]> git.ipfire.org Git - thirdparty/openssl.git/blame - apps/s_client.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Add a no-opt 64-bit target.
[thirdparty/openssl.git] / apps / s_client.c
CommitLineData
d02b48c6 1/* apps/s_client.c */
58964a49 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
d02b48c6
RE		 3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
a661b653 58/* ====================================================================
b1277b99 59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
a661b653
BM		 60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
ddac1974
NL		 111/* ====================================================================
112 * Copyright 2005 Nokia. All rights reserved.
113 *
114 * The portions of the attached software ("Contribution") is developed by
115 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
116 * license.
117 *
118 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120 * support (see RFC 4279) to OpenSSL.
121 *
122 * No patent licenses or other rights except those expressly stated in
123 * the OpenSSL open source license shall be deemed granted or received
124 * expressly, by implication, estoppel, or otherwise.
125 *
126 * No assurances are provided by Nokia that the Contribution does not
127 * infringe the patent or other intellectual property rights of any third
128 * party or that the license provides you with all the necessary rights
129 * to make use of the Contribution.
130 *
131 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
135 * OTHERWISE.
136 */
d02b48c6 137
1b1a6e78 138#include <assert.h>
ddac1974 139#include <ctype.h>
8c197cc5
UM		 140#include <stdio.h>
141#include <stdlib.h>
142#include <string.h>
be1bd923 143#include <openssl/e_os2.h>
cf1b7d96 144#ifdef OPENSSL_NO_STDIO
8c197cc5
UM		 145#define APPS_WIN16
146#endif
147
7d7d2cbc
UM		 148/* With IPv6, it looks like Digital has mixed up the proper order of
149 recursive header file inclusion, resulting in the compiler complaining
150 that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which
151 is needed to have fileno() declared correctly... So let's define u_int */
bc36ee62 152#if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
7d7d2cbc
UM		 153#define __U_INT
154typedef unsigned int u_int;
155#endif
156
d02b48c6 157#define USE_SOCKETS
d02b48c6 158#include "apps.h"
ec577822
BM		 159#include <openssl/x509.h>
160#include <openssl/ssl.h>
161#include <openssl/err.h>
162#include <openssl/pem.h>
1372965e 163#include <openssl/rand.h>
67c8e7f4 164#include <openssl/ocsp.h>
1e26a8ba 165#include <openssl/bn.h>
edc032b5
BL		 166#ifndef OPENSSL_NO_SRP
167#include <openssl/srp.h>
168#endif
d02b48c6 169#include "s_apps.h"
36d16f8e 170#include "timeouts.h"
d02b48c6 171
bc36ee62 172#if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
75e0770d 173/* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
7d7d2cbc
UM		 174#undef FIONBIO
175#endif
176
4700aea9
UM		 177#if defined(OPENSSL_SYS_BEOS_R5)
178#include <fcntl.h>
179#endif
180
d02b48c6
RE		 181#undef PROG
182#define PROG s_client_main
183
184/*#define SSL_HOST_NAME "www.netscape.com" */
185/*#define SSL_HOST_NAME "193.118.187.102" */
186#define SSL_HOST_NAME "localhost"
187
188/*#define TEST_CERT "client.pem" */ /* no default cert. */
189
190#undef BUFSIZZ
191#define BUFSIZZ 1024*8
192
193extern int verify_depth;
194extern int verify_error;
5d20c4fb 195extern int verify_return_error;
2a7cbe77 196extern int verify_quiet;
d02b48c6
RE		 197
198#ifdef FIONBIO
199static int c_nbio=0;
200#endif
201static int c_Pause=0;
202static int c_debug=0;
6434abbf
DSH		 203#ifndef OPENSSL_NO_TLSEXT
204static int c_tlsextdebug=0;
67c8e7f4 205static int c_status_req=0;
a9e1c50b 206static int c_proof_debug=0;
6434abbf 207#endif
a661b653 208static int c_msg=0;
6d02d8e4 209static int c_showcerts=0;
d02b48c6 210
e0af0405
BL		 211static char *keymatexportlabel=NULL;
212static int keymatexportlen=20;
213
d02b48c6
RE		 214static void sc_usage(void);
215static void print_stuff(BIO *berr,SSL *con,int full);
0702150f 216#ifndef OPENSSL_NO_TLSEXT
67c8e7f4 217static int ocsp_resp_cb(SSL *s, void *arg);
a9e1c50b 218static int audit_proof_cb(SSL *s, void *arg);
0702150f 219#endif
d02b48c6 220static BIO *bio_c_out=NULL;
93ab9e42 221static BIO *bio_c_msg=NULL;
d02b48c6 222static int c_quiet=0;
ce301b6b 223static int c_ign_eof=0;
2a7cbe77 224static int c_brief=0;
d02b48c6 225
ddac1974
NL		 226#ifndef OPENSSL_NO_PSK
227/* Default PSK identity and key */
228static char *psk_identity="Client_identity";
f3b7bdad 229/*char *psk_key=NULL; by default PSK is not used */
ddac1974
NL		 230
231static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity,
232 unsigned int max_identity_len, unsigned char *psk,
233 unsigned int max_psk_len)
234 {
235 unsigned int psk_len = 0;
236 int ret;
237 BIGNUM *bn=NULL;
238
239 if (c_debug)
240 BIO_printf(bio_c_out, "psk_client_cb\n");
241 if (!hint)
242 {
243 /* no ServerKeyExchange message*/
244 if (c_debug)
245 BIO_printf(bio_c_out,"NULL received PSK identity hint, continuing anyway\n");
246 }
247 else if (c_debug)
248 BIO_printf(bio_c_out, "Received PSK identity hint '%s'\n", hint);
249
250 /* lookup PSK identity and PSK key based on the given identity hint here */
0ed6b526 251 ret = BIO_snprintf(identity, max_identity_len, "%s", psk_identity);
a0aa8b4b 252 if (ret < 0 || (unsigned int)ret > max_identity_len)
ddac1974
NL		 253 goto out_err;
254 if (c_debug)
255 BIO_printf(bio_c_out, "created identity '%s' len=%d\n", identity, ret);
256 ret=BN_hex2bn(&bn, psk_key);
257 if (!ret)
258 {
259 BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", psk_key);
260 if (bn)
261 BN_free(bn);
262 return 0;
263 }
264
a0aa8b4b 265 if ((unsigned int)BN_num_bytes(bn) > max_psk_len)
ddac1974
NL		 266 {
267 BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
268 max_psk_len, BN_num_bytes(bn));
269 BN_free(bn);
270 return 0;
271 }
272
273 psk_len=BN_bn2bin(bn, psk);
274 BN_free(bn);
275 if (psk_len == 0)
276 goto out_err;
277
278 if (c_debug)
279 BIO_printf(bio_c_out, "created PSK len=%d\n", psk_len);
280
281 return psk_len;
282 out_err:
283 if (c_debug)
284 BIO_printf(bio_err, "Error in PSK client callback\n");
285 return 0;
286 }
287#endif
288
6b691a5c 289static void sc_usage(void)
d02b48c6 290 {
b6cff93d 291 BIO_printf(bio_err,"usage: s_client args\n");
d02b48c6
RE		 292 BIO_printf(bio_err,"\n");
293 BIO_printf(bio_err," -host host - use -connect instead\n");
294 BIO_printf(bio_err," -port port - use -connect instead\n");
295 BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR);
d02b48c6
RE		 296 BIO_printf(bio_err," -verify arg - turn on peer certificate verification\n");
297 BIO_printf(bio_err," -cert arg - certificate file to use, PEM format assumed\n");
826a42a0
DSH		 298 BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n");
299 BIO_printf(bio_err," -key arg - Private key file to use, in cert file if\n");
d02b48c6 300 BIO_printf(bio_err," not specified but cert file is.\n");
826a42a0
DSH		 301 BIO_printf(bio_err," -keyform arg - key format (PEM or DER) PEM default\n");
302 BIO_printf(bio_err," -pass arg - private key file pass phrase source\n");
d02b48c6
RE		 303 BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n");
304 BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n");
305 BIO_printf(bio_err," -reconnect - Drop and re-make the connection with the same Session-ID\n");
306 BIO_printf(bio_err," -pause - sleep(1) after each read(2) and write(2) system call\n");
6d02d8e4 307 BIO_printf(bio_err," -showcerts - show all certificates in the chain\n");
d02b48c6 308 BIO_printf(bio_err," -debug - extra output\n");
02a00bb0
AP		 309#ifdef WATT32
310 BIO_printf(bio_err," -wdebug - WATT-32 tcp debugging\n");
311#endif
a661b653 312 BIO_printf(bio_err," -msg - Show protocol messages\n");
d02b48c6
RE		 313 BIO_printf(bio_err," -nbio_test - more ssl protocol testing\n");
314 BIO_printf(bio_err," -state - print the 'ssl' states\n");
315#ifdef FIONBIO
316 BIO_printf(bio_err," -nbio - Run with non-blocking IO\n");
1bdb8633 317#endif
1bdb8633 318 BIO_printf(bio_err," -crlf - convert LF from terminal into CRLF\n");
d02b48c6 319 BIO_printf(bio_err," -quiet - no s_client output\n");
ce301b6b 320 BIO_printf(bio_err," -ign_eof - ignore input eof (default when -quiet)\n");
020d67fb 321 BIO_printf(bio_err," -no_ign_eof - don't ignore input eof\n");
ddac1974
NL		 322#ifndef OPENSSL_NO_PSK
323 BIO_printf(bio_err," -psk_identity arg - PSK identity\n");
324 BIO_printf(bio_err," -psk arg - PSK in hex (without 0x)\n");
79bd20fd 325# ifndef OPENSSL_NO_JPAKE
f3b7bdad
BL		 326 BIO_printf(bio_err," -jpake arg - JPAKE secret to use\n");
327# endif
edc032b5
BL		 328#endif
329#ifndef OPENSSL_NO_SRP
330 BIO_printf(bio_err," -srpuser user - SRP authentification for 'user'\n");
331 BIO_printf(bio_err," -srppass arg - password for 'user'\n");
332 BIO_printf(bio_err," -srp_lateuser - SRP username into second ClientHello message\n");
333 BIO_printf(bio_err," -srp_moregroups - Tolerate other than the known g N values.\n");
334 BIO_printf(bio_err," -srp_strength int - minimal mength in bits for N (default %d).\n",SRP_MINIMAL_N);
ddac1974 335#endif
d02b48c6
RE		 336 BIO_printf(bio_err," -ssl2 - just use SSLv2\n");
337 BIO_printf(bio_err," -ssl3 - just use SSLv3\n");
7409d7ad 338 BIO_printf(bio_err," -tls1_2 - just use TLSv1.2\n");
637f374a 339 BIO_printf(bio_err," -tls1_1 - just use TLSv1.1\n");
58964a49 340 BIO_printf(bio_err," -tls1 - just use TLSv1\n");
36d16f8e 341 BIO_printf(bio_err," -dtls1 - just use DTLSv1\n");
