fc806eb67263bcd6c03cd0c911f6eb9813e0d816
[dragonfly.git] / crypto / openssl / apps / s_client.c
1 /* apps/s_client.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111 /* ====================================================================
112  * Copyright 2005 Nokia. All rights reserved.
113  *
114  * The portions of the attached software ("Contribution") is developed by
115  * Nokia Corporation and is licensed pursuant to the OpenSSL open source
116  * license.
117  *
118  * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119  * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120  * support (see RFC 4279) to OpenSSL.
121  *
122  * No patent licenses or other rights except those expressly stated in
123  * the OpenSSL open source license shall be deemed granted or received
124  * expressly, by implication, estoppel, or otherwise.
125  *
126  * No assurances are provided by Nokia that the Contribution does not
127  * infringe the patent or other intellectual property rights of any third
128  * party or that the license provides you with all the necessary rights
129  * to make use of the Contribution.
130  *
131  * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132  * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133  * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134  * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
135  * OTHERWISE.
136  */
137
138 #include <assert.h>
139 #include <ctype.h>
140 #include <stdio.h>
141 #include <stdlib.h>
142 #include <string.h>
143 #include <openssl/e_os2.h>
144 #ifdef OPENSSL_NO_STDIO
145 #define APPS_WIN16
146 #endif
147
148 /* With IPv6, it looks like Digital has mixed up the proper order of
149    recursive header file inclusion, resulting in the compiler complaining
150    that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which
151    is needed to have fileno() declared correctly...  So let's define u_int */
152 #if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
153 #define __U_INT
154 typedef unsigned int u_int;
155 #endif
156
157 #define USE_SOCKETS
158 #include "apps.h"
159 #include <openssl/x509.h>
160 #include <openssl/ssl.h>
161 #include <openssl/err.h>
162 #include <openssl/pem.h>
163 #include <openssl/rand.h>
164 #include <openssl/ocsp.h>
165 #include <openssl/bn.h>
166 #ifndef OPENSSL_NO_SRP
167 #include <openssl/srp.h>
168 #endif
169 #include "s_apps.h"
170 #include "timeouts.h"
171
172 #if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
173 /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
174 #undef FIONBIO
175 #endif
176
177 #if defined(OPENSSL_SYS_BEOS_R5)
178 #include <fcntl.h>
179 #endif
180
181 #undef PROG
182 #define PROG    s_client_main
183
184 /*#define SSL_HOST_NAME "www.netscape.com" */
185 /*#define SSL_HOST_NAME "193.118.187.102" */
186 #define SSL_HOST_NAME   "localhost"
187
188 /*#define TEST_CERT "client.pem" */ /* no default cert. */
189
190 #undef BUFSIZZ
191 #define BUFSIZZ 1024*8
192
193 extern int verify_depth;
194 extern int verify_error;
195 extern int verify_return_error;
196
197 #ifdef FIONBIO
198 static int c_nbio=0;
199 #endif
200 static int c_Pause=0;
201 static int c_debug=0;
202 #ifndef OPENSSL_NO_TLSEXT
203 static int c_tlsextdebug=0;
204 static int c_status_req=0;
205 #endif
206 static int c_msg=0;
207 static int c_showcerts=0;
208
209 static char *keymatexportlabel=NULL;
210 static int keymatexportlen=20;
211
212 static void sc_usage(void);
213 static void print_stuff(BIO *berr,SSL *con,int full);
214 #ifndef OPENSSL_NO_TLSEXT
215 static int ocsp_resp_cb(SSL *s, void *arg);
216 #endif
217 static BIO *bio_c_out=NULL;
218 static int c_quiet=0;
219 static int c_ign_eof=0;
220
221 #ifndef OPENSSL_NO_PSK
222 /* Default PSK identity and key */
223 static char *psk_identity="Client_identity";
224 /*char *psk_key=NULL;  by default PSK is not used */
225
226 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity,
227         unsigned int max_identity_len, unsigned char *psk,
228         unsigned int max_psk_len)
229         {
230         unsigned int psk_len = 0;
231         int ret;
232         BIGNUM *bn=NULL;
233
234         if (c_debug)
235                 BIO_printf(bio_c_out, "psk_client_cb\n");
236         if (!hint)
237                 {
238                 /* no ServerKeyExchange message*/
239                 if (c_debug)
240                         BIO_printf(bio_c_out,"NULL received PSK identity hint, continuing anyway\n");
241                 }
242         else if (c_debug)
243                 BIO_printf(bio_c_out, "Received PSK identity hint '%s'\n", hint);
244
245         /* lookup PSK identity and PSK key based on the given identity hint here */
246         ret = BIO_snprintf(identity, max_identity_len, "%s", psk_identity);
247         if (ret < 0 || (unsigned int)ret > max_identity_len)
248                 goto out_err;
249         if (c_debug)
250                 BIO_printf(bio_c_out, "created identity '%s' len=%d\n", identity, ret);
251         ret=BN_hex2bn(&bn, psk_key);
252         if (!ret)
253                 {
254                 BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", psk_key);
255                 if (bn)
256                         BN_free(bn);
257                 return 0;
258                 }
259
260         if ((unsigned int)BN_num_bytes(bn) > max_psk_len)
261                 {
262                 BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
263                         max_psk_len, BN_num_bytes(bn));
264                 BN_free(bn);
265                 return 0;
266                 }
267
268         psk_len=BN_bn2bin(bn, psk);
269         BN_free(bn);
270         if (psk_len == 0)
271                 goto out_err;
272
273         if (c_debug)
274                 BIO_printf(bio_c_out, "created PSK len=%d\n", psk_len);
275
276         return psk_len;
277  out_err:
278         if (c_debug)
279                 BIO_printf(bio_err, "Error in PSK client callback\n");
280         return 0;
281         }
282 #endif
283
284 static void sc_usage(void)
285         {
286         BIO_printf(bio_err,"usage: s_client args\n");
287         BIO_printf(bio_err,"\n");
288         BIO_printf(bio_err," -host host     - use -connect instead\n");
289         BIO_printf(bio_err," -port port     - use -connect instead\n");
290         BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR);
291
292         BIO_printf(bio_err," -verify arg   - turn on peer certificate verification\n");
293         BIO_printf(bio_err," -cert arg     - certificate file to use, PEM format assumed\n");
294         BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n");
295         BIO_printf(bio_err," -key arg      - Private key file to use, in cert file if\n");
296         BIO_printf(bio_err,"                 not specified but cert file is.\n");
297         BIO_printf(bio_err," -keyform arg  - key format (PEM or DER) PEM default\n");
298         BIO_printf(bio_err," -pass arg     - private key file pass phrase source\n");
299         BIO_printf(bio_err," -CApath arg   - PEM format directory of CA's\n");
300         BIO_printf(bio_err," -CAfile arg   - PEM format file of CA's\n");
301         BIO_printf(bio_err," -reconnect    - Drop and re-make the connection with the same Session-ID\n");
302         BIO_printf(bio_err," -pause        - sleep(1) after each read(2) and write(2) system call\n");
303         BIO_printf(bio_err," -showcerts    - show all certificates in the chain\n");
304         BIO_printf(bio_err," -debug        - extra output\n");
305 #ifdef WATT32
306         BIO_printf(bio_err," -wdebug       - WATT-32 tcp debugging\n");
307 #endif
308         BIO_printf(bio_err," -msg          - Show protocol messages\n");
309         BIO_printf(bio_err," -nbio_test    - more ssl protocol testing\n");
310         BIO_printf(bio_err," -state        - print the 'ssl' states\n");
311 #ifdef FIONBIO
312         BIO_printf(bio_err," -nbio         - Run with non-blocking IO\n");
313 #endif
314         BIO_printf(bio_err," -crlf         - convert LF from terminal into CRLF\n");
315         BIO_printf(bio_err," -quiet        - no s_client output\n");
316         BIO_printf(bio_err," -ign_eof      - ignore input eof (default when -quiet)\n");
317         BIO_printf(bio_err," -no_ign_eof   - don't ignore input eof\n");
318 #ifndef OPENSSL_NO_PSK
319         BIO_printf(bio_err," -psk_identity arg - PSK identity\n");
320         BIO_printf(bio_err," -psk arg      - PSK in hex (without 0x)\n");
321 # ifndef OPENSSL_NO_JPAKE
322         BIO_printf(bio_err," -jpake arg    - JPAKE secret to use\n");
323 # endif
324 #endif
325 #ifndef OPENSSL_NO_SRP
326         BIO_printf(bio_err," -srpuser user     - SRP authentification for 'user'\n");
327         BIO_printf(bio_err," -srppass arg      - password for 'user'\n");
328         BIO_printf(bio_err," -srp_lateuser     - SRP username into second ClientHello message\n");
329         BIO_printf(bio_err," -srp_moregroups   - Tolerate other than the known g N values.\n");
330         BIO_printf(bio_err," -srp_strength int - minimal mength in bits for N (default %d).\n",SRP_MINIMAL_N);
331 #endif
332         BIO_printf(bio_err," -ssl2         - just use SSLv2\n");
333         BIO_printf(bio_err," -ssl3         - just use SSLv3\n");
334         BIO_printf(bio_err," -tls1_2       - just use TLSv1.2\n");
335         BIO_printf(bio_err," -tls1_1       - just use TLSv1.1\n");
336         BIO_printf(bio_err," -tls1         - just use TLSv1\n");
337         BIO_printf(bio_err," -dtls1        - just use DTLSv1\n");    
338         BIO_printf(bio_err," -mtu          - set the link layer MTU\n");
339         BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
340         BIO_printf(bio_err," -bugs         - Switch on all SSL implementation bug workarounds\n");
341         BIO_printf(bio_err," -serverpref   - Use server's cipher preferences (only SSLv2)\n");
342         BIO_printf(bio_err," -cipher       - preferred cipher to use, use the 'openssl ciphers'\n");
343         BIO_printf(bio_err,"                 command to see what is available\n");
344         BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n");
345         BIO_printf(bio_err,"                 for those protocols that support it, where\n");
346         BIO_printf(bio_err,"                 'prot' defines which one to assume.  Currently,\n");
347         BIO_printf(bio_err,"                 only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
348         BIO_printf(bio_err,"                 are supported.\n");
349 #ifndef OPENSSL_NO_ENGINE
