]> git.ipfire.org Git - thirdparty/openssl.git/blame - apps/s_client.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Add -d debug option to save preprocessed files.
[thirdparty/openssl.git] / apps / s_client.c
CommitLineData
d02b48c6 1/* apps/s_client.c */
58964a49 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
d02b48c6
RE		 3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
a661b653
BM		 58/* ====================================================================
59 * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
d02b48c6 111
1b1a6e78 112#include <assert.h>
8c197cc5
UM		 113#include <stdio.h>
114#include <stdlib.h>
115#include <string.h>
be1bd923 116#include <openssl/e_os2.h>
cf1b7d96 117#ifdef OPENSSL_NO_STDIO
8c197cc5
UM		 118#define APPS_WIN16
119#endif
120
7d7d2cbc
UM		 121/* With IPv6, it looks like Digital has mixed up the proper order of
122 recursive header file inclusion, resulting in the compiler complaining
123 that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which
124 is needed to have fileno() declared correctly... So let's define u_int */
bc36ee62 125#if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
7d7d2cbc
UM		 126#define __U_INT
127typedef unsigned int u_int;
128#endif
129
d02b48c6 130#define USE_SOCKETS
d02b48c6 131#include "apps.h"
ec577822
BM		 132#include <openssl/x509.h>
133#include <openssl/ssl.h>
134#include <openssl/err.h>
135#include <openssl/pem.h>
1372965e 136#include <openssl/rand.h>
a5232767 137#include <openssl/ocsp.h>
d02b48c6 138#include "s_apps.h"
36d16f8e 139#include "timeouts.h"
d02b48c6 140
0bf23d9b
RL		 141#ifdef OPENSSL_SYS_WINCE
142/* Windows CE incorrectly defines fileno as returning void*, so to avoid problems below... */
143#ifdef fileno
144#undef fileno
145#endif
146#define fileno(a) (int)_fileno(a)
147#endif
148
06f4536a 149
bc36ee62 150#if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
75e0770d 151/* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
7d7d2cbc
UM		 152#undef FIONBIO
153#endif
154
d02b48c6
RE		 155#undef PROG
156#define PROG s_client_main
157
158/*#define SSL_HOST_NAME "www.netscape.com" */
159/*#define SSL_HOST_NAME "193.118.187.102" */
160#define SSL_HOST_NAME "localhost"
161
00ea17f9
MC		 162/* no default cert. */
163/*#define TEST_CERT "client.pem" */
d02b48c6
RE		 164
165#undef BUFSIZZ
166#define BUFSIZZ 1024*8
167
168extern int verify_depth;
169extern int verify_error;
170
171#ifdef FIONBIO
172static int c_nbio=0;
173#endif
174static int c_Pause=0;
175static int c_debug=0;
865a90eb
DSH		 176#ifndef OPENSSL_NO_TLSEXT
177static int c_tlsextdebug=0;
a5232767 178static int c_status_req=0;
865a90eb 179#endif
a661b653 180static int c_msg=0;
6d02d8e4 181static int c_showcerts=0;
d02b48c6 182
d02b48c6
RE		 183static void sc_usage(void);
184static void print_stuff(BIO *berr,SSL *con,int full);
e66deb68 185#ifndef OPENSSL_NO_TLSEXT
a5232767 186static int ocsp_resp_cb(SSL *s, void *arg);
e66deb68 187#endif
d02b48c6
RE		 188static BIO *bio_c_out=NULL;
189static int c_quiet=0;
ce301b6b 190static int c_ign_eof=0;
d02b48c6 191
6b691a5c 192static void sc_usage(void)
d02b48c6 193 {
b6cff93d 194 BIO_printf(bio_err,"usage: s_client args\n");
d02b48c6
RE		 195 BIO_printf(bio_err,"\n");
196 BIO_printf(bio_err," -host host - use -connect instead\n");
197 BIO_printf(bio_err," -port port - use -connect instead\n");
198 BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR);
199
9e31e631 200 BIO_printf(bio_err," -verify depth - turn on peer certificate verification\n");
d02b48c6 201 BIO_printf(bio_err," -cert arg - certificate file to use, PEM format assumed\n");
826a42a0
DSH		 202 BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n");
203 BIO_printf(bio_err," -key arg - Private key file to use, in cert file if\n");
d02b48c6 204 BIO_printf(bio_err," not specified but cert file is.\n");
826a42a0
DSH		 205 BIO_printf(bio_err," -keyform arg - key format (PEM or DER) PEM default\n");
206 BIO_printf(bio_err," -pass arg - private key file pass phrase source\n");
d02b48c6
RE		 207 BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n");
208 BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n");
209 BIO_printf(bio_err," -reconnect - Drop and re-make the connection with the same Session-ID\n");
210 BIO_printf(bio_err," -pause - sleep(1) after each read(2) and write(2) system call\n");
6d02d8e4 211 BIO_printf(bio_err," -showcerts - show all certificates in the chain\n");
d02b48c6 212 BIO_printf(bio_err," -debug - extra output\n");
02a00bb0
AP		 213#ifdef WATT32
214 BIO_printf(bio_err," -wdebug - WATT-32 tcp debugging\n");
215#endif
a661b653 216 BIO_printf(bio_err," -msg - Show protocol messages\n");
d02b48c6
RE		 217 BIO_printf(bio_err," -nbio_test - more ssl protocol testing\n");
218 BIO_printf(bio_err," -state - print the 'ssl' states\n");
219#ifdef FIONBIO
220 BIO_printf(bio_err," -nbio - Run with non-blocking IO\n");
1bdb8633 221#endif
1bdb8633 222 BIO_printf(bio_err," -crlf - convert LF from terminal into CRLF\n");
d02b48c6 223 BIO_printf(bio_err," -quiet - no s_client output\n");
ce301b6b 224 BIO_printf(bio_err," -ign_eof - ignore input eof (default when -quiet)\n");
155c70b8 225 BIO_printf(bio_err," -no_ign_eof - don't ignore input eof\n");
d02b48c6
RE		 226 BIO_printf(bio_err," -ssl2 - just use SSLv2\n");
227 BIO_printf(bio_err," -ssl3 - just use SSLv3\n");
58964a49 228 BIO_printf(bio_err," -tls1 - just use TLSv1\n");
36d16f8e 229 BIO_printf(bio_err," -dtls1 - just use DTLSv1\n");
c6a87647 230 BIO_printf(bio_err," -fallback_scsv - send TLS_FALLBACK_SCSV\n");
b7d0d35a 231 BIO_printf(bio_err," -mtu - set the link layer MTU\n");
58964a49 232 BIO_printf(bio_err," -no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
