1/* apps/s_client.c */ 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58/* ==================================================================== 59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111/* ==================================================================== 112 * Copyright 2005 Nokia. All rights reserved. 113 * 114 * The portions of the attached software ("Contribution") is developed by 115 * Nokia Corporation and is licensed pursuant to the OpenSSL open source 116 * license. 117 * 118 * The Contribution, originally written by Mika Kousa and Pasi Eronen of 119 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 120 * support (see RFC 4279) to OpenSSL. 121 * 122 * No patent licenses or other rights except those expressly stated in 123 * the OpenSSL open source license shall be deemed granted or received 124 * expressly, by implication, estoppel, or otherwise. 125 * 126 * No assurances are provided by Nokia that the Contribution does not 127 * infringe the patent or other intellectual property rights of any third 128 * party or that the license provides you with all the necessary rights 129 * to make use of the Contribution. 130 * 131 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 132 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 133 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 134 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 135 * OTHERWISE. 136 */ 137 138#include <assert.h> 139#include <ctype.h> 140#include <stdio.h> 141#include <stdlib.h> 142#include <string.h> 143#include <openssl/e_os2.h> 144#ifdef OPENSSL_NO_STDIO 145#define APPS_WIN16 146#endif 147 148/* With IPv6, it looks like Digital has mixed up the proper order of 149 recursive header file inclusion, resulting in the compiler complaining 150 that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which 151 is needed to have fileno() declared correctly... So let's define u_int */ 152#if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT) 153#define __U_INT 154typedef unsigned int u_int; 155#endif 156 157#define USE_SOCKETS 158#include "apps.h" 159#include <openssl/x509.h> 160#include <openssl/ssl.h> 161#include <openssl/err.h> 162#include <openssl/pem.h> 163#include <openssl/rand.h> 164#include <openssl/ocsp.h> 165#include <openssl/bn.h> 166#ifndef OPENSSL_NO_SRP 167#include <openssl/srp.h> 168#endif 169#include "s_apps.h" 170#include "timeouts.h" 171 172#if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000) 173/* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */ 174#undef FIONBIO 175#endif 176 177#if defined(OPENSSL_SYS_BEOS_R5) 178#include <fcntl.h> 179#endif 180 181#undef PROG 182#define PROG s_client_main 183 184/*#define SSL_HOST_NAME "www.netscape.com" */ 185/*#define SSL_HOST_NAME "193.118.187.102" */ 186#define SSL_HOST_NAME "localhost" 187 188/*#define TEST_CERT "client.pem" */ /* no default cert. */ 189 190#undef BUFSIZZ 191#define BUFSIZZ 1024*8 192 193extern int verify_depth; 194extern int verify_error; 195extern int verify_return_error; 196 197#ifdef FIONBIO 198static int c_nbio=0; 199#endif 200static int c_Pause=0; 201static int c_debug=0; 202#ifndef OPENSSL_NO_TLSEXT 203static int c_tlsextdebug=0; 204static int c_status_req=0; 205#endif 206static int c_msg=0; 207static int c_showcerts=0; 208 209static char *keymatexportlabel=NULL; 210static int keymatexportlen=20; 211 212static void sc_usage(void); 213static void print_stuff(BIO *berr,SSL *con,int full); 214#ifndef OPENSSL_NO_TLSEXT 215static int ocsp_resp_cb(SSL *s, void *arg); 216#endif 217static BIO *bio_c_out=NULL; 218static int c_quiet=0; 219static int c_ign_eof=0; 220 221#ifndef OPENSSL_NO_PSK 222/* Default PSK identity and key */ 223static char *psk_identity="Client_identity"; 224/*char *psk_key=NULL; by default PSK is not used */ 225 226static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity, 227 unsigned int max_identity_len, unsigned char *psk, 228 unsigned int max_psk_len) 229 { 230 unsigned int psk_len = 0; 231 int ret; 232 BIGNUM *bn=NULL; 233 234 if (c_debug) 235 BIO_printf(bio_c_out, "psk_client_cb\n"); 236 if (!hint) 237 { 238 /* no ServerKeyExchange message*/ 239 if (c_debug) 240 BIO_printf(bio_c_out,"NULL received PSK identity hint, continuing anyway\n"); 241 } 242 else if (c_debug) 243 BIO_printf(bio_c_out, "Received PSK identity hint '%s'\n", hint); 244 245 /* lookup PSK identity and PSK key based on the given identity hint here */ 246 ret = BIO_snprintf(identity, max_identity_len, "%s", psk_identity); 247 if (ret < 0 || (unsigned int)ret > max_identity_len) 248 goto out_err; 249 if (c_debug) 250 BIO_printf(bio_c_out, "created identity '%s' len=%d\n", identity, ret); 251 ret=BN_hex2bn(&bn, psk_key); 252 if (!ret) 253 { 254 BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", psk_key); 255 if (bn) 256 BN_free(bn); 257 return 0; 258 } 259 260 if ((unsigned int)BN_num_bytes(bn) > max_psk_len) 261 { 262 BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n", 263 max_psk_len, BN_num_bytes(bn)); 264 BN_free(bn); 265 return 0; 266 } 267 268 psk_len=BN_bn2bin(bn, psk); 269 BN_free(bn); 270 if (psk_len == 0) 271 goto out_err; 272 273 if (c_debug) 274 BIO_printf(bio_c_out, "created PSK len=%d\n", psk_len); 275 276 return psk_len; 277 out_err: 278 if (c_debug) 279 BIO_printf(bio_err, "Error in PSK client callback\n"); 280 return 0; 281 } 282#endif 283 284static void sc_usage(void) 285 { 286 BIO_printf(bio_err,"usage: s_client args\n"); 287 BIO_printf(bio_err,"\n"); 288 BIO_printf(bio_err," -host host - use -connect instead\n"); 289 BIO_printf(bio_err," -port port - use -connect instead\n"); 290 BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR); 291 292 BIO_printf(bio_err," -verify arg - turn on peer certificate verification\n"); 293 BIO_printf(bio_err," -cert arg - certificate file to use, PEM format assumed\n"); 294 BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n"); 295 BIO_printf(bio_err," -key arg - Private key file to use, in cert file if\n"); 296 BIO_printf(bio_err," not specified but cert file is.\n"); 297 BIO_printf(bio_err," -keyform arg - key format (PEM or DER) PEM default\n"); 298 BIO_printf(bio_err," -pass arg - private key file pass phrase source\n"); 299 BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n"); 300 BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n"); 301 BIO_printf(bio_err," -reconnect - Drop and re-make the connection with the same Session-ID\n"); 302 BIO_printf(bio_err," -pause - sleep(1) after each read(2) and write(2) system call\n"); 303 BIO_printf(bio_err," -showcerts - show all certificates in the chain\n"); 304 BIO_printf(bio_err," -debug - extra output\n"); 305#ifdef WATT32 306 BIO_printf(bio_err," -wdebug - WATT-32 tcp debugging\n"); 307#endif 308 BIO_printf(bio_err," -msg - Show protocol messages\n"); 309 BIO_printf(bio_err," -nbio_test - more ssl protocol testing\n"); 310 BIO_printf(bio_err," -state - print the 'ssl' states\n"); 311#ifdef FIONBIO 312 BIO_printf(bio_err," -nbio - Run with non-blocking IO\n"); 313#endif 314 BIO_printf(bio_err," -crlf - convert LF from terminal into CRLF\n"); 315 BIO_printf(bio_err," -quiet - no s_client output\n"); 316 BIO_printf(bio_err," -ign_eof - ignore input eof (default when -quiet)\n"); 317 BIO_printf(bio_err," -no_ign_eof - don't ignore input eof\n"); 318#ifndef OPENSSL_NO_PSK 319 BIO_printf(bio_err," -psk_identity arg - PSK identity\n"); 320 BIO_printf(bio_err," -psk arg - PSK in hex (without 0x)\n"); 321# ifndef OPENSSL_NO_JPAKE 322 BIO_printf(bio_err," -jpake arg - JPAKE secret to use\n"); 323# endif 324#endif 325#ifndef OPENSSL_NO_SRP 326 BIO_printf(bio_err," -srpuser user - SRP authentification for 'user'\n"); 327 BIO_printf(bio_err," -srppass arg - password for 'user'\n"); 328 BIO_printf(bio_err," -srp_lateuser - SRP username into second ClientHello message\n"); 329 BIO_printf(bio_err," -srp_moregroups - Tolerate other than the known g N values.