xref: /freebsd/crypto/openssl/apps/s_client.c (revision 0572ccaa4543b0abef8ef81e384c1d04de9f3da1)
1 /* apps/s_client.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  *
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  *
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  *
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  *
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  *
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer.
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111 /* ====================================================================
112  * Copyright 2005 Nokia. All rights reserved.
113  *
114  * The portions of the attached software ("Contribution") is developed by
115  * Nokia Corporation and is licensed pursuant to the OpenSSL open source
116  * license.
117  *
118  * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119  * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120  * support (see RFC 4279) to OpenSSL.
121  *
122  * No patent licenses or other rights except those expressly stated in
123  * the OpenSSL open source license shall be deemed granted or received
124  * expressly, by implication, estoppel, or otherwise.
125  *
126  * No assurances are provided by Nokia that the Contribution does not
127  * infringe the patent or other intellectual property rights of any third
128  * party or that the license provides you with all the necessary rights
129  * to make use of the Contribution.
130  *
131  * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132  * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133  * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134  * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
135  * OTHERWISE.
136  */
137 
138 #include <assert.h>
139 #include <ctype.h>
140 #include <stdio.h>
141 #include <stdlib.h>
142 #include <string.h>
143 #include <openssl/e_os2.h>
144 #ifdef OPENSSL_NO_STDIO
145 #define APPS_WIN16
146 #endif
147 
148 /* With IPv6, it looks like Digital has mixed up the proper order of
149    recursive header file inclusion, resulting in the compiler complaining
150    that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which
151    is needed to have fileno() declared correctly...  So let's define u_int */
152 #if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
153 #define __U_INT
154 typedef unsigned int u_int;
155 #endif
156 
157 #define USE_SOCKETS
158 #include "apps.h"
159 #include <openssl/x509.h>
160 #include <openssl/ssl.h>
161 #include <openssl/err.h>
162 #include <openssl/pem.h>
163 #include <openssl/rand.h>
164 #include <openssl/ocsp.h>
165 #include <openssl/bn.h>
166 #ifndef OPENSSL_NO_SRP
167 #include <openssl/srp.h>
168 #endif
169 #include "s_apps.h"
170 #include "timeouts.h"
171 
172 #if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
173 /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
174 #undef FIONBIO
175 #endif
176 
177 #if defined(OPENSSL_SYS_BEOS_R5)
178 #include <fcntl.h>
179 #endif
180 
181 #undef PROG
182 #define PROG	s_client_main
183 
184 /*#define SSL_HOST_NAME	"www.netscape.com" */
185 /*#define SSL_HOST_NAME	"193.118.187.102" */
186 #define SSL_HOST_NAME	"localhost"
187 
188 /*#define TEST_CERT "client.pem" */ /* no default cert. */
189 
190 #undef BUFSIZZ
191 #define BUFSIZZ 1024*8
192 
193 extern int verify_depth;
194 extern int verify_error;
195 extern int verify_return_error;
196 
197 #ifdef FIONBIO
198 static int c_nbio=0;
199 #endif
200 static int c_Pause=0;
201 static int c_debug=0;
202 #ifndef OPENSSL_NO_TLSEXT
203 static int c_tlsextdebug=0;
204 static int c_status_req=0;
205 #endif
206 static int c_msg=0;
207 static int c_showcerts=0;
208 
209 static char *keymatexportlabel=NULL;
210 static int keymatexportlen=20;
211 
212 static void sc_usage(void);
213 static void print_stuff(BIO *berr,SSL *con,int full);
214 #ifndef OPENSSL_NO_TLSEXT
215 static int ocsp_resp_cb(SSL *s, void *arg);
216 #endif
217 static BIO *bio_c_out=NULL;
218 static int c_quiet=0;
219 static int c_ign_eof=0;
220 
221 #ifndef OPENSSL_NO_PSK
222 /* Default PSK identity and key */
223 static char *psk_identity="Client_identity";
224 /*char *psk_key=NULL;  by default PSK is not used */
225 
226 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity,
227 	unsigned int max_identity_len, unsigned char *psk,
228 	unsigned int max_psk_len)
229 	{
230 	unsigned int psk_len = 0;
231 	int ret;
232         BIGNUM *bn=NULL;
233 
234 	if (c_debug)
235 		BIO_printf(bio_c_out, "psk_client_cb\n");
236 	if (!hint)
237                 {
238                 /* no ServerKeyExchange message*/
239 		if (c_debug)
240 			BIO_printf(bio_c_out,"NULL received PSK identity hint, continuing anyway\n");
241                 }
242         else if (c_debug)
243 		BIO_printf(bio_c_out, "Received PSK identity hint '%s'\n", hint);
244 
245 	/* lookup PSK identity and PSK key based on the given identity hint here */
246 	ret = BIO_snprintf(identity, max_identity_len, "%s", psk_identity);
247 	if (ret < 0 || (unsigned int)ret > max_identity_len)
248 		goto out_err;
249 	if (c_debug)
250 		BIO_printf(bio_c_out, "created identity '%s' len=%d\n", identity, ret);
251         ret=BN_hex2bn(&bn, psk_key);
252         if (!ret)
253                 {
254                 BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", psk_key);
255                 if (bn)
256                         BN_free(bn);
257                 return 0;
258                 }
259 
260         if ((unsigned int)BN_num_bytes(bn) > max_psk_len)
261                 {
262                 BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
263                         max_psk_len, BN_num_bytes(bn));
264                 BN_free(bn);
265                 return 0;
266                 }
267 
268         psk_len=BN_bn2bin(bn, psk);
269         BN_free(bn);
270         if (psk_len == 0)
271                 goto out_err;
272 
273 	if (c_debug)
274 		BIO_printf(bio_c_out, "created PSK len=%d\n", psk_len);
275 
276         return psk_len;
277  out_err:
278 	if (c_debug)
279 		BIO_printf(bio_err, "Error in PSK client callback\n");
280         return 0;
281 	}
282 #endif
283 
284 static void sc_usage(void)
285 	{
286 	BIO_printf(bio_err,"usage: s_client args\n");
287 	BIO_printf(bio_err,"\n");
288 	BIO_printf(bio_err," -host host     - use -connect instead\n");
289 	BIO_printf(bio_err," -port port     - use -connect instead\n");
290 	BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR);
291 
292 	BIO_printf(bio_err," -verify arg   - turn on peer certificate verification\n");
293 	BIO_printf(bio_err," -cert arg     - certificate file to use, PEM format assumed\n");
294 	BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n");
295 	BIO_printf(bio_err," -key arg      - Private key file to use, in cert file if\n");
296 	BIO_printf(bio_err,"                 not specified but cert file is.\n");
297 	BIO_printf(bio_err," -keyform arg  - key format (PEM or DER) PEM default\n");
298 	BIO_printf(bio_err," -pass arg     - private key file pass phrase source\n");
299 	BIO_printf(bio_err," -CApath arg   - PEM format directory of CA's\n");
300 	BIO_printf(bio_err," -CAfile arg   - PEM format file of CA's\n");
301 	BIO_printf(bio_err," -reconnect    - Drop and re-make the connection with the same Session-ID\n");
302 	BIO_printf(bio_err," -pause        - sleep(1) after each read(2) and write(2) system call\n");
303 	BIO_printf(bio_err," -showcerts    - show all certificates in the chain\n");
304 	BIO_printf(bio_err," -debug        - extra output\n");
305 #ifdef WATT32
306 	BIO_printf(bio_err," -wdebug       - WATT-32 tcp debugging\n");
307 #endif
308 	BIO_printf(bio_err," -msg          - Show protocol messages\n");
309 	BIO_printf(bio_err," -nbio_test    - more ssl protocol testing\n");
310 	BIO_printf(bio_err," -state        - print the 'ssl' states\n");
311 #ifdef FIONBIO
312 	BIO_printf(bio_err," -nbio         - Run with non-blocking IO\n");
313 #endif
314 	BIO_printf(bio_err," -crlf         - convert LF from terminal into CRLF\n");
315 	BIO_printf(bio_err," -quiet        - no s_client output\n");
316 	BIO_printf(bio_err," -ign_eof      - ignore input eof (default when -quiet)\n");
317 	BIO_printf(bio_err," -no_ign_eof   - don't ignore input eof\n");
