Workaround for some CMS signature formats.
[openssl.git] / apps / s_client.c
1 /* apps/s_client.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111 /* ====================================================================
112  * Copyright 2005 Nokia. All rights reserved.
113  *
114  * The portions of the attached software ("Contribution") is developed by
115  * Nokia Corporation and is licensed pursuant to the OpenSSL open source
116  * license.
117  *
118  * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119  * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120  * support (see RFC 4279) to OpenSSL.
121  *
122  * No patent licenses or other rights except those expressly stated in
123  * the OpenSSL open source license shall be deemed granted or received
124  * expressly, by implication, estoppel, or otherwise.
125  *
126  * No assurances are provided by Nokia that the Contribution does not
127  * infringe the patent or other intellectual property rights of any third
128  * party or that the license provides you with all the necessary rights
129  * to make use of the Contribution.
130  *
131  * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132  * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133  * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134  * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
135  * OTHERWISE.
136  */
137
138 #include <assert.h>
139 #include <ctype.h>
140 #include <stdio.h>
141 #include <stdlib.h>
142 #include <string.h>
143 #include <openssl/e_os2.h>
144 #ifdef OPENSSL_NO_STDIO
145 #define APPS_WIN16
146 #endif
147
148 /* With IPv6, it looks like Digital has mixed up the proper order of
149    recursive header file inclusion, resulting in the compiler complaining
150    that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which
151    is needed to have fileno() declared correctly...  So let's define u_int */
152 #if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
153 #define __U_INT
154 typedef unsigned int u_int;
155 #endif
156
157 #define USE_SOCKETS
158 #include "apps.h"
159 #include <openssl/x509.h>
160 #include <openssl/ssl.h>
161 #include <openssl/err.h>
162 #include <openssl/pem.h>
163 #include <openssl/rand.h>
164 #include <openssl/ocsp.h>
165 #include <openssl/bn.h>
166 #ifndef OPENSSL_NO_SRP
167 #include <openssl/srp.h>
168 #endif
169 #include "s_apps.h"
170 #include "timeouts.h"
171
172 #if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
173 /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
174 #undef FIONBIO
175 #endif
176
177 #if defined(OPENSSL_SYS_BEOS_R5)
178 #include <fcntl.h>
179 #endif
180
181 #undef PROG
182 #define PROG    s_client_main
183
184 /*#define SSL_HOST_NAME "www.netscape.com" */
185 /*#define SSL_HOST_NAME "193.118.187.102" */
186 #define SSL_HOST_NAME   "localhost"
187
188 /*#define TEST_CERT "client.pem" */ /* no default cert. */
189
190 #undef BUFSIZZ
191 #define BUFSIZZ 1024*8
192
193 extern int verify_depth;
194 extern int verify_error;
195 extern int verify_return_error;
196 extern int verify_quiet;
197
198 #ifdef FIONBIO
199 static int c_nbio=0;
200 #endif
201 static int c_Pause=0;
202 static int c_debug=0;
203 #ifndef OPENSSL_NO_TLSEXT
204 static int c_tlsextdebug=0;
205 static int c_status_req=0;
206 #endif
207 static int c_msg=0;
208 static int c_showcerts=0;
209
210 static char *keymatexportlabel=NULL;
211 static int keymatexportlen=20;
212
213 static void sc_usage(void);
214 static void print_stuff(BIO *berr,SSL *con,int full);
215 #ifndef OPENSSL_NO_TLSEXT
216 static int ocsp_resp_cb(SSL *s, void *arg);
217 static int c_auth = 0;
218 static int c_auth_require_reneg = 0;
219 #endif
220 static BIO *bio_c_out=NULL;
221 static BIO *bio_c_msg=NULL;
222 static int c_quiet=0;
223 static int c_ign_eof=0;
224 static int c_brief=0;
225
226 #ifndef OPENSSL_NO_TLSEXT
227
228 static unsigned char *generated_supp_data = NULL;
229
230 static const unsigned char *most_recent_supplemental_data = NULL;
231 static size_t most_recent_supplemental_data_length = 0;
232
233 static int server_provided_server_authz = 0;
234 static int server_provided_client_authz = 0;
235
236 static const unsigned char auth_ext_data[]={TLSEXT_AUTHZDATAFORMAT_dtcp};
237
238 static int suppdata_cb(SSL *s, unsigned short supp_data_type,
239                        const unsigned char *in,
240                        unsigned short inlen, int *al,
241                        void *arg);
242
243 static int auth_suppdata_generate_cb(SSL *s, unsigned short supp_data_type,
244                                      const unsigned char **out,
245                                      unsigned short *outlen, int *al, void *arg);
246
247 static int authz_tlsext_generate_cb(SSL *s, unsigned short ext_type,
248                                     const unsigned char **out, unsigned short *outlen,
249                                     int *al, void *arg);
250
251 static int authz_tlsext_cb(SSL *s, unsigned short ext_type,
252                            const unsigned char *in,
253                            unsigned short inlen, int *al,
254                            void *arg);
255 #endif
256
257 #ifndef OPENSSL_NO_PSK
258 /* Default PSK identity and key */
259 static char *psk_identity="Client_identity";
260 /*char *psk_key=NULL;  by default PSK is not used */
261
262 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity,
263         unsigned int max_identity_len, unsigned char *psk,
264         unsigned int max_psk_len)
265         {
266         unsigned int psk_len = 0;
267         int ret;
268         BIGNUM *bn=NULL;
269
270         if (c_debug)
271                 BIO_printf(bio_c_out, "psk_client_cb\n");
272         if (!hint)
273                 {
274                 /* no ServerKeyExchange message*/
275                 if (c_debug)
276                         BIO_printf(bio_c_out,"NULL received PSK identity hint, continuing anyway\n");
277                 }
278         else if (c_debug)
279                 BIO_printf(bio_c_out, "Received PSK identity hint '%s'\n", hint);
280
281         /* lookup PSK identity and PSK key based on the given identity hint here */
282         ret = BIO_snprintf(identity, max_identity_len, "%s", psk_identity);
283         if (ret < 0 || (unsigned int)ret > max_identity_len)
284                 goto out_err;
285         if (c_debug)
286                 BIO_printf(bio_c_out, "created identity '%s' len=%d\n", identity, ret);
287         ret=BN_hex2bn(&bn, psk_key);
288         if (!ret)
289                 {
290                 BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", psk_key);
291                 if (bn)
292                         BN_free(bn);
293                 return 0;
294                 }
295
296         if ((unsigned int)BN_num_bytes(bn) > max_psk_len)
297                 {
298                 BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
299                         max_psk_len, BN_num_bytes(bn));
300                 BN_free(bn);
301                 return 0;
302                 }
303
304         psk_len=BN_bn2bin(bn, psk);
305         BN_free(bn);
306         if (psk_len == 0)
307                 goto out_err;
308
309         if (c_debug)
310                 BIO_printf(bio_c_out, "created PSK len=%d\n", psk_len);
311
312         return psk_len;
313  out_err:
314         if (c_debug)
315                 BIO_printf(bio_err, "Error in PSK client callback\n");
316         return 0;
317         }
318 #endif
319
320 static void sc_usage(void)
321         {
322         BIO_printf(bio_err,"usage: s_client args\n");
323         BIO_printf(bio_err,"\n");
324         BIO_printf(bio_err," -host host     - use -connect instead\n");
325         BIO_printf(bio_err," -port port     - use -connect instead\n");
326         BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR);
327         BIO_printf(bio_err," -verify arg   - turn on peer certificate verification\n");
328         BIO_printf(bio_err," -cert arg     - certificate file to use, PEM format assumed\n");
329         BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n");
330         BIO_printf(bio_err," -key arg      - Private key file to use, in cert file if\n");
331         BIO_printf(bio_err,"                 not specified but cert file is.\n");
332         BIO_printf(bio_err," -keyform arg  - key format (PEM or DER) PEM default\n");
333         BIO_printf(bio_err," -pass arg     - private key file pass phrase source\n");
334         BIO_printf(bio_err," -CApath arg   - PEM format directory of CA's\n");
335         BIO_printf(bio_err," -CAfile arg   - PEM format file of CA's\n");
336         BIO_printf(bio_err," -reconnect    - Drop and re-make the connection with the same Session-ID\n");
337         BIO_printf(bio_err," -pause        - sleep(1) after each read(2) and write(2) system call\n");
338         BIO_printf(bio_err," -showcerts    - show all certificates in the chain\n");
339         BIO_printf(bio_err," -debug        - extra output\n");
340 #ifdef WATT32
341         BIO_printf(bio_err," -wdebug       - WATT-32 tcp debugging\n");
342 #endif
343         BIO_printf(bio_err," -msg          - Show protocol messages\n");
344         BIO_printf(bio_err," -nbio_test    - more ssl protocol testing\n");
345         BIO_printf(bio_err," -state        - print the 'ssl' states\n");
346 #ifdef FIONBIO
347         BIO_printf(bio_err," -nbio         - Run with non-blocking IO\n");
348 #endif
349         BIO_printf(bio_err," -crlf         - convert LF from terminal into CRLF\n");
350         BIO_printf(bio_err," -quiet        - no s_client output\n");
351         BIO_printf(bio_err," -ign_eof      - ignore input eof (default when -quiet)\n");
352         BIO_printf(bio_err," -no_ign_eof   - don't ignore input eof\n");
353 #ifndef OPENSSL_NO_PSK
354         BIO_printf(bio_err," -psk_identity arg - PSK identity\n");
355         BIO_printf(bio_err," -psk arg      - PSK in hex (without 0x)\n");
356 # ifndef OPENSSL_NO_JPAKE
357         BIO_printf(bio_err," -jpake arg    - JPAKE secret to use\n");
358 # endif
359 #endif
360 #ifndef OPENSSL_NO_SRP
361         BIO_printf(bio_err," -srpuser user     - SRP authentification for 'user'\n");
362         BIO_printf(bio_err," -srppass arg      - password for 'user'\n");
363         BIO_printf(bio_err," -srp_lateuser     - SRP username into second ClientHello message\n");
364         BIO_printf(bio_err," -srp_moregroups   - Tolerate other than the known g N values.\n");
365         BIO_printf(bio_err," -srp_strength int - minimal mength in bits for N (default %d).\n",SRP_MINIMAL_N);
366 #endif
367         BIO_printf(bio_err," -ssl2         - just use SSLv2\n");
368         BIO_printf(bio_err," -ssl3         - just use SSLv3\n");
369         BIO_printf(bio_err," -tls1_2       - just use TLSv1.2\n");
370         BIO_printf(bio_err," -tls1_1       - just use TLSv1.1\n");
371         BIO_printf(bio_err," -tls1         - just use TLSv1\n");
372         BIO_printf(bio_err," -dtls1        - just use DTLSv1\n");    
373         BIO_printf(bio_err," -mtu          - set the link layer MTU\n");
374         BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
375         BIO_printf(bio_err," -bugs         - Switch on all SSL implementation bug workarounds\n");
376         BIO_printf(bio_err," -serverpref   - Use server's cipher preferences (only SSLv2)\n");
377         BIO_printf(bio_err," -cipher       - preferred cipher to use, use the 'openssl ciphers'\n");
378         BIO_printf(bio_err,"                 command to see what is available\n");
379         BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n");
380         BIO_printf(bio_err,"                 for those protocols that support it, where\n");
381         BIO_printf(bio_err,"                 'prot' defines which one to assume.  Currently,\n");
382         BIO_printf(bio_err,"                 only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
383         BIO_printf(bio_err,"                 are supported.\n");
384         BIO_printf(bio_err," -xmpphost host - When used with \"-starttls xmpp\" specifies the virtual host.\n");
385 #ifndef OPENSSL_NO_ENGINE
386         BIO_printf(bio_err," -engine id    - Initialise and use the specified engine\n");
387 #endif
388         BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
389         BIO_printf(bio_err," -sess_out arg - file to write SSL session to\n");
390         BIO_printf(bio_err," -sess_in arg  - file to read SSL session from\n");
391 #ifndef OPENSSL_NO_TLSEXT
392         BIO_printf(bio_err," -servername host  - Set TLS extension servername in ClientHello\n");
393         BIO_printf(bio_err," -tlsextdebug      - hex dump of all TLS extensions received\n");
394         BIO_printf(bio_err," -status           - request certificate status from server\n");
