]> git.ipfire.org Git - thirdparty/openssl.git/blame - apps/s_client.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Reduce version skew: trivia (I hope).
[thirdparty/openssl.git] / apps / s_client.c
CommitLineData
d02b48c6 1/* apps/s_client.c */
58964a49 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
d02b48c6
RE		 3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
a661b653 58/* ====================================================================
b1277b99 59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
a661b653
BM		 60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
ddac1974
NL		 111/* ====================================================================
112 * Copyright 2005 Nokia. All rights reserved.
113 *
114 * The portions of the attached software ("Contribution") is developed by
115 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
116 * license.
117 *
118 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120 * support (see RFC 4279) to OpenSSL.
121 *
122 * No patent licenses or other rights except those expressly stated in
123 * the OpenSSL open source license shall be deemed granted or received
124 * expressly, by implication, estoppel, or otherwise.
125 *
126 * No assurances are provided by Nokia that the Contribution does not
127 * infringe the patent or other intellectual property rights of any third
128 * party or that the license provides you with all the necessary rights
129 * to make use of the Contribution.
130 *
131 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
135 * OTHERWISE.
136 */
d02b48c6 137
1b1a6e78 138#include <assert.h>
ddac1974 139#include <ctype.h>
8c197cc5
UM		 140#include <stdio.h>
141#include <stdlib.h>
142#include <string.h>
be1bd923 143#include <openssl/e_os2.h>
cf1b7d96 144#ifdef OPENSSL_NO_STDIO
8c197cc5
UM		 145#define APPS_WIN16
146#endif
147
7d7d2cbc
UM		 148/* With IPv6, it looks like Digital has mixed up the proper order of
149 recursive header file inclusion, resulting in the compiler complaining
150 that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which
151 is needed to have fileno() declared correctly... So let's define u_int */
bc36ee62 152#if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
7d7d2cbc
UM		 153#define __U_INT
154typedef unsigned int u_int;
155#endif
156
d02b48c6 157#define USE_SOCKETS
d02b48c6 158#include "apps.h"
ec577822
BM		 159#include <openssl/x509.h>
160#include <openssl/ssl.h>
161#include <openssl/err.h>
162#include <openssl/pem.h>
1372965e 163#include <openssl/rand.h>
67c8e7f4 164#include <openssl/ocsp.h>
1e26a8ba 165#include <openssl/bn.h>
a149b246
BL		 166#ifndef OPENSSL_NO_SRP
167#include <openssl/srp.h>
168#endif
d02b48c6 169#include "s_apps.h"
36d16f8e 170#include "timeouts.h"
d02b48c6 171
bc36ee62 172#if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
75e0770d 173/* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
7d7d2cbc
UM		 174#undef FIONBIO
175#endif
176
4700aea9
UM		 177#if defined(OPENSSL_SYS_BEOS_R5)
178#include <fcntl.h>
179#endif
180
d02b48c6
RE		 181#undef PROG
182#define PROG s_client_main
183
184/*#define SSL_HOST_NAME "www.netscape.com" */
185/*#define SSL_HOST_NAME "193.118.187.102" */
186#define SSL_HOST_NAME "localhost"
187
188/*#define TEST_CERT "client.pem" */ /* no default cert. */
189
190#undef BUFSIZZ
191#define BUFSIZZ 1024*8
192
193extern int verify_depth;
194extern int verify_error;
5d20c4fb 195extern int verify_return_error;
d02b48c6
RE		 196
197#ifdef FIONBIO
198static int c_nbio=0;
199#endif
200static int c_Pause=0;
201static int c_debug=0;
6434abbf
DSH		 202#ifndef OPENSSL_NO_TLSEXT
203static int c_tlsextdebug=0;
67c8e7f4 204static int c_status_req=0;
8a02a46a 205static int c_proof_debug=0;
6434abbf 206#endif
a661b653 207static int c_msg=0;
6d02d8e4 208static int c_showcerts=0;
d02b48c6 209
b1d74291
BL		 210static char *keymatexportlabel=NULL;
211static int keymatexportlen=20;
212
d02b48c6
RE		 213static void sc_usage(void);
214static void print_stuff(BIO *berr,SSL *con,int full);
0702150f 215#ifndef OPENSSL_NO_TLSEXT
67c8e7f4 216static int ocsp_resp_cb(SSL *s, void *arg);
8a02a46a 217static int audit_proof_cb(SSL *s, void *arg);
0702150f 218#endif
d02b48c6
RE		 219static BIO *bio_c_out=NULL;
220static int c_quiet=0;
ce301b6b 221static int c_ign_eof=0;
d02b48c6 222
ddac1974
NL		 223#ifndef OPENSSL_NO_PSK
224/* Default PSK identity and key */
225static char *psk_identity="Client_identity";
f3b7bdad 226/*char *psk_key=NULL; by default PSK is not used */
ddac1974
NL		 227
228static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity,
229 unsigned int max_identity_len, unsigned char *psk,
230 unsigned int max_psk_len)
231 {
232 unsigned int psk_len = 0;
233 int ret;
234 BIGNUM *bn=NULL;
235
236 if (c_debug)
237 BIO_printf(bio_c_out, "psk_client_cb\n");
238 if (!hint)
239 {
240 /* no ServerKeyExchange message*/
241 if (c_debug)
242 BIO_printf(bio_c_out,"NULL received PSK identity hint, continuing anyway\n");
243 }
244 else if (c_debug)
245 BIO_printf(bio_c_out, "Received PSK identity hint '%s'\n", hint);
246
247 /* lookup PSK identity and PSK key based on the given identity hint here */
0ed6b526 248 ret = BIO_snprintf(identity, max_identity_len, "%s", psk_identity);
a0aa8b4b 249 if (ret < 0 || (unsigned int)ret > max_identity_len)
ddac1974
NL		 250 goto out_err;
251 if (c_debug)
252 BIO_printf(bio_c_out, "created identity '%s' len=%d\n", identity, ret);
253 ret=BN_hex2bn(&bn, psk_key);
254 if (!ret)
255 {
256 BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", psk_key);
257 if (bn)
258 BN_free(bn);
259 return 0;
260 }
261
a0aa8b4b 262 if ((unsigned int)BN_num_bytes(bn) > max_psk_len)
ddac1974
NL		 263 {
264 BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
265 max_psk_len, BN_num_bytes(bn));
266 BN_free(bn);
267 return 0;
268 }
269
270 psk_len=BN_bn2bin(bn, psk);
271 BN_free(bn);
272 if (psk_len == 0)
273 goto out_err;
274
275 if (c_debug)
276 BIO_printf(bio_c_out, "created PSK len=%d\n", psk_len);
277
278 return psk_len;
279 out_err:
280 if (c_debug)
281 BIO_printf(bio_err, "Error in PSK client callback\n");
282 return 0;
283 }
284#endif
285
6b691a5c 286static void sc_usage(void)
d02b48c6 287 {
b6cff93d 288 BIO_printf(bio_err,"usage: s_client args\n");
d02b48c6
RE		 289 BIO_printf(bio_err,"\n");
290 BIO_printf(bio_err," -host host - use -connect instead\n");
291 BIO_printf(bio_err," -port port - use -connect instead\n");
292 BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR);
293
294 BIO_printf(bio_err," -verify arg - turn on peer certificate verification\n");
295 BIO_printf(bio_err," -cert arg - certificate file to use, PEM format assumed\n");
826a42a0
DSH		 296 BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n");
297 BIO_printf(bio_err," -key arg - Private key file to use, in cert file if\n");
d02b48c6 298 BIO_printf(bio_err," not specified but cert file is.\n");
826a42a0
DSH		 299 BIO_printf(bio_err," -keyform arg - key format (PEM or DER) PEM default\n");
300 BIO_printf(bio_err," -pass arg - private key file pass phrase source\n");
d02b48c6
RE		 301 BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n");
302 BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n");
303 BIO_printf(bio_err," -reconnect - Drop and re-make the connection with the same Session-ID\n");
304 BIO_printf(bio_err," -pause - sleep(1) after each read(2) and write(2) system call\n");
6d02d8e4 305 BIO_printf(bio_err," -showcerts - show all certificates in the chain\n");
d02b48c6 306 BIO_printf(bio_err," -debug - extra output\n");
02a00bb0
AP		 307#ifdef WATT32
308 BIO_printf(bio_err," -wdebug - WATT-32 tcp debugging\n");
309#endif
a661b653 310 BIO_printf(bio_err," -msg - Show protocol messages\n");
d02b48c6
RE		 311 BIO_printf(bio_err," -nbio_test - more ssl protocol testing\n");
312 BIO_printf(bio_err," -state - print the 'ssl' states\n");
313#ifdef FIONBIO
314 BIO_printf(bio_err," -nbio - Run with non-blocking IO\n");
1bdb8633 315#endif
1bdb8633 316 BIO_printf(bio_err," -crlf - convert LF from terminal into CRLF\n");
d02b48c6 317 BIO_printf(bio_err," -quiet - no s_client output\n");
ce301b6b 318 BIO_printf(bio_err," -ign_eof - ignore input eof (default when -quiet)\n");
020d67fb 319 BIO_printf(bio_err," -no_ign_eof - don't ignore input eof\n");
ddac1974
NL		 320#ifndef OPENSSL_NO_PSK
321 BIO_printf(bio_err," -psk_identity arg - PSK identity\n");
322 BIO_printf(bio_err," -psk arg - PSK in hex (without 0x)\n");
79bd20fd 323# ifndef OPENSSL_NO_JPAKE