d02b48c6 233 BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n");
836f9960 234 BIO_printf(bio_err," -serverpref - Use server's cipher preferences (only SSLv2)\n");
657e60fa 235 BIO_printf(bio_err," -cipher - preferred cipher to use, use the 'openssl ciphers'\n");
dfeab068 236 BIO_printf(bio_err," command to see what is available\n");
135c0af1
RL		 237 BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n");
238 BIO_printf(bio_err," for those protocols that support it, where\n");
239 BIO_printf(bio_err," 'prot' defines which one to assume. Currently,\n");
5dffc13f
BL		 240 BIO_printf(bio_err," only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
241 BIO_printf(bio_err," are supported.\n");
0b13e9f0 242#ifndef OPENSSL_NO_ENGINE
5270e702 243 BIO_printf(bio_err," -engine id - Initialise and use the specified engine\n");
0b13e9f0 244#endif
52b621db 245 BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
80355002
DSH		 246 BIO_printf(bio_err," -sess_out arg - file to write SSL session to\n");
247 BIO_printf(bio_err," -sess_in arg - file to read SSL session from\n");
865a90eb
DSH		 248#ifndef OPENSSL_NO_TLSEXT
249 BIO_printf(bio_err," -servername host - Set TLS extension servername in ClientHello\n");
0e368252 250 BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n");
a5232767 251 BIO_printf(bio_err," -status - request certificate status from server\n");
0e368252 252 BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n");
865a90eb 253#endif
c2b78c31 254 BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
d02b48c6
RE		 255 }
256
865a90eb
DSH		 257#ifndef OPENSSL_NO_TLSEXT
258
259/* This is a context that we pass to callbacks */
260typedef struct tlsextctx_st {
261 BIO * biodebug;
262 int ack;
263} tlsextctx;
264
265
266static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
267 {
268 tlsextctx * p = (tlsextctx *) arg;
269 const char * hn= SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
270 if (SSL_get_servername_type(s) != -1)
271 p->ack = !SSL_session_reused(s) && hn != NULL;
272 else
273 BIO_printf(bio_err,"Can't use SSL_get_servername\n");
274
275 return SSL_TLSEXT_ERR_OK;
276 }
277#endif
28f58731
RL		 278enum
279{
280 PROTO_OFF = 0,
281 PROTO_SMTP,
282 PROTO_POP3,
283 PROTO_IMAP,
5dffc13f 284 PROTO_FTP,
74714313 285 PROTO_XMPP
28f58731
RL		 286};
287
667ac4ec
RE		 288int MAIN(int, char **);
289
6b691a5c 290int MAIN(int argc, char **argv)
d02b48c6 291 {
ccc3df8c 292 int off=0, clr = 0;
d02b48c6 293 SSL *con=NULL,*con2=NULL;
bdee69f7 294 X509_STORE *store = NULL;
d02b48c6 295 int s,k,width,state=0;
135c0af1 296 char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL;
d02b48c6
RE		 297 int cbuf_len,cbuf_off;
298 int sbuf_len,sbuf_off;
299 fd_set readfds,writefds;
300 short port=PORT;
301 int full_log=1;
302 char *host=SSL_HOST_NAME;
303 char *cert_file=NULL,*key_file=NULL;
826a42a0
DSH		 304 int cert_format = FORMAT_PEM, key_format = FORMAT_PEM;
305 char *passarg = NULL, *pass = NULL;
306 X509 *cert = NULL;
307 EVP_PKEY *key = NULL;
d02b48c6
RE		 308 char *CApath=NULL,*CAfile=NULL,*cipher=NULL;
309 int reconnect=0,badop=0,verify=SSL_VERIFY_NONE,bugs=0;
1bdb8633 310 int crlf=0;
c7ac31e2 311 int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending;
d02b48c6
RE		 312 SSL_CTX *ctx=NULL;
313 int ret=1,in_init=1,i,nbio_test=0;
28f58731 314 int starttls_proto = PROTO_OFF;
bdee69f7 315 int prexit = 0, vflags = 0;
d02b48c6 316 SSL_METHOD *meth=NULL;
77b97ee0
RL		 317#ifdef sock_type
318#undef sock_type
319#endif
36d16f8e 320 int sock_type=SOCK_STREAM;
d02b48c6 321 BIO *sbio;
52b621db 322 char *inrand=NULL;
28f58731 323 int mbuf_len=0;
fbc4a246 324 struct timeval timeout, *timeoutp;
0b13e9f0 325#ifndef OPENSSL_NO_ENGINE
5270e702 326 char *engine_id=NULL;
1cfe6842 327 char *ssl_client_engine_id=NULL;
2cad035c 328 ENGINE *ssl_client_engine=NULL;
0b13e9f0 329#endif
2cad035c 330 ENGINE *e=NULL;
4d8743f4 331#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
06f4536a
DSH		 332 struct timeval tv;
333#endif
d02b48c6 334
865a90eb
DSH		 335#ifndef OPENSSL_NO_TLSEXT
336 char *servername = NULL;
337 tlsextctx tlsextcbp =
338 {NULL,0};
339#endif
340 char *sess_in = NULL;
341 char *sess_out = NULL;
36d16f8e 342 struct sockaddr peer;
6c61726b 343 int peerlen = sizeof(peer);
c6a87647 344 int fallback_scsv = 0;
36d16f8e 345 int enable_timeouts = 0 ;
b7d0d35a 346 long socket_mtu = 0;
5a02ac6e 347#ifndef OPENSSL_NO_JPAKE
2124e869 348 char *jpake_secret = NULL;
81dde5e8 349#endif
36d16f8e 350
d02b48c6 351 meth=SSLv23_client_method();
d02b48c6
RE		 352
353 apps_startup();
58964a49 354 c_Pause=0;
d02b48c6 355 c_quiet=0;
ce301b6b 356 c_ign_eof=0;
d02b48c6 357 c_debug=0;
a661b653 358 c_msg=0;
6d02d8e4 359 c_showcerts=0;
d02b48c6
RE		 360
361 if (bio_err == NULL)
362 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
363
3647bee2
DSH		 364 if (!load_config(bio_err, NULL))
365 goto end;
366
26a3a48d 367 if ( ((cbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
135c0af1
RL		 368 ((sbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
369 ((mbuf=OPENSSL_malloc(BUFSIZZ)) == NULL))
d02b48c6
RE		 370 {
371 BIO_printf(bio_err,"out of memory\n");
372 goto end;
373 }
374
375 verify_depth=0;
376 verify_error=X509_V_OK;
377#ifdef FIONBIO
378 c_nbio=0;
379#endif
380
381 argc--;
382 argv++;
383 while (argc >= 1)
384 {
385 if (strcmp(*argv,"-host") == 0)
386 {
387 if (--argc < 1) goto bad;
388 host= *(++argv);
389 }
390 else if (strcmp(*argv,"-port") == 0)
391 {
392 if (--argc < 1) goto bad;
393 port=atoi(*(++argv));
394 if (port == 0) goto bad;
395 }
396 else if (strcmp(*argv,"-connect") == 0)
397 {
398 if (--argc < 1) goto bad;