395         BIO_printf(bio_err," -no_ticket        - disable use of RFC4507bis session tickets\n");
396         BIO_printf(bio_err," -serverinfo types - send empty ClientHello extensions (comma-separated numbers)\n");
397         BIO_printf(bio_err," -auth               - send and receive RFC 5878 TLS auth extensions and supplemental data\n");
398         BIO_printf(bio_err," -auth_require_reneg - Do not send TLS auth extensions until renegotiation\n");
399 # ifndef OPENSSL_NO_NEXTPROTONEG
400         BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
401 # endif
402         BIO_printf(bio_err," -alpn arg         - enable ALPN extension, considering named protocols supported (comma-separated list)\n");
403 #endif
404         BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
405         BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
406         BIO_printf(bio_err," -keymatexport label   - Export keying material using label\n");
407         BIO_printf(bio_err," -keymatexportlen len  - Export len bytes of keying material (default 20)\n");
408         }
409
410 #ifndef OPENSSL_NO_TLSEXT
411
412 /* This is a context that we pass to callbacks */
413 typedef struct tlsextctx_st {
414    BIO * biodebug;
415    int ack;
416 } tlsextctx;
417
418
419 static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
420         {
421         tlsextctx * p = (tlsextctx *) arg;
422         const char * hn= SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
423         if (SSL_get_servername_type(s) != -1) 
424                 p->ack = !SSL_session_reused(s) && hn != NULL;
425         else 
426                 BIO_printf(bio_err,"Can't use SSL_get_servername\n");
427         
428         return SSL_TLSEXT_ERR_OK;
429         }
430
431 #ifndef OPENSSL_NO_SRP
432
433 /* This is a context that we pass to all callbacks */
434 typedef struct srp_arg_st
435         {
436         char *srppassin;
437         char *srplogin;
438         int msg;   /* copy from c_msg */
439         int debug; /* copy from c_debug */
440         int amp;   /* allow more groups */
441         int strength /* minimal size for N */ ;
442         } SRP_ARG;
443
444 #define SRP_NUMBER_ITERATIONS_FOR_PRIME 64
445
446 static int srp_Verify_N_and_g(const BIGNUM *N, const BIGNUM *g)
447         {
448         BN_CTX *bn_ctx = BN_CTX_new();
449         BIGNUM *p = BN_new();
450         BIGNUM *r = BN_new();
451         int ret =
452                 g != NULL && N != NULL && bn_ctx != NULL && BN_is_odd(N) &&
453                 BN_is_prime_ex(N, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
454                 p != NULL && BN_rshift1(p, N) &&
455
456                 /* p = (N-1)/2 */
457                 BN_is_prime_ex(p, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
458                 r != NULL &&
459
460                 /* verify g^((N-1)/2) == -1 (mod N) */
461                 BN_mod_exp(r, g, p, N, bn_ctx) &&
462                 BN_add_word(r, 1) &&
463                 BN_cmp(r, N) == 0;
464
465         if(r)
466                 BN_free(r);
467         if(p)
468                 BN_free(p);
469         if(bn_ctx)
470                 BN_CTX_free(bn_ctx);
471         return ret;
472         }
473
474 /* This callback is used here for two purposes:
475    - extended debugging
476    - making some primality tests for unknown groups
477    The callback is only called for a non default group.
478
479    An application does not need the call back at all if
480    only the stanard groups are used.  In real life situations, 
481    client and server already share well known groups, 
482    thus there is no need to verify them. 
483    Furthermore, in case that a server actually proposes a group that
484    is not one of those defined in RFC 5054, it is more appropriate 
485    to add the group to a static list and then compare since 
486    primality tests are rather cpu consuming.
487 */
488
489 static int MS_CALLBACK ssl_srp_verify_param_cb(SSL *s, void *arg)
490         {
491         SRP_ARG *srp_arg = (SRP_ARG *)arg;
492         BIGNUM *N = NULL, *g = NULL;
493         if (!(N = SSL_get_srp_N(s)) || !(g = SSL_get_srp_g(s)))
494                 return 0;
495         if (srp_arg->debug || srp_arg->msg || srp_arg->amp == 1)
496                 {
497                 BIO_printf(bio_err, "SRP parameters:\n"); 
498                 BIO_printf(bio_err,"\tN="); BN_print(bio_err,N);
499                 BIO_printf(bio_err,"\n\tg="); BN_print(bio_err,g);
500                 BIO_printf(bio_err,"\n");
501                 }
502
503         if (SRP_check_known_gN_param(g,N))
504                 return 1;
505
506         if (srp_arg->amp == 1)
507                 {
508                 if (srp_arg->debug)
509                         BIO_printf(bio_err, "SRP param N and g are not known params, going to check deeper.\n");
510
511 /* The srp_moregroups is a real debugging feature.
512    Implementors should rather add the value to the known ones.
513    The minimal size has already been tested.
514 */
515                 if (BN_num_bits(g) <= BN_BITS && srp_Verify_N_and_g(N,g))
516                         return 1;
517                 }       
518         BIO_printf(bio_err, "SRP param N and g rejected.\n");
519         return 0;
520         }
521
522 #define PWD_STRLEN 1024
523
524 static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
525         {
526         SRP_ARG *srp_arg = (SRP_ARG *)arg;
527         char *pass = (char *)OPENSSL_malloc(PWD_STRLEN+1);
528         PW_CB_DATA cb_tmp;
529         int l;
530
531         cb_tmp.password = (char *)srp_arg->srppassin;
532         cb_tmp.prompt_info = "SRP user";
533         if ((l = password_callback(pass, PWD_STRLEN, 0, &cb_tmp))<0)
534                 {
535                 BIO_printf (bio_err, "Can't read Password\n");
536                 OPENSSL_free(pass);
537                 return NULL;
538                 }
539         *(pass+l)= '\0';
540
541         return pass;
542         }
543
544 #endif
545         char *srtp_profiles = NULL;
546
547 # ifndef OPENSSL_NO_NEXTPROTONEG
548 /* This the context that we pass to next_proto_cb */
549 typedef struct tlsextnextprotoctx_st {
550         unsigned char *data;
551         unsigned short len;
552         int status;
553 } tlsextnextprotoctx;
554
555 static tlsextnextprotoctx next_proto;
556
557 static int next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg)
558         {
559         tlsextnextprotoctx *ctx = arg;
560
561         if (!c_quiet)
562                 {
563                 /* We can assume that |in| is syntactically valid. */
564                 unsigned i;
565                 BIO_printf(bio_c_out, "Protocols advertised by server: ");
566                 for (i = 0; i < inlen; )
567                         {
568                         if (i)
569                                 BIO_write(bio_c_out, ", ", 2);
570                         BIO_write(bio_c_out, &in[i + 1], in[i]);
571                         i += in[i] + 1;
572                         }
573                 BIO_write(bio_c_out, "\n", 1);
574                 }
575
576         ctx->status = SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len);
577         return SSL_TLSEXT_ERR_OK;
578         }
579 # endif  /* ndef OPENSSL_NO_NEXTPROTONEG */
580
581 static int serverinfo_cli_cb(SSL* s, unsigned short ext_type,
582                              const unsigned char* in, unsigned short inlen, 
583                              int* al, void* arg)
584         {
585         char pem_name[100];
586         unsigned char ext_buf[4 + 65536];
587
588         /* Reconstruct the type/len fields prior to extension data */
589         ext_buf[0] = ext_type >> 8;
590         ext_buf[1] = ext_type & 0xFF;
591         ext_buf[2] = inlen >> 8;
592         ext_buf[3] = inlen & 0xFF;
593         memcpy(ext_buf+4, in, inlen);
594
595         BIO_snprintf(pem_name, sizeof(pem_name), "SERVERINFO FOR EXTENSION %d",
596                      ext_type);
597         PEM_write_bio(bio_c_out, pem_name, "", ext_buf, 4 + inlen);
598         return 1;
599         }
600
601 #endif
602
603 enum
604 {
605         PROTO_OFF       = 0,
606         PROTO_SMTP,
607         PROTO_POP3,
608         PROTO_IMAP,
609         PROTO_FTP,
610         PROTO_XMPP
611 };
612
613 int MAIN(int, char **);
614
615 int MAIN(int argc, char **argv)
616         {
617         int build_chain = 0;
618         SSL *con=NULL;
619 #ifndef OPENSSL_NO_KRB5
620         KSSL_CTX *kctx;
621 #endif
622         int s,k,width,state=0;
623         char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL;
624         int cbuf_len,cbuf_off;
625         int sbuf_len,sbuf_off;
626         fd_set readfds,writefds;
627         short port=PORT;
628         int full_log=1;
629         char *host=SSL_HOST_NAME;
630         char *xmpphost = NULL;
631         char *cert_file=NULL,*key_file=NULL,*chain_file=NULL;
632         int cert_format = FORMAT_PEM, key_format = FORMAT_PEM;
633         char *passarg = NULL, *pass = NULL;
634         X509 *cert = NULL;
635         EVP_PKEY *key = NULL;
636         STACK_OF(X509) *chain = NULL;
637         char *CApath=NULL,*CAfile=NULL;
638         char *chCApath=NULL,*chCAfile=NULL;
639         char *vfyCApath=NULL,*vfyCAfile=NULL;
640         int reconnect=0,badop=0,verify=SSL_VERIFY_NONE;
641         int crlf=0;
642         int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending;
643         SSL_CTX *ctx=NULL;
644         int ret=1,in_init=1,i,nbio_test=0;
645         int starttls_proto = PROTO_OFF;
646         int prexit = 0;
647         X509_VERIFY_PARAM *vpm = NULL;
648         int badarg = 0;
649         const SSL_METHOD *meth=NULL;
650         int socket_type=SOCK_STREAM;
651         BIO *sbio;
652         char *inrand=NULL;
653         int mbuf_len=0;
654         struct timeval timeout, *timeoutp;
655 #ifndef OPENSSL_NO_ENGINE
656         char *engine_id=NULL;
657         char *ssl_client_engine_id=NULL;
658         ENGINE *ssl_client_engine=NULL;
659 #endif
660         ENGINE *e=NULL;
661 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
662         struct timeval tv;
663 #if defined(OPENSSL_SYS_BEOS_R5)
664         int stdin_set = 0;
665 #endif
666 #endif
667 #ifndef OPENSSL_NO_TLSEXT
668         char *servername = NULL; 
669         tlsextctx tlsextcbp = 
670         {NULL,0};
671 # ifndef OPENSSL_NO_NEXTPROTONEG
672         const char *next_proto_neg_in = NULL;
673 # endif
674         const char *alpn_in = NULL;
675 # define MAX_SI_TYPES 100
676         unsigned short serverinfo_types[MAX_SI_TYPES];
677         int serverinfo_types_count = 0;
678 #endif
679         char *sess_in = NULL;
680         char *sess_out = NULL;
681         struct sockaddr peer;
682         int peerlen = sizeof(peer);
683         int enable_timeouts = 0 ;
684         long socket_mtu = 0;
685 #ifndef OPENSSL_NO_JPAKE
686 static char *jpake_secret = NULL;
687 #define no_jpake !jpake_secret
688 #else
689 #define no_jpake 1
690 #endif
691 #ifndef OPENSSL_NO_SRP
692         char * srppass = NULL;
693         int srp_lateuser = 0;
694         SRP_ARG srp_arg = {NULL,NULL,0,0,0,1024};
695 #endif
696         SSL_EXCERT *exc = NULL;
697
698         SSL_CONF_CTX *cctx = NULL;
699         STACK_OF(OPENSSL_STRING) *ssl_args = NULL;
700
701         char *crl_file = NULL;
702         int crl_format = FORMAT_PEM;
703         int crl_download = 0;
704         STACK_OF(X509_CRL) *crls = NULL;
705
706         meth=SSLv23_client_method();
707
708         apps_startup();
709         c_Pause=0;
710         c_quiet=0;
711         c_ign_eof=0;
712         c_debug=0;
713         c_msg=0;
714         c_showcerts=0;
715
716         if (bio_err == NULL)
717                 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
718
719         if (!load_config(bio_err, NULL))
720                 goto end;
721         cctx = SSL_CONF_CTX_new();
722         if (!cctx)
723                 goto end;
724         SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT);
725         SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CMDLINE);
726
727         if (    ((cbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
728                 ((sbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
729                 ((mbuf=OPENSSL_malloc(BUFSIZZ)) == NULL))
730                 {
731                 BIO_printf(bio_err,"out of memory\n");
732                 goto end;
733                 }
734
735         verify_depth=0;
736         verify_error=X509_V_OK;
737 #ifdef FIONBIO
738         c_nbio=0;
739 #endif
740
741         argc--;
742         argv++;
743         while (argc >= 1)
744                 {
745                 if      (strcmp(*argv,"-host") == 0)
746                         {
747                         if (--argc < 1) goto bad;
748                         host= *(++argv);
749                         }
