OpenSSL  1.0.1c
 All Classes Files Functions Variables Typedefs Enumerations Enumerator Macros
s_client.c
Go to the documentation of this file.
1 /* apps/s_client.c */
2 /* Copyright (C) 1995-1998 Eric Young ([email protected])
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young ([email protected]).
7  * The implementation was written so as to conform with Netscapes SSL.
8  *
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to. The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson ([email protected]).
15  *
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  *
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  * notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  * notice, this list of conditions and the following disclaimer in the
30  * documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  * must display the following acknowledgement:
33  * "This product includes cryptographic software written by
34  * Eric Young ([email protected])"
35  * The word 'cryptographic' can be left out if the rouines from the library
36  * being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from
38  * the apps directory (application code) you must include an acknowledgement:
39  * "This product includes software written by Tim Hudson ([email protected])"
40  *
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  *
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed. i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  * notice, this list of conditions and the following disclaimer.
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  * notice, this list of conditions and the following disclaimer in
70  * the documentation and/or other materials provided with the
71  * distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  * software must display the following acknowledgment:
75  * "This product includes software developed by the OpenSSL Project
76  * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  * endorse or promote products derived from this software without
80  * prior written permission. For written permission, please contact
81  * [email protected].
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  * nor may "OpenSSL" appear in their names without prior written
85  * permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  * acknowledgment:
89  * "This product includes software developed by the OpenSSL Project
90  * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * ([email protected]). This product includes software written by Tim
108  * Hudson ([email protected]).
109  *
110  */
111 /* ====================================================================
112  * Copyright 2005 Nokia. All rights reserved.
113  *
114  * The portions of the attached software ("Contribution") is developed by
115  * Nokia Corporation and is licensed pursuant to the OpenSSL open source
116  * license.
117  *
118  * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119  * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120  * support (see RFC 4279) to OpenSSL.
121  *
122  * No patent licenses or other rights except those expressly stated in
123  * the OpenSSL open source license shall be deemed granted or received
124  * expressly, by implication, estoppel, or otherwise.
125  *
126  * No assurances are provided by Nokia that the Contribution does not
127  * infringe the patent or other intellectual property rights of any third
128  * party or that the license provides you with all the necessary rights
129  * to make use of the Contribution.
130  *
131  * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132  * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133  * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134  * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
135  * OTHERWISE.
136  */
137 
138 #include <assert.h>
139 #include <ctype.h>
140 #include <stdio.h>
141 #include <stdlib.h>
142 #include <string.h>
143 #include <openssl/e_os2.h>
144 #ifdef OPENSSL_NO_STDIO
145 #define APPS_WIN16
146 #endif
147 
148 /* With IPv6, it looks like Digital has mixed up the proper order of
149  recursive header file inclusion, resulting in the compiler complaining
150  that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which
151  is needed to have fileno() declared correctly... So let's define u_int */
152 #if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
153 #define __U_INT
154 typedef unsigned int u_int;
155 #endif
156 
157 #define USE_SOCKETS
158 #include "apps.h"
159 #include <openssl/x509.h>
160 #include <openssl/ssl.h>
161 #include <openssl/err.h>
162 #include <openssl/pem.h>
163 #include <openssl/rand.h>
164 #include <openssl/ocsp.h>
165 #include <openssl/bn.h>
166 #ifndef OPENSSL_NO_SRP
167 #include <openssl/srp.h>
168 #endif
169 #include "s_apps.h"
170 #include "timeouts.h"
171 
172 #if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
173 /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
174 #undef FIONBIO
175 #endif
176 
177 #if defined(OPENSSL_SYS_BEOS_R5)
178 #include <fcntl.h>
179 #endif
180 
181 #undef PROG
182 #define PROG s_client_main
183 
184 /*#define SSL_HOST_NAME "www.netscape.com" */
185 /*#define SSL_HOST_NAME "193.118.187.102" */
186 #define SSL_HOST_NAME "localhost"
187 
188 /*#define TEST_CERT "client.pem" */ /* no default cert. */
189 
190 #undef BUFSIZZ
191 #define BUFSIZZ 1024*8
192 
193 extern int verify_depth;
194 extern int verify_error;
195 extern int verify_return_error;
196 
197 #ifdef FIONBIO
198 static int c_nbio=0;
199 #endif
200 static int c_Pause=0;
201 static int c_debug=0;
202 #ifndef OPENSSL_NO_TLSEXT
203 static int c_tlsextdebug=0;
204 static int c_status_req=0;
205 #endif
206 static int c_msg=0;
207 static int c_showcerts=0;
208 
209 static char *keymatexportlabel=NULL;
210 static int keymatexportlen=20;
211 
212 static void sc_usage(void);
213 static void print_stuff(BIO *berr,SSL *con,int full);
214 #ifndef OPENSSL_NO_TLSEXT
215 static int ocsp_resp_cb(SSL *s, void *arg);
216 #endif
217 static BIO *bio_c_out=NULL;
218 static int c_quiet=0;
219 static int c_ign_eof=0;
220 
221 #ifndef OPENSSL_NO_PSK
222 /* Default PSK identity and key */
223 static char *psk_identity="Client_identity";
224 /*char *psk_key=NULL; by default PSK is not used */
225 
226 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity,
227  unsigned int max_identity_len, unsigned char *psk,
228  unsigned int max_psk_len)
229  {
230  unsigned int psk_len = 0;
231  int ret;
232  BIGNUM *bn=NULL;
233 
234  if (c_debug)
235  BIO_printf(bio_c_out, "psk_client_cb\n");
236  if (!hint)
237  {
238  /* no ServerKeyExchange message*/
239  if (c_debug)
240  BIO_printf(bio_c_out,"NULL received PSK identity hint, continuing anyway\n");
241  }
242  else if (c_debug)
243  BIO_printf(bio_c_out, "Received PSK identity hint '%s'\n", hint);
244 
245  /* lookup PSK identity and PSK key based on the given identity hint here */
246  ret = BIO_snprintf(identity, max_identity_len, "%s", psk_identity);
247  if (ret < 0 || (unsigned int)ret > max_identity_len)
248  goto out_err;
249  if (c_debug)
250  BIO_printf(bio_c_out, "created identity '%s' len=%d\n", identity, ret);
251  ret=BN_hex2bn(&bn, psk_key);
252  if (!ret)
253  {
254  BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", psk_key);
255  if (bn)
256  BN_free(bn);
257  return 0;
258  }
259 
260  if ((unsigned int)BN_num_bytes(bn) > max_psk_len)
261  {
262  BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
263  max_psk_len, BN_num_bytes(bn));
264  BN_free(bn);
265  return 0;
266  }
267 
268  psk_len=BN_bn2bin(bn, psk);
269  BN_free(bn);
270  if (psk_len == 0)
271  goto out_err;
272 
273  if (c_debug)
274  BIO_printf(bio_c_out, "created PSK len=%d\n", psk_len);
275 
276  return psk_len;
277  out_err:
278  if (c_debug)
279  BIO_printf(bio_err, "Error in PSK client callback\n");
280  return 0;
281  }
282 #endif
283 
284 static void sc_usage(void)
285  {
286  BIO_printf(bio_err,"usage: s_client args\n");
287  BIO_printf(bio_err,"\n");