399 if (!extract_host_port(*(++argv),&host,NULL,&port))
400 goto bad;
401 }
402 else if (strcmp(*argv,"-verify") == 0)
403 {
404 verify=SSL_VERIFY_PEER;
405 if (--argc < 1) goto bad;
406 verify_depth=atoi(*(++argv));
407 BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
408 }
409 else if (strcmp(*argv,"-cert") == 0)
410 {
411 if (--argc < 1) goto bad;
412 cert_file= *(++argv);
413 }
865a90eb
DSH		 414 else if (strcmp(*argv,"-sess_out") == 0)
415 {
416 if (--argc < 1) goto bad;
417 sess_out = *(++argv);
418 }
419 else if (strcmp(*argv,"-sess_in") == 0)
420 {
421 if (--argc < 1) goto bad;
422 sess_in = *(++argv);
423 }
826a42a0
DSH		 424 else if (strcmp(*argv,"-certform") == 0)
425 {
426 if (--argc < 1) goto bad;
427 cert_format = str2fmt(*(++argv));
428 }
bdee69f7
DSH		 429 else if (strcmp(*argv,"-crl_check") == 0)
430 vflags |= X509_V_FLAG_CRL_CHECK;
431 else if (strcmp(*argv,"-crl_check_all") == 0)
432 vflags |= X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL;
c3ed3b6e
DSH		 433 else if (strcmp(*argv,"-prexit") == 0)
434 prexit=1;
1bdb8633
BM		 435 else if (strcmp(*argv,"-crlf") == 0)
436 crlf=1;
d02b48c6 437 else if (strcmp(*argv,"-quiet") == 0)
ce301b6b 438 {
d02b48c6 439 c_quiet=1;
ce301b6b
RL		 440 c_ign_eof=1;
441 }
442 else if (strcmp(*argv,"-ign_eof") == 0)
443 c_ign_eof=1;
155c70b8
LJ		 444 else if (strcmp(*argv,"-no_ign_eof") == 0)
445 c_ign_eof=0;
d02b48c6
RE		 446 else if (strcmp(*argv,"-pause") == 0)
447 c_Pause=1;
448 else if (strcmp(*argv,"-debug") == 0)
449 c_debug=1;
865a90eb
DSH		 450#ifndef OPENSSL_NO_TLSEXT
451 else if (strcmp(*argv,"-tlsextdebug") == 0)
452 c_tlsextdebug=1;
a5232767
DSH		 453 else if (strcmp(*argv,"-status") == 0)
454 c_status_req=1;
865a90eb 455#endif
02a00bb0
AP		 456#ifdef WATT32
457 else if (strcmp(*argv,"-wdebug") == 0)
458 dbug_init();
459#endif
a661b653
BM		 460 else if (strcmp(*argv,"-msg") == 0)
461 c_msg=1;
6d02d8e4
BM		 462 else if (strcmp(*argv,"-showcerts") == 0)
463 c_showcerts=1;
d02b48c6
RE		 464 else if (strcmp(*argv,"-nbio_test") == 0)
465 nbio_test=1;
466 else if (strcmp(*argv,"-state") == 0)
467 state=1;
cf1b7d96 468#ifndef OPENSSL_NO_SSL2
d02b48c6
RE		 469 else if (strcmp(*argv,"-ssl2") == 0)
470 meth=SSLv2_client_method();
471#endif
cf1b7d96 472#ifndef OPENSSL_NO_SSL3
d02b48c6
RE		 473 else if (strcmp(*argv,"-ssl3") == 0)
474 meth=SSLv3_client_method();
58964a49 475#endif
cf1b7d96 476#ifndef OPENSSL_NO_TLS1
58964a49
RE		 477 else if (strcmp(*argv,"-tls1") == 0)
478 meth=TLSv1_client_method();
36d16f8e
BL		 479#endif
480#ifndef OPENSSL_NO_DTLS1
481 else if (strcmp(*argv,"-dtls1") == 0)
482 {
483 meth=DTLSv1_client_method();
484 sock_type=SOCK_DGRAM;
485 }
486 else if (strcmp(*argv,"-timeout") == 0)
487 enable_timeouts=1;
488 else if (strcmp(*argv,"-mtu") == 0)
489 {
490 if (--argc < 1) goto bad;
b7d0d35a 491 socket_mtu = atol(*(++argv));
36d16f8e 492 }
d02b48c6 493#endif
3f4d81e8
BM		 494 else if (strcmp(*argv,"-fallback_scsv") == 0)
495 {
496 fallback_scsv = 1;
497 }
d02b48c6
RE		 498 else if (strcmp(*argv,"-bugs") == 0)
499 bugs=1;
826a42a0
DSH		 500 else if (strcmp(*argv,"-keyform") == 0)
501 {
502 if (--argc < 1) goto bad;
503 key_format = str2fmt(*(++argv));
504 }
505 else if (strcmp(*argv,"-pass") == 0)
506 {
507 if (--argc < 1) goto bad;
508 passarg = *(++argv);
509 }
d02b48c6
RE		 510 else if (strcmp(*argv,"-key") == 0)
511 {
512 if (--argc < 1) goto bad;
513 key_file= *(++argv);
514 }
515 else if (strcmp(*argv,"-reconnect") == 0)
516 {
517 reconnect=5;
518 }
519 else if (strcmp(*argv,"-CApath") == 0)
520 {
521 if (--argc < 1) goto bad;
522 CApath= *(++argv);
523 }
524 else if (strcmp(*argv,"-CAfile") == 0)
525 {
526 if (--argc < 1) goto bad;
527 CAfile= *(++argv);
528 }
58964a49
RE		 529 else if (strcmp(*argv,"-no_tls1") == 0)
530 off|=SSL_OP_NO_TLSv1;
531 else if (strcmp(*argv,"-no_ssl3") == 0)
532 off|=SSL_OP_NO_SSLv3;
533 else if (strcmp(*argv,"-no_ssl2") == 0)
534 off|=SSL_OP_NO_SSLv2;
865a90eb
DSH		 535#ifndef OPENSSL_NO_TLSEXT
536 else if (strcmp(*argv,"-no_ticket") == 0)
537 { off|=SSL_OP_NO_TICKET; }
538#endif
836f9960
LJ		 539 else if (strcmp(*argv,"-serverpref") == 0)
540 off|=SSL_OP_CIPHER_SERVER_PREFERENCE;
c2b78c31
BL		 541 else if (strcmp(*argv,"-legacy_renegotiation") == 0)
542 off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
ccc3df8c
DSH		 543 else if (strcmp(*argv,"-legacy_server_connect") == 0)
544 { off|=SSL_OP_LEGACY_SERVER_CONNECT; }
545 else if (strcmp(*argv,"-no_legacy_server_connect") == 0)
546 { clr|=SSL_OP_LEGACY_SERVER_CONNECT; }
d02b48c6
RE		 547 else if (strcmp(*argv,"-cipher") == 0)
548 {
549 if (--argc < 1) goto bad;
550 cipher= *(++argv);
551 }
552#ifdef FIONBIO
553 else if (strcmp(*argv,"-nbio") == 0)
554 { c_nbio=1; }
555#endif
135c0af1
RL		 556 else if (strcmp(*argv,"-starttls") == 0)
557 {
558 if (--argc < 1) goto bad;
559 ++argv;
560 if (strcmp(*argv,"smtp") == 0)
28f58731 561 starttls_proto = PROTO_SMTP;
4f17dfcd 562 else if (strcmp(*argv,"pop3") == 0)
28f58731
RL		 563 starttls_proto = PROTO_POP3;
564 else if (strcmp(*argv,"imap") == 0)
565 starttls_proto = PROTO_IMAP;
566 else if (strcmp(*argv,"ftp") == 0)
567 starttls_proto = PROTO_FTP;
5dffc13f
BL		 568 else if (strcmp(*argv, "xmpp") == 0)
569 starttls_proto = PROTO_XMPP;
135c0af1
RL		 570 else
571 goto bad;
572 }
0b13e9f0 573#ifndef OPENSSL_NO_ENGINE
5270e702
RL		 574 else if (strcmp(*argv,"-engine") == 0)
575 {
576 if (--argc < 1) goto bad;
577 engine_id = *(++argv);
578 }
1cfe6842
DSH		 579 else if (strcmp(*argv,"-ssl_client_engine") == 0)
580 {
581 if (--argc < 1) goto bad;
582 ssl_client_engine_id = *(++argv);
583 }
0b13e9f0 584#endif
52b621db
LJ		 585 else if (strcmp(*argv,"-rand") == 0)
586 {
587 if (--argc < 1) goto bad;
