s_client.c revision 1.2.4.1.4.4
1 /* apps/s_client.c */ 2 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay (at) cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh (at) cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay (at) cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core (at) openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay (at) cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh (at) cryptsoft.com). 109 * 110 */ 111 /* ==================================================================== 112 * Copyright 2005 Nokia. All rights reserved. 113 * 114 * The portions of the attached software ("Contribution") is developed by 115 * Nokia Corporation and is licensed pursuant to the OpenSSL open source 116 * license. 117 * 118 * The Contribution, originally written by Mika Kousa and Pasi Eronen of 119 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 120 * support (see RFC 4279) to OpenSSL. 121 * 122 * No patent licenses or other rights except those expressly stated in 123 * the OpenSSL open source license shall be deemed granted or received 124 * expressly, by implication, estoppel, or otherwise. 125 * 126 * No assurances are provided by Nokia that the Contribution does not 127 * infringe the patent or other intellectual property rights of any third 128 * party or that the license provides you with all the necessary rights 129 * to make use of the Contribution. 130 * 131 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 132 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 133 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 134 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 135 * OTHERWISE. 136 */ 137 138 #include <assert.h> 139 #include <ctype.h> 140 #include <stdio.h> 141 #include <stdlib.h> 142 #include <string.h> 143 #include <openssl/e_os2.h> 144 #ifdef OPENSSL_NO_STDIO 145 #define APPS_WIN16 146 #endif 147 148 /* With IPv6, it looks like Digital has mixed up the proper order of 149 recursive header file inclusion, resulting in the compiler complaining 150 that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which 151 is needed to have fileno() declared correctly... So let's define u_int */ 152 #if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT) 153 #define __U_INT 154 typedef unsigned int u_int; 155 #endif 156 157 #define USE_SOCKETS 158 #include "apps.h" 159 #include <openssl/x509.h> 160 #include <openssl/ssl.h> 161 #include <openssl/err.h> 162 #include <openssl/pem.h> 163 #include <openssl/rand.h> 164 #include <openssl/ocsp.h> 165 #include <openssl/bn.h> 166 #ifndef OPENSSL_NO_SRP 167 #include <openssl/srp.h> 168 #endif 169 #include "s_apps.h" 170 #include "timeouts.h" 171 172 #if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000) 173 /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */ 174 #undef FIONBIO 175 #endif 176 177 #if defined(OPENSSL_SYS_BEOS_R5) 178 #include <fcntl.h> 179 #endif 180 181 #undef PROG 182 #define PROG s_client_main 183 184 /*#define SSL_HOST_NAME "www.netscape.com" */ 185 /*#define SSL_HOST_NAME "193.118.187.102" */ 186 #define SSL_HOST_NAME "localhost" 187 188 /*#define TEST_CERT "client.pem" */ /* no default cert. */ 189 190 #undef BUFSIZZ 191 #define BUFSIZZ 1024*8 192 193 extern int verify_depth; 194 extern int verify_error; 195 extern int verify_return_error; 196 197 #ifdef FIONBIO 198 static int c_nbio=0; 199 #endif 200 static int c_Pause=0; 201 static int c_debug=0; 202 #ifndef OPENSSL_NO_TLSEXT 203 static int c_tlsextdebug=0; 204 static int c_status_req=0; 205 #endif 206 static int c_msg=0; 207 static int c_showcerts=0; 208 209 static char *keymatexportlabel=NULL; 210 static int keymatexportlen=20; 211 212 static void sc_usage(void); 213 static void print_stuff(BIO *berr,SSL *con,int full); 214 #ifndef OPENSSL_NO_TLSEXT 215 static int ocsp_resp_cb(SSL *s, void *arg); 216 #endif 217 static BIO *bio_c_out=NULL; 218 static int c_quiet=0; 219 static int c_ign_eof=0; 220 221 #ifndef OPENSSL_NO_PSK 222 /* Default PSK identity and key */ 223 static char *psk_identity="Client_identity"; 224 /*char *psk_key=NULL; by default PSK is not used */ 225 226 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity, 227 unsigned int max_identity_len, unsigned char *psk, 228 unsigned int max_psk_len) 229 { 230 unsigned int psk_len = 0; 231 int ret; 232 BIGNUM *bn=NULL; 233 234 if (c_debug) 235 BIO_printf(bio_c_out, "psk_client_cb\n"); 236 if (!hint) 237 { 238 /* no ServerKeyExchange message*/ 239 if (c_debug) 240 BIO_printf(bio_c_out,"NULL received PSK identity hint, continuing anyway\n"); 241 } 242 else if (c_debug) 243 BIO_printf(bio_c_out, "Received PSK identity hint '%s'\n", hint); 244 245 /* lookup PSK identity and PSK key based on the given identity hint here */ 246 ret = BIO_snprintf(identity, max_identity_len, "%s", psk_identity); 247 if (ret < 0 || (unsigned int)ret > max_identity_len) 248 goto out_err; 249 if (c_debug) 250 BIO_printf(bio_c_out, "created identity '%s' len=%d\n", identity, ret); 251 ret=BN_hex2bn(&bn, psk_key); 252 if (!ret) 253 { 254 BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", psk_key); 255 if (bn) 256 BN_free(bn); 257 return 0; 258 } 259 260 if ((unsigned int)BN_num_bytes(bn) > max_psk_len) 261 { 262 BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n", 263 max_psk_len, BN_num_bytes(bn)); 264 BN_free(bn); 265 return 0; 266 } 267 268 psk_len=BN_bn2bin(bn, psk); 269 BN_free(bn); 270 if (psk_len == 0) 271 goto out_err; 272 273 if (c_debug) 274 BIO_printf(bio_c_out, "created PSK len=%d\n", psk_len); 275 276 return psk_len; 277 out_err: 278 if (c_debug) 279 BIO_printf(bio_err, "Error in PSK client callback\n"); 280 return 0; 281 } 282 #endif 283 284 static void sc_usage(void) 285 { 286 BIO_printf(bio_err,"usage: s_client args\n"); 287 BIO_printf(bio_err,"\n"); 288 BIO_printf(bio_err," -host host - use -connect instead\n"); 289 BIO_printf(bio_err," -port port - use -connect instead\n"); 290 BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR); 291 292 BIO_printf(bio_err," -verify arg - turn on peer certificate verification\n"); 293 BIO_printf(bio_err," -verify_return_error - return verification errors\n"); 294 BIO_printf(bio_err," -cert arg - certificate file to use, PEM format assumed\n"); 295 BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n"); 296 BIO_printf(bio_err," -key arg - Private key file to use, in cert file if\n"); 297 BIO_printf(bio_err," not specified but cert file is.