de6a984febf785d1839579580aaa27a34755898a
[openssl.git] / apps / s_client.c
1 /* apps/s_client.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111 /* ====================================================================
112  * Copyright 2005 Nokia. All rights reserved.
113  *
114  * The portions of the attached software ("Contribution") is developed by
115  * Nokia Corporation and is licensed pursuant to the OpenSSL open source
116  * license.
117  *
118  * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119  * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120  * support (see RFC 4279) to OpenSSL.
121  *
122  * No patent licenses or other rights except those expressly stated in
123  * the OpenSSL open source license shall be deemed granted or received
124  * expressly, by implication, estoppel, or otherwise.
125  *
126  * No assurances are provided by Nokia that the Contribution does not
127  * infringe the patent or other intellectual property rights of any third
128  * party or that the license provides you with all the necessary rights
129  * to make use of the Contribution.
130  *
131  * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132  * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133  * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134  * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
135  * OTHERWISE.
136  */
137
138 #include <assert.h>
139 #include <ctype.h>
140 #include <stdio.h>
141 #include <stdlib.h>
142 #include <string.h>
143 #include <openssl/e_os2.h>
144 #ifdef OPENSSL_NO_STDIO
145 #define APPS_WIN16
146 #endif
147
148 /* With IPv6, it looks like Digital has mixed up the proper order of
149    recursive header file inclusion, resulting in the compiler complaining
150    that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which
151    is needed to have fileno() declared correctly...  So let's define u_int */
152 #if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
153 #define __U_INT
154 typedef unsigned int u_int;
155 #endif
156
157 #define USE_SOCKETS
158 #include "apps.h"
159 #include <openssl/x509.h>
160 #include <openssl/ssl.h>
161 #include <openssl/err.h>
162 #include <openssl/pem.h>
163 #include <openssl/rand.h>
164 #include <openssl/ocsp.h>
165 #include <openssl/bn.h>
166 #ifndef OPENSSL_NO_SRP
167 #include <openssl/srp.h>
168 #endif
169 #include "s_apps.h"
170 #include "timeouts.h"
171
172 #if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
173 /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
174 #undef FIONBIO
175 #endif
176
177 #if defined(OPENSSL_SYS_BEOS_R5)
178 #include <fcntl.h>
179 #endif
180
181 #undef PROG
182 #define PROG    s_client_main
183
184 /*#define SSL_HOST_NAME "www.netscape.com" */
185 /*#define SSL_HOST_NAME "193.118.187.102" */
186 #define SSL_HOST_NAME   "localhost"
187
188 /*#define TEST_CERT "client.pem" */ /* no default cert. */
189
190 #undef BUFSIZZ
191 #define BUFSIZZ 1024*8
192
193 extern int verify_depth;
194 extern int verify_error;
195 extern int verify_return_error;
196 extern int verify_quiet;
197
198 #ifdef FIONBIO
199 static int c_nbio=0;
200 #endif
201 static int c_Pause=0;
202 static int c_debug=0;
203 #ifndef OPENSSL_NO_TLSEXT
204 static int c_tlsextdebug=0;
205 static int c_status_req=0;
206 #endif
207 static int c_msg=0;
208 static int c_showcerts=0;
209
210 static char *keymatexportlabel=NULL;
211 static int keymatexportlen=20;
212
213 static void sc_usage(void);
214 static void print_stuff(BIO *berr,SSL *con,int full);
215 #ifndef OPENSSL_NO_TLSEXT
216 static int ocsp_resp_cb(SSL *s, void *arg);
217 static int c_auth = 0;
218 static int c_auth_require_reneg = 0;
219 #endif
220 static BIO *bio_c_out=NULL;
221 static BIO *bio_c_msg=NULL;
222 static int c_quiet=0;
223 static int c_ign_eof=0;
224 static int c_brief=0;
225
226 #ifndef OPENSSL_NO_TLSEXT
227
228 static unsigned char *generated_supp_data = NULL;
229
230 static const unsigned char *most_recent_supplemental_data = NULL;
231 static size_t most_recent_supplemental_data_length = 0;
232
233 static int server_provided_server_authz = 0;
234 static int server_provided_client_authz = 0;
235
236 static const unsigned char auth_ext_data[]={TLSEXT_AUTHZDATAFORMAT_dtcp};
237
238 static int suppdata_cb(SSL *s, unsigned short supp_data_type,
239                        const unsigned char *in,
240                        unsigned short inlen, int *al,
241                        void *arg);
242
243 static int auth_suppdata_generate_cb(SSL *s, unsigned short supp_data_type,
244                                      const unsigned char **out,
245                                      unsigned short *outlen, int *al, void *arg);
246
247 static int authz_tlsext_generate_cb(SSL *s, unsigned short ext_type,
248                                     const unsigned char **out, unsigned short *outlen,
249                                     int *al, void *arg);
250
251 static int authz_tlsext_cb(SSL *s, unsigned short ext_type,
252                            const unsigned char *in,
253                            unsigned short inlen, int *al,
254                            void *arg);
255 #endif
256
257 #ifndef OPENSSL_NO_PSK
258 /* Default PSK identity and key */
259 static char *psk_identity="Client_identity";
260 /*char *psk_key=NULL;  by default PSK is not used */
261
262 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity,
263         unsigned int max_identity_len, unsigned char *psk,
264         unsigned int max_psk_len)
265         {
266         unsigned int psk_len = 0;
267         int ret;
268         BIGNUM *bn=NULL;
269
270         if (c_debug)
271                 BIO_printf(bio_c_out, "psk_client_cb\n");
272         if (!hint)
273                 {
274                 /* no ServerKeyExchange message*/
275                 if (c_debug)
276                         BIO_printf(bio_c_out,"NULL received PSK identity hint, continuing anyway\n");
277                 }
278         else if (c_debug)
279                 BIO_printf(bio_c_out, "Received PSK identity hint '%s'\n", hint);
280
281         /* lookup PSK identity and PSK key based on the given identity hint here */
282         ret = BIO_snprintf(identity, max_identity_len, "%s", psk_identity);
283         if (ret < 0 || (unsigned int)ret > max_identity_len)
284                 goto out_err;
285         if (c_debug)
286                 BIO_printf(bio_c_out, "created identity '%s' len=%d\n", identity, ret);
287         ret=BN_hex2bn(&bn, psk_key);
288         if (!ret)
289                 {
290                 BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", psk_key);
291                 if (bn)
292                         BN_free(bn);
293                 return 0;
294                 }
295
296         if ((unsigned int)BN_num_bytes(bn) > max_psk_len)
297                 {
298                 BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
299                         max_psk_len, BN_num_bytes(bn));
300                 BN_free(bn);
301                 return 0;
302                 }
303
304         psk_len=BN_bn2bin(bn, psk);
305         BN_free(bn);
306         if (psk_len == 0)
307                 goto out_err;
308
309         if (c_debug)
310                 BIO_printf(bio_c_out, "created PSK len=%d\n", psk_len);
311
312         return psk_len;
313  out_err:
314         if (c_debug)
315                 BIO_printf(bio_err, "Error in PSK client callback\n");
316         return 0;
317         }
318 #endif
319
320 static void sc_usage(void)
321         {
322         BIO_printf(bio_err,"usage: s_client args\n");
323         BIO_printf(bio_err,"\n");
324         BIO_printf(bio_err," -host host     - use -connect instead\n");
325         BIO_printf(bio_err," -port port     - use -connect instead\n");
326         BIO_printf(bio_err," -connect host:port - connect over TCP/IP (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR);
327         BIO_printf(bio_err," -unix path    - connect over unix domain sockets\n");
328         BIO_printf(bio_err," -verify arg   - turn on peer certificate verification\n");
329         BIO_printf(bio_err," -cert arg     - certificate file to use, PEM format assumed\n");
330         BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n");
331         BIO_printf(bio_err," -key arg      - Private key file to use, in cert file if\n");
332         BIO_printf(bio_err,"                 not specified but cert file is.\n");
333         BIO_printf(bio_err," -keyform arg  - key format (PEM or DER) PEM default\n");
334         BIO_printf(bio_err," -pass arg     - private key file pass phrase source\n");
335         BIO_printf(bio_err," -CApath arg   - PEM format directory of CA's\n");
336         BIO_printf(bio_err," -CAfile arg   - PEM format file of CA's\n");
337         BIO_printf(bio_err," -trusted_first - Use local CA's first when building trust chain\n");
338         BIO_printf(bio_err," -reconnect    - Drop and re-make the connection with the same Session-ID\n");
339         BIO_printf(bio_err," -pause        - sleep(1) after each read(2) and write(2) system call\n");
340         BIO_printf(bio_err," -showcerts    - show all certificates in the chain\n");
341         BIO_printf(bio_err," -debug        - extra output\n");
342 #ifdef WATT32
343         BIO_printf(bio_err," -wdebug       - WATT-32 tcp debugging\n");
344 #endif
345         BIO_printf(bio_err," -msg          - Show protocol messages\n");
346         BIO_printf(bio_err," -nbio_test    - more ssl protocol testing\n");
347         BIO_printf(bio_err," -state        - print the 'ssl' states\n");
348 #ifdef FIONBIO
349         BIO_printf(bio_err," -nbio         - Run with non-blocking IO\n");
350 #endif
351         BIO_printf(bio_err," -crlf         - convert LF from terminal into CRLF\n");
352         BIO_printf(bio_err," -quiet        - no s_client output\n");
353         BIO_printf(bio_err," -ign_eof      - ignore input eof (default when -quiet)\n");
354         BIO_printf(bio_err," -no_ign_eof   - don't ignore input eof\n");
355 #ifndef OPENSSL_NO_PSK
356         BIO_printf(bio_err," -psk_identity arg - PSK identity\n");
357         BIO_printf(bio_err," -psk arg      - PSK in hex (without 0x)\n");
358 # ifndef OPENSSL_NO_JPAKE
359         BIO_printf(bio_err," -jpake arg    - JPAKE secret to use\n");
360 # endif
361 #endif
362 #ifndef OPENSSL_NO_SRP
363         BIO_printf(bio_err," -srpuser user     - SRP authentification for 'user'\n");
364         BIO_printf(bio_err," -srppass arg      - password for 'user'\n");
365         BIO_printf(bio_err," -srp_lateuser     - SRP username into second ClientHello message\n");
366         BIO_printf(bio_err," -srp_moregroups   - Tolerate other than the known g N values.\n");
367         BIO_printf(bio_err," -srp_strength int - minimal mength in bits for N (default %d).\n",SRP_MINIMAL_N);
368 #endif
369         BIO_printf(bio_err," -ssl2         - just use SSLv2\n");
370         BIO_printf(bio_err," -ssl3         - just use SSLv3\n");
371         BIO_printf(bio_err," -tls1_2       - just use TLSv1.2\n");
372         BIO_printf(bio_err," -tls1_1       - just use TLSv1.1\n");
373         BIO_printf(bio_err," -tls1         - just use TLSv1\n");
374         BIO_printf(bio_err," -dtls1        - just use DTLSv1\n");    
375         BIO_printf(bio_err," -mtu          - set the link layer MTU\n");
376         BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
377         BIO_printf(bio_err," -bugs         - Switch on all SSL implementation bug workarounds\n");
378         BIO_printf(bio_err," -serverpref   - Use server's cipher preferences (only SSLv2)\n");
379         BIO_printf(bio_err," -cipher       - preferred cipher to use, use the 'openssl ciphers'\n");
380         BIO_printf(bio_err,"                 command to see what is available\n");
381         BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n");
382         BIO_printf(bio_err,"                 for those protocols that support it, where\n");
383         BIO_printf(bio_err,"                 'prot' defines which one to assume.  Currently,\n");
384         BIO_printf(bio_err,"                 only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
385         BIO_printf(bio_err,"                 are supported.\n");
386         BIO_printf(bio_err," -xmpphost host - When used with \"-starttls xmpp\" specifies the virtual host.\n");
387 #ifndef OPENSSL_NO_ENGINE
388         BIO_printf(bio_err," -engine id    - Initialise and use the specified engine\n");
389 #endif
390         BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
391         BIO_printf(bio_err," -sess_out arg - file to write SSL session to\n");
392         BIO_printf(bio_err," -sess_in arg  - file to read SSL session from\n");
393 #ifndef OPENSSL_NO_TLSEXT
394         BIO_printf(bio_err," -servername host  - Set TLS extension servername in ClientHello\n");
395         BIO_printf(bio_err," -tlsextdebug      - hex dump of all TLS extensions received\n");
396         BIO_printf(bio_err," -status           - request certificate status from server\n");
397         BIO_printf(bio_err," -no_ticket        - disable use of RFC4507bis session tickets\n");