588 inrand= *(++argv);
589 }
865a90eb
DSH		 590#ifndef OPENSSL_NO_TLSEXT
591 else if (strcmp(*argv,"-servername") == 0)
592 {
593 if (--argc < 1) goto bad;
594 servername= *(++argv);
595 /* meth=TLSv1_client_method(); */
596 }
597#endif
5a02ac6e 598#ifndef OPENSSL_NO_JPAKE
2124e869
BL		 599 else if (strcmp(*argv,"-jpake") == 0)
600 {
601 if (--argc < 1) goto bad;
602 jpake_secret = *++argv;
603 }
81dde5e8 604#endif
d02b48c6
RE		 605 else
606 {
607 BIO_printf(bio_err,"unknown option %s\n",*argv);
608 badop=1;
609 break;
610 }
611 argc--;
612 argv++;
613 }
614 if (badop)
615 {
616bad:
617 sc_usage();
618 goto end;
619 }
620
cead7f36
RL		 621 OpenSSL_add_ssl_algorithms();
622 SSL_load_error_strings();
623
0b13e9f0 624#ifndef OPENSSL_NO_ENGINE
cead7f36 625 e = setup_engine(bio_err, engine_id, 1);
1cfe6842
DSH		 626 if (ssl_client_engine_id)
627 {
628 ssl_client_engine = ENGINE_by_id(ssl_client_engine_id);
629 if (!ssl_client_engine)
630 {
631 BIO_printf(bio_err,
632 "Error getting client auth engine\n");
633 goto end;
634 }
635 }
0b13e9f0 636#endif
826a42a0
DSH		 637 if (!app_passwd(bio_err, passarg, NULL, &pass, NULL))
638 {
639 BIO_printf(bio_err, "Error getting password\n");
640 goto end;
641 }
642
643 if (key_file == NULL)
644 key_file = cert_file;
645
abbc186b
DSH		 646
647 if (key_file)
648
826a42a0 649 {
abbc186b
DSH		 650
651 key = load_key(bio_err, key_file, key_format, 0, pass, e,
652 "client certificate private key file");
653 if (!key)
654 {
655 ERR_print_errors(bio_err);
656 goto end;
657 }
658
826a42a0
DSH		 659 }
660
abbc186b 661 if (cert_file)
826a42a0 662
826a42a0 663 {
abbc186b
DSH		 664 cert = load_cert(bio_err,cert_file,cert_format,
665 NULL, e, "client certificate file");
666
667 if (!cert)
668 {
669 ERR_print_errors(bio_err);
670 goto end;
671 }
826a42a0 672 }
cead7f36 673
52b621db
LJ		 674 if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
675 && !RAND_status())
676 {
677 BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
678 }
679 if (inrand != NULL)
680 BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
681 app_RAND_load_files(inrand));
a31011e8 682
d02b48c6
RE		 683 if (bio_c_out == NULL)
684 {
a661b653 685 if (c_quiet && !c_debug && !c_msg)
d02b48c6
RE		 686 {
687 bio_c_out=BIO_new(BIO_s_null());
688 }
689 else
690 {
691 if (bio_c_out == NULL)
692 bio_c_out=BIO_new_fp(stdout,BIO_NOCLOSE);
693 }
694 }
695
d02b48c6
RE		 696 ctx=SSL_CTX_new(meth);
697 if (ctx == NULL)
698 {
699 ERR_print_errors(bio_err);
700 goto end;
701 }
702
5799b721
DSH		 703#ifndef OPENSSL_NO_ENGINE
704 if (ssl_client_engine)
705 {
706 if (!SSL_CTX_set_client_cert_engine(ctx, ssl_client_engine))
707 {
708 BIO_puts(bio_err, "Error setting client auth engine\n");
709 ERR_print_errors(bio_err);
710 ENGINE_free(ssl_client_engine);
711 goto end;
712 }
713 ENGINE_free(ssl_client_engine);
714 }
715#endif
716
58964a49
RE		 717 if (bugs)
718 SSL_CTX_set_options(ctx,SSL_OP_ALL|off);
719 else
720 SSL_CTX_set_options(ctx,off);
ccc3df8c
DSH		 721
722 if (clr)
723 SSL_CTX_clear_options(ctx, clr);
36d16f8e
BL		 724 /* DTLS: partial reads end up discarding unread UDP bytes :-(
725 * Setting read ahead solves this problem.
726 */
727 if (sock_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
d02b48c6
RE		 728
729 if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
730 if (cipher != NULL)
fabce041 731 if(!SSL_CTX_set_cipher_list(ctx,cipher)) {
657e60fa 732 BIO_printf(bio_err,"error setting cipher list\n");
fabce041
DSH		 733 ERR_print_errors(bio_err);
734 goto end;
735 }
d02b48c6
RE		 736#if 0
737 else
738 SSL_CTX_set_cipher_list(ctx,getenv("SSL_CIPHER"));
739#endif
740
741 SSL_CTX_set_verify(ctx,verify,verify_callback);
826a42a0 742 if (!set_cert_key_stuff(ctx,cert,key))
d02b48c6
RE		 743 goto end;
744
745 if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
746 (!SSL_CTX_set_default_verify_paths(ctx)))
747 {
657e60fa 748 /* BIO_printf(bio_err,"error setting default verify locations\n"); */
d02b48c6 749 ERR_print_errors(bio_err);
58964a49 750 /* goto end; */
d02b48c6
RE		 751 }
752
bdee69f7
DSH		 753 store = SSL_CTX_get_cert_store(ctx);
754 X509_STORE_set_flags(store, vflags);
865a90eb
DSH		 755#ifndef OPENSSL_NO_TLSEXT
756 if (servername != NULL)
757 {
758 tlsextcbp.biodebug = bio_err;
759 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
760 SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
761 }
762#endif
d02b48c6 763
82fc1d9c 764 con=SSL_new(ctx);
865a90eb
DSH		 765 if (sess_in)
766 {
767 SSL_SESSION *sess;
768 BIO *stmp = BIO_new_file(sess_in, "r");
769 if (!stmp)
770 {
771 BIO_printf(bio_err, "Can't open session file %s\n",
772 sess_in);
773 ERR_print_errors(bio_err);
774 goto end;
775 }
776 sess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL);
777 BIO_free(stmp);
778 if (!sess)
779 {
780 BIO_printf(bio_err, "Can't open session file %s\n",
781 sess_in);
782 ERR_print_errors(bio_err);
783 goto end;
784 }
785 SSL_set_session(con, sess);
786 SSL_SESSION_free(sess);
787 }
c6a87647
BM		 788
789 if (fallback_scsv)
790 SSL_set_mode(con, SSL_MODE_SEND_FALLBACK_SCSV);
791
865a90eb
DSH		 792#ifndef OPENSSL_NO_TLSEXT
793 if (servername != NULL)
794 {
795 if (!SSL_set_tlsext_host_name(con,servername))
796 {
797 BIO_printf(bio_err,"Unable to set TLS servername extension.\n");
798 ERR_print_errors(bio_err);
799 goto end;
800 }
801 }
802#endif
803
cf1b7d96 804#ifndef OPENSSL_NO_KRB5
f9b3bff6
RL		 805 if (con && (con->kssl_ctx = kssl_ctx_new()) != NULL)
806 {
807 kssl_ctx_setstring(con->kssl_ctx, KSSL_SERVER, host);
808 }
cf1b7d96 809#endif /* OPENSSL_NO_KRB5 */
58964a49 810/* SSL_set_cipher_list(con,"RC4-MD5"); */
d02b48c6
RE		 811
812re_start:
813
