3089a97176935a81cf5d7181ffea3191e465cf67
[openssl.git] / apps / s_client.c
1 /* apps/s_client.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111 /* ====================================================================
112  * Copyright 2005 Nokia. All rights reserved.
113  *
114  * The portions of the attached software ("Contribution") is developed by
115  * Nokia Corporation and is licensed pursuant to the OpenSSL open source
116  * license.
117  *
118  * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119  * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120  * support (see RFC 4279) to OpenSSL.
121  *
122  * No patent licenses or other rights except those expressly stated in
123  * the OpenSSL open source license shall be deemed granted or received
124  * expressly, by implication, estoppel, or otherwise.
125  *
126  * No assurances are provided by Nokia that the Contribution does not
127  * infringe the patent or other intellectual property rights of any third
128  * party or that the license provides you with all the necessary rights
129  * to make use of the Contribution.
130  *
131  * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132  * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133  * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134  * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
135  * OTHERWISE.
136  */
137
138 #include <assert.h>
139 #include <ctype.h>
140 #include <stdio.h>
141 #include <stdlib.h>
142 #include <string.h>
143 #include <openssl/e_os2.h>
144 #ifdef OPENSSL_NO_STDIO
145 #define APPS_WIN16
146 #endif
147
148 /* With IPv6, it looks like Digital has mixed up the proper order of
149    recursive header file inclusion, resulting in the compiler complaining
150    that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which
151    is needed to have fileno() declared correctly...  So let's define u_int */
152 #if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
153 #define __U_INT
154 typedef unsigned int u_int;
155 #endif
156
157 #define USE_SOCKETS
158 #include "apps.h"
159 #include <openssl/x509.h>
160 #include <openssl/ssl.h>
161 #include <openssl/err.h>
162 #include <openssl/pem.h>
163 #include <openssl/rand.h>
164 #include <openssl/ocsp.h>
165 #include <openssl/bn.h>
166 #ifndef OPENSSL_NO_SRP
167 #include <openssl/srp.h>
168 #endif
169 #include "s_apps.h"
170 #include "timeouts.h"
171
172 #if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
173 /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
174 #undef FIONBIO
175 #endif
176
177 #if defined(OPENSSL_SYS_BEOS_R5)
178 #include <fcntl.h>
179 #endif
180
181 #undef PROG
182 #define PROG    s_client_main
183
184 /*#define SSL_HOST_NAME "www.netscape.com" */
185 /*#define SSL_HOST_NAME "193.118.187.102" */
186 #define SSL_HOST_NAME   "localhost"
187
188 /*#define TEST_CERT "client.pem" */ /* no default cert. */
189
190 #undef BUFSIZZ
191 #define BUFSIZZ 1024*8
192
193 extern int verify_depth;
194 extern int verify_error;
195 extern int verify_return_error;
196 extern int verify_quiet;
197
198 #ifdef FIONBIO
199 static int c_nbio=0;
200 #endif
201 static int c_Pause=0;
202 static int c_debug=0;
203 #ifndef OPENSSL_NO_TLSEXT
204 static int c_tlsextdebug=0;
205 static int c_status_req=0;
206 static int c_proof_debug=0;
207 #endif
208 static int c_msg=0;
209 static int c_showcerts=0;
210
211 static char *keymatexportlabel=NULL;
212 static int keymatexportlen=20;
213
214 static void sc_usage(void);
215 static void print_stuff(BIO *berr,SSL *con,int full);
216 #ifndef OPENSSL_NO_TLSEXT
217 static int ocsp_resp_cb(SSL *s, void *arg);
218 static int audit_proof_cb(SSL *s, void *arg);
219 #endif
220 static BIO *bio_c_out=NULL;
221 static BIO *bio_c_msg=NULL;
222 static int c_quiet=0;
223 static int c_ign_eof=0;
224 static int c_brief=0;
225
226 #ifndef OPENSSL_NO_PSK
227 /* Default PSK identity and key */
228 static char *psk_identity="Client_identity";
229 /*char *psk_key=NULL;  by default PSK is not used */
230
231 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity,
232         unsigned int max_identity_len, unsigned char *psk,
233         unsigned int max_psk_len)
234         {
235         unsigned int psk_len = 0;
236         int ret;
237         BIGNUM *bn=NULL;
238
239         if (c_debug)
240                 BIO_printf(bio_c_out, "psk_client_cb\n");
241         if (!hint)
242                 {
243                 /* no ServerKeyExchange message*/
244                 if (c_debug)
245                         BIO_printf(bio_c_out,"NULL received PSK identity hint, continuing anyway\n");
246                 }
247         else if (c_debug)
248                 BIO_printf(bio_c_out, "Received PSK identity hint '%s'\n", hint);
249
250         /* lookup PSK identity and PSK key based on the given identity hint here */
251         ret = BIO_snprintf(identity, max_identity_len, "%s", psk_identity);
252         if (ret < 0 || (unsigned int)ret > max_identity_len)
253                 goto out_err;
254         if (c_debug)
255                 BIO_printf(bio_c_out, "created identity '%s' len=%d\n", identity, ret);
256         ret=BN_hex2bn(&bn, psk_key);
257         if (!ret)
258                 {
259                 BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", psk_key);
260                 if (bn)
261                         BN_free(bn);
262                 return 0;
263                 }
264
265         if ((unsigned int)BN_num_bytes(bn) > max_psk_len)
266                 {
267                 BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
268                         max_psk_len, BN_num_bytes(bn));
269                 BN_free(bn);
270                 return 0;
271                 }
272
273         psk_len=BN_bn2bin(bn, psk);
274         BN_free(bn);
275         if (psk_len == 0)
276                 goto out_err;
277
278         if (c_debug)
279                 BIO_printf(bio_c_out, "created PSK len=%d\n", psk_len);
280
281         return psk_len;
282  out_err:
283         if (c_debug)
284                 BIO_printf(bio_err, "Error in PSK client callback\n");
285         return 0;
286         }
287 #endif
288
289 static void sc_usage(void)
290         {
291         BIO_printf(bio_err,"usage: s_client args\n");
292         BIO_printf(bio_err,"\n");
293         BIO_printf(bio_err," -host host     - use -connect instead\n");
294         BIO_printf(bio_err," -port port     - use -connect instead\n");
295         BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR);
296         BIO_printf(bio_err," -verify arg   - turn on peer certificate verification\n");
297         BIO_printf(bio_err," -cert arg     - certificate file to use, PEM format assumed\n");
298         BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n");
299         BIO_printf(bio_err," -key arg      - Private key file to use, in cert file if\n");
300         BIO_printf(bio_err,"                 not specified but cert file is.\n");
301         BIO_printf(bio_err," -keyform arg  - key format (PEM or DER) PEM default\n");
302         BIO_printf(bio_err," -pass arg     - private key file pass phrase source\n");
303         BIO_printf(bio_err," -CApath arg   - PEM format directory of CA's\n");
304         BIO_printf(bio_err," -CAfile arg   - PEM format file of CA's\n");
305         BIO_printf(bio_err," -reconnect    - Drop and re-make the connection with the same Session-ID\n");
306         BIO_printf(bio_err," -pause        - sleep(1) after each read(2) and write(2) system call\n");
307         BIO_printf(bio_err," -showcerts    - show all certificates in the chain\n");
308         BIO_printf(bio_err," -debug        - extra output\n");
309 #ifdef WATT32
310         BIO_printf(bio_err," -wdebug       - WATT-32 tcp debugging\n");
311 #endif
312         BIO_printf(bio_err," -msg          - Show protocol messages\n");
313         BIO_printf(bio_err," -nbio_test    - more ssl protocol testing\n");
314         BIO_printf(bio_err," -state        - print the 'ssl' states\n");
315 #ifdef FIONBIO
316         BIO_printf(bio_err," -nbio         - Run with non-blocking IO\n");
317 #endif
318         BIO_printf(bio_err," -crlf         - convert LF from terminal into CRLF\n");
319         BIO_printf(bio_err," -quiet        - no s_client output\n");
320         BIO_printf(bio_err," -ign_eof      - ignore input eof (default when -quiet)\n");
321         BIO_printf(bio_err," -no_ign_eof   - don't ignore input eof\n");
322 #ifndef OPENSSL_NO_PSK
323         BIO_printf(bio_err," -psk_identity arg - PSK identity\n");
324         BIO_printf(bio_err," -psk arg      - PSK in hex (without 0x)\n");
325 # ifndef OPENSSL_NO_JPAKE
326         BIO_printf(bio_err," -jpake arg    - JPAKE secret to use\n");
327 # endif
328 #endif
329 #ifndef OPENSSL_NO_SRP
330         BIO_printf(bio_err," -srpuser user     - SRP authentification for 'user'\n");
331         BIO_printf(bio_err," -srppass arg      - password for 'user'\n");
332         BIO_printf(bio_err," -srp_lateuser     - SRP username into second ClientHello message\n");
333         BIO_printf(bio_err," -srp_moregroups   - Tolerate other than the known g N values.\n");
334         BIO_printf(bio_err," -srp_strength int - minimal mength in bits for N (default %d).\n",SRP_MINIMAL_N);
335 #endif
336         BIO_printf(bio_err," -ssl2         - just use SSLv2\n");
337         BIO_printf(bio_err," -ssl3         - just use SSLv3\n");
338         BIO_printf(bio_err," -tls1_2       - just use TLSv1.2\n");
339         BIO_printf(bio_err," -tls1_1       - just use TLSv1.1\n");
340         BIO_printf(bio_err," -tls1         - just use TLSv1\n");
341         BIO_printf(bio_err," -dtls1        - just use DTLSv1\n");    
342         BIO_printf(bio_err," -mtu          - set the link layer MTU\n");
343         BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
344         BIO_printf(bio_err," -bugs         - Switch on all SSL implementation bug workarounds\n");
345         BIO_printf(bio_err," -serverpref   - Use server's cipher preferences (only SSLv2)\n");
346         BIO_printf(bio_err," -cipher       - preferred cipher to use, use the 'openssl ciphers'\n");
347         BIO_printf(bio_err,"                 command to see what is available\n");
348         BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n");
349         BIO_printf(bio_err,"                 for those protocols that support it, where\n");
350         BIO_printf(bio_err,"                 'prot' defines which one to assume.  Currently,\n");
351         BIO_printf(bio_err,"                 only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
352         BIO_printf(bio_err,"                 are supported.\n");
353         BIO_printf(bio_err," -xmpphost host - When used with \"-starttls xmpp\" specifies the virtual host.\n");
354 #ifndef OPENSSL_NO_ENGINE
355         BIO_printf(bio_err," -engine id    - Initialise and use the specified engine\n");
356 #endif
357         BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
358         BIO_printf(bio_err," -sess_out arg - file to write SSL session to\n");
359         BIO_printf(bio_err," -sess_in arg  - file to read SSL session from\n");
360 #ifndef OPENSSL_NO_TLSEXT
361         BIO_printf(bio_err," -servername host  - Set TLS extension servername in ClientHello\n");
362         BIO_printf(bio_err," -tlsextdebug      - hex dump of all TLS extensions received\n");
363         BIO_printf(bio_err," -status           - request certificate status from server\n");
364         BIO_printf(bio_err," -no_ticket        - disable use of RFC4507bis session tickets\n");
365         BIO_printf(bio_err," -proof_debug      - request an audit proof and print its hex dump\n");
366 # ifndef OPENSSL_NO_NEXTPROTONEG
367         BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
368         BIO_printf(bio_err," -alpn arg         - enable ALPN extension, considering named protocols supported (comma-separated list)\n");
369 # endif
370 #ifndef OPENSSL_NO_TLSEXT
371         BIO_printf(bio_err," -serverinfo types - send empty ClientHello extensions (comma-separated numbers)\n");
372 #endif
373 #endif
374         BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
375         BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
376         BIO_printf(bio_err," -keymatexport label   - Export keying material using label\n");
377         BIO_printf(bio_err," -keymatexportlen len  - Export len bytes of keying material (default 20)\n");
