vpaes-x86_64.pl: out-of-date Apple assembler fails to calculate
[openssl.git] / apps / s_client.c
1 /* apps/s_client.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111 /* ====================================================================
112  * Copyright 2005 Nokia. All rights reserved.
113  *
114  * The portions of the attached software ("Contribution") is developed by
115  * Nokia Corporation and is licensed pursuant to the OpenSSL open source
116  * license.
117  *
118  * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119  * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120  * support (see RFC 4279) to OpenSSL.
121  *
122  * No patent licenses or other rights except those expressly stated in
123  * the OpenSSL open source license shall be deemed granted or received
124  * expressly, by implication, estoppel, or otherwise.
125  *
126  * No assurances are provided by Nokia that the Contribution does not
127  * infringe the patent or other intellectual property rights of any third
128  * party or that the license provides you with all the necessary rights
129  * to make use of the Contribution.
130  *
131  * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132  * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133  * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134  * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
135  * OTHERWISE.
136  */
137
138 #include <assert.h>
139 #include <ctype.h>
140 #include <stdio.h>
141 #include <stdlib.h>
142 #include <string.h>
143 #include <openssl/e_os2.h>
144 #ifdef OPENSSL_NO_STDIO
145 #define APPS_WIN16
146 #endif
147
148 /* With IPv6, it looks like Digital has mixed up the proper order of
149    recursive header file inclusion, resulting in the compiler complaining
150    that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which
151    is needed to have fileno() declared correctly...  So let's define u_int */
152 #if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
153 #define __U_INT
154 typedef unsigned int u_int;
155 #endif
156
157 #define USE_SOCKETS
158 #include "apps.h"
159 #include <openssl/x509.h>
160 #include <openssl/ssl.h>
161 #include <openssl/err.h>
162 #include <openssl/pem.h>
163 #include <openssl/rand.h>
164 #include <openssl/ocsp.h>
165 #include <openssl/bn.h>
166 #ifndef OPENSSL_NO_SRP
167 #include <openssl/srp.h>
168 #endif
169 #include "s_apps.h"
170 #include "timeouts.h"
171
172 #if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
173 /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
174 #undef FIONBIO
175 #endif
176
177 #if defined(OPENSSL_SYS_BEOS_R5)
178 #include <fcntl.h>
179 #endif
180
181 #undef PROG
182 #define PROG    s_client_main
183
184 /*#define SSL_HOST_NAME "www.netscape.com" */
185 /*#define SSL_HOST_NAME "193.118.187.102" */
186 #define SSL_HOST_NAME   "localhost"
187
188 /*#define TEST_CERT "client.pem" */ /* no default cert. */
189
190 #undef BUFSIZZ
191 #define BUFSIZZ 1024*8
192
193 extern int verify_depth;
194 extern int verify_error;
195 extern int verify_return_error;
196
197 #ifdef FIONBIO
198 static int c_nbio=0;
199 #endif
200 static int c_Pause=0;
201 static int c_debug=0;
202 #ifndef OPENSSL_NO_TLSEXT
203 static int c_tlsextdebug=0;
204 static int c_status_req=0;
205 #endif
206 static int c_msg=0;
207 static int c_showcerts=0;
208
209 static char *keymatexportlabel=NULL;
210 static int keymatexportlen=20;
211
212 static void sc_usage(void);
213 static void print_stuff(BIO *berr,SSL *con,int full);
214 #ifndef OPENSSL_NO_TLSEXT
215 static int ocsp_resp_cb(SSL *s, void *arg);
216 #endif
217 static BIO *bio_c_out=NULL;
218 static int c_quiet=0;
219 static int c_ign_eof=0;
220
221 #ifndef OPENSSL_NO_PSK
222 /* Default PSK identity and key */
223 static char *psk_identity="Client_identity";
224 /*char *psk_key=NULL;  by default PSK is not used */
225
226 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity,
227         unsigned int max_identity_len, unsigned char *psk,
228         unsigned int max_psk_len)
229         {
230         unsigned int psk_len = 0;
231         int ret;
232         BIGNUM *bn=NULL;
233
234         if (c_debug)
235                 BIO_printf(bio_c_out, "psk_client_cb\n");
236         if (!hint)
237                 {
238                 /* no ServerKeyExchange message*/
239                 if (c_debug)
240                         BIO_printf(bio_c_out,"NULL received PSK identity hint, continuing anyway\n");
241                 }
242         else if (c_debug)
243                 BIO_printf(bio_c_out, "Received PSK identity hint '%s'\n", hint);
244
245         /* lookup PSK identity and PSK key based on the given identity hint here */
246         ret = BIO_snprintf(identity, max_identity_len, "%s", psk_identity);
247         if (ret < 0 || (unsigned int)ret > max_identity_len)
248                 goto out_err;
249         if (c_debug)
250                 BIO_printf(bio_c_out, "created identity '%s' len=%d\n", identity, ret);
251         ret=BN_hex2bn(&bn, psk_key);
252         if (!ret)
253                 {
254                 BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", psk_key);
255                 if (bn)
256                         BN_free(bn);
257                 return 0;
258                 }
259
260         if ((unsigned int)BN_num_bytes(bn) > max_psk_len)
261                 {
262                 BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
263                         max_psk_len, BN_num_bytes(bn));
264                 BN_free(bn);
265                 return 0;
266                 }
267
268         psk_len=BN_bn2bin(bn, psk);
269         BN_free(bn);
270         if (psk_len == 0)
271                 goto out_err;
272
273         if (c_debug)
274                 BIO_printf(bio_c_out, "created PSK len=%d\n", psk_len);
275
276         return psk_len;
277  out_err:
278         if (c_debug)
279                 BIO_printf(bio_err, "Error in PSK client callback\n");
280         return 0;
281         }
282 #endif
283
284 static void sc_usage(void)
285         {
286         BIO_printf(bio_err,"usage: s_client args\n");
287         BIO_printf(bio_err,"\n");
288         BIO_printf(bio_err," -host host     - use -connect instead\n");
289         BIO_printf(bio_err," -port port     - use -connect instead\n");
290         BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR);
291
292         BIO_printf(bio_err," -verify arg   - turn on peer certificate verification\n");
293         BIO_printf(bio_err," -cert arg     - certificate file to use, PEM format assumed\n");
294         BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n");
295         BIO_printf(bio_err," -key arg      - Private key file to use, in cert file if\n");
296         BIO_printf(bio_err,"                 not specified but cert file is.\n");
297         BIO_printf(bio_err," -keyform arg  - key format (PEM or DER) PEM default\n");
298         BIO_printf(bio_err," -pass arg     - private key file pass phrase source\n");
299         BIO_printf(bio_err," -CApath arg   - PEM format directory of CA's\n");
300         BIO_printf(bio_err," -CAfile arg   - PEM format file of CA's\n");
301         BIO_printf(bio_err," -reconnect    - Drop and re-make the connection with the same Session-ID\n");
302         BIO_printf(bio_err," -pause        - sleep(1) after each read(2) and write(2) system call\n");
303         BIO_printf(bio_err," -showcerts    - show all certificates in the chain\n");
304         BIO_printf(bio_err," -debug        - extra output\n");
305 #ifdef WATT32
306         BIO_printf(bio_err," -wdebug       - WATT-32 tcp debugging\n");
307 #endif
308         BIO_printf(bio_err," -msg          - Show protocol messages\n");
309         BIO_printf(bio_err," -nbio_test    - more ssl protocol testing\n");
310         BIO_printf(bio_err," -state        - print the 'ssl' states\n");
311 #ifdef FIONBIO
312         BIO_printf(bio_err," -nbio         - Run with non-blocking IO\n");
313 #endif
314         BIO_printf(bio_err," -crlf         - convert LF from terminal into CRLF\n");
315         BIO_printf(bio_err," -quiet        - no s_client output\n");
316         BIO_printf(bio_err," -ign_eof      - ignore input eof (default when -quiet)\n");
317         BIO_printf(bio_err," -no_ign_eof   - don't ignore input eof\n");
318 #ifndef OPENSSL_NO_PSK
319         BIO_printf(bio_err," -psk_identity arg - PSK identity\n");
320         BIO_printf(bio_err," -psk arg      - PSK in hex (without 0x)\n");
321 # ifndef OPENSSL_NO_JPAKE
322         BIO_printf(bio_err," -jpake arg    - JPAKE secret to use\n");
323 # endif
324 #endif
325 #ifndef OPENSSL_NO_SRP
326         BIO_printf(bio_err," -srpuser user     - SRP authentification for 'user'\n");
327         BIO_printf(bio_err," -srppass arg      - password for 'user'\n");
328         BIO_printf(bio_err," -srp_lateuser     - SRP username into second ClientHello message\n");
329         BIO_printf(bio_err," -srp_moregroups   - Tolerate other than the known g N values.\n");
330         BIO_printf(bio_err," -srp_strength int - minimal mength in bits for N (default %d).\n",SRP_MINIMAL_N);
331 #endif
332         BIO_printf(bio_err," -ssl2         - just use SSLv2\n");
333         BIO_printf(bio_err," -ssl3         - just use SSLv3\n");
334         BIO_printf(bio_err," -tls1_2       - just use TLSv1.2\n");
335         BIO_printf(bio_err," -tls1_1       - just use TLSv1.1\n");
336         BIO_printf(bio_err," -tls1         - just use TLSv1\n");
337         BIO_printf(bio_err," -dtls1        - just use DTLSv1\n");    
338         BIO_printf(bio_err," -mtu          - set the link layer MTU\n");
339         BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
340         BIO_printf(bio_err," -bugs         - Switch on all SSL implementation bug workarounds\n");
341         BIO_printf(bio_err," -serverpref   - Use server's cipher preferences (only SSLv2)\n");
342         BIO_printf(bio_err," -cipher       - preferred cipher to use, use the 'openssl ciphers'\n");
343         BIO_printf(bio_err,"                 command to see what is available\n");
344         BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n");
345         BIO_printf(bio_err,"                 for those protocols that support it, where\n");
346         BIO_printf(bio_err,"                 'prot' defines which one to assume.  Currently,\n");
347         BIO_printf(bio_err,"                 only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
348         BIO_printf(bio_err,"                 are supported.\n");
349 #ifndef OPENSSL_NO_ENGINE
