]> git.ipfire.org Git - thirdparty/openssl.git/blame - apps/s_client.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Use consistent function naming.
[thirdparty/openssl.git] / apps / s_client.c
CommitLineData
d02b48c6 1/* apps/s_client.c */
58964a49 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
d02b48c6
RE		 3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
a661b653 58/* ====================================================================
b1277b99 59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
a661b653
BM		 60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
ddac1974
NL		 111/* ====================================================================
112 * Copyright 2005 Nokia. All rights reserved.
113 *
114 * The portions of the attached software ("Contribution") is developed by
115 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
116 * license.
117 *
118 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120 * support (see RFC 4279) to OpenSSL.
121 *
122 * No patent licenses or other rights except those expressly stated in
123 * the OpenSSL open source license shall be deemed granted or received
124 * expressly, by implication, estoppel, or otherwise.
125 *
126 * No assurances are provided by Nokia that the Contribution does not
127 * infringe the patent or other intellectual property rights of any third
128 * party or that the license provides you with all the necessary rights
129 * to make use of the Contribution.
130 *
131 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
135 * OTHERWISE.
136 */
d02b48c6 137
1b1a6e78 138#include <assert.h>
ddac1974 139#include <ctype.h>
8c197cc5
UM		 140#include <stdio.h>
141#include <stdlib.h>
142#include <string.h>
be1bd923 143#include <openssl/e_os2.h>
cf1b7d96 144#ifdef OPENSSL_NO_STDIO
8c197cc5
UM		 145#define APPS_WIN16
146#endif
147
7d7d2cbc
UM		 148/* With IPv6, it looks like Digital has mixed up the proper order of
149 recursive header file inclusion, resulting in the compiler complaining
150 that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which
151 is needed to have fileno() declared correctly... So let's define u_int */
bc36ee62 152#if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
7d7d2cbc
UM		 153#define __U_INT
154typedef unsigned int u_int;
155#endif
156
d02b48c6 157#define USE_SOCKETS
d02b48c6 158#include "apps.h"
ec577822
BM		 159#include <openssl/x509.h>
160#include <openssl/ssl.h>
161#include <openssl/err.h>
162#include <openssl/pem.h>
1372965e 163#include <openssl/rand.h>
67c8e7f4 164#include <openssl/ocsp.h>
1e26a8ba 165#include <openssl/bn.h>
edc032b5
BL		 166#ifndef OPENSSL_NO_SRP
167#include <openssl/srp.h>
168#endif
d02b48c6 169#include "s_apps.h"
36d16f8e 170#include "timeouts.h"
d02b48c6 171
bc36ee62 172#if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
75e0770d 173/* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
7d7d2cbc
UM		 174#undef FIONBIO
175#endif
176
4700aea9
UM		 177#if defined(OPENSSL_SYS_BEOS_R5)
178#include <fcntl.h>
179#endif
180
d02b48c6
RE		 181#undef PROG
182#define PROG s_client_main
183
184/*#define SSL_HOST_NAME "www.netscape.com" */
185/*#define SSL_HOST_NAME "193.118.187.102" */
186#define SSL_HOST_NAME "localhost"
187
188/*#define TEST_CERT "client.pem" */ /* no default cert. */
189
190#undef BUFSIZZ
191#define BUFSIZZ 1024*8
192
193extern int verify_depth;
194extern int verify_error;
5d20c4fb 195extern int verify_return_error;
2a7cbe77 196extern int verify_quiet;
d02b48c6
RE		 197
198#ifdef FIONBIO
199static int c_nbio=0;
200#endif
201static int c_Pause=0;
202static int c_debug=0;
6434abbf
DSH		 203#ifndef OPENSSL_NO_TLSEXT
204static int c_tlsextdebug=0;
67c8e7f4 205static int c_status_req=0;
6434abbf 206#endif
a661b653 207static int c_msg=0;
6d02d8e4 208static int c_showcerts=0;
d02b48c6 209
e0af0405
BL		 210static char *keymatexportlabel=NULL;
211static int keymatexportlen=20;
212
d02b48c6
RE		 213static void sc_usage(void);
214static void print_stuff(BIO *berr,SSL *con,int full);
0702150f 215#ifndef OPENSSL_NO_TLSEXT
67c8e7f4 216static int ocsp_resp_cb(SSL *s, void *arg);
0702150f 217#endif
d02b48c6 218static BIO *bio_c_out=NULL;
93ab9e42 219static BIO *bio_c_msg=NULL;
d02b48c6 220static int c_quiet=0;
ce301b6b 221static int c_ign_eof=0;
2a7cbe77 222static int c_brief=0;
d02b48c6 223
ddac1974
NL		 224#ifndef OPENSSL_NO_PSK
225/* Default PSK identity and key */
226static char *psk_identity="Client_identity";
f3b7bdad 227/*char *psk_key=NULL; by default PSK is not used */
ddac1974
NL		 228
229static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity,
230 unsigned int max_identity_len, unsigned char *psk,
231 unsigned int max_psk_len)
232 {
233 unsigned int psk_len = 0;
234 int ret;
235 BIGNUM *bn=NULL;
236
237 if (c_debug)
238 BIO_printf(bio_c_out, "psk_client_cb\n");
239 if (!hint)
240 {
241 /* no ServerKeyExchange message*/
242 if (c_debug)
243 BIO_printf(bio_c_out,"NULL received PSK identity hint, continuing anyway\n");
244 }
245 else if (c_debug)
246 BIO_printf(bio_c_out, "Received PSK identity hint '%s'\n", hint);
247
248 /* lookup PSK identity and PSK key based on the given identity hint here */
0ed6b526 249 ret = BIO_snprintf(identity, max_identity_len, "%s", psk_identity);
a0aa8b4b 250 if (ret < 0 || (unsigned int)ret > max_identity_len)
ddac1974
NL		 251 goto out_err;
252 if (c_debug)
253 BIO_printf(bio_c_out, "created identity '%s' len=%d\n", identity, ret);
254 ret=BN_hex2bn(&bn, psk_key);
255 if (!ret)
256 {
257 BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", psk_key);
258 if (bn)
259 BN_free(bn);
260 return 0;
261 }
262
a0aa8b4b 263 if ((unsigned int)BN_num_bytes(bn) > max_psk_len)
ddac1974
NL		 264 {
265 BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
266 max_psk_len, BN_num_bytes(bn));
267 BN_free(bn);
268 return 0;
269 }
270
271 psk_len=BN_bn2bin(bn, psk);
272 BN_free(bn);
273 if (psk_len == 0)
274 goto out_err;
275
276 if (c_debug)
277 BIO_printf(bio_c_out, "created PSK len=%d\n", psk_len);
278
279 return psk_len;
280 out_err:
281 if (c_debug)
282 BIO_printf(bio_err, "Error in PSK client callback\n");
283 return 0;
284 }
285#endif
286
6b691a5c 287static void sc_usage(void)
d02b48c6 288 {
b6cff93d 289 BIO_printf(bio_err,"usage: s_client args\n");
d02b48c6
RE		 290 BIO_printf(bio_err,"\n");
291 BIO_printf(bio_err," -host host - use -connect instead\n");
292 BIO_printf(bio_err," -port port - use -connect instead\n");
a9351320
GT		 293 BIO_printf(bio_err," -connect host:port - connect over TCP/IP (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR);
294 BIO_printf(bio_err," -unix path - connect over unix domain sockets\n");
d02b48c6 295 BIO_printf(bio_err," -verify arg - turn on peer certificate verification\n");
ee724df7 296 BIO_printf(bio_err," -verify_return_error - return verification errors\n");
d02b48c6 297 BIO_printf(bio_err," -cert arg - certificate file to use, PEM format assumed\n");
826a42a0
DSH		 298 BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n");
299 BIO_printf(bio_err," -key arg - Private key file to use, in cert file if\n");
d02b48c6 300 BIO_printf(bio_err," not specified but cert file is.\n");
826a42a0
DSH		 301 BIO_printf(bio_err," -keyform arg - key format (PEM or DER) PEM default\n");
302 BIO_printf(bio_err," -pass arg - private key file pass phrase source\n");
d02b48c6
RE		 303 BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n");
304 BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n");
6d3d5793 305 BIO_printf(bio_err," -trusted_first - Use local CA's first when building trust chain\n");
d02b48c6
RE		 306 BIO_printf(bio_err," -reconnect - Drop and re-make the connection with the same Session-ID\n");
307 BIO_printf(bio_err," -pause - sleep(1) after each read(2) and write(2) system call\n");
ee724df7 308 BIO_printf(bio_err," -prexit - print session information even on connection failure\n");
6d02d8e4 309 BIO_printf(bio_err," -showcerts - show all certificates in the chain\n");
d02b48c6 310 BIO_printf(bio_err," -debug - extra output\n");
f642ebc1
RS		 311#ifdef WATT32
312 BIO_printf(bio_err," -wdebug - WATT-32 tcp debugging\n");
313#endif
a661b653 314 BIO_printf(bio_err," -msg - Show protocol messages\n");
d02b48c6
RE		 315 BIO_printf(bio_err," -nbio_test - more ssl protocol testing\n");
316 BIO_printf(bio_err," -state - print the 'ssl' states\n");
317#ifdef FIONBIO
318 BIO_printf(bio_err," -nbio - Run with non-blocking IO\n");
1bdb8633 319#endif
1bdb8633 320 BIO_printf(bio_err," -crlf - convert LF from terminal into CRLF\n");
d02b48c6 321 BIO_printf(bio_err," -quiet - no s_client output\n");
ce301b6b 322 BIO_printf(bio_err," -ign_eof - ignore input eof (default when -quiet)\n");
020d67fb 323 BIO_printf(bio_err," -no_ign_eof - don't ignore input eof\n");
ddac1974
NL		 324#ifndef OPENSSL_NO_PSK
325 BIO_printf(bio_err," -psk_identity arg - PSK identity\n");
326 BIO_printf(bio_err," -psk arg - PSK in hex (without 0x)\n");
79bd20fd 327# ifndef OPENSSL_NO_JPAKE
f3b7bdad
BL		 328 BIO_printf(bio_err," -jpake arg - JPAKE secret to use\n");
329# endif
edc032b5
BL		 330#endif
331#ifndef OPENSSL_NO_SRP
332 BIO_printf(bio_err," -srpuser user - SRP authentification for 'user'\n");
333 BIO_printf(bio_err," -srppass arg - password for 'user'\n");
334 BIO_printf(bio_err," -srp_lateuser - SRP username into second ClientHello message\n");
335 BIO_printf(bio_err," -srp_moregroups - Tolerate other than the known g N values.\n");
336 BIO_printf(bio_err," -srp_strength int - minimal mength in bits for N (default %d).\n",SRP_MINIMAL_N);
ddac1974 337#endif
d02b48c6
RE		 338 BIO_printf(bio_err," -ssl2 - just use SSLv2\n");
339 BIO_printf(bio_err," -ssl3 - just use SSLv3\n");
7409d7ad 340 BIO_printf(bio_err," -tls1_2 - just use TLSv1.2\n");
637f374a 341 BIO_printf(bio_err," -tls1_1 - just use TLSv1.1\n");
58964a49 342 BIO_printf(bio_err," -tls1 - just use TLSv1\n");
