xref: /freebsd/crypto/openssl/apps/s_client.c (revision f5f7c05209ca2c3748fd8b27c5e80ffad49120eb)
1 /* apps/s_client.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  *
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  *
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  *
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  *
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  *
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer.
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111 /* ====================================================================
112  * Copyright 2005 Nokia. All rights reserved.
113  *
114  * The portions of the attached software ("Contribution") is developed by
115  * Nokia Corporation and is licensed pursuant to the OpenSSL open source
116  * license.
117  *
118  * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119  * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120  * support (see RFC 4279) to OpenSSL.
121  *
122  * No patent licenses or other rights except those expressly stated in
123  * the OpenSSL open source license shall be deemed granted or received
124  * expressly, by implication, estoppel, or otherwise.
125  *
126  * No assurances are provided by Nokia that the Contribution does not
127  * infringe the patent or other intellectual property rights of any third
128  * party or that the license provides you with all the necessary rights
129  * to make use of the Contribution.
130  *
131  * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132  * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133  * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134  * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
135  * OTHERWISE.
136  */
137 
138 #include <assert.h>
139 #include <ctype.h>
140 #include <stdio.h>
141 #include <stdlib.h>
142 #include <string.h>
143 #include <openssl/e_os2.h>
144 #ifdef OPENSSL_NO_STDIO
145 #define APPS_WIN16
146 #endif
147 
148 /* With IPv6, it looks like Digital has mixed up the proper order of
149    recursive header file inclusion, resulting in the compiler complaining
150    that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which
151    is needed to have fileno() declared correctly...  So let's define u_int */
152 #if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
153 #define __U_INT
154 typedef unsigned int u_int;
155 #endif
156 
157 #define USE_SOCKETS
158 #include "apps.h"
159 #include <openssl/x509.h>
160 #include <openssl/ssl.h>
161 #include <openssl/err.h>
162 #include <openssl/pem.h>
163 #include <openssl/rand.h>
164 #include <openssl/ocsp.h>
165 #include <openssl/bn.h>
166 #ifndef OPENSSL_NO_SRP
167 #include <openssl/srp.h>
168 #endif
169 #include "s_apps.h"
170 #include "timeouts.h"
171 
172 #if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
173 /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
174 #undef FIONBIO
175 #endif
176 
177 #if defined(OPENSSL_SYS_BEOS_R5)
178 #include <fcntl.h>
179 #endif
180 
181 #undef PROG
182 #define PROG	s_client_main
183 
184 /*#define SSL_HOST_NAME	"www.netscape.com" */
185 /*#define SSL_HOST_NAME	"193.118.187.102" */
186 #define SSL_HOST_NAME	"localhost"
187 
188 /*#define TEST_CERT "client.pem" */ /* no default cert. */
189 
190 #undef BUFSIZZ
191 #define BUFSIZZ 1024*8
192 
193 extern int verify_depth;
194 extern int verify_error;
195 extern int verify_return_error;
196 
197 #ifdef FIONBIO
198 static int c_nbio=0;
199 #endif
200 static int c_Pause=0;
201 static int c_debug=0;
202 #ifndef OPENSSL_NO_TLSEXT
203 static int c_tlsextdebug=0;
204 static int c_status_req=0;
205 #endif
206 static int c_msg=0;
207 static int c_showcerts=0;
208 
209 static char *keymatexportlabel=NULL;
210 static int keymatexportlen=20;
211 
212 static void sc_usage(void);
213 static void print_stuff(BIO *berr,SSL *con,int full);
214 #ifndef OPENSSL_NO_TLSEXT
215 static int ocsp_resp_cb(SSL *s, void *arg);
216 #endif
217 static BIO *bio_c_out=NULL;
218 static int c_quiet=0;
219 static int c_ign_eof=0;
220 
221 #ifndef OPENSSL_NO_PSK
222 /* Default PSK identity and key */
223 static char *psk_identity="Client_identity";
224 /*char *psk_key=NULL;  by default PSK is not used */
225 
226 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity,
227 	unsigned int max_identity_len, unsigned char *psk,
228 	unsigned int max_psk_len)
229 	{
230 	unsigned int psk_len = 0;
231 	int ret;
232         BIGNUM *bn=NULL;
233 
234 	if (c_debug)
235 		BIO_printf(bio_c_out, "psk_client_cb\n");
236 	if (!hint)
237                 {
238                 /* no ServerKeyExchange message*/
239 		if (c_debug)
240 			BIO_printf(bio_c_out,"NULL received PSK identity hint, continuing anyway\n");
241                 }
242         else if (c_debug)
243 		BIO_printf(bio_c_out, "Received PSK identity hint '%s'\n", hint);
244 
245 	/* lookup PSK identity and PSK key based on the given identity hint here */
246 	ret = BIO_snprintf(identity, max_identity_len, "%s", psk_identity);
247 	if (ret < 0 || (unsigned int)ret > max_identity_len)
248 		goto out_err;
249 	if (c_debug)
250 		BIO_printf(bio_c_out, "created identity '%s' len=%d\n", identity, ret);
251         ret=BN_hex2bn(&bn, psk_key);
252         if (!ret)
253                 {
254                 BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", psk_key);
255                 if (bn)
256                         BN_free(bn);
257                 return 0;
258                 }
259 
260         if ((unsigned int)BN_num_bytes(bn) > max_psk_len)
261                 {
262                 BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
263                         max_psk_len, BN_num_bytes(bn));
264                 BN_free(bn);
265                 return 0;
266                 }
267 
268         psk_len=BN_bn2bin(bn, psk);
269         BN_free(bn);
270         if (psk_len == 0)
271                 goto out_err;
272 
273 	if (c_debug)
274 		BIO_printf(bio_c_out, "created PSK len=%d\n", psk_len);
275 
276         return psk_len;
277  out_err:
278 	if (c_debug)
279 		BIO_printf(bio_err, "Error in PSK client callback\n");
280         return 0;
281 	}
282 #endif
283 
284 static void sc_usage(void)
285 	{
286 	BIO_printf(bio_err,"usage: s_client args\n");
287 	BIO_printf(bio_err,"\n");
288 	BIO_printf(bio_err," -host host     - use -connect instead\n");
289 	BIO_printf(bio_err," -port port     - use -connect instead\n");
290 	BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR);
291 
292 	BIO_printf(bio_err," -verify arg   - turn on peer certificate verification\n");
293 	BIO_printf(bio_err," -cert arg     - certificate file to use, PEM format assumed\n");
294 	BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n");
295 	BIO_printf(bio_err," -key arg      - Private key file to use, in cert file if\n");
296 	BIO_printf(bio_err,"                 not specified but cert file is.\n");
297 	BIO_printf(bio_err," -keyform arg  - key format (PEM or DER) PEM default\n");
298 	BIO_printf(bio_err," -pass arg     - private key file pass phrase source\n");
299 	BIO_printf(bio_err," -CApath arg   - PEM format directory of CA's\n");
300 	BIO_printf(bio_err," -CAfile arg   - PEM format file of CA's\n");
301 	BIO_printf(bio_err," -reconnect    - Drop and re-make the connection with the same Session-ID\n");
302 	BIO_printf(bio_err," -pause        - sleep(1) after each read(2) and write(2) system call\n");
303 	BIO_printf(bio_err," -showcerts    - show all certificates in the chain\n");
304 	BIO_printf(bio_err," -debug        - extra output\n");
305 #ifdef WATT32
306 	BIO_printf(bio_err," -wdebug       - WATT-32 tcp debugging\n");
307 #endif
308 	BIO_printf(bio_err," -msg          - Show protocol messages\n");
309 	BIO_printf(bio_err," -nbio_test    - more ssl protocol testing\n");
310 	BIO_printf(bio_err," -state        - print the 'ssl' states\n");
311 #ifdef FIONBIO
312 	BIO_printf(bio_err," -nbio         - Run with non-blocking IO\n");
313 #endif
314 	BIO_printf(bio_err," -crlf         - convert LF from terminal into CRLF\n");
315 	BIO_printf(bio_err," -quiet        - no s_client output\n");
316 	BIO_printf(bio_err," -ign_eof      - ignore input eof (default when -quiet)\n");