350         BIO_printf(bio_err," -engine id    - Initialise and use the specified engine\n");
351 #endif
352         BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
353         BIO_printf(bio_err," -sess_out arg - file to write SSL session to\n");
354         BIO_printf(bio_err," -sess_in arg  - file to read SSL session from\n");
355 #ifndef OPENSSL_NO_TLSEXT
356         BIO_printf(bio_err," -servername host  - Set TLS extension servername in ClientHello\n");
357         BIO_printf(bio_err," -tlsextdebug      - hex dump of all TLS extensions received\n");
358         BIO_printf(bio_err," -status           - request certificate status from server\n");
359         BIO_printf(bio_err," -no_ticket        - disable use of RFC4507bis session tickets\n");
360 # ifndef OPENSSL_NO_NEXTPROTONEG
361         BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
362 # endif
363 #endif
364         BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
365         BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
366         BIO_printf(bio_err," -keymatexport label   - Export keying material using label\n");
367         BIO_printf(bio_err," -keymatexportlen len  - Export len bytes of keying material (default 20)\n");
368         }
369
370 #ifndef OPENSSL_NO_TLSEXT
371
372 /* This is a context that we pass to callbacks */
373 typedef struct tlsextctx_st {
374    BIO * biodebug;
375    int ack;
376 } tlsextctx;
377
378
379 static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
380         {
381         tlsextctx * p = (tlsextctx *) arg;
382         const char * hn= SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
383         if (SSL_get_servername_type(s) != -1) 
384                 p->ack = !SSL_session_reused(s) && hn != NULL;
385         else 
386                 BIO_printf(bio_err,"Can't use SSL_get_servername\n");
387         
388         return SSL_TLSEXT_ERR_OK;
389         }
390
391 #ifndef OPENSSL_NO_SRP
392
393 /* This is a context that we pass to all callbacks */
394 typedef struct srp_arg_st
395         {
396         char *srppassin;
397         char *srplogin;
398         int msg;   /* copy from c_msg */
399         int debug; /* copy from c_debug */
400         int amp;   /* allow more groups */
401         int strength /* minimal size for N */ ;
402         } SRP_ARG;
403
404 #define SRP_NUMBER_ITERATIONS_FOR_PRIME 64
405
406 static int srp_Verify_N_and_g(const BIGNUM *N, const BIGNUM *g)
407         {
408         BN_CTX *bn_ctx = BN_CTX_new();
409         BIGNUM *p = BN_new();
410         BIGNUM *r = BN_new();
411         int ret =
412                 g != NULL && N != NULL && bn_ctx != NULL && BN_is_odd(N) &&
413                 BN_is_prime_ex(N, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
414                 p != NULL && BN_rshift1(p, N) &&
415
416                 /* p = (N-1)/2 */
417                 BN_is_prime_ex(p, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
418                 r != NULL &&
419
420                 /* verify g^((N-1)/2) == -1 (mod N) */
421                 BN_mod_exp(r, g, p, N, bn_ctx) &&
422                 BN_add_word(r, 1) &&
423                 BN_cmp(r, N) == 0;
424
425         if(r)
426                 BN_free(r);
427         if(p)
428                 BN_free(p);
429         if(bn_ctx)
430                 BN_CTX_free(bn_ctx);
431         return ret;
432         }
433
434 /* This callback is used here for two purposes:
435    - extended debugging
436    - making some primality tests for unknown groups
437    The callback is only called for a non default group.
438
439    An application does not need the call back at all if
440    only the stanard groups are used.  In real life situations, 
441    client and server already share well known groups, 
442    thus there is no need to verify them. 
443    Furthermore, in case that a server actually proposes a group that
444    is not one of those defined in RFC 5054, it is more appropriate 
445    to add the group to a static list and then compare since 
446    primality tests are rather cpu consuming.
447 */
448
449 static int MS_CALLBACK ssl_srp_verify_param_cb(SSL *s, void *arg)
450         {
451         SRP_ARG *srp_arg = (SRP_ARG *)arg;
452         BIGNUM *N = NULL, *g = NULL;
453         if (!(N = SSL_get_srp_N(s)) || !(g = SSL_get_srp_g(s)))
454                 return 0;
455         if (srp_arg->debug || srp_arg->msg || srp_arg->amp == 1)
456                 {
457                 BIO_printf(bio_err, "SRP parameters:\n"); 
458                 BIO_printf(bio_err,"\tN="); BN_print(bio_err,N);
459                 BIO_printf(bio_err,"\n\tg="); BN_print(bio_err,g);
460                 BIO_printf(bio_err,"\n");
461                 }
462
463         if (SRP_check_known_gN_param(g,N))
464                 return 1;
465
466         if (srp_arg->amp == 1)
467                 {
468                 if (srp_arg->debug)
469                         BIO_printf(bio_err, "SRP param N and g are not known params, going to check deeper.\n");
470
471 /* The srp_moregroups is a real debugging feature.
472    Implementors should rather add the value to the known ones.
473    The minimal size has already been tested.
474 */
475                 if (BN_num_bits(g) <= BN_BITS && srp_Verify_N_and_g(N,g))
476                         return 1;
477                 }       
478         BIO_printf(bio_err, "SRP param N and g rejected.\n");
479         return 0;
480         }
481
482 #define PWD_STRLEN 1024
483
484 static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
485         {
486         SRP_ARG *srp_arg = (SRP_ARG *)arg;
487         char *pass = (char *)OPENSSL_malloc(PWD_STRLEN+1);
488         PW_CB_DATA cb_tmp;
489         int l;
490
491         cb_tmp.password = (char *)srp_arg->srppassin;
492         cb_tmp.prompt_info = "SRP user";
493         if ((l = password_callback(pass, PWD_STRLEN, 0, &cb_tmp))<0)
494                 {
495                 BIO_printf (bio_err, "Can't read Password\n");
496                 OPENSSL_free(pass);
497                 return NULL;
498                 }
499         *(pass+l)= '\0';
500
501         return pass;
502         }
503
504 #endif
505         char *srtp_profiles = NULL;
506
507 # ifndef OPENSSL_NO_NEXTPROTONEG
508 /* This the context that we pass to next_proto_cb */
509 typedef struct tlsextnextprotoctx_st {
510         unsigned char *data;
511         unsigned short len;
512         int status;
513 } tlsextnextprotoctx;
514
515 static tlsextnextprotoctx next_proto;
516
517 static int next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg)
518         {
519         tlsextnextprotoctx *ctx = arg;
520
521         if (!c_quiet)
522                 {
523                 /* We can assume that |in| is syntactically valid. */
524                 unsigned i;
525                 BIO_printf(bio_c_out, "Protocols advertised by server: ");
526                 for (i = 0; i < inlen; )
527                         {
528                         if (i)
529                                 BIO_write(bio_c_out, ", ", 2);
530                         BIO_write(bio_c_out, &in[i + 1], in[i]);
531                         i += in[i] + 1;
532                         }
533                 BIO_write(bio_c_out, "\n", 1);
534                 }
535
536         ctx->status = SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len);
537         return SSL_TLSEXT_ERR_OK;
538         }
539 # endif  /* ndef OPENSSL_NO_NEXTPROTONEG */
540 #endif
541
542 enum
543 {
544         PROTO_OFF       = 0,
545         PROTO_SMTP,
546         PROTO_POP3,
547         PROTO_IMAP,
548         PROTO_FTP,
549         PROTO_XMPP
550 };
551
552 int MAIN(int, char **);
553
554 int MAIN(int argc, char **argv)
555         {
556         unsigned int off=0, clr=0;
557         SSL *con=NULL;
558 #ifndef OPENSSL_NO_KRB5
559         KSSL_CTX *kctx;
560 #endif
561         int s,k,width,state=0;
562         char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL;
563         int cbuf_len,cbuf_off;
564         int sbuf_len,sbuf_off;
565         fd_set readfds,writefds;
566         short port=PORT;
567         int full_log=1;
568         char *host=SSL_HOST_NAME;
569         char *cert_file=NULL,*key_file=NULL;
570         int cert_format = FORMAT_PEM, key_format = FORMAT_PEM;
571         char *passarg = NULL, *pass = NULL;
572         X509 *cert = NULL;
573         EVP_PKEY *key = NULL;
574         char *CApath=NULL,*CAfile=NULL,*cipher=NULL;
575         int reconnect=0,badop=0,verify=SSL_VERIFY_NONE,bugs=0;
576         int crlf=0;
577         int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending;
578         SSL_CTX *ctx=NULL;
579         int ret=1,in_init=1,i,nbio_test=0;
580         int starttls_proto = PROTO_OFF;
581         int prexit = 0;
582         X509_VERIFY_PARAM *vpm = NULL;
583         int badarg = 0;
584         const SSL_METHOD *meth=NULL;
585         int socket_type=SOCK_STREAM;
586         BIO *sbio;
587         char *inrand=NULL;
588         int mbuf_len=0;
589         struct timeval timeout, *timeoutp;
590 #ifndef OPENSSL_NO_ENGINE
591         char *engine_id=NULL;
592         char *ssl_client_engine_id=NULL;
593         ENGINE *ssl_client_engine=NULL;
594 #endif
595         ENGINE *e=NULL;
596 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
597         struct timeval tv;
598 #if defined(OPENSSL_SYS_BEOS_R5)
599         int stdin_set = 0;
600 #endif
601 #endif
602 #ifndef OPENSSL_NO_TLSEXT
603         char *servername = NULL; 
604         tlsextctx tlsextcbp = 
605         {NULL,0};
606 # ifndef OPENSSL_NO_NEXTPROTONEG
607         const char *next_proto_neg_in = NULL;
608 # endif
609 #endif
610         char *sess_in = NULL;
611         char *sess_out = NULL;
612         struct sockaddr peer;
613         int peerlen = sizeof(peer);
614         int enable_timeouts = 0 ;
615         long socket_mtu = 0;
616 #ifndef OPENSSL_NO_JPAKE
617         char *jpake_secret = NULL;
618 #endif
619 #ifndef OPENSSL_NO_SRP
620         char * srppass = NULL;
621         int srp_lateuser = 0;
622         SRP_ARG srp_arg = {NULL,NULL,0,0,0,1024};
623 #endif
624
625 #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
626         meth=SSLv23_client_method();
627 #elif !defined(OPENSSL_NO_SSL3)
628         meth=SSLv3_client_method();
629 #elif !defined(OPENSSL_NO_SSL2)
630         meth=SSLv2_client_method();
631 #endif
632
633         apps_startup();
634         c_Pause=0;
635         c_quiet=0;
636         c_ign_eof=0;
637         c_debug=0;
638         c_msg=0;
639         c_showcerts=0;
640
641         if (bio_err == NULL)
642                 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
