Bug Summary

File:src/usr.bin/openssl/s_client.c
Warning:line 955, column 3
Value stored to 'badop' is never read

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple amd64-unknown-openbsd7.0 -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name s_client.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -pic-is-pie -mframe-pointer=all -relaxed-aliasing -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/usr.bin/openssl/obj -resource-dir /usr/local/lib/clang/13.0.0 -D LIBRESSL_INTERNAL -internal-isystem /usr/local/lib/clang/13.0.0/include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/usr/src/usr.bin/openssl/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/vmm/scan-build/2022-01-12-194120-40624-1 -x c /usr/src/usr.bin/openssl/s_client.c
1/* $OpenBSD: s_client.c,v 1.57 2021/12/26 14:46:06 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2005 Nokia. All rights reserved.
113 *
114 * The portions of the attached software ("Contribution") is developed by
115 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
116 * license.
117 *
118 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120 * support (see RFC 4279) to OpenSSL.
121 *
122 * No patent licenses or other rights except those expressly stated in
123 * the OpenSSL open source license shall be deemed granted or received
124 * expressly, by implication, estoppel, or otherwise.
125 *
126 * No assurances are provided by Nokia that the Contribution does not
127 * infringe the patent or other intellectual property rights of any third
128 * party or that the license provides you with all the necessary rights
129 * to make use of the Contribution.
130 *
131 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
135 * OTHERWISE.
136 */
137
138#include <sys/types.h>
139#include <sys/socket.h>
140
141#include <netinet/in.h>
142
143#include <assert.h>
144#include <ctype.h>
145#include <limits.h>
146#include <netdb.h>
147#include <stdio.h>
148#include <stdlib.h>
149#include <string.h>
150#include <unistd.h>
151#include <poll.h>
152
153#include "apps.h"
154
155#include <openssl/bn.h>
156#include <openssl/err.h>
157#include <openssl/ocsp.h>
158#include <openssl/pem.h>
159#include <openssl/ssl.h>
160#include <openssl/x509.h>
161
162#include "s_apps.h"
163#include "timeouts.h"
164
165/*#define SSL_HOST_NAME "www.netscape.com" */
166/*#define SSL_HOST_NAME "193.118.187.102" */
167#define SSL_HOST_NAME"localhost" "localhost"
168
169 /*#define TEST_CERT "client.pem" *//* no default cert. */
170
171#define BUFSIZZ1024*8 1024*8
172
173static void sc_usage(void);
174static void print_stuff(BIO *berr, SSL *con, int full);
175static int ocsp_resp_cb(SSL *s, void *arg);
176static int ssl_servername_cb(SSL *s, int *ad, void *arg);
177
178enum {
179 PROTO_OFF = 0,
180 PROTO_SMTP,
181 PROTO_LMTP,
182 PROTO_POP3,
183 PROTO_IMAP,
184 PROTO_FTP,
185 PROTO_XMPP,
186};
187
188/* This is a context that we pass to callbacks */
189typedef struct tlsextctx_st {
190 BIO *biodebug;
191 int ack;
192} tlsextctx;
193
194static struct {
195 int af;
196 char *alpn_in;
197 int bugs;
198 char *CAfile;
199 char *CApath;
200 char *cert_file;
201 int cert_format;
202 char *cipher;
203 unsigned int clr;
204 char *connect;
205 int crlf;
206 int debug;
207 int enable_timeouts;
208 const char *errstr;
209 char *groups_in;
210 char *host;
211 int ign_eof;
212 char *key_file;
213 int key_format;
214 char *keymatexportlabel;
215 int keymatexportlen;
216 uint16_t max_version;
217 uint16_t min_version;
218 const SSL_METHOD *meth;
219 int msg;
220 int nbio;
221 int nbio_test;
222 int no_servername;
223 char *npn_in;
224 unsigned int off;
225 char *passarg;
226 int pause;
227 int peekaboo;
228 char *port;
229 int prexit;
230 char *proxy;
231 int quiet;
232 int reconnect;
233 char *servername;
234 char *sess_in;
235 char *sess_out;
236 int showcerts;
237 int socket_type;
238 long socket_mtu;
239#ifndef OPENSSL_NO_SRTP
240 char *srtp_profiles;
241#endif
242 int starttls_proto;
243 int state;
244 int status_req;
245 int tlsextdebug;
246 int verify;
247 X509_VERIFY_PARAM *vpm;
248 char *xmpphost;
249} s_client_config;
250
251static int
252s_client_opt_keymatexportlen(char *arg)
253{
254 s_client_config.keymatexportlen = strtonum(arg, 1, INT_MAX2147483647,
255 &s_client_config.errstr);
256 if (s_client_config.errstr != NULL((void*)0)) {
257 BIO_printf(bio_err, "invalid argument %s: %s\n",
258 arg, s_client_config.errstr);
259 return (1);
260 }
261 return (0);
262}
263
264#ifndef OPENSSL_NO_DTLS
265static int
266s_client_opt_mtu(char *arg)
267{
268 s_client_config.socket_mtu = strtonum(arg, 0, LONG_MAX9223372036854775807L,
269 &s_client_config.errstr);
270 if (s_client_config.errstr != NULL((void*)0)) {
271 BIO_printf(bio_err, "invalid argument %s: %s\n",
272 arg, s_client_config.errstr);
273 return (1);
274 }
275 return (0);
276}
277#endif
278
279static int
280s_client_opt_port(char *arg)
281{
282 if (*arg == '\0')
283 return (1);
284
285 s_client_config.port = arg;
286 return (0);
287}
288
289#ifndef OPENSSL_NO_DTLS
290static int
291s_client_opt_protocol_version_dtls(void)
292{
293 s_client_config.meth = DTLS_client_method();
294 s_client_config.socket_type = SOCK_DGRAM2;
295 return (0);
296}
297#endif
298
299#ifndef OPENSSL_NO_DTLS1
300static int
301s_client_opt_protocol_version_dtls1(void)
302{
303 s_client_config.meth = DTLS_client_method();
304 s_client_config.min_version = DTLS1_VERSION0xFEFF;
305 s_client_config.max_version = DTLS1_VERSION0xFEFF;
306 s_client_config.socket_type = SOCK_DGRAM2;
307 return (0);
308}
309#endif
310
311#ifndef OPENSSL_NO_DTLS1_2
312static int
313s_client_opt_protocol_version_dtls1_2(void)
314{
315 s_client_config.meth = DTLS_client_method();
316 s_client_config.min_version = DTLS1_2_VERSION0xFEFD;
317 s_client_config.max_version = DTLS1_2_VERSION0xFEFD;
318 s_client_config.socket_type = SOCK_DGRAM2;
319 return (0);
320}
321#endif
322
323static int
324s_client_opt_protocol_version_tls1(void)
325{
326 s_client_config.min_version = TLS1_VERSION0x0301;
327 s_client_config.max_version = TLS1_VERSION0x0301;
328 return (0);
329}
330
331static int
332s_client_opt_protocol_version_tls1_1(void)
333{
334 s_client_config.min_version = TLS1_1_VERSION0x0302;
335 s_client_config.max_version = TLS1_1_VERSION0x0302;
336 return (0);
337}
338
339static int
340s_client_opt_protocol_version_tls1_2(void)
341{
342 s_client_config.min_version = TLS1_2_VERSION0x0303;
343 s_client_config.max_version = TLS1_2_VERSION0x0303;
344 return (0);
345}
346
347static int
348s_client_opt_protocol_version_tls1_3(void)
349{
350 s_client_config.min_version = TLS1_3_VERSION0x0304;
351 s_client_config.max_version = TLS1_3_VERSION0x0304;
352 return (0);
353}
354
355static int
356s_client_opt_quiet(void)
357{
358 s_client_config.quiet = 1;
359 s_client_config.ign_eof = 1;
360 return (0);
361}
362
363static int
364s_client_opt_starttls(char *arg)
365{
366 if (strcmp(arg, "smtp") == 0)
367 s_client_config.starttls_proto = PROTO_SMTP;
368 else if (strcmp(arg, "lmtp") == 0)
369 s_client_config.starttls_proto = PROTO_LMTP;
370 else if (strcmp(arg, "pop3") == 0)
371 s_client_config.starttls_proto = PROTO_POP3;
372 else if (strcmp(arg, "imap") == 0)
373 s_client_config.starttls_proto = PROTO_IMAP;