350         BIO_printf(bio_err," -engine id    - Initialise and use the specified engine\n");
351 #endif
352         BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
353         BIO_printf(bio_err," -sess_out arg - file to write SSL session to\n");
354         BIO_printf(bio_err," -sess_in arg  - file to read SSL session from\n");
355 #ifndef OPENSSL_NO_TLSEXT
356         BIO_printf(bio_err," -servername host  - Set TLS extension servername in ClientHello\n");
357         BIO_printf(bio_err," -tlsextdebug      - hex dump of all TLS extensions received\n");
358         BIO_printf(bio_err," -status           - request certificate status from server\n");
359         BIO_printf(bio_err," -no_ticket        - disable use of RFC4507bis session tickets\n");
360 # if !defined(OPENSSL_NO_NEXTPROTONEG)
361         BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
362 # endif
363 #endif
364         BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
365         BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
366         BIO_printf(bio_err," -keymatexport label   - Export keying material using label\n");
367         BIO_printf(bio_err," -keymatexportlen len  - Export len bytes of keying material (default 20)\n");
368         }
369
370 #ifndef OPENSSL_NO_TLSEXT
371
372 /* This is a context that we pass to callbacks */
373 typedef struct tlsextctx_st {
374    BIO * biodebug;
375    int ack;
376 } tlsextctx;
377
378
379 static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
380         {
381         tlsextctx * p = (tlsextctx *) arg;
382         const char * hn= SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
383         if (SSL_get_servername_type(s) != -1) 
384                 p->ack = !SSL_session_reused(s) && hn != NULL;
385         else 
386                 BIO_printf(bio_err,"Can't use SSL_get_servername\n");
387         
388         return SSL_TLSEXT_ERR_OK;
389         }
390
391 #ifndef OPENSSL_NO_SRP
392
393 /* This is a context that we pass to all callbacks */
394 typedef struct srp_arg_st
395         {
396         char *srppassin;
397         char *srplogin;
398         int msg;   /* copy from c_msg */
399         int debug; /* copy from c_debug */
400         int amp;   /* allow more groups */
401         int strength /* minimal size for N */ ;
402         } SRP_ARG;
403
404 #define SRP_NUMBER_ITERATIONS_FOR_PRIME 64
405
406 static int srp_Verify_N_and_g(BIGNUM *N, BIGNUM *g)
407         {
408         BN_CTX *bn_ctx = BN_CTX_new();
409         BIGNUM *p = BN_new();
410         BIGNUM *r = BN_new();
411         int ret =
412                 g != NULL && N != NULL && bn_ctx != NULL && BN_is_odd(N) &&
413                 BN_is_prime_ex(N, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
414                 p != NULL && BN_rshift1(p, N) &&
415
416                 /* p = (N-1)/2 */
417                 BN_is_prime_ex(p, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
418                 r != NULL &&
419
420                 /* verify g^((N-1)/2) == -1 (mod N) */
421                 BN_mod_exp(r, g, p, N, bn_ctx) &&
422                 BN_add_word(r, 1) &&
423                 BN_cmp(r, N) == 0;
424
425         if(r)
426                 BN_free(r);
427         if(p)
428                 BN_free(p);
429         if(bn_ctx)
430                 BN_CTX_free(bn_ctx);
431         return ret;
432         }
433
434 /* This callback is used here for two purposes:
435    - extended debugging
436    - making some primality tests for unknown groups
437    The callback is only called for a non default group.
438
439    An application does not need the call back at all if
440    only the stanard groups are used.  In real life situations, 
441    client and server already share well known groups, 
442    thus there is no need to verify them. 
443    Furthermore, in case that a server actually proposes a group that
444    is not one of those defined in RFC 5054, it is more appropriate 
445    to add the group to a static list and then compare since 
446    primality tests are rather cpu consuming.
447 */
448
449 static int MS_CALLBACK ssl_srp_verify_param_cb(SSL *s, void *arg)
450         {
451         SRP_ARG *srp_arg = (SRP_ARG *)arg;
452         BIGNUM *N = NULL, *g = NULL;
453         if (!(N = SSL_get_srp_N(s)) || !(g = SSL_get_srp_g(s)))
454                 return 0;
455         if (srp_arg->debug || srp_arg->msg || srp_arg->amp == 1)
456                 {
457                 BIO_printf(bio_err, "SRP parameters:\n"); 
458                 BIO_printf(bio_err,"\tN="); BN_print(bio_err,N);
459                 BIO_printf(bio_err,"\n\tg="); BN_print(bio_err,g);
460                 BIO_printf(bio_err,"\n");
461                 }
462
463         if (SRP_check_known_gN_param(g,N))
464                 return 1;
465
466         if (srp_arg->amp == 1)
467                 {
468                 if (srp_arg->debug)
469                         BIO_printf(bio_err, "SRP param N and g are not known params, going to check deeper.\n");
470
471 /* The srp_moregroups is a real debugging feature.
472    Implementors should rather add the value to the known ones.
473    The minimal size has already been tested.
474 */
475                 if (BN_num_bits(g) <= BN_BITS && srp_Verify_N_and_g(N,g))
476                         return 1;
477                 }       
478         BIO_printf(bio_err, "SRP param N and g rejected.\n");
479         return 0;
480         }
481
482 #define PWD_STRLEN 1024
483
484 static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
485         {
486         SRP_ARG *srp_arg = (SRP_ARG *)arg;
487         char *pass = (char *)OPENSSL_malloc(PWD_STRLEN+1);
488         PW_CB_DATA cb_tmp;
489         int l;
490
491         cb_tmp.password = (char *)srp_arg->srppassin;
492         cb_tmp.prompt_info = "SRP user";
493         if ((l = password_callback(pass, PWD_STRLEN, 0, &cb_tmp))<0)
494                 {
495                 BIO_printf (bio_err, "Can't read Password\n");
496                 OPENSSL_free(pass);
497                 return NULL;
498                 }
499         *(pass+l)= '\0';
500
501         return pass;
502         }
503
504 #endif
505         char *srtp_profiles = NULL;
506
507 # ifndef OPENSSL_NO_NEXTPROTONEG
508 /* This the context that we pass to next_proto_cb */
509 typedef struct tlsextnextprotoctx_st {
510         unsigned char *data;
511         unsigned short len;
512         int status;
513 } tlsextnextprotoctx;
514
515 static tlsextnextprotoctx next_proto;
516
517 static int next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg)
518         {
519         tlsextnextprotoctx *ctx = arg;
520
521         if (!c_quiet)
522                 {
523                 /* We can assume that |in| is syntactically valid. */
524                 unsigned i;
525                 BIO_printf(bio_c_out, "Protocols advertised by server: ");
526                 for (i = 0; i < inlen; )
527                         {
528                         if (i)
529                                 BIO_write(bio_c_out, ", ", 2);
530                         BIO_write(bio_c_out, &in[i + 1], in[i]);
531                         i += in[i] + 1;
532                         }
533                 BIO_write(bio_c_out, "\n", 1);
534                 }
535
536         ctx->status = SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len);
537         return SSL_TLSEXT_ERR_OK;
538         }
539 # endif
540 #endif
541
542 enum
543 {
544         PROTO_OFF       = 0,
545         PROTO_SMTP,
546         PROTO_POP3,
547         PROTO_IMAP,
548         PROTO_FTP,
549         PROTO_XMPP
550 };
551
552 int MAIN(int, char **);
553
554 int MAIN(int argc, char **argv)
555         {
556         unsigned int off=0, clr=0;
557         SSL *con=NULL;
558 #ifndef OPENSSL_NO_KRB5
559         KSSL_CTX *kctx;
560 #endif
561         int s,k,width,state=0;
562         char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL;
563         int cbuf_len,cbuf_off;
564         int sbuf_len,sbuf_off;
565         fd_set readfds,writefds;
566         short port=PORT;
567         int full_log=1;
568         char *host=SSL_HOST_NAME;
569         char *cert_file=NULL,*key_file=NULL;
570         int cert_format = FORMAT_PEM, key_format = FORMAT_PEM;
571         char *passarg = NULL, *pass = NULL;
572         X509 *cert = NULL;
573         EVP_PKEY *key = NULL;
574         char *CApath=NULL,*CAfile=NULL,*cipher=NULL;
575         int reconnect=0,badop=0,verify=SSL_VERIFY_NONE,bugs=0;
576         int crlf=0;
577         int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending;
578         SSL_CTX *ctx=NULL;
579         int ret=1,in_init=1,i,nbio_test=0;
580         int starttls_proto = PROTO_OFF;
581         int prexit = 0;
582         X509_VERIFY_PARAM *vpm = NULL;
583         int badarg = 0;
584         const SSL_METHOD *meth=NULL;
585         int socket_type=SOCK_STREAM;
586         BIO *sbio;
587         char *inrand=NULL;
588         int mbuf_len=0;
589         struct timeval timeout, *timeoutp;
590 #ifndef OPENSSL_NO_ENGINE
591         char *engine_id=NULL;
592         char *ssl_client_engine_id=NULL;
593         ENGINE *ssl_client_engine=NULL;
594 #endif
595         ENGINE *e=NULL;
596 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
597         struct timeval tv;
598 #if defined(OPENSSL_SYS_BEOS_R5)
599         int stdin_set = 0;
600 #endif
601 #endif
602 #ifndef OPENSSL_NO_TLSEXT
603         char *servername = NULL; 
604         tlsextctx tlsextcbp = 
605         {NULL,0};
606 # ifndef OPENSSL_NO_NEXTPROTONEG
607         const char *next_proto_neg_in = NULL;
608 # endif
609 #endif
610         char *sess_in = NULL;
611         char *sess_out = NULL;
612         struct sockaddr peer;
613         int peerlen = sizeof(peer);
614         int enable_timeouts = 0 ;
615         long socket_mtu = 0;
616 #ifndef OPENSSL_NO_JPAKE
617         char *jpake_secret = NULL;
618 #endif
619 #ifndef OPENSSL_NO_SRP
620         char * srppass = NULL;
621         int srp_lateuser = 0;
622         SRP_ARG srp_arg = {NULL,NULL,0,0,0,1024};
623 #endif
624
625         meth=SSLv23_client_method();
626
627         apps_startup();
628         c_Pause=0;
629         c_quiet=0;
630         c_ign_eof=0;
631         c_debug=0;
632         c_msg=0;
633         c_showcerts=0;
634
635         if (bio_err == NULL)
636                 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
637
638         if (!load_config(bio_err, NULL))
639                 goto end;
640
641         if (    ((cbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