378         }
379
380 #ifndef OPENSSL_NO_TLSEXT
381
382 /* This is a context that we pass to callbacks */
383 typedef struct tlsextctx_st {
384    BIO * biodebug;
385    int ack;
386 } tlsextctx;
387
388
389 static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
390         {
391         tlsextctx * p = (tlsextctx *) arg;
392         const char * hn= SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
393         if (SSL_get_servername_type(s) != -1) 
394                 p->ack = !SSL_session_reused(s) && hn != NULL;
395         else 
396                 BIO_printf(bio_err,"Can't use SSL_get_servername\n");
397         
398         return SSL_TLSEXT_ERR_OK;
399         }
400
401 #ifndef OPENSSL_NO_SRP
402
403 /* This is a context that we pass to all callbacks */
404 typedef struct srp_arg_st
405         {
406         char *srppassin;
407         char *srplogin;
408         int msg;   /* copy from c_msg */
409         int debug; /* copy from c_debug */
410         int amp;   /* allow more groups */
411         int strength /* minimal size for N */ ;
412         } SRP_ARG;
413
414 #define SRP_NUMBER_ITERATIONS_FOR_PRIME 64
415
416 static int srp_Verify_N_and_g(const BIGNUM *N, const BIGNUM *g)
417         {
418         BN_CTX *bn_ctx = BN_CTX_new();
419         BIGNUM *p = BN_new();
420         BIGNUM *r = BN_new();
421         int ret =
422                 g != NULL && N != NULL && bn_ctx != NULL && BN_is_odd(N) &&
423                 BN_is_prime_ex(N, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
424                 p != NULL && BN_rshift1(p, N) &&
425
426                 /* p = (N-1)/2 */
427                 BN_is_prime_ex(p, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
428                 r != NULL &&
429
430                 /* verify g^((N-1)/2) == -1 (mod N) */
431                 BN_mod_exp(r, g, p, N, bn_ctx) &&
432                 BN_add_word(r, 1) &&
433                 BN_cmp(r, N) == 0;
434
435         if(r)
436                 BN_free(r);
437         if(p)
438                 BN_free(p);
439         if(bn_ctx)
440                 BN_CTX_free(bn_ctx);
441         return ret;
442         }
443
444 /* This callback is used here for two purposes:
445    - extended debugging
446    - making some primality tests for unknown groups
447    The callback is only called for a non default group.
448
449    An application does not need the call back at all if
450    only the stanard groups are used.  In real life situations, 
451    client and server already share well known groups, 
452    thus there is no need to verify them. 
453    Furthermore, in case that a server actually proposes a group that
454    is not one of those defined in RFC 5054, it is more appropriate 
455    to add the group to a static list and then compare since 
456    primality tests are rather cpu consuming.
457 */
458
459 static int MS_CALLBACK ssl_srp_verify_param_cb(SSL *s, void *arg)
460         {
461         SRP_ARG *srp_arg = (SRP_ARG *)arg;
462         BIGNUM *N = NULL, *g = NULL;
463         if (!(N = SSL_get_srp_N(s)) || !(g = SSL_get_srp_g(s)))
464                 return 0;
465         if (srp_arg->debug || srp_arg->msg || srp_arg->amp == 1)
466                 {
467                 BIO_printf(bio_err, "SRP parameters:\n"); 
468                 BIO_printf(bio_err,"\tN="); BN_print(bio_err,N);
469                 BIO_printf(bio_err,"\n\tg="); BN_print(bio_err,g);
470                 BIO_printf(bio_err,"\n");
471                 }
472
473         if (SRP_check_known_gN_param(g,N))
474                 return 1;
475
476         if (srp_arg->amp == 1)
477                 {
478                 if (srp_arg->debug)
479                         BIO_printf(bio_err, "SRP param N and g are not known params, going to check deeper.\n");
480
481 /* The srp_moregroups is a real debugging feature.
482    Implementors should rather add the value to the known ones.
483    The minimal size has already been tested.
484 */
485                 if (BN_num_bits(g) <= BN_BITS && srp_Verify_N_and_g(N,g))
486                         return 1;
487                 }       
488         BIO_printf(bio_err, "SRP param N and g rejected.\n");
489         return 0;
490         }
491
492 #define PWD_STRLEN 1024
493
494 static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
495         {
496         SRP_ARG *srp_arg = (SRP_ARG *)arg;
497         char *pass = (char *)OPENSSL_malloc(PWD_STRLEN+1);
498         PW_CB_DATA cb_tmp;
499         int l;
500
501         cb_tmp.password = (char *)srp_arg->srppassin;
502         cb_tmp.prompt_info = "SRP user";
503         if ((l = password_callback(pass, PWD_STRLEN, 0, &cb_tmp))<0)
504                 {
505                 BIO_printf (bio_err, "Can't read Password\n");
506                 OPENSSL_free(pass);
507                 return NULL;
508                 }
509         *(pass+l)= '\0';
510
511         return pass;
512         }
513
514 #endif
515         char *srtp_profiles = NULL;
516
517 # ifndef OPENSSL_NO_NEXTPROTONEG
518 /* This the context that we pass to next_proto_cb */
519 typedef struct tlsextnextprotoctx_st {
520         unsigned char *data;
521         unsigned short len;
522         int status;
523 } tlsextnextprotoctx;
524
525 static tlsextnextprotoctx next_proto;
526
527 static int next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg)
528         {
529         tlsextnextprotoctx *ctx = arg;
530
531         if (!c_quiet)
532                 {
533                 /* We can assume that |in| is syntactically valid. */
534                 unsigned i;
535                 BIO_printf(bio_c_out, "Protocols advertised by server: ");
536                 for (i = 0; i < inlen; )
537                         {
538                         if (i)
539                                 BIO_write(bio_c_out, ", ", 2);
540                         BIO_write(bio_c_out, &in[i + 1], in[i]);
541                         i += in[i] + 1;
542                         }
543                 BIO_write(bio_c_out, "\n", 1);
544                 }
545
546         ctx->status = SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len);
547         return SSL_TLSEXT_ERR_OK;
548         }
549 # endif  /* ndef OPENSSL_NO_NEXTPROTONEG */
550
551 static int serverinfo_cli_cb(SSL* s, unsigned short ext_type,
552                              const unsigned char* in, unsigned short inlen, 
553                              int* al, void* arg)
554         {
555         char pem_name[100];
556         unsigned char ext_buf[4 + 65536];
557
558         /* Reconstruct the type/len fields prior to extension data */
559         ext_buf[0] = ext_type >> 8;
560         ext_buf[1] = ext_type & 0xFF;
561         ext_buf[2] = inlen >> 8;
562         ext_buf[3] = inlen & 0xFF;
563         memcpy(ext_buf+4, in, inlen);
564
565         BIO_snprintf(pem_name, sizeof(pem_name), "SERVER_INFO %d", ext_type);
566         PEM_write_bio(bio_c_out, pem_name, "", ext_buf, 4 + inlen);
567         return 1;
568         }
569
570 #endif
571
572 enum
573 {
574         PROTO_OFF       = 0,
575         PROTO_SMTP,
576         PROTO_POP3,
577         PROTO_IMAP,
578         PROTO_FTP,
579         PROTO_XMPP
580 };
581
582 int MAIN(int, char **);
583
584 int MAIN(int argc, char **argv)
585         {
586         int build_chain = 0;
587         SSL *con=NULL;
588 #ifndef OPENSSL_NO_KRB5
589         KSSL_CTX *kctx;
590 #endif
591         int s,k,width,state=0;
592         char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL;
593         int cbuf_len,cbuf_off;
594         int sbuf_len,sbuf_off;
595         fd_set readfds,writefds;
596         short port=PORT;
597         int full_log=1;
598         char *host=SSL_HOST_NAME;
599         char *xmpphost = NULL;
600         char *cert_file=NULL,*key_file=NULL,*chain_file=NULL;
601         int cert_format = FORMAT_PEM, key_format = FORMAT_PEM;
602         char *passarg = NULL, *pass = NULL;
603         X509 *cert = NULL;
604         EVP_PKEY *key = NULL;
605         STACK_OF(X509) *chain = NULL;
606         char *CApath=NULL,*CAfile=NULL;
607         char *chCApath=NULL,*chCAfile=NULL;
608         char *vfyCApath=NULL,*vfyCAfile=NULL;
609         int reconnect=0,badop=0,verify=SSL_VERIFY_NONE;
610         int crlf=0;
611         int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending;
612         SSL_CTX *ctx=NULL;
613         int ret=1,in_init=1,i,nbio_test=0;
614         int starttls_proto = PROTO_OFF;
615         int prexit = 0;
616         X509_VERIFY_PARAM *vpm = NULL;
617         int badarg = 0;
618         const SSL_METHOD *meth=NULL;
619         int socket_type=SOCK_STREAM;
620         BIO *sbio;
621         char *inrand=NULL;
622         int mbuf_len=0;
623         struct timeval timeout, *timeoutp;
624 #ifndef OPENSSL_NO_ENGINE
625         char *engine_id=NULL;
626         char *ssl_client_engine_id=NULL;
627         ENGINE *ssl_client_engine=NULL;
628 #endif
629         ENGINE *e=NULL;
630 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
631         struct timeval tv;
632 #if defined(OPENSSL_SYS_BEOS_R5)
633         int stdin_set = 0;
634 #endif
635 #endif
636 #ifndef OPENSSL_NO_TLSEXT
637         char *servername = NULL; 
638         tlsextctx tlsextcbp = 
639         {NULL,0};
640 # ifndef OPENSSL_NO_NEXTPROTONEG
641         const char *next_proto_neg_in = NULL;
642         const char *alpn_in = NULL;
643 # endif
644 # define MAX_SI_TYPES 100
645         unsigned short serverinfo_types[MAX_SI_TYPES];
646         int serverinfo_types_count = 0;
647 #endif
648         char *sess_in = NULL;
649         char *sess_out = NULL;
650         struct sockaddr peer;
651         int peerlen = sizeof(peer);
652         int enable_timeouts = 0 ;
653         long socket_mtu = 0;
654 #ifndef OPENSSL_NO_JPAKE
655 static char *jpake_secret = NULL;
656 #define no_jpake !jpake_secret
657 #else
658 #define no_jpake 1
659 #endif
660 #ifndef OPENSSL_NO_SRP
661         char * srppass = NULL;
662         int srp_lateuser = 0;
663         SRP_ARG srp_arg = {NULL,NULL,0,0,0,1024};
664 #endif
665         SSL_EXCERT *exc = NULL;
666
667         SSL_CONF_CTX *cctx = NULL;
668         STACK_OF(OPENSSL_STRING) *ssl_args = NULL;
669
670         char *crl_file = NULL;
671         int crl_format = FORMAT_PEM;
672         int crl_download = 0;
673         STACK_OF(X509_CRL) *crls = NULL;
674
675         meth=SSLv23_client_method();
676
677         apps_startup();
678         c_Pause=0;
679         c_quiet=0;
680         c_ign_eof=0;
681         c_debug=0;
682         c_msg=0;
683         c_showcerts=0;
684
685         if (bio_err == NULL)
686                 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
687
688         if (!load_config(bio_err, NULL))
689                 goto end;
690         cctx = SSL_CONF_CTX_new();
691         if (!cctx)
692                 goto end;
693         SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT);
694         SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CMDLINE);
695
696         if (    ((cbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
697                 ((sbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
698                 ((mbuf=OPENSSL_malloc(BUFSIZZ)) == NULL))
699                 {
700                 BIO_printf(bio_err,"out of memory\n");
701                 goto end;
702                 }
703
704         verify_depth=0;
705         verify_error=X509_V_OK;
706 #ifdef FIONBIO
707         c_nbio=0;
708 #endif
709
710         argc--;
711         argv++;
712         while (argc >= 1)
713                 {
714                 if      (strcmp(*argv,"-host") == 0)
715                         {
716                         if (--argc < 1) goto bad;
717                         host= *(++argv);
718                         }
719                 else if (strcmp(*argv,"-port") == 0)
720                         {
721                         if (--argc < 1) goto bad;
722                         port=atoi(*(++argv));
723                         if (port == 0) goto bad;
724                         }
725                 else if (strcmp(*argv,"-connect") == 0)
726                         {
727                         if (--argc < 1) goto bad;
728                         if (!extract_host_port(*(++argv),&host,NULL,&port))
729                                 goto bad;
730                         }
731                 else if (strcmp(*argv,"-xmpphost") == 0)
732                         {
