GCC Code Coverage Report
Directory: ./ Exec Total Coverage
File: usr.bin/openssl/s_client.c Lines: 374 781 47.9 %
Date: 2017-11-13 Branches: 199 564 35.3 %

Line Branch Exec Source
1
/* $OpenBSD: s_client.c,v 1.33 2017/08/12 21:04:33 jsing Exp $ */
2
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3
 * All rights reserved.
4
 *
5
 * This package is an SSL implementation written
6
 * by Eric Young (eay@cryptsoft.com).
7
 * The implementation was written so as to conform with Netscapes SSL.
8
 *
9
 * This library is free for commercial and non-commercial use as long as
10
 * the following conditions are aheared to.  The following conditions
11
 * apply to all code found in this distribution, be it the RC4, RSA,
12
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13
 * included with this distribution is covered by the same copyright terms
14
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15
 *
16
 * Copyright remains Eric Young's, and as such any Copyright notices in
17
 * the code are not to be removed.
18
 * If this package is used in a product, Eric Young should be given attribution
19
 * as the author of the parts of the library used.
20
 * This can be in the form of a textual message at program startup or
21
 * in documentation (online or textual) provided with the package.
22
 *
23
 * Redistribution and use in source and binary forms, with or without
24
 * modification, are permitted provided that the following conditions
25
 * are met:
26
 * 1. Redistributions of source code must retain the copyright
27
 *    notice, this list of conditions and the following disclaimer.
28
 * 2. Redistributions in binary form must reproduce the above copyright
29
 *    notice, this list of conditions and the following disclaimer in the
30
 *    documentation and/or other materials provided with the distribution.
31
 * 3. All advertising materials mentioning features or use of this software
32
 *    must display the following acknowledgement:
33
 *    "This product includes cryptographic software written by
34
 *     Eric Young (eay@cryptsoft.com)"
35
 *    The word 'cryptographic' can be left out if the rouines from the library
36
 *    being used are not cryptographic related :-).
37
 * 4. If you include any Windows specific code (or a derivative thereof) from
38
 *    the apps directory (application code) you must include an acknowledgement:
39
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40
 *
41
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51
 * SUCH DAMAGE.
52
 *
53
 * The licence and distribution terms for any publically available version or
54
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
55
 * copied and put under another distribution licence
56
 * [including the GNU Public Licence.]
57
 */
58
/* ====================================================================
59
 * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
60
 *
61
 * Redistribution and use in source and binary forms, with or without
62
 * modification, are permitted provided that the following conditions
63
 * are met:
64
 *
65
 * 1. Redistributions of source code must retain the above copyright
66
 *    notice, this list of conditions and the following disclaimer.
67
 *
68
 * 2. Redistributions in binary form must reproduce the above copyright
69
 *    notice, this list of conditions and the following disclaimer in
70
 *    the documentation and/or other materials provided with the
71
 *    distribution.
72
 *
73
 * 3. All advertising materials mentioning features or use of this
74
 *    software must display the following acknowledgment:
75
 *    "This product includes software developed by the OpenSSL Project
76
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77
 *
78
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79
 *    endorse or promote products derived from this software without
80
 *    prior written permission. For written permission, please contact
81
 *    openssl-core@openssl.org.
82
 *
83
 * 5. Products derived from this software may not be called "OpenSSL"
84
 *    nor may "OpenSSL" appear in their names without prior written
85
 *    permission of the OpenSSL Project.
86
 *
87
 * 6. Redistributions of any form whatsoever must retain the following
88
 *    acknowledgment:
89
 *    "This product includes software developed by the OpenSSL Project
90
 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91
 *
92
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103
 * OF THE POSSIBILITY OF SUCH DAMAGE.
104
 * ====================================================================
105
 *
106
 * This product includes cryptographic software written by Eric Young
107
 * (eay@cryptsoft.com).  This product includes software written by Tim
108
 * Hudson (tjh@cryptsoft.com).
109
 *
110
 */
111
/* ====================================================================
112
 * Copyright 2005 Nokia. All rights reserved.
113
 *
114
 * The portions of the attached software ("Contribution") is developed by
115
 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
116
 * license.
117
 *
118
 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119
 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120
 * support (see RFC 4279) to OpenSSL.
121
 *
122
 * No patent licenses or other rights except those expressly stated in
123
 * the OpenSSL open source license shall be deemed granted or received
124
 * expressly, by implication, estoppel, or otherwise.
125
 *
126
 * No assurances are provided by Nokia that the Contribution does not
127
 * infringe the patent or other intellectual property rights of any third
128
 * party or that the license provides you with all the necessary rights
129
 * to make use of the Contribution.
130
 *
131
 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132
 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133
 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134
 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
135
 * OTHERWISE.
136
 */
137
138
#include <sys/types.h>
139
#include <sys/socket.h>
140
141
#include <netinet/in.h>
