]> git.ipfire.org Git - thirdparty/openssl.git/blame - apps/s_client.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Add support for application defined signature algorithms for use with
[thirdparty/openssl.git] / apps / s_client.c
CommitLineData
d02b48c6 1/* apps/s_client.c */
58964a49 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
d02b48c6
RE		 3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
a661b653 58/* ====================================================================
b1277b99 59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
a661b653
BM		 60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
ddac1974
NL		 111/* ====================================================================
112 * Copyright 2005 Nokia. All rights reserved.
113 *
114 * The portions of the attached software ("Contribution") is developed by
115 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
116 * license.
117 *
118 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120 * support (see RFC 4279) to OpenSSL.
121 *
122 * No patent licenses or other rights except those expressly stated in
123 * the OpenSSL open source license shall be deemed granted or received
124 * expressly, by implication, estoppel, or otherwise.
125 *
126 * No assurances are provided by Nokia that the Contribution does not
127 * infringe the patent or other intellectual property rights of any third
128 * party or that the license provides you with all the necessary rights
129 * to make use of the Contribution.
130 *
131 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
135 * OTHERWISE.
136 */
d02b48c6 137
1b1a6e78 138#include <assert.h>
ddac1974 139#include <ctype.h>
8c197cc5
UM		 140#include <stdio.h>
141#include <stdlib.h>
142#include <string.h>
be1bd923 143#include <openssl/e_os2.h>
cf1b7d96 144#ifdef OPENSSL_NO_STDIO
8c197cc5
UM		 145#define APPS_WIN16
146#endif
147
7d7d2cbc
UM		 148/* With IPv6, it looks like Digital has mixed up the proper order of
149 recursive header file inclusion, resulting in the compiler complaining
150 that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which
151 is needed to have fileno() declared correctly... So let's define u_int */
bc36ee62 152#if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
7d7d2cbc
UM		 153#define __U_INT
154typedef unsigned int u_int;
155#endif
156
d02b48c6 157#define USE_SOCKETS
d02b48c6 158#include "apps.h"
ec577822
BM		 159#include <openssl/x509.h>
160#include <openssl/ssl.h>
161#include <openssl/err.h>
162#include <openssl/pem.h>
1372965e 163#include <openssl/rand.h>
67c8e7f4 164#include <openssl/ocsp.h>
1e26a8ba 165#include <openssl/bn.h>
edc032b5
BL		 166#ifndef OPENSSL_NO_SRP
167#include <openssl/srp.h>
168#endif
d02b48c6 169#include "s_apps.h"
36d16f8e 170#include "timeouts.h"
d02b48c6 171
bc36ee62 172#if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
75e0770d 173/* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
7d7d2cbc
UM		 174#undef FIONBIO
175#endif
176
4700aea9
UM		 177#if defined(OPENSSL_SYS_BEOS_R5)
178#include <fcntl.h>
179#endif
180
d02b48c6
RE		 181#undef PROG
182#define PROG s_client_main
183
184/*#define SSL_HOST_NAME "www.netscape.com" */
185/*#define SSL_HOST_NAME "193.118.187.102" */
186#define SSL_HOST_NAME "localhost"
187
188/*#define TEST_CERT "client.pem" */ /* no default cert. */
189
190#undef BUFSIZZ
191#define BUFSIZZ 1024*8
192
193extern int verify_depth;
194extern int verify_error;
5d20c4fb 195extern int verify_return_error;
d02b48c6
RE		 196
197#ifdef FIONBIO
198static int c_nbio=0;
199#endif
200static int c_Pause=0;
201static int c_debug=0;
6434abbf
DSH		 202#ifndef OPENSSL_NO_TLSEXT
203static int c_tlsextdebug=0;
67c8e7f4 204static int c_status_req=0;
a9e1c50b 205static int c_proof_debug=0;
6434abbf 206#endif
a661b653 207static int c_msg=0;
6d02d8e4 208static int c_showcerts=0;
d02b48c6 209
e0af0405
BL		 210static char *keymatexportlabel=NULL;
211static int keymatexportlen=20;
212
d02b48c6
RE		 213static void sc_usage(void);
214static void print_stuff(BIO *berr,SSL *con,int full);
0702150f 215#ifndef OPENSSL_NO_TLSEXT
67c8e7f4 216static int ocsp_resp_cb(SSL *s, void *arg);
a9e1c50b 217static int audit_proof_cb(SSL *s, void *arg);
0702150f 218#endif
d02b48c6 219static BIO *bio_c_out=NULL;
93ab9e42 220static BIO *bio_c_msg=NULL;
d02b48c6 221static int c_quiet=0;
ce301b6b 222static int c_ign_eof=0;
d02b48c6 223
ddac1974
NL		 224#ifndef OPENSSL_NO_PSK
225/* Default PSK identity and key */
226static char *psk_identity="Client_identity";
f3b7bdad 227/*char *psk_key=NULL; by default PSK is not used */
ddac1974
NL		 228
229static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity,
230 unsigned int max_identity_len, unsigned char *psk,
231 unsigned int max_psk_len)
232 {
233 unsigned int psk_len = 0;
234 int ret;
235 BIGNUM *bn=NULL;
236
237 if (c_debug)
238 BIO_printf(bio_c_out, "psk_client_cb\n");
239 if (!hint)
240 {
241 /* no ServerKeyExchange message*/
242 if (c_debug)
243 BIO_printf(bio_c_out,"NULL received PSK identity hint, continuing anyway\n");
244 }
245 else if (c_debug)
246 BIO_printf(bio_c_out, "Received PSK identity hint '%s'\n", hint);
247
248 /* lookup PSK identity and PSK key based on the given identity hint here */
0ed6b526 249 ret = BIO_snprintf(identity, max_identity_len, "%s", psk_identity);
a0aa8b4b 250 if (ret < 0 || (unsigned int)ret > max_identity_len)
ddac1974
NL		 251 goto out_err;
252 if (c_debug)
253 BIO_printf(bio_c_out, "created identity '%s' len=%d\n", identity, ret);
254 ret=BN_hex2bn(&bn, psk_key);
255 if (!ret)
256 {
257 BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", psk_key);
258 if (bn)
259 BN_free(bn);
260 return 0;
261 }
262
a0aa8b4b 263 if ((unsigned int)BN_num_bytes(bn) > max_psk_len)
ddac1974
NL		 264 {
265 BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
266 max_psk_len, BN_num_bytes(bn));
267 BN_free(bn);
268 return 0;
269 }
270
271 psk_len=BN_bn2bin(bn, psk);
272 BN_free(bn);
273 if (psk_len == 0)
274 goto out_err;
275
276 if (c_debug)
277 BIO_printf(bio_c_out, "created PSK len=%d\n", psk_len);
278
279 return psk_len;
280 out_err:
281 if (c_debug)
282 BIO_printf(bio_err, "Error in PSK client callback\n");
283 return 0;
284 }
285#endif
286
6b691a5c 287static void sc_usage(void)
d02b48c6 288 {
b6cff93d 289 BIO_printf(bio_err,"usage: s_client args\n");
d02b48c6
RE		 290 BIO_printf(bio_err,"\n");
291 BIO_printf(bio_err," -host host - use -connect instead\n");
292 BIO_printf(bio_err," -port port - use -connect instead\n");
293 BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR);
294
295 BIO_printf(bio_err," -verify arg - turn on peer certificate verification\n");
296 BIO_printf(bio_err," -cert arg - certificate file to use, PEM format assumed\n");
826a42a0
DSH		 297 BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n");
298 BIO_printf(bio_err," -key arg - Private key file to use, in cert file if\n");
d02b48c6 299 BIO_printf(bio_err," not specified but cert file is.\n");
826a42a0
DSH		 300 BIO_printf(bio_err," -keyform arg - key format (PEM or DER) PEM default\n");
301 BIO_printf(bio_err," -pass arg - private key file pass phrase source\n");
d02b48c6
RE		 302 BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n");
303 BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n");
304 BIO_printf(bio_err," -reconnect - Drop and re-make the connection with the same Session-ID\n");
305 BIO_printf(bio_err," -pause - sleep(1) after each read(2) and write(2) system call\n");
6d02d8e4 306 BIO_printf(bio_err," -showcerts - show all certificates in the chain\n");
d02b48c6 307 BIO_printf(bio_err," -debug - extra output\n");
02a00bb0
AP		 308#ifdef WATT32
309 BIO_printf(bio_err," -wdebug - WATT-32 tcp debugging\n");
310#endif
a661b653 311 BIO_printf(bio_err," -msg - Show protocol messages\n");
d02b48c6
RE		 312 BIO_printf(bio_err," -nbio_test - more ssl protocol testing\n");
313 BIO_printf(bio_err," -state - print the 'ssl' states\n");
314#ifdef FIONBIO
315 BIO_printf(bio_err," -nbio - Run with non-blocking IO\n");
1bdb8633 316#endif
1bdb8633 317 BIO_printf(bio_err," -crlf - convert LF from terminal into CRLF\n");
d02b48c6 318 BIO_printf(bio_err," -quiet - no s_client output\n");
ce301b6b 319 BIO_printf(bio_err," -ign_eof - ignore input eof (default when -quiet)\n");
020d67fb 320 BIO_printf(bio_err," -no_ign_eof - don't ignore input eof\n");
ddac1974
NL		 321#ifndef OPENSSL_NO_PSK
322 BIO_printf(bio_err," -psk_identity arg - PSK identity\n");
323 BIO_printf(bio_err," -psk arg - PSK in hex (without 0x)\n");
79bd20fd 324# ifndef OPENSSL_NO_JPAKE
f3b7bdad
BL		 325 BIO_printf(bio_err," -jpake arg - JPAKE secret to use\n");
