6a377743a196c2e9d13d4aa01f2b045d2c103e09
[openssl.git] / apps / s_client.c
1 /* apps/s_client.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111 /* ====================================================================
112  * Copyright 2005 Nokia. All rights reserved.
113  *
114  * The portions of the attached software ("Contribution") is developed by
115  * Nokia Corporation and is licensed pursuant to the OpenSSL open source
116  * license.
117  *
118  * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119  * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120  * support (see RFC 4279) to OpenSSL.
121  *
122  * No patent licenses or other rights except those expressly stated in
123  * the OpenSSL open source license shall be deemed granted or received
124  * expressly, by implication, estoppel, or otherwise.
125  *
126  * No assurances are provided by Nokia that the Contribution does not
127  * infringe the patent or other intellectual property rights of any third
128  * party or that the license provides you with all the necessary rights
129  * to make use of the Contribution.
130  *
131  * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132  * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133  * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134  * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
135  * OTHERWISE.
136  */
137
138 #include <assert.h>
139 #include <ctype.h>
140 #include <stdio.h>
141 #include <stdlib.h>
142 #include <string.h>
143 #include <openssl/e_os2.h>
144 #ifdef OPENSSL_NO_STDIO
145 #define APPS_WIN16
146 #endif
147
148 /* With IPv6, it looks like Digital has mixed up the proper order of
149    recursive header file inclusion, resulting in the compiler complaining
150    that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which
151    is needed to have fileno() declared correctly...  So let's define u_int */
152 #if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
153 #define __U_INT
154 typedef unsigned int u_int;
155 #endif
156
157 #define USE_SOCKETS
158 #include "apps.h"
159 #include <openssl/x509.h>
160 #include <openssl/ssl.h>
161 #include <openssl/err.h>
162 #include <openssl/pem.h>
163 #include <openssl/rand.h>
164 #include <openssl/ocsp.h>
165 #include <openssl/bn.h>
166 #ifndef OPENSSL_NO_SRP
167 #include <openssl/srp.h>
168 #endif
169 #include "s_apps.h"
170 #include "timeouts.h"
171
172 #if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
173 /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
174 #undef FIONBIO
175 #endif
176
177 #if defined(OPENSSL_SYS_BEOS_R5)
178 #include <fcntl.h>
179 #endif
180
181 #undef PROG
182 #define PROG    s_client_main
183
184 /*#define SSL_HOST_NAME "www.netscape.com" */
185 /*#define SSL_HOST_NAME "193.118.187.102" */
186 #define SSL_HOST_NAME   "localhost"
187
188 /*#define TEST_CERT "client.pem" */ /* no default cert. */
189
190 #undef BUFSIZZ
191 #define BUFSIZZ 1024*8
192
193 extern int verify_depth;
194 extern int verify_error;
195 extern int verify_return_error;
196 extern int verify_quiet;
197
198 #ifdef FIONBIO
199 static int c_nbio=0;
200 #endif
201 static int c_Pause=0;
202 static int c_debug=0;
203 #ifndef OPENSSL_NO_TLSEXT
204 static int c_tlsextdebug=0;
205 static int c_status_req=0;
206 #endif
207 static int c_msg=0;
208 static int c_showcerts=0;
209
210 static char *keymatexportlabel=NULL;
211 static int keymatexportlen=20;
212
213 static void sc_usage(void);
214 static void print_stuff(BIO *berr,SSL *con,int full);
215 #ifndef OPENSSL_NO_TLSEXT
216 static int ocsp_resp_cb(SSL *s, void *arg);
217 #endif
218 static BIO *bio_c_out=NULL;
219 static BIO *bio_c_msg=NULL;
220 static int c_quiet=0;
221 static int c_ign_eof=0;
222 static int c_brief=0;
223
224 #ifndef OPENSSL_NO_PSK
225 /* Default PSK identity and key */
226 static char *psk_identity="Client_identity";
227 /*char *psk_key=NULL;  by default PSK is not used */
228
229 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity,
230         unsigned int max_identity_len, unsigned char *psk,
231         unsigned int max_psk_len)
232         {
233         unsigned int psk_len = 0;
234         int ret;
235         BIGNUM *bn=NULL;
236
237         if (c_debug)
238                 BIO_printf(bio_c_out, "psk_client_cb\n");
239         if (!hint)
240                 {
241                 /* no ServerKeyExchange message*/
242                 if (c_debug)
243                         BIO_printf(bio_c_out,"NULL received PSK identity hint, continuing anyway\n");
244                 }
245         else if (c_debug)
246                 BIO_printf(bio_c_out, "Received PSK identity hint '%s'\n", hint);
247
248         /* lookup PSK identity and PSK key based on the given identity hint here */
249         ret = BIO_snprintf(identity, max_identity_len, "%s", psk_identity);
250         if (ret < 0 || (unsigned int)ret > max_identity_len)
251                 goto out_err;
252         if (c_debug)
253                 BIO_printf(bio_c_out, "created identity '%s' len=%d\n", identity, ret);
254         ret=BN_hex2bn(&bn, psk_key);
255         if (!ret)
256                 {
257                 BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", psk_key);
258                 if (bn)
259                         BN_free(bn);
260                 return 0;
261                 }
262
263         if ((unsigned int)BN_num_bytes(bn) > max_psk_len)
264                 {
265                 BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
266                         max_psk_len, BN_num_bytes(bn));
267                 BN_free(bn);
268                 return 0;
269                 }
270
271         psk_len=BN_bn2bin(bn, psk);
272         BN_free(bn);
273         if (psk_len == 0)
274                 goto out_err;
275
276         if (c_debug)
277                 BIO_printf(bio_c_out, "created PSK len=%d\n", psk_len);
278
279         return psk_len;
280  out_err:
281         if (c_debug)
282                 BIO_printf(bio_err, "Error in PSK client callback\n");
283         return 0;
284         }
285 #endif
286
287 static void sc_usage(void)
288         {
289         BIO_printf(bio_err,"usage: s_client args\n");
290         BIO_printf(bio_err,"\n");
291         BIO_printf(bio_err," -host host     - use -connect instead\n");
292         BIO_printf(bio_err," -port port     - use -connect instead\n");
293         BIO_printf(bio_err," -connect host:port - connect over TCP/IP (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR);
294         BIO_printf(bio_err," -unix path    - connect over unix domain sockets\n");
295         BIO_printf(bio_err," -verify arg   - turn on peer certificate verification\n");
296         BIO_printf(bio_err," -verify_return_error - return verification errors\n");
297         BIO_printf(bio_err," -cert arg     - certificate file to use, PEM format assumed\n");
298         BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n");
299         BIO_printf(bio_err," -key arg      - Private key file to use, in cert file if\n");
300         BIO_printf(bio_err,"                 not specified but cert file is.\n");
301         BIO_printf(bio_err," -keyform arg  - key format (PEM or DER) PEM default\n");
302         BIO_printf(bio_err," -pass arg     - private key file pass phrase source\n");
303         BIO_printf(bio_err," -CApath arg   - PEM format directory of CA's\n");
304         BIO_printf(bio_err," -CAfile arg   - PEM format file of CA's\n");
305         BIO_printf(bio_err," -trusted_first - Use local CA's first when building trust chain\n");
306         BIO_printf(bio_err," -reconnect    - Drop and re-make the connection with the same Session-ID\n");
307         BIO_printf(bio_err," -pause        - sleep(1) after each read(2) and write(2) system call\n");
308         BIO_printf(bio_err," -prexit       - print session information even on connection failure\n");
309         BIO_printf(bio_err," -showcerts    - show all certificates in the chain\n");
310         BIO_printf(bio_err," -debug        - extra output\n");
311 #ifdef WATT32
312         BIO_printf(bio_err," -wdebug       - WATT-32 tcp debugging\n");
313 #endif
314         BIO_printf(bio_err," -msg          - Show protocol messages\n");
315         BIO_printf(bio_err," -nbio_test    - more ssl protocol testing\n");
316         BIO_printf(bio_err," -state        - print the 'ssl' states\n");
317 #ifdef FIONBIO
318         BIO_printf(bio_err," -nbio         - Run with non-blocking IO\n");
319 #endif
320         BIO_printf(bio_err," -crlf         - convert LF from terminal into CRLF\n");
321         BIO_printf(bio_err," -quiet        - no s_client output\n");
322         BIO_printf(bio_err," -ign_eof      - ignore input eof (default when -quiet)\n");
323         BIO_printf(bio_err," -no_ign_eof   - don't ignore input eof\n");
324 #ifndef OPENSSL_NO_PSK
325         BIO_printf(bio_err," -psk_identity arg - PSK identity\n");
326         BIO_printf(bio_err," -psk arg      - PSK in hex (without 0x)\n");
327 # ifndef OPENSSL_NO_JPAKE
328         BIO_printf(bio_err," -jpake arg    - JPAKE secret to use\n");
329 # endif
330 #endif
331 #ifndef OPENSSL_NO_SRP
332         BIO_printf(bio_err," -srpuser user     - SRP authentification for 'user'\n");
333         BIO_printf(bio_err," -srppass arg      - password for 'user'\n");
334         BIO_printf(bio_err," -srp_lateuser     - SRP username into second ClientHello message\n");
335         BIO_printf(bio_err," -srp_moregroups   - Tolerate other than the known g N values.\n");
336         BIO_printf(bio_err," -srp_strength int - minimal mength in bits for N (default %d).\n",SRP_MINIMAL_N);
337 #endif
338         BIO_printf(bio_err," -ssl2         - just use SSLv2\n");
339         BIO_printf(bio_err," -ssl3         - just use SSLv3\n");
340         BIO_printf(bio_err," -tls1_2       - just use TLSv1.2\n");
341         BIO_printf(bio_err," -tls1_1       - just use TLSv1.1\n");
342         BIO_printf(bio_err," -tls1         - just use TLSv1\n");
343         BIO_printf(bio_err," -dtls1        - just use DTLSv1\n");    
344         BIO_printf(bio_err," -mtu          - set the link layer MTU\n");
345         BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
346         BIO_printf(bio_err," -bugs         - Switch on all SSL implementation bug workarounds\n");
347         BIO_printf(bio_err," -serverpref   - Use server's cipher preferences (only SSLv2)\n");
348         BIO_printf(bio_err," -cipher       - preferred cipher to use, use the 'openssl ciphers'\n");
349         BIO_printf(bio_err,"                 command to see what is available\n");
350         BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n");
351         BIO_printf(bio_err,"                 for those protocols that support it, where\n");
352         BIO_printf(bio_err,"                 'prot' defines which one to assume.  Currently,\n");
353         BIO_printf(bio_err,"                 only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
354         BIO_printf(bio_err,"                 are supported.\n");
355         BIO_printf(bio_err," -xmpphost host - When used with \"-starttls xmpp\" specifies the virtual host.\n");
356 #ifndef OPENSSL_NO_ENGINE
357         BIO_printf(bio_err," -engine id    - Initialise and use the specified engine\n");
358 #endif
359         BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
360         BIO_printf(bio_err," -sess_out arg - file to write SSL session to\n");
361         BIO_printf(bio_err," -sess_in arg  - file to read SSL session from\n");
362 #ifndef OPENSSL_NO_TLSEXT
363         BIO_printf(bio_err," -servername host  - Set TLS extension servername in ClientHello\n");
364         BIO_printf(bio_err," -tlsextdebug      - hex dump of all TLS extensions received\n");
365         BIO_printf(bio_err," -status           - request certificate status from server\n");
366         BIO_printf(bio_err," -no_ticket        - disable use of RFC4507bis session tickets\n");
367         BIO_printf(bio_err," -serverinfo types - send empty ClientHello extensions (comma-separated numbers)\n");
368 # ifndef OPENSSL_NO_NEXTPROTONEG
369         BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
370 # endif
371         BIO_printf(bio_err," -alpn arg         - enable ALPN extension, considering named protocols supported (comma-separated list)\n");
372 #endif
373         BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
374         BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
375         BIO_printf(bio_err," -keymatexport label   - Export keying material using label\n");
376         BIO_printf(bio_err," -keymatexportlen len  - Export len bytes of keying material (default 20)\n");
377         }
378