36d16f8e 343 BIO_printf(bio_err," -dtls1 - just use DTLSv1\n");
046f2101 344 BIO_printf(bio_err," -mtu - set the link layer MTU\n");
7409d7ad 345 BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
d02b48c6 346 BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n");
836f9960 347 BIO_printf(bio_err," -serverpref - Use server's cipher preferences (only SSLv2)\n");
657e60fa 348 BIO_printf(bio_err," -cipher - preferred cipher to use, use the 'openssl ciphers'\n");
dfeab068 349 BIO_printf(bio_err," command to see what is available\n");
135c0af1
RL		 350 BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n");
351 BIO_printf(bio_err," for those protocols that support it, where\n");
352 BIO_printf(bio_err," 'prot' defines which one to assume. Currently,\n");
d5bbead4
BL		 353 BIO_printf(bio_err," only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
354 BIO_printf(bio_err," are supported.\n");
b98af49d 355 BIO_printf(bio_err," -xmpphost host - When used with \"-starttls xmpp\" specifies the virtual host.\n");
0b13e9f0 356#ifndef OPENSSL_NO_ENGINE
5270e702 357 BIO_printf(bio_err," -engine id - Initialise and use the specified engine\n");
0b13e9f0 358#endif
52b621db 359 BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
014f62b6
DSH		 360 BIO_printf(bio_err," -sess_out arg - file to write SSL session to\n");
361 BIO_printf(bio_err," -sess_in arg - file to read SSL session from\n");
ed3883d2
BM		 362#ifndef OPENSSL_NO_TLSEXT
363 BIO_printf(bio_err," -servername host - Set TLS extension servername in ClientHello\n");
d24a9c8f 364 BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n");
67c8e7f4 365 BIO_printf(bio_err," -status - request certificate status from server\n");
d24a9c8f 366 BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n");
36086186 367 BIO_printf(bio_err," -serverinfo types - send empty ClientHello extensions (comma-separated numbers)\n");
bf48836c 368# ifndef OPENSSL_NO_NEXTPROTONEG
ee2ffc27
BL		 369 BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
370# endif
2911575c 371 BIO_printf(bio_err," -alpn arg - enable ALPN extension, considering named protocols supported (comma-separated list)\n");
ed3883d2 372#endif
2942dde5 373 BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
be81f4dd 374 BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
e0af0405
BL		 375 BIO_printf(bio_err," -keymatexport label - Export keying material using label\n");
376 BIO_printf(bio_err," -keymatexportlen len - Export len bytes of keying material (default 20)\n");
d02b48c6
RE		 377 }
378
ed3883d2
BM		 379#ifndef OPENSSL_NO_TLSEXT
380
381/* This is a context that we pass to callbacks */
382typedef struct tlsextctx_st {
383 BIO * biodebug;
384 int ack;
385} tlsextctx;
386
387
b1277b99
BM		 388static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
389 {
ed3883d2 390 tlsextctx * p = (tlsextctx *) arg;
8de5b7f5 391 const char * hn= SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
ed3883d2
BM		 392 if (SSL_get_servername_type(s) != -1)
393 p->ack = !SSL_session_reused(s) && hn != NULL;
394 else
f1fd4544 395 BIO_printf(bio_err,"Can't use SSL_get_servername\n");
ed3883d2 396
241520e6 397 return SSL_TLSEXT_ERR_OK;
b1277b99 398 }
ee2ffc27 399
edc032b5
BL		 400#ifndef OPENSSL_NO_SRP
401
402/* This is a context that we pass to all callbacks */
403typedef struct srp_arg_st
404 {
405 char *srppassin;
406 char *srplogin;
407 int msg; /* copy from c_msg */
408 int debug; /* copy from c_debug */
409 int amp; /* allow more groups */
410 int strength /* minimal size for N */ ;
411 } SRP_ARG;
412
413#define SRP_NUMBER_ITERATIONS_FOR_PRIME 64
414
f2fc3075 415static int srp_Verify_N_and_g(const BIGNUM *N, const BIGNUM *g)
edc032b5
BL		 416 {
417 BN_CTX *bn_ctx = BN_CTX_new();
418 BIGNUM *p = BN_new();
419 BIGNUM *r = BN_new();
420 int ret =
421 g != NULL && N != NULL && bn_ctx != NULL && BN_is_odd(N) &&
f2fc3075 422 BN_is_prime_ex(N, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
edc032b5
BL		 423 p != NULL && BN_rshift1(p, N) &&
424
425 /* p = (N-1)/2 */
f2fc3075 426 BN_is_prime_ex(p, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
edc032b5
BL		 427 r != NULL &&
428
429 /* verify g^((N-1)/2) == -1 (mod N) */
430 BN_mod_exp(r, g, p, N, bn_ctx) &&
431 BN_add_word(r, 1) &&
432 BN_cmp(r, N) == 0;
433
434 if(r)
435 BN_free(r);
436 if(p)
437 BN_free(p);
438 if(bn_ctx)
439 BN_CTX_free(bn_ctx);
440 return ret;
441 }
442
f2fc3075
DSH		 443/* This callback is used here for two purposes:
444 - extended debugging
445 - making some primality tests for unknown groups
446 The callback is only called for a non default group.
447
448 An application does not need the call back at all if
449 only the stanard groups are used. In real life situations,
450 client and server already share well known groups,
451 thus there is no need to verify them.
452 Furthermore, in case that a server actually proposes a group that
453 is not one of those defined in RFC 5054, it is more appropriate
454 to add the group to a static list and then compare since
455 primality tests are rather cpu consuming.
456*/
457
edc032b5
BL		 458static int MS_CALLBACK ssl_srp_verify_param_cb(SSL *s, void *arg)
459 {
460 SRP_ARG *srp_arg = (SRP_ARG *)arg;
461 BIGNUM *N = NULL, *g = NULL;
462 if (!(N = SSL_get_srp_N(s)) || !(g = SSL_get_srp_g(s)))
463 return 0;
464 if (srp_arg->debug || srp_arg->msg || srp_arg->amp == 1)
465 {
466 BIO_printf(bio_err, "SRP parameters:\n");
467 BIO_printf(bio_err,"\tN="); BN_print(bio_err,N);
468 BIO_printf(bio_err,"\n\tg="); BN_print(bio_err,g);
469 BIO_printf(bio_err,"\n");
470 }
471
472 if (SRP_check_known_gN_param(g,N))
473 return 1;
474
475 if (srp_arg->amp == 1)
476 {
477 if (srp_arg->debug)
478 BIO_printf(bio_err, "SRP param N and g are not known params, going to check deeper.\n");
479
f2fc3075 480/* The srp_moregroups is a real debugging feature.
edc032b5
BL		 481 Implementors should rather add the value to the known ones.
482 The minimal size has already been tested.
483*/
f2fc3075 484 if (BN_num_bits(g) <= BN_BITS && srp_Verify_N_and_g(N,g))
edc032b5
BL		 485 return 1;
486 }
487 BIO_printf(bio_err, "SRP param N and g rejected.\n");
488 return 0;
489 }
490
491#define PWD_STRLEN 1024
492
493static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
494 {
495 SRP_ARG *srp_arg = (SRP_ARG *)arg;
496 char *pass = (char *)OPENSSL_malloc(PWD_STRLEN+1);
497 PW_CB_DATA cb_tmp;
498 int l;
499
500 cb_tmp.password = (char *)srp_arg->srppassin;
501 cb_tmp.prompt_info = "SRP user";
502 if ((l = password_callback(pass, PWD_STRLEN, 0, &cb_tmp))<0)
503 {
504 BIO_printf (bio_err, "Can't read Password\n");
505 OPENSSL_free(pass);
506 return NULL;
507 }
508 *(pass+l)= '\0';
509
510 return pass;
511 }
512
edc032b5 513#endif
333f926d 514 char *srtp_profiles = NULL;
edc032b5 515
bf48836c 516# ifndef OPENSSL_NO_NEXTPROTONEG
ee2ffc27
BL		 517/* This the context that we pass to next_proto_cb */
518typedef struct tlsextnextprotoctx_st {
519 unsigned char *data;
520 unsigned short len;
521 int status;
522} tlsextnextprotoctx;
523
524static tlsextnextprotoctx next_proto;
525
526static int next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg)
527 {
528 tlsextnextprotoctx *ctx = arg;
529
530 if (!c_quiet)
531 {
532 /* We can assume that |in| is syntactically valid. */
533 unsigned i;
534 BIO_printf(bio_c_out, "Protocols advertised by server: ");
535 for (i = 0; i < inlen; )
536 {
537 if (i)
538 BIO_write(bio_c_out, ", ", 2);
539 BIO_write(bio_c_out, &in[i + 1], in[i]);
540 i += in[i] + 1;
541 }
542 BIO_write(bio_c_out, "\n", 1);
543 }
544
545 ctx->status = SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len);
546 return SSL_TLSEXT_ERR_OK;
547 }
bf48836c 548# endif /* ndef OPENSSL_NO_NEXTPROTONEG */
a398f821 549
de2a9e38
DSH		 550static int serverinfo_cli_cb(SSL* s, unsigned int ext_type,
551 const unsigned char* in, size_t inlen,
a398f821
T		 552 int* al, void* arg)
553 {
554 char pem_name[100];
555 unsigned char ext_buf[4 + 65536];
556
557 /* Reconstruct the type/len fields prior to extension data */
558 ext_buf[0] = ext_type >> 8;
559 ext_buf[1] = ext_type & 0xFF;
560 ext_buf[2] = inlen >> 8;
561 ext_buf[3] = inlen & 0xFF;
562 memcpy(ext_buf+4, in, inlen);
563
70d416ec
BL		 564 BIO_snprintf(pem_name, sizeof(pem_name), "SERVERINFO FOR EXTENSION %d",
565 ext_type);
a398f821
T		 566 PEM_write_bio(bio_c_out, pem_name, "", ext_buf, 4 + inlen);
567 return 1;
568 }
569
ed3883d2
BM		 570#endif
571
85c67492
RL		 572enum
573{
574 PROTO_OFF = 0,
575 PROTO_SMTP,
576 PROTO_POP3,
577 PROTO_IMAP,
d5bbead4 578 PROTO_FTP,
640b86cb 579 PROTO_XMPP
85c67492
RL		 580};
581
667ac4ec
RE		 582int MAIN(int, char **);
583
6b691a5c 584int MAIN(int argc, char **argv)
d02b48c6 585 {
74ecfab4 586 int build_chain = 0;
67b6f1ca 587 SSL *con=NULL;
4f7a2ab8
DSH		 588#ifndef OPENSSL_NO_KRB5
589 KSSL_CTX *kctx;
590#endif
d02b48c6 591 int s,k,width,state=0;
135c0af1 592 char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL;
d02b48c6
RE		 593 int cbuf_len,cbuf_off;
594 int sbuf_len,sbuf_off;
595 fd_set readfds,writefds;
596 short port=PORT;
597 int full_log=1;
598 char *host=SSL_HOST_NAME;
a9351320 599 const char *unix_path = NULL;
b98af49d 600 char *xmpphost = NULL;
4e71d952 601 char *cert_file=NULL,*key_file=NULL,*chain_file=NULL;
826a42a0
DSH		 602 int cert_format = FORMAT_PEM, key_format = FORMAT_PEM;
603 char *passarg = NULL, *pass = NULL;
604 X509 *cert = NULL;
605 EVP_PKEY *key = NULL;
4e71d952 606 STACK_OF(X509) *chain = NULL;
5d2e07f1 607 char *CApath=NULL,*CAfile=NULL;
a5afc0a8
DSH		 608 char *chCApath=NULL,*chCAfile=NULL;
609 char *vfyCApath=NULL,*vfyCAfile=NULL;
5d2e07f1 610 int reconnect=0,badop=0,verify=SSL_VERIFY_NONE;
1bdb8633 611 int crlf=0;
c7ac31e2 612 int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending;
d02b48c6
RE		 613 SSL_CTX *ctx=NULL;
614 int ret=1,in_init=1,i,nbio_test=0;
