Fix infinite loop on s_client starttls xmpp
[openssl.git] / apps / s_client.c
1 /* apps/s_client.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111 /* ====================================================================
112  * Copyright 2005 Nokia. All rights reserved.
113  *
114  * The portions of the attached software ("Contribution") is developed by
115  * Nokia Corporation and is licensed pursuant to the OpenSSL open source
116  * license.
117  *
118  * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119  * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120  * support (see RFC 4279) to OpenSSL.
121  *
122  * No patent licenses or other rights except those expressly stated in
123  * the OpenSSL open source license shall be deemed granted or received
124  * expressly, by implication, estoppel, or otherwise.
125  *
126  * No assurances are provided by Nokia that the Contribution does not
127  * infringe the patent or other intellectual property rights of any third
128  * party or that the license provides you with all the necessary rights
129  * to make use of the Contribution.
130  *
131  * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132  * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133  * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134  * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
135  * OTHERWISE.
136  */
137
138 #include <assert.h>
139 #include <ctype.h>
140 #include <stdio.h>
141 #include <stdlib.h>
142 #include <string.h>
143 #include <openssl/e_os2.h>
144 #ifdef OPENSSL_NO_STDIO
145 #define APPS_WIN16
146 #endif
147
148 /* With IPv6, it looks like Digital has mixed up the proper order of
149    recursive header file inclusion, resulting in the compiler complaining
150    that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which
151    is needed to have fileno() declared correctly...  So let's define u_int */
152 #if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
153 #define __U_INT
154 typedef unsigned int u_int;
155 #endif
156
157 #define USE_SOCKETS
158 #include "apps.h"
159 #include <openssl/x509.h>
160 #include <openssl/ssl.h>
161 #include <openssl/err.h>
162 #include <openssl/pem.h>
163 #include <openssl/rand.h>
164 #include <openssl/ocsp.h>
165 #include <openssl/bn.h>
166 #ifndef OPENSSL_NO_SRP
167 #include <openssl/srp.h>
168 #endif
169 #include "s_apps.h"
170 #include "timeouts.h"
171
172 #if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
173 /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
174 #undef FIONBIO
175 #endif
176
177 #if defined(OPENSSL_SYS_BEOS_R5)
178 #include <fcntl.h>
179 #endif
180
181 #undef PROG
182 #define PROG    s_client_main
183
184 /*#define SSL_HOST_NAME "www.netscape.com" */
185 /*#define SSL_HOST_NAME "193.118.187.102" */
186 #define SSL_HOST_NAME   "localhost"
187
188 /*#define TEST_CERT "client.pem" */ /* no default cert. */
189
190 #undef BUFSIZZ
191 #define BUFSIZZ 1024*8
192
193 extern int verify_depth;
194 extern int verify_error;
195 extern int verify_return_error;
196 extern int verify_quiet;
197
198 #ifdef FIONBIO
199 static int c_nbio=0;
200 #endif
201 static int c_Pause=0;
202 static int c_debug=0;
203 #ifndef OPENSSL_NO_TLSEXT
204 static int c_tlsextdebug=0;
205 static int c_status_req=0;
206 static int c_proof_debug=0;
207 #endif
208 static int c_msg=0;
209 static int c_showcerts=0;
210
211 static char *keymatexportlabel=NULL;
212 static int keymatexportlen=20;
213
214 static void sc_usage(void);
215 static void print_stuff(BIO *berr,SSL *con,int full);
216 #ifndef OPENSSL_NO_TLSEXT
217 static int ocsp_resp_cb(SSL *s, void *arg);
218 static int audit_proof_cb(SSL *s, void *arg);
219 #endif
220 static BIO *bio_c_out=NULL;
221 static BIO *bio_c_msg=NULL;
222 static int c_quiet=0;
223 static int c_ign_eof=0;
224 static int c_brief=0;
225
226 #ifndef OPENSSL_NO_PSK
227 /* Default PSK identity and key */
228 static char *psk_identity="Client_identity";
229 /*char *psk_key=NULL;  by default PSK is not used */
230
231 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity,
232         unsigned int max_identity_len, unsigned char *psk,
233         unsigned int max_psk_len)
234         {
235         unsigned int psk_len = 0;
236         int ret;
237         BIGNUM *bn=NULL;
238
239         if (c_debug)
240                 BIO_printf(bio_c_out, "psk_client_cb\n");
241         if (!hint)
242                 {
243                 /* no ServerKeyExchange message*/
244                 if (c_debug)
245                         BIO_printf(bio_c_out,"NULL received PSK identity hint, continuing anyway\n");
246                 }
247         else if (c_debug)
248                 BIO_printf(bio_c_out, "Received PSK identity hint '%s'\n", hint);
249
250         /* lookup PSK identity and PSK key based on the given identity hint here */
251         ret = BIO_snprintf(identity, max_identity_len, "%s", psk_identity);
252         if (ret < 0 || (unsigned int)ret > max_identity_len)
253                 goto out_err;
254         if (c_debug)
255                 BIO_printf(bio_c_out, "created identity '%s' len=%d\n", identity, ret);
256         ret=BN_hex2bn(&bn, psk_key);
257         if (!ret)
258                 {
259                 BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", psk_key);
260                 if (bn)
261                         BN_free(bn);
262                 return 0;
263                 }
264
265         if ((unsigned int)BN_num_bytes(bn) > max_psk_len)
266                 {
267                 BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
268                         max_psk_len, BN_num_bytes(bn));
269                 BN_free(bn);
270                 return 0;
271                 }
272
273         psk_len=BN_bn2bin(bn, psk);
274         BN_free(bn);
275         if (psk_len == 0)
276                 goto out_err;
277
278         if (c_debug)
279                 BIO_printf(bio_c_out, "created PSK len=%d\n", psk_len);
280
281         return psk_len;
282  out_err:
283         if (c_debug)
284                 BIO_printf(bio_err, "Error in PSK client callback\n");
285         return 0;
286         }
287 #endif
288
289 static void sc_usage(void)
290         {
291         BIO_printf(bio_err,"usage: s_client args\n");
292         BIO_printf(bio_err,"\n");
293         BIO_printf(bio_err," -host host     - use -connect instead\n");
294         BIO_printf(bio_err," -port port     - use -connect instead\n");
295         BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR);
296         BIO_printf(bio_err," -verify arg   - turn on peer certificate verification\n");
297         BIO_printf(bio_err," -cert arg     - certificate file to use, PEM format assumed\n");
298         BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n");
299         BIO_printf(bio_err," -key arg      - Private key file to use, in cert file if\n");
300         BIO_printf(bio_err,"                 not specified but cert file is.\n");
301         BIO_printf(bio_err," -keyform arg  - key format (PEM or DER) PEM default\n");
302         BIO_printf(bio_err," -pass arg     - private key file pass phrase source\n");
303         BIO_printf(bio_err," -CApath arg   - PEM format directory of CA's\n");
304         BIO_printf(bio_err," -CAfile arg   - PEM format file of CA's\n");
305         BIO_printf(bio_err," -reconnect    - Drop and re-make the connection with the same Session-ID\n");
306         BIO_printf(bio_err," -pause        - sleep(1) after each read(2) and write(2) system call\n");
307         BIO_printf(bio_err," -showcerts    - show all certificates in the chain\n");
308         BIO_printf(bio_err," -debug        - extra output\n");
309 #ifdef WATT32
310         BIO_printf(bio_err," -wdebug       - WATT-32 tcp debugging\n");
311 #endif
312         BIO_printf(bio_err," -msg          - Show protocol messages\n");
313         BIO_printf(bio_err," -nbio_test    - more ssl protocol testing\n");
314         BIO_printf(bio_err," -state        - print the 'ssl' states\n");
315 #ifdef FIONBIO
316         BIO_printf(bio_err," -nbio         - Run with non-blocking IO\n");
317 #endif
318         BIO_printf(bio_err," -crlf         - convert LF from terminal into CRLF\n");
319         BIO_printf(bio_err," -quiet        - no s_client output\n");
320         BIO_printf(bio_err," -ign_eof      - ignore input eof (default when -quiet)\n");
321         BIO_printf(bio_err," -no_ign_eof   - don't ignore input eof\n");
322 #ifndef OPENSSL_NO_PSK
323         BIO_printf(bio_err," -psk_identity arg - PSK identity\n");
324         BIO_printf(bio_err," -psk arg      - PSK in hex (without 0x)\n");
325 # ifndef OPENSSL_NO_JPAKE
326         BIO_printf(bio_err," -jpake arg    - JPAKE secret to use\n");
327 # endif
328 #endif
329 #ifndef OPENSSL_NO_SRP
330         BIO_printf(bio_err," -srpuser user     - SRP authentification for 'user'\n");
331         BIO_printf(bio_err," -srppass arg      - password for 'user'\n");
332         BIO_printf(bio_err," -srp_lateuser     - SRP username into second ClientHello message\n");
333         BIO_printf(bio_err," -srp_moregroups   - Tolerate other than the known g N values.\n");
334         BIO_printf(bio_err," -srp_strength int - minimal mength in bits for N (default %d).\n",SRP_MINIMAL_N);
335 #endif
336         BIO_printf(bio_err," -ssl2         - just use SSLv2\n");
337         BIO_printf(bio_err," -ssl3         - just use SSLv3\n");
338         BIO_printf(bio_err," -tls1_2       - just use TLSv1.2\n");
339         BIO_printf(bio_err," -tls1_1       - just use TLSv1.1\n");
340         BIO_printf(bio_err," -tls1         - just use TLSv1\n");
341         BIO_printf(bio_err," -dtls1        - just use DTLSv1\n");    
342         BIO_printf(bio_err," -mtu          - set the link layer MTU\n");
343         BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
344         BIO_printf(bio_err," -bugs         - Switch on all SSL implementation bug workarounds\n");
345         BIO_printf(bio_err," -serverpref   - Use server's cipher preferences (only SSLv2)\n");
346         BIO_printf(bio_err," -cipher       - preferred cipher to use, use the 'openssl ciphers'\n");
347         BIO_printf(bio_err,"                 command to see what is available\n");
348         BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n");
349         BIO_printf(bio_err,"                 for those protocols that support it, where\n");
350         BIO_printf(bio_err,"                 'prot' defines which one to assume.  Currently,\n");
351         BIO_printf(bio_err,"                 only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
352         BIO_printf(bio_err,"                 are supported.\n");
353 #ifndef OPENSSL_NO_ENGINE
354         BIO_printf(bio_err," -engine id    - Initialise and use the specified engine\n");
355 #endif
356         BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
357         BIO_printf(bio_err," -sess_out arg - file to write SSL session to\n");
358         BIO_printf(bio_err," -sess_in arg  - file to read SSL session from\n");
359 #ifndef OPENSSL_NO_TLSEXT
360         BIO_printf(bio_err," -servername host  - Set TLS extension servername in ClientHello\n");
361         BIO_printf(bio_err," -tlsextdebug      - hex dump of all TLS extensions received\n");
362         BIO_printf(bio_err," -status           - request certificate status from server\n");
363         BIO_printf(bio_err," -no_ticket        - disable use of RFC4507bis session tickets\n");
364         BIO_printf(bio_err," -proof_debug      - request an audit proof and print its hex dump\n");
365 # ifndef OPENSSL_NO_NEXTPROTONEG
366         BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
367         BIO_printf(bio_err," -alpn arg         - enable ALPN extension, considering named protocols supported (comma-separated list)\n");
368 # endif
369 #ifndef OPENSSL_NO_TLSEXT
370         BIO_printf(bio_err," -serverinfo types - send empty ClientHello extensions (comma-separated numbers)\n");
371 #endif
372 #endif
373         BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
374         BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
375         BIO_printf(bio_err," -keymatexport label   - Export keying material using label\n");
376         BIO_printf(bio_err," -keymatexportlen len  - Export len bytes of keying material (default 20)\n");
377         }
378
379 #ifndef OPENSSL_NO_TLSEXT
380
381 /* This is a context that we pass to callbacks */
382 typedef struct tlsextctx_st {
383    BIO * biodebug;
384    int ack;
385 } tlsextctx;
386
387
388 static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
389         {
390         tlsextctx * p = (tlsextctx *) arg;
391         const char * hn= SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
392         if (SSL_get_servername_type(s) != -1) 
393                 p->ack = !SSL_session_reused(s) && hn != NULL;
394         else 
395                 BIO_printf(bio_err,"Can't use SSL_get_servername\n");
396         
397         return SSL_TLSEXT_ERR_OK;
398         }
399
400 #ifndef OPENSSL_NO_SRP
401
402 /* This is a context that we pass to all callbacks */
403 typedef struct srp_arg_st
404         {
405         char *srppassin;
406         char *srplogin;
407         int msg;   /* copy from c_msg */
408         int debug; /* copy from c_debug */
409         int amp;   /* allow more groups */
410         int strength /* minimal size for N */ ;
411         } SRP_ARG;
412
413 #define SRP_NUMBER_ITERATIONS_FOR_PRIME 64
414
415 static int srp_Verify_N_and_g(const BIGNUM *N, const BIGNUM *g)
416         {
417         BN_CTX *bn_ctx = BN_CTX_new();
418         BIGNUM *p = BN_new();
419         BIGNUM *r = BN_new();
420         int ret =
421                 g != NULL && N != NULL && bn_ctx != NULL && BN_is_odd(N) &&
422                 BN_is_prime_ex(N, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
423                 p != NULL && BN_rshift1(p, N) &&
424
425                 /* p = (N-1)/2 */
426                 BN_is_prime_ex(p, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
427                 r != NULL &&
428
429                 /* verify g^((N-1)/2) == -1 (mod N) */
430                 BN_mod_exp(r, g, p, N, bn_ctx) &&
431                 BN_add_word(r, 1) &&
432                 BN_cmp(r, N) == 0;
433
434         if(r)
435                 BN_free(r);
436         if(p)
437                 BN_free(p);
438         if(bn_ctx)
439                 BN_CTX_free(bn_ctx);
440         return ret;
441         }
442
443 /* This callback is used here for two purposes:
444    - extended debugging
445    - making some primality tests for unknown groups
446    The callback is only called for a non default group.
447
448    An application does not need the call back at all if
449    only the stanard groups are used.  In real life situations, 
450    client and server already share well known groups, 
451    thus there is no need to verify them. 
452    Furthermore, in case that a server actually proposes a group that
453    is not one of those defined in RFC 5054, it is more appropriate 
454    to add the group to a static list and then compare since 
455    primality tests are rather cpu consuming.
456 */
457
458 static int MS_CALLBACK ssl_srp_verify_param_cb(SSL *s, void *arg)
459         {
460         SRP_ARG *srp_arg = (SRP_ARG *)arg;
461         BIGNUM *N = NULL, *g = NULL;
462         if (!(N = SSL_get_srp_N(s)) || !(g = SSL_get_srp_g(s)))
463                 return 0;
464         if (srp_arg->debug || srp_arg->msg || srp_arg->amp == 1)
465                 {
466                 BIO_printf(bio_err, "SRP parameters:\n"); 
467                 BIO_printf(bio_err,"\tN="); BN_print(bio_err,N);
468                 BIO_printf(bio_err,"\n\tg="); BN_print(bio_err,g);
469                 BIO_printf(bio_err,"\n");
470                 }
471
472         if (SRP_check_known_gN_param(g,N))
473                 return 1;
474
475         if (srp_arg->amp == 1)
476                 {
477                 if (srp_arg->debug)
478                         BIO_printf(bio_err, "SRP param N and g are not known params, going to check deeper.\n");
479
480 /* The srp_moregroups is a real debugging feature.
481    Implementors should rather add the value to the known ones.
482    The minimal size has already been tested.
483 */
484                 if (BN_num_bits(g) <= BN_BITS && srp_Verify_N_and_g(N,g))
485                         return 1;
486                 }       
487         BIO_printf(bio_err, "SRP param N and g rejected.\n");
488         return 0;
489         }
490
491 #define PWD_STRLEN 1024
492
493 static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
494         {
495         SRP_ARG *srp_arg = (SRP_ARG *)arg;
496         char *pass = (char *)OPENSSL_malloc(PWD_STRLEN+1);
497         PW_CB_DATA cb_tmp;
498         int l;
499
500         cb_tmp.password = (char *)srp_arg->srppassin;
501         cb_tmp.prompt_info = "SRP user";
502         if ((l = password_callback(pass, PWD_STRLEN, 0, &cb_tmp))<0)
503                 {
504                 BIO_printf (bio_err, "Can't read Password\n");
505                 OPENSSL_free(pass);
506                 return NULL;
507                 }
508         *(pass+l)= '\0';
509
510         return pass;
511         }
512
513 #endif
514         char *srtp_profiles = NULL;
515
516 # ifndef OPENSSL_NO_NEXTPROTONEG
517 /* This the context that we pass to next_proto_cb */
518 typedef struct tlsextnextprotoctx_st {
519         unsigned char *data;
520         unsigned short len;
521         int status;
522 } tlsextnextprotoctx;
523
524 static tlsextnextprotoctx next_proto;
525
526 static int next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg)
527         {
528         tlsextnextprotoctx *ctx = arg;
529
530         if (!c_quiet)
531                 {
532                 /* We can assume that |in| is syntactically valid. */
533                 unsigned i;
534                 BIO_printf(bio_c_out, "Protocols advertised by server: ");
535                 for (i = 0; i < inlen; )
536                         {
537                         if (i)
538                                 BIO_write(bio_c_out, ", ", 2);
539                         BIO_write(bio_c_out, &in[i + 1], in[i]);
540                         i += in[i] + 1;
541                         }
542                 BIO_write(bio_c_out, "\n", 1);
543                 }
544
545         ctx->status = SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len);
546         return SSL_TLSEXT_ERR_OK;
547         }
548 # endif  /* ndef OPENSSL_NO_NEXTPROTONEG */
549
550 static int serverinfo_cli_cb(SSL* s, unsigned short ext_type,
551                              const unsigned char* in, unsigned short inlen, 
552                              int* al, void* arg)
553         {
554         char pem_name[100];
555         unsigned char ext_buf[4 + 65536];
556
557         /* Reconstruct the type/len fields prior to extension data */
558         ext_buf[0] = ext_type >> 8;
559         ext_buf[1] = ext_type & 0xFF;
560         ext_buf[2] = inlen >> 8;
561         ext_buf[3] = inlen & 0xFF;
562         memcpy(ext_buf+4, in, inlen);
563
564         BIO_snprintf(pem_name, sizeof(pem_name), "SERVER_INFO %d", ext_type);
565         PEM_write_bio(bio_c_out, pem_name, "", ext_buf, 4 + inlen);
566         return 1;
567         }
568
569 #endif
570
571 enum
572 {
573         PROTO_OFF       = 0,
574         PROTO_SMTP,
575         PROTO_POP3,
576         PROTO_IMAP,
577         PROTO_FTP,
578         PROTO_XMPP
579 };
580
581 int MAIN(int, char **);
582
583 int MAIN(int argc, char **argv)
584         {
585         int build_chain = 0;
586         SSL *con=NULL;
587 #ifndef OPENSSL_NO_KRB5
588         KSSL_CTX *kctx;
589 #endif
590         int s,k,width,state=0;
591         char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL;
592         int cbuf_len,cbuf_off;
593         int sbuf_len,sbuf_off;
594         fd_set readfds,writefds;
595         short port=PORT;
596         int full_log=1;
597         char *host=SSL_HOST_NAME;
598         char *cert_file=NULL,*key_file=NULL,*chain_file=NULL;
599         int cert_format = FORMAT_PEM, key_format = FORMAT_PEM;
600         char *passarg = NULL, *pass = NULL;
601         X509 *cert = NULL;
602         EVP_PKEY *key = NULL;
603         STACK_OF(X509) *chain = NULL;
604         char *CApath=NULL,*CAfile=NULL;
605         char *chCApath=NULL,*chCAfile=NULL;
606         char *vfyCApath=NULL,*vfyCAfile=NULL;
607         int reconnect=0,badop=0,verify=SSL_VERIFY_NONE;
608         int crlf=0;
609         int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending;
610         SSL_CTX *ctx=NULL;
611         int ret=1,in_init=1,i,nbio_test=0;
612         int starttls_proto = PROTO_OFF;
613         int prexit = 0;
614         X509_VERIFY_PARAM *vpm = NULL;
615         int badarg = 0;
616         const SSL_METHOD *meth=NULL;
617         int socket_type=SOCK_STREAM;
618         BIO *sbio;
619         char *inrand=NULL;
620         int mbuf_len=0;
621         struct timeval timeout, *timeoutp;
622 #ifndef OPENSSL_NO_ENGINE
623         char *engine_id=NULL;
624         char *ssl_client_engine_id=NULL;
625         ENGINE *ssl_client_engine=NULL;
626 #endif
627         ENGINE *e=NULL;
628 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
629         struct timeval tv;
630 #if defined(OPENSSL_SYS_BEOS_R5)
631         int stdin_set = 0;
632 #endif
633 #endif
634 #ifndef OPENSSL_NO_TLSEXT
635         char *servername = NULL; 
636         tlsextctx tlsextcbp = 
637         {NULL,0};
638 # ifndef OPENSSL_NO_NEXTPROTONEG
639         const char *next_proto_neg_in = NULL;
640         const char *alpn_in = NULL;
641 # endif
642 # define MAX_SI_TYPES 100
643         unsigned short serverinfo_types[MAX_SI_TYPES];
644         int serverinfo_types_count = 0;
645 #endif
646         char *sess_in = NULL;
647         char *sess_out = NULL;
648         struct sockaddr peer;
649         int peerlen = sizeof(peer);
650         int enable_timeouts = 0 ;
651         long socket_mtu = 0;
652 #ifndef OPENSSL_NO_JPAKE
653 static char *jpake_secret = NULL;
654 #define no_jpake !jpake_secret
655 #else
656 #define no_jpake 1
657 #endif
658 #ifndef OPENSSL_NO_SRP
659         char * srppass = NULL;
660         int srp_lateuser = 0;
661         SRP_ARG srp_arg = {NULL,NULL,0,0,0,1024};
662 #endif
663         SSL_EXCERT *exc = NULL;
664
665         SSL_CONF_CTX *cctx = NULL;
666         STACK_OF(OPENSSL_STRING) *ssl_args = NULL;
667
668         char *crl_file = NULL;
669         int crl_format = FORMAT_PEM;
670         int crl_download = 0;
671         STACK_OF(X509_CRL) *crls = NULL;
672
673         meth=SSLv23_client_method();
674
675         apps_startup();
676         c_Pause=0;
677         c_quiet=0;
678         c_ign_eof=0;
679         c_debug=0;
680         c_msg=0;
681         c_showcerts=0;
682
683         if (bio_err == NULL)
684                 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
685
686         if (!load_config(bio_err, NULL))
687                 goto end;
688         cctx = SSL_CONF_CTX_new();
689         if (!cctx)
690                 goto end;
691         SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT);
692         SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CMDLINE);
693
694         if (    ((cbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
695                 ((sbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
696                 ((mbuf=OPENSSL_malloc(BUFSIZZ)) == NULL))
697                 {
698                 BIO_printf(bio_err,"out of memory\n");
699                 goto end;
700                 }
701
702         verify_depth=0;
703         verify_error=X509_V_OK;
704 #ifdef FIONBIO
705         c_nbio=0;
706 #endif
707
708         argc--;
709         argv++;
710         while (argc >= 1)
711                 {
712                 if      (strcmp(*argv,"-host") == 0)
713                         {
714                         if (--argc < 1) goto bad;
715                         host= *(++argv);
716                         }
717                 else if (strcmp(*argv,"-port") == 0)
718                         {
719                         if (--argc < 1) goto bad;
720                         port=atoi(*(++argv));
721                         if (port == 0) goto bad;
722                         }
723                 else if (strcmp(*argv,"-connect") == 0)
724                         {
725                         if (--argc < 1) goto bad;
726                         if (!extract_host_port(*(++argv),&host,NULL,&port))
727                                 goto bad;
728                         }
729                 else if (strcmp(*argv,"-verify") == 0)
730                         {
731                         verify=SSL_VERIFY_PEER;
732                         if (--argc < 1) goto bad;
733                         verify_depth=atoi(*(++argv));
734                         if (!c_quiet)
735                                 BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
736                         }
737                 else if (strcmp(*argv,"-cert") == 0)
738                         {
739                         if (--argc < 1) goto bad;
740                         cert_file= *(++argv);
741                         }
742                 else if (strcmp(*argv,"-CRL") == 0)
743                         {
744                         if (--argc < 1) goto bad;
745                         crl_file= *(++argv);
746                         }
747                 else if (strcmp(*argv,"-crl_download") == 0)
748                         crl_download = 1;
749                 else if (strcmp(*argv,"-sess_out") == 0)
750                         {
751                         if (--argc < 1) goto bad;
752                         sess_out = *(++argv);
753                         }
754                 else if (strcmp(*argv,"-sess_in") == 0)
755                         {
756                         if (--argc < 1) goto bad;
757                         sess_in = *(++argv);
758                         }
759                 else if (strcmp(*argv,"-certform") == 0)
760                         {
