]> git.ipfire.org Git - thirdparty/openssl.git/blame - apps/s_client.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Make ecdsatest work with nonces.
[thirdparty/openssl.git] / apps / s_client.c
CommitLineData
d02b48c6 1/* apps/s_client.c */
58964a49 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
d02b48c6
RE		 3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
a661b653 58/* ====================================================================
b1277b99 59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
a661b653
BM		 60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
ddac1974
NL		 111/* ====================================================================
112 * Copyright 2005 Nokia. All rights reserved.
113 *
114 * The portions of the attached software ("Contribution") is developed by
115 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
116 * license.
117 *
118 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120 * support (see RFC 4279) to OpenSSL.
121 *
122 * No patent licenses or other rights except those expressly stated in
123 * the OpenSSL open source license shall be deemed granted or received
124 * expressly, by implication, estoppel, or otherwise.
125 *
126 * No assurances are provided by Nokia that the Contribution does not
127 * infringe the patent or other intellectual property rights of any third
128 * party or that the license provides you with all the necessary rights
129 * to make use of the Contribution.
130 *
131 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
135 * OTHERWISE.
136 */
d02b48c6 137
1b1a6e78 138#include <assert.h>
ddac1974 139#include <ctype.h>
8c197cc5
UM		 140#include <stdio.h>
141#include <stdlib.h>
142#include <string.h>
be1bd923 143#include <openssl/e_os2.h>
cf1b7d96 144#ifdef OPENSSL_NO_STDIO
8c197cc5
UM		 145#define APPS_WIN16
146#endif
147
7d7d2cbc
UM		 148/* With IPv6, it looks like Digital has mixed up the proper order of
149 recursive header file inclusion, resulting in the compiler complaining
150 that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which
151 is needed to have fileno() declared correctly... So let's define u_int */
bc36ee62 152#if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
7d7d2cbc
UM		 153#define __U_INT
154typedef unsigned int u_int;
155#endif
156
d02b48c6 157#define USE_SOCKETS
d02b48c6 158#include "apps.h"
ec577822
BM		 159#include <openssl/x509.h>
160#include <openssl/ssl.h>
161#include <openssl/err.h>
162#include <openssl/pem.h>
1372965e 163#include <openssl/rand.h>
67c8e7f4 164#include <openssl/ocsp.h>
1e26a8ba 165#include <openssl/bn.h>
edc032b5
BL		 166#ifndef OPENSSL_NO_SRP
167#include <openssl/srp.h>
168#endif
d02b48c6 169#include "s_apps.h"
36d16f8e 170#include "timeouts.h"
d02b48c6 171
bc36ee62 172#if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
75e0770d 173/* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
7d7d2cbc
UM		 174#undef FIONBIO
175#endif
176
4700aea9
UM		 177#if defined(OPENSSL_SYS_BEOS_R5)
178#include <fcntl.h>
179#endif
180
d02b48c6
RE		 181#undef PROG
182#define PROG s_client_main
183
184/*#define SSL_HOST_NAME "www.netscape.com" */
185/*#define SSL_HOST_NAME "193.118.187.102" */
186#define SSL_HOST_NAME "localhost"
187
188/*#define TEST_CERT "client.pem" */ /* no default cert. */
189
190#undef BUFSIZZ
191#define BUFSIZZ 1024*8
192
193extern int verify_depth;
194extern int verify_error;
5d20c4fb 195extern int verify_return_error;
2a7cbe77 196extern int verify_quiet;
d02b48c6
RE		 197
198#ifdef FIONBIO
199static int c_nbio=0;
200#endif
201static int c_Pause=0;
202static int c_debug=0;
6434abbf
DSH		 203#ifndef OPENSSL_NO_TLSEXT
204static int c_tlsextdebug=0;
67c8e7f4 205static int c_status_req=0;
a9e1c50b 206static int c_proof_debug=0;
6434abbf 207#endif
a661b653 208static int c_msg=0;
6d02d8e4 209static int c_showcerts=0;
d02b48c6 210
e0af0405
BL		 211static char *keymatexportlabel=NULL;
212static int keymatexportlen=20;
213
d02b48c6
RE		 214static void sc_usage(void);
215static void print_stuff(BIO *berr,SSL *con,int full);
0702150f 216#ifndef OPENSSL_NO_TLSEXT
67c8e7f4 217static int ocsp_resp_cb(SSL *s, void *arg);
a9e1c50b 218static int audit_proof_cb(SSL *s, void *arg);
0702150f 219#endif
d02b48c6 220static BIO *bio_c_out=NULL;
93ab9e42 221static BIO *bio_c_msg=NULL;
d02b48c6 222static int c_quiet=0;
ce301b6b 223static int c_ign_eof=0;
2a7cbe77 224static int c_brief=0;
d02b48c6 225
ddac1974
NL		 226#ifndef OPENSSL_NO_PSK
227/* Default PSK identity and key */
228static char *psk_identity="Client_identity";
f3b7bdad 229/*char *psk_key=NULL; by default PSK is not used */
ddac1974
NL		 230
231static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity,
232 unsigned int max_identity_len, unsigned char *psk,
233 unsigned int max_psk_len)
234 {
235 unsigned int psk_len = 0;
236 int ret;
237 BIGNUM *bn=NULL;
238
239 if (c_debug)
240 BIO_printf(bio_c_out, "psk_client_cb\n");
241 if (!hint)
242 {
243 /* no ServerKeyExchange message*/
244 if (c_debug)
245 BIO_printf(bio_c_out,"NULL received PSK identity hint, continuing anyway\n");
246 }
247 else if (c_debug)
248 BIO_printf(bio_c_out, "Received PSK identity hint '%s'\n", hint);
249
250 /* lookup PSK identity and PSK key based on the given identity hint here */
0ed6b526 251 ret = BIO_snprintf(identity, max_identity_len, "%s", psk_identity);
a0aa8b4b 252 if (ret < 0 || (unsigned int)ret > max_identity_len)
ddac1974
NL		 253 goto out_err;
254 if (c_debug)
255 BIO_printf(bio_c_out, "created identity '%s' len=%d\n", identity, ret);
256 ret=BN_hex2bn(&bn, psk_key);
257 if (!ret)
258 {
259 BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", psk_key);
260 if (bn)
261 BN_free(bn);
262 return 0;
263 }
264
a0aa8b4b 265 if ((unsigned int)BN_num_bytes(bn) > max_psk_len)
ddac1974
NL		 266 {
267 BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
268 max_psk_len, BN_num_bytes(bn));
269 BN_free(bn);
270 return 0;
271 }
272
273 psk_len=BN_bn2bin(bn, psk);
274 BN_free(bn);
275 if (psk_len == 0)
276 goto out_err;
277
278 if (c_debug)
279 BIO_printf(bio_c_out, "created PSK len=%d\n", psk_len);
280
281 return psk_len;
282 out_err:
283 if (c_debug)
284 BIO_printf(bio_err, "Error in PSK client callback\n");
285 return 0;
286 }
287#endif
288
6b691a5c 289static void sc_usage(void)
d02b48c6 290 {
b6cff93d 291 BIO_printf(bio_err,"usage: s_client args\n");
d02b48c6
RE		 292 BIO_printf(bio_err,"\n");
293 BIO_printf(bio_err," -host host - use -connect instead\n");
294 BIO_printf(bio_err," -port port - use -connect instead\n");
295 BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR);
d02b48c6
RE		 296 BIO_printf(bio_err," -verify arg - turn on peer certificate verification\n");
297 BIO_printf(bio_err," -cert arg - certificate file to use, PEM format assumed\n");
826a42a0
DSH		 298 BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n");
299 BIO_printf(bio_err," -key arg - Private key file to use, in cert file if\n");
d02b48c6 300 BIO_printf(bio_err," not specified but cert file is.\n");
826a42a0
DSH		 301 BIO_printf(bio_err," -keyform arg - key format (PEM or DER) PEM default\n");
302 BIO_printf(bio_err," -pass arg - private key file pass phrase source\n");
d02b48c6
RE		 303 BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n");
304 BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n");
305 BIO_printf(bio_err," -reconnect - Drop and re-make the connection with the same Session-ID\n");
306 BIO_printf(bio_err," -pause - sleep(1) after each read(2) and write(2) system call\n");
6d02d8e4 307 BIO_printf(bio_err," -showcerts - show all certificates in the chain\n");
d02b48c6 308 BIO_printf(bio_err," -debug - extra output\n");
02a00bb0
AP		 309#ifdef WATT32
310 BIO_printf(bio_err," -wdebug - WATT-32 tcp debugging\n");
311#endif
a661b653 312 BIO_printf(bio_err," -msg - Show protocol messages\n");
d02b48c6
RE		 313 BIO_printf(bio_err," -nbio_test - more ssl protocol testing\n");
314 BIO_printf(bio_err," -state - print the 'ssl' states\n");
315#ifdef FIONBIO
316 BIO_printf(bio_err," -nbio - Run with non-blocking IO\n");
1bdb8633 317#endif
1bdb8633 318 BIO_printf(bio_err," -crlf - convert LF from terminal into CRLF\n");
d02b48c6 319 BIO_printf(bio_err," -quiet - no s_client output\n");
ce301b6b 320 BIO_printf(bio_err," -ign_eof - ignore input eof (default when -quiet)\n");
020d67fb 321 BIO_printf(bio_err," -no_ign_eof - don't ignore input eof\n");
ddac1974
NL		 322#ifndef OPENSSL_NO_PSK
323 BIO_printf(bio_err," -psk_identity arg - PSK identity\n");
324 BIO_printf(bio_err," -psk arg - PSK in hex (without 0x)\n");
79bd20fd 325# ifndef OPENSSL_NO_JPAKE
f3b7bdad
BL		 326 BIO_printf(bio_err," -jpake arg - JPAKE secret to use\n");
327# endif
edc032b5
BL		 328#endif
329#ifndef OPENSSL_NO_SRP
330 BIO_printf(bio_err," -srpuser user - SRP authentification for 'user'\n");
331 BIO_printf(bio_err," -srppass arg - password for 'user'\n");
332 BIO_printf(bio_err," -srp_lateuser - SRP username into second ClientHello message\n");
333 BIO_printf(bio_err," -srp_moregroups - Tolerate other than the known g N values.\n");
334 BIO_printf(bio_err," -srp_strength int - minimal mength in bits for N (default %d).\n",SRP_MINIMAL_N);
ddac1974 335#endif
d02b48c6
RE		 336 BIO_printf(bio_err," -ssl2 - just use SSLv2\n");
337 BIO_printf(bio_err," -ssl3 - just use SSLv3\n");
7409d7ad 338 BIO_printf(bio_err," -tls1_2 - just use TLSv1.2\n");
637f374a 339 BIO_printf(bio_err," -tls1_1 - just use TLSv1.1\n");
58964a49 340 BIO_printf(bio_err," -tls1 - just use TLSv1\n");
