]> git.ipfire.org Git - thirdparty/openssl.git/blame - apps/s_client.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Configure: reimplement commit#21695.
[thirdparty/openssl.git] / apps / s_client.c
CommitLineData
d02b48c6 1/* apps/s_client.c */
58964a49 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
d02b48c6
RE		 3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
a661b653 58/* ====================================================================
b1277b99 59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
a661b653
BM		 60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
ddac1974
NL		 111/* ====================================================================
112 * Copyright 2005 Nokia. All rights reserved.
113 *
114 * The portions of the attached software ("Contribution") is developed by
115 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
116 * license.
117 *
118 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120 * support (see RFC 4279) to OpenSSL.
121 *
122 * No patent licenses or other rights except those expressly stated in
123 * the OpenSSL open source license shall be deemed granted or received
124 * expressly, by implication, estoppel, or otherwise.
125 *
126 * No assurances are provided by Nokia that the Contribution does not
127 * infringe the patent or other intellectual property rights of any third
128 * party or that the license provides you with all the necessary rights
129 * to make use of the Contribution.
130 *
131 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
135 * OTHERWISE.
136 */
d02b48c6 137
1b1a6e78 138#include <assert.h>
ddac1974 139#include <ctype.h>
8c197cc5
UM		 140#include <stdio.h>
141#include <stdlib.h>
142#include <string.h>
be1bd923 143#include <openssl/e_os2.h>
cf1b7d96 144#ifdef OPENSSL_NO_STDIO
8c197cc5
UM		 145#define APPS_WIN16
146#endif
147
7d7d2cbc
UM		 148/* With IPv6, it looks like Digital has mixed up the proper order of
149 recursive header file inclusion, resulting in the compiler complaining
150 that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which
151 is needed to have fileno() declared correctly... So let's define u_int */
bc36ee62 152#if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
7d7d2cbc
UM		 153#define __U_INT
154typedef unsigned int u_int;
155#endif
156
d02b48c6 157#define USE_SOCKETS
d02b48c6 158#include "apps.h"
ec577822
BM		 159#include <openssl/x509.h>
160#include <openssl/ssl.h>
161#include <openssl/err.h>
162#include <openssl/pem.h>
1372965e 163#include <openssl/rand.h>
67c8e7f4 164#include <openssl/ocsp.h>
1e26a8ba 165#include <openssl/bn.h>
edc032b5
BL		 166#ifndef OPENSSL_NO_SRP
167#include <openssl/srp.h>
168#endif
d02b48c6 169#include "s_apps.h"
36d16f8e 170#include "timeouts.h"
d02b48c6 171
bc36ee62 172#if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
75e0770d 173/* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
7d7d2cbc
UM		 174#undef FIONBIO
175#endif
176
4700aea9
UM		 177#if defined(OPENSSL_SYS_BEOS_R5)
178#include <fcntl.h>
179#endif
180
d02b48c6
RE		 181#undef PROG
182#define PROG s_client_main
183
184/*#define SSL_HOST_NAME "www.netscape.com" */
185/*#define SSL_HOST_NAME "193.118.187.102" */
186#define SSL_HOST_NAME "localhost"
187
188/*#define TEST_CERT "client.pem" */ /* no default cert. */
189
190#undef BUFSIZZ
191#define BUFSIZZ 1024*8
192
193extern int verify_depth;
194extern int verify_error;
5d20c4fb 195extern int verify_return_error;
d02b48c6
RE		 196
197#ifdef FIONBIO
198static int c_nbio=0;
199#endif
200static int c_Pause=0;
201static int c_debug=0;
6434abbf
DSH		 202#ifndef OPENSSL_NO_TLSEXT
203static int c_tlsextdebug=0;
67c8e7f4 204static int c_status_req=0;
6434abbf 205#endif
a661b653 206static int c_msg=0;
6d02d8e4 207static int c_showcerts=0;
d02b48c6 208
d02b48c6
RE		 209static void sc_usage(void);
210static void print_stuff(BIO *berr,SSL *con,int full);
0702150f 211#ifndef OPENSSL_NO_TLSEXT
67c8e7f4 212static int ocsp_resp_cb(SSL *s, void *arg);
0702150f 213#endif
d02b48c6
RE		 214static BIO *bio_c_out=NULL;
215static int c_quiet=0;
ce301b6b 216static int c_ign_eof=0;
d02b48c6 217
ddac1974
NL		 218#ifndef OPENSSL_NO_PSK
219/* Default PSK identity and key */
220static char *psk_identity="Client_identity";
f3b7bdad 221/*char *psk_key=NULL; by default PSK is not used */
ddac1974
NL		 222
223static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity,
224 unsigned int max_identity_len, unsigned char *psk,
225 unsigned int max_psk_len)
226 {
227 unsigned int psk_len = 0;
228 int ret;
229 BIGNUM *bn=NULL;
230
231 if (c_debug)
232 BIO_printf(bio_c_out, "psk_client_cb\n");
233 if (!hint)
234 {
235 /* no ServerKeyExchange message*/
236 if (c_debug)
237 BIO_printf(bio_c_out,"NULL received PSK identity hint, continuing anyway\n");
238 }
239 else if (c_debug)
240 BIO_printf(bio_c_out, "Received PSK identity hint '%s'\n", hint);
241
242 /* lookup PSK identity and PSK key based on the given identity hint here */
0ed6b526 243 ret = BIO_snprintf(identity, max_identity_len, "%s", psk_identity);
a0aa8b4b 244 if (ret < 0 || (unsigned int)ret > max_identity_len)
ddac1974
NL		 245 goto out_err;
246 if (c_debug)
247 BIO_printf(bio_c_out, "created identity '%s' len=%d\n", identity, ret);
248 ret=BN_hex2bn(&bn, psk_key);
249 if (!ret)
250 {
251 BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", psk_key);
252 if (bn)
253 BN_free(bn);
254 return 0;
255 }
256
a0aa8b4b 257 if ((unsigned int)BN_num_bytes(bn) > max_psk_len)
ddac1974
NL		 258 {
259 BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
260 max_psk_len, BN_num_bytes(bn));
261 BN_free(bn);
262 return 0;
263 }
264
265 psk_len=BN_bn2bin(bn, psk);
266 BN_free(bn);
267 if (psk_len == 0)
268 goto out_err;
269
270 if (c_debug)
271 BIO_printf(bio_c_out, "created PSK len=%d\n", psk_len);
272
273 return psk_len;
274 out_err:
275 if (c_debug)
276 BIO_printf(bio_err, "Error in PSK client callback\n");
277 return 0;
278 }
279#endif
280
6b691a5c 281static void sc_usage(void)
d02b48c6 282 {
b6cff93d 283 BIO_printf(bio_err,"usage: s_client args\n");
d02b48c6
RE		 284 BIO_printf(bio_err,"\n");
285 BIO_printf(bio_err," -host host - use -connect instead\n");
286 BIO_printf(bio_err," -port port - use -connect instead\n");
287 BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR);
288
289 BIO_printf(bio_err," -verify arg - turn on peer certificate verification\n");
290 BIO_printf(bio_err," -cert arg - certificate file to use, PEM format assumed\n");
826a42a0
DSH		 291 BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n");
292 BIO_printf(bio_err," -key arg - Private key file to use, in cert file if\n");
d02b48c6 293 BIO_printf(bio_err," not specified but cert file is.\n");
826a42a0
DSH		 294 BIO_printf(bio_err," -keyform arg - key format (PEM or DER) PEM default\n");
295 BIO_printf(bio_err," -pass arg - private key file pass phrase source\n");
d02b48c6
RE		 296 BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n");
297 BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n");
298 BIO_printf(bio_err," -reconnect - Drop and re-make the connection with the same Session-ID\n");
299 BIO_printf(bio_err," -pause - sleep(1) after each read(2) and write(2) system call\n");
6d02d8e4 300 BIO_printf(bio_err," -showcerts - show all certificates in the chain\n");
d02b48c6 301 BIO_printf(bio_err," -debug - extra output\n");
02a00bb0
AP		 302#ifdef WATT32
303 BIO_printf(bio_err," -wdebug - WATT-32 tcp debugging\n");
304#endif
a661b653 305 BIO_printf(bio_err," -msg - Show protocol messages\n");
d02b48c6
RE		 306 BIO_printf(bio_err," -nbio_test - more ssl protocol testing\n");
307 BIO_printf(bio_err," -state - print the 'ssl' states\n");
308#ifdef FIONBIO
309 BIO_printf(bio_err," -nbio - Run with non-blocking IO\n");
1bdb8633 310#endif
1bdb8633 311 BIO_printf(bio_err," -crlf - convert LF from terminal into CRLF\n");
d02b48c6 312 BIO_printf(bio_err," -quiet - no s_client output\n");
ce301b6b 313 BIO_printf(bio_err," -ign_eof - ignore input eof (default when -quiet)\n");