761                         if (--argc < 1) goto bad;
762                         cert_format = str2fmt(*(++argv));
763                         }
764                 else if (strcmp(*argv,"-CRLform") == 0)
765                         {
766                         if (--argc < 1) goto bad;
767                         crl_format = str2fmt(*(++argv));
768                         }
769                 else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
770                         {
771                         if (badarg)
772                                 goto bad;
773                         continue;
774                         }
775                 else if (strcmp(*argv,"-verify_return_error") == 0)
776                         verify_return_error = 1;
777                 else if (strcmp(*argv,"-verify_quiet") == 0)
778                         verify_quiet = 1;
779                 else if (strcmp(*argv,"-brief") == 0)
780                         {
781                         c_brief = 1;
782                         verify_quiet = 1;
783                         c_quiet = 1;
784                         }
785                 else if (args_excert(&argv, &argc, &badarg, bio_err, &exc))
786                         {
787                         if (badarg)
788                                 goto bad;
789                         continue;
790                         }
791                 else if (args_ssl(&argv, &argc, cctx, &badarg, bio_err, &ssl_args))
792                         {
793                         if (badarg)
794                                 goto bad;
795                         continue;
796                         }
797                 else if (strcmp(*argv,"-prexit") == 0)
798                         prexit=1;
799                 else if (strcmp(*argv,"-crlf") == 0)
800                         crlf=1;
801                 else if (strcmp(*argv,"-quiet") == 0)
802                         {
803                         c_quiet=1;
804                         c_ign_eof=1;
805                         }
806                 else if (strcmp(*argv,"-ign_eof") == 0)
807                         c_ign_eof=1;
808                 else if (strcmp(*argv,"-no_ign_eof") == 0)
809                         c_ign_eof=0;
810                 else if (strcmp(*argv,"-pause") == 0)
811                         c_Pause=1;
812                 else if (strcmp(*argv,"-debug") == 0)
813                         c_debug=1;
814 #ifndef OPENSSL_NO_TLSEXT
815                 else if (strcmp(*argv,"-tlsextdebug") == 0)
816                         c_tlsextdebug=1;
817                 else if (strcmp(*argv,"-status") == 0)
818                         c_status_req=1;
819                 else if (strcmp(*argv,"-proof_debug") == 0)
820                         c_proof_debug=1;
821 #endif
822 #ifdef WATT32
823                 else if (strcmp(*argv,"-wdebug") == 0)
824                         dbug_init();
825 #endif
826                 else if (strcmp(*argv,"-msg") == 0)
827                         c_msg=1;
828                 else if (strcmp(*argv,"-msgfile") == 0)
829                         {
830                         if (--argc < 1) goto bad;
831                         bio_c_msg = BIO_new_file(*(++argv), "w");
832                         }
833 #ifndef OPENSSL_NO_SSL_TRACE
834                 else if (strcmp(*argv,"-trace") == 0)
835                         c_msg=2;
836 #endif
837                 else if (strcmp(*argv,"-showcerts") == 0)
838                         c_showcerts=1;
839                 else if (strcmp(*argv,"-nbio_test") == 0)
840                         nbio_test=1;
841                 else if (strcmp(*argv,"-state") == 0)
842                         state=1;
843 #ifndef OPENSSL_NO_PSK
844                 else if (strcmp(*argv,"-psk_identity") == 0)
845                         {
846                         if (--argc < 1) goto bad;
847                         psk_identity=*(++argv);
848                         }
849                 else if (strcmp(*argv,"-psk") == 0)
850                         {
851                         size_t j;
852
853                         if (--argc < 1) goto bad;
854                         psk_key=*(++argv);
855                         for (j = 0; j < strlen(psk_key); j++)
856                                 {
857                                 if (isxdigit((unsigned char)psk_key[j]))
858                                         continue;
859                                 BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
860                                 goto bad;
861                                 }
862                         }
863 #endif
864 #ifndef OPENSSL_NO_SRP
865                 else if (strcmp(*argv,"-srpuser") == 0)
866                         {
867                         if (--argc < 1) goto bad;
868                         srp_arg.srplogin= *(++argv);
869                         meth=TLSv1_client_method();
870                         }
871                 else if (strcmp(*argv,"-srppass") == 0)
872                         {
873                         if (--argc < 1) goto bad;
874                         srppass= *(++argv);
875                         meth=TLSv1_client_method();
876                         }
877                 else if (strcmp(*argv,"-srp_strength") == 0)
878                         {
879                         if (--argc < 1) goto bad;
880                         srp_arg.strength=atoi(*(++argv));
881                         BIO_printf(bio_err,"SRP minimal length for N is %d\n",srp_arg.strength);
882                         meth=TLSv1_client_method();
883                         }
884                 else if (strcmp(*argv,"-srp_lateuser") == 0)
885                         {
886                         srp_lateuser= 1;
887                         meth=TLSv1_client_method();
888                         }
889                 else if (strcmp(*argv,"-srp_moregroups") == 0)
890                         {
891                         srp_arg.amp=1;
892                         meth=TLSv1_client_method();
893                         }
894 #endif
895 #ifndef OPENSSL_NO_SSL2
896                 else if (strcmp(*argv,"-ssl2") == 0)
897                         meth=SSLv2_client_method();
898 #endif
899 #ifndef OPENSSL_NO_SSL3
900                 else if (strcmp(*argv,"-ssl3") == 0)
901                         meth=SSLv3_client_method();
902 #endif
903 #ifndef OPENSSL_NO_TLS1
904                 else if (strcmp(*argv,"-tls1_2") == 0)
905                         meth=TLSv1_2_client_method();
906                 else if (strcmp(*argv,"-tls1_1") == 0)
907                         meth=TLSv1_1_client_method();
908                 else if (strcmp(*argv,"-tls1") == 0)
909                         meth=TLSv1_client_method();
910 #endif
911 #ifndef OPENSSL_NO_DTLS1
912                 else if (strcmp(*argv,"-dtls") == 0)
913                         {
914                         meth=DTLS_client_method();
915                         socket_type=SOCK_DGRAM;
916                         }
917                 else if (strcmp(*argv,"-dtls1") == 0)
918                         {
919                         meth=DTLSv1_client_method();
920                         socket_type=SOCK_DGRAM;
921                         }
922                 else if (strcmp(*argv,"-dtls1_2") == 0)
923                         {
924                         meth=DTLSv1_2_client_method();
925                         socket_type=SOCK_DGRAM;
926                         }
927                 else if (strcmp(*argv,"-timeout") == 0)
928                         enable_timeouts=1;
929                 else if (strcmp(*argv,"-mtu") == 0)
930                         {
931                         if (--argc < 1) goto bad;
932                         socket_mtu = atol(*(++argv));
933                         }
934 #endif
935                 else if (strcmp(*argv,"-keyform") == 0)
936                         {
937                         if (--argc < 1) goto bad;
938                         key_format = str2fmt(*(++argv));
939                         }
940                 else if (strcmp(*argv,"-pass") == 0)
941                         {
942                         if (--argc < 1) goto bad;
943                         passarg = *(++argv);
944                         }
945                 else if (strcmp(*argv,"-cert_chain") == 0)
946                         {
947                         if (--argc < 1) goto bad;
948                         chain_file= *(++argv);
949                         }
950                 else if (strcmp(*argv,"-key") == 0)
951                         {
952                         if (--argc < 1) goto bad;
953                         key_file= *(++argv);
954                         }
955                 else if (strcmp(*argv,"-reconnect") == 0)
956                         {
957                         reconnect=5;
958                         }
959                 else if (strcmp(*argv,"-CApath") == 0)
960                         {
961                         if (--argc < 1) goto bad;
962                         CApath= *(++argv);
963                         }
964                 else if (strcmp(*argv,"-chainCApath") == 0)
965                         {
966                         if (--argc < 1) goto bad;
967                         chCApath= *(++argv);
968                         }
969                 else if (strcmp(*argv,"-verifyCApath") == 0)
970                         {
971                         if (--argc < 1) goto bad;
972                         vfyCApath= *(++argv);
973                         }
974                 else if (strcmp(*argv,"-build_chain") == 0)
975                         build_chain = 1;
976                 else if (strcmp(*argv,"-CAfile") == 0)
977                         {
978                         if (--argc < 1) goto bad;
979                         CAfile= *(++argv);
980                         }
981                 else if (strcmp(*argv,"-chainCAfile") == 0)
982                         {
983                         if (--argc < 1) goto bad;
984                         chCAfile= *(++argv);
985                         }
986                 else if (strcmp(*argv,"-verifyCAfile") == 0)
987                         {
988                         if (--argc < 1) goto bad;
989                         vfyCAfile= *(++argv);
990                         }
991 #ifndef OPENSSL_NO_TLSEXT
992 # ifndef OPENSSL_NO_NEXTPROTONEG
993                 else if (strcmp(*argv,"-nextprotoneg") == 0)
994                         {
995                         if (--argc < 1) goto bad;
996                         next_proto_neg_in = *(++argv);
997                         }
998                 else if (strcmp(*argv,"-alpn") == 0)
999                         {
1000                         if (--argc < 1) goto bad;
1001                         alpn_in = *(++argv);
1002                         }
1003 # endif
1004                 else if (strcmp(*argv,"-serverinfo") == 0)
1005                         {
1006                         char *c;
1007                         int start = 0;
1008                         int len;
1009
1010                         if (--argc < 1) goto bad;
1011                         c = *(++argv);
1012                         serverinfo_types_count = 0;
1013                         len = strlen(c);
1014                         for (i = 0; i <= len; ++i)
1015                                 {
1016                                 if (i == len || c[i] == ',')
1017                                         {
1018                                         serverinfo_types[serverinfo_types_count]
