]> git.ipfire.org Git - thirdparty/openssl.git/blame - apps/s_client.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Flag to disable automatic copying of contexts.
[thirdparty/openssl.git] / apps / s_client.c
CommitLineData
d02b48c6 1/* apps/s_client.c */
58964a49 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
d02b48c6
RE		 3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
a661b653 58/* ====================================================================
b1277b99 59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
a661b653
BM		 60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
ddac1974
NL		 111/* ====================================================================
112 * Copyright 2005 Nokia. All rights reserved.
113 *
114 * The portions of the attached software ("Contribution") is developed by
115 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
116 * license.
117 *
118 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120 * support (see RFC 4279) to OpenSSL.
121 *
122 * No patent licenses or other rights except those expressly stated in
123 * the OpenSSL open source license shall be deemed granted or received
124 * expressly, by implication, estoppel, or otherwise.
125 *
126 * No assurances are provided by Nokia that the Contribution does not
127 * infringe the patent or other intellectual property rights of any third
128 * party or that the license provides you with all the necessary rights
129 * to make use of the Contribution.
130 *
131 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
135 * OTHERWISE.
136 */
d02b48c6 137
1b1a6e78 138#include <assert.h>
ddac1974 139#include <ctype.h>
8c197cc5
UM		 140#include <stdio.h>
141#include <stdlib.h>
142#include <string.h>
be1bd923 143#include <openssl/e_os2.h>
cf1b7d96 144#ifdef OPENSSL_NO_STDIO
8c197cc5
UM		 145#define APPS_WIN16
146#endif
147
7d7d2cbc
UM		 148/* With IPv6, it looks like Digital has mixed up the proper order of
149 recursive header file inclusion, resulting in the compiler complaining
150 that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which
151 is needed to have fileno() declared correctly... So let's define u_int */
bc36ee62 152#if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
7d7d2cbc
UM		 153#define __U_INT
154typedef unsigned int u_int;
155#endif
156
d02b48c6 157#define USE_SOCKETS
d02b48c6 158#include "apps.h"
ec577822
BM		 159#include <openssl/x509.h>
160#include <openssl/ssl.h>
161#include <openssl/err.h>
162#include <openssl/pem.h>
1372965e 163#include <openssl/rand.h>
67c8e7f4 164#include <openssl/ocsp.h>
1e26a8ba 165#include <openssl/bn.h>
edc032b5
BL		 166#ifndef OPENSSL_NO_SRP
167#include <openssl/srp.h>
168#endif
d02b48c6 169#include "s_apps.h"
36d16f8e 170#include "timeouts.h"
d02b48c6 171
bc36ee62 172#if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
75e0770d 173/* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
7d7d2cbc
UM		 174#undef FIONBIO
175#endif
176
4700aea9
UM		 177#if defined(OPENSSL_SYS_BEOS_R5)
178#include <fcntl.h>
179#endif
180
d02b48c6
RE		 181#undef PROG
182#define PROG s_client_main
183
184/*#define SSL_HOST_NAME "www.netscape.com" */
185/*#define SSL_HOST_NAME "193.118.187.102" */
186#define SSL_HOST_NAME "localhost"
187
188/*#define TEST_CERT "client.pem" */ /* no default cert. */
189
190#undef BUFSIZZ
191#define BUFSIZZ 1024*8
192
193extern int verify_depth;
194extern int verify_error;
5d20c4fb 195extern int verify_return_error;
2a7cbe77 196extern int verify_quiet;
d02b48c6
RE		 197
198#ifdef FIONBIO
199static int c_nbio=0;
200#endif
201static int c_Pause=0;
202static int c_debug=0;
6434abbf
DSH		 203#ifndef OPENSSL_NO_TLSEXT
204static int c_tlsextdebug=0;
67c8e7f4 205static int c_status_req=0;
6434abbf 206#endif
a661b653 207static int c_msg=0;
6d02d8e4 208static int c_showcerts=0;
d02b48c6 209
e0af0405
BL		 210static char *keymatexportlabel=NULL;
211static int keymatexportlen=20;
212
d02b48c6
RE		 213static void sc_usage(void);
214static void print_stuff(BIO *berr,SSL *con,int full);
0702150f 215#ifndef OPENSSL_NO_TLSEXT
67c8e7f4 216static int ocsp_resp_cb(SSL *s, void *arg);
36086186
SD		 217static int c_auth = 0;
218static int c_auth_require_reneg = 0;
0702150f 219#endif
d02b48c6 220static BIO *bio_c_out=NULL;
93ab9e42 221static BIO *bio_c_msg=NULL;
d02b48c6 222static int c_quiet=0;
ce301b6b 223static int c_ign_eof=0;
2a7cbe77 224static int c_brief=0;
d02b48c6 225
36086186
SD		 226#ifndef OPENSSL_NO_TLSEXT
227
67c408ce
SD		 228static unsigned char *generated_supp_data = NULL;
229
1769dfab 230static const unsigned char *most_recent_supplemental_data = NULL;
67c408ce 231static size_t most_recent_supplemental_data_length = 0;
36086186
SD		 232
233static int server_provided_server_authz = 0;
234static int server_provided_client_authz = 0;
235
236static const unsigned char auth_ext_data[]={TLSEXT_AUTHZDATAFORMAT_dtcp};
237
238static int suppdata_cb(SSL *s, unsigned short supp_data_type,
239 const unsigned char *in,
240 unsigned short inlen, int *al,
241 void *arg);
242
243static int auth_suppdata_generate_cb(SSL *s, unsigned short supp_data_type,
244 const unsigned char **out,
245 unsigned short *outlen, void *arg);
246
247static int authz_tlsext_generate_cb(SSL *s, unsigned short ext_type,
248 const unsigned char **out, unsigned short *outlen,
249 void *arg);
250
251static int authz_tlsext_cb(SSL *s, unsigned short ext_type,
252 const unsigned char *in,
253 unsigned short inlen, int *al,
254 void *arg);
255#endif
256
ddac1974
NL		 257#ifndef OPENSSL_NO_PSK
258/* Default PSK identity and key */
259static char *psk_identity="Client_identity";
f3b7bdad 260/*char *psk_key=NULL; by default PSK is not used */
ddac1974
NL		 261
262static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity,
263 unsigned int max_identity_len, unsigned char *psk,
264 unsigned int max_psk_len)
265 {
266 unsigned int psk_len = 0;
267 int ret;
268 BIGNUM *bn=NULL;
269
270 if (c_debug)
271 BIO_printf(bio_c_out, "psk_client_cb\n");
272 if (!hint)
273 {
274 /* no ServerKeyExchange message*/
275 if (c_debug)
276 BIO_printf(bio_c_out,"NULL received PSK identity hint, continuing anyway\n");
277 }
278 else if (c_debug)
279 BIO_printf(bio_c_out, "Received PSK identity hint '%s'\n", hint);
280
281 /* lookup PSK identity and PSK key based on the given identity hint here */
0ed6b526 282 ret = BIO_snprintf(identity, max_identity_len, "%s", psk_identity);
a0aa8b4b 283 if (ret < 0 || (unsigned int)ret > max_identity_len)
ddac1974
NL		 284 goto out_err;
285 if (c_debug)
286 BIO_printf(bio_c_out, "created identity '%s' len=%d\n", identity, ret);
287 ret=BN_hex2bn(&bn, psk_key);
288 if (!ret)
289 {
290 BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", psk_key);
291 if (bn)
292 BN_free(bn);
293 return 0;
294 }
295
a0aa8b4b 296 if ((unsigned int)BN_num_bytes(bn) > max_psk_len)
ddac1974
NL		 297 {
298 BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
299 max_psk_len, BN_num_bytes(bn));
300 BN_free(bn);
301 return 0;
302 }
303
304 psk_len=BN_bn2bin(bn, psk);
305 BN_free(bn);
306 if (psk_len == 0)
307 goto out_err;
308
309 if (c_debug)
310 BIO_printf(bio_c_out, "created PSK len=%d\n", psk_len);
311
312 return psk_len;
313 out_err:
314 if (c_debug)
315 BIO_printf(bio_err, "Error in PSK client callback\n");
316 return 0;
317 }
318#endif
319
6b691a5c 320static void sc_usage(void)
d02b48c6 321 {
b6cff93d 322 BIO_printf(bio_err,"usage: s_client args\n");
d02b48c6
RE		 323 BIO_printf(bio_err,"\n");
324 BIO_printf(bio_err," -host host - use -connect instead\n");
325 BIO_printf(bio_err," -port port - use -connect instead\n");
326 BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR);
d02b48c6
RE		 327 BIO_printf(bio_err," -verify arg - turn on peer certificate verification\n");
328 BIO_printf(bio_err," -cert arg - certificate file to use, PEM format assumed\n");
826a42a0
DSH		 329 BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n");
330 BIO_printf(bio_err," -key arg - Private key file to use, in cert file if\n");
d02b48c6 331 BIO_printf(bio_err," not specified but cert file is.\n");
826a42a0
DSH		 332 BIO_printf(bio_err," -keyform arg - key format (PEM or DER) PEM default\n");
333 BIO_printf(bio_err," -pass arg - private key file pass phrase source\n");
d02b48c6
RE		 334 BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n");
335 BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n");
336 BIO_printf(bio_err," -reconnect - Drop and re-make the connection with the same Session-ID\n");
337 BIO_printf(bio_err," -pause - sleep(1) after each read(2) and write(2) system call\n");
6d02d8e4 338 BIO_printf(bio_err," -showcerts - show all certificates in the chain\n");
d02b48c6 339 BIO_printf(bio_err," -debug - extra output\n");
02a00bb0
AP		 340#ifdef WATT32
341 BIO_printf(bio_err," -wdebug - WATT-32 tcp debugging\n");
342#endif
a661b653 343 BIO_printf(bio_err," -msg - Show protocol messages\n");
d02b48c6
RE		 344 BIO_printf(bio_err," -nbio_test - more ssl protocol testing\n");
345 BIO_printf(bio_err," -state - print the 'ssl' states\n");
346#ifdef FIONBIO
347 BIO_printf(bio_err," -nbio - Run with non-blocking IO\n");
1bdb8633 348#endif
1bdb8633 349 BIO_printf(bio_err," -crlf - convert LF from terminal into CRLF\n");
d02b48c6 350 BIO_printf(bio_err," -quiet - no s_client output\n");
ce301b6b 351 BIO_printf(bio_err," -ign_eof - ignore input eof (default when -quiet)\n");
020d67fb 352 BIO_printf(bio_err," -no_ign_eof - don't ignore input eof\n");
ddac1974
NL		 353#ifndef OPENSSL_NO_PSK
354 BIO_printf(bio_err," -psk_identity arg - PSK identity\n");
355 BIO_printf(bio_err," -psk arg - PSK in hex (without 0x)\n");
79bd20fd 356# ifndef OPENSSL_NO_JPAKE
f3b7bdad
BL		 357 BIO_printf(bio_err," -jpake arg - JPAKE secret to use\n");
358# endif
edc032b5
BL		 359#endif
360#ifndef OPENSSL_NO_SRP
361 BIO_printf(bio_err," -srpuser user - SRP authentification for 'user'\n");
362 BIO_printf(bio_err," -srppass arg - password for 'user'\n");