046f2101 342 BIO_printf(bio_err," -mtu - set the link layer MTU\n");
7409d7ad 343 BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
d02b48c6 344 BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n");
836f9960 345 BIO_printf(bio_err," -serverpref - Use server's cipher preferences (only SSLv2)\n");
657e60fa 346 BIO_printf(bio_err," -cipher - preferred cipher to use, use the 'openssl ciphers'\n");
dfeab068 347 BIO_printf(bio_err," command to see what is available\n");
135c0af1
RL		 348 BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n");
349 BIO_printf(bio_err," for those protocols that support it, where\n");
350 BIO_printf(bio_err," 'prot' defines which one to assume. Currently,\n");
d5bbead4
BL		 351 BIO_printf(bio_err," only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
352 BIO_printf(bio_err," are supported.\n");
0b13e9f0 353#ifndef OPENSSL_NO_ENGINE
5270e702 354 BIO_printf(bio_err," -engine id - Initialise and use the specified engine\n");
0b13e9f0 355#endif
52b621db 356 BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
014f62b6
DSH		 357 BIO_printf(bio_err," -sess_out arg - file to write SSL session to\n");
358 BIO_printf(bio_err," -sess_in arg - file to read SSL session from\n");
ed3883d2
BM		 359#ifndef OPENSSL_NO_TLSEXT
360 BIO_printf(bio_err," -servername host - Set TLS extension servername in ClientHello\n");
d24a9c8f 361 BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n");
67c8e7f4 362 BIO_printf(bio_err," -status - request certificate status from server\n");
d24a9c8f 363 BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n");
a9e1c50b 364 BIO_printf(bio_err," -proof_debug - request an audit proof and print its hex dump\n");
bf48836c 365# ifndef OPENSSL_NO_NEXTPROTONEG
ee2ffc27 366 BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
6f017a8f 367 BIO_printf(bio_err," -alpn arg - enable ALPN extension, considering named protocols supported (comma-separated list)\n");
ee2ffc27 368# endif
a398f821
T		 369#ifndef OPENSSL_NO_TLSEXT
370 BIO_printf(bio_err," -serverinfo types - send empty ClientHello extensions (comma-separated numbers)\n");
371#endif
ed3883d2 372#endif
2942dde5 373 BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
be81f4dd 374 BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
e0af0405
BL		 375 BIO_printf(bio_err," -keymatexport label - Export keying material using label\n");
376 BIO_printf(bio_err," -keymatexportlen len - Export len bytes of keying material (default 20)\n");
d02b48c6
RE		 377 }
378
ed3883d2
BM		 379#ifndef OPENSSL_NO_TLSEXT
380
381/* This is a context that we pass to callbacks */
382typedef struct tlsextctx_st {
383 BIO * biodebug;
384 int ack;
385} tlsextctx;
386
387
b1277b99
BM		 388static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
389 {
ed3883d2 390 tlsextctx * p = (tlsextctx *) arg;
8de5b7f5 391 const char * hn= SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
ed3883d2
BM		 392 if (SSL_get_servername_type(s) != -1)
393 p->ack = !SSL_session_reused(s) && hn != NULL;
394 else
f1fd4544 395 BIO_printf(bio_err,"Can't use SSL_get_servername\n");
ed3883d2 396
241520e6 397 return SSL_TLSEXT_ERR_OK;
b1277b99 398 }
ee2ffc27 399
edc032b5
BL		 400#ifndef OPENSSL_NO_SRP
401
402/* This is a context that we pass to all callbacks */
403typedef struct srp_arg_st
404 {
405 char *srppassin;
406 char *srplogin;
407 int msg; /* copy from c_msg */
408 int debug; /* copy from c_debug */
409 int amp; /* allow more groups */
410 int strength /* minimal size for N */ ;
411 } SRP_ARG;
412
413#define SRP_NUMBER_ITERATIONS_FOR_PRIME 64
414
f2fc3075 415static int srp_Verify_N_and_g(const BIGNUM *N, const BIGNUM *g)
edc032b5
BL		 416 {
417 BN_CTX *bn_ctx = BN_CTX_new();
418 BIGNUM *p = BN_new();
419 BIGNUM *r = BN_new();
420 int ret =
421 g != NULL && N != NULL && bn_ctx != NULL && BN_is_odd(N) &&
f2fc3075 422 BN_is_prime_ex(N, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
edc032b5
BL		 423 p != NULL && BN_rshift1(p, N) &&
424
425 /* p = (N-1)/2 */
f2fc3075 426 BN_is_prime_ex(p, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
edc032b5
BL		 427 r != NULL &&
428
429 /* verify g^((N-1)/2) == -1 (mod N) */
430 BN_mod_exp(r, g, p, N, bn_ctx) &&
431 BN_add_word(r, 1) &&
432 BN_cmp(r, N) == 0;
433
434 if(r)
435 BN_free(r);
436 if(p)
437 BN_free(p);
438 if(bn_ctx)
439 BN_CTX_free(bn_ctx);
440 return ret;
441 }
442
f2fc3075
DSH		 443/* This callback is used here for two purposes:
444 - extended debugging
445 - making some primality tests for unknown groups
446 The callback is only called for a non default group.
447
448 An application does not need the call back at all if
449 only the stanard groups are used. In real life situations,
450 client and server already share well known groups,
451 thus there is no need to verify them.
452 Furthermore, in case that a server actually proposes a group that
453 is not one of those defined in RFC 5054, it is more appropriate
454 to add the group to a static list and then compare since
455 primality tests are rather cpu consuming.
456*/
457
edc032b5
BL		 458static int MS_CALLBACK ssl_srp_verify_param_cb(SSL *s, void *arg)
459 {
460 SRP_ARG *srp_arg = (SRP_ARG *)arg;
461 BIGNUM *N = NULL, *g = NULL;
462 if (!(N = SSL_get_srp_N(s)) || !(g = SSL_get_srp_g(s)))
463 return 0;
464 if (srp_arg->debug || srp_arg->msg || srp_arg->amp == 1)
465 {
466 BIO_printf(bio_err, "SRP parameters:\n");
467 BIO_printf(bio_err,"\tN="); BN_print(bio_err,N);
468 BIO_printf(bio_err,"\n\tg="); BN_print(bio_err,g);
469 BIO_printf(bio_err,"\n");
470 }
471
472 if (SRP_check_known_gN_param(g,N))
473 return 1;
474
475 if (srp_arg->amp == 1)
476 {
477 if (srp_arg->debug)
478 BIO_printf(bio_err, "SRP param N and g are not known params, going to check deeper.\n");
479
f2fc3075 480/* The srp_moregroups is a real debugging feature.
edc032b5
BL		 481 Implementors should rather add the value to the known ones.
482 The minimal size has already been tested.
483*/
f2fc3075 484 if (BN_num_bits(g) <= BN_BITS && srp_Verify_N_and_g(N,g))
edc032b5
BL		 485 return 1;
486 }
487 BIO_printf(bio_err, "SRP param N and g rejected.\n");
488 return 0;
489 }
490
491#define PWD_STRLEN 1024
492
493static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
494 {
495 SRP_ARG *srp_arg = (SRP_ARG *)arg;
496 char *pass = (char *)OPENSSL_malloc(PWD_STRLEN+1);
497 PW_CB_DATA cb_tmp;
498 int l;
499
500 cb_tmp.password = (char *)srp_arg->srppassin;
501 cb_tmp.prompt_info = "SRP user";
502 if ((l = password_callback(pass, PWD_STRLEN, 0, &cb_tmp))<0)
503 {
504 BIO_printf (bio_err, "Can't read Password\n");
505 OPENSSL_free(pass);
506 return NULL;
507 }
508 *(pass+l)= '\0';
509
510 return pass;
511 }
512
edc032b5 513#endif
333f926d 514 char *srtp_profiles = NULL;
edc032b5 515
bf48836c 516# ifndef OPENSSL_NO_NEXTPROTONEG
ee2ffc27
BL		 517/* This the context that we pass to next_proto_cb */
518typedef struct tlsextnextprotoctx_st {
519 unsigned char *data;
520 unsigned short len;
521 int status;
522} tlsextnextprotoctx;
523
524static tlsextnextprotoctx next_proto;
525
526static int next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg)
527 {
528 tlsextnextprotoctx *ctx = arg;
529
530 if (!c_quiet)
531 {
532 /* We can assume that |in| is syntactically valid. */
533 unsigned i;
534 BIO_printf(bio_c_out, "Protocols advertised by server: ");
535 for (i = 0; i < inlen; )
536 {
537 if (i)
538 BIO_write(bio_c_out, ", ", 2);
539 BIO_write(bio_c_out, &in[i + 1], in[i]);
540 i += in[i] + 1;
541 }
542 BIO_write(bio_c_out, "\n", 1);
543 }
544
545 ctx->status = SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len);
546 return SSL_TLSEXT_ERR_OK;
547 }
bf48836c 548# endif /* ndef OPENSSL_NO_NEXTPROTONEG */
a398f821
T		 549
550static int serverinfo_cli_cb(SSL* s, unsigned short ext_type,
551 const unsigned char* in, unsigned short inlen,
552 int* al, void* arg)
553 {
554 char pem_name[100];
555 unsigned char ext_buf[4 + 65536];
556
557 /* Reconstruct the type/len fields prior to extension data */
558 ext_buf[0] = ext_type >> 8;
559 ext_buf[1] = ext_type & 0xFF;
560 ext_buf[2] = inlen >> 8;
561 ext_buf[3] = inlen & 0xFF;
562 memcpy(ext_buf+4, in, inlen);
563
564 BIO_snprintf(pem_name, sizeof(pem_name), "SERVER_INFO %d", ext_type);
565 PEM_write_bio(bio_c_out, pem_name, "", ext_buf, 4 + inlen);
566 return 1;
567 }
568
ed3883d2
BM		 569#endif
570
85c67492
RL		 571enum
572{
573 PROTO_OFF = 0,
574 PROTO_SMTP,
575 PROTO_POP3,
576 PROTO_IMAP,
d5bbead4 577 PROTO_FTP,
640b86cb 578 PROTO_XMPP
85c67492
RL		 579};
580
667ac4ec
RE		 581int MAIN(int, char **);
582
6b691a5c 583int MAIN(int argc, char **argv)
d02b48c6 584 {
74ecfab4 585 int build_chain = 0;
67b6f1ca 586 SSL *con=NULL;
4f7a2ab8
DSH		 587#ifndef OPENSSL_NO_KRB5
588 KSSL_CTX *kctx;
589#endif
d02b48c6 590 int s,k,width,state=0;
135c0af1 591 char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL;
d02b48c6
RE		 592 int cbuf_len,cbuf_off;
593 int sbuf_len,sbuf_off;
594 fd_set readfds,writefds;
595 short port=PORT;
596 int full_log=1;
597 char *host=SSL_HOST_NAME;
4e71d952 598 char *cert_file=NULL,*key_file=NULL,*chain_file=NULL;
826a42a0
DSH		 599 int cert_format = FORMAT_PEM, key_format = FORMAT_PEM;
600 char *passarg = NULL, *pass = NULL;
601 X509 *cert = NULL;
602 EVP_PKEY *key = NULL;
4e71d952 603 STACK_OF(X509) *chain = NULL;
5d2e07f1 604 char *CApath=NULL,*CAfile=NULL;
a5afc0a8
DSH		 605 char *chCApath=NULL,*chCAfile=NULL;
606 char *vfyCApath=NULL,*vfyCAfile=NULL;
5d2e07f1 607 int reconnect=0,badop=0,verify=SSL_VERIFY_NONE;
1bdb8633 608 int crlf=0;
c7ac31e2 609 int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending;
d02b48c6