f3b7bdad
BL		 324 BIO_printf(bio_err," -jpake arg - JPAKE secret to use\n");
325# endif
a149b246
BL		 326#endif
327#ifndef OPENSSL_NO_SRP
328 BIO_printf(bio_err," -srpuser user - SRP authentification for 'user'\n");
329 BIO_printf(bio_err," -srppass arg - password for 'user'\n");
330 BIO_printf(bio_err," -srp_lateuser - SRP username into second ClientHello message\n");
331 BIO_printf(bio_err," -srp_moregroups - Tolerate other than the known g N values.\n");
332 BIO_printf(bio_err," -srp_strength int - minimal mength in bits for N (default %d).\n",SRP_MINIMAL_N);
ddac1974 333#endif
d02b48c6
RE		 334 BIO_printf(bio_err," -ssl2 - just use SSLv2\n");
335 BIO_printf(bio_err," -ssl3 - just use SSLv3\n");
9472baae 336 BIO_printf(bio_err," -tls1_2 - just use TLSv1.2\n");
1eb1cf45 337 BIO_printf(bio_err," -tls1_1 - just use TLSv1.1\n");
58964a49 338 BIO_printf(bio_err," -tls1 - just use TLSv1\n");
36d16f8e 339 BIO_printf(bio_err," -dtls1 - just use DTLSv1\n");
0454f2c4 340 BIO_printf(bio_err," -mtu - set the link layer MTU\n");
9472baae 341 BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
d02b48c6 342 BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n");
836f9960 343 BIO_printf(bio_err," -serverpref - Use server's cipher preferences (only SSLv2)\n");
657e60fa 344 BIO_printf(bio_err," -cipher - preferred cipher to use, use the 'openssl ciphers'\n");
dfeab068 345 BIO_printf(bio_err," command to see what is available\n");
135c0af1
RL		 346 BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n");
347 BIO_printf(bio_err," for those protocols that support it, where\n");
348 BIO_printf(bio_err," 'prot' defines which one to assume. Currently,\n");
d5bbead4
BL		 349 BIO_printf(bio_err," only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
350 BIO_printf(bio_err," are supported.\n");
0b13e9f0 351#ifndef OPENSSL_NO_ENGINE
5270e702 352 BIO_printf(bio_err," -engine id - Initialise and use the specified engine\n");
0b13e9f0 353#endif
52b621db 354 BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
014f62b6
DSH		 355 BIO_printf(bio_err," -sess_out arg - file to write SSL session to\n");
356 BIO_printf(bio_err," -sess_in arg - file to read SSL session from\n");
ed3883d2
BM		 357#ifndef OPENSSL_NO_TLSEXT
358 BIO_printf(bio_err," -servername host - Set TLS extension servername in ClientHello\n");
d24a9c8f 359 BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n");
67c8e7f4 360 BIO_printf(bio_err," -status - request certificate status from server\n");
d24a9c8f 361 BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n");
8a02a46a 362 BIO_printf(bio_err," -proof_debug - request an audit proof and print its hex dump\n");
68d2cf51 363# ifndef OPENSSL_NO_NEXTPROTONEG
68b33cc5
BL		 364 BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
365# endif
ed3883d2 366#endif
5c33091c 367 BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
cdf9d6f6 368 BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
b1d74291
BL		 369 BIO_printf(bio_err," -keymatexport label - Export keying material using label\n");
370 BIO_printf(bio_err," -keymatexportlen len - Export len bytes of keying material (default 20)\n");
d02b48c6
RE		 371 }
372
ed3883d2
BM		 373#ifndef OPENSSL_NO_TLSEXT
374
375/* This is a context that we pass to callbacks */
376typedef struct tlsextctx_st {
377 BIO * biodebug;
378 int ack;
379} tlsextctx;
380
381
b1277b99
BM		 382static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
383 {
ed3883d2 384 tlsextctx * p = (tlsextctx *) arg;
8de5b7f5 385 const char * hn= SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
ed3883d2
BM		 386 if (SSL_get_servername_type(s) != -1)
387 p->ack = !SSL_session_reused(s) && hn != NULL;
388 else
f1fd4544 389 BIO_printf(bio_err,"Can't use SSL_get_servername\n");
ed3883d2 390
241520e6 391 return SSL_TLSEXT_ERR_OK;
b1277b99 392 }
a149b246
BL		 393
394#ifndef OPENSSL_NO_SRP
395
396/* This is a context that we pass to all callbacks */
397typedef struct srp_arg_st
398 {
399 char *srppassin;
400 char *srplogin;
401 int msg; /* copy from c_msg */
402 int debug; /* copy from c_debug */
403 int amp; /* allow more groups */
404 int strength /* minimal size for N */ ;
405 } SRP_ARG;
406
407#define SRP_NUMBER_ITERATIONS_FOR_PRIME 64
408
b8a22c40 409static int srp_Verify_N_and_g(BIGNUM *N, BIGNUM *g)
a149b246
BL		 410 {
411 BN_CTX *bn_ctx = BN_CTX_new();
412 BIGNUM *p = BN_new();
413 BIGNUM *r = BN_new();
414 int ret =
415 g != NULL && N != NULL && bn_ctx != NULL && BN_is_odd(N) &&
416 BN_is_prime_ex(N, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
417 p != NULL && BN_rshift1(p, N) &&
418
419 /* p = (N-1)/2 */
420 BN_is_prime_ex(p, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
421 r != NULL &&
422
423 /* verify g^((N-1)/2) == -1 (mod N) */
424 BN_mod_exp(r, g, p, N, bn_ctx) &&
425 BN_add_word(r, 1) &&
426 BN_cmp(r, N) == 0;
427
428 if(r)
429 BN_free(r);
430 if(p)
431 BN_free(p);
432 if(bn_ctx)
433 BN_CTX_free(bn_ctx);
434 return ret;
435 }
436
b8a22c40
DSH		 437/* This callback is used here for two purposes:
438 - extended debugging
439 - making some primality tests for unknown groups
440 The callback is only called for a non default group.
441
442 An application does not need the call back at all if
443 only the stanard groups are used. In real life situations,
444 client and server already share well known groups,
445 thus there is no need to verify them.
446 Furthermore, in case that a server actually proposes a group that
447 is not one of those defined in RFC 5054, it is more appropriate
448 to add the group to a static list and then compare since
449 primality tests are rather cpu consuming.
450*/
451
a149b246
BL		 452static int MS_CALLBACK ssl_srp_verify_param_cb(SSL *s, void *arg)
453 {
454 SRP_ARG *srp_arg = (SRP_ARG *)arg;
455 BIGNUM *N = NULL, *g = NULL;
456 if (!(N = SSL_get_srp_N(s)) || !(g = SSL_get_srp_g(s)))
457 return 0;
458 if (srp_arg->debug || srp_arg->msg || srp_arg->amp == 1)
459 {
460 BIO_printf(bio_err, "SRP parameters:\n");
461 BIO_printf(bio_err,"\tN="); BN_print(bio_err,N);
462 BIO_printf(bio_err,"\n\tg="); BN_print(bio_err,g);
463 BIO_printf(bio_err,"\n");
464 }
465
466 if (SRP_check_known_gN_param(g,N))
467 return 1;
468
469 if (srp_arg->amp == 1)
470 {
471 if (srp_arg->debug)
472 BIO_printf(bio_err, "SRP param N and g are not known params, going to check deeper.\n");
473
b8a22c40 474/* The srp_moregroups is a real debugging feature.
a149b246
BL		 475 Implementors should rather add the value to the known ones.
476 The minimal size has already been tested.
477*/
b8a22c40 478 if (BN_num_bits(g) <= BN_BITS && srp_Verify_N_and_g(N,g))
a149b246
BL		 479 return 1;
480 }
481 BIO_printf(bio_err, "SRP param N and g rejected.\n");
482 return 0;
483 }
484
485#define PWD_STRLEN 1024
486
487static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
488 {
489 SRP_ARG *srp_arg = (SRP_ARG *)arg;
490 char *pass = (char *)OPENSSL_malloc(PWD_STRLEN+1);
491 PW_CB_DATA cb_tmp;
492 int l;
493
494 cb_tmp.password = (char *)srp_arg->srppassin;
495 cb_tmp.prompt_info = "SRP user";
496 if ((l = password_callback(pass, PWD_STRLEN, 0, &cb_tmp))<0)
497 {
498 BIO_printf (bio_err, "Can't read Password\n");
499 OPENSSL_free(pass);
500 return NULL;
501 }
502 *(pass+l)= '\0';
503
504 return pass;
505 }
506
a149b246 507#endif
060a38a2 508 char *srtp_profiles = NULL;
68b33cc5
BL		 509
510# ifndef OPENSSL_NO_NEXTPROTONEG
511/* This the context that we pass to next_proto_cb */
512typedef struct tlsextnextprotoctx_st {
513 unsigned char *data;
514 unsigned short len;
515 int status;
516} tlsextnextprotoctx;
517
518static tlsextnextprotoctx next_proto;
519
520static int next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg)
521 {
522 tlsextnextprotoctx *ctx = arg;
523
524 if (!c_quiet)
525 {
526 /* We can assume that |in| is syntactically valid. */
527 unsigned i;
528 BIO_printf(bio_c_out, "Protocols advertised by server: ");
529 for (i = 0; i < inlen; )
530 {
531 if (i)
532 BIO_write(bio_c_out, ", ", 2);
533 BIO_write(bio_c_out, &in[i + 1], in[i]);
534 i += in[i] + 1;
535 }
536 BIO_write(bio_c_out, "\n", 1);
537 }
538
539 ctx->status = SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len);
540 return SSL_TLSEXT_ERR_OK;
541 }
68d2cf51 542# endif /* ndef OPENSSL_NO_NEXTPROTONEG */
ed3883d2
BM		 543#endif
544
85c67492
RL		 545enum
546{
547 PROTO_OFF = 0,
548 PROTO_SMTP,
549 PROTO_POP3,
550 PROTO_IMAP,
d5bbead4 551 PROTO_FTP,
640b86cb 552 PROTO_XMPP
85c67492