363 BIO_printf(bio_err," -srp_lateuser - SRP username into second ClientHello message\n");
364 BIO_printf(bio_err," -srp_moregroups - Tolerate other than the known g N values.\n");
365 BIO_printf(bio_err," -srp_strength int - minimal mength in bits for N (default %d).\n",SRP_MINIMAL_N);
ddac1974 366#endif
d02b48c6
RE		 367 BIO_printf(bio_err," -ssl2 - just use SSLv2\n");
368 BIO_printf(bio_err," -ssl3 - just use SSLv3\n");
7409d7ad 369 BIO_printf(bio_err," -tls1_2 - just use TLSv1.2\n");
637f374a 370 BIO_printf(bio_err," -tls1_1 - just use TLSv1.1\n");
58964a49 371 BIO_printf(bio_err," -tls1 - just use TLSv1\n");
36d16f8e 372 BIO_printf(bio_err," -dtls1 - just use DTLSv1\n");
046f2101 373 BIO_printf(bio_err," -mtu - set the link layer MTU\n");
7409d7ad 374 BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
d02b48c6 375 BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n");
836f9960 376 BIO_printf(bio_err," -serverpref - Use server's cipher preferences (only SSLv2)\n");
657e60fa 377 BIO_printf(bio_err," -cipher - preferred cipher to use, use the 'openssl ciphers'\n");
dfeab068 378 BIO_printf(bio_err," command to see what is available\n");
135c0af1
RL		 379 BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n");
380 BIO_printf(bio_err," for those protocols that support it, where\n");
381 BIO_printf(bio_err," 'prot' defines which one to assume. Currently,\n");
d5bbead4
BL		 382 BIO_printf(bio_err," only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
383 BIO_printf(bio_err," are supported.\n");
b98af49d 384 BIO_printf(bio_err," -xmpphost host - When used with \"-starttls xmpp\" specifies the virtual host.\n");
0b13e9f0 385#ifndef OPENSSL_NO_ENGINE
5270e702 386 BIO_printf(bio_err," -engine id - Initialise and use the specified engine\n");
0b13e9f0 387#endif
52b621db 388 BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
014f62b6
DSH		 389 BIO_printf(bio_err," -sess_out arg - file to write SSL session to\n");
390 BIO_printf(bio_err," -sess_in arg - file to read SSL session from\n");
ed3883d2
BM		 391#ifndef OPENSSL_NO_TLSEXT
392 BIO_printf(bio_err," -servername host - Set TLS extension servername in ClientHello\n");
d24a9c8f 393 BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n");
67c8e7f4 394 BIO_printf(bio_err," -status - request certificate status from server\n");
d24a9c8f 395 BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n");
36086186
SD		 396 BIO_printf(bio_err," -serverinfo types - send empty ClientHello extensions (comma-separated numbers)\n");
397 BIO_printf(bio_err," -auth - send and receive RFC 5878 TLS auth extensions and supplemental data\n");
398 BIO_printf(bio_err," -auth_require_reneg - Do not send TLS auth extensions until renegotiation\n");
bf48836c 399# ifndef OPENSSL_NO_NEXTPROTONEG
ee2ffc27 400 BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
6f017a8f 401 BIO_printf(bio_err," -alpn arg - enable ALPN extension, considering named protocols supported (comma-separated list)\n");
ee2ffc27 402# endif
ed3883d2 403#endif
2942dde5 404 BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
be81f4dd 405 BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
e0af0405
BL		 406 BIO_printf(bio_err," -keymatexport label - Export keying material using label\n");
407 BIO_printf(bio_err," -keymatexportlen len - Export len bytes of keying material (default 20)\n");
d02b48c6
RE		 408 }
409
ed3883d2
BM		 410#ifndef OPENSSL_NO_TLSEXT
411
412/* This is a context that we pass to callbacks */
413typedef struct tlsextctx_st {
414 BIO * biodebug;
415 int ack;
416} tlsextctx;
417
418
b1277b99
BM		 419static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
420 {
ed3883d2 421 tlsextctx * p = (tlsextctx *) arg;
8de5b7f5 422 const char * hn= SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
ed3883d2
BM		 423 if (SSL_get_servername_type(s) != -1)
424 p->ack = !SSL_session_reused(s) && hn != NULL;
425 else
f1fd4544 426 BIO_printf(bio_err,"Can't use SSL_get_servername\n");
ed3883d2 427
241520e6 428 return SSL_TLSEXT_ERR_OK;
b1277b99 429 }
ee2ffc27 430
edc032b5
BL		 431#ifndef OPENSSL_NO_SRP
432
433/* This is a context that we pass to all callbacks */
434typedef struct srp_arg_st
435 {
436 char *srppassin;
437 char *srplogin;
438 int msg; /* copy from c_msg */
439 int debug; /* copy from c_debug */
440 int amp; /* allow more groups */
441 int strength /* minimal size for N */ ;
442 } SRP_ARG;
443
444#define SRP_NUMBER_ITERATIONS_FOR_PRIME 64
445
f2fc3075 446static int srp_Verify_N_and_g(const BIGNUM *N, const BIGNUM *g)
edc032b5
BL		 447 {
448 BN_CTX *bn_ctx = BN_CTX_new();
449 BIGNUM *p = BN_new();
450 BIGNUM *r = BN_new();
451 int ret =
452 g != NULL && N != NULL && bn_ctx != NULL && BN_is_odd(N) &&
f2fc3075 453 BN_is_prime_ex(N, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
edc032b5
BL		 454 p != NULL && BN_rshift1(p, N) &&
455
456 /* p = (N-1)/2 */
f2fc3075 457 BN_is_prime_ex(p, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
edc032b5
BL		 458 r != NULL &&
459
460 /* verify g^((N-1)/2) == -1 (mod N) */
461 BN_mod_exp(r, g, p, N, bn_ctx) &&
462 BN_add_word(r, 1) &&
463 BN_cmp(r, N) == 0;
464
465 if(r)
466 BN_free(r);
467 if(p)
468 BN_free(p);
469 if(bn_ctx)
470 BN_CTX_free(bn_ctx);
471 return ret;
472 }
473
f2fc3075
DSH		 474/* This callback is used here for two purposes:
475 - extended debugging
476 - making some primality tests for unknown groups
477 The callback is only called for a non default group.
478
479 An application does not need the call back at all if
480 only the stanard groups are used. In real life situations,
481 client and server already share well known groups,
482 thus there is no need to verify them.
483 Furthermore, in case that a server actually proposes a group that
484 is not one of those defined in RFC 5054, it is more appropriate
485 to add the group to a static list and then compare since
486 primality tests are rather cpu consuming.
487*/
488
edc032b5
BL		 489static int MS_CALLBACK ssl_srp_verify_param_cb(SSL *s, void *arg)
490 {
491 SRP_ARG *srp_arg = (SRP_ARG *)arg;
492 BIGNUM *N = NULL, *g = NULL;
493 if (!(N = SSL_get_srp_N(s)) || !(g = SSL_get_srp_g(s)))
494 return 0;
495 if (srp_arg->debug || srp_arg->msg || srp_arg->amp == 1)
496 {
497 BIO_printf(bio_err, "SRP parameters:\n");
498 BIO_printf(bio_err,"\tN="); BN_print(bio_err,N);
499 BIO_printf(bio_err,"\n\tg="); BN_print(bio_err,g);
500 BIO_printf(bio_err,"\n");
501 }
502
503 if (SRP_check_known_gN_param(g,N))
504 return 1;
505
506 if (srp_arg->amp == 1)
507 {
508 if (srp_arg->debug)
509 BIO_printf(bio_err, "SRP param N and g are not known params, going to check deeper.\n");
510
f2fc3075 511/* The srp_moregroups is a real debugging feature.
edc032b5
BL		 512 Implementors should rather add the value to the known ones.
513 The minimal size has already been tested.
514*/
f2fc3075 515 if (BN_num_bits(g) <= BN_BITS && srp_Verify_N_and_g(N,g))
edc032b5
BL		 516 return 1;
517 }
518 BIO_printf(bio_err, "SRP param N and g rejected.\n");
519 return 0;
520 }
521
522#define PWD_STRLEN 1024
523
524static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
525 {
526 SRP_ARG *srp_arg = (SRP_ARG *)arg;
527 char *pass = (char *)OPENSSL_malloc(PWD_STRLEN+1);
528 PW_CB_DATA cb_tmp;
529 int l;
530
531 cb_tmp.password = (char *)srp_arg->srppassin;
532 cb_tmp.prompt_info = "SRP user";
533 if ((l = password_callback(pass, PWD_STRLEN, 0, &cb_tmp))<0)
534 {
535 BIO_printf (bio_err, "Can't read Password\n");
536 OPENSSL_free(pass);
537 return NULL;
538 }
539 *(pass+l)= '\0';
540
541 return pass;
542 }
543
edc032b5 544#endif
333f926d 545 char *srtp_profiles = NULL;
edc032b5 546
bf48836c 547# ifndef OPENSSL_NO_NEXTPROTONEG
ee2ffc27
BL		 548/* This the context that we pass to next_proto_cb */
549typedef struct tlsextnextprotoctx_st {
550 unsigned char *data;
551 unsigned short len;
552 int status;
553} tlsextnextprotoctx;
554
555static tlsextnextprotoctx next_proto;
556
557static int next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg)
558 {
559 tlsextnextprotoctx *ctx = arg;
560
561 if (!c_quiet)
562 {
563 /* We can assume that |in| is syntactically valid. */
564 unsigned i;
565 BIO_printf(bio_c_out, "Protocols advertised by server: ");
566 for (i = 0; i < inlen; )
567 {
568 if (i)
569 BIO_write(bio_c_out, ", ", 2);
570 BIO_write(bio_c_out, &in[i + 1], in[i]);
571 i += in[i] + 1;
572 }
573 BIO_write(bio_c_out, "\n", 1);
574 }
575
576 ctx->status = SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len);
577 return SSL_TLSEXT_ERR_OK;
578 }
bf48836c 579# endif /* ndef OPENSSL_NO_NEXTPROTONEG */
a398f821
T		 580
581static int serverinfo_cli_cb(SSL* s, unsigned short ext_type,
582 const unsigned char* in, unsigned short inlen,
583 int* al, void* arg)
584 {
585 char pem_name[100];
586 unsigned char ext_buf[4 + 65536];
587
588 /* Reconstruct the type/len fields prior to extension data */
589 ext_buf[0] = ext_type >> 8;
590 ext_buf[1] = ext_type & 0xFF;
591 ext_buf[2] = inlen >> 8;
592 ext_buf[3] = inlen & 0xFF;
593 memcpy(ext_buf+4, in, inlen);
594
70d416ec
BL		 595 BIO_snprintf(pem_name, sizeof(pem_name), "SERVERINFO FOR EXTENSION %d",
596 ext_type);
a398f821
T		 597 PEM_write_bio(bio_c_out, pem_name, "", ext_buf, 4 + inlen);
598 return 1;
599 }
600
ed3883d2
BM		 601#endif
602
85c67492
RL		 603enum
604{
605 PROTO_OFF = 0,
606 PROTO_SMTP,
607 PROTO_POP3,
608 PROTO_IMAP,
d5bbead4 609 PROTO_FTP,
640b86cb 610 PROTO_XMPP
85c67492
RL		 611};
612
667ac4ec
RE		 613int MAIN(int, char **);
614
6b691a5c 615int MAIN(int argc, char **argv)
d02b48c6 616 {
74ecfab4 617 int build_chain = 0;
67b6f1ca 618 SSL *con=NULL;
4f7a2ab8
DSH		 619#ifndef OPENSSL_NO_KRB5
620 KSSL_CTX *kctx;
621#endif
d02b48c6 622 int s,k,width,state=0;
135c0af1 623 char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL;
d02b48c6
RE		 624 int cbuf_len,cbuf_off;
625 int sbuf_len,sbuf_off;
626 fd_set readfds,writefds;
627 short port=PORT;
628 int full_log=1;
629 char *host=SSL_HOST_NAME;
b98af49d 630 char *xmpphost = NULL;
4e71d952 631 char *cert_file=NULL,*key_file=NULL,*chain_file=NULL;