374 else if (strcmp(arg, "ftp") == 0)
375 s_client_config.starttls_proto = PROTO_FTP;
376 else if (strcmp(arg, "xmpp") == 0)
377 s_client_config.starttls_proto = PROTO_XMPP;
378 else
379 return (1);
380 return (0);
381}
382
383static int
384s_client_opt_verify(char *arg)
385{
386 s_client_config.verify = SSL_VERIFY_PEER0x01;
387
388 verify_depth = strtonum(arg, 0, INT_MAX2147483647, &s_client_config.errstr);
389 if (s_client_config.errstr != NULL((void*)0)) {
390 BIO_printf(bio_err, "invalid argument %s: %s\n",
391 arg, s_client_config.errstr);
392 return (1);
393 }
394 BIO_printf(bio_err, "verify depth is %d\n", verify_depth);
395 return (0);
396}
397
398static int
399s_client_opt_verify_param(int argc, char **argv, int *argsused)
400{
401 char **pargs = argv;
402 int pargc = argc;
403 int badarg = 0;
404
405 if (!args_verify(&pargs, &pargc, &badarg, bio_err,
406 &s_client_config.vpm)) {
407 BIO_printf(bio_err, "unknown option %s\n", *argv);
408 return (1);
409 }
410 if (badarg)
411 return (1);
412
413 *argsused = argc - pargc;
414 return (0);
415}
416
417static const struct option s_client_options[] = {
418 {
419 .name = "4",
420 .desc = "Use IPv4 only",
421 .type = OPTION_VALUE,
422 .opt.value = &s_client_config.af,
423 .value = AF_INET2,
424 },
425 {
426 .name = "6",
427 .desc = "Use IPv6 only",
428 .type = OPTION_VALUE,
429 .opt.value = &s_client_config.af,
430 .value = AF_INET624,
431 },
432 {
433 .name = "alpn",
434 .argname = "protocols",
435 .desc = "Set the advertised protocols for ALPN"
436 " (comma-separated list)",
437 .type = OPTION_ARG,
438 .opt.arg = &s_client_config.alpn_in,
439 },
440 {
441 .name = "bugs",
442 .desc = "Enable various workarounds for buggy implementations",
443 .type = OPTION_FLAG,
444 .opt.flag = &s_client_config.bugs,
445 },
446 {
447 .name = "CAfile",
448 .argname = "file",
449 .desc = "PEM format file of CA certificates",
450 .type = OPTION_ARG,
451 .opt.arg = &s_client_config.CAfile,
452 },
453 {
454 .name = "CApath",
455 .argname = "directory",
456 .desc = "PEM format directory of CA certificates",
457 .type = OPTION_ARG,
458 .opt.arg = &s_client_config.CApath,
459 },
460 {
461 .name = "cert",
462 .argname = "file",
463 .desc = "Certificate file to use, PEM format assumed",
464 .type = OPTION_ARG,
465 .opt.arg = &s_client_config.cert_file,
466 },
467 {
468 .name = "certform",
469 .argname = "fmt",
470 .desc = "Certificate format (PEM or DER) PEM default",
471 .type = OPTION_ARG_FORMAT,
472 .opt.value = &s_client_config.cert_format,
473 },
474 {
475 .name = "cipher",
476 .argname = "cipherlist",
477 .desc = "Preferred cipher to use (see 'openssl ciphers')",
478 .type = OPTION_ARG,
479 .opt.arg = &s_client_config.cipher,
480 },
481 {
482 .name = "connect",
483 .argname = "host:port",
484 .desc = "Who to connect to (default is localhost:4433)",
485 .type = OPTION_ARG,
486 .opt.arg = &s_client_config.connect,
487 },
488 {
489 .name = "crlf",
490 .desc = "Convert LF from terminal into CRLF",
491 .type = OPTION_FLAG,
492 .opt.flag = &s_client_config.crlf,
493 },
494 {
495 .name = "debug",
496 .desc = "Print extensive debugging information",
497 .type = OPTION_FLAG,
498 .opt.flag = &s_client_config.debug,
499 },
500#ifndef OPENSSL_NO_DTLS
501 {
502 .name = "dtls",
503 .desc = "Use any version of DTLS",
504 .type = OPTION_FUNC,
505 .opt.func = s_client_opt_protocol_version_dtls,
506 },
507#endif
508#ifndef OPENSSL_NO_DTLS1
509 {
510 .name = "dtls1",
511 .desc = "Just use DTLSv1",
512 .type = OPTION_FUNC,
513 .opt.func = s_client_opt_protocol_version_dtls1,
514 },
515#endif
516#ifndef OPENSSL_NO_DTLS1_2
517 {
518 .name = "dtls1_2",
519 .desc = "Just use DTLSv1.2",
520 .type = OPTION_FUNC,
521 .opt.func = s_client_opt_protocol_version_dtls1_2,
522 },
523#endif
524 {
525 .name = "groups",
526 .argname = "list",
527 .desc = "Specify EC groups (colon-separated list)",
528 .type = OPTION_ARG,
529 .opt.arg = &s_client_config.groups_in,
530 },
531 {
532 .name = "host",
533 .argname = "host",
534 .desc = "Use -connect instead",
535 .type = OPTION_ARG,
536 .opt.arg = &s_client_config.host,
537 },
538 {
539 .name = "ign_eof",
540 .desc = "Ignore input EOF (default when -quiet)",
541 .type = OPTION_VALUE,
542 .opt.value = &s_client_config.ign_eof,
543 .value = 1,
544 },
545 {
546 .name = "key",
547 .argname = "file",
548 .desc = "Private key file to use, if not, -cert file is used",
549 .type = OPTION_ARG,
550 .opt.arg = &s_client_config.key_file,
551 },
552 {
553 .name = "keyform",
554 .argname = "fmt",
555 .desc = "Key format (PEM or DER) PEM default",
556 .type = OPTION_ARG_FORMAT,
557 .opt.value = &s_client_config.key_format,
558 },
559 {
560 .name = "keymatexport",
561 .argname = "label",
562 .desc = "Export keying material using label",
563 .type = OPTION_ARG,
564 .opt.arg = &s_client_config.keymatexportlabel,
565 },
566 {
567 .name = "keymatexportlen",
568 .argname = "len",
569 .desc = "Export len bytes of keying material (default 20)",
570 .type = OPTION_ARG_FUNC,
571 .opt.argfunc = s_client_opt_keymatexportlen,
572 },
573 {
574 .name = "legacy_renegotiation",
575 .type = OPTION_DISCARD,
576 },
577 {
578 .name = "legacy_server_connect",
579 .desc = "Allow initial connection to servers that don't support RI",
580 .type = OPTION_VALUE_OR,
581 .opt.value = &s_client_config.off,
582 .value = SSL_OP_LEGACY_SERVER_CONNECT0x00000004L,
583 },
584 {
585 .name = "msg",
586 .desc = "Show all protocol messages with hex dump",
587 .type = OPTION_FLAG,
588 .opt.flag = &s_client_config.msg,
589 },
590#ifndef OPENSSL_NO_DTLS
591 {
592 .name = "mtu",
593 .argname = "mtu",
594 .desc = "Set the link layer MTU on DTLS connections",
595 .type = OPTION_ARG_FUNC,
596 .opt.argfunc = s_client_opt_mtu,
597 },
598#endif
599 {
600 .name = "nbio",
601 .desc = "Turn on non-blocking I/O",
602 .type = OPTION_FLAG,
603 .opt.flag = &s_client_config.nbio,
604 },
605 {
606 .name = "nbio_test",
607 .desc = "Test non-blocking I/O",
608 .type = OPTION_FLAG,
609 .opt.flag = &s_client_config.nbio_test,
610 },
611 {
612 .name = "nextprotoneg",
613 .argname = "protocols",
614 .type = OPTION_ARG,
615 .opt.arg = &s_client_config.npn_in, /* Ignored. */
616 },
617 {
618 .name = "no_comp",
619 .type = OPTION_VALUE_OR,
620 .opt.value = &s_client_config.off,
621 .value = SSL_OP_NO_COMPRESSION0x0,
622 },
623 {
624 .name = "no_ign_eof",
625 .desc = "Don't ignore input EOF",
626 .type = OPTION_VALUE,
627 .opt.value = &s_client_config.ign_eof,
628 .value = 0,
629 },
630 {
631 .name = "no_legacy_server_connect",
632 .desc = "Disallow initial connection to servers that don't support RI",
633 .type = OPTION_VALUE_OR,
634 .opt.value = &s_client_config.clr,
635 .value = SSL_OP_LEGACY_SERVER_CONNECT0x00000004L,
636 },
637 {
638 .name = "no_servername",
639 .desc = "Do not send a Server Name Indication (SNI) extension",
640 .type = OPTION_FLAG,
641 .opt.value = &s_client_config.no_servername,
642 },
643 {
644 .name = "no_ssl2",
645 .type = OPTION_VALUE_OR,
646 .opt.value = &s_client_config.off,
647 .value = SSL_OP_NO_SSLv20x0,
648 },
649 {
650 .name = "no_ssl3",
651 .type = OPTION_VALUE_OR,
652 .opt.value = &s_client_config.off,
653 .value = SSL_OP_NO_SSLv30x0,
654 },
655 {
656 .name = "no_ticket",
657 .desc = "Disable use of RFC4507 session ticket support",