36d16f8e 341 BIO_printf(bio_err," -dtls1 - just use DTLSv1\n");
046f2101 342 BIO_printf(bio_err," -mtu - set the link layer MTU\n");
7409d7ad 343 BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
d02b48c6 344 BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n");
836f9960 345 BIO_printf(bio_err," -serverpref - Use server's cipher preferences (only SSLv2)\n");
657e60fa 346 BIO_printf(bio_err," -cipher - preferred cipher to use, use the 'openssl ciphers'\n");
dfeab068 347 BIO_printf(bio_err," command to see what is available\n");
135c0af1
RL		 348 BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n");
349 BIO_printf(bio_err," for those protocols that support it, where\n");
350 BIO_printf(bio_err," 'prot' defines which one to assume. Currently,\n");
d5bbead4
BL		 351 BIO_printf(bio_err," only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
352 BIO_printf(bio_err," are supported.\n");
0b13e9f0 353#ifndef OPENSSL_NO_ENGINE
5270e702 354 BIO_printf(bio_err," -engine id - Initialise and use the specified engine\n");
0b13e9f0 355#endif
52b621db 356 BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
014f62b6
DSH		 357 BIO_printf(bio_err," -sess_out arg - file to write SSL session to\n");
358 BIO_printf(bio_err," -sess_in arg - file to read SSL session from\n");
ed3883d2
BM		 359#ifndef OPENSSL_NO_TLSEXT
360 BIO_printf(bio_err," -servername host - Set TLS extension servername in ClientHello\n");
d24a9c8f 361 BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n");
67c8e7f4 362 BIO_printf(bio_err," -status - request certificate status from server\n");
d24a9c8f 363 BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n");
a9e1c50b 364 BIO_printf(bio_err," -proof_debug - request an audit proof and print its hex dump\n");
bf48836c 365# ifndef OPENSSL_NO_NEXTPROTONEG
ee2ffc27
BL		 366 BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
367# endif
a398f821
T		 368#ifndef OPENSSL_NO_TLSEXT
369 BIO_printf(bio_err," -serverinfo types - send empty ClientHello extensions (comma-separated numbers)\n");
370#endif
ed3883d2 371#endif
2942dde5 372 BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
be81f4dd 373 BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
e0af0405
BL		 374 BIO_printf(bio_err," -keymatexport label - Export keying material using label\n");
375 BIO_printf(bio_err," -keymatexportlen len - Export len bytes of keying material (default 20)\n");
d02b48c6
RE		 376 }
377
ed3883d2
BM		 378#ifndef OPENSSL_NO_TLSEXT
379
380/* This is a context that we pass to callbacks */
381typedef struct tlsextctx_st {
382 BIO * biodebug;
383 int ack;
384} tlsextctx;
385
386
b1277b99
BM		 387static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
388 {
ed3883d2 389 tlsextctx * p = (tlsextctx *) arg;
8de5b7f5 390 const char * hn= SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
ed3883d2
BM		 391 if (SSL_get_servername_type(s) != -1)
392 p->ack = !SSL_session_reused(s) && hn != NULL;
393 else
f1fd4544 394 BIO_printf(bio_err,"Can't use SSL_get_servername\n");
ed3883d2 395
241520e6 396 return SSL_TLSEXT_ERR_OK;
b1277b99 397 }
ee2ffc27 398
edc032b5
BL		 399#ifndef OPENSSL_NO_SRP
400
401/* This is a context that we pass to all callbacks */
402typedef struct srp_arg_st
403 {
404 char *srppassin;
405 char *srplogin;
406 int msg; /* copy from c_msg */
407 int debug; /* copy from c_debug */
408 int amp; /* allow more groups */
409 int strength /* minimal size for N */ ;
410 } SRP_ARG;
411
412#define SRP_NUMBER_ITERATIONS_FOR_PRIME 64
413
f2fc3075 414static int srp_Verify_N_and_g(const BIGNUM *N, const BIGNUM *g)
edc032b5
BL		 415 {
416 BN_CTX *bn_ctx = BN_CTX_new();
417 BIGNUM *p = BN_new();
418 BIGNUM *r = BN_new();
419 int ret =
420 g != NULL && N != NULL && bn_ctx != NULL && BN_is_odd(N) &&
f2fc3075 421 BN_is_prime_ex(N, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
edc032b5
BL		 422 p != NULL && BN_rshift1(p, N) &&
423
424 /* p = (N-1)/2 */
f2fc3075 425 BN_is_prime_ex(p, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
edc032b5
BL		 426 r != NULL &&
427
428 /* verify g^((N-1)/2) == -1 (mod N) */
429 BN_mod_exp(r, g, p, N, bn_ctx) &&
430 BN_add_word(r, 1) &&
431 BN_cmp(r, N) == 0;
432
433 if(r)
434 BN_free(r);
435 if(p)
436 BN_free(p);
437 if(bn_ctx)
438 BN_CTX_free(bn_ctx);
439 return ret;
440 }
441
f2fc3075
DSH		 442/* This callback is used here for two purposes:
443 - extended debugging
444 - making some primality tests for unknown groups
445 The callback is only called for a non default group.
446
447 An application does not need the call back at all if
448 only the stanard groups are used. In real life situations,
449 client and server already share well known groups,
450 thus there is no need to verify them.
451 Furthermore, in case that a server actually proposes a group that
452 is not one of those defined in RFC 5054, it is more appropriate
453 to add the group to a static list and then compare since
454 primality tests are rather cpu consuming.
455*/
456
edc032b5
BL		 457static int MS_CALLBACK ssl_srp_verify_param_cb(SSL *s, void *arg)
458 {
459 SRP_ARG *srp_arg = (SRP_ARG *)arg;
460 BIGNUM *N = NULL, *g = NULL;
461 if (!(N = SSL_get_srp_N(s)) || !(g = SSL_get_srp_g(s)))
462 return 0;
463 if (srp_arg->debug || srp_arg->msg || srp_arg->amp == 1)
464 {
465 BIO_printf(bio_err, "SRP parameters:\n");
466 BIO_printf(bio_err,"\tN="); BN_print(bio_err,N);
467 BIO_printf(bio_err,"\n\tg="); BN_print(bio_err,g);
468 BIO_printf(bio_err,"\n");
469 }
470
471 if (SRP_check_known_gN_param(g,N))
472 return 1;
473
474 if (srp_arg->amp == 1)
475 {
476 if (srp_arg->debug)
477 BIO_printf(bio_err, "SRP param N and g are not known params, going to check deeper.\n");
478
f2fc3075 479/* The srp_moregroups is a real debugging feature.
edc032b5
BL		 480 Implementors should rather add the value to the known ones.
481 The minimal size has already been tested.
482*/
f2fc3075 483 if (BN_num_bits(g) <= BN_BITS && srp_Verify_N_and_g(N,g))
edc032b5
BL		 484 return 1;
485 }
486 BIO_printf(bio_err, "SRP param N and g rejected.\n");
487 return 0;
488 }
489
490#define PWD_STRLEN 1024
491
492static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
493 {
494 SRP_ARG *srp_arg = (SRP_ARG *)arg;
495 char *pass = (char *)OPENSSL_malloc(PWD_STRLEN+1);
496 PW_CB_DATA cb_tmp;
497 int l;
498
499 cb_tmp.password = (char *)srp_arg->srppassin;
500 cb_tmp.prompt_info = "SRP user";
501 if ((l = password_callback(pass, PWD_STRLEN, 0, &cb_tmp))<0)
502 {
503 BIO_printf (bio_err, "Can't read Password\n");
504 OPENSSL_free(pass);
505 return NULL;
506 }
507 *(pass+l)= '\0';
508
509 return pass;
510 }
511
edc032b5 512#endif
333f926d 513 char *srtp_profiles = NULL;
edc032b5 514
bf48836c 515# ifndef OPENSSL_NO_NEXTPROTONEG
ee2ffc27
BL		 516/* This the context that we pass to next_proto_cb */
517typedef struct tlsextnextprotoctx_st {
518 unsigned char *data;
519 unsigned short len;
520 int status;
521} tlsextnextprotoctx;
522
523static tlsextnextprotoctx next_proto;
524
525static int next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg)
526 {
527 tlsextnextprotoctx *ctx = arg;
528
529 if (!c_quiet)
530 {
531 /* We can assume that |in| is syntactically valid. */
532 unsigned i;
533 BIO_printf(bio_c_out, "Protocols advertised by server: ");
534 for (i = 0; i < inlen; )
535 {
536 if (i)
537 BIO_write(bio_c_out, ", ", 2);
538 BIO_write(bio_c_out, &in[i + 1], in[i]);
539 i += in[i] + 1;
540 }
541 BIO_write(bio_c_out, "\n", 1);
542 }
543
544 ctx->status = SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len);
545 return SSL_TLSEXT_ERR_OK;
546 }
bf48836c 547# endif /* ndef OPENSSL_NO_NEXTPROTONEG */
a398f821
T		 548
549static int serverinfo_cli_cb(SSL* s, unsigned short ext_type,
550 const unsigned char* in, unsigned short inlen,
551 int* al, void* arg)
552 {
553 char pem_name[100];
554 unsigned char ext_buf[4 + 65536];
555
556 /* Reconstruct the type/len fields prior to extension data */
557 ext_buf[0] = ext_type >> 8;
558 ext_buf[1] = ext_type & 0xFF;
559 ext_buf[2] = inlen >> 8;
560 ext_buf[3] = inlen & 0xFF;
561 memcpy(ext_buf+4, in, inlen);
562
563 BIO_snprintf(pem_name, sizeof(pem_name), "SERVER_INFO %d", ext_type);
564 PEM_write_bio(bio_c_out, pem_name, "", ext_buf, 4 + inlen);
565 return 1;
566 }
567
ed3883d2
BM		 568#endif
569
85c67492
RL		 570enum
571{
572 PROTO_OFF = 0,
573 PROTO_SMTP,
574 PROTO_POP3,
575 PROTO_IMAP,
d5bbead4 576 PROTO_FTP,
640b86cb 577 PROTO_XMPP
85c67492
RL		 578};
579
667ac4ec
RE		 580int MAIN(int, char **);
581
6b691a5c 582int MAIN(int argc, char **argv)
d02b48c6 583 {
74ecfab4 584 int build_chain = 0;
67b6f1ca 585 SSL *con=NULL;
4f7a2ab8
DSH		 586#ifndef OPENSSL_NO_KRB5
587 KSSL_CTX *kctx;
588#endif
d02b48c6 589 int s,k,width,state=0;
135c0af1 590 char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL;
d02b48c6
RE		 591 int cbuf_len,cbuf_off;
592 int sbuf_len,sbuf_off;
593 fd_set readfds,writefds;
594 short port=PORT;
595 int full_log=1;
596 char *host=SSL_HOST_NAME;
4e71d952 597 char *cert_file=NULL,*key_file=NULL,*chain_file=NULL;
826a42a0
DSH		 598 int cert_format = FORMAT_PEM, key_format = FORMAT_PEM;
599 char *passarg = NULL, *pass = NULL;
600 X509 *cert = NULL;
601 EVP_PKEY *key = NULL;
4e71d952 602 STACK_OF(X509) *chain = NULL;
5d2e07f1 603 char *CApath=NULL,*CAfile=NULL;
a5afc0a8
DSH		 604 char *chCApath=NULL,*chCAfile=NULL;
605 char *vfyCApath=NULL,*vfyCAfile=NULL;
5d2e07f1 606 int reconnect=0,badop=0,verify=SSL_VERIFY_NONE;
1bdb8633 607 int crlf=0;
c7ac31e2 608 int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending;
