2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
87 * 6. Redistributions of any form whatsoever must retain the following
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
111 /* ====================================================================
112 * Copyright 2005 Nokia. All rights reserved.
114 * The portions of the attached software ("Contribution") is developed by
115 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
118 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120 * support (see RFC 4279) to OpenSSL.
122 * No patent licenses or other rights except those expressly stated in
123 * the OpenSSL open source license shall be deemed granted or received
124 * expressly, by implication, estoppel, or otherwise.
126 * No assurances are provided by Nokia that the Contribution does not
127 * infringe the patent or other intellectual property rights of any third
128 * party or that the license provides you with all the necessary rights
129 * to make use of the Contribution.
131 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
143 #include <openssl/e_os2.h>
144 #ifdef OPENSSL_NO_STDIO
148 /* With IPv6, it looks like Digital has mixed up the proper order of
149 recursive header file inclusion, resulting in the compiler complaining
150 that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which
151 is needed to have fileno() declared correctly... So let's define u_int */
152 #if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
154 typedef unsigned int u_int;
159 #include <openssl/x509.h>
160 #include <openssl/ssl.h>
161 #include <openssl/err.h>
162 #include <openssl/pem.h>
163 #include <openssl/rand.h>
164 #include <openssl/ocsp.h>
165 #include <openssl/bn.h>
166 #ifndef OPENSSL_NO_SRP
167 #include <openssl/srp.h>
170 #include "timeouts.h"
172 #if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
173 /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
177 #if defined(OPENSSL_SYS_BEOS_R5)
182 #define PROG s_client_main
184 /*#define SSL_HOST_NAME "www.netscape.com" */
185 /*#define SSL_HOST_NAME "193.118.187.102" */
/* Default host to connect to: MAIN initialises |host| from it and the
 * -connect usage text prints it as the default. */
186 #define SSL_HOST_NAME "localhost"
188 /*#define TEST_CERT "client.pem" */ /* no default cert. */
/* Size requested for each of cbuf, sbuf and mbuf in MAIN.
 * NOTE(review): the expansion is not parenthesised. That is harmless where
 * it is the sole argument of OPENSSL_malloc(), but it would bind
 * unexpectedly inside a larger expression such as `x % BUFSIZZ`. */
191 #define BUFSIZZ 1024*8
193 extern int verify_depth;
194 extern int verify_error;
195 extern int verify_return_error;
196 extern int verify_quiet;
201 static int c_Pause=0;
202 static int c_debug=0;
203 #ifndef OPENSSL_NO_TLSEXT
204 static int c_tlsextdebug=0;
205 static int c_status_req=0;
208 static int c_showcerts=0;
210 static char *keymatexportlabel=NULL;
211 static int keymatexportlen=20;
213 static void sc_usage(void);
214 static void print_stuff(BIO *berr,SSL *con,int full);
215 #ifndef OPENSSL_NO_TLSEXT
216 static int ocsp_resp_cb(SSL *s, void *arg);
217 static int c_auth = 0;
218 static int c_auth_require_reneg = 0;
220 static BIO *bio_c_out=NULL;
221 static BIO *bio_c_msg=NULL;
222 static int c_quiet=0;
223 static int c_ign_eof=0;
224 static int c_brief=0;
226 #ifndef OPENSSL_NO_TLSEXT
228 static unsigned char *generated_supp_data = NULL;
230 static const unsigned char *most_recent_supplemental_data = NULL;
231 static size_t most_recent_supplemental_data_length = 0;
233 static int server_provided_server_authz = 0;
234 static int server_provided_client_authz = 0;
236 static const unsigned char auth_ext_data[]={TLSEXT_AUTHZDATAFORMAT_dtcp};
238 static int suppdata_cb(SSL *s, unsigned short supp_data_type,
239 const unsigned char *in,
240 unsigned short inlen, int *al,
243 static int auth_suppdata_generate_cb(SSL *s, unsigned short supp_data_type,
244 const unsigned char **out,
245 unsigned short *outlen, int *al, void *arg);
247 static int authz_tlsext_generate_cb(SSL *s, unsigned short ext_type,
248 const unsigned char **out, unsigned short *outlen,
251 static int authz_tlsext_cb(SSL *s, unsigned short ext_type,
252 const unsigned char *in,
253 unsigned short inlen, int *al,
257 #ifndef OPENSSL_NO_PSK
258 /* Default PSK identity and key */
259 static char *psk_identity="Client_identity";
260 /*char *psk_key=NULL; by default PSK is not used */
/*
 * PSK client callback. From the lines visible in this listing it:
 *  - reports the server's identity hint (or its absence) on bio_c_out,
 *  - formats the configured psk_identity into |identity|, bounded by
 *    max_identity_len,
 *  - converts the hex string psk_key to a BIGNUM and writes its bytes into
 *    |psk| after comparing their count with max_psk_len.
 * The return statements are not part of this listing; presumably the key
 * length is returned on success and 0 on error -- confirm in the full file.
 */
262 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity,
263 unsigned int max_identity_len, unsigned char *psk,
264 unsigned int max_psk_len)
266 unsigned int psk_len = 0;
271 BIO_printf(bio_c_out, "psk_client_cb\n");
274 /* no ServerKeyExchange message*/
276 BIO_printf(bio_c_out,"NULL received PSK identity hint, continuing anyway\n");
/* The hint is supplied by the peer and echoed as-is; anything consuming
 * this output should treat it as untrusted text. */
279 BIO_printf(bio_c_out, "Received PSK identity hint '%s'\n", hint);
281 /* lookup PSK identity and PSK key based on the given identity hint here */
282 ret = BIO_snprintf(identity, max_identity_len, "%s", psk_identity);
/* Guard against a formatting failure or an identity that does not fit the
 * caller's buffer; the statement taken on failure is not shown here. */
283 if (ret < 0 || (unsigned int)ret > max_identity_len)
286 BIO_printf(bio_c_out, "created identity '%s' len=%d\n", identity, ret);
287 ret=BN_hex2bn(&bn, psk_key);
/* NOTE(review): this diagnostic prints the pre-shared key itself to
 * bio_err. Tolerable in a test client, but the secret then ends up in any
 * captured stderr or log; code derived from this should not echo the key. */
290 BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", psk_key);
/* Bounds check before BN_bn2bin() writes into |psk|: the binary key must
 * fit in the max_psk_len bytes offered by the caller. */
296 if ((unsigned int)BN_num_bytes(bn) > max_psk_len)
298 BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
299 max_psk_len, BN_num_bytes(bn));
304 psk_len=BN_bn2bin(bn, psk);
310 BIO_printf(bio_c_out, "created PSK len=%d\n", psk_len);
315 BIO_printf(bio_err, "Error in PSK client callback\n");
/*
 * Print the s_client option summary to bio_err. Takes no arguments and
 * only writes text; several groups of lines are compiled in or out by the
 * OPENSSL_NO_* feature macros visible below.
