]> git.ipfire.org Git - thirdparty/openssl.git/blame - apps/s_client.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
New location on website for binaries.
[thirdparty/openssl.git] / apps / s_client.c
CommitLineData
d02b48c6 1/* apps/s_client.c */
58964a49 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
d02b48c6
RE		 3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
a661b653 58/* ====================================================================
b1277b99 59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
a661b653
BM		 60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
ddac1974
NL		 111/* ====================================================================
112 * Copyright 2005 Nokia. All rights reserved.
113 *
114 * The portions of the attached software ("Contribution") is developed by
115 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
116 * license.
117 *
118 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120 * support (see RFC 4279) to OpenSSL.
121 *
122 * No patent licenses or other rights except those expressly stated in
123 * the OpenSSL open source license shall be deemed granted or received
124 * expressly, by implication, estoppel, or otherwise.
125 *
126 * No assurances are provided by Nokia that the Contribution does not
127 * infringe the patent or other intellectual property rights of any third
128 * party or that the license provides you with all the necessary rights
129 * to make use of the Contribution.
130 *
131 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
135 * OTHERWISE.
136 */
d02b48c6 137
1b1a6e78 138#include <assert.h>
ddac1974 139#include <ctype.h>
8c197cc5
UM		 140#include <stdio.h>
141#include <stdlib.h>
142#include <string.h>
be1bd923 143#include <openssl/e_os2.h>
cf1b7d96 144#ifdef OPENSSL_NO_STDIO
8c197cc5
UM		 145#define APPS_WIN16
146#endif
147
7d7d2cbc
UM		 148/* With IPv6, it looks like Digital has mixed up the proper order of
149 recursive header file inclusion, resulting in the compiler complaining
150 that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which
151 is needed to have fileno() declared correctly... So let's define u_int */
bc36ee62 152#if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
7d7d2cbc
UM		 153#define __U_INT
154typedef unsigned int u_int;
155#endif
156
d02b48c6 157#define USE_SOCKETS
d02b48c6 158#include "apps.h"
ec577822
BM		 159#include <openssl/x509.h>
160#include <openssl/ssl.h>
161#include <openssl/err.h>
162#include <openssl/pem.h>
1372965e 163#include <openssl/rand.h>
67c8e7f4 164#include <openssl/ocsp.h>
1e26a8ba 165#include <openssl/bn.h>
edc032b5
BL		 166#ifndef OPENSSL_NO_SRP
167#include <openssl/srp.h>
168#endif
d02b48c6 169#include "s_apps.h"
36d16f8e 170#include "timeouts.h"
d02b48c6 171
bc36ee62 172#if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
75e0770d 173/* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
7d7d2cbc
UM		 174#undef FIONBIO
175#endif
176
4700aea9
UM		 177#if defined(OPENSSL_SYS_BEOS_R5)
178#include <fcntl.h>
179#endif
180
d02b48c6
RE		 181#undef PROG
182#define PROG s_client_main
183
184/*#define SSL_HOST_NAME "www.netscape.com" */
185/*#define SSL_HOST_NAME "193.118.187.102" */
186#define SSL_HOST_NAME "localhost"
187
188/*#define TEST_CERT "client.pem" */ /* no default cert. */
189
190#undef BUFSIZZ
191#define BUFSIZZ 1024*8
192
193extern int verify_depth;
194extern int verify_error;
5d20c4fb 195extern int verify_return_error;
2a7cbe77 196extern int verify_quiet;
d02b48c6
RE		 197
198#ifdef FIONBIO
199static int c_nbio=0;
200#endif
201static int c_Pause=0;
202static int c_debug=0;
6434abbf
DSH		 203#ifndef OPENSSL_NO_TLSEXT
204static int c_tlsextdebug=0;
67c8e7f4 205static int c_status_req=0;
6434abbf 206#endif
a661b653 207static int c_msg=0;
6d02d8e4 208static int c_showcerts=0;
d02b48c6 209
e0af0405
BL		 210static char *keymatexportlabel=NULL;
211static int keymatexportlen=20;
212
d02b48c6
RE		 213static void sc_usage(void);
214static void print_stuff(BIO *berr,SSL *con,int full);
0702150f 215#ifndef OPENSSL_NO_TLSEXT
67c8e7f4 216static int ocsp_resp_cb(SSL *s, void *arg);
0702150f 217#endif
d02b48c6 218static BIO *bio_c_out=NULL;
93ab9e42 219static BIO *bio_c_msg=NULL;
d02b48c6 220static int c_quiet=0;
ce301b6b 221static int c_ign_eof=0;
2a7cbe77 222static int c_brief=0;
d02b48c6 223
ddac1974
NL		 224#ifndef OPENSSL_NO_PSK
225/* Default PSK identity and key */
226static char *psk_identity="Client_identity";
f3b7bdad 227/*char *psk_key=NULL; by default PSK is not used */
ddac1974
NL		 228
229static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity,
230 unsigned int max_identity_len, unsigned char *psk,
231 unsigned int max_psk_len)
232 {
233 unsigned int psk_len = 0;
234 int ret;
235 BIGNUM *bn=NULL;
236
237 if (c_debug)
238 BIO_printf(bio_c_out, "psk_client_cb\n");
239 if (!hint)
240 {
241 /* no ServerKeyExchange message*/
242 if (c_debug)
243 BIO_printf(bio_c_out,"NULL received PSK identity hint, continuing anyway\n");
244 }
245 else if (c_debug)
246 BIO_printf(bio_c_out, "Received PSK identity hint '%s'\n", hint);
247
248 /* lookup PSK identity and PSK key based on the given identity hint here */
0ed6b526 249 ret = BIO_snprintf(identity, max_identity_len, "%s", psk_identity);
a0aa8b4b 250 if (ret < 0 || (unsigned int)ret > max_identity_len)
ddac1974
NL		 251 goto out_err;
252 if (c_debug)
253 BIO_printf(bio_c_out, "created identity '%s' len=%d\n", identity, ret);
254 ret=BN_hex2bn(&bn, psk_key);
255 if (!ret)
256 {
257 BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", psk_key);
258 if (bn)
259 BN_free(bn);
260 return 0;
261 }
262
a0aa8b4b 263 if ((unsigned int)BN_num_bytes(bn) > max_psk_len)
ddac1974
NL		 264 {
265 BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
266 max_psk_len, BN_num_bytes(bn));
267 BN_free(bn);
268 return 0;
269 }
270
271 psk_len=BN_bn2bin(bn, psk);
272 BN_free(bn);
273 if (psk_len == 0)
274 goto out_err;
275
276 if (c_debug)
277 BIO_printf(bio_c_out, "created PSK len=%d\n", psk_len);
278
279 return psk_len;
280 out_err:
281 if (c_debug)
282 BIO_printf(bio_err, "Error in PSK client callback\n");
283 return 0;
284 }
285#endif
286
6b691a5c 287static void sc_usage(void)
d02b48c6 288 {
b6cff93d 289 BIO_printf(bio_err,"usage: s_client args\n");
d02b48c6
RE		 290 BIO_printf(bio_err,"\n");
291 BIO_printf(bio_err," -host host - use -connect instead\n");
292 BIO_printf(bio_err," -port port - use -connect instead\n");
a9351320
GT		 293 BIO_printf(bio_err," -connect host:port - connect over TCP/IP (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR);
294 BIO_printf(bio_err," -unix path - connect over unix domain sockets\n");
d02b48c6 295 BIO_printf(bio_err," -verify arg - turn on peer certificate verification\n");
ee724df7 296 BIO_printf(bio_err," -verify_return_error - return verification errors\n");
d02b48c6 297 BIO_printf(bio_err," -cert arg - certificate file to use, PEM format assumed\n");
826a42a0
DSH		 298 BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n");
299 BIO_printf(bio_err," -key arg - Private key file to use, in cert file if\n");
d02b48c6 300 BIO_printf(bio_err," not specified but cert file is.\n");
826a42a0
DSH		 301 BIO_printf(bio_err," -keyform arg - key format (PEM or DER) PEM default\n");
302 BIO_printf(bio_err," -pass arg - private key file pass phrase source\n");
d02b48c6
RE		 303 BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n");
304 BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n");
6d3d5793 305 BIO_printf(bio_err," -trusted_first - Use local CA's first when building trust chain\n");
d02b48c6
RE		 306 BIO_printf(bio_err," -reconnect - Drop and re-make the connection with the same Session-ID\n");
307 BIO_printf(bio_err," -pause - sleep(1) after each read(2) and write(2) system call\n");
ee724df7 308 BIO_printf(bio_err," -prexit - print session information even on connection failure\n");
6d02d8e4 309 BIO_printf(bio_err," -showcerts - show all certificates in the chain\n");
d02b48c6 310 BIO_printf(bio_err," -debug - extra output\n");
f642ebc1
RS		 311#ifdef WATT32
312 BIO_printf(bio_err," -wdebug - WATT-32 tcp debugging\n");
313#endif
a661b653 314 BIO_printf(bio_err," -msg - Show protocol messages\n");
d02b48c6
RE		 315 BIO_printf(bio_err," -nbio_test - more ssl protocol testing\n");
316 BIO_printf(bio_err," -state - print the 'ssl' states\n");
317#ifdef FIONBIO
318 BIO_printf(bio_err," -nbio - Run with non-blocking IO\n");
1bdb8633 319#endif
1bdb8633 320 BIO_printf(bio_err," -crlf - convert LF from terminal into CRLF\n");
d02b48c6 321 BIO_printf(bio_err," -quiet - no s_client output\n");
ce301b6b 322 BIO_printf(bio_err," -ign_eof - ignore input eof (default when -quiet)\n");
020d67fb 323 BIO_printf(bio_err," -no_ign_eof - don't ignore input eof\n");
ddac1974
NL		 324#ifndef OPENSSL_NO_PSK
325 BIO_printf(bio_err," -psk_identity arg - PSK identity\n");
326 BIO_printf(bio_err," -psk arg - PSK in hex (without 0x)\n");
79bd20fd 327# ifndef OPENSSL_NO_JPAKE
f3b7bdad
BL		 328 BIO_printf(bio_err," -jpake arg - JPAKE secret to use\n");
329# endif
edc032b5
BL		 330#endif
331#ifndef OPENSSL_NO_SRP
332 BIO_printf(bio_err," -srpuser user - SRP authentification for 'user'\n");
333 BIO_printf(bio_err," -srppass arg - password for 'user'\n");
334 BIO_printf(bio_err," -srp_lateuser - SRP username into second ClientHello message\n");
335 BIO_printf(bio_err," -srp_moregroups - Tolerate other than the known g N values.\n");
336 BIO_printf(bio_err," -srp_strength int - minimal mength in bits for N (default %d).\n",SRP_MINIMAL_N);
ddac1974 337#endif
d02b48c6 338 BIO_printf(bio_err," -ssl2 - just use SSLv2\n");
3881d810 339#ifndef OPENSSL_NO_SSL3_METHOD
d02b48c6 340 BIO_printf(bio_err," -ssl3 - just use SSLv3\n");
3881d810 341#endif
7409d7ad 342 BIO_printf(bio_err," -tls1_2 - just use TLSv1.2\n");
637f374a 343 BIO_printf(bio_err," -tls1_1 - just use TLSv1.1\n");
58964a49 344 BIO_printf(bio_err," -tls1 - just use TLSv1\n");