750                 else if (strcmp(*argv,"-port") == 0)
751                         {
752                         if (--argc < 1) goto bad;
753                         port=atoi(*(++argv));
754                         if (port == 0) goto bad;
755                         }
756                 else if (strcmp(*argv,"-connect") == 0)
757                         {
758                         if (--argc < 1) goto bad;
759                         if (!extract_host_port(*(++argv),&host,NULL,&port))
760                                 goto bad;
761                         }
762                 else if (strcmp(*argv,"-xmpphost") == 0)
763                         {
764                         if (--argc < 1) goto bad;
765                         xmpphost= *(++argv);
766                         }
767                 else if (strcmp(*argv,"-verify") == 0)
768                         {
769                         verify=SSL_VERIFY_PEER;
770                         if (--argc < 1) goto bad;
771                         verify_depth=atoi(*(++argv));
772                         if (!c_quiet)
773                                 BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
774                         }
775                 else if (strcmp(*argv,"-cert") == 0)
776                         {
777                         if (--argc < 1) goto bad;
778                         cert_file= *(++argv);
779                         }
780                 else if (strcmp(*argv,"-CRL") == 0)
781                         {
782                         if (--argc < 1) goto bad;
783                         crl_file= *(++argv);
784                         }
785                 else if (strcmp(*argv,"-crl_download") == 0)
786                         crl_download = 1;
787                 else if (strcmp(*argv,"-sess_out") == 0)
788                         {
789                         if (--argc < 1) goto bad;
790                         sess_out = *(++argv);
791                         }
792                 else if (strcmp(*argv,"-sess_in") == 0)
793                         {
794                         if (--argc < 1) goto bad;
795                         sess_in = *(++argv);
796                         }
797                 else if (strcmp(*argv,"-certform") == 0)
798                         {
799                         if (--argc < 1) goto bad;
800                         cert_format = str2fmt(*(++argv));
801                         }
802                 else if (strcmp(*argv,"-CRLform") == 0)
803                         {
804                         if (--argc < 1) goto bad;
805                         crl_format = str2fmt(*(++argv));
806                         }
807                 else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
808                         {
809                         if (badarg)
810                                 goto bad;
811                         continue;
812                         }
813                 else if (strcmp(*argv,"-verify_return_error") == 0)
814                         verify_return_error = 1;
815                 else if (strcmp(*argv,"-verify_quiet") == 0)
816                         verify_quiet = 1;
817                 else if (strcmp(*argv,"-brief") == 0)
818                         {
819                         c_brief = 1;
820                         verify_quiet = 1;
821                         c_quiet = 1;
822                         }
823                 else if (args_excert(&argv, &argc, &badarg, bio_err, &exc))
824                         {
825                         if (badarg)
826                                 goto bad;
827                         continue;
828                         }
829                 else if (args_ssl(&argv, &argc, cctx, &badarg, bio_err, &ssl_args))
830                         {
831                         if (badarg)
832                                 goto bad;
833                         continue;
834                         }
835                 else if (strcmp(*argv,"-prexit") == 0)
836                         prexit=1;
837                 else if (strcmp(*argv,"-crlf") == 0)
838                         crlf=1;
839                 else if (strcmp(*argv,"-quiet") == 0)
840                         {
841                         c_quiet=1;
842                         c_ign_eof=1;
843                         }
844                 else if (strcmp(*argv,"-ign_eof") == 0)
845                         c_ign_eof=1;
846                 else if (strcmp(*argv,"-no_ign_eof") == 0)
847                         c_ign_eof=0;
848                 else if (strcmp(*argv,"-pause") == 0)
849                         c_Pause=1;
850                 else if (strcmp(*argv,"-debug") == 0)
851                         c_debug=1;
852 #ifndef OPENSSL_NO_TLSEXT
853                 else if (strcmp(*argv,"-tlsextdebug") == 0)
854                         c_tlsextdebug=1;
855                 else if (strcmp(*argv,"-status") == 0)
856                         c_status_req=1;
857                 else if (strcmp(*argv,"-auth") == 0)
858                         c_auth = 1;
859                 else if (strcmp(*argv,"-auth_require_reneg") == 0)
860                         c_auth_require_reneg = 1;
861 #endif
862 #ifdef WATT32
863                 else if (strcmp(*argv,"-wdebug") == 0)
864                         dbug_init();
865 #endif
866                 else if (strcmp(*argv,"-msg") == 0)
867                         c_msg=1;
868                 else if (strcmp(*argv,"-msgfile") == 0)
869                         {
870                         if (--argc < 1) goto bad;
871                         bio_c_msg = BIO_new_file(*(++argv), "w");
872                         }
873 #ifndef OPENSSL_NO_SSL_TRACE
874                 else if (strcmp(*argv,"-trace") == 0)
875                         c_msg=2;
876 #endif
877                 else if (strcmp(*argv,"-showcerts") == 0)
878                         c_showcerts=1;
879                 else if (strcmp(*argv,"-nbio_test") == 0)
880                         nbio_test=1;
881                 else if (strcmp(*argv,"-state") == 0)
882                         state=1;
883 #ifndef OPENSSL_NO_PSK
884                 else if (strcmp(*argv,"-psk_identity") == 0)
885                         {
886                         if (--argc < 1) goto bad;
887                         psk_identity=*(++argv);
888                         }
889                 else if (strcmp(*argv,"-psk") == 0)
890                         {
891                         size_t j;
892
893                         if (--argc < 1) goto bad;
894                         psk_key=*(++argv);
895                         for (j = 0; j < strlen(psk_key); j++)
896                                 {
897                                 if (isxdigit((unsigned char)psk_key[j]))
898                                         continue;
899                                 BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
900                                 goto bad;
901                                 }
902                         }
903 #endif
904 #ifndef OPENSSL_NO_SRP
905                 else if (strcmp(*argv,"-srpuser") == 0)
906                         {
907                         if (--argc < 1) goto bad;
908                         srp_arg.srplogin= *(++argv);
909                         meth=TLSv1_client_method();
910                         }
911                 else if (strcmp(*argv,"-srppass") == 0)
912                         {
913                         if (--argc < 1) goto bad;
914                         srppass= *(++argv);
915                         meth=TLSv1_client_method();
916                         }
917                 else if (strcmp(*argv,"-srp_strength") == 0)
918                         {
919                         if (--argc < 1) goto bad;
920                         srp_arg.strength=atoi(*(++argv));
921                         BIO_printf(bio_err,"SRP minimal length for N is %d\n",srp_arg.strength);
922                         meth=TLSv1_client_method();
923                         }
924                 else if (strcmp(*argv,"-srp_lateuser") == 0)
925                         {
926                         srp_lateuser= 1;
927                         meth=TLSv1_client_method();
928                         }
929                 else if (strcmp(*argv,"-srp_moregroups") == 0)
930                         {
931                         srp_arg.amp=1;
932                         meth=TLSv1_client_method();
933                         }
934 #endif
935 #ifndef OPENSSL_NO_SSL2
936                 else if (strcmp(*argv,"-ssl2") == 0)
937                         meth=SSLv2_client_method();
938 #endif
939 #ifndef OPENSSL_NO_SSL3
940                 else if (strcmp(*argv,"-ssl3") == 0)
941                         meth=SSLv3_client_method();
942 #endif
943 #ifndef OPENSSL_NO_TLS1
944                 else if (strcmp(*argv,"-tls1_2") == 0)
945                         meth=TLSv1_2_client_method();
946                 else if (strcmp(*argv,"-tls1_1") == 0)
947                         meth=TLSv1_1_client_method();
948                 else if (strcmp(*argv,"-tls1") == 0)
949                         meth=TLSv1_client_method();
950 #endif
951 #ifndef OPENSSL_NO_DTLS1
952                 else if (strcmp(*argv,"-dtls") == 0)
953                         {
954                         meth=DTLS_client_method();
955                         socket_type=SOCK_DGRAM;
956                         }
957                 else if (strcmp(*argv,"-dtls1") == 0)
958                         {
959                         meth=DTLSv1_client_method();
960                         socket_type=SOCK_DGRAM;
961                         }
962                 else if (strcmp(*argv,"-dtls1_2") == 0)
963                         {
964                         meth=DTLSv1_2_client_method();
965                         socket_type=SOCK_DGRAM;
966                         }
967                 else if (strcmp(*argv,"-timeout") == 0)
968                         enable_timeouts=1;
969                 else if (strcmp(*argv,"-mtu") == 0)
970                         {
971                         if (--argc < 1) goto bad;
972                         socket_mtu = atol(*(++argv));
973                         }
974 #endif
975                 else if (strcmp(*argv,"-keyform") == 0)
976                         {
977                         if (--argc < 1) goto bad;
978                         key_format = str2fmt(*(++argv));
979                         }
980                 else if (strcmp(*argv,"-pass") == 0)
981                         {
982                         if (--argc < 1) goto bad;
983                         passarg = *(++argv);
984                         }
985                 else if (strcmp(*argv,"-cert_chain") == 0)
986                         {
987                         if (--argc < 1) goto bad;
988                         chain_file= *(++argv);
989                         }
990                 else if (strcmp(*argv,"-key") == 0)
991                         {
992                         if (--argc < 1) goto bad;
993                         key_file= *(++argv);
994                         }
995                 else if (strcmp(*argv,"-reconnect") == 0)
996                         {
997                         reconnect=5;
998                         }
999                 else if (strcmp(*argv,"-CApath") == 0)
1000                         {
1001                         if (--argc < 1) goto bad;
1002                         CApath= *(++argv);
1003                         }
1004                 else if (strcmp(*argv,"-chainCApath") == 0)
1005                         {
1006                         if (--argc < 1) goto bad;
1007                         chCApath= *(++argv);
1008                         }
1009                 else if (strcmp(*argv,"-verifyCApath") == 0)
1010                         {
1011                         if (--argc < 1) goto bad;
1012                         vfyCApath= *(++argv);
1013                         }
1014                 else if (strcmp(*argv,"-build_chain") == 0)
1015                         build_chain = 1;
1016                 else if (strcmp(*argv,"-CAfile") == 0)
1017                         {
1018                         if (--argc < 1) goto bad;
1019                         CAfile= *(++argv);
1020                         }
1021                 else if (strcmp(*argv,"-chainCAfile") == 0)
1022                         {
1023                         if (--argc < 1) goto bad;
1024                         chCAfile= *(++argv);
1025                         }
1026                 else if (strcmp(*argv,"-verifyCAfile") == 0)
1027                         {
1028                         if (--argc < 1) goto bad;
1029                         vfyCAfile= *(++argv);
1030                         }
1031 #ifndef OPENSSL_NO_TLSEXT