36d16f8e 814 if (init_client(&s,host,port,sock_type) == 0)
d02b48c6 815 {
58964a49 816 BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
d02b48c6
RE		 817 SHUTDOWN(s);
818 goto end;
819 }
820 BIO_printf(bio_c_out,"CONNECTED(%08X)\n",s);
821
822#ifdef FIONBIO
823 if (c_nbio)
824 {
825 unsigned long l=1;
826 BIO_printf(bio_c_out,"turning on non blocking io\n");
58964a49
RE		 827 if (BIO_socket_ioctl(s,FIONBIO,&l) < 0)
828 {
829 ERR_print_errors(bio_err);
830 goto end;
831 }
d02b48c6
RE		 832 }
833#endif
834 if (c_Pause & 0x01) con->debug=1;
36d16f8e
BL		 835
836 if ( SSL_version(con) == DTLS1_VERSION)
837 {
36d16f8e
BL		 838
839 sbio=BIO_new_dgram(s,BIO_NOCLOSE);
6c61726b 840 if (getsockname(s, &peer, (void *)&peerlen) < 0)
36d16f8e
BL		 841 {
842 BIO_printf(bio_err, "getsockname:errno=%d\n",
843 get_last_socket_error());
844 SHUTDOWN(s);
845 goto end;
846 }
847
761f3b40 848 (void)BIO_ctrl_set_connected(sbio, 1, &peer);
36d16f8e
BL		 849
850 if ( enable_timeouts)
851 {
852 timeout.tv_sec = 0;
853 timeout.tv_usec = DGRAM_RCV_TIMEOUT;
854 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
855
856 timeout.tv_sec = 0;
857 timeout.tv_usec = DGRAM_SND_TIMEOUT;
858 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
859 }
860
3e82dfdf 861 if (socket_mtu > 28)
36d16f8e
BL		 862 {
863 SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
b7d0d35a 864 SSL_set_mtu(con, socket_mtu - 28);
36d16f8e
BL		 865 }
866 else
867 /* want to do MTU discovery */
868 BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
869 }
870 else
871 sbio=BIO_new_socket(s,BIO_NOCLOSE);
872
d02b48c6
RE		 873 if (nbio_test)
874 {
875 BIO *test;
876
877 test=BIO_new(BIO_f_nbio_test());
878 sbio=BIO_push(test,sbio);
879 }
880
881 if (c_debug)
882 {
883 con->debug=1;
25495640 884 BIO_set_callback(sbio,bio_dump_callback);
d4a62400 885 BIO_set_callback_arg(sbio,(char *)bio_c_out);
d02b48c6 886 }
a661b653
BM		 887 if (c_msg)
888 {
889 SSL_set_msg_callback(con, msg_cb);
890 SSL_set_msg_callback_arg(con, bio_c_out);
891 }
865a90eb
DSH		 892#ifndef OPENSSL_NO_TLSEXT
893 if (c_tlsextdebug)
894 {
895 SSL_set_tlsext_debug_callback(con, tlsext_cb);
896 SSL_set_tlsext_debug_arg(con, bio_c_out);
897 }
a5232767
DSH		 898 if (c_status_req)
899 {
900 SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp);
901 SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb);
902 SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out);
903#if 0
904{
905STACK_OF(OCSP_RESPID) *ids = sk_OCSP_RESPID_new_null();
906OCSP_RESPID *id = OCSP_RESPID_new();
907id->value.byKey = ASN1_OCTET_STRING_new();
908id->type = V_OCSP_RESPID_KEY;
909ASN1_STRING_set(id->value.byKey, "Hello World", -1);
910sk_OCSP_RESPID_push(ids, id);
911SSL_set_tlsext_status_ids(con, ids);
912}
913#endif
914 }
865a90eb 915#endif
5a02ac6e 916#ifndef OPENSSL_NO_JPAKE
2124e869
BL		 917 if (jpake_secret)
918 jpake_client_auth(bio_c_out, sbio, jpake_secret);
81dde5e8 919#endif
2124e869 920
d02b48c6
RE		 921 SSL_set_bio(con,sbio,sbio);
922 SSL_set_connect_state(con);
923
924 /* ok, lets connect */
925 width=SSL_get_fd(con)+1;
926
927 read_tty=1;
928 write_tty=0;
929 tty_on=0;
930 read_ssl=1;
931 write_ssl=1;
932
933 cbuf_len=0;
934 cbuf_off=0;
935 sbuf_len=0;
936 sbuf_off=0;
937
135c0af1 938 /* This is an ugly hack that does a lot of assumptions */
81fae49d
LJ		 939 /* We do have to handle multi-line responses which may come
940 in a single packet or not. We therefore have to use
941 BIO_gets() which does need a buffering BIO. So during
942 the initial chitchat we do push a buffering BIO into the
943 chain that is removed again later on to not disturb the
944 rest of the s_client operation. */
28f58731 945 if (starttls_proto == PROTO_SMTP)
135c0af1 946 {
cdb13ae8 947 int foundit=0;
81fae49d
LJ		 948 BIO *fbio = BIO_new(BIO_f_buffer());
949 BIO_push(fbio, sbio);
28f58731
RL		 950 /* wait for multi-line response to end from SMTP */
951 do
952 {
81fae49d 953 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
28f58731
RL		 954 }
955 while (mbuf_len>3 && mbuf[3]=='-');
cdb13ae8 956 /* STARTTLS command requires EHLO... */
81fae49d 957 BIO_printf(fbio,"EHLO openssl.client.net\r\n");
761f3b40 958 (void)BIO_flush(fbio);
cdb13ae8
LJ		 959 /* wait for multi-line response to end EHLO SMTP response */
960 do
961 {
81fae49d 962 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
cdb13ae8
LJ		 963 if (strstr(mbuf,"STARTTLS"))
964 foundit=1;
965 }
966 while (mbuf_len>3 && mbuf[3]=='-');
761f3b40 967 (void)BIO_flush(fbio);
81fae49d
LJ		 968 BIO_pop(fbio);
969 BIO_free(fbio);
cdb13ae8
LJ		 970 if (!foundit)
971 BIO_printf(bio_err,
972 "didn't found starttls in server response,"
973 " try anyway...\n");
135c0af1
RL		 974 BIO_printf(sbio,"STARTTLS\r\n");
975 BIO_read(sbio,sbuf,BUFSIZZ);
976 }
28f58731 977 else if (starttls_proto == PROTO_POP3)
4f17dfcd
LJ		 978 {
979 BIO_read(sbio,mbuf,BUFSIZZ);
980 BIO_printf(sbio,"STLS\r\n");
981 BIO_read(sbio,sbuf,BUFSIZZ);
982 }
28f58731
RL		 983 else if (starttls_proto == PROTO_IMAP)
984 {
cdb13ae8 985 int foundit=0;
81fae49d
LJ		 986 BIO *fbio = BIO_new(BIO_f_buffer());
987 BIO_push(fbio, sbio);
988 BIO_gets(fbio,mbuf,BUFSIZZ);
cdb13ae8 989 /* STARTTLS command requires CAPABILITY... */
81fae49d 990 BIO_printf(fbio,". CAPABILITY\r\n");
761f3b40 991 (void)BIO_flush(fbio);
cdb13ae8
LJ		 992 /* wait for multi-line CAPABILITY response */
993 do
994 {
81fae49d 995 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
cdb13ae8
LJ		 996 if (strstr(mbuf,"STARTTLS"))
997 foundit=1;
998 }
81fae49d 999 while (mbuf_len>3 && mbuf[0]!='.');
761f3b40 1000 (void)BIO_flush(fbio);
81fae49d
LJ		 1001 BIO_pop(fbio);
1002 BIO_free(fbio);
cdb13ae8
LJ		 1003 if (!foundit)
1004 BIO_printf(bio_err,
