]> git.ipfire.org Git - thirdparty/openssl.git/blame - apps/s_client.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
curves can be set in both client and server
[thirdparty/openssl.git] / apps / s_client.c
CommitLineData
d02b48c6 1/* apps/s_client.c */
58964a49 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
d02b48c6
RE		 3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
a661b653 58/* ====================================================================
b1277b99 59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
a661b653
BM		 60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
ddac1974
NL		 111/* ====================================================================
112 * Copyright 2005 Nokia. All rights reserved.
113 *
114 * The portions of the attached software ("Contribution") is developed by
115 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
116 * license.
117 *
118 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120 * support (see RFC 4279) to OpenSSL.
121 *
122 * No patent licenses or other rights except those expressly stated in
123 * the OpenSSL open source license shall be deemed granted or received
124 * expressly, by implication, estoppel, or otherwise.
125 *
126 * No assurances are provided by Nokia that the Contribution does not
127 * infringe the patent or other intellectual property rights of any third
128 * party or that the license provides you with all the necessary rights
129 * to make use of the Contribution.
130 *
131 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
135 * OTHERWISE.
136 */
d02b48c6 137
1b1a6e78 138#include <assert.h>
ddac1974 139#include <ctype.h>
8c197cc5
UM		 140#include <stdio.h>
141#include <stdlib.h>
142#include <string.h>
be1bd923 143#include <openssl/e_os2.h>
cf1b7d96 144#ifdef OPENSSL_NO_STDIO
8c197cc5
UM		 145#define APPS_WIN16
146#endif
147
7d7d2cbc
UM		 148/* With IPv6, it looks like Digital has mixed up the proper order of
149 recursive header file inclusion, resulting in the compiler complaining
150 that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which
151 is needed to have fileno() declared correctly... So let's define u_int */
bc36ee62 152#if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
7d7d2cbc
UM		 153#define __U_INT
154typedef unsigned int u_int;
155#endif
156
d02b48c6 157#define USE_SOCKETS
d02b48c6 158#include "apps.h"
ec577822
BM		 159#include <openssl/x509.h>
160#include <openssl/ssl.h>
161#include <openssl/err.h>
162#include <openssl/pem.h>
1372965e 163#include <openssl/rand.h>
67c8e7f4 164#include <openssl/ocsp.h>
1e26a8ba 165#include <openssl/bn.h>
edc032b5
BL		 166#ifndef OPENSSL_NO_SRP
167#include <openssl/srp.h>
168#endif
d02b48c6 169#include "s_apps.h"
36d16f8e 170#include "timeouts.h"
d02b48c6 171
bc36ee62 172#if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
75e0770d 173/* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
7d7d2cbc
UM		 174#undef FIONBIO
175#endif
176
4700aea9
UM		 177#if defined(OPENSSL_SYS_BEOS_R5)
178#include <fcntl.h>
179#endif
180
d02b48c6
RE		 181#undef PROG
182#define PROG s_client_main
183
184/*#define SSL_HOST_NAME "www.netscape.com" */
185/*#define SSL_HOST_NAME "193.118.187.102" */
186#define SSL_HOST_NAME "localhost"
187
188/*#define TEST_CERT "client.pem" */ /* no default cert. */
189
190#undef BUFSIZZ
191#define BUFSIZZ 1024*8
192
193extern int verify_depth;
194extern int verify_error;
5d20c4fb 195extern int verify_return_error;
2a7cbe77 196extern int verify_quiet;
d02b48c6
RE		 197
198#ifdef FIONBIO
199static int c_nbio=0;
200#endif
201static int c_Pause=0;
202static int c_debug=0;
6434abbf
DSH		 203#ifndef OPENSSL_NO_TLSEXT
204static int c_tlsextdebug=0;
67c8e7f4 205static int c_status_req=0;
a9e1c50b 206static int c_proof_debug=0;
6434abbf 207#endif
a661b653 208static int c_msg=0;
6d02d8e4 209static int c_showcerts=0;
d02b48c6 210
e0af0405
BL		 211static char *keymatexportlabel=NULL;
212static int keymatexportlen=20;
213
d02b48c6
RE		 214static void sc_usage(void);
215static void print_stuff(BIO *berr,SSL *con,int full);
0702150f 216#ifndef OPENSSL_NO_TLSEXT
67c8e7f4 217static int ocsp_resp_cb(SSL *s, void *arg);
a9e1c50b 218static int audit_proof_cb(SSL *s, void *arg);
0702150f 219#endif
d02b48c6 220static BIO *bio_c_out=NULL;
93ab9e42 221static BIO *bio_c_msg=NULL;
d02b48c6 222static int c_quiet=0;
ce301b6b 223static int c_ign_eof=0;
2a7cbe77 224static int c_brief=0;
d02b48c6 225
ddac1974
NL		 226#ifndef OPENSSL_NO_PSK
227/* Default PSK identity and key */
228static char *psk_identity="Client_identity";
f3b7bdad 229/*char *psk_key=NULL; by default PSK is not used */
ddac1974
NL		 230
231static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity,
232 unsigned int max_identity_len, unsigned char *psk,
233 unsigned int max_psk_len)
234 {
235 unsigned int psk_len = 0;
236 int ret;
237 BIGNUM *bn=NULL;
238
239 if (c_debug)
240 BIO_printf(bio_c_out, "psk_client_cb\n");
241 if (!hint)
242 {
243 /* no ServerKeyExchange message*/
244 if (c_debug)
245 BIO_printf(bio_c_out,"NULL received PSK identity hint, continuing anyway\n");
246 }
247 else if (c_debug)
248 BIO_printf(bio_c_out, "Received PSK identity hint '%s'\n", hint);
249
250 /* lookup PSK identity and PSK key based on the given identity hint here */
0ed6b526 251 ret = BIO_snprintf(identity, max_identity_len, "%s", psk_identity);
a0aa8b4b 252 if (ret < 0 || (unsigned int)ret > max_identity_len)
ddac1974
NL		 253 goto out_err;
254 if (c_debug)
255 BIO_printf(bio_c_out, "created identity '%s' len=%d\n", identity, ret);
256 ret=BN_hex2bn(&bn, psk_key);
257 if (!ret)
258 {
259 BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", psk_key);
260 if (bn)
261 BN_free(bn);
262 return 0;
263 }
264
a0aa8b4b 265 if ((unsigned int)BN_num_bytes(bn) > max_psk_len)
ddac1974
NL		 266 {
267 BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
268 max_psk_len, BN_num_bytes(bn));
269 BN_free(bn);
270 return 0;
271 }
272
273 psk_len=BN_bn2bin(bn, psk);
274 BN_free(bn);
275 if (psk_len == 0)
276 goto out_err;
277
278 if (c_debug)
279 BIO_printf(bio_c_out, "created PSK len=%d\n", psk_len);
280
281 return psk_len;
282 out_err:
283 if (c_debug)
284 BIO_printf(bio_err, "Error in PSK client callback\n");
285 return 0;
286 }
287#endif
288
6b691a5c 289static void sc_usage(void)
d02b48c6 290 {
b6cff93d 291 BIO_printf(bio_err,"usage: s_client args\n");
d02b48c6
RE		 292 BIO_printf(bio_err,"\n");
293 BIO_printf(bio_err," -host host - use -connect instead\n");
294 BIO_printf(bio_err," -port port - use -connect instead\n");
295 BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR);
7c8ac505
DSH		 296 BIO_printf(bio_err," -checkhost host - check peer certificate matches \"host\"\n");
297 BIO_printf(bio_err," -checkemail email - check peer certificate matches \"email\"\n");
298 BIO_printf(bio_err," -checkip ipaddr - check peer certificate matches \"ipaddr\"\n");
d02b48c6
RE		 299
300 BIO_printf(bio_err," -verify arg - turn on peer certificate verification\n");
301 BIO_printf(bio_err," -cert arg - certificate file to use, PEM format assumed\n");
826a42a0
DSH		 302 BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n");
303 BIO_printf(bio_err," -key arg - Private key file to use, in cert file if\n");
d02b48c6 304 BIO_printf(bio_err," not specified but cert file is.\n");
826a42a0
DSH		 305 BIO_printf(bio_err," -keyform arg - key format (PEM or DER) PEM default\n");
306 BIO_printf(bio_err," -pass arg - private key file pass phrase source\n");
d02b48c6
RE		 307 BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n");
308 BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n");
309 BIO_printf(bio_err," -reconnect - Drop and re-make the connection with the same Session-ID\n");
310 BIO_printf(bio_err," -pause - sleep(1) after each read(2) and write(2) system call\n");
6d02d8e4 311 BIO_printf(bio_err," -showcerts - show all certificates in the chain\n");
d02b48c6 312 BIO_printf(bio_err," -debug - extra output\n");
02a00bb0
AP		 313#ifdef WATT32
314 BIO_printf(bio_err," -wdebug - WATT-32 tcp debugging\n");
315#endif
a661b653 316 BIO_printf(bio_err," -msg - Show protocol messages\n");
d02b48c6
RE		 317 BIO_printf(bio_err," -nbio_test - more ssl protocol testing\n");
318 BIO_printf(bio_err," -state - print the 'ssl' states\n");
319#ifdef FIONBIO
320 BIO_printf(bio_err," -nbio - Run with non-blocking IO\n");
1bdb8633 321#endif
1bdb8633 322 BIO_printf(bio_err," -crlf - convert LF from terminal into CRLF\n");
d02b48c6 323 BIO_printf(bio_err," -quiet - no s_client output\n");
ce301b6b 324 BIO_printf(bio_err," -ign_eof - ignore input eof (default when -quiet)\n");
020d67fb 325 BIO_printf(bio_err," -no_ign_eof - don't ignore input eof\n");
