2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
87 * 6. Redistributions of any form whatsoever must retain the following
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
111 /* ====================================================================
112 * Copyright 2005 Nokia. All rights reserved.
114 * The portions of the attached software ("Contribution") is developed by
115 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
118 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120 * support (see RFC 4279) to OpenSSL.
122 * No patent licenses or other rights except those expressly stated in
123 * the OpenSSL open source license shall be deemed granted or received
124 * expressly, by implication, estoppel, or otherwise.
126 * No assurances are provided by Nokia that the Contribution does not
127 * infringe the patent or other intellectual property rights of any third
128 * party or that the license provides you with all the necessary rights
129 * to make use of the Contribution.
131 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
143 #include <openssl/e_os2.h>
144 #ifdef OPENSSL_NO_STDIO
148 /* With IPv6, it looks like Digital has mixed up the proper order of
149 recursive header file inclusion, resulting in the compiler complaining
150 that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which
151 is needed to have fileno() declared correctly... So let's define u_int */
152 #if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
154 typedef unsigned int u_int;
159 #include <openssl/x509.h>
160 #include <openssl/ssl.h>
161 #include <openssl/err.h>
162 #include <openssl/pem.h>
163 #include <openssl/rand.h>
164 #include <openssl/ocsp.h>
165 #include <openssl/bn.h>
166 #ifndef OPENSSL_NO_SRP
167 #include <openssl/srp.h>
170 #include "timeouts.h"
172 #if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
173 /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
177 #if defined(OPENSSL_SYS_BEOS_R5)
182 #define PROG s_client_main
184 /*#define SSL_HOST_NAME "www.netscape.com" */
185 /*#define SSL_HOST_NAME "193.118.187.102" */
186 #define SSL_HOST_NAME "localhost"
188 /*#define TEST_CERT "client.pem" */ /* no default cert. */
191 #define BUFSIZZ 1024*8
193 extern int verify_depth;
194 extern int verify_error;
195 extern int verify_return_error;
196 extern int verify_quiet;
201 static int c_Pause=0;
202 static int c_debug=0;
203 #ifndef OPENSSL_NO_TLSEXT
204 static int c_tlsextdebug=0;
205 static int c_status_req=0;
208 static int c_showcerts=0;
210 static char *keymatexportlabel=NULL;
211 static int keymatexportlen=20;
213 static void sc_usage(void);
214 static void print_stuff(BIO *berr,SSL *con,int full);
215 #ifndef OPENSSL_NO_TLSEXT
216 static int ocsp_resp_cb(SSL *s, void *arg);
217 static int c_auth = 0;
218 static int c_auth_require_reneg = 0;
220 static BIO *bio_c_out=NULL;
221 static BIO *bio_c_msg=NULL;
222 static int c_quiet=0;
223 static int c_ign_eof=0;
224 static int c_brief=0;
226 #ifndef OPENSSL_NO_TLSEXT
228 static unsigned char *generated_supp_data = NULL;
230 static const unsigned char *most_recent_supplemental_data = NULL;
231 static size_t most_recent_supplemental_data_length = 0;
233 static int server_provided_server_authz = 0;
234 static int server_provided_client_authz = 0;
236 static const unsigned char auth_ext_data[]={TLSEXT_AUTHZDATAFORMAT_dtcp};
238 static int suppdata_cb(SSL *s, unsigned short supp_data_type,
239 const unsigned char *in,
240 unsigned short inlen, int *al,
243 static int auth_suppdata_generate_cb(SSL *s, unsigned short supp_data_type,
244 const unsigned char **out,
245 unsigned short *outlen, int *al, void *arg);
247 static int authz_tlsext_generate_cb(SSL *s, unsigned short ext_type,
248 const unsigned char **out, unsigned short *outlen,
251 static int authz_tlsext_cb(SSL *s, unsigned short ext_type,
252 const unsigned char *in,
253 unsigned short inlen, int *al,
257 #ifndef OPENSSL_NO_PSK
258 /* Default PSK identity and key */
259 static char *psk_identity="Client_identity";
260 /*char *psk_key=NULL; by default PSK is not used */
/*
 * PSK client callback: reports the server's identity hint, copies the
 * configured psk_identity into |identity|, and converts the hex string
 * psk_key into raw bytes stored in |psk|.
 *
 * identity / max_identity_len: output buffer for the identity and its size.
 * psk / max_psk_len: output buffer for the binary key and its size.
 * psk_len starts at 0 and receives the BN_bn2bin() byte count.
 *
 * NOTE(review): this listing omits some lines of the function (local
 * declarations, braces, branch conditions, return statements), so the exact
 * return values are not visible here - confirm against the full file.
 */
262 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity,
263 unsigned int max_identity_len, unsigned char *psk,
264 unsigned int max_psk_len)
266 unsigned int psk_len = 0;
271 BIO_printf(bio_c_out, "psk_client_cb\n");
274 /* no ServerKeyExchange message*/
276 BIO_printf(bio_c_out,"NULL received PSK identity hint, continuing anyway\n");
279 BIO_printf(bio_c_out, "Received PSK identity hint '%s'\n", hint);
281 /* lookup PSK identity and PSK key based on the given identity hint here */
282 ret = BIO_snprintf(identity, max_identity_len, "%s", psk_identity);
/* The BIO_snprintf() result is checked for failure and against
 * max_identity_len; the branch taken on failure is not shown in this listing. */
283 if (ret < 0 || (unsigned int)ret > max_identity_len)
286 BIO_printf(bio_c_out, "created identity '%s' len=%d\n", identity, ret);
287 ret=BN_hex2bn(&bn, psk_key);
/* NOTE(review): this error message echoes psk_key itself to bio_err, so the
 * pre-shared key can land in captured stderr or logs when the conversion
 * fails; reporting only that the conversion failed would avoid that. */
290 BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", psk_key);
/* Bound check: the decoded key must fit in the caller's |psk| buffer before
 * BN_bn2bin() writes into it. */
296 if ((unsigned int)BN_num_bytes(bn) > max_psk_len)
298 BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
299 max_psk_len, BN_num_bytes(bn));
/* bn holds key material at this point. NOTE(review): how bn is released is
 * not visible in this listing; BN_clear_free() is the variant that zeroes
 * the value before freeing - confirm which one the full file uses. */
304 psk_len=BN_bn2bin(bn, psk);
/* Only the key length is printed here, not the key bytes. */
310 BIO_printf(bio_c_out, "created PSK len=%d\n", psk_len);
315 BIO_printf(bio_err, "Error in PSK client callback\n");
/*
 * Prints the s_client option summary to bio_err, one BIO_printf() per help
 * line. Option groups are compiled in or out by the OPENSSL_NO_* guards.
 * NOTE(review): the braces and the closing #endif lines of those guards are
 * not part of this listing.
 */
320 static void sc_usage(void)
322 BIO_printf(bio_err,"usage: s_client args\n");
323 BIO_printf(bio_err,"\n");
324 BIO_printf(bio_err," -host host - use -connect instead\n");
325 BIO_printf(bio_err," -port port - use -connect instead\n");
326 BIO_printf(bio_err," -connect host:port - connect over TCP/IP (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR);
327 BIO_printf(bio_err," -unix path - connect over unix domain sockets\n");
328 BIO_printf(bio_err," -verify arg - turn on peer certificate verification\n");
329 BIO_printf(bio_err," -cert arg - certificate file to use, PEM format assumed\n");
330 BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n");
331 BIO_printf(bio_err," -key arg - Private key file to use, in cert file if\n");
332 BIO_printf(bio_err," not specified but cert file is.\n");
333 BIO_printf(bio_err," -keyform arg - key format (PEM or DER) PEM default\n");
334 BIO_printf(bio_err," -pass arg - private key file pass phrase source\n");
335 BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n");
336 BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n");
337 BIO_printf(bio_err," -trusted_first - Use local CA's first when building trust chain\n");
338 BIO_printf(bio_err," -reconnect - Drop and re-make the connection with the same Session-ID\n");
339 BIO_printf(bio_err," -pause - sleep(1) after each read(2) and write(2) system call\n");
340 BIO_printf(bio_err," -showcerts - show all certificates in the chain\n");
341 BIO_printf(bio_err," -debug - extra output\n");
343 BIO_printf(bio_err," -wdebug - WATT-32 tcp debugging\n");
345 BIO_printf(bio_err," -msg - Show protocol messages\n");
346 BIO_printf(bio_err," -nbio_test - more ssl protocol testing\n");
347 BIO_printf(bio_err," -state - print the 'ssl' states\n");
349 BIO_printf(bio_err," -nbio - Run with non-blocking IO\n");
351 BIO_printf(bio_err," -crlf - convert LF from terminal into CRLF\n");
352 BIO_printf(bio_err," -quiet - no s_client output\n");
353 BIO_printf(bio_err," -ign_eof - ignore input eof (default when -quiet)\n");
354 BIO_printf(bio_err," -no_ign_eof - don't ignore input eof\n");
355 #ifndef OPENSSL_NO_PSK
/* NOTE(review): -psk and -jpake here, and -srppass further down, take the
 * secret itself as a command-line argument, where it may be readable by other
 * local users through the process list; the help text does not say so. */
356 BIO_printf(bio_err," -psk_identity arg - PSK identity\n");
357 BIO_printf(bio_err," -psk arg - PSK in hex (without 0x)\n");
358 # ifndef OPENSSL_NO_JPAKE
359 BIO_printf(bio_err," -jpake arg - JPAKE secret to use\n");
362 #ifndef OPENSSL_NO_SRP
363 BIO_printf(bio_err," -srpuser user - SRP authentification for 'user'\n");
364 BIO_printf(bio_err," -srppass arg - password for 'user'\n");
365 BIO_printf(bio_err," -srp_lateuser - SRP username into second ClientHello message\n");
366 BIO_printf(bio_err," -srp_moregroups - Tolerate other than the known g N values.\n");
367 BIO_printf(bio_err," -srp_strength int - minimal mength in bits for N (default %d).\n",SRP_MINIMAL_N);
