Unify s_client/s_server srtp profiles option handling

[openssl.git] / apps / s_cb.c
diff --git a/apps/s_cb.c b/apps/s_cb.c

index 1f2d3719520ed6a9df6568d419c0cfe3c3380ce9..820491a037310fff73d718b303ef2c03cf0eddee 100644 (file)
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -1,120 +1,17 @@
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
+/*
+ * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
   *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
   */
  
  /* callback functions used by s_client, s_server, and s_time */
  #include <stdio.h>
  #include <stdlib.h>
-#include <assert.h>
-#define USE_SOCKETS
+#include <string.h> /* for memcpy() and strcmp() */
  #include "apps.h"
-#undef USE_SOCKETS
  #include <openssl/err.h>
  #include <openssl/rand.h>
  #include <openssl/x509.h>
@@ -127,12 +24,21 @@
  
  #define COOKIE_SECRET_LENGTH    16
  
-int verify_depth = 0;
-int verify_quiet = 0;
-int verify_error = X509_V_OK;
-int verify_return_error = 0;
-unsigned char cookie_secret[COOKIE_SECRET_LENGTH];
-int cookie_initialized = 0;
+VERIFY_CB_ARGS verify_args = { 0, 0, X509_V_OK, 0 };
+
+#ifndef OPENSSL_NO_SOCK
+static unsigned char cookie_secret[COOKIE_SECRET_LENGTH];
+static int cookie_initialized = 0;
+#endif
+static BIO *bio_keylog = NULL;
+
+static const char *lookup(int val, const STRINT_PAIR* list, const char* def)
+{
+    for ( ; list->name; ++list)
+        if (list->retval == val)
+            return list->name;
+    return def;
+}
  
  int verify_callback(int ok, X509_STORE_CTX *ctx)
  {
@@ -143,57 +49,58 @@ int verify_callback(int ok, X509_STORE_CTX *ctx)
      err = X509_STORE_CTX_get_error(ctx);
      depth = X509_STORE_CTX_get_error_depth(ctx);
  
-    if (!verify_quiet || !ok) {
+    if (!verify_args.quiet || !ok) {
          BIO_printf(bio_err, "depth=%d ", depth);
-        if (err_cert) {
+        if (err_cert != NULL) {
              X509_NAME_print_ex(bio_err,
                                 X509_get_subject_name(err_cert),
-                               0, XN_FLAG_ONELINE);
+                               0, get_nameopt());
              BIO_puts(bio_err, "\n");
-        } else
+        } else {
              BIO_puts(bio_err, "<no cert>\n");
+        }
      }
      if (!ok) {
          BIO_printf(bio_err, "verify error:num=%d:%s\n", err,
                     X509_verify_cert_error_string(err));
-        if (verify_depth >= depth) {
-            if (!verify_return_error)
+        if (verify_args.depth >= depth) {
+            if (!verify_args.return_error)
                  ok = 1;
-            verify_error = X509_V_OK;
+            verify_args.error = err;
          } else {
              ok = 0;
-            verify_error = X509_V_ERR_CERT_CHAIN_TOO_LONG;
+            verify_args.error = X509_V_ERR_CERT_CHAIN_TOO_LONG;
          }
      }
      switch (err) {
      case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
          BIO_puts(bio_err, "issuer= ");
          X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert),
-                           0, XN_FLAG_ONELINE);
+                           0, get_nameopt());
          BIO_puts(bio_err, "\n");
          break;
      case X509_V_ERR_CERT_NOT_YET_VALID:
      case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
          BIO_printf(bio_err, "notBefore=");
-        ASN1_TIME_print(bio_err, X509_get_notBefore(err_cert));
+        ASN1_TIME_print(bio_err, X509_get0_notBefore(err_cert));
          BIO_printf(bio_err, "\n");
          break;
      case X509_V_ERR_CERT_HAS_EXPIRED:
      case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
          BIO_printf(bio_err, "notAfter=");
-        ASN1_TIME_print(bio_err, X509_get_notAfter(err_cert));
+        ASN1_TIME_print(bio_err, X509_get0_notAfter(err_cert));
          BIO_printf(bio_err, "\n");
          break;
      case X509_V_ERR_NO_EXPLICIT_POLICY:
-        if (!verify_quiet)
+        if (!verify_args.quiet)
              policies_print(ctx);
          break;
      }
-    if (err == X509_V_OK && ok == 2 && !verify_quiet)
+    if (err == X509_V_OK && ok == 2 && !verify_args.quiet)
          policies_print(ctx);
-    if (ok && !verify_quiet)
+    if (ok && !verify_args.quiet)
          BIO_printf(bio_err, "verify return:%d\n", ok);
-    return (ok);
+    return ok;
  }
  
  int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file)
@@ -204,7 +111,7 @@ int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file)
              BIO_printf(bio_err, "unable to get certificate from '%s'\n",
                         cert_file);
              ERR_print_errors(bio_err);
-            return (0);
+            return 0;
          }
          if (key_file == NULL)
              key_file = cert_file;
@@ -212,7 +119,7 @@ int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file)
              BIO_printf(bio_err, "unable to get private key from '%s'\n",
                         key_file);
              ERR_print_errors(bio_err);
-            return (0);
+            return 0;
          }
  
          /*
@@ -227,10 +134,10 @@ int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file)
          if (!SSL_CTX_check_private_key(ctx)) {
              BIO_printf(bio_err,
                         "Private key does not match the certificate public key\n");
-            return (0);
+            return 0;
          }
      }
-    return (1);
+    return 1;
  }
  
  int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
@@ -272,6 +179,18 @@ int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
      return 1;
  }
  
+static STRINT_PAIR cert_type_list[] = {
+    {"RSA sign", TLS_CT_RSA_SIGN},
+    {"DSA sign", TLS_CT_DSS_SIGN},
+    {"RSA fixed DH", TLS_CT_RSA_FIXED_DH},
+    {"DSS fixed DH", TLS_CT_DSS_FIXED_DH},
+    {"ECDSA sign", TLS_CT_ECDSA_SIGN},
+    {"RSA fixed ECDH", TLS_CT_RSA_FIXED_ECDH},
+    {"ECDSA fixed ECDH", TLS_CT_ECDSA_FIXED_ECDH},
+    {"GOST01 Sign", TLS_CT_GOST01_SIGN},
+    {NULL}
+};
+
  static void ssl_print_client_cert_types(BIO *bio, SSL *s)
  {
      const unsigned char *p;
@@ -282,57 +201,42 @@ static void ssl_print_client_cert_types(BIO *bio, SSL *s)
      BIO_puts(bio, "Client Certificate Types: ");
      for (i = 0; i < cert_type_num; i++) {
          unsigned char cert_type = p[i];
-        char *cname;
-        switch (cert_type) {
-        case TLS_CT_RSA_SIGN:
-            cname = "RSA sign";
-            break;
-
-        case TLS_CT_DSS_SIGN:
-            cname = "DSA sign";
-            break;
-
-        case TLS_CT_RSA_FIXED_DH:
-            cname = "RSA fixed DH";
-            break;
+        const char *cname = lookup((int)cert_type, cert_type_list, NULL);
  
-        case TLS_CT_DSS_FIXED_DH:
-            cname = "DSS fixed DH";
-            break;
-
-        case TLS_CT_ECDSA_SIGN:
-            cname = "ECDSA sign";
-            break;
+        if (i)
+            BIO_puts(bio, ", ");
+        if (cname != NULL)
+            BIO_puts(bio, cname);
+        else
+            BIO_printf(bio, "UNKNOWN (%d),", cert_type);
+    }
+    BIO_puts(bio, "\n");
+}
  
-        case TLS_CT_RSA_FIXED_ECDH:
-            cname = "RSA fixed ECDH";
-            break;
+static const char *get_sigtype(int nid)
+{
+    switch (nid) {
+    case EVP_PKEY_RSA:
+        return "RSA";
  
-        case TLS_CT_ECDSA_FIXED_ECDH:
-            cname = "ECDSA fixed ECDH";
-            break;
+    case EVP_PKEY_RSA_PSS:
+        return "RSA-PSS";
  
-        case TLS_CT_GOST94_SIGN:
-            cname = "GOST94 Sign";
-            break;
+    case EVP_PKEY_DSA:
+        return "DSA";
  
-        case TLS_CT_GOST01_SIGN:
-            cname = "GOST01 Sign";
-            break;
+     case EVP_PKEY_EC:
+        return "ECDSA";
  