RE		 610 SSL_CTX *ctx=NULL;
611 int ret=1,in_init=1,i,nbio_test=0;
85c67492 612 int starttls_proto = PROTO_OFF;
db99779b
DSH		 613 int prexit = 0;
614 X509_VERIFY_PARAM *vpm = NULL;
615 int badarg = 0;
4ebb342f 616 const SSL_METHOD *meth=NULL;
b1277b99 617 int socket_type=SOCK_STREAM;
d02b48c6 618 BIO *sbio;
52b621db 619 char *inrand=NULL;
85c67492 620 int mbuf_len=0;
b972fbaa 621 struct timeval timeout, *timeoutp;
0b13e9f0 622#ifndef OPENSSL_NO_ENGINE
5270e702 623 char *engine_id=NULL;
59d2d48f 624 char *ssl_client_engine_id=NULL;
70531c14 625 ENGINE *ssl_client_engine=NULL;
0b13e9f0 626#endif
70531c14 627 ENGINE *e=NULL;
4700aea9 628#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
06f4536a 629 struct timeval tv;
4700aea9
UM		 630#if defined(OPENSSL_SYS_BEOS_R5)
631 int stdin_set = 0;
632#endif
06f4536a 633#endif
ed3883d2
BM		 634#ifndef OPENSSL_NO_TLSEXT
635 char *servername = NULL;
636 tlsextctx tlsextcbp =
637 {NULL,0};
bf48836c 638# ifndef OPENSSL_NO_NEXTPROTONEG
ee2ffc27 639 const char *next_proto_neg_in = NULL;
6f017a8f 640 const char *alpn_in = NULL;
ee2ffc27 641# endif
a398f821
T		 642# define MAX_SI_TYPES 100
643 unsigned short serverinfo_types[MAX_SI_TYPES];
644 int serverinfo_types_count = 0;
ed3883d2 645#endif
6434abbf
DSH		 646 char *sess_in = NULL;
647 char *sess_out = NULL;
36d16f8e 648 struct sockaddr peer;
6c61726b 649 int peerlen = sizeof(peer);
36d16f8e 650 int enable_timeouts = 0 ;
b1277b99 651 long socket_mtu = 0;
79bd20fd 652#ifndef OPENSSL_NO_JPAKE
b252cf0d
DSH		 653static char *jpake_secret = NULL;
654#define no_jpake !jpake_secret
655#else
656#define no_jpake 1
ed551cdd 657#endif
edc032b5
BL		 658#ifndef OPENSSL_NO_SRP
659 char * srppass = NULL;
660 int srp_lateuser = 0;
661 SRP_ARG srp_arg = {NULL,NULL,0,0,0,1024};
662#endif
3208fc59 663 SSL_EXCERT *exc = NULL;
36d16f8e 664
5d2e07f1
DSH		 665 SSL_CONF_CTX *cctx = NULL;
666 STACK_OF(OPENSSL_STRING) *ssl_args = NULL;
a70da5b3 667
fdb78f3d
DSH		 668 char *crl_file = NULL;
669 int crl_format = FORMAT_PEM;
0090a686 670 int crl_download = 0;
fdb78f3d
DSH		 671 STACK_OF(X509_CRL) *crls = NULL;
672
d02b48c6 673 meth=SSLv23_client_method();
d02b48c6
RE		 674
675 apps_startup();
58964a49 676 c_Pause=0;
d02b48c6 677 c_quiet=0;
ce301b6b 678 c_ign_eof=0;
d02b48c6 679 c_debug=0;
a661b653 680 c_msg=0;
6d02d8e4 681 c_showcerts=0;
d02b48c6
RE		 682
683 if (bio_err == NULL)
684 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
685
3647bee2
DSH		 686 if (!load_config(bio_err, NULL))
687 goto end;
5d2e07f1
DSH		 688 cctx = SSL_CONF_CTX_new();
689 if (!cctx)
690 goto end;
691 SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT);
692 SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CMDLINE);
3647bee2 693
26a3a48d 694 if ( ((cbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
135c0af1
RL		 695 ((sbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
696 ((mbuf=OPENSSL_malloc(BUFSIZZ)) == NULL))
d02b48c6
RE		 697 {
698 BIO_printf(bio_err,"out of memory\n");
699 goto end;
700 }
701
702 verify_depth=0;
703 verify_error=X509_V_OK;
704#ifdef FIONBIO
705 c_nbio=0;
706#endif
707
708 argc--;
709 argv++;
710 while (argc >= 1)
711 {
712 if (strcmp(*argv,"-host") == 0)
713 {
714 if (--argc < 1) goto bad;
715 host= *(++argv);
716 }
717 else if (strcmp(*argv,"-port") == 0)
718 {
719 if (--argc < 1) goto bad;
720 port=atoi(*(++argv));
721 if (port == 0) goto bad;
722 }
723 else if (strcmp(*argv,"-connect") == 0)
724 {
725 if (--argc < 1) goto bad;
726 if (!extract_host_port(*(++argv),&host,NULL,&port))
727 goto bad;
728 }
729 else if (strcmp(*argv,"-verify") == 0)
730 {
731 verify=SSL_VERIFY_PEER;
732 if (--argc < 1) goto bad;
733 verify_depth=atoi(*(++argv));
2a7cbe77
DSH		 734 if (!c_quiet)
735 BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
d02b48c6
RE		 736 }
737 else if (strcmp(*argv,"-cert") == 0)
738 {
739 if (--argc < 1) goto bad;
740 cert_file= *(++argv);
741 }
fdb78f3d
DSH		 742 else if (strcmp(*argv,"-CRL") == 0)
743 {
744 if (--argc < 1) goto bad;
745 crl_file= *(++argv);
746 }
0090a686
DSH		 747 else if (strcmp(*argv,"-crl_download") == 0)
748 crl_download = 1;
6434abbf
DSH		 749 else if (strcmp(*argv,"-sess_out") == 0)
750 {
751 if (--argc < 1) goto bad;
752 sess_out = *(++argv);
753 }
754 else if (strcmp(*argv,"-sess_in") == 0)
755 {
756 if (--argc < 1) goto bad;
757 sess_in = *(++argv);
758 }
826a42a0
DSH		 759 else if (strcmp(*argv,"-certform") == 0)
760 {
761 if (--argc < 1) goto bad;
762 cert_format = str2fmt(*(++argv));
763 }
fdb78f3d
DSH		 764 else if (strcmp(*argv,"-CRLform") == 0)
765 {
766 if (--argc < 1) goto bad;
767 crl_format = str2fmt(*(++argv));
768 }
db99779b
DSH		 769 else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
770 {
771 if (badarg)
772 goto bad;
773 continue;
774 }
5d20c4fb
DSH		 775 else if (strcmp(*argv,"-verify_return_error") == 0)
776 verify_return_error = 1;
2a7cbe77
DSH		 777 else if (strcmp(*argv,"-verify_quiet") == 0)
778 verify_quiet = 1;
779 else if (strcmp(*argv,"-brief") == 0)
780 {
781 c_brief = 1;
782 verify_quiet = 1;
783 c_quiet = 1;
784 }
3208fc59
DSH		 785 else if (args_excert(&argv, &argc, &badarg, bio_err, &exc))
786 {
787 if (badarg)
788 goto bad;
789 continue;
790 }
5d2e07f1
DSH		 791 else if (args_ssl(&argv, &argc, cctx, &badarg, bio_err, &ssl_args))
792 {
793 if (badarg)
794 goto bad;
795 continue;
796 }
c3ed3b6e
DSH		 797 else if (strcmp(*argv,"-prexit") == 0)
798 prexit=1;
1bdb8633
BM		 799 else if (strcmp(*argv,"-crlf") == 0)
800 crlf=1;
d02b48c6 801 else if (strcmp(*argv,"-quiet") == 0)
ce301b6b 802 {
d02b48c6 803 c_quiet=1;
ce301b6b
RL		 804 c_ign_eof=1;
805 }
806 else if (strcmp(*argv,"-ign_eof") == 0)
807 c_ign_eof=1;
020d67fb
LJ		 808 else if (strcmp(*argv,"-no_ign_eof") == 0)
809 c_ign_eof=0;
d02b48c6
RE		 810 else if (strcmp(*argv,"-pause") == 0)
811 c_Pause=1;
812 else if (strcmp(*argv,"-debug") == 0)
813 c_debug=1;
6434abbf
DSH		 814#ifndef OPENSSL_NO_TLSEXT
815 else if (strcmp(*argv,"-tlsextdebug") == 0)
816 c_tlsextdebug=1;
67c8e7f4
DSH		 817 else if (strcmp(*argv,"-status") == 0)
818 c_status_req=1;
a9e1c50b
BL		 819 else if (strcmp(*argv,"-proof_debug") == 0)
820 c_proof_debug=1;
6434abbf 821#endif
02a00bb0
AP		 822#ifdef WATT32
823 else if (strcmp(*argv,"-wdebug") == 0)
824 dbug_init();
825#endif
a661b653
BM		 826 else if (strcmp(*argv,"-msg") == 0)
827 c_msg=1;
93ab9e42
DSH		 828 else if (strcmp(*argv,"-msgfile") == 0)
829 {
830 if (--argc < 1) goto bad;
831 bio_c_msg = BIO_new_file(*(++argv), "w");
832 }
833#ifndef OPENSSL_NO_SSL_TRACE
834 else if (strcmp(*argv,"-trace") == 0)
835 c_msg=2;
836#endif
6d02d8e4
BM		 837 else if (strcmp(*argv,"-showcerts") == 0)
838 c_showcerts=1;
d02b48c6
RE		 839 else if (strcmp(*argv,"-nbio_test") == 0)
840 nbio_test=1;
841 else if (strcmp(*argv,"-state") == 0)
842 state=1;
ddac1974
NL		 843#ifndef OPENSSL_NO_PSK
844 else if (strcmp(*argv,"-psk_identity") == 0)
845 {
846 if (--argc < 1) goto bad;
847 psk_identity=*(++argv);
848 }
849 else if (strcmp(*argv,"-psk") == 0)
850 {
851 size_t j;
852
853 if (--argc < 1) goto bad;
854 psk_key=*(++argv);
855 for (j = 0; j < strlen(psk_key); j++)
856 {
a50bce82 857 if (isxdigit((unsigned char)psk_key[j]))
ddac1974
NL		 858 continue;
859 BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
860 goto bad;
861 }
862 }
863#endif
edc032b5
BL		 864#ifndef OPENSSL_NO_SRP
865 else if (strcmp(*argv,"-srpuser") == 0)
866 {
867 if (--argc < 1) goto bad;
868 srp_arg.srplogin= *(++argv);
869 meth=TLSv1_client_method();
870 }
871 else if (strcmp(*argv,"-srppass") == 0)
872 {
873 if (--argc < 1) goto bad;
874 srppass= *(++argv);
875 meth=TLSv1_client_method();
876 }
877 else if (strcmp(*argv,"-srp_strength") == 0)
878 {
879 if (--argc < 1) goto bad;
880 srp_arg.strength=atoi(*(++argv));
881 BIO_printf(bio_err,"SRP minimal length for N is %d\n",srp_arg.strength);
882 meth=TLSv1_client_method();
883 }
884 else if (strcmp(*argv,"-srp_lateuser") == 0)
885 {
886 srp_lateuser= 1;
887 meth=TLSv1_client_method();
888 }
889 else if (strcmp(*argv,"-srp_moregroups") == 0)
890 {
891 srp_arg.amp=1;
892 meth=TLSv1_client_method();
893 }
894#endif
cf1b7d96 895#ifndef OPENSSL_NO_SSL2
d02b48c6
RE		 896 else if (strcmp(*argv,"-ssl2") == 0)
897 meth=SSLv2_client_method();
898#endif
cf1b7d96 899#ifndef OPENSSL_NO_SSL3
d02b48c6
RE		 900 else if (strcmp(*argv,"-ssl3") == 0)
901 meth=SSLv3_client_method();
58964a49 902#endif
cf1b7d96 903#ifndef OPENSSL_NO_TLS1
7409d7ad
DSH		 904 else if (strcmp(*argv,"-tls1_2") == 0)
905 meth=TLSv1_2_client_method();
637f374a
DSH		 906 else if (strcmp(*argv,"-tls1_1") == 0)
907 meth=TLSv1_1_client_method();
58964a49
RE		 908 else if (strcmp(*argv,"-tls1") == 0)
909 meth=TLSv1_client_method();
36d16f8e
BL		 910#endif
911#ifndef OPENSSL_NO_DTLS1
c6913eeb
DSH		 912 else if (strcmp(*argv,"-dtls") == 0)
913 {
914 meth=DTLS_client_method();
915 socket_type=SOCK_DGRAM;
916 }
36d16f8e
BL		 917 else if (strcmp(*argv,"-dtls1") == 0)
918 {
919 meth=DTLSv1_client_method();
b1277b99 920 socket_type=SOCK_DGRAM;
36d16f8e 921 }
c3b344e3
DSH		 922 else if (strcmp(*argv,"-dtls1_2") == 0)
923 {
924 meth=DTLSv1_2_client_method();
925 socket_type=SOCK_DGRAM;
926 }
36d16f8e
BL		 927 else if (strcmp(*argv,"-timeout") == 0)
928 enable_timeouts=1;
929 else if (strcmp(*argv,"-mtu") == 0)
930 {
931 if (--argc < 1) goto bad;
b1277b99 932 socket_mtu = atol(*(++argv));
36d16f8e 933 }
d02b48c6 934#endif
826a42a0
DSH		 935 else if (strcmp(*argv,"-keyform") == 0)
936 {
937 if (--argc < 1) goto bad;
938 key_format = str2fmt(*(++argv));
939 }
940 else if (strcmp(*argv,"-pass") == 0)
941 {