36d16f8e 345 BIO_printf(bio_err," -dtls1 - just use DTLSv1\n");
cf6da053 346 BIO_printf(bio_err," -fallback_scsv - send TLS_FALLBACK_SCSV\n");
046f2101 347 BIO_printf(bio_err," -mtu - set the link layer MTU\n");
7409d7ad 348 BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
d02b48c6 349 BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n");
836f9960 350 BIO_printf(bio_err," -serverpref - Use server's cipher preferences (only SSLv2)\n");
657e60fa 351 BIO_printf(bio_err," -cipher - preferred cipher to use, use the 'openssl ciphers'\n");
dfeab068 352 BIO_printf(bio_err," command to see what is available\n");
135c0af1
RL		 353 BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n");
354 BIO_printf(bio_err," for those protocols that support it, where\n");
355 BIO_printf(bio_err," 'prot' defines which one to assume. Currently,\n");
d5bbead4
BL		 356 BIO_printf(bio_err," only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
357 BIO_printf(bio_err," are supported.\n");
b98af49d 358 BIO_printf(bio_err," -xmpphost host - When used with \"-starttls xmpp\" specifies the virtual host.\n");
0b13e9f0 359#ifndef OPENSSL_NO_ENGINE
5270e702 360 BIO_printf(bio_err," -engine id - Initialise and use the specified engine\n");
0b13e9f0 361#endif
52b621db 362 BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
014f62b6
DSH		 363 BIO_printf(bio_err," -sess_out arg - file to write SSL session to\n");
364 BIO_printf(bio_err," -sess_in arg - file to read SSL session from\n");
ed3883d2
BM		 365#ifndef OPENSSL_NO_TLSEXT
366 BIO_printf(bio_err," -servername host - Set TLS extension servername in ClientHello\n");
d24a9c8f 367 BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n");
67c8e7f4 368 BIO_printf(bio_err," -status - request certificate status from server\n");
d24a9c8f 369 BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n");
36086186 370 BIO_printf(bio_err," -serverinfo types - send empty ClientHello extensions (comma-separated numbers)\n");
bf48836c 371# ifndef OPENSSL_NO_NEXTPROTONEG
ee2ffc27
BL		 372 BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
373# endif
2911575c 374 BIO_printf(bio_err," -alpn arg - enable ALPN extension, considering named protocols supported (comma-separated list)\n");
ed3883d2 375#endif
2942dde5 376 BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
be81f4dd 377 BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
e0af0405
BL		 378 BIO_printf(bio_err," -keymatexport label - Export keying material using label\n");
379 BIO_printf(bio_err," -keymatexportlen len - Export len bytes of keying material (default 20)\n");
d02b48c6
RE		 380 }
381
ed3883d2
BM		 382#ifndef OPENSSL_NO_TLSEXT
383
384/* This is a context that we pass to callbacks */
385typedef struct tlsextctx_st {
386 BIO * biodebug;
387 int ack;
388} tlsextctx;
389
390
b1277b99
BM		 391static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
392 {
ed3883d2 393 tlsextctx * p = (tlsextctx *) arg;
8de5b7f5 394 const char * hn= SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
ed3883d2
BM		 395 if (SSL_get_servername_type(s) != -1)
396 p->ack = !SSL_session_reused(s) && hn != NULL;
397 else
f1fd4544 398 BIO_printf(bio_err,"Can't use SSL_get_servername\n");
ed3883d2 399
241520e6 400 return SSL_TLSEXT_ERR_OK;
b1277b99 401 }
ee2ffc27 402
edc032b5
BL		 403#ifndef OPENSSL_NO_SRP
404
405/* This is a context that we pass to all callbacks */
406typedef struct srp_arg_st
407 {
408 char *srppassin;
409 char *srplogin;
410 int msg; /* copy from c_msg */
411 int debug; /* copy from c_debug */
412 int amp; /* allow more groups */
413 int strength /* minimal size for N */ ;
414 } SRP_ARG;
415
416#define SRP_NUMBER_ITERATIONS_FOR_PRIME 64
417
f2fc3075 418static int srp_Verify_N_and_g(const BIGNUM *N, const BIGNUM *g)
edc032b5
BL		 419 {
420 BN_CTX *bn_ctx = BN_CTX_new();
421 BIGNUM *p = BN_new();
422 BIGNUM *r = BN_new();
423 int ret =
424 g != NULL && N != NULL && bn_ctx != NULL && BN_is_odd(N) &&
f2fc3075 425 BN_is_prime_ex(N, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
edc032b5
BL		 426 p != NULL && BN_rshift1(p, N) &&
427
428 /* p = (N-1)/2 */
f2fc3075 429 BN_is_prime_ex(p, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
edc032b5
BL		 430 r != NULL &&
431
432 /* verify g^((N-1)/2) == -1 (mod N) */
433 BN_mod_exp(r, g, p, N, bn_ctx) &&
434 BN_add_word(r, 1) &&
435 BN_cmp(r, N) == 0;
436
437 if(r)
438 BN_free(r);
439 if(p)
440 BN_free(p);
441 if(bn_ctx)
442 BN_CTX_free(bn_ctx);
443 return ret;
444 }
445
f2fc3075
DSH		 446/* This callback is used here for two purposes:
447 - extended debugging
448 - making some primality tests for unknown groups
449 The callback is only called for a non default group.
450
451 An application does not need the call back at all if
452 only the stanard groups are used. In real life situations,
453 client and server already share well known groups,
454 thus there is no need to verify them.
455 Furthermore, in case that a server actually proposes a group that
456 is not one of those defined in RFC 5054, it is more appropriate
457 to add the group to a static list and then compare since
458 primality tests are rather cpu consuming.
459*/
460
edc032b5
BL		 461static int MS_CALLBACK ssl_srp_verify_param_cb(SSL *s, void *arg)
462 {
463 SRP_ARG *srp_arg = (SRP_ARG *)arg;
464 BIGNUM *N = NULL, *g = NULL;
465 if (!(N = SSL_get_srp_N(s)) || !(g = SSL_get_srp_g(s)))
466 return 0;
467 if (srp_arg->debug || srp_arg->msg || srp_arg->amp == 1)
468 {
469 BIO_printf(bio_err, "SRP parameters:\n");
470 BIO_printf(bio_err,"\tN="); BN_print(bio_err,N);
471 BIO_printf(bio_err,"\n\tg="); BN_print(bio_err,g);
472 BIO_printf(bio_err,"\n");
473 }
474
475 if (SRP_check_known_gN_param(g,N))
476 return 1;
477
478 if (srp_arg->amp == 1)
479 {
480 if (srp_arg->debug)
481 BIO_printf(bio_err, "SRP param N and g are not known params, going to check deeper.\n");
482
f2fc3075 483/* The srp_moregroups is a real debugging feature.
edc032b5
BL		 484 Implementors should rather add the value to the known ones.
485 The minimal size has already been tested.
486*/
f2fc3075 487 if (BN_num_bits(g) <= BN_BITS && srp_Verify_N_and_g(N,g))
edc032b5
BL		 488 return 1;
489 }
490 BIO_printf(bio_err, "SRP param N and g rejected.\n");
491 return 0;
492 }
493
494#define PWD_STRLEN 1024
495
496static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
497 {
498 SRP_ARG *srp_arg = (SRP_ARG *)arg;
499 char *pass = (char *)OPENSSL_malloc(PWD_STRLEN+1);
500 PW_CB_DATA cb_tmp;
501 int l;
502
503 cb_tmp.password = (char *)srp_arg->srppassin;
504 cb_tmp.prompt_info = "SRP user";
505 if ((l = password_callback(pass, PWD_STRLEN, 0, &cb_tmp))<0)
506 {
507 BIO_printf (bio_err, "Can't read Password\n");
508 OPENSSL_free(pass);
509 return NULL;
510 }
511 *(pass+l)= '\0';
512
513 return pass;
514 }
515
edc032b5 516#endif
333f926d 517 char *srtp_profiles = NULL;
edc032b5 518
bf48836c 519# ifndef OPENSSL_NO_NEXTPROTONEG
ee2ffc27
BL		 520/* This the context that we pass to next_proto_cb */
521typedef struct tlsextnextprotoctx_st {
522 unsigned char *data;
523 unsigned short len;
524 int status;
525} tlsextnextprotoctx;
526
527static tlsextnextprotoctx next_proto;
528
529static int next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg)
530 {
531 tlsextnextprotoctx *ctx = arg;
532
533 if (!c_quiet)
534 {
535 /* We can assume that |in| is syntactically valid. */
536 unsigned i;
537 BIO_printf(bio_c_out, "Protocols advertised by server: ");
538 for (i = 0; i < inlen; )
539 {
540 if (i)
541 BIO_write(bio_c_out, ", ", 2);
542 BIO_write(bio_c_out, &in[i + 1], in[i]);
543 i += in[i] + 1;
544 }
545 BIO_write(bio_c_out, "\n", 1);
546 }
547
548 ctx->status = SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len);
549 return SSL_TLSEXT_ERR_OK;
550 }
bf48836c 551# endif /* ndef OPENSSL_NO_NEXTPROTONEG */
a398f821 552
0cfefe4b
DSH		 553static int serverinfo_cli_parse_cb(SSL* s, unsigned int ext_type,
554 const unsigned char* in, size_t inlen,
555 int* al, void* arg)
a398f821
T		 556 {
557 char pem_name[100];
558 unsigned char ext_buf[4 + 65536];
559
560 /* Reconstruct the type/len fields prior to extension data */
561 ext_buf[0] = ext_type >> 8;
562 ext_buf[1] = ext_type & 0xFF;
563 ext_buf[2] = inlen >> 8;
564 ext_buf[3] = inlen & 0xFF;
565 memcpy(ext_buf+4, in, inlen);
566
70d416ec
BL		 567 BIO_snprintf(pem_name, sizeof(pem_name), "SERVERINFO FOR EXTENSION %d",
568 ext_type);
a398f821
T		 569 PEM_write_bio(bio_c_out, pem_name, "", ext_buf, 4 + inlen);
570 return 1;
571 }
572
ed3883d2
BM		 573#endif
574
85c67492
RL		 575enum
576{
577 PROTO_OFF = 0,
578 PROTO_SMTP,
579 PROTO_POP3,
580 PROTO_IMAP,
d5bbead4 581 PROTO_FTP,
640b86cb 582 PROTO_XMPP
85c67492
RL		 583};
584
667ac4ec
RE		 585int MAIN(int, char **);
586
6b691a5c 587int MAIN(int argc, char **argv)
d02b48c6 588 {
74ecfab4 589 int build_chain = 0;
67b6f1ca 590 SSL *con=NULL;
4f7a2ab8
DSH		 591#ifndef OPENSSL_NO_KRB5
592 KSSL_CTX *kctx;
593#endif
d02b48c6 594 int s,k,width,state=0;
135c0af1 595 char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL;
d02b48c6
RE		 596 int cbuf_len,cbuf_off;
597 int sbuf_len,sbuf_off;
598 fd_set readfds,writefds;
599 short port=PORT;
600 int full_log=1;
601 char *host=SSL_HOST_NAME;
a9351320 602 const char *unix_path = NULL;
b98af49d 603 char *xmpphost = NULL;
4e71d952 604 char *cert_file=NULL,*key_file=NULL,*chain_file=NULL;
826a42a0
DSH		 605 int cert_format = FORMAT_PEM, key_format = FORMAT_PEM;
606 char *passarg = NULL, *pass = NULL;
607 X509 *cert = NULL;
608 EVP_PKEY *key = NULL;
4e71d952 609 STACK_OF(X509) *chain = NULL;
5d2e07f1 610 char *CApath=NULL,*CAfile=NULL;
a5afc0a8
DSH		 611 char *chCApath=NULL,*chCAfile=NULL;
612 char *vfyCApath=NULL,*vfyCAfile=NULL;
5d2e07f1 613 int reconnect=0,badop=0,verify=SSL_VERIFY_NONE;
1bdb8633 614 int crlf=0;
c7ac31e2 615 int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending;
d02b48c6
RE		 616 SSL_CTX *ctx=NULL;
617 int ret=1,in_init=1,i,nbio_test=0;