-        default:
-            cname = NULL;
-        }
+     case NID_ED25519:
+        return "Ed25519";
  
-        if (i)
-            BIO_puts(bio, ", ");
+     case NID_ED448:
+        return "Ed448";
  
-        if (cname)
-            BIO_puts(bio, cname);
-        else
-            BIO_printf(bio, "UNKNOWN (%d),", cert_type);
+    default:
+        return NULL;
      }
-    BIO_puts(bio, "\n");
  }
  
  static int do_print_sigalgs(BIO *out, SSL *s, int shared)
@@ -340,7 +244,7 @@ static int do_print_sigalgs(BIO *out, SSL *s, int shared)
      int i, nsig, client;
      client = SSL_is_server(s) ? 0 : 1;
      if (shared)
-        nsig = SSL_get_shared_sigalgs(s, -1, NULL, NULL, NULL, NULL, NULL);
+        nsig = SSL_get_shared_sigalgs(s, 0, NULL, NULL, NULL, NULL, NULL);
      else
          nsig = SSL_get_sigalgs(s, -1, NULL, NULL, NULL, NULL, NULL);
      if (nsig == 0)
@@ -363,20 +267,15 @@ static int do_print_sigalgs(BIO *out, SSL *s, int shared)
              SSL_get_sigalgs(s, i, &sign_nid, &hash_nid, NULL, &rsign, &rhash);
          if (i)
              BIO_puts(out, ":");
-        if (sign_nid == EVP_PKEY_RSA)
-            sstr = "RSA";
-        else if (sign_nid == EVP_PKEY_DSA)
-            sstr = "DSA";
-        else if (sign_nid == EVP_PKEY_EC)
-            sstr = "ECDSA";
+        sstr = get_sigtype(sign_nid);
          if (sstr)
-            BIO_printf(out, "%s+", sstr);
+            BIO_printf(out, "%s", sstr);
          else
-            BIO_printf(out, "0x%02X+", (int)rsign);
+            BIO_printf(out, "0x%02X", (int)rsign);
          if (hash_nid != NID_undef)
-            BIO_printf(out, "%s", OBJ_nid2sn(hash_nid));
-        else
-            BIO_printf(out, "0x%02X", (int)rhash);
+            BIO_printf(out, "+%s", OBJ_nid2sn(hash_nid));
+        else if (sstr == NULL)
+            BIO_printf(out, "+0x%02X", (int)rhash);
      }
      BIO_puts(out, "\n");
      return 1;
@@ -384,13 +283,15 @@ static int do_print_sigalgs(BIO *out, SSL *s, int shared)
  
  int ssl_print_sigalgs(BIO *out, SSL *s)
  {
-    int mdnid;
+    int nid;
      if (!SSL_is_server(s))
          ssl_print_client_cert_types(out, s);
      do_print_sigalgs(out, s, 0);
      do_print_sigalgs(out, s, 1);
-    if (SSL_get_peer_signature_nid(s, &mdnid))
-        BIO_printf(out, "Peer signing digest: %s\n", OBJ_nid2sn(mdnid));
+    if (SSL_get_peer_signature_nid(s, &nid) && nid != NID_undef)
+        BIO_printf(out, "Peer signing digest: %s\n", OBJ_nid2sn(nid));
+    if (SSL_get_peer_signature_type_nid(s, &nid))
+        BIO_printf(out, "Peer signature type: %s\n", get_sigtype(nid));
      return 1;
  }
  
@@ -425,63 +326,62 @@ int ssl_print_point_formats(BIO *out, SSL *s)
  
          }
      }
-    if (nformats <= 0)
-        BIO_puts(out, "NONE");
      BIO_puts(out, "\n");
      return 1;
  }
  
-int ssl_print_curves(BIO *out, SSL *s, int noshared)
+int ssl_print_groups(BIO *out, SSL *s, int noshared)
  {
-    int i, ncurves, *curves, nid;
-    const char *cname;
+    int i, ngroups, *groups, nid;
+    const char *gname;
  
-    ncurves = SSL_get1_curves(s, NULL);
-    if (ncurves <= 0)
+    ngroups = SSL_get1_groups(s, NULL);
+    if (ngroups <= 0)
          return 1;
-    curves = app_malloc(ncurves * sizeof(int), "curves to print");
-    SSL_get1_curves(s, curves);
+    groups = app_malloc(ngroups * sizeof(int), "groups to print");
+    SSL_get1_groups(s, groups);
  
-    BIO_puts(out, "Supported Elliptic Curves: ");
-    for (i = 0; i < ncurves; i++) {
+    BIO_puts(out, "Supported Elliptic Groups: ");
+    for (i = 0; i < ngroups; i++) {
          if (i)
              BIO_puts(out, ":");
-        nid = curves[i];
+        nid = groups[i];
          /* If unrecognised print out hex version */
-        if (nid & TLSEXT_nid_unknown)
+        if (nid & TLSEXT_nid_unknown) {
              BIO_printf(out, "0x%04X", nid & 0xFFFF);
-        else {
+        } else {
+            /* TODO(TLS1.3): Get group name here */
              /* Use NIST name for curve if it exists */
-            cname = EC_curve_nid2nist(nid);
-            if (!cname)
-                cname = OBJ_nid2sn(nid);
-            BIO_printf(out, "%s", cname);
+            gname = EC_curve_nid2nist(nid);
+            if (gname == NULL)
+                gname = OBJ_nid2sn(nid);
+            BIO_printf(out, "%s", gname);
          }
      }
-    if (ncurves == 0)
-        BIO_puts(out, "NONE");
-    OPENSSL_free(curves);
+    OPENSSL_free(groups);
      if (noshared) {
          BIO_puts(out, "\n");
          return 1;
      }
-    BIO_puts(out, "\nShared Elliptic curves: ");
-    ncurves = SSL_get_shared_curve(s, -1);
-    for (i = 0; i < ncurves; i++) {
+    BIO_puts(out, "\nShared Elliptic groups: ");
+    ngroups = SSL_get_shared_group(s, -1);
+    for (i = 0; i < ngroups; i++) {
          if (i)
              BIO_puts(out, ":");
-        nid = SSL_get_shared_curve(s, i);
-        cname = EC_curve_nid2nist(nid);
-        if (!cname)
-            cname = OBJ_nid2sn(nid);
-        BIO_printf(out, "%s", cname);
+        nid = SSL_get_shared_group(s, i);
+        /* TODO(TLS1.3): Convert for DH groups */
+        gname = EC_curve_nid2nist(nid);
+        if (gname == NULL)
+            gname = OBJ_nid2sn(nid);
+        BIO_printf(out, "%s", gname);
      }
-    if (ncurves == 0)
+    if (ngroups == 0)
          BIO_puts(out, "NONE");
      BIO_puts(out, "\n");
      return 1;
  }
  #endif
+
  int ssl_print_tmp_key(BIO *out, SSL *s)
  {
      EVP_PKEY *key;
@@ -505,11 +405,15 @@ int ssl_print_tmp_key(BIO *out, SSL *s)
              nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
              EC_KEY_free(ec);
              cname = EC_curve_nid2nist(nid);
-            if (!cname)
+            if (cname == NULL)
                  cname = OBJ_nid2sn(nid);
              BIO_printf(out, "ECDH, %s, %d bits\n", cname, EVP_PKEY_bits(key));
          }
+    break;
  #endif
+    default:
+        BIO_printf(out, "%s, %d bits\n", OBJ_nid2sn(EVP_PKEY_id(key)),
+                   EVP_PKEY_bits(key));
      }
      EVP_PKEY_free(key);
      return 1;
@@ -522,19 +426,19 @@ long bio_dump_callback(BIO *bio, int cmd, const char *argp,
  
      out = (BIO *)BIO_get_callback_arg(bio);
      if (out == NULL)
-        return (ret);
+        return ret;
  
      if (cmd == (BIO_CB_READ | BIO_CB_RETURN)) {
          BIO_printf(out, "read from %p [%p] (%lu bytes => %ld (0x%lX))\n",
-                   (void *)bio, argp, (unsigned long)argi, ret, ret);
+                   (void *)bio, (void *)argp, (unsigned long)argi, ret, ret);
          BIO_dump(out, argp, (int)ret);
-        return (ret);
+        return ret;
      } else if (cmd == (BIO_CB_WRITE | BIO_CB_RETURN)) {
          BIO_printf(out, "write to %p [%p] (%lu bytes => %ld (0x%lX))\n",
-                   (void *)bio, argp, (unsigned long)argi, ret, ret);
+                   (void *)bio, (void *)argp, (unsigned long)argi, ret, ret);
          BIO_dump(out, argp, (int)ret);
      }
-    return (ret);
+    return ret;
  }
  
  void apps_ssl_info_callback(const SSL *s, int where, int ret)
@@ -563,66 +467,110 @@ void apps_ssl_info_callback(const SSL *s, int where, int ret)
          if (ret == 0)
              BIO_printf(bio_err, "%s:failed in %s\n",
                         str, SSL_state_string_long(s));
-        else if (ret < 0) {
+        else if (ret < 0)
              BIO_printf(bio_err, "%s:error in %s\n",
                         str, SSL_state_string_long(s));
-        }
      }
  }
  
