Initialize num properly.
[openssl.git] / apps / s_client.c
1 /* apps/s_client.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111 /* ====================================================================
112  * Copyright 2005 Nokia. All rights reserved.
113  *
114  * The portions of the attached software ("Contribution") is developed by
115  * Nokia Corporation and is licensed pursuant to the OpenSSL open source
116  * license.
117  *
118  * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119  * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120  * support (see RFC 4279) to OpenSSL.
121  *
122  * No patent licenses or other rights except those expressly stated in
123  * the OpenSSL open source license shall be deemed granted or received
124  * expressly, by implication, estoppel, or otherwise.
125  *
126  * No assurances are provided by Nokia that the Contribution does not
127  * infringe the patent or other intellectual property rights of any third
128  * party or that the license provides you with all the necessary rights
129  * to make use of the Contribution.
130  *
131  * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132  * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133  * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134  * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
135  * OTHERWISE.
136  */
137
138 #include <assert.h>
139 #include <ctype.h>
140 #include <stdio.h>
141 #include <stdlib.h>
142 #include <string.h>
143 #include <openssl/e_os2.h>
144 #ifdef OPENSSL_NO_STDIO
145 #define APPS_WIN16
146 #endif
147
148 /* With IPv6, it looks like Digital has mixed up the proper order of
149    recursive header file inclusion, resulting in the compiler complaining
150    that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which
151    is needed to have fileno() declared correctly...  So let's define u_int */
152 #if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
153 #define __U_INT
154 typedef unsigned int u_int;
155 #endif
156
157 #define USE_SOCKETS
158 #include "apps.h"
159 #include <openssl/x509.h>
160 #include <openssl/ssl.h>
161 #include <openssl/err.h>
162 #include <openssl/pem.h>
163 #include <openssl/rand.h>
164 #include <openssl/ocsp.h>
165 #include <openssl/bn.h>
166 #ifndef OPENSSL_NO_SRP
167 #include <openssl/srp.h>
168 #endif
169 #include "s_apps.h"
170 #include "timeouts.h"
171
172 #if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
173 /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
174 #undef FIONBIO
175 #endif
176
177 #if defined(OPENSSL_SYS_BEOS_R5)
178 #include <fcntl.h>
179 #endif
180
181 #undef PROG
182 #define PROG    s_client_main
183
184 /*#define SSL_HOST_NAME "www.netscape.com" */
185 /*#define SSL_HOST_NAME "193.118.187.102" */
186 #define SSL_HOST_NAME   "localhost"
187
188 /*#define TEST_CERT "client.pem" */ /* no default cert. */
189
190 #undef BUFSIZZ
191 #define BUFSIZZ 1024*8
192
193 extern int verify_depth;
194 extern int verify_error;
195 extern int verify_return_error;
196 extern int verify_quiet;
197
198 #ifdef FIONBIO
199 static int c_nbio=0;
200 #endif
201 static int c_Pause=0;
202 static int c_debug=0;
203 #ifndef OPENSSL_NO_TLSEXT
204 static int c_tlsextdebug=0;
205 static int c_status_req=0;
206 #endif
207 static int c_msg=0;
208 static int c_showcerts=0;
209
210 static char *keymatexportlabel=NULL;
211 static int keymatexportlen=20;
212
213 static void sc_usage(void);
214 static void print_stuff(BIO *berr,SSL *con,int full);
215 #ifndef OPENSSL_NO_TLSEXT
216 static int ocsp_resp_cb(SSL *s, void *arg);
217 static int c_auth = 0;
218 static int c_auth_require_reneg = 0;
219 #endif
220 static BIO *bio_c_out=NULL;
221 static BIO *bio_c_msg=NULL;
222 static int c_quiet=0;
223 static int c_ign_eof=0;
224 static int c_brief=0;
225
226 #ifndef OPENSSL_NO_TLSEXT
227
228 static unsigned char *generated_supp_data = NULL;
229
230 static const unsigned char *most_recent_supplemental_data = NULL;
231 static size_t most_recent_supplemental_data_length = 0;
232
233 static int server_provided_server_authz = 0;
234 static int server_provided_client_authz = 0;
235
236 static const unsigned char auth_ext_data[]={TLSEXT_AUTHZDATAFORMAT_dtcp};
237
238 static int suppdata_cb(SSL *s, unsigned short supp_data_type,
239                        const unsigned char *in,
240                        unsigned short inlen, int *al,
241                        void *arg);
242
243 static int auth_suppdata_generate_cb(SSL *s, unsigned short supp_data_type,
244                                      const unsigned char **out,
245                                      unsigned short *outlen, int *al, void *arg);
246
247 static int authz_tlsext_generate_cb(SSL *s, unsigned short ext_type,
248                                     const unsigned char **out, unsigned short *outlen,
249                                     int *al, void *arg);
250
251 static int authz_tlsext_cb(SSL *s, unsigned short ext_type,
252                            const unsigned char *in,
253                            unsigned short inlen, int *al,
254                            void *arg);
255 #endif
256
257 #ifndef OPENSSL_NO_PSK
258 /* Default PSK identity and key */
259 static char *psk_identity="Client_identity";
260 /*char *psk_key=NULL;  by default PSK is not used */
261
262 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity,
263         unsigned int max_identity_len, unsigned char *psk,
264         unsigned int max_psk_len)
265         {
266         unsigned int psk_len = 0;
267         int ret;
268         BIGNUM *bn=NULL;
269
270         if (c_debug)
271                 BIO_printf(bio_c_out, "psk_client_cb\n");
272         if (!hint)
273                 {
274                 /* no ServerKeyExchange message*/
275                 if (c_debug)
276                         BIO_printf(bio_c_out,"NULL received PSK identity hint, continuing anyway\n");
277                 }
278         else if (c_debug)
279                 BIO_printf(bio_c_out, "Received PSK identity hint '%s'\n", hint);
280
281         /* lookup PSK identity and PSK key based on the given identity hint here */
282         ret = BIO_snprintf(identity, max_identity_len, "%s", psk_identity);
283         if (ret < 0 || (unsigned int)ret > max_identity_len)
284                 goto out_err;
285         if (c_debug)
286                 BIO_printf(bio_c_out, "created identity '%s' len=%d\n", identity, ret);
287         ret=BN_hex2bn(&bn, psk_key);
288         if (!ret)
289                 {
290                 BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", psk_key);
291                 if (bn)
292                         BN_free(bn);
293                 return 0;
294                 }
295
296         if ((unsigned int)BN_num_bytes(bn) > max_psk_len)
297                 {
298                 BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
299                         max_psk_len, BN_num_bytes(bn));
300                 BN_free(bn);
301                 return 0;
302                 }
303
304         psk_len=BN_bn2bin(bn, psk);
305         BN_free(bn);
306         if (psk_len == 0)
307                 goto out_err;
308
309         if (c_debug)
310                 BIO_printf(bio_c_out, "created PSK len=%d\n", psk_len);
311
312         return psk_len;
313  out_err:
314         if (c_debug)
315                 BIO_printf(bio_err, "Error in PSK client callback\n");
316         return 0;
317         }
318 #endif
319
320 static void sc_usage(void)
321         {
322         BIO_printf(bio_err,"usage: s_client args\n");
323         BIO_printf(bio_err,"\n");
324         BIO_printf(bio_err," -host host     - use -connect instead\n");
325         BIO_printf(bio_err," -port port     - use -connect instead\n");
326         BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR);
327         BIO_printf(bio_err," -verify arg   - turn on peer certificate verification\n");
328         BIO_printf(bio_err," -cert arg     - certificate file to use, PEM format assumed\n");
329         BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n");
330         BIO_printf(bio_err," -key arg      - Private key file to use, in cert file if\n");
331         BIO_printf(bio_err,"                 not specified but cert file is.\n");
332         BIO_printf(bio_err," -keyform arg  - key format (PEM or DER) PEM default\n");
333         BIO_printf(bio_err," -pass arg     - private key file pass phrase source\n");
334         BIO_printf(bio_err," -CApath arg   - PEM format directory of CA's\n");
335         BIO_printf(bio_err," -CAfile arg   - PEM format file of CA's\n");
336         BIO_printf(bio_err," -reconnect    - Drop and re-make the connection with the same Session-ID\n");
337         BIO_printf(bio_err," -pause        - sleep(1) after each read(2) and write(2) system call\n");
338         BIO_printf(bio_err," -showcerts    - show all certificates in the chain\n");
339         BIO_printf(bio_err," -debug        - extra output\n");
340 #ifdef WATT32
341         BIO_printf(bio_err," -wdebug       - WATT-32 tcp debugging\n");
342 #endif
343         BIO_printf(bio_err," -msg          - Show protocol messages\n");
344         BIO_printf(bio_err," -nbio_test    - more ssl protocol testing\n");
345         BIO_printf(bio_err," -state        - print the 'ssl' states\n");
346 #ifdef FIONBIO
347         BIO_printf(bio_err," -nbio         - Run with non-blocking IO\n");
348 #endif
349         BIO_printf(bio_err," -crlf         - convert LF from terminal into CRLF\n");
350         BIO_printf(bio_err," -quiet        - no s_client output\n");
351         BIO_printf(bio_err," -ign_eof      - ignore input eof (default when -quiet)\n");
352         BIO_printf(bio_err," -no_ign_eof   - don't ignore input eof\n");
353 #ifndef OPENSSL_NO_PSK
354         BIO_printf(bio_err," -psk_identity arg - PSK identity\n");
355         BIO_printf(bio_err," -psk arg      - PSK in hex (without 0x)\n");
356 # ifndef OPENSSL_NO_JPAKE
357         BIO_printf(bio_err," -jpake arg    - JPAKE secret to use\n");
358 # endif
359 #endif
360 #ifndef OPENSSL_NO_SRP
361         BIO_printf(bio_err," -srpuser user     - SRP authentification for 'user'\n");
362         BIO_printf(bio_err," -srppass arg      - password for 'user'\n");
363         BIO_printf(bio_err," -srp_lateuser     - SRP username into second ClientHello message\n");
364         BIO_printf(bio_err," -srp_moregroups   - Tolerate other than the known g N values.\n");
365         BIO_printf(bio_err," -srp_strength int - minimal mength in bits for N (default %d).\n",SRP_MINIMAL_N);
366 #endif
367         BIO_printf(bio_err," -ssl2         - just use SSLv2\n");
368         BIO_printf(bio_err," -ssl3         - just use SSLv3\n");
369         BIO_printf(bio_err," -tls1_2       - just use TLSv1.2\n");
370         BIO_printf(bio_err," -tls1_1       - just use TLSv1.1\n");
371         BIO_printf(bio_err," -tls1         - just use TLSv1\n");
372         BIO_printf(bio_err," -dtls1        - just use DTLSv1\n");    
373         BIO_printf(bio_err," -mtu          - set the link layer MTU\n");
374         BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
375         BIO_printf(bio_err," -bugs         - Switch on all SSL implementation bug workarounds\n");
376         BIO_printf(bio_err," -serverpref   - Use server's cipher preferences (only SSLv2)\n");
377         BIO_printf(bio_err," -cipher       - preferred cipher to use, use the 'openssl ciphers'\n");
378         BIO_printf(bio_err,"                 command to see what is available\n");
379         BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n");
380         BIO_printf(bio_err,"                 for those protocols that support it, where\n");
381         BIO_printf(bio_err,"                 'prot' defines which one to assume.  Currently,\n");
382         BIO_printf(bio_err,"                 only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
383         BIO_printf(bio_err,"                 are supported.\n");
384         BIO_printf(bio_err," -xmpphost host - When used with \"-starttls xmpp\" specifies the virtual host.\n");
385 #ifndef OPENSSL_NO_ENGINE
386         BIO_printf(bio_err," -engine id    - Initialise and use the specified engine\n");
387 #endif
388         BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
389         BIO_printf(bio_err," -sess_out arg - file to write SSL session to\n");
390         BIO_printf(bio_err," -sess_in arg  - file to read SSL session from\n");
391 #ifndef OPENSSL_NO_TLSEXT
392         BIO_printf(bio_err," -servername host  - Set TLS extension servername in ClientHello\n");
393         BIO_printf(bio_err," -tlsextdebug      - hex dump of all TLS extensions received\n");
394         BIO_printf(bio_err," -status           - request certificate status from server\n");
395         BIO_printf(bio_err," -no_ticket        - disable use of RFC4507bis session tickets\n");