398         BIO_printf(bio_err," -serverinfo types - send empty ClientHello extensions (comma-separated numbers)\n");
399         BIO_printf(bio_err," -auth               - send and receive RFC 5878 TLS auth extensions and supplemental data\n");
400         BIO_printf(bio_err," -auth_require_reneg - Do not send TLS auth extensions until renegotiation\n");
401 # ifndef OPENSSL_NO_NEXTPROTONEG
402         BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
403 # endif
404         BIO_printf(bio_err," -alpn arg         - enable ALPN extension, considering named protocols supported (comma-separated list)\n");
405 #endif
406         BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
407         BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
408         BIO_printf(bio_err," -keymatexport label   - Export keying material using label\n");
409         BIO_printf(bio_err," -keymatexportlen len  - Export len bytes of keying material (default 20)\n");
410         }
411
412 #ifndef OPENSSL_NO_TLSEXT
413
414 /* This is a context that we pass to callbacks */
415 typedef struct tlsextctx_st {
416    BIO * biodebug;
417    int ack;
418 } tlsextctx;
419
420
421 static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
422         {
423         tlsextctx * p = (tlsextctx *) arg;
424         const char * hn= SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
425         if (SSL_get_servername_type(s) != -1) 
426                 p->ack = !SSL_session_reused(s) && hn != NULL;
427         else 
428                 BIO_printf(bio_err,"Can't use SSL_get_servername\n");
429         
430         return SSL_TLSEXT_ERR_OK;
431         }
432
433 #ifndef OPENSSL_NO_SRP
434
435 /* This is a context that we pass to all callbacks */
436 typedef struct srp_arg_st
437         {
438         char *srppassin;
439         char *srplogin;
440         int msg;   /* copy from c_msg */
441         int debug; /* copy from c_debug */
442         int amp;   /* allow more groups */
443         int strength /* minimal size for N */ ;
444         } SRP_ARG;
445
446 #define SRP_NUMBER_ITERATIONS_FOR_PRIME 64
447
448 static int srp_Verify_N_and_g(const BIGNUM *N, const BIGNUM *g)
449         {
450         BN_CTX *bn_ctx = BN_CTX_new();
451         BIGNUM *p = BN_new();
452         BIGNUM *r = BN_new();
453         int ret =
454                 g != NULL && N != NULL && bn_ctx != NULL && BN_is_odd(N) &&
455                 BN_is_prime_ex(N, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
456                 p != NULL && BN_rshift1(p, N) &&
457
458                 /* p = (N-1)/2 */
459                 BN_is_prime_ex(p, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
460                 r != NULL &&
461
462                 /* verify g^((N-1)/2) == -1 (mod N) */
463                 BN_mod_exp(r, g, p, N, bn_ctx) &&
464                 BN_add_word(r, 1) &&
465                 BN_cmp(r, N) == 0;
466
467         if(r)
468                 BN_free(r);
469         if(p)
470                 BN_free(p);
471         if(bn_ctx)
472                 BN_CTX_free(bn_ctx);
473         return ret;
474         }
475
476 /* This callback is used here for two purposes:
477    - extended debugging
478    - making some primality tests for unknown groups
479    The callback is only called for a non default group.
480
481    An application does not need the call back at all if
482    only the stanard groups are used.  In real life situations, 
483    client and server already share well known groups, 
484    thus there is no need to verify them. 
485    Furthermore, in case that a server actually proposes a group that
486    is not one of those defined in RFC 5054, it is more appropriate 
487    to add the group to a static list and then compare since 
488    primality tests are rather cpu consuming.
489 */
490
491 static int MS_CALLBACK ssl_srp_verify_param_cb(SSL *s, void *arg)
492         {
493         SRP_ARG *srp_arg = (SRP_ARG *)arg;
494         BIGNUM *N = NULL, *g = NULL;
495         if (!(N = SSL_get_srp_N(s)) || !(g = SSL_get_srp_g(s)))
496                 return 0;
497         if (srp_arg->debug || srp_arg->msg || srp_arg->amp == 1)
498                 {
499                 BIO_printf(bio_err, "SRP parameters:\n"); 
500                 BIO_printf(bio_err,"\tN="); BN_print(bio_err,N);
501                 BIO_printf(bio_err,"\n\tg="); BN_print(bio_err,g);
502                 BIO_printf(bio_err,"\n");
503                 }
504
505         if (SRP_check_known_gN_param(g,N))
506                 return 1;
507
508         if (srp_arg->amp == 1)
509                 {
510                 if (srp_arg->debug)
511                         BIO_printf(bio_err, "SRP param N and g are not known params, going to check deeper.\n");
512
513 /* The srp_moregroups is a real debugging feature.
514    Implementors should rather add the value to the known ones.
515    The minimal size has already been tested.
516 */
517                 if (BN_num_bits(g) <= BN_BITS && srp_Verify_N_and_g(N,g))
518                         return 1;
519                 }       
520         BIO_printf(bio_err, "SRP param N and g rejected.\n");
521         return 0;
522         }
523
524 #define PWD_STRLEN 1024
525
526 static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
527         {
528         SRP_ARG *srp_arg = (SRP_ARG *)arg;
529         char *pass = (char *)OPENSSL_malloc(PWD_STRLEN+1);
530         PW_CB_DATA cb_tmp;
531         int l;
532
533         cb_tmp.password = (char *)srp_arg->srppassin;
534         cb_tmp.prompt_info = "SRP user";
535         if ((l = password_callback(pass, PWD_STRLEN, 0, &cb_tmp))<0)
536                 {
537                 BIO_printf (bio_err, "Can't read Password\n");
538                 OPENSSL_free(pass);
539                 return NULL;
540                 }
541         *(pass+l)= '\0';
542
543         return pass;
544         }
545
546 #endif
547         char *srtp_profiles = NULL;
548
549 # ifndef OPENSSL_NO_NEXTPROTONEG
550 /* This the context that we pass to next_proto_cb */
551 typedef struct tlsextnextprotoctx_st {
552         unsigned char *data;
553         unsigned short len;
554         int status;
555 } tlsextnextprotoctx;
556
557 static tlsextnextprotoctx next_proto;
558
559 static int next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg)
560         {
561         tlsextnextprotoctx *ctx = arg;
562
563         if (!c_quiet)
564                 {
565                 /* We can assume that |in| is syntactically valid. */
566                 unsigned i;
567                 BIO_printf(bio_c_out, "Protocols advertised by server: ");
568                 for (i = 0; i < inlen; )
569                         {
570                         if (i)
571                                 BIO_write(bio_c_out, ", ", 2);
572                         BIO_write(bio_c_out, &in[i + 1], in[i]);
573                         i += in[i] + 1;
574                         }
575                 BIO_write(bio_c_out, "\n", 1);
576                 }
577
578         ctx->status = SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len);
579         return SSL_TLSEXT_ERR_OK;
580         }
581 # endif  /* ndef OPENSSL_NO_NEXTPROTONEG */
582
583 static int serverinfo_cli_cb(SSL* s, unsigned short ext_type,
584                              const unsigned char* in, unsigned short inlen, 
585                              int* al, void* arg)
586         {
587         char pem_name[100];
588         unsigned char ext_buf[4 + 65536];
589
590         /* Reconstruct the type/len fields prior to extension data */
591         ext_buf[0] = ext_type >> 8;
592         ext_buf[1] = ext_type & 0xFF;
593         ext_buf[2] = inlen >> 8;
594         ext_buf[3] = inlen & 0xFF;
595         memcpy(ext_buf+4, in, inlen);
596
597         BIO_snprintf(pem_name, sizeof(pem_name), "SERVERINFO FOR EXTENSION %d",
598                      ext_type);
599         PEM_write_bio(bio_c_out, pem_name, "", ext_buf, 4 + inlen);
600         return 1;
601         }
602
603 #endif
604
605 enum
606 {
607         PROTO_OFF       = 0,
608         PROTO_SMTP,
609         PROTO_POP3,
610         PROTO_IMAP,
611         PROTO_FTP,
612         PROTO_XMPP
613 };
614
615 int MAIN(int, char **);
616
617 int MAIN(int argc, char **argv)
618         {
619         int build_chain = 0;
620         SSL *con=NULL;
621 #ifndef OPENSSL_NO_KRB5
622         KSSL_CTX *kctx;
623 #endif
624         int s,k,width,state=0;
625         char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL;
626         int cbuf_len,cbuf_off;
627         int sbuf_len,sbuf_off;
628         fd_set readfds,writefds;
629         short port=PORT;
630         int full_log=1;
631         char *host=SSL_HOST_NAME;
632         const char *unix_path = NULL;
633         char *xmpphost = NULL;
634         char *cert_file=NULL,*key_file=NULL,*chain_file=NULL;
635         int cert_format = FORMAT_PEM, key_format = FORMAT_PEM;
636         char *passarg = NULL, *pass = NULL;
637         X509 *cert = NULL;
638         EVP_PKEY *key = NULL;
639         STACK_OF(X509) *chain = NULL;
640         char *CApath=NULL,*CAfile=NULL;
641         char *chCApath=NULL,*chCAfile=NULL;
642         char *vfyCApath=NULL,*vfyCAfile=NULL;
643         int reconnect=0,badop=0,verify=SSL_VERIFY_NONE;
644         int crlf=0;
645         int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending;
646         SSL_CTX *ctx=NULL;
647         int ret=1,in_init=1,i,nbio_test=0;
648         int starttls_proto = PROTO_OFF;
649         int prexit = 0;
650         X509_VERIFY_PARAM *vpm = NULL;
651         int badarg = 0;
652         const SSL_METHOD *meth=NULL;
653         int socket_type=SOCK_STREAM;
654         BIO *sbio;
655         char *inrand=NULL;
656         int mbuf_len=0;
657         struct timeval timeout, *timeoutp;
658 #ifndef OPENSSL_NO_ENGINE
659         char *engine_id=NULL;
660         char *ssl_client_engine_id=NULL;
661         ENGINE *ssl_client_engine=NULL;
662 #endif
663         ENGINE *e=NULL;
664 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
665         struct timeval tv;
666 #if defined(OPENSSL_SYS_BEOS_R5)
667         int stdin_set = 0;
668 #endif
669 #endif
670 #ifndef OPENSSL_NO_TLSEXT
671         char *servername = NULL; 
672         tlsextctx tlsextcbp = 
673         {NULL,0};
674 # ifndef OPENSSL_NO_NEXTPROTONEG
675         const char *next_proto_neg_in = NULL;
676 # endif
677         const char *alpn_in = NULL;
678 # define MAX_SI_TYPES 100
679         unsigned short serverinfo_types[MAX_SI_TYPES];
680         int serverinfo_types_count = 0;
681 #endif
682         char *sess_in = NULL;
683         char *sess_out = NULL;
684         struct sockaddr peer;
685         int peerlen = sizeof(peer);
686         int enable_timeouts = 0 ;
687         long socket_mtu = 0;
688 #ifndef OPENSSL_NO_JPAKE
689 static char *jpake_secret = NULL;
690 #define no_jpake !jpake_secret
691 #else
692 #define no_jpake 1
693 #endif
694 #ifndef OPENSSL_NO_SRP
695         char * srppass = NULL;
696         int srp_lateuser = 0;
697         SRP_ARG srp_arg = {NULL,NULL,0,0,0,1024};
698 #endif
699         SSL_EXCERT *exc = NULL;
700
701         SSL_CONF_CTX *cctx = NULL;
702         STACK_OF(OPENSSL_STRING) *ssl_args = NULL;
703
704         char *crl_file = NULL;
705         int crl_format = FORMAT_PEM;
706         int crl_download = 0;
707         STACK_OF(X509_CRL) *crls = NULL;
708         int sdebug = 0;
709
710         meth=SSLv23_client_method();
711
712         apps_startup();
713         c_Pause=0;
714         c_quiet=0;
715         c_ign_eof=0;
716         c_debug=0;
717         c_msg=0;
718         c_showcerts=0;
719
720         if (bio_err == NULL)
721                 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
722
723         if (!load_config(bio_err, NULL))
724                 goto end;
725         cctx = SSL_CONF_CTX_new();
726         if (!cctx)
727                 goto end;
728         SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT);
729         SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CMDLINE);
730
731         if (    ((cbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
732                 ((sbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
733                 ((mbuf=OPENSSL_malloc(BUFSIZZ)) == NULL))
734                 {
735                 BIO_printf(bio_err,"out of memory\n");
736                 goto end;
737                 }
738
739         verify_depth=0;
740         verify_error=X509_V_OK;
741 #ifdef FIONBIO
742         c_nbio=0;
743 #endif
744
745         argc--;
746         argv++;
747         while (argc >= 1)
748                 {
749                 if      (strcmp(*argv,"-host") == 0)
750                         {
751                         if (--argc < 1) goto bad;
752                         host= *(++argv);
753                         }
754                 else if (strcmp(*argv,"-port") == 0)
755                         {
756                         if (--argc < 1) goto bad;
757                         port=atoi(*(++argv));
758                         if (port == 0) goto bad;