d02b48c6
RE		 609 SSL_CTX *ctx=NULL;
610 int ret=1,in_init=1,i,nbio_test=0;
85c67492 611 int starttls_proto = PROTO_OFF;
db99779b
DSH		 612 int prexit = 0;
613 X509_VERIFY_PARAM *vpm = NULL;
614 int badarg = 0;
4ebb342f 615 const SSL_METHOD *meth=NULL;
b1277b99 616 int socket_type=SOCK_STREAM;
d02b48c6 617 BIO *sbio;
52b621db 618 char *inrand=NULL;
85c67492 619 int mbuf_len=0;
b972fbaa 620 struct timeval timeout, *timeoutp;
0b13e9f0 621#ifndef OPENSSL_NO_ENGINE
5270e702 622 char *engine_id=NULL;
59d2d48f 623 char *ssl_client_engine_id=NULL;
70531c14 624 ENGINE *ssl_client_engine=NULL;
0b13e9f0 625#endif
70531c14 626 ENGINE *e=NULL;
4700aea9 627#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
06f4536a 628 struct timeval tv;
4700aea9
UM		 629#if defined(OPENSSL_SYS_BEOS_R5)
630 int stdin_set = 0;
631#endif
06f4536a 632#endif
ed3883d2
BM		 633#ifndef OPENSSL_NO_TLSEXT
634 char *servername = NULL;
635 tlsextctx tlsextcbp =
636 {NULL,0};
bf48836c 637# ifndef OPENSSL_NO_NEXTPROTONEG
ee2ffc27
BL		 638 const char *next_proto_neg_in = NULL;
639# endif
a398f821
T		 640# define MAX_SI_TYPES 100
641 unsigned short serverinfo_types[MAX_SI_TYPES];
642 int serverinfo_types_count = 0;
ed3883d2 643#endif
6434abbf
DSH		 644 char *sess_in = NULL;
645 char *sess_out = NULL;
36d16f8e 646 struct sockaddr peer;
6c61726b 647 int peerlen = sizeof(peer);
36d16f8e 648 int enable_timeouts = 0 ;
b1277b99 649 long socket_mtu = 0;
79bd20fd 650#ifndef OPENSSL_NO_JPAKE
b252cf0d
DSH		 651static char *jpake_secret = NULL;
652#define no_jpake !jpake_secret
653#else
654#define no_jpake 1
ed551cdd 655#endif
edc032b5
BL		 656#ifndef OPENSSL_NO_SRP
657 char * srppass = NULL;
658 int srp_lateuser = 0;
659 SRP_ARG srp_arg = {NULL,NULL,0,0,0,1024};
660#endif
3208fc59 661 SSL_EXCERT *exc = NULL;
36d16f8e 662
5d2e07f1
DSH		 663 SSL_CONF_CTX *cctx = NULL;
664 STACK_OF(OPENSSL_STRING) *ssl_args = NULL;
a70da5b3 665
fdb78f3d
DSH		 666 char *crl_file = NULL;
667 int crl_format = FORMAT_PEM;
0090a686 668 int crl_download = 0;
fdb78f3d
DSH		 669 STACK_OF(X509_CRL) *crls = NULL;
670
d02b48c6 671 meth=SSLv23_client_method();
d02b48c6
RE		 672
673 apps_startup();
58964a49 674 c_Pause=0;
d02b48c6 675 c_quiet=0;
ce301b6b 676 c_ign_eof=0;
d02b48c6 677 c_debug=0;
a661b653 678 c_msg=0;
6d02d8e4 679 c_showcerts=0;
d02b48c6
RE		 680
681 if (bio_err == NULL)
682 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
683
3647bee2
DSH		 684 if (!load_config(bio_err, NULL))
685 goto end;
5d2e07f1
DSH		 686 cctx = SSL_CONF_CTX_new();
687 if (!cctx)
688 goto end;
689 SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT);
690 SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CMDLINE);
3647bee2 691
26a3a48d 692 if ( ((cbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
135c0af1
RL		 693 ((sbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
694 ((mbuf=OPENSSL_malloc(BUFSIZZ)) == NULL))
d02b48c6
RE		 695 {
696 BIO_printf(bio_err,"out of memory\n");
697 goto end;
698 }
699
700 verify_depth=0;
701 verify_error=X509_V_OK;
702#ifdef FIONBIO
703 c_nbio=0;
704#endif
705
706 argc--;
707 argv++;
708 while (argc >= 1)
709 {
710 if (strcmp(*argv,"-host") == 0)
711 {
712 if (--argc < 1) goto bad;
713 host= *(++argv);
714 }
715 else if (strcmp(*argv,"-port") == 0)
716 {
717 if (--argc < 1) goto bad;
718 port=atoi(*(++argv));
719 if (port == 0) goto bad;
720 }
721 else if (strcmp(*argv,"-connect") == 0)
722 {
723 if (--argc < 1) goto bad;
724 if (!extract_host_port(*(++argv),&host,NULL,&port))
725 goto bad;
726 }
727 else if (strcmp(*argv,"-verify") == 0)
728 {
729 verify=SSL_VERIFY_PEER;
730 if (--argc < 1) goto bad;
731 verify_depth=atoi(*(++argv));
2a7cbe77
DSH		 732 if (!c_quiet)
733 BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
d02b48c6
RE		 734 }
735 else if (strcmp(*argv,"-cert") == 0)
736 {
737 if (--argc < 1) goto bad;
738 cert_file= *(++argv);
739 }
fdb78f3d
DSH		 740 else if (strcmp(*argv,"-CRL") == 0)
741 {
742 if (--argc < 1) goto bad;
743 crl_file= *(++argv);
744 }
0090a686
DSH		 745 else if (strcmp(*argv,"-crl_download") == 0)
746 crl_download = 1;
6434abbf
DSH		 747 else if (strcmp(*argv,"-sess_out") == 0)
748 {
749 if (--argc < 1) goto bad;
750 sess_out = *(++argv);
751 }
752 else if (strcmp(*argv,"-sess_in") == 0)
753 {
754 if (--argc < 1) goto bad;
755 sess_in = *(++argv);
756 }
826a42a0
DSH		 757 else if (strcmp(*argv,"-certform") == 0)
758 {
759 if (--argc < 1) goto bad;
760 cert_format = str2fmt(*(++argv));
761 }
fdb78f3d
DSH		 762 else if (strcmp(*argv,"-CRLform") == 0)
763 {
764 if (--argc < 1) goto bad;
765 crl_format = str2fmt(*(++argv));
766 }
db99779b
DSH		 767 else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
768 {
769 if (badarg)
770 goto bad;
771 continue;
772 }
5d20c4fb
DSH		 773 else if (strcmp(*argv,"-verify_return_error") == 0)
774 verify_return_error = 1;
2a7cbe77
DSH		 775 else if (strcmp(*argv,"-verify_quiet") == 0)
776 verify_quiet = 1;
777 else if (strcmp(*argv,"-brief") == 0)
778 {
779 c_brief = 1;
780 verify_quiet = 1;
781 c_quiet = 1;
782 }
3208fc59
DSH		 783 else if (args_excert(&argv, &argc, &badarg, bio_err, &exc))
784 {
785 if (badarg)
786 goto bad;
787 continue;
788 }
5d2e07f1
DSH		 789 else if (args_ssl(&argv, &argc, cctx, &badarg, bio_err, &ssl_args))
790 {
791 if (badarg)
792 goto bad;
793 continue;
794 }
c3ed3b6e
DSH		 795 else if (strcmp(*argv,"-prexit") == 0)
796 prexit=1;
1bdb8633
BM		 797 else if (strcmp(*argv,"-crlf") == 0)
798 crlf=1;
d02b48c6 799 else if (strcmp(*argv,"-quiet") == 0)
ce301b6b 800 {
d02b48c6 801 c_quiet=1;
ce301b6b
RL		 802 c_ign_eof=1;
803 }
804 else if (strcmp(*argv,"-ign_eof") == 0)
805 c_ign_eof=1;
020d67fb
LJ		 806 else if (strcmp(*argv,"-no_ign_eof") == 0)
807 c_ign_eof=0;
d02b48c6
RE		 808 else if (strcmp(*argv,"-pause") == 0)
809 c_Pause=1;
810 else if (strcmp(*argv,"-debug") == 0)
811 c_debug=1;
6434abbf
DSH		 812#ifndef OPENSSL_NO_TLSEXT
813 else if (strcmp(*argv,"-tlsextdebug") == 0)
814 c_tlsextdebug=1;
67c8e7f4
DSH		 815 else if (strcmp(*argv,"-status") == 0)
816 c_status_req=1;
a9e1c50b
BL		 817 else if (strcmp(*argv,"-proof_debug") == 0)
818 c_proof_debug=1;
6434abbf 819#endif
02a00bb0
AP		 820#ifdef WATT32
821 else if (strcmp(*argv,"-wdebug") == 0)
822 dbug_init();
823#endif
a661b653
BM		 824 else if (strcmp(*argv,"-msg") == 0)
825 c_msg=1;
93ab9e42
DSH		 826 else if (strcmp(*argv,"-msgfile") == 0)
827 {
828 if (--argc < 1) goto bad;
829 bio_c_msg = BIO_new_file(*(++argv), "w");
830 }
831#ifndef OPENSSL_NO_SSL_TRACE
832 else if (strcmp(*argv,"-trace") == 0)
833 c_msg=2;
834#endif
6d02d8e4
BM		 835 else if (strcmp(*argv,"-showcerts") == 0)
836 c_showcerts=1;
d02b48c6
RE		 837 else if (strcmp(*argv,"-nbio_test") == 0)
838 nbio_test=1;
839 else if (strcmp(*argv,"-state") == 0)
840 state=1;
ddac1974
NL		 841#ifndef OPENSSL_NO_PSK
842 else if (strcmp(*argv,"-psk_identity") == 0)
843 {
844 if (--argc < 1) goto bad;
845 psk_identity=*(++argv);
846 }
847 else if (strcmp(*argv,"-psk") == 0)
848 {
849 size_t j;
850
851 if (--argc < 1) goto bad;
852 psk_key=*(++argv);
853 for (j = 0; j < strlen(psk_key); j++)
854 {
a50bce82 855 if (isxdigit((unsigned char)psk_key[j]))
ddac1974
NL		 856 continue;
857 BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
858 goto bad;
859 }
860 }
861#endif
edc032b5
BL		 862#ifndef OPENSSL_NO_SRP
863 else if (strcmp(*argv,"-srpuser") == 0)
864 {
865 if (--argc < 1) goto bad;
866 srp_arg.srplogin= *(++argv);
867 meth=TLSv1_client_method();
868 }
869 else if (strcmp(*argv,"-srppass") == 0)
870 {
871 if (--argc < 1) goto bad;
872 srppass= *(++argv);
873 meth=TLSv1_client_method();
874 }
875 else if (strcmp(*argv,"-srp_strength") == 0)
876 {
877 if (--argc < 1) goto bad;
878 srp_arg.strength=atoi(*(++argv));
879 BIO_printf(bio_err,"SRP minimal length for N is %d\n",srp_arg.strength);
880 meth=TLSv1_client_method();
881 }
882 else if (strcmp(*argv,"-srp_lateuser") == 0)
883 {
884 srp_lateuser= 1;
885 meth=TLSv1_client_method();
886 }
887 else if (strcmp(*argv,"-srp_moregroups") == 0)
888 {
889 srp_arg.amp=1;
890 meth=TLSv1_client_method();
891 }
892#endif
cf1b7d96 893#ifndef OPENSSL_NO_SSL2
d02b48c6
RE		 894 else if (strcmp(*argv,"-ssl2") == 0)
895 meth=SSLv2_client_method();
896#endif
cf1b7d96 897#ifndef OPENSSL_NO_SSL3
d02b48c6
RE		 898 else if (strcmp(*argv,"-ssl3") == 0)
899 meth=SSLv3_client_method();
58964a49 900#endif
cf1b7d96 901#ifndef OPENSSL_NO_TLS1
7409d7ad
DSH		 902 else if (strcmp(*argv,"-tls1_2") == 0)
903 meth=TLSv1_2_client_method();
637f374a
DSH		 904 else if (strcmp(*argv,"-tls1_1") == 0)
905 meth=TLSv1_1_client_method();
58964a49
RE		 906 else if (strcmp(*argv,"-tls1") == 0)
907 meth=TLSv1_client_method();
36d16f8e
BL		 908#endif
909#ifndef OPENSSL_NO_DTLS1
c6913eeb
DSH		 910 else if (strcmp(*argv,"-dtls") == 0)
911 {
912 meth=DTLS_client_method();
913 socket_type=SOCK_DGRAM;
914 }
36d16f8e
BL		 915 else if (strcmp(*argv,"-dtls1") == 0)
916 {
917 meth=DTLSv1_client_method();
b1277b99 918 socket_type=SOCK_DGRAM;
36d16f8e 919 }
c3b344e3
DSH		 920 else if (strcmp(*argv,"-dtls1_2") == 0)
921 {
922 meth=DTLSv1_2_client_method();
923 socket_type=SOCK_DGRAM;
924 }
36d16f8e
BL		 925 else if (strcmp(*argv,"-timeout") == 0)
926 enable_timeouts=1;
927 else if (strcmp(*argv,"-mtu") == 0)
928 {
929 if (--argc < 1) goto bad;
b1277b99 930 socket_mtu = atol(*(++argv));
36d16f8e 931 }
d02b48c6 932#endif
826a42a0
DSH		 933 else if (strcmp(*argv,"-keyform") == 0)
934 {
935 if (--argc < 1) goto bad;
936 key_format = str2fmt(*(++argv));
937 }