643
644         if (!load_config(bio_err, NULL))
645                 goto end;
646
647         if (    ((cbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
648                 ((sbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
649                 ((mbuf=OPENSSL_malloc(BUFSIZZ)) == NULL))
650                 {
651                 BIO_printf(bio_err,"out of memory\n");
652                 goto end;
653                 }
654
655         verify_depth=0;
656         verify_error=X509_V_OK;
657 #ifdef FIONBIO
658         c_nbio=0;
659 #endif
660
661         argc--;
662         argv++;
663         while (argc >= 1)
664                 {
665                 if      (strcmp(*argv,"-host") == 0)
666                         {
667                         if (--argc < 1) goto bad;
668                         host= *(++argv);
669                         }
670                 else if (strcmp(*argv,"-port") == 0)
671                         {
672                         if (--argc < 1) goto bad;
673                         port=atoi(*(++argv));
674                         if (port == 0) goto bad;
675                         }
676                 else if (strcmp(*argv,"-connect") == 0)
677                         {
678                         if (--argc < 1) goto bad;
679                         if (!extract_host_port(*(++argv),&host,NULL,&port))
680                                 goto bad;
681                         }
682                 else if (strcmp(*argv,"-verify") == 0)
683                         {
684                         verify=SSL_VERIFY_PEER;
685                         if (--argc < 1) goto bad;
686                         verify_depth=atoi(*(++argv));
687                         BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
688                         }
689                 else if (strcmp(*argv,"-cert") == 0)
690                         {
691                         if (--argc < 1) goto bad;
692                         cert_file= *(++argv);
693                         }
694                 else if (strcmp(*argv,"-sess_out") == 0)
695                         {
696                         if (--argc < 1) goto bad;
697                         sess_out = *(++argv);
698                         }
699                 else if (strcmp(*argv,"-sess_in") == 0)
700                         {
701                         if (--argc < 1) goto bad;
702                         sess_in = *(++argv);
703                         }
704                 else if (strcmp(*argv,"-certform") == 0)
705                         {
706                         if (--argc < 1) goto bad;
707                         cert_format = str2fmt(*(++argv));
708                         }
709                 else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
710                         {
711                         if (badarg)
712                                 goto bad;
713                         continue;
714                         }
715                 else if (strcmp(*argv,"-verify_return_error") == 0)
716                         verify_return_error = 1;
717                 else if (strcmp(*argv,"-prexit") == 0)
718                         prexit=1;
719                 else if (strcmp(*argv,"-crlf") == 0)
720                         crlf=1;
721                 else if (strcmp(*argv,"-quiet") == 0)
722                         {
723                         c_quiet=1;
724                         c_ign_eof=1;
725                         }
726                 else if (strcmp(*argv,"-ign_eof") == 0)
727                         c_ign_eof=1;
728                 else if (strcmp(*argv,"-no_ign_eof") == 0)
729                         c_ign_eof=0;
730                 else if (strcmp(*argv,"-pause") == 0)
731                         c_Pause=1;
732                 else if (strcmp(*argv,"-debug") == 0)
733                         c_debug=1;
734 #ifndef OPENSSL_NO_TLSEXT
735                 else if (strcmp(*argv,"-tlsextdebug") == 0)
736                         c_tlsextdebug=1;
737                 else if (strcmp(*argv,"-status") == 0)
738                         c_status_req=1;
739 #endif
740 #ifdef WATT32
741                 else if (strcmp(*argv,"-wdebug") == 0)
742                         dbug_init();
743 #endif
744                 else if (strcmp(*argv,"-msg") == 0)
745                         c_msg=1;
746                 else if (strcmp(*argv,"-showcerts") == 0)
747                         c_showcerts=1;
748                 else if (strcmp(*argv,"-nbio_test") == 0)
749                         nbio_test=1;
750                 else if (strcmp(*argv,"-state") == 0)
751                         state=1;
752 #ifndef OPENSSL_NO_PSK
753                 else if (strcmp(*argv,"-psk_identity") == 0)
754                         {
755                         if (--argc < 1) goto bad;
756                         psk_identity=*(++argv);
757                         }
758                 else if (strcmp(*argv,"-psk") == 0)
759                         {
760                         size_t j;
761
762                         if (--argc < 1) goto bad;
763                         psk_key=*(++argv);
764                         for (j = 0; j < strlen(psk_key); j++)
765                                 {
766                                 if (isxdigit((unsigned char)psk_key[j]))
767                                         continue;
768                                 BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
769                                 goto bad;
770                                 }
771                         }
772 #endif
773 #ifndef OPENSSL_NO_SRP
774                 else if (strcmp(*argv,"-srpuser") == 0)
775                         {
776                         if (--argc < 1) goto bad;
777                         srp_arg.srplogin= *(++argv);
778                         meth=TLSv1_client_method();
779                         }
780                 else if (strcmp(*argv,"-srppass") == 0)
781                         {
782                         if (--argc < 1) goto bad;
783                         srppass= *(++argv);
784                         meth=TLSv1_client_method();
785                         }
786                 else if (strcmp(*argv,"-srp_strength") == 0)
787                         {
788                         if (--argc < 1) goto bad;
789                         srp_arg.strength=atoi(*(++argv));
790                         BIO_printf(bio_err,"SRP minimal length for N is %d\n",srp_arg.strength);
791                         meth=TLSv1_client_method();
792                         }
793                 else if (strcmp(*argv,"-srp_lateuser") == 0)
794                         {
795                         srp_lateuser= 1;
796                         meth=TLSv1_client_method();
797                         }
798                 else if (strcmp(*argv,"-srp_moregroups") == 0)
799                         {
800                         srp_arg.amp=1;
801                         meth=TLSv1_client_method();
802                         }
803 #endif
804 #ifndef OPENSSL_NO_SSL2
805                 else if (strcmp(*argv,"-ssl2") == 0)
806                         meth=SSLv2_client_method();
807 #endif
808 #ifndef OPENSSL_NO_SSL3
809                 else if (strcmp(*argv,"-ssl3") == 0)
810                         meth=SSLv3_client_method();
811 #endif
812 #ifndef OPENSSL_NO_TLS1
813                 else if (strcmp(*argv,"-tls1_2") == 0)
814                         meth=TLSv1_2_client_method();
815                 else if (strcmp(*argv,"-tls1_1") == 0)
816                         meth=TLSv1_1_client_method();
817                 else if (strcmp(*argv,"-tls1") == 0)
818                         meth=TLSv1_client_method();
819 #endif
820 #ifndef OPENSSL_NO_DTLS1
821                 else if (strcmp(*argv,"-dtls1") == 0)
822                         {
823                         meth=DTLSv1_client_method();
824                         socket_type=SOCK_DGRAM;
825                         }
826                 else if (strcmp(*argv,"-timeout") == 0)
827                         enable_timeouts=1;
828                 else if (strcmp(*argv,"-mtu") == 0)
829                         {
830                         if (--argc < 1) goto bad;
831                         socket_mtu = atol(*(++argv));
832                         }
833 #endif
834                 else if (strcmp(*argv,"-bugs") == 0)
835                         bugs=1;
836                 else if (strcmp(*argv,"-keyform") == 0)
837                         {
838                         if (--argc < 1) goto bad;
839                         key_format = str2fmt(*(++argv));
840                         }
841                 else if (strcmp(*argv,"-pass") == 0)
842                         {
843                         if (--argc < 1) goto bad;
844                         passarg = *(++argv);
845                         }
846                 else if (strcmp(*argv,"-key") == 0)
847                         {
848                         if (--argc < 1) goto bad;
849                         key_file= *(++argv);
850                         }
851                 else if (strcmp(*argv,"-reconnect") == 0)
852                         {
853                         reconnect=5;
854                         }
855                 else if (strcmp(*argv,"-CApath") == 0)
856                         {
857                         if (--argc < 1) goto bad;
858                         CApath= *(++argv);
859                         }
860                 else if (strcmp(*argv,"-CAfile") == 0)
861                         {
862                         if (--argc < 1) goto bad;
863                         CAfile= *(++argv);
864                         }
865                 else if (strcmp(*argv,"-no_tls1_2") == 0)
866                         off|=SSL_OP_NO_TLSv1_2;
867                 else if (strcmp(*argv,"-no_tls1_1") == 0)
868                         off|=SSL_OP_NO_TLSv1_1;
869                 else if (strcmp(*argv,"-no_tls1") == 0)
870                         off|=SSL_OP_NO_TLSv1;
871                 else if (strcmp(*argv,"-no_ssl3") == 0)
872                         off|=SSL_OP_NO_SSLv3;
873                 else if (strcmp(*argv,"-no_ssl2") == 0)
874                         off|=SSL_OP_NO_SSLv2;
875                 else if (strcmp(*argv,"-no_comp") == 0)
876                         { off|=SSL_OP_NO_COMPRESSION; }
877 #ifndef OPENSSL_NO_TLSEXT
878                 else if (strcmp(*argv,"-no_ticket") == 0)
879                         { off|=SSL_OP_NO_TICKET; }
880 # ifndef OPENSSL_NO_NEXTPROTONEG