826a42a0
DSH		 632 int cert_format = FORMAT_PEM, key_format = FORMAT_PEM;
633 char *passarg = NULL, *pass = NULL;
634 X509 *cert = NULL;
635 EVP_PKEY *key = NULL;
4e71d952 636 STACK_OF(X509) *chain = NULL;
5d2e07f1 637 char *CApath=NULL,*CAfile=NULL;
a5afc0a8
DSH		 638 char *chCApath=NULL,*chCAfile=NULL;
639 char *vfyCApath=NULL,*vfyCAfile=NULL;
5d2e07f1 640 int reconnect=0,badop=0,verify=SSL_VERIFY_NONE;
1bdb8633 641 int crlf=0;
c7ac31e2 642 int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending;
d02b48c6
RE		 643 SSL_CTX *ctx=NULL;
644 int ret=1,in_init=1,i,nbio_test=0;
85c67492 645 int starttls_proto = PROTO_OFF;
db99779b
DSH		 646 int prexit = 0;
647 X509_VERIFY_PARAM *vpm = NULL;
648 int badarg = 0;
4ebb342f 649 const SSL_METHOD *meth=NULL;
b1277b99 650 int socket_type=SOCK_STREAM;
d02b48c6 651 BIO *sbio;
52b621db 652 char *inrand=NULL;
85c67492 653 int mbuf_len=0;
b972fbaa 654 struct timeval timeout, *timeoutp;
0b13e9f0 655#ifndef OPENSSL_NO_ENGINE
5270e702 656 char *engine_id=NULL;
59d2d48f 657 char *ssl_client_engine_id=NULL;
70531c14 658 ENGINE *ssl_client_engine=NULL;
0b13e9f0 659#endif
70531c14 660 ENGINE *e=NULL;
4700aea9 661#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
06f4536a 662 struct timeval tv;
4700aea9
UM		 663#if defined(OPENSSL_SYS_BEOS_R5)
664 int stdin_set = 0;
665#endif
06f4536a 666#endif
ed3883d2
BM		 667#ifndef OPENSSL_NO_TLSEXT
668 char *servername = NULL;
669 tlsextctx tlsextcbp =
670 {NULL,0};
bf48836c 671# ifndef OPENSSL_NO_NEXTPROTONEG
ee2ffc27 672 const char *next_proto_neg_in = NULL;
6f017a8f 673 const char *alpn_in = NULL;
ee2ffc27 674# endif
a398f821
T		 675# define MAX_SI_TYPES 100
676 unsigned short serverinfo_types[MAX_SI_TYPES];
677 int serverinfo_types_count = 0;
ed3883d2 678#endif
6434abbf
DSH		 679 char *sess_in = NULL;
680 char *sess_out = NULL;
36d16f8e 681 struct sockaddr peer;
6c61726b 682 int peerlen = sizeof(peer);
36d16f8e 683 int enable_timeouts = 0 ;
b1277b99 684 long socket_mtu = 0;
79bd20fd 685#ifndef OPENSSL_NO_JPAKE
b252cf0d
DSH		 686static char *jpake_secret = NULL;
687#define no_jpake !jpake_secret
688#else
689#define no_jpake 1
ed551cdd 690#endif
edc032b5
BL		 691#ifndef OPENSSL_NO_SRP
692 char * srppass = NULL;
693 int srp_lateuser = 0;
694 SRP_ARG srp_arg = {NULL,NULL,0,0,0,1024};
695#endif
3208fc59 696 SSL_EXCERT *exc = NULL;
36d16f8e 697
5d2e07f1
DSH		 698 SSL_CONF_CTX *cctx = NULL;
699 STACK_OF(OPENSSL_STRING) *ssl_args = NULL;
a70da5b3 700
fdb78f3d
DSH		 701 char *crl_file = NULL;
702 int crl_format = FORMAT_PEM;
0090a686 703 int crl_download = 0;
fdb78f3d
DSH		 704 STACK_OF(X509_CRL) *crls = NULL;
705
d02b48c6 706 meth=SSLv23_client_method();
d02b48c6
RE		 707
708 apps_startup();
58964a49 709 c_Pause=0;
d02b48c6 710 c_quiet=0;
ce301b6b 711 c_ign_eof=0;
d02b48c6 712 c_debug=0;
a661b653 713 c_msg=0;
6d02d8e4 714 c_showcerts=0;
d02b48c6
RE		 715
716 if (bio_err == NULL)
717 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
718
3647bee2
DSH		 719 if (!load_config(bio_err, NULL))
720 goto end;
5d2e07f1
DSH		 721 cctx = SSL_CONF_CTX_new();
722 if (!cctx)
723 goto end;
724 SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT);
725 SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CMDLINE);
3647bee2 726
26a3a48d 727 if ( ((cbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
135c0af1
RL		 728 ((sbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
729 ((mbuf=OPENSSL_malloc(BUFSIZZ)) == NULL))
d02b48c6
RE		 730 {
731 BIO_printf(bio_err,"out of memory\n");
732 goto end;
733 }
734
735 verify_depth=0;
736 verify_error=X509_V_OK;
737#ifdef FIONBIO
738 c_nbio=0;
739#endif
740
741 argc--;
742 argv++;
743 while (argc >= 1)
744 {
745 if (strcmp(*argv,"-host") == 0)
746 {
747 if (--argc < 1) goto bad;
748 host= *(++argv);
749 }
750 else if (strcmp(*argv,"-port") == 0)
751 {
752 if (--argc < 1) goto bad;
753 port=atoi(*(++argv));
754 if (port == 0) goto bad;
755 }
756 else if (strcmp(*argv,"-connect") == 0)
757 {
758 if (--argc < 1) goto bad;
759 if (!extract_host_port(*(++argv),&host,NULL,&port))
760 goto bad;
761 }
b98af49d
CALP		 762 else if (strcmp(*argv,"-xmpphost") == 0)
763 {
764 if (--argc < 1) goto bad;
765 xmpphost= *(++argv);
766 }
d02b48c6
RE		 767 else if (strcmp(*argv,"-verify") == 0)
768 {
769 verify=SSL_VERIFY_PEER;
770 if (--argc < 1) goto bad;
771 verify_depth=atoi(*(++argv));
2a7cbe77
DSH		 772 if (!c_quiet)
773 BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
d02b48c6
RE		 774 }
775 else if (strcmp(*argv,"-cert") == 0)
776 {
777 if (--argc < 1) goto bad;
778 cert_file= *(++argv);
779 }
fdb78f3d
DSH		 780 else if (strcmp(*argv,"-CRL") == 0)
781 {
782 if (--argc < 1) goto bad;
783 crl_file= *(++argv);
784 }
0090a686
DSH		 785 else if (strcmp(*argv,"-crl_download") == 0)
786 crl_download = 1;
6434abbf
DSH		 787 else if (strcmp(*argv,"-sess_out") == 0)
788 {
789 if (--argc < 1) goto bad;
790 sess_out = *(++argv);
791 }
792 else if (strcmp(*argv,"-sess_in") == 0)
793 {
794 if (--argc < 1) goto bad;
795 sess_in = *(++argv);
796 }
826a42a0
DSH		 797 else if (strcmp(*argv,"-certform") == 0)
798 {
799 if (--argc < 1) goto bad;
800 cert_format = str2fmt(*(++argv));
801 }
fdb78f3d
DSH		 802 else if (strcmp(*argv,"-CRLform") == 0)
803 {
804 if (--argc < 1) goto bad;
805 crl_format = str2fmt(*(++argv));
806 }
db99779b
DSH		 807 else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
808 {
809 if (badarg)
810 goto bad;
811 continue;
812 }
5d20c4fb
DSH		 813 else if (strcmp(*argv,"-verify_return_error") == 0)
814 verify_return_error = 1;
2a7cbe77
DSH		 815 else if (strcmp(*argv,"-verify_quiet") == 0)
816 verify_quiet = 1;
817 else if (strcmp(*argv,"-brief") == 0)
818 {
819 c_brief = 1;
820 verify_quiet = 1;
821 c_quiet = 1;
822 }
3208fc59
DSH		 823 else if (args_excert(&argv, &argc, &badarg, bio_err, &exc))
824 {
825 if (badarg)
826 goto bad;
827 continue;
828 }
5d2e07f1
DSH		 829 else if (args_ssl(&argv, &argc, cctx, &badarg, bio_err, &ssl_args))
830 {
831 if (badarg)
832 goto bad;
833 continue;
834 }
c3ed3b6e
DSH		 835 else if (strcmp(*argv,"-prexit") == 0)
836 prexit=1;
1bdb8633
BM		 837 else if (strcmp(*argv,"-crlf") == 0)
838 crlf=1;
d02b48c6 839 else if (strcmp(*argv,"-quiet") == 0)
ce301b6b 840 {
d02b48c6 841 c_quiet=1;
ce301b6b
RL		 842 c_ign_eof=1;
843 }
844 else if (strcmp(*argv,"-ign_eof") == 0)
845 c_ign_eof=1;
020d67fb
LJ		 846 else if (strcmp(*argv,"-no_ign_eof") == 0)
847 c_ign_eof=0;
d02b48c6
RE		 848 else if (strcmp(*argv,"-pause") == 0)
849 c_Pause=1;
850 else if (strcmp(*argv,"-debug") == 0)
851 c_debug=1;
6434abbf
DSH		 852#ifndef OPENSSL_NO_TLSEXT
853 else if (strcmp(*argv,"-tlsextdebug") == 0)
854 c_tlsextdebug=1;
67c8e7f4
DSH		 855 else if (strcmp(*argv,"-status") == 0)
856 c_status_req=1;
36086186
SD		 857 else if (strcmp(*argv,"-auth") == 0)
858 c_auth = 1;
859 else if (strcmp(*argv,"-auth_require_reneg") == 0)
860 c_auth_require_reneg = 1;
6434abbf 861#endif
02a00bb0
AP		 862#ifdef WATT32
863 else if (strcmp(*argv,"-wdebug") == 0)
864 dbug_init();
865#endif
a661b653
BM		 866 else if (strcmp(*argv,"-msg") == 0)
867 c_msg=1;
93ab9e42
DSH		 868 else if (strcmp(*argv,"-msgfile") == 0)
869 {
870 if (--argc < 1) goto bad;
871 bio_c_msg = BIO_new_file(*(++argv), "w");
872 }
873#ifndef OPENSSL_NO_SSL_TRACE
874 else if (strcmp(*argv,"-trace") == 0)
875 c_msg=2;
876#endif
6d02d8e4
BM		 877 else if (strcmp(*argv,"-showcerts") == 0)
878 c_showcerts=1;
d02b48c6
RE		 879 else if (strcmp(*argv,"-nbio_test") == 0)
880 nbio_test=1;
881 else if (strcmp(*argv,"-state") == 0)
882 state=1;
ddac1974
NL		 883#ifndef OPENSSL_NO_PSK
884 else if (strcmp(*argv,"-psk_identity") == 0)
885 {
886 if (--argc < 1) goto bad;
887 psk_identity=*(++argv);
888 }
889 else if (strcmp(*argv,"-psk") == 0)
890 {
891 size_t j;
892
893 if (--argc < 1) goto bad;
894 psk_key=*(++argv);
895 for (j = 0; j < strlen(psk_key); j++)
896 {
a50bce82 897 if (isxdigit((unsigned char)psk_key[j]))
ddac1974
NL		 898 continue;
899 BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
900 goto bad;
901 }
902 }
903#endif
edc032b5
BL		 904#ifndef OPENSSL_NO_SRP
905 else if (strcmp(*argv,"-srpuser") == 0)
906 {
907 if (--argc < 1) goto bad;
908 srp_arg.srplogin= *(++argv);
909 meth=TLSv1_client_method();
910 }
911 else if (strcmp(*argv,"-srppass") == 0)
912 {
913 if (--argc < 1) goto bad;
914 srppass= *(++argv);
915 meth=TLSv1_client_method();
916 }
917 else if (strcmp(*argv,"-srp_strength") == 0)
918 {
919 if (--argc < 1) goto bad;
920 srp_arg.strength=atoi(*(++argv));
921 BIO_printf(bio_err,"SRP minimal length for N is %d\n",srp_arg.strength);
922 meth=TLSv1_client_method();
923 }
924 else if (strcmp(*argv,"-srp_lateuser") == 0)
925 {
926 srp_lateuser= 1;
927 meth=TLSv1_client_method();
928 }
929 else if (strcmp(*argv,"-srp_moregroups") == 0)
930 {
931 srp_arg.amp=1;
932 meth=TLSv1_client_method();
933 }
934#endif
cf1b7d96 935#ifndef OPENSSL_NO_SSL2
d02b48c6
RE		 936 else if (strcmp(*argv,"-ssl2") == 0)
937 meth=SSLv2_client_method();
938#endif
cf1b7d96 939#ifndef OPENSSL_NO_SSL3
d02b48c6
RE		 940 else if (strcmp(*argv,"-ssl3") == 0)
941 meth=SSLv3_client_method();
58964a49 942#endif
cf1b7d96 943#ifndef OPENSSL_NO_TLS1
7409d7ad
DSH		 944 else if (strcmp(*argv,"-tls1_2") == 0)
945 meth=TLSv1_2_client_method();
637f374a
DSH		 946 else if (strcmp(*argv,"-tls1_1") == 0)
947 meth=TLSv1_1_client_method();
58964a49
RE		 948 else if (strcmp(*argv,"-tls1") == 0)
949 meth=TLSv1_client_method();
36d16f8e
BL		 950#endif
951#ifndef OPENSSL_NO_DTLS1
c6913eeb
DSH		 952 else if (strcmp(*argv,"-dtls") == 0)
953 {
954 meth=DTLS_client_method();
955 socket_type=SOCK_DGRAM;
956 }
36d16f8e
BL		 957 else if (strcmp(*argv,"-dtls1") == 0)
958 {
959 meth=DTLSv1_client_method();
b1277b99 960 socket_type=SOCK_DGRAM;
36d16f8e 961 }
c3b344e3
DSH		 962 else if (strcmp(*argv,"-dtls1_2") == 0)
963 {
964 meth=DTLSv1_2_client_method();
965 socket_type=SOCK_DGRAM;
966 }
36d16f8e
BL		 967 else if (strcmp(*argv,"-timeout") == 0)
968 enable_timeouts=1;
