Provisional DTLS 1.2 support.
[openssl.git] / apps / s_client.c
1 /* apps/s_client.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111 /* ====================================================================
112  * Copyright 2005 Nokia. All rights reserved.
113  *
114  * The portions of the attached software ("Contribution") is developed by
115  * Nokia Corporation and is licensed pursuant to the OpenSSL open source
116  * license.
117  *
118  * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119  * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120  * support (see RFC 4279) to OpenSSL.
121  *
122  * No patent licenses or other rights except those expressly stated in
123  * the OpenSSL open source license shall be deemed granted or received
124  * expressly, by implication, estoppel, or otherwise.
125  *
126  * No assurances are provided by Nokia that the Contribution does not
127  * infringe the patent or other intellectual property rights of any third
128  * party or that the license provides you with all the necessary rights
129  * to make use of the Contribution.
130  *
131  * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132  * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133  * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134  * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
135  * OTHERWISE.
136  */
137
138 #include <assert.h>
139 #include <ctype.h>
140 #include <stdio.h>
141 #include <stdlib.h>
142 #include <string.h>
143 #include <openssl/e_os2.h>
144 #ifdef OPENSSL_NO_STDIO
145 #define APPS_WIN16
146 #endif
147
148 /* With IPv6, it looks like Digital has mixed up the proper order of
149    recursive header file inclusion, resulting in the compiler complaining
150    that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which
151    is needed to have fileno() declared correctly...  So let's define u_int */
152 #if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
153 #define __U_INT
154 typedef unsigned int u_int;
155 #endif
156
157 #define USE_SOCKETS
158 #include "apps.h"
159 #include <openssl/x509.h>
160 #include <openssl/ssl.h>
161 #include <openssl/err.h>
162 #include <openssl/pem.h>
163 #include <openssl/rand.h>
164 #include <openssl/ocsp.h>
165 #include <openssl/bn.h>
166 #ifndef OPENSSL_NO_SRP
167 #include <openssl/srp.h>
168 #endif
169 #include "s_apps.h"
170 #include "timeouts.h"
171
172 #if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
173 /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
174 #undef FIONBIO
175 #endif
176
177 #if defined(OPENSSL_SYS_BEOS_R5)
178 #include <fcntl.h>
179 #endif
180
181 #undef PROG
182 #define PROG    s_client_main
183
184 /*#define SSL_HOST_NAME "www.netscape.com" */
185 /*#define SSL_HOST_NAME "193.118.187.102" */
186 #define SSL_HOST_NAME   "localhost"
187
188 /*#define TEST_CERT "client.pem" */ /* no default cert. */
189
190 #undef BUFSIZZ
191 #define BUFSIZZ 1024*8
192
193 extern int verify_depth;
194 extern int verify_error;
195 extern int verify_return_error;
196 extern int verify_quiet;
197
198 #ifdef FIONBIO
199 static int c_nbio=0;
200 #endif
201 static int c_Pause=0;
202 static int c_debug=0;
203 #ifndef OPENSSL_NO_TLSEXT
204 static int c_tlsextdebug=0;
205 static int c_status_req=0;
206 static int c_proof_debug=0;
207 #endif
208 static int c_msg=0;
209 static int c_showcerts=0;
210
211 static char *keymatexportlabel=NULL;
212 static int keymatexportlen=20;
213
214 static void sc_usage(void);
215 static void print_stuff(BIO *berr,SSL *con,int full);
216 #ifndef OPENSSL_NO_TLSEXT
217 static int ocsp_resp_cb(SSL *s, void *arg);
218 static int audit_proof_cb(SSL *s, void *arg);
219 #endif
220 static BIO *bio_c_out=NULL;
221 static BIO *bio_c_msg=NULL;
222 static int c_quiet=0;
223 static int c_ign_eof=0;
224 static int c_brief=0;
225
226 #ifndef OPENSSL_NO_PSK
227 /* Default PSK identity and key */
228 static char *psk_identity="Client_identity";
229 /*char *psk_key=NULL;  by default PSK is not used */
230
231 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity,
232         unsigned int max_identity_len, unsigned char *psk,
233         unsigned int max_psk_len)
234         {
235         unsigned int psk_len = 0;
236         int ret;
237         BIGNUM *bn=NULL;
238
239         if (c_debug)
240                 BIO_printf(bio_c_out, "psk_client_cb\n");
241         if (!hint)
242                 {
243                 /* no ServerKeyExchange message*/
244                 if (c_debug)
245                         BIO_printf(bio_c_out,"NULL received PSK identity hint, continuing anyway\n");
246                 }
247         else if (c_debug)
248                 BIO_printf(bio_c_out, "Received PSK identity hint '%s'\n", hint);
249
250         /* lookup PSK identity and PSK key based on the given identity hint here */
251         ret = BIO_snprintf(identity, max_identity_len, "%s", psk_identity);
252         if (ret < 0 || (unsigned int)ret > max_identity_len)
253                 goto out_err;
254         if (c_debug)
255                 BIO_printf(bio_c_out, "created identity '%s' len=%d\n", identity, ret);
256         ret=BN_hex2bn(&bn, psk_key);
257         if (!ret)
258                 {
259                 BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", psk_key);
260                 if (bn)
261                         BN_free(bn);
262                 return 0;
263                 }
264
265         if ((unsigned int)BN_num_bytes(bn) > max_psk_len)
266                 {
267                 BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
268                         max_psk_len, BN_num_bytes(bn));
269                 BN_free(bn);
270                 return 0;
271                 }
272
273         psk_len=BN_bn2bin(bn, psk);
274         BN_free(bn);
275         if (psk_len == 0)
276                 goto out_err;
277
278         if (c_debug)
279                 BIO_printf(bio_c_out, "created PSK len=%d\n", psk_len);
280
281         return psk_len;
282  out_err:
283         if (c_debug)
284                 BIO_printf(bio_err, "Error in PSK client callback\n");
285         return 0;
286         }
287 #endif
288
289 static void sc_usage(void)
290         {
291         BIO_printf(bio_err,"usage: s_client args\n");
292         BIO_printf(bio_err,"\n");
293         BIO_printf(bio_err," -host host     - use -connect instead\n");
294         BIO_printf(bio_err," -port port     - use -connect instead\n");
295         BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR);
296         BIO_printf(bio_err," -verify arg   - turn on peer certificate verification\n");
297         BIO_printf(bio_err," -cert arg     - certificate file to use, PEM format assumed\n");
298         BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n");
299         BIO_printf(bio_err," -key arg      - Private key file to use, in cert file if\n");
300         BIO_printf(bio_err,"                 not specified but cert file is.\n");
301         BIO_printf(bio_err," -keyform arg  - key format (PEM or DER) PEM default\n");
302         BIO_printf(bio_err," -pass arg     - private key file pass phrase source\n");
303         BIO_printf(bio_err," -CApath arg   - PEM format directory of CA's\n");
304         BIO_printf(bio_err," -CAfile arg   - PEM format file of CA's\n");
305         BIO_printf(bio_err," -reconnect    - Drop and re-make the connection with the same Session-ID\n");
306         BIO_printf(bio_err," -pause        - sleep(1) after each read(2) and write(2) system call\n");
307         BIO_printf(bio_err," -showcerts    - show all certificates in the chain\n");
308         BIO_printf(bio_err," -debug        - extra output\n");
309 #ifdef WATT32
310         BIO_printf(bio_err," -wdebug       - WATT-32 tcp debugging\n");
311 #endif
312         BIO_printf(bio_err," -msg          - Show protocol messages\n");
313         BIO_printf(bio_err," -nbio_test    - more ssl protocol testing\n");
314         BIO_printf(bio_err," -state        - print the 'ssl' states\n");
315 #ifdef FIONBIO
316         BIO_printf(bio_err," -nbio         - Run with non-blocking IO\n");
317 #endif
318         BIO_printf(bio_err," -crlf         - convert LF from terminal into CRLF\n");
319         BIO_printf(bio_err," -quiet        - no s_client output\n");
320         BIO_printf(bio_err," -ign_eof      - ignore input eof (default when -quiet)\n");
321         BIO_printf(bio_err," -no_ign_eof   - don't ignore input eof\n");
322 #ifndef OPENSSL_NO_PSK
323         BIO_printf(bio_err," -psk_identity arg - PSK identity\n");
324         BIO_printf(bio_err," -psk arg      - PSK in hex (without 0x)\n");
325 # ifndef OPENSSL_NO_JPAKE
326         BIO_printf(bio_err," -jpake arg    - JPAKE secret to use\n");
327 # endif
328 #endif
329 #ifndef OPENSSL_NO_SRP
330         BIO_printf(bio_err," -srpuser user     - SRP authentification for 'user'\n");
331         BIO_printf(bio_err," -srppass arg      - password for 'user'\n");
332         BIO_printf(bio_err," -srp_lateuser     - SRP username into second ClientHello message\n");
333         BIO_printf(bio_err," -srp_moregroups   - Tolerate other than the known g N values.\n");
334         BIO_printf(bio_err," -srp_strength int - minimal mength in bits for N (default %d).\n",SRP_MINIMAL_N);
335 #endif
336         BIO_printf(bio_err," -ssl2         - just use SSLv2\n");
337         BIO_printf(bio_err," -ssl3         - just use SSLv3\n");
338         BIO_printf(bio_err," -tls1_2       - just use TLSv1.2\n");
339         BIO_printf(bio_err," -tls1_1       - just use TLSv1.1\n");
340         BIO_printf(bio_err," -tls1         - just use TLSv1\n");
341         BIO_printf(bio_err," -dtls1        - just use DTLSv1\n");    
342         BIO_printf(bio_err," -mtu          - set the link layer MTU\n");
343         BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
344         BIO_printf(bio_err," -bugs         - Switch on all SSL implementation bug workarounds\n");
345         BIO_printf(bio_err," -serverpref   - Use server's cipher preferences (only SSLv2)\n");
346         BIO_printf(bio_err," -cipher       - preferred cipher to use, use the 'openssl ciphers'\n");
347         BIO_printf(bio_err,"                 command to see what is available\n");
348         BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n");
349         BIO_printf(bio_err,"                 for those protocols that support it, where\n");
350         BIO_printf(bio_err,"                 'prot' defines which one to assume.  Currently,\n");
351         BIO_printf(bio_err,"                 only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
352         BIO_printf(bio_err,"                 are supported.\n");
353 #ifndef OPENSSL_NO_ENGINE
354         BIO_printf(bio_err," -engine id    - Initialise and use the specified engine\n");
355 #endif
356         BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
357         BIO_printf(bio_err," -sess_out arg - file to write SSL session to\n");
358         BIO_printf(bio_err," -sess_in arg  - file to read SSL session from\n");
359 #ifndef OPENSSL_NO_TLSEXT
360         BIO_printf(bio_err," -servername host  - Set TLS extension servername in ClientHello\n");
361         BIO_printf(bio_err," -tlsextdebug      - hex dump of all TLS extensions received\n");
362         BIO_printf(bio_err," -status           - request certificate status from server\n");
363         BIO_printf(bio_err," -no_ticket        - disable use of RFC4507bis session tickets\n");
364         BIO_printf(bio_err," -proof_debug      - request an audit proof and print its hex dump\n");
365 # ifndef OPENSSL_NO_NEXTPROTONEG
366         BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