938 else if (strcmp(*argv,"-pass") == 0)
939 {
940 if (--argc < 1) goto bad;
941 passarg = *(++argv);
942 }
4e71d952
DSH		 943 else if (strcmp(*argv,"-cert_chain") == 0)
944 {
945 if (--argc < 1) goto bad;
946 chain_file= *(++argv);
947 }
d02b48c6
RE		 948 else if (strcmp(*argv,"-key") == 0)
949 {
950 if (--argc < 1) goto bad;
951 key_file= *(++argv);
952 }
953 else if (strcmp(*argv,"-reconnect") == 0)
954 {
955 reconnect=5;
956 }
957 else if (strcmp(*argv,"-CApath") == 0)
958 {
959 if (--argc < 1) goto bad;
960 CApath= *(++argv);
961 }
a5afc0a8
DSH		 962 else if (strcmp(*argv,"-chainCApath") == 0)
963 {
964 if (--argc < 1) goto bad;
965 chCApath= *(++argv);
966 }
967 else if (strcmp(*argv,"-verifyCApath") == 0)
968 {
969 if (--argc < 1) goto bad;
970 vfyCApath= *(++argv);
971 }
74ecfab4
DSH		 972 else if (strcmp(*argv,"-build_chain") == 0)
973 build_chain = 1;
d02b48c6
RE		 974 else if (strcmp(*argv,"-CAfile") == 0)
975 {
976 if (--argc < 1) goto bad;
977 CAfile= *(++argv);
978 }
a5afc0a8
DSH		 979 else if (strcmp(*argv,"-chainCAfile") == 0)
980 {
981 if (--argc < 1) goto bad;
982 chCAfile= *(++argv);
983 }
984 else if (strcmp(*argv,"-verifyCAfile") == 0)
985 {
986 if (--argc < 1) goto bad;
987 vfyCAfile= *(++argv);
988 }
6434abbf 989#ifndef OPENSSL_NO_TLSEXT
bf48836c 990# ifndef OPENSSL_NO_NEXTPROTONEG
ee2ffc27
BL		 991 else if (strcmp(*argv,"-nextprotoneg") == 0)
992 {
993 if (--argc < 1) goto bad;
994 next_proto_neg_in = *(++argv);
995 }
996# endif
a398f821
T		 997 else if (strcmp(*argv,"-serverinfo") == 0)
998 {
999 char *c;
1000 int start = 0;
1001 int len;
1002
1003 if (--argc < 1) goto bad;
1004 c = *(++argv);
1005 serverinfo_types_count = 0;
1006 len = strlen(c);
1007 for (i = 0; i <= len; ++i)
1008 {
1009 if (i == len || c[i] == ',')
1010 {
1011 serverinfo_types[serverinfo_types_count]
1012 = atoi(c+start);
1013 serverinfo_types_count++;
1014 start = i+1;
1015 }
1016 if (serverinfo_types_count == MAX_SI_TYPES)
1017 break;
1018 }
1019 }
6434abbf 1020#endif
d02b48c6
RE		 1021#ifdef FIONBIO
1022 else if (strcmp(*argv,"-nbio") == 0)
1023 { c_nbio=1; }
1024#endif
135c0af1
RL		 1025 else if (strcmp(*argv,"-starttls") == 0)
1026 {
1027 if (--argc < 1) goto bad;
1028 ++argv;
1029 if (strcmp(*argv,"smtp") == 0)
85c67492 1030 starttls_proto = PROTO_SMTP;
4f17dfcd 1031 else if (strcmp(*argv,"pop3") == 0)
85c67492
RL		 1032 starttls_proto = PROTO_POP3;
1033 else if (strcmp(*argv,"imap") == 0)
1034 starttls_proto = PROTO_IMAP;
1035 else if (strcmp(*argv,"ftp") == 0)
1036 starttls_proto = PROTO_FTP;
d5bbead4
BL		 1037 else if (strcmp(*argv, "xmpp") == 0)
1038 starttls_proto = PROTO_XMPP;
135c0af1
RL		 1039 else
1040 goto bad;
1041 }
0b13e9f0 1042#ifndef OPENSSL_NO_ENGINE
5270e702
RL		 1043 else if (strcmp(*argv,"-engine") == 0)
1044 {
1045 if (--argc < 1) goto bad;
1046 engine_id = *(++argv);
1047 }
59d2d48f
DSH		 1048 else if (strcmp(*argv,"-ssl_client_engine") == 0)
1049 {
1050 if (--argc < 1) goto bad;
1051 ssl_client_engine_id = *(++argv);
1052 }
0b13e9f0 1053#endif
52b621db
LJ		 1054 else if (strcmp(*argv,"-rand") == 0)
1055 {
1056 if (--argc < 1) goto bad;
1057 inrand= *(++argv);
1058 }
ed3883d2
BM		 1059#ifndef OPENSSL_NO_TLSEXT
1060 else if (strcmp(*argv,"-servername") == 0)
1061 {
1062 if (--argc < 1) goto bad;
1063 servername= *(++argv);
1064 /* meth=TLSv1_client_method(); */
1065 }
1066#endif
79bd20fd 1067#ifndef OPENSSL_NO_JPAKE
6caa4edd
BL		 1068 else if (strcmp(*argv,"-jpake") == 0)
1069 {
1070 if (--argc < 1) goto bad;
1071 jpake_secret = *++argv;
1072 }
ed551cdd 1073#endif
333f926d
BL		 1074 else if (strcmp(*argv,"-use_srtp") == 0)
1075 {
1076 if (--argc < 1) goto bad;
1077 srtp_profiles = *(++argv);
1078 }
e0af0405
BL		 1079 else if (strcmp(*argv,"-keymatexport") == 0)
1080 {
1081 if (--argc < 1) goto bad;
1082 keymatexportlabel= *(++argv);
1083 }
1084 else if (strcmp(*argv,"-keymatexportlen") == 0)
1085 {
1086 if (--argc < 1) goto bad;
1087 keymatexportlen=atoi(*(++argv));
1088 if (keymatexportlen == 0) goto bad;
1089 }
333f926d 1090 else
d02b48c6
RE		 1091 {
1092 BIO_printf(bio_err,"unknown option %s\n",*argv);
1093 badop=1;
1094 break;
1095 }
1096 argc--;
1097 argv++;
1098 }
1099 if (badop)
1100 {
1101bad:
1102 sc_usage();
1103 goto end;
1104 }
1105
79bd20fd 1106#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
f3b7bdad
BL		 1107 if (jpake_secret)
1108 {
1109 if (psk_key)
1110 {
1111 BIO_printf(bio_err,
1112 "Can't use JPAKE and PSK together\n");
1113 goto end;
1114 }
1115 psk_identity = "JPAKE";
1116 }
f3b7bdad
BL		 1117#endif
1118
cead7f36
RL		 1119 OpenSSL_add_ssl_algorithms();
1120 SSL_load_error_strings();
1121
bf48836c 1122#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
ee2ffc27
BL		 1123 next_proto.status = -1;
1124 if (next_proto_neg_in)
1125 {
1126 next_proto.data = next_protos_parse(&next_proto.len, next_proto_neg_in);
1127 if (next_proto.data == NULL)
1128 {
1129 BIO_printf(bio_err, "Error parsing -nextprotoneg argument\n");
1130 goto end;
1131 }
1132 }
1133 else
1134 next_proto.data = NULL;
1135#endif
1136
0b13e9f0 1137#ifndef OPENSSL_NO_ENGINE
cead7f36 1138 e = setup_engine(bio_err, engine_id, 1);
59d2d48f
DSH		 1139 if (ssl_client_engine_id)
1140 {
1141 ssl_client_engine = ENGINE_by_id(ssl_client_engine_id);
1142 if (!ssl_client_engine)
1143 {
1144 BIO_printf(bio_err,
1145 "Error getting client auth engine\n");
1146 goto end;
1147 }
1148 }
1149
0b13e9f0 1150#endif
826a42a0
DSH		 1151 if (!app_passwd(bio_err, passarg, NULL, &pass, NULL))
1152 {
1153 BIO_printf(bio_err, "Error getting password\n");
1154 goto end;
1155 }
1156
1157 if (key_file == NULL)
1158 key_file = cert_file;
1159
abbc186b
DSH		 1160
1161 if (key_file)
1162
826a42a0 1163 {
abbc186b
DSH		 1164
1165 key = load_key(bio_err, key_file, key_format, 0, pass, e,
1166 "client certificate private key file");
1167 if (!key)
1168 {
1169 ERR_print_errors(bio_err);
1170 goto end;
1171 }
1172
826a42a0
DSH		 1173 }
1174
abbc186b 1175 if (cert_file)
826a42a0 1176
826a42a0 1177 {
abbc186b
DSH		 1178 cert = load_cert(bio_err,cert_file,cert_format,
1179 NULL, e, "client certificate file");
1180
1181 if (!cert)
1182 {
1183 ERR_print_errors(bio_err);
1184 goto end;
1185 }
826a42a0 1186 }
cead7f36 1187
4e71d952
DSH		 1188 if (chain_file)
1189 {
1190 chain = load_certs(bio_err, chain_file,FORMAT_PEM,
1191 NULL, e, "client certificate chain");
1192 if (!chain)
1193 goto end;
1194 }
1195
fdb78f3d
DSH		 1196 if (crl_file)
1197 {
1198 X509_CRL *crl;
1199 crl = load_crl(crl_file, crl_format);
1200 if (!crl)
1201 {
1202 BIO_puts(bio_err, "Error loading CRL\n");
1203 ERR_print_errors(bio_err);
1204 goto end;
1205 }
1206 crls = sk_X509_CRL_new_null();
1207 if (!crls || !sk_X509_CRL_push(crls, crl))
1208 {
1209 BIO_puts(bio_err, "Error adding CRL\n");
1210 ERR_print_errors(bio_err);
1211 X509_CRL_free(crl);
1212 goto end;
1213 }
1214 }
1215
3208fc59
DSH		 1216 if (!load_excert(&exc, bio_err))
1217 goto end;
1218
52b621db
LJ		 1219 if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
1220 && !RAND_status())
1221 {
1222 BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
1223 }
1224 if (inrand != NULL)
1225 BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
1226 app_RAND_load_files(inrand));
a31011e8 1227
d02b48c6
RE		 1228 if (bio_c_out == NULL)
1229 {
1740c9fb 1230 if (c_quiet && !c_debug)
d02b48c6
RE		 1231 {
1232 bio_c_out=BIO_new(BIO_s_null());
1740c9fb
DSH		 1233 if (c_msg && !bio_c_msg)
1234 bio_c_msg=BIO_new_fp(stdout,BIO_NOCLOSE);
d02b48c6
RE		 1235 }
1236 else
1237 {
1238 if (bio_c_out == NULL)
1239 bio_c_out=BIO_new_fp(stdout,BIO_NOCLOSE);
1240 }
1241 }
1242
edc032b5
BL		 1243#ifndef OPENSSL_NO_SRP
1244 if(!app_passwd(bio_err, srppass, NULL, &srp_arg.srppassin, NULL))
1245 {
1246 BIO_printf(bio_err, "Error getting password\n");
1247 goto end;
1248 }
1249#endif
1250
d02b48c6
RE		 1251 ctx=SSL_CTX_new(meth);
1252 if (ctx == NULL)
1253 {
1254 ERR_print_errors(bio_err);
1255 goto end;
1256 }
1257
db99779b
DSH		 1258 if (vpm)
1259 SSL_CTX_set1_param(ctx, vpm);
1260
b252cf0d 1261 if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, 1, no_jpake))
5d2e07f1
DSH		 1262 {
1263 ERR_print_errors(bio_err);
1264 goto end;
1265 }
1266
0090a686
DSH		 1267 if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile,
1268 crls, crl_download))
a5afc0a8
DSH		 1269 {
1270 BIO_printf(bio_err, "Error loading store locations\n");
1271 ERR_print_errors(bio_err);
1272 goto end;
1273 }
1274
59d2d48f
DSH		 1275#ifndef OPENSSL_NO_ENGINE
1276 if (ssl_client_engine)
1277 {
1278 if (!SSL_CTX_set_client_cert_engine(ctx, ssl_client_engine))
1279 {
1280 BIO_puts(bio_err, "Error setting client auth engine\n");
1281 ERR_print_errors(bio_err);
1282 ENGINE_free(ssl_client_engine);
1283 goto end;
1284 }
1285 ENGINE_free(ssl_client_engine);
1286 }
1287#endif
1288
ddac1974 1289#ifndef OPENSSL_NO_PSK
79bd20fd
DSH		 1290#ifdef OPENSSL_NO_JPAKE
1291 if (psk_key != NULL)
1292#else
f3b7bdad 1293 if (psk_key != NULL || jpake_secret)
79bd20fd 1294#endif
ddac1974
NL		 1295 {
1296 if (c_debug)
f3b7bdad 1297 BIO_printf(bio_c_out, "PSK key given or JPAKE in use, setting client callback\n");
ddac1974
NL		 1298 SSL_CTX_set_psk_client_callback(ctx, psk_client_cb);
1299 }
333f926d
BL		 1300 if (srtp_profiles != NULL)
1301 SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles);
ddac1974 1302#endif
3208fc59 1303 if (exc) ssl_ctx_set_excert(ctx, exc);
36d16f8e
BL		 1304 /* DTLS: partial reads end up discarding unread UDP bytes :-(
1305 * Setting read ahead solves this problem.