85c67492 615 int starttls_proto = PROTO_OFF;
db99779b
DSH		 616 int prexit = 0;
617 X509_VERIFY_PARAM *vpm = NULL;
618 int badarg = 0;
4ebb342f 619 const SSL_METHOD *meth=NULL;
b1277b99 620 int socket_type=SOCK_STREAM;
d02b48c6 621 BIO *sbio;
52b621db 622 char *inrand=NULL;
85c67492 623 int mbuf_len=0;
b972fbaa 624 struct timeval timeout, *timeoutp;
0b13e9f0 625#ifndef OPENSSL_NO_ENGINE
5270e702 626 char *engine_id=NULL;
59d2d48f 627 char *ssl_client_engine_id=NULL;
70531c14 628 ENGINE *ssl_client_engine=NULL;
0b13e9f0 629#endif
70531c14 630 ENGINE *e=NULL;
4700aea9 631#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
06f4536a 632 struct timeval tv;
4700aea9
UM		 633#if defined(OPENSSL_SYS_BEOS_R5)
634 int stdin_set = 0;
635#endif
06f4536a 636#endif
ed3883d2
BM		 637#ifndef OPENSSL_NO_TLSEXT
638 char *servername = NULL;
639 tlsextctx tlsextcbp =
640 {NULL,0};
bf48836c 641# ifndef OPENSSL_NO_NEXTPROTONEG
ee2ffc27
BL		 642 const char *next_proto_neg_in = NULL;
643# endif
2911575c 644 const char *alpn_in = NULL;
a398f821
T		 645# define MAX_SI_TYPES 100
646 unsigned short serverinfo_types[MAX_SI_TYPES];
647 int serverinfo_types_count = 0;
ed3883d2 648#endif
6434abbf
DSH		 649 char *sess_in = NULL;
650 char *sess_out = NULL;
36d16f8e 651 struct sockaddr peer;
6c61726b 652 int peerlen = sizeof(peer);
36d16f8e 653 int enable_timeouts = 0 ;
b1277b99 654 long socket_mtu = 0;
79bd20fd 655#ifndef OPENSSL_NO_JPAKE
b252cf0d
DSH		 656static char *jpake_secret = NULL;
657#define no_jpake !jpake_secret
658#else
659#define no_jpake 1
ed551cdd 660#endif
edc032b5
BL		 661#ifndef OPENSSL_NO_SRP
662 char * srppass = NULL;
663 int srp_lateuser = 0;
664 SRP_ARG srp_arg = {NULL,NULL,0,0,0,1024};
665#endif
3208fc59 666 SSL_EXCERT *exc = NULL;
36d16f8e 667
5d2e07f1
DSH		 668 SSL_CONF_CTX *cctx = NULL;
669 STACK_OF(OPENSSL_STRING) *ssl_args = NULL;
a70da5b3 670
fdb78f3d
DSH		 671 char *crl_file = NULL;
672 int crl_format = FORMAT_PEM;
0090a686 673 int crl_download = 0;
fdb78f3d 674 STACK_OF(X509_CRL) *crls = NULL;
e03c5b59 675 int sdebug = 0;
fdb78f3d 676
d02b48c6 677 meth=SSLv23_client_method();
d02b48c6
RE		 678
679 apps_startup();
58964a49 680 c_Pause=0;
d02b48c6 681 c_quiet=0;
ce301b6b 682 c_ign_eof=0;
d02b48c6 683 c_debug=0;
a661b653 684 c_msg=0;
6d02d8e4 685 c_showcerts=0;
d02b48c6
RE		 686
687 if (bio_err == NULL)
688 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
689
3647bee2
DSH		 690 if (!load_config(bio_err, NULL))
691 goto end;
5d2e07f1
DSH		 692 cctx = SSL_CONF_CTX_new();
693 if (!cctx)
694 goto end;
695 SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT);
696 SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CMDLINE);
3647bee2 697
26a3a48d 698 if ( ((cbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
135c0af1
RL		 699 ((sbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
700 ((mbuf=OPENSSL_malloc(BUFSIZZ)) == NULL))
d02b48c6
RE		 701 {
702 BIO_printf(bio_err,"out of memory\n");
703 goto end;
704 }
705
706 verify_depth=0;
707 verify_error=X509_V_OK;
708#ifdef FIONBIO
709 c_nbio=0;
710#endif
711
712 argc--;
713 argv++;
714 while (argc >= 1)
715 {
716 if (strcmp(*argv,"-host") == 0)
717 {
718 if (--argc < 1) goto bad;
719 host= *(++argv);
720 }
721 else if (strcmp(*argv,"-port") == 0)
722 {
723 if (--argc < 1) goto bad;
724 port=atoi(*(++argv));
725 if (port == 0) goto bad;
726 }
727 else if (strcmp(*argv,"-connect") == 0)
728 {
729 if (--argc < 1) goto bad;
730 if (!extract_host_port(*(++argv),&host,NULL,&port))
731 goto bad;
732 }
a9351320
GT		 733 else if (strcmp(*argv,"-unix") == 0)
734 {
735 if (--argc < 1) goto bad;
736 unix_path = *(++argv);
737 }
b98af49d
CALP		 738 else if (strcmp(*argv,"-xmpphost") == 0)
739 {
740 if (--argc < 1) goto bad;
741 xmpphost= *(++argv);
742 }
d02b48c6
RE		 743 else if (strcmp(*argv,"-verify") == 0)
744 {
745 verify=SSL_VERIFY_PEER;
746 if (--argc < 1) goto bad;
747 verify_depth=atoi(*(++argv));
2a7cbe77
DSH		 748 if (!c_quiet)
749 BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
d02b48c6
RE		 750 }
751 else if (strcmp(*argv,"-cert") == 0)
752 {
753 if (--argc < 1) goto bad;
754 cert_file= *(++argv);
755 }
fdb78f3d
DSH		 756 else if (strcmp(*argv,"-CRL") == 0)
757 {
758 if (--argc < 1) goto bad;
759 crl_file= *(++argv);
760 }
0090a686
DSH		 761 else if (strcmp(*argv,"-crl_download") == 0)
762 crl_download = 1;
6434abbf
DSH		 763 else if (strcmp(*argv,"-sess_out") == 0)
764 {
765 if (--argc < 1) goto bad;
766 sess_out = *(++argv);
767 }
768 else if (strcmp(*argv,"-sess_in") == 0)
769 {
770 if (--argc < 1) goto bad;
771 sess_in = *(++argv);
772 }
826a42a0
DSH		 773 else if (strcmp(*argv,"-certform") == 0)
774 {
775 if (--argc < 1) goto bad;
776 cert_format = str2fmt(*(++argv));
777 }
fdb78f3d
DSH		 778 else if (strcmp(*argv,"-CRLform") == 0)
779 {
780 if (--argc < 1) goto bad;
781 crl_format = str2fmt(*(++argv));
782 }
db99779b
DSH		 783 else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
784 {
785 if (badarg)
786 goto bad;
787 continue;
788 }
5d20c4fb
DSH		 789 else if (strcmp(*argv,"-verify_return_error") == 0)
790 verify_return_error = 1;
2a7cbe77
DSH		 791 else if (strcmp(*argv,"-verify_quiet") == 0)
792 verify_quiet = 1;
793 else if (strcmp(*argv,"-brief") == 0)
794 {
795 c_brief = 1;
796 verify_quiet = 1;
797 c_quiet = 1;
798 }
3208fc59
DSH		 799 else if (args_excert(&argv, &argc, &badarg, bio_err, &exc))
800 {
801 if (badarg)
802 goto bad;
803 continue;
804 }
5d2e07f1
DSH		 805 else if (args_ssl(&argv, &argc, cctx, &badarg, bio_err, &ssl_args))
806 {
807 if (badarg)
808 goto bad;
809 continue;
810 }
c3ed3b6e
DSH		 811 else if (strcmp(*argv,"-prexit") == 0)
812 prexit=1;
1bdb8633
BM		 813 else if (strcmp(*argv,"-crlf") == 0)
814 crlf=1;
d02b48c6 815 else if (strcmp(*argv,"-quiet") == 0)
ce301b6b 816 {
d02b48c6 817 c_quiet=1;
ce301b6b
RL		 818 c_ign_eof=1;
819 }
820 else if (strcmp(*argv,"-ign_eof") == 0)
821 c_ign_eof=1;
020d67fb
LJ		 822 else if (strcmp(*argv,"-no_ign_eof") == 0)
823 c_ign_eof=0;
d02b48c6
RE		 824 else if (strcmp(*argv,"-pause") == 0)
825 c_Pause=1;
826 else if (strcmp(*argv,"-debug") == 0)
827 c_debug=1;
6434abbf
DSH		 828#ifndef OPENSSL_NO_TLSEXT
829 else if (strcmp(*argv,"-tlsextdebug") == 0)
830 c_tlsextdebug=1;
67c8e7f4
DSH		 831 else if (strcmp(*argv,"-status") == 0)
832 c_status_req=1;
f642ebc1
RS		 833#endif
834#ifdef WATT32
835 else if (strcmp(*argv,"-wdebug") == 0)
836 dbug_init();
02a00bb0 837#endif
a661b653
BM		 838 else if (strcmp(*argv,"-msg") == 0)
839 c_msg=1;
93ab9e42
DSH		 840 else if (strcmp(*argv,"-msgfile") == 0)
841 {
842 if (--argc < 1) goto bad;
843 bio_c_msg = BIO_new_file(*(++argv), "w");
844 }
845#ifndef OPENSSL_NO_SSL_TRACE
846 else if (strcmp(*argv,"-trace") == 0)
847 c_msg=2;
848#endif
e03c5b59
DSH		 849 else if (strcmp(*argv,"-security_debug") == 0)
850 { sdebug=1; }
851 else if (strcmp(*argv,"-security_debug_verbose") == 0)
852 { sdebug=2; }
6d02d8e4
BM		 853 else if (strcmp(*argv,"-showcerts") == 0)
854 c_showcerts=1;
d02b48c6
RE		 855 else if (strcmp(*argv,"-nbio_test") == 0)
856 nbio_test=1;
857 else if (strcmp(*argv,"-state") == 0)
858 state=1;
ddac1974
NL		 859#ifndef OPENSSL_NO_PSK
860 else if (strcmp(*argv,"-psk_identity") == 0)
861 {
862 if (--argc < 1) goto bad;
863 psk_identity=*(++argv);
864 }
865 else if (strcmp(*argv,"-psk") == 0)
866 {
867 size_t j;
868
869 if (--argc < 1) goto bad;
870 psk_key=*(++argv);
871 for (j = 0; j < strlen(psk_key); j++)
872 {
a50bce82 873 if (isxdigit((unsigned char)psk_key[j]))
ddac1974
NL		 874 continue;
875 BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
876 goto bad;
877 }
878 }
879#endif
edc032b5
BL		 880#ifndef OPENSSL_NO_SRP
881 else if (strcmp(*argv,"-srpuser") == 0)
882 {
883 if (--argc < 1) goto bad;
884 srp_arg.srplogin= *(++argv);
885 meth=TLSv1_client_method();
886 }
887 else if (strcmp(*argv,"-srppass") == 0)
888 {
889 if (--argc < 1) goto bad;
890 srppass= *(++argv);
891 meth=TLSv1_client_method();
892 }
893 else if (strcmp(*argv,"-srp_strength") == 0)
894 {
895 if (--argc < 1) goto bad;
896 srp_arg.strength=atoi(*(++argv));
897 BIO_printf(bio_err,"SRP minimal length for N is %d\n",srp_arg.strength);
898 meth=TLSv1_client_method();
899 }
900 else if (strcmp(*argv,"-srp_lateuser") == 0)
901 {
902 srp_lateuser= 1;
903 meth=TLSv1_client_method();
904 }
905 else if (strcmp(*argv,"-srp_moregroups") == 0)
906 {
907 srp_arg.amp=1;
908 meth=TLSv1_client_method();
909 }
910#endif
cf1b7d96 911#ifndef OPENSSL_NO_SSL2
d02b48c6
RE		 912 else if (strcmp(*argv,"-ssl2") == 0)
913 meth=SSLv2_client_method();
914#endif
cf1b7d96 915#ifndef OPENSSL_NO_SSL3
d02b48c6
RE		 916 else if (strcmp(*argv,"-ssl3") == 0)
917 meth=SSLv3_client_method();
58964a49 918#endif
cf1b7d96 919#ifndef OPENSSL_NO_TLS1
7409d7ad
DSH		 920 else if (strcmp(*argv,"-tls1_2") == 0)
921 meth=TLSv1_2_client_method();
637f374a
DSH		 922 else if (strcmp(*argv,"-tls1_1") == 0)
923 meth=TLSv1_1_client_method();
58964a49
RE		 924 else if (strcmp(*argv,"-tls1") == 0)
925 meth=TLSv1_client_method();
36d16f8e
BL		 926#endif
927#ifndef OPENSSL_NO_DTLS1
c6913eeb
DSH		 928 else if (strcmp(*argv,"-dtls") == 0)
929 {
930 meth=DTLS_client_method();
931 socket_type=SOCK_DGRAM;
932 }
36d16f8e
BL		 933 else if (strcmp(*argv,"-dtls1") == 0)
934 {
935 meth=DTLSv1_client_method();
b1277b99 936 socket_type=SOCK_DGRAM;
36d16f8e 937 }
c3b344e3
DSH		 938 else if (strcmp(*argv,"-dtls1_2") == 0)
939 {
940 meth=DTLSv1_2_client_method();
941 socket_type=SOCK_DGRAM;
942 }
36d16f8e
BL		 943 else if (strcmp(*argv,"-timeout") == 0)
944 enable_timeouts=1;
945 else if (strcmp(*argv,"-mtu") == 0)
946 {
947 if (--argc < 1) goto bad;
b1277b99 948 socket_mtu = atol(*(++argv));
36d16f8e 949 }
d02b48c6 950#endif
826a42a0
DSH		 951 else if (strcmp(*argv,"-keyform") == 0)
952 {
953 if (--argc < 1) goto bad;
954 key_format = str2fmt(*(++argv));
955 }
956 else if (strcmp(*argv,"-pass") == 0)
957 {