317 	BIO_printf(bio_err," -no_ign_eof   - don't ignore input eof\n");
318 #ifndef OPENSSL_NO_PSK
319 	BIO_printf(bio_err," -psk_identity arg - PSK identity\n");
320 	BIO_printf(bio_err," -psk arg      - PSK in hex (without 0x)\n");
321 # ifndef OPENSSL_NO_JPAKE
322 	BIO_printf(bio_err," -jpake arg    - JPAKE secret to use\n");
323 # endif
324 #endif
325 #ifndef OPENSSL_NO_SRP
326 	BIO_printf(bio_err," -srpuser user     - SRP authentification for 'user'\n");
327 	BIO_printf(bio_err," -srppass arg      - password for 'user'\n");
328 	BIO_printf(bio_err," -srp_lateuser     - SRP username into second ClientHello message\n");
329 	BIO_printf(bio_err," -srp_moregroups   - Tolerate other than the known g N values.\n");
330 	BIO_printf(bio_err," -srp_strength int - minimal mength in bits for N (default %d).\n",SRP_MINIMAL_N);
331 #endif
332 	BIO_printf(bio_err," -ssl2         - just use SSLv2\n");
333 	BIO_printf(bio_err," -ssl3         - just use SSLv3\n");
334 	BIO_printf(bio_err," -tls1_2       - just use TLSv1.2\n");
335 	BIO_printf(bio_err," -tls1_1       - just use TLSv1.1\n");
336 	BIO_printf(bio_err," -tls1         - just use TLSv1\n");
337 	BIO_printf(bio_err," -dtls1        - just use DTLSv1\n");
338 	BIO_printf(bio_err," -mtu          - set the link layer MTU\n");
339 	BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
340 	BIO_printf(bio_err," -bugs         - Switch on all SSL implementation bug workarounds\n");
341 	BIO_printf(bio_err," -serverpref   - Use server's cipher preferences (only SSLv2)\n");
342 	BIO_printf(bio_err," -cipher       - preferred cipher to use, use the 'openssl ciphers'\n");
343 	BIO_printf(bio_err,"                 command to see what is available\n");
344 	BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n");
345 	BIO_printf(bio_err,"                 for those protocols that support it, where\n");
346 	BIO_printf(bio_err,"                 'prot' defines which one to assume.  Currently,\n");
347 	BIO_printf(bio_err,"                 only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
348 	BIO_printf(bio_err,"                 are supported.\n");
349 #ifndef OPENSSL_NO_ENGINE
350 	BIO_printf(bio_err," -engine id    - Initialise and use the specified engine\n");
351 #endif
352 	BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
353 	BIO_printf(bio_err," -sess_out arg - file to write SSL session to\n");
354 	BIO_printf(bio_err," -sess_in arg  - file to read SSL session from\n");
355 #ifndef OPENSSL_NO_TLSEXT
356 	BIO_printf(bio_err," -servername host  - Set TLS extension servername in ClientHello\n");
357 	BIO_printf(bio_err," -tlsextdebug      - hex dump of all TLS extensions received\n");
358 	BIO_printf(bio_err," -status           - request certificate status from server\n");
359 	BIO_printf(bio_err," -no_ticket        - disable use of RFC4507bis session tickets\n");
360 # if !defined(OPENSSL_NO_NEXTPROTONEG)
361 	BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
362 # endif
363 #endif
364 	BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
365 	BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
366  	BIO_printf(bio_err," -keymatexport label   - Export keying material using label\n");
367  	BIO_printf(bio_err," -keymatexportlen len  - Export len bytes of keying material (default 20)\n");
368 	}
369 
370 #ifndef OPENSSL_NO_TLSEXT
371 
372 /* This is a context that we pass to callbacks */
373 typedef struct tlsextctx_st {
374    BIO * biodebug;
375    int ack;
376 } tlsextctx;
377 
378 
379 static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
380 	{
381 	tlsextctx * p = (tlsextctx *) arg;
382 	const char * hn= SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
383 	if (SSL_get_servername_type(s) != -1)
384  	        p->ack = !SSL_session_reused(s) && hn != NULL;
385 	else
386 		BIO_printf(bio_err,"Can't use SSL_get_servername\n");
387 
388 	return SSL_TLSEXT_ERR_OK;
389 	}
390 
391 #ifndef OPENSSL_NO_SRP
392 
393 /* This is a context that we pass to all callbacks */
394 typedef struct srp_arg_st
395 	{
396 	char *srppassin;
397 	char *srplogin;
398 	int msg;   /* copy from c_msg */
399 	int debug; /* copy from c_debug */
400 	int amp;   /* allow more groups */
401 	int strength /* minimal size for N */ ;
402 	} SRP_ARG;
403 
404 #define SRP_NUMBER_ITERATIONS_FOR_PRIME 64
405 
406 static int srp_Verify_N_and_g(BIGNUM *N, BIGNUM *g)
407 	{
408 	BN_CTX *bn_ctx = BN_CTX_new();
409 	BIGNUM *p = BN_new();
410 	BIGNUM *r = BN_new();
411 	int ret =
412 		g != NULL && N != NULL && bn_ctx != NULL && BN_is_odd(N) &&
413 		BN_is_prime_ex(N, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
414 		p != NULL && BN_rshift1(p, N) &&
415 
416 		/* p = (N-1)/2 */
417 		BN_is_prime_ex(p, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
418 		r != NULL &&
419 
420 		/* verify g^((N-1)/2) == -1 (mod N) */
421 		BN_mod_exp(r, g, p, N, bn_ctx) &&
422 		BN_add_word(r, 1) &&
423 		BN_cmp(r, N) == 0;
424 
425 	if(r)
426 		BN_free(r);
427 	if(p)
428 		BN_free(p);
429 	if(bn_ctx)
430 		BN_CTX_free(bn_ctx);
431 	return ret;
432 	}
433 
434 /* This callback is used here for two purposes:
435    - extended debugging
436    - making some primality tests for unknown groups
437    The callback is only called for a non default group.
438 
439    An application does not need the call back at all if
440    only the stanard groups are used.  In real life situations,
441    client and server already share well known groups,
442    thus there is no need to verify them.
443    Furthermore, in case that a server actually proposes a group that
444    is not one of those defined in RFC 5054, it is more appropriate
445    to add the group to a static list and then compare since
446    primality tests are rather cpu consuming.
447 */
448 
449 static int MS_CALLBACK ssl_srp_verify_param_cb(SSL *s, void *arg)
450 	{
451 	SRP_ARG *srp_arg = (SRP_ARG *)arg;
452 	BIGNUM *N = NULL, *g = NULL;
453 	if (!(N = SSL_get_srp_N(s)) || !(g = SSL_get_srp_g(s)))
454 		return 0;
455 	if (srp_arg->debug || srp_arg->msg || srp_arg->amp == 1)
456 		{
457     		BIO_printf(bio_err, "SRP parameters:\n");
458 		BIO_printf(bio_err,"\tN="); BN_print(bio_err,N);
459 		BIO_printf(bio_err,"\n\tg="); BN_print(bio_err,g);
460 		BIO_printf(bio_err,"\n");
461 		}
462 
463 	if (SRP_check_known_gN_param(g,N))
464 		return 1;
465 
466 	if (srp_arg->amp == 1)
467 		{
468 		if (srp_arg->debug)
469 			BIO_printf(bio_err, "SRP param N and g are not known params, going to check deeper.\n");
470 
471 /* The srp_moregroups is a real debugging feature.
472    Implementors should rather add the value to the known ones.
473    The minimal size has already been tested.
474 */
475 		if (BN_num_bits(g) <= BN_BITS && srp_Verify_N_and_g(N,g))
476 			return 1;
477 		}
478 	BIO_printf(bio_err, "SRP param N and g rejected.\n");
479 	return 0;
480 	}
481 
482 #define PWD_STRLEN 1024
483 
484 static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
485 	{
486 	SRP_ARG *srp_arg = (SRP_ARG *)arg;
487 	char *pass = (char *)OPENSSL_malloc(PWD_STRLEN+1);
488 	PW_CB_DATA cb_tmp;
489 	int l;
490 
491 	cb_tmp.password = (char *)srp_arg->srppassin;
492 	cb_tmp.prompt_info = "SRP user";
493 	if ((l = password_callback(pass, PWD_STRLEN, 0, &cb_tmp))<0)
494 		{
495 		BIO_printf (bio_err, "Can't read Password\n");
496 		OPENSSL_free(pass);
497 		return NULL;
498 		}
499 	*(pass+l)= '\0';
500 
501 	return pass;
502 	}
503 
504 #endif
505 	char *srtp_profiles = NULL;
506 
507 # ifndef OPENSSL_NO_NEXTPROTONEG
508 /* This the context that we pass to next_proto_cb */
509 typedef struct tlsextnextprotoctx_st {
510 	unsigned char *data;
511 	unsigned short len;
512 	int status;
513 } tlsextnextprotoctx;
514 
515 static tlsextnextprotoctx next_proto;
516 
517 static int next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg)
518 	{
519 	tlsextnextprotoctx *ctx = arg;
520 
521 	if (!c_quiet)
522 		{
523 		/* We can assume that |in| is syntactically valid. */
524 		unsigned i;
525 		BIO_printf(bio_c_out, "Protocols advertised by server: ");
526 		for (i = 0; i < inlen; )
527 			{
528 			if (i)
529 				BIO_write(bio_c_out, ", ", 2);
530 			BIO_write(bio_c_out, &in[i + 1], in[i]);
531 			i += in[i] + 1;
532 			}
533 		BIO_write(bio_c_out, "\n", 1);
