From 07f5f270b2dc20ebd493ae357a3fcc99e918a3a4 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date: Tue, 27 Nov 2018 13:47:46 +0100
Subject: Fix session description info printing

This fixes a truncation issue in session description information printing
for certain ciphersuites, and adds a limited testing of expected description
strings for certain ciphersuites.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
---
 lib/session.c             |  2 +-
 tests/cipher-neg-common.c | 14 +++++++++
 tests/tls12-cipher-neg.c  | 78 +++++++++++++++++++++++++++++++----------------
 tests/tls13-cipher-neg.c  | 42 ++++++++++++++++---------
 4 files changed, 95 insertions(+), 41 deletions(-)

diff --git a/lib/session.c b/lib/session.c
index 5d862198b5..a7ac943153 100644
--- a/lib/session.c
+++ b/lib/session.c
@@ -317,7 +317,7 @@ void gnutls_session_force_valid(gnutls_session_t session)
 	session->internals.invalid_connection = 0;
 }
 
-#define DESC_SIZE 64
+#define DESC_SIZE 96
 
 /**
  * gnutls_session_get_desc:
diff --git a/tests/cipher-neg-common.c b/tests/cipher-neg-common.c
index a855147359..bfbda8b05b 100644
--- a/tests/cipher-neg-common.c
+++ b/tests/cipher-neg-common.c
@@ -26,6 +26,7 @@ typedef struct test_case_st {
 	int group;
 	const char *client_prio;
 	const char *server_prio;
+	const char *desc;
 	unsigned not_on_fips;
 } test_case_st;
 
@@ -73,6 +74,19 @@ static void try(test_case_st *test)
 	sret = gnutls_cipher_get(client);
 	cret = gnutls_cipher_get(server);
 
+	if (test->desc) {
+		char *desc1 = gnutls_session_get_desc(server);
+		char *desc2 = gnutls_session_get_desc(client);
+
+		if (strcmp(desc1, desc2) != 0)
+			fail("server and client session description don't match (%s, %s)\n", desc1, desc2);
+
+		if (strcmp(desc1, test->desc) != 0)
+			fail("session and expected session description don't match (%s, %s)\n", desc1, test->desc);
+		gnutls_free(desc1);
+		gnutls_free(desc2);
+	}
+
 	if (sret != cret) {
 		fail("%s: client negotiated different cipher than server (%s, %s)!\n",
 			test->name, gnutls_cipher_get_name(cret),
diff --git a/tests/tls12-cipher-neg.c b/tests/tls12-cipher-neg.c
index 3e2352d677..1986604251 100644
--- a/tests/tls12-cipher-neg.c
+++ b/tests/tls12-cipher-neg.c
@@ -43,166 +43,192 @@ test_case_st tests[] = {
 		.not_on_fips = 1,
 		.cipher = GNUTLS_CIPHER_NULL,
 		.server_prio = "NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2:%SERVER_PRECEDENCE",
-		.client_prio = "NORMAL:+NULL"
+		.client_prio = "NORMAL:+NULL",
+		.desc = "(TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA256)-(NULL)-(SHA1)",
 	},
 	{
 		.name = "client TLS 1.2: NULL (client)",
 		.not_on_fips = 1,
 		.cipher = GNUTLS_CIPHER_NULL,
 		.server_prio = "NORMAL:+NULL",
-		.client_prio = "NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2"
+		.client_prio = "NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2",
+		.desc = "(TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA256)-(NULL)-(SHA1)",
 	},
 	{