ddac1974
NL		 326#ifndef OPENSSL_NO_PSK
327 BIO_printf(bio_err," -psk_identity arg - PSK identity\n");
328 BIO_printf(bio_err," -psk arg - PSK in hex (without 0x)\n");
79bd20fd 329# ifndef OPENSSL_NO_JPAKE
f3b7bdad
BL		 330 BIO_printf(bio_err," -jpake arg - JPAKE secret to use\n");
331# endif
edc032b5
BL		 332#endif
333#ifndef OPENSSL_NO_SRP
334 BIO_printf(bio_err," -srpuser user - SRP authentification for 'user'\n");
335 BIO_printf(bio_err," -srppass arg - password for 'user'\n");
336 BIO_printf(bio_err," -srp_lateuser - SRP username into second ClientHello message\n");
337 BIO_printf(bio_err," -srp_moregroups - Tolerate other than the known g N values.\n");
338 BIO_printf(bio_err," -srp_strength int - minimal mength in bits for N (default %d).\n",SRP_MINIMAL_N);
ddac1974 339#endif
d02b48c6
RE		 340 BIO_printf(bio_err," -ssl2 - just use SSLv2\n");
341 BIO_printf(bio_err," -ssl3 - just use SSLv3\n");
7409d7ad 342 BIO_printf(bio_err," -tls1_2 - just use TLSv1.2\n");
637f374a 343 BIO_printf(bio_err," -tls1_1 - just use TLSv1.1\n");
58964a49 344 BIO_printf(bio_err," -tls1 - just use TLSv1\n");
36d16f8e 345 BIO_printf(bio_err," -dtls1 - just use DTLSv1\n");
046f2101 346 BIO_printf(bio_err," -mtu - set the link layer MTU\n");
7409d7ad 347 BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
d02b48c6 348 BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n");
836f9960 349 BIO_printf(bio_err," -serverpref - Use server's cipher preferences (only SSLv2)\n");
657e60fa 350 BIO_printf(bio_err," -cipher - preferred cipher to use, use the 'openssl ciphers'\n");
dfeab068 351 BIO_printf(bio_err," command to see what is available\n");
135c0af1
RL		 352 BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n");
353 BIO_printf(bio_err," for those protocols that support it, where\n");
354 BIO_printf(bio_err," 'prot' defines which one to assume. Currently,\n");
d5bbead4
BL		 355 BIO_printf(bio_err," only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
356 BIO_printf(bio_err," are supported.\n");
0b13e9f0 357#ifndef OPENSSL_NO_ENGINE
5270e702 358 BIO_printf(bio_err," -engine id - Initialise and use the specified engine\n");
0b13e9f0 359#endif
52b621db 360 BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
014f62b6
DSH		 361 BIO_printf(bio_err," -sess_out arg - file to write SSL session to\n");
362 BIO_printf(bio_err," -sess_in arg - file to read SSL session from\n");
ed3883d2
BM		 363#ifndef OPENSSL_NO_TLSEXT
364 BIO_printf(bio_err," -servername host - Set TLS extension servername in ClientHello\n");
d24a9c8f 365 BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n");
67c8e7f4 366 BIO_printf(bio_err," -status - request certificate status from server\n");
d24a9c8f 367 BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n");
a9e1c50b 368 BIO_printf(bio_err," -proof_debug - request an audit proof and print its hex dump\n");
bf48836c 369# ifndef OPENSSL_NO_NEXTPROTONEG
ee2ffc27
BL		 370 BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
371# endif
ed3883d2 372#endif
2942dde5 373 BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
be81f4dd 374 BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
e0af0405
BL		 375 BIO_printf(bio_err," -keymatexport label - Export keying material using label\n");
376 BIO_printf(bio_err," -keymatexportlen len - Export len bytes of keying material (default 20)\n");
d02b48c6
RE		 377 }
378
ed3883d2
BM		 379#ifndef OPENSSL_NO_TLSEXT
380
381/* This is a context that we pass to callbacks */
382typedef struct tlsextctx_st {
383 BIO * biodebug;
384 int ack;
385} tlsextctx;
386
387
b1277b99
BM		 388static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
389 {
ed3883d2 390 tlsextctx * p = (tlsextctx *) arg;
8de5b7f5 391 const char * hn= SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
ed3883d2
BM		 392 if (SSL_get_servername_type(s) != -1)
393 p->ack = !SSL_session_reused(s) && hn != NULL;
394 else
f1fd4544 395 BIO_printf(bio_err,"Can't use SSL_get_servername\n");
ed3883d2 396
241520e6 397 return SSL_TLSEXT_ERR_OK;
b1277b99 398 }
ee2ffc27 399
edc032b5
BL		 400#ifndef OPENSSL_NO_SRP
401
402/* This is a context that we pass to all callbacks */
403typedef struct srp_arg_st
404 {
405 char *srppassin;
406 char *srplogin;
407 int msg; /* copy from c_msg */
408 int debug; /* copy from c_debug */
409 int amp; /* allow more groups */
410 int strength /* minimal size for N */ ;
411 } SRP_ARG;
412
413#define SRP_NUMBER_ITERATIONS_FOR_PRIME 64
414
f2fc3075 415static int srp_Verify_N_and_g(const BIGNUM *N, const BIGNUM *g)
edc032b5
BL		 416 {
417 BN_CTX *bn_ctx = BN_CTX_new();
418 BIGNUM *p = BN_new();
419 BIGNUM *r = BN_new();
420 int ret =
421 g != NULL && N != NULL && bn_ctx != NULL && BN_is_odd(N) &&
f2fc3075 422 BN_is_prime_ex(N, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
edc032b5
BL		 423 p != NULL && BN_rshift1(p, N) &&
424
425 /* p = (N-1)/2 */
f2fc3075 426 BN_is_prime_ex(p, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
edc032b5
BL		 427 r != NULL &&
428
429 /* verify g^((N-1)/2) == -1 (mod N) */
430 BN_mod_exp(r, g, p, N, bn_ctx) &&
431 BN_add_word(r, 1) &&
432 BN_cmp(r, N) == 0;
433
434 if(r)
435 BN_free(r);
436 if(p)
437 BN_free(p);
438 if(bn_ctx)
439 BN_CTX_free(bn_ctx);
440 return ret;
441 }
442
f2fc3075
DSH		 443/* This callback is used here for two purposes:
444 - extended debugging
445 - making some primality tests for unknown groups
446 The callback is only called for a non default group.
447
448 An application does not need the call back at all if
449 only the stanard groups are used. In real life situations,
450 client and server already share well known groups,
451 thus there is no need to verify them.
452 Furthermore, in case that a server actually proposes a group that
453 is not one of those defined in RFC 5054, it is more appropriate
454 to add the group to a static list and then compare since
455 primality tests are rather cpu consuming.
456*/
457
edc032b5
BL		 458static int MS_CALLBACK ssl_srp_verify_param_cb(SSL *s, void *arg)
459 {
460 SRP_ARG *srp_arg = (SRP_ARG *)arg;
461 BIGNUM *N = NULL, *g = NULL;
462 if (!(N = SSL_get_srp_N(s)) || !(g = SSL_get_srp_g(s)))
463 return 0;
464 if (srp_arg->debug || srp_arg->msg || srp_arg->amp == 1)
465 {
466 BIO_printf(bio_err, "SRP parameters:\n");
467 BIO_printf(bio_err,"\tN="); BN_print(bio_err,N);
468 BIO_printf(bio_err,"\n\tg="); BN_print(bio_err,g);
469 BIO_printf(bio_err,"\n");
470 }
471
472 if (SRP_check_known_gN_param(g,N))
473 return 1;
474
475 if (srp_arg->amp == 1)
476 {
477 if (srp_arg->debug)
478 BIO_printf(bio_err, "SRP param N and g are not known params, going to check deeper.\n");
479
f2fc3075 480/* The srp_moregroups is a real debugging feature.
edc032b5
BL		 481 Implementors should rather add the value to the known ones.
482 The minimal size has already been tested.
483*/
f2fc3075 484 if (BN_num_bits(g) <= BN_BITS && srp_Verify_N_and_g(N,g))
edc032b5
BL		 485 return 1;
486 }
487 BIO_printf(bio_err, "SRP param N and g rejected.\n");
488 return 0;
489 }
490
491#define PWD_STRLEN 1024
492
493static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
494 {
495 SRP_ARG *srp_arg = (SRP_ARG *)arg;
496 char *pass = (char *)OPENSSL_malloc(PWD_STRLEN+1);
497 PW_CB_DATA cb_tmp;
498 int l;
499
500 cb_tmp.password = (char *)srp_arg->srppassin;
501 cb_tmp.prompt_info = "SRP user";
502 if ((l = password_callback(pass, PWD_STRLEN, 0, &cb_tmp))<0)
503 {
504 BIO_printf (bio_err, "Can't read Password\n");
505 OPENSSL_free(pass);
506 return NULL;
507 }
508 *(pass+l)= '\0';
509
510 return pass;
511 }
512
edc032b5 513#endif
333f926d 514 char *srtp_profiles = NULL;
edc032b5 515
bf48836c 516# ifndef OPENSSL_NO_NEXTPROTONEG
ee2ffc27
BL		 517/* This the context that we pass to next_proto_cb */
518typedef struct tlsextnextprotoctx_st {
519 unsigned char *data;
520 unsigned short len;
521 int status;
522} tlsextnextprotoctx;
523
524static tlsextnextprotoctx next_proto;
525
526static int next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg)
527 {
528 tlsextnextprotoctx *ctx = arg;
529
530 if (!c_quiet)
531 {
532 /* We can assume that |in| is syntactically valid. */
533 unsigned i;
534 BIO_printf(bio_c_out, "Protocols advertised by server: ");
535 for (i = 0; i < inlen; )
536 {
537 if (i)
538 BIO_write(bio_c_out, ", ", 2);
539 BIO_write(bio_c_out, &in[i + 1], in[i]);
540 i += in[i] + 1;
541 }
542 BIO_write(bio_c_out, "\n", 1);
543 }
544
545 ctx->status = SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len);
546 return SSL_TLSEXT_ERR_OK;
547 }
bf48836c 548# endif /* ndef OPENSSL_NO_NEXTPROTONEG */
ed3883d2
BM		 549#endif
550
85c67492
RL		 551enum
552{
553 PROTO_OFF = 0,
554 PROTO_SMTP,
555 PROTO_POP3,
556 PROTO_IMAP,