759                         }
760                 else if (strcmp(*argv,"-connect") == 0)
761                         {
762                         if (--argc < 1) goto bad;
763                         if (!extract_host_port(*(++argv),&host,NULL,&port))
764                                 goto bad;
765                         }
766                 else if (strcmp(*argv,"-unix") == 0)
767                         {
768                         if (--argc < 1) goto bad;
769                         unix_path = *(++argv);
770                         }
771                 else if (strcmp(*argv,"-xmpphost") == 0)
772                         {
773                         if (--argc < 1) goto bad;
774                         xmpphost= *(++argv);
775                         }
776                 else if (strcmp(*argv,"-verify") == 0)
777                         {
778                         verify=SSL_VERIFY_PEER;
779                         if (--argc < 1) goto bad;
780                         verify_depth=atoi(*(++argv));
781                         if (!c_quiet)
782                                 BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
783                         }
784                 else if (strcmp(*argv,"-cert") == 0)
785                         {
786                         if (--argc < 1) goto bad;
787                         cert_file= *(++argv);
788                         }
789                 else if (strcmp(*argv,"-CRL") == 0)
790                         {
791                         if (--argc < 1) goto bad;
792                         crl_file= *(++argv);
793                         }
794                 else if (strcmp(*argv,"-crl_download") == 0)
795                         crl_download = 1;
796                 else if (strcmp(*argv,"-sess_out") == 0)
797                         {
798                         if (--argc < 1) goto bad;
799                         sess_out = *(++argv);
800                         }
801                 else if (strcmp(*argv,"-sess_in") == 0)
802                         {
803                         if (--argc < 1) goto bad;
804                         sess_in = *(++argv);
805                         }
806                 else if (strcmp(*argv,"-certform") == 0)
807                         {
808                         if (--argc < 1) goto bad;
809                         cert_format = str2fmt(*(++argv));
810                         }
811                 else if (strcmp(*argv,"-CRLform") == 0)
812                         {
813                         if (--argc < 1) goto bad;
814                         crl_format = str2fmt(*(++argv));
815                         }
816                 else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
817                         {
818                         if (badarg)
819                                 goto bad;
820                         continue;
821                         }
822                 else if (strcmp(*argv,"-verify_return_error") == 0)
823                         verify_return_error = 1;
824                 else if (strcmp(*argv,"-verify_quiet") == 0)
825                         verify_quiet = 1;
826                 else if (strcmp(*argv,"-brief") == 0)
827                         {
828                         c_brief = 1;
829                         verify_quiet = 1;
830                         c_quiet = 1;
831                         }
832                 else if (args_excert(&argv, &argc, &badarg, bio_err, &exc))
833                         {
834                         if (badarg)
835                                 goto bad;
836                         continue;
837                         }
838                 else if (args_ssl(&argv, &argc, cctx, &badarg, bio_err, &ssl_args))
839                         {
840                         if (badarg)
841                                 goto bad;
842                         continue;
843                         }
844                 else if (strcmp(*argv,"-prexit") == 0)
845                         prexit=1;
846                 else if (strcmp(*argv,"-crlf") == 0)
847                         crlf=1;
848                 else if (strcmp(*argv,"-quiet") == 0)
849                         {
850                         c_quiet=1;
851                         c_ign_eof=1;
852                         }
853                 else if (strcmp(*argv,"-ign_eof") == 0)
854                         c_ign_eof=1;
855                 else if (strcmp(*argv,"-no_ign_eof") == 0)
856                         c_ign_eof=0;
857                 else if (strcmp(*argv,"-pause") == 0)
858                         c_Pause=1;
859                 else if (strcmp(*argv,"-debug") == 0)
860                         c_debug=1;
861 #ifndef OPENSSL_NO_TLSEXT
862                 else if (strcmp(*argv,"-tlsextdebug") == 0)
863                         c_tlsextdebug=1;
864                 else if (strcmp(*argv,"-status") == 0)
865                         c_status_req=1;
866                 else if (strcmp(*argv,"-auth") == 0)
867                         c_auth = 1;
868                 else if (strcmp(*argv,"-auth_require_reneg") == 0)
869                         c_auth_require_reneg = 1;
870 #endif
871 #ifdef WATT32
872                 else if (strcmp(*argv,"-wdebug") == 0)
873                         dbug_init();
874 #endif
875                 else if (strcmp(*argv,"-msg") == 0)
876                         c_msg=1;
877                 else if (strcmp(*argv,"-msgfile") == 0)
878                         {
879                         if (--argc < 1) goto bad;
880                         bio_c_msg = BIO_new_file(*(++argv), "w");
881                         }
882 #ifndef OPENSSL_NO_SSL_TRACE
883                 else if (strcmp(*argv,"-trace") == 0)
884                         c_msg=2;
885 #endif
886                 else if (strcmp(*argv,"-security_debug") == 0)
887                         { sdebug=1; }
888                 else if (strcmp(*argv,"-security_debug_verbose") == 0)
889                         { sdebug=2; }
890                 else if (strcmp(*argv,"-showcerts") == 0)
891                         c_showcerts=1;
892                 else if (strcmp(*argv,"-nbio_test") == 0)
893                         nbio_test=1;
894                 else if (strcmp(*argv,"-state") == 0)
895                         state=1;
896 #ifndef OPENSSL_NO_PSK
897                 else if (strcmp(*argv,"-psk_identity") == 0)
898                         {
899                         if (--argc < 1) goto bad;
900                         psk_identity=*(++argv);
901                         }
902                 else if (strcmp(*argv,"-psk") == 0)
903                         {
904                         size_t j;
905
906                         if (--argc < 1) goto bad;
907                         psk_key=*(++argv);
908                         for (j = 0; j < strlen(psk_key); j++)
909                                 {
910                                 if (isxdigit((unsigned char)psk_key[j]))
911                                         continue;
912                                 BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
913                                 goto bad;
914                                 }
915                         }
916 #endif
917 #ifndef OPENSSL_NO_SRP
918                 else if (strcmp(*argv,"-srpuser") == 0)
919                         {
920                         if (--argc < 1) goto bad;
921                         srp_arg.srplogin= *(++argv);
922                         meth=TLSv1_client_method();
923                         }
924                 else if (strcmp(*argv,"-srppass") == 0)
925                         {
926                         if (--argc < 1) goto bad;
927                         srppass= *(++argv);
928                         meth=TLSv1_client_method();
929                         }
930                 else if (strcmp(*argv,"-srp_strength") == 0)
931                         {
932                         if (--argc < 1) goto bad;
933                         srp_arg.strength=atoi(*(++argv));
934                         BIO_printf(bio_err,"SRP minimal length for N is %d\n",srp_arg.strength);
935                         meth=TLSv1_client_method();
936                         }
937                 else if (strcmp(*argv,"-srp_lateuser") == 0)
938                         {
939                         srp_lateuser= 1;
940                         meth=TLSv1_client_method();
941                         }
942                 else if (strcmp(*argv,"-srp_moregroups") == 0)
943                         {
944                         srp_arg.amp=1;
945                         meth=TLSv1_client_method();
946                         }
947 #endif
948 #ifndef OPENSSL_NO_SSL2
949                 else if (strcmp(*argv,"-ssl2") == 0)
950                         meth=SSLv2_client_method();
951 #endif
952 #ifndef OPENSSL_NO_SSL3
953                 else if (strcmp(*argv,"-ssl3") == 0)
954                         meth=SSLv3_client_method();
955 #endif
956 #ifndef OPENSSL_NO_TLS1
957                 else if (strcmp(*argv,"-tls1_2") == 0)
958                         meth=TLSv1_2_client_method();
959                 else if (strcmp(*argv,"-tls1_1") == 0)
960                         meth=TLSv1_1_client_method();
961                 else if (strcmp(*argv,"-tls1") == 0)
962                         meth=TLSv1_client_method();
963 #endif
964 #ifndef OPENSSL_NO_DTLS1
965                 else if (strcmp(*argv,"-dtls") == 0)
966                         {
967                         meth=DTLS_client_method();
968                         socket_type=SOCK_DGRAM;
969                         }
970                 else if (strcmp(*argv,"-dtls1") == 0)
971                         {
972                         meth=DTLSv1_client_method();
973                         socket_type=SOCK_DGRAM;
974                         }
975                 else if (strcmp(*argv,"-dtls1_2") == 0)
976                         {
977                         meth=DTLSv1_2_client_method();
978                         socket_type=SOCK_DGRAM;
979                         }
980                 else if (strcmp(*argv,"-timeout") == 0)
981                         enable_timeouts=1;
982                 else if (strcmp(*argv,"-mtu") == 0)
983                         {
984                         if (--argc < 1) goto bad;
985                         socket_mtu = atol(*(++argv));
986                         }
987 #endif
988                 else if (strcmp(*argv,"-keyform") == 0)
989                         {
990                         if (--argc < 1) goto bad;
991                         key_format = str2fmt(*(++argv));
992                         }
993                 else if (strcmp(*argv,"-pass") == 0)
994                         {
995                         if (--argc < 1) goto bad;
996                         passarg = *(++argv);
997                         }
998                 else if (strcmp(*argv,"-cert_chain") == 0)
999                         {
1000                         if (--argc < 1) goto bad;
1001                         chain_file= *(++argv);
1002                         }
1003                 else if (strcmp(*argv,"-key") == 0)
1004                         {
1005                         if (--argc < 1) goto bad;
1006                         key_file= *(++argv);
1007                         }
1008                 else if (strcmp(*argv,"-reconnect") == 0)
1009                         {
1010                         reconnect=5;
1011                         }
1012                 else if (strcmp(*argv,"-CApath") == 0)
1013                         {
1014                         if (--argc < 1) goto bad;
1015                         CApath= *(++argv);
1016                         }
1017                 else if (strcmp(*argv,"-chainCApath") == 0)
1018                         {
1019                         if (--argc < 1) goto bad;
1020                         chCApath= *(++argv);
1021                         }
1022                 else if (strcmp(*argv,"-verifyCApath") == 0)
1023                         {
1024                         if (--argc < 1) goto bad;
1025                         vfyCApath= *(++argv);
1026                         }
1027                 else if (strcmp(*argv,"-build_chain") == 0)
1028                         build_chain = 1;
1029                 else if (strcmp(*argv,"-CAfile") == 0)
1030                         {
1031                         if (--argc < 1) goto bad;
1032                         CAfile= *(++argv);
1033                         }
1034                 else if (strcmp(*argv,"-chainCAfile") == 0)
1035                         {
1036                         if (--argc < 1) goto bad;
1037                         chCAfile= *(++argv);
1038                         }
1039                 else if (strcmp(*argv,"-verifyCAfile") == 0)
1040                         {
1041                         if (--argc < 1) goto bad;
1042                         vfyCAfile= *(++argv);
1043                         }
1044 #ifndef OPENSSL_NO_TLSEXT
1045 # ifndef OPENSSL_NO_NEXTPROTONEG
1046                 else if (strcmp(*argv,"-nextprotoneg") == 0)