288  BIO_printf(bio_err," -host host - use -connect instead\n");
289  BIO_printf(bio_err," -port port - use -connect instead\n");
290  BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR);
291 
292  BIO_printf(bio_err," -verify arg - turn on peer certificate verification\n");
293  BIO_printf(bio_err," -cert arg - certificate file to use, PEM format assumed\n");
294  BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n");
295  BIO_printf(bio_err," -key arg - Private key file to use, in cert file if\n");
296  BIO_printf(bio_err," not specified but cert file is.\n");
297  BIO_printf(bio_err," -keyform arg - key format (PEM or DER) PEM default\n");
298  BIO_printf(bio_err," -pass arg - private key file pass phrase source\n");
299  BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n");
300  BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n");
301  BIO_printf(bio_err," -reconnect - Drop and re-make the connection with the same Session-ID\n");
302  BIO_printf(bio_err," -pause - sleep(1) after each read(2) and write(2) system call\n");
303  BIO_printf(bio_err," -showcerts - show all certificates in the chain\n");
304  BIO_printf(bio_err," -debug - extra output\n");
305 #ifdef WATT32
306  BIO_printf(bio_err," -wdebug - WATT-32 tcp debugging\n");
307 #endif
308  BIO_printf(bio_err," -msg - Show protocol messages\n");
309  BIO_printf(bio_err," -nbio_test - more ssl protocol testing\n");
310  BIO_printf(bio_err," -state - print the 'ssl' states\n");
311 #ifdef FIONBIO
312  BIO_printf(bio_err," -nbio - Run with non-blocking IO\n");
313 #endif
314  BIO_printf(bio_err," -crlf - convert LF from terminal into CRLF\n");
315  BIO_printf(bio_err," -quiet - no s_client output\n");
316  BIO_printf(bio_err," -ign_eof - ignore input eof (default when -quiet)\n");
317  BIO_printf(bio_err," -no_ign_eof - don't ignore input eof\n");
318 #ifndef OPENSSL_NO_PSK
319  BIO_printf(bio_err," -psk_identity arg - PSK identity\n");
320  BIO_printf(bio_err," -psk arg - PSK in hex (without 0x)\n");
321 # ifndef OPENSSL_NO_JPAKE
322  BIO_printf(bio_err," -jpake arg - JPAKE secret to use\n");
323 # endif
324 #endif
325 #ifndef OPENSSL_NO_SRP
326  BIO_printf(bio_err," -srpuser user - SRP authentification for 'user'\n");
327  BIO_printf(bio_err," -srppass arg - password for 'user'\n");
328  BIO_printf(bio_err," -srp_lateuser - SRP username into second ClientHello message\n");
329  BIO_printf(bio_err," -srp_moregroups - Tolerate other than the known g N values.\n");
330  BIO_printf(bio_err," -srp_strength int - minimal mength in bits for N (default %d).\n",SRP_MINIMAL_N);
331 #endif
332  BIO_printf(bio_err," -ssl2 - just use SSLv2\n");
333  BIO_printf(bio_err," -ssl3 - just use SSLv3\n");
334  BIO_printf(bio_err," -tls1_2 - just use TLSv1.2\n");
335  BIO_printf(bio_err," -tls1_1 - just use TLSv1.1\n");
336  BIO_printf(bio_err," -tls1 - just use TLSv1\n");
337  BIO_printf(bio_err," -dtls1 - just use DTLSv1\n");
338  BIO_printf(bio_err," -mtu - set the link layer MTU\n");
339  BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
340  BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n");
341  BIO_printf(bio_err," -serverpref - Use server's cipher preferences (only SSLv2)\n");
342  BIO_printf(bio_err," -cipher - preferred cipher to use, use the 'openssl ciphers'\n");
343  BIO_printf(bio_err," command to see what is available\n");
344  BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n");
345  BIO_printf(bio_err," for those protocols that support it, where\n");
346  BIO_printf(bio_err," 'prot' defines which one to assume. Currently,\n");
347  BIO_printf(bio_err," only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
348  BIO_printf(bio_err," are supported.\n");
349 #ifndef OPENSSL_NO_ENGINE
350  BIO_printf(bio_err," -engine id - Initialise and use the specified engine\n");
351 #endif
352  BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
353  BIO_printf(bio_err," -sess_out arg - file to write SSL session to\n");
354  BIO_printf(bio_err," -sess_in arg - file to read SSL session from\n");
355 #ifndef OPENSSL_NO_TLSEXT
356  BIO_printf(bio_err," -servername host - Set TLS extension servername in ClientHello\n");
357  BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n");
358  BIO_printf(bio_err," -status - request certificate status from server\n");
359  BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n");
360 # if !defined(OPENSSL_NO_NEXTPROTONEG)
361  BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
362 # endif
363 #endif
364  BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
365  BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
366  BIO_printf(bio_err," -keymatexport label - Export keying material using label\n");
367  BIO_printf(bio_err," -keymatexportlen len - Export len bytes of keying material (default 20)\n");
368  }
369 
370 #ifndef OPENSSL_NO_TLSEXT
371 
372 /* This is a context that we pass to callbacks */
373 typedef struct tlsextctx_st {
374  BIO * biodebug;
375  int ack;
376 } tlsextctx;
377 
378 
379 static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
380  {
381  tlsextctx * p = (tlsextctx *) arg;
382  const char * hn= SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
383  if (SSL_get_servername_type(s) != -1)
384  p->ack = !SSL_session_reused(s) && hn != NULL;
385  else
386  BIO_printf(bio_err,"Can't use SSL_get_servername\n");
387 
388  return SSL_TLSEXT_ERR_OK;
389  }
390 
391 #ifndef OPENSSL_NO_SRP
392 
393 /* This is a context that we pass to all callbacks */
394 typedef struct srp_arg_st
395  {
396  char *srppassin;
397  char *srplogin;
398  int msg; /* copy from c_msg */
399  int debug; /* copy from c_debug */
400  int amp; /* allow more groups */
401  int strength /* minimal size for N */ ;
402  } SRP_ARG;
403 
404 #define SRP_NUMBER_ITERATIONS_FOR_PRIME 64
405 
406 static int srp_Verify_N_and_g(BIGNUM *N, BIGNUM *g)
407  {
408  BN_CTX *bn_ctx = BN_CTX_new();
409  BIGNUM *p = BN_new();
410  BIGNUM *r = BN_new();
411  int ret =
412  g != NULL && N != NULL && bn_ctx != NULL && BN_is_odd(N) &&
413  BN_is_prime_ex(N, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
414  p != NULL && BN_rshift1(p, N) &&
415 
416  /* p = (N-1)/2 */
417  BN_is_prime_ex(p, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
418  r != NULL &&
419 
420  /* verify g^((N-1)/2) == -1 (mod N) */
421  BN_mod_exp(r, g, p, N, bn_ctx) &&
422  BN_add_word(r, 1) &&
423  BN_cmp(r, N) == 0;
424 
425  if(r)
426  BN_free(r);
427  if(p)
428  BN_free(p);
429  if(bn_ctx)
430  BN_CTX_free(bn_ctx);
431  return ret;
432  }
433 
434 /* This callback is used here for two purposes:
435  - extended debugging
436  - making some primality tests for unknown groups
437  The callback is only called for a non default group.
438 
439  An application does not need the call back at all if
440  only the stanard groups are used. In real life situations,
441  client and server already share well known groups,
442  thus there is no need to verify them.
443  Furthermore, in case that a server actually proposes a group that
444  is not one of those defined in RFC 5054, it is more appropriate
445  to add the group to a static list and then compare since
446  primality tests are rather cpu consuming.
447 */
448 
449 static int MS_CALLBACK ssl_srp_verify_param_cb(SSL *s, void *arg)
450  {
451  SRP_ARG *srp_arg = (SRP_ARG *)arg;
452  BIGNUM *N = NULL, *g = NULL;
453  if (!(N = SSL_get_srp_N(s)) || !(g = SSL_get_srp_g(s)))
454  return 0;
455  if (srp_arg->debug || srp_arg->msg || srp_arg->amp == 1)
456  {
457  BIO_printf(bio_err, "SRP parameters:\n");
458  BIO_printf(bio_err,"\tN="); BN_print(bio_err,N);
459  BIO_printf(bio_err,"\n\tg="); BN_print(bio_err,g);
460  BIO_printf(bio_err,"\n");
461  }
462 
463  if (SRP_check_known_gN_param(g,N))
464  return 1;
465 
466  if (srp_arg->amp == 1)
467  {
468  if (srp_arg->debug)
469  BIO_printf(bio_err, "SRP param N and g are not known params, going to check deeper.\n");
470 
471 /* The srp_moregroups is a real debugging feature.
