Home | History | Annotate | Download | only in apps
      1 /* apps/s_client.c */
      2 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com)
      3  * All rights reserved.
      4  *
      5  * This package is an SSL implementation written
      6  * by Eric Young (eay (at) cryptsoft.com).
      7  * The implementation was written so as to conform with Netscapes SSL.
      8  *
      9  * This library is free for commercial and non-commercial use as long as
     10  * the following conditions are aheared to.  The following conditions
     11  * apply to all code found in this distribution, be it the RC4, RSA,
     12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
     13  * included with this distribution is covered by the same copyright terms
     14  * except that the holder is Tim Hudson (tjh (at) cryptsoft.com).
     15  *
     16  * Copyright remains Eric Young's, and as such any Copyright notices in
     17  * the code are not to be removed.
     18  * If this package is used in a product, Eric Young should be given attribution
     19  * as the author of the parts of the library used.
     20  * This can be in the form of a textual message at program startup or
     21  * in documentation (online or textual) provided with the package.
     22  *
     23  * Redistribution and use in source and binary forms, with or without
     24  * modification, are permitted provided that the following conditions
     25  * are met:
     26  * 1. Redistributions of source code must retain the copyright
     27  *    notice, this list of conditions and the following disclaimer.
     28  * 2. Redistributions in binary form must reproduce the above copyright
     29  *    notice, this list of conditions and the following disclaimer in the
     30  *    documentation and/or other materials provided with the distribution.
     31  * 3. All advertising materials mentioning features or use of this software
     32  *    must display the following acknowledgement:
     33  *    "This product includes cryptographic software written by
     34  *     Eric Young (eay (at) cryptsoft.com)"
     35  *    The word 'cryptographic' can be left out if the rouines from the library
     36  *    being used are not cryptographic related :-).
     37  * 4. If you include any Windows specific code (or a derivative thereof) from
     38  *    the apps directory (application code) you must include an acknowledgement:
     39  *    "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)"
     40  *
     41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
     42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
     44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
     45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
     46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
     47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
     49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
     50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
     51  * SUCH DAMAGE.
     52  *
     53  * The licence and distribution terms for any publically available version or
     54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
     55  * copied and put under another distribution licence
     56  * [including the GNU Public Licence.]
     57  */
     58 /* ====================================================================
     59  * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
     60  *
     61  * Redistribution and use in source and binary forms, with or without
     62  * modification, are permitted provided that the following conditions
     63  * are met:
     64  *
     65  * 1. Redistributions of source code must retain the above copyright
     66  *    notice, this list of conditions and the following disclaimer.
     67  *
     68  * 2. Redistributions in binary form must reproduce the above copyright
     69  *    notice, this list of conditions and the following disclaimer in
     70  *    the documentation and/or other materials provided with the
     71  *    distribution.
     72  *
     73  * 3. All advertising materials mentioning features or use of this
     74  *    software must display the following acknowledgment:
     75  *    "This product includes software developed by the OpenSSL Project
     76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
     77  *
     78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
     79  *    endorse or promote products derived from this software without
     80  *    prior written permission. For written permission, please contact
     81  *    openssl-core (at) openssl.org.
     82  *
     83  * 5. Products derived from this software may not be called "OpenSSL"
     84  *    nor may "OpenSSL" appear in their names without prior written
     85  *    permission of the OpenSSL Project.
     86  *
     87  * 6. Redistributions of any form whatsoever must retain the following
     88  *    acknowledgment:
     89  *    "This product includes software developed by the OpenSSL Project
     90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
     91  *
     92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
     93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
     95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
     96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
     97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
     98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
     99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
    100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
    101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
    102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
    103  * OF THE POSSIBILITY OF SUCH DAMAGE.
    104  * ====================================================================
    105  *
    106  * This product includes cryptographic software written by Eric Young
    107  * (eay (at) cryptsoft.com).  This product includes software written by Tim
    108  * Hudson (tjh (at) cryptsoft.com).
    109  *
    110  */
    111 /* ====================================================================
    112  * Copyright 2005 Nokia. All rights reserved.
    113  *
    114  * The portions of the attached software ("Contribution") is developed by
    115  * Nokia Corporation and is licensed pursuant to the OpenSSL open source
    116  * license.
    117  *
    118  * The Contribution, originally written by Mika Kousa and Pasi Eronen of
    119  * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
    120  * support (see RFC 4279) to OpenSSL.
    121  *
    122  * No patent licenses or other rights except those expressly stated in
    123  * the OpenSSL open source license shall be deemed granted or received
    124  * expressly, by implication, estoppel, or otherwise.
    125  *
    126  * No assurances are provided by Nokia that the Contribution does not
    127  * infringe the patent or other intellectual property rights of any third
    128  * party or that the license provides you with all the necessary rights
    129  * to make use of the Contribution.
    130  *
    131  * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
    132  * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
    133  * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
    134  * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
    135  * OTHERWISE.
    136  */
    137 
    138 #include <assert.h>
    139 #include <ctype.h>
    140 #include <stdio.h>
    141 #include <stdlib.h>
    142 #include <string.h>
    143 #include <openssl/e_os2.h>
    144 #ifdef OPENSSL_NO_STDIO
    145 #define APPS_WIN16
    146 #endif
    147 
    148 /* With IPv6, it looks like Digital has mixed up the proper order of
    149    recursive header file inclusion, resulting in the compiler complaining
    150    that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which
    151    is needed to have fileno() declared correctly...  So let's define u_int */
    152 #if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
    153 #define __U_INT
    154 typedef unsigned int u_int;
    155 #endif
    156 
    157 #define USE_SOCKETS
    158 #include "apps.h"
    159 #include <openssl/x509.h>
    160 #include <openssl/ssl.h>
    161 #include <openssl/err.h>
    162 #include <openssl/pem.h>
    163 #include <openssl/rand.h>
    164 #include <openssl/ocsp.h>
    165 #include <openssl/bn.h>
    166 #ifndef OPENSSL_NO_SRP
    167 #include <openssl/srp.h>
    168 #endif
    169 #include "s_apps.h"
    170 #include "timeouts.h"
    171 
    172 #if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
    173 /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
    174 #undef FIONBIO
    175 #endif
    176 
    177 #if defined(OPENSSL_SYS_BEOS_R5)
    178 #include <fcntl.h>
    179 #endif
    180 
    181 #undef PROG
    182 #define PROG	s_client_main
    183 
    184 /*#define SSL_HOST_NAME	"www.netscape.com" */
    185 /*#define SSL_HOST_NAME	"193.118.187.102" */
    186 #define SSL_HOST_NAME	"localhost"
    187 
    188 /*#define TEST_CERT "client.pem" */ /* no default cert. */
    189 
    190 #undef BUFSIZZ
    191 #define BUFSIZZ 1024*8
    192 
    193 extern int verify_depth;
    194 extern int verify_error;
    195 extern int verify_return_error;
    196 
    197 #ifdef FIONBIO
    198 static int c_nbio=0;
    199 #endif
    200 static int c_Pause=0;
    201 static int c_debug=0;
    202 #ifndef OPENSSL_NO_TLSEXT
    203 static int c_tlsextdebug=0;
    204 static int c_status_req=0;
    205 #endif
    206 static int c_msg=0;
    207 static int c_showcerts=0;
    208 
    209 static char *keymatexportlabel=NULL;
    210 static int keymatexportlen=20;
    211 
    212 static void sc_usage(void);
    213 static void print_stuff(BIO *berr,SSL *con,int full);
    214 #ifndef OPENSSL_NO_TLSEXT
    215 static int ocsp_resp_cb(SSL *s, void *arg);
    216 #endif
    217 static BIO *bio_c_out=NULL;
    218 static int c_quiet=0;
    219 static int c_ign_eof=0;
    220 
    221 #ifndef OPENSSL_NO_PSK
    222 /* Default PSK identity and key */
    223 static char *psk_identity="Client_identity";
    224 /*char *psk_key=NULL;  by default PSK is not used */
    225 
    226 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity,
    227 	unsigned int max_identity_len, unsigned char *psk,
    228 	unsigned int max_psk_len)
    229 	{
    230 	unsigned int psk_len = 0;
    231 	int ret;
    232         BIGNUM *bn=NULL;
    233 
    234 	if (c_debug)
    235 		BIO_printf(bio_c_out, "psk_client_cb\n");
    236 	if (!hint)
    237                 {
    238                 /* no ServerKeyExchange message*/
    239 		if (c_debug)
    240 			BIO_printf(bio_c_out,"NULL received PSK identity hint, continuing anyway\n");
    241                 }
    242         else if (c_debug)
    243 		BIO_printf(bio_c_out, "Received PSK identity hint '%s'\n", hint);
