Allow displaying ciphers according to protocol version

Instead of only using the default client method, allow selecting a specific protocol version and display the supported ciphers accordingly. This removes the noop status of -tls1 and adds -tls1_{1,2,3} as in other commands. ok jsing
author: tb <> 2022-07-19 16:07:35 +0000
committer: tb <> 2022-07-19 16:07:35 +0000
commit: 0aecb4d519c70c00b5f9c6f955ac8ccee66a1f44 (patch)
tree: fe332c4c61e29ac07143845673a4dd35f693c483 /src/usr.bin
parent: 5f54900fa27ee42d497164e68e2090cf4a6fd9b9 (diff)
download: openbsd-0aecb4d519c70c00b5f9c6f955ac8ccee66a1f44.tar.gz
openbsd-0aecb4d519c70c00b5f9c6f955ac8ccee66a1f44.tar.bz2
openbsd-0aecb4d519c70c00b5f9c6f955ac8ccee66a1f44.zip
1 files changed, 39 insertions, 4 deletions
diff --git a/src/usr.bin/openssl/ciphers.c b/src/usr.bin/openssl/ciphers.c
index 92805c3691..e0e870459c 100644
--- a/src/usr.bin/openssl/ciphers.c
+++ b/src/usr.bin/openssl/ciphers.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ciphers.c,v 1.13 2022/07/14 08:37:17 tb Exp $ */
+/* $OpenBSD: ciphers.c,v 1.14 2022/07/19 16:07:35 tb Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -28,6 +28,7 @@ struct {
        int usage;
        int use_supported;
        int verbose;
+        int version;
 } ciphers_config;
 static const struct option ciphers_options[] = {
@@ -49,7 +50,31 @@ static const struct option ciphers_options[] = {
        },
        {
                .name = "tls1",
-                .type = OPTION_DISCARD,
+                .desc = "Use TLS protocol version 1",
+                .type = OPTION_VALUE,
+                .opt.value = &ciphers_config.version,
+                .value = TLS1_VERSION,
+        },
+        {
+                .name = "tls1_1",
+                .desc = "Use TLS protocol version 1.1",
+                .type = OPTION_VALUE,
+                .opt.value = &ciphers_config.version,
+                .value = TLS1_1_VERSION,
+        },
+        {
+                .name = "tls1_2",
+                .desc = "Use TLS protocol version 1.2",
+                .type = OPTION_VALUE,
+                .opt.value = &ciphers_config.version,
+                .value = TLS1_2_VERSION,
+        },
+        {
+                .name = "tls1_3",
+                .desc = "Use TLS protocol version 1.3",
+                .type = OPTION_VALUE,
+                .opt.value = &ciphers_config.version,
+                .value = TLS1_3_VERSION,
        },
        {
                .name = "v",
@@ -71,7 +96,8 @@ static const struct option ciphers_options[] = {
 static void
 ciphers_usage(void)
 {
-        fprintf(stderr, "usage: ciphers [-hsVv] [cipherlist]\n");
+        fprintf(stderr, "usage: ciphers [-hsVv] [-tls1] [-tls1_1] [-tls1_2] "
+            "[-tls1_3] [cipherlist]\n");
        options_usage(ciphers_options);
 }
@@ -108,9 +134,18 @@ ciphers_main(int argc, char **argv)
                return (1);
        }
-        if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
+        if ((ssl_ctx = SSL_CTX_new(TLS_method())) == NULL)
                goto err;
+        if (ciphers_config.version != 0) {
+                if (!SSL_CTX_set_min_proto_version(ssl_ctx,
+                    ciphers_config.version))
+                        goto err;
+                if (!SSL_CTX_set_max_proto_version(ssl_ctx,
+                    ciphers_config.version))