396         BIO_printf(bio_err," -serverinfo types - send empty ClientHello extensions (comma-separated numbers)\n");
397         BIO_printf(bio_err," -auth               - send and receive RFC 5878 TLS auth extensions and supplemental data\n");
398         BIO_printf(bio_err," -auth_require_reneg - Do not send TLS auth extensions until renegotiation\n");
399 # ifndef OPENSSL_NO_NEXTPROTONEG
400         BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
401 # endif
402         BIO_printf(bio_err," -alpn arg         - enable ALPN extension, considering named protocols supported (comma-separated list)\n");
403 #endif
404         BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
405         BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
406         BIO_printf(bio_err," -keymatexport label   - Export keying material using label\n");
407         BIO_printf(bio_err," -keymatexportlen len  - Export len bytes of keying material (default 20)\n");
408         }
409
410 #ifndef OPENSSL_NO_TLSEXT
411
412 /* This is a context that we pass to callbacks */
413 typedef struct tlsextctx_st {
414    BIO * biodebug;
415    int ack;
416 } tlsextctx;
417
418
419 static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
420         {
421         tlsextctx * p = (tlsextctx *) arg;
422         const char * hn= SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
423         if (SSL_get_servername_type(s) != -1) 
424                 p->ack = !SSL_session_reused(s) && hn != NULL;
425         else 
426                 BIO_printf(bio_err,"Can't use SSL_get_servername\n");
427         
428         return SSL_TLSEXT_ERR_OK;
429         }
430
431 #ifndef OPENSSL_NO_SRP
432
433 /* This is a context that we pass to all callbacks */
434 typedef struct srp_arg_st
435         {
436         char *srppassin;
437         char *srplogin;
438         int msg;   /* copy from c_msg */
439         int debug; /* copy from c_debug */
440         int amp;   /* allow more groups */
441         int strength /* minimal size for N */ ;
442         } SRP_ARG;
443
444 #define SRP_NUMBER_ITERATIONS_FOR_PRIME 64
445
446 static int srp_Verify_N_and_g(const BIGNUM *N, const BIGNUM *g)
447         {
448         BN_CTX *bn_ctx = BN_CTX_new();
449         BIGNUM *p = BN_new();
450         BIGNUM *r = BN_new();
451         int ret =
452                 g != NULL && N != NULL && bn_ctx != NULL && BN_is_odd(N) &&
453                 BN_is_prime_ex(N, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
454                 p != NULL && BN_rshift1(p, N) &&
455
456                 /* p = (N-1)/2 */
457                 BN_is_prime_ex(p, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
458                 r != NULL &&
459
460                 /* verify g^((N-1)/2) == -1 (mod N) */
461                 BN_mod_exp(r, g, p, N, bn_ctx) &&
462                 BN_add_word(r, 1) &&
463                 BN_cmp(r, N) == 0;
464
465         if(r)
466                 BN_free(r);
467         if(p)
468                 BN_free(p);
469         if(bn_ctx)
470                 BN_CTX_free(bn_ctx);
471         return ret;
472         }
473
474 /* This callback is used here for two purposes:
475    - extended debugging
476    - making some primality tests for unknown groups
477    The callback is only called for a non default group.
478
479    An application does not need the call back at all if
480    only the stanard groups are used.  In real life situations, 
481    client and server already share well known groups, 
482    thus there is no need to verify them. 
483    Furthermore, in case that a server actually proposes a group that
484    is not one of those defined in RFC 5054, it is more appropriate 
485    to add the group to a static list and then compare since 
486    primality tests are rather cpu consuming.
487 */
488
489 static int MS_CALLBACK ssl_srp_verify_param_cb(SSL *s, void *arg)
490         {
491         SRP_ARG *srp_arg = (SRP_ARG *)arg;
492         BIGNUM *N = NULL, *g = NULL;
493         if (!(N = SSL_get_srp_N(s)) || !(g = SSL_get_srp_g(s)))
494                 return 0;
495         if (srp_arg->debug || srp_arg->msg || srp_arg->amp == 1)
496                 {
497                 BIO_printf(bio_err, "SRP parameters:\n"); 
498                 BIO_printf(bio_err,"\tN="); BN_print(bio_err,N);
499                 BIO_printf(bio_err,"\n\tg="); BN_print(bio_err,g);
500                 BIO_printf(bio_err,"\n");
501                 }
502
503         if (SRP_check_known_gN_param(g,N))
504                 return 1;
505
506         if (srp_arg->amp == 1)
507                 {
508                 if (srp_arg->debug)
509                         BIO_printf(bio_err, "SRP param N and g are not known params, going to check deeper.\n");
510
511 /* The srp_moregroups is a real debugging feature.
512    Implementors should rather add the value to the known ones.
513    The minimal size has already been tested.
514 */
515                 if (BN_num_bits(g) <= BN_BITS && srp_Verify_N_and_g(N,g))
516                         return 1;
517                 }       
518         BIO_printf(bio_err, "SRP param N and g rejected.\n");
519         return 0;
520         }
521
522 #define PWD_STRLEN 1024
523
524 static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
525         {
526         SRP_ARG *srp_arg = (SRP_ARG *)arg;
527         char *pass = (char *)OPENSSL_malloc(PWD_STRLEN+1);
528         PW_CB_DATA cb_tmp;
529         int l;
530
531         cb_tmp.password = (char *)srp_arg->srppassin;
532         cb_tmp.prompt_info = "SRP user";
533         if ((l = password_callback(pass, PWD_STRLEN, 0, &cb_tmp))<0)
534                 {
535                 BIO_printf (bio_err, "Can't read Password\n");
536                 OPENSSL_free(pass);
537                 return NULL;
538                 }
539         *(pass+l)= '\0';
540
541         return pass;
542         }
543
544 #endif
545         char *srtp_profiles = NULL;
546
547 # ifndef OPENSSL_NO_NEXTPROTONEG
548 /* This the context that we pass to next_proto_cb */
549 typedef struct tlsextnextprotoctx_st {
550         unsigned char *data;
551         unsigned short len;
552         int status;
553 } tlsextnextprotoctx;
554
555 static tlsextnextprotoctx next_proto;
556
557 static int next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg)
558         {
559         tlsextnextprotoctx *ctx = arg;
560
561         if (!c_quiet)
562                 {
563                 /* We can assume that |in| is syntactically valid. */
564                 unsigned i;
565                 BIO_printf(bio_c_out, "Protocols advertised by server: ");
566                 for (i = 0; i < inlen; )
567                         {
568                         if (i)
569                                 BIO_write(bio_c_out, ", ", 2);
570                         BIO_write(bio_c_out, &in[i + 1], in[i]);
571                         i += in[i] + 1;
572                         }
573                 BIO_write(bio_c_out, "\n", 1);
574                 }
575
576         ctx->status = SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len);
577         return SSL_TLSEXT_ERR_OK;
578         }
579 # endif  /* ndef OPENSSL_NO_NEXTPROTONEG */
580
581 static int serverinfo_cli_cb(SSL* s, unsigned short ext_type,
582                              const unsigned char* in, unsigned short inlen, 
583                              int* al, void* arg)
584         {
585         char pem_name[100];
586         unsigned char ext_buf[4 + 65536];
587
588         /* Reconstruct the type/len fields prior to extension data */
589         ext_buf[0] = ext_type >> 8;
590         ext_buf[1] = ext_type & 0xFF;
591         ext_buf[2] = inlen >> 8;
592         ext_buf[3] = inlen & 0xFF;
593         memcpy(ext_buf+4, in, inlen);
594
595         BIO_snprintf(pem_name, sizeof(pem_name), "SERVERINFO FOR EXTENSION %d",
596                      ext_type);
597         PEM_write_bio(bio_c_out, pem_name, "", ext_buf, 4 + inlen);
598         return 1;
599         }
600
601 #endif
602
603 enum
604 {
605         PROTO_OFF       = 0,
606         PROTO_SMTP,
607         PROTO_POP3,
608         PROTO_IMAP,
609         PROTO_FTP,
610         PROTO_XMPP
611 };
612
613 int MAIN(int, char **);
614
615 int MAIN(int argc, char **argv)
616         {
617         int build_chain = 0;
618         SSL *con=NULL;
619 #ifndef OPENSSL_NO_KRB5
620         KSSL_CTX *kctx;
621 #endif
622         int s,k,width,state=0;
623         char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL;
624         int cbuf_len,cbuf_off;
625         int sbuf_len,sbuf_off;
626         fd_set readfds,writefds;
627         short port=PORT;
628         int full_log=1;
629         char *host=SSL_HOST_NAME;
630         char *xmpphost = NULL;
631         char *cert_file=NULL,*key_file=NULL,*chain_file=NULL;
632         int cert_format = FORMAT_PEM, key_format = FORMAT_PEM;
633         char *passarg = NULL, *pass = NULL;
634         X509 *cert = NULL;
635         EVP_PKEY *key = NULL;
636         STACK_OF(X509) *chain = NULL;
637         char *CApath=NULL,*CAfile=NULL;
638         char *chCApath=NULL,*chCAfile=NULL;
639         char *vfyCApath=NULL,*vfyCAfile=NULL;
640         int reconnect=0,badop=0,verify=SSL_VERIFY_NONE;
641         int crlf=0;
642         int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending;
643         SSL_CTX *ctx=NULL;
644         int ret=1,in_init=1,i,nbio_test=0;
645         int starttls_proto = PROTO_OFF;
646         int prexit = 0;
647         X509_VERIFY_PARAM *vpm = NULL;
648         int badarg = 0;
649         const SSL_METHOD *meth=NULL;
650         int socket_type=SOCK_STREAM;
651         BIO *sbio;
652         char *inrand=NULL;
653         int mbuf_len=0;
654         struct timeval timeout, *timeoutp;
655 #ifndef OPENSSL_NO_ENGINE
656         char *engine_id=NULL;
657         char *ssl_client_engine_id=NULL;
658         ENGINE *ssl_client_engine=NULL;
659 #endif
660         ENGINE *e=NULL;
661 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
662         struct timeval tv;
663 #if defined(OPENSSL_SYS_BEOS_R5)
664         int stdin_set = 0;
665 #endif
666 #endif
667 #ifndef OPENSSL_NO_TLSEXT
668         char *servername = NULL; 
669         tlsextctx tlsextcbp = 
670         {NULL,0};
671 # ifndef OPENSSL_NO_NEXTPROTONEG
672         const char *next_proto_neg_in = NULL;
673 # endif
674         const char *alpn_in = NULL;
675 # define MAX_SI_TYPES 100
676         unsigned short serverinfo_types[MAX_SI_TYPES];
677         int serverinfo_types_count = 0;
678 #endif
679         char *sess_in = NULL;
680         char *sess_out = NULL;
681         struct sockaddr peer;
682         int peerlen = sizeof(peer);
683         int enable_timeouts = 0 ;
684         long socket_mtu = 0;
685 #ifndef OPENSSL_NO_JPAKE
686 static char *jpake_secret = NULL;
687 #define no_jpake !jpake_secret
688 #else
689 #define no_jpake 1
690 #endif
691 #ifndef OPENSSL_NO_SRP
692         char * srppass = NULL;
693         int srp_lateuser = 0;
694         SRP_ARG srp_arg = {NULL,NULL,0,0,0,1024};
695 #endif
696         SSL_EXCERT *exc = NULL;
697
698         SSL_CONF_CTX *cctx = NULL;
699         STACK_OF(OPENSSL_STRING) *ssl_args = NULL;
700
701         char *crl_file = NULL;
702         int crl_format = FORMAT_PEM;
703         int crl_download = 0;
704         STACK_OF(X509_CRL) *crls = NULL;
705         int sdebug = 0;
706
707         meth=SSLv23_client_method();
708
709         apps_startup();
710         c_Pause=0;
711         c_quiet=0;
712         c_ign_eof=0;
713         c_debug=0;
714         c_msg=0;
715         c_showcerts=0;
716
717         if (bio_err == NULL)
718                 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
719
720         if (!load_config(bio_err, NULL))
721                 goto end;
722         cctx = SSL_CONF_CTX_new();
723         if (!cctx)
724                 goto end;
725         SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT);
726         SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CMDLINE);
727
728         if (    ((cbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
729                 ((sbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
730                 ((mbuf=OPENSSL_malloc(BUFSIZZ)) == NULL))
731                 {
732                 BIO_printf(bio_err,"out of memory\n");
733                 goto end;
734                 }
735
736         verify_depth=0;
737         verify_error=X509_V_OK;
738 #ifdef FIONBIO
739         c_nbio=0;
740 #endif
741
742         argc--;
743         argv++;
744         while (argc >= 1)
745                 {
746                 if      (strcmp(*argv,"-host") == 0)
747                         {
748                         if (--argc < 1) goto bad;
749                         host= *(++argv);
750                         }
751                 else if (strcmp(*argv,"-port") == 0)
752                         {
753                         if (--argc < 1) goto bad;