367 # endif
368 #endif
369         BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
370         BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
371         BIO_printf(bio_err," -keymatexport label   - Export keying material using label\n");
372         BIO_printf(bio_err," -keymatexportlen len  - Export len bytes of keying material (default 20)\n");
373         }
374
375 #ifndef OPENSSL_NO_TLSEXT
376
377 /* This is a context that we pass to callbacks */
378 typedef struct tlsextctx_st {
379    BIO * biodebug;
380    int ack;
381 } tlsextctx;
382
383
384 static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
385         {
386         tlsextctx * p = (tlsextctx *) arg;
387         const char * hn= SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
388         if (SSL_get_servername_type(s) != -1) 
389                 p->ack = !SSL_session_reused(s) && hn != NULL;
390         else 
391                 BIO_printf(bio_err,"Can't use SSL_get_servername\n");
392         
393         return SSL_TLSEXT_ERR_OK;
394         }
395
396 #ifndef OPENSSL_NO_SRP
397
398 /* This is a context that we pass to all callbacks */
399 typedef struct srp_arg_st
400         {
401         char *srppassin;
402         char *srplogin;
403         int msg;   /* copy from c_msg */
404         int debug; /* copy from c_debug */
405         int amp;   /* allow more groups */
406         int strength /* minimal size for N */ ;
407         } SRP_ARG;
408
409 #define SRP_NUMBER_ITERATIONS_FOR_PRIME 64
410
411 static int srp_Verify_N_and_g(const BIGNUM *N, const BIGNUM *g)
412         {
413         BN_CTX *bn_ctx = BN_CTX_new();
414         BIGNUM *p = BN_new();
415         BIGNUM *r = BN_new();
416         int ret =
417                 g != NULL && N != NULL && bn_ctx != NULL && BN_is_odd(N) &&
418                 BN_is_prime_ex(N, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
419                 p != NULL && BN_rshift1(p, N) &&
420
421                 /* p = (N-1)/2 */
422                 BN_is_prime_ex(p, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
423                 r != NULL &&
424
425                 /* verify g^((N-1)/2) == -1 (mod N) */
426                 BN_mod_exp(r, g, p, N, bn_ctx) &&
427                 BN_add_word(r, 1) &&
428                 BN_cmp(r, N) == 0;
429
430         if(r)
431                 BN_free(r);
432         if(p)
433                 BN_free(p);
434         if(bn_ctx)
435                 BN_CTX_free(bn_ctx);
436         return ret;
437         }
438
439 /* This callback is used here for two purposes:
440    - extended debugging
441    - making some primality tests for unknown groups
442    The callback is only called for a non default group.
443
444    An application does not need the call back at all if
445    only the stanard groups are used.  In real life situations, 
446    client and server already share well known groups, 
447    thus there is no need to verify them. 
448    Furthermore, in case that a server actually proposes a group that
449    is not one of those defined in RFC 5054, it is more appropriate 
450    to add the group to a static list and then compare since 
451    primality tests are rather cpu consuming.
452 */
453
454 static int MS_CALLBACK ssl_srp_verify_param_cb(SSL *s, void *arg)
455         {
456         SRP_ARG *srp_arg = (SRP_ARG *)arg;
457         BIGNUM *N = NULL, *g = NULL;
458         if (!(N = SSL_get_srp_N(s)) || !(g = SSL_get_srp_g(s)))
459                 return 0;
460         if (srp_arg->debug || srp_arg->msg || srp_arg->amp == 1)
461                 {
462                 BIO_printf(bio_err, "SRP parameters:\n"); 
463                 BIO_printf(bio_err,"\tN="); BN_print(bio_err,N);
464                 BIO_printf(bio_err,"\n\tg="); BN_print(bio_err,g);
465                 BIO_printf(bio_err,"\n");
466                 }
467
468         if (SRP_check_known_gN_param(g,N))
469                 return 1;
470
471         if (srp_arg->amp == 1)
472                 {
473                 if (srp_arg->debug)
474                         BIO_printf(bio_err, "SRP param N and g are not known params, going to check deeper.\n");
475
476 /* The srp_moregroups is a real debugging feature.
477    Implementors should rather add the value to the known ones.
478    The minimal size has already been tested.
479 */
480                 if (BN_num_bits(g) <= BN_BITS && srp_Verify_N_and_g(N,g))
481                         return 1;
482                 }       
483         BIO_printf(bio_err, "SRP param N and g rejected.\n");
484         return 0;
485         }
486
487 #define PWD_STRLEN 1024
488
489 static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
490         {
491         SRP_ARG *srp_arg = (SRP_ARG *)arg;
492         char *pass = (char *)OPENSSL_malloc(PWD_STRLEN+1);
493         PW_CB_DATA cb_tmp;
494         int l;
495
496         cb_tmp.password = (char *)srp_arg->srppassin;
497         cb_tmp.prompt_info = "SRP user";
498         if ((l = password_callback(pass, PWD_STRLEN, 0, &cb_tmp))<0)
499                 {
500                 BIO_printf (bio_err, "Can't read Password\n");
501                 OPENSSL_free(pass);
502                 return NULL;
503                 }
504         *(pass+l)= '\0';
505
506         return pass;
507         }
508
509 #endif
510         char *srtp_profiles = NULL;
511
512 # ifndef OPENSSL_NO_NEXTPROTONEG
513 /* This the context that we pass to next_proto_cb */
514 typedef struct tlsextnextprotoctx_st {
515         unsigned char *data;
516         unsigned short len;
517         int status;
518 } tlsextnextprotoctx;
519
520 static tlsextnextprotoctx next_proto;
521
522 static int next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg)
523         {
524         tlsextnextprotoctx *ctx = arg;
525
526         if (!c_quiet)
527                 {
528                 /* We can assume that |in| is syntactically valid. */
529                 unsigned i;
530                 BIO_printf(bio_c_out, "Protocols advertised by server: ");
531                 for (i = 0; i < inlen; )
532                         {
533                         if (i)
534                                 BIO_write(bio_c_out, ", ", 2);
535                         BIO_write(bio_c_out, &in[i + 1], in[i]);
536                         i += in[i] + 1;
537                         }
538                 BIO_write(bio_c_out, "\n", 1);
539                 }
540
541         ctx->status = SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len);
542         return SSL_TLSEXT_ERR_OK;
543         }
544 # endif  /* ndef OPENSSL_NO_NEXTPROTONEG */
545 #endif
546
547 enum
548 {
549         PROTO_OFF       = 0,
550         PROTO_SMTP,
551         PROTO_POP3,
552         PROTO_IMAP,
553         PROTO_FTP,
554         PROTO_XMPP
555 };
556
557 int MAIN(int, char **);
558
559 int MAIN(int argc, char **argv)
560         {
561         int build_chain = 0;
562         SSL *con=NULL;
563 #ifndef OPENSSL_NO_KRB5
564         KSSL_CTX *kctx;
565 #endif
566         int s,k,width,state=0;
567         char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL;
568         int cbuf_len,cbuf_off;
569         int sbuf_len,sbuf_off;
570         fd_set readfds,writefds;
571         short port=PORT;
572         int full_log=1;
573         char *host=SSL_HOST_NAME;
574         char *cert_file=NULL,*key_file=NULL,*chain_file=NULL;
575         int cert_format = FORMAT_PEM, key_format = FORMAT_PEM;
576         char *passarg = NULL, *pass = NULL;
577         X509 *cert = NULL;
578         EVP_PKEY *key = NULL;
579         STACK_OF(X509) *chain = NULL;
580         char *CApath=NULL,*CAfile=NULL;
581         char *chCApath=NULL,*chCAfile=NULL;
582         char *vfyCApath=NULL,*vfyCAfile=NULL;
583         int reconnect=0,badop=0,verify=SSL_VERIFY_NONE;
584         int crlf=0;
585         int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending;
586         SSL_CTX *ctx=NULL;
587         int ret=1,in_init=1,i,nbio_test=0;
588         int starttls_proto = PROTO_OFF;
589         int prexit = 0;
590         X509_VERIFY_PARAM *vpm = NULL;
591         int badarg = 0;
592         const SSL_METHOD *meth=NULL;
593         int socket_type=SOCK_STREAM;
594         BIO *sbio;
595         char *inrand=NULL;
596         int mbuf_len=0;
597         struct timeval timeout, *timeoutp;
598 #ifndef OPENSSL_NO_ENGINE
599         char *engine_id=NULL;
600         char *ssl_client_engine_id=NULL;
601         ENGINE *ssl_client_engine=NULL;
602 #endif
603         ENGINE *e=NULL;
604 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
605         struct timeval tv;
606 #if defined(OPENSSL_SYS_BEOS_R5)
607         int stdin_set = 0;
608 #endif
609 #endif
610 #ifndef OPENSSL_NO_TLSEXT
611         char *servername = NULL; 
612         tlsextctx tlsextcbp = 
613         {NULL,0};
614 # ifndef OPENSSL_NO_NEXTPROTONEG
615         const char *next_proto_neg_in = NULL;
616 # endif
617 #endif
618         char *sess_in = NULL;
619         char *sess_out = NULL;
620         struct sockaddr peer;
621         int peerlen = sizeof(peer);
622         int enable_timeouts = 0 ;
623         long socket_mtu = 0;
624 #ifndef OPENSSL_NO_JPAKE
625 static char *jpake_secret = NULL;
626 #define no_jpake !jpake_secret
627 #else
628 #define no_jpake 1
629 #endif
630 #ifndef OPENSSL_NO_SRP
631         char * srppass = NULL;
632         int srp_lateuser = 0;
633         SRP_ARG srp_arg = {NULL,NULL,0,0,0,1024};
634 #endif
635         SSL_EXCERT *exc = NULL;
636
637         SSL_CONF_CTX *cctx = NULL;
638         STACK_OF(OPENSSL_STRING) *ssl_args = NULL;
639
640         char *crl_file = NULL;
641         int crl_format = FORMAT_PEM;
642         int crl_download = 0;
643         STACK_OF(X509_CRL) *crls = NULL;
644
645         meth=SSLv23_client_method();
646
647         apps_startup();
648         c_Pause=0;
649         c_quiet=0;
650         c_ign_eof=0;
651         c_debug=0;
652         c_msg=0;
653         c_showcerts=0;
654
655         if (bio_err == NULL)
656                 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
657
658         if (!load_config(bio_err, NULL))
659                 goto end;
660         cctx = SSL_CONF_CTX_new();
661         if (!cctx)
662                 goto end;
663         SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT);
664         SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CMDLINE);
665
666         if (    ((cbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
667                 ((sbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
668                 ((mbuf=OPENSSL_malloc(BUFSIZZ)) == NULL))
669                 {
670                 BIO_printf(bio_err,"out of memory\n");
671                 goto end;
672                 }
673
674         verify_depth=0;
675         verify_error=X509_V_OK;
676 #ifdef FIONBIO
677         c_nbio=0;
678 #endif
679
680         argc--;
681         argv++;
682         while (argc >= 1)
683                 {
684                 if      (strcmp(*argv,"-host") == 0)
685                         {
686                         if (--argc < 1) goto bad;
687                         host= *(++argv);
688                         }
689                 else if (strcmp(*argv,"-port") == 0)
690                         {
691                         if (--argc < 1) goto bad;
692                         port=atoi(*(++argv));
693                         if (port == 0) goto bad;
694                         }
695                 else if (strcmp(*argv,"-connect") == 0)
696                         {
697                         if (--argc < 1) goto bad;
