1/* apps/s_client.c */ 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58/* ==================================================================== 59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111/* ==================================================================== 112 * Copyright 2005 Nokia. All rights reserved. 113 * 114 * The portions of the attached software ("Contribution") is developed by 115 * Nokia Corporation and is licensed pursuant to the OpenSSL open source 116 * license. 117 * 118 * The Contribution, originally written by Mika Kousa and Pasi Eronen of 119 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 120 * support (see RFC 4279) to OpenSSL. 121 * 122 * No patent licenses or other rights except those expressly stated in 123 * the OpenSSL open source license shall be deemed granted or received 124 * expressly, by implication, estoppel, or otherwise. 125 * 126 * No assurances are provided by Nokia that the Contribution does not 127 * infringe the patent or other intellectual property rights of any third 128 * party or that the license provides you with all the necessary rights 129 * to make use of the Contribution. 130 * 131 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 132 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 133 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 134 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 135 * OTHERWISE. 136 */ 137 138#include <assert.h> 139#include <ctype.h> 140#include <stdio.h> 141#include <stdlib.h> 142#include <string.h> 143#include <openssl/e_os2.h> 144#ifdef OPENSSL_NO_STDIO 145#define APPS_WIN16 146#endif 147 148/* With IPv6, it looks like Digital has mixed up the proper order of 149 recursive header file inclusion, resulting in the compiler complaining 150 that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which 151 is needed to have fileno() declared correctly... So let's define u_int */ 152#if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT) 153#define __U_INT 154typedef unsigned int u_int; 155#endif 156 157#define USE_SOCKETS 158#include "apps.h" 159#include <openssl/x509.h> 160#include <openssl/ssl.h> 161#include <openssl/err.h> 162#include <openssl/pem.h> 163#include <openssl/rand.h> 164#include <openssl/ocsp.h> 165#include <openssl/bn.h> 166#ifndef OPENSSL_NO_SRP 167#include <openssl/srp.h> 168#endif 169#include "s_apps.h" 170#include "timeouts.h" 171 172#if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000) 173/* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */ 174#undef FIONBIO 175#endif 176 177#if defined(OPENSSL_SYS_BEOS_R5) 178#include <fcntl.h> 179#endif 180 181#undef PROG 182#define PROG s_client_main 183 184/*#define SSL_HOST_NAME "www.netscape.com" */ 185/*#define SSL_HOST_NAME "193.118.187.102" */ 186#define SSL_HOST_NAME "localhost" 187 188/*#define TEST_CERT "client.pem" */ /* no default cert. */ 189 190#undef BUFSIZZ 191#define BUFSIZZ 1024*8 192 193extern int verify_depth; 194extern int verify_error; 195extern int verify_return_error; 196 197#ifdef FIONBIO 198static int c_nbio=0; 199#endif 200static int c_Pause=0; 201static int c_debug=0; 202#ifndef OPENSSL_NO_TLSEXT 203static int c_tlsextdebug=0; 204static int c_status_req=0; 205#endif 206static int c_msg=0; 207static int c_showcerts=0; 208 209static char *keymatexportlabel=NULL; 210static int keymatexportlen=20; 211 212static void sc_usage(void); 213static void print_stuff(BIO *berr,SSL *con,int full); 214#ifndef OPENSSL_NO_TLSEXT 215static int ocsp_resp_cb(SSL *s, void *arg); 216#endif 217static BIO *bio_c_out=NULL; 218static int c_quiet=0; 219static int c_ign_eof=0; 220 221#ifndef OPENSSL_NO_PSK 222/* Default PSK identity and key */ 223static char *psk_identity="Client_identity"; 224/*char *psk_key=NULL; by default PSK is not used */ 225 226static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity, 227 unsigned int max_identity_len, unsigned char *psk, 228 unsigned int max_psk_len) 229 { 230 unsigned int psk_len = 0; 231 int ret; 232 BIGNUM *bn=NULL; 233 234 if (c_debug) 235 BIO_printf(bio_c_out, "psk_client_cb\n"); 236 if (!hint) 237 { 238 /* no ServerKeyExchange message*/ 239 if (c_debug) 240 BIO_printf(bio_c_out,"NULL received PSK identity hint, continuing anyway\n"); 241 } 242 else if (c_debug) 243 BIO_printf(bio_c_out, "Received PSK identity hint '%s'\n", hint); 244 245 /* lookup PSK identity and PSK key based on the given identity hint here */ 246 ret = BIO_snprintf(identity, max_identity_len, "%s", psk_identity); 247 if (ret < 0 || (unsigned int)ret > max_identity_len) 248 goto out_err; 249 if (c_debug) 250 BIO_printf(bio_c_out, "created identity '%s' len=%d\n", identity, ret); 251 ret=BN_hex2bn(&bn, psk_key); 252 if (!ret) 253 { 254 BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", psk_key); 255 if (bn) 256 BN_free(bn); 257 return 0; 258 } 259 260 if ((unsigned int)BN_num_bytes(bn) > max_psk_len) 261 { 262 BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n", 263 max_psk_len, BN_num_bytes(bn)); 264 BN_free(bn); 265 return 0; 266 } 267 268 psk_len=BN_bn2bin(bn, psk); 269 BN_free(bn); 270 if (psk_len == 0) 271 goto out_err; 272 273 if (c_debug) 274 BIO_printf(bio_c_out, "created PSK len=%d\n", psk_len); 275 276 return psk_len; 277 out_err: 278 if (c_debug) 279 BIO_printf(bio_err, "Error in PSK client callback\n"); 280 return 0; 281 } 282#endif 283 284static void sc_usage(void) 285 { 286 BIO_printf(bio_err,"usage: s_client args\n"); 287 BIO_printf(bio_err,"\n"); 288 BIO_printf(bio_err," -host host - use -connect instead\n"); 289 BIO_printf(bio_err," -port port - use -connect instead\n"); 290 BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR); 291 292 BIO_printf(bio_err," -verify arg - turn on peer certificate verification\n"); 293 BIO_printf(bio_err," -cert arg - certificate file to use, PEM format assumed\n"); 294 BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n"); 295 BIO_printf(bio_err," -key arg - Private key file to use, in cert file if\n"); 296 BIO_printf(bio_err," not specified but cert file is.\n"); 297 BIO_printf(bio_err," -keyform arg - key format (PEM or DER) PEM default\n"); 298 BIO_printf(bio_err," -pass arg - private key file pass phrase source\n"); 299 BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n"); 300 BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n"); 301 BIO_printf(bio_err," -reconnect - Drop and re-make the connection with the same Session-ID\n"); 302 BIO_printf(bio_err," -pause - sleep(1) after each read(2) and write(2) system call\n"); 303 BIO_printf(bio_err," -showcerts - show all certificates in the chain\n"); 304 BIO_printf(bio_err," -debug - extra output\n"); 305#ifdef WATT32 306 BIO_printf(bio_err," -wdebug - WATT-32 tcp debugging\n"); 307#endif 308 BIO_printf(bio_err," -msg - Show protocol messages\n"); 309 BIO_printf(bio_err," -nbio_test - more ssl protocol testing\n"); 310 BIO_printf(bio_err," -state - print the 'ssl' states\n"); 311#ifdef FIONBIO 312 BIO_printf(bio_err," -nbio - Run with non-blocking IO\n"); 313#endif 314 BIO_printf(bio_err," -crlf - convert LF from terminal into CRLF\n"); 315 BIO_printf(bio_err," -quiet - no s_client output\n"); 316 BIO_printf(bio_err," -ign_eof - ignore input eof (default when -quiet)\n"); 317 BIO_printf(bio_err," -no_ign_eof - don't ignore input eof\n"); 318#ifndef OPENSSL_NO_PSK 319 BIO_printf(bio_err," -psk_identity arg - PSK identity\n"); 320 BIO_printf(bio_err," -psk arg - PSK in hex (without 0x)\n"); 321# ifndef OPENSSL_NO_JPAKE 322 BIO_printf(bio_err," -jpake arg - JPAKE secret to use\n"); 323# endif 324#endif 325#ifndef OPENSSL_NO_SRP 326 BIO_printf(bio_err," -srpuser user - SRP authentification for 'user'\n"); 327 BIO_printf(bio_err," -srppass arg - password for 'user'\n"); 328 BIO_printf(bio_err," -srp_lateuser - SRP username into second ClientHello message\n"); 329 BIO_printf(bio_err," -srp_moregroups - Tolerate other than the known g N values.