1306 */
b1277b99 1307 if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
d02b48c6 1308
bf48836c 1309#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
ee2ffc27
BL		 1310 if (next_proto.data)
1311 SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);
1312#endif
a398f821
T		 1313#ifndef OPENSSL_NO_TLSEXT
1314 if (serverinfo_types_count)
1315 {
1316 for (i = 0; i < serverinfo_types_count; i++)
1317 {
1318 SSL_CTX_set_custom_cli_ext(ctx,
1319 serverinfo_types[i],
1320 NULL,
1321 serverinfo_cli_cb,
1322 NULL);
1323 }
1324 }
1325#endif
ee2ffc27 1326
d02b48c6 1327 if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
d02b48c6
RE		 1328#if 0
1329 else
1330 SSL_CTX_set_cipher_list(ctx,getenv("SSL_CIPHER"));
1331#endif
1332
1333 SSL_CTX_set_verify(ctx,verify,verify_callback);
d02b48c6
RE		 1334
1335 if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
1336 (!SSL_CTX_set_default_verify_paths(ctx)))
1337 {
657e60fa 1338 /* BIO_printf(bio_err,"error setting default verify locations\n"); */
d02b48c6 1339 ERR_print_errors(bio_err);
58964a49 1340 /* goto end; */
d02b48c6
RE		 1341 }
1342
0090a686 1343 ssl_ctx_add_crls(ctx, crls, crl_download);
fdb78f3d 1344
4e71d952 1345 if (!set_cert_key_stuff(ctx,cert,key,chain,build_chain))
74ecfab4
DSH		 1346 goto end;
1347
ed3883d2 1348#ifndef OPENSSL_NO_TLSEXT
b1277b99
BM		 1349 if (servername != NULL)
1350 {
ed3883d2
BM		 1351 tlsextcbp.biodebug = bio_err;
1352 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
1353 SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
b1277b99 1354 }
edc032b5
BL		 1355#ifndef OPENSSL_NO_SRP
1356 if (srp_arg.srplogin)
1357 {
f2fc3075 1358 if (!srp_lateuser && !SSL_CTX_set_srp_username(ctx, srp_arg.srplogin))
edc032b5
BL		 1359 {
1360 BIO_printf(bio_err,"Unable to set SRP username\n");
1361 goto end;
1362 }
1363 srp_arg.msg = c_msg;
1364 srp_arg.debug = c_debug ;
1365 SSL_CTX_set_srp_cb_arg(ctx,&srp_arg);
1366 SSL_CTX_set_srp_client_pwd_callback(ctx, ssl_give_srp_client_pwd_cb);
1367 SSL_CTX_set_srp_strength(ctx, srp_arg.strength);
1368 if (c_msg || c_debug || srp_arg.amp == 0)
1369 SSL_CTX_set_srp_verify_param_callback(ctx, ssl_srp_verify_param_cb);
1370 }
1371
1372#endif
a9e1c50b
BL		 1373 if (c_proof_debug)
1374 SSL_CTX_set_tlsext_authz_server_audit_proof_cb(ctx,
1375 audit_proof_cb);
ed3883d2 1376#endif
d02b48c6 1377
82fc1d9c 1378 con=SSL_new(ctx);
6434abbf
DSH		 1379 if (sess_in)
1380 {
1381 SSL_SESSION *sess;
1382 BIO *stmp = BIO_new_file(sess_in, "r");
1383 if (!stmp)
1384 {
1385 BIO_printf(bio_err, "Can't open session file %s\n",
1386 sess_in);
1387 ERR_print_errors(bio_err);
1388 goto end;
1389 }
1390 sess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL);
1391 BIO_free(stmp);
1392 if (!sess)
1393 {
1394 BIO_printf(bio_err, "Can't open session file %s\n",
1395 sess_in);
1396 ERR_print_errors(bio_err);
1397 goto end;
1398 }
1399 SSL_set_session(con, sess);
1400 SSL_SESSION_free(sess);
1401 }
ed3883d2 1402#ifndef OPENSSL_NO_TLSEXT
b1277b99
BM		 1403 if (servername != NULL)
1404 {
a13c20f6 1405 if (!SSL_set_tlsext_host_name(con,servername))
b1277b99 1406 {
ed3883d2
BM		 1407 BIO_printf(bio_err,"Unable to set TLS servername extension.\n");
1408 ERR_print_errors(bio_err);
1409 goto end;
b1277b99 1410 }
ed3883d2 1411 }
ed3883d2 1412#endif
cf1b7d96 1413#ifndef OPENSSL_NO_KRB5
4f7a2ab8 1414 if (con && (kctx = kssl_ctx_new()) != NULL)
f9b3bff6 1415 {
4f7a2ab8
DSH		 1416 SSL_set0_kssl_ctx(con, kctx);
1417 kssl_ctx_setstring(kctx, KSSL_SERVER, host);
f9b3bff6 1418 }
cf1b7d96 1419#endif /* OPENSSL_NO_KRB5 */
58964a49 1420/* SSL_set_cipher_list(con,"RC4-MD5"); */
761772d7
BM		 1421#if 0
1422#ifdef TLSEXT_TYPE_opaque_prf_input
86d4bc3a 1423 SSL_set_tlsext_opaque_prf_input(con, "Test client", 11);
761772d7
BM		 1424#endif
1425#endif
d02b48c6
RE		 1426
1427re_start:
1428
b1277b99 1429 if (init_client(&s,host,port,socket_type) == 0)
d02b48c6 1430 {
58964a49 1431 BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
d02b48c6
RE		 1432 SHUTDOWN(s);
1433 goto end;
1434 }
1435 BIO_printf(bio_c_out,"CONNECTED(%08X)\n",s);
1436
1437#ifdef FIONBIO
1438 if (c_nbio)
1439 {
1440 unsigned long l=1;
1441 BIO_printf(bio_c_out,"turning on non blocking io\n");
58964a49
RE		 1442 if (BIO_socket_ioctl(s,FIONBIO,&l) < 0)
1443 {
1444 ERR_print_errors(bio_err);
1445 goto end;
1446 }
d02b48c6
RE		 1447 }
1448#endif
08557cf2 1449 if (c_Pause & 0x01) SSL_set_debug(con, 1);
36d16f8e 1450
c3b344e3 1451 if (socket_type == SOCK_DGRAM)
36d16f8e 1452 {
36d16f8e
BL		 1453
1454 sbio=BIO_new_dgram(s,BIO_NOCLOSE);
6c61726b 1455 if (getsockname(s, &peer, (void *)&peerlen) < 0)
36d16f8e
BL		 1456 {
1457 BIO_printf(bio_err, "getsockname:errno=%d\n",
1458 get_last_socket_error());
1459 SHUTDOWN(s);
1460 goto end;
1461 }
1462
710069c1 1463 (void)BIO_ctrl_set_connected(sbio, 1, &peer);
36d16f8e 1464
b1277b99 1465 if (enable_timeouts)
36d16f8e
BL		 1466 {
1467 timeout.tv_sec = 0;
1468 timeout.tv_usec = DGRAM_RCV_TIMEOUT;
1469 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
1470
1471 timeout.tv_sec = 0;
1472 timeout.tv_usec = DGRAM_SND_TIMEOUT;
1473 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
1474 }
1475
046f2101 1476 if (socket_mtu > 28)
36d16f8e
BL		 1477 {
1478 SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
046f2101 1479 SSL_set_mtu(con, socket_mtu - 28);
36d16f8e
BL		 1480 }
1481 else
1482 /* want to do MTU discovery */
1483 BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
1484 }
1485 else
1486 sbio=BIO_new_socket(s,BIO_NOCLOSE);
1487
d02b48c6
RE		 1488 if (nbio_test)
1489 {
1490 BIO *test;
1491
1492 test=BIO_new(BIO_f_nbio_test());
1493 sbio=BIO_push(test,sbio);
1494 }
1495
1496 if (c_debug)
1497 {
08557cf2 1498 SSL_set_debug(con, 1);
25495640 1499 BIO_set_callback(sbio,bio_dump_callback);
7806f3dd 1500 BIO_set_callback_arg(sbio,(char *)bio_c_out);
d02b48c6 1501 }
a661b653
BM		 1502 if (c_msg)
1503 {
93ab9e42
DSH		 1504#ifndef OPENSSL_NO_SSL_TRACE
1505 if (c_msg == 2)
1506 SSL_set_msg_callback(con, SSL_trace);
1507 else
1508#endif
1509 SSL_set_msg_callback(con, msg_cb);
1510 SSL_set_msg_callback_arg(con, bio_c_msg ? bio_c_msg : bio_c_out);
a661b653 1511 }
6434abbf
DSH		 1512#ifndef OPENSSL_NO_TLSEXT
1513 if (c_tlsextdebug)
1514 {
1515 SSL_set_tlsext_debug_callback(con, tlsext_cb);
1516 SSL_set_tlsext_debug_arg(con, bio_c_out);
1517 }
67c8e7f4
DSH		 1518 if (c_status_req)
1519 {
1520 SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp);
1521 SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb);
1522 SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out);
1523#if 0
1524{
1525STACK_OF(OCSP_RESPID) *ids = sk_OCSP_RESPID_new_null();
1526OCSP_RESPID *id = OCSP_RESPID_new();
1527id->value.byKey = ASN1_OCTET_STRING_new();
1528id->type = V_OCSP_RESPID_KEY;
1529ASN1_STRING_set(id->value.byKey, "Hello World", -1);
1530sk_OCSP_RESPID_push(ids, id);
1531SSL_set_tlsext_status_ids(con, ids);
1532}
1533#endif
1534 }
6434abbf 1535#endif
79bd20fd 1536#ifndef OPENSSL_NO_JPAKE
6caa4edd
BL		 1537 if (jpake_secret)
1538 jpake_client_auth(bio_c_out, sbio, jpake_secret);
ed551cdd 1539#endif
6caa4edd 1540
d02b48c6
RE		 1541 SSL_set_bio(con,sbio,sbio);
1542 SSL_set_connect_state(con);
1543
1544 /* ok, lets connect */
1545 width=SSL_get_fd(con)+1;
1546
1547 read_tty=1;
1548 write_tty=0;
1549 tty_on=0;
1550 read_ssl=1;
1551 write_ssl=1;
1552
1553 cbuf_len=0;
1554 cbuf_off=0;
1555 sbuf_len=0;
1556 sbuf_off=0;
1557