142
143
#include <assert.h>
144
#include <ctype.h>
145
#include <limits.h>
146
#include <netdb.h>
147
#include <stdio.h>
148
#include <stdlib.h>
149
#include <string.h>
150
#include <unistd.h>
151
#include <poll.h>
152
153
#include "apps.h"
154
155
#include <openssl/bn.h>
156
#include <openssl/err.h>
157
#include <openssl/ocsp.h>
158
#include <openssl/pem.h>
159
#include <openssl/ssl.h>
160
#include <openssl/x509.h>
161
162
#include "s_apps.h"
163
#include "timeouts.h"
164
165
/*#define SSL_HOST_NAME	"www.netscape.com" */
166
/*#define SSL_HOST_NAME	"193.118.187.102" */
167
#define SSL_HOST_NAME	"localhost"
168
169
 /*#define TEST_CERT "client.pem" *//* no default cert. */
170
171
#define BUFSIZZ 1024*8
172
173
static int c_nbio = 0;
174
static int c_Pause = 0;
175
static int c_debug = 0;
176
static int c_tlsextdebug = 0;
177
static int c_status_req = 0;
178
static int c_msg = 0;
179
static int c_showcerts = 0;
180
181
static char *keymatexportlabel = NULL;
182
static int keymatexportlen = 20;
183
184
static void sc_usage(void);
185
static void print_stuff(BIO * berr, SSL * con, int full);
186
static int ocsp_resp_cb(SSL * s, void *arg);
187
static BIO *bio_c_out = NULL;
188
static int c_quiet = 0;
189
static int c_ign_eof = 0;
190
191
192
static void
193
sc_usage(void)
194
{
195
8
	BIO_printf(bio_err, "usage: s_client args\n");
196
4
	BIO_printf(bio_err, "\n");
197
4
	BIO_printf(bio_err, " -4            - Force IPv4\n");
198
4
	BIO_printf(bio_err, " -6            - Force IPv6\n");
199
4
	BIO_printf(bio_err, " -host host     - use -connect instead\n");
200
4
	BIO_printf(bio_err, " -port port     - use -connect instead\n");
201
4
	BIO_printf(bio_err, " -connect host:port - who to connect to (default is %s:%s)\n", SSL_HOST_NAME, PORT_STR);
202
4
	BIO_printf(bio_err, " -proxy host:port - connect to http proxy\n");
203
204
4
	BIO_printf(bio_err, " -verify arg   - turn on peer certificate verification\n");
205
4
	BIO_printf(bio_err, " -cert arg     - certificate file to use, PEM format assumed\n");
206
4
	BIO_printf(bio_err, " -certform arg - certificate format (PEM or DER) PEM default\n");
207
4
	BIO_printf(bio_err, " -key arg      - Private key file to use, in cert file if\n");
208
4
	BIO_printf(bio_err, "                 not specified but cert file is.\n");
209
4
	BIO_printf(bio_err, " -keyform arg  - key format (PEM or DER) PEM default\n");
210
4
	BIO_printf(bio_err, " -pass arg     - private key file pass phrase source\n");
211
4
	BIO_printf(bio_err, " -CApath arg   - PEM format directory of CA's\n");
212
4
	BIO_printf(bio_err, " -CAfile arg   - PEM format file of CA's\n");
213
4
	BIO_printf(bio_err, " -reconnect    - Drop and re-make the connection with the same Session-ID\n");
214
4
	BIO_printf(bio_err, " -pause        - sleep(1) after each read(2) and write(2) system call\n");
215
4
	BIO_printf(bio_err, " -showcerts    - show all certificates in the chain\n");
216
4
	BIO_printf(bio_err, " -debug        - extra output\n");
217
4
	BIO_printf(bio_err, " -msg          - Show protocol messages\n");
218
4
	BIO_printf(bio_err, " -nbio_test    - more ssl protocol testing\n");
219
4
	BIO_printf(bio_err, " -state        - print the 'ssl' states\n");
220
4
	BIO_printf(bio_err, " -nbio         - Run with non-blocking IO\n");
221
4
	BIO_printf(bio_err, " -crlf         - convert LF from terminal into CRLF\n");
222
4
	BIO_printf(bio_err, " -quiet        - no s_client output\n");
223
4
	BIO_printf(bio_err, " -ign_eof      - ignore input eof (default when -quiet)\n");
224
4
	BIO_printf(bio_err, " -no_ign_eof   - don't ignore input eof\n");
225
4
	BIO_printf(bio_err, " -tls1_2       - just use TLSv1.2\n");
226
4
	BIO_printf(bio_err, " -tls1_1       - just use TLSv1.1\n");
227
4
	BIO_printf(bio_err, " -tls1         - just use TLSv1\n");
228
4
	BIO_printf(bio_err, " -dtls1        - just use DTLSv1\n");
229
4
	BIO_printf(bio_err, " -mtu          - set the link layer MTU\n");
230
4
	BIO_printf(bio_err, " -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
231
4
	BIO_printf(bio_err, " -bugs         - Switch on all SSL implementation bug workarounds\n");
232
4
	BIO_printf(bio_err, " -cipher       - preferred cipher to use, use the 'openssl ciphers'\n");
233
4
	BIO_printf(bio_err, "                 command to see what is available\n");
234
4
	BIO_printf(bio_err, " -starttls prot - use the STARTTLS command before starting TLS\n");
235
4
	BIO_printf(bio_err, "                 for those protocols that support it, where\n");
236
4
	BIO_printf(bio_err, "                 'prot' defines which one to assume.  Currently,\n");
237
4
	BIO_printf(bio_err, "                 only \"smtp\", \"lmtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
238
4
	BIO_printf(bio_err, "                 are supported.\n");
239
4
	BIO_printf(bio_err, " -xmpphost host - connect to this virtual host on the xmpp server\n");
240
4
	BIO_printf(bio_err, " -sess_out arg - file to write SSL session to\n");
241
4
	BIO_printf(bio_err, " -sess_in arg  - file to read SSL session from\n");
242
4
	BIO_printf(bio_err, " -servername host  - Set TLS extension servername in ClientHello\n");
243
4
	BIO_printf(bio_err, " -tlsextdebug      - hex dump of all TLS extensions received\n");
244
4
	BIO_printf(bio_err, " -status           - request certificate status from server\n");
245
4
	BIO_printf(bio_err, " -no_ticket        - disable use of RFC4507bis session tickets\n");
246
4
	BIO_printf(bio_err, " -alpn arg         - enable ALPN extension, considering named protocols supported (comma-separated list)\n");
247
4
	BIO_printf(bio_err, " -groups arg       - specify EC curve groups (colon-separated list)\n");
248
#ifndef OPENSSL_NO_SRTP
249
4
	BIO_printf(bio_err, " -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
250
#endif
251
4
	BIO_printf(bio_err, " -keymatexport label   - Export keying material using label\n");
252
4
	BIO_printf(bio_err, " -keymatexportlen len  - Export len bytes of keying material (default 20)\n");
253
4
}
254
255
256
/* This is a context that we pass to callbacks */
257
typedef struct tlsextctx_st {
