2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
87 * 6. Redistributions of any form whatsoever must retain the following
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
111 /* ====================================================================
112 * Copyright 2005 Nokia. All rights reserved.
114 * The portions of the attached software ("Contribution") is developed by
115 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
118 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120 * support (see RFC 4279) to OpenSSL.
122 * No patent licenses or other rights except those expressly stated in
123 * the OpenSSL open source license shall be deemed granted or received
124 * expressly, by implication, estoppel, or otherwise.
126 * No assurances are provided by Nokia that the Contribution does not
127 * infringe the patent or other intellectual property rights of any third
128 * party or that the license provides you with all the necessary rights
129 * to make use of the Contribution.
131 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
143 #include <openssl/e_os2.h>
144 #ifdef OPENSSL_NO_STDIO
148 /* With IPv6, it looks like Digital has mixed up the proper order of
149 recursive header file inclusion, resulting in the compiler complaining
150 that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which
151 is needed to have fileno() declared correctly... So let's define u_int */
152 #if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
154 typedef unsigned int u_int;
159 #include <openssl/x509.h>
160 #include <openssl/ssl.h>
161 #include <openssl/err.h>
162 #include <openssl/pem.h>
163 #include <openssl/rand.h>
164 #include <openssl/ocsp.h>
165 #include <openssl/bn.h>
166 #ifndef OPENSSL_NO_SRP
167 #include <openssl/srp.h>
170 #include "timeouts.h"
172 #if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
173 /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
177 #if defined(OPENSSL_SYS_BEOS_R5)
182 #define PROG s_client_main
184 /*#define SSL_HOST_NAME "www.netscape.com" */
185 /*#define SSL_HOST_NAME "193.118.187.102" */
186 #define SSL_HOST_NAME "localhost"
188 /*#define TEST_CERT "client.pem" */ /* no default cert. */
191 #define BUFSIZZ 1024*8
193 extern int verify_depth;
194 extern int verify_error;
195 extern int verify_return_error;
196 extern int verify_quiet;
201 static int c_Pause=0;
202 static int c_debug=0;
203 #ifndef OPENSSL_NO_TLSEXT
204 static int c_tlsextdebug=0;
205 static int c_status_req=0;
208 static int c_showcerts=0;
210 static char *keymatexportlabel=NULL;
211 static int keymatexportlen=20;
213 static void sc_usage(void);
214 static void print_stuff(BIO *berr,SSL *con,int full);
215 #ifndef OPENSSL_NO_TLSEXT
216 static int ocsp_resp_cb(SSL *s, void *arg);
217 static int c_auth = 0;
218 static int c_auth_require_reneg = 0;
220 static BIO *bio_c_out=NULL;
221 static BIO *bio_c_msg=NULL;
222 static int c_quiet=0;
223 static int c_ign_eof=0;
224 static int c_brief=0;
226 #ifndef OPENSSL_NO_TLSEXT
228 static const unsigned char *most_recent_supplemental_data;
229 static size_t most_recent_supplemental_data_length;
231 static int server_provided_server_authz = 0;
232 static int server_provided_client_authz = 0;
234 static const unsigned char auth_ext_data[]={TLSEXT_AUTHZDATAFORMAT_dtcp};
236 static int suppdata_cb(SSL *s, unsigned short supp_data_type,
237 const unsigned char *in,
238 unsigned short inlen, int *al,
241 static int auth_suppdata_generate_cb(SSL *s, unsigned short supp_data_type,
242 const unsigned char **out,
243 unsigned short *outlen, void *arg);
245 static int authz_tlsext_generate_cb(SSL *s, unsigned short ext_type,
246 const unsigned char **out, unsigned short *outlen,
249 static int authz_tlsext_cb(SSL *s, unsigned short ext_type,
250 const unsigned char *in,
251 unsigned short inlen, int *al,
255 #ifndef OPENSSL_NO_PSK
256 /* Default PSK identity and key */
257 static char *psk_identity="Client_identity";
258 /*char *psk_key=NULL; by default PSK is not used */
260 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity,
261 unsigned int max_identity_len, unsigned char *psk,
262 unsigned int max_psk_len)
264 unsigned int psk_len = 0;
269 BIO_printf(bio_c_out, "psk_client_cb\n");
272 /* no ServerKeyExchange message*/
274 BIO_printf(bio_c_out,"NULL received PSK identity hint, continuing anyway\n");
277 BIO_printf(bio_c_out, "Received PSK identity hint '%s'\n", hint);
279 /* lookup PSK identity and PSK key based on the given identity hint here */
280 ret = BIO_snprintf(identity, max_identity_len, "%s", psk_identity);
281 if (ret < 0 || (unsigned int)ret > max_identity_len)
284 BIO_printf(bio_c_out, "created identity '%s' len=%d\n", identity, ret);
285 ret=BN_hex2bn(&bn, psk_key);
288 BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", psk_key);
294 if ((unsigned int)BN_num_bytes(bn) > max_psk_len)
296 BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
297 max_psk_len, BN_num_bytes(bn));
302 psk_len=BN_bn2bin(bn, psk);
308 BIO_printf(bio_c_out, "created PSK len=%d\n", psk_len);
313 BIO_printf(bio_err, "Error in PSK client callback\n");
318 static void sc_usage(void)
320 BIO_printf(bio_err,"usage: s_client args\n");
321 BIO_printf(bio_err,"\n");
322 BIO_printf(bio_err," -host host - use -connect instead\n");
323 BIO_printf(bio_err," -port port - use -connect instead\n");
324 BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR);
325 BIO_printf(bio_err," -verify arg - turn on peer certificate verification\n");
326 BIO_printf(bio_err," -cert arg - certificate file to use, PEM format assumed\n");
327 BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n");
328 BIO_printf(bio_err," -key arg - Private key file to use, in cert file if\n");
329 BIO_printf(bio_err," not specified but cert file is.\n");
330 BIO_printf(bio_err," -keyform arg - key format (PEM or DER) PEM default\n");
331 BIO_printf(bio_err," -pass arg - private key file pass phrase source\n");
332 BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n");
333 BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n");
334 BIO_printf(bio_err," -reconnect - Drop and re-make the connection with the same Session-ID\n");
335 BIO_printf(bio_err," -pause - sleep(1) after each read(2) and write(2) system call\n");
336 BIO_printf(bio_err," -showcerts - show all certificates in the chain\n");
337 BIO_printf(bio_err," -debug - extra output\n");
339 BIO_printf(bio_err," -wdebug - WATT-32 tcp debugging\n");