754                         port=atoi(*(++argv));
755                         if (port == 0) goto bad;
756                         }
757                 else if (strcmp(*argv,"-connect") == 0)
758                         {
759                         if (--argc < 1) goto bad;
760                         if (!extract_host_port(*(++argv),&host,NULL,&port))
761                                 goto bad;
762                         }
763                 else if (strcmp(*argv,"-xmpphost") == 0)
764                         {
765                         if (--argc < 1) goto bad;
766                         xmpphost= *(++argv);
767                         }
768                 else if (strcmp(*argv,"-verify") == 0)
769                         {
770                         verify=SSL_VERIFY_PEER;
771                         if (--argc < 1) goto bad;
772                         verify_depth=atoi(*(++argv));
773                         if (!c_quiet)
774                                 BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
775                         }
776                 else if (strcmp(*argv,"-cert") == 0)
777                         {
778                         if (--argc < 1) goto bad;
779                         cert_file= *(++argv);
780                         }
781                 else if (strcmp(*argv,"-CRL") == 0)
782                         {
783                         if (--argc < 1) goto bad;
784                         crl_file= *(++argv);
785                         }
786                 else if (strcmp(*argv,"-crl_download") == 0)
787                         crl_download = 1;
788                 else if (strcmp(*argv,"-sess_out") == 0)
789                         {
790                         if (--argc < 1) goto bad;
791                         sess_out = *(++argv);
792                         }
793                 else if (strcmp(*argv,"-sess_in") == 0)
794                         {
795                         if (--argc < 1) goto bad;
796                         sess_in = *(++argv);
797                         }
798                 else if (strcmp(*argv,"-certform") == 0)
799                         {
800                         if (--argc < 1) goto bad;
801                         cert_format = str2fmt(*(++argv));
802                         }
803                 else if (strcmp(*argv,"-CRLform") == 0)
804                         {
805                         if (--argc < 1) goto bad;
806                         crl_format = str2fmt(*(++argv));
807                         }
808                 else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
809                         {
810                         if (badarg)
811                                 goto bad;
812                         continue;
813                         }
814                 else if (strcmp(*argv,"-verify_return_error") == 0)
815                         verify_return_error = 1;
816                 else if (strcmp(*argv,"-verify_quiet") == 0)
817                         verify_quiet = 1;
818                 else if (strcmp(*argv,"-brief") == 0)
819                         {
820                         c_brief = 1;
821                         verify_quiet = 1;
822                         c_quiet = 1;
823                         }
824                 else if (args_excert(&argv, &argc, &badarg, bio_err, &exc))
825                         {
826                         if (badarg)
827                                 goto bad;
828                         continue;
829                         }
830                 else if (args_ssl(&argv, &argc, cctx, &badarg, bio_err, &ssl_args))
831                         {
832                         if (badarg)
833                                 goto bad;
834                         continue;
835                         }
836                 else if (strcmp(*argv,"-prexit") == 0)
837                         prexit=1;
838                 else if (strcmp(*argv,"-crlf") == 0)
839                         crlf=1;
840                 else if (strcmp(*argv,"-quiet") == 0)
841                         {
842                         c_quiet=1;
843                         c_ign_eof=1;
844                         }
845                 else if (strcmp(*argv,"-ign_eof") == 0)
846                         c_ign_eof=1;
847                 else if (strcmp(*argv,"-no_ign_eof") == 0)
848                         c_ign_eof=0;
849                 else if (strcmp(*argv,"-pause") == 0)
850                         c_Pause=1;
851                 else if (strcmp(*argv,"-debug") == 0)
852                         c_debug=1;
853 #ifndef OPENSSL_NO_TLSEXT
854                 else if (strcmp(*argv,"-tlsextdebug") == 0)
855                         c_tlsextdebug=1;
856                 else if (strcmp(*argv,"-status") == 0)
857                         c_status_req=1;
858                 else if (strcmp(*argv,"-auth") == 0)
859                         c_auth = 1;
860                 else if (strcmp(*argv,"-auth_require_reneg") == 0)
861                         c_auth_require_reneg = 1;
862 #endif
863 #ifdef WATT32
864                 else if (strcmp(*argv,"-wdebug") == 0)
865                         dbug_init();
866 #endif
867                 else if (strcmp(*argv,"-msg") == 0)
868                         c_msg=1;
869                 else if (strcmp(*argv,"-msgfile") == 0)
870                         {
871                         if (--argc < 1) goto bad;
872                         bio_c_msg = BIO_new_file(*(++argv), "w");
873                         }
874 #ifndef OPENSSL_NO_SSL_TRACE
875                 else if (strcmp(*argv,"-trace") == 0)
876                         c_msg=2;
877 #endif
878                 else if (strcmp(*argv,"-security_debug") == 0)
879                         { sdebug=1; }
880                 else if (strcmp(*argv,"-security_debug_verbose") == 0)
881                         { sdebug=2; }
882                 else if (strcmp(*argv,"-showcerts") == 0)
883                         c_showcerts=1;
884                 else if (strcmp(*argv,"-nbio_test") == 0)
885                         nbio_test=1;
886                 else if (strcmp(*argv,"-state") == 0)
887                         state=1;
888 #ifndef OPENSSL_NO_PSK
889                 else if (strcmp(*argv,"-psk_identity") == 0)
890                         {
891                         if (--argc < 1) goto bad;
892                         psk_identity=*(++argv);
893                         }
894                 else if (strcmp(*argv,"-psk") == 0)
895                         {
896                         size_t j;
897
898                         if (--argc < 1) goto bad;
899                         psk_key=*(++argv);
900                         for (j = 0; j < strlen(psk_key); j++)
901                                 {
902                                 if (isxdigit((unsigned char)psk_key[j]))
903                                         continue;
904                                 BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
905                                 goto bad;
906                                 }
907                         }
908 #endif
909 #ifndef OPENSSL_NO_SRP
910                 else if (strcmp(*argv,"-srpuser") == 0)
911                         {
912                         if (--argc < 1) goto bad;
913                         srp_arg.srplogin= *(++argv);
914                         meth=TLSv1_client_method();
915                         }
916                 else if (strcmp(*argv,"-srppass") == 0)
917                         {
918                         if (--argc < 1) goto bad;
919                         srppass= *(++argv);
920                         meth=TLSv1_client_method();
921                         }
922                 else if (strcmp(*argv,"-srp_strength") == 0)
923                         {
924                         if (--argc < 1) goto bad;
925                         srp_arg.strength=atoi(*(++argv));
926                         BIO_printf(bio_err,"SRP minimal length for N is %d\n",srp_arg.strength);
927                         meth=TLSv1_client_method();
928                         }
929                 else if (strcmp(*argv,"-srp_lateuser") == 0)
930                         {
931                         srp_lateuser= 1;
932                         meth=TLSv1_client_method();
933                         }
934                 else if (strcmp(*argv,"-srp_moregroups") == 0)
935                         {
936                         srp_arg.amp=1;
937                         meth=TLSv1_client_method();
938                         }
939 #endif
940 #ifndef OPENSSL_NO_SSL2
941                 else if (strcmp(*argv,"-ssl2") == 0)
942                         meth=SSLv2_client_method();
943 #endif
944 #ifndef OPENSSL_NO_SSL3
945                 else if (strcmp(*argv,"-ssl3") == 0)
946                         meth=SSLv3_client_method();
947 #endif
948 #ifndef OPENSSL_NO_TLS1
949                 else if (strcmp(*argv,"-tls1_2") == 0)
950                         meth=TLSv1_2_client_method();
951                 else if (strcmp(*argv,"-tls1_1") == 0)
952                         meth=TLSv1_1_client_method();
953                 else if (strcmp(*argv,"-tls1") == 0)
954                         meth=TLSv1_client_method();
955 #endif
956 #ifndef OPENSSL_NO_DTLS1
957                 else if (strcmp(*argv,"-dtls") == 0)
958                         {
959                         meth=DTLS_client_method();
960                         socket_type=SOCK_DGRAM;
961                         }
962                 else if (strcmp(*argv,"-dtls1") == 0)
963                         {
964                         meth=DTLSv1_client_method();
965                         socket_type=SOCK_DGRAM;
966                         }
967                 else if (strcmp(*argv,"-dtls1_2") == 0)
968                         {
969                         meth=DTLSv1_2_client_method();
970                         socket_type=SOCK_DGRAM;
971                         }
972                 else if (strcmp(*argv,"-timeout") == 0)
973                         enable_timeouts=1;
974                 else if (strcmp(*argv,"-mtu") == 0)
975                         {
976                         if (--argc < 1) goto bad;
977                         socket_mtu = atol(*(++argv));
978                         }
979 #endif
980                 else if (strcmp(*argv,"-keyform") == 0)
981                         {
982                         if (--argc < 1) goto bad;
983                         key_format = str2fmt(*(++argv));
984                         }
985                 else if (strcmp(*argv,"-pass") == 0)
986                         {
987                         if (--argc < 1) goto bad;
988                         passarg = *(++argv);
989                         }
990                 else if (strcmp(*argv,"-cert_chain") == 0)
991                         {
992                         if (--argc < 1) goto bad;
993                         chain_file= *(++argv);
994                         }
995                 else if (strcmp(*argv,"-key") == 0)
996                         {
997                         if (--argc < 1) goto bad;
998                         key_file= *(++argv);
999                         }
1000                 else if (strcmp(*argv,"-reconnect") == 0)
1001                         {
1002                         reconnect=5;
1003                         }
1004                 else if (strcmp(*argv,"-CApath") == 0)
1005                         {
1006                         if (--argc < 1) goto bad;
1007                         CApath= *(++argv);
1008                         }
1009                 else if (strcmp(*argv,"-chainCApath") == 0)
1010                         {
1011                         if (--argc < 1) goto bad;
1012                         chCApath= *(++argv);
1013                         }
1014                 else if (strcmp(*argv,"-verifyCApath") == 0)
1015                         {
1016                         if (--argc < 1) goto bad;
1017                         vfyCApath= *(++argv);
1018                         }
1019                 else if (strcmp(*argv,"-build_chain") == 0)
1020                         build_chain = 1;
1021                 else if (strcmp(*argv,"-CAfile") == 0)
1022                         {
1023                         if (--argc < 1) goto bad;
1024                         CAfile= *(++argv);
1025                         }
1026                 else if (strcmp(*argv,"-chainCAfile") == 0)
1027                         {
1028                         if (--argc < 1) goto bad;
1029                         chCAfile= *(++argv);
1030                         }
1031                 else if (strcmp(*argv,"-verifyCAfile") == 0)
1032                         {
1033                         if (--argc < 1) goto bad;
1034                         vfyCAfile= *(++argv);
1035                         }
1036 #ifndef OPENSSL_NO_TLSEXT
1037 # ifndef OPENSSL_NO_NEXTPROTONEG