 */
320 static void sc_usage(void)
322 BIO_printf(bio_err,"usage: s_client args\n");
323 BIO_printf(bio_err,"\n");
324 BIO_printf(bio_err," -host host - use -connect instead\n");
325 BIO_printf(bio_err," -port port - use -connect instead\n");
326 BIO_printf(bio_err," -connect host:port - connect over TCP/IP (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR);
327 BIO_printf(bio_err," -unix path - connect over unix domain sockets\n");
/* MAIN initialises verify to SSL_VERIFY_NONE and only -verify switches it
 * to SSL_VERIFY_PEER, so peer verification is opt-in for this tool. */
328 BIO_printf(bio_err," -verify arg - turn on peer certificate verification\n");
329 BIO_printf(bio_err," -cert arg - certificate file to use, PEM format assumed\n");
330 BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n");
331 BIO_printf(bio_err," -key arg - Private key file to use, in cert file if\n");
332 BIO_printf(bio_err," not specified but cert file is.\n");
333 BIO_printf(bio_err," -keyform arg - key format (PEM or DER) PEM default\n");
334 BIO_printf(bio_err," -pass arg - private key file pass phrase source\n");
335 BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n");
336 BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n");
337 BIO_printf(bio_err," -trusted_first - Use local CA's first when building trust chain\n");
338 BIO_printf(bio_err," -reconnect - Drop and re-make the connection with the same Session-ID\n");
339 BIO_printf(bio_err," -pause - sleep(1) after each read(2) and write(2) system call\n");
340 BIO_printf(bio_err," -showcerts - show all certificates in the chain\n");
341 BIO_printf(bio_err," -debug - extra output\n");
343 BIO_printf(bio_err," -wdebug - WATT-32 tcp debugging\n");
345 BIO_printf(bio_err," -msg - Show protocol messages\n");
346 BIO_printf(bio_err," -nbio_test - more ssl protocol testing\n");
347 BIO_printf(bio_err," -state - print the 'ssl' states\n");
349 BIO_printf(bio_err," -nbio - Run with non-blocking IO\n");
351 BIO_printf(bio_err," -crlf - convert LF from terminal into CRLF\n");
352 BIO_printf(bio_err," -quiet - no s_client output\n");
353 BIO_printf(bio_err," -ign_eof - ignore input eof (default when -quiet)\n");
354 BIO_printf(bio_err," -no_ign_eof - don't ignore input eof\n");
/* -psk, -jpake and -srppass take the secret itself as the argument (MAIN
 * stores the argv pointer), so the value is exposed in the process
 * argument list and in shell history on a shared host. */
355 #ifndef OPENSSL_NO_PSK
356 BIO_printf(bio_err," -psk_identity arg - PSK identity\n");
357 BIO_printf(bio_err," -psk arg - PSK in hex (without 0x)\n");
358 # ifndef OPENSSL_NO_JPAKE
359 BIO_printf(bio_err," -jpake arg - JPAKE secret to use\n");
362 #ifndef OPENSSL_NO_SRP
/* NOTE(review): "authentification" and "mength" below look like typos for
 * "authentication" and "length"; they are program output and are left
 * byte-for-byte unchanged here. */
363 BIO_printf(bio_err," -srpuser user - SRP authentification for 'user'\n");
364 BIO_printf(bio_err," -srppass arg - password for 'user'\n");
365 BIO_printf(bio_err," -srp_lateuser - SRP username into second ClientHello message\n");
366 BIO_printf(bio_err," -srp_moregroups - Tolerate other than the known g N values.\n");
367 BIO_printf(bio_err," -srp_strength int - minimal mength in bits for N (default %d).\n",SRP_MINIMAL_N);
/* SSLv2 and SSLv3 are obsolete protocol versions; the switches that force
 * them are meant for interoperability testing, not for regular use. */
369 BIO_printf(bio_err," -ssl2 - just use SSLv2\n");
370 BIO_printf(bio_err," -ssl3 - just use SSLv3\n");
371 BIO_printf(bio_err," -tls1_2 - just use TLSv1.2\n");
372 BIO_printf(bio_err," -tls1_1 - just use TLSv1.1\n");
373 BIO_printf(bio_err," -tls1 - just use TLSv1\n");
374 BIO_printf(bio_err," -dtls1 - just use DTLSv1\n");
375 BIO_printf(bio_err," -mtu - set the link layer MTU\n");
376 BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
377 BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n");
378 BIO_printf(bio_err," -serverpref - Use server's cipher preferences (only SSLv2)\n");
379 BIO_printf(bio_err," -cipher - preferred cipher to use, use the 'openssl ciphers'\n");
380 BIO_printf(bio_err," command to see what is available\n");
381 BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n");
382 BIO_printf(bio_err," for those protocols that support it, where\n");
383 BIO_printf(bio_err," 'prot' defines which one to assume. Currently,\n");
384 BIO_printf(bio_err," only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
385 BIO_printf(bio_err," are supported.\n");
386 BIO_printf(bio_err," -xmpphost host - When used with \"-starttls xmpp\" specifies the virtual host.\n");
387 #ifndef OPENSSL_NO_ENGINE
388 BIO_printf(bio_err," -engine id - Initialise and use the specified engine\n");
390 BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
391 BIO_printf(bio_err," -sess_out arg - file to write SSL session to\n");
392 BIO_printf(bio_err," -sess_in arg - file to read SSL session from\n");
393 #ifndef OPENSSL_NO_TLSEXT
394 BIO_printf(bio_err," -servername host - Set TLS extension servername in ClientHello\n");
395 BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n");
396 BIO_printf(bio_err," -status - request certificate status from server\n");
397 BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n");
398 BIO_printf(bio_err," -serverinfo types - send empty ClientHello extensions (comma-separated numbers)\n");
399 BIO_printf(bio_err," -auth - send and receive RFC 5878 TLS auth extensions and supplemental data\n");
400 BIO_printf(bio_err," -auth_require_reneg - Do not send TLS auth extensions until renegotiation\n");
401 # ifndef OPENSSL_NO_NEXTPROTONEG
402 BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
404 BIO_printf(bio_err," -alpn arg - enable ALPN extension, considering named protocols supported (comma-separated list)\n");
406 BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
407 BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
/* The exported keying material is derived from the session secrets; the
 * code that prints or stores it is outside this function. */
408 BIO_printf(bio_err," -keymatexport label - Export keying material using label\n");
409 BIO_printf(bio_err," -keymatexportlen len - Export len bytes of keying material (default 20)\n");
412 #ifndef OPENSSL_NO_TLSEXT
414 /* This is a context that we pass to callbacks */
415 typedef struct tlsextctx_st {
/*
 * Server-name (SNI) callback. |arg| is the tlsextctx passed at
 * registration; its ack field records whether a host name was returned by
 * SSL_get_servername() on a session that was not resumed.
 * Always returns SSL_TLSEXT_ERR_OK, so this callback never aborts the
 * handshake on its own.
 */
421 static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
423 tlsextctx * p = (tlsextctx *) arg;
424 const char * hn= SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
/* -1 from SSL_get_servername_type() means no server name is available. */
425 if (SSL_get_servername_type(s) != -1)
426 p->ack = !SSL_session_reused(s) && hn != NULL;
/* Presumably the else branch of the test above (the `else` line is not
 * part of this listing): only a diagnostic, no error is returned. */
428 BIO_printf(bio_err,"Can't use SSL_get_servername\n");
430 return SSL_TLSEXT_ERR_OK;
433 #ifndef OPENSSL_NO_SRP
435 /* This is a context that we pass to all callbacks */
436 typedef struct srp_arg_st
440 int msg; /* copy from c_msg */
441 int debug; /* copy from c_debug */
442 int amp; /* allow more groups */
443 int strength /* minimal size for N */ ;
/* Number of primality-test rounds handed to BN_is_prime_ex() below. */
446 #define SRP_NUMBER_ITERATIONS_FOR_PRIME 64
/*
 * Sanity-check SRP group parameters received from the server. The visible
 * conditions require that N is odd and passes the primality test, that
 * p = N >> 1 also passes it, and then compute r = g^p mod N for the
 * generator check described in the comment below.
 * The final comparison, the cleanup of bn_ctx/p/r and the return value are
 * not part of this listing; presumably non-zero means "accepted" --
 * confirm in the full file.
 */
448 static int srp_Verify_N_and_g(const BIGNUM *N, const BIGNUM *g)
/* Allocation results are not tested here; bn_ctx and p are checked for
 * NULL inside the condition chain below before they are used. */
450 BN_CTX *bn_ctx = BN_CTX_new();
451 BIGNUM *p = BN_new();
452 BIGNUM *r = BN_new();
454 g != NULL && N != NULL && bn_ctx != NULL && BN_is_odd(N) &&
455 BN_is_prime_ex(N, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
/* p = N >> 1, i.e. (N-1)/2 for the odd N established above. */
456 p != NULL && BN_rshift1(p, N) &&
459 BN_is_prime_ex(p, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
462 /* verify g^((N-1)/2) == -1 (mod N) */
463 BN_mod_exp(r, g, p, N, bn_ctx) &&
476 /* This callback is used here for two purposes:
478 - making some primality tests for unknown groups
479 The callback is only called for a non default group.
481 An application does not need the callback at all if
482 only the standard groups are used. In real life situations,
483 client and server already share well known groups,
484 thus there is no need to verify them.
485 Furthermore, in case that a server actually proposes a group that
486 is not one of those defined in RFC 5054, it is more appropriate
487 to add the group to a static list and then compare since
488 primality tests are rather cpu consuming.
/*
 * SRP parameter-verification callback. |arg| is the SRP_ARG set up in
 * MAIN. Visible steps: fetch N and g from the connection, optionally dump
 * them, accept groups recognised by SRP_check_known_gN_param(), and -- only
 * when srp_arg->amp is 1 (-srp_moregroups) -- fall back to the primality
 * checks in srp_Verify_N_and_g().
 * The return statements are not part of this listing; presumably a
 * positive value accepts the group and 0 rejects it -- confirm.
 */
491 static int MS_CALLBACK ssl_srp_verify_param_cb(SSL *s, void *arg)
493 SRP_ARG *srp_arg = (SRP_ARG *)arg;
494 BIGNUM *N = NULL, *g = NULL;
/* Both parameters must be present before anything else is examined. */
495 if (!(N = SSL_get_srp_N(s)) || !(g = SSL_get_srp_g(s)))
497 if (srp_arg->debug || srp_arg->msg || srp_arg->amp == 1)
499 BIO_printf(bio_err, "SRP parameters:\n");
500 BIO_printf(bio_err,"\tN="); BN_print(bio_err,N);
501 BIO_printf(bio_err,"\n\tg="); BN_print(bio_err,g);
502 BIO_printf(bio_err,"\n");
/* Known (g, N) pairs need no further testing. */
505 if (SRP_check_known_gN_param(g,N))
/* Unknown groups are only considered when the user opted in. */
508 if (srp_arg->amp == 1)
511 BIO_printf(bio_err, "SRP param N and g are not known params, going to check deeper.\n");
513 /* The srp_moregroups is a real debugging feature.
514 Implementors should rather add the value to the known ones.
515 The minimal size has already been tested.
/* g is limited to BN_BITS bits before the more expensive group check runs
 * on server-supplied values. */
517 if (BN_num_bits(g) <= BN_BITS && srp_Verify_N_and_g(N,g))
520 BIO_printf(bio_err, "SRP param N and g rejected.\n");
524 #define PWD_STRLEN 1024
/*
 * SRP password callback. Allocates a PWD_STRLEN+1 byte buffer and fills it
 * through password_callback(), using srp_arg->srppassin as the password
 * source and "SRP user" as the prompt text.
 * The return statements and any cleanup on failure are not part of this
 * listing; presumably the buffer is returned to the library on success and
 * freed on error -- confirm in the full file.