258
	BIO *biodebug;
259
	int ack;
260
} tlsextctx;
261
262
263
static int
264
ssl_servername_cb(SSL * s, int *ad, void *arg)
265
{
266
	tlsextctx *p = (tlsextctx *) arg;
267
	const char *hn = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
268
	if (SSL_get_servername_type(s) != -1)
269
		p->ack = !SSL_session_reused(s) && hn != NULL;
270
	else
271
		BIO_printf(bio_err, "Can't use SSL_get_servername\n");
272
273
	return SSL_TLSEXT_ERR_OK;
274
}
275
276
#ifndef OPENSSL_NO_SRTP
277
char *srtp_profiles = NULL;
278
#endif
279
280
enum {
281
	PROTO_OFF = 0,
282
	PROTO_SMTP,
283
	PROTO_LMTP,
284
	PROTO_POP3,
285
	PROTO_IMAP,
286
	PROTO_FTP,
287
	PROTO_XMPP
288
};
289
290
int
291
s_client_main(int argc, char **argv)
292
{
293
	unsigned int off = 0, clr = 0;
294
	SSL *con = NULL;
295
8
	int s, k, state = 0, af = AF_UNSPEC;
296
	char *cbuf = NULL, *sbuf = NULL, *mbuf = NULL;
297
	int cbuf_len, cbuf_off;
298
	int sbuf_len, sbuf_off;
299
8
	char *port = PORT_STR;
300
	int full_log = 1;
301
8
	char *host = SSL_HOST_NAME;
302
	char *xmpphost = NULL;
303
	char *proxy = NULL, *connect = NULL;
304
	char *cert_file = NULL, *key_file = NULL;
305
	int cert_format = FORMAT_PEM, key_format = FORMAT_PEM;
306
8
	char *passarg = NULL, *pass = NULL;
307
	X509 *cert = NULL;
308
	EVP_PKEY *key = NULL;
309
	char *CApath = NULL, *CAfile = NULL, *cipher = NULL;
310
	int reconnect = 0, badop = 0, verify = SSL_VERIFY_NONE, bugs = 0;
311
	int crlf = 0;
312
	int write_tty, read_tty, write_ssl, read_ssl, tty_on, ssl_pending;
313
	SSL_CTX *ctx = NULL;
314
	int ret = 1, in_init = 1, i, nbio_test = 0;
315
	int starttls_proto = PROTO_OFF;
316
	int prexit = 0;
317
8
	X509_VERIFY_PARAM *vpm = NULL;
318
8
	int badarg = 0;
319
	const SSL_METHOD *meth = NULL;
320
	int socket_type = SOCK_STREAM;
321
	BIO *sbio;
322
	int mbuf_len = 0;
323
8
	struct timeval timeout;
324
8
	const char *errstr = NULL;
325
	char *servername = NULL;
326
8
	tlsextctx tlsextcbp = {NULL, 0};
327
	const char *alpn_in = NULL;
328
	const char *groups_in = NULL;
329
	char *sess_in = NULL;
330
	char *sess_out = NULL;
331
8
	struct sockaddr peer;
332
8
	int peerlen = sizeof(peer);
333
	int enable_timeouts = 0;
334
	long socket_mtu = 0;
335
336
8
	if (single_execution) {
337
8
		if (pledge("stdio cpath wpath rpath inet dns tty flock", NULL) == -1) {
338
			perror("pledge");
339
			exit(1);
340
		}
341
	}
342
343
8
	meth = SSLv23_client_method();
344
345
8
	c_Pause = 0;
346
8
	c_quiet = 0;
347
8
	c_ign_eof = 0;
348
8
	c_debug = 0;
349
8
	c_msg = 0;
350
8
	c_showcerts = 0;
351
352

16
	if (((cbuf = malloc(BUFSIZZ)) == NULL) ||
353
8
	    ((sbuf = malloc(BUFSIZZ)) == NULL) ||
354
8
	    ((mbuf = malloc(BUFSIZZ + 1)) == NULL)) {	/* NUL byte */
355
		BIO_printf(bio_err, "out of memory\n");
356
		goto end;
357
	}
358
8
	verify_depth = 0;
359
8
	c_nbio = 0;
360
361
8
	argc--;
362
8
	argv++;
363
92
	while (argc >= 1) {
364
48
		if (strcmp(*argv, "-host") == 0) {
365
			if (--argc < 1)
366
				goto bad;
367
			host = *(++argv);
368
48
		} else if (strcmp(*argv, "-port") == 0) {
369
			if (--argc < 1)
370
				goto bad;
371
			port = *(++argv);
372
			if (port == NULL || *port == '\0')
373
				goto bad;
374
48
		} else if (strcmp(*argv, "-connect") == 0) {
375
4
			if (--argc < 1)
376
				goto bad;
377
4
			connect = *(++argv);
378
48
		} else if (strcmp(*argv, "-proxy") == 0) {
379
			if (--argc < 1)
380
				goto bad;
381
			proxy = *(++argv);
382
44
		} else if (strcmp(*argv,"-xmpphost") == 0) {
383
			if (--argc < 1)
384
				goto bad;
385
			xmpphost= *(++argv);
386
44
		} else if (strcmp(*argv, "-verify") == 0) {
387
			verify = SSL_VERIFY_PEER;
388
			if (--argc < 1)
389
				goto bad;
390
			verify_depth = strtonum(*(++argv), 0, INT_MAX, &errstr);
391
			if (errstr)
392
				goto bad;
393
			BIO_printf(bio_err, "verify depth is %d\n", verify_depth);
394
44
		} else if (strcmp(*argv, "-cert") == 0) {
395
			if (--argc < 1)
396
				goto bad;
397
			cert_file = *(++argv);
398
44
		} else if (strcmp(*argv, "-sess_out") == 0) {
399
4
			if (--argc < 1)
400
				goto bad;
401
4
			sess_out = *(++argv);
402
44
		} else if (strcmp(*argv, "-sess_in") == 0) {
403
			if (--argc < 1)
404
				goto bad;
405
			sess_in = *(++argv);
406
40
		} else if (strcmp(*argv, "-certform") == 0) {
407
			if (--argc < 1)
408
				goto bad;
409
			cert_format = str2fmt(*(++argv));
410
40
		} else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm)) {
411
12
			if (badarg)
412
				goto bad;
413
12
			continue;
414
28
		} else if (strcmp(*argv, "-verify_return_error") == 0)
415
			verify_return_error = 1;
416
28
		else if (strcmp(*argv, "-prexit") == 0)
417
4
			prexit = 1;
418
24
		else if (strcmp(*argv, "-crlf") == 0)
419
			crlf = 1;
420
24
		else if (strcmp(*argv, "-quiet") == 0) {
421
			c_quiet = 1;
422
			c_ign_eof = 1;
423
24
		} else if (strcmp(*argv, "-ign_eof") == 0)
424
			c_ign_eof = 1;
425
24
		else if (strcmp(*argv, "-no_ign_eof") == 0)
426
			c_ign_eof = 0;
427
24
		else if (strcmp(*argv, "-pause") == 0)
428
4
			c_Pause = 1;
429
20
		else if (strcmp(*argv, "-debug") == 0)
430
			c_debug = 1;
431
20
		else if (strcmp(*argv, "-tlsextdebug") == 0)
432
			c_tlsextdebug = 1;
433
20
		else if (strcmp(*argv, "-status") == 0)
434
			c_status_req = 1;
435
20
		else if (strcmp(*argv, "-msg") == 0)
436
			c_msg = 1;
437
20
		else if (strcmp(*argv, "-showcerts") == 0)
438
4
			c_showcerts = 1;
439
16
		else if (strcmp(*argv, "-nbio_test") == 0)
440
			nbio_test = 1;
441
16
		else if (strcmp(*argv, "-state") == 0)
442
			state = 1;
443
16
		else if (strcmp(*argv, "-tls1_2") == 0)
444
			meth = TLSv1_2_client_method();
445
16
		else if (strcmp(*argv, "-tls1_1") == 0)
446
			meth = TLSv1_1_client_method();
447
16
		else if (strcmp(*argv, "-tls1") == 0)
448
			meth = TLSv1_client_method();
449
#ifndef OPENSSL_NO_DTLS1
450
16
		else if (strcmp(*argv, "-dtls1") == 0) {
451
			meth = DTLSv1_client_method();
452
			socket_type = SOCK_DGRAM;
453
16
		} else if (strcmp(*argv, "-timeout") == 0)
454
			enable_timeouts = 1;
455
16
		else if (strcmp(*argv, "-mtu") == 0) {
456