698                         if (!extract_host_port(*(++argv),&host,NULL,&port))
699                                 goto bad;
700                         }
701                 else if (strcmp(*argv,"-verify") == 0)
702                         {
703                         verify=SSL_VERIFY_PEER;
704                         if (--argc < 1) goto bad;
705                         verify_depth=atoi(*(++argv));
706                         if (!c_quiet)
707                                 BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
708                         }
709                 else if (strcmp(*argv,"-cert") == 0)
710                         {
711                         if (--argc < 1) goto bad;
712                         cert_file= *(++argv);
713                         }
714                 else if (strcmp(*argv,"-CRL") == 0)
715                         {
716                         if (--argc < 1) goto bad;
717                         crl_file= *(++argv);
718                         }
719                 else if (strcmp(*argv,"-crl_download") == 0)
720                         crl_download = 1;
721                 else if (strcmp(*argv,"-sess_out") == 0)
722                         {
723                         if (--argc < 1) goto bad;
724                         sess_out = *(++argv);
725                         }
726                 else if (strcmp(*argv,"-sess_in") == 0)
727                         {
728                         if (--argc < 1) goto bad;
729                         sess_in = *(++argv);
730                         }
731                 else if (strcmp(*argv,"-certform") == 0)
732                         {
733                         if (--argc < 1) goto bad;
734                         cert_format = str2fmt(*(++argv));
735                         }
736                 else if (strcmp(*argv,"-CRLform") == 0)
737                         {
738                         if (--argc < 1) goto bad;
739                         crl_format = str2fmt(*(++argv));
740                         }
741                 else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
742                         {
743                         if (badarg)
744                                 goto bad;
745                         continue;
746                         }
747                 else if (strcmp(*argv,"-verify_return_error") == 0)
748                         verify_return_error = 1;
749                 else if (strcmp(*argv,"-verify_quiet") == 0)
750                         verify_quiet = 1;
751                 else if (strcmp(*argv,"-brief") == 0)
752                         {
753                         c_brief = 1;
754                         verify_quiet = 1;
755                         c_quiet = 1;
756                         }
757                 else if (args_excert(&argv, &argc, &badarg, bio_err, &exc))
758                         {
759                         if (badarg)
760                                 goto bad;
761                         continue;
762                         }
763                 else if (args_ssl(&argv, &argc, cctx, &badarg, bio_err, &ssl_args))
764                         {
765                         if (badarg)
766                                 goto bad;
767                         continue;
768                         }
769                 else if (strcmp(*argv,"-prexit") == 0)
770                         prexit=1;
771                 else if (strcmp(*argv,"-crlf") == 0)
772                         crlf=1;
773                 else if (strcmp(*argv,"-quiet") == 0)
774                         {
775                         c_quiet=1;
776                         c_ign_eof=1;
777                         }
778                 else if (strcmp(*argv,"-ign_eof") == 0)
779                         c_ign_eof=1;
780                 else if (strcmp(*argv,"-no_ign_eof") == 0)
781                         c_ign_eof=0;
782                 else if (strcmp(*argv,"-pause") == 0)
783                         c_Pause=1;
784                 else if (strcmp(*argv,"-debug") == 0)
785                         c_debug=1;
786 #ifndef OPENSSL_NO_TLSEXT
787                 else if (strcmp(*argv,"-tlsextdebug") == 0)
788                         c_tlsextdebug=1;
789                 else if (strcmp(*argv,"-status") == 0)
790                         c_status_req=1;
791                 else if (strcmp(*argv,"-proof_debug") == 0)
792                         c_proof_debug=1;
793 #endif
794 #ifdef WATT32
795                 else if (strcmp(*argv,"-wdebug") == 0)
796                         dbug_init();
797 #endif
798                 else if (strcmp(*argv,"-msg") == 0)
799                         c_msg=1;
800                 else if (strcmp(*argv,"-msgfile") == 0)
801                         {
802                         if (--argc < 1) goto bad;
803                         bio_c_msg = BIO_new_file(*(++argv), "w");
804                         }
805 #ifndef OPENSSL_NO_SSL_TRACE
806                 else if (strcmp(*argv,"-trace") == 0)
807                         c_msg=2;
808 #endif
809                 else if (strcmp(*argv,"-showcerts") == 0)
810                         c_showcerts=1;
811                 else if (strcmp(*argv,"-nbio_test") == 0)
812                         nbio_test=1;
813                 else if (strcmp(*argv,"-state") == 0)
814                         state=1;
815 #ifndef OPENSSL_NO_PSK
816                 else if (strcmp(*argv,"-psk_identity") == 0)
817                         {
818                         if (--argc < 1) goto bad;
819                         psk_identity=*(++argv);
820                         }
821                 else if (strcmp(*argv,"-psk") == 0)
822                         {
823                         size_t j;
824
825                         if (--argc < 1) goto bad;
826                         psk_key=*(++argv);
827                         for (j = 0; j < strlen(psk_key); j++)
828                                 {
829                                 if (isxdigit((unsigned char)psk_key[j]))
830                                         continue;
831                                 BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
832                                 goto bad;
833                                 }
834                         }
835 #endif
836 #ifndef OPENSSL_NO_SRP
837                 else if (strcmp(*argv,"-srpuser") == 0)
838                         {
839                         if (--argc < 1) goto bad;
840                         srp_arg.srplogin= *(++argv);
841                         meth=TLSv1_client_method();
842                         }
843                 else if (strcmp(*argv,"-srppass") == 0)
844                         {
845                         if (--argc < 1) goto bad;
846                         srppass= *(++argv);
847                         meth=TLSv1_client_method();
848                         }
849                 else if (strcmp(*argv,"-srp_strength") == 0)
850                         {
851                         if (--argc < 1) goto bad;
852                         srp_arg.strength=atoi(*(++argv));
853                         BIO_printf(bio_err,"SRP minimal length for N is %d\n",srp_arg.strength);
854                         meth=TLSv1_client_method();
855                         }
856                 else if (strcmp(*argv,"-srp_lateuser") == 0)
857                         {
858                         srp_lateuser= 1;
859                         meth=TLSv1_client_method();
860                         }
861                 else if (strcmp(*argv,"-srp_moregroups") == 0)
862                         {
863                         srp_arg.amp=1;
864                         meth=TLSv1_client_method();
865                         }
866 #endif
867 #ifndef OPENSSL_NO_SSL2
868                 else if (strcmp(*argv,"-ssl2") == 0)
869                         meth=SSLv2_client_method();
870 #endif
871 #ifndef OPENSSL_NO_SSL3
872                 else if (strcmp(*argv,"-ssl3") == 0)
873                         meth=SSLv3_client_method();
874 #endif
875 #ifndef OPENSSL_NO_TLS1
876                 else if (strcmp(*argv,"-tls1_2") == 0)
877                         meth=TLSv1_2_client_method();
878                 else if (strcmp(*argv,"-tls1_1") == 0)
879                         meth=TLSv1_1_client_method();
880                 else if (strcmp(*argv,"-tls1") == 0)
881                         meth=TLSv1_client_method();
882 #endif
883 #ifndef OPENSSL_NO_DTLS1
884                 else if (strcmp(*argv,"-dtls1") == 0)
885                         {
886                         meth=DTLSv1_client_method();
887                         socket_type=SOCK_DGRAM;
888                         }
889                 else if (strcmp(*argv,"-dtls1_2") == 0)
890                         {
891                         meth=DTLSv1_2_client_method();
892                         socket_type=SOCK_DGRAM;
893                         }
894                 else if (strcmp(*argv,"-timeout") == 0)
895                         enable_timeouts=1;
896                 else if (strcmp(*argv,"-mtu") == 0)
897                         {
898                         if (--argc < 1) goto bad;
899                         socket_mtu = atol(*(++argv));
900                         }
901 #endif
902                 else if (strcmp(*argv,"-keyform") == 0)
903                         {
904                         if (--argc < 1) goto bad;
905                         key_format = str2fmt(*(++argv));
906                         }
907                 else if (strcmp(*argv,"-pass") == 0)
908                         {
909                         if (--argc < 1) goto bad;
910                         passarg = *(++argv);
911                         }
912                 else if (strcmp(*argv,"-cert_chain") == 0)
913                         {
914                         if (--argc < 1) goto bad;
915                         chain_file= *(++argv);
916                         }
917                 else if (strcmp(*argv,"-key") == 0)
918                         {
919                         if (--argc < 1) goto bad;
920                         key_file= *(++argv);
921                         }
922                 else if (strcmp(*argv,"-reconnect") == 0)
923                         {
924                         reconnect=5;
925                         }
926                 else if (strcmp(*argv,"-CApath") == 0)
927                         {
928                         if (--argc < 1) goto bad;
929                         CApath= *(++argv);
930                         }
931                 else if (strcmp(*argv,"-chainCApath") == 0)
932                         {
933                         if (--argc < 1) goto bad;
934                         chCApath= *(++argv);
935                         }
936                 else if (strcmp(*argv,"-verifyCApath") == 0)
937                         {
938                         if (--argc < 1) goto bad;
939                         vfyCApath= *(++argv);
940                         }
941                 else if (strcmp(*argv,"-build_chain") == 0)
942                         build_chain = 1;
943                 else if (strcmp(*argv,"-CAfile") == 0)
944                         {
945                         if (--argc < 1) goto bad;
946                         CAfile= *(++argv);
947                         }
948                 else if (strcmp(*argv,"-chainCAfile") == 0)
949                         {
950                         if (--argc < 1) goto bad;
951                         chCAfile= *(++argv);
952                         }
953                 else if (strcmp(*argv,"-verifyCAfile") == 0)