326# endif
edc032b5
BL		 327#endif
328#ifndef OPENSSL_NO_SRP
329 BIO_printf(bio_err," -srpuser user - SRP authentification for 'user'\n");
330 BIO_printf(bio_err," -srppass arg - password for 'user'\n");
331 BIO_printf(bio_err," -srp_lateuser - SRP username into second ClientHello message\n");
332 BIO_printf(bio_err," -srp_moregroups - Tolerate other than the known g N values.\n");
333 BIO_printf(bio_err," -srp_strength int - minimal mength in bits for N (default %d).\n",SRP_MINIMAL_N);
ddac1974 334#endif
d02b48c6
RE		 335 BIO_printf(bio_err," -ssl2 - just use SSLv2\n");
336 BIO_printf(bio_err," -ssl3 - just use SSLv3\n");
7409d7ad 337 BIO_printf(bio_err," -tls1_2 - just use TLSv1.2\n");
637f374a 338 BIO_printf(bio_err," -tls1_1 - just use TLSv1.1\n");
58964a49 339 BIO_printf(bio_err," -tls1 - just use TLSv1\n");
36d16f8e 340 BIO_printf(bio_err," -dtls1 - just use DTLSv1\n");
046f2101 341 BIO_printf(bio_err," -mtu - set the link layer MTU\n");
7409d7ad 342 BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
d02b48c6 343 BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n");
836f9960 344 BIO_printf(bio_err," -serverpref - Use server's cipher preferences (only SSLv2)\n");
657e60fa 345 BIO_printf(bio_err," -cipher - preferred cipher to use, use the 'openssl ciphers'\n");
dfeab068 346 BIO_printf(bio_err," command to see what is available\n");
135c0af1
RL		 347 BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n");
348 BIO_printf(bio_err," for those protocols that support it, where\n");
349 BIO_printf(bio_err," 'prot' defines which one to assume. Currently,\n");
d5bbead4
BL		 350 BIO_printf(bio_err," only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
351 BIO_printf(bio_err," are supported.\n");
0b13e9f0 352#ifndef OPENSSL_NO_ENGINE
5270e702 353 BIO_printf(bio_err," -engine id - Initialise and use the specified engine\n");
0b13e9f0 354#endif
52b621db 355 BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
014f62b6
DSH		 356 BIO_printf(bio_err," -sess_out arg - file to write SSL session to\n");
357 BIO_printf(bio_err," -sess_in arg - file to read SSL session from\n");
ed3883d2
BM		 358#ifndef OPENSSL_NO_TLSEXT
359 BIO_printf(bio_err," -servername host - Set TLS extension servername in ClientHello\n");
d24a9c8f 360 BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n");
67c8e7f4 361 BIO_printf(bio_err," -status - request certificate status from server\n");
d24a9c8f 362 BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n");
a9e1c50b 363 BIO_printf(bio_err," -proof_debug - request an audit proof and print its hex dump\n");
bf48836c 364# ifndef OPENSSL_NO_NEXTPROTONEG
ee2ffc27
BL		 365 BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
366# endif
ed3883d2 367#endif
2942dde5 368 BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
be81f4dd 369 BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
e0af0405
BL		 370 BIO_printf(bio_err," -keymatexport label - Export keying material using label\n");
371 BIO_printf(bio_err," -keymatexportlen len - Export len bytes of keying material (default 20)\n");
d02b48c6
RE		 372 }
373
ed3883d2
BM		 374#ifndef OPENSSL_NO_TLSEXT
375
376/* This is a context that we pass to callbacks */
377typedef struct tlsextctx_st {
378 BIO * biodebug;
379 int ack;
380} tlsextctx;
381
382
b1277b99
BM		 383static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
384 {
ed3883d2 385 tlsextctx * p = (tlsextctx *) arg;
8de5b7f5 386 const char * hn= SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
ed3883d2
BM		 387 if (SSL_get_servername_type(s) != -1)
388 p->ack = !SSL_session_reused(s) && hn != NULL;
389 else
f1fd4544 390 BIO_printf(bio_err,"Can't use SSL_get_servername\n");
ed3883d2 391
241520e6 392 return SSL_TLSEXT_ERR_OK;
b1277b99 393 }
ee2ffc27 394
edc032b5
BL		 395#ifndef OPENSSL_NO_SRP
396
397/* This is a context that we pass to all callbacks */
398typedef struct srp_arg_st
399 {
400 char *srppassin;
401 char *srplogin;
402 int msg; /* copy from c_msg */
403 int debug; /* copy from c_debug */
404 int amp; /* allow more groups */
405 int strength /* minimal size for N */ ;
406 } SRP_ARG;
407
408#define SRP_NUMBER_ITERATIONS_FOR_PRIME 64
409
f2fc3075 410static int srp_Verify_N_and_g(const BIGNUM *N, const BIGNUM *g)
edc032b5
BL		 411 {
412 BN_CTX *bn_ctx = BN_CTX_new();
413 BIGNUM *p = BN_new();
414 BIGNUM *r = BN_new();
415 int ret =
416 g != NULL && N != NULL && bn_ctx != NULL && BN_is_odd(N) &&
f2fc3075 417 BN_is_prime_ex(N, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
edc032b5
BL		 418 p != NULL && BN_rshift1(p, N) &&
419
420 /* p = (N-1)/2 */
f2fc3075 421 BN_is_prime_ex(p, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
edc032b5
BL		 422 r != NULL &&
423
424 /* verify g^((N-1)/2) == -1 (mod N) */
425 BN_mod_exp(r, g, p, N, bn_ctx) &&
426 BN_add_word(r, 1) &&
427 BN_cmp(r, N) == 0;
428
429 if(r)
430 BN_free(r);
431 if(p)
432 BN_free(p);
433 if(bn_ctx)
434 BN_CTX_free(bn_ctx);
435 return ret;
436 }
437
f2fc3075
DSH		 438/* This callback is used here for two purposes:
439 - extended debugging
440 - making some primality tests for unknown groups
441 The callback is only called for a non default group.
442
443 An application does not need the call back at all if
444 only the stanard groups are used. In real life situations,
445 client and server already share well known groups,
446 thus there is no need to verify them.
447 Furthermore, in case that a server actually proposes a group that
448 is not one of those defined in RFC 5054, it is more appropriate
449 to add the group to a static list and then compare since
450 primality tests are rather cpu consuming.
451*/
452
edc032b5
BL		 453static int MS_CALLBACK ssl_srp_verify_param_cb(SSL *s, void *arg)
454 {
455 SRP_ARG *srp_arg = (SRP_ARG *)arg;
456 BIGNUM *N = NULL, *g = NULL;
457 if (!(N = SSL_get_srp_N(s)) || !(g = SSL_get_srp_g(s)))
458 return 0;
459 if (srp_arg->debug || srp_arg->msg || srp_arg->amp == 1)
460 {
461 BIO_printf(bio_err, "SRP parameters:\n");
462 BIO_printf(bio_err,"\tN="); BN_print(bio_err,N);
463 BIO_printf(bio_err,"\n\tg="); BN_print(bio_err,g);
464 BIO_printf(bio_err,"\n");
465 }
466
467 if (SRP_check_known_gN_param(g,N))
468 return 1;
469
470 if (srp_arg->amp == 1)
471 {
472 if (srp_arg->debug)
473 BIO_printf(bio_err, "SRP param N and g are not known params, going to check deeper.\n");
474
f2fc3075 475/* The srp_moregroups is a real debugging feature.
edc032b5
BL		 476 Implementors should rather add the value to the known ones.
477 The minimal size has already been tested.
478*/
f2fc3075 479 if (BN_num_bits(g) <= BN_BITS && srp_Verify_N_and_g(N,g))
edc032b5
BL		 480 return 1;
481 }
482 BIO_printf(bio_err, "SRP param N and g rejected.\n");
483 return 0;
484 }
485
486#define PWD_STRLEN 1024
487
488static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
489 {
490 SRP_ARG *srp_arg = (SRP_ARG *)arg;
491 char *pass = (char *)OPENSSL_malloc(PWD_STRLEN+1);
492 PW_CB_DATA cb_tmp;
493 int l;
494
495 cb_tmp.password = (char *)srp_arg->srppassin;
496 cb_tmp.prompt_info = "SRP user";
497 if ((l = password_callback(pass, PWD_STRLEN, 0, &cb_tmp))<0)
498 {
499 BIO_printf (bio_err, "Can't read Password\n");
500 OPENSSL_free(pass);
501 return NULL;
502 }
503 *(pass+l)= '\0';
504
505 return pass;
506 }
507
edc032b5 508#endif
333f926d 509 char *srtp_profiles = NULL;
edc032b5 510
bf48836c 511# ifndef OPENSSL_NO_NEXTPROTONEG
ee2ffc27
BL		 512/* This the context that we pass to next_proto_cb */
513typedef struct tlsextnextprotoctx_st {
514 unsigned char *data;
515 unsigned short len;
516 int status;
517} tlsextnextprotoctx;
518
519static tlsextnextprotoctx next_proto;
520
521static int next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg)
522 {
523 tlsextnextprotoctx *ctx = arg;
524
525 if (!c_quiet)
526 {
527 /* We can assume that |in| is syntactically valid. */
528 unsigned i;
529 BIO_printf(bio_c_out, "Protocols advertised by server: ");
530 for (i = 0; i < inlen; )
531 {
532 if (i)
533 BIO_write(bio_c_out, ", ", 2);
534 BIO_write(bio_c_out, &in[i + 1], in[i]);
535 i += in[i] + 1;
536 }
537 BIO_write(bio_c_out, "\n", 1);
538 }
539
540 ctx->status = SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len);
541 return SSL_TLSEXT_ERR_OK;
542 }
bf48836c 543# endif /* ndef OPENSSL_NO_NEXTPROTONEG */
ed3883d2
BM		 544#endif
545
85c67492
RL		 546enum
547{
548 PROTO_OFF = 0,
549 PROTO_SMTP,
550 PROTO_POP3,
551 PROTO_IMAP,
d5bbead4 552 PROTO_FTP,
640b86cb 553 PROTO_XMPP
85c67492
RL		 554};
555
667ac4ec
RE		 556int MAIN(int, char **);
557
6b691a5c 558int MAIN(int argc, char **argv)
d02b48c6 559 {