733                         if (--argc < 1) goto bad;
734                         xmpphost= *(++argv);
735                         }
736                 else if (strcmp(*argv,"-verify") == 0)
737                         {
738                         verify=SSL_VERIFY_PEER;
739                         if (--argc < 1) goto bad;
740                         verify_depth=atoi(*(++argv));
741                         if (!c_quiet)
742                                 BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
743                         }
744                 else if (strcmp(*argv,"-cert") == 0)
745                         {
746                         if (--argc < 1) goto bad;
747                         cert_file= *(++argv);
748                         }
749                 else if (strcmp(*argv,"-CRL") == 0)
750                         {
751                         if (--argc < 1) goto bad;
752                         crl_file= *(++argv);
753                         }
754                 else if (strcmp(*argv,"-crl_download") == 0)
755                         crl_download = 1;
756                 else if (strcmp(*argv,"-sess_out") == 0)
757                         {
758                         if (--argc < 1) goto bad;
759                         sess_out = *(++argv);
760                         }
761                 else if (strcmp(*argv,"-sess_in") == 0)
762                         {
763                         if (--argc < 1) goto bad;
764                         sess_in = *(++argv);
765                         }
766                 else if (strcmp(*argv,"-certform") == 0)
767                         {
768                         if (--argc < 1) goto bad;
769                         cert_format = str2fmt(*(++argv));
770                         }
771                 else if (strcmp(*argv,"-CRLform") == 0)
772                         {
773                         if (--argc < 1) goto bad;
774                         crl_format = str2fmt(*(++argv));
775                         }
776                 else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
777                         {
778                         if (badarg)
779                                 goto bad;
780                         continue;
781                         }
782                 else if (strcmp(*argv,"-verify_return_error") == 0)
783                         verify_return_error = 1;
784                 else if (strcmp(*argv,"-verify_quiet") == 0)
785                         verify_quiet = 1;
786                 else if (strcmp(*argv,"-brief") == 0)
787                         {
788                         c_brief = 1;
789                         verify_quiet = 1;
790                         c_quiet = 1;
791                         }
792                 else if (args_excert(&argv, &argc, &badarg, bio_err, &exc))
793                         {
794                         if (badarg)
795                                 goto bad;
796                         continue;
797                         }
798                 else if (args_ssl(&argv, &argc, cctx, &badarg, bio_err, &ssl_args))
799                         {
800                         if (badarg)
801                                 goto bad;
802                         continue;
803                         }
804                 else if (strcmp(*argv,"-prexit") == 0)
805                         prexit=1;
806                 else if (strcmp(*argv,"-crlf") == 0)
807                         crlf=1;
808                 else if (strcmp(*argv,"-quiet") == 0)
809                         {
810                         c_quiet=1;
811                         c_ign_eof=1;
812                         }
813                 else if (strcmp(*argv,"-ign_eof") == 0)
814                         c_ign_eof=1;
815                 else if (strcmp(*argv,"-no_ign_eof") == 0)
816                         c_ign_eof=0;
817                 else if (strcmp(*argv,"-pause") == 0)
818                         c_Pause=1;
819                 else if (strcmp(*argv,"-debug") == 0)
820                         c_debug=1;
821 #ifndef OPENSSL_NO_TLSEXT
822                 else if (strcmp(*argv,"-tlsextdebug") == 0)
823                         c_tlsextdebug=1;
824                 else if (strcmp(*argv,"-status") == 0)
825                         c_status_req=1;
826                 else if (strcmp(*argv,"-proof_debug") == 0)
827                         c_proof_debug=1;
828 #endif
829 #ifdef WATT32
830                 else if (strcmp(*argv,"-wdebug") == 0)
831                         dbug_init();
832 #endif
833                 else if (strcmp(*argv,"-msg") == 0)
834                         c_msg=1;
835                 else if (strcmp(*argv,"-msgfile") == 0)
836                         {
837                         if (--argc < 1) goto bad;
838                         bio_c_msg = BIO_new_file(*(++argv), "w");
839                         }
840 #ifndef OPENSSL_NO_SSL_TRACE
841                 else if (strcmp(*argv,"-trace") == 0)
842                         c_msg=2;
843 #endif
844                 else if (strcmp(*argv,"-showcerts") == 0)
845                         c_showcerts=1;
846                 else if (strcmp(*argv,"-nbio_test") == 0)
847                         nbio_test=1;
848                 else if (strcmp(*argv,"-state") == 0)
849                         state=1;
850 #ifndef OPENSSL_NO_PSK
851                 else if (strcmp(*argv,"-psk_identity") == 0)
852                         {
853                         if (--argc < 1) goto bad;
854                         psk_identity=*(++argv);
855                         }
856                 else if (strcmp(*argv,"-psk") == 0)
857                         {
858                         size_t j;
859
860                         if (--argc < 1) goto bad;
861                         psk_key=*(++argv);
862                         for (j = 0; j < strlen(psk_key); j++)
863                                 {
864                                 if (isxdigit((unsigned char)psk_key[j]))
865                                         continue;
866                                 BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
867                                 goto bad;
868                                 }
869                         }
870 #endif
871 #ifndef OPENSSL_NO_SRP
872                 else if (strcmp(*argv,"-srpuser") == 0)
873                         {
874                         if (--argc < 1) goto bad;
875                         srp_arg.srplogin= *(++argv);
876                         meth=TLSv1_client_method();
877                         }
878                 else if (strcmp(*argv,"-srppass") == 0)
879                         {
880                         if (--argc < 1) goto bad;
881                         srppass= *(++argv);
882                         meth=TLSv1_client_method();
883                         }
884                 else if (strcmp(*argv,"-srp_strength") == 0)
885                         {
886                         if (--argc < 1) goto bad;
887                         srp_arg.strength=atoi(*(++argv));
888                         BIO_printf(bio_err,"SRP minimal length for N is %d\n",srp_arg.strength);
889                         meth=TLSv1_client_method();
890                         }
891                 else if (strcmp(*argv,"-srp_lateuser") == 0)
892                         {
893                         srp_lateuser= 1;
894                         meth=TLSv1_client_method();
895                         }
896                 else if (strcmp(*argv,"-srp_moregroups") == 0)
897                         {
898                         srp_arg.amp=1;
899                         meth=TLSv1_client_method();
900                         }
901 #endif
902 #ifndef OPENSSL_NO_SSL2
903                 else if (strcmp(*argv,"-ssl2") == 0)
904                         meth=SSLv2_client_method();
905 #endif
906 #ifndef OPENSSL_NO_SSL3
907                 else if (strcmp(*argv,"-ssl3") == 0)
908                         meth=SSLv3_client_method();
909 #endif
910 #ifndef OPENSSL_NO_TLS1
911                 else if (strcmp(*argv,"-tls1_2") == 0)
912                         meth=TLSv1_2_client_method();
913                 else if (strcmp(*argv,"-tls1_1") == 0)
914                         meth=TLSv1_1_client_method();
915                 else if (strcmp(*argv,"-tls1") == 0)
916                         meth=TLSv1_client_method();
917 #endif
918 #ifndef OPENSSL_NO_DTLS1
919                 else if (strcmp(*argv,"-dtls") == 0)
920                         {
921                         meth=DTLS_client_method();
922                         socket_type=SOCK_DGRAM;
923                         }
924                 else if (strcmp(*argv,"-dtls1") == 0)
925                         {
926                         meth=DTLSv1_client_method();
927                         socket_type=SOCK_DGRAM;
928                         }
929                 else if (strcmp(*argv,"-dtls1_2") == 0)
930                         {
931                         meth=DTLSv1_2_client_method();
932                         socket_type=SOCK_DGRAM;
933                         }
934                 else if (strcmp(*argv,"-timeout") == 0)
935                         enable_timeouts=1;
936                 else if (strcmp(*argv,"-mtu") == 0)
937                         {
938                         if (--argc < 1) goto bad;
939                         socket_mtu = atol(*(++argv));
940                         }
941 #endif
942                 else if (strcmp(*argv,"-keyform") == 0)
943                         {
944                         if (--argc < 1) goto bad;
945                         key_format = str2fmt(*(++argv));
946                         }
947                 else if (strcmp(*argv,"-pass") == 0)
948                         {
949                         if (--argc < 1) goto bad;
950                         passarg = *(++argv);
951                         }
952                 else if (strcmp(*argv,"-cert_chain") == 0)
953                         {
954                         if (--argc < 1) goto bad;
955                         chain_file= *(++argv);
956                         }
957                 else if (strcmp(*argv,"-key") == 0)
958                         {
959                         if (--argc < 1) goto bad;
960                         key_file= *(++argv);
961                         }
962                 else if (strcmp(*argv,"-reconnect") == 0)
963                         {
964                         reconnect=5;
965                         }
966                 else if (strcmp(*argv,"-CApath") == 0)
967                         {
968                         if (--argc < 1) goto bad;
969                         CApath= *(++argv);
970                         }
971                 else if (strcmp(*argv,"-chainCApath") == 0)
972                         {
973                         if (--argc < 1) goto bad;
974                         chCApath= *(++argv);
975                         }
976                 else if (strcmp(*argv,"-verifyCApath") == 0)
977                         {
978                         if (--argc < 1) goto bad;
979                         vfyCApath= *(++argv);
980                         }
981                 else if (strcmp(*argv,"-build_chain") == 0)
982                         build_chain = 1;
983                 else if (strcmp(*argv,"-CAfile") == 0)
984                         {
985                         if (--argc < 1) goto bad;
986                         CAfile= *(++argv);
987                         }
988                 else if (strcmp(*argv,"-chainCAfile") == 0)
989                         {
990                         if (--argc < 1) goto bad;
991                         chCAfile= *(++argv);
992                         }
993                 else if (strcmp(*argv,"-verifyCAfile") == 0)
994                         {
995                         if (--argc < 1) goto bad;
996                         vfyCAfile= *(++argv);
997                         }
998 #ifndef OPENSSL_NO_TLSEXT
999 # ifndef OPENSSL_NO_NEXTPROTONEG
1000                 else if (strcmp(*argv,"-nextprotoneg") == 0)
1001                         {
1002                         if (--argc < 1) goto bad;
1003                         next_proto_neg_in = *(++argv);
1004                         }
1005                 else if (strcmp(*argv,"-alpn") == 0)
1006                         {
1007                         if (--argc < 1) goto bad;