RL		 553};
554
667ac4ec
RE		 555int MAIN(int, char **);
556
6b691a5c 557int MAIN(int argc, char **argv)
d02b48c6 558 {
67556483 559 unsigned int off=0, clr=0;
67b6f1ca 560 SSL *con=NULL;
39348038
DSH		 561#ifndef OPENSSL_NO_KRB5
562 KSSL_CTX *kctx;
563#endif
d02b48c6 564 int s,k,width,state=0;
135c0af1 565 char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL;
d02b48c6
RE		 566 int cbuf_len,cbuf_off;
567 int sbuf_len,sbuf_off;
568 fd_set readfds,writefds;
569 short port=PORT;
570 int full_log=1;
571 char *host=SSL_HOST_NAME;
572 char *cert_file=NULL,*key_file=NULL;
826a42a0
DSH		 573 int cert_format = FORMAT_PEM, key_format = FORMAT_PEM;
574 char *passarg = NULL, *pass = NULL;
575 X509 *cert = NULL;
576 EVP_PKEY *key = NULL;
d02b48c6
RE		 577 char *CApath=NULL,*CAfile=NULL,*cipher=NULL;
578 int reconnect=0,badop=0,verify=SSL_VERIFY_NONE,bugs=0;
1bdb8633 579 int crlf=0;
c7ac31e2 580 int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending;
d02b48c6
RE		 581 SSL_CTX *ctx=NULL;
582 int ret=1,in_init=1,i,nbio_test=0;
85c67492 583 int starttls_proto = PROTO_OFF;
e323afb0
DSH		 584 int prexit = 0;
585 X509_VERIFY_PARAM *vpm = NULL;
586 int badarg = 0;
4ebb342f 587 const SSL_METHOD *meth=NULL;
b1277b99 588 int socket_type=SOCK_STREAM;
d02b48c6 589 BIO *sbio;
52b621db 590 char *inrand=NULL;
85c67492 591 int mbuf_len=0;
a4bade7a 592 struct timeval timeout, *timeoutp;
0b13e9f0 593#ifndef OPENSSL_NO_ENGINE
5270e702 594 char *engine_id=NULL;
59d2d48f 595 char *ssl_client_engine_id=NULL;
70531c14 596 ENGINE *ssl_client_engine=NULL;
0b13e9f0 597#endif
70531c14 598 ENGINE *e=NULL;
4700aea9 599#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
06f4536a 600 struct timeval tv;
4700aea9
UM		 601#if defined(OPENSSL_SYS_BEOS_R5)
602 int stdin_set = 0;
603#endif
06f4536a 604#endif
ed3883d2
BM		 605#ifndef OPENSSL_NO_TLSEXT
606 char *servername = NULL;
6b870763 607 char *curves=NULL;
ed3883d2
BM		 608 tlsextctx tlsextcbp =
609 {NULL,0};
68b33cc5
BL		 610# ifndef OPENSSL_NO_NEXTPROTONEG
611 const char *next_proto_neg_in = NULL;
612# endif
ed3883d2 613#endif
6434abbf
DSH		 614 char *sess_in = NULL;
615 char *sess_out = NULL;
36d16f8e 616 struct sockaddr peer;
6c61726b 617 int peerlen = sizeof(peer);
36d16f8e 618 int enable_timeouts = 0 ;
b1277b99 619 long socket_mtu = 0;
79bd20fd 620#ifndef OPENSSL_NO_JPAKE
6caa4edd 621 char *jpake_secret = NULL;
ed551cdd 622#endif
a149b246
BL		 623#ifndef OPENSSL_NO_SRP
624 char * srppass = NULL;
625 int srp_lateuser = 0;
626 SRP_ARG srp_arg = {NULL,NULL,0,0,0,1024};
627#endif
36d16f8e 628
d02b48c6 629 meth=SSLv23_client_method();
d02b48c6
RE		 630
631 apps_startup();
58964a49 632 c_Pause=0;
d02b48c6 633 c_quiet=0;
ce301b6b 634 c_ign_eof=0;
d02b48c6 635 c_debug=0;
a661b653 636 c_msg=0;
6d02d8e4 637 c_showcerts=0;
d02b48c6
RE		 638
639 if (bio_err == NULL)
640 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
641
3647bee2
DSH		 642 if (!load_config(bio_err, NULL))
643 goto end;
644
26a3a48d 645 if ( ((cbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
135c0af1
RL		 646 ((sbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
647 ((mbuf=OPENSSL_malloc(BUFSIZZ)) == NULL))
d02b48c6
RE		 648 {
649 BIO_printf(bio_err,"out of memory\n");
650 goto end;
651 }
652
653 verify_depth=0;
654 verify_error=X509_V_OK;
655#ifdef FIONBIO
656 c_nbio=0;
657#endif
658
659 argc--;
660 argv++;
661 while (argc >= 1)
662 {
663 if (strcmp(*argv,"-host") == 0)
664 {
665 if (--argc < 1) goto bad;
666 host= *(++argv);
667 }
668 else if (strcmp(*argv,"-port") == 0)
669 {
670 if (--argc < 1) goto bad;
671 port=atoi(*(++argv));
672 if (port == 0) goto bad;
673 }
674 else if (strcmp(*argv,"-connect") == 0)
675 {
676 if (--argc < 1) goto bad;
677 if (!extract_host_port(*(++argv),&host,NULL,&port))
678 goto bad;
679 }
680 else if (strcmp(*argv,"-verify") == 0)
681 {
682 verify=SSL_VERIFY_PEER;
683 if (--argc < 1) goto bad;
684 verify_depth=atoi(*(++argv));
685 BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
686 }
687 else if (strcmp(*argv,"-cert") == 0)
688 {
689 if (--argc < 1) goto bad;
690 cert_file= *(++argv);
691 }
6434abbf
DSH		 692 else if (strcmp(*argv,"-sess_out") == 0)
693 {
694 if (--argc < 1) goto bad;
695 sess_out = *(++argv);
696 }
697 else if (strcmp(*argv,"-sess_in") == 0)
698 {
699 if (--argc < 1) goto bad;
700 sess_in = *(++argv);
701 }
826a42a0
DSH		 702 else if (strcmp(*argv,"-certform") == 0)
703 {
704 if (--argc < 1) goto bad;
705 cert_format = str2fmt(*(++argv));
706 }
e323afb0
DSH		 707 else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
708 {
709 if (badarg)
710 goto bad;
711 continue;
712 }
5d20c4fb
DSH		 713 else if (strcmp(*argv,"-verify_return_error") == 0)
714 verify_return_error = 1;
c3ed3b6e
DSH		 715 else if (strcmp(*argv,"-prexit") == 0)
716 prexit=1;
1bdb8633
BM		 717 else if (strcmp(*argv,"-crlf") == 0)
718 crlf=1;
d02b48c6 719 else if (strcmp(*argv,"-quiet") == 0)
ce301b6b 720 {
d02b48c6 721 c_quiet=1;
ce301b6b
RL		 722 c_ign_eof=1;
723 }
724 else if (strcmp(*argv,"-ign_eof") == 0)
725 c_ign_eof=1;
020d67fb
LJ		 726 else if (strcmp(*argv,"-no_ign_eof") == 0)
727 c_ign_eof=0;
d02b48c6
RE		 728 else if (strcmp(*argv,"-pause") == 0)
729 c_Pause=1;
730 else if (strcmp(*argv,"-debug") == 0)
731 c_debug=1;
6434abbf
DSH		 732#ifndef OPENSSL_NO_TLSEXT
733 else if (strcmp(*argv,"-tlsextdebug") == 0)
734 c_tlsextdebug=1;
67c8e7f4
DSH		 735 else if (strcmp(*argv,"-status") == 0)
736 c_status_req=1;
8a02a46a
BL		 737 else if (strcmp(*argv,"-proof_debug") == 0)
738 c_proof_debug=1;
6434abbf 739#endif
02a00bb0
AP		 740#ifdef WATT32
741 else if (strcmp(*argv,"-wdebug") == 0)
742 dbug_init();
743#endif
a661b653
BM		 744 else if (strcmp(*argv,"-msg") == 0)
745 c_msg=1;
6d02d8e4
BM		 746 else if (strcmp(*argv,"-showcerts") == 0)
747 c_showcerts=1;
d02b48c6
RE		 748 else if (strcmp(*argv,"-nbio_test") == 0)
749 nbio_test=1;
750 else if (strcmp(*argv,"-state") == 0)
751 state=1;
ddac1974
NL		 752#ifndef OPENSSL_NO_PSK
753 else if (strcmp(*argv,"-psk_identity") == 0)
754 {
755 if (--argc < 1) goto bad;
756 psk_identity=*(++argv);
757 }
758 else if (strcmp(*argv,"-psk") == 0)
759 {
760 size_t j;
761
762 if (--argc < 1) goto bad;
763 psk_key=*(++argv);
764 for (j = 0; j < strlen(psk_key); j++)
765 {
9b2a2966 766 if (isxdigit((unsigned char)psk_key[j]))
ddac1974
NL		 767 continue;
768 BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
769 goto bad;
770 }
771 }
772#endif
a149b246
BL		 773#ifndef OPENSSL_NO_SRP
774 else if (strcmp(*argv,"-srpuser") == 0)
775 {
776 if (--argc < 1) goto bad;
777 srp_arg.srplogin= *(++argv);
778 meth=TLSv1_client_method();
779 }
780 else if (strcmp(*argv,"-srppass") == 0)
781 {
782 if (--argc < 1) goto bad;
783 srppass= *(++argv);
784 meth=TLSv1_client_method();
785 }
786 else if (strcmp(*argv,"-srp_strength") == 0)
787 {
788 if (--argc < 1) goto bad;
789 srp_arg.strength=atoi(*(++argv));
790 BIO_printf(bio_err,"SRP minimal length for N is %d\n",srp_arg.strength);
791 meth=TLSv1_client_method();
792 }
793 else if (strcmp(*argv,"-srp_lateuser") == 0)
794 {
795 srp_lateuser= 1;
796 meth=TLSv1_client_method();
797 }
798 else if (strcmp(*argv,"-srp_moregroups") == 0)
799 {
800 srp_arg.amp=1;
801 meth=TLSv1_client_method();
802 }
803#endif
cf1b7d96 804#ifndef OPENSSL_NO_SSL2
d02b48c6
RE		 805 else if (strcmp(*argv,"-ssl2") == 0)
806 meth=SSLv2_client_method();
807#endif
cf1b7d96 808#ifndef OPENSSL_NO_SSL3
d02b48c6
RE		 809 else if (strcmp(*argv,"-ssl3") == 0)
810 meth=SSLv3_client_method();
58964a49 811#endif
cf1b7d96 812#ifndef OPENSSL_NO_TLS1
9472baae
DSH		 813 else if (strcmp(*argv,"-tls1_2") == 0)
814 meth=TLSv1_2_client_method();
1eb1cf45
DSH		 815 else if (strcmp(*argv,"-tls1_1") == 0)
816 meth=TLSv1_1_client_method();
58964a49
RE		 817 else if (strcmp(*argv,"-tls1") == 0)
818 meth=TLSv1_client_method();
36d16f8e
BL		 819#endif
820#ifndef OPENSSL_NO_DTLS1
821 else if (strcmp(*argv,"-dtls1") == 0)
822 {
823 meth=DTLSv1_client_method();
b1277b99 824 socket_type=SOCK_DGRAM;
36d16f8e
BL		 825 }
826 else if (strcmp(*argv,"-timeout") == 0)
827 enable_timeouts=1;
828 else if (strcmp(*argv,"-mtu") == 0)
829 {
830 if (--argc < 1) goto bad;
b1277b99 831 socket_mtu = atol(*(++argv));
36d16f8e 832 }
d02b48c6
RE		 833#endif
834 else if (strcmp(*argv,"-bugs") == 0)
835 bugs=1;
826a42a0
DSH		 836 else if (strcmp(*argv,"-keyform") == 0)
837 {
838 if (--argc < 1) goto bad;
839 key_format = str2fmt(*(++argv));
840 }
841 else if (strcmp(*argv,"-pass") == 0)