\n"); 330 BIO_printf(bio_err," -srp_strength int - minimal mength in bits for N (default %d).\n",SRP_MINIMAL_N); 331#endif 332 BIO_printf(bio_err," -ssl2 - just use SSLv2\n"); 333 BIO_printf(bio_err," -ssl3 - just use SSLv3\n"); 334 BIO_printf(bio_err," -tls1_2 - just use TLSv1.2\n"); 335 BIO_printf(bio_err," -tls1_1 - just use TLSv1.1\n"); 336 BIO_printf(bio_err," -tls1 - just use TLSv1\n"); 337 BIO_printf(bio_err," -dtls1 - just use DTLSv1\n"); 338 BIO_printf(bio_err," -fallback_scsv - send TLS_FALLBACK_SCSV\n"); 339 BIO_printf(bio_err," -mtu - set the link layer MTU\n"); 340 BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n"); 341 BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n"); 342 BIO_printf(bio_err," -serverpref - Use server's cipher preferences (only SSLv2)\n"); 343 BIO_printf(bio_err," -cipher - preferred cipher to use, use the 'openssl ciphers'\n"); 344 BIO_printf(bio_err," command to see what is available\n"); 345 BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n"); 346 BIO_printf(bio_err," for those protocols that support it, where\n"); 347 BIO_printf(bio_err," 'prot' defines which one to assume. Currently,\n"); 348 BIO_printf(bio_err," only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n"); 349 BIO_printf(bio_err," are supported.\n"); 350#ifndef OPENSSL_NO_ENGINE 351 BIO_printf(bio_err," -engine id - Initialise and use the specified engine\n"); 352#endif 353 BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); 354 BIO_printf(bio_err," -sess_out arg - file to write SSL session to\n"); 355 BIO_printf(bio_err," -sess_in arg - file to read SSL session from\n"); 356#ifndef OPENSSL_NO_TLSEXT 357 BIO_printf(bio_err," -servername host - Set TLS extension servername in ClientHello\n"); 358 BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n"); 359 BIO_printf(bio_err," -status - request certificate status from server\n"); 360 BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n"); 361# ifndef OPENSSL_NO_NEXTPROTONEG 362 BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n"); 363# endif 364#endif 365 BIO_printf(bio_err," -cutthrough - enable 1-RTT full-handshake for strong ciphers\n"); 366 BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n"); 367#ifndef OPENSSL_NO_SRTP 368 BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n"); 369#endif 370 BIO_printf(bio_err," -keymatexport label - Export keying material using label\n"); 371 BIO_printf(bio_err," -keymatexportlen len - Export len bytes of keying material (default 20)\n"); 372 } 373 374#ifndef OPENSSL_NO_TLSEXT 375 376/* This is a context that we pass to callbacks */ 377typedef struct tlsextctx_st { 378 BIO * biodebug; 379 int ack; 380} tlsextctx; 381 382 383static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg) 384 { 385 tlsextctx * p = (tlsextctx *) arg; 386 const char * hn= SSL_get_servername(s, TLSEXT_NAMETYPE_host_name); 387 if (SSL_get_servername_type(s) != -1) 388 p->ack = !SSL_session_reused(s) && hn != NULL; 389 else 390 BIO_printf(bio_err,"Can't use SSL_get_servername\n"); 391 392 return SSL_TLSEXT_ERR_OK; 393 } 394 395#ifndef OPENSSL_NO_SRP 396 397/* This is a context that we pass to all callbacks */ 398typedef struct srp_arg_st 399 { 400 char *srppassin; 401 char *srplogin; 402 int msg; /* copy from c_msg */ 403 int debug; /* copy from c_debug */ 404 int amp; /* allow more groups */ 405 int strength /* minimal size for N */ ; 406 } SRP_ARG; 407 408#define SRP_NUMBER_ITERATIONS_FOR_PRIME 64 409 410static int srp_Verify_N_and_g(BIGNUM *N, BIGNUM *g) 411 { 412 BN_CTX *bn_ctx = BN_CTX_new(); 413 BIGNUM *p = BN_new(); 414 BIGNUM *r = BN_new(); 415 int ret = 416 g != NULL && N != NULL && bn_ctx != NULL && BN_is_odd(N) && 417 BN_is_prime_ex(N, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) && 418 p != NULL && BN_rshift1(p, N) && 419 420 /* p = (N-1)/2 */ 421 BN_is_prime_ex(p, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) && 422 r != NULL && 423 424 /* verify g^((N-1)/2) == -1 (mod N) */ 425 BN_mod_exp(r, g, p, N, bn_ctx) && 426 BN_add_word(r, 1) && 427 BN_cmp(r, N) == 0; 428 429 if(r) 430 BN_free(r); 431 if(p) 432 BN_free(p); 433 if(bn_ctx) 434 BN_CTX_free(bn_ctx); 435 return ret; 436 } 437 438/* This callback is used here for two purposes: 439 - extended debugging 440 - making some primality tests for unknown groups 441 The callback is only called for a non default group. 442 443 An application does not need the call back at all if 444 only the stanard groups are used. In real life situations, 445 client and server already share well known groups, 446 thus there is no need to verify them. 447 Furthermore, in case that a server actually proposes a group that 448 is not one of those defined in RFC 5054, it is more appropriate 449 to add the group to a static list and then compare since 450 primality tests are rather cpu consuming. 451*/ 452 453static int MS_CALLBACK ssl_srp_verify_param_cb(SSL *s, void *arg) 454 { 455 SRP_ARG *srp_arg = (SRP_ARG *)arg; 456 BIGNUM *N = NULL, *g = NULL; 457 if (!(N = SSL_get_srp_N(s)) || !(g = SSL_get_srp_g(s))) 458 return 0; 459 if (srp_arg->debug || srp_arg->msg || srp_arg->amp == 1) 460 { 461 BIO_printf(bio_err, "SRP parameters:\n"); 462 BIO_printf(bio_err,"\tN="); BN_print(bio_err,N); 463 BIO_printf(bio_err,"\n\tg="); BN_print(bio_err,g); 464 BIO_printf(bio_err,"\n"); 465 } 466 467 if (SRP_check_known_gN_param(g,N)) 468 return 1; 469 470 if (srp_arg->amp == 1) 471 { 472 if (srp_arg->debug) 473 BIO_printf(bio_err, "SRP param N and g are not known params, going to check deeper.\n"); 474 475/* The srp_moregroups is a real debugging feature. 476 Implementors should rather add the value to the known ones. 477 The minimal size has already been tested. 478*/ 479 if (BN_num_bits(g) <= BN_BITS && srp_Verify_N_and_g(N,g)) 480 return 1; 481 } 482 BIO_printf(bio_err, "SRP param N and g rejected.