From 8b8e5bed233a2d8106296c8e460be252719e0fdd Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Tue, 14 Jan 2014 14:55:21 +0000
Subject: [PATCH] Allow return of supported ciphers.

New function ssl_cipher_disabled.

Check for disabled client ciphers using ssl_cipher_disabled.

New function to return only supported ciphers.

New option to ciphers utility to print only supported ciphers.
---
 apps/ciphers.c | 15 ++++++++++++---
 ssl/s3_clnt.c  |  4 +---
 ssl/ssl.h      |  1 +
 ssl/ssl_lib.c  | 32 ++++++++++++++++++++++++++++----
 ssl/ssl_locl.h |  1 +
 ssl/t1_lib.c   |  8 ++++++++
 6 files changed, 51 insertions(+), 10 deletions(-)

diff --git a/apps/ciphers.c b/apps/ciphers.c
index c9abf1a05a..52da70245a 100644
--- a/apps/ciphers.c
+++ b/apps/ciphers.c
@@ -85,6 +85,7 @@ int MAIN(int argc, char **argv)
 	{
 	int ret=1,i;
 	int verbose=0,Verbose=0;
+	int use_supported = 0;
 #ifndef OPENSSL_NO_SSL_TRACE
 	int stdname = 0;
 #endif
@@ -129,6 +130,8 @@ int MAIN(int argc, char **argv)
 			verbose=1;
 		else if (strcmp(*argv,"-V") == 0)
 			verbose=Verbose=1;
+		else if (strcmp(*argv,"-s") == 0)
+			use_supported = 1;
 #ifndef OPENSSL_NO_SSL_TRACE
 		else if (strcmp(*argv,"-stdname") == 0)
 			stdname=verbose=1;
@@ -179,12 +182,17 @@ int MAIN(int argc, char **argv)
 	ssl=SSL_new(ctx);
 	if (ssl == NULL) goto err;
 
+	if (use_supported)
+		sk=SSL_get1_supported_ciphers(ssl);
+	else
+		sk=SSL_get_ciphers(ssl);
 
 	if (!verbose)
 		{
-		for (i=0; ; i++)
+		for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
 			{
-			p=SSL_get_cipher_list(ssl,i);
+			SSL_CIPHER *c = sk_SSL_CIPHER_value(sk,i);
+			p = SSL_CIPHER_get_name(c);
 			if (p == NULL) break;
 			if (i != 0) BIO_printf(STDout,":");
 			BIO_printf(STDout,"%s",p);
@@ -193,7 +201,6 @@ int MAIN(int argc, char **argv)
 		}
 	else /* verbose */
 		{
-		sk=SSL_get_ciphers(ssl);
 
 		for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
 			{
@@ -237,6 +244,8 @@ err:
 		ERR_print_errors(bio_err);
 		}
 end:
+	if (use_supported && sk)
+		sk_SSL_CIPHER_free(sk);
 	if (ctx != NULL) SSL_CTX_free(ctx);
 	if (ssl != NULL) SSL_free(ssl);
 	if (STDout != NULL) BIO_free_all(STDout);
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 9755a0feb2..70c6533268 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1079,9 +1079,7 @@ int ssl3_get_server_hello(SSL *s)
 	/* If it is a disabled cipher we didn't send it in client hello,
 	 * so return an error.
 	 */
-	if (c->algorithm_ssl & ct->mask_ssl ||
-		c->algorithm_mkey & ct->mask_k ||
-		c->algorithm_auth & ct->mask_a)
+	if (ssl_cipher_disabled(s, c))
 		{
 		al=SSL_AD_ILLEGAL_PARAMETER;
 		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED);
diff --git a/ssl/ssl.h b/ssl/ssl.h
index c6b1ac35f9..9c200b798e 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -2378,6 +2378,7 @@ const SSL_METHOD *DTLS_server_method(void);	/* DTLS 1.0 and 1.2 */
 const SSL_METHOD *DTLS_client_method(void);	/* DTLS 1.0 and 1.2 */
 
 STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s);
+STACK_OF(SSL_CIPHER) *SSL_get1_supported_ciphers(SSL *s);
 
 int SSL_do_handshake(SSL *s);
 int SSL_renegotiate(SSL *s);
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index cc9b965778..1b8c0f42bc 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1342,6 +1342,33 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
 	return(NULL);
 	}
 
+STACK_OF(SSL_CIPHER) *SSL_get1_supported_ciphers(SSL *s)
+	{
+	STACK_OF(SSL_CIPHER) *sk = NULL, *ciphers;
+	int i;
+	ciphers = SSL_get_ciphers(s);
+	if (!ciphers)
+		return NULL;
+	ssl_set_client_disabled(s);
+	for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++)
+		{
+		const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i);
+		if (!ssl_cipher_disabled(s, c))
+			{
+			if (!sk)
+				sk = sk_SSL_CIPHER_new_null();
+			if (!sk)
+				return NULL;
+			if (!sk_SSL_CIPHER_push(sk, c))
+				{
+				sk_SSL_CIPHER_free(sk);
+				return NULL;
+				}
+			}
+		}
+	return sk;
+	}
+
 /** return a STACK of the ciphers available for the SSL and in order of
  * algorithm id */
 STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s)
@@ -1459,7 +1486,6 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
 	{
 	int i,j=0;
 	SSL_CIPHER *c;
-	CERT *ct = s->cert;
 	unsigned char *q;
 	int no_scsv = s->renegotiate;
 	/* Set disabled masks for this session */
@@ -1472,9 +1498,7 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
 		{
 		c=sk_SSL_CIPHER_value(sk,i);
 		/* Skip disabled ciphers */
-		if (c->algorithm_ssl & ct->mask_ssl ||
-			c->algorithm_mkey & ct->mask_k ||
-			c->algorithm_auth & ct->mask_a)
+		if (ssl_cipher_disabled(s, c))
 			continue;
 #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
 		if (c->id == SSL3_CK_SCSV)
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index cd397f45d2..07ea0d2972 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -1331,6 +1331,7 @@ size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs);
 int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
 				const unsigned char *sig, EVP_PKEY *pkey);
 void ssl_set_client_disabled(SSL *s);
+int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c);
 
 int ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen);
 int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al);
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index c9e489898a..37cc6f6abf 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1093,6 +1093,14 @@ void ssl_set_client_disabled(SSL *s)
 	c->valid = 1;
 	}
 
+int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c)
+	{
+	CERT *ct = s->cert;
+	if (c->algorithm_ssl & ct->mask_ssl || c->algorithm_mkey & ct->mask_k || c->algorithm_auth & ct->mask_a)
+		return 1;
+	return 0;
+	}
+
 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit, int *al)
 	{
 	int extdatalen=0;
-- 
2.34.1