341 BIO_printf(bio_err," -msg - Show protocol messages\n");
342 BIO_printf(bio_err," -nbio_test - more ssl protocol testing\n");
343 BIO_printf(bio_err," -state - print the 'ssl' states\n");
345 BIO_printf(bio_err," -nbio - Run with non-blocking IO\n");
347 BIO_printf(bio_err," -crlf - convert LF from terminal into CRLF\n");
348 BIO_printf(bio_err," -quiet - no s_client output\n");
349 BIO_printf(bio_err," -ign_eof - ignore input eof (default when -quiet)\n");
350 BIO_printf(bio_err," -no_ign_eof - don't ignore input eof\n");
351 #ifndef OPENSSL_NO_PSK
352 BIO_printf(bio_err," -psk_identity arg - PSK identity\n");
353 BIO_printf(bio_err," -psk arg - PSK in hex (without 0x)\n");
354 # ifndef OPENSSL_NO_JPAKE
355 BIO_printf(bio_err," -jpake arg - JPAKE secret to use\n");
358 #ifndef OPENSSL_NO_SRP
359 BIO_printf(bio_err," -srpuser user - SRP authentification for 'user'\n");
360 BIO_printf(bio_err," -srppass arg - password for 'user'\n");
361 BIO_printf(bio_err," -srp_lateuser - SRP username into second ClientHello message\n");
362 BIO_printf(bio_err," -srp_moregroups - Tolerate other than the known g N values.\n");
363 BIO_printf(bio_err," -srp_strength int - minimal mength in bits for N (default %d).\n",SRP_MINIMAL_N);
365 BIO_printf(bio_err," -ssl2 - just use SSLv2\n");
366 BIO_printf(bio_err," -ssl3 - just use SSLv3\n");
367 BIO_printf(bio_err," -tls1_2 - just use TLSv1.2\n");
368 BIO_printf(bio_err," -tls1_1 - just use TLSv1.1\n");
369 BIO_printf(bio_err," -tls1 - just use TLSv1\n");
370 BIO_printf(bio_err," -dtls1 - just use DTLSv1\n");
371 BIO_printf(bio_err," -mtu - set the link layer MTU\n");
372 BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
373 BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n");
374 BIO_printf(bio_err," -serverpref - Use server's cipher preferences (only SSLv2)\n");
375 BIO_printf(bio_err," -cipher - preferred cipher to use, use the 'openssl ciphers'\n");
376 BIO_printf(bio_err," command to see what is available\n");
377 BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n");
378 BIO_printf(bio_err," for those protocols that support it, where\n");
379 BIO_printf(bio_err," 'prot' defines which one to assume. Currently,\n");
380 BIO_printf(bio_err," only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
381 BIO_printf(bio_err," are supported.\n");
382 BIO_printf(bio_err," -xmpphost host - When used with \"-starttls xmpp\" specifies the virtual host.\n");
383 #ifndef OPENSSL_NO_ENGINE
384 BIO_printf(bio_err," -engine id - Initialise and use the specified engine\n");
386 BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
387 BIO_printf(bio_err," -sess_out arg - file to write SSL session to\n");
388 BIO_printf(bio_err," -sess_in arg - file to read SSL session from\n");
389 #ifndef OPENSSL_NO_TLSEXT
390 BIO_printf(bio_err," -servername host - Set TLS extension servername in ClientHello\n");
391 BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n");
392 BIO_printf(bio_err," -status - request certificate status from server\n");
393 BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n");
394 BIO_printf(bio_err," -serverinfo types - send empty ClientHello extensions (comma-separated numbers)\n");
395 BIO_printf(bio_err," -auth - send and receive RFC 5878 TLS auth extensions and supplemental data\n");
396 BIO_printf(bio_err," -auth_require_reneg - Do not send TLS auth extensions until renegotiation\n");
397 # ifndef OPENSSL_NO_NEXTPROTONEG
398 BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
399 BIO_printf(bio_err," -alpn arg - enable ALPN extension, considering named protocols supported (comma-separated list)\n");
402 BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
403 BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
404 BIO_printf(bio_err," -keymatexport label - Export keying material using label\n");
405 BIO_printf(bio_err," -keymatexportlen len - Export len bytes of keying material (default 20)\n");
408 #ifndef OPENSSL_NO_TLSEXT
410 /* This is a context that we pass to callbacks */
411 typedef struct tlsextctx_st {
417 static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
419 tlsextctx * p = (tlsextctx *) arg;
420 const char * hn= SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
421 if (SSL_get_servername_type(s) != -1)
422 p->ack = !SSL_session_reused(s) && hn != NULL;
424 BIO_printf(bio_err,"Can't use SSL_get_servername\n");
426 return SSL_TLSEXT_ERR_OK;
429 #ifndef OPENSSL_NO_SRP
431 /* This is a context that we pass to all callbacks */
432 typedef struct srp_arg_st
436 int msg; /* copy from c_msg */
437 int debug; /* copy from c_debug */
438 int amp; /* allow more groups */
439 int strength /* minimal size for N */ ;
442 #define SRP_NUMBER_ITERATIONS_FOR_PRIME 64
444 static int srp_Verify_N_and_g(const BIGNUM *N, const BIGNUM *g)
446 BN_CTX *bn_ctx = BN_CTX_new();
447 BIGNUM *p = BN_new();
448 BIGNUM *r = BN_new();
450 g != NULL && N != NULL && bn_ctx != NULL && BN_is_odd(N) &&
451 BN_is_prime_ex(N, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
452 p != NULL && BN_rshift1(p, N) &&
455 BN_is_prime_ex(p, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
458 /* verify g^((N-1)/2) == -1 (mod N) */
459 BN_mod_exp(r, g, p, N, bn_ctx) &&
472 /* This callback is used here for two purposes:
474 - making some primality tests for unknown groups
475 The callback is only called for a non default group.
477 An application does not need the call back at all if
478 only the stanard groups are used. In real life situations,
479 client and server already share well known groups,
480 thus there is no need to verify them.
481 Furthermore, in case that a server actually proposes a group that
482 is not one of those defined in RFC 5054, it is more appropriate
483 to add the group to a static list and then compare since
484 primality tests are rather cpu consuming.
487 static int MS_CALLBACK ssl_srp_verify_param_cb(SSL *s, void *arg)
489 SRP_ARG *srp_arg = (SRP_ARG *)arg;
490 BIGNUM *N = NULL, *g = NULL;
491 if (!(N = SSL_get_srp_N(s)) || !(g = SSL_get_srp_g(s)))
493 if (srp_arg->debug || srp_arg->msg || srp_arg->amp == 1)
495 BIO_printf(bio_err, "SRP parameters:\n");
496 BIO_printf(bio_err,"\tN="); BN_print(bio_err,N);
497 BIO_printf(bio_err,"\n\tg="); BN_print(bio_err,g);
498 BIO_printf(bio_err,"\n");
501 if (SRP_check_known_gN_param(g,N))
504 if (srp_arg->amp == 1)
507 BIO_printf(bio_err, "SRP param N and g are not known params, going to check deeper.\n");
509 /* The srp_moregroups is a real debugging feature.