1005 "didn't found STARTTLS in server response,"
1006 " try anyway...\n");
1007 BIO_printf(sbio,". STARTTLS\r\n");
28f58731
RL		 1008 BIO_read(sbio,sbuf,BUFSIZZ);
1009 }
1010 else if (starttls_proto == PROTO_FTP)
1011 {
81fae49d
LJ		 1012 BIO *fbio = BIO_new(BIO_f_buffer());
1013 BIO_push(fbio, sbio);
28f58731
RL		 1014 /* wait for multi-line response to end from FTP */
1015 do
1016 {
81fae49d 1017 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
28f58731
RL		 1018 }
1019 while (mbuf_len>3 && mbuf[3]=='-');
761f3b40 1020 (void)BIO_flush(fbio);
81fae49d
LJ		 1021 BIO_pop(fbio);
1022 BIO_free(fbio);
28f58731
RL		 1023 BIO_printf(sbio,"AUTH TLS\r\n");
1024 BIO_read(sbio,sbuf,BUFSIZZ);
1025 }
5dffc13f
BL		 1026 if (starttls_proto == PROTO_XMPP)
1027 {
1028 int seen = 0;
1029 BIO_printf(sbio,"<stream:stream "
1030 "xmlns:stream='http://etherx.jabber.org/streams' "
1031 "xmlns='jabber:client' to='%s' version='1.0'>", host);
1032 seen = BIO_read(sbio,mbuf,BUFSIZZ);
1033 mbuf[seen] = 0;
1034 while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'"))
1035 {
1036 if (strstr(mbuf, "/stream:features>"))
1037 goto shut;
1038 seen = BIO_read(sbio,mbuf,BUFSIZZ);
1039 mbuf[seen] = 0;
1040 }
1041 BIO_printf(sbio, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>");
1042 seen = BIO_read(sbio,sbuf,BUFSIZZ);
1043 sbuf[seen] = 0;
1044 if (!strstr(sbuf, "<proceed"))
1045 goto shut;
1046 mbuf[0] = 0;
1047 }
135c0af1 1048
d02b48c6
RE		 1049 for (;;)
1050 {
1051 FD_ZERO(&readfds);
1052 FD_ZERO(&writefds);
1053
fbc4a246
DSH		 1054 if ((SSL_version(con) == DTLS1_VERSION) &&
1055 DTLSv1_get_timeout(con, &timeout))
1056 timeoutp = &timeout;
1057 else
1058 timeoutp = NULL;
1059
58964a49 1060 if (SSL_in_init(con) && !SSL_total_renegotiations(con))
d02b48c6
RE		 1061 {
1062 in_init=1;
1063 tty_on=0;
1064 }
1065 else
1066 {
1067 tty_on=1;
1068 if (in_init)
1069 {
1070 in_init=0;
865a90eb
DSH		 1071 if (sess_out)
1072 {
1073 BIO *stmp = BIO_new_file(sess_out, "w");
1074 if (stmp)
1075 {
1076 PEM_write_bio_SSL_SESSION(stmp, SSL_get_session(con));
1077 BIO_free(stmp);
1078 }
1079 else
1080 BIO_printf(bio_err, "Error writing session file %s\n", sess_out);
1081 }
d02b48c6
RE		 1082 print_stuff(bio_c_out,con,full_log);
1083 if (full_log > 0) full_log--;
1084
4f17dfcd 1085 if (starttls_proto)
135c0af1
RL		 1086 {
1087 BIO_printf(bio_err,"%s",mbuf);
1088 /* We don't need to know any more */
28f58731 1089 starttls_proto = PROTO_OFF;
135c0af1
RL		 1090 }
1091
d02b48c6
RE		 1092 if (reconnect)
1093 {
1094 reconnect--;
1095 BIO_printf(bio_c_out,"drop connection and then reconnect\n");
1096 SSL_shutdown(con);
1097 SSL_set_connect_state(con);
1098 SHUTDOWN(SSL_get_fd(con));
1099 goto re_start;
1100 }
1101 }
1102 }
1103
c7ac31e2
BM		 1104 ssl_pending = read_ssl && SSL_pending(con);
1105
1106 if (!ssl_pending)
d02b48c6 1107 {
4d8743f4 1108#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE)
c7ac31e2
BM		 1109 if (tty_on)
1110 {
1111 if (read_tty) FD_SET(fileno(stdin),&readfds);
1112 if (write_tty) FD_SET(fileno(stdout),&writefds);
1113 }
c7ac31e2
BM		 1114 if (read_ssl)
1115 FD_SET(SSL_get_fd(con),&readfds);
1116 if (write_ssl)
1117 FD_SET(SSL_get_fd(con),&writefds);
06f4536a
DSH		 1118#else
1119 if(!tty_on || !write_tty) {
1120 if (read_ssl)
1121 FD_SET(SSL_get_fd(con),&readfds);
1122 if (write_ssl)
1123 FD_SET(SSL_get_fd(con),&writefds);
1124 }
1125#endif
3e8042c3 1126/*- printf("mode tty(%d %d%d) ssl(%d%d)\n",
c7ac31e2 1127 tty_on,read_tty,write_tty,read_ssl,write_ssl);*/
d02b48c6 1128
75e0770d 1129 /* Note: under VMS with SOCKETSHR the second parameter
7d7d2cbc
UM		 1130 * is currently of type (int *) whereas under other
1131 * systems it is (void *) if you don't have a cast it
1132 * will choke the compiler: if you do have a cast then
1133 * you can either go for (int *) or (void *).
1134 */
3d7c4a5a
RL		 1135#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
1136 /* Under Windows/DOS we make the assumption that we can
06f4536a
DSH		 1137 * always write to the tty: therefore if we need to
1138 * write to the tty we just fall through. Otherwise
1139 * we timeout the select every second and see if there
1140 * are any keypresses. Note: this is a hack, in a proper
1141 * Windows application we wouldn't do this.
1142 */
4ec19e20 1143 i=0;
06f4536a
DSH		 1144 if(!write_tty) {
1145 if(read_tty) {
1146 tv.tv_sec = 1;
1147 tv.tv_usec = 0;
1148 i=select(width,(void *)&readfds,(void *)&writefds,
1149 NULL,&tv);
3d7c4a5a 1150#if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
0bf23d9b
RL		 1151 if(!i && (!_kbhit() || !read_tty) ) continue;
1152#else
a9ef75c5 1153 if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue;
0bf23d9b 1154#endif
06f4536a 1155 } else i=select(width,(void *)&readfds,(void *)&writefds,
fbc4a246 1156 NULL,timeoutp);
06f4536a 1157 }
47c1735a
RL		 1158#elif defined(OPENSSL_SYS_NETWARE)
1159 if(!write_tty) {
1160 if(read_tty) {
1161 tv.tv_sec = 1;
1162 tv.tv_usec = 0;
1163 i=select(width,(void *)&readfds,(void *)&writefds,
1164 NULL,&tv);
1165 } else i=select(width,(void *)&readfds,(void *)&writefds,
fbc4a246 1166 NULL,timeoutp);
47c1735a 1167 }
06f4536a 1168#else
7d7d2cbc 1169 i=select(width,(void *)&readfds,(void *)&writefds,
fbc4a246 1170 NULL,timeoutp);
06f4536a 1171#endif
c7ac31e2
BM		 1172 if ( i < 0)
1173 {
1174 BIO_printf(bio_err,"bad select %d\n",
58964a49 1175 get_last_socket_error());
c7ac31e2
BM		 1176 goto shut;
1177 /* goto end; */
1178 }
d02b48c6
RE		 1179 }
1180
fbc4a246
DSH		 1181 if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0)
1182 {
1183 BIO_printf(bio_err,"TIMEOUT occured\n");
1184 }
1185
c7ac31e2 1186 if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds))