ef51b4b9 560 unsigned int off=0, clr=0;
67b6f1ca 561 SSL *con=NULL;
4f7a2ab8
DSH		 562#ifndef OPENSSL_NO_KRB5
563 KSSL_CTX *kctx;
564#endif
d02b48c6 565 int s,k,width,state=0;
135c0af1 566 char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL;
d02b48c6
RE		 567 int cbuf_len,cbuf_off;
568 int sbuf_len,sbuf_off;
569 fd_set readfds,writefds;
570 short port=PORT;
571 int full_log=1;
572 char *host=SSL_HOST_NAME;
573 char *cert_file=NULL,*key_file=NULL;
826a42a0
DSH		 574 int cert_format = FORMAT_PEM, key_format = FORMAT_PEM;
575 char *passarg = NULL, *pass = NULL;
576 X509 *cert = NULL;
577 EVP_PKEY *key = NULL;
d02b48c6
RE		 578 char *CApath=NULL,*CAfile=NULL,*cipher=NULL;
579 int reconnect=0,badop=0,verify=SSL_VERIFY_NONE,bugs=0;
1bdb8633 580 int crlf=0;
c7ac31e2 581 int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending;
d02b48c6
RE		 582 SSL_CTX *ctx=NULL;
583 int ret=1,in_init=1,i,nbio_test=0;
85c67492 584 int starttls_proto = PROTO_OFF;
db99779b
DSH		 585 int prexit = 0;
586 X509_VERIFY_PARAM *vpm = NULL;
587 int badarg = 0;
4ebb342f 588 const SSL_METHOD *meth=NULL;
b1277b99 589 int socket_type=SOCK_STREAM;
d02b48c6 590 BIO *sbio;
52b621db 591 char *inrand=NULL;
85c67492 592 int mbuf_len=0;
b972fbaa 593 struct timeval timeout, *timeoutp;
0b13e9f0 594#ifndef OPENSSL_NO_ENGINE
5270e702 595 char *engine_id=NULL;
59d2d48f 596 char *ssl_client_engine_id=NULL;
70531c14 597 ENGINE *ssl_client_engine=NULL;
0b13e9f0 598#endif
70531c14 599 ENGINE *e=NULL;
4700aea9 600#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
06f4536a 601 struct timeval tv;
4700aea9
UM		 602#if defined(OPENSSL_SYS_BEOS_R5)
603 int stdin_set = 0;
604#endif
06f4536a 605#endif
ed3883d2
BM		 606#ifndef OPENSSL_NO_TLSEXT
607 char *servername = NULL;
d0595f17 608 char *curves=NULL;
0f229cce 609 char *sigalgs=NULL;
ed3883d2
BM		 610 tlsextctx tlsextcbp =
611 {NULL,0};
bf48836c 612# ifndef OPENSSL_NO_NEXTPROTONEG
ee2ffc27
BL		 613 const char *next_proto_neg_in = NULL;
614# endif
ed3883d2 615#endif
6434abbf
DSH		 616 char *sess_in = NULL;
617 char *sess_out = NULL;
36d16f8e 618 struct sockaddr peer;
6c61726b 619 int peerlen = sizeof(peer);
36d16f8e 620 int enable_timeouts = 0 ;
b1277b99 621 long socket_mtu = 0;
79bd20fd 622#ifndef OPENSSL_NO_JPAKE
6caa4edd 623 char *jpake_secret = NULL;
ed551cdd 624#endif
edc032b5
BL		 625#ifndef OPENSSL_NO_SRP
626 char * srppass = NULL;
627 int srp_lateuser = 0;
628 SRP_ARG srp_arg = {NULL,NULL,0,0,0,1024};
629#endif
36d16f8e 630
d02b48c6 631 meth=SSLv23_client_method();
d02b48c6
RE		 632
633 apps_startup();
58964a49 634 c_Pause=0;
d02b48c6 635 c_quiet=0;
ce301b6b 636 c_ign_eof=0;
d02b48c6 637 c_debug=0;
a661b653 638 c_msg=0;
6d02d8e4 639 c_showcerts=0;
d02b48c6
RE		 640
641 if (bio_err == NULL)
642 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
643
3647bee2
DSH		 644 if (!load_config(bio_err, NULL))
645 goto end;
646
26a3a48d 647 if ( ((cbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
135c0af1
RL		 648 ((sbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
649 ((mbuf=OPENSSL_malloc(BUFSIZZ)) == NULL))
d02b48c6
RE		 650 {
651 BIO_printf(bio_err,"out of memory\n");
652 goto end;
653 }
654
655 verify_depth=0;
656 verify_error=X509_V_OK;
657#ifdef FIONBIO
658 c_nbio=0;
659#endif
660
661 argc--;
662 argv++;
663 while (argc >= 1)
664 {
665 if (strcmp(*argv,"-host") == 0)
666 {
667 if (--argc < 1) goto bad;
668 host= *(++argv);
669 }
670 else if (strcmp(*argv,"-port") == 0)
671 {
672 if (--argc < 1) goto bad;
673 port=atoi(*(++argv));
674 if (port == 0) goto bad;
675 }
676 else if (strcmp(*argv,"-connect") == 0)
677 {
678 if (--argc < 1) goto bad;
679 if (!extract_host_port(*(++argv),&host,NULL,&port))
680 goto bad;
681 }
682 else if (strcmp(*argv,"-verify") == 0)
683 {
684 verify=SSL_VERIFY_PEER;
685 if (--argc < 1) goto bad;
686 verify_depth=atoi(*(++argv));
687 BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
688 }
689 else if (strcmp(*argv,"-cert") == 0)
690 {
691 if (--argc < 1) goto bad;
692 cert_file= *(++argv);
693 }
6434abbf
DSH		 694 else if (strcmp(*argv,"-sess_out") == 0)
695 {
696 if (--argc < 1) goto bad;
697 sess_out = *(++argv);
698 }
699 else if (strcmp(*argv,"-sess_in") == 0)
700 {
701 if (--argc < 1) goto bad;
702 sess_in = *(++argv);
703 }
826a42a0
DSH		 704 else if (strcmp(*argv,"-certform") == 0)
705 {
706 if (--argc < 1) goto bad;
707 cert_format = str2fmt(*(++argv));
708 }
db99779b
DSH		 709 else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
710 {
711 if (badarg)
712 goto bad;
713 continue;
714 }
5d20c4fb
DSH		 715 else if (strcmp(*argv,"-verify_return_error") == 0)
716 verify_return_error = 1;
c3ed3b6e
DSH		 717 else if (strcmp(*argv,"-prexit") == 0)
718 prexit=1;
1bdb8633
BM		 719 else if (strcmp(*argv,"-crlf") == 0)
720 crlf=1;
d02b48c6 721 else if (strcmp(*argv,"-quiet") == 0)
ce301b6b 722 {
d02b48c6 723 c_quiet=1;
ce301b6b
RL		 724 c_ign_eof=1;
725 }
726 else if (strcmp(*argv,"-ign_eof") == 0)
727 c_ign_eof=1;
020d67fb
LJ		 728 else if (strcmp(*argv,"-no_ign_eof") == 0)
729 c_ign_eof=0;
d02b48c6
RE		 730 else if (strcmp(*argv,"-pause") == 0)
731 c_Pause=1;
732 else if (strcmp(*argv,"-debug") == 0)
733 c_debug=1;
6434abbf
DSH		 734#ifndef OPENSSL_NO_TLSEXT
735 else if (strcmp(*argv,"-tlsextdebug") == 0)
736 c_tlsextdebug=1;
67c8e7f4
DSH		 737 else if (strcmp(*argv,"-status") == 0)
738 c_status_req=1;
a9e1c50b
BL		 739 else if (strcmp(*argv,"-proof_debug") == 0)
740 c_proof_debug=1;
6434abbf 741#endif
02a00bb0
AP		 742#ifdef WATT32
743 else if (strcmp(*argv,"-wdebug") == 0)
744 dbug_init();
745#endif
a661b653
BM		 746 else if (strcmp(*argv,"-msg") == 0)
747 c_msg=1;
93ab9e42
DSH		 748 else if (strcmp(*argv,"-msgfile") == 0)
749 {
750 if (--argc < 1) goto bad;
751 bio_c_msg = BIO_new_file(*(++argv), "w");
752 }
753#ifndef OPENSSL_NO_SSL_TRACE
754 else if (strcmp(*argv,"-trace") == 0)
755 c_msg=2;
756#endif
6d02d8e4
BM		 757 else if (strcmp(*argv,"-showcerts") == 0)
758 c_showcerts=1;
d02b48c6
RE		 759 else if (strcmp(*argv,"-nbio_test") == 0)
760 nbio_test=1;
761 else if (strcmp(*argv,"-state") == 0)
762 state=1;
ddac1974
NL		 763#ifndef OPENSSL_NO_PSK
764 else if (strcmp(*argv,"-psk_identity") == 0)
765 {
766 if (--argc < 1) goto bad;
767 psk_identity=*(++argv);
768 }
769 else if (strcmp(*argv,"-psk") == 0)
770 {
771 size_t j;
772
773 if (--argc < 1) goto bad;
774 psk_key=*(++argv);
775 for (j = 0; j < strlen(psk_key); j++)
776 {
a50bce82 777 if (isxdigit((unsigned char)psk_key[j]))
ddac1974
NL		 778 continue;
779 BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
780 goto bad;
781 }
782 }
783#endif
edc032b5
BL		 784#ifndef OPENSSL_NO_SRP
785 else if (strcmp(*argv,"-srpuser") == 0)
786 {
787 if (--argc < 1) goto bad;
788 srp_arg.srplogin= *(++argv);
789 meth=TLSv1_client_method();
790 }
791 else if (strcmp(*argv,"-srppass") == 0)
792 {
793 if (--argc < 1) goto bad;
794 srppass= *(++argv);
795 meth=TLSv1_client_method();
796 }
797 else if (strcmp(*argv,"-srp_strength") == 0)
798 {
799 if (--argc < 1) goto bad;
800 srp_arg.strength=atoi(*(++argv));
801 BIO_printf(bio_err,"SRP minimal length for N is %d\n",srp_arg.strength);
802 meth=TLSv1_client_method();
803 }
804 else if (strcmp(*argv,"-srp_lateuser") == 0)
805 {
806 srp_lateuser= 1;
807 meth=TLSv1_client_method();
808 }
809 else if (strcmp(*argv,"-srp_moregroups") == 0)
810 {
811 srp_arg.amp=1;
812 meth=TLSv1_client_method();
813 }
814#endif
cf1b7d96 815#ifndef OPENSSL_NO_SSL2
d02b48c6
RE		 816 else if (strcmp(*argv,"-ssl2") == 0)
817 meth=SSLv2_client_method();
818#endif
cf1b7d96 819#ifndef OPENSSL_NO_SSL3
d02b48c6
RE		 820 else if (strcmp(*argv,"-ssl3") == 0)
821 meth=SSLv3_client_method();
58964a49 822#endif
cf1b7d96 823#ifndef OPENSSL_NO_TLS1
7409d7ad
DSH		 824 else if (strcmp(*argv,"-tls1_2") == 0)
825 meth=TLSv1_2_client_method();
637f374a
DSH		 826 else if (strcmp(*argv,"-tls1_1") == 0)
827 meth=TLSv1_1_client_method();
58964a49
RE		 828 else if (strcmp(*argv,"-tls1") == 0)
829 meth=TLSv1_client_method();
36d16f8e
BL		 830#endif
831#ifndef OPENSSL_NO_DTLS1
832 else if (strcmp(*argv,"-dtls1") == 0)
833 {
834 meth=DTLSv1_client_method();
b1277b99 835 socket_type=SOCK_DGRAM;
36d16f8e
BL		 836 }
837 else if (strcmp(*argv,"-timeout") == 0)
838 enable_timeouts=1;
839 else if (strcmp(*argv,"-mtu") == 0)
840 {
841 if (--argc < 1) goto bad;
b1277b99 842 socket_mtu = atol(*(++argv));
36d16f8e 843 }
d02b48c6
RE		 844#endif
845 else if (strcmp(*argv,"-bugs") == 0)
846 bugs=1;
826a42a0
DSH		 847 else if (strcmp(*argv,"-keyform") == 0)
848 {
849 if (--argc < 1) goto bad;
850 key_format = str2fmt(*(++argv));
851 }
852 else if (strcmp(*argv,"-pass") == 0)