\n"); 330 BIO_printf(bio_err," -srp_strength int - minimal mength in bits for N (default %d).\n",SRP_MINIMAL_N); 331#endif 332 BIO_printf(bio_err," -ssl2 - just use SSLv2\n"); 333 BIO_printf(bio_err," -ssl3 - just use SSLv3\n"); 334 BIO_printf(bio_err," -tls1_2 - just use TLSv1.2\n"); 335 BIO_printf(bio_err," -tls1_1 - just use TLSv1.1\n"); 336 BIO_printf(bio_err," -tls1 - just use TLSv1\n"); 337 BIO_printf(bio_err," -dtls1 - just use DTLSv1\n"); 338 BIO_printf(bio_err," -fallback_scsv - send TLS_FALLBACK_SCSV\n"); 339 BIO_printf(bio_err," -mtu - set the link layer MTU\n"); 340 BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n"); 341 BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n"); 342 BIO_printf(bio_err," -serverpref - Use server's cipher preferences (only SSLv2)\n"); 343 BIO_printf(bio_err," -cipher - preferred cipher to use, use the 'openssl ciphers'\n"); 344 BIO_printf(bio_err," command to see what is available\n"); 345 BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n"); 346 BIO_printf(bio_err," for those protocols that support it, where\n"); 347 BIO_printf(bio_err," 'prot' defines which one to assume. Currently,\n"); 348 BIO_printf(bio_err," only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n"); 349 BIO_printf(bio_err," are supported.\n"); 350#ifndef OPENSSL_NO_ENGINE 351 BIO_printf(bio_err," -engine id - Initialise and use the specified engine\n"); 352#endif 353 BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); 354 BIO_printf(bio_err," -sess_out arg - file to write SSL session to\n"); 355 BIO_printf(bio_err," -sess_in arg - file to read SSL session from\n"); 356#ifndef OPENSSL_NO_TLSEXT 357 BIO_printf(bio_err," -servername host - Set TLS extension servername in ClientHello\n"); 358 BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n"); 359 BIO_printf(bio_err," -status - request certificate status from server\n"); 360 BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n"); 361# ifndef OPENSSL_NO_NEXTPROTONEG 362 BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n"); 363 BIO_printf(bio_err," -alpn arg - enable ALPN extension, considering named protocols supported (comma-separated list)\n"); 364# endif 365#endif 366 BIO_printf(bio_err," -cutthrough - enable 1-RTT full-handshake for strong ciphers\n"); 367 BIO_printf(bio_err," -no_record_splitting - disable 1/n-1 record splitting in CBC mode\n"); 368 BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n"); 369#ifndef OPENSSL_NO_SRTP 370 BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n"); 371#endif 372 BIO_printf(bio_err," -keymatexport label - Export keying material using label\n"); 373 BIO_printf(bio_err," -keymatexportlen len - Export len bytes of keying material (default 20)\n"); 374 } 375 376#ifndef OPENSSL_NO_TLSEXT 377 378/* This is a context that we pass to callbacks */ 379typedef struct tlsextctx_st { 380 BIO * biodebug; 381 int ack; 382} tlsextctx; 383 384 385static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg) 386 { 387 tlsextctx * p = (tlsextctx *) arg; 388 const char * hn= SSL_get_servername(s, TLSEXT_NAMETYPE_host_name); 389 if (SSL_get_servername_type(s) != -1) 390 p->ack = !SSL_session_reused(s) && hn != NULL; 391 else 392 BIO_printf(bio_err,"Can't use SSL_get_servername\n"); 393 394 return SSL_TLSEXT_ERR_OK; 395 } 396 397#ifndef OPENSSL_NO_SRP 398 399/* This is a context that we pass to all callbacks */ 400typedef struct srp_arg_st 401 { 402 char *srppassin; 403 char *srplogin; 404 int msg; /* copy from c_msg */ 405 int debug; /* copy from c_debug */ 406 int amp; /* allow more groups */ 407 int strength /* minimal size for N */ ; 408 } SRP_ARG; 409 410#define SRP_NUMBER_ITERATIONS_FOR_PRIME 64 411 412static int srp_Verify_N_and_g(BIGNUM *N, BIGNUM *g) 413 { 414 BN_CTX *bn_ctx = BN_CTX_new(); 415 BIGNUM *p = BN_new(); 416 BIGNUM *r = BN_new(); 417 int ret = 418 g != NULL && N != NULL && bn_ctx != NULL && BN_is_odd(N) && 419 BN_is_prime_ex(N, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) && 420 p != NULL && BN_rshift1(p, N) && 421 422 /* p = (N-1)/2 */ 423 BN_is_prime_ex(p, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) && 424 r != NULL && 425 426 /* verify g^((N-1)/2) == -1 (mod N) */ 427 BN_mod_exp(r, g, p, N, bn_ctx) && 428 BN_add_word(r, 1) && 429 BN_cmp(r, N) == 0; 430 431 if(r) 432 BN_free(r); 433 if(p) 434 BN_free(p); 435 if(bn_ctx) 436 BN_CTX_free(bn_ctx); 437 return ret; 438 } 439 440/* This callback is used here for two purposes: 441 - extended debugging 442 - making some primality tests for unknown groups 443 The callback is only called for a non default group. 444 445 An application does not need the call back at all if 446 only the stanard groups are used. In real life situations, 447 client and server already share well known groups, 448 thus there is no need to verify them. 449 Furthermore, in case that a server actually proposes a group that 450 is not one of those defined in RFC 5054, it is more appropriate 451 to add the group to a static list and then compare since 452 primality tests are rather cpu consuming. 453*/ 454 455static int MS_CALLBACK ssl_srp_verify_param_cb(SSL *s, void *arg) 456 { 457 SRP_ARG *srp_arg = (SRP_ARG *)arg; 458 BIGNUM *N = NULL, *g = NULL; 459 if (!(N = SSL_get_srp_N(s)) || !(g = SSL_get_srp_g(s))) 460 return 0; 461 if (srp_arg->debug || srp_arg->msg || srp_arg->amp == 1) 462 { 463 BIO_printf(bio_err, "SRP parameters:\n"); 464 BIO_printf(bio_err,"\tN="); BN_print(bio_err,N); 465 BIO_printf(bio_err,"\n\tg="); BN_print(bio_err,g); 466 BIO_printf(bio_err,"\n"); 467 } 468 469 if (SRP_check_known_gN_param(g,N)) 470 return 1; 471 472 if (srp_arg->amp == 1) 473 { 474 if (srp_arg->debug) 475 BIO_printf(bio_err, "SRP param N and g are not known params, going to check deeper.\n"); 476 477/* The srp_moregroups is a real debugging feature. 478 Implementors should rather add the value to the known ones. 479 The minimal size has already been tested. 480*/ 481 if (BN_num_bits(g) <= BN_BITS && srp_Verify_N_and_g(N,g)) 482 return 1; 483 } 484 BIO_printf(bio_err, "SRP param N and g rejected.