954                         {
955                         if (--argc < 1) goto bad;
956                         vfyCAfile= *(++argv);
957                         }
958 #ifndef OPENSSL_NO_TLSEXT
959 # ifndef OPENSSL_NO_NEXTPROTONEG
960                 else if (strcmp(*argv,"-nextprotoneg") == 0)
961                         {
962                         if (--argc < 1) goto bad;
963                         next_proto_neg_in = *(++argv);
964                         }
965 # endif
966 #endif
967 #ifdef FIONBIO
968                 else if (strcmp(*argv,"-nbio") == 0)
969                         { c_nbio=1; }
970 #endif
971                 else if (strcmp(*argv,"-starttls") == 0)
972                         {
973                         if (--argc < 1) goto bad;
974                         ++argv;
975                         if (strcmp(*argv,"smtp") == 0)
976                                 starttls_proto = PROTO_SMTP;
977                         else if (strcmp(*argv,"pop3") == 0)
978                                 starttls_proto = PROTO_POP3;
979                         else if (strcmp(*argv,"imap") == 0)
980                                 starttls_proto = PROTO_IMAP;
981                         else if (strcmp(*argv,"ftp") == 0)
982                                 starttls_proto = PROTO_FTP;
983                         else if (strcmp(*argv, "xmpp") == 0)
984                                 starttls_proto = PROTO_XMPP;
985                         else
986                                 goto bad;
987                         }
988 #ifndef OPENSSL_NO_ENGINE
989                 else if (strcmp(*argv,"-engine") == 0)
990                         {
991                         if (--argc < 1) goto bad;
992                         engine_id = *(++argv);
993                         }
994                 else if (strcmp(*argv,"-ssl_client_engine") == 0)
995                         {
996                         if (--argc < 1) goto bad;
997                         ssl_client_engine_id = *(++argv);
998                         }
999 #endif
1000                 else if (strcmp(*argv,"-rand") == 0)
1001                         {
1002                         if (--argc < 1) goto bad;
1003                         inrand= *(++argv);
1004                         }
1005 #ifndef OPENSSL_NO_TLSEXT
1006                 else if (strcmp(*argv,"-servername") == 0)
1007                         {
1008                         if (--argc < 1) goto bad;
1009                         servername= *(++argv);
1010                         /* meth=TLSv1_client_method(); */
1011                         }
1012 #endif
1013 #ifndef OPENSSL_NO_JPAKE
1014                 else if (strcmp(*argv,"-jpake") == 0)
1015                         {
1016                         if (--argc < 1) goto bad;
1017                         jpake_secret = *++argv;
1018                         }
1019 #endif
1020                 else if (strcmp(*argv,"-use_srtp") == 0)
1021                         {
1022                         if (--argc < 1) goto bad;
1023                         srtp_profiles = *(++argv);
1024                         }
1025                 else if (strcmp(*argv,"-keymatexport") == 0)
1026                         {
1027                         if (--argc < 1) goto bad;
1028                         keymatexportlabel= *(++argv);
1029                         }
1030                 else if (strcmp(*argv,"-keymatexportlen") == 0)
1031                         {
1032                         if (--argc < 1) goto bad;
1033                         keymatexportlen=atoi(*(++argv));
1034                         if (keymatexportlen == 0) goto bad;
1035                         }
1036                 else
1037                         {
1038                         BIO_printf(bio_err,"unknown option %s\n",*argv);
1039                         badop=1;
1040                         break;
1041                         }
1042                 argc--;
1043                 argv++;
1044                 }
1045         if (badop)
1046                 {
1047 bad:
1048                 sc_usage();
1049                 goto end;
1050                 }
1051
1052 #if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
1053         if (jpake_secret)
1054                 {
1055                 if (psk_key)
1056                         {
1057                         BIO_printf(bio_err,
1058                                    "Can't use JPAKE and PSK together\n");
1059                         goto end;
1060                         }
1061                 psk_identity = "JPAKE";
1062                 }
1063 #endif
1064
1065         OpenSSL_add_ssl_algorithms();
1066         SSL_load_error_strings();
1067
1068 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
1069         next_proto.status = -1;
1070         if (next_proto_neg_in)
1071                 {
1072                 next_proto.data = next_protos_parse(&next_proto.len, next_proto_neg_in);
1073                 if (next_proto.data == NULL)
1074                         {
1075                         BIO_printf(bio_err, "Error parsing -nextprotoneg argument\n");
1076                         goto end;
1077                         }
1078                 }
1079         else
1080                 next_proto.data = NULL;
1081 #endif
1082
1083 #ifndef OPENSSL_NO_ENGINE
1084         e = setup_engine(bio_err, engine_id, 1);
1085         if (ssl_client_engine_id)
1086                 {
1087                 ssl_client_engine = ENGINE_by_id(ssl_client_engine_id);
1088                 if (!ssl_client_engine)
1089                         {
1090                         BIO_printf(bio_err,
1091                                         "Error getting client auth engine\n");
1092                         goto end;
1093                         }
1094                 }
1095
1096 #endif
1097         if (!app_passwd(bio_err, passarg, NULL, &pass, NULL))
1098                 {
1099                 BIO_printf(bio_err, "Error getting password\n");
1100                 goto end;
1101                 }
1102
1103         if (key_file == NULL)
1104                 key_file = cert_file;
1105
1106
1107         if (key_file)
1108
1109                 {
1110
1111                 key = load_key(bio_err, key_file, key_format, 0, pass, e,
1112                                "client certificate private key file");
1113                 if (!key)
1114                         {
1115                         ERR_print_errors(bio_err);
1116                         goto end;
1117                         }
1118
1119                 }
1120
1121         if (cert_file)
1122
1123                 {
1124                 cert = load_cert(bio_err,cert_file,cert_format,
1125                                 NULL, e, "client certificate file");
1126
1127                 if (!cert)
1128                         {
1129                         ERR_print_errors(bio_err);
1130                         goto end;
1131                         }
1132                 }
1133
1134         if (chain_file)
1135                 {
1136                 chain = load_certs(bio_err, chain_file,FORMAT_PEM,
1137                                         NULL, e, "client certificate chain");
1138                 if (!chain)
1139                         goto end;
1140                 }
1141
1142         if (crl_file)
1143                 {
1144                 X509_CRL *crl;
1145                 crl = load_crl(crl_file, crl_format);
1146                 if (!crl)
1147                         {
1148                         BIO_puts(bio_err, "Error loading CRL\n");
1149                         ERR_print_errors(bio_err);
1150                         goto end;
1151                         }
1152                 crls = sk_X509_CRL_new_null();
1153                 if (!crls || !sk_X509_CRL_push(crls, crl))
1154                         {
1155                         BIO_puts(bio_err, "Error adding CRL\n");
1156                         ERR_print_errors(bio_err);
1157                         X509_CRL_free(crl);
1158                         goto end;
1159                         }
1160                 }
1161
1162         if (!load_excert(&exc, bio_err))
1163                 goto end;
1164
1165         if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
1166                 && !RAND_status())
1167                 {
1168                 BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
1169                 }
1170         if (inrand != NULL)
1171                 BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
1172                         app_RAND_load_files(inrand));
1173
1174         if (bio_c_out == NULL)
1175                 {
1176                 if (c_quiet && !c_debug)
1177                         {
1178                         bio_c_out=BIO_new(BIO_s_null());
1179                         if (c_msg && !bio_c_msg)
1180                                 bio_c_msg=BIO_new_fp(stdout,BIO_NOCLOSE);
1181                         }
1182                 else
1183                         {
1184                         if (bio_c_out == NULL)
1185                                 bio_c_out=BIO_new_fp(stdout,BIO_NOCLOSE);
1186                         }
1187                 }
1188
1189 #ifndef OPENSSL_NO_SRP
1190         if(!app_passwd(bio_err, srppass, NULL, &srp_arg.srppassin, NULL))
1191                 {
1192                 BIO_printf(bio_err, "Error getting password\n");
1193                 goto end;
1194                 }
1195 #endif
1196
1197         ctx=SSL_CTX_new(meth);
1198         if (ctx == NULL)
1199                 {
1200                 ERR_print_errors(bio_err);
1201                 goto end;
1202                 }
1203
1204         if (vpm)
1205                 SSL_CTX_set1_param(ctx, vpm);
1206
1207         if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, 1, no_jpake))
1208                 {
1209                 ERR_print_errors(bio_err);
1210                 goto end;
1211                 }
1212
1213         if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile,
1214                                                 crls, crl_download))
1215                 {
1216                 BIO_printf(bio_err, "Error loading store locations\n");
1217                 ERR_print_errors(bio_err);
1218                 goto end;
1219                 }
1220
1221 #ifndef OPENSSL_NO_ENGINE
1222         if (ssl_client_engine)
1223                 {
1224                 if (!SSL_CTX_set_client_cert_engine(ctx, ssl_client_engine))
1225                         {
1226                         BIO_puts(bio_err, "Error setting client auth engine\n");
1227                         ERR_print_errors(bio_err);
1228                         ENGINE_free(ssl_client_engine);
1229                         goto end;
1230                         }
1231                 ENGINE_free(ssl_client_engine);
1232                 }
1233 #endif
1234
1235 #ifndef OPENSSL_NO_PSK
1236 #ifdef OPENSSL_NO_JPAKE
1237         if (psk_key != NULL)
1238 #else
1239         if (psk_key != NULL || jpake_secret)
1240 #endif
1241                 {
1242                 if (c_debug)
1243                         BIO_printf(bio_c_out, "PSK key given or JPAKE in use, setting client callback\n");
1244                 SSL_CTX_set_psk_client_callback(ctx, psk_client_cb);
1245                 }
1246         if (srtp_profiles != NULL)
1247                 SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles);
1248 #endif
1249         if (exc) ssl_ctx_set_excert(ctx, exc);
1250         /* DTLS: partial reads end up discarding unread UDP bytes :-( 
1251          * Setting read ahead solves this problem.
