633d110f7999f07ff9e5112bbae6ebb46c118f09
[openssl.git] / apps / s_client.c
1 /* apps/s_client.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111 /* ====================================================================
112  * Copyright 2005 Nokia. All rights reserved.
113  *
114  * The portions of the attached software ("Contribution") is developed by
115  * Nokia Corporation and is licensed pursuant to the OpenSSL open source
116  * license.
117  *
118  * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119  * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120  * support (see RFC 4279) to OpenSSL.
121  *
122  * No patent licenses or other rights except those expressly stated in
123  * the OpenSSL open source license shall be deemed granted or received
124  * expressly, by implication, estoppel, or otherwise.
125  *
126  * No assurances are provided by Nokia that the Contribution does not
127  * infringe the patent or other intellectual property rights of any third
128  * party or that the license provides you with all the necessary rights
129  * to make use of the Contribution.
130  *
131  * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132  * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133  * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134  * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
135  * OTHERWISE.
136  */
137
138 #include <assert.h>
139 #include <ctype.h>
140 #include <stdio.h>
141 #include <stdlib.h>
142 #include <string.h>
143 #include <openssl/e_os2.h>
144 #ifdef OPENSSL_NO_STDIO
145 #define APPS_WIN16
146 #endif
147
148 /* With IPv6, it looks like Digital has mixed up the proper order of
149    recursive header file inclusion, resulting in the compiler complaining
150    that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which
151    is needed to have fileno() declared correctly...  So let's define u_int */
152 #if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
153 #define __U_INT
154 typedef unsigned int u_int;
155 #endif
156
157 #define USE_SOCKETS
158 #include "apps.h"
159 #include <openssl/x509.h>
160 #include <openssl/ssl.h>
161 #include <openssl/err.h>
162 #include <openssl/pem.h>
163 #include <openssl/rand.h>
164 #include "s_apps.h"
165 #include "timeouts.h"
166
167 #if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
168 /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
169 #undef FIONBIO
170 #endif
171
172 #if defined(OPENSSL_SYS_BEOS_R5)
173 #include <fcntl.h>
174 #endif
175
176 #undef PROG
177 #define PROG    s_client_main
178
179 /*#define SSL_HOST_NAME "www.netscape.com" */
180 /*#define SSL_HOST_NAME "193.118.187.102" */
181 #define SSL_HOST_NAME   "localhost"
182
183 /*#define TEST_CERT "client.pem" */ /* no default cert. */
184
185 #undef BUFSIZZ
186 #define BUFSIZZ 1024*8
187
188 extern int verify_depth;
189 extern int verify_error;
190 extern int verify_return_error;
191
192 #ifdef FIONBIO
193 static int c_nbio=0;
194 #endif
195 static int c_Pause=0;
196 static int c_debug=0;
197 static int c_msg=0;
198 static int c_showcerts=0;
199
200 static void sc_usage(void);
201 static void print_stuff(BIO *berr,SSL *con,int full);
202 static BIO *bio_c_out=NULL;
203 static int c_quiet=0;
204 static int c_ign_eof=0;
205
206 #ifndef OPENSSL_NO_PSK
207 /* Default PSK identity and key */
208 static char *psk_identity="Client_identity";
209 static char *psk_key=NULL; /* by default PSK is not used */
210
211 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity,
212         unsigned int max_identity_len, unsigned char *psk,
213         unsigned int max_psk_len)
214         {
215         unsigned int psk_len = 0;
216         int ret;
217         BIGNUM *bn=NULL;
218
219         if (c_debug)
220                 BIO_printf(bio_c_out, "psk_client_cb\n");
221         if (!hint)
222                 {
223                 /* no ServerKeyExchange message*/
224                 if (c_debug)
225                         BIO_printf(bio_c_out,"NULL received PSK identity hint, continuing anyway\n");
226                 }
227         else if (c_debug)
228                 BIO_printf(bio_c_out, "Received PSK identity hint '%s'\n", hint);
229
230         /* lookup PSK identity and PSK key based on the given identity hint here */
231         ret = BIO_snprintf(identity, max_identity_len, psk_identity);
232         if (ret < 0 || (unsigned int)ret > max_identity_len)
233                 goto out_err;
234         if (c_debug)
235                 BIO_printf(bio_c_out, "created identity '%s' len=%d\n", identity, ret);
236         ret=BN_hex2bn(&bn, psk_key);
237         if (!ret)
238                 {
239                 BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", psk_key);
240                 if (bn)
241                         BN_free(bn);
242                 return 0;
243                 }
244
245         if ((unsigned int)BN_num_bytes(bn) > max_psk_len)
246                 {
247                 BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
248                         max_psk_len, BN_num_bytes(bn));
249                 BN_free(bn);
250                 return 0;
251                 }
252
253         psk_len=BN_bn2bin(bn, psk);
254         BN_free(bn);
255         if (psk_len == 0)
256                 goto out_err;
257
258         if (c_debug)
259                 BIO_printf(bio_c_out, "created PSK len=%d\n", psk_len);
260
261         return psk_len;
262  out_err:
263         if (c_debug)
264                 BIO_printf(bio_err, "Error in PSK client callback\n");
265         return 0;
266         }
267 #endif
268
269 static void sc_usage(void)
270         {
271         BIO_printf(bio_err,"usage: s_client args\n");
272         BIO_printf(bio_err,"\n");
273         BIO_printf(bio_err," -host host     - use -connect instead\n");
274         BIO_printf(bio_err," -port port     - use -connect instead\n");
275         BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR);
276
277         BIO_printf(bio_err," -verify arg   - turn on peer certificate verification\n");
278         BIO_printf(bio_err," -cert arg     - certificate file to use, PEM format assumed\n");
279         BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n");
280         BIO_printf(bio_err," -key arg      - Private key file to use, in cert file if\n");
281         BIO_printf(bio_err,"                 not specified but cert file is.\n");
282         BIO_printf(bio_err," -keyform arg  - key format (PEM or DER) PEM default\n");
283         BIO_printf(bio_err," -pass arg     - private key file pass phrase source\n");
284         BIO_printf(bio_err," -CApath arg   - PEM format directory of CA's\n");
285         BIO_printf(bio_err," -CAfile arg   - PEM format file of CA's\n");
286         BIO_printf(bio_err," -reconnect    - Drop and re-make the connection with the same Session-ID\n");
287         BIO_printf(bio_err," -pause        - sleep(1) after each read(2) and write(2) system call\n");
288         BIO_printf(bio_err," -showcerts    - show all certificates in the chain\n");
289         BIO_printf(bio_err," -debug        - extra output\n");
290 #ifdef WATT32
291         BIO_printf(bio_err," -wdebug       - WATT-32 tcp debugging\n");
292 #endif
293         BIO_printf(bio_err," -msg          - Show protocol messages\n");
294         BIO_printf(bio_err," -nbio_test    - more ssl protocol testing\n");
295         BIO_printf(bio_err," -state        - print the 'ssl' states\n");
296 #ifdef FIONBIO
297         BIO_printf(bio_err," -nbio         - Run with non-blocking IO\n");