020d67fb 314 BIO_printf(bio_err," -no_ign_eof - don't ignore input eof\n");
ddac1974
NL		 315#ifndef OPENSSL_NO_PSK
316 BIO_printf(bio_err," -psk_identity arg - PSK identity\n");
317 BIO_printf(bio_err," -psk arg - PSK in hex (without 0x)\n");
79bd20fd 318# ifndef OPENSSL_NO_JPAKE
f3b7bdad
BL		 319 BIO_printf(bio_err," -jpake arg - JPAKE secret to use\n");
320# endif
edc032b5
BL		 321#endif
322#ifndef OPENSSL_NO_SRP
323 BIO_printf(bio_err," -srpuser user - SRP authentification for 'user'\n");
324 BIO_printf(bio_err," -srppass arg - password for 'user'\n");
325 BIO_printf(bio_err," -srp_lateuser - SRP username into second ClientHello message\n");
326 BIO_printf(bio_err," -srp_moregroups - Tolerate other than the known g N values.\n");
327 BIO_printf(bio_err," -srp_strength int - minimal mength in bits for N (default %d).\n",SRP_MINIMAL_N);
ddac1974 328#endif
d02b48c6
RE		 329 BIO_printf(bio_err," -ssl2 - just use SSLv2\n");
330 BIO_printf(bio_err," -ssl3 - just use SSLv3\n");
7409d7ad 331 BIO_printf(bio_err," -tls1_2 - just use TLSv1.2\n");
637f374a 332 BIO_printf(bio_err," -tls1_1 - just use TLSv1.1\n");
58964a49 333 BIO_printf(bio_err," -tls1 - just use TLSv1\n");
36d16f8e 334 BIO_printf(bio_err," -dtls1 - just use DTLSv1\n");
046f2101 335 BIO_printf(bio_err," -mtu - set the link layer MTU\n");
7409d7ad 336 BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
d02b48c6 337 BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n");
836f9960 338 BIO_printf(bio_err," -serverpref - Use server's cipher preferences (only SSLv2)\n");
657e60fa 339 BIO_printf(bio_err," -cipher - preferred cipher to use, use the 'openssl ciphers'\n");
dfeab068 340 BIO_printf(bio_err," command to see what is available\n");
135c0af1
RL		 341 BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n");
342 BIO_printf(bio_err," for those protocols that support it, where\n");
343 BIO_printf(bio_err," 'prot' defines which one to assume. Currently,\n");
d5bbead4
BL		 344 BIO_printf(bio_err," only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
345 BIO_printf(bio_err," are supported.\n");
0b13e9f0 346#ifndef OPENSSL_NO_ENGINE
5270e702 347 BIO_printf(bio_err," -engine id - Initialise and use the specified engine\n");
0b13e9f0 348#endif
52b621db 349 BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
014f62b6
DSH		 350 BIO_printf(bio_err," -sess_out arg - file to write SSL session to\n");
351 BIO_printf(bio_err," -sess_in arg - file to read SSL session from\n");
ed3883d2
BM		 352#ifndef OPENSSL_NO_TLSEXT
353 BIO_printf(bio_err," -servername host - Set TLS extension servername in ClientHello\n");
d24a9c8f 354 BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n");
67c8e7f4 355 BIO_printf(bio_err," -status - request certificate status from server\n");
d24a9c8f 356 BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n");
bf48836c 357# ifndef OPENSSL_NO_NEXTPROTONEG
ee2ffc27
BL		 358 BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
359# endif
ed3883d2 360#endif
2942dde5 361 BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
d02b48c6
RE		 362 }
363
ed3883d2
BM		 364#ifndef OPENSSL_NO_TLSEXT
365
366/* This is a context that we pass to callbacks */
367typedef struct tlsextctx_st {
368 BIO * biodebug;
369 int ack;
370} tlsextctx;
371
372
b1277b99
BM		 373static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
374 {
ed3883d2 375 tlsextctx * p = (tlsextctx *) arg;
8de5b7f5 376 const char * hn= SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
ed3883d2
BM		 377 if (SSL_get_servername_type(s) != -1)
378 p->ack = !SSL_session_reused(s) && hn != NULL;
379 else
f1fd4544 380 BIO_printf(bio_err,"Can't use SSL_get_servername\n");
ed3883d2 381
241520e6 382 return SSL_TLSEXT_ERR_OK;
b1277b99 383 }
ee2ffc27 384
edc032b5
BL		 385#ifndef OPENSSL_NO_SRP
386
387/* This is a context that we pass to all callbacks */
388typedef struct srp_arg_st
389 {
390 char *srppassin;
391 char *srplogin;
392 int msg; /* copy from c_msg */
393 int debug; /* copy from c_debug */
394 int amp; /* allow more groups */
395 int strength /* minimal size for N */ ;
396 } SRP_ARG;
397
398#define SRP_NUMBER_ITERATIONS_FOR_PRIME 64
399
400static int SRP_Verify_N_and_g(const BIGNUM *N, const BIGNUM *g)
401 {
402 BN_CTX *bn_ctx = BN_CTX_new();
403 BIGNUM *p = BN_new();
404 BIGNUM *r = BN_new();
405 int ret =
406 g != NULL && N != NULL && bn_ctx != NULL && BN_is_odd(N) &&
d70fcb96 407 BN_is_prime_ex(N,SRP_NUMBER_ITERATIONS_FOR_PRIME,bn_ctx,NULL) &&
edc032b5
BL		 408 p != NULL && BN_rshift1(p, N) &&
409
410 /* p = (N-1)/2 */
d70fcb96 411 BN_is_prime_ex(p,SRP_NUMBER_ITERATIONS_FOR_PRIME,bn_ctx,NULL) &&
edc032b5
BL		 412 r != NULL &&
413
414 /* verify g^((N-1)/2) == -1 (mod N) */
415 BN_mod_exp(r, g, p, N, bn_ctx) &&
416 BN_add_word(r, 1) &&
417 BN_cmp(r, N) == 0;
418
419 if(r)
420 BN_free(r);
421 if(p)
422 BN_free(p);
423 if(bn_ctx)
424 BN_CTX_free(bn_ctx);
425 return ret;
426 }
427
428static int MS_CALLBACK ssl_srp_verify_param_cb(SSL *s, void *arg)
429 {
430 SRP_ARG *srp_arg = (SRP_ARG *)arg;
431 BIGNUM *N = NULL, *g = NULL;
432 if (!(N = SSL_get_srp_N(s)) || !(g = SSL_get_srp_g(s)))
433 return 0;
434 if (srp_arg->debug || srp_arg->msg || srp_arg->amp == 1)
435 {
436 BIO_printf(bio_err, "SRP parameters:\n");
437 BIO_printf(bio_err,"\tN="); BN_print(bio_err,N);
438 BIO_printf(bio_err,"\n\tg="); BN_print(bio_err,g);
439 BIO_printf(bio_err,"\n");
440 }
441
442 if (SRP_check_known_gN_param(g,N))
443 return 1;
444
445 if (srp_arg->amp == 1)
446 {
447 if (srp_arg->debug)
448 BIO_printf(bio_err, "SRP param N and g are not known params, going to check deeper.\n");
449
450/* The srp_moregroups must be used with caution, testing primes costs time.
451 Implementors should rather add the value to the known ones.
452 The minimal size has already been tested.
453*/
454 if (BN_num_bits(g) <= BN_BITS && SRP_Verify_N_and_g(N,g))
455 return 1;
456 }
457 BIO_printf(bio_err, "SRP param N and g rejected.\n");
458 return 0;
459 }
460
461#define PWD_STRLEN 1024
462
463static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
464 {
465 SRP_ARG *srp_arg = (SRP_ARG *)arg;
466 char *pass = (char *)OPENSSL_malloc(PWD_STRLEN+1);
467 PW_CB_DATA cb_tmp;
468 int l;
469
470 cb_tmp.password = (char *)srp_arg->srppassin;
471 cb_tmp.prompt_info = "SRP user";
472 if ((l = password_callback(pass, PWD_STRLEN, 0, &cb_tmp))<0)
473 {
474 BIO_printf (bio_err, "Can't read Password\n");
475 OPENSSL_free(pass);
476 return NULL;
477 }
478 *(pass+l)= '\0';
479
480 return pass;
481 }
482
483static char * MS_CALLBACK missing_srp_username_callback(SSL *s, void *arg)
484 {
485 SRP_ARG *srp_arg = (SRP_ARG *)arg;
486 return BUF_strdup(srp_arg->srplogin);
487 }
488
489#endif
490
bf48836c 491# ifndef OPENSSL_NO_NEXTPROTONEG
ee2ffc27
BL		 492/* This the context that we pass to next_proto_cb */
493typedef struct tlsextnextprotoctx_st {
494 unsigned char *data;
495 unsigned short len;
496 int status;
497} tlsextnextprotoctx;
498
499static tlsextnextprotoctx next_proto;
500
501static int next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg)
502 {
503 tlsextnextprotoctx *ctx = arg;
504
505 if (!c_quiet)
506 {
507 /* We can assume that |in| is syntactically valid. */
508 unsigned i;
509 BIO_printf(bio_c_out, "Protocols advertised by server: ");
510 for (i = 0; i < inlen; )
511 {
512 if (i)
513 BIO_write(bio_c_out, ", ", 2);
514 BIO_write(bio_c_out, &in[i + 1], in[i]);
515 i += in[i] + 1;
516 }
517 BIO_write(bio_c_out, "\n", 1);
518 }
519
520 ctx->status = SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len);
521 return SSL_TLSEXT_ERR_OK;
522 }
bf48836c 523# endif /* ndef OPENSSL_NO_NEXTPROTONEG */
ed3883d2
BM		 524#endif
525
85c67492
RL		 526enum
527{
528 PROTO_OFF = 0,
529 PROTO_SMTP,
530 PROTO_POP3,
531 PROTO_IMAP,
d5bbead4 532 PROTO_FTP,
640b86cb 533 PROTO_XMPP
85c67492
RL		 534};
535
667ac4ec
RE		 536int MAIN(int, char **);
537
6b691a5c 538int MAIN(int argc, char **argv)
d02b48c6 539 {
ef51b4b9 540 unsigned int off=0, clr=0;
67b6f1ca 541 SSL *con=NULL;
4f7a2ab8
DSH		 542#ifndef OPENSSL_NO_KRB5