472  Implementors should rather add the value to the known ones.
473  The minimal size has already been tested.
474 */
475  if (BN_num_bits(g) <= BN_BITS && srp_Verify_N_and_g(N,g))
476  return 1;
477  }
478  BIO_printf(bio_err, "SRP param N and g rejected.\n");
479  return 0;
480  }
481 
482 #define PWD_STRLEN 1024
483 
484 static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
485  {
486  SRP_ARG *srp_arg = (SRP_ARG *)arg;
487  char *pass = (char *)OPENSSL_malloc(PWD_STRLEN+1);
488  PW_CB_DATA cb_tmp;
489  int l;
490 
491  cb_tmp.password = (char *)srp_arg->srppassin;
492  cb_tmp.prompt_info = "SRP user";
493  if ((l = password_callback(pass, PWD_STRLEN, 0, &cb_tmp))<0)
494  {
495  BIO_printf (bio_err, "Can't read Password\n");
496  OPENSSL_free(pass);
497  return NULL;
498  }
499  *(pass+l)= '\0';
500 
501  return pass;
502  }
503 
504 #endif
505  char *srtp_profiles = NULL;
506 
507 # ifndef OPENSSL_NO_NEXTPROTONEG
508 /* This the context that we pass to next_proto_cb */
509 typedef struct tlsextnextprotoctx_st {
510  unsigned char *data;
511  unsigned short len;
512  int status;
513 } tlsextnextprotoctx;
514 
515 static tlsextnextprotoctx next_proto;
516 
517 static int next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg)
518  {
519  tlsextnextprotoctx *ctx = arg;
520 
521  if (!c_quiet)
522  {
523  /* We can assume that |in| is syntactically valid. */
524  unsigned i;
525  BIO_printf(bio_c_out, "Protocols advertised by server: ");
526  for (i = 0; i < inlen; )
527  {
528  if (i)
529  BIO_write(bio_c_out, ", ", 2);
530  BIO_write(bio_c_out, &in[i + 1], in[i]);
531  i += in[i] + 1;
532  }
533  BIO_write(bio_c_out, "\n", 1);
534  }
535 
536  ctx->status = SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len);
537  return SSL_TLSEXT_ERR_OK;
538  }
539 # endif
540 #endif
541 
542 enum
543 {
544  PROTO_OFF = 0,
545  PROTO_SMTP,
546  PROTO_POP3,
547  PROTO_IMAP,
548  PROTO_FTP,
549  PROTO_XMPP
550 };
551 
552 int MAIN(int, char **);
553 
554 int MAIN(int argc, char **argv)
555  {
556  unsigned int off=0, clr=0;
557  SSL *con=NULL;
558 #ifndef OPENSSL_NO_KRB5
559  KSSL_CTX *kctx;
560 #endif
561  int s,k,width,state=0;
562  char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL;
563  int cbuf_len,cbuf_off;
564  int sbuf_len,sbuf_off;
565  fd_set readfds,writefds;
566  short port=PORT;
567  int full_log=1;
568  char *host=SSL_HOST_NAME;
569  char *cert_file=NULL,*key_file=NULL;
570  int cert_format = FORMAT_PEM, key_format = FORMAT_PEM;
571  char *passarg = NULL, *pass = NULL;
572  X509 *cert = NULL;
573  EVP_PKEY *key = NULL;
574  char *CApath=NULL,*CAfile=NULL,*cipher=NULL;
575  int reconnect=0,badop=0,verify=SSL_VERIFY_NONE,bugs=0;
576  int crlf=0;
577  int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending;
578  SSL_CTX *ctx=NULL;
579  int ret=1,in_init=1,i,nbio_test=0;
580  int starttls_proto = PROTO_OFF;
581  int prexit = 0;
582  X509_VERIFY_PARAM *vpm = NULL;
583  int badarg = 0;
584  const SSL_METHOD *meth=NULL;
585  int socket_type=SOCK_STREAM;
586  BIO *sbio;
587  char *inrand=NULL;
588  int mbuf_len=0;
589  struct timeval timeout, *timeoutp;
590 #ifndef OPENSSL_NO_ENGINE
591  char *engine_id=NULL;
592  char *ssl_client_engine_id=NULL;
593  ENGINE *ssl_client_engine=NULL;
594 #endif
595  ENGINE *e=NULL;
596 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
597  struct timeval tv;
598 #if defined(OPENSSL_SYS_BEOS_R5)
599  int stdin_set = 0;
600 #endif
601 #endif
602 #ifndef OPENSSL_NO_TLSEXT
603  char *servername = NULL;
604  tlsextctx tlsextcbp =
605  {NULL,0};
606 # ifndef OPENSSL_NO_NEXTPROTONEG
607  const char *next_proto_neg_in = NULL;
608 # endif
609 #endif
610  char *sess_in = NULL;
611  char *sess_out = NULL;
612  struct sockaddr peer;
613  int peerlen = sizeof(peer);
614  int enable_timeouts = 0 ;
615  long socket_mtu = 0;
616 #ifndef OPENSSL_NO_JPAKE
617  char *jpake_secret = NULL;
618 #endif
619 #ifndef OPENSSL_NO_SRP
620  char * srppass = NULL;
621  int srp_lateuser = 0;
622  SRP_ARG srp_arg = {NULL,NULL,0,0,0,1024};
623 #endif
624 
625  meth=SSLv23_client_method();
626 
627  apps_startup();
628  c_Pause=0;
629  c_quiet=0;
630  c_ign_eof=0;
631  c_debug=0;
632  c_msg=0;
633  c_showcerts=0;
634 
635  if (bio_err == NULL)
636  bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
637 
638  if (!load_config(bio_err, NULL))
639  goto end;
640 
641  if ( ((cbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
642  ((sbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
643  ((mbuf=OPENSSL_malloc(BUFSIZZ)) == NULL))
644  {
645  BIO_printf(bio_err,"out of memory\n");
646  goto end;
647  }
648 
649  verify_depth=0;
650  verify_error=X509_V_OK;
651 #ifdef FIONBIO
652  c_nbio=0;
653 #endif
654 
655  argc--;
656  argv++;
657  while (argc >= 1)
658  {
659  if (strcmp(*argv,"-host") == 0)
660  {
661  if (--argc < 1) goto bad;
662  host= *(++argv);
663  }
664  else if (strcmp(*argv,"-port") == 0)
665  {
666  if (--argc < 1) goto bad;
667  port=atoi(*(++argv));
668  if (port == 0) goto bad;
669  }
670  else if (strcmp(*argv,"-connect") == 0)
671  {
672  if (--argc < 1) goto bad;
673  if (!extract_host_port(*(++argv),&host,NULL,&port))
674  goto bad;
675  }
676  else if (strcmp(*argv,"-verify") == 0)
677  {
678  verify=SSL_VERIFY_PEER;
679  if (--argc < 1) goto bad;
680  verify_depth=atoi(*(++argv));
681  BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
682  }
683  else if (strcmp(*argv,"-cert") == 0)
684  {
685  if (--argc < 1) goto bad;
686  cert_file= *(++argv);
687  }
688  else if (strcmp(*argv,"-sess_out") == 0)
689  {
690  if (--argc < 1) goto bad;
691  sess_out = *(++argv);
692  }
693  else if (strcmp(*argv,"-sess_in") == 0)
694  {
695  if (--argc < 1) goto bad;
696  sess_in = *(++argv);
697  }
698  else if (strcmp(*argv,"-certform") == 0)
699  {
700  if (--argc < 1) goto bad;
701  cert_format = str2fmt(*(++argv));
702  }
703  else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
704  {
705  if (badarg)
706  goto bad;
707  continue;
708  }
709  else if (strcmp(*argv,"-verify_return_error") == 0)
710  verify_return_error = 1;
711  else if (strcmp(*argv,"-prexit") == 0)
712  prexit=1;
713  else if (strcmp(*argv,"-crlf") == 0)
714  crlf=1;
715  else if (strcmp(*argv,"-quiet") == 0)
716  {
717  c_quiet=1;
718  c_ign_eof=1;
719  }
720  else if (strcmp(*argv,"-ign_eof") == 0)
721  c_ign_eof=1;
722  else if (strcmp(*argv,"-no_ign_eof") == 0)
723  c_ign_eof=0;
724  else if (strcmp(*argv,"-pause") == 0)
725  c_Pause=1;
726  else if (strcmp(*argv,"-debug") == 0)
727  c_debug=1;
728 #ifndef OPENSSL_NO_TLSEXT
729  else if (strcmp(*argv,"-tlsextdebug") == 0)
730  c_tlsextdebug=1;
731  else if (strcmp(*argv,"-status") == 0)
732  c_status_req=1;
733 #endif
734 #ifdef WATT32
735  else if (strcmp(*argv,"-wdebug") == 0)
736  dbug_init();
737 #endif
738  else if (strcmp(*argv,"-msg") == 0)
739  c_msg=1;
740  else if (strcmp(*argv,"-showcerts") == 0)
741  c_showcerts=1;
742  else if (strcmp(*argv,"-nbio_test") == 0)
743  nbio_test=1;
744  else if (strcmp(*argv,"-state") == 0)
745  state=1;
746 #ifndef OPENSSL_NO_PSK
747  else if (strcmp(*argv,"-psk_identity") == 0)
748  {
749  if (--argc < 1) goto bad;
750  psk_identity=*(++argv);
751  }
752  else if (strcmp(*argv,"-psk") == 0)
753  {
754  size_t j;
755 
756  if (--argc < 1) goto bad;
757  psk_key=*(++argv);
758  for (j = 0; j < strlen(psk_key); j++)
759  {
760  if (isxdigit((unsigned char)psk_key[j]))
761  continue;
762  BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
763  goto bad;
764  }
765  }
766 #endif
767 #ifndef OPENSSL_NO_SRP
768  else if (strcmp(*argv,"-srpuser") == 0)
769  {
770  if (--argc < 1) goto bad;
771  srp_arg.srplogin= *(++argv);
772  meth=TLSv1_client_method();
773  }
774  else if (strcmp(*argv,"-srppass") == 0)
775  {
776  if (--argc < 1) goto bad;
777  srppass= *(++argv);
778  meth=TLSv1_client_method();
779  }
780  else if (strcmp(*argv,"-srp_strength") == 0)
781  {
782  if (--argc < 1) goto bad;
783  srp_arg.strength=atoi(*(++argv));
784  BIO_printf(bio_err,"SRP minimal length for N is %d\n",srp_arg.strength);
785  meth=TLSv1_client_method();
786  }
787  else if (strcmp(*argv,"-srp_lateuser") == 0)
788  {
789  srp_lateuser= 1;
790  meth=TLSv1_client_method();
791  }
792  else if (strcmp(*argv,"-srp_moregroups") == 0)
793  {
794  srp_arg.amp=1;
795  meth=TLSv1_client_method();
796  }
797 #endif
798 #ifndef OPENSSL_NO_SSL2
799  else if (strcmp(*argv,"-ssl2") == 0)
800  meth=SSLv2_client_method();
801 #endif
802 #ifndef OPENSSL_NO_SSL3
803  else if (strcmp(*argv,"-ssl3") == 0)
804  meth=SSLv3_client_method();