842 {
843 if (--argc < 1) goto bad;
844 passarg = *(++argv);
845 }
d02b48c6
RE		 846 else if (strcmp(*argv,"-key") == 0)
847 {
848 if (--argc < 1) goto bad;
849 key_file= *(++argv);
850 }
851 else if (strcmp(*argv,"-reconnect") == 0)
852 {
853 reconnect=5;
854 }
855 else if (strcmp(*argv,"-CApath") == 0)
856 {
857 if (--argc < 1) goto bad;
858 CApath= *(++argv);
859 }
860 else if (strcmp(*argv,"-CAfile") == 0)
861 {
862 if (--argc < 1) goto bad;
863 CAfile= *(++argv);
864 }
9472baae
DSH		 865 else if (strcmp(*argv,"-no_tls1_2") == 0)
866 off|=SSL_OP_NO_TLSv1_2;
1eb1cf45
DSH		 867 else if (strcmp(*argv,"-no_tls1_1") == 0)
868 off|=SSL_OP_NO_TLSv1_1;
58964a49
RE		 869 else if (strcmp(*argv,"-no_tls1") == 0)
870 off|=SSL_OP_NO_TLSv1;
871 else if (strcmp(*argv,"-no_ssl3") == 0)
872 off|=SSL_OP_NO_SSLv3;
873 else if (strcmp(*argv,"-no_ssl2") == 0)
874 off|=SSL_OP_NO_SSLv2;
566dda07
DSH		 875 else if (strcmp(*argv,"-no_comp") == 0)
876 { off|=SSL_OP_NO_COMPRESSION; }
6434abbf
DSH		 877#ifndef OPENSSL_NO_TLSEXT
878 else if (strcmp(*argv,"-no_ticket") == 0)
879 { off|=SSL_OP_NO_TICKET; }
68b33cc5
BL		 880# ifndef OPENSSL_NO_NEXTPROTONEG
881 else if (strcmp(*argv,"-nextprotoneg") == 0)
882 {
883 if (--argc < 1) goto bad;
884 next_proto_neg_in = *(++argv);
885 }
886# endif
6434abbf 887#endif
836f9960
LJ		 888 else if (strcmp(*argv,"-serverpref") == 0)
889 off|=SSL_OP_CIPHER_SERVER_PREFERENCE;
5c33091c
DSH		 890 else if (strcmp(*argv,"-legacy_renegotiation") == 0)
891 off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
67556483
DSH		 892 else if (strcmp(*argv,"-legacy_server_connect") == 0)
893 { off|=SSL_OP_LEGACY_SERVER_CONNECT; }
894 else if (strcmp(*argv,"-no_legacy_server_connect") == 0)
895 { clr|=SSL_OP_LEGACY_SERVER_CONNECT; }
d02b48c6
RE		 896 else if (strcmp(*argv,"-cipher") == 0)
897 {
898 if (--argc < 1) goto bad;
899 cipher= *(++argv);
900 }
901#ifdef FIONBIO
902 else if (strcmp(*argv,"-nbio") == 0)
903 { c_nbio=1; }
904#endif
135c0af1
RL		 905 else if (strcmp(*argv,"-starttls") == 0)
906 {
907 if (--argc < 1) goto bad;
908 ++argv;
909 if (strcmp(*argv,"smtp") == 0)
85c67492 910 starttls_proto = PROTO_SMTP;
4f17dfcd 911 else if (strcmp(*argv,"pop3") == 0)
85c67492
RL		 912 starttls_proto = PROTO_POP3;
913 else if (strcmp(*argv,"imap") == 0)
914 starttls_proto = PROTO_IMAP;
915 else if (strcmp(*argv,"ftp") == 0)
916 starttls_proto = PROTO_FTP;
d5bbead4
BL		 917 else if (strcmp(*argv, "xmpp") == 0)
918 starttls_proto = PROTO_XMPP;
135c0af1
RL		 919 else
920 goto bad;
921 }
0b13e9f0 922#ifndef OPENSSL_NO_ENGINE
5270e702
RL		 923 else if (strcmp(*argv,"-engine") == 0)
924 {
925 if (--argc < 1) goto bad;
926 engine_id = *(++argv);
927 }
59d2d48f
DSH		 928 else if (strcmp(*argv,"-ssl_client_engine") == 0)
929 {
930 if (--argc < 1) goto bad;
931 ssl_client_engine_id = *(++argv);
932 }
0b13e9f0 933#endif
52b621db
LJ		 934 else if (strcmp(*argv,"-rand") == 0)
935 {
936 if (--argc < 1) goto bad;
937 inrand= *(++argv);
938 }
ed3883d2
BM		 939#ifndef OPENSSL_NO_TLSEXT
940 else if (strcmp(*argv,"-servername") == 0)
941 {
942 if (--argc < 1) goto bad;
943 servername= *(++argv);
944 /* meth=TLSv1_client_method(); */
945 }
6b870763
DSH		 946 else if (strcmp(*argv,"-curves") == 0)
947 {
948 if (--argc < 1) goto bad;
949 curves= *(++argv);
950 }
ed3883d2 951#endif
79bd20fd 952#ifndef OPENSSL_NO_JPAKE
6caa4edd
BL		 953 else if (strcmp(*argv,"-jpake") == 0)
954 {
955 if (--argc < 1) goto bad;
956 jpake_secret = *++argv;
957 }
ed551cdd 958#endif
060a38a2
BL		 959 else if (strcmp(*argv,"-use_srtp") == 0)
960 {
961 if (--argc < 1) goto bad;
962 srtp_profiles = *(++argv);
963 }
b1d74291
BL		 964 else if (strcmp(*argv,"-keymatexport") == 0)
965 {
966 if (--argc < 1) goto bad;
967 keymatexportlabel= *(++argv);
968 }
969 else if (strcmp(*argv,"-keymatexportlen") == 0)
970 {
971 if (--argc < 1) goto bad;
972 keymatexportlen=atoi(*(++argv));
973 if (keymatexportlen == 0) goto bad;
974 }
060a38a2 975 else
d02b48c6
RE		 976 {
977 BIO_printf(bio_err,"unknown option %s\n",*argv);
978 badop=1;
979 break;
980 }
981 argc--;
982 argv++;
983 }
984 if (badop)
985 {
986bad:
987 sc_usage();
988 goto end;
989 }
990
79bd20fd 991#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
f3b7bdad
BL		 992 if (jpake_secret)
993 {
994 if (psk_key)
995 {
996 BIO_printf(bio_err,
997 "Can't use JPAKE and PSK together\n");
998 goto end;
999 }
1000 psk_identity = "JPAKE";
49f6cb96
RL		 1001 if (cipher)
1002 {
1003 BIO_printf(bio_err, "JPAKE sets cipher to PSK\n");
1004 goto end;
1005 }
1006 cipher = "PSK";
f3b7bdad 1007 }
f3b7bdad
BL		 1008#endif
1009
cead7f36
RL		 1010 OpenSSL_add_ssl_algorithms();
1011 SSL_load_error_strings();
1012
68b33cc5
BL		 1013#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
1014 next_proto.status = -1;
1015 if (next_proto_neg_in)
1016 {
1017 next_proto.data = next_protos_parse(&next_proto.len, next_proto_neg_in);
1018 if (next_proto.data == NULL)
1019 {
1020 BIO_printf(bio_err, "Error parsing -nextprotoneg argument\n");
1021 goto end;
1022 }
1023 }
1024 else
1025 next_proto.data = NULL;
1026#endif
1027
0b13e9f0 1028#ifndef OPENSSL_NO_ENGINE
cead7f36 1029 e = setup_engine(bio_err, engine_id, 1);
59d2d48f
DSH		 1030 if (ssl_client_engine_id)
1031 {
1032 ssl_client_engine = ENGINE_by_id(ssl_client_engine_id);
1033 if (!ssl_client_engine)
1034 {
1035 BIO_printf(bio_err,
1036 "Error getting client auth engine\n");
1037 goto end;
1038 }
1039 }
1040
0b13e9f0 1041#endif
826a42a0
DSH		 1042 if (!app_passwd(bio_err, passarg, NULL, &pass, NULL))
1043 {
1044 BIO_printf(bio_err, "Error getting password\n");
1045 goto end;
1046 }
1047
1048 if (key_file == NULL)
1049 key_file = cert_file;
1050
abbc186b
DSH		 1051
1052 if (key_file)
1053
826a42a0 1054 {
abbc186b
DSH		 1055
1056 key = load_key(bio_err, key_file, key_format, 0, pass, e,
1057 "client certificate private key file");
1058 if (!key)
1059 {
1060 ERR_print_errors(bio_err);
1061 goto end;
1062 }
1063
826a42a0
DSH		 1064 }
1065
abbc186b 1066 if (cert_file)
826a42a0 1067
826a42a0 1068 {
abbc186b
DSH		 1069 cert = load_cert(bio_err,cert_file,cert_format,
1070 NULL, e, "client certificate file");
1071
1072 if (!cert)
1073 {
1074 ERR_print_errors(bio_err);
1075 goto end;
1076 }
826a42a0 1077 }
cead7f36 1078
52b621db
LJ		 1079 if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
1080 && !RAND_status())
1081 {
1082 BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
1083 }
1084 if (inrand != NULL)
1085 BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
1086 app_RAND_load_files(inrand));
a31011e8 1087
d02b48c6
RE		 1088 if (bio_c_out == NULL)
1089 {
a661b653 1090 if (c_quiet && !c_debug && !c_msg)
d02b48c6
RE		 1091 {
1092 bio_c_out=BIO_new(BIO_s_null());
1093 }
1094 else
1095 {
1096 if (bio_c_out == NULL)
1097 bio_c_out=BIO_new_fp(stdout,BIO_NOCLOSE);
1098 }
1099 }
1100
a149b246
BL		 1101#ifndef OPENSSL_NO_SRP
1102 if(!app_passwd(bio_err, srppass, NULL, &srp_arg.srppassin, NULL))
1103 {
1104 BIO_printf(bio_err, "Error getting password\n");
1105 goto end;
1106 }
1107#endif
1108
d02b48c6
RE		 1109 ctx=SSL_CTX_new(meth);
1110 if (ctx == NULL)
1111 {
1112 ERR_print_errors(bio_err);
1113 goto end;
1114 }
1115
e323afb0
DSH		 1116 if (vpm)
1117 SSL_CTX_set1_param(ctx, vpm);
1118
59d2d48f
DSH		 1119#ifndef OPENSSL_NO_ENGINE
1120 if (ssl_client_engine)
1121 {
1122 if (!SSL_CTX_set_client_cert_engine(ctx, ssl_client_engine))
1123 {
1124 BIO_puts(bio_err, "Error setting client auth engine\n");
1125 ERR_print_errors(bio_err);
1126 ENGINE_free(ssl_client_engine);
1127 goto end;
1128 }
1129 ENGINE_free(ssl_client_engine);
1130 }
1131#endif
1132
ddac1974 1133#ifndef OPENSSL_NO_PSK
79bd20fd
DSH		 1134#ifdef OPENSSL_NO_JPAKE
1135 if (psk_key != NULL)
1136#else
f3b7bdad 1137 if (psk_key != NULL || jpake_secret)
79bd20fd 1138#endif
ddac1974
NL		 1139 {
1140 if (c_debug)
f3b7bdad 1141 BIO_printf(bio_c_out, "PSK key given or JPAKE in use, setting client callback\n");
ddac1974
NL		 1142 SSL_CTX_set_psk_client_callback(ctx, psk_client_cb);
1143 }
060a38a2
BL		 1144 if (srtp_profiles != NULL)
1145 SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles);
ddac1974 1146#endif
58964a49
RE		 1147 if (bugs)
1148 SSL_CTX_set_options(ctx,SSL_OP_ALL|off);
1149 else
1150 SSL_CTX_set_options(ctx,off);
67556483
DSH		 1151
1152 if (clr)
1153 SSL_CTX_clear_options(ctx, clr);
36d16f8e
BL		 1154 /* DTLS: partial reads end up discarding unread UDP bytes :-(
1155 * Setting read ahead solves this problem.