543 KSSL_CTX *kctx;
544#endif
d02b48c6 545 int s,k,width,state=0;
135c0af1 546 char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL;
d02b48c6
RE		 547 int cbuf_len,cbuf_off;
548 int sbuf_len,sbuf_off;
549 fd_set readfds,writefds;
550 short port=PORT;
551 int full_log=1;
552 char *host=SSL_HOST_NAME;
553 char *cert_file=NULL,*key_file=NULL;
826a42a0
DSH		 554 int cert_format = FORMAT_PEM, key_format = FORMAT_PEM;
555 char *passarg = NULL, *pass = NULL;
556 X509 *cert = NULL;
557 EVP_PKEY *key = NULL;
d02b48c6
RE		 558 char *CApath=NULL,*CAfile=NULL,*cipher=NULL;
559 int reconnect=0,badop=0,verify=SSL_VERIFY_NONE,bugs=0;
1bdb8633 560 int crlf=0;
c7ac31e2 561 int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending;
d02b48c6
RE		 562 SSL_CTX *ctx=NULL;
563 int ret=1,in_init=1,i,nbio_test=0;
85c67492 564 int starttls_proto = PROTO_OFF;
db99779b
DSH		 565 int prexit = 0;
566 X509_VERIFY_PARAM *vpm = NULL;
567 int badarg = 0;
4ebb342f 568 const SSL_METHOD *meth=NULL;
b1277b99 569 int socket_type=SOCK_STREAM;
d02b48c6 570 BIO *sbio;
52b621db 571 char *inrand=NULL;
85c67492 572 int mbuf_len=0;
b972fbaa 573 struct timeval timeout, *timeoutp;
0b13e9f0 574#ifndef OPENSSL_NO_ENGINE
5270e702 575 char *engine_id=NULL;
59d2d48f 576 char *ssl_client_engine_id=NULL;
70531c14 577 ENGINE *ssl_client_engine=NULL;
0b13e9f0 578#endif
70531c14 579 ENGINE *e=NULL;
4700aea9 580#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
06f4536a 581 struct timeval tv;
4700aea9
UM		 582#if defined(OPENSSL_SYS_BEOS_R5)
583 int stdin_set = 0;
584#endif
06f4536a 585#endif
ed3883d2
BM		 586#ifndef OPENSSL_NO_TLSEXT
587 char *servername = NULL;
588 tlsextctx tlsextcbp =
589 {NULL,0};
bf48836c 590# ifndef OPENSSL_NO_NEXTPROTONEG
ee2ffc27
BL		 591 const char *next_proto_neg_in = NULL;
592# endif
ed3883d2 593#endif
6434abbf
DSH		 594 char *sess_in = NULL;
595 char *sess_out = NULL;
36d16f8e 596 struct sockaddr peer;
6c61726b 597 int peerlen = sizeof(peer);
36d16f8e 598 int enable_timeouts = 0 ;
b1277b99 599 long socket_mtu = 0;
79bd20fd 600#ifndef OPENSSL_NO_JPAKE
6caa4edd 601 char *jpake_secret = NULL;
ed551cdd 602#endif
edc032b5
BL		 603#ifndef OPENSSL_NO_SRP
604 char * srppass = NULL;
605 int srp_lateuser = 0;
606 SRP_ARG srp_arg = {NULL,NULL,0,0,0,1024};
607#endif
36d16f8e 608
cf1b7d96 609#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
d02b48c6 610 meth=SSLv23_client_method();
cf1b7d96 611#elif !defined(OPENSSL_NO_SSL3)
d02b48c6 612 meth=SSLv3_client_method();
cf1b7d96 613#elif !defined(OPENSSL_NO_SSL2)
d02b48c6
RE		 614 meth=SSLv2_client_method();
615#endif
616
617 apps_startup();
58964a49 618 c_Pause=0;
d02b48c6 619 c_quiet=0;
ce301b6b 620 c_ign_eof=0;
d02b48c6 621 c_debug=0;
a661b653 622 c_msg=0;
6d02d8e4 623 c_showcerts=0;
d02b48c6
RE		 624
625 if (bio_err == NULL)
626 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
627
3647bee2
DSH		 628 if (!load_config(bio_err, NULL))
629 goto end;
630
26a3a48d 631 if ( ((cbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
135c0af1
RL		 632 ((sbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
633 ((mbuf=OPENSSL_malloc(BUFSIZZ)) == NULL))
d02b48c6
RE		 634 {
635 BIO_printf(bio_err,"out of memory\n");
636 goto end;
637 }
638
639 verify_depth=0;
640 verify_error=X509_V_OK;
641#ifdef FIONBIO
642 c_nbio=0;
643#endif
644
645 argc--;
646 argv++;
647 while (argc >= 1)
648 {
649 if (strcmp(*argv,"-host") == 0)
650 {
651 if (--argc < 1) goto bad;
652 host= *(++argv);
653 }
654 else if (strcmp(*argv,"-port") == 0)
655 {
656 if (--argc < 1) goto bad;
657 port=atoi(*(++argv));
658 if (port == 0) goto bad;
659 }
660 else if (strcmp(*argv,"-connect") == 0)
661 {
662 if (--argc < 1) goto bad;
663 if (!extract_host_port(*(++argv),&host,NULL,&port))
664 goto bad;
665 }
666 else if (strcmp(*argv,"-verify") == 0)
667 {
668 verify=SSL_VERIFY_PEER;
669 if (--argc < 1) goto bad;
670 verify_depth=atoi(*(++argv));
671 BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
672 }
673 else if (strcmp(*argv,"-cert") == 0)
674 {
675 if (--argc < 1) goto bad;
676 cert_file= *(++argv);
677 }
6434abbf
DSH		 678 else if (strcmp(*argv,"-sess_out") == 0)
679 {
680 if (--argc < 1) goto bad;
681 sess_out = *(++argv);
682 }
683 else if (strcmp(*argv,"-sess_in") == 0)
684 {
685 if (--argc < 1) goto bad;
686 sess_in = *(++argv);
687 }
826a42a0
DSH		 688 else if (strcmp(*argv,"-certform") == 0)
689 {
690 if (--argc < 1) goto bad;
691 cert_format = str2fmt(*(++argv));
692 }
db99779b
DSH		 693 else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
694 {
695 if (badarg)
696 goto bad;
697 continue;
698 }
5d20c4fb
DSH		 699 else if (strcmp(*argv,"-verify_return_error") == 0)
700 verify_return_error = 1;
c3ed3b6e
DSH		 701 else if (strcmp(*argv,"-prexit") == 0)
702 prexit=1;
1bdb8633
BM		 703 else if (strcmp(*argv,"-crlf") == 0)
704 crlf=1;
d02b48c6 705 else if (strcmp(*argv,"-quiet") == 0)
ce301b6b 706 {
d02b48c6 707 c_quiet=1;
ce301b6b
RL		 708 c_ign_eof=1;
709 }
710 else if (strcmp(*argv,"-ign_eof") == 0)
711 c_ign_eof=1;
020d67fb
LJ		 712 else if (strcmp(*argv,"-no_ign_eof") == 0)
713 c_ign_eof=0;
d02b48c6
RE		 714 else if (strcmp(*argv,"-pause") == 0)
715 c_Pause=1;
716 else if (strcmp(*argv,"-debug") == 0)
717 c_debug=1;
6434abbf
DSH		 718#ifndef OPENSSL_NO_TLSEXT
719 else if (strcmp(*argv,"-tlsextdebug") == 0)
720 c_tlsextdebug=1;
67c8e7f4
DSH		 721 else if (strcmp(*argv,"-status") == 0)
722 c_status_req=1;
6434abbf 723#endif
02a00bb0
AP		 724#ifdef WATT32
725 else if (strcmp(*argv,"-wdebug") == 0)
726 dbug_init();
727#endif
a661b653
BM		 728 else if (strcmp(*argv,"-msg") == 0)
729 c_msg=1;
6d02d8e4
BM		 730 else if (strcmp(*argv,"-showcerts") == 0)
731 c_showcerts=1;
d02b48c6
RE		 732 else if (strcmp(*argv,"-nbio_test") == 0)
733 nbio_test=1;
734 else if (strcmp(*argv,"-state") == 0)
735 state=1;
ddac1974
NL		 736#ifndef OPENSSL_NO_PSK
737 else if (strcmp(*argv,"-psk_identity") == 0)
738 {
739 if (--argc < 1) goto bad;
740 psk_identity=*(++argv);
741 }
742 else if (strcmp(*argv,"-psk") == 0)
743 {
744 size_t j;
745
746 if (--argc < 1) goto bad;
747 psk_key=*(++argv);
748 for (j = 0; j < strlen(psk_key); j++)
749 {
750 if (isxdigit((int)psk_key[j]))
751 continue;
752 BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
753 goto bad;
754 }
755 }
756#endif
edc032b5
BL		 757#ifndef OPENSSL_NO_SRP
758 else if (strcmp(*argv,"-srpuser") == 0)
759 {
760 if (--argc < 1) goto bad;
761 srp_arg.srplogin= *(++argv);
762 meth=TLSv1_client_method();
763 }
764 else if (strcmp(*argv,"-srppass") == 0)
765 {
766 if (--argc < 1) goto bad;
767 srppass= *(++argv);
768 meth=TLSv1_client_method();
769 }
770 else if (strcmp(*argv,"-srp_strength") == 0)
771 {
772 if (--argc < 1) goto bad;
773 srp_arg.strength=atoi(*(++argv));
774 BIO_printf(bio_err,"SRP minimal length for N is %d\n",srp_arg.strength);
775 meth=TLSv1_client_method();
776 }
777 else if (strcmp(*argv,"-srp_lateuser") == 0)
778 {
779 srp_lateuser= 1;
780 meth=TLSv1_client_method();
781 }
782 else if (strcmp(*argv,"-srp_moregroups") == 0)
783 {
784 srp_arg.amp=1;
785 meth=TLSv1_client_method();
786 }
787#endif
cf1b7d96 788#ifndef OPENSSL_NO_SSL2
d02b48c6
RE		 789 else if (strcmp(*argv,"-ssl2") == 0)
790 meth=SSLv2_client_method();
791#endif
cf1b7d96 792#ifndef OPENSSL_NO_SSL3
d02b48c6
RE		 793 else if (strcmp(*argv,"-ssl3") == 0)
794 meth=SSLv3_client_method();
58964a49 795#endif
cf1b7d96 796#ifndef OPENSSL_NO_TLS1
7409d7ad
DSH		 797 else if (strcmp(*argv,"-tls1_2") == 0)
798 meth=TLSv1_2_client_method();
637f374a
DSH		 799 else if (strcmp(*argv,"-tls1_1") == 0)
800 meth=TLSv1_1_client_method();
58964a49
RE		 801 else if (strcmp(*argv,"-tls1") == 0)
802 meth=TLSv1_client_method();
36d16f8e
BL		 803#endif
804#ifndef OPENSSL_NO_DTLS1
805 else if (strcmp(*argv,"-dtls1") == 0)
806 {
807 meth=DTLSv1_client_method();
b1277b99 808 socket_type=SOCK_DGRAM;
36d16f8e
BL		 809 }
810 else if (strcmp(*argv,"-timeout") == 0)
811 enable_timeouts=1;
812 else if (strcmp(*argv,"-mtu") == 0)
813 {
814 if (--argc < 1) goto bad;