658 .type = OPTION_VALUE_OR,
659 .opt.value = &s_client_config.off,
660 .value = SSL_OP_NO_TICKET0x00004000L,
661 },
662 {
663 .name = "no_tls1",
664 .desc = "Disable the use of TLSv1",
665 .type = OPTION_VALUE_OR,
666 .opt.value = &s_client_config.off,
667 .value = SSL_OP_NO_TLSv10x04000000L,
668 },
669 {
670 .name = "no_tls1_1",
671 .desc = "Disable the use of TLSv1.1",
672 .type = OPTION_VALUE_OR,
673 .opt.value = &s_client_config.off,
674 .value = SSL_OP_NO_TLSv1_10x10000000L,
675 },
676 {
677 .name = "no_tls1_2",
678 .desc = "Disable the use of TLSv1.2",
679 .type = OPTION_VALUE_OR,
680 .opt.value = &s_client_config.off,
681 .value = SSL_OP_NO_TLSv1_20x08000000L,
682 },
683 {
684 .name = "no_tls1_3",
685 .desc = "Disable the use of TLSv1.3",
686 .type = OPTION_VALUE_OR,
687 .opt.value = &s_client_config.off,
688 .value = SSL_OP_NO_TLSv1_30x20000000L,
689 },
690 {
691 .name = "noservername",
692 .type = OPTION_FLAG,
693 .opt.value = &s_client_config.no_servername,
694 },
695 {
696 .name = "pass",
697 .argname = "arg",
698 .desc = "Private key file pass phrase source",
699 .type = OPTION_ARG,
700 .opt.arg = &s_client_config.passarg,
701 },
702 {
703 .name = "pause",
704 .desc = "Pause 1 second between each read and write call",
705 .type = OPTION_FLAG,
706 .opt.flag = &s_client_config.pause,
707 },
708 {
709 .name = "peekaboo",
710 .type = OPTION_FLAG,
711 .opt.flag = &s_client_config.peekaboo,
712 },
713 {
714 .name = "port",
715 .argname = "port",
716 .desc = "Use -connect instead",
717 .type = OPTION_ARG_FUNC,
718 .opt.argfunc = s_client_opt_port,
719 },
720 {
721 .name = "prexit",
722 .desc = "Print session information when the program exits",
723 .type = OPTION_FLAG,
724 .opt.flag = &s_client_config.prexit,
725 },
726 {
727 .name = "proxy",
728 .argname = "host:port",
729 .desc = "Connect to http proxy",
730 .type = OPTION_ARG,
731 .opt.arg = &s_client_config.proxy,
732 },
733 {
734 .name = "quiet",
735 .desc = "Inhibit printing of session and certificate info",
736 .type = OPTION_FUNC,
737 .opt.func = s_client_opt_quiet,
738 },
739 {
740 .name = "reconnect",
741 .desc = "Drop and re-make the connection with the same Session-ID",
742 .type = OPTION_VALUE,
743 .opt.value = &s_client_config.reconnect,
744 .value = 5,
745 },
746 {
747 .name = "servername",
748 .argname = "name",
749 .desc = "Set TLS extension servername in ClientHello (SNI)",
750 .type = OPTION_ARG,
751 .opt.arg = &s_client_config.servername,
752 },
753 {
754 .name = "serverpref",
755 .desc = "Use server's cipher preferences",
756 .type = OPTION_VALUE_OR,
757 .opt.value = &s_client_config.off,
758 .value = SSL_OP_CIPHER_SERVER_PREFERENCE0x00400000L,
759 },
760 {
761 .name = "sess_in",
762 .argname = "file",
763 .desc = "File to read TLS session from",
764 .type = OPTION_ARG,
765 .opt.arg = &s_client_config.sess_in,
766 },
767 {
768 .name = "sess_out",
769 .argname = "file",
770 .desc = "File to write TLS session to",
771 .type = OPTION_ARG,
772 .opt.arg = &s_client_config.sess_out,
773 },
774 {
775 .name = "showcerts",
776 .desc = "Show all server certificates in the chain",
777 .type = OPTION_FLAG,
778 .opt.flag = &s_client_config.showcerts,
779 },
780 {
781 .name = "starttls",
782 .argname = "protocol",
783 .desc = "Use the STARTTLS command before starting TLS,\n"
784 "smtp, lmtp, pop3, imap, ftp and xmpp are supported.",
785 .type = OPTION_ARG_FUNC,
786 .opt.argfunc = s_client_opt_starttls,
787 },
788 {
789 .name = "state",
790 .desc = "Print the TLS session states",
791 .type = OPTION_FLAG,
792 .opt.flag = &s_client_config.state,
793 },
794 {
795 .name = "status",
796 .desc = "Send a certificate status request to the server (OCSP)",
797 .type = OPTION_FLAG,
798 .opt.flag = &s_client_config.status_req,
799 },
800#ifndef OPENSSL_NO_DTLS
801 {
802 .name = "timeout",
803 .desc = "Enable send/receive timeout on DTLS connections",
804 .type = OPTION_FLAG,
805 .opt.flag = &s_client_config.enable_timeouts,
806 },
807#endif
808 {
809 .name = "tls1",
810 .desc = "Just use TLSv1",
811 .type = OPTION_FUNC,
812 .opt.func = s_client_opt_protocol_version_tls1,
813 },
814 {
815 .name = "tls1_1",
816 .desc = "Just use TLSv1.1",
817 .type = OPTION_FUNC,
818 .opt.func = s_client_opt_protocol_version_tls1_1,
819 },
820 {
821 .name = "tls1_2",
822 .desc = "Just use TLSv1.2",
823 .type = OPTION_FUNC,
824 .opt.func = s_client_opt_protocol_version_tls1_2,
825 },
826 {
827 .name = "tls1_3",
828 .desc = "Just use TLSv1.3",
829 .type = OPTION_FUNC,
830 .opt.func = s_client_opt_protocol_version_tls1_3,
831 },
832 {
833 .name = "tlsextdebug",
834 .desc = "Hex dump of all TLS extensions received",
835 .type = OPTION_FLAG,
836 .opt.flag = &s_client_config.tlsextdebug,
837 },
838#ifndef OPENSSL_NO_SRTP
839 {
840 .name = "use_srtp",
841 .argname = "profiles",
842 .desc = "Offer SRTP key management with a colon-separated profiles",
843 .type = OPTION_ARG,
844 .opt.arg = &s_client_config.srtp_profiles,
845 },
846#endif
847 {
848 .name = "verify",
849 .argname = "depth",
850 .desc = "Turn on peer certificate verification, with a max of depth",
851 .type = OPTION_ARG_FUNC,
852 .opt.argfunc = s_client_opt_verify,
853 },
854 {
855 .name = "verify_return_error",
856 .desc = "Return verification error",
857 .type = OPTION_FLAG,
858 .opt.flag = &verify_return_error,
859 },
860 {
861 .name = "xmpphost",
862 .argname = "host",
863 .desc = "Connect to this virtual host on the xmpp server",
864 .type = OPTION_ARG,
865 .opt.arg = &s_client_config.xmpphost,
866 },
867 {
868 .name = NULL((void*)0),
869 .desc = "",
870 .type = OPTION_ARGV_FUNC,
871 .opt.argvfunc = s_client_opt_verify_param,
872 },
873 { NULL((void*)0) },
874};
875
876static void
877sc_usage(void)
878{
879 fprintf(stderr(&__sF[2]), "usage: s_client "
880 "[-4 | -6] [-alpn protocols] [-bugs] [-CAfile file]\n"
881 " [-CApath directory] [-cert file] [-certform der | pem] [-check_ss_sig]\n"
882 " [-cipher cipherlist] [-connect host[:port]] [-crl_check]\n"
883 " [-crl_check_all] [-crlf] [-debug] [-dtls] [-dtls1] [-dtls1_2] [-extended_crl]\n"
884 " [-groups list] [-host host] [-ign_eof] [-ignore_critical]\n"
885 " [-issuer_checks] [-key keyfile] [-keyform der | pem]\n"
886 " [-keymatexport label] [-keymatexportlen len] [-legacy_server_connect]\n"
887 " [-msg] [-mtu mtu] [-nbio] [-nbio_test] [-no_comp] [-no_ign_eof]\n"
888 " [-no_legacy_server_connect] [-no_ticket] [-no_tls1] [-no_tls1_1]\n"
889 " [-no_tls1_2] [-no_tls1_3] [-pass arg] [-pause] [-policy_check]\n"
890 " [-port port] [-prexit] [-proxy host:port] [-quiet] [-reconnect]\n"
891 " [-servername name] [-serverpref] [-sess_in file] [-sess_out file]\n"
892 " [-showcerts] [-starttls protocol] [-state] [-status] [-timeout]\n"
893 " [-tls1] [-tls1_1] [-tls1_2] [-tls1_3] [-tlsextdebug]\n"
894 " [-use_srtp profiles] [-verify depth] [-verify_return_error]\n"
895 " [-x509_strict] [-xmpphost host]\n");
896 fprintf(stderr(&__sF[2]), "\n");
897 options_usage(s_client_options);
898 fprintf(stderr(&__sF[2]), "\n");
899}
900
901int
902s_client_main(int argc, char **argv)
903{
904 SSL *con = NULL((void*)0);
905 int s, k, p = 0, pending = 0;
906 char *cbuf = NULL((void*)0), *sbuf = NULL((void*)0), *mbuf = NULL((void*)0), *pbuf = NULL((void*)0);