318 #ifndef OPENSSL_NO_PSK
319 	BIO_printf(bio_err," -psk_identity arg - PSK identity\n");
320 	BIO_printf(bio_err," -psk arg      - PSK in hex (without 0x)\n");
321 # ifndef OPENSSL_NO_JPAKE
322 	BIO_printf(bio_err," -jpake arg    - JPAKE secret to use\n");
323 # endif
324 #endif
325 #ifndef OPENSSL_NO_SRP
326 	BIO_printf(bio_err," -srpuser user     - SRP authentification for 'user'\n");
327 	BIO_printf(bio_err," -srppass arg      - password for 'user'\n");
328 	BIO_printf(bio_err," -srp_lateuser     - SRP username into second ClientHello message\n");
329 	BIO_printf(bio_err," -srp_moregroups   - Tolerate other than the known g N values.\n");
330 	BIO_printf(bio_err," -srp_strength int - minimal mength in bits for N (default %d).\n",SRP_MINIMAL_N);
331 #endif
332 	BIO_printf(bio_err," -ssl2         - just use SSLv2\n");
333 	BIO_printf(bio_err," -ssl3         - just use SSLv3\n");
334 	BIO_printf(bio_err," -tls1_2       - just use TLSv1.2\n");
335 	BIO_printf(bio_err," -tls1_1       - just use TLSv1.1\n");
336 	BIO_printf(bio_err," -tls1         - just use TLSv1\n");
337 	BIO_printf(bio_err," -dtls1        - just use DTLSv1\n");
338 	BIO_printf(bio_err," -mtu          - set the link layer MTU\n");
339 	BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
340 	BIO_printf(bio_err," -bugs         - Switch on all SSL implementation bug workarounds\n");
341 	BIO_printf(bio_err," -serverpref   - Use server's cipher preferences (only SSLv2)\n");
342 	BIO_printf(bio_err," -cipher       - preferred cipher to use, use the 'openssl ciphers'\n");
343 	BIO_printf(bio_err,"                 command to see what is available\n");
344 	BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n");
345 	BIO_printf(bio_err,"                 for those protocols that support it, where\n");
346 	BIO_printf(bio_err,"                 'prot' defines which one to assume.  Currently,\n");
347 	BIO_printf(bio_err,"                 only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
348 	BIO_printf(bio_err,"                 are supported.\n");
349 #ifndef OPENSSL_NO_ENGINE
350 	BIO_printf(bio_err," -engine id    - Initialise and use the specified engine\n");
351 #endif
352 	BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
353 	BIO_printf(bio_err," -sess_out arg - file to write SSL session to\n");
354 	BIO_printf(bio_err," -sess_in arg  - file to read SSL session from\n");
355 #ifndef OPENSSL_NO_TLSEXT
356 	BIO_printf(bio_err," -servername host  - Set TLS extension servername in ClientHello\n");
357 	BIO_printf(bio_err," -tlsextdebug      - hex dump of all TLS extensions received\n");
358 	BIO_printf(bio_err," -status           - request certificate status from server\n");
359 	BIO_printf(bio_err," -no_ticket        - disable use of RFC4507bis session tickets\n");
360 # ifndef OPENSSL_NO_NEXTPROTONEG
361 	BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
362 # endif
363 #endif
364 	BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
365 #ifndef OPENSSL_NO_SRTP
366 	BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
367 #endif
368  	BIO_printf(bio_err," -keymatexport label   - Export keying material using label\n");
369  	BIO_printf(bio_err," -keymatexportlen len  - Export len bytes of keying material (default 20)\n");
370 	}
371 
372 #ifndef OPENSSL_NO_TLSEXT
373 
374 /* This is a context that we pass to callbacks */
375 typedef struct tlsextctx_st {
376    BIO * biodebug;
377    int ack;
378 } tlsextctx;
379 
380 
381 static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
382 	{
383 	tlsextctx * p = (tlsextctx *) arg;
384 	const char * hn= SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
385 	if (SSL_get_servername_type(s) != -1)
386  	        p->ack = !SSL_session_reused(s) && hn != NULL;
387 	else
388 		BIO_printf(bio_err,"Can't use SSL_get_servername\n");
389 
390 	return SSL_TLSEXT_ERR_OK;
391 	}
392 
393 #ifndef OPENSSL_NO_SRP
394 
395 /* This is a context that we pass to all callbacks */
396 typedef struct srp_arg_st
397 	{
398 	char *srppassin;
399 	char *srplogin;
400 	int msg;   /* copy from c_msg */
401 	int debug; /* copy from c_debug */
402 	int amp;   /* allow more groups */
403 	int strength /* minimal size for N */ ;
404 	} SRP_ARG;
405 
406 #define SRP_NUMBER_ITERATIONS_FOR_PRIME 64
407 
408 static int srp_Verify_N_and_g(BIGNUM *N, BIGNUM *g)
409 	{
410 	BN_CTX *bn_ctx = BN_CTX_new();
411 	BIGNUM *p = BN_new();
412 	BIGNUM *r = BN_new();
413 	int ret =
414 		g != NULL && N != NULL && bn_ctx != NULL && BN_is_odd(N) &&
415 		BN_is_prime_ex(N, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
416 		p != NULL && BN_rshift1(p, N) &&
417 
418 		/* p = (N-1)/2 */
419 		BN_is_prime_ex(p, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
420 		r != NULL &&
421 
422 		/* verify g^((N-1)/2) == -1 (mod N) */
423 		BN_mod_exp(r, g, p, N, bn_ctx) &&
424 		BN_add_word(r, 1) &&
425 		BN_cmp(r, N) == 0;
426 
427 	if(r)
428 		BN_free(r);
429 	if(p)
430 		BN_free(p);
431 	if(bn_ctx)
432 		BN_CTX_free(bn_ctx);
433 	return ret;
434 	}
435 
436 /* This callback is used here for two purposes:
437    - extended debugging
438    - making some primality tests for unknown groups
439    The callback is only called for a non default group.
440 
441    An application does not need the call back at all if
442    only the stanard groups are used.  In real life situations,
443    client and server already share well known groups,
444    thus there is no need to verify them.
445    Furthermore, in case that a server actually proposes a group that
446    is not one of those defined in RFC 5054, it is more appropriate
447    to add the group to a static list and then compare since
448    primality tests are rather cpu consuming.
449 */
450 
451 static int MS_CALLBACK ssl_srp_verify_param_cb(SSL *s, void *arg)
452 	{
453 	SRP_ARG *srp_arg = (SRP_ARG *)arg;
454 	BIGNUM *N = NULL, *g = NULL;
455 	if (!(N = SSL_get_srp_N(s)) || !(g = SSL_get_srp_g(s)))
456 		return 0;
457 	if (srp_arg->debug || srp_arg->msg || srp_arg->amp == 1)
458 		{
459     		BIO_printf(bio_err, "SRP parameters:\n");
460 		BIO_printf(bio_err,"\tN="); BN_print(bio_err,N);
461 		BIO_printf(bio_err,"\n\tg="); BN_print(bio_err,g);
462 		BIO_printf(bio_err,"\n");
463 		}
464 
465 	if (SRP_check_known_gN_param(g,N))
466 		return 1;
467 
468 	if (srp_arg->amp == 1)
469 		{
470 		if (srp_arg->debug)
471 			BIO_printf(bio_err, "SRP param N and g are not known params, going to check deeper.\n");
472 
473 /* The srp_moregroups is a real debugging feature.
474    Implementors should rather add the value to the known ones.
475    The minimal size has already been tested.
476 */
477 		if (BN_num_bits(g) <= BN_BITS && srp_Verify_N_and_g(N,g))
478 			return 1;
479 		}
480 	BIO_printf(bio_err, "SRP param N and g rejected.\n");
481 	return 0;
482 	}
483 
484 #define PWD_STRLEN 1024
485 
486 static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
487 	{
488 	SRP_ARG *srp_arg = (SRP_ARG *)arg;
489 	char *pass = (char *)OPENSSL_malloc(PWD_STRLEN+1);
490 	PW_CB_DATA cb_tmp;
491 	int l;
492 
493 	cb_tmp.password = (char *)srp_arg->srppassin;
494 	cb_tmp.prompt_info = "SRP user";
495 	if ((l = password_callback(pass, PWD_STRLEN, 0, &cb_tmp))<0)
496 		{
497 		BIO_printf (bio_err, "Can't read Password\n");
498 		OPENSSL_free(pass);
499 		return NULL;
500 		}
501 	*(pass+l)= '\0';
502 
503 	return pass;
504 	}
505 
506 #endif
507 #ifndef OPENSSL_NO_SRTP
508 	char *srtp_profiles = NULL;
509 #endif
510 
511 # ifndef OPENSSL_NO_NEXTPROTONEG
512 /* This the context that we pass to next_proto_cb */
513 typedef struct tlsextnextprotoctx_st {
514 	unsigned char *data;
515 	unsigned short len;
516 	int status;
517 } tlsextnextprotoctx;
518 
519 static tlsextnextprotoctx next_proto;
520 
521 static int next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg)
522 	{
523 	tlsextnextprotoctx *ctx = arg;
524 
525 	if (!c_quiet)
526 		{
527 		/* We can assume that |in| is syntactically valid. */
528 		unsigned i;
529 		BIO_printf(bio_c_out, "Protocols advertised by server: ");
530 		for (i = 0; i < inlen; )
531 			{
532 			if (i)
533 				BIO_write(bio_c_out, ", ", 2);
534 			BIO_write(bio_c_out, &in[i + 1], in[i]);
535 			i += in[i] + 1;
536 			}
537 		BIO_write(bio_c_out, "\n", 1);
538 		}
