/usr/src/usr.bin/openssl/s

Bug Summary

File:	src/usr.bin/openssl/s_client.c
Warning:	line 955, column 3 Value stored to 'badop' is never read

Annotated Source Code

Press '?' to see keyboard shortcuts

Show analyzer invocation

clang -cc1 -cc1 -triple amd64-unknown-openbsd7.0 -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name s_client.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -pic-is-pie -mframe-pointer=all -relaxed-aliasing -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/usr.bin/openssl/obj -resource-dir /usr/local/lib/clang/13.0.0 -D LIBRESSL_INTERNAL -internal-isystem /usr/local/lib/clang/13.0.0/include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/usr/src/usr.bin/openssl/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/vmm/scan-build/2022-01-12-194120-40624-1 -x c /usr/src/usr.bin/openssl/s_client.c

1	/* $OpenBSD: s_client.c,v 1.57 2021/12/26 14:46:06 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.
4	*
5	* This package is an SSL implementation written
6	* by Eric Young (eay@cryptsoft.com).
7	* The implementation was written so as to conform with Netscapes SSL.
8	*
9	* This library is free for commercial and non-commercial use as long as
10	* the following conditions are aheared to. The following conditions
11	* apply to all code found in this distribution, be it the RC4, RSA,
12	* lhash, DES, etc., code; not just the SSL code. The SSL documentation
13	* included with this distribution is covered by the same copyright terms
14	* except that the holder is Tim Hudson (tjh@cryptsoft.com).
15	*
16	* Copyright remains Eric Young's, and as such any Copyright notices in
17	* the code are not to be removed.
18	* If this package is used in a product, Eric Young should be given attribution
19	* as the author of the parts of the library used.
20	* This can be in the form of a textual message at program startup or
21	* in documentation (online or textual) provided with the package.
22	*
23	* Redistribution and use in source and binary forms, with or without
24	* modification, are permitted provided that the following conditions
25	* are met:
26	* 1. Redistributions of source code must retain the copyright
27	* notice, this list of conditions and the following disclaimer.
28	* 2. Redistributions in binary form must reproduce the above copyright
29	* notice, this list of conditions and the following disclaimer in the
30	* documentation and/or other materials provided with the distribution.
31	* 3. All advertising materials mentioning features or use of this software
32	* must display the following acknowledgement:
33	* "This product includes cryptographic software written by
34	* Eric Young (eay@cryptsoft.com)"
35	* The word 'cryptographic' can be left out if the rouines from the library
36	* being used are not cryptographic related :-).
37	* 4. If you include any Windows specific code (or a derivative thereof) from
38	* the apps directory (application code) you must include an acknowledgement:
39	* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40	*
41	* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51	* SUCH DAMAGE.
52	*
53	* The licence and distribution terms for any publically available version or
54	* derivative of this code cannot be changed. i.e. this code cannot simply be
55	* copied and put under another distribution licence
56	* [including the GNU Public Licence.]
57	*/
58	/* ====================================================================
59	* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
60	*
61	* Redistribution and use in source and binary forms, with or without
62	* modification, are permitted provided that the following conditions
63	* are met:
64	*
65	* 1. Redistributions of source code must retain the above copyright
66	* notice, this list of conditions and the following disclaimer.
67	*
68	* 2. Redistributions in binary form must reproduce the above copyright
69	* notice, this list of conditions and the following disclaimer in
70	* the documentation and/or other materials provided with the