907 int cbuf_len, cbuf_off;
908 int sbuf_len, sbuf_off;
909 int full_log = 1;
910 const char *servername;
911 char *pass = NULL((void*)0);
912 X509 *cert = NULL((void*)0);
913 EVP_PKEY *key = NULL((void*)0);
914 int badop = 0;
915 int write_tty, read_tty, write_ssl, read_ssl, tty_on, ssl_pending;
916 SSL_CTX *ctx = NULL((void*)0);
917 int ret = 1, in_init = 1, i;
918 BIO *bio_c_out = NULL((void*)0);
919 BIO *sbio;
920 int mbuf_len = 0;
921 struct timeval timeout;
922 tlsextctx tlsextcbp = {NULL((void*)0), 0};
923 struct sockaddr_storage peer;
924 int peerlen = sizeof(peer);
925
926 if (single_execution) {
927 if (pledge("stdio cpath wpath rpath inet dns tty", NULL((void*)0)) == -1) {
928 perror("pledge");
929 exit(1);
930 }
931 }
932
933 memset(&s_client_config, 0, sizeof(s_client_config));
934 s_client_config.af = AF_UNSPEC0;
935 s_client_config.cert_format = FORMAT_PEM3;
936 s_client_config.host = SSL_HOST_NAME"localhost";
937 s_client_config.key_format = FORMAT_PEM3;
938 s_client_config.keymatexportlen = 20;
939 s_client_config.meth = TLS_client_method();
940 s_client_config.port = PORT_STR"4433";
941 s_client_config.socket_type = SOCK_STREAM1;
942 s_client_config.starttls_proto = PROTO_OFF;
943 s_client_config.verify = SSL_VERIFY_NONE0x00;
944
945 if (((cbuf = malloc(BUFSIZZ1024*8)) == NULL((void*)0)) ||
946 ((sbuf = malloc(BUFSIZZ1024*8)) == NULL((void*)0)) ||
947 ((pbuf = malloc(BUFSIZZ1024*8)) == NULL((void*)0)) ||
948 ((mbuf = malloc(BUFSIZZ1024*8 + 1)) == NULL((void*)0))) { /* NUL byte */
949 BIO_printf(bio_err, "out of memory\n");
950 goto end;
951 }
952 verify_depth = 0;
953
954 if (options_parse(argc, argv, s_client_options, NULL((void*)0), NULL((void*)0)) != 0) {
955 badop = 1;
Value stored to 'badop' is never read
956 goto bad;
957 }
958 if (s_client_config.proxy != NULL((void*)0)) {
959 if (!extract_host_port(s_client_config.proxy,
960 &s_client_config.host, NULL((void*)0), &s_client_config.port))
961 goto bad;
962 if (s_client_config.connect == NULL((void*)0))
963 s_client_config.connect = SSL_HOST_NAME"localhost";
964 } else if (s_client_config.connect != NULL((void*)0)) {
965 if (!extract_host_port(s_client_config.connect,
966 &s_client_config.host, NULL((void*)0), &s_client_config.port))
967 goto bad;
968 }
969 if (badop) {
970 bad:
971 if (s_client_config.errstr == NULL((void*)0))
972 sc_usage();
973 goto end;
974 }
975
976 if (!app_passwd(bio_err, s_client_config.passarg, NULL((void*)0), &pass, NULL((void*)0))) {
977 BIO_printf(bio_err, "Error getting password\n");
978 goto end;
979 }
980 if (s_client_config.key_file == NULL((void*)0))
981 s_client_config.key_file = s_client_config.cert_file;
982
983
984 if (s_client_config.key_file) {
985
986 key = load_key(bio_err, s_client_config.key_file,
987 s_client_config.key_format, 0, pass,
988 "client certificate private key file");
989 if (!key) {
990 ERR_print_errors(bio_err);
991 goto end;
992 }
993 }
994 if (s_client_config.cert_file) {
995 cert = load_cert(bio_err, s_client_config.cert_file,
996 s_client_config.cert_format,
997 NULL((void*)0), "client certificate file");
998
999 if (!cert) {
1000 ERR_print_errors(bio_err);
1001 goto end;
1002 }
1003 }
1004 if (s_client_config.quiet && !s_client_config.debug &&
1005 !s_client_config.msg) {
1006 if ((bio_c_out = BIO_new(BIO_s_null())) == NULL((void*)0))
1007 goto end;
1008 } else {
1009 if ((bio_c_out = BIO_new_fp(stdout(&__sF[1]), BIO_NOCLOSE0x00)) == NULL((void*)0))
1010 goto end;
1011 }
1012
1013 ctx = SSL_CTX_new(s_client_config.meth);
1014 if (ctx == NULL((void*)0)) {
1015 ERR_print_errors(bio_err);
1016 goto end;
1017 }
1018
1019 SSL_CTX_clear_mode(ctx, SSL_MODE_AUTO_RETRY)SSL_CTX_ctrl((ctx),78,(0x00000004L),((void*)0));
1020
1021 if (s_client_config.vpm)
1022 SSL_CTX_set1_param(ctx, s_client_config.vpm);
1023
1024 if (!SSL_CTX_set_min_proto_version(ctx, s_client_config.min_version))
1025 goto end;
1026 if (!SSL_CTX_set_max_proto_version(ctx, s_client_config.max_version))
1027 goto end;
1028
1029#ifndef OPENSSL_NO_SRTP
1030 if (s_client_config.srtp_profiles != NULL((void*)0))
1031 SSL_CTX_set_tlsext_use_srtp(ctx, s_client_config.srtp_profiles);
1032#endif
1033 if (s_client_config.bugs)
1034 SSL_CTX_set_options(ctx, SSL_OP_ALL | s_client_config.off)SSL_CTX_ctrl((ctx),32,((0x00000004L) | s_client_config.off),(
(void*)0))
;
1035 else
1036 SSL_CTX_set_options(ctx, s_client_config.off)SSL_CTX_ctrl((ctx),32,(s_client_config.off),((void*)0));
1037
1038 if (s_client_config.clr)
1039 SSL_CTX_clear_options(ctx, s_client_config.clr)SSL_CTX_ctrl((ctx),77,(s_client_config.clr),((void*)0));
1040
1041 if (s_client_config.alpn_in) {
1042 unsigned short alpn_len;
1043 unsigned char *alpn;
1044
1045 alpn = next_protos_parse(&alpn_len, s_client_config.alpn_in);
1046 if (alpn == NULL((void*)0)) {
1047 BIO_printf(bio_err, "Error parsing -alpn argument\n");
1048 goto end;
1049 }
1050 SSL_CTX_set_alpn_protos(ctx, alpn, alpn_len);
1051 free(alpn);
1052 }
1053 if (s_client_config.groups_in != NULL((void*)0)) {
1054 if (SSL_CTX_set1_groups_list(ctx, s_client_config.groups_in) != 1) {
1055 BIO_printf(bio_err, "Failed to set groups '%s'\n",
1056 s_client_config.groups_in);
1057 goto end;
1058 }
1059 }
1060
1061 if (s_client_config.state)
1062 SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback);
1063 if (s_client_config.cipher != NULL((void*)0))
1064 if (!SSL_CTX_set_cipher_list(ctx, s_client_config.cipher)) {
1065 BIO_printf(bio_err, "error setting cipher list\n");
1066 ERR_print_errors(bio_err);
1067 goto end;
1068 }
1069
1070 SSL_CTX_set_verify(ctx, s_client_config.verify, verify_callback);
1071 if (!set_cert_key_stuff(ctx, cert, key))
1072 goto end;
1073
1074 if ((s_client_config.CAfile || s_client_config.CApath)
1075 && !SSL_CTX_load_verify_locations(ctx, s_client_config.CAfile,
1076 s_client_config.CApath))
1077 ERR_print_errors(bio_err);
1078
1079 if (!SSL_CTX_set_default_verify_paths(ctx))
1080 ERR_print_errors(bio_err);
1081
1082 con = SSL_new(ctx);
1083 if (s_client_config.sess_in) {
1084 SSL_SESSION *sess;
1085 BIO *stmp = BIO_new_file(s_client_config.sess_in, "r");
1086 if (!stmp) {
1087 BIO_printf(bio_err, "Can't open session file %s\n",
1088 s_client_config.sess_in);
1089 ERR_print_errors(bio_err);
1090 goto end;
1091 }
1092 sess = PEM_read_bio_SSL_SESSION(stmp, NULL((void*)0), 0, NULL((void*)0));
1093 BIO_free(stmp);
1094 if (!sess) {
1095 BIO_printf(bio_err, "Can't open session file %s\n",
1096 s_client_config.sess_in);
1097 ERR_print_errors(bio_err);
1098 goto end;
1099 }
1100 SSL_set_session(con, sess);
1101 SSL_SESSION_free(sess);
1102 }
1103
1104 /* Attempt to opportunistically use the host name for SNI. */
1105 servername = s_client_config.servername;
1106 if (servername == NULL((void*)0))
1107 servername = s_client_config.host;
1108
1109 if (!s_client_config.no_servername && servername != NULL((void*)0) &&
1110 !SSL_set_tlsext_host_name(con, servername)SSL_ctrl(con,55,0,(char *)servername)) {
1111 long ssl_err = ERR_peek_error();
1112
1113 if (s_client_config.servername != NULL((void*)0) ||
1114 ERR_GET_LIB(ssl_err)(int)((((unsigned long)ssl_err)>>24L)&0xffL) != ERR_LIB_SSL20 ||
1115 ERR_GET_REASON(ssl_err)(int)((ssl_err)&0xfffL) != SSL_R_SSL3_EXT_INVALID_SERVERNAME319) {
1116 BIO_printf(bio_err,
