Remove all RFC5878 code.
[openssl.git] / apps / s_client.c
1 /* apps/s_client.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111 /* ====================================================================
112  * Copyright 2005 Nokia. All rights reserved.
113  *
114  * The portions of the attached software ("Contribution") is developed by
115  * Nokia Corporation and is licensed pursuant to the OpenSSL open source
116  * license.
117  *
118  * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119  * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120  * support (see RFC 4279) to OpenSSL.
121  *
122  * No patent licenses or other rights except those expressly stated in
123  * the OpenSSL open source license shall be deemed granted or received
124  * expressly, by implication, estoppel, or otherwise.
125  *
126  * No assurances are provided by Nokia that the Contribution does not
127  * infringe the patent or other intellectual property rights of any third
128  * party or that the license provides you with all the necessary rights
129  * to make use of the Contribution.
130  *
131  * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132  * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133  * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134  * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
135  * OTHERWISE.
136  */
137
138 #include <assert.h>
139 #include <ctype.h>
140 #include <stdio.h>
141 #include <stdlib.h>
142 #include <string.h>
143 #include <openssl/e_os2.h>
144 #ifdef OPENSSL_NO_STDIO
145 #define APPS_WIN16
146 #endif
147
148 /* With IPv6, it looks like Digital has mixed up the proper order of
149    recursive header file inclusion, resulting in the compiler complaining
150    that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which
151    is needed to have fileno() declared correctly...  So let's define u_int */
152 #if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
153 #define __U_INT
154 typedef unsigned int u_int;
155 #endif
156
157 #define USE_SOCKETS
158 #include "apps.h"
159 #include <openssl/x509.h>
160 #include <openssl/ssl.h>
161 #include <openssl/err.h>
162 #include <openssl/pem.h>
163 #include <openssl/rand.h>
164 #include <openssl/ocsp.h>
165 #include <openssl/bn.h>
166 #ifndef OPENSSL_NO_SRP
167 #include <openssl/srp.h>
168 #endif
169 #include "s_apps.h"
170 #include "timeouts.h"
171
172 #if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
173 /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
174 #undef FIONBIO
175 #endif
176
177 #if defined(OPENSSL_SYS_BEOS_R5)
178 #include <fcntl.h>
179 #endif
180
181 #undef PROG
182 #define PROG    s_client_main
183
184 /*#define SSL_HOST_NAME "www.netscape.com" */
185 /*#define SSL_HOST_NAME "193.118.187.102" */
186 #define SSL_HOST_NAME   "localhost"
187
188 /*#define TEST_CERT "client.pem" */ /* no default cert. */
189
190 #undef BUFSIZZ
191 #define BUFSIZZ 1024*8
192
193 extern int verify_depth;
194 extern int verify_error;
195 extern int verify_return_error;
196 extern int verify_quiet;
197
198 #ifdef FIONBIO
199 static int c_nbio=0;
200 #endif
201 static int c_Pause=0;
202 static int c_debug=0;
203 #ifndef OPENSSL_NO_TLSEXT
204 static int c_tlsextdebug=0;
205 static int c_status_req=0;
206 #endif
207 static int c_msg=0;
208 static int c_showcerts=0;
209
210 static char *keymatexportlabel=NULL;
211 static int keymatexportlen=20;
212
213 static void sc_usage(void);
214 static void print_stuff(BIO *berr,SSL *con,int full);
215 #ifndef OPENSSL_NO_TLSEXT
216 static int ocsp_resp_cb(SSL *s, void *arg);
217 #endif
218 static BIO *bio_c_out=NULL;
219 static BIO *bio_c_msg=NULL;
220 static int c_quiet=0;
221 static int c_ign_eof=0;
222 static int c_brief=0;
223
224 #ifndef OPENSSL_NO_PSK
225 /* Default PSK identity and key */
226 static char *psk_identity="Client_identity";
227 /*char *psk_key=NULL;  by default PSK is not used */
228
229 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity,
230         unsigned int max_identity_len, unsigned char *psk,
231         unsigned int max_psk_len)
232         {
233         unsigned int psk_len = 0;
234         int ret;
235         BIGNUM *bn=NULL;
236
237         if (c_debug)
238                 BIO_printf(bio_c_out, "psk_client_cb\n");
239         if (!hint)
240                 {
241                 /* no ServerKeyExchange message*/
242                 if (c_debug)
243                         BIO_printf(bio_c_out,"NULL received PSK identity hint, continuing anyway\n");
244                 }
245         else if (c_debug)
246                 BIO_printf(bio_c_out, "Received PSK identity hint '%s'\n", hint);
247
248         /* lookup PSK identity and PSK key based on the given identity hint here */
249         ret = BIO_snprintf(identity, max_identity_len, "%s", psk_identity);
250         if (ret < 0 || (unsigned int)ret > max_identity_len)
251                 goto out_err;
252         if (c_debug)
253                 BIO_printf(bio_c_out, "created identity '%s' len=%d\n", identity, ret);
254         ret=BN_hex2bn(&bn, psk_key);
255         if (!ret)
256                 {
257                 BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", psk_key);
258                 if (bn)
259                         BN_free(bn);
260                 return 0;
261                 }
262
263         if ((unsigned int)BN_num_bytes(bn) > max_psk_len)
264                 {
265                 BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
266                         max_psk_len, BN_num_bytes(bn));
267                 BN_free(bn);
268                 return 0;
269                 }
270
271         psk_len=BN_bn2bin(bn, psk);
272         BN_free(bn);
273         if (psk_len == 0)
274                 goto out_err;
275
276         if (c_debug)
277                 BIO_printf(bio_c_out, "created PSK len=%d\n", psk_len);
278
279         return psk_len;
280  out_err:
281         if (c_debug)
282                 BIO_printf(bio_err, "Error in PSK client callback\n");
283         return 0;
284         }
285 #endif
286
287 static void sc_usage(void)
288         {
289         BIO_printf(bio_err,"usage: s_client args\n");
290         BIO_printf(bio_err,"\n");
291         BIO_printf(bio_err," -host host     - use -connect instead\n");
292         BIO_printf(bio_err," -port port     - use -connect instead\n");
293         BIO_printf(bio_err," -connect host:port - connect over TCP/IP (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR);
294         BIO_printf(bio_err," -unix path    - connect over unix domain sockets\n");
295         BIO_printf(bio_err," -verify arg   - turn on peer certificate verification\n");
296         BIO_printf(bio_err," -cert arg     - certificate file to use, PEM format assumed\n");
297         BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n");
298         BIO_printf(bio_err," -key arg      - Private key file to use, in cert file if\n");
299         BIO_printf(bio_err,"                 not specified but cert file is.\n");
300         BIO_printf(bio_err," -keyform arg  - key format (PEM or DER) PEM default\n");
301         BIO_printf(bio_err," -pass arg     - private key file pass phrase source\n");
302         BIO_printf(bio_err," -CApath arg   - PEM format directory of CA's\n");
303         BIO_printf(bio_err," -CAfile arg   - PEM format file of CA's\n");
304         BIO_printf(bio_err," -trusted_first - Use local CA's first when building trust chain\n");
305         BIO_printf(bio_err," -reconnect    - Drop and re-make the connection with the same Session-ID\n");
306         BIO_printf(bio_err," -pause        - sleep(1) after each read(2) and write(2) system call\n");
307         BIO_printf(bio_err," -showcerts    - show all certificates in the chain\n");
308         BIO_printf(bio_err," -debug        - extra output\n");
309 #ifdef WATT32
310         BIO_printf(bio_err," -wdebug       - WATT-32 tcp debugging\n");
311 #endif
312         BIO_printf(bio_err," -msg          - Show protocol messages\n");
313         BIO_printf(bio_err," -nbio_test    - more ssl protocol testing\n");
314         BIO_printf(bio_err," -state        - print the 'ssl' states\n");
315 #ifdef FIONBIO
316         BIO_printf(bio_err," -nbio         - Run with non-blocking IO\n");
317 #endif
318         BIO_printf(bio_err," -crlf         - convert LF from terminal into CRLF\n");
319         BIO_printf(bio_err," -quiet        - no s_client output\n");
320         BIO_printf(bio_err," -ign_eof      - ignore input eof (default when -quiet)\n");
321         BIO_printf(bio_err," -no_ign_eof   - don't ignore input eof\n");
322 #ifndef OPENSSL_NO_PSK
323         BIO_printf(bio_err," -psk_identity arg - PSK identity\n");
324         BIO_printf(bio_err," -psk arg      - PSK in hex (without 0x)\n");
325 # ifndef OPENSSL_NO_JPAKE
326         BIO_printf(bio_err," -jpake arg    - JPAKE secret to use\n");
327 # endif
328 #endif
329 #ifndef OPENSSL_NO_SRP
330         BIO_printf(bio_err," -srpuser user     - SRP authentification for 'user'\n");
331         BIO_printf(bio_err," -srppass arg      - password for 'user'\n");
332         BIO_printf(bio_err," -srp_lateuser     - SRP username into second ClientHello message\n");
333         BIO_printf(bio_err," -srp_moregroups   - Tolerate other than the known g N values.\n");
334         BIO_printf(bio_err," -srp_strength int - minimal mength in bits for N (default %d).\n",SRP_MINIMAL_N);
335 #endif
336         BIO_printf(bio_err," -ssl2         - just use SSLv2\n");
337         BIO_printf(bio_err," -ssl3         - just use SSLv3\n");
338         BIO_printf(bio_err," -tls1_2       - just use TLSv1.2\n");
339         BIO_printf(bio_err," -tls1_1       - just use TLSv1.1\n");
340         BIO_printf(bio_err," -tls1         - just use TLSv1\n");
341         BIO_printf(bio_err," -dtls1        - just use DTLSv1\n");    
342         BIO_printf(bio_err," -mtu          - set the link layer MTU\n");
343         BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
344         BIO_printf(bio_err," -bugs         - Switch on all SSL implementation bug workarounds\n");
345         BIO_printf(bio_err," -serverpref   - Use server's cipher preferences (only SSLv2)\n");
346         BIO_printf(bio_err," -cipher       - preferred cipher to use, use the 'openssl ciphers'\n");
347         BIO_printf(bio_err,"                 command to see what is available\n");
348         BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n");
349         BIO_printf(bio_err,"                 for those protocols that support it, where\n");
350         BIO_printf(bio_err,"                 'prot' defines which one to assume.  Currently,\n");
351         BIO_printf(bio_err,"                 only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
352         BIO_printf(bio_err,"                 are supported.\n");
353         BIO_printf(bio_err," -xmpphost host - When used with \"-starttls xmpp\" specifies the virtual host.\n");
354 #ifndef OPENSSL_NO_ENGINE
355         BIO_printf(bio_err," -engine id    - Initialise and use the specified engine\n");
356 #endif
357         BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
358         BIO_printf(bio_err," -sess_out arg - file to write SSL session to\n");
359         BIO_printf(bio_err," -sess_in arg  - file to read SSL session from\n");
360 #ifndef OPENSSL_NO_TLSEXT
361         BIO_printf(bio_err," -servername host  - Set TLS extension servername in ClientHello\n");
362         BIO_printf(bio_err," -tlsextdebug      - hex dump of all TLS extensions received\n");
363         BIO_printf(bio_err," -status           - request certificate status from server\n");
364         BIO_printf(bio_err," -no_ticket        - disable use of RFC4507bis session tickets\n");
365         BIO_printf(bio_err," -serverinfo types - send empty ClientHello extensions (comma-separated numbers)\n");
366 # ifndef OPENSSL_NO_NEXTPROTONEG
367         BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
368 # endif
369         BIO_printf(bio_err," -alpn arg         - enable ALPN extension, considering named protocols supported (comma-separated list)\n");
370 #endif
371         BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
372         BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
373         BIO_printf(bio_err," -keymatexport label   - Export keying material using label\n");
374         BIO_printf(bio_err," -keymatexportlen len  - Export len bytes of keying material (default 20)\n");
375         }
376
377 #ifndef OPENSSL_NO_TLSEXT
378
379 /* This is a context that we pass to callbacks */
380 typedef struct tlsextctx_st {
381    BIO * biodebug;
382    int ack;
383 } tlsextctx;
384
385
386 static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
387         {
388         tlsextctx * p = (tlsextctx *) arg;
389         const char * hn= SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
390         if (SSL_get_servername_type(s) != -1) 
391                 p->ack = !SSL_session_reused(s) && hn != NULL;
392         else 
393                 BIO_printf(bio_err,"Can't use SSL_get_servername\n");
394         
395         return SSL_TLSEXT_ERR_OK;
396         }
397
398 #ifndef OPENSSL_NO_SRP
399
400 /* This is a context that we pass to all callbacks */
401 typedef struct srp_arg_st
402         {
403         char *srppassin;
404         char *srplogin;
405         int msg;   /* copy from c_msg */
406         int debug; /* copy from c_debug */
407         int amp;   /* allow more groups */
408         int strength /* minimal size for N */ ;
409         } SRP_ARG;
410
411 #define SRP_NUMBER_ITERATIONS_FOR_PRIME 64
412
413 static int srp_Verify_N_and_g(const BIGNUM *N, const BIGNUM *g)
414         {
415         BN_CTX *bn_ctx = BN_CTX_new();
416         BIGNUM *p = BN_new();
417         BIGNUM *r = BN_new();
418         int ret =
419                 g != NULL && N != NULL && bn_ctx != NULL && BN_is_odd(N) &&
420                 BN_is_prime_ex(N, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
421                 p != NULL && BN_rshift1(p, N) &&
422
423                 /* p = (N-1)/2 */
424                 BN_is_prime_ex(p, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
425                 r != NULL &&
426
427                 /* verify g^((N-1)/2) == -1 (mod N) */
428                 BN_mod_exp(r, g, p, N, bn_ctx) &&
429                 BN_add_word(r, 1) &&
430                 BN_cmp(r, N) == 0;
431
432         if(r)
433                 BN_free(r);
434         if(p)
435                 BN_free(p);
436         if(bn_ctx)
437                 BN_CTX_free(bn_ctx);
438         return ret;
439         }
440
441 /* This callback is used here for two purposes:
442    - extended debugging
443    - making some primality tests for unknown groups
444    The callback is only called for a non default group.
445
446    An application does not need the call back at all if
447    only the stanard groups are used.  In real life situations, 
448    client and server already share well known groups, 
449    thus there is no need to verify them. 
450    Furthermore, in case that a server actually proposes a group that
451    is not one of those defined in RFC 5054, it is more appropriate 
452    to add the group to a static list and then compare since 
453    primality tests are rather cpu consuming.
454 */
455
456 static int MS_CALLBACK ssl_srp_verify_param_cb(SSL *s, void *arg)
457         {
458         SRP_ARG *srp_arg = (SRP_ARG *)arg;
459         BIGNUM *N = NULL, *g = NULL;
460         if (!(N = SSL_get_srp_N(s)) || !(g = SSL_get_srp_g(s)))
461                 return 0;
462         if (srp_arg->debug || srp_arg->msg || srp_arg->amp == 1)
463                 {
464                 BIO_printf(bio_err, "SRP parameters:\n"); 
465                 BIO_printf(bio_err,"\tN="); BN_print(bio_err,N);
466                 BIO_printf(bio_err,"\n\tg="); BN_print(bio_err,g);
467                 BIO_printf(bio_err,"\n");
468                 }
469
470         if (SRP_check_known_gN_param(g,N))
471                 return 1;
472
473         if (srp_arg->amp == 1)
474                 {
475                 if (srp_arg->debug)
476                         BIO_printf(bio_err, "SRP param N and g are not known params, going to check deeper.\n");
477
478 /* The srp_moregroups is a real debugging feature.
479    Implementors should rather add the value to the known ones.
480    The minimal size has already been tested.
481 */
482                 if (BN_num_bits(g) <= BN_BITS && srp_Verify_N_and_g(N,g))
483                         return 1;
484                 }       
485         BIO_printf(bio_err, "SRP param N and g rejected.\n");
486         return 0;
487         }
488
489 #define PWD_STRLEN 1024
490
491 static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
492         {
493         SRP_ARG *srp_arg = (SRP_ARG *)arg;
494         char *pass = (char *)OPENSSL_malloc(PWD_STRLEN+1);
495         PW_CB_DATA cb_tmp;
496         int l;
497
498         cb_tmp.password = (char *)srp_arg->srppassin;
499         cb_tmp.prompt_info = "SRP user";
500         if ((l = password_callback(pass, PWD_STRLEN, 0, &cb_tmp))<0)
501                 {
502                 BIO_printf (bio_err, "Can't read Password\n");
503                 OPENSSL_free(pass);
504                 return NULL;
505                 }
506         *(pass+l)= '\0';
507
508         return pass;
509         }
510
511 #endif
512         char *srtp_profiles = NULL;
513
514 # ifndef OPENSSL_NO_NEXTPROTONEG
515 /* This the context that we pass to next_proto_cb */
516 typedef struct tlsextnextprotoctx_st {
517         unsigned char *data;
518         unsigned short len;
519         int status;
520 } tlsextnextprotoctx;
521
522 static tlsextnextprotoctx next_proto;
523
524 static int next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg)
525         {
526         tlsextnextprotoctx *ctx = arg;
527
528         if (!c_quiet)
529                 {
530                 /* We can assume that |in| is syntactically valid. */
531                 unsigned i;
532                 BIO_printf(bio_c_out, "Protocols advertised by server: ");
533                 for (i = 0; i < inlen; )
534                         {
535                         if (i)
536                                 BIO_write(bio_c_out, ", ", 2);
537                         BIO_write(bio_c_out, &in[i + 1], in[i]);
538                         i += in[i] + 1;
539                         }
540                 BIO_write(bio_c_out, "\n", 1);
541                 }
542
543         ctx->status = SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len);
544         return SSL_TLSEXT_ERR_OK;
545         }
546 # endif  /* ndef OPENSSL_NO_NEXTPROTONEG */
547
548 static int serverinfo_cli_cb(SSL* s, unsigned short ext_type,
549                              const unsigned char* in, unsigned short inlen, 
550                              int* al, void* arg)
551         {
552         char pem_name[100];
553         unsigned char ext_buf[4 + 65536];
554
555         /* Reconstruct the type/len fields prior to extension data */
556         ext_buf[0] = ext_type >> 8;
557         ext_buf[1] = ext_type & 0xFF;
558         ext_buf[2] = inlen >> 8;
559         ext_buf[3] = inlen & 0xFF;
560         memcpy(ext_buf+4, in, inlen);
561
562         BIO_snprintf(pem_name, sizeof(pem_name), "SERVERINFO FOR EXTENSION %d",
563                      ext_type);
564         PEM_write_bio(bio_c_out, pem_name, "", ext_buf, 4 + inlen);
565         return 1;
566         }
567
568 #endif
569
570 enum
571 {
572         PROTO_OFF       = 0,
573         PROTO_SMTP,
574         PROTO_POP3,
575         PROTO_IMAP,
576         PROTO_FTP,
577         PROTO_XMPP
578 };
579
580 int MAIN(int, char **);
581
582 int MAIN(int argc, char **argv)
583         {
584         int build_chain = 0;
585         SSL *con=NULL;
586 #ifndef OPENSSL_NO_KRB5
587         KSSL_CTX *kctx;
588 #endif
589         int s,k,width,state=0;
590         char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL;
591         int cbuf_len,cbuf_off;
592         int sbuf_len,sbuf_off;
593         fd_set readfds,writefds;
594         short port=PORT;
595         int full_log=1;
596         char *host=SSL_HOST_NAME;
597         const char *unix_path = NULL;
598         char *xmpphost = NULL;
599         char *cert_file=NULL,*key_file=NULL,*chain_file=NULL;
600         int cert_format = FORMAT_PEM, key_format = FORMAT_PEM;
601         char *passarg = NULL, *pass = NULL;
602         X509 *cert = NULL;
603         EVP_PKEY *key = NULL;
604         STACK_OF(X509) *chain = NULL;
605         char *CApath=NULL,*CAfile=NULL;
606         char *chCApath=NULL,*chCAfile=NULL;
607         char *vfyCApath=NULL,*vfyCAfile=NULL;
608         int reconnect=0,badop=0,verify=SSL_VERIFY_NONE;
609         int crlf=0;
610         int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending;
611         SSL_CTX *ctx=NULL;
612         int ret=1,in_init=1,i,nbio_test=0;
613         int starttls_proto = PROTO_OFF;
614         int prexit = 0;
615         X509_VERIFY_PARAM *vpm = NULL;
616         int badarg = 0;
617         const SSL_METHOD *meth=NULL;
618         int socket_type=SOCK_STREAM;
619         BIO *sbio;
620         char *inrand=NULL;
621         int mbuf_len=0;
622         struct timeval timeout, *timeoutp;
623 #ifndef OPENSSL_NO_ENGINE
624         char *engine_id=NULL;
625         char *ssl_client_engine_id=NULL;
626         ENGINE *ssl_client_engine=NULL;
627 #endif
628         ENGINE *e=NULL;
629 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
630         struct timeval tv;
631 #if defined(OPENSSL_SYS_BEOS_R5)
632         int stdin_set = 0;
633 #endif
634 #endif
635 #ifndef OPENSSL_NO_TLSEXT
636         char *servername = NULL; 
637         tlsextctx tlsextcbp = 
638         {NULL,0};
639 # ifndef OPENSSL_NO_NEXTPROTONEG
640         const char *next_proto_neg_in = NULL;
641 # endif
642         const char *alpn_in = NULL;
643 # define MAX_SI_TYPES 100
644         unsigned short serverinfo_types[MAX_SI_TYPES];
645         int serverinfo_types_count = 0;
646 #endif
647         char *sess_in = NULL;
648         char *sess_out = NULL;
649         struct sockaddr peer;
650         int peerlen = sizeof(peer);
651         int enable_timeouts = 0 ;
652         long socket_mtu = 0;
653 #ifndef OPENSSL_NO_JPAKE
654 static char *jpake_secret = NULL;
655 #define no_jpake !jpake_secret
656 #else
657 #define no_jpake 1
658 #endif
659 #ifndef OPENSSL_NO_SRP
660         char * srppass = NULL;
661         int srp_lateuser = 0;
662         SRP_ARG srp_arg = {NULL,NULL,0,0,0,1024};
663 #endif
664         SSL_EXCERT *exc = NULL;
665
666         SSL_CONF_CTX *cctx = NULL;
667         STACK_OF(OPENSSL_STRING) *ssl_args = NULL;
668
669         char *crl_file = NULL;
670         int crl_format = FORMAT_PEM;
671         int crl_download = 0;
672         STACK_OF(X509_CRL) *crls = NULL;
673         int sdebug = 0;
674
675         meth=SSLv23_client_method();
676
677         apps_startup();
678         c_Pause=0;
679         c_quiet=0;
680         c_ign_eof=0;
681         c_debug=0;
682         c_msg=0;
683         c_showcerts=0;
684
685         if (bio_err == NULL)
686                 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
687
688         if (!load_config(bio_err, NULL))
689                 goto end;
690         cctx = SSL_CONF_CTX_new();
691         if (!cctx)
692                 goto end;
693         SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT);
694         SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CMDLINE);
695
696         if (    ((cbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
697                 ((sbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
698                 ((mbuf=OPENSSL_malloc(BUFSIZZ)) == NULL))
699                 {
700                 BIO_printf(bio_err,"out of memory\n");
701                 goto end;
702                 }
703
704         verify_depth=0;
705         verify_error=X509_V_OK;
706 #ifdef FIONBIO
707         c_nbio=0;
708 #endif
709
710         argc--;
711         argv++;
712         while (argc >= 1)
713                 {
714                 if      (strcmp(*argv,"-host") == 0)
715                         {
716                         if (--argc < 1) goto bad;
717                         host= *(++argv);
718                         }
719                 else if (strcmp(*argv,"-port") == 0)
720                         {
721                         if (--argc < 1) goto bad;
722                         port=atoi(*(++argv));
723                         if (port == 0) goto bad;
724                         }
725                 else if (strcmp(*argv,"-connect") == 0)
726                         {
727                         if (--argc < 1) goto bad;
728                         if (!extract_host_port(*(++argv),&host,NULL,&port))
729                                 goto bad;
730                         }
731                 else if (strcmp(*argv,"-unix") == 0)
732                         {
733                         if (--argc < 1) goto bad;
734                         unix_path = *(++argv);
735                         }
736                 else if (strcmp(*argv,"-xmpphost") == 0)
737                         {
738                         if (--argc < 1) goto bad;
739                         xmpphost= *(++argv);
740                         }
741                 else if (strcmp(*argv,"-verify") == 0)
742                         {
743                         verify=SSL_VERIFY_PEER;
744                         if (--argc < 1) goto bad;
745                         verify_depth=atoi(*(++argv));
746                         if (!c_quiet)
747                                 BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
748                         }
749                 else if (strcmp(*argv,"-cert") == 0)
750                         {
751                         if (--argc < 1) goto bad;
752                         cert_file= *(++argv);
753                         }
754                 else if (strcmp(*argv,"-CRL") == 0)
755                         {
756                         if (--argc < 1) goto bad;
757                         crl_file= *(++argv);
758                         }
759                 else if (strcmp(*argv,"-crl_download") == 0)
760                         crl_download = 1;
761                 else if (strcmp(*argv,"-sess_out") == 0)
762                         {
763                         if (--argc < 1) goto bad;
764                         sess_out = *(++argv);
765                         }
766                 else if (strcmp(*argv,"-sess_in") == 0)
767                         {