1032 # ifndef OPENSSL_NO_NEXTPROTONEG
1033                 else if (strcmp(*argv,"-nextprotoneg") == 0)
1034                         {
1035                         if (--argc < 1) goto bad;
1036                         next_proto_neg_in = *(++argv);
1037                         }
1038 # endif
1039                 else if (strcmp(*argv,"-alpn") == 0)
1040                         {
1041                         if (--argc < 1) goto bad;
1042                         alpn_in = *(++argv);
1043                         }
1044                 else if (strcmp(*argv,"-serverinfo") == 0)
1045                         {
1046                         char *c;
1047                         int start = 0;
1048                         int len;
1049
1050                         if (--argc < 1) goto bad;
1051                         c = *(++argv);
1052                         serverinfo_types_count = 0;
1053                         len = strlen(c);
1054                         for (i = 0; i <= len; ++i)
1055                                 {
1056                                 if (i == len || c[i] == ',')
1057                                         {
1058                                         serverinfo_types[serverinfo_types_count]
1059                                             = atoi(c+start);
1060                                         serverinfo_types_count++;
1061                                         start = i+1;
1062                                         }
1063                                 if (serverinfo_types_count == MAX_SI_TYPES)
1064                                         break;
1065                                 }
1066                         }
1067 #endif
1068 #ifdef FIONBIO
1069                 else if (strcmp(*argv,"-nbio") == 0)
1070                         { c_nbio=1; }
1071 #endif
1072                 else if (strcmp(*argv,"-starttls") == 0)
1073                         {
1074                         if (--argc < 1) goto bad;
1075                         ++argv;
1076                         if (strcmp(*argv,"smtp") == 0)
1077                                 starttls_proto = PROTO_SMTP;
1078                         else if (strcmp(*argv,"pop3") == 0)
1079                                 starttls_proto = PROTO_POP3;
1080                         else if (strcmp(*argv,"imap") == 0)
1081                                 starttls_proto = PROTO_IMAP;
1082                         else if (strcmp(*argv,"ftp") == 0)
1083                                 starttls_proto = PROTO_FTP;
1084                         else if (strcmp(*argv, "xmpp") == 0)
1085                                 starttls_proto = PROTO_XMPP;
1086                         else
1087                                 goto bad;
1088                         }
1089 #ifndef OPENSSL_NO_ENGINE
1090                 else if (strcmp(*argv,"-engine") == 0)
1091                         {
1092                         if (--argc < 1) goto bad;
1093                         engine_id = *(++argv);
1094                         }
1095                 else if (strcmp(*argv,"-ssl_client_engine") == 0)
1096                         {
1097                         if (--argc < 1) goto bad;
1098                         ssl_client_engine_id = *(++argv);
1099                         }
1100 #endif
1101                 else if (strcmp(*argv,"-rand") == 0)
1102                         {
1103                         if (--argc < 1) goto bad;
1104                         inrand= *(++argv);
1105                         }
1106 #ifndef OPENSSL_NO_TLSEXT
1107                 else if (strcmp(*argv,"-servername") == 0)
1108                         {
1109                         if (--argc < 1) goto bad;
1110                         servername= *(++argv);
1111                         /* meth=TLSv1_client_method(); */
1112                         }
1113 #endif
1114 #ifndef OPENSSL_NO_JPAKE
1115                 else if (strcmp(*argv,"-jpake") == 0)
1116                         {
1117                         if (--argc < 1) goto bad;
1118                         jpake_secret = *++argv;
1119                         }
1120 #endif
1121                 else if (strcmp(*argv,"-use_srtp") == 0)
1122                         {
1123                         if (--argc < 1) goto bad;
1124                         srtp_profiles = *(++argv);
1125                         }
1126                 else if (strcmp(*argv,"-keymatexport") == 0)
1127                         {
1128                         if (--argc < 1) goto bad;
1129                         keymatexportlabel= *(++argv);
1130                         }
1131                 else if (strcmp(*argv,"-keymatexportlen") == 0)
1132                         {
1133                         if (--argc < 1) goto bad;
1134                         keymatexportlen=atoi(*(++argv));
1135                         if (keymatexportlen == 0) goto bad;
1136                         }
1137                 else
1138                         {
1139                         BIO_printf(bio_err,"unknown option %s\n",*argv);
1140                         badop=1;
1141                         break;
1142                         }
1143                 argc--;
1144                 argv++;
1145                 }
1146         if (badop)
1147                 {
1148 bad:
1149                 sc_usage();
1150                 goto end;
1151                 }
1152
1153 #if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
1154         if (jpake_secret)
1155                 {
1156                 if (psk_key)
1157                         {
1158                         BIO_printf(bio_err,
1159                                    "Can't use JPAKE and PSK together\n");
1160                         goto end;
1161                         }
1162                 psk_identity = "JPAKE";
1163                 }
1164 #endif
1165
1166         OpenSSL_add_ssl_algorithms();
1167         SSL_load_error_strings();
1168
1169 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
1170         next_proto.status = -1;
1171         if (next_proto_neg_in)
1172                 {
1173                 next_proto.data = next_protos_parse(&next_proto.len, next_proto_neg_in);
1174                 if (next_proto.data == NULL)
1175                         {
1176                         BIO_printf(bio_err, "Error parsing -nextprotoneg argument\n");
1177                         goto end;
1178                         }
1179                 }
1180         else
1181                 next_proto.data = NULL;
1182 #endif
1183
1184 #ifndef OPENSSL_NO_ENGINE
1185         e = setup_engine(bio_err, engine_id, 1);
1186         if (ssl_client_engine_id)
1187                 {
1188                 ssl_client_engine = ENGINE_by_id(ssl_client_engine_id);
1189                 if (!ssl_client_engine)
1190                         {
1191                         BIO_printf(bio_err,
1192                                         "Error getting client auth engine\n");
1193                         goto end;
1194                         }
1195                 }
1196
1197 #endif
1198         if (!app_passwd(bio_err, passarg, NULL, &pass, NULL))
1199                 {
1200                 BIO_printf(bio_err, "Error getting password\n");
1201                 goto end;
1202                 }
1203
1204         if (key_file == NULL)
1205                 key_file = cert_file;
1206
1207
1208         if (key_file)
1209
1210                 {
1211
1212                 key = load_key(bio_err, key_file, key_format, 0, pass, e,
1213                                "client certificate private key file");
1214                 if (!key)
1215                         {
1216                         ERR_print_errors(bio_err);
1217                         goto end;
1218                         }
1219
1220                 }
1221
1222         if (cert_file)
1223
1224                 {
1225                 cert = load_cert(bio_err,cert_file,cert_format,
1226                                 NULL, e, "client certificate file");
1227
1228                 if (!cert)
1229                         {
1230                         ERR_print_errors(bio_err);
1231                         goto end;
1232                         }
1233                 }
1234
1235         if (chain_file)
1236                 {
1237                 chain = load_certs(bio_err, chain_file,FORMAT_PEM,
1238                                         NULL, e, "client certificate chain");
1239                 if (!chain)
1240                         goto end;
1241                 }
1242
1243         if (crl_file)
1244                 {
1245                 X509_CRL *crl;
1246                 crl = load_crl(crl_file, crl_format);
1247                 if (!crl)
1248                         {
1249                         BIO_puts(bio_err, "Error loading CRL\n");
1250                         ERR_print_errors(bio_err);
1251                         goto end;
1252                         }
1253                 crls = sk_X509_CRL_new_null();
1254                 if (!crls || !sk_X509_CRL_push(crls, crl))
1255                         {
1256                         BIO_puts(bio_err, "Error adding CRL\n");
1257                         ERR_print_errors(bio_err);
1258                         X509_CRL_free(crl);
1259                         goto end;
1260                         }
1261                 }
1262
1263         if (!load_excert(&exc, bio_err))
1264                 goto end;
1265
1266         if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
1267                 && !RAND_status())
1268                 {
1269                 BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
1270                 }
1271         if (inrand != NULL)
1272                 BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
1273                         app_RAND_load_files(inrand));
1274
1275         if (bio_c_out == NULL)
1276                 {
1277                 if (c_quiet && !c_debug)
1278                         {
1279                         bio_c_out=BIO_new(BIO_s_null());
1280                         if (c_msg && !bio_c_msg)
1281                                 bio_c_msg=BIO_new_fp(stdout,BIO_NOCLOSE);
1282                         }
1283                 else
1284                         {
1285                         if (bio_c_out == NULL)
1286                                 bio_c_out=BIO_new_fp(stdout,BIO_NOCLOSE);
1287                         }
1288                 }
1289
1290 #ifndef OPENSSL_NO_SRP
1291         if(!app_passwd(bio_err, srppass, NULL, &srp_arg.srppassin, NULL))
1292                 {
1293                 BIO_printf(bio_err, "Error getting password\n");
1294                 goto end;
1295                 }
1296 #endif
1297
1298         ctx=SSL_CTX_new(meth);
1299         if (ctx == NULL)
1300                 {
1301                 ERR_print_errors(bio_err);
1302                 goto end;
1303                 }
1304
1305         if (vpm)
1306                 SSL_CTX_set1_param(ctx, vpm);
1307
1308         if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, 1, no_jpake))
1309                 {
1310                 ERR_print_errors(bio_err);
1311                 goto end;
1312                 }
1313
1314         if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile,
1315                                                 crls, crl_download))
1316                 {
1317                 BIO_printf(bio_err, "Error loading store locations\n");
1318                 ERR_print_errors(bio_err);
1319                 goto end;
1320                 }
1321
1322 #ifndef OPENSSL_NO_ENGINE
1323         if (ssl_client_engine)
1324                 {
1325                 if (!SSL_CTX_set_client_cert_engine(ctx, ssl_client_engine))
1326                         {
1327                         BIO_puts(bio_err, "Error setting client auth engine\n");
1328                         ERR_print_errors(bio_err);
1329                         ENGINE_free(ssl_client_engine);
1330                         goto end;
1331                         }
1332                 ENGINE_free(ssl_client_engine);
1333                 }
1334 #endif
1335
1336 #ifndef OPENSSL_NO_PSK
1337 #ifdef OPENSSL_NO_JPAKE
1338         if (psk_key != NULL)
1339 #else
1340         if (psk_key != NULL || jpake_secret)
1341 #endif
1342                 {
1343                 if (c_debug)
1344                         BIO_printf(bio_c_out, "PSK key given or JPAKE in use, setting client callback\n");
1345                 SSL_CTX_set_psk_client_callback(ctx, psk_client_cb);
1346                 }
1347         if (srtp_profiles != NULL)
1348                 SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles);
1349 #endif
1350         if (exc) ssl_ctx_set_excert(ctx, exc);
1351         /* DTLS: partial reads end up discarding unread UDP bytes :-( 
1352          * Setting read ahead solves this problem.