85c67492 618 int starttls_proto = PROTO_OFF;
db99779b
DSH		 619 int prexit = 0;
620 X509_VERIFY_PARAM *vpm = NULL;
621 int badarg = 0;
4ebb342f 622 const SSL_METHOD *meth=NULL;
b1277b99 623 int socket_type=SOCK_STREAM;
d02b48c6 624 BIO *sbio;
52b621db 625 char *inrand=NULL;
85c67492 626 int mbuf_len=0;
b972fbaa 627 struct timeval timeout, *timeoutp;
0b13e9f0 628#ifndef OPENSSL_NO_ENGINE
5270e702 629 char *engine_id=NULL;
59d2d48f 630 char *ssl_client_engine_id=NULL;
70531c14 631 ENGINE *ssl_client_engine=NULL;
0b13e9f0 632#endif
70531c14 633 ENGINE *e=NULL;
4700aea9 634#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
06f4536a 635 struct timeval tv;
4700aea9
UM		 636#if defined(OPENSSL_SYS_BEOS_R5)
637 int stdin_set = 0;
638#endif
06f4536a 639#endif
ed3883d2
BM		 640#ifndef OPENSSL_NO_TLSEXT
641 char *servername = NULL;
642 tlsextctx tlsextcbp =
643 {NULL,0};
bf48836c 644# ifndef OPENSSL_NO_NEXTPROTONEG
ee2ffc27
BL		 645 const char *next_proto_neg_in = NULL;
646# endif
2911575c 647 const char *alpn_in = NULL;
a398f821
T		 648# define MAX_SI_TYPES 100
649 unsigned short serverinfo_types[MAX_SI_TYPES];
650 int serverinfo_types_count = 0;
ed3883d2 651#endif
6434abbf
DSH		 652 char *sess_in = NULL;
653 char *sess_out = NULL;
36d16f8e 654 struct sockaddr peer;
6c61726b 655 int peerlen = sizeof(peer);
cf6da053 656 int fallback_scsv = 0;
36d16f8e 657 int enable_timeouts = 0 ;
b1277b99 658 long socket_mtu = 0;
79bd20fd 659#ifndef OPENSSL_NO_JPAKE
b252cf0d
DSH		 660static char *jpake_secret = NULL;
661#define no_jpake !jpake_secret
662#else
663#define no_jpake 1
ed551cdd 664#endif
edc032b5
BL		 665#ifndef OPENSSL_NO_SRP
666 char * srppass = NULL;
667 int srp_lateuser = 0;
668 SRP_ARG srp_arg = {NULL,NULL,0,0,0,1024};
669#endif
3208fc59 670 SSL_EXCERT *exc = NULL;
36d16f8e 671
5d2e07f1
DSH		 672 SSL_CONF_CTX *cctx = NULL;
673 STACK_OF(OPENSSL_STRING) *ssl_args = NULL;
a70da5b3 674
fdb78f3d
DSH		 675 char *crl_file = NULL;
676 int crl_format = FORMAT_PEM;
0090a686 677 int crl_download = 0;
fdb78f3d 678 STACK_OF(X509_CRL) *crls = NULL;
e03c5b59 679 int sdebug = 0;
fdb78f3d 680
d02b48c6 681 meth=SSLv23_client_method();
d02b48c6
RE		 682
683 apps_startup();
58964a49 684 c_Pause=0;
d02b48c6 685 c_quiet=0;
ce301b6b 686 c_ign_eof=0;
d02b48c6 687 c_debug=0;
a661b653 688 c_msg=0;
6d02d8e4 689 c_showcerts=0;
d02b48c6
RE		 690
691 if (bio_err == NULL)
692 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
693
3647bee2
DSH		 694 if (!load_config(bio_err, NULL))
695 goto end;
5d2e07f1
DSH		 696 cctx = SSL_CONF_CTX_new();
697 if (!cctx)
698 goto end;
699 SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT);
700 SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CMDLINE);
3647bee2 701
26a3a48d 702 if ( ((cbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
135c0af1
RL		 703 ((sbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
704 ((mbuf=OPENSSL_malloc(BUFSIZZ)) == NULL))
d02b48c6
RE		 705 {
706 BIO_printf(bio_err,"out of memory\n");
707 goto end;
708 }
709
710 verify_depth=0;
711 verify_error=X509_V_OK;
712#ifdef FIONBIO
713 c_nbio=0;
714#endif
715
716 argc--;
717 argv++;
718 while (argc >= 1)
719 {
720 if (strcmp(*argv,"-host") == 0)
721 {
722 if (--argc < 1) goto bad;
723 host= *(++argv);
724 }
725 else if (strcmp(*argv,"-port") == 0)
726 {
727 if (--argc < 1) goto bad;
728 port=atoi(*(++argv));
729 if (port == 0) goto bad;
730 }
731 else if (strcmp(*argv,"-connect") == 0)
732 {
733 if (--argc < 1) goto bad;
734 if (!extract_host_port(*(++argv),&host,NULL,&port))
735 goto bad;
736 }
a9351320
GT		 737 else if (strcmp(*argv,"-unix") == 0)
738 {
739 if (--argc < 1) goto bad;
740 unix_path = *(++argv);
741 }
b98af49d
CALP		 742 else if (strcmp(*argv,"-xmpphost") == 0)
743 {
744 if (--argc < 1) goto bad;
745 xmpphost= *(++argv);
746 }
d02b48c6
RE		 747 else if (strcmp(*argv,"-verify") == 0)
748 {
749 verify=SSL_VERIFY_PEER;
750 if (--argc < 1) goto bad;
751 verify_depth=atoi(*(++argv));
2a7cbe77
DSH		 752 if (!c_quiet)
753 BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
d02b48c6
RE		 754 }
755 else if (strcmp(*argv,"-cert") == 0)
756 {
757 if (--argc < 1) goto bad;
758 cert_file= *(++argv);
759 }
fdb78f3d
DSH		 760 else if (strcmp(*argv,"-CRL") == 0)
761 {
762 if (--argc < 1) goto bad;
763 crl_file= *(++argv);
764 }
0090a686
DSH		 765 else if (strcmp(*argv,"-crl_download") == 0)
766 crl_download = 1;
6434abbf
DSH		 767 else if (strcmp(*argv,"-sess_out") == 0)
768 {
769 if (--argc < 1) goto bad;
770 sess_out = *(++argv);
771 }
772 else if (strcmp(*argv,"-sess_in") == 0)
773 {
774 if (--argc < 1) goto bad;
775 sess_in = *(++argv);
776 }
826a42a0
DSH		 777 else if (strcmp(*argv,"-certform") == 0)
778 {
779 if (--argc < 1) goto bad;
780 cert_format = str2fmt(*(++argv));
781 }
fdb78f3d
DSH		 782 else if (strcmp(*argv,"-CRLform") == 0)
783 {
784 if (--argc < 1) goto bad;
785 crl_format = str2fmt(*(++argv));
786 }
db99779b
DSH		 787 else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
788 {
789 if (badarg)
790 goto bad;
791 continue;
792 }
5d20c4fb
DSH		 793 else if (strcmp(*argv,"-verify_return_error") == 0)
794 verify_return_error = 1;
2a7cbe77
DSH		 795 else if (strcmp(*argv,"-verify_quiet") == 0)
796 verify_quiet = 1;
797 else if (strcmp(*argv,"-brief") == 0)
798 {
799 c_brief = 1;
800 verify_quiet = 1;
801 c_quiet = 1;
802 }
3208fc59
DSH		 803 else if (args_excert(&argv, &argc, &badarg, bio_err, &exc))
804 {
805 if (badarg)
806 goto bad;
807 continue;
808 }
5d2e07f1
DSH		 809 else if (args_ssl(&argv, &argc, cctx, &badarg, bio_err, &ssl_args))
810 {
811 if (badarg)
812 goto bad;
813 continue;
814 }
c3ed3b6e
DSH		 815 else if (strcmp(*argv,"-prexit") == 0)
816 prexit=1;
1bdb8633
BM		 817 else if (strcmp(*argv,"-crlf") == 0)
818 crlf=1;
d02b48c6 819 else if (strcmp(*argv,"-quiet") == 0)
ce301b6b 820 {
d02b48c6 821 c_quiet=1;
ce301b6b
RL		 822 c_ign_eof=1;
823 }
824 else if (strcmp(*argv,"-ign_eof") == 0)
825 c_ign_eof=1;
020d67fb
LJ		 826 else if (strcmp(*argv,"-no_ign_eof") == 0)
827 c_ign_eof=0;
d02b48c6
RE		 828 else if (strcmp(*argv,"-pause") == 0)
829 c_Pause=1;
830 else if (strcmp(*argv,"-debug") == 0)
831 c_debug=1;
6434abbf
DSH		 832#ifndef OPENSSL_NO_TLSEXT
833 else if (strcmp(*argv,"-tlsextdebug") == 0)
834 c_tlsextdebug=1;
67c8e7f4
DSH		 835 else if (strcmp(*argv,"-status") == 0)
836 c_status_req=1;
f642ebc1
RS		 837#endif
838#ifdef WATT32
839 else if (strcmp(*argv,"-wdebug") == 0)
840 dbug_init();
02a00bb0 841#endif
a661b653
BM		 842 else if (strcmp(*argv,"-msg") == 0)
843 c_msg=1;
93ab9e42
DSH		 844 else if (strcmp(*argv,"-msgfile") == 0)
845 {
846 if (--argc < 1) goto bad;
847 bio_c_msg = BIO_new_file(*(++argv), "w");
848 }
849#ifndef OPENSSL_NO_SSL_TRACE
850 else if (strcmp(*argv,"-trace") == 0)
851 c_msg=2;
852#endif
e03c5b59
DSH		 853 else if (strcmp(*argv,"-security_debug") == 0)
854 { sdebug=1; }
855 else if (strcmp(*argv,"-security_debug_verbose") == 0)
856 { sdebug=2; }
6d02d8e4
BM		 857 else if (strcmp(*argv,"-showcerts") == 0)
858 c_showcerts=1;
d02b48c6
RE		 859 else if (strcmp(*argv,"-nbio_test") == 0)
860 nbio_test=1;
861 else if (strcmp(*argv,"-state") == 0)
862 state=1;
ddac1974
NL		 863#ifndef OPENSSL_NO_PSK
864 else if (strcmp(*argv,"-psk_identity") == 0)
865 {
866 if (--argc < 1) goto bad;
867 psk_identity=*(++argv);
868 }
869 else if (strcmp(*argv,"-psk") == 0)
870 {
871 size_t j;
872
873 if (--argc < 1) goto bad;
874 psk_key=*(++argv);
875 for (j = 0; j < strlen(psk_key); j++)
876 {
a50bce82 877 if (isxdigit((unsigned char)psk_key[j]))
ddac1974
NL		 878 continue;
879 BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
880 goto bad;
881 }
882 }
883#endif
edc032b5
BL		 884#ifndef OPENSSL_NO_SRP
885 else if (strcmp(*argv,"-srpuser") == 0)
886 {
887 if (--argc < 1) goto bad;
888 srp_arg.srplogin= *(++argv);
889 meth=TLSv1_client_method();
890 }
891 else if (strcmp(*argv,"-srppass") == 0)
892 {
893 if (--argc < 1) goto bad;
894 srppass= *(++argv);
895 meth=TLSv1_client_method();
896 }
897 else if (strcmp(*argv,"-srp_strength") == 0)
898 {
899 if (--argc < 1) goto bad;
900 srp_arg.strength=atoi(*(++argv));
901 BIO_printf(bio_err,"SRP minimal length for N is %d\n",srp_arg.strength);
902 meth=TLSv1_client_method();
903 }
904 else if (strcmp(*argv,"-srp_lateuser") == 0)
905 {
906 srp_lateuser= 1;
907 meth=TLSv1_client_method();
908 }
909 else if (strcmp(*argv,"-srp_moregroups") == 0)
910 {
911 srp_arg.amp=1;
912 meth=TLSv1_client_method();
913 }
914#endif
cf1b7d96 915#ifndef OPENSSL_NO_SSL2
d02b48c6
RE		 916 else if (strcmp(*argv,"-ssl2") == 0)
917 meth=SSLv2_client_method();
918#endif
3881d810 919#ifndef OPENSSL_NO_SSL3_METHOD
d02b48c6
RE		 920 else if (strcmp(*argv,"-ssl3") == 0)
921 meth=SSLv3_client_method();
58964a49 922#endif
cf1b7d96 923#ifndef OPENSSL_NO_TLS1
7409d7ad
DSH		 924 else if (strcmp(*argv,"-tls1_2") == 0)
925 meth=TLSv1_2_client_method();
637f374a
DSH		 926 else if (strcmp(*argv,"-tls1_1") == 0)
927 meth=TLSv1_1_client_method();
58964a49
RE		 928 else if (strcmp(*argv,"-tls1") == 0)
929 meth=TLSv1_client_method();
36d16f8e
BL		 930#endif
931#ifndef OPENSSL_NO_DTLS1
c6913eeb
DSH		 932 else if (strcmp(*argv,"-dtls") == 0)
933 {
934 meth=DTLS_client_method();
935 socket_type=SOCK_DGRAM;
936 }
36d16f8e
BL		 937 else if (strcmp(*argv,"-dtls1") == 0)
938 {
939 meth=DTLSv1_client_method();
b1277b99 940 socket_type=SOCK_DGRAM;
36d16f8e 941 }
c3b344e3
DSH		 942 else if (strcmp(*argv,"-dtls1_2") == 0)
943 {
944 meth=DTLSv1_2_client_method();
945 socket_type=SOCK_DGRAM;
946 }
36d16f8e
BL		 947 else if (strcmp(*argv,"-timeout") == 0)
948 enable_timeouts=1;
949 else if (strcmp(*argv,"-mtu") == 0)
950 {
951 if (--argc < 1) goto bad;
b1277b99 952 socket_mtu = atol(*(++argv));
36d16f8e 953 }
d02b48c6 954#endif
fb0e87fb
BM		 955 else if (strcmp(*argv,"-fallback_scsv") == 0)
956 {
957 fallback_scsv = 1;
958 }
826a42a0
DSH		 959 else if (strcmp(*argv,"-keyform") == 0)
960 {
961 if (--argc < 1) goto bad;
962 key_format = str2fmt(*(++argv));