1019                                             = atoi(c+start);
1020                                         serverinfo_types_count++;
1021                                         start = i+1;
1022                                         }
1023                                 if (serverinfo_types_count == MAX_SI_TYPES)
1024                                         break;
1025                                 }
1026                         }
1027 #endif
1028 #ifdef FIONBIO
1029                 else if (strcmp(*argv,"-nbio") == 0)
1030                         { c_nbio=1; }
1031 #endif
1032                 else if (strcmp(*argv,"-starttls") == 0)
1033                         {
1034                         if (--argc < 1) goto bad;
1035                         ++argv;
1036                         if (strcmp(*argv,"smtp") == 0)
1037                                 starttls_proto = PROTO_SMTP;
1038                         else if (strcmp(*argv,"pop3") == 0)
1039                                 starttls_proto = PROTO_POP3;
1040                         else if (strcmp(*argv,"imap") == 0)
1041                                 starttls_proto = PROTO_IMAP;
1042                         else if (strcmp(*argv,"ftp") == 0)
1043                                 starttls_proto = PROTO_FTP;
1044                         else if (strcmp(*argv, "xmpp") == 0)
1045                                 starttls_proto = PROTO_XMPP;
1046                         else
1047                                 goto bad;
1048                         }
1049 #ifndef OPENSSL_NO_ENGINE
1050                 else if (strcmp(*argv,"-engine") == 0)
1051                         {
1052                         if (--argc < 1) goto bad;
1053                         engine_id = *(++argv);
1054                         }
1055                 else if (strcmp(*argv,"-ssl_client_engine") == 0)
1056                         {
1057                         if (--argc < 1) goto bad;
1058                         ssl_client_engine_id = *(++argv);
1059                         }
1060 #endif
1061                 else if (strcmp(*argv,"-rand") == 0)
1062                         {
1063                         if (--argc < 1) goto bad;
1064                         inrand= *(++argv);
1065                         }
1066 #ifndef OPENSSL_NO_TLSEXT
1067                 else if (strcmp(*argv,"-servername") == 0)
1068                         {
1069                         if (--argc < 1) goto bad;
1070                         servername= *(++argv);
1071                         /* meth=TLSv1_client_method(); */
1072                         }
1073 #endif
1074 #ifndef OPENSSL_NO_JPAKE
1075                 else if (strcmp(*argv,"-jpake") == 0)
1076                         {
1077                         if (--argc < 1) goto bad;
1078                         jpake_secret = *++argv;
1079                         }
1080 #endif
1081                 else if (strcmp(*argv,"-use_srtp") == 0)
1082                         {
1083                         if (--argc < 1) goto bad;
1084                         srtp_profiles = *(++argv);
1085                         }
1086                 else if (strcmp(*argv,"-keymatexport") == 0)
1087                         {
1088                         if (--argc < 1) goto bad;
1089                         keymatexportlabel= *(++argv);
1090                         }
1091                 else if (strcmp(*argv,"-keymatexportlen") == 0)
1092                         {
1093                         if (--argc < 1) goto bad;
1094                         keymatexportlen=atoi(*(++argv));
1095                         if (keymatexportlen == 0) goto bad;
1096                         }
1097                 else
1098                         {
1099                         BIO_printf(bio_err,"unknown option %s\n",*argv);
1100                         badop=1;
1101                         break;
1102                         }
1103                 argc--;
1104                 argv++;
1105                 }
1106         if (badop)
1107                 {
1108 bad:
1109                 sc_usage();
1110                 goto end;
1111                 }
1112
1113 #if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
1114         if (jpake_secret)
1115                 {
1116                 if (psk_key)
1117                         {
1118                         BIO_printf(bio_err,
1119                                    "Can't use JPAKE and PSK together\n");
1120                         goto end;
1121                         }
1122                 psk_identity = "JPAKE";
1123                 }
1124 #endif
1125
1126         OpenSSL_add_ssl_algorithms();
1127         SSL_load_error_strings();
1128
1129 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
1130         next_proto.status = -1;
1131         if (next_proto_neg_in)
1132                 {
1133                 next_proto.data = next_protos_parse(&next_proto.len, next_proto_neg_in);
1134                 if (next_proto.data == NULL)
1135                         {
1136                         BIO_printf(bio_err, "Error parsing -nextprotoneg argument\n");
1137                         goto end;
1138                         }
1139                 }
1140         else
1141                 next_proto.data = NULL;
1142 #endif
1143
1144 #ifndef OPENSSL_NO_ENGINE
1145         e = setup_engine(bio_err, engine_id, 1);
1146         if (ssl_client_engine_id)
1147                 {
1148                 ssl_client_engine = ENGINE_by_id(ssl_client_engine_id);
1149                 if (!ssl_client_engine)
1150                         {
1151                         BIO_printf(bio_err,
1152                                         "Error getting client auth engine\n");
1153                         goto end;
1154                         }
1155                 }
1156
1157 #endif
1158         if (!app_passwd(bio_err, passarg, NULL, &pass, NULL))
1159                 {
1160                 BIO_printf(bio_err, "Error getting password\n");
1161                 goto end;
1162                 }
1163
1164         if (key_file == NULL)
1165                 key_file = cert_file;
1166
1167
1168         if (key_file)
1169
1170                 {
1171
1172                 key = load_key(bio_err, key_file, key_format, 0, pass, e,
1173                                "client certificate private key file");
1174                 if (!key)
1175                         {
1176                         ERR_print_errors(bio_err);
1177                         goto end;
1178                         }
1179
1180                 }
1181
1182         if (cert_file)
1183
1184                 {
1185                 cert = load_cert(bio_err,cert_file,cert_format,
1186                                 NULL, e, "client certificate file");
1187
1188                 if (!cert)
1189                         {
1190                         ERR_print_errors(bio_err);
1191                         goto end;
1192                         }
1193                 }
1194
1195         if (chain_file)
1196                 {
1197                 chain = load_certs(bio_err, chain_file,FORMAT_PEM,
1198                                         NULL, e, "client certificate chain");
1199                 if (!chain)
1200                         goto end;
1201                 }
1202
1203         if (crl_file)
1204                 {
1205                 X509_CRL *crl;
1206                 crl = load_crl(crl_file, crl_format);
1207                 if (!crl)
1208                         {
1209                         BIO_puts(bio_err, "Error loading CRL\n");
1210                         ERR_print_errors(bio_err);
1211                         goto end;
1212                         }
1213                 crls = sk_X509_CRL_new_null();
1214                 if (!crls || !sk_X509_CRL_push(crls, crl))
1215                         {
1216                         BIO_puts(bio_err, "Error adding CRL\n");
1217                         ERR_print_errors(bio_err);
1218                         X509_CRL_free(crl);
1219                         goto end;
1220                         }
1221                 }
1222
1223         if (!load_excert(&exc, bio_err))
1224                 goto end;
1225
1226         if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
1227                 && !RAND_status())
1228                 {
1229                 BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
1230                 }
1231         if (inrand != NULL)
1232                 BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
1233                         app_RAND_load_files(inrand));
1234
1235         if (bio_c_out == NULL)
1236                 {
1237                 if (c_quiet && !c_debug)
1238                         {
1239                         bio_c_out=BIO_new(BIO_s_null());
1240                         if (c_msg && !bio_c_msg)
1241                                 bio_c_msg=BIO_new_fp(stdout,BIO_NOCLOSE);
1242                         }
1243                 else
1244                         {
1245                         if (bio_c_out == NULL)
1246                                 bio_c_out=BIO_new_fp(stdout,BIO_NOCLOSE);
1247                         }
1248                 }
1249
1250 #ifndef OPENSSL_NO_SRP
1251         if(!app_passwd(bio_err, srppass, NULL, &srp_arg.srppassin, NULL))
1252                 {
1253                 BIO_printf(bio_err, "Error getting password\n");
1254                 goto end;
1255                 }
1256 #endif
1257
1258         ctx=SSL_CTX_new(meth);
1259         if (ctx == NULL)
1260                 {
1261                 ERR_print_errors(bio_err);
1262                 goto end;
1263                 }
1264
1265         if (vpm)
1266                 SSL_CTX_set1_param(ctx, vpm);
1267
1268         if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, 1, no_jpake))
1269                 {
1270                 ERR_print_errors(bio_err);
1271                 goto end;
1272                 }
1273
1274         if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile,
1275                                                 crls, crl_download))
1276                 {
1277                 BIO_printf(bio_err, "Error loading store locations\n");
1278                 ERR_print_errors(bio_err);
1279                 goto end;
1280                 }
1281
1282 #ifndef OPENSSL_NO_ENGINE
1283         if (ssl_client_engine)
1284                 {
1285                 if (!SSL_CTX_set_client_cert_engine(ctx, ssl_client_engine))
1286                         {
1287                         BIO_puts(bio_err, "Error setting client auth engine\n");
1288                         ERR_print_errors(bio_err);
1289                         ENGINE_free(ssl_client_engine);
1290                         goto end;
1291                         }
1292                 ENGINE_free(ssl_client_engine);
1293                 }
1294 #endif
1295
1296 #ifndef OPENSSL_NO_PSK
1297 #ifdef OPENSSL_NO_JPAKE
1298         if (psk_key != NULL)
1299 #else
1300         if (psk_key != NULL || jpake_secret)
1301 #endif
1302                 {
1303                 if (c_debug)
1304                         BIO_printf(bio_c_out, "PSK key given or JPAKE in use, setting client callback\n");
1305                 SSL_CTX_set_psk_client_callback(ctx, psk_client_cb);
1306                 }
1307         if (srtp_profiles != NULL)
1308                 SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles);
1309 #endif
1310         if (exc) ssl_ctx_set_excert(ctx, exc);
1311         /* DTLS: partial reads end up discarding unread UDP bytes :-( 
1312          * Setting read ahead solves this problem.