958 if (--argc < 1) goto bad;
959 passarg = *(++argv);
960 }
4e71d952
DSH		 961 else if (strcmp(*argv,"-cert_chain") == 0)
962 {
963 if (--argc < 1) goto bad;
964 chain_file= *(++argv);
965 }
d02b48c6
RE		 966 else if (strcmp(*argv,"-key") == 0)
967 {
968 if (--argc < 1) goto bad;
969 key_file= *(++argv);
970 }
971 else if (strcmp(*argv,"-reconnect") == 0)
972 {
973 reconnect=5;
974 }
975 else if (strcmp(*argv,"-CApath") == 0)
976 {
977 if (--argc < 1) goto bad;
978 CApath= *(++argv);
979 }
a5afc0a8
DSH		 980 else if (strcmp(*argv,"-chainCApath") == 0)
981 {
982 if (--argc < 1) goto bad;
983 chCApath= *(++argv);
984 }
985 else if (strcmp(*argv,"-verifyCApath") == 0)
986 {
987 if (--argc < 1) goto bad;
988 vfyCApath= *(++argv);
989 }
74ecfab4
DSH		 990 else if (strcmp(*argv,"-build_chain") == 0)
991 build_chain = 1;
d02b48c6
RE		 992 else if (strcmp(*argv,"-CAfile") == 0)
993 {
994 if (--argc < 1) goto bad;
995 CAfile= *(++argv);
996 }
a5afc0a8
DSH		 997 else if (strcmp(*argv,"-chainCAfile") == 0)
998 {
999 if (--argc < 1) goto bad;
1000 chCAfile= *(++argv);
1001 }
1002 else if (strcmp(*argv,"-verifyCAfile") == 0)
1003 {
1004 if (--argc < 1) goto bad;
1005 vfyCAfile= *(++argv);
1006 }
6434abbf 1007#ifndef OPENSSL_NO_TLSEXT
bf48836c 1008# ifndef OPENSSL_NO_NEXTPROTONEG
ee2ffc27
BL		 1009 else if (strcmp(*argv,"-nextprotoneg") == 0)
1010 {
1011 if (--argc < 1) goto bad;
1012 next_proto_neg_in = *(++argv);
1013 }
2911575c 1014# endif
6f017a8f
AL		 1015 else if (strcmp(*argv,"-alpn") == 0)
1016 {
1017 if (--argc < 1) goto bad;
1018 alpn_in = *(++argv);
1019 }
a398f821
T		 1020 else if (strcmp(*argv,"-serverinfo") == 0)
1021 {
1022 char *c;
1023 int start = 0;
1024 int len;
1025
1026 if (--argc < 1) goto bad;
1027 c = *(++argv);
1028 serverinfo_types_count = 0;
1029 len = strlen(c);
1030 for (i = 0; i <= len; ++i)
1031 {
1032 if (i == len || c[i] == ',')
1033 {
1034 serverinfo_types[serverinfo_types_count]
1035 = atoi(c+start);
1036 serverinfo_types_count++;
1037 start = i+1;
1038 }
1039 if (serverinfo_types_count == MAX_SI_TYPES)
1040 break;
1041 }
1042 }
6434abbf 1043#endif
d02b48c6
RE		 1044#ifdef FIONBIO
1045 else if (strcmp(*argv,"-nbio") == 0)
1046 { c_nbio=1; }
1047#endif
135c0af1
RL		 1048 else if (strcmp(*argv,"-starttls") == 0)
1049 {
1050 if (--argc < 1) goto bad;
1051 ++argv;
1052 if (strcmp(*argv,"smtp") == 0)
85c67492 1053 starttls_proto = PROTO_SMTP;
4f17dfcd 1054 else if (strcmp(*argv,"pop3") == 0)
85c67492
RL		 1055 starttls_proto = PROTO_POP3;
1056 else if (strcmp(*argv,"imap") == 0)
1057 starttls_proto = PROTO_IMAP;
1058 else if (strcmp(*argv,"ftp") == 0)
1059 starttls_proto = PROTO_FTP;
d5bbead4
BL		 1060 else if (strcmp(*argv, "xmpp") == 0)
1061 starttls_proto = PROTO_XMPP;
135c0af1
RL		 1062 else
1063 goto bad;
1064 }
0b13e9f0 1065#ifndef OPENSSL_NO_ENGINE
5270e702
RL		 1066 else if (strcmp(*argv,"-engine") == 0)
1067 {
1068 if (--argc < 1) goto bad;
1069 engine_id = *(++argv);
1070 }
59d2d48f
DSH		 1071 else if (strcmp(*argv,"-ssl_client_engine") == 0)
1072 {
1073 if (--argc < 1) goto bad;
1074 ssl_client_engine_id = *(++argv);
1075 }
0b13e9f0 1076#endif
52b621db
LJ		 1077 else if (strcmp(*argv,"-rand") == 0)
1078 {
1079 if (--argc < 1) goto bad;
1080 inrand= *(++argv);
1081 }
ed3883d2
BM		 1082#ifndef OPENSSL_NO_TLSEXT
1083 else if (strcmp(*argv,"-servername") == 0)
1084 {
1085 if (--argc < 1) goto bad;
1086 servername= *(++argv);
1087 /* meth=TLSv1_client_method(); */
1088 }
1089#endif
79bd20fd 1090#ifndef OPENSSL_NO_JPAKE
6caa4edd
BL		 1091 else if (strcmp(*argv,"-jpake") == 0)
1092 {
1093 if (--argc < 1) goto bad;
1094 jpake_secret = *++argv;
1095 }
ed551cdd 1096#endif
333f926d
BL		 1097 else if (strcmp(*argv,"-use_srtp") == 0)
1098 {
1099 if (--argc < 1) goto bad;
1100 srtp_profiles = *(++argv);
1101 }
e0af0405
BL		 1102 else if (strcmp(*argv,"-keymatexport") == 0)
1103 {
1104 if (--argc < 1) goto bad;
1105 keymatexportlabel= *(++argv);
1106 }
1107 else if (strcmp(*argv,"-keymatexportlen") == 0)
1108 {
1109 if (--argc < 1) goto bad;
1110 keymatexportlen=atoi(*(++argv));
1111 if (keymatexportlen == 0) goto bad;
1112 }
333f926d 1113 else
d02b48c6
RE		 1114 {
1115 BIO_printf(bio_err,"unknown option %s\n",*argv);
1116 badop=1;
1117 break;
1118 }
1119 argc--;
1120 argv++;
1121 }
1122 if (badop)
1123 {
1124bad:
1125 sc_usage();
1126 goto end;
1127 }
1128
a9351320
GT		 1129 if (unix_path && (socket_type != SOCK_STREAM))
1130 {
1131 BIO_printf(bio_err, "Can't use unix sockets and datagrams together\n");
1132 goto end;
1133 }
79bd20fd 1134#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
f3b7bdad
BL		 1135 if (jpake_secret)
1136 {
1137 if (psk_key)
1138 {
1139 BIO_printf(bio_err,
1140 "Can't use JPAKE and PSK together\n");
1141 goto end;
1142 }
1143 psk_identity = "JPAKE";
1144 }
f3b7bdad
BL		 1145#endif
1146
cead7f36
RL		 1147 OpenSSL_add_ssl_algorithms();
1148 SSL_load_error_strings();
1149
bf48836c 1150#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
ee2ffc27
BL		 1151 next_proto.status = -1;
1152 if (next_proto_neg_in)
1153 {
1154 next_proto.data = next_protos_parse(&next_proto.len, next_proto_neg_in);
1155 if (next_proto.data == NULL)
1156 {
1157 BIO_printf(bio_err, "Error parsing -nextprotoneg argument\n");
1158 goto end;
1159 }
1160 }
1161 else
1162 next_proto.data = NULL;
1163#endif
1164
0b13e9f0 1165#ifndef OPENSSL_NO_ENGINE
cead7f36 1166 e = setup_engine(bio_err, engine_id, 1);
59d2d48f
DSH		 1167 if (ssl_client_engine_id)
1168 {
1169 ssl_client_engine = ENGINE_by_id(ssl_client_engine_id);
1170 if (!ssl_client_engine)
1171 {
1172 BIO_printf(bio_err,
1173 "Error getting client auth engine\n");
1174 goto end;
1175 }
1176 }
1177
0b13e9f0 1178#endif
826a42a0
DSH		 1179 if (!app_passwd(bio_err, passarg, NULL, &pass, NULL))
1180 {
1181 BIO_printf(bio_err, "Error getting password\n");
1182 goto end;
1183 }
1184
1185 if (key_file == NULL)
1186 key_file = cert_file;
1187
abbc186b
DSH		 1188
1189 if (key_file)
1190
826a42a0 1191 {
abbc186b
DSH		 1192
1193 key = load_key(bio_err, key_file, key_format, 0, pass, e,
1194 "client certificate private key file");
1195 if (!key)
1196 {
1197 ERR_print_errors(bio_err);
1198 goto end;
1199 }
1200
826a42a0
DSH		 1201 }
1202
abbc186b 1203 if (cert_file)
826a42a0 1204
826a42a0 1205 {
abbc186b
DSH		 1206 cert = load_cert(bio_err,cert_file,cert_format,
1207 NULL, e, "client certificate file");
1208
1209 if (!cert)
1210 {
1211 ERR_print_errors(bio_err);
1212 goto end;
1213 }
826a42a0 1214 }
cead7f36 1215
4e71d952
DSH		 1216 if (chain_file)
1217 {
1218 chain = load_certs(bio_err, chain_file,FORMAT_PEM,
1219 NULL, e, "client certificate chain");
1220 if (!chain)
1221 goto end;
1222 }
1223
fdb78f3d
DSH		 1224 if (crl_file)
1225 {
1226 X509_CRL *crl;
1227 crl = load_crl(crl_file, crl_format);
1228 if (!crl)
1229 {
1230 BIO_puts(bio_err, "Error loading CRL\n");
1231 ERR_print_errors(bio_err);
1232 goto end;
1233 }
1234 crls = sk_X509_CRL_new_null();
1235 if (!crls || !sk_X509_CRL_push(crls, crl))
1236 {
1237 BIO_puts(bio_err, "Error adding CRL\n");
1238 ERR_print_errors(bio_err);
1239 X509_CRL_free(crl);
1240 goto end;
1241 }
1242 }
1243
3208fc59
DSH		 1244 if (!load_excert(&exc, bio_err))
1245 goto end;
1246
52b621db
LJ		 1247 if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
1248 && !RAND_status())
1249 {
1250 BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
1251 }
1252 if (inrand != NULL)
1253 BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
1254 app_RAND_load_files(inrand));
a31011e8 1255
d02b48c6
RE		 1256 if (bio_c_out == NULL)
1257 {
1740c9fb 1258 if (c_quiet && !c_debug)
d02b48c6
RE		 1259 {
1260 bio_c_out=BIO_new(BIO_s_null());
1740c9fb
DSH		 1261 if (c_msg && !bio_c_msg)
1262 bio_c_msg=BIO_new_fp(stdout,BIO_NOCLOSE);
d02b48c6
RE		 1263 }
1264 else
1265 {
1266 if (bio_c_out == NULL)
1267 bio_c_out=BIO_new_fp(stdout,BIO_NOCLOSE);
1268 }
1269 }
1270
edc032b5
BL		 1271#ifndef OPENSSL_NO_SRP
1272 if(!app_passwd(bio_err, srppass, NULL, &srp_arg.srppassin, NULL))
1273 {
1274 BIO_printf(bio_err, "Error getting password\n");
1275 goto end;
1276 }
1277#endif
1278
d02b48c6
RE		 1279 ctx=SSL_CTX_new(meth);
1280 if (ctx == NULL)
1281 {
1282 ERR_print_errors(bio_err);
1283 goto end;
1284 }
1285
e03c5b59
DSH		 1286 if (sdebug)
1287 ssl_ctx_security_debug(ctx, bio_err, sdebug);
1288
db99779b
DSH		 1289 if (vpm)
1290 SSL_CTX_set1_param(ctx, vpm);
1291
b252cf0d 1292 if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, 1, no_jpake))
5d2e07f1
DSH		 1293 {
1294 ERR_print_errors(bio_err);
1295 goto end;
1296 }
1297
0090a686
DSH		 1298 if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile,
1299 crls, crl_download))
a5afc0a8
DSH		 1300 {
1301 BIO_printf(bio_err, "Error loading store locations\n");
1302 ERR_print_errors(bio_err);
1303 goto end;
1304 }
1305
59d2d48f
DSH		 1306#ifndef OPENSSL_NO_ENGINE
1307 if (ssl_client_engine)
1308 {
1309 if (!SSL_CTX_set_client_cert_engine(ctx, ssl_client_engine))
1310 {
1311 BIO_puts(bio_err, "Error setting client auth engine\n");
1312 ERR_print_errors(bio_err);
1313 ENGINE_free(ssl_client_engine);
1314 goto end;
1315 }
1316 ENGINE_free(ssl_client_engine);
1317 }
1318#endif
1319
ddac1974 1320#ifndef OPENSSL_NO_PSK
79bd20fd
DSH		 1321#ifdef OPENSSL_NO_JPAKE
1322 if (psk_key != NULL)
1323#else
f3b7bdad 1324 if (psk_key != NULL || jpake_secret)
79bd20fd 1325#endif
ddac1974
NL		 1326 {
1327 if (c_debug)
f3b7bdad 1328 BIO_printf(bio_c_out, "PSK key given or JPAKE in use, setting client callback\n");
ddac1974
NL		 1329 SSL_CTX_set_psk_client_callback(ctx, psk_client_cb);
1330 }
333f926d
BL		 1331 if (srtp_profiles != NULL)
1332 SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles);
ddac1974 1333#endif
3208fc59 1334 if (exc) ssl_ctx_set_excert(ctx, exc);
36d16f8e
BL		 1335 /* DTLS: partial reads end up discarding unread UDP bytes :-(
1336 * Setting read ahead solves this problem.
