD(const SSL_CIPHER *cipher) {
int SSL_CIPHER_is_aead(const SSL_CIPHER *cipher) {
return (cipher->algorithm_mac & SSL_AEAD) != 0;
}

int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *cipher) {
switch (cipher->algorithm_enc) {
case SSL_eNULL:
return NID_undef;
case SSL_3DES:
return NID_des_ede3_cbc;
case SSL_AES128:
return NID_aes_128_cbc;
case SSL_AES256:
return NID_aes_256_cbc;
case SSL_AES128GCM:
return NID_aes_128_gcm;
case SSL_AES256GCM:
return NID_aes_256_gcm;
case SSL_CHACHA20POLY1305:
return NID_chacha20_poly1305;
}
assert(0);
return NID_undef;
}

int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *cipher) {
switch (cipher->algorithm_mac) {
case SSL_AEAD:
return NID_undef;
case SSL_SHA1:
return NID_sha1;
case SSL_SHA256:
return NID_sha256;
case SSL_SHA384:
return NID_sha384;
}
assert(0);
return NID_undef;
}

int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *cipher) {
switch (cipher->algorithm_mkey) {
case SSL_kRSA:
return NID_kx_rsa;
case SSL_kECDHE:
return NID_kx_ecdhe;
case SSL_kPSK:
return NID_kx_psk;
case SSL_kGENERIC:
return NID_kx_any;
}
assert(0);
return NID_undef;
}

int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *cipher) {
switch (cipher->algorithm_auth) {
case SSL_aRSA:
return NID_auth_rsa;
case SSL_aECDSA:
return NID_auth_ecdsa;
case SSL_aPSK:
return NID_auth_psk;
case SSL_aGENERIC:
return NID_auth_any;
}
assert(0);
return NID_undef;
}

int SSL_CIPHER_is_AEAD(const SSL_CIPHER *cipher) {
return SSL_CIPHER_is_aead(cipher);
}

int SSL_CIPHER_is_AESGCM(const SSL_CIPHER *cipher) {
return (cipher->algorithm_enc & (SSL_AES128GCM | SSL_AES256GCM)) != 0;
}
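Review bot: The fallback after each of the four new `switch` statements is `assert(0); return NID_undef;`, and in `SSL_CIPHER_get_cipher_nid` and `SSL_CIPHER_get_digest_nid` that same `NID_undef` is also a legitimate answer (for `SSL_eNULL` and `SSL_AEAD` respectively). With assertions compiled out, a cipher whose field held an unlisted value would be reported as "does not encrypt" or "AEAD" instead of as an error; whether that can happen depends on the cipher table, which is outside this section. A one-line comment above each fallback would record the invariant the code relies on, for example `// Unreachable: every entry in the cipher table uses one of the values above.`. Callers that branch on the digest result should also check `SSL_CIPHER_is_aead`, as the header comment suggests.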


+ 114
- 20
ssl/ssl_test.cc

@@ -786,30 +786,119 @@ TEST(SSLTest, DefaultVersion) {
ExpectDefaultVersion(TLS1_2_VERSION, TLS1_2_VERSION, &DTLSv1_2_method);
}

TEST(SSLTest, CipherGetStandardName) {
TEST(SSLTest, CipherProperties) {
static const struct {
int id;
const char *standard_name;
int cipher_nid;
int digest_nid;
int kx_nid;
int auth_nid;
} kTests[] = {
{SSL3_CK_RSA_DES_192_CBC3_SHA, "TLS_RSA_WITH_3DES_EDE_CBC_SHA"},
{TLS1_CK_RSA_WITH_AES_128_SHA, "TLS_RSA_WITH_AES_128_CBC_SHA"},
{TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"},
{TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"},
{TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"},
{TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"},
{TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"},
{TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA,
"TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA"},
{TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"},
{TLS1_CK_AES_256_GCM_SHA384, "TLS_AES_256_GCM_SHA384"},
{TLS1_CK_AES_128_GCM_SHA256, "TLS_AES_128_GCM_SHA256"},
{TLS1_CK_CHACHA20_POLY1305_SHA256, "TLS_CHACHA20_POLY1305_SHA256"},
{
SSL3_CK_RSA_DES_192_CBC3_SHA,
"TLS_RSA_WITH_3DES_EDE_CBC_SHA",
NID_des_ede3_cbc,
NID_sha1,
NID_kx_rsa,
NID_auth_rsa,
},
{
TLS1_CK_RSA_WITH_AES_128_SHA,
"TLS_RSA_WITH_AES_128_CBC_SHA",
NID_aes_128_cbc,
NID_sha1,
NID_kx_rsa,
NID_auth_rsa,
},
{
TLS1_CK_PSK_WITH_AES_256_CBC_SHA,
"TLS_PSK_WITH_AES_256_CBC_SHA",
NID_aes_256_cbc,
NID_sha1,
NID_kx_psk,
NID_auth_psk,
},
{
TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
NID_aes_128_cbc,
NID_sha256,
NID_kx_ecdhe,
NID_auth_rsa,
},
{
TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
NID_aes_256_cbc,
NID_sha384,
NID_kx_ecdhe,
NID_auth_rsa,
},
{
TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
NID_aes_128_gcm,
NID_undef,
NID_kx_ecdhe,
NID_auth_rsa,
},
{
TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
NID_aes_128_gcm,
NID_undef,
NID_kx_ecdhe,
NID_auth_ecdsa,
},
{
TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
NID_aes_256_gcm,
NID_undef,
NID_kx_ecdhe,
NID_auth_ecdsa,
},
{
TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA,
"TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
NID_aes_128_cbc,
NID_sha1,
NID_kx_ecdhe,
NID_auth_psk,
},
{
TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
NID_chacha20_poly1305,
NID_undef,
NID_kx_ecdhe,
NID_auth_rsa,
},
{
TLS1_CK_AES_256_GCM_SHA384,
"TLS_AES_256_GCM_SHA384",
NID_aes_256_gcm,
NID_undef,
NID_kx_any,
NID_auth_any,
},
{
TLS1_CK_AES_128_GCM_SHA256,
"TLS_AES_128_GCM_SHA256",
NID_aes_128_gcm,
NID_undef,
NID_kx_any,
NID_auth_any,
},
{
TLS1_CK_CHACHA20_POLY1305_SHA256,
"TLS_CHACHA20_POLY1305_SHA256",
NID_chacha20_poly1305,
NID_undef,
NID_kx_any,
NID_auth_any,
},
};

for (const auto &t : kTests) {
@@ -822,6 +911,11 @@ TEST(SSLTest, CipherGetStandardName) {
bssl::UniquePtr<char> rfc_name(SSL_CIPHER_get_rfc_name(cipher));
ASSERT_TRUE(rfc_name);
EXPECT_STREQ(t.standard_name, rfc_name.get());

EXPECT_EQ(t.cipher_nid, SSL_CIPHER_get_cipher_nid(cipher));
EXPECT_EQ(t.digest_nid, SSL_CIPHER_get_digest_nid(cipher));
EXPECT_EQ(t.kx_nid, SSL_CIPHER_get_kx_nid(cipher));
EXPECT_EQ(t.auth_nid, SSL_CIPHER_get_auth_nid(cipher));
}
}
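Review bot: `kTests` exercises every `case` of the four new switches except `SSL_eNULL` in `SSL_CIPHER_get_cipher_nid`, so the `NID_undef` mapping that replaces `SSL_CIPHER_is_NULL` is never checked. If the library still exposes a null-encryption suite, one more row with `NID_undef` in the `cipher_nid` column would pin that result. The start of the loop body lies between the two hunks and is not shown, so I am assuming `cipher` is looked up from `t.id` there.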