1313          */
1314         if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
1315
1316 #if !defined(OPENSSL_NO_TLSEXT)
1317 # if !defined(OPENSSL_NO_NEXTPROTONEG)
1318         if (next_proto.data)
1319                 SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);
1320 # endif
1321         if (alpn_in)
1322                 {
1323                 unsigned short alpn_len;
1324                 unsigned char *alpn = next_protos_parse(&alpn_len, alpn_in);
1325
1326                 if (alpn == NULL)
1327                         {
1328                         BIO_printf(bio_err, "Error parsing -alpn argument\n");
1329                         goto end;
1330                         }
1331                 SSL_CTX_set_alpn_protos(ctx, alpn, alpn_len);
1332                 OPENSSL_free(alpn);
1333                 }
1334 #endif
1335 #ifndef OPENSSL_NO_TLSEXT
1336                 if (serverinfo_types_count)
1337                         {
1338                         for (i = 0; i < serverinfo_types_count; i++)
1339                                 {
1340                                 SSL_CTX_set_custom_cli_ext(ctx,
1341                                                            serverinfo_types[i],
1342                                                            NULL, 
1343                                                            serverinfo_cli_cb,
1344                                                            NULL);
1345                                 }
1346                         }
1347 #endif
1348
1349         if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
1350 #if 0
1351         else
1352                 SSL_CTX_set_cipher_list(ctx,getenv("SSL_CIPHER"));
1353 #endif
1354
1355         SSL_CTX_set_verify(ctx,verify,verify_callback);
1356
1357         if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
1358                 (!SSL_CTX_set_default_verify_paths(ctx)))
1359                 {
1360                 /* BIO_printf(bio_err,"error setting default verify locations\n"); */
1361                 ERR_print_errors(bio_err);
1362                 /* goto end; */
1363                 }
1364
1365         ssl_ctx_add_crls(ctx, crls, crl_download);
1366
1367         if (!set_cert_key_stuff(ctx,cert,key,chain,build_chain))
1368                 goto end;
1369
1370 #ifndef OPENSSL_NO_TLSEXT
1371         if (servername != NULL)
1372                 {
1373                 tlsextcbp.biodebug = bio_err;
1374                 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
1375                 SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
1376                 }
1377 #ifndef OPENSSL_NO_SRP
1378         if (srp_arg.srplogin)
1379                 {
1380                 if (!srp_lateuser && !SSL_CTX_set_srp_username(ctx, srp_arg.srplogin))
1381                         {
1382                         BIO_printf(bio_err,"Unable to set SRP username\n");
1383                         goto end;
1384                         }
1385                 srp_arg.msg = c_msg;
1386                 srp_arg.debug = c_debug ;
1387                 SSL_CTX_set_srp_cb_arg(ctx,&srp_arg);
1388                 SSL_CTX_set_srp_client_pwd_callback(ctx, ssl_give_srp_client_pwd_cb);
1389                 SSL_CTX_set_srp_strength(ctx, srp_arg.strength);
1390                 if (c_msg || c_debug || srp_arg.amp == 0)
1391                         SSL_CTX_set_srp_verify_param_callback(ctx, ssl_srp_verify_param_cb);
1392                 }
1393
1394 #endif
1395         if (c_proof_debug)
1396                 SSL_CTX_set_tlsext_authz_server_audit_proof_cb(ctx,
1397                                                                audit_proof_cb);
1398 #endif
1399
1400         con=SSL_new(ctx);
1401         if (sess_in)
1402                 {
1403                 SSL_SESSION *sess;
1404                 BIO *stmp = BIO_new_file(sess_in, "r");
1405                 if (!stmp)
1406                         {
1407                         BIO_printf(bio_err, "Can't open session file %s\n",
1408                                                 sess_in);
1409                         ERR_print_errors(bio_err);
1410                         goto end;
1411                         }
1412                 sess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL);
1413                 BIO_free(stmp);
1414                 if (!sess)
1415                         {
1416                         BIO_printf(bio_err, "Can't open session file %s\n",
1417                                                 sess_in);
1418                         ERR_print_errors(bio_err);
1419                         goto end;
1420                         }
1421                 SSL_set_session(con, sess);
1422                 SSL_SESSION_free(sess);
1423                 }
1424 #ifndef OPENSSL_NO_TLSEXT
1425         if (servername != NULL)
1426                 {
1427                 if (!SSL_set_tlsext_host_name(con,servername))
1428                         {
1429                         BIO_printf(bio_err,"Unable to set TLS servername extension.\n");
1430                         ERR_print_errors(bio_err);
1431                         goto end;
1432                         }
1433                 }
1434 #endif
1435 #ifndef OPENSSL_NO_KRB5
1436         if (con  &&  (kctx = kssl_ctx_new()) != NULL)
1437                 {
1438                 SSL_set0_kssl_ctx(con, kctx);
1439                 kssl_ctx_setstring(kctx, KSSL_SERVER, host);
1440                 }
1441 #endif  /* OPENSSL_NO_KRB5  */
1442 /*      SSL_set_cipher_list(con,"RC4-MD5"); */
1443 #if 0
1444 #ifdef TLSEXT_TYPE_opaque_prf_input
1445         SSL_set_tlsext_opaque_prf_input(con, "Test client", 11);
1446 #endif
1447 #endif
1448
1449 re_start:
1450
1451         if (init_client(&s,host,port,socket_type) == 0)
1452                 {
1453                 BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
1454                 SHUTDOWN(s);
1455                 goto end;
1456                 }
1457         BIO_printf(bio_c_out,"CONNECTED(%08X)\n",s);
1458
1459 #ifdef FIONBIO
1460         if (c_nbio)
1461                 {
1462                 unsigned long l=1;
1463                 BIO_printf(bio_c_out,"turning on non blocking io\n");
1464                 if (BIO_socket_ioctl(s,FIONBIO,&l) < 0)
1465                         {
1466                         ERR_print_errors(bio_err);
1467                         goto end;
1468                         }
1469                 }
1470 #endif                                              
1471         if (c_Pause & 0x01) SSL_set_debug(con, 1);
1472
1473         if (socket_type == SOCK_DGRAM)
1474                 {
1475
1476                 sbio=BIO_new_dgram(s,BIO_NOCLOSE);
1477                 if (getsockname(s, &peer, (void *)&peerlen) < 0)
1478                         {
1479                         BIO_printf(bio_err, "getsockname:errno=%d\n",
1480                                 get_last_socket_error());
1481                         SHUTDOWN(s);
1482                         goto end;
1483                         }
1484
1485                 (void)BIO_ctrl_set_connected(sbio, 1, &peer);
1486
1487                 if (enable_timeouts)
1488                         {
1489                         timeout.tv_sec = 0;
1490                         timeout.tv_usec = DGRAM_RCV_TIMEOUT;
1491                         BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
1492                         
1493                         timeout.tv_sec = 0;
1494                         timeout.tv_usec = DGRAM_SND_TIMEOUT;
1495                         BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
1496                         }
1497
1498                 if (socket_mtu > 28)
1499                         {
1500                         SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
1501                         SSL_set_mtu(con, socket_mtu - 28);
1502                         }
1503                 else
1504                         /* want to do MTU discovery */
1505                         BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
1506                 }
1507         else
1508                 sbio=BIO_new_socket(s,BIO_NOCLOSE);
1509
1510         if (nbio_test)
1511                 {
1512                 BIO *test;
1513
1514                 test=BIO_new(BIO_f_nbio_test());
1515                 sbio=BIO_push(test,sbio);
1516                 }
1517
1518         if (c_debug)
1519                 {
1520                 SSL_set_debug(con, 1);
1521                 BIO_set_callback(sbio,bio_dump_callback);
1522                 BIO_set_callback_arg(sbio,(char *)bio_c_out);
1523                 }
1524         if (c_msg)
1525                 {
1526 #ifndef OPENSSL_NO_SSL_TRACE
1527                 if (c_msg == 2)
1528                         SSL_set_msg_callback(con, SSL_trace);
1529                 else
1530 #endif
1531                         SSL_set_msg_callback(con, msg_cb);
1532                 SSL_set_msg_callback_arg(con, bio_c_msg ? bio_c_msg : bio_c_out);
1533                 }
1534 #ifndef OPENSSL_NO_TLSEXT
1535         if (c_tlsextdebug)
1536                 {
1537                 SSL_set_tlsext_debug_callback(con, tlsext_cb);
1538                 SSL_set_tlsext_debug_arg(con, bio_c_out);
1539                 }
1540         if (c_status_req)
1541                 {
1542                 SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp);
1543                 SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb);
1544                 SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out);
1545 #if 0
1546 {
1547 STACK_OF(OCSP_RESPID) *ids = sk_OCSP_RESPID_new_null();
1548 OCSP_RESPID *id = OCSP_RESPID_new();
1549 id->value.byKey = ASN1_OCTET_STRING_new();
1550 id->type = V_OCSP_RESPID_KEY;
1551 ASN1_STRING_set(id->value.byKey, "Hello World", -1);
1552 sk_OCSP_RESPID_push(ids, id);
1553 SSL_set_tlsext_status_ids(con, ids);
1554 }
1555 #endif
1556                 }
1557 #endif
1558 #ifndef OPENSSL_NO_JPAKE
1559         if (jpake_secret)
1560                 jpake_client_auth(bio_c_out, sbio, jpake_secret);
1561 #endif
1562
1563         SSL_set_bio(con,sbio,sbio);
1564         SSL_set_connect_state(con);
1565
1566         /* ok, lets connect */
1567         width=SSL_get_fd(con)+1;
1568
1569         read_tty=1;
1570         write_tty=0;
1571         tty_on=0;
1572         read_ssl=1;
1573         write_ssl=1;
1574         
1575         cbuf_len=0;
1576         cbuf_off=0;
1577         sbuf_len=0;
1578         sbuf_off=0;
1579
1580         /* This is an ugly hack that does a lot of assumptions */
1581         /* We do have to handle multi-line responses which may come
1582            in a single packet or not. We therefore have to use
1583            BIO_gets() which does need a buffering BIO. So during
1584            the initial chitchat we do push a buffering BIO into the
1585            chain that is removed again later on to not disturb the