1353          */
1354         if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
1355
1356 #if !defined(OPENSSL_NO_TLSEXT)
1357 # if !defined(OPENSSL_NO_NEXTPROTONEG)
1358         if (next_proto.data)
1359                 SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);
1360 # endif
1361         if (alpn_in)
1362                 {
1363                 unsigned short alpn_len;
1364                 unsigned char *alpn = next_protos_parse(&alpn_len, alpn_in);
1365
1366                 if (alpn == NULL)
1367                         {
1368                         BIO_printf(bio_err, "Error parsing -alpn argument\n");
1369                         goto end;
1370                         }
1371                 SSL_CTX_set_alpn_protos(ctx, alpn, alpn_len);
1372                 OPENSSL_free(alpn);
1373                 }
1374 #endif
1375 #ifndef OPENSSL_NO_TLSEXT
1376                 if (serverinfo_types_count)
1377                         {
1378                         for (i = 0; i < serverinfo_types_count; i++)
1379                                 {
1380                                 SSL_CTX_set_custom_cli_ext(ctx,
1381                                                            serverinfo_types[i],
1382                                                            NULL, 
1383                                                            serverinfo_cli_cb,
1384                                                            NULL);
1385                                 }
1386                         }
1387 #endif
1388
1389         if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
1390 #if 0
1391         else
1392                 SSL_CTX_set_cipher_list(ctx,getenv("SSL_CIPHER"));
1393 #endif
1394
1395         SSL_CTX_set_verify(ctx,verify,verify_callback);
1396
1397         if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
1398                 (!SSL_CTX_set_default_verify_paths(ctx)))
1399                 {
1400                 /* BIO_printf(bio_err,"error setting default verify locations\n"); */
1401                 ERR_print_errors(bio_err);
1402                 /* goto end; */
1403                 }
1404
1405         ssl_ctx_add_crls(ctx, crls, crl_download);
1406
1407         if (!set_cert_key_stuff(ctx,cert,key,chain,build_chain))
1408                 goto end;
1409
1410 #ifndef OPENSSL_NO_TLSEXT
1411         if (servername != NULL)
1412                 {
1413                 tlsextcbp.biodebug = bio_err;
1414                 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
1415                 SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
1416                 }
1417 #ifndef OPENSSL_NO_SRP
1418         if (srp_arg.srplogin)
1419                 {
1420                 if (!srp_lateuser && !SSL_CTX_set_srp_username(ctx, srp_arg.srplogin))
1421                         {
1422                         BIO_printf(bio_err,"Unable to set SRP username\n");
1423                         goto end;
1424                         }
1425                 srp_arg.msg = c_msg;
1426                 srp_arg.debug = c_debug ;
1427                 SSL_CTX_set_srp_cb_arg(ctx,&srp_arg);
1428                 SSL_CTX_set_srp_client_pwd_callback(ctx, ssl_give_srp_client_pwd_cb);
1429                 SSL_CTX_set_srp_strength(ctx, srp_arg.strength);
1430                 if (c_msg || c_debug || srp_arg.amp == 0)
1431                         SSL_CTX_set_srp_verify_param_callback(ctx, ssl_srp_verify_param_cb);
1432                 }
1433
1434 #endif
1435         if (c_auth)
1436                 {
1437                 SSL_CTX_set_custom_cli_ext(ctx, TLSEXT_TYPE_client_authz, authz_tlsext_generate_cb, authz_tlsext_cb, bio_err);
1438                 SSL_CTX_set_custom_cli_ext(ctx, TLSEXT_TYPE_server_authz, authz_tlsext_generate_cb, authz_tlsext_cb, bio_err);
1439                 SSL_CTX_set_cli_supp_data(ctx, TLSEXT_SUPPLEMENTALDATATYPE_authz_data, suppdata_cb, auth_suppdata_generate_cb, bio_err);
1440                 }
1441 #endif
1442
1443         con=SSL_new(ctx);
1444         if (sess_in)
1445                 {
1446                 SSL_SESSION *sess;
1447                 BIO *stmp = BIO_new_file(sess_in, "r");
1448                 if (!stmp)
1449                         {
1450                         BIO_printf(bio_err, "Can't open session file %s\n",
1451                                                 sess_in);
1452                         ERR_print_errors(bio_err);
1453                         goto end;
1454                         }
1455                 sess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL);
1456                 BIO_free(stmp);
1457                 if (!sess)
1458                         {
1459                         BIO_printf(bio_err, "Can't open session file %s\n",
1460                                                 sess_in);
1461                         ERR_print_errors(bio_err);
1462                         goto end;
1463                         }
1464                 SSL_set_session(con, sess);
1465                 SSL_SESSION_free(sess);
1466                 }
1467 #ifndef OPENSSL_NO_TLSEXT
1468         if (servername != NULL)
1469                 {
1470                 if (!SSL_set_tlsext_host_name(con,servername))
1471                         {
1472                         BIO_printf(bio_err,"Unable to set TLS servername extension.\n");
1473                         ERR_print_errors(bio_err);
1474                         goto end;
1475                         }
1476                 }
1477 #endif
1478 #ifndef OPENSSL_NO_KRB5
1479         if (con  &&  (kctx = kssl_ctx_new()) != NULL)
1480                 {
1481                 SSL_set0_kssl_ctx(con, kctx);
1482                 kssl_ctx_setstring(kctx, KSSL_SERVER, host);
1483                 }
1484 #endif  /* OPENSSL_NO_KRB5  */
1485 /*      SSL_set_cipher_list(con,"RC4-MD5"); */
1486 #if 0
1487 #ifdef TLSEXT_TYPE_opaque_prf_input
1488         SSL_set_tlsext_opaque_prf_input(con, "Test client", 11);
1489 #endif
1490 #endif
1491
1492 re_start:
1493
1494         if (init_client(&s,host,port,socket_type) == 0)
1495                 {
1496                 BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
1497                 SHUTDOWN(s);
1498                 goto end;
1499                 }
1500         BIO_printf(bio_c_out,"CONNECTED(%08X)\n",s);
1501
1502 #ifdef FIONBIO
1503         if (c_nbio)
1504                 {
1505                 unsigned long l=1;
1506                 BIO_printf(bio_c_out,"turning on non blocking io\n");
1507                 if (BIO_socket_ioctl(s,FIONBIO,&l) < 0)
1508                         {
1509                         ERR_print_errors(bio_err);
1510                         goto end;
1511                         }
1512                 }
1513 #endif                                              
1514         if (c_Pause & 0x01) SSL_set_debug(con, 1);
1515
1516         if (socket_type == SOCK_DGRAM)
1517                 {
1518
1519                 sbio=BIO_new_dgram(s,BIO_NOCLOSE);
1520                 if (getsockname(s, &peer, (void *)&peerlen) < 0)
1521                         {
1522                         BIO_printf(bio_err, "getsockname:errno=%d\n",
1523                                 get_last_socket_error());
1524                         SHUTDOWN(s);
1525                         goto end;
1526                         }
1527
1528                 (void)BIO_ctrl_set_connected(sbio, 1, &peer);
1529
1530                 if (enable_timeouts)
1531                         {
1532                         timeout.tv_sec = 0;
1533                         timeout.tv_usec = DGRAM_RCV_TIMEOUT;
1534                         BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
1535                         
1536                         timeout.tv_sec = 0;
1537                         timeout.tv_usec = DGRAM_SND_TIMEOUT;
1538                         BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
1539                         }
1540
1541                 if (socket_mtu > 28)
1542                         {
1543                         SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
1544                         SSL_set_mtu(con, socket_mtu - 28);
1545                         }
1546                 else
1547                         /* want to do MTU discovery */
1548                         BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
1549                 }
1550         else
1551                 sbio=BIO_new_socket(s,BIO_NOCLOSE);
1552
1553         if (nbio_test)
1554                 {
1555                 BIO *test;
1556
1557                 test=BIO_new(BIO_f_nbio_test());
1558                 sbio=BIO_push(test,sbio);
1559                 }
1560
1561         if (c_debug)
1562                 {
1563                 SSL_set_debug(con, 1);
1564                 BIO_set_callback(sbio,bio_dump_callback);
1565                 BIO_set_callback_arg(sbio,(char *)bio_c_out);
1566                 }
1567         if (c_msg)
1568                 {
1569 #ifndef OPENSSL_NO_SSL_TRACE
1570                 if (c_msg == 2)
1571                         SSL_set_msg_callback(con, SSL_trace);
1572                 else
1573 #endif
1574                         SSL_set_msg_callback(con, msg_cb);
1575                 SSL_set_msg_callback_arg(con, bio_c_msg ? bio_c_msg : bio_c_out);
1576                 }
1577 #ifndef OPENSSL_NO_TLSEXT
1578         if (c_tlsextdebug)
1579                 {
1580                 SSL_set_tlsext_debug_callback(con, tlsext_cb);
1581                 SSL_set_tlsext_debug_arg(con, bio_c_out);
1582                 }
1583         if (c_status_req)
1584                 {
1585                 SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp);
1586                 SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb);
1587                 SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out);
1588 #if 0
1589 {
1590 STACK_OF(OCSP_RESPID) *ids = sk_OCSP_RESPID_new_null();
1591 OCSP_RESPID *id = OCSP_RESPID_new();
1592 id->value.byKey = ASN1_OCTET_STRING_new();
1593 id->type = V_OCSP_RESPID_KEY;
1594 ASN1_STRING_set(id->value.byKey, "Hello World", -1);
1595 sk_OCSP_RESPID_push(ids, id);
1596 SSL_set_tlsext_status_ids(con, ids);
1597 }
1598 #endif
1599                 }
1600 #endif
1601 #ifndef OPENSSL_NO_JPAKE
1602         if (jpake_secret)
1603                 jpake_client_auth(bio_c_out, sbio, jpake_secret);
1604 #endif
1605
1606         SSL_set_bio(con,sbio,sbio);
1607         SSL_set_connect_state(con);
1608
1609         /* ok, lets connect */
1610         width=SSL_get_fd(con)+1;
1611
1612         read_tty=1;
1613         write_tty=0;
1614         tty_on=0;
1615         read_ssl=1;
1616         write_ssl=1;
1617         
1618         cbuf_len=0;
1619         cbuf_off=0;
1620         sbuf_len=0;
1621         sbuf_off=0;
1622
1623         /* This is an ugly hack that does a lot of assumptions */
1624         /* We do have to handle multi-line responses which may come
1625            in a single packet or not. We therefore have to use
1626            BIO_gets() which does need a buffering BIO. So during
1627            the initial chitchat we do push a buffering BIO into the
1628            chain that is removed again later on to not disturb the
1629            rest of the s_client operation. */
1630         if (starttls_proto == PROTO_SMTP)
1631                 {