1156 */
b1277b99 1157 if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
d02b48c6 1158
68b33cc5
BL		 1159#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
1160 if (next_proto.data)
1161 SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);
1162#endif
1163
d02b48c6
RE		 1164 if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
1165 if (cipher != NULL)
fabce041 1166 if(!SSL_CTX_set_cipher_list(ctx,cipher)) {
657e60fa 1167 BIO_printf(bio_err,"error setting cipher list\n");
fabce041
DSH		 1168 ERR_print_errors(bio_err);
1169 goto end;
1170 }
d02b48c6
RE		 1171#if 0
1172 else
1173 SSL_CTX_set_cipher_list(ctx,getenv("SSL_CIPHER"));
1174#endif
1175
1176 SSL_CTX_set_verify(ctx,verify,verify_callback);
65a0f684 1177 if (!set_cert_key_stuff(ctx,cert,key, NULL))
d02b48c6
RE		 1178 goto end;
1179
1180 if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
1181 (!SSL_CTX_set_default_verify_paths(ctx)))
1182 {
657e60fa 1183 /* BIO_printf(bio_err,"error setting default verify locations\n"); */
d02b48c6 1184 ERR_print_errors(bio_err);
58964a49 1185 /* goto end; */
d02b48c6
RE		 1186 }
1187
ed3883d2 1188#ifndef OPENSSL_NO_TLSEXT
6b870763
DSH		 1189 if (curves != NULL)
1190 if(!SSL_CTX_set1_curves_list(ctx,curves)) {
1191 BIO_printf(bio_err,"error setting curve list\n");
1192 ERR_print_errors(bio_err);
1193 goto end;
1194 }
b1277b99
BM		 1195 if (servername != NULL)
1196 {
ed3883d2
BM		 1197 tlsextcbp.biodebug = bio_err;
1198 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
1199 SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
b1277b99 1200 }
a149b246
BL		 1201#ifndef OPENSSL_NO_SRP
1202 if (srp_arg.srplogin)
1203 {
b8a22c40 1204 if (!srp_lateuser && !SSL_CTX_set_srp_username(ctx, srp_arg.srplogin))
a149b246
BL		 1205 {
1206 BIO_printf(bio_err,"Unable to set SRP username\n");
1207 goto end;
1208 }
1209 srp_arg.msg = c_msg;
1210 srp_arg.debug = c_debug ;
1211 SSL_CTX_set_srp_cb_arg(ctx,&srp_arg);
1212 SSL_CTX_set_srp_client_pwd_callback(ctx, ssl_give_srp_client_pwd_cb);
1213 SSL_CTX_set_srp_strength(ctx, srp_arg.strength);
1214 if (c_msg || c_debug || srp_arg.amp == 0)
1215 SSL_CTX_set_srp_verify_param_callback(ctx, ssl_srp_verify_param_cb);
1216 }
1217
1218#endif
8a02a46a
BL		 1219 if (c_proof_debug)
1220 SSL_CTX_set_tlsext_authz_server_audit_proof_cb(ctx,
1221 audit_proof_cb);
ed3883d2 1222#endif
d02b48c6 1223
82fc1d9c 1224 con=SSL_new(ctx);
6434abbf
DSH		 1225 if (sess_in)
1226 {
1227 SSL_SESSION *sess;
1228 BIO *stmp = BIO_new_file(sess_in, "r");
1229 if (!stmp)
1230 {
1231 BIO_printf(bio_err, "Can't open session file %s\n",
1232 sess_in);
1233 ERR_print_errors(bio_err);
1234 goto end;
1235 }
1236 sess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL);
1237 BIO_free(stmp);
1238 if (!sess)
1239 {
1240 BIO_printf(bio_err, "Can't open session file %s\n",
1241 sess_in);
1242 ERR_print_errors(bio_err);
1243 goto end;
1244 }
1245 SSL_set_session(con, sess);
1246 SSL_SESSION_free(sess);
1247 }
ed3883d2 1248#ifndef OPENSSL_NO_TLSEXT
b1277b99
BM		 1249 if (servername != NULL)
1250 {
a13c20f6 1251 if (!SSL_set_tlsext_host_name(con,servername))
b1277b99 1252 {
ed3883d2
BM		 1253 BIO_printf(bio_err,"Unable to set TLS servername extension.\n");
1254 ERR_print_errors(bio_err);
1255 goto end;
b1277b99 1256 }
ed3883d2 1257 }
ed3883d2 1258#endif
cf1b7d96 1259#ifndef OPENSSL_NO_KRB5
39348038 1260 if (con && (kctx = kssl_ctx_new()) != NULL)
f9b3bff6 1261 {
39348038
DSH		 1262 SSL_set0_kssl_ctx(con, kctx);
1263 kssl_ctx_setstring(kctx, KSSL_SERVER, host);
f9b3bff6 1264 }
cf1b7d96 1265#endif /* OPENSSL_NO_KRB5 */
58964a49 1266/* SSL_set_cipher_list(con,"RC4-MD5"); */
761772d7
BM		 1267#if 0
1268#ifdef TLSEXT_TYPE_opaque_prf_input
86d4bc3a 1269 SSL_set_tlsext_opaque_prf_input(con, "Test client", 11);
761772d7
BM		 1270#endif
1271#endif
d02b48c6
RE		 1272
1273re_start:
1274
b1277b99 1275 if (init_client(&s,host,port,socket_type) == 0)
d02b48c6 1276 {
58964a49 1277 BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
d02b48c6
RE		 1278 SHUTDOWN(s);
1279 goto end;
1280 }
1281 BIO_printf(bio_c_out,"CONNECTED(%08X)\n",s);
1282
1283#ifdef FIONBIO
1284 if (c_nbio)
1285 {
1286 unsigned long l=1;
1287 BIO_printf(bio_c_out,"turning on non blocking io\n");
58964a49
RE		 1288 if (BIO_socket_ioctl(s,FIONBIO,&l) < 0)
1289 {
1290 ERR_print_errors(bio_err);
1291 goto end;
1292 }
d02b48c6
RE		 1293 }
1294#endif
74096890 1295 if (c_Pause & 0x01) SSL_set_debug(con, 1);
36d16f8e
BL		 1296
1297 if ( SSL_version(con) == DTLS1_VERSION)
1298 {
36d16f8e
BL		 1299
1300 sbio=BIO_new_dgram(s,BIO_NOCLOSE);
6c61726b 1301 if (getsockname(s, &peer, (void *)&peerlen) < 0)
36d16f8e
BL		 1302 {
1303 BIO_printf(bio_err, "getsockname:errno=%d\n",
1304 get_last_socket_error());
1305 SHUTDOWN(s);
1306 goto end;
1307 }
1308
710069c1 1309 (void)BIO_ctrl_set_connected(sbio, 1, &peer);
36d16f8e 1310
b1277b99 1311 if (enable_timeouts)
36d16f8e
BL		 1312 {
1313 timeout.tv_sec = 0;
1314 timeout.tv_usec = DGRAM_RCV_TIMEOUT;
1315 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
1316
1317 timeout.tv_sec = 0;
1318 timeout.tv_usec = DGRAM_SND_TIMEOUT;
1319 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
1320 }
1321
0454f2c4 1322 if (socket_mtu > 28)
36d16f8e
BL		 1323 {
1324 SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
0454f2c4 1325 SSL_set_mtu(con, socket_mtu - 28);
36d16f8e
BL		 1326 }
1327 else
1328 /* want to do MTU discovery */
1329 BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
1330 }
1331 else
1332 sbio=BIO_new_socket(s,BIO_NOCLOSE);
1333
d02b48c6
RE		 1334 if (nbio_test)
1335 {
1336 BIO *test;
1337
1338 test=BIO_new(BIO_f_nbio_test());
1339 sbio=BIO_push(test,sbio);
1340 }
1341
1342 if (c_debug)
1343 {
74096890 1344 SSL_set_debug(con, 1);
25495640 1345 BIO_set_callback(sbio,bio_dump_callback);
7806f3dd 1346 BIO_set_callback_arg(sbio,(char *)bio_c_out);
d02b48c6 1347 }
a661b653
BM		 1348 if (c_msg)
1349 {
1350 SSL_set_msg_callback(con, msg_cb);
1351 SSL_set_msg_callback_arg(con, bio_c_out);
1352 }
6434abbf
DSH		 1353#ifndef OPENSSL_NO_TLSEXT
1354 if (c_tlsextdebug)
1355 {
1356 SSL_set_tlsext_debug_callback(con, tlsext_cb);
1357 SSL_set_tlsext_debug_arg(con, bio_c_out);
1358 }
67c8e7f4
DSH		 1359 if (c_status_req)
1360 {
1361 SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp);
1362 SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb);
1363 SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out);
1364#if 0
1365{
1366STACK_OF(OCSP_RESPID) *ids = sk_OCSP_RESPID_new_null();
1367OCSP_RESPID *id = OCSP_RESPID_new();
1368id->value.byKey = ASN1_OCTET_STRING_new();
1369id->type = V_OCSP_RESPID_KEY;
1370ASN1_STRING_set(id->value.byKey, "Hello World", -1);
1371sk_OCSP_RESPID_push(ids, id);
1372SSL_set_tlsext_status_ids(con, ids);
1373}
1374#endif
1375 }
6434abbf 1376#endif
79bd20fd 1377#ifndef OPENSSL_NO_JPAKE
6caa4edd
BL		 1378 if (jpake_secret)
1379 jpake_client_auth(bio_c_out, sbio, jpake_secret);
ed551cdd 1380#endif
6caa4edd 1381
d02b48c6
RE		 1382 SSL_set_bio(con,sbio,sbio);
1383 SSL_set_connect_state(con);
1384
1385 /* ok, lets connect */
1386 width=SSL_get_fd(con)+1;
1387
1388 read_tty=1;
1389 write_tty=0;
1390 tty_on=0;
1391 read_ssl=1;
1392 write_ssl=1;
1393
1394 cbuf_len=0;
1395 cbuf_off=0;
1396 sbuf_len=0;
1397 sbuf_off=0;
1398