\n"); 483 return 0; 484 } 485 486#define PWD_STRLEN 1024 487 488static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg) 489 { 490 SRP_ARG *srp_arg = (SRP_ARG *)arg; 491 char *pass = (char *)OPENSSL_malloc(PWD_STRLEN+1); 492 PW_CB_DATA cb_tmp; 493 int l; 494 495 cb_tmp.password = (char *)srp_arg->srppassin; 496 cb_tmp.prompt_info = "SRP user"; 497 if ((l = password_callback(pass, PWD_STRLEN, 0, &cb_tmp))<0) 498 { 499 BIO_printf (bio_err, "Can't read Password\n"); 500 OPENSSL_free(pass); 501 return NULL; 502 } 503 *(pass+l)= '\0'; 504 505 return pass; 506 } 507 508#endif 509#ifndef OPENSSL_NO_SRTP 510 char *srtp_profiles = NULL; 511#endif 512 513# ifndef OPENSSL_NO_NEXTPROTONEG 514/* This the context that we pass to next_proto_cb */ 515typedef struct tlsextnextprotoctx_st { 516 unsigned char *data; 517 unsigned short len; 518 int status; 519} tlsextnextprotoctx; 520 521static tlsextnextprotoctx next_proto; 522 523static int next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg) 524 { 525 tlsextnextprotoctx *ctx = arg; 526 527 if (!c_quiet) 528 { 529 /* We can assume that |in| is syntactically valid. */ 530 unsigned i; 531 BIO_printf(bio_c_out, "Protocols advertised by server: "); 532 for (i = 0; i < inlen; ) 533 { 534 if (i) 535 BIO_write(bio_c_out, ", ", 2); 536 BIO_write(bio_c_out, &in[i + 1], in[i]); 537 i += in[i] + 1; 538 } 539 BIO_write(bio_c_out, "\n", 1); 540 } 541 542 ctx->status = SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len); 543 return SSL_TLSEXT_ERR_OK; 544 } 545# endif /* ndef OPENSSL_NO_NEXTPROTONEG */ 546#endif 547 548enum 549{ 550 PROTO_OFF = 0, 551 PROTO_SMTP, 552 PROTO_POP3, 553 PROTO_IMAP, 554 PROTO_FTP, 555 PROTO_XMPP 556}; 557 558int MAIN(int, char **); 559 560int MAIN(int argc, char **argv) 561 { 562 unsigned int off=0, clr=0; 563 SSL *con=NULL; 564#ifndef OPENSSL_NO_KRB5 565 KSSL_CTX *kctx; 566#endif 567 int s,k,width,state=0; 568 char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL; 569 int cbuf_len,cbuf_off; 570 int sbuf_len,sbuf_off; 571 fd_set readfds,writefds; 572 short port=PORT; 573 int full_log=1; 574 char *host=SSL_HOST_NAME; 575 char *cert_file=NULL,*key_file=NULL; 576 int cert_format = FORMAT_PEM, key_format = FORMAT_PEM; 577 char *passarg = NULL, *pass = NULL; 578 X509 *cert = NULL; 579 EVP_PKEY *key = NULL; 580 char *CApath=NULL,*CAfile=NULL,*cipher=NULL; 581 int reconnect=0,badop=0,verify=SSL_VERIFY_NONE,bugs=0; 582 int cutthrough=0; 583 int crlf=0; 584 int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending; 585 SSL_CTX *ctx=NULL; 586 int ret=1,in_init=1,i,nbio_test=0; 587 int starttls_proto = PROTO_OFF; 588 int prexit = 0; 589 X509_VERIFY_PARAM *vpm = NULL; 590 int badarg = 0; 591 const SSL_METHOD *meth=NULL; 592 int socket_type=SOCK_STREAM; 593 BIO *sbio; 594 char *inrand=NULL; 595 int mbuf_len=0; 596 struct timeval timeout, *timeoutp; 597#ifndef OPENSSL_NO_ENGINE 598 char *engine_id=NULL; 599 char *ssl_client_engine_id=NULL; 600 ENGINE *ssl_client_engine=NULL; 601#endif 602 ENGINE *e=NULL; 603#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5) 604 struct timeval tv; 605#if defined(OPENSSL_SYS_BEOS_R5) 606 int stdin_set = 0; 607#endif 608#endif 609#ifndef OPENSSL_NO_TLSEXT 610 char *servername = NULL; 611 tlsextctx tlsextcbp = 612 {NULL,0}; 613# ifndef OPENSSL_NO_NEXTPROTONEG 614 const char *next_proto_neg_in = NULL; 615# endif 616#endif 617 char *sess_in = NULL; 618 char *sess_out = NULL; 619 struct sockaddr peer; 620 int peerlen = sizeof(peer); 621 int fallback_scsv = 0; 622 int enable_timeouts = 0 ; 623 long socket_mtu = 0; 624#ifndef OPENSSL_NO_JPAKE 625 char *jpake_secret = NULL; 626#endif 627#ifndef OPENSSL_NO_SRP 628 char * srppass = NULL; 629 int srp_lateuser = 0; 630 SRP_ARG srp_arg = {NULL,NULL,0,0,0,1024}; 631#endif 632 633 meth=SSLv23_client_method(); 634 635 apps_startup(); 636 c_Pause=0; 637 c_quiet=0; 638 c_ign_eof=0; 639 c_debug=0; 640 c_msg=0; 641 c_showcerts=0; 642 643 if (bio_err == NULL) 644 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE); 645 646 if (!load_config(bio_err, NULL)) 647 goto end; 648 649 if ( ((cbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) || 650 ((sbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) || 651 ((mbuf=OPENSSL_malloc(BUFSIZZ)) == NULL)) 652 { 653 BIO_printf(bio_err,"out of memory\n"); 654 goto end; 655 } 656 657 verify_depth=0; 658 verify_error=X509_V_OK; 659#ifdef FIONBIO 660 c_nbio=0; 661#endif 662 663 argc--; 664 argv++; 665 while (argc >= 1) 666 { 667 if (strcmp(*argv,"-host") == 0) 668 { 669 if (--argc < 1) goto bad; 670 host= *(++argv); 671 } 672 else if (strcmp(*argv,"-port") == 0) 673 { 674 if (--argc < 1) goto bad; 675 port=atoi(*(++argv)); 676 if (port == 0) goto bad; 677 } 678 else if (strcmp(*argv,"-connect") == 0) 679 { 680 if (--argc < 1) goto bad; 681 if (!extract_host_port(*(++argv),&host,NULL,&port)) 682 goto bad; 683 } 684 else if (strcmp(*argv,"-verify") == 0) 685 { 686 verify=SSL_VERIFY_PEER; 687 if (--argc < 1) goto bad; 688 verify_depth=atoi(*(++argv)); 689 BIO_printf(bio_err,"verify depth is %d\n",verify_depth); 690 } 691 else if (strcmp(*argv,"-cert") == 0) 692 { 693 if (--argc < 1) goto bad; 694 cert_file= *(++argv); 695 } 696 else if (strcmp(*argv,"-sess_out") == 0) 697 { 698 if (--argc < 1) goto bad; 699 sess_out = *(++argv); 700 } 701 else if (strcmp(*argv,"-sess_in") == 0) 702 { 703 if (--argc < 1) goto bad; 704 sess_in = *(++argv); 705 } 706 else if (strcmp(*argv,"-certform") == 0) 707 { 708 if (--argc < 1) goto bad; 709 cert_format = str2fmt(*(++argv)); 710 } 711 else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm)) 712 { 713 if (badarg) 714 goto bad; 715 continue; 716 } 717 else if (strcmp(*argv,"-verify_return_error") == 0) 718 verify_return_error = 1; 719 else if (strcmp(*argv,"-prexit") == 0) 720 prexit=1; 721 else if (strcmp(*argv,"-crlf") == 0) 722 crlf=1; 723 else if (strcmp(*argv,"-quiet") == 0) 724 { 725 c_quiet=1; 726 c_ign_eof=1; 727 } 728 else if (strcmp(*argv,"-ign_eof") == 0) 729 c_ign_eof=1; 730 else if (strcmp(*argv,"-no_ign_eof") == 0) 731 c_ign_eof=0; 732 else if (strcmp(*argv,"-pause") == 0) 733 c_Pause=1; 734 else if (strcmp(*argv,"-debug") == 0) 735 c_debug=1; 736#ifndef OPENSSL_NO_TLSEXT 737 else if (strcmp(*argv,"-tlsextdebug") == 0) 738 c_tlsextdebug=1; 739 else if (strcmp(*argv,"-status") == 0) 740 c_status_req=1; 741#endif 742#ifdef WATT32 743 else if (strcmp(*argv,"-wdebug") == 0) 744 dbug_init(); 745#endif 746 else if (strcmp(*argv,"-msg") == 0) 747 c_msg=1; 748 else if (strcmp(*argv,"-showcerts") == 0) 749 c_showcerts=1; 750 else if (strcmp(*argv,"-nbio_test") == 0) 751 nbio_test=1; 752 else if (strcmp(*argv,"-state") == 0) 753 state=1; 754#ifndef OPENSSL_NO_PSK 755 else if (strcmp(*argv,"-psk_identity") == 0) 756 { 757 if (--argc < 1) goto bad; 758 psk_identity=*(++argv); 759 } 760 else if (strcmp(*argv,"-psk") == 0) 761 { 762 size_t j; 763 764 if (--argc < 1) goto bad; 765 psk_key=*(++argv); 766 for (j = 0; j < strlen(psk_key); j++) 767 { 768 if (isxdigit((unsigned char)psk_key[j])) 769 continue; 770 BIO_printf(bio_err,"Not a hex number '%s'\n",*argv); 771 goto bad; 772 } 773 } 774#endif 775#ifndef OPENSSL_NO_SRP 776 else if (strcmp(*argv,"-srpuser") == 0) 777 { 778 if (--argc < 1) goto bad; 779 srp_arg.srplogin= *(++argv); 780 meth=TLSv1_client_method(); 781 } 782 else if (strcmp(*argv,"-srppass") == 0) 783 { 784 if (--argc < 1) goto bad; 785 srppass= *(++argv); 786 meth=TLSv1_client_method(); 787 } 788 else if (strcmp(*argv,"-srp_strength") == 0) 789 { 790 if (--argc < 1) goto bad; 791 srp_arg.strength=atoi(*(++argv)); 792 BIO_printf(bio_err,"SRP minimal length for N is %d\n",srp_arg.strength); 793 meth=TLSv1_client_method(); 794 } 795 else if (strcmp(*argv,"-srp_lateuser") == 0) 796 { 797 srp_lateuser= 1; 798 meth=TLSv1_client_method(); 799 } 800 else if (strcmp(*argv,"-srp_moregroups") == 0) 801 { 802 srp_arg.amp=1; 803 meth=TLSv1_client_method(); 804 } 805#endif 806#ifndef OPENSSL_NO_SSL2 807 else if (strcmp(*argv,"-ssl2") == 0) 808 meth=SSLv2_client_method(); 809#endif 810#ifndef OPENSSL_NO_SSL3 811 else if (strcmp(*argv,"-ssl3") == 0) 812 meth=SSLv3_client_method(); 813#endif 814#ifndef OPENSSL_NO_TLS1 815 else if (strcmp(*argv,"-tls1_2") == 0) 816 meth=TLSv1_2_client_method(); 817 else if (strcmp(*argv,"-tls1_1") == 0) 818 meth=TLSv1_1_client_method(); 819 else if (strcmp(*argv,"-tls1") == 0) 820 meth=TLSv1_client_method(); 821#endif 822#ifndef OPENSSL_NO_DTLS1 823 else if (strcmp(*argv,"-dtls1") == 0) 824 { 825 meth=DTLSv1_client_method(); 826 socket_type=SOCK_DGRAM; 827 } 828 else if (strcmp(*argv,"-fallback_scsv") == 0) 829 { 830 fallback_scsv = 1; 831 } 832 else if (strcmp(*argv,"-timeout") == 0) 833 enable_timeouts=1; 834 else if (strcmp(*argv,"-mtu") == 0) 835 { 836 if (--argc < 1) goto bad; 837 socket_mtu = atol(*(++argv)); 838 } 839#endif 840 else if (strcmp(*argv,"-bugs") == 0) 841 bugs=1; 842 else if (strcmp(*argv,"-keyform") == 0) 843 { 844 if (--argc < 1) goto bad; 845 key_format = str2fmt(*(++argv)); 846 } 847 else if (strcmp(*argv,"-pass") == 0) 848 { 849 if (--argc < 1) goto bad; 850 passarg = *(++argv); 851 } 852 else if (strcmp(*argv,"-key") == 0) 853 { 854 if (--argc < 1) goto bad; 855 key_file= *(++argv); 856 } 857 else if (strcmp(*argv,"-reconnect") == 0) 858 { 859 reconnect=5; 860 } 861 else if (strcmp(*argv,"-CApath") == 0) 862 { 863 if (--argc < 1) goto bad; 864 CApath= *(++argv); 865 } 866 else if (strcmp(*argv,"-CAfile") == 0) 867 { 868 if (--argc < 1) goto bad; 869 CAfile= *(++argv); 870 } 871 else if (strcmp(*argv,"-no_tls1_2") == 0) 872 off|=SSL_OP_NO_TLSv1_2; 873 else if (strcmp(*argv,"-no_tls1_1") == 0) 874 off|=SSL_OP_NO_TLSv1_1; 875 else if (strcmp(*argv,"-no_tls1") == 0) 876 off|=SSL_OP_NO_TLSv1; 877 else if (strcmp(*argv,"-no_ssl3") == 0) 878 off|=SSL_OP_NO_SSLv3; 879 else if (strcmp(*argv,"-no_ssl2") == 0) 880 off|=SSL_OP_NO_SSLv2; 881 else if (strcmp(*argv,"-no_comp") == 0) 882 { off|=SSL_OP_NO_COMPRESSION; } 883#ifndef OPENSSL_NO_TLSEXT 884 else if (strcmp(*argv,"-no_ticket") == 0) 885 { off|=SSL_OP_NO_TICKET; } 886# ifndef OPENSSL_NO_NEXTPROTONEG 887 else if (strcmp(*argv,"-nextprotoneg") == 0) 888 { 889 if (--argc < 1) goto bad; 890 next_proto_neg_in = *(++argv); 891 } 892# endif 893#endif 894 else if (strcmp(*argv,"-cutthrough") == 0) 895 cutthrough=1; 896 else if (strcmp(*argv,"-serverpref") == 0) 897 off|=SSL_OP_CIPHER_SERVER_PREFERENCE; 898 else if (strcmp(*argv,"-legacy_renegotiation") == 0) 899 off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; 900 else if (strcmp(*argv,"-legacy_server_connect") == 0) 901 { off|=SSL_OP_LEGACY_SERVER_CONNECT; } 902 else if (strcmp(*argv,"-no_legacy_server_connect") == 0) 903 { clr|=SSL_OP_LEGACY_SERVER_CONNECT; } 904 else if (strcmp(*argv,"-cipher") == 0) 905 { 906 if (--argc < 1) goto bad; 907 cipher= *(++argv); 908 } 909#ifdef FIONBIO 910 else if (strcmp(*argv,"-nbio") == 0) 911 { c_nbio=1; } 912#endif 913 else if (strcmp(*argv,"-starttls") == 0) 914 { 915 if (--argc < 1) goto bad; 916 ++argv; 917 if (strcmp(*argv,"smtp") == 0) 918 starttls_proto = PROTO_SMTP; 919 else if (strcmp(*argv,"pop3") == 0) 920 starttls_proto = PROTO_POP3; 921 else if (strcmp(*argv,"imap") == 0) 922 starttls_proto = PROTO_IMAP; 923 else if (strcmp(*argv,"ftp") == 0) 924 starttls_proto = PROTO_FTP; 925 else if (strcmp(*argv, "xmpp") == 0) 926 starttls_proto = PROTO_XMPP; 927 else 928 goto bad; 929 } 930#ifndef OPENSSL_NO_ENGINE 931 else if (strcmp(*argv,"-engine") == 0) 932 { 933 if (--argc < 1) goto bad; 934 engine_id = *(++argv); 935 } 936 else if (strcmp(*argv,"-ssl_client_engine") == 0) 937 { 938 if (--argc < 1) goto bad; 939 ssl_client_engine_id = *(++argv); 940 } 941#endif 942 else if (strcmp(*argv,"-rand") == 0) 943 { 944 if (--argc < 1) goto bad; 945 inrand= *(++argv); 946 } 947#ifndef OPENSSL_NO_TLSEXT 948 else if (strcmp(*argv,"-servername") == 0) 949 { 950 if (--argc < 1) goto bad; 951 servername= *(++argv); 952 /* meth=TLSv1_client_method(); */ 953 } 954#endif 955#ifndef OPENSSL_NO_JPAKE 956 else if (strcmp(*argv,"-jpake") == 0) 957 { 958 if (--argc < 1) goto bad; 959 jpake_secret = *++argv; 960 } 961#endif 962#ifndef OPENSSL_NO_SRTP 963 else if (strcmp(*argv,"-use_srtp") == 0) 964 { 965 if (--argc < 1) goto bad; 966 srtp_profiles = *(++argv); 967 } 968#endif 969 else if (strcmp(*argv,"-keymatexport") == 0) 970 { 971 if (--argc < 1) goto bad; 972 keymatexportlabel= *(++argv); 973 } 974 else if (strcmp(*argv,"-keymatexportlen") == 0) 975 { 976 if (--argc < 1) goto bad; 977 keymatexportlen=atoi(*(++argv)); 978 if (keymatexportlen == 0) goto bad; 979 } 980 else 981 { 982 BIO_printf(bio_err,"unknown option %s\n",*argv); 983 badop=1; 984 break; 985 } 986 argc--; 987 argv++; 988 } 989 if (badop) 990 { 991bad: 992 sc_usage(); 993 goto end; 994 } 995 996#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK) 997 if (jpake_secret) 998 { 999 if (psk_key) 1000 { 1001 BIO_printf(bio_err, 1002 "Can't use JPAKE and PSK together\n"); 1003 goto end; 1004 } 1005 psk_identity = "JPAKE"; 1006 if (cipher) 1007 { 1008 BIO_printf(bio_err, "JPAKE sets cipher to PSK\n"); 1009 goto end; 1010 } 1011 cipher = "PSK"; 1012 } 1013#endif 1014 1015 OpenSSL_add_ssl_algorithms(); 1016 SSL_load_error_strings(); 1017 1018#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) 1019 next_proto.status = -1; 1020 if (next_proto_neg_in) 1021 { 1022 next_proto.data = next_protos_parse(&next_proto.len, next_proto_neg_in); 1023 if (next_proto.data == NULL) 1024 { 1025 BIO_printf(bio_err, "Error parsing -nextprotoneg argument\n"); 1026 goto end; 1027 } 1028 } 1029 else 1030 next_proto.data = NULL; 1031#endif 1032 1033#ifndef OPENSSL_NO_ENGINE 1034 e = setup_engine(bio_err, engine_id, 1); 1035 if (ssl_client_engine_id) 1036 { 1037 ssl_client_engine = ENGINE_by_id(ssl_client_engine_id); 1038 if (!ssl_client_engine) 1039 { 1040 BIO_printf(bio_err, 1041 "Error getting client auth engine\n"); 1042 goto end; 1043 } 1044 } 1045 1046#endif 1047 if (!app_passwd(bio_err, passarg, NULL, &pass, NULL)) 1048 { 1049 BIO_printf(bio_err, "Error getting password\n"); 1050 goto end; 1051 } 1052 1053 if (key_file == NULL) 1054 key_file = cert_file; 1055 1056 1057 if (key_file) 1058 1059 { 1060 1061 key = load_key(bio_err, key_file, key_format, 0, pass, e, 1062 "client certificate private key file"); 1063 if (!key) 1064 { 1065 ERR_print_errors(bio_err); 1066 goto end; 1067 } 1068 1069 } 1070 1071 if (cert_file) 1072 1073 { 1074 cert = load_cert(bio_err,cert_file,cert_format, 1075 NULL, e, "client certificate file"); 1076 1077 if (!cert) 1078 { 1079 ERR_print_errors(bio_err); 1080 goto end; 1081 } 1082 } 1083 1084 if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL 1085 && !RAND_status()) 1086 { 1087 BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n"); 1088 } 1089 if (inrand != NULL) 1090 BIO_printf(bio_err,"%ld semi-random bytes loaded\n", 1091 