RT3548: Remove some obsolete platforms
[openssl.git] / apps / s_client.c
1 /* apps/s_client.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111 /* ====================================================================
112  * Copyright 2005 Nokia. All rights reserved.
113  *
114  * The portions of the attached software ("Contribution") is developed by
115  * Nokia Corporation and is licensed pursuant to the OpenSSL open source
116  * license.
117  *
118  * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119  * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120  * support (see RFC 4279) to OpenSSL.
121  *
122  * No patent licenses or other rights except those expressly stated in
123  * the OpenSSL open source license shall be deemed granted or received
124  * expressly, by implication, estoppel, or otherwise.
125  *
126  * No assurances are provided by Nokia that the Contribution does not
127  * infringe the patent or other intellectual property rights of any third
128  * party or that the license provides you with all the necessary rights
129  * to make use of the Contribution.
130  *
131  * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132  * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133  * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134  * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
135  * OTHERWISE.
136  */
137
138 #include <assert.h>
139 #include <ctype.h>
140 #include <stdio.h>
141 #include <stdlib.h>
142 #include <string.h>
143 #include <openssl/e_os2.h>
144 #ifdef OPENSSL_NO_STDIO
145 #define APPS_WIN16
146 #endif
147
148 /* With IPv6, it looks like Digital has mixed up the proper order of
149    recursive header file inclusion, resulting in the compiler complaining
150    that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which
151    is needed to have fileno() declared correctly...  So let's define u_int */
152 #if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
153 #define __U_INT
154 typedef unsigned int u_int;
155 #endif
156
157 #define USE_SOCKETS
158 #include "apps.h"
159 #include <openssl/x509.h>
160 #include <openssl/ssl.h>
161 #include <openssl/err.h>
162 #include <openssl/pem.h>
163 #include <openssl/rand.h>
164 #include <openssl/ocsp.h>
165 #include <openssl/bn.h>
166 #ifndef OPENSSL_NO_SRP
167 #include <openssl/srp.h>
168 #endif
169 #include "s_apps.h"
170 #include "timeouts.h"
171
172 #if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
173 /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
174 #undef FIONBIO
175 #endif
176
177 #undef PROG
178 #define PROG    s_client_main
179
180 /*#define SSL_HOST_NAME "www.netscape.com" */
181 /*#define SSL_HOST_NAME "193.118.187.102" */
182 #define SSL_HOST_NAME   "localhost"
183
184 /*#define TEST_CERT "client.pem" */ /* no default cert. */
185
186 #undef BUFSIZZ
187 #define BUFSIZZ 1024*8
188
189 extern int verify_depth;
190 extern int verify_error;
191 extern int verify_return_error;
192 extern int verify_quiet;
193
194 #ifdef FIONBIO
195 static int c_nbio=0;
196 #endif
197 static int c_Pause=0;
198 static int c_debug=0;
199 #ifndef OPENSSL_NO_TLSEXT
200 static int c_tlsextdebug=0;
201 static int c_status_req=0;
202 #endif
203 static int c_msg=0;
204 static int c_showcerts=0;
205
206 static char *keymatexportlabel=NULL;
207 static int keymatexportlen=20;
208
209 static void sc_usage(void);
210 static void print_stuff(BIO *berr,SSL *con,int full);
211 #ifndef OPENSSL_NO_TLSEXT
212 static int ocsp_resp_cb(SSL *s, void *arg);
213 #endif
214 static BIO *bio_c_out=NULL;
215 static BIO *bio_c_msg=NULL;
216 static int c_quiet=0;
217 static int c_ign_eof=0;
218 static int c_brief=0;
219
220 #ifndef OPENSSL_NO_PSK
221 /* Default PSK identity and key */
222 static char *psk_identity="Client_identity";
223 /*char *psk_key=NULL;  by default PSK is not used */
224
225 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity,
226         unsigned int max_identity_len, unsigned char *psk,
227         unsigned int max_psk_len)
228         {
229         unsigned int psk_len = 0;
230         int ret;
231         BIGNUM *bn=NULL;
232
233         if (c_debug)
234                 BIO_printf(bio_c_out, "psk_client_cb\n");
235         if (!hint)
236                 {
237                 /* no ServerKeyExchange message*/
238                 if (c_debug)
239                         BIO_printf(bio_c_out,"NULL received PSK identity hint, continuing anyway\n");
240                 }
241         else if (c_debug)
242                 BIO_printf(bio_c_out, "Received PSK identity hint '%s'\n", hint);
243
244         /* lookup PSK identity and PSK key based on the given identity hint here */
245         ret = BIO_snprintf(identity, max_identity_len, "%s", psk_identity);
246         if (ret < 0 || (unsigned int)ret > max_identity_len)
247                 goto out_err;
248         if (c_debug)
249                 BIO_printf(bio_c_out, "created identity '%s' len=%d\n", identity, ret);
250         ret=BN_hex2bn(&bn, psk_key);
251         if (!ret)
252                 {
253                 BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", psk_key);
254                 if (bn)
255                         BN_free(bn);
256                 return 0;
257                 }
258
259         if ((unsigned int)BN_num_bytes(bn) > max_psk_len)
260                 {
261                 BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
262                         max_psk_len, BN_num_bytes(bn));
263                 BN_free(bn);
264                 return 0;
265                 }
266
267         psk_len=BN_bn2bin(bn, psk);
268         BN_free(bn);
269         if (psk_len == 0)
270                 goto out_err;
271
272         if (c_debug)
273                 BIO_printf(bio_c_out, "created PSK len=%d\n", psk_len);
274
275         return psk_len;
276  out_err:
277         if (c_debug)
278                 BIO_printf(bio_err, "Error in PSK client callback\n");
279         return 0;
280         }
281 #endif
282
283 static void sc_usage(void)
284         {
285         BIO_printf(bio_err,"usage: s_client args\n");
286         BIO_printf(bio_err,"\n");
287         BIO_printf(bio_err," -host host     - use -connect instead\n");
288         BIO_printf(bio_err," -port port     - use -connect instead\n");
289         BIO_printf(bio_err," -connect host:port - connect over TCP/IP (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR);
290         BIO_printf(bio_err," -unix path    - connect over unix domain sockets\n");
291         BIO_printf(bio_err," -verify arg   - turn on peer certificate verification\n");
292         BIO_printf(bio_err," -verify_return_error - return verification errors\n");
293         BIO_printf(bio_err," -cert arg     - certificate file to use, PEM format assumed\n");
294         BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n");
295         BIO_printf(bio_err," -key arg      - Private key file to use, in cert file if\n");
296         BIO_printf(bio_err,"                 not specified but cert file is.\n");
297         BIO_printf(bio_err," -keyform arg  - key format (PEM or DER) PEM default\n");
298         BIO_printf(bio_err," -pass arg     - private key file pass phrase source\n");
299         BIO_printf(bio_err," -CApath arg   - PEM format directory of CA's\n");
300         BIO_printf(bio_err," -CAfile arg   - PEM format file of CA's\n");
301         BIO_printf(bio_err," -trusted_first - Use local CA's first when building trust chain\n");
302         BIO_printf(bio_err," -reconnect    - Drop and re-make the connection with the same Session-ID\n");
303         BIO_printf(bio_err," -pause        - sleep(1) after each read(2) and write(2) system call\n");
304         BIO_printf(bio_err," -prexit       - print session information even on connection failure\n");
305         BIO_printf(bio_err," -showcerts    - show all certificates in the chain\n");
306         BIO_printf(bio_err," -debug        - extra output\n");
307 #ifdef WATT32
308         BIO_printf(bio_err," -wdebug       - WATT-32 tcp debugging\n");
309 #endif
310         BIO_printf(bio_err," -msg          - Show protocol messages\n");
311         BIO_printf(bio_err," -nbio_test    - more ssl protocol testing\n");
312         BIO_printf(bio_err," -state        - print the 'ssl' states\n");
313 #ifdef FIONBIO
314         BIO_printf(bio_err," -nbio         - Run with non-blocking IO\n");
315 #endif
316         BIO_printf(bio_err," -crlf         - convert LF from terminal into CRLF\n");
317         BIO_printf(bio_err," -quiet        - no s_client output\n");
318         BIO_printf(bio_err," -ign_eof      - ignore input eof (default when -quiet)\n");
319         BIO_printf(bio_err," -no_ign_eof   - don't ignore input eof\n");
320 #ifndef OPENSSL_NO_PSK
321         BIO_printf(bio_err," -psk_identity arg - PSK identity\n");
322         BIO_printf(bio_err," -psk arg      - PSK in hex (without 0x)\n");
323 # ifndef OPENSSL_NO_JPAKE
324         BIO_printf(bio_err," -jpake arg    - JPAKE secret to use\n");
325 # endif
326 #endif
327 #ifndef OPENSSL_NO_SRP
328         BIO_printf(bio_err," -srpuser user     - SRP authentification for 'user'\n");
329         BIO_printf(bio_err," -srppass arg      - password for 'user'\n");
330         BIO_printf(bio_err," -srp_lateuser     - SRP username into second ClientHello message\n");
331         BIO_printf(bio_err," -srp_moregroups   - Tolerate other than the known g N values.\n");
332         BIO_printf(bio_err," -srp_strength int - minimal mength in bits for N (default %d).\n",SRP_MINIMAL_N);
333 #endif
334 #ifndef OPENSSL_NO_SSL3_METHOD
335         BIO_printf(bio_err," -ssl3         - just use SSLv3\n");
336 #endif
337         BIO_printf(bio_err," -tls1_2       - just use TLSv1.2\n");
338         BIO_printf(bio_err," -tls1_1       - just use TLSv1.1\n");
339         BIO_printf(bio_err," -tls1         - just use TLSv1\n");
340         BIO_printf(bio_err," -dtls1        - just use DTLSv1\n");    
341         BIO_printf(bio_err," -fallback_scsv - send TLS_FALLBACK_SCSV\n");
342         BIO_printf(bio_err," -mtu          - set the link layer MTU\n");
343         BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3 - turn off that protocol\n");
344         BIO_printf(bio_err," -bugs         - Switch on all SSL implementation bug workarounds\n");
345         BIO_printf(bio_err," -cipher       - preferred cipher to use, use the 'openssl ciphers'\n");
346         BIO_printf(bio_err,"                 command to see what is available\n");
347         BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n");
348         BIO_printf(bio_err,"                 for those protocols that support it, where\n");
349         BIO_printf(bio_err,"                 'prot' defines which one to assume.  Currently,\n");
350         BIO_printf(bio_err,"                 only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
351         BIO_printf(bio_err,"                 are supported.\n");
352         BIO_printf(bio_err," -xmpphost host - When used with \"-starttls xmpp\" specifies the virtual host.\n");
353 #ifndef OPENSSL_NO_ENGINE
354         BIO_printf(bio_err," -engine id    - Initialise and use the specified engine\n");
355 #endif
356         BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
357         BIO_printf(bio_err," -sess_out arg - file to write SSL session to\n");
358         BIO_printf(bio_err," -sess_in arg  - file to read SSL session from\n");
359 #ifndef OPENSSL_NO_TLSEXT
360         BIO_printf(bio_err," -servername host  - Set TLS extension servername in ClientHello\n");
361         BIO_printf(bio_err," -tlsextdebug      - hex dump of all TLS extensions received\n");
362         BIO_printf(bio_err," -status           - request certificate status from server\n");
363         BIO_printf(bio_err," -no_ticket        - disable use of RFC4507bis session tickets\n");
364         BIO_printf(bio_err," -serverinfo types - send empty ClientHello extensions (comma-separated numbers)\n");
365 # ifndef OPENSSL_NO_NEXTPROTONEG
366         BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
367 # endif
368         BIO_printf(bio_err," -alpn arg         - enable ALPN extension, considering named protocols supported (comma-separated list)\n");
369 #endif
370         BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
371         BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
372         BIO_printf(bio_err," -keymatexport label   - Export keying material using label\n");
373         BIO_printf(bio_err," -keymatexportlen len  - Export len bytes of keying material (default 20)\n");
374         }
375
376 #ifndef OPENSSL_NO_TLSEXT
377
378 /* This is a context that we pass to callbacks */