\n"); 485 return 0; 486 } 487 488#define PWD_STRLEN 1024 489 490static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg) 491 { 492 SRP_ARG *srp_arg = (SRP_ARG *)arg; 493 char *pass = (char *)OPENSSL_malloc(PWD_STRLEN+1); 494 PW_CB_DATA cb_tmp; 495 int l; 496 497 cb_tmp.password = (char *)srp_arg->srppassin; 498 cb_tmp.prompt_info = "SRP user"; 499 if ((l = password_callback(pass, PWD_STRLEN, 0, &cb_tmp))<0) 500 { 501 BIO_printf (bio_err, "Can't read Password\n"); 502 OPENSSL_free(pass); 503 return NULL; 504 } 505 *(pass+l)= '\0'; 506 507 return pass; 508 } 509 510#endif 511#ifndef OPENSSL_NO_SRTP 512 char *srtp_profiles = NULL; 513#endif 514 515# ifndef OPENSSL_NO_NEXTPROTONEG 516/* This the context that we pass to next_proto_cb */ 517typedef struct tlsextnextprotoctx_st { 518 unsigned char *data; 519 unsigned short len; 520 int status; 521} tlsextnextprotoctx; 522 523static tlsextnextprotoctx next_proto; 524 525static int next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg) 526 { 527 tlsextnextprotoctx *ctx = arg; 528 529 if (!c_quiet) 530 { 531 /* We can assume that |in| is syntactically valid. */ 532 unsigned i; 533 BIO_printf(bio_c_out, "Protocols advertised by server: "); 534 for (i = 0; i < inlen; ) 535 { 536 if (i) 537 BIO_write(bio_c_out, ", ", 2); 538 BIO_write(bio_c_out, &in[i + 1], in[i]); 539 i += in[i] + 1; 540 } 541 BIO_write(bio_c_out, "\n", 1); 542 } 543 544 ctx->status = SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len); 545 return SSL_TLSEXT_ERR_OK; 546 } 547# endif /* ndef OPENSSL_NO_NEXTPROTONEG */ 548#endif 549 550enum 551{ 552 PROTO_OFF = 0, 553 PROTO_SMTP, 554 PROTO_POP3, 555 PROTO_IMAP, 556 PROTO_FTP, 557 PROTO_XMPP 558}; 559 560int MAIN(int, char **); 561 562int MAIN(int argc, char **argv) 563 { 564 unsigned int off=0, clr=0; 565 SSL *con=NULL; 566#ifndef OPENSSL_NO_KRB5 567 KSSL_CTX *kctx; 568#endif 569 int s,k,width,state=0; 570 char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL; 571 int cbuf_len,cbuf_off; 572 int sbuf_len,sbuf_off; 573 fd_set readfds,writefds; 574 short port=PORT; 575 int full_log=1; 576 char *host=SSL_HOST_NAME; 577 char *cert_file=NULL,*key_file=NULL; 578 int cert_format = FORMAT_PEM, key_format = FORMAT_PEM; 579 char *passarg = NULL, *pass = NULL; 580 X509 *cert = NULL; 581 EVP_PKEY *key = NULL; 582 char *CApath=NULL,*CAfile=NULL,*cipher=NULL; 583 int reconnect=0,badop=0,verify=SSL_VERIFY_NONE,bugs=0; 584 int cutthrough=0, no_record_splitting=0; 585 int crlf=0; 586 int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending; 587 SSL_CTX *ctx=NULL; 588 int ret=1,in_init=1,i,nbio_test=0; 589 int starttls_proto = PROTO_OFF; 590 int prexit = 0; 591 X509_VERIFY_PARAM *vpm = NULL; 592 int badarg = 0; 593 const SSL_METHOD *meth=NULL; 594 int socket_type=SOCK_STREAM; 595 BIO *sbio; 596 char *inrand=NULL; 597 int mbuf_len=0; 598 struct timeval timeout, *timeoutp; 599 int ssl_mode; 600#ifndef OPENSSL_NO_ENGINE 601 char *engine_id=NULL; 602 char *ssl_client_engine_id=NULL; 603 ENGINE *ssl_client_engine=NULL; 604#endif 605 ENGINE *e=NULL; 606#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5) 607 struct timeval tv; 608#if defined(OPENSSL_SYS_BEOS_R5) 609 int stdin_set = 0; 610#endif 611#endif 612#ifndef OPENSSL_NO_TLSEXT 613 char *servername = NULL; 614 tlsextctx tlsextcbp = 615 {NULL,0}; 616# ifndef OPENSSL_NO_NEXTPROTONEG 617 const char *next_proto_neg_in = NULL; 618 const char *alpn_in = NULL; 619# endif 620#endif 621 char *sess_in = NULL; 622 char *sess_out = NULL; 623 struct sockaddr peer; 624 int peerlen = sizeof(peer); 625 int fallback_scsv = 0; 626 int enable_timeouts = 0 ; 627 long socket_mtu = 0; 628#ifndef OPENSSL_NO_JPAKE 629 char *jpake_secret = NULL; 630#endif 631#ifndef OPENSSL_NO_SRP 632 char * srppass = NULL; 633 int srp_lateuser = 0; 634 SRP_ARG srp_arg = {NULL,NULL,0,0,0,1024}; 635#endif 636 637 meth=SSLv23_client_method(); 638 639 apps_startup(); 640 c_Pause=0; 641 c_quiet=0; 642 c_ign_eof=0; 643 c_debug=0; 644 c_msg=0; 645 c_showcerts=0; 646 647 if (bio_err == NULL) 648 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE); 649 650 if (!load_config(bio_err, NULL)) 651 goto end; 652 653 if ( ((cbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) || 654 ((sbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) || 655 ((mbuf=OPENSSL_malloc(BUFSIZZ)) == NULL)) 656 { 657 BIO_printf(bio_err,"out of memory\n"); 658 goto end; 659 } 660 661 verify_depth=0; 662 verify_error=X509_V_OK; 663#ifdef FIONBIO 664 c_nbio=0; 665#endif 666 667 argc--; 668 argv++; 669 while (argc >= 1) 670 { 671 if (strcmp(*argv,"-host") == 0) 672 { 673 if (--argc < 1) goto bad; 674 host= *(++argv); 675 } 676 else if (strcmp(*argv,"-port") == 0) 677 { 678 if (--argc < 1) goto bad; 679 port=atoi(*(++argv)); 680 if (port == 0) goto bad; 681 } 682 else if (strcmp(*argv,"-connect") == 0) 683 { 684 if (--argc < 1) goto bad; 685 if (!extract_host_port(*(++argv),&host,NULL,&port)) 686 goto bad; 687 } 688 else if (strcmp(*argv,"-verify") == 0) 689 { 690 verify=SSL_VERIFY_PEER; 691 if (--argc < 1) goto bad; 692 verify_depth=atoi(*(++argv)); 693 BIO_printf(bio_err,"verify depth is %d\n",verify_depth); 694 } 695 else if (strcmp(*argv,"-cert") == 0) 696 { 697 if (--argc < 1) goto bad; 698 cert_file= *(++argv); 699 } 700 else if (strcmp(*argv,"-sess_out") == 0) 701 { 702 if (--argc < 1) goto bad; 703 sess_out = *(++argv); 704 } 705 else if (strcmp(*argv,"-sess_in") == 0) 706 { 707 if (--argc < 1) goto bad; 708 sess_in = *(++argv); 709 } 710 else if (strcmp(*argv,"-certform") == 0) 711 { 712 if (--argc < 1) goto bad; 713 cert_format = str2fmt(*(++argv)); 714 } 715 else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm)) 716 { 717 if (badarg) 718 goto bad; 719 continue; 720 } 721 else if (strcmp(*argv,"-verify_return_error") == 0) 722 verify_return_error = 1; 723 else if (strcmp(*argv,"-prexit") == 0) 724 prexit=1; 725 else if (strcmp(*argv,"-crlf") == 0) 726 crlf=1; 727 else if (strcmp(*argv,"-quiet") == 0) 728 { 729 c_quiet=1; 730 c_ign_eof=1; 731 } 732 else if (strcmp(*argv,"-ign_eof") == 0) 733 c_ign_eof=1; 734 else if (strcmp(*argv,"-no_ign_eof") == 0) 735 c_ign_eof=0; 736 else if (strcmp(*argv,"-pause") == 0) 737 c_Pause=1; 738 else if (strcmp(*argv,"-debug") == 0) 739 c_debug=1; 740#ifndef OPENSSL_NO_TLSEXT 741 else if (strcmp(*argv,"-tlsextdebug") == 0) 742 c_tlsextdebug=1; 743 else if (strcmp(*argv,"-status") == 0) 744 c_status_req=1; 745#endif 746#ifdef WATT32 747 else if (strcmp(*argv,"-wdebug") == 0) 748 dbug_init(); 749#endif 750 else if (strcmp(*argv,"-msg") == 0) 751 c_msg=1; 752 else if (strcmp(*argv,"-showcerts") == 0) 753 c_showcerts=1; 754 else if (strcmp(*argv,"-nbio_test") == 0) 755 nbio_test=1; 756 else if (strcmp(*argv,"-state") == 0) 757 state=1; 758#ifndef OPENSSL_NO_PSK 759 else if (strcmp(*argv,"-psk_identity") == 0) 760 { 761 if (--argc < 1) goto bad; 762 psk_identity=*(++argv); 763 } 764 else if (strcmp(*argv,"-psk") == 0) 765 { 766 size_t j; 767 768 if (--argc < 1) goto bad; 769 psk_key=*(++argv); 770 for (j = 0; j < strlen(psk_key); j++) 771 { 772 if (isxdigit((unsigned char)psk_key[j])) 773 continue; 774 BIO_printf(bio_err,"Not a hex number '%s'\n",*argv); 775 goto bad; 776 } 777 } 778#endif 779#ifndef OPENSSL_NO_SRP 780 else if (strcmp(*argv,"-srpuser") == 0) 781 { 782 if (--argc < 1) goto bad; 783 srp_arg.srplogin= *(++argv); 784 meth=TLSv1_client_method(); 785 } 786 else if (strcmp(*argv,"-srppass") == 0) 787 { 788 if (--argc < 1) goto bad; 789 srppass= *(++argv); 790 meth=TLSv1_client_method(); 791 } 792 else if (strcmp(*argv,"-srp_strength") == 0) 793 { 794 if (--argc < 1) goto bad; 795 srp_arg.strength=atoi(*(++argv)); 796 BIO_printf(bio_err,"SRP minimal length for N is %d\n",srp_arg.strength); 797 meth=TLSv1_client_method(); 798 } 799 else if (strcmp(*argv,"-srp_lateuser") == 0) 800 { 801 srp_lateuser= 1; 802 meth=TLSv1_client_method(); 803 } 804 else if (strcmp(*argv,"-srp_moregroups") == 0) 805 { 806 srp_arg.amp=1; 807 