s_client.c revision 273415
171333Sitojun/* apps/s_client.c */ 2118664Sume/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 362656Skris * All rights reserved. 455505Sshin * 555505Sshin * This package is an SSL implementation written 655505Sshin * by Eric Young (eay@cryptsoft.com). 755505Sshin * The implementation was written so as to conform with Netscapes SSL. 855505Sshin * 955505Sshin * This library is free for commercial and non-commercial use as long as 1055505Sshin * the following conditions are aheared to. The following conditions 1155505Sshin * apply to all code found in this distribution, be it the RC4, RSA, 1255505Sshin * lhash, DES, etc., code; not just the SSL code. The SSL documentation 1355505Sshin * included with this distribution is covered by the same copyright terms 1455505Sshin * except that the holder is Tim Hudson (tjh@cryptsoft.com). 1555505Sshin * 1655505Sshin * Copyright remains Eric Young's, and as such any Copyright notices in 1755505Sshin * the code are not to be removed. 1855505Sshin * If this package is used in a product, Eric Young should be given attribution 1955505Sshin * as the author of the parts of the library used. 2055505Sshin * This can be in the form of a textual message at program startup or 2155505Sshin * in documentation (online or textual) provided with the package. 2255505Sshin * 2355505Sshin * Redistribution and use in source and binary forms, with or without 2455505Sshin * modification, are permitted provided that the following conditions 2555505Sshin * are met: 2655505Sshin * 1. Redistributions of source code must retain the copyright 2755505Sshin * notice, this list of conditions and the following disclaimer. 2855505Sshin * 2. Redistributions in binary form must reproduce the above copyright 2955505Sshin * notice, this list of conditions and the following disclaimer in the 3055505Sshin * documentation and/or other materials provided with the distribution. 3155505Sshin * 3. 
All advertising materials mentioning features or use of this software 3278064Sume * must display the following acknowledgement: 3355505Sshin * "This product includes cryptographic software written by 3455505Sshin * Eric Young (eay@cryptsoft.com)" 3555505Sshin * The word 'cryptographic' can be left out if the rouines from the library 3655505Sshin * being used are not cryptographic related :-). 3755505Sshin * 4. If you include any Windows specific code (or a derivative thereof) from 3855505Sshin * the apps directory (application code) you must include an acknowledgement: 3955505Sshin * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 4055505Sshin * 4155505Sshin * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 4255505Sshin * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 4355505Sshin * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 4455505Sshin * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 4555505Sshin * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 4655505Sshin * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 4755505Sshin * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 4855505Sshin * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 4955505Sshin * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 5055505Sshin * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 5178064Sume * SUCH DAMAGE. 5255505Sshin * 5355505Sshin * The licence and distribution terms for any publically available version or 5455505Sshin * derivative of this code cannot be changed. i.e. this code cannot simply be 5555505Sshin * copied and put under another distribution licence 5655505Sshin * [including the GNU Public Licence.] 
5755505Sshin */ 5855505Sshin/* ==================================================================== 5955505Sshin * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. 6055505Sshin * 6155505Sshin * Redistribution and use in source and binary forms, with or without 6255505Sshin * modification, are permitted provided that the following conditions 6355505Sshin * are met: 6455505Sshin * 6562656Skris * 1. Redistributions of source code must retain the above copyright 6662656Skris * notice, this list of conditions and the following disclaimer. 6762656Skris * 6862656Skris * 2. Redistributions in binary form must reproduce the above copyright 6962656Skris * notice, this list of conditions and the following disclaimer in 7062656Skris * the documentation and/or other materials provided with the 7162656Skris * distribution. 7255505Sshin * 7362656Skris * 3. All advertising materials mentioning features or use of this 7455505Sshin * software must display the following acknowledgment: 7555505Sshin * "This product includes software developed by the OpenSSL Project 7655505Sshin * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 7755505Sshin * 7855505Sshin * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 7955505Sshin * endorse or promote products derived from this software without 8055505Sshin * prior written permission. For written permission, please contact 8155505Sshin * openssl-core@openssl.org. 8255505Sshin * 8355505Sshin * 5. Products derived from this software may not be called "OpenSSL" 8455505Sshin * nor may "OpenSSL" appear in their names without prior written 8555505Sshin * permission of the OpenSSL Project. 8655505Sshin * 8755505Sshin * 6. 
Redistributions of any form whatsoever must retain the following 8855505Sshin * acknowledgment: 89118660Sume * "This product includes software developed by the OpenSSL Project 9055505Sshin * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 9155505Sshin * 9255505Sshin * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93118664Sume * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 9455505Sshin * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 9555505Sshin * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 9655505Sshin * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 9755505Sshin * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 9855505Sshin * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99118660Sume * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 10055505Sshin * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 10155505Sshin * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 10255505Sshin * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 10355505Sshin * OF THE POSSIBILITY OF SUCH DAMAGE. 10455505Sshin * ==================================================================== 10555505Sshin * 106118660Sume * This product includes cryptographic software written by Eric Young 10755505Sshin * (eay@cryptsoft.com). This product includes software written by Tim 10855505Sshin * Hudson (tjh@cryptsoft.com). 
10955505Sshin * 11055505Sshin */ 11155505Sshin 11255505Sshin#include <assert.h> 11355505Sshin#include <stdio.h> 11455505Sshin#include <stdlib.h> 11555505Sshin#include <string.h> 11655505Sshin#include <openssl/e_os2.h> 11755505Sshin#ifdef OPENSSL_NO_STDIO 11855505Sshin#define APPS_WIN16 11955505Sshin#endif 12055505Sshin 12155505Sshin/* With IPv6, it looks like Digital has mixed up the proper order of 12255505Sshin recursive header file inclusion, resulting in the compiler complaining 12355505Sshin that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which 12455505Sshin is needed to have fileno() declared correctly... So let's define u_int */ 12555505Sshin#if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT) 12655505Sshin#define __U_INT 12755505Sshintypedef unsigned int u_int; 12855505Sshin#endif 12955505Sshin 130118660Sume#define USE_SOCKETS 13155505Sshin#include "apps.h" 13255505Sshin#include <openssl/x509.h> 13355505Sshin#include <openssl/ssl.h> 13455505Sshin#include <openssl/err.h> 13555505Sshin#include <openssl/pem.h> 13655505Sshin#include <openssl/rand.h> 13755505Sshin#include <openssl/ocsp.h> 13855505Sshin#include "s_apps.h" 13955505Sshin#include "timeouts.h" 14078064Sume 14178064Sume#ifdef OPENSSL_SYS_WINCE 14278064Sume/* Windows CE incorrectly defines fileno as returning void*, so to avoid problems below... 
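 */
#ifdef fileno
#undef fileno
#endif
#define fileno(a) (int)_fileno(a)
#endif


#if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
/* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
#undef FIONBIO
#endif

#undef PROG
#define PROG	s_client_main

/*#define SSL_HOST_NAME	"www.netscape.com" */
/*#define SSL_HOST_NAME	"193.118.187.102" */
/* Host used when neither -host nor -connect is given; also shown in the usage text. */
#define SSL_HOST_NAME	"localhost"

/*#define TEST_CERT "client.pem" */ /* no default cert. */

#undef BUFSIZZ
/* Size of the client/server/message scratch buffers (cbuf, sbuf, mbuf).
 * Parenthesised so the expansion is safe inside any expression. */
#define BUFSIZZ (1024*8)

/* Verification state shared with the verify callback; defined outside this file. */
extern int verify_depth;
extern int verify_error;

/* Command-line flags. They are reset at the start of MAIN() and only
 * set by the option parser, so each one holds the value of its option. */
#ifdef FIONBIO
static int c_nbio=0;		/* -nbio: put the socket into non-blocking mode via FIONBIO */
#endif
static int c_Pause=0;		/* -pause */
static int c_debug=0;		/* -debug: SSL debug flag plus a hex dump callback on the socket BIO */
#ifndef OPENSSL_NO_TLSEXT
static int c_tlsextdebug=0;	/* -tlsextdebug: install the TLS extension debug callback */
static int c_status_req=0;	/* -status: request an OCSP status response in the handshake */
#endif
static int c_msg=0;		/* -msg: install the protocol message callback */
static int c_showcerts=0;	/* -showcerts */

static void sc_usage(void);
static void print_stuff(BIO *berr,SSL *con,int full);
#ifndef OPENSSL_NO_TLSEXT
static int ocsp_resp_cb(SSL *s, void *arg);
#endif
/* Client output stream: stdout, or a null BIO when -quiet is given
 * without -debug/-msg. Created lazily in MAIN(). */
static BIO *bio_c_out=NULL;
static int c_quiet=0;		/* -quiet (also implies -ign_eof) */
static int c_ign_eof=0;		/* -ign_eof / -no_ign_eof */

/*
 * Print the option summary to bio_err.
 *
 * Every option accepted by the parser in MAIN() is listed here; options
 * that only exist in some builds are listed under the same #if guard
 * the parser uses.
 */
static void sc_usage(void)
	{
	BIO_printf(bio_err,"usage: s_client args\n");
	BIO_printf(bio_err,"\n");
	BIO_printf(bio_err," -host host - use -connect instead\n");
	BIO_printf(bio_err," -port port - use -connect instead\n");
	BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR);

	BIO_printf(bio_err," -verify depth - turn on peer certificate verification\n");
	BIO_printf(bio_err," -crl_check - check the peer certificate against its CRL\n");
	BIO_printf(bio_err," -crl_check_all - check the whole certificate chain against CRLs\n");
	BIO_printf(bio_err," -cert arg - certificate file to use, PEM format assumed\n");
	BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n");
	BIO_printf(bio_err," -key arg - Private key file to use, in cert file if\n");
	BIO_printf(bio_err," not specified but cert file is.\n");
	BIO_printf(bio_err," -keyform arg - key format (PEM or DER) PEM default\n");
	BIO_printf(bio_err," -pass arg - private key file pass phrase source\n");
	BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n");
	BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n");
	BIO_printf(bio_err," -reconnect - Drop and re-make the connection with the same Session-ID\n");
	BIO_printf(bio_err," -pause - sleep(1) after each read(2) and write(2) system call\n");
	BIO_printf(bio_err," -prexit - print session information even on connection failure\n");
	BIO_printf(bio_err," -showcerts - show all certificates in the chain\n");
	BIO_printf(bio_err," -debug - extra output\n");
#ifdef WATT32
	BIO_printf(bio_err," -wdebug - WATT-32 tcp debugging\n");
#endif
	BIO_printf(bio_err," -msg - Show protocol messages\n");
	BIO_printf(bio_err," -nbio_test - more ssl protocol testing\n");
	BIO_printf(bio_err," -state - print the 'ssl' states\n");
#ifdef FIONBIO
	BIO_printf(bio_err," -nbio - Run with non-blocking IO\n");
#endif
	BIO_printf(bio_err," -crlf - convert LF from terminal into CRLF\n");
	BIO_printf(bio_err," -quiet - no s_client output\n");
	BIO_printf(bio_err," -ign_eof - ignore input eof (default when -quiet)\n");
	BIO_printf(bio_err," -no_ign_eof - don't ignore input eof\n");
	BIO_printf(bio_err," -ssl2 - just use SSLv2\n");
	BIO_printf(bio_err," -ssl3 - just use SSLv3\n");
	BIO_printf(bio_err," -tls1 - just use TLSv1\n");
	BIO_printf(bio_err," -dtls1 - just use DTLSv1\n");
	BIO_printf(bio_err," -timeout - enable send/receive timeouts on the DTLS socket\n");
	BIO_printf(bio_err," -fallback_scsv - send TLS_FALLBACK_SCSV\n");
	BIO_printf(bio_err," -mtu - set the link layer MTU\n");
	BIO_printf(bio_err," -no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
	BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n");
	BIO_printf(bio_err," -serverpref - Use server's cipher preferences (only SSLv2)\n");
	BIO_printf(bio_err," -cipher - preferred cipher to use, use the 'openssl ciphers'\n");
	BIO_printf(bio_err," command to see what is available\n");
	BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n");
	BIO_printf(bio_err," for those protocols that support it, where\n");
	BIO_printf(bio_err," 'prot' defines which one to assume. Currently,\n");
	BIO_printf(bio_err," only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
	BIO_printf(bio_err," are supported.\n");
#ifndef OPENSSL_NO_ENGINE
	BIO_printf(bio_err," -engine id - Initialise and use the specified engine\n");
	BIO_printf(bio_err," -ssl_client_engine id - engine that supplies the client certificate\n");
#endif
	BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
	BIO_printf(bio_err," -sess_out arg - file to write SSL session to\n");
	BIO_printf(bio_err," -sess_in arg - file to read SSL session from\n");
#ifndef OPENSSL_NO_TLSEXT
	BIO_printf(bio_err," -servername host - Set TLS extension servername in ClientHello\n");
	BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n");
	BIO_printf(bio_err," -status - request certificate status from server\n");
	BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n");
#endif
#ifndef OPENSSL_NO_JPAKE
	BIO_printf(bio_err," -jpake secret - use J-PAKE authentication with the given shared secret\n");
#endif
	BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
	BIO_printf(bio_err," -legacy_server_connect - allow the initial connection to a server that does not support secure renegotiation\n");
	BIO_printf(bio_err," -no_legacy_server_connect - do not allow such an initial connection\n");
	}

#ifndef OPENSSL_NO_TLSEXT

/* This is a context that we pass to callbacks */
typedef struct tlsextctx_st {
	BIO * biodebug;	/* set to bio_err by MAIN() when -servername is given; not read here */
	int ack;	/* 1 if the server acknowledged our servername on a fresh (non-resumed) session */
} tlsextctx;


/*
 * Servername (SNI) callback installed on the SSL_CTX when -servername is used.
 *
 * s   - the connection
 * ad  - alert descriptor output; unused, the callback never raises an alert
 * arg - the tlsextctx registered with SSL_CTX_set_tlsext_servername_arg()
 *
 * Records in arg->ack whether a servername was negotiated on a new session.
 * Always returns SSL_TLSEXT_ERR_OK, so a missing or unexpected servername
 * never aborts the handshake; the result is informational only.
 */
static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
	{
	tlsextctx * p = (tlsextctx *) arg;
	const char * hn= SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
	if (SSL_get_servername_type(s) != -1) 
 		p->ack = !SSL_session_reused(s) && hn != NULL;
	else 
		BIO_printf(bio_err,"Can't use SSL_get_servername\n");
	
	return SSL_TLSEXT_ERR_OK;
	}
#endif
/* STARTTLS protocol selected with -starttls; PROTO_OFF means plain TLS from the start. */
enum
{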
279118660Sume PROTO_OFF = 0, 28055505Sshin PROTO_SMTP, 28155505Sshin PROTO_POP3, 28255505Sshin PROTO_IMAP, 28355505Sshin PROTO_FTP, 28455505Sshin PROTO_XMPP 28555505Sshin}; 28655505Sshin 28755505Sshinint MAIN(int, char **); 28855505Sshin 28955505Sshinint MAIN(int argc, char **argv) 29055505Sshin { 29155505Sshin int off=0, clr = 0; 29255505Sshin SSL *con=NULL,*con2=NULL; 29355505Sshin X509_STORE *store = NULL; 29455505Sshin int s,k,width,state=0; 29555505Sshin char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL; 29655505Sshin int cbuf_len,cbuf_off; 29755505Sshin int sbuf_len,sbuf_off; 29855505Sshin fd_set readfds,writefds; 29955505Sshin short port=PORT; 30055505Sshin int full_log=1; 30155505Sshin char *host=SSL_HOST_NAME; 30255505Sshin char *cert_file=NULL,*key_file=NULL; 30355505Sshin int cert_format = FORMAT_PEM, key_format = FORMAT_PEM; 30455505Sshin char *passarg = NULL, *pass = NULL; 30555505Sshin X509 *cert = NULL; 30655505Sshin EVP_PKEY *key = NULL; 30755505Sshin char *CApath=NULL,*CAfile=NULL,*cipher=NULL; 30855505Sshin int reconnect=0,badop=0,verify=SSL_VERIFY_NONE,bugs=0; 30955505Sshin int crlf=0; 31055505Sshin int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending; 311118660Sume SSL_CTX *ctx=NULL; 31255505Sshin int ret=1,in_init=1,i,nbio_test=0; 31355505Sshin int starttls_proto = PROTO_OFF; 31455505Sshin int prexit = 0, vflags = 0; 31555505Sshin SSL_METHOD *meth=NULL; 31655505Sshin#ifdef sock_type 31755505Sshin#undef sock_type 31855505Sshin#endif 319118660Sume int sock_type=SOCK_STREAM; 32055505Sshin BIO *sbio; 32155505Sshin char *inrand=NULL; 32255505Sshin int mbuf_len=0; 32355505Sshin struct timeval timeout, *timeoutp; 32455505Sshin#ifndef OPENSSL_NO_ENGINE 32555505Sshin char *engine_id=NULL; 32655505Sshin char *ssl_client_engine_id=NULL; 32762656Skris ENGINE *ssl_client_engine=NULL; 32855505Sshin#endif 32955505Sshin ENGINE *e=NULL; 33055505Sshin#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) 33155505Sshin struct 
timeval tv; 33255505Sshin#endif 33355505Sshin 33455505Sshin#ifndef OPENSSL_NO_TLSEXT 33555505Sshin char *servername = NULL; 33655505Sshin tlsextctx tlsextcbp = 33755505Sshin {NULL,0}; 33855505Sshin#endif 33955505Sshin char *sess_in = NULL; 34055505Sshin char *sess_out = NULL; 34155505Sshin struct sockaddr peer; 34255505Sshin int peerlen = sizeof(peer); 34355505Sshin int fallback_scsv = 0; 34455505Sshin int enable_timeouts = 0 ; 34555505Sshin long socket_mtu = 0; 346118660Sume#ifndef OPENSSL_NO_JPAKE 34755505Sshin char *jpake_secret = NULL; 34855505Sshin#endif 34955505Sshin 35055505Sshin meth=SSLv23_client_method(); 35155505Sshin 35255505Sshin apps_startup(); 35355505Sshin c_Pause=0; 354118660Sume c_quiet=0; 35555505Sshin c_ign_eof=0; 35655505Sshin c_debug=0; 35755505Sshin c_msg=0; 35855505Sshin c_showcerts=0; 35955505Sshin 36055505Sshin if (bio_err == NULL) 36155505Sshin bio_err=BIO_new_fp(stderr,BIO_NOCLOSE); 36255505Sshin 363118660Sume if (!load_config(bio_err, NULL)) 36455505Sshin goto end; 36555505Sshin 36655505Sshin if ( ((cbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) || 36755505Sshin ((sbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) || 36855505Sshin ((mbuf=OPENSSL_malloc(BUFSIZZ)) == NULL)) 36955505Sshin { 37055505Sshin BIO_printf(bio_err,"out of memory\n"); 37155505Sshin goto end; 37255505Sshin } 373118660Sume 37455505Sshin verify_depth=0; 37555505Sshin verify_error=X509_V_OK; 37655505Sshin#ifdef FIONBIO 37755505Sshin c_nbio=0; 37855505Sshin#endif 37955505Sshin 38055505Sshin argc--; 38155505Sshin argv++; 38255505Sshin while (argc >= 1) 38355505Sshin { 38455505Sshin if (strcmp(*argv,"-host") == 0) 38555505Sshin { 38655505Sshin if (--argc < 1) goto bad; 38755505Sshin host= *(++argv); 38855505Sshin } 38955505Sshin else if (strcmp(*argv,"-port") == 0) 39055505Sshin { 39155505Sshin if (--argc < 1) goto bad; 39255505Sshin port=atoi(*(++argv)); 39355505Sshin if (port == 0) goto bad; 39455505Sshin } 39555505Sshin else if (strcmp(*argv,"-connect") == 0) 39655505Sshin { 39755505Sshin 
if (--argc < 1) goto bad; 39855505Sshin if (!extract_host_port(*(++argv),&host,NULL,&port)) 39955505Sshin goto bad; 40055505Sshin } 40155505Sshin else if (strcmp(*argv,"-verify") == 0) 40255505Sshin { 40355505Sshin verify=SSL_VERIFY_PEER; 40455505Sshin if (--argc < 1) goto bad; 40555505Sshin verify_depth=atoi(*(++argv)); 40655505Sshin BIO_printf(bio_err,"verify depth is %d\n",verify_depth); 40755505Sshin } 40855505Sshin else if (strcmp(*argv,"-cert") == 0) 40955505Sshin { 41055505Sshin if (--argc < 1) goto bad; 41155505Sshin cert_file= *(++argv); 41255505Sshin } 41355505Sshin else if (strcmp(*argv,"-sess_out") == 0) 414118660Sume { 41555505Sshin if (--argc < 1) goto bad; 41655505Sshin sess_out = *(++argv); 41755505Sshin } 41855505Sshin else if (strcmp(*argv,"-sess_in") == 0) 41955505Sshin { 42055505Sshin if (--argc < 1) goto bad; 42155505Sshin sess_in = *(++argv); 42255505Sshin } 42355505Sshin else if (strcmp(*argv,"-certform") == 0) 42455505Sshin { 42555505Sshin if (--argc < 1) goto bad; 426118660Sume cert_format = str2fmt(*(++argv)); 42755505Sshin } 42855505Sshin else if (strcmp(*argv,"-crl_check") == 0) 42955505Sshin vflags |= X509_V_FLAG_CRL_CHECK; 43055505Sshin else if (strcmp(*argv,"-crl_check_all") == 0) 43155505Sshin vflags |= X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL; 43278064Sume else if (strcmp(*argv,"-prexit") == 0) 43378064Sume prexit=1; 43478064Sume else if (strcmp(*argv,"-crlf") == 0) 43578064Sume crlf=1; 436118660Sume else if (strcmp(*argv,"-quiet") == 0) 43778064Sume { 43878064Sume c_quiet=1; 43978064Sume c_ign_eof=1; 44078064Sume } 44178064Sume else if (strcmp(*argv,"-ign_eof") == 0) 44278064Sume c_ign_eof=1; 44378064Sume else if (strcmp(*argv,"-no_ign_eof") == 0) 44478064Sume c_ign_eof=0; 44578064Sume else if (strcmp(*argv,"-pause") == 0) 44678064Sume c_Pause=1; 44778064Sume else if (strcmp(*argv,"-debug") == 0) 44878064Sume c_debug=1; 44978064Sume#ifndef OPENSSL_NO_TLSEXT 45078064Sume else if (strcmp(*argv,"-tlsextdebug") == 0) 
45178064Sume c_tlsextdebug=1; 45278064Sume else if (strcmp(*argv,"-status") == 0) 45378064Sume c_status_req=1; 45478064Sume#endif 45578064Sume#ifdef WATT32 45678064Sume else if (strcmp(*argv,"-wdebug") == 0) 457118660Sume dbug_init(); 45878064Sume#endif 45978064Sume else if (strcmp(*argv,"-msg") == 0) 46078064Sume c_msg=1; 46178064Sume else if (strcmp(*argv,"-showcerts") == 0) 46278064Sume c_showcerts=1; 46378064Sume else if (strcmp(*argv,"-nbio_test") == 0) 46478064Sume nbio_test=1; 46555505Sshin else if (strcmp(*argv,"-state") == 0) 46655505Sshin state=1; 46755505Sshin#ifndef OPENSSL_NO_SSL2 46855505Sshin else if (strcmp(*argv,"-ssl2") == 0) 46955505Sshin meth=SSLv2_client_method(); 47055505Sshin#endif 47155505Sshin#ifndef OPENSSL_NO_SSL3 47255505Sshin else if (strcmp(*argv,"-ssl3") == 0) 47355505Sshin meth=SSLv3_client_method(); 47455505Sshin#endif 47555505Sshin#ifndef OPENSSL_NO_TLS1 47655505Sshin else if (strcmp(*argv,"-tls1") == 0) 47755505Sshin meth=TLSv1_client_method(); 47855505Sshin#endif 47955505Sshin#ifndef OPENSSL_NO_DTLS1 480118660Sume else if (strcmp(*argv,"-dtls1") == 0) 48155505Sshin { 48255505Sshin meth=DTLSv1_client_method(); 48355505Sshin sock_type=SOCK_DGRAM; 48455505Sshin } 48555505Sshin else if (strcmp(*argv,"-timeout") == 0) 48655505Sshin enable_timeouts=1; 487 else if (strcmp(*argv,"-mtu") == 0) 488 { 489 if (--argc < 1) goto bad; 490 socket_mtu = atol(*(++argv)); 491 } 492#endif 493 else if (strcmp(*argv,"-fallback_scsv") == 0) 494 { 495 fallback_scsv = 1; 496 } 497 else if (strcmp(*argv,"-bugs") == 0) 498 bugs=1; 499 else if (strcmp(*argv,"-keyform") == 0) 500 { 501 if (--argc < 1) goto bad; 502 key_format = str2fmt(*(++argv)); 503 } 504 else if (strcmp(*argv,"-pass") == 0) 505 { 506 if (--argc < 1) goto bad; 507 passarg = *(++argv); 508 } 509 else if (strcmp(*argv,"-key") == 0) 510 { 511 if (--argc < 1) goto bad; 512 key_file= *(++argv); 513 } 514 else if (strcmp(*argv,"-reconnect") == 0) 515 { 516 reconnect=5; 517 } 518 else if 
(strcmp(*argv,"-CApath") == 0) 519 { 520 if (--argc < 1) goto bad; 521 CApath= *(++argv); 522 } 523 else if (strcmp(*argv,"-CAfile") == 0) 524 { 525 if (--argc < 1) goto bad; 526 CAfile= *(++argv); 527 } 528 else if (strcmp(*argv,"-no_tls1") == 0) 529 off|=SSL_OP_NO_TLSv1; 530 else if (strcmp(*argv,"-no_ssl3") == 0) 531 off|=SSL_OP_NO_SSLv3; 532 else if (strcmp(*argv,"-no_ssl2") == 0) 533 off|=SSL_OP_NO_SSLv2; 534#ifndef OPENSSL_NO_TLSEXT 535 else if (strcmp(*argv,"-no_ticket") == 0) 536 { off|=SSL_OP_NO_TICKET; } 537#endif 538 else if (strcmp(*argv,"-serverpref") == 0) 539 off|=SSL_OP_CIPHER_SERVER_PREFERENCE; 540 else if (strcmp(*argv,"-legacy_renegotiation") == 0) 541 off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; 542 else if (strcmp(*argv,"-legacy_server_connect") == 0) 543 { off|=SSL_OP_LEGACY_SERVER_CONNECT; } 544 else if (strcmp(*argv,"-no_legacy_server_connect") == 0) 545 { clr|=SSL_OP_LEGACY_SERVER_CONNECT; } 546 else if (strcmp(*argv,"-cipher") == 0) 547 { 548 if (--argc < 1) goto bad; 549 cipher= *(++argv); 550 } 551#ifdef FIONBIO 552 else if (strcmp(*argv,"-nbio") == 0) 553 { c_nbio=1; } 554#endif 555 else if (strcmp(*argv,"-starttls") == 0) 556 { 557 if (--argc < 1) goto bad; 558 ++argv; 559 if (strcmp(*argv,"smtp") == 0) 560 starttls_proto = PROTO_SMTP; 561 else if (strcmp(*argv,"pop3") == 0) 562 starttls_proto = PROTO_POP3; 563 else if (strcmp(*argv,"imap") == 0) 564 starttls_proto = PROTO_IMAP; 565 else if (strcmp(*argv,"ftp") == 0) 566 starttls_proto = PROTO_FTP; 567 else if (strcmp(*argv, "xmpp") == 0) 568 starttls_proto = PROTO_XMPP; 569 else 570 goto bad; 571 } 572#ifndef OPENSSL_NO_ENGINE 573 else if (strcmp(*argv,"-engine") == 0) 574 { 575 if (--argc < 1) goto bad; 576 engine_id = *(++argv); 577 } 578 else if (strcmp(*argv,"-ssl_client_engine") == 0) 579 { 580 if (--argc < 1) goto bad; 581 ssl_client_engine_id = *(++argv); 582 } 583#endif 584 else if (strcmp(*argv,"-rand") == 0) 585 { 586 if (--argc < 1) goto bad; 587 inrand= *(++argv); 588 } 
589#ifndef OPENSSL_NO_TLSEXT 590 else if (strcmp(*argv,"-servername") == 0) 591 { 592 if (--argc < 1) goto bad; 593 servername= *(++argv); 594 /* meth=TLSv1_client_method(); */ 595 } 596#endif 597#ifndef OPENSSL_NO_JPAKE 598 else if (strcmp(*argv,"-jpake") == 0) 599 { 600 if (--argc < 1) goto bad; 601 jpake_secret = *++argv; 602 } 603#endif 604 else 605 { 606 BIO_printf(bio_err,"unknown option %s\n",*argv); 607 badop=1; 608 break; 609 } 610 argc--; 611 argv++; 612 } 613 if (badop) 614 { 615bad: 616 sc_usage(); 617 goto end; 618 } 619 620 OpenSSL_add_ssl_algorithms(); 621 SSL_load_error_strings(); 622 623#ifndef OPENSSL_NO_ENGINE 624 e = setup_engine(bio_err, engine_id, 1); 625 if (ssl_client_engine_id) 626 { 627 ssl_client_engine = ENGINE_by_id(ssl_client_engine_id); 628 if (!ssl_client_engine) 629 { 630 BIO_printf(bio_err, 631 "Error getting client auth engine\n"); 632 goto end; 633 } 634 } 635#endif 636 if (!app_passwd(bio_err, passarg, NULL, &pass, NULL)) 637 { 638 BIO_printf(bio_err, "Error getting password\n"); 639 goto end; 640 } 641 642 if (key_file == NULL) 643 key_file = cert_file; 644 645 646 if (key_file) 647 648 { 649 650 key = load_key(bio_err, key_file, key_format, 0, pass, e, 651 "client certificate private key file"); 652 if (!key) 653 { 654 ERR_print_errors(bio_err); 655 goto end; 656 } 657 658 } 659 660 if (cert_file) 661 662 { 663 cert = load_cert(bio_err,cert_file,cert_format, 664 NULL, e, "client certificate file"); 665 666 if (!cert) 667 { 668 ERR_print_errors(bio_err); 669 goto end; 670 } 671 } 672 673 if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL 674 && !RAND_status()) 675 { 676 BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n"); 677 } 678 if (inrand != NULL) 679 BIO_printf(bio_err,"%ld semi-random bytes loaded\n", 680 app_RAND_load_files(inrand)); 681 682 if (bio_c_out == NULL) 683 { 684 if (c_quiet && !c_debug && !c_msg) 685 { 686 bio_c_out=BIO_new(BIO_s_null()); 687 } 688 else 689 { 
690 if (bio_c_out == NULL) 691 bio_c_out=BIO_new_fp(stdout,BIO_NOCLOSE); 692 } 693 } 694 695 ctx=SSL_CTX_new(meth); 696 if (ctx == NULL) 697 { 698 ERR_print_errors(bio_err); 699 goto end; 700 } 701 702#ifndef OPENSSL_NO_ENGINE 703 if (ssl_client_engine) 704 { 705 if (!SSL_CTX_set_client_cert_engine(ctx, ssl_client_engine)) 706 { 707 BIO_puts(bio_err, "Error setting client auth engine\n"); 708 ERR_print_errors(bio_err); 709 ENGINE_free(ssl_client_engine); 710 goto end; 711 } 712 ENGINE_free(ssl_client_engine); 713 } 714#endif 715 716 if (bugs) 717 SSL_CTX_set_options(ctx,SSL_OP_ALL|off); 718 else 719 SSL_CTX_set_options(ctx,off); 720 721 if (clr) 722 SSL_CTX_clear_options(ctx, clr); 723 /* DTLS: partial reads end up discarding unread UDP bytes :-( 724 * Setting read ahead solves this problem. 725 */ 726 if (sock_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1); 727 728 if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback); 729 if (cipher != NULL) 730 if(!SSL_CTX_set_cipher_list(ctx,cipher)) { 731 BIO_printf(bio_err,"error setting cipher list\n"); 732 ERR_print_errors(bio_err); 733 goto end; 734 } 735#if 0 736 else 737 SSL_CTX_set_cipher_list(ctx,getenv("SSL_CIPHER")); 738#endif 739 740 SSL_CTX_set_verify(ctx,verify,verify_callback); 741 if (!set_cert_key_stuff(ctx,cert,key)) 742 goto end; 743 744 if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) || 745 (!SSL_CTX_set_default_verify_paths(ctx))) 746 { 747 /* BIO_printf(bio_err,"error setting default verify locations\n"); */ 748 ERR_print_errors(bio_err); 749 /* goto end; */ 750 } 751 752 store = SSL_CTX_get_cert_store(ctx); 753 X509_STORE_set_flags(store, vflags); 754#ifndef OPENSSL_NO_TLSEXT 755 if (servername != NULL) 756 { 757 tlsextcbp.biodebug = bio_err; 758 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb); 759 SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp); 760 } 761#endif 762 763 con=SSL_new(ctx); 764 if (sess_in) 765 { 766 SSL_SESSION *sess; 767 BIO *stmp = 
BIO_new_file(sess_in, "r"); 768 if (!stmp) 769 { 770 BIO_printf(bio_err, "Can't open session file %s\n", 771 sess_in); 772 ERR_print_errors(bio_err); 773 goto end; 774 } 775 sess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL); 776 BIO_free(stmp); 777 if (!sess) 778 { 779 BIO_printf(bio_err, "Can't open session file %s\n", 780 sess_in); 781 ERR_print_errors(bio_err); 782 goto end; 783 } 784 SSL_set_session(con, sess); 785 SSL_SESSION_free(sess); 786 } 787 788 if (fallback_scsv) 789 SSL_set_mode(con, SSL_MODE_SEND_FALLBACK_SCSV); 790 791#ifndef OPENSSL_NO_TLSEXT 792 if (servername != NULL) 793 { 794 if (!SSL_set_tlsext_host_name(con,servername)) 795 { 796 BIO_printf(bio_err,"Unable to set TLS servername extension.\n"); 797 ERR_print_errors(bio_err); 798 goto end; 799 } 800 } 801#endif 802 803#ifndef OPENSSL_NO_KRB5 804 if (con && (con->kssl_ctx = kssl_ctx_new()) != NULL) 805 { 806 kssl_ctx_setstring(con->kssl_ctx, KSSL_SERVER, host); 807 } 808#endif /* OPENSSL_NO_KRB5 */ 809/* SSL_set_cipher_list(con,"RC4-MD5"); */ 810 811re_start: 812 813 if (init_client(&s,host,port,sock_type) == 0) 814 { 815 BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error()); 816 SHUTDOWN(s); 817 goto end; 818 } 819 BIO_printf(bio_c_out,"CONNECTED(%08X)\n",s); 820 821#ifdef FIONBIO 822 if (c_nbio) 823 { 824 unsigned long l=1; 825 BIO_printf(bio_c_out,"turning on non blocking io\n"); 826 if (BIO_socket_ioctl(s,FIONBIO,&l) < 0) 827 { 828 ERR_print_errors(bio_err); 829 goto end; 830 } 831 } 832#endif 833 if (c_Pause & 0x01) con->debug=1; 834 835 if ( SSL_version(con) == DTLS1_VERSION) 836 { 837 838 sbio=BIO_new_dgram(s,BIO_NOCLOSE); 839 if (getsockname(s, &peer, (void *)&peerlen) < 0) 840 { 841 BIO_printf(bio_err, "getsockname:errno=%d\n", 842 get_last_socket_error()); 843 SHUTDOWN(s); 844 goto end; 845 } 846 847 (void)BIO_ctrl_set_connected(sbio, 1, &peer); 848 849 if ( enable_timeouts) 850 { 851 timeout.tv_sec = 0; 852 timeout.tv_usec = DGRAM_RCV_TIMEOUT; 853 BIO_ctrl(sbio, 
BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout); 854 855 timeout.tv_sec = 0; 856 timeout.tv_usec = DGRAM_SND_TIMEOUT; 857 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout); 858 } 859 860 if (socket_mtu > 28) 861 { 862 SSL_set_options(con, SSL_OP_NO_QUERY_MTU); 863 SSL_set_mtu(con, socket_mtu - 28); 864 } 865 else 866 /* want to do MTU discovery */ 867 BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL); 868 } 869 else 870 sbio=BIO_new_socket(s,BIO_NOCLOSE); 871 872 if (nbio_test) 873 { 874 BIO *test; 875 876 test=BIO_new(BIO_f_nbio_test()); 877 sbio=BIO_push(test,sbio); 878 } 879 880 if (c_debug) 881 { 882 con->debug=1; 883 BIO_set_callback(sbio,bio_dump_callback); 884 BIO_set_callback_arg(sbio,(char *)bio_c_out); 885 } 886 if (c_msg) 887 { 888 SSL_set_msg_callback(con, msg_cb); 889 SSL_set_msg_callback_arg(con, bio_c_out); 890 } 891#ifndef OPENSSL_NO_TLSEXT 892 if (c_tlsextdebug) 893 { 894 SSL_set_tlsext_debug_callback(con, tlsext_cb); 895 SSL_set_tlsext_debug_arg(con, bio_c_out); 896 } 897 if (c_status_req) 898 { 899 SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp); 900 SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb); 901 SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out); 902#if 0 903{ 904STACK_OF(OCSP_RESPID) *ids = sk_OCSP_RESPID_new_null(); 905OCSP_RESPID *id = OCSP_RESPID_new(); 906id->value.byKey = ASN1_OCTET_STRING_new(); 907id->type = V_OCSP_RESPID_KEY; 908ASN1_STRING_set(id->value.byKey, "Hello World", -1); 909sk_OCSP_RESPID_push(ids, id); 910SSL_set_tlsext_status_ids(con, ids); 911} 912#endif 913 } 914#endif 915#ifndef OPENSSL_NO_JPAKE 916 if (jpake_secret) 917 jpake_client_auth(bio_c_out, sbio, jpake_secret); 918#endif 919 920 SSL_set_bio(con,sbio,sbio); 921 SSL_set_connect_state(con); 922 923 /* ok, lets connect */ 924 width=SSL_get_fd(con)+1; 925 926 read_tty=1; 927 write_tty=0; 928 tty_on=0; 929 read_ssl=1; 930 write_ssl=1; 931 932 cbuf_len=0; 933 cbuf_off=0; 934 sbuf_len=0; 935 sbuf_off=0; 936 937 /* This is an ugly hack that does a lot 
of assumptions */ 938 /* We do have to handle multi-line responses which may come 939 in a single packet or not. We therefore have to use 940 BIO_gets() which does need a buffering BIO. So during 941 the initial chitchat we do push a buffering BIO into the 942 chain that is removed again later on to not disturb the 943 rest of the s_client operation. */ 944 if (starttls_proto == PROTO_SMTP) 945 { 946 int foundit=0; 947 BIO *fbio = BIO_new(BIO_f_buffer()); 948 BIO_push(fbio, sbio); 949 /* wait for multi-line response to end from SMTP */ 950 do 951 { 952 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ); 953 } 954 while (mbuf_len>3 && mbuf[3]=='-'); 955 /* STARTTLS command requires EHLO... */ 956 BIO_printf(fbio,"EHLO openssl.client.net\r\n"); 957 (void)BIO_flush(fbio); 958 /* wait for multi-line response to end EHLO SMTP response */ 959 do 960 { 961 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ); 962 if (strstr(mbuf,"STARTTLS")) 963 foundit=1; 964 } 965 while (mbuf_len>3 && mbuf[3]=='-'); 966 (void)BIO_flush(fbio); 967 BIO_pop(fbio); 968 BIO_free(fbio); 969 if (!foundit) 970 BIO_printf(bio_err, 971 "didn't found starttls in server response," 972 " try anyway...\n"); 973 BIO_printf(sbio,"STARTTLS\r\n"); 974 BIO_read(sbio,sbuf,BUFSIZZ); 975 } 976 else if (starttls_proto == PROTO_POP3) 977 { 978 BIO_read(sbio,mbuf,BUFSIZZ); 979 BIO_printf(sbio,"STLS\r\n"); 980 BIO_read(sbio,sbuf,BUFSIZZ); 981 } 982 else if (starttls_proto == PROTO_IMAP) 983 { 984 int foundit=0; 985 BIO *fbio = BIO_new(BIO_f_buffer()); 986 BIO_push(fbio, sbio); 987 BIO_gets(fbio,mbuf,BUFSIZZ); 988 /* STARTTLS command requires CAPABILITY... */ 989 BIO_printf(fbio,". 
CAPABILITY\r\n"); 990 (void)BIO_flush(fbio); 991 /* wait for multi-line CAPABILITY response */ 992 do 993 { 994 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ); 995 if (strstr(mbuf,"STARTTLS")) 996 foundit=1; 997 } 998 while (mbuf_len>3 && mbuf[0]!='.'); 999 (void)BIO_flush(fbio); 1000 BIO_pop(fbio); 1001 BIO_free(fbio); 1002 if (!foundit) 1003 BIO_printf(bio_err, 1004 "didn't found STARTTLS in server response," 1005 " try anyway...\n"); 1006 BIO_printf(sbio,". STARTTLS\r\n"); 1007 BIO_read(sbio,sbuf,BUFSIZZ); 1008 } 1009 else if (starttls_proto == PROTO_FTP) 1010 { 1011 BIO *fbio = BIO_new(BIO_f_buffer()); 1012 BIO_push(fbio, sbio); 1013 /* wait for multi-line response to end from FTP */ 1014 do 1015 { 1016 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ); 1017 } 1018 while (mbuf_len>3 && mbuf[3]=='-'); 1019 (void)BIO_flush(fbio); 1020 BIO_pop(fbio); 1021 BIO_free(fbio); 1022 BIO_printf(sbio,"AUTH TLS\r\n"); 1023 BIO_read(sbio,sbuf,BUFSIZZ); 1024 } 1025 if (starttls_proto == PROTO_XMPP) 1026 { 1027 int seen = 0; 1028 BIO_printf(sbio,"<stream:stream " 1029 "xmlns:stream='http://etherx.jabber.org/streams' " 1030 "xmlns='jabber:client' to='%s' version='1.0'>", host); 1031 seen = BIO_read(sbio,mbuf,BUFSIZZ); 1032 mbuf[seen] = 0; 1033 while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'")) 1034 { 1035 if (strstr(mbuf, "/stream:features>")) 1036 goto shut; 1037 seen = BIO_read(sbio,mbuf,BUFSIZZ); 1038 mbuf[seen] = 0; 1039 } 1040 BIO_printf(sbio, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"); 1041 seen = BIO_read(sbio,sbuf,BUFSIZZ); 1042 sbuf[seen] = 0; 1043 if (!strstr(sbuf, "<proceed")) 1044 goto shut; 1045 mbuf[0] = 0; 1046 } 1047 1048 for (;;) 1049 { 1050 FD_ZERO(&readfds); 1051 FD_ZERO(&writefds); 1052 1053 if ((SSL_version(con) == DTLS1_VERSION) && 1054 DTLSv1_get_timeout(con, &timeout)) 1055 timeoutp = &timeout; 1056 else 1057 timeoutp = NULL; 1058 1059 if (SSL_in_init(con) && !SSL_total_renegotiations(con)) 1060 { 1061 in_init=1; 1062 tty_on=0; 1063 } 
1064 else 1065 { 1066 tty_on=1; 1067 if (in_init) 1068 { 1069 in_init=0; 1070 if (sess_out) 1071 { 1072 BIO *stmp = BIO_new_file(sess_out, "w"); 1073 if (stmp) 1074 { 1075 PEM_write_bio_SSL_SESSION(stmp, SSL_get_session(con)); 1076 BIO_free(stmp); 1077 } 1078 else 1079 BIO_printf(bio_err, "Error writing session file %s\n", sess_out); 1080 } 1081 print_stuff(bio_c_out,con,full_log); 1082 if (full_log > 0) full_log--; 1083 1084 if (starttls_proto) 1085 { 1086 BIO_printf(bio_err,"%s",mbuf); 1087 /* We don't need to know any more */ 1088 starttls_proto = PROTO_OFF; 1089 } 1090 1091 if (reconnect) 1092 { 1093 reconnect--; 1094 BIO_printf(bio_c_out,"drop connection and then reconnect\n"); 1095 SSL_shutdown(con); 1096 SSL_set_connect_state(con); 1097 SHUTDOWN(SSL_get_fd(con)); 1098 goto re_start; 1099 } 1100 } 1101 } 1102 1103 ssl_pending = read_ssl && SSL_pending(con); 1104 1105 if (!ssl_pending) 1106 { 1107#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) 1108 if (tty_on) 1109 { 1110 if (read_tty) FD_SET(fileno(stdin),&readfds); 1111 if (write_tty) FD_SET(fileno(stdout),&writefds); 1112 } 1113 if (read_ssl) 1114 FD_SET(SSL_get_fd(con),&readfds); 1115 if (write_ssl) 1116 FD_SET(SSL_get_fd(con),&writefds); 1117#else 1118 if(!tty_on || !write_tty) { 1119 if (read_ssl) 1120 FD_SET(SSL_get_fd(con),&readfds); 1121 if (write_ssl) 1122 FD_SET(SSL_get_fd(con),&writefds); 1123 } 1124#endif 1125/* printf("mode tty(%d %d%d) ssl(%d%d)\n", 1126 tty_on,read_tty,write_tty,read_ssl,write_ssl);*/ 1127 1128 /* Note: under VMS with SOCKETSHR the second parameter 1129 * is currently of type (int *) whereas under other 1130 * systems it is (void *) if you don't have a cast it 1131 * will choke the compiler: if you do have a cast then 1132 * you can either go for (int *) or (void *). 
1133 */ 1134#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) 1135 /* Under Windows/DOS we make the assumption that we can 1136 * always write to the tty: therefore if we need to 1137 * write to the tty we just fall through. Otherwise 1138 * we timeout the select every second and see if there 1139 * are any keypresses. Note: this is a hack, in a proper 1140 * Windows application we wouldn't do this. 1141 */ 1142 i=0; 1143 if(!write_tty) { 1144 if(read_tty) { 1145 tv.tv_sec = 1; 1146 tv.tv_usec = 0; 1147 i=select(width,(void *)&readfds,(void *)&writefds, 1148 NULL,&tv); 1149#if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS) 1150 if(!i && (!_kbhit() || !read_tty) ) continue; 1151#else 1152 if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue; 1153#endif 1154 } else i=select(width,(void *)&readfds,(void *)&writefds, 1155 NULL,timeoutp); 1156 } 1157#elif defined(OPENSSL_SYS_NETWARE) 1158 if(!write_tty) { 1159 if(read_tty) { 1160 tv.tv_sec = 1; 1161 tv.tv_usec = 0; 1162 i=select(width,(void *)&readfds,(void *)&writefds, 1163 NULL,&tv); 1164 } else i=select(width,(void *)&readfds,(void *)&writefds, 1165 NULL,timeoutp); 1166 } 1167#else 1168 i=select(width,(void *)&readfds,(void *)&writefds, 1169 NULL,timeoutp); 1170#endif 1171 if ( i < 0) 1172 { 1173 BIO_printf(bio_err,"bad select %d\n", 1174 get_last_socket_error()); 1175 goto shut; 1176 /* goto end; */ 1177 } 1178 } 1179 1180 if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0) 1181 { 1182 BIO_printf(bio_err,"TIMEOUT occured\n"); 1183 } 1184 1185 if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds)) 1186 { 1187 k=SSL_write(con,&(cbuf[cbuf_off]), 1188 (unsigned int)cbuf_len); 1189 switch (SSL_get_error(con,k)) 1190 { 1191 case SSL_ERROR_NONE: 1192 cbuf_off+=k; 1193 cbuf_len-=k; 1194 if (k <= 0) goto end; 1195 /* we have done a write(con,NULL,0); */ 1196 if (cbuf_len <= 0) 1197 { 1198 read_tty=1; 1199 
write_ssl=0; 1200 } 1201 else /* if (cbuf_len > 0) */ 1202 { 1203 read_tty=0; 1204 write_ssl=1; 1205 } 1206 break; 1207 case SSL_ERROR_WANT_WRITE: 1208 BIO_printf(bio_c_out,"write W BLOCK\n"); 1209 write_ssl=1; 1210 read_tty=0; 1211 break; 1212 case SSL_ERROR_WANT_READ: 1213 BIO_printf(bio_c_out,"write R BLOCK\n"); 1214 write_tty=0; 1215 read_ssl=1; 1216 write_ssl=0; 1217 break; 1218 case SSL_ERROR_WANT_X509_LOOKUP: 1219 BIO_printf(bio_c_out,"write X BLOCK\n"); 1220 break; 1221 case SSL_ERROR_ZERO_RETURN: 1222 if (cbuf_len != 0) 1223 { 1224 BIO_printf(bio_c_out,"shutdown\n"); 1225 goto shut; 1226 } 1227 else 1228 { 1229 read_tty=1; 1230 write_ssl=0; 1231 break; 1232 } 1233 1234 case SSL_ERROR_SYSCALL: 1235 if ((k != 0) || (cbuf_len != 0)) 1236 { 1237 BIO_printf(bio_err,"write:errno=%d\n", 1238 get_last_socket_error()); 1239 goto shut; 1240 } 1241 else 1242 { 1243 read_tty=1; 1244 write_ssl=0; 1245 } 1246 break; 1247 case SSL_ERROR_SSL: 1248 ERR_print_errors(bio_err); 1249 goto shut; 1250 } 1251 } 1252#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) 1253 /* Assume Windows/DOS can always write */ 1254 else if (!ssl_pending && write_tty) 1255#else 1256 else if (!ssl_pending && FD_ISSET(fileno(stdout),&writefds)) 1257#endif 1258 { 1259#ifdef CHARSET_EBCDIC 1260 ascii2ebcdic(&(sbuf[sbuf_off]),&(sbuf[sbuf_off]),sbuf_len); 1261#endif 1262 i=write(fileno(stdout),&(sbuf[sbuf_off]),sbuf_len); 1263 1264 if (i <= 0) 1265 { 1266 BIO_printf(bio_c_out,"DONE\n"); 1267 goto shut; 1268 /* goto end; */ 1269 } 1270 1271 sbuf_len-=i;; 1272 sbuf_off+=i; 1273 if (sbuf_len <= 0) 1274 { 1275 read_ssl=1; 1276 write_tty=0; 1277 } 1278 } 1279 else if (ssl_pending || FD_ISSET(SSL_get_fd(con),&readfds)) 1280 { 1281#ifdef RENEG 1282{ static int iiii; if (++iiii == 52) { SSL_renegotiate(con); iiii=0; } } 1283#endif 1284#if 1 1285 k=SSL_read(con,sbuf,1024 /* BUFSIZZ */ ); 1286#else 1287/* Demo for pending and peek :-) */ 1288 k=SSL_read(con,sbuf,16); 
1289{ char zbuf[10240]; 1290printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240)); 1291} 1292#endif 1293 1294 switch (SSL_get_error(con,k)) 1295 { 1296 case SSL_ERROR_NONE: 1297 if (k <= 0) 1298 goto end; 1299 sbuf_off=0; 1300 sbuf_len=k; 1301 1302 read_ssl=0; 1303 write_tty=1; 1304 break; 1305 case SSL_ERROR_WANT_WRITE: 1306 BIO_printf(bio_c_out,"read W BLOCK\n"); 1307 write_ssl=1; 1308 read_tty=0; 1309 break; 1310 case SSL_ERROR_WANT_READ: 1311 BIO_printf(bio_c_out,"read R BLOCK\n"); 1312 write_tty=0; 1313 read_ssl=1; 1314 if ((read_tty == 0) && (write_ssl == 0)) 1315 write_ssl=1; 1316 break; 1317 case SSL_ERROR_WANT_X509_LOOKUP: 1318 BIO_printf(bio_c_out,"read X BLOCK\n"); 1319 break; 1320 case SSL_ERROR_SYSCALL: 1321 BIO_printf(bio_err,"read:errno=%d\n",get_last_socket_error()); 1322 goto shut; 1323 case SSL_ERROR_ZERO_RETURN: 1324 BIO_printf(bio_c_out,"closed\n"); 1325 goto shut; 1326 case SSL_ERROR_SSL: 1327 ERR_print_errors(bio_err); 1328 goto shut; 1329 /* break; */ 1330 } 1331 } 1332 1333#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) 1334#if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS) 1335 else if (_kbhit()) 1336#else 1337 else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) 1338#endif 1339#elif defined (OPENSSL_SYS_NETWARE) 1340 else if (_kbhit()) 1341#else 1342 else if (FD_ISSET(fileno(stdin),&readfds)) 1343#endif 1344 { 1345 if (crlf) 1346 { 1347 int j, lf_num; 1348 1349 i=read(fileno(stdin),cbuf,BUFSIZZ/2); 1350 lf_num = 0; 1351 /* both loops are skipped when i <= 0 */ 1352 for (j = 0; j < i; j++) 1353 if (cbuf[j] == '\n') 1354 lf_num++; 1355 for (j = i-1; j >= 0; j--) 1356 { 1357 cbuf[j+lf_num] = cbuf[j]; 1358 if (cbuf[j] == '\n') 1359 { 1360 lf_num--; 1361 i++; 1362 cbuf[j+lf_num] = '\r'; 1363 } 1364 } 1365 assert(lf_num == 0); 1366 } 1367 else 1368 i=read(fileno(stdin),cbuf,BUFSIZZ); 1369 1370 if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q'))) 
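/* (continuation of MAIN()'s select loop: stdin hit EOF or the user typed 'Q') */
            {
            BIO_printf(bio_err,"DONE\n");
            goto shut;
            }

        if ((!c_ign_eof) && (cbuf[0] == 'R'))
            {
            BIO_printf(bio_err,"RENEGOTIATING\n");
            SSL_renegotiate(con);
            cbuf_len=0;
            }
        else
            {
            cbuf_len=i;
            cbuf_off=0;
#ifdef CHARSET_EBCDIC
            ebcdic2ascii(cbuf, cbuf, i);
#endif
            }

        write_ssl=1;
        read_tty=0;
        }
    }
shut:
    SSL_shutdown(con);
    SHUTDOWN(SSL_get_fd(con));
    ret=0;
end:
    if(prexit) print_stuff(bio_c_out,con,1);
    if (con != NULL) SSL_free(con);
    if (con2 != NULL) SSL_free(con2);
    if (ctx != NULL) SSL_CTX_free(ctx);
    if (cert)
        X509_free(cert);
    if (key)
        EVP_PKEY_free(key);
    if (pass)
        OPENSSL_free(pass);
    /* The I/O buffers may hold application data; wipe before releasing. */
    if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); }
    if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); }
    if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); }
    if (bio_c_out != NULL)
        {
        BIO_free(bio_c_out);
        bio_c_out=NULL;
        }
    apps_shutdown();
    OPENSSL_EXIT(ret);
    }


/*
 * print_stuff: write connection details to |bio| -- the peer certificate
 * chain, the server certificate, the acceptable client-CA names, the
 * shared ciphers (SSL 2 only), handshake byte counts, the negotiated
 * cipher, secure-renegotiation support, compression and the session.
 *
 * Display only.  Nothing printed here is a verification verdict: the
 * chain and certificate are shown exactly as the peer sent them.
 *
 * bio:  output BIO.
 * s:    the connected SSL object.
 * full: non-zero also prints the chain, CA names, shared ciphers and byte
 *       counts; zero prints only the summary lines after the first "---".
 *
 * Reads the file-scope flag c_showcerts to decide whether certificates are
 * additionally written out in PEM form.
 */
static void print_stuff(BIO *bio, SSL *s, int full)
{
    X509 *peer = NULL;
    char *p;
    /* Padding source for the shared-cipher table; must hold at least the
     * 15 characters the column logic below may ask for. */
    static const char *space = "                ";
    char buf[BUFSIZ];
    STACK_OF(X509) *sk;
    STACK_OF(X509_NAME) *sk2;
    const SSL_CIPHER *c;
    X509_NAME *xn;
    int j, i;
#ifndef OPENSSL_NO_COMP
    const COMP_METHOD *comp, *expansion;
#endif

    if (full) {
        int got_a_chain = 0;

        sk = SSL_get_peer_cert_chain(s);
        if (sk != NULL) {
            got_a_chain = 1;    /* we don't have it for SSL2 (yet) */

            BIO_printf(bio, "---\nCertificate chain\n");
            for (i = 0; i < sk_X509_num(sk); i++) {
                /* X509_NAME_oneline truncates silently at sizeof buf. */
                X509_NAME_oneline(X509_get_subject_name(sk_X509_value(sk, i)),
                                  buf, sizeof buf);
                BIO_printf(bio, "%2d s:%s\n", i, buf);
                X509_NAME_oneline(X509_get_issuer_name(sk_X509_value(sk, i)),
                                  buf, sizeof buf);
                BIO_printf(bio, " i:%s\n", buf);
                if (c_showcerts)
                    PEM_write_bio_X509(bio, sk_X509_value(sk, i));
            }
        }

        BIO_printf(bio, "---\n");
        /* SSL_get_peer_certificate hands back a reference we own; freed at
         * the end of this function. */
        peer = SSL_get_peer_certificate(s);
        if (peer != NULL) {
            BIO_printf(bio, "Server certificate\n");
            /* Redundant if we showed the whole chain */
            if (!(c_showcerts && got_a_chain))
                PEM_write_bio_X509(bio, peer);
            X509_NAME_oneline(X509_get_subject_name(peer), buf, sizeof buf);
            BIO_printf(bio, "subject=%s\n", buf);
            X509_NAME_oneline(X509_get_issuer_name(peer), buf, sizeof buf);
            BIO_printf(bio, "issuer=%s\n", buf);
        } else {
            BIO_printf(bio, "no peer certificate available\n");
        }

        sk2 = SSL_get_client_CA_list(s);
        if ((sk2 != NULL) && (sk_X509_NAME_num(sk2) > 0)) {
            BIO_printf(bio, "---\nAcceptable client certificate CA names\n");
            for (i = 0; i < sk_X509_NAME_num(sk2); i++) {
                xn = sk_X509_NAME_value(sk2, i);
                X509_NAME_oneline(xn, buf, sizeof buf);
                BIO_write(bio, buf, strlen(buf));
                BIO_write(bio, "\n", 1);
            }
        } else {
            BIO_printf(bio, "---\nNo client certificate CA names sent\n");
        }

        p = SSL_get_shared_ciphers(s, buf, sizeof buf);
        if (p != NULL) {
            /* This works only for SSL 2.  In later protocol versions the
             * client does not know what other ciphers (in addition to the
             * one used in the current connection) the server supports. */
            BIO_printf(bio, "---\nCiphers common between both SSL endpoints:\n");
            j = i = 0;
            while (*p) {
                if (*p == ':') {
                    /* Pad the name out to its column.  A name longer than
                     * the column previously produced a negative length
                     * here; only pad when there is something to pad. */
                    int pad = 15 - j % 25;
                    if (pad > 0)
                        BIO_write(bio, space, pad);
                    i++;
                    j = 0;
                    BIO_write(bio, ((i % 3) ? " " : "\n"), 1);
                } else {
                    BIO_write(bio, p, 1);
                    j++;
                }
                p++;
            }
            BIO_write(bio, "\n", 1);
        }

        BIO_printf(bio, "---\nSSL handshake has read %ld bytes and written %ld bytes\n",
                   BIO_number_read(SSL_get_rbio(s)),
                   BIO_number_written(SSL_get_wbio(s)));
    }
    /* SSL_session_reused() is the public accessor for the session-hit flag;
     * avoids reaching into the SSL structure. */
    BIO_printf(bio, (SSL_session_reused(s) ? "---\nReused, " : "---\nNew, "));
    c = SSL_get_current_cipher(s);
    BIO_printf(bio, "%s, Cipher is %s\n",
               SSL_CIPHER_get_version(c),
               SSL_CIPHER_get_name(c));
    if (peer != NULL) {
        EVP_PKEY *pktmp = X509_get_pubkey(peer);
        if (pktmp != NULL) {
            BIO_printf(bio, "Server public key is %d bit\n",
                       EVP_PKEY_bits(pktmp));
            EVP_PKEY_free(pktmp);
        } else {
            /* Unsupported or malformed SubjectPublicKeyInfo: say so instead
             * of reporting a 0-bit key. */
            BIO_printf(bio, "Server public key could not be parsed\n");
        }
    }
    BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
               SSL_get_secure_renegotiation_support(s) ? "" : " NOT");
#ifndef OPENSSL_NO_COMP
    comp = SSL_get_current_compression(s);
    expansion = SSL_get_current_expansion(s);
    BIO_printf(bio, "Compression: %s\n",
               comp ? SSL_COMP_get_name(comp) : "NONE");
    BIO_printf(bio, "Expansion: %s\n",
               expansion ? SSL_COMP_get_name(expansion) : "NONE");
#endif
    SSL_SESSION_print(bio, SSL_get_session(s));
    BIO_printf(bio, "---\n");
    X509_free(peer);            /* NULL-safe */
    /* flush, or debugging output gets mixed with http response */
    (void)BIO_flush(bio);
}

#ifndef OPENSSL_NO_TLSEXT

/*
 * ocsp_resp_cb: TLS status-request (OCSP stapling) callback.  Prints the
 * stapled OCSP response, if the server sent one, to the BIO passed as |arg|.
 *
 * Display only: the response is parsed and printed, not validated -- there
 * is no OCSP_basic_verify(), no check that it answers for the server
 * certificate and no look at its validity window.  A server can staple any
 * well-formed response and it is printed as received.
 *
 * s:   the SSL object whose handshake carried the status extension.
 * arg: a BIO * (registered with SSL_CTX_set_tlsext_status_arg by MAIN()).
 *
 * Returns 1 when there was no response or it parsed (the handshake goes
 * on), 0 when the stapled bytes do not parse, which OpenSSL treats as a
 * failed status check.
 */
static int ocsp_resp_cb(SSL *s, void *arg)
{
    BIO *out = arg;
    const unsigned char *p, *start;
    int len;
    OCSP_RESPONSE *rsp;

    len = SSL_get_tlsext_status_ocsp_resp(s, &p);
    BIO_puts(out, "OCSP response: ");
    if (!p) {
        BIO_puts(out, "no response sent\n");
        return 1;
    }
    /* d2i_* may advance the cursor it is given; keep the original so the
     * hex dump on failure shows the whole response rather than its tail. */
    start = p;
    rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
    if (!rsp) {
        BIO_puts(out, "response parse error\n");
        BIO_dump_indent(out, (char *)start, len, 4);
        return 0;
    }
    BIO_puts(out, "\n======================================\n");
    OCSP_RESPONSE_print(out, rsp, 0);
    BIO_puts(out, "======================================\n");
    OCSP_RESPONSE_free(rsp);
    return 1;
}
#endif /* ndef OPENSSL_NO_TLSEXT */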