b1277b99 815 socket_mtu = atol(*(++argv));
36d16f8e 816 }
d02b48c6
RE		 817#endif
818 else if (strcmp(*argv,"-bugs") == 0)
819 bugs=1;
826a42a0
DSH		 820 else if (strcmp(*argv,"-keyform") == 0)
821 {
822 if (--argc < 1) goto bad;
823 key_format = str2fmt(*(++argv));
824 }
825 else if (strcmp(*argv,"-pass") == 0)
826 {
827 if (--argc < 1) goto bad;
828 passarg = *(++argv);
829 }
d02b48c6
RE		 830 else if (strcmp(*argv,"-key") == 0)
831 {
832 if (--argc < 1) goto bad;
833 key_file= *(++argv);
834 }
835 else if (strcmp(*argv,"-reconnect") == 0)
836 {
837 reconnect=5;
838 }
839 else if (strcmp(*argv,"-CApath") == 0)
840 {
841 if (--argc < 1) goto bad;
842 CApath= *(++argv);
843 }
844 else if (strcmp(*argv,"-CAfile") == 0)
845 {
846 if (--argc < 1) goto bad;
847 CAfile= *(++argv);
848 }
7409d7ad
DSH		 849 else if (strcmp(*argv,"-no_tls1_2") == 0)
850 off|=SSL_OP_NO_TLSv1_2;
637f374a
DSH		 851 else if (strcmp(*argv,"-no_tls1_1") == 0)
852 off|=SSL_OP_NO_TLSv1_1;
58964a49
RE		 853 else if (strcmp(*argv,"-no_tls1") == 0)
854 off|=SSL_OP_NO_TLSv1;
855 else if (strcmp(*argv,"-no_ssl3") == 0)
856 off|=SSL_OP_NO_SSLv3;
857 else if (strcmp(*argv,"-no_ssl2") == 0)
858 off|=SSL_OP_NO_SSLv2;
566dda07
DSH		 859 else if (strcmp(*argv,"-no_comp") == 0)
860 { off|=SSL_OP_NO_COMPRESSION; }
6434abbf
DSH		 861#ifndef OPENSSL_NO_TLSEXT
862 else if (strcmp(*argv,"-no_ticket") == 0)
863 { off|=SSL_OP_NO_TICKET; }
bf48836c 864# ifndef OPENSSL_NO_NEXTPROTONEG
ee2ffc27
BL		 865 else if (strcmp(*argv,"-nextprotoneg") == 0)
866 {
867 if (--argc < 1) goto bad;
868 next_proto_neg_in = *(++argv);
869 }
870# endif
6434abbf 871#endif
836f9960
LJ		 872 else if (strcmp(*argv,"-serverpref") == 0)
873 off|=SSL_OP_CIPHER_SERVER_PREFERENCE;
2942dde5
DSH		 874 else if (strcmp(*argv,"-legacy_renegotiation") == 0)
875 off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
ef51b4b9
DSH		 876 else if (strcmp(*argv,"-legacy_server_connect") == 0)
877 { off|=SSL_OP_LEGACY_SERVER_CONNECT; }
878 else if (strcmp(*argv,"-no_legacy_server_connect") == 0)
879 { clr|=SSL_OP_LEGACY_SERVER_CONNECT; }
d02b48c6
RE		 880 else if (strcmp(*argv,"-cipher") == 0)
881 {
882 if (--argc < 1) goto bad;
883 cipher= *(++argv);
884 }
885#ifdef FIONBIO
886 else if (strcmp(*argv,"-nbio") == 0)
887 { c_nbio=1; }
888#endif
135c0af1
RL		 889 else if (strcmp(*argv,"-starttls") == 0)
890 {
891 if (--argc < 1) goto bad;
892 ++argv;
893 if (strcmp(*argv,"smtp") == 0)
85c67492 894 starttls_proto = PROTO_SMTP;
4f17dfcd 895 else if (strcmp(*argv,"pop3") == 0)
85c67492
RL		 896 starttls_proto = PROTO_POP3;
897 else if (strcmp(*argv,"imap") == 0)
898 starttls_proto = PROTO_IMAP;
899 else if (strcmp(*argv,"ftp") == 0)
900 starttls_proto = PROTO_FTP;
d5bbead4
BL		 901 else if (strcmp(*argv, "xmpp") == 0)
902 starttls_proto = PROTO_XMPP;
135c0af1
RL		 903 else
904 goto bad;
905 }
0b13e9f0 906#ifndef OPENSSL_NO_ENGINE
5270e702
RL		 907 else if (strcmp(*argv,"-engine") == 0)
908 {
909 if (--argc < 1) goto bad;
910 engine_id = *(++argv);
911 }
59d2d48f
DSH		 912 else if (strcmp(*argv,"-ssl_client_engine") == 0)
913 {
914 if (--argc < 1) goto bad;
915 ssl_client_engine_id = *(++argv);
916 }
0b13e9f0 917#endif
52b621db
LJ		 918 else if (strcmp(*argv,"-rand") == 0)
919 {
920 if (--argc < 1) goto bad;
921 inrand= *(++argv);
922 }
ed3883d2
BM		 923#ifndef OPENSSL_NO_TLSEXT
924 else if (strcmp(*argv,"-servername") == 0)
925 {
926 if (--argc < 1) goto bad;
927 servername= *(++argv);
928 /* meth=TLSv1_client_method(); */
929 }
930#endif
79bd20fd 931#ifndef OPENSSL_NO_JPAKE
6caa4edd
BL		 932 else if (strcmp(*argv,"-jpake") == 0)
933 {
934 if (--argc < 1) goto bad;
935 jpake_secret = *++argv;
936 }
ed551cdd 937#endif
d02b48c6
RE		 938 else
939 {
940 BIO_printf(bio_err,"unknown option %s\n",*argv);
941 badop=1;
942 break;
943 }
944 argc--;
945 argv++;
946 }
947 if (badop)
948 {
949bad:
950 sc_usage();
951 goto end;
952 }
953
79bd20fd 954#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
f3b7bdad
BL		 955 if (jpake_secret)
956 {
957 if (psk_key)
958 {
959 BIO_printf(bio_err,
960 "Can't use JPAKE and PSK together\n");
961 goto end;
962 }
963 psk_identity = "JPAKE";
964 }
965
966 if (cipher)
967 {
968 BIO_printf(bio_err, "JPAKE sets cipher to PSK\n");
969 goto end;
970 }
971 cipher = "PSK";
972#endif
973
cead7f36
RL		 974 OpenSSL_add_ssl_algorithms();
975 SSL_load_error_strings();
976
bf48836c 977#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
ee2ffc27
BL		 978 next_proto.status = -1;
979 if (next_proto_neg_in)
980 {
981 next_proto.data = next_protos_parse(&next_proto.len, next_proto_neg_in);
982 if (next_proto.data == NULL)
983 {
984 BIO_printf(bio_err, "Error parsing -nextprotoneg argument\n");
985 goto end;
986 }
987 }
988 else
989 next_proto.data = NULL;
990#endif
991
0b13e9f0 992#ifndef OPENSSL_NO_ENGINE
cead7f36 993 e = setup_engine(bio_err, engine_id, 1);
59d2d48f
DSH		 994 if (ssl_client_engine_id)
995 {
996 ssl_client_engine = ENGINE_by_id(ssl_client_engine_id);
997 if (!ssl_client_engine)
998 {
999 BIO_printf(bio_err,
1000 "Error getting client auth engine\n");
1001 goto end;
1002 }
1003 }
1004
0b13e9f0 1005#endif
826a42a0
DSH		 1006 if (!app_passwd(bio_err, passarg, NULL, &pass, NULL))
1007 {
1008 BIO_printf(bio_err, "Error getting password\n");
1009 goto end;
1010 }
1011
1012 if (key_file == NULL)
1013 key_file = cert_file;
1014
abbc186b
DSH		 1015
1016 if (key_file)
1017
826a42a0 1018 {
abbc186b
DSH		 1019
1020 key = load_key(bio_err, key_file, key_format, 0, pass, e,
1021 "client certificate private key file");
1022 if (!key)
1023 {
1024 ERR_print_errors(bio_err);
1025 goto end;
1026 }
1027
826a42a0
DSH		 1028 }
1029
abbc186b 1030 if (cert_file)
826a42a0 1031
826a42a0 1032 {
abbc186b
DSH		 1033 cert = load_cert(bio_err,cert_file,cert_format,
1034 NULL, e, "client certificate file");
1035
1036 if (!cert)
1037 {
1038 ERR_print_errors(bio_err);
1039 goto end;
1040 }
826a42a0 1041 }
cead7f36 1042
52b621db
LJ		 1043 if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
1044 && !RAND_status())
1045 {
1046 BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
1047 }
1048 if (inrand != NULL)
1049 BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
1050 app_RAND_load_files(inrand));
a31011e8 1051
d02b48c6
RE		 1052 if (bio_c_out == NULL)
1053 {
a661b653 1054 if (c_quiet && !c_debug && !c_msg)
d02b48c6
RE		 1055 {
1056 bio_c_out=BIO_new(BIO_s_null());
1057 }
1058 else
1059 {
1060 if (bio_c_out == NULL)
1061 bio_c_out=BIO_new_fp(stdout,BIO_NOCLOSE);
1062 }
1063 }
1064
edc032b5
BL		 1065#ifndef OPENSSL_NO_SRP
1066 if(!app_passwd(bio_err, srppass, NULL, &srp_arg.srppassin, NULL))
1067 {
1068 BIO_printf(bio_err, "Error getting password\n");
1069 goto end;
1070 }
1071#endif
1072
d02b48c6
RE		 1073 ctx=SSL_CTX_new(meth);
1074 if (ctx == NULL)
1075 {
1076 ERR_print_errors(bio_err);
1077 goto end;
1078 }
1079
db99779b
DSH		 1080 if (vpm)
1081 SSL_CTX_set1_param(ctx, vpm);
1082
59d2d48f
DSH		 1083#ifndef OPENSSL_NO_ENGINE
1084 if (ssl_client_engine)
1085 {
1086 if (!SSL_CTX_set_client_cert_engine(ctx, ssl_client_engine))
1087 {
1088 BIO_puts(bio_err, "Error setting client auth engine\n");
1089 ERR_print_errors(bio_err);
1090 ENGINE_free(ssl_client_engine);
1091 goto end;
1092 }
1093 ENGINE_free(ssl_client_engine);
1094 }
1095#endif
1096
ddac1974 1097#ifndef OPENSSL_NO_PSK
79bd20fd
DSH		 1098#ifdef OPENSSL_NO_JPAKE
1099 if (psk_key != NULL)
1100#else
f3b7bdad 1101 if (psk_key != NULL || jpake_secret)
79bd20fd 1102#endif
ddac1974
NL		 1103 {
1104 if (c_debug)
f3b7bdad 1105 BIO_printf(bio_c_out, "PSK key given or JPAKE in use, setting client callback\n");
ddac1974
NL		 1106 SSL_CTX_set_psk_client_callback(ctx, psk_client_cb);
1107 }
1108#endif
58964a49
RE		 1109 if (bugs)
1110 SSL_CTX_set_options(ctx,SSL_OP_ALL|off);
1111 else
1112 SSL_CTX_set_options(ctx,off);
ef51b4b9
DSH		 1113
1114 if (clr)
1115 SSL_CTX_clear_options(ctx, clr);
36d16f8e
BL		 1116 /* DTLS: partial reads end up discarding unread UDP bytes :-(
1117 * Setting read ahead solves this problem.