    244 
    245 	/* lookup PSK identity and PSK key based on the given identity hint here */
    246 	ret = BIO_snprintf(identity, max_identity_len, "%s", psk_identity);
    247 	if (ret < 0 || (unsigned int)ret > max_identity_len)
    248 		goto out_err;
    249 	if (c_debug)
    250 		BIO_printf(bio_c_out, "created identity '%s' len=%d\n", identity, ret);
    251         ret=BN_hex2bn(&bn, psk_key);
    252         if (!ret)
    253                 {
    254                 BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", psk_key);
    255                 if (bn)
    256                         BN_free(bn);
    257                 return 0;
    258                 }
    259 
    260         if ((unsigned int)BN_num_bytes(bn) > max_psk_len)
    261                 {
    262                 BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
    263                         max_psk_len, BN_num_bytes(bn));
    264                 BN_free(bn);
    265                 return 0;
    266                 }
    267 
    268         psk_len=BN_bn2bin(bn, psk);
    269         BN_free(bn);
    270         if (psk_len == 0)
    271                 goto out_err;
    272 
    273 	if (c_debug)
    274 		BIO_printf(bio_c_out, "created PSK len=%d\n", psk_len);
    275 
    276         return psk_len;
    277  out_err:
    278 	if (c_debug)
    279 		BIO_printf(bio_err, "Error in PSK client callback\n");
    280         return 0;
    281 	}
    282 #endif
    283 
    284 static void sc_usage(void)
    285 	{
    286 	BIO_printf(bio_err,"usage: s_client args\n");
    287 	BIO_printf(bio_err,"\n");
    288 	BIO_printf(bio_err," -host host     - use -connect instead\n");
    289 	BIO_printf(bio_err," -port port     - use -connect instead\n");
    290 	BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR);
    291 
    292 	BIO_printf(bio_err," -verify arg   - turn on peer certificate verification\n");
    293 	BIO_printf(bio_err," -cert arg     - certificate file to use, PEM format assumed\n");
    294 	BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n");
    295 	BIO_printf(bio_err," -key arg      - Private key file to use, in cert file if\n");
    296 	BIO_printf(bio_err,"                 not specified but cert file is.\n");
    297 	BIO_printf(bio_err," -keyform arg  - key format (PEM or DER) PEM default\n");
    298 	BIO_printf(bio_err," -pass arg     - private key file pass phrase source\n");
    299 	BIO_printf(bio_err," -CApath arg   - PEM format directory of CA's\n");
    300 	BIO_printf(bio_err," -CAfile arg   - PEM format file of CA's\n");
    301 	BIO_printf(bio_err," -reconnect    - Drop and re-make the connection with the same Session-ID\n");
    302 	BIO_printf(bio_err," -pause        - sleep(1) after each read(2) and write(2) system call\n");
    303 	BIO_printf(bio_err," -showcerts    - show all certificates in the chain\n");
    304 	BIO_printf(bio_err," -debug        - extra output\n");
    305 #ifdef WATT32
    306 	BIO_printf(bio_err," -wdebug       - WATT-32 tcp debugging\n");
    307 #endif
    308 	BIO_printf(bio_err," -msg          - Show protocol messages\n");
    309 	BIO_printf(bio_err," -nbio_test    - more ssl protocol testing\n");
    310 	BIO_printf(bio_err," -state        - print the 'ssl' states\n");
    311 #ifdef FIONBIO
    312 	BIO_printf(bio_err," -nbio         - Run with non-blocking IO\n");
    313 #endif
    314 	BIO_printf(bio_err," -crlf         - convert LF from terminal into CRLF\n");
    315 	BIO_printf(bio_err," -quiet        - no s_client output\n");
    316 	BIO_printf(bio_err," -ign_eof      - ignore input eof (default when -quiet)\n");
    317 	BIO_printf(bio_err," -no_ign_eof   - don't ignore input eof\n");
    318 #ifndef OPENSSL_NO_PSK
    319 	BIO_printf(bio_err," -psk_identity arg - PSK identity\n");
    320 	BIO_printf(bio_err," -psk arg      - PSK in hex (without 0x)\n");
    321 # ifndef OPENSSL_NO_JPAKE
    322 	BIO_printf(bio_err," -jpake arg    - JPAKE secret to use\n");
    323 # endif
    324 #endif
    325 #ifndef OPENSSL_NO_SRP
    326 	BIO_printf(bio_err," -srpuser user     - SRP authentification for 'user'\n");
    327 	BIO_printf(bio_err," -srppass arg      - password for 'user'\n");
    328 	BIO_printf(bio_err," -srp_lateuser     - SRP username into second ClientHello message\n");
    329 	BIO_printf(bio_err," -srp_moregroups   - Tolerate other than the known g N values.\n");
    330 	BIO_printf(bio_err," -srp_strength int - minimal mength in bits for N (default %d).\n",SRP_MINIMAL_N);
    331 #endif
    332 	BIO_printf(bio_err," -ssl2         - just use SSLv2\n");
    333 	BIO_printf(bio_err," -ssl3         - just use SSLv3\n");
    334 	BIO_printf(bio_err," -tls1_2       - just use TLSv1.2\n");
    335 	BIO_printf(bio_err," -tls1_1       - just use TLSv1.1\n");
    336 	BIO_printf(bio_err," -tls1         - just use TLSv1\n");
    337 	BIO_printf(bio_err," -dtls1        - just use DTLSv1\n");
    338 	BIO_printf(bio_err," -mtu          - set the link layer MTU\n");
    339 	BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
    340 	BIO_printf(bio_err," -bugs         - Switch on all SSL implementation bug workarounds\n");
    341 	BIO_printf(bio_err," -serverpref   - Use server's cipher preferences (only SSLv2)\n");
    342 	BIO_printf(bio_err," -cipher       - preferred cipher to use, use the 'openssl ciphers'\n");
    343 	BIO_printf(bio_err,"                 command to see what is available\n");
    344 	BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n");
    345 	BIO_printf(bio_err,"                 for those protocols that support it, where\n");
    346 	BIO_printf(bio_err,"                 'prot' defines which one to assume.  Currently,\n");
    347 	BIO_printf(bio_err,"                 only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
    348 	BIO_printf(bio_err,"                 are supported.\n");
    349 #ifndef OPENSSL_NO_ENGINE
    350 	BIO_printf(bio_err," -engine id    - Initialise and use the specified engine\n");
    351 #endif
    352 	BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
    353 	BIO_printf(bio_err," -sess_out arg - file to write SSL session to\n");
    354 	BIO_printf(bio_err," -sess_in arg  - file to read SSL session from\n");
    355 #ifndef OPENSSL_NO_TLSEXT
    356 	BIO_printf(bio_err," -servername host  - Set TLS extension servername in ClientHello\n");
    357 	BIO_printf(bio_err," -tlsextdebug      - hex dump of all TLS extensions received\n");
    358 	BIO_printf(bio_err," -status           - request certificate status from server\n");
    359 	BIO_printf(bio_err," -no_ticket        - disable use of RFC4507bis session tickets\n");
    360 	BIO_printf(bio_err," -cutthrough       - enable 1-RTT full-handshake for strong ciphers\n");
    361 # if !defined(OPENSSL_NO_NEXTPROTONEG)
    362 	BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
    363 # endif
    364 #endif
    365 	BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
    366 	BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
    367  	BIO_printf(bio_err," -keymatexport label   - Export keying material using label\n");
    368  	BIO_printf(bio_err," -keymatexportlen len  - Export len bytes of keying material (default 20)\n");
    369 	}
    370 
    371 #ifndef OPENSSL_NO_TLSEXT
    372 
    373 /* This is a context that we pass to callbacks */
    374 typedef struct tlsextctx_st {
    375    BIO * biodebug;
    376    int ack;
    377 } tlsextctx;
    378 
    379 
    380 static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
    381 	{
    382 	tlsextctx * p = (tlsextctx *) arg;
    383 	const char * hn= SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
    384 	if (SSL_get_servername_type(s) != -1)
    385  	        p->ack = !SSL_session_reused(s) && hn != NULL;
    386 	else
    387 		BIO_printf(bio_err,"Can't use SSL_get_servername\n");
    388 
    389 	return SSL_TLSEXT_ERR_OK;
    390 	}
    391 
    392 #ifndef OPENSSL_NO_SRP
    393 
    394 /* This is a context that we pass to all callbacks */
    395 typedef struct srp_arg_st
    396 	{
    397 	char *srppassin;
    398 	char *srplogin;
    399 	int msg;   /* copy from c_msg */
    400 	int debug; /* copy from c_debug */
    401 	int amp;   /* allow more groups */
    402 	int strength /* minimal size for N */ ;
    403 	} SRP_ARG;
    404 
    405 #define SRP_NUMBER_ITERATIONS_FOR_PRIME 64
    406 
    407 static int srp_Verify_N_and_g(BIGNUM *N, BIGNUM *g)
    408 	{
    409 	BN_CTX *bn_ctx = BN_CTX_new();
    410 	BIGNUM *p = BN_new();
    411 	BIGNUM *r = BN_new();
    412 	int ret =
    413 		g != NULL && N != NULL && bn_ctx != NULL && BN_is_odd(N) &&
    414 		BN_is_prime_ex(N, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
    415 		p != NULL && BN_rshift1(p, N) &&
    416 
    417 		/* p = (N-1)/2 */
    418 		BN_is_prime_ex(p, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
    419 		r != NULL &&
    420 
    421 		/* verify g^((N-1)/2) == -1 (mod N) */
    422 		BN_mod_exp(r, g, p, N, bn_ctx) &&
    423 		BN_add_word(r, 1) &&
    424 		BN_cmp(r, N) == 0;
    425 
    426 	if(r)
    427 		BN_free(r);
    428 	if(p)
    429 		BN_free(p);
    430 	if(bn_ctx)
    431 		BN_CTX_free(bn_ctx);
    432 	return ret;
    433 	}
    434 
    435 /* This callback is used here for two purposes:
    436    - extended debugging
    437    - making some primality tests for unknown groups
    438    The callback is only called for a non default group.
    439 
    440    An application does not need the call back at all if
    441    only the stanard groups are used.  In real life situations,
    442    client and server already share well known groups,
    443    thus there is no need to verify them.
    444    Furthermore, in case that a server actually proposes a group that
    445    is not one of those defined in RFC 5054, it is more appropriate
    446    to add the group to a static list and then compare since
    447    primality tests are rather cpu consuming.
    448 */
    449 
    450 static int MS_CALLBACK ssl_srp_verify_param_cb(SSL *s, void *arg)
    451 	{
    452 	SRP_ARG *srp_arg = (SRP_ARG *)arg;
    453 	BIGNUM *N = NULL, *g = NULL;
    454 	if (!(N = SSL_get_srp_N(s)) || !(g = SSL_get_srp_g(s)))
    455 		return 0;
    456 	if (srp_arg->debug || srp_arg->msg || srp_arg->amp == 1)
    457 		{
    458     		BIO_printf(bio_err, "SRP parameters:\n");
    459 		BIO_printf(bio_err,"\tN="); BN_print(bio_err,N);
    460 		BIO_printf(bio_err,"\n\tg="); BN_print(bio_err,g);
    461 		BIO_printf(bio_err,"\n");
    462 		}
    463 
    464 	if (SRP_check_known_gN_param(g,N))
    465 		return 1;
    466 
    467 	if (srp_arg->amp == 1)
    468 		{
    469 		if (srp_arg->debug)
    470 			BIO_printf(bio_err, "SRP param N and g are not known params, going to check deeper.\n");
    471 
    472 /* The srp_moregroups is a real debugging feature.