963 }
964 else if (strcmp(*argv,"-pass") == 0)
965 {
966 if (--argc < 1) goto bad;
967 passarg = *(++argv);
968 }
4e71d952
DSH		 969 else if (strcmp(*argv,"-cert_chain") == 0)
970 {
971 if (--argc < 1) goto bad;
972 chain_file= *(++argv);
973 }
d02b48c6
RE		 974 else if (strcmp(*argv,"-key") == 0)
975 {
976 if (--argc < 1) goto bad;
977 key_file= *(++argv);
978 }
979 else if (strcmp(*argv,"-reconnect") == 0)
980 {
981 reconnect=5;
982 }
983 else if (strcmp(*argv,"-CApath") == 0)
984 {
985 if (--argc < 1) goto bad;
986 CApath= *(++argv);
987 }
a5afc0a8
DSH		 988 else if (strcmp(*argv,"-chainCApath") == 0)
989 {
990 if (--argc < 1) goto bad;
991 chCApath= *(++argv);
992 }
993 else if (strcmp(*argv,"-verifyCApath") == 0)
994 {
995 if (--argc < 1) goto bad;
996 vfyCApath= *(++argv);
997 }
74ecfab4
DSH		 998 else if (strcmp(*argv,"-build_chain") == 0)
999 build_chain = 1;
d02b48c6
RE		 1000 else if (strcmp(*argv,"-CAfile") == 0)
1001 {
1002 if (--argc < 1) goto bad;
1003 CAfile= *(++argv);
1004 }
a5afc0a8
DSH		 1005 else if (strcmp(*argv,"-chainCAfile") == 0)
1006 {
1007 if (--argc < 1) goto bad;
1008 chCAfile= *(++argv);
1009 }
1010 else if (strcmp(*argv,"-verifyCAfile") == 0)
1011 {
1012 if (--argc < 1) goto bad;
1013 vfyCAfile= *(++argv);
1014 }
6434abbf 1015#ifndef OPENSSL_NO_TLSEXT
bf48836c 1016# ifndef OPENSSL_NO_NEXTPROTONEG
ee2ffc27
BL		 1017 else if (strcmp(*argv,"-nextprotoneg") == 0)
1018 {
1019 if (--argc < 1) goto bad;
1020 next_proto_neg_in = *(++argv);
1021 }
2911575c 1022# endif
6f017a8f
AL		 1023 else if (strcmp(*argv,"-alpn") == 0)
1024 {
1025 if (--argc < 1) goto bad;
1026 alpn_in = *(++argv);
1027 }
a398f821
T		 1028 else if (strcmp(*argv,"-serverinfo") == 0)
1029 {
1030 char *c;
1031 int start = 0;
1032 int len;
1033
1034 if (--argc < 1) goto bad;
1035 c = *(++argv);
1036 serverinfo_types_count = 0;
1037 len = strlen(c);
1038 for (i = 0; i <= len; ++i)
1039 {
1040 if (i == len || c[i] == ',')
1041 {
1042 serverinfo_types[serverinfo_types_count]
1043 = atoi(c+start);
1044 serverinfo_types_count++;
1045 start = i+1;
1046 }
1047 if (serverinfo_types_count == MAX_SI_TYPES)
1048 break;
1049 }
1050 }
6434abbf 1051#endif
d02b48c6
RE		 1052#ifdef FIONBIO
1053 else if (strcmp(*argv,"-nbio") == 0)
1054 { c_nbio=1; }
1055#endif
135c0af1
RL		 1056 else if (strcmp(*argv,"-starttls") == 0)
1057 {
1058 if (--argc < 1) goto bad;
1059 ++argv;
1060 if (strcmp(*argv,"smtp") == 0)
85c67492 1061 starttls_proto = PROTO_SMTP;
4f17dfcd 1062 else if (strcmp(*argv,"pop3") == 0)
85c67492
RL		 1063 starttls_proto = PROTO_POP3;
1064 else if (strcmp(*argv,"imap") == 0)
1065 starttls_proto = PROTO_IMAP;
1066 else if (strcmp(*argv,"ftp") == 0)
1067 starttls_proto = PROTO_FTP;
d5bbead4
BL		 1068 else if (strcmp(*argv, "xmpp") == 0)
1069 starttls_proto = PROTO_XMPP;
135c0af1
RL		 1070 else
1071 goto bad;
1072 }
0b13e9f0 1073#ifndef OPENSSL_NO_ENGINE
5270e702
RL		 1074 else if (strcmp(*argv,"-engine") == 0)
1075 {
1076 if (--argc < 1) goto bad;
1077 engine_id = *(++argv);
1078 }
59d2d48f
DSH		 1079 else if (strcmp(*argv,"-ssl_client_engine") == 0)
1080 {
1081 if (--argc < 1) goto bad;
1082 ssl_client_engine_id = *(++argv);
1083 }
0b13e9f0 1084#endif
52b621db
LJ		 1085 else if (strcmp(*argv,"-rand") == 0)
1086 {
1087 if (--argc < 1) goto bad;
1088 inrand= *(++argv);
1089 }
ed3883d2
BM		 1090#ifndef OPENSSL_NO_TLSEXT
1091 else if (strcmp(*argv,"-servername") == 0)
1092 {
1093 if (--argc < 1) goto bad;
1094 servername= *(++argv);
1095 /* meth=TLSv1_client_method(); */
1096 }
1097#endif
79bd20fd 1098#ifndef OPENSSL_NO_JPAKE
6caa4edd
BL		 1099 else if (strcmp(*argv,"-jpake") == 0)
1100 {
1101 if (--argc < 1) goto bad;
1102 jpake_secret = *++argv;
1103 }
ed551cdd 1104#endif
333f926d
BL		 1105 else if (strcmp(*argv,"-use_srtp") == 0)
1106 {
1107 if (--argc < 1) goto bad;
1108 srtp_profiles = *(++argv);
1109 }
e0af0405
BL		 1110 else if (strcmp(*argv,"-keymatexport") == 0)
1111 {
1112 if (--argc < 1) goto bad;
1113 keymatexportlabel= *(++argv);
1114 }
1115 else if (strcmp(*argv,"-keymatexportlen") == 0)
1116 {
1117 if (--argc < 1) goto bad;
1118 keymatexportlen=atoi(*(++argv));
1119 if (keymatexportlen == 0) goto bad;
1120 }
333f926d 1121 else
d02b48c6
RE		 1122 {
1123 BIO_printf(bio_err,"unknown option %s\n",*argv);
1124 badop=1;
1125 break;
1126 }
1127 argc--;
1128 argv++;
1129 }
1130 if (badop)
1131 {
1132bad:
1133 sc_usage();
1134 goto end;
1135 }
1136
a9351320
GT		 1137 if (unix_path && (socket_type != SOCK_STREAM))
1138 {
1139 BIO_printf(bio_err, "Can't use unix sockets and datagrams together\n");
1140 goto end;
1141 }
79bd20fd 1142#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
f3b7bdad
BL		 1143 if (jpake_secret)
1144 {
1145 if (psk_key)
1146 {
1147 BIO_printf(bio_err,
1148 "Can't use JPAKE and PSK together\n");
1149 goto end;
1150 }
1151 psk_identity = "JPAKE";
1152 }
f3b7bdad
BL		 1153#endif
1154
cead7f36
RL		 1155 OpenSSL_add_ssl_algorithms();
1156 SSL_load_error_strings();
1157
bf48836c 1158#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
ee2ffc27
BL		 1159 next_proto.status = -1;
1160 if (next_proto_neg_in)
1161 {
1162 next_proto.data = next_protos_parse(&next_proto.len, next_proto_neg_in);
1163 if (next_proto.data == NULL)
1164 {
1165 BIO_printf(bio_err, "Error parsing -nextprotoneg argument\n");
1166 goto end;
1167 }
1168 }
1169 else
1170 next_proto.data = NULL;
1171#endif
1172
0b13e9f0 1173#ifndef OPENSSL_NO_ENGINE
cead7f36 1174 e = setup_engine(bio_err, engine_id, 1);
59d2d48f
DSH		 1175 if (ssl_client_engine_id)
1176 {
1177 ssl_client_engine = ENGINE_by_id(ssl_client_engine_id);
1178 if (!ssl_client_engine)
1179 {
1180 BIO_printf(bio_err,
1181 "Error getting client auth engine\n");
1182 goto end;
1183 }
1184 }
1185
0b13e9f0 1186#endif
826a42a0
DSH		 1187 if (!app_passwd(bio_err, passarg, NULL, &pass, NULL))
1188 {
1189 BIO_printf(bio_err, "Error getting password\n");
1190 goto end;
1191 }
1192
1193 if (key_file == NULL)
1194 key_file = cert_file;
1195
abbc186b
DSH		 1196
1197 if (key_file)
1198
826a42a0 1199 {
abbc186b
DSH		 1200
1201 key = load_key(bio_err, key_file, key_format, 0, pass, e,
1202 "client certificate private key file");
1203 if (!key)
1204 {
1205 ERR_print_errors(bio_err);
1206 goto end;
1207 }
1208
826a42a0
DSH		 1209 }
1210
abbc186b 1211 if (cert_file)
826a42a0 1212
826a42a0 1213 {
abbc186b
DSH		 1214 cert = load_cert(bio_err,cert_file,cert_format,
1215 NULL, e, "client certificate file");
1216
1217 if (!cert)
1218 {
1219 ERR_print_errors(bio_err);
1220 goto end;
1221 }
826a42a0 1222 }
cead7f36 1223
4e71d952
DSH		 1224 if (chain_file)
1225 {
1226 chain = load_certs(bio_err, chain_file,FORMAT_PEM,
1227 NULL, e, "client certificate chain");
1228 if (!chain)
1229 goto end;
1230 }
1231
fdb78f3d
DSH		 1232 if (crl_file)
1233 {
1234 X509_CRL *crl;
1235 crl = load_crl(crl_file, crl_format);
1236 if (!crl)
1237 {
1238 BIO_puts(bio_err, "Error loading CRL\n");
1239 ERR_print_errors(bio_err);
1240 goto end;
1241 }
1242 crls = sk_X509_CRL_new_null();
1243 if (!crls || !sk_X509_CRL_push(crls, crl))
1244 {
1245 BIO_puts(bio_err, "Error adding CRL\n");
1246 ERR_print_errors(bio_err);
1247 X509_CRL_free(crl);
1248 goto end;
1249 }
1250 }
1251
3208fc59
DSH		 1252 if (!load_excert(&exc, bio_err))
1253 goto end;
1254
52b621db
LJ		 1255 if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
1256 && !RAND_status())
1257 {
1258 BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
1259 }
1260 if (inrand != NULL)
1261 BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
1262 app_RAND_load_files(inrand));
a31011e8 1263
d02b48c6
RE		 1264 if (bio_c_out == NULL)
1265 {
1740c9fb 1266 if (c_quiet && !c_debug)
d02b48c6
RE		 1267 {
1268 bio_c_out=BIO_new(BIO_s_null());
1740c9fb
DSH		 1269 if (c_msg && !bio_c_msg)
1270 bio_c_msg=BIO_new_fp(stdout,BIO_NOCLOSE);
d02b48c6
RE		 1271 }
1272 else
1273 {
1274 if (bio_c_out == NULL)
1275 bio_c_out=BIO_new_fp(stdout,BIO_NOCLOSE);
1276 }
1277 }
1278
edc032b5
BL		 1279#ifndef OPENSSL_NO_SRP
1280 if(!app_passwd(bio_err, srppass, NULL, &srp_arg.srppassin, NULL))
1281 {
1282 BIO_printf(bio_err, "Error getting password\n");
1283 goto end;
1284 }
1285#endif
1286
d02b48c6
RE		 1287 ctx=SSL_CTX_new(meth);
1288 if (ctx == NULL)
1289 {
1290 ERR_print_errors(bio_err);
1291 goto end;
1292 }
1293
e03c5b59
DSH		 1294 if (sdebug)
1295 ssl_ctx_security_debug(ctx, bio_err, sdebug);
1296
db99779b
DSH		 1297 if (vpm)
1298 SSL_CTX_set1_param(ctx, vpm);
1299
b252cf0d 1300 if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, 1, no_jpake))
5d2e07f1
DSH		 1301 {
1302 ERR_print_errors(bio_err);
1303 goto end;
1304 }
1305
0090a686
DSH		 1306 if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile,
1307 crls, crl_download))
a5afc0a8
DSH		 1308 {
1309 BIO_printf(bio_err, "Error loading store locations\n");
1310 ERR_print_errors(bio_err);
1311 goto end;
1312 }
1313
59d2d48f
DSH		 1314#ifndef OPENSSL_NO_ENGINE
1315 if (ssl_client_engine)
1316 {
1317 if (!SSL_CTX_set_client_cert_engine(ctx, ssl_client_engine))
1318 {
1319 BIO_puts(bio_err, "Error setting client auth engine\n");
1320 ERR_print_errors(bio_err);
1321 ENGINE_free(ssl_client_engine);
1322 goto end;
1323 }
1324 ENGINE_free(ssl_client_engine);
1325 }
1326#endif
1327
ddac1974 1328#ifndef OPENSSL_NO_PSK
79bd20fd
DSH		 1329#ifdef OPENSSL_NO_JPAKE
1330 if (psk_key != NULL)
1331#else
f3b7bdad 1332 if (psk_key != NULL || jpake_secret)
79bd20fd 1333#endif
ddac1974
NL		 1334 {
1335 if (c_debug)
f3b7bdad 1336 BIO_printf(bio_c_out, "PSK key given or JPAKE in use, setting client callback\n");
ddac1974
NL		 1337 SSL_CTX_set_psk_client_callback(ctx, psk_client_cb);
1338 }
333f926d
BL		 1339 if (srtp_profiles != NULL)
1340 SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles);
ddac1974 1341#endif
3208fc59 1342 if (exc) ssl_ctx_set_excert(ctx, exc);
36d16f8e
BL		 1343 /* DTLS: partial reads end up discarding unread UDP bytes :-(
1344 * Setting read ahead solves this problem.
