1/* 2 * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10#include <stdio.h> 11#include <stdlib.h> 12#include <string.h> 13#include "apps.h" 14#include "progs.h" 15#include <openssl/err.h> 16#include <openssl/ssl.h> 17#include "s_apps.h" 18 19typedef enum OPTION_choice { 20 OPT_COMMON, 21 OPT_STDNAME, 22 OPT_CONVERT, 23 OPT_SSL3, 24 OPT_TLS1, 25 OPT_TLS1_1, 26 OPT_TLS1_2, 27 OPT_TLS1_3, 28 OPT_PSK, 29 OPT_SRP, 30 OPT_CIPHERSUITES, 31 OPT_V, OPT_UPPER_V, OPT_S, OPT_PROV_ENUM 32} OPTION_CHOICE; 33 34const OPTIONS ciphers_options[] = { 35 {OPT_HELP_STR, 1, '-', "Usage: %s [options] [cipher]\n"}, 36 37 OPT_SECTION("General"), 38 {"help", OPT_HELP, '-', "Display this summary"}, 39 40 OPT_SECTION("Output"), 41 {"v", OPT_V, '-', "Verbose listing of the SSL/TLS ciphers"}, 42 {"V", OPT_UPPER_V, '-', "Even more verbose"}, 43 {"stdname", OPT_STDNAME, '-', "Show standard cipher names"}, 44 {"convert", OPT_CONVERT, 's', "Convert standard name into OpenSSL name"}, 45 46 OPT_SECTION("Cipher specification"), 47 {"s", OPT_S, '-', "Only supported ciphers"}, 48#ifndef OPENSSL_NO_SSL3 49 {"ssl3", OPT_SSL3, '-', "Ciphers compatible with SSL3"}, 50#endif 51#ifndef OPENSSL_NO_TLS1 52 {"tls1", OPT_TLS1, '-', "Ciphers compatible with TLS1"}, 53#endif 54#ifndef OPENSSL_NO_TLS1_1 55 {"tls1_1", OPT_TLS1_1, '-', "Ciphers compatible with TLS1.1"}, 56#endif 57#ifndef OPENSSL_NO_TLS1_2 58 {"tls1_2", OPT_TLS1_2, '-', "Ciphers compatible with TLS1.2"}, 59#endif 60#ifndef OPENSSL_NO_TLS1_3 61 {"tls1_3", OPT_TLS1_3, '-', "Ciphers compatible with TLS1.3"}, 62#endif 63#ifndef OPENSSL_NO_PSK 64 {"psk", OPT_PSK, '-', "Include ciphersuites requiring PSK"}, 65#endif 66#ifndef OPENSSL_NO_SRP 67 {"srp", OPT_SRP, '-', "(deprecated) Include ciphersuites requiring SRP"}, 68#endif 69 {"ciphersuites", OPT_CIPHERSUITES, 's', 70 "Configure the TLSv1.3 ciphersuites to use"}, 71 OPT_PROV_OPTIONS, 72 73 OPT_PARAMETERS(), 74 {"cipher", 0, 0, "Cipher string to decode (optional)"}, 75 {NULL} 76}; 77 78#ifndef OPENSSL_NO_PSK 79static unsigned int dummy_psk(SSL *ssl, const char *hint, char *identity, 80 unsigned int max_identity_len, 81 unsigned char *psk, 82 unsigned int max_psk_len) 83{ 84 return 0; 85} 86#endif 87 88int ciphers_main(int argc, char **argv) 89{ 90 SSL_CTX *ctx = NULL; 91 SSL *ssl = NULL; 92 STACK_OF(SSL_CIPHER) *sk = NULL; 93 const SSL_METHOD *meth = TLS_server_method(); 94 int ret = 1, i, verbose = 0, Verbose = 0, use_supported = 0; 95 int stdname = 0; 96#ifndef OPENSSL_NO_PSK 97 int psk = 0; 98#endif 99#ifndef OPENSSL_NO_SRP 100 int srp = 0; 101#endif 102 const char *p; 103 char *ciphers = NULL, *prog, *convert = NULL, *ciphersuites = NULL; 104 char buf[512]; 105 OPTION_CHOICE o; 106 int min_version = 0, max_version = 0; 107 108 prog = opt_init(argc, argv, ciphers_options); 109 while ((o = opt_next()) != OPT_EOF) { 110 switch (o) { 111 case OPT_EOF: 112 case OPT_ERR: 113 opthelp: 114 BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); 115 goto end; 116 case OPT_HELP: 117 opt_help(ciphers_options); 118 ret = 0; 119 goto end; 120 case OPT_V: 121 verbose = 1; 122 break; 123 case OPT_UPPER_V: 124 verbose = Verbose = 1; 125 break; 126 case OPT_S: 127 use_supported = 1; 128 break; 129 case OPT_STDNAME: 130 stdname = verbose = 1; 131 break; 132 case OPT_CONVERT: 133 convert = opt_arg(); 134 break; 135 case OPT_SSL3: 136 min_version = SSL3_VERSION; 137 max_version = SSL3_VERSION; 138 break; 139 