-static const char *ssl_version_str(int version)
-{
-    switch (version) {
-    case SSL3_VERSION:
-        return "SSL 3.0";
-    case TLS1_VERSION:
-        return "TLS 1.0";
-    case TLS1_1_VERSION:
-        return "TLS 1.1";
-    case TLS1_2_VERSION:
-        return "TLS 1.2";
-    case DTLS1_VERSION:
-        return "DTLS 1.0";
-    case DTLS1_BAD_VER:
-        return "DTLS 1.0 (bad)";
-    default:
-        return "???";
-    }
-}
+static STRINT_PAIR ssl_versions[] = {
+    {"SSL 3.0", SSL3_VERSION},
+    {"TLS 1.0", TLS1_VERSION},
+    {"TLS 1.1", TLS1_1_VERSION},
+    {"TLS 1.2", TLS1_2_VERSION},
+    {"TLS 1.3", TLS1_3_VERSION},
+    {"DTLS 1.0", DTLS1_VERSION},
+    {"DTLS 1.0 (bad)", DTLS1_BAD_VER},
+    {NULL}
+};
+
+static STRINT_PAIR alert_types[] = {
+    {" close_notify", 0},
+    {" end_of_early_data", 1},
+    {" unexpected_message", 10},
+    {" bad_record_mac", 20},
+    {" decryption_failed", 21},
+    {" record_overflow", 22},
+    {" decompression_failure", 30},
+    {" handshake_failure", 40},
+    {" bad_certificate", 42},
+    {" unsupported_certificate", 43},
+    {" certificate_revoked", 44},
+    {" certificate_expired", 45},
+    {" certificate_unknown", 46},
+    {" illegal_parameter", 47},
+    {" unknown_ca", 48},
+    {" access_denied", 49},
+    {" decode_error", 50},
+    {" decrypt_error", 51},
+    {" export_restriction", 60},
+    {" protocol_version", 70},
+    {" insufficient_security", 71},
+    {" internal_error", 80},
+    {" inappropriate_fallback", 86},
+    {" user_canceled", 90},
+    {" no_renegotiation", 100},
+    {" missing_extension", 109},
+    {" unsupported_extension", 110},
+    {" certificate_unobtainable", 111},
+    {" unrecognized_name", 112},
+    {" bad_certificate_status_response", 113},
+    {" bad_certificate_hash_value", 114},
+    {" unknown_psk_identity", 115},
+    {" certificate_required", 116},
+    {NULL}
+};
+
+static STRINT_PAIR handshakes[] = {
+    {", HelloRequest", SSL3_MT_HELLO_REQUEST},
+    {", ClientHello", SSL3_MT_CLIENT_HELLO},
+    {", ServerHello", SSL3_MT_SERVER_HELLO},
+    {", HelloVerifyRequest", DTLS1_MT_HELLO_VERIFY_REQUEST},
+    {", NewSessionTicket", SSL3_MT_NEWSESSION_TICKET},
+    {", EndOfEarlyData", SSL3_MT_END_OF_EARLY_DATA},
+    {", EncryptedExtensions", SSL3_MT_ENCRYPTED_EXTENSIONS},
+    {", Certificate", SSL3_MT_CERTIFICATE},
+    {", ServerKeyExchange", SSL3_MT_SERVER_KEY_EXCHANGE},
+    {", CertificateRequest", SSL3_MT_CERTIFICATE_REQUEST},
+    {", ServerHelloDone", SSL3_MT_SERVER_DONE},
+    {", CertificateVerify", SSL3_MT_CERTIFICATE_VERIFY},
+    {", ClientKeyExchange", SSL3_MT_CLIENT_KEY_EXCHANGE},
+    {", Finished", SSL3_MT_FINISHED},
+    {", CertificateUrl", SSL3_MT_CERTIFICATE_URL},
+    {", CertificateStatus", SSL3_MT_CERTIFICATE_STATUS},
+    {", SupplementalData", SSL3_MT_SUPPLEMENTAL_DATA},
+    {", KeyUpdate", SSL3_MT_KEY_UPDATE},
+#ifndef OPENSSL_NO_NEXTPROTONEG
+    {", NextProto", SSL3_MT_NEXT_PROTO},
+#endif
+    {", MessageHash", SSL3_MT_MESSAGE_HASH},
+    {NULL}
+};
  
  void msg_cb(int write_p, int version, int content_type, const void *buf,
              size_t len, SSL *ssl, void *arg)
  {
      BIO *bio = arg;
-    const char *str_write_p, *str_version, *str_content_type =
-        "", *str_details1 = "", *str_details2 = "";
-
-    str_write_p = write_p ? ">>>" : "<<<";
-
-    str_version = ssl_version_str(version);
+    const char *str_write_p = write_p ? ">>>" : "<<<";
+    const char *str_version = lookup(version, ssl_versions, "???");
+    const char *str_content_type = "", *str_details1 = "", *str_details2 = "";
+    const unsigned char* bp = buf;
  
      if (version == SSL3_VERSION ||
          version == TLS1_VERSION ||
          version == TLS1_1_VERSION ||
          version == TLS1_2_VERSION ||
+        version == TLS1_3_VERSION ||
          version == DTLS1_VERSION || version == DTLS1_BAD_VER) {
          switch (content_type) {
          case 20:
-            str_content_type = "ChangeCipherSpec";
+            str_content_type = ", ChangeCipherSpec";
              break;
          case 21:
-            str_content_type = "Alert";
-            break;
-        case 22:
-            str_content_type = "Handshake";
-            break;
-        }
-
-        if (content_type == 21) { /* Alert */
+            str_content_type = ", Alert";
              str_details1 = ", ???";
-
              if (len == 2) {
-                switch (((const unsigned char *)buf)[0]) {
+                switch (bp[0]) {
                  case 1:
                      str_details1 = ", warning";
                      break;
@@ -630,147 +578,24 @@ void msg_cb(int write_p, int version, int content_type, const void *buf,
                      str_details1 = ", fatal";
                      break;
                  }
-
-                str_details2 = " ???";
-                switch (((const unsigned char *)buf)[1]) {
-                case 0:
-                    str_details2 = " close_notify";
-                    break;
-                case 10:
-                    str_details2 = " unexpected_message";
-                    break;
-                case 20:
-                    str_details2 = " bad_record_mac";
-                    break;
-                case 21:
-                    str_details2 = " decryption_failed";
-                    break;
-                case 22:
-                    str_details2 = " record_overflow";
-                    break;
-                case 30:
-                    str_details2 = " decompression_failure";
-                    break;
-                case 40:
-                    str_details2 = " handshake_failure";
-                    break;
-                case 42:
-                    str_details2 = " bad_certificate";
-                    break;
-                case 43:
-                    str_details2 = " unsupported_certificate";
-                    break;
-                case 44:
-                    str_details2 = " certificate_revoked";
-                    break;
-                case 45:
-                    str_details2 = " certificate_expired";
-                    break;
-                case 46:
-                    str_details2 = " certificate_unknown";
-                    break;
-                case 47:
-                    str_details2 = " illegal_parameter";
-                    break;
-                case 48:
-                    str_details2 = " unknown_ca";
-                    break;
-                case 49:
-                    str_details2 = " access_denied";
-                    break;
-                case 50:
-                    str_details2 = " decode_error";
-                    break;
-                case 51:
-                    str_details2 = " decrypt_error";
-                    break;
-                case 60:
-                    str_details2 = " export_restriction";
-                    break;
-                case 70:
-                    str_details2 = " protocol_version";
-                    break;
-                case 71:
-                    str_details2 = " insufficient_security";
-                    break;
-                case 80:
-                    str_details2 = " internal_error";
-                    break;
-                case 90:
-                    str_details2 = " user_canceled";
-                    break;
-                case 100:
-                    str_details2 = " no_renegotiation";
-                    break;
-                case 110:
-                    str_details2 = " unsupported_extension";
-                    break;
-                case 111:
-                    str_details2 = " certificate_unobtainable";
-                    break;
-                case 112:
-                    str_details2 = " unrecognized_name";
-                    break;
-                case 113:
-                    str_details2 = " bad_certificate_status_response";
-                    break;
-                case 114:
-                    str_details2 = " bad_certificate_hash_value";
-                    break;
-                case 115:
-                    str_details2 = " unknown_psk_identity";
-                    break;
-                }
+                str_details2 = lookup((int)bp[1], alert_types, " ???");
              }
-        }
-
-        if (content_type == 22) { /* Handshake */
+            break;
+        case 22:
+            str_content_type = ", Handshake";
              str_details1 = "???";
-
-            if (len > 0) {
-                switch (((const unsigned char *)buf)[0]) {
-                case 0:
-                    str_details1 = ", HelloRequest";
-                    break;
-                case 1:
-                    str_details1 = ", ClientHello";
-                    break;
-                case 2:
-                    str_details1 = ", ServerHello";
-                    break;
-                case 3:
-                    str_details1 = ", HelloVerifyRequest";
-                    break;
-                case 11:
-                    str_details1 = ", Certificate";
-                    break;
-                case 12:
-                    str_details1 = ", ServerKeyExchange";
-                    break;
-                case 13:
-                    str_details1 = ", CertificateRequest";
-                    break;
-                case 14:
-                    str_details1 = ", ServerHelloDone";
-                    break;
-                case 15:
-                    str_details1 = ", CertificateVerify";
-                    break;
-                case 16:
-                    str_details1 = ", ClientKeyExchange";
-                    break;
-                case 20:
-                    str_details1 = ", Finished";
-                    break;
-                }
-            }
-        }
+            if (len > 0)
+                str_details1 = lookup((int)bp[0], handshakes, "???");
+            break;
+        case 23:
+            str_content_type = ", ApplicationData";
+            break;
  #ifndef OPENSSL_NO_HEARTBEATS
-        if (content_type == 24) { /* Heartbeat */
+        case 24:
              str_details1 = ", Heartbeat";
  