298 #endif
299         BIO_printf(bio_err," -crlf         - convert LF from terminal into CRLF\n");
300         BIO_printf(bio_err," -quiet        - no s_client output\n");
301         BIO_printf(bio_err," -ign_eof      - ignore input eof (default when -quiet)\n");
302 #ifndef OPENSSL_NO_PSK
303         BIO_printf(bio_err," -psk_identity arg - PSK identity\n");
304         BIO_printf(bio_err," -psk arg      - PSK in hex (without 0x)\n");
305 #endif
306         BIO_printf(bio_err," -ssl2         - just use SSLv2\n");
307         BIO_printf(bio_err," -ssl3         - just use SSLv3\n");
308         BIO_printf(bio_err," -tls1         - just use TLSv1\n");
309         BIO_printf(bio_err," -dtls1        - just use DTLSv1\n");    
310         BIO_printf(bio_err," -mtu          - set the MTU\n");
311         BIO_printf(bio_err," -no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
312         BIO_printf(bio_err," -bugs         - Switch on all SSL implementation bug workarounds\n");
313         BIO_printf(bio_err," -serverpref   - Use server's cipher preferences (only SSLv2)\n");
314         BIO_printf(bio_err," -cipher       - preferred cipher to use, use the 'openssl ciphers'\n");
315         BIO_printf(bio_err,"                 command to see what is available\n");
316         BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n");
317         BIO_printf(bio_err,"                 for those protocols that support it, where\n");
318         BIO_printf(bio_err,"                 'prot' defines which one to assume.  Currently,\n");
319         BIO_printf(bio_err,"                 only \"smtp\", \"pop3\", \"imap\", and \"ftp\" are supported.\n");
320 #ifndef OPENSSL_NO_ENGINE
321         BIO_printf(bio_err," -engine id    - Initialise and use the specified engine\n");
322 #endif
323         BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
324 #ifndef OPENSSL_NO_TLSEXT
325         BIO_printf(bio_err," -servername host  - Set TLS extension servername in ClientHello\n");
326 #endif
327         }
328
329 #ifndef OPENSSL_NO_TLSEXT
330
331 /* This is a context that we pass to callbacks */
332 typedef struct tlsextctx_st {
333    BIO * biodebug;
334    int ack;
335 } tlsextctx;
336
337
338 static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
339         {
340         tlsextctx * p = (tlsextctx *) arg;
341         const char * hn= SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
342         if (SSL_get_servername_type(s) != -1) 
343                 p->ack = !SSL_session_reused(s) && hn != NULL;
344         else 
345                 BIO_printf(bio_err,"Can't use SSL_get_servername\n");
346         
347         return SSL_TLSEXT_ERR_OK;
348         }
349 #endif
350
351 enum
352 {
353         PROTO_OFF       = 0,
354         PROTO_SMTP,
355         PROTO_POP3,
356         PROTO_IMAP,
357         PROTO_FTP
358 };
359
360 int MAIN(int, char **);
361
362 int MAIN(int argc, char **argv)
363         {
364         int off=0;
365         SSL *con=NULL;
366         X509_STORE *store = NULL;
367         int s,k,width,state=0;
368         char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL;
369         int cbuf_len,cbuf_off;
370         int sbuf_len,sbuf_off;
371         fd_set readfds,writefds;
372         short port=PORT;
373         int full_log=1;
374         char *host=SSL_HOST_NAME;
375         char *cert_file=NULL,*key_file=NULL;
376         int cert_format = FORMAT_PEM, key_format = FORMAT_PEM;
377         char *passarg = NULL, *pass = NULL;
378         X509 *cert = NULL;
379         EVP_PKEY *key = NULL;
380         char *CApath=NULL,*CAfile=NULL,*cipher=NULL;
381         int reconnect=0,badop=0,verify=SSL_VERIFY_NONE,bugs=0;
382         int crlf=0;
383         int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending;
384         SSL_CTX *ctx=NULL;
385         int ret=1,in_init=1,i,nbio_test=0;
386         int starttls_proto = PROTO_OFF;
387         int prexit = 0, vflags = 0;
388         const SSL_METHOD *meth=NULL;
389         int socket_type=SOCK_STREAM;
390         BIO *sbio;
391         char *inrand=NULL;
392         int mbuf_len=0;
393 #ifndef OPENSSL_NO_ENGINE
394         char *engine_id=NULL;
395         ENGINE *e=NULL;
396 #endif
397 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
398         struct timeval tv;
399 #if defined(OPENSSL_SYS_BEOS_R5)
400         int stdin_set = 0;
401 #endif
402 #endif
403
404 #ifndef OPENSSL_NO_TLSEXT
405         char *servername = NULL; 
406         tlsextctx tlsextcbp = 
407         {NULL,0};
408 #endif
409         struct sockaddr peer;
410         int peerlen = sizeof(peer);
411         int enable_timeouts = 0 ;
412         long socket_mtu = 0;
413
414 #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
415         meth=SSLv23_client_method();
416 #elif !defined(OPENSSL_NO_SSL3)
417         meth=SSLv3_client_method();
418 #elif !defined(OPENSSL_NO_SSL2)
419         meth=SSLv2_client_method();
420 #endif
421
422         apps_startup();
423         c_Pause=0;
424         c_quiet=0;
425         c_ign_eof=0;
426         c_debug=0;
427         c_msg=0;
428         c_showcerts=0;
429
430         if (bio_err == NULL)
431                 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
432
433         if (!load_config(bio_err, NULL))
434                 goto end;
435
436         if (    ((cbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
437                 ((sbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
438                 ((mbuf=OPENSSL_malloc(BUFSIZZ)) == NULL))
439                 {
440                 BIO_printf(bio_err,"out of memory\n");
441                 goto end;
442                 }
443
444         verify_depth=0;
445         verify_error=X509_V_OK;
446 #ifdef FIONBIO
447         c_nbio=0;
448 #endif
449
450         argc--;
451         argv++;
452         while (argc >= 1)
453                 {
454                 if      (strcmp(*argv,"-host") == 0)
455                         {
456                         if (--argc < 1) goto bad;
457                         host= *(++argv);
458                         }
459                 else if (strcmp(*argv,"-port") == 0)
460                         {
461                         if (--argc < 1) goto bad;
462                         port=atoi(*(++argv));
463                         if (port == 0) goto bad;
464                         }
465                 else if (strcmp(*argv,"-connect") == 0)
466                         {
467                         if (--argc < 1) goto bad;
468                         if (!extract_host_port(*(++argv),&host,NULL,&port))
469                                 goto bad;
470                         }
471                 else if (strcmp(*argv,"-verify") == 0)
472                         {
473                         verify=SSL_VERIFY_PEER;
474                         if (--argc < 1) goto bad;
475                         verify_depth=atoi(*(++argv));
476                         BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
477                         }
478                 else if (strcmp(*argv,"-cert") == 0)
479                         {
480                         if (--argc < 1) goto bad;
481                         cert_file= *(++argv);
482                         }
483                 else if (strcmp(*argv,"-certform") == 0)
484                         {
485                         if (--argc < 1) goto bad;
486                         cert_format = str2fmt(*(++argv));
487                         }