510 Implementors should rather add the value to the known ones.
511 The minimal size has already been tested.
513 if (BN_num_bits(g) <= BN_BITS && srp_Verify_N_and_g(N,g))
516 BIO_printf(bio_err, "SRP param N and g rejected.\n");
520 #define PWD_STRLEN 1024
522 static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
524 SRP_ARG *srp_arg = (SRP_ARG *)arg;
525 char *pass = (char *)OPENSSL_malloc(PWD_STRLEN+1);
529 cb_tmp.password = (char *)srp_arg->srppassin;
530 cb_tmp.prompt_info = "SRP user";
531 if ((l = password_callback(pass, PWD_STRLEN, 0, &cb_tmp))<0)
533 BIO_printf (bio_err, "Can't read Password\n");
543 char *srtp_profiles = NULL;
545 # ifndef OPENSSL_NO_NEXTPROTONEG
546 /* This the context that we pass to next_proto_cb */
547 typedef struct tlsextnextprotoctx_st {
551 } tlsextnextprotoctx;
553 static tlsextnextprotoctx next_proto;
555 static int next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg)
557 tlsextnextprotoctx *ctx = arg;
561 /* We can assume that |in| is syntactically valid. */
563 BIO_printf(bio_c_out, "Protocols advertised by server: ");
564 for (i = 0; i < inlen; )
567 BIO_write(bio_c_out, ", ", 2);
568 BIO_write(bio_c_out, &in[i + 1], in[i]);
571 BIO_write(bio_c_out, "\n", 1);
574 ctx->status = SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len);
575 return SSL_TLSEXT_ERR_OK;
577 # endif /* ndef OPENSSL_NO_NEXTPROTONEG */
579 static int serverinfo_cli_cb(SSL* s, unsigned short ext_type,
580 const unsigned char* in, unsigned short inlen,
584 unsigned char ext_buf[4 + 65536];
586 /* Reconstruct the type/len fields prior to extension data */
587 ext_buf[0] = ext_type >> 8;
588 ext_buf[1] = ext_type & 0xFF;
589 ext_buf[2] = inlen >> 8;
590 ext_buf[3] = inlen & 0xFF;
591 memcpy(ext_buf+4, in, inlen);
593 BIO_snprintf(pem_name, sizeof(pem_name), "SERVER_INFO %d", ext_type);
594 PEM_write_bio(bio_c_out, pem_name, "", ext_buf, 4 + inlen);
610 int MAIN(int, char **);
612 int MAIN(int argc, char **argv)
616 #ifndef OPENSSL_NO_KRB5
619 int s,k,width,state=0;
620 char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL;
621 int cbuf_len,cbuf_off;
622 int sbuf_len,sbuf_off;
623 fd_set readfds,writefds;
626 char *host=SSL_HOST_NAME;
627 char *xmpphost = NULL;
628 char *cert_file=NULL,*key_file=NULL,*chain_file=NULL;
629 int cert_format = FORMAT_PEM, key_format = FORMAT_PEM;
630 char *passarg = NULL, *pass = NULL;
632 EVP_PKEY *key = NULL;
633 STACK_OF(X509) *chain = NULL;
634 char *CApath=NULL,*CAfile=NULL;
635 char *chCApath=NULL,*chCAfile=NULL;
636 char *vfyCApath=NULL,*vfyCAfile=NULL;
637 int reconnect=0,badop=0,verify=SSL_VERIFY_NONE;
639 int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending;
641 int ret=1,in_init=1,i,nbio_test=0;
642 int starttls_proto = PROTO_OFF;
644 X509_VERIFY_PARAM *vpm = NULL;
646 const SSL_METHOD *meth=NULL;
647 int socket_type=SOCK_STREAM;
651 struct timeval timeout, *timeoutp;
652 #ifndef OPENSSL_NO_ENGINE
653 char *engine_id=NULL;
654 char *ssl_client_engine_id=NULL;
655 ENGINE *ssl_client_engine=NULL;
658 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
660 #if defined(OPENSSL_SYS_BEOS_R5)
664 #ifndef OPENSSL_NO_TLSEXT
665 char *servername = NULL;
666 tlsextctx tlsextcbp =
668 # ifndef OPENSSL_NO_NEXTPROTONEG
669 const char *next_proto_neg_in = NULL;
670 const char *alpn_in = NULL;
672 # define MAX_SI_TYPES 100
673 unsigned short serverinfo_types[MAX_SI_TYPES];
674 int serverinfo_types_count = 0;
676 char *sess_in = NULL;
677 char *sess_out = NULL;
678 struct sockaddr peer;
679 int peerlen = sizeof(peer);
680 int enable_timeouts = 0 ;
682 #ifndef OPENSSL_NO_JPAKE
683 static char *jpake_secret = NULL;
684 #define no_jpake !jpake_secret
688 #ifndef OPENSSL_NO_SRP
689 char * srppass = NULL;
690 int srp_lateuser = 0;
691 SRP_ARG srp_arg = {NULL,NULL,0,0,0,1024};
693 SSL_EXCERT *exc = NULL;
695 SSL_CONF_CTX *cctx = NULL;
696 STACK_OF(OPENSSL_STRING) *ssl_args = NULL;
698 char *crl_file = NULL;
699 int crl_format = FORMAT_PEM;
700 int crl_download = 0;
701 STACK_OF(X509_CRL) *crls = NULL;
703 meth=SSLv23_client_method();
714 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
716 if (!load_config(bio_err, NULL))
718 cctx = SSL_CONF_CTX_new();
721 SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT);
722 SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CMDLINE);
724 if ( ((cbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
725 ((sbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
726 ((mbuf=OPENSSL_malloc(BUFSIZZ)) == NULL))
728 BIO_printf(bio_err,"out of memory\n");
733 verify_error=X509_V_OK;
742 if (strcmp(*argv,"-host") == 0)
744 if (--argc < 1) goto bad;
747 else if (strcmp(*argv,"-port") == 0)
749 if (--argc < 1) goto bad;
750 port=atoi(*(++argv));
751 if (port == 0) goto bad;
753 else if (strcmp(*argv,"-connect") == 0)
755 if (--argc < 1) goto bad;
756 if (!extract_host_port(*(++argv),&host,NULL,&port))
759 else if (strcmp(*argv,"-xmpphost") == 0)
761 if (--argc < 1) goto bad;
764 else if (strcmp(*argv,"-verify") == 0)
766 verify=SSL_VERIFY_PEER;
767 if (--argc < 1) goto bad;
768 verify_depth=atoi(*(++argv));
770 BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
772 else if (strcmp(*argv,"-cert") == 0)
774 if (--argc < 1) goto bad;
775 cert_file= *(++argv);
777 else if (strcmp(*argv,"-CRL") == 0)
779 if (--argc < 1) goto bad;
782 else if (strcmp(*argv,"-crl_download") == 0)
784 else if (strcmp(*argv,"-sess_out") == 0)
786 if (--argc < 1) goto bad;
787 sess_out = *(++argv);
789 else if (strcmp(*argv,"-sess_in") == 0)
791 if (--argc < 1) goto bad;
794 else if (strcmp(*argv,"-certform") == 0)
796 if (--argc < 1) goto bad;
797 cert_format = str2fmt(*(++argv));
799 else if (strcmp(*argv,"-CRLform") == 0)
801 if (--argc < 1) goto bad;
802 crl_format = str2fmt(*(++argv));
804 else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
810 else if (strcmp(*argv,"-verify_return_error") == 0)
811 verify_return_error = 1;
812 else if (strcmp(*argv,"-verify_quiet") == 0)
814 else if (strcmp(*argv,"-brief") == 0)
820 else if (args_excert(&argv, &argc, &badarg, bio_err, &exc))
826 else if (args_ssl(&argv, &argc, cctx, &badarg, bio_err, &ssl_args))
832 else if (strcmp(*argv,"-prexit") == 0)
834 else if (strcmp(*argv,"-crlf") == 0)
836 else if (strcmp(*argv,"-quiet") == 0)
841 else if (strcmp(*argv,"-ign_eof") == 0)
843 else if (strcmp(*argv,"-no_ign_eof") == 0)
845 else if (strcmp(*argv,"-pause") == 0)
847 else if (strcmp(*argv,"-debug") == 0)
849 #ifndef OPENSSL_NO_TLSEXT
850 else if (strcmp(*argv,"-tlsextdebug") == 0)
852 else if (strcmp(*argv,"-status") == 0)
854 else if (strcmp(*argv,"-auth") == 0)
856 else if (strcmp(*argv,"-auth_require_reneg") == 0)
857 c_auth_require_reneg = 1;
860 else if (strcmp(*argv,"-wdebug") == 0)
863 else if (strcmp(*argv,"-msg") == 0)
865 else if (strcmp(*argv,"-msgfile") == 0)
867 if (--argc < 1) goto bad;
868 bio_c_msg = BIO_new_file(*(++argv), "w");
870 #ifndef OPENSSL_NO_SSL_TRACE
871 else if (strcmp(*argv,"-trace") == 0)
874 else if (strcmp(*argv,"-showcerts") == 0)
876 else if (strcmp(*argv,"-nbio_test") == 0)
878 else if (strcmp(*argv,"-state") == 0)
880 #ifndef OPENSSL_NO_PSK
881 else if (strcmp(*argv,"-psk_identity") == 0)
883 if (--argc < 1) goto bad;
884 psk_identity=*(++argv);
886 else if (strcmp(*argv,"-psk") == 0)
890 if (--argc < 1) goto bad;
892 for (j = 0; j < strlen(psk_key); j++)
894 if (isxdigit((unsigned char)psk_key[j]))
896 BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
901 #ifndef OPENSSL_NO_SRP
902 else if (strcmp(*argv,"-srpuser") == 0)
904 if (--argc < 1) goto bad;
905 srp_arg.srplogin= *(++argv);
906 meth=TLSv1_client_method();
908 else if (strcmp(*argv,"-srppass") == 0)
910 if (--argc < 1) goto bad;
912 meth=TLSv1_client_method();
914 else if (strcmp(*argv,"-srp_strength") == 0)
916 if (--argc < 1) goto bad;
917 srp_arg.strength=atoi(*(++argv));