1118 */
b1277b99 1119 if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
d02b48c6 1120
bf48836c 1121#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
ee2ffc27
BL		 1122 if (next_proto.data)
1123 SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);
1124#endif
1125
d02b48c6
RE		 1126 if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
1127 if (cipher != NULL)
fabce041 1128 if(!SSL_CTX_set_cipher_list(ctx,cipher)) {
657e60fa 1129 BIO_printf(bio_err,"error setting cipher list\n");
fabce041
DSH		 1130 ERR_print_errors(bio_err);
1131 goto end;
1132 }
d02b48c6
RE		 1133#if 0
1134 else
1135 SSL_CTX_set_cipher_list(ctx,getenv("SSL_CIPHER"));
1136#endif
1137
1138 SSL_CTX_set_verify(ctx,verify,verify_callback);
826a42a0 1139 if (!set_cert_key_stuff(ctx,cert,key))
d02b48c6
RE		 1140 goto end;
1141
1142 if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
1143 (!SSL_CTX_set_default_verify_paths(ctx)))
1144 {
657e60fa 1145 /* BIO_printf(bio_err,"error setting default verify locations\n"); */
d02b48c6 1146 ERR_print_errors(bio_err);
58964a49 1147 /* goto end; */
d02b48c6
RE		 1148 }
1149
ed3883d2 1150#ifndef OPENSSL_NO_TLSEXT
b1277b99
BM		 1151 if (servername != NULL)
1152 {
ed3883d2
BM		 1153 tlsextcbp.biodebug = bio_err;
1154 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
1155 SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
b1277b99 1156 }
edc032b5
BL		 1157#ifndef OPENSSL_NO_SRP
1158 if (srp_arg.srplogin)
1159 {
1160 if (srp_lateuser)
1161 SSL_CTX_set_srp_missing_srp_username_callback(ctx,missing_srp_username_callback);
1162 else if (!SSL_CTX_set_srp_username(ctx, srp_arg.srplogin))
1163 {
1164 BIO_printf(bio_err,"Unable to set SRP username\n");
1165 goto end;
1166 }
1167 srp_arg.msg = c_msg;
1168 srp_arg.debug = c_debug ;
1169 SSL_CTX_set_srp_cb_arg(ctx,&srp_arg);
1170 SSL_CTX_set_srp_client_pwd_callback(ctx, ssl_give_srp_client_pwd_cb);
1171 SSL_CTX_set_srp_strength(ctx, srp_arg.strength);
1172 if (c_msg || c_debug || srp_arg.amp == 0)
1173 SSL_CTX_set_srp_verify_param_callback(ctx, ssl_srp_verify_param_cb);
1174 }
1175
1176#endif
ed3883d2 1177#endif
d02b48c6 1178
82fc1d9c 1179 con=SSL_new(ctx);
6434abbf
DSH		 1180 if (sess_in)
1181 {
1182 SSL_SESSION *sess;
1183 BIO *stmp = BIO_new_file(sess_in, "r");
1184 if (!stmp)
1185 {
1186 BIO_printf(bio_err, "Can't open session file %s\n",
1187 sess_in);
1188 ERR_print_errors(bio_err);
1189 goto end;
1190 }
1191 sess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL);
1192 BIO_free(stmp);
1193 if (!sess)
1194 {
1195 BIO_printf(bio_err, "Can't open session file %s\n",
1196 sess_in);
1197 ERR_print_errors(bio_err);
1198 goto end;
1199 }
1200 SSL_set_session(con, sess);
1201 SSL_SESSION_free(sess);
1202 }
ed3883d2 1203#ifndef OPENSSL_NO_TLSEXT
b1277b99
BM		 1204 if (servername != NULL)
1205 {
a13c20f6 1206 if (!SSL_set_tlsext_host_name(con,servername))
b1277b99 1207 {
ed3883d2
BM		 1208 BIO_printf(bio_err,"Unable to set TLS servername extension.\n");
1209 ERR_print_errors(bio_err);
1210 goto end;
b1277b99 1211 }
ed3883d2 1212 }
ed3883d2 1213#endif
cf1b7d96 1214#ifndef OPENSSL_NO_KRB5
4f7a2ab8 1215 if (con && (kctx = kssl_ctx_new()) != NULL)
f9b3bff6 1216 {
4f7a2ab8
DSH		 1217 SSL_set0_kssl_ctx(con, kctx);
1218 kssl_ctx_setstring(kctx, KSSL_SERVER, host);
f9b3bff6 1219 }
cf1b7d96 1220#endif /* OPENSSL_NO_KRB5 */
58964a49 1221/* SSL_set_cipher_list(con,"RC4-MD5"); */
761772d7
BM		 1222#if 0
1223#ifdef TLSEXT_TYPE_opaque_prf_input
86d4bc3a 1224 SSL_set_tlsext_opaque_prf_input(con, "Test client", 11);
761772d7
BM		 1225#endif
1226#endif
d02b48c6
RE		 1227
1228re_start:
1229
b1277b99 1230 if (init_client(&s,host,port,socket_type) == 0)
d02b48c6 1231 {
58964a49 1232 BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
d02b48c6
RE		 1233 SHUTDOWN(s);
1234 goto end;
1235 }
1236 BIO_printf(bio_c_out,"CONNECTED(%08X)\n",s);
1237
1238#ifdef FIONBIO
1239 if (c_nbio)
1240 {
1241 unsigned long l=1;
1242 BIO_printf(bio_c_out,"turning on non blocking io\n");
58964a49
RE		 1243 if (BIO_socket_ioctl(s,FIONBIO,&l) < 0)
1244 {
1245 ERR_print_errors(bio_err);
1246 goto end;
1247 }
d02b48c6
RE		 1248 }
1249#endif
08557cf2 1250 if (c_Pause & 0x01) SSL_set_debug(con, 1);
36d16f8e
BL		 1251
1252 if ( SSL_version(con) == DTLS1_VERSION)
1253 {
36d16f8e
BL		 1254
1255 sbio=BIO_new_dgram(s,BIO_NOCLOSE);
6c61726b 1256 if (getsockname(s, &peer, (void *)&peerlen) < 0)
36d16f8e
BL		 1257 {
1258 BIO_printf(bio_err, "getsockname:errno=%d\n",
1259 get_last_socket_error());
1260 SHUTDOWN(s);
1261 goto end;
1262 }
1263
710069c1 1264 (void)BIO_ctrl_set_connected(sbio, 1, &peer);
36d16f8e 1265
b1277b99 1266 if (enable_timeouts)
36d16f8e
BL		 1267 {
1268 timeout.tv_sec = 0;
1269 timeout.tv_usec = DGRAM_RCV_TIMEOUT;
1270 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
1271
1272 timeout.tv_sec = 0;
1273 timeout.tv_usec = DGRAM_SND_TIMEOUT;
1274 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
1275 }
1276
046f2101 1277 if (socket_mtu > 28)
36d16f8e
BL		 1278 {
1279 SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
046f2101 1280 SSL_set_mtu(con, socket_mtu - 28);
36d16f8e
BL		 1281 }
1282 else
1283 /* want to do MTU discovery */
1284 BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
1285 }
1286 else
1287 sbio=BIO_new_socket(s,BIO_NOCLOSE);
1288
d02b48c6
RE		 1289 if (nbio_test)
1290 {
1291 BIO *test;
1292
1293 test=BIO_new(BIO_f_nbio_test());
1294 sbio=BIO_push(test,sbio);
1295 }
1296
1297 if (c_debug)
1298 {
08557cf2 1299 SSL_set_debug(con, 1);
25495640 1300 BIO_set_callback(sbio,bio_dump_callback);
7806f3dd 1301 BIO_set_callback_arg(sbio,(char *)bio_c_out);
d02b48c6 1302 }
a661b653
BM		 1303 if (c_msg)
1304 {
1305 SSL_set_msg_callback(con, msg_cb);
1306 SSL_set_msg_callback_arg(con, bio_c_out);
1307 }
6434abbf
DSH		 1308#ifndef OPENSSL_NO_TLSEXT
1309 if (c_tlsextdebug)
1310 {
1311 SSL_set_tlsext_debug_callback(con, tlsext_cb);
1312 SSL_set_tlsext_debug_arg(con, bio_c_out);
1313 }
67c8e7f4
DSH		 1314 if (c_status_req)
1315 {
1316 SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp);
1317 SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb);
1318 SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out);
1319#if 0
1320{
1321STACK_OF(OCSP_RESPID) *ids = sk_OCSP_RESPID_new_null();
1322OCSP_RESPID *id = OCSP_RESPID_new();
1323id->value.byKey = ASN1_OCTET_STRING_new();
1324id->type = V_OCSP_RESPID_KEY;
1325ASN1_STRING_set(id->value.byKey, "Hello World", -1);
1326sk_OCSP_RESPID_push(ids, id);
1327SSL_set_tlsext_status_ids(con, ids);
1328}
1329#endif
1330 }
6434abbf 1331#endif
79bd20fd 1332#ifndef OPENSSL_NO_JPAKE
6caa4edd
BL		 1333 if (jpake_secret)
1334 jpake_client_auth(bio_c_out, sbio, jpake_secret);
ed551cdd 1335#endif
6caa4edd 1336
d02b48c6
RE		 1337 SSL_set_bio(con,sbio,sbio);
1338 SSL_set_connect_state(con);
1339
1340 /* ok, lets connect */
1341 width=SSL_get_fd(con)+1;
1342
1343 read_tty=1;
1344 write_tty=0;
1345 tty_on=0;
1346 read_ssl=1;
1347 write_ssl=1;
1348
1349 cbuf_len=0;
1350 cbuf_off=0;
1351 sbuf_len=0;
1352 sbuf_off=0;
1353
135c0af1 1354 /* This is an ugly hack that does a lot of assumptions */
ee373e7f
LJ		 1355 /* We do have to handle multi-line responses which may come