539 
540 	ctx->status = SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len);
541 	return SSL_TLSEXT_ERR_OK;
542 	}
543 # endif  /* ndef OPENSSL_NO_NEXTPROTONEG */
544 #endif
545 
546 enum
547 {
548 	PROTO_OFF	= 0,
549 	PROTO_SMTP,
550 	PROTO_POP3,
551 	PROTO_IMAP,
552 	PROTO_FTP,
553 	PROTO_XMPP
554 };
555 
556 int MAIN(int, char **);
557 
558 int MAIN(int argc, char **argv)
559 	{
560 	unsigned int off=0, clr=0;
561 	SSL *con=NULL;
562 #ifndef OPENSSL_NO_KRB5
563 	KSSL_CTX *kctx;
564 #endif
565 	int s,k,width,state=0;
566 	char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL;
567 	int cbuf_len,cbuf_off;
568 	int sbuf_len,sbuf_off;
569 	fd_set readfds,writefds;
570 	short port=PORT;
571 	int full_log=1;
572 	char *host=SSL_HOST_NAME;
573 	char *cert_file=NULL,*key_file=NULL;
574 	int cert_format = FORMAT_PEM, key_format = FORMAT_PEM;
575 	char *passarg = NULL, *pass = NULL;
576 	X509 *cert = NULL;
577 	EVP_PKEY *key = NULL;
578 	char *CApath=NULL,*CAfile=NULL,*cipher=NULL;
579 	int reconnect=0,badop=0,verify=SSL_VERIFY_NONE,bugs=0;
580 	int crlf=0;
581 	int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending;
582 	SSL_CTX *ctx=NULL;
583 	int ret=1,in_init=1,i,nbio_test=0;
584 	int starttls_proto = PROTO_OFF;
585 	int prexit = 0;
586 	X509_VERIFY_PARAM *vpm = NULL;
587 	int badarg = 0;
588 	const SSL_METHOD *meth=NULL;
589 	int socket_type=SOCK_STREAM;
590 	BIO *sbio;
591 	char *inrand=NULL;
592 	int mbuf_len=0;
593 	struct timeval timeout, *timeoutp;
594 #ifndef OPENSSL_NO_ENGINE
595 	char *engine_id=NULL;
596 	char *ssl_client_engine_id=NULL;
597 	ENGINE *ssl_client_engine=NULL;
598 #endif
599 	ENGINE *e=NULL;
600 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
601 	struct timeval tv;
602 #if defined(OPENSSL_SYS_BEOS_R5)
603 	int stdin_set = 0;
604 #endif
605 #endif
606 #ifndef OPENSSL_NO_TLSEXT
607 	char *servername = NULL;
608         tlsextctx tlsextcbp =
609         {NULL,0};
610 # ifndef OPENSSL_NO_NEXTPROTONEG
611 	const char *next_proto_neg_in = NULL;
612 # endif
613 #endif
614 	char *sess_in = NULL;
615 	char *sess_out = NULL;
616 	struct sockaddr peer;
617 	int peerlen = sizeof(peer);
618 	int enable_timeouts = 0 ;
619 	long socket_mtu = 0;
620 #ifndef OPENSSL_NO_JPAKE
621 	char *jpake_secret = NULL;
622 #endif
623 #ifndef OPENSSL_NO_SRP
624 	char * srppass = NULL;
625 	int srp_lateuser = 0;
626 	SRP_ARG srp_arg = {NULL,NULL,0,0,0,1024};
627 #endif
628 
629 	meth=SSLv23_client_method();
630 
631 	apps_startup();
632 	c_Pause=0;
633 	c_quiet=0;
634 	c_ign_eof=0;
635 	c_debug=0;
636 	c_msg=0;
637 	c_showcerts=0;
638 
639 	if (bio_err == NULL)
640 		bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
641 
642 	if (!load_config(bio_err, NULL))
643 		goto end;
644 
645 	if (	((cbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
646 		((sbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
647 		((mbuf=OPENSSL_malloc(BUFSIZZ)) == NULL))
648 		{
649 		BIO_printf(bio_err,"out of memory\n");
650 		goto end;
651 		}
652 
653 	verify_depth=0;
654 	verify_error=X509_V_OK;
655 #ifdef FIONBIO
656 	c_nbio=0;
657 #endif
658 
659 	argc--;
660 	argv++;
661 	while (argc >= 1)
662 		{
663 		if	(strcmp(*argv,"-host") == 0)
664 			{
665 			if (--argc < 1) goto bad;
666 			host= *(++argv);
667 			}
668 		else if	(strcmp(*argv,"-port") == 0)
669 			{
670 			if (--argc < 1) goto bad;
671 			port=atoi(*(++argv));
672 			if (port == 0) goto bad;
673 			}
674 		else if (strcmp(*argv,"-connect") == 0)
675 			{
676 			if (--argc < 1) goto bad;
677 			if (!extract_host_port(*(++argv),&host,NULL,&port))
678 				goto bad;
679 			}
680 		else if	(strcmp(*argv,"-verify") == 0)
681 			{
682 			verify=SSL_VERIFY_PEER;
683 			if (--argc < 1) goto bad;
684 			verify_depth=atoi(*(++argv));
685 			BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
686 			}
687 		else if	(strcmp(*argv,"-cert") == 0)
688 			{
689 			if (--argc < 1) goto bad;
690 			cert_file= *(++argv);
691 			}
692 		else if	(strcmp(*argv,"-sess_out") == 0)
693 			{
694 			if (--argc < 1) goto bad;
695 			sess_out = *(++argv);
696 			}
697 		else if	(strcmp(*argv,"-sess_in") == 0)
698 			{
699 			if (--argc < 1) goto bad;
700 			sess_in = *(++argv);
701 			}
702 		else if	(strcmp(*argv,"-certform") == 0)
703 			{
704 			if (--argc < 1) goto bad;
705 			cert_format = str2fmt(*(++argv));
706 			}
707 		else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
708 			{
709 			if (badarg)
710 				goto bad;
711 			continue;
712 			}
713 		else if (strcmp(*argv,"-verify_return_error") == 0)
714 			verify_return_error = 1;
715 		else if	(strcmp(*argv,"-prexit") == 0)
716 			prexit=1;
717 		else if	(strcmp(*argv,"-crlf") == 0)
718 			crlf=1;
719 		else if	(strcmp(*argv,"-quiet") == 0)
720 			{
721 			c_quiet=1;
722 			c_ign_eof=1;
723 			}
724 		else if	(strcmp(*argv,"-ign_eof") == 0)
725 			c_ign_eof=1;
726 		else if	(strcmp(*argv,"-no_ign_eof") == 0)
727 			c_ign_eof=0;
728 		else if	(strcmp(*argv,"-pause") == 0)
729 			c_Pause=1;
730 		else if	(strcmp(*argv,"-debug") == 0)
731 			c_debug=1;
732 #ifndef OPENSSL_NO_TLSEXT
733 		else if	(strcmp(*argv,"-tlsextdebug") == 0)
734 			c_tlsextdebug=1;
735 		else if	(strcmp(*argv,"-status") == 0)
736 			c_status_req=1;
737 #endif
738 #ifdef WATT32
739 		else if (strcmp(*argv,"-wdebug") == 0)
740 			dbug_init();
741 #endif
742 		else if	(strcmp(*argv,"-msg") == 0)
743 			c_msg=1;
744 		else if	(strcmp(*argv,"-showcerts") == 0)
745 			c_showcerts=1;
746 		else if	(strcmp(*argv,"-nbio_test") == 0)
747 			nbio_test=1;
748 		else if	(strcmp(*argv,"-state") == 0)
749 			state=1;
750 #ifndef OPENSSL_NO_PSK
751                 else if (strcmp(*argv,"-psk_identity") == 0)
752 			{
753 			if (--argc < 1) goto bad;
754 			psk_identity=*(++argv);
755 			}
756                 else if (strcmp(*argv,"-psk") == 0)
757 			{
758                         size_t j;
759 
760 			if (--argc < 1) goto bad;
761 			psk_key=*(++argv);
762 			for (j = 0; j < strlen(psk_key); j++)
763                                 {
764                                 if (isxdigit((unsigned char)psk_key[j]))
765                                         continue;
766                                 BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
767                                 goto bad;
768                                 }
769 			}
770 #endif
771 #ifndef OPENSSL_NO_SRP
772 		else if (strcmp(*argv,"-srpuser") == 0)
773 			{
774 			if (--argc < 1) goto bad;
775 			srp_arg.srplogin= *(++argv);
776 			meth=TLSv1_client_method();
777 			}
778 		else if (strcmp(*argv,"-srppass") == 0)
779 			{
780 			if (--argc < 1) goto bad;
781 			srppass= *(++argv);
782 			meth=TLSv1_client_method();
783 			}
784 		else if (strcmp(*argv,"-srp_strength") == 0)
785 			{
786 			if (--argc < 1) goto bad;
787 			srp_arg.strength=atoi(*(++argv));
788 			BIO_printf(bio_err,"SRP minimal length for N is %d\n",srp_arg.strength);
789 			meth=TLSv1_client_method();
790 			}
791 		else if (strcmp(*argv,"-srp_lateuser") == 0)
792 			{
793 			srp_lateuser= 1;
794 			meth=TLSv1_client_method();
795 			}
796 		else if	(strcmp(*argv,"-srp_moregroups") == 0)
797 			{
798 			srp_arg.amp=1;
799 			meth=TLSv1_client_method();
800 			}
801 #endif
802 #ifndef OPENSSL_NO_SSL2
803 		else if	(strcmp(*argv,"-ssl2") == 0)
804 			meth=SSLv2_client_method();
805 #endif
806 #ifndef OPENSSL_NO_SSL3
807 		else if	(strcmp(*argv,"-ssl3") == 0)
808 			meth=SSLv3_client_method();
809 #endif
810 #ifndef OPENSSL_NO_TLS1
811 		else if	(strcmp(*argv,"-tls1_2") == 0)
812 			meth=TLSv1_2_client_method();
813 		else if	(strcmp(*argv,"-tls1_1") == 0)
814 			meth=TLSv1_1_client_method();
815 		else if	(strcmp(*argv,"-tls1") == 0)
816 			meth=TLSv1_client_method();
817 #endif
818 #ifndef OPENSSL_NO_DTLS1
819 		else if	(strcmp(*argv,"-dtls1") == 0)
820 			{
821 			meth=DTLSv1_client_method();
822 			socket_type=SOCK_DGRAM;
823 			}
824 		else if (strcmp(*argv,"-timeout") == 0)
825 			enable_timeouts=1;
826 		else if (strcmp(*argv,"-mtu") == 0)
827 			{
828 			if (--argc < 1) goto bad;
829 			socket_mtu = atol(*(++argv));
830 			}
831 #endif
832 		else if (strcmp(*argv,"-bugs") == 0)
833 			bugs=1;
834 		else if	(strcmp(*argv,"-keyform") == 0)
835 			{
836 			if (--argc < 1) goto bad;
837 			key_format = str2fmt(*(++argv));