488                 else if (strcmp(*argv,"-crl_check") == 0)
489                         vflags |= X509_V_FLAG_CRL_CHECK;
490                 else if (strcmp(*argv,"-crl_check_all") == 0)
491                         vflags |= X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL;
492                 else if (strcmp(*argv,"-verify_return_error") == 0)
493                         verify_return_error = 1;
494                 else if (strcmp(*argv,"-prexit") == 0)
495                         prexit=1;
496                 else if (strcmp(*argv,"-crlf") == 0)
497                         crlf=1;
498                 else if (strcmp(*argv,"-quiet") == 0)
499                         {
500                         c_quiet=1;
501                         c_ign_eof=1;
502                         }
503                 else if (strcmp(*argv,"-ign_eof") == 0)
504                         c_ign_eof=1;
505                 else if (strcmp(*argv,"-pause") == 0)
506                         c_Pause=1;
507                 else if (strcmp(*argv,"-debug") == 0)
508                         c_debug=1;
509 #ifdef WATT32
510                 else if (strcmp(*argv,"-wdebug") == 0)
511                         dbug_init();
512 #endif
513                 else if (strcmp(*argv,"-msg") == 0)
514                         c_msg=1;
515                 else if (strcmp(*argv,"-showcerts") == 0)
516                         c_showcerts=1;
517                 else if (strcmp(*argv,"-nbio_test") == 0)
518                         nbio_test=1;
519                 else if (strcmp(*argv,"-state") == 0)
520                         state=1;
521 #ifndef OPENSSL_NO_PSK
522                 else if (strcmp(*argv,"-psk_identity") == 0)
523                         {
524                         if (--argc < 1) goto bad;
525                         psk_identity=*(++argv);
526                         }
527                 else if (strcmp(*argv,"-psk") == 0)
528                         {
529                         size_t j;
530
531                         if (--argc < 1) goto bad;
532                         psk_key=*(++argv);
533                         for (j = 0; j < strlen(psk_key); j++)
534                                 {
535                                 if (isxdigit((int)psk_key[j]))
536                                         continue;
537                                 BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
538                                 goto bad;
539                                 }
540                         }
541 #endif
542 #ifndef OPENSSL_NO_SSL2
543                 else if (strcmp(*argv,"-ssl2") == 0)
544                         meth=SSLv2_client_method();
545 #endif
546 #ifndef OPENSSL_NO_SSL3
547                 else if (strcmp(*argv,"-ssl3") == 0)
548                         meth=SSLv3_client_method();
549 #endif
550 #ifndef OPENSSL_NO_TLS1
551                 else if (strcmp(*argv,"-tls1") == 0)
552                         meth=TLSv1_client_method();
553 #endif
554 #ifndef OPENSSL_NO_DTLS1
555                 else if (strcmp(*argv,"-dtls1") == 0)
556                         {
557                         meth=DTLSv1_client_method();
558                         socket_type=SOCK_DGRAM;
559                         }
560                 else if (strcmp(*argv,"-timeout") == 0)
561                         enable_timeouts=1;
562                 else if (strcmp(*argv,"-mtu") == 0)
563                         {
564                         if (--argc < 1) goto bad;
565                         socket_mtu = atol(*(++argv));
566                         }
567 #endif
568                 else if (strcmp(*argv,"-bugs") == 0)
569                         bugs=1;
570                 else if (strcmp(*argv,"-keyform") == 0)
571                         {
572                         if (--argc < 1) goto bad;
573                         key_format = str2fmt(*(++argv));
574                         }
575                 else if (strcmp(*argv,"-pass") == 0)
576                         {
577                         if (--argc < 1) goto bad;
578                         passarg = *(++argv);
579                         }
580                 else if (strcmp(*argv,"-key") == 0)
581                         {
582                         if (--argc < 1) goto bad;
583                         key_file= *(++argv);
584                         }
585                 else if (strcmp(*argv,"-reconnect") == 0)
586                         {
587                         reconnect=5;
588                         }
589                 else if (strcmp(*argv,"-CApath") == 0)
590                         {
591                         if (--argc < 1) goto bad;
592                         CApath= *(++argv);
593                         }
594                 else if (strcmp(*argv,"-CAfile") == 0)
595                         {
596                         if (--argc < 1) goto bad;
597                         CAfile= *(++argv);
598                         }
599                 else if (strcmp(*argv,"-no_tls1") == 0)
600                         off|=SSL_OP_NO_TLSv1;
601                 else if (strcmp(*argv,"-no_ssl3") == 0)
602                         off|=SSL_OP_NO_SSLv3;
603                 else if (strcmp(*argv,"-no_ssl2") == 0)
604                         off|=SSL_OP_NO_SSLv2;
605                 else if (strcmp(*argv,"-no_comp") == 0)
606                         { off|=SSL_OP_NO_COMPRESSION; }
607                 else if (strcmp(*argv,"-serverpref") == 0)
608                         off|=SSL_OP_CIPHER_SERVER_PREFERENCE;
609                 else if (strcmp(*argv,"-cipher") == 0)
610                         {
611                         if (--argc < 1) goto bad;
612                         cipher= *(++argv);
613                         }
614 #ifdef FIONBIO
615                 else if (strcmp(*argv,"-nbio") == 0)
616                         { c_nbio=1; }
617 #endif
618                 else if (strcmp(*argv,"-starttls") == 0)
619                         {
620                         if (--argc < 1) goto bad;
621                         ++argv;
622                         if (strcmp(*argv,"smtp") == 0)
623                                 starttls_proto = PROTO_SMTP;
624                         else if (strcmp(*argv,"pop3") == 0)
625                                 starttls_proto = PROTO_POP3;
626                         else if (strcmp(*argv,"imap") == 0)
627                                 starttls_proto = PROTO_IMAP;
628                         else if (strcmp(*argv,"ftp") == 0)
629                                 starttls_proto = PROTO_FTP;
630                         else
631                                 goto bad;
632                         }
633 #ifndef OPENSSL_NO_ENGINE
634                 else if (strcmp(*argv,"-engine") == 0)
635                         {
636                         if (--argc < 1) goto bad;
637                         engine_id = *(++argv);
638                         }
639 #endif
640                 else if (strcmp(*argv,"-rand") == 0)
641                         {
642                         if (--argc < 1) goto bad;
643                         inrand= *(++argv);
644                         }
645 #ifndef OPENSSL_NO_TLSEXT
646                 else if (strcmp(*argv,"-servername") == 0)
647                         {
648                         if (--argc < 1) goto bad;
649                         servername= *(++argv);
650                         /* meth=TLSv1_client_method(); */
651                         }
652 #endif
653                 else