1345 */
b1277b99 1346 if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
d02b48c6 1347
6f017a8f
AL		 1348#if !defined(OPENSSL_NO_TLSEXT)
1349# if !defined(OPENSSL_NO_NEXTPROTONEG)
ee2ffc27
BL		 1350 if (next_proto.data)
1351 SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);
6f017a8f
AL		 1352# endif
1353 if (alpn_in)
1354 {
1355 unsigned short alpn_len;
1356 unsigned char *alpn = next_protos_parse(&alpn_len, alpn_in);
1357
1358 if (alpn == NULL)
1359 {
1360 BIO_printf(bio_err, "Error parsing -alpn argument\n");
1361 goto end;
1362 }
1363 SSL_CTX_set_alpn_protos(ctx, alpn, alpn_len);
a8989362 1364 OPENSSL_free(alpn);
6f017a8f 1365 }
ee2ffc27 1366#endif
a398f821 1367#ifndef OPENSSL_NO_TLSEXT
0cfefe4b 1368 for (i = 0; i < serverinfo_types_count; i++)
a398f821 1369 {
0cfefe4b
DSH		 1370 SSL_CTX_add_client_custom_ext(ctx,
1371 serverinfo_types[i],
1372 NULL, NULL, NULL,
1373 serverinfo_cli_parse_cb,
1374 NULL);
a398f821
T		 1375 }
1376#endif
ee2ffc27 1377
d02b48c6 1378 if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
d02b48c6
RE		 1379#if 0
1380 else
1381 SSL_CTX_set_cipher_list(ctx,getenv("SSL_CIPHER"));
1382#endif
1383
1384 SSL_CTX_set_verify(ctx,verify,verify_callback);
d02b48c6
RE		 1385
1386 if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
1387 (!SSL_CTX_set_default_verify_paths(ctx)))
1388 {
657e60fa 1389 /* BIO_printf(bio_err,"error setting default verify locations\n"); */
d02b48c6 1390 ERR_print_errors(bio_err);
58964a49 1391 /* goto end; */
d02b48c6
RE		 1392 }
1393
0090a686 1394 ssl_ctx_add_crls(ctx, crls, crl_download);
fdb78f3d 1395
4e71d952 1396 if (!set_cert_key_stuff(ctx,cert,key,chain,build_chain))
74ecfab4
DSH		 1397 goto end;
1398
ed3883d2 1399#ifndef OPENSSL_NO_TLSEXT
b1277b99
BM		 1400 if (servername != NULL)
1401 {
ed3883d2
BM		 1402 tlsextcbp.biodebug = bio_err;
1403 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
1404 SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
b1277b99 1405 }
edc032b5
BL		 1406#ifndef OPENSSL_NO_SRP
1407 if (srp_arg.srplogin)
1408 {
f2fc3075 1409 if (!srp_lateuser && !SSL_CTX_set_srp_username(ctx, srp_arg.srplogin))
edc032b5
BL		 1410 {
1411 BIO_printf(bio_err,"Unable to set SRP username\n");
1412 goto end;
1413 }
1414 srp_arg.msg = c_msg;
1415 srp_arg.debug = c_debug ;
1416 SSL_CTX_set_srp_cb_arg(ctx,&srp_arg);
1417 SSL_CTX_set_srp_client_pwd_callback(ctx, ssl_give_srp_client_pwd_cb);
1418 SSL_CTX_set_srp_strength(ctx, srp_arg.strength);
1419 if (c_msg || c_debug || srp_arg.amp == 0)
1420 SSL_CTX_set_srp_verify_param_callback(ctx, ssl_srp_verify_param_cb);
1421 }
1422
1423#endif
ed3883d2 1424#endif
d02b48c6 1425
82fc1d9c 1426 con=SSL_new(ctx);
6434abbf
DSH		 1427 if (sess_in)
1428 {
1429 SSL_SESSION *sess;
1430 BIO *stmp = BIO_new_file(sess_in, "r");
1431 if (!stmp)
1432 {
1433 BIO_printf(bio_err, "Can't open session file %s\n",
1434 sess_in);
1435 ERR_print_errors(bio_err);
1436 goto end;
1437 }
1438 sess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL);
1439 BIO_free(stmp);
1440 if (!sess)
1441 {
1442 BIO_printf(bio_err, "Can't open session file %s\n",
1443 sess_in);
1444 ERR_print_errors(bio_err);
1445 goto end;
1446 }
1447 SSL_set_session(con, sess);
1448 SSL_SESSION_free(sess);
1449 }
cf6da053
BM		 1450
1451 if (fallback_scsv)
1452 SSL_set_mode(con, SSL_MODE_SEND_FALLBACK_SCSV);
1453
ed3883d2 1454#ifndef OPENSSL_NO_TLSEXT
b1277b99
BM		 1455 if (servername != NULL)
1456 {
a13c20f6 1457 if (!SSL_set_tlsext_host_name(con,servername))
b1277b99 1458 {
ed3883d2
BM		 1459 BIO_printf(bio_err,"Unable to set TLS servername extension.\n");
1460 ERR_print_errors(bio_err);
1461 goto end;
b1277b99 1462 }
ed3883d2 1463 }
ed3883d2 1464#endif
cf1b7d96 1465#ifndef OPENSSL_NO_KRB5
4f7a2ab8 1466 if (con && (kctx = kssl_ctx_new()) != NULL)
f9b3bff6 1467 {
4f7a2ab8
DSH		 1468 SSL_set0_kssl_ctx(con, kctx);
1469 kssl_ctx_setstring(kctx, KSSL_SERVER, host);
f9b3bff6 1470 }
cf1b7d96 1471#endif /* OPENSSL_NO_KRB5 */
58964a49 1472/* SSL_set_cipher_list(con,"RC4-MD5"); */
761772d7
BM		 1473#if 0
1474#ifdef TLSEXT_TYPE_opaque_prf_input
86d4bc3a 1475 SSL_set_tlsext_opaque_prf_input(con, "Test client", 11);
761772d7
BM		 1476#endif
1477#endif
d02b48c6
RE		 1478
1479re_start:
9cd86abb
DSH		 1480#ifdef NO_SYS_UN_H
1481 if (init_client(&s,host,port,socket_type) == 0)
1482#else
a9351320
GT		 1483 if ((!unix_path && (init_client(&s,host,port,socket_type) == 0)) ||
1484 (unix_path && (init_client_unix(&s,unix_path) == 0)))
9cd86abb 1485#endif
d02b48c6 1486 {
58964a49 1487 BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
d02b48c6
RE		 1488 SHUTDOWN(s);
1489 goto end;
1490 }
1491 BIO_printf(bio_c_out,"CONNECTED(%08X)\n",s);
1492
1493#ifdef FIONBIO
1494 if (c_nbio)
1495 {
1496 unsigned long l=1;
1497 BIO_printf(bio_c_out,"turning on non blocking io\n");
58964a49
RE		 1498 if (BIO_socket_ioctl(s,FIONBIO,&l) < 0)
1499 {
1500 ERR_print_errors(bio_err);
1501 goto end;
1502 }
d02b48c6
RE		 1503 }
1504#endif
08557cf2 1505 if (c_Pause & 0x01) SSL_set_debug(con, 1);
36d16f8e 1506
c3b344e3 1507 if (socket_type == SOCK_DGRAM)
36d16f8e 1508 {
36d16f8e
BL		 1509
1510 sbio=BIO_new_dgram(s,BIO_NOCLOSE);
6c61726b 1511 if (getsockname(s, &peer, (void *)&peerlen) < 0)
36d16f8e
BL		 1512 {
1513 BIO_printf(bio_err, "getsockname:errno=%d\n",
1514 get_last_socket_error());
1515 SHUTDOWN(s);
1516 goto end;
1517 }
1518
710069c1 1519 (void)BIO_ctrl_set_connected(sbio, 1, &peer);
36d16f8e 1520
b1277b99 1521 if (enable_timeouts)
36d16f8e
BL		 1522 {
1523 timeout.tv_sec = 0;
1524 timeout.tv_usec = DGRAM_RCV_TIMEOUT;
1525 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
1526
1527 timeout.tv_sec = 0;
1528 timeout.tv_usec = DGRAM_SND_TIMEOUT;
1529 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
1530 }
1531
464ce920 1532 if (socket_mtu)
36d16f8e 1533 {
464ce920
MC		 1534 if(socket_mtu < DTLS_get_link_min_mtu(con))
1535 {
1536 BIO_printf(bio_err,"MTU too small. Must be at least %ld\n",
1537 DTLS_get_link_min_mtu(con));
1538 BIO_free(sbio);
1539 goto shut;
1540 }
36d16f8e 1541 SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
464ce920
MC		 1542 if(!DTLS_set_link_mtu(con, socket_mtu))
1543 {
1544 BIO_printf(bio_err, "Failed to set MTU\n");
1545 BIO_free(sbio);
1546 goto shut;
1547 }
36d16f8e
BL		 1548 }
1549 else
1550 /* want to do MTU discovery */
1551 BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
1552 }
1553 else
1554 sbio=BIO_new_socket(s,BIO_NOCLOSE);
1555
d02b48c6
RE		 1556 if (nbio_test)
1557 {
1558 BIO *test;
1559
1560 test=BIO_new(BIO_f_nbio_test());
1561 sbio=BIO_push(test,sbio);
1562 }
1563
1564 if (c_debug)
1565 {
08557cf2 1566 SSL_set_debug(con, 1);
25495640 1567 BIO_set_callback(sbio,bio_dump_callback);
7806f3dd 1568 BIO_set_callback_arg(sbio,(char *)bio_c_out);
d02b48c6 1569 }
a661b653
BM		 1570 if (c_msg)
1571 {
93ab9e42
DSH		 1572#ifndef OPENSSL_NO_SSL_TRACE
1573 if (c_msg == 2)
1574 SSL_set_msg_callback(con, SSL_trace);
1575 else
1576#endif
1577 SSL_set_msg_callback(con, msg_cb);
1578 SSL_set_msg_callback_arg(con, bio_c_msg ? bio_c_msg : bio_c_out);
a661b653 1579 }
6434abbf
DSH		 1580#ifndef OPENSSL_NO_TLSEXT
1581 if (c_tlsextdebug)
1582 {
1583 SSL_set_tlsext_debug_callback(con, tlsext_cb);
1584 SSL_set_tlsext_debug_arg(con, bio_c_out);
1585 }
67c8e7f4
DSH		 1586 if (c_status_req)
1587 {
1588 SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp);
1589 SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb);
1590 SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out);
1591#if 0
1592{
1593STACK_OF(OCSP_RESPID) *ids = sk_OCSP_RESPID_new_null();
1594OCSP_RESPID *id = OCSP_RESPID_new();
1595id->value.byKey = ASN1_OCTET_STRING_new();
1596id->type = V_OCSP_RESPID_KEY;
1597ASN1_STRING_set(id->value.byKey, "Hello World", -1);
1598sk_OCSP_RESPID_push(ids, id);
1599SSL_set_tlsext_status_ids(con, ids);
1600}
1601#endif
1602 }
6434abbf 1603#endif
79bd20fd 1604#ifndef OPENSSL_NO_JPAKE
6caa4edd
BL		 1605 if (jpake_secret)
1606 jpake_client_auth(bio_c_out, sbio, jpake_secret);