838 			}
839 		else if	(strcmp(*argv,"-pass") == 0)
840 			{
841 			if (--argc < 1) goto bad;
842 			passarg = *(++argv);
843 			}
844 		else if	(strcmp(*argv,"-key") == 0)
845 			{
846 			if (--argc < 1) goto bad;
847 			key_file= *(++argv);
848 			}
849 		else if	(strcmp(*argv,"-reconnect") == 0)
850 			{
851 			reconnect=5;
852 			}
853 		else if	(strcmp(*argv,"-CApath") == 0)
854 			{
855 			if (--argc < 1) goto bad;
856 			CApath= *(++argv);
857 			}
858 		else if	(strcmp(*argv,"-CAfile") == 0)
859 			{
860 			if (--argc < 1) goto bad;
861 			CAfile= *(++argv);
862 			}
863 		else if (strcmp(*argv,"-no_tls1_2") == 0)
864 			off|=SSL_OP_NO_TLSv1_2;
865 		else if (strcmp(*argv,"-no_tls1_1") == 0)
866 			off|=SSL_OP_NO_TLSv1_1;
867 		else if (strcmp(*argv,"-no_tls1") == 0)
868 			off|=SSL_OP_NO_TLSv1;
869 		else if (strcmp(*argv,"-no_ssl3") == 0)
870 			off|=SSL_OP_NO_SSLv3;
871 		else if (strcmp(*argv,"-no_ssl2") == 0)
872 			off|=SSL_OP_NO_SSLv2;
873 		else if	(strcmp(*argv,"-no_comp") == 0)
874 			{ off|=SSL_OP_NO_COMPRESSION; }
875 #ifndef OPENSSL_NO_TLSEXT
876 		else if	(strcmp(*argv,"-no_ticket") == 0)
877 			{ off|=SSL_OP_NO_TICKET; }
878 # ifndef OPENSSL_NO_NEXTPROTONEG
879 		else if (strcmp(*argv,"-nextprotoneg") == 0)
880 			{
881 			if (--argc < 1) goto bad;
882 			next_proto_neg_in = *(++argv);
883 			}
884 # endif
885 #endif
886 		else if (strcmp(*argv,"-serverpref") == 0)
887 			off|=SSL_OP_CIPHER_SERVER_PREFERENCE;
888 		else if (strcmp(*argv,"-legacy_renegotiation") == 0)
889 			off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
890 		else if	(strcmp(*argv,"-legacy_server_connect") == 0)
891 			{ off|=SSL_OP_LEGACY_SERVER_CONNECT; }
892 		else if	(strcmp(*argv,"-no_legacy_server_connect") == 0)
893 			{ clr|=SSL_OP_LEGACY_SERVER_CONNECT; }
894 		else if	(strcmp(*argv,"-cipher") == 0)
895 			{
896 			if (--argc < 1) goto bad;
897 			cipher= *(++argv);
898 			}
899 #ifdef FIONBIO
900 		else if (strcmp(*argv,"-nbio") == 0)
901 			{ c_nbio=1; }
902 #endif
903 		else if	(strcmp(*argv,"-starttls") == 0)
904 			{
905 			if (--argc < 1) goto bad;
906 			++argv;
907 			if (strcmp(*argv,"smtp") == 0)
908 				starttls_proto = PROTO_SMTP;
909 			else if (strcmp(*argv,"pop3") == 0)
910 				starttls_proto = PROTO_POP3;
911 			else if (strcmp(*argv,"imap") == 0)
912 				starttls_proto = PROTO_IMAP;
913 			else if (strcmp(*argv,"ftp") == 0)
914 				starttls_proto = PROTO_FTP;
915 			else if (strcmp(*argv, "xmpp") == 0)
916 				starttls_proto = PROTO_XMPP;
917 			else
918 				goto bad;
919 			}
920 #ifndef OPENSSL_NO_ENGINE
921 		else if	(strcmp(*argv,"-engine") == 0)
922 			{
923 			if (--argc < 1) goto bad;
924 			engine_id = *(++argv);
925 			}
926 		else if	(strcmp(*argv,"-ssl_client_engine") == 0)
927 			{
928 			if (--argc < 1) goto bad;
929 			ssl_client_engine_id = *(++argv);
930 			}
931 #endif
932 		else if (strcmp(*argv,"-rand") == 0)
933 			{
934 			if (--argc < 1) goto bad;
935 			inrand= *(++argv);
936 			}
937 #ifndef OPENSSL_NO_TLSEXT
938 		else if (strcmp(*argv,"-servername") == 0)
939 			{
940 			if (--argc < 1) goto bad;
941 			servername= *(++argv);
942 			/* meth=TLSv1_client_method(); */
943 			}
944 #endif
945 #ifndef OPENSSL_NO_JPAKE
946 		else if (strcmp(*argv,"-jpake") == 0)
947 			{
948 			if (--argc < 1) goto bad;
949 			jpake_secret = *++argv;
950 			}
951 #endif
952 #ifndef OPENSSL_NO_SRTP
953 		else if (strcmp(*argv,"-use_srtp") == 0)
954 			{
955 			if (--argc < 1) goto bad;
956 			srtp_profiles = *(++argv);
957 			}
958 #endif
959 		else if (strcmp(*argv,"-keymatexport") == 0)
960 			{
961 			if (--argc < 1) goto bad;
962 			keymatexportlabel= *(++argv);
963 			}
964 		else if (strcmp(*argv,"-keymatexportlen") == 0)
965 			{
966 			if (--argc < 1) goto bad;
967 			keymatexportlen=atoi(*(++argv));
968 			if (keymatexportlen == 0) goto bad;
969 			}
970                 else
971 			{
972 			BIO_printf(bio_err,"unknown option %s\n",*argv);
973 			badop=1;
974 			break;
975 			}
976 		argc--;
977 		argv++;
978 		}
979 	if (badop)
980 		{
981 bad:
982 		sc_usage();
983 		goto end;
984 		}
985 
986 #if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
987 	if (jpake_secret)
988 		{
989 		if (psk_key)
990 			{
991 			BIO_printf(bio_err,
992 				   "Can't use JPAKE and PSK together\n");
993 			goto end;
994 			}
995 		psk_identity = "JPAKE";
996 		if (cipher)
997 			{
998 			BIO_printf(bio_err, "JPAKE sets cipher to PSK\n");
999 			goto end;
1000 			}
1001 		cipher = "PSK";
1002 		}
1003 #endif
1004 
1005 	OpenSSL_add_ssl_algorithms();
1006 	SSL_load_error_strings();
1007 
1008 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
1009 	next_proto.status = -1;
1010 	if (next_proto_neg_in)
1011 		{
1012 		next_proto.data = next_protos_parse(&next_proto.len, next_proto_neg_in);
1013 		if (next_proto.data == NULL)
1014 			{
1015 			BIO_printf(bio_err, "Error parsing -nextprotoneg argument\n");
1016 			goto end;
1017 			}
1018 		}
1019 	else
1020 		next_proto.data = NULL;
1021 #endif
1022 
1023 #ifndef OPENSSL_NO_ENGINE
1024         e = setup_engine(bio_err, engine_id, 1);
1025 	if (ssl_client_engine_id)
1026 		{
1027 		ssl_client_engine = ENGINE_by_id(ssl_client_engine_id);
1028 		if (!ssl_client_engine)
1029 			{
1030 			BIO_printf(bio_err,
1031 					"Error getting client auth engine\n");
1032 			goto end;
1033 			}
1034 		}
1035 
1036 #endif
1037 	if (!app_passwd(bio_err, passarg, NULL, &pass, NULL))
1038 		{
1039 		BIO_printf(bio_err, "Error getting password\n");
1040 		goto end;
1041 		}
1042 
1043 	if (key_file == NULL)
1044 		key_file = cert_file;
1045 
1046 
1047 	if (key_file)
1048 
1049 		{
1050 
1051 		key = load_key(bio_err, key_file, key_format, 0, pass, e,
1052 			       "client certificate private key file");
1053 		if (!key)
1054 			{
1055 			ERR_print_errors(bio_err);
1056 			goto end;
1057 			}
1058 
1059 		}
1060 
1061 	if (cert_file)
1062 
1063 		{
1064 		cert = load_cert(bio_err,cert_file,cert_format,
1065 				NULL, e, "client certificate file");
1066 
1067 		if (!cert)
1068 			{
1069 			ERR_print_errors(bio_err);
1070 			goto end;
1071 			}
1072 		}
1073 
1074 	if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
1075 		&& !RAND_status())
1076 		{
1077 		BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
1078 		}
1079 	if (inrand != NULL)
1080 		BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
1081 			app_RAND_load_files(inrand));
1082 
1083 	if (bio_c_out == NULL)
1084 		{
1085 		if (c_quiet && !c_debug && !c_msg)
1086 			{
1087 			bio_c_out=BIO_new(BIO_s_null());
1088 			}
1089 		else
1090 			{
1091 			if (bio_c_out == NULL)
1092 				bio_c_out=BIO_new_fp(stdout,BIO_NOCLOSE);
1093 			}
1094 		}
1095 
1096 #ifndef OPENSSL_NO_SRP
1097 	if(!app_passwd(bio_err, srppass, NULL, &srp_arg.srppassin, NULL))
1098 		{
1099 		BIO_printf(bio_err, "Error getting password\n");
1100 		goto end;
1101 		}
1102 #endif
1103 
1104 	ctx=SSL_CTX_new(meth);
1105 	if (ctx == NULL)
1106 		{
1107 		ERR_print_errors(bio_err);
1108 		goto end;
1109 		}
1110 
1111 	if (vpm)
1112 		SSL_CTX_set1_param(ctx, vpm);
1113 
1114 #ifndef OPENSSL_NO_ENGINE
1115 	if (ssl_client_engine)
1116 		{
1117 		if (!SSL_CTX_set_client_cert_engine(ctx, ssl_client_engine))
1118 			{
1119 			BIO_puts(bio_err, "Error setting client auth engine\n");
1120 			ERR_print_errors(bio_err);
1121 			ENGINE_free(ssl_client_engine);
1122 			goto end;
1123 			}
1124 		ENGINE_free(ssl_client_engine);
1125 		}
1126 #endif
1127 
1128 #ifndef OPENSSL_NO_PSK
1129 #ifdef OPENSSL_NO_JPAKE
1130 	if (psk_key != NULL)
1131 #else
1132 	if (psk_key != NULL || jpake_secret)
1133 #endif
1134 		{
1135 		if (c_debug)
1136 			BIO_printf(bio_c_out, "PSK key given or JPAKE in use, setting client callback\n");
1137 		SSL_CTX_set_psk_client_callback(ctx, psk_client_cb);
1138 		}
1139 #endif
1140 #ifndef OPENSSL_NO_SRTP
1141 	if (srtp_profiles != NULL)
1142 		SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles);
1143 #endif
1144 	if (bugs)
1145 		SSL_CTX_set_options(ctx,SSL_OP_ALL|off);
1146 	else
1147 		SSL_CTX_set_options(ctx,off);
1148 
1149 	if (clr)
1150 		SSL_CTX_clear_options(ctx, clr);
1151 	/* DTLS: partial reads end up discarding unread UDP bytes :-(
1152 	 * Setting read ahead solves this problem.
