rustls · ctz · May 21, 2025 · May 21, 2025 · May 21, 2025
diff --git a/MATRIX.md b/MATRIX.md
@@ -30,13 +30,13 @@
 | `SRP_Calc_A_param` [^deprecatedin_3_0] [^srp] |  |  |  |  |
 | `SSL_CIPHER_description`  |  | :white_check_mark: |  | :white_check_mark: |
 | `SSL_CIPHER_find`  |  | :white_check_mark: | :white_check_mark: | :white_check_mark: |
-| `SSL_CIPHER_get_auth_nid`  |  |  | :white_check_mark: |  |
+| `SSL_CIPHER_get_auth_nid`  |  |  | :white_check_mark: | :white_check_mark: |
 | `SSL_CIPHER_get_bits`  |  |  | :white_check_mark: | :white_check_mark: |
 | `SSL_CIPHER_get_cipher_nid`  |  |  |  |  |
 | `SSL_CIPHER_get_digest_nid`  |  |  |  |  |
 | `SSL_CIPHER_get_handshake_digest`  |  |  |  |  |
 | `SSL_CIPHER_get_id`  |  | :white_check_mark: | :white_check_mark: | :white_check_mark: |
-| `SSL_CIPHER_get_kx_nid`  |  |  |  |  |
+| `SSL_CIPHER_get_kx_nid`  |  |  |  | :white_check_mark: |
 | `SSL_CIPHER_get_name`  | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
 | `SSL_CIPHER_get_protocol_id`  |  |  |  | :white_check_mark: |
 | `SSL_CIPHER_get_version`  |  |  |  | :white_check_mark: |

diff --git a/build.rs b/build.rs
@@ -52,8 +52,10 @@ const ENTRYPOINTS: &[&str] = &[
     "SSL_check_private_key",
     "SSL_CIPHER_description",
     "SSL_CIPHER_find",
+    "SSL_CIPHER_get_auth_nid",
     "SSL_CIPHER_get_bits",
     "SSL_CIPHER_get_id",
+    "SSL_CIPHER_get_kx_nid",
     "SSL_CIPHER_get_name",
     "SSL_CIPHER_get_protocol_id",
     "SSL_CIPHER_get_version",

diff --git a/src/constants.rs b/src/constants.rs
@@ -150,3 +150,10 @@ pub fn named_group_to_nid(group: NamedGroup) -> Option<c_int> {
         _ => None,
     }
 }
+
+pub(super) const NID_AUTH_ANY: c_int = 1064;
+pub(super) const NID_AUTH_ECDSA: c_int = 1047;
+pub(super) const NID_AUTH_RSA: c_int = 1046;
+
+pub(super) const NID_KX_ANY: c_int = 1063;
+pub(super) const NID_KX_ECDHE: c_int = 1038;
diff --git a/src/entry.rs b/src/entry.rs
@@ -1550,6 +1550,18 @@ entry! {
     }
 }
 
+entry! {
+    pub fn _SSL_CIPHER_get_auth_nid(cipher: *const SSL_CIPHER) -> c_int {
+        try_ref_from_ptr!(cipher).auth
+    }
+}
+
+entry! {
+    pub fn _SSL_CIPHER_get_kx_nid(cipher: *const SSL_CIPHER) -> c_int {
+        try_ref_from_ptr!(cipher).kx
+    }
+}
+
 entry! {
     pub fn _SSL_CIPHER_get_protocol_id(cipher: *const SSL_CIPHER) -> u16 {
         try_ref_from_ptr!(cipher).protocol_id()

diff --git a/src/lib.rs b/src/lib.rs
@@ -93,6 +93,8 @@ static TLS_METHOD: SslMethod = SslMethod {
 /// Functions that return `SSL_CIPHER` give static-lifetime pointers.
 pub struct SslCipher {
     pub bits: usize,
+    pub auth: i32,
+    pub kx: i32,
     pub openssl_name: &'static CStr,
     pub standard_name: &'static CStr,
     pub version: &'static CStr,
@@ -139,6 +141,8 @@ impl SslCipher {
 
 static TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: SslCipher = SslCipher {
     rustls: &provider::cipher_suite::TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+    auth: constants::NID_AUTH_ECDSA,
+    kx: constants::NID_KX_ECDHE,
     bits: 128,
     openssl_name: c"ECDHE-ECDSA-AES128-GCM-SHA256",
     standard_name: c"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
@@ -148,6 +152,8 @@ static TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: SslCipher = SslCipher {
 
 static TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: SslCipher = SslCipher {
     rustls: &provider::cipher_suite::TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+    auth: constants::NID_AUTH_ECDSA,
+    kx: constants::NID_KX_ECDHE,
     bits: 256,
     openssl_name: c"ECDHE-ECDSA-AES256-GCM-SHA384",
     standard_name: c"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
@@ -157,6 +163,8 @@ static TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: SslCipher = SslCipher {
 