642                 ((sbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
643                 ((mbuf=OPENSSL_malloc(BUFSIZZ)) == NULL))
644                 {
645                 BIO_printf(bio_err,"out of memory\n");
646                 goto end;
647                 }
648
649         verify_depth=0;
650         verify_error=X509_V_OK;
651 #ifdef FIONBIO
652         c_nbio=0;
653 #endif
654
655         argc--;
656         argv++;
657         while (argc >= 1)
658                 {
659                 if      (strcmp(*argv,"-host") == 0)
660                         {
661                         if (--argc < 1) goto bad;
662                         host= *(++argv);
663                         }
664                 else if (strcmp(*argv,"-port") == 0)
665                         {
666                         if (--argc < 1) goto bad;
667                         port=atoi(*(++argv));
668                         if (port == 0) goto bad;
669                         }
670                 else if (strcmp(*argv,"-connect") == 0)
671                         {
672                         if (--argc < 1) goto bad;
673                         if (!extract_host_port(*(++argv),&host,NULL,&port))
674                                 goto bad;
675                         }
676                 else if (strcmp(*argv,"-verify") == 0)
677                         {
678                         verify=SSL_VERIFY_PEER;
679                         if (--argc < 1) goto bad;
680                         verify_depth=atoi(*(++argv));
681                         BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
682                         }
683                 else if (strcmp(*argv,"-cert") == 0)
684                         {
685                         if (--argc < 1) goto bad;
686                         cert_file= *(++argv);
687                         }
688                 else if (strcmp(*argv,"-sess_out") == 0)
689                         {
690                         if (--argc < 1) goto bad;
691                         sess_out = *(++argv);
692                         }
693                 else if (strcmp(*argv,"-sess_in") == 0)
694                         {
695                         if (--argc < 1) goto bad;
696                         sess_in = *(++argv);
697                         }
698                 else if (strcmp(*argv,"-certform") == 0)
699                         {
700                         if (--argc < 1) goto bad;
701                         cert_format = str2fmt(*(++argv));
702                         }
703                 else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
704                         {
705                         if (badarg)
706                                 goto bad;
707                         continue;
708                         }
709                 else if (strcmp(*argv,"-verify_return_error") == 0)
710                         verify_return_error = 1;
711                 else if (strcmp(*argv,"-prexit") == 0)
712                         prexit=1;
713                 else if (strcmp(*argv,"-crlf") == 0)
714                         crlf=1;
715                 else if (strcmp(*argv,"-quiet") == 0)
716                         {
717                         c_quiet=1;
718                         c_ign_eof=1;
719                         }
720                 else if (strcmp(*argv,"-ign_eof") == 0)
721                         c_ign_eof=1;
722                 else if (strcmp(*argv,"-no_ign_eof") == 0)
723                         c_ign_eof=0;
724                 else if (strcmp(*argv,"-pause") == 0)
725                         c_Pause=1;
726                 else if (strcmp(*argv,"-debug") == 0)
727                         c_debug=1;
728 #ifndef OPENSSL_NO_TLSEXT
729                 else if (strcmp(*argv,"-tlsextdebug") == 0)
730                         c_tlsextdebug=1;
731                 else if (strcmp(*argv,"-status") == 0)
732                         c_status_req=1;
733 #endif
734 #ifdef WATT32
735                 else if (strcmp(*argv,"-wdebug") == 0)
736                         dbug_init();
737 #endif
738                 else if (strcmp(*argv,"-msg") == 0)
739                         c_msg=1;
740                 else if (strcmp(*argv,"-showcerts") == 0)
741                         c_showcerts=1;
742                 else if (strcmp(*argv,"-nbio_test") == 0)
743                         nbio_test=1;
744                 else if (strcmp(*argv,"-state") == 0)
745                         state=1;
746 #ifndef OPENSSL_NO_PSK
747                 else if (strcmp(*argv,"-psk_identity") == 0)
748                         {
749                         if (--argc < 1) goto bad;
750                         psk_identity=*(++argv);
751                         }
752                 else if (strcmp(*argv,"-psk") == 0)
753                         {
754                         size_t j;
755
756                         if (--argc < 1) goto bad;
757                         psk_key=*(++argv);
758                         for (j = 0; j < strlen(psk_key); j++)
759                                 {
760                                 if (isxdigit((unsigned char)psk_key[j]))
761                                         continue;
762                                 BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
763                                 goto bad;
764                                 }
765                         }
766 #endif
767 #ifndef OPENSSL_NO_SRP
768                 else if (strcmp(*argv,"-srpuser") == 0)
769                         {
770                         if (--argc < 1) goto bad;
771                         srp_arg.srplogin= *(++argv);
772                         meth=TLSv1_client_method();
773                         }
774                 else if (strcmp(*argv,"-srppass") == 0)
775                         {
776                         if (--argc < 1) goto bad;
777                         srppass= *(++argv);
778                         meth=TLSv1_client_method();
779                         }
780                 else if (strcmp(*argv,"-srp_strength") == 0)
781                         {
782                         if (--argc < 1) goto bad;
783                         srp_arg.strength=atoi(*(++argv));
784                         BIO_printf(bio_err,"SRP minimal length for N is %d\n",srp_arg.strength);
785                         meth=TLSv1_client_method();
786                         }
787                 else if (strcmp(*argv,"-srp_lateuser") == 0)
788                         {
789                         srp_lateuser= 1;
790                         meth=TLSv1_client_method();
791                         }
792                 else if (strcmp(*argv,"-srp_moregroups") == 0)
793                         {
794                         srp_arg.amp=1;
795                         meth=TLSv1_client_method();
796                         }
797 #endif
798 #ifndef OPENSSL_NO_SSL2
799                 else if (strcmp(*argv,"-ssl2") == 0)
800                         meth=SSLv2_client_method();
801 #endif
802 #ifndef OPENSSL_NO_SSL3
803                 else if (strcmp(*argv,"-ssl3") == 0)
804                         meth=SSLv3_client_method();
805 #endif
806 #ifndef OPENSSL_NO_TLS1
807                 else if (strcmp(*argv,"-tls1_2") == 0)
808                         meth=TLSv1_2_client_method();
809                 else if (strcmp(*argv,"-tls1_1") == 0)
810                         meth=TLSv1_1_client_method();
811                 else if (strcmp(*argv,"-tls1") == 0)
812                         meth=TLSv1_client_method();
813 #endif
814 #ifndef OPENSSL_NO_DTLS1
815                 else if (strcmp(*argv,"-dtls1") == 0)
816                         {
817                         meth=DTLSv1_client_method();
818                         socket_type=SOCK_DGRAM;
819                         }
820                 else if (strcmp(*argv,"-timeout") == 0)
821                         enable_timeouts=1;
822                 else if (strcmp(*argv,"-mtu") == 0)
823                         {
824                         if (--argc < 1) goto bad;
825                         socket_mtu = atol(*(++argv));
826                         }
827 #endif
828                 else if (strcmp(*argv,"-bugs") == 0)
829                         bugs=1;
830                 else if (strcmp(*argv,"-keyform") == 0)
831                         {
832                         if (--argc < 1) goto bad;
833                         key_format = str2fmt(*(++argv));
834                         }
835                 else if (strcmp(*argv,"-pass") == 0)
836                         {
837                         if (--argc < 1) goto bad;
838                         passarg = *(++argv);
839                         }
840                 else if (strcmp(*argv,"-key") == 0)
841                         {
842                         if (--argc < 1) goto bad;
843                         key_file= *(++argv);
844                         }
845                 else if (strcmp(*argv,"-reconnect") == 0)
846                         {
847                         reconnect=5;
848                         }
849                 else if (strcmp(*argv,"-CApath") == 0)
850                         {
851                         if (--argc < 1) goto bad;
852                         CApath= *(++argv);
853                         }
854                 else if (strcmp(*argv,"-CAfile") == 0)
855                         {
856                         if (--argc < 1) goto bad;
857                         CAfile= *(++argv);
858                         }
859                 else if (strcmp(*argv,"-no_tls1_2") == 0)
860                         off|=SSL_OP_NO_TLSv1_2;
861                 else if (strcmp(*argv,"-no_tls1_1") == 0)
862                         off|=SSL_OP_NO_TLSv1_1;
863                 else if (strcmp(*argv,"-no_tls1") == 0)
864                         off|=SSL_OP_NO_TLSv1;
865                 else if (strcmp(*argv,"-no_ssl3") == 0)
866                         off|=SSL_OP_NO_SSLv3;
867                 else if (strcmp(*argv,"-no_ssl2") == 0)
868                         off|=SSL_OP_NO_SSLv2;
869                 else if (strcmp(*argv,"-no_comp") == 0)
870                         { off|=SSL_OP_NO_COMPRESSION; }
871 #ifndef OPENSSL_NO_TLSEXT
872                 else if (strcmp(*argv,"-no_ticket") == 0)
873                         { off|=SSL_OP_NO_TICKET; }
874 # ifndef OPENSSL_NO_NEXTPROTONEG
875                 else if (strcmp(*argv,"-nextprotoneg") == 0)
876                         {