768                         if (--argc < 1) goto bad;
769                         sess_in = *(++argv);
770                         }
771                 else if (strcmp(*argv,"-certform") == 0)
772                         {
773                         if (--argc < 1) goto bad;
774                         cert_format = str2fmt(*(++argv));
775                         }
776                 else if (strcmp(*argv,"-CRLform") == 0)
777                         {
778                         if (--argc < 1) goto bad;
779                         crl_format = str2fmt(*(++argv));
780                         }
781                 else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
782                         {
783                         if (badarg)
784                                 goto bad;
785                         continue;
786                         }
787                 else if (strcmp(*argv,"-verify_return_error") == 0)
788                         verify_return_error = 1;
789                 else if (strcmp(*argv,"-verify_quiet") == 0)
790                         verify_quiet = 1;
791                 else if (strcmp(*argv,"-brief") == 0)
792                         {
793                         c_brief = 1;
794                         verify_quiet = 1;
795                         c_quiet = 1;
796                         }
797                 else if (args_excert(&argv, &argc, &badarg, bio_err, &exc))
798                         {
799                         if (badarg)
800                                 goto bad;
801                         continue;
802                         }
803                 else if (args_ssl(&argv, &argc, cctx, &badarg, bio_err, &ssl_args))
804                         {
805                         if (badarg)
806                                 goto bad;
807                         continue;
808                         }
809                 else if (strcmp(*argv,"-prexit") == 0)
810                         prexit=1;
811                 else if (strcmp(*argv,"-crlf") == 0)
812                         crlf=1;
813                 else if (strcmp(*argv,"-quiet") == 0)
814                         {
815                         c_quiet=1;
816                         c_ign_eof=1;
817                         }
818                 else if (strcmp(*argv,"-ign_eof") == 0)
819                         c_ign_eof=1;
820                 else if (strcmp(*argv,"-no_ign_eof") == 0)
821                         c_ign_eof=0;
822                 else if (strcmp(*argv,"-pause") == 0)
823                         c_Pause=1;
824                 else if (strcmp(*argv,"-debug") == 0)
825                         c_debug=1;
826 #ifndef OPENSSL_NO_TLSEXT
827                 else if (strcmp(*argv,"-tlsextdebug") == 0)
828                         c_tlsextdebug=1;
829                 else if (strcmp(*argv,"-status") == 0)
830                         c_status_req=1;
831 #endif
832 #ifdef WATT32
833                 else if (strcmp(*argv,"-wdebug") == 0)
834                         dbug_init();
835 #endif
836                 else if (strcmp(*argv,"-msg") == 0)
837                         c_msg=1;
838                 else if (strcmp(*argv,"-msgfile") == 0)
839                         {
840                         if (--argc < 1) goto bad;
841                         bio_c_msg = BIO_new_file(*(++argv), "w");
842                         }
843 #ifndef OPENSSL_NO_SSL_TRACE
844                 else if (strcmp(*argv,"-trace") == 0)
845                         c_msg=2;
846 #endif
847                 else if (strcmp(*argv,"-security_debug") == 0)
848                         { sdebug=1; }
849                 else if (strcmp(*argv,"-security_debug_verbose") == 0)
850                         { sdebug=2; }
851                 else if (strcmp(*argv,"-showcerts") == 0)
852                         c_showcerts=1;
853                 else if (strcmp(*argv,"-nbio_test") == 0)
854                         nbio_test=1;
855                 else if (strcmp(*argv,"-state") == 0)
856                         state=1;
857 #ifndef OPENSSL_NO_PSK
858                 else if (strcmp(*argv,"-psk_identity") == 0)
859                         {
860                         if (--argc < 1) goto bad;
861                         psk_identity=*(++argv);
862                         }
863                 else if (strcmp(*argv,"-psk") == 0)
864                         {
865                         size_t j;
866
867                         if (--argc < 1) goto bad;
868                         psk_key=*(++argv);
869                         for (j = 0; j < strlen(psk_key); j++)
870                                 {
871                                 if (isxdigit((unsigned char)psk_key[j]))
872                                         continue;
873                                 BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
874                                 goto bad;
875                                 }
876                         }
877 #endif
878 #ifndef OPENSSL_NO_SRP
879                 else if (strcmp(*argv,"-srpuser") == 0)
880                         {
881                         if (--argc < 1) goto bad;
882                         srp_arg.srplogin= *(++argv);
883                         meth=TLSv1_client_method();
884                         }
885                 else if (strcmp(*argv,"-srppass") == 0)
886                         {
887                         if (--argc < 1) goto bad;
888                         srppass= *(++argv);
889                         meth=TLSv1_client_method();
890                         }
891                 else if (strcmp(*argv,"-srp_strength") == 0)
892                         {
893                         if (--argc < 1) goto bad;
894                         srp_arg.strength=atoi(*(++argv));
895                         BIO_printf(bio_err,"SRP minimal length for N is %d\n",srp_arg.strength);
896                         meth=TLSv1_client_method();
897                         }
898                 else if (strcmp(*argv,"-srp_lateuser") == 0)
899                         {
900                         srp_lateuser= 1;
901                         meth=TLSv1_client_method();
902                         }
903                 else if (strcmp(*argv,"-srp_moregroups") == 0)
904                         {
905                         srp_arg.amp=1;
906                         meth=TLSv1_client_method();
907                         }
908 #endif
909 #ifndef OPENSSL_NO_SSL2
910                 else if (strcmp(*argv,"-ssl2") == 0)
911                         meth=SSLv2_client_method();
912 #endif
913 #ifndef OPENSSL_NO_SSL3
914                 else if (strcmp(*argv,"-ssl3") == 0)
915                         meth=SSLv3_client_method();
916 #endif
917 #ifndef OPENSSL_NO_TLS1
918                 else if (strcmp(*argv,"-tls1_2") == 0)
919                         meth=TLSv1_2_client_method();
920                 else if (strcmp(*argv,"-tls1_1") == 0)
921                         meth=TLSv1_1_client_method();
922                 else if (strcmp(*argv,"-tls1") == 0)
923                         meth=TLSv1_client_method();
924 #endif
925 #ifndef OPENSSL_NO_DTLS1
926                 else if (strcmp(*argv,"-dtls") == 0)
927                         {
928                         meth=DTLS_client_method();
929                         socket_type=SOCK_DGRAM;
930                         }
931                 else if (strcmp(*argv,"-dtls1") == 0)
932                         {
933                         meth=DTLSv1_client_method();
934                         socket_type=SOCK_DGRAM;
935                         }
936                 else if (strcmp(*argv,"-dtls1_2") == 0)
937                         {
938                         meth=DTLSv1_2_client_method();
939                         socket_type=SOCK_DGRAM;
940                         }
941                 else if (strcmp(*argv,"-timeout") == 0)
942                         enable_timeouts=1;
943                 else if (strcmp(*argv,"-mtu") == 0)
944                         {
945                         if (--argc < 1) goto bad;
946                         socket_mtu = atol(*(++argv));
947                         }
948 #endif
949                 else if (strcmp(*argv,"-keyform") == 0)
950                         {
951                         if (--argc < 1) goto bad;
952                         key_format = str2fmt(*(++argv));
953                         }
954                 else if (strcmp(*argv,"-pass") == 0)
955                         {
956                         if (--argc < 1) goto bad;
957                         passarg = *(++argv);
958                         }
959                 else if (strcmp(*argv,"-cert_chain") == 0)
960                         {
961                         if (--argc < 1) goto bad;
962                         chain_file= *(++argv);
963                         }
964                 else if (strcmp(*argv,"-key") == 0)
965                         {
966                         if (--argc < 1) goto bad;
967                         key_file= *(++argv);
968                         }
969                 else if (strcmp(*argv,"-reconnect") == 0)
970                         {
971                         reconnect=5;
972                         }
973                 else if (strcmp(*argv,"-CApath") == 0)
974                         {
975                         if (--argc < 1) goto bad;
976                         CApath= *(++argv);
977                         }
978                 else if (strcmp(*argv,"-chainCApath") == 0)
979                         {
980                         if (--argc < 1) goto bad;
981                         chCApath= *(++argv);
982                         }
983                 else if (strcmp(*argv,"-verifyCApath") == 0)
984                         {
985                         if (--argc < 1) goto bad;
986                         vfyCApath= *(++argv);
987                         }
988                 else if (strcmp(*argv,"-build_chain") == 0)
989                         build_chain = 1;
990                 else if (strcmp(*argv,"-CAfile") == 0)
991                         {
992                         if (--argc < 1) goto bad;
993                         CAfile= *(++argv);
994                         }
995                 else if (strcmp(*argv,"-chainCAfile") == 0)
996                         {
997                         if (--argc < 1) goto bad;
998                         chCAfile= *(++argv);
999                         }
1000                 else if (strcmp(*argv,"-verifyCAfile") == 0)
1001                         {
1002                         if (--argc < 1) goto bad;
1003                         vfyCAfile= *(++argv);
1004                         }
1005 #ifndef OPENSSL_NO_TLSEXT
1006 # ifndef OPENSSL_NO_NEXTPROTONEG
1007                 else if (strcmp(*argv,"-nextprotoneg") == 0)
1008                         {
1009                         if (--argc < 1) goto bad;
1010                         next_proto_neg_in = *(++argv);
1011                         }
1012 # endif
1013                 else if (strcmp(*argv,"-alpn") == 0)
1014                         {
1015                         if (--argc < 1) goto bad;
1016                         alpn_in = *(++argv);
1017                         }
1018                 else if (strcmp(*argv,"-serverinfo") == 0)
1019                         {
1020                         char *c;
1021                         int start = 0;
1022                         int len;
1023
1024                         if (--argc < 1) goto bad;
1025                         c = *(++argv);
1026                         serverinfo_types_count = 0;
1027                         len = strlen(c);
1028                         for (i = 0; i <= len; ++i)
1029                                 {
1030                                 if (i == len || c[i] == ',')
1031                                         {
1032                                         serverinfo_types[serverinfo_types_count]