 */
526 static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
528 SRP_ARG *srp_arg = (SRP_ARG *)arg;
/* NOTE(review): no NULL check of this allocation is visible in the listing
 * before password_callback() writes into it -- confirm one exists. */
529 char *pass = (char *)OPENSSL_malloc(PWD_STRLEN+1);
533 cb_tmp.password = (char *)srp_arg->srppassin;
534 cb_tmp.prompt_info = "SRP user";
/* The size passed is PWD_STRLEN, one less than the allocation. */
535 if ((l = password_callback(pass, PWD_STRLEN, 0, &cb_tmp))<0)
537 BIO_printf (bio_err, "Can't read Password\n");
547 char *srtp_profiles = NULL;
549 # ifndef OPENSSL_NO_NEXTPROTONEG
550 /* This is the context that we pass to next_proto_cb */
551 typedef struct tlsextnextprotoctx_st {
555 } tlsextnextprotoctx;
557 static tlsextnextprotoctx next_proto;
/*
 * NPN selection callback. |in|/|inlen| is the server's advertised protocol
 * list as length-prefixed entries; |arg| is the tlsextnextprotoctx holding
 * the client's own list in data/len. The list is printed to bio_c_out (any
 * condition guarding the printing is not visible in this listing), then
 * SSL_select_next_proto() picks the protocol into |out|/|outlen| and its
 * result is stored in ctx->status.
 * Always returns SSL_TLSEXT_ERR_OK.
 */
559 static int next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg)
561 tlsextnextprotoctx *ctx = arg;
/* The printing loop below trusts each length byte in[i]: it performs no
 * check of its own that i + 1 + in[i] stays within inlen, and relies on
 * the assumption stated in the next comment. */
565 /* We can assume that |in| is syntactically valid. */
567 BIO_printf(bio_c_out, "Protocols advertised by server: ");
568 for (i = 0; i < inlen; )
571 BIO_write(bio_c_out, ", ", 2);
/* in[i] is the entry length, &in[i + 1] the entry bytes; the names are
 * server-chosen and written to the output unescaped. */
572 BIO_write(bio_c_out, &in[i + 1], in[i]);
575 BIO_write(bio_c_out, "\n", 1);
578 ctx->status = SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len);
579 return SSL_TLSEXT_ERR_OK;
581 # endif /* ndef OPENSSL_NO_NEXTPROTONEG */
/*
 * Callback for the extension types requested with -serverinfo. Rebuilds
 * the 4-byte type/length header in front of the received extension data
 * and writes the result to bio_c_out as a PEM block named
 * "SERVERINFO FOR EXTENSION <n>".
 * The remaining parameters and the return value are not part of this
 * listing.
 */
583 static int serverinfo_cli_cb(SSL* s, unsigned short ext_type,
584 const unsigned char* in, unsigned short inlen,
/* Stack buffer of 4 + 65536 bytes. inlen is an unsigned short, so the
 * memcpy() below copies at most 65535 bytes after the 4-byte header and
 * cannot run past the end of ext_buf. */
588 unsigned char ext_buf[4 + 65536];
590 /* Reconstruct the type/len fields prior to extension data */
/* Type and length are each stored high byte first. */
591 ext_buf[0] = ext_type >> 8;
592 ext_buf[1] = ext_type & 0xFF;
593 ext_buf[2] = inlen >> 8;
594 ext_buf[3] = inlen & 0xFF;
595 memcpy(ext_buf+4, in, inlen);
597 BIO_snprintf(pem_name, sizeof(pem_name), "SERVERINFO FOR EXTENSION %d",
/* Only the header plus the inlen received bytes are written out. */
599 PEM_write_bio(bio_c_out, pem_name, "", ext_buf, 4 + inlen);
615 int MAIN(int, char **);
617 int MAIN(int argc, char **argv)
621 #ifndef OPENSSL_NO_KRB5
624 int s,k,width,state=0;
625 char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL;
626 int cbuf_len,cbuf_off;
627 int sbuf_len,sbuf_off;
628 fd_set readfds,writefds;
631 char *host=SSL_HOST_NAME;
632 const char *unix_path = NULL;
633 char *xmpphost = NULL;
634 char *cert_file=NULL,*key_file=NULL,*chain_file=NULL;
635 int cert_format = FORMAT_PEM, key_format = FORMAT_PEM;
636 char *passarg = NULL, *pass = NULL;
638 EVP_PKEY *key = NULL;
639 STACK_OF(X509) *chain = NULL;
640 char *CApath=NULL,*CAfile=NULL;
641 char *chCApath=NULL,*chCAfile=NULL;
642 char *vfyCApath=NULL,*vfyCAfile=NULL;
643 int reconnect=0,badop=0,verify=SSL_VERIFY_NONE;
645 int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending;
647 int ret=1,in_init=1,i,nbio_test=0;
648 int starttls_proto = PROTO_OFF;
650 X509_VERIFY_PARAM *vpm = NULL;
652 const SSL_METHOD *meth=NULL;
653 int socket_type=SOCK_STREAM;
657 struct timeval timeout, *timeoutp;
658 #ifndef OPENSSL_NO_ENGINE
659 char *engine_id=NULL;
660 char *ssl_client_engine_id=NULL;
661 ENGINE *ssl_client_engine=NULL;
664 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
666 #if defined(OPENSSL_SYS_BEOS_R5)
670 #ifndef OPENSSL_NO_TLSEXT
671 char *servername = NULL;
672 tlsextctx tlsextcbp =
674 # ifndef OPENSSL_NO_NEXTPROTONEG
675 const char *next_proto_neg_in = NULL;
677 const char *alpn_in = NULL;
678 # define MAX_SI_TYPES 100
679 unsigned short serverinfo_types[MAX_SI_TYPES];
680 int serverinfo_types_count = 0;
682 char *sess_in = NULL;
683 char *sess_out = NULL;
684 struct sockaddr peer;
685 int peerlen = sizeof(peer);
686 int enable_timeouts = 0 ;
688 #ifndef OPENSSL_NO_JPAKE
689 static char *jpake_secret = NULL;
690 #define no_jpake !jpake_secret
694 #ifndef OPENSSL_NO_SRP
695 char * srppass = NULL;
696 int srp_lateuser = 0;
697 SRP_ARG srp_arg = {NULL,NULL,0,0,0,1024};
699 SSL_EXCERT *exc = NULL;
701 SSL_CONF_CTX *cctx = NULL;
702 STACK_OF(OPENSSL_STRING) *ssl_args = NULL;
704 char *crl_file = NULL;
705 int crl_format = FORMAT_PEM;
706 int crl_download = 0;
707 STACK_OF(X509_CRL) *crls = NULL;
710 meth=SSLv23_client_method();
721 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
723 if (!load_config(bio_err, NULL))
725 cctx = SSL_CONF_CTX_new();
728 SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT);
729 SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CMDLINE);
731 if ( ((cbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
732 ((sbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
733 ((mbuf=OPENSSL_malloc(BUFSIZZ)) == NULL))
735 BIO_printf(bio_err,"out of memory\n");
740 verify_error=X509_V_OK;
749 if (strcmp(*argv,"-host") == 0)
751 if (--argc < 1) goto bad;
754 else if (strcmp(*argv,"-port") == 0)
756 if (--argc < 1) goto bad;
757 port=atoi(*(++argv));
758 if (port == 0) goto bad;
760 else if (strcmp(*argv,"-connect") == 0)
762 if (--argc < 1) goto bad;
763 if (!extract_host_port(*(++argv),&host,NULL,&port))
766 else if (strcmp(*argv,"-unix") == 0)
768 if (--argc < 1) goto bad;
769 unix_path = *(++argv);
771 else if (strcmp(*argv,"-xmpphost") == 0)
773 if (--argc < 1) goto bad;
776 else if (strcmp(*argv,"-verify") == 0)
778 verify=SSL_VERIFY_PEER;
779 if (--argc < 1) goto bad;
780 verify_depth=atoi(*(++argv));
782 BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
784 else if (strcmp(*argv,"-cert") == 0)
786 if (--argc < 1) goto bad;
787 cert_file= *(++argv);
789 else if (strcmp(*argv,"-CRL") == 0)
791 if (--argc < 1) goto bad;
794 else if (strcmp(*argv,"-crl_download") == 0)
796 else if (strcmp(*argv,"-sess_out") == 0)
798 if (--argc < 1) goto bad;
799 sess_out = *(++argv);
801 else if (strcmp(*argv,"-sess_in") == 0)
803 if (--argc < 1) goto bad;
806 else if (strcmp(*argv,"-certform") == 0)