/* Protocol pinning options. SSLv2 and SSLv3 are obsolete protocol versions;
 * forcing them is only appropriate when probing what a server still accepts. */
369 BIO_printf(bio_err," -ssl2 - just use SSLv2\n");
370 BIO_printf(bio_err," -ssl3 - just use SSLv3\n");
371 BIO_printf(bio_err," -tls1_2 - just use TLSv1.2\n");
372 BIO_printf(bio_err," -tls1_1 - just use TLSv1.1\n");
373 BIO_printf(bio_err," -tls1 - just use TLSv1\n");
374 BIO_printf(bio_err," -dtls1 - just use DTLSv1\n");
375 BIO_printf(bio_err," -mtu - set the link layer MTU\n");
376 BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
377 BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n");
378 BIO_printf(bio_err," -serverpref - Use server's cipher preferences (only SSLv2)\n");
379 BIO_printf(bio_err," -cipher - preferred cipher to use, use the 'openssl ciphers'\n");
380 BIO_printf(bio_err," command to see what is available\n");
381 BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n");
382 BIO_printf(bio_err," for those protocols that support it, where\n");
383 BIO_printf(bio_err," 'prot' defines which one to assume. Currently,\n");
384 BIO_printf(bio_err," only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
385 BIO_printf(bio_err," are supported.\n");
386 BIO_printf(bio_err," -xmpphost host - When used with \"-starttls xmpp\" specifies the virtual host.\n");
387 #ifndef OPENSSL_NO_ENGINE
388 BIO_printf(bio_err," -engine id - Initialise and use the specified engine\n");
390 BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
391 BIO_printf(bio_err," -sess_out arg - file to write SSL session to\n");
392 BIO_printf(bio_err," -sess_in arg - file to read SSL session from\n");
393 #ifndef OPENSSL_NO_TLSEXT
394 BIO_printf(bio_err," -servername host - Set TLS extension servername in ClientHello\n");
395 BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n");
396 BIO_printf(bio_err," -status - request certificate status from server\n");
397 BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n");
398 BIO_printf(bio_err," -serverinfo types - send empty ClientHello extensions (comma-separated numbers)\n");
399 BIO_printf(bio_err," -auth - send and receive RFC 5878 TLS auth extensions and supplemental data\n");
400 BIO_printf(bio_err," -auth_require_reneg - Do not send TLS auth extensions until renegotiation\n");
401 # ifndef OPENSSL_NO_NEXTPROTONEG
402 BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
404 BIO_printf(bio_err," -alpn arg - enable ALPN extension, considering named protocols supported (comma-separated list)\n");
/* The help text itself marks legacy renegotiation as dangerous. */
406 BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
407 BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
408 BIO_printf(bio_err," -keymatexport label - Export keying material using label\n");
409 BIO_printf(bio_err," -keymatexportlen len - Export len bytes of keying material (default 20)\n");
412 #ifndef OPENSSL_NO_TLSEXT
414 /* This is a context that we pass to callbacks */
415 typedef struct tlsextctx_st {
/*
 * Server-name (SNI) callback. |arg| is the tlsextctx supplied by the caller;
 * its ack field records whether the server acknowledged the name: it is set
 * only when the session was not reused and SSL_get_servername() returned a
 * host name.
 * NOTE(review): the line between the ack assignment and the error message is
 * missing from this listing - presumably an else branch; confirm.
 */
421 static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
423 tlsextctx * p = (tlsextctx *) arg;
424 const char * hn= SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
425 if (SSL_get_servername_type(s) != -1)
426 p->ack = !SSL_session_reused(s) && hn != NULL;
428 BIO_printf(bio_err,"Can't use SSL_get_servername\n");
/* The visible return is always SSL_TLSEXT_ERR_OK, so a missing
 * acknowledgement is recorded in p->ack but does not stop the handshake. */
430 return SSL_TLSEXT_ERR_OK;
433 #ifndef OPENSSL_NO_SRP
435 /* This is a context that we pass to all callbacks */
436 typedef struct srp_arg_st
440 int msg; /* copy from c_msg */
441 int debug; /* copy from c_debug */
442 int amp; /* allow more groups */
443 int strength /* minimal size for N */ ;
446 #define SRP_NUMBER_ITERATIONS_FOR_PRIME 64
/*
 * Sanity-checks SRP group parameters that are not on the known list.
 * The visible conditions require: N and g non-NULL, N odd and accepted by
 * BN_is_prime_ex(), p = N >> 1 (which is (N-1)/2 for odd N) also accepted by
 * BN_is_prime_ex(), and then compute r = g^p mod N for the comparison named
 * in the comment below.
 * NOTE(review): the start of the expression, the final comparison and the
 * release of bn_ctx, p and r are not part of this listing - confirm against
 * the full file.
 */
448 static int srp_Verify_N_and_g(const BIGNUM *N, const BIGNUM *g)
/* Allocation results are checked inside the && chain (bn_ctx != NULL,
 * p != NULL), not at the point of allocation. */
450 BN_CTX *bn_ctx = BN_CTX_new();
451 BIGNUM *p = BN_new();
452 BIGNUM *r = BN_new();
454 g != NULL && N != NULL && bn_ctx != NULL && BN_is_odd(N) &&
/* NOTE(review): BN_is_prime_ex() can report an error with a negative value,
 * which is non-zero and therefore counts as "prime" in this && chain;
 * comparing the result with 1 would be stricter - confirm. */
455 BN_is_prime_ex(N, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
456 p != NULL && BN_rshift1(p, N) &&
/* Requiring both N and (N-1)/2 to be prime means N must be a safe prime. */
459 BN_is_prime_ex(p, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
462 /* verify g^((N-1)/2) == -1 (mod N) */
463 BN_mod_exp(r, g, p, N, bn_ctx) &&
476 /* This callback is used here for two purposes:
478 - making some primality tests for unknown groups
479 The callback is only called for a non default group.
481 An application does not need the call back at all if
482 only the standard groups are used. In real life situations,
483 client and server already share well known groups,
484 thus there is no need to verify them.
485 Furthermore, in case that a server actually proposes a group that
486 is not one of those defined in RFC 5054, it is more appropriate
487 to add the group to a static list and then compare since
488 primality tests are rather cpu consuming.
/*
 * SRP parameter verification callback. |arg| is the SRP_ARG supplied by the
 * caller. Fetches N and g from the connection, optionally prints them, checks
 * them with SRP_check_known_gN_param() and, when srp_arg->amp is 1, runs
 * srp_Verify_N_and_g() on unknown groups whose g is at most BN_BITS bits
 * long. The message "SRP param N and g rejected." is printed on the
 * remaining path.
 * NOTE(review): the return statements and braces are missing from this
 * listing, so the accept/reject return values are not visible - confirm.
 */
491 static int MS_CALLBACK ssl_srp_verify_param_cb(SSL *s, void *arg)
493 SRP_ARG *srp_arg = (SRP_ARG *)arg;
494 BIGNUM *N = NULL, *g = NULL;
/* Both parameters must be available from the connection. */
495 if (!(N = SSL_get_srp_N(s)) || !(g = SSL_get_srp_g(s)))
/* Diagnostic dump of the server's N and g to bio_err when debug, msg or
 * amp is set. */
497 if (srp_arg->debug || srp_arg->msg || srp_arg->amp == 1)
499 BIO_printf(bio_err, "SRP parameters:\n");
500 BIO_printf(bio_err,"\tN="); BN_print(bio_err,N);
501 BIO_printf(bio_err,"\n\tg="); BN_print(bio_err,g);
502 BIO_printf(bio_err,"\n");
/* Groups on the library's known list take this branch; presumably they are
 * accepted here without further tests - confirm. */
505 if (SRP_check_known_gN_param(g,N))
/* amp is the "allow more groups" field of SRP_ARG; only when it is 1 are
 * unknown groups examined instead of being refused outright. */
508 if (srp_arg->amp == 1)
511 BIO_printf(bio_err, "SRP param N and g are not known params, going to check deeper.\n");
513 /* The srp_moregroups is a real debugging feature.
514 Implementors should rather add the value to the known ones.
515 The minimal size has already been tested.
517 if (BN_num_bits(g) <= BN_BITS && srp_Verify_N_and_g(N,g))
520 BIO_printf(bio_err, "SRP param N and g rejected.\n");
524 #define PWD_STRLEN 1024
/*
 * SRP password callback. Allocates a PWD_STRLEN+1 byte buffer and fills it
 * through password_callback(), using srp_arg->srppassin as the password
 * source and "SRP user" as the prompt information.
 * NOTE(review): the return statements are not part of this listing;
 * presumably the buffer is handed back to the library, which would then own
 * memory holding the password - confirm who frees and clears it.
 */
526 static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
528 SRP_ARG *srp_arg = (SRP_ARG *)arg;
/* NOTE(review): no NULL check on this allocation is visible in the listing
 * before password_callback() writes into pass - confirm against the full
 * file. */
529 char *pass = (char *)OPENSSL_malloc(PWD_STRLEN+1);
533 cb_tmp.password = (char *)srp_arg->srppassin;
534 cb_tmp.prompt_info = "SRP user";
/* The callback is limited to PWD_STRLEN bytes, one less than the allocation;
 * a negative result is treated as a read failure. */
535 if ((l = password_callback(pass, PWD_STRLEN, 0, &cb_tmp))<0)
537 BIO_printf (bio_err, "Can't read Password\n");
547 char *srtp_profiles = NULL;
549 # ifndef OPENSSL_NO_NEXTPROTONEG
550 /* This is the context that we pass to next_proto_cb */
551 typedef struct tlsextnextprotoctx_st {
555 } tlsextnextprotoctx;
557 static tlsextnextprotoctx next_proto;
/*
 * NPN selection callback. Prints the protocols the server advertised, then
 * lets SSL_select_next_proto() choose between the server's list (|in|,
 * |inlen|) and the client's list held in ctx->data / ctx->len, storing the
 * outcome in ctx->status and the selection in |out| / |outlen|.