1632                 int foundit=0;
1633                 BIO *fbio = BIO_new(BIO_f_buffer());
1634                 BIO_push(fbio, sbio);
1635                 /* wait for multi-line response to end from SMTP */
1636                 do
1637                         {
1638                         mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1639                         }
1640                 while (mbuf_len>3 && mbuf[3]=='-');
1641                 /* STARTTLS command requires EHLO... */
1642                 BIO_printf(fbio,"EHLO openssl.client.net\r\n");
1643                 (void)BIO_flush(fbio);
1644                 /* wait for multi-line response to end EHLO SMTP response */
1645                 do
1646                         {
1647                         mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1648                         if (strstr(mbuf,"STARTTLS"))
1649                                 foundit=1;
1650                         }
1651                 while (mbuf_len>3 && mbuf[3]=='-');
1652                 (void)BIO_flush(fbio);
1653                 BIO_pop(fbio);
1654                 BIO_free(fbio);
1655                 if (!foundit)
1656                         BIO_printf(bio_err,
1657                                    "didn't found starttls in server response,"
1658                                    " try anyway...\n");
1659                 BIO_printf(sbio,"STARTTLS\r\n");
1660                 BIO_read(sbio,sbuf,BUFSIZZ);
1661                 }
1662         else if (starttls_proto == PROTO_POP3)
1663                 {
1664                 BIO_read(sbio,mbuf,BUFSIZZ);
1665                 BIO_printf(sbio,"STLS\r\n");
1666                 BIO_read(sbio,sbuf,BUFSIZZ);
1667                 }
1668         else if (starttls_proto == PROTO_IMAP)
1669                 {
1670                 int foundit=0;
1671                 BIO *fbio = BIO_new(BIO_f_buffer());
1672                 BIO_push(fbio, sbio);
1673                 BIO_gets(fbio,mbuf,BUFSIZZ);
1674                 /* STARTTLS command requires CAPABILITY... */
1675                 BIO_printf(fbio,". CAPABILITY\r\n");
1676                 (void)BIO_flush(fbio);
1677                 /* wait for multi-line CAPABILITY response */
1678                 do
1679                         {
1680                         mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1681                         if (strstr(mbuf,"STARTTLS"))
1682                                 foundit=1;
1683                         }
1684                 while (mbuf_len>3 && mbuf[0]!='.');
1685                 (void)BIO_flush(fbio);
1686                 BIO_pop(fbio);
1687                 BIO_free(fbio);
1688                 if (!foundit)
1689                         BIO_printf(bio_err,
1690                                    "didn't found STARTTLS in server response,"
1691                                    " try anyway...\n");
1692                 BIO_printf(sbio,". STARTTLS\r\n");
1693                 BIO_read(sbio,sbuf,BUFSIZZ);
1694                 }
1695         else if (starttls_proto == PROTO_FTP)
1696                 {
1697                 BIO *fbio = BIO_new(BIO_f_buffer());
1698                 BIO_push(fbio, sbio);
1699                 /* wait for multi-line response to end from FTP */
1700                 do
1701                         {
1702                         mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1703                         }
1704                 while (mbuf_len>3 && mbuf[3]=='-');
1705                 (void)BIO_flush(fbio);
1706                 BIO_pop(fbio);
1707                 BIO_free(fbio);
1708                 BIO_printf(sbio,"AUTH TLS\r\n");
1709                 BIO_read(sbio,sbuf,BUFSIZZ);
1710                 }
1711         if (starttls_proto == PROTO_XMPP)
1712                 {
1713                 int seen = 0;
1714                 BIO_printf(sbio,"<stream:stream "
1715                     "xmlns:stream='http://etherx.jabber.org/streams' "
1716                     "xmlns='jabber:client' to='%s' version='1.0'>", xmpphost ?
1717                            xmpphost : host);
1718                 seen = BIO_read(sbio,mbuf,BUFSIZZ);
1719                 mbuf[seen] = 0;
1720                 while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'") &&
1721                                 !strstr(mbuf, "<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\""))
1722                         {
1723                         seen = BIO_read(sbio,mbuf,BUFSIZZ);
1724
1725                         if (seen <= 0)
1726                                 goto shut;
1727
1728                         mbuf[seen] = 0;
1729                         }
1730                 BIO_printf(sbio, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>");
1731                 seen = BIO_read(sbio,sbuf,BUFSIZZ);
1732                 sbuf[seen] = 0;
1733                 if (!strstr(sbuf, "<proceed"))
1734                         goto shut;
1735                 mbuf[0] = 0;
1736                 }
1737
1738         for (;;)
1739                 {
1740                 FD_ZERO(&readfds);
1741                 FD_ZERO(&writefds);
1742
1743                 if ((SSL_version(con) == DTLS1_VERSION) &&
1744                         DTLSv1_get_timeout(con, &timeout))
1745                         timeoutp = &timeout;
1746                 else
1747                         timeoutp = NULL;
1748
1749                 if (SSL_in_init(con) && !SSL_total_renegotiations(con))
1750                         {
1751                         in_init=1;
1752                         tty_on=0;
1753                         }
1754                 else
1755                         {
1756                         tty_on=1;
1757                         if (in_init)
1758                                 {
1759                                 in_init=0;
1760 #if 0 /* This test doesn't really work as intended (needs to be fixed) */
1761 #ifndef OPENSSL_NO_TLSEXT
1762                                 if (servername != NULL && !SSL_session_reused(con))
1763                                         {
1764                                         BIO_printf(bio_c_out,"Server did %sacknowledge servername extension.\n",tlsextcbp.ack?"":"not ");
1765                                         }
1766 #endif
1767 #endif
1768                                 if (sess_out)
1769                                         {
1770                                         BIO *stmp = BIO_new_file(sess_out, "w");
1771                                         if (stmp)
1772                                                 {
1773                                                 PEM_write_bio_SSL_SESSION(stmp, SSL_get_session(con));
1774                                                 BIO_free(stmp);
1775                                                 }
1776                                         else 
1777                                                 BIO_printf(bio_err, "Error writing session file %s\n", sess_out);
1778                                         }
1779                                 if (c_brief)
1780                                         {
1781                                         BIO_puts(bio_err,
1782                                                 "CONNECTION ESTABLISHED\n");
1783                                         print_ssl_summary(bio_err, con);
1784                                         }
1785                                 /*handshake is complete - free the generated supp data allocated in the callback */
1786                                 if (generated_supp_data)
1787                                         {
1788                                         OPENSSL_free(generated_supp_data);
1789                                         generated_supp_data = NULL;
1790                                         }
1791
1792                                 print_stuff(bio_c_out,con,full_log);
1793                                 if (full_log > 0) full_log--;
1794
1795                                 if (starttls_proto)
1796                                         {
1797                                         BIO_printf(bio_err,"%s",mbuf);
1798                                         /* We don't need to know any more */
1799                                         starttls_proto = PROTO_OFF;
1800                                         }
1801
1802                                 if (reconnect)
1803                                         {
1804                                         reconnect--;
1805                                         BIO_printf(bio_c_out,"drop connection and then reconnect\n");
1806                                         SSL_shutdown(con);
1807                                         SSL_set_connect_state(con);
1808                                         SHUTDOWN(SSL_get_fd(con));
1809                                         goto re_start;
1810                                         }
1811                                 }
1812                         }
1813
1814                 ssl_pending = read_ssl && SSL_pending(con);
1815
1816                 if (!ssl_pending)
1817                         {
1818 #if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) && !defined (OPENSSL_SYS_BEOS_R5)
1819                         if (tty_on)
1820                                 {
1821                                 if (read_tty)  openssl_fdset(fileno(stdin),&readfds);
1822                                 if (write_tty) openssl_fdset(fileno(stdout),&writefds);
1823                                 }
1824                         if (read_ssl)
1825                                 openssl_fdset(SSL_get_fd(con),&readfds);
1826                         if (write_ssl)
1827                                 openssl_fdset(SSL_get_fd(con),&writefds);
1828 #else
1829                         if(!tty_on || !write_tty) {
1830                                 if (read_ssl)
1831                                         openssl_fdset(SSL_get_fd(con),&readfds);
1832                                 if (write_ssl)
1833                                         openssl_fdset(SSL_get_fd(con),&writefds);
1834                         }
1835 #endif
1836 /*                      printf("mode tty(%d %d%d) ssl(%d%d)\n",
1837                                 tty_on,read_tty,write_tty,read_ssl,write_ssl);*/
1838
1839                         /* Note: under VMS with SOCKETSHR the second parameter
1840                          * is currently of type (int *) whereas under other
1841                          * systems it is (void *) if you don't have a cast it
1842                          * will choke the compiler: if you do have a cast then
1843                          * you can either go for (int *) or (void *).
1844                          */
1845 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
1846                         /* Under Windows/DOS we make the assumption that we can
1847                          * always write to the tty: therefore if we need to
1848                          * write to the tty we just fall through. Otherwise
1849                          * we timeout the select every second and see if there
1850                          * are any keypresses. Note: this is a hack, in a proper
1851                          * Windows application we wouldn't do this.