808 if (--argc < 1) goto bad;
809 cert_format = str2fmt(*(++argv));
811 else if (strcmp(*argv,"-CRLform") == 0)
813 if (--argc < 1) goto bad;
814 crl_format = str2fmt(*(++argv));
816 else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
822 else if (strcmp(*argv,"-verify_return_error") == 0)
823 verify_return_error = 1;
824 else if (strcmp(*argv,"-verify_quiet") == 0)
826 else if (strcmp(*argv,"-brief") == 0)
832 else if (args_excert(&argv, &argc, &badarg, bio_err, &exc))
838 else if (args_ssl(&argv, &argc, cctx, &badarg, bio_err, &ssl_args))
844 else if (strcmp(*argv,"-prexit") == 0)
846 else if (strcmp(*argv,"-crlf") == 0)
848 else if (strcmp(*argv,"-quiet") == 0)
853 else if (strcmp(*argv,"-ign_eof") == 0)
855 else if (strcmp(*argv,"-no_ign_eof") == 0)
857 else if (strcmp(*argv,"-pause") == 0)
859 else if (strcmp(*argv,"-debug") == 0)
861 #ifndef OPENSSL_NO_TLSEXT
862 else if (strcmp(*argv,"-tlsextdebug") == 0)
864 else if (strcmp(*argv,"-status") == 0)
866 else if (strcmp(*argv,"-auth") == 0)
868 else if (strcmp(*argv,"-auth_require_reneg") == 0)
869 c_auth_require_reneg = 1;
872 else if (strcmp(*argv,"-wdebug") == 0)
875 else if (strcmp(*argv,"-msg") == 0)
877 else if (strcmp(*argv,"-msgfile") == 0)
879 if (--argc < 1) goto bad;
880 bio_c_msg = BIO_new_file(*(++argv), "w");
882 #ifndef OPENSSL_NO_SSL_TRACE
883 else if (strcmp(*argv,"-trace") == 0)
886 else if (strcmp(*argv,"-security_debug") == 0)
888 else if (strcmp(*argv,"-security_debug_verbose") == 0)
890 else if (strcmp(*argv,"-showcerts") == 0)
892 else if (strcmp(*argv,"-nbio_test") == 0)
894 else if (strcmp(*argv,"-state") == 0)
896 #ifndef OPENSSL_NO_PSK
897 else if (strcmp(*argv,"-psk_identity") == 0)
899 if (--argc < 1) goto bad;
900 psk_identity=*(++argv);
902 else if (strcmp(*argv,"-psk") == 0)
906 if (--argc < 1) goto bad;
908 for (j = 0; j < strlen(psk_key); j++)
910 if (isxdigit((unsigned char)psk_key[j]))
912 BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
917 #ifndef OPENSSL_NO_SRP
918 else if (strcmp(*argv,"-srpuser") == 0)
920 if (--argc < 1) goto bad;
921 srp_arg.srplogin= *(++argv);
922 meth=TLSv1_client_method();
924 else if (strcmp(*argv,"-srppass") == 0)
926 if (--argc < 1) goto bad;
928 meth=TLSv1_client_method();
930 else if (strcmp(*argv,"-srp_strength") == 0)
932 if (--argc < 1) goto bad;
933 srp_arg.strength=atoi(*(++argv));
934 BIO_printf(bio_err,"SRP minimal length for N is %d\n",srp_arg.strength);
935 meth=TLSv1_client_method();
937 else if (strcmp(*argv,"-srp_lateuser") == 0)
940 meth=TLSv1_client_method();
942 else if (strcmp(*argv,"-srp_moregroups") == 0)
945 meth=TLSv1_client_method();
948 #ifndef OPENSSL_NO_SSL2
949 else if (strcmp(*argv,"-ssl2") == 0)
950 meth=SSLv2_client_method();
952 #ifndef OPENSSL_NO_SSL3
953 else if (strcmp(*argv,"-ssl3") == 0)
954 meth=SSLv3_client_method();
956 #ifndef OPENSSL_NO_TLS1
957 else if (strcmp(*argv,"-tls1_2") == 0)
958 meth=TLSv1_2_client_method();
959 else if (strcmp(*argv,"-tls1_1") == 0)
960 meth=TLSv1_1_client_method();
961 else if (strcmp(*argv,"-tls1") == 0)
962 meth=TLSv1_client_method();
964 #ifndef OPENSSL_NO_DTLS1
965 else if (strcmp(*argv,"-dtls") == 0)
967 meth=DTLS_client_method();
968 socket_type=SOCK_DGRAM;
970 else if (strcmp(*argv,"-dtls1") == 0)
972 meth=DTLSv1_client_method();
973 socket_type=SOCK_DGRAM;
975 else if (strcmp(*argv,"-dtls1_2") == 0)
977 meth=DTLSv1_2_client_method();
978 socket_type=SOCK_DGRAM;
980 else if (strcmp(*argv,"-timeout") == 0)
982 else if (strcmp(*argv,"-mtu") == 0)
984 if (--argc < 1) goto bad;
985 socket_mtu = atol(*(++argv));
988 else if (strcmp(*argv,"-keyform") == 0)
990 if (--argc < 1) goto bad;
991 key_format = str2fmt(*(++argv));
993 else if (strcmp(*argv,"-pass") == 0)
995 if (--argc < 1) goto bad;
998 else if (strcmp(*argv,"-cert_chain") == 0)
1000 if (--argc < 1) goto bad;
1001 chain_file= *(++argv);
1003 else if (strcmp(*argv,"-key") == 0)
1005 if (--argc < 1) goto bad;
1006 key_file= *(++argv);
1008 else if (strcmp(*argv,"-reconnect") == 0)
1012 else if (strcmp(*argv,"-CApath") == 0)
1014 if (--argc < 1) goto bad;
1017 else if (strcmp(*argv,"-chainCApath") == 0)
1019 if (--argc < 1) goto bad;
1020 chCApath= *(++argv);
1022 else if (strcmp(*argv,"-verifyCApath") == 0)
1024 if (--argc < 1) goto bad;
1025 vfyCApath= *(++argv);
1027 else if (strcmp(*argv,"-build_chain") == 0)
1029 else if (strcmp(*argv,"-CAfile") == 0)
1031 if (--argc < 1) goto bad;
1034 else if (strcmp(*argv,"-chainCAfile") == 0)
1036 if (--argc < 1) goto bad;
1037 chCAfile= *(++argv);
1039 else if (strcmp(*argv,"-verifyCAfile") == 0)
1041 if (--argc < 1) goto bad;
1042 vfyCAfile= *(++argv);
1044 #ifndef OPENSSL_NO_TLSEXT
1045 # ifndef OPENSSL_NO_NEXTPROTONEG
1046 else if (strcmp(*argv,"-nextprotoneg") == 0)
1048 if (--argc < 1) goto bad;
1049 next_proto_neg_in = *(++argv);
1052 else if (strcmp(*argv,"-alpn") == 0)
1054 if (--argc < 1) goto bad;
1055 alpn_in = *(++argv);
1057 else if (strcmp(*argv,"-serverinfo") == 0)
1063 if (--argc < 1) goto bad;
1065 serverinfo_types_count = 0;
1067 for (i = 0; i <= len; ++i)
1069 if (i == len || c[i] == ',')
1071 serverinfo_types[serverinfo_types_count]
1073 serverinfo_types_count++;
1076 if (serverinfo_types_count == MAX_SI_TYPES)
1082 else if (strcmp(*argv,"-nbio") == 0)
1085 else if (strcmp(*argv,"-starttls") == 0)
1087 if (--argc < 1) goto bad;
1089 if (strcmp(*argv,"smtp") == 0)
1090 starttls_proto = PROTO_SMTP;
1091 else if (strcmp(*argv,"pop3") == 0)
1092 starttls_proto = PROTO_POP3;
1093 else if (strcmp(*argv,"imap") == 0)
1094 starttls_proto = PROTO_IMAP;
1095 else if (strcmp(*argv,"ftp") == 0)
1096 starttls_proto = PROTO_FTP;
1097 else if (strcmp(*argv, "xmpp") == 0)
1098 starttls_proto = PROTO_XMPP;
1102 #ifndef OPENSSL_NO_ENGINE
1103 else if (strcmp(*argv,"-engine") == 0)
1105 if (--argc < 1) goto bad;
1106 engine_id = *(++argv);
1108 else if (strcmp(*argv,"-ssl_client_engine") == 0)
1110 if (--argc < 1) goto bad;
1111 ssl_client_engine_id = *(++argv);
1114 else if (strcmp(*argv,"-rand") == 0)
1116 if (--argc < 1) goto bad;
1119 #ifndef OPENSSL_NO_TLSEXT
1120 else if (strcmp(*argv,"-servername") == 0)
1122 if (--argc < 1) goto bad;
1123 servername= *(++argv);
1124 /* meth=TLSv1_client_method(); */
1127 #ifndef OPENSSL_NO_JPAKE
1128 else if (strcmp(*argv,"-jpake") == 0)
1130 if (--argc < 1) goto bad;
1131 jpake_secret = *++argv;
1134 else if (strcmp(*argv,"-use_srtp") == 0)
1136 if (--argc < 1) goto bad;
1137 srtp_profiles = *(++argv);
1139 else if (strcmp(*argv,"-keymatexport") == 0)
1141 if (--argc < 1) goto bad;
1142 keymatexportlabel= *(++argv);
1144 else if (strcmp(*argv,"-keymatexportlen") == 0)
1146 if (--argc < 1) goto bad;
1147 keymatexportlen=atoi(*(++argv));
1148 if (keymatexportlen == 0) goto bad;
1152 BIO_printf(bio_err,"unknown option %s\n",*argv);
1166 if (unix_path && (socket_type != SOCK_STREAM))
1168 BIO_printf(bio_err, "Can't use unix sockets and datagrams together\n");
1171 #if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
1177 "Can't use JPAKE and PSK together\n");
1180 psk_identity = "JPAKE";
1184 OpenSSL_add_ssl_algorithms();
1185 SSL_load_error_strings();