1047                         {
1048                         if (--argc < 1) goto bad;
1049                         next_proto_neg_in = *(++argv);
1050                         }
1051 # endif
1052                 else if (strcmp(*argv,"-alpn") == 0)
1053                         {
1054                         if (--argc < 1) goto bad;
1055                         alpn_in = *(++argv);
1056                         }
1057                 else if (strcmp(*argv,"-serverinfo") == 0)
1058                         {
1059                         char *c;
1060                         int start = 0;
1061                         int len;
1062
1063                         if (--argc < 1) goto bad;
1064                         c = *(++argv);
1065                         serverinfo_types_count = 0;
1066                         len = strlen(c);
1067                         for (i = 0; i <= len; ++i)
1068                                 {
1069                                 if (i == len || c[i] == ',')
1070                                         {
1071                                         serverinfo_types[serverinfo_types_count]
1072                                             = atoi(c+start);
1073                                         serverinfo_types_count++;
1074                                         start = i+1;
1075                                         }
1076                                 if (serverinfo_types_count == MAX_SI_TYPES)
1077                                         break;
1078                                 }
1079                         }
1080 #endif
1081 #ifdef FIONBIO
1082                 else if (strcmp(*argv,"-nbio") == 0)
1083                         { c_nbio=1; }
1084 #endif
1085                 else if (strcmp(*argv,"-starttls") == 0)
1086                         {
1087                         if (--argc < 1) goto bad;
1088                         ++argv;
1089                         if (strcmp(*argv,"smtp") == 0)
1090                                 starttls_proto = PROTO_SMTP;
1091                         else if (strcmp(*argv,"pop3") == 0)
1092                                 starttls_proto = PROTO_POP3;
1093                         else if (strcmp(*argv,"imap") == 0)
1094                                 starttls_proto = PROTO_IMAP;
1095                         else if (strcmp(*argv,"ftp") == 0)
1096                                 starttls_proto = PROTO_FTP;
1097                         else if (strcmp(*argv, "xmpp") == 0)
1098                                 starttls_proto = PROTO_XMPP;
1099                         else
1100                                 goto bad;
1101                         }
1102 #ifndef OPENSSL_NO_ENGINE
1103                 else if (strcmp(*argv,"-engine") == 0)
1104                         {
1105                         if (--argc < 1) goto bad;
1106                         engine_id = *(++argv);
1107                         }
1108                 else if (strcmp(*argv,"-ssl_client_engine") == 0)
1109                         {
1110                         if (--argc < 1) goto bad;
1111                         ssl_client_engine_id = *(++argv);
1112                         }
1113 #endif
1114                 else if (strcmp(*argv,"-rand") == 0)
1115                         {
1116                         if (--argc < 1) goto bad;
1117                         inrand= *(++argv);
1118                         }
1119 #ifndef OPENSSL_NO_TLSEXT
1120                 else if (strcmp(*argv,"-servername") == 0)
1121                         {
1122                         if (--argc < 1) goto bad;
1123                         servername= *(++argv);
1124                         /* meth=TLSv1_client_method(); */
1125                         }
1126 #endif
1127 #ifndef OPENSSL_NO_JPAKE
1128                 else if (strcmp(*argv,"-jpake") == 0)
1129                         {
1130                         if (--argc < 1) goto bad;
1131                         jpake_secret = *++argv;
1132                         }
1133 #endif
1134                 else if (strcmp(*argv,"-use_srtp") == 0)
1135                         {
1136                         if (--argc < 1) goto bad;
1137                         srtp_profiles = *(++argv);
1138                         }
1139                 else if (strcmp(*argv,"-keymatexport") == 0)
1140                         {
1141                         if (--argc < 1) goto bad;
1142                         keymatexportlabel= *(++argv);
1143                         }
1144                 else if (strcmp(*argv,"-keymatexportlen") == 0)
1145                         {
1146                         if (--argc < 1) goto bad;
1147                         keymatexportlen=atoi(*(++argv));
1148                         if (keymatexportlen == 0) goto bad;
1149                         }
1150                 else
1151                         {
1152                         BIO_printf(bio_err,"unknown option %s\n",*argv);
1153                         badop=1;
1154                         break;
1155                         }
1156                 argc--;
1157                 argv++;
1158                 }
1159         if (badop)
1160                 {
1161 bad:
1162                 sc_usage();
1163                 goto end;
1164                 }
1165
1166         if (unix_path && (socket_type != SOCK_STREAM))
1167                 {
1168                 BIO_printf(bio_err, "Can't use unix sockets and datagrams together\n");
1169                         goto end;
1170                 }
1171 #if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
1172         if (jpake_secret)
1173                 {
1174                 if (psk_key)
1175                         {
1176                         BIO_printf(bio_err,
1177                                    "Can't use JPAKE and PSK together\n");
1178                         goto end;
1179                         }
1180                 psk_identity = "JPAKE";
1181                 }
1182 #endif
1183
1184         OpenSSL_add_ssl_algorithms();
1185         SSL_load_error_strings();
1186
1187 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
1188         next_proto.status = -1;
1189         if (next_proto_neg_in)
1190                 {
1191                 next_proto.data = next_protos_parse(&next_proto.len, next_proto_neg_in);
1192                 if (next_proto.data == NULL)
1193                         {
1194                         BIO_printf(bio_err, "Error parsing -nextprotoneg argument\n");
1195                         goto end;
1196                         }
1197                 }
1198         else
1199                 next_proto.data = NULL;
1200 #endif
1201
1202 #ifndef OPENSSL_NO_ENGINE
1203         e = setup_engine(bio_err, engine_id, 1);
1204         if (ssl_client_engine_id)
1205                 {
1206                 ssl_client_engine = ENGINE_by_id(ssl_client_engine_id);
1207                 if (!ssl_client_engine)
1208                         {
1209                         BIO_printf(bio_err,
1210                                         "Error getting client auth engine\n");
1211                         goto end;
1212                         }
1213                 }
1214
1215 #endif
1216         if (!app_passwd(bio_err, passarg, NULL, &pass, NULL))
1217                 {
1218                 BIO_printf(bio_err, "Error getting password\n");
1219                 goto end;
1220                 }
1221
1222         if (key_file == NULL)
1223                 key_file = cert_file;
1224
1225
1226         if (key_file)
1227
1228                 {
1229
1230                 key = load_key(bio_err, key_file, key_format, 0, pass, e,
1231                                "client certificate private key file");
1232                 if (!key)
1233                         {
1234                         ERR_print_errors(bio_err);
1235                         goto end;
1236                         }
1237
1238                 }
1239
1240         if (cert_file)
1241
1242                 {
1243                 cert = load_cert(bio_err,cert_file,cert_format,
1244                                 NULL, e, "client certificate file");
1245
1246                 if (!cert)
1247                         {
1248                         ERR_print_errors(bio_err);
1249                         goto end;
1250                         }
1251                 }
1252
1253         if (chain_file)
1254                 {
1255                 chain = load_certs(bio_err, chain_file,FORMAT_PEM,
1256                                         NULL, e, "client certificate chain");
1257                 if (!chain)
1258                         goto end;
1259                 }
1260
1261         if (crl_file)
1262                 {
1263                 X509_CRL *crl;
1264                 crl = load_crl(crl_file, crl_format);
1265                 if (!crl)
1266                         {
1267                         BIO_puts(bio_err, "Error loading CRL\n");
1268                         ERR_print_errors(bio_err);
1269                         goto end;
1270                         }
1271                 crls = sk_X509_CRL_new_null();
1272                 if (!crls || !sk_X509_CRL_push(crls, crl))
1273                         {
1274                         BIO_puts(bio_err, "Error adding CRL\n");
1275                         ERR_print_errors(bio_err);
1276                         X509_CRL_free(crl);
1277                         goto end;
1278                         }
1279                 }
1280
1281         if (!load_excert(&exc, bio_err))
1282                 goto end;
1283
1284         if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
1285                 && !RAND_status())
1286                 {
1287                 BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
1288                 }
1289         if (inrand != NULL)
1290                 BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
1291                         app_RAND_load_files(inrand));
1292
1293         if (bio_c_out == NULL)
1294                 {
1295                 if (c_quiet && !c_debug)
1296                         {
1297                         bio_c_out=BIO_new(BIO_s_null());
1298                         if (c_msg && !bio_c_msg)
1299                                 bio_c_msg=BIO_new_fp(stdout,BIO_NOCLOSE);
1300                         }
1301                 else
1302                         {
1303                         if (bio_c_out == NULL)
1304                                 bio_c_out=BIO_new_fp(stdout,BIO_NOCLOSE);
1305                         }
1306                 }
1307
1308 #ifndef OPENSSL_NO_SRP
1309         if(!app_passwd(bio_err, srppass, NULL, &srp_arg.srppassin, NULL))
1310                 {
1311                 BIO_printf(bio_err, "Error getting password\n");
1312                 goto end;
1313                 }
1314 #endif
1315
1316         ctx=SSL_CTX_new(meth);
1317         if (ctx == NULL)
1318                 {
1319                 ERR_print_errors(bio_err);
1320                 goto end;
1321                 }
1322
1323         if (sdebug)
1324                 ssl_ctx_security_debug(ctx, bio_err, sdebug);
1325
1326         if (vpm)
1327                 SSL_CTX_set1_param(ctx, vpm);
1328
1329         if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, 1, no_jpake))
1330                 {
1331                 ERR_print_errors(bio_err);
1332                 goto end;
1333                 }
1334
1335         if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile,
1336                                                 crls, crl_download))
1337                 {
1338                 BIO_printf(bio_err, "Error loading store locations\n");
1339                 ERR_print_errors(bio_err);
1340                 goto end;
1341                 }
1342
1343 #ifndef OPENSSL_NO_ENGINE
1344         if (ssl_client_engine)
1345                 {
1346                 if (!SSL_CTX_set_client_cert_engine(ctx, ssl_client_engine))
1347                         {
1348                         BIO_puts(bio_err, "Error setting client auth engine\n");
1349                         ERR_print_errors(bio_err);
1350                         ENGINE_free(ssl_client_engine);
1351                         goto end;
1352                         }
1353                 ENGINE_free(ssl_client_engine);
1354                 }
1355 #endif
1356
1357 #ifndef OPENSSL_NO_PSK
1358 #ifdef OPENSSL_NO_JPAKE
1359         if (psk_key != NULL)
1360 #else
1361         if (psk_key != NULL || jpake_secret)
1362 #endif
1363                 {
1364                 if (c_debug)
1365                         BIO_printf(bio_c_out, "PSK key given or JPAKE in use, setting client callback\n");
1366                 SSL_CTX_set_psk_client_callback(ctx, psk_client_cb);
1367                 }
1368         if (srtp_profiles != NULL)
1369                 SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles);
1370 #endif
1371         if (exc) ssl_ctx_set_excert(ctx, exc);
1372         /* DTLS: partial reads end up discarding unread UDP bytes :-( 
1373          * Setting read ahead solves this problem.