853 {
854 if (--argc < 1) goto bad;
855 passarg = *(++argv);
856 }
d02b48c6
RE		 857 else if (strcmp(*argv,"-key") == 0)
858 {
859 if (--argc < 1) goto bad;
860 key_file= *(++argv);
861 }
862 else if (strcmp(*argv,"-reconnect") == 0)
863 {
864 reconnect=5;
865 }
866 else if (strcmp(*argv,"-CApath") == 0)
867 {
868 if (--argc < 1) goto bad;
869 CApath= *(++argv);
870 }
871 else if (strcmp(*argv,"-CAfile") == 0)
872 {
873 if (--argc < 1) goto bad;
874 CAfile= *(++argv);
875 }
7409d7ad
DSH		 876 else if (strcmp(*argv,"-no_tls1_2") == 0)
877 off|=SSL_OP_NO_TLSv1_2;
637f374a
DSH		 878 else if (strcmp(*argv,"-no_tls1_1") == 0)
879 off|=SSL_OP_NO_TLSv1_1;
58964a49
RE		 880 else if (strcmp(*argv,"-no_tls1") == 0)
881 off|=SSL_OP_NO_TLSv1;
882 else if (strcmp(*argv,"-no_ssl3") == 0)
883 off|=SSL_OP_NO_SSLv3;
884 else if (strcmp(*argv,"-no_ssl2") == 0)
885 off|=SSL_OP_NO_SSLv2;
566dda07
DSH		 886 else if (strcmp(*argv,"-no_comp") == 0)
887 { off|=SSL_OP_NO_COMPRESSION; }
6434abbf
DSH		 888#ifndef OPENSSL_NO_TLSEXT
889 else if (strcmp(*argv,"-no_ticket") == 0)
890 { off|=SSL_OP_NO_TICKET; }
bf48836c 891# ifndef OPENSSL_NO_NEXTPROTONEG
ee2ffc27
BL		 892 else if (strcmp(*argv,"-nextprotoneg") == 0)
893 {
894 if (--argc < 1) goto bad;
895 next_proto_neg_in = *(++argv);
896 }
897# endif
6434abbf 898#endif
836f9960
LJ		 899 else if (strcmp(*argv,"-serverpref") == 0)
900 off|=SSL_OP_CIPHER_SERVER_PREFERENCE;
2942dde5
DSH		 901 else if (strcmp(*argv,"-legacy_renegotiation") == 0)
902 off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
ef51b4b9
DSH		 903 else if (strcmp(*argv,"-legacy_server_connect") == 0)
904 { off|=SSL_OP_LEGACY_SERVER_CONNECT; }
905 else if (strcmp(*argv,"-no_legacy_server_connect") == 0)
906 { clr|=SSL_OP_LEGACY_SERVER_CONNECT; }
d02b48c6
RE		 907 else if (strcmp(*argv,"-cipher") == 0)
908 {
909 if (--argc < 1) goto bad;
910 cipher= *(++argv);
911 }
912#ifdef FIONBIO
913 else if (strcmp(*argv,"-nbio") == 0)
914 { c_nbio=1; }
915#endif
135c0af1
RL		 916 else if (strcmp(*argv,"-starttls") == 0)
917 {
918 if (--argc < 1) goto bad;
919 ++argv;
920 if (strcmp(*argv,"smtp") == 0)
85c67492 921 starttls_proto = PROTO_SMTP;
4f17dfcd 922 else if (strcmp(*argv,"pop3") == 0)
85c67492
RL		 923 starttls_proto = PROTO_POP3;
924 else if (strcmp(*argv,"imap") == 0)
925 starttls_proto = PROTO_IMAP;
926 else if (strcmp(*argv,"ftp") == 0)
927 starttls_proto = PROTO_FTP;
d5bbead4
BL		 928 else if (strcmp(*argv, "xmpp") == 0)
929 starttls_proto = PROTO_XMPP;
135c0af1
RL		 930 else
931 goto bad;
932 }
0b13e9f0 933#ifndef OPENSSL_NO_ENGINE
5270e702
RL		 934 else if (strcmp(*argv,"-engine") == 0)
935 {
936 if (--argc < 1) goto bad;
937 engine_id = *(++argv);
938 }
59d2d48f
DSH		 939 else if (strcmp(*argv,"-ssl_client_engine") == 0)
940 {
941 if (--argc < 1) goto bad;
942 ssl_client_engine_id = *(++argv);
943 }
0b13e9f0 944#endif
52b621db
LJ		 945 else if (strcmp(*argv,"-rand") == 0)
946 {
947 if (--argc < 1) goto bad;
948 inrand= *(++argv);
949 }
ed3883d2
BM		 950#ifndef OPENSSL_NO_TLSEXT
951 else if (strcmp(*argv,"-servername") == 0)
952 {
953 if (--argc < 1) goto bad;
954 servername= *(++argv);
955 /* meth=TLSv1_client_method(); */
956 }
d0595f17
DSH		 957 else if (strcmp(*argv,"-curves") == 0)
958 {
959 if (--argc < 1) goto bad;
960 curves= *(++argv);
961 }
0f229cce
DSH		 962 else if (strcmp(*argv,"-sigalgs") == 0)
963 {
964 if (--argc < 1) goto bad;
965 sigalgs= *(++argv);
966 }
ed3883d2 967#endif
79bd20fd 968#ifndef OPENSSL_NO_JPAKE
6caa4edd
BL		 969 else if (strcmp(*argv,"-jpake") == 0)
970 {
971 if (--argc < 1) goto bad;
972 jpake_secret = *++argv;
973 }
ed551cdd 974#endif
333f926d
BL		 975 else if (strcmp(*argv,"-use_srtp") == 0)
976 {
977 if (--argc < 1) goto bad;
978 srtp_profiles = *(++argv);
979 }
e0af0405
BL		 980 else if (strcmp(*argv,"-keymatexport") == 0)
981 {
982 if (--argc < 1) goto bad;
983 keymatexportlabel= *(++argv);
984 }
985 else if (strcmp(*argv,"-keymatexportlen") == 0)
986 {
987 if (--argc < 1) goto bad;
988 keymatexportlen=atoi(*(++argv));
989 if (keymatexportlen == 0) goto bad;
990 }
333f926d 991 else
d02b48c6
RE		 992 {
993 BIO_printf(bio_err,"unknown option %s\n",*argv);
994 badop=1;
995 break;
996 }
997 argc--;
998 argv++;
999 }
1000 if (badop)
1001 {
1002bad:
1003 sc_usage();
1004 goto end;
1005 }
1006
79bd20fd 1007#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
f3b7bdad
BL		 1008 if (jpake_secret)
1009 {
1010 if (psk_key)
1011 {
1012 BIO_printf(bio_err,
1013 "Can't use JPAKE and PSK together\n");
1014 goto end;
1015 }
1016 psk_identity = "JPAKE";
1017 }
1018
1019 if (cipher)
1020 {
1021 BIO_printf(bio_err, "JPAKE sets cipher to PSK\n");
1022 goto end;
1023 }
1024 cipher = "PSK";
1025#endif
1026
cead7f36
RL		 1027 OpenSSL_add_ssl_algorithms();
1028 SSL_load_error_strings();
1029
bf48836c 1030#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
ee2ffc27
BL		 1031 next_proto.status = -1;
1032 if (next_proto_neg_in)
1033 {
1034 next_proto.data = next_protos_parse(&next_proto.len, next_proto_neg_in);
1035 if (next_proto.data == NULL)
1036 {
1037 BIO_printf(bio_err, "Error parsing -nextprotoneg argument\n");
1038 goto end;
1039 }
1040 }
1041 else
1042 next_proto.data = NULL;
1043#endif
1044
0b13e9f0 1045#ifndef OPENSSL_NO_ENGINE
cead7f36 1046 e = setup_engine(bio_err, engine_id, 1);
59d2d48f
DSH		 1047 if (ssl_client_engine_id)
1048 {
1049 ssl_client_engine = ENGINE_by_id(ssl_client_engine_id);
1050 if (!ssl_client_engine)
1051 {
1052 BIO_printf(bio_err,
1053 "Error getting client auth engine\n");
1054 goto end;
1055 }
1056 }
1057
0b13e9f0 1058#endif
826a42a0
DSH		 1059 if (!app_passwd(bio_err, passarg, NULL, &pass, NULL))
1060 {
1061 BIO_printf(bio_err, "Error getting password\n");
1062 goto end;
1063 }
1064
1065 if (key_file == NULL)
1066 key_file = cert_file;
1067
abbc186b
DSH		 1068
1069 if (key_file)
1070
826a42a0 1071 {
abbc186b
DSH		 1072
1073 key = load_key(bio_err, key_file, key_format, 0, pass, e,
1074 "client certificate private key file");
1075 if (!key)
1076 {
1077 ERR_print_errors(bio_err);
1078 goto end;
1079 }
1080
826a42a0
DSH		 1081 }
1082
abbc186b 1083 if (cert_file)
826a42a0 1084
826a42a0 1085 {
abbc186b
DSH		 1086 cert = load_cert(bio_err,cert_file,cert_format,
1087 NULL, e, "client certificate file");
1088
1089 if (!cert)
1090 {
1091 ERR_print_errors(bio_err);
1092 goto end;
1093 }
826a42a0 1094 }
cead7f36 1095
52b621db
LJ		 1096 if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
1097 && !RAND_status())
1098 {
1099 BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
1100 }
1101 if (inrand != NULL)
1102 BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
1103 app_RAND_load_files(inrand));
a31011e8 1104
d02b48c6
RE		 1105 if (bio_c_out == NULL)
1106 {
a661b653 1107 if (c_quiet && !c_debug && !c_msg)
d02b48c6
RE		 1108 {
1109 bio_c_out=BIO_new(BIO_s_null());
1110 }
1111 else
1112 {
1113 if (bio_c_out == NULL)
1114 bio_c_out=BIO_new_fp(stdout,BIO_NOCLOSE);
1115 }
1116 }
1117
edc032b5
BL		 1118#ifndef OPENSSL_NO_SRP
1119 if(!app_passwd(bio_err, srppass, NULL, &srp_arg.srppassin, NULL))
1120 {
1121 BIO_printf(bio_err, "Error getting password\n");
1122 goto end;
1123 }
1124#endif
1125
d02b48c6
RE		 1126 ctx=SSL_CTX_new(meth);
1127 if (ctx == NULL)
1128 {
1129 ERR_print_errors(bio_err);
1130 goto end;
1131 }
1132
db99779b
DSH		 1133 if (vpm)
1134 SSL_CTX_set1_param(ctx, vpm);
1135
59d2d48f
DSH		 1136#ifndef OPENSSL_NO_ENGINE
1137 if (ssl_client_engine)
1138 {
1139 if (!SSL_CTX_set_client_cert_engine(ctx, ssl_client_engine))
1140 {
1141 BIO_puts(bio_err, "Error setting client auth engine\n");
1142 ERR_print_errors(bio_err);
1143 ENGINE_free(ssl_client_engine);
1144 goto end;
1145 }
1146 ENGINE_free(ssl_client_engine);
1147 }
1148#endif
1149
ddac1974 1150#ifndef OPENSSL_NO_PSK
79bd20fd
DSH		 1151#ifdef OPENSSL_NO_JPAKE
1152 if (psk_key != NULL)
1153#else
f3b7bdad 1154 if (psk_key != NULL || jpake_secret)
79bd20fd 1155#endif
ddac1974
NL		 1156 {
1157 if (c_debug)
f3b7bdad 1158 BIO_printf(bio_c_out, "PSK key given or JPAKE in use, setting client callback\n");
ddac1974
NL		 1159 SSL_CTX_set_psk_client_callback(ctx, psk_client_cb);
1160 }
333f926d
BL		 1161 if (srtp_profiles != NULL)
1162 SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles);
ddac1974 1163#endif
58964a49
RE		 1164 if (bugs)
1165 SSL_CTX_set_options(ctx,SSL_OP_ALL|off);
1166 else
1167 SSL_CTX_set_options(ctx,off);
ef51b4b9
DSH		 1168
1169 if (clr)
1170 SSL_CTX_clear_options(ctx, clr);
36d16f8e
BL		 1171 /* DTLS: partial reads end up discarding unread UDP bytes :-(
1172 * Setting read ahead solves this problem.