71	* distribution.
72	*
73	* 3. All advertising materials mentioning features or use of this
74	* software must display the following acknowledgment:
75	* "This product includes software developed by the OpenSSL Project
76	* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77	*
78	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79	* endorse or promote products derived from this software without
80	* prior written permission. For written permission, please contact
81	* openssl-core@openssl.org.
82	*
83	* 5. Products derived from this software may not be called "OpenSSL"
84	* nor may "OpenSSL" appear in their names without prior written
85	* permission of the OpenSSL Project.
86	*
87	* 6. Redistributions of any form whatsoever must retain the following
88	* acknowledgment:
89	* "This product includes software developed by the OpenSSL Project
90	* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91	*
92	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103	* OF THE POSSIBILITY OF SUCH DAMAGE.
104	* ====================================================================
105	*
106	* This product includes cryptographic software written by Eric Young
107	* (eay@cryptsoft.com). This product includes software written by Tim
108	* Hudson (tjh@cryptsoft.com).
109	*
110	*/
111	/* ====================================================================
112	* Copyright 2005 Nokia. All rights reserved.
113	*
114	* The portions of the attached software ("Contribution") is developed by
115	* Nokia Corporation and is licensed pursuant to the OpenSSL open source
116	* license.
117	*
118	* The Contribution, originally written by Mika Kousa and Pasi Eronen of
119	* Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120	* support (see RFC 4279) to OpenSSL.
121	*
122	* No patent licenses or other rights except those expressly stated in
123	* the OpenSSL open source license shall be deemed granted or received
124	* expressly, by implication, estoppel, or otherwise.
125	*
126	* No assurances are provided by Nokia that the Contribution does not
127	* infringe the patent or other intellectual property rights of any third
128	* party or that the license provides you with all the necessary rights
129	* to make use of the Contribution.
130	*
131	* THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132	* ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133	* SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134	* OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
135	* OTHERWISE.
136	*/
137
138	#include <sys/types.h>
139	#include <sys/socket.h>
140
141	#include <netinet/in.h>
142
143	#include <assert.h>
144	#include <ctype.h>
145	#include <limits.h>
146	#include <netdb.h>
147	#include <stdio.h>
148	#include <stdlib.h>
149	#include <string.h>
150	#include <unistd.h>
151	#include <poll.h>
152
153	#include "apps.h"
154
155	#include <openssl/bn.h>
156	#include <openssl/err.h>
157	#include <openssl/ocsp.h>
158	#include <openssl/pem.h>
159	#include <openssl/ssl.h>
160	#include <openssl/x509.h>
161
162	#include "s_apps.h"
163	#include "timeouts.h"
164
165	/#define SSL_HOST_NAME "www.netscape.com" /
166	/#define SSL_HOST_NAME "193.118.187.102" /
167	#define SSL_HOST_NAME"localhost" "localhost"
168
169	/#define TEST_CERT "client.pem" //* no default cert. */
170
171	#define BUFSIZZ10248 10248
172
173	static void sc_usage(void);
174	static void print_stuff(BIO berr, SSL con, int full);
175	static int ocsp_resp_cb(SSL s, void arg);
176	static int ssl_servername_cb(SSL s, int ad, void *arg);
177
178	enum {
179	PROTO_OFF = 0,
180	PROTO_SMTP,
181	PROTO_LMTP,
182	PROTO_POP3,
183	PROTO_IMAP,
184	PROTO_FTP,
185	PROTO_XMPP,
186	};
187
188	/* This is a context that we pass to callbacks */
189	typedef struct tlsextctx_st {
190	BIO *biodebug;
191	int ack;
192	} tlsextctx;
193
194	static struct {
195	int af;
196	char *alpn_in;
197	int bugs;
198	char *CAfile;
199	char *CApath;
200	char *cert_file;
201	int cert_format;
202	char *cipher;