              if (len > 0) {
-                switch (((const unsigned char *)buf)[0]) {
+                switch (bp[0]) {
                  case 1:
                      str_details1 = ", HeartbeatRequest";
                      break;
@@ -779,8 +604,9 @@ void msg_cb(int write_p, int version, int content_type, const void *buf,
                      break;
                  }
              }
-        }
+            break;
  #endif
+        }
      }
  
      BIO_printf(bio, "%s %s%s [length %04lx]%s%s\n", str_write_p, str_version,
@@ -804,123 +630,69 @@ void msg_cb(int write_p, int version, int content_type, const void *buf,
      (void)BIO_flush(bio);
  }
  
-void tlsext_cb(SSL *s, int client_server, int type,
-               unsigned char *data, int len, void *arg)
-{
-    BIO *bio = arg;
-    char *extname;
-
-    switch (type) {
-    case TLSEXT_TYPE_server_name:
-        extname = "server name";
-        break;
-
-    case TLSEXT_TYPE_max_fragment_length:
-        extname = "max fragment length";
-        break;
-
-    case TLSEXT_TYPE_client_certificate_url:
-        extname = "client certificate URL";
-        break;
-
-    case TLSEXT_TYPE_trusted_ca_keys:
-        extname = "trusted CA keys";
-        break;
-
-    case TLSEXT_TYPE_truncated_hmac:
-        extname = "truncated HMAC";
-        break;
-
-    case TLSEXT_TYPE_status_request:
-        extname = "status request";
-        break;
-
-    case TLSEXT_TYPE_user_mapping:
-        extname = "user mapping";
-        break;
-
-    case TLSEXT_TYPE_client_authz:
-        extname = "client authz";
-        break;
-
-    case TLSEXT_TYPE_server_authz:
-        extname = "server authz";
-        break;
-
-    case TLSEXT_TYPE_cert_type:
-        extname = "cert type";
-        break;
-
-    case TLSEXT_TYPE_elliptic_curves:
-        extname = "elliptic curves";
-        break;
-
-    case TLSEXT_TYPE_ec_point_formats:
-        extname = "EC point formats";
-        break;
-
-    case TLSEXT_TYPE_srp:
-        extname = "SRP";
-        break;
-
-    case TLSEXT_TYPE_signature_algorithms:
-        extname = "signature algorithms";
-        break;
-
-    case TLSEXT_TYPE_use_srtp:
-        extname = "use SRTP";
-        break;
-
-    case TLSEXT_TYPE_heartbeat:
-        extname = "heartbeat";
-        break;
-
-    case TLSEXT_TYPE_session_ticket:
-        extname = "session ticket";
-        break;
-
-    case TLSEXT_TYPE_renegotiate:
-        extname = "renegotiation info";
-        break;
-
+static STRINT_PAIR tlsext_types[] = {
+    {"server name", TLSEXT_TYPE_server_name},
+    {"max fragment length", TLSEXT_TYPE_max_fragment_length},
+    {"client certificate URL", TLSEXT_TYPE_client_certificate_url},
+    {"trusted CA keys", TLSEXT_TYPE_trusted_ca_keys},
+    {"truncated HMAC", TLSEXT_TYPE_truncated_hmac},
+    {"status request", TLSEXT_TYPE_status_request},
+    {"user mapping", TLSEXT_TYPE_user_mapping},
+    {"client authz", TLSEXT_TYPE_client_authz},
+    {"server authz", TLSEXT_TYPE_server_authz},
+    {"cert type", TLSEXT_TYPE_cert_type},
+    {"supported_groups", TLSEXT_TYPE_supported_groups},
+    {"EC point formats", TLSEXT_TYPE_ec_point_formats},
+    {"SRP", TLSEXT_TYPE_srp},
+    {"signature algorithms", TLSEXT_TYPE_signature_algorithms},
+    {"use SRTP", TLSEXT_TYPE_use_srtp},
+    {"heartbeat", TLSEXT_TYPE_heartbeat},
+    {"session ticket", TLSEXT_TYPE_session_ticket},
+    {"renegotiation info", TLSEXT_TYPE_renegotiate},
+    {"signed certificate timestamps", TLSEXT_TYPE_signed_certificate_timestamp},
+    {"TLS padding", TLSEXT_TYPE_padding},
  #ifdef TLSEXT_TYPE_next_proto_neg
-    case TLSEXT_TYPE_next_proto_neg:
-        extname = "next protocol";
-        break;
+    {"next protocol", TLSEXT_TYPE_next_proto_neg},
  #endif
  #ifdef TLSEXT_TYPE_encrypt_then_mac
-    case TLSEXT_TYPE_encrypt_then_mac:
-        extname = "encrypt-then-mac";
-        break;
+    {"encrypt-then-mac", TLSEXT_TYPE_encrypt_then_mac},
  #endif
-    case TLSEXT_TYPE_padding:
-        extname = "TLS padding";
-        break;
-
-    default:
-        extname = "unknown";
-        break;
+#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
+    {"application layer protocol negotiation",
+     TLSEXT_TYPE_application_layer_protocol_negotiation},
+#endif
+#ifdef TLSEXT_TYPE_extended_master_secret
+    {"extended master secret", TLSEXT_TYPE_extended_master_secret},
+#endif
+    {"key share", TLSEXT_TYPE_key_share},
+    {"supported versions", TLSEXT_TYPE_supported_versions},
+    {"psk", TLSEXT_TYPE_psk},
+    {"psk kex modes", TLSEXT_TYPE_psk_kex_modes},
+    {"certificate authorities", TLSEXT_TYPE_certificate_authorities},
+    {"post handshake auth", TLSEXT_TYPE_post_handshake_auth},
+    {NULL}
+};
  
-    }
+void tlsext_cb(SSL *s, int client_server, int type,
+               const unsigned char *data, int len, void *arg)
+{
+    BIO *bio = arg;
+    const char *extname = lookup(type, tlsext_types, "unknown");
  
      BIO_printf(bio, "TLS %s extension \"%s\" (id=%d), len=%d\n",
                 client_server ? "server" : "client", extname, type, len);
-    BIO_dump(bio, (char *)data, len);
+    BIO_dump(bio, (const char *)data, len);
      (void)BIO_flush(bio);
  }
  