1008                         alpn_in = *(++argv);
1009                         }
1010 # endif
1011                 else if (strcmp(*argv,"-serverinfo") == 0)
1012                         {
1013                         char *c;
1014                         int start = 0;
1015                         int len;
1016
1017                         if (--argc < 1) goto bad;
1018                         c = *(++argv);
1019                         serverinfo_types_count = 0;
1020                         len = strlen(c);
1021                         for (i = 0; i <= len; ++i)
1022                                 {
1023                                 if (i == len || c[i] == ',')
1024                                         {
1025                                         serverinfo_types[serverinfo_types_count]
1026                                             = atoi(c+start);
1027                                         serverinfo_types_count++;
1028                                         start = i+1;
1029                                         }
1030                                 if (serverinfo_types_count == MAX_SI_TYPES)
1031                                         break;
1032                                 }
1033                         }
1034 #endif
1035 #ifdef FIONBIO
1036                 else if (strcmp(*argv,"-nbio") == 0)
1037                         { c_nbio=1; }
1038 #endif
1039                 else if (strcmp(*argv,"-starttls") == 0)
1040                         {
1041                         if (--argc < 1) goto bad;
1042                         ++argv;
1043                         if (strcmp(*argv,"smtp") == 0)
1044                                 starttls_proto = PROTO_SMTP;
1045                         else if (strcmp(*argv,"pop3") == 0)
1046                                 starttls_proto = PROTO_POP3;
1047                         else if (strcmp(*argv,"imap") == 0)
1048                                 starttls_proto = PROTO_IMAP;
1049                         else if (strcmp(*argv,"ftp") == 0)
1050                                 starttls_proto = PROTO_FTP;
1051                         else if (strcmp(*argv, "xmpp") == 0)
1052                                 starttls_proto = PROTO_XMPP;
1053                         else
1054                                 goto bad;
1055                         }
1056 #ifndef OPENSSL_NO_ENGINE
1057                 else if (strcmp(*argv,"-engine") == 0)
1058                         {
1059                         if (--argc < 1) goto bad;
1060                         engine_id = *(++argv);
1061                         }
1062                 else if (strcmp(*argv,"-ssl_client_engine") == 0)
1063                         {
1064                         if (--argc < 1) goto bad;
1065                         ssl_client_engine_id = *(++argv);
1066                         }
1067 #endif
1068                 else if (strcmp(*argv,"-rand") == 0)
1069                         {
1070                         if (--argc < 1) goto bad;
1071                         inrand= *(++argv);
1072                         }
1073 #ifndef OPENSSL_NO_TLSEXT
1074                 else if (strcmp(*argv,"-servername") == 0)
1075                         {
1076                         if (--argc < 1) goto bad;
1077                         servername= *(++argv);
1078                         /* meth=TLSv1_client_method(); */
1079                         }
1080 #endif
1081 #ifndef OPENSSL_NO_JPAKE
1082                 else if (strcmp(*argv,"-jpake") == 0)
1083                         {
1084                         if (--argc < 1) goto bad;
1085                         jpake_secret = *++argv;
1086                         }
1087 #endif
1088                 else if (strcmp(*argv,"-use_srtp") == 0)
1089                         {
1090                         if (--argc < 1) goto bad;
1091                         srtp_profiles = *(++argv);
1092                         }
1093                 else if (strcmp(*argv,"-keymatexport") == 0)
1094                         {
1095                         if (--argc < 1) goto bad;
1096                         keymatexportlabel= *(++argv);
1097                         }
1098                 else if (strcmp(*argv,"-keymatexportlen") == 0)
1099                         {
1100                         if (--argc < 1) goto bad;
1101                         keymatexportlen=atoi(*(++argv));
1102                         if (keymatexportlen == 0) goto bad;
1103                         }
1104                 else
1105                         {
1106                         BIO_printf(bio_err,"unknown option %s\n",*argv);
1107                         badop=1;
1108                         break;
1109                         }
1110                 argc--;
1111                 argv++;
1112                 }
1113         if (badop)
1114                 {
1115 bad:
1116                 sc_usage();
1117                 goto end;
1118                 }
1119
1120 #if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
1121         if (jpake_secret)
1122                 {
1123                 if (psk_key)
1124                         {
1125                         BIO_printf(bio_err,
1126                                    "Can't use JPAKE and PSK together\n");
1127                         goto end;
1128                         }
1129                 psk_identity = "JPAKE";
1130                 }
1131 #endif
1132
1133         OpenSSL_add_ssl_algorithms();
1134         SSL_load_error_strings();
1135
1136 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
1137         next_proto.status = -1;
1138         if (next_proto_neg_in)
1139                 {
1140                 next_proto.data = next_protos_parse(&next_proto.len, next_proto_neg_in);
1141                 if (next_proto.data == NULL)
1142                         {
1143                         BIO_printf(bio_err, "Error parsing -nextprotoneg argument\n");
1144                         goto end;
1145                         }
1146                 }
1147         else
1148                 next_proto.data = NULL;
1149 #endif
1150
1151 #ifndef OPENSSL_NO_ENGINE
1152         e = setup_engine(bio_err, engine_id, 1);
1153         if (ssl_client_engine_id)
1154                 {
1155                 ssl_client_engine = ENGINE_by_id(ssl_client_engine_id);
1156                 if (!ssl_client_engine)
1157                         {
1158                         BIO_printf(bio_err,
1159                                         "Error getting client auth engine\n");
1160                         goto end;
1161                         }
1162                 }
1163
1164 #endif
1165         if (!app_passwd(bio_err, passarg, NULL, &pass, NULL))
1166                 {
1167                 BIO_printf(bio_err, "Error getting password\n");
1168                 goto end;
1169                 }
1170
1171         if (key_file == NULL)
1172                 key_file = cert_file;
1173
1174
1175         if (key_file)
1176
1177                 {
1178
1179                 key = load_key(bio_err, key_file, key_format, 0, pass, e,
1180                                "client certificate private key file");
1181                 if (!key)
1182                         {
1183                         ERR_print_errors(bio_err);
1184                         goto end;
1185                         }
1186
1187                 }
1188
1189         if (cert_file)
1190
1191                 {
1192                 cert = load_cert(bio_err,cert_file,cert_format,
1193                                 NULL, e, "client certificate file");
1194
1195                 if (!cert)
1196                         {
1197                         ERR_print_errors(bio_err);
1198                         goto end;
1199                         }
1200                 }
1201
1202         if (chain_file)
1203                 {
1204                 chain = load_certs(bio_err, chain_file,FORMAT_PEM,
1205                                         NULL, e, "client certificate chain");
1206                 if (!chain)
1207                         goto end;
1208                 }
1209
1210         if (crl_file)
1211                 {
1212                 X509_CRL *crl;
1213                 crl = load_crl(crl_file, crl_format);
1214                 if (!crl)
1215                         {
1216                         BIO_puts(bio_err, "Error loading CRL\n");
1217                         ERR_print_errors(bio_err);
1218                         goto end;
1219                         }
1220                 crls = sk_X509_CRL_new_null();
1221                 if (!crls || !sk_X509_CRL_push(crls, crl))
1222                         {
1223                         BIO_puts(bio_err, "Error adding CRL\n");
1224                         ERR_print_errors(bio_err);
1225                         X509_CRL_free(crl);
1226                         goto end;
1227                         }
1228                 }
1229
1230         if (!load_excert(&exc, bio_err))
1231                 goto end;
1232
1233         if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
1234                 && !RAND_status())
1235                 {
1236                 BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
1237                 }
1238         if (inrand != NULL)
1239                 BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
1240                         app_RAND_load_files(inrand));
1241
1242         if (bio_c_out == NULL)
1243                 {
1244                 if (c_quiet && !c_debug)
1245                         {
1246                         bio_c_out=BIO_new(BIO_s_null());
1247                         if (c_msg && !bio_c_msg)
1248                                 bio_c_msg=BIO_new_fp(stdout,BIO_NOCLOSE);
1249                         }
1250                 else
1251                         {
1252                         if (bio_c_out == NULL)
1253                                 bio_c_out=BIO_new_fp(stdout,BIO_NOCLOSE);
1254                         }
1255                 }
1256
1257 #ifndef OPENSSL_NO_SRP
1258         if(!app_passwd(bio_err, srppass, NULL, &srp_arg.srppassin, NULL))
1259                 {
1260                 BIO_printf(bio_err, "Error getting password\n");
1261                 goto end;
1262                 }
1263 #endif
1264
1265         ctx=SSL_CTX_new(meth);
1266         if (ctx == NULL)
1267                 {
1268                 ERR_print_errors(bio_err);
1269                 goto end;
1270                 }
1271
1272         if (vpm)
1273                 SSL_CTX_set1_param(ctx, vpm);
1274
1275         if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, 1, no_jpake))
1276                 {
1277                 ERR_print_errors(bio_err);
1278                 goto end;
1279                 }
1280
1281         if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile,
1282                                                 crls, crl_download))
1283                 {
1284                 BIO_printf(bio_err, "Error loading store locations\n");
1285                 ERR_print_errors(bio_err);
1286                 goto end;
1287                 }
1288
1289 #ifndef OPENSSL_NO_ENGINE
1290         if (ssl_client_engine)
1291                 {
1292                 if (!SSL_CTX_set_client_cert_engine(ctx, ssl_client_engine))
1293                         {
1294                         BIO_puts(bio_err, "Error setting client auth engine\n");
1295                         ERR_print_errors(bio_err);
1296                         ENGINE_free(ssl_client_engine);
1297                         goto end;
1298                         }
1299                 ENGINE_free(ssl_client_engine);
1300                 }
1301 #endif
1302
1303 #ifndef OPENSSL_NO_PSK
1304 #ifdef OPENSSL_NO_JPAKE
1305         if (psk_key != NULL)
1306 #else
1307         if (psk_key != NULL || jpake_secret)
1308 #endif
1309                 {
1310                 if (c_debug)
1311                         BIO_printf(bio_c_out, "PSK key given or JPAKE in use, setting client callback\n");
1312                 SSL_CTX_set_psk_client_callback(ctx, psk_client_cb);
1313                 }
1314         if (srtp_profiles != NULL)
1315                 SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles);
1316 #endif
1317         if (exc) ssl_ctx_set_excert(ctx, exc);
1318         /* DTLS: partial reads end up discarding unread UDP bytes :-( 
1319          * Setting read ahead solves this problem.