 * NOTE(review): the condition guarding the printing, the loop increment and
 * the braces are not part of this listing - confirm against the full file.
 */
559 static int next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg)
561 tlsextnextprotoctx *ctx = arg;
565 /* We can assume that |in| is syntactically valid. */
567 BIO_printf(bio_c_out, "Protocols advertised by server: ");
/* |in| is a run of length-prefixed names: in[i] is the length byte and the
 * name starts at in[i + 1]. The loop trusts each length byte, relying on the
 * validity assumption stated above.
 * NOTE(review): the names are server-supplied and written to bio_c_out
 * unfiltered, so non-printable bytes reach the terminal as sent. */
568 for (i = 0; i < inlen; )
571 BIO_write(bio_c_out, ", ", 2);
572 BIO_write(bio_c_out, &in[i + 1], in[i]);
575 BIO_write(bio_c_out, "\n", 1);
/* The selection result is kept only in ctx->status; the callback itself
 * reports SSL_TLSEXT_ERR_OK regardless of that result. */
578 ctx->status = SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len);
579 return SSL_TLSEXT_ERR_OK;
581 # endif /* ndef OPENSSL_NO_NEXTPROTONEG */
/*
 * Client-side callback for a received ServerHello extension requested with
 * -serverinfo. Rebuilds the extension as a 2-byte type, 2-byte length and
 * the payload, then writes it to bio_c_out as a PEM block named
 * "SERVERINFO FOR EXTENSION <type>".
 * NOTE(review): the remaining parameters, the pem_name declaration and the
 * return statement are not part of this listing - confirm against the full
 * file.
 */
583 static int serverinfo_cli_cb(SSL* s, unsigned short ext_type,
584 const unsigned char* in, unsigned short inlen,
/* Sized for the 4-byte header plus the largest payload: inlen is an
 * unsigned short, so the memcpy() below cannot write past this buffer.
 * The buffer is an automatic variable of roughly 64 KiB. */
588 unsigned char ext_buf[4 + 65536];
590 /* Reconstruct the type/len fields prior to extension data */
591 ext_buf[0] = ext_type >> 8;
592 ext_buf[1] = ext_type & 0xFF;
593 ext_buf[2] = inlen >> 8;
594 ext_buf[3] = inlen & 0xFF;
595 memcpy(ext_buf+4, in, inlen);
597 BIO_snprintf(pem_name, sizeof(pem_name), "SERVERINFO FOR EXTENSION %d",
/* NOTE(review): no check of the PEM_write_bio() result is visible here. */
599 PEM_write_bio(bio_c_out, pem_name, "", ext_buf, 4 + inlen);
615 int MAIN(int, char **);
617 int MAIN(int argc, char **argv)
621 #ifndef OPENSSL_NO_KRB5
624 int s,k,width,state=0;
625 char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL;
626 int cbuf_len,cbuf_off;
627 int sbuf_len,sbuf_off;
628 fd_set readfds,writefds;
631 char *host=SSL_HOST_NAME;
632 const char *unix_path = NULL;
633 char *xmpphost = NULL;
634 char *cert_file=NULL,*key_file=NULL,*chain_file=NULL;
635 int cert_format = FORMAT_PEM, key_format = FORMAT_PEM;
636 char *passarg = NULL, *pass = NULL;
638 EVP_PKEY *key = NULL;
639 STACK_OF(X509) *chain = NULL;
640 char *CApath=NULL,*CAfile=NULL;
641 char *chCApath=NULL,*chCAfile=NULL;
642 char *vfyCApath=NULL,*vfyCAfile=NULL;
643 int reconnect=0,badop=0,verify=SSL_VERIFY_NONE;
645 int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending;
647 int ret=1,in_init=1,i,nbio_test=0;
648 int starttls_proto = PROTO_OFF;
650 X509_VERIFY_PARAM *vpm = NULL;
652 const SSL_METHOD *meth=NULL;
653 int socket_type=SOCK_STREAM;
657 struct timeval timeout, *timeoutp;
658 #ifndef OPENSSL_NO_ENGINE
659 char *engine_id=NULL;
660 char *ssl_client_engine_id=NULL;
661 ENGINE *ssl_client_engine=NULL;
664 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
666 #if defined(OPENSSL_SYS_BEOS_R5)
670 #ifndef OPENSSL_NO_TLSEXT
671 char *servername = NULL;
672 tlsextctx tlsextcbp =
674 # ifndef OPENSSL_NO_NEXTPROTONEG
675 const char *next_proto_neg_in = NULL;
677 const char *alpn_in = NULL;
678 # define MAX_SI_TYPES 100
679 unsigned short serverinfo_types[MAX_SI_TYPES];
680 int serverinfo_types_count = 0;
682 char *sess_in = NULL;
683 char *sess_out = NULL;
684 struct sockaddr peer;
685 int peerlen = sizeof(peer);
686 int enable_timeouts = 0 ;
688 #ifndef OPENSSL_NO_JPAKE
689 static char *jpake_secret = NULL;
690 #define no_jpake !jpake_secret
694 #ifndef OPENSSL_NO_SRP
695 char * srppass = NULL;
696 int srp_lateuser = 0;
697 SRP_ARG srp_arg = {NULL,NULL,0,0,0,1024};
699 SSL_EXCERT *exc = NULL;
701 SSL_CONF_CTX *cctx = NULL;
702 STACK_OF(OPENSSL_STRING) *ssl_args = NULL;
704 char *crl_file = NULL;
705 int crl_format = FORMAT_PEM;
706 int crl_download = 0;
707 STACK_OF(X509_CRL) *crls = NULL;
710 meth=SSLv23_client_method();
721 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
723 if (!load_config(bio_err, NULL))
725 cctx = SSL_CONF_CTX_new();
728 SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT);
729 SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CMDLINE);
731 if ( ((cbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
732 ((sbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
733 ((mbuf=OPENSSL_malloc(BUFSIZZ)) == NULL))
735 BIO_printf(bio_err,"out of memory\n");
740 verify_error=X509_V_OK;
749 if (strcmp(*argv,"-host") == 0)
751 if (--argc < 1) goto bad;
754 else if (strcmp(*argv,"-port") == 0)
756 if (--argc < 1) goto bad;
757 port=atoi(*(++argv));
758 if (port == 0) goto bad;
760 else if (strcmp(*argv,"-connect") == 0)
762 if (--argc < 1) goto bad;
763 if (!extract_host_port(*(++argv),&host,NULL,&port))
766 else if (strcmp(*argv,"-unix") == 0)
768 if (--argc < 1) goto bad;
769 unix_path = *(++argv);
771 else if (strcmp(*argv,"-xmpphost") == 0)
773 if (--argc < 1) goto bad;
776 else if (strcmp(*argv,"-verify") == 0)
778 verify=SSL_VERIFY_PEER;
779 if (--argc < 1) goto bad;
780 verify_depth=atoi(*(++argv));
782 BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
784 else if (strcmp(*argv,"-cert") == 0)
786 if (--argc < 1) goto bad;
787 cert_file= *(++argv);
789 else if (strcmp(*argv,"-CRL") == 0)
791 if (--argc < 1) goto bad;
794 else if (strcmp(*argv,"-crl_download") == 0)
796 else if (strcmp(*argv,"-sess_out") == 0)
798 if (--argc < 1) goto bad;
799 sess_out = *(++argv);
801 else if (strcmp(*argv,"-sess_in") == 0)
803 if (--argc < 1) goto bad;
806 else if (strcmp(*argv,"-certform") == 0)
808 if (--argc < 1) goto bad;
809 cert_format = str2fmt(*(++argv));
811 else if (strcmp(*argv,"-CRLform") == 0)
813 if (--argc < 1) goto bad;
814 crl_format = str2fmt(*(++argv));
816 else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
822 else if (strcmp(*argv,"-verify_return_error") == 0)
823 verify_return_error = 1;
824 else if (strcmp(*argv,"-verify_quiet") == 0)
826 else if (strcmp(*argv,"-brief") == 0)
832 else if (args_excert(&argv, &argc, &badarg, bio_err, &exc))
838 else if (args_ssl(&argv, &argc, cctx, &badarg, bio_err, &ssl_args))
844 else if (strcmp(*argv,"-prexit") == 0)
846 else if (strcmp(*argv,"-crlf") == 0)
848 else if (strcmp(*argv,"-quiet") == 0)
853 else if (strcmp(*argv,"-ign_eof") == 0)
855 else if (strcmp(*argv,"-no_ign_eof") == 0)
857 else if (strcmp(*argv,"-pause") == 0)
859 else if (strcmp(*argv,"-debug") == 0)
861 #ifndef OPENSSL_NO_TLSEXT
862 else if (strcmp(*argv,"-tlsextdebug") == 0)
864 else if (strcmp(*argv,"-status") == 0)
866 else if (strcmp(*argv,"-auth") == 0)
868 else if (strcmp(*argv,"-auth_require_reneg") == 0)
869 c_auth_require_reneg = 1;
872 else if (strcmp(*argv,"-wdebug") == 0)
875 else if (strcmp(*argv,"-msg") == 0)
877 else if (strcmp(*argv,"-msgfile") == 0)
879 if (--argc < 1) goto bad;
880 bio_c_msg = BIO_new_file(*(++argv), "w");
882 #ifndef OPENSSL_NO_SSL_TRACE
883 else if (strcmp(*argv,"-trace") == 0)
886 else if (strcmp(*argv,"-security_debug") == 0)
888 else if (strcmp(*argv,"-security_debug_verbose") == 0)
890 else if (strcmp(*argv,"-showcerts") == 0)
892 else if (strcmp(*argv,"-nbio_test") == 0)
894 else if (strcmp(*argv,"-state") == 0)
896 #ifndef OPENSSL_NO_PSK
897 else if (strcmp(*argv,"-psk_identity") == 0)
899 if (--argc < 1) goto bad;
900 psk_identity=*(++argv);
902 else if (strcmp(*argv,"-psk") == 0)
906 if (--argc < 1) goto bad;
908 for (j = 0; j < strlen(psk_key); j++)
910 if (isxdigit((unsigned char)psk_key[j]))
912 BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
917 #ifndef OPENSSL_NO_SRP
918 else if (strcmp(*argv,"-srpuser") == 0)
920 if (--argc < 1) goto bad;
921 srp_arg.srplogin= *(++argv);