379 typedef struct tlsextctx_st {
380    BIO * biodebug;
381    int ack;
382 } tlsextctx;
383
384
385 static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
386         {
387         tlsextctx * p = (tlsextctx *) arg;
388         const char * hn= SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
389         if (SSL_get_servername_type(s) != -1) 
390                 p->ack = !SSL_session_reused(s) && hn != NULL;
391         else 
392                 BIO_printf(bio_err,"Can't use SSL_get_servername\n");
393         
394         return SSL_TLSEXT_ERR_OK;
395         }
396
397 #ifndef OPENSSL_NO_SRP
398
399 /* This is a context that we pass to all callbacks */
400 typedef struct srp_arg_st
401         {
402         char *srppassin;
403         char *srplogin;
404         int msg;   /* copy from c_msg */
405         int debug; /* copy from c_debug */
406         int amp;   /* allow more groups */
407         int strength /* minimal size for N */ ;
408         } SRP_ARG;
409
410 #define SRP_NUMBER_ITERATIONS_FOR_PRIME 64
411
412 static int srp_Verify_N_and_g(const BIGNUM *N, const BIGNUM *g)
413         {
414         BN_CTX *bn_ctx = BN_CTX_new();
415         BIGNUM *p = BN_new();
416         BIGNUM *r = BN_new();
417         int ret =
418                 g != NULL && N != NULL && bn_ctx != NULL && BN_is_odd(N) &&
419                 BN_is_prime_ex(N, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
420                 p != NULL && BN_rshift1(p, N) &&
421
422                 /* p = (N-1)/2 */
423                 BN_is_prime_ex(p, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
424                 r != NULL &&
425
426                 /* verify g^((N-1)/2) == -1 (mod N) */
427                 BN_mod_exp(r, g, p, N, bn_ctx) &&
428                 BN_add_word(r, 1) &&
429                 BN_cmp(r, N) == 0;
430
431         if(r)
432                 BN_free(r);
433         if(p)
434                 BN_free(p);
435         if(bn_ctx)
436                 BN_CTX_free(bn_ctx);
437         return ret;
438         }
439
440 /* This callback is used here for two purposes:
441    - extended debugging
442    - making some primality tests for unknown groups
443    The callback is only called for a non default group.
444
445    An application does not need the call back at all if
446    only the stanard groups are used.  In real life situations, 
447    client and server already share well known groups, 
448    thus there is no need to verify them. 
449    Furthermore, in case that a server actually proposes a group that
450    is not one of those defined in RFC 5054, it is more appropriate 
451    to add the group to a static list and then compare since 
452    primality tests are rather cpu consuming.
453 */
454
455 static int MS_CALLBACK ssl_srp_verify_param_cb(SSL *s, void *arg)
456         {
457         SRP_ARG *srp_arg = (SRP_ARG *)arg;
458         BIGNUM *N = NULL, *g = NULL;
459         if (!(N = SSL_get_srp_N(s)) || !(g = SSL_get_srp_g(s)))
460                 return 0;
461         if (srp_arg->debug || srp_arg->msg || srp_arg->amp == 1)
462                 {
463                 BIO_printf(bio_err, "SRP parameters:\n"); 
464                 BIO_printf(bio_err,"\tN="); BN_print(bio_err,N);
465                 BIO_printf(bio_err,"\n\tg="); BN_print(bio_err,g);
466                 BIO_printf(bio_err,"\n");
467                 }
468
469         if (SRP_check_known_gN_param(g,N))
470                 return 1;
471
472         if (srp_arg->amp == 1)
473                 {
474                 if (srp_arg->debug)
475                         BIO_printf(bio_err, "SRP param N and g are not known params, going to check deeper.\n");
476
477 /* The srp_moregroups is a real debugging feature.
478    Implementors should rather add the value to the known ones.
479    The minimal size has already been tested.
480 */
481                 if (BN_num_bits(g) <= BN_BITS && srp_Verify_N_and_g(N,g))
482                         return 1;
483                 }       
484         BIO_printf(bio_err, "SRP param N and g rejected.\n");
485         return 0;
486         }
487
488 #define PWD_STRLEN 1024
489
490 static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
491         {
492         SRP_ARG *srp_arg = (SRP_ARG *)arg;
493         char *pass = (char *)OPENSSL_malloc(PWD_STRLEN+1);
494         PW_CB_DATA cb_tmp;
495         int l;
496
497         cb_tmp.password = (char *)srp_arg->srppassin;
498         cb_tmp.prompt_info = "SRP user";
499         if ((l = password_callback(pass, PWD_STRLEN, 0, &cb_tmp))<0)
500                 {
501                 BIO_printf (bio_err, "Can't read Password\n");
502                 OPENSSL_free(pass);
503                 return NULL;
504                 }
505         *(pass+l)= '\0';
506
507         return pass;
508         }
509
510 #endif
511         char *srtp_profiles = NULL;
512
513 # ifndef OPENSSL_NO_NEXTPROTONEG
514 /* This the context that we pass to next_proto_cb */
515 typedef struct tlsextnextprotoctx_st {
516         unsigned char *data;
517         unsigned short len;
518         int status;
519 } tlsextnextprotoctx;
520
521 static tlsextnextprotoctx next_proto;
522
523 static int next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg)
524         {
525         tlsextnextprotoctx *ctx = arg;
526
527         if (!c_quiet)
528                 {
529                 /* We can assume that |in| is syntactically valid. */
530                 unsigned i;
531                 BIO_printf(bio_c_out, "Protocols advertised by server: ");
532                 for (i = 0; i < inlen; )
533                         {
534                         if (i)
535                                 BIO_write(bio_c_out, ", ", 2);
536                         BIO_write(bio_c_out, &in[i + 1], in[i]);
537                         i += in[i] + 1;
538                         }
539                 BIO_write(bio_c_out, "\n", 1);
540                 }
541
542         ctx->status = SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len);
543         return SSL_TLSEXT_ERR_OK;
544         }
545 # endif  /* ndef OPENSSL_NO_NEXTPROTONEG */
546
547 static int serverinfo_cli_parse_cb(SSL* s, unsigned int ext_type,
548                                    const unsigned char* in, size_t inlen, 
549                                    int* al, void* arg)
550         {
551         char pem_name[100];
552         unsigned char ext_buf[4 + 65536];
553
554         /* Reconstruct the type/len fields prior to extension data */
555         ext_buf[0] = ext_type >> 8;
556         ext_buf[1] = ext_type & 0xFF;
557         ext_buf[2] = inlen >> 8;
558         ext_buf[3] = inlen & 0xFF;
559         memcpy(ext_buf+4, in, inlen);
560
561         BIO_snprintf(pem_name, sizeof(pem_name), "SERVERINFO FOR EXTENSION %d",
562                      ext_type);
563         PEM_write_bio(bio_c_out, pem_name, "", ext_buf, 4 + inlen);
564         return 1;
565         }
566
567 #endif
568
569 enum
570 {
571         PROTO_OFF       = 0,
572         PROTO_SMTP,
573         PROTO_POP3,
574         PROTO_IMAP,
575         PROTO_FTP,
576         PROTO_XMPP
577 };
578
579 int MAIN(int, char **);
580
581 int MAIN(int argc, char **argv)
582         {
583         int build_chain = 0;
584         SSL *con=NULL;
585 #ifndef OPENSSL_NO_KRB5
586         KSSL_CTX *kctx;
587 #endif
588         int s,k,width,state=0;
589         char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL;
590         int cbuf_len,cbuf_off;
591         int sbuf_len,sbuf_off;
592         fd_set readfds,writefds;
593         short port=PORT;
594         int full_log=1;
595         char *host=SSL_HOST_NAME;
596         const char *unix_path = NULL;
597         char *xmpphost = NULL;
598         char *cert_file=NULL,*key_file=NULL,*chain_file=NULL;
599         int cert_format = FORMAT_PEM, key_format = FORMAT_PEM;
600         char *passarg = NULL, *pass = NULL;
601         X509 *cert = NULL;
602         EVP_PKEY *key = NULL;
603         STACK_OF(X509) *chain = NULL;
604         char *CApath=NULL,*CAfile=NULL;
605         char *chCApath=NULL,*chCAfile=NULL;
606         char *vfyCApath=NULL,*vfyCAfile=NULL;
607         int reconnect=0,badop=0,verify=SSL_VERIFY_NONE;
608         int crlf=0;
609         int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending;
610         SSL_CTX *ctx=NULL;
611         int ret=1,in_init=1,i,nbio_test=0;
612         int starttls_proto = PROTO_OFF;
613         int prexit = 0;
614         X509_VERIFY_PARAM *vpm = NULL;
615         int badarg = 0;
616         const SSL_METHOD *meth=NULL;
617         int socket_type=SOCK_STREAM;
618         BIO *sbio;
619         char *inrand=NULL;
620         int mbuf_len=0;
621         struct timeval timeout, *timeoutp;
622 #ifndef OPENSSL_NO_ENGINE
623         char *engine_id=NULL;
624         char *ssl_client_engine_id=NULL;
625         ENGINE *ssl_client_engine=NULL;
626 #endif
627         ENGINE *e=NULL;
628 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
629         struct timeval tv;
630 #endif
631 #ifndef OPENSSL_NO_TLSEXT
632         char *servername = NULL; 
633         tlsextctx tlsextcbp = 
634         {NULL,0};
635 # ifndef OPENSSL_NO_NEXTPROTONEG
636         const char *next_proto_neg_in = NULL;
637 # endif
638         const char *alpn_in = NULL;
639 # define MAX_SI_TYPES 100
640         unsigned short serverinfo_types[MAX_SI_TYPES];
641         int serverinfo_types_count = 0;
642 #endif
643         char *sess_in = NULL;
644         char *sess_out = NULL;
645         struct sockaddr peer;
646         int peerlen = sizeof(peer);
647         int fallback_scsv = 0;
648         int enable_timeouts = 0 ;
649         long socket_mtu = 0;
650 #ifndef OPENSSL_NO_JPAKE
651 static char *jpake_secret = NULL;
652 #define no_jpake !jpake_secret
653 #else
654 #define no_jpake 1
655 #endif
656 #ifndef OPENSSL_NO_SRP
657         char * srppass = NULL;
658         int srp_lateuser = 0;
659         SRP_ARG srp_arg = {NULL,NULL,0,0,0,1024};
660 #endif
661         SSL_EXCERT *exc = NULL;
662
663         SSL_CONF_CTX *cctx = NULL;
664         STACK_OF(OPENSSL_STRING) *ssl_args = NULL;
665
666         char *crl_file = NULL;
667         int crl_format = FORMAT_PEM;
668         int crl_download = 0;
669         STACK_OF(X509_CRL) *crls = NULL;
670         int sdebug = 0;
671
672         meth=SSLv23_client_method();
673
674         apps_startup();
675         c_Pause=0;
676         c_quiet=0;
677         c_ign_eof=0;
678         c_debug=0;
679         c_msg=0;
680         c_showcerts=0;
681
682         if (bio_err == NULL)
683                 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
684
685         if (!load_config(bio_err, NULL))
686                 goto end;
687         cctx = SSL_CONF_CTX_new();
688         if (!cctx)
689                 goto end;
690         SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT);
691         SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CMDLINE);
692
693         if (    ((cbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
694                 ((sbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
695                 ((mbuf=OPENSSL_malloc(BUFSIZZ)) == NULL))
696                 {
697                 BIO_printf(bio_err,"out of memory\n");
698                 goto end;
699                 }
700
701         verify_depth=0;
702         verify_error=X509_V_OK;
703 #ifdef FIONBIO
704         c_nbio=0;
705 #endif
706
707         argc--;
708         argv++;
709         while (argc >= 1)
710                 {
711                 if      (strcmp(*argv,"-host") == 0)
712                         {
713                         if (--argc < 1) goto bad;
714                         host= *(++argv);
715                         }
716                 else if (strcmp(*argv,"-port") == 0)
717                         {
718                         if (--argc < 1) goto bad;
719                         port=atoi(*(++argv));
720                         if (port == 0) goto bad;
721                         }
722                 else if (strcmp(*argv,"-connect") == 0)
723                         {
724                         if (--argc < 1) goto bad;
725                         if (!extract_host_port(*(++argv),&host,NULL,&port))
726                                 goto bad;
727                         }
728                 else if (strcmp(*argv,"-unix") == 0)
729                         {
730                         if (--argc < 1) goto bad;
731                         unix_path = *(++argv);
732                         }
733                 else if (strcmp(*argv,"-xmpphost") == 0)
734                         {