1038                 else if (strcmp(*argv,"-nextprotoneg") == 0)
1039                         {
1040                         if (--argc < 1) goto bad;
1041                         next_proto_neg_in = *(++argv);
1042                         }
1043 # endif
1044                 else if (strcmp(*argv,"-alpn") == 0)
1045                         {
1046                         if (--argc < 1) goto bad;
1047                         alpn_in = *(++argv);
1048                         }
1049                 else if (strcmp(*argv,"-serverinfo") == 0)
1050                         {
1051                         char *c;
1052                         int start = 0;
1053                         int len;
1054
1055                         if (--argc < 1) goto bad;
1056                         c = *(++argv);
1057                         serverinfo_types_count = 0;
1058                         len = strlen(c);
1059                         for (i = 0; i <= len; ++i)
1060                                 {
1061                                 if (i == len || c[i] == ',')
1062                                         {
1063                                         serverinfo_types[serverinfo_types_count]
1064                                             = atoi(c+start);
1065                                         serverinfo_types_count++;
1066                                         start = i+1;
1067                                         }
1068                                 if (serverinfo_types_count == MAX_SI_TYPES)
1069                                         break;
1070                                 }
1071                         }
1072 #endif
1073 #ifdef FIONBIO
1074                 else if (strcmp(*argv,"-nbio") == 0)
1075                         { c_nbio=1; }
1076 #endif
1077                 else if (strcmp(*argv,"-starttls") == 0)
1078                         {
1079                         if (--argc < 1) goto bad;
1080                         ++argv;
1081                         if (strcmp(*argv,"smtp") == 0)
1082                                 starttls_proto = PROTO_SMTP;
1083                         else if (strcmp(*argv,"pop3") == 0)
1084                                 starttls_proto = PROTO_POP3;
1085                         else if (strcmp(*argv,"imap") == 0)
1086                                 starttls_proto = PROTO_IMAP;
1087                         else if (strcmp(*argv,"ftp") == 0)
1088                                 starttls_proto = PROTO_FTP;
1089                         else if (strcmp(*argv, "xmpp") == 0)
1090                                 starttls_proto = PROTO_XMPP;
1091                         else
1092                                 goto bad;
1093                         }
1094 #ifndef OPENSSL_NO_ENGINE
1095                 else if (strcmp(*argv,"-engine") == 0)
1096                         {
1097                         if (--argc < 1) goto bad;
1098                         engine_id = *(++argv);
1099                         }
1100                 else if (strcmp(*argv,"-ssl_client_engine") == 0)
1101                         {
1102                         if (--argc < 1) goto bad;
1103                         ssl_client_engine_id = *(++argv);
1104                         }
1105 #endif
1106                 else if (strcmp(*argv,"-rand") == 0)
1107                         {
1108                         if (--argc < 1) goto bad;
1109                         inrand= *(++argv);
1110                         }
1111 #ifndef OPENSSL_NO_TLSEXT
1112                 else if (strcmp(*argv,"-servername") == 0)
1113                         {
1114                         if (--argc < 1) goto bad;
1115                         servername= *(++argv);
1116                         /* meth=TLSv1_client_method(); */
1117                         }
1118 #endif
1119 #ifndef OPENSSL_NO_JPAKE
1120                 else if (strcmp(*argv,"-jpake") == 0)
1121                         {
1122                         if (--argc < 1) goto bad;
1123                         jpake_secret = *++argv;
1124                         }
1125 #endif
1126                 else if (strcmp(*argv,"-use_srtp") == 0)
1127                         {
1128                         if (--argc < 1) goto bad;
1129                         srtp_profiles = *(++argv);
1130                         }
1131                 else if (strcmp(*argv,"-keymatexport") == 0)
1132                         {
1133                         if (--argc < 1) goto bad;
1134                         keymatexportlabel= *(++argv);
1135                         }
1136                 else if (strcmp(*argv,"-keymatexportlen") == 0)
1137                         {
1138                         if (--argc < 1) goto bad;
1139                         keymatexportlen=atoi(*(++argv));
1140                         if (keymatexportlen == 0) goto bad;
1141                         }
1142                 else
1143                         {
1144                         BIO_printf(bio_err,"unknown option %s\n",*argv);
1145                         badop=1;
1146                         break;
1147                         }
1148                 argc--;
1149                 argv++;
1150                 }
1151         if (badop)
1152                 {
1153 bad:
1154                 sc_usage();
1155                 goto end;
1156                 }
1157
1158 #if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
1159         if (jpake_secret)
1160                 {
1161                 if (psk_key)
1162                         {
1163                         BIO_printf(bio_err,
1164                                    "Can't use JPAKE and PSK together\n");
1165                         goto end;
1166                         }
1167                 psk_identity = "JPAKE";
1168                 }
1169 #endif
1170
1171         OpenSSL_add_ssl_algorithms();
1172         SSL_load_error_strings();
1173
1174 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
1175         next_proto.status = -1;
1176         if (next_proto_neg_in)
1177                 {
1178                 next_proto.data = next_protos_parse(&next_proto.len, next_proto_neg_in);
1179                 if (next_proto.data == NULL)
1180                         {
1181                         BIO_printf(bio_err, "Error parsing -nextprotoneg argument\n");
1182                         goto end;
1183                         }
1184                 }
1185         else
1186                 next_proto.data = NULL;
1187 #endif
1188
1189 #ifndef OPENSSL_NO_ENGINE
1190         e = setup_engine(bio_err, engine_id, 1);
1191         if (ssl_client_engine_id)
1192                 {
1193                 ssl_client_engine = ENGINE_by_id(ssl_client_engine_id);
1194                 if (!ssl_client_engine)
1195                         {
1196                         BIO_printf(bio_err,
1197                                         "Error getting client auth engine\n");
1198                         goto end;
1199                         }
1200                 }
1201
1202 #endif
1203         if (!app_passwd(bio_err, passarg, NULL, &pass, NULL))
1204                 {
1205                 BIO_printf(bio_err, "Error getting password\n");
1206                 goto end;
1207                 }
1208
1209         if (key_file == NULL)
1210                 key_file = cert_file;
1211
1212
1213         if (key_file)
1214
1215                 {
1216
1217                 key = load_key(bio_err, key_file, key_format, 0, pass, e,
1218                                "client certificate private key file");
1219                 if (!key)
1220                         {
1221                         ERR_print_errors(bio_err);
1222                         goto end;
1223                         }
1224
1225                 }
1226
1227         if (cert_file)
1228
1229                 {
1230                 cert = load_cert(bio_err,cert_file,cert_format,
1231                                 NULL, e, "client certificate file");
1232
1233                 if (!cert)
1234                         {
1235                         ERR_print_errors(bio_err);
1236                         goto end;
1237                         }
1238                 }
1239
1240         if (chain_file)
1241                 {
1242                 chain = load_certs(bio_err, chain_file,FORMAT_PEM,
1243                                         NULL, e, "client certificate chain");
1244                 if (!chain)
1245                         goto end;
1246                 }
1247
1248         if (crl_file)
1249                 {
1250                 X509_CRL *crl;
1251                 crl = load_crl(crl_file, crl_format);
1252                 if (!crl)
1253                         {
1254                         BIO_puts(bio_err, "Error loading CRL\n");
1255                         ERR_print_errors(bio_err);
1256                         goto end;
1257                         }
1258                 crls = sk_X509_CRL_new_null();
1259                 if (!crls || !sk_X509_CRL_push(crls, crl))
1260                         {
1261                         BIO_puts(bio_err, "Error adding CRL\n");
1262                         ERR_print_errors(bio_err);
1263                         X509_CRL_free(crl);
1264                         goto end;
1265                         }
1266                 }
1267
1268         if (!load_excert(&exc, bio_err))
1269                 goto end;
1270
1271         if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
1272                 && !RAND_status())
1273                 {
1274                 BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
1275                 }
1276         if (inrand != NULL)
1277                 BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
1278                         app_RAND_load_files(inrand));
1279
1280         if (bio_c_out == NULL)
1281                 {
1282                 if (c_quiet && !c_debug)
1283                         {
1284                         bio_c_out=BIO_new(BIO_s_null());
1285                         if (c_msg && !bio_c_msg)
1286                                 bio_c_msg=BIO_new_fp(stdout,BIO_NOCLOSE);
1287                         }
1288                 else
1289                         {
1290                         if (bio_c_out == NULL)
1291                                 bio_c_out=BIO_new_fp(stdout,BIO_NOCLOSE);
1292                         }
1293                 }
1294
1295 #ifndef OPENSSL_NO_SRP
1296         if(!app_passwd(bio_err, srppass, NULL, &srp_arg.srppassin, NULL))
1297                 {
1298                 BIO_printf(bio_err, "Error getting password\n");
1299                 goto end;
1300                 }
1301 #endif
1302
1303         ctx=SSL_CTX_new(meth);
1304         if (ctx == NULL)
1305                 {
1306                 ERR_print_errors(bio_err);
1307                 goto end;
1308                 }
1309
1310         if (sdebug)
1311                 ssl_ctx_security_debug(ctx, bio_err, sdebug);
1312
1313         if (vpm)
1314                 SSL_CTX_set1_param(ctx, vpm);
1315
1316         if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, 1, no_jpake))
1317                 {
1318                 ERR_print_errors(bio_err);
1319                 goto end;
1320                 }
1321
1322         if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile,
1323                                                 crls, crl_download))
1324                 {
1325                 BIO_printf(bio_err, "Error loading store locations\n");
1326                 ERR_print_errors(bio_err);
1327                 goto end;
1328                 }
1329
1330 #ifndef OPENSSL_NO_ENGINE
1331         if (ssl_client_engine)
1332                 {
1333                 if (!SSL_CTX_set_client_cert_engine(ctx, ssl_client_engine))
1334                         {
1335                         BIO_puts(bio_err, "Error setting client auth engine\n");
1336                         ERR_print_errors(bio_err);
1337                         ENGINE_free(ssl_client_engine);
1338                         goto end;
1339                         }
1340                 ENGINE_free(ssl_client_engine);
1341                 }
1342 #endif
1343
1344 #ifndef OPENSSL_NO_PSK
1345 #ifdef OPENSSL_NO_JPAKE
1346         if (psk_key != NULL)
1347 #else
1348         if (psk_key != NULL || jpake_secret)
1349 #endif
1350                 {
1351                 if (c_debug)
1352                         BIO_printf(bio_c_out, "PSK key given or JPAKE in use, setting client callback\n");
1353                 SSL_CTX_set_psk_client_callback(ctx, psk_client_cb);
1354                 }
1355         if (srtp_profiles != NULL)
1356                 SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles);
1357 #endif
1358         if (exc) ssl_ctx_set_excert(ctx, exc);
1359         /* DTLS: partial reads end up discarding unread UDP bytes :-( 
1360          * Setting read ahead solves this problem.