942 if (--argc < 1) goto bad;
943 passarg = *(++argv);
944 }
4e71d952
DSH		 945 else if (strcmp(*argv,"-cert_chain") == 0)
946 {
947 if (--argc < 1) goto bad;
948 chain_file= *(++argv);
949 }
d02b48c6
RE		 950 else if (strcmp(*argv,"-key") == 0)
951 {
952 if (--argc < 1) goto bad;
953 key_file= *(++argv);
954 }
955 else if (strcmp(*argv,"-reconnect") == 0)
956 {
957 reconnect=5;
958 }
959 else if (strcmp(*argv,"-CApath") == 0)
960 {
961 if (--argc < 1) goto bad;
962 CApath= *(++argv);
963 }
a5afc0a8
DSH		 964 else if (strcmp(*argv,"-chainCApath") == 0)
965 {
966 if (--argc < 1) goto bad;
967 chCApath= *(++argv);
968 }
969 else if (strcmp(*argv,"-verifyCApath") == 0)
970 {
971 if (--argc < 1) goto bad;
972 vfyCApath= *(++argv);
973 }
74ecfab4
DSH		 974 else if (strcmp(*argv,"-build_chain") == 0)
975 build_chain = 1;
d02b48c6
RE		 976 else if (strcmp(*argv,"-CAfile") == 0)
977 {
978 if (--argc < 1) goto bad;
979 CAfile= *(++argv);
980 }
a5afc0a8
DSH		 981 else if (strcmp(*argv,"-chainCAfile") == 0)
982 {
983 if (--argc < 1) goto bad;
984 chCAfile= *(++argv);
985 }
986 else if (strcmp(*argv,"-verifyCAfile") == 0)
987 {
988 if (--argc < 1) goto bad;
989 vfyCAfile= *(++argv);
990 }
6434abbf 991#ifndef OPENSSL_NO_TLSEXT
bf48836c 992# ifndef OPENSSL_NO_NEXTPROTONEG
ee2ffc27
BL		 993 else if (strcmp(*argv,"-nextprotoneg") == 0)
994 {
995 if (--argc < 1) goto bad;
996 next_proto_neg_in = *(++argv);
997 }
6f017a8f
AL		 998 else if (strcmp(*argv,"-alpn") == 0)
999 {
1000 if (--argc < 1) goto bad;
1001 alpn_in = *(++argv);
1002 }
ee2ffc27 1003# endif
a398f821
T		 1004 else if (strcmp(*argv,"-serverinfo") == 0)
1005 {
1006 char *c;
1007 int start = 0;
1008 int len;
1009
1010 if (--argc < 1) goto bad;
1011 c = *(++argv);
1012 serverinfo_types_count = 0;
1013 len = strlen(c);
1014 for (i = 0; i <= len; ++i)
1015 {
1016 if (i == len || c[i] == ',')
1017 {
1018 serverinfo_types[serverinfo_types_count]
1019 = atoi(c+start);
1020 serverinfo_types_count++;
1021 start = i+1;
1022 }
1023 if (serverinfo_types_count == MAX_SI_TYPES)
1024 break;
1025 }
1026 }
6434abbf 1027#endif
d02b48c6
RE		 1028#ifdef FIONBIO
1029 else if (strcmp(*argv,"-nbio") == 0)
1030 { c_nbio=1; }
1031#endif
135c0af1
RL		 1032 else if (strcmp(*argv,"-starttls") == 0)
1033 {
1034 if (--argc < 1) goto bad;
1035 ++argv;
1036 if (strcmp(*argv,"smtp") == 0)
85c67492 1037 starttls_proto = PROTO_SMTP;
4f17dfcd 1038 else if (strcmp(*argv,"pop3") == 0)
85c67492
RL		 1039 starttls_proto = PROTO_POP3;
1040 else if (strcmp(*argv,"imap") == 0)
1041 starttls_proto = PROTO_IMAP;
1042 else if (strcmp(*argv,"ftp") == 0)
1043 starttls_proto = PROTO_FTP;
d5bbead4
BL		 1044 else if (strcmp(*argv, "xmpp") == 0)
1045 starttls_proto = PROTO_XMPP;
135c0af1
RL		 1046 else
1047 goto bad;
1048 }
0b13e9f0 1049#ifndef OPENSSL_NO_ENGINE
5270e702
RL		 1050 else if (strcmp(*argv,"-engine") == 0)
1051 {
1052 if (--argc < 1) goto bad;
1053 engine_id = *(++argv);
1054 }
59d2d48f
DSH		 1055 else if (strcmp(*argv,"-ssl_client_engine") == 0)
1056 {
1057 if (--argc < 1) goto bad;
1058 ssl_client_engine_id = *(++argv);
1059 }
0b13e9f0 1060#endif
52b621db
LJ		 1061 else if (strcmp(*argv,"-rand") == 0)
1062 {
1063 if (--argc < 1) goto bad;
1064 inrand= *(++argv);
1065 }
ed3883d2
BM		 1066#ifndef OPENSSL_NO_TLSEXT
1067 else if (strcmp(*argv,"-servername") == 0)
1068 {
1069 if (--argc < 1) goto bad;
1070 servername= *(++argv);
1071 /* meth=TLSv1_client_method(); */
1072 }
1073#endif
79bd20fd 1074#ifndef OPENSSL_NO_JPAKE
6caa4edd
BL		 1075 else if (strcmp(*argv,"-jpake") == 0)
1076 {
1077 if (--argc < 1) goto bad;
1078 jpake_secret = *++argv;
1079 }
ed551cdd 1080#endif
333f926d
BL		 1081 else if (strcmp(*argv,"-use_srtp") == 0)
1082 {
1083 if (--argc < 1) goto bad;
1084 srtp_profiles = *(++argv);
1085 }
e0af0405
BL		 1086 else if (strcmp(*argv,"-keymatexport") == 0)
1087 {
1088 if (--argc < 1) goto bad;
1089 keymatexportlabel= *(++argv);
1090 }
1091 else if (strcmp(*argv,"-keymatexportlen") == 0)
1092 {
1093 if (--argc < 1) goto bad;
1094 keymatexportlen=atoi(*(++argv));
1095 if (keymatexportlen == 0) goto bad;
1096 }
333f926d 1097 else
d02b48c6
RE		 1098 {
1099 BIO_printf(bio_err,"unknown option %s\n",*argv);
1100 badop=1;
1101 break;
1102 }
1103 argc--;
1104 argv++;
1105 }
1106 if (badop)
1107 {
1108bad:
1109 sc_usage();
1110 goto end;
1111 }
1112
79bd20fd 1113#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
f3b7bdad
BL		 1114 if (jpake_secret)
1115 {
1116 if (psk_key)
1117 {
1118 BIO_printf(bio_err,
1119 "Can't use JPAKE and PSK together\n");
1120 goto end;
1121 }
1122 psk_identity = "JPAKE";
1123 }
f3b7bdad
BL		 1124#endif
1125
cead7f36
RL		 1126 OpenSSL_add_ssl_algorithms();
1127 SSL_load_error_strings();
1128
bf48836c 1129#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
ee2ffc27
BL		 1130 next_proto.status = -1;
1131 if (next_proto_neg_in)
1132 {
1133 next_proto.data = next_protos_parse(&next_proto.len, next_proto_neg_in);
1134 if (next_proto.data == NULL)
1135 {
1136 BIO_printf(bio_err, "Error parsing -nextprotoneg argument\n");
1137 goto end;
1138 }
1139 }
1140 else
1141 next_proto.data = NULL;
1142#endif
1143
0b13e9f0 1144#ifndef OPENSSL_NO_ENGINE
cead7f36 1145 e = setup_engine(bio_err, engine_id, 1);
59d2d48f
DSH		 1146 if (ssl_client_engine_id)
1147 {
1148 ssl_client_engine = ENGINE_by_id(ssl_client_engine_id);
1149 if (!ssl_client_engine)
1150 {
1151 BIO_printf(bio_err,
1152 "Error getting client auth engine\n");
1153 goto end;
1154 }
1155 }
1156
0b13e9f0 1157#endif
826a42a0
DSH		 1158 if (!app_passwd(bio_err, passarg, NULL, &pass, NULL))
1159 {
1160 BIO_printf(bio_err, "Error getting password\n");
1161 goto end;
1162 }
1163
1164 if (key_file == NULL)
1165 key_file = cert_file;
1166
abbc186b
DSH		 1167
1168 if (key_file)
1169
826a42a0 1170 {
abbc186b
DSH		 1171
1172 key = load_key(bio_err, key_file, key_format, 0, pass, e,
1173 "client certificate private key file");
1174 if (!key)
1175 {
1176 ERR_print_errors(bio_err);
1177 goto end;
1178 }
1179
826a42a0
DSH		 1180 }
1181
abbc186b 1182 if (cert_file)
826a42a0 1183
826a42a0 1184 {
abbc186b
DSH		 1185 cert = load_cert(bio_err,cert_file,cert_format,
1186 NULL, e, "client certificate file");
1187
1188 if (!cert)
1189 {
1190 ERR_print_errors(bio_err);
1191 goto end;
1192 }
826a42a0 1193 }
cead7f36 1194
4e71d952
DSH		 1195 if (chain_file)
1196 {
1197 chain = load_certs(bio_err, chain_file,FORMAT_PEM,
1198 NULL, e, "client certificate chain");
1199 if (!chain)
1200 goto end;
1201 }
1202
fdb78f3d
DSH		 1203 if (crl_file)
1204 {
1205 X509_CRL *crl;
1206 crl = load_crl(crl_file, crl_format);
1207 if (!crl)
1208 {
1209 BIO_puts(bio_err, "Error loading CRL\n");
1210 ERR_print_errors(bio_err);
1211 goto end;
1212 }
1213 crls = sk_X509_CRL_new_null();
1214 if (!crls || !sk_X509_CRL_push(crls, crl))
1215 {
1216 BIO_puts(bio_err, "Error adding CRL\n");
1217 ERR_print_errors(bio_err);
1218 X509_CRL_free(crl);
1219 goto end;
1220 }
1221 }
1222
3208fc59
DSH		 1223 if (!load_excert(&exc, bio_err))
1224 goto end;
1225
52b621db
LJ		 1226 if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
1227 && !RAND_status())
1228 {
1229 BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
1230 }
1231 if (inrand != NULL)
1232 BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
1233 app_RAND_load_files(inrand));
a31011e8 1234
d02b48c6
RE		 1235 if (bio_c_out == NULL)
1236 {
1740c9fb 1237 if (c_quiet && !c_debug)
d02b48c6
RE		 1238 {
1239 bio_c_out=BIO_new(BIO_s_null());
1740c9fb
DSH		 1240 if (c_msg && !bio_c_msg)
1241 bio_c_msg=BIO_new_fp(stdout,BIO_NOCLOSE);
d02b48c6
RE		 1242 }
1243 else
1244 {
1245 if (bio_c_out == NULL)
1246 bio_c_out=BIO_new_fp(stdout,BIO_NOCLOSE);
1247 }
1248 }
1249
edc032b5
BL		 1250#ifndef OPENSSL_NO_SRP
1251 if(!app_passwd(bio_err, srppass, NULL, &srp_arg.srppassin, NULL))
1252 {
1253 BIO_printf(bio_err, "Error getting password\n");
1254 goto end;
1255 }
1256#endif
1257
d02b48c6
RE		 1258 ctx=SSL_CTX_new(meth);
1259 if (ctx == NULL)
1260 {
1261 ERR_print_errors(bio_err);
1262 goto end;
1263 }
1264
db99779b
DSH		 1265 if (vpm)
1266 SSL_CTX_set1_param(ctx, vpm);
1267
b252cf0d 1268 if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, 1, no_jpake))
5d2e07f1
DSH		 1269 {
1270 ERR_print_errors(bio_err);
1271 goto end;
1272 }
1273
0090a686
DSH		 1274 if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile,
1275 crls, crl_download))
a5afc0a8
DSH		 1276 {
1277 BIO_printf(bio_err, "Error loading store locations\n");
1278 ERR_print_errors(bio_err);
1279 goto end;
1280 }
1281
59d2d48f
DSH		 1282#ifndef OPENSSL_NO_ENGINE
1283 if (ssl_client_engine)
1284 {
1285 if (!SSL_CTX_set_client_cert_engine(ctx, ssl_client_engine))
1286 {
1287 BIO_puts(bio_err, "Error setting client auth engine\n");
1288 ERR_print_errors(bio_err);
1289 ENGINE_free(ssl_client_engine);
1290 goto end;
1291 }
1292 ENGINE_free(ssl_client_engine);
1293 }
1294#endif
1295
ddac1974 1296#ifndef OPENSSL_NO_PSK
79bd20fd
DSH		 1297#ifdef OPENSSL_NO_JPAKE
1298 if (psk_key != NULL)
1299#else
f3b7bdad 1300 if (psk_key != NULL || jpake_secret)
79bd20fd 1301#endif
ddac1974
NL		 1302 {
1303 if (c_debug)
f3b7bdad 1304 BIO_printf(bio_c_out, "PSK key given or JPAKE in use, setting client callback\n");
ddac1974
NL		 1305 SSL_CTX_set_psk_client_callback(ctx, psk_client_cb);
1306 }
333f926d
BL		 1307 if (srtp_profiles != NULL)
1308 SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles);
ddac1974 1309#endif
3208fc59 1310 if (exc) ssl_ctx_set_excert(ctx, exc);
36d16f8e
BL		 1311 /* DTLS: partial reads end up discarding unread UDP bytes :-(
1312 * Setting read ahead solves this problem.
