1/*
2 * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License").  You may not use
5 * this file except in compliance with the License.  You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <stdio.h>
11#include <stdlib.h>
12#include <string.h>
13#include "apps.h"
14#include "progs.h"
15#include <openssl/err.h>
16#include <openssl/ssl.h>
17
18typedef enum OPTION_choice {
19    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
20    OPT_STDNAME,
21    OPT_CONVERT,
22    OPT_SSL3,
23    OPT_TLS1,
24    OPT_TLS1_1,
25    OPT_TLS1_2,
26    OPT_TLS1_3,
27    OPT_PSK,
28    OPT_SRP,
29    OPT_CIPHERSUITES,
30    OPT_V, OPT_UPPER_V, OPT_S
31} OPTION_CHOICE;
32
33const OPTIONS ciphers_options[] = {
34    {"help", OPT_HELP, '-', "Display this summary"},
35    {"v", OPT_V, '-', "Verbose listing of the SSL/TLS ciphers"},
36    {"V", OPT_UPPER_V, '-', "Even more verbose"},
37    {"s", OPT_S, '-', "Only supported ciphers"},
38#ifndef OPENSSL_NO_SSL3
39    {"ssl3", OPT_SSL3, '-', "SSL3 mode"},
40#endif
41#ifndef OPENSSL_NO_TLS1
42    {"tls1", OPT_TLS1, '-', "TLS1 mode"},
43#endif
44#ifndef OPENSSL_NO_TLS1_1
45    {"tls1_1", OPT_TLS1_1, '-', "TLS1.1 mode"},
46#endif
47#ifndef OPENSSL_NO_TLS1_2
48    {"tls1_2", OPT_TLS1_2, '-', "TLS1.2 mode"},
49#endif
50#ifndef OPENSSL_NO_TLS1_3
51    {"tls1_3", OPT_TLS1_3, '-', "TLS1.3 mode"},
52#endif
53    {"stdname", OPT_STDNAME, '-', "Show standard cipher names"},
54#ifndef OPENSSL_NO_PSK
55    {"psk", OPT_PSK, '-', "include ciphersuites requiring PSK"},
56#endif
57#ifndef OPENSSL_NO_SRP
58    {"srp", OPT_SRP, '-', "include ciphersuites requiring SRP"},
59#endif
60    {"convert", OPT_CONVERT, 's', "Convert standard name into OpenSSL name"},
61    {"ciphersuites", OPT_CIPHERSUITES, 's',
62     "Configure the TLSv1.3 ciphersuites to use"},
63    {NULL}
64};
65
66#ifndef OPENSSL_NO_PSK
67static unsigned int dummy_psk(SSL *ssl, const char *hint, char *identity,
68                              unsigned int max_identity_len,
69                              unsigned char *psk,
70                              unsigned int max_psk_len)
71{
72    return 0;
73}
74#endif
75#ifndef OPENSSL_NO_SRP
76static char *dummy_srp(SSL *ssl, void *arg)
77{
78    return "";
79}
80#endif
81
82int ciphers_main(int argc, char **argv)
83{
84    SSL_CTX *ctx = NULL;
85    SSL *ssl = NULL;
86    STACK_OF(SSL_CIPHER) *sk = NULL;
87    const SSL_METHOD *meth = TLS_server_method();
88    int ret = 1, i, verbose = 0, Verbose = 0, use_supported = 0;
89    int stdname = 0;
90#ifndef OPENSSL_NO_PSK
91    int psk = 0;
92#endif
93#ifndef OPENSSL_NO_SRP
94    int srp = 0;
95#endif
96    const char *p;
97    char *ciphers = NULL, *prog, *convert = NULL, *ciphersuites = NULL;
98    char buf[512];
99    OPTION_CHOICE o;
100    int min_version = 0, max_version = 0;
101
102    prog = opt_init(argc, argv, ciphers_options);
103    while ((o = opt_next()) != OPT_EOF) {
104        switch (o) {
105        case OPT_EOF:
106        case OPT_ERR:
107 opthelp:
108            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
109            goto end;
110        case OPT_HELP:
111            opt_help(ciphers_options);
112            ret = 0;
113            goto end;
114        case OPT_V:
115            verbose = 1;
116            break;
117        case OPT_UPPER_V:
118            verbose = Verbose = 1;
119            break;
120        case OPT_S:
121            use_supported = 1;
122            break;
123        case OPT_STDNAME:
124            stdname = verbose = 1;
125            break;
126        case OPT_CONVERT:
127            convert = opt_arg();
128            break;
129        case OPT_SSL3:
130            min_version = SSL3_VERSION;
131            max_version = SSL3_VERSION;
132            break;
133        case OPT_TLS1:
134            min_version = TLS1_VERSION;
135            max_version = TLS1_VERSION;
136            break;
137        case OPT_TLS1_1:
138            min_version = TLS1_1_VERSION;