735                         if (--argc < 1) goto bad;
736                         xmpphost= *(++argv);
737                         }
738                 else if (strcmp(*argv,"-verify") == 0)
739                         {
740                         verify=SSL_VERIFY_PEER;
741                         if (--argc < 1) goto bad;
742                         verify_depth=atoi(*(++argv));
743                         if (!c_quiet)
744                                 BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
745                         }
746                 else if (strcmp(*argv,"-cert") == 0)
747                         {
748                         if (--argc < 1) goto bad;
749                         cert_file= *(++argv);
750                         }
751                 else if (strcmp(*argv,"-CRL") == 0)
752                         {
753                         if (--argc < 1) goto bad;
754                         crl_file= *(++argv);
755                         }
756                 else if (strcmp(*argv,"-crl_download") == 0)
757                         crl_download = 1;
758                 else if (strcmp(*argv,"-sess_out") == 0)
759                         {
760                         if (--argc < 1) goto bad;
761                         sess_out = *(++argv);
762                         }
763                 else if (strcmp(*argv,"-sess_in") == 0)
764                         {
765                         if (--argc < 1) goto bad;
766                         sess_in = *(++argv);
767                         }
768                 else if (strcmp(*argv,"-certform") == 0)
769                         {
770                         if (--argc < 1) goto bad;
771                         cert_format = str2fmt(*(++argv));
772                         }
773                 else if (strcmp(*argv,"-CRLform") == 0)
774                         {
775                         if (--argc < 1) goto bad;
776                         crl_format = str2fmt(*(++argv));
777                         }
778                 else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
779                         {
780                         if (badarg)
781                                 goto bad;
782                         continue;
783                         }
784                 else if (strcmp(*argv,"-verify_return_error") == 0)
785                         verify_return_error = 1;
786                 else if (strcmp(*argv,"-verify_quiet") == 0)
787                         verify_quiet = 1;
788                 else if (strcmp(*argv,"-brief") == 0)
789                         {
790                         c_brief = 1;
791                         verify_quiet = 1;
792                         c_quiet = 1;
793                         }
794                 else if (args_excert(&argv, &argc, &badarg, bio_err, &exc))
795                         {
796                         if (badarg)
797                                 goto bad;
798                         continue;
799                         }
800                 else if (args_ssl(&argv, &argc, cctx, &badarg, bio_err, &ssl_args))
801                         {
802                         if (badarg)
803                                 goto bad;
804                         continue;
805                         }
806                 else if (strcmp(*argv,"-prexit") == 0)
807                         prexit=1;
808                 else if (strcmp(*argv,"-crlf") == 0)
809                         crlf=1;
810                 else if (strcmp(*argv,"-quiet") == 0)
811                         {
812                         c_quiet=1;
813                         c_ign_eof=1;
814                         }
815                 else if (strcmp(*argv,"-ign_eof") == 0)
816                         c_ign_eof=1;
817                 else if (strcmp(*argv,"-no_ign_eof") == 0)
818                         c_ign_eof=0;
819                 else if (strcmp(*argv,"-pause") == 0)
820                         c_Pause=1;
821                 else if (strcmp(*argv,"-debug") == 0)
822                         c_debug=1;
823 #ifndef OPENSSL_NO_TLSEXT
824                 else if (strcmp(*argv,"-tlsextdebug") == 0)
825                         c_tlsextdebug=1;
826                 else if (strcmp(*argv,"-status") == 0)
827                         c_status_req=1;
828 #endif
829 #ifdef WATT32
830                 else if (strcmp(*argv,"-wdebug") == 0)
831                         dbug_init();
832 #endif
833                 else if (strcmp(*argv,"-msg") == 0)
834                         c_msg=1;
835                 else if (strcmp(*argv,"-msgfile") == 0)
836                         {
837                         if (--argc < 1) goto bad;
838                         bio_c_msg = BIO_new_file(*(++argv), "w");
839                         }
840 #ifndef OPENSSL_NO_SSL_TRACE
841                 else if (strcmp(*argv,"-trace") == 0)
842                         c_msg=2;
843 #endif
844                 else if (strcmp(*argv,"-security_debug") == 0)
845                         { sdebug=1; }
846                 else if (strcmp(*argv,"-security_debug_verbose") == 0)
847                         { sdebug=2; }
848                 else if (strcmp(*argv,"-showcerts") == 0)
849                         c_showcerts=1;
850                 else if (strcmp(*argv,"-nbio_test") == 0)
851                         nbio_test=1;
852                 else if (strcmp(*argv,"-state") == 0)
853                         state=1;
854 #ifndef OPENSSL_NO_PSK
855                 else if (strcmp(*argv,"-psk_identity") == 0)
856                         {
857                         if (--argc < 1) goto bad;
858                         psk_identity=*(++argv);
859                         }
860                 else if (strcmp(*argv,"-psk") == 0)
861                         {
862                         size_t j;
863
864                         if (--argc < 1) goto bad;
865                         psk_key=*(++argv);
866                         for (j = 0; j < strlen(psk_key); j++)
867                                 {
868                                 if (isxdigit((unsigned char)psk_key[j]))
869                                         continue;
870                                 BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
871                                 goto bad;
872                                 }
873                         }
874 #endif
875 #ifndef OPENSSL_NO_SRP
876                 else if (strcmp(*argv,"-srpuser") == 0)
877                         {
878                         if (--argc < 1) goto bad;
879                         srp_arg.srplogin= *(++argv);
880                         meth=TLSv1_client_method();
881                         }
882                 else if (strcmp(*argv,"-srppass") == 0)
883                         {
884                         if (--argc < 1) goto bad;
885                         srppass= *(++argv);
886                         meth=TLSv1_client_method();
887                         }
888                 else if (strcmp(*argv,"-srp_strength") == 0)
889                         {
890                         if (--argc < 1) goto bad;
891                         srp_arg.strength=atoi(*(++argv));
892                         BIO_printf(bio_err,"SRP minimal length for N is %d\n",srp_arg.strength);
893                         meth=TLSv1_client_method();
894                         }
895                 else if (strcmp(*argv,"-srp_lateuser") == 0)
896                         {
897                         srp_lateuser= 1;
898                         meth=TLSv1_client_method();
899                         }
900                 else if (strcmp(*argv,"-srp_moregroups") == 0)
901                         {
902                         srp_arg.amp=1;
903                         meth=TLSv1_client_method();
904                         }
905 #endif
906 #ifndef OPENSSL_NO_SSL3_METHOD
907                 else if (strcmp(*argv,"-ssl3") == 0)
908                         meth=SSLv3_client_method();
909 #endif
910 #ifndef OPENSSL_NO_TLS1
911                 else if (strcmp(*argv,"-tls1_2") == 0)
912                         meth=TLSv1_2_client_method();
913                 else if (strcmp(*argv,"-tls1_1") == 0)
914                         meth=TLSv1_1_client_method();
915                 else if (strcmp(*argv,"-tls1") == 0)
916                         meth=TLSv1_client_method();
917 #endif
918 #ifndef OPENSSL_NO_DTLS1
919                 else if (strcmp(*argv,"-dtls") == 0)
920                         {
921                         meth=DTLS_client_method();
922                         socket_type=SOCK_DGRAM;
923                         }
924                 else if (strcmp(*argv,"-dtls1") == 0)
925                         {
926                         meth=DTLSv1_client_method();
927                         socket_type=SOCK_DGRAM;
928                         }
929                 else if (strcmp(*argv,"-dtls1_2") == 0)
930                         {
931                         meth=DTLSv1_2_client_method();
932                         socket_type=SOCK_DGRAM;
933                         }
934                 else if (strcmp(*argv,"-timeout") == 0)
935                         enable_timeouts=1;
936                 else if (strcmp(*argv,"-mtu") == 0)
937                         {
938                         if (--argc < 1) goto bad;
939                         socket_mtu = atol(*(++argv));
940                         }
941 #endif
942                 else if (strcmp(*argv,"-fallback_scsv") == 0)
943                         {
944                         fallback_scsv = 1;
945                         }
946                 else if (strcmp(*argv,"-keyform") == 0)
947                         {
948                         if (--argc < 1) goto bad;
949                         key_format = str2fmt(*(++argv));
950                         }
951                 else if (strcmp(*argv,"-pass") == 0)
952                         {
953                         if (--argc < 1) goto bad;
954                         passarg = *(++argv);
955                         }
956                 else if (strcmp(*argv,"-cert_chain") == 0)
957                         {
958                         if (--argc < 1) goto bad;
959                         chain_file= *(++argv);
960                         }
961                 else if (strcmp(*argv,"-key") == 0)
962                         {
963                         if (--argc < 1) goto bad;
964                         key_file= *(++argv);
965                         }
966                 else if (strcmp(*argv,"-reconnect") == 0)
967                         {
968                         reconnect=5;
969                         }
970                 else if (strcmp(*argv,"-CApath") == 0)
971                         {
972                         if (--argc < 1) goto bad;
973                         CApath= *(++argv);
974                         }
975                 else if (strcmp(*argv,"-chainCApath") == 0)
976                         {
977                         if (--argc < 1) goto bad;
978                         chCApath= *(++argv);
979                         }
980                 else if (strcmp(*argv,"-verifyCApath") == 0)
981                         {
982                         if (--argc < 1) goto bad;
983                         vfyCApath= *(++argv);
984                         }
985                 else if (strcmp(*argv,"-build_chain") == 0)
986                         build_chain = 1;
987                 else if (strcmp(*argv,"-CAfile") == 0)
988                         {
989                         if (--argc < 1) goto bad;
990                         CAfile= *(++argv);
991                         }
992                 else if (strcmp(*argv,"-chainCAfile") == 0)
993                         {
994                         if (--argc < 1) goto bad;
995                         chCAfile= *(++argv);
996                         }
997                 else if (strcmp(*argv,"-verifyCAfile") == 0)
998                         {
999                         if (--argc < 1) goto bad;
1000                         vfyCAfile= *(++argv);
1001                         }
1002 #ifndef OPENSSL_NO_TLSEXT
1003 # ifndef OPENSSL_NO_NEXTPROTONEG
1004                 else if (strcmp(*argv,"-nextprotoneg") == 0)
1005                         {
1006                         if (--argc < 1) goto bad;
1007                         next_proto_neg_in = *(++argv);
1008                         }
1009 # endif
1010                 else if (strcmp(*argv,"-alpn") == 0)
1011                         {
1012                         if (--argc < 1) goto bad;
1013                         alpn_in = *(++argv);
1014                         }