1117 "Unable to set TLS servername extension.\n");
1118 ERR_print_errors(bio_err);
1119 goto end;
1120 }
1121 servername = NULL((void*)0);
1122 ERR_clear_error();
1123 }
1124 if (!s_client_config.no_servername && servername != NULL((void*)0)) {
1125 tlsextcbp.biodebug = bio_err;
1126 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb)SSL_CTX_callback_ctrl(ctx,53,(void (*)(void))ssl_servername_cb
)
;
1127 SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp)SSL_CTX_ctrl(ctx,54,0, (void *)&tlsextcbp);
1128 }
1129
1130 re_start:
1131
1132 if (init_client(&s, s_client_config.host, s_client_config.port,
1133 s_client_config.socket_type, s_client_config.af) == 0) {
1134 BIO_printf(bio_err, "connect:errno=%d\n", errno(*__errno()));
1135 goto end;
1136 }
1137 BIO_printf(bio_c_out, "CONNECTED(%08X)\n", s);
1138
1139 if (s_client_config.nbio) {
1140 if (!s_client_config.quiet)
1141 BIO_printf(bio_c_out, "turning on non blocking io\n");
1142 if (!BIO_socket_nbio(s, 1)) {
1143 ERR_print_errors(bio_err);
1144 goto end;
1145 }
1146 }
1147 if (s_client_config.pause & 0x01)
1148 SSL_set_debug(con, 1);
1149
1150 if (SSL_is_dtls(con)) {
1151 sbio = BIO_new_dgram(s, BIO_NOCLOSE0x00);
1152 if (getsockname(s, (struct sockaddr *)&peer,
1153 (void *)&peerlen) == -1) {
1154 BIO_printf(bio_err, "getsockname:errno=%d\n",
1155 errno(*__errno()));
1156 shutdown(s, SHUT_RD0);
1157 close(s);
1158 goto end;
1159 }
1160 (void) BIO_ctrl_set_connected(sbio, 1, &peer)(int)BIO_ctrl(sbio, 32, 1, (char *)&peer);
1161
1162 if (s_client_config.enable_timeouts) {
1163 timeout.tv_sec = 0;
1164 timeout.tv_usec = DGRAM_RCV_TIMEOUT250000;
1165 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT33, 0,
1166 &timeout);
1167
1168 timeout.tv_sec = 0;
1169 timeout.tv_usec = DGRAM_SND_TIMEOUT250000;
1170 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT35, 0,
1171 &timeout);
1172 }
1173 if (s_client_config.socket_mtu > 28) {
1174 SSL_set_options(con, SSL_OP_NO_QUERY_MTU)SSL_ctrl((con),32,(0x00001000L),((void*)0));
1175 SSL_set_mtu(con, s_client_config.socket_mtu - 28)SSL_ctrl((con),17,(s_client_config.socket_mtu - 28),((void*)0
))
;
1176 } else
1177 /* want to do MTU discovery */
1178 BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER39, 0, NULL((void*)0));
1179 } else
1180 sbio = BIO_new_socket(s, BIO_NOCLOSE0x00);
1181
1182 if (s_client_config.nbio_test) {
1183 BIO *test;
1184
1185 test = BIO_new(BIO_f_nbio_test());
1186 sbio = BIO_push(test, sbio);
1187 }
1188 if (s_client_config.debug) {
1189 SSL_set_debug(con, 1);
1190 BIO_set_callback(sbio, bio_dump_callback);
1191 BIO_set_callback_arg(sbio, (char *) bio_c_out);
1192 }
1193 if (s_client_config.msg) {
1194 SSL_set_msg_callback(con, msg_cb);
1195 SSL_set_msg_callback_arg(con, bio_c_out)SSL_ctrl((con), 16, 0, (bio_c_out));
1196 }
1197 if (s_client_config.tlsextdebug) {
1198 SSL_set_tlsext_debug_callback(con, tlsext_cb)SSL_callback_ctrl(con,56,(void (*)(void))tlsext_cb);
1199 SSL_set_tlsext_debug_arg(con, bio_c_out)SSL_ctrl(con,57,0, (void *)bio_c_out);
1200 }
1201 if (s_client_config.status_req) {
1202 SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp)SSL_ctrl(con,65,1, ((void*)0));
1203 SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb)SSL_CTX_callback_ctrl(ctx,63,(void (*)(void))ocsp_resp_cb);
1204 SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out)SSL_CTX_ctrl(ctx,64,0,(void *)bio_c_out);
1205 }
1206
1207 SSL_set_bio(con, sbio, sbio);
1208 SSL_set_connect_state(con);
1209
1210 /* ok, lets connect */
1211 read_tty = 1;
1212 write_tty = 0;
1213 tty_on = 0;
1214 read_ssl = 1;
1215 write_ssl = 1;
1216
1217 cbuf_len = 0;
1218 cbuf_off = 0;
1219 sbuf_len = 0;
1220 sbuf_off = 0;
1221
1222 /* This is an ugly hack that does a lot of assumptions */
1223 /*
1224 * We do have to handle multi-line responses which may come in a
1225 * single packet or not. We therefore have to use BIO_gets() which
1226 * does need a buffering BIO. So during the initial chitchat we do
1227 * push a buffering BIO into the chain that is removed again later on
1228 * to not disturb the rest of the s_client operation.
1229 */
1230 if (s_client_config.starttls_proto == PROTO_SMTP ||
1231 s_client_config.starttls_proto == PROTO_LMTP) {
1232 int foundit = 0;
1233 BIO *fbio = BIO_new(BIO_f_buffer());
1234 BIO_push(fbio, sbio);
1235 /* wait for multi-line response to end from SMTP */
1236 do {
1237 mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ1024*8);
1238 }
1239 while (mbuf_len > 3 && mbuf[3] == '-');
1240 /* STARTTLS command requires EHLO... */
1241 BIO_printf(fbio, "%cHLO openssl.client.net\r\n",
1242 s_client_config.starttls_proto == PROTO_SMTP ? 'E' : 'L');
1243 (void) BIO_flush(fbio)(int)BIO_ctrl(fbio,11,0,((void*)0));
1244 /* wait for multi-line response to end EHLO SMTP response */
1245 do {
1246 mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ1024*8);
1247 if (strstr(mbuf, "STARTTLS"))
1248 foundit = 1;
1249 }
1250 while (mbuf_len > 3 && mbuf[3] == '-');
1251 (void) BIO_flush(fbio)(int)BIO_ctrl(fbio,11,0,((void*)0));
1252 BIO_pop(fbio);
1253 BIO_free(fbio);
1254 if (!foundit)
1255 BIO_printf(bio_err,
1256 "didn't find starttls in server response,"
1257 " try anyway...\n");
1258 BIO_printf(sbio, "STARTTLS\r\n");
1259 BIO_read(sbio, sbuf, BUFSIZZ1024*8);
1260 } else if (s_client_config.starttls_proto == PROTO_POP3) {
1261 mbuf_len = BIO_read(sbio, mbuf, BUFSIZZ1024*8);
1262 if (mbuf_len == -1) {
1263 BIO_printf(bio_err, "BIO_read failed\n");
1264 goto end;
1265 }
1266 BIO_printf(sbio, "STLS\r\n");
1267 BIO_read(sbio, sbuf, BUFSIZZ1024*8);
1268 } else if (s_client_config.starttls_proto == PROTO_IMAP) {
1269 int foundit = 0;
1270 BIO *fbio = BIO_new(BIO_f_buffer());
1271 BIO_push(fbio, sbio);
1272 BIO_gets(fbio, mbuf, BUFSIZZ1024*8);
1273 /* STARTTLS command requires CAPABILITY... */
1274 BIO_printf(fbio, ". CAPABILITY\r\n");
1275 (void) BIO_flush(fbio)(int)BIO_ctrl(fbio,11,0,((void*)0));
1276 /* wait for multi-line CAPABILITY response */
1277 do {
1278 mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ1024*8);
1279 if (strstr(mbuf, "STARTTLS"))
1280 foundit = 1;
1281 }
1282 while (mbuf_len > 3 && mbuf[0] != '.');
1283 (void) BIO_flush(fbio)(int)BIO_ctrl(fbio,11,0,((void*)0));
1284 BIO_pop(fbio);
1285 BIO_free(fbio);
1286 if (!foundit)
1287 BIO_printf(bio_err,
1288 "didn't find STARTTLS in server response,"
1289 " try anyway...\n");
1290 BIO_printf(sbio, ". STARTTLS\r\n");
1291 BIO_read(sbio, sbuf, BUFSIZZ1024*8);
1292 } else if (s_client_config.starttls_proto == PROTO_FTP) {
1293 BIO *fbio = BIO_new(BIO_f_buffer());
1294 BIO_push(fbio, sbio);
1295 /* wait for multi-line response to end from FTP */
1296 do {
1297 mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ1024*8);
1298 }
1299 while (mbuf_len > 3 && mbuf[3] == '-');
1300 (void) BIO_flush(fbio)(int)BIO_ctrl(fbio,11,0,((void*)0));
1301 BIO_pop(fbio);
1302 BIO_free(fbio);
1303 BIO_printf(sbio, "AUTH TLS\r\n");
1304 BIO_read(sbio, sbuf, BUFSIZZ1024*8);
1305 } else if (s_client_config.starttls_proto == PROTO_XMPP) {
1306 int seen = 0;
1307 BIO_printf(sbio, "<stream:stream "
1308 "xmlns:stream='http://etherx.jabber.org/streams' "
1309 "xmlns='jabber:client' to='%s' version='1.0'>",
1310 s_client_config.xmpphost ?