app_RAND_load_files(inrand)); 1092 1093 if (bio_c_out == NULL) 1094 { 1095 if (c_quiet && !c_debug && !c_msg) 1096 { 1097 bio_c_out=BIO_new(BIO_s_null()); 1098 } 1099 else 1100 { 1101 if (bio_c_out == NULL) 1102 bio_c_out=BIO_new_fp(stdout,BIO_NOCLOSE); 1103 } 1104 } 1105 1106#ifndef OPENSSL_NO_SRP 1107 if(!app_passwd(bio_err, srppass, NULL, &srp_arg.srppassin, NULL)) 1108 { 1109 BIO_printf(bio_err, "Error getting password\n"); 1110 goto end; 1111 } 1112#endif 1113 1114 ctx=SSL_CTX_new(meth); 1115 if (ctx == NULL) 1116 { 1117 ERR_print_errors(bio_err); 1118 goto end; 1119 } 1120 1121 if (vpm) 1122 SSL_CTX_set1_param(ctx, vpm); 1123 1124#ifndef OPENSSL_NO_ENGINE 1125 if (ssl_client_engine) 1126 { 1127 if (!SSL_CTX_set_client_cert_engine(ctx, ssl_client_engine)) 1128 { 1129 BIO_puts(bio_err, "Error setting client auth engine\n"); 1130 ERR_print_errors(bio_err); 1131 ENGINE_free(ssl_client_engine); 1132 goto end; 1133 } 1134 ENGINE_free(ssl_client_engine); 1135 } 1136#endif 1137 1138#ifndef OPENSSL_NO_PSK 1139#ifdef OPENSSL_NO_JPAKE 1140 if (psk_key != NULL) 1141#else 1142 if (psk_key != NULL || jpake_secret) 1143#endif 1144 { 1145 if (c_debug) 1146 BIO_printf(bio_c_out, "PSK key given or JPAKE in use, setting client callback\n"); 1147 SSL_CTX_set_psk_client_callback(ctx, psk_client_cb); 1148 } 1149#endif 1150#ifndef OPENSSL_NO_SRTP 1151 if (srtp_profiles != NULL) 1152 SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles); 1153#endif 1154 if (bugs) 1155 SSL_CTX_set_options(ctx,SSL_OP_ALL|off); 1156 else 1157 SSL_CTX_set_options(ctx,off); 1158 1159 if (clr) 1160 SSL_CTX_clear_options(ctx, clr); 1161 /* DTLS: partial reads end up discarding unread UDP bytes :-( 1162 * Setting read ahead solves this problem. 1163 */ 1164 if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1); 1165 1166#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) 1167 if (next_proto.data) 1168 SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto); 1169#endif 1170 1171 /* Enable handshake cutthrough for client connections using 1172 * strong ciphers. */ 1173 if (cutthrough) 1174 { 1175 int ssl_mode = SSL_CTX_get_mode(ctx); 1176 ssl_mode |= SSL_MODE_HANDSHAKE_CUTTHROUGH; 1177 SSL_CTX_set_mode(ctx, ssl_mode); 1178 } 1179 1180 if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback); 1181 if (cipher != NULL) 1182 if(!SSL_CTX_set_cipher_list(ctx,cipher)) { 1183 BIO_printf(bio_err,"error setting cipher list\n"); 1184 ERR_print_errors(bio_err); 1185 goto end; 1186 } 1187#if 0 1188 else 1189 SSL_CTX_set_cipher_list(ctx,getenv("SSL_CIPHER")); 1190#endif 1191 1192 SSL_CTX_set_verify(ctx,verify,verify_callback); 1193 if (!set_cert_key_stuff(ctx,cert,key)) 1194 goto end; 1195 1196 if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) || 1197 (!SSL_CTX_set_default_verify_paths(ctx))) 1198 { 1199 /* BIO_printf(bio_err,"error setting default verify locations\n"); */ 1200 ERR_print_errors(bio_err); 1201 /* goto end; */ 1202 } 1203 1204#ifndef OPENSSL_NO_TLSEXT 1205 if (servername != NULL) 1206 { 1207 tlsextcbp.biodebug = bio_err; 1208 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb); 1209 SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp); 1210 } 1211#ifndef OPENSSL_NO_SRP 1212 if (srp_arg.srplogin) 1213 { 1214 if (!srp_lateuser && !SSL_CTX_set_srp_username(ctx, srp_arg.srplogin)) 1215 { 1216 BIO_printf(bio_err,"Unable to set SRP username\n"); 1217 goto end; 1218 } 1219 srp_arg.msg = c_msg; 1220 srp_arg.debug = c_debug ; 1221 SSL_CTX_set_srp_cb_arg(ctx,&srp_arg); 1222 SSL_CTX_set_srp_client_pwd_callback(ctx, ssl_give_srp_client_pwd_cb); 1223 SSL_CTX_set_srp_strength(ctx, srp_arg.strength); 1224 if (c_msg || c_debug || srp_arg.amp == 0) 1225 SSL_CTX_set_srp_verify_param_callback(ctx, ssl_srp_verify_param_cb); 1226 } 1227 1228#endif 1229#endif 1230 1231 con=SSL_new(ctx); 1232 if (sess_in) 1233 { 1234 SSL_SESSION *sess; 1235 BIO *stmp = BIO_new_file(sess_in, "r"); 1236 if (!stmp) 1237 { 1238 BIO_printf(bio_err, "Can't open session file %s\n", 1239 sess_in); 1240 ERR_print_errors(bio_err); 1241 goto end; 1242 } 1243 sess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL); 1244 BIO_free(stmp); 1245 if (!sess) 1246 { 1247 BIO_printf(bio_err, "Can't open session file %s\n", 1248 sess_in); 1249 ERR_print_errors(bio_err); 1250 goto end; 1251 } 1252 SSL_set_session(con, sess); 1253 SSL_SESSION_free(sess); 1254 } 1255 1256 if (fallback_scsv) 1257 SSL_set_mode(con, SSL_MODE_SEND_FALLBACK_SCSV); 1258 1259#ifndef OPENSSL_NO_TLSEXT 1260 if (servername != NULL) 1261 { 1262 if (!SSL_set_tlsext_host_name(con,servername)) 1263 { 1264 BIO_printf(bio_err,"Unable to set TLS servername extension.\n"); 1265 ERR_print_errors(bio_err); 1266 goto end; 1267 } 1268 } 1269#endif 1270#ifndef OPENSSL_NO_KRB5 1271 if (con && (kctx = kssl_ctx_new()) != NULL) 1272 { 1273 SSL_set0_kssl_ctx(con, kctx); 1274 kssl_ctx_setstring(kctx, KSSL_SERVER, host); 1275 } 1276#endif /* OPENSSL_NO_KRB5 */ 1277/* SSL_set_cipher_list(con,"RC4-MD5"); */ 1278#if 0 1279#ifdef TLSEXT_TYPE_opaque_prf_input 1280 SSL_set_tlsext_opaque_prf_input(con, "Test client", 11); 1281#endif 1282#endif 1283 1284re_start: 1285 1286 if (init_client(&s,host,port,socket_type) == 0) 1287 { 1288 BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error()); 1289 SHUTDOWN(s); 1290 goto end; 1291 } 1292 BIO_printf(bio_c_out,"CONNECTED(%08X)\n",s); 1293 1294#ifdef FIONBIO 1295 if (c_nbio) 1296 { 1297 unsigned long l=1; 1298 BIO_printf(bio_c_out,"turning on non blocking io\n"); 1299 if (BIO_socket_ioctl(s,FIONBIO,&l) < 0) 1300 { 1301 ERR_print_errors(bio_err); 1302 goto end; 1303 } 1304 } 1305#endif 1306 if (c_Pause & 0x01) SSL_set_debug(con, 1); 1307 1308 if ( SSL_version(con) == DTLS1_VERSION) 1309 { 1310 1311 sbio=BIO_new_dgram(s,BIO_NOCLOSE); 1312 if (getsockname(s, &peer, (void *)&peerlen) < 0) 1313 { 1314 BIO_printf(bio_err, "getsockname:errno=%d\n", 1315 get_last_socket_error()); 1316 SHUTDOWN(s); 1317 goto end; 1318 } 1319 1320 (void)BIO_ctrl_set_connected(sbio, 1, &peer); 1321 1322 if (enable_timeouts) 1323 { 1324 timeout.tv_sec = 0; 1325 timeout.tv_usec = DGRAM_RCV_TIMEOUT; 1326 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout); 1327 1328 timeout.tv_sec = 0; 1329 timeout.tv_usec = DGRAM_SND_TIMEOUT; 1330 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout); 1331 } 1332 1333 if (socket_mtu > 28) 1334 { 1335 SSL_set_options(con, SSL_OP_NO_QUERY_MTU); 1336 SSL_set_mtu(con, socket_mtu - 28); 1337 } 1338 else 1339 /* want to do MTU discovery */ 1340 BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL); 1341 } 1342 else 1343 sbio=BIO_new_socket(s,BIO_NOCLOSE); 1344 1345 if (nbio_test) 1346 { 1347 BIO *test; 1348 1349 test=BIO_new(BIO_f_nbio_test()); 1350 sbio=BIO_push(test,sbio); 1351 } 1352 1353 if (c_debug) 1354 { 1355 SSL_set_debug(con, 1); 1356 BIO_set_callback(sbio,bio_dump_callback); 1357 BIO_set_callback_arg(sbio,(char *)bio_c_out); 1358 } 1359 if (c_msg) 1360 { 1361 SSL_set_msg_callback(con, msg_cb); 1362 SSL_set_msg_callback_arg(con, bio_c_out); 1363 } 1364#ifndef OPENSSL_NO_TLSEXT 1365 if (c_tlsextdebug) 1366 { 1367 SSL_set_tlsext_debug_callback(con, tlsext_cb); 1368 SSL_set_tlsext_debug_arg(con, bio_c_out); 