1033                                             = atoi(c+start);
1034                                         serverinfo_types_count++;
1035                                         start = i+1;
1036                                         }
1037                                 if (serverinfo_types_count == MAX_SI_TYPES)
1038                                         break;
1039                                 }
1040                         }
1041 #endif
1042 #ifdef FIONBIO
1043                 else if (strcmp(*argv,"-nbio") == 0)
1044                         { c_nbio=1; }
1045 #endif
1046                 else if (strcmp(*argv,"-starttls") == 0)
1047                         {
1048                         if (--argc < 1) goto bad;
1049                         ++argv;
1050                         if (strcmp(*argv,"smtp") == 0)
1051                                 starttls_proto = PROTO_SMTP;
1052                         else if (strcmp(*argv,"pop3") == 0)
1053                                 starttls_proto = PROTO_POP3;
1054                         else if (strcmp(*argv,"imap") == 0)
1055                                 starttls_proto = PROTO_IMAP;
1056                         else if (strcmp(*argv,"ftp") == 0)
1057                                 starttls_proto = PROTO_FTP;
1058                         else if (strcmp(*argv, "xmpp") == 0)
1059                                 starttls_proto = PROTO_XMPP;
1060                         else
1061                                 goto bad;
1062                         }
1063 #ifndef OPENSSL_NO_ENGINE
1064                 else if (strcmp(*argv,"-engine") == 0)
1065                         {
1066                         if (--argc < 1) goto bad;
1067                         engine_id = *(++argv);
1068                         }
1069                 else if (strcmp(*argv,"-ssl_client_engine") == 0)
1070                         {
1071                         if (--argc < 1) goto bad;
1072                         ssl_client_engine_id = *(++argv);
1073                         }
1074 #endif
1075                 else if (strcmp(*argv,"-rand") == 0)
1076                         {
1077                         if (--argc < 1) goto bad;
1078                         inrand= *(++argv);
1079                         }
1080 #ifndef OPENSSL_NO_TLSEXT
1081                 else if (strcmp(*argv,"-servername") == 0)
1082                         {
1083                         if (--argc < 1) goto bad;
1084                         servername= *(++argv);
1085                         /* meth=TLSv1_client_method(); */
1086                         }
1087 #endif
1088 #ifndef OPENSSL_NO_JPAKE
1089                 else if (strcmp(*argv,"-jpake") == 0)
1090                         {
1091                         if (--argc < 1) goto bad;
1092                         jpake_secret = *++argv;
1093                         }
1094 #endif
1095                 else if (strcmp(*argv,"-use_srtp") == 0)
1096                         {
1097                         if (--argc < 1) goto bad;
1098                         srtp_profiles = *(++argv);
1099                         }
1100                 else if (strcmp(*argv,"-keymatexport") == 0)
1101                         {
1102                         if (--argc < 1) goto bad;
1103                         keymatexportlabel= *(++argv);
1104                         }
1105                 else if (strcmp(*argv,"-keymatexportlen") == 0)
1106                         {
1107                         if (--argc < 1) goto bad;
1108                         keymatexportlen=atoi(*(++argv));
1109                         if (keymatexportlen == 0) goto bad;
1110                         }
1111                 else
1112                         {
1113                         BIO_printf(bio_err,"unknown option %s\n",*argv);
1114                         badop=1;
1115                         break;
1116                         }
1117                 argc--;
1118                 argv++;
1119                 }
1120         if (badop)
1121                 {
1122 bad:
1123                 sc_usage();
1124                 goto end;
1125                 }
1126
1127         if (unix_path && (socket_type != SOCK_STREAM))
1128                 {
1129                 BIO_printf(bio_err, "Can't use unix sockets and datagrams together\n");
1130                         goto end;
1131                 }
1132 #if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
1133         if (jpake_secret)
1134                 {
1135                 if (psk_key)
1136                         {
1137                         BIO_printf(bio_err,
1138                                    "Can't use JPAKE and PSK together\n");
1139                         goto end;
1140                         }
1141                 psk_identity = "JPAKE";
1142                 }
1143 #endif
1144
1145         OpenSSL_add_ssl_algorithms();
1146         SSL_load_error_strings();
1147
1148 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
1149         next_proto.status = -1;
1150         if (next_proto_neg_in)
1151                 {
1152                 next_proto.data = next_protos_parse(&next_proto.len, next_proto_neg_in);
1153                 if (next_proto.data == NULL)
1154                         {
1155                         BIO_printf(bio_err, "Error parsing -nextprotoneg argument\n");
1156                         goto end;
1157                         }
1158                 }
1159         else
1160                 next_proto.data = NULL;
1161 #endif
1162
1163 #ifndef OPENSSL_NO_ENGINE
1164         e = setup_engine(bio_err, engine_id, 1);
1165         if (ssl_client_engine_id)
1166                 {
1167                 ssl_client_engine = ENGINE_by_id(ssl_client_engine_id);
1168                 if (!ssl_client_engine)
1169                         {
1170                         BIO_printf(bio_err,
1171                                         "Error getting client auth engine\n");
1172                         goto end;
1173                         }
1174                 }
1175
1176 #endif
1177         if (!app_passwd(bio_err, passarg, NULL, &pass, NULL))
1178                 {
1179                 BIO_printf(bio_err, "Error getting password\n");
1180                 goto end;
1181                 }
1182
1183         if (key_file == NULL)
1184                 key_file = cert_file;
1185
1186
1187         if (key_file)
1188
1189                 {
1190
1191                 key = load_key(bio_err, key_file, key_format, 0, pass, e,
1192                                "client certificate private key file");
1193                 if (!key)
1194                         {
1195                         ERR_print_errors(bio_err);
1196                         goto end;
1197                         }
1198
1199                 }
1200
1201         if (cert_file)
1202
1203                 {
1204                 cert = load_cert(bio_err,cert_file,cert_format,
1205                                 NULL, e, "client certificate file");
1206
1207                 if (!cert)
1208                         {
1209                         ERR_print_errors(bio_err);
1210                         goto end;
1211                         }
1212                 }
1213
1214         if (chain_file)
1215                 {
1216                 chain = load_certs(bio_err, chain_file,FORMAT_PEM,
1217                                         NULL, e, "client certificate chain");
1218                 if (!chain)
1219                         goto end;
1220                 }
1221
1222         if (crl_file)
1223                 {
1224                 X509_CRL *crl;
1225                 crl = load_crl(crl_file, crl_format);
1226                 if (!crl)
1227                         {
1228                         BIO_puts(bio_err, "Error loading CRL\n");
1229                         ERR_print_errors(bio_err);
1230                         goto end;
1231                         }
1232                 crls = sk_X509_CRL_new_null();
1233                 if (!crls || !sk_X509_CRL_push(crls, crl))
1234                         {
1235                         BIO_puts(bio_err, "Error adding CRL\n");
1236                         ERR_print_errors(bio_err);
1237                         X509_CRL_free(crl);
1238                         goto end;
1239                         }
1240                 }
1241
1242         if (!load_excert(&exc, bio_err))
1243                 goto end;
1244
1245         if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
1246                 && !RAND_status())
1247                 {
1248                 BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
1249                 }
1250         if (inrand != NULL)
1251                 BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
1252                         app_RAND_load_files(inrand));
1253
1254         if (bio_c_out == NULL)
1255                 {
1256                 if (c_quiet && !c_debug)
1257                         {
1258                         bio_c_out=BIO_new(BIO_s_null());
1259                         if (c_msg && !bio_c_msg)
1260                                 bio_c_msg=BIO_new_fp(stdout,BIO_NOCLOSE);
1261                         }
1262                 else
1263                         {
1264                         if (bio_c_out == NULL)
1265                                 bio_c_out=BIO_new_fp(stdout,BIO_NOCLOSE);
1266                         }
1267                 }
1268
1269 #ifndef OPENSSL_NO_SRP
1270         if(!app_passwd(bio_err, srppass, NULL, &srp_arg.srppassin, NULL))
1271                 {
1272                 BIO_printf(bio_err, "Error getting password\n");
1273                 goto end;
1274                 }
1275 #endif
1276
1277         ctx=SSL_CTX_new(meth);
1278         if (ctx == NULL)
1279                 {
1280                 ERR_print_errors(bio_err);
1281                 goto end;
1282                 }
1283
1284         if (sdebug)
1285                 ssl_ctx_security_debug(ctx, bio_err, sdebug);
1286
1287         if (vpm)
1288                 SSL_CTX_set1_param(ctx, vpm);
1289
1290         if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, 1, no_jpake))
1291                 {
1292                 ERR_print_errors(bio_err);
1293                 goto end;
1294                 }
1295
1296         if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile,
1297                                                 crls, crl_download))
1298                 {
1299                 BIO_printf(bio_err, "Error loading store locations\n");
1300                 ERR_print_errors(bio_err);
1301                 goto end;
1302                 }
1303
1304 #ifndef OPENSSL_NO_ENGINE
1305         if (ssl_client_engine)
1306                 {
1307                 if (!SSL_CTX_set_client_cert_engine(ctx, ssl_client_engine))
1308                         {
1309                         BIO_puts(bio_err, "Error setting client auth engine\n");
1310                         ERR_print_errors(bio_err);
1311                         ENGINE_free(ssl_client_engine);
1312                         goto end;
1313                         }
1314                 ENGINE_free(ssl_client_engine);
1315                 }
1316 #endif
1317
1318 #ifndef OPENSSL_NO_PSK
1319 #ifdef OPENSSL_NO_JPAKE
1320         if (psk_key != NULL)
1321 #else
1322         if (psk_key != NULL || jpake_secret)
1323 #endif
1324                 {
1325                 if (c_debug)
1326                         BIO_printf(bio_c_out, "PSK key given or JPAKE in use, setting client callback\n");
1327                 SSL_CTX_set_psk_client_callback(ctx, psk_client_cb);
1328                 }
1329         if (srtp_profiles != NULL)
1330                 SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles);
1331 #endif
1332         if (exc) ssl_ctx_set_excert(ctx, exc);
1333         /* DTLS: partial reads end up discarding unread UDP bytes :-( 
1334          * Setting read ahead solves this problem.