805 #endif
806 #ifndef OPENSSL_NO_TLS1
807  else if (strcmp(*argv,"-tls1_2") == 0)
808  meth=TLSv1_2_client_method();
809  else if (strcmp(*argv,"-tls1_1") == 0)
810  meth=TLSv1_1_client_method();
811  else if (strcmp(*argv,"-tls1") == 0)
812  meth=TLSv1_client_method();
813 #endif
814 #ifndef OPENSSL_NO_DTLS1
815  else if (strcmp(*argv,"-dtls1") == 0)
816  {
817  meth=DTLSv1_client_method();
818  socket_type=SOCK_DGRAM;
819  }
820  else if (strcmp(*argv,"-timeout") == 0)
821  enable_timeouts=1;
822  else if (strcmp(*argv,"-mtu") == 0)
823  {
824  if (--argc < 1) goto bad;
825  socket_mtu = atol(*(++argv));
826  }
827 #endif
828  else if (strcmp(*argv,"-bugs") == 0)
829  bugs=1;
830  else if (strcmp(*argv,"-keyform") == 0)
831  {
832  if (--argc < 1) goto bad;
833  key_format = str2fmt(*(++argv));
834  }
835  else if (strcmp(*argv,"-pass") == 0)
836  {
837  if (--argc < 1) goto bad;
838  passarg = *(++argv);
839  }
840  else if (strcmp(*argv,"-key") == 0)
841  {
842  if (--argc < 1) goto bad;
843  key_file= *(++argv);
844  }
845  else if (strcmp(*argv,"-reconnect") == 0)
846  {
847  reconnect=5;
848  }
849  else if (strcmp(*argv,"-CApath") == 0)
850  {
851  if (--argc < 1) goto bad;
852  CApath= *(++argv);
853  }
854  else if (strcmp(*argv,"-CAfile") == 0)
855  {
856  if (--argc < 1) goto bad;
857  CAfile= *(++argv);
858  }
859  else if (strcmp(*argv,"-no_tls1_2") == 0)
860  off|=SSL_OP_NO_TLSv1_2;
861  else if (strcmp(*argv,"-no_tls1_1") == 0)
862  off|=SSL_OP_NO_TLSv1_1;
863  else if (strcmp(*argv,"-no_tls1") == 0)
864  off|=SSL_OP_NO_TLSv1;
865  else if (strcmp(*argv,"-no_ssl3") == 0)
866  off|=SSL_OP_NO_SSLv3;
867  else if (strcmp(*argv,"-no_ssl2") == 0)
868  off|=SSL_OP_NO_SSLv2;
869  else if (strcmp(*argv,"-no_comp") == 0)
870  { off|=SSL_OP_NO_COMPRESSION; }
871 #ifndef OPENSSL_NO_TLSEXT
872  else if (strcmp(*argv,"-no_ticket") == 0)
873  { off|=SSL_OP_NO_TICKET; }
874 # ifndef OPENSSL_NO_NEXTPROTONEG
875  else if (strcmp(*argv,"-nextprotoneg") == 0)
876  {
877  if (--argc < 1) goto bad;
878  next_proto_neg_in = *(++argv);
879  }
880 # endif
881 #endif
882  else if (strcmp(*argv,"-serverpref") == 0)
883  off|=SSL_OP_CIPHER_SERVER_PREFERENCE;
884  else if (strcmp(*argv,"-legacy_renegotiation") == 0)
885  off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
886  else if (strcmp(*argv,"-legacy_server_connect") == 0)
887  { off|=SSL_OP_LEGACY_SERVER_CONNECT; }
888  else if (strcmp(*argv,"-no_legacy_server_connect") == 0)
889  { clr|=SSL_OP_LEGACY_SERVER_CONNECT; }
890  else if (strcmp(*argv,"-cipher") == 0)
891  {
892  if (--argc < 1) goto bad;
893  cipher= *(++argv);
894  }
895 #ifdef FIONBIO
896  else if (strcmp(*argv,"-nbio") == 0)
897  { c_nbio=1; }
898 #endif
899  else if (strcmp(*argv,"-starttls") == 0)
900  {
901  if (--argc < 1) goto bad;
902  ++argv;
903  if (strcmp(*argv,"smtp") == 0)
904  starttls_proto = PROTO_SMTP;
905  else if (strcmp(*argv,"pop3") == 0)
906  starttls_proto = PROTO_POP3;
907  else if (strcmp(*argv,"imap") == 0)
908  starttls_proto = PROTO_IMAP;
909  else if (strcmp(*argv,"ftp") == 0)
910  starttls_proto = PROTO_FTP;
911  else if (strcmp(*argv, "xmpp") == 0)
912  starttls_proto = PROTO_XMPP;
913  else
914  goto bad;
915  }
916 #ifndef OPENSSL_NO_ENGINE
917  else if (strcmp(*argv,"-engine") == 0)
918  {
919  if (--argc < 1) goto bad;
920  engine_id = *(++argv);
921  }
922  else if (strcmp(*argv,"-ssl_client_engine") == 0)
923  {
924  if (--argc < 1) goto bad;
925  ssl_client_engine_id = *(++argv);
926  }
927 #endif
928  else if (strcmp(*argv,"-rand") == 0)
929  {
930  if (--argc < 1) goto bad;
931  inrand= *(++argv);
932  }
933 #ifndef OPENSSL_NO_TLSEXT
934  else if (strcmp(*argv,"-servername") == 0)
935  {
936  if (--argc < 1) goto bad;
937  servername= *(++argv);
938  /* meth=TLSv1_client_method(); */
939  }
940 #endif
941 #ifndef OPENSSL_NO_JPAKE
942  else if (strcmp(*argv,"-jpake") == 0)
943  {
944  if (--argc < 1) goto bad;
945  jpake_secret = *++argv;
946  }
947 #endif
948  else if (strcmp(*argv,"-use_srtp") == 0)
949  {
950  if (--argc < 1) goto bad;
951  srtp_profiles = *(++argv);
952  }
953  else if (strcmp(*argv,"-keymatexport") == 0)
954  {
955  if (--argc < 1) goto bad;
956  keymatexportlabel= *(++argv);
957  }
958  else if (strcmp(*argv,"-keymatexportlen") == 0)
959  {
960  if (--argc < 1) goto bad;
961  keymatexportlen=atoi(*(++argv));
962  if (keymatexportlen == 0) goto bad;
963  }
964  else
965  {
966  BIO_printf(bio_err,"unknown option %s\n",*argv);
967  badop=1;
968  break;
969  }
970  argc--;
971  argv++;
972  }
973  if (badop)
974  {
975 bad:
976  sc_usage();
977  goto end;
978  }
979 
980 #if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
981  if (jpake_secret)
982  {
983  if (psk_key)
984  {
985  BIO_printf(bio_err,
986  "Can't use JPAKE and PSK together\n");
987  goto end;
988  }
989  psk_identity = "JPAKE";
990  if (cipher)
991  {
992  BIO_printf(bio_err, "JPAKE sets cipher to PSK\n");
993  goto end;
994  }
995  cipher = "PSK";
996  }
997 #endif
998 
999  OpenSSL_add_ssl_algorithms();
1000  SSL_load_error_strings();
1001 
1002 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
1003  next_proto.status = -1;
1004  if (next_proto_neg_in)
1005  {
1006  next_proto.data = next_protos_parse(&next_proto.len, next_proto_neg_in);
1007  if (next_proto.data == NULL)
1008  {
1009  BIO_printf(bio_err, "Error parsing -nextprotoneg argument\n");
1010  goto end;
1011  }
1012  }
1013  else
1014  next_proto.data = NULL;
1015 #endif
1016 
1017 #ifndef OPENSSL_NO_ENGINE
1018  e = setup_engine(bio_err, engine_id, 1);
1019  if (ssl_client_engine_id)
1020  {
1021  ssl_client_engine = ENGINE_by_id(ssl_client_engine_id);
1022  if (!ssl_client_engine)
1023  {
1024  BIO_printf(bio_err,
1025  "Error getting client auth engine\n");
1026  goto end;
1027  }
1028  }
1029 
1030 #endif
1031  if (!app_passwd(bio_err, passarg, NULL, &pass, NULL))
1032  {
1033  BIO_printf(bio_err, "Error getting password\n");
1034  goto end;
1035  }
1036 
1037  if (key_file == NULL)
1038  key_file = cert_file;
1039 
1040 
1041  if (key_file)
1042 
1043  {
1044 
1045  key = load_key(bio_err, key_file, key_format, 0, pass, e,
1046  "client certificate private key file");
1047  if (!key)
1048  {
1049  ERR_print_errors(bio_err);
1050  goto end;
1051  }
1052 
1053  }
1054 
1055  if (cert_file)
1056 
1057  {
1058  cert = load_cert(bio_err,cert_file,cert_format,
1059  NULL, e, "client certificate file");
1060 
1061  if (!cert)
1062  {
1063  ERR_print_errors(bio_err);
1064  goto end;
1065  }
1066  }
1067 
1068  if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
1069  && !RAND_status())
1070  {
1071  BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
1072  }
1073  if (inrand != NULL)
1074  BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
1075  app_RAND_load_files(inrand));
1076 
1077  if (bio_c_out == NULL)
1078  {
1079  if (c_quiet && !c_debug && !c_msg)
1080  {
1081  bio_c_out=BIO_new(BIO_s_null());
1082  }
1083  else
1084  {
1085  if (bio_c_out == NULL)
1086  bio_c_out=BIO_new_fp(stdout,BIO_NOCLOSE);
1087  }
1088  }
1089 
1090 #ifndef OPENSSL_NO_SRP
1091  if(!app_passwd(bio_err, srppass, NULL, &srp_arg.srppassin, NULL))
1092  {
1093  BIO_printf(bio_err, "Error getting password\n");
1094  goto end;
1095  }
1096 #endif
1097 
1098  ctx=SSL_CTX_new(meth);
1099  if (ctx == NULL)
1100  {
1101  ERR_print_errors(bio_err);
1102  goto end;
1103  }
1104 
1105  if (vpm)
1106  SSL_CTX_set1_param(ctx, vpm);
1107 
1108 #ifndef OPENSSL_NO_ENGINE
1109  if (ssl_client_engine)
1110  {
1111  if (!SSL_CTX_set_client_cert_engine(ctx, ssl_client_engine))
1112  {
1113  BIO_puts(bio_err, "Error setting client auth engine\n");
1114  ERR_print_errors(bio_err);
1115  ENGINE_free(ssl_client_engine);
1116  goto end;
1117  }
1118  ENGINE_free(ssl_client_engine);
1119  }
1120 #endif
1121 
1122 #ifndef OPENSSL_NO_PSK
1123 #ifdef OPENSSL_NO_JPAKE
1124  if (psk_key != NULL)
1125 #else
1126  if (psk_key != NULL || jpake_secret)
1127 #endif
1128  {
1129  if (c_debug)
1130  BIO_printf(bio_c_out, "PSK key given or JPAKE in use, setting client callback\n");
1131  SSL_CTX_set_psk_client_callback(ctx, psk_client_cb);
1132  }
1133  if (srtp_profiles != NULL)
1134  SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles);
1135 #endif
1136  if (bugs)
1137  SSL_CTX_set_options(ctx,SSL_OP_ALL|off);
1138  else
1139  SSL_CTX_set_options(ctx,off);
1140 
1141  if (clr)
1142  SSL_CTX_clear_options(ctx, clr);
1143  /* DTLS: partial reads end up discarding unread UDP bytes :-(
1144  * Setting read ahead solves this problem.