379 #ifndef OPENSSL_NO_TLSEXT
380
381 /* This is a context that we pass to callbacks */
382 typedef struct tlsextctx_st {
383    BIO * biodebug;
384    int ack;
385 } tlsextctx;
386
387
388 static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
389         {
390         tlsextctx * p = (tlsextctx *) arg;
391         const char * hn= SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
392         if (SSL_get_servername_type(s) != -1) 
393                 p->ack = !SSL_session_reused(s) && hn != NULL;
394         else 
395                 BIO_printf(bio_err,"Can't use SSL_get_servername\n");
396         
397         return SSL_TLSEXT_ERR_OK;
398         }
399
400 #ifndef OPENSSL_NO_SRP
401
402 /* This is a context that we pass to all callbacks */
403 typedef struct srp_arg_st
404         {
405         char *srppassin;
406         char *srplogin;
407         int msg;   /* copy from c_msg */
408         int debug; /* copy from c_debug */
409         int amp;   /* allow more groups */
410         int strength /* minimal size for N */ ;
411         } SRP_ARG;
412
413 #define SRP_NUMBER_ITERATIONS_FOR_PRIME 64
414
415 static int srp_Verify_N_and_g(const BIGNUM *N, const BIGNUM *g)
416         {
417         BN_CTX *bn_ctx = BN_CTX_new();
418         BIGNUM *p = BN_new();
419         BIGNUM *r = BN_new();
420         int ret =
421                 g != NULL && N != NULL && bn_ctx != NULL && BN_is_odd(N) &&
422                 BN_is_prime_ex(N, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
423                 p != NULL && BN_rshift1(p, N) &&
424
425                 /* p = (N-1)/2 */
426                 BN_is_prime_ex(p, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
427                 r != NULL &&
428
429                 /* verify g^((N-1)/2) == -1 (mod N) */
430                 BN_mod_exp(r, g, p, N, bn_ctx) &&
431                 BN_add_word(r, 1) &&
432                 BN_cmp(r, N) == 0;
433
434         if(r)
435                 BN_free(r);
436         if(p)
437                 BN_free(p);
438         if(bn_ctx)
439                 BN_CTX_free(bn_ctx);
440         return ret;
441         }
442
443 /* This callback is used here for two purposes:
444    - extended debugging
445    - making some primality tests for unknown groups
446    The callback is only called for a non default group.
447
448    An application does not need the call back at all if
449    only the stanard groups are used.  In real life situations, 
450    client and server already share well known groups, 
451    thus there is no need to verify them. 
452    Furthermore, in case that a server actually proposes a group that
453    is not one of those defined in RFC 5054, it is more appropriate 
454    to add the group to a static list and then compare since 
455    primality tests are rather cpu consuming.
456 */
457
458 static int MS_CALLBACK ssl_srp_verify_param_cb(SSL *s, void *arg)
459         {
460         SRP_ARG *srp_arg = (SRP_ARG *)arg;
461         BIGNUM *N = NULL, *g = NULL;
462         if (!(N = SSL_get_srp_N(s)) || !(g = SSL_get_srp_g(s)))
463                 return 0;
464         if (srp_arg->debug || srp_arg->msg || srp_arg->amp == 1)
465                 {
466                 BIO_printf(bio_err, "SRP parameters:\n"); 
467                 BIO_printf(bio_err,"\tN="); BN_print(bio_err,N);
468                 BIO_printf(bio_err,"\n\tg="); BN_print(bio_err,g);
469                 BIO_printf(bio_err,"\n");
470                 }
471
472         if (SRP_check_known_gN_param(g,N))
473                 return 1;
474
475         if (srp_arg->amp == 1)
476                 {
477                 if (srp_arg->debug)
478                         BIO_printf(bio_err, "SRP param N and g are not known params, going to check deeper.\n");
479
480 /* The srp_moregroups is a real debugging feature.
481    Implementors should rather add the value to the known ones.
482    The minimal size has already been tested.
483 */
484                 if (BN_num_bits(g) <= BN_BITS && srp_Verify_N_and_g(N,g))
485                         return 1;
486                 }       
487         BIO_printf(bio_err, "SRP param N and g rejected.\n");
488         return 0;
489         }
490
491 #define PWD_STRLEN 1024
492
493 static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
494         {
495         SRP_ARG *srp_arg = (SRP_ARG *)arg;
496         char *pass = (char *)OPENSSL_malloc(PWD_STRLEN+1);
497         PW_CB_DATA cb_tmp;
498         int l;
499
500         cb_tmp.password = (char *)srp_arg->srppassin;
501         cb_tmp.prompt_info = "SRP user";
502         if ((l = password_callback(pass, PWD_STRLEN, 0, &cb_tmp))<0)
503                 {
504                 BIO_printf (bio_err, "Can't read Password\n");
505                 OPENSSL_free(pass);
506                 return NULL;
507                 }
508         *(pass+l)= '\0';
509
510         return pass;
511         }
512
513 #endif
514         char *srtp_profiles = NULL;
515
516 # ifndef OPENSSL_NO_NEXTPROTONEG
517 /* This the context that we pass to next_proto_cb */
518 typedef struct tlsextnextprotoctx_st {
519         unsigned char *data;
520         unsigned short len;
521         int status;
522 } tlsextnextprotoctx;
523
524 static tlsextnextprotoctx next_proto;
525
526 static int next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg)
527         {
528         tlsextnextprotoctx *ctx = arg;
529
530         if (!c_quiet)
531                 {
532                 /* We can assume that |in| is syntactically valid. */
533                 unsigned i;
534                 BIO_printf(bio_c_out, "Protocols advertised by server: ");
535                 for (i = 0; i < inlen; )
536                         {
537                         if (i)
538                                 BIO_write(bio_c_out, ", ", 2);
539                         BIO_write(bio_c_out, &in[i + 1], in[i]);
540                         i += in[i] + 1;
541                         }
542                 BIO_write(bio_c_out, "\n", 1);
543                 }
544
545         ctx->status = SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len);
546         return SSL_TLSEXT_ERR_OK;
547         }
548 # endif  /* ndef OPENSSL_NO_NEXTPROTONEG */
549
550 static int serverinfo_cli_cb(SSL* s, unsigned int ext_type,
551                              const unsigned char* in, size_t inlen, 
552                              int* al, void* arg)
553         {
554         char pem_name[100];
555         unsigned char ext_buf[4 + 65536];
556
557         /* Reconstruct the type/len fields prior to extension data */
558         ext_buf[0] = ext_type >> 8;
559         ext_buf[1] = ext_type & 0xFF;
560         ext_buf[2] = inlen >> 8;
561         ext_buf[3] = inlen & 0xFF;
562         memcpy(ext_buf+4, in, inlen);
563
564         BIO_snprintf(pem_name, sizeof(pem_name), "SERVERINFO FOR EXTENSION %d",
565                      ext_type);
566         PEM_write_bio(bio_c_out, pem_name, "", ext_buf, 4 + inlen);
567         return 1;
568         }
569
570 #endif
571
572 enum
573 {
574         PROTO_OFF       = 0,
575         PROTO_SMTP,
576         PROTO_POP3,
577         PROTO_IMAP,
578         PROTO_FTP,
579         PROTO_XMPP
580 };
581
582 int MAIN(int, char **);
583
584 int MAIN(int argc, char **argv)
585         {
586         int build_chain = 0;
587         SSL *con=NULL;
588 #ifndef OPENSSL_NO_KRB5
589         KSSL_CTX *kctx;
590 #endif
591         int s,k,width,state=0;
592         char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL;
593         int cbuf_len,cbuf_off;
594         int sbuf_len,sbuf_off;
595         fd_set readfds,writefds;
596         short port=PORT;
597         int full_log=1;
598         char *host=SSL_HOST_NAME;
599         const char *unix_path = NULL;
600         char *xmpphost = NULL;
601         char *cert_file=NULL,*key_file=NULL,*chain_file=NULL;
602         int cert_format = FORMAT_PEM, key_format = FORMAT_PEM;
603         char *passarg = NULL, *pass = NULL;
604         X509 *cert = NULL;
605         EVP_PKEY *key = NULL;
606         STACK_OF(X509) *chain = NULL;
607         char *CApath=NULL,*CAfile=NULL;
608         char *chCApath=NULL,*chCAfile=NULL;
609         char *vfyCApath=NULL,*vfyCAfile=NULL;
610         int reconnect=0,badop=0,verify=SSL_VERIFY_NONE;
611         int crlf=0;
612         int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending;
613         SSL_CTX *ctx=NULL;
614         int ret=1,in_init=1,i,nbio_test=0;
615         int starttls_proto = PROTO_OFF;
616         int prexit = 0;
617         X509_VERIFY_PARAM *vpm = NULL;
618         int badarg = 0;
619         const SSL_METHOD *meth=NULL;
620         int socket_type=SOCK_STREAM;
621         BIO *sbio;
622         char *inrand=NULL;
623         int mbuf_len=0;
624         struct timeval timeout, *timeoutp;
625 #ifndef OPENSSL_NO_ENGINE
626         char *engine_id=NULL;
627         char *ssl_client_engine_id=NULL;
628         ENGINE *ssl_client_engine=NULL;
629 #endif
630         ENGINE *e=NULL;
631 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
632         struct timeval tv;
633 #if defined(OPENSSL_SYS_BEOS_R5)
634         int stdin_set = 0;
635 #endif
636 #endif
637 #ifndef OPENSSL_NO_TLSEXT
638         char *servername = NULL; 
639         tlsextctx tlsextcbp = 
640         {NULL,0};
641 # ifndef OPENSSL_NO_NEXTPROTONEG
642         const char *next_proto_neg_in = NULL;
643 # endif
644         const char *alpn_in = NULL;
645 # define MAX_SI_TYPES 100
646         unsigned short serverinfo_types[MAX_SI_TYPES];
647         int serverinfo_types_count = 0;
648 #endif
649         char *sess_in = NULL;
650         char *sess_out = NULL;
651         struct sockaddr peer;
652         int peerlen = sizeof(peer);
653         int enable_timeouts = 0 ;
654         long socket_mtu = 0;
655 #ifndef OPENSSL_NO_JPAKE
656 static char *jpake_secret = NULL;
657 #define no_jpake !jpake_secret
658 #else
659 #define no_jpake 1
660 #endif
661 #ifndef OPENSSL_NO_SRP
662         char * srppass = NULL;
663         int srp_lateuser = 0;
664         SRP_ARG srp_arg = {NULL,NULL,0,0,0,1024};
665 #endif
666         SSL_EXCERT *exc = NULL;
667
668         SSL_CONF_CTX *cctx = NULL;
669         STACK_OF(OPENSSL_STRING) *ssl_args = NULL;
670
671         char *crl_file = NULL;
672         int crl_format = FORMAT_PEM;
673         int crl_download = 0;
674         STACK_OF(X509_CRL) *crls = NULL;
675         int sdebug = 0;
676
677         meth=SSLv23_client_method();
678
679         apps_startup();
680         c_Pause=0;
681         c_quiet=0;
682         c_ign_eof=0;
683         c_debug=0;
684         c_msg=0;
685         c_showcerts=0;
686
687         if (bio_err == NULL)
688                 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
689
690         if (!load_config(bio_err, NULL))
691                 goto end;
692         cctx = SSL_CONF_CTX_new();
693         if (!cctx)
694                 goto end;
695         SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT);
696         SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CMDLINE);
697
698         if (    ((cbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
699                 ((sbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
700                 ((mbuf=OPENSSL_malloc(BUFSIZZ)) == NULL))
701                 {
702                 BIO_printf(bio_err,"out of memory\n");
703                 goto end;
704                 }
705
706         verify_depth=0;
707         verify_error=X509_V_OK;
708 #ifdef FIONBIO
709         c_nbio=0;
710 #endif
711
712         argc--;
713         argv++;
714         while (argc >= 1)
715                 {
716                 if      (strcmp(*argv,"-host") == 0)
717                         {
718                         if (--argc < 1) goto bad;
719                         host= *(++argv);
720                         }
721                 else if (strcmp(*argv,"-port") == 0)
722                         {
723                         if (--argc < 1) goto bad;
724                         port=atoi(*(++argv));
725                         if (port == 0) goto bad;
726                         }
727                 else if (strcmp(*argv,"-connect") == 0)
728                         {
729                         if (--argc < 1) goto bad;
730                         if (!extract_host_port(*(++argv),&host,NULL,&port))
731                                 goto bad;
732                         }
733                 else if (strcmp(*argv,"-unix") == 0)
734                         {
735                         if (--argc < 1) goto bad;
736                         unix_path = *(++argv);
737                         }
738                 else if (strcmp(*argv,"-xmpphost") == 0)