918 BIO_printf(bio_err,"SRP minimal length for N is %d\n",srp_arg.strength);
919 meth=TLSv1_client_method();
921 else if (strcmp(*argv,"-srp_lateuser") == 0)
924 meth=TLSv1_client_method();
926 else if (strcmp(*argv,"-srp_moregroups") == 0)
929 meth=TLSv1_client_method();
932 #ifndef OPENSSL_NO_SSL2
933 else if (strcmp(*argv,"-ssl2") == 0)
934 meth=SSLv2_client_method();
936 #ifndef OPENSSL_NO_SSL3
937 else if (strcmp(*argv,"-ssl3") == 0)
938 meth=SSLv3_client_method();
940 #ifndef OPENSSL_NO_TLS1
941 else if (strcmp(*argv,"-tls1_2") == 0)
942 meth=TLSv1_2_client_method();
943 else if (strcmp(*argv,"-tls1_1") == 0)
944 meth=TLSv1_1_client_method();
945 else if (strcmp(*argv,"-tls1") == 0)
946 meth=TLSv1_client_method();
948 #ifndef OPENSSL_NO_DTLS1
949 else if (strcmp(*argv,"-dtls") == 0)
951 meth=DTLS_client_method();
952 socket_type=SOCK_DGRAM;
954 else if (strcmp(*argv,"-dtls1") == 0)
956 meth=DTLSv1_client_method();
957 socket_type=SOCK_DGRAM;
959 else if (strcmp(*argv,"-dtls1_2") == 0)
961 meth=DTLSv1_2_client_method();
962 socket_type=SOCK_DGRAM;
964 else if (strcmp(*argv,"-timeout") == 0)
966 else if (strcmp(*argv,"-mtu") == 0)
968 if (--argc < 1) goto bad;
969 socket_mtu = atol(*(++argv));
972 else if (strcmp(*argv,"-keyform") == 0)
974 if (--argc < 1) goto bad;
975 key_format = str2fmt(*(++argv));
977 else if (strcmp(*argv,"-pass") == 0)
979 if (--argc < 1) goto bad;
982 else if (strcmp(*argv,"-cert_chain") == 0)
984 if (--argc < 1) goto bad;
985 chain_file= *(++argv);
987 else if (strcmp(*argv,"-key") == 0)
989 if (--argc < 1) goto bad;
992 else if (strcmp(*argv,"-reconnect") == 0)
996 else if (strcmp(*argv,"-CApath") == 0)
998 if (--argc < 1) goto bad;
1001 else if (strcmp(*argv,"-chainCApath") == 0)
1003 if (--argc < 1) goto bad;
1004 chCApath= *(++argv);
1006 else if (strcmp(*argv,"-verifyCApath") == 0)
1008 if (--argc < 1) goto bad;
1009 vfyCApath= *(++argv);
1011 else if (strcmp(*argv,"-build_chain") == 0)
1013 else if (strcmp(*argv,"-CAfile") == 0)
1015 if (--argc < 1) goto bad;
1018 else if (strcmp(*argv,"-chainCAfile") == 0)
1020 if (--argc < 1) goto bad;
1021 chCAfile= *(++argv);
1023 else if (strcmp(*argv,"-verifyCAfile") == 0)
1025 if (--argc < 1) goto bad;
1026 vfyCAfile= *(++argv);
1028 #ifndef OPENSSL_NO_TLSEXT
1029 # ifndef OPENSSL_NO_NEXTPROTONEG
1030 else if (strcmp(*argv,"-nextprotoneg") == 0)
1032 if (--argc < 1) goto bad;
1033 next_proto_neg_in = *(++argv);
1035 else if (strcmp(*argv,"-alpn") == 0)
1037 if (--argc < 1) goto bad;
1038 alpn_in = *(++argv);
1041 else if (strcmp(*argv,"-serverinfo") == 0)
1047 if (--argc < 1) goto bad;
1049 serverinfo_types_count = 0;
1051 for (i = 0; i <= len; ++i)
1053 if (i == len || c[i] == ',')
1055 serverinfo_types[serverinfo_types_count]
1057 serverinfo_types_count++;
1060 if (serverinfo_types_count == MAX_SI_TYPES)
1066 else if (strcmp(*argv,"-nbio") == 0)
1069 else if (strcmp(*argv,"-starttls") == 0)
1071 if (--argc < 1) goto bad;
1073 if (strcmp(*argv,"smtp") == 0)
1074 starttls_proto = PROTO_SMTP;
1075 else if (strcmp(*argv,"pop3") == 0)
1076 starttls_proto = PROTO_POP3;
1077 else if (strcmp(*argv,"imap") == 0)
1078 starttls_proto = PROTO_IMAP;
1079 else if (strcmp(*argv,"ftp") == 0)
1080 starttls_proto = PROTO_FTP;
1081 else if (strcmp(*argv, "xmpp") == 0)
1082 starttls_proto = PROTO_XMPP;
1086 #ifndef OPENSSL_NO_ENGINE
1087 else if (strcmp(*argv,"-engine") == 0)
1089 if (--argc < 1) goto bad;
1090 engine_id = *(++argv);
1092 else if (strcmp(*argv,"-ssl_client_engine") == 0)
1094 if (--argc < 1) goto bad;
1095 ssl_client_engine_id = *(++argv);
1098 else if (strcmp(*argv,"-rand") == 0)
1100 if (--argc < 1) goto bad;
1103 #ifndef OPENSSL_NO_TLSEXT
1104 else if (strcmp(*argv,"-servername") == 0)
1106 if (--argc < 1) goto bad;
1107 servername= *(++argv);
1108 /* meth=TLSv1_client_method(); */
1111 #ifndef OPENSSL_NO_JPAKE
1112 else if (strcmp(*argv,"-jpake") == 0)
1114 if (--argc < 1) goto bad;
1115 jpake_secret = *++argv;
1118 else if (strcmp(*argv,"-use_srtp") == 0)
1120 if (--argc < 1) goto bad;
1121 srtp_profiles = *(++argv);
1123 else if (strcmp(*argv,"-keymatexport") == 0)
1125 if (--argc < 1) goto bad;
1126 keymatexportlabel= *(++argv);
1128 else if (strcmp(*argv,"-keymatexportlen") == 0)
1130 if (--argc < 1) goto bad;
1131 keymatexportlen=atoi(*(++argv));
1132 if (keymatexportlen == 0) goto bad;
1136 BIO_printf(bio_err,"unknown option %s\n",*argv);
1150 #if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
1156 "Can't use JPAKE and PSK together\n");
1159 psk_identity = "JPAKE";
1163 OpenSSL_add_ssl_algorithms();
1164 SSL_load_error_strings();
1166 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
1167 next_proto.status = -1;
1168 if (next_proto_neg_in)
1170 next_proto.data = next_protos_parse(&next_proto.len, next_proto_neg_in);
1171 if (next_proto.data == NULL)
1173 BIO_printf(bio_err, "Error parsing -nextprotoneg argument\n");
1178 next_proto.data = NULL;
1181 #ifndef OPENSSL_NO_ENGINE
1182 e = setup_engine(bio_err, engine_id, 1);
1183 if (ssl_client_engine_id)
1185 ssl_client_engine = ENGINE_by_id(ssl_client_engine_id);
1186 if (!ssl_client_engine)
1189 "Error getting client auth engine\n");
1195 if (!app_passwd(bio_err, passarg, NULL, &pass, NULL))
1197 BIO_printf(bio_err, "Error getting password\n");
1201 if (key_file == NULL)
1202 key_file = cert_file;
1209 key = load_key(bio_err, key_file, key_format, 0, pass, e,
1210 "client certificate private key file");
1213 ERR_print_errors(bio_err);
1222 cert = load_cert(bio_err,cert_file,cert_format,
1223 NULL, e, "client certificate file");
1227 ERR_print_errors(bio_err);
1234 chain = load_certs(bio_err, chain_file,FORMAT_PEM,
1235 NULL, e, "client certificate chain");
1243 crl = load_crl(crl_file, crl_format);
1246 BIO_puts(bio_err, "Error loading CRL\n");
1247 ERR_print_errors(bio_err);
1250 crls = sk_X509_CRL_new_null();
1251 if (!crls || !sk_X509_CRL_push(crls, crl))
1253 BIO_puts(bio_err, "Error adding CRL\n");
1254 ERR_print_errors(bio_err);
1260 if (!load_excert(&exc, bio_err))
1263 if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
1266 BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
1269 BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
1270 app_RAND_load_files(inrand));
1272 if (bio_c_out == NULL)
1274 if (c_quiet && !c_debug)
1276 bio_c_out=BIO_new(BIO_s_null());
1277 if (c_msg && !bio_c_msg)
1278 bio_c_msg=BIO_new_fp(stdout,BIO_NOCLOSE);
1282 if (bio_c_out == NULL)
1283 bio_c_out=BIO_new_fp(stdout,BIO_NOCLOSE);
1287 #ifndef OPENSSL_NO_SRP
1288 if(!app_passwd(bio_err, srppass, NULL, &srp_arg.srppassin, NULL))
1290 BIO_printf(bio_err, "Error getting password\n");
1295 ctx=SSL_CTX_new(meth);
1298 ERR_print_errors(bio_err);
1303 SSL_CTX_set1_param(ctx, vpm);
1305 if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, 1, no_jpake))
1307 ERR_print_errors(bio_err);
1311 if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile,
1312 crls, crl_download))
1314 BIO_printf(bio_err, "Error loading store locations\n");
1315 ERR_print_errors(bio_err);
1319 #ifndef OPENSSL_NO_ENGINE
1320 if (ssl_client_engine)
1322 if (!SSL_CTX_set_client_cert_engine(ctx, ssl_client_engine))
1324 BIO_puts(bio_err, "Error setting client auth engine\n");
1325 ERR_print_errors(bio_err);
1326 ENGINE_free(ssl_client_engine);
1329 ENGINE_free(ssl_client_engine);
1333 #ifndef OPENSSL_NO_PSK
1334 #ifdef OPENSSL_NO_JPAKE
1335 if (psk_key != NULL)
1337 if (psk_key != NULL || jpake_secret)
1341 BIO_printf(bio_c_out, "PSK key given or JPAKE in use, setting client callback\n");
1342 SSL_CTX_set_psk_client_callback(ctx, psk_client_cb);
1344 if (srtp_profiles != NULL)
1345 SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles);
1347 if (exc) ssl_ctx_set_excert(ctx, exc);
1348 /* DTLS: partial reads end up discarding unread UDP bytes :-(
1349 * Setting read ahead solves this problem.