1337 */
b1277b99 1338 if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
d02b48c6 1339
6f017a8f
AL		 1340#if !defined(OPENSSL_NO_TLSEXT)
1341# if !defined(OPENSSL_NO_NEXTPROTONEG)
ee2ffc27
BL		 1342 if (next_proto.data)
1343 SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);
6f017a8f
AL		 1344# endif
1345 if (alpn_in)
1346 {
1347 unsigned short alpn_len;
1348 unsigned char *alpn = next_protos_parse(&alpn_len, alpn_in);
1349
1350 if (alpn == NULL)
1351 {
1352 BIO_printf(bio_err, "Error parsing -alpn argument\n");
1353 goto end;
1354 }
1355 SSL_CTX_set_alpn_protos(ctx, alpn, alpn_len);
a8989362 1356 OPENSSL_free(alpn);
6f017a8f 1357 }
ee2ffc27 1358#endif
a398f821
T		 1359#ifndef OPENSSL_NO_TLSEXT
1360 if (serverinfo_types_count)
1361 {
1362 for (i = 0; i < serverinfo_types_count; i++)
1363 {
8cafe9e8 1364 SSL_CTX_add_client_custom_ext(ctx,
a398f821 1365 serverinfo_types[i],
33f653ad 1366 NULL, NULL, NULL,
a398f821
T		 1367 serverinfo_cli_cb,
1368 NULL);
1369 }
1370 }
1371#endif
ee2ffc27 1372
d02b48c6 1373 if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
d02b48c6
RE		 1374#if 0
1375 else
1376 SSL_CTX_set_cipher_list(ctx,getenv("SSL_CIPHER"));
1377#endif
1378
1379 SSL_CTX_set_verify(ctx,verify,verify_callback);
d02b48c6
RE		 1380
1381 if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
1382 (!SSL_CTX_set_default_verify_paths(ctx)))
1383 {
657e60fa 1384 /* BIO_printf(bio_err,"error setting default verify locations\n"); */
d02b48c6 1385 ERR_print_errors(bio_err);
58964a49 1386 /* goto end; */
d02b48c6
RE		 1387 }
1388
0090a686 1389 ssl_ctx_add_crls(ctx, crls, crl_download);
fdb78f3d 1390
4e71d952 1391 if (!set_cert_key_stuff(ctx,cert,key,chain,build_chain))
74ecfab4
DSH		 1392 goto end;
1393
ed3883d2 1394#ifndef OPENSSL_NO_TLSEXT
b1277b99
BM		 1395 if (servername != NULL)
1396 {
ed3883d2
BM		 1397 tlsextcbp.biodebug = bio_err;
1398 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
1399 SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
b1277b99 1400 }
edc032b5
BL		 1401#ifndef OPENSSL_NO_SRP
1402 if (srp_arg.srplogin)
1403 {
f2fc3075 1404 if (!srp_lateuser && !SSL_CTX_set_srp_username(ctx, srp_arg.srplogin))
edc032b5
BL		 1405 {
1406 BIO_printf(bio_err,"Unable to set SRP username\n");
1407 goto end;
1408 }
1409 srp_arg.msg = c_msg;
1410 srp_arg.debug = c_debug ;
1411 SSL_CTX_set_srp_cb_arg(ctx,&srp_arg);
1412 SSL_CTX_set_srp_client_pwd_callback(ctx, ssl_give_srp_client_pwd_cb);
1413 SSL_CTX_set_srp_strength(ctx, srp_arg.strength);
1414 if (c_msg || c_debug || srp_arg.amp == 0)
1415 SSL_CTX_set_srp_verify_param_callback(ctx, ssl_srp_verify_param_cb);
1416 }
1417
1418#endif
ed3883d2 1419#endif
d02b48c6 1420
82fc1d9c 1421 con=SSL_new(ctx);
6434abbf
DSH		 1422 if (sess_in)
1423 {
1424 SSL_SESSION *sess;
1425 BIO *stmp = BIO_new_file(sess_in, "r");
1426 if (!stmp)
1427 {
1428 BIO_printf(bio_err, "Can't open session file %s\n",
1429 sess_in);
1430 ERR_print_errors(bio_err);
1431 goto end;
1432 }
1433 sess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL);
1434 BIO_free(stmp);
1435 if (!sess)
1436 {
1437 BIO_printf(bio_err, "Can't open session file %s\n",
1438 sess_in);
1439 ERR_print_errors(bio_err);
1440 goto end;
1441 }
1442 SSL_set_session(con, sess);
1443 SSL_SESSION_free(sess);
1444 }
ed3883d2 1445#ifndef OPENSSL_NO_TLSEXT
b1277b99
BM		 1446 if (servername != NULL)
1447 {
a13c20f6 1448 if (!SSL_set_tlsext_host_name(con,servername))
b1277b99 1449 {
ed3883d2
BM		 1450 BIO_printf(bio_err,"Unable to set TLS servername extension.\n");
1451 ERR_print_errors(bio_err);
1452 goto end;
b1277b99 1453 }
ed3883d2 1454 }
ed3883d2 1455#endif
cf1b7d96 1456#ifndef OPENSSL_NO_KRB5
4f7a2ab8 1457 if (con && (kctx = kssl_ctx_new()) != NULL)
f9b3bff6 1458 {
4f7a2ab8
DSH		 1459 SSL_set0_kssl_ctx(con, kctx);
1460 kssl_ctx_setstring(kctx, KSSL_SERVER, host);
f9b3bff6 1461 }
cf1b7d96 1462#endif /* OPENSSL_NO_KRB5 */
58964a49 1463/* SSL_set_cipher_list(con,"RC4-MD5"); */
761772d7
BM		 1464#if 0
1465#ifdef TLSEXT_TYPE_opaque_prf_input
86d4bc3a 1466 SSL_set_tlsext_opaque_prf_input(con, "Test client", 11);
761772d7
BM		 1467#endif
1468#endif
d02b48c6
RE		 1469
1470re_start:
9cd86abb
DSH		 1471#ifdef NO_SYS_UN_H
1472 if (init_client(&s,host,port,socket_type) == 0)
1473#else
a9351320
GT		 1474 if ((!unix_path && (init_client(&s,host,port,socket_type) == 0)) ||
1475 (unix_path && (init_client_unix(&s,unix_path) == 0)))
9cd86abb 1476#endif
d02b48c6 1477 {
58964a49 1478 BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
d02b48c6
RE		 1479 SHUTDOWN(s);
1480 goto end;
1481 }
1482 BIO_printf(bio_c_out,"CONNECTED(%08X)\n",s);
1483
1484#ifdef FIONBIO
1485 if (c_nbio)
1486 {
1487 unsigned long l=1;
1488 BIO_printf(bio_c_out,"turning on non blocking io\n");
58964a49
RE		 1489 if (BIO_socket_ioctl(s,FIONBIO,&l) < 0)
1490 {
1491 ERR_print_errors(bio_err);
1492 goto end;
1493 }
d02b48c6
RE		 1494 }
1495#endif
08557cf2 1496 if (c_Pause & 0x01) SSL_set_debug(con, 1);
36d16f8e 1497
c3b344e3 1498 if (socket_type == SOCK_DGRAM)
36d16f8e 1499 {
36d16f8e
BL		 1500
1501 sbio=BIO_new_dgram(s,BIO_NOCLOSE);
6c61726b 1502 if (getsockname(s, &peer, (void *)&peerlen) < 0)
36d16f8e
BL		 1503 {
1504 BIO_printf(bio_err, "getsockname:errno=%d\n",
1505 get_last_socket_error());
1506 SHUTDOWN(s);
1507 goto end;
1508 }
1509
710069c1 1510 (void)BIO_ctrl_set_connected(sbio, 1, &peer);
36d16f8e 1511
b1277b99 1512 if (enable_timeouts)
36d16f8e
BL		 1513 {
1514 timeout.tv_sec = 0;
1515 timeout.tv_usec = DGRAM_RCV_TIMEOUT;
1516 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
1517
1518 timeout.tv_sec = 0;
1519 timeout.tv_usec = DGRAM_SND_TIMEOUT;
1520 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
1521 }
1522
046f2101 1523 if (socket_mtu > 28)
36d16f8e
BL		 1524 {
1525 SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
046f2101 1526 SSL_set_mtu(con, socket_mtu - 28);
36d16f8e
BL		 1527 }
1528 else
1529 /* want to do MTU discovery */
1530 BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
1531 }
1532 else
1533 sbio=BIO_new_socket(s,BIO_NOCLOSE);
1534
d02b48c6
RE		 1535 if (nbio_test)
1536 {
1537 BIO *test;
1538
1539 test=BIO_new(BIO_f_nbio_test());
1540 sbio=BIO_push(test,sbio);
1541 }
1542
1543 if (c_debug)
1544 {
08557cf2 1545 SSL_set_debug(con, 1);
25495640 1546 BIO_set_callback(sbio,bio_dump_callback);
7806f3dd 1547 BIO_set_callback_arg(sbio,(char *)bio_c_out);
d02b48c6 1548 }
a661b653
BM		 1549 if (c_msg)
1550 {
93ab9e42
DSH		 1551#ifndef OPENSSL_NO_SSL_TRACE
1552 if (c_msg == 2)
1553 SSL_set_msg_callback(con, SSL_trace);
1554 else
1555#endif
1556 SSL_set_msg_callback(con, msg_cb);
1557 SSL_set_msg_callback_arg(con, bio_c_msg ? bio_c_msg : bio_c_out);
a661b653 1558 }
6434abbf
DSH		 1559#ifndef OPENSSL_NO_TLSEXT
1560 if (c_tlsextdebug)
1561 {
1562 SSL_set_tlsext_debug_callback(con, tlsext_cb);
1563 SSL_set_tlsext_debug_arg(con, bio_c_out);
1564 }
67c8e7f4
DSH		 1565 if (c_status_req)
1566 {
1567 SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp);
1568 SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb);
1569 SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out);
1570#if 0
1571{
1572STACK_OF(OCSP_RESPID) *ids = sk_OCSP_RESPID_new_null();
1573OCSP_RESPID *id = OCSP_RESPID_new();
1574id->value.byKey = ASN1_OCTET_STRING_new();
1575id->type = V_OCSP_RESPID_KEY;
1576ASN1_STRING_set(id->value.byKey, "Hello World", -1);
1577sk_OCSP_RESPID_push(ids, id);
1578SSL_set_tlsext_status_ids(con, ids);
1579}
1580#endif
1581 }
6434abbf 1582#endif
79bd20fd 1583#ifndef OPENSSL_NO_JPAKE
6caa4edd
BL		 1584 if (jpake_secret)
1585 jpake_client_auth(bio_c_out, sbio, jpake_secret);
ed551cdd 1586#endif
6caa4edd 1587
d02b48c6
RE		 1588 SSL_set_bio(con,sbio,sbio);
1589 SSL_set_connect_state(con);
1590
1591 /* ok, lets connect */
1592 width=SSL_get_fd(con)+1;
1593
1594 read_tty=1;