+#ifndef OPENSSL_NO_SOCK
  int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
                               unsigned int *cookie_len)
  {
-    unsigned char *buffer, result[EVP_MAX_MD_SIZE];
-    unsigned int length, resultlength;
-    union {
-        struct sockaddr sa;
-        struct sockaddr_in s4;
-#if OPENSSL_USE_IPV6
-        struct sockaddr_in6 s6;
-#endif
-    } peer;
+    unsigned char *buffer;
+    size_t length = 0;
+    unsigned short port;
+    BIO_ADDR *lpeer = NULL, *peer = NULL;
  
      /* Initialize a random secret */
      if (!cookie_initialized) {
@@ -931,126 +703,76 @@ int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
          cookie_initialized = 1;
      }
  
-    /* Read peer information */
-    (void)BIO_dgram_get_peer(SSL_get_rbio(ssl), &peer);
+    if (SSL_is_dtls(ssl)) {
+        lpeer = peer = BIO_ADDR_new();
+        if (peer == NULL) {
+            BIO_printf(bio_err, "memory full\n");
+            return 0;
+        }
+
+        /* Read peer information */
+        (void)BIO_dgram_get_peer(SSL_get_rbio(ssl), peer);
+    } else {
+        peer = ourpeer;
+    }
  
      /* Create buffer with peer's address and port */
-    length = 0;
-    switch (peer.sa.sa_family) {
-    case AF_INET:
-        length += sizeof(struct in_addr);
-        length += sizeof(peer.s4.sin_port);
-        break;
-#if OPENSSL_USE_IPV6
-    case AF_INET6:
-        length += sizeof(struct in6_addr);
-        length += sizeof(peer.s6.sin6_port);
-        break;
-#endif
-    default:
-        OPENSSL_assert(0);
-        break;
+    if (!BIO_ADDR_rawaddress(peer, NULL, &length)) {
+        BIO_printf(bio_err, "Failed getting peer address\n");
+        return 0;
      }
+    OPENSSL_assert(length != 0);
+    port = BIO_ADDR_rawport(peer);
+    length += sizeof(port);
      buffer = app_malloc(length, "cookie generate buffer");
  
-    switch (peer.sa.sa_family) {
-    case AF_INET:
-        memcpy(buffer, &peer.s4.sin_port, sizeof(peer.s4.sin_port));
-        memcpy(buffer + sizeof(peer.s4.sin_port),
-               &peer.s4.sin_addr, sizeof(struct in_addr));
-        break;
-#if OPENSSL_USE_IPV6
-    case AF_INET6:
-        memcpy(buffer, &peer.s6.sin6_port, sizeof(peer.s6.sin6_port));
-        memcpy(buffer + sizeof(peer.s6.sin6_port),
-               &peer.s6.sin6_addr, sizeof(struct in6_addr));
-        break;
-#endif
-    default:
-        OPENSSL_assert(0);
-        break;
-    }
+    memcpy(buffer, &port, sizeof(port));
+    BIO_ADDR_rawaddress(peer, buffer + sizeof(port), NULL);
  
      /* Calculate HMAC of buffer using the secret */
      HMAC(EVP_sha1(), cookie_secret, COOKIE_SECRET_LENGTH,
-         buffer, length, result, &resultlength);
-    OPENSSL_free(buffer);
+         buffer, length, cookie, cookie_len);
  
-    memcpy(cookie, result, resultlength);
-    *cookie_len = resultlength;
+    OPENSSL_free(buffer);
+    BIO_ADDR_free(lpeer);
  
      return 1;
  }
  
-int verify_cookie_callback(SSL *ssl, unsigned char *cookie,
+int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
                             unsigned int cookie_len)
  {
-    unsigned char *buffer, result[EVP_MAX_MD_SIZE];
-    unsigned int length, resultlength;
-    union {
-        struct sockaddr sa;
-        struct sockaddr_in s4;
-#if OPENSSL_USE_IPV6
-        struct sockaddr_in6 s6;
-#endif
-    } peer;
-
-    /* If secret isn't initialized yet, the cookie can't be valid */
-    if (!cookie_initialized)
-        return 0;
-
-    /* Read peer information */
-    (void)BIO_dgram_get_peer(SSL_get_rbio(ssl), &peer);
-
-    /* Create buffer with peer's address and port */
-    length = 0;
-    switch (peer.sa.sa_family) {
-    case AF_INET:
-        length += sizeof(struct in_addr);
-        length += sizeof(peer.s4.sin_port);
-        break;
-#if OPENSSL_USE_IPV6
-    case AF_INET6:
-        length += sizeof(struct in6_addr);
-        length += sizeof(peer.s6.sin6_port);
-        break;
-#endif
-    default:
-        OPENSSL_assert(0);
-        break;
-    }
-    buffer = app_malloc(length, "cookie verify buffer");
-
-    switch (peer.sa.sa_family) {
-    case AF_INET:
-        memcpy(buffer, &peer.s4.sin_port, sizeof(peer.s4.sin_port));
-        memcpy(buffer + sizeof(peer.s4.sin_port),
-               &peer.s4.sin_addr, sizeof(struct in_addr));
-        break;
-#if OPENSSL_USE_IPV6
-    case AF_INET6:
-        memcpy(buffer, &peer.s6.sin6_port, sizeof(peer.s6.sin6_port));
-        memcpy(buffer + sizeof(peer.s6.sin6_port),
-               &peer.s6.sin6_addr, sizeof(struct in6_addr));
-        break;
-#endif
-    default:
-        OPENSSL_assert(0);
-        break;
-    }
-
-    /* Calculate HMAC of buffer using the secret */
-    HMAC(EVP_sha1(), cookie_secret, COOKIE_SECRET_LENGTH,
-         buffer, length, result, &resultlength);
-    OPENSSL_free(buffer);
-
-    if (cookie_len == resultlength
+    unsigned char result[EVP_MAX_MD_SIZE];
+    unsigned int resultlength;
+
+    /* Note: we check cookie_initialized because if it's not,
+     * it cannot be valid */
+    if (cookie_initialized
+        && generate_cookie_callback(ssl, result, &resultlength)
+        && cookie_len == resultlength
          && memcmp(result, cookie, resultlength) == 0)
          return 1;
  
      return 0;
  }
  
+int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
+                                       size_t *cookie_len)
+{
+    unsigned int temp;
+    int res = generate_cookie_callback(ssl, cookie, &temp);
+    *cookie_len = temp;
+    return res;
+}
+
+int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
+                                     size_t cookie_len)
+{
+    return verify_cookie_callback(ssl, cookie, cookie_len);
+}
+
+#endif
+
  /*
   * Example of extended certificate handling. Where the standard support of
   * one certificate per algorithm is not sufficient an application can decide
@@ -1072,33 +794,27 @@ struct ssl_excert_st {
      struct ssl_excert_st *next, *prev;
  };
  
-struct chain_flags {
-    int flag;
-    const char *name;
-};
-
-struct chain_flags chain_flags_list[] = {
-    {CERT_PKEY_VALID, "Overall Validity"},
-    {CERT_PKEY_SIGN, "Sign with EE key"},
-    {CERT_PKEY_EE_SIGNATURE, "EE signature"},
-    {CERT_PKEY_CA_SIGNATURE, "CA signature"},
-    {CERT_PKEY_EE_PARAM, "EE key parameters"},
-    {CERT_PKEY_CA_PARAM, "CA key parameters"},
-    {CERT_PKEY_EXPLICIT_SIGN, "Explicity sign with EE key"},
-    {CERT_PKEY_ISSUER_NAME, "Issuer Name"},
-    {CERT_PKEY_CERT_TYPE, "Certificate Type"},
-    {0, NULL}
+static STRINT_PAIR chain_flags[] = {
+    {"Overall Validity", CERT_PKEY_VALID},
+    {"Sign with EE key", CERT_PKEY_SIGN},
+    {"EE signature", CERT_PKEY_EE_SIGNATURE},
+    {"CA signature", CERT_PKEY_CA_SIGNATURE},
+    {"EE key parameters", CERT_PKEY_EE_PARAM},
+    {"CA key parameters", CERT_PKEY_CA_PARAM},
+    {"Explicitly sign with EE key", CERT_PKEY_EXPLICIT_SIGN},
+    {"Issuer Name", CERT_PKEY_ISSUER_NAME},
+    {"Certificate Type", CERT_PKEY_CERT_TYPE},
+    {NULL}
  };
  
  static void print_chain_flags(SSL *s, int flags)
  {
-    struct chain_flags *ctmp = chain_flags_list;
+    STRINT_PAIR *pp;
  