881                 else if (strcmp(*argv,"-nextprotoneg") == 0)
882                         {
883                         if (--argc < 1) goto bad;
884                         next_proto_neg_in = *(++argv);
885                         }
886 # endif
887 #endif
888                 else if (strcmp(*argv,"-serverpref") == 0)
889                         off|=SSL_OP_CIPHER_SERVER_PREFERENCE;
890                 else if (strcmp(*argv,"-legacy_renegotiation") == 0)
891                         off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
892                 else if (strcmp(*argv,"-legacy_server_connect") == 0)
893                         { off|=SSL_OP_LEGACY_SERVER_CONNECT; }
894                 else if (strcmp(*argv,"-no_legacy_server_connect") == 0)
895                         { clr|=SSL_OP_LEGACY_SERVER_CONNECT; }
896                 else if (strcmp(*argv,"-cipher") == 0)
897                         {
898                         if (--argc < 1) goto bad;
899                         cipher= *(++argv);
900                         }
901 #ifdef FIONBIO
902                 else if (strcmp(*argv,"-nbio") == 0)
903                         { c_nbio=1; }
904 #endif
905                 else if (strcmp(*argv,"-starttls") == 0)
906                         {
907                         if (--argc < 1) goto bad;
908                         ++argv;
909                         if (strcmp(*argv,"smtp") == 0)
910                                 starttls_proto = PROTO_SMTP;
911                         else if (strcmp(*argv,"pop3") == 0)
912                                 starttls_proto = PROTO_POP3;
913                         else if (strcmp(*argv,"imap") == 0)
914                                 starttls_proto = PROTO_IMAP;
915                         else if (strcmp(*argv,"ftp") == 0)
916                                 starttls_proto = PROTO_FTP;
917                         else if (strcmp(*argv, "xmpp") == 0)
918                                 starttls_proto = PROTO_XMPP;
919                         else
920                                 goto bad;
921                         }
922 #ifndef OPENSSL_NO_ENGINE
923                 else if (strcmp(*argv,"-engine") == 0)
924                         {
925                         if (--argc < 1) goto bad;
926                         engine_id = *(++argv);
927                         }
928                 else if (strcmp(*argv,"-ssl_client_engine") == 0)
929                         {
930                         if (--argc < 1) goto bad;
931                         ssl_client_engine_id = *(++argv);
932                         }
933 #endif
934                 else if (strcmp(*argv,"-rand") == 0)
935                         {
936                         if (--argc < 1) goto bad;
937                         inrand= *(++argv);
938                         }
939 #ifndef OPENSSL_NO_TLSEXT
940                 else if (strcmp(*argv,"-servername") == 0)
941                         {
942                         if (--argc < 1) goto bad;
943                         servername= *(++argv);
944                         /* meth=TLSv1_client_method(); */
945                         }
946 #endif
947 #ifndef OPENSSL_NO_JPAKE
948                 else if (strcmp(*argv,"-jpake") == 0)
949                         {
950                         if (--argc < 1) goto bad;
951                         jpake_secret = *++argv;
952                         }
953 #endif
954                 else if (strcmp(*argv,"-use_srtp") == 0)
955                         {
956                         if (--argc < 1) goto bad;
957                         srtp_profiles = *(++argv);
958                         }
959                 else if (strcmp(*argv,"-keymatexport") == 0)
960                         {
961                         if (--argc < 1) goto bad;
962                         keymatexportlabel= *(++argv);
963                         }
964                 else if (strcmp(*argv,"-keymatexportlen") == 0)
965                         {
966                         if (--argc < 1) goto bad;
967                         keymatexportlen=atoi(*(++argv));
968                         if (keymatexportlen == 0) goto bad;
969                         }
970                 else
971                         {
972                         BIO_printf(bio_err,"unknown option %s\n",*argv);
973                         badop=1;
974                         break;
975                         }
976                 argc--;
977                 argv++;
978                 }
979         if (badop)
980                 {
981 bad:
982                 sc_usage();
983                 goto end;
984                 }
985
986 #if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
987         if (jpake_secret)
988                 {
989                 if (psk_key)
990                         {
991                         BIO_printf(bio_err,
992                                    "Can't use JPAKE and PSK together\n");
993                         goto end;
994                         }
995                 psk_identity = "JPAKE";
996                 }
997
998         if (cipher)
999                 {
1000                 BIO_printf(bio_err, "JPAKE sets cipher to PSK\n");
1001                 goto end;
1002                 }
1003         cipher = "PSK";
1004 #endif
1005
1006         OpenSSL_add_ssl_algorithms();
1007         SSL_load_error_strings();
1008
1009 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
1010         next_proto.status = -1;
1011         if (next_proto_neg_in)
1012                 {
1013                 next_proto.data = next_protos_parse(&next_proto.len, next_proto_neg_in);
1014                 if (next_proto.data == NULL)
1015                         {
1016                         BIO_printf(bio_err, "Error parsing -nextprotoneg argument\n");
1017                         goto end;
1018                         }
1019                 }
1020         else
1021                 next_proto.data = NULL;
1022 #endif
1023
1024 #ifndef OPENSSL_NO_ENGINE
1025         e = setup_engine(bio_err, engine_id, 1);
1026         if (ssl_client_engine_id)
1027                 {
1028                 ssl_client_engine = ENGINE_by_id(ssl_client_engine_id);
1029                 if (!ssl_client_engine)
1030                         {
1031                         BIO_printf(bio_err,
1032                                         "Error getting client auth engine\n");
1033                         goto end;
1034                         }
1035                 }
1036
1037 #endif
1038         if (!app_passwd(bio_err, passarg, NULL, &pass, NULL))
1039                 {
1040                 BIO_printf(bio_err, "Error getting password\n");
1041                 goto end;
1042                 }
1043
1044         if (key_file == NULL)
1045                 key_file = cert_file;
1046
1047
1048         if (key_file)
1049
1050                 {
1051
1052                 key = load_key(bio_err, key_file, key_format, 0, pass, e,
1053                                "client certificate private key file");
1054                 if (!key)
1055                         {
1056                         ERR_print_errors(bio_err);
1057                         goto end;
1058                         }
1059
1060                 }
1061
1062         if (cert_file)
1063
1064                 {
1065                 cert = load_cert(bio_err,cert_file,cert_format,
1066                                 NULL, e, "client certificate file");
1067
1068                 if (!cert)
1069                         {
1070                         ERR_print_errors(bio_err);
1071                         goto end;
1072                         }
1073                 }
1074
1075         if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
1076                 && !RAND_status())
1077                 {
1078                 BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
1079                 }
1080         if (inrand != NULL)
1081                 BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
1082                         app_RAND_load_files(inrand));
1083
1084         if (bio_c_out == NULL)
1085                 {
1086                 if (c_quiet && !c_debug && !c_msg)
1087                         {
1088                         bio_c_out=BIO_new(BIO_s_null());
1089                         }
1090                 else
1091                         {
1092                         if (bio_c_out == NULL)
1093                                 bio_c_out=BIO_new_fp(stdout,BIO_NOCLOSE);
1094                         }
1095                 }
1096
1097 #ifndef OPENSSL_NO_SRP
1098         if(!app_passwd(bio_err, srppass, NULL, &srp_arg.srppassin, NULL))
1099                 {
1100                 BIO_printf(bio_err, "Error getting password\n");
1101                 goto end;
1102                 }
1103 #endif
1104
1105         ctx=SSL_CTX_new(meth);
1106         if (ctx == NULL)
1107                 {
1108                 ERR_print_errors(bio_err);
1109                 goto end;
1110                 }
1111
1112         if (vpm)
1113                 SSL_CTX_set1_param(ctx, vpm);
1114
1115 #ifndef OPENSSL_NO_ENGINE
1116         if (ssl_client_engine)
1117                 {
1118                 if (!SSL_CTX_set_client_cert_engine(ctx, ssl_client_engine))
1119                         {
1120                         BIO_puts(bio_err, "Error setting client auth engine\n");
1121                         ERR_print_errors(bio_err);
1122                         ENGINE_free(ssl_client_engine);
1123                         goto end;
1124                         }
1125                 ENGINE_free(ssl_client_engine);
1126                 }
1127 #endif
1128
1129 #ifndef OPENSSL_NO_PSK
1130 #ifdef OPENSSL_NO_JPAKE
1131         if (psk_key != NULL)
1132 #else
1133         if (psk_key != NULL || jpake_secret)
1134 #endif
1135                 {
1136                 if (c_debug)
1137                         BIO_printf(bio_c_out, "PSK key given or JPAKE in use, setting client callback\n");
1138                 SSL_CTX_set_psk_client_callback(ctx, psk_client_cb);
1139                 }
1140         if (srtp_profiles != NULL)
1141                 SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles);
1142 #endif
1143         if (bugs)
1144                 SSL_CTX_set_options(ctx,SSL_OP_ALL|off);
1145         else
1146                 SSL_CTX_set_options(ctx,off);
1147
1148         if (clr)
1149                 SSL_CTX_clear_options(ctx, clr);
1150         /* DTLS: partial reads end up discarding unread UDP bytes :-( 
1151          * Setting read ahead solves this problem.