654                         {
655                         BIO_printf(bio_err,"unknown option %s\n",*argv);
656                         badop=1;
657                         break;
658                         }
659                 argc--;
660                 argv++;
661                 }
662         if (badop)
663                 {
664 bad:
665                 sc_usage();
666                 goto end;
667                 }
668
669         OpenSSL_add_ssl_algorithms();
670         SSL_load_error_strings();
671
672 #ifndef OPENSSL_NO_ENGINE
673         e = setup_engine(bio_err, engine_id, 1);
674 #endif
675         if (!app_passwd(bio_err, passarg, NULL, &pass, NULL))
676                 {
677                 BIO_printf(bio_err, "Error getting password\n");
678                 goto end;
679                 }
680
681         if (key_file == NULL)
682                 key_file = cert_file;
683
684
685         if (key_file)
686
687                 {
688
689                 key = load_key(bio_err, key_file, key_format, 0, pass, e,
690                                "client certificate private key file");
691                 if (!key)
692                         {
693                         ERR_print_errors(bio_err);
694                         goto end;
695                         }
696
697                 }
698
699         if (cert_file)
700
701                 {
702                 cert = load_cert(bio_err,cert_file,cert_format,
703                                 NULL, e, "client certificate file");
704
705                 if (!cert)
706                         {
707                         ERR_print_errors(bio_err);
708                         goto end;
709                         }
710                 }
711
712         if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
713                 && !RAND_status())
714                 {
715                 BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
716                 }
717         if (inrand != NULL)
718                 BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
719                         app_RAND_load_files(inrand));
720
721         if (bio_c_out == NULL)
722                 {
723                 if (c_quiet && !c_debug && !c_msg)
724                         {
725                         bio_c_out=BIO_new(BIO_s_null());
726                         }
727                 else
728                         {
729                         if (bio_c_out == NULL)
730                                 bio_c_out=BIO_new_fp(stdout,BIO_NOCLOSE);
731                         }
732                 }
733
734         ctx=SSL_CTX_new(meth);
735         if (ctx == NULL)
736                 {
737                 ERR_print_errors(bio_err);
738                 goto end;
739                 }
740
741 #ifndef OPENSSL_NO_PSK
742         if (psk_key != NULL)
743                 {
744                 if (c_debug)
745                         BIO_printf(bio_c_out, "PSK key given, setting client callback\n");
746                 SSL_CTX_set_psk_client_callback(ctx, psk_client_cb);
747                 }
748 #endif
749         if (bugs)
750                 SSL_CTX_set_options(ctx,SSL_OP_ALL|off);
751         else
752                 SSL_CTX_set_options(ctx,off);
753         /* DTLS: partial reads end up discarding unread UDP bytes :-( 
754          * Setting read ahead solves this problem.
755          */
756         if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
757
758         if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
759         if (cipher != NULL)
760                 if(!SSL_CTX_set_cipher_list(ctx,cipher)) {
761                 BIO_printf(bio_err,"error setting cipher list\n");
762                 ERR_print_errors(bio_err);
763                 goto end;
764         }
765 #if 0
766         else
767                 SSL_CTX_set_cipher_list(ctx,getenv("SSL_CIPHER"));
768 #endif
769
770         SSL_CTX_set_verify(ctx,verify,verify_callback);
771         if (!set_cert_key_stuff(ctx,cert,key))
772                 goto end;
773
774         if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
775                 (!SSL_CTX_set_default_verify_paths(ctx)))
776                 {
777                 /* BIO_printf(bio_err,"error setting default verify locations\n"); */
778                 ERR_print_errors(bio_err);
779                 /* goto end; */
780                 }
781
782         store = SSL_CTX_get_cert_store(ctx);
783         X509_STORE_set_flags(store, vflags);
784 #ifndef OPENSSL_NO_TLSEXT
785         if (servername != NULL)
786                 {
787                 tlsextcbp.biodebug = bio_err;
788                 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
789                 SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
790                 }
791 #endif
792
793         con=SSL_new(ctx);
794 #ifndef OPENSSL_NO_TLSEXT
795         if (servername != NULL)
796                 {
797                 if (!SSL_set_tlsext_host_name(con,servername))
798                         {
799                         BIO_printf(bio_err,"Unable to set TLS servername extension.\n");
800                         ERR_print_errors(bio_err);
801                         goto end;
802                         }
803                 }
804 #endif
805 #ifndef OPENSSL_NO_KRB5
806         if (con  &&  (con->kssl_ctx = kssl_ctx_new()) != NULL)
807                 {
808                 kssl_ctx_setstring(con->kssl_ctx, KSSL_SERVER, host);
809                 }
810 #endif  /* OPENSSL_NO_KRB5  */
811 /*      SSL_set_cipher_list(con,"RC4-MD5"); */
812
813 re_start:
814
815         if (init_client(&s,host,port,socket_type) == 0)
816                 {
817                 BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
818                 SHUTDOWN(s);
819                 goto end;
820                 }
821         BIO_printf(bio_c_out,"CONNECTED(%08X)\n",s);
822
823 #ifdef FIONBIO
824         if (c_nbio)
825                 {
826                 unsigned long l=1;
827                 BIO_printf(bio_c_out,"turning on non blocking io\n");
828                 if (BIO_socket_ioctl(s,FIONBIO,&l) < 0)
829                         {
830                         ERR_print_errors(bio_err);
831                         goto end;
832                         }
833                 }
834 #endif                                              
835         if (c_Pause & 0x01) con->debug=1;
836
837         if ( SSL_version(con) == DTLS1_VERSION)
838                 {
839                 struct timeval timeout;
840
841                 sbio=BIO_new_dgram(s,BIO_NOCLOSE);
842                 if (getsockname(s, &peer, (void *)&peerlen) < 0)
843                         {
844                         BIO_printf(bio_err, "getsockname:errno=%d\n",
845                                 get_last_socket_error());
846                         SHUTDOWN(s);
847                         goto end;
848                         }
849
850                 BIO_ctrl_set_connected(sbio, 1, &peer);
851
852                 if (enable_timeouts)
853                         {
854                         timeout.tv_sec = 0;
855                         timeout.tv_usec = DGRAM_RCV_TIMEOUT;
856                         BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
857                         
858                         timeout.tv_sec = 0;
859                         timeout.tv_usec = DGRAM_SND_TIMEOUT;
860                         BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