1335          */
1336         if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
1337
1338 #if !defined(OPENSSL_NO_TLSEXT)
1339 # if !defined(OPENSSL_NO_NEXTPROTONEG)
1340         if (next_proto.data)
1341                 SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);
1342 # endif
1343         if (alpn_in)
1344                 {
1345                 unsigned short alpn_len;
1346                 unsigned char *alpn = next_protos_parse(&alpn_len, alpn_in);
1347
1348                 if (alpn == NULL)
1349                         {
1350                         BIO_printf(bio_err, "Error parsing -alpn argument\n");
1351                         goto end;
1352                         }
1353                 SSL_CTX_set_alpn_protos(ctx, alpn, alpn_len);
1354                 OPENSSL_free(alpn);
1355                 }
1356 #endif
1357 #ifndef OPENSSL_NO_TLSEXT
1358                 if (serverinfo_types_count)
1359                         {
1360                         for (i = 0; i < serverinfo_types_count; i++)
1361                                 {
1362                                 SSL_CTX_set_custom_cli_ext(ctx,
1363                                                            serverinfo_types[i],
1364                                                            NULL, 
1365                                                            serverinfo_cli_cb,
1366                                                            NULL);
1367                                 }
1368                         }
1369 #endif
1370
1371         if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
1372 #if 0
1373         else
1374                 SSL_CTX_set_cipher_list(ctx,getenv("SSL_CIPHER"));
1375 #endif
1376
1377         SSL_CTX_set_verify(ctx,verify,verify_callback);
1378
1379         if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
1380                 (!SSL_CTX_set_default_verify_paths(ctx)))
1381                 {
1382                 /* BIO_printf(bio_err,"error setting default verify locations\n"); */
1383                 ERR_print_errors(bio_err);
1384                 /* goto end; */
1385                 }
1386
1387         ssl_ctx_add_crls(ctx, crls, crl_download);
1388
1389         if (!set_cert_key_stuff(ctx,cert,key,chain,build_chain))
1390                 goto end;
1391
1392 #ifndef OPENSSL_NO_TLSEXT
1393         if (servername != NULL)
1394                 {
1395                 tlsextcbp.biodebug = bio_err;
1396                 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
1397                 SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
1398                 }
1399 #ifndef OPENSSL_NO_SRP
1400         if (srp_arg.srplogin)
1401                 {
1402                 if (!srp_lateuser && !SSL_CTX_set_srp_username(ctx, srp_arg.srplogin))
1403                         {
1404                         BIO_printf(bio_err,"Unable to set SRP username\n");
1405                         goto end;
1406                         }
1407                 srp_arg.msg = c_msg;
1408                 srp_arg.debug = c_debug ;
1409                 SSL_CTX_set_srp_cb_arg(ctx,&srp_arg);
1410                 SSL_CTX_set_srp_client_pwd_callback(ctx, ssl_give_srp_client_pwd_cb);
1411                 SSL_CTX_set_srp_strength(ctx, srp_arg.strength);
1412                 if (c_msg || c_debug || srp_arg.amp == 0)
1413                         SSL_CTX_set_srp_verify_param_callback(ctx, ssl_srp_verify_param_cb);
1414                 }
1415
1416 #endif
1417 #endif
1418
1419         con=SSL_new(ctx);
1420         if (sess_in)
1421                 {
1422                 SSL_SESSION *sess;
1423                 BIO *stmp = BIO_new_file(sess_in, "r");
1424                 if (!stmp)
1425                         {
1426                         BIO_printf(bio_err, "Can't open session file %s\n",
1427                                                 sess_in);
1428                         ERR_print_errors(bio_err);
1429                         goto end;
1430                         }
1431                 sess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL);
1432                 BIO_free(stmp);
1433                 if (!sess)
1434                         {
1435                         BIO_printf(bio_err, "Can't open session file %s\n",
1436                                                 sess_in);
1437                         ERR_print_errors(bio_err);
1438                         goto end;
1439                         }
1440                 SSL_set_session(con, sess);
1441                 SSL_SESSION_free(sess);
1442                 }
1443 #ifndef OPENSSL_NO_TLSEXT
1444         if (servername != NULL)
1445                 {
1446                 if (!SSL_set_tlsext_host_name(con,servername))
1447                         {
1448                         BIO_printf(bio_err,"Unable to set TLS servername extension.\n");
1449                         ERR_print_errors(bio_err);
1450                         goto end;
1451                         }
1452                 }
1453 #endif
1454 #ifndef OPENSSL_NO_KRB5
1455         if (con  &&  (kctx = kssl_ctx_new()) != NULL)
1456                 {
1457                 SSL_set0_kssl_ctx(con, kctx);
1458                 kssl_ctx_setstring(kctx, KSSL_SERVER, host);
1459                 }
1460 #endif  /* OPENSSL_NO_KRB5  */
1461 /*      SSL_set_cipher_list(con,"RC4-MD5"); */
1462 #if 0
1463 #ifdef TLSEXT_TYPE_opaque_prf_input
1464         SSL_set_tlsext_opaque_prf_input(con, "Test client", 11);
1465 #endif
1466 #endif
1467
1468 re_start:
1469 #ifdef NO_SYS_UN_H
1470         if (init_client(&s,host,port,socket_type) == 0)
1471 #else
1472         if ((!unix_path && (init_client(&s,host,port,socket_type) == 0)) ||
1473                         (unix_path && (init_client_unix(&s,unix_path) == 0)))
1474 #endif
1475                 {
1476                 BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
1477                 SHUTDOWN(s);
1478                 goto end;
1479                 }
1480         BIO_printf(bio_c_out,"CONNECTED(%08X)\n",s);
1481
1482 #ifdef FIONBIO
1483         if (c_nbio)
1484                 {
1485                 unsigned long l=1;
1486                 BIO_printf(bio_c_out,"turning on non blocking io\n");
1487                 if (BIO_socket_ioctl(s,FIONBIO,&l) < 0)
1488                         {
1489                         ERR_print_errors(bio_err);
1490                         goto end;
1491                         }
1492                 }
1493 #endif                                              
1494         if (c_Pause & 0x01) SSL_set_debug(con, 1);
1495
1496         if (socket_type == SOCK_DGRAM)
1497                 {
1498
1499                 sbio=BIO_new_dgram(s,BIO_NOCLOSE);
1500                 if (getsockname(s, &peer, (void *)&peerlen) < 0)
1501                         {
1502                         BIO_printf(bio_err, "getsockname:errno=%d\n",
1503                                 get_last_socket_error());
1504                         SHUTDOWN(s);
1505                         goto end;
1506                         }
1507
1508                 (void)BIO_ctrl_set_connected(sbio, 1, &peer);
1509
1510                 if (enable_timeouts)
1511                         {
1512                         timeout.tv_sec = 0;
1513                         timeout.tv_usec = DGRAM_RCV_TIMEOUT;
1514                         BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
1515                         
1516                         timeout.tv_sec = 0;
1517                         timeout.tv_usec = DGRAM_SND_TIMEOUT;
1518                         BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
1519                         }
1520
1521                 if (socket_mtu > 28)
1522                         {
1523                         SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
1524                         SSL_set_mtu(con, socket_mtu - 28);
1525                         }
1526                 else
1527                         /* want to do MTU discovery */
1528                         BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
1529                 }
1530         else
1531                 sbio=BIO_new_socket(s,BIO_NOCLOSE);
1532
1533         if (nbio_test)
1534                 {
1535                 BIO *test;
1536
1537                 test=BIO_new(BIO_f_nbio_test());
1538                 sbio=BIO_push(test,sbio);
1539                 }
1540
1541         if (c_debug)
1542                 {
1543                 SSL_set_debug(con, 1);
1544                 BIO_set_callback(sbio,bio_dump_callback);
1545                 BIO_set_callback_arg(sbio,(char *)bio_c_out);
1546                 }
1547         if (c_msg)
1548                 {
1549 #ifndef OPENSSL_NO_SSL_TRACE
1550                 if (c_msg == 2)
1551                         SSL_set_msg_callback(con, SSL_trace);
1552                 else
1553 #endif
1554                         SSL_set_msg_callback(con, msg_cb);
1555                 SSL_set_msg_callback_arg(con, bio_c_msg ? bio_c_msg : bio_c_out);
1556                 }
1557 #ifndef OPENSSL_NO_TLSEXT
1558         if (c_tlsextdebug)
1559                 {
1560                 SSL_set_tlsext_debug_callback(con, tlsext_cb);
1561                 SSL_set_tlsext_debug_arg(con, bio_c_out);
1562                 }
1563         if (c_status_req)
1564                 {
1565                 SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp);
1566                 SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb);
1567                 SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out);
1568 #if 0
1569 {
1570 STACK_OF(OCSP_RESPID) *ids = sk_OCSP_RESPID_new_null();
1571 OCSP_RESPID *id = OCSP_RESPID_new();
1572 id->value.byKey = ASN1_OCTET_STRING_new();
1573 id->type = V_OCSP_RESPID_KEY;
1574 ASN1_STRING_set(id->value.byKey, "Hello World", -1);
1575 sk_OCSP_RESPID_push(ids, id);
1576 SSL_set_tlsext_status_ids(con, ids);
1577 }
1578 #endif
1579                 }
1580 #endif
1581 #ifndef OPENSSL_NO_JPAKE
1582         if (jpake_secret)
1583                 jpake_client_auth(bio_c_out, sbio, jpake_secret);
1584 #endif
1585
1586         SSL_set_bio(con,sbio,sbio);
1587         SSL_set_connect_state(con);
1588
1589         /* ok, lets connect */
1590         width=SSL_get_fd(con)+1;
1591
1592         read_tty=1;
1593         write_tty=0;
1594         tty_on=0;
1595         read_ssl=1;
1596         write_ssl=1;
1597         
1598         cbuf_len=0;
1599         cbuf_off=0;
1600         sbuf_len=0;
1601         sbuf_off=0;
1602
1603         /* This is an ugly hack that does a lot of assumptions */
1604         /* We do have to handle multi-line responses which may come
1605            in a single packet or not. We therefore have to use
1606            BIO_gets() which does need a buffering BIO. So during
1607            the initial chitchat we do push a buffering BIO into the
1608            chain that is removed again later on to not disturb the
1609            rest of the s_client operation. */