    473    Implementors should rather add the value to the known ones.
    474    The minimal size has already been tested.
    475 */
    476 		if (BN_num_bits(g) <= BN_BITS && srp_Verify_N_and_g(N,g))
    477 			return 1;
    478 		}
    479 	BIO_printf(bio_err, "SRP param N and g rejected.\n");
    480 	return 0;
    481 	}
    482 
    483 #define PWD_STRLEN 1024
    484 
    485 static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
    486 	{
    487 	SRP_ARG *srp_arg = (SRP_ARG *)arg;
    488 	char *pass = (char *)OPENSSL_malloc(PWD_STRLEN+1);
    489 	PW_CB_DATA cb_tmp;
    490 	int l;
    491 
    492 	cb_tmp.password = (char *)srp_arg->srppassin;
    493 	cb_tmp.prompt_info = "SRP user";
    494 	if ((l = password_callback(pass, PWD_STRLEN, 0, &cb_tmp))<0)
    495 		{
    496 		BIO_printf (bio_err, "Can't read Password\n");
    497 		OPENSSL_free(pass);
    498 		return NULL;
    499 		}
    500 	*(pass+l)= '\0';
    501 
    502 	return pass;
    503 	}
    504 
    505 #endif
    506 	char *srtp_profiles = NULL;
    507 
    508 # ifndef OPENSSL_NO_NEXTPROTONEG
    509 /* This the context that we pass to next_proto_cb */
    510 typedef struct tlsextnextprotoctx_st {
    511 	unsigned char *data;
    512 	unsigned short len;
    513 	int status;
    514 } tlsextnextprotoctx;
    515 
    516 static tlsextnextprotoctx next_proto;
    517 
    518 static int next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg)
    519 	{
    520 	tlsextnextprotoctx *ctx = arg;
    521 
    522 	if (!c_quiet)
    523 		{
    524 		/* We can assume that |in| is syntactically valid. */
    525 		unsigned i;
    526 		BIO_printf(bio_c_out, "Protocols advertised by server: ");
    527 		for (i = 0; i < inlen; )
    528 			{
    529 			if (i)
    530 				BIO_write(bio_c_out, ", ", 2);
    531 			BIO_write(bio_c_out, &in[i + 1], in[i]);
    532 			i += in[i] + 1;
    533 			}
    534 		BIO_write(bio_c_out, "\n", 1);
    535 		}
    536 
    537 	ctx->status = SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len);
    538 	return SSL_TLSEXT_ERR_OK;
    539 	}
    540 # endif
    541 #endif
    542 
    543 enum
    544 {
    545 	PROTO_OFF	= 0,
    546 	PROTO_SMTP,
    547 	PROTO_POP3,
    548 	PROTO_IMAP,
    549 	PROTO_FTP,
    550 	PROTO_XMPP
    551 };
    552 
    553 int MAIN(int, char **);
    554 
    555 int MAIN(int argc, char **argv)
    556 	{
    557 	unsigned int off=0, clr=0;
    558 	SSL *con=NULL;
    559 #ifndef OPENSSL_NO_KRB5
    560 	KSSL_CTX *kctx;
    561 #endif
    562 	int s,k,width,state=0;
    563 	char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL;
    564 	int cbuf_len,cbuf_off;
    565 	int sbuf_len,sbuf_off;
    566 	fd_set readfds,writefds;
    567 	short port=PORT;
    568 	int full_log=1;
    569 	char *host=SSL_HOST_NAME;
    570 	char *cert_file=NULL,*key_file=NULL;
    571 	int cert_format = FORMAT_PEM, key_format = FORMAT_PEM;
    572 	char *passarg = NULL, *pass = NULL;
    573 	X509 *cert = NULL;
    574 	EVP_PKEY *key = NULL;
    575 	char *CApath=NULL,*CAfile=NULL,*cipher=NULL;
    576 	int reconnect=0,badop=0,verify=SSL_VERIFY_NONE,bugs=0;
    577 	int cutthrough=0;
    578 	int crlf=0;
    579 	int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending;
    580 	SSL_CTX *ctx=NULL;
    581 	int ret=1,in_init=1,i,nbio_test=0;
    582 	int starttls_proto = PROTO_OFF;
    583 	int prexit = 0;
    584 	X509_VERIFY_PARAM *vpm = NULL;
    585 	int badarg = 0;
    586 	const SSL_METHOD *meth=NULL;
    587 	int socket_type=SOCK_STREAM;
    588 	BIO *sbio;
    589 	char *inrand=NULL;
    590 	int mbuf_len=0;
    591 	struct timeval timeout, *timeoutp;
    592 #ifndef OPENSSL_NO_ENGINE
    593 	char *engine_id=NULL;
    594 	char *ssl_client_engine_id=NULL;
    595 	ENGINE *ssl_client_engine=NULL;
    596 #endif
    597 	ENGINE *e=NULL;
    598 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
    599 	struct timeval tv;
    600 #if defined(OPENSSL_SYS_BEOS_R5)
    601 	int stdin_set = 0;
    602 #endif
    603 #endif
    604 #ifndef OPENSSL_NO_TLSEXT
    605 	char *servername = NULL;
    606         tlsextctx tlsextcbp =
    607         {NULL,0};
    608 # ifndef OPENSSL_NO_NEXTPROTONEG
    609 	const char *next_proto_neg_in = NULL;
    610 # endif
    611 #endif
    612 	char *sess_in = NULL;
    613 	char *sess_out = NULL;
    614 	struct sockaddr peer;
    615 	int peerlen = sizeof(peer);
    616 	int enable_timeouts = 0 ;
    617 	long socket_mtu = 0;
    618 #ifndef OPENSSL_NO_JPAKE
    619 	char *jpake_secret = NULL;
    620 #endif
    621 #ifndef OPENSSL_NO_SRP
    622 	char * srppass = NULL;
    623 	int srp_lateuser = 0;
    624 	SRP_ARG srp_arg = {NULL,NULL,0,0,0,1024};
    625 #endif
    626 
    627 	meth=SSLv23_client_method();
    628 
    629 	apps_startup();
    630 	c_Pause=0;
    631 	c_quiet=0;
    632 	c_ign_eof=0;
    633 	c_debug=0;
    634 	c_msg=0;
    635 	c_showcerts=0;
    636 
    637 	if (bio_err == NULL)
    638 		bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
    639 
    640 	if (!load_config(bio_err, NULL))
    641 		goto end;
    642 
    643 	if (	((cbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
    644 		((sbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
    645 		((mbuf=OPENSSL_malloc(BUFSIZZ)) == NULL))
    646 		{
    647 		BIO_printf(bio_err,"out of memory\n");
    648 		goto end;
    649 		}
    650 
    651 	verify_depth=0;
    652 	verify_error=X509_V_OK;
    653 #ifdef FIONBIO
    654 	c_nbio=0;
    655 #endif
    656 
    657 	argc--;
    658 	argv++;
    659 	while (argc >= 1)
    660 		{
    661 		if	(strcmp(*argv,"-host") == 0)
    662 			{
    663 			if (--argc < 1) goto bad;
    664 			host= *(++argv);
    665 			}
    666 		else if	(strcmp(*argv,"-port") == 0)
    667 			{
    668 			if (--argc < 1) goto bad;
    669 			port=atoi(*(++argv));
    670 			if (port == 0) goto bad;
    671 			}
    672 		else if (strcmp(*argv,"-connect") == 0)
    673 			{
    674 			if (--argc < 1) goto bad;
    675 			if (!extract_host_port(*(++argv),&host,NULL,&port))
    676 				goto bad;
    677 			}
    678 		else if	(strcmp(*argv,"-verify") == 0)
    679 			{
    680 			verify=SSL_VERIFY_PEER;
    681 			if (--argc < 1) goto bad;
    682 			verify_depth=atoi(*(++argv));
    683 			BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
    684 			}
    685 		else if	(strcmp(*argv,"-cert") == 0)
    686 			{
    687 			if (--argc < 1) goto bad;
    688 			cert_file= *(++argv);
    689 			}
    690 		else if	(strcmp(*argv,"-sess_out") == 0)
    691 			{
    692 			if (--argc < 1) goto bad;
    693 			sess_out = *(++argv);
    694 			}
    695 		else if	(strcmp(*argv,"-sess_in") == 0)
    696 			{
    697 			if (--argc < 1) goto bad;
    698 			sess_in = *(++argv);
    699 			}
    700 		else if	(strcmp(*argv,"-certform") == 0)
    701 			{
    702 			if (--argc < 1) goto bad;
    703 			cert_format = str2fmt(*(++argv));
    704 			}
    705 		else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
    706 			{
    707 			if (badarg)
    708 				goto bad;
    709 			continue;
    710 			}
    711 		else if (strcmp(*argv,"-verify_return_error") == 0)
    712 			verify_return_error = 1;
    713 		else if	(strcmp(*argv,"-prexit") == 0)
    714 			prexit=1;
    715 		else if	(strcmp(*argv,"-crlf") == 0)
    716 			crlf=1;
    717 		else if	(strcmp(*argv,"-quiet") == 0)
    718 			{
    719 			c_quiet=1;
    720 			c_ign_eof=1;
    721 			}
    722 		else if	(strcmp(*argv,"-ign_eof") == 0)
    723 			c_ign_eof=1;
    724 		else if	(strcmp(*argv,"-no_ign_eof") == 0)
    725 			c_ign_eof=0;
    726 		else if	(strcmp(*argv,"-pause") == 0)
    727 			c_Pause=1;
    728 		else if	(strcmp(*argv,"-debug") == 0)
    729 			c_debug=1;
    730 #ifndef OPENSSL_NO_TLSEXT
    731 		else if	(strcmp(*argv,"-tlsextdebug") == 0)
    732 			c_tlsextdebug=1;
    733 		else if	(strcmp(*argv,"-status") == 0)
    734 			c_status_req=1;
    735 #endif
    736 #ifdef WATT32
    737 		else if (strcmp(*argv,"-wdebug") == 0)
    738 			dbug_init();
    739 #endif
    740 		else if	(strcmp(*argv,"-msg") == 0)
    741 			c_msg=1;
    742 		else if	(strcmp(*argv,"-showcerts") == 0)
    743 			c_showcerts=1;
    744 		else if	(strcmp(*argv,"-nbio_test") == 0)
    745 			nbio_test=1;
    746 		else if	(strcmp(*argv,"-state") == 0)
    747 			state=1;
    748 #ifndef OPENSSL_NO_PSK
    749                 else if (strcmp(*argv,"-psk_identity") == 0)
    750 			{
    751 			if (--argc < 1) goto bad;
    752 			psk_identity=*(++argv);
    753 			}
    754                 else if (strcmp(*argv,"-psk") == 0)
    755 			{
    756                         size_t j;
    757 
    758 			if (--argc < 1) goto bad;
    759 			psk_key=*(++argv);
    760 			for (j = 0; j < strlen(psk_key); j++)
    761                                 {
    762                                 if (isxdigit((unsigned char)psk_key[j]))
    763                                         continue;
    764                                 BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
    765                                 goto bad;
    766                                 }
    767 			}
    768 #endif
    769 #ifndef OPENSSL_NO_SRP
    770 		else if (strcmp(*argv,"-srpuser") == 0)
    771 			{
    772 			if (--argc < 1) goto bad;
    773 			srp_arg.srplogin= *(++argv);
    774 			meth=TLSv1_client_method();
    775 			}
    776 		else if (strcmp(*argv,"-srppass") == 0)
    777 			{
    778 			if (--argc < 1) goto bad;
    779 			srppass= *(++argv);
    780 			meth=TLSv1_client_method();
    781 			}
    782 		else if (strcmp(*argv,"-srp_strength") == 0)
    783 			{
    784 			if (--argc < 1) goto bad;
    785 			srp_arg.strength=atoi(*(++argv));
    786 			BIO_printf(bio_err,"SRP minimal length for N is %d\n",srp_arg.strength);
    787 			meth=TLSv1_client_method();
    788 			}
    789 		else if (strcmp(*argv,"-srp_lateuser") == 0)
    790 			{
    791 			srp_lateuser= 1;
    792 			meth=TLSv1_client_method();
    793 			}
    794 		else if	(strcmp(*argv,"-srp_moregroups") == 0)
    795 			{
    796 			srp_arg.amp=1;
    797 			meth=TLSv1_client_method();
    798 			}
    799 #endif
    800 #ifndef OPENSSL_NO_SSL2
    801 		else if	(strcmp(*argv,"-ssl2") == 0)
    802 			meth=SSLv2_client_method();
    803 #endif
    804 #ifndef OPENSSL_NO_SSL3