1320          */
1321         if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
1322
1323 #if !defined(OPENSSL_NO_TLSEXT)
1324 # if !defined(OPENSSL_NO_NEXTPROTONEG)
1325         if (next_proto.data)
1326                 SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);
1327 # endif
1328         if (alpn_in)
1329                 {
1330                 unsigned short alpn_len;
1331                 unsigned char *alpn = next_protos_parse(&alpn_len, alpn_in);
1332
1333                 if (alpn == NULL)
1334                         {
1335                         BIO_printf(bio_err, "Error parsing -alpn argument\n");
1336                         goto end;
1337                         }
1338                 SSL_CTX_set_alpn_protos(ctx, alpn, alpn_len);
1339                 OPENSSL_free(alpn);
1340                 }
1341 #endif
1342 #ifndef OPENSSL_NO_TLSEXT
1343                 if (serverinfo_types_count)
1344                         {
1345                         for (i = 0; i < serverinfo_types_count; i++)
1346                                 {
1347                                 SSL_CTX_set_custom_cli_ext(ctx,
1348                                                            serverinfo_types[i],
1349                                                            NULL, 
1350                                                            serverinfo_cli_cb,
1351                                                            NULL);
1352                                 }
1353                         }
1354 #endif
1355
1356         if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
1357 #if 0
1358         else
1359                 SSL_CTX_set_cipher_list(ctx,getenv("SSL_CIPHER"));
1360 #endif
1361
1362         SSL_CTX_set_verify(ctx,verify,verify_callback);
1363
1364         if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
1365                 (!SSL_CTX_set_default_verify_paths(ctx)))
1366                 {
1367                 /* BIO_printf(bio_err,"error setting default verify locations\n"); */
1368                 ERR_print_errors(bio_err);
1369                 /* goto end; */
1370                 }
1371
1372         ssl_ctx_add_crls(ctx, crls, crl_download);
1373
1374         if (!set_cert_key_stuff(ctx,cert,key,chain,build_chain))
1375                 goto end;
1376
1377 #ifndef OPENSSL_NO_TLSEXT
1378         if (servername != NULL)
1379                 {
1380                 tlsextcbp.biodebug = bio_err;
1381                 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
1382                 SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
1383                 }
1384 #ifndef OPENSSL_NO_SRP
1385         if (srp_arg.srplogin)
1386                 {
1387                 if (!srp_lateuser && !SSL_CTX_set_srp_username(ctx, srp_arg.srplogin))
1388                         {
1389                         BIO_printf(bio_err,"Unable to set SRP username\n");
1390                         goto end;
1391                         }
1392                 srp_arg.msg = c_msg;
1393                 srp_arg.debug = c_debug ;
1394                 SSL_CTX_set_srp_cb_arg(ctx,&srp_arg);
1395                 SSL_CTX_set_srp_client_pwd_callback(ctx, ssl_give_srp_client_pwd_cb);
1396                 SSL_CTX_set_srp_strength(ctx, srp_arg.strength);
1397                 if (c_msg || c_debug || srp_arg.amp == 0)
1398                         SSL_CTX_set_srp_verify_param_callback(ctx, ssl_srp_verify_param_cb);
1399                 }
1400
1401 #endif
1402         if (c_proof_debug)
1403                 SSL_CTX_set_tlsext_authz_server_audit_proof_cb(ctx,
1404                                                                audit_proof_cb);
1405 #endif
1406
1407         con=SSL_new(ctx);
1408         if (sess_in)
1409                 {
1410                 SSL_SESSION *sess;
1411                 BIO *stmp = BIO_new_file(sess_in, "r");
1412                 if (!stmp)
1413                         {
1414                         BIO_printf(bio_err, "Can't open session file %s\n",
1415                                                 sess_in);
1416                         ERR_print_errors(bio_err);
1417                         goto end;
1418                         }
1419                 sess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL);
1420                 BIO_free(stmp);
1421                 if (!sess)
1422                         {
1423                         BIO_printf(bio_err, "Can't open session file %s\n",
1424                                                 sess_in);
1425                         ERR_print_errors(bio_err);
1426                         goto end;
1427                         }
1428                 SSL_set_session(con, sess);
1429                 SSL_SESSION_free(sess);
1430                 }
1431 #ifndef OPENSSL_NO_TLSEXT
1432         if (servername != NULL)
1433                 {
1434                 if (!SSL_set_tlsext_host_name(con,servername))
1435                         {
1436                         BIO_printf(bio_err,"Unable to set TLS servername extension.\n");
1437                         ERR_print_errors(bio_err);
1438                         goto end;
1439                         }
1440                 }
1441 #endif
1442 #ifndef OPENSSL_NO_KRB5
1443         if (con  &&  (kctx = kssl_ctx_new()) != NULL)
1444                 {
1445                 SSL_set0_kssl_ctx(con, kctx);
1446                 kssl_ctx_setstring(kctx, KSSL_SERVER, host);
1447                 }
1448 #endif  /* OPENSSL_NO_KRB5  */
1449 /*      SSL_set_cipher_list(con,"RC4-MD5"); */
1450 #if 0
1451 #ifdef TLSEXT_TYPE_opaque_prf_input
1452         SSL_set_tlsext_opaque_prf_input(con, "Test client", 11);
1453 #endif
1454 #endif
1455
1456 re_start:
1457
1458         if (init_client(&s,host,port,socket_type) == 0)
1459                 {
1460                 BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
1461                 SHUTDOWN(s);
1462                 goto end;
1463                 }
1464         BIO_printf(bio_c_out,"CONNECTED(%08X)\n",s);
1465
1466 #ifdef FIONBIO
1467         if (c_nbio)
1468                 {
1469                 unsigned long l=1;
1470                 BIO_printf(bio_c_out,"turning on non blocking io\n");
1471                 if (BIO_socket_ioctl(s,FIONBIO,&l) < 0)
1472                         {
1473                         ERR_print_errors(bio_err);
1474                         goto end;
1475                         }
1476                 }
1477 #endif                                              
1478         if (c_Pause & 0x01) SSL_set_debug(con, 1);
1479
1480         if (socket_type == SOCK_DGRAM)
1481                 {
1482
1483                 sbio=BIO_new_dgram(s,BIO_NOCLOSE);
1484                 if (getsockname(s, &peer, (void *)&peerlen) < 0)
1485                         {
1486                         BIO_printf(bio_err, "getsockname:errno=%d\n",
1487                                 get_last_socket_error());
1488                         SHUTDOWN(s);
1489                         goto end;
1490                         }
1491
1492                 (void)BIO_ctrl_set_connected(sbio, 1, &peer);
1493
1494                 if (enable_timeouts)
1495                         {
1496                         timeout.tv_sec = 0;
1497                         timeout.tv_usec = DGRAM_RCV_TIMEOUT;
1498                         BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
1499                         
1500                         timeout.tv_sec = 0;
1501                         timeout.tv_usec = DGRAM_SND_TIMEOUT;
1502                         BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
1503                         }
1504
1505                 if (socket_mtu > 28)
1506                         {
1507                         SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
1508                         SSL_set_mtu(con, socket_mtu - 28);
1509                         }
1510                 else
1511                         /* want to do MTU discovery */
1512                         BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
1513                 }
1514         else
1515                 sbio=BIO_new_socket(s,BIO_NOCLOSE);
1516
1517         if (nbio_test)
1518                 {
1519                 BIO *test;
1520
1521                 test=BIO_new(BIO_f_nbio_test());
1522                 sbio=BIO_push(test,sbio);
1523                 }
1524
1525         if (c_debug)
1526                 {
1527                 SSL_set_debug(con, 1);
1528                 BIO_set_callback(sbio,bio_dump_callback);
1529                 BIO_set_callback_arg(sbio,(char *)bio_c_out);
1530                 }
1531         if (c_msg)
1532                 {
1533 #ifndef OPENSSL_NO_SSL_TRACE
1534                 if (c_msg == 2)
1535                         SSL_set_msg_callback(con, SSL_trace);
1536                 else
1537 #endif
1538                         SSL_set_msg_callback(con, msg_cb);
1539                 SSL_set_msg_callback_arg(con, bio_c_msg ? bio_c_msg : bio_c_out);
1540                 }
1541 #ifndef OPENSSL_NO_TLSEXT
1542         if (c_tlsextdebug)
1543                 {
1544                 SSL_set_tlsext_debug_callback(con, tlsext_cb);
1545                 SSL_set_tlsext_debug_arg(con, bio_c_out);
1546                 }
1547         if (c_status_req)
1548                 {
1549                 SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp);
1550                 SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb);
1551                 SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out);
1552 #if 0
1553 {
1554 STACK_OF(OCSP_RESPID) *ids = sk_OCSP_RESPID_new_null();
1555 OCSP_RESPID *id = OCSP_RESPID_new();
1556 id->value.byKey = ASN1_OCTET_STRING_new();
1557 id->type = V_OCSP_RESPID_KEY;
1558 ASN1_STRING_set(id->value.byKey, "Hello World", -1);
1559 sk_OCSP_RESPID_push(ids, id);
1560 SSL_set_tlsext_status_ids(con, ids);
1561 }
1562 #endif
1563                 }
1564 #endif
1565 #ifndef OPENSSL_NO_JPAKE
1566         if (jpake_secret)
1567                 jpake_client_auth(bio_c_out, sbio, jpake_secret);
1568 #endif
1569
1570         SSL_set_bio(con,sbio,sbio);
1571         SSL_set_connect_state(con);
1572
1573         /* ok, lets connect */
1574         width=SSL_get_fd(con)+1;
1575
1576         read_tty=1;
1577         write_tty=0;
1578         tty_on=0;
1579         read_ssl=1;
1580         write_ssl=1;
1581         
1582         cbuf_len=0;
1583         cbuf_off=0;
1584         sbuf_len=0;
1585         sbuf_off=0;
1586
1587         /* This is an ugly hack that does a lot of assumptions */
1588         /* We do have to handle multi-line responses which may come
1589            in a single packet or not. We therefore have to use
1590            BIO_gets() which does need a buffering BIO. So during
1591            the initial chitchat we do push a buffering BIO into the
1592            chain that is removed again later on to not disturb the