1356 in a single packet or not. We therefore have to use
1357 BIO_gets() which does need a buffering BIO. So during
1358 the initial chitchat we do push a buffering BIO into the
1359 chain that is removed again later on to not disturb the
1360 rest of the s_client operation. */
85c67492 1361 if (starttls_proto == PROTO_SMTP)
135c0af1 1362 {
8d72476e 1363 int foundit=0;
ee373e7f
LJ		 1364 BIO *fbio = BIO_new(BIO_f_buffer());
1365 BIO_push(fbio, sbio);
85c67492
RL		 1366 /* wait for multi-line response to end from SMTP */
1367 do
1368 {
ee373e7f 1369 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
85c67492
RL		 1370 }
1371 while (mbuf_len>3 && mbuf[3]=='-');
8d72476e 1372 /* STARTTLS command requires EHLO... */
ee373e7f 1373 BIO_printf(fbio,"EHLO openssl.client.net\r\n");
710069c1 1374 (void)BIO_flush(fbio);
8d72476e
LJ		 1375 /* wait for multi-line response to end EHLO SMTP response */
1376 do
1377 {
ee373e7f 1378 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
8d72476e
LJ		 1379 if (strstr(mbuf,"STARTTLS"))
1380 foundit=1;
1381 }
1382 while (mbuf_len>3 && mbuf[3]=='-');
710069c1 1383 (void)BIO_flush(fbio);
ee373e7f
LJ		 1384 BIO_pop(fbio);
1385 BIO_free(fbio);
8d72476e
LJ		 1386 if (!foundit)
1387 BIO_printf(bio_err,
1388 "didn't found starttls in server response,"
1389 " try anyway...\n");
135c0af1
RL		 1390 BIO_printf(sbio,"STARTTLS\r\n");
1391 BIO_read(sbio,sbuf,BUFSIZZ);
1392 }
85c67492 1393 else if (starttls_proto == PROTO_POP3)
4f17dfcd
LJ		 1394 {
1395 BIO_read(sbio,mbuf,BUFSIZZ);
1396 BIO_printf(sbio,"STLS\r\n");
1397 BIO_read(sbio,sbuf,BUFSIZZ);
1398 }
85c67492
RL		 1399 else if (starttls_proto == PROTO_IMAP)
1400 {
8d72476e 1401 int foundit=0;
ee373e7f
LJ		 1402 BIO *fbio = BIO_new(BIO_f_buffer());
1403 BIO_push(fbio, sbio);
1404 BIO_gets(fbio,mbuf,BUFSIZZ);
8d72476e 1405 /* STARTTLS command requires CAPABILITY... */
ee373e7f 1406 BIO_printf(fbio,". CAPABILITY\r\n");
710069c1 1407 (void)BIO_flush(fbio);
8d72476e
LJ		 1408 /* wait for multi-line CAPABILITY response */
1409 do
1410 {
ee373e7f 1411 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
8d72476e
LJ		 1412 if (strstr(mbuf,"STARTTLS"))
1413 foundit=1;
1414 }
ee373e7f 1415 while (mbuf_len>3 && mbuf[0]!='.');
710069c1 1416 (void)BIO_flush(fbio);
ee373e7f
LJ		 1417 BIO_pop(fbio);
1418 BIO_free(fbio);
8d72476e
LJ		 1419 if (!foundit)
1420 BIO_printf(bio_err,
1421 "didn't found STARTTLS in server response,"
1422 " try anyway...\n");
1423 BIO_printf(sbio,". STARTTLS\r\n");
85c67492
RL		 1424 BIO_read(sbio,sbuf,BUFSIZZ);
1425 }
1426 else if (starttls_proto == PROTO_FTP)
1427 {
ee373e7f
LJ		 1428 BIO *fbio = BIO_new(BIO_f_buffer());
1429 BIO_push(fbio, sbio);
85c67492
RL		 1430 /* wait for multi-line response to end from FTP */
1431 do
1432 {
ee373e7f 1433 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
85c67492
RL		 1434 }
1435 while (mbuf_len>3 && mbuf[3]=='-');
710069c1 1436 (void)BIO_flush(fbio);
ee373e7f
LJ		 1437 BIO_pop(fbio);
1438 BIO_free(fbio);
85c67492
RL		 1439 BIO_printf(sbio,"AUTH TLS\r\n");
1440 BIO_read(sbio,sbuf,BUFSIZZ);
1441 }
d5bbead4
BL		 1442 if (starttls_proto == PROTO_XMPP)
1443 {
1444 int seen = 0;
1445 BIO_printf(sbio,"<stream:stream "
1446 "xmlns:stream='http://etherx.jabber.org/streams' "
1447 "xmlns='jabber:client' to='%s' version='1.0'>", host);
1448 seen = BIO_read(sbio,mbuf,BUFSIZZ);
1449 mbuf[seen] = 0;
1450 while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'"))
1451 {
1452 if (strstr(mbuf, "/stream:features>"))
1453 goto shut;
1454 seen = BIO_read(sbio,mbuf,BUFSIZZ);
1455 mbuf[seen] = 0;
1456 }
1457 BIO_printf(sbio, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>");
1458 seen = BIO_read(sbio,sbuf,BUFSIZZ);
1459 sbuf[seen] = 0;
1460 if (!strstr(sbuf, "<proceed"))
1461 goto shut;
1462 mbuf[0] = 0;
1463 }
135c0af1 1464
d02b48c6
RE		 1465 for (;;)
1466 {
1467 FD_ZERO(&readfds);
1468 FD_ZERO(&writefds);
1469
b972fbaa
DSH		 1470 if ((SSL_version(con) == DTLS1_VERSION) &&
1471 DTLSv1_get_timeout(con, &timeout))
1472 timeoutp = &timeout;
1473 else
1474 timeoutp = NULL;
1475
58964a49 1476 if (SSL_in_init(con) && !SSL_total_renegotiations(con))
d02b48c6
RE		 1477 {
1478 in_init=1;
1479 tty_on=0;
1480 }
1481 else
1482 {
1483 tty_on=1;
1484 if (in_init)
1485 {
1486 in_init=0;
761772d7 1487#if 0 /* This test doesn't really work as intended (needs to be fixed) */
ed3883d2 1488#ifndef OPENSSL_NO_TLSEXT
b166f13e
BM		 1489 if (servername != NULL && !SSL_session_reused(con))
1490 {
1491 BIO_printf(bio_c_out,"Server did %sacknowledge servername extension.\n",tlsextcbp.ack?"":"not ");
1492 }
761772d7 1493#endif
ed3883d2 1494#endif
6434abbf
DSH		 1495 if (sess_out)
1496 {
1497 BIO *stmp = BIO_new_file(sess_out, "w");
1498 if (stmp)
1499 {
1500 PEM_write_bio_SSL_SESSION(stmp, SSL_get_session(con));
1501 BIO_free(stmp);
1502 }
1503 else
1504 BIO_printf(bio_err, "Error writing session file %s\n", sess_out);
1505 }
d02b48c6
RE		 1506 print_stuff(bio_c_out,con,full_log);
1507 if (full_log > 0) full_log--;
1508
4f17dfcd 1509 if (starttls_proto)
135c0af1
RL		 1510 {
1511 BIO_printf(bio_err,"%s",mbuf);
1512 /* We don't need to know any more */
85c67492 1513 starttls_proto = PROTO_OFF;
135c0af1
RL		 1514 }
1515
d02b48c6
RE		 1516 if (reconnect)
1517 {
1518 reconnect--;
1519 BIO_printf(bio_c_out,"drop connection and then reconnect\n");
1520 SSL_shutdown(con);
1521 SSL_set_connect_state(con);
1522 SHUTDOWN(SSL_get_fd(con));
1523 goto re_start;
1524 }
1525 }
1526 }
1527
c7ac31e2
BM		 1528 ssl_pending = read_ssl && SSL_pending(con);
1529
1530 if (!ssl_pending)
d02b48c6 1531 {
4700aea9 1532#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) && !defined (OPENSSL_SYS_BEOS_R5)
c7ac31e2
BM		 1533 if (tty_on)
1534 {
7bf7333d
DSH		 1535 if (read_tty) openssl_fdset(fileno(stdin),&readfds);
1536 if (write_tty) openssl_fdset(fileno(stdout),&writefds);
c7ac31e2 1537 }
c7ac31e2 1538 if (read_ssl)
7bf7333d 1539 openssl_fdset(SSL_get_fd(con),&readfds);
c7ac31e2 1540 if (write_ssl)
7bf7333d 1541 openssl_fdset(SSL_get_fd(con),&writefds);
06f4536a
DSH		 1542#else
1543 if(!tty_on || !write_tty) {
1544 if (read_ssl)
7bf7333d 1545 openssl_fdset(SSL_get_fd(con),&readfds);
06f4536a 1546 if (write_ssl)
7bf7333d 1547 openssl_fdset(SSL_get_fd(con),&writefds);
06f4536a
DSH		 1548 }
1549#endif
c7ac31e2
BM		 1550/* printf("mode tty(%d %d%d) ssl(%d%d)\n",
1551 tty_on,read_tty,write_tty,read_ssl,write_ssl);*/
d02b48c6 1552
75e0770d 1553 /* Note: under VMS with SOCKETSHR the second parameter
7d7d2cbc
UM		 1554 * is currently of type (int *) whereas under other
1555 * systems it is (void *) if you don't have a cast it
1556 * will choke the compiler: if you do have a cast then
1557 * you can either go for (int *) or (void *).
1558 */
3d7c4a5a
RL		 1559#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
1560 /* Under Windows/DOS we make the assumption that we can
06f4536a
DSH		 1561 * always write to the tty: therefore if we need to
1562 * write to the tty we just fall through. Otherwise
1563 * we timeout the select every second and see if there
1564 * are any keypresses. Note: this is a hack, in a proper
1565 * Windows application we wouldn't do this.