1351 if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
1353 #if !defined(OPENSSL_NO_TLSEXT)
1354 # if !defined(OPENSSL_NO_NEXTPROTONEG)
1355 if (next_proto.data)
1356 SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);
1360 unsigned short alpn_len;
1361 unsigned char *alpn = next_protos_parse(&alpn_len, alpn_in);
1365 BIO_printf(bio_err, "Error parsing -alpn argument\n");
1368 SSL_CTX_set_alpn_protos(ctx, alpn, alpn_len);
1372 #ifndef OPENSSL_NO_TLSEXT
1373 if (serverinfo_types_count)
1375 for (i = 0; i < serverinfo_types_count; i++)
1377 SSL_CTX_set_custom_cli_ext(ctx,
1378 serverinfo_types[i],
1386 if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
1389 SSL_CTX_set_cipher_list(ctx,getenv("SSL_CIPHER"));
1392 SSL_CTX_set_verify(ctx,verify,verify_callback);
1394 if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
1395 (!SSL_CTX_set_default_verify_paths(ctx)))
1397 /* BIO_printf(bio_err,"error setting default verify locations\n"); */
1398 ERR_print_errors(bio_err);
1402 ssl_ctx_add_crls(ctx, crls, crl_download);
1404 if (!set_cert_key_stuff(ctx,cert,key,chain,build_chain))
1407 #ifndef OPENSSL_NO_TLSEXT
1408 if (servername != NULL)
1410 tlsextcbp.biodebug = bio_err;
1411 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
1412 SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
1414 #ifndef OPENSSL_NO_SRP
1415 if (srp_arg.srplogin)
1417 if (!srp_lateuser && !SSL_CTX_set_srp_username(ctx, srp_arg.srplogin))
1419 BIO_printf(bio_err,"Unable to set SRP username\n");
1422 srp_arg.msg = c_msg;
1423 srp_arg.debug = c_debug ;
1424 SSL_CTX_set_srp_cb_arg(ctx,&srp_arg);
1425 SSL_CTX_set_srp_client_pwd_callback(ctx, ssl_give_srp_client_pwd_cb);
1426 SSL_CTX_set_srp_strength(ctx, srp_arg.strength);
1427 if (c_msg || c_debug || srp_arg.amp == 0)
1428 SSL_CTX_set_srp_verify_param_callback(ctx, ssl_srp_verify_param_cb);
1434 SSL_CTX_set_custom_cli_ext(ctx, TLSEXT_TYPE_client_authz, authz_tlsext_generate_cb, authz_tlsext_cb, bio_err);
1435 SSL_CTX_set_custom_cli_ext(ctx, TLSEXT_TYPE_server_authz, authz_tlsext_generate_cb, authz_tlsext_cb, bio_err);
1436 SSL_CTX_set_cli_supp_data(ctx, TLSEXT_SUPPLEMENTALDATATYPE_authz_data, suppdata_cb, auth_suppdata_generate_cb, bio_err);
1444 BIO *stmp = BIO_new_file(sess_in, "r");
1447 BIO_printf(bio_err, "Can't open session file %s\n",
1449 ERR_print_errors(bio_err);
1452 sess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL);
1456 BIO_printf(bio_err, "Can't open session file %s\n",
1458 ERR_print_errors(bio_err);
1461 SSL_set_session(con, sess);
1462 SSL_SESSION_free(sess);
1464 #ifndef OPENSSL_NO_TLSEXT
1465 if (servername != NULL)
1467 if (!SSL_set_tlsext_host_name(con,servername))
1469 BIO_printf(bio_err,"Unable to set TLS servername extension.\n");
1470 ERR_print_errors(bio_err);
1475 #ifndef OPENSSL_NO_KRB5
1476 if (con && (kctx = kssl_ctx_new()) != NULL)
1478 SSL_set0_kssl_ctx(con, kctx);
1479 kssl_ctx_setstring(kctx, KSSL_SERVER, host);
1481 #endif /* OPENSSL_NO_KRB5 */
1482 /* SSL_set_cipher_list(con,"RC4-MD5"); */
1484 #ifdef TLSEXT_TYPE_opaque_prf_input
1485 SSL_set_tlsext_opaque_prf_input(con, "Test client", 11);
1491 if (init_client(&s,host,port,socket_type) == 0)
1493 BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
1497 BIO_printf(bio_c_out,"CONNECTED(%08X)\n",s);
1503 BIO_printf(bio_c_out,"turning on non blocking io\n");
1504 if (BIO_socket_ioctl(s,FIONBIO,&l) < 0)
1506 ERR_print_errors(bio_err);
1511 if (c_Pause & 0x01) SSL_set_debug(con, 1);
1513 if (socket_type == SOCK_DGRAM)
1516 sbio=BIO_new_dgram(s,BIO_NOCLOSE);
1517 if (getsockname(s, &peer, (void *)&peerlen) < 0)
1519 BIO_printf(bio_err, "getsockname:errno=%d\n",
1520 get_last_socket_error());
1525 (void)BIO_ctrl_set_connected(sbio, 1, &peer);
1527 if (enable_timeouts)
1530 timeout.tv_usec = DGRAM_RCV_TIMEOUT;
1531 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
1534 timeout.tv_usec = DGRAM_SND_TIMEOUT;
1535 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
1538 if (socket_mtu > 28)
1540 SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
1541 SSL_set_mtu(con, socket_mtu - 28);
1544 /* want to do MTU discovery */
1545 BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
1548 sbio=BIO_new_socket(s,BIO_NOCLOSE);
1554 test=BIO_new(BIO_f_nbio_test());
1555 sbio=BIO_push(test,sbio);
1560 SSL_set_debug(con, 1);
1561 BIO_set_callback(sbio,bio_dump_callback);
1562 BIO_set_callback_arg(sbio,(char *)bio_c_out);
1566 #ifndef OPENSSL_NO_SSL_TRACE
1568 SSL_set_msg_callback(con, SSL_trace);
1571 SSL_set_msg_callback(con, msg_cb);
1572 SSL_set_msg_callback_arg(con, bio_c_msg ? bio_c_msg : bio_c_out);
1574 #ifndef OPENSSL_NO_TLSEXT
1577 SSL_set_tlsext_debug_callback(con, tlsext_cb);
1578 SSL_set_tlsext_debug_arg(con, bio_c_out);
1582 SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp);
1583 SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb);
1584 SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out);
1587 STACK_OF(OCSP_RESPID) *ids = sk_OCSP_RESPID_new_null();
1588 OCSP_RESPID *id = OCSP_RESPID_new();
1589 id->value.byKey = ASN1_OCTET_STRING_new();
1590 id->type = V_OCSP_RESPID_KEY;
1591 ASN1_STRING_set(id->value.byKey, "Hello World", -1);
1592 sk_OCSP_RESPID_push(ids, id);
1593 SSL_set_tlsext_status_ids(con, ids);
1598 #ifndef OPENSSL_NO_JPAKE
1600 jpake_client_auth(bio_c_out, sbio, jpake_secret);