1586            rest of the s_client operation. */
1587         if (starttls_proto == PROTO_SMTP)
1588                 {
1589                 int foundit=0;
1590                 BIO *fbio = BIO_new(BIO_f_buffer());
1591                 BIO_push(fbio, sbio);
1592                 /* wait for multi-line response to end from SMTP */
1593                 do
1594                         {
1595                         mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1596                         }
1597                 while (mbuf_len>3 && mbuf[3]=='-');
1598                 /* STARTTLS command requires EHLO... */
1599                 BIO_printf(fbio,"EHLO openssl.client.net\r\n");
1600                 (void)BIO_flush(fbio);
1601                 /* wait for multi-line response to end EHLO SMTP response */
1602                 do
1603                         {
1604                         mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1605                         if (strstr(mbuf,"STARTTLS"))
1606                                 foundit=1;
1607                         }
1608                 while (mbuf_len>3 && mbuf[3]=='-');
1609                 (void)BIO_flush(fbio);
1610                 BIO_pop(fbio);
1611                 BIO_free(fbio);
1612                 if (!foundit)
1613                         BIO_printf(bio_err,
1614                                    "didn't found starttls in server response,"
1615                                    " try anyway...\n");
1616                 BIO_printf(sbio,"STARTTLS\r\n");
1617                 BIO_read(sbio,sbuf,BUFSIZZ);
1618                 }
1619         else if (starttls_proto == PROTO_POP3)
1620                 {
1621                 BIO_read(sbio,mbuf,BUFSIZZ);
1622                 BIO_printf(sbio,"STLS\r\n");
1623                 BIO_read(sbio,sbuf,BUFSIZZ);
1624                 }
1625         else if (starttls_proto == PROTO_IMAP)
1626                 {
1627                 int foundit=0;
1628                 BIO *fbio = BIO_new(BIO_f_buffer());
1629                 BIO_push(fbio, sbio);
1630                 BIO_gets(fbio,mbuf,BUFSIZZ);
1631                 /* STARTTLS command requires CAPABILITY... */
1632                 BIO_printf(fbio,". CAPABILITY\r\n");
1633                 (void)BIO_flush(fbio);
1634                 /* wait for multi-line CAPABILITY response */
1635                 do
1636                         {
1637                         mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1638                         if (strstr(mbuf,"STARTTLS"))
1639                                 foundit=1;
1640                         }
1641                 while (mbuf_len>3 && mbuf[0]!='.');
1642                 (void)BIO_flush(fbio);
1643                 BIO_pop(fbio);
1644                 BIO_free(fbio);
1645                 if (!foundit)
1646                         BIO_printf(bio_err,
1647                                    "didn't found STARTTLS in server response,"
1648                                    " try anyway...\n");
1649                 BIO_printf(sbio,". STARTTLS\r\n");
1650                 BIO_read(sbio,sbuf,BUFSIZZ);
1651                 }
1652         else if (starttls_proto == PROTO_FTP)
1653                 {
1654                 BIO *fbio = BIO_new(BIO_f_buffer());
1655                 BIO_push(fbio, sbio);
1656                 /* wait for multi-line response to end from FTP */
1657                 do
1658                         {
1659                         mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1660                         }
1661                 while (mbuf_len>3 && mbuf[3]=='-');
1662                 (void)BIO_flush(fbio);
1663                 BIO_pop(fbio);
1664                 BIO_free(fbio);
1665                 BIO_printf(sbio,"AUTH TLS\r\n");
1666                 BIO_read(sbio,sbuf,BUFSIZZ);
1667                 }
1668         if (starttls_proto == PROTO_XMPP)
1669                 {
1670                 int seen = 0;
1671                 BIO_printf(sbio,"<stream:stream "
1672                     "xmlns:stream='http://etherx.jabber.org/streams' "
1673                     "xmlns='jabber:client' to='%s' version='1.0'>", host);
1674                 seen = BIO_read(sbio,mbuf,BUFSIZZ);
1675                 mbuf[seen] = 0;
1676                 while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'") &&
1677                                 !strstr(mbuf, "<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\""))
1678                         {
1679                         seen = BIO_read(sbio,mbuf,BUFSIZZ);
1680
1681                         if (seen <= 0)
1682                                 goto shut;
1683
1684                         mbuf[seen] = 0;
1685                         }
1686                 BIO_printf(sbio, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>");
1687                 seen = BIO_read(sbio,sbuf,BUFSIZZ);
1688                 sbuf[seen] = 0;
1689                 if (!strstr(sbuf, "<proceed"))
1690                         goto shut;
1691                 mbuf[0] = 0;
1692                 }
1693
1694         for (;;)
1695                 {
1696                 FD_ZERO(&readfds);
1697                 FD_ZERO(&writefds);
1698
1699                 if ((SSL_version(con) == DTLS1_VERSION) &&
1700                         DTLSv1_get_timeout(con, &timeout))
1701                         timeoutp = &timeout;
1702                 else
1703                         timeoutp = NULL;
1704
1705                 if (SSL_in_init(con) && !SSL_total_renegotiations(con))
1706                         {
1707                         in_init=1;
1708                         tty_on=0;
1709                         }
1710                 else
1711                         {
1712                         tty_on=1;
1713                         if (in_init)
1714                                 {
1715                                 in_init=0;
1716 #if 0 /* This test doesn't really work as intended (needs to be fixed) */
1717 #ifndef OPENSSL_NO_TLSEXT
1718                                 if (servername != NULL && !SSL_session_reused(con))
1719                                         {
1720                                         BIO_printf(bio_c_out,"Server did %sacknowledge servername extension.\n",tlsextcbp.ack?"":"not ");
1721                                         }
1722 #endif
1723 #endif
1724                                 if (sess_out)
1725                                         {
1726                                         BIO *stmp = BIO_new_file(sess_out, "w");
1727                                         if (stmp)
1728                                                 {
1729                                                 PEM_write_bio_SSL_SESSION(stmp, SSL_get_session(con));
1730                                                 BIO_free(stmp);
1731                                                 }
1732                                         else 
1733                                                 BIO_printf(bio_err, "Error writing session file %s\n", sess_out);
1734                                         }
1735                                 if (c_brief)
1736                                         {
1737                                         BIO_puts(bio_err,
1738                                                 "CONNECTION ESTABLISHED\n");
1739                                         print_ssl_summary(bio_err, con);
1740                                         }
1741                                 print_stuff(bio_c_out,con,full_log);
1742                                 if (full_log > 0) full_log--;
1743
1744                                 if (starttls_proto)
1745                                         {
1746                                         BIO_printf(bio_err,"%s",mbuf);
1747                                         /* We don't need to know any more */
1748                                         starttls_proto = PROTO_OFF;
1749                                         }
1750
1751                                 if (reconnect)
1752                                         {
1753                                         reconnect--;
1754                                         BIO_printf(bio_c_out,"drop connection and then reconnect\n");
1755                                         SSL_shutdown(con);
1756                                         SSL_set_connect_state(con);
1757                                         SHUTDOWN(SSL_get_fd(con));
1758                                         goto re_start;
1759                                         }
1760                                 }
1761                         }
1762
1763                 ssl_pending = read_ssl && SSL_pending(con);
1764
1765                 if (!ssl_pending)
1766                         {
1767 #if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) && !defined (OPENSSL_SYS_BEOS_R5)
1768                         if (tty_on)
1769                                 {
1770                                 if (read_tty)  openssl_fdset(fileno(stdin),&readfds);
1771                                 if (write_tty) openssl_fdset(fileno(stdout),&writefds);
1772                                 }
1773                         if (read_ssl)
1774                                 openssl_fdset(SSL_get_fd(con),&readfds);
1775                         if (write_ssl)
1776                                 openssl_fdset(SSL_get_fd(con),&writefds);
1777 #else
1778                         if(!tty_on || !write_tty) {
1779                                 if (read_ssl)
1780                                         openssl_fdset(SSL_get_fd(con),&readfds);
1781                                 if (write_ssl)
1782                                         openssl_fdset(SSL_get_fd(con),&writefds);
1783                         }
1784 #endif
1785 /*                      printf("mode tty(%d %d%d) ssl(%d%d)\n",
1786                                 tty_on,read_tty,write_tty,read_ssl,write_ssl);*/
1787
1788                         /* Note: under VMS with SOCKETSHR the second parameter
1789                          * is currently of type (int *) whereas under other
1790                          * systems it is (void *) if you don't have a cast it
1791                          * will choke the compiler: if you do have a cast then
1792                          * you can either go for (int *) or (void *).
1793                          */
1794 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
1795                         /* Under Windows/DOS we make the assumption that we can
1796                          * always write to the tty: therefore if we need to
1797                          * write to the tty we just fall through. Otherwise
1798                          * we timeout the select every second and see if there
1799                          * are any keypresses. Note: this is a hack, in a proper
1800                          * Windows application we wouldn't do this.