1374          */
1375         if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
1376
1377 #if !defined(OPENSSL_NO_TLSEXT)
1378 # if !defined(OPENSSL_NO_NEXTPROTONEG)
1379         if (next_proto.data)
1380                 SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);
1381 # endif
1382         if (alpn_in)
1383                 {
1384                 unsigned short alpn_len;
1385                 unsigned char *alpn = next_protos_parse(&alpn_len, alpn_in);
1386
1387                 if (alpn == NULL)
1388                         {
1389                         BIO_printf(bio_err, "Error parsing -alpn argument\n");
1390                         goto end;
1391                         }
1392                 SSL_CTX_set_alpn_protos(ctx, alpn, alpn_len);
1393                 OPENSSL_free(alpn);
1394                 }
1395 #endif
1396 #ifndef OPENSSL_NO_TLSEXT
1397                 if (serverinfo_types_count)
1398                         {
1399                         for (i = 0; i < serverinfo_types_count; i++)
1400                                 {
1401                                 SSL_CTX_set_custom_cli_ext(ctx,
1402                                                            serverinfo_types[i],
1403                                                            NULL, 
1404                                                            serverinfo_cli_cb,
1405                                                            NULL);
1406                                 }
1407                         }
1408 #endif
1409
1410         if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
1411 #if 0
1412         else
1413                 SSL_CTX_set_cipher_list(ctx,getenv("SSL_CIPHER"));
1414 #endif
1415
1416         SSL_CTX_set_verify(ctx,verify,verify_callback);
1417
1418         if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
1419                 (!SSL_CTX_set_default_verify_paths(ctx)))
1420                 {
1421                 /* BIO_printf(bio_err,"error setting default verify locations\n"); */
1422                 ERR_print_errors(bio_err);
1423                 /* goto end; */
1424                 }
1425
1426         ssl_ctx_add_crls(ctx, crls, crl_download);
1427
1428         if (!set_cert_key_stuff(ctx,cert,key,chain,build_chain))
1429                 goto end;
1430
1431 #ifndef OPENSSL_NO_TLSEXT
1432         if (servername != NULL)
1433                 {
1434                 tlsextcbp.biodebug = bio_err;
1435                 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
1436                 SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
1437                 }
1438 #ifndef OPENSSL_NO_SRP
1439         if (srp_arg.srplogin)
1440                 {
1441                 if (!srp_lateuser && !SSL_CTX_set_srp_username(ctx, srp_arg.srplogin))
1442                         {
1443                         BIO_printf(bio_err,"Unable to set SRP username\n");
1444                         goto end;
1445                         }
1446                 srp_arg.msg = c_msg;
1447                 srp_arg.debug = c_debug ;
1448                 SSL_CTX_set_srp_cb_arg(ctx,&srp_arg);
1449                 SSL_CTX_set_srp_client_pwd_callback(ctx, ssl_give_srp_client_pwd_cb);
1450                 SSL_CTX_set_srp_strength(ctx, srp_arg.strength);
1451                 if (c_msg || c_debug || srp_arg.amp == 0)
1452                         SSL_CTX_set_srp_verify_param_callback(ctx, ssl_srp_verify_param_cb);
1453                 }
1454
1455 #endif
1456         if (c_auth)
1457                 {
1458                 SSL_CTX_set_custom_cli_ext(ctx, TLSEXT_TYPE_client_authz, authz_tlsext_generate_cb, authz_tlsext_cb, bio_err);
1459                 SSL_CTX_set_custom_cli_ext(ctx, TLSEXT_TYPE_server_authz, authz_tlsext_generate_cb, authz_tlsext_cb, bio_err);
1460                 SSL_CTX_set_cli_supp_data(ctx, TLSEXT_SUPPLEMENTALDATATYPE_authz_data, suppdata_cb, auth_suppdata_generate_cb, bio_err);
1461                 }
1462 #endif
1463
1464         con=SSL_new(ctx);
1465         if (sess_in)
1466                 {
1467                 SSL_SESSION *sess;
1468                 BIO *stmp = BIO_new_file(sess_in, "r");
1469                 if (!stmp)
1470                         {
1471                         BIO_printf(bio_err, "Can't open session file %s\n",
1472                                                 sess_in);
1473                         ERR_print_errors(bio_err);
1474                         goto end;
1475                         }
1476                 sess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL);
1477                 BIO_free(stmp);
1478                 if (!sess)
1479                         {
1480                         BIO_printf(bio_err, "Can't open session file %s\n",
1481                                                 sess_in);
1482                         ERR_print_errors(bio_err);
1483                         goto end;
1484                         }
1485                 SSL_set_session(con, sess);
1486                 SSL_SESSION_free(sess);
1487                 }
1488 #ifndef OPENSSL_NO_TLSEXT
1489         if (servername != NULL)
1490                 {
1491                 if (!SSL_set_tlsext_host_name(con,servername))
1492                         {
1493                         BIO_printf(bio_err,"Unable to set TLS servername extension.\n");
1494                         ERR_print_errors(bio_err);
1495                         goto end;
1496                         }
1497                 }
1498 #endif
1499 #ifndef OPENSSL_NO_KRB5
1500         if (con  &&  (kctx = kssl_ctx_new()) != NULL)
1501                 {
1502                 SSL_set0_kssl_ctx(con, kctx);
1503                 kssl_ctx_setstring(kctx, KSSL_SERVER, host);
1504                 }
1505 #endif  /* OPENSSL_NO_KRB5  */
1506 /*      SSL_set_cipher_list(con,"RC4-MD5"); */
1507 #if 0
1508 #ifdef TLSEXT_TYPE_opaque_prf_input
1509         SSL_set_tlsext_opaque_prf_input(con, "Test client", 11);
1510 #endif
1511 #endif
1512
1513 re_start:
1514
1515         if ((!unix_path && (init_client(&s,host,port,socket_type) == 0)) ||
1516                         (unix_path && (init_client_unix(&s,unix_path) == 0)))
1517                 {
1518                 BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
1519                 SHUTDOWN(s);
1520                 goto end;
1521                 }
1522         BIO_printf(bio_c_out,"CONNECTED(%08X)\n",s);
1523
1524 #ifdef FIONBIO
1525         if (c_nbio)
1526                 {
1527                 unsigned long l=1;
1528                 BIO_printf(bio_c_out,"turning on non blocking io\n");
1529                 if (BIO_socket_ioctl(s,FIONBIO,&l) < 0)
1530                         {
1531                         ERR_print_errors(bio_err);
1532                         goto end;
1533                         }
1534                 }
1535 #endif                                              
1536         if (c_Pause & 0x01) SSL_set_debug(con, 1);
1537
1538         if (socket_type == SOCK_DGRAM)
1539                 {
1540
1541                 sbio=BIO_new_dgram(s,BIO_NOCLOSE);
1542                 if (getsockname(s, &peer, (void *)&peerlen) < 0)
1543                         {
1544                         BIO_printf(bio_err, "getsockname:errno=%d\n",
1545                                 get_last_socket_error());
1546                         SHUTDOWN(s);
1547                         goto end;
1548                         }
1549
1550                 (void)BIO_ctrl_set_connected(sbio, 1, &peer);
1551
1552                 if (enable_timeouts)
1553                         {
1554                         timeout.tv_sec = 0;
1555                         timeout.tv_usec = DGRAM_RCV_TIMEOUT;
1556                         BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
1557                         
1558                         timeout.tv_sec = 0;
1559                         timeout.tv_usec = DGRAM_SND_TIMEOUT;
1560                         BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
1561                         }
1562
1563                 if (socket_mtu > 28)
1564                         {
1565                         SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
1566                         SSL_set_mtu(con, socket_mtu - 28);
1567                         }
1568                 else
1569                         /* want to do MTU discovery */
1570                         BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
1571                 }
1572         else
1573                 sbio=BIO_new_socket(s,BIO_NOCLOSE);
1574
1575         if (nbio_test)
1576                 {
1577                 BIO *test;
1578
1579                 test=BIO_new(BIO_f_nbio_test());
1580                 sbio=BIO_push(test,sbio);
1581                 }
1582
1583         if (c_debug)
1584                 {
1585                 SSL_set_debug(con, 1);
1586                 BIO_set_callback(sbio,bio_dump_callback);
1587                 BIO_set_callback_arg(sbio,(char *)bio_c_out);
1588                 }
1589         if (c_msg)
1590                 {
1591 #ifndef OPENSSL_NO_SSL_TRACE
1592                 if (c_msg == 2)
1593                         SSL_set_msg_callback(con, SSL_trace);
1594                 else
1595 #endif
1596                         SSL_set_msg_callback(con, msg_cb);
1597                 SSL_set_msg_callback_arg(con, bio_c_msg ? bio_c_msg : bio_c_out);
1598                 }
1599 #ifndef OPENSSL_NO_TLSEXT
1600         if (c_tlsextdebug)
1601                 {
1602                 SSL_set_tlsext_debug_callback(con, tlsext_cb);
1603                 SSL_set_tlsext_debug_arg(con, bio_c_out);
1604                 }
1605         if (c_status_req)
1606                 {
1607                 SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp);
1608                 SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb);
1609                 SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out);
1610 #if 0
1611 {
1612 STACK_OF(OCSP_RESPID) *ids = sk_OCSP_RESPID_new_null();
1613 OCSP_RESPID *id = OCSP_RESPID_new();
1614 id->value.byKey = ASN1_OCTET_STRING_new();
1615 id->type = V_OCSP_RESPID_KEY;
1616 ASN1_STRING_set(id->value.byKey, "Hello World", -1);
1617 sk_OCSP_RESPID_push(ids, id);
1618 SSL_set_tlsext_status_ids(con, ids);
1619 }
1620 #endif
1621                 }
1622 #endif
1623 #ifndef OPENSSL_NO_JPAKE
1624         if (jpake_secret)
1625                 jpake_client_auth(bio_c_out, sbio, jpake_secret);
1626 #endif
1627
1628         SSL_set_bio(con,sbio,sbio);
1629         SSL_set_connect_state(con);
1630
1631         /* ok, lets connect */
1632         width=SSL_get_fd(con)+1;
1633
1634         read_tty=1;
1635         write_tty=0;
1636         tty_on=0;
1637         read_ssl=1;
1638         write_ssl=1;
1639         
1640         cbuf_len=0;
1641         cbuf_off=0;
1642         sbuf_len=0;
1643         sbuf_off=0;
1644
1645         /* This is an ugly hack that does a lot of assumptions */
1646         /* We do have to handle multi-line responses which may come
1647            in a single packet or not. We therefore have to use
1648            BIO_gets() which does need a buffering BIO. So during
1649            the initial chitchat we do push a buffering BIO into the
1650            chain that is removed again later on to not disturb the
1651            rest of the s_client operation. */