1603 SSL_set_bio(con,sbio,sbio);
1604 SSL_set_connect_state(con);
1606 /* ok, lets connect */
1607 width=SSL_get_fd(con)+1;
1620 /* This is an ugly hack that does a lot of assumptions */
1621 /* We do have to handle multi-line responses which may come
1622 in a single packet or not. We therefore have to use
1623 BIO_gets() which does need a buffering BIO. So during
1624 the initial chitchat we do push a buffering BIO into the
1625 chain that is removed again later on to not disturb the
1626 rest of the s_client operation. */
1627 if (starttls_proto == PROTO_SMTP)
1630 BIO *fbio = BIO_new(BIO_f_buffer());
1631 BIO_push(fbio, sbio);
1632 /* wait for multi-line response to end from SMTP */
1635 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1637 while (mbuf_len>3 && mbuf[3]=='-');
1638 /* STARTTLS command requires EHLO... */
1639 BIO_printf(fbio,"EHLO openssl.client.net\r\n");
1640 (void)BIO_flush(fbio);
1641 /* wait for multi-line response to end EHLO SMTP response */
1644 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1645 if (strstr(mbuf,"STARTTLS"))
1648 while (mbuf_len>3 && mbuf[3]=='-');
1649 (void)BIO_flush(fbio);
1654 "didn't found starttls in server response,"
1655 " try anyway...\n");
1656 BIO_printf(sbio,"STARTTLS\r\n");
1657 BIO_read(sbio,sbuf,BUFSIZZ);
1659 else if (starttls_proto == PROTO_POP3)
1661 BIO_read(sbio,mbuf,BUFSIZZ);
1662 BIO_printf(sbio,"STLS\r\n");
1663 BIO_read(sbio,sbuf,BUFSIZZ);
1665 else if (starttls_proto == PROTO_IMAP)
1668 BIO *fbio = BIO_new(BIO_f_buffer());
1669 BIO_push(fbio, sbio);
1670 BIO_gets(fbio,mbuf,BUFSIZZ);
1671 /* STARTTLS command requires CAPABILITY... */
1672 BIO_printf(fbio,". CAPABILITY\r\n");
1673 (void)BIO_flush(fbio);
1674 /* wait for multi-line CAPABILITY response */
1677 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1678 if (strstr(mbuf,"STARTTLS"))
1681 while (mbuf_len>3 && mbuf[0]!='.');
1682 (void)BIO_flush(fbio);
1687 "didn't found STARTTLS in server response,"
1688 " try anyway...\n");
1689 BIO_printf(sbio,". STARTTLS\r\n");
1690 BIO_read(sbio,sbuf,BUFSIZZ);
1692 else if (starttls_proto == PROTO_FTP)
1694 BIO *fbio = BIO_new(BIO_f_buffer());
1695 BIO_push(fbio, sbio);
1696 /* wait for multi-line response to end from FTP */
1699 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
1701 while (mbuf_len>3 && mbuf[3]=='-');
1702 (void)BIO_flush(fbio);
1705 BIO_printf(sbio,"AUTH TLS\r\n");
1706 BIO_read(sbio,sbuf,BUFSIZZ);
1708 if (starttls_proto == PROTO_XMPP)
1711 BIO_printf(sbio,"<stream:stream "
1712 "xmlns:stream='http://etherx.jabber.org/streams' "
1713 "xmlns='jabber:client' to='%s' version='1.0'>", xmpphost ?
1715 seen = BIO_read(sbio,mbuf,BUFSIZZ);
1717 while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'") &&
1718 !strstr(mbuf, "<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\""))
1720 seen = BIO_read(sbio,mbuf,BUFSIZZ);
1727 BIO_printf(sbio, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>");
1728 seen = BIO_read(sbio,sbuf,BUFSIZZ);
1730 if (!strstr(sbuf, "<proceed"))
1740 if ((SSL_version(con) == DTLS1_VERSION) &&
1741 DTLSv1_get_timeout(con, &timeout))
1742 timeoutp = &timeout;
1746 if (SSL_in_init(con) && !SSL_total_renegotiations(con))
1757 #if 0 /* This test doesn't really work as intended (needs to be fixed) */
1758 #ifndef OPENSSL_NO_TLSEXT
1759 if (servername != NULL && !SSL_session_reused(con))
1761 BIO_printf(bio_c_out,"Server did %sacknowledge servername extension.\n",tlsextcbp.ack?"":"not ");
1767 BIO *stmp = BIO_new_file(sess_out, "w");
1770 PEM_write_bio_SSL_SESSION(stmp, SSL_get_session(con));
1774 BIO_printf(bio_err, "Error writing session file %s\n", sess_out);
1779 "CONNECTION ESTABLISHED\n");
1780 print_ssl_summary(bio_err, con);
1782 print_stuff(bio_c_out,con,full_log);
1783 if (full_log > 0) full_log--;
1787 BIO_printf(bio_err,"%s",mbuf);
1788 /* We don't need to know any more */
1789 starttls_proto = PROTO_OFF;
1795 BIO_printf(bio_c_out,"drop connection and then reconnect\n");
1797 SSL_set_connect_state(con);
1798 SHUTDOWN(SSL_get_fd(con));
1804 ssl_pending = read_ssl && SSL_pending(con);
1808 #if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) && !defined (OPENSSL_SYS_BEOS_R5)
1811 if (read_tty) openssl_fdset(fileno(stdin),&readfds);
1812 if (write_tty) openssl_fdset(fileno(stdout),&writefds);
1815 openssl_fdset(SSL_get_fd(con),&readfds);
1817 openssl_fdset(SSL_get_fd(con),&writefds);
1819 if(!tty_on || !write_tty) {
1821 openssl_fdset(SSL_get_fd(con),&readfds);
1823 openssl_fdset(SSL_get_fd(con),&writefds);
1826 /* printf("mode tty(%d %d%d) ssl(%d%d)\n",
1827 tty_on,read_tty,write_tty,read_ssl,write_ssl);*/
1829 /* Note: under VMS with SOCKETSHR the second parameter
1830 * is currently of type (int *) whereas under other
1831 * systems it is (void *) if you don't have a cast it
1832 * will choke the compiler: if you do have a cast then
1833 * you can either go for (int *) or (void *).
1835 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
1836 /* Under Windows/DOS we make the assumption that we can
1837 * always write to the tty: therefore if we need to
1838 * write to the tty we just fall through. Otherwise
1839 * we timeout the select every second and see if there
1840 * are any keypresses. Note: this is a hack, in a proper
1841 * Windows application we wouldn't do this.