135c0af1 1558 /* This is an ugly hack that does a lot of assumptions */
ee373e7f
LJ		 1559 /* We do have to handle multi-line responses which may come
1560 in a single packet or not. We therefore have to use
1561 BIO_gets() which does need a buffering BIO. So during
1562 the initial chitchat we do push a buffering BIO into the
1563 chain that is removed again later on to not disturb the
1564 rest of the s_client operation. */
85c67492 1565 if (starttls_proto == PROTO_SMTP)
135c0af1 1566 {
8d72476e 1567 int foundit=0;
ee373e7f
LJ		 1568 BIO *fbio = BIO_new(BIO_f_buffer());
1569 BIO_push(fbio, sbio);
85c67492
RL		 1570 /* wait for multi-line response to end from SMTP */
1571 do
1572 {
ee373e7f 1573 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
85c67492
RL		 1574 }
1575 while (mbuf_len>3 && mbuf[3]=='-');
8d72476e 1576 /* STARTTLS command requires EHLO... */
ee373e7f 1577 BIO_printf(fbio,"EHLO openssl.client.net\r\n");
710069c1 1578 (void)BIO_flush(fbio);
8d72476e
LJ		 1579 /* wait for multi-line response to end EHLO SMTP response */
1580 do
1581 {
ee373e7f 1582 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
8d72476e
LJ		 1583 if (strstr(mbuf,"STARTTLS"))
1584 foundit=1;
1585 }
1586 while (mbuf_len>3 && mbuf[3]=='-');
710069c1 1587 (void)BIO_flush(fbio);
ee373e7f
LJ		 1588 BIO_pop(fbio);
1589 BIO_free(fbio);
8d72476e
LJ		 1590 if (!foundit)
1591 BIO_printf(bio_err,
1592 "didn't found starttls in server response,"
1593 " try anyway...\n");
135c0af1
RL		 1594 BIO_printf(sbio,"STARTTLS\r\n");
1595 BIO_read(sbio,sbuf,BUFSIZZ);
1596 }
85c67492 1597 else if (starttls_proto == PROTO_POP3)
4f17dfcd
LJ		 1598 {
1599 BIO_read(sbio,mbuf,BUFSIZZ);
1600 BIO_printf(sbio,"STLS\r\n");
1601 BIO_read(sbio,sbuf,BUFSIZZ);
1602 }
85c67492
RL		 1603 else if (starttls_proto == PROTO_IMAP)
1604 {
8d72476e 1605 int foundit=0;
ee373e7f
LJ		 1606 BIO *fbio = BIO_new(BIO_f_buffer());
1607 BIO_push(fbio, sbio);
1608 BIO_gets(fbio,mbuf,BUFSIZZ);
8d72476e 1609 /* STARTTLS command requires CAPABILITY... */
ee373e7f 1610 BIO_printf(fbio,". CAPABILITY\r\n");
710069c1 1611 (void)BIO_flush(fbio);
8d72476e
LJ		 1612 /* wait for multi-line CAPABILITY response */
1613 do
1614 {
ee373e7f 1615 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
8d72476e
LJ		 1616 if (strstr(mbuf,"STARTTLS"))
1617 foundit=1;
1618 }
ee373e7f 1619 while (mbuf_len>3 && mbuf[0]!='.');
710069c1 1620 (void)BIO_flush(fbio);
ee373e7f
LJ		 1621 BIO_pop(fbio);
1622 BIO_free(fbio);
8d72476e
LJ		 1623 if (!foundit)
1624 BIO_printf(bio_err,
1625 "didn't found STARTTLS in server response,"
1626 " try anyway...\n");
1627 BIO_printf(sbio,". STARTTLS\r\n");
85c67492
RL		 1628 BIO_read(sbio,sbuf,BUFSIZZ);
1629 }
1630 else if (starttls_proto == PROTO_FTP)
1631 {
ee373e7f
LJ		 1632 BIO *fbio = BIO_new(BIO_f_buffer());
1633 BIO_push(fbio, sbio);
85c67492
RL		 1634 /* wait for multi-line response to end from FTP */
1635 do
1636 {
ee373e7f 1637 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
85c67492
RL		 1638 }
1639 while (mbuf_len>3 && mbuf[3]=='-');
710069c1 1640 (void)BIO_flush(fbio);
ee373e7f
LJ		 1641 BIO_pop(fbio);
1642 BIO_free(fbio);
85c67492
RL		 1643 BIO_printf(sbio,"AUTH TLS\r\n");
1644 BIO_read(sbio,sbuf,BUFSIZZ);
1645 }
d5bbead4
BL		 1646 if (starttls_proto == PROTO_XMPP)
1647 {
1648 int seen = 0;
1649 BIO_printf(sbio,"<stream:stream "
1650 "xmlns:stream='http://etherx.jabber.org/streams' "
1651 "xmlns='jabber:client' to='%s' version='1.0'>", host);
1652 seen = BIO_read(sbio,mbuf,BUFSIZZ);
1653 mbuf[seen] = 0;
1654 while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'"))
1655 {
1656 if (strstr(mbuf, "/stream:features>"))
1657 goto shut;
1658 seen = BIO_read(sbio,mbuf,BUFSIZZ);
1659 mbuf[seen] = 0;
1660 }
1661 BIO_printf(sbio, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>");
1662 seen = BIO_read(sbio,sbuf,BUFSIZZ);
1663 sbuf[seen] = 0;
1664 if (!strstr(sbuf, "<proceed"))
1665 goto shut;
1666 mbuf[0] = 0;
1667 }
135c0af1 1668
d02b48c6
RE		 1669 for (;;)
1670 {
1671 FD_ZERO(&readfds);
1672 FD_ZERO(&writefds);
1673
b972fbaa
DSH		 1674 if ((SSL_version(con) == DTLS1_VERSION) &&
1675 DTLSv1_get_timeout(con, &timeout))
1676 timeoutp = &timeout;
1677 else
1678 timeoutp = NULL;
1679
58964a49 1680 if (SSL_in_init(con) && !SSL_total_renegotiations(con))
d02b48c6
RE		 1681 {
1682 in_init=1;
1683 tty_on=0;
1684 }
1685 else
1686 {
1687 tty_on=1;
1688 if (in_init)
1689 {
1690 in_init=0;
761772d7 1691#if 0 /* This test doesn't really work as intended (needs to be fixed) */
ed3883d2 1692#ifndef OPENSSL_NO_TLSEXT
b166f13e
BM		 1693 if (servername != NULL && !SSL_session_reused(con))
1694 {
1695 BIO_printf(bio_c_out,"Server did %sacknowledge servername extension.\n",tlsextcbp.ack?"":"not ");
1696 }
761772d7 1697#endif
ed3883d2 1698#endif
6434abbf
DSH		 1699 if (sess_out)
1700 {
1701 BIO *stmp = BIO_new_file(sess_out, "w");
1702 if (stmp)
1703 {
1704 PEM_write_bio_SSL_SESSION(stmp, SSL_get_session(con));
1705 BIO_free(stmp);
1706 }
1707 else
1708 BIO_printf(bio_err, "Error writing session file %s\n", sess_out);
1709 }
2a7cbe77
DSH		 1710 if (c_brief)
1711 {
1712 BIO_puts(bio_err,
1713 "CONNECTION ESTABLISHED\n");
1714 print_ssl_summary(bio_err, con);
1715 }
d02b48c6
RE		 1716 print_stuff(bio_c_out,con,full_log);
1717 if (full_log > 0) full_log--;
1718
4f17dfcd 1719 if (starttls_proto)
135c0af1
RL		 1720 {
1721 BIO_printf(bio_err,"%s",mbuf);
1722 /* We don't need to know any more */
85c67492 1723 starttls_proto = PROTO_OFF;
135c0af1
RL		 1724 }
1725
d02b48c6
RE		 1726 if (reconnect)
1727 {
1728 reconnect--;
1729 BIO_printf(bio_c_out,"drop connection and then reconnect\n");
1730 SSL_shutdown(con);
1731 SSL_set_connect_state(con);
1732 SHUTDOWN(SSL_get_fd(con));
1733 goto re_start;
1734 }
1735 }
1736 }
1737
c7ac31e2
BM		 1738 ssl_pending = read_ssl && SSL_pending(con);
1739
1740 if (!ssl_pending)
d02b48c6 1741 {
4700aea9 1742#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) && !defined (OPENSSL_SYS_BEOS_R5)
c7ac31e2
BM		 1743 if (tty_on)
1744 {
7bf7333d
DSH		 1745 if (read_tty) openssl_fdset(fileno(stdin),&readfds);
1746 if (write_tty) openssl_fdset(fileno(stdout),&writefds);
c7ac31e2 1747 }
c7ac31e2 1748 if (read_ssl)
7bf7333d 1749 openssl_fdset(SSL_get_fd(con),&readfds);
c7ac31e2 1750 if (write_ssl)
7bf7333d 1751 openssl_fdset(SSL_get_fd(con),&writefds);
06f4536a
DSH		 1752#else
1753 if(!tty_on || !write_tty) {
1754 if (read_ssl)
7bf7333d 1755 openssl_fdset(SSL_get_fd(con),&readfds);
06f4536a 1756 if (write_ssl)
7bf7333d 1757 openssl_fdset(SSL_get_fd(con),&writefds);
06f4536a
DSH		 1758 }
1759#endif
c7ac31e2
BM		 1760/* printf("mode tty(%d %d%d) ssl(%d%d)\n",
1761 tty_on,read_tty,write_tty,read_ssl,write_ssl);*/
d02b48c6 1762
75e0770d 1763 /* Note: under VMS with SOCKETSHR the second parameter
7d7d2cbc
UM		 1764 * is currently of type (int *) whereas under other
1765 * systems it is (void *) if you don't have a cast it
1766 * will choke the compiler: if you do have a cast then
1767 * you can either go for (int *) or (void *).
1768 */
3d7c4a5a
RL		 1769#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
1770 /* Under Windows/DOS we make the assumption that we can
06f4536a
DSH		 1771 * always write to the tty: therefore if we need to
1772 * write to the tty we just fall through. Otherwise
1773 * we timeout the select every second and see if there
1774 * are any keypresses. Note: this is a hack, in a proper
1775 * Windows application we wouldn't do this.