+                        goto err;
+        }
        if (cipherlist != NULL) {
                if (SSL_CTX_set_cipher_list(ssl_ctx, cipherlist) == 0)
                        goto err;
author	tb <>	2022-07-19 16:07:35 +0000
committer	tb <>	2022-07-19 16:07:35 +0000
commit	0aecb4d519c70c00b5f9c6f955ac8ccee66a1f44 (patch)
tree	fe332c4c61e29ac07143845673a4dd35f693c483 /src/usr.bin
parent	5f54900fa27ee42d497164e68e2090cf4a6fd9b9 (diff)
download	openbsd-0aecb4d519c70c00b5f9c6f955ac8ccee66a1f44.tar.gz openbsd-0aecb4d519c70c00b5f9c6f955ac8ccee66a1f44.tar.bz2 openbsd-0aecb4d519c70c00b5f9c6f955ac8ccee66a1f44.zip

diff --git a/src/usr.bin/openssl/ciphers.c b/src/usr.bin/openssl/ciphers.c index 92805c3691..e0e870459c 100644 --- a/src/usr.bin/openssl/ciphers.c +++ b/src/usr.bin/openssl/ciphers.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ciphers.c,v 1.13 2022/07/14 08:37:17 tb Exp $ */	1	/* $OpenBSD: ciphers.c,v 1.14 2022/07/19 16:07:35 tb Exp $ */
2	/*	2	/*
3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -28,6 +28,7 @@ struct {
28	int usage;	28	int usage;
29	int use_supported;	29	int use_supported;
30	int verbose;	30	int verbose;
		31	int version;
31	} ciphers_config;	32	} ciphers_config;
32		33
33	static const struct option ciphers_options[] = {	34	static const struct option ciphers_options[] = {
@@ -49,7 +50,31 @@ static const struct option ciphers_options[] = {
49	},	50	},
50	{	51	{
51	.name = "tls1",	52	.name = "tls1",
52	.type = OPTION_DISCARD,	53	.desc = "Use TLS protocol version 1",
		54	.type = OPTION_VALUE,
		55	.opt.value = &ciphers_config.version,
		56	.value = TLS1_VERSION,
		57	},
		58	{
		59	.name = "tls1_1",
		60	.desc = "Use TLS protocol version 1.1",
		61	.type = OPTION_VALUE,
		62	.opt.value = &ciphers_config.version,
		63	.value = TLS1_1_VERSION,
		64	},
		65	{
		66	.name = "tls1_2",
		67	.desc = "Use TLS protocol version 1.2",
		68	.type = OPTION_VALUE,
		69	.opt.value = &ciphers_config.version,
		70	.value = TLS1_2_VERSION,
		71	},
		72	{
		73	.name = "tls1_3",
		74	.desc = "Use TLS protocol version 1.3",
		75	.type = OPTION_VALUE,
		76	.opt.value = &ciphers_config.version,
		77	.value = TLS1_3_VERSION,
53	},	78	},
54	{	79	{
55	.name = "v",	80	.name = "v",
@@ -71,7 +96,8 @@ static const struct option ciphers_options[] = {
71	static void	96	static void
72	ciphers_usage(void)	97	ciphers_usage(void)
73	{	98	{
74	fprintf(stderr, "usage: ciphers [-hsVv] [cipherlist]\n");	99	fprintf(stderr, "usage: ciphers [-hsVv] [-tls1] [-tls1_1] [-tls1_2] "
		100	"[-tls1_3] [cipherlist]\n");
75	options_usage(ciphers_options);	101	options_usage(ciphers_options);
76	}	102	}
77		103
@@ -108,9 +134,18 @@ ciphers_main(int argc, char **argv)
108	return (1);	134	return (1);
109	}	135	}
110		136
111	if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)	137	if ((ssl_ctx = SSL_CTX_new(TLS_method())) == NULL)
112	goto err;	138	goto err;
113		139
		140	if (ciphers_config.version != 0) {
		141	if (!SSL_CTX_set_min_proto_version(ssl_ctx,
		142	ciphers_config.version))
		143	goto err;
		144	if (!SSL_CTX_set_max_proto_version(ssl_ctx,
		145	ciphers_config.version))
		146	goto err;
		147	}
		148
114	if (cipherlist != NULL) {	149	if (cipherlist != NULL) {
115	if (SSL_CTX_set_cipher_list(ssl_ctx, cipherlist) == 0)	150	if (SSL_CTX_set_cipher_list(ssl_ctx, cipherlist) == 0)
116	goto err;	151	goto err;