861                         }
862
863                 if (socket_mtu > 0)
864                         {
865                         SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
866                         SSL_set_mtu(con, socket_mtu);
867                         }
868                 else
869                         /* want to do MTU discovery */
870                         BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
871                 }
872         else
873                 sbio=BIO_new_socket(s,BIO_NOCLOSE);
874
875
876
877         if (nbio_test)
878                 {
879                 BIO *test;
880
881                 test=BIO_new(BIO_f_nbio_test());
882                 sbio=BIO_push(test,sbio);
883                 }
884
885         if (c_debug)
886                 {
887                 con->debug=1;
888                 BIO_set_callback(sbio,bio_dump_callback);
889                 BIO_set_callback_arg(sbio,(char *)bio_c_out);
890                 }
891         if (c_msg)
892                 {
893                 SSL_set_msg_callback(con, msg_cb);
894                 SSL_set_msg_callback_arg(con, bio_c_out);
895                 }
896
897         SSL_set_bio(con,sbio,sbio);
898         SSL_set_connect_state(con);
899
900         /* ok, lets connect */
901         width=SSL_get_fd(con)+1;
902
903         read_tty=1;
904         write_tty=0;
905         tty_on=0;
906         read_ssl=1;
907         write_ssl=1;
908         
909         cbuf_len=0;
910         cbuf_off=0;
911         sbuf_len=0;
912         sbuf_off=0;
913
914         /* This is an ugly hack that does a lot of assumptions */
915         if (starttls_proto == PROTO_SMTP)
916                 {
917                 int foundit=0;
918                 /* wait for multi-line response to end from SMTP */
919                 do
920                         {
921                         mbuf_len = BIO_read(sbio,mbuf,BUFSIZZ);
922                         }
923                 while (mbuf_len>3 && mbuf[3]=='-');
924                 /* STARTTLS command requires EHLO... */
925                 BIO_printf(sbio,"EHLO openssl.client.net\r\n");
926                 /* wait for multi-line response to end EHLO SMTP response */
927                 do
928                         {
929                         mbuf_len = BIO_read(sbio,mbuf,BUFSIZZ);
930                         if (strstr(mbuf,"STARTTLS"))
931                                 foundit=1;
932                         }
933                 while (mbuf_len>3 && mbuf[3]=='-');
934                 if (!foundit)
935                         BIO_printf(bio_err,
936                                    "didn't found starttls in server response,"
937                                    " try anyway...\n");
938                 BIO_printf(sbio,"STARTTLS\r\n");
939                 BIO_read(sbio,sbuf,BUFSIZZ);
940                 }
941         else if (starttls_proto == PROTO_POP3)
942                 {
943                 BIO_read(sbio,mbuf,BUFSIZZ);
944                 BIO_printf(sbio,"STLS\r\n");
945                 BIO_read(sbio,sbuf,BUFSIZZ);
946                 }
947         else if (starttls_proto == PROTO_IMAP)
948                 {
949                 int foundit=0;
950                 BIO_read(sbio,mbuf,BUFSIZZ);
951                 /* STARTTLS command requires CAPABILITY... */
952                 BIO_printf(sbio,". CAPABILITY\r\n");
953                 /* wait for multi-line CAPABILITY response */
954                 do
955                         {
956                         mbuf_len = BIO_read(sbio,mbuf,BUFSIZZ);
957                         if (strstr(mbuf,"STARTTLS"))
958                                 foundit=1;
959                         }
960                 while (mbuf_len>3);
961                 if (!foundit)
962                         BIO_printf(bio_err,
963                                    "didn't found STARTTLS in server response,"
964                                    " try anyway...\n");
965                 BIO_printf(sbio,". STARTTLS\r\n");
966                 BIO_read(sbio,sbuf,BUFSIZZ);
967                 }
968         else if (starttls_proto == PROTO_FTP)
969                 {
970                 /* wait for multi-line response to end from FTP */
971                 do
972                         {
973                         mbuf_len = BIO_read(sbio,mbuf,BUFSIZZ);
974                         }
975                 while (mbuf_len>3 && mbuf[3]=='-');
976                 BIO_printf(sbio,"AUTH TLS\r\n");
977                 BIO_read(sbio,sbuf,BUFSIZZ);
978                 }
979
980         for (;;)
981                 {
982                 FD_ZERO(&readfds);
983                 FD_ZERO(&writefds);
984
985                 if (SSL_in_init(con) && !SSL_total_renegotiations(con))
986                         {
987                         in_init=1;
988                         tty_on=0;
989                         }
990                 else
991                         {
992                         tty_on=1;
993                         if (in_init)
994                                 {
995                                 in_init=0;
996 #ifndef OPENSSL_NO_TLSEXT
997                                 if (servername != NULL && !SSL_session_reused(con))
998                                         {
999                                         BIO_printf(bio_c_out,"Server did %sacknowledge servername extension.\n",tlsextcbp.ack?"":"not ");
1000                                         }
1001 #endif
1002                                 print_stuff(bio_c_out,con,full_log);
1003                                 if (full_log > 0) full_log--;
1004
1005                                 if (starttls_proto)
1006                                         {
1007                                         BIO_printf(bio_err,"%s",mbuf);
1008                                         /* We don't need to know any more */
1009                                         starttls_proto = PROTO_OFF;
1010                                         }
1011
1012                                 if (reconnect)
1013                                         {
1014                                         reconnect--;
1015                                         BIO_printf(bio_c_out,"drop connection and then reconnect\n");
1016                                         SSL_shutdown(con);
1017                                         SSL_set_connect_state(con);
1018                                         SHUTDOWN(SSL_get_fd(con));
1019                                         goto re_start;
1020                                         }
1021                                 }
1022                         }
1023
1024                 ssl_pending = read_ssl && SSL_pending(con);
1025
1026                 if (!ssl_pending)
1027                         {
1028 #if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) && !defined (OPENSSL_SYS_BEOS_R5)
1029                         if (tty_on)
1030                                 {
1031                                 if (read_tty)  openssl_fdset(fileno(stdin),&readfds);
1032                                 if (write_tty) openssl_fdset(fileno(stdout),&writefds);
1033                                 }
1034                         if (read_ssl)
1035                                 openssl_fdset(SSL_get_fd(con),&readfds);
1036                         if (write_ssl)
1037                                 openssl_fdset(SSL_get_fd(con),&writefds);
1038 #else
1039                         if(!tty_on || !write_tty) {