meth=TLSv1_client_method(); 808 } 809#endif 810#ifndef OPENSSL_NO_SSL2 811 else if (strcmp(*argv,"-ssl2") == 0) 812 meth=SSLv2_client_method(); 813#endif 814#ifndef OPENSSL_NO_SSL3 815 else if (strcmp(*argv,"-ssl3") == 0) 816 meth=SSLv3_client_method(); 817#endif 818#ifndef OPENSSL_NO_TLS1 819 else if (strcmp(*argv,"-tls1_2") == 0) 820 meth=TLSv1_2_client_method(); 821 else if (strcmp(*argv,"-tls1_1") == 0) 822 meth=TLSv1_1_client_method(); 823 else if (strcmp(*argv,"-tls1") == 0) 824 meth=TLSv1_client_method(); 825#endif 826#ifndef OPENSSL_NO_DTLS1 827 else if (strcmp(*argv,"-dtls1") == 0) 828 { 829 meth=DTLSv1_client_method(); 830 socket_type=SOCK_DGRAM; 831 } 832 else if (strcmp(*argv,"-fallback_scsv") == 0) 833 { 834 fallback_scsv = 1; 835 } 836 else if (strcmp(*argv,"-timeout") == 0) 837 enable_timeouts=1; 838 else if (strcmp(*argv,"-mtu") == 0) 839 { 840 if (--argc < 1) goto bad; 841 socket_mtu = atol(*(++argv)); 842 } 843#endif 844 else if (strcmp(*argv,"-bugs") == 0) 845 bugs=1; 846 else if (strcmp(*argv,"-keyform") == 0) 847 { 848 if (--argc < 1) goto bad; 849 key_format = str2fmt(*(++argv)); 850 } 851 else if (strcmp(*argv,"-pass") == 0) 852 { 853 if (--argc < 1) goto bad; 854 passarg = *(++argv); 855 } 856 else if (strcmp(*argv,"-key") == 0) 857 { 858 if (--argc < 1) goto bad; 859 key_file= *(++argv); 860 } 861 else if (strcmp(*argv,"-reconnect") == 0) 862 { 863 reconnect=5; 864 } 865 else if (strcmp(*argv,"-CApath") == 0) 866 { 867 if (--argc < 1) goto bad; 868 CApath= *(++argv); 869 } 870 else if (strcmp(*argv,"-CAfile") == 0) 871 { 872 if (--argc < 1) goto bad; 873 CAfile= *(++argv); 874 } 875 else if (strcmp(*argv,"-no_tls1_2") == 0) 876 off|=SSL_OP_NO_TLSv1_2; 877 else if (strcmp(*argv,"-no_tls1_1") == 0) 878 off|=SSL_OP_NO_TLSv1_1; 879 else if (strcmp(*argv,"-no_tls1") == 0) 880 off|=SSL_OP_NO_TLSv1; 881 else if (strcmp(*argv,"-no_ssl3") == 0) 882 off|=SSL_OP_NO_SSLv3; 883 else if (strcmp(*argv,"-no_ssl2") == 0) 884 off|=SSL_OP_NO_SSLv2; 885 else if (strcmp(*argv,"-no_comp") == 0) 886 { off|=SSL_OP_NO_COMPRESSION; } 887#ifndef OPENSSL_NO_TLSEXT 888 else if (strcmp(*argv,"-no_ticket") == 0) 889 { off|=SSL_OP_NO_TICKET; } 890# ifndef OPENSSL_NO_NEXTPROTONEG 891 else if (strcmp(*argv,"-nextprotoneg") == 0) 892 { 893 if (--argc < 1) goto bad; 894 next_proto_neg_in = *(++argv); 895 } 896 else if (strcmp(*argv,"-alpn") == 0) 897 { 898 if (--argc < 1) goto bad; 899 alpn_in = *(++argv); 900 } 901# endif 902#endif 903 else if (strcmp(*argv,"-cutthrough") == 0) 904 cutthrough=1; 905 else if (strcmp(*argv,"-no_record_splitting") == 0) 906 no_record_splitting=1; 907 else if (strcmp(*argv,"-serverpref") == 0) 908 off|=SSL_OP_CIPHER_SERVER_PREFERENCE; 909 else if (strcmp(*argv,"-legacy_renegotiation") == 0) 910 off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; 911 else if (strcmp(*argv,"-legacy_server_connect") == 0) 912 { off|=SSL_OP_LEGACY_SERVER_CONNECT; } 913 else if (strcmp(*argv,"-no_legacy_server_connect") == 0) 914 { clr|=SSL_OP_LEGACY_SERVER_CONNECT; } 915 else if (strcmp(*argv,"-cipher") == 0) 916 { 917 if (--argc < 1) goto bad; 918 cipher= *(++argv); 919 } 920#ifdef FIONBIO 921 else if (strcmp(*argv,"-nbio") == 0) 922 { c_nbio=1; } 923#endif 924 else if (strcmp(*argv,"-starttls") == 0) 925 { 926 if (--argc < 1) goto bad; 927 ++argv; 928 if (strcmp(*argv,"smtp") == 0) 929 starttls_proto = PROTO_SMTP; 930 else if (strcmp(*argv,"pop3") == 0) 931 starttls_proto = PROTO_POP3; 932 else if (strcmp(*argv,"imap") == 0) 933 starttls_proto = PROTO_IMAP; 934 else if (strcmp(*argv,"ftp") == 0) 935 starttls_proto = PROTO_FTP; 936 else if (strcmp(*argv, "xmpp") == 0) 937 starttls_proto = PROTO_XMPP; 938 else 939 goto bad; 940 } 941#ifndef OPENSSL_NO_ENGINE 942 else if (strcmp(*argv,"-engine") == 0) 943 { 944 if (--argc < 1) goto bad; 945 engine_id = *(++argv); 946 } 947 else if (strcmp(*argv,"-ssl_client_engine") == 0) 948 { 949 if (--argc < 1) goto bad; 950 ssl_client_engine_id = *(++argv); 951 } 952#endif 953 else if (strcmp(*argv,"-rand") == 0) 954 { 955 if (--argc < 1) goto bad; 956 inrand= *(++argv); 957 } 958#ifndef OPENSSL_NO_TLSEXT 959 else if (strcmp(*argv,"-servername") == 0) 960 { 961 if (--argc < 1) goto bad; 962 servername= *(++argv); 963 /* meth=TLSv1_client_method(); */ 964 } 965#endif 966#ifndef OPENSSL_NO_JPAKE 967 else if (strcmp(*argv,"-jpake") == 0) 968 { 969 if (--argc < 1) goto bad; 970 jpake_secret = *++argv; 971 } 972#endif 973#ifndef OPENSSL_NO_SRTP 974 else if (strcmp(*argv,"-use_srtp") == 0) 975 { 976 if (--argc < 1) goto bad; 977 srtp_profiles = *(++argv); 978 } 979#endif 980 else if (strcmp(*argv,"-keymatexport") == 0) 981 { 982 if (--argc < 1) goto bad; 983 keymatexportlabel= *(++argv); 984 } 985 else if (strcmp(*argv,"-keymatexportlen") == 0) 986 { 987 if (--argc < 1) goto bad; 988 keymatexportlen=atoi(*(++argv)); 989 if (keymatexportlen == 0) goto bad; 990 } 991 else 992 { 993 BIO_printf(bio_err,"unknown option %s\n",*argv); 994 badop=1; 995 break; 996 } 997 argc--; 998 argv++; 999 } 1000 if (badop) 1001 { 1002bad: 1003 sc_usage(); 1004 goto end; 1005 } 1006 1007#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK) 1008 if (jpake_secret) 1009 { 1010 if (psk_key) 1011 { 1012 BIO_printf(bio_err, 1013 "Can't use JPAKE and PSK together\n"); 1014 goto end; 1015 } 1016 psk_identity = "JPAKE"; 1017 if (cipher) 1018 { 1019 BIO_printf(bio_err, "JPAKE sets cipher to PSK\n"); 1020 goto end; 1021 } 1022 cipher = "PSK"; 1023 } 1024#endif 1025 1026 OpenSSL_add_ssl_algorithms(); 1027 SSL_load_error_strings(); 1028 1029#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) 1030 next_proto.status = -1; 1031 if (next_proto_neg_in) 1032 { 1033 next_proto.data = next_protos_parse(&next_proto.len, next_proto_neg_in); 1034 if (next_proto.data == NULL) 1035 { 1036 BIO_printf(bio_err, "Error parsing -nextprotoneg argument\n"); 1037 goto end; 1038 } 1039 } 1040 else 1041 next_proto.data = NULL; 1042#endif 1043 1044#ifndef OPENSSL_NO_ENGINE 1045 e = setup_engine(bio_err, engine_id, 1); 1046 if (ssl_client_engine_id) 1047 { 1048 ssl_client_engine = ENGINE_by_id(ssl_client_engine_id); 1049 if (!ssl_client_engine) 1050 { 1051 BIO_printf(bio_err, 1052 "Error getting client auth engine\n"); 1053 goto end; 1054 } 1055 } 1056 1057#endif 1058 if (!app_passwd(bio_err, passarg, NULL, &pass, NULL)) 1059 { 1060 BIO_printf(bio_err, "Error getting password\n"); 1061 goto end; 1062 } 1063 1064 if (key_file == NULL) 1065 key_file = cert_file; 1066 1067 1068 if (key_file) 1069 1070 { 1071 1072 key = load_key(bio_err, key_file, key_format, 0, pass, e, 1073 "client certificate private key file"); 1074 if (!key) 1075 { 1076 ERR_print_errors(bio_err); 1077 goto end; 1078 } 1079 1080 } 1081 1082 if (cert_file) 1083 1084 { 1085 cert = load_cert(bio_err,cert_file,cert_format, 1086 NULL, e, "client certificate file"); 1087 1088 if (!cert) 1089 { 1090 ERR_print_errors(bio_err); 1091 goto end; 1092 } 1093 } 1094 1095 if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL 1096 && !RAND_status()) 1097 { 1098 BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n"); 1099 } 1100 if (inrand != NULL) 1101 BIO_printf(bio_err,"%ld semi-random bytes loaded\n", 1102 app_RAND_load_files(inrand)); 1103 1104 if (bio_c_out == NULL) 1105 { 1106 if (c_quiet && !c_debug && !c_msg) 1107 { 1108 