ed551cdd 1607#endif
6caa4edd 1608
d02b48c6
RE		 1609 SSL_set_bio(con,sbio,sbio);
1610 SSL_set_connect_state(con);
1611
1612 /* ok, lets connect */
1613 width=SSL_get_fd(con)+1;
1614
1615 read_tty=1;
1616 write_tty=0;
1617 tty_on=0;
1618 read_ssl=1;
1619 write_ssl=1;
1620
1621 cbuf_len=0;
1622 cbuf_off=0;
1623 sbuf_len=0;
1624 sbuf_off=0;
1625
135c0af1 1626 /* This is an ugly hack that does a lot of assumptions */
ee373e7f
LJ		 1627 /* We do have to handle multi-line responses which may come
1628 in a single packet or not. We therefore have to use
1629 BIO_gets() which does need a buffering BIO. So during
1630 the initial chitchat we do push a buffering BIO into the
1631 chain that is removed again later on to not disturb the
1632 rest of the s_client operation. */
85c67492 1633 if (starttls_proto == PROTO_SMTP)
135c0af1 1634 {
8d72476e 1635 int foundit=0;
ee373e7f
LJ		 1636 BIO *fbio = BIO_new(BIO_f_buffer());
1637 BIO_push(fbio, sbio);
85c67492
RL		 1638 /* wait for multi-line response to end from SMTP */
1639 do
1640 {
ee373e7f 1641 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
85c67492
RL		 1642 }
1643 while (mbuf_len>3 && mbuf[3]=='-');
8d72476e 1644 /* STARTTLS command requires EHLO... */
ee373e7f 1645 BIO_printf(fbio,"EHLO openssl.client.net\r\n");
710069c1 1646 (void)BIO_flush(fbio);
8d72476e
LJ		 1647 /* wait for multi-line response to end EHLO SMTP response */
1648 do
1649 {
ee373e7f 1650 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
8d72476e
LJ		 1651 if (strstr(mbuf,"STARTTLS"))
1652 foundit=1;
1653 }
1654 while (mbuf_len>3 && mbuf[3]=='-');
710069c1 1655 (void)BIO_flush(fbio);
ee373e7f
LJ		 1656 BIO_pop(fbio);
1657 BIO_free(fbio);
8d72476e
LJ		 1658 if (!foundit)
1659 BIO_printf(bio_err,
1660 "didn't found starttls in server response,"
1661 " try anyway...\n");
135c0af1
RL		 1662 BIO_printf(sbio,"STARTTLS\r\n");
1663 BIO_read(sbio,sbuf,BUFSIZZ);
1664 }
85c67492 1665 else if (starttls_proto == PROTO_POP3)
4f17dfcd
LJ		 1666 {
1667 BIO_read(sbio,mbuf,BUFSIZZ);
1668 BIO_printf(sbio,"STLS\r\n");
1669 BIO_read(sbio,sbuf,BUFSIZZ);
1670 }
85c67492
RL		 1671 else if (starttls_proto == PROTO_IMAP)
1672 {
8d72476e 1673 int foundit=0;
ee373e7f
LJ		 1674 BIO *fbio = BIO_new(BIO_f_buffer());
1675 BIO_push(fbio, sbio);
1676 BIO_gets(fbio,mbuf,BUFSIZZ);
8d72476e 1677 /* STARTTLS command requires CAPABILITY... */
ee373e7f 1678 BIO_printf(fbio,". CAPABILITY\r\n");
710069c1 1679 (void)BIO_flush(fbio);
8d72476e
LJ		 1680 /* wait for multi-line CAPABILITY response */
1681 do
1682 {
ee373e7f 1683 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
8d72476e
LJ		 1684 if (strstr(mbuf,"STARTTLS"))
1685 foundit=1;
1686 }
ee373e7f 1687 while (mbuf_len>3 && mbuf[0]!='.');
710069c1 1688 (void)BIO_flush(fbio);
ee373e7f
LJ		 1689 BIO_pop(fbio);
1690 BIO_free(fbio);
8d72476e
LJ		 1691 if (!foundit)
1692 BIO_printf(bio_err,
1693 "didn't found STARTTLS in server response,"
1694 " try anyway...\n");
1695 BIO_printf(sbio,". STARTTLS\r\n");
85c67492
RL		 1696 BIO_read(sbio,sbuf,BUFSIZZ);
1697 }
1698 else if (starttls_proto == PROTO_FTP)
1699 {
ee373e7f
LJ		 1700 BIO *fbio = BIO_new(BIO_f_buffer());
1701 BIO_push(fbio, sbio);
85c67492
RL		 1702 /* wait for multi-line response to end from FTP */
1703 do
1704 {
ee373e7f 1705 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
85c67492
RL		 1706 }
1707 while (mbuf_len>3 && mbuf[3]=='-');
710069c1 1708 (void)BIO_flush(fbio);
ee373e7f
LJ		 1709 BIO_pop(fbio);
1710 BIO_free(fbio);
85c67492
RL		 1711 BIO_printf(sbio,"AUTH TLS\r\n");
1712 BIO_read(sbio,sbuf,BUFSIZZ);
1713 }
d5bbead4
BL		 1714 if (starttls_proto == PROTO_XMPP)
1715 {
1716 int seen = 0;
1717 BIO_printf(sbio,"<stream:stream "
1718 "xmlns:stream='http://etherx.jabber.org/streams' "
d2625fd6
BL		 1719 "xmlns='jabber:client' to='%s' version='1.0'>", xmpphost ?
1720 xmpphost : host);
d5bbead4
BL		 1721 seen = BIO_read(sbio,mbuf,BUFSIZZ);
1722 mbuf[seen] = 0;
4e48c775
CALP		 1723 while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'") &&
1724 !strstr(mbuf, "<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\""))
d5bbead4 1725 {
d5bbead4 1726 seen = BIO_read(sbio,mbuf,BUFSIZZ);
4249d4ba
CALP		 1727
1728 if (seen <= 0)
1729 goto shut;
1730
d5bbead4
BL		 1731 mbuf[seen] = 0;
1732 }
1733 BIO_printf(sbio, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>");
1734 seen = BIO_read(sbio,sbuf,BUFSIZZ);
1735 sbuf[seen] = 0;
1736 if (!strstr(sbuf, "<proceed"))
1737 goto shut;
1738 mbuf[0] = 0;
1739 }
135c0af1 1740
d02b48c6
RE		 1741 for (;;)
1742 {
1743 FD_ZERO(&readfds);
1744 FD_ZERO(&writefds);
1745
b972fbaa
DSH		 1746 if ((SSL_version(con) == DTLS1_VERSION) &&
1747 DTLSv1_get_timeout(con, &timeout))
1748 timeoutp = &timeout;
1749 else
1750 timeoutp = NULL;
1751
58964a49 1752 if (SSL_in_init(con) && !SSL_total_renegotiations(con))
d02b48c6
RE		 1753 {
1754 in_init=1;
1755 tty_on=0;
1756 }
1757 else
1758 {
1759 tty_on=1;
1760 if (in_init)
1761 {
1762 in_init=0;
761772d7 1763#if 0 /* This test doesn't really work as intended (needs to be fixed) */
ed3883d2 1764#ifndef OPENSSL_NO_TLSEXT
b166f13e
BM		 1765 if (servername != NULL && !SSL_session_reused(con))
1766 {
1767 BIO_printf(bio_c_out,"Server did %sacknowledge servername extension.\n",tlsextcbp.ack?"":"not ");
1768 }
761772d7 1769#endif
ed3883d2 1770#endif
6434abbf
DSH		 1771 if (sess_out)
1772 {
1773 BIO *stmp = BIO_new_file(sess_out, "w");
1774 if (stmp)
1775 {
1776 PEM_write_bio_SSL_SESSION(stmp, SSL_get_session(con));
1777 BIO_free(stmp);
1778 }
1779 else
1780 BIO_printf(bio_err, "Error writing session file %s\n", sess_out);
1781 }
2a7cbe77
DSH		 1782 if (c_brief)
1783 {
1784 BIO_puts(bio_err,
1785 "CONNECTION ESTABLISHED\n");
1786 print_ssl_summary(bio_err, con);
1787 }
67c408ce 1788
d02b48c6
RE		 1789 print_stuff(bio_c_out,con,full_log);
1790 if (full_log > 0) full_log--;
1791
4f17dfcd 1792 if (starttls_proto)
135c0af1
RL		 1793 {
1794 BIO_printf(bio_err,"%s",mbuf);
1795 /* We don't need to know any more */
85c67492 1796 starttls_proto = PROTO_OFF;
135c0af1
RL		 1797 }
1798
d02b48c6
RE		 1799 if (reconnect)
1800 {
1801 reconnect--;
1802 BIO_printf(bio_c_out,"drop connection and then reconnect\n");
1803 SSL_shutdown(con);
1804 SSL_set_connect_state(con);
1805 SHUTDOWN(SSL_get_fd(con));
1806 goto re_start;
1807 }
1808 }
1809 }
1810
c7ac31e2
BM		 1811 ssl_pending = read_ssl && SSL_pending(con);
1812
1813 if (!ssl_pending)
d02b48c6 1814 {
4700aea9 1815#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) && !defined (OPENSSL_SYS_BEOS_R5)
c7ac31e2
BM		 1816 if (tty_on)
1817 {
7bf7333d
DSH		 1818 if (read_tty) openssl_fdset(fileno(stdin),&readfds);
1819 if (write_tty) openssl_fdset(fileno(stdout),&writefds);
c7ac31e2 1820 }
c7ac31e2 1821 if (read_ssl)
7bf7333d 1822 openssl_fdset(SSL_get_fd(con),&readfds);
c7ac31e2 1823 if (write_ssl)
7bf7333d 1824 openssl_fdset(SSL_get_fd(con),&writefds);
06f4536a
DSH		 1825#else
1826 if(!tty_on || !write_tty) {
1827 if (read_ssl)
7bf7333d 1828 openssl_fdset(SSL_get_fd(con),&readfds);
06f4536a 1829 if (write_ssl)
7bf7333d 1830 openssl_fdset(SSL_get_fd(con),&writefds);
06f4536a
DSH		 1831 }
1832#endif
c7ac31e2
BM		 1833/* printf("mode tty(%d %d%d) ssl(%d%d)\n",
1834 tty_on,read_tty,write_tty,read_ssl,write_ssl);*/
d02b48c6 1835
75e0770d 1836 /* Note: under VMS with SOCKETSHR the second parameter
7d7d2cbc
UM		 1837 * is currently of type (int *) whereas under other
1838 * systems it is (void *) if you don't have a cast it
1839 * will choke the compiler: if you do have a cast then
1840 * you can either go for (int *) or (void *).
1841 */
3d7c4a5a
RL		 1842#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
1843 /* Under Windows/DOS we make the assumption that we can
06f4536a
DSH		 1844 * always write to the tty: therefore if we need to
1845 * write to the tty we just fall through. Otherwise
1846 * we timeout the select every second and see if there
1847 * are any keypresses. Note: this is a hack, in a proper
1848 * Windows application we wouldn't do this.
