1 files changed, 42 insertions, 24 deletions

diff --git a/apps/ciphers.c b/apps/ciphers.c
index aade3fbf5671..42a0bb79f651 100644
--- a/apps/ciphers.c
+++ b/apps/ciphers.c
@@ -1,7 +1,7 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
  * in the file LICENSE in the source distribution or at
  * https://www.openssl.org/source/license.html
@@ -14,9 +14,10 @@
 #include "progs.h"
 #include <openssl/err.h>
 #include <openssl/ssl.h>
+#include "s_apps.h"
 
 typedef enum OPTION_choice {
-    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+    OPT_COMMON,
     OPT_STDNAME,
     OPT_CONVERT,
     OPT_SSL3,
@@ -27,39 +28,50 @@ typedef enum OPTION_choice {
     OPT_PSK,
     OPT_SRP,
     OPT_CIPHERSUITES,
-    OPT_V, OPT_UPPER_V, OPT_S
+    OPT_V, OPT_UPPER_V, OPT_S, OPT_PROV_ENUM
 } OPTION_CHOICE;
 
 const OPTIONS ciphers_options[] = {
+    {OPT_HELP_STR, 1, '-', "Usage: %s [options] [cipher]\n"},
+
+    OPT_SECTION("General"),
     {"help", OPT_HELP, '-', "Display this summary"},
+
+    OPT_SECTION("Output"),
     {"v", OPT_V, '-', "Verbose listing of the SSL/TLS ciphers"},
     {"V", OPT_UPPER_V, '-', "Even more verbose"},
+    {"stdname", OPT_STDNAME, '-', "Show standard cipher names"},
+    {"convert", OPT_CONVERT, 's', "Convert standard name into OpenSSL name"},
+
+    OPT_SECTION("Cipher specification"),
     {"s", OPT_S, '-', "Only supported ciphers"},
 #ifndef OPENSSL_NO_SSL3
-    {"ssl3", OPT_SSL3, '-', "SSL3 mode"},
+    {"ssl3", OPT_SSL3, '-', "Ciphers compatible with SSL3"},
 #endif
 #ifndef OPENSSL_NO_TLS1
-    {"tls1", OPT_TLS1, '-', "TLS1 mode"},
+    {"tls1", OPT_TLS1, '-', "Ciphers compatible with TLS1"},
 #endif
 #ifndef OPENSSL_NO_TLS1_1
-    {"tls1_1", OPT_TLS1_1, '-', "TLS1.1 mode"},
+    {"tls1_1", OPT_TLS1_1, '-', "Ciphers compatible with TLS1.1"},
 #endif
 #ifndef OPENSSL_NO_TLS1_2
-    {"tls1_2", OPT_TLS1_2, '-', "TLS1.2 mode"},
+    {"tls1_2", OPT_TLS1_2, '-', "Ciphers compatible with TLS1.2"},
 #endif
 #ifndef OPENSSL_NO_TLS1_3
-    {"tls1_3", OPT_TLS1_3, '-', "TLS1.3 mode"},
+    {"tls1_3", OPT_TLS1_3, '-', "Ciphers compatible with TLS1.3"},
 #endif
-    {"stdname", OPT_STDNAME, '-', "Show standard cipher names"},
 #ifndef OPENSSL_NO_PSK
-    {"psk", OPT_PSK, '-', "include ciphersuites requiring PSK"},
+    {"psk", OPT_PSK, '-', "Include ciphersuites requiring PSK"},
 #endif
 #ifndef OPENSSL_NO_SRP
-    {"srp", OPT_SRP, '-', "include ciphersuites requiring SRP"},
+    {"srp", OPT_SRP, '-', "(deprecated) Include ciphersuites requiring SRP"},
 #endif
-    {"convert", OPT_CONVERT, 's', "Convert standard name into OpenSSL name"},
     {"ciphersuites", OPT_CIPHERSUITES, 's',
      "Configure the TLSv1.3 ciphersuites to use"},
+    OPT_PROV_OPTIONS,
+
+    OPT_PARAMETERS(),
+    {"cipher", 0, 0, "Cipher string to decode (optional)"},
     {NULL}
 };
 
@@ -72,12 +84,6 @@ static unsigned int dummy_psk(SSL *ssl, const char *hint, char *identity,
     return 0;
 }
 #endif
-#ifndef OPENSSL_NO_SRP
-static char *dummy_srp(SSL *ssl, void *arg)
-{
-    return "";
-}
-#endif
 
 int ciphers_main(int argc, char **argv)
 {
@@ -159,13 +165,18 @@ int ciphers_main(int argc, char **argv)
         case OPT_CIPHERSUITES:
             ciphersuites = opt_arg();
             break;
+        case OPT_PROV_CASES:
+            if (!opt_provider(o))
+                goto end;
+            break;
         }
     }
+
+    /* Optional arg is cipher name. */
     argv = opt_rest();
     argc = opt_num_rest();
-
     if (argc == 1)
-        ciphers = *argv;
+        ciphers = argv[0];
     else if (argc != 0)
         goto opthelp;
 
@@ -176,7 +187,7 @@ int ciphers_main(int argc, char **argv)
         goto end;
     }
 
-    ctx = SSL_CTX_new(meth);
+    ctx = SSL_CTX_new_ex(app_get0_libctx(), app_get0_propq(), meth);
     if (ctx == NULL)
         goto err;
     if (SSL_CTX_set_min_proto_version(ctx, min_version) == 0)
@@ -190,7 +201,7 @@ int ciphers_main(int argc, char **argv)
 #endif
 #ifndef OPENSSL_NO_SRP
     if (srp)
-        SSL_CTX_set_srp_client_pwd_callback(ctx, dummy_srp);
+        set_up_dummy_srp(ctx);
 #endif
 
     if (ciphersuites != NULL && !SSL_CTX_set_ciphersuites(ctx, ciphersuites)) {
@@ -216,6 +227,10 @@ int ciphers_main(int argc, char **argv)
     if (!verbose) {
         for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
             const SSL_CIPHER *c = sk_SSL_CIPHER_value(sk, i);
+
+            if (!ossl_assert(c != NULL))
+                continue;
+
             p = SSL_CIPHER_get_name(c);
             if (p == NULL)
                 break;
@@ -231,6 +246,9 @@ int ciphers_main(int argc, char **argv)
 
             c = sk_SSL_CIPHER_value(sk, i);
 
+            if (!ossl_assert(c != NULL))
+                continue;
+
             if (Verbose) {
                 unsigned long id = SSL_CIPHER_get_id(c);
                 int id0 = (int)(id >> 24);
@@ -248,7 +266,7 @@ int ciphers_main(int argc, char **argv)
                 const char *nm = SSL_CIPHER_standard_name(c);
                 if (nm == NULL)
                     nm = "UNKNOWN";
-                BIO_printf(bio_out, "%s - ", nm);
+                BIO_printf(bio_out, "%-45s - ", nm);
             }
             BIO_puts(bio_out, SSL_CIPHER_description(c, buf, sizeof(buf)));
         }