 		.name = "server TLS 1.2: AES-128-GCM (server)",
 		.cipher = GNUTLS_CIPHER_AES_128_GCM,
 		.server_prio = "NORMAL:-CIPHER-ALL:+AES-128-GCM:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2:%SERVER_PRECEDENCE",
-		.client_prio = "NORMAL:+AES-128-GCM"
+		.client_prio = "NORMAL:+AES-128-GCM",
+		.desc = "(TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA256)-(AES-128-GCM)"
 	},
 	{
 		.name = "both TLS 1.2: AES-128-GCM (server)",
 		.cipher = GNUTLS_CIPHER_AES_128_GCM,
 		.server_prio = "NORMAL:-CIPHER-ALL:+AES-128-GCM:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2:%SERVER_PRECEDENCE",
-		.client_prio = "NORMAL:+AES-128-GCM:+VERS-TLS1.2"
+		.client_prio = "NORMAL:+AES-128-GCM:+VERS-TLS1.2",
+		.desc = "(TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA256)-(AES-128-GCM)"
 	},
 	{
 		.name = "client TLS 1.2: AES-128-GCM (client)",
 		.cipher = GNUTLS_CIPHER_AES_128_GCM,
 		.server_prio = "NORMAL:+AES-128-GCM",
-		.client_prio = "NORMAL:-CIPHER-ALL:+AES-128-GCM:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2"
+		.client_prio = "NORMAL:-CIPHER-ALL:+AES-128-GCM:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2",
+		.desc = "(TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA256)-(AES-128-GCM)"
 	},
 	{
 		.name = "both TLS 1.2: AES-128-GCM (client)",
 		.cipher = GNUTLS_CIPHER_AES_128_GCM,
 		.server_prio = "NORMAL:+AES-128-GCM:+VERS-TLS1.2",
-		.client_prio = "NORMAL:-CIPHER-ALL:+AES-128-GCM:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2"
+		.client_prio = "NORMAL:-CIPHER-ALL:+AES-128-GCM:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2",
+		.desc = "(TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA256)-(AES-128-GCM)"
 	},
 	{
 		.name = "server TLS 1.2: AES-128-CCM (server)",
 		.cipher = GNUTLS_CIPHER_AES_128_CCM,
 		.server_prio = "NORMAL:-CIPHER-ALL:+AES-128-CCM:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2:%SERVER_PRECEDENCE",
-		.client_prio = "NORMAL:+AES-128-CCM"
+		.client_prio = "NORMAL:+AES-128-CCM",
+		.desc = "(TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA256)-(AES-128-CCM)"
 	},
 	{
 		.name = "both TLS 1.2: AES-128-CCM (server)",
 		.cipher = GNUTLS_CIPHER_AES_128_CCM,
 		.server_prio = "NORMAL:-CIPHER-ALL:+AES-128-CCM:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2:%SERVER_PRECEDENCE",
-		.client_prio = "NORMAL:+AES-128-CCM:+VERS-TLS1.2"
+		.client_prio = "NORMAL:+AES-128-CCM:+VERS-TLS1.2",
+		.desc = "(TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA256)-(AES-128-CCM)"
 	},
 	{
 		.name = "client TLS 1.2: AES-128-CCM (client)",
 		.cipher = GNUTLS_CIPHER_AES_128_CCM,
 		.server_prio = "NORMAL:+AES-128-CCM",
-		.client_prio = "NORMAL:-CIPHER-ALL:+AES-128-CCM:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2"
+		.client_prio = "NORMAL:-CIPHER-ALL:+AES-128-CCM:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2",
+		.desc = "(TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA256)-(AES-128-CCM)"
 	},
 	{
 		.name = "both TLS 1.2: AES-128-CCM (client)",