1252          */
1253         if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
1254
1255 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
1256         if (next_proto.data)
1257                 SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);
1258 #endif
1259
1260         if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
1261 #if 0
1262         else
1263                 SSL_CTX_set_cipher_list(ctx,getenv("SSL_CIPHER"));
1264 #endif
1265
1266         SSL_CTX_set_verify(ctx,verify,verify_callback);
1267
1268         if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
1269                 (!SSL_CTX_set_default_verify_paths(ctx)))
1270                 {
1271                 /* BIO_printf(bio_err,"error setting default verify locations\n"); */
1272                 ERR_print_errors(bio_err);
1273                 /* goto end; */
1274                 }
1275
1276         ssl_ctx_add_crls(ctx, crls, crl_download);
1277
1278         if (!set_cert_key_stuff(ctx,cert,key,chain,build_chain))
1279                 goto end;
1280
1281 #ifndef OPENSSL_NO_TLSEXT
1282         if (servername != NULL)
1283                 {
1284                 tlsextcbp.biodebug = bio_err;
1285                 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
1286                 SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
1287                 }
1288 #ifndef OPENSSL_NO_SRP
1289         if (srp_arg.srplogin)
1290                 {
1291                 if (!srp_lateuser && !SSL_CTX_set_srp_username(ctx, srp_arg.srplogin))
1292                         {
1293                         BIO_printf(bio_err,"Unable to set SRP username\n");
1294                         goto end;
1295                         }
1296                 srp_arg.msg = c_msg;
1297                 srp_arg.debug = c_debug ;
1298                 SSL_CTX_set_srp_cb_arg(ctx,&srp_arg);
1299                 SSL_CTX_set_srp_client_pwd_callback(ctx, ssl_give_srp_client_pwd_cb);
1300                 SSL_CTX_set_srp_strength(ctx, srp_arg.strength);
1301                 if (c_msg || c_debug || srp_arg.amp == 0)
1302                         SSL_CTX_set_srp_verify_param_callback(ctx, ssl_srp_verify_param_cb);
1303                 }
1304
1305 #endif
1306         if (c_proof_debug)
1307                 SSL_CTX_set_tlsext_authz_server_audit_proof_cb(ctx,
1308                                                                audit_proof_cb);
1309 #endif
1310
1311         con=SSL_new(ctx);
1312         if (sess_in)
1313                 {
1314                 SSL_SESSION *sess;
1315                 BIO *stmp = BIO_new_file(sess_in, "r");
1316                 if (!stmp)
1317                         {
1318                         BIO_printf(bio_err, "Can't open session file %s\n",
1319                                                 sess_in);
1320                         ERR_print_errors(bio_err);
1321                         goto end;
1322                         }
1323                 sess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL);
1324                 BIO_free(stmp);
1325                 if (!sess)
1326                         {
1327                         BIO_printf(bio_err, "Can't open session file %s\n",
1328                                                 sess_in);
1329                         ERR_print_errors(bio_err);
1330                         goto end;
1331                         }
1332                 SSL_set_session(con, sess);
1333                 SSL_SESSION_free(sess);
1334                 }
1335 #ifndef OPENSSL_NO_TLSEXT
1336         if (servername != NULL)
1337                 {
1338                 if (!SSL_set_tlsext_host_name(con,servername))
1339                         {
1340                         BIO_printf(bio_err,"Unable to set TLS servername extension.\n");
1341                         ERR_print_errors(bio_err);
1342                         goto end;
1343                         }
1344                 }
1345 #endif
1346 #ifndef OPENSSL_NO_KRB5
1347         if (con  &&  (kctx = kssl_ctx_new()) != NULL)
1348                 {
1349                 SSL_set0_kssl_ctx(con, kctx);
1350                 kssl_ctx_setstring(kctx, KSSL_SERVER, host);
1351                 }
1352 #endif  /* OPENSSL_NO_KRB5  */
1353 /*      SSL_set_cipher_list(con,"RC4-MD5"); */
1354 #if 0
1355 #ifdef TLSEXT_TYPE_opaque_prf_input
1356         SSL_set_tlsext_opaque_prf_input(con, "Test client", 11);
1357 #endif
1358 #endif
1359
1360 re_start:
1361
1362         if (init_client(&s,host,port,socket_type) == 0)
1363                 {
1364                 BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
1365                 SHUTDOWN(s);
1366                 goto end;
1367                 }
1368         BIO_printf(bio_c_out,"CONNECTED(%08X)\n",s);
1369
1370 #ifdef FIONBIO
1371         if (c_nbio)
1372                 {
1373                 unsigned long l=1;
1374                 BIO_printf(bio_c_out,"turning on non blocking io\n");
1375                 if (BIO_socket_ioctl(s,FIONBIO,&l) < 0)
1376                         {
1377                         ERR_print_errors(bio_err);
1378                         goto end;
1379                         }
1380                 }
1381 #endif                                              
1382         if (c_Pause & 0x01) SSL_set_debug(con, 1);
1383
1384         if (socket_type == SOCK_DGRAM)
1385                 {
1386
1387                 sbio=BIO_new_dgram(s,BIO_NOCLOSE);
1388                 if (getsockname(s, &peer, (void *)&peerlen) < 0)
1389                         {
1390                         BIO_printf(bio_err, "getsockname:errno=%d\n",
1391                                 get_last_socket_error());
1392                         SHUTDOWN(s);
1393                         goto end;
1394                         }
1395
1396                 (void)BIO_ctrl_set_connected(sbio, 1, &peer);
1397
1398                 if (enable_timeouts)
1399                         {
1400                         timeout.tv_sec = 0;
1401                         timeout.tv_usec = DGRAM_RCV_TIMEOUT;
1402                         BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
1403                         
1404                         timeout.tv_sec = 0;
1405                         timeout.tv_usec = DGRAM_SND_TIMEOUT;
1406                         BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
1407                         }
1408
1409                 if (socket_mtu > 28)
1410                         {
1411                         SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
1412                         SSL_set_mtu(con, socket_mtu - 28);
1413                         }
1414                 else
1415                         /* want to do MTU discovery */
1416                         BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
1417                 }
1418         else
1419                 sbio=BIO_new_socket(s,BIO_NOCLOSE);
1420
1421         if (nbio_test)
1422                 {
1423                 BIO *test;
1424
1425                 test=BIO_new(BIO_f_nbio_test());
1426                 sbio=BIO_push(test,sbio);
1427                 }
1428
1429         if (c_debug)
1430                 {
1431                 SSL_set_debug(con, 1);
1432                 BIO_set_callback(sbio,bio_dump_callback);
1433                 BIO_set_callback_arg(sbio,(char *)bio_c_out);
1434                 }
1435         if (c_msg)
1436                 {
1437 #ifndef OPENSSL_NO_SSL_TRACE
1438                 if (c_msg == 2)
1439                         SSL_set_msg_callback(con, SSL_trace);
1440                 else
1441 #endif
1442                         SSL_set_msg_callback(con, msg_cb);
1443                 SSL_set_msg_callback_arg(con, bio_c_msg ? bio_c_msg : bio_c_out);
1444                 }
1445 #ifndef OPENSSL_NO_TLSEXT
1446         if (c_tlsextdebug)
1447                 {
1448                 SSL_set_tlsext_debug_callback(con, tlsext_cb);
1449                 SSL_set_tlsext_debug_arg(con, bio_c_out);
1450                 }
1451         if (c_status_req)
1452                 {
1453                 SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp);
1454                 SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb);
1455                 SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out);
1456 #if 0
1457 {
1458 STACK_OF(OCSP_RESPID) *ids = sk_OCSP_RESPID_new_null();
1459 OCSP_RESPID *id = OCSP_RESPID_new();
1460 id->value.byKey = ASN1_OCTET_STRING_new();
1461 id->type = V_OCSP_RESPID_KEY;
1462 ASN1_STRING_set(id->value.byKey, "Hello World", -1);
1463 sk_OCSP_RESPID_push(ids, id);
1464 SSL_set_tlsext_status_ids(con, ids);
1465 }
1466 #endif
1467                 }
1468 #endif
1469 #ifndef OPENSSL_NO_JPAKE
1470         if (jpake_secret)
1471                 jpake_client_auth(bio_c_out, sbio, jpake_secret);
1472 #endif
1473
1474         SSL_set_bio(con,sbio,sbio);
1475         SSL_set_connect_state(con);
1476
1477         /* ok, lets connect */
1478         width=SSL_get_fd(con)+1;
1479
1480         read_tty=1;
1481         write_tty=0;
1482         tty_on=0;
1483         read_ssl=1;
1484         write_ssl=1;
1485         
1486         cbuf_len=0;
1487         cbuf_off=0;
1488         sbuf_len=0;
1489         sbuf_off=0;
1490
1491         /* This is an ugly hack that does a lot of assumptions */
1492         /* We do have to handle multi-line responses which may come
1493            in a single packet or not. We therefore have to use
1494            BIO_gets() which does need a buffering BIO. So during
1495            the initial chitchat we do push a buffering BIO into the
1496            chain that is removed again later on to not disturb the
1497            rest of the s_client operation. */
1498         if (starttls_proto == PROTO_SMTP)
1499                 {
1500                 int foundit=0;
1501                 BIO *fbio = BIO_new(BIO_f_buffer());
1502                 BIO_push(fbio, sbio);
1503                 /* wait for multi-line response to end from SMTP */
1504                 do
1505                         {
1506                         mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1507                         }
1508                 while (mbuf_len>3 && mbuf[3]=='-');
1509                 /* STARTTLS command requires EHLO... */