\n"); 298 BIO_printf(bio_err," -keyform arg - key format (PEM or DER) PEM default\n"); 299 BIO_printf(bio_err," -pass arg - private key file pass phrase source\n"); 300 BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n"); 301 BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n"); 302 BIO_printf(bio_err," -reconnect - Drop and re-make the connection with the same Session-ID\n"); 303 BIO_printf(bio_err," -pause - sleep(1) after each read(2) and write(2) system call\n"); 304 BIO_printf(bio_err," -prexit - print session information even on connection failure\n"); 305 BIO_printf(bio_err," -showcerts - show all certificates in the chain\n"); 306 BIO_printf(bio_err," -debug - extra output\n"); 307 #ifdef WATT32 308 BIO_printf(bio_err," -wdebug - WATT-32 tcp debugging\n"); 309 #endif 310 BIO_printf(bio_err," -msg - Show protocol messages\n"); 311 BIO_printf(bio_err," -nbio_test - more ssl protocol testing\n"); 312 BIO_printf(bio_err," -state - print the 'ssl' states\n"); 313 #ifdef FIONBIO 314 BIO_printf(bio_err," -nbio - Run with non-blocking IO\n"); 315 #endif 316 BIO_printf(bio_err," -crlf - convert LF from terminal into CRLF\n"); 317 BIO_printf(bio_err," -quiet - no s_client output\n"); 318 BIO_printf(bio_err," -ign_eof - ignore input eof (default when -quiet)\n"); 319 BIO_printf(bio_err," -no_ign_eof - don't ignore input eof\n"); 320 #ifndef OPENSSL_NO_PSK 321 BIO_printf(bio_err," -psk_identity arg - PSK identity\n"); 322 BIO_printf(bio_err," -psk arg - PSK in hex (without 0x)\n"); 323 # ifndef OPENSSL_NO_JPAKE 324 BIO_printf(bio_err," -jpake arg - JPAKE secret to use\n"); 325 # endif 326 #endif 327 #ifndef OPENSSL_NO_SRP 328 BIO_printf(bio_err," -srpuser user - SRP authentification for 'user'\n"); 329 BIO_printf(bio_err," -srppass arg - password for 'user'\n"); 330 BIO_printf(bio_err," -srp_lateuser - SRP username into second ClientHello message\n"); 331 BIO_printf(bio_err," -srp_moregroups - Tolerate other than the known g N values.\n"); 332 BIO_printf(bio_err," -srp_strength int - minimal length in bits for N (default %d).\n",SRP_MINIMAL_N); 333 #endif 334 BIO_printf(bio_err," -ssl2 - just use SSLv2\n"); 335 #ifndef OPENSSL_NO_SSL3_METHOD 336 BIO_printf(bio_err," -ssl3 - just use SSLv3\n"); 337 #endif 338 BIO_printf(bio_err," -tls1_2 - just use TLSv1.2\n"); 339 BIO_printf(bio_err," -tls1_1 - just use TLSv1.1\n"); 340 BIO_printf(bio_err," -tls1 - just use TLSv1\n"); 341 BIO_printf(bio_err," -dtls1 - just use DTLSv1\n"); 342 BIO_printf(bio_err," -fallback_scsv - send TLS_FALLBACK_SCSV\n"); 343 BIO_printf(bio_err," -mtu - set the link layer MTU\n"); 344 BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n"); 345 BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n"); 346 BIO_printf(bio_err," -serverpref - Use server's cipher preferences (only SSLv2)\n"); 347 BIO_printf(bio_err," -cipher - preferred cipher to use, use the 'openssl ciphers'\n"); 348 BIO_printf(bio_err," command to see what is available\n"); 349 BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n"); 350 BIO_printf(bio_err," for those protocols that support it, where\n"); 351 BIO_printf(bio_err," 'prot' defines which one to assume. Currently,\n"); 352 BIO_printf(bio_err," only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n"); 353 BIO_printf(bio_err," are supported.\n"); 354 #ifndef OPENSSL_NO_ENGINE 355 BIO_printf(bio_err," -engine id - Initialise and use the specified engine\n"); 356 #endif 357 BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); 358 BIO_printf(bio_err," -sess_out arg - file to write SSL session to\n"); 359 BIO_printf(bio_err," -sess_in arg - file to read SSL session from\n"); 360 #ifndef OPENSSL_NO_TLSEXT 361 BIO_printf(bio_err," -servername host - Set TLS extension servername in ClientHello\n"); 362 BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n"); 363 BIO_printf(bio_err," -status - request certificate status from server\n"); 364 BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n"); 365 # ifndef OPENSSL_NO_NEXTPROTONEG 366 BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n"); 367 # endif 368 #endif 369 BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n"); 370 #ifndef OPENSSL_NO_SRTP 371 BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n"); 372 #endif 373 BIO_printf(bio_err," -keymatexport label - Export keying material using label\n"); 374 BIO_printf(bio_err," -keymatexportlen len - Export len bytes of keying material (default 20)\n"); 375 } 376 377 #ifndef OPENSSL_NO_TLSEXT 378 379 /* This is a context that we pass to callbacks */ 380 typedef struct tlsextctx_st { 381 BIO * biodebug; 382 int ack; 383 } tlsextctx; 384 385 386 static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg) 387 { 388 tlsextctx * p = (tlsextctx *) arg; 389 const char * hn= SSL_get_servername(s, TLSEXT_NAMETYPE_host_name); 390 if (SSL_get_servername_type(s) != -1) 391 p->ack = !SSL_session_reused(s) && hn != NULL; 392 else 393 BIO_printf(bio_err,"Can't use SSL_get_servername\n"); 394 395 return SSL_TLSEXT_ERR_OK; 396 } 397 398 #ifndef OPENSSL_NO_SRP 399 400 /* This is a context that we pass to all callbacks */ 401 typedef struct srp_arg_st 402 { 403 char *srppassin; 404 char *srplogin; 405 int msg; /* copy from c_msg */ 406 int debug; /* copy from c_debug */ 407 int amp; /* allow more groups */ 408 int strength /* minimal size for N */ ; 409 } SRP_ARG; 410 411 #define SRP_NUMBER_ITERATIONS_FOR_PRIME 64 412 413 static int srp_Verify_N_and_g(BIGNUM *N, BIGNUM *g) 414 { 415 BN_CTX *bn_ctx = BN_CTX_new(); 416 BIGNUM *p = BN_new(); 417 BIGNUM *r = BN_new(); 418 int ret = 419 g != NULL && N != NULL && bn_ctx != NULL && BN_is_odd(N) && 420 BN_is_prime_ex(N, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) && 421 p != NULL && BN_rshift1(p, N) && 422 423 /* p = (N-1)/2 */ 424 BN_is_prime_ex(p, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) && 425 r != NULL && 426 427 /* verify g^((N-1)/2) == -1 (mod N) */ 428 BN_mod_exp(r, g, p, N, bn_ctx) && 429 BN_add_word(r, 1) && 430 BN_cmp(r, N) == 0; 431 432 if(r) 433 BN_free(r); 434 if(p) 435 BN_free(p); 436 if(bn_ctx) 437 BN_CTX_free(bn_ctx); 438 return ret; 439 } 440 441 /* This callback is used here for two purposes: 442 - extended debugging 443 - making some primality tests for unknown groups 444 The callback is only called for a non default group. 445 446 An application does not need the call back at all if 447 only the stanard groups are used. In real life situations, 448 client and server already share well known groups, 449 thus there is no need to verify them. 450 Furthermore, in case that a server actually proposes a group that 451 is not one of those defined in RFC 5054, it is more appropriate 452 to add the group to a static list and then compare since 453 primality tests are rather cpu consuming. 454 */ 455 456 static int MS_CALLBACK ssl_srp_verify_param_cb(SSL *s, void *arg) 457 { 458 SRP_ARG *srp_arg = (SRP_ARG *)arg; 459 BIGNUM *N = NULL, *g = NULL; 460 if (!(N = SSL_get_srp_N(s)) || !(g = SSL_get_srp_g(s))) 461 return 0; 462 if (srp_arg->debug || srp_arg->msg || srp_arg->amp == 1) 463 { 464 BIO_printf(bio_err, "SRP parameters:\n"); 465 BIO_printf(bio_err,"\tN="); BN_print(bio_err,N); 466 BIO_printf(bio_err,"\n\tg="); BN_print(bio_err,g); 467 BIO_printf(bio_err,"\n"); 468 } 469 470 if (SRP_check_known_gN_param(g,N)) 471 return 1; 472 473 if (srp_arg->amp == 1) 474 { 475 if (srp_arg->debug) 476 BIO_printf(bio_err, "SRP param N and g are not known params, going to check deeper.\n"); 477 478 /* The srp_moregroups is a real debugging feature. 479 Implementors should rather add the value to the known ones. 480 The minimal size has already been tested. 481 */ 482 if (BN_num_bits(g) <= BN_BITS && srp_Verify_N_and_g(N,g)) 483 return 1; 484 } 485 BIO_printf(bio_err, "SRP param N and g rejected.