1566 */
4ec19e20 1567 i=0;
06f4536a
DSH		 1568 if(!write_tty) {
1569 if(read_tty) {
1570 tv.tv_sec = 1;
1571 tv.tv_usec = 0;
1572 i=select(width,(void *)&readfds,(void *)&writefds,
1573 NULL,&tv);
3d7c4a5a 1574#if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
0bf23d9b
RL		 1575 if(!i && (!_kbhit() || !read_tty) ) continue;
1576#else
a9ef75c5 1577 if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue;
0bf23d9b 1578#endif
06f4536a 1579 } else i=select(width,(void *)&readfds,(void *)&writefds,
b972fbaa 1580 NULL,timeoutp);
06f4536a 1581 }
47c1735a
RL		 1582#elif defined(OPENSSL_SYS_NETWARE)
1583 if(!write_tty) {
1584 if(read_tty) {
1585 tv.tv_sec = 1;
1586 tv.tv_usec = 0;
1587 i=select(width,(void *)&readfds,(void *)&writefds,
1588 NULL,&tv);
1589 } else i=select(width,(void *)&readfds,(void *)&writefds,
b972fbaa 1590 NULL,timeoutp);
47c1735a 1591 }
4700aea9
UM		 1592#elif defined(OPENSSL_SYS_BEOS_R5)
1593 /* Under BeOS-R5 the situation is similar to DOS */
1594 i=0;
1595 stdin_set = 0;
1596 (void)fcntl(fileno(stdin), F_SETFL, O_NONBLOCK);
1597 if(!write_tty) {
1598 if(read_tty) {
1599 tv.tv_sec = 1;
1600 tv.tv_usec = 0;
1601 i=select(width,(void *)&readfds,(void *)&writefds,
1602 NULL,&tv);
1603 if (read(fileno(stdin), sbuf, 0) >= 0)
1604 stdin_set = 1;
1605 if (!i && (stdin_set != 1 || !read_tty))
1606 continue;
1607 } else i=select(width,(void *)&readfds,(void *)&writefds,
b972fbaa 1608 NULL,timeoutp);
4700aea9
UM		 1609 }
1610 (void)fcntl(fileno(stdin), F_SETFL, 0);
06f4536a 1611#else
7d7d2cbc 1612 i=select(width,(void *)&readfds,(void *)&writefds,
b972fbaa 1613 NULL,timeoutp);
06f4536a 1614#endif
c7ac31e2
BM		 1615 if ( i < 0)
1616 {
1617 BIO_printf(bio_err,"bad select %d\n",
58964a49 1618 get_last_socket_error());
c7ac31e2
BM		 1619 goto shut;
1620 /* goto end; */
1621 }
d02b48c6
RE		 1622 }
1623
b972fbaa
DSH		 1624 if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0)
1625 {
1626 BIO_printf(bio_err,"TIMEOUT occured\n");
1627 }
1628
c7ac31e2 1629 if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds))
d02b48c6
RE		 1630 {
1631 k=SSL_write(con,&(cbuf[cbuf_off]),
1632 (unsigned int)cbuf_len);
1633 switch (SSL_get_error(con,k))
1634 {
1635 case SSL_ERROR_NONE:
1636 cbuf_off+=k;
1637 cbuf_len-=k;
1638 if (k <= 0) goto end;
1639 /* we have done a write(con,NULL,0); */
1640 if (cbuf_len <= 0)
1641 {
1642 read_tty=1;
1643 write_ssl=0;
1644 }
1645 else /* if (cbuf_len > 0) */
1646 {
1647 read_tty=0;
1648 write_ssl=1;
1649 }
1650 break;
1651 case SSL_ERROR_WANT_WRITE:
1652 BIO_printf(bio_c_out,"write W BLOCK\n");
1653 write_ssl=1;
1654 read_tty=0;
1655 break;
1656 case SSL_ERROR_WANT_READ:
1657 BIO_printf(bio_c_out,"write R BLOCK\n");
1658 write_tty=0;
1659 read_ssl=1;
1660 write_ssl=0;
1661 break;
1662 case SSL_ERROR_WANT_X509_LOOKUP:
1663 BIO_printf(bio_c_out,"write X BLOCK\n");
1664 break;
1665 case SSL_ERROR_ZERO_RETURN:
1666 if (cbuf_len != 0)
1667 {
1668 BIO_printf(bio_c_out,"shutdown\n");
0e1dba93 1669 ret = 0;
d02b48c6
RE		 1670 goto shut;
1671 }
1672 else
1673 {
1674 read_tty=1;
1675 write_ssl=0;
1676 break;
1677 }
1678
1679 case SSL_ERROR_SYSCALL:
1680 if ((k != 0) || (cbuf_len != 0))
1681 {
1682 BIO_printf(bio_err,"write:errno=%d\n",
58964a49 1683 get_last_socket_error());
d02b48c6
RE		 1684 goto shut;
1685 }
1686 else
1687 {
1688 read_tty=1;
1689 write_ssl=0;
1690 }
1691 break;
1692 case SSL_ERROR_SSL:
1693 ERR_print_errors(bio_err);
1694 goto shut;
1695 }
1696 }
4700aea9
UM		 1697#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
1698 /* Assume Windows/DOS/BeOS can always write */
06f4536a
DSH		 1699 else if (!ssl_pending && write_tty)
1700#else
c7ac31e2 1701 else if (!ssl_pending && FD_ISSET(fileno(stdout),&writefds))
06f4536a 1702#endif
d02b48c6 1703 {
a53955d8
UM		 1704#ifdef CHARSET_EBCDIC
1705 ascii2ebcdic(&(sbuf[sbuf_off]),&(sbuf[sbuf_off]),sbuf_len);
1706#endif
ffa10187 1707 i=raw_write_stdout(&(sbuf[sbuf_off]),sbuf_len);
d02b48c6
RE		 1708
1709 if (i <= 0)
1710 {
1711 BIO_printf(bio_c_out,"DONE\n");
0e1dba93 1712 ret = 0;
d02b48c6
RE		 1713 goto shut;
1714 /* goto end; */
1715 }
1716
1717 sbuf_len-=i;;
1718 sbuf_off+=i;
1719 if (sbuf_len <= 0)
1720 {
1721 read_ssl=1;
1722 write_tty=0;
1723 }
1724 }
c7ac31e2 1725 else if (ssl_pending || FD_ISSET(SSL_get_fd(con),&readfds))
d02b48c6 1726 {
58964a49
RE		 1727#ifdef RENEG
1728{ static int iiii; if (++iiii == 52) { SSL_renegotiate(con); iiii=0; } }
1729#endif
dfeab068 1730#if 1
58964a49 1731 k=SSL_read(con,sbuf,1024 /* BUFSIZZ */ );
dfeab068
RE		 1732#else
1733/* Demo for pending and peek :-) */
1734 k=SSL_read(con,sbuf,16);
1735{ char zbuf[10240];
1736printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240));
1737}
1738#endif
d02b48c6
RE		 1739
1740 switch (SSL_get_error(con,k))
1741 {
1742 case SSL_ERROR_NONE:
1743 if (k <= 0)
1744 goto end;
1745 sbuf_off=0;
1746 sbuf_len=k;
1747
1748 read_ssl=0;
1749 write_tty=1;
1750 break;
1751 case SSL_ERROR_WANT_WRITE:
1752 BIO_printf(bio_c_out,"read W BLOCK\n");
1753 write_ssl=1;
1754 read_tty=0;
1755 break;
1756 case SSL_ERROR_WANT_READ:
1757 BIO_printf(bio_c_out,"read R BLOCK\n");
1758 write_tty=0;
1759 read_ssl=1;
1760 if ((read_tty == 0) && (write_ssl == 0))
1761 write_ssl=1;
1762 break;
1763 case SSL_ERROR_WANT_X509_LOOKUP:
1764 BIO_printf(bio_c_out,"read X BLOCK\n");
1765 break;
1766 case SSL_ERROR_SYSCALL:
0e1dba93
DSH		 1767 ret=get_last_socket_error();
1768 BIO_printf(bio_err,"read:errno=%d\n",ret);
d02b48c6
RE		 1769 goto shut;
1770 case SSL_ERROR_ZERO_RETURN:
1771 BIO_printf(bio_c_out,"closed\n");
0e1dba93 1772 ret=0;
d02b48c6
RE		 1773 goto shut;
1774 case SSL_ERROR_SSL:
1775 ERR_print_errors(bio_err);
1776 goto shut;
dfeab068 1777 /* break; */
d02b48c6
RE		 1778 }
1779 }
1780
3d7c4a5a
RL		 1781#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
1782#if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
0bf23d9b
RL		 1783 else if (_kbhit())
1784#else
a9ef75c5 1785 else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
0bf23d9b 1786#endif
4d8743f4 1787#elif defined (OPENSSL_SYS_NETWARE)
ffa10187 1788 else if (_kbhit())
4700aea9
UM		 1789#elif defined(OPENSSL_SYS_BEOS_R5)
1790 else if (stdin_set)
06f4536a 1791#else
d02b48c6 1792 else if (FD_ISSET(fileno(stdin),&readfds))
06f4536a 1793#endif
d02b48c6 1794 {
1bdb8633
BM		 1795 if (crlf)
1796 {
1797 int j, lf_num;
1798
ffa10187 1799 i=raw_read_stdin(cbuf,BUFSIZZ/2);
1bdb8633
BM		 1800 lf_num = 0;
1801 /* both loops are skipped when i <= 0 */
1802 for (j = 0; j < i; j++)
1803 if (cbuf[j] == '\n')
1804 lf_num++;
1805 for (j = i-1; j >= 0; j--)
1806 {
1807 cbuf[j+lf_num] = cbuf[j];
1808 if (cbuf[j] == '\n')
1809 {
1810 lf_num--;
1811 i++;
1812 cbuf[j+lf_num] = '\r';
1813 }
1814 }
1815 assert(lf_num == 0);
1816 }
1817 else
ffa10187 1818 i=raw_read_stdin(cbuf,BUFSIZZ);
d02b48c6 1819
ce301b6b 1820 if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q')))
d02b48c6
RE		 1821 {
1822 BIO_printf(bio_err,"DONE\n");
0e1dba93 1823 ret=0;
d02b48c6
RE		 1824 goto shut;
1825 }
1826
ce301b6b 1827 if ((!c_ign_eof) && (cbuf[0] == 'R'))
d02b48c6 1828 {
3bb307c1 1829 BIO_printf(bio_err,"RENEGOTIATING\n");
d02b48c6 1830 SSL_renegotiate(con);
3bb307c1 1831 cbuf_len=0;
d02b48c6
RE		 1832 }
1833 else
1834 {
1835 cbuf_len=i;
1836 cbuf_off=0;
a53955d8
UM		 1837#ifdef CHARSET_EBCDIC
1838 ebcdic2ascii(cbuf, cbuf, i);