1361          */
1362         if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
1363
1364 #if !defined(OPENSSL_NO_TLSEXT)
1365 # if !defined(OPENSSL_NO_NEXTPROTONEG)
1366         if (next_proto.data)
1367                 SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);
1368 # endif
1369         if (alpn_in)
1370                 {
1371                 unsigned short alpn_len;
1372                 unsigned char *alpn = next_protos_parse(&alpn_len, alpn_in);
1373
1374                 if (alpn == NULL)
1375                         {
1376                         BIO_printf(bio_err, "Error parsing -alpn argument\n");
1377                         goto end;
1378                         }
1379                 SSL_CTX_set_alpn_protos(ctx, alpn, alpn_len);
1380                 OPENSSL_free(alpn);
1381                 }
1382 #endif
1383 #ifndef OPENSSL_NO_TLSEXT
1384                 if (serverinfo_types_count)
1385                         {
1386                         for (i = 0; i < serverinfo_types_count; i++)
1387                                 {
1388                                 SSL_CTX_set_custom_cli_ext(ctx,
1389                                                            serverinfo_types[i],
1390                                                            NULL, 
1391                                                            serverinfo_cli_cb,
1392                                                            NULL);
1393                                 }
1394                         }
1395 #endif
1396
1397         if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
1398 #if 0
1399         else
1400                 SSL_CTX_set_cipher_list(ctx,getenv("SSL_CIPHER"));
1401 #endif
1402
1403         SSL_CTX_set_verify(ctx,verify,verify_callback);
1404
1405         if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
1406                 (!SSL_CTX_set_default_verify_paths(ctx)))
1407                 {
1408                 /* BIO_printf(bio_err,"error setting default verify locations\n"); */
1409                 ERR_print_errors(bio_err);
1410                 /* goto end; */
1411                 }
1412
1413         ssl_ctx_add_crls(ctx, crls, crl_download);
1414
1415         if (!set_cert_key_stuff(ctx,cert,key,chain,build_chain))
1416                 goto end;
1417
1418 #ifndef OPENSSL_NO_TLSEXT
1419         if (servername != NULL)
1420                 {
1421                 tlsextcbp.biodebug = bio_err;
1422                 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
1423                 SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
1424                 }
1425 #ifndef OPENSSL_NO_SRP
1426         if (srp_arg.srplogin)
1427                 {
1428                 if (!srp_lateuser && !SSL_CTX_set_srp_username(ctx, srp_arg.srplogin))
1429                         {
1430                         BIO_printf(bio_err,"Unable to set SRP username\n");
1431                         goto end;
1432                         }
1433                 srp_arg.msg = c_msg;
1434                 srp_arg.debug = c_debug ;
1435                 SSL_CTX_set_srp_cb_arg(ctx,&srp_arg);
1436                 SSL_CTX_set_srp_client_pwd_callback(ctx, ssl_give_srp_client_pwd_cb);
1437                 SSL_CTX_set_srp_strength(ctx, srp_arg.strength);
1438                 if (c_msg || c_debug || srp_arg.amp == 0)
1439                         SSL_CTX_set_srp_verify_param_callback(ctx, ssl_srp_verify_param_cb);
1440                 }
1441
1442 #endif
1443         if (c_auth)
1444                 {
1445                 SSL_CTX_set_custom_cli_ext(ctx, TLSEXT_TYPE_client_authz, authz_tlsext_generate_cb, authz_tlsext_cb, bio_err);
1446                 SSL_CTX_set_custom_cli_ext(ctx, TLSEXT_TYPE_server_authz, authz_tlsext_generate_cb, authz_tlsext_cb, bio_err);
1447                 SSL_CTX_set_cli_supp_data(ctx, TLSEXT_SUPPLEMENTALDATATYPE_authz_data, suppdata_cb, auth_suppdata_generate_cb, bio_err);
1448                 }
1449 #endif
1450
1451         con=SSL_new(ctx);
1452         if (sess_in)
1453                 {
1454                 SSL_SESSION *sess;
1455                 BIO *stmp = BIO_new_file(sess_in, "r");
1456                 if (!stmp)
1457                         {
1458                         BIO_printf(bio_err, "Can't open session file %s\n",
1459                                                 sess_in);
1460                         ERR_print_errors(bio_err);
1461                         goto end;
1462                         }
1463                 sess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL);
1464                 BIO_free(stmp);
1465                 if (!sess)
1466                         {
1467                         BIO_printf(bio_err, "Can't open session file %s\n",
1468                                                 sess_in);
1469                         ERR_print_errors(bio_err);
1470                         goto end;
1471                         }
1472                 SSL_set_session(con, sess);
1473                 SSL_SESSION_free(sess);
1474                 }
1475 #ifndef OPENSSL_NO_TLSEXT
1476         if (servername != NULL)
1477                 {
1478                 if (!SSL_set_tlsext_host_name(con,servername))
1479                         {
1480                         BIO_printf(bio_err,"Unable to set TLS servername extension.\n");
1481                         ERR_print_errors(bio_err);
1482                         goto end;
1483                         }
1484                 }
1485 #endif
1486 #ifndef OPENSSL_NO_KRB5
1487         if (con  &&  (kctx = kssl_ctx_new()) != NULL)
1488                 {
1489                 SSL_set0_kssl_ctx(con, kctx);
1490                 kssl_ctx_setstring(kctx, KSSL_SERVER, host);
1491                 }
1492 #endif  /* OPENSSL_NO_KRB5  */
1493 /*      SSL_set_cipher_list(con,"RC4-MD5"); */
1494 #if 0
1495 #ifdef TLSEXT_TYPE_opaque_prf_input
1496         SSL_set_tlsext_opaque_prf_input(con, "Test client", 11);
1497 #endif
1498 #endif
1499
1500 re_start:
1501
1502         if (init_client(&s,host,port,socket_type) == 0)
1503                 {
1504                 BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
1505                 SHUTDOWN(s);
1506                 goto end;
1507                 }
1508         BIO_printf(bio_c_out,"CONNECTED(%08X)\n",s);
1509
1510 #ifdef FIONBIO
1511         if (c_nbio)
1512                 {
1513                 unsigned long l=1;
1514                 BIO_printf(bio_c_out,"turning on non blocking io\n");
1515                 if (BIO_socket_ioctl(s,FIONBIO,&l) < 0)
1516                         {
1517                         ERR_print_errors(bio_err);
1518                         goto end;
1519                         }
1520                 }
1521 #endif                                              
1522         if (c_Pause & 0x01) SSL_set_debug(con, 1);
1523
1524         if (socket_type == SOCK_DGRAM)
1525                 {
1526
1527                 sbio=BIO_new_dgram(s,BIO_NOCLOSE);
1528                 if (getsockname(s, &peer, (void *)&peerlen) < 0)
1529                         {
1530                         BIO_printf(bio_err, "getsockname:errno=%d\n",
1531                                 get_last_socket_error());
1532                         SHUTDOWN(s);
1533                         goto end;
1534                         }
1535
1536                 (void)BIO_ctrl_set_connected(sbio, 1, &peer);
1537
1538                 if (enable_timeouts)
1539                         {
1540                         timeout.tv_sec = 0;
1541                         timeout.tv_usec = DGRAM_RCV_TIMEOUT;
1542                         BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
1543                         
1544                         timeout.tv_sec = 0;
1545                         timeout.tv_usec = DGRAM_SND_TIMEOUT;
1546                         BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
1547                         }
1548
1549                 if (socket_mtu > 28)
1550                         {
1551                         SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
1552                         SSL_set_mtu(con, socket_mtu - 28);
1553                         }
1554                 else
1555                         /* want to do MTU discovery */
1556                         BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
1557                 }
1558         else
1559                 sbio=BIO_new_socket(s,BIO_NOCLOSE);
1560
1561         if (nbio_test)
1562                 {
1563                 BIO *test;
1564
1565                 test=BIO_new(BIO_f_nbio_test());
1566                 sbio=BIO_push(test,sbio);
1567                 }
1568
1569         if (c_debug)
1570                 {
1571                 SSL_set_debug(con, 1);
1572                 BIO_set_callback(sbio,bio_dump_callback);
1573                 BIO_set_callback_arg(sbio,(char *)bio_c_out);
1574                 }
1575         if (c_msg)
1576                 {
1577 #ifndef OPENSSL_NO_SSL_TRACE
1578                 if (c_msg == 2)
1579                         SSL_set_msg_callback(con, SSL_trace);
1580                 else
1581 #endif
1582                         SSL_set_msg_callback(con, msg_cb);
1583                 SSL_set_msg_callback_arg(con, bio_c_msg ? bio_c_msg : bio_c_out);
1584                 }
1585 #ifndef OPENSSL_NO_TLSEXT
1586         if (c_tlsextdebug)
1587                 {
1588                 SSL_set_tlsext_debug_callback(con, tlsext_cb);
1589                 SSL_set_tlsext_debug_arg(con, bio_c_out);
1590                 }
1591         if (c_status_req)
1592                 {
1593                 SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp);
1594                 SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb);
1595                 SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out);
1596 #if 0
1597 {
1598 STACK_OF(OCSP_RESPID) *ids = sk_OCSP_RESPID_new_null();
1599 OCSP_RESPID *id = OCSP_RESPID_new();
1600 id->value.byKey = ASN1_OCTET_STRING_new();
1601 id->type = V_OCSP_RESPID_KEY;
1602 ASN1_STRING_set(id->value.byKey, "Hello World", -1);
1603 sk_OCSP_RESPID_push(ids, id);
1604 SSL_set_tlsext_status_ids(con, ids);
1605 }
1606 #endif
1607                 }
1608 #endif
1609 #ifndef OPENSSL_NO_JPAKE
1610         if (jpake_secret)
1611                 jpake_client_auth(bio_c_out, sbio, jpake_secret);
1612 #endif
1613
1614         SSL_set_bio(con,sbio,sbio);
1615         SSL_set_connect_state(con);
1616
1617         /* ok, lets connect */
1618         width=SSL_get_fd(con)+1;
1619
1620         read_tty=1;
1621         write_tty=0;
1622         tty_on=0;
1623         read_ssl=1;
1624         write_ssl=1;
1625         
1626         cbuf_len=0;
1627         cbuf_off=0;
1628         sbuf_len=0;
1629         sbuf_off=0;
1630
1631         /* This is an ugly hack that does a lot of assumptions */
1632         /* We do have to handle multi-line responses which may come
1633            in a single packet or not. We therefore have to use
1634            BIO_gets() which does need a buffering BIO. So during
1635            the initial chitchat we do push a buffering BIO into the
1636            chain that is removed again later on to not disturb the
1637            rest of the s_client operation. */
1638         if (starttls_proto == PROTO_SMTP)
1639                 {