969 else if (strcmp(*argv,"-mtu") == 0)
970 {
971 if (--argc < 1) goto bad;
b1277b99 972 socket_mtu = atol(*(++argv));
36d16f8e 973 }
d02b48c6 974#endif
826a42a0
DSH		 975 else if (strcmp(*argv,"-keyform") == 0)
976 {
977 if (--argc < 1) goto bad;
978 key_format = str2fmt(*(++argv));
979 }
980 else if (strcmp(*argv,"-pass") == 0)
981 {
982 if (--argc < 1) goto bad;
983 passarg = *(++argv);
984 }
4e71d952
DSH		 985 else if (strcmp(*argv,"-cert_chain") == 0)
986 {
987 if (--argc < 1) goto bad;
988 chain_file= *(++argv);
989 }
d02b48c6
RE		 990 else if (strcmp(*argv,"-key") == 0)
991 {
992 if (--argc < 1) goto bad;
993 key_file= *(++argv);
994 }
995 else if (strcmp(*argv,"-reconnect") == 0)
996 {
997 reconnect=5;
998 }
999 else if (strcmp(*argv,"-CApath") == 0)
1000 {
1001 if (--argc < 1) goto bad;
1002 CApath= *(++argv);
1003 }
a5afc0a8
DSH		 1004 else if (strcmp(*argv,"-chainCApath") == 0)
1005 {
1006 if (--argc < 1) goto bad;
1007 chCApath= *(++argv);
1008 }
1009 else if (strcmp(*argv,"-verifyCApath") == 0)
1010 {
1011 if (--argc < 1) goto bad;
1012 vfyCApath= *(++argv);
1013 }
74ecfab4
DSH		 1014 else if (strcmp(*argv,"-build_chain") == 0)
1015 build_chain = 1;
d02b48c6
RE		 1016 else if (strcmp(*argv,"-CAfile") == 0)
1017 {
1018 if (--argc < 1) goto bad;
1019 CAfile= *(++argv);
1020 }
a5afc0a8
DSH		 1021 else if (strcmp(*argv,"-chainCAfile") == 0)
1022 {
1023 if (--argc < 1) goto bad;
1024 chCAfile= *(++argv);
1025 }
1026 else if (strcmp(*argv,"-verifyCAfile") == 0)
1027 {
1028 if (--argc < 1) goto bad;
1029 vfyCAfile= *(++argv);
1030 }
6434abbf 1031#ifndef OPENSSL_NO_TLSEXT
bf48836c 1032# ifndef OPENSSL_NO_NEXTPROTONEG
ee2ffc27
BL		 1033 else if (strcmp(*argv,"-nextprotoneg") == 0)
1034 {
1035 if (--argc < 1) goto bad;
1036 next_proto_neg_in = *(++argv);
1037 }
6f017a8f
AL		 1038 else if (strcmp(*argv,"-alpn") == 0)
1039 {
1040 if (--argc < 1) goto bad;
1041 alpn_in = *(++argv);
1042 }
ee2ffc27 1043# endif
a398f821
T		 1044 else if (strcmp(*argv,"-serverinfo") == 0)
1045 {
1046 char *c;
1047 int start = 0;
1048 int len;
1049
1050 if (--argc < 1) goto bad;
1051 c = *(++argv);
1052 serverinfo_types_count = 0;
1053 len = strlen(c);
1054 for (i = 0; i <= len; ++i)
1055 {
1056 if (i == len || c[i] == ',')
1057 {
1058 serverinfo_types[serverinfo_types_count]
1059 = atoi(c+start);
1060 serverinfo_types_count++;
1061 start = i+1;
1062 }
1063 if (serverinfo_types_count == MAX_SI_TYPES)
1064 break;
1065 }
1066 }
6434abbf 1067#endif
d02b48c6
RE		 1068#ifdef FIONBIO
1069 else if (strcmp(*argv,"-nbio") == 0)
1070 { c_nbio=1; }
1071#endif
135c0af1
RL		 1072 else if (strcmp(*argv,"-starttls") == 0)
1073 {
1074 if (--argc < 1) goto bad;
1075 ++argv;
1076 if (strcmp(*argv,"smtp") == 0)
85c67492 1077 starttls_proto = PROTO_SMTP;
4f17dfcd 1078 else if (strcmp(*argv,"pop3") == 0)
85c67492
RL		 1079 starttls_proto = PROTO_POP3;
1080 else if (strcmp(*argv,"imap") == 0)
1081 starttls_proto = PROTO_IMAP;
1082 else if (strcmp(*argv,"ftp") == 0)
1083 starttls_proto = PROTO_FTP;
d5bbead4
BL		 1084 else if (strcmp(*argv, "xmpp") == 0)
1085 starttls_proto = PROTO_XMPP;
135c0af1
RL		 1086 else
1087 goto bad;
1088 }
0b13e9f0 1089#ifndef OPENSSL_NO_ENGINE
5270e702
RL		 1090 else if (strcmp(*argv,"-engine") == 0)
1091 {
1092 if (--argc < 1) goto bad;
1093 engine_id = *(++argv);
1094 }
59d2d48f
DSH		 1095 else if (strcmp(*argv,"-ssl_client_engine") == 0)
1096 {
1097 if (--argc < 1) goto bad;
1098 ssl_client_engine_id = *(++argv);
1099 }
0b13e9f0 1100#endif
52b621db
LJ		 1101 else if (strcmp(*argv,"-rand") == 0)
1102 {
1103 if (--argc < 1) goto bad;
1104 inrand= *(++argv);
1105 }
ed3883d2
BM		 1106#ifndef OPENSSL_NO_TLSEXT
1107 else if (strcmp(*argv,"-servername") == 0)
1108 {
1109 if (--argc < 1) goto bad;
1110 servername= *(++argv);
1111 /* meth=TLSv1_client_method(); */
1112 }
1113#endif
79bd20fd 1114#ifndef OPENSSL_NO_JPAKE
6caa4edd
BL		 1115 else if (strcmp(*argv,"-jpake") == 0)
1116 {
1117 if (--argc < 1) goto bad;
1118 jpake_secret = *++argv;
1119 }
ed551cdd 1120#endif
333f926d
BL		 1121 else if (strcmp(*argv,"-use_srtp") == 0)
1122 {
1123 if (--argc < 1) goto bad;
1124 srtp_profiles = *(++argv);
1125 }
e0af0405
BL		 1126 else if (strcmp(*argv,"-keymatexport") == 0)
1127 {
1128 if (--argc < 1) goto bad;
1129 keymatexportlabel= *(++argv);
1130 }
1131 else if (strcmp(*argv,"-keymatexportlen") == 0)
1132 {
1133 if (--argc < 1) goto bad;
1134 keymatexportlen=atoi(*(++argv));
1135 if (keymatexportlen == 0) goto bad;
1136 }
333f926d 1137 else
d02b48c6
RE		 1138 {
1139 BIO_printf(bio_err,"unknown option %s\n",*argv);
1140 badop=1;
1141 break;
1142 }
1143 argc--;
1144 argv++;
1145 }
1146 if (badop)
1147 {
1148bad:
1149 sc_usage();
1150 goto end;
1151 }
1152
79bd20fd 1153#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
f3b7bdad
BL		 1154 if (jpake_secret)
1155 {
1156 if (psk_key)
1157 {
1158 BIO_printf(bio_err,
1159 "Can't use JPAKE and PSK together\n");
1160 goto end;
1161 }
1162 psk_identity = "JPAKE";
1163 }
f3b7bdad
BL		 1164#endif
1165
cead7f36
RL		 1166 OpenSSL_add_ssl_algorithms();
1167 SSL_load_error_strings();
1168
bf48836c 1169#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
ee2ffc27
BL		 1170 next_proto.status = -1;
1171 if (next_proto_neg_in)
1172 {
1173 next_proto.data = next_protos_parse(&next_proto.len, next_proto_neg_in);
1174 if (next_proto.data == NULL)
1175 {
1176 BIO_printf(bio_err, "Error parsing -nextprotoneg argument\n");
1177 goto end;
1178 }
1179 }
1180 else
1181 next_proto.data = NULL;
1182#endif
1183
0b13e9f0 1184#ifndef OPENSSL_NO_ENGINE
cead7f36 1185 e = setup_engine(bio_err, engine_id, 1);
59d2d48f
DSH		 1186 if (ssl_client_engine_id)
1187 {
1188 ssl_client_engine = ENGINE_by_id(ssl_client_engine_id);
1189 if (!ssl_client_engine)
1190 {
1191 BIO_printf(bio_err,
1192 "Error getting client auth engine\n");
1193 goto end;
1194 }
1195 }
1196
0b13e9f0 1197#endif
826a42a0
DSH		 1198 if (!app_passwd(bio_err, passarg, NULL, &pass, NULL))
1199 {
1200 BIO_printf(bio_err, "Error getting password\n");
1201 goto end;
1202 }
1203
1204 if (key_file == NULL)
1205 key_file = cert_file;
1206
abbc186b
DSH		 1207
1208 if (key_file)
1209
826a42a0 1210 {
abbc186b
DSH		 1211
1212 key = load_key(bio_err, key_file, key_format, 0, pass, e,
1213 "client certificate private key file");
1214 if (!key)
1215 {
1216 ERR_print_errors(bio_err);
1217 goto end;
1218 }
1219
826a42a0
DSH		 1220 }
1221
abbc186b 1222 if (cert_file)
826a42a0 1223
826a42a0 1224 {
abbc186b
DSH		 1225 cert = load_cert(bio_err,cert_file,cert_format,
1226 NULL, e, "client certificate file");
1227
1228 if (!cert)
1229 {
1230 ERR_print_errors(bio_err);
1231 goto end;
1232 }
826a42a0 1233 }
cead7f36 1234
4e71d952
DSH		 1235 if (chain_file)
1236 {
1237 chain = load_certs(bio_err, chain_file,FORMAT_PEM,
1238 NULL, e, "client certificate chain");
1239 if (!chain)
1240 goto end;
1241 }
1242
fdb78f3d
DSH		 1243 if (crl_file)
1244 {
1245 X509_CRL *crl;
1246 crl = load_crl(crl_file, crl_format);
1247 if (!crl)
1248 {
1249 BIO_puts(bio_err, "Error loading CRL\n");
1250 ERR_print_errors(bio_err);
1251 goto end;
1252 }
1253 crls = sk_X509_CRL_new_null();
1254 if (!crls || !sk_X509_CRL_push(crls, crl))
1255 {
1256 BIO_puts(bio_err, "Error adding CRL\n");
1257 ERR_print_errors(bio_err);
1258 X509_CRL_free(crl);
1259 goto end;
1260 }
1261 }
1262
3208fc59
DSH		 1263 if (!load_excert(&exc, bio_err))
1264 goto end;
1265
52b621db
LJ		 1266 if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
1267 && !RAND_status())
1268 {
1269 BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
1270 }
1271 if (inrand != NULL)
1272 BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
1273 app_RAND_load_files(inrand));
a31011e8 1274
d02b48c6
RE		 1275 if (bio_c_out == NULL)
1276 {
1740c9fb 1277 if (c_quiet && !c_debug)
d02b48c6
RE		 1278 {
1279 bio_c_out=BIO_new(BIO_s_null());
1740c9fb
DSH		 1280 if (c_msg && !bio_c_msg)
1281 bio_c_msg=BIO_new_fp(stdout,BIO_NOCLOSE);
d02b48c6
RE		 1282 }
1283 else
1284 {
1285 if (bio_c_out == NULL)
1286 bio_c_out=BIO_new_fp(stdout,BIO_NOCLOSE);
1287 }
1288 }
1289
edc032b5
BL		 1290#ifndef OPENSSL_NO_SRP
1291 if(!app_passwd(bio_err, srppass, NULL, &srp_arg.srppassin, NULL))
1292 {
1293 BIO_printf(bio_err, "Error getting password\n");
1294 goto end;
1295 }
1296#endif
1297
d02b48c6
RE		 1298 ctx=SSL_CTX_new(meth);
1299 if (ctx == NULL)
1300 {
1301 ERR_print_errors(bio_err);
1302 goto end;
1303 }
1304
db99779b
DSH		 1305 if (vpm)
1306 SSL_CTX_set1_param(ctx, vpm);
1307
b252cf0d 1308 if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, 1, no_jpake))
5d2e07f1
DSH		 1309 {
1310 ERR_print_errors(bio_err);
1311 goto end;
1312 }
1313
0090a686
DSH		 1314 if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile,
1315 crls, crl_download))
a5afc0a8
DSH		 1316 {
1317 BIO_printf(bio_err, "Error loading store locations\n");
1318 ERR_print_errors(bio_err);
1319 goto end;
1320 }
1321
59d2d48f
DSH		 1322#ifndef OPENSSL_NO_ENGINE
1323 if (ssl_client_engine)
1324 {
1325 if (!SSL_CTX_set_client_cert_engine(ctx, ssl_client_engine))
1326 {
1327 BIO_puts(bio_err, "Error setting client auth engine\n");
1328 ERR_print_errors(bio_err);
1329 ENGINE_free(ssl_client_engine);
1330 goto end;
1331 }
1332 ENGINE_free(ssl_client_engine);
1333 }
1334#endif
1335
ddac1974 1336#ifndef OPENSSL_NO_PSK
79bd20fd
DSH		 1337#ifdef OPENSSL_NO_JPAKE
1338 if (psk_key != NULL)
1339#else
f3b7bdad 1340 if (psk_key != NULL || jpake_secret)
79bd20fd 1341#endif
ddac1974
NL		 1342 {
1343 if (c_debug)
f3b7bdad 1344 BIO_printf(bio_c_out, "PSK key given or JPAKE in use, setting client callback\n");
ddac1974
NL		 1345 SSL_CTX_set_psk_client_callback(ctx, psk_client_cb);
1346 }
333f926d
BL		 1347 if (srtp_profiles != NULL)
1348 SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles);
ddac1974 1349#endif
3208fc59 1350 if (exc) ssl_ctx_set_excert(ctx, exc);
36d16f8e
BL		 1351 /* DTLS: partial reads end up discarding unread UDP bytes :-(
1352 * Setting read ahead solves this problem.