1187 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
1188 next_proto.status = -1;
1189 if (next_proto_neg_in)
1191 next_proto.data = next_protos_parse(&next_proto.len, next_proto_neg_in);
1192 if (next_proto.data == NULL)
1194 BIO_printf(bio_err, "Error parsing -nextprotoneg argument\n");
1199 next_proto.data = NULL;
1202 #ifndef OPENSSL_NO_ENGINE
1203 e = setup_engine(bio_err, engine_id, 1);
1204 if (ssl_client_engine_id)
1206 ssl_client_engine = ENGINE_by_id(ssl_client_engine_id);
1207 if (!ssl_client_engine)
1210 "Error getting client auth engine\n");
1216 if (!app_passwd(bio_err, passarg, NULL, &pass, NULL))
1218 BIO_printf(bio_err, "Error getting password\n");
1222 if (key_file == NULL)
1223 key_file = cert_file;
1230 key = load_key(bio_err, key_file, key_format, 0, pass, e,
1231 "client certificate private key file");
1234 ERR_print_errors(bio_err);
1243 cert = load_cert(bio_err,cert_file,cert_format,
1244 NULL, e, "client certificate file");
1248 ERR_print_errors(bio_err);
1255 chain = load_certs(bio_err, chain_file,FORMAT_PEM,
1256 NULL, e, "client certificate chain");
1264 crl = load_crl(crl_file, crl_format);
1267 BIO_puts(bio_err, "Error loading CRL\n");
1268 ERR_print_errors(bio_err);
1271 crls = sk_X509_CRL_new_null();
1272 if (!crls || !sk_X509_CRL_push(crls, crl))
1274 BIO_puts(bio_err, "Error adding CRL\n");
1275 ERR_print_errors(bio_err);
1281 if (!load_excert(&exc, bio_err))
1284 if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
1287 BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
1290 BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
1291 app_RAND_load_files(inrand));
1293 if (bio_c_out == NULL)
1295 if (c_quiet && !c_debug)
1297 bio_c_out=BIO_new(BIO_s_null());
1298 if (c_msg && !bio_c_msg)
1299 bio_c_msg=BIO_new_fp(stdout,BIO_NOCLOSE);
1303 if (bio_c_out == NULL)
1304 bio_c_out=BIO_new_fp(stdout,BIO_NOCLOSE);
1308 #ifndef OPENSSL_NO_SRP
1309 if(!app_passwd(bio_err, srppass, NULL, &srp_arg.srppassin, NULL))
1311 BIO_printf(bio_err, "Error getting password\n");
1316 ctx=SSL_CTX_new(meth);
1319 ERR_print_errors(bio_err);
1324 ssl_ctx_security_debug(ctx, bio_err, sdebug);
1327 SSL_CTX_set1_param(ctx, vpm);
1329 if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, 1, no_jpake))
1331 ERR_print_errors(bio_err);
1335 if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile,
1336 crls, crl_download))
1338 BIO_printf(bio_err, "Error loading store locations\n");
1339 ERR_print_errors(bio_err);
1343 #ifndef OPENSSL_NO_ENGINE
1344 if (ssl_client_engine)
1346 if (!SSL_CTX_set_client_cert_engine(ctx, ssl_client_engine))
1348 BIO_puts(bio_err, "Error setting client auth engine\n");
1349 ERR_print_errors(bio_err);
1350 ENGINE_free(ssl_client_engine);
1353 ENGINE_free(ssl_client_engine);
1357 #ifndef OPENSSL_NO_PSK
1358 #ifdef OPENSSL_NO_JPAKE
1359 if (psk_key != NULL)
1361 if (psk_key != NULL || jpake_secret)
1365 BIO_printf(bio_c_out, "PSK key given or JPAKE in use, setting client callback\n");
1366 SSL_CTX_set_psk_client_callback(ctx, psk_client_cb);
1368 if (srtp_profiles != NULL)
1369 SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles);
1371 if (exc) ssl_ctx_set_excert(ctx, exc);
1372 /* DTLS: partial reads end up discarding unread UDP bytes :-(
1373 * Setting read ahead solves this problem.
1375 if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
1377 #if !defined(OPENSSL_NO_TLSEXT)
1378 # if !defined(OPENSSL_NO_NEXTPROTONEG)
1379 if (next_proto.data)
1380 SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);
1384 unsigned short alpn_len;
1385 unsigned char *alpn = next_protos_parse(&alpn_len, alpn_in);
1389 BIO_printf(bio_err, "Error parsing -alpn argument\n");
1392 SSL_CTX_set_alpn_protos(ctx, alpn, alpn_len);
1396 #ifndef OPENSSL_NO_TLSEXT
1397 if (serverinfo_types_count)
1399 for (i = 0; i < serverinfo_types_count; i++)
1401 SSL_CTX_set_custom_cli_ext(ctx,
1402 serverinfo_types[i],
1410 if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
1413 SSL_CTX_set_cipher_list(ctx,getenv("SSL_CIPHER"));
1416 SSL_CTX_set_verify(ctx,verify,verify_callback);
1418 if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
1419 (!SSL_CTX_set_default_verify_paths(ctx)))
1421 /* BIO_printf(bio_err,"error setting default verify locations\n"); */
1422 ERR_print_errors(bio_err);
1426 ssl_ctx_add_crls(ctx, crls, crl_download);
1428 if (!set_cert_key_stuff(ctx,cert,key,chain,build_chain))
1431 #ifndef OPENSSL_NO_TLSEXT
1432 if (servername != NULL)
1434 tlsextcbp.biodebug = bio_err;
1435 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
1436 SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
1438 #ifndef OPENSSL_NO_SRP
1439 if (srp_arg.srplogin)
1441 if (!srp_lateuser && !SSL_CTX_set_srp_username(ctx, srp_arg.srplogin))
1443 BIO_printf(bio_err,"Unable to set SRP username\n");
1446 srp_arg.msg = c_msg;
1447 srp_arg.debug = c_debug ;
1448 SSL_CTX_set_srp_cb_arg(ctx,&srp_arg);
1449 SSL_CTX_set_srp_client_pwd_callback(ctx, ssl_give_srp_client_pwd_cb);
1450 SSL_CTX_set_srp_strength(ctx, srp_arg.strength);
1451 if (c_msg || c_debug || srp_arg.amp == 0)
1452 SSL_CTX_set_srp_verify_param_callback(ctx, ssl_srp_verify_param_cb);
1458 SSL_CTX_set_custom_cli_ext(ctx, TLSEXT_TYPE_client_authz, authz_tlsext_generate_cb, authz_tlsext_cb, bio_err);
1459 SSL_CTX_set_custom_cli_ext(ctx, TLSEXT_TYPE_server_authz, authz_tlsext_generate_cb, authz_tlsext_cb, bio_err);
1460 SSL_CTX_set_cli_supp_data(ctx, TLSEXT_SUPPLEMENTALDATATYPE_authz_data, suppdata_cb, auth_suppdata_generate_cb, bio_err);
1468 BIO *stmp = BIO_new_file(sess_in, "r");
1471 BIO_printf(bio_err, "Can't open session file %s\n",
1473 ERR_print_errors(bio_err);
1476 sess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL);
1480 BIO_printf(bio_err, "Can't open session file %s\n",
1482 ERR_print_errors(bio_err);
1485 SSL_set_session(con, sess);
1486 SSL_SESSION_free(sess);
1488 #ifndef OPENSSL_NO_TLSEXT
1489 if (servername != NULL)
1491 if (!SSL_set_tlsext_host_name(con,servername))
1493 BIO_printf(bio_err,"Unable to set TLS servername extension.\n");
1494 ERR_print_errors(bio_err);
1499 #ifndef OPENSSL_NO_KRB5
1500 if (con && (kctx = kssl_ctx_new()) != NULL)
1502 SSL_set0_kssl_ctx(con, kctx);
1503 kssl_ctx_setstring(kctx, KSSL_SERVER, host);
1505 #endif /* OPENSSL_NO_KRB5 */
1506 /* SSL_set_cipher_list(con,"RC4-MD5"); */
1508 #ifdef TLSEXT_TYPE_opaque_prf_input
1509 SSL_set_tlsext_opaque_prf_input(con, "Test client", 11);
1515 if ((!unix_path && (init_client(&s,host,port,socket_type) == 0)) ||
1516 (unix_path && (init_client_unix(&s,unix_path) == 0)))
1518 BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
1522 BIO_printf(bio_c_out,"CONNECTED(%08X)\n",s);
1528 BIO_printf(bio_c_out,"turning on non blocking io\n");
1529 if (BIO_socket_ioctl(s,FIONBIO,&l) < 0)
1531 ERR_print_errors(bio_err);
1536 if (c_Pause & 0x01) SSL_set_debug(con, 1);
1538 if (socket_type == SOCK_DGRAM)
1541 sbio=BIO_new_dgram(s,BIO_NOCLOSE);
1542 if (getsockname(s, &peer, (void *)&peerlen) < 0)
1544 BIO_printf(bio_err, "getsockname:errno=%d\n",
1545 get_last_socket_error());
1550 (void)BIO_ctrl_set_connected(sbio, 1, &peer);
