1 /* 2 * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <stdio.h> 11 #include <stdlib.h> 12 #include <string.h> 13 #include "apps.h" 14 #include "progs.h" 15 #include <openssl/err.h> 16 #include <openssl/ssl.h> 17 #include "s_apps.h" 18 19 typedef enum OPTION_choice { 20 OPT_COMMON, 21 OPT_STDNAME, 22 OPT_CONVERT, 23 OPT_SSL3, 24 OPT_TLS1, 25 OPT_TLS1_1, 26 OPT_TLS1_2, 27 OPT_TLS1_3, 28 OPT_PSK, 29 OPT_SRP, 30 OPT_CIPHERSUITES, 31 OPT_V, OPT_UPPER_V, OPT_S, OPT_PROV_ENUM 32 } OPTION_CHOICE; 33 34 const OPTIONS ciphers_options[] = { 35 {OPT_HELP_STR, 1, '-', "Usage: %s [options] [cipher]\n"}, 36 37 OPT_SECTION("General"), 38 {"help", OPT_HELP, '-', "Display this summary"}, 39 40 OPT_SECTION("Output"), 41 {"v", OPT_V, '-', "Verbose listing of the SSL/TLS ciphers"}, 42 {"V", OPT_UPPER_V, '-', "Even more verbose"}, 43 {"stdname", OPT_STDNAME, '-', "Show standard cipher names"}, 44 {"convert", OPT_CONVERT, 's', "Convert standard name into OpenSSL name"}, 45 46 OPT_SECTION("Cipher specification"), 47 {"s", OPT_S, '-', "Only supported ciphers"}, 48 #ifndef OPENSSL_NO_SSL3 49 {"ssl3", OPT_SSL3, '-', "Ciphers compatible with SSL3"}, 50 #endif 51 #ifndef OPENSSL_NO_TLS1 52 {"tls1", OPT_TLS1, '-', "Ciphers compatible with TLS1"}, 53 #endif 54 #ifndef OPENSSL_NO_TLS1_1 55 {"tls1_1", OPT_TLS1_1, '-', "Ciphers compatible with TLS1.1"}, 56 #endif 57 #ifndef OPENSSL_NO_TLS1_2 58 {"tls1_2", OPT_TLS1_2, '-', "Ciphers compatible with TLS1.2"}, 59 #endif 60 #ifndef OPENSSL_NO_TLS1_3 61 {"tls1_3", OPT_TLS1_3, '-', "Ciphers compatible with TLS1.3"}, 62 #endif 63 #ifndef OPENSSL_NO_PSK 64 {"psk", OPT_PSK, '-', "Include ciphersuites requiring PSK"}, 65 #endif 66 #ifndef OPENSSL_NO_SRP 67 {"srp", OPT_SRP, '-', "(deprecated) Include ciphersuites requiring SRP"}, 68 #endif 69 {"ciphersuites", OPT_CIPHERSUITES, 's', 70 "Configure the TLSv1.3 ciphersuites to use"}, 71 OPT_PROV_OPTIONS, 72 73 OPT_PARAMETERS(), 74 {"cipher", 0, 0, "Cipher string to decode (optional)"}, 75 {NULL} 76 }; 77 78 #ifndef OPENSSL_NO_PSK 79 static unsigned int dummy_psk(SSL *ssl, const char *hint, char *identity, 80 unsigned int max_identity_len, 81 unsigned char *psk, 82 unsigned int max_psk_len) 83 { 84 return 0; 85 } 86 #endif 87 88 int ciphers_main(int argc, char **argv) 89 { 90 SSL_CTX *ctx = NULL; 91 SSL *ssl = NULL; 92 STACK_OF(SSL_CIPHER) *sk = NULL; 93 const SSL_METHOD *meth = TLS_server_method(); 94 int ret = 1, i, verbose = 0, Verbose = 0, use_supported = 0; 95 int stdname = 0; 96 #ifndef OPENSSL_NO_PSK 97 int psk = 0; 98 #endif 99 #ifndef OPENSSL_NO_SRP 100 int srp = 0; 101 #endif 102 const char *p; 103 char *ciphers = NULL, *prog, *convert = NULL, *ciphersuites = NULL; 104 char buf[512]; 105 OPTION_CHOICE o; 106 int min_version = 0, max_version = 0; 107 108 prog = opt_init(argc, argv, ciphers_options); 109 while ((o = opt_next()) != OPT_EOF) { 110 switch (o) { 111 case OPT_EOF: 112 case OPT_ERR: 113 opthelp: 114 BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); 115 goto end; 116 case OPT_HELP: 117 opt_help(ciphers_options); 118 ret = 0; 119 goto end; 120 case OPT_V: 121 verbose = 1; 122 break; 123 case OPT_UPPER_V: 124 verbose = Verbose = 1; 125 break; 126 case OPT_S: 127 use_supported = 1; 128 break; 129 case OPT_STDNAME: 130 stdname = verbose = 1; 131 break; 132 case OPT_CONVERT: 133 convert = opt_arg(); 134 break; 135 case OPT_SSL3: 136 min_version = SSL3_VERSION; 137 max_version = SSL3_VERSION; 138 break; 