1595 write_tty=0;
1596 tty_on=0;
1597 read_ssl=1;
1598 write_ssl=1;
1599
1600 cbuf_len=0;
1601 cbuf_off=0;
1602 sbuf_len=0;
1603 sbuf_off=0;
1604
135c0af1 1605 /* This is an ugly hack that does a lot of assumptions */
ee373e7f
LJ		 1606 /* We do have to handle multi-line responses which may come
1607 in a single packet or not. We therefore have to use
1608 BIO_gets() which does need a buffering BIO. So during
1609 the initial chitchat we do push a buffering BIO into the
1610 chain that is removed again later on to not disturb the
1611 rest of the s_client operation. */
85c67492 1612 if (starttls_proto == PROTO_SMTP)
135c0af1 1613 {
8d72476e 1614 int foundit=0;
ee373e7f
LJ		 1615 BIO *fbio = BIO_new(BIO_f_buffer());
1616 BIO_push(fbio, sbio);
85c67492
RL		 1617 /* wait for multi-line response to end from SMTP */
1618 do
1619 {
ee373e7f 1620 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
85c67492
RL		 1621 }
1622 while (mbuf_len>3 && mbuf[3]=='-');
8d72476e 1623 /* STARTTLS command requires EHLO... */
ee373e7f 1624 BIO_printf(fbio,"EHLO openssl.client.net\r\n");
710069c1 1625 (void)BIO_flush(fbio);
8d72476e
LJ		 1626 /* wait for multi-line response to end EHLO SMTP response */
1627 do
1628 {
ee373e7f 1629 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
8d72476e
LJ		 1630 if (strstr(mbuf,"STARTTLS"))
1631 foundit=1;
1632 }
1633 while (mbuf_len>3 && mbuf[3]=='-');
710069c1 1634 (void)BIO_flush(fbio);
ee373e7f
LJ		 1635 BIO_pop(fbio);
1636 BIO_free(fbio);
8d72476e
LJ		 1637 if (!foundit)
1638 BIO_printf(bio_err,
1639 "didn't found starttls in server response,"
1640 " try anyway...\n");
135c0af1
RL		 1641 BIO_printf(sbio,"STARTTLS\r\n");
1642 BIO_read(sbio,sbuf,BUFSIZZ);
1643 }
85c67492 1644 else if (starttls_proto == PROTO_POP3)
4f17dfcd
LJ		 1645 {
1646 BIO_read(sbio,mbuf,BUFSIZZ);
1647 BIO_printf(sbio,"STLS\r\n");
1648 BIO_read(sbio,sbuf,BUFSIZZ);
1649 }
85c67492
RL		 1650 else if (starttls_proto == PROTO_IMAP)
1651 {
8d72476e 1652 int foundit=0;
ee373e7f
LJ		 1653 BIO *fbio = BIO_new(BIO_f_buffer());
1654 BIO_push(fbio, sbio);
1655 BIO_gets(fbio,mbuf,BUFSIZZ);
8d72476e 1656 /* STARTTLS command requires CAPABILITY... */
ee373e7f 1657 BIO_printf(fbio,". CAPABILITY\r\n");
710069c1 1658 (void)BIO_flush(fbio);
8d72476e
LJ		 1659 /* wait for multi-line CAPABILITY response */
1660 do
1661 {
ee373e7f 1662 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
8d72476e
LJ		 1663 if (strstr(mbuf,"STARTTLS"))
1664 foundit=1;
1665 }
ee373e7f 1666 while (mbuf_len>3 && mbuf[0]!='.');
710069c1 1667 (void)BIO_flush(fbio);
ee373e7f
LJ		 1668 BIO_pop(fbio);
1669 BIO_free(fbio);
8d72476e
LJ		 1670 if (!foundit)
1671 BIO_printf(bio_err,
1672 "didn't found STARTTLS in server response,"
1673 " try anyway...\n");
1674 BIO_printf(sbio,". STARTTLS\r\n");
85c67492
RL		 1675 BIO_read(sbio,sbuf,BUFSIZZ);
1676 }
1677 else if (starttls_proto == PROTO_FTP)
1678 {
ee373e7f
LJ		 1679 BIO *fbio = BIO_new(BIO_f_buffer());
1680 BIO_push(fbio, sbio);
85c67492
RL		 1681 /* wait for multi-line response to end from FTP */
1682 do
1683 {
ee373e7f 1684 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
85c67492
RL		 1685 }
1686 while (mbuf_len>3 && mbuf[3]=='-');
710069c1 1687 (void)BIO_flush(fbio);
ee373e7f
LJ		 1688 BIO_pop(fbio);
1689 BIO_free(fbio);
85c67492
RL		 1690 BIO_printf(sbio,"AUTH TLS\r\n");
1691 BIO_read(sbio,sbuf,BUFSIZZ);
1692 }
d5bbead4
BL		 1693 if (starttls_proto == PROTO_XMPP)
1694 {
1695 int seen = 0;
1696 BIO_printf(sbio,"<stream:stream "
1697 "xmlns:stream='http://etherx.jabber.org/streams' "
d2625fd6
BL		 1698 "xmlns='jabber:client' to='%s' version='1.0'>", xmpphost ?
1699 xmpphost : host);
d5bbead4
BL		 1700 seen = BIO_read(sbio,mbuf,BUFSIZZ);
1701 mbuf[seen] = 0;
4e48c775
CALP		 1702 while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'") &&
1703 !strstr(mbuf, "<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\""))
d5bbead4 1704 {
d5bbead4 1705 seen = BIO_read(sbio,mbuf,BUFSIZZ);
4249d4ba
CALP		 1706
1707 if (seen <= 0)
1708 goto shut;
1709
d5bbead4
BL		 1710 mbuf[seen] = 0;
1711 }
1712 BIO_printf(sbio, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>");
1713 seen = BIO_read(sbio,sbuf,BUFSIZZ);
1714 sbuf[seen] = 0;
1715 if (!strstr(sbuf, "<proceed"))
1716 goto shut;
1717 mbuf[0] = 0;
1718 }
135c0af1 1719
d02b48c6
RE		 1720 for (;;)
1721 {
1722 FD_ZERO(&readfds);
1723 FD_ZERO(&writefds);
1724
b972fbaa
DSH		 1725 if ((SSL_version(con) == DTLS1_VERSION) &&
1726 DTLSv1_get_timeout(con, &timeout))
1727 timeoutp = &timeout;
1728 else
1729 timeoutp = NULL;
1730
58964a49 1731 if (SSL_in_init(con) && !SSL_total_renegotiations(con))
d02b48c6
RE		 1732 {
1733 in_init=1;
1734 tty_on=0;
1735 }
1736 else
1737 {
1738 tty_on=1;
1739 if (in_init)
1740 {
1741 in_init=0;
761772d7 1742#if 0 /* This test doesn't really work as intended (needs to be fixed) */
ed3883d2 1743#ifndef OPENSSL_NO_TLSEXT
b166f13e
BM		 1744 if (servername != NULL && !SSL_session_reused(con))
1745 {
1746 BIO_printf(bio_c_out,"Server did %sacknowledge servername extension.\n",tlsextcbp.ack?"":"not ");
1747 }
761772d7 1748#endif
ed3883d2 1749#endif
6434abbf
DSH		 1750 if (sess_out)
1751 {
1752 BIO *stmp = BIO_new_file(sess_out, "w");
1753 if (stmp)
1754 {
1755 PEM_write_bio_SSL_SESSION(stmp, SSL_get_session(con));
1756 BIO_free(stmp);
1757 }
1758 else
1759 BIO_printf(bio_err, "Error writing session file %s\n", sess_out);
1760 }
2a7cbe77
DSH		 1761 if (c_brief)
1762 {
1763 BIO_puts(bio_err,
1764 "CONNECTION ESTABLISHED\n");
1765 print_ssl_summary(bio_err, con);
1766 }
67c408ce 1767
d02b48c6
RE		 1768 print_stuff(bio_c_out,con,full_log);
1769 if (full_log > 0) full_log--;
1770
4f17dfcd 1771 if (starttls_proto)
135c0af1
RL		 1772 {
1773 BIO_printf(bio_err,"%s",mbuf);
1774 /* We don't need to know any more */
85c67492 1775 starttls_proto = PROTO_OFF;
135c0af1
RL		 1776 }
1777
d02b48c6
RE		 1778 if (reconnect)
1779 {
1780 reconnect--;
1781 BIO_printf(bio_c_out,"drop connection and then reconnect\n");
1782 SSL_shutdown(con);
1783 SSL_set_connect_state(con);
1784 SHUTDOWN(SSL_get_fd(con));
1785 goto re_start;
1786 }
1787 }
1788 }
1789
c7ac31e2
BM		 1790 ssl_pending = read_ssl && SSL_pending(con);
1791
1792 if (!ssl_pending)
d02b48c6 1793 {
4700aea9 1794#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) && !defined (OPENSSL_SYS_BEOS_R5)
c7ac31e2
BM		 1795 if (tty_on)
1796 {
7bf7333d
DSH		 1797 if (read_tty) openssl_fdset(fileno(stdin),&readfds);
1798 if (write_tty) openssl_fdset(fileno(stdout),&writefds);
c7ac31e2 1799 }
c7ac31e2 1800 if (read_ssl)
7bf7333d 1801 openssl_fdset(SSL_get_fd(con),&readfds);
c7ac31e2 1802 if (write_ssl)
7bf7333d 1803 openssl_fdset(SSL_get_fd(con),&writefds);
06f4536a
DSH		 1804#else
1805 if(!tty_on || !write_tty) {
1806 if (read_ssl)
7bf7333d 1807 openssl_fdset(SSL_get_fd(con),&readfds);
06f4536a 1808 if (write_ssl)
7bf7333d 1809 openssl_fdset(SSL_get_fd(con),&writefds);
06f4536a
DSH		 1810 }
1811#endif
c7ac31e2
BM		 1812/* printf("mode tty(%d %d%d) ssl(%d%d)\n",
1813 tty_on,read_tty,write_tty,read_ssl,write_ssl);*/
d02b48c6 1814
75e0770d 1815 /* Note: under VMS with SOCKETSHR the second parameter
7d7d2cbc
UM		 1816 * is currently of type (int *) whereas under other
1817 * systems it is (void *) if you don't have a cast it
1818 * will choke the compiler: if you do have a cast then
1819 * you can either go for (int *) or (void *).
1820 */
3d7c4a5a
RL		 1821#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
1822 /* Under Windows/DOS we make the assumption that we can
06f4536a
DSH		 1823 * always write to the tty: therefore if we need to
1824 * write to the tty we just fall through. Otherwise
1825 * we timeout the select every second and see if there
1826 * are any keypresses. Note: this is a hack, in a proper
1827 * Windows application we wouldn't do this.