    805 		else if	(strcmp(*argv,"-ssl3") == 0)
    806 			meth=SSLv3_client_method();
    807 #endif
    808 #ifndef OPENSSL_NO_TLS1
    809 		else if	(strcmp(*argv,"-tls1_2") == 0)
    810 			meth=TLSv1_2_client_method();
    811 		else if	(strcmp(*argv,"-tls1_1") == 0)
    812 			meth=TLSv1_1_client_method();
    813 		else if	(strcmp(*argv,"-tls1") == 0)
    814 			meth=TLSv1_client_method();
    815 #endif
    816 #ifndef OPENSSL_NO_DTLS1
    817 		else if	(strcmp(*argv,"-dtls1") == 0)
    818 			{
    819 			meth=DTLSv1_client_method();
    820 			socket_type=SOCK_DGRAM;
    821 			}
    822 		else if (strcmp(*argv,"-timeout") == 0)
    823 			enable_timeouts=1;
    824 		else if (strcmp(*argv,"-mtu") == 0)
    825 			{
    826 			if (--argc < 1) goto bad;
    827 			socket_mtu = atol(*(++argv));
    828 			}
    829 #endif
    830 		else if (strcmp(*argv,"-bugs") == 0)
    831 			bugs=1;
    832 		else if	(strcmp(*argv,"-keyform") == 0)
    833 			{
    834 			if (--argc < 1) goto bad;
    835 			key_format = str2fmt(*(++argv));
    836 			}
    837 		else if	(strcmp(*argv,"-pass") == 0)
    838 			{
    839 			if (--argc < 1) goto bad;
    840 			passarg = *(++argv);
    841 			}
    842 		else if	(strcmp(*argv,"-key") == 0)
    843 			{
    844 			if (--argc < 1) goto bad;
    845 			key_file= *(++argv);
    846 			}
    847 		else if	(strcmp(*argv,"-reconnect") == 0)
    848 			{
    849 			reconnect=5;
    850 			}
    851 		else if	(strcmp(*argv,"-CApath") == 0)
    852 			{
    853 			if (--argc < 1) goto bad;
    854 			CApath= *(++argv);
    855 			}
    856 		else if	(strcmp(*argv,"-CAfile") == 0)
    857 			{
    858 			if (--argc < 1) goto bad;
    859 			CAfile= *(++argv);
    860 			}
    861 		else if (strcmp(*argv,"-no_tls1_2") == 0)
    862 			off|=SSL_OP_NO_TLSv1_2;
    863 		else if (strcmp(*argv,"-no_tls1_1") == 0)
    864 			off|=SSL_OP_NO_TLSv1_1;
    865 		else if (strcmp(*argv,"-no_tls1") == 0)
    866 			off|=SSL_OP_NO_TLSv1;
    867 		else if (strcmp(*argv,"-no_ssl3") == 0)
    868 			off|=SSL_OP_NO_SSLv3;
    869 		else if (strcmp(*argv,"-no_ssl2") == 0)
    870 			off|=SSL_OP_NO_SSLv2;
    871 		else if	(strcmp(*argv,"-no_comp") == 0)
    872 			{ off|=SSL_OP_NO_COMPRESSION; }
    873 #ifndef OPENSSL_NO_TLSEXT
    874 		else if	(strcmp(*argv,"-no_ticket") == 0)
    875 			{ off|=SSL_OP_NO_TICKET; }
    876 # ifndef OPENSSL_NO_NEXTPROTONEG
    877 		else if (strcmp(*argv,"-nextprotoneg") == 0)
    878 			{
    879 			if (--argc < 1) goto bad;
    880 			next_proto_neg_in = *(++argv);
    881 			}
    882 # endif
    883 #endif
    884 		else if (strcmp(*argv,"-cutthrough") == 0)
    885 			cutthrough=1;
    886 		else if (strcmp(*argv,"-serverpref") == 0)
    887 			off|=SSL_OP_CIPHER_SERVER_PREFERENCE;
    888 		else if (strcmp(*argv,"-legacy_renegotiation") == 0)
    889 			off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
    890 		else if	(strcmp(*argv,"-legacy_server_connect") == 0)
    891 			{ off|=SSL_OP_LEGACY_SERVER_CONNECT; }
    892 		else if	(strcmp(*argv,"-no_legacy_server_connect") == 0)
    893 			{ clr|=SSL_OP_LEGACY_SERVER_CONNECT; }
    894 		else if	(strcmp(*argv,"-cipher") == 0)
    895 			{
    896 			if (--argc < 1) goto bad;
    897 			cipher= *(++argv);
    898 			}
    899 #ifdef FIONBIO
    900 		else if (strcmp(*argv,"-nbio") == 0)
    901 			{ c_nbio=1; }
    902 #endif
    903 		else if	(strcmp(*argv,"-starttls") == 0)
    904 			{
    905 			if (--argc < 1) goto bad;
    906 			++argv;
    907 			if (strcmp(*argv,"smtp") == 0)
    908 				starttls_proto = PROTO_SMTP;
    909 			else if (strcmp(*argv,"pop3") == 0)
    910 				starttls_proto = PROTO_POP3;
    911 			else if (strcmp(*argv,"imap") == 0)
    912 				starttls_proto = PROTO_IMAP;
    913 			else if (strcmp(*argv,"ftp") == 0)
    914 				starttls_proto = PROTO_FTP;
    915 			else if (strcmp(*argv, "xmpp") == 0)
    916 				starttls_proto = PROTO_XMPP;
    917 			else
    918 				goto bad;
    919 			}
    920 #ifndef OPENSSL_NO_ENGINE
    921 		else if	(strcmp(*argv,"-engine") == 0)
    922 			{
    923 			if (--argc < 1) goto bad;
    924 			engine_id = *(++argv);
    925 			}
    926 		else if	(strcmp(*argv,"-ssl_client_engine") == 0)
    927 			{
    928 			if (--argc < 1) goto bad;
    929 			ssl_client_engine_id = *(++argv);
    930 			}
    931 #endif
    932 		else if (strcmp(*argv,"-rand") == 0)
    933 			{
    934 			if (--argc < 1) goto bad;
    935 			inrand= *(++argv);
    936 			}
    937 #ifndef OPENSSL_NO_TLSEXT
    938 		else if (strcmp(*argv,"-servername") == 0)
    939 			{
    940 			if (--argc < 1) goto bad;
    941 			servername= *(++argv);
    942 			/* meth=TLSv1_client_method(); */
    943 			}
    944 #endif
    945 #ifndef OPENSSL_NO_JPAKE
    946 		else if (strcmp(*argv,"-jpake") == 0)
    947 			{
    948 			if (--argc < 1) goto bad;
    949 			jpake_secret = *++argv;
    950 			}
    951 #endif
    952 		else if (strcmp(*argv,"-use_srtp") == 0)
    953 			{
    954 			if (--argc < 1) goto bad;
    955 			srtp_profiles = *(++argv);
    956 			}
    957 		else if (strcmp(*argv,"-keymatexport") == 0)
    958 			{
    959 			if (--argc < 1) goto bad;
    960 			keymatexportlabel= *(++argv);
    961 			}
    962 		else if (strcmp(*argv,"-keymatexportlen") == 0)
    963 			{
    964 			if (--argc < 1) goto bad;
    965 			keymatexportlen=atoi(*(++argv));
    966 			if (keymatexportlen == 0) goto bad;
    967 			}
    968                 else
    969 			{
    970 			BIO_printf(bio_err,"unknown option %s\n",*argv);
    971 			badop=1;
    972 			break;
    973 			}
    974 		argc--;
    975 		argv++;
    976 		}
    977 	if (badop)
    978 		{
    979 bad:
    980 		sc_usage();
    981 		goto end;
    982 		}
    983 
    984 #if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
    985 	if (jpake_secret)
    986 		{
    987 		if (psk_key)
    988 			{
    989 			BIO_printf(bio_err,
    990 				   "Can't use JPAKE and PSK together\n");
    991 			goto end;
    992 			}
    993 		psk_identity = "JPAKE";
    994 		if (cipher)
    995 			{
    996 			BIO_printf(bio_err, "JPAKE sets cipher to PSK\n");
    997 			goto end;
    998 			}
    999 		cipher = "PSK";
   1000 		}
   1001 #endif
   1002 
   1003 	OpenSSL_add_ssl_algorithms();
   1004 	SSL_load_error_strings();
   1005 
   1006 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
   1007 	next_proto.status = -1;
   1008 	if (next_proto_neg_in)
   1009 		{
   1010 		next_proto.data = next_protos_parse(&next_proto.len, next_proto_neg_in);
   1011 		if (next_proto.data == NULL)
   1012 			{
   1013 			BIO_printf(bio_err, "Error parsing -nextprotoneg argument\n");
   1014 			goto end;
   1015 			}
   1016 		}
   1017 	else
   1018 		next_proto.data = NULL;
   1019 #endif
   1020 
   1021 #ifndef OPENSSL_NO_ENGINE
   1022         e = setup_engine(bio_err, engine_id, 1);
   1023 	if (ssl_client_engine_id)
   1024 		{
   1025 		ssl_client_engine = ENGINE_by_id(ssl_client_engine_id);
   1026 		if (!ssl_client_engine)
   1027 			{
   1028 			BIO_printf(bio_err,
   1029 					"Error getting client auth engine\n");
   1030 			goto end;
   1031 			}
   1032 		}
   1033 
   1034 #endif
   1035 	if (!app_passwd(bio_err, passarg, NULL, &pass, NULL))
   1036 		{
   1037 		BIO_printf(bio_err, "Error getting password\n");
   1038 		goto end;
   1039 		}
   1040 
   1041 	if (key_file == NULL)
   1042 		key_file = cert_file;
   1043 
   1044 
   1045 	if (key_file)
   1046 
   1047 		{
   1048 
   1049 		key = load_key(bio_err, key_file, key_format, 0, pass, e,
   1050 			       "client certificate private key file");
   1051 		if (!key)
   1052 			{
   1053 			ERR_print_errors(bio_err);
   1054 			goto end;
   1055 			}
   1056 
   1057 		}
   1058 
   1059 	if (cert_file)
   1060 
   1061 		{
   1062 		cert = load_cert(bio_err,cert_file,cert_format,
   1063 				NULL, e, "client certificate file");
   1064 
   1065 		if (!cert)
   1066 			{
   1067 			ERR_print_errors(bio_err);
   1068 			goto end;
   1069 			}
   1070 		}
   1071 
   1072 	if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
   1073 		&& !RAND_status())
   1074 		{
   1075 		BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
   1076 		}
   1077 	if (inrand != NULL)
   1078 		BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
   1079 			app_RAND_load_files(inrand));
   1080 
   1081 	if (bio_c_out == NULL)
   1082 		{
   1083 		if (c_quiet && !c_debug && !c_msg)
   1084 			{
   1085 			bio_c_out=BIO_new(BIO_s_null());
   1086 			}
   1087 		else
   1088 			{
   1089 			if (bio_c_out == NULL)
   1090 				bio_c_out=BIO_new_fp(stdout,BIO_NOCLOSE);
   1091 			}
   1092 		}
   1093 
   1094 #ifndef OPENSSL_NO_SRP
   1095 	if(!app_passwd(bio_err, srppass, NULL, &srp_arg.srppassin, NULL))
   1096 		{
   1097 		BIO_printf(bio_err, "Error getting password\n");
   1098 		goto end;
   1099 		}
   1100 #endif
   1101 
   1102 	ctx=SSL_CTX_new(meth);
   1103 	if (ctx == NULL)
   1104 		{
   1105 		ERR_print_errors(bio_err);
   1106 		goto end;
   1107 		}
   1108 
   1109 	if (vpm)
   1110 		SSL_CTX_set1_param(ctx, vpm);
   1111 
   1112 #ifndef OPENSSL_NO_ENGINE
   1113 	if (ssl_client_engine)
   1114 		{
   1115 		if (!SSL_CTX_set_client_cert_engine(ctx, ssl_client_engine))
   1116 			{
   1117 			BIO_puts(bio_err, "Error setting client auth engine\n");
   1118 			ERR_print_errors(bio_err);
   1119 			ENGINE_free(ssl_client_engine);
   1120 			goto end;
   1121 			}
   1122 		ENGINE_free(ssl_client_engine);
   1123 		}
   1124 #endif
   1125 
   1126 #ifndef OPENSSL_NO_PSK
   1127 #ifdef OPENSSL_NO_JPAKE
   1128 	if (psk_key != NULL)
   1129 #else
   1130 	if (psk_key != NULL || jpake_secret)
   1131 #endif
   1132 		{
   1133 		if (c_debug)
   1134 			BIO_printf(bio_c_out, "PSK key given or JPAKE in use, setting client callback\n");
   1135 		SSL_CTX_set_psk_client_callback(ctx, psk_client_cb);
   1136 		}
   1137 	if (srtp_profiles != NULL)
   1138 		SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles);
   1139 #endif
   1140 	if (bugs)
   1141 		SSL_CTX_set_options(ctx,SSL_OP_ALL|off);
   1142 	else
   1143 		SSL_CTX_set_options(ctx,off);
   1144 
   1145 	if (clr)
   1146 		SSL_CTX_clear_options(ctx, clr);
   1147 	/* DTLS: partial reads end up discarding unread UDP bytes :-(
   1148 	 * Setting read ahead solves this problem.