534 		}
535 
536 	ctx->status = SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len);
537 	return SSL_TLSEXT_ERR_OK;
538 	}
539 # endif
540 #endif
541 
542 enum
543 {
544 	PROTO_OFF	= 0,
545 	PROTO_SMTP,
546 	PROTO_POP3,
547 	PROTO_IMAP,
548 	PROTO_FTP,
549 	PROTO_XMPP
550 };
551 
552 int MAIN(int, char **);
553 
554 int MAIN(int argc, char **argv)
555 	{
556 	unsigned int off=0, clr=0;
557 	SSL *con=NULL;
558 #ifndef OPENSSL_NO_KRB5
559 	KSSL_CTX *kctx;
560 #endif
561 	int s,k,width,state=0;
562 	char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL;
563 	int cbuf_len,cbuf_off;
564 	int sbuf_len,sbuf_off;
565 	fd_set readfds,writefds;
566 	short port=PORT;
567 	int full_log=1;
568 	char *host=SSL_HOST_NAME;
569 	char *cert_file=NULL,*key_file=NULL;
570 	int cert_format = FORMAT_PEM, key_format = FORMAT_PEM;
571 	char *passarg = NULL, *pass = NULL;
572 	X509 *cert = NULL;
573 	EVP_PKEY *key = NULL;
574 	char *CApath=NULL,*CAfile=NULL,*cipher=NULL;
575 	int reconnect=0,badop=0,verify=SSL_VERIFY_NONE,bugs=0;
576 	int crlf=0;
577 	int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending;
578 	SSL_CTX *ctx=NULL;
579 	int ret=1,in_init=1,i,nbio_test=0;
580 	int starttls_proto = PROTO_OFF;
581 	int prexit = 0;
582 	X509_VERIFY_PARAM *vpm = NULL;
583 	int badarg = 0;
584 	const SSL_METHOD *meth=NULL;
585 	int socket_type=SOCK_STREAM;
586 	BIO *sbio;
587 	char *inrand=NULL;
588 	int mbuf_len=0;
589 	struct timeval timeout, *timeoutp;
590 #ifndef OPENSSL_NO_ENGINE
591 	char *engine_id=NULL;
592 	char *ssl_client_engine_id=NULL;
593 	ENGINE *ssl_client_engine=NULL;
594 #endif
595 	ENGINE *e=NULL;
596 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
597 	struct timeval tv;
598 #if defined(OPENSSL_SYS_BEOS_R5)
599 	int stdin_set = 0;
600 #endif
601 #endif
602 #ifndef OPENSSL_NO_TLSEXT
603 	char *servername = NULL;
604         tlsextctx tlsextcbp =
605         {NULL,0};
606 # ifndef OPENSSL_NO_NEXTPROTONEG
607 	const char *next_proto_neg_in = NULL;
608 # endif
609 #endif
610 	char *sess_in = NULL;
611 	char *sess_out = NULL;
612 	struct sockaddr peer;
613 	int peerlen = sizeof(peer);
614 	int enable_timeouts = 0 ;
615 	long socket_mtu = 0;
616 #ifndef OPENSSL_NO_JPAKE
617 	char *jpake_secret = NULL;
618 #endif
619 #ifndef OPENSSL_NO_SRP
620 	char * srppass = NULL;
621 	int srp_lateuser = 0;
622 	SRP_ARG srp_arg = {NULL,NULL,0,0,0,1024};
623 #endif
624 
625 	meth=SSLv23_client_method();
626 
627 	apps_startup();
628 	c_Pause=0;
629 	c_quiet=0;
630 	c_ign_eof=0;
631 	c_debug=0;
632 	c_msg=0;
633 	c_showcerts=0;
634 
635 	if (bio_err == NULL)
636 		bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
637 
638 	if (!load_config(bio_err, NULL))
639 		goto end;
640 
641 	if (	((cbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
642 		((sbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
643 		((mbuf=OPENSSL_malloc(BUFSIZZ)) == NULL))
644 		{
645 		BIO_printf(bio_err,"out of memory\n");
646 		goto end;
647 		}
648 
649 	verify_depth=0;
650 	verify_error=X509_V_OK;
651 #ifdef FIONBIO
652 	c_nbio=0;
653 #endif
654 
655 	argc--;
656 	argv++;
657 	while (argc >= 1)
658 		{
659 		if	(strcmp(*argv,"-host") == 0)
660 			{
661 			if (--argc < 1) goto bad;
662 			host= *(++argv);
663 			}
664 		else if	(strcmp(*argv,"-port") == 0)
665 			{
666 			if (--argc < 1) goto bad;
667 			port=atoi(*(++argv));
668 			if (port == 0) goto bad;
669 			}
670 		else if (strcmp(*argv,"-connect") == 0)
671 			{
672 			if (--argc < 1) goto bad;
673 			if (!extract_host_port(*(++argv),&host,NULL,&port))
674 				goto bad;
675 			}
676 		else if	(strcmp(*argv,"-verify") == 0)
677 			{
678 			verify=SSL_VERIFY_PEER;
679 			if (--argc < 1) goto bad;
680 			verify_depth=atoi(*(++argv));
681 			BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
682 			}
683 		else if	(strcmp(*argv,"-cert") == 0)
684 			{
685 			if (--argc < 1) goto bad;
686 			cert_file= *(++argv);
687 			}
688 		else if	(strcmp(*argv,"-sess_out") == 0)
689 			{
690 			if (--argc < 1) goto bad;
691 			sess_out = *(++argv);
692 			}
693 		else if	(strcmp(*argv,"-sess_in") == 0)
694 			{
695 			if (--argc < 1) goto bad;
696 			sess_in = *(++argv);
697 			}
698 		else if	(strcmp(*argv,"-certform") == 0)
699 			{
700 			if (--argc < 1) goto bad;
701 			cert_format = str2fmt(*(++argv));
702 			}
703 		else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
704 			{
705 			if (badarg)
706 				goto bad;
707 			continue;
708 			}
709 		else if (strcmp(*argv,"-verify_return_error") == 0)
710 			verify_return_error = 1;
711 		else if	(strcmp(*argv,"-prexit") == 0)
712 			prexit=1;
713 		else if	(strcmp(*argv,"-crlf") == 0)
714 			crlf=1;
715 		else if	(strcmp(*argv,"-quiet") == 0)
716 			{
717 			c_quiet=1;
718 			c_ign_eof=1;
719 			}
720 		else if	(strcmp(*argv,"-ign_eof") == 0)
721 			c_ign_eof=1;
722 		else if	(strcmp(*argv,"-no_ign_eof") == 0)
723 			c_ign_eof=0;
724 		else if	(strcmp(*argv,"-pause") == 0)
725 			c_Pause=1;
726 		else if	(strcmp(*argv,"-debug") == 0)
727 			c_debug=1;
728 #ifndef OPENSSL_NO_TLSEXT
729 		else if	(strcmp(*argv,"-tlsextdebug") == 0)
730 			c_tlsextdebug=1;
731 		else if	(strcmp(*argv,"-status") == 0)
732 			c_status_req=1;
733 #endif
734 #ifdef WATT32
735 		else if (strcmp(*argv,"-wdebug") == 0)
736 			dbug_init();
737 #endif
738 		else if	(strcmp(*argv,"-msg") == 0)
739 			c_msg=1;
740 		else if	(strcmp(*argv,"-showcerts") == 0)
741 			c_showcerts=1;
742 		else if	(strcmp(*argv,"-nbio_test") == 0)
743 			nbio_test=1;
744 		else if	(strcmp(*argv,"-state") == 0)
745 			state=1;
746 #ifndef OPENSSL_NO_PSK
747                 else if (strcmp(*argv,"-psk_identity") == 0)
748 			{
749 			if (--argc < 1) goto bad;
750 			psk_identity=*(++argv);
751 			}
752                 else if (strcmp(*argv,"-psk") == 0)
753 			{
754                         size_t j;
755 
756 			if (--argc < 1) goto bad;
757 			psk_key=*(++argv);
758 			for (j = 0; j < strlen(psk_key); j++)
759                                 {
760                                 if (isxdigit((unsigned char)psk_key[j]))
761                                         continue;
762                                 BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
763                                 goto bad;
764                                 }
765 			}
766 #endif
767 #ifndef OPENSSL_NO_SRP
768 		else if (strcmp(*argv,"-srpuser") == 0)
769 			{
770 			if (--argc < 1) goto bad;
771 			srp_arg.srplogin= *(++argv);
772 			meth=TLSv1_client_method();
773 			}
774 		else if (strcmp(*argv,"-srppass") == 0)
775 			{
776 			if (--argc < 1) goto bad;
777 			srppass= *(++argv);
778 			meth=TLSv1_client_method();
779 			}
780 		else if (strcmp(*argv,"-srp_strength") == 0)
781 			{
782 			if (--argc < 1) goto bad;
783 			srp_arg.strength=atoi(*(++argv));
784 			BIO_printf(bio_err,"SRP minimal length for N is %d\n",srp_arg.strength);
785 			meth=TLSv1_client_method();
786 			}
787 		else if (strcmp(*argv,"-srp_lateuser") == 0)
788 			{
789 			srp_lateuser= 1;
790 			meth=TLSv1_client_method();
791 			}
792 		else if	(strcmp(*argv,"-srp_moregroups") == 0)
793 			{
794 			srp_arg.amp=1;
795 			meth=TLSv1_client_method();
796 			}
797 #endif
798 #ifndef OPENSSL_NO_SSL2
799 		else if	(strcmp(*argv,"-ssl2") == 0)
800 			meth=SSLv2_client_method();
801 #endif
802 #ifndef OPENSSL_NO_SSL3
803 		else if	(strcmp(*argv,"-ssl3") == 0)
804 			meth=SSLv3_client_method();
805 #endif
806 #ifndef OPENSSL_NO_TLS1
807 		else if	(strcmp(*argv,"-tls1_2") == 0)
808 			meth=TLSv1_2_client_method();
809 		else if	(strcmp(*argv,"-tls1_1") == 0)
810 			meth=TLSv1_1_client_method();
811 		else if	(strcmp(*argv,"-tls1") == 0)
812 			meth=TLSv1_client_method();
813 #endif
814 #ifndef OPENSSL_NO_DTLS1
815 		else if	(strcmp(*argv,"-dtls1") == 0)
816 			{
817 			meth=DTLSv1_client_method();
818 			socket_type=SOCK_DGRAM;
819 			}
820 		else if (strcmp(*argv,"-timeout") == 0)
821 			enable_timeouts=1;
822 		else if (strcmp(*argv,"-mtu") == 0)
823 			{
824 			if (--argc < 1) goto bad;
825 			socket_mtu = atol(*(++argv));
826 			}
827 #endif
828 		else if (strcmp(*argv,"-bugs") == 0)
829 			bugs=1;
830 		else if	(strcmp(*argv,"-keyform") == 0)
831 			{