1839#endif
d02b48c6
RE		 1840 }
1841
d02b48c6 1842 write_ssl=1;
3bb307c1 1843 read_tty=0;
d02b48c6 1844 }
d02b48c6 1845 }
0e1dba93
DSH		 1846
1847 ret=0;
d02b48c6 1848shut:
b166f13e
BM		 1849 if (in_init)
1850 print_stuff(bio_c_out,con,full_log);
d02b48c6
RE		 1851 SSL_shutdown(con);
1852 SHUTDOWN(SSL_get_fd(con));
d02b48c6 1853end:
d916ba1b
NL		 1854 if (con != NULL)
1855 {
1856 if (prexit != 0)
1857 print_stuff(bio_c_out,con,1);
1858 SSL_free(con);
1859 }
d02b48c6 1860 if (ctx != NULL) SSL_CTX_free(ctx);
826a42a0
DSH		 1861 if (cert)
1862 X509_free(cert);
1863 if (key)
1864 EVP_PKEY_free(key);
1865 if (pass)
1866 OPENSSL_free(pass);
4579924b
RL		 1867 if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); }
1868 if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); }
1869 if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); }
d02b48c6
RE		 1870 if (bio_c_out != NULL)
1871 {
1872 BIO_free(bio_c_out);
1873 bio_c_out=NULL;
1874 }
c04f8cf4 1875 apps_shutdown();
1c3e4a36 1876 OPENSSL_EXIT(ret);
d02b48c6
RE		 1877 }
1878
1879
6b691a5c 1880static void print_stuff(BIO *bio, SSL *s, int full)
d02b48c6 1881 {
58964a49 1882 X509 *peer=NULL;
d02b48c6 1883 char *p;
7d727231 1884 static const char *space=" ";
d02b48c6 1885 char buf[BUFSIZ];
f73e07cf
BL		 1886 STACK_OF(X509) *sk;
1887 STACK_OF(X509_NAME) *sk2;
babb3798 1888 const SSL_CIPHER *c;
d02b48c6
RE		 1889 X509_NAME *xn;
1890 int j,i;
09b6c2ef 1891#ifndef OPENSSL_NO_COMP
d8ec0dcf 1892 const COMP_METHOD *comp, *expansion;
09b6c2ef 1893#endif
d02b48c6
RE		 1894
1895 if (full)
1896 {
bc2e519a
BM		 1897 int got_a_chain = 0;
1898
d02b48c6
RE		 1899 sk=SSL_get_peer_cert_chain(s);
1900 if (sk != NULL)
1901 {
bc2e519a
BM		 1902 got_a_chain = 1; /* we don't have it for SSL2 (yet) */
1903
dfeab068 1904 BIO_printf(bio,"---\nCertificate chain\n");
f73e07cf 1905 for (i=0; i<sk_X509_num(sk); i++)
d02b48c6 1906 {
f73e07cf 1907 X509_NAME_oneline(X509_get_subject_name(
54a656ef 1908 sk_X509_value(sk,i)),buf,sizeof buf);
d02b48c6 1909 BIO_printf(bio,"%2d s:%s\n",i,buf);
f73e07cf 1910 X509_NAME_oneline(X509_get_issuer_name(
54a656ef 1911 sk_X509_value(sk,i)),buf,sizeof buf);
d02b48c6 1912 BIO_printf(bio," i:%s\n",buf);
6d02d8e4 1913 if (c_showcerts)
f73e07cf 1914 PEM_write_bio_X509(bio,sk_X509_value(sk,i));
d02b48c6
RE		 1915 }
1916 }
1917
1918 BIO_printf(bio,"---\n");
1919 peer=SSL_get_peer_certificate(s);
1920 if (peer != NULL)
1921 {
1922 BIO_printf(bio,"Server certificate\n");
bc2e519a 1923 if (!(c_showcerts && got_a_chain)) /* Redundant if we showed the whole chain */
6d02d8e4 1924 PEM_write_bio_X509(bio,peer);
d02b48c6 1925 X509_NAME_oneline(X509_get_subject_name(peer),
54a656ef 1926 buf,sizeof buf);
d02b48c6
RE		 1927 BIO_printf(bio,"subject=%s\n",buf);
1928 X509_NAME_oneline(X509_get_issuer_name(peer),
54a656ef 1929 buf,sizeof buf);
d02b48c6 1930 BIO_printf(bio,"issuer=%s\n",buf);
d02b48c6
RE		 1931 }
1932 else
1933 BIO_printf(bio,"no peer certificate available\n");
1934
f73e07cf 1935 sk2=SSL_get_client_CA_list(s);
d91f8c3c 1936 if ((sk2 != NULL) && (sk_X509_NAME_num(sk2) > 0))
d02b48c6
RE		 1937 {
1938 BIO_printf(bio,"---\nAcceptable client certificate CA names\n");
f73e07cf 1939 for (i=0; i<sk_X509_NAME_num(sk2); i++)
d02b48c6 1940 {
f73e07cf 1941 xn=sk_X509_NAME_value(sk2,i);
d02b48c6
RE		 1942 X509_NAME_oneline(xn,buf,sizeof(buf));
1943 BIO_write(bio,buf,strlen(buf));
1944 BIO_write(bio,"\n",1);
1945 }
1946 }
1947 else
1948 {
1949 BIO_printf(bio,"---\nNo client certificate CA names sent\n");
1950 }
54a656ef 1951 p=SSL_get_shared_ciphers(s,buf,sizeof buf);
d02b48c6
RE		 1952 if (p != NULL)
1953 {
67a47285
BM		 1954 /* This works only for SSL 2. In later protocol
1955 * versions, the client does not know what other
1956 * ciphers (in addition to the one to be used
1957 * in the current connection) the server supports. */
1958
d02b48c6
RE		 1959 BIO_printf(bio,"---\nCiphers common between both SSL endpoints:\n");
1960 j=i=0;
1961 while (*p)
1962 {
1963 if (*p == ':')
1964 {
58964a49 1965 BIO_write(bio,space,15-j%25);
d02b48c6
RE		 1966 i++;
1967 j=0;
1968 BIO_write(bio,((i%3)?" ":"\n"),1);
1969 }
1970 else
1971 {
1972 BIO_write(bio,p,1);
1973 j++;
1974 }
1975 p++;
1976 }
1977 BIO_write(bio,"\n",1);
1978 }
1979
1980 BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n",
1981 BIO_number_read(SSL_get_rbio(s)),
1982 BIO_number_written(SSL_get_wbio(s)));
1983 }
08557cf2 1984 BIO_printf(bio,(SSL_cache_hit(s)?"---\nReused, ":"---\nNew, "));
d02b48c6
RE		 1985 c=SSL_get_current_cipher(s);
1986 BIO_printf(bio,"%s, Cipher is %s\n",
1987 SSL_CIPHER_get_version(c),
1988 SSL_CIPHER_get_name(c));
a8236c8c
DSH		 1989 if (peer != NULL) {
1990 EVP_PKEY *pktmp;
1991 pktmp = X509_get_pubkey(peer);
58964a49 1992 BIO_printf(bio,"Server public key is %d bit\n",
a8236c8c
DSH		 1993 EVP_PKEY_bits(pktmp));
1994 EVP_PKEY_free(pktmp);
1995 }
5430200b
DSH		 1996 BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
1997 SSL_get_secure_renegotiation_support(s) ? "" : " NOT");
09b6c2ef 1998#ifndef OPENSSL_NO_COMP
f44e184e 1999 comp=SSL_get_current_compression(s);
d8ec0dcf 2000 expansion=SSL_get_current_expansion(s);
f44e184e
RL		 2001 BIO_printf(bio,"Compression: %s\n",
2002 comp ? SSL_COMP_get_name(comp) : "NONE");
2003 BIO_printf(bio,"Expansion: %s\n",
d8ec0dcf 2004 expansion ? SSL_COMP_get_name(expansion) : "NONE");
09b6c2ef 2005#endif
ee2ffc27 2006
bf48836c 2007#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
ee2ffc27
BL		 2008 if (next_proto.status != -1) {
2009 const unsigned char *proto;
2010 unsigned int proto_len;
2011 SSL_get0_next_proto_negotiated(s, &proto, &proto_len);
2012 BIO_printf(bio, "Next protocol: (%d) ", next_proto.status);
2013 BIO_write(bio, proto, proto_len);
2014 BIO_write(bio, "\n", 1);
2015 }
2016#endif
2017
a2f9200f
DSH		 2018#ifdef SSL_DEBUG
2019 {
2020 /* Print out local port of connection: useful for debugging */
2021 int sock;
2022 struct sockaddr_in ladd;
2023 socklen_t ladd_size = sizeof(ladd);
2024 sock = SSL_get_fd(s);
2025 getsockname(sock, (struct sockaddr *)&ladd, &ladd_size);
2026 BIO_printf(bio_c_out, "LOCAL PORT is %u\n", ntohs(ladd.sin_port));
2027 }
2028#endif
2029
d02b48c6
RE		 2030 SSL_SESSION_print(bio,SSL_get_session(s));
2031 BIO_printf(bio,"---\n");
58964a49
RE		 2032 if (peer != NULL)
2033 X509_free(peer);
41ebed27 2034 /* flush, or debugging output gets mixed with http response */
710069c1 2035 (void)BIO_flush(bio);
d02b48c6
RE		 2036 }
2037
0702150f
DSH		 2038#ifndef OPENSSL_NO_TLSEXT
2039
67c8e7f4
DSH		 2040static int ocsp_resp_cb(SSL *s, void *arg)
2041 {
2042 const unsigned char *p;
2043 int len;
2044 OCSP_RESPONSE *rsp;
2045 len = SSL_get_tlsext_status_ocsp_resp(s, &p);
2046 BIO_puts(arg, "OCSP response: ");
2047 if (!p)
2048 {
2049 BIO_puts(arg, "no response sent\n");
2050 return 1;
2051 }
2052 rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
2053 if (!rsp)
2054 {
2055 BIO_puts(arg, "response parse error\n");
2056 BIO_dump_indent(arg, (char *)p, len, 4);
2057 return 0;
2058 }
2059 BIO_puts(arg, "\n======================================\n");
2060 OCSP_RESPONSE_print(arg, rsp, 0);
2061 BIO_puts(arg, "======================================\n");
2062 OCSP_RESPONSE_free(rsp);
2063 return 1;
2064 }
0702150f
DSH		 2065
2066#endif
A mirror of the official openssl repository