X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=apps%2Fs_client.c;h=f6717f1a71c60a10ba7daf977875e25dc97a8562;hb=fbc4a24633bf2e36044fe3ebe39c2ae20812acac;hp=c1fcd9d97f05ed8e675cee3c32bf050ce798ef20;hpb=abbc186bd2798afc4ad405af15d7e2668d66ef3e;p=oweals%2Fopenssl.git diff --git a/apps/s_client.c b/apps/s_client.c index c1fcd9d97f..f6717f1a71 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -134,7 +134,9 @@ typedef unsigned int u_int; #include #include #include +#include #include "s_apps.h" +#include "timeouts.h" #ifdef OPENSSL_SYS_WINCE /* Windows CE incorrectly defines fileno as returning void*, so to avoid problems below... */ @@ -170,11 +172,18 @@ static int c_nbio=0; #endif static int c_Pause=0; static int c_debug=0; +#ifndef OPENSSL_NO_TLSEXT +static int c_tlsextdebug=0; +static int c_status_req=0; +#endif static int c_msg=0; static int c_showcerts=0; static void sc_usage(void); static void print_stuff(BIO *berr,SSL *con,int full); +#ifndef OPENSSL_NO_TLSEXT +static int ocsp_resp_cb(SSL *s, void *arg); +#endif static BIO *bio_c_out=NULL; static int c_quiet=0; static int c_ign_eof=0; @@ -187,7 +196,7 @@ static void sc_usage(void) BIO_printf(bio_err," -port port - use -connect instead\n"); BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR); - BIO_printf(bio_err," -verify arg - turn on peer certificate verification\n"); + BIO_printf(bio_err," -verify depth - turn on peer certificate verification\n"); BIO_printf(bio_err," -cert arg - certificate file to use, PEM format assumed\n"); BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n"); BIO_printf(bio_err," -key arg - Private key file to use, in cert file if\n"); @@ -200,6 +209,9 @@ static void sc_usage(void) BIO_printf(bio_err," -pause - sleep(1) after each read(2) and write(2) system call\n"); BIO_printf(bio_err," -showcerts - show all certificates in the chain\n"); BIO_printf(bio_err," -debug - extra output\n"); +#ifdef WATT32 + BIO_printf(bio_err," -wdebug - WATT-32 tcp debugging\n"); +#endif BIO_printf(bio_err," -msg - Show protocol messages\n"); BIO_printf(bio_err," -nbio_test - more ssl protocol testing\n"); BIO_printf(bio_err," -state - print the 'ssl' states\n"); @@ -209,9 +221,12 @@ static void sc_usage(void) BIO_printf(bio_err," -crlf - convert LF from terminal into CRLF\n"); BIO_printf(bio_err," -quiet - no s_client output\n"); BIO_printf(bio_err," -ign_eof - ignore input eof (default when -quiet)\n"); + BIO_printf(bio_err," -no_ign_eof - don't ignore input eof\n"); BIO_printf(bio_err," -ssl2 - just use SSLv2\n"); BIO_printf(bio_err," -ssl3 - just use SSLv3\n"); BIO_printf(bio_err," -tls1 - just use TLSv1\n"); + BIO_printf(bio_err," -dtls1 - just use DTLSv1\n"); + BIO_printf(bio_err," -mtu - set the link layer MTU\n"); BIO_printf(bio_err," -no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n"); BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n"); BIO_printf(bio_err," -serverpref - Use server's cipher preferences (only SSLv2)\n"); @@ -220,13 +235,52 @@ static void sc_usage(void) BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n"); BIO_printf(bio_err," for those protocols that support it, where\n"); BIO_printf(bio_err," 'prot' defines which one to assume. Currently,\n"); - BIO_printf(bio_err," only \"smtp\" and \"pop3\" are supported.