1828 */
4ec19e20 1829 i=0;
06f4536a
DSH		 1830 if(!write_tty) {
1831 if(read_tty) {
1832 tv.tv_sec = 1;
1833 tv.tv_usec = 0;
1834 i=select(width,(void *)&readfds,(void *)&writefds,
1835 NULL,&tv);
3d7c4a5a 1836#if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
0bf23d9b
RL		 1837 if(!i && (!_kbhit() || !read_tty) ) continue;
1838#else
a9ef75c5 1839 if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue;
0bf23d9b 1840#endif
06f4536a 1841 } else i=select(width,(void *)&readfds,(void *)&writefds,
b972fbaa 1842 NULL,timeoutp);
06f4536a 1843 }
47c1735a
RL		 1844#elif defined(OPENSSL_SYS_NETWARE)
1845 if(!write_tty) {
1846 if(read_tty) {
1847 tv.tv_sec = 1;
1848 tv.tv_usec = 0;
1849 i=select(width,(void *)&readfds,(void *)&writefds,
1850 NULL,&tv);
1851 } else i=select(width,(void *)&readfds,(void *)&writefds,
b972fbaa 1852 NULL,timeoutp);
47c1735a 1853 }
4700aea9
UM		 1854#elif defined(OPENSSL_SYS_BEOS_R5)
1855 /* Under BeOS-R5 the situation is similar to DOS */
1856 i=0;
1857 stdin_set = 0;
1858 (void)fcntl(fileno(stdin), F_SETFL, O_NONBLOCK);
1859 if(!write_tty) {
1860 if(read_tty) {
1861 tv.tv_sec = 1;
1862 tv.tv_usec = 0;
1863 i=select(width,(void *)&readfds,(void *)&writefds,
1864 NULL,&tv);
1865 if (read(fileno(stdin), sbuf, 0) >= 0)
1866 stdin_set = 1;
1867 if (!i && (stdin_set != 1 || !read_tty))
1868 continue;
1869 } else i=select(width,(void *)&readfds,(void *)&writefds,
b972fbaa 1870 NULL,timeoutp);
4700aea9
UM		 1871 }
1872 (void)fcntl(fileno(stdin), F_SETFL, 0);
06f4536a 1873#else
7d7d2cbc 1874 i=select(width,(void *)&readfds,(void *)&writefds,
b972fbaa 1875 NULL,timeoutp);
06f4536a 1876#endif
c7ac31e2
BM		 1877 if ( i < 0)
1878 {
1879 BIO_printf(bio_err,"bad select %d\n",
58964a49 1880 get_last_socket_error());
c7ac31e2
BM		 1881 goto shut;
1882 /* goto end; */
1883 }
d02b48c6
RE		 1884 }
1885
b972fbaa
DSH		 1886 if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0)
1887 {
478b50cf 1888 BIO_printf(bio_err,"TIMEOUT occurred\n");
b972fbaa
DSH		 1889 }
1890
c7ac31e2 1891 if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds))
d02b48c6
RE		 1892 {
1893 k=SSL_write(con,&(cbuf[cbuf_off]),
1894 (unsigned int)cbuf_len);
1895 switch (SSL_get_error(con,k))
1896 {
1897 case SSL_ERROR_NONE:
1898 cbuf_off+=k;
1899 cbuf_len-=k;
1900 if (k <= 0) goto end;
1901 /* we have done a write(con,NULL,0); */
1902 if (cbuf_len <= 0)
1903 {
1904 read_tty=1;
1905 write_ssl=0;
1906 }
1907 else /* if (cbuf_len > 0) */
1908 {
1909 read_tty=0;
1910 write_ssl=1;
1911 }
1912 break;
1913 case SSL_ERROR_WANT_WRITE:
1914 BIO_printf(bio_c_out,"write W BLOCK\n");
1915 write_ssl=1;
1916 read_tty=0;
1917 break;
1918 case SSL_ERROR_WANT_READ:
1919 BIO_printf(bio_c_out,"write R BLOCK\n");
1920 write_tty=0;
1921 read_ssl=1;
1922 write_ssl=0;
1923 break;
1924 case SSL_ERROR_WANT_X509_LOOKUP:
1925 BIO_printf(bio_c_out,"write X BLOCK\n");
1926 break;
1927 case SSL_ERROR_ZERO_RETURN:
1928 if (cbuf_len != 0)
1929 {
1930 BIO_printf(bio_c_out,"shutdown\n");
0e1dba93 1931 ret = 0;
d02b48c6
RE		 1932 goto shut;
1933 }
1934 else
1935 {
1936 read_tty=1;
1937 write_ssl=0;
1938 break;
1939 }
1940
1941 case SSL_ERROR_SYSCALL:
1942 if ((k != 0) || (cbuf_len != 0))
1943 {
1944 BIO_printf(bio_err,"write:errno=%d\n",
58964a49 1945 get_last_socket_error());
d02b48c6
RE		 1946 goto shut;
1947 }
1948 else
1949 {
1950 read_tty=1;
1951 write_ssl=0;
1952 }
1953 break;
1954 case SSL_ERROR_SSL:
1955 ERR_print_errors(bio_err);
1956 goto shut;
1957 }
1958 }
4700aea9
UM		 1959#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
1960 /* Assume Windows/DOS/BeOS can always write */
06f4536a
DSH		 1961 else if (!ssl_pending && write_tty)
1962#else
c7ac31e2 1963 else if (!ssl_pending && FD_ISSET(fileno(stdout),&writefds))
06f4536a 1964#endif
d02b48c6 1965 {
a53955d8
UM		 1966#ifdef CHARSET_EBCDIC
1967 ascii2ebcdic(&(sbuf[sbuf_off]),&(sbuf[sbuf_off]),sbuf_len);
1968#endif
ffa10187 1969 i=raw_write_stdout(&(sbuf[sbuf_off]),sbuf_len);
d02b48c6
RE		 1970
1971 if (i <= 0)
1972 {
1973 BIO_printf(bio_c_out,"DONE\n");
0e1dba93 1974 ret = 0;
d02b48c6
RE		 1975 goto shut;
1976 /* goto end; */
1977 }
1978
1979 sbuf_len-=i;;
1980 sbuf_off+=i;
1981 if (sbuf_len <= 0)
1982 {
1983 read_ssl=1;
1984 write_tty=0;
1985 }
1986 }
c7ac31e2 1987 else if (ssl_pending || FD_ISSET(SSL_get_fd(con),&readfds))
d02b48c6 1988 {
58964a49
RE		 1989#ifdef RENEG
1990{ static int iiii; if (++iiii == 52) { SSL_renegotiate(con); iiii=0; } }
1991#endif
dfeab068 1992#if 1
58964a49 1993 k=SSL_read(con,sbuf,1024 /* BUFSIZZ */ );
dfeab068
RE		 1994#else
1995/* Demo for pending and peek :-) */
1996 k=SSL_read(con,sbuf,16);
1997{ char zbuf[10240];
1998printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240));
1999}
2000#endif
d02b48c6
RE		 2001
2002 switch (SSL_get_error(con,k))
2003 {
2004 case SSL_ERROR_NONE:
2005 if (k <= 0)
2006 goto end;
2007 sbuf_off=0;
2008 sbuf_len=k;
2009
2010 read_ssl=0;
2011 write_tty=1;
2012 break;
2013 case SSL_ERROR_WANT_WRITE:
2014 BIO_printf(bio_c_out,"read W BLOCK\n");
2015 write_ssl=1;
2016 read_tty=0;
2017 break;
2018 case SSL_ERROR_WANT_READ:
2019 BIO_printf(bio_c_out,"read R BLOCK\n");
2020 write_tty=0;
2021 read_ssl=1;
2022 if ((read_tty == 0) && (write_ssl == 0))
2023 write_ssl=1;
2024 break;
2025 case SSL_ERROR_WANT_X509_LOOKUP:
2026 BIO_printf(bio_c_out,"read X BLOCK\n");
2027 break;
2028 case SSL_ERROR_SYSCALL:
0e1dba93 2029 ret=get_last_socket_error();
2537d469 2030 if (c_brief)
66d9f2e5
DSH		 2031 BIO_puts(bio_err, "CONNECTION CLOSED BY SERVER\n");
2032 else
2033 BIO_printf(bio_err,"read:errno=%d\n",ret);
d02b48c6
RE		 2034 goto shut;
2035 case SSL_ERROR_ZERO_RETURN:
2036 BIO_printf(bio_c_out,"closed\n");
0e1dba93 2037 ret=0;
d02b48c6
RE		 2038 goto shut;
2039 case SSL_ERROR_SSL:
2040 ERR_print_errors(bio_err);
2041 goto shut;
dfeab068 2042 /* break; */
d02b48c6
RE		 2043 }
2044 }
2045
3d7c4a5a
RL		 2046#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
2047#if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
0bf23d9b
RL		 2048 else if (_kbhit())
2049#else
a9ef75c5 2050 else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
0bf23d9b 2051#endif
4d8743f4 2052#elif defined (OPENSSL_SYS_NETWARE)
ffa10187 2053 else if (_kbhit())
4700aea9
UM		 2054#elif defined(OPENSSL_SYS_BEOS_R5)
2055 else if (stdin_set)
06f4536a 2056#else
d02b48c6 2057 else if (FD_ISSET(fileno(stdin),&readfds))
06f4536a 2058#endif
d02b48c6 2059 {
1bdb8633
BM		 2060 if (crlf)
2061 {
2062 int j, lf_num;
2063
ffa10187 2064 i=raw_read_stdin(cbuf,BUFSIZZ/2);
1bdb8633
BM		 2065 lf_num = 0;
2066 /* both loops are skipped when i <= 0 */
2067 for (j = 0; j < i; j++)
2068 if (cbuf[j] == '\n')
2069 lf_num++;
2070 for (j = i-1; j >= 0; j--)
2071 {
2072 cbuf[j+lf_num] = cbuf[j];
2073 if (cbuf[j] == '\n')
2074 {
2075 lf_num--;
2076 i++;
2077 cbuf[j+lf_num] = '\r';
2078 }
2079 }
2080 assert(lf_num == 0);
2081 }
2082 else
ffa10187 2083 i=raw_read_stdin(cbuf,BUFSIZZ);
d02b48c6 2084
ce301b6b 2085 if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q')))
d02b48c6
RE		 2086 {
2087 BIO_printf(bio_err,"DONE\n");
0e1dba93 2088 ret=0;
d02b48c6
RE		 2089 goto shut;
2090 }
2091
ce301b6b 2092 if ((!c_ign_eof) && (cbuf[0] == 'R'))
d02b48c6 2093 {
3bb307c1 2094 BIO_printf(bio_err,"RENEGOTIATING\n");
d02b48c6 2095 SSL_renegotiate(con);
3bb307c1 2096 cbuf_len=0;
d02b48c6 2097 }
4817504d
DSH		 2098#ifndef OPENSSL_NO_HEARTBEATS
2099 else if ((!c_ign_eof) && (cbuf[0] == 'B'))
2100 {
2101 BIO_printf(bio_err,"HEARTBEATING\n");
2102 SSL_heartbeat(con);
2103 cbuf_len=0;
2104 }
2105#endif
d02b48c6
RE		 2106 else
2107 {
2108 cbuf_len=i;
2109 cbuf_off=0;
a53955d8
UM		 2110#ifdef CHARSET_EBCDIC
2111 ebcdic2ascii(cbuf, cbuf, i);
2112#endif
d02b48c6
RE		 2113 }
2114
d02b48c6 2115 write_ssl=1;
3bb307c1 2116 read_tty=0;
d02b48c6 2117 }
d02b48c6 2118 }
0e1dba93
DSH		 2119
2120 ret=0;
d02b48c6 2121shut:
b166f13e
BM		 2122 if (in_init)
2123 print_stuff(bio_c_out,con,full_log);
d02b48c6
RE		 2124 SSL_shutdown(con);
2125 SHUTDOWN(SSL_get_fd(con));
d02b48c6 2126end:
d916ba1b
NL		 2127 if (con != NULL)
2128 {
2129 if (prexit != 0)
2130 print_stuff(bio_c_out,con,1);
2131 SSL_free(con);
2132 }
dd251659
DSH		 2133#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
2134 if (next_proto.data)
2135 OPENSSL_free(next_proto.data);
2136#endif
d02b48c6 2137 if (ctx != NULL) SSL_CTX_free(ctx);
826a42a0
DSH		 2138 if (cert)
2139 X509_free(cert);
fdb78f3d
DSH		 2140 if (crls)
2141 sk_X509_CRL_pop_free(crls, X509_CRL_free);
826a42a0
DSH		 2142 if (key)
2143 EVP_PKEY_free(key);
4e71d952
DSH		 2144 if (chain)
2145 sk_X509_pop_free(chain, X509_free);
826a42a0
DSH		 2146 if (pass)
2147 OPENSSL_free(pass);
22b5d7c8
DSH		 2148 if (vpm)
2149 X509_VERIFY_PARAM_free(vpm);