1852                          */
1853                         i=0;
1854                         if(!write_tty) {
1855                                 if(read_tty) {
1856                                         tv.tv_sec = 1;
1857                                         tv.tv_usec = 0;
1858                                         i=select(width,(void *)&readfds,(void *)&writefds,
1859                                                  NULL,&tv);
1860 #if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
1861                                         if(!i && (!_kbhit() || !read_tty) ) continue;
1862 #else
1863                                         if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue;
1864 #endif
1865                                 } else  i=select(width,(void *)&readfds,(void *)&writefds,
1866                                          NULL,timeoutp);
1867                         }
1868 #elif defined(OPENSSL_SYS_NETWARE)
1869                         if(!write_tty) {
1870                                 if(read_tty) {
1871                                         tv.tv_sec = 1;
1872                                         tv.tv_usec = 0;
1873                                         i=select(width,(void *)&readfds,(void *)&writefds,
1874                                                 NULL,&tv);
1875                                 } else  i=select(width,(void *)&readfds,(void *)&writefds,
1876                                         NULL,timeoutp);
1877                         }
1878 #elif defined(OPENSSL_SYS_BEOS_R5)
1879                         /* Under BeOS-R5 the situation is similar to DOS */
1880                         i=0;
1881                         stdin_set = 0;
1882                         (void)fcntl(fileno(stdin), F_SETFL, O_NONBLOCK);
1883                         if(!write_tty) {
1884                                 if(read_tty) {
1885                                         tv.tv_sec = 1;
1886                                         tv.tv_usec = 0;
1887                                         i=select(width,(void *)&readfds,(void *)&writefds,
1888                                                  NULL,&tv);
1889                                         if (read(fileno(stdin), sbuf, 0) >= 0)
1890                                                 stdin_set = 1;
1891                                         if (!i && (stdin_set != 1 || !read_tty))
1892                                                 continue;
1893                                 } else  i=select(width,(void *)&readfds,(void *)&writefds,
1894                                          NULL,timeoutp);
1895                         }
1896                         (void)fcntl(fileno(stdin), F_SETFL, 0);
1897 #else
1898                         i=select(width,(void *)&readfds,(void *)&writefds,
1899                                  NULL,timeoutp);
1900 #endif
1901                         if ( i < 0)
1902                                 {
1903                                 BIO_printf(bio_err,"bad select %d\n",
1904                                 get_last_socket_error());
1905                                 goto shut;
1906                                 /* goto end; */
1907                                 }
1908                         }
1909
1910                 if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0)
1911                         {
1912                         BIO_printf(bio_err,"TIMEOUT occurred\n");
1913                         }
1914
1915                 if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds))
1916                         {
1917                         k=SSL_write(con,&(cbuf[cbuf_off]),
1918                                 (unsigned int)cbuf_len);
1919                         switch (SSL_get_error(con,k))
1920                                 {
1921                         case SSL_ERROR_NONE:
1922                                 cbuf_off+=k;
1923                                 cbuf_len-=k;
1924                                 if (k <= 0) goto end;
1925                                 /* we have done a  write(con,NULL,0); */
1926                                 if (cbuf_len <= 0)
1927                                         {
1928                                         read_tty=1;
1929                                         write_ssl=0;
1930                                         }
1931                                 else /* if (cbuf_len > 0) */
1932                                         {
1933                                         read_tty=0;
1934                                         write_ssl=1;
1935                                         }
1936                                 break;
1937                         case SSL_ERROR_WANT_WRITE:
1938                                 BIO_printf(bio_c_out,"write W BLOCK\n");
1939                                 write_ssl=1;
1940                                 read_tty=0;
1941                                 break;
1942                         case SSL_ERROR_WANT_READ:
1943                                 BIO_printf(bio_c_out,"write R BLOCK\n");
1944                                 write_tty=0;
1945                                 read_ssl=1;
1946                                 write_ssl=0;
1947                                 break;
1948                         case SSL_ERROR_WANT_X509_LOOKUP:
1949                                 BIO_printf(bio_c_out,"write X BLOCK\n");
1950                                 break;
1951                         case SSL_ERROR_ZERO_RETURN:
1952                                 if (cbuf_len != 0)
1953                                         {
1954                                         BIO_printf(bio_c_out,"shutdown\n");
1955                                         ret = 0;
1956                                         goto shut;
1957                                         }
1958                                 else
1959                                         {
1960                                         read_tty=1;
1961                                         write_ssl=0;
1962                                         break;
1963                                         }
1964                                 
1965                         case SSL_ERROR_SYSCALL:
1966                                 if ((k != 0) || (cbuf_len != 0))
1967                                         {
1968                                         BIO_printf(bio_err,"write:errno=%d\n",
1969                                                 get_last_socket_error());
1970                                         goto shut;
1971                                         }
1972                                 else
1973                                         {
1974                                         read_tty=1;
1975                                         write_ssl=0;
1976                                         }
1977                                 break;
1978                         case SSL_ERROR_SSL:
1979                                 ERR_print_errors(bio_err);
1980                                 goto shut;
1981                                 }
1982                         }
1983 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
1984                 /* Assume Windows/DOS/BeOS can always write */
1985                 else if (!ssl_pending && write_tty)
1986 #else
1987                 else if (!ssl_pending && FD_ISSET(fileno(stdout),&writefds))
1988 #endif
1989                         {
1990 #ifdef CHARSET_EBCDIC
1991                         ascii2ebcdic(&(sbuf[sbuf_off]),&(sbuf[sbuf_off]),sbuf_len);
1992 #endif
1993                         i=raw_write_stdout(&(sbuf[sbuf_off]),sbuf_len);
1994
1995                         if (i <= 0)
1996                                 {
1997                                 BIO_printf(bio_c_out,"DONE\n");
1998                                 ret = 0;
1999                                 goto shut;
2000                                 /* goto end; */
2001                                 }
2002
2003                         sbuf_len-=i;;
2004                         sbuf_off+=i;
2005                         if (sbuf_len <= 0)
2006                                 {
2007                                 read_ssl=1;
2008                                 write_tty=0;
2009                                 }
2010                         }
2011                 else if (ssl_pending || FD_ISSET(SSL_get_fd(con),&readfds))
2012                         {
2013 #ifdef RENEG
2014 { static int iiii; if (++iiii == 52) { SSL_renegotiate(con); iiii=0; } }
2015 #endif
2016 #if 1
2017                         k=SSL_read(con,sbuf,1024 /* BUFSIZZ */ );
2018 #else
2019 /* Demo for pending and peek :-) */
2020                         k=SSL_read(con,sbuf,16);
2021 { char zbuf[10240]; 
2022 printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240));
2023 }
2024 #endif
2025
2026                         switch (SSL_get_error(con,k))
2027                                 {
2028                         case SSL_ERROR_NONE:
2029                                 if (k <= 0)
2030                                         goto end;
2031                                 sbuf_off=0;
2032                                 sbuf_len=k;
2033
2034                                 read_ssl=0;
2035                                 write_tty=1;
2036                                 break;
2037                         case SSL_ERROR_WANT_WRITE:
2038                                 BIO_printf(bio_c_out,"read W BLOCK\n");
2039                                 write_ssl=1;
2040                                 read_tty=0;
2041                                 break;
2042                         case SSL_ERROR_WANT_READ:
2043                                 BIO_printf(bio_c_out,"read R BLOCK\n");
2044                                 write_tty=0;
2045                                 read_ssl=1;
2046                                 if ((read_tty == 0) && (write_ssl == 0))
2047                                         write_ssl=1;
2048                                 break;
2049                         case SSL_ERROR_WANT_X509_LOOKUP:
2050                                 BIO_printf(bio_c_out,"read X BLOCK\n");
2051                                 break;
2052                         case SSL_ERROR_SYSCALL:
2053                                 ret=get_last_socket_error();
2054                                 if (c_brief)
2055                                         BIO_puts(bio_err, "CONNECTION CLOSED BY SERVER\n");
2056                                 else
2057                                         BIO_printf(bio_err,"read:errno=%d\n",ret);
2058                                 goto shut;
2059                         case SSL_ERROR_ZERO_RETURN:
2060                                 BIO_printf(bio_c_out,"closed\n");
2061                                 ret=0;
2062                                 goto shut;
2063                         case SSL_ERROR_SSL:
2064                                 ERR_print_errors(bio_err);
2065                                 goto shut;
2066                                 /* break; */
2067                                 }
2068                         }
2069
2070 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
2071 #if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
2072                 else if (_kbhit())
2073 #else
2074                 else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
2075 #endif
2076 #elif defined (OPENSSL_SYS_NETWARE)
2077                 else if (_kbhit())
2078 #elif defined(OPENSSL_SYS_BEOS_R5)
2079                 else if (stdin_set)
2080 #else
2081                 else if (FD_ISSET(fileno(stdin),&readfds))
2082 #endif
2083                         {
2084                         if (crlf)
2085                                 {
2086                                 int j, lf_num;
2087
2088                                 i=raw_read_stdin(cbuf,BUFSIZZ/2);
2089                                 lf_num = 0;
2090                                 /* both loops are skipped when i <= 0 */
2091                                 for (j = 0; j < i; j++)
2092                                         if (cbuf[j] == '\n')
2093                                                 lf_num++;
2094                                 for (j = i-1; j >= 0; j--)
2095                                         {
2096                                         cbuf[j+lf_num] = cbuf[j];
2097                                         if (cbuf[j] == '\n')
2098                                                 {
2099                                                 lf_num--;
2100                                                 i++;
2101                                                 cbuf[j+lf_num] = '\r';
2102                                                 }
2103                                         }
2104                                 assert(lf_num == 0);
2105                                 }
2106                         else
2107                                 i=raw_read_stdin(cbuf,BUFSIZZ);
2108
2109                         if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q')))
2110                                 {
2111                                 BIO_printf(bio_err,"DONE\n");
2112                                 ret=0;
2113                                 goto shut;
2114                                 }
2115
2116                         if ((!c_ign_eof) && (cbuf[0] == 'R'))
2117                                 {
2118                                 BIO_printf(bio_err,"RENEGOTIATING\n");
2119                                 SSL_renegotiate(con);
2120                                 cbuf_len=0;
2121                                 }
2122 #ifndef OPENSSL_NO_HEARTBEATS
2123                         else if ((!c_ign_eof) && (cbuf[0] == 'B'))
2124                                 {
2125                                 BIO_printf(bio_err,"HEARTBEATING\n");
2126                                 SSL_heartbeat(con);
2127                                 cbuf_len=0;
2128                                 }
2129 #endif
2130                         else
2131                                 {
2132                                 cbuf_len=i;
2133                                 cbuf_off=0;
2134 #ifdef CHARSET_EBCDIC
2135                                 ebcdic2ascii(cbuf, cbuf, i);
2136 #endif
2137                                 }
2138
2139                         write_ssl=1;
2140                         read_tty=0;
2141                         }
2142                 }
2143
2144         ret=0;
2145 shut:
2146         if (in_init)
2147                 print_stuff(bio_c_out,con,full_log);
2148         SSL_shutdown(con);
2149         SHUTDOWN(SSL_get_fd(con));
2150 end:
2151         if (con != NULL)
2152                 {
2153                 if (prexit != 0)
2154                         print_stuff(bio_c_out,con,1);
2155                 SSL_free(con);
2156                 }
2157 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
2158         if (next_proto.data)
2159                 OPENSSL_free(next_proto.data);
2160 #endif
2161         if (ctx != NULL) SSL_CTX_free(ctx);
2162         if (cert)
2163                 X509_free(cert);
2164         if (crls)
2165                 sk_X509_CRL_pop_free(crls, X509_CRL_free);
2166         if (key)
2167                 EVP_PKEY_free(key);