1848 i=select(width,(void *)&readfds,(void *)&writefds,
1850 #if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
1851 if(!i && (!_kbhit() || !read_tty) ) continue;
1853 if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue;
1855 } else i=select(width,(void *)&readfds,(void *)&writefds,
1858 #elif defined(OPENSSL_SYS_NETWARE)
1863 i=select(width,(void *)&readfds,(void *)&writefds,
1865 } else i=select(width,(void *)&readfds,(void *)&writefds,
1868 #elif defined(OPENSSL_SYS_BEOS_R5)
1869 /* Under BeOS-R5 the situation is similar to DOS */
1872 (void)fcntl(fileno(stdin), F_SETFL, O_NONBLOCK);
1877 i=select(width,(void *)&readfds,(void *)&writefds,
1879 if (read(fileno(stdin), sbuf, 0) >= 0)
1881 if (!i && (stdin_set != 1 || !read_tty))
1883 } else i=select(width,(void *)&readfds,(void *)&writefds,
1886 (void)fcntl(fileno(stdin), F_SETFL, 0);
1888 i=select(width,(void *)&readfds,(void *)&writefds,
1893 BIO_printf(bio_err,"bad select %d\n",
1894 get_last_socket_error());
1900 if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0)
1902 BIO_printf(bio_err,"TIMEOUT occurred\n");
1905 if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds))
1907 k=SSL_write(con,&(cbuf[cbuf_off]),
1908 (unsigned int)cbuf_len);
1909 switch (SSL_get_error(con,k))
1911 case SSL_ERROR_NONE:
1914 if (k <= 0) goto end;
1915 /* we have done a write(con,NULL,0); */
1921 else /* if (cbuf_len > 0) */
1927 case SSL_ERROR_WANT_WRITE:
1928 BIO_printf(bio_c_out,"write W BLOCK\n");
1932 case SSL_ERROR_WANT_READ:
1933 BIO_printf(bio_c_out,"write R BLOCK\n");
1938 case SSL_ERROR_WANT_X509_LOOKUP:
1939 BIO_printf(bio_c_out,"write X BLOCK\n");
1941 case SSL_ERROR_ZERO_RETURN:
1944 BIO_printf(bio_c_out,"shutdown\n");
1955 case SSL_ERROR_SYSCALL:
1956 if ((k != 0) || (cbuf_len != 0))
1958 BIO_printf(bio_err,"write:errno=%d\n",
1959 get_last_socket_error());
1969 ERR_print_errors(bio_err);
1973 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
1974 /* Assume Windows/DOS/BeOS can always write */
1975 else if (!ssl_pending && write_tty)
1977 else if (!ssl_pending && FD_ISSET(fileno(stdout),&writefds))
1980 #ifdef CHARSET_EBCDIC
1981 ascii2ebcdic(&(sbuf[sbuf_off]),&(sbuf[sbuf_off]),sbuf_len);
1983 i=raw_write_stdout(&(sbuf[sbuf_off]),sbuf_len);
1987 BIO_printf(bio_c_out,"DONE\n");
2001 else if (ssl_pending || FD_ISSET(SSL_get_fd(con),&readfds))
2004 { static int iiii; if (++iiii == 52) { SSL_renegotiate(con); iiii=0; } }
2007 k=SSL_read(con,sbuf,1024 /* BUFSIZZ */ );
2009 /* Demo for pending and peek :-) */
2010 k=SSL_read(con,sbuf,16);
2012 printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240));
2016 switch (SSL_get_error(con,k))
2018 case SSL_ERROR_NONE:
2027 case SSL_ERROR_WANT_WRITE:
2028 BIO_printf(bio_c_out,"read W BLOCK\n");
2032 case SSL_ERROR_WANT_READ:
2033 BIO_printf(bio_c_out,"read R BLOCK\n");
2036 if ((read_tty == 0) && (write_ssl == 0))
2039 case SSL_ERROR_WANT_X509_LOOKUP:
2040 BIO_printf(bio_c_out,"read X BLOCK\n");
2042 case SSL_ERROR_SYSCALL:
2043 ret=get_last_socket_error();
2045 BIO_puts(bio_err, "CONNECTION CLOSED BY SERVER\n");
2047 BIO_printf(bio_err,"read:errno=%d\n",ret);
2049 case SSL_ERROR_ZERO_RETURN:
2050 BIO_printf(bio_c_out,"closed\n");
2054 ERR_print_errors(bio_err);
2060 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
2061 #if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
2064 else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
2066 #elif defined (OPENSSL_SYS_NETWARE)
2068 #elif defined(OPENSSL_SYS_BEOS_R5)
2071 else if (FD_ISSET(fileno(stdin),&readfds))
2078 i=raw_read_stdin(cbuf,BUFSIZZ/2);
2080 /* both loops are skipped when i <= 0 */
2081 for (j = 0; j < i; j++)
2082 if (cbuf[j] == '\n')
2084 for (j = i-1; j >= 0; j--)
2086 cbuf[j+lf_num] = cbuf[j];
2087 if (cbuf[j] == '\n')
2091 cbuf[j+lf_num] = '\r';
2094 assert(lf_num == 0);
2097 i=raw_read_stdin(cbuf,BUFSIZZ);
2099 if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q')))
2101 BIO_printf(bio_err,"DONE\n");
2106 if ((!c_ign_eof) && (cbuf[0] == 'R'))
2108 BIO_printf(bio_err,"RENEGOTIATING\n");
2109 SSL_renegotiate(con);
2112 #ifndef OPENSSL_NO_HEARTBEATS
2113 else if ((!c_ign_eof) && (cbuf[0] == 'B'))
2115 BIO_printf(bio_err,"HEARTBEATING\n");
2124 #ifdef CHARSET_EBCDIC
2125 ebcdic2ascii(cbuf, cbuf, i);
2137 print_stuff(bio_c_out,con,full_log);
2139 SHUTDOWN(SSL_get_fd(con));
2144 print_stuff(bio_c_out,con,1);
2147 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
2148 if (next_proto.data)
2149 OPENSSL_free(next_proto.data);
2151 if (ctx != NULL) SSL_CTX_free(ctx);
2155 sk_X509_CRL_pop_free(crls, X509_CRL_free);
2159 sk_X509_pop_free(chain, X509_free);
2163 X509_VERIFY_PARAM_free(vpm);
2164 ssl_excert_free(exc);
2166 sk_OPENSSL_STRING_free(ssl_args);
2168 SSL_CONF_CTX_free(cctx);
2169 #ifndef OPENSSL_NO_JPAKE
2170 if (jpake_secret && psk_key)
2171 OPENSSL_free(psk_key);
2173 if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); }
2174 if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); }
2175 if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); }
2176 if (bio_c_out != NULL)
2178 BIO_free(bio_c_out);
2181 if (bio_c_msg != NULL)
2183 BIO_free(bio_c_msg);
2191 static void print_stuff(BIO *bio, SSL *s, int full)
2195 static const char *space=" ";
2198 STACK_OF(X509_NAME) *sk2;
2199 const SSL_CIPHER *c;
2202 #ifndef OPENSSL_NO_COMP
2203 const COMP_METHOD *comp, *expansion;
2205 unsigned char *exportedkeymat;
2209 int got_a_chain = 0;
2211 sk=SSL_get_peer_cert_chain(s);
2214 got_a_chain = 1; /* we don't have it for SSL2 (yet) */
2216 BIO_printf(bio,"---\nCertificate chain\n");
2217 for (i=0; i<sk_X509_num(sk); i++)
2219 X509_NAME_oneline(X509_get_subject_name(
2220 sk_X509_value(sk,i)),buf,sizeof buf);
2221 BIO_printf(bio,"%2d s:%s\n",i,buf);
2222 X509_NAME_oneline(X509_get_issuer_name(
2223 sk_X509_value(sk,i)),buf,sizeof buf);
2224 BIO_printf(bio," i:%s\n",buf);
2226 PEM_write_bio_X509(bio,sk_X509_value(sk,i));
2230 BIO_printf(bio,"---\n");
2231 peer=SSL_get_peer_certificate(s);
2234 BIO_printf(bio,"Server certificate\n");
2235 if (!(c_showcerts && got_a_chain)) /* Redundant if we showed the whole chain */