877                         if (--argc < 1) goto bad;
878                         next_proto_neg_in = *(++argv);
879                         }
880 # endif
881 #endif
882                 else if (strcmp(*argv,"-serverpref") == 0)
883                         off|=SSL_OP_CIPHER_SERVER_PREFERENCE;
884                 else if (strcmp(*argv,"-legacy_renegotiation") == 0)
885                         off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
886                 else if (strcmp(*argv,"-legacy_server_connect") == 0)
887                         { off|=SSL_OP_LEGACY_SERVER_CONNECT; }
888                 else if (strcmp(*argv,"-no_legacy_server_connect") == 0)
889                         { clr|=SSL_OP_LEGACY_SERVER_CONNECT; }
890                 else if (strcmp(*argv,"-cipher") == 0)
891                         {
892                         if (--argc < 1) goto bad;
893                         cipher= *(++argv);
894                         }
895 #ifdef FIONBIO
896                 else if (strcmp(*argv,"-nbio") == 0)
897                         { c_nbio=1; }
898 #endif
899                 else if (strcmp(*argv,"-starttls") == 0)
900                         {
901                         if (--argc < 1) goto bad;
902                         ++argv;
903                         if (strcmp(*argv,"smtp") == 0)
904                                 starttls_proto = PROTO_SMTP;
905                         else if (strcmp(*argv,"pop3") == 0)
906                                 starttls_proto = PROTO_POP3;
907                         else if (strcmp(*argv,"imap") == 0)
908                                 starttls_proto = PROTO_IMAP;
909                         else if (strcmp(*argv,"ftp") == 0)
910                                 starttls_proto = PROTO_FTP;
911                         else if (strcmp(*argv, "xmpp") == 0)
912                                 starttls_proto = PROTO_XMPP;
913                         else
914                                 goto bad;
915                         }
916 #ifndef OPENSSL_NO_ENGINE
917                 else if (strcmp(*argv,"-engine") == 0)
918                         {
919                         if (--argc < 1) goto bad;
920                         engine_id = *(++argv);
921                         }
922                 else if (strcmp(*argv,"-ssl_client_engine") == 0)
923                         {
924                         if (--argc < 1) goto bad;
925                         ssl_client_engine_id = *(++argv);
926                         }
927 #endif
928                 else if (strcmp(*argv,"-rand") == 0)
929                         {
930                         if (--argc < 1) goto bad;
931                         inrand= *(++argv);
932                         }
933 #ifndef OPENSSL_NO_TLSEXT
934                 else if (strcmp(*argv,"-servername") == 0)
935                         {
936                         if (--argc < 1) goto bad;
937                         servername= *(++argv);
938                         /* meth=TLSv1_client_method(); */
939                         }
940 #endif
941 #ifndef OPENSSL_NO_JPAKE
942                 else if (strcmp(*argv,"-jpake") == 0)
943                         {
944                         if (--argc < 1) goto bad;
945                         jpake_secret = *++argv;
946                         }
947 #endif
948                 else if (strcmp(*argv,"-use_srtp") == 0)
949                         {
950                         if (--argc < 1) goto bad;
951                         srtp_profiles = *(++argv);
952                         }
953                 else if (strcmp(*argv,"-keymatexport") == 0)
954                         {
955                         if (--argc < 1) goto bad;
956                         keymatexportlabel= *(++argv);
957                         }
958                 else if (strcmp(*argv,"-keymatexportlen") == 0)
959                         {
960                         if (--argc < 1) goto bad;
961                         keymatexportlen=atoi(*(++argv));
962                         if (keymatexportlen == 0) goto bad;
963                         }
964                 else
965                         {
966                         BIO_printf(bio_err,"unknown option %s\n",*argv);
967                         badop=1;
968                         break;
969                         }
970                 argc--;
971                 argv++;
972                 }
973         if (badop)
974                 {
975 bad:
976                 sc_usage();
977                 goto end;
978                 }
979
980 #if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
981         if (jpake_secret)
982                 {
983                 if (psk_key)
984                         {
985                         BIO_printf(bio_err,
986                                    "Can't use JPAKE and PSK together\n");
987                         goto end;
988                         }
989                 psk_identity = "JPAKE";
990                 if (cipher)
991                         {
992                         BIO_printf(bio_err, "JPAKE sets cipher to PSK\n");
993                         goto end;
994                         }
995                 cipher = "PSK";
996                 }
997 #endif
998
999         OpenSSL_add_ssl_algorithms();
1000         SSL_load_error_strings();
1001
1002 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
1003         next_proto.status = -1;
1004         if (next_proto_neg_in)
1005                 {
1006                 next_proto.data = next_protos_parse(&next_proto.len, next_proto_neg_in);
1007                 if (next_proto.data == NULL)
1008                         {
1009                         BIO_printf(bio_err, "Error parsing -nextprotoneg argument\n");
1010                         goto end;
1011                         }
1012                 }
1013         else
1014                 next_proto.data = NULL;
1015 #endif
1016
1017 #ifndef OPENSSL_NO_ENGINE
1018         e = setup_engine(bio_err, engine_id, 1);
1019         if (ssl_client_engine_id)
1020                 {
1021                 ssl_client_engine = ENGINE_by_id(ssl_client_engine_id);
1022                 if (!ssl_client_engine)
1023                         {
1024                         BIO_printf(bio_err,
1025                                         "Error getting client auth engine\n");
1026                         goto end;
1027                         }
1028                 }
1029
1030 #endif
1031         if (!app_passwd(bio_err, passarg, NULL, &pass, NULL))
1032                 {
1033                 BIO_printf(bio_err, "Error getting password\n");
1034                 goto end;
1035                 }
1036
1037         if (key_file == NULL)
1038                 key_file = cert_file;
1039
1040
1041         if (key_file)
1042
1043                 {
1044
1045                 key = load_key(bio_err, key_file, key_format, 0, pass, e,
1046                                "client certificate private key file");
1047                 if (!key)
1048                         {
1049                         ERR_print_errors(bio_err);
1050                         goto end;
1051                         }
1052
1053                 }
1054
1055         if (cert_file)
1056
1057                 {
1058                 cert = load_cert(bio_err,cert_file,cert_format,
1059                                 NULL, e, "client certificate file");
1060
1061                 if (!cert)
1062                         {
1063                         ERR_print_errors(bio_err);
1064                         goto end;
1065                         }
1066                 }
1067
1068         if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
1069                 && !RAND_status())
1070                 {
1071                 BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
1072                 }
1073         if (inrand != NULL)
1074                 BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
1075                         app_RAND_load_files(inrand));
1076
1077         if (bio_c_out == NULL)
1078                 {
1079                 if (c_quiet && !c_debug && !c_msg)
1080                         {
1081                         bio_c_out=BIO_new(BIO_s_null());
1082                         }
1083                 else
1084                         {
1085                         if (bio_c_out == NULL)
1086                                 bio_c_out=BIO_new_fp(stdout,BIO_NOCLOSE);
1087                         }
1088                 }
1089
1090 #ifndef OPENSSL_NO_SRP
1091         if(!app_passwd(bio_err, srppass, NULL, &srp_arg.srppassin, NULL))
1092                 {
1093                 BIO_printf(bio_err, "Error getting password\n");
1094                 goto end;
1095                 }
1096 #endif
1097
1098         ctx=SSL_CTX_new(meth);
1099         if (ctx == NULL)
1100                 {
1101                 ERR_print_errors(bio_err);
1102                 goto end;
1103                 }
1104
1105         if (vpm)
1106                 SSL_CTX_set1_param(ctx, vpm);
1107
1108 #ifndef OPENSSL_NO_ENGINE
1109         if (ssl_client_engine)
1110                 {
1111                 if (!SSL_CTX_set_client_cert_engine(ctx, ssl_client_engine))
1112                         {
1113                         BIO_puts(bio_err, "Error setting client auth engine\n");
1114                         ERR_print_errors(bio_err);
1115                         ENGINE_free(ssl_client_engine);
1116                         goto end;
1117                         }
1118                 ENGINE_free(ssl_client_engine);
1119                 }
1120 #endif
1121
1122 #ifndef OPENSSL_NO_PSK
1123 #ifdef OPENSSL_NO_JPAKE
1124         if (psk_key != NULL)
1125 #else
1126         if (psk_key != NULL || jpake_secret)
1127 #endif
1128                 {
1129                 if (c_debug)
1130                         BIO_printf(bio_c_out, "PSK key given or JPAKE in use, setting client callback\n");
1131                 SSL_CTX_set_psk_client_callback(ctx, psk_client_cb);
1132                 }
1133         if (srtp_profiles != NULL)
1134                 SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles);
1135 #endif
1136         if (bugs)
1137                 SSL_CTX_set_options(ctx,SSL_OP_ALL|off);
1138         else
1139                 SSL_CTX_set_options(ctx,off);
1140
1141         if (clr)
1142                 SSL_CTX_clear_options(ctx, clr);
1143         /* DTLS: partial reads end up discarding unread UDP bytes :-( 
1144          * Setting read ahead solves this problem.