922 meth=TLSv1_client_method();
924 else if (strcmp(*argv,"-srppass") == 0)
926 if (--argc < 1) goto bad;
928 meth=TLSv1_client_method();
930 else if (strcmp(*argv,"-srp_strength") == 0)
932 if (--argc < 1) goto bad;
933 srp_arg.strength=atoi(*(++argv));
934 BIO_printf(bio_err,"SRP minimal length for N is %d\n",srp_arg.strength);
935 meth=TLSv1_client_method();
937 else if (strcmp(*argv,"-srp_lateuser") == 0)
940 meth=TLSv1_client_method();
942 else if (strcmp(*argv,"-srp_moregroups") == 0)
945 meth=TLSv1_client_method();
948 #ifndef OPENSSL_NO_SSL2
949 else if (strcmp(*argv,"-ssl2") == 0)
950 meth=SSLv2_client_method();
952 #ifndef OPENSSL_NO_SSL3
953 else if (strcmp(*argv,"-ssl3") == 0)
954 meth=SSLv3_client_method();
956 #ifndef OPENSSL_NO_TLS1
957 else if (strcmp(*argv,"-tls1_2") == 0)
958 meth=TLSv1_2_client_method();
959 else if (strcmp(*argv,"-tls1_1") == 0)
960 meth=TLSv1_1_client_method();
961 else if (strcmp(*argv,"-tls1") == 0)
962 meth=TLSv1_client_method();
964 #ifndef OPENSSL_NO_DTLS1
965 else if (strcmp(*argv,"-dtls") == 0)
967 meth=DTLS_client_method();
968 socket_type=SOCK_DGRAM;
970 else if (strcmp(*argv,"-dtls1") == 0)
972 meth=DTLSv1_client_method();
973 socket_type=SOCK_DGRAM;
975 else if (strcmp(*argv,"-dtls1_2") == 0)
977 meth=DTLSv1_2_client_method();
978 socket_type=SOCK_DGRAM;
980 else if (strcmp(*argv,"-timeout") == 0)
982 else if (strcmp(*argv,"-mtu") == 0)
984 if (--argc < 1) goto bad;
985 socket_mtu = atol(*(++argv));
988 else if (strcmp(*argv,"-keyform") == 0)
990 if (--argc < 1) goto bad;
991 key_format = str2fmt(*(++argv));
993 else if (strcmp(*argv,"-pass") == 0)
995 if (--argc < 1) goto bad;
998 else if (strcmp(*argv,"-cert_chain") == 0)
1000 if (--argc < 1) goto bad;
1001 chain_file= *(++argv);
1003 else if (strcmp(*argv,"-key") == 0)
1005 if (--argc < 1) goto bad;
1006 key_file= *(++argv);
1008 else if (strcmp(*argv,"-reconnect") == 0)
1012 else if (strcmp(*argv,"-CApath") == 0)
1014 if (--argc < 1) goto bad;
1017 else if (strcmp(*argv,"-chainCApath") == 0)
1019 if (--argc < 1) goto bad;
1020 chCApath= *(++argv);
1022 else if (strcmp(*argv,"-verifyCApath") == 0)
1024 if (--argc < 1) goto bad;
1025 vfyCApath= *(++argv);
1027 else if (strcmp(*argv,"-build_chain") == 0)
1029 else if (strcmp(*argv,"-CAfile") == 0)
1031 if (--argc < 1) goto bad;
1034 else if (strcmp(*argv,"-chainCAfile") == 0)
1036 if (--argc < 1) goto bad;
1037 chCAfile= *(++argv);
1039 else if (strcmp(*argv,"-verifyCAfile") == 0)
1041 if (--argc < 1) goto bad;
1042 vfyCAfile= *(++argv);
1044 #ifndef OPENSSL_NO_TLSEXT
1045 # ifndef OPENSSL_NO_NEXTPROTONEG
1046 else if (strcmp(*argv,"-nextprotoneg") == 0)
1048 if (--argc < 1) goto bad;
1049 next_proto_neg_in = *(++argv);
1052 else if (strcmp(*argv,"-alpn") == 0)
1054 if (--argc < 1) goto bad;
1055 alpn_in = *(++argv);
1057 else if (strcmp(*argv,"-serverinfo") == 0)
1063 if (--argc < 1) goto bad;
1065 serverinfo_types_count = 0;
1067 for (i = 0; i <= len; ++i)
1069 if (i == len || c[i] == ',')
1071 serverinfo_types[serverinfo_types_count]
1073 serverinfo_types_count++;
1076 if (serverinfo_types_count == MAX_SI_TYPES)
1082 else if (strcmp(*argv,"-nbio") == 0)
1085 else if (strcmp(*argv,"-starttls") == 0)
1087 if (--argc < 1) goto bad;
1089 if (strcmp(*argv,"smtp") == 0)
1090 starttls_proto = PROTO_SMTP;
1091 else if (strcmp(*argv,"pop3") == 0)
1092 starttls_proto = PROTO_POP3;
1093 else if (strcmp(*argv,"imap") == 0)
1094 starttls_proto = PROTO_IMAP;
1095 else if (strcmp(*argv,"ftp") == 0)
1096 starttls_proto = PROTO_FTP;
1097 else if (strcmp(*argv, "xmpp") == 0)
1098 starttls_proto = PROTO_XMPP;
1102 #ifndef OPENSSL_NO_ENGINE
1103 else if (strcmp(*argv,"-engine") == 0)
1105 if (--argc < 1) goto bad;
1106 engine_id = *(++argv);
1108 else if (strcmp(*argv,"-ssl_client_engine") == 0)
1110 if (--argc < 1) goto bad;
1111 ssl_client_engine_id = *(++argv);
1114 else if (strcmp(*argv,"-rand") == 0)
1116 if (--argc < 1) goto bad;
1119 #ifndef OPENSSL_NO_TLSEXT
1120 else if (strcmp(*argv,"-servername") == 0)
1122 if (--argc < 1) goto bad;
1123 servername= *(++argv);
1124 /* meth=TLSv1_client_method(); */
1127 #ifndef OPENSSL_NO_JPAKE
1128 else if (strcmp(*argv,"-jpake") == 0)
1130 if (--argc < 1) goto bad;
1131 jpake_secret = *++argv;
1134 else if (strcmp(*argv,"-use_srtp") == 0)
1136 if (--argc < 1) goto bad;
1137 srtp_profiles = *(++argv);
1139 else if (strcmp(*argv,"-keymatexport") == 0)
1141 if (--argc < 1) goto bad;
1142 keymatexportlabel= *(++argv);
1144 else if (strcmp(*argv,"-keymatexportlen") == 0)
1146 if (--argc < 1) goto bad;
1147 keymatexportlen=atoi(*(++argv));
1148 if (keymatexportlen == 0) goto bad;
1152 BIO_printf(bio_err,"unknown option %s\n",*argv);
1166 if (unix_path && (socket_type != SOCK_STREAM))
1168 BIO_printf(bio_err, "Can't use unix sockets and datagrams together\n");
1171 #if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
1177 "Can't use JPAKE and PSK together\n");
1180 psk_identity = "JPAKE";
1184 OpenSSL_add_ssl_algorithms();
1185 SSL_load_error_strings();
1187 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
1188 next_proto.status = -1;
1189 if (next_proto_neg_in)
1191 next_proto.data = next_protos_parse(&next_proto.len, next_proto_neg_in);
1192 if (next_proto.data == NULL)
1194 BIO_printf(bio_err, "Error parsing -nextprotoneg argument\n");
1199 next_proto.data = NULL;
1202 #ifndef OPENSSL_NO_ENGINE
1203 e = setup_engine(bio_err, engine_id, 1);
1204 if (ssl_client_engine_id)
1206 ssl_client_engine = ENGINE_by_id(ssl_client_engine_id);
1207 if (!ssl_client_engine)
1210 "Error getting client auth engine\n");
1216 if (!app_passwd(bio_err, passarg, NULL, &pass, NULL))
1218 BIO_printf(bio_err, "Error getting password\n");
1222 if (key_file == NULL)
1223 key_file = cert_file;
1230 key = load_key(bio_err, key_file, key_format, 0, pass, e,
1231 "client certificate private key file");
1234 ERR_print_errors(bio_err);
1243 cert = load_cert(bio_err,cert_file,cert_format,
1244 NULL, e, "client certificate file");
1248 ERR_print_errors(bio_err);
1255 chain = load_certs(bio_err, chain_file,FORMAT_PEM,
1256 NULL, e, "client certificate chain");
1264 crl = load_crl(crl_file, crl_format);
1267 BIO_puts(bio_err, "Error loading CRL\n");
1268 ERR_print_errors(bio_err);
1271 crls = sk_X509_CRL_new_null();
1272 if (!crls || !sk_X509_CRL_push(crls, crl))
1274 BIO_puts(bio_err, "Error adding CRL\n");
1275 ERR_print_errors(bio_err);
1281 if (!load_excert(&exc, bio_err))
1284 if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
1287 BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
1290 BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
1291 app_RAND_load_files(inrand));
1293 if (bio_c_out == NULL)
1295 if (c_quiet && !c_debug)
1297 bio_c_out=BIO_new(BIO_s_null());
1298 if (c_msg && !bio_c_msg)
1299 bio_c_msg=BIO_new_fp(stdout,BIO_NOCLOSE);
1303 if (bio_c_out == NULL)
1304 bio_c_out=BIO_new_fp(stdout,BIO_NOCLOSE);
1308 #ifndef OPENSSL_NO_SRP
1309 if(!app_passwd(bio_err, srppass, NULL, &srp_arg.srppassin, NULL))
1311 BIO_printf(bio_err, "Error getting password\n");
1316 ctx=SSL_CTX_new(meth);
1319 ERR_print_errors(bio_err);
1324 ssl_ctx_security_debug(ctx, bio_err, sdebug);
1327 SSL_CTX_set1_param(ctx, vpm);
1329 if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, 1, no_jpake))
1331 ERR_print_errors(bio_err);
1335 if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile,
1336 crls, crl_download))
1338 BIO_printf(bio_err, "Error loading store locations\n");
1339 ERR_print_errors(bio_err);
1343 #ifndef OPENSSL_NO_ENGINE
1344 if (ssl_client_engine)
1346 if (!SSL_CTX_set_client_cert_engine(ctx, ssl_client_engine))
1348 BIO_puts(bio_err, "Error setting client auth engine\n");
1349 ERR_print_errors(bio_err);
1350 ENGINE_free(ssl_client_engine);
1353 ENGINE_free(ssl_client_engine);
1357 #ifndef OPENSSL_NO_PSK
1358 #ifdef OPENSSL_NO_JPAKE
1359 if (psk_key != NULL)
1361 if (psk_key != NULL || jpake_secret)
1365 BIO_printf(bio_c_out, "PSK key given or JPAKE in use, setting client callback\n");
1366 SSL_CTX_set_psk_client_callback(ctx, psk_client_cb);
1368 if (srtp_profiles != NULL)
1369 SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles);
1371 if (exc) ssl_ctx_set_excert(ctx, exc);
1372 /* DTLS: partial reads end up discarding unread UDP bytes :-(
1373 * Setting read ahead solves this problem.