\n"); + BIO_printf(bio_err," only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n"); + BIO_printf(bio_err," are supported.\n"); #ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err," -engine id - Initialise and use the specified engine\n"); #endif BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); + BIO_printf(bio_err," -sess_out arg - file to write SSL session to\n"); + BIO_printf(bio_err," -sess_in arg - file to read SSL session from\n"); +#ifndef OPENSSL_NO_TLSEXT + BIO_printf(bio_err," -servername host - Set TLS extension servername in ClientHello\n"); + BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n"); + BIO_printf(bio_err," -status - request certificate status from server\n"); + BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n"); +#endif + } +#ifndef OPENSSL_NO_TLSEXT + +/* This is a context that we pass to callbacks */ +typedef struct tlsextctx_st { + BIO * biodebug; + int ack; +} tlsextctx; + + +static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg) + { + tlsextctx * p = (tlsextctx *) arg; + const char * hn= SSL_get_servername(s, TLSEXT_NAMETYPE_host_name); + if (SSL_get_servername_type(s) != -1) + p->ack = !SSL_session_reused(s) && hn != NULL; + else + BIO_printf(bio_err,"Can't use SSL_get_servername\n"); + + return SSL_TLSEXT_ERR_OK; } +#endif +enum +{ + PROTO_OFF = 0, + PROTO_SMTP, + PROTO_POP3, + PROTO_IMAP, + PROTO_FTP, + PROTO_XMPP +}; int MAIN(int, char **); @@ -254,19 +308,42 @@ int MAIN(int argc, char **argv) int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending; SSL_CTX *ctx=NULL; int ret=1,in_init=1,i,nbio_test=0; - int starttls_proto = 0; + int starttls_proto = PROTO_OFF; int prexit = 0, vflags = 0; SSL_METHOD *meth=NULL; +#ifdef sock_type +#undef sock_type +#endif + int sock_type=SOCK_STREAM; BIO *sbio; char *inrand=NULL; + int mbuf_len=0; + struct timeval timeout, *timeoutp; #ifndef OPENSSL_NO_ENGINE char *engine_id=NULL; - ENGINE *e=NULL; + char *ssl_client_engine_id=NULL; + ENGINE *ssl_client_engine=NULL; #endif + ENGINE *e=NULL; #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) struct timeval tv; #endif +#ifndef OPENSSL_NO_TLSEXT + char *servername = NULL; + tlsextctx tlsextcbp = + {NULL,0}; +#endif + char *sess_in = NULL; + char *sess_out = NULL; + struct sockaddr peer; + int peerlen = sizeof(peer); + int enable_timeouts = 0 ; + long socket_mtu = 0; +#ifndef OPENSSL_NO_JPAKE + char *jpake_secret = NULL; +#endif + #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3) meth=SSLv23_client_method(); #elif !defined(OPENSSL_NO_SSL3) @@ -336,6 +413,16 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; cert_file= *(++argv); } + else if (strcmp(*argv,"-sess_out") == 0) + { + if (--argc < 1) goto bad; + sess_out = *(++argv); + } + else if (strcmp(*argv,"-sess_in") == 0) + { + if (--argc < 1) goto bad; + sess_in = *(++argv); + } else if (strcmp(*argv,"-certform") == 0) { if (--argc < 1) goto bad; @@ -356,10 +443,22 @@ int MAIN(int argc, char **argv) } else if (strcmp(*argv,"-ign_eof") == 0) c_ign_eof=1; + else if (strcmp(*argv,"-no_ign_eof") == 0) + c_ign_eof=0; else if (strcmp(*argv,"-pause") == 0) c_Pause=1; else if (strcmp(*argv,"-debug") == 0) c_debug=1; +#ifndef OPENSSL_NO_TLSEXT + else if (strcmp(*argv,"-tlsextdebug") == 0) + c_tlsextdebug=1; + else if (strcmp(*argv,"-status") == 0) + c_status_req=1; +#endif +#ifdef WATT32 + else if (strcmp(*argv,"-wdebug") == 0) + dbug_init(); +#endif else if (strcmp(*argv,"-msg") == 0) c_msg=1; else if (strcmp(*argv,"-showcerts") == 0) @@ -379,6 +478,20 @@ int MAIN(int argc, char **argv) #ifndef OPENSSL_NO_TLS1 else if (strcmp(*argv,"-tls1") == 0) meth=TLSv1_client_method(); +#endif +#ifndef OPENSSL_NO_DTLS1 + else if (strcmp(*argv,"-dtls1") == 0) + { + meth=DTLSv1_client_method(); + sock_type=SOCK_DGRAM; + } + else if (strcmp(*argv,"-timeout") == 0) + enable_timeouts=1; + else if (strcmp(*argv,"-mtu") == 0) + { + if (--argc < 1) goto bad; + socket_mtu = atol(*(++argv)); + } #endif else if (strcmp(*argv,"-bugs") == 0) bugs=1; @@ -417,6 +530,10 @@ int MAIN(int argc, char **argv) off|=SSL_OP_NO_SSLv3; else if (strcmp(*argv,"-no_ssl2") == 0) off|=SSL_OP_NO_SSLv2; +#ifndef OPENSSL_NO_TLSEXT + else if (strcmp(*argv,"-no_ticket") == 0) + { off|=SSL_OP_NO_TICKET; } +#endif else if (strcmp(*argv,"-serverpref") == 0) off|=SSL_OP_CIPHER_SERVER_PREFERENCE; else if (strcmp(*argv,"-cipher") == 0) @@ -433,9 +550,15 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; ++argv; if (strcmp(*argv,"smtp") == 0) - starttls_proto = 1; + starttls_proto = PROTO_SMTP; else if (strcmp(*argv,"pop3") == 0) - starttls_proto = 2; + starttls_proto = PROTO_POP3; + else if (strcmp(*argv,"imap") == 0) + starttls_proto = PROTO_IMAP; + else if (strcmp(*argv,"ftp") == 0) + starttls_proto = PROTO_FTP; + else if (strcmp(*argv, "xmpp") == 0) + starttls_proto = PROTO_XMPP; else goto bad; } @@ -445,12 +568,32 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; engine_id = *(++argv); } + else if (strcmp(*argv,"-ssl_client_engine") == 0) + { + if (--argc < 1) goto bad; + ssl_client_engine_id = *(++argv); + } #endif else if (strcmp(*argv,"-rand") == 0) { if (--argc < 1) goto bad; inrand= *(++argv); } +#ifndef OPENSSL_NO_TLSEXT + else if (strcmp(*argv,"-servername") == 0) + { + if (--argc < 1) goto bad; + servername= *(++argv); + /* meth=TLSv1_client_method(); */ + } +#endif +#ifndef OPENSSL_NO_JPAKE + else if (strcmp(*argv,"-jpake") == 0) + { + if (--argc < 1) goto bad; + jpake_secret = *++argv; + } +#endif else { BIO_printf(bio_err,"unknown option %s\n",*argv); @@ -472,6 +615,16 @@ bad: #ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine_id, 1); + if (ssl_client_engine_id) + { + ssl_client_engine = ENGINE_by_id(ssl_client_engine_id); + if (!ssl_client_engine) + { + BIO_printf(bio_err, + "Error getting client auth engine\n"); + goto end; + } + } #endif if (!app_passwd(bio_err, passarg, NULL, &pass, NULL)) { @@ -539,10 +692,28 @@ bad: goto end; } +#ifndef OPENSSL_NO_ENGINE + if (ssl_client_engine) + { + if (!SSL_CTX_set_client_cert_engine(ctx, ssl_client_engine)) + { + BIO_puts(bio_err, "Error setting client auth