139 case OPT_TLS1: 140 min_version = TLS1_VERSION; 141 max_version = TLS1_VERSION; 142 break; 143 case OPT_TLS1_1: 144 min_version = TLS1_1_VERSION; 145 max_version = TLS1_1_VERSION; 146 break; 147 case OPT_TLS1_2: 148 min_version = TLS1_2_VERSION; 149 max_version = TLS1_2_VERSION; 150 break; 151 case OPT_TLS1_3: 152 min_version = TLS1_3_VERSION; 153 max_version = TLS1_3_VERSION; 154 break; 155 case OPT_PSK: 156 #ifndef OPENSSL_NO_PSK 157 psk = 1; 158 #endif 159 break; 160 case OPT_SRP: 161 #ifndef OPENSSL_NO_SRP 162 srp = 1; 163 #endif 164 break; 165 case OPT_CIPHERSUITES: 166 ciphersuites = opt_arg(); 167 break; 168 case OPT_PROV_CASES: 169 if (!opt_provider(o)) 170 goto end; 171 break; 172 } 173 } 174 175 /* Optional arg is cipher name. */ 176 argv = opt_rest(); 177 argc = opt_num_rest(); 178 if (argc == 1) 179 ciphers = argv[0]; 180 else if (argc != 0) 181 goto opthelp; 182 183 if (convert != NULL) { 184 BIO_printf(bio_out, "OpenSSL cipher name: %s\n", 185 OPENSSL_cipher_name(convert)); 186 ret = 0; 187 goto end; 188 } 189 190 ctx = SSL_CTX_new_ex(app_get0_libctx(), app_get0_propq(), meth); 191 if (ctx == NULL) 192 goto err; 193 if (SSL_CTX_set_min_proto_version(ctx, min_version) == 0) 194 goto err; 195 if (SSL_CTX_set_max_proto_version(ctx, max_version) == 0) 196 goto err; 197 198 #ifndef OPENSSL_NO_PSK 199 if (psk) 200 SSL_CTX_set_psk_client_callback(ctx, dummy_psk); 201 #endif 202 #ifndef OPENSSL_NO_SRP 203 if (srp) 204 set_up_dummy_srp(ctx); 205 #endif 206 207 if (ciphersuites != NULL && !SSL_CTX_set_ciphersuites(ctx, ciphersuites)) { 208 BIO_printf(bio_err, "Error setting TLSv1.3 ciphersuites\n"); 209 goto err; 210 } 211 212 if (ciphers != NULL) { 213 if (!SSL_CTX_set_cipher_list(ctx, ciphers)) { 214 BIO_printf(bio_err, "Error in cipher list\n"); 215 goto err; 216 } 217 } 218 ssl = SSL_new(ctx); 219 if (ssl == NULL) 220 goto err; 221 222 if (use_supported) 223 sk = SSL_get1_supported_ciphers(ssl); 224 else 225 sk = SSL_get_ciphers(ssl); 226 227 if (!verbose) { 228 for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) { 229 const SSL_CIPHER *c = sk_SSL_CIPHER_value(sk, i); 230 231 if (!ossl_assert(c != NULL)) 232 continue; 233 234 p = SSL_CIPHER_get_name(c); 235 if (p == NULL) 236 break; 237 if (i != 0) 238 BIO_printf(bio_out, ":"); 239 BIO_printf(bio_out, "%s", p); 240 } 241 BIO_printf(bio_out, "\n"); 242 } else { 243 244 for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) { 245 const SSL_CIPHER *c; 246 247 c = sk_SSL_CIPHER_value(sk, i); 248 249 if (!ossl_assert(c != NULL)) 250 continue; 251 252 if (Verbose) { 253 unsigned long id = SSL_CIPHER_get_id(c); 254 int id0 = (int)(id >> 24); 255 int id1 = (int)((id >> 16) & 0xffL); 256 int id2 = (int)((id >> 8) & 0xffL); 257 int id3 = (int)(id & 0xffL); 258 259 if ((id & 0xff000000L) == 0x03000000L) 260 BIO_printf(bio_out, " 0x%02X,0x%02X - ", id2, id3); /* SSL3 261 * cipher */ 262 else 263 BIO_printf(bio_out, "0x%02X,0x%02X,0x%02X,0x%02X - ", id0, id1, id2, id3); /* whatever */ 264 } 265 if (stdname) { 266 const char *nm = SSL_CIPHER_standard_name(c); 267 if (nm == NULL) 268 nm = "UNKNOWN"; 269 BIO_printf(bio_out, "%-45s - ", nm); 270 } 271 BIO_puts(bio_out, SSL_CIPHER_description(c, buf, sizeof(buf))); 272 } 273 } 274 275 ret = 0; 276 goto end; 277 err: 278 ERR_print_errors(bio_err); 279 end: 280 if (use_supported) 281 sk_SSL_CIPHER_free(sk); 282 SSL_CTX_free(ctx); 283 SSL_free(ssl); 284 return ret; 285 } 286