 		.cipher = GNUTLS_CIPHER_AES_128_CCM,
 		.server_prio = "NORMAL:+AES-128-CCM:+VERS-TLS1.2",
-		.client_prio = "NORMAL:-CIPHER-ALL:+AES-128-CCM:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2"
+		.client_prio = "NORMAL:-CIPHER-ALL:+AES-128-CCM:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2",
+		.desc = "(TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA256)-(AES-128-CCM)"
 	},
 	{
 		.name = "server TLS 1.2: CHACHA20-POLY (server)",
 		.cipher = GNUTLS_CIPHER_CHACHA20_POLY1305,
 		.not_on_fips = 1,
 		.server_prio = "NORMAL:-CIPHER-ALL:+CHACHA20-POLY1305:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2:%SERVER_PRECEDENCE",
-		.client_prio = "NORMAL:+CHACHA20-POLY1305"
+		.client_prio = "NORMAL:+CHACHA20-POLY1305",
+		.desc = "(TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA256)-(CHACHA20-POLY1305)"
 	},
 	{
 		.name = "both TLS 1.2: CHACHA20-POLY (server)",
 		.cipher = GNUTLS_CIPHER_CHACHA20_POLY1305,
 		.not_on_fips = 1,
 		.server_prio = "NORMAL:-CIPHER-ALL:+CHACHA20-POLY1305:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2:%SERVER_PRECEDENCE",
-		.client_prio = "NORMAL:+CHACHA20-POLY1305:+VERS-TLS1.2"
+		.client_prio = "NORMAL:+CHACHA20-POLY1305:+VERS-TLS1.2",
+		.desc = "(TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA256)-(CHACHA20-POLY1305)"
 	},
 	{
 		.name = "client TLS 1.2: CHACHA20-POLY (client)",
 		.cipher = GNUTLS_CIPHER_CHACHA20_POLY1305,
 		.not_on_fips = 1,
 		.server_prio = "NORMAL:+CHACHA20-POLY1305",
-		.client_prio = "NORMAL:-CIPHER-ALL:+CHACHA20-POLY1305:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2"
+		.client_prio = "NORMAL:-CIPHER-ALL:+CHACHA20-POLY1305:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2",
+		.desc = "(TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA256)-(CHACHA20-POLY1305)"
 	},
 	{
 		.name = "both TLS 1.2: CHACHA20-POLY (client)",
 		.cipher = GNUTLS_CIPHER_CHACHA20_POLY1305,
 		.not_on_fips = 1,
 		.server_prio = "NORMAL:+CHACHA20-POLY1305:+VERS-TLS1.2",
-		.client_prio = "NORMAL:-CIPHER-ALL:+CHACHA20-POLY1305:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2"
+		.client_prio = "NORMAL:-CIPHER-ALL:+CHACHA20-POLY1305:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2",
+		.desc = "(TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA256)-(CHACHA20-POLY1305)"
 	},
 	{
 		.name = "server TLS 1.2: AES-128-CBC (server)",
 		.cipher = GNUTLS_CIPHER_AES_128_CBC,
 		.server_prio = "NORMAL:-CIPHER-ALL:+AES-128-CBC:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2:%SERVER_PRECEDENCE",
-		.client_prio = "NORMAL:+AES-128-CBC"
+		.client_prio = "NORMAL:+AES-128-CBC",
+		.desc = "(TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA256)-(AES-128-CBC)-(SHA1)"
 	},
 	{
 		.name = "both TLS 1.2: AES-128-CBC (server)",
 		.cipher = GNUTLS_CIPHER_AES_128_CBC,
 		.server_prio = "NORMAL:-CIPHER-ALL:+AES-128-CBC:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2:%SERVER_PRECEDENCE",
-		.client_prio = "NORMAL:+AES-128-CBC:+VERS-TLS1.2"