832 			if (--argc < 1) goto bad;
833 			key_format = str2fmt(*(++argv));
834 			}
835 		else if	(strcmp(*argv,"-pass") == 0)
836 			{
837 			if (--argc < 1) goto bad;
838 			passarg = *(++argv);
839 			}
840 		else if	(strcmp(*argv,"-key") == 0)
841 			{
842 			if (--argc < 1) goto bad;
843 			key_file= *(++argv);
844 			}
845 		else if	(strcmp(*argv,"-reconnect") == 0)
846 			{
847 			reconnect=5;
848 			}
849 		else if	(strcmp(*argv,"-CApath") == 0)
850 			{
851 			if (--argc < 1) goto bad;
852 			CApath= *(++argv);
853 			}
854 		else if	(strcmp(*argv,"-CAfile") == 0)
855 			{
856 			if (--argc < 1) goto bad;
857 			CAfile= *(++argv);
858 			}
859 		else if (strcmp(*argv,"-no_tls1_2") == 0)
860 			off|=SSL_OP_NO_TLSv1_2;
861 		else if (strcmp(*argv,"-no_tls1_1") == 0)
862 			off|=SSL_OP_NO_TLSv1_1;
863 		else if (strcmp(*argv,"-no_tls1") == 0)
864 			off|=SSL_OP_NO_TLSv1;
865 		else if (strcmp(*argv,"-no_ssl3") == 0)
866 			off|=SSL_OP_NO_SSLv3;
867 		else if (strcmp(*argv,"-no_ssl2") == 0)
868 			off|=SSL_OP_NO_SSLv2;
869 		else if	(strcmp(*argv,"-no_comp") == 0)
870 			{ off|=SSL_OP_NO_COMPRESSION; }
871 #ifndef OPENSSL_NO_TLSEXT
872 		else if	(strcmp(*argv,"-no_ticket") == 0)
873 			{ off|=SSL_OP_NO_TICKET; }
874 # ifndef OPENSSL_NO_NEXTPROTONEG
875 		else if (strcmp(*argv,"-nextprotoneg") == 0)
876 			{
877 			if (--argc < 1) goto bad;
878 			next_proto_neg_in = *(++argv);
879 			}
880 # endif
881 #endif
882 		else if (strcmp(*argv,"-serverpref") == 0)
883 			off|=SSL_OP_CIPHER_SERVER_PREFERENCE;
884 		else if (strcmp(*argv,"-legacy_renegotiation") == 0)
885 			off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
886 		else if	(strcmp(*argv,"-legacy_server_connect") == 0)
887 			{ off|=SSL_OP_LEGACY_SERVER_CONNECT; }
888 		else if	(strcmp(*argv,"-no_legacy_server_connect") == 0)
889 			{ clr|=SSL_OP_LEGACY_SERVER_CONNECT; }
890 		else if	(strcmp(*argv,"-cipher") == 0)
891 			{
892 			if (--argc < 1) goto bad;
893 			cipher= *(++argv);
894 			}
895 #ifdef FIONBIO
896 		else if (strcmp(*argv,"-nbio") == 0)
897 			{ c_nbio=1; }
898 #endif
899 		else if	(strcmp(*argv,"-starttls") == 0)
900 			{
901 			if (--argc < 1) goto bad;
902 			++argv;
903 			if (strcmp(*argv,"smtp") == 0)
904 				starttls_proto = PROTO_SMTP;
905 			else if (strcmp(*argv,"pop3") == 0)
906 				starttls_proto = PROTO_POP3;
907 			else if (strcmp(*argv,"imap") == 0)
908 				starttls_proto = PROTO_IMAP;
909 			else if (strcmp(*argv,"ftp") == 0)
910 				starttls_proto = PROTO_FTP;
911 			else if (strcmp(*argv, "xmpp") == 0)
912 				starttls_proto = PROTO_XMPP;
913 			else
914 				goto bad;
915 			}
916 #ifndef OPENSSL_NO_ENGINE
917 		else if	(strcmp(*argv,"-engine") == 0)
918 			{
919 			if (--argc < 1) goto bad;
920 			engine_id = *(++argv);
921 			}
922 		else if	(strcmp(*argv,"-ssl_client_engine") == 0)
923 			{
924 			if (--argc < 1) goto bad;
925 			ssl_client_engine_id = *(++argv);
926 			}
927 #endif
928 		else if (strcmp(*argv,"-rand") == 0)
929 			{
930 			if (--argc < 1) goto bad;
931 			inrand= *(++argv);
932 			}
933 #ifndef OPENSSL_NO_TLSEXT
934 		else if (strcmp(*argv,"-servername") == 0)
935 			{
936 			if (--argc < 1) goto bad;
937 			servername= *(++argv);
938 			/* meth=TLSv1_client_method(); */
939 			}
940 #endif
941 #ifndef OPENSSL_NO_JPAKE
942 		else if (strcmp(*argv,"-jpake") == 0)
943 			{
944 			if (--argc < 1) goto bad;
945 			jpake_secret = *++argv;
946 			}
947 #endif
948 		else if (strcmp(*argv,"-use_srtp") == 0)
949 			{
950 			if (--argc < 1) goto bad;
951 			srtp_profiles = *(++argv);
952 			}
953 		else if (strcmp(*argv,"-keymatexport") == 0)
954 			{
955 			if (--argc < 1) goto bad;
956 			keymatexportlabel= *(++argv);
957 			}
958 		else if (strcmp(*argv,"-keymatexportlen") == 0)
959 			{
960 			if (--argc < 1) goto bad;
961 			keymatexportlen=atoi(*(++argv));
962 			if (keymatexportlen == 0) goto bad;
963 			}
964                 else
965 			{
966 			BIO_printf(bio_err,"unknown option %s\n",*argv);
967 			badop=1;
968 			break;
969 			}
970 		argc--;
971 		argv++;
972 		}
973 	if (badop)
974 		{
975 bad:
976 		sc_usage();
977 		goto end;
978 		}
979 
980 #if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
981 	if (jpake_secret)
982 		{
983 		if (psk_key)
984 			{
985 			BIO_printf(bio_err,
986 				   "Can't use JPAKE and PSK together\n");
987 			goto end;
988 			}
989 		psk_identity = "JPAKE";
990 		if (cipher)
991 			{
992 			BIO_printf(bio_err, "JPAKE sets cipher to PSK\n");
993 			goto end;
994 			}
995 		cipher = "PSK";
996 		}
997 #endif
998 
999 	OpenSSL_add_ssl_algorithms();
1000 	SSL_load_error_strings();
1001 
1002 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
1003 	next_proto.status = -1;
1004 	if (next_proto_neg_in)
1005 		{
1006 		next_proto.data = next_protos_parse(&next_proto.len, next_proto_neg_in);
1007 		if (next_proto.data == NULL)
1008 			{
1009 			BIO_printf(bio_err, "Error parsing -nextprotoneg argument\n");
1010 			goto end;
1011 			}
1012 		}
1013 	else
1014 		next_proto.data = NULL;
1015 #endif
1016 
1017 #ifndef OPENSSL_NO_ENGINE
1018         e = setup_engine(bio_err, engine_id, 1);
1019 	if (ssl_client_engine_id)
1020 		{
1021 		ssl_client_engine = ENGINE_by_id(ssl_client_engine_id);
1022 		if (!ssl_client_engine)
1023 			{
1024 			BIO_printf(bio_err,
1025 					"Error getting client auth engine\n");
1026 			goto end;
1027 			}
1028 		}
1029 
1030 #endif
1031 	if (!app_passwd(bio_err, passarg, NULL, &pass, NULL))
1032 		{
1033 		BIO_printf(bio_err, "Error getting password\n");
1034 		goto end;
1035 		}
1036 
1037 	if (key_file == NULL)
1038 		key_file = cert_file;
1039 
1040 
1041 	if (key_file)
1042 
1043 		{
1044 
1045 		key = load_key(bio_err, key_file, key_format, 0, pass, e,
1046 			       "client certificate private key file");
1047 		if (!key)
1048 			{
1049 			ERR_print_errors(bio_err);
1050 			goto end;
1051 			}
1052 
1053 		}
1054 
1055 	if (cert_file)
1056 
1057 		{
1058 		cert = load_cert(bio_err,cert_file,cert_format,
1059 				NULL, e, "client certificate file");
1060 
1061 		if (!cert)
1062 			{
1063 			ERR_print_errors(bio_err);
1064 			goto end;
1065 			}
1066 		}
1067 
1068 	if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
1069 		&& !RAND_status())
1070 		{
1071 		BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
1072 		}
1073 	if (inrand != NULL)
1074 		BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
1075 			app_RAND_load_files(inrand));
1076 
1077 	if (bio_c_out == NULL)
1078 		{
1079 		if (c_quiet && !c_debug && !c_msg)
1080 			{
1081 			bio_c_out=BIO_new(BIO_s_null());
1082 			}
1083 		else
1084 			{
1085 			if (bio_c_out == NULL)
1086 				bio_c_out=BIO_new_fp(stdout,BIO_NOCLOSE);
1087 			}
1088 		}
1089 
1090 #ifndef OPENSSL_NO_SRP
1091 	if(!app_passwd(bio_err, srppass, NULL, &srp_arg.srppassin, NULL))
1092 		{
1093 		BIO_printf(bio_err, "Error getting password\n");
1094 		goto end;
1095 		}
1096 #endif
1097 
1098 	ctx=SSL_CTX_new(meth);
1099 	if (ctx == NULL)
1100 		{
1101 		ERR_print_errors(bio_err);
1102 		goto end;
1103 		}
1104 
1105 	if (vpm)
1106 		SSL_CTX_set1_param(ctx, vpm);
1107 
1108 #ifndef OPENSSL_NO_ENGINE
1109 	if (ssl_client_engine)
1110 		{
1111 		if (!SSL_CTX_set_client_cert_engine(ctx, ssl_client_engine))
1112 			{
1113 			BIO_puts(bio_err, "Error setting client auth engine\n");
1114 			ERR_print_errors(bio_err);
1115 			ENGINE_free(ssl_client_engine);
1116 			goto end;
1117 			}
1118 		ENGINE_free(ssl_client_engine);
1119 		}
1120 #endif
1121 
1122 #ifndef OPENSSL_NO_PSK
1123 #ifdef OPENSSL_NO_JPAKE
1124 	if (psk_key != NULL)
1125 #else
1126 	if (psk_key != NULL || jpake_secret)
1127 #endif
1128 		{
1129 		if (c_debug)
1130 			BIO_printf(bio_c_out, "PSK key given or JPAKE in use, setting client callback\n");
1131 		SSL_CTX_set_psk_client_callback(ctx, psk_client_cb);
1132 		}
1133 	if (srtp_profiles != NULL)
1134 		SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles);
1135 #endif
1136 	if (bugs)
1137 		SSL_CTX_set_options(ctx,SSL_OP_ALL|off);
1138 	else
1139 		SSL_CTX_set_options(ctx,off);
1140 
1141 	if (clr)
1142 		SSL_CTX_clear_options(ctx, clr);
1143 	/* DTLS: partial reads end up discarding unread UDP bytes :-(
1144 	 * Setting read ahead solves this problem.