2168         if (chain)
2169                 sk_X509_pop_free(chain, X509_free);
2170         if (pass)
2171                 OPENSSL_free(pass);
2172         if (vpm)
2173                 X509_VERIFY_PARAM_free(vpm);
2174         ssl_excert_free(exc);
2175         if (ssl_args)
2176                 sk_OPENSSL_STRING_free(ssl_args);
2177         if (cctx)
2178                 SSL_CONF_CTX_free(cctx);
2179 #ifndef OPENSSL_NO_JPAKE
2180         if (jpake_secret && psk_key)
2181                 OPENSSL_free(psk_key);
2182 #endif
2183         if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); }
2184         if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); }
2185         if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); }
2186         if (bio_c_out != NULL)
2187                 {
2188                 BIO_free(bio_c_out);
2189                 bio_c_out=NULL;
2190                 }
2191         if (bio_c_msg != NULL)
2192                 {
2193                 BIO_free(bio_c_msg);
2194                 bio_c_msg=NULL;
2195                 }
2196         apps_shutdown();
2197         OPENSSL_EXIT(ret);
2198         }
2199
2200
2201 static void print_stuff(BIO *bio, SSL *s, int full)
2202         {
2203         X509 *peer=NULL;
2204         char *p;
2205         static const char *space="                ";
2206         char buf[BUFSIZ];
2207         STACK_OF(X509) *sk;
2208         STACK_OF(X509_NAME) *sk2;
2209         const SSL_CIPHER *c;
2210         X509_NAME *xn;
2211         int j,i;
2212 #ifndef OPENSSL_NO_COMP
2213         const COMP_METHOD *comp, *expansion;
2214 #endif
2215         unsigned char *exportedkeymat;
2216
2217         if (full)
2218                 {
2219                 int got_a_chain = 0;
2220
2221                 sk=SSL_get_peer_cert_chain(s);
2222                 if (sk != NULL)
2223                         {
2224                         got_a_chain = 1; /* we don't have it for SSL2 (yet) */
2225
2226                         BIO_printf(bio,"---\nCertificate chain\n");
2227                         for (i=0; i<sk_X509_num(sk); i++)
2228                                 {
2229                                 X509_NAME_oneline(X509_get_subject_name(
2230                                         sk_X509_value(sk,i)),buf,sizeof buf);
2231                                 BIO_printf(bio,"%2d s:%s\n",i,buf);
2232                                 X509_NAME_oneline(X509_get_issuer_name(
2233                                         sk_X509_value(sk,i)),buf,sizeof buf);
2234                                 BIO_printf(bio,"   i:%s\n",buf);
2235                                 if (c_showcerts)
2236                                         PEM_write_bio_X509(bio,sk_X509_value(sk,i));
2237                                 }
2238                         }
2239
2240                 BIO_printf(bio,"---\n");
2241                 peer=SSL_get_peer_certificate(s);
2242                 if (peer != NULL)
2243                         {
2244                         BIO_printf(bio,"Server certificate\n");
2245                         if (!(c_showcerts && got_a_chain)) /* Redundant if we showed the whole chain */
2246                                 PEM_write_bio_X509(bio,peer);
2247                         X509_NAME_oneline(X509_get_subject_name(peer),
2248                                 buf,sizeof buf);
2249                         BIO_printf(bio,"subject=%s\n",buf);
2250                         X509_NAME_oneline(X509_get_issuer_name(peer),
2251                                 buf,sizeof buf);
2252                         BIO_printf(bio,"issuer=%s\n",buf);
2253                         }
2254                 else
2255                         BIO_printf(bio,"no peer certificate available\n");
2256
2257                 sk2=SSL_get_client_CA_list(s);
2258                 if ((sk2 != NULL) && (sk_X509_NAME_num(sk2) > 0))
2259                         {
2260                         BIO_printf(bio,"---\nAcceptable client certificate CA names\n");
2261                         for (i=0; i<sk_X509_NAME_num(sk2); i++)
2262                                 {
2263                                 xn=sk_X509_NAME_value(sk2,i);
2264                                 X509_NAME_oneline(xn,buf,sizeof(buf));
2265                                 BIO_write(bio,buf,strlen(buf));
2266                                 BIO_write(bio,"\n",1);
2267                                 }
2268                         }
2269                 else
2270                         {
2271                         BIO_printf(bio,"---\nNo client certificate CA names sent\n");
2272                         }
2273                 p=SSL_get_shared_ciphers(s,buf,sizeof buf);
2274                 if (p != NULL)
2275                         {
2276                         /* This works only for SSL 2.  In later protocol
2277                          * versions, the client does not know what other
2278                          * ciphers (in addition to the one to be used
2279                          * in the current connection) the server supports. */
2280
2281                         BIO_printf(bio,"---\nCiphers common between both SSL endpoints:\n");
2282                         j=i=0;
2283                         while (*p)
2284                                 {
2285                                 if (*p == ':')
2286                                         {
2287                                         BIO_write(bio,space,15-j%25);
2288                                         i++;
2289                                         j=0;
2290                                         BIO_write(bio,((i%3)?" ":"\n"),1);
2291                                         }
2292                                 else
2293                                         {
2294                                         BIO_write(bio,p,1);
2295                                         j++;
2296                                         }
2297                                 p++;
2298                                 }
2299                         BIO_write(bio,"\n",1);
2300                         }
2301
2302                 ssl_print_sigalgs(bio, s);
2303                 ssl_print_tmp_key(bio, s);
2304
2305                 BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n",
2306                         BIO_number_read(SSL_get_rbio(s)),
2307                         BIO_number_written(SSL_get_wbio(s)));
2308                 }
2309         BIO_printf(bio,(SSL_cache_hit(s)?"---\nReused, ":"---\nNew, "));
2310         c=SSL_get_current_cipher(s);
2311         BIO_printf(bio,"%s, Cipher is %s\n",
2312                 SSL_CIPHER_get_version(c),
2313                 SSL_CIPHER_get_name(c));
2314         if (peer != NULL) {
2315                 EVP_PKEY *pktmp;
2316                 pktmp = X509_get_pubkey(peer);
2317                 BIO_printf(bio,"Server public key is %d bit\n",
2318                                                          EVP_PKEY_bits(pktmp));
2319                 EVP_PKEY_free(pktmp);
2320         }
2321         BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
2322                         SSL_get_secure_renegotiation_support(s) ? "" : " NOT");
2323 #ifndef OPENSSL_NO_COMP
2324         comp=SSL_get_current_compression(s);
2325         expansion=SSL_get_current_expansion(s);
2326         BIO_printf(bio,"Compression: %s\n",
2327                 comp ? SSL_COMP_get_name(comp) : "NONE");
2328         BIO_printf(bio,"Expansion: %s\n",
2329                 expansion ? SSL_COMP_get_name(expansion) : "NONE");
2330 #endif
2331  
2332 #ifdef SSL_DEBUG
2333         {
2334         /* Print out local port of connection: useful for debugging */
2335         int sock;
2336         struct sockaddr_in ladd;
2337         socklen_t ladd_size = sizeof(ladd);
2338         sock = SSL_get_fd(s);
2339         getsockname(sock, (struct sockaddr *)&ladd, &ladd_size);
2340         BIO_printf(bio_c_out, "LOCAL PORT is %u\n", ntohs(ladd.sin_port));
2341         }
2342 #endif
2343
2344 #if !defined(OPENSSL_NO_TLSEXT)
2345 # if !defined(OPENSSL_NO_NEXTPROTONEG)
2346         if (next_proto.status != -1) {
2347                 const unsigned char *proto;
2348                 unsigned int proto_len;
2349                 SSL_get0_next_proto_negotiated(s, &proto, &proto_len);
2350                 BIO_printf(bio, "Next protocol: (%d) ", next_proto.status);
2351                 BIO_write(bio, proto, proto_len);
2352                 BIO_write(bio, "\n", 1);
2353         }
2354 # endif
2355         {
2356                 const unsigned char *proto;
2357                 unsigned int proto_len;
2358                 SSL_get0_alpn_selected(s, &proto, &proto_len);
2359                 if (proto_len > 0)
2360                         {
2361                         BIO_printf(bio, "ALPN protocol: ");
2362                         BIO_write(bio, proto, proto_len);
2363                         BIO_write(bio, "\n", 1);
2364                         }
2365                 else
2366                         BIO_printf(bio, "No ALPN negotiated\n");
2367         }
2368 #endif
2369
2370         {
2371         SRTP_PROTECTION_PROFILE *srtp_profile=SSL_get_selected_srtp_profile(s);
2372  
2373         if(srtp_profile)
2374                 BIO_printf(bio,"SRTP Extension negotiated, profile=%s\n",
2375                            srtp_profile->name);
2376         }
2377  
2378         SSL_SESSION_print(bio,SSL_get_session(s));
2379         if (keymatexportlabel != NULL)
2380                 {
2381                 BIO_printf(bio, "Keying material exporter:\n");
2382                 BIO_printf(bio, "    Label: '%s'\n", keymatexportlabel);
2383                 BIO_printf(bio, "    Length: %i bytes\n", keymatexportlen);
2384                 exportedkeymat = OPENSSL_malloc(keymatexportlen);
2385                 if (exportedkeymat != NULL)
2386                         {
2387                         if (!SSL_export_keying_material(s, exportedkeymat,
2388                                                         keymatexportlen,
2389                                                         keymatexportlabel,
2390                                                         strlen(keymatexportlabel),
2391                                                         NULL, 0, 0))
2392                                 {
2393                                 BIO_printf(bio, "    Error\n");
2394                                 }
2395                         else
2396                                 {
2397                                 BIO_printf(bio, "    Keying material: ");
2398                                 for (i=0; i<keymatexportlen; i++)
2399                                         BIO_printf(bio, "%02X",
2400                                                    exportedkeymat[i]);
2401                                 BIO_printf(bio, "\n");
2402                                 }
2403                         OPENSSL_free(exportedkeymat);
2404                         }
2405                 }
2406         BIO_printf(bio,"---\n");
2407         if (peer != NULL)
2408                 X509_free(peer);
2409         /* flush, or debugging output gets mixed with http response */
2410         (void)BIO_flush(bio);
2411         }
2412
2413 #ifndef OPENSSL_NO_TLSEXT
2414
2415 static int ocsp_resp_cb(SSL *s, void *arg)
2416         {
2417         const unsigned char *p;
2418         int len;
2419         OCSP_RESPONSE *rsp;
2420         len = SSL_get_tlsext_status_ocsp_resp(s, &p);
2421         BIO_puts(arg, "OCSP response: ");
2422         if (!p)
2423                 {
2424                 BIO_puts(arg, "no response sent\n");
2425                 return 1;
2426                 }
2427         rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
2428         if (!rsp)
2429                 {
2430                 BIO_puts(arg, "response parse error\n");
2431                 BIO_dump_indent(arg, (char *)p, len, 4);
2432                 return 0;
2433                 }
2434         BIO_puts(arg, "\n======================================\n");
2435         OCSP_RESPONSE_print(arg, rsp, 0);
2436         BIO_puts(arg, "======================================\n");
2437         OCSP_RESPONSE_free(rsp);
2438         return 1;
2439         }
2440
2441 static int authz_tlsext_cb(SSL *s, unsigned short ext_type,
2442                            const unsigned char *in,
2443                            unsigned short inlen, int *al,
2444                            void *arg)
2445         {
2446         if (TLSEXT_TYPE_server_authz == ext_type)
2447                 server_provided_server_authz
2448                   = (memchr(in, TLSEXT_AUTHZDATAFORMAT_dtcp, inlen) != NULL);
2449
2450         if (TLSEXT_TYPE_client_authz == ext_type)
2451                 server_provided_client_authz
2452                   = (memchr(in, TLSEXT_AUTHZDATAFORMAT_dtcp, inlen) != NULL);
2453
2454         return 1;
2455         }
2456
2457 static int authz_tlsext_generate_cb(SSL *s, unsigned short ext_type,
2458                                     const unsigned char **out, unsigned short *outlen,
2459                                     int *al, void *arg)
2460         {
2461         if (c_auth)
2462                 {
2463                 /*if auth_require_reneg flag is set, only send extensions if
2464                   renegotiation has occurred */
2465                 if (!c_auth_require_reneg || (c_auth_require_reneg && SSL_num_renegotiations(s)))
2466                         {
2467                         *out = auth_ext_data;
2468                         *outlen = 1;
2469                         return 1;
2470                         }
2471                 }
2472         /* no auth extension to send */
2473         return -1;
2474         }
2475
2476 static int suppdata_cb(SSL *s, unsigned short supp_data_type,
2477                        const unsigned char *in,
2478                        unsigned short inlen, int *al,
2479                        void *arg)
2480         {
2481         if (supp_data_type == TLSEXT_SUPPLEMENTALDATATYPE_authz_data)
2482                 {
2483                 most_recent_supplemental_data = in;
2484                 most_recent_supplemental_data_length = inlen;
2485                 }
2486         return 1;
2487         }
2488
2489 static int auth_suppdata_generate_cb(SSL *s, unsigned short supp_data_type,
2490                                      const unsigned char **out,
2491                                      unsigned short *outlen, int *al, void *arg)
2492         {
2493         if (c_auth && server_provided_client_authz && server_provided_server_authz)
2494                 {
2495                 /*if auth_require_reneg flag is set, only send supplemental data if
2496                   renegotiation has occurred */
2497                 if (!c_auth_require_reneg
2498                     || (c_auth_require_reneg && SSL_num_renegotiations(s)))
2499                         {
2500                         generated_supp_data = OPENSSL_malloc(10);
2501                         memcpy(generated_supp_data, "5432154321", 10);
2502                         *out = generated_supp_data;
2503                         *outlen = 10;
2504                         return 1;
2505                         }
2506                 }
2507         /* no supplemental data to send */
2508         return -1;
2509         }
2510
2511 #endif