d02b48c6
RE		 1187 {
1188 k=SSL_write(con,&(cbuf[cbuf_off]),
1189 (unsigned int)cbuf_len);
1190 switch (SSL_get_error(con,k))
1191 {
1192 case SSL_ERROR_NONE:
1193 cbuf_off+=k;
1194 cbuf_len-=k;
1195 if (k <= 0) goto end;
1196 /* we have done a write(con,NULL,0); */
1197 if (cbuf_len <= 0)
1198 {
1199 read_tty=1;
1200 write_ssl=0;
1201 }
1202 else /* if (cbuf_len > 0) */
1203 {
1204 read_tty=0;
1205 write_ssl=1;
1206 }
1207 break;
1208 case SSL_ERROR_WANT_WRITE:
1209 BIO_printf(bio_c_out,"write W BLOCK\n");
1210 write_ssl=1;
1211 read_tty=0;
1212 break;
1213 case SSL_ERROR_WANT_READ:
1214 BIO_printf(bio_c_out,"write R BLOCK\n");
1215 write_tty=0;
1216 read_ssl=1;
1217 write_ssl=0;
1218 break;
1219 case SSL_ERROR_WANT_X509_LOOKUP:
1220 BIO_printf(bio_c_out,"write X BLOCK\n");
1221 break;
1222 case SSL_ERROR_ZERO_RETURN:
1223 if (cbuf_len != 0)
1224 {
1225 BIO_printf(bio_c_out,"shutdown\n");
1226 goto shut;
1227 }
1228 else
1229 {
1230 read_tty=1;
1231 write_ssl=0;
1232 break;
1233 }
1234
1235 case SSL_ERROR_SYSCALL:
1236 if ((k != 0) || (cbuf_len != 0))
1237 {
1238 BIO_printf(bio_err,"write:errno=%d\n",
58964a49 1239 get_last_socket_error());
d02b48c6
RE		 1240 goto shut;
1241 }
1242 else
1243 {
1244 read_tty=1;
1245 write_ssl=0;
1246 }
1247 break;
1248 case SSL_ERROR_SSL:
1249 ERR_print_errors(bio_err);
1250 goto shut;
1251 }
1252 }
4d8743f4 1253#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
8d6e6048 1254 /* Assume Windows/DOS can always write */
06f4536a
DSH		 1255 else if (!ssl_pending && write_tty)
1256#else
c7ac31e2 1257 else if (!ssl_pending && FD_ISSET(fileno(stdout),&writefds))
06f4536a 1258#endif
d02b48c6 1259 {
a53955d8
UM		 1260#ifdef CHARSET_EBCDIC
1261 ascii2ebcdic(&(sbuf[sbuf_off]),&(sbuf[sbuf_off]),sbuf_len);
1262#endif
d02b48c6
RE		 1263 i=write(fileno(stdout),&(sbuf[sbuf_off]),sbuf_len);
1264
1265 if (i <= 0)
1266 {
1267 BIO_printf(bio_c_out,"DONE\n");
1268 goto shut;
1269 /* goto end; */
1270 }
1271
1272 sbuf_len-=i;;
1273 sbuf_off+=i;
1274 if (sbuf_len <= 0)
1275 {
1276 read_ssl=1;
1277 write_tty=0;
1278 }
1279 }
c7ac31e2 1280 else if (ssl_pending || FD_ISSET(SSL_get_fd(con),&readfds))
d02b48c6 1281 {
58964a49
RE		 1282#ifdef RENEG
1283{ static int iiii; if (++iiii == 52) { SSL_renegotiate(con); iiii=0; } }
1284#endif
dfeab068 1285#if 1
58964a49 1286 k=SSL_read(con,sbuf,1024 /* BUFSIZZ */ );
dfeab068
RE		 1287#else
1288/* Demo for pending and peek :-) */
1289 k=SSL_read(con,sbuf,16);
1290{ char zbuf[10240];
1291printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240));
1292}
1293#endif
d02b48c6
RE		 1294
1295 switch (SSL_get_error(con,k))
1296 {
1297 case SSL_ERROR_NONE:
1298 if (k <= 0)
1299 goto end;
1300 sbuf_off=0;
1301 sbuf_len=k;
1302
1303 read_ssl=0;
1304 write_tty=1;
1305 break;
1306 case SSL_ERROR_WANT_WRITE:
1307 BIO_printf(bio_c_out,"read W BLOCK\n");
1308 write_ssl=1;
1309 read_tty=0;
1310 break;
1311 case SSL_ERROR_WANT_READ:
1312 BIO_printf(bio_c_out,"read R BLOCK\n");
1313 write_tty=0;
1314 read_ssl=1;
1315 if ((read_tty == 0) && (write_ssl == 0))
1316 write_ssl=1;
1317 break;
1318 case SSL_ERROR_WANT_X509_LOOKUP:
1319 BIO_printf(bio_c_out,"read X BLOCK\n");
1320 break;
1321 case SSL_ERROR_SYSCALL:
58964a49 1322 BIO_printf(bio_err,"read:errno=%d\n",get_last_socket_error());
d02b48c6
RE		 1323 goto shut;
1324 case SSL_ERROR_ZERO_RETURN:
1325 BIO_printf(bio_c_out,"closed\n");
1326 goto shut;
1327 case SSL_ERROR_SSL:
1328 ERR_print_errors(bio_err);
1329 goto shut;
dfeab068 1330 /* break; */
d02b48c6
RE		 1331 }
1332 }
1333
3d7c4a5a
RL		 1334#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
1335#if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
0bf23d9b
RL		 1336 else if (_kbhit())
1337#else
a9ef75c5 1338 else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
0bf23d9b 1339#endif
4d8743f4
RL		 1340#elif defined (OPENSSL_SYS_NETWARE)
1341 else if (_kbhit())
06f4536a 1342#else
d02b48c6 1343 else if (FD_ISSET(fileno(stdin),&readfds))
06f4536a 1344#endif
d02b48c6 1345 {
1bdb8633
BM		 1346 if (crlf)
1347 {
1348 int j, lf_num;
1349
1350 i=read(fileno(stdin),cbuf,BUFSIZZ/2);
1351 lf_num = 0;
1352 /* both loops are skipped when i <= 0 */
1353 for (j = 0; j < i; j++)
1354 if (cbuf[j] == '\n')
1355 lf_num++;
1356 for (j = i-1; j >= 0; j--)
1357 {
1358 cbuf[j+lf_num] = cbuf[j];
1359 if (cbuf[j] == '\n')
1360 {
1361 lf_num--;
1362 i++;
1363 cbuf[j+lf_num] = '\r';
1364 }
1365 }
1366 assert(lf_num == 0);
1367 }
1368 else
1bdb8633 1369 i=read(fileno(stdin),cbuf,BUFSIZZ);
d02b48c6 1370
ce301b6b 1371 if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q')))
d02b48c6
RE		 1372 {
1373 BIO_printf(bio_err,"DONE\n");
1374 goto shut;
1375 }
1376
ce301b6b 1377 if ((!c_ign_eof) && (cbuf[0] == 'R'))
d02b48c6 1378 {
3bb307c1 1379 BIO_printf(bio_err,"RENEGOTIATING\n");
d02b48c6 1380 SSL_renegotiate(con);
3bb307c1 1381 cbuf_len=0;
d02b48c6
RE		 1382 }
1383 else
1384 {
1385 cbuf_len=i;
1386 cbuf_off=0;
a53955d8
UM		 1387#ifdef CHARSET_EBCDIC
1388 ebcdic2ascii(cbuf, cbuf, i);
1389#endif
d02b48c6
RE		 1390 }
1391
d02b48c6 1392 write_ssl=1;
3bb307c1 1393 read_tty=0;
d02b48c6 1394 }
d02b48c6
RE		 1395 }
1396shut:
1397 SSL_shutdown(con);
1398 SHUTDOWN(SSL_get_fd(con));
1399 ret=0;
1400end:
c3ed3b6e 1401 if(prexit) print_stuff(bio_c_out,con,1);
d02b48c6
RE		 1402 if (con != NULL) SSL_free(con);
1403 if (con2 != NULL) SSL_free(con2);
1404 if (ctx != NULL) SSL_CTX_free(ctx);
826a42a0
DSH		 1405 if (cert)
1406 X509_free(cert);
1407 if (key)
1408 EVP_PKEY_free(key);
1409 if (pass)
1410 OPENSSL_free(pass);
4579924b
RL		 1411 if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); }
1412 if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); }