1152          */
1153         if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
1154
1155 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
1156         if (next_proto.data)
1157                 SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);
1158 #endif
1159
1160         if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
1161         if (cipher != NULL)
1162                 if(!SSL_CTX_set_cipher_list(ctx,cipher)) {
1163                 BIO_printf(bio_err,"error setting cipher list\n");
1164                 ERR_print_errors(bio_err);
1165                 goto end;
1166         }
1167 #if 0
1168         else
1169                 SSL_CTX_set_cipher_list(ctx,getenv("SSL_CIPHER"));
1170 #endif
1171
1172         SSL_CTX_set_verify(ctx,verify,verify_callback);
1173         if (!set_cert_key_stuff(ctx,cert,key))
1174                 goto end;
1175
1176         if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
1177                 (!SSL_CTX_set_default_verify_paths(ctx)))
1178                 {
1179                 /* BIO_printf(bio_err,"error setting default verify locations\n"); */
1180                 ERR_print_errors(bio_err);
1181                 /* goto end; */
1182                 }
1183
1184 #ifndef OPENSSL_NO_TLSEXT
1185         if (servername != NULL)
1186                 {
1187                 tlsextcbp.biodebug = bio_err;
1188                 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
1189                 SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
1190                 }
1191 #ifndef OPENSSL_NO_SRP
1192         if (srp_arg.srplogin)
1193                 {
1194                 if (!srp_lateuser && !SSL_CTX_set_srp_username(ctx, srp_arg.srplogin))
1195                         {
1196                         BIO_printf(bio_err,"Unable to set SRP username\n");
1197                         goto end;
1198                         }
1199                 srp_arg.msg = c_msg;
1200                 srp_arg.debug = c_debug ;
1201                 SSL_CTX_set_srp_cb_arg(ctx,&srp_arg);
1202                 SSL_CTX_set_srp_client_pwd_callback(ctx, ssl_give_srp_client_pwd_cb);
1203                 SSL_CTX_set_srp_strength(ctx, srp_arg.strength);
1204                 if (c_msg || c_debug || srp_arg.amp == 0)
1205                         SSL_CTX_set_srp_verify_param_callback(ctx, ssl_srp_verify_param_cb);
1206                 }
1207
1208 #endif
1209 #endif
1210
1211         con=SSL_new(ctx);
1212         if (sess_in)
1213                 {
1214                 SSL_SESSION *sess;
1215                 BIO *stmp = BIO_new_file(sess_in, "r");
1216                 if (!stmp)
1217                         {
1218                         BIO_printf(bio_err, "Can't open session file %s\n",
1219                                                 sess_in);
1220                         ERR_print_errors(bio_err);
1221                         goto end;
1222                         }
1223                 sess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL);
1224                 BIO_free(stmp);
1225                 if (!sess)
1226                         {
1227                         BIO_printf(bio_err, "Can't open session file %s\n",
1228                                                 sess_in);
1229                         ERR_print_errors(bio_err);
1230                         goto end;
1231                         }
1232                 SSL_set_session(con, sess);
1233                 SSL_SESSION_free(sess);
1234                 }
1235 #ifndef OPENSSL_NO_TLSEXT
1236         if (servername != NULL)
1237                 {
1238                 if (!SSL_set_tlsext_host_name(con,servername))
1239                         {
1240                         BIO_printf(bio_err,"Unable to set TLS servername extension.\n");
1241                         ERR_print_errors(bio_err);
1242                         goto end;
1243                         }
1244                 }
1245 #endif
1246 #ifndef OPENSSL_NO_KRB5
1247         if (con  &&  (kctx = kssl_ctx_new()) != NULL)
1248                 {
1249                 SSL_set0_kssl_ctx(con, kctx);
1250                 kssl_ctx_setstring(kctx, KSSL_SERVER, host);
1251                 }
1252 #endif  /* OPENSSL_NO_KRB5  */
1253 /*      SSL_set_cipher_list(con,"RC4-MD5"); */
1254 #if 0
1255 #ifdef TLSEXT_TYPE_opaque_prf_input
1256         SSL_set_tlsext_opaque_prf_input(con, "Test client", 11);
1257 #endif
1258 #endif
1259
1260 re_start:
1261
1262         if (init_client(&s,host,port,socket_type) == 0)
1263                 {
1264                 BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
1265                 SHUTDOWN(s);
1266                 goto end;
1267                 }
1268         BIO_printf(bio_c_out,"CONNECTED(%08X)\n",s);
1269
1270 #ifdef FIONBIO
1271         if (c_nbio)
1272                 {
1273                 unsigned long l=1;
1274                 BIO_printf(bio_c_out,"turning on non blocking io\n");
1275                 if (BIO_socket_ioctl(s,FIONBIO,&l) < 0)
1276                         {
1277                         ERR_print_errors(bio_err);
1278                         goto end;
1279                         }
1280                 }
1281 #endif                                              
1282         if (c_Pause & 0x01) SSL_set_debug(con, 1);
1283
1284         if ( SSL_version(con) == DTLS1_VERSION)
1285                 {
1286
1287                 sbio=BIO_new_dgram(s,BIO_NOCLOSE);
1288                 if (getsockname(s, &peer, (void *)&peerlen) < 0)
1289                         {
1290                         BIO_printf(bio_err, "getsockname:errno=%d\n",
1291                                 get_last_socket_error());
1292                         SHUTDOWN(s);
1293                         goto end;
1294                         }
1295
1296                 (void)BIO_ctrl_set_connected(sbio, 1, &peer);
1297
1298                 if (enable_timeouts)
1299                         {
1300                         timeout.tv_sec = 0;
1301                         timeout.tv_usec = DGRAM_RCV_TIMEOUT;
1302                         BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
1303                         
1304                         timeout.tv_sec = 0;
1305                         timeout.tv_usec = DGRAM_SND_TIMEOUT;
1306                         BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
1307                         }
1308
1309                 if (socket_mtu > 28)
1310                         {
1311                         SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
1312                         SSL_set_mtu(con, socket_mtu - 28);
1313                         }
1314                 else
1315                         /* want to do MTU discovery */
1316                         BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
1317                 }
1318         else
1319                 sbio=BIO_new_socket(s,BIO_NOCLOSE);
1320
1321         if (nbio_test)
1322                 {
1323                 BIO *test;
1324
1325                 test=BIO_new(BIO_f_nbio_test());
1326                 sbio=BIO_push(test,sbio);
1327                 }
1328
1329         if (c_debug)
1330                 {
1331                 SSL_set_debug(con, 1);
1332                 BIO_set_callback(sbio,bio_dump_callback);
1333                 BIO_set_callback_arg(sbio,(char *)bio_c_out);
1334                 }
1335         if (c_msg)
1336                 {
1337                 SSL_set_msg_callback(con, msg_cb);
1338                 SSL_set_msg_callback_arg(con, bio_c_out);
1339                 }
1340 #ifndef OPENSSL_NO_TLSEXT
1341         if (c_tlsextdebug)
1342                 {
1343                 SSL_set_tlsext_debug_callback(con, tlsext_cb);
1344                 SSL_set_tlsext_debug_arg(con, bio_c_out);
1345                 }
1346         if (c_status_req)
1347                 {
1348                 SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp);
1349                 SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb);
1350                 SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out);
1351 #if 0
1352 {
1353 STACK_OF(OCSP_RESPID) *ids = sk_OCSP_RESPID_new_null();
1354 OCSP_RESPID *id = OCSP_RESPID_new();
1355 id->value.byKey = ASN1_OCTET_STRING_new();
1356 id->type = V_OCSP_RESPID_KEY;
1357 ASN1_STRING_set(id->value.byKey, "Hello World", -1);
1358 sk_OCSP_RESPID_push(ids, id);
1359 SSL_set_tlsext_status_ids(con, ids);
1360 }
1361 #endif
1362                 }
1363 #endif
1364 #ifndef OPENSSL_NO_JPAKE
1365         if (jpake_secret)
1366                 jpake_client_auth(bio_c_out, sbio, jpake_secret);
1367 #endif
1368
1369         SSL_set_bio(con,sbio,sbio);
1370         SSL_set_connect_state(con);
1371
1372         /* ok, lets connect */
1373         width=SSL_get_fd(con)+1;
1374
1375         read_tty=1;
1376         write_tty=0;
1377         tty_on=0;
1378         read_ssl=1;
1379         write_ssl=1;
1380         
1381         cbuf_len=0;
1382         cbuf_off=0;
1383         sbuf_len=0;
1384         sbuf_off=0;
1385
1386         /* This is an ugly hack that does a lot of assumptions */
1387         /* We do have to handle multi-line responses which may come
1388            in a single packet or not. We therefore have to use
1389            BIO_gets() which does need a buffering BIO. So during
1390            the initial chitchat we do push a buffering BIO into the
1391            chain that is removed again later on to not disturb the
1392            rest of the s_client operation. */
1393         if (starttls_proto == PROTO_SMTP)
1394                 {
1395                 int foundit=0;
1396                 BIO *fbio = BIO_new(BIO_f_buffer());
1397                 BIO_push(fbio, sbio);
1398                 /* wait for multi-line response to end from SMTP */
1399                 do
1400                         {
1401                         mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1402                         }