1015                 else if (strcmp(*argv,"-serverinfo") == 0)
1016                         {
1017                         char *c;
1018                         int start = 0;
1019                         int len;
1020
1021                         if (--argc < 1) goto bad;
1022                         c = *(++argv);
1023                         serverinfo_types_count = 0;
1024                         len = strlen(c);
1025                         for (i = 0; i <= len; ++i)
1026                                 {
1027                                 if (i == len || c[i] == ',')
1028                                         {
1029                                         serverinfo_types[serverinfo_types_count]
1030                                             = atoi(c+start);
1031                                         serverinfo_types_count++;
1032                                         start = i+1;
1033                                         }
1034                                 if (serverinfo_types_count == MAX_SI_TYPES)
1035                                         break;
1036                                 }
1037                         }
1038 #endif
1039 #ifdef FIONBIO
1040                 else if (strcmp(*argv,"-nbio") == 0)
1041                         { c_nbio=1; }
1042 #endif
1043                 else if (strcmp(*argv,"-starttls") == 0)
1044                         {
1045                         if (--argc < 1) goto bad;
1046                         ++argv;
1047                         if (strcmp(*argv,"smtp") == 0)
1048                                 starttls_proto = PROTO_SMTP;
1049                         else if (strcmp(*argv,"pop3") == 0)
1050                                 starttls_proto = PROTO_POP3;
1051                         else if (strcmp(*argv,"imap") == 0)
1052                                 starttls_proto = PROTO_IMAP;
1053                         else if (strcmp(*argv,"ftp") == 0)
1054                                 starttls_proto = PROTO_FTP;
1055                         else if (strcmp(*argv, "xmpp") == 0)
1056                                 starttls_proto = PROTO_XMPP;
1057                         else
1058                                 goto bad;
1059                         }
1060 #ifndef OPENSSL_NO_ENGINE
1061                 else if (strcmp(*argv,"-engine") == 0)
1062                         {
1063                         if (--argc < 1) goto bad;
1064                         engine_id = *(++argv);
1065                         }
1066                 else if (strcmp(*argv,"-ssl_client_engine") == 0)
1067                         {
1068                         if (--argc < 1) goto bad;
1069                         ssl_client_engine_id = *(++argv);
1070                         }
1071 #endif
1072                 else if (strcmp(*argv,"-rand") == 0)
1073                         {
1074                         if (--argc < 1) goto bad;
1075                         inrand= *(++argv);
1076                         }
1077 #ifndef OPENSSL_NO_TLSEXT
1078                 else if (strcmp(*argv,"-servername") == 0)
1079                         {
1080                         if (--argc < 1) goto bad;
1081                         servername= *(++argv);
1082                         /* meth=TLSv1_client_method(); */
1083                         }
1084 #endif
1085 #ifndef OPENSSL_NO_JPAKE
1086                 else if (strcmp(*argv,"-jpake") == 0)
1087                         {
1088                         if (--argc < 1) goto bad;
1089                         jpake_secret = *++argv;
1090                         }
1091 #endif
1092                 else if (strcmp(*argv,"-use_srtp") == 0)
1093                         {
1094                         if (--argc < 1) goto bad;
1095                         srtp_profiles = *(++argv);
1096                         }
1097                 else if (strcmp(*argv,"-keymatexport") == 0)
1098                         {
1099                         if (--argc < 1) goto bad;
1100                         keymatexportlabel= *(++argv);
1101                         }
1102                 else if (strcmp(*argv,"-keymatexportlen") == 0)
1103                         {
1104                         if (--argc < 1) goto bad;
1105                         keymatexportlen=atoi(*(++argv));
1106                         if (keymatexportlen == 0) goto bad;
1107                         }
1108                 else
1109                         {
1110                         BIO_printf(bio_err,"unknown option %s\n",*argv);
1111                         badop=1;
1112                         break;
1113                         }
1114                 argc--;
1115                 argv++;
1116                 }
1117         if (badop)
1118                 {
1119 bad:
1120                 sc_usage();
1121                 goto end;
1122                 }
1123
1124         if (unix_path && (socket_type != SOCK_STREAM))
1125                 {
1126                 BIO_printf(bio_err, "Can't use unix sockets and datagrams together\n");
1127                         goto end;
1128                 }
1129 #if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
1130         if (jpake_secret)
1131                 {
1132                 if (psk_key)
1133                         {
1134                         BIO_printf(bio_err,
1135                                    "Can't use JPAKE and PSK together\n");
1136                         goto end;
1137                         }
1138                 psk_identity = "JPAKE";
1139                 }
1140 #endif
1141
1142         OpenSSL_add_ssl_algorithms();
1143         SSL_load_error_strings();
1144
1145 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
1146         next_proto.status = -1;
1147         if (next_proto_neg_in)
1148                 {
1149                 next_proto.data = next_protos_parse(&next_proto.len, next_proto_neg_in);
1150                 if (next_proto.data == NULL)
1151                         {
1152                         BIO_printf(bio_err, "Error parsing -nextprotoneg argument\n");
1153                         goto end;
1154                         }
1155                 }
1156         else
1157                 next_proto.data = NULL;
1158 #endif
1159
1160 #ifndef OPENSSL_NO_ENGINE
1161         e = setup_engine(bio_err, engine_id, 1);
1162         if (ssl_client_engine_id)
1163                 {
1164                 ssl_client_engine = ENGINE_by_id(ssl_client_engine_id);
1165                 if (!ssl_client_engine)
1166                         {
1167                         BIO_printf(bio_err,
1168                                         "Error getting client auth engine\n");
1169                         goto end;
1170                         }
1171                 }
1172
1173 #endif
1174         if (!app_passwd(bio_err, passarg, NULL, &pass, NULL))
1175                 {
1176                 BIO_printf(bio_err, "Error getting password\n");
1177                 goto end;
1178                 }
1179
1180         if (key_file == NULL)
1181                 key_file = cert_file;
1182
1183
1184         if (key_file)
1185
1186                 {
1187
1188                 key = load_key(bio_err, key_file, key_format, 0, pass, e,
1189                                "client certificate private key file");
1190                 if (!key)
1191                         {
1192                         ERR_print_errors(bio_err);
1193                         goto end;
1194                         }
1195
1196                 }
1197
1198         if (cert_file)
1199
1200                 {
1201                 cert = load_cert(bio_err,cert_file,cert_format,
1202                                 NULL, e, "client certificate file");
1203
1204                 if (!cert)
1205                         {
1206                         ERR_print_errors(bio_err);
1207                         goto end;
1208                         }
1209                 }
1210
1211         if (chain_file)
1212                 {
1213                 chain = load_certs(bio_err, chain_file,FORMAT_PEM,
1214                                         NULL, e, "client certificate chain");
1215                 if (!chain)
1216                         goto end;
1217                 }
1218
1219         if (crl_file)
1220                 {
1221                 X509_CRL *crl;
1222                 crl = load_crl(crl_file, crl_format);
1223                 if (!crl)
1224                         {
1225                         BIO_puts(bio_err, "Error loading CRL\n");
1226                         ERR_print_errors(bio_err);
1227                         goto end;
1228                         }
1229                 crls = sk_X509_CRL_new_null();
1230                 if (!crls || !sk_X509_CRL_push(crls, crl))
1231                         {
1232                         BIO_puts(bio_err, "Error adding CRL\n");
1233                         ERR_print_errors(bio_err);
1234                         X509_CRL_free(crl);
1235                         goto end;
1236                         }
1237                 }
1238
1239         if (!load_excert(&exc, bio_err))
1240                 goto end;
1241
1242         if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
1243                 && !RAND_status())
1244                 {
1245                 BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
1246                 }
1247         if (inrand != NULL)
1248                 BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
1249                         app_RAND_load_files(inrand));
1250
1251         if (bio_c_out == NULL)
1252                 {
1253                 if (c_quiet && !c_debug)
1254                         {
1255                         bio_c_out=BIO_new(BIO_s_null());
1256                         if (c_msg && !bio_c_msg)
1257                                 bio_c_msg=BIO_new_fp(stdout,BIO_NOCLOSE);
1258                         }
1259                 else
1260                         {
1261                         if (bio_c_out == NULL)
1262                                 bio_c_out=BIO_new_fp(stdout,BIO_NOCLOSE);
1263                         }
1264                 }
1265
1266 #ifndef OPENSSL_NO_SRP
1267         if(!app_passwd(bio_err, srppass, NULL, &srp_arg.srppassin, NULL))
1268                 {
1269                 BIO_printf(bio_err, "Error getting password\n");
1270                 goto end;
1271                 }
1272 #endif
1273
1274         ctx=SSL_CTX_new(meth);
1275         if (ctx == NULL)
1276                 {
1277                 ERR_print_errors(bio_err);
1278                 goto end;
1279                 }
1280
1281         if (sdebug)
1282                 ssl_ctx_security_debug(ctx, bio_err, sdebug);
1283
1284         if (vpm)
1285                 SSL_CTX_set1_param(ctx, vpm);
1286
1287         if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, 1, no_jpake))
1288                 {
1289                 ERR_print_errors(bio_err);
1290                 goto end;
1291                 }
1292
1293         if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile,
1294                                                 crls, crl_download))
1295                 {
1296                 BIO_printf(bio_err, "Error loading store locations\n");
1297                 ERR_print_errors(bio_err);
1298                 goto end;
1299                 }
1300
1301 #ifndef OPENSSL_NO_ENGINE
1302         if (ssl_client_engine)
1303                 {
1304                 if (!SSL_CTX_set_client_cert_engine(ctx, ssl_client_engine))
1305                         {
1306                         BIO_puts(bio_err, "Error setting client auth engine\n");
1307                         ERR_print_errors(bio_err);
1308                         ENGINE_free(ssl_client_engine);
1309                         goto end;
1310                         }
1311                 ENGINE_free(ssl_client_engine);
1312                 }
1313 #endif
1314
1315 #ifndef OPENSSL_NO_PSK
1316 #ifdef OPENSSL_NO_JPAKE
1317         if (psk_key != NULL)
1318 #else
1319         if (psk_key != NULL || jpake_secret)
1320 #endif
1321                 {
1322                 if (c_debug)
1323                         BIO_printf(bio_c_out, "PSK key given or JPAKE in use, setting client callback\n");
1324                 SSL_CTX_set_psk_client_callback(ctx, psk_client_cb);
1325                 }
1326         if (srtp_profiles != NULL)
1327                 SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles);
1328 #endif
1329         if (exc) ssl_ctx_set_excert(ctx, exc);
1330         /* DTLS: partial reads end up discarding unread UDP bytes :-( 
1331          * Setting read ahead solves this problem.