d5bbead4 557 PROTO_FTP,
640b86cb 558 PROTO_XMPP
85c67492
RL		 559};
560
667ac4ec
RE		 561int MAIN(int, char **);
562
6b691a5c 563int MAIN(int argc, char **argv)
d02b48c6 564 {
74ecfab4 565 int build_chain = 0;
67b6f1ca 566 SSL *con=NULL;
4f7a2ab8
DSH		 567#ifndef OPENSSL_NO_KRB5
568 KSSL_CTX *kctx;
569#endif
d02b48c6 570 int s,k,width,state=0;
135c0af1 571 char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL;
d02b48c6
RE		 572 int cbuf_len,cbuf_off;
573 int sbuf_len,sbuf_off;
574 fd_set readfds,writefds;
575 short port=PORT;
576 int full_log=1;
577 char *host=SSL_HOST_NAME;
578 char *cert_file=NULL,*key_file=NULL;
826a42a0
DSH		 579 int cert_format = FORMAT_PEM, key_format = FORMAT_PEM;
580 char *passarg = NULL, *pass = NULL;
581 X509 *cert = NULL;
582 EVP_PKEY *key = NULL;
5d2e07f1
DSH		 583 char *CApath=NULL,*CAfile=NULL;
584 int reconnect=0,badop=0,verify=SSL_VERIFY_NONE;
1bdb8633 585 int crlf=0;
c7ac31e2 586 int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending;
d02b48c6
RE		 587 SSL_CTX *ctx=NULL;
588 int ret=1,in_init=1,i,nbio_test=0;
85c67492 589 int starttls_proto = PROTO_OFF;
db99779b
DSH		 590 int prexit = 0;
591 X509_VERIFY_PARAM *vpm = NULL;
592 int badarg = 0;
4ebb342f 593 const SSL_METHOD *meth=NULL;
b1277b99 594 int socket_type=SOCK_STREAM;
d02b48c6 595 BIO *sbio;
52b621db 596 char *inrand=NULL;
85c67492 597 int mbuf_len=0;
b972fbaa 598 struct timeval timeout, *timeoutp;
0b13e9f0 599#ifndef OPENSSL_NO_ENGINE
5270e702 600 char *engine_id=NULL;
59d2d48f 601 char *ssl_client_engine_id=NULL;
70531c14 602 ENGINE *ssl_client_engine=NULL;
0b13e9f0 603#endif
70531c14 604 ENGINE *e=NULL;
4700aea9 605#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
06f4536a 606 struct timeval tv;
4700aea9
UM		 607#if defined(OPENSSL_SYS_BEOS_R5)
608 int stdin_set = 0;
609#endif
06f4536a 610#endif
ed3883d2
BM		 611#ifndef OPENSSL_NO_TLSEXT
612 char *servername = NULL;
613 tlsextctx tlsextcbp =
614 {NULL,0};
bf48836c 615# ifndef OPENSSL_NO_NEXTPROTONEG
ee2ffc27
BL		 616 const char *next_proto_neg_in = NULL;
617# endif
ed3883d2 618#endif
6434abbf
DSH		 619 char *sess_in = NULL;
620 char *sess_out = NULL;
36d16f8e 621 struct sockaddr peer;
6c61726b 622 int peerlen = sizeof(peer);
36d16f8e 623 int enable_timeouts = 0 ;
b1277b99 624 long socket_mtu = 0;
79bd20fd 625#ifndef OPENSSL_NO_JPAKE
6caa4edd 626 char *jpake_secret = NULL;
ed551cdd 627#endif
edc032b5
BL		 628#ifndef OPENSSL_NO_SRP
629 char * srppass = NULL;
630 int srp_lateuser = 0;
631 SRP_ARG srp_arg = {NULL,NULL,0,0,0,1024};
632#endif
3208fc59 633 SSL_EXCERT *exc = NULL;
36d16f8e 634
a70da5b3
DSH		 635 unsigned char *checkhost = NULL, *checkemail = NULL;
636 char *checkip = NULL;
5d2e07f1
DSH		 637 SSL_CONF_CTX *cctx = NULL;
638 STACK_OF(OPENSSL_STRING) *ssl_args = NULL;
a70da5b3 639
d02b48c6 640 meth=SSLv23_client_method();
d02b48c6
RE		 641
642 apps_startup();
58964a49 643 c_Pause=0;
d02b48c6 644 c_quiet=0;
ce301b6b 645 c_ign_eof=0;
d02b48c6 646 c_debug=0;
a661b653 647 c_msg=0;
6d02d8e4 648 c_showcerts=0;
d02b48c6
RE		 649
650 if (bio_err == NULL)
651 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
652
3647bee2
DSH		 653 if (!load_config(bio_err, NULL))
654 goto end;
5d2e07f1
DSH		 655 cctx = SSL_CONF_CTX_new();
656 if (!cctx)
657 goto end;
658 SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT);
659 SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CMDLINE);
3647bee2 660
26a3a48d 661 if ( ((cbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
135c0af1
RL		 662 ((sbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
663 ((mbuf=OPENSSL_malloc(BUFSIZZ)) == NULL))
d02b48c6
RE		 664 {
665 BIO_printf(bio_err,"out of memory\n");
666 goto end;
667 }
668
669 verify_depth=0;
670 verify_error=X509_V_OK;
671#ifdef FIONBIO
672 c_nbio=0;
673#endif
674
675 argc--;
676 argv++;
677 while (argc >= 1)
678 {
679 if (strcmp(*argv,"-host") == 0)
680 {
681 if (--argc < 1) goto bad;
682 host= *(++argv);
683 }
684 else if (strcmp(*argv,"-port") == 0)
685 {
686 if (--argc < 1) goto bad;
687 port=atoi(*(++argv));
688 if (port == 0) goto bad;
689 }
690 else if (strcmp(*argv,"-connect") == 0)
691 {
692 if (--argc < 1) goto bad;
693 if (!extract_host_port(*(++argv),&host,NULL,&port))
694 goto bad;
695 }
696 else if (strcmp(*argv,"-verify") == 0)
697 {
698 verify=SSL_VERIFY_PEER;
699 if (--argc < 1) goto bad;
700 verify_depth=atoi(*(++argv));
2a7cbe77
DSH		 701 if (!c_quiet)
702 BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
d02b48c6
RE		 703 }
704 else if (strcmp(*argv,"-cert") == 0)
705 {
706 if (--argc < 1) goto bad;
707 cert_file= *(++argv);
708 }
6434abbf
DSH		 709 else if (strcmp(*argv,"-sess_out") == 0)
710 {
711 if (--argc < 1) goto bad;
712 sess_out = *(++argv);
713 }
714 else if (strcmp(*argv,"-sess_in") == 0)
715 {
716 if (--argc < 1) goto bad;
717 sess_in = *(++argv);
718 }
826a42a0
DSH		 719 else if (strcmp(*argv,"-certform") == 0)
720 {
721 if (--argc < 1) goto bad;
722 cert_format = str2fmt(*(++argv));
723 }
db99779b
DSH		 724 else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
725 {
726 if (badarg)
727 goto bad;
728 continue;
729 }
5d20c4fb
DSH		 730 else if (strcmp(*argv,"-verify_return_error") == 0)
731 verify_return_error = 1;
2a7cbe77
DSH		 732 else if (strcmp(*argv,"-verify_quiet") == 0)
733 verify_quiet = 1;
734 else if (strcmp(*argv,"-brief") == 0)
735 {
736 c_brief = 1;
737 verify_quiet = 1;
738 c_quiet = 1;
739 }
3208fc59
DSH		 740 else if (args_excert(&argv, &argc, &badarg, bio_err, &exc))
741 {
742 if (badarg)
743 goto bad;
744 continue;
745 }
5d2e07f1
DSH		 746 else if (args_ssl(&argv, &argc, cctx, &badarg, bio_err, &ssl_args))
747 {
748 if (badarg)
749 goto bad;
750 continue;
751 }
c3ed3b6e
DSH		 752 else if (strcmp(*argv,"-prexit") == 0)
753 prexit=1;
1bdb8633
BM		 754 else if (strcmp(*argv,"-crlf") == 0)
755 crlf=1;
d02b48c6 756 else if (strcmp(*argv,"-quiet") == 0)
ce301b6b 757 {
d02b48c6 758 c_quiet=1;
ce301b6b
RL		 759 c_ign_eof=1;
760 }
761 else if (strcmp(*argv,"-ign_eof") == 0)
762 c_ign_eof=1;
020d67fb
LJ		 763 else if (strcmp(*argv,"-no_ign_eof") == 0)
764 c_ign_eof=0;
d02b48c6
RE		 765 else if (strcmp(*argv,"-pause") == 0)
766 c_Pause=1;
767 else if (strcmp(*argv,"-debug") == 0)
768 c_debug=1;
6434abbf
DSH		 769#ifndef OPENSSL_NO_TLSEXT
770 else if (strcmp(*argv,"-tlsextdebug") == 0)
771 c_tlsextdebug=1;
67c8e7f4
DSH		 772 else if (strcmp(*argv,"-status") == 0)
773 c_status_req=1;
a9e1c50b
BL		 774 else if (strcmp(*argv,"-proof_debug") == 0)
775 c_proof_debug=1;
6434abbf 776#endif
02a00bb0
AP		 777#ifdef WATT32
778 else if (strcmp(*argv,"-wdebug") == 0)
779 dbug_init();
780#endif
a661b653
BM		 781 else if (strcmp(*argv,"-msg") == 0)
782 c_msg=1;
93ab9e42
DSH		 783 else if (strcmp(*argv,"-msgfile") == 0)
784 {
785 if (--argc < 1) goto bad;
786 bio_c_msg = BIO_new_file(*(++argv), "w");
787 }
788#ifndef OPENSSL_NO_SSL_TRACE
789 else if (strcmp(*argv,"-trace") == 0)
790 c_msg=2;
791#endif
6d02d8e4
BM		 792 else if (strcmp(*argv,"-showcerts") == 0)
793 c_showcerts=1;
d02b48c6
RE		 794 else if (strcmp(*argv,"-nbio_test") == 0)
795 nbio_test=1;
796 else if (strcmp(*argv,"-state") == 0)
797 state=1;
ddac1974
NL		 798#ifndef OPENSSL_NO_PSK
799 else if (strcmp(*argv,"-psk_identity") == 0)
800 {
801 if (--argc < 1) goto bad;
802 psk_identity=*(++argv);
803 }
804 else if (strcmp(*argv,"-psk") == 0)
805 {
806 size_t j;
807
808 if (--argc < 1) goto bad;
809 psk_key=*(++argv);
810 for (j = 0; j < strlen(psk_key); j++)
811 {
a50bce82 812 if (isxdigit((unsigned char)psk_key[j]))
ddac1974
NL		 813 continue;
814 BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
815 goto bad;
816 }
817 }
818#endif
edc032b5
BL		 819#ifndef OPENSSL_NO_SRP
820 else if (strcmp(*argv,"-srpuser") == 0)
821 {
822 if (--argc < 1) goto bad;
823 srp_arg.srplogin= *(++argv);
824 meth=TLSv1_client_method();
825 }
826 else if (strcmp(*argv,"-srppass") == 0)
827 {
828 if (--argc < 1) goto bad;
829 srppass= *(++argv);
830 meth=TLSv1_client_method();
831 }
832 else if (strcmp(*argv,"-srp_strength") == 0)
833 {
834 if (--argc < 1) goto bad;
835 srp_arg.strength=atoi(*(++argv));
836 BIO_printf(bio_err,"SRP minimal length for N is %d\n",srp_arg.strength);
837 meth=TLSv1_client_method();
838 }
839 else if (strcmp(*argv,"-srp_lateuser") == 0)
840 {
841 srp_lateuser= 1;
842 meth=TLSv1_client_method();
843 }
844 else if (strcmp(*argv,"-srp_moregroups") == 0)
845 {
846 srp_arg.amp=1;
847 meth=TLSv1_client_method();
848 }
849#endif
cf1b7d96 850#ifndef OPENSSL_NO_SSL2
d02b48c6
RE		 851 else if (strcmp(*argv,"-ssl2") == 0)
852 meth=SSLv2_client_method();
853#endif
cf1b7d96 854#ifndef OPENSSL_NO_SSL3
d02b48c6
RE		 855 else if (strcmp(*argv,"-ssl3") == 0)
856 meth=SSLv3_client_method();