\n"); 486 return 0; 487 } 488 489 #define PWD_STRLEN 1024 490 491 static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg) 492 { 493 SRP_ARG *srp_arg = (SRP_ARG *)arg; 494 char *pass = (char *)OPENSSL_malloc(PWD_STRLEN+1); 495 PW_CB_DATA cb_tmp; 496 int l; 497 498 cb_tmp.password = (char *)srp_arg->srppassin; 499 cb_tmp.prompt_info = "SRP user"; 500 if ((l = password_callback(pass, PWD_STRLEN, 0, &cb_tmp))<0) 501 { 502 BIO_printf (bio_err, "Can't read Password\n"); 503 OPENSSL_free(pass); 504 return NULL; 505 } 506 *(pass+l)= '\0'; 507 508 return pass; 509 } 510 511 #endif 512 #ifndef OPENSSL_NO_SRTP 513 char *srtp_profiles = NULL; 514 #endif 515 516 # ifndef OPENSSL_NO_NEXTPROTONEG 517 /* This the context that we pass to next_proto_cb */ 518 typedef struct tlsextnextprotoctx_st { 519 unsigned char *data; 520 unsigned short len; 521 int status; 522 } tlsextnextprotoctx; 523 524 static tlsextnextprotoctx next_proto; 525 526 static int next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg) 527 { 528 tlsextnextprotoctx *ctx = arg; 529 530 if (!c_quiet) 531 { 532 /* We can assume that |in| is syntactically valid. */ 533 unsigned i; 534 BIO_printf(bio_c_out, "Protocols advertised by server: "); 535 for (i = 0; i < inlen; ) 536 { 537 if (i) 538 BIO_write(bio_c_out, ", ", 2); 539 BIO_write(bio_c_out, &in[i + 1], in[i]); 540 i += in[i] + 1; 541 } 542 BIO_write(bio_c_out, "\n", 1); 543 } 544 545 ctx->status = SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len); 546 return SSL_TLSEXT_ERR_OK; 547 } 548 # endif /* ndef OPENSSL_NO_NEXTPROTONEG */ 549 #endif 550 551 enum 552 { 553 PROTO_OFF = 0, 554 PROTO_SMTP, 555 PROTO_POP3, 556 PROTO_IMAP, 557 PROTO_FTP, 558 PROTO_XMPP 559 }; 560 561 int MAIN(int, char **); 562 563 int MAIN(int argc, char **argv) 564 { 565 unsigned int off=0, clr=0; 566 SSL *con=NULL; 567 #ifndef OPENSSL_NO_KRB5 568 KSSL_CTX *kctx; 569 #endif 570 int s,k,width,state=0; 571 char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL; 572 int cbuf_len,cbuf_off; 573 int sbuf_len,sbuf_off; 574 fd_set readfds,writefds; 575 int fdin, fdout; 576 short port=PORT; 577 int full_log=1; 578 char *host=SSL_HOST_NAME; 579 char *cert_file=NULL,*key_file=NULL; 580 int cert_format = FORMAT_PEM, key_format = FORMAT_PEM; 581 char *passarg = NULL, *pass = NULL; 582 X509 *cert = NULL; 583 EVP_PKEY *key = NULL; 584 char *CApath=NULL,*CAfile=NULL,*cipher=NULL; 585 int reconnect=0,badop=0,verify=SSL_VERIFY_NONE,bugs=0; 586 int crlf=0; 587 int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending; 588 SSL_CTX *ctx=NULL; 589 int ret=1,in_init=1,i,nbio_test=0; 590 int starttls_proto = PROTO_OFF; 591 int prexit = 0; 592 X509_VERIFY_PARAM *vpm = NULL; 593 int badarg = 0; 594 const SSL_METHOD *meth=NULL; 595 int socket_type=SOCK_STREAM; 596 BIO *sbio; 597 char *inrand=NULL; 598 int mbuf_len=0; 599 struct timeval timeout, *timeoutp; 600 #ifndef OPENSSL_NO_ENGINE 601 char *engine_id=NULL; 602 char *ssl_client_engine_id=NULL; 603 ENGINE *ssl_client_engine=NULL; 604 #endif 605 ENGINE *e=NULL; 606 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5) 607 struct timeval tv; 608 #if defined(OPENSSL_SYS_BEOS_R5) 609 int stdin_set = 0; 610 #endif 611 #endif 612 #ifndef OPENSSL_NO_TLSEXT 613 char *servername = NULL; 614 tlsextctx tlsextcbp = 615 {NULL,0}; 616 # ifndef OPENSSL_NO_NEXTPROTONEG 617 const char *next_proto_neg_in = NULL; 618 # endif 619 #endif 620 char *sess_in = NULL; 621 char *sess_out = NULL; 622 struct sockaddr peer; 623 int peerlen = sizeof(peer); 624 int fallback_scsv = 0; 625 int enable_timeouts = 0 ; 626 long socket_mtu = 0; 627 #ifndef OPENSSL_NO_JPAKE 628 char *jpake_secret = NULL; 629 #endif 630 #ifndef OPENSSL_NO_SRP 631 char * srppass = NULL; 632 int srp_lateuser = 0; 633 SRP_ARG srp_arg = {NULL,NULL,0,0,0,1024}; 634 #endif 635 636 meth=SSLv23_client_method(); 637 638 apps_startup(); 639 c_Pause=0; 640 c_quiet=0; 641 c_ign_eof=0; 642 c_debug=0; 643 c_msg=0; 644 c_showcerts=0; 645 646 if (bio_err == NULL) 647 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE); 648 649 if (!load_config(bio_err, NULL)) 650 goto end; 651 652 if ( ((cbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) || 653 ((sbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) || 654 ((mbuf=OPENSSL_malloc(BUFSIZZ)) == NULL)) 655 { 656 BIO_printf(bio_err,"out of memory\n"); 657 goto end; 658 } 659 660 verify_depth=0; 661 verify_error=X509_V_OK; 662 #ifdef FIONBIO 663 c_nbio=0; 664 #endif 665 666 argc--; 667 argv++; 668 while (argc >= 1) 669 { 670 if (strcmp(*argv,"-host") == 0) 671 { 672 if (--argc < 1) goto bad; 673 host= *(++argv); 674 } 675 else if (strcmp(*argv,"-port") == 0) 676 { 677 if (--argc < 1) goto bad; 678 port=atoi(*(++argv)); 679 if (port == 0) goto bad; 680 } 681 else if (strcmp(*argv,"-connect") == 0) 682 { 683 if (--argc < 1) goto bad; 684 if (!extract_host_port(*(++argv),&host,NULL,&port)) 685 goto bad; 686 } 687 else if (strcmp(*argv,"-verify") == 0) 688 { 689 verify=SSL_VERIFY_PEER; 690 if (--argc < 1) goto bad; 691 verify_depth=atoi(*(++argv)); 692 BIO_printf(bio_err,"verify depth is %d\n",verify_depth); 693 } 694 else if (strcmp(*argv,"-cert") == 0) 695 { 696 if (--argc < 1) goto bad; 697 cert_file= *(++argv); 698 } 699 else if (strcmp(*argv,"-sess_out") == 0) 700 { 701 if (--argc < 1) goto bad; 702 sess_out = *(++argv); 703 } 704 else if (strcmp(*argv,"-sess_in") == 0) 705 { 706 if (--argc < 1) goto bad; 707 sess_in = *(++argv); 708 } 709 else if (strcmp(*argv,"-certform") == 0) 710 { 711 if (--argc < 1) goto bad; 712 cert_format = str2fmt(*(++argv)); 713 } 714 else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm)) 715 { 716 if (badarg) 717 goto bad; 718 continue; 719 } 720 else if (strcmp(*argv,"-verify_return_error") == 0) 721 verify_return_error = 1; 722 else if (strcmp(*argv,"-prexit") == 0) 723 prexit=1; 724 else if (strcmp(*argv,"-crlf") == 0) 725 crlf=1; 726 else if (strcmp(*argv,"-quiet") == 0) 727 { 728 c_quiet=1; 729 c_ign_eof=1; 730 } 731 else if (strcmp(*argv,"-ign_eof") == 0) 732 c_ign_eof=1; 733 else if (strcmp(*argv,"-no_ign_eof") == 0) 734 c_ign_eof=0; 735 else if (strcmp(*argv,"-pause") == 0) 736 c_Pause=1; 737 else if (strcmp(*argv,"-debug") == 0) 738 c_debug=1; 739 #ifndef OPENSSL_NO_TLSEXT 740 else if (strcmp(*argv,"-tlsextdebug") == 0) 741 c_tlsextdebug=1; 742 else if (strcmp(*argv,"-status") == 0) 743 c_status_req=1; 744 #endif 745 #ifdef WATT32 746 else if (strcmp(*argv,"-wdebug") == 0) 747 dbug_init(); 748 #endif 749 else if (strcmp(*argv,"-msg") == 0) 750 c_msg=1; 751 else if (strcmp(*argv,"-showcerts") == 0) 752 c_showcerts=1; 753 else if (strcmp(*argv,"-nbio_test") == 0) 754 nbio_test=1; 755 else if (strcmp(*argv,"-state") == 0) 756 state=1; 757 #ifndef OPENSSL_NO_PSK 758 else if (strcmp(*argv,"-psk_identity") == 0) 759 { 760 if (--argc < 1) goto bad; 761 psk_identity=*(++argv); 762 } 763 else if (strcmp(*argv,"-psk") == 0) 764 { 765 size_t j; 766 767 if (--argc < 1) goto bad; 768 psk_key=*(++argv); 769 for (j = 0; j < strlen(psk_key); j++) 770 { 771 if (isxdigit((unsigned char)psk_key[j])) 772 continue; 773 BIO_printf(bio_err,"Not a hex number '%s'\n",*argv); 774 goto bad; 775 } 776 } 777 #endif 778 #ifndef OPENSSL_NO_SRP 779 else if (strcmp(*argv,"-srpuser") == 0) 780 { 781 if (--argc < 1) goto bad; 782 srp_arg.srplogin= *(++argv); 783 meth=TLSv1_client_method(); 784 } 785 else if (strcmp(*argv,"-srppass") == 0) 786 { 787 if (--argc < 1) goto bad; 788 srppass= *(++argv); 789 meth=TLSv1_client_method(); 790 } 791 else if (strcmp(*argv,"-srp_strength") == 0) 792 { 793 if (--argc < 1) goto bad; 794 srp_arg.strength=atoi(*(++argv)); 795 BIO_printf(bio_err,"SRP minimal length for N is %d\n",srp_arg.strength); 796 meth=TLSv1_client_method(); 797 } 798 else if (strcmp(*argv,"-srp_lateuser") == 0) 799 { 800 srp_lateuser= 1; 801 meth=TLSv1_client_method(); 802 } 803 else if (strcmp(*argv,"-srp_moregroups") == 0) 804 { 805 srp_arg.amp=1; 806 meth=TLSv1_client_method(); 807 } 808 #endif 809 #ifndef OPENSSL_NO_SSL2 810 else if (strcmp(*argv,"-ssl2") == 0) 811 meth=SSLv2_client_method(); 812 #endif 813 #ifndef OPENSSL_NO_SSL3_METHOD 814 else if (strcmp(*argv,"-ssl3") == 0) 815 meth=SSLv3_client_method(); 816 #endif 817 #ifndef OPENSSL_NO_TLS1 818 else if (strcmp(*argv,"-tls1_2") == 0) 819 meth=TLSv1_2_client_method(); 820 else if (strcmp(*argv,"-tls1_1") == 0) 821 meth=TLSv1_1_client_method(); 822 else if (strcmp(*argv,"-tls1") == 0) 823 meth=TLSv1_client_method(); 824 #endif 825 #ifndef OPENSSL_NO_DTLS1 826 else if (strcmp(*argv,"-dtls1") == 0) 827 { 828 meth=DTLSv1_client_method(); 829 socket_type=SOCK_DGRAM; 830 } 831 else if (strcmp(*argv,"-fallback_scsv") == 0) 832 { 833 fallback_scsv = 1; 834 } 835 else if (strcmp(*argv,"-timeout") == 0) 836 enable_timeouts=1; 837 else if (strcmp(*argv,"-mtu") == 0) 838 { 839 if (--argc < 1) goto bad; 840 socket_mtu = atol(*(++argv)); 841 } 842 #endif 843 else if (strcmp(*argv,"-bugs") == 0) 844 bugs=1; 845 else if (strcmp(*argv,"-keyform") == 0) 846 { 847 if (--argc < 1) goto bad; 848 key_format = str2fmt(*(++argv)); 849 } 850 else if (strcmp(*argv,"-pass") == 0) 851 { 852 if (--argc < 1) goto bad; 853 passarg = *(++argv); 854 } 855 else if (strcmp(*argv,"-key") == 0) 856 { 857 if (--argc < 1) goto bad; 858 key_file= *(++argv); 859 } 860 else if (strcmp(*argv,"-reconnect") == 0) 861 { 862 reconnect=5; 863 } 864 else if (strcmp(*argv,"-CApath") == 0) 865 { 866 if (--argc < 1) goto bad; 867 CApath= *(++argv); 868 } 869 else if (strcmp(*argv,"-CAfile") == 0) 870 { 871 if (--argc < 1) goto bad; 872 CAfile= *(++argv); 873 } 874 else if (strcmp(*argv,"-no_tls1_2") == 0) 875 off|=SSL_OP_NO_TLSv1_2; 876 else if (strcmp(*argv,"-no_tls1_1") == 0) 877 off|=SSL_OP_NO_TLSv1_1; 878 else if (strcmp(*argv,"-no_tls1") == 0) 879 off|=SSL_OP_NO_TLSv1; 880 else if (strcmp(*argv,"-no_ssl3") == 0) 881 off|=SSL_OP_NO_SSLv3; 882 else if (strcmp(*argv,"-no_ssl2") == 0) 883 off|=SSL_OP_NO_SSLv2; 884 else if (strcmp(*argv,"-no_comp") == 0) 885 { off|=SSL_OP_NO_COMPRESSION; } 886 #ifndef OPENSSL_NO_TLSEXT 887 else if (strcmp(*argv,"-no_ticket") == 0) 888 { off|=SSL_OP_NO_TICKET; } 889 # ifndef OPENSSL_NO_NEXTPROTONEG 890 else if (strcmp(*argv,"-nextprotoneg") == 0) 891 { 892 if (--argc < 1) goto bad; 893 next_proto_neg_in = *(++argv); 894 } 895 # endif 896 #endif 897 else if (strcmp(*argv,"-serverpref") == 0) 898 off|=SSL_OP_CIPHER_SERVER_PREFERENCE; 899 else if (strcmp(*argv,"-legacy_renegotiation") == 0) 900 off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; 901 else if (strcmp(*argv,"-legacy_server_connect") == 0) 902 { off|=SSL_OP_LEGACY_SERVER_CONNECT; } 903 else if (strcmp(*argv,"-no_legacy_server_connect") == 0) 904 { clr|=SSL_OP_LEGACY_SERVER_CONNECT; } 905 else if (strcmp(*argv,"-cipher") == 0) 906 { 907 if (--argc < 1) goto bad; 908 cipher= *(++argv); 909 } 910 #ifdef FIONBIO 911 else if (strcmp(*argv,"-nbio") == 0) 912 { c_nbio=1; } 913 #endif 914 else if (strcmp(*argv,"-starttls") == 0) 915 { 916 if (--argc < 1) goto bad; 917 ++argv; 918 if (strcmp(*argv,"smtp") == 0) 919 starttls_proto = PROTO_SMTP; 920 else if (strcmp(*argv,"pop3") == 0) 921 starttls_proto = PROTO_POP3; 922 else if (strcmp(*argv,"imap") == 0) 923 starttls_proto = PROTO_IMAP; 924 else if (strcmp(*argv,"ftp") == 0) 925 starttls_proto = PROTO_FTP; 926 else if (strcmp(*argv, "xmpp") == 0) 927 starttls_proto = PROTO_XMPP; 928 else 929 goto bad; 930 } 931 #ifndef OPENSSL_NO_ENGINE 932 else if (strcmp(*argv,"-engine") == 0) 933 { 934 if (--argc < 1) goto bad; 935 engine_id = *(++argv); 936 } 937 else if (strcmp(*argv,"-ssl_client_engine") == 0) 938 { 939 if (--argc < 1) goto bad; 940 ssl_client_engine_id = *(++argv); 941 } 942 #endif 943 else if (strcmp(*argv,"-rand") == 0) 944 { 945 if (--argc < 1) goto bad; 946 inrand= *(++argv); 947 } 948 #ifndef OPENSSL_NO_TLSEXT 949 else if (strcmp(*argv,"-servername") == 0) 950 { 951 if (--argc < 1) goto bad; 952 servername= *(++argv); 953 /* meth=TLSv1_client_method(); */ 954 } 955 #endif 956 #ifndef OPENSSL_NO_JPAKE 957 else if (strcmp(*argv,"-jpake") == 0) 958 { 959 if (--argc < 1) goto bad; 960 jpake_secret = *++argv; 961 } 962 #endif 963 #ifndef OPENSSL_NO_SRTP 964 else if (strcmp(*argv,"-use_srtp") == 0) 965 { 966 if (--argc < 1) goto bad; 967 srtp_profiles = *(++argv); 968 } 969 #endif 970 else if (strcmp(*argv,"-keymatexport") == 0) 971 { 972 if (--argc < 1) goto bad; 973 keymatexportlabel= *(++argv); 974 } 975 else if (strcmp(*argv,"-keymatexportlen") == 0) 976 { 977 if (--argc < 1) goto bad; 978 keymatexportlen=atoi(*(++argv)); 979 if (keymatexportlen == 0) goto bad; 980 } 981 else 982 { 983 BIO_printf(bio_err,"unknown option %s\n",*argv); 984 badop=1; 985 break; 986 } 987 argc--; 988 argv++; 989 } 990 if (badop) 991 { 992 bad: 993 sc_usage(); 994 goto end; 995 } 996 997 #if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK) 998 if (jpake_secret) 999 { 1000 if (psk_key) 1001 { 1002 BIO_printf(bio_err, 1003 "Can't use JPAKE and PSK together\n"); 1004 goto end; 1005 } 1006 psk_identity = "JPAKE"; 1007 if (cipher) 1008 { 1009 BIO_printf(bio_err, "JPAKE sets cipher to PSK\n"); 1010 goto end; 1011 } 1012 cipher = "PSK"; 1013 } 1014 #endif 1015 1016 OpenSSL_add_ssl_algorithms(); 1017 SSL_load_error_strings(); 1018 1019 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) 1020 next_proto.status = -1; 1021 if (next_proto_neg_in) 1022 { 1023 next_proto.data = next_protos_parse(&next_proto.len, next_proto_neg_in); 1024 if (next_proto.data == NULL) 1025 { 1026 BIO_printf(bio_err, "Error parsing -nextprotoneg argument\n"); 1027 goto end; 1028 } 1029 } 1030 else 1031 next_proto.data = NULL; 1032 #endif 1033 1034 #ifndef OPENSSL_NO_ENGINE 1035 e = setup_engine(bio_err, engine_id, 1); 1036 if (ssl_client_engine_id) 1037 { 1038 ssl_client_engine = ENGINE_by_id(ssl_client_engine_id); 1039 if (!ssl_client_engine) 1040 { 1041 BIO_printf(bio_err, 1042 "Error getting client auth engine\n"); 1043 goto end; 1044 } 1045 } 1046 1047 #endif 1048 if (!app_passwd(bio_err, passarg, NULL, &pass, NULL)) 1049 { 1050 BIO_printf(bio_err, "Error getting password\n"); 1051 goto end; 1052 } 1053 1054 if (key_file == NULL) 1055 key_file = cert_file; 1056 1057 1058 if (key_file) 1059 1060 { 1061 1062 key = load_key(bio_err, key_file, key_format, 0, pass, e, 1063 "client certificate private key file"); 1064 if (!key) 1065 { 1066 ERR_print_errors(bio_err); 1067 goto end; 1068 } 1069 1070 } 1071 1072 if (cert_file) 1073 1074 { 1075 cert = load_cert(bio_err,cert_file,cert_format, 1076 NULL, e, "client certificate file"); 1077 1078 if (!cert) 1079 { 1080 ERR_print_errors(bio_err); 1081 goto end; 1082 } 1083 } 1084 1085 if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL 1086 && !RAND_status()) 1087 { 1088 BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n"); 1089 } 1090 if (inrand != NULL) 1091 