1375 if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
1377 #if !defined(OPENSSL_NO_TLSEXT)
1378 # if !defined(OPENSSL_NO_NEXTPROTONEG)
1379 if (next_proto.data)
1380 SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);
1384 unsigned short alpn_len;
1385 unsigned char *alpn = next_protos_parse(&alpn_len, alpn_in);
1389 BIO_printf(bio_err, "Error parsing -alpn argument\n");
1392 SSL_CTX_set_alpn_protos(ctx, alpn, alpn_len);
1396 #ifndef OPENSSL_NO_TLSEXT
1397 if (serverinfo_types_count)
1399 for (i = 0; i < serverinfo_types_count; i++)
1401 SSL_CTX_set_custom_cli_ext(ctx,
1402 serverinfo_types[i],
1410 if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
1413 SSL_CTX_set_cipher_list(ctx,getenv("SSL_CIPHER"));
1416 SSL_CTX_set_verify(ctx,verify,verify_callback);
1418 if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
1419 (!SSL_CTX_set_default_verify_paths(ctx)))
1421 /* BIO_printf(bio_err,"error setting default verify locations\n"); */
1422 ERR_print_errors(bio_err);
1426 ssl_ctx_add_crls(ctx, crls, crl_download);
1428 if (!set_cert_key_stuff(ctx,cert,key,chain,build_chain))
1431 #ifndef OPENSSL_NO_TLSEXT
1432 if (servername != NULL)
1434 tlsextcbp.biodebug = bio_err;
1435 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
1436 SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
1438 #ifndef OPENSSL_NO_SRP
1439 if (srp_arg.srplogin)
1441 if (!srp_lateuser && !SSL_CTX_set_srp_username(ctx, srp_arg.srplogin))
1443 BIO_printf(bio_err,"Unable to set SRP username\n");
1446 srp_arg.msg = c_msg;
1447 srp_arg.debug = c_debug ;
1448 SSL_CTX_set_srp_cb_arg(ctx,&srp_arg);
1449 SSL_CTX_set_srp_client_pwd_callback(ctx, ssl_give_srp_client_pwd_cb);
1450 SSL_CTX_set_srp_strength(ctx, srp_arg.strength);
1451 if (c_msg || c_debug || srp_arg.amp == 0)
1452 SSL_CTX_set_srp_verify_param_callback(ctx, ssl_srp_verify_param_cb);
1458 SSL_CTX_set_custom_cli_ext(ctx, TLSEXT_TYPE_client_authz, authz_tlsext_generate_cb, authz_tlsext_cb, bio_err);
1459 SSL_CTX_set_custom_cli_ext(ctx, TLSEXT_TYPE_server_authz, authz_tlsext_generate_cb, authz_tlsext_cb, bio_err);
1460 SSL_CTX_set_cli_supp_data(ctx, TLSEXT_SUPPLEMENTALDATATYPE_authz_data, suppdata_cb, auth_suppdata_generate_cb, bio_err);
1468 BIO *stmp = BIO_new_file(sess_in, "r");
1471 BIO_printf(bio_err, "Can't open session file %s\n",
1473 ERR_print_errors(bio_err);
1476 sess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL);
1480 BIO_printf(bio_err, "Can't open session file %s\n",
1482 ERR_print_errors(bio_err);
1485 SSL_set_session(con, sess);
1486 SSL_SESSION_free(sess);
1488 #ifndef OPENSSL_NO_TLSEXT
1489 if (servername != NULL)
1491 if (!SSL_set_tlsext_host_name(con,servername))
1493 BIO_printf(bio_err,"Unable to set TLS servername extension.\n");
1494 ERR_print_errors(bio_err);
1499 #ifndef OPENSSL_NO_KRB5
1500 if (con && (kctx = kssl_ctx_new()) != NULL)
1502 SSL_set0_kssl_ctx(con, kctx);
1503 kssl_ctx_setstring(kctx, KSSL_SERVER, host);
1505 #endif /* OPENSSL_NO_KRB5 */
1506 /* SSL_set_cipher_list(con,"RC4-MD5"); */
1508 #ifdef TLSEXT_TYPE_opaque_prf_input
1509 SSL_set_tlsext_opaque_prf_input(con, "Test client", 11);
1515 if (init_client(&s,host,port,socket_type) == 0)
1517 if ((!unix_path && (init_client(&s,host,port,socket_type) == 0)) ||
1518 (unix_path && (init_client_unix(&s,unix_path) == 0)))
1521 BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
1525 BIO_printf(bio_c_out,"CONNECTED(%08X)\n",s);
1531 BIO_printf(bio_c_out,"turning on non blocking io\n");
1532 if (BIO_socket_ioctl(s,FIONBIO,&l) < 0)
1534 ERR_print_errors(bio_err);
1539 if (c_Pause & 0x01) SSL_set_debug(con, 1);
1541 if (socket_type == SOCK_DGRAM)
1544 sbio=BIO_new_dgram(s,BIO_NOCLOSE);
1545 if (getsockname(s, &peer, (void *)&peerlen) < 0)
1547 BIO_printf(bio_err, "getsockname:errno=%d\n",
1548 get_last_socket_error());
1553 (void)BIO_ctrl_set_connected(sbio, 1, &peer);
1555 if (enable_timeouts)
1558 timeout.tv_usec = DGRAM_RCV_TIMEOUT;
1559 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
1562 timeout.tv_usec = DGRAM_SND_TIMEOUT;
1563 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
1566 if (socket_mtu > 28)
1568 SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
1569 SSL_set_mtu(con, socket_mtu - 28);
1572 /* want to do MTU discovery */
1573 BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
1576 sbio=BIO_new_socket(s,BIO_NOCLOSE);
1582 test=BIO_new(BIO_f_nbio_test());
1583 sbio=BIO_push(test,sbio);
1588 SSL_set_debug(con, 1);
1589 BIO_set_callback(sbio,bio_dump_callback);
1590 BIO_set_callback_arg(sbio,(char *)bio_c_out);
1594 #ifndef OPENSSL_NO_SSL_TRACE
1596 SSL_set_msg_callback(con, SSL_trace);
1599 SSL_set_msg_callback(con, msg_cb);
1600 SSL_set_msg_callback_arg(con, bio_c_msg ? bio_c_msg : bio_c_out);
1602 #ifndef OPENSSL_NO_TLSEXT
1605 SSL_set_tlsext_debug_callback(con, tlsext_cb);
1606 SSL_set_tlsext_debug_arg(con, bio_c_out);
1610 SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp);
1611 SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb);
1612 SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out);
1615 STACK_OF(OCSP_RESPID) *ids = sk_OCSP_RESPID_new_null();
1616 OCSP_RESPID *id = OCSP_RESPID_new();
1617 id->value.byKey = ASN1_OCTET_STRING_new();
1618 id->type = V_OCSP_RESPID_KEY;
1619 ASN1_STRING_set(id->value.byKey, "Hello World", -1);
1620 sk_OCSP_RESPID_push(ids, id);
1621 SSL_set_tlsext_status_ids(con, ids);
1626 #ifndef OPENSSL_NO_JPAKE
1628 jpake_client_auth(bio_c_out, sbio, jpake_secret);