1510                 BIO_printf(fbio,"EHLO openssl.client.net\r\n");
1511                 (void)BIO_flush(fbio);
1512                 /* wait for multi-line response to end EHLO SMTP response */
1513                 do
1514                         {
1515                         mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1516                         if (strstr(mbuf,"STARTTLS"))
1517                                 foundit=1;
1518                         }
1519                 while (mbuf_len>3 && mbuf[3]=='-');
1520                 (void)BIO_flush(fbio);
1521                 BIO_pop(fbio);
1522                 BIO_free(fbio);
1523                 if (!foundit)
1524                         BIO_printf(bio_err,
1525                                    "didn't found starttls in server response,"
1526                                    " try anyway...\n");
1527                 BIO_printf(sbio,"STARTTLS\r\n");
1528                 BIO_read(sbio,sbuf,BUFSIZZ);
1529                 }
1530         else if (starttls_proto == PROTO_POP3)
1531                 {
1532                 BIO_read(sbio,mbuf,BUFSIZZ);
1533                 BIO_printf(sbio,"STLS\r\n");
1534                 BIO_read(sbio,sbuf,BUFSIZZ);
1535                 }
1536         else if (starttls_proto == PROTO_IMAP)
1537                 {
1538                 int foundit=0;
1539                 BIO *fbio = BIO_new(BIO_f_buffer());
1540                 BIO_push(fbio, sbio);
1541                 BIO_gets(fbio,mbuf,BUFSIZZ);
1542                 /* STARTTLS command requires CAPABILITY... */
1543                 BIO_printf(fbio,". CAPABILITY\r\n");
1544                 (void)BIO_flush(fbio);
1545                 /* wait for multi-line CAPABILITY response */
1546                 do
1547                         {
1548                         mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1549                         if (strstr(mbuf,"STARTTLS"))
1550                                 foundit=1;
1551                         }
1552                 while (mbuf_len>3 && mbuf[0]!='.');
1553                 (void)BIO_flush(fbio);
1554                 BIO_pop(fbio);
1555                 BIO_free(fbio);
1556                 if (!foundit)
1557                         BIO_printf(bio_err,
1558                                    "didn't found STARTTLS in server response,"
1559                                    " try anyway...\n");
1560                 BIO_printf(sbio,". STARTTLS\r\n");
1561                 BIO_read(sbio,sbuf,BUFSIZZ);
1562                 }
1563         else if (starttls_proto == PROTO_FTP)
1564                 {
1565                 BIO *fbio = BIO_new(BIO_f_buffer());
1566                 BIO_push(fbio, sbio);
1567                 /* wait for multi-line response to end from FTP */
1568                 do
1569                         {
1570                         mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1571                         }
1572                 while (mbuf_len>3 && mbuf[3]=='-');
1573                 (void)BIO_flush(fbio);
1574                 BIO_pop(fbio);
1575                 BIO_free(fbio);
1576                 BIO_printf(sbio,"AUTH TLS\r\n");
1577                 BIO_read(sbio,sbuf,BUFSIZZ);
1578                 }
1579         if (starttls_proto == PROTO_XMPP)
1580                 {
1581                 int seen = 0;
1582                 BIO_printf(sbio,"<stream:stream "
1583                     "xmlns:stream='http://etherx.jabber.org/streams' "
1584                     "xmlns='jabber:client' to='%s' version='1.0'>", host);
1585                 seen = BIO_read(sbio,mbuf,BUFSIZZ);
1586                 mbuf[seen] = 0;
1587                 while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'"))
1588                         {
1589                         if (strstr(mbuf, "/stream:features>"))
1590                                 goto shut;
1591                         seen = BIO_read(sbio,mbuf,BUFSIZZ);
1592                         mbuf[seen] = 0;
1593                         }
1594                 BIO_printf(sbio, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>");
1595                 seen = BIO_read(sbio,sbuf,BUFSIZZ);
1596                 sbuf[seen] = 0;
1597                 if (!strstr(sbuf, "<proceed"))
1598                         goto shut;
1599                 mbuf[0] = 0;
1600                 }
1601
1602         for (;;)
1603                 {
1604                 FD_ZERO(&readfds);
1605                 FD_ZERO(&writefds);
1606
1607                 if ((SSL_version(con) == DTLS1_VERSION) &&
1608                         DTLSv1_get_timeout(con, &timeout))
1609                         timeoutp = &timeout;
1610                 else
1611                         timeoutp = NULL;
1612
1613                 if (SSL_in_init(con) && !SSL_total_renegotiations(con))
1614                         {
1615                         in_init=1;
1616                         tty_on=0;
1617                         }
1618                 else
1619                         {
1620                         tty_on=1;
1621                         if (in_init)
1622                                 {
1623                                 in_init=0;
1624 #if 0 /* This test doesn't really work as intended (needs to be fixed) */
1625 #ifndef OPENSSL_NO_TLSEXT
1626                                 if (servername != NULL && !SSL_session_reused(con))
1627                                         {
1628                                         BIO_printf(bio_c_out,"Server did %sacknowledge servername extension.\n",tlsextcbp.ack?"":"not ");
1629                                         }
1630 #endif
1631 #endif
1632                                 if (sess_out)
1633                                         {
1634                                         BIO *stmp = BIO_new_file(sess_out, "w");
1635                                         if (stmp)
1636                                                 {
1637                                                 PEM_write_bio_SSL_SESSION(stmp, SSL_get_session(con));
1638                                                 BIO_free(stmp);
1639                                                 }
1640                                         else 
1641                                                 BIO_printf(bio_err, "Error writing session file %s\n", sess_out);
1642                                         }
1643                                 if (c_brief)
1644                                         {
1645                                         BIO_puts(bio_err,
1646                                                 "CONNECTION ESTABLISHED\n");
1647                                         print_ssl_summary(bio_err, con);
1648                                         }
1649                                 print_stuff(bio_c_out,con,full_log);
1650                                 if (full_log > 0) full_log--;
1651
1652                                 if (starttls_proto)
1653                                         {
1654                                         BIO_printf(bio_err,"%s",mbuf);
1655                                         /* We don't need to know any more */
1656                                         starttls_proto = PROTO_OFF;
1657                                         }
1658
1659                                 if (reconnect)
1660                                         {
1661                                         reconnect--;
1662                                         BIO_printf(bio_c_out,"drop connection and then reconnect\n");
1663                                         SSL_shutdown(con);
1664                                         SSL_set_connect_state(con);
1665                                         SHUTDOWN(SSL_get_fd(con));
1666                                         goto re_start;
1667                                         }
1668                                 }
1669                         }
1670
1671                 ssl_pending = read_ssl && SSL_pending(con);
1672
1673                 if (!ssl_pending)
1674                         {
1675 #if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) && !defined (OPENSSL_SYS_BEOS_R5)
1676                         if (tty_on)
1677                                 {
1678                                 if (read_tty)  openssl_fdset(fileno(stdin),&readfds);
1679                                 if (write_tty) openssl_fdset(fileno(stdout),&writefds);
1680                                 }
1681                         if (read_ssl)
1682                                 openssl_fdset(SSL_get_fd(con),&readfds);
1683                         if (write_ssl)
1684                                 openssl_fdset(SSL_get_fd(con),&writefds);
1685 #else
1686                         if(!tty_on || !write_tty) {
1687                                 if (read_ssl)
1688                                         openssl_fdset(SSL_get_fd(con),&readfds);
1689                                 if (write_ssl)
1690                                         openssl_fdset(SSL_get_fd(con),&writefds);
1691                         }
1692 #endif
1693 /*                      printf("mode tty(%d %d%d) ssl(%d%d)\n",
1694                                 tty_on,read_tty,write_tty,read_ssl,write_ssl);*/
1695
1696                         /* Note: under VMS with SOCKETSHR the second parameter
1697                          * is currently of type (int *) whereas under other
1698                          * systems it is (void *) if you don't have a cast it
1699                          * will choke the compiler: if you do have a cast then
1700                          * you can either go for (int *) or (void *).
1701                          */
1702 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
1703                         /* Under Windows/DOS we make the assumption that we can
1704                          * always write to the tty: therefore if we need to
1705                          * write to the tty we just fall through. Otherwise
1706                          * we timeout the select every second and see if there
1707                          * are any keypresses. Note: this is a hack, in a proper
1708                          * Windows application we wouldn't do this.