   1149 	 */
   1150 	if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
   1151 
   1152 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
   1153 	if (next_proto.data)
   1154 		SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);
   1155 #endif
   1156 
   1157 	/* Enable handshake cutthrough for client connections using
   1158 	 * strong ciphers. */
   1159 	if (cutthrough)
   1160 		{
   1161 		int ssl_mode = SSL_CTX_get_mode(ctx);
   1162 		ssl_mode |= SSL_MODE_HANDSHAKE_CUTTHROUGH;
   1163 		SSL_CTX_set_mode(ctx, ssl_mode);
   1164 		}
   1165 
   1166 	if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
   1167 	if (cipher != NULL)
   1168 		if(!SSL_CTX_set_cipher_list(ctx,cipher)) {
   1169 		BIO_printf(bio_err,"error setting cipher list\n");
   1170 		ERR_print_errors(bio_err);
   1171 		goto end;
   1172 	}
   1173 #if 0
   1174 	else
   1175 		SSL_CTX_set_cipher_list(ctx,getenv("SSL_CIPHER"));
   1176 #endif
   1177 
   1178 	SSL_CTX_set_verify(ctx,verify,verify_callback);
   1179 	if (!set_cert_key_stuff(ctx,cert,key))
   1180 		goto end;
   1181 
   1182 	if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
   1183 		(!SSL_CTX_set_default_verify_paths(ctx)))
   1184 		{
   1185 		/* BIO_printf(bio_err,"error setting default verify locations\n"); */
   1186 		ERR_print_errors(bio_err);
   1187 		/* goto end; */
   1188 		}
   1189 
   1190 #ifndef OPENSSL_NO_TLSEXT
   1191 	if (servername != NULL)
   1192 		{
   1193 		tlsextcbp.biodebug = bio_err;
   1194 		SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
   1195 		SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
   1196 		}
   1197 #ifndef OPENSSL_NO_SRP
   1198         if (srp_arg.srplogin)
   1199 		{
   1200 		if (!srp_lateuser && !SSL_CTX_set_srp_username(ctx, srp_arg.srplogin))
   1201 			{
   1202 			BIO_printf(bio_err,"Unable to set SRP username\n");
   1203 			goto end;
   1204 			}
   1205 		srp_arg.msg = c_msg;
   1206 		srp_arg.debug = c_debug ;
   1207 		SSL_CTX_set_srp_cb_arg(ctx,&srp_arg);
   1208 		SSL_CTX_set_srp_client_pwd_callback(ctx, ssl_give_srp_client_pwd_cb);
   1209 		SSL_CTX_set_srp_strength(ctx, srp_arg.strength);
   1210 		if (c_msg || c_debug || srp_arg.amp == 0)
   1211 			SSL_CTX_set_srp_verify_param_callback(ctx, ssl_srp_verify_param_cb);
   1212 		}
   1213 
   1214 #endif
   1215 #endif
   1216 
   1217 	con=SSL_new(ctx);
   1218 	if (sess_in)
   1219 		{
   1220 		SSL_SESSION *sess;
   1221 		BIO *stmp = BIO_new_file(sess_in, "r");
   1222 		if (!stmp)
   1223 			{
   1224 			BIO_printf(bio_err, "Can't open session file %s\n",
   1225 						sess_in);
   1226 			ERR_print_errors(bio_err);
   1227 			goto end;
   1228 			}
   1229 		sess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL);
   1230 		BIO_free(stmp);
   1231 		if (!sess)
   1232 			{
   1233 			BIO_printf(bio_err, "Can't open session file %s\n",
   1234 						sess_in);
   1235 			ERR_print_errors(bio_err);
   1236 			goto end;
   1237 			}
   1238 		SSL_set_session(con, sess);
   1239 		SSL_SESSION_free(sess);
   1240 		}
   1241 #ifndef OPENSSL_NO_TLSEXT
   1242 	if (servername != NULL)
   1243 		{
   1244 		if (!SSL_set_tlsext_host_name(con,servername))
   1245 			{
   1246 			BIO_printf(bio_err,"Unable to set TLS servername extension.\n");
   1247 			ERR_print_errors(bio_err);
   1248 			goto end;
   1249 			}
   1250 		}
   1251 #endif
   1252 #ifndef OPENSSL_NO_KRB5
   1253 	if (con  &&  (kctx = kssl_ctx_new()) != NULL)
   1254                 {
   1255 		SSL_set0_kssl_ctx(con, kctx);
   1256                 kssl_ctx_setstring(kctx, KSSL_SERVER, host);
   1257 		}
   1258 #endif	/* OPENSSL_NO_KRB5  */
   1259 /*	SSL_set_cipher_list(con,"RC4-MD5"); */
   1260 #if 0
   1261 #ifdef TLSEXT_TYPE_opaque_prf_input
   1262 	SSL_set_tlsext_opaque_prf_input(con, "Test client", 11);
   1263 #endif
   1264 #endif
   1265 
   1266 re_start:
   1267 
   1268 	if (init_client(&s,host,port,socket_type) == 0)
   1269 		{
   1270 		BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
   1271 		SHUTDOWN(s);
   1272 		goto end;
   1273 		}
   1274 	BIO_printf(bio_c_out,"CONNECTED(%08X)\n",s);
   1275 
   1276 #ifdef FIONBIO
   1277 	if (c_nbio)
   1278 		{
   1279 		unsigned long l=1;
   1280 		BIO_printf(bio_c_out,"turning on non blocking io\n");
   1281 		if (BIO_socket_ioctl(s,FIONBIO,&l) < 0)
   1282 			{
   1283 			ERR_print_errors(bio_err);
   1284 			goto end;
   1285 			}
   1286 		}
   1287 #endif
   1288 	if (c_Pause & 0x01) SSL_set_debug(con, 1);
   1289 
   1290 	if ( SSL_version(con) == DTLS1_VERSION)
   1291 		{
   1292 
   1293 		sbio=BIO_new_dgram(s,BIO_NOCLOSE);
   1294 		if (getsockname(s, &peer, (void *)&peerlen) < 0)
   1295 			{
   1296 			BIO_printf(bio_err, "getsockname:errno=%d\n",
   1297 				get_last_socket_error());
   1298 			SHUTDOWN(s);
   1299 			goto end;
   1300 			}
   1301 
   1302 		(void)BIO_ctrl_set_connected(sbio, 1, &peer);
   1303 
   1304 		if (enable_timeouts)
   1305 			{
   1306 			timeout.tv_sec = 0;
   1307 			timeout.tv_usec = DGRAM_RCV_TIMEOUT;
   1308 			BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
   1309 
   1310 			timeout.tv_sec = 0;
   1311 			timeout.tv_usec = DGRAM_SND_TIMEOUT;
   1312 			BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
   1313 			}
   1314 
   1315 		if (socket_mtu > 28)
   1316 			{
   1317 			SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
   1318 			SSL_set_mtu(con, socket_mtu - 28);
   1319 			}
   1320 		else
   1321 			/* want to do MTU discovery */
   1322 			BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
   1323 		}
   1324 	else
   1325 		sbio=BIO_new_socket(s,BIO_NOCLOSE);
   1326 
   1327 	if (nbio_test)
   1328 		{
   1329 		BIO *test;
   1330 
   1331 		test=BIO_new(BIO_f_nbio_test());
   1332 		sbio=BIO_push(test,sbio);
   1333 		}
   1334 
   1335 	if (c_debug)
   1336 		{
   1337 		SSL_set_debug(con, 1);
   1338 		BIO_set_callback(sbio,bio_dump_callback);
   1339 		BIO_set_callback_arg(sbio,(char *)bio_c_out);
   1340 		}
   1341 	if (c_msg)
   1342 		{
   1343 		SSL_set_msg_callback(con, msg_cb);
   1344 		SSL_set_msg_callback_arg(con, bio_c_out);
   1345 		}
   1346 #ifndef OPENSSL_NO_TLSEXT
   1347 	if (c_tlsextdebug)
   1348 		{
   1349 		SSL_set_tlsext_debug_callback(con, tlsext_cb);
   1350 		SSL_set_tlsext_debug_arg(con, bio_c_out);
   1351 		}
   1352 	if (c_status_req)
   1353 		{
   1354 		SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp);
   1355 		SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb);
   1356 		SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out);
   1357 #if 0
   1358 {
   1359 STACK_OF(OCSP_RESPID) *ids = sk_OCSP_RESPID_new_null();
   1360 OCSP_RESPID *id = OCSP_RESPID_new();
   1361 id->value.byKey = ASN1_OCTET_STRING_new();
   1362 id->type = V_OCSP_RESPID_KEY;
   1363 ASN1_STRING_set(id->value.byKey, "Hello World", -1);
   1364 sk_OCSP_RESPID_push(ids, id);
   1365 SSL_set_tlsext_status_ids(con, ids);
   1366 }
   1367 #endif
   1368 		}
   1369 #endif
   1370 #ifndef OPENSSL_NO_JPAKE
   1371 	if (jpake_secret)
   1372 		jpake_client_auth(bio_c_out, sbio, jpake_secret);
   1373 #endif
   1374 
   1375 	SSL_set_bio(con,sbio,sbio);
   1376 	SSL_set_connect_state(con);
   1377 
   1378 	/* ok, lets connect */
   1379 	width=SSL_get_fd(con)+1;
   1380 
   1381 	read_tty=1;
   1382 	write_tty=0;
   1383 	tty_on=0;
   1384 	read_ssl=1;
   1385 	write_ssl=1;
   1386 
   1387 	cbuf_len=0;
   1388 	cbuf_off=0;
   1389 	sbuf_len=0;
   1390 	sbuf_off=0;
   1391 
   1392 	/* This is an ugly hack that does a lot of assumptions */