1631 SSL_set_bio(con,sbio,sbio);
1632 SSL_set_connect_state(con);
1634 /* ok, lets connect */
1635 width=SSL_get_fd(con)+1;
1648 /* This is an ugly hack that does a lot of assumptions */
1649 /* We do have to handle multi-line responses which may come
1650 in a single packet or not. We therefore have to use
1651 BIO_gets() which does need a buffering BIO. So during
1652 the initial chitchat we do push a buffering BIO into the
1653 chain that is removed again later on to not disturb the
1654 rest of the s_client operation. */
1655 if (starttls_proto == PROTO_SMTP)
1658 BIO *fbio = BIO_new(BIO_f_buffer());
1659 BIO_push(fbio, sbio);
1660 /* wait for multi-line response to end from SMTP */
1663 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1665 while (mbuf_len>3 && mbuf[3]=='-');
1666 /* STARTTLS command requires EHLO... */
1667 BIO_printf(fbio,"EHLO openssl.client.net\r\n");
1668 (void)BIO_flush(fbio);
1669 /* wait for multi-line response to end EHLO SMTP response */
1672 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1673 if (strstr(mbuf,"STARTTLS"))
1676 while (mbuf_len>3 && mbuf[3]=='-');
1677 (void)BIO_flush(fbio);
1682 "didn't found starttls in server response,"
1683 " try anyway...\n");
1684 BIO_printf(sbio,"STARTTLS\r\n");
1685 BIO_read(sbio,sbuf,BUFSIZZ);
1687 else if (starttls_proto == PROTO_POP3)
1689 BIO_read(sbio,mbuf,BUFSIZZ);
1690 BIO_printf(sbio,"STLS\r\n");
1691 BIO_read(sbio,sbuf,BUFSIZZ);
1693 else if (starttls_proto == PROTO_IMAP)
1696 BIO *fbio = BIO_new(BIO_f_buffer());
1697 BIO_push(fbio, sbio);
1698 BIO_gets(fbio,mbuf,BUFSIZZ);
1699 /* STARTTLS command requires CAPABILITY... */
1700 BIO_printf(fbio,". CAPABILITY\r\n");
1701 (void)BIO_flush(fbio);
1702 /* wait for multi-line CAPABILITY response */
1705 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1706 if (strstr(mbuf,"STARTTLS"))
1709 while (mbuf_len>3 && mbuf[0]!='.');
1710 (void)BIO_flush(fbio);
1715 "didn't found STARTTLS in server response,"
1716 " try anyway...\n");
1717 BIO_printf(sbio,". STARTTLS\r\n");
1718 BIO_read(sbio,sbuf,BUFSIZZ);
1720 else if (starttls_proto == PROTO_FTP)
1722 BIO *fbio = BIO_new(BIO_f_buffer());
1723 BIO_push(fbio, sbio);
1724 /* wait for multi-line response to end from FTP */
1727 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1729 while (mbuf_len>3 && mbuf[3]=='-');
1730 (void)BIO_flush(fbio);
1733 BIO_printf(sbio,"AUTH TLS\r\n");
1734 BIO_read(sbio,sbuf,BUFSIZZ);
1736 if (starttls_proto == PROTO_XMPP)
1739 BIO_printf(sbio,"<stream:stream "
1740 "xmlns:stream='http://etherx.jabber.org/streams' "
1741 "xmlns='jabber:client' to='%s' version='1.0'>", xmpphost ?
1743 seen = BIO_read(sbio,mbuf,BUFSIZZ);
1745 while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'") &&
1746 !strstr(mbuf, "<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\""))
1748 seen = BIO_read(sbio,mbuf,BUFSIZZ);
1755 BIO_printf(sbio, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>");
1756 seen = BIO_read(sbio,sbuf,BUFSIZZ);
1758 if (!strstr(sbuf, "<proceed"))
1768 if ((SSL_version(con) == DTLS1_VERSION) &&
1769 DTLSv1_get_timeout(con, &timeout))
1770 timeoutp = &timeout;
1774 if (SSL_in_init(con) && !SSL_total_renegotiations(con))
1785 #if 0 /* This test doesn't really work as intended (needs to be fixed) */
1786 #ifndef OPENSSL_NO_TLSEXT
1787 if (servername != NULL && !SSL_session_reused(con))
1789 BIO_printf(bio_c_out,"Server did %sacknowledge servername extension.\n",tlsextcbp.ack?"":"not ");
1795 BIO *stmp = BIO_new_file(sess_out, "w");
1798 PEM_write_bio_SSL_SESSION(stmp, SSL_get_session(con));
1802 BIO_printf(bio_err, "Error writing session file %s\n", sess_out);
1807 "CONNECTION ESTABLISHED\n");
1808 print_ssl_summary(bio_err, con);
1810 /*handshake is complete - free the generated supp data allocated in the callback */
1811 if (generated_supp_data)
1813 OPENSSL_free(generated_supp_data);
1814 generated_supp_data = NULL;
1817 print_stuff(bio_c_out,con,full_log);
1818 if (full_log > 0) full_log--;
1822 BIO_printf(bio_err,"%s",mbuf);
1823 /* We don't need to know any more */
1824 starttls_proto = PROTO_OFF;
1830 BIO_printf(bio_c_out,"drop connection and then reconnect\n");
1832 SSL_set_connect_state(con);
1833 SHUTDOWN(SSL_get_fd(con));
1839 ssl_pending = read_ssl && SSL_pending(con);
1843 #if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) && !defined (OPENSSL_SYS_BEOS_R5)
1846 if (read_tty) openssl_fdset(fileno(stdin),&readfds);
1847 if (write_tty) openssl_fdset(fileno(stdout),&writefds);
1850 openssl_fdset(SSL_get_fd(con),&readfds);
1852 openssl_fdset(SSL_get_fd(con),&writefds);
1854 if(!tty_on || !write_tty) {
1856 openssl_fdset(SSL_get_fd(con),&readfds);
1858 openssl_fdset(SSL_get_fd(con),&writefds);
1861 /* printf("mode tty(%d %d%d) ssl(%d%d)\n",
1862 tty_on,read_tty,write_tty,read_ssl,write_ssl);*/
1864 /* Note: under VMS with SOCKETSHR the second parameter
1865 * is currently of type (int *) whereas under other
1866 * systems it is (void *) if you don't have a cast it
1867 * will choke the compiler: if you do have a cast then
1868 * you can either go for (int *) or (void *).
1870 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
1871 /* Under Windows/DOS we make the assumption that we can
1872 * always write to the tty: therefore if we need to
1873 * write to the tty we just fall through. Otherwise
1874 * we timeout the select every second and see if there
1875 * are any keypresses. Note: this is a hack, in a proper
1876 * Windows application we wouldn't do this.