bio_c_out=BIO_new(BIO_s_null()); 1109 } 1110 else 1111 { 1112 if (bio_c_out == NULL) 1113 bio_c_out=BIO_new_fp(stdout,BIO_NOCLOSE); 1114 } 1115 } 1116 1117#ifndef OPENSSL_NO_SRP 1118 if(!app_passwd(bio_err, srppass, NULL, &srp_arg.srppassin, NULL)) 1119 { 1120 BIO_printf(bio_err, "Error getting password\n"); 1121 goto end; 1122 } 1123#endif 1124 1125 ctx=SSL_CTX_new(meth); 1126 if (ctx == NULL) 1127 { 1128 ERR_print_errors(bio_err); 1129 goto end; 1130 } 1131 1132 if (vpm) 1133 SSL_CTX_set1_param(ctx, vpm); 1134 1135#ifndef OPENSSL_NO_ENGINE 1136 if (ssl_client_engine) 1137 { 1138 if (!SSL_CTX_set_client_cert_engine(ctx, ssl_client_engine)) 1139 { 1140 BIO_puts(bio_err, "Error setting client auth engine\n"); 1141 ERR_print_errors(bio_err); 1142 ENGINE_free(ssl_client_engine); 1143 goto end; 1144 } 1145 ENGINE_free(ssl_client_engine); 1146 } 1147#endif 1148 1149#ifndef OPENSSL_NO_PSK 1150#ifdef OPENSSL_NO_JPAKE 1151 if (psk_key != NULL) 1152#else 1153 if (psk_key != NULL || jpake_secret) 1154#endif 1155 { 1156 if (c_debug) 1157 BIO_printf(bio_c_out, "PSK key given or JPAKE in use, setting client callback\n"); 1158 SSL_CTX_set_psk_client_callback(ctx, psk_client_cb); 1159 } 1160#endif 1161#ifndef OPENSSL_NO_SRTP 1162 if (srtp_profiles != NULL) 1163 SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles); 1164#endif 1165 if (bugs) 1166 SSL_CTX_set_options(ctx,SSL_OP_ALL|off); 1167 else 1168 SSL_CTX_set_options(ctx,off); 1169 1170 if (clr) 1171 SSL_CTX_clear_options(ctx, clr); 1172 /* DTLS: partial reads end up discarding unread UDP bytes :-( 1173 * Setting read ahead solves this problem. 1174 */ 1175 if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1); 1176 1177#if !defined(OPENSSL_NO_TLSEXT) 1178# if !defined(OPENSSL_NO_NEXTPROTONEG) 1179 if (next_proto.data) 1180 SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto); 1181# endif 1182 if (alpn_in) 1183 { 1184 unsigned short alpn_len; 1185 unsigned char *alpn = next_protos_parse(&alpn_len, alpn_in); 1186 1187 if (alpn == NULL) 1188 { 1189 BIO_printf(bio_err, "Error parsing -alpn argument\n"); 1190 goto end; 1191 } 1192 SSL_CTX_set_alpn_protos(ctx, alpn, alpn_len); 1193 } 1194#endif 1195 1196 ssl_mode = SSL_CTX_get_mode(ctx); 1197 if (!no_record_splitting) 1198 ssl_mode |= SSL_MODE_CBC_RECORD_SPLITTING; 1199 if (cutthrough) 1200 { 1201 /* Enable handshake cutthrough for client connections using 1202 * strong ciphers. */ 1203 ssl_mode |= SSL_MODE_HANDSHAKE_CUTTHROUGH; 1204 } 1205 SSL_CTX_set_mode(ctx, ssl_mode); 1206 1207 if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback); 1208 if (cipher != NULL) 1209 if(!SSL_CTX_set_cipher_list(ctx,cipher)) { 1210 BIO_printf(bio_err,"error setting cipher list\n"); 1211 ERR_print_errors(bio_err); 1212 goto end; 1213 } 1214#if 0 1215 else 1216 SSL_CTX_set_cipher_list(ctx,getenv("SSL_CIPHER")); 1217#endif 1218 1219 SSL_CTX_set_verify(ctx,verify,verify_callback); 1220 if (!set_cert_key_stuff(ctx,cert,key)) 1221 goto end; 1222 1223 if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) || 1224 (!SSL_CTX_set_default_verify_paths(ctx))) 1225 { 1226 /* BIO_printf(bio_err,"error setting default verify locations\n"); */ 1227 ERR_print_errors(bio_err); 1228 /* goto end; */ 1229 } 1230 1231#ifndef OPENSSL_NO_TLSEXT 1232 if (servername != NULL) 1233 { 1234 tlsextcbp.biodebug = bio_err; 1235 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb); 1236 SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp); 1237 } 1238#ifndef OPENSSL_NO_SRP 1239 if (srp_arg.srplogin) 1240 { 1241 if (!srp_lateuser && !SSL_CTX_set_srp_username(ctx, srp_arg.srplogin)) 1242 { 1243 BIO_printf(bio_err,"Unable to set SRP username\n"); 1244 goto end; 1245 } 1246 srp_arg.msg = c_msg; 1247 srp_arg.debug = c_debug ; 1248 SSL_CTX_set_srp_cb_arg(ctx,&srp_arg); 1249 SSL_CTX_set_srp_client_pwd_callback(ctx, ssl_give_srp_client_pwd_cb); 1250 SSL_CTX_set_srp_strength(ctx, srp_arg.strength); 1251 if (c_msg || c_debug || srp_arg.amp == 0) 1252 SSL_CTX_set_srp_verify_param_callback(ctx, ssl_srp_verify_param_cb); 1253 } 1254 1255#endif 1256#endif 1257 1258 con=SSL_new(ctx); 1259 if (sess_in) 1260 { 1261 SSL_SESSION *sess; 1262 BIO *stmp = BIO_new_file(sess_in, "r"); 1263 if (!stmp) 1264 { 1265 BIO_printf(bio_err, "Can't open session file %s\n", 1266 sess_in); 1267 ERR_print_errors(bio_err); 1268 goto end; 1269 } 1270 sess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL); 1271 BIO_free(stmp); 1272 if (!sess) 1273 { 1274 BIO_printf(bio_err, "Can't open session file %s\n", 1275 sess_in); 1276 ERR_print_errors(bio_err); 1277 goto end; 1278 } 1279 SSL_set_session(con, sess); 1280 SSL_SESSION_free(sess); 1281 } 1282 1283 if (fallback_scsv) 1284 SSL_set_mode(con, SSL_MODE_SEND_FALLBACK_SCSV); 1285 1286#ifndef OPENSSL_NO_TLSEXT 1287 if (servername != NULL) 1288 { 1289 if (!SSL_set_tlsext_host_name(con,servername)) 1290 { 1291 BIO_printf(bio_err,"Unable to set TLS servername extension.\n"); 1292 ERR_print_errors(bio_err); 1293 goto end; 1294 } 1295 } 1296#endif 1297#ifndef OPENSSL_NO_KRB5 1298 if (con && (kctx = kssl_ctx_new()) != NULL) 1299 { 1300 SSL_set0_kssl_ctx(con, kctx); 1301 kssl_ctx_setstring(kctx, KSSL_SERVER, host); 1302 } 1303#endif /* OPENSSL_NO_KRB5 */ 1304/* SSL_set_cipher_list(con,"RC4-MD5"); */ 1305#if 0 1306#ifdef TLSEXT_TYPE_opaque_prf_input 1307 SSL_set_tlsext_opaque_prf_input(con, "Test client", 11); 1308#endif 1309#endif 1310 1311re_start: 1312 1313 if (init_client(&s,host,port,socket_type) == 0) 1314 { 1315 BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error()); 1316 SHUTDOWN(s); 1317 goto end; 1318 } 1319 BIO_printf(bio_c_out,"CONNECTED(%08X)\n",s); 1320 1321#ifdef FIONBIO 1322 if (c_nbio) 1323 { 1324 unsigned long l=1; 1325 BIO_printf(bio_c_out,"turning on non blocking io\n"); 1326 if (BIO_socket_ioctl(s,FIONBIO,&l) < 0) 1327 { 1328 ERR_print_errors(bio_err); 1329 goto end; 1330 } 1331 } 1332#endif 1333 if (c_Pause & 0x01) SSL_set_debug(con, 1); 1334 1335 if ( SSL_version(con) == DTLS1_VERSION) 1336 { 1337 1338 sbio=BIO_new_dgram(s,BIO_NOCLOSE); 1339 if (getsockname(s, &peer, (void *)&peerlen) < 0) 1340 { 1341 BIO_printf(bio_err, "getsockname:errno=%d\n", 1342 get_last_socket_error()); 1343 SHUTDOWN(s); 1344 goto end; 1345 } 1346 1347 (void)BIO_ctrl_set_connected(sbio, 1, &peer); 1348 1349 if (enable_timeouts) 1350 { 1351 timeout.tv_sec = 0; 1352 timeout.tv_usec = DGRAM_RCV_TIMEOUT; 1353 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout); 1354 1355 timeout.tv_sec = 0; 1356 timeout.tv_usec = DGRAM_SND_TIMEOUT; 1357 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout); 1358 } 1359 1360 if (socket_mtu > 28) 1361 { 1362 SSL_set_options(con, SSL_OP_NO_QUERY_MTU); 1363 SSL_set_mtu(con, socket_mtu - 28); 1364 } 1365 else 1366 /* want to do MTU discovery */ 1367 BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL); 1368 } 1369 else 1370 sbio=BIO_new_socket(s,BIO_NOCLOSE); 1371 1372 if (nbio_test) 1373 { 1374 BIO *test; 1375 1376 test=BIO_new(BIO_f_nbio_test()); 1377 sbio=BIO_push(test,sbio); 1378 } 1379 1380 if (c_debug) 1381 { 1382 SSL_set_debug(con, 1); 1383 BIO_set_callback(sbio,bio_dump_callback); 1384 BIO_set_callback_arg(sbio,(char *)bio_c_out); 1385 } 1386 if (c_msg) 1387 { 1388 SSL_set_msg_callback(con, msg_cb); 1389 SSL_set_msg_callback_arg(con, bio_c_out); 1390 } 1391#ifndef OPENSSL_NO_TLSEXT 