1173 */
b1277b99 1174 if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
d02b48c6 1175
bf48836c 1176#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
ee2ffc27
BL		 1177 if (next_proto.data)
1178 SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);
1179#endif
1180
d02b48c6
RE		 1181 if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
1182 if (cipher != NULL)
fabce041 1183 if(!SSL_CTX_set_cipher_list(ctx,cipher)) {
657e60fa 1184 BIO_printf(bio_err,"error setting cipher list\n");
fabce041
DSH		 1185 ERR_print_errors(bio_err);
1186 goto end;
1187 }
d02b48c6
RE		 1188#if 0
1189 else
1190 SSL_CTX_set_cipher_list(ctx,getenv("SSL_CIPHER"));
1191#endif
1192
1193 SSL_CTX_set_verify(ctx,verify,verify_callback);
fc6fc7ff 1194 if (!set_cert_key_stuff(ctx,cert,key, NULL))
d02b48c6
RE		 1195 goto end;
1196
1197 if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
1198 (!SSL_CTX_set_default_verify_paths(ctx)))
1199 {
657e60fa 1200 /* BIO_printf(bio_err,"error setting default verify locations\n"); */
d02b48c6 1201 ERR_print_errors(bio_err);
58964a49 1202 /* goto end; */
d02b48c6
RE		 1203 }
1204
ed3883d2 1205#ifndef OPENSSL_NO_TLSEXT
d0595f17
DSH		 1206 if (curves != NULL)
1207 if(!SSL_CTX_set1_curves_list(ctx,curves)) {
1208 BIO_printf(bio_err,"error setting curve list\n");
1209 ERR_print_errors(bio_err);
1210 goto end;
1211 }
0f229cce
DSH		 1212 if (sigalgs != NULL)
1213 if(!SSL_CTX_set1_sigalgs_list(ctx,sigalgs)) {
1214 BIO_printf(bio_err,"error setting signature algorithms list\n");
1215 ERR_print_errors(bio_err);
1216 goto end;
1217 }
b1277b99
BM		 1218 if (servername != NULL)
1219 {
ed3883d2
BM		 1220 tlsextcbp.biodebug = bio_err;
1221 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
1222 SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
b1277b99 1223 }
edc032b5
BL		 1224#ifndef OPENSSL_NO_SRP
1225 if (srp_arg.srplogin)
1226 {
f2fc3075 1227 if (!srp_lateuser && !SSL_CTX_set_srp_username(ctx, srp_arg.srplogin))
edc032b5
BL		 1228 {
1229 BIO_printf(bio_err,"Unable to set SRP username\n");
1230 goto end;
1231 }
1232 srp_arg.msg = c_msg;
1233 srp_arg.debug = c_debug ;
1234 SSL_CTX_set_srp_cb_arg(ctx,&srp_arg);
1235 SSL_CTX_set_srp_client_pwd_callback(ctx, ssl_give_srp_client_pwd_cb);
1236 SSL_CTX_set_srp_strength(ctx, srp_arg.strength);
1237 if (c_msg || c_debug || srp_arg.amp == 0)
1238 SSL_CTX_set_srp_verify_param_callback(ctx, ssl_srp_verify_param_cb);
1239 }
1240
1241#endif
a9e1c50b
BL		 1242 if (c_proof_debug)
1243 SSL_CTX_set_tlsext_authz_server_audit_proof_cb(ctx,
1244 audit_proof_cb);
ed3883d2 1245#endif
d02b48c6 1246
82fc1d9c 1247 con=SSL_new(ctx);
6434abbf
DSH		 1248 if (sess_in)
1249 {
1250 SSL_SESSION *sess;
1251 BIO *stmp = BIO_new_file(sess_in, "r");
1252 if (!stmp)
1253 {
1254 BIO_printf(bio_err, "Can't open session file %s\n",
1255 sess_in);
1256 ERR_print_errors(bio_err);
1257 goto end;
1258 }
1259 sess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL);
1260 BIO_free(stmp);
1261 if (!sess)
1262 {
1263 BIO_printf(bio_err, "Can't open session file %s\n",
1264 sess_in);
1265 ERR_print_errors(bio_err);
1266 goto end;
1267 }
1268 SSL_set_session(con, sess);
1269 SSL_SESSION_free(sess);
1270 }
ed3883d2 1271#ifndef OPENSSL_NO_TLSEXT
b1277b99
BM		 1272 if (servername != NULL)
1273 {
a13c20f6 1274 if (!SSL_set_tlsext_host_name(con,servername))
b1277b99 1275 {
ed3883d2
BM		 1276 BIO_printf(bio_err,"Unable to set TLS servername extension.\n");
1277 ERR_print_errors(bio_err);
1278 goto end;
b1277b99 1279 }
ed3883d2 1280 }
ed3883d2 1281#endif
cf1b7d96 1282#ifndef OPENSSL_NO_KRB5
4f7a2ab8 1283 if (con && (kctx = kssl_ctx_new()) != NULL)
f9b3bff6 1284 {
4f7a2ab8
DSH		 1285 SSL_set0_kssl_ctx(con, kctx);
1286 kssl_ctx_setstring(kctx, KSSL_SERVER, host);
f9b3bff6 1287 }
cf1b7d96 1288#endif /* OPENSSL_NO_KRB5 */
58964a49 1289/* SSL_set_cipher_list(con,"RC4-MD5"); */
761772d7
BM		 1290#if 0
1291#ifdef TLSEXT_TYPE_opaque_prf_input
86d4bc3a 1292 SSL_set_tlsext_opaque_prf_input(con, "Test client", 11);
761772d7
BM		 1293#endif
1294#endif
d02b48c6
RE		 1295
1296re_start:
1297
b1277b99 1298 if (init_client(&s,host,port,socket_type) == 0)
d02b48c6 1299 {
58964a49 1300 BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
d02b48c6
RE		 1301 SHUTDOWN(s);
1302 goto end;
1303 }
1304 BIO_printf(bio_c_out,"CONNECTED(%08X)\n",s);
1305
1306#ifdef FIONBIO
1307 if (c_nbio)
1308 {
1309 unsigned long l=1;
1310 BIO_printf(bio_c_out,"turning on non blocking io\n");
58964a49
RE		 1311 if (BIO_socket_ioctl(s,FIONBIO,&l) < 0)
1312 {
1313 ERR_print_errors(bio_err);
1314 goto end;
1315 }
d02b48c6
RE		 1316 }
1317#endif
08557cf2 1318 if (c_Pause & 0x01) SSL_set_debug(con, 1);
36d16f8e
BL		 1319
1320 if ( SSL_version(con) == DTLS1_VERSION)
1321 {
36d16f8e
BL		 1322
1323 sbio=BIO_new_dgram(s,BIO_NOCLOSE);
6c61726b 1324 if (getsockname(s, &peer, (void *)&peerlen) < 0)
36d16f8e
BL		 1325 {
1326 BIO_printf(bio_err, "getsockname:errno=%d\n",
1327 get_last_socket_error());
1328 SHUTDOWN(s);
1329 goto end;
1330 }
1331
710069c1 1332 (void)BIO_ctrl_set_connected(sbio, 1, &peer);
36d16f8e 1333
b1277b99 1334 if (enable_timeouts)
36d16f8e
BL		 1335 {
1336 timeout.tv_sec = 0;
1337 timeout.tv_usec = DGRAM_RCV_TIMEOUT;
1338 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
1339
1340 timeout.tv_sec = 0;
1341 timeout.tv_usec = DGRAM_SND_TIMEOUT;
1342 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
1343 }
1344
046f2101 1345 if (socket_mtu > 28)
36d16f8e
BL		 1346 {
1347 SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
046f2101 1348 SSL_set_mtu(con, socket_mtu - 28);
36d16f8e
BL		 1349 }
1350 else
1351 /* want to do MTU discovery */
1352 BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
1353 }
1354 else
1355 sbio=BIO_new_socket(s,BIO_NOCLOSE);
1356
d02b48c6
RE		 1357 if (nbio_test)
1358 {
1359 BIO *test;
1360
1361 test=BIO_new(BIO_f_nbio_test());
1362 sbio=BIO_push(test,sbio);
1363 }
1364
1365 if (c_debug)
1366 {
08557cf2 1367 SSL_set_debug(con, 1);
25495640 1368 BIO_set_callback(sbio,bio_dump_callback);
7806f3dd 1369 BIO_set_callback_arg(sbio,(char *)bio_c_out);
d02b48c6 1370 }
a661b653
BM		 1371 if (c_msg)
1372 {
93ab9e42
DSH		 1373#ifndef OPENSSL_NO_SSL_TRACE
1374 if (c_msg == 2)
1375 SSL_set_msg_callback(con, SSL_trace);
1376 else
1377#endif
1378 SSL_set_msg_callback(con, msg_cb);
1379 SSL_set_msg_callback_arg(con, bio_c_msg ? bio_c_msg : bio_c_out);
a661b653 1380 }
6434abbf
DSH		 1381#ifndef OPENSSL_NO_TLSEXT
1382 if (c_tlsextdebug)
1383 {
1384 SSL_set_tlsext_debug_callback(con, tlsext_cb);
1385 SSL_set_tlsext_debug_arg(con, bio_c_out);
1386 }
67c8e7f4
DSH		 1387 if (c_status_req)
1388 {
1389 SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp);
1390 SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb);
1391 SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out);
1392#if 0
1393{
1394STACK_OF(OCSP_RESPID) *ids = sk_OCSP_RESPID_new_null();
1395OCSP_RESPID *id = OCSP_RESPID_new();
1396id->value.byKey = ASN1_OCTET_STRING_new();
1397id->type = V_OCSP_RESPID_KEY;
1398ASN1_STRING_set(id->value.byKey, "Hello World", -1);
1399sk_OCSP_RESPID_push(ids, id);
1400SSL_set_tlsext_status_ids(con, ids);
1401}
1402#endif
1403 }
6434abbf 1404#endif
79bd20fd 1405#ifndef OPENSSL_NO_JPAKE
6caa4edd
BL		 1406 if (jpake_secret)
1407 jpake_client_auth(bio_c_out, sbio, jpake_secret);
ed551cdd 1408#endif
6caa4edd 1409
d02b48c6
RE		 1410 SSL_set_bio(con,sbio,sbio);
1411 SSL_set_connect_state(con);
1412
1413 /* ok, lets connect */
1414 width=SSL_get_fd(con)+1;