1145 	 */
1146 	if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
1147 
1148 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
1149 	if (next_proto.data)
1150 		SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);
1151 #endif
1152 
1153 	if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
1154 	if (cipher != NULL)
1155 		if(!SSL_CTX_set_cipher_list(ctx,cipher)) {
1156 		BIO_printf(bio_err,"error setting cipher list\n");
1157 		ERR_print_errors(bio_err);
1158 		goto end;
1159 	}
1160 #if 0
1161 	else
1162 		SSL_CTX_set_cipher_list(ctx,getenv("SSL_CIPHER"));
1163 #endif
1164 
1165 	SSL_CTX_set_verify(ctx,verify,verify_callback);
1166 	if (!set_cert_key_stuff(ctx,cert,key))
1167 		goto end;
1168 
1169 	if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
1170 		(!SSL_CTX_set_default_verify_paths(ctx)))
1171 		{
1172 		/* BIO_printf(bio_err,"error setting default verify locations\n"); */
1173 		ERR_print_errors(bio_err);
1174 		/* goto end; */
1175 		}
1176 
1177 #ifndef OPENSSL_NO_TLSEXT
1178 	if (servername != NULL)
1179 		{
1180 		tlsextcbp.biodebug = bio_err;
1181 		SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
1182 		SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
1183 		}
1184 #ifndef OPENSSL_NO_SRP
1185         if (srp_arg.srplogin)
1186 		{
1187 		if (!srp_lateuser && !SSL_CTX_set_srp_username(ctx, srp_arg.srplogin))
1188 			{
1189 			BIO_printf(bio_err,"Unable to set SRP username\n");
1190 			goto end;
1191 			}
1192 		srp_arg.msg = c_msg;
1193 		srp_arg.debug = c_debug ;
1194 		SSL_CTX_set_srp_cb_arg(ctx,&srp_arg);
1195 		SSL_CTX_set_srp_client_pwd_callback(ctx, ssl_give_srp_client_pwd_cb);
1196 		SSL_CTX_set_srp_strength(ctx, srp_arg.strength);
1197 		if (c_msg || c_debug || srp_arg.amp == 0)
1198 			SSL_CTX_set_srp_verify_param_callback(ctx, ssl_srp_verify_param_cb);
1199 		}
1200 
1201 #endif
1202 #endif
1203 
1204 	con=SSL_new(ctx);
1205 	if (sess_in)
1206 		{
1207 		SSL_SESSION *sess;
1208 		BIO *stmp = BIO_new_file(sess_in, "r");
1209 		if (!stmp)
1210 			{
1211 			BIO_printf(bio_err, "Can't open session file %s\n",
1212 						sess_in);
1213 			ERR_print_errors(bio_err);
1214 			goto end;
1215 			}
1216 		sess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL);
1217 		BIO_free(stmp);
1218 		if (!sess)
1219 			{
1220 			BIO_printf(bio_err, "Can't open session file %s\n",
1221 						sess_in);
1222 			ERR_print_errors(bio_err);
1223 			goto end;
1224 			}
1225 		SSL_set_session(con, sess);
1226 		SSL_SESSION_free(sess);
1227 		}
1228 #ifndef OPENSSL_NO_TLSEXT
1229 	if (servername != NULL)
1230 		{
1231 		if (!SSL_set_tlsext_host_name(con,servername))
1232 			{
1233 			BIO_printf(bio_err,"Unable to set TLS servername extension.\n");
1234 			ERR_print_errors(bio_err);
1235 			goto end;
1236 			}
1237 		}
1238 #endif
1239 #ifndef OPENSSL_NO_KRB5
1240 	if (con  &&  (kctx = kssl_ctx_new()) != NULL)
1241                 {
1242 		SSL_set0_kssl_ctx(con, kctx);
1243                 kssl_ctx_setstring(kctx, KSSL_SERVER, host);
1244 		}
1245 #endif	/* OPENSSL_NO_KRB5  */
1246 /*	SSL_set_cipher_list(con,"RC4-MD5"); */
1247 #if 0
1248 #ifdef TLSEXT_TYPE_opaque_prf_input
1249 	SSL_set_tlsext_opaque_prf_input(con, "Test client", 11);
1250 #endif
1251 #endif
1252 
1253 re_start:
1254 
1255 	if (init_client(&s,host,port,socket_type) == 0)
1256 		{
1257 		BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
1258 		SHUTDOWN(s);
1259 		goto end;
1260 		}
1261 	BIO_printf(bio_c_out,"CONNECTED(%08X)\n",s);
1262 
1263 #ifdef FIONBIO
1264 	if (c_nbio)
1265 		{
1266 		unsigned long l=1;
1267 		BIO_printf(bio_c_out,"turning on non blocking io\n");
1268 		if (BIO_socket_ioctl(s,FIONBIO,&l) < 0)
1269 			{
1270 			ERR_print_errors(bio_err);
1271 			goto end;
1272 			}
1273 		}
1274 #endif
1275 	if (c_Pause & 0x01) SSL_set_debug(con, 1);
1276 
1277 	if ( SSL_version(con) == DTLS1_VERSION)
1278 		{
1279 
1280 		sbio=BIO_new_dgram(s,BIO_NOCLOSE);
1281 		if (getsockname(s, &peer, (void *)&peerlen) < 0)
1282 			{
1283 			BIO_printf(bio_err, "getsockname:errno=%d\n",
1284 				get_last_socket_error());
1285 			SHUTDOWN(s);
1286 			goto end;
1287 			}
1288 
1289 		(void)BIO_ctrl_set_connected(sbio, 1, &peer);
1290 
1291 		if (enable_timeouts)
1292 			{
1293 			timeout.tv_sec = 0;
1294 			timeout.tv_usec = DGRAM_RCV_TIMEOUT;
1295 			BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
1296 
1297 			timeout.tv_sec = 0;
1298 			timeout.tv_usec = DGRAM_SND_TIMEOUT;
1299 			BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
1300 			}
1301 
1302 		if (socket_mtu > 28)
1303 			{
1304 			SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
1305 			SSL_set_mtu(con, socket_mtu - 28);
1306 			}
1307 		else
1308 			/* want to do MTU discovery */
1309 			BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
1310 		}
1311 	else
1312 		sbio=BIO_new_socket(s,BIO_NOCLOSE);
1313 
1314 	if (nbio_test)
1315 		{
1316 		BIO *test;
1317 
1318 		test=BIO_new(BIO_f_nbio_test());
1319 		sbio=BIO_push(test,sbio);
1320 		}
1321 
1322 	if (c_debug)
1323 		{
1324 		SSL_set_debug(con, 1);
1325 		BIO_set_callback(sbio,bio_dump_callback);
1326 		BIO_set_callback_arg(sbio,(char *)bio_c_out);
1327 		}
1328 	if (c_msg)
1329 		{
1330 		SSL_set_msg_callback(con, msg_cb);
1331 		SSL_set_msg_callback_arg(con, bio_c_out);
1332 		}
1333 #ifndef OPENSSL_NO_TLSEXT
1334 	if (c_tlsextdebug)
1335 		{
1336 		SSL_set_tlsext_debug_callback(con, tlsext_cb);
1337 		SSL_set_tlsext_debug_arg(con, bio_c_out);
1338 		}
1339 	if (c_status_req)
1340 		{
1341 		SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp);
1342 		SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb);
1343 		SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out);
1344 #if 0
1345 {
1346 STACK_OF(OCSP_RESPID) *ids = sk_OCSP_RESPID_new_null();
1347 OCSP_RESPID *id = OCSP_RESPID_new();
1348 id->value.byKey = ASN1_OCTET_STRING_new();
1349 id->type = V_OCSP_RESPID_KEY;
1350 ASN1_STRING_set(id->value.byKey, "Hello World", -1);
1351 sk_OCSP_RESPID_push(ids, id);
1352 SSL_set_tlsext_status_ids(con, ids);
1353 }
1354 #endif
1355 		}
1356 #endif
1357 #ifndef OPENSSL_NO_JPAKE
1358 	if (jpake_secret)
1359 		jpake_client_auth(bio_c_out, sbio, jpake_secret);
1360 #endif
1361 
1362 	SSL_set_bio(con,sbio,sbio);
1363 	SSL_set_connect_state(con);
1364 
1365 	/* ok, lets connect */
1366 	width=SSL_get_fd(con)+1;
1367 
1368 	read_tty=1;
1369 	write_tty=0;
1370 	tty_on=0;
1371 	read_ssl=1;
1372 	write_ssl=1;
1373 
1374 	cbuf_len=0;
1375 	cbuf_off=0;
1376 	sbuf_len=0;
1377 	sbuf_off=0;
1378 
1379 	/* This is an ugly hack that does a lot of assumptions */
1380 	/* We do have to handle multi-line responses which may come
1381  	   in a single packet or not. We therefore have to use
1382 	   BIO_gets() which does need a buffering BIO. So during