739                         {
740                         if (--argc < 1) goto bad;
741                         xmpphost= *(++argv);
742                         }
743                 else if (strcmp(*argv,"-verify") == 0)
744                         {
745                         verify=SSL_VERIFY_PEER;
746                         if (--argc < 1) goto bad;
747                         verify_depth=atoi(*(++argv));
748                         if (!c_quiet)
749                                 BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
750                         }
751                 else if (strcmp(*argv,"-cert") == 0)
752                         {
753                         if (--argc < 1) goto bad;
754                         cert_file= *(++argv);
755                         }
756                 else if (strcmp(*argv,"-CRL") == 0)
757                         {
758                         if (--argc < 1) goto bad;
759                         crl_file= *(++argv);
760                         }
761                 else if (strcmp(*argv,"-crl_download") == 0)
762                         crl_download = 1;
763                 else if (strcmp(*argv,"-sess_out") == 0)
764                         {
765                         if (--argc < 1) goto bad;
766                         sess_out = *(++argv);
767                         }
768                 else if (strcmp(*argv,"-sess_in") == 0)
769                         {
770                         if (--argc < 1) goto bad;
771                         sess_in = *(++argv);
772                         }
773                 else if (strcmp(*argv,"-certform") == 0)
774                         {
775                         if (--argc < 1) goto bad;
776                         cert_format = str2fmt(*(++argv));
777                         }
778                 else if (strcmp(*argv,"-CRLform") == 0)
779                         {
780                         if (--argc < 1) goto bad;
781                         crl_format = str2fmt(*(++argv));
782                         }
783                 else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
784                         {
785                         if (badarg)
786                                 goto bad;
787                         continue;
788                         }
789                 else if (strcmp(*argv,"-verify_return_error") == 0)
790                         verify_return_error = 1;
791                 else if (strcmp(*argv,"-verify_quiet") == 0)
792                         verify_quiet = 1;
793                 else if (strcmp(*argv,"-brief") == 0)
794                         {
795                         c_brief = 1;
796                         verify_quiet = 1;
797                         c_quiet = 1;
798                         }
799                 else if (args_excert(&argv, &argc, &badarg, bio_err, &exc))
800                         {
801                         if (badarg)
802                                 goto bad;
803                         continue;
804                         }
805                 else if (args_ssl(&argv, &argc, cctx, &badarg, bio_err, &ssl_args))
806                         {
807                         if (badarg)
808                                 goto bad;
809                         continue;
810                         }
811                 else if (strcmp(*argv,"-prexit") == 0)
812                         prexit=1;
813                 else if (strcmp(*argv,"-crlf") == 0)
814                         crlf=1;
815                 else if (strcmp(*argv,"-quiet") == 0)
816                         {
817                         c_quiet=1;
818                         c_ign_eof=1;
819                         }
820                 else if (strcmp(*argv,"-ign_eof") == 0)
821                         c_ign_eof=1;
822                 else if (strcmp(*argv,"-no_ign_eof") == 0)
823                         c_ign_eof=0;
824                 else if (strcmp(*argv,"-pause") == 0)
825                         c_Pause=1;
826                 else if (strcmp(*argv,"-debug") == 0)
827                         c_debug=1;
828 #ifndef OPENSSL_NO_TLSEXT
829                 else if (strcmp(*argv,"-tlsextdebug") == 0)
830                         c_tlsextdebug=1;
831                 else if (strcmp(*argv,"-status") == 0)
832                         c_status_req=1;
833 #endif
834 #ifdef WATT32
835                 else if (strcmp(*argv,"-wdebug") == 0)
836                         dbug_init();
837 #endif
838                 else if (strcmp(*argv,"-msg") == 0)
839                         c_msg=1;
840                 else if (strcmp(*argv,"-msgfile") == 0)
841                         {
842                         if (--argc < 1) goto bad;
843                         bio_c_msg = BIO_new_file(*(++argv), "w");
844                         }
845 #ifndef OPENSSL_NO_SSL_TRACE
846                 else if (strcmp(*argv,"-trace") == 0)
847                         c_msg=2;
848 #endif
849                 else if (strcmp(*argv,"-security_debug") == 0)
850                         { sdebug=1; }
851                 else if (strcmp(*argv,"-security_debug_verbose") == 0)
852                         { sdebug=2; }
853                 else if (strcmp(*argv,"-showcerts") == 0)
854                         c_showcerts=1;
855                 else if (strcmp(*argv,"-nbio_test") == 0)
856                         nbio_test=1;
857                 else if (strcmp(*argv,"-state") == 0)
858                         state=1;
859 #ifndef OPENSSL_NO_PSK
860                 else if (strcmp(*argv,"-psk_identity") == 0)
861                         {
862                         if (--argc < 1) goto bad;
863                         psk_identity=*(++argv);
864                         }
865                 else if (strcmp(*argv,"-psk") == 0)
866                         {
867                         size_t j;
868
869                         if (--argc < 1) goto bad;
870                         psk_key=*(++argv);
871                         for (j = 0; j < strlen(psk_key); j++)
872                                 {
873                                 if (isxdigit((unsigned char)psk_key[j]))
874                                         continue;
875                                 BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
876                                 goto bad;
877                                 }
878                         }
879 #endif
880 #ifndef OPENSSL_NO_SRP
881                 else if (strcmp(*argv,"-srpuser") == 0)
882                         {
883                         if (--argc < 1) goto bad;
884                         srp_arg.srplogin= *(++argv);
885                         meth=TLSv1_client_method();
886                         }
887                 else if (strcmp(*argv,"-srppass") == 0)
888                         {
889                         if (--argc < 1) goto bad;
890                         srppass= *(++argv);
891                         meth=TLSv1_client_method();
892                         }
893                 else if (strcmp(*argv,"-srp_strength") == 0)
894                         {
895                         if (--argc < 1) goto bad;
896                         srp_arg.strength=atoi(*(++argv));
897                         BIO_printf(bio_err,"SRP minimal length for N is %d\n",srp_arg.strength);
898                         meth=TLSv1_client_method();
899                         }
900                 else if (strcmp(*argv,"-srp_lateuser") == 0)
901                         {
902                         srp_lateuser= 1;
903                         meth=TLSv1_client_method();
904                         }
905                 else if (strcmp(*argv,"-srp_moregroups") == 0)
906                         {
907                         srp_arg.amp=1;
908                         meth=TLSv1_client_method();
909                         }
910 #endif
911 #ifndef OPENSSL_NO_SSL2
912                 else if (strcmp(*argv,"-ssl2") == 0)
913                         meth=SSLv2_client_method();
914 #endif
915 #ifndef OPENSSL_NO_SSL3
916                 else if (strcmp(*argv,"-ssl3") == 0)
917                         meth=SSLv3_client_method();
918 #endif
919 #ifndef OPENSSL_NO_TLS1
920                 else if (strcmp(*argv,"-tls1_2") == 0)
921                         meth=TLSv1_2_client_method();
922                 else if (strcmp(*argv,"-tls1_1") == 0)
923                         meth=TLSv1_1_client_method();
924                 else if (strcmp(*argv,"-tls1") == 0)
925                         meth=TLSv1_client_method();
926 #endif
927 #ifndef OPENSSL_NO_DTLS1
928                 else if (strcmp(*argv,"-dtls") == 0)
929                         {
930                         meth=DTLS_client_method();
931                         socket_type=SOCK_DGRAM;
932                         }
933                 else if (strcmp(*argv,"-dtls1") == 0)
934                         {
935                         meth=DTLSv1_client_method();
936                         socket_type=SOCK_DGRAM;
937                         }
938                 else if (strcmp(*argv,"-dtls1_2") == 0)
939                         {
940                         meth=DTLSv1_2_client_method();
941                         socket_type=SOCK_DGRAM;
942                         }
943                 else if (strcmp(*argv,"-timeout") == 0)
944                         enable_timeouts=1;
945                 else if (strcmp(*argv,"-mtu") == 0)
946                         {
947                         if (--argc < 1) goto bad;
948                         socket_mtu = atol(*(++argv));
949                         }
950 #endif
951                 else if (strcmp(*argv,"-keyform") == 0)
952                         {
953                         if (--argc < 1) goto bad;
954                         key_format = str2fmt(*(++argv));
955                         }
956                 else if (strcmp(*argv,"-pass") == 0)
957                         {
958                         if (--argc < 1) goto bad;
959                         passarg = *(++argv);
960                         }
961                 else if (strcmp(*argv,"-cert_chain") == 0)
962                         {
963                         if (--argc < 1) goto bad;
964                         chain_file= *(++argv);
965                         }
966                 else if (strcmp(*argv,"-key") == 0)
967                         {
968                         if (--argc < 1) goto bad;
969                         key_file= *(++argv);
970                         }
971                 else if (strcmp(*argv,"-reconnect") == 0)
972                         {
973                         reconnect=5;
974                         }
975                 else if (strcmp(*argv,"-CApath") == 0)
976                         {
977                         if (--argc < 1) goto bad;
978                         CApath= *(++argv);
979                         }
980                 else if (strcmp(*argv,"-chainCApath") == 0)
981                         {
982                         if (--argc < 1) goto bad;
983                         chCApath= *(++argv);
984                         }
985                 else if (strcmp(*argv,"-verifyCApath") == 0)
986                         {
987                         if (--argc < 1) goto bad;
988                         vfyCApath= *(++argv);
989                         }
990                 else if (strcmp(*argv,"-build_chain") == 0)
991                         build_chain = 1;
992                 else if (strcmp(*argv,"-CAfile") == 0)
993                         {
994                         if (--argc < 1) goto bad;
995                         CAfile= *(++argv);
996                         }
997                 else if (strcmp(*argv,"-chainCAfile") == 0)
998                         {
999                         if (--argc < 1) goto bad;
1000                         chCAfile= *(++argv);
1001                         }
1002                 else if (strcmp(*argv,"-verifyCAfile") == 0)
1003                         {
1004                         if (--argc < 1) goto bad;
1005                         vfyCAfile= *(++argv);
1006                         }
1007 #ifndef OPENSSL_NO_TLSEXT
1008 # ifndef OPENSSL_NO_NEXTPROTONEG
1009                 else if (strcmp(*argv,"-nextprotoneg") == 0)
1010                         {
1011                         if (--argc < 1) goto bad;
1012                         next_proto_neg_in = *(++argv);
1013                         }
1014 # endif
1015                 else if (strcmp(*argv,"-alpn") == 0)
1016                         {
1017                         if (--argc < 1) goto bad;
1018                         alpn_in = *(++argv);