1353 */
b1277b99 1354 if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
d02b48c6 1355
6f017a8f
AL		 1356#if !defined(OPENSSL_NO_TLSEXT)
1357# if !defined(OPENSSL_NO_NEXTPROTONEG)
ee2ffc27
BL		 1358 if (next_proto.data)
1359 SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);
6f017a8f
AL		 1360# endif
1361 if (alpn_in)
1362 {
1363 unsigned short alpn_len;
1364 unsigned char *alpn = next_protos_parse(&alpn_len, alpn_in);
1365
1366 if (alpn == NULL)
1367 {
1368 BIO_printf(bio_err, "Error parsing -alpn argument\n");
1369 goto end;
1370 }
1371 SSL_CTX_set_alpn_protos(ctx, alpn, alpn_len);
a8989362 1372 OPENSSL_free(alpn);
6f017a8f 1373 }
ee2ffc27 1374#endif
a398f821
T		 1375#ifndef OPENSSL_NO_TLSEXT
1376 if (serverinfo_types_count)
1377 {
1378 for (i = 0; i < serverinfo_types_count; i++)
1379 {
1380 SSL_CTX_set_custom_cli_ext(ctx,
1381 serverinfo_types[i],
1382 NULL,
1383 serverinfo_cli_cb,
1384 NULL);
1385 }
1386 }
1387#endif
ee2ffc27 1388
d02b48c6 1389 if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
d02b48c6
RE		 1390#if 0
1391 else
1392 SSL_CTX_set_cipher_list(ctx,getenv("SSL_CIPHER"));
1393#endif
1394
1395 SSL_CTX_set_verify(ctx,verify,verify_callback);
d02b48c6
RE		 1396
1397 if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
1398 (!SSL_CTX_set_default_verify_paths(ctx)))
1399 {
657e60fa 1400 /* BIO_printf(bio_err,"error setting default verify locations\n"); */
d02b48c6 1401 ERR_print_errors(bio_err);
58964a49 1402 /* goto end; */
d02b48c6
RE		 1403 }
1404
0090a686 1405 ssl_ctx_add_crls(ctx, crls, crl_download);
fdb78f3d 1406
4e71d952 1407 if (!set_cert_key_stuff(ctx,cert,key,chain,build_chain))
74ecfab4
DSH		 1408 goto end;
1409
ed3883d2 1410#ifndef OPENSSL_NO_TLSEXT
b1277b99
BM		 1411 if (servername != NULL)
1412 {
ed3883d2
BM		 1413 tlsextcbp.biodebug = bio_err;
1414 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
1415 SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
b1277b99 1416 }
edc032b5
BL		 1417#ifndef OPENSSL_NO_SRP
1418 if (srp_arg.srplogin)
1419 {
f2fc3075 1420 if (!srp_lateuser && !SSL_CTX_set_srp_username(ctx, srp_arg.srplogin))
edc032b5
BL		 1421 {
1422 BIO_printf(bio_err,"Unable to set SRP username\n");
1423 goto end;
1424 }
1425 srp_arg.msg = c_msg;
1426 srp_arg.debug = c_debug ;
1427 SSL_CTX_set_srp_cb_arg(ctx,&srp_arg);
1428 SSL_CTX_set_srp_client_pwd_callback(ctx, ssl_give_srp_client_pwd_cb);
1429 SSL_CTX_set_srp_strength(ctx, srp_arg.strength);
1430 if (c_msg || c_debug || srp_arg.amp == 0)
1431 SSL_CTX_set_srp_verify_param_callback(ctx, ssl_srp_verify_param_cb);
1432 }
1433
1434#endif
36086186
SD		 1435 if (c_auth)
1436 {
1437 SSL_CTX_set_custom_cli_ext(ctx, TLSEXT_TYPE_client_authz, authz_tlsext_generate_cb, authz_tlsext_cb, bio_err);
1438 SSL_CTX_set_custom_cli_ext(ctx, TLSEXT_TYPE_server_authz, authz_tlsext_generate_cb, authz_tlsext_cb, bio_err);
1439 SSL_CTX_set_cli_supp_data(ctx, TLSEXT_SUPPLEMENTALDATATYPE_authz_data, suppdata_cb, auth_suppdata_generate_cb, bio_err);
1440 }
ed3883d2 1441#endif
d02b48c6 1442
82fc1d9c 1443 con=SSL_new(ctx);
6434abbf
DSH		 1444 if (sess_in)
1445 {
1446 SSL_SESSION *sess;
1447 BIO *stmp = BIO_new_file(sess_in, "r");
1448 if (!stmp)
1449 {
1450 BIO_printf(bio_err, "Can't open session file %s\n",
1451 sess_in);
1452 ERR_print_errors(bio_err);
1453 goto end;
1454 }
1455 sess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL);
1456 BIO_free(stmp);
1457 if (!sess)
1458 {
1459 BIO_printf(bio_err, "Can't open session file %s\n",
1460 sess_in);
1461 ERR_print_errors(bio_err);
1462 goto end;
1463 }
1464 SSL_set_session(con, sess);
1465 SSL_SESSION_free(sess);
1466 }
ed3883d2 1467#ifndef OPENSSL_NO_TLSEXT
b1277b99
BM		 1468 if (servername != NULL)
1469 {
a13c20f6 1470 if (!SSL_set_tlsext_host_name(con,servername))
b1277b99 1471 {
ed3883d2
BM		 1472 BIO_printf(bio_err,"Unable to set TLS servername extension.\n");
1473 ERR_print_errors(bio_err);
1474 goto end;
b1277b99 1475 }
ed3883d2 1476 }
ed3883d2 1477#endif
cf1b7d96 1478#ifndef OPENSSL_NO_KRB5
4f7a2ab8 1479 if (con && (kctx = kssl_ctx_new()) != NULL)
f9b3bff6 1480 {
4f7a2ab8
DSH		 1481 SSL_set0_kssl_ctx(con, kctx);
1482 kssl_ctx_setstring(kctx, KSSL_SERVER, host);
f9b3bff6 1483 }
cf1b7d96 1484#endif /* OPENSSL_NO_KRB5 */
58964a49 1485/* SSL_set_cipher_list(con,"RC4-MD5"); */
761772d7
BM		 1486#if 0
1487#ifdef TLSEXT_TYPE_opaque_prf_input
86d4bc3a 1488 SSL_set_tlsext_opaque_prf_input(con, "Test client", 11);
761772d7
BM		 1489#endif
1490#endif
d02b48c6
RE		 1491
1492re_start:
1493
b1277b99 1494 if (init_client(&s,host,port,socket_type) == 0)
d02b48c6 1495 {
58964a49 1496 BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
d02b48c6
RE		 1497 SHUTDOWN(s);
1498 goto end;
1499 }
1500 BIO_printf(bio_c_out,"CONNECTED(%08X)\n",s);
1501
1502#ifdef FIONBIO
1503 if (c_nbio)
1504 {
1505 unsigned long l=1;
1506 BIO_printf(bio_c_out,"turning on non blocking io\n");
58964a49
RE		 1507 if (BIO_socket_ioctl(s,FIONBIO,&l) < 0)
1508 {
1509 ERR_print_errors(bio_err);
1510 goto end;
1511 }
d02b48c6
RE		 1512 }
1513#endif
08557cf2 1514 if (c_Pause & 0x01) SSL_set_debug(con, 1);
36d16f8e 1515
c3b344e3 1516 if (socket_type == SOCK_DGRAM)
36d16f8e 1517 {
36d16f8e
BL		 1518
1519 sbio=BIO_new_dgram(s,BIO_NOCLOSE);
6c61726b 1520 if (getsockname(s, &peer, (void *)&peerlen) < 0)
36d16f8e
BL		 1521 {
1522 BIO_printf(bio_err, "getsockname:errno=%d\n",
1523 get_last_socket_error());
1524 SHUTDOWN(s);
1525 goto end;
1526 }
1527
710069c1 1528 (void)BIO_ctrl_set_connected(sbio, 1, &peer);
36d16f8e 1529
b1277b99 1530 if (enable_timeouts)
36d16f8e
BL		 1531 {
1532 timeout.tv_sec = 0;
1533 timeout.tv_usec = DGRAM_RCV_TIMEOUT;
1534 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
1535
1536 timeout.tv_sec = 0;
1537 timeout.tv_usec = DGRAM_SND_TIMEOUT;
1538 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
1539 }
1540
046f2101 1541 if (socket_mtu > 28)
36d16f8e
BL		 1542 {
1543 SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
046f2101 1544 SSL_set_mtu(con, socket_mtu - 28);
36d16f8e
BL		 1545 }
1546 else
1547 /* want to do MTU discovery */
1548 BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
1549 }
1550 else
1551 sbio=BIO_new_socket(s,BIO_NOCLOSE);
1552
d02b48c6
RE		 1553 if (nbio_test)
1554 {
1555 BIO *test;
1556
1557 test=BIO_new(BIO_f_nbio_test());
1558 sbio=BIO_push(test,sbio);
1559 }
1560
1561 if (c_debug)
1562 {
08557cf2 1563 SSL_set_debug(con, 1);
25495640 1564 BIO_set_callback(sbio,bio_dump_callback);
7806f3dd 1565 BIO_set_callback_arg(sbio,(char *)bio_c_out);
d02b48c6 1566 }
a661b653
BM		 1567 if (c_msg)
1568 {
93ab9e42
DSH		 1569#ifndef OPENSSL_NO_SSL_TRACE
1570 if (c_msg == 2)
1571 SSL_set_msg_callback(con, SSL_trace);
1572 else
1573#endif
1574 SSL_set_msg_callback(con, msg_cb);
1575 SSL_set_msg_callback_arg(con, bio_c_msg ? bio_c_msg : bio_c_out);
a661b653 1576 }
6434abbf
DSH		 1577#ifndef OPENSSL_NO_TLSEXT
1578 if (c_tlsextdebug)
1579 {
1580 SSL_set_tlsext_debug_callback(con, tlsext_cb);
1581 SSL_set_tlsext_debug_arg(con, bio_c_out);
1582 }
67c8e7f4
DSH		 1583 if (c_status_req)
1584 {
1585 SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp);
1586 SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb);
1587 SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out);
1588#if 0
1589{
1590STACK_OF(OCSP_RESPID) *ids = sk_OCSP_RESPID_new_null();
1591OCSP_RESPID *id = OCSP_RESPID_new();
1592id->value.byKey = ASN1_OCTET_STRING_new();
1593id->type = V_OCSP_RESPID_KEY;
1594ASN1_STRING_set(id->value.byKey, "Hello World", -1);
1595sk_OCSP_RESPID_push(ids, id);
1596SSL_set_tlsext_status_ids(con, ids);
1597}
1598#endif
1599 }
6434abbf 1600#endif
79bd20fd 1601#ifndef OPENSSL_NO_JPAKE
6caa4edd
BL		 1602 if (jpake_secret)
1603 jpake_client_auth(bio_c_out, sbio, jpake_secret);
ed551cdd 1604#endif
6caa4edd 1605
d02b48c6
RE		 1606 SSL_set_bio(con,sbio,sbio);
1607 SSL_set_connect_state(con);
1608
1609 /* ok, lets connect */
1610 width=SSL_get_fd(con)+1;
1611
1612 read_tty=1;
1613 write_tty=0;
1614 tty_on=0;