1883 i=select(width,(void *)&readfds,(void *)&writefds,
1885 #if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
1886 if(!i && (!_kbhit() || !read_tty) ) continue;
1888 if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue;
1890 } else i=select(width,(void *)&readfds,(void *)&writefds,
1893 #elif defined(OPENSSL_SYS_NETWARE)
1898 i=select(width,(void *)&readfds,(void *)&writefds,
1900 } else i=select(width,(void *)&readfds,(void *)&writefds,
1903 #elif defined(OPENSSL_SYS_BEOS_R5)
1904 /* Under BeOS-R5 the situation is similar to DOS */
1907 (void)fcntl(fileno(stdin), F_SETFL, O_NONBLOCK);
1912 i=select(width,(void *)&readfds,(void *)&writefds,
1914 if (read(fileno(stdin), sbuf, 0) >= 0)
1916 if (!i && (stdin_set != 1 || !read_tty))
1918 } else i=select(width,(void *)&readfds,(void *)&writefds,
1921 (void)fcntl(fileno(stdin), F_SETFL, 0);
1923 i=select(width,(void *)&readfds,(void *)&writefds,
1928 BIO_printf(bio_err,"bad select %d\n",
1929 get_last_socket_error());
1935 if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0)
1937 BIO_printf(bio_err,"TIMEOUT occurred\n");
1940 if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds))
1942 k=SSL_write(con,&(cbuf[cbuf_off]),
1943 (unsigned int)cbuf_len);
1944 switch (SSL_get_error(con,k))
1946 case SSL_ERROR_NONE:
1949 if (k <= 0) goto end;
1950 /* we have done a write(con,NULL,0); */
1956 else /* if (cbuf_len > 0) */
1962 case SSL_ERROR_WANT_WRITE:
1963 BIO_printf(bio_c_out,"write W BLOCK\n");
1967 case SSL_ERROR_WANT_READ:
1968 BIO_printf(bio_c_out,"write R BLOCK\n");
1973 case SSL_ERROR_WANT_X509_LOOKUP:
1974 BIO_printf(bio_c_out,"write X BLOCK\n");
1976 case SSL_ERROR_ZERO_RETURN:
1979 BIO_printf(bio_c_out,"shutdown\n");
1990 case SSL_ERROR_SYSCALL:
1991 if ((k != 0) || (cbuf_len != 0))
1993 BIO_printf(bio_err,"write:errno=%d\n",
1994 get_last_socket_error());
2004 ERR_print_errors(bio_err);
2008 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
2009 /* Assume Windows/DOS/BeOS can always write */
2010 else if (!ssl_pending && write_tty)
2012 else if (!ssl_pending && FD_ISSET(fileno(stdout),&writefds))
2015 #ifdef CHARSET_EBCDIC
2016 ascii2ebcdic(&(sbuf[sbuf_off]),&(sbuf[sbuf_off]),sbuf_len);
2018 i=raw_write_stdout(&(sbuf[sbuf_off]),sbuf_len);
2022 BIO_printf(bio_c_out,"DONE\n");
2036 else if (ssl_pending || FD_ISSET(SSL_get_fd(con),&readfds))
2039 { static int iiii; if (++iiii == 52) { SSL_renegotiate(con); iiii=0; } }
2042 k=SSL_read(con,sbuf,1024 /* BUFSIZZ */ );
2044 /* Demo for pending and peek :-) */
2045 k=SSL_read(con,sbuf,16);
2047 printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240));
2051 switch (SSL_get_error(con,k))
2053 case SSL_ERROR_NONE:
2062 case SSL_ERROR_WANT_WRITE:
2063 BIO_printf(bio_c_out,"read W BLOCK\n");
2067 case SSL_ERROR_WANT_READ:
2068 BIO_printf(bio_c_out,"read R BLOCK\n");
2071 if ((read_tty == 0) && (write_ssl == 0))
2074 case SSL_ERROR_WANT_X509_LOOKUP:
2075 BIO_printf(bio_c_out,"read X BLOCK\n");
2077 case SSL_ERROR_SYSCALL:
2078 ret=get_last_socket_error();
2080 BIO_puts(bio_err, "CONNECTION CLOSED BY SERVER\n");
2082 BIO_printf(bio_err,"read:errno=%d\n",ret);
2084 case SSL_ERROR_ZERO_RETURN:
2085 BIO_printf(bio_c_out,"closed\n");
2089 ERR_print_errors(bio_err);
2095 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
2096 #if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
2099 else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
2101 #elif defined (OPENSSL_SYS_NETWARE)
2103 #elif defined(OPENSSL_SYS_BEOS_R5)
2106 else if (FD_ISSET(fileno(stdin),&readfds))
2113 i=raw_read_stdin(cbuf,BUFSIZZ/2);
2115 /* both loops are skipped when i <= 0 */
2116 for (j = 0; j < i; j++)
2117 if (cbuf[j] == '\n')
2119 for (j = i-1; j >= 0; j--)
2121 cbuf[j+lf_num] = cbuf[j];
2122 if (cbuf[j] == '\n')
2126 cbuf[j+lf_num] = '\r';
2129 assert(lf_num == 0);
2132 i=raw_read_stdin(cbuf,BUFSIZZ);
2134 if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q')))
2136 BIO_printf(bio_err,"DONE\n");
2141 if ((!c_ign_eof) && (cbuf[0] == 'R'))
2143 BIO_printf(bio_err,"RENEGOTIATING\n");
2144 SSL_renegotiate(con);
2147 #ifndef OPENSSL_NO_HEARTBEATS
2148 else if ((!c_ign_eof) && (cbuf[0] == 'B'))
2150 BIO_printf(bio_err,"HEARTBEATING\n");
2159 #ifdef CHARSET_EBCDIC
2160 ebcdic2ascii(cbuf, cbuf, i);
2172 print_stuff(bio_c_out,con,full_log);
2174 SHUTDOWN(SSL_get_fd(con));
2179 print_stuff(bio_c_out,con,1);
2182 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
2183 if (next_proto.data)
2184 OPENSSL_free(next_proto.data);
2186 if (ctx != NULL) SSL_CTX_free(ctx);
2190 sk_X509_CRL_pop_free(crls, X509_CRL_free);
2194 sk_X509_pop_free(chain, X509_free);
2198 X509_VERIFY_PARAM_free(vpm);
2199 ssl_excert_free(exc);
2201 sk_OPENSSL_STRING_free(ssl_args);
2203 SSL_CONF_CTX_free(cctx);
2204 #ifndef OPENSSL_NO_JPAKE
2205 if (jpake_secret && psk_key)
2206 OPENSSL_free(psk_key);
2208 if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); }
2209 if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); }
2210 if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); }
2211 if (bio_c_out != NULL)
2213 BIO_free(bio_c_out);
2216 if (bio_c_msg != NULL)
2218 BIO_free(bio_c_msg);
/*
 * print_stuff - write a human-readable summary of connection `s` to `bio`.
 *
 * From the calls visible in this listing it prints: the peer certificate
 * chain (subject and issuer per entry), the server certificate, the
 * acceptable client-certificate CA names, the shared cipher list, handshake
 * byte counts, whether the session was reused, the negotiated cipher, the
 * server public key size, secure-renegotiation support, compression,
 * next-protocol / ALPN results, the SRTP profile, the session itself and,
 * when a keying-material label was configured, exported keying material.
 * The BIO is flushed at the end.
 *
 * NOTE(review): this listing omits lines (braces, several declarations and
 * conditions), so the tests on `full` and the exact nesting are not visible
 * here; confirm against the complete file.
 */
2226 static void print_stuff(BIO *bio, SSL *s, int full)
2230 static const char *space=" ";
2233 STACK_OF(X509_NAME) *sk2;
2234 const SSL_CIPHER *c;
2237 #ifndef OPENSSL_NO_COMP
2238 const COMP_METHOD *comp, *expansion;
2240 unsigned char *exportedkeymat;
2244 int got_a_chain = 0;
2246 sk=SSL_get_peer_cert_chain(s);
2249 got_a_chain = 1; /* we don't have it for SSL2 (yet) */
2251 BIO_printf(bio,"---\nCertificate chain\n");
2252 for (i=0; i<sk_X509_num(sk); i++)
/* Subject and issuer text comes from certificates supplied by the peer.
 * X509_NAME_oneline() is bounded by sizeof buf, and the result is printed
 * through a literal "%s" format. */
2254 X509_NAME_oneline(X509_get_subject_name(
2255 sk_X509_value(sk,i)),buf,sizeof buf);
2256 BIO_printf(bio,"%2d s:%s\n",i,buf);
2257 X509_NAME_oneline(X509_get_issuer_name(
2258 sk_X509_value(sk,i)),buf,sizeof buf);
2259 BIO_printf(bio," i:%s\n",buf);
2261 PEM_write_bio_X509(bio,sk_X509_value(sk,i));
2265 BIO_printf(bio,"---\n");
2266 peer=SSL_get_peer_certificate(s);
2269 BIO_printf(bio,"Server certificate\n");
2270 if (!(c_showcerts && got_a_chain)) /* Redundant if we showed the whole chain */
2271 PEM_write_bio_X509(bio,peer);
2272 X509_NAME_oneline(X509_get_subject_name(peer),
2274 BIO_printf(bio,"subject=%s\n",buf);
2275 X509_NAME_oneline(X509_get_issuer_name(peer),
2277 BIO_printf(bio,"issuer=%s\n",buf);
2280 BIO_printf(bio,"no peer certificate available\n");
2282 sk2=SSL_get_client_CA_list(s);
2283 if ((sk2 != NULL) && (sk_X509_NAME_num(sk2) > 0))
2285 BIO_printf(bio,"---\nAcceptable client certificate CA names\n");
2286 for (i=0; i<sk_X509_NAME_num(sk2); i++)
2288 xn=sk_X509_NAME_value(sk2,i);
2289 X509_NAME_oneline(xn,buf,sizeof(buf));
2290 BIO_write(bio,buf,strlen(buf));
2291 BIO_write(bio,"\n",1);
2296 BIO_printf(bio,"---\nNo client certificate CA names sent\n");
2298 p=SSL_get_shared_ciphers(s,buf,sizeof buf);
2301 /* This works only for SSL 2. In later protocol
2302 * versions, the client does not know what other
2303 * ciphers (in addition to the one to be used
2304 * in the current connection) the server supports. */
2306 BIO_printf(bio,"---\nCiphers common between both SSL endpoints:\n");
2312 BIO_write(bio,space,15-j%25);
2315 BIO_write(bio,((i%3)?" ":"\n"),1);
2324 BIO_write(bio,"\n",1);
2327 ssl_print_sigalgs(bio, s);
2328 ssl_print_tmp_key(bio, s);
2330 BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n",
2331 BIO_number_read(SSL_get_rbio(s)),
2332 BIO_number_written(SSL_get_wbio(s)));
/* The format argument below is not a literal, but both alternatives are
 * constant strings without conversion specifiers, so no peer-controlled
 * text is ever interpreted as a format. */
2334 BIO_printf(bio,(SSL_cache_hit(s)?"---\nReused, ":"---\nNew, "));
2335 c=SSL_get_current_cipher(s);
2336 BIO_printf(bio,"%s, Cipher is %s\n",
2337 SSL_CIPHER_get_version(c),
2338 SSL_CIPHER_get_name(c));
/* NOTE(review): X509_get_pubkey() can return NULL (e.g. for a key type the
 * library cannot decode); the result is passed on without a check here. */
2341 pktmp = X509_get_pubkey(peer);
2342 BIO_printf(bio,"Server public key is %d bit\n",
2343 EVP_PKEY_bits(pktmp));
2344 EVP_PKEY_free(pktmp);
2346 BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
2347 SSL_get_secure_renegotiation_support(s) ? "" : " NOT");
2348 #ifndef OPENSSL_NO_COMP