1709                          */
1710                         i=0;
1711                         if(!write_tty) {
1712                                 if(read_tty) {
1713                                         tv.tv_sec = 1;
1714                                         tv.tv_usec = 0;
1715                                         i=select(width,(void *)&readfds,(void *)&writefds,
1716                                                  NULL,&tv);
1717 #if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
1718                                         if(!i && (!_kbhit() || !read_tty) ) continue;
1719 #else
1720                                         if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue;
1721 #endif
1722                                 } else  i=select(width,(void *)&readfds,(void *)&writefds,
1723                                          NULL,timeoutp);
1724                         }
1725 #elif defined(OPENSSL_SYS_NETWARE)
1726                         if(!write_tty) {
1727                                 if(read_tty) {
1728                                         tv.tv_sec = 1;
1729                                         tv.tv_usec = 0;
1730                                         i=select(width,(void *)&readfds,(void *)&writefds,
1731                                                 NULL,&tv);
1732                                 } else  i=select(width,(void *)&readfds,(void *)&writefds,
1733                                         NULL,timeoutp);
1734                         }
1735 #elif defined(OPENSSL_SYS_BEOS_R5)
1736                         /* Under BeOS-R5 the situation is similar to DOS */
1737                         i=0;
1738                         stdin_set = 0;
1739                         (void)fcntl(fileno(stdin), F_SETFL, O_NONBLOCK);
1740                         if(!write_tty) {
1741                                 if(read_tty) {
1742                                         tv.tv_sec = 1;
1743                                         tv.tv_usec = 0;
1744                                         i=select(width,(void *)&readfds,(void *)&writefds,
1745                                                  NULL,&tv);
1746                                         if (read(fileno(stdin), sbuf, 0) >= 0)
1747                                                 stdin_set = 1;
1748                                         if (!i && (stdin_set != 1 || !read_tty))
1749                                                 continue;
1750                                 } else  i=select(width,(void *)&readfds,(void *)&writefds,
1751                                          NULL,timeoutp);
1752                         }
1753                         (void)fcntl(fileno(stdin), F_SETFL, 0);
1754 #else
1755                         i=select(width,(void *)&readfds,(void *)&writefds,
1756                                  NULL,timeoutp);
1757 #endif
1758                         if ( i < 0)
1759                                 {
1760                                 BIO_printf(bio_err,"bad select %d\n",
1761                                 get_last_socket_error());
1762                                 goto shut;
1763                                 /* goto end; */
1764                                 }
1765                         }
1766
1767                 if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0)
1768                         {
1769                         BIO_printf(bio_err,"TIMEOUT occured\n");
1770                         }
1771
1772                 if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds))
1773                         {
1774                         k=SSL_write(con,&(cbuf[cbuf_off]),
1775                                 (unsigned int)cbuf_len);
1776                         switch (SSL_get_error(con,k))
1777                                 {
1778                         case SSL_ERROR_NONE:
1779                                 cbuf_off+=k;
1780                                 cbuf_len-=k;
1781                                 if (k <= 0) goto end;
1782                                 /* we have done a  write(con,NULL,0); */
1783                                 if (cbuf_len <= 0)
1784                                         {
1785                                         read_tty=1;
1786                                         write_ssl=0;
1787                                         }
1788                                 else /* if (cbuf_len > 0) */
1789                                         {
1790                                         read_tty=0;
1791                                         write_ssl=1;
1792                                         }
1793                                 break;
1794                         case SSL_ERROR_WANT_WRITE:
1795                                 BIO_printf(bio_c_out,"write W BLOCK\n");
1796                                 write_ssl=1;
1797                                 read_tty=0;
1798                                 break;
1799                         case SSL_ERROR_WANT_READ:
1800                                 BIO_printf(bio_c_out,"write R BLOCK\n");
1801                                 write_tty=0;
1802                                 read_ssl=1;
1803                                 write_ssl=0;
1804                                 break;
1805                         case SSL_ERROR_WANT_X509_LOOKUP:
1806                                 BIO_printf(bio_c_out,"write X BLOCK\n");
1807                                 break;
1808                         case SSL_ERROR_ZERO_RETURN:
1809                                 if (cbuf_len != 0)
1810                                         {
1811                                         BIO_printf(bio_c_out,"shutdown\n");
1812                                         ret = 0;
1813                                         goto shut;
1814                                         }
1815                                 else
1816                                         {
1817                                         read_tty=1;
1818                                         write_ssl=0;
1819                                         break;
1820                                         }
1821                                 
1822                         case SSL_ERROR_SYSCALL:
1823                                 if ((k != 0) || (cbuf_len != 0))
1824                                         {
1825                                         BIO_printf(bio_err,"write:errno=%d\n",
1826                                                 get_last_socket_error());
1827                                         goto shut;
1828                                         }
1829                                 else
1830                                         {
1831                                         read_tty=1;
1832                                         write_ssl=0;
1833                                         }
1834                                 break;
1835                         case SSL_ERROR_SSL:
1836                                 ERR_print_errors(bio_err);
1837                                 goto shut;
1838                                 }
1839                         }
1840 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
1841                 /* Assume Windows/DOS/BeOS can always write */
1842                 else if (!ssl_pending && write_tty)
1843 #else
1844                 else if (!ssl_pending && FD_ISSET(fileno(stdout),&writefds))
1845 #endif
1846                         {
1847 #ifdef CHARSET_EBCDIC
1848                         ascii2ebcdic(&(sbuf[sbuf_off]),&(sbuf[sbuf_off]),sbuf_len);
1849 #endif
1850                         i=raw_write_stdout(&(sbuf[sbuf_off]),sbuf_len);
1851
1852                         if (i <= 0)
1853                                 {
1854                                 BIO_printf(bio_c_out,"DONE\n");
1855                                 ret = 0;
1856                                 goto shut;
1857                                 /* goto end; */
1858                                 }
1859
1860                         sbuf_len-=i;;
1861                         sbuf_off+=i;
1862                         if (sbuf_len <= 0)
1863                                 {
1864                                 read_ssl=1;
1865                                 write_tty=0;
1866                                 }
1867                         }
1868                 else if (ssl_pending || FD_ISSET(SSL_get_fd(con),&readfds))
1869                         {
1870 #ifdef RENEG
1871 { static int iiii; if (++iiii == 52) { SSL_renegotiate(con); iiii=0; } }
1872 #endif
1873 #if 1
1874                         k=SSL_read(con,sbuf,1024 /* BUFSIZZ */ );
1875 #else
1876 /* Demo for pending and peek :-) */
1877                         k=SSL_read(con,sbuf,16);
1878 { char zbuf[10240]; 
1879 printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240));
1880 }
1881 #endif
1882
1883                         switch (SSL_get_error(con,k))
1884                                 {
1885                         case SSL_ERROR_NONE:
1886                                 if (k <= 0)
1887                                         goto end;
1888                                 sbuf_off=0;
1889                                 sbuf_len=k;
1890
1891                                 read_ssl=0;
1892                                 write_tty=1;
1893                                 break;
1894                         case SSL_ERROR_WANT_WRITE:
1895                                 BIO_printf(bio_c_out,"read W BLOCK\n");
1896                                 write_ssl=1;
1897                                 read_tty=0;
1898                                 break;
1899                         case SSL_ERROR_WANT_READ:
1900                                 BIO_printf(bio_c_out,"read R BLOCK\n");
1901                                 write_tty=0;
1902                                 read_ssl=1;
1903                                 if ((read_tty == 0) && (write_ssl == 0))
1904                                         write_ssl=1;
1905                                 break;
1906                         case SSL_ERROR_WANT_X509_LOOKUP:
1907                                 BIO_printf(bio_c_out,"read X BLOCK\n");
1908                                 break;
1909                         case SSL_ERROR_SYSCALL:
1910                                 ret=get_last_socket_error();
1911                                 if (c_brief)
1912                                         BIO_puts(bio_err, "CONNECTION CLOSED BY SERVER\n");
1913                                 else
1914                                         BIO_printf(bio_err,"read:errno=%d\n",ret);
1915                                 goto shut;
1916                         case SSL_ERROR_ZERO_RETURN:
1917                                 BIO_printf(bio_c_out,"closed\n");
1918                                 ret=0;
1919                                 goto shut;
1920                         case SSL_ERROR_SSL:
1921                                 ERR_print_errors(bio_err);
1922                                 goto shut;
1923                                 /* break; */
1924                                 }
1925                         }
1926
1927 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
1928 #if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
1929                 else if (_kbhit())
1930 #else
1931                 else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
1932 #endif
1933 #elif defined (OPENSSL_SYS_NETWARE)
1934                 else if (_kbhit())
1935 #elif defined(OPENSSL_SYS_BEOS_R5)
1936                 else if (stdin_set)
1937 #else
1938                 else if (FD_ISSET(fileno(stdin),&readfds))
1939 #endif
1940                         {
1941                         if (crlf)
1942                                 {
1943                                 int j, lf_num;
1944
1945                                 i=raw_read_stdin(cbuf,BUFSIZZ/2);
1946                                 lf_num = 0;
1947                                 /* both loops are skipped when i <= 0 */
1948                                 for (j = 0; j < i; j++)
1949                                         if (cbuf[j] == '\n')
1950                                                 lf_num++;
1951                                 for (j = i-1; j >= 0; j--)
1952                                         {
1953                                         cbuf[j+lf_num] = cbuf[j];
1954                                         if (cbuf[j] == '\n')
1955                                                 {
1956                                                 lf_num--;
1957                                                 i++;
1958                                                 cbuf[j+lf_num] = '\r';
1959                                                 }
1960                                         }
1961                                 assert(lf_num == 0);
1962                                 }
1963                         else
1964                                 i=raw_read_stdin(cbuf,BUFSIZZ);
1965
1966                         if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q')))
1967                                 {
1968                                 BIO_printf(bio_err,"DONE\n");
1969                                 ret=0;
1970                                 goto shut;
1971                                 }
1972
1973                         if ((!c_ign_eof) && (cbuf[0] == 'R'))
1974                                 {
1975                                 BIO_printf(bio_err,"RENEGOTIATING\n");
1976                                 SSL_renegotiate(con);
1977                                 cbuf_len=0;
1978                                 }
1979 #ifndef OPENSSL_NO_HEARTBEATS
1980                         else if ((!c_ign_eof) && (cbuf[0] == 'B'))
1981                                 {
1982                                 BIO_printf(bio_err,"HEARTBEATING\n");