58964a49 857#endif
cf1b7d96 858#ifndef OPENSSL_NO_TLS1
7409d7ad
DSH		 859 else if (strcmp(*argv,"-tls1_2") == 0)
860 meth=TLSv1_2_client_method();
637f374a
DSH		 861 else if (strcmp(*argv,"-tls1_1") == 0)
862 meth=TLSv1_1_client_method();
58964a49
RE		 863 else if (strcmp(*argv,"-tls1") == 0)
864 meth=TLSv1_client_method();
36d16f8e
BL		 865#endif
866#ifndef OPENSSL_NO_DTLS1
867 else if (strcmp(*argv,"-dtls1") == 0)
868 {
869 meth=DTLSv1_client_method();
b1277b99 870 socket_type=SOCK_DGRAM;
36d16f8e
BL		 871 }
872 else if (strcmp(*argv,"-timeout") == 0)
873 enable_timeouts=1;
874 else if (strcmp(*argv,"-mtu") == 0)
875 {
876 if (--argc < 1) goto bad;
b1277b99 877 socket_mtu = atol(*(++argv));
36d16f8e 878 }
d02b48c6 879#endif
826a42a0
DSH		 880 else if (strcmp(*argv,"-keyform") == 0)
881 {
882 if (--argc < 1) goto bad;
883 key_format = str2fmt(*(++argv));
884 }
885 else if (strcmp(*argv,"-pass") == 0)
886 {
887 if (--argc < 1) goto bad;
888 passarg = *(++argv);
889 }
d02b48c6
RE		 890 else if (strcmp(*argv,"-key") == 0)
891 {
892 if (--argc < 1) goto bad;
893 key_file= *(++argv);
894 }
895 else if (strcmp(*argv,"-reconnect") == 0)
896 {
897 reconnect=5;
898 }
899 else if (strcmp(*argv,"-CApath") == 0)
900 {
901 if (--argc < 1) goto bad;
902 CApath= *(++argv);
903 }
74ecfab4
DSH		 904 else if (strcmp(*argv,"-build_chain") == 0)
905 build_chain = 1;
d02b48c6
RE		 906 else if (strcmp(*argv,"-CAfile") == 0)
907 {
908 if (--argc < 1) goto bad;
909 CAfile= *(++argv);
910 }
6434abbf 911#ifndef OPENSSL_NO_TLSEXT
bf48836c 912# ifndef OPENSSL_NO_NEXTPROTONEG
ee2ffc27
BL		 913 else if (strcmp(*argv,"-nextprotoneg") == 0)
914 {
915 if (--argc < 1) goto bad;
916 next_proto_neg_in = *(++argv);
917 }
918# endif
6434abbf 919#endif
d02b48c6
RE		 920#ifdef FIONBIO
921 else if (strcmp(*argv,"-nbio") == 0)
922 { c_nbio=1; }
923#endif
135c0af1
RL		 924 else if (strcmp(*argv,"-starttls") == 0)
925 {
926 if (--argc < 1) goto bad;
927 ++argv;
928 if (strcmp(*argv,"smtp") == 0)
85c67492 929 starttls_proto = PROTO_SMTP;
4f17dfcd 930 else if (strcmp(*argv,"pop3") == 0)
85c67492
RL		 931 starttls_proto = PROTO_POP3;
932 else if (strcmp(*argv,"imap") == 0)
933 starttls_proto = PROTO_IMAP;
934 else if (strcmp(*argv,"ftp") == 0)
935 starttls_proto = PROTO_FTP;
d5bbead4
BL		 936 else if (strcmp(*argv, "xmpp") == 0)
937 starttls_proto = PROTO_XMPP;
135c0af1
RL		 938 else
939 goto bad;
940 }
0b13e9f0 941#ifndef OPENSSL_NO_ENGINE
5270e702
RL		 942 else if (strcmp(*argv,"-engine") == 0)
943 {
944 if (--argc < 1) goto bad;
945 engine_id = *(++argv);
946 }
59d2d48f
DSH		 947 else if (strcmp(*argv,"-ssl_client_engine") == 0)
948 {
949 if (--argc < 1) goto bad;
950 ssl_client_engine_id = *(++argv);
951 }
0b13e9f0 952#endif
52b621db
LJ		 953 else if (strcmp(*argv,"-rand") == 0)
954 {
955 if (--argc < 1) goto bad;
956 inrand= *(++argv);
957 }
ed3883d2
BM		 958#ifndef OPENSSL_NO_TLSEXT
959 else if (strcmp(*argv,"-servername") == 0)
960 {
961 if (--argc < 1) goto bad;
962 servername= *(++argv);
963 /* meth=TLSv1_client_method(); */
964 }
965#endif
a70da5b3
DSH		 966 else if (strcmp(*argv,"-checkhost") == 0)
967 {
968 if (--argc < 1) goto bad;
969 checkhost=(unsigned char *)*(++argv);
970 }
971 else if (strcmp(*argv,"-checkemail") == 0)
972 {
973 if (--argc < 1) goto bad;
974 checkemail=(unsigned char *)*(++argv);
975 }
976 else if (strcmp(*argv,"-checkip") == 0)
977 {
978 if (--argc < 1) goto bad;
979 checkip=*(++argv);
980 }
79bd20fd 981#ifndef OPENSSL_NO_JPAKE
6caa4edd
BL		 982 else if (strcmp(*argv,"-jpake") == 0)
983 {
984 if (--argc < 1) goto bad;
985 jpake_secret = *++argv;
986 }
ed551cdd 987#endif
333f926d
BL		 988 else if (strcmp(*argv,"-use_srtp") == 0)
989 {
990 if (--argc < 1) goto bad;
991 srtp_profiles = *(++argv);
992 }
e0af0405
BL		 993 else if (strcmp(*argv,"-keymatexport") == 0)
994 {
995 if (--argc < 1) goto bad;
996 keymatexportlabel= *(++argv);
997 }
998 else if (strcmp(*argv,"-keymatexportlen") == 0)
999 {
1000 if (--argc < 1) goto bad;
1001 keymatexportlen=atoi(*(++argv));
1002 if (keymatexportlen == 0) goto bad;
1003 }
333f926d 1004 else
d02b48c6
RE		 1005 {
1006 BIO_printf(bio_err,"unknown option %s\n",*argv);
1007 badop=1;
1008 break;
1009 }
1010 argc--;
1011 argv++;
1012 }
1013 if (badop)
1014 {
1015bad:
1016 sc_usage();
1017 goto end;
1018 }
1019
79bd20fd 1020#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
f3b7bdad
BL		 1021 if (jpake_secret)
1022 {
1023 if (psk_key)
1024 {
1025 BIO_printf(bio_err,
1026 "Can't use JPAKE and PSK together\n");
1027 goto end;
1028 }
1029 psk_identity = "JPAKE";
1030 }
1031
1032 if (cipher)
1033 {
1034 BIO_printf(bio_err, "JPAKE sets cipher to PSK\n");
1035 goto end;
1036 }
1037 cipher = "PSK";
1038#endif
1039
cead7f36
RL		 1040 OpenSSL_add_ssl_algorithms();
1041 SSL_load_error_strings();
1042
bf48836c 1043#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
ee2ffc27
BL		 1044 next_proto.status = -1;
1045 if (next_proto_neg_in)
1046 {
1047 next_proto.data = next_protos_parse(&next_proto.len, next_proto_neg_in);
1048 if (next_proto.data == NULL)
1049 {
1050 BIO_printf(bio_err, "Error parsing -nextprotoneg argument\n");
1051 goto end;
1052 }
1053 }
1054 else
1055 next_proto.data = NULL;
1056#endif
1057
0b13e9f0 1058#ifndef OPENSSL_NO_ENGINE
cead7f36 1059 e = setup_engine(bio_err, engine_id, 1);
59d2d48f
DSH		 1060 if (ssl_client_engine_id)
1061 {
1062 ssl_client_engine = ENGINE_by_id(ssl_client_engine_id);
1063 if (!ssl_client_engine)
1064 {
1065 BIO_printf(bio_err,
1066 "Error getting client auth engine\n");
1067 goto end;
1068 }
1069 }
1070
0b13e9f0 1071#endif
826a42a0
DSH		 1072 if (!app_passwd(bio_err, passarg, NULL, &pass, NULL))
1073 {
1074 BIO_printf(bio_err, "Error getting password\n");
1075 goto end;
1076 }
1077
1078 if (key_file == NULL)
1079 key_file = cert_file;
1080
abbc186b
DSH		 1081
1082 if (key_file)
1083
826a42a0 1084 {
abbc186b
DSH		 1085
1086 key = load_key(bio_err, key_file, key_format, 0, pass, e,
1087 "client certificate private key file");
1088 if (!key)
1089 {
1090 ERR_print_errors(bio_err);
1091 goto end;
1092 }
1093
826a42a0
DSH		 1094 }
1095
abbc186b 1096 if (cert_file)
826a42a0 1097
826a42a0 1098 {
abbc186b
DSH		 1099 cert = load_cert(bio_err,cert_file,cert_format,
1100 NULL, e, "client certificate file");
1101
1102 if (!cert)
1103 {
1104 ERR_print_errors(bio_err);
1105 goto end;
1106 }
826a42a0 1107 }
cead7f36 1108
3208fc59
DSH		 1109 if (!load_excert(&exc, bio_err))
1110 goto end;
1111
52b621db
LJ		 1112 if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
1113 && !RAND_status())
1114 {
1115 BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
1116 }
1117 if (inrand != NULL)
1118 BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
1119 app_RAND_load_files(inrand));
a31011e8 1120
d02b48c6
RE		 1121 if (bio_c_out == NULL)
1122 {
a661b653 1123 if (c_quiet && !c_debug && !c_msg)
d02b48c6
RE		 1124 {
1125 bio_c_out=BIO_new(BIO_s_null());
1126 }
1127 else
1128 {
1129 if (bio_c_out == NULL)
1130 bio_c_out=BIO_new_fp(stdout,BIO_NOCLOSE);
1131 }
1132 }
1133
edc032b5
BL		 1134#ifndef OPENSSL_NO_SRP
1135 if(!app_passwd(bio_err, srppass, NULL, &srp_arg.srppassin, NULL))
1136 {
1137 BIO_printf(bio_err, "Error getting password\n");
1138 goto end;
1139 }
1140#endif
1141
d02b48c6
RE		 1142 ctx=SSL_CTX_new(meth);
1143 if (ctx == NULL)
1144 {
1145 ERR_print_errors(bio_err);
1146 goto end;
1147 }
1148
db99779b
DSH		 1149 if (vpm)
1150 SSL_CTX_set1_param(ctx, vpm);
1151
191b3f0b 1152 if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, 1))
5d2e07f1
DSH		 1153 {
1154 ERR_print_errors(bio_err);
1155 goto end;
1156 }
1157
59d2d48f
DSH		 1158#ifndef OPENSSL_NO_ENGINE
1159 if (ssl_client_engine)
1160 {
1161 if (!SSL_CTX_set_client_cert_engine(ctx, ssl_client_engine))
1162 {
1163 BIO_puts(bio_err, "Error setting client auth engine\n");
1164 ERR_print_errors(bio_err);
1165 ENGINE_free(ssl_client_engine);
1166 goto end;
1167 }
1168 ENGINE_free(ssl_client_engine);
1169 }
1170#endif
1171
ddac1974 1172#ifndef OPENSSL_NO_PSK
79bd20fd
DSH		 1173#ifdef OPENSSL_NO_JPAKE
1174 if (psk_key != NULL)
1175#else
f3b7bdad 1176 if (psk_key != NULL || jpake_secret)
79bd20fd 1177#endif
ddac1974
NL		 1178 {
1179 if (c_debug)
f3b7bdad 1180 BIO_printf(bio_c_out, "PSK key given or JPAKE in use, setting client callback\n");
ddac1974
NL		 1181 SSL_CTX_set_psk_client_callback(ctx, psk_client_cb);
1182 }
333f926d
BL		 1183 if (srtp_profiles != NULL)
1184 SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles);
ddac1974 1185#endif
3208fc59 1186 if (exc) ssl_ctx_set_excert(ctx, exc);
36d16f8e
BL		 1187 /* DTLS: partial reads end up discarding unread UDP bytes :-(
1188 * Setting read ahead solves this problem.