1610         if (starttls_proto == PROTO_SMTP)
1611                 {
1612                 int foundit=0;
1613                 BIO *fbio = BIO_new(BIO_f_buffer());
1614                 BIO_push(fbio, sbio);
1615                 /* wait for multi-line response to end from SMTP */
1616                 do
1617                         {
1618                         mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1619                         }
1620                 while (mbuf_len>3 && mbuf[3]=='-');
1621                 /* STARTTLS command requires EHLO... */
1622                 BIO_printf(fbio,"EHLO openssl.client.net\r\n");
1623                 (void)BIO_flush(fbio);
1624                 /* wait for multi-line response to end EHLO SMTP response */
1625                 do
1626                         {
1627                         mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1628                         if (strstr(mbuf,"STARTTLS"))
1629                                 foundit=1;
1630                         }
1631                 while (mbuf_len>3 && mbuf[3]=='-');
1632                 (void)BIO_flush(fbio);
1633                 BIO_pop(fbio);
1634                 BIO_free(fbio);
1635                 if (!foundit)
1636                         BIO_printf(bio_err,
1637                                    "didn't found starttls in server response,"
1638                                    " try anyway...\n");
1639                 BIO_printf(sbio,"STARTTLS\r\n");
1640                 BIO_read(sbio,sbuf,BUFSIZZ);
1641                 }
1642         else if (starttls_proto == PROTO_POP3)
1643                 {
1644                 BIO_read(sbio,mbuf,BUFSIZZ);
1645                 BIO_printf(sbio,"STLS\r\n");
1646                 BIO_read(sbio,sbuf,BUFSIZZ);
1647                 }
1648         else if (starttls_proto == PROTO_IMAP)
1649                 {
1650                 int foundit=0;
1651                 BIO *fbio = BIO_new(BIO_f_buffer());
1652                 BIO_push(fbio, sbio);
1653                 BIO_gets(fbio,mbuf,BUFSIZZ);
1654                 /* STARTTLS command requires CAPABILITY... */
1655                 BIO_printf(fbio,". CAPABILITY\r\n");
1656                 (void)BIO_flush(fbio);
1657                 /* wait for multi-line CAPABILITY response */
1658                 do
1659                         {
1660                         mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1661                         if (strstr(mbuf,"STARTTLS"))
1662                                 foundit=1;
1663                         }
1664                 while (mbuf_len>3 && mbuf[0]!='.');
1665                 (void)BIO_flush(fbio);
1666                 BIO_pop(fbio);
1667                 BIO_free(fbio);
1668                 if (!foundit)
1669                         BIO_printf(bio_err,
1670                                    "didn't found STARTTLS in server response,"
1671                                    " try anyway...\n");
1672                 BIO_printf(sbio,". STARTTLS\r\n");
1673                 BIO_read(sbio,sbuf,BUFSIZZ);
1674                 }
1675         else if (starttls_proto == PROTO_FTP)
1676                 {
1677                 BIO *fbio = BIO_new(BIO_f_buffer());
1678                 BIO_push(fbio, sbio);
1679                 /* wait for multi-line response to end from FTP */
1680                 do
1681                         {
1682                         mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1683                         }
1684                 while (mbuf_len>3 && mbuf[3]=='-');
1685                 (void)BIO_flush(fbio);
1686                 BIO_pop(fbio);
1687                 BIO_free(fbio);
1688                 BIO_printf(sbio,"AUTH TLS\r\n");
1689                 BIO_read(sbio,sbuf,BUFSIZZ);
1690                 }
1691         if (starttls_proto == PROTO_XMPP)
1692                 {
1693                 int seen = 0;
1694                 BIO_printf(sbio,"<stream:stream "
1695                     "xmlns:stream='http://etherx.jabber.org/streams' "
1696                     "xmlns='jabber:client' to='%s' version='1.0'>", xmpphost ?
1697                            xmpphost : host);
1698                 seen = BIO_read(sbio,mbuf,BUFSIZZ);
1699                 mbuf[seen] = 0;
1700                 while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'") &&
1701                                 !strstr(mbuf, "<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\""))
1702                         {
1703                         seen = BIO_read(sbio,mbuf,BUFSIZZ);
1704
1705                         if (seen <= 0)
1706                                 goto shut;
1707
1708                         mbuf[seen] = 0;
1709                         }
1710                 BIO_printf(sbio, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>");
1711                 seen = BIO_read(sbio,sbuf,BUFSIZZ);
1712                 sbuf[seen] = 0;
1713                 if (!strstr(sbuf, "<proceed"))
1714                         goto shut;
1715                 mbuf[0] = 0;
1716                 }
1717
1718         for (;;)
1719                 {
1720                 FD_ZERO(&readfds);
1721                 FD_ZERO(&writefds);
1722
1723                 if ((SSL_version(con) == DTLS1_VERSION) &&
1724                         DTLSv1_get_timeout(con, &timeout))
1725                         timeoutp = &timeout;
1726                 else
1727                         timeoutp = NULL;
1728
1729                 if (SSL_in_init(con) && !SSL_total_renegotiations(con))
1730                         {
1731                         in_init=1;
1732                         tty_on=0;
1733                         }
1734                 else
1735                         {
1736                         tty_on=1;
1737                         if (in_init)
1738                                 {
1739                                 in_init=0;
1740 #if 0 /* This test doesn't really work as intended (needs to be fixed) */
1741 #ifndef OPENSSL_NO_TLSEXT
1742                                 if (servername != NULL && !SSL_session_reused(con))
1743                                         {
1744                                         BIO_printf(bio_c_out,"Server did %sacknowledge servername extension.\n",tlsextcbp.ack?"":"not ");
1745                                         }
1746 #endif
1747 #endif
1748                                 if (sess_out)
1749                                         {
1750                                         BIO *stmp = BIO_new_file(sess_out, "w");
1751                                         if (stmp)
1752                                                 {
1753                                                 PEM_write_bio_SSL_SESSION(stmp, SSL_get_session(con));
1754                                                 BIO_free(stmp);
1755                                                 }
1756                                         else 
1757                                                 BIO_printf(bio_err, "Error writing session file %s\n", sess_out);
1758                                         }
1759                                 if (c_brief)
1760                                         {
1761                                         BIO_puts(bio_err,
1762                                                 "CONNECTION ESTABLISHED\n");
1763                                         print_ssl_summary(bio_err, con);
1764                                         }
1765
1766                                 print_stuff(bio_c_out,con,full_log);
1767                                 if (full_log > 0) full_log--;
1768
1769                                 if (starttls_proto)
1770                                         {
1771                                         BIO_printf(bio_err,"%s",mbuf);
1772                                         /* We don't need to know any more */
1773                                         starttls_proto = PROTO_OFF;
1774                                         }
1775
1776                                 if (reconnect)
1777                                         {
1778                                         reconnect--;
1779                                         BIO_printf(bio_c_out,"drop connection and then reconnect\n");
1780                                         SSL_shutdown(con);
1781                                         SSL_set_connect_state(con);
1782                                         SHUTDOWN(SSL_get_fd(con));
1783                                         goto re_start;
1784                                         }
1785                                 }
1786                         }
1787
1788                 ssl_pending = read_ssl && SSL_pending(con);
1789
1790                 if (!ssl_pending)
1791                         {
1792 #if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) && !defined (OPENSSL_SYS_BEOS_R5)
1793                         if (tty_on)
1794                                 {
1795                                 if (read_tty)  openssl_fdset(fileno(stdin),&readfds);
1796                                 if (write_tty) openssl_fdset(fileno(stdout),&writefds);
1797                                 }
1798                         if (read_ssl)
1799                                 openssl_fdset(SSL_get_fd(con),&readfds);
1800                         if (write_ssl)
1801                                 openssl_fdset(SSL_get_fd(con),&writefds);
1802 #else
1803                         if(!tty_on || !write_tty) {
1804                                 if (read_ssl)
1805                                         openssl_fdset(SSL_get_fd(con),&readfds);
1806                                 if (write_ssl)
1807                                         openssl_fdset(SSL_get_fd(con),&writefds);
1808                         }
1809 #endif
1810 /*                      printf("mode tty(%d %d%d) ssl(%d%d)\n",
1811                                 tty_on,read_tty,write_tty,read_ssl,write_ssl);*/
1812
1813                         /* Note: under VMS with SOCKETSHR the second parameter
1814                          * is currently of type (int *) whereas under other
1815                          * systems it is (void *) if you don't have a cast it
1816                          * will choke the compiler: if you do have a cast then
1817                          * you can either go for (int *) or (void *).
1818                          */
1819 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
1820                         /* Under Windows/DOS we make the assumption that we can
1821                          * always write to the tty: therefore if we need to
1822                          * write to the tty we just fall through. Otherwise
1823                          * we timeout the select every second and see if there
1824                          * are any keypresses. Note: this is a hack, in a proper
1825                          * Windows application we wouldn't do this.