+		.client_prio = "NORMAL:+AES-128-CBC:+VERS-TLS1.2",
+		.desc = "(TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA256)-(AES-128-CBC)-(SHA1)"
 	},
 	{
 		.name = "client TLS 1.2: AES-128-CBC (client)",
 		.cipher = GNUTLS_CIPHER_AES_128_CBC,
 		.server_prio = "NORMAL:+AES-128-CBC",
-		.client_prio = "NORMAL:-CIPHER-ALL:+AES-128-CBC:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2"
+		.client_prio = "NORMAL:-CIPHER-ALL:+AES-128-CBC:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2",
+		.desc = "(TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA256)-(AES-128-CBC)-(SHA1)"
 	},
 	{
 		.name = "both TLS 1.2: AES-128-CBC (client)",
 		.cipher = GNUTLS_CIPHER_AES_128_CBC,
 		.server_prio = "NORMAL:+AES-128-CBC:+VERS-TLS1.2",
-		.client_prio = "NORMAL:-CIPHER-ALL:+AES-128-CBC:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2"
+		.client_prio = "NORMAL:-CIPHER-ALL:+AES-128-CBC:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2",
+		.desc = "(TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA256)-(AES-128-CBC)-(SHA1)"
 	},
 	{
 		.name = "server TLS 1.2: 3DES-CBC (server)",
 		.cipher = GNUTLS_CIPHER_3DES_CBC,
 		.server_prio = "NORMAL:-CIPHER-ALL:+3DES-CBC:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2:%SERVER_PRECEDENCE",
-		.client_prio = "NORMAL:+3DES-CBC"
+		.client_prio = "NORMAL:+3DES-CBC",
+		.desc = "(TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA256)-(3DES-CBC)-(SHA1)"
 	},
 	{
 		.name = "both TLS 1.2: 3DES-CBC (server)",
 		.cipher = GNUTLS_CIPHER_3DES_CBC,
 		.server_prio = "NORMAL:-CIPHER-ALL:+3DES-CBC:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2:%SERVER_PRECEDENCE",
-		.client_prio = "NORMAL:+3DES-CBC:+VERS-TLS1.2"
+		.client_prio = "NORMAL:+3DES-CBC:+VERS-TLS1.2",
+		.desc = "(TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA256)-(3DES-CBC)-(SHA1)"
 	},
 	{
 		.name = "client TLS 1.2: 3DES-CBC (client)",
 		.cipher = GNUTLS_CIPHER_3DES_CBC,
 		.server_prio = "NORMAL:+3DES-CBC",
-		.client_prio = "NORMAL:-CIPHER-ALL:+3DES-CBC:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2"
+		.client_prio = "NORMAL:-CIPHER-ALL:+3DES-CBC:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2",
+		.desc = "(TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA256)-(3DES-CBC)-(SHA1)"
 	},
 	{
 		.name = "both TLS 1.2: 3DES-CBC (client)",
 		.cipher = GNUTLS_CIPHER_3DES_CBC,
 		.server_prio = "NORMAL:+3DES-CBC:+VERS-TLS1.2",
-		.client_prio = "NORMAL:-CIPHER-ALL:+3DES-CBC:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2"
+		.client_prio = "NORMAL:-CIPHER-ALL:+3DES-CBC:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2",
+		.desc = "(TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA256)-(3DES-CBC)-(SHA1)"
 	},
 	{
 		.name = "server TLS 1.2: ARCFOUR-128 (server)",
 		.cipher = GNUTLS_CIPHER_ARCFOUR_128,
 		.not_on_fips = 1,
 		.server_prio = "NORMAL:-CIPHER-ALL:+ARCFOUR-128:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2:%SERVER_PRECEDENCE",