engine\n"); + ERR_print_errors(bio_err); + ENGINE_free(ssl_client_engine); + goto end; + } + ENGINE_free(ssl_client_engine); + } +#endif + if (bugs) SSL_CTX_set_options(ctx,SSL_OP_ALL|off); else SSL_CTX_set_options(ctx,off); + /* DTLS: partial reads end up discarding unread UDP bytes :-( + * Setting read ahead solves this problem. + */ + if (sock_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1); if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback); if (cipher != NULL) @@ -570,8 +741,51 @@ bad: store = SSL_CTX_get_cert_store(ctx); X509_STORE_set_flags(store, vflags); +#ifndef OPENSSL_NO_TLSEXT + if (servername != NULL) + { + tlsextcbp.biodebug = bio_err; + SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb); + SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp); + } +#endif con=SSL_new(ctx); + if (sess_in) + { + SSL_SESSION *sess; + BIO *stmp = BIO_new_file(sess_in, "r"); + if (!stmp) + { + BIO_printf(bio_err, "Can't open session file %s\n", + sess_in); + ERR_print_errors(bio_err); + goto end; + } + sess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL); + BIO_free(stmp); + if (!sess) + { + BIO_printf(bio_err, "Can't open session file %s\n", + sess_in); + ERR_print_errors(bio_err); + goto end; + } + SSL_set_session(con, sess); + SSL_SESSION_free(sess); + } +#ifndef OPENSSL_NO_TLSEXT + if (servername != NULL) + { + if (!SSL_set_tlsext_host_name(con,servername)) + { + BIO_printf(bio_err,"Unable to set TLS servername extension.\n"); + ERR_print_errors(bio_err); + goto end; + } + } +#endif + #ifndef OPENSSL_NO_KRB5 if (con && (con->kssl_ctx = kssl_ctx_new()) != NULL) { @@ -582,7 +796,7 @@ bad: re_start: - if (init_client(&s,host,port) == 0) + if (init_client(&s,host,port,sock_type) == 0) { BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error()); SHUTDOWN(s); @@ -603,7 +817,43 @@ re_start: } #endif if (c_Pause & 0x01) con->debug=1; - sbio=BIO_new_socket(s,BIO_NOCLOSE); + + if ( SSL_version(con) == DTLS1_VERSION) + { + + sbio=BIO_new_dgram(s,BIO_NOCLOSE); + if (getsockname(s, &peer, (void *)&peerlen) < 0) + { + BIO_printf(bio_err, "getsockname:errno=%d\n", + get_last_socket_error()); + SHUTDOWN(s); + goto end; + } + + (void)BIO_ctrl_set_connected(sbio, 1, &peer); + + if ( enable_timeouts) + { + timeout.tv_sec = 0; + timeout.tv_usec = DGRAM_RCV_TIMEOUT; + BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout); + + timeout.tv_sec = 0; + timeout.tv_usec = DGRAM_SND_TIMEOUT; + BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout); + } + + if (socket_mtu > 28) + { + SSL_set_options(con, SSL_OP_NO_QUERY_MTU); + SSL_set_mtu(con, socket_mtu - 28); + } + else + /* want to do MTU discovery */ + BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL); + } + else + sbio=BIO_new_socket(s,BIO_NOCLOSE); if (nbio_test) { @@ -617,13 +867,41 @@ re_start: { con->debug=1; BIO_set_callback(sbio,bio_dump_callback); - BIO_set_callback_arg(sbio,bio_c_out); + BIO_set_callback_arg(sbio,(char *)bio_c_out); } if (c_msg) { SSL_set_msg_callback(con, msg_cb); SSL_set_msg_callback_arg(con, bio_c_out); } +#ifndef OPENSSL_NO_TLSEXT + if (c_tlsextdebug) + { + SSL_set_tlsext_debug_callback(con, tlsext_cb); + SSL_set_tlsext_debug_arg(con, bio_c_out); + } + if (c_status_req) + { + SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp); + SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb); + SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out); +#if 0 +{ +STACK_OF(OCSP_RESPID) *ids = sk_OCSP_RESPID_new_null(); +OCSP_RESPID *id = OCSP_RESPID_new(); +id->value.byKey = ASN1_OCTET_STRING_new(); +id->type = V_OCSP_RESPID_KEY; +ASN1_STRING_set(id->value.byKey, "Hello World", -1); +sk_OCSP_RESPID_push(ids, id); +SSL_set_tlsext_status_ids(con, ids); +} +#endif + } +#endif +#ifndef OPENSSL_NO_JPAKE + if (jpake_secret) + jpake_client_auth(bio_c_out, sbio, jpake_secret); +#endif SSL_set_bio(con,sbio,sbio); SSL_set_connect_state(con); @@ -643,24 +921,127 @@ re_start: sbuf_off=0; /* This is an ugly hack that does a lot of assumptions */ - if (starttls_proto == 1) + /* We do have to handle multi-line responses which may come + in a single packet or not. We therefore have to use + BIO_gets() which does need a buffering BIO. So during + the initial chitchat we do push a buffering BIO into the + chain that is removed again later on to not disturb the + rest of the s_client operation. */ + if (starttls_proto == PROTO_SMTP) { - BIO_read(sbio,mbuf,BUFSIZZ); + int foundit=0; + BIO *fbio = BIO_new(BIO_f_buffer()); + BIO_push(fbio, sbio); + /* wait for multi-line response to end from SMTP */ + do + { + mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ); + } + while (mbuf_len>3 && mbuf[3]=='-'); + /* STARTTLS command requires EHLO... */ + BIO_printf(fbio,"EHLO openssl.client.net\r\n"); + (void)BIO_flush(fbio); + /* wait for multi-line response to end EHLO SMTP response */ + do + { + mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ); + if (strstr(mbuf,"STARTTLS")) + foundit=1; + } + while (mbuf_len>3 && mbuf[3]=='-'); + (void)BIO_flush(fbio); + BIO_pop(fbio); + BIO_free(fbio); + if (!foundit) + BIO_printf(bio_err, + "didn't found starttls in server response," + " try anyway...\n"); BIO_printf(sbio,"STARTTLS\r\n"); BIO_read(sbio,sbuf,BUFSIZZ); } - if (starttls_proto == 2) + else if (starttls_proto == PROTO_POP3) { BIO_read(sbio,mbuf,BUFSIZZ); BIO_printf(sbio,"STLS\r\n"); BIO_read(sbio,sbuf,BUFSIZZ); } + else if (starttls_proto == PROTO_IMAP) + { + int foundit=0; + BIO *fbio = BIO_new(BIO_f_buffer()); + BIO_push(fbio, sbio); + BIO_gets(fbio,mbuf,BUFSIZZ); + /* STARTTLS command requires CAPABILITY... */ + BIO_printf(fbio,". CAPABILITY\r\n"); + (void)BIO_flush(fbio); + /* wait for multi-line CAPABILITY response */ + do + { + mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ); + if (strstr(mbuf,"STARTTLS")) + foundit=1; + } + while (mbuf_len>3 && mbuf[0]!='.'); + (void)BIO_flush(fbio); + BIO_pop(fbio); + BIO_free(fbio); + if (!foundit) + BIO_printf(bio_err, + "didn't found STARTTLS in server response," + " try anyway...