Add -srp option to ciphers command. RT#4224 Reviewed-by: Richard Levitte <levitte@openssl.org>
diff --git a/apps/ciphers.c b/apps/ciphers.c index 924c015..44f4216 100644 --- a/apps/ciphers.c +++ b/apps/ciphers.c
@@ -70,6 +70,7 @@ OPT_TLS1_1, OPT_TLS1_2, OPT_PSK, + OPT_SRP, OPT_V, OPT_UPPER_V, OPT_S } OPTION_CHOICE; @@ -96,6 +97,9 @@ #ifndef OPENSSL_NO_PSK {"psk", OPT_PSK, '-', "include ciphersuites requiring PSK"}, #endif +#ifndef OPENSSL_NO_SRP + {"srp", OPT_SRP, '-', "include ciphersuites requiring SRP"}, +#endif {NULL} }; @@ -108,6 +112,12 @@ return 0; } #endif +#ifndef OPENSSL_NO_SRP +static char *dummy_srp(SSL *ssl, void *arg) +{ + return ""; +} +#endif int ciphers_main(int argc, char **argv) { @@ -122,6 +132,9 @@ #ifndef OPENSSL_NO_PSK int psk = 0; #endif +#ifndef OPENSSL_NO_SRP + int srp = 0; +#endif const char *p; char *ciphers = NULL, *prog; char buf[512]; @@ -174,6 +187,10 @@ #ifndef OPENSSL_NO_PSK psk = 1; #endif + case OPT_SRP: +#ifndef OPENSSL_NO_SRP + srp = 1; +#endif break; } } @@ -197,6 +214,10 @@ if (psk) SSL_CTX_set_psk_client_callback(ctx, dummy_psk); #endif +#ifndef OPENSSL_NO_SRP + if (srp) + SSL_CTX_set_srp_client_pwd_callback(ctx, dummy_srp); +#endif if (ciphers != NULL) { if (!SSL_CTX_set_cipher_list(ctx, ciphers)) { BIO_printf(bio_err, "Error in cipher list\n");
diff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod index 9788fa3..f1d0656 100644 --- a/doc/apps/ciphers.pod +++ b/doc/apps/ciphers.pod
@@ -17,6 +17,7 @@ [B<-tls1_2>] [B<-s>] [B<-psk>] +[B<-srp>] [B<-stdname>] [B<cipherlist>] @@ -37,13 +38,12 @@ =item B<-s> Only list supported ciphers: those consistent with the security level, and -minimum and maximum protocol version. -This is closer to the actual cipher list an application will support. +minimum and maximum protocol version. This is closer to the actual cipher list +an application will support. -This program does not set up support for SRP and so SRP based ciphers will -always be excluded when using this option. -PSK ciphers are not enabled by default and it requires the B<-psk> to enable -them. +PSK and SRP ciphers are not enabled by default: they require B<-psk> or B<-srp> +to enable them. + It also does not change the default list of supported signature algorithms. On a server the list of supported ciphers might also exclude other ciphers @@ -56,6 +56,10 @@ When combined with B<-s> includes cipher suites which require PSK. +=item B<-srp> + +When combined with B<-s> includes cipher suites which require SRP. + =item B<-v> Verbose output: For each ciphersuite, list details as provided by