1552 if (enable_timeouts)
1555 timeout.tv_usec = DGRAM_RCV_TIMEOUT;
1556 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
1559 timeout.tv_usec = DGRAM_SND_TIMEOUT;
1560 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
1563 if (socket_mtu > 28)
1565 SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
1566 SSL_set_mtu(con, socket_mtu - 28);
1569 /* want to do MTU discovery */
1570 BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
1573 sbio=BIO_new_socket(s,BIO_NOCLOSE);
1579 test=BIO_new(BIO_f_nbio_test());
1580 sbio=BIO_push(test,sbio);
1585 SSL_set_debug(con, 1);
1586 BIO_set_callback(sbio,bio_dump_callback);
1587 BIO_set_callback_arg(sbio,(char *)bio_c_out);
1591 #ifndef OPENSSL_NO_SSL_TRACE
1593 SSL_set_msg_callback(con, SSL_trace);
1596 SSL_set_msg_callback(con, msg_cb);
1597 SSL_set_msg_callback_arg(con, bio_c_msg ? bio_c_msg : bio_c_out);
1599 #ifndef OPENSSL_NO_TLSEXT
1602 SSL_set_tlsext_debug_callback(con, tlsext_cb);
1603 SSL_set_tlsext_debug_arg(con, bio_c_out);
1607 SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp);
1608 SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb);
1609 SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out);
1612 STACK_OF(OCSP_RESPID) *ids = sk_OCSP_RESPID_new_null();
1613 OCSP_RESPID *id = OCSP_RESPID_new();
1614 id->value.byKey = ASN1_OCTET_STRING_new();
1615 id->type = V_OCSP_RESPID_KEY;
1616 ASN1_STRING_set(id->value.byKey, "Hello World", -1);
1617 sk_OCSP_RESPID_push(ids, id);
1618 SSL_set_tlsext_status_ids(con, ids);
1623 #ifndef OPENSSL_NO_JPAKE
1625 jpake_client_auth(bio_c_out, sbio, jpake_secret);
1628 SSL_set_bio(con,sbio,sbio);
1629 SSL_set_connect_state(con);
1631 /* ok, lets connect */
1632 width=SSL_get_fd(con)+1;
1645 /* This is an ugly hack that does a lot of assumptions */
1646 /* We do have to handle multi-line responses which may come
1647 in a single packet or not. We therefore have to use
1648 BIO_gets() which does need a buffering BIO. So during
1649 the initial chitchat we do push a buffering BIO into the
1650 chain that is removed again later on to not disturb the
1651 rest of the s_client operation. */
1652 if (starttls_proto == PROTO_SMTP)
1655 BIO *fbio = BIO_new(BIO_f_buffer());
1656 BIO_push(fbio, sbio);
1657 /* wait for multi-line response to end from SMTP */
1660 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1662 while (mbuf_len>3 && mbuf[3]=='-');
1663 /* STARTTLS command requires EHLO... */
1664 BIO_printf(fbio,"EHLO openssl.client.net\r\n");
1665 (void)BIO_flush(fbio);
1666 /* wait for multi-line response to end EHLO SMTP response */
1669 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1670 if (strstr(mbuf,"STARTTLS"))
1673 while (mbuf_len>3 && mbuf[3]=='-');
1674 (void)BIO_flush(fbio);
1679 "didn't found starttls in server response,"
1680 " try anyway...\n");
1681 BIO_printf(sbio,"STARTTLS\r\n");
1682 BIO_read(sbio,sbuf,BUFSIZZ);
1684 else if (starttls_proto == PROTO_POP3)
1686 BIO_read(sbio,mbuf,BUFSIZZ);
1687 BIO_printf(sbio,"STLS\r\n");
1688 BIO_read(sbio,sbuf,BUFSIZZ);
1690 else if (starttls_proto == PROTO_IMAP)
1693 BIO *fbio = BIO_new(BIO_f_buffer());
1694 BIO_push(fbio, sbio);
1695 BIO_gets(fbio,mbuf,BUFSIZZ);
1696 /* STARTTLS command requires CAPABILITY... */
1697 BIO_printf(fbio,". CAPABILITY\r\n");
1698 (void)BIO_flush(fbio);
1699 /* wait for multi-line CAPABILITY response */
1702 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1703 if (strstr(mbuf,"STARTTLS"))
1706 while (mbuf_len>3 && mbuf[0]!='.');
1707 (void)BIO_flush(fbio);
1712 "didn't found STARTTLS in server response,"
1713 " try anyway...\n");
1714 BIO_printf(sbio,". STARTTLS\r\n");
1715 BIO_read(sbio,sbuf,BUFSIZZ);
1717 else if (starttls_proto == PROTO_FTP)
1719 BIO *fbio = BIO_new(BIO_f_buffer());
1720 BIO_push(fbio, sbio);
1721 /* wait for multi-line response to end from FTP */
1724 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1726 while (mbuf_len>3 && mbuf[3]=='-');
1727 (void)BIO_flush(fbio);
1730 BIO_printf(sbio,"AUTH TLS\r\n");
1731 BIO_read(sbio,sbuf,BUFSIZZ);
1733 if (starttls_proto == PROTO_XMPP)
1736 BIO_printf(sbio,"<stream:stream "
1737 "xmlns:stream='http://etherx.jabber.org/streams' "
1738 "xmlns='jabber:client' to='%s' version='1.0'>", xmpphost ?
1740 seen = BIO_read(sbio,mbuf,BUFSIZZ);
1742 while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'") &&
1743 !strstr(mbuf, "<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\""))
1745 seen = BIO_read(sbio,mbuf,BUFSIZZ);
1752 BIO_printf(sbio, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>");
1753 seen = BIO_read(sbio,sbuf,BUFSIZZ);
1755 if (!strstr(sbuf, "<proceed"))
1765 if ((SSL_version(con) == DTLS1_VERSION) &&
1766 DTLSv1_get_timeout(con, &timeout))
1767 timeoutp = &timeout;
1771 if (SSL_in_init(con) && !SSL_total_renegotiations(con))
1782 #if 0 /* This test doesn't really work as intended (needs to be fixed) */
1783 #ifndef OPENSSL_NO_TLSEXT
1784 if (servername != NULL && !SSL_session_reused(con))
1786 BIO_printf(bio_c_out,"Server did %sacknowledge servername extension.\n",tlsextcbp.ack?"":"not ");
1792 BIO *stmp = BIO_new_file(sess_out, "w");
1795 PEM_write_bio_SSL_SESSION(stmp, SSL_get_session(con));
1799 BIO_printf(bio_err, "Error writing session file %s\n", sess_out);
1804 "CONNECTION ESTABLISHED\n");
1805 print_ssl_summary(bio_err, con);
1807 /*handshake is complete - free the generated supp data allocated in the callback */
1808 if (generated_supp_data)
1810 OPENSSL_free(generated_supp_data);
1811 generated_supp_data = NULL;
1814 print_stuff(bio_c_out,con,full_log);
1815 if (full_log > 0) full_log--;
1819 BIO_printf(bio_err,"%s",mbuf);
1820 /* We don't need to know any more */
1821 starttls_proto = PROTO_OFF;
1827 BIO_printf(bio_c_out,"drop connection and then reconnect\n");
1829 SSL_set_connect_state(con);
1830 SHUTDOWN(SSL_get_fd(con));
1836 ssl_pending = read_ssl && SSL_pending(con);
1840 #if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) && !defined (OPENSSL_SYS_BEOS_R5)
1843 if (read_tty) openssl_fdset(fileno(stdin),&readfds);
1844 if (write_tty) openssl_fdset(fileno(stdout),&writefds);
1847 openssl_fdset(SSL_get_fd(con),&readfds);
1849 openssl_fdset(SSL_get_fd(con),&writefds);
1851 if(!tty_on || !write_tty) {
1853 openssl_fdset(SSL_get_fd(con),&readfds);
1855 openssl_fdset(SSL_get_fd(con),&writefds);
1858 /* printf("mode tty(%d %d%d) ssl(%d%d)\n",
1859 tty_on,read_tty,write_tty,read_ssl,write_ssl);*/
1861 /* Note: under VMS with SOCKETSHR the second parameter
1862 * is currently of type (int *) whereas under other
1863 * systems it is (void *) if you don't have a cast it
1864 * will choke the compiler: if you do have a cast then
1865 * you can either go for (int *) or (void *).
1867 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
1868 /* Under Windows/DOS we make the assumption that we can
1869 * always write to the tty: therefore if we need to
1870 * write to the tty we just fall through. Otherwise
1871 * we timeout the select every second and see if there
1872 * are any keypresses. Note: this is a hack, in a proper
1873 * Windows application we wouldn't do this.