1983                                 SSL_heartbeat(con);
1984                                 cbuf_len=0;
1985                                 }
1986 #endif
1987                         else
1988                                 {
1989                                 cbuf_len=i;
1990                                 cbuf_off=0;
1991 #ifdef CHARSET_EBCDIC
1992                                 ebcdic2ascii(cbuf, cbuf, i);
1993 #endif
1994                                 }
1995
1996                         write_ssl=1;
1997                         read_tty=0;
1998                         }
1999                 }
2000
2001         ret=0;
2002 shut:
2003         if (in_init)
2004                 print_stuff(bio_c_out,con,full_log);
2005         SSL_shutdown(con);
2006         SHUTDOWN(SSL_get_fd(con));
2007 end:
2008         if (con != NULL)
2009                 {
2010                 if (prexit != 0)
2011                         print_stuff(bio_c_out,con,1);
2012                 SSL_free(con);
2013                 }
2014 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
2015         if (next_proto.data)
2016                 OPENSSL_free(next_proto.data);
2017 #endif
2018         if (ctx != NULL) SSL_CTX_free(ctx);
2019         if (cert)
2020                 X509_free(cert);
2021         if (crls)
2022                 sk_X509_CRL_pop_free(crls, X509_CRL_free);
2023         if (key)
2024                 EVP_PKEY_free(key);
2025         if (chain)
2026                 sk_X509_pop_free(chain, X509_free);
2027         if (pass)
2028                 OPENSSL_free(pass);
2029         if (vpm)
2030                 X509_VERIFY_PARAM_free(vpm);
2031         ssl_excert_free(exc);
2032         if (ssl_args)
2033                 sk_OPENSSL_STRING_free(ssl_args);
2034         if (cctx)
2035                 SSL_CONF_CTX_free(cctx);
2036 #ifndef OPENSSL_NO_JPAKE
2037         if (jpake_secret && psk_key)
2038                 OPENSSL_free(psk_key);
2039 #endif
2040         if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); }
2041         if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); }
2042         if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); }
2043         if (bio_c_out != NULL)
2044                 {
2045                 BIO_free(bio_c_out);
2046                 bio_c_out=NULL;
2047                 }
2048         if (bio_c_msg != NULL)
2049                 {
2050                 BIO_free(bio_c_msg);
2051                 bio_c_msg=NULL;
2052                 }
2053         apps_shutdown();
2054         OPENSSL_EXIT(ret);
2055         }
2056
2057
2058 static void print_stuff(BIO *bio, SSL *s, int full)
2059         {
2060         X509 *peer=NULL;
2061         char *p;
2062         static const char *space="                ";
2063         char buf[BUFSIZ];
2064         STACK_OF(X509) *sk;
2065         STACK_OF(X509_NAME) *sk2;
2066         const SSL_CIPHER *c;
2067         X509_NAME *xn;
2068         int j,i;
2069 #ifndef OPENSSL_NO_COMP
2070         const COMP_METHOD *comp, *expansion;
2071 #endif
2072         unsigned char *exportedkeymat;
2073
2074         if (full)
2075                 {
2076                 int got_a_chain = 0;
2077
2078                 sk=SSL_get_peer_cert_chain(s);
2079                 if (sk != NULL)
2080                         {
2081                         got_a_chain = 1; /* we don't have it for SSL2 (yet) */
2082
2083                         BIO_printf(bio,"---\nCertificate chain\n");
2084                         for (i=0; i<sk_X509_num(sk); i++)
2085                                 {
2086                                 X509_NAME_oneline(X509_get_subject_name(
2087                                         sk_X509_value(sk,i)),buf,sizeof buf);
2088                                 BIO_printf(bio,"%2d s:%s\n",i,buf);
2089                                 X509_NAME_oneline(X509_get_issuer_name(
2090                                         sk_X509_value(sk,i)),buf,sizeof buf);
2091                                 BIO_printf(bio,"   i:%s\n",buf);
2092                                 if (c_showcerts)
2093                                         PEM_write_bio_X509(bio,sk_X509_value(sk,i));
2094                                 }
2095                         }
2096
2097                 BIO_printf(bio,"---\n");
2098                 peer=SSL_get_peer_certificate(s);
2099                 if (peer != NULL)
2100                         {
2101                         BIO_printf(bio,"Server certificate\n");
2102                         if (!(c_showcerts && got_a_chain)) /* Redundant if we showed the whole chain */
2103                                 PEM_write_bio_X509(bio,peer);
2104                         X509_NAME_oneline(X509_get_subject_name(peer),
2105                                 buf,sizeof buf);
2106                         BIO_printf(bio,"subject=%s\n",buf);
2107                         X509_NAME_oneline(X509_get_issuer_name(peer),
2108                                 buf,sizeof buf);
2109                         BIO_printf(bio,"issuer=%s\n",buf);
2110                         }
2111                 else
2112                         BIO_printf(bio,"no peer certificate available\n");
2113
2114                 sk2=SSL_get_client_CA_list(s);
2115                 if ((sk2 != NULL) && (sk_X509_NAME_num(sk2) > 0))
2116                         {
2117                         BIO_printf(bio,"---\nAcceptable client certificate CA names\n");
2118                         for (i=0; i<sk_X509_NAME_num(sk2); i++)
2119                                 {
2120                                 xn=sk_X509_NAME_value(sk2,i);
2121                                 X509_NAME_oneline(xn,buf,sizeof(buf));
2122                                 BIO_write(bio,buf,strlen(buf));
2123                                 BIO_write(bio,"\n",1);
2124                                 }
2125                         }
2126                 else
2127                         {
2128                         BIO_printf(bio,"---\nNo client certificate CA names sent\n");
2129                         }
2130                 p=SSL_get_shared_ciphers(s,buf,sizeof buf);
2131                 if (p != NULL)
2132                         {
2133                         /* This works only for SSL 2.  In later protocol
2134                          * versions, the client does not know what other
2135                          * ciphers (in addition to the one to be used
2136                          * in the current connection) the server supports. */
2137
2138                         BIO_printf(bio,"---\nCiphers common between both SSL endpoints:\n");
2139                         j=i=0;
2140                         while (*p)
2141                                 {
2142                                 if (*p == ':')
2143                                         {
2144                                         BIO_write(bio,space,15-j%25);
2145                                         i++;
2146                                         j=0;
2147                                         BIO_write(bio,((i%3)?" ":"\n"),1);
2148                                         }
2149                                 else
2150                                         {
2151                                         BIO_write(bio,p,1);
2152                                         j++;
2153                                         }
2154                                 p++;
2155                                 }
2156                         BIO_write(bio,"\n",1);
2157                         }
2158
2159                 ssl_print_sigalgs(bio, s);
2160                 ssl_print_tmp_key(bio, s);
2161
2162                 BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n",
2163                         BIO_number_read(SSL_get_rbio(s)),
2164                         BIO_number_written(SSL_get_wbio(s)));
2165                 }
2166         BIO_printf(bio,(SSL_cache_hit(s)?"---\nReused, ":"---\nNew, "));
2167         c=SSL_get_current_cipher(s);
2168         BIO_printf(bio,"%s, Cipher is %s\n",
2169                 SSL_CIPHER_get_version(c),
2170                 SSL_CIPHER_get_name(c));
2171         if (peer != NULL) {
2172                 EVP_PKEY *pktmp;
2173                 pktmp = X509_get_pubkey(peer);
2174                 BIO_printf(bio,"Server public key is %d bit\n",
2175                                                          EVP_PKEY_bits(pktmp));
2176                 EVP_PKEY_free(pktmp);
2177         }
2178         BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
2179                         SSL_get_secure_renegotiation_support(s) ? "" : " NOT");
2180 #ifndef OPENSSL_NO_COMP
2181         comp=SSL_get_current_compression(s);
2182         expansion=SSL_get_current_expansion(s);
2183         BIO_printf(bio,"Compression: %s\n",
2184                 comp ? SSL_COMP_get_name(comp) : "NONE");
2185         BIO_printf(bio,"Expansion: %s\n",
2186                 expansion ? SSL_COMP_get_name(expansion) : "NONE");
2187 #endif
2188  
2189 #ifdef SSL_DEBUG
2190         {
2191         /* Print out local port of connection: useful for debugging */
2192         int sock;
2193         struct sockaddr_in ladd;
2194         socklen_t ladd_size = sizeof(ladd);
2195         sock = SSL_get_fd(s);
2196         getsockname(sock, (struct sockaddr *)&ladd, &ladd_size);
2197         BIO_printf(bio_c_out, "LOCAL PORT is %u\n", ntohs(ladd.sin_port));
2198         }
2199 #endif
2200
2201 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
2202         if (next_proto.status != -1) {
2203                 const unsigned char *proto;
2204                 unsigned int proto_len;
2205                 SSL_get0_next_proto_negotiated(s, &proto, &proto_len);
2206                 BIO_printf(bio, "Next protocol: (%d) ", next_proto.status);
2207                 BIO_write(bio, proto, proto_len);
2208                 BIO_write(bio, "\n", 1);
2209         }
2210 #endif
2211
2212         {
2213         SRTP_PROTECTION_PROFILE *srtp_profile=SSL_get_selected_srtp_profile(s);
2214  
2215         if(srtp_profile)
2216                 BIO_printf(bio,"SRTP Extension negotiated, profile=%s\n",
2217                            srtp_profile->name);
2218         }
2219  
2220         SSL_SESSION_print(bio,SSL_get_session(s));
2221         if (keymatexportlabel != NULL)
2222                 {
2223                 BIO_printf(bio, "Keying material exporter:\n");
2224                 BIO_printf(bio, "    Label: '%s'\n", keymatexportlabel);
2225                 BIO_printf(bio, "    Length: %i bytes\n", keymatexportlen);
2226                 exportedkeymat = OPENSSL_malloc(keymatexportlen);
2227                 if (exportedkeymat != NULL)
2228                         {
2229                         if (!SSL_export_keying_material(s, exportedkeymat,
2230                                                         keymatexportlen,
2231                                                         keymatexportlabel,
2232                                                         strlen(keymatexportlabel),
2233                                                         NULL, 0, 0))
2234                                 {
2235                                 BIO_printf(bio, "    Error\n");
2236                                 }
2237                         else
2238                                 {
2239                                 BIO_printf(bio, "    Keying material: ");
2240                                 for (i=0; i<keymatexportlen; i++)
2241                                         BIO_printf(bio, "%02X",
2242                                                    exportedkeymat[i]);
2243                                 BIO_printf(bio, "\n");
2244                                 }
2245                         OPENSSL_free(exportedkeymat);
2246                         }
2247                 }
2248         BIO_printf(bio,"---\n");
2249         if (peer != NULL)
2250                 X509_free(peer);
2251         /* flush, or debugging output gets mixed with http response */
2252         (void)BIO_flush(bio);
2253         }
2254
2255 #ifndef OPENSSL_NO_TLSEXT
2256
2257 static int ocsp_resp_cb(SSL *s, void *arg)
2258         {
2259         const unsigned char *p;
2260         int len;
2261         OCSP_RESPONSE *rsp;
2262         len = SSL_get_tlsext_status_ocsp_resp(s, &p);
2263         BIO_puts(arg, "OCSP response: ");
2264         if (!p)
2265                 {
2266                 BIO_puts(arg, "no response sent\n");
2267                 return 1;
2268                 }
2269         rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
2270         if (!rsp)
2271                 {
2272                 BIO_puts(arg, "response parse error\n");
2273                 BIO_dump_indent(arg, (char *)p, len, 4);
2274                 return 0;
2275                 }
2276         BIO_puts(arg, "\n======================================\n");
2277         OCSP_RESPONSE_print(arg, rsp, 0);
2278         BIO_puts(arg, "======================================\n");
2279         OCSP_RESPONSE_free(rsp);
2280         return 1;
2281         }
2282
2283 static int audit_proof_cb(SSL *s, void *arg)
2284         {
2285         const unsigned char *proof;
2286         size_t proof_len;
2287         size_t i;
2288         SSL_SESSION *sess = SSL_get_session(s);
2289
2290         proof = SSL_SESSION_get_tlsext_authz_server_audit_proof(sess,
2291                                                                 &proof_len);
2292         if (proof != NULL)
2293                 {
2294                 BIO_printf(bio_c_out, "Audit proof: ");
2295                 for (i = 0; i < proof_len; ++i)
2296                         BIO_printf(bio_c_out, "%02X", proof[i]);
2297                 BIO_printf(bio_c_out, "\n");
2298                 }
2299         else
2300                 {
2301                 BIO_printf(bio_c_out, "No audit proof found.\n");
2302                 }
2303         return 1;
2304         }
2305 #endif