1593            rest of the s_client operation. */
1594         if (starttls_proto == PROTO_SMTP)
1595                 {
1596                 int foundit=0;
1597                 BIO *fbio = BIO_new(BIO_f_buffer());
1598                 BIO_push(fbio, sbio);
1599                 /* wait for multi-line response to end from SMTP */
1600                 do
1601                         {
1602                         mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1603                         }
1604                 while (mbuf_len>3 && mbuf[3]=='-');
1605                 /* STARTTLS command requires EHLO... */
1606                 BIO_printf(fbio,"EHLO openssl.client.net\r\n");
1607                 (void)BIO_flush(fbio);
1608                 /* wait for multi-line response to end EHLO SMTP response */
1609                 do
1610                         {
1611                         mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1612                         if (strstr(mbuf,"STARTTLS"))
1613                                 foundit=1;
1614                         }
1615                 while (mbuf_len>3 && mbuf[3]=='-');
1616                 (void)BIO_flush(fbio);
1617                 BIO_pop(fbio);
1618                 BIO_free(fbio);
1619                 if (!foundit)
1620                         BIO_printf(bio_err,
1621                                    "didn't found starttls in server response,"
1622                                    " try anyway...\n");
1623                 BIO_printf(sbio,"STARTTLS\r\n");
1624                 BIO_read(sbio,sbuf,BUFSIZZ);
1625                 }
1626         else if (starttls_proto == PROTO_POP3)
1627                 {
1628                 BIO_read(sbio,mbuf,BUFSIZZ);
1629                 BIO_printf(sbio,"STLS\r\n");
1630                 BIO_read(sbio,sbuf,BUFSIZZ);
1631                 }
1632         else if (starttls_proto == PROTO_IMAP)
1633                 {
1634                 int foundit=0;
1635                 BIO *fbio = BIO_new(BIO_f_buffer());
1636                 BIO_push(fbio, sbio);
1637                 BIO_gets(fbio,mbuf,BUFSIZZ);
1638                 /* STARTTLS command requires CAPABILITY... */
1639                 BIO_printf(fbio,". CAPABILITY\r\n");
1640                 (void)BIO_flush(fbio);
1641                 /* wait for multi-line CAPABILITY response */
1642                 do
1643                         {
1644                         mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1645                         if (strstr(mbuf,"STARTTLS"))
1646                                 foundit=1;
1647                         }
1648                 while (mbuf_len>3 && mbuf[0]!='.');
1649                 (void)BIO_flush(fbio);
1650                 BIO_pop(fbio);
1651                 BIO_free(fbio);
1652                 if (!foundit)
1653                         BIO_printf(bio_err,
1654                                    "didn't found STARTTLS in server response,"
1655                                    " try anyway...\n");
1656                 BIO_printf(sbio,". STARTTLS\r\n");
1657                 BIO_read(sbio,sbuf,BUFSIZZ);
1658                 }
1659         else if (starttls_proto == PROTO_FTP)
1660                 {
1661                 BIO *fbio = BIO_new(BIO_f_buffer());
1662                 BIO_push(fbio, sbio);
1663                 /* wait for multi-line response to end from FTP */
1664                 do
1665                         {
1666                         mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1667                         }
1668                 while (mbuf_len>3 && mbuf[3]=='-');
1669                 (void)BIO_flush(fbio);
1670                 BIO_pop(fbio);
1671                 BIO_free(fbio);
1672                 BIO_printf(sbio,"AUTH TLS\r\n");
1673                 BIO_read(sbio,sbuf,BUFSIZZ);
1674                 }
1675         if (starttls_proto == PROTO_XMPP)
1676                 {
1677                 int seen = 0;
1678                 BIO_printf(sbio,"<stream:stream "
1679                     "xmlns:stream='http://etherx.jabber.org/streams' "
1680                     "xmlns='jabber:client' to='%s' version='1.0'>", xmpphost? xmpphost:host);
1681                 seen = BIO_read(sbio,mbuf,BUFSIZZ);
1682                 mbuf[seen] = 0;
1683                 while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'") &&
1684                                 !strstr(mbuf, "<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\""))
1685                         {
1686                         seen = BIO_read(sbio,mbuf,BUFSIZZ);
1687
1688                         if (seen <= 0)
1689                                 goto shut;
1690
1691                         mbuf[seen] = 0;
1692                         }
1693                 BIO_printf(sbio, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>");
1694                 seen = BIO_read(sbio,sbuf,BUFSIZZ);
1695                 sbuf[seen] = 0;
1696                 if (!strstr(sbuf, "<proceed"))
1697                         goto shut;
1698                 mbuf[0] = 0;
1699                 }
1700
1701         for (;;)
1702                 {
1703                 FD_ZERO(&readfds);
1704                 FD_ZERO(&writefds);
1705
1706                 if ((SSL_version(con) == DTLS1_VERSION) &&
1707                         DTLSv1_get_timeout(con, &timeout))
1708                         timeoutp = &timeout;
1709                 else
1710                         timeoutp = NULL;
1711
1712                 if (SSL_in_init(con) && !SSL_total_renegotiations(con))
1713                         {
1714                         in_init=1;
1715                         tty_on=0;
1716                         }
1717                 else
1718                         {
1719                         tty_on=1;
1720                         if (in_init)
1721                                 {
1722                                 in_init=0;
1723 #if 0 /* This test doesn't really work as intended (needs to be fixed) */
1724 #ifndef OPENSSL_NO_TLSEXT
1725                                 if (servername != NULL && !SSL_session_reused(con))
1726                                         {
1727                                         BIO_printf(bio_c_out,"Server did %sacknowledge servername extension.\n",tlsextcbp.ack?"":"not ");
1728                                         }
1729 #endif
1730 #endif
1731                                 if (sess_out)
1732                                         {
1733                                         BIO *stmp = BIO_new_file(sess_out, "w");
1734                                         if (stmp)
1735                                                 {
1736                                                 PEM_write_bio_SSL_SESSION(stmp, SSL_get_session(con));
1737                                                 BIO_free(stmp);
1738                                                 }
1739                                         else 
1740                                                 BIO_printf(bio_err, "Error writing session file %s\n", sess_out);
1741                                         }
1742                                 if (c_brief)
1743                                         {
1744                                         BIO_puts(bio_err,
1745                                                 "CONNECTION ESTABLISHED\n");
1746                                         print_ssl_summary(bio_err, con);
1747                                         }
1748                                 print_stuff(bio_c_out,con,full_log);
1749                                 if (full_log > 0) full_log--;
1750
1751                                 if (starttls_proto)
1752                                         {
1753                                         BIO_printf(bio_err,"%s",mbuf);
1754                                         /* We don't need to know any more */
1755                                         starttls_proto = PROTO_OFF;
1756                                         }
1757
1758                                 if (reconnect)
1759                                         {
1760                                         reconnect--;
1761                                         BIO_printf(bio_c_out,"drop connection and then reconnect\n");
1762                                         SSL_shutdown(con);
1763                                         SSL_set_connect_state(con);
1764                                         SHUTDOWN(SSL_get_fd(con));
1765                                         goto re_start;
1766                                         }
1767                                 }
1768                         }
1769
1770                 ssl_pending = read_ssl && SSL_pending(con);
1771
1772                 if (!ssl_pending)
1773                         {
1774 #if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) && !defined (OPENSSL_SYS_BEOS_R5)
1775                         if (tty_on)
1776                                 {
1777                                 if (read_tty)  openssl_fdset(fileno(stdin),&readfds);
1778                                 if (write_tty) openssl_fdset(fileno(stdout),&writefds);
1779                                 }
1780                         if (read_ssl)
1781                                 openssl_fdset(SSL_get_fd(con),&readfds);
1782                         if (write_ssl)
1783                                 openssl_fdset(SSL_get_fd(con),&writefds);
1784 #else
1785                         if(!tty_on || !write_tty) {
1786                                 if (read_ssl)
1787                                         openssl_fdset(SSL_get_fd(con),&readfds);
1788                                 if (write_ssl)
1789                                         openssl_fdset(SSL_get_fd(con),&writefds);
1790                         }
1791 #endif
1792 /*                      printf("mode tty(%d %d%d) ssl(%d%d)\n",
1793                                 tty_on,read_tty,write_tty,read_ssl,write_ssl);*/
1794
1795                         /* Note: under VMS with SOCKETSHR the second parameter
1796                          * is currently of type (int *) whereas under other
1797                          * systems it is (void *) if you don't have a cast it
1798                          * will choke the compiler: if you do have a cast then
1799                          * you can either go for (int *) or (void *).
1800                          */
1801 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
1802                         /* Under Windows/DOS we make the assumption that we can
1803                          * always write to the tty: therefore if we need to
1804                          * write to the tty we just fall through. Otherwise
1805                          * we timeout the select every second and see if there
1806                          * are any keypresses. Note: this is a hack, in a proper
1807                          * Windows application we wouldn't do this.