1019                         }
1020                 else if (strcmp(*argv,"-serverinfo") == 0)
1021                         {
1022                         char *c;
1023                         int start = 0;
1024                         int len;
1025
1026                         if (--argc < 1) goto bad;
1027                         c = *(++argv);
1028                         serverinfo_types_count = 0;
1029                         len = strlen(c);
1030                         for (i = 0; i <= len; ++i)
1031                                 {
1032                                 if (i == len || c[i] == ',')
1033                                         {
1034                                         serverinfo_types[serverinfo_types_count]
1035                                             = atoi(c+start);
1036                                         serverinfo_types_count++;
1037                                         start = i+1;
1038                                         }
1039                                 if (serverinfo_types_count == MAX_SI_TYPES)
1040                                         break;
1041                                 }
1042                         }
1043 #endif
1044 #ifdef FIONBIO
1045                 else if (strcmp(*argv,"-nbio") == 0)
1046                         { c_nbio=1; }
1047 #endif
1048                 else if (strcmp(*argv,"-starttls") == 0)
1049                         {
1050                         if (--argc < 1) goto bad;
1051                         ++argv;
1052                         if (strcmp(*argv,"smtp") == 0)
1053                                 starttls_proto = PROTO_SMTP;
1054                         else if (strcmp(*argv,"pop3") == 0)
1055                                 starttls_proto = PROTO_POP3;
1056                         else if (strcmp(*argv,"imap") == 0)
1057                                 starttls_proto = PROTO_IMAP;
1058                         else if (strcmp(*argv,"ftp") == 0)
1059                                 starttls_proto = PROTO_FTP;
1060                         else if (strcmp(*argv, "xmpp") == 0)
1061                                 starttls_proto = PROTO_XMPP;
1062                         else
1063                                 goto bad;
1064                         }
1065 #ifndef OPENSSL_NO_ENGINE
1066                 else if (strcmp(*argv,"-engine") == 0)
1067                         {
1068                         if (--argc < 1) goto bad;
1069                         engine_id = *(++argv);
1070                         }
1071                 else if (strcmp(*argv,"-ssl_client_engine") == 0)
1072                         {
1073                         if (--argc < 1) goto bad;
1074                         ssl_client_engine_id = *(++argv);
1075                         }
1076 #endif
1077                 else if (strcmp(*argv,"-rand") == 0)
1078                         {
1079                         if (--argc < 1) goto bad;
1080                         inrand= *(++argv);
1081                         }
1082 #ifndef OPENSSL_NO_TLSEXT
1083                 else if (strcmp(*argv,"-servername") == 0)
1084                         {
1085                         if (--argc < 1) goto bad;
1086                         servername= *(++argv);
1087                         /* meth=TLSv1_client_method(); */
1088                         }
1089 #endif
1090 #ifndef OPENSSL_NO_JPAKE
1091                 else if (strcmp(*argv,"-jpake") == 0)
1092                         {
1093                         if (--argc < 1) goto bad;
1094                         jpake_secret = *++argv;
1095                         }
1096 #endif
1097                 else if (strcmp(*argv,"-use_srtp") == 0)
1098                         {
1099                         if (--argc < 1) goto bad;
1100                         srtp_profiles = *(++argv);
1101                         }
1102                 else if (strcmp(*argv,"-keymatexport") == 0)
1103                         {
1104                         if (--argc < 1) goto bad;
1105                         keymatexportlabel= *(++argv);
1106                         }
1107                 else if (strcmp(*argv,"-keymatexportlen") == 0)
1108                         {
1109                         if (--argc < 1) goto bad;
1110                         keymatexportlen=atoi(*(++argv));
1111                         if (keymatexportlen == 0) goto bad;
1112                         }
1113                 else
1114                         {
1115                         BIO_printf(bio_err,"unknown option %s\n",*argv);
1116                         badop=1;
1117                         break;
1118                         }
1119                 argc--;
1120                 argv++;
1121                 }
1122         if (badop)
1123                 {
1124 bad:
1125                 sc_usage();
1126                 goto end;
1127                 }
1128
1129         if (unix_path && (socket_type != SOCK_STREAM))
1130                 {
1131                 BIO_printf(bio_err, "Can't use unix sockets and datagrams together\n");
1132                         goto end;
1133                 }
1134 #if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
1135         if (jpake_secret)
1136                 {
1137                 if (psk_key)
1138                         {
1139                         BIO_printf(bio_err,
1140                                    "Can't use JPAKE and PSK together\n");
1141                         goto end;
1142                         }
1143                 psk_identity = "JPAKE";
1144                 }
1145 #endif
1146
1147         OpenSSL_add_ssl_algorithms();
1148         SSL_load_error_strings();
1149
1150 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
1151         next_proto.status = -1;
1152         if (next_proto_neg_in)
1153                 {
1154                 next_proto.data = next_protos_parse(&next_proto.len, next_proto_neg_in);
1155                 if (next_proto.data == NULL)
1156                         {
1157                         BIO_printf(bio_err, "Error parsing -nextprotoneg argument\n");
1158                         goto end;
1159                         }
1160                 }
1161         else
1162                 next_proto.data = NULL;
1163 #endif
1164
1165 #ifndef OPENSSL_NO_ENGINE
1166         e = setup_engine(bio_err, engine_id, 1);
1167         if (ssl_client_engine_id)
1168                 {
1169                 ssl_client_engine = ENGINE_by_id(ssl_client_engine_id);
1170                 if (!ssl_client_engine)
1171                         {
1172                         BIO_printf(bio_err,
1173                                         "Error getting client auth engine\n");
1174                         goto end;
1175                         }
1176                 }
1177
1178 #endif
1179         if (!app_passwd(bio_err, passarg, NULL, &pass, NULL))
1180                 {
1181                 BIO_printf(bio_err, "Error getting password\n");
1182                 goto end;
1183                 }
1184
1185         if (key_file == NULL)
1186                 key_file = cert_file;
1187
1188
1189         if (key_file)
1190
1191                 {
1192
1193                 key = load_key(bio_err, key_file, key_format, 0, pass, e,
1194                                "client certificate private key file");
1195                 if (!key)
1196                         {
1197                         ERR_print_errors(bio_err);
1198                         goto end;
1199                         }
1200
1201                 }
1202
1203         if (cert_file)
1204
1205                 {
1206                 cert = load_cert(bio_err,cert_file,cert_format,
1207                                 NULL, e, "client certificate file");
1208
1209                 if (!cert)
1210                         {
1211                         ERR_print_errors(bio_err);
1212                         goto end;
1213                         }
1214                 }
1215
1216         if (chain_file)
1217                 {
1218                 chain = load_certs(bio_err, chain_file,FORMAT_PEM,
1219                                         NULL, e, "client certificate chain");
1220                 if (!chain)
1221                         goto end;
1222                 }
1223
1224         if (crl_file)
1225                 {
1226                 X509_CRL *crl;
1227                 crl = load_crl(crl_file, crl_format);
1228                 if (!crl)
1229                         {
1230                         BIO_puts(bio_err, "Error loading CRL\n");
1231                         ERR_print_errors(bio_err);
1232                         goto end;
1233                         }
1234                 crls = sk_X509_CRL_new_null();
1235                 if (!crls || !sk_X509_CRL_push(crls, crl))
1236                         {
1237                         BIO_puts(bio_err, "Error adding CRL\n");
1238                         ERR_print_errors(bio_err);
1239                         X509_CRL_free(crl);
1240                         goto end;
1241                         }
1242                 }
1243
1244         if (!load_excert(&exc, bio_err))
1245                 goto end;
1246
1247         if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
1248                 && !RAND_status())
1249                 {
1250                 BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
1251                 }
1252         if (inrand != NULL)
1253                 BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
1254                         app_RAND_load_files(inrand));
1255
1256         if (bio_c_out == NULL)
1257                 {
1258                 if (c_quiet && !c_debug)
1259                         {
1260                         bio_c_out=BIO_new(BIO_s_null());
1261                         if (c_msg && !bio_c_msg)
1262                                 bio_c_msg=BIO_new_fp(stdout,BIO_NOCLOSE);
1263                         }
1264                 else
1265                         {
1266                         if (bio_c_out == NULL)
1267                                 bio_c_out=BIO_new_fp(stdout,BIO_NOCLOSE);
1268                         }
1269                 }
1270
1271 #ifndef OPENSSL_NO_SRP
1272         if(!app_passwd(bio_err, srppass, NULL, &srp_arg.srppassin, NULL))
1273                 {
1274                 BIO_printf(bio_err, "Error getting password\n");
1275                 goto end;
1276                 }
1277 #endif
1278
1279         ctx=SSL_CTX_new(meth);
1280         if (ctx == NULL)
1281                 {
1282                 ERR_print_errors(bio_err);
1283                 goto end;
1284                 }
1285
1286         if (sdebug)
1287                 ssl_ctx_security_debug(ctx, bio_err, sdebug);
1288
1289         if (vpm)
1290                 SSL_CTX_set1_param(ctx, vpm);
1291
1292         if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, 1, no_jpake))
1293                 {
1294                 ERR_print_errors(bio_err);
1295                 goto end;
1296                 }
1297
1298         if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile,
1299                                                 crls, crl_download))
1300                 {
1301                 BIO_printf(bio_err, "Error loading store locations\n");
1302                 ERR_print_errors(bio_err);
1303                 goto end;
1304                 }
1305
1306 #ifndef OPENSSL_NO_ENGINE
1307         if (ssl_client_engine)
1308                 {
1309                 if (!SSL_CTX_set_client_cert_engine(ctx, ssl_client_engine))
1310                         {
1311                         BIO_puts(bio_err, "Error setting client auth engine\n");
1312                         ERR_print_errors(bio_err);
1313                         ENGINE_free(ssl_client_engine);
1314                         goto end;
1315                         }
1316                 ENGINE_free(ssl_client_engine);
1317                 }
1318 #endif
1319
1320 #ifndef OPENSSL_NO_PSK
1321 #ifdef OPENSSL_NO_JPAKE
1322         if (psk_key != NULL)
1323 #else
1324         if (psk_key != NULL || jpake_secret)
1325 #endif
1326                 {
1327                 if (c_debug)
1328                         BIO_printf(bio_c_out, "PSK key given or JPAKE in use, setting client callback\n");
1329                 SSL_CTX_set_psk_client_callback(ctx, psk_client_cb);
1330                 }
1331         if (srtp_profiles != NULL)
1332                 SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles);
1333 #endif
1334         if (exc) ssl_ctx_set_excert(ctx, exc);
1335         /* DTLS: partial reads end up discarding unread UDP bytes :-( 
1336          * Setting read ahead solves this problem.