   1393 	/* We do have to handle multi-line responses which may come
   1394  	   in a single packet or not. We therefore have to use
   1395 	   BIO_gets() which does need a buffering BIO. So during
   1396 	   the initial chitchat we do push a buffering BIO into the
   1397 	   chain that is removed again later on to not disturb the
   1398 	   rest of the s_client operation. */
   1399 	if (starttls_proto == PROTO_SMTP)
   1400 		{
   1401 		int foundit=0;
   1402 		BIO *fbio = BIO_new(BIO_f_buffer());
   1403 		BIO_push(fbio, sbio);
   1404 		/* wait for multi-line response to end from SMTP */
   1405 		do
   1406 			{
   1407 			mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
   1408 			}
   1409 		while (mbuf_len>3 && mbuf[3]=='-');
   1410 		/* STARTTLS command requires EHLO... */
   1411 		BIO_printf(fbio,"EHLO openssl.client.net\r\n");
   1412 		(void)BIO_flush(fbio);
   1413 		/* wait for multi-line response to end EHLO SMTP response */
   1414 		do
   1415 			{
   1416 			mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
   1417 			if (strstr(mbuf,"STARTTLS"))
   1418 				foundit=1;
   1419 			}
   1420 		while (mbuf_len>3 && mbuf[3]=='-');
   1421 		(void)BIO_flush(fbio);
   1422 		BIO_pop(fbio);
   1423 		BIO_free(fbio);
   1424 		if (!foundit)
   1425 			BIO_printf(bio_err,
   1426 				   "didn't found starttls in server response,"
   1427 				   " try anyway...\n");
   1428 		BIO_printf(sbio,"STARTTLS\r\n");
   1429 		BIO_read(sbio,sbuf,BUFSIZZ);
   1430 		}
   1431 	else if (starttls_proto == PROTO_POP3)
   1432 		{
   1433 		BIO_read(sbio,mbuf,BUFSIZZ);
   1434 		BIO_printf(sbio,"STLS\r\n");
   1435 		BIO_read(sbio,sbuf,BUFSIZZ);
   1436 		}
   1437 	else if (starttls_proto == PROTO_IMAP)
   1438 		{
   1439 		int foundit=0;
   1440 		BIO *fbio = BIO_new(BIO_f_buffer());
   1441 		BIO_push(fbio, sbio);
   1442 		BIO_gets(fbio,mbuf,BUFSIZZ);
   1443 		/* STARTTLS command requires CAPABILITY... */
   1444 		BIO_printf(fbio,". CAPABILITY\r\n");
   1445 		(void)BIO_flush(fbio);
   1446 		/* wait for multi-line CAPABILITY response */
   1447 		do
   1448 			{
   1449 			mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
   1450 			if (strstr(mbuf,"STARTTLS"))
   1451 				foundit=1;
   1452 			}
   1453 		while (mbuf_len>3 && mbuf[0]!='.');
   1454 		(void)BIO_flush(fbio);
   1455 		BIO_pop(fbio);
   1456 		BIO_free(fbio);
   1457 		if (!foundit)
   1458 			BIO_printf(bio_err,
   1459 				   "didn't found STARTTLS in server response,"
   1460 				   " try anyway...\n");
   1461 		BIO_printf(sbio,". STARTTLS\r\n");
   1462 		BIO_read(sbio,sbuf,BUFSIZZ);
   1463 		}
   1464 	else if (starttls_proto == PROTO_FTP)
   1465 		{
   1466 		BIO *fbio = BIO_new(BIO_f_buffer());
   1467 		BIO_push(fbio, sbio);
   1468 		/* wait for multi-line response to end from FTP */
   1469 		do
   1470 			{
   1471 			mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
   1472 			}
   1473 		while (mbuf_len>3 && mbuf[3]=='-');
   1474 		(void)BIO_flush(fbio);
   1475 		BIO_pop(fbio);
   1476 		BIO_free(fbio);
   1477 		BIO_printf(sbio,"AUTH TLS\r\n");
   1478 		BIO_read(sbio,sbuf,BUFSIZZ);
   1479 		}
   1480 	if (starttls_proto == PROTO_XMPP)
   1481 		{
   1482 		int seen = 0;
   1483 		BIO_printf(sbio,"<stream:stream "
   1484 		    "xmlns:stream='http://etherx.jabber.org/streams' "
   1485 		    "xmlns='jabber:client' to='%s' version='1.0'>", host);
   1486 		seen = BIO_read(sbio,mbuf,BUFSIZZ);
   1487 		mbuf[seen] = 0;
   1488 		while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'"))
   1489 			{
   1490 			if (strstr(mbuf, "/stream:features>"))
   1491 				goto shut;
   1492 			seen = BIO_read(sbio,mbuf,BUFSIZZ);
   1493 			mbuf[seen] = 0;
   1494 			}
   1495 		BIO_printf(sbio, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>");
   1496 		seen = BIO_read(sbio,sbuf,BUFSIZZ);
   1497 		sbuf[seen] = 0;
   1498 		if (!strstr(sbuf, "<proceed"))
   1499 			goto shut;
   1500 		mbuf[0] = 0;
   1501 		}
   1502 
   1503 	for (;;)
   1504 		{
   1505 		FD_ZERO(&readfds);
   1506 		FD_ZERO(&writefds);
   1507 
   1508 		if ((SSL_version(con) == DTLS1_VERSION) &&
   1509 			DTLSv1_get_timeout(con, &timeout))
   1510 			timeoutp = &timeout;
   1511 		else
   1512 			timeoutp = NULL;
   1513 
   1514 		if (SSL_in_init(con) && !SSL_total_renegotiations(con))
   1515 			{
   1516 			in_init=1;
   1517 			tty_on=0;
   1518 			}
   1519 		else
   1520 			{
   1521 			tty_on=1;
   1522 			if (in_init)
   1523 				{
   1524 				in_init=0;
   1525 #if 0 /* This test doesn't really work as intended (needs to be fixed) */
   1526 #ifndef OPENSSL_NO_TLSEXT
   1527 				if (servername != NULL && !SSL_session_reused(con))
   1528 					{
   1529 					BIO_printf(bio_c_out,"Server did %sacknowledge servername extension.\n",tlsextcbp.ack?"":"not ");
   1530 					}
   1531 #endif
   1532 #endif
   1533 				if (sess_out)
   1534 					{
   1535 					BIO *stmp = BIO_new_file(sess_out, "w");
   1536 					if (stmp)
   1537 						{
   1538 						PEM_write_bio_SSL_SESSION(stmp, SSL_get_session(con));
   1539 						BIO_free(stmp);
   1540 						}
   1541 					else
   1542 						BIO_printf(bio_err, "Error writing session file %s\n", sess_out);
   1543 					}
   1544 				print_stuff(bio_c_out,con,full_log);
   1545 				if (full_log > 0) full_log--;
   1546 
   1547 				if (starttls_proto)
   1548 					{
   1549 					BIO_printf(bio_err,"%s",mbuf);
   1550 					/* We don't need to know any more */
   1551 					starttls_proto = PROTO_OFF;
   1552 					}
   1553 
   1554 				if (reconnect)
   1555 					{
   1556 					reconnect--;
   1557 					BIO_printf(bio_c_out,"drop connection and then reconnect\n");
   1558 					SSL_shutdown(con);
   1559 					SSL_set_connect_state(con);
   1560 					SHUTDOWN(SSL_get_fd(con));
   1561 					goto re_start;
   1562 					}
   1563 				}
   1564 			}
   1565 
   1566 		ssl_pending = read_ssl && SSL_pending(con);
   1567 
   1568 		if (!ssl_pending)
   1569 			{
   1570 #if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) && !defined (OPENSSL_SYS_BEOS_R5)
   1571 			if (tty_on)
   1572 				{
   1573 				if (read_tty)  openssl_fdset(fileno(stdin),&readfds);
   1574 				if (write_tty) openssl_fdset(fileno(stdout),&writefds);
   1575 				}
   1576 			if (read_ssl)
   1577 				openssl_fdset(SSL_get_fd(con),&readfds);
   1578 			if (write_ssl)
   1579 				openssl_fdset(SSL_get_fd(con),&writefds);
   1580 #else
   1581 			if(!tty_on || !write_tty) {
   1582 				if (read_ssl)
   1583 					openssl_fdset(SSL_get_fd(con),&readfds);
   1584 				if (write_ssl)
   1585 					openssl_fdset(SSL_get_fd(con),&writefds);
   1586 			}
   1587 #endif
   1588 /*			printf("mode tty(%d %d%d) ssl(%d%d)\n",
   1589 				tty_on,read_tty,write_tty,read_ssl,write_ssl);*/
   1590 
   1591 			/* Note: under VMS with SOCKETSHR the second parameter
   1592 			 * is currently of type (int *) whereas under other
   1593 			 * systems it is (void *) if you don't have a cast it
   1594 			 * will choke the compiler: if you do have a cast then
   1595 			 * you can either go for (int *) or (void *).
   1596 			 */
   1597 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
   1598                         /* Under Windows/DOS we make the assumption that we can
   1599 			 * always write to the tty: therefore if we need to
   1600 			 * write to the tty we just fall through. Otherwise
   1601 			 * we timeout the select every second and see if there
   1602 			 * are any keypresses. Note: this is a hack, in a proper
   1603 			 * Windows application we wouldn't do this.