1145  */
1146  if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
1147 
1148 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
1149  if (next_proto.data)
1150  SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);
1151 #endif
1152 
1153  if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
1154  if (cipher != NULL)
1155  if(!SSL_CTX_set_cipher_list(ctx,cipher)) {
1156  BIO_printf(bio_err,"error setting cipher list\n");
1157  ERR_print_errors(bio_err);
1158  goto end;
1159  }
1160 #if 0
1161  else
1162  SSL_CTX_set_cipher_list(ctx,getenv("SSL_CIPHER"));
1163 #endif
1164 
1165  SSL_CTX_set_verify(ctx,verify,verify_callback);
1166  if (!set_cert_key_stuff(ctx,cert,key))
1167  goto end;
1168 
1169  if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
1170  (!SSL_CTX_set_default_verify_paths(ctx)))
1171  {
1172  /* BIO_printf(bio_err,"error setting default verify locations\n"); */
1173  ERR_print_errors(bio_err);
1174  /* goto end; */
1175  }
1176 
1177 #ifndef OPENSSL_NO_TLSEXT
1178  if (servername != NULL)
1179  {
1180  tlsextcbp.biodebug = bio_err;
1181  SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
1182  SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
1183  }
1184 #ifndef OPENSSL_NO_SRP
1185  if (srp_arg.srplogin)
1186  {
1187  if (!srp_lateuser && !SSL_CTX_set_srp_username(ctx, srp_arg.srplogin))
1188  {
1189  BIO_printf(bio_err,"Unable to set SRP username\n");
1190  goto end;
1191  }
1192  srp_arg.msg = c_msg;
1193  srp_arg.debug = c_debug ;
1194  SSL_CTX_set_srp_cb_arg(ctx,&srp_arg);
1195  SSL_CTX_set_srp_client_pwd_callback(ctx, ssl_give_srp_client_pwd_cb);
1196  SSL_CTX_set_srp_strength(ctx, srp_arg.strength);
1197  if (c_msg || c_debug || srp_arg.amp == 0)
1198  SSL_CTX_set_srp_verify_param_callback(ctx, ssl_srp_verify_param_cb);
1199  }
1200 
1201 #endif
1202 #endif
1203 
1204  con=SSL_new(ctx);
1205  if (sess_in)
1206  {
1207  SSL_SESSION *sess;
1208  BIO *stmp = BIO_new_file(sess_in, "r");
1209  if (!stmp)
1210  {
1211  BIO_printf(bio_err, "Can't open session file %s\n",
1212  sess_in);
1213  ERR_print_errors(bio_err);
1214  goto end;
1215  }
1216  sess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL);
1217  BIO_free(stmp);
1218  if (!sess)
1219  {
1220  BIO_printf(bio_err, "Can't open session file %s\n",
1221  sess_in);
1222  ERR_print_errors(bio_err);
1223  goto end;
1224  }
1225  SSL_set_session(con, sess);
1226  SSL_SESSION_free(sess);
1227  }
1228 #ifndef OPENSSL_NO_TLSEXT
1229  if (servername != NULL)
1230  {
1231  if (!SSL_set_tlsext_host_name(con,servername))
1232  {
1233  BIO_printf(bio_err,"Unable to set TLS servername extension.\n");
1234  ERR_print_errors(bio_err);
1235  goto end;
1236  }
1237  }
1238 #endif
1239 #ifndef OPENSSL_NO_KRB5
1240  if (con && (kctx = kssl_ctx_new()) != NULL)
1241  {
1242  SSL_set0_kssl_ctx(con, kctx);
1243  kssl_ctx_setstring(kctx, KSSL_SERVER, host);
1244  }
1245 #endif /* OPENSSL_NO_KRB5 */
1246 /* SSL_set_cipher_list(con,"RC4-MD5"); */
1247 #if 0
1248 #ifdef TLSEXT_TYPE_opaque_prf_input
1249  SSL_set_tlsext_opaque_prf_input(con, "Test client", 11);
1250 #endif
1251 #endif
1252 
1253 re_start:
1254 
1255  if (init_client(&s,host,port,socket_type) == 0)
1256  {
1257  BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
1258  SHUTDOWN(s);
1259  goto end;
1260  }
1261  BIO_printf(bio_c_out,"CONNECTED(%08X)\n",s);
1262 
1263 #ifdef FIONBIO
1264  if (c_nbio)
1265  {
1266  unsigned long l=1;
1267  BIO_printf(bio_c_out,"turning on non blocking io\n");
1268  if (BIO_socket_ioctl(s,FIONBIO,&l) < 0)
1269  {
1270  ERR_print_errors(bio_err);
1271  goto end;
1272  }
1273  }
1274 #endif
1275  if (c_Pause & 0x01) SSL_set_debug(con, 1);
1276 
1277  if ( SSL_version(con) == DTLS1_VERSION)
1278  {
1279 
1280  sbio=BIO_new_dgram(s,BIO_NOCLOSE);
1281  if (getsockname(s, &peer, (void *)&peerlen) < 0)
1282  {
1283  BIO_printf(bio_err, "getsockname:errno=%d\n",
1284  get_last_socket_error());
1285  SHUTDOWN(s);
1286  goto end;
1287  }
1288 
1289  (void)BIO_ctrl_set_connected(sbio, 1, &peer);
1290 
1291  if (enable_timeouts)
1292  {
1293  timeout.tv_sec = 0;
1294  timeout.tv_usec = DGRAM_RCV_TIMEOUT;
1295  BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
1296 
1297  timeout.tv_sec = 0;
1298  timeout.tv_usec = DGRAM_SND_TIMEOUT;
1299  BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
1300  }
1301 
1302  if (socket_mtu > 28)
1303  {
1304  SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
1305  SSL_set_mtu(con, socket_mtu - 28);
1306  }
1307  else
1308  /* want to do MTU discovery */
1309  BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
1310  }
1311  else
1312  sbio=BIO_new_socket(s,BIO_NOCLOSE);
1313 
1314  if (nbio_test)
1315  {
1316  BIO *test;
1317 
1318  test=BIO_new(BIO_f_nbio_test());
1319  sbio=BIO_push(test,sbio);
1320  }
1321 
1322  if (c_debug)
1323  {
1324  SSL_set_debug(con, 1);
1325  BIO_set_callback(sbio,bio_dump_callback);
1326  BIO_set_callback_arg(sbio,(char *)bio_c_out);
1327  }
1328  if (c_msg)
1329  {
1330  SSL_set_msg_callback(con, msg_cb);
1331  SSL_set_msg_callback_arg(con, bio_c_out);
1332  }
1333 #ifndef OPENSSL_NO_TLSEXT
1334  if (c_tlsextdebug)
1335  {
1336  SSL_set_tlsext_debug_callback(con, tlsext_cb);
1337  SSL_set_tlsext_debug_arg(con, bio_c_out);
1338  }
1339  if (c_status_req)
1340  {
1341  SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp);
1342  SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb);
1343  SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out);
1344 #if 0
1345 {
1346 STACK_OF(OCSP_RESPID) *ids = sk_OCSP_RESPID_new_null();
1347 OCSP_RESPID *id = OCSP_RESPID_new();
1348 id->value.byKey = ASN1_OCTET_STRING_new();
1349 id->type = V_OCSP_RESPID_KEY;
1350 ASN1_STRING_set(id->value.byKey, "Hello World", -1);
1351 sk_OCSP_RESPID_push(ids, id);
1352 SSL_set_tlsext_status_ids(con, ids);
1353 }
1354 #endif
1355  }
1356 #endif
1357 #ifndef OPENSSL_NO_JPAKE
1358  if (jpake_secret)
1359  jpake_client_auth(bio_c_out, sbio, jpake_secret);
1360 #endif
1361 
1362  SSL_set_bio(con,sbio,sbio);
1363  SSL_set_connect_state(con);
1364 
1365  /* ok, lets connect */
1366  width=SSL_get_fd(con)+1;
1367 
1368  read_tty=1;
1369  write_tty=0;
1370  tty_on=0;
1371  read_ssl=1;
1372  write_ssl=1;
1373 
1374  cbuf_len=0;
1375  cbuf_off=0;
1376  sbuf_len=0;
1377  sbuf_off=0;
1378 
1379  /* This is an ugly hack that does a lot of assumptions */
1380  /* We do have to handle multi-line responses which may come