1403                 while (mbuf_len>3 && mbuf[3]=='-');
1404                 /* STARTTLS command requires EHLO... */
1405                 BIO_printf(fbio,"EHLO openssl.client.net\r\n");
1406                 (void)BIO_flush(fbio);
1407                 /* wait for multi-line response to end EHLO SMTP response */
1408                 do
1409                         {
1410                         mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1411                         if (strstr(mbuf,"STARTTLS"))
1412                                 foundit=1;
1413                         }
1414                 while (mbuf_len>3 && mbuf[3]=='-');
1415                 (void)BIO_flush(fbio);
1416                 BIO_pop(fbio);
1417                 BIO_free(fbio);
1418                 if (!foundit)
1419                         BIO_printf(bio_err,
1420                                    "didn't found starttls in server response,"
1421                                    " try anyway...\n");
1422                 BIO_printf(sbio,"STARTTLS\r\n");
1423                 BIO_read(sbio,sbuf,BUFSIZZ);
1424                 }
1425         else if (starttls_proto == PROTO_POP3)
1426                 {
1427                 BIO_read(sbio,mbuf,BUFSIZZ);
1428                 BIO_printf(sbio,"STLS\r\n");
1429                 BIO_read(sbio,sbuf,BUFSIZZ);
1430                 }
1431         else if (starttls_proto == PROTO_IMAP)
1432                 {
1433                 int foundit=0;
1434                 BIO *fbio = BIO_new(BIO_f_buffer());
1435                 BIO_push(fbio, sbio);
1436                 BIO_gets(fbio,mbuf,BUFSIZZ);
1437                 /* STARTTLS command requires CAPABILITY... */
1438                 BIO_printf(fbio,". CAPABILITY\r\n");
1439                 (void)BIO_flush(fbio);
1440                 /* wait for multi-line CAPABILITY response */
1441                 do
1442                         {
1443                         mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1444                         if (strstr(mbuf,"STARTTLS"))
1445                                 foundit=1;
1446                         }
1447                 while (mbuf_len>3 && mbuf[0]!='.');
1448                 (void)BIO_flush(fbio);
1449                 BIO_pop(fbio);
1450                 BIO_free(fbio);
1451                 if (!foundit)
1452                         BIO_printf(bio_err,
1453                                    "didn't found STARTTLS in server response,"
1454                                    " try anyway...\n");
1455                 BIO_printf(sbio,". STARTTLS\r\n");
1456                 BIO_read(sbio,sbuf,BUFSIZZ);
1457                 }
1458         else if (starttls_proto == PROTO_FTP)
1459                 {
1460                 BIO *fbio = BIO_new(BIO_f_buffer());
1461                 BIO_push(fbio, sbio);
1462                 /* wait for multi-line response to end from FTP */
1463                 do
1464                         {
1465                         mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1466                         }
1467                 while (mbuf_len>3 && mbuf[3]=='-');
1468                 (void)BIO_flush(fbio);
1469                 BIO_pop(fbio);
1470                 BIO_free(fbio);
1471                 BIO_printf(sbio,"AUTH TLS\r\n");
1472                 BIO_read(sbio,sbuf,BUFSIZZ);
1473                 }
1474         if (starttls_proto == PROTO_XMPP)
1475                 {
1476                 int seen = 0;
1477                 BIO_printf(sbio,"<stream:stream "
1478                     "xmlns:stream='http://etherx.jabber.org/streams' "
1479                     "xmlns='jabber:client' to='%s' version='1.0'>", host);
1480                 seen = BIO_read(sbio,mbuf,BUFSIZZ);
1481                 mbuf[seen] = 0;
1482                 while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'"))
1483                         {
1484                         if (strstr(mbuf, "/stream:features>"))
1485                                 goto shut;
1486                         seen = BIO_read(sbio,mbuf,BUFSIZZ);
1487                         mbuf[seen] = 0;
1488                         }
1489                 BIO_printf(sbio, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>");
1490                 seen = BIO_read(sbio,sbuf,BUFSIZZ);
1491                 sbuf[seen] = 0;
1492                 if (!strstr(sbuf, "<proceed"))
1493                         goto shut;
1494                 mbuf[0] = 0;
1495                 }
1496
1497         for (;;)
1498                 {
1499                 FD_ZERO(&readfds);
1500                 FD_ZERO(&writefds);
1501
1502                 if ((SSL_version(con) == DTLS1_VERSION) &&
1503                         DTLSv1_get_timeout(con, &timeout))
1504                         timeoutp = &timeout;
1505                 else
1506                         timeoutp = NULL;
1507
1508                 if (SSL_in_init(con) && !SSL_total_renegotiations(con))
1509                         {
1510                         in_init=1;
1511                         tty_on=0;
1512                         }
1513                 else
1514                         {
1515                         tty_on=1;
1516                         if (in_init)
1517                                 {
1518                                 in_init=0;
1519 #if 0 /* This test doesn't really work as intended (needs to be fixed) */
1520 #ifndef OPENSSL_NO_TLSEXT
1521                                 if (servername != NULL && !SSL_session_reused(con))
1522                                         {
1523                                         BIO_printf(bio_c_out,"Server did %sacknowledge servername extension.\n",tlsextcbp.ack?"":"not ");
1524                                         }
1525 #endif
1526 #endif
1527                                 if (sess_out)
1528                                         {
1529                                         BIO *stmp = BIO_new_file(sess_out, "w");
1530                                         if (stmp)
1531                                                 {
1532                                                 PEM_write_bio_SSL_SESSION(stmp, SSL_get_session(con));
1533                                                 BIO_free(stmp);
1534                                                 }
1535                                         else 
1536                                                 BIO_printf(bio_err, "Error writing session file %s\n", sess_out);
1537                                         }
1538                                 print_stuff(bio_c_out,con,full_log);
1539                                 if (full_log > 0) full_log--;
1540
1541                                 if (starttls_proto)
1542                                         {
1543                                         BIO_printf(bio_err,"%s",mbuf);
1544                                         /* We don't need to know any more */
1545                                         starttls_proto = PROTO_OFF;
1546                                         }
1547
1548                                 if (reconnect)
1549                                         {
1550                                         reconnect--;
1551                                         BIO_printf(bio_c_out,"drop connection and then reconnect\n");
1552                                         SSL_shutdown(con);
1553                                         SSL_set_connect_state(con);
1554                                         SHUTDOWN(SSL_get_fd(con));
1555                                         goto re_start;
1556                                         }
1557                                 }
1558                         }
1559
1560                 ssl_pending = read_ssl && SSL_pending(con);
1561
1562                 if (!ssl_pending)
1563                         {
1564 #if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) && !defined (OPENSSL_SYS_BEOS_R5)
1565                         if (tty_on)
1566                                 {
1567                                 if (read_tty)  openssl_fdset(fileno(stdin),&readfds);
1568                                 if (write_tty) openssl_fdset(fileno(stdout),&writefds);
1569                                 }
1570                         if (read_ssl)
1571                                 openssl_fdset(SSL_get_fd(con),&readfds);
1572                         if (write_ssl)
1573                                 openssl_fdset(SSL_get_fd(con),&writefds);
1574 #else
1575                         if(!tty_on || !write_tty) {
1576                                 if (read_ssl)
1577                                         openssl_fdset(SSL_get_fd(con),&readfds);
1578                                 if (write_ssl)
1579                                         openssl_fdset(SSL_get_fd(con),&writefds);
1580                         }
1581 #endif
1582 /*                      printf("mode tty(%d %d%d) ssl(%d%d)\n",
1583                                 tty_on,read_tty,write_tty,read_ssl,write_ssl);*/
1584
1585                         /* Note: under VMS with SOCKETSHR the second parameter
1586                          * is currently of type (int *) whereas under other
1587                          * systems it is (void *) if you don't have a cast it
1588                          * will choke the compiler: if you do have a cast then
1589                          * you can either go for (int *) or (void *).
1590                          */
1591 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
1592                         /* Under Windows/DOS we make the assumption that we can
1593                          * always write to the tty: therefore if we need to
1594                          * write to the tty we just fall through. Otherwise
1595                          * we timeout the select every second and see if there
1596                          * are any keypresses. Note: this is a hack, in a proper
1597                          * Windows application we wouldn't do this.