1311 s_client_config.xmpphost : s_client_config.host);
1312 seen = BIO_read(sbio, mbuf, BUFSIZZ1024*8);
1313
1314 if (seen <= 0)
1315 goto shut;
1316
1317 mbuf[seen] = 0;
1318 while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'") &&
1319 !strstr(mbuf, "<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\"")) {
1320 seen = BIO_read(sbio, mbuf, BUFSIZZ1024*8);
1321
1322 if (seen <= 0)
1323 goto shut;
1324
1325 mbuf[seen] = 0;
1326 }
1327 BIO_printf(sbio,
1328 "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>");
1329 seen = BIO_read(sbio, sbuf, BUFSIZZ1024*8);
1330 sbuf[seen] = 0;
1331 if (!strstr(sbuf, "<proceed"))
1332 goto shut;
1333 mbuf[0] = 0;
1334 } else if (s_client_config.proxy != NULL((void*)0)) {
1335 BIO_printf(sbio, "CONNECT %s HTTP/1.0\r\n\r\n",
1336 s_client_config.connect);
1337 mbuf_len = BIO_read(sbio, mbuf, BUFSIZZ1024*8);
1338 if (mbuf_len == -1) {
1339 BIO_printf(bio_err, "BIO_read failed\n");
1340 goto end;
1341 }
1342 }
1343 for (;;) {
1344 struct pollfd pfd[3]; /* stdin, stdout, socket */
1345 int ptimeout = -1;
1346
1347 if (SSL_is_dtls(con) && DTLSv1_get_timeout(con, &timeout)SSL_ctrl(con,73,0, (void *)&timeout))
1348 ptimeout = timeout.tv_sec * 1000 +
1349 timeout.tv_usec / 1000;
1350
1351 if (SSL_in_init(con)(SSL_state((con))&(0x1000|0x2000)) && !SSL_total_renegotiations(con)SSL_ctrl((con),12,0,((void*)0))) {
1352 in_init = 1;
1353 tty_on = 0;
1354 } else {
1355 tty_on = 1;
1356 if (in_init) {
1357 in_init = 0;
1358 if (s_client_config.sess_out) {
1359 BIO *stmp = BIO_new_file(
1360 s_client_config.sess_out, "w");
1361 if (stmp) {
1362 PEM_write_bio_SSL_SESSION(stmp,
1363 SSL_get_session(con));
1364 BIO_free(stmp);
1365 } else
1366 BIO_printf(bio_err,
1367 "Error writing session file %s\n",
1368 s_client_config.sess_out);
1369 }
1370 print_stuff(bio_c_out, con, full_log);
1371 if (full_log > 0)
1372 full_log--;
1373
1374 if (s_client_config.starttls_proto) {
1375 BIO_write(bio_err, mbuf, mbuf_len);
1376 /* We don't need to know any more */
1377 s_client_config.starttls_proto = PROTO_OFF;
1378 }
1379 if (s_client_config.reconnect) {
1380 s_client_config.reconnect--;
1381 BIO_printf(bio_c_out,
1382 "drop connection and then reconnect\n");
1383 SSL_shutdown(con);
1384 SSL_set_connect_state(con);
1385 shutdown(SSL_get_fd(con), SHUT_RD0);
1386 close(SSL_get_fd(con));
1387 goto re_start;
1388 }
1389 }
1390 }
1391
1392 ssl_pending = read_ssl && SSL_pending(con);
1393
1394 pfd[0].fd = -1;
1395 pfd[1].fd = -1;
1396 if (!ssl_pending) {
1397 if (tty_on) {
1398 if (read_tty) {
1399 pfd[0].fd = fileno(stdin)(!__isthreaded ? (((&__sF[0]))->_file) : (fileno)((&
__sF[0])))
;
1400 pfd[0].events = POLLIN0x0001;
1401 }
1402 if (write_tty) {
1403 pfd[1].fd = fileno(stdout)(!__isthreaded ? (((&__sF[1]))->_file) : (fileno)((&
__sF[1])))
;
1404 pfd[1].events = POLLOUT0x0004;
1405 }
1406 }
1407
1408 pfd[2].fd = SSL_get_fd(con);
1409 pfd[2].events = 0;
1410 if (read_ssl)
1411 pfd[2].events |= POLLIN0x0001;
1412 if (write_ssl)
1413 pfd[2].events |= POLLOUT0x0004;
1414
1415/* printf("mode tty(%d %d%d) ssl(%d%d)\n",
1416 tty_on,read_tty,write_tty,read_ssl,write_ssl);*/
1417
1418 i = poll(pfd, 3, ptimeout);
1419 if (i == -1) {
1420 BIO_printf(bio_err, "bad select %d\n",
1421 errno(*__errno()));
1422 goto shut;
1423 /* goto end; */
1424 }
1425 }
1426 if (SSL_is_dtls(con) &&
1427 DTLSv1_handle_timeout(con)SSL_ctrl(con,74,0, ((void*)0)) > 0)
1428 BIO_printf(bio_err, "TIMEOUT occured\n");
1429 if (!ssl_pending &&
1430 (pfd[2].revents & (POLLOUT0x0004|POLLERR0x0008|POLLNVAL0x0020))) {
1431 if (pfd[2].revents & (POLLERR0x0008|POLLNVAL0x0020)) {
1432 BIO_printf(bio_err, "poll error");
1433 goto shut;
1434 }
1435 k = SSL_write(con, &(cbuf[cbuf_off]),
1436 (unsigned int) cbuf_len);
1437 switch (SSL_get_error(con, k)) {
1438 case SSL_ERROR_NONE0:
1439 cbuf_off += k;
1440 cbuf_len -= k;
1441 if (k <= 0)
1442 goto end;
1443 /* we have done a write(con,NULL,0); */
1444 if (cbuf_len <= 0) {
1445 read_tty = 1;
1446 write_ssl = 0;
1447 } else { /* if (cbuf_len > 0) */
1448 read_tty = 0;
1449 write_ssl = 1;
1450 }
1451 break;
1452 case SSL_ERROR_WANT_WRITE3:
1453 BIO_printf(bio_c_out, "write W BLOCK\n");
1454 write_ssl = 1;
1455 read_tty = 0;
1456 break;
1457 case SSL_ERROR_WANT_READ2:
1458 BIO_printf(bio_c_out, "write R BLOCK\n");
1459 write_tty = 0;
1460 read_ssl = 1;
1461 write_ssl = 0;
1462 break;
1463 case SSL_ERROR_WANT_X509_LOOKUP4:
1464 BIO_printf(bio_c_out, "write X BLOCK\n");
1465 break;
1466 case SSL_ERROR_ZERO_RETURN6:
1467 if (cbuf_len != 0) {
1468 BIO_printf(bio_c_out, "shutdown\n");
1469 ret = 0;
1470 goto shut;
1471 } else {
1472 read_tty = 1;
1473 write_ssl = 0;
1474 break;
1475 }
1476
1477 case SSL_ERROR_SYSCALL5:
1478 if ((k != 0) || (cbuf_len != 0)) {
1479 BIO_printf(bio_err, "write:errno=%d\n",
1480 errno(*__errno()));
1481 goto shut;
1482 } else {
1483 read_tty = 1;
1484 write_ssl = 0;
1485 }
1486 break;
1487 case SSL_ERROR_SSL1:
1488 ERR_print_errors(bio_err);
1489 goto shut;
1490 }
1491 } else if (!ssl_pending &&
1492 (pfd[1].revents & (POLLOUT0x0004|POLLERR0x0008|POLLNVAL0x0020))) {
1493 if (pfd[1].revents & (POLLERR0x0008|POLLNVAL0x0020)) {
1494 BIO_printf(bio_err, "poll error");
1495 goto shut;
1496 }
1497 i = write(fileno(stdout)(!__isthreaded ? (((&__sF[1]))->_file) : (fileno)((&
__sF[1])))
, &(sbuf[sbuf_off]), sbuf_len);
1498
1499 if (i <= 0) {
1500 BIO_printf(bio_c_out, "DONE\n");
1501 ret = 0;
1502 goto shut;
1503 /* goto end; */
1504 }
1505 sbuf_len -= i;
1506 sbuf_off += i;
1507 if (sbuf_len <= 0) {
1508 read_ssl = 1;
1509 write_tty = 0;
1510 }
1511 } else if (ssl_pending || (pfd[2].revents & (POLLIN0x0001|POLLHUP0x0010))) {
1512#ifdef RENEG
1513 {
1514 static int iiii;
1515 if (++iiii == 52) {
1516 SSL_renegotiate(con);
1517 iiii = 0;
1518 }
1519 }
1520#endif
1521 if (s_client_config.peekaboo) {
1522 k = p = SSL_peek(con, pbuf, 1024 /* BUFSIZZ */ );
1523 pending = SSL_pending(con);
1524 if (SSL_get_error(con, p) == SSL_ERROR_NONE0) {
1525 if (p <= 0)
1526 goto end;
1527
1528 k = SSL_read(con, sbuf, p);
1529 }
1530 } else {
1531 k = SSL_read(con, sbuf, 1024 /* BUFSIZZ */ );
1532 }
1533
1534 switch (SSL_get_error(con, k)) {
1535 case SSL_ERROR_NONE0:
1536 if (k <= 0)
1537 goto end;
1538 sbuf_off = 0;