1415
1416 read_tty=1;
1417 write_tty=0;
1418 tty_on=0;
1419 read_ssl=1;
1420 write_ssl=1;
1421
1422 cbuf_len=0;
1423 cbuf_off=0;
1424 sbuf_len=0;
1425 sbuf_off=0;
1426
135c0af1 1427 /* This is an ugly hack that does a lot of assumptions */
ee373e7f
LJ		 1428 /* We do have to handle multi-line responses which may come
1429 in a single packet or not. We therefore have to use
1430 BIO_gets() which does need a buffering BIO. So during
1431 the initial chitchat we do push a buffering BIO into the
1432 chain that is removed again later on to not disturb the
1433 rest of the s_client operation. */
85c67492 1434 if (starttls_proto == PROTO_SMTP)
135c0af1 1435 {
8d72476e 1436 int foundit=0;
ee373e7f
LJ		 1437 BIO *fbio = BIO_new(BIO_f_buffer());
1438 BIO_push(fbio, sbio);
85c67492
RL		 1439 /* wait for multi-line response to end from SMTP */
1440 do
1441 {
ee373e7f 1442 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
85c67492
RL		 1443 }
1444 while (mbuf_len>3 && mbuf[3]=='-');
8d72476e 1445 /* STARTTLS command requires EHLO... */
ee373e7f 1446 BIO_printf(fbio,"EHLO openssl.client.net\r\n");
710069c1 1447 (void)BIO_flush(fbio);
8d72476e
LJ		 1448 /* wait for multi-line response to end EHLO SMTP response */
1449 do
1450 {
ee373e7f 1451 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
8d72476e
LJ		 1452 if (strstr(mbuf,"STARTTLS"))
1453 foundit=1;
1454 }
1455 while (mbuf_len>3 && mbuf[3]=='-');
710069c1 1456 (void)BIO_flush(fbio);
ee373e7f
LJ		 1457 BIO_pop(fbio);
1458 BIO_free(fbio);
8d72476e
LJ		 1459 if (!foundit)
1460 BIO_printf(bio_err,
1461 "didn't found starttls in server response,"
1462 " try anyway...\n");
135c0af1
RL		 1463 BIO_printf(sbio,"STARTTLS\r\n");
1464 BIO_read(sbio,sbuf,BUFSIZZ);
1465 }
85c67492 1466 else if (starttls_proto == PROTO_POP3)
4f17dfcd
LJ		 1467 {
1468 BIO_read(sbio,mbuf,BUFSIZZ);
1469 BIO_printf(sbio,"STLS\r\n");
1470 BIO_read(sbio,sbuf,BUFSIZZ);
1471 }
85c67492
RL		 1472 else if (starttls_proto == PROTO_IMAP)
1473 {
8d72476e 1474 int foundit=0;
ee373e7f
LJ		 1475 BIO *fbio = BIO_new(BIO_f_buffer());
1476 BIO_push(fbio, sbio);
1477 BIO_gets(fbio,mbuf,BUFSIZZ);
8d72476e 1478 /* STARTTLS command requires CAPABILITY... */
ee373e7f 1479 BIO_printf(fbio,". CAPABILITY\r\n");
710069c1 1480 (void)BIO_flush(fbio);
8d72476e
LJ		 1481 /* wait for multi-line CAPABILITY response */
1482 do
1483 {
ee373e7f 1484 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
8d72476e
LJ		 1485 if (strstr(mbuf,"STARTTLS"))
1486 foundit=1;
1487 }
ee373e7f 1488 while (mbuf_len>3 && mbuf[0]!='.');
710069c1 1489 (void)BIO_flush(fbio);
ee373e7f
LJ		 1490 BIO_pop(fbio);
1491 BIO_free(fbio);
8d72476e
LJ		 1492 if (!foundit)
1493 BIO_printf(bio_err,
1494 "didn't found STARTTLS in server response,"
1495 " try anyway...\n");
1496 BIO_printf(sbio,". STARTTLS\r\n");
85c67492
RL		 1497 BIO_read(sbio,sbuf,BUFSIZZ);
1498 }
1499 else if (starttls_proto == PROTO_FTP)
1500 {
ee373e7f
LJ		 1501 BIO *fbio = BIO_new(BIO_f_buffer());
1502 BIO_push(fbio, sbio);
85c67492
RL		 1503 /* wait for multi-line response to end from FTP */
1504 do
1505 {
ee373e7f 1506 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
85c67492
RL		 1507 }
1508 while (mbuf_len>3 && mbuf[3]=='-');
710069c1 1509 (void)BIO_flush(fbio);
ee373e7f
LJ		 1510 BIO_pop(fbio);
1511 BIO_free(fbio);
85c67492
RL		 1512 BIO_printf(sbio,"AUTH TLS\r\n");
1513 BIO_read(sbio,sbuf,BUFSIZZ);
1514 }
d5bbead4
BL		 1515 if (starttls_proto == PROTO_XMPP)
1516 {
1517 int seen = 0;
1518 BIO_printf(sbio,"<stream:stream "
1519 "xmlns:stream='http://etherx.jabber.org/streams' "
1520 "xmlns='jabber:client' to='%s' version='1.0'>", host);
1521 seen = BIO_read(sbio,mbuf,BUFSIZZ);
1522 mbuf[seen] = 0;
1523 while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'"))
1524 {
1525 if (strstr(mbuf, "/stream:features>"))
1526 goto shut;
1527 seen = BIO_read(sbio,mbuf,BUFSIZZ);
1528 mbuf[seen] = 0;
1529 }
1530 BIO_printf(sbio, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>");
1531 seen = BIO_read(sbio,sbuf,BUFSIZZ);
1532 sbuf[seen] = 0;
1533 if (!strstr(sbuf, "<proceed"))
1534 goto shut;
1535 mbuf[0] = 0;
1536 }
135c0af1 1537
d02b48c6
RE		 1538 for (;;)
1539 {
1540 FD_ZERO(&readfds);
1541 FD_ZERO(&writefds);
1542
b972fbaa
DSH		 1543 if ((SSL_version(con) == DTLS1_VERSION) &&
1544 DTLSv1_get_timeout(con, &timeout))
1545 timeoutp = &timeout;
1546 else
1547 timeoutp = NULL;
1548
58964a49 1549 if (SSL_in_init(con) && !SSL_total_renegotiations(con))
d02b48c6
RE		 1550 {
1551 in_init=1;
1552 tty_on=0;
1553 }
1554 else
1555 {
1556 tty_on=1;
1557 if (in_init)
1558 {
1559 in_init=0;
761772d7 1560#if 0 /* This test doesn't really work as intended (needs to be fixed) */
ed3883d2 1561#ifndef OPENSSL_NO_TLSEXT
b166f13e
BM		 1562 if (servername != NULL && !SSL_session_reused(con))
1563 {
1564 BIO_printf(bio_c_out,"Server did %sacknowledge servername extension.\n",tlsextcbp.ack?"":"not ");
1565 }
761772d7 1566#endif
ed3883d2 1567#endif
6434abbf
DSH		 1568 if (sess_out)
1569 {
1570 BIO *stmp = BIO_new_file(sess_out, "w");
1571 if (stmp)
1572 {
1573 PEM_write_bio_SSL_SESSION(stmp, SSL_get_session(con));
1574 BIO_free(stmp);
1575 }
1576 else
1577 BIO_printf(bio_err, "Error writing session file %s\n", sess_out);
1578 }
d02b48c6
RE		 1579 print_stuff(bio_c_out,con,full_log);
1580 if (full_log > 0) full_log--;
1581
4f17dfcd 1582 if (starttls_proto)
135c0af1
RL		 1583 {
1584 BIO_printf(bio_err,"%s",mbuf);
1585 /* We don't need to know any more */
85c67492 1586 starttls_proto = PROTO_OFF;
135c0af1
RL		 1587 }
1588
d02b48c6
RE		 1589 if (reconnect)
1590 {
1591 reconnect--;
1592 BIO_printf(bio_c_out,"drop connection and then reconnect\n");
1593 SSL_shutdown(con);
1594 SSL_set_connect_state(con);
1595 SHUTDOWN(SSL_get_fd(con));
1596 goto re_start;
1597 }
1598 }
1599 }
1600
c7ac31e2
BM		 1601 ssl_pending = read_ssl && SSL_pending(con);
1602
1603 if (!ssl_pending)
d02b48c6 1604 {
4700aea9 1605#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) && !defined (OPENSSL_SYS_BEOS_R5)
c7ac31e2
BM		 1606 if (tty_on)
1607 {
7bf7333d
DSH		 1608 if (read_tty) openssl_fdset(fileno(stdin),&readfds);
1609 if (write_tty) openssl_fdset(fileno(stdout),&writefds);
c7ac31e2 1610 }
c7ac31e2 1611 if (read_ssl)
7bf7333d 1612 openssl_fdset(SSL_get_fd(con),&readfds);
c7ac31e2 1613 if (write_ssl)
7bf7333d 1614 openssl_fdset(SSL_get_fd(con),&writefds);
06f4536a
DSH		 1615#else
1616 if(!tty_on || !write_tty) {
1617 if (read_ssl)
7bf7333d 1618 openssl_fdset(SSL_get_fd(con),&readfds);
06f4536a 1619 if (write_ssl)
7bf7333d 1620 openssl_fdset(SSL_get_fd(con),&writefds);
06f4536a
DSH		 1621 }
1622#endif
c7ac31e2
BM		 1623/* printf("mode tty(%d %d%d) ssl(%d%d)\n",
1624 tty_on,read_tty,write_tty,read_ssl,write_ssl);*/
d02b48c6 1625
75e0770d 1626 /* Note: under VMS with SOCKETSHR the second parameter
7d7d2cbc
UM		 1627 * is currently of type (int *) whereas under other
1628 * systems it is (void *) if you don't have a cast it
1629 * will choke the compiler: if you do have a cast then
1630 * you can either go for (int *) or (void *).
1631 */
3d7c4a5a
RL		 1632#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
1633 /* Under Windows/DOS we make the assumption that we can
06f4536a
DSH		 1634 * always write to the tty: therefore if we need to
1635 * write to the tty we just fall through. Otherwise
1636 * we timeout the select every second and see if there
1637 * are any keypresses. Note: this is a hack, in a proper
1638 * Windows application we wouldn't do this.