1189 */
b1277b99 1190 if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
d02b48c6 1191
bf48836c 1192#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
ee2ffc27
BL		 1193 if (next_proto.data)
1194 SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);
1195#endif
1196
d02b48c6 1197 if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
d02b48c6
RE		 1198#if 0
1199 else
1200 SSL_CTX_set_cipher_list(ctx,getenv("SSL_CIPHER"));
1201#endif
1202
1203 SSL_CTX_set_verify(ctx,verify,verify_callback);
d02b48c6
RE		 1204
1205 if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
1206 (!SSL_CTX_set_default_verify_paths(ctx)))
1207 {
657e60fa 1208 /* BIO_printf(bio_err,"error setting default verify locations\n"); */
d02b48c6 1209 ERR_print_errors(bio_err);
58964a49 1210 /* goto end; */
d02b48c6
RE		 1211 }
1212
74ecfab4
DSH		 1213 if (!set_cert_key_stuff(ctx,cert,key, NULL, build_chain))
1214 goto end;
1215
ed3883d2 1216#ifndef OPENSSL_NO_TLSEXT
b1277b99
BM		 1217 if (servername != NULL)
1218 {
ed3883d2
BM		 1219 tlsextcbp.biodebug = bio_err;
1220 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
1221 SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
b1277b99 1222 }
edc032b5
BL		 1223#ifndef OPENSSL_NO_SRP
1224 if (srp_arg.srplogin)
1225 {
f2fc3075 1226 if (!srp_lateuser && !SSL_CTX_set_srp_username(ctx, srp_arg.srplogin))
edc032b5
BL		 1227 {
1228 BIO_printf(bio_err,"Unable to set SRP username\n");
1229 goto end;
1230 }
1231 srp_arg.msg = c_msg;
1232 srp_arg.debug = c_debug ;
1233 SSL_CTX_set_srp_cb_arg(ctx,&srp_arg);
1234 SSL_CTX_set_srp_client_pwd_callback(ctx, ssl_give_srp_client_pwd_cb);
1235 SSL_CTX_set_srp_strength(ctx, srp_arg.strength);
1236 if (c_msg || c_debug || srp_arg.amp == 0)
1237 SSL_CTX_set_srp_verify_param_callback(ctx, ssl_srp_verify_param_cb);
1238 }
1239
1240#endif
a9e1c50b
BL		 1241 if (c_proof_debug)
1242 SSL_CTX_set_tlsext_authz_server_audit_proof_cb(ctx,
1243 audit_proof_cb);
ed3883d2 1244#endif
d02b48c6 1245
82fc1d9c 1246 con=SSL_new(ctx);
6434abbf
DSH		 1247 if (sess_in)
1248 {
1249 SSL_SESSION *sess;
1250 BIO *stmp = BIO_new_file(sess_in, "r");
1251 if (!stmp)
1252 {
1253 BIO_printf(bio_err, "Can't open session file %s\n",
1254 sess_in);
1255 ERR_print_errors(bio_err);
1256 goto end;
1257 }
1258 sess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL);
1259 BIO_free(stmp);
1260 if (!sess)
1261 {
1262 BIO_printf(bio_err, "Can't open session file %s\n",
1263 sess_in);
1264 ERR_print_errors(bio_err);
1265 goto end;
1266 }
1267 SSL_set_session(con, sess);
1268 SSL_SESSION_free(sess);
1269 }
ed3883d2 1270#ifndef OPENSSL_NO_TLSEXT
b1277b99
BM		 1271 if (servername != NULL)
1272 {
a13c20f6 1273 if (!SSL_set_tlsext_host_name(con,servername))
b1277b99 1274 {
ed3883d2
BM		 1275 BIO_printf(bio_err,"Unable to set TLS servername extension.\n");
1276 ERR_print_errors(bio_err);
1277 goto end;
b1277b99 1278 }
ed3883d2 1279 }
ed3883d2 1280#endif
cf1b7d96 1281#ifndef OPENSSL_NO_KRB5
4f7a2ab8 1282 if (con && (kctx = kssl_ctx_new()) != NULL)
f9b3bff6 1283 {
4f7a2ab8
DSH		 1284 SSL_set0_kssl_ctx(con, kctx);
1285 kssl_ctx_setstring(kctx, KSSL_SERVER, host);
f9b3bff6 1286 }
cf1b7d96 1287#endif /* OPENSSL_NO_KRB5 */
58964a49 1288/* SSL_set_cipher_list(con,"RC4-MD5"); */
761772d7
BM		 1289#if 0
1290#ifdef TLSEXT_TYPE_opaque_prf_input
86d4bc3a 1291 SSL_set_tlsext_opaque_prf_input(con, "Test client", 11);
761772d7
BM		 1292#endif
1293#endif
d02b48c6
RE		 1294
1295re_start:
1296
b1277b99 1297 if (init_client(&s,host,port,socket_type) == 0)
d02b48c6 1298 {
58964a49 1299 BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
d02b48c6
RE		 1300 SHUTDOWN(s);
1301 goto end;
1302 }
1303 BIO_printf(bio_c_out,"CONNECTED(%08X)\n",s);
1304
1305#ifdef FIONBIO
1306 if (c_nbio)
1307 {
1308 unsigned long l=1;
1309 BIO_printf(bio_c_out,"turning on non blocking io\n");
58964a49
RE		 1310 if (BIO_socket_ioctl(s,FIONBIO,&l) < 0)
1311 {
1312 ERR_print_errors(bio_err);
1313 goto end;
1314 }
d02b48c6
RE		 1315 }
1316#endif
08557cf2 1317 if (c_Pause & 0x01) SSL_set_debug(con, 1);
36d16f8e
BL		 1318
1319 if ( SSL_version(con) == DTLS1_VERSION)
1320 {
36d16f8e
BL		 1321
1322 sbio=BIO_new_dgram(s,BIO_NOCLOSE);
6c61726b 1323 if (getsockname(s, &peer, (void *)&peerlen) < 0)
36d16f8e
BL		 1324 {
1325 BIO_printf(bio_err, "getsockname:errno=%d\n",
1326 get_last_socket_error());
1327 SHUTDOWN(s);
1328 goto end;
1329 }
1330
710069c1 1331 (void)BIO_ctrl_set_connected(sbio, 1, &peer);
36d16f8e 1332
b1277b99 1333 if (enable_timeouts)
36d16f8e
BL		 1334 {
1335 timeout.tv_sec = 0;
1336 timeout.tv_usec = DGRAM_RCV_TIMEOUT;
1337 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
1338
1339 timeout.tv_sec = 0;
1340 timeout.tv_usec = DGRAM_SND_TIMEOUT;
1341 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
1342 }
1343
046f2101 1344 if (socket_mtu > 28)
36d16f8e
BL		 1345 {
1346 SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
046f2101 1347 SSL_set_mtu(con, socket_mtu - 28);
36d16f8e
BL		 1348 }
1349 else
1350 /* want to do MTU discovery */
1351 BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
1352 }
1353 else
1354 sbio=BIO_new_socket(s,BIO_NOCLOSE);
1355
d02b48c6
RE		 1356 if (nbio_test)
1357 {
1358 BIO *test;
1359
1360 test=BIO_new(BIO_f_nbio_test());
1361 sbio=BIO_push(test,sbio);
1362 }
1363
1364 if (c_debug)
1365 {
08557cf2 1366 SSL_set_debug(con, 1);
25495640 1367 BIO_set_callback(sbio,bio_dump_callback);
7806f3dd 1368 BIO_set_callback_arg(sbio,(char *)bio_c_out);
d02b48c6 1369 }
a661b653
BM		 1370 if (c_msg)
1371 {
93ab9e42
DSH		 1372#ifndef OPENSSL_NO_SSL_TRACE
1373 if (c_msg == 2)
1374 SSL_set_msg_callback(con, SSL_trace);
1375 else
1376#endif
1377 SSL_set_msg_callback(con, msg_cb);
1378 SSL_set_msg_callback_arg(con, bio_c_msg ? bio_c_msg : bio_c_out);
a661b653 1379 }
6434abbf
DSH		 1380#ifndef OPENSSL_NO_TLSEXT
1381 if (c_tlsextdebug)
1382 {
1383 SSL_set_tlsext_debug_callback(con, tlsext_cb);
1384 SSL_set_tlsext_debug_arg(con, bio_c_out);
1385 }
67c8e7f4
DSH		 1386 if (c_status_req)
1387 {
1388 SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp);
1389 SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb);
1390 SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out);
1391#if 0
1392{
1393STACK_OF(OCSP_RESPID) *ids = sk_OCSP_RESPID_new_null();
1394OCSP_RESPID *id = OCSP_RESPID_new();
1395id->value.byKey = ASN1_OCTET_STRING_new();
1396id->type = V_OCSP_RESPID_KEY;
1397ASN1_STRING_set(id->value.byKey, "Hello World", -1);
1398sk_OCSP_RESPID_push(ids, id);
1399SSL_set_tlsext_status_ids(con, ids);
1400}
1401#endif
1402 }
6434abbf 1403#endif
79bd20fd 1404#ifndef OPENSSL_NO_JPAKE
6caa4edd
BL		 1405 if (jpake_secret)
1406 jpake_client_auth(bio_c_out, sbio, jpake_secret);
ed551cdd 1407#endif
6caa4edd 1408
d02b48c6
RE		 1409 SSL_set_bio(con,sbio,sbio);
1410 SSL_set_connect_state(con);
1411
1412 /* ok, lets connect */
1413 width=SSL_get_fd(con)+1;
1414
1415 read_tty=1;
1416 write_tty=0;
1417 tty_on=0;
1418 read_ssl=1;
1419 write_ssl=1;
1420
1421 cbuf_len=0;
1422 cbuf_off=0;
1423 sbuf_len=0;
1424 sbuf_off=0;
1425
135c0af1 1426 /* This is an ugly hack that does a lot of assumptions */
ee373e7f
LJ		 1427 /* We do have to handle multi-line responses which may come
1428 in a single packet or not. We therefore have to use
1429 BIO_gets() which does need a buffering BIO. So during