1337          */
1338         if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
1339
1340 #if !defined(OPENSSL_NO_TLSEXT)
1341 # if !defined(OPENSSL_NO_NEXTPROTONEG)
1342         if (next_proto.data)
1343                 SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);
1344 # endif
1345         if (alpn_in)
1346                 {
1347                 unsigned short alpn_len;
1348                 unsigned char *alpn = next_protos_parse(&alpn_len, alpn_in);
1349
1350                 if (alpn == NULL)
1351                         {
1352                         BIO_printf(bio_err, "Error parsing -alpn argument\n");
1353                         goto end;
1354                         }
1355                 SSL_CTX_set_alpn_protos(ctx, alpn, alpn_len);
1356                 OPENSSL_free(alpn);
1357                 }
1358 #endif
1359 #ifndef OPENSSL_NO_TLSEXT
1360                 if (serverinfo_types_count)
1361                         {
1362                         for (i = 0; i < serverinfo_types_count; i++)
1363                                 {
1364                                 SSL_CTX_set_custom_cli_ext(ctx,
1365                                                            serverinfo_types[i],
1366                                                            NULL, 
1367                                                            serverinfo_cli_cb,
1368                                                            NULL);
1369                                 }
1370                         }
1371 #endif
1372
1373         if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
1374 #if 0
1375         else
1376                 SSL_CTX_set_cipher_list(ctx,getenv("SSL_CIPHER"));
1377 #endif
1378
1379         SSL_CTX_set_verify(ctx,verify,verify_callback);
1380
1381         if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
1382                 (!SSL_CTX_set_default_verify_paths(ctx)))
1383                 {
1384                 /* BIO_printf(bio_err,"error setting default verify locations\n"); */
1385                 ERR_print_errors(bio_err);
1386                 /* goto end; */
1387                 }
1388
1389         ssl_ctx_add_crls(ctx, crls, crl_download);
1390
1391         if (!set_cert_key_stuff(ctx,cert,key,chain,build_chain))
1392                 goto end;
1393
1394 #ifndef OPENSSL_NO_TLSEXT
1395         if (servername != NULL)
1396                 {
1397                 tlsextcbp.biodebug = bio_err;
1398                 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
1399                 SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
1400                 }
1401 #ifndef OPENSSL_NO_SRP
1402         if (srp_arg.srplogin)
1403                 {
1404                 if (!srp_lateuser && !SSL_CTX_set_srp_username(ctx, srp_arg.srplogin))
1405                         {
1406                         BIO_printf(bio_err,"Unable to set SRP username\n");
1407                         goto end;
1408                         }
1409                 srp_arg.msg = c_msg;
1410                 srp_arg.debug = c_debug ;
1411                 SSL_CTX_set_srp_cb_arg(ctx,&srp_arg);
1412                 SSL_CTX_set_srp_client_pwd_callback(ctx, ssl_give_srp_client_pwd_cb);
1413                 SSL_CTX_set_srp_strength(ctx, srp_arg.strength);
1414                 if (c_msg || c_debug || srp_arg.amp == 0)
1415                         SSL_CTX_set_srp_verify_param_callback(ctx, ssl_srp_verify_param_cb);
1416                 }
1417
1418 #endif
1419 #endif
1420
1421         con=SSL_new(ctx);
1422         if (sess_in)
1423                 {
1424                 SSL_SESSION *sess;
1425                 BIO *stmp = BIO_new_file(sess_in, "r");
1426                 if (!stmp)
1427                         {
1428                         BIO_printf(bio_err, "Can't open session file %s\n",
1429                                                 sess_in);
1430                         ERR_print_errors(bio_err);
1431                         goto end;
1432                         }
1433                 sess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL);
1434                 BIO_free(stmp);
1435                 if (!sess)
1436                         {
1437                         BIO_printf(bio_err, "Can't open session file %s\n",
1438                                                 sess_in);
1439                         ERR_print_errors(bio_err);
1440                         goto end;
1441                         }
1442                 SSL_set_session(con, sess);
1443                 SSL_SESSION_free(sess);
1444                 }
1445 #ifndef OPENSSL_NO_TLSEXT
1446         if (servername != NULL)
1447                 {
1448                 if (!SSL_set_tlsext_host_name(con,servername))
1449                         {
1450                         BIO_printf(bio_err,"Unable to set TLS servername extension.\n");
1451                         ERR_print_errors(bio_err);
1452                         goto end;
1453                         }
1454                 }
1455 #endif
1456 #ifndef OPENSSL_NO_KRB5
1457         if (con  &&  (kctx = kssl_ctx_new()) != NULL)
1458                 {
1459                 SSL_set0_kssl_ctx(con, kctx);
1460                 kssl_ctx_setstring(kctx, KSSL_SERVER, host);
1461                 }
1462 #endif  /* OPENSSL_NO_KRB5  */
1463 /*      SSL_set_cipher_list(con,"RC4-MD5"); */
1464 #if 0
1465 #ifdef TLSEXT_TYPE_opaque_prf_input
1466         SSL_set_tlsext_opaque_prf_input(con, "Test client", 11);
1467 #endif
1468 #endif
1469
1470 re_start:
1471 #ifdef NO_SYS_UN_H
1472         if (init_client(&s,host,port,socket_type) == 0)
1473 #else
1474         if ((!unix_path && (init_client(&s,host,port,socket_type) == 0)) ||
1475                         (unix_path && (init_client_unix(&s,unix_path) == 0)))
1476 #endif
1477                 {
1478                 BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
1479                 SHUTDOWN(s);
1480                 goto end;
1481                 }
1482         BIO_printf(bio_c_out,"CONNECTED(%08X)\n",s);
1483
1484 #ifdef FIONBIO
1485         if (c_nbio)
1486                 {
1487                 unsigned long l=1;
1488                 BIO_printf(bio_c_out,"turning on non blocking io\n");
1489                 if (BIO_socket_ioctl(s,FIONBIO,&l) < 0)
1490                         {
1491                         ERR_print_errors(bio_err);
1492                         goto end;
1493                         }
1494                 }
1495 #endif                                              
1496         if (c_Pause & 0x01) SSL_set_debug(con, 1);
1497
1498         if (socket_type == SOCK_DGRAM)
1499                 {
1500
1501                 sbio=BIO_new_dgram(s,BIO_NOCLOSE);
1502                 if (getsockname(s, &peer, (void *)&peerlen) < 0)
1503                         {
1504                         BIO_printf(bio_err, "getsockname:errno=%d\n",
1505                                 get_last_socket_error());
1506                         SHUTDOWN(s);
1507                         goto end;
1508                         }
1509
1510                 (void)BIO_ctrl_set_connected(sbio, 1, &peer);
1511
1512                 if (enable_timeouts)
1513                         {
1514                         timeout.tv_sec = 0;
1515                         timeout.tv_usec = DGRAM_RCV_TIMEOUT;
1516                         BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
1517                         
1518                         timeout.tv_sec = 0;
1519                         timeout.tv_usec = DGRAM_SND_TIMEOUT;
1520                         BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
1521                         }
1522
1523                 if (socket_mtu > 28)
1524                         {
1525                         SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
1526                         SSL_set_mtu(con, socket_mtu - 28);
1527                         }
1528                 else
1529                         /* want to do MTU discovery */
1530                         BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
1531                 }
1532         else
1533                 sbio=BIO_new_socket(s,BIO_NOCLOSE);
1534
1535         if (nbio_test)
1536                 {
1537                 BIO *test;
1538
1539                 test=BIO_new(BIO_f_nbio_test());
1540                 sbio=BIO_push(test,sbio);
1541                 }
1542
1543         if (c_debug)
1544                 {
1545                 SSL_set_debug(con, 1);
1546                 BIO_set_callback(sbio,bio_dump_callback);
1547                 BIO_set_callback_arg(sbio,(char *)bio_c_out);
1548                 }
1549         if (c_msg)
1550                 {
1551 #ifndef OPENSSL_NO_SSL_TRACE
1552                 if (c_msg == 2)
1553                         SSL_set_msg_callback(con, SSL_trace);
1554                 else
1555 #endif
1556                         SSL_set_msg_callback(con, msg_cb);
1557                 SSL_set_msg_callback_arg(con, bio_c_msg ? bio_c_msg : bio_c_out);
1558                 }
1559 #ifndef OPENSSL_NO_TLSEXT
1560         if (c_tlsextdebug)
1561                 {
1562                 SSL_set_tlsext_debug_callback(con, tlsext_cb);
1563                 SSL_set_tlsext_debug_arg(con, bio_c_out);
1564                 }
1565         if (c_status_req)
1566                 {
1567                 SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp);
1568                 SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb);
1569                 SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out);
1570 #if 0
1571 {
1572 STACK_OF(OCSP_RESPID) *ids = sk_OCSP_RESPID_new_null();
1573 OCSP_RESPID *id = OCSP_RESPID_new();
1574 id->value.byKey = ASN1_OCTET_STRING_new();
1575 id->type = V_OCSP_RESPID_KEY;
1576 ASN1_STRING_set(id->value.byKey, "Hello World", -1);
1577 sk_OCSP_RESPID_push(ids, id);
1578 SSL_set_tlsext_status_ids(con, ids);
1579 }
1580 #endif
1581                 }
1582 #endif
1583 #ifndef OPENSSL_NO_JPAKE
1584         if (jpake_secret)
1585                 jpake_client_auth(bio_c_out, sbio, jpake_secret);
1586 #endif
1587
1588         SSL_set_bio(con,sbio,sbio);
1589         SSL_set_connect_state(con);
1590
1591         /* ok, lets connect */
1592         width=SSL_get_fd(con)+1;
1593
1594         read_tty=1;
1595         write_tty=0;
1596         tty_on=0;
1597         read_ssl=1;
1598         write_ssl=1;
1599         
1600         cbuf_len=0;
1601         cbuf_off=0;
1602         sbuf_len=0;
1603         sbuf_off=0;
1604
1605         /* This is an ugly hack that does a lot of assumptions */
1606         /* We do have to handle multi-line responses which may come
1607            in a single packet or not. We therefore have to use
1608            BIO_gets() which does need a buffering BIO. So during
1609            the initial chitchat we do push a buffering BIO into the
1610            chain that is removed again later on to not disturb the
1611            rest of the s_client operation. */