1332          */
1333         if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
1334
1335 #if !defined(OPENSSL_NO_TLSEXT)
1336 # if !defined(OPENSSL_NO_NEXTPROTONEG)
1337         if (next_proto.data)
1338                 SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);
1339 # endif
1340         if (alpn_in)
1341                 {
1342                 unsigned short alpn_len;
1343                 unsigned char *alpn = next_protos_parse(&alpn_len, alpn_in);
1344
1345                 if (alpn == NULL)
1346                         {
1347                         BIO_printf(bio_err, "Error parsing -alpn argument\n");
1348                         goto end;
1349                         }
1350                 SSL_CTX_set_alpn_protos(ctx, alpn, alpn_len);
1351                 OPENSSL_free(alpn);
1352                 }
1353 #endif
1354 #ifndef OPENSSL_NO_TLSEXT
1355                 for (i = 0; i < serverinfo_types_count; i++)
1356                         {
1357                         SSL_CTX_add_client_custom_ext(ctx,
1358                                                       serverinfo_types[i],
1359                                                       NULL, NULL, NULL,
1360                                                       serverinfo_cli_parse_cb,
1361                                                       NULL);
1362                         }
1363 #endif
1364
1365         if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
1366 #if 0
1367         else
1368                 SSL_CTX_set_cipher_list(ctx,getenv("SSL_CIPHER"));
1369 #endif
1370
1371         SSL_CTX_set_verify(ctx,verify,verify_callback);
1372
1373         if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
1374                 (!SSL_CTX_set_default_verify_paths(ctx)))
1375                 {
1376                 /* BIO_printf(bio_err,"error setting default verify locations\n"); */
1377                 ERR_print_errors(bio_err);
1378                 /* goto end; */
1379                 }
1380
1381         ssl_ctx_add_crls(ctx, crls, crl_download);
1382
1383         if (!set_cert_key_stuff(ctx,cert,key,chain,build_chain))
1384                 goto end;
1385
1386 #ifndef OPENSSL_NO_TLSEXT
1387         if (servername != NULL)
1388                 {
1389                 tlsextcbp.biodebug = bio_err;
1390                 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
1391                 SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
1392                 }
1393 #ifndef OPENSSL_NO_SRP
1394         if (srp_arg.srplogin)
1395                 {
1396                 if (!srp_lateuser && !SSL_CTX_set_srp_username(ctx, srp_arg.srplogin))
1397                         {
1398                         BIO_printf(bio_err,"Unable to set SRP username\n");
1399                         goto end;
1400                         }
1401                 srp_arg.msg = c_msg;
1402                 srp_arg.debug = c_debug ;
1403                 SSL_CTX_set_srp_cb_arg(ctx,&srp_arg);
1404                 SSL_CTX_set_srp_client_pwd_callback(ctx, ssl_give_srp_client_pwd_cb);
1405                 SSL_CTX_set_srp_strength(ctx, srp_arg.strength);
1406                 if (c_msg || c_debug || srp_arg.amp == 0)
1407                         SSL_CTX_set_srp_verify_param_callback(ctx, ssl_srp_verify_param_cb);
1408                 }
1409
1410 #endif
1411 #endif
1412
1413         con=SSL_new(ctx);
1414         if (sess_in)
1415                 {
1416                 SSL_SESSION *sess;
1417                 BIO *stmp = BIO_new_file(sess_in, "r");
1418                 if (!stmp)
1419                         {
1420                         BIO_printf(bio_err, "Can't open session file %s\n",
1421                                                 sess_in);
1422                         ERR_print_errors(bio_err);
1423                         goto end;
1424                         }
1425                 sess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL);
1426                 BIO_free(stmp);
1427                 if (!sess)
1428                         {
1429                         BIO_printf(bio_err, "Can't open session file %s\n",
1430                                                 sess_in);
1431                         ERR_print_errors(bio_err);
1432                         goto end;
1433                         }
1434                 SSL_set_session(con, sess);
1435                 SSL_SESSION_free(sess);
1436                 }
1437
1438         if (fallback_scsv)
1439                 SSL_set_mode(con, SSL_MODE_SEND_FALLBACK_SCSV);
1440
1441 #ifndef OPENSSL_NO_TLSEXT
1442         if (servername != NULL)
1443                 {
1444                 if (!SSL_set_tlsext_host_name(con,servername))
1445                         {
1446                         BIO_printf(bio_err,"Unable to set TLS servername extension.\n");
1447                         ERR_print_errors(bio_err);
1448                         goto end;
1449                         }
1450                 }
1451 #endif
1452 #ifndef OPENSSL_NO_KRB5
1453         if (con  &&  (kctx = kssl_ctx_new()) != NULL)
1454                 {
1455                 SSL_set0_kssl_ctx(con, kctx);
1456                 kssl_ctx_setstring(kctx, KSSL_SERVER, host);
1457                 }
1458 #endif  /* OPENSSL_NO_KRB5  */
1459 /*      SSL_set_cipher_list(con,"RC4-MD5"); */
1460 #if 0
1461 #ifdef TLSEXT_TYPE_opaque_prf_input
1462         SSL_set_tlsext_opaque_prf_input(con, "Test client", 11);
1463 #endif
1464 #endif
1465
1466 re_start:
1467 #ifdef NO_SYS_UN_H
1468         if (init_client(&s,host,port,socket_type) == 0)
1469 #else
1470         if ((!unix_path && (init_client(&s,host,port,socket_type) == 0)) ||
1471                         (unix_path && (init_client_unix(&s,unix_path) == 0)))
1472 #endif
1473                 {
1474                 BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
1475                 SHUTDOWN(s);
1476                 goto end;
1477                 }
1478         BIO_printf(bio_c_out,"CONNECTED(%08X)\n",s);
1479
1480 #ifdef FIONBIO
1481         if (c_nbio)
1482                 {
1483                 unsigned long l=1;
1484                 BIO_printf(bio_c_out,"turning on non blocking io\n");
1485                 if (BIO_socket_ioctl(s,FIONBIO,&l) < 0)
1486                         {
1487                         ERR_print_errors(bio_err);
1488                         goto end;
1489                         }
1490                 }
1491 #endif                                              
1492         if (c_Pause & 0x01) SSL_set_debug(con, 1);
1493
1494         if (socket_type == SOCK_DGRAM)
1495                 {
1496
1497                 sbio=BIO_new_dgram(s,BIO_NOCLOSE);
1498                 if (getsockname(s, &peer, (void *)&peerlen) < 0)
1499                         {
1500                         BIO_printf(bio_err, "getsockname:errno=%d\n",
1501                                 get_last_socket_error());
1502                         SHUTDOWN(s);
1503                         goto end;
1504                         }
1505
1506                 (void)BIO_ctrl_set_connected(sbio, 1, &peer);
1507
1508                 if (enable_timeouts)
1509                         {
1510                         timeout.tv_sec = 0;
1511                         timeout.tv_usec = DGRAM_RCV_TIMEOUT;
1512                         BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
1513                         
1514                         timeout.tv_sec = 0;
1515                         timeout.tv_usec = DGRAM_SND_TIMEOUT;
1516                         BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
1517                         }
1518
1519                 if (socket_mtu)
1520                         {
1521                         if(socket_mtu < DTLS_get_link_min_mtu(con))
1522                                 {
1523                                 BIO_printf(bio_err,"MTU too small. Must be at least %ld\n",
1524                                         DTLS_get_link_min_mtu(con));
1525                                 BIO_free(sbio);
1526                                 goto shut;
1527                                 }
1528                         SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
1529                         if(!DTLS_set_link_mtu(con, socket_mtu))
1530                                 {
1531                                 BIO_printf(bio_err, "Failed to set MTU\n");
1532                                 BIO_free(sbio);
1533                                 goto shut;
1534                                 }
1535                         }
1536                 else
1537                         /* want to do MTU discovery */
1538                         BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
1539                 }
1540         else
1541                 sbio=BIO_new_socket(s,BIO_NOCLOSE);
1542
1543         if (nbio_test)
1544                 {
1545                 BIO *test;
1546
1547                 test=BIO_new(BIO_f_nbio_test());
1548                 sbio=BIO_push(test,sbio);
1549                 }
1550
1551         if (c_debug)
1552                 {
1553                 SSL_set_debug(con, 1);
1554                 BIO_set_callback(sbio,bio_dump_callback);
1555                 BIO_set_callback_arg(sbio,(char *)bio_c_out);
1556                 }
1557         if (c_msg)
1558                 {
1559 #ifndef OPENSSL_NO_SSL_TRACE
1560                 if (c_msg == 2)
1561                         SSL_set_msg_callback(con, SSL_trace);
1562                 else
1563 #endif
1564                         SSL_set_msg_callback(con, msg_cb);
1565                 SSL_set_msg_callback_arg(con, bio_c_msg ? bio_c_msg : bio_c_out);
1566                 }
1567 #ifndef OPENSSL_NO_TLSEXT
1568         if (c_tlsextdebug)
1569                 {
1570                 SSL_set_tlsext_debug_callback(con, tlsext_cb);
1571                 SSL_set_tlsext_debug_arg(con, bio_c_out);
1572                 }
1573         if (c_status_req)
1574                 {
1575                 SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp);
1576                 SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb);
1577                 SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out);
1578 #if 0
1579 {
1580 STACK_OF(OCSP_RESPID) *ids = sk_OCSP_RESPID_new_null();
1581 OCSP_RESPID *id = OCSP_RESPID_new();
1582 id->value.byKey = ASN1_OCTET_STRING_new();
1583 id->type = V_OCSP_RESPID_KEY;
1584 ASN1_STRING_set(id->value.byKey, "Hello World", -1);
1585 sk_OCSP_RESPID_push(ids, id);
1586 SSL_set_tlsext_status_ids(con, ids);
1587 }
1588 #endif
1589                 }
1590 #endif
1591 #ifndef OPENSSL_NO_JPAKE
1592         if (jpake_secret)
1593                 jpake_client_auth(bio_c_out, sbio, jpake_secret);
1594 #endif
1595
1596         SSL_set_bio(con,sbio,sbio);
1597         SSL_set_connect_state(con);
1598
1599         /* ok, lets connect */
1600         width=SSL_get_fd(con)+1;
1601
1602         read_tty=1;
1603         write_tty=0;
1604         tty_on=0;