1040                                 if (read_ssl)
1041                                         openssl_fdset(SSL_get_fd(con),&readfds);
1042                                 if (write_ssl)
1043                                         openssl_fdset(SSL_get_fd(con),&writefds);
1044                         }
1045 #endif
1046 /*                      printf("mode tty(%d %d%d) ssl(%d%d)\n",
1047                                 tty_on,read_tty,write_tty,read_ssl,write_ssl);*/
1048
1049                         /* Note: under VMS with SOCKETSHR the second parameter
1050                          * is currently of type (int *) whereas under other
1051                          * systems it is (void *) if you don't have a cast it
1052                          * will choke the compiler: if you do have a cast then
1053                          * you can either go for (int *) or (void *).
1054                          */
1055 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
1056                         /* Under Windows/DOS we make the assumption that we can
1057                          * always write to the tty: therefore if we need to
1058                          * write to the tty we just fall through. Otherwise
1059                          * we timeout the select every second and see if there
1060                          * are any keypresses. Note: this is a hack, in a proper
1061                          * Windows application we wouldn't do this.
1062                          */
1063                         i=0;
1064                         if(!write_tty) {
1065                                 if(read_tty) {
1066                                         tv.tv_sec = 1;
1067                                         tv.tv_usec = 0;
1068                                         i=select(width,(void *)&readfds,(void *)&writefds,
1069                                                  NULL,&tv);
1070 #if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
1071                                         if(!i && (!_kbhit() || !read_tty) ) continue;
1072 #else
1073                                         if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue;
1074 #endif
1075                                 } else  i=select(width,(void *)&readfds,(void *)&writefds,
1076                                          NULL,NULL);
1077                         }
1078 #elif defined(OPENSSL_SYS_NETWARE)
1079                         if(!write_tty) {
1080                                 if(read_tty) {
1081                                         tv.tv_sec = 1;
1082                                         tv.tv_usec = 0;
1083                                         i=select(width,(void *)&readfds,(void *)&writefds,
1084                                                 NULL,&tv);
1085                                 } else  i=select(width,(void *)&readfds,(void *)&writefds,
1086                                         NULL,NULL);
1087                         }
1088 #elif defined(OPENSSL_SYS_BEOS_R5)
1089                         /* Under BeOS-R5 the situation is similar to DOS */
1090                         i=0;
1091                         stdin_set = 0;
1092                         (void)fcntl(fileno(stdin), F_SETFL, O_NONBLOCK);
1093                         if(!write_tty) {
1094                                 if(read_tty) {
1095                                         tv.tv_sec = 1;
1096                                         tv.tv_usec = 0;
1097                                         i=select(width,(void *)&readfds,(void *)&writefds,
1098                                                  NULL,&tv);
1099                                         if (read(fileno(stdin), sbuf, 0) >= 0)
1100                                                 stdin_set = 1;
1101                                         if (!i && (stdin_set != 1 || !read_tty))
1102                                                 continue;
1103                                 } else  i=select(width,(void *)&readfds,(void *)&writefds,
1104                                          NULL,NULL);
1105                         }
1106                         (void)fcntl(fileno(stdin), F_SETFL, 0);
1107 #else
1108                         i=select(width,(void *)&readfds,(void *)&writefds,
1109                                  NULL,NULL);
1110 #endif
1111                         if ( i < 0)
1112                                 {
1113                                 BIO_printf(bio_err,"bad select %d\n",
1114                                 get_last_socket_error());
1115                                 goto shut;
1116                                 /* goto end; */
1117                                 }
1118                         }
1119
1120                 if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds))
1121                         {
1122                         k=SSL_write(con,&(cbuf[cbuf_off]),
1123                                 (unsigned int)cbuf_len);
1124                         switch (SSL_get_error(con,k))
1125                                 {
1126                         case SSL_ERROR_NONE:
1127                                 cbuf_off+=k;
1128                                 cbuf_len-=k;
1129                                 if (k <= 0) goto end;
1130                                 /* we have done a  write(con,NULL,0); */
1131                                 if (cbuf_len <= 0)
1132                                         {
1133                                         read_tty=1;
1134                                         write_ssl=0;
1135                                         }
1136                                 else /* if (cbuf_len > 0) */
1137                                         {
1138                                         read_tty=0;
1139                                         write_ssl=1;
1140                                         }
1141                                 break;
1142                         case SSL_ERROR_WANT_WRITE:
1143                                 BIO_printf(bio_c_out,"write W BLOCK\n");
1144                                 write_ssl=1;
1145                                 read_tty=0;
1146                                 break;
1147                         case SSL_ERROR_WANT_READ:
1148                                 BIO_printf(bio_c_out,"write R BLOCK\n");
1149                                 write_tty=0;
1150                                 read_ssl=1;
1151                                 write_ssl=0;
1152                                 break;
1153                         case SSL_ERROR_WANT_X509_LOOKUP:
1154                                 BIO_printf(bio_c_out,"write X BLOCK\n");
1155                                 break;
1156                         case SSL_ERROR_ZERO_RETURN:
1157                                 if (cbuf_len != 0)
1158                                         {
1159                                         BIO_printf(bio_c_out,"shutdown\n");
1160                                         goto shut;
1161                                         }
1162                                 else
1163                                         {
1164                                         read_tty=1;
1165                                         write_ssl=0;
1166                                         break;
1167                                         }
1168                                 
1169                         case SSL_ERROR_SYSCALL:
1170                                 if ((k != 0) || (cbuf_len != 0))