1612         if (starttls_proto == PROTO_SMTP)
1613                 {
1614                 int foundit=0;
1615                 BIO *fbio = BIO_new(BIO_f_buffer());
1616                 BIO_push(fbio, sbio);
1617                 /* wait for multi-line response to end from SMTP */
1618                 do
1619                         {
1620                         mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1621                         }
1622                 while (mbuf_len>3 && mbuf[3]=='-');
1623                 /* STARTTLS command requires EHLO... */
1624                 BIO_printf(fbio,"EHLO openssl.client.net\r\n");
1625                 (void)BIO_flush(fbio);
1626                 /* wait for multi-line response to end EHLO SMTP response */
1627                 do
1628                         {
1629                         mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1630                         if (strstr(mbuf,"STARTTLS"))
1631                                 foundit=1;
1632                         }
1633                 while (mbuf_len>3 && mbuf[3]=='-');
1634                 (void)BIO_flush(fbio);
1635                 BIO_pop(fbio);
1636                 BIO_free(fbio);
1637                 if (!foundit)
1638                         BIO_printf(bio_err,
1639                                    "didn't found starttls in server response,"
1640                                    " try anyway...\n");
1641                 BIO_printf(sbio,"STARTTLS\r\n");
1642                 BIO_read(sbio,sbuf,BUFSIZZ);
1643                 }
1644         else if (starttls_proto == PROTO_POP3)
1645                 {
1646                 BIO_read(sbio,mbuf,BUFSIZZ);
1647                 BIO_printf(sbio,"STLS\r\n");
1648                 BIO_read(sbio,sbuf,BUFSIZZ);
1649                 }
1650         else if (starttls_proto == PROTO_IMAP)
1651                 {
1652                 int foundit=0;
1653                 BIO *fbio = BIO_new(BIO_f_buffer());
1654                 BIO_push(fbio, sbio);
1655                 BIO_gets(fbio,mbuf,BUFSIZZ);
1656                 /* STARTTLS command requires CAPABILITY... */
1657                 BIO_printf(fbio,". CAPABILITY\r\n");
1658                 (void)BIO_flush(fbio);
1659                 /* wait for multi-line CAPABILITY response */
1660                 do
1661                         {
1662                         mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1663                         if (strstr(mbuf,"STARTTLS"))
1664                                 foundit=1;
1665                         }
1666                 while (mbuf_len>3 && mbuf[0]!='.');
1667                 (void)BIO_flush(fbio);
1668                 BIO_pop(fbio);
1669                 BIO_free(fbio);
1670                 if (!foundit)
1671                         BIO_printf(bio_err,
1672                                    "didn't found STARTTLS in server response,"
1673                                    " try anyway...\n");
1674                 BIO_printf(sbio,". STARTTLS\r\n");
1675                 BIO_read(sbio,sbuf,BUFSIZZ);
1676                 }
1677         else if (starttls_proto == PROTO_FTP)
1678                 {
1679                 BIO *fbio = BIO_new(BIO_f_buffer());
1680                 BIO_push(fbio, sbio);
1681                 /* wait for multi-line response to end from FTP */
1682                 do
1683                         {
1684                         mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1685                         }
1686                 while (mbuf_len>3 && mbuf[3]=='-');
1687                 (void)BIO_flush(fbio);
1688                 BIO_pop(fbio);
1689                 BIO_free(fbio);
1690                 BIO_printf(sbio,"AUTH TLS\r\n");
1691                 BIO_read(sbio,sbuf,BUFSIZZ);
1692                 }
1693         if (starttls_proto == PROTO_XMPP)
1694                 {
1695                 int seen = 0;
1696                 BIO_printf(sbio,"<stream:stream "
1697                     "xmlns:stream='http://etherx.jabber.org/streams' "
1698                     "xmlns='jabber:client' to='%s' version='1.0'>", xmpphost ?
1699                            xmpphost : host);
1700                 seen = BIO_read(sbio,mbuf,BUFSIZZ);
1701                 mbuf[seen] = 0;
1702                 while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'") &&
1703                                 !strstr(mbuf, "<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\""))
1704                         {
1705                         seen = BIO_read(sbio,mbuf,BUFSIZZ);
1706
1707                         if (seen <= 0)
1708                                 goto shut;
1709
1710                         mbuf[seen] = 0;
1711                         }
1712                 BIO_printf(sbio, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>");
1713                 seen = BIO_read(sbio,sbuf,BUFSIZZ);
1714                 sbuf[seen] = 0;
1715                 if (!strstr(sbuf, "<proceed"))
1716                         goto shut;
1717                 mbuf[0] = 0;
1718                 }
1719
1720         for (;;)
1721                 {
1722                 FD_ZERO(&readfds);
1723                 FD_ZERO(&writefds);
1724
1725                 if ((SSL_version(con) == DTLS1_VERSION) &&
1726                         DTLSv1_get_timeout(con, &timeout))
1727                         timeoutp = &timeout;
1728                 else
1729                         timeoutp = NULL;
1730
1731                 if (SSL_in_init(con) && !SSL_total_renegotiations(con))
1732                         {
1733                         in_init=1;
1734                         tty_on=0;
1735                         }
1736                 else
1737                         {
1738                         tty_on=1;
1739                         if (in_init)
1740                                 {
1741                                 in_init=0;
1742 #if 0 /* This test doesn't really work as intended (needs to be fixed) */
1743 #ifndef OPENSSL_NO_TLSEXT
1744                                 if (servername != NULL && !SSL_session_reused(con))
1745                                         {
1746                                         BIO_printf(bio_c_out,"Server did %sacknowledge servername extension.\n",tlsextcbp.ack?"":"not ");
1747                                         }
1748 #endif
1749 #endif
1750                                 if (sess_out)
1751                                         {
1752                                         BIO *stmp = BIO_new_file(sess_out, "w");
1753                                         if (stmp)
1754                                                 {
1755                                                 PEM_write_bio_SSL_SESSION(stmp, SSL_get_session(con));
1756                                                 BIO_free(stmp);
1757                                                 }
1758                                         else 
1759                                                 BIO_printf(bio_err, "Error writing session file %s\n", sess_out);
1760                                         }
1761                                 if (c_brief)
1762                                         {
1763                                         BIO_puts(bio_err,
1764                                                 "CONNECTION ESTABLISHED\n");
1765                                         print_ssl_summary(bio_err, con);
1766                                         }
1767
1768                                 print_stuff(bio_c_out,con,full_log);
1769                                 if (full_log > 0) full_log--;
1770
1771                                 if (starttls_proto)
1772                                         {
1773                                         BIO_printf(bio_err,"%s",mbuf);
1774                                         /* We don't need to know any more */
1775                                         starttls_proto = PROTO_OFF;
1776                                         }
1777
1778                                 if (reconnect)
1779                                         {
1780                                         reconnect--;
1781                                         BIO_printf(bio_c_out,"drop connection and then reconnect\n");
1782                                         SSL_shutdown(con);
1783                                         SSL_set_connect_state(con);
1784                                         SHUTDOWN(SSL_get_fd(con));
1785                                         goto re_start;
1786                                         }
1787                                 }
1788                         }
1789
1790                 ssl_pending = read_ssl && SSL_pending(con);
1791
1792                 if (!ssl_pending)
1793                         {
1794 #if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) && !defined (OPENSSL_SYS_BEOS_R5)
1795                         if (tty_on)
1796                                 {
1797                                 if (read_tty)  openssl_fdset(fileno(stdin),&readfds);
1798                                 if (write_tty) openssl_fdset(fileno(stdout),&writefds);
1799                                 }
1800                         if (read_ssl)
1801                                 openssl_fdset(SSL_get_fd(con),&readfds);
1802                         if (write_ssl)
1803                                 openssl_fdset(SSL_get_fd(con),&writefds);
1804 #else
1805                         if(!tty_on || !write_tty) {
1806                                 if (read_ssl)
1807                                         openssl_fdset(SSL_get_fd(con),&readfds);
1808                                 if (write_ssl)
1809                                         openssl_fdset(SSL_get_fd(con),&writefds);
1810                         }
1811 #endif
1812 /*                      printf("mode tty(%d %d%d) ssl(%d%d)\n",
1813                                 tty_on,read_tty,write_tty,read_ssl,write_ssl);*/
1814
1815                         /* Note: under VMS with SOCKETSHR the second parameter
1816                          * is currently of type (int *) whereas under other
1817                          * systems it is (void *) if you don't have a cast it
1818                          * will choke the compiler: if you do have a cast then
1819                          * you can either go for (int *) or (void *).
1820                          */
1821 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
1822                         /* Under Windows/DOS we make the assumption that we can
1823                          * always write to the tty: therefore if we need to
1824                          * write to the tty we just fall through. Otherwise
1825                          * we timeout the select every second and see if there
1826                          * are any keypresses. Note: this is a hack, in a proper
1827                          * Windows application we wouldn't do this.