			if (--argc < 1)
457
				goto bad;
458
			socket_mtu = strtonum(*(++argv), 0, LONG_MAX, &errstr);
459
			if (errstr)
460
				goto bad;
461
		}
462
#endif
463
16
		else if (strcmp(*argv, "-bugs") == 0)
464
			bugs = 1;
465
16
		else if (strcmp(*argv, "-keyform") == 0) {
466
			if (--argc < 1)
467
				goto bad;
468
			key_format = str2fmt(*(++argv));
469
16
		} else if (strcmp(*argv, "-pass") == 0) {
470
			if (--argc < 1)
471
				goto bad;
472
			passarg = *(++argv);
473
16
		} else if (strcmp(*argv, "-key") == 0) {
474
			if (--argc < 1)
475
				goto bad;
476
			key_file = *(++argv);
477
16
		} else if (strcmp(*argv, "-reconnect") == 0) {
478
			reconnect = 5;
479
16
		} else if (strcmp(*argv, "-CApath") == 0) {
480
			if (--argc < 1)
481
				goto bad;
482
			CApath = *(++argv);
483
16
		} else if (strcmp(*argv, "-CAfile") == 0) {
484
4
			if (--argc < 1)
485
				goto bad;
486
4
			CAfile = *(++argv);
487
16
		} else if (strcmp(*argv, "-no_tls1_2") == 0)
488
			off |= SSL_OP_NO_TLSv1_2;
489
12
		else if (strcmp(*argv, "-no_tls1_1") == 0)
490
			off |= SSL_OP_NO_TLSv1_1;
491
12
		else if (strcmp(*argv, "-no_tls1") == 0)
492
			off |= SSL_OP_NO_TLSv1;
493
12
		else if (strcmp(*argv, "-no_ssl3") == 0)
494
			off |= SSL_OP_NO_SSLv3;
495
12
		else if (strcmp(*argv, "-no_ssl2") == 0)
496
			off |= SSL_OP_NO_SSLv2;
497
12
		else if (strcmp(*argv, "-no_comp") == 0) {
498
			off |= SSL_OP_NO_COMPRESSION;
499
12
		} else if (strcmp(*argv, "-no_ticket") == 0) {
500
			off |= SSL_OP_NO_TICKET;
501
12
		} else if (strcmp(*argv, "-nextprotoneg") == 0) {
502
			/* Ignored. */
503
4
			if (--argc < 1)
504
				goto bad;
505
4
			++argv;
506
12
		} else if (strcmp(*argv, "-alpn") == 0) {
507
4
			if (--argc < 1)
508
				goto bad;
509
4
			alpn_in = *(++argv);
510
8
		} else if (strcmp(*argv, "-groups") == 0) {
511
			if (--argc < 1)
512
				goto bad;
513
			groups_in = *(++argv);
514
4
		} else if (strcmp(*argv, "-serverpref") == 0)
515
			off |= SSL_OP_CIPHER_SERVER_PREFERENCE;
516
4
		else if (strcmp(*argv, "-legacy_renegotiation") == 0)
517
			; /* no-op */
518
4
		else if (strcmp(*argv, "-legacy_server_connect") == 0) {
519
			off |= SSL_OP_LEGACY_SERVER_CONNECT;
520
4
		} else if (strcmp(*argv, "-no_legacy_server_connect") == 0) {
521
			clr |= SSL_OP_LEGACY_SERVER_CONNECT;
522
4
		} else if (strcmp(*argv, "-cipher") == 0) {
523
			if (--argc < 1)
524
				goto bad;
525
			cipher = *(++argv);
526
		}
527
4
		else if (strcmp(*argv, "-nbio") == 0) {
528
			c_nbio = 1;
529
		}
530
4
		else if (strcmp(*argv, "-starttls") == 0) {
531
			if (--argc < 1)
532
				goto bad;
533
			++argv;
534
			if (strcmp(*argv, "smtp") == 0)
535
				starttls_proto = PROTO_SMTP;
536
			else if (strcmp(*argv, "lmtp") == 0)
537
				starttls_proto = PROTO_LMTP;
538
			else if (strcmp(*argv, "pop3") == 0)
539
				starttls_proto = PROTO_POP3;
540
			else if (strcmp(*argv, "imap") == 0)
541
				starttls_proto = PROTO_IMAP;
542
			else if (strcmp(*argv, "ftp") == 0)
543
				starttls_proto = PROTO_FTP;
544
			else if (strcmp(*argv, "xmpp") == 0)
545
				starttls_proto = PROTO_XMPP;
546
			else
547
				goto bad;
548
		}
549
4
		else if (strcmp(*argv, "-4") == 0) {
550
			af = AF_INET;
551
4
		} else if (strcmp(*argv, "-6") == 0) {
552
			af = AF_INET6;
553
		}
554
4
		else if (strcmp(*argv, "-servername") == 0) {
555
			if (--argc < 1)
556
				goto bad;
557
			servername = *(++argv);
558
			/* meth=TLSv1_client_method(); */
559
		}
560
#ifndef OPENSSL_NO_SRTP
561
4
		else if (strcmp(*argv, "-use_srtp") == 0) {
562
			if (--argc < 1)
563
				goto bad;
564
			srtp_profiles = *(++argv);
565
		}
566
#endif
567
4
		else if (strcmp(*argv, "-keymatexport") == 0) {
568
			if (--argc < 1)
569
				goto bad;
570
			keymatexportlabel = *(++argv);
571
4
		} else if (strcmp(*argv, "-keymatexportlen") == 0) {
572
			if (--argc < 1)
573
				goto bad;
574
			keymatexportlen = strtonum(*(++argv), 1, INT_MAX, &errstr);
575
			if (errstr)
576
				goto bad;
577
		} else {
578
4
			BIO_printf(bio_err, "unknown option %s\n", *argv);
579
			badop = 1;
580
4
			break;
581
		}
582
32
		argc--;
583
32
		argv++;
584
	}
585
8
	if (proxy != NULL) {
586
		if (!extract_host_port(proxy, &host, NULL, &port))
587
			goto bad;
588
		if (connect == NULL)
589
			connect = SSL_HOST_NAME;
590
8
	} else if (connect != NULL) {
591
8
		if (!extract_host_port(connect, &host, NULL, &port))
592
			goto bad;
593
	}
594
8
	if (badop) {
595
bad:
596
4
		if (errstr)
597
			BIO_printf(bio_err, "invalid argument %s: %s\n",
598
			    *argv, errstr);
599
		else
600
4
			sc_usage();
601
		goto end;
602
	}
603
604
4
	if (!app_passwd(bio_err, passarg, NULL, &pass, NULL)) {
605
		BIO_printf(bio_err, "Error getting password\n");
606
		goto end;
607
	}
608
4
	if (key_file == NULL)
609
4
		key_file = cert_file;
610
611
612
4
	if (key_file) {
613
614
		key = load_key(bio_err, key_file, key_format, 0, pass,
615
		    "client certificate private key file");
616
		if (!key) {
617
			ERR_print_errors(bio_err);
618
			goto end;
619
		}
620
	}
621
4
	if (cert_file) {
622
		cert = load_cert(bio_err, cert_file, cert_format,
623
		    NULL, "client certificate file");
624
625
		if (!cert) {
626
			ERR_print_errors(bio_err);
627
			goto end;
628
		}
629
	}
630
4
	if (bio_c_out == NULL) {
631
4
		if (c_quiet && !c_debug && !c_msg) {
632
			bio_c_out = BIO_new(BIO_s_null());
633
		} else {
634
4
			if (bio_c_out == NULL)
635
4
				bio_c_out = BIO_new_fp(stdout, BIO_NOCLOSE);
636
		}
637
	}
638
639
4
	ctx = SSL_CTX_new(meth);
640
4
	if (ctx == NULL) {
641
		ERR_print_errors(bio_err);
642
		goto end;
643
	}
644
4
	if (vpm)
645
4
		SSL_CTX_set1_param(ctx, vpm);
646
647
#ifndef OPENSSL_NO_SRTP
648
4
	if (srtp_profiles != NULL)
649
		SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles);
650
#endif
651
4
	if (bugs)
652
		SSL_CTX_set_options(ctx, SSL_OP_ALL | off);
653
	else
654
4
		SSL_CTX_set_options(ctx, off);
655
656
4
	if (clr)
657
		SSL_CTX_clear_options(ctx, clr);
658
	/*
659
	 * DTLS: partial reads end up discarding unread UDP bytes :-( Setting
660
	 * read ahead solves this problem.