1430 the initial chitchat we do push a buffering BIO into the
1431 chain that is removed again later on to not disturb the
1432 rest of the s_client operation. */
85c67492 1433 if (starttls_proto == PROTO_SMTP)
135c0af1 1434 {
8d72476e 1435 int foundit=0;
ee373e7f
LJ		 1436 BIO *fbio = BIO_new(BIO_f_buffer());
1437 BIO_push(fbio, sbio);
85c67492
RL		 1438 /* wait for multi-line response to end from SMTP */
1439 do
1440 {
ee373e7f 1441 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
85c67492
RL		 1442 }
1443 while (mbuf_len>3 && mbuf[3]=='-');
8d72476e 1444 /* STARTTLS command requires EHLO... */
ee373e7f 1445 BIO_printf(fbio,"EHLO openssl.client.net\r\n");
710069c1 1446 (void)BIO_flush(fbio);
8d72476e
LJ		 1447 /* wait for multi-line response to end EHLO SMTP response */
1448 do
1449 {
ee373e7f 1450 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
8d72476e
LJ		 1451 if (strstr(mbuf,"STARTTLS"))
1452 foundit=1;
1453 }
1454 while (mbuf_len>3 && mbuf[3]=='-');
710069c1 1455 (void)BIO_flush(fbio);
ee373e7f
LJ		 1456 BIO_pop(fbio);
1457 BIO_free(fbio);
8d72476e
LJ		 1458 if (!foundit)
1459 BIO_printf(bio_err,
1460 "didn't found starttls in server response,"
1461 " try anyway...\n");
135c0af1
RL		 1462 BIO_printf(sbio,"STARTTLS\r\n");
1463 BIO_read(sbio,sbuf,BUFSIZZ);
1464 }
85c67492 1465 else if (starttls_proto == PROTO_POP3)
4f17dfcd
LJ		 1466 {
1467 BIO_read(sbio,mbuf,BUFSIZZ);
1468 BIO_printf(sbio,"STLS\r\n");
1469 BIO_read(sbio,sbuf,BUFSIZZ);
1470 }
85c67492
RL		 1471 else if (starttls_proto == PROTO_IMAP)
1472 {
8d72476e 1473 int foundit=0;
ee373e7f
LJ		 1474 BIO *fbio = BIO_new(BIO_f_buffer());
1475 BIO_push(fbio, sbio);
1476 BIO_gets(fbio,mbuf,BUFSIZZ);
8d72476e 1477 /* STARTTLS command requires CAPABILITY... */
ee373e7f 1478 BIO_printf(fbio,". CAPABILITY\r\n");
710069c1 1479 (void)BIO_flush(fbio);
8d72476e
LJ		 1480 /* wait for multi-line CAPABILITY response */
1481 do
1482 {
ee373e7f 1483 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
8d72476e
LJ		 1484 if (strstr(mbuf,"STARTTLS"))
1485 foundit=1;
1486 }
ee373e7f 1487 while (mbuf_len>3 && mbuf[0]!='.');
710069c1 1488 (void)BIO_flush(fbio);
ee373e7f
LJ		 1489 BIO_pop(fbio);
1490 BIO_free(fbio);
8d72476e
LJ		 1491 if (!foundit)
1492 BIO_printf(bio_err,
1493 "didn't found STARTTLS in server response,"
1494 " try anyway...\n");
1495 BIO_printf(sbio,". STARTTLS\r\n");
85c67492
RL		 1496 BIO_read(sbio,sbuf,BUFSIZZ);
1497 }
1498 else if (starttls_proto == PROTO_FTP)
1499 {
ee373e7f
LJ		 1500 BIO *fbio = BIO_new(BIO_f_buffer());
1501 BIO_push(fbio, sbio);
85c67492
RL		 1502 /* wait for multi-line response to end from FTP */
1503 do
1504 {
ee373e7f 1505 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
85c67492
RL		 1506 }
1507 while (mbuf_len>3 && mbuf[3]=='-');
710069c1 1508 (void)BIO_flush(fbio);
ee373e7f
LJ		 1509 BIO_pop(fbio);
1510 BIO_free(fbio);
85c67492
RL		 1511 BIO_printf(sbio,"AUTH TLS\r\n");
1512 BIO_read(sbio,sbuf,BUFSIZZ);
1513 }
d5bbead4
BL		 1514 if (starttls_proto == PROTO_XMPP)
1515 {
1516 int seen = 0;
1517 BIO_printf(sbio,"<stream:stream "
1518 "xmlns:stream='http://etherx.jabber.org/streams' "
1519 "xmlns='jabber:client' to='%s' version='1.0'>", host);
1520 seen = BIO_read(sbio,mbuf,BUFSIZZ);
1521 mbuf[seen] = 0;
1522 while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'"))
1523 {
1524 if (strstr(mbuf, "/stream:features>"))
1525 goto shut;
1526 seen = BIO_read(sbio,mbuf,BUFSIZZ);
1527 mbuf[seen] = 0;
1528 }
1529 BIO_printf(sbio, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>");
1530 seen = BIO_read(sbio,sbuf,BUFSIZZ);
1531 sbuf[seen] = 0;
1532 if (!strstr(sbuf, "<proceed"))
1533 goto shut;
1534 mbuf[0] = 0;
1535 }
135c0af1 1536
d02b48c6
RE		 1537 for (;;)
1538 {
1539 FD_ZERO(&readfds);
1540 FD_ZERO(&writefds);
1541
b972fbaa
DSH		 1542 if ((SSL_version(con) == DTLS1_VERSION) &&
1543 DTLSv1_get_timeout(con, &timeout))
1544 timeoutp = &timeout;
1545 else
1546 timeoutp = NULL;
1547
58964a49 1548 if (SSL_in_init(con) && !SSL_total_renegotiations(con))
d02b48c6
RE		 1549 {
1550 in_init=1;
1551 tty_on=0;
1552 }
1553 else
1554 {
1555 tty_on=1;
1556 if (in_init)
1557 {
1558 in_init=0;
761772d7 1559#if 0 /* This test doesn't really work as intended (needs to be fixed) */
ed3883d2 1560#ifndef OPENSSL_NO_TLSEXT
b166f13e
BM		 1561 if (servername != NULL && !SSL_session_reused(con))
1562 {
1563 BIO_printf(bio_c_out,"Server did %sacknowledge servername extension.\n",tlsextcbp.ack?"":"not ");
1564 }
761772d7 1565#endif
ed3883d2 1566#endif
6434abbf
DSH		 1567 if (sess_out)
1568 {
1569 BIO *stmp = BIO_new_file(sess_out, "w");
1570 if (stmp)
1571 {
1572 PEM_write_bio_SSL_SESSION(stmp, SSL_get_session(con));
1573 BIO_free(stmp);
1574 }
1575 else
1576 BIO_printf(bio_err, "Error writing session file %s\n", sess_out);
1577 }
2a7cbe77
DSH		 1578 if (c_brief)
1579 {
1580 BIO_puts(bio_err,
1581 "CONNECTION ESTABLISHED\n");
1582 print_ssl_summary(bio_err, con);
1583 }
a70da5b3
DSH		 1584 print_ssl_cert_checks(bio_err, con, checkhost,
1585 checkemail, checkip);
d02b48c6
RE		 1586 print_stuff(bio_c_out,con,full_log);
1587 if (full_log > 0) full_log--;
1588
4f17dfcd 1589 if (starttls_proto)
135c0af1
RL		 1590 {
1591 BIO_printf(bio_err,"%s",mbuf);
1592 /* We don't need to know any more */
85c67492 1593 starttls_proto = PROTO_OFF;
135c0af1
RL		 1594 }
1595
d02b48c6
RE		 1596 if (reconnect)
1597 {
1598 reconnect--;
1599 BIO_printf(bio_c_out,"drop connection and then reconnect\n");
1600 SSL_shutdown(con);
1601 SSL_set_connect_state(con);
1602 SHUTDOWN(SSL_get_fd(con));
1603 goto re_start;
1604 }
1605 }
1606 }
1607
c7ac31e2
BM		 1608 ssl_pending = read_ssl && SSL_pending(con);
1609
1610 if (!ssl_pending)
d02b48c6 1611 {
4700aea9 1612#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) && !defined (OPENSSL_SYS_BEOS_R5)
c7ac31e2
BM		 1613 if (tty_on)
1614 {
7bf7333d
DSH		 1615 if (read_tty) openssl_fdset(fileno(stdin),&readfds);
1616 if (write_tty) openssl_fdset(fileno(stdout),&writefds);
c7ac31e2 1617 }
c7ac31e2 1618 if (read_ssl)
7bf7333d 1619 openssl_fdset(SSL_get_fd(con),&readfds);
c7ac31e2 1620 if (write_ssl)
7bf7333d 1621 openssl_fdset(SSL_get_fd(con),&writefds);
06f4536a
DSH		 1622#else
1623 if(!tty_on || !write_tty) {
1624 if (read_ssl)
7bf7333d 1625 openssl_fdset(SSL_get_fd(con),&readfds);
06f4536a 1626 if (write_ssl)
7bf7333d 1627 openssl_fdset(SSL_get_fd(con),&writefds);
06f4536a
DSH		 1628 }
1629#endif
c7ac31e2
BM		 1630/* printf("mode tty(%d %d%d) ssl(%d%d)\n",
1631 tty_on,read_tty,write_tty,read_ssl,write_ssl);*/
d02b48c6 1632
75e0770d 1633 /* Note: under VMS with SOCKETSHR the second parameter
7d7d2cbc
UM		 1634 * is currently of type (int *) whereas under other
1635 * systems it is (void *) if you don't have a cast it
1636 * will choke the compiler: if you do have a cast then
1637 * you can either go for (int *) or (void *).
1638 */
3d7c4a5a
RL		 1639#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
1640 /* Under Windows/DOS we make the assumption that we can
06f4536a
DSH		 1641 * always write to the tty: therefore if we need to
1642 * write to the tty we just fall through. Otherwise
1643 * we timeout the select every second and see if there
1644 * are any keypresses. Note: this is a hack, in a proper
1645 * Windows application we wouldn't do this.