1640                 int foundit=0;
1641                 BIO *fbio = BIO_new(BIO_f_buffer());
1642                 BIO_push(fbio, sbio);
1643                 /* wait for multi-line response to end from SMTP */
1644                 do
1645                         {
1646                         mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1647                         }
1648                 while (mbuf_len>3 && mbuf[3]=='-');
1649                 /* STARTTLS command requires EHLO... */
1650                 BIO_printf(fbio,"EHLO openssl.client.net\r\n");
1651                 (void)BIO_flush(fbio);
1652                 /* wait for multi-line response to end EHLO SMTP response */
1653                 do
1654                         {
1655                         mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1656                         if (strstr(mbuf,"STARTTLS"))
1657                                 foundit=1;
1658                         }
1659                 while (mbuf_len>3 && mbuf[3]=='-');
1660                 (void)BIO_flush(fbio);
1661                 BIO_pop(fbio);
1662                 BIO_free(fbio);
1663                 if (!foundit)
1664                         BIO_printf(bio_err,
1665                                    "didn't found starttls in server response,"
1666                                    " try anyway...\n");
1667                 BIO_printf(sbio,"STARTTLS\r\n");
1668                 BIO_read(sbio,sbuf,BUFSIZZ);
1669                 }
1670         else if (starttls_proto == PROTO_POP3)
1671                 {
1672                 BIO_read(sbio,mbuf,BUFSIZZ);
1673                 BIO_printf(sbio,"STLS\r\n");
1674                 BIO_read(sbio,sbuf,BUFSIZZ);
1675                 }
1676         else if (starttls_proto == PROTO_IMAP)
1677                 {
1678                 int foundit=0;
1679                 BIO *fbio = BIO_new(BIO_f_buffer());
1680                 BIO_push(fbio, sbio);
1681                 BIO_gets(fbio,mbuf,BUFSIZZ);
1682                 /* STARTTLS command requires CAPABILITY... */
1683                 BIO_printf(fbio,". CAPABILITY\r\n");
1684                 (void)BIO_flush(fbio);
1685                 /* wait for multi-line CAPABILITY response */
1686                 do
1687                         {
1688                         mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1689                         if (strstr(mbuf,"STARTTLS"))
1690                                 foundit=1;
1691                         }
1692                 while (mbuf_len>3 && mbuf[0]!='.');
1693                 (void)BIO_flush(fbio);
1694                 BIO_pop(fbio);
1695                 BIO_free(fbio);
1696                 if (!foundit)
1697                         BIO_printf(bio_err,
1698                                    "didn't found STARTTLS in server response,"
1699                                    " try anyway...\n");
1700                 BIO_printf(sbio,". STARTTLS\r\n");
1701                 BIO_read(sbio,sbuf,BUFSIZZ);
1702                 }
1703         else if (starttls_proto == PROTO_FTP)
1704                 {
1705                 BIO *fbio = BIO_new(BIO_f_buffer());
1706                 BIO_push(fbio, sbio);
1707                 /* wait for multi-line response to end from FTP */
1708                 do
1709                         {
1710                         mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1711                         }
1712                 while (mbuf_len>3 && mbuf[3]=='-');
1713                 (void)BIO_flush(fbio);
1714                 BIO_pop(fbio);
1715                 BIO_free(fbio);
1716                 BIO_printf(sbio,"AUTH TLS\r\n");
1717                 BIO_read(sbio,sbuf,BUFSIZZ);
1718                 }
1719         if (starttls_proto == PROTO_XMPP)
1720                 {
1721                 int seen = 0;
1722                 BIO_printf(sbio,"<stream:stream "
1723                     "xmlns:stream='http://etherx.jabber.org/streams' "
1724                     "xmlns='jabber:client' to='%s' version='1.0'>", xmpphost ?
1725                            xmpphost : host);
1726                 seen = BIO_read(sbio,mbuf,BUFSIZZ);
1727                 mbuf[seen] = 0;
1728                 while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'") &&
1729                                 !strstr(mbuf, "<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\""))
1730                         {
1731                         seen = BIO_read(sbio,mbuf,BUFSIZZ);
1732
1733                         if (seen <= 0)
1734                                 goto shut;
1735
1736                         mbuf[seen] = 0;
1737                         }
1738                 BIO_printf(sbio, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>");
1739                 seen = BIO_read(sbio,sbuf,BUFSIZZ);
1740                 sbuf[seen] = 0;
1741                 if (!strstr(sbuf, "<proceed"))
1742                         goto shut;
1743                 mbuf[0] = 0;
1744                 }
1745
1746         for (;;)
1747                 {
1748                 FD_ZERO(&readfds);
1749                 FD_ZERO(&writefds);
1750
1751                 if ((SSL_version(con) == DTLS1_VERSION) &&
1752                         DTLSv1_get_timeout(con, &timeout))
1753                         timeoutp = &timeout;
1754                 else
1755                         timeoutp = NULL;
1756
1757                 if (SSL_in_init(con) && !SSL_total_renegotiations(con))
1758                         {
1759                         in_init=1;
1760                         tty_on=0;
1761                         }
1762                 else
1763                         {
1764                         tty_on=1;
1765                         if (in_init)
1766                                 {
1767                                 in_init=0;
1768 #if 0 /* This test doesn't really work as intended (needs to be fixed) */
1769 #ifndef OPENSSL_NO_TLSEXT
1770                                 if (servername != NULL && !SSL_session_reused(con))
1771                                         {
1772                                         BIO_printf(bio_c_out,"Server did %sacknowledge servername extension.\n",tlsextcbp.ack?"":"not ");
1773                                         }
1774 #endif
1775 #endif
1776                                 if (sess_out)
1777                                         {
1778                                         BIO *stmp = BIO_new_file(sess_out, "w");
1779                                         if (stmp)
1780                                                 {
1781                                                 PEM_write_bio_SSL_SESSION(stmp, SSL_get_session(con));
1782                                                 BIO_free(stmp);
1783                                                 }
1784                                         else 
1785                                                 BIO_printf(bio_err, "Error writing session file %s\n", sess_out);
1786                                         }
1787                                 if (c_brief)
1788                                         {
1789                                         BIO_puts(bio_err,
1790                                                 "CONNECTION ESTABLISHED\n");
1791                                         print_ssl_summary(bio_err, con);
1792                                         }
1793                                 /*handshake is complete - free the generated supp data allocated in the callback */
1794                                 if (generated_supp_data)
1795                                         {
1796                                         OPENSSL_free(generated_supp_data);
1797                                         generated_supp_data = NULL;
1798                                         }
1799
1800                                 print_stuff(bio_c_out,con,full_log);
1801                                 if (full_log > 0) full_log--;
1802
1803                                 if (starttls_proto)
1804                                         {
1805                                         BIO_printf(bio_err,"%s",mbuf);
1806                                         /* We don't need to know any more */
1807                                         starttls_proto = PROTO_OFF;
1808                                         }
1809
1810                                 if (reconnect)
1811                                         {
1812                                         reconnect--;
1813                                         BIO_printf(bio_c_out,"drop connection and then reconnect\n");
1814                                         SSL_shutdown(con);
1815                                         SSL_set_connect_state(con);
1816                                         SHUTDOWN(SSL_get_fd(con));
1817                                         goto re_start;
1818                                         }
1819                                 }
1820                         }
1821
1822                 ssl_pending = read_ssl && SSL_pending(con);
1823
1824                 if (!ssl_pending)
1825                         {
1826 #if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) && !defined (OPENSSL_SYS_BEOS_R5)
1827                         if (tty_on)
1828                                 {
1829                                 if (read_tty)  openssl_fdset(fileno(stdin),&readfds);
1830                                 if (write_tty) openssl_fdset(fileno(stdout),&writefds);
1831                                 }
1832                         if (read_ssl)
1833                                 openssl_fdset(SSL_get_fd(con),&readfds);
1834                         if (write_ssl)
1835                                 openssl_fdset(SSL_get_fd(con),&writefds);
1836 #else
1837                         if(!tty_on || !write_tty) {
1838                                 if (read_ssl)
1839                                         openssl_fdset(SSL_get_fd(con),&readfds);
1840                                 if (write_ssl)
1841                                         openssl_fdset(SSL_get_fd(con),&writefds);
1842                         }
1843 #endif
1844 /*                      printf("mode tty(%d %d%d) ssl(%d%d)\n",
1845                                 tty_on,read_tty,write_tty,read_ssl,write_ssl);*/
1846
1847                         /* Note: under VMS with SOCKETSHR the second parameter
1848                          * is currently of type (int *) whereas under other
1849                          * systems it is (void *) if you don't have a cast it
1850                          * will choke the compiler: if you do have a cast then
1851                          * you can either go for (int *) or (void *).
1852                          */
1853 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
1854                         /* Under Windows/DOS we make the assumption that we can
1855                          * always write to the tty: therefore if we need to
1856                          * write to the tty we just fall through. Otherwise
1857                          * we timeout the select every second and see if there
1858                          * are any keypresses. Note: this is a hack, in a proper
1859                          * Windows application we wouldn't do this.