661
	 */
662
4
	if (socket_type == SOCK_DGRAM)
663
		SSL_CTX_set_read_ahead(ctx, 1);
664
665
4
	if (alpn_in) {
666
4
		unsigned short alpn_len;
667
4
		unsigned char *alpn = next_protos_parse(&alpn_len, alpn_in);
668
669
4
		if (alpn == NULL) {
670
			BIO_printf(bio_err, "Error parsing -alpn argument\n");
671
			goto end;
672
		}
673
4
		SSL_CTX_set_alpn_protos(ctx, alpn, alpn_len);
674
4
		free(alpn);
675
8
	}
676
4
	if (groups_in != NULL) {
677
		if (SSL_CTX_set1_groups_list(ctx, groups_in) != 1) {
678
			BIO_printf(bio_err, "Failed to set groups '%s'\n",
679
			    groups_in);
680
			goto end;
681
		}
682
	}
683
684
4
	if (state)
685
		SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback);
686
4
	if (cipher != NULL)
687
		if (!SSL_CTX_set_cipher_list(ctx, cipher)) {
688
			BIO_printf(bio_err, "error setting cipher list\n");
689
			ERR_print_errors(bio_err);
690
			goto end;
691
		}
692
693
4
	SSL_CTX_set_verify(ctx, verify, verify_callback);
694
4
	if (!set_cert_key_stuff(ctx, cert, key))
695
		goto end;
696
697

8
	if ((CAfile || CApath)
698
4
	    && !SSL_CTX_load_verify_locations(ctx, CAfile, CApath))
699
		ERR_print_errors(bio_err);
700
701
4
	if (!SSL_CTX_set_default_verify_paths(ctx))
702
		ERR_print_errors(bio_err);
703
704
4
	if (servername != NULL) {
705
		tlsextcbp.biodebug = bio_err;
706
		SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
707
		SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
708
	}
709
710
4
	con = SSL_new(ctx);
711
4
	if (sess_in) {
712
		SSL_SESSION *sess;
713
		BIO *stmp = BIO_new_file(sess_in, "r");
714
		if (!stmp) {
715
			BIO_printf(bio_err, "Can't open session file %s\n",
716
			    sess_in);
717
			ERR_print_errors(bio_err);
718
			goto end;
719
		}
720
		sess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL);
721
		BIO_free(stmp);
722
		if (!sess) {
723
			BIO_printf(bio_err, "Can't open session file %s\n",
724
			    sess_in);
725
			ERR_print_errors(bio_err);
726
			goto end;
727
		}
728
		SSL_set_session(con, sess);
729
		SSL_SESSION_free(sess);
730
	}
731
8
	if (servername != NULL) {
732
		if (!SSL_set_tlsext_host_name(con, servername)) {
733
			BIO_printf(bio_err, "Unable to set TLS servername extension.\n");
734
			ERR_print_errors(bio_err);
735
			goto end;
736
		}
737
	}
738
/*	SSL_set_cipher_list(con,"RC4-MD5"); */
739
740
re_start:
741
742
4
	if (init_client(&s, host, port, socket_type, af) == 0) {
743
		BIO_printf(bio_err, "connect:errno=%d\n", errno);
744
		goto end;
745
	}
746
4
	BIO_printf(bio_c_out, "CONNECTED(%08X)\n", s);
747
748
4
	if (c_nbio) {
749
		if (!c_quiet)
750
			BIO_printf(bio_c_out, "turning on non blocking io\n");
751
		if (!BIO_socket_nbio(s, 1)) {
752
			ERR_print_errors(bio_err);
753
			goto end;
754
		}
755
	}
756
4
	if (c_Pause & 0x01)
757
4
		SSL_set_debug(con, 1);
758
759
4
	if (SSL_version(con) == DTLS1_VERSION) {
760
761
		sbio = BIO_new_dgram(s, BIO_NOCLOSE);
762
		if (getsockname(s, &peer, (void *) &peerlen) < 0) {
763
			BIO_printf(bio_err, "getsockname:errno=%d\n",
764
			    errno);
765
			shutdown(s, SHUT_RD);
766
			close(s);
767
			goto end;
768
		}
769
		(void) BIO_ctrl_set_connected(sbio, 1, &peer);
770
771
		if (enable_timeouts) {
772
			timeout.tv_sec = 0;
773
			timeout.tv_usec = DGRAM_RCV_TIMEOUT;
774
			BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
775
776
			timeout.tv_sec = 0;
777
			timeout.tv_usec = DGRAM_SND_TIMEOUT;
778
			BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
779
		}
780
		if (socket_mtu > 28) {
781
			SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
782
			SSL_set_mtu(con, socket_mtu - 28);
783
		} else
784
			/* want to do MTU discovery */
785
			BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
786
	} else
787
4
		sbio = BIO_new_socket(s, BIO_NOCLOSE);
788
789
4
	if (nbio_test) {
790
		BIO *test;
791
792
		test = BIO_new(BIO_f_nbio_test());
793
		sbio = BIO_push(test, sbio);
794
	}
795
4
	if (c_debug) {
796
		SSL_set_debug(con, 1);
797
		BIO_set_callback(sbio, bio_dump_callback);
798
		BIO_set_callback_arg(sbio, (char *) bio_c_out);
799
	}
800
4
	if (c_msg) {
801
		SSL_set_msg_callback(con, msg_cb);
802
		SSL_set_msg_callback_arg(con, bio_c_out);
803
	}
804
4
	if (c_tlsextdebug) {
805
		SSL_set_tlsext_debug_callback(con, tlsext_cb);
806
		SSL_set_tlsext_debug_arg(con, bio_c_out);
807
	}
808
4
	if (c_status_req) {
809
		SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp);
810
		SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb);
811
		SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out);
812
	}
813
814
4
	SSL_set_bio(con, sbio, sbio);
815
4
	SSL_set_connect_state(con);
816
817
	/* ok, lets connect */
818
	read_tty = 1;
819
	write_tty = 0;
820
	tty_on = 0;
821
	read_ssl = 1;
822
	write_ssl = 1;
823
824
	cbuf_len = 0;
825
	cbuf_off = 0;
826
	sbuf_len = 0;
827
	sbuf_off = 0;
828
829
	/* This is an ugly hack that does a lot of assumptions */
830
	/*
831
	 * We do have to handle multi-line responses which may come in a
832
	 * single packet or not. We therefore have to use BIO_gets() which
833
	 * does need a buffering BIO. So during the initial chitchat we do
834
	 * push a buffering BIO into the chain that is removed again later on
835
	 * to not disturb the rest of the s_client operation.
836
	 */
837
4
	if (starttls_proto == PROTO_SMTP || starttls_proto == PROTO_LMTP) {
838
		int foundit = 0;
839
		BIO *fbio = BIO_new(BIO_f_buffer());
840
		BIO_push(fbio, sbio);
841
		/* wait for multi-line response to end from SMTP */
842
		do {
843
			mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
844
		}
845
		while (mbuf_len > 3 && mbuf[3] == '-');
846
		/* STARTTLS command requires EHLO... */
847
		BIO_printf(fbio, "%cHLO openssl.client.net\r\n",
848
			   starttls_proto == PROTO_SMTP ? 'E' : 'L');
849
		(void) BIO_flush(fbio);
850
		/* wait for multi-line response to end EHLO SMTP response */
851
		do {
852
			mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
853
			if (strstr(mbuf, "STARTTLS"))
854
				foundit = 1;
855
		}
856
		while (mbuf_len > 3 && mbuf[3] == '-');
857
		(void) BIO_flush(fbio);
858
		BIO_pop(fbio);
859
		BIO_free(fbio);
860
		if (!foundit)
861
			BIO_printf(bio_err,
862
			    "didn't found starttls in server response,"
863
			    " try anyway...\n");
864
		BIO_printf(sbio, "STARTTLS\r\n");
865
		BIO_read(sbio, sbuf, BUFSIZZ);
866
4
	} else if (starttls_proto == PROTO_POP3) {
867
		mbuf_len = BIO_read(sbio, mbuf, BUFSIZZ);
868
		if (mbuf_len == -1) {
869
			BIO_printf(bio_err, "BIO_read failed\n");
870
			goto end;
871
		}
872