1392 if (c_tlsextdebug) 1393 { 1394 SSL_set_tlsext_debug_callback(con, tlsext_cb); 1395 SSL_set_tlsext_debug_arg(con, bio_c_out); 1396 } 1397 if (c_status_req) 1398 { 1399 SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp); 1400 SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb); 1401 SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out); 1402#if 0 1403{ 1404STACK_OF(OCSP_RESPID) *ids = sk_OCSP_RESPID_new_null(); 1405OCSP_RESPID *id = OCSP_RESPID_new(); 1406id->value.byKey = ASN1_OCTET_STRING_new(); 1407id->type = V_OCSP_RESPID_KEY; 1408ASN1_STRING_set(id->value.byKey, "Hello World", -1); 1409sk_OCSP_RESPID_push(ids, id); 1410SSL_set_tlsext_status_ids(con, ids); 1411} 1412#endif 1413 } 1414#endif 1415#ifndef OPENSSL_NO_JPAKE 1416 if (jpake_secret) 1417 jpake_client_auth(bio_c_out, sbio, jpake_secret); 1418#endif 1419 1420 SSL_set_bio(con,sbio,sbio); 1421 SSL_set_connect_state(con); 1422 1423 /* ok, lets connect */ 1424 width=SSL_get_fd(con)+1; 1425 1426 read_tty=1; 1427 write_tty=0; 1428 tty_on=0; 1429 read_ssl=1; 1430 write_ssl=1; 1431 1432 cbuf_len=0; 1433 cbuf_off=0; 1434 sbuf_len=0; 1435 sbuf_off=0; 1436 1437 /* This is an ugly hack that does a lot of assumptions */ 1438 /* We do have to handle multi-line responses which may come 1439 in a single packet or not. We therefore have to use 1440 BIO_gets() which does need a buffering BIO. So during 1441 the initial chitchat we do push a buffering BIO into the 1442 chain that is removed again later on to not disturb the 1443 rest of the s_client operation. */ 1444 if (starttls_proto == PROTO_SMTP) 1445 { 1446 int foundit=0; 1447 BIO *fbio = BIO_new(BIO_f_buffer()); 1448 BIO_push(fbio, sbio); 1449 /* wait for multi-line response to end from SMTP */ 1450 do 1451 { 1452 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ); 1453 } 1454 while (mbuf_len>3 && mbuf[3]=='-'); 1455 /* STARTTLS command requires EHLO... */ 1456 BIO_printf(fbio,"EHLO openssl.client.net\r\n"); 1457 (void)BIO_flush(fbio); 1458 /* wait for multi-line response to end EHLO SMTP response */ 1459 do 1460 { 1461 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ); 1462 if (strstr(mbuf,"STARTTLS")) 1463 foundit=1; 1464 } 1465 while (mbuf_len>3 && mbuf[3]=='-'); 1466 (void)BIO_flush(fbio); 1467 BIO_pop(fbio); 1468 BIO_free(fbio); 1469 if (!foundit) 1470 BIO_printf(bio_err, 1471 "didn't found starttls in server response," 1472 " try anyway...\n"); 1473 BIO_printf(sbio,"STARTTLS\r\n"); 1474 BIO_read(sbio,sbuf,BUFSIZZ); 1475 } 1476 else if (starttls_proto == PROTO_POP3) 1477 { 1478 BIO_read(sbio,mbuf,BUFSIZZ); 1479 BIO_printf(sbio,"STLS\r\n"); 1480 BIO_read(sbio,sbuf,BUFSIZZ); 1481 } 1482 else if (starttls_proto == PROTO_IMAP) 1483 { 1484 int foundit=0; 1485 BIO *fbio = BIO_new(BIO_f_buffer()); 1486 BIO_push(fbio, sbio); 1487 BIO_gets(fbio,mbuf,BUFSIZZ); 1488 /* STARTTLS command requires CAPABILITY... */ 1489 BIO_printf(fbio,". CAPABILITY\r\n"); 1490 (void)BIO_flush(fbio); 1491 /* wait for multi-line CAPABILITY response */ 1492 do 1493 { 1494 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ); 1495 if (strstr(mbuf,"STARTTLS")) 1496 foundit=1; 1497 } 1498 while (mbuf_len>3 && mbuf[0]!='.'); 1499 (void)BIO_flush(fbio); 1500 BIO_pop(fbio); 1501 BIO_free(fbio); 1502 if (!foundit) 1503 BIO_printf(bio_err, 1504 "didn't found STARTTLS in server response," 1505 " try anyway...\n"); 1506 BIO_printf(sbio,". STARTTLS\r\n"); 1507 BIO_read(sbio,sbuf,BUFSIZZ); 1508 } 1509 else if (starttls_proto == PROTO_FTP) 1510 { 1511 BIO *fbio = BIO_new(BIO_f_buffer()); 1512 BIO_push(fbio, sbio); 1513 /* wait for multi-line response to end from FTP */ 1514 do 1515 { 1516 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ); 1517 } 1518 while (mbuf_len>3 && mbuf[3]=='-'); 1519 (void)BIO_flush(fbio); 1520 BIO_pop(fbio); 1521 BIO_free(fbio); 1522 BIO_printf(sbio,"AUTH TLS\r\n"); 1523 BIO_read(sbio,sbuf,BUFSIZZ); 1524 } 1525 if (starttls_proto == PROTO_XMPP) 1526 { 1527 int seen = 0; 1528 BIO_printf(sbio,"<stream:stream " 1529 "xmlns:stream='http://etherx.jabber.org/streams' " 1530 "xmlns='jabber:client' to='%s' version='1.0'>", host); 1531 seen = BIO_read(sbio,mbuf,BUFSIZZ); 1532 mbuf[seen] = 0; 1533 while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'")) 1534 { 1535 if (strstr(mbuf, "/stream:features>")) 1536 goto shut; 1537 seen = BIO_read(sbio,mbuf,BUFSIZZ); 1538 mbuf[seen] = 0; 1539 } 1540 BIO_printf(sbio, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"); 1541 seen = BIO_read(sbio,sbuf,BUFSIZZ); 1542 sbuf[seen] = 0; 1543 if (!strstr(sbuf, "<proceed")) 1544 goto shut; 1545 mbuf[0] = 0; 1546 } 1547 1548 for (;;) 1549 { 1550 FD_ZERO(&readfds); 1551 FD_ZERO(&writefds); 1552 1553 if ((SSL_version(con) == DTLS1_VERSION) && 1554 DTLSv1_get_timeout(con, &timeout)) 1555 timeoutp = &timeout; 1556 else 1557 timeoutp = NULL; 1558 1559 if (SSL_in_init(con) && !SSL_total_renegotiations(con)) 1560 { 1561 in_init=1; 1562 tty_on=0; 1563 } 1564 else 1565 { 1566 tty_on=1; 1567 if (in_init) 1568 { 1569 in_init=0; 1570#if 0 /* This test doesn't really work as intended (needs to be fixed) */ 1571#ifndef OPENSSL_NO_TLSEXT 1572 if (servername != NULL && !SSL_session_reused(con)) 1573 { 1574 BIO_printf(bio_c_out,"Server did %sacknowledge servername extension.\n",tlsextcbp.ack?"":"not "); 1575 } 1576#endif 1577#endif 1578 if (sess_out) 1579 { 1580 BIO *stmp = BIO_new_file(sess_out, "w"); 1581 if (stmp) 1582 { 1583 PEM_write_bio_SSL_SESSION(stmp, SSL_get_session(con)); 1584 BIO_free(stmp); 1585 } 1586 else 1587 BIO_printf(bio_err, "Error writing session file %s\n", sess_out); 1588 } 1589 print_stuff(bio_c_out,con,full_log); 1590 if (full_log > 0) full_log--; 1591 1592 if (starttls_proto) 1593 { 1594 BIO_printf(bio_err,"%s",mbuf); 1595 /* We don't need to know any more */ 1596 starttls_proto = PROTO_OFF; 1597 } 1598 1599 if (reconnect) 1600 { 1601 reconnect--; 1602 BIO_printf(bio_c_out,"drop connection and then reconnect\n"); 1603 SSL_shutdown(con); 1604 SSL_set_connect_state(con); 1605 SHUTDOWN(SSL_get_fd(con)); 1606 goto re_start; 1607 } 1608 } 1609 } 1610 1611 ssl_pending = read_ssl && SSL_pending(con); 1612 1613 if (!ssl_pending) 1614 { 1615#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) && !defined (OPENSSL_SYS_BEOS_R5) 1616 if (tty_on) 1617 { 1618 if (read_tty) openssl_fdset(fileno(stdin),&readfds); 1619 if (write_tty) openssl_fdset(fileno(stdout),&writefds); 1620 } 1621 if (read_ssl) 1622 openssl_fdset(SSL_get_fd(con),&readfds); 1623 if (write_ssl) 1624 openssl_fdset(SSL_get_fd(con),&writefds); 1625#else 1626 if(!tty_on || !write_tty) { 1627 if (read_ssl) 1628 openssl_fdset(SSL_get_fd(con),&readfds); 1629 if (write_ssl) 1630 openssl_fdset(SSL_get_fd(con),&writefds); 1631 } 1632#endif 1633/* printf("mode tty(%d %d%d) ssl(%d%d)\n", 1634 tty_on,read_tty,write_tty,read_ssl,write_ssl);*/ 1635 1636 /* Note: under VMS with SOCKETSHR the second parameter 1637 * is currently of type (int *) whereas under other 1638 * systems it is (void *) if you don't have a cast it 1639 * will choke the compiler: if you do have a cast then 1640 * you can either go for (int *) or (void *). 