1369 } 1370 if (c_status_req) 1371 { 1372 SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp); 1373 SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb); 1374 SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out); 1375#if 0 1376{ 1377STACK_OF(OCSP_RESPID) *ids = sk_OCSP_RESPID_new_null(); 1378OCSP_RESPID *id = OCSP_RESPID_new(); 1379id->value.byKey = ASN1_OCTET_STRING_new(); 1380id->type = V_OCSP_RESPID_KEY; 1381ASN1_STRING_set(id->value.byKey, "Hello World", -1); 1382sk_OCSP_RESPID_push(ids, id); 1383SSL_set_tlsext_status_ids(con, ids); 1384} 1385#endif 1386 } 1387#endif 1388#ifndef OPENSSL_NO_JPAKE 1389 if (jpake_secret) 1390 jpake_client_auth(bio_c_out, sbio, jpake_secret); 1391#endif 1392 1393 SSL_set_bio(con,sbio,sbio); 1394 SSL_set_connect_state(con); 1395 1396 /* ok, lets connect */ 1397 width=SSL_get_fd(con)+1; 1398 1399 read_tty=1; 1400 write_tty=0; 1401 tty_on=0; 1402 read_ssl=1; 1403 write_ssl=1; 1404 1405 cbuf_len=0; 1406 cbuf_off=0; 1407 sbuf_len=0; 1408 sbuf_off=0; 1409 1410 /* This is an ugly hack that does a lot of assumptions */ 1411 /* We do have to handle multi-line responses which may come 1412 in a single packet or not. We therefore have to use 1413 BIO_gets() which does need a buffering BIO. So during 1414 the initial chitchat we do push a buffering BIO into the 1415 chain that is removed again later on to not disturb the 1416 rest of the s_client operation. */ 1417 if (starttls_proto == PROTO_SMTP) 1418 { 1419 int foundit=0; 1420 BIO *fbio = BIO_new(BIO_f_buffer()); 1421 BIO_push(fbio, sbio); 1422 /* wait for multi-line response to end from SMTP */ 1423 do 1424 { 1425 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ); 1426 } 1427 while (mbuf_len>3 && mbuf[3]=='-'); 1428 /* STARTTLS command requires EHLO... */ 1429 BIO_printf(fbio,"EHLO openssl.client.net\r\n"); 1430 (void)BIO_flush(fbio); 1431 /* wait for multi-line response to end EHLO SMTP response */ 1432 do 1433 { 1434 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ); 1435 if (strstr(mbuf,"STARTTLS")) 1436 foundit=1; 1437 } 1438 while (mbuf_len>3 && mbuf[3]=='-'); 1439 (void)BIO_flush(fbio); 1440 BIO_pop(fbio); 1441 BIO_free(fbio); 1442 if (!foundit) 1443 BIO_printf(bio_err, 1444 "didn't found starttls in server response," 1445 " try anyway...\n"); 1446 BIO_printf(sbio,"STARTTLS\r\n"); 1447 BIO_read(sbio,sbuf,BUFSIZZ); 1448 } 1449 else if (starttls_proto == PROTO_POP3) 1450 { 1451 BIO_read(sbio,mbuf,BUFSIZZ); 1452 BIO_printf(sbio,"STLS\r\n"); 1453 BIO_read(sbio,sbuf,BUFSIZZ); 1454 } 1455 else if (starttls_proto == PROTO_IMAP) 1456 { 1457 int foundit=0; 1458 BIO *fbio = BIO_new(BIO_f_buffer()); 1459 BIO_push(fbio, sbio); 1460 BIO_gets(fbio,mbuf,BUFSIZZ); 1461 /* STARTTLS command requires CAPABILITY... */ 1462 BIO_printf(fbio,". CAPABILITY\r\n"); 1463 (void)BIO_flush(fbio); 1464 /* wait for multi-line CAPABILITY response */ 1465 do 1466 { 1467 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ); 1468 if (strstr(mbuf,"STARTTLS")) 1469 foundit=1; 1470 } 1471 while (mbuf_len>3 && mbuf[0]!='.'); 1472 (void)BIO_flush(fbio); 1473 BIO_pop(fbio); 1474 BIO_free(fbio); 1475 if (!foundit) 1476 BIO_printf(bio_err, 1477 "didn't found STARTTLS in server response," 1478 " try anyway...\n"); 1479 BIO_printf(sbio,". STARTTLS\r\n"); 1480 BIO_read(sbio,sbuf,BUFSIZZ); 1481 } 1482 else if (starttls_proto == PROTO_FTP) 1483 { 1484 BIO *fbio = BIO_new(BIO_f_buffer()); 1485 BIO_push(fbio, sbio); 1486 /* wait for multi-line response to end from FTP */ 1487 do 1488 { 1489 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ); 1490 } 1491 while (mbuf_len>3 && mbuf[3]=='-'); 1492 (void)BIO_flush(fbio); 1493 BIO_pop(fbio); 1494 BIO_free(fbio); 1495 BIO_printf(sbio,"AUTH TLS\r\n"); 1496 BIO_read(sbio,sbuf,BUFSIZZ); 1497 } 1498 if (starttls_proto == PROTO_XMPP) 1499 { 1500 int seen = 0; 1501 BIO_printf(sbio,"<stream:stream " 1502 "xmlns:stream='http://etherx.jabber.org/streams' " 1503 "xmlns='jabber:client' to='%s' version='1.0'>", host); 1504 seen = BIO_read(sbio,mbuf,BUFSIZZ); 1505 mbuf[seen] = 0; 1506 while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'")) 1507 { 1508 if (strstr(mbuf, "/stream:features>")) 1509 goto shut; 1510 seen = BIO_read(sbio,mbuf,BUFSIZZ); 1511 mbuf[seen] = 0; 1512 } 1513 BIO_printf(sbio, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"); 1514 seen = BIO_read(sbio,sbuf,BUFSIZZ); 1515 sbuf[seen] = 0; 1516 if (!strstr(sbuf, "<proceed")) 1517 goto shut; 1518 mbuf[0] = 0; 1519 } 1520 1521 for (;;) 1522 { 1523 FD_ZERO(&readfds); 1524 FD_ZERO(&writefds); 1525 1526 if ((SSL_version(con) == DTLS1_VERSION) && 1527 DTLSv1_get_timeout(con, &timeout)) 1528 timeoutp = &timeout; 1529 else 1530 timeoutp = NULL; 1531 1532 if (SSL_in_init(con) && !SSL_total_renegotiations(con)) 1533 { 1534 in_init=1; 1535 tty_on=0; 1536 } 1537 else 1538 { 1539 tty_on=1; 1540 if (in_init) 1541 { 1542 in_init=0; 1543#if 0 /* This test doesn't really work as intended (needs to be fixed) */ 1544#ifndef OPENSSL_NO_TLSEXT 1545 if (servername != NULL && !SSL_session_reused(con)) 1546 { 1547 BIO_printf(bio_c_out,"Server did %sacknowledge servername extension.\n",tlsextcbp.ack?"":"not "); 1548 } 1549#endif 1550#endif 1551 if (sess_out) 1552 { 1553 BIO *stmp = BIO_new_file(sess_out, "w"); 1554 if (stmp) 1555 { 1556 PEM_write_bio_SSL_SESSION(stmp, SSL_get_session(con)); 1557 BIO_free(stmp); 1558 } 1559 else 1560 BIO_printf(bio_err, "Error writing session file %s\n", sess_out); 1561 } 1562 print_stuff(bio_c_out,con,full_log); 1563 if (full_log > 0) full_log--; 1564 1565 if (starttls_proto) 1566 { 1567 BIO_printf(bio_err,"%s",mbuf); 1568 /* We don't need to know any more */ 1569 starttls_proto = PROTO_OFF; 1570 } 1571 1572 if (reconnect) 1573 { 1574 reconnect--; 1575 BIO_printf(bio_c_out,"drop connection and then reconnect\n"); 1576 SSL_shutdown(con); 1577 SSL_set_connect_state(con); 1578 SHUTDOWN(SSL_get_fd(con)); 1579 goto re_start; 1580 } 1581 } 1582 } 1583 1584 ssl_pending = read_ssl && SSL_pending(con); 1585 1586 if (!ssl_pending) 1587 { 1588#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) && !defined (OPENSSL_SYS_BEOS_R5) 1589 if (tty_on) 1590 { 1591 if (read_tty) openssl_fdset(fileno(stdin),&readfds); 1592 if (write_tty) openssl_fdset(fileno(stdout),&writefds); 1593 } 1594 if (read_ssl) 1595 openssl_fdset(SSL_get_fd(con),&readfds); 1596 if (write_ssl) 1597 openssl_fdset(SSL_get_fd(con),&writefds); 1598#else 1599 if(!tty_on || !write_tty) { 1600 if (read_ssl) 1601 openssl_fdset(SSL_get_fd(con),&readfds); 1602 if (write_ssl) 1603 openssl_fdset(SSL_get_fd(con),&writefds); 1604 } 1605#endif 1606/* printf("mode tty(%d %d%d) ssl(%d%d)\n", 1607 tty_on,read_tty,write_tty,read_ssl,write_ssl);*/ 1608 1609 /* Note: under VMS with SOCKETSHR the second parameter 1610 * is currently of type (int *) whereas under other 1611 * systems it is (void *) if you don't have a cast it 1612 * will choke the compiler: if you do have a cast then 1613 * you can either go for (int *) or (void *). 