BIO_printf(bio_err,"%ld semi-random bytes loaded\n", 1092 app_RAND_load_files(inrand)); 1093 1094 if (bio_c_out == NULL) 1095 { 1096 if (c_quiet && !c_debug && !c_msg) 1097 { 1098 bio_c_out=BIO_new(BIO_s_null()); 1099 } 1100 else 1101 { 1102 if (bio_c_out == NULL) 1103 bio_c_out=BIO_new_fp(stdout,BIO_NOCLOSE); 1104 } 1105 } 1106 1107 #ifndef OPENSSL_NO_SRP 1108 if(!app_passwd(bio_err, srppass, NULL, &srp_arg.srppassin, NULL)) 1109 { 1110 BIO_printf(bio_err, "Error getting password\n"); 1111 goto end; 1112 } 1113 #endif 1114 1115 ctx=SSL_CTX_new(meth); 1116 if (ctx == NULL) 1117 { 1118 ERR_print_errors(bio_err); 1119 goto end; 1120 } 1121 1122 if (vpm) 1123 SSL_CTX_set1_param(ctx, vpm); 1124 1125 #ifndef OPENSSL_NO_ENGINE 1126 if (ssl_client_engine) 1127 { 1128 if (!SSL_CTX_set_client_cert_engine(ctx, ssl_client_engine)) 1129 { 1130 BIO_puts(bio_err, "Error setting client auth engine\n"); 1131 ERR_print_errors(bio_err); 1132 ENGINE_free(ssl_client_engine); 1133 goto end; 1134 } 1135 ENGINE_free(ssl_client_engine); 1136 } 1137 #endif 1138 1139 #ifndef OPENSSL_NO_PSK 1140 #ifdef OPENSSL_NO_JPAKE 1141 if (psk_key != NULL) 1142 #else 1143 if (psk_key != NULL || jpake_secret) 1144 #endif 1145 { 1146 if (c_debug) 1147 BIO_printf(bio_c_out, "PSK key given or JPAKE in use, setting client callback\n"); 1148 SSL_CTX_set_psk_client_callback(ctx, psk_client_cb); 1149 } 1150 #endif 1151 #ifndef OPENSSL_NO_SRTP 1152 if (srtp_profiles != NULL) 1153 SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles); 1154 #endif 1155 if (bugs) 1156 SSL_CTX_set_options(ctx,SSL_OP_ALL|off); 1157 else 1158 SSL_CTX_set_options(ctx,off); 1159 1160 if (clr) 1161 SSL_CTX_clear_options(ctx, clr); 1162 /* DTLS: partial reads end up discarding unread UDP bytes :-( 1163 * Setting read ahead solves this problem. 1164 */ 1165 if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1); 1166 1167 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) 1168 if (next_proto.data) 1169 SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto); 1170 #endif 1171 1172 if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback); 1173 if (cipher != NULL) 1174 if(!SSL_CTX_set_cipher_list(ctx,cipher)) { 1175 BIO_printf(bio_err,"error setting cipher list\n"); 1176 ERR_print_errors(bio_err); 1177 goto end; 1178 } 1179 #if 0 1180 else 1181 SSL_CTX_set_cipher_list(ctx,getenv("SSL_CIPHER")); 1182 #endif 1183 1184 SSL_CTX_set_verify(ctx,verify,verify_callback); 1185 if (!set_cert_key_stuff(ctx,cert,key)) 1186 goto end; 1187 1188 if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) || 1189 (!SSL_CTX_set_default_verify_paths(ctx))) 1190 { 1191 /* BIO_printf(bio_err,"error setting default verify locations\n"); */ 1192 ERR_print_errors(bio_err); 1193 /* goto end; */ 1194 } 1195 1196 #ifndef OPENSSL_NO_TLSEXT 1197 if (servername != NULL) 1198 { 1199 tlsextcbp.biodebug = bio_err; 1200 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb); 1201 SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp); 1202 } 1203 #ifndef OPENSSL_NO_SRP 1204 if (srp_arg.srplogin) 1205 { 1206 if (!srp_lateuser && !SSL_CTX_set_srp_username(ctx, srp_arg.srplogin)) 1207 { 1208 BIO_printf(bio_err,"Unable to set SRP username\n"); 1209 goto end; 1210 } 1211 srp_arg.msg = c_msg; 1212 srp_arg.debug = c_debug ; 1213 SSL_CTX_set_srp_cb_arg(ctx,&srp_arg); 1214 SSL_CTX_set_srp_client_pwd_callback(ctx, ssl_give_srp_client_pwd_cb); 1215 SSL_CTX_set_srp_strength(ctx, srp_arg.strength); 1216 if (c_msg || c_debug || srp_arg.amp == 0) 1217 SSL_CTX_set_srp_verify_param_callback(ctx, ssl_srp_verify_param_cb); 1218 } 1219 1220 #endif 1221 #endif 1222 1223 con=SSL_new(ctx); 1224 if (sess_in) 1225 { 1226 SSL_SESSION *sess; 1227 BIO *stmp = BIO_new_file(sess_in, "r"); 1228 if (!stmp) 1229 { 1230 BIO_printf(bio_err, "Can't open session file %s\n", 1231 sess_in); 1232 ERR_print_errors(bio_err); 1233 goto end; 1234 } 1235 sess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL); 1236 BIO_free(stmp); 1237 if (!sess) 1238 { 1239 BIO_printf(bio_err, "Can't open session file %s\n", 1240 sess_in); 1241 ERR_print_errors(bio_err); 1242 goto end; 1243 } 1244 SSL_set_session(con, sess); 1245 SSL_SESSION_free(sess); 1246 } 1247 1248 if (fallback_scsv) 1249 SSL_set_mode(con, SSL_MODE_SEND_FALLBACK_SCSV); 1250 1251 #ifndef OPENSSL_NO_TLSEXT 1252 if (servername != NULL) 1253 { 1254 if (!SSL_set_tlsext_host_name(con,servername)) 1255 { 1256 BIO_printf(bio_err,"Unable to set TLS servername extension.\n"); 1257 ERR_print_errors(bio_err); 1258 goto end; 1259 } 1260 } 1261 #endif 1262 #ifndef OPENSSL_NO_KRB5 1263 if (con && (kctx = kssl_ctx_new()) != NULL) 1264 { 1265 SSL_set0_kssl_ctx(con, kctx); 1266 kssl_ctx_setstring(kctx, KSSL_SERVER, host); 1267 } 1268 #endif /* OPENSSL_NO_KRB5 */ 1269 /* SSL_set_cipher_list(con,"RC4-MD5"); */ 1270 #if 0 1271 #ifdef TLSEXT_TYPE_opaque_prf_input 1272 SSL_set_tlsext_opaque_prf_input(con, "Test client", 11); 1273 #endif 1274 #endif 1275 1276 re_start: 1277 1278 if (init_client(&s,host,port,socket_type) == 0) 1279 { 1280 BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error()); 1281 SHUTDOWN(s); 1282 goto end; 1283 } 1284 BIO_printf(bio_c_out,"CONNECTED(%08X)\n",s); 1285 1286 #ifdef FIONBIO 1287 if (c_nbio) 1288 { 1289 unsigned long l=1; 1290 BIO_printf(bio_c_out,"turning on non blocking io\n"); 1291 if (BIO_socket_ioctl(s,FIONBIO,&l) < 0) 1292 { 1293 ERR_print_errors(bio_err); 1294 goto end; 1295 } 1296 } 1297 #endif 1298 if (c_Pause & 0x01) SSL_set_debug(con, 1); 1299 1300 if ( SSL_version(con) == DTLS1_VERSION) 1301 { 1302 1303 sbio=BIO_new_dgram(s,BIO_NOCLOSE); 1304 if (getsockname(s, &peer, (void *)&peerlen) < 0) 1305 { 1306 BIO_printf(bio_err, "getsockname:errno=%d\n", 1307 get_last_socket_error()); 1308 SHUTDOWN(s); 1309 goto end; 1310 } 1311 1312 (void)BIO_ctrl_set_connected(sbio, 1, &peer); 1313 1314 if (enable_timeouts) 1315 { 1316 timeout.tv_sec = 0; 1317 timeout.tv_usec = DGRAM_RCV_TIMEOUT; 1318 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout); 1319 1320 timeout.tv_sec = 0; 1321 timeout.tv_usec = DGRAM_SND_TIMEOUT; 1322 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout); 1323 } 1324 1325 if (socket_mtu) 1326 { 1327 if(socket_mtu < DTLS_get_link_min_mtu(con)) 1328 { 1329 BIO_printf(bio_err,"MTU too small. Must be at least %ld\n", 1330 DTLS_get_link_min_mtu(con)); 1331 BIO_free(sbio); 1332 goto shut; 1333 } 1334 SSL_set_options(con, SSL_OP_NO_QUERY_MTU); 1335 if(!DTLS_set_link_mtu(con, socket_mtu)) 1336 { 1337 BIO_printf(bio_err, "Failed to set MTU\n"); 1338 BIO_free(sbio); 1339 goto shut; 1340 } 1341 } 1342 else 1343 /* want to do MTU discovery */ 1344 BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL); 1345 } 1346 else 1347 sbio=BIO_new_socket(s,BIO_NOCLOSE); 1348 1349 if (nbio_test) 1350 { 1351 BIO *test; 1352 1353 test=BIO_new(BIO_f_nbio_test()); 1354 sbio=BIO_push(test,sbio); 1355 } 1356 1357 if (c_debug) 1358 { 1359 SSL_set_debug(con, 1); 1360 BIO_set_callback(sbio,bio_dump_callback); 1361 BIO_set_callback_arg(sbio,(char *)bio_c_out); 1362 } 1363 if (c_msg) 1364 { 1365 SSL_set_msg_callback(con, msg_cb); 1366 SSL_set_msg_callback_arg(con, bio_c_out); 1367 } 1368 #ifndef OPENSSL_NO_TLSEXT 1369 if (c_tlsextdebug) 1370 { 1371 SSL_set_tlsext_debug_callback(con, tlsext_cb); 1372 