1383 	   the initial chitchat we do push a buffering BIO into the
1384 	   chain that is removed again later on to not disturb the
1385 	   rest of the s_client operation. */
1386 	if (starttls_proto == PROTO_SMTP)
1387 		{
1388 		int foundit=0;
1389 		BIO *fbio = BIO_new(BIO_f_buffer());
1390 		BIO_push(fbio, sbio);
1391 		/* wait for multi-line response to end from SMTP */
1392 		do
1393 			{
1394 			mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1395 			}
1396 		while (mbuf_len>3 && mbuf[3]=='-');
1397 		/* STARTTLS command requires EHLO... */
1398 		BIO_printf(fbio,"EHLO openssl.client.net\r\n");
1399 		(void)BIO_flush(fbio);
1400 		/* wait for multi-line response to end EHLO SMTP response */
1401 		do
1402 			{
1403 			mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1404 			if (strstr(mbuf,"STARTTLS"))
1405 				foundit=1;
1406 			}
1407 		while (mbuf_len>3 && mbuf[3]=='-');
1408 		(void)BIO_flush(fbio);
1409 		BIO_pop(fbio);
1410 		BIO_free(fbio);
1411 		if (!foundit)
1412 			BIO_printf(bio_err,
1413 				   "didn't found starttls in server response,"
1414 				   " try anyway...\n");
1415 		BIO_printf(sbio,"STARTTLS\r\n");
1416 		BIO_read(sbio,sbuf,BUFSIZZ);
1417 		}
1418 	else if (starttls_proto == PROTO_POP3)
1419 		{
1420 		BIO_read(sbio,mbuf,BUFSIZZ);
1421 		BIO_printf(sbio,"STLS\r\n");
1422 		BIO_read(sbio,sbuf,BUFSIZZ);
1423 		}
1424 	else if (starttls_proto == PROTO_IMAP)
1425 		{
1426 		int foundit=0;
1427 		BIO *fbio = BIO_new(BIO_f_buffer());
1428 		BIO_push(fbio, sbio);
1429 		BIO_gets(fbio,mbuf,BUFSIZZ);
1430 		/* STARTTLS command requires CAPABILITY... */
1431 		BIO_printf(fbio,". CAPABILITY\r\n");
1432 		(void)BIO_flush(fbio);
1433 		/* wait for multi-line CAPABILITY response */
1434 		do
1435 			{
1436 			mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1437 			if (strstr(mbuf,"STARTTLS"))
1438 				foundit=1;
1439 			}
1440 		while (mbuf_len>3 && mbuf[0]!='.');
1441 		(void)BIO_flush(fbio);
1442 		BIO_pop(fbio);
1443 		BIO_free(fbio);
1444 		if (!foundit)
1445 			BIO_printf(bio_err,
1446 				   "didn't found STARTTLS in server response,"
1447 				   " try anyway...\n");
1448 		BIO_printf(sbio,". STARTTLS\r\n");
1449 		BIO_read(sbio,sbuf,BUFSIZZ);
1450 		}
1451 	else if (starttls_proto == PROTO_FTP)
1452 		{
1453 		BIO *fbio = BIO_new(BIO_f_buffer());
1454 		BIO_push(fbio, sbio);
1455 		/* wait for multi-line response to end from FTP */
1456 		do
1457 			{
1458 			mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1459 			}
1460 		while (mbuf_len>3 && mbuf[3]=='-');
1461 		(void)BIO_flush(fbio);
1462 		BIO_pop(fbio);
1463 		BIO_free(fbio);
1464 		BIO_printf(sbio,"AUTH TLS\r\n");
1465 		BIO_read(sbio,sbuf,BUFSIZZ);
1466 		}
1467 	if (starttls_proto == PROTO_XMPP)
1468 		{
1469 		int seen = 0;
1470 		BIO_printf(sbio,"<stream:stream "
1471 		    "xmlns:stream='http://etherx.jabber.org/streams' "
1472 		    "xmlns='jabber:client' to='%s' version='1.0'>", host);
1473 		seen = BIO_read(sbio,mbuf,BUFSIZZ);
1474 		mbuf[seen] = 0;
1475 		while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'"))
1476 			{
1477 			if (strstr(mbuf, "/stream:features>"))
1478 				goto shut;
1479 			seen = BIO_read(sbio,mbuf,BUFSIZZ);
1480 			mbuf[seen] = 0;
1481 			}
1482 		BIO_printf(sbio, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>");
1483 		seen = BIO_read(sbio,sbuf,BUFSIZZ);
1484 		sbuf[seen] = 0;
1485 		if (!strstr(sbuf, "<proceed"))
1486 			goto shut;
1487 		mbuf[0] = 0;
1488 		}
1489 
1490 	for (;;)
1491 		{
1492 		FD_ZERO(&readfds);
1493 		FD_ZERO(&writefds);
1494 
1495 		if ((SSL_version(con) == DTLS1_VERSION) &&
1496 			DTLSv1_get_timeout(con, &timeout))
1497 			timeoutp = &timeout;
1498 		else
1499 			timeoutp = NULL;
1500 
1501 		if (SSL_in_init(con) && !SSL_total_renegotiations(con))
1502 			{
1503 			in_init=1;
1504 			tty_on=0;
1505 			}
1506 		else
1507 			{
1508 			tty_on=1;
1509 			if (in_init)
1510 				{
1511 				in_init=0;
1512 #if 0 /* This test doesn't really work as intended (needs to be fixed) */
1513 #ifndef OPENSSL_NO_TLSEXT
1514 				if (servername != NULL && !SSL_session_reused(con))
1515 					{
1516 					BIO_printf(bio_c_out,"Server did %sacknowledge servername extension.\n",tlsextcbp.ack?"":"not ");
1517 					}
1518 #endif
1519 #endif
1520 				if (sess_out)
1521 					{
1522 					BIO *stmp = BIO_new_file(sess_out, "w");
1523 					if (stmp)
1524 						{
1525 						PEM_write_bio_SSL_SESSION(stmp, SSL_get_session(con));
1526 						BIO_free(stmp);
1527 						}
1528 					else
1529 						BIO_printf(bio_err, "Error writing session file %s\n", sess_out);
1530 					}
1531 				print_stuff(bio_c_out,con,full_log);
1532 				if (full_log > 0) full_log--;
1533 
1534 				if (starttls_proto)
1535 					{
1536 					BIO_printf(bio_err,"%s",mbuf);
1537 					/* We don't need to know any more */
1538 					starttls_proto = PROTO_OFF;
1539 					}
1540 
1541 				if (reconnect)
1542 					{
1543 					reconnect--;
1544 					BIO_printf(bio_c_out,"drop connection and then reconnect\n");
1545 					SSL_shutdown(con);
1546 					SSL_set_connect_state(con);
1547 					SHUTDOWN(SSL_get_fd(con));
1548 					goto re_start;
1549 					}
1550 				}
1551 			}
1552 
1553 		ssl_pending = read_ssl && SSL_pending(con);
1554 
1555 		if (!ssl_pending)
1556 			{
1557 #if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) && !defined (OPENSSL_SYS_BEOS_R5)
1558 			if (tty_on)
1559 				{
1560 				if (read_tty)  openssl_fdset(fileno(stdin),&readfds);
1561 				if (write_tty) openssl_fdset(fileno(stdout),&writefds);
1562 				}
1563 			if (read_ssl)
1564 				openssl_fdset(SSL_get_fd(con),&readfds);
1565 			if (write_ssl)
1566 				openssl_fdset(SSL_get_fd(con),&writefds);
1567 #else
1568 			if(!tty_on || !write_tty) {
1569 				if (read_ssl)
1570 					openssl_fdset(SSL_get_fd(con),&readfds);
1571 				if (write_ssl)
1572 					openssl_fdset(SSL_get_fd(con),&writefds);
1573 			}
1574 #endif
1575 /*			printf("mode tty(%d %d%d) ssl(%d%d)\n",
1576 				tty_on,read_tty,write_tty,read_ssl,write_ssl);*/
1577 
1578 			/* Note: under VMS with SOCKETSHR the second parameter
1579 			 * is currently of type (int *) whereas under other
1580 			 * systems it is (void *) if you don't have a cast it
1581 			 * will choke the compiler: if you do have a cast then
1582 			 * you can either go for (int *) or (void *).
1583 			 */
1584 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
1585                         /* Under Windows/DOS we make the assumption that we can
1586 			 * always write to the tty: therefore if we need to
1587 			 * write to the tty we just fall through. Otherwise
1588 			 * we timeout the select every second and see if there
1589 			 * are any keypresses. Note: this is a hack, in a proper
1590 			 * Windows application we wouldn't do this.