 static TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: SslCipher = SslCipher {
     rustls: &provider::cipher_suite::TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+    auth: constants::NID_AUTH_ECDSA,
+    kx: constants::NID_KX_ECDHE,
     bits: 256,
     openssl_name: c"ECDHE-ECDSA-CHACHA20-POLY1305",
     standard_name: c"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
@@ -166,6 +174,8 @@ static TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: SslCipher = SslCipher {
 
 static TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: SslCipher = SslCipher {
     rustls: &provider::cipher_suite::TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+    auth: constants::NID_AUTH_RSA,
+    kx: constants::NID_KX_ECDHE,
     bits: 128,
     openssl_name: c"ECDHE-RSA-AES128-GCM-SHA256",
     standard_name: c"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
@@ -175,6 +185,8 @@ static TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: SslCipher = SslCipher {
 
 static TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: SslCipher = SslCipher {
     rustls: &provider::cipher_suite::TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+    auth: constants::NID_AUTH_RSA,
+    kx: constants::NID_KX_ECDHE,
     bits: 256,
     openssl_name: c"ECDHE-RSA-AES256-GCM-SHA384",
     standard_name: c"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
@@ -184,6 +196,8 @@ static TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: SslCipher = SslCipher {
 
 static TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: SslCipher = SslCipher {
     rustls: &provider::cipher_suite::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+    auth: constants::NID_AUTH_RSA,
+    kx: constants::NID_KX_ECDHE,
     bits: 256,
     openssl_name: c"ECDHE-RSA-CHACHA20-POLY1305",
     standard_name: c"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
@@ -193,6 +207,8 @@ static TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: SslCipher = SslCipher {
 
 static TLS13_AES_128_GCM_SHA256: SslCipher = SslCipher {
     rustls: &provider::cipher_suite::TLS13_AES_128_GCM_SHA256,
+    auth: constants::NID_AUTH_ANY,
+    kx: constants::NID_KX_ANY,
     bits: 128,
     openssl_name: c"TLS_AES_128_GCM_SHA256",
     standard_name: c"TLS_AES_128_GCM_SHA256",
@@ -202,6 +218,8 @@ static TLS13_AES_128_GCM_SHA256: SslCipher = SslCipher {
 
 static TLS13_AES_256_GCM_SHA384: SslCipher = SslCipher {
     rustls: &provider::cipher_suite::TLS13_AES_256_GCM_SHA384,
+    auth: constants::NID_AUTH_ANY,
+    kx: constants::NID_KX_ANY,
     bits: 256,
     openssl_name: c"TLS_AES_256_GCM_SHA384",
     standard_name: c"TLS_AES_256_GCM_SHA384",
@@ -211,6 +229,8 @@ static TLS13_AES_256_GCM_SHA384: SslCipher = SslCipher {
 
 static TLS13_CHACHA20_POLY1305_SHA256: SslCipher = SslCipher {
     rustls: &provider::cipher_suite::TLS13_CHACHA20_POLY1305_SHA256,
+    auth: constants::NID_AUTH_ANY,
+    kx: constants::NID_KX_ANY,
     bits: 256,
     openssl_name: c"TLS_CHACHA20_POLY1305_SHA256",
     standard_name: c"TLS_CHACHA20_POLY1305_SHA256",

diff --git a/tests/ciphers.c b/tests/ciphers.c
@@ -8,12 +8,13 @@
 
 static void print_cipher(const SSL_CIPHER *cipher) {
   if (cipher) {
-    printf("openssl_id=0x%08x protocol_id=0x%08x ", SSL_CIPHER_get_id(cipher),
-           SSL_CIPHER_get_protocol_id(cipher));
+    printf("openssl_id=0x%08x protocol_id=0x%08x auth=%d kx=%d ",
+           SSL_CIPHER_get_id(cipher), SSL_CIPHER_get_protocol_id(cipher),
+           SSL_CIPHER_get_auth_nid(cipher), SSL_CIPHER_get_kx_nid(cipher));
   } else {
-    // SSL_CIPHER_get_id(NULL) and SSL_CIPHER_get_protocol_id(NULL) both
-    // segfault
-    printf("openssl_id=undef protocol_id=undef ");
+    // SSL_CIPHER_get_id(NULL), SSL_CIPHER_get_protocol_id(NULL),
+    // SSL_CIPHER_get_auth_nid(NULL), SSL_CIPHER_get_kx_nid(NULL) all segfault
+    printf("openssl_id=undef protocol_id=undef auth=undef kx=undef ");
   }
   int alg_bits = -1;
   printf("bits=%d ", SSL_CIPHER_get_bits(cipher, &alg_bits));