1801                          */
1802                         i=0;
1803                         if(!write_tty) {
1804                                 if(read_tty) {
1805                                         tv.tv_sec = 1;
1806                                         tv.tv_usec = 0;
1807                                         i=select(width,(void *)&readfds,(void *)&writefds,
1808                                                  NULL,&tv);
1809 #if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
1810                                         if(!i && (!_kbhit() || !read_tty) ) continue;
1811 #else
1812                                         if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue;
1813 #endif
1814                                 } else  i=select(width,(void *)&readfds,(void *)&writefds,
1815                                          NULL,timeoutp);
1816                         }
1817 #elif defined(OPENSSL_SYS_NETWARE)
1818                         if(!write_tty) {
1819                                 if(read_tty) {
1820                                         tv.tv_sec = 1;
1821                                         tv.tv_usec = 0;
1822                                         i=select(width,(void *)&readfds,(void *)&writefds,
1823                                                 NULL,&tv);
1824                                 } else  i=select(width,(void *)&readfds,(void *)&writefds,
1825                                         NULL,timeoutp);
1826                         }
1827 #elif defined(OPENSSL_SYS_BEOS_R5)
1828                         /* Under BeOS-R5 the situation is similar to DOS */
1829                         i=0;
1830                         stdin_set = 0;
1831                         (void)fcntl(fileno(stdin), F_SETFL, O_NONBLOCK);
1832                         if(!write_tty) {
1833                                 if(read_tty) {
1834                                         tv.tv_sec = 1;
1835                                         tv.tv_usec = 0;
1836                                         i=select(width,(void *)&readfds,(void *)&writefds,
1837                                                  NULL,&tv);
1838                                         if (read(fileno(stdin), sbuf, 0) >= 0)
1839                                                 stdin_set = 1;
1840                                         if (!i && (stdin_set != 1 || !read_tty))
1841                                                 continue;
1842                                 } else  i=select(width,(void *)&readfds,(void *)&writefds,
1843                                          NULL,timeoutp);
1844                         }
1845                         (void)fcntl(fileno(stdin), F_SETFL, 0);
1846 #else
1847                         i=select(width,(void *)&readfds,(void *)&writefds,
1848                                  NULL,timeoutp);
1849 #endif
1850                         if ( i < 0)
1851                                 {
1852                                 BIO_printf(bio_err,"bad select %d\n",
1853                                 get_last_socket_error());
1854                                 goto shut;
1855                                 /* goto end; */
1856                                 }
1857                         }
1858
1859                 if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0)
1860                         {
1861                         BIO_printf(bio_err,"TIMEOUT occured\n");
1862                         }
1863
1864                 if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds))
1865                         {
1866                         k=SSL_write(con,&(cbuf[cbuf_off]),
1867                                 (unsigned int)cbuf_len);
1868                         switch (SSL_get_error(con,k))
1869                                 {
1870                         case SSL_ERROR_NONE:
1871                                 cbuf_off+=k;
1872                                 cbuf_len-=k;
1873                                 if (k <= 0) goto end;
1874                                 /* we have done a  write(con,NULL,0); */
1875                                 if (cbuf_len <= 0)
1876                                         {
1877                                         read_tty=1;
1878                                         write_ssl=0;
1879                                         }
1880                                 else /* if (cbuf_len > 0) */
1881                                         {
1882                                         read_tty=0;
1883                                         write_ssl=1;
1884                                         }
1885                                 break;
1886                         case SSL_ERROR_WANT_WRITE:
1887                                 BIO_printf(bio_c_out,"write W BLOCK\n");
1888                                 write_ssl=1;
1889                                 read_tty=0;
1890                                 break;
1891                         case SSL_ERROR_WANT_READ:
1892                                 BIO_printf(bio_c_out,"write R BLOCK\n");
1893                                 write_tty=0;
1894                                 read_ssl=1;
1895                                 write_ssl=0;
1896                                 break;
1897                         case SSL_ERROR_WANT_X509_LOOKUP:
1898                                 BIO_printf(bio_c_out,"write X BLOCK\n");
1899                                 break;
1900                         case SSL_ERROR_ZERO_RETURN:
1901                                 if (cbuf_len != 0)
1902                                         {
1903                                         BIO_printf(bio_c_out,"shutdown\n");
1904                                         ret = 0;
1905                                         goto shut;
1906                                         }
1907                                 else
1908                                         {
1909                                         read_tty=1;
1910                                         write_ssl=0;
1911                                         break;
1912                                         }
1913                                 
1914                         case SSL_ERROR_SYSCALL:
1915                                 if ((k != 0) || (cbuf_len != 0))
1916                                         {
1917                                         BIO_printf(bio_err,"write:errno=%d\n",
1918                                                 get_last_socket_error());
1919                                         goto shut;
1920                                         }
1921                                 else
1922                                         {
1923                                         read_tty=1;
1924                                         write_ssl=0;
1925                                         }
1926                                 break;
1927                         case SSL_ERROR_SSL:
1928                                 ERR_print_errors(bio_err);
1929                                 goto shut;
1930                                 }
1931                         }
1932 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
1933                 /* Assume Windows/DOS/BeOS can always write */
1934                 else if (!ssl_pending && write_tty)
1935 #else
1936                 else if (!ssl_pending && FD_ISSET(fileno(stdout),&writefds))
1937 #endif
1938                         {
1939 #ifdef CHARSET_EBCDIC
1940                         ascii2ebcdic(&(sbuf[sbuf_off]),&(sbuf[sbuf_off]),sbuf_len);
1941 #endif
1942                         i=raw_write_stdout(&(sbuf[sbuf_off]),sbuf_len);
1943
1944                         if (i <= 0)
1945                                 {
1946                                 BIO_printf(bio_c_out,"DONE\n");
1947                                 ret = 0;
1948                                 goto shut;
1949                                 /* goto end; */
1950                                 }
1951
1952                         sbuf_len-=i;;
1953                         sbuf_off+=i;
1954                         if (sbuf_len <= 0)
1955                                 {
1956                                 read_ssl=1;
1957                                 write_tty=0;
1958                                 }
1959                         }
1960                 else if (ssl_pending || FD_ISSET(SSL_get_fd(con),&readfds))
1961                         {
1962 #ifdef RENEG
1963 { static int iiii; if (++iiii == 52) { SSL_renegotiate(con); iiii=0; } }
1964 #endif
1965 #if 1
1966                         k=SSL_read(con,sbuf,1024 /* BUFSIZZ */ );
1967 #else
1968 /* Demo for pending and peek :-) */
1969                         k=SSL_read(con,sbuf,16);
1970 { char zbuf[10240]; 
1971 printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240));
1972 }
1973 #endif
1974
1975                         switch (SSL_get_error(con,k))
1976                                 {
1977                         case SSL_ERROR_NONE:
1978                                 if (k <= 0)
1979                                         goto end;
1980                                 sbuf_off=0;
1981                                 sbuf_len=k;
1982
1983                                 read_ssl=0;
1984                                 write_tty=1;
1985                                 break;
1986                         case SSL_ERROR_WANT_WRITE:
1987                                 BIO_printf(bio_c_out,"read W BLOCK\n");
1988                                 write_ssl=1;
1989                                 read_tty=0;
1990                                 break;
1991                         case SSL_ERROR_WANT_READ:
1992                                 BIO_printf(bio_c_out,"read R BLOCK\n");
1993                                 write_tty=0;
1994                                 read_ssl=1;
1995                                 if ((read_tty == 0) && (write_ssl == 0))
1996                                         write_ssl=1;
1997                                 break;
1998                         case SSL_ERROR_WANT_X509_LOOKUP:
1999                                 BIO_printf(bio_c_out,"read X BLOCK\n");
2000                                 break;
2001                         case SSL_ERROR_SYSCALL:
2002                                 ret=get_last_socket_error();
2003                                 if (c_brief)
2004                                         BIO_puts(bio_err, "CONNECTION CLOSED BY SERVER\n");
2005                                 else
2006                                         BIO_printf(bio_err,"read:errno=%d\n",ret);
2007                                 goto shut;
2008                         case SSL_ERROR_ZERO_RETURN:
2009                                 BIO_printf(bio_c_out,"closed\n");
2010                                 ret=0;
2011                                 goto shut;
2012                         case SSL_ERROR_SSL:
2013                                 ERR_print_errors(bio_err);
2014                                 goto shut;
2015                                 /* break; */
2016                                 }
2017                         }
2018
2019 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
2020 #if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
2021                 else if (_kbhit())
2022 #else
2023                 else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
2024 #endif
2025 #elif defined (OPENSSL_SYS_NETWARE)
2026                 else if (_kbhit())
2027 #elif defined(OPENSSL_SYS_BEOS_R5)
2028                 else if (stdin_set)
2029 #else
2030                 else if (FD_ISSET(fileno(stdin),&readfds))
2031 #endif
2032                         {
2033                         if (crlf)
2034                                 {
2035                                 int j, lf_num;
2036
2037                                 i=raw_read_stdin(cbuf,BUFSIZZ/2);
2038                                 lf_num = 0;
2039                                 /* both loops are skipped when i <= 0 */
2040                                 for (j = 0; j < i; j++)
2041                                         if (cbuf[j] == '\n')
2042                                                 lf_num++;
2043                                 for (j = i-1; j >= 0; j--)
2044                                         {
2045                                         cbuf[j+lf_num] = cbuf[j];
2046                                         if (cbuf[j] == '\n')
2047                                                 {
2048                                                 lf_num--;
2049                                                 i++;
2050                                                 cbuf[j+lf_num] = '\r';
2051                                                 }
2052                                         }
2053                                 assert(lf_num == 0);
2054                                 }
2055                         else
2056                                 i=raw_read_stdin(cbuf,BUFSIZZ);
2057
2058                         if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q')))
2059                                 {
2060                                 BIO_printf(bio_err,"DONE\n");
2061                                 ret=0;
2062                                 goto shut;
2063                                 }
2064
2065                         if ((!c_ign_eof) && (cbuf[0] == 'R'))
2066                                 {
2067                                 BIO_printf(bio_err,"RENEGOTIATING\n");
2068                                 SSL_renegotiate(con);
2069                                 cbuf_len=0;
2070                                 }
2071 #ifndef OPENSSL_NO_HEARTBEATS
2072                         else if ((!c_ign_eof) && (cbuf[0] == 'B'))
2073                                 {
2074                                 BIO_printf(bio_err,"HEARTBEATING\n");
2075                                 SSL_heartbeat(con);
2076                                 cbuf_len=0;
2077                                 }
2078 #endif
2079                         else
2080                                 {
2081                                 cbuf_len=i;
2082                                 cbuf_off=0;