2349 comp=SSL_get_current_compression(s);
2350 expansion=SSL_get_current_expansion(s);
2351 BIO_printf(bio,"Compression: %s\n",
2352 comp ? SSL_COMP_get_name(comp) : "NONE");
2353 BIO_printf(bio,"Expansion: %s\n",
2354 expansion ? SSL_COMP_get_name(expansion) : "NONE");
2359 /* Print out local port of connection: useful for debugging */
2361 struct sockaddr_in ladd;
2362 socklen_t ladd_size = sizeof(ladd);
2363 sock = SSL_get_fd(s);
/* NOTE(review): the getsockname() result is ignored, so on failure the port
 * printed below is read from an uninitialised ladd. */
2364 getsockname(sock, (struct sockaddr *)&ladd, &ladd_size);
2365 BIO_printf(bio_c_out, "LOCAL PORT is %u\n", ntohs(ladd.sin_port));
2369 #if !defined(OPENSSL_NO_TLSEXT)
2370 # if !defined(OPENSSL_NO_NEXTPROTONEG)
2371 if (next_proto.status != -1) {
2372 const unsigned char *proto;
2373 unsigned int proto_len;
2374 SSL_get0_next_proto_negotiated(s, &proto, &proto_len);
2375 BIO_printf(bio, "Next protocol: (%d) ", next_proto.status);
/* The protocol name is length-delimited, not NUL-terminated, hence
 * BIO_write() with proto_len rather than a "%s" print.  The bytes are
 * written unescaped. */
2376 BIO_write(bio, proto, proto_len);
2377 BIO_write(bio, "\n", 1);
2381 const unsigned char *proto;
2382 unsigned int proto_len;
2383 SSL_get0_alpn_selected(s, &proto, &proto_len);
2386 BIO_printf(bio, "ALPN protocol: ");
/* Same raw, length-bounded write as above; the ALPN value is the server's
 * selection and reaches the output unescaped. */
2387 BIO_write(bio, proto, proto_len);
2388 BIO_write(bio, "\n", 1);
2391 BIO_printf(bio, "No ALPN negotiated\n");
2396 SRTP_PROTECTION_PROFILE *srtp_profile=SSL_get_selected_srtp_profile(s);
2399 BIO_printf(bio,"SRTP Extension negotiated, profile=%s\n",
2400 srtp_profile->name);
2403 SSL_SESSION_print(bio,SSL_get_session(s));
2404 if (keymatexportlabel != NULL)
2406 BIO_printf(bio, "Keying material exporter:\n");
2407 BIO_printf(bio, " Label: '%s'\n", keymatexportlabel);
2408 BIO_printf(bio, " Length: %i bytes\n", keymatexportlen);
/* NOTE(review): keymatexportlen is set elsewhere in this file with atoi()
 * and only the value 0 is rejected, so a negative length can reach this
 * allocation and the loop bound below.  A range check where the option is
 * parsed would close that gap. */
2409 exportedkeymat = OPENSSL_malloc(keymatexportlen);
2410 if (exportedkeymat != NULL)
2412 if (!SSL_export_keying_material(s, exportedkeymat,
2415 strlen(keymatexportlabel),
2418 BIO_printf(bio, " Error\n");
2422 BIO_printf(bio, " Keying material: ");
2423 for (i=0; i<keymatexportlen; i++)
2424 BIO_printf(bio, "%02X",
2426 BIO_printf(bio, "\n");
/* NOTE(review): the buffer holds session-derived keying material; no
 * OPENSSL_cleanse() is visible before this free, unlike the cbuf/sbuf/mbuf
 * cleanup elsewhere in this file -- confirm against the complete source. */
2428 OPENSSL_free(exportedkeymat);
2431 BIO_printf(bio,"---\n");
2434 /* flush, or debugging output gets mixed with http response */
2435 (void)BIO_flush(bio);
2438 #ifndef OPENSSL_NO_TLSEXT
/*
 * ocsp_resp_cb - status callback that prints the stapled OCSP response.
 *
 * `arg` is used as the output BIO; in this file the callback argument is
 * registered with SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out).  The
 * visible lines fetch the response with SSL_get_tlsext_status_ocsp_resp(),
 * report "no response sent" or a parse error, and otherwise pretty-print
 * the decoded response.
 *
 * NOTE(review): nothing visible here verifies the response signature or
 * inspects the certificate status; as far as this listing shows the
 * callback is display-only, so the printed response is not evidence that
 * revocation was checked.  The return statements are not visible in this
 * listing; confirm what value is handed back to the library.
 */
2440 static int ocsp_resp_cb(SSL *s, void *arg)
2442 const unsigned char *p;
2445 len = SSL_get_tlsext_status_ocsp_resp(s, &p);
2446 BIO_puts(arg, "OCSP response: ");
2449 BIO_puts(arg, "no response sent\n");
/* Decode the DER bytes supplied by the server. */
2452 rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
/* On a parse failure the raw bytes are hex-dumped for diagnosis. */
2455 BIO_puts(arg, "response parse error\n");
2456 BIO_dump_indent(arg, (char *)p, len, 4);
2459 BIO_puts(arg, "\n======================================\n");
2460 OCSP_RESPONSE_print(arg, rsp, 0);
2461 BIO_puts(arg, "======================================\n");
2462 OCSP_RESPONSE_free(rsp);
/*
 * authz_tlsext_cb - receive callback for the client_authz / server_authz
 * custom extensions (registered with SSL_CTX_set_custom_cli_ext() in this
 * file).
 *
 * For each of the two extension types it sets a file-level flag
 * (server_provided_server_authz / server_provided_client_authz) to whether
 * the byte TLSEXT_AUTHZDATAFORMAT_dtcp occurs anywhere in the `inlen` bytes
 * at `in`.
 *
 * NOTE(review): memchr() is a plain byte search over server-supplied data;
 * the payload is not parsed as a format list, so a byte with that value in
 * any position sets the flag.  Whether `in` may be NULL when inlen is 0 is
 * not visible here -- confirm against the library's callback contract.
 * The last parameter line and the return statement are not visible in this
 * listing.
 */
2466 static int authz_tlsext_cb(SSL *s, unsigned short ext_type,
2467 const unsigned char *in,
2468 unsigned short inlen, int *al,
2471 if (TLSEXT_TYPE_server_authz == ext_type)
2472 server_provided_server_authz
2473 = (memchr(in, TLSEXT_AUTHZDATAFORMAT_dtcp, inlen) != NULL);
2475 if (TLSEXT_TYPE_client_authz == ext_type)
2476 server_provided_client_authz
2477 = (memchr(in, TLSEXT_AUTHZDATAFORMAT_dtcp, inlen) != NULL);
/*
 * authz_tlsext_generate_cb - generate callback for the authz custom
 * extensions (registered with SSL_CTX_set_custom_cli_ext() in this file).
 *
 * When the renegotiation condition below holds, *out is pointed at the
 * file-level auth_ext_data buffer; otherwise the "no auth extension to
 * send" path is taken.
 *
 * NOTE(review): lines are missing from this listing (the rest of the
 * parameter list, any outer condition, the *outlen assignment and the
 * return values), so the full contract cannot be stated from here.
 */
2482 static int authz_tlsext_generate_cb(SSL *s, unsigned short ext_type,
2483 const unsigned char **out, unsigned short *outlen,
2488 /*if auth_require_reneg flag is set, only send extensions if
2489 renegotiation has occurred */
/* Logically equivalent to: !c_auth_require_reneg || SSL_num_renegotiations(s) */
2490 if (!c_auth_require_reneg || (c_auth_require_reneg && SSL_num_renegotiations(s)))
/* *out aliases the static buffer; nothing is allocated on this path. */
2492 *out = auth_ext_data;
2497 /* no auth extension to send */
/*
 * suppdata_cb - receive callback for supplemental data (registered with
 * SSL_CTX_set_cli_supp_data() in this file).
 *
 * For the authz_data type it records the incoming pointer and length in the
 * file-level variables most_recent_supplemental_data and
 * most_recent_supplemental_data_length.
 *
 * NOTE(review): the pointer is stored, not copied.  Whether the buffer at
 * `in` stays valid after the callback returns is not visible here; any
 * later read through most_recent_supplemental_data depends on that
 * lifetime -- confirm against the library.  The last parameter line and
 * the return statement are not visible in this listing.
 */
2501 static int suppdata_cb(SSL *s, unsigned short supp_data_type,
2502 const unsigned char *in,
2503 unsigned short inlen, int *al,
2506 if (supp_data_type == TLSEXT_SUPPLEMENTALDATATYPE_authz_data)
2508 most_recent_supplemental_data = in;
2509 most_recent_supplemental_data_length = inlen;
/*
 * auth_suppdata_generate_cb - generate callback for supplemental data
 * (registered with SSL_CTX_set_cli_supp_data() in this file).
 *
 * When c_auth is set and the server advertised both authz extensions (the
 * two server_provided_* flags), and the renegotiation condition holds, it
 * allocates a 10-byte buffer, fills it with the fixed bytes "5432154321"
 * and hands it back through *out.  The buffer is kept in the file-level
 * generated_supp_data, which main() frees once the handshake is complete.
 *
 * NOTE(review): the *outlen assignment and the return statements are not
 * visible in this listing.
 */
2514 static int auth_suppdata_generate_cb(SSL *s, unsigned short supp_data_type,
2515 const unsigned char **out,
2516 unsigned short *outlen, int *al, void *arg)
2518 if (c_auth && server_provided_client_authz && server_provided_server_authz)
2520 /*if auth_require_reneg flag is set, only send supplemental data if
2521 renegotiation has occurred */
2522 if (!c_auth_require_reneg
2523 || (c_auth_require_reneg && SSL_num_renegotiations(s)))
/* NOTE(review): the OPENSSL_malloc() result is used by memcpy() on the very
 * next line without a NULL check; an allocation failure would be a NULL
 * write.  The assignment also overwrites any previous generated_supp_data
 * value, so a second call before the free in main() would presumably leak
 * the earlier buffer -- confirm. */
2525 generated_supp_data = OPENSSL_malloc(10);
2526 memcpy(generated_supp_data, "5432154321", 10);
2527 *out = generated_supp_data;
2532 /* no supplemental data to send */