1646 */
4ec19e20 1647 i=0;
06f4536a
DSH		 1648 if(!write_tty) {
1649 if(read_tty) {
1650 tv.tv_sec = 1;
1651 tv.tv_usec = 0;
1652 i=select(width,(void *)&readfds,(void *)&writefds,
1653 NULL,&tv);
3d7c4a5a 1654#if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
0bf23d9b
RL		 1655 if(!i && (!_kbhit() || !read_tty) ) continue;
1656#else
a9ef75c5 1657 if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue;
0bf23d9b 1658#endif
06f4536a 1659 } else i=select(width,(void *)&readfds,(void *)&writefds,
b972fbaa 1660 NULL,timeoutp);
06f4536a 1661 }
47c1735a
RL		 1662#elif defined(OPENSSL_SYS_NETWARE)
1663 if(!write_tty) {
1664 if(read_tty) {
1665 tv.tv_sec = 1;
1666 tv.tv_usec = 0;
1667 i=select(width,(void *)&readfds,(void *)&writefds,
1668 NULL,&tv);
1669 } else i=select(width,(void *)&readfds,(void *)&writefds,
b972fbaa 1670 NULL,timeoutp);
47c1735a 1671 }
4700aea9
UM		 1672#elif defined(OPENSSL_SYS_BEOS_R5)
1673 /* Under BeOS-R5 the situation is similar to DOS */
1674 i=0;
1675 stdin_set = 0;
1676 (void)fcntl(fileno(stdin), F_SETFL, O_NONBLOCK);
1677 if(!write_tty) {
1678 if(read_tty) {
1679 tv.tv_sec = 1;
1680 tv.tv_usec = 0;
1681 i=select(width,(void *)&readfds,(void *)&writefds,
1682 NULL,&tv);
1683 if (read(fileno(stdin), sbuf, 0) >= 0)
1684 stdin_set = 1;
1685 if (!i && (stdin_set != 1 || !read_tty))
1686 continue;
1687 } else i=select(width,(void *)&readfds,(void *)&writefds,
b972fbaa 1688 NULL,timeoutp);
4700aea9
UM		 1689 }
1690 (void)fcntl(fileno(stdin), F_SETFL, 0);
06f4536a 1691#else
7d7d2cbc 1692 i=select(width,(void *)&readfds,(void *)&writefds,
b972fbaa 1693 NULL,timeoutp);
06f4536a 1694#endif
c7ac31e2
BM		 1695 if ( i < 0)
1696 {
1697 BIO_printf(bio_err,"bad select %d\n",
58964a49 1698 get_last_socket_error());
c7ac31e2
BM		 1699 goto shut;
1700 /* goto end; */
1701 }
d02b48c6
RE		 1702 }
1703
b972fbaa
DSH		 1704 if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0)
1705 {
1706 BIO_printf(bio_err,"TIMEOUT occured\n");
1707 }
1708
c7ac31e2 1709 if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds))
d02b48c6
RE		 1710 {
1711 k=SSL_write(con,&(cbuf[cbuf_off]),
1712 (unsigned int)cbuf_len);
1713 switch (SSL_get_error(con,k))
1714 {
1715 case SSL_ERROR_NONE:
1716 cbuf_off+=k;
1717 cbuf_len-=k;
1718 if (k <= 0) goto end;
1719 /* we have done a write(con,NULL,0); */
1720 if (cbuf_len <= 0)
1721 {
1722 read_tty=1;
1723 write_ssl=0;
1724 }
1725 else /* if (cbuf_len > 0) */
1726 {
1727 read_tty=0;
1728 write_ssl=1;
1729 }
1730 break;
1731 case SSL_ERROR_WANT_WRITE:
1732 BIO_printf(bio_c_out,"write W BLOCK\n");
1733 write_ssl=1;
1734 read_tty=0;
1735 break;
1736 case SSL_ERROR_WANT_READ:
1737 BIO_printf(bio_c_out,"write R BLOCK\n");
1738 write_tty=0;
1739 read_ssl=1;
1740 write_ssl=0;
1741 break;
1742 case SSL_ERROR_WANT_X509_LOOKUP:
1743 BIO_printf(bio_c_out,"write X BLOCK\n");
1744 break;
1745 case SSL_ERROR_ZERO_RETURN:
1746 if (cbuf_len != 0)
1747 {
1748 BIO_printf(bio_c_out,"shutdown\n");
0e1dba93 1749 ret = 0;
d02b48c6
RE		 1750 goto shut;
1751 }
1752 else
1753 {
1754 read_tty=1;
1755 write_ssl=0;
1756 break;
1757 }
1758
1759 case SSL_ERROR_SYSCALL:
1760 if ((k != 0) || (cbuf_len != 0))
1761 {
1762 BIO_printf(bio_err,"write:errno=%d\n",
58964a49 1763 get_last_socket_error());
d02b48c6
RE		 1764 goto shut;
1765 }
1766 else
1767 {
1768 read_tty=1;
1769 write_ssl=0;
1770 }
1771 break;
1772 case SSL_ERROR_SSL:
1773 ERR_print_errors(bio_err);
1774 goto shut;
1775 }
1776 }
4700aea9
UM		 1777#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
1778 /* Assume Windows/DOS/BeOS can always write */
06f4536a
DSH		 1779 else if (!ssl_pending && write_tty)
1780#else
c7ac31e2 1781 else if (!ssl_pending && FD_ISSET(fileno(stdout),&writefds))
06f4536a 1782#endif
d02b48c6 1783 {
a53955d8
UM		 1784#ifdef CHARSET_EBCDIC
1785 ascii2ebcdic(&(sbuf[sbuf_off]),&(sbuf[sbuf_off]),sbuf_len);
1786#endif
ffa10187 1787 i=raw_write_stdout(&(sbuf[sbuf_off]),sbuf_len);
d02b48c6
RE		 1788
1789 if (i <= 0)
1790 {
1791 BIO_printf(bio_c_out,"DONE\n");
0e1dba93 1792 ret = 0;
d02b48c6
RE		 1793 goto shut;
1794 /* goto end; */
1795 }
1796
1797 sbuf_len-=i;;
1798 sbuf_off+=i;
1799 if (sbuf_len <= 0)
1800 {
1801 read_ssl=1;
1802 write_tty=0;
1803 }
1804 }
c7ac31e2 1805 else if (ssl_pending || FD_ISSET(SSL_get_fd(con),&readfds))
d02b48c6 1806 {
58964a49
RE		 1807#ifdef RENEG
1808{ static int iiii; if (++iiii == 52) { SSL_renegotiate(con); iiii=0; } }
1809#endif
dfeab068 1810#if 1
58964a49 1811 k=SSL_read(con,sbuf,1024 /* BUFSIZZ */ );
dfeab068
RE		 1812#else
1813/* Demo for pending and peek :-) */
1814 k=SSL_read(con,sbuf,16);
1815{ char zbuf[10240];
1816printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240));
1817}
1818#endif
d02b48c6
RE		 1819
1820 switch (SSL_get_error(con,k))
1821 {
1822 case SSL_ERROR_NONE:
1823 if (k <= 0)
1824 goto end;
1825 sbuf_off=0;
1826 sbuf_len=k;
1827
1828 read_ssl=0;
1829 write_tty=1;
1830 break;
1831 case SSL_ERROR_WANT_WRITE:
1832 BIO_printf(bio_c_out,"read W BLOCK\n");
1833 write_ssl=1;
1834 read_tty=0;
1835 break;
1836 case SSL_ERROR_WANT_READ:
1837 BIO_printf(bio_c_out,"read R BLOCK\n");
1838 write_tty=0;
1839 read_ssl=1;
1840 if ((read_tty == 0) && (write_ssl == 0))
1841 write_ssl=1;
1842 break;
1843 case SSL_ERROR_WANT_X509_LOOKUP:
1844 BIO_printf(bio_c_out,"read X BLOCK\n");
1845 break;
1846 case SSL_ERROR_SYSCALL:
0e1dba93
DSH		 1847 ret=get_last_socket_error();
1848 BIO_printf(bio_err,"read:errno=%d\n",ret);
d02b48c6
RE		 1849 goto shut;
1850 case SSL_ERROR_ZERO_RETURN:
1851 BIO_printf(bio_c_out,"closed\n");
0e1dba93 1852 ret=0;
d02b48c6
RE		 1853 goto shut;
1854 case SSL_ERROR_SSL:
1855 ERR_print_errors(bio_err);
1856 goto shut;
dfeab068 1857 /* break; */
d02b48c6
RE		 1858 }
1859 }
1860
3d7c4a5a
RL		 1861#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
1862#if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
0bf23d9b
RL		 1863 else if (_kbhit())
1864#else
a9ef75c5 1865 else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
0bf23d9b 1866#endif
4d8743f4 1867#elif defined (OPENSSL_SYS_NETWARE)
ffa10187 1868 else if (_kbhit())
4700aea9
UM		 1869#elif defined(OPENSSL_SYS_BEOS_R5)
1870 else if (stdin_set)
06f4536a 1871#else
d02b48c6 1872 else if (FD_ISSET(fileno(stdin),&readfds))
06f4536a 1873#endif
d02b48c6 1874 {
1bdb8633
BM		 1875 if (crlf)
1876 {
1877 int j, lf_num;
1878
ffa10187 1879 i=raw_read_stdin(cbuf,BUFSIZZ/2);
1bdb8633
BM		 1880 lf_num = 0;
1881 /* both loops are skipped when i <= 0 */
1882 for (j = 0; j < i; j++)
1883 if (cbuf[j] == '\n')
1884 lf_num++;
1885 for (j = i-1; j >= 0; j--)
1886 {
1887 cbuf[j+lf_num] = cbuf[j];
1888 if (cbuf[j] == '\n')
1889 {
1890 lf_num--;
1891 i++;
1892 cbuf[j+lf_num] = '\r';
1893 }
1894 }
1895 assert(lf_num == 0);
1896 }
1897 else
ffa10187 1898 i=raw_read_stdin(cbuf,BUFSIZZ);
d02b48c6 1899
ce301b6b 1900 if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q')))
d02b48c6
RE		 1901 {
1902 BIO_printf(bio_err,"DONE\n");
0e1dba93 1903 ret=0;
d02b48c6
RE		 1904 goto shut;
1905 }
1906
ce301b6b 1907 if ((!c_ign_eof) && (cbuf[0] == 'R'))
d02b48c6 1908 {
3bb307c1 1909 BIO_printf(bio_err,"RENEGOTIATING\n");
d02b48c6 1910 SSL_renegotiate(con);
3bb307c1 1911 cbuf_len=0;
d02b48c6 1912 }
4817504d
DSH		 1913#ifndef OPENSSL_NO_HEARTBEATS
1914 else if ((!c_ign_eof) && (cbuf[0] == 'B'))
1915 {
1916 BIO_printf(bio_err,"HEARTBEATING\n");
1917 SSL_heartbeat(con);
1918 cbuf_len=0;
1919 }
1920#endif
d02b48c6
RE		 1921 else
1922 {
1923 cbuf_len=i;
1924 cbuf_off=0;
a53955d8
UM		 1925#ifdef CHARSET_EBCDIC
1926 ebcdic2ascii(cbuf, cbuf, i);
1927#endif
d02b48c6
RE		 1928 }
1929
d02b48c6 1930 write_ssl=1;
3bb307c1 1931 read_tty=0;
d02b48c6 1932 }
d02b48c6 1933 }
0e1dba93
DSH		 1934
1935 ret=0;
d02b48c6 1936shut:
b166f13e
BM		 1937 if (in_init)
1938 print_stuff(bio_c_out,con,full_log);
d02b48c6
RE		 1939 SSL_shutdown(con);
1940 SHUTDOWN(SSL_get_fd(con));
d02b48c6 1941end:
d916ba1b
NL		 1942 if (con != NULL)
1943 {
1944 if (prexit != 0)
1945 print_stuff(bio_c_out,con,1);
1946 SSL_free(con);
1947 }
dd251659
DSH		 1948#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
1949 if (next_proto.data)
1950 OPENSSL_free(next_proto.data);
1951#endif
d02b48c6 1952 if (ctx != NULL) SSL_CTX_free(ctx);
826a42a0
DSH		 1953 if (cert)
1954 X509_free(cert);
1955 if (key)
1956 EVP_PKEY_free(key);
1957 if (pass)
1958 OPENSSL_free(pass);
22b5d7c8
DSH		 1959 if (vpm)
1960 X509_VERIFY_PARAM_free(vpm);
3208fc59 1961 ssl_excert_free(exc);
5d2e07f1
DSH		 1962 if (ssl_args)
1963 sk_OPENSSL_STRING_free(ssl_args);
1964 if (cctx)
1965 SSL_CONF_CTX_free(cctx);
4579924b