1313 */
b1277b99 1314 if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
d02b48c6 1315
6f017a8f
AL		 1316#if !defined(OPENSSL_NO_TLSEXT)
1317# if !defined(OPENSSL_NO_NEXTPROTONEG)
ee2ffc27
BL		 1318 if (next_proto.data)
1319 SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);
6f017a8f
AL		 1320# endif
1321 if (alpn_in)
1322 {
1323 unsigned short alpn_len;
1324 unsigned char *alpn = next_protos_parse(&alpn_len, alpn_in);
1325
1326 if (alpn == NULL)
1327 {
1328 BIO_printf(bio_err, "Error parsing -alpn argument\n");
1329 goto end;
1330 }
1331 SSL_CTX_set_alpn_protos(ctx, alpn, alpn_len);
1332 }
ee2ffc27 1333#endif
a398f821
T		 1334#ifndef OPENSSL_NO_TLSEXT
1335 if (serverinfo_types_count)
1336 {
1337 for (i = 0; i < serverinfo_types_count; i++)
1338 {
1339 SSL_CTX_set_custom_cli_ext(ctx,
1340 serverinfo_types[i],
1341 NULL,
1342 serverinfo_cli_cb,
1343 NULL);
1344 }
1345 }
1346#endif
ee2ffc27 1347
d02b48c6 1348 if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
d02b48c6
RE		 1349#if 0
1350 else
1351 SSL_CTX_set_cipher_list(ctx,getenv("SSL_CIPHER"));
1352#endif
1353
1354 SSL_CTX_set_verify(ctx,verify,verify_callback);
d02b48c6
RE		 1355
1356 if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
1357 (!SSL_CTX_set_default_verify_paths(ctx)))
1358 {
657e60fa 1359 /* BIO_printf(bio_err,"error setting default verify locations\n"); */
d02b48c6 1360 ERR_print_errors(bio_err);
58964a49 1361 /* goto end; */
d02b48c6
RE		 1362 }
1363
0090a686 1364 ssl_ctx_add_crls(ctx, crls, crl_download);
fdb78f3d 1365
4e71d952 1366 if (!set_cert_key_stuff(ctx,cert,key,chain,build_chain))
74ecfab4
DSH		 1367 goto end;
1368
ed3883d2 1369#ifndef OPENSSL_NO_TLSEXT
b1277b99
BM		 1370 if (servername != NULL)
1371 {
ed3883d2
BM		 1372 tlsextcbp.biodebug = bio_err;
1373 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
1374 SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
b1277b99 1375 }
edc032b5
BL		 1376#ifndef OPENSSL_NO_SRP
1377 if (srp_arg.srplogin)
1378 {
f2fc3075 1379 if (!srp_lateuser && !SSL_CTX_set_srp_username(ctx, srp_arg.srplogin))
edc032b5
BL		 1380 {
1381 BIO_printf(bio_err,"Unable to set SRP username\n");
1382 goto end;
1383 }
1384 srp_arg.msg = c_msg;
1385 srp_arg.debug = c_debug ;
1386 SSL_CTX_set_srp_cb_arg(ctx,&srp_arg);
1387 SSL_CTX_set_srp_client_pwd_callback(ctx, ssl_give_srp_client_pwd_cb);
1388 SSL_CTX_set_srp_strength(ctx, srp_arg.strength);
1389 if (c_msg || c_debug || srp_arg.amp == 0)
1390 SSL_CTX_set_srp_verify_param_callback(ctx, ssl_srp_verify_param_cb);
1391 }
1392
1393#endif
a9e1c50b
BL		 1394 if (c_proof_debug)
1395 SSL_CTX_set_tlsext_authz_server_audit_proof_cb(ctx,
1396 audit_proof_cb);
ed3883d2 1397#endif
d02b48c6 1398
82fc1d9c 1399 con=SSL_new(ctx);
6434abbf
DSH		 1400 if (sess_in)
1401 {
1402 SSL_SESSION *sess;
1403 BIO *stmp = BIO_new_file(sess_in, "r");
1404 if (!stmp)
1405 {
1406 BIO_printf(bio_err, "Can't open session file %s\n",
1407 sess_in);
1408 ERR_print_errors(bio_err);
1409 goto end;
1410 }
1411 sess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL);
1412 BIO_free(stmp);
1413 if (!sess)
1414 {
1415 BIO_printf(bio_err, "Can't open session file %s\n",
1416 sess_in);
1417 ERR_print_errors(bio_err);
1418 goto end;
1419 }
1420 SSL_set_session(con, sess);
1421 SSL_SESSION_free(sess);
1422 }
ed3883d2 1423#ifndef OPENSSL_NO_TLSEXT
b1277b99
BM		 1424 if (servername != NULL)
1425 {
a13c20f6 1426 if (!SSL_set_tlsext_host_name(con,servername))
b1277b99 1427 {
ed3883d2
BM		 1428 BIO_printf(bio_err,"Unable to set TLS servername extension.\n");
1429 ERR_print_errors(bio_err);
1430 goto end;
b1277b99 1431 }
ed3883d2 1432 }
ed3883d2 1433#endif
cf1b7d96 1434#ifndef OPENSSL_NO_KRB5
4f7a2ab8 1435 if (con && (kctx = kssl_ctx_new()) != NULL)
f9b3bff6 1436 {
4f7a2ab8
DSH		 1437 SSL_set0_kssl_ctx(con, kctx);
1438 kssl_ctx_setstring(kctx, KSSL_SERVER, host);
f9b3bff6 1439 }
cf1b7d96 1440#endif /* OPENSSL_NO_KRB5 */
58964a49 1441/* SSL_set_cipher_list(con,"RC4-MD5"); */
761772d7
BM		 1442#if 0
1443#ifdef TLSEXT_TYPE_opaque_prf_input
86d4bc3a 1444 SSL_set_tlsext_opaque_prf_input(con, "Test client", 11);
761772d7
BM		 1445#endif
1446#endif
d02b48c6
RE		 1447
1448re_start:
1449
b1277b99 1450 if (init_client(&s,host,port,socket_type) == 0)
d02b48c6 1451 {
58964a49 1452 BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
d02b48c6
RE		 1453 SHUTDOWN(s);
1454 goto end;
1455 }
1456 BIO_printf(bio_c_out,"CONNECTED(%08X)\n",s);
1457
1458#ifdef FIONBIO
1459 if (c_nbio)
1460 {
1461 unsigned long l=1;
1462 BIO_printf(bio_c_out,"turning on non blocking io\n");
58964a49
RE		 1463 if (BIO_socket_ioctl(s,FIONBIO,&l) < 0)
1464 {
1465 ERR_print_errors(bio_err);
1466 goto end;
1467 }
d02b48c6
RE		 1468 }
1469#endif
08557cf2 1470 if (c_Pause & 0x01) SSL_set_debug(con, 1);
36d16f8e 1471
c3b344e3 1472 if (socket_type == SOCK_DGRAM)
36d16f8e 1473 {
36d16f8e
BL		 1474
1475 sbio=BIO_new_dgram(s,BIO_NOCLOSE);
6c61726b 1476 if (getsockname(s, &peer, (void *)&peerlen) < 0)
36d16f8e
BL		 1477 {
1478 BIO_printf(bio_err, "getsockname:errno=%d\n",
1479 get_last_socket_error());
1480 SHUTDOWN(s);
1481 goto end;
1482 }
1483
710069c1 1484 (void)BIO_ctrl_set_connected(sbio, 1, &peer);
36d16f8e 1485
b1277b99 1486 if (enable_timeouts)
36d16f8e
BL		 1487 {
1488 timeout.tv_sec = 0;
1489 timeout.tv_usec = DGRAM_RCV_TIMEOUT;
1490 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
1491
1492 timeout.tv_sec = 0;
1493 timeout.tv_usec = DGRAM_SND_TIMEOUT;
1494 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
1495 }
1496
046f2101 1497 if (socket_mtu > 28)
36d16f8e
BL		 1498 {
1499 SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
046f2101 1500 SSL_set_mtu(con, socket_mtu - 28);
36d16f8e
BL		 1501 }
1502 else
1503 /* want to do MTU discovery */
1504 BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
1505 }
1506 else
1507 sbio=BIO_new_socket(s,BIO_NOCLOSE);
1508
d02b48c6
RE		 1509 if (nbio_test)
1510 {
1511 BIO *test;
1512
1513 test=BIO_new(BIO_f_nbio_test());
1514 sbio=BIO_push(test,sbio);
1515 }
1516
1517 if (c_debug)
1518 {
08557cf2 1519 SSL_set_debug(con, 1);
25495640 1520 BIO_set_callback(sbio,bio_dump_callback);
7806f3dd 1521 BIO_set_callback_arg(sbio,(char *)bio_c_out);
d02b48c6 1522 }
a661b653
BM		 1523 if (c_msg)
1524 {
93ab9e42
DSH		 1525#ifndef OPENSSL_NO_SSL_TRACE
1526 if (c_msg == 2)
1527 SSL_set_msg_callback(con, SSL_trace);
1528 else
1529#endif
1530 SSL_set_msg_callback(con, msg_cb);
1531 SSL_set_msg_callback_arg(con, bio_c_msg ? bio_c_msg : bio_c_out);
a661b653 1532 }
6434abbf
DSH		 1533#ifndef OPENSSL_NO_TLSEXT
1534 if (c_tlsextdebug)
1535 {
1536 SSL_set_tlsext_debug_callback(con, tlsext_cb);
1537 SSL_set_tlsext_debug_arg(con, bio_c_out);
1538 }
67c8e7f4
DSH		 1539 if (c_status_req)
1540 {
1541 SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp);
1542 SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb);
1543 SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out);
1544#if 0
1545{
1546STACK_OF(OCSP_RESPID) *ids = sk_OCSP_RESPID_new_null();
1547OCSP_RESPID *id = OCSP_RESPID_new();
1548id->value.byKey = ASN1_OCTET_STRING_new();
1549id->type = V_OCSP_RESPID_KEY;
1550ASN1_STRING_set(id->value.byKey, "Hello World", -1);
1551sk_OCSP_RESPID_push(ids, id);
1552SSL_set_tlsext_status_ids(con, ids);
1553}
1554#endif
1555 }
6434abbf 1556#endif
79bd20fd 1557#ifndef OPENSSL_NO_JPAKE
6caa4edd
BL		 1558 if (jpake_secret)
1559 jpake_client_auth(bio_c_out, sbio, jpake_secret);
ed551cdd 1560#endif
6caa4edd 1561
d02b48c6
RE		 1562 SSL_set_bio(con,sbio,sbio);
1563 SSL_set_connect_state(con);
1564
1565 /* ok, lets connect */
1566 width=SSL_get_fd(con)+1;
1567