1776 */
4ec19e20 1777 i=0;
06f4536a
DSH		 1778 if(!write_tty) {
1779 if(read_tty) {
1780 tv.tv_sec = 1;
1781 tv.tv_usec = 0;
1782 i=select(width,(void *)&readfds,(void *)&writefds,
1783 NULL,&tv);
3d7c4a5a 1784#if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
0bf23d9b
RL		 1785 if(!i && (!_kbhit() || !read_tty) ) continue;
1786#else
a9ef75c5 1787 if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue;
0bf23d9b 1788#endif
06f4536a 1789 } else i=select(width,(void *)&readfds,(void *)&writefds,
b972fbaa 1790 NULL,timeoutp);
06f4536a 1791 }
47c1735a
RL		 1792#elif defined(OPENSSL_SYS_NETWARE)
1793 if(!write_tty) {
1794 if(read_tty) {
1795 tv.tv_sec = 1;
1796 tv.tv_usec = 0;
1797 i=select(width,(void *)&readfds,(void *)&writefds,
1798 NULL,&tv);
1799 } else i=select(width,(void *)&readfds,(void *)&writefds,
b972fbaa 1800 NULL,timeoutp);
47c1735a 1801 }
4700aea9
UM		 1802#elif defined(OPENSSL_SYS_BEOS_R5)
1803 /* Under BeOS-R5 the situation is similar to DOS */
1804 i=0;
1805 stdin_set = 0;
1806 (void)fcntl(fileno(stdin), F_SETFL, O_NONBLOCK);
1807 if(!write_tty) {
1808 if(read_tty) {
1809 tv.tv_sec = 1;
1810 tv.tv_usec = 0;
1811 i=select(width,(void *)&readfds,(void *)&writefds,
1812 NULL,&tv);
1813 if (read(fileno(stdin), sbuf, 0) >= 0)
1814 stdin_set = 1;
1815 if (!i && (stdin_set != 1 || !read_tty))
1816 continue;
1817 } else i=select(width,(void *)&readfds,(void *)&writefds,
b972fbaa 1818 NULL,timeoutp);
4700aea9
UM		 1819 }
1820 (void)fcntl(fileno(stdin), F_SETFL, 0);
06f4536a 1821#else
7d7d2cbc 1822 i=select(width,(void *)&readfds,(void *)&writefds,
b972fbaa 1823 NULL,timeoutp);
06f4536a 1824#endif
c7ac31e2
BM		 1825 if ( i < 0)
1826 {
1827 BIO_printf(bio_err,"bad select %d\n",
58964a49 1828 get_last_socket_error());
c7ac31e2
BM		 1829 goto shut;
1830 /* goto end; */
1831 }
d02b48c6
RE		 1832 }
1833
b972fbaa
DSH		 1834 if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0)
1835 {
1836 BIO_printf(bio_err,"TIMEOUT occured\n");
1837 }
1838
c7ac31e2 1839 if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds))
d02b48c6
RE		 1840 {
1841 k=SSL_write(con,&(cbuf[cbuf_off]),
1842 (unsigned int)cbuf_len);
1843 switch (SSL_get_error(con,k))
1844 {
1845 case SSL_ERROR_NONE:
1846 cbuf_off+=k;
1847 cbuf_len-=k;
1848 if (k <= 0) goto end;
1849 /* we have done a write(con,NULL,0); */
1850 if (cbuf_len <= 0)
1851 {
1852 read_tty=1;
1853 write_ssl=0;
1854 }
1855 else /* if (cbuf_len > 0) */
1856 {
1857 read_tty=0;
1858 write_ssl=1;
1859 }
1860 break;
1861 case SSL_ERROR_WANT_WRITE:
1862 BIO_printf(bio_c_out,"write W BLOCK\n");
1863 write_ssl=1;
1864 read_tty=0;
1865 break;
1866 case SSL_ERROR_WANT_READ:
1867 BIO_printf(bio_c_out,"write R BLOCK\n");
1868 write_tty=0;
1869 read_ssl=1;
1870 write_ssl=0;
1871 break;
1872 case SSL_ERROR_WANT_X509_LOOKUP:
1873 BIO_printf(bio_c_out,"write X BLOCK\n");
1874 break;
1875 case SSL_ERROR_ZERO_RETURN:
1876 if (cbuf_len != 0)
1877 {
1878 BIO_printf(bio_c_out,"shutdown\n");
0e1dba93 1879 ret = 0;
d02b48c6
RE		 1880 goto shut;
1881 }
1882 else
1883 {
1884 read_tty=1;
1885 write_ssl=0;
1886 break;
1887 }
1888
1889 case SSL_ERROR_SYSCALL:
1890 if ((k != 0) || (cbuf_len != 0))
1891 {
1892 BIO_printf(bio_err,"write:errno=%d\n",
58964a49 1893 get_last_socket_error());
d02b48c6
RE		 1894 goto shut;
1895 }
1896 else
1897 {
1898 read_tty=1;
1899 write_ssl=0;
1900 }
1901 break;
1902 case SSL_ERROR_SSL:
1903 ERR_print_errors(bio_err);
1904 goto shut;
1905 }
1906 }
4700aea9
UM		 1907#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
1908 /* Assume Windows/DOS/BeOS can always write */
06f4536a
DSH		 1909 else if (!ssl_pending && write_tty)
1910#else
c7ac31e2 1911 else if (!ssl_pending && FD_ISSET(fileno(stdout),&writefds))
06f4536a 1912#endif
d02b48c6 1913 {
a53955d8
UM		 1914#ifdef CHARSET_EBCDIC
1915 ascii2ebcdic(&(sbuf[sbuf_off]),&(sbuf[sbuf_off]),sbuf_len);
1916#endif
ffa10187 1917 i=raw_write_stdout(&(sbuf[sbuf_off]),sbuf_len);
d02b48c6
RE		 1918
1919 if (i <= 0)
1920 {
1921 BIO_printf(bio_c_out,"DONE\n");
0e1dba93 1922 ret = 0;
d02b48c6
RE		 1923 goto shut;
1924 /* goto end; */
1925 }
1926
1927 sbuf_len-=i;;
1928 sbuf_off+=i;
1929 if (sbuf_len <= 0)
1930 {
1931 read_ssl=1;
1932 write_tty=0;
1933 }
1934 }
c7ac31e2 1935 else if (ssl_pending || FD_ISSET(SSL_get_fd(con),&readfds))
d02b48c6 1936 {
58964a49
RE		 1937#ifdef RENEG
1938{ static int iiii; if (++iiii == 52) { SSL_renegotiate(con); iiii=0; } }
1939#endif
dfeab068 1940#if 1
58964a49 1941 k=SSL_read(con,sbuf,1024 /* BUFSIZZ */ );
dfeab068
RE		 1942#else
1943/* Demo for pending and peek :-) */
1944 k=SSL_read(con,sbuf,16);
1945{ char zbuf[10240];
1946printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240));
1947}
1948#endif
d02b48c6
RE		 1949
1950 switch (SSL_get_error(con,k))
1951 {
1952 case SSL_ERROR_NONE:
1953 if (k <= 0)
1954 goto end;
1955 sbuf_off=0;
1956 sbuf_len=k;
1957
1958 read_ssl=0;
1959 write_tty=1;
1960 break;
1961 case SSL_ERROR_WANT_WRITE:
1962 BIO_printf(bio_c_out,"read W BLOCK\n");
1963 write_ssl=1;
1964 read_tty=0;
1965 break;
1966 case SSL_ERROR_WANT_READ:
1967 BIO_printf(bio_c_out,"read R BLOCK\n");
1968 write_tty=0;
1969 read_ssl=1;
1970 if ((read_tty == 0) && (write_ssl == 0))
1971 write_ssl=1;
1972 break;
1973 case SSL_ERROR_WANT_X509_LOOKUP:
1974 BIO_printf(bio_c_out,"read X BLOCK\n");
1975 break;
1976 case SSL_ERROR_SYSCALL:
0e1dba93 1977 ret=get_last_socket_error();
2537d469 1978 if (c_brief)
66d9f2e5
DSH		 1979 BIO_puts(bio_err, "CONNECTION CLOSED BY SERVER\n");
1980 else
1981 BIO_printf(bio_err,"read:errno=%d\n",ret);
d02b48c6
RE		 1982 goto shut;
1983 case SSL_ERROR_ZERO_RETURN:
1984 BIO_printf(bio_c_out,"closed\n");
0e1dba93 1985 ret=0;
d02b48c6
RE		 1986 goto shut;
1987 case SSL_ERROR_SSL:
1988 ERR_print_errors(bio_err);
1989 goto shut;
dfeab068 1990 /* break; */
d02b48c6
RE		 1991 }
1992 }
1993
3d7c4a5a
RL		 1994#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
1995#if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
0bf23d9b
RL		 1996 else if (_kbhit())
1997#else
a9ef75c5 1998 else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
0bf23d9b 1999#endif
4d8743f4 2000#elif defined (OPENSSL_SYS_NETWARE)
ffa10187 2001 else if (_kbhit())
4700aea9
UM		 2002#elif defined(OPENSSL_SYS_BEOS_R5)
2003 else if (stdin_set)
06f4536a 2004#else
d02b48c6 2005 else if (FD_ISSET(fileno(stdin),&readfds))
06f4536a 2006#endif
d02b48c6 2007 {
1bdb8633
BM		 2008 if (crlf)
2009 {
2010 int j, lf_num;
2011
ffa10187 2012 i=raw_read_stdin(cbuf,BUFSIZZ/2);
1bdb8633
BM		 2013 lf_num = 0;
2014 /* both loops are skipped when i <= 0 */
2015 for (j = 0; j < i; j++)
2016 if (cbuf[j] == '\n')
2017 lf_num++;
2018 for (j = i-1; j >= 0; j--)
2019 {
2020 cbuf[j+lf_num] = cbuf[j];
2021 if (cbuf[j] == '\n')
2022 {
2023 lf_num--;
2024 i++;
2025 cbuf[j+lf_num] = '\r';
2026 }
2027 }
2028 assert(lf_num == 0);
2029 }
2030 else
ffa10187 2031 i=raw_read_stdin(cbuf,BUFSIZZ);
d02b48c6 2032
ce301b6b 2033 if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q')))
d02b48c6
RE		 2034 {
2035 BIO_printf(bio_err,"DONE\n");
0e1dba93 2036 ret=0;
d02b48c6
RE		 2037 goto shut;
2038 }
2039
ce301b6b 2040 if ((!c_ign_eof) && (cbuf[0] == 'R'))
d02b48c6 2041 {
3bb307c1 2042 BIO_printf(bio_err,"RENEGOTIATING\n");
d02b48c6 2043 SSL_renegotiate(con);
3bb307c1 2044 cbuf_len=0;
d02b48c6 2045 }
4817504d
DSH		 2046#ifndef OPENSSL_NO_HEARTBEATS
2047 else if ((!c_ign_eof) && (cbuf[0] == 'B'))
2048 {
2049 BIO_printf(bio_err,"HEARTBEATING\n");
2050 SSL_heartbeat(con);
2051 cbuf_len=0;
2052 }
2053#endif
d02b48c6
RE		 2054 else
2055 {
2056 cbuf_len=i;
2057 cbuf_off=0;
a53955d8
UM		 2058#ifdef CHARSET_EBCDIC
2059 ebcdic2ascii(cbuf, cbuf, i);
2060#endif
d02b48c6
RE		 2061 }
2062
d02b48c6 2063 write_ssl=1;
3bb307c1 2064 read_tty=0;
d02b48c6 2065 }
d02b48c6 2066 }
0e1dba93
DSH		 2067
2068 ret=0;
d02b48c6 2069shut:
b166f13e
BM		 2070 if (in_init)
2071 print_stuff(bio_c_out,con,full_log);
d02b48c6
RE		 2072 SSL_shutdown(con);
2073 SHUTDOWN(SSL_get_fd(con));
d02b48c6 2074end:
d916ba1b
NL		 2075 if (con != NULL)
2076 {
2077 if (prexit != 0)
2078 print_stuff(bio_c_out,con,1);
2079 SSL_free(con);
2080 }
dd251659
DSH		 2081#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
2082 if (next_proto.data)
2083 OPENSSL_free(next_proto.data);
2084#endif
d02b48c6 2085 if (ctx != NULL) SSL_CTX_free(ctx);
826a42a0
DSH		 2086 if (cert)
2087 X509_free(cert);
fdb78f3d
DSH		 2088 if (crls)
2089 sk_X509_CRL_pop_free(crls, X509_CRL_free);
826a42a0
DSH		 2090 if (key)
2091 EVP_PKEY_free(key);
4e71d952
DSH		 2092 if (chain)
2093 sk_X509_pop_free(chain, X509_free);
826a42a0
DSH		 2094 if (pass)
2095 OPENSSL_free(pass);
22b5d7c8
DSH		 2096 if (vpm)
2097 X509_VERIFY_PARAM_free(vpm);
3208fc59 2098 ssl_excert_free(exc);
5d2e07f1
DSH		 2099 if (ssl_args)