case OPT_TLS1: 140 min_version = TLS1_VERSION; 141 max_version = TLS1_VERSION; 142 break; 143 case OPT_TLS1_1: 144 min_version = TLS1_1_VERSION; 145 max_version = TLS1_1_VERSION; 146 break; 147 case OPT_TLS1_2: 148 min_version = TLS1_2_VERSION; 149 max_version = TLS1_2_VERSION; 150 break; 151 case OPT_TLS1_3: 152 min_version = TLS1_3_VERSION; 153 max_version = TLS1_3_VERSION; 154 break; 155 case OPT_PSK: 156#ifndef OPENSSL_NO_PSK 157 psk = 1; 158#endif 159 break; 160 case OPT_SRP: 161#ifndef OPENSSL_NO_SRP 162 srp = 1; 163#endif 164 break; 165 case OPT_CIPHERSUITES: 166 ciphersuites = opt_arg(); 167 break; 168 case OPT_PROV_CASES: 169 if (!opt_provider(o)) 170 goto end; 171 break; 172 } 173 } 174 175 /* Optional arg is cipher name. */ 176 argv = opt_rest(); 177 argc = opt_num_rest(); 178 if (argc == 1) 179 ciphers = argv[0]; 180 else if (argc != 0) 181 goto opthelp; 182 183 if (convert != NULL) { 184 BIO_printf(bio_out, "OpenSSL cipher name: %s\n", 185 OPENSSL_cipher_name(convert)); 186 ret = 0; 187 goto end; 188 } 189 190 ctx = SSL_CTX_new_ex(app_get0_libctx(), app_get0_propq(), meth); 191 if (ctx == NULL) 192 goto err; 193 if (SSL_CTX_set_min_proto_version(ctx, min_version) == 0) 194 goto err; 195 if (SSL_CTX_set_max_proto_version(ctx, max_version) == 0) 196 goto err; 197 198#ifndef OPENSSL_NO_PSK 199 if (psk) 200 SSL_CTX_set_psk_client_callback(ctx, dummy_psk); 201#endif 202#ifndef OPENSSL_NO_SRP 203 if (srp) 204 set_up_dummy_srp(ctx); 205#endif 206 207 if (ciphersuites != NULL && !SSL_CTX_set_ciphersuites(ctx, ciphersuites)) { 208 BIO_printf(bio_err, "Error setting TLSv1.3 ciphersuites\n"); 209 goto err; 210 } 211 212 if (ciphers != NULL) { 213 if (!SSL_CTX_set_cipher_list(ctx, ciphers)) { 214 BIO_printf(bio_err, "Error in cipher list\n"); 215 goto err; 216 } 217 } 218 ssl = SSL_new(ctx); 219 if (ssl == NULL) 220 goto err; 221 222 if (use_supported) 223 sk = SSL_get1_supported_ciphers(ssl); 224 else 225 sk = SSL_get_ciphers(ssl); 226 227 if (!verbose) { 228 for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) { 229 const SSL_CIPHER *c = sk_SSL_CIPHER_value(sk, i); 230 231 if (!ossl_assert(c != NULL)) 232 continue; 233 234 p = SSL_CIPHER_get_name(c); 235 if (p == NULL) 236 break; 237 if (i != 0) 238 BIO_printf(bio_out, ":"); 239 BIO_printf(bio_out, "%s", p); 240 } 241 BIO_printf(bio_out, "\n"); 242 } else { 243 244 for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) { 245 const SSL_CIPHER *c; 246 247 c = sk_SSL_CIPHER_value(sk, i); 248 249 if (!ossl_assert(c != NULL)) 250 continue; 251 252 if (Verbose) { 253 unsigned long id = SSL_CIPHER_get_id(c); 254 int id0 = (int)(id >> 24); 255 int id1 = (int)((id >> 16) & 0xffL); 256 int id2 = (int)((id >> 8) & 0xffL); 257 int id3 = (int)(id & 0xffL); 258 259 if ((id & 0xff000000L) == 0x03000000L) 260 BIO_printf(bio_out, " 0x%02X,0x%02X - ", id2, id3); /* SSL3 261 * cipher */ 262 else 263 BIO_printf(bio_out, "0x%02X,0x%02X,0x%02X,0x%02X - ", id0, id1, id2, id3); /* whatever */ 264 } 265 if (stdname) { 266 const char *nm = SSL_CIPHER_standard_name(c); 267 if (nm == NULL) 268 nm = "UNKNOWN"; 269 BIO_printf(bio_out, "%-45s - ", nm); 270 } 271 BIO_puts(bio_out, SSL_CIPHER_description(c, buf, sizeof(buf))); 272 } 273 } 274 275 ret = 0; 276 goto end; 277 err: 278 ERR_print_errors(bio_err); 279 end: 280 if (use_supported) 281 sk_SSL_CIPHER_free(sk); 282 SSL_CTX_free(ctx); 283 SSL_free(ssl); 284 return ret; 285} 286