1145          */
1146         if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
1147
1148 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
1149         if (next_proto.data)
1150                 SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);
1151 #endif
1152
1153         if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
1154         if (cipher != NULL)
1155                 if(!SSL_CTX_set_cipher_list(ctx,cipher)) {
1156                 BIO_printf(bio_err,"error setting cipher list\n");
1157                 ERR_print_errors(bio_err);
1158                 goto end;
1159         }
1160 #if 0
1161         else
1162                 SSL_CTX_set_cipher_list(ctx,getenv("SSL_CIPHER"));
1163 #endif
1164
1165         SSL_CTX_set_verify(ctx,verify,verify_callback);
1166         if (!set_cert_key_stuff(ctx,cert,key))
1167                 goto end;
1168
1169         if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
1170                 (!SSL_CTX_set_default_verify_paths(ctx)))
1171                 {
1172                 /* BIO_printf(bio_err,"error setting default verify locations\n"); */
1173                 ERR_print_errors(bio_err);
1174                 /* goto end; */
1175                 }
1176
1177 #ifndef OPENSSL_NO_TLSEXT
1178         if (servername != NULL)
1179                 {
1180                 tlsextcbp.biodebug = bio_err;
1181                 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
1182                 SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
1183                 }
1184 #ifndef OPENSSL_NO_SRP
1185         if (srp_arg.srplogin)
1186                 {
1187                 if (!srp_lateuser && !SSL_CTX_set_srp_username(ctx, srp_arg.srplogin))
1188                         {
1189                         BIO_printf(bio_err,"Unable to set SRP username\n");
1190                         goto end;
1191                         }
1192                 srp_arg.msg = c_msg;
1193                 srp_arg.debug = c_debug ;
1194                 SSL_CTX_set_srp_cb_arg(ctx,&srp_arg);
1195                 SSL_CTX_set_srp_client_pwd_callback(ctx, ssl_give_srp_client_pwd_cb);
1196                 SSL_CTX_set_srp_strength(ctx, srp_arg.strength);
1197                 if (c_msg || c_debug || srp_arg.amp == 0)
1198                         SSL_CTX_set_srp_verify_param_callback(ctx, ssl_srp_verify_param_cb);
1199                 }
1200
1201 #endif
1202 #endif
1203
1204         con=SSL_new(ctx);
1205         if (sess_in)
1206                 {
1207                 SSL_SESSION *sess;
1208                 BIO *stmp = BIO_new_file(sess_in, "r");
1209                 if (!stmp)
1210                         {
1211                         BIO_printf(bio_err, "Can't open session file %s\n",
1212                                                 sess_in);
1213                         ERR_print_errors(bio_err);
1214                         goto end;
1215                         }
1216                 sess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL);
1217                 BIO_free(stmp);
1218                 if (!sess)
1219                         {
1220                         BIO_printf(bio_err, "Can't open session file %s\n",
1221                                                 sess_in);
1222                         ERR_print_errors(bio_err);
1223                         goto end;
1224                         }
1225                 SSL_set_session(con, sess);
1226                 SSL_SESSION_free(sess);
1227                 }
1228 #ifndef OPENSSL_NO_TLSEXT
1229         if (servername != NULL)
1230                 {
1231                 if (!SSL_set_tlsext_host_name(con,servername))
1232                         {
1233                         BIO_printf(bio_err,"Unable to set TLS servername extension.\n");
1234                         ERR_print_errors(bio_err);
1235                         goto end;
1236                         }
1237                 }
1238 #endif
1239 #ifndef OPENSSL_NO_KRB5
1240         if (con  &&  (kctx = kssl_ctx_new()) != NULL)
1241                 {
1242                 SSL_set0_kssl_ctx(con, kctx);
1243                 kssl_ctx_setstring(kctx, KSSL_SERVER, host);
1244                 }
1245 #endif  /* OPENSSL_NO_KRB5  */
1246 /*      SSL_set_cipher_list(con,"RC4-MD5"); */
1247 #if 0
1248 #ifdef TLSEXT_TYPE_opaque_prf_input
1249         SSL_set_tlsext_opaque_prf_input(con, "Test client", 11);
1250 #endif
1251 #endif
1252
1253 re_start:
1254
1255         if (init_client(&s,host,port,socket_type) == 0)
1256                 {
1257                 BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
1258                 SHUTDOWN(s);
1259                 goto end;
1260                 }
1261         BIO_printf(bio_c_out,"CONNECTED(%08X)\n",s);
1262
1263 #ifdef FIONBIO
1264         if (c_nbio)
1265                 {
1266                 unsigned long l=1;
1267                 BIO_printf(bio_c_out,"turning on non blocking io\n");
1268                 if (BIO_socket_ioctl(s,FIONBIO,&l) < 0)
1269                         {
1270                         ERR_print_errors(bio_err);
1271                         goto end;
1272                         }
1273                 }
1274 #endif                                              
1275         if (c_Pause & 0x01) SSL_set_debug(con, 1);
1276
1277         if ( SSL_version(con) == DTLS1_VERSION)
1278                 {
1279
1280                 sbio=BIO_new_dgram(s,BIO_NOCLOSE);
1281                 if (getsockname(s, &peer, (void *)&peerlen) < 0)
1282                         {
1283                         BIO_printf(bio_err, "getsockname:errno=%d\n",
1284                                 get_last_socket_error());
1285                         SHUTDOWN(s);
1286                         goto end;
1287                         }
1288
1289                 (void)BIO_ctrl_set_connected(sbio, 1, &peer);
1290
1291                 if (enable_timeouts)
1292                         {
1293                         timeout.tv_sec = 0;
1294                         timeout.tv_usec = DGRAM_RCV_TIMEOUT;
1295                         BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
1296                         
1297                         timeout.tv_sec = 0;
1298                         timeout.tv_usec = DGRAM_SND_TIMEOUT;
1299                         BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
1300                         }
1301
1302                 if (socket_mtu > 28)
1303                         {
1304                         SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
1305                         SSL_set_mtu(con, socket_mtu - 28);
1306                         }
1307                 else
1308                         /* want to do MTU discovery */
1309                         BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
1310                 }
1311         else
1312                 sbio=BIO_new_socket(s,BIO_NOCLOSE);
1313
1314         if (nbio_test)
1315                 {
1316                 BIO *test;
1317
1318                 test=BIO_new(BIO_f_nbio_test());
1319                 sbio=BIO_push(test,sbio);
1320                 }
1321
1322         if (c_debug)
1323                 {
1324                 SSL_set_debug(con, 1);
1325                 BIO_set_callback(sbio,bio_dump_callback);
1326                 BIO_set_callback_arg(sbio,(char *)bio_c_out);
1327                 }
1328         if (c_msg)
1329                 {
1330                 SSL_set_msg_callback(con, msg_cb);
1331                 SSL_set_msg_callback_arg(con, bio_c_out);
1332                 }
1333 #ifndef OPENSSL_NO_TLSEXT
1334         if (c_tlsextdebug)
1335                 {
1336                 SSL_set_tlsext_debug_callback(con, tlsext_cb);
1337                 SSL_set_tlsext_debug_arg(con, bio_c_out);
1338                 }
1339         if (c_status_req)
1340                 {
1341                 SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp);
1342                 SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb);
1343                 SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out);
1344 #if 0
1345 {
1346 STACK_OF(OCSP_RESPID) *ids = sk_OCSP_RESPID_new_null();
1347 OCSP_RESPID *id = OCSP_RESPID_new();
1348 id->value.byKey = ASN1_OCTET_STRING_new();
1349 id->type = V_OCSP_RESPID_KEY;
1350 ASN1_STRING_set(id->value.byKey, "Hello World", -1);
1351 sk_OCSP_RESPID_push(ids, id);
1352 SSL_set_tlsext_status_ids(con, ids);
1353 }
1354 #endif
1355                 }
1356 #endif
1357 #ifndef OPENSSL_NO_JPAKE
1358         if (jpake_secret)
1359                 jpake_client_auth(bio_c_out, sbio, jpake_secret);
1360 #endif
1361
1362         SSL_set_bio(con,sbio,sbio);
1363         SSL_set_connect_state(con);
1364
1365         /* ok, lets connect */
1366         width=SSL_get_fd(con)+1;
1367
1368         read_tty=1;
1369         write_tty=0;
1370         tty_on=0;
1371         read_ssl=1;
1372         write_ssl=1;
1373         
1374         cbuf_len=0;
1375         cbuf_off=0;
1376         sbuf_len=0;
1377         sbuf_off=0;
1378
1379         /* This is an ugly hack that does a lot of assumptions */
1380         /* We do have to handle multi-line responses which may come
1381            in a single packet or not. We therefore have to use
1382            BIO_gets() which does need a buffering BIO. So during
1383            the initial chitchat we do push a buffering BIO into the
1384            chain that is removed again later on to not disturb the
1385            rest of the s_client operation. */
1386         if (starttls_proto == PROTO_SMTP)
1387                 {
1388                 int foundit=0;
1389                 BIO *fbio = BIO_new(BIO_f_buffer());
1390                 BIO_push(fbio, sbio);
1391                 /* wait for multi-line response to end from SMTP */
1392                 do
1393                         {
1394                         mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1395                         }