2100 sk_OPENSSL_STRING_free(ssl_args);
2101 if (cctx)
2102 SSL_CONF_CTX_free(cctx);
b252cf0d
DSH		 2103#ifndef OPENSSL_NO_JPAKE
2104 if (jpake_secret && psk_key)
2105 OPENSSL_free(psk_key);
2106#endif
4579924b
RL		 2107 if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); }
2108 if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); }
2109 if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); }
d02b48c6
RE		 2110 if (bio_c_out != NULL)
2111 {
2112 BIO_free(bio_c_out);
2113 bio_c_out=NULL;
2114 }
93ab9e42
DSH		 2115 if (bio_c_msg != NULL)
2116 {
2117 BIO_free(bio_c_msg);
2118 bio_c_msg=NULL;
2119 }
c04f8cf4 2120 apps_shutdown();
1c3e4a36 2121 OPENSSL_EXIT(ret);
d02b48c6
RE		 2122 }
2123
2124
6b691a5c 2125static void print_stuff(BIO *bio, SSL *s, int full)
d02b48c6 2126 {
58964a49 2127 X509 *peer=NULL;
d02b48c6 2128 char *p;
7d727231 2129 static const char *space=" ";
d02b48c6 2130 char buf[BUFSIZ];
f73e07cf
BL		 2131 STACK_OF(X509) *sk;
2132 STACK_OF(X509_NAME) *sk2;
babb3798 2133 const SSL_CIPHER *c;
d02b48c6
RE		 2134 X509_NAME *xn;
2135 int j,i;
09b6c2ef 2136#ifndef OPENSSL_NO_COMP
d8ec0dcf 2137 const COMP_METHOD *comp, *expansion;
09b6c2ef 2138#endif
e0af0405 2139 unsigned char *exportedkeymat;
d02b48c6
RE		 2140
2141 if (full)
2142 {
bc2e519a
BM		 2143 int got_a_chain = 0;
2144
d02b48c6
RE		 2145 sk=SSL_get_peer_cert_chain(s);
2146 if (sk != NULL)
2147 {
bc2e519a
BM		 2148 got_a_chain = 1; /* we don't have it for SSL2 (yet) */
2149
dfeab068 2150 BIO_printf(bio,"---\nCertificate chain\n");
f73e07cf 2151 for (i=0; i<sk_X509_num(sk); i++)
d02b48c6 2152 {
f73e07cf 2153 X509_NAME_oneline(X509_get_subject_name(
54a656ef 2154 sk_X509_value(sk,i)),buf,sizeof buf);
d02b48c6 2155 BIO_printf(bio,"%2d s:%s\n",i,buf);
f73e07cf 2156 X509_NAME_oneline(X509_get_issuer_name(
54a656ef 2157 sk_X509_value(sk,i)),buf,sizeof buf);
d02b48c6 2158 BIO_printf(bio," i:%s\n",buf);
6d02d8e4 2159 if (c_showcerts)
f73e07cf 2160 PEM_write_bio_X509(bio,sk_X509_value(sk,i));
d02b48c6
RE		 2161 }
2162 }
2163
2164 BIO_printf(bio,"---\n");
2165 peer=SSL_get_peer_certificate(s);
2166 if (peer != NULL)
2167 {
2168 BIO_printf(bio,"Server certificate\n");
bc2e519a 2169 if (!(c_showcerts && got_a_chain)) /* Redundant if we showed the whole chain */
6d02d8e4 2170 PEM_write_bio_X509(bio,peer);
d02b48c6 2171 X509_NAME_oneline(X509_get_subject_name(peer),
54a656ef 2172 buf,sizeof buf);
d02b48c6
RE		 2173 BIO_printf(bio,"subject=%s\n",buf);
2174 X509_NAME_oneline(X509_get_issuer_name(peer),
54a656ef 2175 buf,sizeof buf);
d02b48c6 2176 BIO_printf(bio,"issuer=%s\n",buf);
d02b48c6
RE		 2177 }
2178 else
2179 BIO_printf(bio,"no peer certificate available\n");
2180
f73e07cf 2181 sk2=SSL_get_client_CA_list(s);
d91f8c3c 2182 if ((sk2 != NULL) && (sk_X509_NAME_num(sk2) > 0))
d02b48c6
RE		 2183 {
2184 BIO_printf(bio,"---\nAcceptable client certificate CA names\n");
f73e07cf 2185 for (i=0; i<sk_X509_NAME_num(sk2); i++)
d02b48c6 2186 {
f73e07cf 2187 xn=sk_X509_NAME_value(sk2,i);
d02b48c6
RE		 2188 X509_NAME_oneline(xn,buf,sizeof(buf));
2189 BIO_write(bio,buf,strlen(buf));
2190 BIO_write(bio,"\n",1);
2191 }
2192 }
2193 else
2194 {
2195 BIO_printf(bio,"---\nNo client certificate CA names sent\n");
2196 }
54a656ef 2197 p=SSL_get_shared_ciphers(s,buf,sizeof buf);
d02b48c6
RE		 2198 if (p != NULL)
2199 {
67a47285
BM		 2200 /* This works only for SSL 2. In later protocol
2201 * versions, the client does not know what other
2202 * ciphers (in addition to the one to be used
2203 * in the current connection) the server supports. */
2204
d02b48c6
RE		 2205 BIO_printf(bio,"---\nCiphers common between both SSL endpoints:\n");
2206 j=i=0;
2207 while (*p)
2208 {
2209 if (*p == ':')
2210 {
58964a49 2211 BIO_write(bio,space,15-j%25);
d02b48c6
RE		 2212 i++;
2213 j=0;
2214 BIO_write(bio,((i%3)?" ":"\n"),1);
2215 }
2216 else
2217 {
2218 BIO_write(bio,p,1);
2219 j++;
2220 }
2221 p++;
2222 }
2223 BIO_write(bio,"\n",1);
2224 }
2225
9f27b1ee 2226 ssl_print_sigalgs(bio, s);
33a8de69 2227 ssl_print_tmp_key(bio, s);
e7f8ff43 2228
d02b48c6
RE		 2229 BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n",
2230 BIO_number_read(SSL_get_rbio(s)),
2231 BIO_number_written(SSL_get_wbio(s)));
2232 }
08557cf2 2233 BIO_printf(bio,(SSL_cache_hit(s)?"---\nReused, ":"---\nNew, "));
d02b48c6
RE		 2234 c=SSL_get_current_cipher(s);
2235 BIO_printf(bio,"%s, Cipher is %s\n",
2236 SSL_CIPHER_get_version(c),
2237 SSL_CIPHER_get_name(c));
a8236c8c
DSH		 2238 if (peer != NULL) {
2239 EVP_PKEY *pktmp;
2240 pktmp = X509_get_pubkey(peer);
58964a49 2241 BIO_printf(bio,"Server public key is %d bit\n",
a8236c8c
DSH		 2242 EVP_PKEY_bits(pktmp));
2243 EVP_PKEY_free(pktmp);
2244 }
5430200b
DSH		 2245 BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
2246 SSL_get_secure_renegotiation_support(s) ? "" : " NOT");
09b6c2ef 2247#ifndef OPENSSL_NO_COMP
f44e184e 2248 comp=SSL_get_current_compression(s);
d8ec0dcf 2249 expansion=SSL_get_current_expansion(s);
f44e184e
RL		 2250 BIO_printf(bio,"Compression: %s\n",
2251 comp ? SSL_COMP_get_name(comp) : "NONE");
2252 BIO_printf(bio,"Expansion: %s\n",
d8ec0dcf 2253 expansion ? SSL_COMP_get_name(expansion) : "NONE");
09b6c2ef 2254#endif
71fa4513 2255
57559471 2256#ifdef SSL_DEBUG
a2f9200f
DSH		 2257 {
2258 /* Print out local port of connection: useful for debugging */
2259 int sock;
2260 struct sockaddr_in ladd;
2261 socklen_t ladd_size = sizeof(ladd);
2262 sock = SSL_get_fd(s);
2263 getsockname(sock, (struct sockaddr *)&ladd, &ladd_size);
2264 BIO_printf(bio_c_out, "LOCAL PORT is %u\n", ntohs(ladd.sin_port));
2265 }
2266#endif
2267
71fa4513
BL		 2268#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
2269 if (next_proto.status != -1) {
2270 const unsigned char *proto;
2271 unsigned int proto_len;
2272 SSL_get0_next_proto_negotiated(s, &proto, &proto_len);
2273 BIO_printf(bio, "Next protocol: (%d) ", next_proto.status);
2274 BIO_write(bio, proto, proto_len);
2275 BIO_write(bio, "\n", 1);
2276 }
2277#endif
2278
333f926d
BL		 2279 {
2280 SRTP_PROTECTION_PROFILE *srtp_profile=SSL_get_selected_srtp_profile(s);
2281
2282 if(srtp_profile)
2283 BIO_printf(bio,"SRTP Extension negotiated, profile=%s\n",
2284 srtp_profile->name);
2285 }
2286
d02b48c6 2287 SSL_SESSION_print(bio,SSL_get_session(s));
be81f4dd
DSH		 2288 if (keymatexportlabel != NULL)
2289 {
e0af0405
BL		 2290 BIO_printf(bio, "Keying material exporter:\n");
2291 BIO_printf(bio, " Label: '%s'\n", keymatexportlabel);
2292 BIO_printf(bio, " Length: %i bytes\n", keymatexportlen);
2293 exportedkeymat = OPENSSL_malloc(keymatexportlen);
be81f4dd
DSH		 2294 if (exportedkeymat != NULL)
2295 {
2296 if (!SSL_export_keying_material(s, exportedkeymat,
2297 keymatexportlen,
2298 keymatexportlabel,
2299 strlen(keymatexportlabel),
2300 NULL, 0, 0))
2301 {
2302 BIO_printf(bio, " Error\n");
2303 }
2304 else
2305 {
e0af0405
BL		 2306 BIO_printf(bio, " Keying material: ");
2307 for (i=0; i<keymatexportlen; i++)
2308 BIO_printf(bio, "%02X",
2309 exportedkeymat[i]);
2310 BIO_printf(bio, "\n");
be81f4dd 2311 }
e0af0405 2312 OPENSSL_free(exportedkeymat);
be81f4dd 2313 }
e0af0405 2314 }
d02b48c6 2315 BIO_printf(bio,"---\n");
58964a49
RE		 2316 if (peer != NULL)
2317 X509_free(peer);
41ebed27 2318 /* flush, or debugging output gets mixed with http response */
710069c1 2319 (void)BIO_flush(bio);
d02b48c6
RE		 2320 }
2321
0702150f
DSH		 2322#ifndef OPENSSL_NO_TLSEXT
2323
67c8e7f4
DSH		 2324static int ocsp_resp_cb(SSL *s, void *arg)
2325 {
2326 const unsigned char *p;
2327 int len;
2328 OCSP_RESPONSE *rsp;
2329 len = SSL_get_tlsext_status_ocsp_resp(s, &p);
2330 BIO_puts(arg, "OCSP response: ");
2331 if (!p)
2332 {
2333 BIO_puts(arg, "no response sent\n");
2334 return 1;
2335 }
2336 rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
2337 if (!rsp)
2338 {
2339 BIO_puts(arg, "response parse error\n");
2340 BIO_dump_indent(arg, (char *)p, len, 4);
2341 return 0;
2342 }
2343 BIO_puts(arg, "\n======================================\n");
2344 OCSP_RESPONSE_print(arg, rsp, 0);
2345 BIO_puts(arg, "======================================\n");
2346 OCSP_RESPONSE_free(rsp);
2347 return 1;
2348 }
0702150f 2349
a9e1c50b
BL		 2350static int audit_proof_cb(SSL *s, void *arg)
2351 {
2352 const unsigned char *proof;
2353 size_t proof_len;
2354 size_t i;
2355 SSL_SESSION *sess = SSL_get_session(s);
2356
2357 proof = SSL_SESSION_get_tlsext_authz_server_audit_proof(sess,
2358 &proof_len);
2359 if (proof != NULL)
2360 {
2361 BIO_printf(bio_c_out, "Audit proof: ");
2362 for (i = 0; i < proof_len; ++i)
2363 BIO_printf(bio_c_out, "%02X", proof[i]);
2364 BIO_printf(bio_c_out, "\n");
2365 }
2366 else
2367 {
2368 BIO_printf(bio_c_out, "No audit proof found.\n");
2369 }
2370 return 1;
2371 }
0702150f 2372#endif
A mirror of the official openssl repository