1639 */
4ec19e20 1640 i=0;
06f4536a
DSH		 1641 if(!write_tty) {
1642 if(read_tty) {
1643 tv.tv_sec = 1;
1644 tv.tv_usec = 0;
1645 i=select(width,(void *)&readfds,(void *)&writefds,
1646 NULL,&tv);
3d7c4a5a 1647#if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
0bf23d9b
RL		 1648 if(!i && (!_kbhit() || !read_tty) ) continue;
1649#else
a9ef75c5 1650 if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue;
0bf23d9b 1651#endif
06f4536a 1652 } else i=select(width,(void *)&readfds,(void *)&writefds,
b972fbaa 1653 NULL,timeoutp);
06f4536a 1654 }
47c1735a
RL		 1655#elif defined(OPENSSL_SYS_NETWARE)
1656 if(!write_tty) {
1657 if(read_tty) {
1658 tv.tv_sec = 1;
1659 tv.tv_usec = 0;
1660 i=select(width,(void *)&readfds,(void *)&writefds,
1661 NULL,&tv);
1662 } else i=select(width,(void *)&readfds,(void *)&writefds,
b972fbaa 1663 NULL,timeoutp);
47c1735a 1664 }
4700aea9
UM		 1665#elif defined(OPENSSL_SYS_BEOS_R5)
1666 /* Under BeOS-R5 the situation is similar to DOS */
1667 i=0;
1668 stdin_set = 0;
1669 (void)fcntl(fileno(stdin), F_SETFL, O_NONBLOCK);
1670 if(!write_tty) {
1671 if(read_tty) {
1672 tv.tv_sec = 1;
1673 tv.tv_usec = 0;
1674 i=select(width,(void *)&readfds,(void *)&writefds,
1675 NULL,&tv);
1676 if (read(fileno(stdin), sbuf, 0) >= 0)
1677 stdin_set = 1;
1678 if (!i && (stdin_set != 1 || !read_tty))
1679 continue;
1680 } else i=select(width,(void *)&readfds,(void *)&writefds,
b972fbaa 1681 NULL,timeoutp);
4700aea9
UM		 1682 }
1683 (void)fcntl(fileno(stdin), F_SETFL, 0);
06f4536a 1684#else
7d7d2cbc 1685 i=select(width,(void *)&readfds,(void *)&writefds,
b972fbaa 1686 NULL,timeoutp);
06f4536a 1687#endif
c7ac31e2
BM		 1688 if ( i < 0)
1689 {
1690 BIO_printf(bio_err,"bad select %d\n",
58964a49 1691 get_last_socket_error());
c7ac31e2
BM		 1692 goto shut;
1693 /* goto end; */
1694 }
d02b48c6
RE		 1695 }
1696
b972fbaa
DSH		 1697 if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0)
1698 {
1699 BIO_printf(bio_err,"TIMEOUT occured\n");
1700 }
1701
c7ac31e2 1702 if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds))
d02b48c6
RE		 1703 {
1704 k=SSL_write(con,&(cbuf[cbuf_off]),
1705 (unsigned int)cbuf_len);
1706 switch (SSL_get_error(con,k))
1707 {
1708 case SSL_ERROR_NONE:
1709 cbuf_off+=k;
1710 cbuf_len-=k;
1711 if (k <= 0) goto end;
1712 /* we have done a write(con,NULL,0); */
1713 if (cbuf_len <= 0)
1714 {
1715 read_tty=1;
1716 write_ssl=0;
1717 }
1718 else /* if (cbuf_len > 0) */
1719 {
1720 read_tty=0;
1721 write_ssl=1;
1722 }
1723 break;
1724 case SSL_ERROR_WANT_WRITE:
1725 BIO_printf(bio_c_out,"write W BLOCK\n");
1726 write_ssl=1;
1727 read_tty=0;
1728 break;
1729 case SSL_ERROR_WANT_READ:
1730 BIO_printf(bio_c_out,"write R BLOCK\n");
1731 write_tty=0;
1732 read_ssl=1;
1733 write_ssl=0;
1734 break;
1735 case SSL_ERROR_WANT_X509_LOOKUP:
1736 BIO_printf(bio_c_out,"write X BLOCK\n");
1737 break;
1738 case SSL_ERROR_ZERO_RETURN:
1739 if (cbuf_len != 0)
1740 {
1741 BIO_printf(bio_c_out,"shutdown\n");
0e1dba93 1742 ret = 0;
d02b48c6
RE		 1743 goto shut;
1744 }
1745 else
1746 {
1747 read_tty=1;
1748 write_ssl=0;
1749 break;
1750 }
1751
1752 case SSL_ERROR_SYSCALL:
1753 if ((k != 0) || (cbuf_len != 0))
1754 {
1755 BIO_printf(bio_err,"write:errno=%d\n",
58964a49 1756 get_last_socket_error());
d02b48c6
RE		 1757 goto shut;
1758 }
1759 else
1760 {
1761 read_tty=1;
1762 write_ssl=0;
1763 }
1764 break;
1765 case SSL_ERROR_SSL:
1766 ERR_print_errors(bio_err);
1767 goto shut;
1768 }
1769 }
4700aea9
UM		 1770#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
1771 /* Assume Windows/DOS/BeOS can always write */
06f4536a
DSH		 1772 else if (!ssl_pending && write_tty)
1773#else
c7ac31e2 1774 else if (!ssl_pending && FD_ISSET(fileno(stdout),&writefds))
06f4536a 1775#endif
d02b48c6 1776 {
a53955d8
UM		 1777#ifdef CHARSET_EBCDIC
1778 ascii2ebcdic(&(sbuf[sbuf_off]),&(sbuf[sbuf_off]),sbuf_len);
1779#endif
ffa10187 1780 i=raw_write_stdout(&(sbuf[sbuf_off]),sbuf_len);
d02b48c6
RE		 1781
1782 if (i <= 0)
1783 {
1784 BIO_printf(bio_c_out,"DONE\n");
0e1dba93 1785 ret = 0;
d02b48c6
RE		 1786 goto shut;
1787 /* goto end; */
1788 }
1789
1790 sbuf_len-=i;;
1791 sbuf_off+=i;
1792 if (sbuf_len <= 0)
1793 {
1794 read_ssl=1;
1795 write_tty=0;
1796 }
1797 }
c7ac31e2 1798 else if (ssl_pending || FD_ISSET(SSL_get_fd(con),&readfds))
d02b48c6 1799 {
58964a49
RE		 1800#ifdef RENEG
1801{ static int iiii; if (++iiii == 52) { SSL_renegotiate(con); iiii=0; } }
1802#endif
dfeab068 1803#if 1
58964a49 1804 k=SSL_read(con,sbuf,1024 /* BUFSIZZ */ );
dfeab068
RE		 1805#else
1806/* Demo for pending and peek :-) */
1807 k=SSL_read(con,sbuf,16);
1808{ char zbuf[10240];
1809printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240));
1810}
1811#endif
d02b48c6
RE		 1812
1813 switch (SSL_get_error(con,k))
1814 {
1815 case SSL_ERROR_NONE:
1816 if (k <= 0)
1817 goto end;
1818 sbuf_off=0;
1819 sbuf_len=k;
1820
1821 read_ssl=0;
1822 write_tty=1;
1823 break;
1824 case SSL_ERROR_WANT_WRITE:
1825 BIO_printf(bio_c_out,"read W BLOCK\n");
1826 write_ssl=1;
1827 read_tty=0;
1828 break;
1829 case SSL_ERROR_WANT_READ:
1830 BIO_printf(bio_c_out,"read R BLOCK\n");
1831 write_tty=0;
1832 read_ssl=1;
1833 if ((read_tty == 0) && (write_ssl == 0))
1834 write_ssl=1;
1835 break;
1836 case SSL_ERROR_WANT_X509_LOOKUP:
1837 BIO_printf(bio_c_out,"read X BLOCK\n");
1838 break;
1839 case SSL_ERROR_SYSCALL:
0e1dba93
DSH		 1840 ret=get_last_socket_error();
1841 BIO_printf(bio_err,"read:errno=%d\n",ret);
d02b48c6
RE		 1842 goto shut;
1843 case SSL_ERROR_ZERO_RETURN:
1844 BIO_printf(bio_c_out,"closed\n");
0e1dba93 1845 ret=0;
d02b48c6
RE		 1846 goto shut;
1847 case SSL_ERROR_SSL:
1848 ERR_print_errors(bio_err);
1849 goto shut;
dfeab068 1850 /* break; */
d02b48c6
RE		 1851 }
1852 }
1853
3d7c4a5a
RL		 1854#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
1855#if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
0bf23d9b
RL		 1856 else if (_kbhit())
1857#else
a9ef75c5 1858 else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
0bf23d9b 1859#endif
4d8743f4 1860#elif defined (OPENSSL_SYS_NETWARE)
ffa10187 1861 else if (_kbhit())
4700aea9
UM		 1862#elif defined(OPENSSL_SYS_BEOS_R5)
1863 else if (stdin_set)
06f4536a 1864#else
d02b48c6 1865 else if (FD_ISSET(fileno(stdin),&readfds))
06f4536a 1866#endif
d02b48c6 1867 {
1bdb8633
BM		 1868 if (crlf)
1869 {
1870 int j, lf_num;
1871
ffa10187 1872 i=raw_read_stdin(cbuf,BUFSIZZ/2);
1bdb8633
BM		 1873 lf_num = 0;
1874 /* both loops are skipped when i <= 0 */
1875 for (j = 0; j < i; j++)
1876 if (cbuf[j] == '\n')
1877 lf_num++;
1878 for (j = i-1; j >= 0; j--)
1879 {
1880 cbuf[j+lf_num] = cbuf[j];
1881 if (cbuf[j] == '\n')
1882 {
1883 lf_num--;
1884 i++;
1885 cbuf[j+lf_num] = '\r';
1886 }
1887 }
1888 assert(lf_num == 0);
1889 }
1890 else
ffa10187 1891 i=raw_read_stdin(cbuf,BUFSIZZ);
d02b48c6 1892
ce301b6b 1893 if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q')))
d02b48c6
RE		 1894 {
1895 BIO_printf(bio_err,"DONE\n");
0e1dba93 1896 ret=0;
d02b48c6
RE		 1897 goto shut;
1898 }
1899
ce301b6b 1900 if ((!c_ign_eof) && (cbuf[0] == 'R'))
d02b48c6 1901 {
3bb307c1 1902 BIO_printf(bio_err,"RENEGOTIATING\n");
d02b48c6 1903 SSL_renegotiate(con);
3bb307c1 1904 cbuf_len=0;
d02b48c6 1905 }
4817504d
DSH		 1906#ifndef OPENSSL_NO_HEARTBEATS
1907 else if ((!c_ign_eof) && (cbuf[0] == 'B'))
1908 {
1909 BIO_printf(bio_err,"HEARTBEATING\n");
1910 SSL_heartbeat(con);
1911 cbuf_len=0;
1912 }
1913#endif
d02b48c6
RE		 1914 else
1915 {
1916 cbuf_len=i;
1917 cbuf_off=0;
a53955d8
UM		 1918#ifdef CHARSET_EBCDIC
1919 ebcdic2ascii(cbuf, cbuf, i);
1920#endif
d02b48c6
RE		 1921 }
1922
d02b48c6 1923 write_ssl=1;
3bb307c1 1924 read_tty=0;
d02b48c6 1925 }
d02b48c6 1926 }
0e1dba93
DSH		 1927
1928 ret=0;
d02b48c6 1929shut:
b166f13e
BM		 1930 if (in_init)
1931 print_stuff(bio_c_out,con,full_log);
d02b48c6
RE		 1932 SSL_shutdown(con);
1933 SHUTDOWN(SSL_get_fd(con));
d02b48c6 1934end:
d916ba1b
NL		 1935 if (con != NULL)
1936 {
1937 if (prexit != 0)
1938 print_stuff(bio_c_out,con,1);
1939 SSL_free(con);
1940 }
d02b48c6 1941 if (ctx != NULL) SSL_CTX_free(ctx);
826a42a0
DSH		 1942 if (cert)
1943 X509_free(cert);
1944 if (key)
1945 EVP_PKEY_free(key);
1946 if (pass)
1947 OPENSSL_free(pass);
4579924b
RL		 1948 if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); }
1949 if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); }