1849 */
4ec19e20 1850 i=0;
06f4536a
DSH		 1851 if(!write_tty) {
1852 if(read_tty) {
1853 tv.tv_sec = 1;
1854 tv.tv_usec = 0;
1855 i=select(width,(void *)&readfds,(void *)&writefds,
1856 NULL,&tv);
3d7c4a5a 1857#if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
0bf23d9b
RL		 1858 if(!i && (!_kbhit() || !read_tty) ) continue;
1859#else
a9ef75c5 1860 if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue;
0bf23d9b 1861#endif
06f4536a 1862 } else i=select(width,(void *)&readfds,(void *)&writefds,
b972fbaa 1863 NULL,timeoutp);
06f4536a 1864 }
47c1735a
RL		 1865#elif defined(OPENSSL_SYS_NETWARE)
1866 if(!write_tty) {
1867 if(read_tty) {
1868 tv.tv_sec = 1;
1869 tv.tv_usec = 0;
1870 i=select(width,(void *)&readfds,(void *)&writefds,
1871 NULL,&tv);
1872 } else i=select(width,(void *)&readfds,(void *)&writefds,
b972fbaa 1873 NULL,timeoutp);
47c1735a 1874 }
4700aea9
UM		 1875#elif defined(OPENSSL_SYS_BEOS_R5)
1876 /* Under BeOS-R5 the situation is similar to DOS */
1877 i=0;
1878 stdin_set = 0;
1879 (void)fcntl(fileno(stdin), F_SETFL, O_NONBLOCK);
1880 if(!write_tty) {
1881 if(read_tty) {
1882 tv.tv_sec = 1;
1883 tv.tv_usec = 0;
1884 i=select(width,(void *)&readfds,(void *)&writefds,
1885 NULL,&tv);
1886 if (read(fileno(stdin), sbuf, 0) >= 0)
1887 stdin_set = 1;
1888 if (!i && (stdin_set != 1 || !read_tty))
1889 continue;
1890 } else i=select(width,(void *)&readfds,(void *)&writefds,
b972fbaa 1891 NULL,timeoutp);
4700aea9
UM		 1892 }
1893 (void)fcntl(fileno(stdin), F_SETFL, 0);
06f4536a 1894#else
7d7d2cbc 1895 i=select(width,(void *)&readfds,(void *)&writefds,
b972fbaa 1896 NULL,timeoutp);
06f4536a 1897#endif
c7ac31e2
BM		 1898 if ( i < 0)
1899 {
1900 BIO_printf(bio_err,"bad select %d\n",
58964a49 1901 get_last_socket_error());
c7ac31e2
BM		 1902 goto shut;
1903 /* goto end; */
1904 }
d02b48c6
RE		 1905 }
1906
b972fbaa
DSH		 1907 if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0)
1908 {
478b50cf 1909 BIO_printf(bio_err,"TIMEOUT occurred\n");
b972fbaa
DSH		 1910 }
1911
c7ac31e2 1912 if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds))
d02b48c6
RE		 1913 {
1914 k=SSL_write(con,&(cbuf[cbuf_off]),
1915 (unsigned int)cbuf_len);
1916 switch (SSL_get_error(con,k))
1917 {
1918 case SSL_ERROR_NONE:
1919 cbuf_off+=k;
1920 cbuf_len-=k;
1921 if (k <= 0) goto end;
1922 /* we have done a write(con,NULL,0); */
1923 if (cbuf_len <= 0)
1924 {
1925 read_tty=1;
1926 write_ssl=0;
1927 }
1928 else /* if (cbuf_len > 0) */
1929 {
1930 read_tty=0;
1931 write_ssl=1;
1932 }
1933 break;
1934 case SSL_ERROR_WANT_WRITE:
1935 BIO_printf(bio_c_out,"write W BLOCK\n");
1936 write_ssl=1;
1937 read_tty=0;
1938 break;
1939 case SSL_ERROR_WANT_READ:
1940 BIO_printf(bio_c_out,"write R BLOCK\n");
1941 write_tty=0;
1942 read_ssl=1;
1943 write_ssl=0;
1944 break;
1945 case SSL_ERROR_WANT_X509_LOOKUP:
1946 BIO_printf(bio_c_out,"write X BLOCK\n");
1947 break;
1948 case SSL_ERROR_ZERO_RETURN:
1949 if (cbuf_len != 0)
1950 {
1951 BIO_printf(bio_c_out,"shutdown\n");
0e1dba93 1952 ret = 0;
d02b48c6
RE		 1953 goto shut;
1954 }
1955 else
1956 {
1957 read_tty=1;
1958 write_ssl=0;
1959 break;
1960 }
1961
1962 case SSL_ERROR_SYSCALL:
1963 if ((k != 0) || (cbuf_len != 0))
1964 {
1965 BIO_printf(bio_err,"write:errno=%d\n",
58964a49 1966 get_last_socket_error());
d02b48c6
RE		 1967 goto shut;
1968 }
1969 else
1970 {
1971 read_tty=1;
1972 write_ssl=0;
1973 }
1974 break;
1975 case SSL_ERROR_SSL:
1976 ERR_print_errors(bio_err);
1977 goto shut;
1978 }
1979 }
4700aea9
UM		 1980#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
1981 /* Assume Windows/DOS/BeOS can always write */
06f4536a
DSH		 1982 else if (!ssl_pending && write_tty)
1983#else
c7ac31e2 1984 else if (!ssl_pending && FD_ISSET(fileno(stdout),&writefds))
06f4536a 1985#endif
d02b48c6 1986 {
a53955d8
UM		 1987#ifdef CHARSET_EBCDIC
1988 ascii2ebcdic(&(sbuf[sbuf_off]),&(sbuf[sbuf_off]),sbuf_len);
1989#endif
ffa10187 1990 i=raw_write_stdout(&(sbuf[sbuf_off]),sbuf_len);
d02b48c6
RE		 1991
1992 if (i <= 0)
1993 {
1994 BIO_printf(bio_c_out,"DONE\n");
0e1dba93 1995 ret = 0;
d02b48c6
RE		 1996 goto shut;
1997 /* goto end; */
1998 }
1999
2000 sbuf_len-=i;;
2001 sbuf_off+=i;
2002 if (sbuf_len <= 0)
2003 {
2004 read_ssl=1;
2005 write_tty=0;
2006 }
2007 }
c7ac31e2 2008 else if (ssl_pending || FD_ISSET(SSL_get_fd(con),&readfds))
d02b48c6 2009 {
58964a49
RE		 2010#ifdef RENEG
2011{ static int iiii; if (++iiii == 52) { SSL_renegotiate(con); iiii=0; } }
2012#endif
dfeab068 2013#if 1
58964a49 2014 k=SSL_read(con,sbuf,1024 /* BUFSIZZ */ );
dfeab068
RE		 2015#else
2016/* Demo for pending and peek :-) */
2017 k=SSL_read(con,sbuf,16);
2018{ char zbuf[10240];
2019printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240));
2020}
2021#endif
d02b48c6
RE		 2022
2023 switch (SSL_get_error(con,k))
2024 {
2025 case SSL_ERROR_NONE:
2026 if (k <= 0)
2027 goto end;
2028 sbuf_off=0;
2029 sbuf_len=k;
2030
2031 read_ssl=0;
2032 write_tty=1;
2033 break;
2034 case SSL_ERROR_WANT_WRITE:
2035 BIO_printf(bio_c_out,"read W BLOCK\n");
2036 write_ssl=1;
2037 read_tty=0;
2038 break;
2039 case SSL_ERROR_WANT_READ:
2040 BIO_printf(bio_c_out,"read R BLOCK\n");
2041 write_tty=0;
2042 read_ssl=1;
2043 if ((read_tty == 0) && (write_ssl == 0))
2044 write_ssl=1;
2045 break;
2046 case SSL_ERROR_WANT_X509_LOOKUP:
2047 BIO_printf(bio_c_out,"read X BLOCK\n");
2048 break;
2049 case SSL_ERROR_SYSCALL:
0e1dba93 2050 ret=get_last_socket_error();
2537d469 2051 if (c_brief)
66d9f2e5
DSH		 2052 BIO_puts(bio_err, "CONNECTION CLOSED BY SERVER\n");
2053 else
2054 BIO_printf(bio_err,"read:errno=%d\n",ret);
d02b48c6
RE		 2055 goto shut;
2056 case SSL_ERROR_ZERO_RETURN:
2057 BIO_printf(bio_c_out,"closed\n");
0e1dba93 2058 ret=0;
d02b48c6
RE		 2059 goto shut;
2060 case SSL_ERROR_SSL:
2061 ERR_print_errors(bio_err);
2062 goto shut;
dfeab068 2063 /* break; */
d02b48c6
RE		 2064 }
2065 }
2066
3d7c4a5a
RL		 2067#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
2068#if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
0bf23d9b
RL		 2069 else if (_kbhit())
2070#else
a9ef75c5 2071 else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
0bf23d9b 2072#endif
4d8743f4 2073#elif defined (OPENSSL_SYS_NETWARE)
ffa10187 2074 else if (_kbhit())
4700aea9
UM		 2075#elif defined(OPENSSL_SYS_BEOS_R5)
2076 else if (stdin_set)
06f4536a 2077#else
d02b48c6 2078 else if (FD_ISSET(fileno(stdin),&readfds))
06f4536a 2079#endif
d02b48c6 2080 {
1bdb8633
BM		 2081 if (crlf)
2082 {
2083 int j, lf_num;
2084
ffa10187 2085 i=raw_read_stdin(cbuf,BUFSIZZ/2);
1bdb8633
BM		 2086 lf_num = 0;
2087 /* both loops are skipped when i <= 0 */
2088 for (j = 0; j < i; j++)
2089 if (cbuf[j] == '\n')
2090 lf_num++;
2091 for (j = i-1; j >= 0; j--)
2092 {
2093 cbuf[j+lf_num] = cbuf[j];
2094 if (cbuf[j] == '\n')
2095 {
2096 lf_num--;
2097 i++;
2098 cbuf[j+lf_num] = '\r';
2099 }
2100 }
2101 assert(lf_num == 0);
2102 }
2103 else
ffa10187 2104 i=raw_read_stdin(cbuf,BUFSIZZ);
d02b48c6 2105
ce301b6b 2106 if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q')))
d02b48c6
RE		 2107 {
2108 BIO_printf(bio_err,"DONE\n");
0e1dba93 2109 ret=0;
d02b48c6
RE		 2110 goto shut;
2111 }
2112
ce301b6b 2113 if ((!c_ign_eof) && (cbuf[0] == 'R'))
d02b48c6 2114 {
3bb307c1 2115 BIO_printf(bio_err,"RENEGOTIATING\n");
d02b48c6 2116 SSL_renegotiate(con);
3bb307c1 2117 cbuf_len=0;
d02b48c6 2118 }
4817504d
DSH		 2119#ifndef OPENSSL_NO_HEARTBEATS
2120 else if ((!c_ign_eof) && (cbuf[0] == 'B'))
2121 {
2122 BIO_printf(bio_err,"HEARTBEATING\n");
2123 SSL_heartbeat(con);
2124 cbuf_len=0;
2125 }
2126#endif
d02b48c6
RE		 2127 else
2128 {
2129 cbuf_len=i;
2130 cbuf_off=0;
a53955d8
UM		 2131#ifdef CHARSET_EBCDIC
2132 ebcdic2ascii(cbuf, cbuf, i);
2133#endif
d02b48c6
RE		 2134 }
2135
d02b48c6 2136 write_ssl=1;
3bb307c1 2137 read_tty=0;
d02b48c6 2138 }
d02b48c6 2139 }
0e1dba93
DSH		 2140
2141 ret=0;
d02b48c6 2142shut:
b166f13e
BM		 2143 if (in_init)
2144 print_stuff(bio_c_out,con,full_log);
d02b48c6
RE		 2145 SSL_shutdown(con);
2146 SHUTDOWN(SSL_get_fd(con));
d02b48c6 2147end:
d916ba1b
NL		 2148 if (con != NULL)
2149 {
2150 if (prexit != 0)
2151 print_stuff(bio_c_out,con,1);
2152 SSL_free(con);
2153 }
dd251659
DSH		 2154#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
2155 if (next_proto.data)
2156 OPENSSL_free(next_proto.data);
2157#endif
d02b48c6 2158 if (ctx != NULL) SSL_CTX_free(ctx);
826a42a0
DSH		 2159 if (cert)
2160 X509_free(cert);
fdb78f3d
DSH		 2161 if (crls)
2162 sk_X509_CRL_pop_free(crls, X509_CRL_free);
826a42a0
DSH		 2163 if (key)
2164 EVP_PKEY_free(key);
4e71d952
DSH		 2165 if (chain)
2166 sk_X509_pop_free(chain, X509_free);
826a42a0
DSH		 2167 if (pass)
2168 OPENSSL_free(pass);
22b5d7c8
DSH		 2169 if (vpm)
2170 X509_VERIFY_PARAM_free(vpm);