1598                          */
1599                         i=0;
1600                         if(!write_tty) {
1601                                 if(read_tty) {
1602                                         tv.tv_sec = 1;
1603                                         tv.tv_usec = 0;
1604                                         i=select(width,(void *)&readfds,(void *)&writefds,
1605                                                  NULL,&tv);
1606 #if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
1607                                         if(!i && (!_kbhit() || !read_tty) ) continue;
1608 #else
1609                                         if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue;
1610 #endif
1611                                 } else  i=select(width,(void *)&readfds,(void *)&writefds,
1612                                          NULL,timeoutp);
1613                         }
1614 #elif defined(OPENSSL_SYS_NETWARE)
1615                         if(!write_tty) {
1616                                 if(read_tty) {
1617                                         tv.tv_sec = 1;
1618                                         tv.tv_usec = 0;
1619                                         i=select(width,(void *)&readfds,(void *)&writefds,
1620                                                 NULL,&tv);
1621                                 } else  i=select(width,(void *)&readfds,(void *)&writefds,
1622                                         NULL,timeoutp);
1623                         }
1624 #elif defined(OPENSSL_SYS_BEOS_R5)
1625                         /* Under BeOS-R5 the situation is similar to DOS */
1626                         i=0;
1627                         stdin_set = 0;
1628                         (void)fcntl(fileno(stdin), F_SETFL, O_NONBLOCK);
1629                         if(!write_tty) {
1630                                 if(read_tty) {
1631                                         tv.tv_sec = 1;
1632                                         tv.tv_usec = 0;
1633                                         i=select(width,(void *)&readfds,(void *)&writefds,
1634                                                  NULL,&tv);
1635                                         if (read(fileno(stdin), sbuf, 0) >= 0)
1636                                                 stdin_set = 1;
1637                                         if (!i && (stdin_set != 1 || !read_tty))
1638                                                 continue;
1639                                 } else  i=select(width,(void *)&readfds,(void *)&writefds,
1640                                          NULL,timeoutp);
1641                         }
1642                         (void)fcntl(fileno(stdin), F_SETFL, 0);
1643 #else
1644                         i=select(width,(void *)&readfds,(void *)&writefds,
1645                                  NULL,timeoutp);
1646 #endif
1647                         if ( i < 0)
1648                                 {
1649                                 BIO_printf(bio_err,"bad select %d\n",
1650                                 get_last_socket_error());
1651                                 goto shut;
1652                                 /* goto end; */
1653                                 }
1654                         }
1655
1656                 if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0)
1657                         {
1658                         BIO_printf(bio_err,"TIMEOUT occured\n");
1659                         }
1660
1661                 if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds))
1662                         {
1663                         k=SSL_write(con,&(cbuf[cbuf_off]),
1664                                 (unsigned int)cbuf_len);
1665                         switch (SSL_get_error(con,k))
1666                                 {
1667                         case SSL_ERROR_NONE:
1668                                 cbuf_off+=k;
1669                                 cbuf_len-=k;
1670                                 if (k <= 0) goto end;
1671                                 /* we have done a  write(con,NULL,0); */
1672                                 if (cbuf_len <= 0)
1673                                         {
1674                                         read_tty=1;
1675                                         write_ssl=0;
1676                                         }
1677                                 else /* if (cbuf_len > 0) */
1678                                         {
1679                                         read_tty=0;
1680                                         write_ssl=1;
1681                                         }
1682                                 break;
1683                         case SSL_ERROR_WANT_WRITE:
1684                                 BIO_printf(bio_c_out,"write W BLOCK\n");
1685                                 write_ssl=1;
1686                                 read_tty=0;
1687                                 break;
1688                         case SSL_ERROR_WANT_READ:
1689                                 BIO_printf(bio_c_out,"write R BLOCK\n");
1690                                 write_tty=0;
1691                                 read_ssl=1;
1692                                 write_ssl=0;
1693                                 break;
1694                         case SSL_ERROR_WANT_X509_LOOKUP:
1695                                 BIO_printf(bio_c_out,"write X BLOCK\n");
1696                                 break;
1697                         case SSL_ERROR_ZERO_RETURN:
1698                                 if (cbuf_len != 0)
1699                                         {
1700                                         BIO_printf(bio_c_out,"shutdown\n");
1701                                         ret = 0;
1702                                         goto shut;
1703                                         }
1704                                 else
1705                                         {
1706                                         read_tty=1;
1707                                         write_ssl=0;
1708                                         break;
1709                                         }
1710                                 
1711                         case SSL_ERROR_SYSCALL:
1712                                 if ((k != 0) || (cbuf_len != 0))
1713                                         {
1714                                         BIO_printf(bio_err,"write:errno=%d\n",
1715                                                 get_last_socket_error());
1716                                         goto shut;
1717                                         }
1718                                 else
1719                                         {
1720                                         read_tty=1;
1721                                         write_ssl=0;
1722                                         }
1723                                 break;
1724                         case SSL_ERROR_SSL:
1725                                 ERR_print_errors(bio_err);
1726                                 goto shut;
1727                                 }
1728                         }
1729 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
1730                 /* Assume Windows/DOS/BeOS can always write */
1731                 else if (!ssl_pending && write_tty)
1732 #else
1733                 else if (!ssl_pending && FD_ISSET(fileno(stdout),&writefds))
1734 #endif
1735                         {
1736 #ifdef CHARSET_EBCDIC
1737                         ascii2ebcdic(&(sbuf[sbuf_off]),&(sbuf[sbuf_off]),sbuf_len);
1738 #endif
1739                         i=raw_write_stdout(&(sbuf[sbuf_off]),sbuf_len);
1740
1741                         if (i <= 0)
1742                                 {
1743                                 BIO_printf(bio_c_out,"DONE\n");
1744                                 ret = 0;
1745                                 goto shut;
1746                                 /* goto end; */
1747                                 }
1748
1749                         sbuf_len-=i;;
1750                         sbuf_off+=i;
1751                         if (sbuf_len <= 0)
1752                                 {
1753                                 read_ssl=1;
1754                                 write_tty=0;
1755                                 }
1756                         }
1757                 else if (ssl_pending || FD_ISSET(SSL_get_fd(con),&readfds))
1758                         {
1759 #ifdef RENEG
1760 { static int iiii; if (++iiii == 52) { SSL_renegotiate(con); iiii=0; } }
1761 #endif
1762 #if 1
1763                         k=SSL_read(con,sbuf,1024 /* BUFSIZZ */ );
1764 #else
1765 /* Demo for pending and peek :-) */
1766                         k=SSL_read(con,sbuf,16);
1767 { char zbuf[10240]; 
1768 printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240));
1769 }
1770 #endif
1771
1772                         switch (SSL_get_error(con,k))
1773                                 {
1774                         case SSL_ERROR_NONE:
1775                                 if (k <= 0)
1776                                         goto end;
1777                                 sbuf_off=0;
1778                                 sbuf_len=k;
1779
1780                                 read_ssl=0;
1781                                 write_tty=1;
1782                                 break;
1783                         case SSL_ERROR_WANT_WRITE:
1784                                 BIO_printf(bio_c_out,"read W BLOCK\n");
1785                                 write_ssl=1;
1786                                 read_tty=0;
1787                                 break;
1788                         case SSL_ERROR_WANT_READ:
1789                                 BIO_printf(bio_c_out,"read R BLOCK\n");
1790                                 write_tty=0;
1791                                 read_ssl=1;
1792                                 if ((read_tty == 0) && (write_ssl == 0))
1793                                         write_ssl=1;
1794                                 break;
1795                         case SSL_ERROR_WANT_X509_LOOKUP:
1796                                 BIO_printf(bio_c_out,"read X BLOCK\n");
1797                                 break;
1798                         case SSL_ERROR_SYSCALL:
1799                                 ret=get_last_socket_error();
1800                                 BIO_printf(bio_err,"read:errno=%d\n",ret);
1801                                 goto shut;
1802                         case SSL_ERROR_ZERO_RETURN:
1803                                 BIO_printf(bio_c_out,"closed\n");
1804                                 ret=0;
1805                                 goto shut;
1806                         case SSL_ERROR_SSL:
1807                                 ERR_print_errors(bio_err);
1808                                 goto shut;
1809                                 /* break; */
1810                                 }
1811                         }
1812
1813 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
1814 #if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
1815                 else if (_kbhit())
1816 #else
1817                 else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
1818 #endif
1819 #elif defined (OPENSSL_SYS_NETWARE)
1820                 else if (_kbhit())
1821 #elif defined(OPENSSL_SYS_BEOS_R5)
1822                 else if (stdin_set)
1823 #else
1824                 else if (FD_ISSET(fileno(stdin),&readfds))
1825 #endif
1826                         {
1827                         if (crlf)
1828                                 {
1829                                 int j, lf_num;
1830
1831                                 i=raw_read_stdin(cbuf,BUFSIZZ/2);
1832                                 lf_num = 0;
1833                                 /* both loops are skipped when i <= 0 */
1834                                 for (j = 0; j < i; j++)
1835                                         if (cbuf[j] == '\n')
1836                                                 lf_num++;
1837                                 for (j = i-1; j >= 0; j--)
1838                                         {
1839                                         cbuf[j+lf_num] = cbuf[j];
1840                                         if (cbuf[j] == '\n')
1841                                                 {
1842                                                 lf_num--;
1843                                                 i++;
1844                                                 cbuf[j+lf_num] = '\r';
1845                                                 }
1846                                         }
1847                                 assert(lf_num == 0);
1848                                 }
1849                         else
1850                                 i=raw_read_stdin(cbuf,BUFSIZZ);
1851
1852                         if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q')))