-    while (ctmp->name) {
-        BIO_printf(bio_err, "\t%s: %s\n", ctmp->name,
-                   flags & ctmp->flag ? "OK" : "NOT OK");
-        ctmp++;
-    }
+    for (pp = chain_flags; pp->name; ++pp)
+        BIO_printf(bio_err, "\t%s: %s\n",
+                   pp->name,
+                   (flags & pp->retval) ? "OK" : "NOT OK");
      BIO_printf(bio_err, "\tSuite B: ");
      if (SSL_set_cert_flags(s, 0) & SSL_CERT_FLAG_SUITEB_128_LOS)
          BIO_puts(bio_err, flags & CERT_PKEY_SUITEB ? "OK\n" : "NOT OK\n");
@@ -1118,31 +834,32 @@ static int set_cert_cb(SSL *ssl, void *arg)
      static int retry_cnt;
      if (retry_cnt < 5) {
          retry_cnt++;
-        fprintf(stderr, "Certificate callback retry test: count %d\n",
-                retry_cnt);
+        BIO_printf(bio_err,
+                   "Certificate callback retry test: count %d\n",
+                   retry_cnt);
          return -1;
      }
  #endif
      SSL_certs_clear(ssl);
  
-    if (!exc)
+    if (exc == NULL)
          return 1;
  
      /*
       * Go to end of list and traverse backwards since we prepend newer
       * entries this retains the original order.
       */
-    while (exc->next)
+    while (exc->next != NULL)
          exc = exc->next;
  
      i = 0;
  
-    while (exc) {
+    while (exc != NULL) {
          i++;
          rv = SSL_check_chain(ssl, exc->cert, exc->key, exc->chain);
          BIO_printf(bio_err, "Checking cert chain %d:\nSubject: ", i);
          X509_NAME_print_ex(bio_err, X509_get_subject_name(exc->cert), 0,
-                           XN_FLAG_ONELINE);
+                           get_nameopt());
          BIO_puts(bio_err, "\n");
          print_chain_flags(ssl, rv);
          if (rv & CERT_PKEY_VALID) {
@@ -1158,8 +875,9 @@ static int set_cert_cb(SSL *ssl, void *arg)
              if (exc->build_chain) {
                  if (!SSL_build_cert_chain(ssl, 0))
                      return 0;
-            } else if (exc->chain)
+            } else if (exc->chain != NULL) {
                  SSL_set1_chain(ssl, exc->chain);
+            }
          }
          exc = exc->prev;
      }
@@ -1173,16 +891,9 @@ void ssl_ctx_set_excert(SSL_CTX *ctx, SSL_EXCERT *exc)
  
  static int ssl_excert_prepend(SSL_EXCERT **pexc)
  {
-    SSL_EXCERT *exc = app_malloc(sizeof *exc, "prepend cert");
+    SSL_EXCERT *exc = app_malloc(sizeof(*exc), "prepend cert");
  
-    exc->certfile = NULL;
-    exc->keyfile = NULL;
-    exc->chainfile = NULL;
-    exc->cert = NULL;
-    exc->key = NULL;
-    exc->chain = NULL;
-    exc->prev = NULL;
-    exc->build_chain = 0;
+    memset(exc, 0, sizeof(*exc));
  
      exc->next = *pexc;
      *pexc = exc;
@@ -1202,6 +913,9 @@ static int ssl_excert_prepend(SSL_EXCERT **pexc)
  void ssl_excert_free(SSL_EXCERT *exc)
  {
      SSL_EXCERT *curr;
+
+    if (exc == NULL)
+        return;
      while (exc) {
          X509_free(exc->cert);
          EVP_PKEY_free(exc->key);
@@ -1215,36 +929,35 @@ void ssl_excert_free(SSL_EXCERT *exc)
  int load_excert(SSL_EXCERT **pexc)
  {
      SSL_EXCERT *exc = *pexc;
-    if (!exc)
+    if (exc == NULL)
          return 1;
      /* If nothing in list, free and set to NULL */
-    if (!exc->certfile && !exc->next) {
+    if (exc->certfile == NULL && exc->next == NULL) {
          ssl_excert_free(exc);
          *pexc = NULL;
          return 1;
      }
      for (; exc; exc = exc->next) {
-        if (!exc->certfile) {
+        if (exc->certfile == NULL) {
              BIO_printf(bio_err, "Missing filename\n");
              return 0;
          }
          exc->cert = load_cert(exc->certfile, exc->certform,
-                              NULL, NULL, "Server Certificate");
-        if (!exc->cert)
+                              "Server Certificate");
+        if (exc->cert == NULL)
              return 0;
-        if (exc->keyfile) {
+        if (exc->keyfile != NULL) {
              exc->key = load_key(exc->keyfile, exc->keyform,
                                  0, NULL, NULL, "Server Key");
          } else {
              exc->key = load_key(exc->certfile, exc->certform,
                                  0, NULL, NULL, "Server Key");
          }
-        if (!exc->key)
+        if (exc->key == NULL)
              return 0;
-        if (exc->chainfile) {
-            exc->chain = load_certs(exc->chainfile, FORMAT_PEM,
-                                    NULL, NULL, "Server Chain");
-            if (!exc->chain)
+        if (exc->chainfile != NULL) {
+            if (!load_certs(exc->chainfile, &exc->chain, FORMAT_PEM, NULL,
+                            "Server Chain"))
                  return 0;
          }
      }
@@ -1274,21 +987,22 @@ int args_excert(int opt, SSL_EXCERT **pexc)
      case OPT_X__LAST:
          return 0;
      case OPT_X_CERT:
-        if (exc->certfile && !ssl_excert_prepend(&exc)) {
+        if (exc->certfile != NULL && !ssl_excert_prepend(&exc)) {
              BIO_printf(bio_err, "%s: Error adding xcert\n", opt_getprog());
              goto err;
          }
+        *pexc = exc;
          exc->certfile = opt_arg();
          break;
      case OPT_X_KEY:
-        if (exc->keyfile) {
+        if (exc->keyfile != NULL) {
              BIO_printf(bio_err, "%s: Key already specified\n", opt_getprog());
              goto err;
          }
          exc->keyfile = opt_arg();
          break;
      case OPT_X_CHAIN:
-        if (exc->chainfile) {
+        if (exc->chainfile != NULL) {
              BIO_printf(bio_err, "%s: Chain already specified\n",
                         opt_getprog());
              goto err;
@@ -1311,8 +1025,7 @@ int args_excert(int opt, SSL_EXCERT **pexc)
  
   err:
      ERR_print_errors(bio_err);
-    if (exc)
-        ssl_excert_free(exc);
+    ssl_excert_free(exc);
      *pexc = NULL;
      return 0;
  }
@@ -1320,22 +1033,23 @@ int args_excert(int opt, SSL_EXCERT **pexc)
  static void print_raw_cipherlist(SSL *s)
  {
      const unsigned char *rlist;
-    static const unsigned char scsv_id[] = { 0, 0, 0xFF };
+    static const unsigned char scsv_id[] = { 0, 0xFF };
      size_t i, rlistlen, num;
      if (!SSL_is_server(s))
          return;
      num = SSL_get0_raw_cipherlist(s, NULL);
+    OPENSSL_assert(num == 2);
      rlistlen = SSL_get0_raw_cipherlist(s, &rlist);
      BIO_puts(bio_err, "Client cipher list: ");
      for (i = 0; i < rlistlen; i += num, rlist += num) {
          const SSL_CIPHER *c = SSL_CIPHER_find(s, rlist);
          if (i)
              BIO_puts(bio_err, ":");
-        if (c)
+        if (c != NULL) {
              BIO_puts(bio_err, SSL_CIPHER_get_name(c));
-        else if (!memcmp(rlist, scsv_id - num + 3, num))
+        } else if (memcmp(rlist, scsv_id, num) == 0) {
              BIO_puts(bio_err, "SCSV");
-        else {
+        } else {
              size_t j;
              BIO_puts(bio_err, "0x");
              for (j = 0; j < num; j++)
@@ -1345,11 +1059,84 @@ static void print_raw_cipherlist(SSL *s)
      BIO_puts(bio_err, "\n");
  }
  