1615 read_ssl=1;
1616 write_ssl=1;
1617
1618 cbuf_len=0;
1619 cbuf_off=0;
1620 sbuf_len=0;
1621 sbuf_off=0;
1622
135c0af1 1623 /* This is an ugly hack that does a lot of assumptions */
ee373e7f
LJ		 1624 /* We do have to handle multi-line responses which may come
1625 in a single packet or not. We therefore have to use
1626 BIO_gets() which does need a buffering BIO. So during
1627 the initial chitchat we do push a buffering BIO into the
1628 chain that is removed again later on to not disturb the
1629 rest of the s_client operation. */
85c67492 1630 if (starttls_proto == PROTO_SMTP)
135c0af1 1631 {
8d72476e 1632 int foundit=0;
ee373e7f
LJ		 1633 BIO *fbio = BIO_new(BIO_f_buffer());
1634 BIO_push(fbio, sbio);
85c67492
RL		 1635 /* wait for multi-line response to end from SMTP */
1636 do
1637 {
ee373e7f 1638 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
85c67492
RL		 1639 }
1640 while (mbuf_len>3 && mbuf[3]=='-');
8d72476e 1641 /* STARTTLS command requires EHLO... */
ee373e7f 1642 BIO_printf(fbio,"EHLO openssl.client.net\r\n");
710069c1 1643 (void)BIO_flush(fbio);
8d72476e
LJ		 1644 /* wait for multi-line response to end EHLO SMTP response */
1645 do
1646 {
ee373e7f 1647 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
8d72476e
LJ		 1648 if (strstr(mbuf,"STARTTLS"))
1649 foundit=1;
1650 }
1651 while (mbuf_len>3 && mbuf[3]=='-');
710069c1 1652 (void)BIO_flush(fbio);
ee373e7f
LJ		 1653 BIO_pop(fbio);
1654 BIO_free(fbio);
8d72476e
LJ		 1655 if (!foundit)
1656 BIO_printf(bio_err,
1657 "didn't found starttls in server response,"
1658 " try anyway...\n");
135c0af1
RL		 1659 BIO_printf(sbio,"STARTTLS\r\n");
1660 BIO_read(sbio,sbuf,BUFSIZZ);
1661 }
85c67492 1662 else if (starttls_proto == PROTO_POP3)
4f17dfcd
LJ		 1663 {
1664 BIO_read(sbio,mbuf,BUFSIZZ);
1665 BIO_printf(sbio,"STLS\r\n");
1666 BIO_read(sbio,sbuf,BUFSIZZ);
1667 }
85c67492
RL		 1668 else if (starttls_proto == PROTO_IMAP)
1669 {
8d72476e 1670 int foundit=0;
ee373e7f
LJ		 1671 BIO *fbio = BIO_new(BIO_f_buffer());
1672 BIO_push(fbio, sbio);
1673 BIO_gets(fbio,mbuf,BUFSIZZ);
8d72476e 1674 /* STARTTLS command requires CAPABILITY... */
ee373e7f 1675 BIO_printf(fbio,". CAPABILITY\r\n");
710069c1 1676 (void)BIO_flush(fbio);
8d72476e
LJ		 1677 /* wait for multi-line CAPABILITY response */
1678 do
1679 {
ee373e7f 1680 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
8d72476e
LJ		 1681 if (strstr(mbuf,"STARTTLS"))
1682 foundit=1;
1683 }
ee373e7f 1684 while (mbuf_len>3 && mbuf[0]!='.');
710069c1 1685 (void)BIO_flush(fbio);
ee373e7f
LJ		 1686 BIO_pop(fbio);
1687 BIO_free(fbio);
8d72476e
LJ		 1688 if (!foundit)
1689 BIO_printf(bio_err,
1690 "didn't found STARTTLS in server response,"
1691 " try anyway...\n");
1692 BIO_printf(sbio,". STARTTLS\r\n");
85c67492
RL		 1693 BIO_read(sbio,sbuf,BUFSIZZ);
1694 }
1695 else if (starttls_proto == PROTO_FTP)
1696 {
ee373e7f
LJ		 1697 BIO *fbio = BIO_new(BIO_f_buffer());
1698 BIO_push(fbio, sbio);
85c67492
RL		 1699 /* wait for multi-line response to end from FTP */
1700 do
1701 {
ee373e7f 1702 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
85c67492
RL		 1703 }
1704 while (mbuf_len>3 && mbuf[3]=='-');
710069c1 1705 (void)BIO_flush(fbio);
ee373e7f
LJ		 1706 BIO_pop(fbio);
1707 BIO_free(fbio);
85c67492
RL		 1708 BIO_printf(sbio,"AUTH TLS\r\n");
1709 BIO_read(sbio,sbuf,BUFSIZZ);
1710 }
d5bbead4
BL		 1711 if (starttls_proto == PROTO_XMPP)
1712 {
1713 int seen = 0;
1714 BIO_printf(sbio,"<stream:stream "
1715 "xmlns:stream='http://etherx.jabber.org/streams' "
d2625fd6
BL		 1716 "xmlns='jabber:client' to='%s' version='1.0'>", xmpphost ?
1717 xmpphost : host);
d5bbead4
BL		 1718 seen = BIO_read(sbio,mbuf,BUFSIZZ);
1719 mbuf[seen] = 0;
4e48c775
CALP		 1720 while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'") &&
1721 !strstr(mbuf, "<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\""))
d5bbead4 1722 {
d5bbead4 1723 seen = BIO_read(sbio,mbuf,BUFSIZZ);
4249d4ba
CALP		 1724
1725 if (seen <= 0)
1726 goto shut;
1727
d5bbead4
BL		 1728 mbuf[seen] = 0;
1729 }
1730 BIO_printf(sbio, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>");
1731 seen = BIO_read(sbio,sbuf,BUFSIZZ);
1732 sbuf[seen] = 0;
1733 if (!strstr(sbuf, "<proceed"))
1734 goto shut;
1735 mbuf[0] = 0;
1736 }
135c0af1 1737
d02b48c6
RE		 1738 for (;;)
1739 {
1740 FD_ZERO(&readfds);
1741 FD_ZERO(&writefds);
1742
b972fbaa
DSH		 1743 if ((SSL_version(con) == DTLS1_VERSION) &&
1744 DTLSv1_get_timeout(con, &timeout))
1745 timeoutp = &timeout;
1746 else
1747 timeoutp = NULL;
1748
58964a49 1749 if (SSL_in_init(con) && !SSL_total_renegotiations(con))
d02b48c6
RE		 1750 {
1751 in_init=1;
1752 tty_on=0;
1753 }
1754 else
1755 {
1756 tty_on=1;
1757 if (in_init)
1758 {
1759 in_init=0;
761772d7 1760#if 0 /* This test doesn't really work as intended (needs to be fixed) */
ed3883d2 1761#ifndef OPENSSL_NO_TLSEXT
b166f13e
BM		 1762 if (servername != NULL && !SSL_session_reused(con))
1763 {
1764 BIO_printf(bio_c_out,"Server did %sacknowledge servername extension.\n",tlsextcbp.ack?"":"not ");
1765 }
761772d7 1766#endif
ed3883d2 1767#endif
6434abbf
DSH		 1768 if (sess_out)
1769 {
1770 BIO *stmp = BIO_new_file(sess_out, "w");
1771 if (stmp)
1772 {
1773 PEM_write_bio_SSL_SESSION(stmp, SSL_get_session(con));
1774 BIO_free(stmp);
1775 }
1776 else
1777 BIO_printf(bio_err, "Error writing session file %s\n", sess_out);
1778 }
2a7cbe77
DSH		 1779 if (c_brief)
1780 {
1781 BIO_puts(bio_err,
1782 "CONNECTION ESTABLISHED\n");
1783 print_ssl_summary(bio_err, con);
1784 }
67c408ce
SD		 1785 /*handshake is complete - free the generated supp data allocated in the callback */
1786 if (generated_supp_data)
1787 {
1788 OPENSSL_free(generated_supp_data);
1789 generated_supp_data = NULL;
1790 }
1791
d02b48c6
RE		 1792 print_stuff(bio_c_out,con,full_log);
1793 if (full_log > 0) full_log--;
1794
4f17dfcd 1795 if (starttls_proto)
135c0af1
RL		 1796 {
1797 BIO_printf(bio_err,"%s",mbuf);
1798 /* We don't need to know any more */
85c67492 1799 starttls_proto = PROTO_OFF;
135c0af1
RL		 1800 }
1801
d02b48c6
RE		 1802 if (reconnect)
1803 {
1804 reconnect--;
1805 BIO_printf(bio_c_out,"drop connection and then reconnect\n");
1806 SSL_shutdown(con);
1807 SSL_set_connect_state(con);
1808 SHUTDOWN(SSL_get_fd(con));
1809 goto re_start;
1810 }
1811 }
1812 }
1813
c7ac31e2
BM		 1814 ssl_pending = read_ssl && SSL_pending(con);
1815
1816 if (!ssl_pending)
d02b48c6 1817 {
4700aea9 1818#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) && !defined (OPENSSL_SYS_BEOS_R5)
c7ac31e2
BM		 1819 if (tty_on)
1820 {
7bf7333d
DSH		 1821 if (read_tty) openssl_fdset(fileno(stdin),&readfds);
1822 if (write_tty) openssl_fdset(fileno(stdout),&writefds);
c7ac31e2 1823 }
c7ac31e2 1824 if (read_ssl)
7bf7333d 1825 openssl_fdset(SSL_get_fd(con),&readfds);
c7ac31e2 1826 if (write_ssl)
7bf7333d 1827 openssl_fdset(SSL_get_fd(con),&writefds);
06f4536a
DSH		 1828#else
1829 if(!tty_on || !write_tty) {
1830 if (read_ssl)
7bf7333d 1831 openssl_fdset(SSL_get_fd(con),&readfds);
06f4536a 1832 if (write_ssl)
7bf7333d 1833 openssl_fdset(SSL_get_fd(con),&writefds);
06f4536a
DSH		 1834 }
1835#endif
c7ac31e2
BM		 1836/* printf("mode tty(%d %d%d) ssl(%d%d)\n",
1837 tty_on,read_tty,write_tty,read_ssl,write_ssl);*/
d02b48c6 1838
75e0770d 1839 /* Note: under VMS with SOCKETSHR the second parameter
7d7d2cbc
UM		 1840 * is currently of type (int *) whereas under other
1841 * systems it is (void *) if you don't have a cast it
1842 * will choke the compiler: if you do have a cast then
1843 * you can either go for (int *) or (void *).
1844 */
3d7c4a5a
RL		 1845#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
1846 /* Under Windows/DOS we make the assumption that we can
06f4536a
DSH		 1847 * always write to the tty: therefore if we need to
1848 * write to the tty we just fall through. Otherwise
1849 * we timeout the select every second and see if there
1850 * are any keypresses. Note: this is a hack, in a proper
1851 * Windows application we wouldn't do this.