1860                          */
1861                         i=0;
1862                         if(!write_tty) {
1863                                 if(read_tty) {
1864                                         tv.tv_sec = 1;
1865                                         tv.tv_usec = 0;
1866                                         i=select(width,(void *)&readfds,(void *)&writefds,
1867                                                  NULL,&tv);
1868 #if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
1869                                         if(!i && (!_kbhit() || !read_tty) ) continue;
1870 #else
1871                                         if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue;
1872 #endif
1873                                 } else  i=select(width,(void *)&readfds,(void *)&writefds,
1874                                          NULL,timeoutp);
1875                         }
1876 #elif defined(OPENSSL_SYS_NETWARE)
1877                         if(!write_tty) {
1878                                 if(read_tty) {
1879                                         tv.tv_sec = 1;
1880                                         tv.tv_usec = 0;
1881                                         i=select(width,(void *)&readfds,(void *)&writefds,
1882                                                 NULL,&tv);
1883                                 } else  i=select(width,(void *)&readfds,(void *)&writefds,
1884                                         NULL,timeoutp);
1885                         }
1886 #elif defined(OPENSSL_SYS_BEOS_R5)
1887                         /* Under BeOS-R5 the situation is similar to DOS */
1888                         i=0;
1889                         stdin_set = 0;
1890                         (void)fcntl(fileno(stdin), F_SETFL, O_NONBLOCK);
1891                         if(!write_tty) {
1892                                 if(read_tty) {
1893                                         tv.tv_sec = 1;
1894                                         tv.tv_usec = 0;
1895                                         i=select(width,(void *)&readfds,(void *)&writefds,
1896                                                  NULL,&tv);
1897                                         if (read(fileno(stdin), sbuf, 0) >= 0)
1898                                                 stdin_set = 1;
1899                                         if (!i && (stdin_set != 1 || !read_tty))
1900                                                 continue;
1901                                 } else  i=select(width,(void *)&readfds,(void *)&writefds,
1902                                          NULL,timeoutp);
1903                         }
1904                         (void)fcntl(fileno(stdin), F_SETFL, 0);
1905 #else
1906                         i=select(width,(void *)&readfds,(void *)&writefds,
1907                                  NULL,timeoutp);
1908 #endif
1909                         if ( i < 0)
1910                                 {
1911                                 BIO_printf(bio_err,"bad select %d\n",
1912                                 get_last_socket_error());
1913                                 goto shut;
1914                                 /* goto end; */
1915                                 }
1916                         }
1917
1918                 if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0)
1919                         {
1920                         BIO_printf(bio_err,"TIMEOUT occurred\n");
1921                         }
1922
1923                 if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds))
1924                         {
1925                         k=SSL_write(con,&(cbuf[cbuf_off]),
1926                                 (unsigned int)cbuf_len);
1927                         switch (SSL_get_error(con,k))
1928                                 {
1929                         case SSL_ERROR_NONE:
1930                                 cbuf_off+=k;
1931                                 cbuf_len-=k;
1932                                 if (k <= 0) goto end;
1933                                 /* we have done a  write(con,NULL,0); */
1934                                 if (cbuf_len <= 0)
1935                                         {
1936                                         read_tty=1;
1937                                         write_ssl=0;
1938                                         }
1939                                 else /* if (cbuf_len > 0) */
1940                                         {
1941                                         read_tty=0;
1942                                         write_ssl=1;
1943                                         }
1944                                 break;
1945                         case SSL_ERROR_WANT_WRITE:
1946                                 BIO_printf(bio_c_out,"write W BLOCK\n");
1947                                 write_ssl=1;
1948                                 read_tty=0;
1949                                 break;
1950                         case SSL_ERROR_WANT_READ:
1951                                 BIO_printf(bio_c_out,"write R BLOCK\n");
1952                                 write_tty=0;
1953                                 read_ssl=1;
1954                                 write_ssl=0;
1955                                 break;
1956                         case SSL_ERROR_WANT_X509_LOOKUP:
1957                                 BIO_printf(bio_c_out,"write X BLOCK\n");
1958                                 break;
1959                         case SSL_ERROR_ZERO_RETURN:
1960                                 if (cbuf_len != 0)
1961                                         {
1962                                         BIO_printf(bio_c_out,"shutdown\n");
1963                                         ret = 0;
1964                                         goto shut;
1965                                         }
1966                                 else
1967                                         {
1968                                         read_tty=1;
1969                                         write_ssl=0;
1970                                         break;
1971                                         }
1972                                 
1973                         case SSL_ERROR_SYSCALL:
1974                                 if ((k != 0) || (cbuf_len != 0))
1975                                         {
1976                                         BIO_printf(bio_err,"write:errno=%d\n",
1977                                                 get_last_socket_error());
1978                                         goto shut;
1979                                         }
1980                                 else
1981                                         {
1982                                         read_tty=1;
1983                                         write_ssl=0;
1984                                         }
1985                                 break;
1986                         case SSL_ERROR_SSL:
1987                                 ERR_print_errors(bio_err);
1988                                 goto shut;
1989                                 }
1990                         }
1991 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
1992                 /* Assume Windows/DOS/BeOS can always write */
1993                 else if (!ssl_pending && write_tty)
1994 #else
1995                 else if (!ssl_pending && FD_ISSET(fileno(stdout),&writefds))
1996 #endif
1997                         {
1998 #ifdef CHARSET_EBCDIC
1999                         ascii2ebcdic(&(sbuf[sbuf_off]),&(sbuf[sbuf_off]),sbuf_len);
2000 #endif
2001                         i=raw_write_stdout(&(sbuf[sbuf_off]),sbuf_len);
2002
2003                         if (i <= 0)
2004                                 {
2005                                 BIO_printf(bio_c_out,"DONE\n");
2006                                 ret = 0;
2007                                 goto shut;
2008                                 /* goto end; */
2009                                 }
2010
2011                         sbuf_len-=i;;
2012                         sbuf_off+=i;
2013                         if (sbuf_len <= 0)
2014                                 {
2015                                 read_ssl=1;
2016                                 write_tty=0;
2017                                 }
2018                         }
2019                 else if (ssl_pending || FD_ISSET(SSL_get_fd(con),&readfds))
2020                         {
2021 #ifdef RENEG
2022 { static int iiii; if (++iiii == 52) { SSL_renegotiate(con); iiii=0; } }
2023 #endif
2024 #if 1
2025                         k=SSL_read(con,sbuf,1024 /* BUFSIZZ */ );
2026 #else
2027 /* Demo for pending and peek :-) */
2028                         k=SSL_read(con,sbuf,16);
2029 { char zbuf[10240]; 
2030 printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240));
2031 }
2032 #endif
2033
2034                         switch (SSL_get_error(con,k))
2035                                 {
2036                         case SSL_ERROR_NONE:
2037                                 if (k <= 0)
2038                                         goto end;
2039                                 sbuf_off=0;
2040                                 sbuf_len=k;
2041
2042                                 read_ssl=0;
2043                                 write_tty=1;
2044                                 break;
2045                         case SSL_ERROR_WANT_WRITE:
2046                                 BIO_printf(bio_c_out,"read W BLOCK\n");
2047                                 write_ssl=1;
2048                                 read_tty=0;
2049                                 break;
2050                         case SSL_ERROR_WANT_READ:
2051                                 BIO_printf(bio_c_out,"read R BLOCK\n");
2052                                 write_tty=0;
2053                                 read_ssl=1;
2054                                 if ((read_tty == 0) && (write_ssl == 0))
2055                                         write_ssl=1;
2056                                 break;
2057                         case SSL_ERROR_WANT_X509_LOOKUP:
2058                                 BIO_printf(bio_c_out,"read X BLOCK\n");
2059                                 break;
2060                         case SSL_ERROR_SYSCALL:
2061                                 ret=get_last_socket_error();
2062                                 if (c_brief)
2063                                         BIO_puts(bio_err, "CONNECTION CLOSED BY SERVER\n");
2064                                 else
2065                                         BIO_printf(bio_err,"read:errno=%d\n",ret);
2066                                 goto shut;
2067                         case SSL_ERROR_ZERO_RETURN:
2068                                 BIO_printf(bio_c_out,"closed\n");
2069                                 ret=0;
2070                                 goto shut;
2071                         case SSL_ERROR_SSL:
2072                                 ERR_print_errors(bio_err);
2073                                 goto shut;
2074                                 /* break; */
2075                                 }
2076                         }
2077
2078 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
2079 #if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
2080                 else if (_kbhit())
2081 #else
2082                 else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
2083 #endif
2084 #elif defined (OPENSSL_SYS_NETWARE)
2085                 else if (_kbhit())
2086 #elif defined(OPENSSL_SYS_BEOS_R5)
2087                 else if (stdin_set)
2088 #else
2089                 else if (FD_ISSET(fileno(stdin),&readfds))
2090 #endif
2091                         {
2092                         if (crlf)
2093                                 {
2094                                 int j, lf_num;
2095
2096                                 i=raw_read_stdin(cbuf,BUFSIZZ/2);
2097                                 lf_num = 0;
2098                                 /* both loops are skipped when i <= 0 */
2099                                 for (j = 0; j < i; j++)
2100                                         if (cbuf[j] == '\n')
2101                                                 lf_num++;
2102                                 for (j = i-1; j >= 0; j--)
2103                                         {
2104                                         cbuf[j+lf_num] = cbuf[j];
2105                                         if (cbuf[j] == '\n')
2106                                                 {
2107                                                 lf_num--;
2108                                                 i++;
2109                                                 cbuf[j+lf_num] = '\r';
2110                                                 }
2111                                         }
2112                                 assert(lf_num == 0);
2113                                 }
2114                         else
2115                                 i=raw_read_stdin(cbuf,BUFSIZZ);
2116
2117                         if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q')))
2118                                 {
2119                                 BIO_printf(bio_err,"DONE\n");
2120                                 ret=0;
2121                                 goto shut;
2122                                 }
2123
2124                         if ((!c_ign_eof) && (cbuf[0] == 'R'))
2125                                 {
2126                                 BIO_printf(bio_err,"RENEGOTIATING\n");
2127                                 SSL_renegotiate(con);
2128                                 cbuf_len=0;
2129                                 }
2130 #ifndef OPENSSL_NO_HEARTBEATS
2131                         else if ((!c_ign_eof) && (cbuf[0] == 'B'))
2132                                 {
2133                                 BIO_printf(bio_err,"HEARTBEATING\n");
2134                                 SSL_heartbeat(con);
2135                                 cbuf_len=0;
2136                                 }
2137 #endif
2138                         else
2139                                 {
2140                                 cbuf_len=i;
2141                                 cbuf_off=0;
2142 #ifdef CHARSET_EBCDIC
2143                                 ebcdic2ascii(cbuf, cbuf, i);
2144 #endif
2145                                 }
2146
2147                         write_ssl=1;
2148                         read_tty=0;
2149                         }
2150                 }
2151
2152         ret=0;
2153 shut:
2154         if (in_init)
2155                 print_stuff(bio_c_out,con,full_log);
2156         SSL_shutdown(con);
2157         SHUTDOWN(SSL_get_fd(con));
2158 end:
2159         if (con != NULL)
2160                 {
2161                 if (prexit != 0)
2162                         print_stuff(bio_c_out,con,1);
2163                 SSL_free(con);
2164                 }
2165 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
2166         if (next_proto.data)
2167                 OPENSSL_free(next_proto.data);
2168 #endif
2169         if (ctx != NULL) SSL_CTX_free(ctx);
2170         if (cert)
2171                 X509_free(cert);
2172         if (crls)
2173                 sk_X509_CRL_pop_free(crls, X509_CRL_free);
2174         if (key)
2175                 EVP_PKEY_free(key);