+/*
+ * Hex encoder for TLSA RRdata, not ':' delimited.
+ */
+static char *hexencode(const unsigned char *data, size_t len)
+{
+    static const char *hex = "0123456789abcdef";
+    char *out;
+    char *cp;
+    size_t outlen = 2 * len + 1;
+    int ilen = (int) outlen;
+
+    if (outlen < len || ilen < 0 || outlen != (size_t)ilen) {
+        BIO_printf(bio_err, "%s: %zu-byte buffer too large to hexencode\n",
+                   opt_getprog(), len);
+        exit(1);
+    }
+    cp = out = app_malloc(ilen, "TLSA hex data buffer");
+
+    while (len-- > 0) {
+        *cp++ = hex[(*data >> 4) & 0x0f];
+        *cp++ = hex[*data++ & 0x0f];
+    }
+    *cp = '\0';
+    return out;
+}
+
+void print_verify_detail(SSL *s, BIO *bio)
+{
+    int mdpth;
+    EVP_PKEY *mspki;
+    long verify_err = SSL_get_verify_result(s);
+
+    if (verify_err == X509_V_OK) {
+        const char *peername = SSL_get0_peername(s);
+
+        BIO_printf(bio, "Verification: OK\n");
+        if (peername != NULL)
+            BIO_printf(bio, "Verified peername: %s\n", peername);
+    } else {
+        const char *reason = X509_verify_cert_error_string(verify_err);
+
+        BIO_printf(bio, "Verification error: %s\n", reason);
+    }
+
+    if ((mdpth = SSL_get0_dane_authority(s, NULL, &mspki)) >= 0) {
+        uint8_t usage, selector, mtype;
+        const unsigned char *data = NULL;
+        size_t dlen = 0;
+        char *hexdata;
+
+        mdpth = SSL_get0_dane_tlsa(s, &usage, &selector, &mtype, &data, &dlen);
+
+        /*
+         * The TLSA data field can be quite long when it is a certificate,
+         * public key or even a SHA2-512 digest.  Because the initial octets of
+         * ASN.1 certificates and public keys contain mostly boilerplate OIDs
+         * and lengths, we show the last 12 bytes of the data instead, as these
+         * are more likely to distinguish distinct TLSA records.
+         */
+#define TLSA_TAIL_SIZE 12
+        if (dlen > TLSA_TAIL_SIZE)
+            hexdata = hexencode(data + dlen - TLSA_TAIL_SIZE, TLSA_TAIL_SIZE);
+        else
+            hexdata = hexencode(data, dlen);
+        BIO_printf(bio, "DANE TLSA %d %d %d %s%s %s at depth %d\n",
+                   usage, selector, mtype,
+                   (dlen > TLSA_TAIL_SIZE) ? "..." : "", hexdata,
+                   (mspki != NULL) ? "signed the certificate" :
+                   mdpth ? "matched TA certificate" : "matched EE certificate",
+                   mdpth);
+        OPENSSL_free(hexdata);
+    }
+}
+
  void print_ssl_summary(SSL *s)
  {
      const SSL_CIPHER *c;
      X509 *peer;
-    /* const char *pnam = SSL_is_server(s) ? "client" : "server"; */
  
      BIO_printf(bio_err, "Protocol version: %s\n", SSL_get_version(s));
      print_raw_cipherlist(s);
@@ -1357,21 +1144,26 @@ void print_ssl_summary(SSL *s)
      BIO_printf(bio_err, "Ciphersuite: %s\n", SSL_CIPHER_get_name(c));
      do_print_sigalgs(bio_err, s, 0);
      peer = SSL_get_peer_certificate(s);
-    if (peer) {
+    if (peer != NULL) {
          int nid;
+
          BIO_puts(bio_err, "Peer certificate: ");
          X509_NAME_print_ex(bio_err, X509_get_subject_name(peer),
-                           0, XN_FLAG_ONELINE);
+                           0, get_nameopt());
          BIO_puts(bio_err, "\n");
          if (SSL_get_peer_signature_nid(s, &nid))
              BIO_printf(bio_err, "Hash used: %s\n", OBJ_nid2sn(nid));
-    } else
+        if (SSL_get_peer_signature_type_nid(s, &nid))
+            BIO_printf(bio_err, "Signature type: %s\n", get_sigtype(nid));
+        print_verify_detail(s, bio_err);
+    } else {
          BIO_puts(bio_err, "No peer certificate\n");
+    }
      X509_free(peer);
  #ifndef OPENSSL_NO_EC
      ssl_print_point_formats(bio_err, s);
      if (SSL_is_server(s))
-        ssl_print_curves(bio_err, s, 1);
+        ssl_print_groups(bio_err, s, 1);
      else
          ssl_print_tmp_key(bio_err, s);
  #else
@@ -1381,7 +1173,7 @@ void print_ssl_summary(SSL *s)
  }
  
  int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str,
-               SSL_CTX *ctx, int no_ecdhe, int no_jpake)
+               SSL_CTX *ctx)
  {
      int i;
  
@@ -1389,17 +1181,8 @@ int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str,
      for (i = 0; i < sk_OPENSSL_STRING_num(str); i += 2) {
          const char *flag = sk_OPENSSL_STRING_value(str, i);
          const char *arg = sk_OPENSSL_STRING_value(str, i + 1);
-        /* If no_ecdhe or named curve already specified don't need a default. */
-        if (!no_ecdhe && !strcmp(flag, "-named_curve"))
-            no_ecdhe = 1;
-#ifndef OPENSSL_NO_JPAKE
-        if (!no_jpake && !strcmp(flag, "-cipher")) {
-            BIO_puts(bio_err, "JPAKE sets cipher to PSK\n");
-            return 0;
-        }
-#endif
          if (SSL_CONF_cmd(cctx, flag, arg) <= 0) {
-            if (arg)
+            if (arg != NULL)
                  BIO_printf(bio_err, "Error with command: \"%s %s\"\n",
                             flag, arg);
              else
@@ -1408,27 +1191,6 @@ int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str,
              return 0;
          }
      }
-    /*
-     * This is a special case to keep existing s_server functionality: if we
-     * don't have any curve specified *and* we haven't disabled ECDHE then
-     * use P-256.
-     */
-    if (!no_ecdhe) {
-        if (SSL_CONF_cmd(cctx, "-named_curve", "P-256") <= 0) {
-            BIO_puts(bio_err, "Error setting EC curve\n");
-            ERR_print_errors(bio_err);
-            return 0;
-        }
-    }
-#ifndef OPENSSL_NO_JPAKE
-    if (!no_jpake) {
-        if (SSL_CONF_cmd(cctx, "-cipher", "PSK") <= 0) {
-            BIO_puts(bio_err, "Error setting cipher to PSK\n");
-            ERR_print_errors(bio_err);
-            return 0;
-        }
-    }
-#endif
      if (!SSL_CONF_CTX_finish(cctx)) {
          BIO_puts(bio_err, "Error finishing context\n");
          ERR_print_errors(bio_err);
@@ -1465,8 +1227,10 @@ int ssl_load_stores(SSL_CTX *ctx,
  {
      X509_STORE *vfy = NULL, *ch = NULL;
      int rv = 0;
-    if (vfyCApath || vfyCAfile) {
+    if (vfyCApath != NULL || vfyCAfile != NULL) {
          vfy = X509_STORE_new();
+        if (vfy == NULL)
+            goto err;
          if (!X509_STORE_load_locations(vfy, vfyCAfile, vfyCApath))
              goto err;
          add_crls_store(vfy, crls);
@@ -1474,8 +1238,10 @@ int ssl_load_stores(SSL_CTX *ctx,
          if (crl_download)
              store_setup_crl_download(vfy);
      }
-    if (chCApath || chCAfile) {
+    if (chCApath != NULL || chCAfile != NULL) {
          ch = X509_STORE_new();
+        if (ch == NULL)
+            goto err;
          if (!X509_STORE_load_locations(ch, chCAfile, chCApath))
              goto err;
          SSL_CTX_set1_chain_cert_store(ctx, ch);
@@ -1492,11 +1258,36 @@ int ssl_load_stores(SSL_CTX *ctx,
  typedef struct {
      BIO *out;
      int verbose;
-    int (*old_cb) (SSL *s, SSL_CTX *ctx, int op, int bits, int nid,
+    int (*old_cb) (const SSL *s, const SSL_CTX *ctx, int op, int bits, int nid,
                     void *other, void *ex);
  } security_debug_ex;
  