\n"); + BIO_printf(sbio,". STARTTLS\r\n"); + BIO_read(sbio,sbuf,BUFSIZZ); + } + else if (starttls_proto == PROTO_FTP) + { + BIO *fbio = BIO_new(BIO_f_buffer()); + BIO_push(fbio, sbio); + /* wait for multi-line response to end from FTP */ + do + { + mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ); + } + while (mbuf_len>3 && mbuf[3]=='-'); + (void)BIO_flush(fbio); + BIO_pop(fbio); + BIO_free(fbio); + BIO_printf(sbio,"AUTH TLS\r\n"); + BIO_read(sbio,sbuf,BUFSIZZ); + } + if (starttls_proto == PROTO_XMPP) + { + int seen = 0; + BIO_printf(sbio,"", host); + seen = BIO_read(sbio,mbuf,BUFSIZZ); + mbuf[seen] = 0; + while (!strstr(mbuf, "")) + goto shut; + seen = BIO_read(sbio,mbuf,BUFSIZZ); + mbuf[seen] = 0; + } + BIO_printf(sbio, ""); + seen = BIO_read(sbio,sbuf,BUFSIZZ); + sbuf[seen] = 0; + if (!strstr(sbuf, " 0) full_log--; @@ -679,7 +1071,7 @@ re_start: { BIO_printf(bio_err,"%s",mbuf); /* We don't need to know any more */ - starttls_proto = 0; + starttls_proto = PROTO_OFF; } if (reconnect) @@ -746,7 +1138,7 @@ re_start: if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue; #endif } else i=select(width,(void *)&readfds,(void *)&writefds, - NULL,NULL); + NULL,timeoutp); } #elif defined(OPENSSL_SYS_NETWARE) if(!write_tty) { @@ -756,11 +1148,11 @@ re_start: i=select(width,(void *)&readfds,(void *)&writefds, NULL,&tv); } else i=select(width,(void *)&readfds,(void *)&writefds, - NULL,NULL); + NULL,timeoutp); } #else i=select(width,(void *)&readfds,(void *)&writefds, - NULL,NULL); + NULL,timeoutp); #endif if ( i < 0) { @@ -771,6 +1163,11 @@ re_start: } } + if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0) + { + BIO_printf(bio_err,"TIMEOUT occured\n"); + } + if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds)) { k=SSL_write(con,&(cbuf[cbuf_off]), @@ -1013,14 +1410,16 @@ static void print_stuff(BIO *bio, SSL *s, int full) { X509 *peer=NULL; char *p; - static char *space=" "; + static const char *space=" "; char buf[BUFSIZ]; STACK_OF(X509) *sk; STACK_OF(X509_NAME) *sk2; SSL_CIPHER *c; X509_NAME *xn; int j,i; +#ifndef OPENSSL_NO_COMP const COMP_METHOD *comp, *expansion; +#endif if (full) { @@ -1123,17 +1522,47 @@ static void print_stuff(BIO *bio, SSL *s, int full) EVP_PKEY_bits(pktmp)); EVP_PKEY_free(pktmp); } +#ifndef OPENSSL_NO_COMP comp=SSL_get_current_compression(s); expansion=SSL_get_current_expansion(s); BIO_printf(bio,"Compression: %s\n", comp ? SSL_COMP_get_name(comp) : "NONE"); BIO_printf(bio,"Expansion: %s\n", expansion ? SSL_COMP_get_name(expansion) : "NONE"); +#endif SSL_SESSION_print(bio,SSL_get_session(s)); BIO_printf(bio,"---\n"); if (peer != NULL) X509_free(peer); /* flush, or debugging output gets mixed with http response */ - BIO_flush(bio); + (void)BIO_flush(bio); } +#ifndef OPENSSL_NO_TLSEXT + +static int ocsp_resp_cb(SSL *s, void *arg) + { + const unsigned char *p; + int len; + OCSP_RESPONSE *rsp; + len = SSL_get_tlsext_status_ocsp_resp(s, &p); + BIO_puts(arg, "OCSP response: "); + if (!p) + { + BIO_puts(arg, "no response sent\n"); + return 1; + } + rsp = d2i_OCSP_RESPONSE(NULL, &p, len); + if (!rsp) + { + BIO_puts(arg, "response parse error\n"); + BIO_dump_indent(arg, (char *)p, len, 4); + return 0; + } + BIO_puts(arg, "\n======================================\n"); + OCSP_RESPONSE_print(arg, rsp, 0); + BIO_puts(arg, "======================================\n"); + OCSP_RESPONSE_free(rsp); + return 1; + } +#endif /* ndef OPENSSL_NO_TLSEXT */