1852 */
4ec19e20 1853 i=0;
06f4536a
DSH		 1854 if(!write_tty) {
1855 if(read_tty) {
1856 tv.tv_sec = 1;
1857 tv.tv_usec = 0;
1858 i=select(width,(void *)&readfds,(void *)&writefds,
1859 NULL,&tv);
3d7c4a5a 1860#if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
0bf23d9b
RL		 1861 if(!i && (!_kbhit() || !read_tty) ) continue;
1862#else
a9ef75c5 1863 if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue;
0bf23d9b 1864#endif
06f4536a 1865 } else i=select(width,(void *)&readfds,(void *)&writefds,
b972fbaa 1866 NULL,timeoutp);
06f4536a 1867 }
47c1735a
RL		 1868#elif defined(OPENSSL_SYS_NETWARE)
1869 if(!write_tty) {
1870 if(read_tty) {
1871 tv.tv_sec = 1;
1872 tv.tv_usec = 0;
1873 i=select(width,(void *)&readfds,(void *)&writefds,
1874 NULL,&tv);
1875 } else i=select(width,(void *)&readfds,(void *)&writefds,
b972fbaa 1876 NULL,timeoutp);
47c1735a 1877 }
4700aea9
UM		 1878#elif defined(OPENSSL_SYS_BEOS_R5)
1879 /* Under BeOS-R5 the situation is similar to DOS */
1880 i=0;
1881 stdin_set = 0;
1882 (void)fcntl(fileno(stdin), F_SETFL, O_NONBLOCK);
1883 if(!write_tty) {
1884 if(read_tty) {
1885 tv.tv_sec = 1;
1886 tv.tv_usec = 0;
1887 i=select(width,(void *)&readfds,(void *)&writefds,
1888 NULL,&tv);
1889 if (read(fileno(stdin), sbuf, 0) >= 0)
1890 stdin_set = 1;
1891 if (!i && (stdin_set != 1 || !read_tty))
1892 continue;
1893 } else i=select(width,(void *)&readfds,(void *)&writefds,
b972fbaa 1894 NULL,timeoutp);
4700aea9
UM		 1895 }
1896 (void)fcntl(fileno(stdin), F_SETFL, 0);
06f4536a 1897#else
7d7d2cbc 1898 i=select(width,(void *)&readfds,(void *)&writefds,
b972fbaa 1899 NULL,timeoutp);
06f4536a 1900#endif
c7ac31e2
BM		 1901 if ( i < 0)
1902 {
1903 BIO_printf(bio_err,"bad select %d\n",
58964a49 1904 get_last_socket_error());
c7ac31e2
BM		 1905 goto shut;
1906 /* goto end; */
1907 }
d02b48c6
RE		 1908 }
1909
b972fbaa
DSH		 1910 if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0)
1911 {
478b50cf 1912 BIO_printf(bio_err,"TIMEOUT occurred\n");
b972fbaa
DSH		 1913 }
1914
c7ac31e2 1915 if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds))
d02b48c6
RE		 1916 {
1917 k=SSL_write(con,&(cbuf[cbuf_off]),
1918 (unsigned int)cbuf_len);
1919 switch (SSL_get_error(con,k))
1920 {
1921 case SSL_ERROR_NONE:
1922 cbuf_off+=k;
1923 cbuf_len-=k;
1924 if (k <= 0) goto end;
1925 /* we have done a write(con,NULL,0); */
1926 if (cbuf_len <= 0)
1927 {
1928 read_tty=1;
1929 write_ssl=0;
1930 }
1931 else /* if (cbuf_len > 0) */
1932 {
1933 read_tty=0;
1934 write_ssl=1;
1935 }
1936 break;
1937 case SSL_ERROR_WANT_WRITE:
1938 BIO_printf(bio_c_out,"write W BLOCK\n");
1939 write_ssl=1;
1940 read_tty=0;
1941 break;
1942 case SSL_ERROR_WANT_READ:
1943 BIO_printf(bio_c_out,"write R BLOCK\n");
1944 write_tty=0;
1945 read_ssl=1;
1946 write_ssl=0;
1947 break;
1948 case SSL_ERROR_WANT_X509_LOOKUP:
1949 BIO_printf(bio_c_out,"write X BLOCK\n");
1950 break;
1951 case SSL_ERROR_ZERO_RETURN:
1952 if (cbuf_len != 0)
1953 {
1954 BIO_printf(bio_c_out,"shutdown\n");
0e1dba93 1955 ret = 0;
d02b48c6
RE		 1956 goto shut;
1957 }
1958 else
1959 {
1960 read_tty=1;
1961 write_ssl=0;
1962 break;
1963 }
1964
1965 case SSL_ERROR_SYSCALL:
1966 if ((k != 0) || (cbuf_len != 0))
1967 {
1968 BIO_printf(bio_err,"write:errno=%d\n",
58964a49 1969 get_last_socket_error());
d02b48c6
RE		 1970 goto shut;
1971 }
1972 else
1973 {
1974 read_tty=1;
1975 write_ssl=0;
1976 }
1977 break;
1978 case SSL_ERROR_SSL:
1979 ERR_print_errors(bio_err);
1980 goto shut;
1981 }
1982 }
4700aea9
UM		 1983#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
1984 /* Assume Windows/DOS/BeOS can always write */
06f4536a
DSH		 1985 else if (!ssl_pending && write_tty)
1986#else
c7ac31e2 1987 else if (!ssl_pending && FD_ISSET(fileno(stdout),&writefds))
06f4536a 1988#endif
d02b48c6 1989 {
a53955d8
UM		 1990#ifdef CHARSET_EBCDIC
1991 ascii2ebcdic(&(sbuf[sbuf_off]),&(sbuf[sbuf_off]),sbuf_len);
1992#endif
ffa10187 1993 i=raw_write_stdout(&(sbuf[sbuf_off]),sbuf_len);
d02b48c6
RE		 1994
1995 if (i <= 0)
1996 {
1997 BIO_printf(bio_c_out,"DONE\n");
0e1dba93 1998 ret = 0;
d02b48c6
RE		 1999 goto shut;
2000 /* goto end; */
2001 }
2002
2003 sbuf_len-=i;;
2004 sbuf_off+=i;
2005 if (sbuf_len <= 0)
2006 {
2007 read_ssl=1;
2008 write_tty=0;
2009 }
2010 }
c7ac31e2 2011 else if (ssl_pending || FD_ISSET(SSL_get_fd(con),&readfds))
d02b48c6 2012 {
58964a49
RE		 2013#ifdef RENEG
2014{ static int iiii; if (++iiii == 52) { SSL_renegotiate(con); iiii=0; } }
2015#endif
dfeab068 2016#if 1
58964a49 2017 k=SSL_read(con,sbuf,1024 /* BUFSIZZ */ );
dfeab068
RE		 2018#else
2019/* Demo for pending and peek :-) */
2020 k=SSL_read(con,sbuf,16);
2021{ char zbuf[10240];
2022printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240));
2023}
2024#endif
d02b48c6
RE		 2025
2026 switch (SSL_get_error(con,k))
2027 {
2028 case SSL_ERROR_NONE:
2029 if (k <= 0)
2030 goto end;
2031 sbuf_off=0;
2032 sbuf_len=k;
2033
2034 read_ssl=0;
2035 write_tty=1;
2036 break;
2037 case SSL_ERROR_WANT_WRITE:
2038 BIO_printf(bio_c_out,"read W BLOCK\n");
2039 write_ssl=1;
2040 read_tty=0;
2041 break;
2042 case SSL_ERROR_WANT_READ:
2043 BIO_printf(bio_c_out,"read R BLOCK\n");
2044 write_tty=0;
2045 read_ssl=1;
2046 if ((read_tty == 0) && (write_ssl == 0))
2047 write_ssl=1;
2048 break;
2049 case SSL_ERROR_WANT_X509_LOOKUP:
2050 BIO_printf(bio_c_out,"read X BLOCK\n");
2051 break;
2052 case SSL_ERROR_SYSCALL:
0e1dba93 2053 ret=get_last_socket_error();
2537d469 2054 if (c_brief)
66d9f2e5
DSH		 2055 BIO_puts(bio_err, "CONNECTION CLOSED BY SERVER\n");
2056 else
2057 BIO_printf(bio_err,"read:errno=%d\n",ret);
d02b48c6
RE		 2058 goto shut;
2059 case SSL_ERROR_ZERO_RETURN:
2060 BIO_printf(bio_c_out,"closed\n");
0e1dba93 2061 ret=0;
d02b48c6
RE		 2062 goto shut;
2063 case SSL_ERROR_SSL:
2064 ERR_print_errors(bio_err);
2065 goto shut;
dfeab068 2066 /* break; */
d02b48c6
RE		 2067 }
2068 }
2069
3d7c4a5a
RL		 2070#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
2071#if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
0bf23d9b
RL		 2072 else if (_kbhit())
2073#else
a9ef75c5 2074 else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
0bf23d9b 2075#endif
4d8743f4 2076#elif defined (OPENSSL_SYS_NETWARE)
ffa10187 2077 else if (_kbhit())
4700aea9
UM		 2078#elif defined(OPENSSL_SYS_BEOS_R5)
2079 else if (stdin_set)
06f4536a 2080#else
d02b48c6 2081 else if (FD_ISSET(fileno(stdin),&readfds))
06f4536a 2082#endif
d02b48c6 2083 {
1bdb8633
BM		 2084 if (crlf)
2085 {
2086 int j, lf_num;
2087
ffa10187 2088 i=raw_read_stdin(cbuf,BUFSIZZ/2);
1bdb8633
BM		 2089 lf_num = 0;
2090 /* both loops are skipped when i <= 0 */
2091 for (j = 0; j < i; j++)
2092 if (cbuf[j] == '\n')
2093 lf_num++;
2094 for (j = i-1; j >= 0; j--)
2095 {
2096 cbuf[j+lf_num] = cbuf[j];
2097 if (cbuf[j] == '\n')
2098 {
2099 lf_num--;
2100 i++;
2101 cbuf[j+lf_num] = '\r';
2102 }
2103 }
2104 assert(lf_num == 0);
2105 }
2106 else
ffa10187 2107 i=raw_read_stdin(cbuf,BUFSIZZ);
d02b48c6 2108
ce301b6b 2109 if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q')))
d02b48c6
RE		 2110 {
2111 BIO_printf(bio_err,"DONE\n");
0e1dba93 2112 ret=0;
d02b48c6
RE		 2113 goto shut;
2114 }
2115
ce301b6b 2116 if ((!c_ign_eof) && (cbuf[0] == 'R'))
d02b48c6 2117 {
3bb307c1 2118 BIO_printf(bio_err,"RENEGOTIATING\n");
d02b48c6 2119 SSL_renegotiate(con);
3bb307c1 2120 cbuf_len=0;
d02b48c6 2121 }
4817504d
DSH		 2122#ifndef OPENSSL_NO_HEARTBEATS
2123 else if ((!c_ign_eof) && (cbuf[0] == 'B'))
2124 {
2125 BIO_printf(bio_err,"HEARTBEATING\n");
2126 SSL_heartbeat(con);
2127 cbuf_len=0;
2128 }
2129#endif
d02b48c6
RE		 2130 else
2131 {
2132 cbuf_len=i;
2133 cbuf_off=0;
a53955d8
UM		 2134#ifdef CHARSET_EBCDIC
2135 ebcdic2ascii(cbuf, cbuf, i);
2136#endif
d02b48c6
RE		 2137 }
2138
d02b48c6 2139 write_ssl=1;
3bb307c1 2140 read_tty=0;
d02b48c6 2141 }
d02b48c6 2142 }
0e1dba93
DSH		 2143
2144 ret=0;
d02b48c6 2145shut:
b166f13e
BM		 2146 if (in_init)
2147 print_stuff(bio_c_out,con,full_log);
d02b48c6
RE		 2148 SSL_shutdown(con);
2149 SHUTDOWN(SSL_get_fd(con));
d02b48c6 2150end:
d916ba1b
NL		 2151 if (con != NULL)
2152 {
2153 if (prexit != 0)
2154 print_stuff(bio_c_out,con,1);
2155 SSL_free(con);
2156 }
dd251659
DSH		 2157#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
2158 if (next_proto.data)
2159 OPENSSL_free(next_proto.data);
2160#endif
d02b48c6 2161 if (ctx != NULL) SSL_CTX_free(ctx);
826a42a0
DSH		 2162 if (cert)
2163 X509_free(cert);
fdb78f3d
DSH		 2164 if (crls)
2165 sk_X509_CRL_pop_free(crls, X509_CRL_free);
826a42a0
DSH		 2166 if (key)
2167 EVP_PKEY_free(key);
4e71d952
DSH		 2168 if (chain)
2169 sk_X509_pop_free(chain, X509_free);
826a42a0
DSH		 2170 if (pass)
2171 OPENSSL_free(pass);
22b5d7c8
DSH		 2172 if (vpm)
2173 X509_VERIFY_PARAM_free(vpm);
3208fc59 2174 ssl_excert_free(exc);
5d2e07f1
DSH		 2175 if (ssl_args)
2176 sk_OPENSSL_STRING_free(ssl_args);
2177 if (cctx)
2178 SSL_CONF_CTX_free(cctx);
b252cf0d
DSH		 2179#ifndef OPENSSL_NO_JPAKE
2180 if (jpake_secret && psk_key)
2181 OPENSSL_free(psk_key);
2182#endif
4579924b
RL		 2183 if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); }
2184 if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); }
2185 if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); }
d02b48c6
RE		 2186 if (bio_c_out != NULL)
2187 {
2188 BIO_free(bio_c_out);
2189 bio_c_out=NULL;
2190 }
93ab9e42
DSH		 2191 if (bio_c_msg != NULL)
2192 {
2193 BIO_free(bio_c_msg);
2194 bio_c_msg=NULL;
2195 }
c04f8cf4 2196 apps_shutdown();
1c3e4a36 2197 OPENSSL_EXIT(ret);
d02b48c6
RE		 2198 }
2199
2200
6b691a5c 2201static void print_stuff(BIO *bio, SSL *s, int full)
d02b48c6 2202 {
58964a49 2203 X509 *peer=NULL;
d02b48c6 2204 char *p;
7d727231 2205 static const char *space=" ";
d02b48c6 2206 char buf[BUFSIZ];
f73e07cf
BL		 2207 STACK_OF(X509) *sk;
2208 STACK_OF(X509_NAME) *sk2;
babb3798 2209 const SSL_CIPHER *c;
d02b48c6
RE		 2210 X509_NAME *xn;
2211 int j,i;