1153 	 */
1154 	if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
1155 
1156 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
1157 	if (next_proto.data)
1158 		SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);
1159 #endif
1160 
1161 	if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
1162 	if (cipher != NULL)
1163 		if(!SSL_CTX_set_cipher_list(ctx,cipher)) {
1164 		BIO_printf(bio_err,"error setting cipher list\n");
1165 		ERR_print_errors(bio_err);
1166 		goto end;
1167 	}
1168 #if 0
1169 	else
1170 		SSL_CTX_set_cipher_list(ctx,getenv("SSL_CIPHER"));
1171 #endif
1172 
1173 	SSL_CTX_set_verify(ctx,verify,verify_callback);
1174 	if (!set_cert_key_stuff(ctx,cert,key))
1175 		goto end;
1176 
1177 	if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
1178 		(!SSL_CTX_set_default_verify_paths(ctx)))
1179 		{
1180 		/* BIO_printf(bio_err,"error setting default verify locations\n"); */
1181 		ERR_print_errors(bio_err);
1182 		/* goto end; */
1183 		}
1184 
1185 #ifndef OPENSSL_NO_TLSEXT
1186 	if (servername != NULL)
1187 		{
1188 		tlsextcbp.biodebug = bio_err;
1189 		SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
1190 		SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
1191 		}
1192 #ifndef OPENSSL_NO_SRP
1193         if (srp_arg.srplogin)
1194 		{
1195 		if (!srp_lateuser && !SSL_CTX_set_srp_username(ctx, srp_arg.srplogin))
1196 			{
1197 			BIO_printf(bio_err,"Unable to set SRP username\n");
1198 			goto end;
1199 			}
1200 		srp_arg.msg = c_msg;
1201 		srp_arg.debug = c_debug ;
1202 		SSL_CTX_set_srp_cb_arg(ctx,&srp_arg);
1203 		SSL_CTX_set_srp_client_pwd_callback(ctx, ssl_give_srp_client_pwd_cb);
1204 		SSL_CTX_set_srp_strength(ctx, srp_arg.strength);
1205 		if (c_msg || c_debug || srp_arg.amp == 0)
1206 			SSL_CTX_set_srp_verify_param_callback(ctx, ssl_srp_verify_param_cb);
1207 		}
1208 
1209 #endif
1210 #endif
1211 
1212 	con=SSL_new(ctx);
1213 	if (sess_in)
1214 		{
1215 		SSL_SESSION *sess;
1216 		BIO *stmp = BIO_new_file(sess_in, "r");
1217 		if (!stmp)
1218 			{
1219 			BIO_printf(bio_err, "Can't open session file %s\n",
1220 						sess_in);
1221 			ERR_print_errors(bio_err);
1222 			goto end;
1223 			}
1224 		sess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL);
1225 		BIO_free(stmp);
1226 		if (!sess)
1227 			{
1228 			BIO_printf(bio_err, "Can't open session file %s\n",
1229 						sess_in);
1230 			ERR_print_errors(bio_err);
1231 			goto end;
1232 			}
1233 		SSL_set_session(con, sess);
1234 		SSL_SESSION_free(sess);
1235 		}
1236 #ifndef OPENSSL_NO_TLSEXT
1237 	if (servername != NULL)
1238 		{
1239 		if (!SSL_set_tlsext_host_name(con,servername))
1240 			{
1241 			BIO_printf(bio_err,"Unable to set TLS servername extension.\n");
1242 			ERR_print_errors(bio_err);
1243 			goto end;
1244 			}
1245 		}
1246 #endif
1247 #ifndef OPENSSL_NO_KRB5
1248 	if (con  &&  (kctx = kssl_ctx_new()) != NULL)
1249                 {
1250 		SSL_set0_kssl_ctx(con, kctx);
1251                 kssl_ctx_setstring(kctx, KSSL_SERVER, host);
1252 		}
1253 #endif	/* OPENSSL_NO_KRB5  */
1254 /*	SSL_set_cipher_list(con,"RC4-MD5"); */
1255 #if 0
1256 #ifdef TLSEXT_TYPE_opaque_prf_input
1257 	SSL_set_tlsext_opaque_prf_input(con, "Test client", 11);
1258 #endif
1259 #endif
1260 
1261 re_start:
1262 
1263 	if (init_client(&s,host,port,socket_type) == 0)
1264 		{
1265 		BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
1266 		SHUTDOWN(s);
1267 		goto end;
1268 		}
1269 	BIO_printf(bio_c_out,"CONNECTED(%08X)\n",s);
1270 
1271 #ifdef FIONBIO
1272 	if (c_nbio)
1273 		{
1274 		unsigned long l=1;
1275 		BIO_printf(bio_c_out,"turning on non blocking io\n");
1276 		if (BIO_socket_ioctl(s,FIONBIO,&l) < 0)
1277 			{
1278 			ERR_print_errors(bio_err);
1279 			goto end;
1280 			}
1281 		}
1282 #endif
1283 	if (c_Pause & 0x01) SSL_set_debug(con, 1);
1284 
1285 	if ( SSL_version(con) == DTLS1_VERSION)
1286 		{
1287 
1288 		sbio=BIO_new_dgram(s,BIO_NOCLOSE);
1289 		if (getsockname(s, &peer, (void *)&peerlen) < 0)
1290 			{
1291 			BIO_printf(bio_err, "getsockname:errno=%d\n",
1292 				get_last_socket_error());
1293 			SHUTDOWN(s);
1294 			goto end;
1295 			}
1296 
1297 		(void)BIO_ctrl_set_connected(sbio, 1, &peer);
1298 
1299 		if (enable_timeouts)
1300 			{
1301 			timeout.tv_sec = 0;
1302 			timeout.tv_usec = DGRAM_RCV_TIMEOUT;
1303 			BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
1304 
1305 			timeout.tv_sec = 0;
1306 			timeout.tv_usec = DGRAM_SND_TIMEOUT;
1307 			BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
1308 			}
1309 
1310 		if (socket_mtu > 28)
1311 			{
1312 			SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
1313 			SSL_set_mtu(con, socket_mtu - 28);
1314 			}
1315 		else
1316 			/* want to do MTU discovery */
1317 			BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
1318 		}
1319 	else
1320 		sbio=BIO_new_socket(s,BIO_NOCLOSE);
1321 
1322 	if (nbio_test)
1323 		{
1324 		BIO *test;
1325 
1326 		test=BIO_new(BIO_f_nbio_test());
1327 		sbio=BIO_push(test,sbio);
1328 		}
1329 
1330 	if (c_debug)
1331 		{
1332 		SSL_set_debug(con, 1);
1333 		BIO_set_callback(sbio,bio_dump_callback);
1334 		BIO_set_callback_arg(sbio,(char *)bio_c_out);
1335 		}
1336 	if (c_msg)
1337 		{
1338 		SSL_set_msg_callback(con, msg_cb);
1339 		SSL_set_msg_callback_arg(con, bio_c_out);
1340 		}
1341 #ifndef OPENSSL_NO_TLSEXT
1342 	if (c_tlsextdebug)
1343 		{
1344 		SSL_set_tlsext_debug_callback(con, tlsext_cb);
1345 		SSL_set_tlsext_debug_arg(con, bio_c_out);
1346 		}
1347 	if (c_status_req)
1348 		{
1349 		SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp);
1350 		SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb);
1351 		SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out);
1352 #if 0
1353 {
1354 STACK_OF(OCSP_RESPID) *ids = sk_OCSP_RESPID_new_null();
1355 OCSP_RESPID *id = OCSP_RESPID_new();
1356 id->value.byKey = ASN1_OCTET_STRING_new();
1357 id->type = V_OCSP_RESPID_KEY;
1358 ASN1_STRING_set(id->value.byKey, "Hello World", -1);
1359 sk_OCSP_RESPID_push(ids, id);
1360 SSL_set_tlsext_status_ids(con, ids);
1361 }
1362 #endif
1363 		}
1364 #endif
1365 #ifndef OPENSSL_NO_JPAKE
1366 	if (jpake_secret)
1367 		jpake_client_auth(bio_c_out, sbio, jpake_secret);
1368 #endif
1369 
1370 	SSL_set_bio(con,sbio,sbio);
1371 	SSL_set_connect_state(con);
1372 
1373 	/* ok, lets connect */
1374 	width=SSL_get_fd(con)+1;
1375 
1376 	read_tty=1;
1377 	write_tty=0;
1378 	tty_on=0;
1379 	read_ssl=1;
1380 	write_ssl=1;
1381 
1382 	cbuf_len=0;
1383 	cbuf_off=0;
1384 	sbuf_len=0;
1385 	sbuf_off=0;
1386 
1387 	/* This is an ugly hack that does a lot of assumptions */
1388 	/* We do have to handle multi-line responses which may come
1389  	   in a single packet or not. We therefore have to use
1390 	   BIO_gets() which does need a buffering BIO. So during