203	unsigned int clr;
204	char *connect;
205	int crlf;
206	int debug;
207	int enable_timeouts;
208	const char *errstr;
209	char *groups_in;
210	char *host;
211	int ign_eof;
212	char *key_file;
213	int key_format;
214	char *keymatexportlabel;
215	int keymatexportlen;
216	uint16_t max_version;
217	uint16_t min_version;
218	const SSL_METHOD *meth;
219	int msg;
220	int nbio;
221	int nbio_test;
222	int no_servername;
223	char *npn_in;
224	unsigned int off;
225	char *passarg;
226	int pause;
227	int peekaboo;
228	char *port;
229	int prexit;
230	char *proxy;
231	int quiet;
232	int reconnect;
233	char *servername;
234	char *sess_in;
235	char *sess_out;
236	int showcerts;
237	int socket_type;
238	long socket_mtu;
239	#ifndef OPENSSL_NO_SRTP
240	char *srtp_profiles;
241	#endif
242	int starttls_proto;
243	int state;
244	int status_req;
245	int tlsextdebug;
246	int verify;
247	X509_VERIFY_PARAM *vpm;
248	char *xmpphost;
249	} s_client_config;
250
251	static int
252	s_client_opt_keymatexportlen(char *arg)
253	{
254	s_client_config.keymatexportlen = strtonum(arg, 1, INT_MAX2147483647,
255	&s_client_config.errstr);
256	if (s_client_config.errstr != NULL((void*)0)) {
257	BIO_printf(bio_err, "invalid argument %s: %s\n",
258	arg, s_client_config.errstr);
259	return (1);
260	}
261	return (0);
262	}
263
264	#ifndef OPENSSL_NO_DTLS
265	static int
266	s_client_opt_mtu(char *arg)
267	{
268	s_client_config.socket_mtu = strtonum(arg, 0, LONG_MAX9223372036854775807L,
269	&s_client_config.errstr);
270	if (s_client_config.errstr != NULL((void*)0)) {
271	BIO_printf(bio_err, "invalid argument %s: %s\n",
272	arg, s_client_config.errstr);
273	return (1);
274	}
275	return (0);
276	}
277	#endif
278
279	static int
280	s_client_opt_port(char *arg)
281	{
282	if (*arg == '\0')
283	return (1);
284
285	s_client_config.port = arg;
286	return (0);
287	}
288
289	#ifndef OPENSSL_NO_DTLS
290	static int
291	s_client_opt_protocol_version_dtls(void)
292	{
293	s_client_config.meth = DTLS_client_method();
294	s_client_config.socket_type = SOCK_DGRAM2;
295	return (0);
296	}
297	#endif
298
299	#ifndef OPENSSL_NO_DTLS1
300	static int
301	s_client_opt_protocol_version_dtls1(void)
302	{
303	s_client_config.meth = DTLS_client_method();
304	s_client_config.min_version = DTLS1_VERSION0xFEFF;
305	s_client_config.max_version = DTLS1_VERSION0xFEFF;
306	s_client_config.socket_type = SOCK_DGRAM2;
307	return (0);
308	}
309	#endif
310
311	#ifndef OPENSSL_NO_DTLS1_2
312	static int
313	s_client_opt_protocol_version_dtls1_2(void)
314	{
315	s_client_config.meth = DTLS_client_method();
316	s_client_config.min_version = DTLS1_2_VERSION0xFEFD;
317	s_client_config.max_version = DTLS1_2_VERSION0xFEFD;
318	s_client_config.socket_type = SOCK_DGRAM2;
319	return (0);
320	}
321	#endif
322
323	static int
324	s_client_opt_protocol_version_tls1(void)
325	{
326	s_client_config.min_version = TLS1_VERSION0x0301;
327	s_client_config.max_version = TLS1_VERSION0x0301;
328	return (0);
329	}
330
331	static int
332	s_client_opt_protocol_version_tls1_1(void)
333	{
334	s_client_config.min_version = TLS1_1_VERSION0x0302;
335	s_client_config.max_version = TLS1_1_VERSION0x0302;
336	return (0);
337	}
338
339	static int
340	s_client_opt_protocol_version_tls1_2(void)
341	{
342	s_client_config.min_version = TLS1_2_VERSION0x0303;
343	s_client_config.max_version = TLS1_2_VERSION0x0303;
344	return (0);
345	}
346
347	static int
348	s_client_opt_protocol_version_tls1_3(void)
349	{
350	s_client_config.min_version = TLS1_3_VERSION0x0304;
351	s_client_config.max_version = TLS1_3_VERSION0x0304;
352	return (0);
353	}
354
355	static int
356	s_client_opt_quiet(void)
357	{
358	s_client_config.quiet = 1;
359	s_client_config.ign_eof = 1;
360	return (0);
361	}
362
363	static int
364	s_client_opt_starttls(char *arg)
365	{
366	if (strcmp(arg, "smtp") == 0)
367	s_client_config.starttls_proto = PROTO_SMTP;
368	else if (strcmp(arg, "lmtp") == 0)
369	s_client_config.starttls_proto = PROTO_LMTP;
370	else if (strcmp(arg, "pop3") == 0)
371	s_client_config.starttls_proto = PROTO_POP3;