1828                          */
1829                         i=0;
1830                         if(!write_tty) {
1831                                 if(read_tty) {
1832                                         tv.tv_sec = 1;
1833                                         tv.tv_usec = 0;
1834                                         i=select(width,(void *)&readfds,(void *)&writefds,
1835                                                  NULL,&tv);
1836 #if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
1837                                         if(!i && (!_kbhit() || !read_tty) ) continue;
1838 #else
1839                                         if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue;
1840 #endif
1841                                 } else  i=select(width,(void *)&readfds,(void *)&writefds,
1842                                          NULL,timeoutp);
1843                         }
1844 #elif defined(OPENSSL_SYS_NETWARE)
1845                         if(!write_tty) {
1846                                 if(read_tty) {
1847                                         tv.tv_sec = 1;
1848                                         tv.tv_usec = 0;
1849                                         i=select(width,(void *)&readfds,(void *)&writefds,
1850                                                 NULL,&tv);
1851                                 } else  i=select(width,(void *)&readfds,(void *)&writefds,
1852                                         NULL,timeoutp);
1853                         }
1854 #elif defined(OPENSSL_SYS_BEOS_R5)
1855                         /* Under BeOS-R5 the situation is similar to DOS */
1856                         i=0;
1857                         stdin_set = 0;
1858                         (void)fcntl(fileno(stdin), F_SETFL, O_NONBLOCK);
1859                         if(!write_tty) {
1860                                 if(read_tty) {
1861                                         tv.tv_sec = 1;
1862                                         tv.tv_usec = 0;
1863                                         i=select(width,(void *)&readfds,(void *)&writefds,
1864                                                  NULL,&tv);
1865                                         if (read(fileno(stdin), sbuf, 0) >= 0)
1866                                                 stdin_set = 1;
1867                                         if (!i && (stdin_set != 1 || !read_tty))
1868                                                 continue;
1869                                 } else  i=select(width,(void *)&readfds,(void *)&writefds,
1870                                          NULL,timeoutp);
1871                         }
1872                         (void)fcntl(fileno(stdin), F_SETFL, 0);
1873 #else
1874                         i=select(width,(void *)&readfds,(void *)&writefds,
1875                                  NULL,timeoutp);
1876 #endif
1877                         if ( i < 0)
1878                                 {
1879                                 BIO_printf(bio_err,"bad select %d\n",
1880                                 get_last_socket_error());
1881                                 goto shut;
1882                                 /* goto end; */
1883                                 }
1884                         }
1885
1886                 if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0)
1887                         {
1888                         BIO_printf(bio_err,"TIMEOUT occurred\n");
1889                         }
1890
1891                 if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds))
1892                         {
1893                         k=SSL_write(con,&(cbuf[cbuf_off]),
1894                                 (unsigned int)cbuf_len);
1895                         switch (SSL_get_error(con,k))
1896                                 {
1897                         case SSL_ERROR_NONE:
1898                                 cbuf_off+=k;
1899                                 cbuf_len-=k;
1900                                 if (k <= 0) goto end;
1901                                 /* we have done a  write(con,NULL,0); */
1902                                 if (cbuf_len <= 0)
1903                                         {
1904                                         read_tty=1;
1905                                         write_ssl=0;
1906                                         }
1907                                 else /* if (cbuf_len > 0) */
1908                                         {
1909                                         read_tty=0;
1910                                         write_ssl=1;
1911                                         }
1912                                 break;
1913                         case SSL_ERROR_WANT_WRITE:
1914                                 BIO_printf(bio_c_out,"write W BLOCK\n");
1915                                 write_ssl=1;
1916                                 read_tty=0;
1917                                 break;
1918                         case SSL_ERROR_WANT_READ:
1919                                 BIO_printf(bio_c_out,"write R BLOCK\n");
1920                                 write_tty=0;
1921                                 read_ssl=1;
1922                                 write_ssl=0;
1923                                 break;
1924                         case SSL_ERROR_WANT_X509_LOOKUP:
1925                                 BIO_printf(bio_c_out,"write X BLOCK\n");
1926                                 break;
1927                         case SSL_ERROR_ZERO_RETURN:
1928                                 if (cbuf_len != 0)
1929                                         {
1930                                         BIO_printf(bio_c_out,"shutdown\n");
1931                                         ret = 0;
1932                                         goto shut;
1933                                         }
1934                                 else
1935                                         {
1936                                         read_tty=1;
1937                                         write_ssl=0;
1938                                         break;
1939                                         }
1940                                 
1941                         case SSL_ERROR_SYSCALL:
1942                                 if ((k != 0) || (cbuf_len != 0))
1943                                         {
1944                                         BIO_printf(bio_err,"write:errno=%d\n",
1945                                                 get_last_socket_error());
1946                                         goto shut;
1947                                         }
1948                                 else
1949                                         {
1950                                         read_tty=1;
1951                                         write_ssl=0;
1952                                         }
1953                                 break;
1954                         case SSL_ERROR_SSL:
1955                                 ERR_print_errors(bio_err);
1956                                 goto shut;
1957                                 }
1958                         }
1959 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
1960                 /* Assume Windows/DOS/BeOS can always write */
1961                 else if (!ssl_pending && write_tty)
1962 #else
1963                 else if (!ssl_pending && FD_ISSET(fileno(stdout),&writefds))
1964 #endif
1965                         {
1966 #ifdef CHARSET_EBCDIC
1967                         ascii2ebcdic(&(sbuf[sbuf_off]),&(sbuf[sbuf_off]),sbuf_len);
1968 #endif
1969                         i=raw_write_stdout(&(sbuf[sbuf_off]),sbuf_len);
1970
1971                         if (i <= 0)
1972                                 {
1973                                 BIO_printf(bio_c_out,"DONE\n");
1974                                 ret = 0;
1975                                 goto shut;
1976                                 /* goto end; */
1977                                 }
1978
1979                         sbuf_len-=i;;
1980                         sbuf_off+=i;
1981                         if (sbuf_len <= 0)
1982                                 {
1983                                 read_ssl=1;
1984                                 write_tty=0;
1985                                 }
1986                         }
1987                 else if (ssl_pending || FD_ISSET(SSL_get_fd(con),&readfds))
1988                         {
1989 #ifdef RENEG
1990 { static int iiii; if (++iiii == 52) { SSL_renegotiate(con); iiii=0; } }
1991 #endif
1992 #if 1
1993                         k=SSL_read(con,sbuf,1024 /* BUFSIZZ */ );
1994 #else
1995 /* Demo for pending and peek :-) */
1996                         k=SSL_read(con,sbuf,16);
1997 { char zbuf[10240]; 
1998 printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240));
1999 }
2000 #endif
2001
2002                         switch (SSL_get_error(con,k))
2003                                 {
2004                         case SSL_ERROR_NONE:
2005                                 if (k <= 0)
2006                                         goto end;
2007                                 sbuf_off=0;
2008                                 sbuf_len=k;
2009
2010                                 read_ssl=0;
2011                                 write_tty=1;
2012                                 break;
2013                         case SSL_ERROR_WANT_WRITE:
2014                                 BIO_printf(bio_c_out,"read W BLOCK\n");
2015                                 write_ssl=1;
2016                                 read_tty=0;
2017                                 break;
2018                         case SSL_ERROR_WANT_READ:
2019                                 BIO_printf(bio_c_out,"read R BLOCK\n");
2020                                 write_tty=0;
2021                                 read_ssl=1;
2022                                 if ((read_tty == 0) && (write_ssl == 0))
2023                                         write_ssl=1;
2024                                 break;
2025                         case SSL_ERROR_WANT_X509_LOOKUP:
2026                                 BIO_printf(bio_c_out,"read X BLOCK\n");
2027                                 break;
2028                         case SSL_ERROR_SYSCALL:
2029                                 ret=get_last_socket_error();
2030                                 if (c_brief)
2031                                         BIO_puts(bio_err, "CONNECTION CLOSED BY SERVER\n");
2032                                 else
2033                                         BIO_printf(bio_err,"read:errno=%d\n",ret);
2034                                 goto shut;
2035                         case SSL_ERROR_ZERO_RETURN:
2036                                 BIO_printf(bio_c_out,"closed\n");
2037                                 ret=0;
2038                                 goto shut;
2039                         case SSL_ERROR_SSL:
2040                                 ERR_print_errors(bio_err);
2041                                 goto shut;
2042                                 /* break; */
2043                                 }
2044                         }
2045
2046 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
2047 #if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
2048                 else if (_kbhit())
2049 #else
2050                 else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
2051 #endif
2052 #elif defined (OPENSSL_SYS_NETWARE)
2053                 else if (_kbhit())
2054 #elif defined(OPENSSL_SYS_BEOS_R5)
2055                 else if (stdin_set)
2056 #else
2057                 else if (FD_ISSET(fileno(stdin),&readfds))
2058 #endif
2059                         {
2060                         if (crlf)
2061                                 {
2062                                 int j, lf_num;
2063
2064                                 i=raw_read_stdin(cbuf,BUFSIZZ/2);
2065                                 lf_num = 0;
2066                                 /* both loops are skipped when i <= 0 */
2067                                 for (j = 0; j < i; j++)
2068                                         if (cbuf[j] == '\n')
2069                                                 lf_num++;
2070                                 for (j = i-1; j >= 0; j--)
2071                                         {
2072                                         cbuf[j+lf_num] = cbuf[j];
2073                                         if (cbuf[j] == '\n')
2074                                                 {
2075                                                 lf_num--;
2076                                                 i++;
2077                                                 cbuf[j+lf_num] = '\r';
2078                                                 }
2079                                         }
2080                                 assert(lf_num == 0);
2081                                 }
2082                         else
2083                                 i=raw_read_stdin(cbuf,BUFSIZZ);
2084
2085                         if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q')))
2086                                 {
2087                                 BIO_printf(bio_err,"DONE\n");
2088                                 ret=0;
2089                                 goto shut;
2090                                 }
2091
2092                         if ((!c_ign_eof) && (cbuf[0] == 'R'))
2093                                 {
2094                                 BIO_printf(bio_err,"RENEGOTIATING\n");
2095                                 SSL_renegotiate(con);
2096                                 cbuf_len=0;
2097                                 }
2098 #ifndef OPENSSL_NO_HEARTBEATS
2099                         else if ((!c_ign_eof) && (cbuf[0] == 'B'))