SSL_set_tlsext_debug_arg(con, bio_c_out); 1373 } 1374 if (c_status_req) 1375 { 1376 SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp); 1377 SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb); 1378 SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out); 1379 #if 0 1380 { 1381 STACK_OF(OCSP_RESPID) *ids = sk_OCSP_RESPID_new_null(); 1382 OCSP_RESPID *id = OCSP_RESPID_new(); 1383 id->value.byKey = ASN1_OCTET_STRING_new(); 1384 id->type = V_OCSP_RESPID_KEY; 1385 ASN1_STRING_set(id->value.byKey, "Hello World", -1); 1386 sk_OCSP_RESPID_push(ids, id); 1387 SSL_set_tlsext_status_ids(con, ids); 1388 } 1389 #endif 1390 } 1391 #endif 1392 #ifndef OPENSSL_NO_JPAKE 1393 if (jpake_secret) 1394 jpake_client_auth(bio_c_out, sbio, jpake_secret); 1395 #endif 1396 1397 SSL_set_bio(con,sbio,sbio); 1398 SSL_set_connect_state(con); 1399 1400 /* ok, lets connect */ 1401 width=SSL_get_fd(con)+1; 1402 1403 read_tty=1; 1404 write_tty=0; 1405 tty_on=0; 1406 read_ssl=1; 1407 write_ssl=1; 1408 1409 cbuf_len=0; 1410 cbuf_off=0; 1411 sbuf_len=0; 1412 sbuf_off=0; 1413 1414 /* This is an ugly hack that does a lot of assumptions */ 1415 /* We do have to handle multi-line responses which may come 1416 in a single packet or not. We therefore have to use 1417 BIO_gets() which does need a buffering BIO. So during 1418 the initial chitchat we do push a buffering BIO into the 1419 chain that is removed again later on to not disturb the 1420 rest of the s_client operation. */ 1421 if (starttls_proto == PROTO_SMTP) 1422 { 1423 int foundit=0; 1424 BIO *fbio = BIO_new(BIO_f_buffer()); 1425 BIO_push(fbio, sbio); 1426 /* wait for multi-line response to end from SMTP */ 1427 do 1428 { 1429 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ); 1430 } 1431 while (mbuf_len>3 && mbuf[3]=='-'); 1432 /* STARTTLS command requires EHLO... */ 1433 BIO_printf(fbio,"EHLO openssl.client.net\r\n"); 1434 (void)BIO_flush(fbio); 1435 /* wait for multi-line response to end EHLO SMTP response */ 1436 do 1437 { 1438 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ); 1439 if (strstr(mbuf,"STARTTLS")) 1440 foundit=1; 1441 } 1442 while (mbuf_len>3 && mbuf[3]=='-'); 1443 (void)BIO_flush(fbio); 1444 BIO_pop(fbio); 1445 BIO_free(fbio); 1446 if (!foundit) 1447 BIO_printf(bio_err, 1448 "didn't found starttls in server response," 1449 " try anyway...\n"); 1450 BIO_printf(sbio,"STARTTLS\r\n"); 1451 BIO_read(sbio,sbuf,BUFSIZZ); 1452 } 1453 else if (starttls_proto == PROTO_POP3) 1454 { 1455 BIO_read(sbio,mbuf,BUFSIZZ); 1456 BIO_printf(sbio,"STLS\r\n"); 1457 BIO_read(sbio,sbuf,BUFSIZZ); 1458 } 1459 else if (starttls_proto == PROTO_IMAP) 1460 { 1461 int foundit=0; 1462 BIO *fbio = BIO_new(BIO_f_buffer()); 1463 BIO_push(fbio, sbio); 1464 BIO_gets(fbio,mbuf,BUFSIZZ); 1465 /* STARTTLS command requires CAPABILITY... */ 1466 BIO_printf(fbio,". CAPABILITY\r\n"); 1467 (void)BIO_flush(fbio); 1468 /* wait for multi-line CAPABILITY response */ 1469 do 1470 { 1471 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ); 1472 if (strstr(mbuf,"STARTTLS")) 1473 foundit=1; 1474 } 1475 while (mbuf_len>3 && mbuf[0]!='.'); 1476 (void)BIO_flush(fbio); 1477 BIO_pop(fbio); 1478 BIO_free(fbio); 1479 if (!foundit) 1480 BIO_printf(bio_err, 1481 "didn't found STARTTLS in server response," 1482 " try anyway...\n"); 1483 BIO_printf(sbio,". STARTTLS\r\n"); 1484 BIO_read(sbio,sbuf,BUFSIZZ); 1485 } 1486 else if (starttls_proto == PROTO_FTP) 1487 { 1488 BIO *fbio = BIO_new(BIO_f_buffer()); 1489 BIO_push(fbio, sbio); 1490 /* wait for multi-line response to end from FTP */ 1491 do 1492 { 1493 mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ); 1494 } 1495 while (mbuf_len>3 && mbuf[3]=='-'); 1496 (void)BIO_flush(fbio); 1497 BIO_pop(fbio); 1498 BIO_free(fbio); 1499 BIO_printf(sbio,"AUTH TLS\r\n"); 1500 BIO_read(sbio,sbuf,BUFSIZZ); 1501 } 1502 if (starttls_proto == PROTO_XMPP) 1503 { 1504 int seen = 0; 1505 BIO_printf(sbio,"<stream:stream " 1506 "xmlns:stream='http://etherx.jabber.org/streams' " 1507 "xmlns='jabber:client' to='%s' version='1.0'>", host); 1508 seen = BIO_read(sbio,mbuf,BUFSIZZ); 1509 mbuf[seen] = 0; 1510 while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'")) 1511 { 1512 if (strstr(mbuf, "/stream:features>")) 1513 goto shut; 1514 seen = BIO_read(sbio,mbuf,BUFSIZZ); 1515 mbuf[seen] = 0; 1516 } 1517 BIO_printf(sbio, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"); 1518 seen = BIO_read(sbio,sbuf,BUFSIZZ); 1519 sbuf[seen] = 0; 1520 if (!strstr(sbuf, "<proceed")) 1521 goto shut; 1522 mbuf[0] = 0; 1523 } 1524 1525 for (;;) 1526 { 1527 FD_ZERO(&readfds); 1528 FD_ZERO(&writefds); 1529 fdin = fileno(stdin); 1530 if (fdin < 0) 1531 { 1532 BIO_printf(bio_err,"bad fileno for stdin\n"); 1533 goto shut; 1534 } 1535 fdout = fileno(stdout); 1536 if (fdout < 0) 1537 { 1538 BIO_printf(bio_err,"bad fileno for stdout\n"); 1539 goto shut; 1540 } 1541 1542 if ((SSL_version(con) == DTLS1_VERSION) && 1543 DTLSv1_get_timeout(con, &timeout)) 1544 timeoutp = &timeout; 1545 else 1546 timeoutp = NULL; 1547 1548 if (SSL_in_init(con) && !SSL_total_renegotiations(con)) 1549 { 1550 in_init=1; 1551 tty_on=0; 1552 } 1553 else 1554 { 1555 tty_on=1; 1556 if (in_init) 1557 { 1558 in_init=0; 1559 #if 0 /* This test doesn't really work as intended (needs to be fixed) */ 1560 #ifndef OPENSSL_NO_TLSEXT 1561 if (servername != NULL && !SSL_session_reused(con)) 1562 { 1563 BIO_printf(bio_c_out,"Server did %sacknowledge servername extension.\n",tlsextcbp.ack?"":"not "); 1564 } 1565 #endif 1566 #endif 1567 if (sess_out) 1568 { 1569 BIO *stmp = BIO_new_file(sess_out, "w"); 1570 if (stmp) 1571 { 1572 PEM_write_bio_SSL_SESSION(stmp, SSL_get_session(con)); 1573 BIO_free(stmp); 1574 } 1575 else 1576 BIO_printf(bio_err, "Error writing session file %s\n", sess_out); 1577 } 1578 print_stuff(bio_c_out,con,full_log); 1579 if (full_log > 0) full_log--; 1580 1581 if (starttls_proto) 1582 { 1583 BIO_printf(bio_err,"%s",mbuf); 1584 /* We don't need to know any more */ 1585 starttls_proto = PROTO_OFF; 1586 } 1587 1588 if (reconnect) 1589 { 1590 reconnect--; 1591 BIO_printf(bio_c_out,"drop connection and then reconnect\n"); 1592 SSL_shutdown(con); 1593 SSL_set_connect_state(con); 1594 SHUTDOWN(SSL_get_fd(con)); 1595 goto re_start; 1596 } 1597 } 1598 } 1599 1600 ssl_pending = read_ssl && SSL_pending(con); 1601 1602 if (!ssl_pending) 1603 { 1604 #if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) && !defined (OPENSSL_SYS_BEOS_R5) 1605 if (tty_on) 1606 { 1607 if (read_tty) openssl_fdset(fdin,&readfds); 1608 if (write_tty) openssl_fdset(fdout,&writefds); 1609 } 1610 if (read_ssl) 1611 openssl_fdset(SSL_get_fd(con),&readfds); 1612 if (write_ssl) 1613 openssl_fdset(SSL_get_fd(con),&writefds); 1614 #else 1615 if(!tty_on || !write_tty) { 1616 if (read_ssl) 1617 openssl_fdset(SSL_get_fd(con),&readfds); 1618 if (write_ssl) 1619 openssl_fdset(SSL_get_fd(con),&writefds); 1620 } 1621 #endif 1622 /* printf("mode tty(%d %d%d) ssl(%d%d)\n", 1623 tty_on,read_tty,write_tty,read_ssl,write_ssl);*/ 1624 1625 /* Note: under VMS with SOCKETSHR the second parameter 1626 * is currently of type (int *) whereas under other 1627 * systems it is (void *) if you don't have a cast it 1628 * will choke the compiler: if you do have a cast then 1629 * you can either go for (int *) or (void *). 