1396                 while (mbuf_len>3 && mbuf[3]=='-');
1397                 /* STARTTLS command requires EHLO... */
1398                 BIO_printf(fbio,"EHLO openssl.client.net\r\n");
1399                 (void)BIO_flush(fbio);
1400                 /* wait for multi-line response to end EHLO SMTP response */
1401                 do
1402                         {
1403                         mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1404                         if (strstr(mbuf,"STARTTLS"))
1405                                 foundit=1;
1406                         }
1407                 while (mbuf_len>3 && mbuf[3]=='-');
1408                 (void)BIO_flush(fbio);
1409                 BIO_pop(fbio);
1410                 BIO_free(fbio);
1411                 if (!foundit)
1412                         BIO_printf(bio_err,
1413                                    "didn't found starttls in server response,"
1414                                    " try anyway...\n");
1415                 BIO_printf(sbio,"STARTTLS\r\n");
1416                 BIO_read(sbio,sbuf,BUFSIZZ);
1417                 }
1418         else if (starttls_proto == PROTO_POP3)
1419                 {
1420                 BIO_read(sbio,mbuf,BUFSIZZ);
1421                 BIO_printf(sbio,"STLS\r\n");
1422                 BIO_read(sbio,sbuf,BUFSIZZ);
1423                 }
1424         else if (starttls_proto == PROTO_IMAP)
1425                 {
1426                 int foundit=0;
1427                 BIO *fbio = BIO_new(BIO_f_buffer());
1428                 BIO_push(fbio, sbio);
1429                 BIO_gets(fbio,mbuf,BUFSIZZ);
1430                 /* STARTTLS command requires CAPABILITY... */
1431                 BIO_printf(fbio,". CAPABILITY\r\n");
1432                 (void)BIO_flush(fbio);
1433                 /* wait for multi-line CAPABILITY response */
1434                 do
1435                         {
1436                         mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1437                         if (strstr(mbuf,"STARTTLS"))
1438                                 foundit=1;
1439                         }
1440                 while (mbuf_len>3 && mbuf[0]!='.');
1441                 (void)BIO_flush(fbio);
1442                 BIO_pop(fbio);
1443                 BIO_free(fbio);
1444                 if (!foundit)
1445                         BIO_printf(bio_err,
1446                                    "didn't found STARTTLS in server response,"
1447                                    " try anyway...\n");
1448                 BIO_printf(sbio,". STARTTLS\r\n");
1449                 BIO_read(sbio,sbuf,BUFSIZZ);
1450                 }
1451         else if (starttls_proto == PROTO_FTP)
1452                 {
1453                 BIO *fbio = BIO_new(BIO_f_buffer());
1454                 BIO_push(fbio, sbio);
1455                 /* wait for multi-line response to end from FTP */
1456                 do
1457                         {
1458                         mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1459                         }
1460                 while (mbuf_len>3 && mbuf[3]=='-');
1461                 (void)BIO_flush(fbio);
1462                 BIO_pop(fbio);
1463                 BIO_free(fbio);
1464                 BIO_printf(sbio,"AUTH TLS\r\n");
1465                 BIO_read(sbio,sbuf,BUFSIZZ);
1466                 }
1467         if (starttls_proto == PROTO_XMPP)
1468                 {
1469                 int seen = 0;
1470                 BIO_printf(sbio,"<stream:stream "
1471                     "xmlns:stream='http://etherx.jabber.org/streams' "
1472                     "xmlns='jabber:client' to='%s' version='1.0'>", host);
1473                 seen = BIO_read(sbio,mbuf,BUFSIZZ);
1474                 mbuf[seen] = 0;
1475                 while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'"))
1476                         {
1477                         if (strstr(mbuf, "/stream:features>"))
1478                                 goto shut;
1479                         seen = BIO_read(sbio,mbuf,BUFSIZZ);
1480                         mbuf[seen] = 0;
1481                         }
1482                 BIO_printf(sbio, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>");
1483                 seen = BIO_read(sbio,sbuf,BUFSIZZ);
1484                 sbuf[seen] = 0;
1485                 if (!strstr(sbuf, "<proceed"))
1486                         goto shut;
1487                 mbuf[0] = 0;
1488                 }
1489
1490         for (;;)
1491                 {
1492                 FD_ZERO(&readfds);
1493                 FD_ZERO(&writefds);
1494
1495                 if ((SSL_version(con) == DTLS1_VERSION) &&
1496                         DTLSv1_get_timeout(con, &timeout))
1497                         timeoutp = &timeout;
1498                 else
1499                         timeoutp = NULL;
1500
1501                 if (SSL_in_init(con) && !SSL_total_renegotiations(con))
1502                         {
1503                         in_init=1;
1504                         tty_on=0;
1505                         }
1506                 else
1507                         {
1508                         tty_on=1;
1509                         if (in_init)
1510                                 {
1511                                 in_init=0;
1512 #if 0 /* This test doesn't really work as intended (needs to be fixed) */
1513 #ifndef OPENSSL_NO_TLSEXT
1514                                 if (servername != NULL && !SSL_session_reused(con))
1515                                         {
1516                                         BIO_printf(bio_c_out,"Server did %sacknowledge servername extension.\n",tlsextcbp.ack?"":"not ");
1517                                         }
1518 #endif
1519 #endif
1520                                 if (sess_out)
1521                                         {
1522                                         BIO *stmp = BIO_new_file(sess_out, "w");
1523                                         if (stmp)
1524                                                 {
1525                                                 PEM_write_bio_SSL_SESSION(stmp, SSL_get_session(con));
1526                                                 BIO_free(stmp);
1527                                                 }
1528                                         else 
1529                                                 BIO_printf(bio_err, "Error writing session file %s\n", sess_out);
1530                                         }
1531                                 print_stuff(bio_c_out,con,full_log);
1532                                 if (full_log > 0) full_log--;
1533
1534                                 if (starttls_proto)
1535                                         {
1536                                         BIO_printf(bio_err,"%s",mbuf);
1537                                         /* We don't need to know any more */
1538                                         starttls_proto = PROTO_OFF;
1539                                         }
1540
1541                                 if (reconnect)
1542                                         {
1543                                         reconnect--;
1544                                         BIO_printf(bio_c_out,"drop connection and then reconnect\n");
1545                                         SSL_shutdown(con);
1546                                         SSL_set_connect_state(con);
1547                                         SHUTDOWN(SSL_get_fd(con));
1548                                         goto re_start;
1549                                         }
1550                                 }
1551                         }
1552
1553                 ssl_pending = read_ssl && SSL_pending(con);
1554
1555                 if (!ssl_pending)
1556                         {
1557 #if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) && !defined (OPENSSL_SYS_BEOS_R5)
1558                         if (tty_on)
1559                                 {
1560                                 if (read_tty)  openssl_fdset(fileno(stdin),&readfds);
1561                                 if (write_tty) openssl_fdset(fileno(stdout),&writefds);
1562                                 }
1563                         if (read_ssl)
1564                                 openssl_fdset(SSL_get_fd(con),&readfds);
1565                         if (write_ssl)
1566                                 openssl_fdset(SSL_get_fd(con),&writefds);
1567 #else
1568                         if(!tty_on || !write_tty) {
1569                                 if (read_ssl)
1570                                         openssl_fdset(SSL_get_fd(con),&readfds);
1571                                 if (write_ssl)
1572                                         openssl_fdset(SSL_get_fd(con),&writefds);
1573                         }
1574 #endif
1575 /*                      printf("mode tty(%d %d%d) ssl(%d%d)\n",
1576                                 tty_on,read_tty,write_tty,read_ssl,write_ssl);*/
1577
1578                         /* Note: under VMS with SOCKETSHR the second parameter
1579                          * is currently of type (int *) whereas under other
1580                          * systems it is (void *) if you don't have a cast it
1581                          * will choke the compiler: if you do have a cast then
1582                          * you can either go for (int *) or (void *).
1583                          */
1584 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
1585                         /* Under Windows/DOS we make the assumption that we can
1586                          * always write to the tty: therefore if we need to
1587                          * write to the tty we just fall through. Otherwise
1588                          * we timeout the select every second and see if there
1589                          * are any keypresses. Note: this is a hack, in a proper
1590                          * Windows application we wouldn't do this.