1880 i=select(width,(void *)&readfds,(void *)&writefds,
1882 #if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
1883 if(!i && (!_kbhit() || !read_tty) ) continue;
1885 if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue;
1887 } else i=select(width,(void *)&readfds,(void *)&writefds,
1890 #elif defined(OPENSSL_SYS_NETWARE)
1895 i=select(width,(void *)&readfds,(void *)&writefds,
1897 } else i=select(width,(void *)&readfds,(void *)&writefds,
1900 #elif defined(OPENSSL_SYS_BEOS_R5)
1901 /* Under BeOS-R5 the situation is similar to DOS */
1904 (void)fcntl(fileno(stdin), F_SETFL, O_NONBLOCK);
1909 i=select(width,(void *)&readfds,(void *)&writefds,
1911 if (read(fileno(stdin), sbuf, 0) >= 0)
1913 if (!i && (stdin_set != 1 || !read_tty))
1915 } else i=select(width,(void *)&readfds,(void *)&writefds,
1918 (void)fcntl(fileno(stdin), F_SETFL, 0);
1920 i=select(width,(void *)&readfds,(void *)&writefds,
1925 BIO_printf(bio_err,"bad select %d\n",
1926 get_last_socket_error());
1932 if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0)
1934 BIO_printf(bio_err,"TIMEOUT occurred\n");
1937 if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds))
1939 k=SSL_write(con,&(cbuf[cbuf_off]),
1940 (unsigned int)cbuf_len);
1941 switch (SSL_get_error(con,k))
1943 case SSL_ERROR_NONE:
1946 if (k <= 0) goto end;
1947 /* we have done a write(con,NULL,0); */
1953 else /* if (cbuf_len > 0) */
1959 case SSL_ERROR_WANT_WRITE:
1960 BIO_printf(bio_c_out,"write W BLOCK\n");
1964 case SSL_ERROR_WANT_READ:
1965 BIO_printf(bio_c_out,"write R BLOCK\n");
1970 case SSL_ERROR_WANT_X509_LOOKUP:
1971 BIO_printf(bio_c_out,"write X BLOCK\n");
1973 case SSL_ERROR_ZERO_RETURN:
1976 BIO_printf(bio_c_out,"shutdown\n");
1987 case SSL_ERROR_SYSCALL:
1988 if ((k != 0) || (cbuf_len != 0))
1990 BIO_printf(bio_err,"write:errno=%d\n",
1991 get_last_socket_error());
2001 ERR_print_errors(bio_err);
2005 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
2006 /* Assume Windows/DOS/BeOS can always write */
2007 else if (!ssl_pending && write_tty)
2009 else if (!ssl_pending && FD_ISSET(fileno(stdout),&writefds))
2012 #ifdef CHARSET_EBCDIC
2013 ascii2ebcdic(&(sbuf[sbuf_off]),&(sbuf[sbuf_off]),sbuf_len);
2015 i=raw_write_stdout(&(sbuf[sbuf_off]),sbuf_len);
2019 BIO_printf(bio_c_out,"DONE\n");
2033 else if (ssl_pending || FD_ISSET(SSL_get_fd(con),&readfds))
2036 { static int iiii; if (++iiii == 52) { SSL_renegotiate(con); iiii=0; } }
2039 k=SSL_read(con,sbuf,1024 /* BUFSIZZ */ );
2041 /* Demo for pending and peek :-) */
2042 k=SSL_read(con,sbuf,16);
2044 printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240));
2048 switch (SSL_get_error(con,k))
2050 case SSL_ERROR_NONE:
2059 case SSL_ERROR_WANT_WRITE:
2060 BIO_printf(bio_c_out,"read W BLOCK\n");
2064 case SSL_ERROR_WANT_READ:
2065 BIO_printf(bio_c_out,"read R BLOCK\n");
2068 if ((read_tty == 0) && (write_ssl == 0))
2071 case SSL_ERROR_WANT_X509_LOOKUP:
2072 BIO_printf(bio_c_out,"read X BLOCK\n");
2074 case SSL_ERROR_SYSCALL:
2075 ret=get_last_socket_error();
2077 BIO_puts(bio_err, "CONNECTION CLOSED BY SERVER\n");
2079 BIO_printf(bio_err,"read:errno=%d\n",ret);
2081 case SSL_ERROR_ZERO_RETURN:
2082 BIO_printf(bio_c_out,"closed\n");
2086 ERR_print_errors(bio_err);
2092 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
2093 #if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
2096 else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
2098 #elif defined (OPENSSL_SYS_NETWARE)
2100 #elif defined(OPENSSL_SYS_BEOS_R5)
2103 else if (FD_ISSET(fileno(stdin),&readfds))
2110 i=raw_read_stdin(cbuf,BUFSIZZ/2);
2112 /* both loops are skipped when i <= 0 */
2113 for (j = 0; j < i; j++)
2114 if (cbuf[j] == '\n')
2116 for (j = i-1; j >= 0; j--)
2118 cbuf[j+lf_num] = cbuf[j];
2119 if (cbuf[j] == '\n')
2123 cbuf[j+lf_num] = '\r';
2126 assert(lf_num == 0);
2129 i=raw_read_stdin(cbuf,BUFSIZZ);
2131 if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q')))
2133 BIO_printf(bio_err,"DONE\n");
2138 if ((!c_ign_eof) && (cbuf[0] == 'R'))
2140 BIO_printf(bio_err,"RENEGOTIATING\n");
2141 SSL_renegotiate(con);
2144 #ifndef OPENSSL_NO_HEARTBEATS
2145 else if ((!c_ign_eof) && (cbuf[0] == 'B'))
2147 BIO_printf(bio_err,"HEARTBEATING\n");
2156 #ifdef CHARSET_EBCDIC
2157 ebcdic2ascii(cbuf, cbuf, i);
2169 print_stuff(bio_c_out,con,full_log);
2171 SHUTDOWN(SSL_get_fd(con));
2176 print_stuff(bio_c_out,con,1);
2179 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
2180 if (next_proto.data)
2181 OPENSSL_free(next_proto.data);
2183 if (ctx != NULL) SSL_CTX_free(ctx);
2187 sk_X509_CRL_pop_free(crls, X509_CRL_free);
2191 sk_X509_pop_free(chain, X509_free);
2195 X509_VERIFY_PARAM_free(vpm);
2196 ssl_excert_free(exc);
2198 sk_OPENSSL_STRING_free(ssl_args);
2200 SSL_CONF_CTX_free(cctx);
2201 #ifndef OPENSSL_NO_JPAKE
2202 if (jpake_secret && psk_key)
2203 OPENSSL_free(psk_key);
2205 if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); }
2206 if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); }
2207 if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); }
2208 if (bio_c_out != NULL)
2210 BIO_free(bio_c_out);
2213 if (bio_c_msg != NULL)
2215 BIO_free(bio_c_msg);
/*
 * Write a diagnostic report about connection `s` to `bio`: the peer
 * certificate chain and server certificate, acceptable client CA names,
 * shared ciphers, handshake byte counts, the negotiated cipher,
 * compression, NPN/ALPN and SRTP results, the session, and (when a
 * keying-material label was given) exported keying material. The BIO is
 * flushed at the end.
 *
 * This function only reports; no line shown here validates the peer.
 * NOTE(review): `full` presumably selects the long form of the report;
 * the test on it is not among the lines shown in this listing - confirm.
 * NOTE(review): this listing omits some lines (braces, short
 * declarations and tests), so the nesting of the statements below has to
 * be checked against the complete file.
 */
2223 static void print_stuff(BIO *bio, SSL *s, int full)
2227 static const char *space=" ";
2230 STACK_OF(X509_NAME) *sk2;
2231 const SSL_CIPHER *c;
2234 #ifndef OPENSSL_NO_COMP
2235 const COMP_METHOD *comp, *expansion;
2237 unsigned char *exportedkeymat;
2241 int got_a_chain = 0;
/* Certificate chain as sent by the peer. */
2243 sk=SSL_get_peer_cert_chain(s);
2246 got_a_chain = 1; /* we don't have it for SSL2 (yet) */
2248 BIO_printf(bio,"---\nCertificate chain\n");
2249 for (i=0; i<sk_X509_num(sk); i++)
/* Subject and issuer are rendered into buf with sizeof buf as the
 * limit; buf's declaration is not shown, so this bounds the write only
 * if buf is an array - TODO confirm. */
2251 X509_NAME_oneline(X509_get_subject_name(
2252 sk_X509_value(sk,i)),buf,sizeof buf);
2253 BIO_printf(bio,"%2d s:%s\n",i,buf);
2254 X509_NAME_oneline(X509_get_issuer_name(
2255 sk_X509_value(sk,i)),buf,sizeof buf);
2256 BIO_printf(bio," i:%s\n",buf);
2258 PEM_write_bio_X509(bio,sk_X509_value(sk,i));
2262 BIO_printf(bio,"---\n");
/* Leaf certificate presented by the server. */
2263 peer=SSL_get_peer_certificate(s);
2266 BIO_printf(bio,"Server certificate\n");
2267 if (!(c_showcerts && got_a_chain)) /* Redundant if we showed the whole chain */
2268 PEM_write_bio_X509(bio,peer);
2269 X509_NAME_oneline(X509_get_subject_name(peer),
2271 BIO_printf(bio,"subject=%s\n",buf);
2272 X509_NAME_oneline(X509_get_issuer_name(peer),
2274 BIO_printf(bio,"issuer=%s\n",buf);
2277 BIO_printf(bio,"no peer certificate available\n");
/* CA names the server listed as acceptable for client certificates. */
2279 sk2=SSL_get_client_CA_list(s);
2280 if ((sk2 != NULL) && (sk_X509_NAME_num(sk2) > 0))
2282 BIO_printf(bio,"---\nAcceptable client certificate CA names\n");
2283 for (i=0; i<sk_X509_NAME_num(sk2); i++)
2285 xn=sk_X509_NAME_value(sk2,i);
2286 X509_NAME_oneline(xn,buf,sizeof(buf));
2287 BIO_write(bio,buf,strlen(buf));
2288 BIO_write(bio,"\n",1);
2293 BIO_printf(bio,"---\nNo client certificate CA names sent\n");
2295 p=SSL_get_shared_ciphers(s,buf,sizeof buf);
2298 /* This works only for SSL 2. In later protocol
2299 * versions, the client does not know what other
2300 * ciphers (in addition to the one to be used
2301 * in the current connection) the server supports. */
2303 BIO_printf(bio,"---\nCiphers common between both SSL endpoints:\n");
2309 BIO_write(bio,space,15-j%25);
2312 BIO_write(bio,((i%3)?" ":"\n"),1);
2321 BIO_write(bio,"\n",1);
2324 ssl_print_sigalgs(bio, s);
2325 ssl_print_tmp_key(bio, s);
2327 BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n",
2328 BIO_number_read(SSL_get_rbio(s)),
2329 BIO_number_written(SSL_get_wbio(s)));
/* The format argument is one of two string literals; no external data
 * reaches the format string. */
2331 BIO_printf(bio,(SSL_cache_hit(s)?"---\nReused, ":"---\nNew, "));
2332 c=SSL_get_current_cipher(s);
2333 BIO_printf(bio,"%s, Cipher is %s\n",
2334 SSL_CIPHER_get_version(c),
2335 SSL_CIPHER_get_name(c));
/* NOTE(review): no NULL check on pktmp appears on the lines shown
 * before it is passed to EVP_PKEY_bits - confirm that call tolerates a
 * NULL key in this version. */
2338 pktmp = X509_get_pubkey(peer);
2339 BIO_printf(bio,"Server public key is %d bit\n",
2340 EVP_PKEY_bits(pktmp));
2341 EVP_PKEY_free(pktmp);
2343 BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
2344 SSL_get_secure_renegotiation_support(s) ? "" : " NOT");
2345 #ifndef OPENSSL_NO_COMP
2346 comp=SSL_get_current_compression(s);
2347 expansion=SSL_get_current_expansion(s);
2348 BIO_printf(bio,"Compression: %s\n",
2349 comp ? SSL_COMP_get_name(comp) : "NONE");
2350 BIO_printf(bio,"Expansion: %s\n",
2351 expansion ? SSL_COMP_get_name(expansion) : "NONE");
2356 /* Print out local port of connection: useful for debugging */
/* NOTE(review): getsockname's return value is ignored, so on failure
 * ladd.sin_port is printed without having been filled in. This line
 * also writes to bio_c_out rather than to the `bio` parameter. */
2358 struct sockaddr_in ladd;
2359 socklen_t ladd_size = sizeof(ladd);
2360 sock = SSL_get_fd(s);
2361 getsockname(sock, (struct sockaddr *)&ladd, &ladd_size);
2362 BIO_printf(bio_c_out, "LOCAL PORT is %u\n", ntohs(ladd.sin_port));
2366 #if !defined(OPENSSL_NO_TLSEXT)
2367 # if !defined(OPENSSL_NO_NEXTPROTONEG)
/* next_proto.status stays -1 (set in main) until the NPN callback has
 * run - presumably; the callback itself is outside this listing. */
2368 if (next_proto.status != -1) {
2369 const unsigned char *proto;
2370 unsigned int proto_len;
2371 SSL_get0_next_proto_negotiated(s, &proto, &proto_len);
2372 BIO_printf(bio, "Next protocol: (%d) ", next_proto.status);
/* The protocol identifier is written verbatim with BIO_write, i.e.