3208fc59 2171 ssl_excert_free(exc);
5d2e07f1
DSH		 2172 if (ssl_args)
2173 sk_OPENSSL_STRING_free(ssl_args);
2174 if (cctx)
2175 SSL_CONF_CTX_free(cctx);
b252cf0d
DSH		 2176#ifndef OPENSSL_NO_JPAKE
2177 if (jpake_secret && psk_key)
2178 OPENSSL_free(psk_key);
2179#endif
4579924b
RL		 2180 if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); }
2181 if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); }
2182 if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); }
d02b48c6
RE		 2183 if (bio_c_out != NULL)
2184 {
2185 BIO_free(bio_c_out);
2186 bio_c_out=NULL;
2187 }
93ab9e42
DSH		 2188 if (bio_c_msg != NULL)
2189 {
2190 BIO_free(bio_c_msg);
2191 bio_c_msg=NULL;
2192 }
c04f8cf4 2193 apps_shutdown();
1c3e4a36 2194 OPENSSL_EXIT(ret);
d02b48c6
RE		 2195 }
2196
2197
6b691a5c 2198static void print_stuff(BIO *bio, SSL *s, int full)
d02b48c6 2199 {
58964a49 2200 X509 *peer=NULL;
d02b48c6 2201 char *p;
7d727231 2202 static const char *space=" ";
d02b48c6 2203 char buf[BUFSIZ];
f73e07cf
BL		 2204 STACK_OF(X509) *sk;
2205 STACK_OF(X509_NAME) *sk2;
babb3798 2206 const SSL_CIPHER *c;
d02b48c6
RE		 2207 X509_NAME *xn;
2208 int j,i;
09b6c2ef 2209#ifndef OPENSSL_NO_COMP
d8ec0dcf 2210 const COMP_METHOD *comp, *expansion;
09b6c2ef 2211#endif
e0af0405 2212 unsigned char *exportedkeymat;
d02b48c6
RE		 2213
2214 if (full)
2215 {
bc2e519a
BM		 2216 int got_a_chain = 0;
2217
d02b48c6
RE		 2218 sk=SSL_get_peer_cert_chain(s);
2219 if (sk != NULL)
2220 {
bc2e519a
BM		 2221 got_a_chain = 1; /* we don't have it for SSL2 (yet) */
2222
dfeab068 2223 BIO_printf(bio,"---\nCertificate chain\n");
f73e07cf 2224 for (i=0; i<sk_X509_num(sk); i++)
d02b48c6 2225 {
f73e07cf 2226 X509_NAME_oneline(X509_get_subject_name(
54a656ef 2227 sk_X509_value(sk,i)),buf,sizeof buf);
d02b48c6 2228 BIO_printf(bio,"%2d s:%s\n",i,buf);
f73e07cf 2229 X509_NAME_oneline(X509_get_issuer_name(
54a656ef 2230 sk_X509_value(sk,i)),buf,sizeof buf);
d02b48c6 2231 BIO_printf(bio," i:%s\n",buf);
6d02d8e4 2232 if (c_showcerts)
f73e07cf 2233 PEM_write_bio_X509(bio,sk_X509_value(sk,i));
d02b48c6
RE		 2234 }
2235 }
2236
2237 BIO_printf(bio,"---\n");
2238 peer=SSL_get_peer_certificate(s);
2239 if (peer != NULL)
2240 {
2241 BIO_printf(bio,"Server certificate\n");
bc2e519a 2242 if (!(c_showcerts && got_a_chain)) /* Redundant if we showed the whole chain */
6d02d8e4 2243 PEM_write_bio_X509(bio,peer);
d02b48c6 2244 X509_NAME_oneline(X509_get_subject_name(peer),
54a656ef 2245 buf,sizeof buf);
d02b48c6
RE		 2246 BIO_printf(bio,"subject=%s\n",buf);
2247 X509_NAME_oneline(X509_get_issuer_name(peer),
54a656ef 2248 buf,sizeof buf);
d02b48c6 2249 BIO_printf(bio,"issuer=%s\n",buf);
d02b48c6
RE		 2250 }
2251 else
2252 BIO_printf(bio,"no peer certificate available\n");
2253
f73e07cf 2254 sk2=SSL_get_client_CA_list(s);
d91f8c3c 2255 if ((sk2 != NULL) && (sk_X509_NAME_num(sk2) > 0))
d02b48c6
RE		 2256 {
2257 BIO_printf(bio,"---\nAcceptable client certificate CA names\n");
f73e07cf 2258 for (i=0; i<sk_X509_NAME_num(sk2); i++)
d02b48c6 2259 {
f73e07cf 2260 xn=sk_X509_NAME_value(sk2,i);
d02b48c6
RE		 2261 X509_NAME_oneline(xn,buf,sizeof(buf));
2262 BIO_write(bio,buf,strlen(buf));
2263 BIO_write(bio,"\n",1);
2264 }
2265 }
2266 else
2267 {
2268 BIO_printf(bio,"---\nNo client certificate CA names sent\n");
2269 }
54a656ef 2270 p=SSL_get_shared_ciphers(s,buf,sizeof buf);
d02b48c6
RE		 2271 if (p != NULL)
2272 {
67a47285
BM		 2273 /* This works only for SSL 2. In later protocol
2274 * versions, the client does not know what other
2275 * ciphers (in addition to the one to be used
2276 * in the current connection) the server supports. */
2277
d02b48c6
RE		 2278 BIO_printf(bio,"---\nCiphers common between both SSL endpoints:\n");
2279 j=i=0;
2280 while (*p)
2281 {
2282 if (*p == ':')
2283 {
58964a49 2284 BIO_write(bio,space,15-j%25);
d02b48c6
RE		 2285 i++;
2286 j=0;
2287 BIO_write(bio,((i%3)?" ":"\n"),1);
2288 }
2289 else
2290 {
2291 BIO_write(bio,p,1);
2292 j++;
2293 }
2294 p++;
2295 }
2296 BIO_write(bio,"\n",1);
2297 }
2298
9f27b1ee 2299 ssl_print_sigalgs(bio, s);
33a8de69 2300 ssl_print_tmp_key(bio, s);
e7f8ff43 2301
d02b48c6
RE		 2302 BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n",
2303 BIO_number_read(SSL_get_rbio(s)),
2304 BIO_number_written(SSL_get_wbio(s)));
2305 }
08557cf2 2306 BIO_printf(bio,(SSL_cache_hit(s)?"---\nReused, ":"---\nNew, "));
d02b48c6
RE		 2307 c=SSL_get_current_cipher(s);
2308 BIO_printf(bio,"%s, Cipher is %s\n",
2309 SSL_CIPHER_get_version(c),
2310 SSL_CIPHER_get_name(c));
a8236c8c
DSH		 2311 if (peer != NULL) {
2312 EVP_PKEY *pktmp;
2313 pktmp = X509_get_pubkey(peer);
58964a49 2314 BIO_printf(bio,"Server public key is %d bit\n",
a8236c8c
DSH		 2315 EVP_PKEY_bits(pktmp));
2316 EVP_PKEY_free(pktmp);
2317 }
5430200b
DSH		 2318 BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
2319 SSL_get_secure_renegotiation_support(s) ? "" : " NOT");
09b6c2ef 2320#ifndef OPENSSL_NO_COMP
f44e184e 2321 comp=SSL_get_current_compression(s);
d8ec0dcf 2322 expansion=SSL_get_current_expansion(s);
f44e184e
RL		 2323 BIO_printf(bio,"Compression: %s\n",
2324 comp ? SSL_COMP_get_name(comp) : "NONE");
2325 BIO_printf(bio,"Expansion: %s\n",
d8ec0dcf 2326 expansion ? SSL_COMP_get_name(expansion) : "NONE");
09b6c2ef 2327#endif
71fa4513 2328
57559471 2329#ifdef SSL_DEBUG
a2f9200f
DSH		 2330 {
2331 /* Print out local port of connection: useful for debugging */
2332 int sock;
2333 struct sockaddr_in ladd;
2334 socklen_t ladd_size = sizeof(ladd);
2335 sock = SSL_get_fd(s);
2336 getsockname(sock, (struct sockaddr *)&ladd, &ladd_size);
2337 BIO_printf(bio_c_out, "LOCAL PORT is %u\n", ntohs(ladd.sin_port));
2338 }
2339#endif
2340
6f017a8f
AL		 2341#if !defined(OPENSSL_NO_TLSEXT)
2342# if !defined(OPENSSL_NO_NEXTPROTONEG)
71fa4513
BL		 2343 if (next_proto.status != -1) {
2344 const unsigned char *proto;
2345 unsigned int proto_len;
2346 SSL_get0_next_proto_negotiated(s, &proto, &proto_len);
2347 BIO_printf(bio, "Next protocol: (%d) ", next_proto.status);
2348 BIO_write(bio, proto, proto_len);
2349 BIO_write(bio, "\n", 1);
2350 }
2911575c 2351# endif
6f017a8f
AL		 2352 {
2353 const unsigned char *proto;
2354 unsigned int proto_len;
2355 SSL_get0_alpn_selected(s, &proto, &proto_len);
2356 if (proto_len > 0)
2357 {
2358 BIO_printf(bio, "ALPN protocol: ");
2359 BIO_write(bio, proto, proto_len);
2360 BIO_write(bio, "\n", 1);
2361 }
2362 else
2363 BIO_printf(bio, "No ALPN negotiated\n");
2364 }
71fa4513
BL		 2365#endif
2366
333f926d
BL		 2367 {
2368 SRTP_PROTECTION_PROFILE *srtp_profile=SSL_get_selected_srtp_profile(s);
2369
2370 if(srtp_profile)
2371 BIO_printf(bio,"SRTP Extension negotiated, profile=%s\n",
2372 srtp_profile->name);
2373 }
2374
d02b48c6 2375 SSL_SESSION_print(bio,SSL_get_session(s));
be81f4dd
DSH		 2376 if (keymatexportlabel != NULL)
2377 {
e0af0405
BL		 2378 BIO_printf(bio, "Keying material exporter:\n");
2379 BIO_printf(bio, " Label: '%s'\n", keymatexportlabel);
2380 BIO_printf(bio, " Length: %i bytes\n", keymatexportlen);
2381 exportedkeymat = OPENSSL_malloc(keymatexportlen);
be81f4dd
DSH		 2382 if (exportedkeymat != NULL)
2383 {
2384 if (!SSL_export_keying_material(s, exportedkeymat,
2385 keymatexportlen,
2386 keymatexportlabel,
2387 strlen(keymatexportlabel),
2388 NULL, 0, 0))
2389 {
2390 BIO_printf(bio, " Error\n");
2391 }
2392 else
2393 {
e0af0405
BL		 2394 BIO_printf(bio, " Keying material: ");
2395 for (i=0; i<keymatexportlen; i++)
2396 BIO_printf(bio, "%02X",
2397 exportedkeymat[i]);
2398 BIO_printf(bio, "\n");
be81f4dd 2399 }
e0af0405 2400 OPENSSL_free(exportedkeymat);
be81f4dd 2401 }
e0af0405 2402 }
d02b48c6 2403 BIO_printf(bio,"---\n");
58964a49
RE		 2404 if (peer != NULL)
2405 X509_free(peer);
41ebed27 2406 /* flush, or debugging output gets mixed with http response */
710069c1 2407 (void)BIO_flush(bio);
d02b48c6
RE		 2408 }
2409
0702150f
DSH		 2410#ifndef OPENSSL_NO_TLSEXT
2411
67c8e7f4
DSH		 2412static int ocsp_resp_cb(SSL *s, void *arg)
2413 {
2414 const unsigned char *p;
2415 int len;
2416 OCSP_RESPONSE *rsp;
2417 len = SSL_get_tlsext_status_ocsp_resp(s, &p);
2418 BIO_puts(arg, "OCSP response: ");
2419 if (!p)
2420 {
2421 BIO_puts(arg, "no response sent\n");
2422 return 1;
2423 }
2424 rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
2425 if (!rsp)
2426 {
2427 BIO_puts(arg, "response parse error\n");
2428 BIO_dump_indent(arg, (char *)p, len, 4);
2429 return 0;
2430 }
2431 BIO_puts(arg, "\n======================================\n");
2432 OCSP_RESPONSE_print(arg, rsp, 0);
2433 BIO_puts(arg, "======================================\n");
2434 OCSP_RESPONSE_free(rsp);
2435 return 1;
2436 }
0702150f
DSH		 2437
2438#endif
A mirror of the official openssl repository