1568 read_tty=1;
1569 write_tty=0;
1570 tty_on=0;
1571 read_ssl=1;
1572 write_ssl=1;
1573
1574 cbuf_len=0;
1575 cbuf_off=0;
1576 sbuf_len=0;
1577 sbuf_off=0;
1578
135c0af1 1579 /* This is an ugly hack that does a lot of assumptions */
ee373e7f
LJ		 1580 /* We do have to handle multi-line responses which may come
1581 in a single packet or not. We therefore have to use
1582 BIO_gets() which does need a buffering BIO. So during
1583 the initial chitchat we do push a buffering BIO into the
1584 chain that is removed again later on to not disturb the
1585 rest of the s_client operation. */
85c67492 1586 if (starttls_proto == PROTO_SMTP)
135c0af1 1587 {
8d72476e 1588 int foundit=0;
ee373e7f
LJ		 1589 BIO *fbio = BIO_new(BIO_f_buffer());
1590 BIO_push(fbio, sbio);
85c67492
RL		 1591 /* wait for multi-line response to end from SMTP */
1592 do
1593 {
ee373e7f 1594 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
85c67492
RL		 1595 }
1596 while (mbuf_len>3 && mbuf[3]=='-');
8d72476e 1597 /* STARTTLS command requires EHLO... */
ee373e7f 1598 BIO_printf(fbio,"EHLO openssl.client.net\r\n");
710069c1 1599 (void)BIO_flush(fbio);
8d72476e
LJ		 1600 /* wait for multi-line response to end EHLO SMTP response */
1601 do
1602 {
ee373e7f 1603 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
8d72476e
LJ		 1604 if (strstr(mbuf,"STARTTLS"))
1605 foundit=1;
1606 }
1607 while (mbuf_len>3 && mbuf[3]=='-');
710069c1 1608 (void)BIO_flush(fbio);
ee373e7f
LJ		 1609 BIO_pop(fbio);
1610 BIO_free(fbio);
8d72476e
LJ		 1611 if (!foundit)
1612 BIO_printf(bio_err,
1613 "didn't found starttls in server response,"
1614 " try anyway...\n");
135c0af1
RL		 1615 BIO_printf(sbio,"STARTTLS\r\n");
1616 BIO_read(sbio,sbuf,BUFSIZZ);
1617 }
85c67492 1618 else if (starttls_proto == PROTO_POP3)
4f17dfcd
LJ		 1619 {
1620 BIO_read(sbio,mbuf,BUFSIZZ);
1621 BIO_printf(sbio,"STLS\r\n");
1622 BIO_read(sbio,sbuf,BUFSIZZ);
1623 }
85c67492
RL		 1624 else if (starttls_proto == PROTO_IMAP)
1625 {
8d72476e 1626 int foundit=0;
ee373e7f
LJ		 1627 BIO *fbio = BIO_new(BIO_f_buffer());
1628 BIO_push(fbio, sbio);
1629 BIO_gets(fbio,mbuf,BUFSIZZ);
8d72476e 1630 /* STARTTLS command requires CAPABILITY... */
ee373e7f 1631 BIO_printf(fbio,". CAPABILITY\r\n");
710069c1 1632 (void)BIO_flush(fbio);
8d72476e
LJ		 1633 /* wait for multi-line CAPABILITY response */
1634 do
1635 {
ee373e7f 1636 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
8d72476e
LJ		 1637 if (strstr(mbuf,"STARTTLS"))
1638 foundit=1;
1639 }
ee373e7f 1640 while (mbuf_len>3 && mbuf[0]!='.');
710069c1 1641 (void)BIO_flush(fbio);
ee373e7f
LJ		 1642 BIO_pop(fbio);
1643 BIO_free(fbio);
8d72476e
LJ		 1644 if (!foundit)
1645 BIO_printf(bio_err,
1646 "didn't found STARTTLS in server response,"
1647 " try anyway...\n");
1648 BIO_printf(sbio,". STARTTLS\r\n");
85c67492
RL		 1649 BIO_read(sbio,sbuf,BUFSIZZ);
1650 }
1651 else if (starttls_proto == PROTO_FTP)
1652 {
ee373e7f
LJ		 1653 BIO *fbio = BIO_new(BIO_f_buffer());
1654 BIO_push(fbio, sbio);
85c67492
RL		 1655 /* wait for multi-line response to end from FTP */
1656 do
1657 {
ee373e7f 1658 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
85c67492
RL		 1659 }
1660 while (mbuf_len>3 && mbuf[3]=='-');
710069c1 1661 (void)BIO_flush(fbio);
ee373e7f
LJ		 1662 BIO_pop(fbio);
1663 BIO_free(fbio);
85c67492
RL		 1664 BIO_printf(sbio,"AUTH TLS\r\n");
1665 BIO_read(sbio,sbuf,BUFSIZZ);
1666 }
d5bbead4
BL		 1667 if (starttls_proto == PROTO_XMPP)
1668 {
1669 int seen = 0;
1670 BIO_printf(sbio,"<stream:stream "
1671 "xmlns:stream='http://etherx.jabber.org/streams' "
1672 "xmlns='jabber:client' to='%s' version='1.0'>", host);
1673 seen = BIO_read(sbio,mbuf,BUFSIZZ);
1674 mbuf[seen] = 0;
1675 while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'"))
1676 {
1677 if (strstr(mbuf, "/stream:features>"))
1678 goto shut;
1679 seen = BIO_read(sbio,mbuf,BUFSIZZ);
1680 mbuf[seen] = 0;
1681 }
1682 BIO_printf(sbio, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>");
1683 seen = BIO_read(sbio,sbuf,BUFSIZZ);
1684 sbuf[seen] = 0;
1685 if (!strstr(sbuf, "<proceed"))
1686 goto shut;
1687 mbuf[0] = 0;
1688 }
135c0af1 1689
d02b48c6
RE		 1690 for (;;)
1691 {
1692 FD_ZERO(&readfds);
1693 FD_ZERO(&writefds);
1694
b972fbaa
DSH		 1695 if ((SSL_version(con) == DTLS1_VERSION) &&
1696 DTLSv1_get_timeout(con, &timeout))
1697 timeoutp = &timeout;
1698 else
1699 timeoutp = NULL;
1700
58964a49 1701 if (SSL_in_init(con) && !SSL_total_renegotiations(con))
d02b48c6
RE		 1702 {
1703 in_init=1;
1704 tty_on=0;
1705 }
1706 else
1707 {
1708 tty_on=1;
1709 if (in_init)
1710 {
1711 in_init=0;
761772d7 1712#if 0 /* This test doesn't really work as intended (needs to be fixed) */
ed3883d2 1713#ifndef OPENSSL_NO_TLSEXT
b166f13e
BM		 1714 if (servername != NULL && !SSL_session_reused(con))
1715 {
1716 BIO_printf(bio_c_out,"Server did %sacknowledge servername extension.\n",tlsextcbp.ack?"":"not ");
1717 }
761772d7 1718#endif
ed3883d2 1719#endif
6434abbf
DSH		 1720 if (sess_out)
1721 {
1722 BIO *stmp = BIO_new_file(sess_out, "w");
1723 if (stmp)
1724 {
1725 PEM_write_bio_SSL_SESSION(stmp, SSL_get_session(con));
1726 BIO_free(stmp);
1727 }
1728 else
1729 BIO_printf(bio_err, "Error writing session file %s\n", sess_out);
1730 }
2a7cbe77
DSH		 1731 if (c_brief)
1732 {
1733 BIO_puts(bio_err,
1734 "CONNECTION ESTABLISHED\n");
1735 print_ssl_summary(bio_err, con);
1736 }
d02b48c6
RE		 1737 print_stuff(bio_c_out,con,full_log);
1738 if (full_log > 0) full_log--;
1739
4f17dfcd 1740 if (starttls_proto)
135c0af1
RL		 1741 {
1742 BIO_printf(bio_err,"%s",mbuf);
1743 /* We don't need to know any more */
85c67492 1744 starttls_proto = PROTO_OFF;
135c0af1
RL		 1745 }
1746
d02b48c6
RE		 1747 if (reconnect)
1748 {
1749 reconnect--;
1750 BIO_printf(bio_c_out,"drop connection and then reconnect\n");
1751 SSL_shutdown(con);
1752 SSL_set_connect_state(con);
1753 SHUTDOWN(SSL_get_fd(con));
1754 goto re_start;
1755 }
1756 }
1757 }
1758
c7ac31e2
BM		 1759 ssl_pending = read_ssl && SSL_pending(con);
1760
1761 if (!ssl_pending)
d02b48c6 1762 {
4700aea9 1763#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) && !defined (OPENSSL_SYS_BEOS_R5)
c7ac31e2
BM		 1764 if (tty_on)
1765 {
7bf7333d
DSH		 1766 if (read_tty) openssl_fdset(fileno(stdin),&readfds);
1767 if (write_tty) openssl_fdset(fileno(stdout),&writefds);
c7ac31e2 1768 }
c7ac31e2 1769 if (read_ssl)
7bf7333d 1770 openssl_fdset(SSL_get_fd(con),&readfds);
c7ac31e2 1771 if (write_ssl)
7bf7333d 1772 openssl_fdset(SSL_get_fd(con),&writefds);
06f4536a
DSH		 1773#else
1774 if(!tty_on || !write_tty) {
1775 if (read_ssl)
7bf7333d 1776 openssl_fdset(SSL_get_fd(con),&readfds);
06f4536a 1777 if (write_ssl)
7bf7333d 1778 openssl_fdset(SSL_get_fd(con),&writefds);
06f4536a
DSH		 1779 }
1780#endif
c7ac31e2
BM		 1781/* printf("mode tty(%d %d%d) ssl(%d%d)\n",
1782 tty_on,read_tty,write_tty,read_ssl,write_ssl);*/
d02b48c6 1783
75e0770d 1784 /* Note: under VMS with SOCKETSHR the second parameter
7d7d2cbc
UM		 1785 * is currently of type (int *) whereas under other
1786 * systems it is (void *) if you don't have a cast it
1787 * will choke the compiler: if you do have a cast then
1788 * you can either go for (int *) or (void *).
1789 */
3d7c4a5a
RL		 1790#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
1791 /* Under Windows/DOS we make the assumption that we can
06f4536a
DSH		 1792 * always write to the tty: therefore if we need to
1793 * write to the tty we just fall through. Otherwise
1794 * we timeout the select every second and see if there
1795 * are any keypresses. Note: this is a hack, in a proper
1796 * Windows application we wouldn't do this.