139            max_version = TLS1_1_VERSION;
140            break;
141        case OPT_TLS1_2:
142            min_version = TLS1_2_VERSION;
143            max_version = TLS1_2_VERSION;
144            break;
145        case OPT_TLS1_3:
146            min_version = TLS1_3_VERSION;
147            max_version = TLS1_3_VERSION;
148            break;
149        case OPT_PSK:
150#ifndef OPENSSL_NO_PSK
151            psk = 1;
152#endif
153            break;
154        case OPT_SRP:
155#ifndef OPENSSL_NO_SRP
156            srp = 1;
157#endif
158            break;
159        case OPT_CIPHERSUITES:
160            ciphersuites = opt_arg();
161            break;
162        }
163    }
164    argv = opt_rest();
165    argc = opt_num_rest();
166
167    if (argc == 1)
168        ciphers = *argv;
169    else if (argc != 0)
170        goto opthelp;
171
172    if (convert != NULL) {
173        BIO_printf(bio_out, "OpenSSL cipher name: %s\n",
174                   OPENSSL_cipher_name(convert));
175        ret = 0;
176        goto end;
177    }
178
179    ctx = SSL_CTX_new(meth);
180    if (ctx == NULL)
181        goto err;
182    if (SSL_CTX_set_min_proto_version(ctx, min_version) == 0)
183        goto err;
184    if (SSL_CTX_set_max_proto_version(ctx, max_version) == 0)
185        goto err;
186
187#ifndef OPENSSL_NO_PSK
188    if (psk)
189        SSL_CTX_set_psk_client_callback(ctx, dummy_psk);
190#endif
191#ifndef OPENSSL_NO_SRP
192    if (srp)
193        SSL_CTX_set_srp_client_pwd_callback(ctx, dummy_srp);
194#endif
195
196    if (ciphersuites != NULL && !SSL_CTX_set_ciphersuites(ctx, ciphersuites)) {
197        BIO_printf(bio_err, "Error setting TLSv1.3 ciphersuites\n");
198        goto err;
199    }
200
201    if (ciphers != NULL) {
202        if (!SSL_CTX_set_cipher_list(ctx, ciphers)) {
203            BIO_printf(bio_err, "Error in cipher list\n");
204            goto err;
205        }
206    }
207    ssl = SSL_new(ctx);
208    if (ssl == NULL)
209        goto err;
210
211    if (use_supported)
212        sk = SSL_get1_supported_ciphers(ssl);
213    else
214        sk = SSL_get_ciphers(ssl);
215
216    if (!verbose) {
217        for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
218            const SSL_CIPHER *c = sk_SSL_CIPHER_value(sk, i);
219            p = SSL_CIPHER_get_name(c);
220            if (p == NULL)
221                break;
222            if (i != 0)
223                BIO_printf(bio_out, ":");
224            BIO_printf(bio_out, "%s", p);
225        }
226        BIO_printf(bio_out, "\n");
227    } else {
228
229        for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
230            const SSL_CIPHER *c;
231
232            c = sk_SSL_CIPHER_value(sk, i);
233
234            if (Verbose) {
235                unsigned long id = SSL_CIPHER_get_id(c);
236                int id0 = (int)(id >> 24);
237                int id1 = (int)((id >> 16) & 0xffL);
238                int id2 = (int)((id >> 8) & 0xffL);
239                int id3 = (int)(id & 0xffL);
240
241                if ((id & 0xff000000L) == 0x03000000L)
242                    BIO_printf(bio_out, "          0x%02X,0x%02X - ", id2, id3); /* SSL3
243                                                                                  * cipher */
244                else
245                    BIO_printf(bio_out, "0x%02X,0x%02X,0x%02X,0x%02X - ", id0, id1, id2, id3); /* whatever */
246            }
247            if (stdname) {
248                const char *nm = SSL_CIPHER_standard_name(c);
249                if (nm == NULL)
250                    nm = "UNKNOWN";
251                BIO_printf(bio_out, "%s - ", nm);
252            }
253            BIO_puts(bio_out, SSL_CIPHER_description(c, buf, sizeof(buf)));
254        }
255    }
256
257    ret = 0;
258    goto end;
259 err:
260    ERR_print_errors(bio_err);
261 end:
262    if (use_supported)
263        sk_SSL_CIPHER_free(sk);
264    SSL_CTX_free(ctx);
265    SSL_free(ssl);
266    return ret;
267}
268