2083 #ifdef CHARSET_EBCDIC
2084                                 ebcdic2ascii(cbuf, cbuf, i);
2085 #endif
2086                                 }
2087
2088                         write_ssl=1;
2089                         read_tty=0;
2090                         }
2091                 }
2092
2093         ret=0;
2094 shut:
2095         if (in_init)
2096                 print_stuff(bio_c_out,con,full_log);
2097         SSL_shutdown(con);
2098         SHUTDOWN(SSL_get_fd(con));
2099 end:
2100         if (con != NULL)
2101                 {
2102                 if (prexit != 0)
2103                         print_stuff(bio_c_out,con,1);
2104                 SSL_free(con);
2105                 }
2106 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
2107         if (next_proto.data)
2108                 OPENSSL_free(next_proto.data);
2109 #endif
2110         if (ctx != NULL) SSL_CTX_free(ctx);
2111         if (cert)
2112                 X509_free(cert);
2113         if (crls)
2114                 sk_X509_CRL_pop_free(crls, X509_CRL_free);
2115         if (key)
2116                 EVP_PKEY_free(key);
2117         if (chain)
2118                 sk_X509_pop_free(chain, X509_free);
2119         if (pass)
2120                 OPENSSL_free(pass);
2121         if (vpm)
2122                 X509_VERIFY_PARAM_free(vpm);
2123         ssl_excert_free(exc);
2124         if (ssl_args)
2125                 sk_OPENSSL_STRING_free(ssl_args);
2126         if (cctx)
2127                 SSL_CONF_CTX_free(cctx);
2128 #ifndef OPENSSL_NO_JPAKE
2129         if (jpake_secret && psk_key)
2130                 OPENSSL_free(psk_key);
2131 #endif
2132         if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); }
2133         if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); }
2134         if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); }
2135         if (bio_c_out != NULL)
2136                 {
2137                 BIO_free(bio_c_out);
2138                 bio_c_out=NULL;
2139                 }
2140         if (bio_c_msg != NULL)
2141                 {
2142                 BIO_free(bio_c_msg);
2143                 bio_c_msg=NULL;
2144                 }
2145         apps_shutdown();
2146         OPENSSL_EXIT(ret);
2147         }
2148
2149
2150 static void print_stuff(BIO *bio, SSL *s, int full)
2151         {
2152         X509 *peer=NULL;
2153         char *p;
2154         static const char *space="                ";
2155         char buf[BUFSIZ];
2156         STACK_OF(X509) *sk;
2157         STACK_OF(X509_NAME) *sk2;
2158         const SSL_CIPHER *c;
2159         X509_NAME *xn;
2160         int j,i;
2161 #ifndef OPENSSL_NO_COMP
2162         const COMP_METHOD *comp, *expansion;
2163 #endif
2164         unsigned char *exportedkeymat;
2165
2166         if (full)
2167                 {
2168                 int got_a_chain = 0;
2169
2170                 sk=SSL_get_peer_cert_chain(s);
2171                 if (sk != NULL)
2172                         {
2173                         got_a_chain = 1; /* we don't have it for SSL2 (yet) */
2174
2175                         BIO_printf(bio,"---\nCertificate chain\n");
2176                         for (i=0; i<sk_X509_num(sk); i++)
2177                                 {
2178                                 X509_NAME_oneline(X509_get_subject_name(
2179                                         sk_X509_value(sk,i)),buf,sizeof buf);
2180                                 BIO_printf(bio,"%2d s:%s\n",i,buf);
2181                                 X509_NAME_oneline(X509_get_issuer_name(
2182                                         sk_X509_value(sk,i)),buf,sizeof buf);
2183                                 BIO_printf(bio,"   i:%s\n",buf);
2184                                 if (c_showcerts)
2185                                         PEM_write_bio_X509(bio,sk_X509_value(sk,i));
2186                                 }
2187                         }
2188
2189                 BIO_printf(bio,"---\n");
2190                 peer=SSL_get_peer_certificate(s);
2191                 if (peer != NULL)
2192                         {
2193                         BIO_printf(bio,"Server certificate\n");
2194                         if (!(c_showcerts && got_a_chain)) /* Redundant if we showed the whole chain */
2195                                 PEM_write_bio_X509(bio,peer);
2196                         X509_NAME_oneline(X509_get_subject_name(peer),
2197                                 buf,sizeof buf);
2198                         BIO_printf(bio,"subject=%s\n",buf);
2199                         X509_NAME_oneline(X509_get_issuer_name(peer),
2200                                 buf,sizeof buf);
2201                         BIO_printf(bio,"issuer=%s\n",buf);
2202                         }
2203                 else
2204                         BIO_printf(bio,"no peer certificate available\n");
2205
2206                 sk2=SSL_get_client_CA_list(s);
2207                 if ((sk2 != NULL) && (sk_X509_NAME_num(sk2) > 0))
2208                         {
2209                         BIO_printf(bio,"---\nAcceptable client certificate CA names\n");
2210                         for (i=0; i<sk_X509_NAME_num(sk2); i++)
2211                                 {
2212                                 xn=sk_X509_NAME_value(sk2,i);
2213                                 X509_NAME_oneline(xn,buf,sizeof(buf));
2214                                 BIO_write(bio,buf,strlen(buf));
2215                                 BIO_write(bio,"\n",1);
2216                                 }
2217                         }
2218                 else
2219                         {
2220                         BIO_printf(bio,"---\nNo client certificate CA names sent\n");
2221                         }
2222                 p=SSL_get_shared_ciphers(s,buf,sizeof buf);
2223                 if (p != NULL)
2224                         {
2225                         /* This works only for SSL 2.  In later protocol
2226                          * versions, the client does not know what other
2227                          * ciphers (in addition to the one to be used
2228                          * in the current connection) the server supports. */
2229
2230                         BIO_printf(bio,"---\nCiphers common between both SSL endpoints:\n");
2231                         j=i=0;
2232                         while (*p)
2233                                 {
2234                                 if (*p == ':')
2235                                         {
2236                                         BIO_write(bio,space,15-j%25);
2237                                         i++;
2238                                         j=0;
2239                                         BIO_write(bio,((i%3)?" ":"\n"),1);
2240                                         }
2241                                 else
2242                                         {
2243                                         BIO_write(bio,p,1);
2244                                         j++;
2245                                         }
2246                                 p++;
2247                                 }
2248                         BIO_write(bio,"\n",1);
2249                         }
2250
2251                 ssl_print_sigalgs(bio, s);
2252                 ssl_print_tmp_key(bio, s);
2253
2254                 BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n",
2255                         BIO_number_read(SSL_get_rbio(s)),
2256                         BIO_number_written(SSL_get_wbio(s)));
2257                 }
2258         BIO_printf(bio,(SSL_cache_hit(s)?"---\nReused, ":"---\nNew, "));
2259         c=SSL_get_current_cipher(s);
2260         BIO_printf(bio,"%s, Cipher is %s\n",
2261                 SSL_CIPHER_get_version(c),
2262                 SSL_CIPHER_get_name(c));
2263         if (peer != NULL) {
2264                 EVP_PKEY *pktmp;
2265                 pktmp = X509_get_pubkey(peer);
2266                 BIO_printf(bio,"Server public key is %d bit\n",
2267                                                          EVP_PKEY_bits(pktmp));
2268                 EVP_PKEY_free(pktmp);
2269         }
2270         BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
2271                         SSL_get_secure_renegotiation_support(s) ? "" : " NOT");
2272 #ifndef OPENSSL_NO_COMP
2273         comp=SSL_get_current_compression(s);
2274         expansion=SSL_get_current_expansion(s);
2275         BIO_printf(bio,"Compression: %s\n",
2276                 comp ? SSL_COMP_get_name(comp) : "NONE");
2277         BIO_printf(bio,"Expansion: %s\n",
2278                 expansion ? SSL_COMP_get_name(expansion) : "NONE");
2279 #endif
2280  
2281 #ifdef SSL_DEBUG
2282         {
2283         /* Print out local port of connection: useful for debugging */
2284         int sock;
2285         struct sockaddr_in ladd;
2286         socklen_t ladd_size = sizeof(ladd);
2287         sock = SSL_get_fd(s);
2288         getsockname(sock, (struct sockaddr *)&ladd, &ladd_size);
2289         BIO_printf(bio_c_out, "LOCAL PORT is %u\n", ntohs(ladd.sin_port));
2290         }
2291 #endif
2292
2293 #if !defined(OPENSSL_NO_TLSEXT)
2294 # if !defined(OPENSSL_NO_NEXTPROTONEG)
2295         if (next_proto.status != -1) {
2296                 const unsigned char *proto;
2297                 unsigned int proto_len;
2298                 SSL_get0_next_proto_negotiated(s, &proto, &proto_len);
2299                 BIO_printf(bio, "Next protocol: (%d) ", next_proto.status);
2300                 BIO_write(bio, proto, proto_len);
2301                 BIO_write(bio, "\n", 1);
2302         }
2303         {
2304                 const unsigned char *proto;
2305                 unsigned int proto_len;
2306                 SSL_get0_alpn_selected(s, &proto, &proto_len);
2307                 if (proto_len > 0)
2308                         {
2309                         BIO_printf(bio, "ALPN protocol: ");
2310                         BIO_write(bio, proto, proto_len);
2311                         BIO_write(bio, "\n", 1);
2312                         }
2313                 else
2314                         BIO_printf(bio, "No ALPN negotiated\n");
2315         }
2316 # endif
2317 #endif
2318
2319         {
2320         SRTP_PROTECTION_PROFILE *srtp_profile=SSL_get_selected_srtp_profile(s);
2321  
2322         if(srtp_profile)
2323                 BIO_printf(bio,"SRTP Extension negotiated, profile=%s\n",
2324                            srtp_profile->name);
2325         }
2326  
2327         SSL_SESSION_print(bio,SSL_get_session(s));
2328         if (keymatexportlabel != NULL)
2329                 {
2330                 BIO_printf(bio, "Keying material exporter:\n");
2331                 BIO_printf(bio, "    Label: '%s'\n", keymatexportlabel);
2332                 BIO_printf(bio, "    Length: %i bytes\n", keymatexportlen);
2333                 exportedkeymat = OPENSSL_malloc(keymatexportlen);
2334                 if (exportedkeymat != NULL)
2335                         {
2336                         if (!SSL_export_keying_material(s, exportedkeymat,
2337                                                         keymatexportlen,
2338                                                         keymatexportlabel,
2339                                                         strlen(keymatexportlabel),
2340                                                         NULL, 0, 0))
2341                                 {
2342                                 BIO_printf(bio, "    Error\n");
2343                                 }
2344                         else
2345                                 {
2346                                 BIO_printf(bio, "    Keying material: ");
2347                                 for (i=0; i<keymatexportlen; i++)
2348                                         BIO_printf(bio, "%02X",
2349                                                    exportedkeymat[i]);
2350                                 BIO_printf(bio, "\n");
2351                                 }
2352                         OPENSSL_free(exportedkeymat);
2353                         }
2354                 }
2355         BIO_printf(bio,"---\n");
2356         if (peer != NULL)
2357                 X509_free(peer);
2358         /* flush, or debugging output gets mixed with http response */
2359         (void)BIO_flush(bio);
2360         }
2361
2362 #ifndef OPENSSL_NO_TLSEXT
2363
2364 static int ocsp_resp_cb(SSL *s, void *arg)
2365         {
2366         const unsigned char *p;
2367         int len;
2368         OCSP_RESPONSE *rsp;
2369         len = SSL_get_tlsext_status_ocsp_resp(s, &p);
2370         BIO_puts(arg, "OCSP response: ");
2371         if (!p)
2372                 {
2373                 BIO_puts(arg, "no response sent\n");
2374                 return 1;
2375                 }
2376         rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
2377         if (!rsp)
2378                 {
2379                 BIO_puts(arg, "response parse error\n");
2380                 BIO_dump_indent(arg, (char *)p, len, 4);
2381                 return 0;
2382                 }
2383         BIO_puts(arg, "\n======================================\n");
2384         OCSP_RESPONSE_print(arg, rsp, 0);
2385         BIO_puts(arg, "======================================\n");
2386         OCSP_RESPONSE_free(rsp);
2387         return 1;
2388         }
2389
2390 static int audit_proof_cb(SSL *s, void *arg)
2391         {
2392         const unsigned char *proof;
2393         size_t proof_len;
2394         size_t i;
2395         SSL_SESSION *sess = SSL_get_session(s);
2396
2397         proof = SSL_SESSION_get_tlsext_authz_server_audit_proof(sess,
2398                                                                 &proof_len);
2399         if (proof != NULL)
2400                 {
2401                 BIO_printf(bio_c_out, "Audit proof: ");
2402                 for (i = 0; i < proof_len; ++i)
2403                         BIO_printf(bio_c_out, "%02X", proof[i]);
2404                 BIO_printf(bio_c_out, "\n");
2405                 }
2406         else
2407                 {
2408                 BIO_printf(bio_c_out, "No audit proof found.\n");
2409                 }
2410         return 1;
2411         }
2412 #endif