1605         read_ssl=1;
1606         write_ssl=1;
1607         
1608         cbuf_len=0;
1609         cbuf_off=0;
1610         sbuf_len=0;
1611         sbuf_off=0;
1612
1613         /* This is an ugly hack that does a lot of assumptions */
1614         /* We do have to handle multi-line responses which may come
1615            in a single packet or not. We therefore have to use
1616            BIO_gets() which does need a buffering BIO. So during
1617            the initial chitchat we do push a buffering BIO into the
1618            chain that is removed again later on to not disturb the
1619            rest of the s_client operation. */
1620         if (starttls_proto == PROTO_SMTP)
1621                 {
1622                 int foundit=0;
1623                 BIO *fbio = BIO_new(BIO_f_buffer());
1624                 BIO_push(fbio, sbio);
1625                 /* wait for multi-line response to end from SMTP */
1626                 do
1627                         {
1628                         mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1629                         }
1630                 while (mbuf_len>3 && mbuf[3]=='-');
1631                 /* STARTTLS command requires EHLO... */
1632                 BIO_printf(fbio,"EHLO openssl.client.net\r\n");
1633                 (void)BIO_flush(fbio);
1634                 /* wait for multi-line response to end EHLO SMTP response */
1635                 do
1636                         {
1637                         mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1638                         if (strstr(mbuf,"STARTTLS"))
1639                                 foundit=1;
1640                         }
1641                 while (mbuf_len>3 && mbuf[3]=='-');
1642                 (void)BIO_flush(fbio);
1643                 BIO_pop(fbio);
1644                 BIO_free(fbio);
1645                 if (!foundit)
1646                         BIO_printf(bio_err,
1647                                    "didn't found starttls in server response,"
1648                                    " try anyway...\n");
1649                 BIO_printf(sbio,"STARTTLS\r\n");
1650                 BIO_read(sbio,sbuf,BUFSIZZ);
1651                 }
1652         else if (starttls_proto == PROTO_POP3)
1653                 {
1654                 BIO_read(sbio,mbuf,BUFSIZZ);
1655                 BIO_printf(sbio,"STLS\r\n");
1656                 BIO_read(sbio,sbuf,BUFSIZZ);
1657                 }
1658         else if (starttls_proto == PROTO_IMAP)
1659                 {
1660                 int foundit=0;
1661                 BIO *fbio = BIO_new(BIO_f_buffer());
1662                 BIO_push(fbio, sbio);
1663                 BIO_gets(fbio,mbuf,BUFSIZZ);
1664                 /* STARTTLS command requires CAPABILITY... */
1665                 BIO_printf(fbio,". CAPABILITY\r\n");
1666                 (void)BIO_flush(fbio);
1667                 /* wait for multi-line CAPABILITY response */
1668                 do
1669                         {
1670                         mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1671                         if (strstr(mbuf,"STARTTLS"))
1672                                 foundit=1;
1673                         }
1674                 while (mbuf_len>3 && mbuf[0]!='.');
1675                 (void)BIO_flush(fbio);
1676                 BIO_pop(fbio);
1677                 BIO_free(fbio);
1678                 if (!foundit)
1679                         BIO_printf(bio_err,
1680                                    "didn't found STARTTLS in server response,"
1681                                    " try anyway...\n");
1682                 BIO_printf(sbio,". STARTTLS\r\n");
1683                 BIO_read(sbio,sbuf,BUFSIZZ);
1684                 }
1685         else if (starttls_proto == PROTO_FTP)
1686                 {
1687                 BIO *fbio = BIO_new(BIO_f_buffer());
1688                 BIO_push(fbio, sbio);
1689                 /* wait for multi-line response to end from FTP */
1690                 do
1691                         {
1692                         mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1693                         }
1694                 while (mbuf_len>3 && mbuf[3]=='-');
1695                 (void)BIO_flush(fbio);
1696                 BIO_pop(fbio);
1697                 BIO_free(fbio);
1698                 BIO_printf(sbio,"AUTH TLS\r\n");
1699                 BIO_read(sbio,sbuf,BUFSIZZ);
1700                 }
1701         if (starttls_proto == PROTO_XMPP)
1702                 {
1703                 int seen = 0;
1704                 BIO_printf(sbio,"<stream:stream "
1705                     "xmlns:stream='http://etherx.jabber.org/streams' "
1706                     "xmlns='jabber:client' to='%s' version='1.0'>", xmpphost ?
1707                            xmpphost : host);
1708                 seen = BIO_read(sbio,mbuf,BUFSIZZ);
1709                 mbuf[seen] = 0;
1710                 while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'") &&
1711                                 !strstr(mbuf, "<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\""))
1712                         {
1713                         seen = BIO_read(sbio,mbuf,BUFSIZZ);
1714
1715                         if (seen <= 0)
1716                                 goto shut;
1717
1718                         mbuf[seen] = 0;
1719                         }
1720                 BIO_printf(sbio, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>");
1721                 seen = BIO_read(sbio,sbuf,BUFSIZZ);
1722                 sbuf[seen] = 0;
1723                 if (!strstr(sbuf, "<proceed"))
1724                         goto shut;
1725                 mbuf[0] = 0;
1726                 }
1727
1728         for (;;)
1729                 {
1730                 FD_ZERO(&readfds);
1731                 FD_ZERO(&writefds);
1732
1733                 if ((SSL_version(con) == DTLS1_VERSION) &&
1734                         DTLSv1_get_timeout(con, &timeout))
1735                         timeoutp = &timeout;
1736                 else
1737                         timeoutp = NULL;
1738
1739                 if (SSL_in_init(con) && !SSL_total_renegotiations(con))
1740                         {
1741                         in_init=1;
1742                         tty_on=0;
1743                         }
1744                 else
1745                         {
1746                         tty_on=1;
1747                         if (in_init)
1748                                 {
1749                                 in_init=0;
1750 #if 0 /* This test doesn't really work as intended (needs to be fixed) */
1751 #ifndef OPENSSL_NO_TLSEXT
1752                                 if (servername != NULL && !SSL_session_reused(con))
1753                                         {
1754                                         BIO_printf(bio_c_out,"Server did %sacknowledge servername extension.\n",tlsextcbp.ack?"":"not ");
1755                                         }
1756 #endif
1757 #endif
1758                                 if (sess_out)
1759                                         {
1760                                         BIO *stmp = BIO_new_file(sess_out, "w");
1761                                         if (stmp)
1762                                                 {
1763                                                 PEM_write_bio_SSL_SESSION(stmp, SSL_get_session(con));
1764                                                 BIO_free(stmp);
1765                                                 }
1766                                         else 
1767                                                 BIO_printf(bio_err, "Error writing session file %s\n", sess_out);
1768                                         }
1769                                 if (c_brief)
1770                                         {
1771                                         BIO_puts(bio_err,
1772                                                 "CONNECTION ESTABLISHED\n");
1773                                         print_ssl_summary(bio_err, con);
1774                                         }
1775
1776                                 print_stuff(bio_c_out,con,full_log);
1777                                 if (full_log > 0) full_log--;
1778
1779                                 if (starttls_proto)
1780                                         {
1781                                         BIO_printf(bio_err,"%s",mbuf);
1782                                         /* We don't need to know any more */
1783                                         starttls_proto = PROTO_OFF;
1784                                         }
1785
1786                                 if (reconnect)
1787                                         {
1788                                         reconnect--;
1789                                         BIO_printf(bio_c_out,"drop connection and then reconnect\n");
1790                                         SSL_shutdown(con);
1791                                         SSL_set_connect_state(con);
1792                                         SHUTDOWN(SSL_get_fd(con));
1793                                         goto re_start;
1794                                         }
1795                                 }
1796                         }
1797
1798                 ssl_pending = read_ssl && SSL_pending(con);
1799
1800                 if (!ssl_pending)
1801                         {
1802 #if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE)
1803                         if (tty_on)
1804                                 {
1805                                 if (read_tty)  openssl_fdset(fileno(stdin),&readfds);
1806                                 if (write_tty) openssl_fdset(fileno(stdout),&writefds);
1807                                 }
1808                         if (read_ssl)
1809                                 openssl_fdset(SSL_get_fd(con),&readfds);
1810                         if (write_ssl)
1811                                 openssl_fdset(SSL_get_fd(con),&writefds);
1812 #else
1813                         if(!tty_on || !write_tty) {
1814                                 if (read_ssl)
1815                                         openssl_fdset(SSL_get_fd(con),&readfds);
1816                                 if (write_ssl)
1817                                         openssl_fdset(SSL_get_fd(con),&writefds);
1818                         }
1819 #endif
1820 /*                      printf("mode tty(%d %d%d) ssl(%d%d)\n",
1821                                 tty_on,read_tty,write_tty,read_ssl,write_ssl);*/
1822
1823                         /* Note: under VMS with SOCKETSHR the second parameter
1824                          * is currently of type (int *) whereas under other
1825                          * systems it is (void *) if you don't have a cast it
1826                          * will choke the compiler: if you do have a cast then
1827                          * you can either go for (int *) or (void *).