1797 */
4ec19e20 1798 i=0;
06f4536a
DSH		 1799 if(!write_tty) {
1800 if(read_tty) {
1801 tv.tv_sec = 1;
1802 tv.tv_usec = 0;
1803 i=select(width,(void *)&readfds,(void *)&writefds,
1804 NULL,&tv);
3d7c4a5a 1805#if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
0bf23d9b
RL		 1806 if(!i && (!_kbhit() || !read_tty) ) continue;
1807#else
a9ef75c5 1808 if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue;
0bf23d9b 1809#endif
06f4536a 1810 } else i=select(width,(void *)&readfds,(void *)&writefds,
b972fbaa 1811 NULL,timeoutp);
06f4536a 1812 }
47c1735a
RL		 1813#elif defined(OPENSSL_SYS_NETWARE)
1814 if(!write_tty) {
1815 if(read_tty) {
1816 tv.tv_sec = 1;
1817 tv.tv_usec = 0;
1818 i=select(width,(void *)&readfds,(void *)&writefds,
1819 NULL,&tv);
1820 } else i=select(width,(void *)&readfds,(void *)&writefds,
b972fbaa 1821 NULL,timeoutp);
47c1735a 1822 }
4700aea9
UM		 1823#elif defined(OPENSSL_SYS_BEOS_R5)
1824 /* Under BeOS-R5 the situation is similar to DOS */
1825 i=0;
1826 stdin_set = 0;
1827 (void)fcntl(fileno(stdin), F_SETFL, O_NONBLOCK);
1828 if(!write_tty) {
1829 if(read_tty) {
1830 tv.tv_sec = 1;
1831 tv.tv_usec = 0;
1832 i=select(width,(void *)&readfds,(void *)&writefds,
1833 NULL,&tv);
1834 if (read(fileno(stdin), sbuf, 0) >= 0)
1835 stdin_set = 1;
1836 if (!i && (stdin_set != 1 || !read_tty))
1837 continue;
1838 } else i=select(width,(void *)&readfds,(void *)&writefds,
b972fbaa 1839 NULL,timeoutp);
4700aea9
UM		 1840 }
1841 (void)fcntl(fileno(stdin), F_SETFL, 0);
06f4536a 1842#else
7d7d2cbc 1843 i=select(width,(void *)&readfds,(void *)&writefds,
b972fbaa 1844 NULL,timeoutp);
06f4536a 1845#endif
c7ac31e2
BM		 1846 if ( i < 0)
1847 {
1848 BIO_printf(bio_err,"bad select %d\n",
58964a49 1849 get_last_socket_error());
c7ac31e2
BM		 1850 goto shut;
1851 /* goto end; */
1852 }
d02b48c6
RE		 1853 }
1854
b972fbaa
DSH		 1855 if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0)
1856 {
1857 BIO_printf(bio_err,"TIMEOUT occured\n");
1858 }
1859
c7ac31e2 1860 if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds))
d02b48c6
RE		 1861 {
1862 k=SSL_write(con,&(cbuf[cbuf_off]),
1863 (unsigned int)cbuf_len);
1864 switch (SSL_get_error(con,k))
1865 {
1866 case SSL_ERROR_NONE:
1867 cbuf_off+=k;
1868 cbuf_len-=k;
1869 if (k <= 0) goto end;
1870 /* we have done a write(con,NULL,0); */
1871 if (cbuf_len <= 0)
1872 {
1873 read_tty=1;
1874 write_ssl=0;
1875 }
1876 else /* if (cbuf_len > 0) */
1877 {
1878 read_tty=0;
1879 write_ssl=1;
1880 }
1881 break;
1882 case SSL_ERROR_WANT_WRITE:
1883 BIO_printf(bio_c_out,"write W BLOCK\n");
1884 write_ssl=1;
1885 read_tty=0;
1886 break;
1887 case SSL_ERROR_WANT_READ:
1888 BIO_printf(bio_c_out,"write R BLOCK\n");
1889 write_tty=0;
1890 read_ssl=1;
1891 write_ssl=0;
1892 break;
1893 case SSL_ERROR_WANT_X509_LOOKUP:
1894 BIO_printf(bio_c_out,"write X BLOCK\n");
1895 break;
1896 case SSL_ERROR_ZERO_RETURN:
1897 if (cbuf_len != 0)
1898 {
1899 BIO_printf(bio_c_out,"shutdown\n");
0e1dba93 1900 ret = 0;
d02b48c6
RE		 1901 goto shut;
1902 }
1903 else
1904 {
1905 read_tty=1;
1906 write_ssl=0;
1907 break;
1908 }
1909
1910 case SSL_ERROR_SYSCALL:
1911 if ((k != 0) || (cbuf_len != 0))
1912 {
1913 BIO_printf(bio_err,"write:errno=%d\n",
58964a49 1914 get_last_socket_error());
d02b48c6
RE		 1915 goto shut;
1916 }
1917 else
1918 {
1919 read_tty=1;
1920 write_ssl=0;
1921 }
1922 break;
1923 case SSL_ERROR_SSL:
1924 ERR_print_errors(bio_err);
1925 goto shut;
1926 }
1927 }
4700aea9
UM		 1928#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
1929 /* Assume Windows/DOS/BeOS can always write */
06f4536a
DSH		 1930 else if (!ssl_pending && write_tty)
1931#else
c7ac31e2 1932 else if (!ssl_pending && FD_ISSET(fileno(stdout),&writefds))
06f4536a 1933#endif
d02b48c6 1934 {
a53955d8
UM		 1935#ifdef CHARSET_EBCDIC
1936 ascii2ebcdic(&(sbuf[sbuf_off]),&(sbuf[sbuf_off]),sbuf_len);
1937#endif
ffa10187 1938 i=raw_write_stdout(&(sbuf[sbuf_off]),sbuf_len);
d02b48c6
RE		 1939
1940 if (i <= 0)
1941 {
1942 BIO_printf(bio_c_out,"DONE\n");
0e1dba93 1943 ret = 0;
d02b48c6
RE		 1944 goto shut;
1945 /* goto end; */
1946 }
1947
1948 sbuf_len-=i;;
1949 sbuf_off+=i;
1950 if (sbuf_len <= 0)
1951 {
1952 read_ssl=1;
1953 write_tty=0;
1954 }
1955 }
c7ac31e2 1956 else if (ssl_pending || FD_ISSET(SSL_get_fd(con),&readfds))
d02b48c6 1957 {
58964a49
RE		 1958#ifdef RENEG
1959{ static int iiii; if (++iiii == 52) { SSL_renegotiate(con); iiii=0; } }
1960#endif
dfeab068 1961#if 1
58964a49 1962 k=SSL_read(con,sbuf,1024 /* BUFSIZZ */ );
dfeab068
RE		 1963#else
1964/* Demo for pending and peek :-) */
1965 k=SSL_read(con,sbuf,16);
1966{ char zbuf[10240];
1967printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240));
1968}
1969#endif
d02b48c6
RE		 1970
1971 switch (SSL_get_error(con,k))
1972 {
1973 case SSL_ERROR_NONE:
1974 if (k <= 0)
1975 goto end;
1976 sbuf_off=0;
1977 sbuf_len=k;
1978
1979 read_ssl=0;
1980 write_tty=1;
1981 break;
1982 case SSL_ERROR_WANT_WRITE:
1983 BIO_printf(bio_c_out,"read W BLOCK\n");
1984 write_ssl=1;
1985 read_tty=0;
1986 break;
1987 case SSL_ERROR_WANT_READ:
1988 BIO_printf(bio_c_out,"read R BLOCK\n");
1989 write_tty=0;
1990 read_ssl=1;
1991 if ((read_tty == 0) && (write_ssl == 0))
1992 write_ssl=1;
1993 break;
1994 case SSL_ERROR_WANT_X509_LOOKUP:
1995 BIO_printf(bio_c_out,"read X BLOCK\n");
1996 break;
1997 case SSL_ERROR_SYSCALL:
0e1dba93 1998 ret=get_last_socket_error();
2537d469 1999 if (c_brief)
66d9f2e5
DSH		 2000 BIO_puts(bio_err, "CONNECTION CLOSED BY SERVER\n");
2001 else
2002 BIO_printf(bio_err,"read:errno=%d\n",ret);
d02b48c6
RE		 2003 goto shut;
2004 case SSL_ERROR_ZERO_RETURN:
2005 BIO_printf(bio_c_out,"closed\n");
0e1dba93 2006 ret=0;
d02b48c6
RE		 2007 goto shut;
2008 case SSL_ERROR_SSL:
2009 ERR_print_errors(bio_err);
2010 goto shut;
dfeab068 2011 /* break; */
d02b48c6
RE		 2012 }
2013 }
2014
3d7c4a5a
RL		 2015#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
2016#if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
0bf23d9b
RL		 2017 else if (_kbhit())
2018#else
a9ef75c5 2019 else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
0bf23d9b 2020#endif
4d8743f4 2021#elif defined (OPENSSL_SYS_NETWARE)
ffa10187 2022 else if (_kbhit())
4700aea9
UM		 2023#elif defined(OPENSSL_SYS_BEOS_R5)
2024 else if (stdin_set)
06f4536a 2025#else
d02b48c6 2026 else if (FD_ISSET(fileno(stdin),&readfds))
06f4536a 2027#endif
d02b48c6 2028 {
1bdb8633
BM		 2029 if (crlf)
2030 {
2031 int j, lf_num;
2032
ffa10187 2033 i=raw_read_stdin(cbuf,BUFSIZZ/2);
1bdb8633
BM		 2034 lf_num = 0;
2035 /* both loops are skipped when i <= 0 */
2036 for (j = 0; j < i; j++)
2037 if (cbuf[j] == '\n')
2038 lf_num++;
2039 for (j = i-1; j >= 0; j--)
2040 {
2041 cbuf[j+lf_num] = cbuf[j];
2042 if (cbuf[j] == '\n')
2043 {
2044 lf_num--;
2045 i++;
2046 cbuf[j+lf_num] = '\r';
2047 }
2048 }
2049 assert(lf_num == 0);
2050 }
2051 else
ffa10187 2052 i=raw_read_stdin(cbuf,BUFSIZZ);
d02b48c6 2053
ce301b6b 2054 if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q')))
d02b48c6
RE		 2055 {
2056 BIO_printf(bio_err,"DONE\n");
0e1dba93 2057 ret=0;
d02b48c6
RE		 2058 goto shut;
2059 }
2060
ce301b6b 2061 if ((!c_ign_eof) && (cbuf[0] == 'R'))
d02b48c6 2062 {
3bb307c1 2063 BIO_printf(bio_err,"RENEGOTIATING\n");
d02b48c6 2064 SSL_renegotiate(con);
3bb307c1 2065 cbuf_len=0;
d02b48c6 2066 }
4817504d
DSH		 2067#ifndef OPENSSL_NO_HEARTBEATS
2068 else if ((!c_ign_eof) && (cbuf[0] == 'B'))
2069 {
2070 BIO_printf(bio_err,"HEARTBEATING\n");
2071 SSL_heartbeat(con);
2072 cbuf_len=0;
2073 }
2074#endif
d02b48c6
RE		 2075 else
2076 {
2077 cbuf_len=i;
2078 cbuf_off=0;
a53955d8
UM		 2079#ifdef CHARSET_EBCDIC
2080 ebcdic2ascii(cbuf, cbuf, i);
2081#endif
d02b48c6
RE		 2082 }
2083
d02b48c6 2084 write_ssl=1;
3bb307c1 2085 read_tty=0;
d02b48c6 2086 }
d02b48c6 2087 }
0e1dba93
DSH		 2088
2089 ret=0;
d02b48c6 2090shut:
b166f13e
BM		 2091 if (in_init)
2092 print_stuff(bio_c_out,con,full_log);
d02b48c6
RE		 2093 SSL_shutdown(con);
2094 SHUTDOWN(SSL_get_fd(con));
d02b48c6 2095end:
d916ba1b
NL		 2096 if (con != NULL)
2097 {
2098 if (prexit != 0)
2099 print_stuff(bio_c_out,con,1);
2100 SSL_free(con);
2101 }
dd251659
DSH		 2102#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
2103 if (next_proto.data)
2104 OPENSSL_free(next_proto.data);
2105#endif
d02b48c6 2106 if (ctx != NULL) SSL_CTX_free(ctx);
826a42a0
DSH		 2107 if (cert)
2108 X509_free(cert);
fdb78f3d
DSH		 2109 if (crls)
2110 sk_X509_CRL_pop_free(crls, X509_CRL_free);
826a42a0
DSH		 2111 if (key)
2112 EVP_PKEY_free(key);
4e71d952
DSH		 2113 if (chain)
2114 sk_X509_pop_free(chain, X509_free);
826a42a0
DSH		 2115 if (pass)
2116 OPENSSL_free(pass);
22b5d7c8
DSH		 2117 if (vpm)
2118 X509_VERIFY_PARAM_free(vpm);
3208fc59 2119 ssl_excert_free(exc);
5d2e07f1
DSH		 2120 if (ssl_args)
2121 sk_OPENSSL_STRING_free(ssl_args);
2122 if (cctx)
2123 SSL_CONF_CTX_free(cctx);
b252cf0d
DSH		 2124#ifndef OPENSSL_NO_JPAKE
2125 if (jpake_secret && psk_key)
2126 OPENSSL_free(psk_key);
2127#endif
4579924b