1413 if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); }
d02b48c6
RE		 1414 if (bio_c_out != NULL)
1415 {
1416 BIO_free(bio_c_out);
1417 bio_c_out=NULL;
1418 }
c04f8cf4 1419 apps_shutdown();
1c3e4a36 1420 OPENSSL_EXIT(ret);
d02b48c6
RE		 1421 }
1422
1423
6b691a5c 1424static void print_stuff(BIO *bio, SSL *s, int full)
d02b48c6 1425 {
58964a49 1426 X509 *peer=NULL;
d02b48c6 1427 char *p;
7d727231 1428 static const char *space=" ";
d02b48c6 1429 char buf[BUFSIZ];
f73e07cf
BL		 1430 STACK_OF(X509) *sk;
1431 STACK_OF(X509_NAME) *sk2;
d02b48c6
RE		 1432 SSL_CIPHER *c;
1433 X509_NAME *xn;
1434 int j,i;
54f51116 1435#ifndef OPENSSL_NO_COMP
d8ec0dcf 1436 const COMP_METHOD *comp, *expansion;
54f51116 1437#endif
d02b48c6
RE		 1438
1439 if (full)
1440 {
bc2e519a
BM		 1441 int got_a_chain = 0;
1442
d02b48c6
RE		 1443 sk=SSL_get_peer_cert_chain(s);
1444 if (sk != NULL)
1445 {
bc2e519a
BM		 1446 got_a_chain = 1; /* we don't have it for SSL2 (yet) */
1447
dfeab068 1448 BIO_printf(bio,"---\nCertificate chain\n");
f73e07cf 1449 for (i=0; i<sk_X509_num(sk); i++)
d02b48c6 1450 {
f73e07cf 1451 X509_NAME_oneline(X509_get_subject_name(
54a656ef 1452 sk_X509_value(sk,i)),buf,sizeof buf);
d02b48c6 1453 BIO_printf(bio,"%2d s:%s\n",i,buf);
f73e07cf 1454 X509_NAME_oneline(X509_get_issuer_name(
54a656ef 1455 sk_X509_value(sk,i)),buf,sizeof buf);
d02b48c6 1456 BIO_printf(bio," i:%s\n",buf);
6d02d8e4 1457 if (c_showcerts)
f73e07cf 1458 PEM_write_bio_X509(bio,sk_X509_value(sk,i));
d02b48c6
RE		 1459 }
1460 }
1461
1462 BIO_printf(bio,"---\n");
1463 peer=SSL_get_peer_certificate(s);
1464 if (peer != NULL)
1465 {
1466 BIO_printf(bio,"Server certificate\n");
c7c7a432
MC		 1467
1468 /* Redundant if we showed the whole chain */
1469 if (!(c_showcerts && got_a_chain))
6d02d8e4 1470 PEM_write_bio_X509(bio,peer);
d02b48c6 1471 X509_NAME_oneline(X509_get_subject_name(peer),
54a656ef 1472 buf,sizeof buf);
d02b48c6
RE		 1473 BIO_printf(bio,"subject=%s\n",buf);
1474 X509_NAME_oneline(X509_get_issuer_name(peer),
54a656ef 1475 buf,sizeof buf);
d02b48c6 1476 BIO_printf(bio,"issuer=%s\n",buf);
d02b48c6
RE		 1477 }
1478 else
1479 BIO_printf(bio,"no peer certificate available\n");
1480
f73e07cf 1481 sk2=SSL_get_client_CA_list(s);
d91f8c3c 1482 if ((sk2 != NULL) && (sk_X509_NAME_num(sk2) > 0))
d02b48c6
RE		 1483 {
1484 BIO_printf(bio,"---\nAcceptable client certificate CA names\n");
f73e07cf 1485 for (i=0; i<sk_X509_NAME_num(sk2); i++)
d02b48c6 1486 {
f73e07cf 1487 xn=sk_X509_NAME_value(sk2,i);
d02b48c6
RE		 1488 X509_NAME_oneline(xn,buf,sizeof(buf));
1489 BIO_write(bio,buf,strlen(buf));
1490 BIO_write(bio,"\n",1);
1491 }
1492 }
1493 else
1494 {
1495 BIO_printf(bio,"---\nNo client certificate CA names sent\n");
1496 }
54a656ef 1497 p=SSL_get_shared_ciphers(s,buf,sizeof buf);
d02b48c6
RE		 1498 if (p != NULL)
1499 {
67a47285
BM		 1500 /* This works only for SSL 2. In later protocol
1501 * versions, the client does not know what other
1502 * ciphers (in addition to the one to be used
1503 * in the current connection) the server supports. */
1504
d02b48c6
RE		 1505 BIO_printf(bio,"---\nCiphers common between both SSL endpoints:\n");
1506 j=i=0;
1507 while (*p)
1508 {
1509 if (*p == ':')
1510 {
58964a49 1511 BIO_write(bio,space,15-j%25);
d02b48c6
RE		 1512 i++;
1513 j=0;
1514 BIO_write(bio,((i%3)?" ":"\n"),1);
1515 }
1516 else
1517 {
1518 BIO_write(bio,p,1);
1519 j++;
1520 }
1521 p++;
1522 }
1523 BIO_write(bio,"\n",1);
1524 }
1525
1526 BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n",
1527 BIO_number_read(SSL_get_rbio(s)),
1528 BIO_number_written(SSL_get_wbio(s)));
1529 }
1530 BIO_printf(bio,((s->hit)?"---\nReused, ":"---\nNew, "));
1531 c=SSL_get_current_cipher(s);
1532 BIO_printf(bio,"%s, Cipher is %s\n",
1533 SSL_CIPHER_get_version(c),
1534 SSL_CIPHER_get_name(c));
a8236c8c
DSH		 1535 if (peer != NULL) {
1536 EVP_PKEY *pktmp;
1537 pktmp = X509_get_pubkey(peer);
58964a49 1538 BIO_printf(bio,"Server public key is %d bit\n",
a8236c8c
DSH		 1539 EVP_PKEY_bits(pktmp));
1540 EVP_PKEY_free(pktmp);
1541 }
59f44e81
DSH		 1542 BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
1543 SSL_get_secure_renegotiation_support(s) ? "" : " NOT");
54f51116 1544#ifndef OPENSSL_NO_COMP
f44e184e 1545 comp=SSL_get_current_compression(s);
d8ec0dcf 1546 expansion=SSL_get_current_expansion(s);
f44e184e
RL		 1547 BIO_printf(bio,"Compression: %s\n",
1548 comp ? SSL_COMP_get_name(comp) : "NONE");
1549 BIO_printf(bio,"Expansion: %s\n",
d8ec0dcf 1550 expansion ? SSL_COMP_get_name(expansion) : "NONE");
54f51116 1551#endif
d02b48c6
RE		 1552 SSL_SESSION_print(bio,SSL_get_session(s));
1553 BIO_printf(bio,"---\n");
58964a49
RE		 1554 if (peer != NULL)
1555 X509_free(peer);
41ebed27 1556 /* flush, or debugging output gets mixed with http response */
761f3b40 1557 (void)BIO_flush(bio);
d02b48c6
RE		 1558 }
1559
e66deb68
BL		 1560#ifndef OPENSSL_NO_TLSEXT
1561
a5232767
DSH		 1562static int ocsp_resp_cb(SSL *s, void *arg)
1563 {
1564 const unsigned char *p;
1565 int len;
1566 OCSP_RESPONSE *rsp;
1567 len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1568 BIO_puts(arg, "OCSP response: ");
1569 if (!p)
1570 {
1571 BIO_puts(arg, "no response sent\n");
1572 return 1;
1573 }
1574 rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
1575 if (!rsp)
1576 {
1577 BIO_puts(arg, "response parse error\n");
1578 BIO_dump_indent(arg, (char *)p, len, 4);
1579 return 0;
1580 }
1581 BIO_puts(arg, "\n======================================\n");
1582 OCSP_RESPONSE_print(arg, rsp, 0);
1583 BIO_puts(arg, "======================================\n");
1584 OCSP_RESPONSE_free(rsp);
1585 return 1;
1586 }
e66deb68 1587#endif /* ndef OPENSSL_NO_TLSEXT */
A mirror of the official openssl repository