1539 sbuf_len = k;
1540 if (s_client_config.peekaboo) {
1541 if (p != pending) {
1542 ret = -1;
1543 BIO_printf(bio_err,
1544 "peeked %d but pending %d!\n",
1545 p, pending);
1546 goto shut;
1547 }
1548 if (k < p) {
1549 ret = -1;
1550 BIO_printf(bio_err,
1551 "read less than peek!\n");
1552 goto shut;
1553 }
1554 if (p > 0 &&
1555 (memcmp(sbuf, pbuf, p) != 0)) {
1556 ret = -1;
1557 BIO_printf(bio_err,
1558 "peek of %d different from read of %d!\n",
1559 p, k);
1560 goto shut;
1561 }
1562 }
1563 read_ssl = 0;
1564 write_tty = 1;
1565 break;
1566 case SSL_ERROR_WANT_WRITE3:
1567 BIO_printf(bio_c_out, "read W BLOCK\n");
1568 write_ssl = 1;
1569 read_tty = 0;
1570 break;
1571 case SSL_ERROR_WANT_READ2:
1572 BIO_printf(bio_c_out, "read R BLOCK\n");
1573 write_tty = 0;
1574 read_ssl = 1;
1575 if ((read_tty == 0) && (write_ssl == 0))
1576 write_ssl = 1;
1577 break;
1578 case SSL_ERROR_WANT_X509_LOOKUP4:
1579 BIO_printf(bio_c_out, "read X BLOCK\n");
1580 break;
1581 case SSL_ERROR_SYSCALL5:
1582 ret = errno(*__errno());
1583 BIO_printf(bio_err, "read:errno=%d\n", ret);
1584 goto shut;
1585 case SSL_ERROR_ZERO_RETURN6:
1586 BIO_printf(bio_c_out, "closed\n");
1587 ret = 0;
1588 goto shut;
1589 case SSL_ERROR_SSL1:
1590 ERR_print_errors(bio_err);
1591 goto shut;
1592 /* break; */
1593 }
1594 } else if (pfd[0].revents) {
1595 if (pfd[0].revents & (POLLERR0x0008|POLLNVAL0x0020)) {
1596 BIO_printf(bio_err, "poll error");
1597 goto shut;
1598 }
1599 if (s_client_config.crlf) {
1600 int j, lf_num;
1601
1602 i = read(fileno(stdin)(!__isthreaded ? (((&__sF[0]))->_file) : (fileno)((&
__sF[0])))
, cbuf, BUFSIZZ1024*8 / 2);
1603 lf_num = 0;
1604 /* both loops are skipped when i <= 0 */
1605 for (j = 0; j < i; j++)
1606 if (cbuf[j] == '\n')
1607 lf_num++;
1608 for (j = i - 1; j >= 0; j--) {
1609 cbuf[j + lf_num] = cbuf[j];
1610 if (cbuf[j] == '\n') {
1611 lf_num--;
1612 i++;
1613 cbuf[j + lf_num] = '\r';
1614 }
1615 }
1616 assert(lf_num == 0)((lf_num == 0) ? (void)0 : __assert2("/usr/src/usr.bin/openssl/s_client.c"
, 1616, __func__, "lf_num == 0"))
;
1617 } else
1618 i = read(fileno(stdin)(!__isthreaded ? (((&__sF[0]))->_file) : (fileno)((&
__sF[0])))
, cbuf, BUFSIZZ1024*8);
1619
1620 if ((!s_client_config.ign_eof) &&
1621 ((i <= 0) || (cbuf[0] == 'Q'))) {
1622 BIO_printf(bio_err, "DONE\n");
1623 ret = 0;
1624 goto shut;
1625 }
1626 if ((!s_client_config.ign_eof) && (cbuf[0] == 'R')) {
1627 BIO_printf(bio_err, "RENEGOTIATING\n");
1628 SSL_renegotiate(con);
1629 cbuf_len = 0;
1630 } else {
1631 cbuf_len = i;
1632 cbuf_off = 0;
1633 }
1634
1635 write_ssl = 1;
1636 read_tty = 0;
1637 }
1638 }
1639
1640 ret = 0;
1641 shut:
1642 if (in_init)
1643 print_stuff(bio_c_out, con, full_log);
1644 SSL_shutdown(con);
1645 shutdown(SSL_get_fd(con), SHUT_RD0);
1646 close(SSL_get_fd(con));
1647 end:
1648 if (con != NULL((void*)0)) {
1649 if (s_client_config.prexit != 0)
1650 print_stuff(bio_c_out, con, 1);
1651 SSL_free(con);
1652 }
1653 SSL_CTX_free(ctx);
1654 X509_free(cert);
1655 EVP_PKEY_free(key);
1656 free(pass);
1657 X509_VERIFY_PARAM_free(s_client_config.vpm);
1658 freezero(cbuf, BUFSIZZ1024*8);
1659 freezero(sbuf, BUFSIZZ1024*8);
1660 freezero(pbuf, BUFSIZZ1024*8);
1661 freezero(mbuf, BUFSIZZ1024*8);
1662 BIO_free(bio_c_out);
1663
1664 return (ret);
1665}
1666
1667static void
1668print_stuff(BIO *bio, SSL *s, int full)
1669{
1670 X509 *peer = NULL((void*)0);
1671 char *p;
1672 static const char *space = " ";
1673 char buf[BUFSIZ1024];
1674 STACK_OF(X509)struct stack_st_X509 *sk;
1675 STACK_OF(X509_NAME)struct stack_st_X509_NAME *sk2;
1676 const SSL_CIPHER *c;
1677 X509_NAME *xn;
1678 int j, i;
1679 unsigned char *exportedkeymat;
1680
1681 if (full) {
1682 int got_a_chain = 0;
1683
1684 sk = SSL_get_peer_cert_chain(s);
1685 if (sk != NULL((void*)0)) {
1686 got_a_chain = 1; /* we don't have it for SSL2
1687 * (yet) */
1688
1689 BIO_printf(bio, "---\nCertificate chain\n");
1690 for (i = 0; i < sk_X509_num(sk)sk_num(((_STACK*) (1 ? (sk) : (struct stack_st_X509*)0))); i++) {
1691 X509_NAME_oneline(X509_get_subject_name(
1692 sk_X509_value(sk, i)((X509 *)sk_value(((_STACK*) (1 ? (sk) : (struct stack_st_X509
*)0)), (i)))
), buf, sizeof buf);
1693 BIO_printf(bio, "%2d s:%s\n", i, buf);
1694 X509_NAME_oneline(X509_get_issuer_name(
1695 sk_X509_value(sk, i)((X509 *)sk_value(((_STACK*) (1 ? (sk) : (struct stack_st_X509
*)0)), (i)))
), buf, sizeof buf);
1696 BIO_printf(bio, " i:%s\n", buf);
1697 if (s_client_config.showcerts)
1698 PEM_write_bio_X509(bio,
1699 sk_X509_value(sk, i)((X509 *)sk_value(((_STACK*) (1 ? (sk) : (struct stack_st_X509
*)0)), (i)))
);
1700 }
1701 }
1702 BIO_printf(bio, "---\n");
1703 peer = SSL_get_peer_certificate(s);
1704 if (peer != NULL((void*)0)) {
1705 BIO_printf(bio, "Server certificate\n");
1706 if (!(s_client_config.showcerts && got_a_chain)) {
1707 /* Redundant if we showed the whole chain */
1708 PEM_write_bio_X509(bio, peer);
1709 }
1710 X509_NAME_oneline(X509_get_subject_name(peer),
1711 buf, sizeof buf);
1712 BIO_printf(bio, "subject=%s\n", buf);
1713 X509_NAME_oneline(X509_get_issuer_name(peer),
1714 buf, sizeof buf);
1715 BIO_printf(bio, "issuer=%s\n", buf);
1716 } else
1717 BIO_printf(bio, "no peer certificate available\n");
1718
1719 sk2 = SSL_get_client_CA_list(s);
1720 if ((sk2 != NULL((void*)0)) && (sk_X509_NAME_num(sk2)sk_num(((_STACK*) (1 ? (sk2) : (struct stack_st_X509_NAME*)0)
))
> 0)) {
1721 BIO_printf(bio,
1722 "---\nAcceptable client certificate CA names\n");
1723 for (i = 0; i < sk_X509_NAME_num(sk2)sk_num(((_STACK*) (1 ? (sk2) : (struct stack_st_X509_NAME*)0)
))
; i++) {
1724 xn = sk_X509_NAME_value(sk2, i)((X509_NAME *)sk_value(((_STACK*) (1 ? (sk2) : (struct stack_st_X509_NAME
*)0)), (i)))
;
1725 X509_NAME_oneline(xn, buf, sizeof(buf));
1726 BIO_write(bio, buf, strlen(buf));
1727 BIO_write(bio, "\n", 1);
1728 }
1729 } else {
1730 BIO_printf(bio,
1731 "---\nNo client certificate CA names sent\n");
1732 }
1733 p = SSL_get_shared_ciphers(s, buf, sizeof buf);
1734 if (p != NULL((void*)0)) {
1735 /*
1736 * This works only for SSL 2. In later protocol
1737 * versions, the client does not know what other
1738 * ciphers (in addition to the one to be used in the
1739 * current connection) the server supports.