1826                          */
1827                         i=0;
1828                         if(!write_tty) {
1829                                 if(read_tty) {
1830                                         tv.tv_sec = 1;
1831                                         tv.tv_usec = 0;
1832                                         i=select(width,(void *)&readfds,(void *)&writefds,
1833                                                  NULL,&tv);
1834 #if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
1835                                         if(!i && (!_kbhit() || !read_tty) ) continue;
1836 #else
1837                                         if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue;
1838 #endif
1839                                 } else  i=select(width,(void *)&readfds,(void *)&writefds,
1840                                          NULL,timeoutp);
1841                         }
1842 #elif defined(OPENSSL_SYS_NETWARE)
1843                         if(!write_tty) {
1844                                 if(read_tty) {
1845                                         tv.tv_sec = 1;
1846                                         tv.tv_usec = 0;
1847                                         i=select(width,(void *)&readfds,(void *)&writefds,
1848                                                 NULL,&tv);
1849                                 } else  i=select(width,(void *)&readfds,(void *)&writefds,
1850                                         NULL,timeoutp);
1851                         }
1852 #elif defined(OPENSSL_SYS_BEOS_R5)
1853                         /* Under BeOS-R5 the situation is similar to DOS */
1854                         i=0;
1855                         stdin_set = 0;
1856                         (void)fcntl(fileno(stdin), F_SETFL, O_NONBLOCK);
1857                         if(!write_tty) {
1858                                 if(read_tty) {
1859                                         tv.tv_sec = 1;
1860                                         tv.tv_usec = 0;
1861                                         i=select(width,(void *)&readfds,(void *)&writefds,
1862                                                  NULL,&tv);
1863                                         if (read(fileno(stdin), sbuf, 0) >= 0)
1864                                                 stdin_set = 1;
1865                                         if (!i && (stdin_set != 1 || !read_tty))
1866                                                 continue;
1867                                 } else  i=select(width,(void *)&readfds,(void *)&writefds,
1868                                          NULL,timeoutp);
1869                         }
1870                         (void)fcntl(fileno(stdin), F_SETFL, 0);
1871 #else
1872                         i=select(width,(void *)&readfds,(void *)&writefds,
1873                                  NULL,timeoutp);
1874 #endif
1875                         if ( i < 0)
1876                                 {
1877                                 BIO_printf(bio_err,"bad select %d\n",
1878                                 get_last_socket_error());
1879                                 goto shut;
1880                                 /* goto end; */
1881                                 }
1882                         }
1883
1884                 if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0)
1885                         {
1886                         BIO_printf(bio_err,"TIMEOUT occurred\n");
1887                         }
1888
1889                 if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds))
1890                         {
1891                         k=SSL_write(con,&(cbuf[cbuf_off]),
1892                                 (unsigned int)cbuf_len);
1893                         switch (SSL_get_error(con,k))
1894                                 {
1895                         case SSL_ERROR_NONE:
1896                                 cbuf_off+=k;
1897                                 cbuf_len-=k;
1898                                 if (k <= 0) goto end;
1899                                 /* we have done a  write(con,NULL,0); */
1900                                 if (cbuf_len <= 0)
1901                                         {
1902                                         read_tty=1;
1903                                         write_ssl=0;
1904                                         }
1905                                 else /* if (cbuf_len > 0) */
1906                                         {
1907                                         read_tty=0;
1908                                         write_ssl=1;
1909                                         }
1910                                 break;
1911                         case SSL_ERROR_WANT_WRITE:
1912                                 BIO_printf(bio_c_out,"write W BLOCK\n");
1913                                 write_ssl=1;
1914                                 read_tty=0;
1915                                 break;
1916                         case SSL_ERROR_WANT_READ:
1917                                 BIO_printf(bio_c_out,"write R BLOCK\n");
1918                                 write_tty=0;
1919                                 read_ssl=1;
1920                                 write_ssl=0;
1921                                 break;
1922                         case SSL_ERROR_WANT_X509_LOOKUP:
1923                                 BIO_printf(bio_c_out,"write X BLOCK\n");
1924                                 break;
1925                         case SSL_ERROR_ZERO_RETURN:
1926                                 if (cbuf_len != 0)
1927                                         {
1928                                         BIO_printf(bio_c_out,"shutdown\n");
1929                                         ret = 0;
1930                                         goto shut;
1931                                         }
1932                                 else
1933                                         {
1934                                         read_tty=1;
1935                                         write_ssl=0;
1936                                         break;
1937                                         }
1938                                 
1939                         case SSL_ERROR_SYSCALL:
1940                                 if ((k != 0) || (cbuf_len != 0))
1941                                         {
1942                                         BIO_printf(bio_err,"write:errno=%d\n",
1943                                                 get_last_socket_error());
1944                                         goto shut;
1945                                         }
1946                                 else
1947                                         {
1948                                         read_tty=1;
1949                                         write_ssl=0;
1950                                         }
1951                                 break;
1952                         case SSL_ERROR_SSL:
1953                                 ERR_print_errors(bio_err);
1954                                 goto shut;
1955                                 }
1956                         }
1957 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
1958                 /* Assume Windows/DOS/BeOS can always write */
1959                 else if (!ssl_pending && write_tty)
1960 #else
1961                 else if (!ssl_pending && FD_ISSET(fileno(stdout),&writefds))
1962 #endif
1963                         {
1964 #ifdef CHARSET_EBCDIC
1965                         ascii2ebcdic(&(sbuf[sbuf_off]),&(sbuf[sbuf_off]),sbuf_len);
1966 #endif
1967                         i=raw_write_stdout(&(sbuf[sbuf_off]),sbuf_len);
1968
1969                         if (i <= 0)
1970                                 {
1971                                 BIO_printf(bio_c_out,"DONE\n");
1972                                 ret = 0;
1973                                 goto shut;
1974                                 /* goto end; */
1975                                 }
1976
1977                         sbuf_len-=i;;
1978                         sbuf_off+=i;
1979                         if (sbuf_len <= 0)
1980                                 {
1981                                 read_ssl=1;
1982                                 write_tty=0;
1983                                 }
1984                         }
1985                 else if (ssl_pending || FD_ISSET(SSL_get_fd(con),&readfds))
1986                         {
1987 #ifdef RENEG
1988 { static int iiii; if (++iiii == 52) { SSL_renegotiate(con); iiii=0; } }
1989 #endif
1990 #if 1
1991                         k=SSL_read(con,sbuf,1024 /* BUFSIZZ */ );
1992 #else
1993 /* Demo for pending and peek :-) */
1994                         k=SSL_read(con,sbuf,16);
1995 { char zbuf[10240]; 
1996 printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240));
1997 }
1998 #endif
1999
2000                         switch (SSL_get_error(con,k))
2001                                 {
2002                         case SSL_ERROR_NONE:
2003                                 if (k <= 0)
2004                                         goto end;
2005                                 sbuf_off=0;
2006                                 sbuf_len=k;
2007
2008                                 read_ssl=0;
2009                                 write_tty=1;
2010                                 break;
2011                         case SSL_ERROR_WANT_WRITE:
2012                                 BIO_printf(bio_c_out,"read W BLOCK\n");
2013                                 write_ssl=1;
2014                                 read_tty=0;
2015                                 break;
2016                         case SSL_ERROR_WANT_READ:
2017                                 BIO_printf(bio_c_out,"read R BLOCK\n");
2018                                 write_tty=0;
2019                                 read_ssl=1;
2020                                 if ((read_tty == 0) && (write_ssl == 0))
2021                                         write_ssl=1;
2022                                 break;
2023                         case SSL_ERROR_WANT_X509_LOOKUP:
2024                                 BIO_printf(bio_c_out,"read X BLOCK\n");
2025                                 break;
2026                         case SSL_ERROR_SYSCALL:
2027                                 ret=get_last_socket_error();
2028                                 if (c_brief)
2029                                         BIO_puts(bio_err, "CONNECTION CLOSED BY SERVER\n");
2030                                 else
2031                                         BIO_printf(bio_err,"read:errno=%d\n",ret);
2032                                 goto shut;
2033                         case SSL_ERROR_ZERO_RETURN:
2034                                 BIO_printf(bio_c_out,"closed\n");
2035                                 ret=0;
2036                                 goto shut;
2037                         case SSL_ERROR_SSL:
2038                                 ERR_print_errors(bio_err);
2039                                 goto shut;
2040                                 /* break; */
2041                                 }
2042                         }
2043
2044 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
2045 #if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
2046                 else if (_kbhit())
2047 #else
2048                 else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
2049 #endif
2050 #elif defined (OPENSSL_SYS_NETWARE)
2051                 else if (_kbhit())
2052 #elif defined(OPENSSL_SYS_BEOS_R5)
2053                 else if (stdin_set)
2054 #else
2055                 else if (FD_ISSET(fileno(stdin),&readfds))
2056 #endif
2057                         {
2058                         if (crlf)
2059                                 {
2060                                 int j, lf_num;
2061
2062                                 i=raw_read_stdin(cbuf,BUFSIZZ/2);
2063                                 lf_num = 0;
2064                                 /* both loops are skipped when i <= 0 */
2065                                 for (j = 0; j < i; j++)
2066                                         if (cbuf[j] == '\n')
2067                                                 lf_num++;
2068                                 for (j = i-1; j >= 0; j--)
2069                                         {
2070                                         cbuf[j+lf_num] = cbuf[j];
2071                                         if (cbuf[j] == '\n')
2072                                                 {
2073                                                 lf_num--;
2074                                                 i++;
2075                                                 cbuf[j+lf_num] = '\r';
2076                                                 }
2077                                         }
2078                                 assert(lf_num == 0);
2079                                 }
2080                         else
2081                                 i=raw_read_stdin(cbuf,BUFSIZZ);
2082
2083                         if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q')))
2084                                 {
2085                                 BIO_printf(bio_err,"DONE\n");
2086                                 ret=0;
2087                                 goto shut;
2088                                 }
2089
2090                         if ((!c_ign_eof) && (cbuf[0] == 'R'))
2091                                 {
2092                                 BIO_printf(bio_err,"RENEGOTIATING\n");
2093                                 SSL_renegotiate(con);
2094                                 cbuf_len=0;
2095                                 }
2096 #ifndef OPENSSL_NO_HEARTBEATS
2097                         else if ((!c_ign_eof) && (cbuf[0] == 'B'))