 * without escaping; the same applies to the ALPN value below. */
2373 BIO_write(bio, proto, proto_len);
2374 BIO_write(bio, "\n", 1);
2378 const unsigned char *proto;
2379 unsigned int proto_len;
2380 SSL_get0_alpn_selected(s, &proto, &proto_len);
2383 BIO_printf(bio, "ALPN protocol: ");
2384 BIO_write(bio, proto, proto_len);
2385 BIO_write(bio, "\n", 1);
2388 BIO_printf(bio, "No ALPN negotiated\n");
2393 SRTP_PROTECTION_PROFILE *srtp_profile=SSL_get_selected_srtp_profile(s);
2396 BIO_printf(bio,"SRTP Extension negotiated, profile=%s\n",
2397 srtp_profile->name);
/* NOTE(review): SSL_SESSION_print is known to include the session
 * master key in its text output - confirm for this version and treat
 * captured output of this tool as sensitive. */
2400 SSL_SESSION_print(bio,SSL_get_session(s));
2401 if (keymatexportlabel != NULL)
2403 BIO_printf(bio, "Keying material exporter:\n");
2404 BIO_printf(bio, " Label: '%s'\n", keymatexportlabel);
2405 BIO_printf(bio, " Length: %i bytes\n", keymatexportlen);
/* NOTE(review): keymatexportlen comes from atoi() in the option parser,
 * which rejects only 0, so a negative value can reach this allocation;
 * the NULL test below is the only guard visible here - confirm how
 * OPENSSL_malloc treats a negative size. */
2406 exportedkeymat = OPENSSL_malloc(keymatexportlen);
2407 if (exportedkeymat != NULL)
2409 if (!SSL_export_keying_material(s, exportedkeymat,
2412 strlen(keymatexportlabel),
2415 BIO_printf(bio, " Error\n");
/* The exported secret is printed in hex to bio. */
2419 BIO_printf(bio, " Keying material: ");
2420 for (i=0; i<keymatexportlen; i++)
2421 BIO_printf(bio, "%02X",
2423 BIO_printf(bio, "\n");
/* NOTE(review): the buffer held exported keying material and is freed
 * without OPENSSL_cleanse, unlike cbuf/sbuf/mbuf at the end of main. */
2425 OPENSSL_free(exportedkeymat);
2428 BIO_printf(bio,"---\n");
2431 /* flush, or debugging output gets mixed with http response */
2432 (void)BIO_flush(bio);
2435 #ifndef OPENSSL_NO_TLSEXT
/*
 * TLS status-request callback (installed in main with
 * SSL_CTX_set_tlsext_status_cb, with bio_c_out as its argument): prints
 * the OCSP response obtained from the connection to the BIO passed as
 * `arg`.
 *
 * The lines shown only decode and print the response; they do not check
 * its signature, its validity period or the certificate status it
 * carries, so the output is diagnostic and is not a revocation decision.
 * NOTE(review): the tests and return statements of this function are not
 * among the lines shown in this listing - confirm what each path returns.
 */
2437 static int ocsp_resp_cb(SSL *s, void *arg)
2439 const unsigned char *p;
/* p is set to the response bytes; len is used below as their count. */
2442 len = SSL_get_tlsext_status_ocsp_resp(s, &p);
2443 BIO_puts(arg, "OCSP response: ");
/* Path taken when no response is available (the test is not shown). */
2446 BIO_puts(arg, "no response sent\n");
/* Decode the DER-encoded response from p. */
2449 rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
/* On a decode failure, dump the raw bytes (indent 4) for inspection. */
2452 BIO_puts(arg, "response parse error\n");
2453 BIO_dump_indent(arg, (char *)p, len, 4);
2456 BIO_puts(arg, "\n======================================\n");
2457 OCSP_RESPONSE_print(arg, rsp, 0);
2458 BIO_puts(arg, "======================================\n");
/* rsp was allocated by d2i_OCSP_RESPONSE above and is released here. */
2459 OCSP_RESPONSE_free(rsp);
/*
 * Receive callback for the two authz custom extensions (passed as the
 * fourth argument of SSL_CTX_set_custom_cli_ext in main for
 * TLSEXT_TYPE_client_authz and TLSEXT_TYPE_server_authz). For each type
 * it records whether the inlen bytes at `in` contain the byte value
 * TLSEXT_AUTHZDATAFORMAT_dtcp; the two flags are read again by
 * auth_suppdata_generate_cb.
 *
 * NOTE(review): memchr is a plain byte search over the whole payload, so
 * this presumably relies on the payload being a list of one-byte format
 * identifiers - confirm. If the library can call this with in == NULL
 * and inlen == 0, passing a null pointer to memchr is undefined - confirm.
 */
2463 static int authz_tlsext_cb(SSL *s, unsigned short ext_type,
2464 const unsigned char *in,
2465 unsigned short inlen, int *al,
2468 if (TLSEXT_TYPE_server_authz == ext_type)
2469 server_provided_server_authz
2470 = (memchr(in, TLSEXT_AUTHZDATAFORMAT_dtcp, inlen) != NULL);
2472 if (TLSEXT_TYPE_client_authz == ext_type)
2473 server_provided_client_authz
2474 = (memchr(in, TLSEXT_AUTHZDATAFORMAT_dtcp, inlen) != NULL);
/*
 * Generate callback for the two authz custom extensions (passed as the
 * third argument of SSL_CTX_set_custom_cli_ext in main). On the sending
 * path it points *out at auth_ext_data; otherwise it falls through to
 * the "no auth extension to send" path.
 *
 * NOTE(review): the assignment to *outlen and the return statements are
 * not among the lines shown in this listing - confirm them against the
 * complete file.
 */
2479 static int authz_tlsext_generate_cb(SSL *s, unsigned short ext_type,
2480 const unsigned char **out, unsigned short *outlen,
2485 /*if auth_require_reneg flag is set, only send extensions if
2486 renegotiation has occurred */
/* The condition reduces to: the flag is clear, or at least one
 * renegotiation has been counted on this connection. */
2487 if (!c_auth_require_reneg || (c_auth_require_reneg && SSL_num_renegotiations(s)))
/* *out refers to auth_ext_data directly; no copy is made here. */
2489 *out = auth_ext_data;
2494 /* no auth extension to send */
/*
 * Supplemental-data receive callback (registered in main with
 * SSL_CTX_set_cli_supp_data for TLSEXT_SUPPLEMENTALDATATYPE_authz_data).
 * For that data type it remembers the pointer and length of the most
 * recently received supplemental data.
 *
 * NOTE(review): only the pointer is stored, not a copy of the bytes.
 * Whether the buffer behind `in` stays valid after this callback returns
 * is not visible here - confirm its lifetime before any later
 * dereference of most_recent_supplemental_data.
 * NOTE(review): the return statement is not among the lines shown.
 */
2498 static int suppdata_cb(SSL *s, unsigned short supp_data_type,
2499 const unsigned char *in,
2500 unsigned short inlen, int *al,
2503 if (supp_data_type == TLSEXT_SUPPLEMENTALDATATYPE_authz_data)
2505 most_recent_supplemental_data = in;
2506 most_recent_supplemental_data_length = inlen;
2511 static int auth_suppdata_generate_cb(SSL *s, unsigned short supp_data_type,
2512 const unsigned char **out,
2513 unsigned short *outlen, int *al, void *arg)
2515 if (c_auth && server_provided_client_authz && server_provided_server_authz)
2517 /*if auth_require_reneg flag is set, only send supplemental data if
2518 renegotiation has occurred */
2519 if (!c_auth_require_reneg
2520 || (c_auth_require_reneg && SSL_num_renegotiations(s)))
2522 generated_supp_data = OPENSSL_malloc(10);
2523 memcpy(generated_supp_data, "5432154321", 10);
2524 *out = generated_supp_data;
2529 /* no supplemental data to send */