-		.client_prio = "NORMAL:+ARCFOUR-128"
+		.client_prio = "NORMAL:+ARCFOUR-128",
+		.desc = "(TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA256)-(ARCFOUR-128)-(SHA1)"
 	},
 	{
 		.name = "both TLS 1.2: ARCFOUR-128 (server)",
 		.cipher = GNUTLS_CIPHER_ARCFOUR_128,
 		.not_on_fips = 1,
 		.server_prio = "NORMAL:-CIPHER-ALL:+ARCFOUR-128:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2:%SERVER_PRECEDENCE",
-		.client_prio = "NORMAL:+ARCFOUR-128:+VERS-TLS1.2"
+		.client_prio = "NORMAL:+ARCFOUR-128:+VERS-TLS1.2",
+		.desc = "(TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA256)-(ARCFOUR-128)-(SHA1)"
 	},
 	{
 		.name = "client TLS 1.2: ARCFOUR-128 (client)",
 		.cipher = GNUTLS_CIPHER_ARCFOUR_128,
 		.not_on_fips = 1,
 		.server_prio = "NORMAL:+ARCFOUR-128",
-		.client_prio = "NORMAL:-CIPHER-ALL:+ARCFOUR-128:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2"
+		.client_prio = "NORMAL:-CIPHER-ALL:+ARCFOUR-128:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2",
+		.desc = "(TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA256)-(ARCFOUR-128)-(SHA1)"
 	},
 	{
 		.name = "both TLS 1.2: ARCFOUR-128 (client)",
 		.cipher = GNUTLS_CIPHER_ARCFOUR_128,
 		.not_on_fips = 1,
 		.server_prio = "NORMAL:+ARCFOUR-128:+VERS-TLS1.2",
-		.client_prio = "NORMAL:-CIPHER-ALL:+ARCFOUR-128:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2"
+		.client_prio = "NORMAL:-CIPHER-ALL:+ARCFOUR-128:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2",
+		.desc = "(TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA256)-(ARCFOUR-128)-(SHA1)"
 	}
 };
 
diff --git a/tests/tls13-cipher-neg.c b/tests/tls13-cipher-neg.c
index df8d8de035..ac173bc54f 100644
--- a/tests/tls13-cipher-neg.c
+++ b/tests/tls13-cipher-neg.c
@@ -49,98 +49,112 @@ test_case_st tests[] = {
 		.not_on_fips = 1,
 		.cipher = GNUTLS_CIPHER_NULL,
 		.server_prio = SPRIO":+VERS-TLS1.2:-CIPHER-ALL:+NULL:+CIPHER-ALL:%SERVER_PRECEDENCE:-GROUP-ALL:+GROUP-SECP256R1:+GROUP-ALL",
-		.client_prio = CPRIO":+VERS-TLS1.2:+NULL:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-SECP384R1:+GROUP-SECP521R1:+GROUP-SECP256R1"
+		.client_prio = CPRIO":+VERS-TLS1.2:+NULL:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-SECP384R1:+GROUP-SECP521R1:+GROUP-SECP256R1",
+		.desc = "(TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA256)-(NULL)-(SHA1)",
 	},
 	{
 		.name = "client TLS 1.3: NULL (client)",
 		.not_on_fips = 1,
 		.cipher = GNUTLS_CIPHER_NULL,
 		.server_prio = SPRIO":+VERS-TLS1.2:+NULL:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-SECP384R1:+GROUP-SECP521R1:+GROUP-SECP256R1",
-		.client_prio = CPRIO":-CIPHER-ALL:+NULL:+CIPHER-ALL:+VERS-TLS1.2:-GROUP-ALL:+GROUP-SECP256R1:+GROUP-ALL"
+		.client_prio = CPRIO":-CIPHER-ALL:+NULL:+CIPHER-ALL:+VERS-TLS1.2:-GROUP-ALL:+GROUP-SECP256R1:+GROUP-ALL",
+		.desc = "(TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA256)-(NULL)-(SHA1)",
 	},
 	{
 		.name = "server TLS 1.3: AES-128-GCM with SECP256R1 (server)",