1391 	   the initial chitchat we do push a buffering BIO into the
1392 	   chain that is removed again later on to not disturb the
1393 	   rest of the s_client operation. */
1394 	if (starttls_proto == PROTO_SMTP)
1395 		{
1396 		int foundit=0;
1397 		BIO *fbio = BIO_new(BIO_f_buffer());
1398 		BIO_push(fbio, sbio);
1399 		/* wait for multi-line response to end from SMTP */
1400 		do
1401 			{
1402 			mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1403 			}
1404 		while (mbuf_len>3 && mbuf[3]=='-');
1405 		/* STARTTLS command requires EHLO... */
1406 		BIO_printf(fbio,"EHLO openssl.client.net\r\n");
1407 		(void)BIO_flush(fbio);
1408 		/* wait for multi-line response to end EHLO SMTP response */
1409 		do
1410 			{
1411 			mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1412 			if (strstr(mbuf,"STARTTLS"))
1413 				foundit=1;
1414 			}
1415 		while (mbuf_len>3 && mbuf[3]=='-');
1416 		(void)BIO_flush(fbio);
1417 		BIO_pop(fbio);
1418 		BIO_free(fbio);
1419 		if (!foundit)
1420 			BIO_printf(bio_err,
1421 				   "didn't found starttls in server response,"
1422 				   " try anyway...\n");
1423 		BIO_printf(sbio,"STARTTLS\r\n");
1424 		BIO_read(sbio,sbuf,BUFSIZZ);
1425 		}
1426 	else if (starttls_proto == PROTO_POP3)
1427 		{
1428 		BIO_read(sbio,mbuf,BUFSIZZ);
1429 		BIO_printf(sbio,"STLS\r\n");
1430 		BIO_read(sbio,sbuf,BUFSIZZ);
1431 		}
1432 	else if (starttls_proto == PROTO_IMAP)
1433 		{
1434 		int foundit=0;
1435 		BIO *fbio = BIO_new(BIO_f_buffer());
1436 		BIO_push(fbio, sbio);
1437 		BIO_gets(fbio,mbuf,BUFSIZZ);
1438 		/* STARTTLS command requires CAPABILITY... */
1439 		BIO_printf(fbio,". CAPABILITY\r\n");
1440 		(void)BIO_flush(fbio);
1441 		/* wait for multi-line CAPABILITY response */
1442 		do
1443 			{
1444 			mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1445 			if (strstr(mbuf,"STARTTLS"))
1446 				foundit=1;
1447 			}
1448 		while (mbuf_len>3 && mbuf[0]!='.');
1449 		(void)BIO_flush(fbio);
1450 		BIO_pop(fbio);
1451 		BIO_free(fbio);
1452 		if (!foundit)
1453 			BIO_printf(bio_err,
1454 				   "didn't found STARTTLS in server response,"
1455 				   " try anyway...\n");
1456 		BIO_printf(sbio,". STARTTLS\r\n");
1457 		BIO_read(sbio,sbuf,BUFSIZZ);
1458 		}
1459 	else if (starttls_proto == PROTO_FTP)
1460 		{
1461 		BIO *fbio = BIO_new(BIO_f_buffer());
1462 		BIO_push(fbio, sbio);
1463 		/* wait for multi-line response to end from FTP */
1464 		do
1465 			{
1466 			mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1467 			}
1468 		while (mbuf_len>3 && mbuf[3]=='-');
1469 		(void)BIO_flush(fbio);
1470 		BIO_pop(fbio);
1471 		BIO_free(fbio);
1472 		BIO_printf(sbio,"AUTH TLS\r\n");
1473 		BIO_read(sbio,sbuf,BUFSIZZ);
1474 		}
1475 	if (starttls_proto == PROTO_XMPP)
1476 		{
1477 		int seen = 0;
1478 		BIO_printf(sbio,"<stream:stream "
1479 		    "xmlns:stream='http://etherx.jabber.org/streams' "
1480 		    "xmlns='jabber:client' to='%s' version='1.0'>", host);
1481 		seen = BIO_read(sbio,mbuf,BUFSIZZ);
1482 		mbuf[seen] = 0;
1483 		while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'"))
1484 			{
1485 			if (strstr(mbuf, "/stream:features>"))
1486 				goto shut;
1487 			seen = BIO_read(sbio,mbuf,BUFSIZZ);
1488 			mbuf[seen] = 0;
1489 			}
1490 		BIO_printf(sbio, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>");
1491 		seen = BIO_read(sbio,sbuf,BUFSIZZ);
1492 		sbuf[seen] = 0;
1493 		if (!strstr(sbuf, "<proceed"))
1494 			goto shut;
1495 		mbuf[0] = 0;
1496 		}
1497 
1498 	for (;;)
1499 		{
1500 		FD_ZERO(&readfds);
1501 		FD_ZERO(&writefds);
1502 
1503 		if ((SSL_version(con) == DTLS1_VERSION) &&
1504 			DTLSv1_get_timeout(con, &timeout))
1505 			timeoutp = &timeout;
1506 		else
1507 			timeoutp = NULL;
1508 
1509 		if (SSL_in_init(con) && !SSL_total_renegotiations(con))
1510 			{
1511 			in_init=1;
1512 			tty_on=0;
1513 			}
1514 		else
1515 			{
1516 			tty_on=1;
1517 			if (in_init)
1518 				{
1519 				in_init=0;
1520 #if 0 /* This test doesn't really work as intended (needs to be fixed) */
1521 #ifndef OPENSSL_NO_TLSEXT
1522 				if (servername != NULL && !SSL_session_reused(con))
1523 					{
1524 					BIO_printf(bio_c_out,"Server did %sacknowledge servername extension.\n",tlsextcbp.ack?"":"not ");
1525 					}
1526 #endif
1527 #endif
1528 				if (sess_out)
1529 					{
1530 					BIO *stmp = BIO_new_file(sess_out, "w");
1531 					if (stmp)
1532 						{
1533 						PEM_write_bio_SSL_SESSION(stmp, SSL_get_session(con));
1534 						BIO_free(stmp);
1535 						}
1536 					else
1537 						BIO_printf(bio_err, "Error writing session file %s\n", sess_out);
1538 					}
1539 				print_stuff(bio_c_out,con,full_log);
1540 				if (full_log > 0) full_log--;
1541 
1542 				if (starttls_proto)
1543 					{
1544 					BIO_printf(bio_err,"%s",mbuf);
1545 					/* We don't need to know any more */
1546 					starttls_proto = PROTO_OFF;
1547 					}
1548 
1549 				if (reconnect)
1550 					{
1551 					reconnect--;
1552 					BIO_printf(bio_c_out,"drop connection and then reconnect\n");
1553 					SSL_shutdown(con);
1554 					SSL_set_connect_state(con);
1555 					SHUTDOWN(SSL_get_fd(con));
1556 					goto re_start;
1557 					}
1558 				}
1559 			}
1560 
1561 		ssl_pending = read_ssl && SSL_pending(con);
1562 
1563 		if (!ssl_pending)
1564 			{
1565 #if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) && !defined (OPENSSL_SYS_BEOS_R5)
1566 			if (tty_on)
1567 				{
1568 				if (read_tty)  openssl_fdset(fileno(stdin),&readfds);
1569 				if (write_tty) openssl_fdset(fileno(stdout),&writefds);
1570 				}
1571 			if (read_ssl)
1572 				openssl_fdset(SSL_get_fd(con),&readfds);
1573 			if (write_ssl)
1574 				openssl_fdset(SSL_get_fd(con),&writefds);
1575 #else
1576 			if(!tty_on || !write_tty) {
1577 				if (read_ssl)
1578 					openssl_fdset(SSL_get_fd(con),&readfds);
1579 				if (write_ssl)
1580 					openssl_fdset(SSL_get_fd(con),&writefds);
1581 			}
1582 #endif
1583 /*			printf("mode tty(%d %d%d) ssl(%d%d)\n",
1584 				tty_on,read_tty,write_tty,read_ssl,write_ssl);*/
1585 
1586 			/* Note: under VMS with SOCKETSHR the second parameter
1587 			 * is currently of type (int *) whereas under other
1588 			 * systems it is (void *) if you don't have a cast it
1589 			 * will choke the compiler: if you do have a cast then
1590 			 * you can either go for (int *) or (void *).
1591 			 */
1592 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
1593                         /* Under Windows/DOS we make the assumption that we can
1594 			 * always write to the tty: therefore if we need to
1595 			 * write to the tty we just fall through. Otherwise
1596 			 * we timeout the select every second and see if there
1597 			 * are any keypresses. Note: this is a hack, in a proper
1598 			 * Windows application we wouldn't do this.