   1604 			 */
   1605 			i=0;
   1606 			if(!write_tty) {
   1607 				if(read_tty) {
   1608 					tv.tv_sec = 1;
   1609 					tv.tv_usec = 0;
   1610 					i=select(width,(void *)&readfds,(void *)&writefds,
   1611 						 NULL,&tv);
   1612 #if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
   1613 					if(!i && (!_kbhit() || !read_tty) ) continue;
   1614 #else
   1615 					if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue;
   1616 #endif
   1617 				} else 	i=select(width,(void *)&readfds,(void *)&writefds,
   1618 					 NULL,timeoutp);
   1619 			}
   1620 #elif defined(OPENSSL_SYS_NETWARE)
   1621 			if(!write_tty) {
   1622 				if(read_tty) {
   1623 					tv.tv_sec = 1;
   1624 					tv.tv_usec = 0;
   1625 					i=select(width,(void *)&readfds,(void *)&writefds,
   1626 						NULL,&tv);
   1627 				} else 	i=select(width,(void *)&readfds,(void *)&writefds,
   1628 					NULL,timeoutp);
   1629 			}
   1630 #elif defined(OPENSSL_SYS_BEOS_R5)
   1631 			/* Under BeOS-R5 the situation is similar to DOS */
   1632 			i=0;
   1633 			stdin_set = 0;
   1634 			(void)fcntl(fileno(stdin), F_SETFL, O_NONBLOCK);
   1635 			if(!write_tty) {
   1636 				if(read_tty) {
   1637 					tv.tv_sec = 1;
   1638 					tv.tv_usec = 0;
   1639 					i=select(width,(void *)&readfds,(void *)&writefds,
   1640 						 NULL,&tv);
   1641 					if (read(fileno(stdin), sbuf, 0) >= 0)
   1642 						stdin_set = 1;
   1643 					if (!i && (stdin_set != 1 || !read_tty))
   1644 						continue;
   1645 				} else 	i=select(width,(void *)&readfds,(void *)&writefds,
   1646 					 NULL,timeoutp);
   1647 			}
   1648 			(void)fcntl(fileno(stdin), F_SETFL, 0);
   1649 #else
   1650 			i=select(width,(void *)&readfds,(void *)&writefds,
   1651 				 NULL,timeoutp);
   1652 #endif
   1653 			if ( i < 0)
   1654 				{
   1655 				BIO_printf(bio_err,"bad select %d\n",
   1656 				get_last_socket_error());
   1657 				goto shut;
   1658 				/* goto end; */
   1659 				}
   1660 			}
   1661 
   1662 		if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0)
   1663 			{
   1664 			BIO_printf(bio_err,"TIMEOUT occured\n");
   1665 			}
   1666 
   1667 		if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds))
   1668 			{
   1669 			k=SSL_write(con,&(cbuf[cbuf_off]),
   1670 				(unsigned int)cbuf_len);
   1671 			switch (SSL_get_error(con,k))
   1672 				{
   1673 			case SSL_ERROR_NONE:
   1674 				cbuf_off+=k;
   1675 				cbuf_len-=k;
   1676 				if (k <= 0) goto end;
   1677 				/* we have done a  write(con,NULL,0); */
   1678 				if (cbuf_len <= 0)
   1679 					{
   1680 					read_tty=1;
   1681 					write_ssl=0;
   1682 					}
   1683 				else /* if (cbuf_len > 0) */
   1684 					{
   1685 					read_tty=0;
   1686 					write_ssl=1;
   1687 					}
   1688 				break;
   1689 			case SSL_ERROR_WANT_WRITE:
   1690 				BIO_printf(bio_c_out,"write W BLOCK\n");
   1691 				write_ssl=1;
   1692 				read_tty=0;
   1693 				break;
   1694 			case SSL_ERROR_WANT_READ:
   1695 				BIO_printf(bio_c_out,"write R BLOCK\n");
   1696 				write_tty=0;
   1697 				read_ssl=1;
   1698 				write_ssl=0;
   1699 				break;
   1700 			case SSL_ERROR_WANT_X509_LOOKUP:
   1701 				BIO_printf(bio_c_out,"write X BLOCK\n");
   1702 				break;
   1703 			case SSL_ERROR_ZERO_RETURN:
   1704 				if (cbuf_len != 0)
   1705 					{
   1706 					BIO_printf(bio_c_out,"shutdown\n");
   1707 					ret = 0;
   1708 					goto shut;
   1709 					}
   1710 				else
   1711 					{
   1712 					read_tty=1;
   1713 					write_ssl=0;
   1714 					break;
   1715 					}
   1716 
   1717 			case SSL_ERROR_SYSCALL:
   1718 				if ((k != 0) || (cbuf_len != 0))
   1719 					{
   1720 					BIO_printf(bio_err,"write:errno=%d\n",
   1721 						get_last_socket_error());
   1722 					goto shut;
   1723 					}
   1724 				else
   1725 					{
   1726 					read_tty=1;
   1727 					write_ssl=0;
   1728 					}
   1729 				break;
   1730 			case SSL_ERROR_SSL:
   1731 				ERR_print_errors(bio_err);
   1732 				goto shut;
   1733 				}
   1734 			}
   1735 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
   1736 		/* Assume Windows/DOS/BeOS can always write */
   1737 		else if (!ssl_pending && write_tty)
   1738 #else
   1739 		else if (!ssl_pending && FD_ISSET(fileno(stdout),&writefds))
   1740 #endif
   1741 			{
   1742 #ifdef CHARSET_EBCDIC
   1743 			ascii2ebcdic(&(sbuf[sbuf_off]),&(sbuf[sbuf_off]),sbuf_len);
   1744 #endif
   1745 			i=raw_write_stdout(&(sbuf[sbuf_off]),sbuf_len);
   1746 
   1747 			if (i <= 0)
   1748 				{
   1749 				BIO_printf(bio_c_out,"DONE\n");
   1750 				ret = 0;
   1751 				goto shut;
   1752 				/* goto end; */
   1753 				}
   1754 
   1755 			sbuf_len-=i;;
   1756 			sbuf_off+=i;
   1757 			if (sbuf_len <= 0)
   1758 				{
   1759 				read_ssl=1;
   1760 				write_tty=0;
   1761 				}
   1762 			}
   1763 		else if (ssl_pending || FD_ISSET(SSL_get_fd(con),&readfds))
   1764 			{
   1765 #ifdef RENEG
   1766 { static int iiii; if (++iiii == 52) { SSL_renegotiate(con); iiii=0; } }
   1767 #endif
   1768 #if 1
   1769 			k=SSL_read(con,sbuf,1024 /* BUFSIZZ */ );
   1770 #else
   1771 /* Demo for pending and peek :-) */
   1772 			k=SSL_read(con,sbuf,16);
   1773 { char zbuf[10240];
   1774 printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240));
   1775 }
   1776 #endif
   1777 
   1778 			switch (SSL_get_error(con,k))
   1779 				{
   1780 			case SSL_ERROR_NONE:
   1781 				if (k <= 0)
   1782 					goto end;
   1783 				sbuf_off=0;
   1784 				sbuf_len=k;
   1785 
   1786 				read_ssl=0;
   1787 				write_tty=1;
   1788 				break;
   1789 			case SSL_ERROR_WANT_WRITE:
   1790 				BIO_printf(bio_c_out,"read W BLOCK\n");
   1791 				write_ssl=1;
   1792 				read_tty=0;
   1793 				break;
   1794 			case SSL_ERROR_WANT_READ:
   1795 				BIO_printf(bio_c_out,"read R BLOCK\n");
   1796 				write_tty=0;
   1797 				read_ssl=1;
   1798 				if ((read_tty == 0) && (write_ssl == 0))
   1799 					write_ssl=1;
   1800 				break;
   1801 			case SSL_ERROR_WANT_X509_LOOKUP:
   1802 				BIO_printf(bio_c_out,"read X BLOCK\n");
   1803 				break;
   1804 			case SSL_ERROR_SYSCALL:
   1805 				ret=get_last_socket_error();
   1806 				BIO_printf(bio_err,"read:errno=%d\n",ret);
   1807 				goto shut;
   1808 			case SSL_ERROR_ZERO_RETURN:
   1809 				BIO_printf(bio_c_out,"closed\n");
   1810 				ret=0;
   1811 				goto shut;
   1812 			case SSL_ERROR_SSL:
   1813 				ERR_print_errors(bio_err);
   1814 				goto shut;
   1815 				/* break; */
   1816 				}
   1817 			}
   1818 
   1819 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
   1820 #if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
   1821 		else if (_kbhit())
   1822 #else
   1823 		else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
   1824 #endif
   1825 #elif defined (OPENSSL_SYS_NETWARE)
   1826 		else if (_kbhit())
   1827 #elif defined(OPENSSL_SYS_BEOS_R5)
   1828 		else if (stdin_set)
   1829 #else
   1830 		else if (FD_ISSET(fileno(stdin),&readfds))
   1831 #endif
   1832 			{
   1833 			if (crlf)
   1834 				{
   1835 				int j, lf_num;
   1836 
   1837 				i=raw_read_stdin(cbuf,BUFSIZZ/2);
   1838 				lf_num = 0;
   1839 				/* both loops are skipped when i <= 0 */
   1840 				for (j = 0; j < i; j++)
   1841 					if (cbuf[j] == '\n')
   1842 						lf_num++;
   1843 				for (j = i-1; j >= 0; j--)
   1844 					{
   1845 					cbuf[j+lf_num] = cbuf[j];
   1846 					if (cbuf[j] == '\n')
   1847 						{
   1848 						lf_num--;
   1849 						i++;
   1850 						cbuf[j+lf_num] = '\r';
   1851 						}
   1852 					}
   1853 				assert(lf_num == 0);
   1854 				}
   1855 			else
   1856 				i=raw_read_stdin(cbuf,BUFSIZZ);
   1857 
   1858 			if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q')))
   1859 				{
   1860 				BIO_printf(bio_err,"DONE\n");
   1861 				ret=0;
   1862 				goto shut;
   1863 				}
   1864 
   1865 			if ((!c_ign_eof) && (cbuf[0] == 'R'))
   1866 				{
   1867 				BIO_printf(bio_err,"RENEGOTIATING\n");
   1868 				SSL_renegotiate(con);
   1869 				cbuf_len=0;
   1870 				}
   1871 #ifndef OPENSSL_NO_HEARTBEATS
   1872 			else if ((!c_ign_eof) && (cbuf[0] == 'B'))
   1873  				{
   1874 				BIO_printf(bio_err,"HEARTBEATING\n");
   1875 				SSL_heartbeat(con);
   1876 				cbuf_len=0;
   1877 				}
   1878 #endif
   1879 			else
   1880 				{
   1881 				cbuf_len=i;
   1882 				cbuf_off=0;
   1883 #ifdef CHARSET_EBCDIC
   1884 				ebcdic2ascii(cbuf, cbuf, i);
   1885 #endif
   1886 				}
   1887 
   1888 			write_ssl=1;
   1889 			read_tty=0;
   1890 			}
   1891 		}
   1892 