1808                          */
1809                         i=0;
1810                         if(!write_tty) {
1811                                 if(read_tty) {
1812                                         tv.tv_sec = 1;
1813                                         tv.tv_usec = 0;
1814                                         i=select(width,(void *)&readfds,(void *)&writefds,
1815                                                  NULL,&tv);
1816 #if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
1817                                         if(!i && (!_kbhit() || !read_tty) ) continue;
1818 #else
1819                                         if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue;
1820 #endif
1821                                 } else  i=select(width,(void *)&readfds,(void *)&writefds,
1822                                          NULL,timeoutp);
1823                         }
1824 #elif defined(OPENSSL_SYS_NETWARE)
1825                         if(!write_tty) {
1826                                 if(read_tty) {
1827                                         tv.tv_sec = 1;
1828                                         tv.tv_usec = 0;
1829                                         i=select(width,(void *)&readfds,(void *)&writefds,
1830                                                 NULL,&tv);
1831                                 } else  i=select(width,(void *)&readfds,(void *)&writefds,
1832                                         NULL,timeoutp);
1833                         }
1834 #elif defined(OPENSSL_SYS_BEOS_R5)
1835                         /* Under BeOS-R5 the situation is similar to DOS */
1836                         i=0;
1837                         stdin_set = 0;
1838                         (void)fcntl(fileno(stdin), F_SETFL, O_NONBLOCK);
1839                         if(!write_tty) {
1840                                 if(read_tty) {
1841                                         tv.tv_sec = 1;
1842                                         tv.tv_usec = 0;
1843                                         i=select(width,(void *)&readfds,(void *)&writefds,
1844                                                  NULL,&tv);
1845                                         if (read(fileno(stdin), sbuf, 0) >= 0)
1846                                                 stdin_set = 1;
1847                                         if (!i && (stdin_set != 1 || !read_tty))
1848                                                 continue;
1849                                 } else  i=select(width,(void *)&readfds,(void *)&writefds,
1850                                          NULL,timeoutp);
1851                         }
1852                         (void)fcntl(fileno(stdin), F_SETFL, 0);
1853 #else
1854                         i=select(width,(void *)&readfds,(void *)&writefds,
1855                                  NULL,timeoutp);
1856 #endif
1857                         if ( i < 0)
1858                                 {
1859                                 BIO_printf(bio_err,"bad select %d\n",
1860                                 get_last_socket_error());
1861                                 goto shut;
1862                                 /* goto end; */
1863                                 }
1864                         }
1865
1866                 if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0)
1867                         {
1868                         BIO_printf(bio_err,"TIMEOUT occured\n");
1869                         }
1870
1871                 if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds))
1872                         {
1873                         k=SSL_write(con,&(cbuf[cbuf_off]),
1874                                 (unsigned int)cbuf_len);
1875                         switch (SSL_get_error(con,k))
1876                                 {
1877                         case SSL_ERROR_NONE:
1878                                 cbuf_off+=k;
1879                                 cbuf_len-=k;
1880                                 if (k <= 0) goto end;
1881                                 /* we have done a  write(con,NULL,0); */
1882                                 if (cbuf_len <= 0)
1883                                         {
1884                                         read_tty=1;
1885                                         write_ssl=0;
1886                                         }
1887                                 else /* if (cbuf_len > 0) */
1888                                         {
1889                                         read_tty=0;
1890                                         write_ssl=1;
1891                                         }
1892                                 break;
1893                         case SSL_ERROR_WANT_WRITE:
1894                                 BIO_printf(bio_c_out,"write W BLOCK\n");
1895                                 write_ssl=1;
1896                                 read_tty=0;
1897                                 break;
1898                         case SSL_ERROR_WANT_READ:
1899                                 BIO_printf(bio_c_out,"write R BLOCK\n");
1900                                 write_tty=0;
1901                                 read_ssl=1;
1902                                 write_ssl=0;
1903                                 break;
1904                         case SSL_ERROR_WANT_X509_LOOKUP:
1905                                 BIO_printf(bio_c_out,"write X BLOCK\n");
1906                                 break;
1907                         case SSL_ERROR_ZERO_RETURN:
1908                                 if (cbuf_len != 0)
1909                                         {
1910                                         BIO_printf(bio_c_out,"shutdown\n");
1911                                         ret = 0;
1912                                         goto shut;
1913                                         }
1914                                 else
1915                                         {
1916                                         read_tty=1;
1917                                         write_ssl=0;
1918                                         break;
1919                                         }
1920                                 
1921                         case SSL_ERROR_SYSCALL:
1922                                 if ((k != 0) || (cbuf_len != 0))
1923                                         {
1924                                         BIO_printf(bio_err,"write:errno=%d\n",
1925                                                 get_last_socket_error());
1926                                         goto shut;
1927                                         }
1928                                 else
1929                                         {
1930                                         read_tty=1;
1931                                         write_ssl=0;
1932                                         }
1933                                 break;
1934                         case SSL_ERROR_SSL:
1935                                 ERR_print_errors(bio_err);
1936                                 goto shut;
1937                                 }
1938                         }
1939 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
1940                 /* Assume Windows/DOS/BeOS can always write */
1941                 else if (!ssl_pending && write_tty)
1942 #else
1943                 else if (!ssl_pending && FD_ISSET(fileno(stdout),&writefds))
1944 #endif
1945                         {
1946 #ifdef CHARSET_EBCDIC
1947                         ascii2ebcdic(&(sbuf[sbuf_off]),&(sbuf[sbuf_off]),sbuf_len);
1948 #endif
1949                         i=raw_write_stdout(&(sbuf[sbuf_off]),sbuf_len);
1950
1951                         if (i <= 0)
1952                                 {
1953                                 BIO_printf(bio_c_out,"DONE\n");
1954                                 ret = 0;
1955                                 goto shut;
1956                                 /* goto end; */
1957                                 }
1958
1959                         sbuf_len-=i;;
1960                         sbuf_off+=i;
1961                         if (sbuf_len <= 0)
1962                                 {
1963                                 read_ssl=1;
1964                                 write_tty=0;
1965                                 }
1966                         }
1967                 else if (ssl_pending || FD_ISSET(SSL_get_fd(con),&readfds))
1968                         {
1969 #ifdef RENEG
1970 { static int iiii; if (++iiii == 52) { SSL_renegotiate(con); iiii=0; } }
1971 #endif
1972 #if 1
1973                         k=SSL_read(con,sbuf,1024 /* BUFSIZZ */ );
1974 #else
1975 /* Demo for pending and peek :-) */
1976                         k=SSL_read(con,sbuf,16);
1977 { char zbuf[10240]; 
1978 printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240));
1979 }
1980 #endif
1981
1982                         switch (SSL_get_error(con,k))
1983                                 {
1984                         case SSL_ERROR_NONE:
1985                                 if (k <= 0)
1986                                         goto end;
1987                                 sbuf_off=0;
1988                                 sbuf_len=k;
1989
1990                                 read_ssl=0;
1991                                 write_tty=1;
1992                                 break;
1993                         case SSL_ERROR_WANT_WRITE:
1994                                 BIO_printf(bio_c_out,"read W BLOCK\n");
1995                                 write_ssl=1;
1996                                 read_tty=0;
1997                                 break;
1998                         case SSL_ERROR_WANT_READ:
1999                                 BIO_printf(bio_c_out,"read R BLOCK\n");
2000                                 write_tty=0;
2001                                 read_ssl=1;
2002                                 if ((read_tty == 0) && (write_ssl == 0))
2003                                         write_ssl=1;
2004                                 break;
2005                         case SSL_ERROR_WANT_X509_LOOKUP:
2006                                 BIO_printf(bio_c_out,"read X BLOCK\n");
2007                                 break;
2008                         case SSL_ERROR_SYSCALL:
2009                                 ret=get_last_socket_error();
2010                                 if (c_brief)
2011                                         BIO_puts(bio_err, "CONNECTION CLOSED BY SERVER\n");
2012                                 else
2013                                         BIO_printf(bio_err,"read:errno=%d\n",ret);
2014                                 goto shut;
2015                         case SSL_ERROR_ZERO_RETURN:
2016                                 BIO_printf(bio_c_out,"closed\n");
2017                                 ret=0;
2018                                 goto shut;
2019                         case SSL_ERROR_SSL:
2020                                 ERR_print_errors(bio_err);
2021                                 goto shut;
2022                                 /* break; */
2023                                 }
2024                         }
2025
2026 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
2027 #if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
2028                 else if (_kbhit())
2029 #else
2030                 else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
2031 #endif
2032 #elif defined (OPENSSL_SYS_NETWARE)
2033                 else if (_kbhit())
2034 #elif defined(OPENSSL_SYS_BEOS_R5)
2035                 else if (stdin_set)
2036 #else
2037                 else if (FD_ISSET(fileno(stdin),&readfds))
2038 #endif
2039                         {
2040                         if (crlf)
2041                                 {
2042                                 int j, lf_num;
2043
2044                                 i=raw_read_stdin(cbuf,BUFSIZZ/2);
2045                                 lf_num = 0;
2046                                 /* both loops are skipped when i <= 0 */
2047                                 for (j = 0; j < i; j++)
2048                                         if (cbuf[j] == '\n')
2049                                                 lf_num++;
2050                                 for (j = i-1; j >= 0; j--)
2051                                         {
2052                                         cbuf[j+lf_num] = cbuf[j];
2053                                         if (cbuf[j] == '\n')
2054                                                 {
2055                                                 lf_num--;
2056                                                 i++;
2057                                                 cbuf[j+lf_num] = '\r';
2058                                                 }
2059                                         }
2060                                 assert(lf_num == 0);
2061                                 }
2062                         else
2063                                 i=raw_read_stdin(cbuf,BUFSIZZ);
2064
2065                         if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q')))
2066                                 {
2067                                 BIO_printf(bio_err,"DONE\n");
2068                                 ret=0;
2069                                 goto shut;
2070                                 }
2071
2072                         if ((!c_ign_eof) && (cbuf[0] == 'R'))
2073                                 {
2074                                 BIO_printf(bio_err,"RENEGOTIATING\n");
2075                                 SSL_renegotiate(con);
2076                                 cbuf_len=0;
2077                                 }
2078 #ifndef OPENSSL_NO_HEARTBEATS
2079                         else if ((!c_ign_eof) && (cbuf[0] == 'B'))
2080                                 {
2081                                 BIO_printf(bio_err,"HEARTBEATING\n");
2082                                 SSL_heartbeat(con);
2083                                 cbuf_len=0;
2084                                 }
2085 #endif
2086                         else
2087                                 {
2088                                 cbuf_len=i;
2089                                 cbuf_off=0;