3208fc59 2150 ssl_excert_free(exc);
5d2e07f1
DSH		 2151 if (ssl_args)
2152 sk_OPENSSL_STRING_free(ssl_args);
2153 if (cctx)
2154 SSL_CONF_CTX_free(cctx);
b252cf0d
DSH		 2155#ifndef OPENSSL_NO_JPAKE
2156 if (jpake_secret && psk_key)
2157 OPENSSL_free(psk_key);
2158#endif
4579924b
RL		 2159 if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); }
2160 if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); }
2161 if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); }
d02b48c6
RE		 2162 if (bio_c_out != NULL)
2163 {
2164 BIO_free(bio_c_out);
2165 bio_c_out=NULL;
2166 }
93ab9e42
DSH		 2167 if (bio_c_msg != NULL)
2168 {
2169 BIO_free(bio_c_msg);
2170 bio_c_msg=NULL;
2171 }
c04f8cf4 2172 apps_shutdown();
1c3e4a36 2173 OPENSSL_EXIT(ret);
d02b48c6
RE		 2174 }
2175
2176
6b691a5c 2177static void print_stuff(BIO *bio, SSL *s, int full)
d02b48c6 2178 {
58964a49 2179 X509 *peer=NULL;
d02b48c6 2180 char *p;
7d727231 2181 static const char *space=" ";
d02b48c6 2182 char buf[BUFSIZ];
f73e07cf
BL		 2183 STACK_OF(X509) *sk;
2184 STACK_OF(X509_NAME) *sk2;
babb3798 2185 const SSL_CIPHER *c;
d02b48c6
RE		 2186 X509_NAME *xn;
2187 int j,i;
09b6c2ef 2188#ifndef OPENSSL_NO_COMP
d8ec0dcf 2189 const COMP_METHOD *comp, *expansion;
09b6c2ef 2190#endif
e0af0405 2191 unsigned char *exportedkeymat;
d02b48c6
RE		 2192
2193 if (full)
2194 {
bc2e519a
BM		 2195 int got_a_chain = 0;
2196
d02b48c6
RE		 2197 sk=SSL_get_peer_cert_chain(s);
2198 if (sk != NULL)
2199 {
bc2e519a
BM		 2200 got_a_chain = 1; /* we don't have it for SSL2 (yet) */
2201
dfeab068 2202 BIO_printf(bio,"---\nCertificate chain\n");
f73e07cf 2203 for (i=0; i<sk_X509_num(sk); i++)
d02b48c6 2204 {
f73e07cf 2205 X509_NAME_oneline(X509_get_subject_name(
54a656ef 2206 sk_X509_value(sk,i)),buf,sizeof buf);
d02b48c6 2207 BIO_printf(bio,"%2d s:%s\n",i,buf);
f73e07cf 2208 X509_NAME_oneline(X509_get_issuer_name(
54a656ef 2209 sk_X509_value(sk,i)),buf,sizeof buf);
d02b48c6 2210 BIO_printf(bio," i:%s\n",buf);
6d02d8e4 2211 if (c_showcerts)
f73e07cf 2212 PEM_write_bio_X509(bio,sk_X509_value(sk,i));
d02b48c6
RE		 2213 }
2214 }
2215
2216 BIO_printf(bio,"---\n");
2217 peer=SSL_get_peer_certificate(s);
2218 if (peer != NULL)
2219 {
2220 BIO_printf(bio,"Server certificate\n");
bc2e519a 2221 if (!(c_showcerts && got_a_chain)) /* Redundant if we showed the whole chain */
6d02d8e4 2222 PEM_write_bio_X509(bio,peer);
d02b48c6 2223 X509_NAME_oneline(X509_get_subject_name(peer),
54a656ef 2224 buf,sizeof buf);
d02b48c6
RE		 2225 BIO_printf(bio,"subject=%s\n",buf);
2226 X509_NAME_oneline(X509_get_issuer_name(peer),
54a656ef 2227 buf,sizeof buf);
d02b48c6 2228 BIO_printf(bio,"issuer=%s\n",buf);
d02b48c6
RE		 2229 }
2230 else
2231 BIO_printf(bio,"no peer certificate available\n");
2232
f73e07cf 2233 sk2=SSL_get_client_CA_list(s);
d91f8c3c 2234 if ((sk2 != NULL) && (sk_X509_NAME_num(sk2) > 0))
d02b48c6
RE		 2235 {
2236 BIO_printf(bio,"---\nAcceptable client certificate CA names\n");
f73e07cf 2237 for (i=0; i<sk_X509_NAME_num(sk2); i++)
d02b48c6 2238 {
f73e07cf 2239 xn=sk_X509_NAME_value(sk2,i);
d02b48c6
RE		 2240 X509_NAME_oneline(xn,buf,sizeof(buf));
2241 BIO_write(bio,buf,strlen(buf));
2242 BIO_write(bio,"\n",1);
2243 }
2244 }
2245 else
2246 {
2247 BIO_printf(bio,"---\nNo client certificate CA names sent\n");
2248 }
54a656ef 2249 p=SSL_get_shared_ciphers(s,buf,sizeof buf);
d02b48c6
RE		 2250 if (p != NULL)
2251 {
67a47285
BM		 2252 /* This works only for SSL 2. In later protocol
2253 * versions, the client does not know what other
2254 * ciphers (in addition to the one to be used
2255 * in the current connection) the server supports. */
2256
d02b48c6
RE		 2257 BIO_printf(bio,"---\nCiphers common between both SSL endpoints:\n");
2258 j=i=0;
2259 while (*p)
2260 {
2261 if (*p == ':')
2262 {
58964a49 2263 BIO_write(bio,space,15-j%25);
d02b48c6
RE		 2264 i++;
2265 j=0;
2266 BIO_write(bio,((i%3)?" ":"\n"),1);
2267 }
2268 else
2269 {
2270 BIO_write(bio,p,1);
2271 j++;
2272 }
2273 p++;
2274 }
2275 BIO_write(bio,"\n",1);
2276 }
2277
9f27b1ee 2278 ssl_print_sigalgs(bio, s);
33a8de69 2279 ssl_print_tmp_key(bio, s);
e7f8ff43 2280
d02b48c6
RE		 2281 BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n",
2282 BIO_number_read(SSL_get_rbio(s)),
2283 BIO_number_written(SSL_get_wbio(s)));
2284 }
08557cf2 2285 BIO_printf(bio,(SSL_cache_hit(s)?"---\nReused, ":"---\nNew, "));
d02b48c6
RE		 2286 c=SSL_get_current_cipher(s);
2287 BIO_printf(bio,"%s, Cipher is %s\n",
2288 SSL_CIPHER_get_version(c),
2289 SSL_CIPHER_get_name(c));
a8236c8c
DSH		 2290 if (peer != NULL) {
2291 EVP_PKEY *pktmp;
2292 pktmp = X509_get_pubkey(peer);
58964a49 2293 BIO_printf(bio,"Server public key is %d bit\n",
a8236c8c
DSH		 2294 EVP_PKEY_bits(pktmp));
2295 EVP_PKEY_free(pktmp);
2296 }
5430200b
DSH		 2297 BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
2298 SSL_get_secure_renegotiation_support(s) ? "" : " NOT");
09b6c2ef 2299#ifndef OPENSSL_NO_COMP
f44e184e 2300 comp=SSL_get_current_compression(s);
d8ec0dcf 2301 expansion=SSL_get_current_expansion(s);
f44e184e
RL		 2302 BIO_printf(bio,"Compression: %s\n",
2303 comp ? SSL_COMP_get_name(comp) : "NONE");
2304 BIO_printf(bio,"Expansion: %s\n",
d8ec0dcf 2305 expansion ? SSL_COMP_get_name(expansion) : "NONE");
09b6c2ef 2306#endif
71fa4513 2307
57559471 2308#ifdef SSL_DEBUG
a2f9200f
DSH		 2309 {
2310 /* Print out local port of connection: useful for debugging */
2311 int sock;
2312 struct sockaddr_in ladd;
2313 socklen_t ladd_size = sizeof(ladd);
2314 sock = SSL_get_fd(s);
2315 getsockname(sock, (struct sockaddr *)&ladd, &ladd_size);
2316 BIO_printf(bio_c_out, "LOCAL PORT is %u\n", ntohs(ladd.sin_port));
2317 }
2318#endif
2319
6f017a8f
AL		 2320#if !defined(OPENSSL_NO_TLSEXT)
2321# if !defined(OPENSSL_NO_NEXTPROTONEG)
71fa4513
BL		 2322 if (next_proto.status != -1) {
2323 const unsigned char *proto;
2324 unsigned int proto_len;
2325 SSL_get0_next_proto_negotiated(s, &proto, &proto_len);
2326 BIO_printf(bio, "Next protocol: (%d) ", next_proto.status);
2327 BIO_write(bio, proto, proto_len);
2328 BIO_write(bio, "\n", 1);
2329 }
2911575c 2330# endif
6f017a8f
AL		 2331 {
2332 const unsigned char *proto;
2333 unsigned int proto_len;
2334 SSL_get0_alpn_selected(s, &proto, &proto_len);
2335 if (proto_len > 0)
2336 {
2337 BIO_printf(bio, "ALPN protocol: ");
2338 BIO_write(bio, proto, proto_len);
2339 BIO_write(bio, "\n", 1);
2340 }
2341 else
2342 BIO_printf(bio, "No ALPN negotiated\n");
2343 }
71fa4513
BL		 2344#endif
2345
333f926d
BL		 2346 {
2347 SRTP_PROTECTION_PROFILE *srtp_profile=SSL_get_selected_srtp_profile(s);
2348
2349 if(srtp_profile)
2350 BIO_printf(bio,"SRTP Extension negotiated, profile=%s\n",
2351 srtp_profile->name);
2352 }
2353
d02b48c6 2354 SSL_SESSION_print(bio,SSL_get_session(s));
be81f4dd
DSH		 2355 if (keymatexportlabel != NULL)
2356 {
e0af0405
BL		 2357 BIO_printf(bio, "Keying material exporter:\n");
2358 BIO_printf(bio, " Label: '%s'\n", keymatexportlabel);
2359 BIO_printf(bio, " Length: %i bytes\n", keymatexportlen);
2360 exportedkeymat = OPENSSL_malloc(keymatexportlen);
be81f4dd
DSH		 2361 if (exportedkeymat != NULL)
2362 {
2363 if (!SSL_export_keying_material(s, exportedkeymat,
2364 keymatexportlen,
2365 keymatexportlabel,
2366 strlen(keymatexportlabel),
2367 NULL, 0, 0))
2368 {
2369 BIO_printf(bio, " Error\n");
2370 }
2371 else
2372 {
e0af0405
BL		 2373 BIO_printf(bio, " Keying material: ");
2374 for (i=0; i<keymatexportlen; i++)
2375 BIO_printf(bio, "%02X",
2376 exportedkeymat[i]);
2377 BIO_printf(bio, "\n");
be81f4dd 2378 }
e0af0405 2379 OPENSSL_free(exportedkeymat);
be81f4dd 2380 }
e0af0405 2381 }
d02b48c6 2382 BIO_printf(bio,"---\n");
58964a49
RE		 2383 if (peer != NULL)
2384 X509_free(peer);
41ebed27 2385 /* flush, or debugging output gets mixed with http response */
710069c1 2386 (void)BIO_flush(bio);
d02b48c6
RE		 2387 }
2388
0702150f
DSH		 2389#ifndef OPENSSL_NO_TLSEXT
2390
67c8e7f4
DSH		 2391static int ocsp_resp_cb(SSL *s, void *arg)
2392 {
2393 const unsigned char *p;
2394 int len;
2395 OCSP_RESPONSE *rsp;
2396 len = SSL_get_tlsext_status_ocsp_resp(s, &p);
2397 BIO_puts(arg, "OCSP response: ");
2398 if (!p)
2399 {
2400 BIO_puts(arg, "no response sent\n");
2401 return 1;
2402 }
2403 rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
2404 if (!rsp)
2405 {
2406 BIO_puts(arg, "response parse error\n");
2407 BIO_dump_indent(arg, (char *)p, len, 4);
2408 return 0;
2409 }
2410 BIO_puts(arg, "\n======================================\n");
2411 OCSP_RESPONSE_print(arg, rsp, 0);
2412 BIO_puts(arg, "======================================\n");
2413 OCSP_RESPONSE_free(rsp);
2414 return 1;
2415 }
0702150f
DSH		 2416
2417#endif
A mirror of the official openssl repository