135c0af1 1399 /* This is an ugly hack that does a lot of assumptions */
ee373e7f
LJ		 1400 /* We do have to handle multi-line responses which may come
1401 in a single packet or not. We therefore have to use
1402 BIO_gets() which does need a buffering BIO. So during
1403 the initial chitchat we do push a buffering BIO into the
1404 chain that is removed again later on to not disturb the
1405 rest of the s_client operation. */
85c67492 1406 if (starttls_proto == PROTO_SMTP)
135c0af1 1407 {
8d72476e 1408 int foundit=0;
ee373e7f
LJ		 1409 BIO *fbio = BIO_new(BIO_f_buffer());
1410 BIO_push(fbio, sbio);
85c67492
RL		 1411 /* wait for multi-line response to end from SMTP */
1412 do
1413 {
ee373e7f 1414 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
85c67492
RL		 1415 }
1416 while (mbuf_len>3 && mbuf[3]=='-');
8d72476e 1417 /* STARTTLS command requires EHLO... */
ee373e7f 1418 BIO_printf(fbio,"EHLO openssl.client.net\r\n");
710069c1 1419 (void)BIO_flush(fbio);
8d72476e
LJ		 1420 /* wait for multi-line response to end EHLO SMTP response */
1421 do
1422 {
ee373e7f 1423 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
8d72476e
LJ		 1424 if (strstr(mbuf,"STARTTLS"))
1425 foundit=1;
1426 }
1427 while (mbuf_len>3 && mbuf[3]=='-');
710069c1 1428 (void)BIO_flush(fbio);
ee373e7f
LJ		 1429 BIO_pop(fbio);
1430 BIO_free(fbio);
8d72476e
LJ		 1431 if (!foundit)
1432 BIO_printf(bio_err,
1433 "didn't found starttls in server response,"
1434 " try anyway...\n");
135c0af1
RL		 1435 BIO_printf(sbio,"STARTTLS\r\n");
1436 BIO_read(sbio,sbuf,BUFSIZZ);
1437 }
85c67492 1438 else if (starttls_proto == PROTO_POP3)
4f17dfcd
LJ		 1439 {
1440 BIO_read(sbio,mbuf,BUFSIZZ);
1441 BIO_printf(sbio,"STLS\r\n");
1442 BIO_read(sbio,sbuf,BUFSIZZ);
1443 }
85c67492
RL		 1444 else if (starttls_proto == PROTO_IMAP)
1445 {
8d72476e 1446 int foundit=0;
ee373e7f
LJ		 1447 BIO *fbio = BIO_new(BIO_f_buffer());
1448 BIO_push(fbio, sbio);
1449 BIO_gets(fbio,mbuf,BUFSIZZ);
8d72476e 1450 /* STARTTLS command requires CAPABILITY... */
ee373e7f 1451 BIO_printf(fbio,". CAPABILITY\r\n");
710069c1 1452 (void)BIO_flush(fbio);
8d72476e
LJ		 1453 /* wait for multi-line CAPABILITY response */
1454 do
1455 {
ee373e7f 1456 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
8d72476e
LJ		 1457 if (strstr(mbuf,"STARTTLS"))
1458 foundit=1;
1459 }
ee373e7f 1460 while (mbuf_len>3 && mbuf[0]!='.');
710069c1 1461 (void)BIO_flush(fbio);
ee373e7f
LJ		 1462 BIO_pop(fbio);
1463 BIO_free(fbio);
8d72476e
LJ		 1464 if (!foundit)
1465 BIO_printf(bio_err,
1466 "didn't found STARTTLS in server response,"
1467 " try anyway...\n");
1468 BIO_printf(sbio,". STARTTLS\r\n");
85c67492
RL		 1469 BIO_read(sbio,sbuf,BUFSIZZ);
1470 }
1471 else if (starttls_proto == PROTO_FTP)
1472 {
ee373e7f
LJ		 1473 BIO *fbio = BIO_new(BIO_f_buffer());
1474 BIO_push(fbio, sbio);
85c67492
RL		 1475 /* wait for multi-line response to end from FTP */
1476 do
1477 {
ee373e7f 1478 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
85c67492
RL		 1479 }
1480 while (mbuf_len>3 && mbuf[3]=='-');
710069c1 1481 (void)BIO_flush(fbio);
ee373e7f
LJ		 1482 BIO_pop(fbio);
1483 BIO_free(fbio);
85c67492
RL		 1484 BIO_printf(sbio,"AUTH TLS\r\n");
1485 BIO_read(sbio,sbuf,BUFSIZZ);
1486 }
d5bbead4
BL		 1487 if (starttls_proto == PROTO_XMPP)
1488 {
1489 int seen = 0;
1490 BIO_printf(sbio,"<stream:stream "
1491 "xmlns:stream='http://etherx.jabber.org/streams' "
1492 "xmlns='jabber:client' to='%s' version='1.0'>", host);
1493 seen = BIO_read(sbio,mbuf,BUFSIZZ);
1494 mbuf[seen] = 0;
1495 while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'"))
1496 {
1497 if (strstr(mbuf, "/stream:features>"))
1498 goto shut;
1499 seen = BIO_read(sbio,mbuf,BUFSIZZ);
1500 mbuf[seen] = 0;
1501 }
1502 BIO_printf(sbio, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>");
1503 seen = BIO_read(sbio,sbuf,BUFSIZZ);
1504 sbuf[seen] = 0;
1505 if (!strstr(sbuf, "<proceed"))
1506 goto shut;
1507 mbuf[0] = 0;
1508 }
135c0af1 1509
d02b48c6
RE		 1510 for (;;)
1511 {
1512 FD_ZERO(&readfds);
1513 FD_ZERO(&writefds);
1514
a4bade7a
DSH		 1515 if ((SSL_version(con) == DTLS1_VERSION) &&
1516 DTLSv1_get_timeout(con, &timeout))
1517 timeoutp = &timeout;
1518 else
1519 timeoutp = NULL;
1520
58964a49 1521 if (SSL_in_init(con) && !SSL_total_renegotiations(con))
d02b48c6
RE		 1522 {
1523 in_init=1;
1524 tty_on=0;
1525 }
1526 else
1527 {
1528 tty_on=1;
1529 if (in_init)
1530 {
1531 in_init=0;
761772d7 1532#if 0 /* This test doesn't really work as intended (needs to be fixed) */
ed3883d2 1533#ifndef OPENSSL_NO_TLSEXT
b166f13e
BM		 1534 if (servername != NULL && !SSL_session_reused(con))
1535 {
1536 BIO_printf(bio_c_out,"Server did %sacknowledge servername extension.\n",tlsextcbp.ack?"":"not ");
1537 }
761772d7 1538#endif
ed3883d2 1539#endif
6434abbf
DSH		 1540 if (sess_out)
1541 {
1542 BIO *stmp = BIO_new_file(sess_out, "w");
1543 if (stmp)
1544 {
1545 PEM_write_bio_SSL_SESSION(stmp, SSL_get_session(con));
1546 BIO_free(stmp);
1547 }
1548 else
1549 BIO_printf(bio_err, "Error writing session file %s\n", sess_out);
1550 }
d02b48c6
RE		 1551 print_stuff(bio_c_out,con,full_log);
1552 if (full_log > 0) full_log--;
1553
4f17dfcd 1554 if (starttls_proto)
135c0af1
RL		 1555 {
1556 BIO_printf(bio_err,"%s",mbuf);
1557 /* We don't need to know any more */
85c67492 1558 starttls_proto = PROTO_OFF;
135c0af1
RL		 1559 }
1560
d02b48c6
RE		 1561 if (reconnect)
1562 {
1563 reconnect--;
1564 BIO_printf(bio_c_out,"drop connection and then reconnect\n");
1565 SSL_shutdown(con);
1566 SSL_set_connect_state(con);
1567 SHUTDOWN(SSL_get_fd(con));
1568 goto re_start;
1569 }
1570 }
1571 }
1572
c7ac31e2
BM		 1573 ssl_pending = read_ssl && SSL_pending(con);
1574
1575 if (!ssl_pending)
d02b48c6 1576 {
4700aea9 1577#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) && !defined (OPENSSL_SYS_BEOS_R5)
c7ac31e2
BM		 1578 if (tty_on)
1579 {
7bf7333d
DSH		 1580 if (read_tty) openssl_fdset(fileno(stdin),&readfds);
1581 if (write_tty) openssl_fdset(fileno(stdout),&writefds);
c7ac31e2 1582 }
c7ac31e2 1583 if (read_ssl)
7bf7333d 1584 openssl_fdset(SSL_get_fd(con),&readfds);
c7ac31e2 1585 if (write_ssl)
7bf7333d 1586 openssl_fdset(SSL_get_fd(con),&writefds);
06f4536a
DSH		 1587#else
1588 if(!tty_on || !write_tty) {
1589 if (read_ssl)
7bf7333d 1590 openssl_fdset(SSL_get_fd(con),&readfds);
06f4536a 1591 if (write_ssl)
7bf7333d 1592 openssl_fdset(SSL_get_fd(con),&writefds);
06f4536a
DSH		 1593 }
1594#endif
c7ac31e2
BM		 1595/* printf("mode tty(%d %d%d) ssl(%d%d)\n",
1596 tty_on,read_tty,write_tty,read_ssl,write_ssl);*/
d02b48c6 1597
75e0770d 1598 /* Note: under VMS with SOCKETSHR the second parameter
7d7d2cbc
UM		 1599 * is currently of type (int *) whereas under other
1600 * systems it is (void *) if you don't have a cast it
1601 * will choke the compiler: if you do have a cast then
1602 * you can either go for (int *) or (void *).
1603 */
3d7c4a5a
RL		 1604#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
1605 /* Under Windows/DOS we make the assumption that we can
06f4536a
DSH		 1606 * always write to the tty: therefore if we need to
1607 * write to the tty we just fall through. Otherwise
1608 * we timeout the select every second and see if there
1609 * are any keypresses. Note: this is a hack, in a proper
1610 * Windows application we wouldn't do this.