1171                                         {
1172                                         BIO_printf(bio_err,"write:errno=%d\n",
1173                                                 get_last_socket_error());
1174                                         goto shut;
1175                                         }
1176                                 else
1177                                         {
1178                                         read_tty=1;
1179                                         write_ssl=0;
1180                                         }
1181                                 break;
1182                         case SSL_ERROR_SSL:
1183                                 ERR_print_errors(bio_err);
1184                                 goto shut;
1185                                 }
1186                         }
1187 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
1188                 /* Assume Windows/DOS/BeOS can always write */
1189                 else if (!ssl_pending && write_tty)
1190 #else
1191                 else if (!ssl_pending && FD_ISSET(fileno(stdout),&writefds))
1192 #endif
1193                         {
1194 #ifdef CHARSET_EBCDIC
1195                         ascii2ebcdic(&(sbuf[sbuf_off]),&(sbuf[sbuf_off]),sbuf_len);
1196 #endif
1197                         i=raw_write_stdout(&(sbuf[sbuf_off]),sbuf_len);
1198
1199                         if (i <= 0)
1200                                 {
1201                                 BIO_printf(bio_c_out,"DONE\n");
1202                                 goto shut;
1203                                 /* goto end; */
1204                                 }
1205
1206                         sbuf_len-=i;;
1207                         sbuf_off+=i;
1208                         if (sbuf_len <= 0)
1209                                 {
1210                                 read_ssl=1;
1211                                 write_tty=0;
1212                                 }
1213                         }
1214                 else if (ssl_pending || FD_ISSET(SSL_get_fd(con),&readfds))
1215                         {
1216 #ifdef RENEG
1217 { static int iiii; if (++iiii == 52) { SSL_renegotiate(con); iiii=0; } }
1218 #endif
1219 #if 1
1220                         k=SSL_read(con,sbuf,1024 /* BUFSIZZ */ );
1221 #else
1222 /* Demo for pending and peek :-) */
1223                         k=SSL_read(con,sbuf,16);
1224 { char zbuf[10240]; 
1225 printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240));
1226 }
1227 #endif
1228
1229                         switch (SSL_get_error(con,k))
1230                                 {
1231                         case SSL_ERROR_NONE:
1232                                 if (k <= 0)
1233                                         goto end;
1234                                 sbuf_off=0;
1235                                 sbuf_len=k;
1236
1237                                 read_ssl=0;
1238                                 write_tty=1;
1239                                 break;
1240                         case SSL_ERROR_WANT_WRITE:
1241                                 BIO_printf(bio_c_out,"read W BLOCK\n");
1242                                 write_ssl=1;
1243                                 read_tty=0;
1244                                 break;
1245                         case SSL_ERROR_WANT_READ:
1246                                 BIO_printf(bio_c_out,"read R BLOCK\n");
1247                                 write_tty=0;
1248                                 read_ssl=1;
1249                                 if ((read_tty == 0) && (write_ssl == 0))
1250                                         write_ssl=1;
1251                                 break;
1252                         case SSL_ERROR_WANT_X509_LOOKUP:
1253                                 BIO_printf(bio_c_out,"read X BLOCK\n");
1254                                 break;
1255                         case SSL_ERROR_SYSCALL:
1256                                 BIO_printf(bio_err,"read:errno=%d\n",get_last_socket_error());
1257                                 goto shut;
1258                         case SSL_ERROR_ZERO_RETURN:
1259                                 BIO_printf(bio_c_out,"closed\n");
1260                                 goto shut;
1261                         case SSL_ERROR_SSL:
1262                                 ERR_print_errors(bio_err);
1263                                 goto shut;
1264                                 /* break; */
1265                                 }
1266                         }
1267
1268 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
1269 #if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
1270                 else if (_kbhit())
1271 #else
1272                 else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
1273 #endif
1274 #elif defined (OPENSSL_SYS_NETWARE)
1275                 else if (_kbhit())
1276 #elif defined(OPENSSL_SYS_BEOS_R5)
1277                 else if (stdin_set)
1278 #else
1279                 else if (FD_ISSET(fileno(stdin),&readfds))
1280 #endif
1281                         {
1282                         if (crlf)
1283                                 {
1284                                 int j, lf_num;
1285
1286                                 i=raw_read_stdin(cbuf,BUFSIZZ/2);
1287                                 lf_num = 0;
1288                                 /* both loops are skipped when i <= 0 */
1289                                 for (j = 0; j < i; j++)
1290                                         if (cbuf[j] == '\n')
1291                                                 lf_num++;
1292                                 for (j = i-1; j >= 0; j--)
1293                                         {
1294                                         cbuf[j+lf_num] = cbuf[j];
1295                                         if (cbuf[j] == '\n')
1296                                                 {
1297                                                 lf_num--;
1298                                                 i++;
1299                                                 cbuf[j+lf_num] = '\r';
1300                                                 }
1301                                         }
1302                                 assert(lf_num == 0);
1303                                 }
1304                         else
1305                                 i=raw_read_stdin(cbuf,BUFSIZZ);
1306
1307                         if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q')))
1308                                 {
1309                                 BIO_printf(bio_err,"DONE\n");
1310                                 goto shut;
1311                                 }
1312
1313                         if ((!c_ign_eof) && (cbuf[0] == 'R'))
1314                                 {
1315                                 BIO_printf(bio_err,"RENEGOTIATING\n");
1316                                 SSL_renegotiate(con);
1317                                 cbuf_len=0;
1318                                 }
1319                         else
1320                                 {
1321                                 cbuf_len=i;
1322                                 cbuf_off=0;
1323 #ifdef CHARSET_EBCDIC
1324                                 ebcdic2ascii(cbuf, cbuf, i);
1325 #endif
1326                                 }
1327
1328                         write_ssl=1;
1329                         read_tty=0;
1330                         }
1331                 }