1381  in a single packet or not. We therefore have to use
1382  BIO_gets() which does need a buffering BIO. So during
1383  the initial chitchat we do push a buffering BIO into the
1384  chain that is removed again later on to not disturb the
1385  rest of the s_client operation. */
1386  if (starttls_proto == PROTO_SMTP)
1387  {
1388  int foundit=0;
1389  BIO *fbio = BIO_new(BIO_f_buffer());
1390  BIO_push(fbio, sbio);
1391  /* wait for multi-line response to end from SMTP */
1392  do
1393  {
1394  mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1395  }
1396  while (mbuf_len>3 && mbuf[3]=='-');
1397  /* STARTTLS command requires EHLO... */
1398  BIO_printf(fbio,"EHLO openssl.client.net\r\n");
1399  (void)BIO_flush(fbio);
1400  /* wait for multi-line response to end EHLO SMTP response */
1401  do
1402  {
1403  mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1404  if (strstr(mbuf,"STARTTLS"))
1405  foundit=1;
1406  }
1407  while (mbuf_len>3 && mbuf[3]=='-');
1408  (void)BIO_flush(fbio);
1409  BIO_pop(fbio);
1410  BIO_free(fbio);
1411  if (!foundit)
1412  BIO_printf(bio_err,
1413  "didn't found starttls in server response,"
1414  " try anyway...\n");
1415  BIO_printf(sbio,"STARTTLS\r\n");
1416  BIO_read(sbio,sbuf,BUFSIZZ);
1417  }
1418  else if (starttls_proto == PROTO_POP3)
1419  {
1420  BIO_read(sbio,mbuf,BUFSIZZ);
1421  BIO_printf(sbio,"STLS\r\n");
1422  BIO_read(sbio,sbuf,BUFSIZZ);
1423  }
1424  else if (starttls_proto == PROTO_IMAP)
1425  {
1426  int foundit=0;
1427  BIO *fbio = BIO_new(BIO_f_buffer());
1428  BIO_push(fbio, sbio);
1429  BIO_gets(fbio,mbuf,BUFSIZZ);
1430  /* STARTTLS command requires CAPABILITY... */
1431  BIO_printf(fbio,". CAPABILITY\r\n");
1432  (void)BIO_flush(fbio);
1433  /* wait for multi-line CAPABILITY response */
1434  do
1435  {
1436  mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1437  if (strstr(mbuf,"STARTTLS"))
1438  foundit=1;
1439  }
1440  while (mbuf_len>3 && mbuf[0]!='.');
1441  (void)BIO_flush(fbio);
1442  BIO_pop(fbio);
1443  BIO_free(fbio);
1444  if (!foundit)
1445  BIO_printf(bio_err,
1446  "didn't found STARTTLS in server response,"
1447  " try anyway...\n");
1448  BIO_printf(sbio,". STARTTLS\r\n");
1449  BIO_read(sbio,sbuf,BUFSIZZ);
1450  }
1451  else if (starttls_proto == PROTO_FTP)
1452  {
1453  BIO *fbio = BIO_new(BIO_f_buffer());
1454  BIO_push(fbio, sbio);
1455  /* wait for multi-line response to end from FTP */
1456  do
1457  {
1458  mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1459  }
1460  while (mbuf_len>3 && mbuf[3]=='-');
1461  (void)BIO_flush(fbio);
1462  BIO_pop(fbio);
1463  BIO_free(fbio);
1464  BIO_printf(sbio,"AUTH TLS\r\n");
1465  BIO_read(sbio,sbuf,BUFSIZZ);
1466  }
1467  if (starttls_proto == PROTO_XMPP)
1468  {
1469  int seen = 0;
1470  BIO_printf(sbio,"<stream:stream "
1471  "xmlns:stream='http://etherx.jabber.org/streams' "
1472  "xmlns='jabber:client' to='%s' version='1.0'>", host);
1473  seen = BIO_read(sbio,mbuf,BUFSIZZ);
1474  mbuf[seen] = 0;
1475  while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'"))
1476  {
1477  if (strstr(mbuf, "/stream:features>"))
1478  goto shut;
1479  seen = BIO_read(sbio,mbuf,BUFSIZZ);
1480  mbuf[seen] = 0;
1481  }
1482  BIO_printf(sbio, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>");
1483  seen = BIO_read(sbio,sbuf,BUFSIZZ);
1484  sbuf[seen] = 0;
1485  if (!strstr(sbuf, "<proceed"))
1486  goto shut;
1487  mbuf[0] = 0;
1488  }
1489 
1490  for (;;)
1491  {
1492  FD_ZERO(&readfds);
1493  FD_ZERO(&writefds);
1494 
1495  if ((SSL_version(con) == DTLS1_VERSION) &&
1496  DTLSv1_get_timeout(con, &timeout))
1497  timeoutp = &timeout;
1498  else
1499  timeoutp = NULL;
1500 
1501  if (SSL_in_init(con) && !SSL_total_renegotiations(con))
1502  {
1503  in_init=1;
1504  tty_on=0;
1505  }
1506  else
1507  {
1508  tty_on=1;
1509  if (in_init)
1510  {
1511  in_init=0;
1512 #if 0 /* This test doesn't really work as intended (needs to be fixed) */
1513 #ifndef OPENSSL_NO_TLSEXT
1514  if (servername != NULL && !SSL_session_reused(con))
1515  {
1516  BIO_printf(bio_c_out,"Server did %sacknowledge servername extension.\n",tlsextcbp.ack?"":"not ");
1517  }
1518 #endif
1519 #endif
1520  if (sess_out)
1521  {
1522  BIO *stmp = BIO_new_file(sess_out, "w");
1523  if (stmp)
1524  {
1525  PEM_write_bio_SSL_SESSION(stmp, SSL_get_session(con));
1526  BIO_free(stmp);
1527  }
1528  else
1529  BIO_printf(bio_err, "Error writing session file %s\n", sess_out);
1530  }
1531  print_stuff(bio_c_out,con,full_log);
1532  if (full_log > 0) full_log--;
1533 
1534  if (starttls_proto)
1535  {
1536  BIO_printf(bio_err,"%s",mbuf);
1537  /* We don't need to know any more */
1538  starttls_proto = PROTO_OFF;
1539  }
1540 
1541  if (reconnect)
1542  {
1543  reconnect--;
1544  BIO_printf(bio_c_out,"drop connection and then reconnect\n");
1545  SSL_shutdown(con);
1546  SSL_set_connect_state(con);
1547  SHUTDOWN(SSL_get_fd(con));
1548  goto re_start;
1549  }
1550  }
1551  }
1552 
1553  ssl_pending = read_ssl && SSL_pending(con);
1554 
1555  if (!ssl_pending)
1556  {
1557 #if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) && !defined (OPENSSL_SYS_BEOS_R5)
1558  if (tty_on)
1559  {
1560  if (read_tty) openssl_fdset(fileno(stdin),&readfds);
1561  if (write_tty) openssl_fdset(fileno(stdout),&writefds);
1562  }
1563  if (read_ssl)
1564  openssl_fdset(SSL_get_fd(con),&readfds);
1565  if (write_ssl)
1566  openssl_fdset(SSL_get_fd(con),&writefds);
1567 #else
1568  if(!tty_on || !write_tty) {
1569  if (read_ssl)
1570  openssl_fdset(SSL_get_fd(con),&readfds);
1571  if (write_ssl)
1572  openssl_fdset(SSL_get_fd(con),&writefds);
1573  }
1574 #endif
1575 /* printf("mode tty(%d %d%d) ssl(%d%d)\n",
1576  tty_on,read_tty,write_tty,read_ssl,write_ssl);*/
1577 
1578  /* Note: under VMS with SOCKETSHR the second parameter
1579  * is currently of type (int *) whereas under other
1580  * systems it is (void *) if you don't have a cast it
1581  * will choke the compiler: if you do have a cast then
1582  * you can either go for (int *) or (void *).
1583  */
1584 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
1585  /* Under Windows/DOS we make the assumption that we can
1586  * always write to the tty: therefore if we need to
1587  * write to the tty we just fall through. Otherwise
1588  * we timeout the select every second and see if there
1589  * are any keypresses. Note: this is a hack, in a proper
1590  * Windows application we wouldn't do this.