1641 */ 1642#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) 1643 /* Under Windows/DOS we make the assumption that we can 1644 * always write to the tty: therefore if we need to 1645 * write to the tty we just fall through. Otherwise 1646 * we timeout the select every second and see if there 1647 * are any keypresses. Note: this is a hack, in a proper 1648 * Windows application we wouldn't do this. 1649 */ 1650 i=0; 1651 if(!write_tty) { 1652 if(read_tty) { 1653 tv.tv_sec = 1; 1654 tv.tv_usec = 0; 1655 i=select(width,(void *)&readfds,(void *)&writefds, 1656 NULL,&tv); 1657#if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS) 1658 if(!i && (!_kbhit() || !read_tty) ) continue; 1659#else 1660 if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue; 1661#endif 1662 } else i=select(width,(void *)&readfds,(void *)&writefds, 1663 NULL,timeoutp); 1664 } 1665#elif defined(OPENSSL_SYS_NETWARE) 1666 if(!write_tty) { 1667 if(read_tty) { 1668 tv.tv_sec = 1; 1669 tv.tv_usec = 0; 1670 i=select(width,(void *)&readfds,(void *)&writefds, 1671 NULL,&tv); 1672 } else i=select(width,(void *)&readfds,(void *)&writefds, 1673 NULL,timeoutp); 1674 } 1675#elif defined(OPENSSL_SYS_BEOS_R5) 1676 /* Under BeOS-R5 the situation is similar to DOS */ 1677 i=0; 1678 stdin_set = 0; 1679 (void)fcntl(fileno(stdin), F_SETFL, O_NONBLOCK); 1680 if(!write_tty) { 1681 if(read_tty) { 1682 tv.tv_sec = 1; 1683 tv.tv_usec = 0; 1684 i=select(width,(void *)&readfds,(void *)&writefds, 1685 NULL,&tv); 1686 if (read(fileno(stdin), sbuf, 0) >= 0) 1687 stdin_set = 1; 1688 if (!i && (stdin_set != 1 || !read_tty)) 1689 continue; 1690 } else i=select(width,(void *)&readfds,(void *)&writefds, 1691 NULL,timeoutp); 1692 } 1693 (void)fcntl(fileno(stdin), F_SETFL, 0); 1694#else 1695 i=select(width,(void *)&readfds,(void *)&writefds, 1696 NULL,timeoutp); 1697#endif 1698 if ( i < 0) 1699 { 1700 BIO_printf(bio_err,"bad select %d\n", 1701 get_last_socket_error()); 1702 goto shut; 1703 /* goto end; */ 1704 } 1705 } 1706 1707 if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0) 1708 { 1709 BIO_printf(bio_err,"TIMEOUT occured\n"); 1710 } 1711 1712 if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds)) 1713 { 1714 k=SSL_write(con,&(cbuf[cbuf_off]), 1715 (unsigned int)cbuf_len); 1716 switch (SSL_get_error(con,k)) 1717 { 1718 case SSL_ERROR_NONE: 1719 cbuf_off+=k; 1720 cbuf_len-=k; 1721 if (k <= 0) goto end; 1722 /* we have done a write(con,NULL,0); */ 1723 if (cbuf_len <= 0) 1724 { 1725 read_tty=1; 1726 write_ssl=0; 1727 } 1728 else /* if (cbuf_len > 0) */ 1729 { 1730 read_tty=0; 1731 write_ssl=1; 1732 } 1733 break; 1734 case SSL_ERROR_WANT_WRITE: 1735 BIO_printf(bio_c_out,"write W BLOCK\n"); 1736 write_ssl=1; 1737 read_tty=0; 1738 break; 1739 case SSL_ERROR_WANT_READ: 1740 BIO_printf(bio_c_out,"write R BLOCK\n"); 1741 write_tty=0; 1742 read_ssl=1; 1743 write_ssl=0; 1744 break; 1745 case SSL_ERROR_WANT_X509_LOOKUP: 1746 BIO_printf(bio_c_out,"write X BLOCK\n"); 1747 break; 1748 case SSL_ERROR_ZERO_RETURN: 1749 if (cbuf_len != 0) 1750 { 1751 BIO_printf(bio_c_out,"shutdown\n"); 1752 ret = 0; 1753 goto shut; 1754 } 1755 else 1756 { 1757 read_tty=1; 1758 write_ssl=0; 1759 break; 1760 } 1761 1762 case SSL_ERROR_SYSCALL: 1763 if ((k != 0) || (cbuf_len != 0)) 1764 { 1765 BIO_printf(bio_err,"write:errno=%d\n", 1766 get_last_socket_error()); 1767 goto shut; 1768 } 1769 else 1770 { 1771 read_tty=1; 1772 write_ssl=0; 1773 } 1774 break; 1775 case SSL_ERROR_SSL: 1776 ERR_print_errors(bio_err); 1777 goto shut; 1778 } 1779 } 1780#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5) 1781 /* Assume Windows/DOS/BeOS can always write */ 1782 else if (!ssl_pending && write_tty) 1783#else 1784 else if (!ssl_pending && FD_ISSET(fileno(stdout),&writefds)) 1785#endif 1786 { 1787#ifdef CHARSET_EBCDIC 1788 ascii2ebcdic(&(sbuf[sbuf_off]),&(sbuf[sbuf_off]),sbuf_len); 1789#endif 1790 i=raw_write_stdout(&(sbuf[sbuf_off]),sbuf_len); 1791 1792 if (i <= 0) 1793 { 1794 BIO_printf(bio_c_out,"DONE\n"); 1795 ret = 0; 1796 goto shut; 1797 /* goto end; */ 1798 } 1799 1800 sbuf_len-=i;; 1801 sbuf_off+=i; 1802 if (sbuf_len <= 0) 1803 { 1804 read_ssl=1; 1805 write_tty=0; 1806 } 1807 } 1808 else if (ssl_pending || FD_ISSET(SSL_get_fd(con),&readfds)) 1809 { 1810#ifdef RENEG 1811{ static int iiii; if (++iiii == 52) { SSL_renegotiate(con); iiii=0; } } 1812#endif 1813#if 1 1814 k=SSL_read(con,sbuf,1024 /* BUFSIZZ */ ); 1815#else 1816/* Demo for pending and peek :-) */ 1817 k=SSL_read(con,sbuf,16); 1818{ char zbuf[10240]; 1819printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240)); 1820} 1821#endif 1822 1823 switch (SSL_get_error(con,k)) 1824 { 1825 case SSL_ERROR_NONE: 1826 if (k <= 0) 1827 goto end; 1828 sbuf_off=0; 1829 sbuf_len=k; 1830 1831 read_ssl=0; 1832 write_tty=1; 1833 break; 1834 case SSL_ERROR_WANT_WRITE: 1835 BIO_printf(bio_c_out,"read W BLOCK\n"); 1836 write_ssl=1; 1837 read_tty=0; 1838 break; 1839 case SSL_ERROR_WANT_READ: 1840 BIO_printf(bio_c_out,"read R BLOCK\n"); 1841 write_tty=0; 1842 read_ssl=1; 1843 if ((read_tty == 0) && (write_ssl == 0)) 1844 write_ssl=1; 1845 break; 1846 case SSL_ERROR_WANT_X509_LOOKUP: 1847 BIO_printf(bio_c_out,"read X BLOCK\n"); 1848 break; 1849 case SSL_ERROR_SYSCALL: 1850 ret=get_last_socket_error(); 1851 BIO_printf(bio_err,"read:errno=%d\n",ret); 1852 goto shut; 1853 case SSL_ERROR_ZERO_RETURN: 1854 BIO_printf(bio_c_out,"closed\n"); 1855 ret=0; 1856 goto shut; 1857 case SSL_ERROR_SSL: 1858 ERR_print_errors(bio_err); 1859 goto shut; 1860 /* break; */ 1861 } 1862 } 1863 1864#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) 1865#if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS) 1866 else if (_kbhit()) 1867#else 1868 else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) 1869#endif 1870#elif defined (OPENSSL_SYS_NETWARE) 1871 else if (_kbhit()) 1872#elif defined(OPENSSL_SYS_BEOS_R5) 1873 else if (stdin_set) 1874#else 1875 else if (FD_ISSET(fileno(stdin),&readfds)) 1876#endif 1877 { 1878 if (crlf) 1879 { 1880 int j, lf_num; 1881 1882 i=raw_read_stdin(cbuf,BUFSIZZ/2); 1883 lf_num = 0; 1884 /* both loops are skipped when i <= 0 */ 1885 for (j = 0; j < i; j++) 1886 if (cbuf[j] == '\n') 1887 lf_num++; 1888 for (j = i-1; j >= 0; j--) 1889 { 1890 cbuf[j+lf_num] = cbuf[j]; 1891 if (cbuf[j] == '\n') 1892 { 1893 lf_num--; 1894 i++; 1895 cbuf[j+lf_num] = '\r'; 1896 } 1897 } 1898 assert(lf_num == 0); 1899 } 1900 else 1901 i=raw_read_stdin(cbuf,BUFSIZZ); 1902 1903 if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q'))) 1904 { 1905 BIO_printf(bio_err,"DONE\n"); 1906 ret=0; 1907 goto shut; 1908 } 1909 1910 if ((!c_ign_eof) && (cbuf[0] == 'R')) 1911 { 1912 BIO_printf(bio_err,"RENEGOTIATING\n"); 1913 SSL_renegotiate(con); 1914 cbuf_len=0; 1915 } 1916#ifndef OPENSSL_NO_HEARTBEATS 1917 else if ((!c_ign_eof) && (cbuf[0] == 'B')) 1918 { 1919 BIO_printf(bio_err,"HEARTBEATING\n"); 1920 SSL_heartbeat(con); 1921 cbuf_len=0; 1922 } 1923#endif 1924 else 1925 { 1926 cbuf_len=i; 1927 cbuf_off=0; 1928#ifdef CHARSET_EBCDIC 1929 ebcdic2ascii(cbuf, cbuf, i); 1930#endif 1931 } 1932 1933 write_ssl=1; 1934 read_tty=0; 1935 } 1936 } 1937 1938 ret=0; 1939shut: 1940 if (in_init) 1941 print_stuff(bio_c_out,con,full_log); 1942 SSL_shutdown(con); 1943 SHUTDOWN(SSL_get_fd(con)); 1944end: 1945 if (con != NULL) 1946 { 1947 if (prexit != 0) 1948 print_stuff(bio_c_out,con,1); 1949 SSL_free(con); 1950 } 1951#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) 1952 if (next_proto.data) 1953 OPENSSL_free(next_proto.data); 1954#endif 1955 if (ctx != NULL) SSL_CTX_free(ctx); 1956 if (cert) 1957 X509_free(cert); 1958 if (key) 1959 EVP_PKEY_free(key); 1960 if (pass) 1961 OPENSSL_free(pass); 1962 if (vpm) 1963 X509_VERIFY_PARAM_free(vpm); 1964 if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); } 1965 if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); } 1966 if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); } 1967 if (bio_c_out != NULL) 1968 { 1969 BIO_free(bio_c_out); 1970 bio_c_out=NULL; 1971 } 1972 apps_shutdown(); 1973 OPENSSL_EXIT(ret); 1974 } 1975 1976 1977static void print_stuff(BIO *bio, SSL *s, int full) 1978 { 1979 X509 *peer=NULL; 1980 char *p; 1981 static const char *space=" "; 1982 char buf[BUFSIZ]; 1983 STACK_OF(X509) *sk; 1984 STACK_OF(X509_NAME) *sk2; 1985 const SSL_CIPHER *c; 1986 X509_NAME *xn; 1987 int j,i; 1988#ifndef OPENSSL_NO_COMP 1989 const COMP_METHOD *comp, *expansion; 1990#endif 1991 unsigned char *exportedkeymat; 1992 1993 if (full) 1994 { 1995 int got_a_chain = 0; 1996 1997 sk=SSL_get_peer_cert_chain(s); 1998 if (sk != NULL) 1999 { 2000 got_a_chain = 1; /* we don't have it for SSL2 (yet) */ 2001 2002 BIO_printf(bio,"---\nCertificate chain\n"); 2003 for (i=0; i<sk_X509_num(sk); i++) 2004 { 2005 X509_NAME_oneline(X509_get_subject_name( 2006 sk_X509_value(sk,i)),buf,sizeof buf); 2007 BIO_printf(bio,"%2d s:%s\n",i,buf); 2008 X509_NAME_oneline(X509_get_issuer_name( 2009 sk_X509_value(sk,i)),buf,sizeof buf); 2010 BIO_printf(bio," i:%s\n",buf); 2011 if (c_showcerts) 2012 PEM_write_bio_X509(bio,sk_X509_value(sk,i)); 2013 } 2014 } 2015 2016 BIO_printf(bio,"---\n"); 2017 peer=SSL_get_peer_certificate(s); 2018 if (peer != NULL) 2019 { 2020 BIO_printf(bio,"Server certificate\n"); 2021 if (!(c_showcerts && got_a_chain)) /* Redundant if we showed the whole chain */ 2022 PEM_write_bio_X509(bio,peer); 2023 X509_NAME_oneline(X509_get_subject_name(peer), 2024 buf,sizeof buf); 2025 BIO_printf(bio,"subject=%s\n",buf); 2026 X509_NAME_oneline(X509_get_issuer_name(peer), 2027 buf,sizeof buf); 2028 BIO_printf(bio,"issuer=%s\n",buf); 2029 } 2030 else 2031 BIO_printf(bio,"no peer certificate available\n"); 2032 2033 sk2=SSL_get_client_CA_list(s); 2034 if ((sk2 != NULL) && (sk_X509_NAME_num(sk2) > 0)) 2035 { 2036 BIO_printf(bio,"---\nAcceptable client certificate CA names\n"); 2037 for (i=0; i<sk_X509_NAME_num(sk2); i++) 2038 { 2039 xn=sk_X509_NAME_value(sk2,i); 2040 X509_NAME_oneline(xn,buf,sizeof(buf)); 2041 BIO_write(bio,buf,strlen(buf)); 2042 BIO_write(bio,"\n",1); 2043 } 2044 } 2045 else 2046 { 2047 BIO_printf(bio,"---\nNo client certificate CA names sent\n"); 2048 } 2049 p=SSL_get_shared_ciphers(s,buf,sizeof buf); 2050 if (p != NULL) 2051 { 2052 /* This works only for SSL 2. In later protocol 2053 * versions, the client does not know what other 2054 * ciphers (in addition to the one to be used 2055 * in the current connection) the server supports. */ 2056 2057 BIO_printf(bio,"---\nCiphers common between both SSL endpoints:\n"); 2058 j=i=0; 2059 while (*p) 2060 { 2061 if (*p == ':') 2062 { 2063 BIO_write(bio,space,15-j%25); 2064 i++; 2065 j=0; 2066 BIO_write(bio,((i%3)?" ":"\n"),1); 2067 } 2068 else 2069 { 2070 BIO_write(bio,p,1); 2071 j++; 2072 } 2073 p++; 2074 } 2075 BIO_write(bio,"\n",1); 2076 } 2077 2078 BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n", 2079 BIO_number_read(SSL_get_rbio(s)), 2080 BIO_number_written(SSL_get_wbio(s))); 2081 } 2082 BIO_printf(bio,(SSL_cache_hit(s)?"---\nReused, ":"---\nNew, ")); 2083 c=SSL_get_current_cipher(s); 2084 BIO_printf(bio,"%s, Cipher is %s\n", 2085 SSL_CIPHER_get_version(c), 2086 SSL_CIPHER_get_name(c)); 2087 if (peer != NULL) { 2088 EVP_PKEY *pktmp; 2089 pktmp = X509_get_pubkey(peer); 2090 BIO_printf(bio,"Server public key is %d bit\n", 2091 EVP_PKEY_bits(pktmp)); 2092 EVP_PKEY_free(pktmp); 2093 } 2094 BIO_printf(bio, "Secure Renegotiation IS%s supported\n", 2095 SSL_get_secure_renegotiation_support(s) ? "" : " NOT"); 2096#ifndef OPENSSL_NO_COMP 2097 comp=SSL_get_current_compression(s); 2098 expansion=SSL_get_current_expansion(s); 2099 BIO_printf(bio,"Compression: %s\n", 2100 comp ? SSL_COMP_get_name(comp) : "NONE"); 2101 BIO_printf(bio,"Expansion: %s\n", 2102 expansion ? SSL_COMP_get_name(expansion) : "NONE"); 2103#endif 2104 2105#ifdef SSL_DEBUG 2106 { 2107 /* Print out local port of connection: useful for debugging */ 2108 int sock; 2109 struct sockaddr_in ladd; 2110 socklen_t ladd_size = sizeof(ladd); 2111 sock = SSL_get_fd(s); 2112 getsockname(sock, (struct sockaddr *)&ladd, &ladd_size); 2113 BIO_printf(bio_c_out, "LOCAL PORT is %u\n", ntohs(ladd.sin_port)); 2114 } 2115#endif 2116 2117#if !defined(OPENSSL_NO_TLSEXT) 2118# if !defined(OPENSSL_NO_NEXTPROTONEG) 2119 if (next_proto.status != -1) { 2120 const unsigned char *proto; 2121 unsigned int proto_len; 2122 SSL_get0_next_proto_negotiated(s, &proto, &proto_len); 2123 BIO_printf(bio, "Next protocol: (%d) ", next_proto.status); 2124 BIO_write(bio, proto, proto_len); 2125 BIO_write(bio, "\n", 1); 2126 } 2127 { 2128 const unsigned char *proto; 2129 unsigned int proto_len; 2130 SSL_get0_alpn_selected(s, &proto, &proto_len); 2131 if (proto_len > 0) 2132 { 2133 BIO_printf(bio, "ALPN protocol: "); 2134 BIO_write(bio, proto, proto_len); 2135 BIO_write(bio, "\n", 1); 2136 } 2137 else 2138 BIO_printf(bio, "No ALPN negotiated\n"); 2139 } 2140# endif 2141#endif 2142 2143#ifndef OPENSSL_NO_SRTP 2144 { 2145 SRTP_PROTECTION_PROFILE *srtp_profile=SSL_get_selected_srtp_profile(s); 2146 2147 if(srtp_profile) 2148 BIO_printf(bio,"SRTP Extension negotiated, profile=%s\n", 2149 srtp_profile->name); 2150 } 2151#endif 2152 2153 SSL_SESSION_print(bio,SSL_get_session(s)); 2154 if (keymatexportlabel != NULL) 2155 { 2156 BIO_printf(bio, "Keying material exporter:\n"); 2157 BIO_printf(bio, " Label: '%s'\n", keymatexportlabel); 2158 BIO_printf(bio, " Length: %i bytes\n", keymatexportlen); 2159 exportedkeymat = OPENSSL_malloc(keymatexportlen); 2160 if (exportedkeymat != NULL) 2161 { 2162 if (!SSL_export_keying_material(s, exportedkeymat, 2163 keymatexportlen, 2164 keymatexportlabel, 2165 strlen(keymatexportlabel), 2166 NULL, 0, 0)) 2167 { 2168 BIO_printf(bio, " Error\n"); 2169 } 2170 else 2171 { 2172 BIO_printf(bio, " Keying material: "); 2173 for (i=0; i<keymatexportlen; i++) 2174 BIO_printf(bio, "%02X", 2175 exportedkeymat[i]); 2176 BIO_printf(bio, "\n"); 2177 } 2178 OPENSSL_free(exportedkeymat); 2179 } 2180 } 2181 BIO_printf(bio,"---\n"); 2182 if (peer != NULL) 2183 X509_free(peer); 2184 /* flush, or debugging output gets mixed with http response */ 2185 (void)BIO_flush(bio); 2186 } 2187 2188#ifndef OPENSSL_NO_TLSEXT 2189 2190static int ocsp_resp_cb(SSL *s, void *arg) 2191 { 2192 const unsigned char *p; 2193 int len; 2194 OCSP_RESPONSE *rsp; 2195 len = SSL_get_tlsext_status_ocsp_resp(s, &p); 2196 BIO_puts(arg, "OCSP response: "); 2197 if (!p) 2198 { 2199 BIO_puts(arg, "no response sent\n"); 2200 return 1; 2201 } 2202 rsp = d2i_OCSP_RESPONSE(NULL, &p, len); 2203 if (!rsp) 2204 { 2205 BIO_puts(arg, "response parse error\n"); 2206 BIO_dump_indent(arg, (char *)p, len, 4); 2207 return 0; 2208 } 2209 BIO_puts(arg, "\n======================================\n"); 2210 OCSP_RESPONSE_print(arg, rsp, 0); 2211 BIO_puts(arg, "======================================\n"); 2212 OCSP_RESPONSE_free(rsp); 2213 return 1; 2214 } 2215 2216#endif 2217