1652         if (starttls_proto == PROTO_SMTP)
1653                 {
1654                 int foundit=0;
1655                 BIO *fbio = BIO_new(BIO_f_buffer());
1656                 BIO_push(fbio, sbio);
1657                 /* wait for multi-line response to end from SMTP */
1658                 do
1659                         {
1660                         mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1661                         }
1662                 while (mbuf_len>3 && mbuf[3]=='-');
1663                 /* STARTTLS command requires EHLO... */
1664                 BIO_printf(fbio,"EHLO openssl.client.net\r\n");
1665                 (void)BIO_flush(fbio);
1666                 /* wait for multi-line response to end EHLO SMTP response */
1667                 do
1668                         {
1669                         mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1670                         if (strstr(mbuf,"STARTTLS"))
1671                                 foundit=1;
1672                         }
1673                 while (mbuf_len>3 && mbuf[3]=='-');
1674                 (void)BIO_flush(fbio);
1675                 BIO_pop(fbio);
1676                 BIO_free(fbio);
1677                 if (!foundit)
1678                         BIO_printf(bio_err,
1679                                    "didn't found starttls in server response,"
1680                                    " try anyway...\n");
1681                 BIO_printf(sbio,"STARTTLS\r\n");
1682                 BIO_read(sbio,sbuf,BUFSIZZ);
1683                 }
1684         else if (starttls_proto == PROTO_POP3)
1685                 {
1686                 BIO_read(sbio,mbuf,BUFSIZZ);
1687                 BIO_printf(sbio,"STLS\r\n");
1688                 BIO_read(sbio,sbuf,BUFSIZZ);
1689                 }
1690         else if (starttls_proto == PROTO_IMAP)
1691                 {
1692                 int foundit=0;
1693                 BIO *fbio = BIO_new(BIO_f_buffer());
1694                 BIO_push(fbio, sbio);
1695                 BIO_gets(fbio,mbuf,BUFSIZZ);
1696                 /* STARTTLS command requires CAPABILITY... */
1697                 BIO_printf(fbio,". CAPABILITY\r\n");
1698                 (void)BIO_flush(fbio);
1699                 /* wait for multi-line CAPABILITY response */
1700                 do
1701                         {
1702                         mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1703                         if (strstr(mbuf,"STARTTLS"))
1704                                 foundit=1;
1705                         }
1706                 while (mbuf_len>3 && mbuf[0]!='.');
1707                 (void)BIO_flush(fbio);
1708                 BIO_pop(fbio);
1709                 BIO_free(fbio);
1710                 if (!foundit)
1711                         BIO_printf(bio_err,
1712                                    "didn't found STARTTLS in server response,"
1713                                    " try anyway...\n");
1714                 BIO_printf(sbio,". STARTTLS\r\n");
1715                 BIO_read(sbio,sbuf,BUFSIZZ);
1716                 }
1717         else if (starttls_proto == PROTO_FTP)
1718                 {
1719                 BIO *fbio = BIO_new(BIO_f_buffer());
1720                 BIO_push(fbio, sbio);
1721                 /* wait for multi-line response to end from FTP */
1722                 do
1723                         {
1724                         mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1725                         }
1726                 while (mbuf_len>3 && mbuf[3]=='-');
1727                 (void)BIO_flush(fbio);
1728                 BIO_pop(fbio);
1729                 BIO_free(fbio);
1730                 BIO_printf(sbio,"AUTH TLS\r\n");
1731                 BIO_read(sbio,sbuf,BUFSIZZ);
1732                 }
1733         if (starttls_proto == PROTO_XMPP)
1734                 {
1735                 int seen = 0;
1736                 BIO_printf(sbio,"<stream:stream "
1737                     "xmlns:stream='http://etherx.jabber.org/streams' "
1738                     "xmlns='jabber:client' to='%s' version='1.0'>", xmpphost ?
1739                            xmpphost : host);
1740                 seen = BIO_read(sbio,mbuf,BUFSIZZ);
1741                 mbuf[seen] = 0;
1742                 while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'") &&
1743                                 !strstr(mbuf, "<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\""))
1744                         {
1745                         seen = BIO_read(sbio,mbuf,BUFSIZZ);
1746
1747                         if (seen <= 0)
1748                                 goto shut;
1749
1750                         mbuf[seen] = 0;
1751                         }
1752                 BIO_printf(sbio, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>");
1753                 seen = BIO_read(sbio,sbuf,BUFSIZZ);
1754                 sbuf[seen] = 0;
1755                 if (!strstr(sbuf, "<proceed"))
1756                         goto shut;
1757                 mbuf[0] = 0;
1758                 }
1759
1760         for (;;)
1761                 {
1762                 FD_ZERO(&readfds);
1763                 FD_ZERO(&writefds);
1764
1765                 if ((SSL_version(con) == DTLS1_VERSION) &&
1766                         DTLSv1_get_timeout(con, &timeout))
1767                         timeoutp = &timeout;
1768                 else
1769                         timeoutp = NULL;
1770
1771                 if (SSL_in_init(con) && !SSL_total_renegotiations(con))
1772                         {
1773                         in_init=1;
1774                         tty_on=0;
1775                         }
1776                 else
1777                         {
1778                         tty_on=1;
1779                         if (in_init)
1780                                 {
1781                                 in_init=0;
1782 #if 0 /* This test doesn't really work as intended (needs to be fixed) */
1783 #ifndef OPENSSL_NO_TLSEXT
1784                                 if (servername != NULL && !SSL_session_reused(con))
1785                                         {
1786                                         BIO_printf(bio_c_out,"Server did %sacknowledge servername extension.\n",tlsextcbp.ack?"":"not ");
1787                                         }
1788 #endif
1789 #endif
1790                                 if (sess_out)
1791                                         {
1792                                         BIO *stmp = BIO_new_file(sess_out, "w");
1793                                         if (stmp)
1794                                                 {
1795                                                 PEM_write_bio_SSL_SESSION(stmp, SSL_get_session(con));
1796                                                 BIO_free(stmp);
1797                                                 }
1798                                         else 
1799                                                 BIO_printf(bio_err, "Error writing session file %s\n", sess_out);
1800                                         }
1801                                 if (c_brief)
1802                                         {
1803                                         BIO_puts(bio_err,
1804                                                 "CONNECTION ESTABLISHED\n");
1805                                         print_ssl_summary(bio_err, con);
1806                                         }
1807                                 /*handshake is complete - free the generated supp data allocated in the callback */
1808                                 if (generated_supp_data)
1809                                         {
1810                                         OPENSSL_free(generated_supp_data);
1811                                         generated_supp_data = NULL;
1812                                         }
1813
1814                                 print_stuff(bio_c_out,con,full_log);
1815                                 if (full_log > 0) full_log--;
1816
1817                                 if (starttls_proto)
1818                                         {
1819                                         BIO_printf(bio_err,"%s",mbuf);
1820                                         /* We don't need to know any more */
1821                                         starttls_proto = PROTO_OFF;
1822                                         }
1823
1824                                 if (reconnect)
1825                                         {
1826                                         reconnect--;
1827                                         BIO_printf(bio_c_out,"drop connection and then reconnect\n");
1828                                         SSL_shutdown(con);
1829                                         SSL_set_connect_state(con);
1830                                         SHUTDOWN(SSL_get_fd(con));
1831                                         goto re_start;
1832                                         }
1833                                 }
1834                         }
1835
1836                 ssl_pending = read_ssl && SSL_pending(con);
1837
1838                 if (!ssl_pending)
1839                         {
1840 #if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) && !defined (OPENSSL_SYS_BEOS_R5)
1841                         if (tty_on)
1842                                 {
1843                                 if (read_tty)  openssl_fdset(fileno(stdin),&readfds);
1844                                 if (write_tty) openssl_fdset(fileno(stdout),&writefds);
1845                                 }
1846                         if (read_ssl)
1847                                 openssl_fdset(SSL_get_fd(con),&readfds);
1848                         if (write_ssl)
1849                                 openssl_fdset(SSL_get_fd(con),&writefds);
1850 #else
1851                         if(!tty_on || !write_tty) {
1852                                 if (read_ssl)
1853                                         openssl_fdset(SSL_get_fd(con),&readfds);
1854                                 if (write_ssl)
1855                                         openssl_fdset(SSL_get_fd(con),&writefds);
1856                         }
1857 #endif
1858 /*                      printf("mode tty(%d %d%d) ssl(%d%d)\n",
1859                                 tty_on,read_tty,write_tty,read_ssl,write_ssl);*/
1860
1861                         /* Note: under VMS with SOCKETSHR the second parameter
1862                          * is currently of type (int *) whereas under other
1863                          * systems it is (void *) if you don't have a cast it
1864                          * will choke the compiler: if you do have a cast then
1865                          * you can either go for (int *) or (void *).
1866                          */
1867 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
1868                         /* Under Windows/DOS we make the assumption that we can
1869                          * always write to the tty: therefore if we need to
1870                          * write to the tty we just fall through. Otherwise
1871                          * we timeout the select every second and see if there
1872                          * are any keypresses. Note: this is a hack, in a proper
1873                          * Windows application we wouldn't do this.