1332 shut:
1333         if (in_init)
1334                 print_stuff(bio_c_out,con,full_log);
1335         SSL_shutdown(con);
1336         SHUTDOWN(SSL_get_fd(con));
1337         ret=0;
1338 end:
1339         if (con != NULL)
1340                 {
1341                 if (prexit != 0)
1342                         print_stuff(bio_c_out,con,1);
1343                 SSL_free(con);
1344                 }
1345         if (ctx != NULL) SSL_CTX_free(ctx);
1346         if (cert)
1347                 X509_free(cert);
1348         if (key)
1349                 EVP_PKEY_free(key);
1350         if (pass)
1351                 OPENSSL_free(pass);
1352         if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); }
1353         if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); }
1354         if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); }
1355         if (bio_c_out != NULL)
1356                 {
1357                 BIO_free(bio_c_out);
1358                 bio_c_out=NULL;
1359                 }
1360         apps_shutdown();
1361         OPENSSL_EXIT(ret);
1362         }
1363
1364
1365 static void print_stuff(BIO *bio, SSL *s, int full)
1366         {
1367         X509 *peer=NULL;
1368         char *p;
1369         static const char *space="                ";
1370         char buf[BUFSIZ];
1371         STACK_OF(X509) *sk;
1372         STACK_OF(X509_NAME) *sk2;
1373         SSL_CIPHER *c;
1374         X509_NAME *xn;
1375         int j,i;
1376 #ifndef OPENSSL_NO_COMP
1377         const COMP_METHOD *comp, *expansion;
1378 #endif
1379
1380         if (full)
1381                 {
1382                 int got_a_chain = 0;
1383
1384                 sk=SSL_get_peer_cert_chain(s);
1385                 if (sk != NULL)
1386                         {
1387                         got_a_chain = 1; /* we don't have it for SSL2 (yet) */
1388
1389                         BIO_printf(bio,"---\nCertificate chain\n");
1390                         for (i=0; i<sk_X509_num(sk); i++)
1391                                 {
1392                                 X509_NAME_oneline(X509_get_subject_name(
1393                                         sk_X509_value(sk,i)),buf,sizeof buf);
1394                                 BIO_printf(bio,"%2d s:%s\n",i,buf);
1395                                 X509_NAME_oneline(X509_get_issuer_name(
1396                                         sk_X509_value(sk,i)),buf,sizeof buf);
1397                                 BIO_printf(bio,"   i:%s\n",buf);
1398                                 if (c_showcerts)
1399                                         PEM_write_bio_X509(bio,sk_X509_value(sk,i));
1400                                 }
1401                         }
1402
1403                 BIO_printf(bio,"---\n");
1404                 peer=SSL_get_peer_certificate(s);
1405                 if (peer != NULL)
1406                         {
1407                         BIO_printf(bio,"Server certificate\n");
1408                         if (!(c_showcerts && got_a_chain)) /* Redundant if we showed the whole chain */
1409                                 PEM_write_bio_X509(bio,peer);
1410                         X509_NAME_oneline(X509_get_subject_name(peer),
1411                                 buf,sizeof buf);
1412                         BIO_printf(bio,"subject=%s\n",buf);
1413                         X509_NAME_oneline(X509_get_issuer_name(peer),
1414                                 buf,sizeof buf);
1415                         BIO_printf(bio,"issuer=%s\n",buf);
1416                         }
1417                 else
1418                         BIO_printf(bio,"no peer certificate available\n");
1419
1420                 sk2=SSL_get_client_CA_list(s);
1421                 if ((sk2 != NULL) && (sk_X509_NAME_num(sk2) > 0))
1422                         {
1423                         BIO_printf(bio,"---\nAcceptable client certificate CA names\n");
1424                         for (i=0; i<sk_X509_NAME_num(sk2); i++)
1425                                 {
1426                                 xn=sk_X509_NAME_value(sk2,i);
1427                                 X509_NAME_oneline(xn,buf,sizeof(buf));
1428                                 BIO_write(bio,buf,strlen(buf));
1429                                 BIO_write(bio,"\n",1);
1430                                 }
1431                         }
1432                 else
1433                         {
1434                         BIO_printf(bio,"---\nNo client certificate CA names sent\n");
1435                         }
1436                 p=SSL_get_shared_ciphers(s,buf,sizeof buf);
1437                 if (p != NULL)
1438                         {
1439                         /* This works only for SSL 2.  In later protocol
1440                          * versions, the client does not know what other
1441                          * ciphers (in addition to the one to be used
1442                          * in the current connection) the server supports. */
1443
1444                         BIO_printf(bio,"---\nCiphers common between both SSL endpoints:\n");
1445                         j=i=0;
1446                         while (*p)
1447                                 {
1448                                 if (*p == ':')
1449                                         {
1450                                         BIO_write(bio,space,15-j%25);
1451                                         i++;
1452                                         j=0;
1453                                         BIO_write(bio,((i%3)?" ":"\n"),1);
1454                                         }
1455                                 else
1456                                         {
1457                                         BIO_write(bio,p,1);
1458                                         j++;
1459                                         }
1460                                 p++;
1461                                 }
1462                         BIO_write(bio,"\n",1);
1463                         }
1464
1465                 BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n",
1466                         BIO_number_read(SSL_get_rbio(s)),
1467                         BIO_number_written(SSL_get_wbio(s)));
1468                 }
1469         BIO_printf(bio,((s->hit)?"---\nReused, ":"---\nNew, "));
1470         c=SSL_get_current_cipher(s);
1471         BIO_printf(bio,"%s, Cipher is %s\n",
1472                 SSL_CIPHER_get_version(c),
1473                 SSL_CIPHER_get_name(c));
1474         if (peer != NULL) {
1475                 EVP_PKEY *pktmp;
1476                 pktmp = X509_get_pubkey(peer);
1477                 BIO_printf(bio,"Server public key is %d bit\n",
1478                                                          EVP_PKEY_bits(pktmp));
1479                 EVP_PKEY_free(pktmp);
1480         }
1481 #ifndef OPENSSL_NO_COMP
1482         comp=SSL_get_current_compression(s);
1483         expansion=SSL_get_current_expansion(s);
1484         BIO_printf(bio,"Compression: %s\n",
1485                 comp ? SSL_COMP_get_name(comp) : "NONE");
1486         BIO_printf(bio,"Expansion: %s\n",
1487                 expansion ? SSL_COMP_get_name(expansion) : "NONE");
1488 #endif
1489         SSL_SESSION_print(bio,SSL_get_session(s));
1490         BIO_printf(bio,"---\n");
1491         if (peer != NULL)
1492                 X509_free(peer);
1493         /* flush, or debugging output gets mixed with http response */
1494         BIO_flush(bio);
1495         }
1496