1591                          */
1592                         i=0;
1593                         if(!write_tty) {
1594                                 if(read_tty) {
1595                                         tv.tv_sec = 1;
1596                                         tv.tv_usec = 0;
1597                                         i=select(width,(void *)&readfds,(void *)&writefds,
1598                                                  NULL,&tv);
1599 #if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
1600                                         if(!i && (!_kbhit() || !read_tty) ) continue;
1601 #else
1602                                         if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue;
1603 #endif
1604                                 } else  i=select(width,(void *)&readfds,(void *)&writefds,
1605                                          NULL,timeoutp);
1606                         }
1607 #elif defined(OPENSSL_SYS_NETWARE)
1608                         if(!write_tty) {
1609                                 if(read_tty) {
1610                                         tv.tv_sec = 1;
1611                                         tv.tv_usec = 0;
1612                                         i=select(width,(void *)&readfds,(void *)&writefds,
1613                                                 NULL,&tv);
1614                                 } else  i=select(width,(void *)&readfds,(void *)&writefds,
1615                                         NULL,timeoutp);
1616                         }
1617 #elif defined(OPENSSL_SYS_BEOS_R5)
1618                         /* Under BeOS-R5 the situation is similar to DOS */
1619                         i=0;
1620                         stdin_set = 0;
1621                         (void)fcntl(fileno(stdin), F_SETFL, O_NONBLOCK);
1622                         if(!write_tty) {
1623                                 if(read_tty) {
1624                                         tv.tv_sec = 1;
1625                                         tv.tv_usec = 0;
1626                                         i=select(width,(void *)&readfds,(void *)&writefds,
1627                                                  NULL,&tv);
1628                                         if (read(fileno(stdin), sbuf, 0) >= 0)
1629                                                 stdin_set = 1;
1630                                         if (!i && (stdin_set != 1 || !read_tty))
1631                                                 continue;
1632                                 } else  i=select(width,(void *)&readfds,(void *)&writefds,
1633                                          NULL,timeoutp);
1634                         }
1635                         (void)fcntl(fileno(stdin), F_SETFL, 0);
1636 #else
1637                         i=select(width,(void *)&readfds,(void *)&writefds,
1638                                  NULL,timeoutp);
1639 #endif
1640                         if ( i < 0)
1641                                 {
1642                                 BIO_printf(bio_err,"bad select %d\n",
1643                                 get_last_socket_error());
1644                                 goto shut;
1645                                 /* goto end; */
1646                                 }
1647                         }
1648
1649                 if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0)
1650                         {
1651                         BIO_printf(bio_err,"TIMEOUT occured\n");
1652                         }
1653
1654                 if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds))
1655                         {
1656                         k=SSL_write(con,&(cbuf[cbuf_off]),
1657                                 (unsigned int)cbuf_len);
1658                         switch (SSL_get_error(con,k))
1659                                 {
1660                         case SSL_ERROR_NONE:
1661                                 cbuf_off+=k;
1662                                 cbuf_len-=k;
1663                                 if (k <= 0) goto end;
1664                                 /* we have done a  write(con,NULL,0); */
1665                                 if (cbuf_len <= 0)
1666                                         {
1667                                         read_tty=1;
1668                                         write_ssl=0;
1669                                         }
1670                                 else /* if (cbuf_len > 0) */
1671                                         {
1672                                         read_tty=0;
1673                                         write_ssl=1;
1674                                         }
1675                                 break;
1676                         case SSL_ERROR_WANT_WRITE:
1677                                 BIO_printf(bio_c_out,"write W BLOCK\n");
1678                                 write_ssl=1;
1679                                 read_tty=0;
1680                                 break;
1681                         case SSL_ERROR_WANT_READ:
1682                                 BIO_printf(bio_c_out,"write R BLOCK\n");
1683                                 write_tty=0;
1684                                 read_ssl=1;
1685                                 write_ssl=0;
1686                                 break;
1687                         case SSL_ERROR_WANT_X509_LOOKUP:
1688                                 BIO_printf(bio_c_out,"write X BLOCK\n");
1689                                 break;
1690                         case SSL_ERROR_ZERO_RETURN:
1691                                 if (cbuf_len != 0)
1692                                         {
1693                                         BIO_printf(bio_c_out,"shutdown\n");
1694                                         ret = 0;
1695                                         goto shut;
1696                                         }
1697                                 else
1698                                         {
1699                                         read_tty=1;
1700                                         write_ssl=0;
1701                                         break;
1702                                         }
1703                                 
1704                         case SSL_ERROR_SYSCALL:
1705                                 if ((k != 0) || (cbuf_len != 0))
1706                                         {
1707                                         BIO_printf(bio_err,"write:errno=%d\n",
1708                                                 get_last_socket_error());
1709                                         goto shut;
1710                                         }
1711                                 else
1712                                         {
1713                                         read_tty=1;
1714                                         write_ssl=0;
1715                                         }
1716                                 break;
1717                         case SSL_ERROR_SSL:
1718                                 ERR_print_errors(bio_err);
1719                                 goto shut;
1720                                 }
1721                         }
1722 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
1723                 /* Assume Windows/DOS/BeOS can always write */
1724                 else if (!ssl_pending && write_tty)
1725 #else
1726                 else if (!ssl_pending && FD_ISSET(fileno(stdout),&writefds))
1727 #endif
1728                         {
1729 #ifdef CHARSET_EBCDIC
1730                         ascii2ebcdic(&(sbuf[sbuf_off]),&(sbuf[sbuf_off]),sbuf_len);
1731 #endif
1732                         i=raw_write_stdout(&(sbuf[sbuf_off]),sbuf_len);
1733
1734                         if (i <= 0)
1735                                 {
1736                                 BIO_printf(bio_c_out,"DONE\n");
1737                                 ret = 0;
1738                                 goto shut;
1739                                 /* goto end; */
1740                                 }
1741
1742                         sbuf_len-=i;;
1743                         sbuf_off+=i;
1744                         if (sbuf_len <= 0)
1745                                 {
1746                                 read_ssl=1;
1747                                 write_tty=0;
1748                                 }
1749                         }
1750                 else if (ssl_pending || FD_ISSET(SSL_get_fd(con),&readfds))
1751                         {
1752 #ifdef RENEG
1753 { static int iiii; if (++iiii == 52) { SSL_renegotiate(con); iiii=0; } }
1754 #endif
1755 #if 1
1756                         k=SSL_read(con,sbuf,1024 /* BUFSIZZ */ );
1757 #else
1758 /* Demo for pending and peek :-) */
1759                         k=SSL_read(con,sbuf,16);
1760 { char zbuf[10240]; 
1761 printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240));
1762 }
1763 #endif
1764
1765                         switch (SSL_get_error(con,k))
1766                                 {
1767                         case SSL_ERROR_NONE:
1768                                 if (k <= 0)
1769                                         goto end;
1770                                 sbuf_off=0;
1771                                 sbuf_len=k;
1772
1773                                 read_ssl=0;
1774                                 write_tty=1;
1775                                 break;
1776                         case SSL_ERROR_WANT_WRITE:
1777                                 BIO_printf(bio_c_out,"read W BLOCK\n");
1778                                 write_ssl=1;
1779                                 read_tty=0;
1780                                 break;
1781                         case SSL_ERROR_WANT_READ:
1782                                 BIO_printf(bio_c_out,"read R BLOCK\n");
1783                                 write_tty=0;
1784                                 read_ssl=1;
1785                                 if ((read_tty == 0) && (write_ssl == 0))
1786                                         write_ssl=1;
1787                                 break;
1788                         case SSL_ERROR_WANT_X509_LOOKUP:
1789                                 BIO_printf(bio_c_out,"read X BLOCK\n");
1790                                 break;
1791                         case SSL_ERROR_SYSCALL:
1792                                 ret=get_last_socket_error();
1793                                 BIO_printf(bio_err,"read:errno=%d\n",ret);
1794                                 goto shut;
1795                         case SSL_ERROR_ZERO_RETURN:
1796                                 BIO_printf(bio_c_out,"closed\n");
1797                                 ret=0;
1798                                 goto shut;
1799                         case SSL_ERROR_SSL:
1800                                 ERR_print_errors(bio_err);
1801                                 goto shut;
1802                                 /* break; */
1803                                 }
1804                         }
1805
1806 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
1807 #if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
1808                 else if (_kbhit())
1809 #else
1810                 else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
1811 #endif
1812 #elif defined (OPENSSL_SYS_NETWARE)
1813                 else if (_kbhit())
1814 #elif defined(OPENSSL_SYS_BEOS_R5)
1815                 else if (stdin_set)
1816 #else
1817                 else if (FD_ISSET(fileno(stdin),&readfds))
1818 #endif
1819                         {
1820                         if (crlf)
1821                                 {
1822                                 int j, lf_num;
1823
1824                                 i=raw_read_stdin(cbuf,BUFSIZZ/2);
1825                                 lf_num = 0;
1826                                 /* both loops are skipped when i <= 0 */
1827                                 for (j = 0; j < i; j++)
1828                                         if (cbuf[j] == '\n')
1829                                                 lf_num++;
1830                                 for (j = i-1; j >= 0; j--)
1831                                         {
1832                                         cbuf[j+lf_num] = cbuf[j];
1833                                         if (cbuf[j] == '\n')
1834                                                 {
1835                                                 lf_num--;
1836                                                 i++;
1837                                                 cbuf[j+lf_num] = '\r';
1838                                                 }
1839                                         }
1840                                 assert(lf_num == 0);
1841                                 }
1842                         else
1843                                 i=raw_read_stdin(cbuf,BUFSIZZ);
1844
1845                         if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q')))