RL		 2128 if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); }
2129 if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); }
2130 if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); }
d02b48c6
RE		 2131 if (bio_c_out != NULL)
2132 {
2133 BIO_free(bio_c_out);
2134 bio_c_out=NULL;
2135 }
93ab9e42
DSH		 2136 if (bio_c_msg != NULL)
2137 {
2138 BIO_free(bio_c_msg);
2139 bio_c_msg=NULL;
2140 }
c04f8cf4 2141 apps_shutdown();
1c3e4a36 2142 OPENSSL_EXIT(ret);
d02b48c6
RE		 2143 }
2144
2145
6b691a5c 2146static void print_stuff(BIO *bio, SSL *s, int full)
d02b48c6 2147 {
58964a49 2148 X509 *peer=NULL;
d02b48c6 2149 char *p;
7d727231 2150 static const char *space=" ";
d02b48c6 2151 char buf[BUFSIZ];
f73e07cf
BL		 2152 STACK_OF(X509) *sk;
2153 STACK_OF(X509_NAME) *sk2;
babb3798 2154 const SSL_CIPHER *c;
d02b48c6
RE		 2155 X509_NAME *xn;
2156 int j,i;
09b6c2ef 2157#ifndef OPENSSL_NO_COMP
d8ec0dcf 2158 const COMP_METHOD *comp, *expansion;
09b6c2ef 2159#endif
e0af0405 2160 unsigned char *exportedkeymat;
d02b48c6
RE		 2161
2162 if (full)
2163 {
bc2e519a
BM		 2164 int got_a_chain = 0;
2165
d02b48c6
RE		 2166 sk=SSL_get_peer_cert_chain(s);
2167 if (sk != NULL)
2168 {
bc2e519a
BM		 2169 got_a_chain = 1; /* we don't have it for SSL2 (yet) */
2170
dfeab068 2171 BIO_printf(bio,"---\nCertificate chain\n");
f73e07cf 2172 for (i=0; i<sk_X509_num(sk); i++)
d02b48c6 2173 {
f73e07cf 2174 X509_NAME_oneline(X509_get_subject_name(
54a656ef 2175 sk_X509_value(sk,i)),buf,sizeof buf);
d02b48c6 2176 BIO_printf(bio,"%2d s:%s\n",i,buf);
f73e07cf 2177 X509_NAME_oneline(X509_get_issuer_name(
54a656ef 2178 sk_X509_value(sk,i)),buf,sizeof buf);
d02b48c6 2179 BIO_printf(bio," i:%s\n",buf);
6d02d8e4 2180 if (c_showcerts)
f73e07cf 2181 PEM_write_bio_X509(bio,sk_X509_value(sk,i));
d02b48c6
RE		 2182 }
2183 }
2184
2185 BIO_printf(bio,"---\n");
2186 peer=SSL_get_peer_certificate(s);
2187 if (peer != NULL)
2188 {
2189 BIO_printf(bio,"Server certificate\n");
bc2e519a 2190 if (!(c_showcerts && got_a_chain)) /* Redundant if we showed the whole chain */
6d02d8e4 2191 PEM_write_bio_X509(bio,peer);
d02b48c6 2192 X509_NAME_oneline(X509_get_subject_name(peer),
54a656ef 2193 buf,sizeof buf);
d02b48c6
RE		 2194 BIO_printf(bio,"subject=%s\n",buf);
2195 X509_NAME_oneline(X509_get_issuer_name(peer),
54a656ef 2196 buf,sizeof buf);
d02b48c6 2197 BIO_printf(bio,"issuer=%s\n",buf);
d02b48c6
RE		 2198 }
2199 else
2200 BIO_printf(bio,"no peer certificate available\n");
2201
f73e07cf 2202 sk2=SSL_get_client_CA_list(s);
d91f8c3c 2203 if ((sk2 != NULL) && (sk_X509_NAME_num(sk2) > 0))
d02b48c6
RE		 2204 {
2205 BIO_printf(bio,"---\nAcceptable client certificate CA names\n");
f73e07cf 2206 for (i=0; i<sk_X509_NAME_num(sk2); i++)
d02b48c6 2207 {
f73e07cf 2208 xn=sk_X509_NAME_value(sk2,i);
d02b48c6
RE		 2209 X509_NAME_oneline(xn,buf,sizeof(buf));
2210 BIO_write(bio,buf,strlen(buf));
2211 BIO_write(bio,"\n",1);
2212 }
2213 }
2214 else
2215 {
2216 BIO_printf(bio,"---\nNo client certificate CA names sent\n");
2217 }
54a656ef 2218 p=SSL_get_shared_ciphers(s,buf,sizeof buf);
d02b48c6
RE		 2219 if (p != NULL)
2220 {
67a47285
BM		 2221 /* This works only for SSL 2. In later protocol
2222 * versions, the client does not know what other
2223 * ciphers (in addition to the one to be used
2224 * in the current connection) the server supports. */
2225
d02b48c6
RE		 2226 BIO_printf(bio,"---\nCiphers common between both SSL endpoints:\n");
2227 j=i=0;
2228 while (*p)
2229 {
2230 if (*p == ':')
2231 {
58964a49 2232 BIO_write(bio,space,15-j%25);
d02b48c6
RE		 2233 i++;
2234 j=0;
2235 BIO_write(bio,((i%3)?" ":"\n"),1);
2236 }
2237 else
2238 {
2239 BIO_write(bio,p,1);
2240 j++;
2241 }
2242 p++;
2243 }
2244 BIO_write(bio,"\n",1);
2245 }
2246
9f27b1ee 2247 ssl_print_sigalgs(bio, s);
33a8de69 2248 ssl_print_tmp_key(bio, s);
e7f8ff43 2249
d02b48c6
RE		 2250 BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n",
2251 BIO_number_read(SSL_get_rbio(s)),
2252 BIO_number_written(SSL_get_wbio(s)));
2253 }
08557cf2 2254 BIO_printf(bio,(SSL_cache_hit(s)?"---\nReused, ":"---\nNew, "));
d02b48c6
RE		 2255 c=SSL_get_current_cipher(s);
2256 BIO_printf(bio,"%s, Cipher is %s\n",
2257 SSL_CIPHER_get_version(c),
2258 SSL_CIPHER_get_name(c));
a8236c8c
DSH		 2259 if (peer != NULL) {
2260 EVP_PKEY *pktmp;
2261 pktmp = X509_get_pubkey(peer);
58964a49 2262 BIO_printf(bio,"Server public key is %d bit\n",
a8236c8c
DSH		 2263 EVP_PKEY_bits(pktmp));
2264 EVP_PKEY_free(pktmp);
2265 }
5430200b
DSH		 2266 BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
2267 SSL_get_secure_renegotiation_support(s) ? "" : " NOT");
09b6c2ef 2268#ifndef OPENSSL_NO_COMP
f44e184e 2269 comp=SSL_get_current_compression(s);
d8ec0dcf 2270 expansion=SSL_get_current_expansion(s);
f44e184e
RL		 2271 BIO_printf(bio,"Compression: %s\n",
2272 comp ? SSL_COMP_get_name(comp) : "NONE");
2273 BIO_printf(bio,"Expansion: %s\n",
d8ec0dcf 2274 expansion ? SSL_COMP_get_name(expansion) : "NONE");
09b6c2ef 2275#endif
71fa4513 2276
57559471 2277#ifdef SSL_DEBUG
a2f9200f
DSH		 2278 {
2279 /* Print out local port of connection: useful for debugging */
2280 int sock;
2281 struct sockaddr_in ladd;
2282 socklen_t ladd_size = sizeof(ladd);
2283 sock = SSL_get_fd(s);
2284 getsockname(sock, (struct sockaddr *)&ladd, &ladd_size);
2285 BIO_printf(bio_c_out, "LOCAL PORT is %u\n", ntohs(ladd.sin_port));
2286 }
2287#endif
2288
6f017a8f
AL		 2289#if !defined(OPENSSL_NO_TLSEXT)
2290# if !defined(OPENSSL_NO_NEXTPROTONEG)
71fa4513
BL		 2291 if (next_proto.status != -1) {
2292 const unsigned char *proto;
2293 unsigned int proto_len;
2294 SSL_get0_next_proto_negotiated(s, &proto, &proto_len);
2295 BIO_printf(bio, "Next protocol: (%d) ", next_proto.status);
2296 BIO_write(bio, proto, proto_len);
2297 BIO_write(bio, "\n", 1);
2298 }
6f017a8f
AL		 2299 {
2300 const unsigned char *proto;
2301 unsigned int proto_len;
2302 SSL_get0_alpn_selected(s, &proto, &proto_len);
2303 if (proto_len > 0)
2304 {
2305 BIO_printf(bio, "ALPN protocol: ");
2306 BIO_write(bio, proto, proto_len);
2307 BIO_write(bio, "\n", 1);
2308 }
2309 else
2310 BIO_printf(bio, "No ALPN negotiated\n");
2311 }
2312# endif
71fa4513
BL		 2313#endif
2314
333f926d
BL		 2315 {
2316 SRTP_PROTECTION_PROFILE *srtp_profile=SSL_get_selected_srtp_profile(s);
2317
2318 if(srtp_profile)
2319 BIO_printf(bio,"SRTP Extension negotiated, profile=%s\n",
2320 srtp_profile->name);
2321 }
2322
d02b48c6 2323 SSL_SESSION_print(bio,SSL_get_session(s));
be81f4dd
DSH		 2324 if (keymatexportlabel != NULL)
2325 {
e0af0405
BL		 2326 BIO_printf(bio, "Keying material exporter:\n");
2327 BIO_printf(bio, " Label: '%s'\n", keymatexportlabel);
2328 BIO_printf(bio, " Length: %i bytes\n", keymatexportlen);
2329 exportedkeymat = OPENSSL_malloc(keymatexportlen);
be81f4dd
DSH		 2330 if (exportedkeymat != NULL)
2331 {
2332 if (!SSL_export_keying_material(s, exportedkeymat,
2333 keymatexportlen,
2334 keymatexportlabel,
2335 strlen(keymatexportlabel),
2336 NULL, 0, 0))
2337 {
2338 BIO_printf(bio, " Error\n");
2339 }
2340 else
2341 {
e0af0405
BL		 2342 BIO_printf(bio, " Keying material: ");
2343 for (i=0; i<keymatexportlen; i++)
2344 BIO_printf(bio, "%02X",
2345 exportedkeymat[i]);
2346 BIO_printf(bio, "\n");
be81f4dd 2347 }
e0af0405 2348 OPENSSL_free(exportedkeymat);
be81f4dd 2349 }
e0af0405 2350 }
d02b48c6 2351 BIO_printf(bio,"---\n");
58964a49
RE		 2352 if (peer != NULL)
2353 X509_free(peer);
41ebed27 2354 /* flush, or debugging output gets mixed with http response */
710069c1 2355 (void)BIO_flush(bio);
d02b48c6
RE		 2356 }
2357
0702150f
DSH		 2358#ifndef OPENSSL_NO_TLSEXT
2359
67c8e7f4
DSH		 2360static int ocsp_resp_cb(SSL *s, void *arg)
2361 {
2362 const unsigned char *p;
2363 int len;
2364 OCSP_RESPONSE *rsp;
2365 len = SSL_get_tlsext_status_ocsp_resp(s, &p);
2366 BIO_puts(arg, "OCSP response: ");
2367 if (!p)
2368 {
2369 BIO_puts(arg, "no response sent\n");
2370 return 1;
2371 }
2372 rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
2373 if (!rsp)
2374 {
2375 BIO_puts(arg, "response parse error\n");
2376 BIO_dump_indent(arg, (char *)p, len, 4);
2377 return 0;
2378 }
2379 BIO_puts(arg, "\n======================================\n");
2380 OCSP_RESPONSE_print(arg, rsp, 0);
2381 BIO_puts(arg, "======================================\n");
2382 OCSP_RESPONSE_free(rsp);
2383 return 1;
2384 }
0702150f 2385
a9e1c50b
BL		 2386static int audit_proof_cb(SSL *s, void *arg)
2387 {
2388 const unsigned char *proof;
2389 size_t proof_len;
2390 size_t i;
2391 SSL_SESSION *sess = SSL_get_session(s);
2392
2393 proof = SSL_SESSION_get_tlsext_authz_server_audit_proof(sess,
2394 &proof_len);
2395 if (proof != NULL)
2396 {
2397 BIO_printf(bio_c_out, "Audit proof: ");
2398 for (i = 0; i < proof_len; ++i)
2399 BIO_printf(bio_c_out, "%02X", proof[i]);
2400 BIO_printf(bio_c_out, "\n");
2401 }
2402 else
2403 {
2404 BIO_printf(bio_c_out, "No audit proof found.\n");
2405 }
2406 return 1;
2407 }
0702150f 2408#endif
A mirror of the official openssl repository