2090 #ifdef CHARSET_EBCDIC
2091                                 ebcdic2ascii(cbuf, cbuf, i);
2092 #endif
2093                                 }
2094
2095                         write_ssl=1;
2096                         read_tty=0;
2097                         }
2098                 }
2099
2100         ret=0;
2101 shut:
2102         if (in_init)
2103                 print_stuff(bio_c_out,con,full_log);
2104         SSL_shutdown(con);
2105         SHUTDOWN(SSL_get_fd(con));
2106 end:
2107         if (con != NULL)
2108                 {
2109                 if (prexit != 0)
2110                         print_stuff(bio_c_out,con,1);
2111                 SSL_free(con);
2112                 }
2113 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
2114         if (next_proto.data)
2115                 OPENSSL_free(next_proto.data);
2116 #endif
2117         if (ctx != NULL) SSL_CTX_free(ctx);
2118         if (cert)
2119                 X509_free(cert);
2120         if (crls)
2121                 sk_X509_CRL_pop_free(crls, X509_CRL_free);
2122         if (key)
2123                 EVP_PKEY_free(key);
2124         if (chain)
2125                 sk_X509_pop_free(chain, X509_free);
2126         if (pass)
2127                 OPENSSL_free(pass);
2128         if (vpm)
2129                 X509_VERIFY_PARAM_free(vpm);
2130         ssl_excert_free(exc);
2131         if (ssl_args)
2132                 sk_OPENSSL_STRING_free(ssl_args);
2133         if (cctx)
2134                 SSL_CONF_CTX_free(cctx);
2135 #ifndef OPENSSL_NO_JPAKE
2136         if (jpake_secret && psk_key)
2137                 OPENSSL_free(psk_key);
2138 #endif
2139         if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); }
2140         if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); }
2141         if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); }
2142         if (bio_c_out != NULL)
2143                 {
2144                 BIO_free(bio_c_out);
2145                 bio_c_out=NULL;
2146                 }
2147         if (bio_c_msg != NULL)
2148                 {
2149                 BIO_free(bio_c_msg);
2150                 bio_c_msg=NULL;
2151                 }
2152         apps_shutdown();
2153         OPENSSL_EXIT(ret);
2154         }
2155
2156
2157 static void print_stuff(BIO *bio, SSL *s, int full)
2158         {
2159         X509 *peer=NULL;
2160         char *p;
2161         static const char *space="                ";
2162         char buf[BUFSIZ];
2163         STACK_OF(X509) *sk;
2164         STACK_OF(X509_NAME) *sk2;
2165         const SSL_CIPHER *c;
2166         X509_NAME *xn;
2167         int j,i;
2168 #ifndef OPENSSL_NO_COMP
2169         const COMP_METHOD *comp, *expansion;
2170 #endif
2171         unsigned char *exportedkeymat;
2172
2173         if (full)
2174                 {
2175                 int got_a_chain = 0;
2176
2177                 sk=SSL_get_peer_cert_chain(s);
2178                 if (sk != NULL)
2179                         {
2180                         got_a_chain = 1; /* we don't have it for SSL2 (yet) */
2181
2182                         BIO_printf(bio,"---\nCertificate chain\n");
2183                         for (i=0; i<sk_X509_num(sk); i++)
2184                                 {
2185                                 X509_NAME_oneline(X509_get_subject_name(
2186                                         sk_X509_value(sk,i)),buf,sizeof buf);
2187                                 BIO_printf(bio,"%2d s:%s\n",i,buf);
2188                                 X509_NAME_oneline(X509_get_issuer_name(
2189                                         sk_X509_value(sk,i)),buf,sizeof buf);
2190                                 BIO_printf(bio,"   i:%s\n",buf);
2191                                 if (c_showcerts)
2192                                         PEM_write_bio_X509(bio,sk_X509_value(sk,i));
2193                                 }
2194                         }
2195
2196                 BIO_printf(bio,"---\n");
2197                 peer=SSL_get_peer_certificate(s);
2198                 if (peer != NULL)
2199                         {
2200                         BIO_printf(bio,"Server certificate\n");
2201                         if (!(c_showcerts && got_a_chain)) /* Redundant if we showed the whole chain */
2202                                 PEM_write_bio_X509(bio,peer);
2203                         X509_NAME_oneline(X509_get_subject_name(peer),
2204                                 buf,sizeof buf);
2205                         BIO_printf(bio,"subject=%s\n",buf);
2206                         X509_NAME_oneline(X509_get_issuer_name(peer),
2207                                 buf,sizeof buf);
2208                         BIO_printf(bio,"issuer=%s\n",buf);
2209                         }
2210                 else
2211                         BIO_printf(bio,"no peer certificate available\n");
2212
2213                 sk2=SSL_get_client_CA_list(s);
2214                 if ((sk2 != NULL) && (sk_X509_NAME_num(sk2) > 0))
2215                         {
2216                         BIO_printf(bio,"---\nAcceptable client certificate CA names\n");
2217                         for (i=0; i<sk_X509_NAME_num(sk2); i++)
2218                                 {
2219                                 xn=sk_X509_NAME_value(sk2,i);
2220                                 X509_NAME_oneline(xn,buf,sizeof(buf));
2221                                 BIO_write(bio,buf,strlen(buf));
2222                                 BIO_write(bio,"\n",1);
2223                                 }
2224                         }
2225                 else
2226                         {
2227                         BIO_printf(bio,"---\nNo client certificate CA names sent\n");
2228                         }
2229                 p=SSL_get_shared_ciphers(s,buf,sizeof buf);
2230                 if (p != NULL)
2231                         {
2232                         /* This works only for SSL 2.  In later protocol
2233                          * versions, the client does not know what other
2234                          * ciphers (in addition to the one to be used
2235                          * in the current connection) the server supports. */
2236
2237                         BIO_printf(bio,"---\nCiphers common between both SSL endpoints:\n");
2238                         j=i=0;
2239                         while (*p)
2240                                 {
2241                                 if (*p == ':')
2242                                         {
2243                                         BIO_write(bio,space,15-j%25);
2244                                         i++;
2245                                         j=0;
2246                                         BIO_write(bio,((i%3)?" ":"\n"),1);
2247                                         }
2248                                 else
2249                                         {
2250                                         BIO_write(bio,p,1);
2251                                         j++;
2252                                         }
2253                                 p++;
2254                                 }
2255                         BIO_write(bio,"\n",1);
2256                         }
2257
2258                 ssl_print_sigalgs(bio, s);
2259                 ssl_print_tmp_key(bio, s);
2260
2261                 BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n",
2262                         BIO_number_read(SSL_get_rbio(s)),
2263                         BIO_number_written(SSL_get_wbio(s)));
2264                 }
2265         BIO_printf(bio,(SSL_cache_hit(s)?"---\nReused, ":"---\nNew, "));
2266         c=SSL_get_current_cipher(s);
2267         BIO_printf(bio,"%s, Cipher is %s\n",
2268                 SSL_CIPHER_get_version(c),
2269                 SSL_CIPHER_get_name(c));
2270         if (peer != NULL) {
2271                 EVP_PKEY *pktmp;
2272                 pktmp = X509_get_pubkey(peer);
2273                 BIO_printf(bio,"Server public key is %d bit\n",
2274                                                          EVP_PKEY_bits(pktmp));
2275                 EVP_PKEY_free(pktmp);
2276         }
2277         BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
2278                         SSL_get_secure_renegotiation_support(s) ? "" : " NOT");
2279 #ifndef OPENSSL_NO_COMP
2280         comp=SSL_get_current_compression(s);
2281         expansion=SSL_get_current_expansion(s);
2282         BIO_printf(bio,"Compression: %s\n",
2283                 comp ? SSL_COMP_get_name(comp) : "NONE");
2284         BIO_printf(bio,"Expansion: %s\n",
2285                 expansion ? SSL_COMP_get_name(expansion) : "NONE");
2286 #endif
2287  
2288 #ifdef SSL_DEBUG
2289         {
2290         /* Print out local port of connection: useful for debugging */
2291         int sock;
2292         struct sockaddr_in ladd;
2293         socklen_t ladd_size = sizeof(ladd);
2294         sock = SSL_get_fd(s);
2295         getsockname(sock, (struct sockaddr *)&ladd, &ladd_size);
2296         BIO_printf(bio_c_out, "LOCAL PORT is %u\n", ntohs(ladd.sin_port));
2297         }
2298 #endif
2299
2300 #if !defined(OPENSSL_NO_TLSEXT)
2301 # if !defined(OPENSSL_NO_NEXTPROTONEG)
2302         if (next_proto.status != -1) {
2303                 const unsigned char *proto;
2304                 unsigned int proto_len;
2305                 SSL_get0_next_proto_negotiated(s, &proto, &proto_len);
2306                 BIO_printf(bio, "Next protocol: (%d) ", next_proto.status);
2307                 BIO_write(bio, proto, proto_len);
2308                 BIO_write(bio, "\n", 1);
2309         }
2310         {
2311                 const unsigned char *proto;
2312                 unsigned int proto_len;
2313                 SSL_get0_alpn_selected(s, &proto, &proto_len);
2314                 if (proto_len > 0)
2315                         {
2316                         BIO_printf(bio, "ALPN protocol: ");
2317                         BIO_write(bio, proto, proto_len);
2318                         BIO_write(bio, "\n", 1);
2319                         }
2320                 else
2321                         BIO_printf(bio, "No ALPN negotiated\n");
2322         }
2323 # endif
2324 #endif
2325
2326         {
2327         SRTP_PROTECTION_PROFILE *srtp_profile=SSL_get_selected_srtp_profile(s);
2328  
2329         if(srtp_profile)
2330                 BIO_printf(bio,"SRTP Extension negotiated, profile=%s\n",
2331                            srtp_profile->name);
2332         }
2333  
2334         SSL_SESSION_print(bio,SSL_get_session(s));
2335         if (keymatexportlabel != NULL)
2336                 {
2337                 BIO_printf(bio, "Keying material exporter:\n");
2338                 BIO_printf(bio, "    Label: '%s'\n", keymatexportlabel);
2339                 BIO_printf(bio, "    Length: %i bytes\n", keymatexportlen);
2340                 exportedkeymat = OPENSSL_malloc(keymatexportlen);
2341                 if (exportedkeymat != NULL)
2342                         {
2343                         if (!SSL_export_keying_material(s, exportedkeymat,
2344                                                         keymatexportlen,
2345                                                         keymatexportlabel,
2346                                                         strlen(keymatexportlabel),
2347                                                         NULL, 0, 0))
2348                                 {
2349                                 BIO_printf(bio, "    Error\n");
2350                                 }
2351                         else
2352                                 {
2353                                 BIO_printf(bio, "    Keying material: ");
2354                                 for (i=0; i<keymatexportlen; i++)
2355                                         BIO_printf(bio, "%02X",
2356                                                    exportedkeymat[i]);
2357                                 BIO_printf(bio, "\n");
2358                                 }
2359                         OPENSSL_free(exportedkeymat);
2360                         }
2361                 }
2362         BIO_printf(bio,"---\n");
2363         if (peer != NULL)
2364                 X509_free(peer);
2365         /* flush, or debugging output gets mixed with http response */
2366         (void)BIO_flush(bio);
2367         }
2368
2369 #ifndef OPENSSL_NO_TLSEXT
2370
2371 static int ocsp_resp_cb(SSL *s, void *arg)
2372         {
2373         const unsigned char *p;
2374         int len;
2375         OCSP_RESPONSE *rsp;
2376         len = SSL_get_tlsext_status_ocsp_resp(s, &p);
2377         BIO_puts(arg, "OCSP response: ");
2378         if (!p)
2379                 {
2380                 BIO_puts(arg, "no response sent\n");
2381                 return 1;
2382                 }
2383         rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
2384         if (!rsp)
2385                 {
2386                 BIO_puts(arg, "response parse error\n");
2387                 BIO_dump_indent(arg, (char *)p, len, 4);
2388                 return 0;
2389                 }
2390         BIO_puts(arg, "\n======================================\n");
2391         OCSP_RESPONSE_print(arg, rsp, 0);
2392         BIO_puts(arg, "======================================\n");
2393         OCSP_RESPONSE_free(rsp);
2394         return 1;
2395         }
2396
2397 static int audit_proof_cb(SSL *s, void *arg)
2398         {
2399         const unsigned char *proof;
2400         size_t proof_len;
2401         size_t i;
2402         SSL_SESSION *sess = SSL_get_session(s);
2403
2404         proof = SSL_SESSION_get_tlsext_authz_server_audit_proof(sess,
2405                                                                 &proof_len);
2406         if (proof != NULL)
2407                 {
2408                 BIO_printf(bio_c_out, "Audit proof: ");
2409                 for (i = 0; i < proof_len; ++i)
2410                         BIO_printf(bio_c_out, "%02X", proof[i]);
2411                 BIO_printf(bio_c_out, "\n");
2412                 }
2413         else
2414                 {
2415                 BIO_printf(bio_c_out, "No audit proof found.\n");
2416                 }
2417         return 1;
2418         }
2419 #endif