1611 */
4ec19e20 1612 i=0;
06f4536a
DSH		 1613 if(!write_tty) {
1614 if(read_tty) {
1615 tv.tv_sec = 1;
1616 tv.tv_usec = 0;
1617 i=select(width,(void *)&readfds,(void *)&writefds,
1618 NULL,&tv);
3d7c4a5a 1619#if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
0bf23d9b
RL		 1620 if(!i && (!_kbhit() || !read_tty) ) continue;
1621#else
a9ef75c5 1622 if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue;
0bf23d9b 1623#endif
06f4536a 1624 } else i=select(width,(void *)&readfds,(void *)&writefds,
a4bade7a 1625 NULL,timeoutp);
06f4536a 1626 }
47c1735a
RL		 1627#elif defined(OPENSSL_SYS_NETWARE)
1628 if(!write_tty) {
1629 if(read_tty) {
1630 tv.tv_sec = 1;
1631 tv.tv_usec = 0;
1632 i=select(width,(void *)&readfds,(void *)&writefds,
1633 NULL,&tv);
1634 } else i=select(width,(void *)&readfds,(void *)&writefds,
a4bade7a 1635 NULL,timeoutp);
47c1735a 1636 }
4700aea9
UM		 1637#elif defined(OPENSSL_SYS_BEOS_R5)
1638 /* Under BeOS-R5 the situation is similar to DOS */
1639 i=0;
1640 stdin_set = 0;
1641 (void)fcntl(fileno(stdin), F_SETFL, O_NONBLOCK);
1642 if(!write_tty) {
1643 if(read_tty) {
1644 tv.tv_sec = 1;
1645 tv.tv_usec = 0;
1646 i=select(width,(void *)&readfds,(void *)&writefds,
1647 NULL,&tv);
1648 if (read(fileno(stdin), sbuf, 0) >= 0)
1649 stdin_set = 1;
1650 if (!i && (stdin_set != 1 || !read_tty))
1651 continue;
1652 } else i=select(width,(void *)&readfds,(void *)&writefds,
a4bade7a 1653 NULL,timeoutp);
4700aea9
UM		 1654 }
1655 (void)fcntl(fileno(stdin), F_SETFL, 0);
06f4536a 1656#else
7d7d2cbc 1657 i=select(width,(void *)&readfds,(void *)&writefds,
a4bade7a 1658 NULL,timeoutp);
06f4536a 1659#endif
c7ac31e2
BM		 1660 if ( i < 0)
1661 {
1662 BIO_printf(bio_err,"bad select %d\n",
58964a49 1663 get_last_socket_error());
c7ac31e2
BM		 1664 goto shut;
1665 /* goto end; */
1666 }
d02b48c6
RE		 1667 }
1668
a4bade7a
DSH		 1669 if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0)
1670 {
1671 BIO_printf(bio_err,"TIMEOUT occured\n");
1672 }
1673
c7ac31e2 1674 if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds))
d02b48c6
RE		 1675 {
1676 k=SSL_write(con,&(cbuf[cbuf_off]),
1677 (unsigned int)cbuf_len);
1678 switch (SSL_get_error(con,k))
1679 {
1680 case SSL_ERROR_NONE:
1681 cbuf_off+=k;
1682 cbuf_len-=k;
1683 if (k <= 0) goto end;
1684 /* we have done a write(con,NULL,0); */
1685 if (cbuf_len <= 0)
1686 {
1687 read_tty=1;
1688 write_ssl=0;
1689 }
1690 else /* if (cbuf_len > 0) */
1691 {
1692 read_tty=0;
1693 write_ssl=1;
1694 }
1695 break;
1696 case SSL_ERROR_WANT_WRITE:
1697 BIO_printf(bio_c_out,"write W BLOCK\n");
1698 write_ssl=1;
1699 read_tty=0;
1700 break;
1701 case SSL_ERROR_WANT_READ:
1702 BIO_printf(bio_c_out,"write R BLOCK\n");
1703 write_tty=0;
1704 read_ssl=1;
1705 write_ssl=0;
1706 break;
1707 case SSL_ERROR_WANT_X509_LOOKUP:
1708 BIO_printf(bio_c_out,"write X BLOCK\n");
1709 break;
1710 case SSL_ERROR_ZERO_RETURN:
1711 if (cbuf_len != 0)
1712 {
1713 BIO_printf(bio_c_out,"shutdown\n");
0e1dba93 1714 ret = 0;
d02b48c6
RE		 1715 goto shut;
1716 }
1717 else
1718 {
1719 read_tty=1;
1720 write_ssl=0;
1721 break;
1722 }
1723
1724 case SSL_ERROR_SYSCALL:
1725 if ((k != 0) || (cbuf_len != 0))
1726 {
1727 BIO_printf(bio_err,"write:errno=%d\n",
58964a49 1728 get_last_socket_error());
d02b48c6
RE		 1729 goto shut;
1730 }
1731 else
1732 {
1733 read_tty=1;
1734 write_ssl=0;
1735 }
1736 break;
1737 case SSL_ERROR_SSL:
1738 ERR_print_errors(bio_err);
1739 goto shut;
1740 }
1741 }
4700aea9
UM		 1742#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
1743 /* Assume Windows/DOS/BeOS can always write */
06f4536a
DSH		 1744 else if (!ssl_pending && write_tty)
1745#else
c7ac31e2 1746 else if (!ssl_pending && FD_ISSET(fileno(stdout),&writefds))
06f4536a 1747#endif
d02b48c6 1748 {
a53955d8
UM		 1749#ifdef CHARSET_EBCDIC
1750 ascii2ebcdic(&(sbuf[sbuf_off]),&(sbuf[sbuf_off]),sbuf_len);
1751#endif
ffa10187 1752 i=raw_write_stdout(&(sbuf[sbuf_off]),sbuf_len);
d02b48c6
RE		 1753
1754 if (i <= 0)
1755 {
1756 BIO_printf(bio_c_out,"DONE\n");
0e1dba93 1757 ret = 0;
d02b48c6
RE		 1758 goto shut;
1759 /* goto end; */
1760 }
1761
1762 sbuf_len-=i;;
1763 sbuf_off+=i;
1764 if (sbuf_len <= 0)
1765 {
1766 read_ssl=1;
1767 write_tty=0;
1768 }
1769 }
c7ac31e2 1770 else if (ssl_pending || FD_ISSET(SSL_get_fd(con),&readfds))
d02b48c6 1771 {
58964a49
RE		 1772#ifdef RENEG
1773{ static int iiii; if (++iiii == 52) { SSL_renegotiate(con); iiii=0; } }
1774#endif
dfeab068 1775#if 1
58964a49 1776 k=SSL_read(con,sbuf,1024 /* BUFSIZZ */ );
dfeab068
RE		 1777#else
1778/* Demo for pending and peek :-) */
1779 k=SSL_read(con,sbuf,16);
1780{ char zbuf[10240];
1781printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240));
1782}
1783#endif
d02b48c6
RE		 1784
1785 switch (SSL_get_error(con,k))
1786 {
1787 case SSL_ERROR_NONE:
1788 if (k <= 0)
1789 goto end;
1790 sbuf_off=0;
1791 sbuf_len=k;
1792
1793 read_ssl=0;
1794 write_tty=1;
1795 break;
1796 case SSL_ERROR_WANT_WRITE:
1797 BIO_printf(bio_c_out,"read W BLOCK\n");
1798 write_ssl=1;
1799 read_tty=0;
1800 break;
1801 case SSL_ERROR_WANT_READ:
1802 BIO_printf(bio_c_out,"read R BLOCK\n");
1803 write_tty=0;
1804 read_ssl=1;
1805 if ((read_tty == 0) && (write_ssl == 0))
1806 write_ssl=1;
1807 break;
1808 case SSL_ERROR_WANT_X509_LOOKUP:
1809 BIO_printf(bio_c_out,"read X BLOCK\n");
1810 break;
1811 case SSL_ERROR_SYSCALL:
0e1dba93
DSH		 1812 ret=get_last_socket_error();
1813 BIO_printf(bio_err,"read:errno=%d\n",ret);
d02b48c6
RE		 1814 goto shut;
1815 case SSL_ERROR_ZERO_RETURN:
1816 BIO_printf(bio_c_out,"closed\n");
0e1dba93 1817 ret=0;
d02b48c6
RE		 1818 goto shut;
1819 case SSL_ERROR_SSL:
1820 ERR_print_errors(bio_err);
1821 goto shut;
dfeab068 1822 /* break; */
d02b48c6
RE		 1823 }
1824 }
1825
3d7c4a5a
RL		 1826#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
1827#if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
0bf23d9b
RL		 1828 else if (_kbhit())
1829#else
a9ef75c5 1830 else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
0bf23d9b 1831#endif
4d8743f4 1832#elif defined (OPENSSL_SYS_NETWARE)
ffa10187 1833 else if (_kbhit())
4700aea9
UM		 1834#elif defined(OPENSSL_SYS_BEOS_R5)
1835 else if (stdin_set)
06f4536a 1836#else
d02b48c6 1837 else if (FD_ISSET(fileno(stdin),&readfds))
06f4536a 1838#endif
d02b48c6 1839 {
1bdb8633
BM		 1840 if (crlf)
1841 {
1842 int j, lf_num;
1843
ffa10187 1844 i=raw_read_stdin(cbuf,BUFSIZZ/2);
1bdb8633
BM		 1845 lf_num = 0;
1846 /* both loops are skipped when i <= 0 */
1847 for (j = 0; j < i; j++)
1848 if (cbuf[j] == '\n')
1849 lf_num++;
1850 for (j = i-1; j >= 0; j--)
1851 {
1852 cbuf[j+lf_num] = cbuf[j];
1853 if (cbuf[j] == '\n')
1854 {
1855 lf_num--;
1856 i++;
1857 cbuf[j+lf_num] = '\r';
1858 }
1859 }
1860 assert(lf_num == 0);
1861 }
1862 else
ffa10187 1863 i=raw_read_stdin(cbuf,BUFSIZZ);
d02b48c6 1864
ce301b6b 1865 if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q')))
d02b48c6
RE		 1866 {
1867 BIO_printf(bio_err,"DONE\n");
0e1dba93 1868 ret=0;
d02b48c6
RE		 1869 goto shut;
1870 }
1871
ce301b6b 1872 if ((!c_ign_eof) && (cbuf[0] == 'R'))
d02b48c6 1873 {
3bb307c1 1874 BIO_printf(bio_err,"RENEGOTIATING\n");
d02b48c6 1875 SSL_renegotiate(con);
3bb307c1 1876 cbuf_len=0;
d02b48c6 1877 }
bd6941cf
DSH		 1878#ifndef OPENSSL_NO_HEARTBEATS
1879 else if ((!c_ign_eof) && (cbuf[0] == 'B'))
1880 {
1881 BIO_printf(bio_err,"HEARTBEATING\n");
1882 SSL_heartbeat(con);
1883 cbuf_len=0;
1884 }
1885#endif
d02b48c6
RE		 1886 else
1887 {
1888 cbuf_len=i;
1889 cbuf_off=0;
a53955d8
UM		 1890#ifdef CHARSET_EBCDIC
1891 ebcdic2ascii(cbuf, cbuf, i);
1892#endif
d02b48c6
RE		 1893 }
1894
d02b48c6 1895 write_ssl=1;
3bb307c1 1896 read_tty=0;
d02b48c6 1897 }
d02b48c6 1898 }
0e1dba93
DSH		 1899
1900 ret=0;
d02b48c6 1901shut:
b166f13e
BM		 1902 if (in_init)
1903 print_stuff(bio_c_out,con,full_log);
d02b48c6
RE		 1904 SSL_shutdown(con);
1905 SHUTDOWN(SSL_get_fd(con));
d02b48c6 1906end:
d916ba1b
NL		 1907 if (con != NULL)
1908 {
1909 if (prexit != 0)
1910 print_stuff(bio_c_out,con,1);
1911 SSL_free(con);
1912 }
d02b48c6 1913 if (ctx != NULL) SSL_CTX_free(ctx);
826a42a0
DSH		 1914 if (cert)
1915 X509_free(cert);
1916 if (key)
1917 EVP_PKEY_free(key);
1918 if (pass)
1919 OPENSSL_free(pass);
4579924b
RL		 1920 if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); }