		BIO_printf(sbio, "STLS\r\n");
873
		BIO_read(sbio, sbuf, BUFSIZZ);
874
4
	} else if (starttls_proto == PROTO_IMAP) {
875
		int foundit = 0;
876
		BIO *fbio = BIO_new(BIO_f_buffer());
877
		BIO_push(fbio, sbio);
878
		BIO_gets(fbio, mbuf, BUFSIZZ);
879
		/* STARTTLS command requires CAPABILITY... */
880
		BIO_printf(fbio, ". CAPABILITY\r\n");
881
		(void) BIO_flush(fbio);
882
		/* wait for multi-line CAPABILITY response */
883
		do {
884
			mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
885
			if (strstr(mbuf, "STARTTLS"))
886
				foundit = 1;
887
		}
888
		while (mbuf_len > 3 && mbuf[0] != '.');
889
		(void) BIO_flush(fbio);
890
		BIO_pop(fbio);
891
		BIO_free(fbio);
892
		if (!foundit)
893
			BIO_printf(bio_err,
894
			    "didn't found STARTTLS in server response,"
895
			    " try anyway...\n");
896
		BIO_printf(sbio, ". STARTTLS\r\n");
897
		BIO_read(sbio, sbuf, BUFSIZZ);
898
4
	} else if (starttls_proto == PROTO_FTP) {
899
		BIO *fbio = BIO_new(BIO_f_buffer());
900
		BIO_push(fbio, sbio);
901
		/* wait for multi-line response to end from FTP */
902
		do {
903
			mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
904
		}
905
		while (mbuf_len > 3 && mbuf[3] == '-');
906
		(void) BIO_flush(fbio);
907
		BIO_pop(fbio);
908
		BIO_free(fbio);
909
		BIO_printf(sbio, "AUTH TLS\r\n");
910
		BIO_read(sbio, sbuf, BUFSIZZ);
911
4
	} else if (starttls_proto == PROTO_XMPP) {
912
		int seen = 0;
913
		BIO_printf(sbio, "<stream:stream "
914
		    "xmlns:stream='http://etherx.jabber.org/streams' "
915
		    "xmlns='jabber:client' to='%s' version='1.0'>", xmpphost ? xmpphost : host);
916
		seen = BIO_read(sbio, mbuf, BUFSIZZ);
917
918
		if (seen <= 0)
919
			goto shut;
920
921
		mbuf[seen] = 0;
922
		while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'") &&
923
		       !strstr(mbuf, "<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\"")) {
924
			seen = BIO_read(sbio, mbuf, BUFSIZZ);
925
926
			if (seen <= 0)
927
				goto shut;
928
929
			mbuf[seen] = 0;
930
		}
931
		BIO_printf(sbio, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>");
932
		seen = BIO_read(sbio, sbuf, BUFSIZZ);
933
		sbuf[seen] = 0;
934
		if (!strstr(sbuf, "<proceed"))
935
			goto shut;
936
		mbuf[0] = 0;
937

4
	} else if (proxy != NULL) {
938
		BIO_printf(sbio, "CONNECT %s HTTP/1.0\r\n\r\n", connect);
939
		mbuf_len = BIO_read(sbio, mbuf, BUFSIZZ);
940
		if (mbuf_len == -1) {
941
			BIO_printf(bio_err, "BIO_read failed\n");
942
			goto end;
943
		}
944
	}
945
8
	for (;;) {
946
8
		struct pollfd pfd[3];	/* stdin, stdout, socket */
947
		int ptimeout = -1;
948
949

8
		if ((SSL_version(con) == DTLS1_VERSION) &&
950
		    DTLSv1_get_timeout(con, &timeout))
951
			ptimeout = timeout.tv_sec * 1000 + timeout.tv_usec / 1000;
952
953

12
		if (SSL_in_init(con) && !SSL_total_renegotiations(con)) {
954
			in_init = 1;
955
			tty_on = 0;
956
4
		} else {
957
			tty_on = 1;
958
4
			if (in_init) {
959
				in_init = 0;
960
4
				if (sess_out) {
961
4
					BIO *stmp = BIO_new_file(sess_out, "w");
962
4
					if (stmp) {
963
4
						PEM_write_bio_SSL_SESSION(stmp, SSL_get_session(con));
964
4
						BIO_free(stmp);
965
4
					} else
966
						BIO_printf(bio_err, "Error writing session file %s\n", sess_out);
967
4
				}
968
4
				print_stuff(bio_c_out, con, full_log);
969
4
				if (full_log > 0)
970
4
					full_log--;
971
972
4
				if (starttls_proto) {
973
					BIO_write(bio_err, mbuf, mbuf_len);
974
					/* We don't need to know any more */
975
					starttls_proto = PROTO_OFF;
976
				}
977
4
				if (reconnect) {
978
					reconnect--;
979
					BIO_printf(bio_c_out, "drop connection and then reconnect\n");
980
					SSL_shutdown(con);
981
					SSL_set_connect_state(con);
982
					shutdown(SSL_get_fd(con), SHUT_RD);
983
					close(SSL_get_fd(con));
984
					goto re_start;
985
				}
986
			}
987
		}
988
989
24
		ssl_pending = read_ssl && SSL_pending(con);
990
991
8
		pfd[0].fd = -1;
992
8
		pfd[1].fd = -1;
993
8
		if (!ssl_pending) {
994
8
			if (tty_on) {
995
4
				if (read_tty) {
996
12
					pfd[0].fd = fileno(stdin);
997
4
					pfd[0].events = POLLIN;
998
4
				}
999
4
				if (write_tty) {
1000
					pfd[1].fd = fileno(stdout);
1001
					pfd[1].events = POLLOUT;
1002
				}
1003
			}
1004
1005
8
			pfd[2].fd = SSL_get_fd(con);
1006
8
			pfd[2].events = 0;
1007
8
			if (read_ssl)
1008
8
				pfd[2].events |= POLLIN;
1009
8
			if (write_ssl)
1010
4
				pfd[2].events |= POLLOUT;
1011
1012
/*			printf("mode tty(%d %d%d) ssl(%d%d)\n",
1013
				tty_on,read_tty,write_tty,read_ssl,write_ssl);*/
1014
1015
8
			i = poll(pfd, 3, ptimeout);
1016
8
			if (i < 0) {
1017
				BIO_printf(bio_err, "bad select %d\n",
1018
				    errno);
1019
				goto shut;
1020
				/* goto end; */
1021
			}
1022
		}
1023

8
		if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0) {
1024
			BIO_printf(bio_err, "TIMEOUT occured\n");
1025
		}
1026

16
		if (!ssl_pending && (pfd[2].revents & (POLLOUT|POLLERR|POLLNVAL))) {
1027
4
			if (pfd[2].revents & (POLLERR|POLLNVAL)) {
1028
				BIO_printf(bio_err, "poll error");
1029
				goto shut;
1030
			}
1031
8
			k = SSL_write(con, &(cbuf[cbuf_off]),
1032
			    (unsigned int) cbuf_len);
1033


8
			switch (SSL_get_error(con, k)) {
1034
			case SSL_ERROR_NONE:
1035
				cbuf_off += k;
1036
				cbuf_len -= k;
1037
				if (k <= 0)
1038
					goto end;
1039
				/* we have done a  write(con,NULL,0); */
1040
				if (cbuf_len <= 0) {
1041
					read_tty = 1;
1042
					write_ssl = 0;
1043
				} else {	/* if (cbuf_len > 0) */
1044
					read_tty = 0;
1045
					write_ssl = 1;
1046
				}
1047
				break;
1048
			case SSL_ERROR_WANT_WRITE:
1049
				BIO_printf(bio_c_out, "write W BLOCK\n");
1050
				write_ssl = 1;
1051
				read_tty = 0;
1052
				break;
1053
			case SSL_ERROR_WANT_READ:
1054
				BIO_printf(bio_c_out, "write R BLOCK\n");
1055
				write_tty = 0;
1056
				read_ssl = 1;
1057
				write_ssl = 0;
1058
				break;
1059
			case SSL_ERROR_WANT_X509_LOOKUP:
1060
				BIO_printf(bio_c_out, "write X BLOCK\n");
1061
				break;
1062
			case SSL_ERROR_ZERO_RETURN:
1063
				if (cbuf_len != 0) {
1064
					BIO_printf(bio_c_out, "shutdown\n");
1065
					ret = 0;
1066
					goto shut;
1067
				} else {
1068
					read_tty = 1;
1069
					write_ssl = 0;
1070
					break;
1071
				}
1072
1073
			case SSL_ERROR_SYSCALL:
1074
4
				if ((k != 0) || (cbuf_len != 0)) {
1075
					BIO_printf(bio_err, "write:errno=%d\n",
1076
					    errno);
1077
					goto shut;
1078
				} else {
1079
					read_tty = 1;
1080
					write_ssl = 0;
1081
				}
1082
4
				break;
1083
			case SSL_ERROR_SSL:
1084