   1893 	ret=0;
   1894 shut:
   1895 	if (in_init)
   1896 		print_stuff(bio_c_out,con,full_log);
   1897 	SSL_shutdown(con);
   1898 	SHUTDOWN(SSL_get_fd(con));
   1899 end:
   1900 	if (con != NULL)
   1901 		{
   1902 		if (prexit != 0)
   1903 			print_stuff(bio_c_out,con,1);
   1904 		SSL_free(con);
   1905 		}
   1906 	if (ctx != NULL) SSL_CTX_free(ctx);
   1907 	if (cert)
   1908 		X509_free(cert);
   1909 	if (key)
   1910 		EVP_PKEY_free(key);
   1911 	if (pass)
   1912 		OPENSSL_free(pass);
   1913 	if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); }
   1914 	if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); }
   1915 	if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); }
   1916 	if (bio_c_out != NULL)
   1917 		{
   1918 		BIO_free(bio_c_out);
   1919 		bio_c_out=NULL;
   1920 		}
   1921 	apps_shutdown();
   1922 	OPENSSL_EXIT(ret);
   1923 	}
   1924 
   1925 
   1926 static void print_stuff(BIO *bio, SSL *s, int full)
   1927 	{
   1928 	X509 *peer=NULL;
   1929 	char *p;
   1930 	static const char *space="                ";
   1931 	char buf[BUFSIZ];
   1932 	STACK_OF(X509) *sk;
   1933 	STACK_OF(X509_NAME) *sk2;
   1934 	const SSL_CIPHER *c;
   1935 	X509_NAME *xn;
   1936 	int j,i;
   1937 #ifndef OPENSSL_NO_COMP
   1938 	const COMP_METHOD *comp, *expansion;
   1939 #endif
   1940 	unsigned char *exportedkeymat;
   1941 
   1942 	if (full)
   1943 		{
   1944 		int got_a_chain = 0;
   1945 
   1946 		sk=SSL_get_peer_cert_chain(s);
   1947 		if (sk != NULL)
   1948 			{
   1949 			got_a_chain = 1; /* we don't have it for SSL2 (yet) */
   1950 
   1951 			BIO_printf(bio,"---\nCertificate chain\n");
   1952 			for (i=0; i<sk_X509_num(sk); i++)
   1953 				{
   1954 				X509_NAME_oneline(X509_get_subject_name(
   1955 					sk_X509_value(sk,i)),buf,sizeof buf);
   1956 				BIO_printf(bio,"%2d s:%s\n",i,buf);
   1957 				X509_NAME_oneline(X509_get_issuer_name(
   1958 					sk_X509_value(sk,i)),buf,sizeof buf);
   1959 				BIO_printf(bio,"   i:%s\n",buf);
   1960 				if (c_showcerts)
   1961 					PEM_write_bio_X509(bio,sk_X509_value(sk,i));
   1962 				}
   1963 			}
   1964 
   1965 		BIO_printf(bio,"---\n");
   1966 		peer=SSL_get_peer_certificate(s);
   1967 		if (peer != NULL)
   1968 			{
   1969 			BIO_printf(bio,"Server certificate\n");
   1970 			if (!(c_showcerts && got_a_chain)) /* Redundant if we showed the whole chain */
   1971 				PEM_write_bio_X509(bio,peer);
   1972 			X509_NAME_oneline(X509_get_subject_name(peer),
   1973 				buf,sizeof buf);
   1974 			BIO_printf(bio,"subject=%s\n",buf);
   1975 			X509_NAME_oneline(X509_get_issuer_name(peer),
   1976 				buf,sizeof buf);
   1977 			BIO_printf(bio,"issuer=%s\n",buf);
   1978 			}
   1979 		else
   1980 			BIO_printf(bio,"no peer certificate available\n");
   1981 
   1982 		sk2=SSL_get_client_CA_list(s);
   1983 		if ((sk2 != NULL) && (sk_X509_NAME_num(sk2) > 0))
   1984 			{
   1985 			BIO_printf(bio,"---\nAcceptable client certificate CA names\n");
   1986 			for (i=0; i<sk_X509_NAME_num(sk2); i++)
   1987 				{
   1988 				xn=sk_X509_NAME_value(sk2,i);
   1989 				X509_NAME_oneline(xn,buf,sizeof(buf));
   1990 				BIO_write(bio,buf,strlen(buf));
   1991 				BIO_write(bio,"\n",1);
   1992 				}
   1993 			}
   1994 		else
   1995 			{
   1996 			BIO_printf(bio,"---\nNo client certificate CA names sent\n");
   1997 			}
   1998 		p=SSL_get_shared_ciphers(s,buf,sizeof buf);
   1999 		if (p != NULL)
   2000 			{
   2001 			/* This works only for SSL 2.  In later protocol
   2002 			 * versions, the client does not know what other
   2003 			 * ciphers (in addition to the one to be used
   2004 			 * in the current connection) the server supports. */
   2005 
   2006 			BIO_printf(bio,"---\nCiphers common between both SSL endpoints:\n");
   2007 			j=i=0;
   2008 			while (*p)
   2009 				{
   2010 				if (*p == ':')
   2011 					{
   2012 					BIO_write(bio,space,15-j%25);
   2013 					i++;
   2014 					j=0;
   2015 					BIO_write(bio,((i%3)?" ":"\n"),1);
   2016 					}
   2017 				else
   2018 					{
   2019 					BIO_write(bio,p,1);
   2020 					j++;
   2021 					}
   2022 				p++;
   2023 				}
   2024 			BIO_write(bio,"\n",1);
   2025 			}
   2026 
   2027 		BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n",
   2028 			BIO_number_read(SSL_get_rbio(s)),
   2029 			BIO_number_written(SSL_get_wbio(s)));
   2030 		}
   2031 	BIO_printf(bio,(SSL_cache_hit(s)?"---\nReused, ":"---\nNew, "));
   2032 	c=SSL_get_current_cipher(s);
   2033 	BIO_printf(bio,"%s, Cipher is %s\n",
   2034 		SSL_CIPHER_get_version(c),
   2035 		SSL_CIPHER_get_name(c));
   2036 	if (peer != NULL) {
   2037 		EVP_PKEY *pktmp;
   2038 		pktmp = X509_get_pubkey(peer);
   2039 		BIO_printf(bio,"Server public key is %d bit\n",
   2040 							 EVP_PKEY_bits(pktmp));
   2041 		EVP_PKEY_free(pktmp);
   2042 	}
   2043 	BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
   2044 			SSL_get_secure_renegotiation_support(s) ? "" : " NOT");
   2045 #ifndef OPENSSL_NO_COMP
   2046 	comp=SSL_get_current_compression(s);
   2047 	expansion=SSL_get_current_expansion(s);
   2048 	BIO_printf(bio,"Compression: %s\n",
   2049 		comp ? SSL_COMP_get_name(comp) : "NONE");
   2050 	BIO_printf(bio,"Expansion: %s\n",
   2051 		expansion ? SSL_COMP_get_name(expansion) : "NONE");
   2052 #endif
   2053 
   2054 #ifdef SSL_DEBUG
   2055 	{
   2056 	/* Print out local port of connection: useful for debugging */
   2057 	int sock;
   2058 	struct sockaddr_in ladd;
   2059 	socklen_t ladd_size = sizeof(ladd);
   2060 	sock = SSL_get_fd(s);
   2061 	getsockname(sock, (struct sockaddr *)&ladd, &ladd_size);
   2062 	BIO_printf(bio_c_out, "LOCAL PORT is %u\n", ntohs(ladd.sin_port));
   2063 	}
   2064 #endif
   2065 
   2066 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
   2067 	if (next_proto.status != -1) {
   2068 		const unsigned char *proto;
   2069 		unsigned int proto_len;
   2070 		SSL_get0_next_proto_negotiated(s, &proto, &proto_len);
   2071 		BIO_printf(bio, "Next protocol: (%d) ", next_proto.status);
   2072 		BIO_write(bio, proto, proto_len);
   2073 		BIO_write(bio, "\n", 1);
   2074 	}
   2075 #endif
   2076 
   2077  	{
   2078  	SRTP_PROTECTION_PROFILE *srtp_profile=SSL_get_selected_srtp_profile(s);
   2079 
   2080 	if(srtp_profile)
   2081 		BIO_printf(bio,"SRTP Extension negotiated, profile=%s\n",
   2082 			   srtp_profile->name);
   2083 	}
   2084 
   2085 	SSL_SESSION_print(bio,SSL_get_session(s));
   2086 	if (keymatexportlabel != NULL)
   2087 		{
   2088 		BIO_printf(bio, "Keying material exporter:\n");
   2089 		BIO_printf(bio, "    Label: '%s'\n", keymatexportlabel);
   2090 		BIO_printf(bio, "    Length: %i bytes\n", keymatexportlen);
   2091 		exportedkeymat = OPENSSL_malloc(keymatexportlen);
   2092 		if (exportedkeymat != NULL)
   2093 			{
   2094 			if (!SSL_export_keying_material(s, exportedkeymat,
   2095 						        keymatexportlen,
   2096 						        keymatexportlabel,
   2097 						        strlen(keymatexportlabel),
   2098 						        NULL, 0, 0))
   2099 				{
   2100 				BIO_printf(bio, "    Error\n");
   2101 				}
   2102 			else
   2103 				{
   2104 				BIO_printf(bio, "    Keying material: ");
   2105 				for (i=0; i<keymatexportlen; i++)
   2106 					BIO_printf(bio, "%02X",
   2107 						   exportedkeymat[i]);
   2108 				BIO_printf(bio, "\n");
   2109 				}
   2110 			OPENSSL_free(exportedkeymat);
   2111 			}
   2112 		}
   2113 	BIO_printf(bio,"---\n");
   2114 	if (peer != NULL)
   2115 		X509_free(peer);
   2116 	/* flush, or debugging output gets mixed with http response */
   2117 	(void)BIO_flush(bio);
   2118 	}
   2119 
   2120 #ifndef OPENSSL_NO_TLSEXT
   2121 
   2122 static int ocsp_resp_cb(SSL *s, void *arg)
   2123 	{
   2124 	const unsigned char *p;
   2125 	int len;
   2126 	OCSP_RESPONSE *rsp;
   2127 	len = SSL_get_tlsext_status_ocsp_resp(s, &p);
   2128 	BIO_puts(arg, "OCSP response: ");
   2129 	if (!p)
   2130 		{
   2131 		BIO_puts(arg, "no response sent\n");
   2132 		return 1;
   2133 		}
   2134 	rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
   2135 	if (!rsp)
   2136 		{
   2137 		BIO_puts(arg, "response parse error\n");
   2138 		BIO_dump_indent(arg, (char *)p, len, 4);
   2139 		return 0;
   2140 		}
   2141 	BIO_puts(arg, "\n======================================\n");
   2142 	OCSP_RESPONSE_print(arg, rsp, 0);
   2143 	BIO_puts(arg, "======================================\n");
   2144 	OCSP_RESPONSE_free(rsp);
   2145 	return 1;
   2146 	}
   2147 
   2148 #endif
   2149