1921 if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); }
1922 if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); }
d02b48c6
RE		 1923 if (bio_c_out != NULL)
1924 {
1925 BIO_free(bio_c_out);
1926 bio_c_out=NULL;
1927 }
c04f8cf4 1928 apps_shutdown();
1c3e4a36 1929 OPENSSL_EXIT(ret);
d02b48c6
RE		 1930 }
1931
1932
6b691a5c 1933static void print_stuff(BIO *bio, SSL *s, int full)
d02b48c6 1934 {
58964a49 1935 X509 *peer=NULL;
d02b48c6 1936 char *p;
7d727231 1937 static const char *space=" ";
d02b48c6 1938 char buf[BUFSIZ];
f73e07cf
BL		 1939 STACK_OF(X509) *sk;
1940 STACK_OF(X509_NAME) *sk2;
babb3798 1941 const SSL_CIPHER *c;
d02b48c6
RE		 1942 X509_NAME *xn;
1943 int j,i;
09b6c2ef 1944#ifndef OPENSSL_NO_COMP
d8ec0dcf 1945 const COMP_METHOD *comp, *expansion;
09b6c2ef 1946#endif
b1d74291 1947 unsigned char *exportedkeymat;
d02b48c6
RE		 1948
1949 if (full)
1950 {
bc2e519a
BM		 1951 int got_a_chain = 0;
1952
d02b48c6
RE		 1953 sk=SSL_get_peer_cert_chain(s);
1954 if (sk != NULL)
1955 {
bc2e519a
BM		 1956 got_a_chain = 1; /* we don't have it for SSL2 (yet) */
1957
dfeab068 1958 BIO_printf(bio,"---\nCertificate chain\n");
f73e07cf 1959 for (i=0; i<sk_X509_num(sk); i++)
d02b48c6 1960 {
f73e07cf 1961 X509_NAME_oneline(X509_get_subject_name(
54a656ef 1962 sk_X509_value(sk,i)),buf,sizeof buf);
d02b48c6 1963 BIO_printf(bio,"%2d s:%s\n",i,buf);
f73e07cf 1964 X509_NAME_oneline(X509_get_issuer_name(
54a656ef 1965 sk_X509_value(sk,i)),buf,sizeof buf);
d02b48c6 1966 BIO_printf(bio," i:%s\n",buf);
6d02d8e4 1967 if (c_showcerts)
f73e07cf 1968 PEM_write_bio_X509(bio,sk_X509_value(sk,i));
d02b48c6
RE		 1969 }
1970 }
1971
1972 BIO_printf(bio,"---\n");
1973 peer=SSL_get_peer_certificate(s);
1974 if (peer != NULL)
1975 {
1976 BIO_printf(bio,"Server certificate\n");
bc2e519a 1977 if (!(c_showcerts && got_a_chain)) /* Redundant if we showed the whole chain */
6d02d8e4 1978 PEM_write_bio_X509(bio,peer);
d02b48c6 1979 X509_NAME_oneline(X509_get_subject_name(peer),
54a656ef 1980 buf,sizeof buf);
d02b48c6
RE		 1981 BIO_printf(bio,"subject=%s\n",buf);
1982 X509_NAME_oneline(X509_get_issuer_name(peer),
54a656ef 1983 buf,sizeof buf);
d02b48c6 1984 BIO_printf(bio,"issuer=%s\n",buf);
d02b48c6
RE		 1985 }
1986 else
1987 BIO_printf(bio,"no peer certificate available\n");
1988
f73e07cf 1989 sk2=SSL_get_client_CA_list(s);
d91f8c3c 1990 if ((sk2 != NULL) && (sk_X509_NAME_num(sk2) > 0))
d02b48c6
RE		 1991 {
1992 BIO_printf(bio,"---\nAcceptable client certificate CA names\n");
f73e07cf 1993 for (i=0; i<sk_X509_NAME_num(sk2); i++)
d02b48c6 1994 {
f73e07cf 1995 xn=sk_X509_NAME_value(sk2,i);
d02b48c6
RE		 1996 X509_NAME_oneline(xn,buf,sizeof(buf));
1997 BIO_write(bio,buf,strlen(buf));
1998 BIO_write(bio,"\n",1);
1999 }
2000 }
2001 else
2002 {
2003 BIO_printf(bio,"---\nNo client certificate CA names sent\n");
2004 }
54a656ef 2005 p=SSL_get_shared_ciphers(s,buf,sizeof buf);
d02b48c6
RE		 2006 if (p != NULL)
2007 {
67a47285
BM		 2008 /* This works only for SSL 2. In later protocol
2009 * versions, the client does not know what other
2010 * ciphers (in addition to the one to be used
2011 * in the current connection) the server supports. */
2012
d02b48c6
RE		 2013 BIO_printf(bio,"---\nCiphers common between both SSL endpoints:\n");
2014 j=i=0;
2015 while (*p)
2016 {
2017 if (*p == ':')
2018 {
58964a49 2019 BIO_write(bio,space,15-j%25);
d02b48c6
RE		 2020 i++;
2021 j=0;
2022 BIO_write(bio,((i%3)?" ":"\n"),1);
2023 }
2024 else
2025 {
2026 BIO_write(bio,p,1);
2027 j++;
2028 }
2029 p++;
2030 }
2031 BIO_write(bio,"\n",1);
2032 }
2033
55058181
DSH		 2034 ssl_print_sigalgs(bio, s);
2035
d02b48c6
RE		 2036 BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n",
2037 BIO_number_read(SSL_get_rbio(s)),
2038 BIO_number_written(SSL_get_wbio(s)));
2039 }
74096890 2040 BIO_printf(bio,(SSL_cache_hit(s)?"---\nReused, ":"---\nNew, "));
d02b48c6
RE		 2041 c=SSL_get_current_cipher(s);
2042 BIO_printf(bio,"%s, Cipher is %s\n",
2043 SSL_CIPHER_get_version(c),
2044 SSL_CIPHER_get_name(c));
a8236c8c
DSH		 2045 if (peer != NULL) {
2046 EVP_PKEY *pktmp;
2047 pktmp = X509_get_pubkey(peer);
58964a49 2048 BIO_printf(bio,"Server public key is %d bit\n",
a8236c8c
DSH		 2049 EVP_PKEY_bits(pktmp));
2050 EVP_PKEY_free(pktmp);
2051 }
b52a2738
DSH		 2052 BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
2053 SSL_get_secure_renegotiation_support(s) ? "" : " NOT");
09b6c2ef 2054#ifndef OPENSSL_NO_COMP
f44e184e 2055 comp=SSL_get_current_compression(s);
d8ec0dcf 2056 expansion=SSL_get_current_expansion(s);
f44e184e
RL		 2057 BIO_printf(bio,"Compression: %s\n",
2058 comp ? SSL_COMP_get_name(comp) : "NONE");
2059 BIO_printf(bio,"Expansion: %s\n",
d8ec0dcf 2060 expansion ? SSL_COMP_get_name(expansion) : "NONE");
09b6c2ef 2061#endif
9472baae
DSH		 2062
2063#ifdef SSL_DEBUG
2064 {
2065 /* Print out local port of connection: useful for debugging */
2066 int sock;
2067 struct sockaddr_in ladd;
2068 socklen_t ladd_size = sizeof(ladd);
2069 sock = SSL_get_fd(s);
2070 getsockname(sock, (struct sockaddr *)&ladd, &ladd_size);
2071 BIO_printf(bio_c_out, "LOCAL PORT is %u\n", ntohs(ladd.sin_port));
2072 }
2073#endif
2074
68b33cc5
BL		 2075#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
2076 if (next_proto.status != -1) {
2077 const unsigned char *proto;
2078 unsigned int proto_len;
2079 SSL_get0_next_proto_negotiated(s, &proto, &proto_len);
2080 BIO_printf(bio, "Next protocol: (%d) ", next_proto.status);
2081 BIO_write(bio, proto, proto_len);
2082 BIO_write(bio, "\n", 1);
2083 }
2084#endif
2085
060a38a2
BL		 2086 {
2087 SRTP_PROTECTION_PROFILE *srtp_profile=SSL_get_selected_srtp_profile(s);
2088
2089 if(srtp_profile)
2090 BIO_printf(bio,"SRTP Extension negotiated, profile=%s\n",
2091 srtp_profile->name);
2092 }
2093
d02b48c6 2094 SSL_SESSION_print(bio,SSL_get_session(s));
cdf9d6f6
DSH		 2095 if (keymatexportlabel != NULL)
2096 {
b1d74291
BL		 2097 BIO_printf(bio, "Keying material exporter:\n");
2098 BIO_printf(bio, " Label: '%s'\n", keymatexportlabel);
2099 BIO_printf(bio, " Length: %i bytes\n", keymatexportlen);
2100 exportedkeymat = OPENSSL_malloc(keymatexportlen);
cdf9d6f6
DSH		 2101 if (exportedkeymat != NULL)
2102 {
2103 if (!SSL_export_keying_material(s, exportedkeymat,
2104 keymatexportlen,
2105 keymatexportlabel,
2106 strlen(keymatexportlabel),
2107 NULL, 0, 0))
2108 {
2109 BIO_printf(bio, " Error\n");
2110 }
2111 else
2112 {
b1d74291
BL		 2113 BIO_printf(bio, " Keying material: ");
2114 for (i=0; i<keymatexportlen; i++)
2115 BIO_printf(bio, "%02X",
2116 exportedkeymat[i]);
2117 BIO_printf(bio, "\n");
cdf9d6f6 2118 }
b1d74291 2119 OPENSSL_free(exportedkeymat);
cdf9d6f6 2120 }
b1d74291 2121 }
d02b48c6 2122 BIO_printf(bio,"---\n");
58964a49
RE		 2123 if (peer != NULL)
2124 X509_free(peer);
41ebed27 2125 /* flush, or debugging output gets mixed with http response */
710069c1 2126 (void)BIO_flush(bio);
d02b48c6
RE		 2127 }
2128
0702150f
DSH		 2129#ifndef OPENSSL_NO_TLSEXT
2130
67c8e7f4
DSH		 2131static int ocsp_resp_cb(SSL *s, void *arg)
2132 {
2133 const unsigned char *p;
2134 int len;
2135 OCSP_RESPONSE *rsp;
2136 len = SSL_get_tlsext_status_ocsp_resp(s, &p);
2137 BIO_puts(arg, "OCSP response: ");
2138 if (!p)
2139 {
2140 BIO_puts(arg, "no response sent\n");
2141 return 1;
2142 }
2143 rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
2144 if (!rsp)
2145 {
2146 BIO_puts(arg, "response parse error\n");
2147 BIO_dump_indent(arg, (char *)p, len, 4);
2148 return 0;
2149 }
2150 BIO_puts(arg, "\n======================================\n");
2151 OCSP_RESPONSE_print(arg, rsp, 0);
2152 BIO_puts(arg, "======================================\n");
2153 OCSP_RESPONSE_free(rsp);
2154 return 1;
2155 }
0702150f 2156
8a02a46a
BL		 2157static int audit_proof_cb(SSL *s, void *arg)
2158 {
2159 const unsigned char *proof;
2160 size_t proof_len;
2161 size_t i;
2162 SSL_SESSION *sess = SSL_get_session(s);
2163
2164 proof = SSL_SESSION_get_tlsext_authz_server_audit_proof(sess,
2165 &proof_len);
2166 if (proof != NULL)
2167 {
2168 BIO_printf(bio_c_out, "Audit proof: ");
2169 for (i = 0; i < proof_len; ++i)
2170 BIO_printf(bio_c_out, "%02X", proof[i]);
2171 BIO_printf(bio_c_out, "\n");
2172 }
2173 else
2174 {
2175 BIO_printf(bio_c_out, "No audit proof found.\n");
2176 }
2177 return 1;
2178 }
0702150f 2179#endif
A mirror of the official openssl repository