1874                          */
1875                         i=0;
1876                         if(!write_tty) {
1877                                 if(read_tty) {
1878                                         tv.tv_sec = 1;
1879                                         tv.tv_usec = 0;
1880                                         i=select(width,(void *)&readfds,(void *)&writefds,
1881                                                  NULL,&tv);
1882 #if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
1883                                         if(!i && (!_kbhit() || !read_tty) ) continue;
1884 #else
1885                                         if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue;
1886 #endif
1887                                 } else  i=select(width,(void *)&readfds,(void *)&writefds,
1888                                          NULL,timeoutp);
1889                         }
1890 #elif defined(OPENSSL_SYS_NETWARE)
1891                         if(!write_tty) {
1892                                 if(read_tty) {
1893                                         tv.tv_sec = 1;
1894                                         tv.tv_usec = 0;
1895                                         i=select(width,(void *)&readfds,(void *)&writefds,
1896                                                 NULL,&tv);
1897                                 } else  i=select(width,(void *)&readfds,(void *)&writefds,
1898                                         NULL,timeoutp);
1899                         }
1900 #elif defined(OPENSSL_SYS_BEOS_R5)
1901                         /* Under BeOS-R5 the situation is similar to DOS */
1902                         i=0;
1903                         stdin_set = 0;
1904                         (void)fcntl(fileno(stdin), F_SETFL, O_NONBLOCK);
1905                         if(!write_tty) {
1906                                 if(read_tty) {
1907                                         tv.tv_sec = 1;
1908                                         tv.tv_usec = 0;
1909                                         i=select(width,(void *)&readfds,(void *)&writefds,
1910                                                  NULL,&tv);
1911                                         if (read(fileno(stdin), sbuf, 0) >= 0)
1912                                                 stdin_set = 1;
1913                                         if (!i && (stdin_set != 1 || !read_tty))
1914                                                 continue;
1915                                 } else  i=select(width,(void *)&readfds,(void *)&writefds,
1916                                          NULL,timeoutp);
1917                         }
1918                         (void)fcntl(fileno(stdin), F_SETFL, 0);
1919 #else
1920                         i=select(width,(void *)&readfds,(void *)&writefds,
1921                                  NULL,timeoutp);
1922 #endif
1923                         if ( i < 0)
1924                                 {
1925                                 BIO_printf(bio_err,"bad select %d\n",
1926                                 get_last_socket_error());
1927                                 goto shut;
1928                                 /* goto end; */
1929                                 }
1930                         }
1931
1932                 if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0)
1933                         {
1934                         BIO_printf(bio_err,"TIMEOUT occurred\n");
1935                         }
1936
1937                 if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds))
1938                         {
1939                         k=SSL_write(con,&(cbuf[cbuf_off]),
1940                                 (unsigned int)cbuf_len);
1941                         switch (SSL_get_error(con,k))
1942                                 {
1943                         case SSL_ERROR_NONE:
1944                                 cbuf_off+=k;
1945                                 cbuf_len-=k;
1946                                 if (k <= 0) goto end;
1947                                 /* we have done a  write(con,NULL,0); */
1948                                 if (cbuf_len <= 0)
1949                                         {
1950                                         read_tty=1;
1951                                         write_ssl=0;
1952                                         }
1953                                 else /* if (cbuf_len > 0) */
1954                                         {
1955                                         read_tty=0;
1956                                         write_ssl=1;
1957                                         }
1958                                 break;
1959                         case SSL_ERROR_WANT_WRITE:
1960                                 BIO_printf(bio_c_out,"write W BLOCK\n");
1961                                 write_ssl=1;
1962                                 read_tty=0;
1963                                 break;
1964                         case SSL_ERROR_WANT_READ:
1965                                 BIO_printf(bio_c_out,"write R BLOCK\n");
1966                                 write_tty=0;
1967                                 read_ssl=1;
1968                                 write_ssl=0;
1969                                 break;
1970                         case SSL_ERROR_WANT_X509_LOOKUP:
1971                                 BIO_printf(bio_c_out,"write X BLOCK\n");
1972                                 break;
1973                         case SSL_ERROR_ZERO_RETURN:
1974                                 if (cbuf_len != 0)
1975                                         {
1976                                         BIO_printf(bio_c_out,"shutdown\n");
1977                                         ret = 0;
1978                                         goto shut;
1979                                         }
1980                                 else
1981                                         {
1982                                         read_tty=1;
1983                                         write_ssl=0;
1984                                         break;
1985                                         }
1986                                 
1987                         case SSL_ERROR_SYSCALL:
1988                                 if ((k != 0) || (cbuf_len != 0))
1989                                         {
1990                                         BIO_printf(bio_err,"write:errno=%d\n",
1991                                                 get_last_socket_error());
1992                                         goto shut;
1993                                         }
1994                                 else
1995                                         {
1996                                         read_tty=1;
1997                                         write_ssl=0;
1998                                         }
1999                                 break;
2000                         case SSL_ERROR_SSL:
2001                                 ERR_print_errors(bio_err);
2002                                 goto shut;
2003                                 }
2004                         }
2005 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
2006                 /* Assume Windows/DOS/BeOS can always write */
2007                 else if (!ssl_pending && write_tty)
2008 #else
2009                 else if (!ssl_pending && FD_ISSET(fileno(stdout),&writefds))
2010 #endif
2011                         {
2012 #ifdef CHARSET_EBCDIC
2013                         ascii2ebcdic(&(sbuf[sbuf_off]),&(sbuf[sbuf_off]),sbuf_len);
2014 #endif
2015                         i=raw_write_stdout(&(sbuf[sbuf_off]),sbuf_len);
2016
2017                         if (i <= 0)
2018                                 {
2019                                 BIO_printf(bio_c_out,"DONE\n");
2020                                 ret = 0;
2021                                 goto shut;
2022                                 /* goto end; */
2023                                 }
2024
2025                         sbuf_len-=i;;
2026                         sbuf_off+=i;
2027                         if (sbuf_len <= 0)
2028                                 {
2029                                 read_ssl=1;
2030                                 write_tty=0;
2031                                 }
2032                         }
2033                 else if (ssl_pending || FD_ISSET(SSL_get_fd(con),&readfds))
2034                         {
2035 #ifdef RENEG
2036 { static int iiii; if (++iiii == 52) { SSL_renegotiate(con); iiii=0; } }
2037 #endif
2038 #if 1
2039                         k=SSL_read(con,sbuf,1024 /* BUFSIZZ */ );
2040 #else
2041 /* Demo for pending and peek :-) */
2042                         k=SSL_read(con,sbuf,16);
2043 { char zbuf[10240]; 
2044 printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240));
2045 }
2046 #endif
2047
2048                         switch (SSL_get_error(con,k))
2049                                 {
2050                         case SSL_ERROR_NONE:
2051                                 if (k <= 0)
2052                                         goto end;
2053                                 sbuf_off=0;
2054                                 sbuf_len=k;
2055
2056                                 read_ssl=0;
2057                                 write_tty=1;
2058                                 break;
2059                         case SSL_ERROR_WANT_WRITE:
2060                                 BIO_printf(bio_c_out,"read W BLOCK\n");
2061                                 write_ssl=1;
2062                                 read_tty=0;
2063                                 break;
2064                         case SSL_ERROR_WANT_READ:
2065                                 BIO_printf(bio_c_out,"read R BLOCK\n");
2066                                 write_tty=0;
2067                                 read_ssl=1;
2068                                 if ((read_tty == 0) && (write_ssl == 0))
2069                                         write_ssl=1;
2070                                 break;
2071                         case SSL_ERROR_WANT_X509_LOOKUP:
2072                                 BIO_printf(bio_c_out,"read X BLOCK\n");
2073                                 break;
2074                         case SSL_ERROR_SYSCALL:
2075                                 ret=get_last_socket_error();
2076                                 if (c_brief)
2077                                         BIO_puts(bio_err, "CONNECTION CLOSED BY SERVER\n");
2078                                 else
2079                                         BIO_printf(bio_err,"read:errno=%d\n",ret);
2080                                 goto shut;
2081                         case SSL_ERROR_ZERO_RETURN:
2082                                 BIO_printf(bio_c_out,"closed\n");
2083                                 ret=0;
2084                                 goto shut;
2085                         case SSL_ERROR_SSL:
2086                                 ERR_print_errors(bio_err);
2087                                 goto shut;
2088                                 /* break; */
2089                                 }
2090                         }
2091
2092 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
2093 #if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
2094                 else if (_kbhit())
2095 #else
2096                 else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
2097 #endif
2098 #elif defined (OPENSSL_SYS_NETWARE)
2099                 else if (_kbhit())
2100 #elif defined(OPENSSL_SYS_BEOS_R5)
2101                 else if (stdin_set)
2102 #else
2103                 else if (FD_ISSET(fileno(stdin),&readfds))
2104 #endif
2105                         {
2106                         if (crlf)
2107                                 {
2108                                 int j, lf_num;
2109
2110                                 i=raw_read_stdin(cbuf,BUFSIZZ/2);
2111                                 lf_num = 0;
2112                                 /* both loops are skipped when i <= 0 */
2113                                 for (j = 0; j < i; j++)
2114                                         if (cbuf[j] == '\n')
2115                                                 lf_num++;
2116                                 for (j = i-1; j >= 0; j--)
2117                                         {
2118                                         cbuf[j+lf_num] = cbuf[j];
2119                                         if (cbuf[j] == '\n')
2120                                                 {
2121                                                 lf_num--;
2122                                                 i++;
2123                                                 cbuf[j+lf_num] = '\r';
2124                                                 }
2125                                         }
2126                                 assert(lf_num == 0);
2127                                 }
2128                         else
2129                                 i=raw_read_stdin(cbuf,BUFSIZZ);
2130
2131                         if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q')))
2132                                 {
2133                                 BIO_printf(bio_err,"DONE\n");
2134                                 ret=0;
2135                                 goto shut;
2136                                 }
2137
2138                         if ((!c_ign_eof) && (cbuf[0] == 'R'))
2139                                 {
2140                                 BIO_printf(bio_err,"RENEGOTIATING\n");
2141                                 SSL_renegotiate(con);
2142                                 cbuf_len=0;
2143                                 }
2144 #ifndef OPENSSL_NO_HEARTBEATS
2145                         else if ((!c_ign_eof) && (cbuf[0] == 'B'))
2146                                 {
2147                                 BIO_printf(bio_err,"HEARTBEATING\n");
2148                                 SSL_heartbeat(con);
2149                                 cbuf_len=0;
2150                                 }
2151 #endif
2152                         else
2153                                 {
2154                                 cbuf_len=i;
2155                                 cbuf_off=0;
2156 #ifdef CHARSET_EBCDIC
2157                                 ebcdic2ascii(cbuf, cbuf, i);
2158 #endif
2159                                 }
2160
2161                         write_ssl=1;
2162                         read_tty=0;
2163                         }
2164                 }
2165
2166         ret=0;
2167 shut:
2168         if (in_init)
2169                 print_stuff(bio_c_out,con,full_log);
2170         SSL_shutdown(con);
2171         SHUTDOWN(SSL_get_fd(con));
2172 end:
2173         if (con != NULL)
2174                 {
2175                 if (prexit != 0)
2176                         print_stuff(bio_c_out,con,1);
2177                 SSL_free(con);
2178                 }
2179 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
2180         if (next_proto.data)
2181                 OPENSSL_free(next_proto.data);
2182 #endif
2183         if (ctx != NULL) SSL_CTX_free(ctx);
2184         if (cert)
2185                 X509_free(cert);
2186         if (crls)
2187                 sk_X509_CRL_pop_free(crls, X509_CRL_free);
2188         if (key)
2189                 EVP_PKEY_free(key);