1740 */
1741
1742 BIO_printf(bio,
1743 "---\nCiphers common between both SSL endpoints:\n");
1744 j = i = 0;
1745 while (*p) {
1746 if (*p == ':') {
1747 BIO_write(bio, space, 15 - j % 25);
1748 i++;
1749 j = 0;
1750 BIO_write(bio,
1751 ((i % 3) ? " " : "\n"), 1);
1752 } else {
1753 BIO_write(bio, p, 1);
1754 j++;
1755 }
1756 p++;
1757 }
1758 BIO_write(bio, "\n", 1);
1759 }
1760
1761 ssl_print_tmp_key(bio, s);
1762
1763 BIO_printf(bio,
1764 "---\nSSL handshake has read %ld bytes and written %ld bytes\n",
1765 BIO_number_read(SSL_get_rbio(s)),
1766 BIO_number_written(SSL_get_wbio(s)));
1767 }
1768 BIO_printf(bio, (SSL_cache_hit(s) ? "---\nReused, " : "---\nNew, "));
1769 c = SSL_get_current_cipher(s);
1770 BIO_printf(bio, "%s, Cipher is %s\n",
1771 SSL_CIPHER_get_version(c),
1772 SSL_CIPHER_get_name(c));
1773 if (peer != NULL((void*)0)) {
1774 EVP_PKEY *pktmp;
1775 pktmp = X509_get_pubkey(peer);
1776 BIO_printf(bio, "Server public key is %d bit\n",
1777 EVP_PKEY_bits(pktmp));
1778 EVP_PKEY_free(pktmp);
1779 }
1780 BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
1781 SSL_get_secure_renegotiation_support(s)SSL_ctrl((s), 76, 0, ((void*)0)) ? "" : " NOT");
1782
1783 /* Compression is not supported and will always be none. */
1784 BIO_printf(bio, "Compression: NONE\n");
1785 BIO_printf(bio, "Expansion: NONE\n");
1786
1787#ifdef SSL_DEBUG
1788 {
1789 /* Print out local port of connection: useful for debugging */
1790 int sock;
1791 struct sockaddr_in ladd;
1792 socklen_t ladd_size = sizeof(ladd);
1793 sock = SSL_get_fd(s);
1794 getsockname(sock, (struct sockaddr *) & ladd, &ladd_size);
1795 BIO_printf(bio, "LOCAL PORT is %u\n",
1796 ntohs(ladd.sin_port)(__uint16_t)(__builtin_constant_p(ladd.sin_port) ? (__uint16_t
)(((__uint16_t)(ladd.sin_port) & 0xffU) << 8 | ((__uint16_t
)(ladd.sin_port) & 0xff00U) >> 8) : __swap16md(ladd
.sin_port))
);
1797 }
1798#endif
1799
1800 {
1801 const unsigned char *proto;
1802 unsigned int proto_len;
1803 SSL_get0_alpn_selected(s, &proto, &proto_len);
1804 if (proto_len > 0) {
1805 BIO_printf(bio, "ALPN protocol: ");
1806 BIO_write(bio, proto, proto_len);
1807 BIO_write(bio, "\n", 1);
1808 } else
1809 BIO_printf(bio, "No ALPN negotiated\n");
1810 }
1811
1812#ifndef OPENSSL_NO_SRTP
1813 {
1814 SRTP_PROTECTION_PROFILE *srtp_profile;
1815
1816 srtp_profile = SSL_get_selected_srtp_profile(s);
1817 if (srtp_profile)
1818 BIO_printf(bio,
1819 "SRTP Extension negotiated, profile=%s\n",
1820 srtp_profile->name);
1821 }
1822#endif
1823
1824 SSL_SESSION_print(bio, SSL_get_session(s));
1825 if (s_client_config.keymatexportlabel != NULL((void*)0)) {
1826 BIO_printf(bio, "Keying material exporter:\n");
1827 BIO_printf(bio, " Label: '%s'\n",
1828 s_client_config.keymatexportlabel);
1829 BIO_printf(bio, " Length: %i bytes\n",
1830 s_client_config.keymatexportlen);
1831 exportedkeymat = malloc(s_client_config.keymatexportlen);
1832 if (exportedkeymat != NULL((void*)0)) {
1833 if (!SSL_export_keying_material(s, exportedkeymat,
1834 s_client_config.keymatexportlen,
1835 s_client_config.keymatexportlabel,
1836 strlen(s_client_config.keymatexportlabel),
1837 NULL((void*)0), 0, 0)) {
1838 BIO_printf(bio, " Error\n");
1839 } else {
1840 BIO_printf(bio, " Keying material: ");
1841 for (i = 0; i < s_client_config.keymatexportlen; i++)
1842 BIO_printf(bio, "%02X",
1843 exportedkeymat[i]);
1844 BIO_printf(bio, "\n");
1845 }
1846 free(exportedkeymat);
1847 }
1848 }
1849 BIO_printf(bio, "---\n");
1850 X509_free(peer);
1851 /* flush, or debugging output gets mixed with http response */
1852 (void) BIO_flush(bio)(int)BIO_ctrl(bio,11,0,((void*)0));
1853}
1854
1855static int
1856ocsp_resp_cb(SSL *s, void *arg)
1857{
1858 const unsigned char *p;
1859 int len;
1860 OCSP_RESPONSE *rsp;
1861 len = SSL_get_tlsext_status_ocsp_resp(s, &p)SSL_ctrl(s,70,0, (void *)&p);
1862 BIO_puts(arg, "OCSP response: ");
1863 if (!p) {
1864 BIO_puts(arg, "no response sent\n");
1865 return 1;
1866 }
1867 rsp = d2i_OCSP_RESPONSE(NULL((void*)0), &p, len);
1868 if (!rsp) {
1869 BIO_puts(arg, "response parse error\n");
1870 BIO_dump_indent(arg, (char *) p, len, 4);
1871 return 0;
1872 }
1873 BIO_puts(arg, "\n======================================\n");
1874 OCSP_RESPONSE_print(arg, rsp, 0);
1875 BIO_puts(arg, "======================================\n");
1876 OCSP_RESPONSE_free(rsp);
1877 return 1;
1878}
1879
1880static int
1881ssl_servername_cb(SSL *s, int *ad, void *arg)
1882{
1883 tlsextctx *p = (tlsextctx *) arg;
1884 const char *hn = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name0);
1885 if (SSL_get_servername_type(s) != -1)
1886 p->ack = !SSL_session_reused(s)SSL_ctrl((s),8,0,((void*)0)) && hn != NULL((void*)0);
1887 else
1888 BIO_printf(bio_err, "Can't use SSL_get_servername\n");
1889
1890 return SSL_TLSEXT_ERR_OK0;
1891}
1892