1853                                 {
1854                                 BIO_printf(bio_err,"DONE\n");
1855                                 ret=0;
1856                                 goto shut;
1857                                 }
1858
1859                         if ((!c_ign_eof) && (cbuf[0] == 'R'))
1860                                 {
1861                                 BIO_printf(bio_err,"RENEGOTIATING\n");
1862                                 SSL_renegotiate(con);
1863                                 cbuf_len=0;
1864                                 }
1865 #ifndef OPENSSL_NO_HEARTBEATS
1866                         else if ((!c_ign_eof) && (cbuf[0] == 'B'))
1867                                 {
1868                                 BIO_printf(bio_err,"HEARTBEATING\n");
1869                                 SSL_heartbeat(con);
1870                                 cbuf_len=0;
1871                                 }
1872 #endif
1873                         else
1874                                 {
1875                                 cbuf_len=i;
1876                                 cbuf_off=0;
1877 #ifdef CHARSET_EBCDIC
1878                                 ebcdic2ascii(cbuf, cbuf, i);
1879 #endif
1880                                 }
1881
1882                         write_ssl=1;
1883                         read_tty=0;
1884                         }
1885                 }
1886
1887         ret=0;
1888 shut:
1889         if (in_init)
1890                 print_stuff(bio_c_out,con,full_log);
1891         SSL_shutdown(con);
1892         SHUTDOWN(SSL_get_fd(con));
1893 end:
1894         if (con != NULL)
1895                 {
1896                 if (prexit != 0)
1897                         print_stuff(bio_c_out,con,1);
1898                 SSL_free(con);
1899                 }
1900         if (ctx != NULL) SSL_CTX_free(ctx);
1901         if (cert)
1902                 X509_free(cert);
1903         if (key)
1904                 EVP_PKEY_free(key);
1905         if (pass)
1906                 OPENSSL_free(pass);
1907         if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); }
1908         if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); }
1909         if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); }
1910         if (bio_c_out != NULL)
1911                 {
1912                 BIO_free(bio_c_out);
1913                 bio_c_out=NULL;
1914                 }
1915         apps_shutdown();
1916         OPENSSL_EXIT(ret);
1917         }
1918
1919
1920 static void print_stuff(BIO *bio, SSL *s, int full)
1921         {
1922         X509 *peer=NULL;
1923         char *p;
1924         static const char *space="                ";
1925         char buf[BUFSIZ];
1926         STACK_OF(X509) *sk;
1927         STACK_OF(X509_NAME) *sk2;
1928         const SSL_CIPHER *c;
1929         X509_NAME *xn;
1930         int j,i;
1931 #ifndef OPENSSL_NO_COMP
1932         const COMP_METHOD *comp, *expansion;
1933 #endif
1934         unsigned char *exportedkeymat;
1935
1936         if (full)
1937                 {
1938                 int got_a_chain = 0;
1939
1940                 sk=SSL_get_peer_cert_chain(s);
1941                 if (sk != NULL)
1942                         {
1943                         got_a_chain = 1; /* we don't have it for SSL2 (yet) */
1944
1945                         BIO_printf(bio,"---\nCertificate chain\n");
1946                         for (i=0; i<sk_X509_num(sk); i++)
1947                                 {
1948                                 X509_NAME_oneline(X509_get_subject_name(
1949                                         sk_X509_value(sk,i)),buf,sizeof buf);
1950                                 BIO_printf(bio,"%2d s:%s\n",i,buf);
1951                                 X509_NAME_oneline(X509_get_issuer_name(
1952                                         sk_X509_value(sk,i)),buf,sizeof buf);
1953                                 BIO_printf(bio,"   i:%s\n",buf);
1954                                 if (c_showcerts)
1955                                         PEM_write_bio_X509(bio,sk_X509_value(sk,i));
1956                                 }
1957                         }
1958
1959                 BIO_printf(bio,"---\n");
1960                 peer=SSL_get_peer_certificate(s);
1961                 if (peer != NULL)
1962                         {
1963                         BIO_printf(bio,"Server certificate\n");
1964                         if (!(c_showcerts && got_a_chain)) /* Redundant if we showed the whole chain */
1965                                 PEM_write_bio_X509(bio,peer);
1966                         X509_NAME_oneline(X509_get_subject_name(peer),
1967                                 buf,sizeof buf);
1968                         BIO_printf(bio,"subject=%s\n",buf);
1969                         X509_NAME_oneline(X509_get_issuer_name(peer),
1970                                 buf,sizeof buf);
1971                         BIO_printf(bio,"issuer=%s\n",buf);
1972                         }
1973                 else
1974                         BIO_printf(bio,"no peer certificate available\n");
1975
1976                 sk2=SSL_get_client_CA_list(s);
1977                 if ((sk2 != NULL) && (sk_X509_NAME_num(sk2) > 0))
1978                         {
1979                         BIO_printf(bio,"---\nAcceptable client certificate CA names\n");
1980                         for (i=0; i<sk_X509_NAME_num(sk2); i++)
1981                                 {
1982                                 xn=sk_X509_NAME_value(sk2,i);
1983                                 X509_NAME_oneline(xn,buf,sizeof(buf));
1984                                 BIO_write(bio,buf,strlen(buf));
1985                                 BIO_write(bio,"\n",1);
1986                                 }
1987                         }
1988                 else
1989                         {
1990                         BIO_printf(bio,"---\nNo client certificate CA names sent\n");
1991                         }
1992                 p=SSL_get_shared_ciphers(s,buf,sizeof buf);
1993                 if (p != NULL)
1994                         {
1995                         /* This works only for SSL 2.  In later protocol
1996                          * versions, the client does not know what other
1997                          * ciphers (in addition to the one to be used
1998                          * in the current connection) the server supports. */
1999
2000                         BIO_printf(bio,"---\nCiphers common between both SSL endpoints:\n");
2001                         j=i=0;
2002                         while (*p)
2003                                 {
2004                                 if (*p == ':')
2005                                         {
2006                                         BIO_write(bio,space,15-j%25);
2007                                         i++;
2008                                         j=0;
2009                                         BIO_write(bio,((i%3)?" ":"\n"),1);
2010                                         }
2011                                 else
2012                                         {
2013                                         BIO_write(bio,p,1);
2014                                         j++;
2015                                         }
2016                                 p++;
2017                                 }
2018                         BIO_write(bio,"\n",1);
2019                         }
2020
2021                 ssl_print_sigalgs(bio, s);
2022
2023                 BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n",
2024                         BIO_number_read(SSL_get_rbio(s)),
2025                         BIO_number_written(SSL_get_wbio(s)));
2026                 }
2027         BIO_printf(bio,(SSL_cache_hit(s)?"---\nReused, ":"---\nNew, "));
2028         c=SSL_get_current_cipher(s);
2029         BIO_printf(bio,"%s, Cipher is %s\n",
2030                 SSL_CIPHER_get_version(c),
2031                 SSL_CIPHER_get_name(c));
2032         if (peer != NULL) {
2033                 EVP_PKEY *pktmp;
2034                 pktmp = X509_get_pubkey(peer);
2035                 BIO_printf(bio,"Server public key is %d bit\n",
2036                                                          EVP_PKEY_bits(pktmp));
2037                 EVP_PKEY_free(pktmp);
2038         }
2039         BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
2040                         SSL_get_secure_renegotiation_support(s) ? "" : " NOT");
2041 #ifndef OPENSSL_NO_COMP
2042         comp=SSL_get_current_compression(s);
2043         expansion=SSL_get_current_expansion(s);
2044         BIO_printf(bio,"Compression: %s\n",
2045                 comp ? SSL_COMP_get_name(comp) : "NONE");
2046         BIO_printf(bio,"Expansion: %s\n",
2047                 expansion ? SSL_COMP_get_name(expansion) : "NONE");
2048 #endif
2049
2050 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
2051         if (next_proto.status != -1) {
2052                 const unsigned char *proto;
2053                 unsigned int proto_len;
2054                 SSL_get0_next_proto_negotiated(s, &proto, &proto_len);
2055                 BIO_printf(bio, "Next protocol: (%d) ", next_proto.status);
2056                 BIO_write(bio, proto, proto_len);
2057                 BIO_write(bio, "\n", 1);
2058         }
2059 #endif
2060
2061 #ifdef SSL_DEBUG
2062         {
2063         /* Print out local port of connection: useful for debugging */
2064         int sock;
2065         struct sockaddr_in ladd;
2066         socklen_t ladd_size = sizeof(ladd);
2067         sock = SSL_get_fd(s);
2068         getsockname(sock, (struct sockaddr *)&ladd, &ladd_size);
2069         BIO_printf(bio_c_out, "LOCAL PORT is %u\n", ntohs(ladd.sin_port));
2070         }
2071 #endif
2072
2073         {
2074         SRTP_PROTECTION_PROFILE *srtp_profile=SSL_get_selected_srtp_profile(s);
2075  
2076         if(srtp_profile)
2077                 BIO_printf(bio,"SRTP Extension negotiated, profile=%s\n",
2078                            srtp_profile->name);
2079         }
2080  
2081         SSL_SESSION_print(bio,SSL_get_session(s));
2082         if (keymatexportlabel != NULL)
2083                 {
2084                 BIO_printf(bio, "Keying material exporter:\n");
2085                 BIO_printf(bio, "    Label: '%s'\n", keymatexportlabel);
2086                 BIO_printf(bio, "    Length: %i bytes\n", keymatexportlen);
2087                 exportedkeymat = OPENSSL_malloc(keymatexportlen);
2088                 if (exportedkeymat != NULL)
2089                         {
2090                         if (!SSL_export_keying_material(s, exportedkeymat,
2091                                                         keymatexportlen,
2092                                                         keymatexportlabel,
2093                                                         strlen(keymatexportlabel),
2094                                                         NULL, 0, 0))
2095                                 {
2096                                 BIO_printf(bio, "    Error\n");
2097                                 }
2098                         else
2099                                 {
2100                                 BIO_printf(bio, "    Keying material: ");
2101                                 for (i=0; i<keymatexportlen; i++)
2102                                         BIO_printf(bio, "%02X",
2103                                                    exportedkeymat[i]);
2104                                 BIO_printf(bio, "\n");
2105                                 }
2106                         OPENSSL_free(exportedkeymat);
2107                         }
2108                 }
2109         BIO_printf(bio,"---\n");
2110         if (peer != NULL)
2111                 X509_free(peer);
2112         /* flush, or debugging output gets mixed with http response */
2113         (void)BIO_flush(bio);
2114         }
2115
2116 #ifndef OPENSSL_NO_TLSEXT
2117
2118 static int ocsp_resp_cb(SSL *s, void *arg)
2119         {
2120         const unsigned char *p;
2121         int len;
2122         OCSP_RESPONSE *rsp;
2123         len = SSL_get_tlsext_status_ocsp_resp(s, &p);
2124         BIO_puts(arg, "OCSP response: ");
2125         if (!p)
2126                 {
2127                 BIO_puts(arg, "no response sent\n");
2128                 return 1;
2129                 }
2130         rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
2131         if (!rsp)
2132                 {
2133                 BIO_puts(arg, "response parse error\n");
2134                 BIO_dump_indent(arg, (char *)p, len, 4);
2135                 return 0;
2136                 }
2137         BIO_puts(arg, "\n======================================\n");
2138         OCSP_RESPONSE_print(arg, rsp, 0);
2139         BIO_puts(arg, "======================================\n");
2140         OCSP_RESPONSE_free(rsp);
2141         return 1;
2142         }
2143
2144 #endif