1591 			 */
1592 			i=0;
1593 			if(!write_tty) {
1594 				if(read_tty) {
1595 					tv.tv_sec = 1;
1596 					tv.tv_usec = 0;
1597 					i=select(width,(void *)&readfds,(void *)&writefds,
1598 						 NULL,&tv);
1599 #if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
1600 					if(!i && (!_kbhit() || !read_tty) ) continue;
1601 #else
1602 					if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue;
1603 #endif
1604 				} else 	i=select(width,(void *)&readfds,(void *)&writefds,
1605 					 NULL,timeoutp);
1606 			}
1607 #elif defined(OPENSSL_SYS_NETWARE)
1608 			if(!write_tty) {
1609 				if(read_tty) {
1610 					tv.tv_sec = 1;
1611 					tv.tv_usec = 0;
1612 					i=select(width,(void *)&readfds,(void *)&writefds,
1613 						NULL,&tv);
1614 				} else 	i=select(width,(void *)&readfds,(void *)&writefds,
1615 					NULL,timeoutp);
1616 			}
1617 #elif defined(OPENSSL_SYS_BEOS_R5)
1618 			/* Under BeOS-R5 the situation is similar to DOS */
1619 			i=0;
1620 			stdin_set = 0;
1621 			(void)fcntl(fileno(stdin), F_SETFL, O_NONBLOCK);
1622 			if(!write_tty) {
1623 				if(read_tty) {
1624 					tv.tv_sec = 1;
1625 					tv.tv_usec = 0;
1626 					i=select(width,(void *)&readfds,(void *)&writefds,
1627 						 NULL,&tv);
1628 					if (read(fileno(stdin), sbuf, 0) >= 0)
1629 						stdin_set = 1;
1630 					if (!i && (stdin_set != 1 || !read_tty))
1631 						continue;
1632 				} else 	i=select(width,(void *)&readfds,(void *)&writefds,
1633 					 NULL,timeoutp);
1634 			}
1635 			(void)fcntl(fileno(stdin), F_SETFL, 0);
1636 #else
1637 			i=select(width,(void *)&readfds,(void *)&writefds,
1638 				 NULL,timeoutp);
1639 #endif
1640 			if ( i < 0)
1641 				{
1642 				BIO_printf(bio_err,"bad select %d\n",
1643 				get_last_socket_error());
1644 				goto shut;
1645 				/* goto end; */
1646 				}
1647 			}
1648 
1649 		if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0)
1650 			{
1651 			BIO_printf(bio_err,"TIMEOUT occured\n");
1652 			}
1653 
1654 		if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds))
1655 			{
1656 			k=SSL_write(con,&(cbuf[cbuf_off]),
1657 				(unsigned int)cbuf_len);
1658 			switch (SSL_get_error(con,k))
1659 				{
1660 			case SSL_ERROR_NONE:
1661 				cbuf_off+=k;
1662 				cbuf_len-=k;
1663 				if (k <= 0) goto end;
1664 				/* we have done a  write(con,NULL,0); */
1665 				if (cbuf_len <= 0)
1666 					{
1667 					read_tty=1;
1668 					write_ssl=0;
1669 					}
1670 				else /* if (cbuf_len > 0) */
1671 					{
1672 					read_tty=0;
1673 					write_ssl=1;
1674 					}
1675 				break;
1676 			case SSL_ERROR_WANT_WRITE:
1677 				BIO_printf(bio_c_out,"write W BLOCK\n");
1678 				write_ssl=1;
1679 				read_tty=0;
1680 				break;
1681 			case SSL_ERROR_WANT_READ:
1682 				BIO_printf(bio_c_out,"write R BLOCK\n");
1683 				write_tty=0;
1684 				read_ssl=1;
1685 				write_ssl=0;
1686 				break;
1687 			case SSL_ERROR_WANT_X509_LOOKUP:
1688 				BIO_printf(bio_c_out,"write X BLOCK\n");
1689 				break;
1690 			case SSL_ERROR_ZERO_RETURN:
1691 				if (cbuf_len != 0)
1692 					{
1693 					BIO_printf(bio_c_out,"shutdown\n");
1694 					ret = 0;
1695 					goto shut;
1696 					}
1697 				else
1698 					{
1699 					read_tty=1;
1700 					write_ssl=0;
1701 					break;
1702 					}
1703 
1704 			case SSL_ERROR_SYSCALL:
1705 				if ((k != 0) || (cbuf_len != 0))
1706 					{
1707 					BIO_printf(bio_err,"write:errno=%d\n",
1708 						get_last_socket_error());
1709 					goto shut;
1710 					}
1711 				else
1712 					{
1713 					read_tty=1;
1714 					write_ssl=0;
1715 					}
1716 				break;
1717 			case SSL_ERROR_SSL:
1718 				ERR_print_errors(bio_err);
1719 				goto shut;
1720 				}
1721 			}
1722 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
1723 		/* Assume Windows/DOS/BeOS can always write */
1724 		else if (!ssl_pending && write_tty)
1725 #else
1726 		else if (!ssl_pending && FD_ISSET(fileno(stdout),&writefds))
1727 #endif
1728 			{
1729 #ifdef CHARSET_EBCDIC
1730 			ascii2ebcdic(&(sbuf[sbuf_off]),&(sbuf[sbuf_off]),sbuf_len);
1731 #endif
1732 			i=raw_write_stdout(&(sbuf[sbuf_off]),sbuf_len);
1733 
1734 			if (i <= 0)
1735 				{
1736 				BIO_printf(bio_c_out,"DONE\n");
1737 				ret = 0;
1738 				goto shut;
1739 				/* goto end; */
1740 				}
1741 
1742 			sbuf_len-=i;;
1743 			sbuf_off+=i;
1744 			if (sbuf_len <= 0)
1745 				{
1746 				read_ssl=1;
1747 				write_tty=0;
1748 				}
1749 			}
1750 		else if (ssl_pending || FD_ISSET(SSL_get_fd(con),&readfds))
1751 			{
1752 #ifdef RENEG
1753 { static int iiii; if (++iiii == 52) { SSL_renegotiate(con); iiii=0; } }
1754 #endif
1755 #if 1
1756 			k=SSL_read(con,sbuf,1024 /* BUFSIZZ */ );
1757 #else
1758 /* Demo for pending and peek :-) */
1759 			k=SSL_read(con,sbuf,16);
1760 { char zbuf[10240];
1761 printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240));
1762 }
1763 #endif
1764 
1765 			switch (SSL_get_error(con,k))
1766 				{
1767 			case SSL_ERROR_NONE:
1768 				if (k <= 0)
1769 					goto end;
1770 				sbuf_off=0;
1771 				sbuf_len=k;
1772 
1773 				read_ssl=0;
1774 				write_tty=1;
1775 				break;
1776 			case SSL_ERROR_WANT_WRITE:
1777 				BIO_printf(bio_c_out,"read W BLOCK\n");
1778 				write_ssl=1;
1779 				read_tty=0;
1780 				break;
1781 			case SSL_ERROR_WANT_READ:
1782 				BIO_printf(bio_c_out,"read R BLOCK\n");
1783 				write_tty=0;
1784 				read_ssl=1;
1785 				if ((read_tty == 0) && (write_ssl == 0))
1786 					write_ssl=1;
1787 				break;
1788 			case SSL_ERROR_WANT_X509_LOOKUP:
1789 				BIO_printf(bio_c_out,"read X BLOCK\n");
1790 				break;
1791 			case SSL_ERROR_SYSCALL:
1792 				ret=get_last_socket_error();
1793 				BIO_printf(bio_err,"read:errno=%d\n",ret);
1794 				goto shut;
1795 			case SSL_ERROR_ZERO_RETURN:
1796 				BIO_printf(bio_c_out,"closed\n");
1797 				ret=0;
1798 				goto shut;
1799 			case SSL_ERROR_SSL:
1800 				ERR_print_errors(bio_err);
1801 				goto shut;
1802 				/* break; */
1803 				}
1804 			}
1805 
1806 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
1807 #if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
1808 		else if (_kbhit())
1809 #else
1810 		else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
1811 #endif
1812 #elif defined (OPENSSL_SYS_NETWARE)
1813 		else if (_kbhit())
1814 #elif defined(OPENSSL_SYS_BEOS_R5)
1815 		else if (stdin_set)
1816 #else
1817 		else if (FD_ISSET(fileno(stdin),&readfds))
1818 #endif
1819 			{
1820 			if (crlf)
1821 				{
1822 				int j, lf_num;
1823 
1824 				i=raw_read_stdin(cbuf,BUFSIZZ/2);
1825 				lf_num = 0;
1826 				/* both loops are skipped when i <= 0 */
1827 				for (j = 0; j < i; j++)
1828 					if (cbuf[j] == '\n')
1829 						lf_num++;
1830 				for (j = i-1; j >= 0; j--)
1831 					{
1832 					cbuf[j+lf_num] = cbuf[j];
1833 					if (cbuf[j] == '\n')
1834 						{
1835 						lf_num--;
1836 						i++;
1837 						cbuf[j+lf_num] = '\r';
1838 						}
1839 					}
1840 				assert(lf_num == 0);
1841 				}
1842 			else
1843 				i=raw_read_stdin(cbuf,BUFSIZZ);
1844 
1845 			if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q')))
1846 				{
1847 				BIO_printf(bio_err,"DONE\n");
1848 				ret=0;
1849 				goto shut;
1850 				}
1851 
1852 			if ((!c_ign_eof) && (cbuf[0] == 'R'))
1853 				{
1854 				BIO_printf(bio_err,"RENEGOTIATING\n");
1855 				SSL_renegotiate(con);
1856 				cbuf_len=0;
1857 				}
1858 #ifndef OPENSSL_NO_HEARTBEATS
1859 			else if ((!c_ign_eof) && (cbuf[0] == 'B'))
1860  				{
1861 				BIO_printf(bio_err,"HEARTBEATING\n");
1862 				SSL_heartbeat(con);
1863 				cbuf_len=0;
1864 				}
1865 #endif
1866 			else
1867 				{
1868 				cbuf_len=i;
1869 				cbuf_off=0;
1870 #ifdef CHARSET_EBCDIC
1871 				ebcdic2ascii(cbuf, cbuf, i);
1872 #endif
1873 				}
1874 
1875 			write_ssl=1;
1876 			read_tty=0;
1877 			}
1878 		}
1879 
1880 	ret=0;
1881 shut:
1882 	if (in_init)