1828                          */
1829 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
1830                         /* Under Windows/DOS we make the assumption that we can
1831                          * always write to the tty: therefore if we need to
1832                          * write to the tty we just fall through. Otherwise
1833                          * we timeout the select every second and see if there
1834                          * are any keypresses. Note: this is a hack, in a proper
1835                          * Windows application we wouldn't do this.
1836                          */
1837                         i=0;
1838                         if(!write_tty) {
1839                                 if(read_tty) {
1840                                         tv.tv_sec = 1;
1841                                         tv.tv_usec = 0;
1842                                         i=select(width,(void *)&readfds,(void *)&writefds,
1843                                                  NULL,&tv);
1844 #if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
1845                                         if(!i && (!_kbhit() || !read_tty) ) continue;
1846 #else
1847                                         if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue;
1848 #endif
1849                                 } else  i=select(width,(void *)&readfds,(void *)&writefds,
1850                                          NULL,timeoutp);
1851                         }
1852 #elif defined(OPENSSL_SYS_NETWARE)
1853                         if(!write_tty) {
1854                                 if(read_tty) {
1855                                         tv.tv_sec = 1;
1856                                         tv.tv_usec = 0;
1857                                         i=select(width,(void *)&readfds,(void *)&writefds,
1858                                                 NULL,&tv);
1859                                 } else  i=select(width,(void *)&readfds,(void *)&writefds,
1860                                         NULL,timeoutp);
1861                         }
1862 #else
1863                         i=select(width,(void *)&readfds,(void *)&writefds,
1864                                  NULL,timeoutp);
1865 #endif
1866                         if ( i < 0)
1867                                 {
1868                                 BIO_printf(bio_err,"bad select %d\n",
1869                                 get_last_socket_error());
1870                                 goto shut;
1871                                 /* goto end; */
1872                                 }
1873                         }
1874
1875                 if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0)
1876                         {
1877                         BIO_printf(bio_err,"TIMEOUT occurred\n");
1878                         }
1879
1880                 if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds))
1881                         {
1882                         k=SSL_write(con,&(cbuf[cbuf_off]),
1883                                 (unsigned int)cbuf_len);
1884                         switch (SSL_get_error(con,k))
1885                                 {
1886                         case SSL_ERROR_NONE:
1887                                 cbuf_off+=k;
1888                                 cbuf_len-=k;
1889                                 if (k <= 0) goto end;
1890                                 /* we have done a  write(con,NULL,0); */
1891                                 if (cbuf_len <= 0)
1892                                         {
1893                                         read_tty=1;
1894                                         write_ssl=0;
1895                                         }
1896                                 else /* if (cbuf_len > 0) */
1897                                         {
1898                                         read_tty=0;
1899                                         write_ssl=1;
1900                                         }
1901                                 break;
1902                         case SSL_ERROR_WANT_WRITE:
1903                                 BIO_printf(bio_c_out,"write W BLOCK\n");
1904                                 write_ssl=1;
1905                                 read_tty=0;
1906                                 break;
1907                         case SSL_ERROR_WANT_READ:
1908                                 BIO_printf(bio_c_out,"write R BLOCK\n");
1909                                 write_tty=0;
1910                                 read_ssl=1;
1911                                 write_ssl=0;
1912                                 break;
1913                         case SSL_ERROR_WANT_X509_LOOKUP:
1914                                 BIO_printf(bio_c_out,"write X BLOCK\n");
1915                                 break;
1916                         case SSL_ERROR_ZERO_RETURN:
1917                                 if (cbuf_len != 0)
1918                                         {
1919                                         BIO_printf(bio_c_out,"shutdown\n");
1920                                         ret = 0;
1921                                         goto shut;
1922                                         }
1923                                 else
1924                                         {
1925                                         read_tty=1;
1926                                         write_ssl=0;
1927                                         break;
1928                                         }
1929                                 
1930                         case SSL_ERROR_SYSCALL:
1931                                 if ((k != 0) || (cbuf_len != 0))
1932                                         {
1933                                         BIO_printf(bio_err,"write:errno=%d\n",
1934                                                 get_last_socket_error());
1935                                         goto shut;
1936                                         }
1937                                 else
1938                                         {
1939                                         read_tty=1;
1940                                         write_ssl=0;
1941                                         }
1942                                 break;
1943                         case SSL_ERROR_SSL:
1944                                 ERR_print_errors(bio_err);
1945                                 goto shut;
1946                                 }
1947                         }
1948 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
1949                 /* Assume Windows/DOS/BeOS can always write */
1950                 else if (!ssl_pending && write_tty)
1951 #else
1952                 else if (!ssl_pending && FD_ISSET(fileno(stdout),&writefds))
1953 #endif
1954                         {
1955 #ifdef CHARSET_EBCDIC
1956                         ascii2ebcdic(&(sbuf[sbuf_off]),&(sbuf[sbuf_off]),sbuf_len);
1957 #endif
1958                         i=raw_write_stdout(&(sbuf[sbuf_off]),sbuf_len);
1959
1960                         if (i <= 0)
1961                                 {
1962                                 BIO_printf(bio_c_out,"DONE\n");
1963                                 ret = 0;
1964                                 goto shut;
1965                                 /* goto end; */
1966                                 }
1967
1968                         sbuf_len-=i;;
1969                         sbuf_off+=i;
1970                         if (sbuf_len <= 0)
1971                                 {
1972                                 read_ssl=1;
1973                                 write_tty=0;
1974                                 }
1975                         }
1976                 else if (ssl_pending || FD_ISSET(SSL_get_fd(con),&readfds))
1977                         {
1978 #ifdef RENEG
1979 { static int iiii; if (++iiii == 52) { SSL_renegotiate(con); iiii=0; } }
1980 #endif
1981 #if 1
1982                         k=SSL_read(con,sbuf,1024 /* BUFSIZZ */ );
1983 #else
1984 /* Demo for pending and peek :-) */
1985                         k=SSL_read(con,sbuf,16);
1986 { char zbuf[10240]; 
1987 printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240));
1988 }
1989 #endif
1990
1991                         switch (SSL_get_error(con,k))
1992                                 {
1993                         case SSL_ERROR_NONE:
1994                                 if (k <= 0)
1995                                         goto end;
1996                                 sbuf_off=0;
1997                                 sbuf_len=k;
1998
1999                                 read_ssl=0;
2000                                 write_tty=1;
2001                                 break;
2002                         case SSL_ERROR_WANT_WRITE:
2003                                 BIO_printf(bio_c_out,"read W BLOCK\n");
2004                                 write_ssl=1;
2005                                 read_tty=0;
2006                                 break;
2007                         case SSL_ERROR_WANT_READ:
2008                                 BIO_printf(bio_c_out,"read R BLOCK\n");
2009                                 write_tty=0;
2010                                 read_ssl=1;
2011                                 if ((read_tty == 0) && (write_ssl == 0))
2012                                         write_ssl=1;
2013                                 break;
2014                         case SSL_ERROR_WANT_X509_LOOKUP:
2015                                 BIO_printf(bio_c_out,"read X BLOCK\n");
2016                                 break;
2017                         case SSL_ERROR_SYSCALL:
2018                                 ret=get_last_socket_error();
2019                                 if (c_brief)
2020                                         BIO_puts(bio_err, "CONNECTION CLOSED BY SERVER\n");
2021                                 else
2022                                         BIO_printf(bio_err,"read:errno=%d\n",ret);
2023                                 goto shut;
2024                         case SSL_ERROR_ZERO_RETURN:
2025                                 BIO_printf(bio_c_out,"closed\n");
2026                                 ret=0;
2027                                 goto shut;
2028                         case SSL_ERROR_SSL:
2029                                 ERR_print_errors(bio_err);
2030                                 goto shut;
2031                                 /* break; */
2032                                 }
2033                         }
2034
2035 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
2036 #if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
2037                 else if (_kbhit())
2038 #else
2039                 else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
2040 #endif
2041 #elif defined (OPENSSL_SYS_NETWARE)
2042                 else if (_kbhit())
2043 #else
2044                 else if (FD_ISSET(fileno(stdin),&readfds))
2045 #endif
2046                         {
2047                         if (crlf)
2048                                 {
2049                                 int j, lf_num;
2050
2051                                 i=raw_read_stdin(cbuf,BUFSIZZ/2);
2052                                 lf_num = 0;
2053                                 /* both loops are skipped when i <= 0 */
2054                                 for (j = 0; j < i; j++)
2055                                         if (cbuf[j] == '\n')
2056                                                 lf_num++;
2057                                 for (j = i-1; j >= 0; j--)
2058                                         {
2059                                         cbuf[j+lf_num] = cbuf[j];
2060                                         if (cbuf[j] == '\n')
2061                                                 {
2062                                                 lf_num--;
2063                                                 i++;
2064                                                 cbuf[j+lf_num] = '\r';
2065                                                 }
2066                                         }
2067                                 assert(lf_num == 0);
2068                                 }
2069                         else
2070                                 i=raw_read_stdin(cbuf,BUFSIZZ);
2071
2072                         if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q')))
2073                                 {
2074                                 BIO_printf(bio_err,"DONE\n");
2075                                 ret=0;
2076                                 goto shut;
2077                                 }
2078