2236 PEM_write_bio_X509(bio,peer);
2237 X509_NAME_oneline(X509_get_subject_name(peer),
2239 BIO_printf(bio,"subject=%s\n",buf);
2240 X509_NAME_oneline(X509_get_issuer_name(peer),
2242 BIO_printf(bio,"issuer=%s\n",buf);
2245 BIO_printf(bio,"no peer certificate available\n");
2247 sk2=SSL_get_client_CA_list(s);
2248 if ((sk2 != NULL) && (sk_X509_NAME_num(sk2) > 0))
2250 BIO_printf(bio,"---\nAcceptable client certificate CA names\n");
2251 for (i=0; i<sk_X509_NAME_num(sk2); i++)
2253 xn=sk_X509_NAME_value(sk2,i);
2254 X509_NAME_oneline(xn,buf,sizeof(buf));
2255 BIO_write(bio,buf,strlen(buf));
2256 BIO_write(bio,"\n",1);
2261 BIO_printf(bio,"---\nNo client certificate CA names sent\n");
2263 p=SSL_get_shared_ciphers(s,buf,sizeof buf);
2266 /* This works only for SSL 2. In later protocol
2267 * versions, the client does not know what other
2268 * ciphers (in addition to the one to be used
2269 * in the current connection) the server supports. */
2271 BIO_printf(bio,"---\nCiphers common between both SSL endpoints:\n");
2277 BIO_write(bio,space,15-j%25);
2280 BIO_write(bio,((i%3)?" ":"\n"),1);
2289 BIO_write(bio,"\n",1);
2292 ssl_print_sigalgs(bio, s);
2293 ssl_print_tmp_key(bio, s);
2295 BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n",
2296 BIO_number_read(SSL_get_rbio(s)),
2297 BIO_number_written(SSL_get_wbio(s)));
2299 BIO_printf(bio,(SSL_cache_hit(s)?"---\nReused, ":"---\nNew, "));
2300 c=SSL_get_current_cipher(s);
2301 BIO_printf(bio,"%s, Cipher is %s\n",
2302 SSL_CIPHER_get_version(c),
2303 SSL_CIPHER_get_name(c));
2306 pktmp = X509_get_pubkey(peer);
2307 BIO_printf(bio,"Server public key is %d bit\n",
2308 EVP_PKEY_bits(pktmp));
2309 EVP_PKEY_free(pktmp);
2311 BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
2312 SSL_get_secure_renegotiation_support(s) ? "" : " NOT");
2313 #ifndef OPENSSL_NO_COMP
2314 comp=SSL_get_current_compression(s);
2315 expansion=SSL_get_current_expansion(s);
2316 BIO_printf(bio,"Compression: %s\n",
2317 comp ? SSL_COMP_get_name(comp) : "NONE");
2318 BIO_printf(bio,"Expansion: %s\n",
2319 expansion ? SSL_COMP_get_name(expansion) : "NONE");
2324 /* Print out local port of connection: useful for debugging */
2326 struct sockaddr_in ladd;
2327 socklen_t ladd_size = sizeof(ladd);
2328 sock = SSL_get_fd(s);
2329 getsockname(sock, (struct sockaddr *)&ladd, &ladd_size);
2330 BIO_printf(bio_c_out, "LOCAL PORT is %u\n", ntohs(ladd.sin_port));
2334 #if !defined(OPENSSL_NO_TLSEXT)
2335 # if !defined(OPENSSL_NO_NEXTPROTONEG)
2336 if (next_proto.status != -1) {
2337 const unsigned char *proto;
2338 unsigned int proto_len;
2339 SSL_get0_next_proto_negotiated(s, &proto, &proto_len);
2340 BIO_printf(bio, "Next protocol: (%d) ", next_proto.status);
2341 BIO_write(bio, proto, proto_len);
2342 BIO_write(bio, "\n", 1);
2345 const unsigned char *proto;
2346 unsigned int proto_len;
2347 SSL_get0_alpn_selected(s, &proto, &proto_len);
2350 BIO_printf(bio, "ALPN protocol: ");
2351 BIO_write(bio, proto, proto_len);
2352 BIO_write(bio, "\n", 1);
2355 BIO_printf(bio, "No ALPN negotiated\n");
2361 SRTP_PROTECTION_PROFILE *srtp_profile=SSL_get_selected_srtp_profile(s);
2364 BIO_printf(bio,"SRTP Extension negotiated, profile=%s\n",
2365 srtp_profile->name);
2368 SSL_SESSION_print(bio,SSL_get_session(s));
2369 if (keymatexportlabel != NULL)
2371 BIO_printf(bio, "Keying material exporter:\n");
2372 BIO_printf(bio, " Label: '%s'\n", keymatexportlabel);
2373 BIO_printf(bio, " Length: %i bytes\n", keymatexportlen);
2374 exportedkeymat = OPENSSL_malloc(keymatexportlen);
2375 if (exportedkeymat != NULL)
2377 if (!SSL_export_keying_material(s, exportedkeymat,
2380 strlen(keymatexportlabel),
2383 BIO_printf(bio, " Error\n");
2387 BIO_printf(bio, " Keying material: ");
2388 for (i=0; i<keymatexportlen; i++)
2389 BIO_printf(bio, "%02X",
2391 BIO_printf(bio, "\n");
2393 OPENSSL_free(exportedkeymat);
2396 BIO_printf(bio,"---\n");
2399 /* flush, or debugging output gets mixed with http response */
2400 (void)BIO_flush(bio);
2403 #ifndef OPENSSL_NO_TLSEXT
2405 static int ocsp_resp_cb(SSL *s, void *arg)
2407 const unsigned char *p;
2410 len = SSL_get_tlsext_status_ocsp_resp(s, &p);
2411 BIO_puts(arg, "OCSP response: ");
2414 BIO_puts(arg, "no response sent\n");
2417 rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
2420 BIO_puts(arg, "response parse error\n");
2421 BIO_dump_indent(arg, (char *)p, len, 4);
2424 BIO_puts(arg, "\n======================================\n");
2425 OCSP_RESPONSE_print(arg, rsp, 0);
2426 BIO_puts(arg, "======================================\n");
2427 OCSP_RESPONSE_free(rsp);
2431 static int authz_tlsext_cb(SSL *s, unsigned short ext_type,
2432 const unsigned char *in,
2433 unsigned short inlen, int *al,
2436 if (TLSEXT_TYPE_server_authz == ext_type)
2437 server_provided_server_authz
2438 = (memchr(in, TLSEXT_AUTHZDATAFORMAT_dtcp, inlen) != NULL);
2440 if (TLSEXT_TYPE_client_authz == ext_type)
2441 server_provided_client_authz
2442 = (memchr(in, TLSEXT_AUTHZDATAFORMAT_dtcp, inlen) != NULL);
2447 static int authz_tlsext_generate_cb(SSL *s, unsigned short ext_type,
2448 const unsigned char **out, unsigned short *outlen,
2453 if (!c_auth_require_reneg || (c_auth_require_reneg && SSL_num_renegotiations(s)))
2455 *out = auth_ext_data;
2460 /* no auth extension to send */
2464 static int suppdata_cb(SSL *s, unsigned short supp_data_type,
2465 const unsigned char *in,
2466 unsigned short inlen, int *al,
2469 if (supp_data_type == TLSEXT_SUPPLEMENTALDATATYPE_authz_data)
2471 most_recent_supplemental_data = in;
2472 most_recent_supplemental_data_length = inlen;
2477 static int auth_suppdata_generate_cb(SSL *s, unsigned short supp_data_type,
2478 const unsigned char **out,
2479 unsigned short *outlen, void *arg)
2481 unsigned char *result;
2482 if (c_auth && server_provided_client_authz && server_provided_server_authz)
2484 if (!c_auth_require_reneg
2485 || (c_auth_require_reneg && SSL_num_renegotiations(s)))
2487 result = OPENSSL_malloc(10);
2488 memcpy(result, "5432154321", 10);
2494 /* no supplemental data to send */