From 6763e1a62cc964ae90a3be1680d61d9b327a165e Mon Sep 17 00:00:00 2001
From: tb <tb@openbsd.org>
Date: Thu, 14 Jul 2022 08:07:54 +0000
Subject: [PATCH] Add -s option to openssl ciphers

With this option, the command only shows the ciphers supported by the
SSL method.

ok beck jsing
---
 usr.bin/openssl/ciphers.c | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/usr.bin/openssl/ciphers.c b/usr.bin/openssl/ciphers.c
index a20f19c3afd..6a96dfcc923 100644
--- a/usr.bin/openssl/ciphers.c
+++ b/usr.bin/openssl/ciphers.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ciphers.c,v 1.10 2019/07/14 03:30:45 guenther Exp $ */
+/* $OpenBSD: ciphers.c,v 1.11 2022/07/14 08:07:54 tb Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -26,6 +26,7 @@
 
 struct {
 	int usage;
+	int use_supported;
 	int verbose;
 } ciphers_config;
 
@@ -40,6 +41,12 @@ static const struct option ciphers_options[] = {
 		.type = OPTION_FLAG,
 		.opt.flag = &ciphers_config.usage,
 	},
+	{
+		.name = "s",
+		.desc = "Only list ciphers that are supported by the TLS method",
+		.type = OPTION_FLAG,
+		.opt.flag = &ciphers_config.use_supported,
+	},
 	{
 		.name = "tls1",
 		.desc = "This option is deprecated since it is the default",
@@ -65,7 +72,7 @@ static const struct option ciphers_options[] = {
 static void
 ciphers_usage(void)
 {
-	fprintf(stderr, "usage: ciphers [-hVv] [-tls1] [cipherlist]\n");
+	fprintf(stderr, "usage: ciphers [-hsVv] [-tls1] [cipherlist]\n");
 	options_usage(ciphers_options);
 }
 
@@ -74,6 +81,7 @@ ciphers_main(int argc, char **argv)
 {
 	char *cipherlist = NULL;
 	STACK_OF(SSL_CIPHER) *ciphers;
+	STACK_OF(SSL_CIPHER) *supported_ciphers = NULL;
 	const SSL_CIPHER *cipher;
 	SSL_CTX *ssl_ctx = NULL;
 	SSL *ssl = NULL;
@@ -112,8 +120,15 @@ ciphers_main(int argc, char **argv)
 	if ((ssl = SSL_new(ssl_ctx)) == NULL)
 		goto err;
 
-	if ((ciphers = SSL_get_ciphers(ssl)) == NULL)
-		goto err;
+	if (ciphers_config.use_supported) {
+		if ((supported_ciphers =
+		    SSL_get1_supported_ciphers(ssl)) == NULL)
+			goto err;
+		ciphers = supported_ciphers;
+	} else {
+		if ((ciphers = SSL_get_ciphers(ssl)) == NULL)
+			goto err;
+	}
 
 	for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
 		cipher = sk_SSL_CIPHER_value(ciphers, i);
@@ -145,6 +160,7 @@ ciphers_main(int argc, char **argv)
 	rv = 1;
 
  done:
+	sk_SSL_CIPHER_free(supported_ciphers);
 	SSL_CTX_free(ssl_ctx);
 	SSL_free(ssl);
 
-- 
2.20.1