1614 */ 1615#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) 1616 /* Under Windows/DOS we make the assumption that we can 1617 * always write to the tty: therefore if we need to 1618 * write to the tty we just fall through. Otherwise 1619 * we timeout the select every second and see if there 1620 * are any keypresses. Note: this is a hack, in a proper 1621 * Windows application we wouldn't do this. 1622 */ 1623 i=0; 1624 if(!write_tty) { 1625 if(read_tty) { 1626 tv.tv_sec = 1; 1627 tv.tv_usec = 0; 1628 i=select(width,(void *)&readfds,(void *)&writefds, 1629 NULL,&tv); 1630#if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS) 1631 if(!i && (!_kbhit() || !read_tty) ) continue; 1632#else 1633 if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue; 1634#endif 1635 } else i=select(width,(void *)&readfds,(void *)&writefds, 1636 NULL,timeoutp); 1637 } 1638#elif defined(OPENSSL_SYS_NETWARE) 1639 if(!write_tty) { 1640 if(read_tty) { 1641 tv.tv_sec = 1; 1642 tv.tv_usec = 0; 1643 i=select(width,(void *)&readfds,(void *)&writefds, 1644 NULL,&tv); 1645 } else i=select(width,(void *)&readfds,(void *)&writefds, 1646 NULL,timeoutp); 1647 } 1648#elif defined(OPENSSL_SYS_BEOS_R5) 1649 /* Under BeOS-R5 the situation is similar to DOS */ 1650 i=0; 1651 stdin_set = 0; 1652 (void)fcntl(fileno(stdin), F_SETFL, O_NONBLOCK); 1653 if(!write_tty) { 1654 if(read_tty) { 1655 tv.tv_sec = 1; 1656 tv.tv_usec = 0; 1657 i=select(width,(void *)&readfds,(void *)&writefds, 1658 NULL,&tv); 1659 if (read(fileno(stdin), sbuf, 0) >= 0) 1660 stdin_set = 1; 1661 if (!i && (stdin_set != 1 || !read_tty)) 1662 continue; 1663 } else i=select(width,(void *)&readfds,(void *)&writefds, 1664 NULL,timeoutp); 1665 } 1666 (void)fcntl(fileno(stdin), F_SETFL, 0); 1667#else 1668 i=select(width,(void *)&readfds,(void *)&writefds, 1669 NULL,timeoutp); 1670#endif 1671 if ( i < 0) 1672 { 1673 BIO_printf(bio_err,"bad select %d\n", 1674 get_last_socket_error()); 1675 goto shut; 1676 /* goto end; */ 1677 } 1678 } 1679 1680 if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0) 1681 { 1682 BIO_printf(bio_err,"TIMEOUT occured\n"); 1683 } 1684 1685 if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds)) 1686 { 1687 k=SSL_write(con,&(cbuf[cbuf_off]), 1688 (unsigned int)cbuf_len); 1689 switch (SSL_get_error(con,k)) 1690 { 1691 case SSL_ERROR_NONE: 1692 cbuf_off+=k; 1693 cbuf_len-=k; 1694 if (k <= 0) goto end; 1695 /* we have done a write(con,NULL,0); */ 1696 if (cbuf_len <= 0) 1697 { 1698 read_tty=1; 1699 write_ssl=0; 1700 } 1701 else /* if (cbuf_len > 0) */ 1702 { 1703 read_tty=0; 1704 write_ssl=1; 1705 } 1706 break; 1707 case SSL_ERROR_WANT_WRITE: 1708 BIO_printf(bio_c_out,"write W BLOCK\n"); 1709 write_ssl=1; 1710 read_tty=0; 1711 break; 1712 case SSL_ERROR_WANT_READ: 1713 BIO_printf(bio_c_out,"write R BLOCK\n"); 1714 write_tty=0; 1715 read_ssl=1; 1716 write_ssl=0; 1717 break; 1718 case SSL_ERROR_WANT_X509_LOOKUP: 1719 BIO_printf(bio_c_out,"write X BLOCK\n"); 1720 break; 1721 case SSL_ERROR_ZERO_RETURN: 1722 if (cbuf_len != 0) 1723 { 1724 BIO_printf(bio_c_out,"shutdown\n"); 1725 ret = 0; 1726 goto shut; 1727 } 1728 else 1729 { 1730 read_tty=1; 1731 write_ssl=0; 1732 break; 1733 } 1734 1735 case SSL_ERROR_SYSCALL: 1736 if ((k != 0) || (cbuf_len != 0)) 1737 { 1738 BIO_printf(bio_err,"write:errno=%d\n", 1739 get_last_socket_error()); 1740 goto shut; 1741 } 1742 else 1743 { 1744 read_tty=1; 1745 write_ssl=0; 1746 } 1747 break; 1748 case SSL_ERROR_SSL: 1749 ERR_print_errors(bio_err); 1750 goto shut; 1751 } 1752 } 1753#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5) 1754 /* Assume Windows/DOS/BeOS can always write */ 1755 else if (!ssl_pending && write_tty) 1756#else 1757 else if (!ssl_pending && FD_ISSET(fileno(stdout),&writefds)) 1758#endif 1759 { 1760#ifdef CHARSET_EBCDIC 1761 ascii2ebcdic(&(sbuf[sbuf_off]),&(sbuf[sbuf_off]),sbuf_len); 1762#endif 1763 i=raw_write_stdout(&(sbuf[sbuf_off]),sbuf_len); 1764 1765 if (i <= 0) 1766 { 1767 BIO_printf(bio_c_out,"DONE\n"); 1768 ret = 0; 1769 goto shut; 1770 /* goto end; */ 1771 } 1772 1773 sbuf_len-=i;; 1774 sbuf_off+=i; 1775 if (sbuf_len <= 0) 1776 { 1777 read_ssl=1; 1778 write_tty=0; 1779 } 1780 } 1781 else if (ssl_pending || FD_ISSET(SSL_get_fd(con),&readfds)) 1782 { 1783#ifdef RENEG 1784{ static int iiii; if (++iiii == 52) { SSL_renegotiate(con); iiii=0; } } 1785#endif 1786#if 1 1787 k=SSL_read(con,sbuf,1024 /* BUFSIZZ */ ); 1788#else 1789/* Demo for pending and peek :-) */ 1790 k=SSL_read(con,sbuf,16); 1791{ char zbuf[10240]; 1792printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240)); 1793} 1794#endif 1795 1796 switch (SSL_get_error(con,k)) 1797 { 1798 case SSL_ERROR_NONE: 1799 if (k <= 0) 1800 goto end; 1801 sbuf_off=0; 1802 sbuf_len=k; 1803 1804 read_ssl=0; 1805 write_tty=1; 1806 break; 1807 case SSL_ERROR_WANT_WRITE: 1808 BIO_printf(bio_c_out,"read W BLOCK\n"); 1809 write_ssl=1; 1810 read_tty=0; 1811 break; 1812 case SSL_ERROR_WANT_READ: 1813 BIO_printf(bio_c_out,"read R BLOCK\n"); 1814 write_tty=0; 1815 read_ssl=1; 1816 if ((read_tty == 0) && (write_ssl == 0)) 1817 write_ssl=1; 1818 break; 1819 case SSL_ERROR_WANT_X509_LOOKUP: 1820 BIO_printf(bio_c_out,"read X BLOCK\n"); 1821 break; 1822 case SSL_ERROR_SYSCALL: 1823 ret=get_last_socket_error(); 1824 BIO_printf(bio_err,"read:errno=%d\n",ret); 1825 goto shut; 1826 case SSL_ERROR_ZERO_RETURN: 1827 BIO_printf(bio_c_out,"closed\n"); 1828 ret=0; 1829 goto shut; 1830 case SSL_ERROR_SSL: 1831 ERR_print_errors(bio_err); 1832 goto shut; 1833 /* break; */ 1834 } 1835 } 1836 1837#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) 1838#if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS) 1839 else if (_kbhit()) 1840#else 1841 else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) 1842#endif 1843#elif defined (OPENSSL_SYS_NETWARE) 1844 else if (_kbhit()) 1845#elif defined(OPENSSL_SYS_BEOS_R5) 1846 else if (stdin_set) 1847#else 1848 else if (FD_ISSET(fileno(stdin),&readfds)) 1849#endif 1850 { 1851 if (crlf) 1852 { 1853 int j, lf_num; 1854 1855 i=raw_read_stdin(cbuf,BUFSIZZ/2); 1856 lf_num = 0; 1857 /* both loops are skipped when i <= 0 */ 1858 for (j = 0; j < i; j++) 1859 if (cbuf[j] == '\n') 1860 lf_num++; 1861 for (j = i-1; j >= 0; j--) 1862 { 1863 cbuf[j+lf_num] = cbuf[j]; 1864 if (cbuf[j] == '\n') 1865 { 1866 lf_num--; 1867 i++; 1868 cbuf[j+lf_num] = '\r'; 1869 } 1870 } 1871 assert(lf_num == 0); 1872 } 1873 else 1874 i=raw_read_stdin(cbuf,BUFSIZZ); 1875 1876 if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q'))) 1877 { 1878 BIO_printf(bio_err,"DONE\n"); 1879 ret=0; 1880 goto shut; 1881 } 1882 1883 if ((!c_ign_eof) && (cbuf[0] == 'R')) 1884 { 1885 BIO_printf(bio_err,"RENEGOTIATING\n"); 1886 SSL_renegotiate(con); 1887 cbuf_len=0; 1888 } 1889#ifndef OPENSSL_NO_HEARTBEATS 1890 else if ((!c_ign_eof) && (cbuf[0] == 'B')) 1891 { 1892 BIO_printf(bio_err,"HEARTBEATING\n"); 1893 SSL_heartbeat(con); 1894 cbuf_len=0; 1895 } 1896#endif 1897 else 1898 { 1899 cbuf_len=i; 1900 cbuf_off=0; 1901#ifdef CHARSET_EBCDIC 1902 ebcdic2ascii(cbuf, cbuf, i); 1903#endif 1904 } 1905 1906 write_ssl=1; 1907 read_tty=0; 1908 } 1909 } 1910 1911 ret=0; 1912shut: 1913 if (in_init) 1914 print_stuff(bio_c_out,con,full_log); 1915 SSL_shutdown(con); 1916 SHUTDOWN(SSL_get_fd(con)); 1917end: 1918 if (con != NULL) 1919 { 1920 if (prexit != 0) 1921 