1630 */ 1631 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) 1632 /* Under Windows/DOS we make the assumption that we can 1633 * always write to the tty: therefore if we need to 1634 * write to the tty we just fall through. Otherwise 1635 * we timeout the select every second and see if there 1636 * are any keypresses. Note: this is a hack, in a proper 1637 * Windows application we wouldn't do this. 1638 */ 1639 i=0; 1640 if(!write_tty) { 1641 if(read_tty) { 1642 tv.tv_sec = 1; 1643 tv.tv_usec = 0; 1644 i=select(width,(void *)&readfds,(void *)&writefds, 1645 NULL,&tv); 1646 #if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS) 1647 if(!i && (!_kbhit() || !read_tty) ) continue; 1648 #else 1649 if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue; 1650 #endif 1651 } else i=select(width,(void *)&readfds,(void *)&writefds, 1652 NULL,timeoutp); 1653 } 1654 #elif defined(OPENSSL_SYS_NETWARE) 1655 if(!write_tty) { 1656 if(read_tty) { 1657 tv.tv_sec = 1; 1658 tv.tv_usec = 0; 1659 i=select(width,(void *)&readfds,(void *)&writefds, 1660 NULL,&tv); 1661 } else i=select(width,(void *)&readfds,(void *)&writefds, 1662 NULL,timeoutp); 1663 } 1664 #elif defined(OPENSSL_SYS_BEOS_R5) 1665 /* Under BeOS-R5 the situation is similar to DOS */ 1666 i=0; 1667 stdin_set = 0; 1668 (void)fcntl(fdin, F_SETFL, O_NONBLOCK); 1669 if(!write_tty) { 1670 if(read_tty) { 1671 tv.tv_sec = 1; 1672 tv.tv_usec = 0; 1673 i=select(width,(void *)&readfds,(void *)&writefds, 1674 NULL,&tv); 1675 if (read(fdin, sbuf, 0) >= 0) 1676 stdin_set = 1; 1677 if (!i && (stdin_set != 1 || !read_tty)) 1678 continue; 1679 } else i=select(width,(void *)&readfds,(void *)&writefds, 1680 NULL,timeoutp); 1681 } 1682 (void)fcntl(fdin, F_SETFL, 0); 1683 #else 1684 i=select(width,(void *)&readfds,(void *)&writefds, 1685 NULL,timeoutp); 1686 #endif 1687 if ( i < 0) 1688 { 1689 BIO_printf(bio_err,"bad select %d\n", 1690 get_last_socket_error()); 1691 goto shut; 1692 /* goto end; */ 1693 } 1694 } 1695 1696 if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0) 1697 { 1698 BIO_printf(bio_err,"TIMEOUT occured\n"); 1699 } 1700 1701 if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds)) 1702 { 1703 k=SSL_write(con,&(cbuf[cbuf_off]), 1704 (unsigned int)cbuf_len); 1705 switch (SSL_get_error(con,k)) 1706 { 1707 case SSL_ERROR_NONE: 1708 cbuf_off+=k; 1709 cbuf_len-=k; 1710 if (k <= 0) goto end; 1711 /* we have done a write(con,NULL,0); */ 1712 if (cbuf_len <= 0) 1713 { 1714 read_tty=1; 1715 write_ssl=0; 1716 } 1717 else /* if (cbuf_len > 0) */ 1718 { 1719 read_tty=0; 1720 write_ssl=1; 1721 } 1722 break; 1723 case SSL_ERROR_WANT_WRITE: 1724 BIO_printf(bio_c_out,"write W BLOCK\n"); 1725 write_ssl=1; 1726 read_tty=0; 1727 break; 1728 case SSL_ERROR_WANT_READ: 1729 BIO_printf(bio_c_out,"write R BLOCK\n"); 1730 write_tty=0; 1731 read_ssl=1; 1732 write_ssl=0; 1733 break; 1734 case SSL_ERROR_WANT_X509_LOOKUP: 1735 BIO_printf(bio_c_out,"write X BLOCK\n"); 1736 break; 1737 case SSL_ERROR_ZERO_RETURN: 1738 if (cbuf_len != 0) 1739 { 1740 BIO_printf(bio_c_out,"shutdown\n"); 1741 ret = 0; 1742 goto shut; 1743 } 1744 else 1745 { 1746 read_tty=1; 1747 write_ssl=0; 1748 break; 1749 } 1750 1751 case SSL_ERROR_SYSCALL: 1752 if ((k != 0) || (cbuf_len != 0)) 1753 { 1754 BIO_printf(bio_err,"write:errno=%d\n", 1755 get_last_socket_error()); 1756 goto shut; 1757 } 1758 else 1759 { 1760 read_tty=1; 1761 write_ssl=0; 1762 } 1763 break; 1764 case SSL_ERROR_SSL: 1765 ERR_print_errors(bio_err); 1766 goto shut; 1767 } 1768 } 1769 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5) 1770 /* Assume Windows/DOS/BeOS can always write */ 1771 else if (!ssl_pending && write_tty) 1772 #else 1773 else if (!ssl_pending && FD_ISSET(fdout,&writefds)) 1774 #endif 1775 { 1776 #ifdef CHARSET_EBCDIC 1777 ascii2ebcdic(&(sbuf[sbuf_off]),&(sbuf[sbuf_off]),sbuf_len); 1778 #endif 1779 i=raw_write_stdout(&(sbuf[sbuf_off]),sbuf_len); 1780 1781 if (i <= 0) 1782 { 1783 BIO_printf(bio_c_out,"DONE\n"); 1784 ret = 0; 1785 goto shut; 1786 /* goto end; */ 1787 } 1788 1789 sbuf_len-=i;; 1790 sbuf_off+=i; 1791 if (sbuf_len <= 0) 1792 { 1793 read_ssl=1; 1794 write_tty=0; 1795 } 1796 } 1797 else if (ssl_pending || FD_ISSET(SSL_get_fd(con),&readfds)) 1798 { 1799 #ifdef RENEG 1800 { static int iiii; if (++iiii == 52) { SSL_renegotiate(con); iiii=0; } } 1801 #endif 1802 #if 1 1803 k=SSL_read(con,sbuf,1024 /* BUFSIZZ */ ); 1804 #else 1805 /* Demo for pending and peek :-) */ 1806 k=SSL_read(con,sbuf,16); 1807 { char zbuf[10240]; 1808 printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240)); 1809 } 1810 #endif 1811 1812 switch (SSL_get_error(con,k)) 1813 { 1814 case SSL_ERROR_NONE: 1815 if (k <= 0) 1816 goto end; 1817 sbuf_off=0; 1818 sbuf_len=k; 1819 1820 read_ssl=0; 1821 write_tty=1; 1822 break; 1823 case SSL_ERROR_WANT_WRITE: 1824 BIO_printf(bio_c_out,"read W BLOCK\n"); 1825 write_ssl=1; 1826 read_tty=0; 1827 break; 1828 case SSL_ERROR_WANT_READ: 1829 BIO_printf(bio_c_out,"read R BLOCK\n"); 1830 write_tty=0; 1831 read_ssl=1; 1832 if ((read_tty == 0) && (write_ssl == 0)) 1833 write_ssl=1; 1834 break; 1835 case SSL_ERROR_WANT_X509_LOOKUP: 1836 BIO_printf(bio_c_out,"read X BLOCK\n"); 1837 break; 1838 case SSL_ERROR_SYSCALL: 1839 ret=get_last_socket_error(); 1840 BIO_printf(bio_err,"read:errno=%d\n",ret); 1841 goto shut; 1842 case SSL_ERROR_ZERO_RETURN: 1843 BIO_printf(bio_c_out,"closed\n"); 1844 ret=0; 1845 goto shut; 1846 case SSL_ERROR_SSL: 1847 ERR_print_errors(bio_err); 1848 goto shut; 1849 /* break; */ 1850 } 1851 } 1852 1853 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) 1854 #if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS) 1855 else if (_kbhit()) 1856 #else 1857 else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) 1858 #endif 1859 #elif defined (OPENSSL_SYS_NETWARE) 1860 else if (_kbhit()) 1861 #elif defined(OPENSSL_SYS_BEOS_R5) 1862 else if (stdin_set) 1863 #else 1864 else if (FD_ISSET(fdin,&readfds)) 1865 #endif 1866 { 1867 if (crlf) 1868 { 1869 int j, lf_num; 1870 1871 i=raw_read_stdin(cbuf,BUFSIZZ/2); 1872 lf_num = 0; 1873 /* both loops are skipped when i <= 0 */ 1874 for (j = 0; j < i; j++) 1875 if (cbuf[j] == '\n') 1876 lf_num++; 1877 for (j = i-1; j >= 0; j--) 1878 { 1879 cbuf[j+lf_num] = cbuf[j]; 1880 if (cbuf[j] == '\n') 1881 { 1882 lf_num--; 1883 i++; 1884 cbuf[j+lf_num] = '\r'; 1885 } 1886 } 1887 assert(lf_num == 0); 1888 } 1889 else 1890 i=raw_read_stdin(cbuf,BUFSIZZ); 1891 1892 if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q'))) 1893 { 1894 BIO_printf(bio_err,"DONE\n"); 1895 ret=0; 1896 goto shut; 1897 } 1898 1899 if ((!c_ign_eof) && (cbuf[0] == 'R')) 1900 { 1901 BIO_printf(bio_err,"RENEGOTIATING\n"); 1902 SSL_renegotiate(con); 1903 cbuf_len=0; 1904 } 1905 #ifndef OPENSSL_NO_HEARTBEATS 1906 else if ((!c_ign_eof) && (cbuf[0] == 'B')) 1907 { 1908 BIO_printf(bio_err,"HEARTBEATING\n"); 1909 SSL_heartbeat(con); 1910 cbuf_len=0; 1911 } 1912 #endif 1913 else 1914 { 1915 cbuf_len=i; 1916 cbuf_off=0; 1917 #ifdef CHARSET_EBCDIC 1918 ebcdic2ascii(cbuf, cbuf, i); 1919 #endif 1920 } 1921 1922 write_ssl=1; 1923 read_tty=0; 1924 } 1925 } 1926 1927 ret=0; 1928 shut: 1929 if (in_init) 1930 print_stuff(bio_c_out,con,full_log); 1931 SSL_shutdown(con); 1932 SHUTDOWN(SSL_get_fd(con)); 1933 end: 1934 if (con != NULL) 1935 { 1936 if (prexit != 0) 1937 print_stuff(bio_c_out,con,1); 1938 SSL_free(con); 1939 } 1940 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) 1941 if (next_proto.data) 1942 OPENSSL_free(next_proto.data); 1943 #endif 1944 if (ctx != NULL) SSL_CTX_free(ctx); 1945 if (cert) 1946 X509_free(cert); 1947 if (key) 1948 EVP_PKEY_free(key); 1949 if (pass) 1950 OPENSSL_free(pass); 1951 if (vpm) 1952 X509_VERIFY_PARAM_free(vpm); 1953 if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); } 1954 if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); } 1955 if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); } 1956 if (bio_c_out != NULL) 1957 { 1958 BIO_free(bio_c_out); 1959 bio_c_out=NULL; 1960 } 1961 apps_shutdown(); 1962 OPENSSL_EXIT(ret); 1963 } 1964 1965 1966 static void print_stuff(BIO *bio, SSL *s, int full) 1967 { 1968 X509 *peer=NULL; 1969 char *p; 1970 static const char *space=" "; 1971 char buf[BUFSIZ]; 1972 STACK_OF(X509) *sk; 1973 STACK_OF(X509_NAME) *sk2; 1974 const SSL_CIPHER *c; 1975 X509_NAME *xn; 1976 int j,i; 1977 #ifndef OPENSSL_NO_COMP 1978 const COMP_METHOD *comp, *expansion; 1979 #endif 1980 unsigned char *exportedkeymat; 1981 1982 if (full) 1983 { 1984 int got_a_chain = 0; 1985 1986 sk=SSL_get_peer_cert_chain(s); 1987 if (sk != NULL) 1988 { 1989 got_a_chain = 1; /* we don't have it for SSL2 (yet) */ 1990 1991 BIO_printf(bio,"---\nCertificate chain\n"); 1992 for (i=0; i<sk_X509_num(sk); i++) 1993 { 1994 X509_NAME_oneline(X509_get_subject_name( 1995 sk_X509_value(sk,i)),buf,sizeof buf); 1996 BIO_printf(bio,"%2d s:%s\n",i,buf); 1997 X509_NAME_oneline(X509_get_issuer_name( 1998 sk_X509_value(sk,i)),buf,sizeof buf); 1999 BIO_printf(bio," i:%s\n",buf); 2000 if (c_showcerts) 2001 PEM_write_bio_X509(bio,sk_X509_value(sk,i)); 2002 } 2003 } 2004 2005 BIO_printf(bio,"---\n"); 2006 peer=SSL_get_peer_certificate(s); 2007 if (peer != NULL) 2008 { 2009 BIO_printf(bio,"Server certificate\n"); 2010 if (!(c_showcerts && got_a_chain)) /* Redundant if we showed the whole chain */ 2011 PEM_write_bio_X509(bio,peer); 2012 X509_NAME_oneline(X509_get_subject_name(peer), 2013 buf,sizeof buf); 2014 BIO_printf(bio,"subject=%s\n",buf); 2015 X509_NAME_oneline(X509_get_issuer_name(peer), 2016 buf,sizeof buf); 2017 BIO_printf(bio,"issuer=%s\n",buf); 2018 } 2019 else 2020 BIO_printf(bio,"no peer certificate available\n"); 2021 2022 sk2=SSL_get_client_CA_list(s); 2023 if ((sk2 != NULL) && (sk_X509_NAME_num(sk2) > 0)) 2024 { 2025 BIO_printf(bio,"---\nAcceptable client certificate CA names\n"); 2026 for (i=0; i<sk_X509_NAME_num(sk2); i++) 2027 { 2028 xn=sk_X509_NAME_value(sk2,i); 2029 X509_NAME_oneline(xn,buf,sizeof(buf)); 2030 BIO_write(bio,buf,strlen(buf)); 2031 BIO_write(bio,"\n",1); 2032 } 2033 } 2034 else 2035 { 2036 BIO_printf(bio,"---\nNo client certificate CA names sent\n"); 2037 } 2038 p=SSL_get_shared_ciphers(s,buf,sizeof buf); 2039 if (p != NULL) 2040 { 2041 /* This works only for SSL 2. In later protocol 2042 * versions, the client does not know what other 2043 * ciphers (in addition to the one to be used 2044 * in the current connection) the server supports. */ 2045 2046 BIO_printf(bio,"---\nCiphers common between both SSL endpoints:\n"); 2047 j=i=0; 2048 while (*p) 2049 { 2050 if (*p == ':') 2051 { 2052 BIO_write(bio,space,15-j%25); 2053 i++; 2054 j=0; 2055 BIO_write(bio,((i%3)?" ":"\n"),1); 2056 } 2057 else 2058 { 2059 BIO_write(bio,p,1); 2060 j++; 2061 } 2062 p++; 2063 } 2064 BIO_write(bio,"\n",1); 2065 } 2066 2067 BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n", 2068 BIO_number_read(SSL_get_rbio(s)), 2069 BIO_number_written(SSL_get_wbio(s))); 2070 } 2071 BIO_printf(bio,(SSL_cache_hit(s)?"---\nReused, ":"---\nNew, ")); 2072 c=SSL_get_current_cipher(s); 2073 BIO_printf(bio,"%s, Cipher is %s\n", 2074 SSL_CIPHER_get_version(c), 2075 SSL_CIPHER_get_name(c)); 2076 if (peer != NULL) { 2077 EVP_PKEY *pktmp; 2078 pktmp = X509_get_pubkey(peer); 2079 BIO_printf(bio,"Server public key is %d bit\n", 2080 EVP_PKEY_bits(pktmp)); 2081 EVP_PKEY_free(pktmp); 2082 } 2083 BIO_printf(bio, "Secure Renegotiation IS%s supported\n", 2084 SSL_get_secure_renegotiation_support(s) ? "" : " NOT"); 2085 #ifndef OPENSSL_NO_COMP 2086 comp=SSL_get_current_compression(s); 2087 expansion=SSL_get_current_expansion(s); 2088 BIO_printf(bio,"Compression: %s\n", 2089 comp ? SSL_COMP_get_name(comp) : "NONE"); 2090 BIO_printf(bio,"Expansion: %s\n", 2091 expansion ? SSL_COMP_get_name(expansion) : "NONE"); 2092 #endif 2093 2094 #ifdef SSL_DEBUG 2095 { 2096 /* Print out local port of connection: useful for debugging */ 2097 int sock; 2098 struct sockaddr_in ladd; 2099 socklen_t ladd_size = sizeof(ladd); 2100 sock = SSL_get_fd(s); 2101 getsockname(sock, (struct sockaddr *)&ladd, &ladd_size); 2102 BIO_printf(bio_c_out, "LOCAL PORT is %u\n", ntohs(ladd.sin_port)); 2103 } 2104 #endif 2105 2106 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) 2107 if (next_proto.status != -1) { 2108 const unsigned char *proto; 2109 unsigned int proto_len; 2110 SSL_get0_next_proto_negotiated(s, &proto, &proto_len); 2111 BIO_printf(bio, "Next protocol: (%d) ", next_proto.status); 2112 BIO_write(bio, proto, proto_len); 2113 BIO_write(bio, "\n", 1); 2114 } 2115 #endif 2116 2117 #ifndef OPENSSL_NO_SRTP 2118 { 2119 SRTP_PROTECTION_PROFILE *srtp_profile=SSL_get_selected_srtp_profile(s); 2120 2121 if(srtp_profile) 2122 BIO_printf(bio,"SRTP Extension negotiated, profile=%s\n", 2123 srtp_profile->name); 2124 } 2125 #endif 2126 2127 SSL_SESSION_print(bio,SSL_get_session(s)); 2128 if (keymatexportlabel != NULL) 2129 { 2130 BIO_printf(bio, "Keying material exporter:\n"); 2131 BIO_printf(bio, " Label: '%s'\n", keymatexportlabel); 2132 BIO_printf(bio, " Length: %i bytes\n", keymatexportlen); 2133 exportedkeymat = OPENSSL_malloc(keymatexportlen); 2134 if (exportedkeymat != NULL) 2135 { 2136 if (!SSL_export_keying_material(s, exportedkeymat, 2137 keymatexportlen, 2138 keymatexportlabel, 2139 strlen(keymatexportlabel), 2140 NULL, 0, 0)) 2141 { 2142 BIO_printf(bio, " Error\n"); 2143 } 2144 else 2145 { 2146 BIO_printf(bio, " Keying material: "); 2147 for (i=0; i<keymatexportlen; i++) 2148 BIO_printf(bio, "%02X", 2149 exportedkeymat[i]); 2150 BIO_printf(bio, "\n"); 2151 } 2152 OPENSSL_free(exportedkeymat); 2153 } 2154 } 2155 BIO_printf(bio,"---\n"); 2156 if (peer != NULL) 2157 X509_free(peer); 2158 /* flush, or debugging output gets mixed with http response */ 2159 (void)BIO_flush(bio); 2160 } 2161 2162 #ifndef OPENSSL_NO_TLSEXT 2163 2164 static int ocsp_resp_cb(SSL *s, void *arg) 2165 { 2166 const unsigned char *p; 2167 int len; 2168 OCSP_RESPONSE *rsp; 2169 len = SSL_get_tlsext_status_ocsp_resp(s, &p); 2170 BIO_puts(arg, "OCSP response: "); 2171 if (!p) 2172 { 2173 BIO_puts(arg, "no response sent\n"); 2174 return 1; 2175 } 2176 rsp = d2i_OCSP_RESPONSE(NULL, &p, len); 2177 if (!rsp) 2178 { 2179 BIO_puts(arg, "response parse error\n"); 2180 BIO_dump_indent(arg, (char *)p, len, 4); 2181 return 0; 2182 } 2183 BIO_puts(arg, "\n======================================\n"); 2184 OCSP_RESPONSE_print(arg, rsp, 0); 2185 BIO_puts(arg, "======================================\n"); 2186 OCSP_RESPONSE_free(rsp); 2187 return 1; 2188 } 2189 2190 #endif 2191
Indexes created Sat Feb 28 05:31:39 UTC 2026