-static int security_callback_debug(SSL *s, SSL_CTX *ctx,
+static STRINT_PAIR callback_types[] = {
+    {"Supported Ciphersuite", SSL_SECOP_CIPHER_SUPPORTED},
+    {"Shared Ciphersuite", SSL_SECOP_CIPHER_SHARED},
+    {"Check Ciphersuite", SSL_SECOP_CIPHER_CHECK},
+#ifndef OPENSSL_NO_DH
+    {"Temp DH key bits", SSL_SECOP_TMP_DH},
+#endif
+    {"Supported Curve", SSL_SECOP_CURVE_SUPPORTED},
+    {"Shared Curve", SSL_SECOP_CURVE_SHARED},
+    {"Check Curve", SSL_SECOP_CURVE_CHECK},
+    {"Supported Signature Algorithm digest", SSL_SECOP_SIGALG_SUPPORTED},
+    {"Shared Signature Algorithm digest", SSL_SECOP_SIGALG_SHARED},
+    {"Check Signature Algorithm digest", SSL_SECOP_SIGALG_CHECK},
+    {"Signature Algorithm mask", SSL_SECOP_SIGALG_MASK},
+    {"Certificate chain EE key", SSL_SECOP_EE_KEY},
+    {"Certificate chain CA key", SSL_SECOP_CA_KEY},
+    {"Peer Chain EE key", SSL_SECOP_PEER_EE_KEY},
+    {"Peer Chain CA key", SSL_SECOP_PEER_CA_KEY},
+    {"Certificate chain CA digest", SSL_SECOP_CA_MD},
+    {"Peer chain CA digest", SSL_SECOP_PEER_CA_MD},
+    {"SSL compression", SSL_SECOP_COMPRESSION},
+    {"Session ticket", SSL_SECOP_TICKET},
+    {NULL}
+};
+
+static int security_callback_debug(const SSL *s, const SSL_CTX *ctx,
                                     int op, int bits, int nid,
                                     void *other, void *ex)
  {
@@ -1508,81 +1299,24 @@ static int security_callback_debug(SSL *s, SSL_CTX *ctx,
          return 1;
      BIO_puts(sdb->out, "Security callback: ");
  
+    nm = lookup(op, callback_types, NULL);
      switch (op) {
-    case SSL_SECOP_CIPHER_SUPPORTED:
-        nm = "Supported Ciphersuite";
-        break;
-    case SSL_SECOP_CIPHER_SHARED:
-        nm = "Shared Ciphersuite";
-        break;
-    case SSL_SECOP_CIPHER_CHECK:
-        nm = "Check Ciphersuite";
-        break;
      case SSL_SECOP_TICKET:
-        BIO_puts(sdb->out, "Session ticket");
-        show_bits = 0;
-        nm = NULL;
-        break;
      case SSL_SECOP_COMPRESSION:
-        BIO_puts(sdb->out, "SSL compression");
          show_bits = 0;
          nm = NULL;
          break;
-#ifndef OPENSSL_NO_DH
-    case SSL_SECOP_TMP_DH:
-        nm = "Temp DH key bits";
-        break;
-#endif
-    case SSL_SECOP_CURVE_SUPPORTED:
-        nm = "Supported Curve";
-        break;
-    case SSL_SECOP_CURVE_SHARED:
-        nm = "Shared Curve";
-        break;
-    case SSL_SECOP_CURVE_CHECK:
-        nm = "Check Curve";
-        break;
      case SSL_SECOP_VERSION:
-        BIO_printf(sdb->out, "Version=%s", ssl_version_str(nid));
+        BIO_printf(sdb->out, "Version=%s", lookup(nid, ssl_versions, "???"));
          show_bits = 0;
          nm = NULL;
          break;
-    case SSL_SECOP_SIGALG_SUPPORTED:
-        nm = "Supported Signature Algorithm digest";
-        break;
-    case SSL_SECOP_SIGALG_SHARED:
-        nm = "Shared Signature Algorithm digest";
-        break;
-    case SSL_SECOP_SIGALG_CHECK:
-        nm = "Check Signature Algorithm digest";
-        break;
-    case SSL_SECOP_SIGALG_MASK:
-        nm = "Signature Algorithm mask";
-        break;
-    case SSL_SECOP_EE_KEY:
-        nm = "Certificate chain EE key";
-        break;
-    case SSL_SECOP_CA_KEY:
-        nm = "Certificate chain CA key";
-        break;
      case SSL_SECOP_CA_MD:
-        cert_md = 1;
-        nm = "Certificate chain CA digest";
-        break;
-    case SSL_SECOP_PEER_EE_KEY:
-        nm = "Peer Chain EE key";
-        break;
-    case SSL_SECOP_PEER_CA_KEY:
-        nm = "Peer Chain CA key";
-        break;
      case SSL_SECOP_PEER_CA_MD:
          cert_md = 1;
-        nm = "Peer chain CA digest";
          break;
-    default:
-        nm = NULL;
      }
-    if (nm)
+    if (nm != NULL)
          BIO_printf(sdb->out, "%s=", nm);
  
      switch (op & SSL_SECOP_OTHER_TYPE) {
@@ -1602,26 +1336,26 @@ static int security_callback_debug(SSL *s, SSL_CTX *ctx,
          }
          break;
  #endif
-
+#ifndef OPENSSL_NO_DH
      case SSL_SECOP_OTHER_DH:
          {
              DH *dh = other;
-            BIO_printf(sdb->out, "%d", BN_num_bits(dh->p));
+            BIO_printf(sdb->out, "%d", DH_bits(dh));
              break;
          }
+#endif
      case SSL_SECOP_OTHER_CERT:
          {
              if (cert_md) {
                  int sig_nid = X509_get_signature_nid(other);
                  BIO_puts(sdb->out, OBJ_nid2sn(sig_nid));
              } else {
-                EVP_PKEY *pkey = X509_get_pubkey(other);
+                EVP_PKEY *pkey = X509_get0_pubkey(other);
                  const char *algname = "";
                  EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL,
                                          &algname, EVP_PKEY_get0_asn1(pkey));
                  BIO_printf(sdb->out, "%s, bits=%d",
                             algname, EVP_PKEY_bits(pkey));
-                EVP_PKEY_free(pkey);
              }
              break;
          }
@@ -1670,3 +1404,68 @@ void ssl_ctx_security_debug(SSL_CTX *ctx, int verbose)
      SSL_CTX_set_security_callback(ctx, security_callback_debug);
      SSL_CTX_set0_security_ex_data(ctx, &sdb);
  }
+
+static void keylog_callback(const SSL *ssl, const char *line)
+{
+    if (bio_keylog == NULL) {
+        BIO_printf(bio_err, "Keylog callback is invoked without valid file!\n");
+        return;
+    }
+
+    /*
+     * There might be concurrent writers to the keylog file, so we must ensure
+     * that the given line is written at once.
+     */
+    BIO_printf(bio_keylog, "%s\n", line);
+    (void)BIO_flush(bio_keylog);
+}
+
+int set_keylog_file(SSL_CTX *ctx, const char *keylog_file)
+{
+    /* Close any open files */
+    BIO_free_all(bio_keylog);
+    bio_keylog = NULL;
+
+    if (ctx == NULL || keylog_file == NULL) {
+        /* Keylogging is disabled, OK. */
+        return 0;
+    }
+
+    /*
+     * Append rather than write in order to allow concurrent modification.
+     * Furthermore, this preserves existing keylog files which is useful when
+     * the tool is run multiple times.
+     */
+    bio_keylog = BIO_new_file(keylog_file, "a");
+    if (bio_keylog == NULL) {
+        BIO_printf(bio_err, "Error writing keylog file %s\n", keylog_file);
+        return 1;
+    }
+
+    /* Write a header for seekable, empty files (this excludes pipes). */
+    if (BIO_tell(bio_keylog) == 0) {
+        BIO_puts(bio_keylog,
+                 "# SSL/TLS secrets log file, generated by OpenSSL\n");
+        (void)BIO_flush(bio_keylog);
+    }
+    SSL_CTX_set_keylog_callback(ctx, keylog_callback);
+    return 0;
+}
+
+void print_ca_names(BIO *bio, SSL *s)
+{
+    const char *cs = SSL_is_server(s) ? "server" : "client";
+    const STACK_OF(X509_NAME) *sk = SSL_get0_peer_CA_list(s);
+    int i;
+
+    if (sk == NULL || sk_X509_NAME_num(sk) == 0) {
+        BIO_printf(bio, "---\nNo %s certificate CA names sent\n", cs);
+        return;
+    }
+
+    BIO_printf(bio, "---\nAcceptable %s certificate CA names\n",cs);
+    for (i = 0; i < sk_X509_NAME_num(sk); i++) {
+        X509_NAME_print_ex(bio, sk_X509_NAME_value(sk, i), 0, get_nameopt());
+        BIO_write(bio, "\n", 1);
+    }
+}