2190         if (chain)
2191                 sk_X509_pop_free(chain, X509_free);
2192         if (pass)
2193                 OPENSSL_free(pass);
2194         if (vpm)
2195                 X509_VERIFY_PARAM_free(vpm);
2196         ssl_excert_free(exc);
2197         if (ssl_args)
2198                 sk_OPENSSL_STRING_free(ssl_args);
2199         if (cctx)
2200                 SSL_CONF_CTX_free(cctx);
2201 #ifndef OPENSSL_NO_JPAKE
2202         if (jpake_secret && psk_key)
2203                 OPENSSL_free(psk_key);
2204 #endif
2205         if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); }
2206         if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); }
2207         if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); }
2208         if (bio_c_out != NULL)
2209                 {
2210                 BIO_free(bio_c_out);
2211                 bio_c_out=NULL;
2212                 }
2213         if (bio_c_msg != NULL)
2214                 {
2215                 BIO_free(bio_c_msg);
2216                 bio_c_msg=NULL;
2217                 }
2218         apps_shutdown();
2219         OPENSSL_EXIT(ret);
2220         }
2221
2222
2223 static void print_stuff(BIO *bio, SSL *s, int full)
2224         {
2225         X509 *peer=NULL;
2226         char *p;
2227         static const char *space="                ";
2228         char buf[BUFSIZ];
2229         STACK_OF(X509) *sk;
2230         STACK_OF(X509_NAME) *sk2;
2231         const SSL_CIPHER *c;
2232         X509_NAME *xn;
2233         int j,i;
2234 #ifndef OPENSSL_NO_COMP
2235         const COMP_METHOD *comp, *expansion;
2236 #endif
2237         unsigned char *exportedkeymat;
2238
2239         if (full)
2240                 {
2241                 int got_a_chain = 0;
2242
2243                 sk=SSL_get_peer_cert_chain(s);
2244                 if (sk != NULL)
2245                         {
2246                         got_a_chain = 1; /* we don't have it for SSL2 (yet) */
2247
2248                         BIO_printf(bio,"---\nCertificate chain\n");
2249                         for (i=0; i<sk_X509_num(sk); i++)
2250                                 {
2251                                 X509_NAME_oneline(X509_get_subject_name(
2252                                         sk_X509_value(sk,i)),buf,sizeof buf);
2253                                 BIO_printf(bio,"%2d s:%s\n",i,buf);
2254                                 X509_NAME_oneline(X509_get_issuer_name(
2255                                         sk_X509_value(sk,i)),buf,sizeof buf);
2256                                 BIO_printf(bio,"   i:%s\n",buf);
2257                                 if (c_showcerts)
2258                                         PEM_write_bio_X509(bio,sk_X509_value(sk,i));
2259                                 }
2260                         }
2261
2262                 BIO_printf(bio,"---\n");
2263                 peer=SSL_get_peer_certificate(s);
2264                 if (peer != NULL)
2265                         {
2266                         BIO_printf(bio,"Server certificate\n");
2267                         if (!(c_showcerts && got_a_chain)) /* Redundant if we showed the whole chain */
2268                                 PEM_write_bio_X509(bio,peer);
2269                         X509_NAME_oneline(X509_get_subject_name(peer),
2270                                 buf,sizeof buf);
2271                         BIO_printf(bio,"subject=%s\n",buf);
2272                         X509_NAME_oneline(X509_get_issuer_name(peer),
2273                                 buf,sizeof buf);
2274                         BIO_printf(bio,"issuer=%s\n",buf);
2275                         }
2276                 else
2277                         BIO_printf(bio,"no peer certificate available\n");
2278
2279                 sk2=SSL_get_client_CA_list(s);
2280                 if ((sk2 != NULL) && (sk_X509_NAME_num(sk2) > 0))
2281                         {
2282                         BIO_printf(bio,"---\nAcceptable client certificate CA names\n");
2283                         for (i=0; i<sk_X509_NAME_num(sk2); i++)
2284                                 {
2285                                 xn=sk_X509_NAME_value(sk2,i);
2286                                 X509_NAME_oneline(xn,buf,sizeof(buf));
2287                                 BIO_write(bio,buf,strlen(buf));
2288                                 BIO_write(bio,"\n",1);
2289                                 }
2290                         }
2291                 else
2292                         {
2293                         BIO_printf(bio,"---\nNo client certificate CA names sent\n");
2294                         }
2295                 p=SSL_get_shared_ciphers(s,buf,sizeof buf);
2296                 if (p != NULL)
2297                         {
2298                         /* This works only for SSL 2.  In later protocol
2299                          * versions, the client does not know what other
2300                          * ciphers (in addition to the one to be used
2301                          * in the current connection) the server supports. */
2302
2303                         BIO_printf(bio,"---\nCiphers common between both SSL endpoints:\n");
2304                         j=i=0;
2305                         while (*p)
2306                                 {
2307                                 if (*p == ':')
2308                                         {
2309                                         BIO_write(bio,space,15-j%25);
2310                                         i++;
2311                                         j=0;
2312                                         BIO_write(bio,((i%3)?" ":"\n"),1);
2313                                         }
2314                                 else
2315                                         {
2316                                         BIO_write(bio,p,1);
2317                                         j++;
2318                                         }
2319                                 p++;
2320                                 }
2321                         BIO_write(bio,"\n",1);
2322                         }
2323
2324                 ssl_print_sigalgs(bio, s);
2325                 ssl_print_tmp_key(bio, s);
2326
2327                 BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n",
2328                         BIO_number_read(SSL_get_rbio(s)),
2329                         BIO_number_written(SSL_get_wbio(s)));
2330                 }
2331         BIO_printf(bio,(SSL_cache_hit(s)?"---\nReused, ":"---\nNew, "));
2332         c=SSL_get_current_cipher(s);
2333         BIO_printf(bio,"%s, Cipher is %s\n",
2334                 SSL_CIPHER_get_version(c),
2335                 SSL_CIPHER_get_name(c));
2336         if (peer != NULL) {
2337                 EVP_PKEY *pktmp;
2338                 pktmp = X509_get_pubkey(peer);
2339                 BIO_printf(bio,"Server public key is %d bit\n",
2340                                                          EVP_PKEY_bits(pktmp));
2341                 EVP_PKEY_free(pktmp);
2342         }
2343         BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
2344                         SSL_get_secure_renegotiation_support(s) ? "" : " NOT");
2345 #ifndef OPENSSL_NO_COMP
2346         comp=SSL_get_current_compression(s);
2347         expansion=SSL_get_current_expansion(s);
2348         BIO_printf(bio,"Compression: %s\n",
2349                 comp ? SSL_COMP_get_name(comp) : "NONE");
2350         BIO_printf(bio,"Expansion: %s\n",
2351                 expansion ? SSL_COMP_get_name(expansion) : "NONE");
2352 #endif
2353  
2354 #ifdef SSL_DEBUG
2355         {
2356         /* Print out local port of connection: useful for debugging */
2357         int sock;
2358         struct sockaddr_in ladd;
2359         socklen_t ladd_size = sizeof(ladd);
2360         sock = SSL_get_fd(s);
2361         getsockname(sock, (struct sockaddr *)&ladd, &ladd_size);
2362         BIO_printf(bio_c_out, "LOCAL PORT is %u\n", ntohs(ladd.sin_port));
2363         }
2364 #endif
2365
2366 #if !defined(OPENSSL_NO_TLSEXT)
2367 # if !defined(OPENSSL_NO_NEXTPROTONEG)
2368         if (next_proto.status != -1) {
2369                 const unsigned char *proto;
2370                 unsigned int proto_len;
2371                 SSL_get0_next_proto_negotiated(s, &proto, &proto_len);
2372                 BIO_printf(bio, "Next protocol: (%d) ", next_proto.status);
2373                 BIO_write(bio, proto, proto_len);
2374                 BIO_write(bio, "\n", 1);
2375         }
2376 # endif
2377         {
2378                 const unsigned char *proto;
2379                 unsigned int proto_len;
2380                 SSL_get0_alpn_selected(s, &proto, &proto_len);
2381                 if (proto_len > 0)
2382                         {
2383                         BIO_printf(bio, "ALPN protocol: ");
2384                         BIO_write(bio, proto, proto_len);
2385                         BIO_write(bio, "\n", 1);
2386                         }
2387                 else
2388                         BIO_printf(bio, "No ALPN negotiated\n");
2389         }
2390 #endif
2391
2392         {
2393         SRTP_PROTECTION_PROFILE *srtp_profile=SSL_get_selected_srtp_profile(s);
2394  
2395         if(srtp_profile)
2396                 BIO_printf(bio,"SRTP Extension negotiated, profile=%s\n",
2397                            srtp_profile->name);
2398         }
2399  
2400         SSL_SESSION_print(bio,SSL_get_session(s));
2401         if (keymatexportlabel != NULL)
2402                 {
2403                 BIO_printf(bio, "Keying material exporter:\n");
2404                 BIO_printf(bio, "    Label: '%s'\n", keymatexportlabel);
2405                 BIO_printf(bio, "    Length: %i bytes\n", keymatexportlen);
2406                 exportedkeymat = OPENSSL_malloc(keymatexportlen);
2407                 if (exportedkeymat != NULL)
2408                         {
2409                         if (!SSL_export_keying_material(s, exportedkeymat,
2410                                                         keymatexportlen,
2411                                                         keymatexportlabel,
2412                                                         strlen(keymatexportlabel),
2413                                                         NULL, 0, 0))
2414                                 {
2415                                 BIO_printf(bio, "    Error\n");
2416                                 }
2417                         else
2418                                 {
2419                                 BIO_printf(bio, "    Keying material: ");
2420                                 for (i=0; i<keymatexportlen; i++)
2421                                         BIO_printf(bio, "%02X",
2422                                                    exportedkeymat[i]);
2423                                 BIO_printf(bio, "\n");
2424                                 }
2425                         OPENSSL_free(exportedkeymat);
2426                         }
2427                 }
2428         BIO_printf(bio,"---\n");
2429         if (peer != NULL)
2430                 X509_free(peer);
2431         /* flush, or debugging output gets mixed with http response */
2432         (void)BIO_flush(bio);
2433         }
2434
2435 #ifndef OPENSSL_NO_TLSEXT
2436
2437 static int ocsp_resp_cb(SSL *s, void *arg)
2438         {
2439         const unsigned char *p;
2440         int len;
2441         OCSP_RESPONSE *rsp;
2442         len = SSL_get_tlsext_status_ocsp_resp(s, &p);
2443         BIO_puts(arg, "OCSP response: ");
2444         if (!p)
2445                 {
2446                 BIO_puts(arg, "no response sent\n");
2447                 return 1;
2448                 }
2449         rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
2450         if (!rsp)
2451                 {
2452                 BIO_puts(arg, "response parse error\n");
2453                 BIO_dump_indent(arg, (char *)p, len, 4);
2454                 return 0;
2455                 }
2456         BIO_puts(arg, "\n======================================\n");
2457         OCSP_RESPONSE_print(arg, rsp, 0);
2458         BIO_puts(arg, "======================================\n");
2459         OCSP_RESPONSE_free(rsp);
2460         return 1;
2461         }
2462
2463 static int authz_tlsext_cb(SSL *s, unsigned short ext_type,
2464                            const unsigned char *in,
2465                            unsigned short inlen, int *al,
2466                            void *arg)
2467         {
2468         if (TLSEXT_TYPE_server_authz == ext_type)
2469                 server_provided_server_authz
2470                   = (memchr(in, TLSEXT_AUTHZDATAFORMAT_dtcp, inlen) != NULL);
2471
2472         if (TLSEXT_TYPE_client_authz == ext_type)
2473                 server_provided_client_authz
2474                   = (memchr(in, TLSEXT_AUTHZDATAFORMAT_dtcp, inlen) != NULL);
2475
2476         return 1;
2477         }
2478
2479 static int authz_tlsext_generate_cb(SSL *s, unsigned short ext_type,
2480                                     const unsigned char **out, unsigned short *outlen,
2481                                     int *al, void *arg)
2482         {
2483         if (c_auth)
2484                 {
2485                 /*if auth_require_reneg flag is set, only send extensions if
2486                   renegotiation has occurred */
2487                 if (!c_auth_require_reneg || (c_auth_require_reneg && SSL_num_renegotiations(s)))
2488                         {
2489                         *out = auth_ext_data;
2490                         *outlen = 1;
2491                         return 1;
2492                         }
2493                 }
2494         /* no auth extension to send */
2495         return -1;
2496         }
2497
2498 static int suppdata_cb(SSL *s, unsigned short supp_data_type,
2499                        const unsigned char *in,
2500                        unsigned short inlen, int *al,
2501                        void *arg)
2502         {
2503         if (supp_data_type == TLSEXT_SUPPLEMENTALDATATYPE_authz_data)
2504                 {
2505                 most_recent_supplemental_data = in;
2506                 most_recent_supplemental_data_length = inlen;
2507                 }
2508         return 1;
2509         }
2510
2511 static int auth_suppdata_generate_cb(SSL *s, unsigned short supp_data_type,
2512                                      const unsigned char **out,
2513                                      unsigned short *outlen, int *al, void *arg)
2514         {
2515         if (c_auth && server_provided_client_authz && server_provided_server_authz)
2516                 {
2517                 /*if auth_require_reneg flag is set, only send supplemental data if
2518                   renegotiation has occurred */
2519                 if (!c_auth_require_reneg
2520                     || (c_auth_require_reneg && SSL_num_renegotiations(s)))
2521                         {
2522                         generated_supp_data = OPENSSL_malloc(10);
2523                         memcpy(generated_supp_data, "5432154321", 10);
2524                         *out = generated_supp_data;
2525                         *outlen = 10;
2526                         return 1;
2527                         }
2528                 }
2529         /* no supplemental data to send */
2530         return -1;
2531         }
2532
2533 #endif