1883 		print_stuff(bio_c_out,con,full_log);
1884 	SSL_shutdown(con);
1885 	SHUTDOWN(SSL_get_fd(con));
1886 end:
1887 	if (con != NULL)
1888 		{
1889 		if (prexit != 0)
1890 			print_stuff(bio_c_out,con,1);
1891 		SSL_free(con);
1892 		}
1893 	if (ctx != NULL) SSL_CTX_free(ctx);
1894 	if (cert)
1895 		X509_free(cert);
1896 	if (key)
1897 		EVP_PKEY_free(key);
1898 	if (pass)
1899 		OPENSSL_free(pass);
1900 	if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); }
1901 	if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); }
1902 	if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); }
1903 	if (bio_c_out != NULL)
1904 		{
1905 		BIO_free(bio_c_out);
1906 		bio_c_out=NULL;
1907 		}
1908 	apps_shutdown();
1909 	OPENSSL_EXIT(ret);
1910 	}
1911 
1912 
1913 static void print_stuff(BIO *bio, SSL *s, int full)
1914 	{
1915 	X509 *peer=NULL;
1916 	char *p;
1917 	static const char *space="                ";
1918 	char buf[BUFSIZ];
1919 	STACK_OF(X509) *sk;
1920 	STACK_OF(X509_NAME) *sk2;
1921 	const SSL_CIPHER *c;
1922 	X509_NAME *xn;
1923 	int j,i;
1924 #ifndef OPENSSL_NO_COMP
1925 	const COMP_METHOD *comp, *expansion;
1926 #endif
1927 	unsigned char *exportedkeymat;
1928 
1929 	if (full)
1930 		{
1931 		int got_a_chain = 0;
1932 
1933 		sk=SSL_get_peer_cert_chain(s);
1934 		if (sk != NULL)
1935 			{
1936 			got_a_chain = 1; /* we don't have it for SSL2 (yet) */
1937 
1938 			BIO_printf(bio,"---\nCertificate chain\n");
1939 			for (i=0; i<sk_X509_num(sk); i++)
1940 				{
1941 				X509_NAME_oneline(X509_get_subject_name(
1942 					sk_X509_value(sk,i)),buf,sizeof buf);
1943 				BIO_printf(bio,"%2d s:%s\n",i,buf);
1944 				X509_NAME_oneline(X509_get_issuer_name(
1945 					sk_X509_value(sk,i)),buf,sizeof buf);
1946 				BIO_printf(bio,"   i:%s\n",buf);
1947 				if (c_showcerts)
1948 					PEM_write_bio_X509(bio,sk_X509_value(sk,i));
1949 				}
1950 			}
1951 
1952 		BIO_printf(bio,"---\n");
1953 		peer=SSL_get_peer_certificate(s);
1954 		if (peer != NULL)
1955 			{
1956 			BIO_printf(bio,"Server certificate\n");
1957 			if (!(c_showcerts && got_a_chain)) /* Redundant if we showed the whole chain */
1958 				PEM_write_bio_X509(bio,peer);
1959 			X509_NAME_oneline(X509_get_subject_name(peer),
1960 				buf,sizeof buf);
1961 			BIO_printf(bio,"subject=%s\n",buf);
1962 			X509_NAME_oneline(X509_get_issuer_name(peer),
1963 				buf,sizeof buf);
1964 			BIO_printf(bio,"issuer=%s\n",buf);
1965 			}
1966 		else
1967 			BIO_printf(bio,"no peer certificate available\n");
1968 
1969 		sk2=SSL_get_client_CA_list(s);
1970 		if ((sk2 != NULL) && (sk_X509_NAME_num(sk2) > 0))
1971 			{
1972 			BIO_printf(bio,"---\nAcceptable client certificate CA names\n");
1973 			for (i=0; i<sk_X509_NAME_num(sk2); i++)
1974 				{
1975 				xn=sk_X509_NAME_value(sk2,i);
1976 				X509_NAME_oneline(xn,buf,sizeof(buf));
1977 				BIO_write(bio,buf,strlen(buf));
1978 				BIO_write(bio,"\n",1);
1979 				}
1980 			}
1981 		else
1982 			{
1983 			BIO_printf(bio,"---\nNo client certificate CA names sent\n");
1984 			}
1985 		p=SSL_get_shared_ciphers(s,buf,sizeof buf);
1986 		if (p != NULL)
1987 			{
1988 			/* This works only for SSL 2.  In later protocol
1989 			 * versions, the client does not know what other
1990 			 * ciphers (in addition to the one to be used
1991 			 * in the current connection) the server supports. */
1992 
1993 			BIO_printf(bio,"---\nCiphers common between both SSL endpoints:\n");
1994 			j=i=0;
1995 			while (*p)
1996 				{
1997 				if (*p == ':')
1998 					{
1999 					BIO_write(bio,space,15-j%25);
2000 					i++;
2001 					j=0;
2002 					BIO_write(bio,((i%3)?" ":"\n"),1);
2003 					}
2004 				else
2005 					{
2006 					BIO_write(bio,p,1);
2007 					j++;
2008 					}
2009 				p++;
2010 				}
2011 			BIO_write(bio,"\n",1);
2012 			}
2013 
2014 		BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n",
2015 			BIO_number_read(SSL_get_rbio(s)),
2016 			BIO_number_written(SSL_get_wbio(s)));
2017 		}
2018 	BIO_printf(bio,(SSL_cache_hit(s)?"---\nReused, ":"---\nNew, "));
2019 	c=SSL_get_current_cipher(s);
2020 	BIO_printf(bio,"%s, Cipher is %s\n",
2021 		SSL_CIPHER_get_version(c),
2022 		SSL_CIPHER_get_name(c));
2023 	if (peer != NULL) {
2024 		EVP_PKEY *pktmp;
2025 		pktmp = X509_get_pubkey(peer);
2026 		BIO_printf(bio,"Server public key is %d bit\n",
2027 							 EVP_PKEY_bits(pktmp));
2028 		EVP_PKEY_free(pktmp);
2029 	}
2030 	BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
2031 			SSL_get_secure_renegotiation_support(s) ? "" : " NOT");
2032 #ifndef OPENSSL_NO_COMP
2033 	comp=SSL_get_current_compression(s);
2034 	expansion=SSL_get_current_expansion(s);
2035 	BIO_printf(bio,"Compression: %s\n",
2036 		comp ? SSL_COMP_get_name(comp) : "NONE");
2037 	BIO_printf(bio,"Expansion: %s\n",
2038 		expansion ? SSL_COMP_get_name(expansion) : "NONE");
2039 #endif
2040 
2041 #ifdef SSL_DEBUG
2042 	{
2043 	/* Print out local port of connection: useful for debugging */
2044 	int sock;
2045 	struct sockaddr_in ladd;
2046 	socklen_t ladd_size = sizeof(ladd);
2047 	sock = SSL_get_fd(s);
2048 	getsockname(sock, (struct sockaddr *)&ladd, &ladd_size);
2049 	BIO_printf(bio_c_out, "LOCAL PORT is %u\n", ntohs(ladd.sin_port));
2050 	}
2051 #endif
2052 
2053 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
2054 	if (next_proto.status != -1) {
2055 		const unsigned char *proto;
2056 		unsigned int proto_len;
2057 		SSL_get0_next_proto_negotiated(s, &proto, &proto_len);
2058 		BIO_printf(bio, "Next protocol: (%d) ", next_proto.status);
2059 		BIO_write(bio, proto, proto_len);
2060 		BIO_write(bio, "\n", 1);
2061 	}
2062 #endif
2063 
2064  	{
2065  	SRTP_PROTECTION_PROFILE *srtp_profile=SSL_get_selected_srtp_profile(s);
2066 
2067 	if(srtp_profile)
2068 		BIO_printf(bio,"SRTP Extension negotiated, profile=%s\n",
2069 			   srtp_profile->name);
2070 	}
2071 
2072 	SSL_SESSION_print(bio,SSL_get_session(s));
2073 	if (keymatexportlabel != NULL)
2074 		{
2075 		BIO_printf(bio, "Keying material exporter:\n");
2076 		BIO_printf(bio, "    Label: '%s'\n", keymatexportlabel);
2077 		BIO_printf(bio, "    Length: %i bytes\n", keymatexportlen);
2078 		exportedkeymat = OPENSSL_malloc(keymatexportlen);
2079 		if (exportedkeymat != NULL)
2080 			{
2081 			if (!SSL_export_keying_material(s, exportedkeymat,
2082 						        keymatexportlen,
2083 						        keymatexportlabel,
2084 						        strlen(keymatexportlabel),
2085 						        NULL, 0, 0))
2086 				{
2087 				BIO_printf(bio, "    Error\n");
2088 				}
2089 			else
2090 				{
2091 				BIO_printf(bio, "    Keying material: ");
2092 				for (i=0; i<keymatexportlen; i++)
2093 					BIO_printf(bio, "%02X",
2094 						   exportedkeymat[i]);
2095 				BIO_printf(bio, "\n");
2096 				}
2097 			OPENSSL_free(exportedkeymat);
2098 			}
2099 		}
2100 	BIO_printf(bio,"---\n");
2101 	if (peer != NULL)
2102 		X509_free(peer);
2103 	/* flush, or debugging output gets mixed with http response */
2104 	(void)BIO_flush(bio);
2105 	}
2106 
2107 #ifndef OPENSSL_NO_TLSEXT
2108 
2109 static int ocsp_resp_cb(SSL *s, void *arg)
2110 	{
2111 	const unsigned char *p;
2112 	int len;
2113 	OCSP_RESPONSE *rsp;
2114 	len = SSL_get_tlsext_status_ocsp_resp(s, &p);
2115 	BIO_puts(arg, "OCSP response: ");
2116 	if (!p)
2117 		{
2118 		BIO_puts(arg, "no response sent\n");
2119 		return 1;
2120 		}
2121 	rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
2122 	if (!rsp)
2123 		{
2124 		BIO_puts(arg, "response parse error\n");
2125 		BIO_dump_indent(arg, (char *)p, len, 4);
2126 		return 0;
2127 		}
2128 	BIO_puts(arg, "\n======================================\n");
2129 	OCSP_RESPONSE_print(arg, rsp, 0);
2130 	BIO_puts(arg, "======================================\n");
2131 	OCSP_RESPONSE_free(rsp);
2132 	return 1;
2133 	}
2134 
2135 #endif
2136