				ERR_print_errors(bio_err);
1085
				goto shut;
1086
			}
1087

8
		} else if (!ssl_pending &&
1088
4
		    (pfd[1].revents & (POLLOUT|POLLERR|POLLNVAL))) {
1089
			if (pfd[1].revents & (POLLERR|POLLNVAL)) {
1090
				BIO_printf(bio_err, "poll error");
1091
				goto shut;
1092
			}
1093
			i = write(fileno(stdout), &(sbuf[sbuf_off]), sbuf_len);
1094
1095
			if (i <= 0) {
1096
				BIO_printf(bio_c_out, "DONE\n");
1097
				ret = 0;
1098
				goto shut;
1099
				/* goto end; */
1100
			}
1101
			sbuf_len -= i;
1102
			sbuf_off += i;
1103
			if (sbuf_len <= 0) {
1104
				read_ssl = 1;
1105
				write_tty = 0;
1106
			}
1107

8
		} else if (ssl_pending || (pfd[2].revents & (POLLIN|POLLHUP))) {
1108
#ifdef RENEG
1109
			{
1110
				static int iiii;
1111
				if (++iiii == 52) {
1112
					SSL_renegotiate(con);
1113
					iiii = 0;
1114
				}
1115
			}
1116
#endif
1117
			k = SSL_read(con, sbuf, 1024 /* BUFSIZZ */ );
1118
1119
			switch (SSL_get_error(con, k)) {
1120
			case SSL_ERROR_NONE:
1121
				if (k <= 0)
1122
					goto end;
1123
				sbuf_off = 0;
1124
				sbuf_len = k;
1125
1126
				read_ssl = 0;
1127
				write_tty = 1;
1128
				break;
1129
			case SSL_ERROR_WANT_WRITE:
1130
				BIO_printf(bio_c_out, "read W BLOCK\n");
1131
				write_ssl = 1;
1132
				read_tty = 0;
1133
				break;
1134
			case SSL_ERROR_WANT_READ:
1135
				BIO_printf(bio_c_out, "read R BLOCK\n");
1136
				write_tty = 0;
1137
				read_ssl = 1;
1138
				if ((read_tty == 0) && (write_ssl == 0))
1139
					write_ssl = 1;
1140
				break;
1141
			case SSL_ERROR_WANT_X509_LOOKUP:
1142
				BIO_printf(bio_c_out, "read X BLOCK\n");
1143
				break;
1144
			case SSL_ERROR_SYSCALL:
1145
				ret = errno;
1146
				BIO_printf(bio_err, "read:errno=%d\n", ret);
1147
				goto shut;
1148
			case SSL_ERROR_ZERO_RETURN:
1149
				BIO_printf(bio_c_out, "closed\n");
1150
				ret = 0;
1151
				goto shut;
1152
			case SSL_ERROR_SSL:
1153
				ERR_print_errors(bio_err);
1154
				goto shut;
1155
				/* break; */
1156
			}
1157
4
		} else if (pfd[0].revents) {
1158
4
			if (pfd[0].revents & (POLLERR|POLLNVAL)) {
1159
				BIO_printf(bio_err, "poll error");
1160
				goto shut;
1161
			}
1162
4
			if (crlf) {
1163
				int j, lf_num;
1164
1165
				i = read(fileno(stdin), cbuf, BUFSIZZ / 2);
1166
				lf_num = 0;
1167
				/* both loops are skipped when i <= 0 */
1168
				for (j = 0; j < i; j++)
1169
					if (cbuf[j] == '\n')
1170
						lf_num++;
1171
				for (j = i - 1; j >= 0; j--) {
1172
					cbuf[j + lf_num] = cbuf[j];
1173
					if (cbuf[j] == '\n') {
1174
						lf_num--;
1175
						i++;
1176
						cbuf[j + lf_num] = '\r';
1177
					}
1178
				}
1179
				assert(lf_num == 0);
1180
			} else
1181
12
				i = read(fileno(stdin), cbuf, BUFSIZZ);
1182
1183

8
			if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q'))) {
1184
4
				BIO_printf(bio_err, "DONE\n");
1185
				ret = 0;
1186
4
				goto shut;
1187
			}
1188
			if ((!c_ign_eof) && (cbuf[0] == 'R')) {
1189
				BIO_printf(bio_err, "RENEGOTIATING\n");
1190
				SSL_renegotiate(con);
1191
				cbuf_len = 0;
1192
			} else {
1193
				cbuf_len = i;
1194
				cbuf_off = 0;
1195
			}
1196
1197
			write_ssl = 1;
1198
			read_tty = 0;
1199
		}
1200

20
	}
1201
1202
	ret = 0;
1203
shut:
1204
4
	if (in_init)
1205
		print_stuff(bio_c_out, con, full_log);
1206
4
	SSL_shutdown(con);
1207
4
	shutdown(SSL_get_fd(con), SHUT_RD);
1208
4
	close(SSL_get_fd(con));
1209
end:
1210
8
	if (con != NULL) {
1211
4
		if (prexit != 0)
1212
4
			print_stuff(bio_c_out, con, 1);
1213
4
		SSL_free(con);
1214
4
	}
1215
8
	if (ctx != NULL)
1216
4
		SSL_CTX_free(ctx);
1217
8
	if (cert)
1218
		X509_free(cert);
1219
8
	if (key)
1220
		EVP_PKEY_free(key);
1221
8
	free(pass);
1222
8
	if (vpm)
1223
4
		X509_VERIFY_PARAM_free(vpm);
1224
8
	freezero(cbuf, BUFSIZZ);
1225
8
	freezero(sbuf, BUFSIZZ);
1226
8
	freezero(mbuf, BUFSIZZ);
1227
8
	if (bio_c_out != NULL) {
1228
4
		BIO_free(bio_c_out);
1229
4
		bio_c_out = NULL;
1230
4
	}
1231
1232
8
	return (ret);
1233
8
}
1234
1235
1236
static void
1237
print_stuff(BIO * bio, SSL * s, int full)
1238
{
1239
	X509 *peer = NULL;
1240
	char *p;
1241
	static const char *space = "                ";
1242
16
	char buf[BUFSIZ];
1243
	STACK_OF(X509) * sk;
1244
	STACK_OF(X509_NAME) * sk2;
1245
	const SSL_CIPHER *c;
1246
	X509_NAME *xn;
1247
	int j, i;
1248
	unsigned char *exportedkeymat;
1249
1250
8
	if (full) {
1251
		int got_a_chain = 0;
1252
1253
8
		sk = SSL_get_peer_cert_chain(s);
1254
8
		if (sk != NULL) {
1255
			got_a_chain = 1;	/* we don't have it for SSL2
1256
						 * (yet) */
1257
1258
8
			BIO_printf(bio, "---\nCertificate chain\n");
1259
48
			for (i = 0; i < sk_X509_num(sk); i++) {
1260
32
				X509_NAME_oneline(X509_get_subject_name(
1261
32
					sk_X509_value(sk, i)), buf, sizeof buf);
1262
16
				BIO_printf(bio, "%2d s:%s\n", i, buf);
1263
16
				X509_NAME_oneline(X509_get_issuer_name(
1264
16
					sk_X509_value(sk, i)), buf, sizeof buf);
1265
16
				BIO_printf(bio, "   i:%s\n", buf);
1266
16
				if (c_showcerts)
1267
16
					PEM_write_bio_X509(bio, sk_X509_value(sk, i));
1268
			}
1269
		}
1270
8
		BIO_printf(bio, "---\n");
1271
8
		peer = SSL_get_peer_certificate(s);
1272
8
		if (peer != NULL) {
1273
8
			BIO_printf(bio, "Server certificate\n");
1274
8
			if (!(c_showcerts && got_a_chain))	/* Redundant if we
1275
								 * showed the whole
1276
								 * chain */
1277
				PEM_write_bio_X509(bio, peer);
1278
16
			X509_NAME_oneline(X509_get_subject_name(peer),
1279
8
			    buf, sizeof buf);
1280
8
			BIO_printf(bio, "subject=%s\n", buf);
1281
8
			X509_NAME_oneline(X509_get_issuer_name(peer),
1282
			    buf, sizeof buf);
1283
8
			BIO_printf(bio, "issuer=%s\n", buf);
1284
8
		} else
1285
			BIO_printf(bio, "no peer certificate available\n");
1286
1287
8
		sk2 = SSL_get_client_CA_list(s);
1288

8
		if ((sk2 != NULL) && (sk_X509_NAME_num(sk2) > 0)) {
1289
			BIO_printf(bio, "---\nAcceptable client certificate CA names\n");
1290
			for (i = 0; i < sk_X509_NAME_num(sk2); i++) {
1291
				xn = sk_X509_NAME_value(sk2, i);
1292
				X509_NAME_oneline(xn, buf, sizeof(buf));
1293
				BIO_write(bio, buf, strlen(buf));
1294
				BIO_write(bio, "\n", 1);
1295
			}
1296
		} else {
1297
8
			BIO_printf(bio, "---\nNo client certificate CA names sent\n");
1298
		}
1299
8
		p = SSL_get_shared_ciphers(s, buf, sizeof buf);
1300
8
		if (p != NULL) {
1301
			/*
1302
			 * This works only for SSL 2.  In later protocol
1303
			 * versions, the client does not know what other
1304
			 * ciphers (in addition to the one to be used in the
1305
			 * current connection) the server supports.