print_stuff(bio_c_out,con,1); 1922 SSL_free(con); 1923 } 1924#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) 1925 if (next_proto.data) 1926 OPENSSL_free(next_proto.data); 1927#endif 1928 if (ctx != NULL) SSL_CTX_free(ctx); 1929 if (cert) 1930 X509_free(cert); 1931 if (key) 1932 EVP_PKEY_free(key); 1933 if (pass) 1934 OPENSSL_free(pass); 1935 if (vpm) 1936 X509_VERIFY_PARAM_free(vpm); 1937 if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); } 1938 if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); } 1939 if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); } 1940 if (bio_c_out != NULL) 1941 { 1942 BIO_free(bio_c_out); 1943 bio_c_out=NULL; 1944 } 1945 apps_shutdown(); 1946 OPENSSL_EXIT(ret); 1947 } 1948 1949 1950static void print_stuff(BIO *bio, SSL *s, int full) 1951 { 1952 X509 *peer=NULL; 1953 char *p; 1954 static const char *space=" "; 1955 char buf[BUFSIZ]; 1956 STACK_OF(X509) *sk; 1957 STACK_OF(X509_NAME) *sk2; 1958 const SSL_CIPHER *c; 1959 X509_NAME *xn; 1960 int j,i; 1961#ifndef OPENSSL_NO_COMP 1962 const COMP_METHOD *comp, *expansion; 1963#endif 1964 unsigned char *exportedkeymat; 1965 1966 if (full) 1967 { 1968 int got_a_chain = 0; 1969 1970 sk=SSL_get_peer_cert_chain(s); 1971 if (sk != NULL) 1972 { 1973 got_a_chain = 1; /* we don't have it for SSL2 (yet) */ 1974 1975 BIO_printf(bio,"---\nCertificate chain\n"); 1976 for (i=0; i<sk_X509_num(sk); i++) 1977 { 1978 X509_NAME_oneline(X509_get_subject_name( 1979 sk_X509_value(sk,i)),buf,sizeof buf); 1980 BIO_printf(bio,"%2d s:%s\n",i,buf); 1981 X509_NAME_oneline(X509_get_issuer_name( 1982 sk_X509_value(sk,i)),buf,sizeof buf); 1983 BIO_printf(bio," i:%s\n",buf); 1984 if (c_showcerts) 1985 PEM_write_bio_X509(bio,sk_X509_value(sk,i)); 1986 } 1987 } 1988 1989 BIO_printf(bio,"---\n"); 1990 peer=SSL_get_peer_certificate(s); 1991 if (peer != NULL) 1992 { 1993 BIO_printf(bio,"Server certificate\n"); 1994 if (!(c_showcerts && got_a_chain)) /* Redundant if we showed the whole chain */ 1995 PEM_write_bio_X509(bio,peer); 1996 X509_NAME_oneline(X509_get_subject_name(peer), 1997 buf,sizeof buf); 1998 BIO_printf(bio,"subject=%s\n",buf); 1999 X509_NAME_oneline(X509_get_issuer_name(peer), 2000 buf,sizeof buf); 2001 BIO_printf(bio,"issuer=%s\n",buf); 2002 } 2003 else 2004 BIO_printf(bio,"no peer certificate available\n"); 2005 2006 sk2=SSL_get_client_CA_list(s); 2007 if ((sk2 != NULL) && (sk_X509_NAME_num(sk2) > 0)) 2008 { 2009 BIO_printf(bio,"---\nAcceptable client certificate CA names\n"); 2010 for (i=0; i<sk_X509_NAME_num(sk2); i++) 2011 { 2012 xn=sk_X509_NAME_value(sk2,i); 2013 X509_NAME_oneline(xn,buf,sizeof(buf)); 2014 BIO_write(bio,buf,strlen(buf)); 2015 BIO_write(bio,"\n",1); 2016 } 2017 } 2018 else 2019 { 2020 BIO_printf(bio,"---\nNo client certificate CA names sent\n"); 2021 } 2022 p=SSL_get_shared_ciphers(s,buf,sizeof buf); 2023 if (p != NULL) 2024 { 2025 /* This works only for SSL 2. In later protocol 2026 * versions, the client does not know what other 2027 * ciphers (in addition to the one to be used 2028 * in the current connection) the server supports. */ 2029 2030 BIO_printf(bio,"---\nCiphers common between both SSL endpoints:\n"); 2031 j=i=0; 2032 while (*p) 2033 { 2034 if (*p == ':') 2035 { 2036 BIO_write(bio,space,15-j%25); 2037 i++; 2038 j=0; 2039 BIO_write(bio,((i%3)?" ":"\n"),1); 2040 } 2041 else 2042 { 2043 BIO_write(bio,p,1); 2044 j++; 2045 } 2046 p++; 2047 } 2048 BIO_write(bio,"\n",1); 2049 } 2050 2051 BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n", 2052 BIO_number_read(SSL_get_rbio(s)), 2053 BIO_number_written(SSL_get_wbio(s))); 2054 } 2055 BIO_printf(bio,(SSL_cache_hit(s)?"---\nReused, ":"---\nNew, ")); 2056 c=SSL_get_current_cipher(s); 2057 BIO_printf(bio,"%s, Cipher is %s\n", 2058 SSL_CIPHER_get_version(c), 2059 SSL_CIPHER_get_name(c)); 2060 if (peer != NULL) { 2061 EVP_PKEY *pktmp; 2062 pktmp = X509_get_pubkey(peer); 2063 BIO_printf(bio,"Server public key is %d bit\n", 2064 EVP_PKEY_bits(pktmp)); 2065 EVP_PKEY_free(pktmp); 2066 } 2067 BIO_printf(bio, "Secure Renegotiation IS%s supported\n", 2068 SSL_get_secure_renegotiation_support(s) ? "" : " NOT"); 2069#ifndef OPENSSL_NO_COMP 2070 comp=SSL_get_current_compression(s); 2071 expansion=SSL_get_current_expansion(s); 2072 BIO_printf(bio,"Compression: %s\n", 2073 comp ? SSL_COMP_get_name(comp) : "NONE"); 2074 BIO_printf(bio,"Expansion: %s\n", 2075 expansion ? SSL_COMP_get_name(expansion) : "NONE"); 2076#endif 2077 2078#ifdef SSL_DEBUG 2079 { 2080 /* Print out local port of connection: useful for debugging */ 2081 int sock; 2082 struct sockaddr_in ladd; 2083 socklen_t ladd_size = sizeof(ladd); 2084 sock = SSL_get_fd(s); 2085 getsockname(sock, (struct sockaddr *)&ladd, &ladd_size); 2086 BIO_printf(bio_c_out, "LOCAL PORT is %u\n", ntohs(ladd.sin_port)); 2087 } 2088#endif 2089 2090#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) 2091 if (next_proto.status != -1) { 2092 const unsigned char *proto; 2093 unsigned int proto_len; 2094 SSL_get0_next_proto_negotiated(s, &proto, &proto_len); 2095 BIO_printf(bio, "Next protocol: (%d) ", next_proto.status); 2096 BIO_write(bio, proto, proto_len); 2097 BIO_write(bio, "\n", 1); 2098 } 2099#endif 2100 2101#ifndef OPENSSL_NO_SRTP 2102 { 2103 SRTP_PROTECTION_PROFILE *srtp_profile=SSL_get_selected_srtp_profile(s); 2104 2105 if(srtp_profile) 2106 BIO_printf(bio,"SRTP Extension negotiated, profile=%s\n", 2107 srtp_profile->name); 2108 } 2109#endif 2110 2111 SSL_SESSION_print(bio,SSL_get_session(s)); 2112 if (keymatexportlabel != NULL) 2113 { 2114 BIO_printf(bio, "Keying material exporter:\n"); 2115 BIO_printf(bio, " Label: '%s'\n", keymatexportlabel); 2116 BIO_printf(bio, " Length: %i bytes\n", keymatexportlen); 2117 exportedkeymat = OPENSSL_malloc(keymatexportlen); 2118 if (exportedkeymat != NULL) 2119 { 2120 if (!SSL_export_keying_material(s, exportedkeymat, 2121 keymatexportlen, 2122 keymatexportlabel, 2123 strlen(keymatexportlabel), 2124 NULL, 0, 0)) 2125 { 2126 BIO_printf(bio, " Error\n"); 2127 } 2128 else 2129 { 2130 BIO_printf(bio, " Keying material: "); 2131 for (i=0; i<keymatexportlen; i++) 2132 BIO_printf(bio, "%02X", 2133 exportedkeymat[i]); 2134 BIO_printf(bio, "\n"); 2135 } 2136 OPENSSL_free(exportedkeymat); 2137 } 2138 } 2139 BIO_printf(bio,"---\n"); 2140 if (peer != NULL) 2141 X509_free(peer); 2142 /* flush, or debugging output gets mixed with http response */ 2143 (void)BIO_flush(bio); 2144 } 2145 2146#ifndef OPENSSL_NO_TLSEXT 2147 2148static int ocsp_resp_cb(SSL *s, void *arg) 2149 { 2150 const unsigned char *p; 2151 int len; 2152 OCSP_RESPONSE *rsp; 2153 len = SSL_get_tlsext_status_ocsp_resp(s, &p); 2154 BIO_puts(arg, "OCSP response: "); 2155 if (!p) 2156 { 2157 BIO_puts(arg, "no response sent\n"); 2158 return 1; 2159 } 2160 rsp = d2i_OCSP_RESPONSE(NULL, &p, len); 2161 if (!rsp) 2162 { 2163 BIO_puts(arg, "response parse error\n"); 2164 BIO_dump_indent(arg, (char *)p, len, 4); 2165 return 0; 2166 } 2167 BIO_puts(arg, "\n======================================\n"); 2168 OCSP_RESPONSE_print(arg, rsp, 0); 2169 BIO_puts(arg, "======================================\n"); 2170 OCSP_RESPONSE_free(rsp); 2171 return 1; 2172 } 2173 2174#endif 2175