1599 			 */
1600 			i=0;
1601 			if(!write_tty) {
1602 				if(read_tty) {
1603 					tv.tv_sec = 1;
1604 					tv.tv_usec = 0;
1605 					i=select(width,(void *)&readfds,(void *)&writefds,
1606 						 NULL,&tv);
1607 #if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
1608 					if(!i && (!_kbhit() || !read_tty) ) continue;
1609 #else
1610 					if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue;
1611 #endif
1612 				} else 	i=select(width,(void *)&readfds,(void *)&writefds,
1613 					 NULL,timeoutp);
1614 			}
1615 #elif defined(OPENSSL_SYS_NETWARE)
1616 			if(!write_tty) {
1617 				if(read_tty) {
1618 					tv.tv_sec = 1;
1619 					tv.tv_usec = 0;
1620 					i=select(width,(void *)&readfds,(void *)&writefds,
1621 						NULL,&tv);
1622 				} else 	i=select(width,(void *)&readfds,(void *)&writefds,
1623 					NULL,timeoutp);
1624 			}
1625 #elif defined(OPENSSL_SYS_BEOS_R5)
1626 			/* Under BeOS-R5 the situation is similar to DOS */
1627 			i=0;
1628 			stdin_set = 0;
1629 			(void)fcntl(fileno(stdin), F_SETFL, O_NONBLOCK);
1630 			if(!write_tty) {
1631 				if(read_tty) {
1632 					tv.tv_sec = 1;
1633 					tv.tv_usec = 0;
1634 					i=select(width,(void *)&readfds,(void *)&writefds,
1635 						 NULL,&tv);
1636 					if (read(fileno(stdin), sbuf, 0) >= 0)
1637 						stdin_set = 1;
1638 					if (!i && (stdin_set != 1 || !read_tty))
1639 						continue;
1640 				} else 	i=select(width,(void *)&readfds,(void *)&writefds,
1641 					 NULL,timeoutp);
1642 			}
1643 			(void)fcntl(fileno(stdin), F_SETFL, 0);
1644 #else
1645 			i=select(width,(void *)&readfds,(void *)&writefds,
1646 				 NULL,timeoutp);
1647 #endif
1648 			if ( i < 0)
1649 				{
1650 				BIO_printf(bio_err,"bad select %d\n",
1651 				get_last_socket_error());
1652 				goto shut;
1653 				/* goto end; */
1654 				}
1655 			}
1656 
1657 		if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0)
1658 			{
1659 			BIO_printf(bio_err,"TIMEOUT occured\n");
1660 			}
1661 
1662 		if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds))
1663 			{
1664 			k=SSL_write(con,&(cbuf[cbuf_off]),
1665 				(unsigned int)cbuf_len);
1666 			switch (SSL_get_error(con,k))
1667 				{
1668 			case SSL_ERROR_NONE:
1669 				cbuf_off+=k;
1670 				cbuf_len-=k;
1671 				if (k <= 0) goto end;
1672 				/* we have done a  write(con,NULL,0); */
1673 				if (cbuf_len <= 0)
1674 					{
1675 					read_tty=1;
1676 					write_ssl=0;
1677 					}
1678 				else /* if (cbuf_len > 0) */
1679 					{
1680 					read_tty=0;
1681 					write_ssl=1;
1682 					}
1683 				break;
1684 			case SSL_ERROR_WANT_WRITE:
1685 				BIO_printf(bio_c_out,"write W BLOCK\n");
1686 				write_ssl=1;
1687 				read_tty=0;
1688 				break;
1689 			case SSL_ERROR_WANT_READ:
1690 				BIO_printf(bio_c_out,"write R BLOCK\n");
1691 				write_tty=0;
1692 				read_ssl=1;
1693 				write_ssl=0;
1694 				break;
1695 			case SSL_ERROR_WANT_X509_LOOKUP:
1696 				BIO_printf(bio_c_out,"write X BLOCK\n");
1697 				break;
1698 			case SSL_ERROR_ZERO_RETURN:
1699 				if (cbuf_len != 0)
1700 					{
1701 					BIO_printf(bio_c_out,"shutdown\n");
1702 					ret = 0;
1703 					goto shut;
1704 					}
1705 				else
1706 					{
1707 					read_tty=1;
1708 					write_ssl=0;
1709 					break;
1710 					}
1711 
1712 			case SSL_ERROR_SYSCALL:
1713 				if ((k != 0) || (cbuf_len != 0))
1714 					{
1715 					BIO_printf(bio_err,"write:errno=%d\n",
1716 						get_last_socket_error());
1717 					goto shut;
1718 					}
1719 				else
1720 					{
1721 					read_tty=1;
1722 					write_ssl=0;
1723 					}
1724 				break;
1725 			case SSL_ERROR_SSL:
1726 				ERR_print_errors(bio_err);
1727 				goto shut;
1728 				}
1729 			}
1730 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
1731 		/* Assume Windows/DOS/BeOS can always write */
1732 		else if (!ssl_pending && write_tty)
1733 #else
1734 		else if (!ssl_pending && FD_ISSET(fileno(stdout),&writefds))
1735 #endif
1736 			{
1737 #ifdef CHARSET_EBCDIC
1738 			ascii2ebcdic(&(sbuf[sbuf_off]),&(sbuf[sbuf_off]),sbuf_len);
1739 #endif
1740 			i=raw_write_stdout(&(sbuf[sbuf_off]),sbuf_len);
1741 
1742 			if (i <= 0)
1743 				{
1744 				BIO_printf(bio_c_out,"DONE\n");
1745 				ret = 0;
1746 				goto shut;
1747 				/* goto end; */
1748 				}
1749 
1750 			sbuf_len-=i;;
1751 			sbuf_off+=i;
1752 			if (sbuf_len <= 0)
1753 				{
1754 				read_ssl=1;
1755 				write_tty=0;
1756 				}
1757 			}
1758 		else if (ssl_pending || FD_ISSET(SSL_get_fd(con),&readfds))
1759 			{
1760 #ifdef RENEG
1761 { static int iiii; if (++iiii == 52) { SSL_renegotiate(con); iiii=0; } }
1762 #endif
1763 #if 1
1764 			k=SSL_read(con,sbuf,1024 /* BUFSIZZ */ );
1765 #else
1766 /* Demo for pending and peek :-) */
1767 			k=SSL_read(con,sbuf,16);
1768 { char zbuf[10240];
1769 printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240));
1770 }
1771 #endif
1772 
1773 			switch (SSL_get_error(con,k))
1774 				{
1775 			case SSL_ERROR_NONE:
1776 				if (k <= 0)
1777 					goto end;
1778 				sbuf_off=0;
1779 				sbuf_len=k;
1780 
1781 				read_ssl=0;
1782 				write_tty=1;
1783 				break;
1784 			case SSL_ERROR_WANT_WRITE:
1785 				BIO_printf(bio_c_out,"read W BLOCK\n");
1786 				write_ssl=1;
1787 				read_tty=0;
1788 				break;
1789 			case SSL_ERROR_WANT_READ:
1790 				BIO_printf(bio_c_out,"read R BLOCK\n");
1791 				write_tty=0;
1792 				read_ssl=1;
1793 				if ((read_tty == 0) && (write_ssl == 0))
1794 					write_ssl=1;
1795 				break;
1796 			case SSL_ERROR_WANT_X509_LOOKUP:
1797 				BIO_printf(bio_c_out,"read X BLOCK\n");
1798 				break;
1799 			case SSL_ERROR_SYSCALL:
1800 				ret=get_last_socket_error();
1801 				BIO_printf(bio_err,"read:errno=%d\n",ret);
1802 				goto shut;
1803 			case SSL_ERROR_ZERO_RETURN:
1804 				BIO_printf(bio_c_out,"closed\n");
1805 				ret=0;
1806 				goto shut;
1807 			case SSL_ERROR_SSL:
1808 				ERR_print_errors(bio_err);
1809 				goto shut;
1810 				/* break; */
1811 				}
1812 			}
1813 
1814 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
1815 #if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
1816 		else if (_kbhit())
1817 #else
1818 		else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
1819 #endif
1820 #elif defined (OPENSSL_SYS_NETWARE)
1821 		else if (_kbhit())
1822 #elif defined(OPENSSL_SYS_BEOS_R5)
1823 		else if (stdin_set)
1824 #else
1825 		else if (FD_ISSET(fileno(stdin),&readfds))
1826 #endif
1827 			{
1828 			if (crlf)
1829 				{
1830 				int j, lf_num;
1831 
1832 				i=raw_read_stdin(cbuf,BUFSIZZ/2);
1833 				lf_num = 0;
1834 				/* both loops are skipped when i <= 0 */
1835 				for (j = 0; j < i; j++)
1836 					if (cbuf[j] == '\n')
1837 						lf_num++;
1838 				for (j = i-1; j >= 0; j--)
1839 					{
1840 					cbuf[j+lf_num] = cbuf[j];
1841 					if (cbuf[j] == '\n')
1842 						{
1843 						lf_num--;
1844 						i++;
1845 						cbuf[j+lf_num] = '\r';
1846 						}
1847 					}
1848 				assert(lf_num == 0);
1849 				}
1850 			else
1851 				i=raw_read_stdin(cbuf,BUFSIZZ);
1852 
1853 			if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q')))
1854 				{
1855 				BIO_printf(bio_err,"DONE\n");
1856 				ret=0;
1857 				goto shut;
1858 				}
1859 
1860 			if ((!c_ign_eof) && (cbuf[0] == 'R'))
1861 				{
1862 				BIO_printf(bio_err,"RENEGOTIATING\n");
1863 				SSL_renegotiate(con);
1864 				cbuf_len=0;
1865 				}
1866 #ifndef OPENSSL_NO_HEARTBEATS
1867 			else if ((!c_ign_eof) && (cbuf[0] == 'B'))
1868  				{
1869 				BIO_printf(bio_err,"HEARTBEATING\n");
1870 				SSL_heartbeat(con);
1871 				cbuf_len=0;
1872 				}
1873 #endif
1874 			else
1875 				{
1876 				cbuf_len=i;
1877 				cbuf_off=0;
1878 #ifdef CHARSET_EBCDIC
1879 				ebcdic2ascii(cbuf, cbuf, i);
1880 #endif
1881 				}
1882 
1883 			write_ssl=1;
1884 			read_tty=0;
1885 			}
1886 		}
1887 
1888 	ret=0;
1889 shut:
1890 	if (in_init)
1891 		print_stuff(bio_c_out,con,full_log);
1892 	SSL_shutdown(con);
1893 	SHUTDOWN(SSL_get_fd(con));
1894 end:
1895 	if (con != NULL)
1896 		{
1897 		if (prexit != 0)
1898 			print_stuff(bio_c_out,con,1);
1899 		SSL_free(con);
1900 		}
1901 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
1902 	if (next_proto.data)
1903 		OPENSSL_free(next_proto.data);
1904 #endif
1905 	if (ctx != NULL) SSL_CTX_free(ctx);
1906 	if (cert)
1907 		X509_free(cert);
1908 	if (key)
1909 		EVP_PKEY_free(key);
1910 	if (pass)
1911 		OPENSSL_free(pass);
1912 	if (vpm)
1913 		X509_VERIFY_PARAM_free(vpm);
1914 	if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); }
1915 	if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); }
1916 	if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); }
1917 	if (bio_c_out != NULL)
1918 		{
1919 		BIO_free(bio_c_out);
1920 		bio_c_out=NULL;
1921 		}
1922 	apps_shutdown();
1923 	OPENSSL_EXIT(ret);
1924 	}
1925 
1926 
1927 static void print_stuff(BIO *bio, SSL *s, int full)
1928 	{
1929 	X509 *peer=NULL;
1930 	char *p;
1931 	static const char *space="                ";
1932 	char buf[BUFSIZ];
1933 	STACK_OF(X509) *sk;
1934 	STACK_OF(X509_NAME) *sk2;
1935 	const SSL_CIPHER *c;
1936 	X509_NAME *xn;
1937 	int j,i;
1938 #ifndef OPENSSL_NO_COMP
1939 	const COMP_METHOD *comp, *expansion;
1940 #endif
1941 	unsigned char *exportedkeymat;
1942 
1943 	if (full)
1944 		{
1945 		int got_a_chain = 0;
1946 
1947 		sk=SSL_get_peer_cert_chain(s);
1948 		if (sk != NULL)
1949 			{
1950 			got_a_chain = 1; /* we don't have it for SSL2 (yet) */
1951 
1952 			BIO_printf(bio,"---\nCertificate chain\n");
1953 			for (i=0; i<sk_X509_num(sk); i++)
1954 				{
1955 				X509_NAME_oneline(X509_get_subject_name(
1956 					sk_X509_value(sk,i)),buf,sizeof buf);
1957 				BIO_printf(bio,"%2d s:%s\n",i,buf);
1958 				X509_NAME_oneline(X509_get_issuer_name(
1959 					sk_X509_value(sk,i)),buf,sizeof buf);
1960 				BIO_printf(bio,"   i:%s\n",buf);
1961 				if (c_showcerts)
1962 					PEM_write_bio_X509(bio,sk_X509_value(sk,i));
1963 				}
1964 			}
1965 
1966 		BIO_printf(bio,"---\n");
1967 		peer=SSL_get_peer_certificate(s);
1968 		if (peer != NULL)
1969 			{
1970 			BIO_printf(bio,"Server certificate\n");
1971 			if (!(c_showcerts && got_a_chain)) /* Redundant if we showed the whole chain */
1972 				PEM_write_bio_X509(bio,peer);
1973 			X509_NAME_oneline(X509_get_subject_name(peer),
1974 				buf,sizeof buf);
1975 			BIO_printf(bio,"subject=%s\n",buf);
1976 			X509_NAME_oneline(X509_get_issuer_name(peer),
1977 				buf,sizeof buf);
1978 			BIO_printf(bio,"issuer=%s\n",buf);
1979 			}
1980 		else
1981 			BIO_printf(bio,"no peer certificate available\n");
1982 
1983 		sk2=SSL_get_client_CA_list(s);
1984 		if ((sk2 != NULL) && (sk_X509_NAME_num(sk2) > 0))
1985 			{
1986 			BIO_printf(bio,"---\nAcceptable client certificate CA names\n");
1987 			for (i=0; i<sk_X509_NAME_num(sk2); i++)
1988 				{
1989 				xn=sk_X509_NAME_value(sk2,i);
1990 				X509_NAME_oneline(xn,buf,sizeof(buf));
1991 				BIO_write(bio,buf,strlen(buf));
1992 				BIO_write(bio,"\n",1);
1993 				}
1994 			}
1995 		else
1996 			{
1997 			BIO_printf(bio,"---\nNo client certificate CA names sent\n");
1998 			}
1999 		p=SSL_get_shared_ciphers(s,buf,sizeof buf);
2000 		if (p != NULL)
2001 			{
2002 			/* This works only for SSL 2.  In later protocol
2003 			 * versions, the client does not know what other
2004 			 * ciphers (in addition to the one to be used
2005 			 * in the current connection) the server supports. */
2006 
2007 			BIO_printf(bio,"---\nCiphers common between both SSL endpoints:\n");
2008 			j=i=0;
2009 			while (*p)
2010 				{
2011 				if (*p == ':')
2012 					{
2013 					BIO_write(bio,space,15-j%25);
2014 					i++;
2015 					j=0;
2016 					BIO_write(bio,((i%3)?" ":"\n"),1);
2017 					}
2018 				else
2019 					{
2020 					BIO_write(bio,p,1);
2021 					j++;
2022 					}
2023 				p++;
2024 				}
2025 			BIO_write(bio,"\n",1);
2026 			}
2027 
2028 		BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n",
2029 			BIO_number_read(SSL_get_rbio(s)),
2030 			BIO_number_written(SSL_get_wbio(s)));
2031 		}
2032 	BIO_printf(bio,(SSL_cache_hit(s)?"---\nReused, ":"---\nNew, "));
2033 	c=SSL_get_current_cipher(s);
2034 	BIO_printf(bio,"%s, Cipher is %s\n",
2035 		SSL_CIPHER_get_version(c),
2036 		SSL_CIPHER_get_name(c));
2037 	if (peer != NULL) {
2038 		EVP_PKEY *pktmp;
2039 		pktmp = X509_get_pubkey(peer);
2040 		BIO_printf(bio,"Server public key is %d bit\n",
2041 							 EVP_PKEY_bits(pktmp));
2042 		EVP_PKEY_free(pktmp);
2043 	}
2044 	BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
2045 			SSL_get_secure_renegotiation_support(s) ? "" : " NOT");
2046 #ifndef OPENSSL_NO_COMP
2047 	comp=SSL_get_current_compression(s);
2048 	expansion=SSL_get_current_expansion(s);
2049 	BIO_printf(bio,"Compression: %s\n",
2050 		comp ? SSL_COMP_get_name(comp) : "NONE");
2051 	BIO_printf(bio,"Expansion: %s\n",
2052 		expansion ? SSL_COMP_get_name(expansion) : "NONE");
2053 #endif
2054 
2055 #ifdef SSL_DEBUG
2056 	{
2057 	/* Print out local port of connection: useful for debugging */
2058 	int sock;
2059 	struct sockaddr_in ladd;
2060 	socklen_t ladd_size = sizeof(ladd);
2061 	sock = SSL_get_fd(s);
2062 	getsockname(sock, (struct sockaddr *)&ladd, &ladd_size);
2063 	BIO_printf(bio_c_out, "LOCAL PORT is %u\n", ntohs(ladd.sin_port));
2064 	}
2065 #endif
2066 
2067 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
2068 	if (next_proto.status != -1) {
2069 		const unsigned char *proto;
2070 		unsigned int proto_len;
2071 		SSL_get0_next_proto_negotiated(s, &proto, &proto_len);
2072 		BIO_printf(bio, "Next protocol: (%d) ", next_proto.status);
2073 		BIO_write(bio, proto, proto_len);
2074 		BIO_write(bio, "\n", 1);
2075 	}
2076 #endif
2077 
2078 #ifndef OPENSSL_NO_SRTP
2079  	{
2080  	SRTP_PROTECTION_PROFILE *srtp_profile=SSL_get_selected_srtp_profile(s);
2081 
2082 	if(srtp_profile)
2083 		BIO_printf(bio,"SRTP Extension negotiated, profile=%s\n",
2084 			   srtp_profile->name);
2085 	}
2086 #endif
2087 
2088 	SSL_SESSION_print(bio,SSL_get_session(s));
2089 	if (keymatexportlabel != NULL)
2090 		{
2091 		BIO_printf(bio, "Keying material exporter:\n");
2092 		BIO_printf(bio, "    Label: '%s'\n", keymatexportlabel);
2093 		BIO_printf(bio, "    Length: %i bytes\n", keymatexportlen);
2094 		exportedkeymat = OPENSSL_malloc(keymatexportlen);
2095 		if (exportedkeymat != NULL)
2096 			{
2097 			if (!SSL_export_keying_material(s, exportedkeymat,
2098 						        keymatexportlen,
2099 						        keymatexportlabel,
2100 						        strlen(keymatexportlabel),
2101 						        NULL, 0, 0))
2102 				{
2103 				BIO_printf(bio, "    Error\n");
2104 				}
2105 			else
2106 				{
2107 				BIO_printf(bio, "    Keying material: ");
2108 				for (i=0; i<keymatexportlen; i++)
2109 					BIO_printf(bio, "%02X",
2110 						   exportedkeymat[i]);
2111 				BIO_printf(bio, "\n");
2112 				}
2113 			OPENSSL_free(exportedkeymat);
2114 			}
2115 		}
2116 	BIO_printf(bio,"---\n");
2117 	if (peer != NULL)
2118 		X509_free(peer);
2119 	/* flush, or debugging output gets mixed with http response */
2120 	(void)BIO_flush(bio);
2121 	}
2122 
2123 #ifndef OPENSSL_NO_TLSEXT
2124 
2125 static int ocsp_resp_cb(SSL *s, void *arg)
2126 	{
2127 	const unsigned char *p;
2128 	int len;
2129 	OCSP_RESPONSE *rsp;
2130 	len = SSL_get_tlsext_status_ocsp_resp(s, &p);
2131 	BIO_puts(arg, "OCSP response: ");
2132 	if (!p)
2133 		{
2134 		BIO_puts(arg, "no response sent\n");
2135 		return 1;
2136 		}
2137 	rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
2138 	if (!rsp)
2139 		{
2140 		BIO_puts(arg, "response parse error\n");
2141 		BIO_dump_indent(arg, (char *)p, len, 4);
2142 		return 0;
2143 		}
2144 	BIO_puts(arg, "\n======================================\n");
2145 	OCSP_RESPONSE_print(arg, rsp, 0);
2146 	BIO_puts(arg, "======================================\n");
2147 	OCSP_RESPONSE_free(rsp);
2148 	return 1;
2149 	}
2150 
2151 #endif
2152