1306
			 */
1307
1308
			BIO_printf(bio, "---\nCiphers common between both SSL endpoints:\n");
1309
			j = i = 0;
1310
			while (*p) {
1311
				if (*p == ':') {
1312
					BIO_write(bio, space, 15 - j % 25);
1313
					i++;
1314
					j = 0;
1315
					BIO_write(bio, ((i % 3) ? " " : "\n"), 1);
1316
				} else {
1317
					BIO_write(bio, p, 1);
1318
					j++;
1319
				}
1320
				p++;
1321
			}
1322
			BIO_write(bio, "\n", 1);
1323
		}
1324
1325
8
		ssl_print_tmp_key(bio, s);
1326
1327
8
		BIO_printf(bio, "---\nSSL handshake has read %ld bytes and written %ld bytes\n",
1328
8
		    BIO_number_read(SSL_get_rbio(s)),
1329
8
		    BIO_number_written(SSL_get_wbio(s)));
1330
8
	}
1331
8
	BIO_printf(bio, (SSL_cache_hit(s) ? "---\nReused, " : "---\nNew, "));
1332
8
	c = SSL_get_current_cipher(s);
1333
8
	BIO_printf(bio, "%s, Cipher is %s\n",
1334
8
	    SSL_CIPHER_get_version(c),
1335
8
	    SSL_CIPHER_get_name(c));
1336
8
	if (peer != NULL) {
1337
		EVP_PKEY *pktmp;
1338
8
		pktmp = X509_get_pubkey(peer);
1339
8
		BIO_printf(bio, "Server public key is %d bit\n",
1340
8
		    EVP_PKEY_bits(pktmp));
1341
8
		EVP_PKEY_free(pktmp);
1342
8
	}
1343
8
	BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
1344
8
	    SSL_get_secure_renegotiation_support(s) ? "" : " NOT");
1345
1346
	/* Compression is not supported and will always be none. */
1347
8
	BIO_printf(bio, "Compression: NONE\n");
1348
8
	BIO_printf(bio, "Expansion: NONE\n");
1349
1350
#ifdef SSL_DEBUG
1351
	{
1352
		/* Print out local port of connection: useful for debugging */
1353
		int sock;
1354
		struct sockaddr_in ladd;
1355
		socklen_t ladd_size = sizeof(ladd);
1356
		sock = SSL_get_fd(s);
1357
		getsockname(sock, (struct sockaddr *) & ladd, &ladd_size);
1358
		BIO_printf(bio_c_out, "LOCAL PORT is %u\n", ntohs(ladd.sin_port));
1359
	}
1360
#endif
1361
1362
	{
1363
8
		const unsigned char *proto;
1364
8
		unsigned int proto_len;
1365
8
		SSL_get0_alpn_selected(s, &proto, &proto_len);
1366
8
		if (proto_len > 0) {
1367
8
			BIO_printf(bio, "ALPN protocol: ");
1368
8
			BIO_write(bio, proto, proto_len);
1369
8
			BIO_write(bio, "\n", 1);
1370
8
		} else
1371
			BIO_printf(bio, "No ALPN negotiated\n");
1372
8
	}
1373
1374
#ifndef OPENSSL_NO_SRTP
1375
	{
1376
8
		SRTP_PROTECTION_PROFILE *srtp_profile = SSL_get_selected_srtp_profile(s);
1377
1378
8
		if (srtp_profile)
1379
			BIO_printf(bio, "SRTP Extension negotiated, profile=%s\n",
1380
			    srtp_profile->name);
1381
	}
1382
#endif
1383
1384
8
	SSL_SESSION_print(bio, SSL_get_session(s));
1385
8
	if (keymatexportlabel != NULL) {
1386
		BIO_printf(bio, "Keying material exporter:\n");
1387
		BIO_printf(bio, "    Label: '%s'\n", keymatexportlabel);
1388
		BIO_printf(bio, "    Length: %i bytes\n", keymatexportlen);
1389
		exportedkeymat = malloc(keymatexportlen);
1390
		if (exportedkeymat != NULL) {
1391
			if (!SSL_export_keying_material(s, exportedkeymat,
1392
				keymatexportlen,
1393
				keymatexportlabel,
1394
				strlen(keymatexportlabel),
1395
				NULL, 0, 0)) {
1396
				BIO_printf(bio, "    Error\n");
1397
			} else {
1398
				BIO_printf(bio, "    Keying material: ");
1399
				for (i = 0; i < keymatexportlen; i++)
1400
					BIO_printf(bio, "%02X",
1401
					    exportedkeymat[i]);
1402
				BIO_printf(bio, "\n");
1403
			}
1404
			free(exportedkeymat);
1405
		}
1406
	}
1407
8
	BIO_printf(bio, "---\n");
1408
8
	if (peer != NULL)
1409
8
		X509_free(peer);
1410
	/* flush, or debugging output gets mixed with http response */
1411
8
	(void) BIO_flush(bio);
1412
8
}
1413
1414
1415
static int
1416
ocsp_resp_cb(SSL * s, void *arg)
1417
{
1418
	const unsigned char *p;
1419
	int len;
1420
	OCSP_RESPONSE *rsp;
1421
	len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1422
	BIO_puts(arg, "OCSP response: ");
1423
	if (!p) {
1424
		BIO_puts(arg, "no response sent\n");
1425
		return 1;
1426
	}
1427
	rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
1428
	if (!rsp) {
1429
		BIO_puts(arg, "response parse error\n");
1430
		BIO_dump_indent(arg, (char *) p, len, 4);
1431
		return 0;
1432
	}
1433
	BIO_puts(arg, "\n======================================\n");
1434
	OCSP_RESPONSE_print(arg, rsp, 0);
1435
	BIO_puts(arg, "======================================\n");
1436
	OCSP_RESPONSE_free(rsp);
1437
	return 1;
1438
}
1439