2079                         if ((!c_ign_eof) && (cbuf[0] == 'R'))
2080                                 {
2081                                 BIO_printf(bio_err,"RENEGOTIATING\n");
2082                                 SSL_renegotiate(con);
2083                                 cbuf_len=0;
2084                                 }
2085 #ifndef OPENSSL_NO_HEARTBEATS
2086                         else if ((!c_ign_eof) && (cbuf[0] == 'B'))
2087                                 {
2088                                 BIO_printf(bio_err,"HEARTBEATING\n");
2089                                 SSL_heartbeat(con);
2090                                 cbuf_len=0;
2091                                 }
2092 #endif
2093                         else
2094                                 {
2095                                 cbuf_len=i;
2096                                 cbuf_off=0;
2097 #ifdef CHARSET_EBCDIC
2098                                 ebcdic2ascii(cbuf, cbuf, i);
2099 #endif
2100                                 }
2101
2102                         write_ssl=1;
2103                         read_tty=0;
2104                         }
2105                 }
2106
2107         ret=0;
2108 shut:
2109         if (in_init)
2110                 print_stuff(bio_c_out,con,full_log);
2111         SSL_shutdown(con);
2112         SHUTDOWN(SSL_get_fd(con));
2113 end:
2114         if (con != NULL)
2115                 {
2116                 if (prexit != 0)
2117                         print_stuff(bio_c_out,con,1);
2118                 SSL_free(con);
2119                 }
2120 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
2121         if (next_proto.data)
2122                 OPENSSL_free(next_proto.data);
2123 #endif
2124         if (ctx != NULL) SSL_CTX_free(ctx);
2125         if (cert)
2126                 X509_free(cert);
2127         if (crls)
2128                 sk_X509_CRL_pop_free(crls, X509_CRL_free);
2129         if (key)
2130                 EVP_PKEY_free(key);
2131         if (chain)
2132                 sk_X509_pop_free(chain, X509_free);
2133         if (pass)
2134                 OPENSSL_free(pass);
2135         if (vpm)
2136                 X509_VERIFY_PARAM_free(vpm);
2137         ssl_excert_free(exc);
2138         if (ssl_args)
2139                 sk_OPENSSL_STRING_free(ssl_args);
2140         if (cctx)
2141                 SSL_CONF_CTX_free(cctx);
2142 #ifndef OPENSSL_NO_JPAKE
2143         if (jpake_secret && psk_key)
2144                 OPENSSL_free(psk_key);
2145 #endif
2146         if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); }
2147         if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); }
2148         if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); }
2149         if (bio_c_out != NULL)
2150                 {
2151                 BIO_free(bio_c_out);
2152                 bio_c_out=NULL;
2153                 }
2154         if (bio_c_msg != NULL)
2155                 {
2156                 BIO_free(bio_c_msg);
2157                 bio_c_msg=NULL;
2158                 }
2159         apps_shutdown();
2160         OPENSSL_EXIT(ret);
2161         }
2162
2163
2164 static void print_stuff(BIO *bio, SSL *s, int full)
2165         {
2166         X509 *peer=NULL;
2167         char buf[BUFSIZ];
2168         STACK_OF(X509) *sk;
2169         STACK_OF(X509_NAME) *sk2;
2170         const SSL_CIPHER *c;
2171         X509_NAME *xn;
2172         int i;
2173 #ifndef OPENSSL_NO_COMP
2174         const COMP_METHOD *comp, *expansion;
2175 #endif
2176         unsigned char *exportedkeymat;
2177
2178         if (full)
2179                 {
2180                 int got_a_chain = 0;
2181
2182                 sk=SSL_get_peer_cert_chain(s);
2183                 if (sk != NULL)
2184                         {
2185                         got_a_chain = 1; /* we don't have it for SSL2 (yet) */
2186
2187                         BIO_printf(bio,"---\nCertificate chain\n");
2188                         for (i=0; i<sk_X509_num(sk); i++)
2189                                 {
2190                                 X509_NAME_oneline(X509_get_subject_name(
2191                                         sk_X509_value(sk,i)),buf,sizeof buf);
2192                                 BIO_printf(bio,"%2d s:%s\n",i,buf);
2193                                 X509_NAME_oneline(X509_get_issuer_name(
2194                                         sk_X509_value(sk,i)),buf,sizeof buf);
2195                                 BIO_printf(bio,"   i:%s\n",buf);
2196                                 if (c_showcerts)
2197                                         PEM_write_bio_X509(bio,sk_X509_value(sk,i));
2198                                 }
2199                         }
2200
2201                 BIO_printf(bio,"---\n");
2202                 peer=SSL_get_peer_certificate(s);
2203                 if (peer != NULL)
2204                         {
2205                         BIO_printf(bio,"Server certificate\n");
2206                         if (!(c_showcerts && got_a_chain)) /* Redundant if we showed the whole chain */
2207                                 PEM_write_bio_X509(bio,peer);
2208                         X509_NAME_oneline(X509_get_subject_name(peer),
2209                                 buf,sizeof buf);
2210                         BIO_printf(bio,"subject=%s\n",buf);
2211                         X509_NAME_oneline(X509_get_issuer_name(peer),
2212                                 buf,sizeof buf);
2213                         BIO_printf(bio,"issuer=%s\n",buf);
2214                         }
2215                 else
2216                         BIO_printf(bio,"no peer certificate available\n");
2217
2218                 sk2=SSL_get_client_CA_list(s);
2219                 if ((sk2 != NULL) && (sk_X509_NAME_num(sk2) > 0))
2220                         {
2221                         BIO_printf(bio,"---\nAcceptable client certificate CA names\n");
2222                         for (i=0; i<sk_X509_NAME_num(sk2); i++)
2223                                 {
2224                                 xn=sk_X509_NAME_value(sk2,i);
2225                                 X509_NAME_oneline(xn,buf,sizeof(buf));
2226                                 BIO_write(bio,buf,strlen(buf));
2227                                 BIO_write(bio,"\n",1);
2228                                 }
2229                         }
2230                 else
2231                         {
2232                         BIO_printf(bio,"---\nNo client certificate CA names sent\n");
2233                         }
2234
2235                 ssl_print_sigalgs(bio, s);
2236                 ssl_print_tmp_key(bio, s);
2237
2238                 BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n",
2239                         BIO_number_read(SSL_get_rbio(s)),
2240                         BIO_number_written(SSL_get_wbio(s)));
2241                 }
2242         BIO_printf(bio,(SSL_cache_hit(s)?"---\nReused, ":"---\nNew, "));
2243         c=SSL_get_current_cipher(s);
2244         BIO_printf(bio,"%s, Cipher is %s\n",
2245                 SSL_CIPHER_get_version(c),
2246                 SSL_CIPHER_get_name(c));
2247         if (peer != NULL) {
2248                 EVP_PKEY *pktmp;
2249                 pktmp = X509_get_pubkey(peer);
2250                 BIO_printf(bio,"Server public key is %d bit\n",
2251                                                          EVP_PKEY_bits(pktmp));
2252                 EVP_PKEY_free(pktmp);
2253         }
2254         BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
2255                         SSL_get_secure_renegotiation_support(s) ? "" : " NOT");
2256 #ifndef OPENSSL_NO_COMP
2257         comp=SSL_get_current_compression(s);
2258         expansion=SSL_get_current_expansion(s);
2259         BIO_printf(bio,"Compression: %s\n",
2260                 comp ? SSL_COMP_get_name(comp) : "NONE");
2261         BIO_printf(bio,"Expansion: %s\n",
2262                 expansion ? SSL_COMP_get_name(expansion) : "NONE");
2263 #endif
2264  
2265 #ifdef SSL_DEBUG
2266         {
2267         /* Print out local port of connection: useful for debugging */
2268         int sock;
2269         struct sockaddr_in ladd;
2270         socklen_t ladd_size = sizeof(ladd);
2271         sock = SSL_get_fd(s);
2272         getsockname(sock, (struct sockaddr *)&ladd, &ladd_size);
2273         BIO_printf(bio_c_out, "LOCAL PORT is %u\n", ntohs(ladd.sin_port));
2274         }
2275 #endif
2276
2277 #if !defined(OPENSSL_NO_TLSEXT)
2278 # if !defined(OPENSSL_NO_NEXTPROTONEG)
2279         if (next_proto.status != -1) {
2280                 const unsigned char *proto;
2281                 unsigned int proto_len;
2282                 SSL_get0_next_proto_negotiated(s, &proto, &proto_len);
2283                 BIO_printf(bio, "Next protocol: (%d) ", next_proto.status);
2284                 BIO_write(bio, proto, proto_len);
2285                 BIO_write(bio, "\n", 1);
2286         }
2287 # endif
2288         {
2289                 const unsigned char *proto;
2290                 unsigned int proto_len;
2291                 SSL_get0_alpn_selected(s, &proto, &proto_len);
2292                 if (proto_len > 0)
2293                         {
2294                         BIO_printf(bio, "ALPN protocol: ");
2295                         BIO_write(bio, proto, proto_len);
2296                         BIO_write(bio, "\n", 1);
2297                         }
2298                 else
2299                         BIO_printf(bio, "No ALPN negotiated\n");
2300         }
2301 #endif
2302
2303         {
2304         SRTP_PROTECTION_PROFILE *srtp_profile=SSL_get_selected_srtp_profile(s);
2305  
2306         if(srtp_profile)
2307                 BIO_printf(bio,"SRTP Extension negotiated, profile=%s\n",
2308                            srtp_profile->name);
2309         }
2310  
2311         SSL_SESSION_print(bio,SSL_get_session(s));
2312         if (keymatexportlabel != NULL)
2313                 {
2314                 BIO_printf(bio, "Keying material exporter:\n");
2315                 BIO_printf(bio, "    Label: '%s'\n", keymatexportlabel);
2316                 BIO_printf(bio, "    Length: %i bytes\n", keymatexportlen);
2317                 exportedkeymat = OPENSSL_malloc(keymatexportlen);
2318                 if (exportedkeymat != NULL)
2319                         {
2320                         if (!SSL_export_keying_material(s, exportedkeymat,
2321                                                         keymatexportlen,
2322                                                         keymatexportlabel,
2323                                                         strlen(keymatexportlabel),
2324                                                         NULL, 0, 0))
2325                                 {
2326                                 BIO_printf(bio, "    Error\n");
2327                                 }
2328                         else
2329                                 {
2330                                 BIO_printf(bio, "    Keying material: ");
2331                                 for (i=0; i<keymatexportlen; i++)
2332                                         BIO_printf(bio, "%02X",
2333                                                    exportedkeymat[i]);
2334                                 BIO_printf(bio, "\n");
2335                                 }
2336                         OPENSSL_free(exportedkeymat);
2337                         }
2338                 }
2339         BIO_printf(bio,"---\n");
2340         if (peer != NULL)
2341                 X509_free(peer);
2342         /* flush, or debugging output gets mixed with http response */
2343         (void)BIO_flush(bio);
2344         }
2345
2346 #ifndef OPENSSL_NO_TLSEXT
2347
2348 static int ocsp_resp_cb(SSL *s, void *arg)
2349         {
2350         const unsigned char *p;
2351         int len;
2352         OCSP_RESPONSE *rsp;
2353         len = SSL_get_tlsext_status_ocsp_resp(s, &p);
2354         BIO_puts(arg, "OCSP response: ");
2355         if (!p)
2356                 {
2357                 BIO_puts(arg, "no response sent\n");
2358                 return 1;
2359                 }
2360         rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
2361         if (!rsp)
2362                 {
2363                 BIO_puts(arg, "response parse error\n");
2364                 BIO_dump_indent(arg, (char *)p, len, 4);
2365                 return 0;
2366                 }
2367         BIO_puts(arg, "\n======================================\n");
2368         OCSP_RESPONSE_print(arg, rsp, 0);
2369         BIO_puts(arg, "======================================\n");
2370         OCSP_RESPONSE_free(rsp);
2371         return 1;
2372         }
2373
2374 #endif