1591  */
1592  i=0;
1593  if(!write_tty) {
1594  if(read_tty) {
1595  tv.tv_sec = 1;
1596  tv.tv_usec = 0;
1597  i=select(width,(void *)&readfds,(void *)&writefds,
1598  NULL,&tv);
1599 #if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
1600  if(!i && (!_kbhit() || !read_tty) ) continue;
1601 #else
1602  if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue;
1603 #endif
1604  } else i=select(width,(void *)&readfds,(void *)&writefds,
1605  NULL,timeoutp);
1606  }
1607 #elif defined(OPENSSL_SYS_NETWARE)
1608  if(!write_tty) {
1609  if(read_tty) {
1610  tv.tv_sec = 1;
1611  tv.tv_usec = 0;
1612  i=select(width,(void *)&readfds,(void *)&writefds,
1613  NULL,&tv);
1614  } else i=select(width,(void *)&readfds,(void *)&writefds,
1615  NULL,timeoutp);
1616  }
1617 #elif defined(OPENSSL_SYS_BEOS_R5)
1618  /* Under BeOS-R5 the situation is similar to DOS */
1619  i=0;
1620  stdin_set = 0;
1621  (void)fcntl(fileno(stdin), F_SETFL, O_NONBLOCK);
1622  if(!write_tty) {
1623  if(read_tty) {
1624  tv.tv_sec = 1;
1625  tv.tv_usec = 0;
1626  i=select(width,(void *)&readfds,(void *)&writefds,
1627  NULL,&tv);
1628  if (read(fileno(stdin), sbuf, 0) >= 0)
1629  stdin_set = 1;
1630  if (!i && (stdin_set != 1 || !read_tty))
1631  continue;
1632  } else i=select(width,(void *)&readfds,(void *)&writefds,
1633  NULL,timeoutp);
1634  }
1635  (void)fcntl(fileno(stdin), F_SETFL, 0);
1636 #else
1637  i=select(width,(void *)&readfds,(void *)&writefds,
1638  NULL,timeoutp);
1639 #endif
1640  if ( i < 0)
1641  {
1642  BIO_printf(bio_err,"bad select %d\n",
1643  get_last_socket_error());
1644  goto shut;
1645  /* goto end; */
1646  }
1647  }
1648 
1649  if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0)
1650  {
1651  BIO_printf(bio_err,"TIMEOUT occured\n");
1652  }
1653 
1654  if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds))
1655  {
1656  k=SSL_write(con,&(cbuf[cbuf_off]),
1657  (unsigned int)cbuf_len);
1658  switch (SSL_get_error(con,k))
1659  {
1660  case SSL_ERROR_NONE:
1661  cbuf_off+=k;
1662  cbuf_len-=k;
1663  if (k <= 0) goto end;
1664  /* we have done a write(con,NULL,0); */
1665  if (cbuf_len <= 0)
1666  {
1667  read_tty=1;
1668  write_ssl=0;
1669  }
1670  else /* if (cbuf_len > 0) */
1671  {
1672  read_tty=0;
1673  write_ssl=1;
1674  }
1675  break;
1676  case SSL_ERROR_WANT_WRITE:
1677  BIO_printf(bio_c_out,"write W BLOCK\n");
1678  write_ssl=1;
1679  read_tty=0;
1680  break;
1681  case SSL_ERROR_WANT_READ:
1682  BIO_printf(bio_c_out,"write R BLOCK\n");
1683  write_tty=0;
1684  read_ssl=1;
1685  write_ssl=0;
1686  break;
1687  case SSL_ERROR_WANT_X509_LOOKUP:
1688  BIO_printf(bio_c_out,"write X BLOCK\n");
1689  break;
1690  case SSL_ERROR_ZERO_RETURN:
1691  if (cbuf_len != 0)
1692  {
1693  BIO_printf(bio_c_out,"shutdown\n");
1694  ret = 0;
1695  goto shut;
1696  }
1697  else
1698  {
1699  read_tty=1;
1700  write_ssl=0;
1701  break;
1702  }
1703 
1704  case SSL_ERROR_SYSCALL:
1705  if ((k != 0) || (cbuf_len != 0))
1706  {
1707  BIO_printf(bio_err,"write:errno=%d\n",
1708  get_last_socket_error());
1709  goto shut;
1710  }
1711  else
1712  {
1713  read_tty=1;
1714  write_ssl=0;
1715  }
1716  break;
1717  case SSL_ERROR_SSL:
1718  ERR_print_errors(bio_err);
1719  goto shut;
1720  }
1721  }
1722 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
1723  /* Assume Windows/DOS/BeOS can always write */
1724  else if (!ssl_pending && write_tty)
1725 #else
1726  else if (!ssl_pending && FD_ISSET(fileno(stdout),&writefds))
1727 #endif
1728  {
1729 #ifdef CHARSET_EBCDIC
1730  ascii2ebcdic(&(sbuf[sbuf_off]),&(sbuf[sbuf_off]),sbuf_len);
1731 #endif
1732  i=raw_write_stdout(&(sbuf[sbuf_off]),sbuf_len);
1733 
1734  if (i <= 0)
1735  {
1736  BIO_printf(bio_c_out,"DONE\n");
1737  ret = 0;
1738  goto shut;
1739  /* goto end; */
1740  }
1741 
1742  sbuf_len-=i;;
1743  sbuf_off+=i;
1744  if (sbuf_len <= 0)
1745  {
1746  read_ssl=1;
1747  write_tty=0;
1748  }
1749  }
1750  else if (ssl_pending || FD_ISSET(SSL_get_fd(con),&readfds))
1751  {
1752 #ifdef RENEG
1753 { static int iiii; if (++iiii == 52) { SSL_renegotiate(con); iiii=0; } }
1754 #endif
1755 #if 1
1756  k=SSL_read(con,sbuf,1024 /* BUFSIZZ */ );
1757 #else
1758 /* Demo for pending and peek :-) */
1759  k=SSL_read(con,sbuf,16);
1760 { char zbuf[10240];
1761 printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240));
1762 }
1763 #endif
1764 
1765  switch (SSL_get_error(con,k))
1766  {
1767  case SSL_ERROR_NONE:
1768  if (k <= 0)
1769  goto end;
1770  sbuf_off=0;
1771  sbuf_len=k;
1772 
1773  read_ssl=0;
1774  write_tty=1;
1775  break;
1776  case SSL_ERROR_WANT_WRITE:
1777  BIO_printf(bio_c_out,"read W BLOCK\n");
1778  write_ssl=1;
1779  read_tty=0;
1780  break;
1781  case SSL_ERROR_WANT_READ:
1782  BIO_printf(bio_c_out,"read R BLOCK\n");
1783  write_tty=0;
1784  read_ssl=1;
1785  if ((read_tty == 0) && (write_ssl == 0))
1786  write_ssl=1;
1787  break;
1788  case SSL_ERROR_WANT_X509_LOOKUP:
1789  BIO_printf(bio_c_out,"read X BLOCK\n");
1790  break;
1791  case SSL_ERROR_SYSCALL:
1792  ret=get_last_socket_error();
1793  BIO_printf(bio_err,"read:errno=%d\n",ret);
1794  goto shut;
1795  case SSL_ERROR_ZERO_RETURN:
1796  BIO_printf(bio_c_out,"closed\n");
1797  ret=0;
1798  goto shut;
1799  case SSL_ERROR_SSL:
1800  ERR_print_errors(bio_err);
1801  goto shut;
1802  /* break; */
1803  }
1804  }
1805 
1806 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
1807 #if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
1808  else if (_kbhit())
1809 #else
1810  else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
1811 #endif
1812 #elif defined (OPENSSL_SYS_NETWARE)
1813  else if (_kbhit())
1814 #elif defined(OPENSSL_SYS_BEOS_R5)
1815  else if (stdin_set)
1816 #else
1817  else if (FD_ISSET(fileno(stdin),&readfds))
1818 #endif
1819  {
1820  if (crlf)
1821  {
1822  int j, lf_num;
1823 
1824  i=raw_read_stdin(cbuf,BUFSIZZ/2);
1825  lf_num = 0;
1826  /* both loops are skipped when i <= 0 */
1827  for (j = 0; j < i; j++)
1828  if (cbuf[j] == '\n')
1829  lf_num++;
1830  for (j = i-1; j >= 0; j--)
1831  {
1832  cbuf[j+lf_num] = cbuf[j];
1833  if (cbuf[j] == '\n')
1834  {
1835  lf_num--;
1836  i++;
1837  cbuf[j+lf_num] = '\r';
1838  }
1839  }
1840  assert(lf_num == 0);
1841  }
1842  else
1843  i=raw_read_stdin(cbuf,BUFSIZZ);
1844 
1845  if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q')))
1846  {
1847  BIO_printf(bio_err,"DONE\n");
1848  ret=0;
1849  goto shut;
1850  }
1851 
1852  if ((!c_ign_eof) && (cbuf[0] == 'R'))
1853  {
1854  BIO_printf(bio_err,"RENEGOTIATING\n");
1855  SSL_renegotiate(con);
1856  cbuf_len=0;
1857  }
1858 #ifndef OPENSSL_NO_HEARTBEATS
1859  else if ((!c_ign_eof) && (cbuf[0] == 'B'))
1860  {
1861  BIO_printf(bio_err,"HEARTBEATING\n");
1862  SSL_heartbeat(con);
1863  cbuf_len=0;
1864  }
1865 #endif
1866  else
1867  {
1868  cbuf_len=i;
1869  cbuf_off=0;
1870 #ifdef CHARSET_EBCDIC
1871  ebcdic2ascii(cbuf, cbuf, i);
1872 #endif
1873  }
1874 
1875  write_ssl=1;
1876  read_tty=0;
1877  }
1878  }
1879 
1880  ret=0;
1881 shut:
1882  if (in_init)
1883  print_stuff(bio_c_out,con,full_log);
1884  SSL_shutdown(con);
1885  SHUTDOWN(SSL_get_fd(con));
1886 end:
1887  if (con != NULL)
1888  {
1889  if (prexit != 0)
1890  print_stuff(bio_c_out,con,1);