RL		 1966 if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); }
1967 if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); }
1968 if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); }
d02b48c6
RE		 1969 if (bio_c_out != NULL)
1970 {
1971 BIO_free(bio_c_out);
1972 bio_c_out=NULL;
1973 }
93ab9e42
DSH		 1974 if (bio_c_msg != NULL)
1975 {
1976 BIO_free(bio_c_msg);
1977 bio_c_msg=NULL;
1978 }
c04f8cf4 1979 apps_shutdown();
1c3e4a36 1980 OPENSSL_EXIT(ret);
d02b48c6
RE		 1981 }
1982
1983
6b691a5c 1984static void print_stuff(BIO *bio, SSL *s, int full)
d02b48c6 1985 {
58964a49 1986 X509 *peer=NULL;
d02b48c6 1987 char *p;
7d727231 1988 static const char *space=" ";
d02b48c6 1989 char buf[BUFSIZ];
f73e07cf
BL		 1990 STACK_OF(X509) *sk;
1991 STACK_OF(X509_NAME) *sk2;
babb3798 1992 const SSL_CIPHER *c;
d02b48c6
RE		 1993 X509_NAME *xn;
1994 int j,i;
09b6c2ef 1995#ifndef OPENSSL_NO_COMP
d8ec0dcf 1996 const COMP_METHOD *comp, *expansion;
09b6c2ef 1997#endif
e0af0405 1998 unsigned char *exportedkeymat;
d02b48c6
RE		 1999
2000 if (full)
2001 {
bc2e519a
BM		 2002 int got_a_chain = 0;
2003
d02b48c6
RE		 2004 sk=SSL_get_peer_cert_chain(s);
2005 if (sk != NULL)
2006 {
bc2e519a
BM		 2007 got_a_chain = 1; /* we don't have it for SSL2 (yet) */
2008
dfeab068 2009 BIO_printf(bio,"---\nCertificate chain\n");
f73e07cf 2010 for (i=0; i<sk_X509_num(sk); i++)
d02b48c6 2011 {
f73e07cf 2012 X509_NAME_oneline(X509_get_subject_name(
54a656ef 2013 sk_X509_value(sk,i)),buf,sizeof buf);
d02b48c6 2014 BIO_printf(bio,"%2d s:%s\n",i,buf);
f73e07cf 2015 X509_NAME_oneline(X509_get_issuer_name(
54a656ef 2016 sk_X509_value(sk,i)),buf,sizeof buf);
d02b48c6 2017 BIO_printf(bio," i:%s\n",buf);
6d02d8e4 2018 if (c_showcerts)
f73e07cf 2019 PEM_write_bio_X509(bio,sk_X509_value(sk,i));
d02b48c6
RE		 2020 }
2021 }
2022
2023 BIO_printf(bio,"---\n");
2024 peer=SSL_get_peer_certificate(s);
2025 if (peer != NULL)
2026 {
2027 BIO_printf(bio,"Server certificate\n");
bc2e519a 2028 if (!(c_showcerts && got_a_chain)) /* Redundant if we showed the whole chain */
6d02d8e4 2029 PEM_write_bio_X509(bio,peer);
d02b48c6 2030 X509_NAME_oneline(X509_get_subject_name(peer),
54a656ef 2031 buf,sizeof buf);
d02b48c6
RE		 2032 BIO_printf(bio,"subject=%s\n",buf);
2033 X509_NAME_oneline(X509_get_issuer_name(peer),
54a656ef 2034 buf,sizeof buf);
d02b48c6 2035 BIO_printf(bio,"issuer=%s\n",buf);
d02b48c6
RE		 2036 }
2037 else
2038 BIO_printf(bio,"no peer certificate available\n");
2039
f73e07cf 2040 sk2=SSL_get_client_CA_list(s);
d91f8c3c 2041 if ((sk2 != NULL) && (sk_X509_NAME_num(sk2) > 0))
d02b48c6
RE		 2042 {
2043 BIO_printf(bio,"---\nAcceptable client certificate CA names\n");
f73e07cf 2044 for (i=0; i<sk_X509_NAME_num(sk2); i++)
d02b48c6 2045 {
f73e07cf 2046 xn=sk_X509_NAME_value(sk2,i);
d02b48c6
RE		 2047 X509_NAME_oneline(xn,buf,sizeof(buf));
2048 BIO_write(bio,buf,strlen(buf));
2049 BIO_write(bio,"\n",1);
2050 }
2051 }
2052 else
2053 {
2054 BIO_printf(bio,"---\nNo client certificate CA names sent\n");
2055 }
54a656ef 2056 p=SSL_get_shared_ciphers(s,buf,sizeof buf);
d02b48c6
RE		 2057 if (p != NULL)
2058 {
67a47285
BM		 2059 /* This works only for SSL 2. In later protocol
2060 * versions, the client does not know what other
2061 * ciphers (in addition to the one to be used
2062 * in the current connection) the server supports. */
2063
d02b48c6
RE		 2064 BIO_printf(bio,"---\nCiphers common between both SSL endpoints:\n");
2065 j=i=0;
2066 while (*p)
2067 {
2068 if (*p == ':')
2069 {
58964a49 2070 BIO_write(bio,space,15-j%25);
d02b48c6
RE		 2071 i++;
2072 j=0;
2073 BIO_write(bio,((i%3)?" ":"\n"),1);
2074 }
2075 else
2076 {
2077 BIO_write(bio,p,1);
2078 j++;
2079 }
2080 p++;
2081 }
2082 BIO_write(bio,"\n",1);
2083 }
2084
9f27b1ee 2085 ssl_print_sigalgs(bio, s);
33a8de69 2086 ssl_print_tmp_key(bio, s);
e7f8ff43 2087
d02b48c6
RE		 2088 BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n",
2089 BIO_number_read(SSL_get_rbio(s)),
2090 BIO_number_written(SSL_get_wbio(s)));
2091 }
08557cf2 2092 BIO_printf(bio,(SSL_cache_hit(s)?"---\nReused, ":"---\nNew, "));
d02b48c6
RE		 2093 c=SSL_get_current_cipher(s);
2094 BIO_printf(bio,"%s, Cipher is %s\n",
2095 SSL_CIPHER_get_version(c),
2096 SSL_CIPHER_get_name(c));
a8236c8c
DSH		 2097 if (peer != NULL) {
2098 EVP_PKEY *pktmp;
2099 pktmp = X509_get_pubkey(peer);
58964a49 2100 BIO_printf(bio,"Server public key is %d bit\n",
a8236c8c
DSH		 2101 EVP_PKEY_bits(pktmp));
2102 EVP_PKEY_free(pktmp);
2103 }
5430200b
DSH		 2104 BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
2105 SSL_get_secure_renegotiation_support(s) ? "" : " NOT");
09b6c2ef 2106#ifndef OPENSSL_NO_COMP
f44e184e 2107 comp=SSL_get_current_compression(s);
d8ec0dcf 2108 expansion=SSL_get_current_expansion(s);
f44e184e
RL		 2109 BIO_printf(bio,"Compression: %s\n",
2110 comp ? SSL_COMP_get_name(comp) : "NONE");
2111 BIO_printf(bio,"Expansion: %s\n",
d8ec0dcf 2112 expansion ? SSL_COMP_get_name(expansion) : "NONE");
09b6c2ef 2113#endif
71fa4513 2114
57559471 2115#ifdef SSL_DEBUG
a2f9200f
DSH		 2116 {
2117 /* Print out local port of connection: useful for debugging */
2118 int sock;
2119 struct sockaddr_in ladd;
2120 socklen_t ladd_size = sizeof(ladd);
2121 sock = SSL_get_fd(s);
2122 getsockname(sock, (struct sockaddr *)&ladd, &ladd_size);
2123 BIO_printf(bio_c_out, "LOCAL PORT is %u\n", ntohs(ladd.sin_port));
2124 }
2125#endif
2126
71fa4513
BL		 2127#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
2128 if (next_proto.status != -1) {
2129 const unsigned char *proto;
2130 unsigned int proto_len;
2131 SSL_get0_next_proto_negotiated(s, &proto, &proto_len);
2132 BIO_printf(bio, "Next protocol: (%d) ", next_proto.status);
2133 BIO_write(bio, proto, proto_len);
2134 BIO_write(bio, "\n", 1);
2135 }
2136#endif
2137
333f926d
BL		 2138 {
2139 SRTP_PROTECTION_PROFILE *srtp_profile=SSL_get_selected_srtp_profile(s);
2140
2141 if(srtp_profile)
2142 BIO_printf(bio,"SRTP Extension negotiated, profile=%s\n",
2143 srtp_profile->name);
2144 }
2145
d02b48c6 2146 SSL_SESSION_print(bio,SSL_get_session(s));
be81f4dd
DSH		 2147 if (keymatexportlabel != NULL)
2148 {
e0af0405
BL		 2149 BIO_printf(bio, "Keying material exporter:\n");
2150 BIO_printf(bio, " Label: '%s'\n", keymatexportlabel);
2151 BIO_printf(bio, " Length: %i bytes\n", keymatexportlen);
2152 exportedkeymat = OPENSSL_malloc(keymatexportlen);
be81f4dd
DSH		 2153 if (exportedkeymat != NULL)
2154 {
2155 if (!SSL_export_keying_material(s, exportedkeymat,
2156 keymatexportlen,
2157 keymatexportlabel,
2158 strlen(keymatexportlabel),
2159 NULL, 0, 0))
2160 {
2161 BIO_printf(bio, " Error\n");
2162 }
2163 else
2164 {
e0af0405
BL		 2165 BIO_printf(bio, " Keying material: ");
2166 for (i=0; i<keymatexportlen; i++)
2167 BIO_printf(bio, "%02X",
2168 exportedkeymat[i]);
2169 BIO_printf(bio, "\n");
be81f4dd 2170 }
e0af0405 2171 OPENSSL_free(exportedkeymat);
be81f4dd 2172 }
e0af0405 2173 }
d02b48c6 2174 BIO_printf(bio,"---\n");
58964a49
RE		 2175 if (peer != NULL)
2176 X509_free(peer);
41ebed27 2177 /* flush, or debugging output gets mixed with http response */
710069c1 2178 (void)BIO_flush(bio);
d02b48c6
RE		 2179 }
2180
0702150f
DSH		 2181#ifndef OPENSSL_NO_TLSEXT
2182
67c8e7f4
DSH		 2183static int ocsp_resp_cb(SSL *s, void *arg)
2184 {
2185 const unsigned char *p;
2186 int len;
2187 OCSP_RESPONSE *rsp;
2188 len = SSL_get_tlsext_status_ocsp_resp(s, &p);
2189 BIO_puts(arg, "OCSP response: ");
2190 if (!p)
2191 {
2192 BIO_puts(arg, "no response sent\n");
2193 return 1;
2194 }
2195 rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
2196 if (!rsp)
2197 {
2198 BIO_puts(arg, "response parse error\n");
2199 BIO_dump_indent(arg, (char *)p, len, 4);
2200 return 0;
2201 }
2202 BIO_puts(arg, "\n======================================\n");
2203 OCSP_RESPONSE_print(arg, rsp, 0);
2204 BIO_puts(arg, "======================================\n");
2205 OCSP_RESPONSE_free(rsp);
2206 return 1;
2207 }
0702150f 2208
a9e1c50b
BL		 2209static int audit_proof_cb(SSL *s, void *arg)
2210 {
2211 const unsigned char *proof;
2212 size_t proof_len;
2213 size_t i;
2214 SSL_SESSION *sess = SSL_get_session(s);
2215
2216 proof = SSL_SESSION_get_tlsext_authz_server_audit_proof(sess,
2217 &proof_len);
2218 if (proof != NULL)
2219 {
2220 BIO_printf(bio_c_out, "Audit proof: ");
2221 for (i = 0; i < proof_len; ++i)
2222 BIO_printf(bio_c_out, "%02X", proof[i]);
2223 BIO_printf(bio_c_out, "\n");
2224 }
2225 else
2226 {
2227 BIO_printf(bio_c_out, "No audit proof found.\n");
2228 }
2229 return 1;
2230 }
0702150f 2231#endif
A mirror of the official openssl repository