2098                                 {
2099                                 BIO_printf(bio_err,"HEARTBEATING\n");
2100                                 SSL_heartbeat(con);
2101                                 cbuf_len=0;
2102                                 }
2103 #endif
2104                         else
2105                                 {
2106                                 cbuf_len=i;
2107                                 cbuf_off=0;
2108 #ifdef CHARSET_EBCDIC
2109                                 ebcdic2ascii(cbuf, cbuf, i);
2110 #endif
2111                                 }
2112
2113                         write_ssl=1;
2114                         read_tty=0;
2115                         }
2116                 }
2117
2118         ret=0;
2119 shut:
2120         if (in_init)
2121                 print_stuff(bio_c_out,con,full_log);
2122         SSL_shutdown(con);
2123         SHUTDOWN(SSL_get_fd(con));
2124 end:
2125         if (con != NULL)
2126                 {
2127                 if (prexit != 0)
2128                         print_stuff(bio_c_out,con,1);
2129                 SSL_free(con);
2130                 }
2131 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
2132         if (next_proto.data)
2133                 OPENSSL_free(next_proto.data);
2134 #endif
2135         if (ctx != NULL) SSL_CTX_free(ctx);
2136         if (cert)
2137                 X509_free(cert);
2138         if (crls)
2139                 sk_X509_CRL_pop_free(crls, X509_CRL_free);
2140         if (key)
2141                 EVP_PKEY_free(key);
2142         if (chain)
2143                 sk_X509_pop_free(chain, X509_free);
2144         if (pass)
2145                 OPENSSL_free(pass);
2146         if (vpm)
2147                 X509_VERIFY_PARAM_free(vpm);
2148         ssl_excert_free(exc);
2149         if (ssl_args)
2150                 sk_OPENSSL_STRING_free(ssl_args);
2151         if (cctx)
2152                 SSL_CONF_CTX_free(cctx);
2153 #ifndef OPENSSL_NO_JPAKE
2154         if (jpake_secret && psk_key)
2155                 OPENSSL_free(psk_key);
2156 #endif
2157         if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); }
2158         if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); }
2159         if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); }
2160         if (bio_c_out != NULL)
2161                 {
2162                 BIO_free(bio_c_out);
2163                 bio_c_out=NULL;
2164                 }
2165         if (bio_c_msg != NULL)
2166                 {
2167                 BIO_free(bio_c_msg);
2168                 bio_c_msg=NULL;
2169                 }
2170         apps_shutdown();
2171         OPENSSL_EXIT(ret);
2172         }
2173
2174
2175 static void print_stuff(BIO *bio, SSL *s, int full)
2176         {
2177         X509 *peer=NULL;
2178         char *p;
2179         static const char *space="                ";
2180         char buf[BUFSIZ];
2181         STACK_OF(X509) *sk;
2182         STACK_OF(X509_NAME) *sk2;
2183         const SSL_CIPHER *c;
2184         X509_NAME *xn;
2185         int j,i;
2186 #ifndef OPENSSL_NO_COMP
2187         const COMP_METHOD *comp, *expansion;
2188 #endif
2189         unsigned char *exportedkeymat;
2190
2191         if (full)
2192                 {
2193                 int got_a_chain = 0;
2194
2195                 sk=SSL_get_peer_cert_chain(s);
2196                 if (sk != NULL)
2197                         {
2198                         got_a_chain = 1; /* we don't have it for SSL2 (yet) */
2199
2200                         BIO_printf(bio,"---\nCertificate chain\n");
2201                         for (i=0; i<sk_X509_num(sk); i++)
2202                                 {
2203                                 X509_NAME_oneline(X509_get_subject_name(
2204                                         sk_X509_value(sk,i)),buf,sizeof buf);
2205                                 BIO_printf(bio,"%2d s:%s\n",i,buf);
2206                                 X509_NAME_oneline(X509_get_issuer_name(
2207                                         sk_X509_value(sk,i)),buf,sizeof buf);
2208                                 BIO_printf(bio,"   i:%s\n",buf);
2209                                 if (c_showcerts)
2210                                         PEM_write_bio_X509(bio,sk_X509_value(sk,i));
2211                                 }
2212                         }
2213
2214                 BIO_printf(bio,"---\n");
2215                 peer=SSL_get_peer_certificate(s);
2216                 if (peer != NULL)
2217                         {
2218                         BIO_printf(bio,"Server certificate\n");
2219                         if (!(c_showcerts && got_a_chain)) /* Redundant if we showed the whole chain */
2220                                 PEM_write_bio_X509(bio,peer);
2221                         X509_NAME_oneline(X509_get_subject_name(peer),
2222                                 buf,sizeof buf);
2223                         BIO_printf(bio,"subject=%s\n",buf);
2224                         X509_NAME_oneline(X509_get_issuer_name(peer),
2225                                 buf,sizeof buf);
2226                         BIO_printf(bio,"issuer=%s\n",buf);
2227                         }
2228                 else
2229                         BIO_printf(bio,"no peer certificate available\n");
2230
2231                 sk2=SSL_get_client_CA_list(s);
2232                 if ((sk2 != NULL) && (sk_X509_NAME_num(sk2) > 0))
2233                         {
2234                         BIO_printf(bio,"---\nAcceptable client certificate CA names\n");
2235                         for (i=0; i<sk_X509_NAME_num(sk2); i++)
2236                                 {
2237                                 xn=sk_X509_NAME_value(sk2,i);
2238                                 X509_NAME_oneline(xn,buf,sizeof(buf));
2239                                 BIO_write(bio,buf,strlen(buf));
2240                                 BIO_write(bio,"\n",1);
2241                                 }
2242                         }
2243                 else
2244                         {
2245                         BIO_printf(bio,"---\nNo client certificate CA names sent\n");
2246                         }
2247                 p=SSL_get_shared_ciphers(s,buf,sizeof buf);
2248                 if (p != NULL)
2249                         {
2250                         /* This works only for SSL 2.  In later protocol
2251                          * versions, the client does not know what other
2252                          * ciphers (in addition to the one to be used
2253                          * in the current connection) the server supports. */
2254
2255                         BIO_printf(bio,"---\nCiphers common between both SSL endpoints:\n");
2256                         j=i=0;
2257                         while (*p)
2258                                 {
2259                                 if (*p == ':')
2260                                         {
2261                                         BIO_write(bio,space,15-j%25);
2262                                         i++;
2263                                         j=0;
2264                                         BIO_write(bio,((i%3)?" ":"\n"),1);
2265                                         }
2266                                 else
2267                                         {
2268                                         BIO_write(bio,p,1);
2269                                         j++;
2270                                         }
2271                                 p++;
2272                                 }
2273                         BIO_write(bio,"\n",1);
2274                         }
2275
2276                 ssl_print_sigalgs(bio, s);
2277                 ssl_print_tmp_key(bio, s);
2278
2279                 BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n",
2280                         BIO_number_read(SSL_get_rbio(s)),
2281                         BIO_number_written(SSL_get_wbio(s)));
2282                 }
2283         BIO_printf(bio,(SSL_cache_hit(s)?"---\nReused, ":"---\nNew, "));
2284         c=SSL_get_current_cipher(s);
2285         BIO_printf(bio,"%s, Cipher is %s\n",
2286                 SSL_CIPHER_get_version(c),
2287                 SSL_CIPHER_get_name(c));
2288         if (peer != NULL) {
2289                 EVP_PKEY *pktmp;
2290                 pktmp = X509_get_pubkey(peer);
2291                 BIO_printf(bio,"Server public key is %d bit\n",
2292                                                          EVP_PKEY_bits(pktmp));
2293                 EVP_PKEY_free(pktmp);
2294         }
2295         BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
2296                         SSL_get_secure_renegotiation_support(s) ? "" : " NOT");
2297 #ifndef OPENSSL_NO_COMP
2298         comp=SSL_get_current_compression(s);
2299         expansion=SSL_get_current_expansion(s);
2300         BIO_printf(bio,"Compression: %s\n",
2301                 comp ? SSL_COMP_get_name(comp) : "NONE");
2302         BIO_printf(bio,"Expansion: %s\n",
2303                 expansion ? SSL_COMP_get_name(expansion) : "NONE");
2304 #endif
2305  
2306 #ifdef SSL_DEBUG
2307         {
2308         /* Print out local port of connection: useful for debugging */
2309         int sock;
2310         struct sockaddr_in ladd;
2311         socklen_t ladd_size = sizeof(ladd);
2312         sock = SSL_get_fd(s);
2313         getsockname(sock, (struct sockaddr *)&ladd, &ladd_size);
2314         BIO_printf(bio_c_out, "LOCAL PORT is %u\n", ntohs(ladd.sin_port));
2315         }
2316 #endif
2317
2318 #if !defined(OPENSSL_NO_TLSEXT)
2319 # if !defined(OPENSSL_NO_NEXTPROTONEG)
2320         if (next_proto.status != -1) {
2321                 const unsigned char *proto;
2322                 unsigned int proto_len;
2323                 SSL_get0_next_proto_negotiated(s, &proto, &proto_len);
2324                 BIO_printf(bio, "Next protocol: (%d) ", next_proto.status);
2325                 BIO_write(bio, proto, proto_len);
2326                 BIO_write(bio, "\n", 1);
2327         }
2328 # endif
2329         {
2330                 const unsigned char *proto;
2331                 unsigned int proto_len;
2332                 SSL_get0_alpn_selected(s, &proto, &proto_len);
2333                 if (proto_len > 0)
2334                         {
2335                         BIO_printf(bio, "ALPN protocol: ");
2336                         BIO_write(bio, proto, proto_len);
2337                         BIO_write(bio, "\n", 1);
2338                         }
2339                 else
2340                         BIO_printf(bio, "No ALPN negotiated\n");
2341         }
2342 #endif
2343
2344         {
2345         SRTP_PROTECTION_PROFILE *srtp_profile=SSL_get_selected_srtp_profile(s);
2346  
2347         if(srtp_profile)
2348                 BIO_printf(bio,"SRTP Extension negotiated, profile=%s\n",
2349                            srtp_profile->name);
2350         }
2351  
2352         SSL_SESSION_print(bio,SSL_get_session(s));
2353         if (keymatexportlabel != NULL)
2354                 {
2355                 BIO_printf(bio, "Keying material exporter:\n");
2356                 BIO_printf(bio, "    Label: '%s'\n", keymatexportlabel);
2357                 BIO_printf(bio, "    Length: %i bytes\n", keymatexportlen);
2358                 exportedkeymat = OPENSSL_malloc(keymatexportlen);
2359                 if (exportedkeymat != NULL)
2360                         {
2361                         if (!SSL_export_keying_material(s, exportedkeymat,
2362                                                         keymatexportlen,
2363                                                         keymatexportlabel,
2364                                                         strlen(keymatexportlabel),
2365                                                         NULL, 0, 0))
2366                                 {
2367                                 BIO_printf(bio, "    Error\n");
2368                                 }
2369                         else
2370                                 {
2371                                 BIO_printf(bio, "    Keying material: ");
2372                                 for (i=0; i<keymatexportlen; i++)
2373                                         BIO_printf(bio, "%02X",
2374                                                    exportedkeymat[i]);
2375                                 BIO_printf(bio, "\n");
2376                                 }
2377                         OPENSSL_free(exportedkeymat);
2378                         }
2379                 }
2380         BIO_printf(bio,"---\n");
2381         if (peer != NULL)
2382                 X509_free(peer);
2383         /* flush, or debugging output gets mixed with http response */
2384         (void)BIO_flush(bio);
2385         }
2386
2387 #ifndef OPENSSL_NO_TLSEXT
2388
2389 static int ocsp_resp_cb(SSL *s, void *arg)
2390         {
2391         const unsigned char *p;
2392         int len;
2393         OCSP_RESPONSE *rsp;
2394         len = SSL_get_tlsext_status_ocsp_resp(s, &p);
2395         BIO_puts(arg, "OCSP response: ");
2396         if (!p)
2397                 {
2398                 BIO_puts(arg, "no response sent\n");
2399                 return 1;
2400                 }
2401         rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
2402         if (!rsp)
2403                 {
2404                 BIO_puts(arg, "response parse error\n");
2405                 BIO_dump_indent(arg, (char *)p, len, 4);
2406                 return 0;
2407                 }
2408         BIO_puts(arg, "\n======================================\n");
2409         OCSP_RESPONSE_print(arg, rsp, 0);
2410         BIO_puts(arg, "======================================\n");
2411         OCSP_RESPONSE_free(rsp);
2412         return 1;
2413         }
2414
2415 #endif