09b6c2ef 2212#ifndef OPENSSL_NO_COMP
d8ec0dcf 2213 const COMP_METHOD *comp, *expansion;
09b6c2ef 2214#endif
e0af0405 2215 unsigned char *exportedkeymat;
d02b48c6
RE		 2216
2217 if (full)
2218 {
bc2e519a
BM		 2219 int got_a_chain = 0;
2220
d02b48c6
RE		 2221 sk=SSL_get_peer_cert_chain(s);
2222 if (sk != NULL)
2223 {
bc2e519a
BM		 2224 got_a_chain = 1; /* we don't have it for SSL2 (yet) */
2225
dfeab068 2226 BIO_printf(bio,"---\nCertificate chain\n");
f73e07cf 2227 for (i=0; i<sk_X509_num(sk); i++)
d02b48c6 2228 {
f73e07cf 2229 X509_NAME_oneline(X509_get_subject_name(
54a656ef 2230 sk_X509_value(sk,i)),buf,sizeof buf);
d02b48c6 2231 BIO_printf(bio,"%2d s:%s\n",i,buf);
f73e07cf 2232 X509_NAME_oneline(X509_get_issuer_name(
54a656ef 2233 sk_X509_value(sk,i)),buf,sizeof buf);
d02b48c6 2234 BIO_printf(bio," i:%s\n",buf);
6d02d8e4 2235 if (c_showcerts)
f73e07cf 2236 PEM_write_bio_X509(bio,sk_X509_value(sk,i));
d02b48c6
RE		 2237 }
2238 }
2239
2240 BIO_printf(bio,"---\n");
2241 peer=SSL_get_peer_certificate(s);
2242 if (peer != NULL)
2243 {
2244 BIO_printf(bio,"Server certificate\n");
bc2e519a 2245 if (!(c_showcerts && got_a_chain)) /* Redundant if we showed the whole chain */
6d02d8e4 2246 PEM_write_bio_X509(bio,peer);
d02b48c6 2247 X509_NAME_oneline(X509_get_subject_name(peer),
54a656ef 2248 buf,sizeof buf);
d02b48c6
RE		 2249 BIO_printf(bio,"subject=%s\n",buf);
2250 X509_NAME_oneline(X509_get_issuer_name(peer),
54a656ef 2251 buf,sizeof buf);
d02b48c6 2252 BIO_printf(bio,"issuer=%s\n",buf);
d02b48c6
RE		 2253 }
2254 else
2255 BIO_printf(bio,"no peer certificate available\n");
2256
f73e07cf 2257 sk2=SSL_get_client_CA_list(s);
d91f8c3c 2258 if ((sk2 != NULL) && (sk_X509_NAME_num(sk2) > 0))
d02b48c6
RE		 2259 {
2260 BIO_printf(bio,"---\nAcceptable client certificate CA names\n");
f73e07cf 2261 for (i=0; i<sk_X509_NAME_num(sk2); i++)
d02b48c6 2262 {
f73e07cf 2263 xn=sk_X509_NAME_value(sk2,i);
d02b48c6
RE		 2264 X509_NAME_oneline(xn,buf,sizeof(buf));
2265 BIO_write(bio,buf,strlen(buf));
2266 BIO_write(bio,"\n",1);
2267 }
2268 }
2269 else
2270 {
2271 BIO_printf(bio,"---\nNo client certificate CA names sent\n");
2272 }
54a656ef 2273 p=SSL_get_shared_ciphers(s,buf,sizeof buf);
d02b48c6
RE		 2274 if (p != NULL)
2275 {
67a47285
BM		 2276 /* This works only for SSL 2. In later protocol
2277 * versions, the client does not know what other
2278 * ciphers (in addition to the one to be used
2279 * in the current connection) the server supports. */
2280
d02b48c6
RE		 2281 BIO_printf(bio,"---\nCiphers common between both SSL endpoints:\n");
2282 j=i=0;
2283 while (*p)
2284 {
2285 if (*p == ':')
2286 {
58964a49 2287 BIO_write(bio,space,15-j%25);
d02b48c6
RE		 2288 i++;
2289 j=0;
2290 BIO_write(bio,((i%3)?" ":"\n"),1);
2291 }
2292 else
2293 {
2294 BIO_write(bio,p,1);
2295 j++;
2296 }
2297 p++;
2298 }
2299 BIO_write(bio,"\n",1);
2300 }
2301
9f27b1ee 2302 ssl_print_sigalgs(bio, s);
33a8de69 2303 ssl_print_tmp_key(bio, s);
e7f8ff43 2304
d02b48c6
RE		 2305 BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n",
2306 BIO_number_read(SSL_get_rbio(s)),
2307 BIO_number_written(SSL_get_wbio(s)));
2308 }
08557cf2 2309 BIO_printf(bio,(SSL_cache_hit(s)?"---\nReused, ":"---\nNew, "));
d02b48c6
RE		 2310 c=SSL_get_current_cipher(s);
2311 BIO_printf(bio,"%s, Cipher is %s\n",
2312 SSL_CIPHER_get_version(c),
2313 SSL_CIPHER_get_name(c));
a8236c8c
DSH		 2314 if (peer != NULL) {
2315 EVP_PKEY *pktmp;
2316 pktmp = X509_get_pubkey(peer);
58964a49 2317 BIO_printf(bio,"Server public key is %d bit\n",
a8236c8c
DSH		 2318 EVP_PKEY_bits(pktmp));
2319 EVP_PKEY_free(pktmp);
2320 }
5430200b
DSH		 2321 BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
2322 SSL_get_secure_renegotiation_support(s) ? "" : " NOT");
09b6c2ef 2323#ifndef OPENSSL_NO_COMP
f44e184e 2324 comp=SSL_get_current_compression(s);
d8ec0dcf 2325 expansion=SSL_get_current_expansion(s);
f44e184e
RL		 2326 BIO_printf(bio,"Compression: %s\n",
2327 comp ? SSL_COMP_get_name(comp) : "NONE");
2328 BIO_printf(bio,"Expansion: %s\n",
d8ec0dcf 2329 expansion ? SSL_COMP_get_name(expansion) : "NONE");
09b6c2ef 2330#endif
71fa4513 2331
57559471 2332#ifdef SSL_DEBUG
a2f9200f
DSH		 2333 {
2334 /* Print out local port of connection: useful for debugging */
2335 int sock;
2336 struct sockaddr_in ladd;
2337 socklen_t ladd_size = sizeof(ladd);
2338 sock = SSL_get_fd(s);
2339 getsockname(sock, (struct sockaddr *)&ladd, &ladd_size);
2340 BIO_printf(bio_c_out, "LOCAL PORT is %u\n", ntohs(ladd.sin_port));
2341 }
2342#endif
2343
6f017a8f
AL		 2344#if !defined(OPENSSL_NO_TLSEXT)
2345# if !defined(OPENSSL_NO_NEXTPROTONEG)
71fa4513
BL		 2346 if (next_proto.status != -1) {
2347 const unsigned char *proto;
2348 unsigned int proto_len;
2349 SSL_get0_next_proto_negotiated(s, &proto, &proto_len);
2350 BIO_printf(bio, "Next protocol: (%d) ", next_proto.status);
2351 BIO_write(bio, proto, proto_len);
2352 BIO_write(bio, "\n", 1);
2353 }
6f017a8f
AL		 2354 {
2355 const unsigned char *proto;
2356 unsigned int proto_len;
2357 SSL_get0_alpn_selected(s, &proto, &proto_len);
2358 if (proto_len > 0)
2359 {
2360 BIO_printf(bio, "ALPN protocol: ");
2361 BIO_write(bio, proto, proto_len);
2362 BIO_write(bio, "\n", 1);
2363 }
2364 else
2365 BIO_printf(bio, "No ALPN negotiated\n");
2366 }
2367# endif
71fa4513
BL		 2368#endif
2369
333f926d
BL		 2370 {
2371 SRTP_PROTECTION_PROFILE *srtp_profile=SSL_get_selected_srtp_profile(s);
2372
2373 if(srtp_profile)
2374 BIO_printf(bio,"SRTP Extension negotiated, profile=%s\n",
2375 srtp_profile->name);
2376 }
2377
d02b48c6 2378 SSL_SESSION_print(bio,SSL_get_session(s));
be81f4dd
DSH		 2379 if (keymatexportlabel != NULL)
2380 {
e0af0405
BL		 2381 BIO_printf(bio, "Keying material exporter:\n");
2382 BIO_printf(bio, " Label: '%s'\n", keymatexportlabel);
2383 BIO_printf(bio, " Length: %i bytes\n", keymatexportlen);
2384 exportedkeymat = OPENSSL_malloc(keymatexportlen);
be81f4dd
DSH		 2385 if (exportedkeymat != NULL)
2386 {
2387 if (!SSL_export_keying_material(s, exportedkeymat,
2388 keymatexportlen,
2389 keymatexportlabel,
2390 strlen(keymatexportlabel),
2391 NULL, 0, 0))
2392 {
2393 BIO_printf(bio, " Error\n");
2394 }
2395 else
2396 {
e0af0405
BL		 2397 BIO_printf(bio, " Keying material: ");
2398 for (i=0; i<keymatexportlen; i++)
2399 BIO_printf(bio, "%02X",
2400 exportedkeymat[i]);
2401 BIO_printf(bio, "\n");
be81f4dd 2402 }
e0af0405 2403 OPENSSL_free(exportedkeymat);
be81f4dd 2404 }
e0af0405 2405 }
d02b48c6 2406 BIO_printf(bio,"---\n");
58964a49
RE		 2407 if (peer != NULL)
2408 X509_free(peer);
41ebed27 2409 /* flush, or debugging output gets mixed with http response */
710069c1 2410 (void)BIO_flush(bio);
d02b48c6
RE		 2411 }
2412
0702150f
DSH		 2413#ifndef OPENSSL_NO_TLSEXT
2414
67c8e7f4
DSH		 2415static int ocsp_resp_cb(SSL *s, void *arg)
2416 {
2417 const unsigned char *p;
2418 int len;
2419 OCSP_RESPONSE *rsp;
2420 len = SSL_get_tlsext_status_ocsp_resp(s, &p);
2421 BIO_puts(arg, "OCSP response: ");
2422 if (!p)
2423 {
2424 BIO_puts(arg, "no response sent\n");
2425 return 1;
2426 }
2427 rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
2428 if (!rsp)
2429 {
2430 BIO_puts(arg, "response parse error\n");
2431 BIO_dump_indent(arg, (char *)p, len, 4);
2432 return 0;
2433 }
2434 BIO_puts(arg, "\n======================================\n");
2435 OCSP_RESPONSE_print(arg, rsp, 0);
2436 BIO_puts(arg, "======================================\n");
2437 OCSP_RESPONSE_free(rsp);
2438 return 1;
2439 }
0702150f 2440
36086186
SD		 2441static int authz_tlsext_cb(SSL *s, unsigned short ext_type,
2442 const unsigned char *in,
2443 unsigned short inlen, int *al,
2444 void *arg)
a9e1c50b 2445 {
36086186 2446 if (TLSEXT_TYPE_server_authz == ext_type)
5eda213e
BL		 2447 server_provided_server_authz
2448 = (memchr(in, TLSEXT_AUTHZDATAFORMAT_dtcp, inlen) != NULL);
36086186
SD		 2449
2450 if (TLSEXT_TYPE_client_authz == ext_type)
5eda213e
BL		 2451 server_provided_client_authz
2452 = (memchr(in, TLSEXT_AUTHZDATAFORMAT_dtcp, inlen) != NULL);
36086186
SD		 2453
2454 return 1;
2455 }
2456
2457static int authz_tlsext_generate_cb(SSL *s, unsigned short ext_type,
2458 const unsigned char **out, unsigned short *outlen,
2459 void *arg)
2460 {
2461 if (c_auth)
a9e1c50b 2462 {
67c408ce
SD		 2463 /*if auth_require_reneg flag is set, only send extensions if
2464 renegotiation has occurred */
36086186
SD		 2465 if (!c_auth_require_reneg || (c_auth_require_reneg && SSL_num_renegotiations(s)))
2466 {
2467 *out = auth_ext_data;
2468 *outlen = 1;
2469 return 1;
2470 }
2471 }
a6a48e87 2472 /* no auth extension to send */
36086186
SD		 2473 return -1;
2474 }
2475
2476static int suppdata_cb(SSL *s, unsigned short supp_data_type,
2477 const unsigned char *in,
2478 unsigned short inlen, int *al,
2479 void *arg)
2480 {
2481 if (supp_data_type == TLSEXT_SUPPLEMENTALDATATYPE_authz_data)
2482 {
2483 most_recent_supplemental_data = in;
2484 most_recent_supplemental_data_length = inlen;
a9e1c50b
BL		 2485 }
2486 return 1;
2487 }
36086186
SD		 2488
2489static int auth_suppdata_generate_cb(SSL *s, unsigned short supp_data_type,
2490 const unsigned char **out,
2491 unsigned short *outlen, void *arg)
2492 {
36086186
SD		 2493 if (c_auth && server_provided_client_authz && server_provided_server_authz)
2494 {
67c408ce
SD		 2495 /*if auth_require_reneg flag is set, only send supplemental data if
2496 renegotiation has occurred */
5eda213e
BL		 2497 if (!c_auth_require_reneg
2498 || (c_auth_require_reneg && SSL_num_renegotiations(s)))
36086186 2499 {
67c408ce
SD		 2500 generated_supp_data = OPENSSL_malloc(10);
2501 memcpy(generated_supp_data, "5432154321", 10);
2502 *out = generated_supp_data;
36086186
SD		 2503 *outlen = 10;
2504 return 1;
2505 }
2506 }
a6a48e87 2507 /* no supplemental data to send */
36086186
SD		 2508 return -1;
2509 }
2510
0702150f 2511#endif
A mirror of the official openssl repository