1 /* 2 * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <stdio.h> 11 #include <stdlib.h> 12 #include <string.h> 13 #include "apps.h" 14 #include "progs.h" 15 #include <openssl/err.h> 16 #include <openssl/ssl.h> 17 #include "s_apps.h" 18 19 typedef enum OPTION_choice { 20 OPT_COMMON, 21 OPT_STDNAME, 22 OPT_CONVERT, 23 OPT_SSL3, 24 OPT_TLS1, 25 OPT_TLS1_1, 26 OPT_TLS1_2, 27 OPT_TLS1_3, 28 OPT_PSK, 29 OPT_SRP, 30 OPT_CIPHERSUITES, 31 OPT_V, 32 OPT_UPPER_V, 33 OPT_S, 34 OPT_PROV_ENUM 35 } OPTION_CHOICE; 36 37 const OPTIONS ciphers_options[] = { 38 { OPT_HELP_STR, 1, '-', "Usage: %s [options] [cipher]\n" }, 39 40 OPT_SECTION("General"), 41 { "help", OPT_HELP, '-', "Display this summary" }, 42 43 OPT_SECTION("Output"), 44 { "v", OPT_V, '-', "Verbose listing of the SSL/TLS ciphers" }, 45 { "V", OPT_UPPER_V, '-', "Even more verbose" }, 46 { "stdname", OPT_STDNAME, '-', "Show standard cipher names" }, 47 { "convert", OPT_CONVERT, 's', "Convert standard name into OpenSSL name" }, 48 49 OPT_SECTION("Cipher specification"), 50 { "s", OPT_S, '-', "Only supported ciphers" }, 51 #ifndef OPENSSL_NO_SSL3 52 { "ssl3", OPT_SSL3, '-', "Ciphers compatible with SSL3" }, 53 #endif 54 #ifndef OPENSSL_NO_TLS1 55 { "tls1", OPT_TLS1, '-', "Ciphers compatible with TLS1" }, 56 #endif 57 #ifndef OPENSSL_NO_TLS1_1 58 { "tls1_1", OPT_TLS1_1, '-', "Ciphers compatible with TLS1.1" }, 59 #endif 60 #ifndef OPENSSL_NO_TLS1_2 61 { "tls1_2", OPT_TLS1_2, '-', "Ciphers compatible with TLS1.2" }, 62 #endif 63 #ifndef OPENSSL_NO_TLS1_3 64 { "tls1_3", OPT_TLS1_3, '-', "Ciphers compatible with TLS1.3" }, 65 #endif 66 #ifndef OPENSSL_NO_PSK 67 { "psk", OPT_PSK, '-', "Include ciphersuites requiring PSK" }, 68 #endif 69 #ifndef OPENSSL_NO_SRP 70 { "srp", OPT_SRP, '-', "(deprecated) Include ciphersuites requiring SRP" }, 71 #endif 72 { "ciphersuites", OPT_CIPHERSUITES, 's', 73 "Configure the TLSv1.3 ciphersuites to use" }, 74 OPT_PROV_OPTIONS, 75 76 OPT_PARAMETERS(), 77 { "cipher", 0, 0, "Cipher string to decode (optional)" }, 78 { NULL } 79 }; 80 81 #ifndef OPENSSL_NO_PSK 82 static unsigned int dummy_psk(SSL *ssl, const char *hint, char *identity, 83 unsigned int max_identity_len, 84 unsigned char *psk, 85 unsigned int max_psk_len) 86 { 87 return 0; 88 } 89 #endif 90 91 int ciphers_main(int argc, char **argv) 92 { 93 SSL_CTX *ctx = NULL; 94 SSL *ssl = NULL; 95 STACK_OF(SSL_CIPHER) *sk = NULL; 96 const SSL_METHOD *meth = TLS_server_method(); 97 int ret = 1, i, verbose = 0, Verbose = 0, use_supported = 0; 98 int stdname = 0; 99 #ifndef OPENSSL_NO_PSK 100 int psk = 0; 101 #endif 102 #ifndef OPENSSL_NO_SRP 103 int srp = 0; 104 #endif 105 const char *p; 106 char *ciphers = NULL, *prog, *convert = NULL, *ciphersuites = NULL; 107 char buf[512]; 108 OPTION_CHOICE o; 109 int min_version = 0, max_version = 0; 110 111 prog = opt_init(argc, argv, ciphers_options); 112 while ((o = opt_next()) != OPT_EOF) { 113 switch (o) { 114 case OPT_EOF: 115 case OPT_ERR: 116 opthelp: 117 BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); 118 goto end; 119 case OPT_HELP: 120 opt_help(ciphers_options); 121 ret = 0; 122 goto end; 123 case OPT_V: 124 verbose = 1; 125 break; 126 case OPT_UPPER_V: 127 verbose = Verbose = 1; 128 break; 129 case OPT_S: 130 use_supported = 1; 131 break; 132 case OPT_STDNAME: 133 stdname = verbose = 1; 134 break; 135 case OPT_CONVERT: 136 convert = opt_arg(); 137 break; 138 case OPT_SSL3: 139 min_version = SSL3_VERSION; 140 max_version = SSL3_VERSION; 141 break; 142 case OPT_TLS1: 143 min_version = TLS1_VERSION; 144 max_version = TLS1_VERSION; 145 break; 146 case OPT_TLS1_1: 147 min_version = TLS1_1_VERSION; 148 max_version = TLS1_1_VERSION; 149 break; 150 case OPT_TLS1_2: 151 min_version = TLS1_2_VERSION; 152 max_version = TLS1_2_VERSION; 153 break; 154 case OPT_TLS1_3: 155 min_version = TLS1_3_VERSION; 156 max_version = TLS1_3_VERSION; 157 break; 158 case OPT_PSK: 159 #ifndef OPENSSL_NO_PSK 160 psk = 1; 161 #endif 162 break; 163 case OPT_SRP: 164 #ifndef OPENSSL_NO_SRP 165 srp = 1; 166 #endif 167 break; 168 case OPT_CIPHERSUITES: 169 ciphersuites = opt_arg(); 170 break; 171 case OPT_PROV_CASES: 172 if (!opt_provider(o)) 173 goto end; 174 break; 175 } 176 } 177 178 /* Optional arg is cipher name. */ 179 argv = opt_rest(); 180 if (opt_num_rest() == 1) 181 ciphers = argv[0]; 182 else if (!opt_check_rest_arg(NULL)) 183 goto opthelp; 184 185 if (convert != NULL) { 186 BIO_printf(bio_out, "OpenSSL cipher name: %s\n", 187 OPENSSL_cipher_name(convert)); 188 ret = 0; 189 goto end; 190 } 191 192 ctx = SSL_CTX_new_ex(app_get0_libctx(), app_get0_propq(), meth); 193 if (ctx == NULL) 194 goto err; 195 if (SSL_CTX_set_min_proto_version(ctx, min_version) == 0) 196 goto err; 197 if (SSL_CTX_set_max_proto_version(ctx, max_version) == 0) 198 goto err; 199 200 #ifndef OPENSSL_NO_PSK 201 if (psk) 202 SSL_CTX_set_psk_client_callback(ctx, dummy_psk); 203 #endif 204 #ifndef OPENSSL_NO_SRP 205 if (srp) 206 set_up_dummy_srp(ctx); 207 #endif 208 209 if (ciphersuites != NULL && !SSL_CTX_set_ciphersuites(ctx, ciphersuites)) { 210 BIO_printf(bio_err, "Error setting TLSv1.3 ciphersuites\n"); 211 goto err; 212 } 213 214 if (ciphers != NULL) { 215 if (!SSL_CTX_set_cipher_list(ctx, ciphers)) { 216 BIO_printf(bio_err, "Error in cipher list\n"); 217 goto err; 218 } 219 } 220 ssl = SSL_new(ctx); 221 if (ssl == NULL) 222 goto err; 223 224 if (use_supported) 225 sk = SSL_get1_supported_ciphers(ssl); 226 else 227 sk = SSL_get_ciphers(ssl); 228 229 if (!verbose) { 230 for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) { 231 const SSL_CIPHER *c = sk_SSL_CIPHER_value(sk, i); 232 233 if (!ossl_assert(c != NULL)) 234 continue; 235 236 p = SSL_CIPHER_get_name(c); 237 if (p == NULL) 238 break; 239 if (i != 0) 240 BIO_printf(bio_out, ":"); 241 BIO_printf(bio_out, "%s", p); 242 } 243 BIO_printf(bio_out, "\n"); 244 } else { 245 246 for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) { 247 const SSL_CIPHER *c; 248 249 c = sk_SSL_CIPHER_value(sk, i); 250 251 if (!ossl_assert(c != NULL)) 252 continue; 253 254 if (Verbose) { 255 unsigned long id = SSL_CIPHER_get_id(c); 256 int id0 = (int)(id >> 24); 257 int id1 = (int)((id >> 16) & 0xffL); 258 int id2 = (int)((id >> 8) & 0xffL); 259 int id3 = (int)(id & 0xffL); 260 261 if ((id & 0xff000000L) == 0x03000000L) 262 BIO_printf(bio_out, " 0x%02X,0x%02X - ", id2, id3); /* SSL3 263 * cipher */ 264 else 265 BIO_printf(bio_out, "0x%02X,0x%02X,0x%02X,0x%02X - ", id0, id1, id2, id3); /* whatever */ 266 } 267 if (stdname) { 268 const char *nm = SSL_CIPHER_standard_name(c); 269 if (nm == NULL) 270 nm = "UNKNOWN"; 271 BIO_printf(bio_out, "%-45s - ", nm); 272 } 273 BIO_puts(bio_out, SSL_CIPHER_description(c, buf, sizeof(buf))); 274 } 275 } 276 277 ret = 0; 278 goto end; 279 err: 280 ERR_print_errors(bio_err); 281 end: 282 if (use_supported) 283 sk_SSL_CIPHER_free(sk); 284 SSL_CTX_free(ctx); 285 SSL_free(ssl); 286 return ret; 287 } 288