 		.cipher = GNUTLS_CIPHER_AES_128_GCM,
 		.group = GNUTLS_GROUP_SECP256R1,
 		.server_prio = SPRIO":-CIPHER-ALL:+AES-128-GCM:+CIPHER-ALL:%SERVER_PRECEDENCE:-GROUP-ALL:+GROUP-SECP256R1:+GROUP-ALL",
-		.client_prio = CPRIO":+AES-128-GCM:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-SECP384R1:+GROUP-SECP521R1:+GROUP-SECP256R1"
+		.client_prio = CPRIO":+AES-128-GCM:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-SECP384R1:+GROUP-SECP521R1:+GROUP-SECP256R1",
+		.desc = "(TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM)",
 	},
 	{
 		.name = "both TLS 1.3: AES-128-GCM with X25519 (server)",
 		.cipher = GNUTLS_CIPHER_AES_128_GCM,
 		.group = GNUTLS_GROUP_X25519,
 		.server_prio = SPRIO":-CIPHER-ALL:+AES-128-GCM:+CIPHER-ALL:%SERVER_PRECEDENCE:-GROUP-ALL:+GROUP-X25519:+GROUP-ALL",
-		.client_prio = CPRIO":+AES-128-GCM:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-SECP384R1:+GROUP-SECP521R1:+GROUP-SECP256R1:+GROUP-ALL"
+		.client_prio = CPRIO":+AES-128-GCM:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-SECP384R1:+GROUP-SECP521R1:+GROUP-SECP256R1:+GROUP-ALL",
+		.desc = "(TLS1.3)-(ECDHE-X25519)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM)",
 	},
 	{
 		.name = "client TLS 1.3: AES-128-GCM with SECP256R1 (client)",
 		.cipher = GNUTLS_CIPHER_AES_128_GCM,
 		.group = GNUTLS_GROUP_SECP256R1,
 		.server_prio = SPRIO":+AES-128-GCM:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-SECP384R1:+GROUP-SECP521R1:+GROUP-SECP256R1",
-		.client_prio = CPRIO":-CIPHER-ALL:+AES-128-GCM:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-SECP256R1:+GROUP-ALL"
+		.client_prio = CPRIO":-CIPHER-ALL:+AES-128-GCM:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-SECP256R1:+GROUP-ALL",
+		.desc = "(TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM)",
 	},
 	{
 		.name = "both TLS 1.3: AES-128-GCM with X25519 (client)",
 		.cipher = GNUTLS_CIPHER_AES_128_GCM,
 		.group = GNUTLS_GROUP_X25519,
 		.server_prio = SPRIO":+AES-128-GCM:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-SECP384R1:+GROUP-SECP521R1:+GROUP-SECP256R1:+GROUP-ALL",
-		.client_prio = CPRIO":-CIPHER-ALL:+AES-128-GCM:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-X25519:+GROUP-ALL"
+		.client_prio = CPRIO":-CIPHER-ALL:+AES-128-GCM:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-X25519:+GROUP-ALL",
+		.desc = "(TLS1.3)-(ECDHE-X25519)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM)",
 	},
 	{
 		.name = "server TLS 1.3: AES-128-CCM and FFDHE2048 (server)",
 		.cipher = GNUTLS_CIPHER_AES_128_CCM,
 		.group = GNUTLS_GROUP_FFDHE2048,
 		.server_prio = SPRIO":-CIPHER-ALL:+AES-128-CCM:+CIPHER-ALL:%SERVER_PRECEDENCE:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-ALL",
-		.client_prio = CPRIO":+AES-128-CCM"
+		.client_prio = CPRIO":+AES-128-CCM",
+		.desc = "(TLS1.3)-(DHE-FFDHE2048)-(RSA-PSS-RSAE-SHA256)-(AES-128-CCM)",
 	},
 	{
 		.name = "both TLS 1.3: AES-128-CCM and FFDHE 2048 (server)",
 		.cipher = GNUTLS_CIPHER_AES_128_CCM,