2100                                 {
2101                                 BIO_printf(bio_err,"HEARTBEATING\n");
2102                                 SSL_heartbeat(con);
2103                                 cbuf_len=0;
2104                                 }
2105 #endif
2106                         else
2107                                 {
2108                                 cbuf_len=i;
2109                                 cbuf_off=0;
2110 #ifdef CHARSET_EBCDIC
2111                                 ebcdic2ascii(cbuf, cbuf, i);
2112 #endif
2113                                 }
2114
2115                         write_ssl=1;
2116                         read_tty=0;
2117                         }
2118                 }
2119
2120         ret=0;
2121 shut:
2122         if (in_init)
2123                 print_stuff(bio_c_out,con,full_log);
2124         SSL_shutdown(con);
2125         SHUTDOWN(SSL_get_fd(con));
2126 end:
2127         if (con != NULL)
2128                 {
2129                 if (prexit != 0)
2130                         print_stuff(bio_c_out,con,1);
2131                 SSL_free(con);
2132                 }
2133 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
2134         if (next_proto.data)
2135                 OPENSSL_free(next_proto.data);
2136 #endif
2137         if (ctx != NULL) SSL_CTX_free(ctx);
2138         if (cert)
2139                 X509_free(cert);
2140         if (crls)
2141                 sk_X509_CRL_pop_free(crls, X509_CRL_free);
2142         if (key)
2143                 EVP_PKEY_free(key);
2144         if (chain)
2145                 sk_X509_pop_free(chain, X509_free);
2146         if (pass)
2147                 OPENSSL_free(pass);
2148         if (vpm)
2149                 X509_VERIFY_PARAM_free(vpm);
2150         ssl_excert_free(exc);
2151         if (ssl_args)
2152                 sk_OPENSSL_STRING_free(ssl_args);
2153         if (cctx)
2154                 SSL_CONF_CTX_free(cctx);
2155 #ifndef OPENSSL_NO_JPAKE
2156         if (jpake_secret && psk_key)
2157                 OPENSSL_free(psk_key);
2158 #endif
2159         if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); }
2160         if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); }
2161         if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); }
2162         if (bio_c_out != NULL)
2163                 {
2164                 BIO_free(bio_c_out);
2165                 bio_c_out=NULL;
2166                 }
2167         if (bio_c_msg != NULL)
2168                 {
2169                 BIO_free(bio_c_msg);
2170                 bio_c_msg=NULL;
2171                 }
2172         apps_shutdown();
2173         OPENSSL_EXIT(ret);
2174         }
2175
2176
2177 static void print_stuff(BIO *bio, SSL *s, int full)
2178         {
2179         X509 *peer=NULL;
2180         char *p;
2181         static const char *space="                ";
2182         char buf[BUFSIZ];
2183         STACK_OF(X509) *sk;
2184         STACK_OF(X509_NAME) *sk2;
2185         const SSL_CIPHER *c;
2186         X509_NAME *xn;
2187         int j,i;
2188 #ifndef OPENSSL_NO_COMP
2189         const COMP_METHOD *comp, *expansion;
2190 #endif
2191         unsigned char *exportedkeymat;
2192
2193         if (full)
2194                 {
2195                 int got_a_chain = 0;
2196
2197                 sk=SSL_get_peer_cert_chain(s);
2198                 if (sk != NULL)
2199                         {
2200                         got_a_chain = 1; /* we don't have it for SSL2 (yet) */
2201
2202                         BIO_printf(bio,"---\nCertificate chain\n");
2203                         for (i=0; i<sk_X509_num(sk); i++)
2204                                 {
2205                                 X509_NAME_oneline(X509_get_subject_name(
2206                                         sk_X509_value(sk,i)),buf,sizeof buf);
2207                                 BIO_printf(bio,"%2d s:%s\n",i,buf);
2208                                 X509_NAME_oneline(X509_get_issuer_name(
2209                                         sk_X509_value(sk,i)),buf,sizeof buf);
2210                                 BIO_printf(bio,"   i:%s\n",buf);
2211                                 if (c_showcerts)
2212                                         PEM_write_bio_X509(bio,sk_X509_value(sk,i));
2213                                 }
2214                         }
2215
2216                 BIO_printf(bio,"---\n");
2217                 peer=SSL_get_peer_certificate(s);
2218                 if (peer != NULL)
2219                         {
2220                         BIO_printf(bio,"Server certificate\n");
2221                         if (!(c_showcerts && got_a_chain)) /* Redundant if we showed the whole chain */
2222                                 PEM_write_bio_X509(bio,peer);
2223                         X509_NAME_oneline(X509_get_subject_name(peer),
2224                                 buf,sizeof buf);
2225                         BIO_printf(bio,"subject=%s\n",buf);
2226                         X509_NAME_oneline(X509_get_issuer_name(peer),
2227                                 buf,sizeof buf);
2228                         BIO_printf(bio,"issuer=%s\n",buf);
2229                         }
2230                 else
2231                         BIO_printf(bio,"no peer certificate available\n");
2232
2233                 sk2=SSL_get_client_CA_list(s);
2234                 if ((sk2 != NULL) && (sk_X509_NAME_num(sk2) > 0))
2235                         {
2236                         BIO_printf(bio,"---\nAcceptable client certificate CA names\n");
2237                         for (i=0; i<sk_X509_NAME_num(sk2); i++)
2238                                 {
2239                                 xn=sk_X509_NAME_value(sk2,i);
2240                                 X509_NAME_oneline(xn,buf,sizeof(buf));
2241                                 BIO_write(bio,buf,strlen(buf));
2242                                 BIO_write(bio,"\n",1);
2243                                 }
2244                         }
2245                 else
2246                         {
2247                         BIO_printf(bio,"---\nNo client certificate CA names sent\n");
2248                         }
2249                 p=SSL_get_shared_ciphers(s,buf,sizeof buf);
2250                 if (p != NULL)
2251                         {
2252                         /* This works only for SSL 2.  In later protocol
2253                          * versions, the client does not know what other
2254                          * ciphers (in addition to the one to be used
2255                          * in the current connection) the server supports. */
2256
2257                         BIO_printf(bio,"---\nCiphers common between both SSL endpoints:\n");
2258                         j=i=0;
2259                         while (*p)
2260                                 {
2261                                 if (*p == ':')
2262                                         {
2263                                         BIO_write(bio,space,15-j%25);
2264                                         i++;
2265                                         j=0;
2266                                         BIO_write(bio,((i%3)?" ":"\n"),1);
2267                                         }
2268                                 else
2269                                         {
2270                                         BIO_write(bio,p,1);
2271                                         j++;
2272                                         }
2273                                 p++;
2274                                 }
2275                         BIO_write(bio,"\n",1);
2276                         }
2277
2278                 ssl_print_sigalgs(bio, s);
2279                 ssl_print_tmp_key(bio, s);
2280
2281                 BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n",
2282                         BIO_number_read(SSL_get_rbio(s)),
2283                         BIO_number_written(SSL_get_wbio(s)));
2284                 }
2285         BIO_printf(bio,(SSL_cache_hit(s)?"---\nReused, ":"---\nNew, "));
2286         c=SSL_get_current_cipher(s);
2287         BIO_printf(bio,"%s, Cipher is %s\n",
2288                 SSL_CIPHER_get_version(c),
2289                 SSL_CIPHER_get_name(c));
2290         if (peer != NULL) {
2291                 EVP_PKEY *pktmp;
2292                 pktmp = X509_get_pubkey(peer);
2293                 BIO_printf(bio,"Server public key is %d bit\n",
2294                                                          EVP_PKEY_bits(pktmp));
2295                 EVP_PKEY_free(pktmp);
2296         }
2297         BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
2298                         SSL_get_secure_renegotiation_support(s) ? "" : " NOT");
2299 #ifndef OPENSSL_NO_COMP
2300         comp=SSL_get_current_compression(s);
2301         expansion=SSL_get_current_expansion(s);
2302         BIO_printf(bio,"Compression: %s\n",
2303                 comp ? SSL_COMP_get_name(comp) : "NONE");
2304         BIO_printf(bio,"Expansion: %s\n",
2305                 expansion ? SSL_COMP_get_name(expansion) : "NONE");
2306 #endif
2307  
2308 #ifdef SSL_DEBUG
2309         {
2310         /* Print out local port of connection: useful for debugging */
2311         int sock;
2312         struct sockaddr_in ladd;
2313         socklen_t ladd_size = sizeof(ladd);
2314         sock = SSL_get_fd(s);
2315         getsockname(sock, (struct sockaddr *)&ladd, &ladd_size);
2316         BIO_printf(bio_c_out, "LOCAL PORT is %u\n", ntohs(ladd.sin_port));
2317         }
2318 #endif
2319
2320 #if !defined(OPENSSL_NO_TLSEXT)
2321 # if !defined(OPENSSL_NO_NEXTPROTONEG)
2322         if (next_proto.status != -1) {
2323                 const unsigned char *proto;
2324                 unsigned int proto_len;
2325                 SSL_get0_next_proto_negotiated(s, &proto, &proto_len);
2326                 BIO_printf(bio, "Next protocol: (%d) ", next_proto.status);
2327                 BIO_write(bio, proto, proto_len);
2328                 BIO_write(bio, "\n", 1);
2329         }
2330 # endif
2331         {
2332                 const unsigned char *proto;
2333                 unsigned int proto_len;
2334                 SSL_get0_alpn_selected(s, &proto, &proto_len);
2335                 if (proto_len > 0)
2336                         {
2337                         BIO_printf(bio, "ALPN protocol: ");
2338                         BIO_write(bio, proto, proto_len);
2339                         BIO_write(bio, "\n", 1);
2340                         }
2341                 else
2342                         BIO_printf(bio, "No ALPN negotiated\n");
2343         }
2344 #endif
2345
2346         {
2347         SRTP_PROTECTION_PROFILE *srtp_profile=SSL_get_selected_srtp_profile(s);
2348  
2349         if(srtp_profile)
2350                 BIO_printf(bio,"SRTP Extension negotiated, profile=%s\n",
2351                            srtp_profile->name);
2352         }
2353  
2354         SSL_SESSION_print(bio,SSL_get_session(s));
2355         if (keymatexportlabel != NULL)
2356                 {
2357                 BIO_printf(bio, "Keying material exporter:\n");
2358                 BIO_printf(bio, "    Label: '%s'\n", keymatexportlabel);
2359                 BIO_printf(bio, "    Length: %i bytes\n", keymatexportlen);
2360                 exportedkeymat = OPENSSL_malloc(keymatexportlen);
2361                 if (exportedkeymat != NULL)
2362                         {
2363                         if (!SSL_export_keying_material(s, exportedkeymat,
2364                                                         keymatexportlen,
2365                                                         keymatexportlabel,
2366                                                         strlen(keymatexportlabel),
2367                                                         NULL, 0, 0))
2368                                 {
2369                                 BIO_printf(bio, "    Error\n");
2370                                 }
2371                         else
2372                                 {
2373                                 BIO_printf(bio, "    Keying material: ");
2374                                 for (i=0; i<keymatexportlen; i++)
2375                                         BIO_printf(bio, "%02X",
2376                                                    exportedkeymat[i]);
2377                                 BIO_printf(bio, "\n");
2378                                 }
2379                         OPENSSL_free(exportedkeymat);
2380                         }
2381                 }
2382         BIO_printf(bio,"---\n");
2383         if (peer != NULL)
2384                 X509_free(peer);
2385         /* flush, or debugging output gets mixed with http response */
2386         (void)BIO_flush(bio);
2387         }
2388
2389 #ifndef OPENSSL_NO_TLSEXT
2390
2391 static int ocsp_resp_cb(SSL *s, void *arg)
2392         {
2393         const unsigned char *p;
2394         int len;
2395         OCSP_RESPONSE *rsp;
2396         len = SSL_get_tlsext_status_ocsp_resp(s, &p);
2397         BIO_puts(arg, "OCSP response: ");
2398         if (!p)
2399                 {
2400                 BIO_puts(arg, "no response sent\n");
2401                 return 1;
2402                 }
2403         rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
2404         if (!rsp)
2405                 {
2406                 BIO_puts(arg, "response parse error\n");
2407                 BIO_dump_indent(arg, (char *)p, len, 4);
2408                 return 0;
2409                 }
2410         BIO_puts(arg, "\n======================================\n");
2411         OCSP_RESPONSE_print(arg, rsp, 0);
2412         BIO_puts(arg, "======================================\n");
2413         OCSP_RESPONSE_free(rsp);
2414         return 1;
2415         }
2416
2417 #endif