1891  SSL_free(con);
1892  }
1893  if (ctx != NULL) SSL_CTX_free(ctx);
1894  if (cert)
1895  X509_free(cert);
1896  if (key)
1897  EVP_PKEY_free(key);
1898  if (pass)
1899  OPENSSL_free(pass);
1900  if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); }
1901  if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); }
1902  if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); }
1903  if (bio_c_out != NULL)
1904  {
1905  BIO_free(bio_c_out);
1906  bio_c_out=NULL;
1907  }
1908  apps_shutdown();
1909  OPENSSL_EXIT(ret);
1910  }
1911 
1912 
1913 static void print_stuff(BIO *bio, SSL *s, int full)
1914  {
1915  X509 *peer=NULL;
1916  char *p;
1917  static const char *space=" ";
1918  char buf[BUFSIZ];
1919  STACK_OF(X509) *sk;
1920  STACK_OF(X509_NAME) *sk2;
1921  const SSL_CIPHER *c;
1922  X509_NAME *xn;
1923  int j,i;
1924 #ifndef OPENSSL_NO_COMP
1925  const COMP_METHOD *comp, *expansion;
1926 #endif
1927  unsigned char *exportedkeymat;
1928 
1929  if (full)
1930  {
1931  int got_a_chain = 0;
1932 
1933  sk=SSL_get_peer_cert_chain(s);
1934  if (sk != NULL)
1935  {
1936  got_a_chain = 1; /* we don't have it for SSL2 (yet) */
1937 
1938  BIO_printf(bio,"---\nCertificate chain\n");
1939  for (i=0; i<sk_X509_num(sk); i++)
1940  {
1941  X509_NAME_oneline(X509_get_subject_name(
1942  sk_X509_value(sk,i)),buf,sizeof buf);
1943  BIO_printf(bio,"%2d s:%s\n",i,buf);
1944  X509_NAME_oneline(X509_get_issuer_name(
1945  sk_X509_value(sk,i)),buf,sizeof buf);
1946  BIO_printf(bio," i:%s\n",buf);
1947  if (c_showcerts)
1948  PEM_write_bio_X509(bio,sk_X509_value(sk,i));
1949  }
1950  }
1951 
1952  BIO_printf(bio,"---\n");
1953  peer=SSL_get_peer_certificate(s);
1954  if (peer != NULL)
1955  {
1956  BIO_printf(bio,"Server certificate\n");
1957  if (!(c_showcerts && got_a_chain)) /* Redundant if we showed the whole chain */
1958  PEM_write_bio_X509(bio,peer);
1959  X509_NAME_oneline(X509_get_subject_name(peer),
1960  buf,sizeof buf);
1961  BIO_printf(bio,"subject=%s\n",buf);
1962  X509_NAME_oneline(X509_get_issuer_name(peer),
1963  buf,sizeof buf);
1964  BIO_printf(bio,"issuer=%s\n",buf);
1965  }
1966  else
1967  BIO_printf(bio,"no peer certificate available\n");
1968 
1969  sk2=SSL_get_client_CA_list(s);
1970  if ((sk2 != NULL) && (sk_X509_NAME_num(sk2) > 0))
1971  {
1972  BIO_printf(bio,"---\nAcceptable client certificate CA names\n");
1973  for (i=0; i<sk_X509_NAME_num(sk2); i++)
1974  {
1975  xn=sk_X509_NAME_value(sk2,i);
1976  X509_NAME_oneline(xn,buf,sizeof(buf));
1977  BIO_write(bio,buf,strlen(buf));
1978  BIO_write(bio,"\n",1);
1979  }
1980  }
1981  else
1982  {
1983  BIO_printf(bio,"---\nNo client certificate CA names sent\n");
1984  }
1985  p=SSL_get_shared_ciphers(s,buf,sizeof buf);
1986  if (p != NULL)
1987  {
1988  /* This works only for SSL 2. In later protocol
1989  * versions, the client does not know what other
1990  * ciphers (in addition to the one to be used
1991  * in the current connection) the server supports. */
1992 
1993  BIO_printf(bio,"---\nCiphers common between both SSL endpoints:\n");
1994  j=i=0;
1995  while (*p)
1996  {
1997  if (*p == ':')
1998  {
1999  BIO_write(bio,space,15-j%25);
2000  i++;
2001  j=0;
2002  BIO_write(bio,((i%3)?" ":"\n"),1);
2003  }
2004  else
2005  {
2006  BIO_write(bio,p,1);
2007  j++;
2008  }
2009  p++;
2010  }
2011  BIO_write(bio,"\n",1);
2012  }
2013 
2014  BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n",
2015  BIO_number_read(SSL_get_rbio(s)),
2016  BIO_number_written(SSL_get_wbio(s)));
2017  }
2018  BIO_printf(bio,(SSL_cache_hit(s)?"---\nReused, ":"---\nNew, "));
2019  c=SSL_get_current_cipher(s);
2020  BIO_printf(bio,"%s, Cipher is %s\n",
2021  SSL_CIPHER_get_version(c),
2022  SSL_CIPHER_get_name(c));
2023  if (peer != NULL) {
2024  EVP_PKEY *pktmp;
2025  pktmp = X509_get_pubkey(peer);
2026  BIO_printf(bio,"Server public key is %d bit\n",
2027  EVP_PKEY_bits(pktmp));
2028  EVP_PKEY_free(pktmp);
2029  }
2030  BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
2031  SSL_get_secure_renegotiation_support(s) ? "" : " NOT");
2032 #ifndef OPENSSL_NO_COMP
2033  comp=SSL_get_current_compression(s);
2034  expansion=SSL_get_current_expansion(s);
2035  BIO_printf(bio,"Compression: %s\n",
2036  comp ? SSL_COMP_get_name(comp) : "NONE");
2037  BIO_printf(bio,"Expansion: %s\n",
2038  expansion ? SSL_COMP_get_name(expansion) : "NONE");
2039 #endif
2040 
2041 #ifdef SSL_DEBUG
2042  {
2043  /* Print out local port of connection: useful for debugging */
2044  int sock;
2045  struct sockaddr_in ladd;
2046  socklen_t ladd_size = sizeof(ladd);
2047  sock = SSL_get_fd(s);
2048  getsockname(sock, (struct sockaddr *)&ladd, &ladd_size);
2049  BIO_printf(bio_c_out, "LOCAL PORT is %u\n", ntohs(ladd.sin_port));
2050  }
2051 #endif
2052 
2053 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
2054  if (next_proto.status != -1) {
2055  const unsigned char *proto;
2056  unsigned int proto_len;
2057  SSL_get0_next_proto_negotiated(s, &proto, &proto_len);
2058  BIO_printf(bio, "Next protocol: (%d) ", next_proto.status);
2059  BIO_write(bio, proto, proto_len);
2060  BIO_write(bio, "\n", 1);
2061  }
2062 #endif
2063 
2064  {
2065  SRTP_PROTECTION_PROFILE *srtp_profile=SSL_get_selected_srtp_profile(s);
2066 
2067  if(srtp_profile)
2068  BIO_printf(bio,"SRTP Extension negotiated, profile=%s\n",
2069  srtp_profile->name);
2070  }
2071 
2072  SSL_SESSION_print(bio,SSL_get_session(s));
2073  if (keymatexportlabel != NULL)
2074  {
2075  BIO_printf(bio, "Keying material exporter:\n");
2076  BIO_printf(bio, " Label: '%s'\n", keymatexportlabel);
2077  BIO_printf(bio, " Length: %i bytes\n", keymatexportlen);
2078  exportedkeymat = OPENSSL_malloc(keymatexportlen);
2079  if (exportedkeymat != NULL)
2080  {
2081  if (!SSL_export_keying_material(s, exportedkeymat,
2082  keymatexportlen,
2083  keymatexportlabel,
2084  strlen(keymatexportlabel),
2085  NULL, 0, 0))
2086  {
2087  BIO_printf(bio, " Error\n");
2088  }
2089  else
2090  {
2091  BIO_printf(bio, " Keying material: ");
2092  for (i=0; i<keymatexportlen; i++)
2093  BIO_printf(bio, "%02X",
2094  exportedkeymat[i]);
2095  BIO_printf(bio, "\n");
2096  }
2097  OPENSSL_free(exportedkeymat);
2098  }
2099  }
2100  BIO_printf(bio,"---\n");
2101  if (peer != NULL)
2102  X509_free(peer);
2103  /* flush, or debugging output gets mixed with http response */
2104  (void)BIO_flush(bio);
2105  }
2106 
2107 #ifndef OPENSSL_NO_TLSEXT
2108 
2109 static int ocsp_resp_cb(SSL *s, void *arg)
2110  {
2111  const unsigned char *p;
2112  int len;
2113  OCSP_RESPONSE *rsp;
2114  len = SSL_get_tlsext_status_ocsp_resp(s, &p);
2115  BIO_puts(arg, "OCSP response: ");
2116  if (!p)
2117  {
2118  BIO_puts(arg, "no response sent\n");
2119  return 1;
2120  }
2121  rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
2122  if (!rsp)
2123  {
2124  BIO_puts(arg, "response parse error\n");
2125  BIO_dump_indent(arg, (char *)p, len, 4);
2126  return 0;
2127  }
2128  BIO_puts(arg, "\n======================================\n");
2129  OCSP_RESPONSE_print(arg, rsp, 0);
2130  BIO_puts(arg, "======================================\n");
2131  OCSP_RESPONSE_free(rsp);
2132  return 1;
2133  }
2134 
2135 #endif
Generated on Thu Jan 10 2013 09:53:32 for OpenSSL by   doxygen 1.8.2