 		.group = GNUTLS_GROUP_FFDHE2048,
 		.server_prio = SPRIO":-CIPHER-ALL:+AES-128-CCM:+CIPHER-ALL:%SERVER_PRECEDENCE:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-ALL",
-		.client_prio = CPRIO":+AES-128-CCM:+VERS-TLS1.3"
+		.client_prio = CPRIO":+AES-128-CCM:+VERS-TLS1.3",
+		.desc = "(TLS1.3)-(DHE-FFDHE2048)-(RSA-PSS-RSAE-SHA256)-(AES-128-CCM)",
 	},
 	{
 		.name = "client TLS 1.3: AES-128-CCM and FFDHE 2048 (client)",
 		.cipher = GNUTLS_CIPHER_AES_128_CCM,
 		.group = GNUTLS_GROUP_FFDHE2048,
 		.server_prio = SPRIO":+AES-128-CCM",
-		.client_prio = CPRIO":-CIPHER-ALL:+AES-128-CCM:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-ALL"
+		.client_prio = CPRIO":-CIPHER-ALL:+AES-128-CCM:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-ALL",
+		.desc = "(TLS1.3)-(DHE-FFDHE2048)-(RSA-PSS-RSAE-SHA256)-(AES-128-CCM)",
 	},
 	{
 		.name = "both TLS 1.3: AES-128-CCM and FFDHE 2048 (client)",
 		.cipher = GNUTLS_CIPHER_AES_128_CCM,
 		.group = GNUTLS_GROUP_FFDHE2048,
 		.server_prio = SPRIO":+AES-128-CCM:+VERS-TLS1.3",
-		.client_prio = CPRIO":-CIPHER-ALL:+AES-128-CCM:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-ALL"
+		.client_prio = CPRIO":-CIPHER-ALL:+AES-128-CCM:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-ALL",
+		.desc = "(TLS1.3)-(DHE-FFDHE2048)-(RSA-PSS-RSAE-SHA256)-(AES-128-CCM)",
 	},
 	{
 		.name = "server TLS 1.3: CHACHA20-POLY (server)",
 		.cipher = GNUTLS_CIPHER_CHACHA20_POLY1305,
 		.not_on_fips = 1,
 		.server_prio = SPRIO":-CIPHER-ALL:+CHACHA20-POLY1305:+CIPHER-ALL:%SERVER_PRECEDENCE",
-		.client_prio = CPRIO":+CHACHA20-POLY1305"
+		.client_prio = CPRIO":+CHACHA20-POLY1305",
+		.desc = "(TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(CHACHA20-POLY1305)",
 	},
 	{
 		.name = "both TLS 1.3: CHACHA20-POLY (server)",
 		.cipher = GNUTLS_CIPHER_CHACHA20_POLY1305,
 		.not_on_fips = 1,
 		.server_prio = SPRIO":-CIPHER-ALL:+CHACHA20-POLY1305:+CIPHER-ALL:%SERVER_PRECEDENCE",
-		.client_prio = CPRIO":+CHACHA20-POLY1305:+VERS-TLS1.3"
+		.client_prio = CPRIO":+CHACHA20-POLY1305:+VERS-TLS1.3",
+		.desc = "(TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(CHACHA20-POLY1305)",
 	},
 	{
 		.name = "client TLS 1.3: CHACHA20-POLY (client)",
 		.cipher = GNUTLS_CIPHER_CHACHA20_POLY1305,
 		.not_on_fips = 1,
 		.server_prio = SPRIO":+CHACHA20-POLY1305",
-		.client_prio = CPRIO":-CIPHER-ALL:+CHACHA20-POLY1305:+CIPHER-ALL"
+		.client_prio = CPRIO":-CIPHER-ALL:+CHACHA20-POLY1305:+CIPHER-ALL",
+		.desc = "(TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(CHACHA20-POLY1305)",
 	},
 	{
 		.name = "both TLS 1.3: CHACHA20-POLY (client)",
 		.cipher = GNUTLS_CIPHER_CHACHA20_POLY1305,
 		.not_on_fips = 1,
 		.server_prio = SPRIO":+CHACHA20-POLY1305",
-		.client_prio = CPRIO":-CIPHER-ALL:+CHACHA20-POLY1305:+CIPHER-ALL"
+		.client_prio = CPRIO":-CIPHER-ALL:+CHACHA20-POLY1305:+CIPHER-ALL",
+		.desc = "(TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(CHACHA20-POLY1305)",
 	}
 };
 
-- 
cgit v1.2.1