2176         if (chain)
2177                 sk_X509_pop_free(chain, X509_free);
2178         if (pass)
2179                 OPENSSL_free(pass);
2180         if (vpm)
2181                 X509_VERIFY_PARAM_free(vpm);
2182         ssl_excert_free(exc);
2183         if (ssl_args)
2184                 sk_OPENSSL_STRING_free(ssl_args);
2185         if (cctx)
2186                 SSL_CONF_CTX_free(cctx);
2187 #ifndef OPENSSL_NO_JPAKE
2188         if (jpake_secret && psk_key)
2189                 OPENSSL_free(psk_key);
2190 #endif
2191         if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); }
2192         if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); }
2193         if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); }
2194         if (bio_c_out != NULL)
2195                 {
2196                 BIO_free(bio_c_out);
2197                 bio_c_out=NULL;
2198                 }
2199         if (bio_c_msg != NULL)
2200                 {
2201                 BIO_free(bio_c_msg);
2202                 bio_c_msg=NULL;
2203                 }
2204         apps_shutdown();
2205         OPENSSL_EXIT(ret);
2206         }
2207
2208
2209 static void print_stuff(BIO *bio, SSL *s, int full)
2210         {
2211         X509 *peer=NULL;
2212         char *p;
2213         static const char *space="                ";
2214         char buf[BUFSIZ];
2215         STACK_OF(X509) *sk;
2216         STACK_OF(X509_NAME) *sk2;
2217         const SSL_CIPHER *c;
2218         X509_NAME *xn;
2219         int j,i;
2220 #ifndef OPENSSL_NO_COMP
2221         const COMP_METHOD *comp, *expansion;
2222 #endif
2223         unsigned char *exportedkeymat;
2224
2225         if (full)
2226                 {
2227                 int got_a_chain = 0;
2228
2229                 sk=SSL_get_peer_cert_chain(s);
2230                 if (sk != NULL)
2231                         {
2232                         got_a_chain = 1; /* we don't have it for SSL2 (yet) */
2233
2234                         BIO_printf(bio,"---\nCertificate chain\n");
2235                         for (i=0; i<sk_X509_num(sk); i++)
2236                                 {
2237                                 X509_NAME_oneline(X509_get_subject_name(
2238                                         sk_X509_value(sk,i)),buf,sizeof buf);
2239                                 BIO_printf(bio,"%2d s:%s\n",i,buf);
2240                                 X509_NAME_oneline(X509_get_issuer_name(
2241                                         sk_X509_value(sk,i)),buf,sizeof buf);
2242                                 BIO_printf(bio,"   i:%s\n",buf);
2243                                 if (c_showcerts)
2244                                         PEM_write_bio_X509(bio,sk_X509_value(sk,i));
2245                                 }
2246                         }
2247
2248                 BIO_printf(bio,"---\n");
2249                 peer=SSL_get_peer_certificate(s);
2250                 if (peer != NULL)
2251                         {
2252                         BIO_printf(bio,"Server certificate\n");
2253                         if (!(c_showcerts && got_a_chain)) /* Redundant if we showed the whole chain */
2254                                 PEM_write_bio_X509(bio,peer);
2255                         X509_NAME_oneline(X509_get_subject_name(peer),
2256                                 buf,sizeof buf);
2257                         BIO_printf(bio,"subject=%s\n",buf);
2258                         X509_NAME_oneline(X509_get_issuer_name(peer),
2259                                 buf,sizeof buf);
2260                         BIO_printf(bio,"issuer=%s\n",buf);
2261                         }
2262                 else
2263                         BIO_printf(bio,"no peer certificate available\n");
2264
2265                 sk2=SSL_get_client_CA_list(s);
2266                 if ((sk2 != NULL) && (sk_X509_NAME_num(sk2) > 0))
2267                         {
2268                         BIO_printf(bio,"---\nAcceptable client certificate CA names\n");
2269                         for (i=0; i<sk_X509_NAME_num(sk2); i++)
2270                                 {
2271                                 xn=sk_X509_NAME_value(sk2,i);
2272                                 X509_NAME_oneline(xn,buf,sizeof(buf));
2273                                 BIO_write(bio,buf,strlen(buf));
2274                                 BIO_write(bio,"\n",1);
2275                                 }
2276                         }
2277                 else
2278                         {
2279                         BIO_printf(bio,"---\nNo client certificate CA names sent\n");
2280                         }
2281                 p=SSL_get_shared_ciphers(s,buf,sizeof buf);
2282                 if (p != NULL)
2283                         {
2284                         /* This works only for SSL 2.  In later protocol
2285                          * versions, the client does not know what other
2286                          * ciphers (in addition to the one to be used
2287                          * in the current connection) the server supports. */
2288
2289                         BIO_printf(bio,"---\nCiphers common between both SSL endpoints:\n");
2290                         j=i=0;
2291                         while (*p)
2292                                 {
2293                                 if (*p == ':')
2294                                         {
2295                                         BIO_write(bio,space,15-j%25);
2296                                         i++;
2297                                         j=0;
2298                                         BIO_write(bio,((i%3)?" ":"\n"),1);
2299                                         }
2300                                 else
2301                                         {
2302                                         BIO_write(bio,p,1);
2303                                         j++;
2304                                         }
2305                                 p++;
2306                                 }
2307                         BIO_write(bio,"\n",1);
2308                         }
2309
2310                 ssl_print_sigalgs(bio, s);
2311                 ssl_print_tmp_key(bio, s);
2312
2313                 BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n",
2314                         BIO_number_read(SSL_get_rbio(s)),
2315                         BIO_number_written(SSL_get_wbio(s)));
2316                 }
2317         BIO_printf(bio,(SSL_cache_hit(s)?"---\nReused, ":"---\nNew, "));
2318         c=SSL_get_current_cipher(s);
2319         BIO_printf(bio,"%s, Cipher is %s\n",
2320                 SSL_CIPHER_get_version(c),
2321                 SSL_CIPHER_get_name(c));
2322         if (peer != NULL) {
2323                 EVP_PKEY *pktmp;
2324                 pktmp = X509_get_pubkey(peer);
2325                 BIO_printf(bio,"Server public key is %d bit\n",
2326                                                          EVP_PKEY_bits(pktmp));
2327                 EVP_PKEY_free(pktmp);
2328         }
2329         BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
2330                         SSL_get_secure_renegotiation_support(s) ? "" : " NOT");
2331 #ifndef OPENSSL_NO_COMP
2332         comp=SSL_get_current_compression(s);
2333         expansion=SSL_get_current_expansion(s);
2334         BIO_printf(bio,"Compression: %s\n",
2335                 comp ? SSL_COMP_get_name(comp) : "NONE");
2336         BIO_printf(bio,"Expansion: %s\n",
2337                 expansion ? SSL_COMP_get_name(expansion) : "NONE");
2338 #endif
2339  
2340 #ifdef SSL_DEBUG
2341         {
2342         /* Print out local port of connection: useful for debugging */
2343         int sock;
2344         struct sockaddr_in ladd;
2345         socklen_t ladd_size = sizeof(ladd);
2346         sock = SSL_get_fd(s);
2347         getsockname(sock, (struct sockaddr *)&ladd, &ladd_size);
2348         BIO_printf(bio_c_out, "LOCAL PORT is %u\n", ntohs(ladd.sin_port));
2349         }
2350 #endif
2351
2352 #if !defined(OPENSSL_NO_TLSEXT)
2353 # if !defined(OPENSSL_NO_NEXTPROTONEG)
2354         if (next_proto.status != -1) {
2355                 const unsigned char *proto;
2356                 unsigned int proto_len;
2357                 SSL_get0_next_proto_negotiated(s, &proto, &proto_len);
2358                 BIO_printf(bio, "Next protocol: (%d) ", next_proto.status);
2359                 BIO_write(bio, proto, proto_len);
2360                 BIO_write(bio, "\n", 1);
2361         }
2362 # endif
2363         {
2364                 const unsigned char *proto;
2365                 unsigned int proto_len;
2366                 SSL_get0_alpn_selected(s, &proto, &proto_len);
2367                 if (proto_len > 0)
2368                         {
2369                         BIO_printf(bio, "ALPN protocol: ");
2370                         BIO_write(bio, proto, proto_len);
2371                         BIO_write(bio, "\n", 1);
2372                         }
2373                 else
2374                         BIO_printf(bio, "No ALPN negotiated\n");
2375         }
2376 #endif
2377
2378         {
2379         SRTP_PROTECTION_PROFILE *srtp_profile=SSL_get_selected_srtp_profile(s);
2380  
2381         if(srtp_profile)
2382                 BIO_printf(bio,"SRTP Extension negotiated, profile=%s\n",
2383                            srtp_profile->name);
2384         }
2385  
2386         SSL_SESSION_print(bio,SSL_get_session(s));
2387         if (keymatexportlabel != NULL)
2388                 {
2389                 BIO_printf(bio, "Keying material exporter:\n");
2390                 BIO_printf(bio, "    Label: '%s'\n", keymatexportlabel);
2391                 BIO_printf(bio, "    Length: %i bytes\n", keymatexportlen);
2392                 exportedkeymat = OPENSSL_malloc(keymatexportlen);
2393                 if (exportedkeymat != NULL)
2394                         {
2395                         if (!SSL_export_keying_material(s, exportedkeymat,
2396                                                         keymatexportlen,
2397                                                         keymatexportlabel,
2398                                                         strlen(keymatexportlabel),
2399                                                         NULL, 0, 0))
2400                                 {
2401                                 BIO_printf(bio, "    Error\n");
2402                                 }
2403                         else
2404                                 {
2405                                 BIO_printf(bio, "    Keying material: ");
2406                                 for (i=0; i<keymatexportlen; i++)
2407                                         BIO_printf(bio, "%02X",
2408                                                    exportedkeymat[i]);
2409                                 BIO_printf(bio, "\n");
2410                                 }
2411                         OPENSSL_free(exportedkeymat);
2412                         }
2413                 }
2414         BIO_printf(bio,"---\n");
2415         if (peer != NULL)
2416                 X509_free(peer);
2417         /* flush, or debugging output gets mixed with http response */
2418         (void)BIO_flush(bio);
2419         }
2420
2421 #ifndef OPENSSL_NO_TLSEXT
2422
2423 static int ocsp_resp_cb(SSL *s, void *arg)
2424         {
2425         const unsigned char *p;
2426         int len;
2427         OCSP_RESPONSE *rsp;
2428         len = SSL_get_tlsext_status_ocsp_resp(s, &p);
2429         BIO_puts(arg, "OCSP response: ");
2430         if (!p)
2431                 {
2432                 BIO_puts(arg, "no response sent\n");
2433                 return 1;
2434                 }
2435         rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
2436         if (!rsp)
2437                 {
2438                 BIO_puts(arg, "response parse error\n");
2439                 BIO_dump_indent(arg, (char *)p, len, 4);
2440                 return 0;
2441                 }
2442         BIO_puts(arg, "\n======================================\n");
2443         OCSP_RESPONSE_print(arg, rsp, 0);
2444         BIO_puts(arg, "======================================\n");
2445         OCSP_RESPONSE_free(rsp);
2446         return 1;
2447         }
2448
2449 static int authz_tlsext_cb(SSL *s, unsigned short ext_type,
2450                            const unsigned char *in,
2451                            unsigned short inlen, int *al,
2452                            void *arg)
2453         {
2454         if (TLSEXT_TYPE_server_authz == ext_type)
2455                 server_provided_server_authz
2456                   = (memchr(in, TLSEXT_AUTHZDATAFORMAT_dtcp, inlen) != NULL);
2457
2458         if (TLSEXT_TYPE_client_authz == ext_type)
2459                 server_provided_client_authz
2460                   = (memchr(in, TLSEXT_AUTHZDATAFORMAT_dtcp, inlen) != NULL);
2461
2462         return 1;
2463         }
2464
2465 static int authz_tlsext_generate_cb(SSL *s, unsigned short ext_type,
2466                                     const unsigned char **out, unsigned short *outlen,
2467                                     int *al, void *arg)
2468         {
2469         if (c_auth)
2470                 {
2471                 /*if auth_require_reneg flag is set, only send extensions if
2472                   renegotiation has occurred */
2473                 if (!c_auth_require_reneg || (c_auth_require_reneg && SSL_num_renegotiations(s)))
2474                         {
2475                         *out = auth_ext_data;
2476                         *outlen = 1;
2477                         return 1;
2478                         }
2479                 }
2480         /* no auth extension to send */
2481         return -1;
2482         }
2483
2484 static int suppdata_cb(SSL *s, unsigned short supp_data_type,
2485                        const unsigned char *in,
2486                        unsigned short inlen, int *al,
2487                        void *arg)
2488         {
2489         if (supp_data_type == TLSEXT_SUPPLEMENTALDATATYPE_authz_data)
2490                 {
2491                 most_recent_supplemental_data = in;
2492                 most_recent_supplemental_data_length = inlen;
2493                 }
2494         return 1;
2495         }
2496
2497 static int auth_suppdata_generate_cb(SSL *s, unsigned short supp_data_type,
2498                                      const unsigned char **out,
2499                                      unsigned short *outlen, int *al, void *arg)
2500         {
2501         if (c_auth && server_provided_client_authz && server_provided_server_authz)
2502                 {
2503                 /*if auth_require_reneg flag is set, only send supplemental data if
2504                   renegotiation has occurred */
2505                 if (!c_auth_require_reneg
2506                     || (c_auth_require_reneg && SSL_num_renegotiations(s)))
2507                         {
2508                         generated_supp_data = OPENSSL_malloc(10);
2509                         memcpy(generated_supp_data, "5432154321", 10);
2510                         *out = generated_supp_data;
2511                         *outlen = 10;
2512                         return 1;
2513                         }
2514                 }
2515         /* no supplemental data to send */
2516         return -1;
2517         }
2518
2519 #endif