1950 if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); }
d02b48c6
RE		 1951 if (bio_c_out != NULL)
1952 {
1953 BIO_free(bio_c_out);
1954 bio_c_out=NULL;
1955 }
93ab9e42
DSH		 1956 if (bio_c_msg != NULL)
1957 {
1958 BIO_free(bio_c_msg);
1959 bio_c_msg=NULL;
1960 }
c04f8cf4 1961 apps_shutdown();
1c3e4a36 1962 OPENSSL_EXIT(ret);
d02b48c6
RE		 1963 }
1964
1965
6b691a5c 1966static void print_stuff(BIO *bio, SSL *s, int full)
d02b48c6 1967 {
58964a49 1968 X509 *peer=NULL;
d02b48c6 1969 char *p;
7d727231 1970 static const char *space=" ";
d02b48c6 1971 char buf[BUFSIZ];
f73e07cf
BL		 1972 STACK_OF(X509) *sk;
1973 STACK_OF(X509_NAME) *sk2;
babb3798 1974 const SSL_CIPHER *c;
d02b48c6
RE		 1975 X509_NAME *xn;
1976 int j,i;
09b6c2ef 1977#ifndef OPENSSL_NO_COMP
d8ec0dcf 1978 const COMP_METHOD *comp, *expansion;
09b6c2ef 1979#endif
e0af0405 1980 unsigned char *exportedkeymat;
d02b48c6
RE		 1981
1982 if (full)
1983 {
bc2e519a
BM		 1984 int got_a_chain = 0;
1985
d02b48c6
RE		 1986 sk=SSL_get_peer_cert_chain(s);
1987 if (sk != NULL)
1988 {
bc2e519a
BM		 1989 got_a_chain = 1; /* we don't have it for SSL2 (yet) */
1990
dfeab068 1991 BIO_printf(bio,"---\nCertificate chain\n");
f73e07cf 1992 for (i=0; i<sk_X509_num(sk); i++)
d02b48c6 1993 {
f73e07cf 1994 X509_NAME_oneline(X509_get_subject_name(
54a656ef 1995 sk_X509_value(sk,i)),buf,sizeof buf);
d02b48c6 1996 BIO_printf(bio,"%2d s:%s\n",i,buf);
f73e07cf 1997 X509_NAME_oneline(X509_get_issuer_name(
54a656ef 1998 sk_X509_value(sk,i)),buf,sizeof buf);
d02b48c6 1999 BIO_printf(bio," i:%s\n",buf);
6d02d8e4 2000 if (c_showcerts)
f73e07cf 2001 PEM_write_bio_X509(bio,sk_X509_value(sk,i));
d02b48c6
RE		 2002 }
2003 }
2004
2005 BIO_printf(bio,"---\n");
2006 peer=SSL_get_peer_certificate(s);
2007 if (peer != NULL)
2008 {
2009 BIO_printf(bio,"Server certificate\n");
bc2e519a 2010 if (!(c_showcerts && got_a_chain)) /* Redundant if we showed the whole chain */
6d02d8e4 2011 PEM_write_bio_X509(bio,peer);
d02b48c6 2012 X509_NAME_oneline(X509_get_subject_name(peer),
54a656ef 2013 buf,sizeof buf);
d02b48c6
RE		 2014 BIO_printf(bio,"subject=%s\n",buf);
2015 X509_NAME_oneline(X509_get_issuer_name(peer),
54a656ef 2016 buf,sizeof buf);
d02b48c6 2017 BIO_printf(bio,"issuer=%s\n",buf);
d02b48c6
RE		 2018 }
2019 else
2020 BIO_printf(bio,"no peer certificate available\n");
2021
f73e07cf 2022 sk2=SSL_get_client_CA_list(s);
d91f8c3c 2023 if ((sk2 != NULL) && (sk_X509_NAME_num(sk2) > 0))
d02b48c6
RE		 2024 {
2025 BIO_printf(bio,"---\nAcceptable client certificate CA names\n");
f73e07cf 2026 for (i=0; i<sk_X509_NAME_num(sk2); i++)
d02b48c6 2027 {
f73e07cf 2028 xn=sk_X509_NAME_value(sk2,i);
d02b48c6
RE		 2029 X509_NAME_oneline(xn,buf,sizeof(buf));
2030 BIO_write(bio,buf,strlen(buf));
2031 BIO_write(bio,"\n",1);
2032 }
2033 }
2034 else
2035 {
2036 BIO_printf(bio,"---\nNo client certificate CA names sent\n");
2037 }
54a656ef 2038 p=SSL_get_shared_ciphers(s,buf,sizeof buf);
d02b48c6
RE		 2039 if (p != NULL)
2040 {
67a47285
BM		 2041 /* This works only for SSL 2. In later protocol
2042 * versions, the client does not know what other
2043 * ciphers (in addition to the one to be used
2044 * in the current connection) the server supports. */
2045
d02b48c6
RE		 2046 BIO_printf(bio,"---\nCiphers common between both SSL endpoints:\n");
2047 j=i=0;
2048 while (*p)
2049 {
2050 if (*p == ':')
2051 {
58964a49 2052 BIO_write(bio,space,15-j%25);
d02b48c6
RE		 2053 i++;
2054 j=0;
2055 BIO_write(bio,((i%3)?" ":"\n"),1);
2056 }
2057 else
2058 {
2059 BIO_write(bio,p,1);
2060 j++;
2061 }
2062 p++;
2063 }
2064 BIO_write(bio,"\n",1);
2065 }
2066
e7f8ff43
DSH		 2067 ssl_print_sigalgs(bio, s);
2068
d02b48c6
RE		 2069 BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n",
2070 BIO_number_read(SSL_get_rbio(s)),
2071 BIO_number_written(SSL_get_wbio(s)));
2072 }
08557cf2 2073 BIO_printf(bio,(SSL_cache_hit(s)?"---\nReused, ":"---\nNew, "));
d02b48c6
RE		 2074 c=SSL_get_current_cipher(s);
2075 BIO_printf(bio,"%s, Cipher is %s\n",
2076 SSL_CIPHER_get_version(c),
2077 SSL_CIPHER_get_name(c));
a8236c8c
DSH		 2078 if (peer != NULL) {
2079 EVP_PKEY *pktmp;
2080 pktmp = X509_get_pubkey(peer);
58964a49 2081 BIO_printf(bio,"Server public key is %d bit\n",
a8236c8c
DSH		 2082 EVP_PKEY_bits(pktmp));
2083 EVP_PKEY_free(pktmp);
2084 }
5430200b
DSH		 2085 BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
2086 SSL_get_secure_renegotiation_support(s) ? "" : " NOT");
09b6c2ef 2087#ifndef OPENSSL_NO_COMP
f44e184e 2088 comp=SSL_get_current_compression(s);
d8ec0dcf 2089 expansion=SSL_get_current_expansion(s);
f44e184e
RL		 2090 BIO_printf(bio,"Compression: %s\n",
2091 comp ? SSL_COMP_get_name(comp) : "NONE");
2092 BIO_printf(bio,"Expansion: %s\n",
d8ec0dcf 2093 expansion ? SSL_COMP_get_name(expansion) : "NONE");
09b6c2ef 2094#endif
71fa4513 2095
57559471 2096#ifdef SSL_DEBUG
a2f9200f
DSH		 2097 {
2098 /* Print out local port of connection: useful for debugging */
2099 int sock;
2100 struct sockaddr_in ladd;
2101 socklen_t ladd_size = sizeof(ladd);
2102 sock = SSL_get_fd(s);
2103 getsockname(sock, (struct sockaddr *)&ladd, &ladd_size);
2104 BIO_printf(bio_c_out, "LOCAL PORT is %u\n", ntohs(ladd.sin_port));
2105 }
2106#endif
2107
71fa4513
BL		 2108#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
2109 if (next_proto.status != -1) {
2110 const unsigned char *proto;
2111 unsigned int proto_len;
2112 SSL_get0_next_proto_negotiated(s, &proto, &proto_len);
2113 BIO_printf(bio, "Next protocol: (%d) ", next_proto.status);
2114 BIO_write(bio, proto, proto_len);
2115 BIO_write(bio, "\n", 1);
2116 }
2117#endif
2118
333f926d
BL		 2119 {
2120 SRTP_PROTECTION_PROFILE *srtp_profile=SSL_get_selected_srtp_profile(s);
2121
2122 if(srtp_profile)
2123 BIO_printf(bio,"SRTP Extension negotiated, profile=%s\n",
2124 srtp_profile->name);
2125 }
2126
d02b48c6 2127 SSL_SESSION_print(bio,SSL_get_session(s));
be81f4dd
DSH		 2128 if (keymatexportlabel != NULL)
2129 {
e0af0405
BL		 2130 BIO_printf(bio, "Keying material exporter:\n");
2131 BIO_printf(bio, " Label: '%s'\n", keymatexportlabel);
2132 BIO_printf(bio, " Length: %i bytes\n", keymatexportlen);
2133 exportedkeymat = OPENSSL_malloc(keymatexportlen);
be81f4dd
DSH		 2134 if (exportedkeymat != NULL)
2135 {
2136 if (!SSL_export_keying_material(s, exportedkeymat,
2137 keymatexportlen,
2138 keymatexportlabel,
2139 strlen(keymatexportlabel),
2140 NULL, 0, 0))
2141 {
2142 BIO_printf(bio, " Error\n");
2143 }
2144 else
2145 {
e0af0405
BL		 2146 BIO_printf(bio, " Keying material: ");
2147 for (i=0; i<keymatexportlen; i++)
2148 BIO_printf(bio, "%02X",
2149 exportedkeymat[i]);
2150 BIO_printf(bio, "\n");
be81f4dd 2151 }
e0af0405 2152 OPENSSL_free(exportedkeymat);
be81f4dd 2153 }
e0af0405 2154 }
d02b48c6 2155 BIO_printf(bio,"---\n");
58964a49
RE		 2156 if (peer != NULL)
2157 X509_free(peer);
41ebed27 2158 /* flush, or debugging output gets mixed with http response */
710069c1 2159 (void)BIO_flush(bio);
d02b48c6
RE		 2160 }
2161
0702150f
DSH		 2162#ifndef OPENSSL_NO_TLSEXT
2163
67c8e7f4
DSH		 2164static int ocsp_resp_cb(SSL *s, void *arg)
2165 {
2166 const unsigned char *p;
2167 int len;
2168 OCSP_RESPONSE *rsp;
2169 len = SSL_get_tlsext_status_ocsp_resp(s, &p);
2170 BIO_puts(arg, "OCSP response: ");
2171 if (!p)
2172 {
2173 BIO_puts(arg, "no response sent\n");
2174 return 1;
2175 }
2176 rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
2177 if (!rsp)
2178 {
2179 BIO_puts(arg, "response parse error\n");
2180 BIO_dump_indent(arg, (char *)p, len, 4);
2181 return 0;
2182 }
2183 BIO_puts(arg, "\n======================================\n");
2184 OCSP_RESPONSE_print(arg, rsp, 0);
2185 BIO_puts(arg, "======================================\n");
2186 OCSP_RESPONSE_free(rsp);
2187 return 1;
2188 }
0702150f 2189
a9e1c50b
BL		 2190static int audit_proof_cb(SSL *s, void *arg)
2191 {
2192 const unsigned char *proof;
2193 size_t proof_len;
2194 size_t i;
2195 SSL_SESSION *sess = SSL_get_session(s);
2196
2197 proof = SSL_SESSION_get_tlsext_authz_server_audit_proof(sess,
2198 &proof_len);
2199 if (proof != NULL)
2200 {
2201 BIO_printf(bio_c_out, "Audit proof: ");
2202 for (i = 0; i < proof_len; ++i)
2203 BIO_printf(bio_c_out, "%02X", proof[i]);
2204 BIO_printf(bio_c_out, "\n");
2205 }
2206 else
2207 {
2208 BIO_printf(bio_c_out, "No audit proof found.\n");
2209 }
2210 return 1;
2211 }
0702150f 2212#endif
A mirror of the official openssl repository