1846                                 {
1847                                 BIO_printf(bio_err,"DONE\n");
1848                                 ret=0;
1849                                 goto shut;
1850                                 }
1851
1852                         if ((!c_ign_eof) && (cbuf[0] == 'R'))
1853                                 {
1854                                 BIO_printf(bio_err,"RENEGOTIATING\n");
1855                                 SSL_renegotiate(con);
1856                                 cbuf_len=0;
1857                                 }
1858 #ifndef OPENSSL_NO_HEARTBEATS
1859                         else if ((!c_ign_eof) && (cbuf[0] == 'B'))
1860                                 {
1861                                 BIO_printf(bio_err,"HEARTBEATING\n");
1862                                 SSL_heartbeat(con);
1863                                 cbuf_len=0;
1864                                 }
1865 #endif
1866                         else
1867                                 {
1868                                 cbuf_len=i;
1869                                 cbuf_off=0;
1870 #ifdef CHARSET_EBCDIC
1871                                 ebcdic2ascii(cbuf, cbuf, i);
1872 #endif
1873                                 }
1874
1875                         write_ssl=1;
1876                         read_tty=0;
1877                         }
1878                 }
1879
1880         ret=0;
1881 shut:
1882         if (in_init)
1883                 print_stuff(bio_c_out,con,full_log);
1884         SSL_shutdown(con);
1885         SHUTDOWN(SSL_get_fd(con));
1886 end:
1887         if (con != NULL)
1888                 {
1889                 if (prexit != 0)
1890                         print_stuff(bio_c_out,con,1);
1891                 SSL_free(con);
1892                 }
1893         if (ctx != NULL) SSL_CTX_free(ctx);
1894         if (cert)
1895                 X509_free(cert);
1896         if (key)
1897                 EVP_PKEY_free(key);
1898         if (pass)
1899                 OPENSSL_free(pass);
1900         if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); }
1901         if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); }
1902         if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); }
1903         if (bio_c_out != NULL)
1904                 {
1905                 BIO_free(bio_c_out);
1906                 bio_c_out=NULL;
1907                 }
1908         apps_shutdown();
1909         OPENSSL_EXIT(ret);
1910         }
1911
1912
1913 static void print_stuff(BIO *bio, SSL *s, int full)
1914         {
1915         X509 *peer=NULL;
1916         char *p;
1917         static const char *space="                ";
1918         char buf[BUFSIZ];
1919         STACK_OF(X509) *sk;
1920         STACK_OF(X509_NAME) *sk2;
1921         const SSL_CIPHER *c;
1922         X509_NAME *xn;
1923         int j,i;
1924 #ifndef OPENSSL_NO_COMP
1925         const COMP_METHOD *comp, *expansion;
1926 #endif
1927         unsigned char *exportedkeymat;
1928
1929         if (full)
1930                 {
1931                 int got_a_chain = 0;
1932
1933                 sk=SSL_get_peer_cert_chain(s);
1934                 if (sk != NULL)
1935                         {
1936                         got_a_chain = 1; /* we don't have it for SSL2 (yet) */
1937
1938                         BIO_printf(bio,"---\nCertificate chain\n");
1939                         for (i=0; i<sk_X509_num(sk); i++)
1940                                 {
1941                                 X509_NAME_oneline(X509_get_subject_name(
1942                                         sk_X509_value(sk,i)),buf,sizeof buf);
1943                                 BIO_printf(bio,"%2d s:%s\n",i,buf);
1944                                 X509_NAME_oneline(X509_get_issuer_name(
1945                                         sk_X509_value(sk,i)),buf,sizeof buf);
1946                                 BIO_printf(bio,"   i:%s\n",buf);
1947                                 if (c_showcerts)
1948                                         PEM_write_bio_X509(bio,sk_X509_value(sk,i));
1949                                 }
1950                         }
1951
1952                 BIO_printf(bio,"---\n");
1953                 peer=SSL_get_peer_certificate(s);
1954                 if (peer != NULL)
1955                         {
1956                         BIO_printf(bio,"Server certificate\n");
1957                         if (!(c_showcerts && got_a_chain)) /* Redundant if we showed the whole chain */
1958                                 PEM_write_bio_X509(bio,peer);
1959                         X509_NAME_oneline(X509_get_subject_name(peer),
1960                                 buf,sizeof buf);
1961                         BIO_printf(bio,"subject=%s\n",buf);
1962                         X509_NAME_oneline(X509_get_issuer_name(peer),
1963                                 buf,sizeof buf);
1964                         BIO_printf(bio,"issuer=%s\n",buf);
1965                         }
1966                 else
1967                         BIO_printf(bio,"no peer certificate available\n");
1968
1969                 sk2=SSL_get_client_CA_list(s);
1970                 if ((sk2 != NULL) && (sk_X509_NAME_num(sk2) > 0))
1971                         {
1972                         BIO_printf(bio,"---\nAcceptable client certificate CA names\n");
1973                         for (i=0; i<sk_X509_NAME_num(sk2); i++)
1974                                 {
1975                                 xn=sk_X509_NAME_value(sk2,i);
1976                                 X509_NAME_oneline(xn,buf,sizeof(buf));
1977                                 BIO_write(bio,buf,strlen(buf));
1978                                 BIO_write(bio,"\n",1);
1979                                 }
1980                         }
1981                 else
1982                         {
1983                         BIO_printf(bio,"---\nNo client certificate CA names sent\n");
1984                         }
1985                 p=SSL_get_shared_ciphers(s,buf,sizeof buf);
1986                 if (p != NULL)
1987                         {
1988                         /* This works only for SSL 2.  In later protocol
1989                          * versions, the client does not know what other
1990                          * ciphers (in addition to the one to be used
1991                          * in the current connection) the server supports. */
1992
1993                         BIO_printf(bio,"---\nCiphers common between both SSL endpoints:\n");
1994                         j=i=0;
1995                         while (*p)
1996                                 {
1997                                 if (*p == ':')
1998                                         {
1999                                         BIO_write(bio,space,15-j%25);
2000                                         i++;
2001                                         j=0;
2002                                         BIO_write(bio,((i%3)?" ":"\n"),1);
2003                                         }
2004                                 else
2005                                         {
2006                                         BIO_write(bio,p,1);
2007                                         j++;
2008                                         }
2009                                 p++;
2010                                 }
2011                         BIO_write(bio,"\n",1);
2012                         }
2013
2014                 BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n",
2015                         BIO_number_read(SSL_get_rbio(s)),
2016                         BIO_number_written(SSL_get_wbio(s)));
2017                 }
2018         BIO_printf(bio,(SSL_cache_hit(s)?"---\nReused, ":"---\nNew, "));
2019         c=SSL_get_current_cipher(s);
2020         BIO_printf(bio,"%s, Cipher is %s\n",
2021                 SSL_CIPHER_get_version(c),
2022                 SSL_CIPHER_get_name(c));
2023         if (peer != NULL) {
2024                 EVP_PKEY *pktmp;
2025                 pktmp = X509_get_pubkey(peer);
2026                 BIO_printf(bio,"Server public key is %d bit\n",
2027                                                          EVP_PKEY_bits(pktmp));
2028                 EVP_PKEY_free(pktmp);
2029         }
2030         BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
2031                         SSL_get_secure_renegotiation_support(s) ? "" : " NOT");
2032 #ifndef OPENSSL_NO_COMP
2033         comp=SSL_get_current_compression(s);
2034         expansion=SSL_get_current_expansion(s);
2035         BIO_printf(bio,"Compression: %s\n",
2036                 comp ? SSL_COMP_get_name(comp) : "NONE");
2037         BIO_printf(bio,"Expansion: %s\n",
2038                 expansion ? SSL_COMP_get_name(expansion) : "NONE");
2039 #endif
2040  
2041 #ifdef SSL_DEBUG
2042         {
2043         /* Print out local port of connection: useful for debugging */
2044         int sock;
2045         struct sockaddr_in ladd;
2046         socklen_t ladd_size = sizeof(ladd);
2047         sock = SSL_get_fd(s);
2048         getsockname(sock, (struct sockaddr *)&ladd, &ladd_size);
2049         BIO_printf(bio_c_out, "LOCAL PORT is %u\n", ntohs(ladd.sin_port));
2050         }
2051 #endif
2052
2053 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
2054         if (next_proto.status != -1) {
2055                 const unsigned char *proto;
2056                 unsigned int proto_len;
2057                 SSL_get0_next_proto_negotiated(s, &proto, &proto_len);
2058                 BIO_printf(bio, "Next protocol: (%d) ", next_proto.status);
2059                 BIO_write(bio, proto, proto_len);
2060                 BIO_write(bio, "\n", 1);
2061         }
2062 #endif
2063
2064         {
2065         SRTP_PROTECTION_PROFILE *srtp_profile=SSL_get_selected_srtp_profile(s);
2066  
2067         if(srtp_profile)
2068                 BIO_printf(bio,"SRTP Extension negotiated, profile=%s\n",
2069                            srtp_profile->name);
2070         }
2071  
2072         SSL_SESSION_print(bio,SSL_get_session(s));
2073         if (keymatexportlabel != NULL)
2074                 {
2075                 BIO_printf(bio, "Keying material exporter:\n");
2076                 BIO_printf(bio, "    Label: '%s'\n", keymatexportlabel);
2077                 BIO_printf(bio, "    Length: %i bytes\n", keymatexportlen);
2078                 exportedkeymat = OPENSSL_malloc(keymatexportlen);
2079                 if (exportedkeymat != NULL)
2080                         {
2081                         if (!SSL_export_keying_material(s, exportedkeymat,
2082                                                         keymatexportlen,
2083                                                         keymatexportlabel,
2084                                                         strlen(keymatexportlabel),
2085                                                         NULL, 0, 0))
2086                                 {
2087                                 BIO_printf(bio, "    Error\n");
2088                                 }
2089                         else
2090                                 {
2091                                 BIO_printf(bio, "    Keying material: ");
2092                                 for (i=0; i<keymatexportlen; i++)
2093                                         BIO_printf(bio, "%02X",
2094                                                    exportedkeymat[i]);
2095                                 BIO_printf(bio, "\n");
2096                                 }
2097                         OPENSSL_free(exportedkeymat);
2098                         }
2099                 }
2100         BIO_printf(bio,"---\n");
2101         if (peer != NULL)
2102                 X509_free(peer);
2103         /* flush, or debugging output gets mixed with http response */
2104         (void)BIO_flush(bio);
2105         }
2106
2107 #ifndef OPENSSL_NO_TLSEXT
2108
2109 static int ocsp_resp_cb(SSL *s, void *arg)
2110         {
2111         const unsigned char *p;
2112         int len;
2113         OCSP_RESPONSE *rsp;
2114         len = SSL_get_tlsext_status_ocsp_resp(s, &p);
2115         BIO_puts(arg, "OCSP response: ");
2116         if (!p)
2117                 {
2118                 BIO_puts(arg, "no response sent\n");
2119                 return 1;
2120                 }
2121         rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
2122         if (!rsp)
2123                 {
2124                 BIO_puts(arg, "response parse error\n");
2125                 BIO_dump_indent(arg, (char *)p, len, 4);
2126                 return 0;
2127                 }
2128         BIO_puts(arg, "\n======================================\n");
2129         OCSP_RESPONSE_print(arg, rsp, 0);
2130         BIO_puts(arg, "======================================\n");
2131         OCSP_RESPONSE_free(rsp);
2132         return 1;
2133         }
2134
2135 #endif