372	else if (strcmp(arg, "imap") == 0)
373	s_client_config.starttls_proto = PROTO_IMAP;
374	else if (strcmp(arg, "ftp") == 0)
375	s_client_config.starttls_proto = PROTO_FTP;
376	else if (strcmp(arg, "xmpp") == 0)
377	s_client_config.starttls_proto = PROTO_XMPP;
378	else
379	return (1);
380	return (0);
381	}
382
383	static int
384	s_client_opt_verify(char *arg)
385	{
386	s_client_config.verify = SSL_VERIFY_PEER0x01;
387
388	verify_depth = strtonum(arg, 0, INT_MAX2147483647, &s_client_config.errstr);
389	if (s_client_config.errstr != NULL((void*)0)) {
390	BIO_printf(bio_err, "invalid argument %s: %s\n",
391	arg, s_client_config.errstr);
392	return (1);
393	}
394	BIO_printf(bio_err, "verify depth is %d\n", verify_depth);
395	return (0);
396	}
397
398	static int
399	s_client_opt_verify_param(int argc, char *argv, int argsused)
400	{
401	char **pargs = argv;
402	int pargc = argc;
403	int badarg = 0;
404
405	if (!args_verify(&pargs, &pargc, &badarg, bio_err,
406	&s_client_config.vpm)) {
407	BIO_printf(bio_err, "unknown option %s\n", *argv);
408	return (1);
409	}
410	if (badarg)
411	return (1);
412
413	*argsused = argc - pargc;
414	return (0);
415	}
416
417	static const struct option s_client_options[] = {
418	{
419	.name = "4",
420	.desc = "Use IPv4 only",
421	.type = OPTION_VALUE,
422	.opt.value = &s_client_config.af,
423	.value = AF_INET2,
424	},
425	{
426	.name = "6",
427	.desc = "Use IPv6 only",
428	.type = OPTION_VALUE,
429	.opt.value = &s_client_config.af,
430	.value = AF_INET624,
431	},
432	{
433	.name = "alpn",
434	.argname = "protocols",
435	.desc = "Set the advertised protocols for ALPN"
436	" (comma-separated list)",
437	.type = OPTION_ARG,
438	.opt.arg = &s_client_config.alpn_in,
439	},
440	{
441	.name = "bugs",
442	.desc = "Enable various workarounds for buggy implementations",
443	.type = OPTION_FLAG,
444	.opt.flag = &s_client_config.bugs,
445	},
446	{
447	.name = "CAfile",
448	.argname = "file",
449	.desc = "PEM format file of CA certificates",
450	.type = OPTION_ARG,
451	.opt.arg = &s_client_config.CAfile,
452	},
453	{
454	.name = "CApath",
455	.argname = "directory",
456	.desc = "PEM format directory of CA certificates",
457	.type = OPTION_ARG,
458	.opt.arg = &s_client_config.CApath,
459	},
460	{
461	.name = "cert",
462	.argname = "file",
463	.desc = "Certificate file to use, PEM format assumed",
464	.type = OPTION_ARG,
465	.opt.arg = &s_client_config.cert_file,
466	},
467	{
468	.name = "certform",
469	.argname = "fmt",
470	.desc = "Certificate format (PEM or DER) PEM default",
471	.type = OPTION_ARG_FORMAT,
472	.opt.value = &s_client_config.cert_format,
473	},
474	{
475	.name = "cipher",
476	.argname = "cipherlist",
477	.desc = "Preferred cipher to use (see 'openssl ciphers')",
478	.type = OPTION_ARG,
479	.opt.arg = &s_client_config.cipher,
480	},
481	{
482	.name = "connect",
483	.argname = "host:port",
484	.desc = "Who to connect to (default is localhost:4433)",
485	.type = OPTION_ARG,
486	.opt.arg = &s_client_config.connect,
487	},
488	{
489	.name = "crlf",
490	.desc = "Convert LF from terminal into CRLF",
491	.type = OPTION_FLAG,
492	.opt.flag = &s_client_config.crlf,
493	},
494	{
495	.name = "debug",
496	.desc = "Print extensive debugging information",
497	.type = OPTION_FLAG,
498	.opt.flag = &s_client_config.debug,
499	},
500	#ifndef OPENSSL_NO_DTLS
501	{
502	.name = "dtls",
503	.desc = "Use any version of DTLS",
504	.type = OPTION_FUNC,
505	.opt.func = s_client_opt_protocol_version_dtls,
506	},
507	#endif
508	#ifndef OPENSSL_NO_DTLS1
509	{
510	.name = "dtls1",
511	.desc = "Just use DTLSv1",
512	.type = OPTION_FUNC,
513	.opt.func = s_client_opt_protocol_version_dtls1,
514	},
515	#endif
516	#ifndef OPENSSL_NO_DTLS1_2
517	{
518	.name = "dtls1_2",
519	.desc = "Just use DTLSv1.2",
520	.type = OPTION_FUNC,
521	.opt.func = s_client_opt_protocol_version_dtls1_2,
522	},
523	#endif
524	{
525	.name = "groups",
526	.argname = "list",
527	.desc = "Specify EC groups (colon-separated list)",
528	.type = OPTION_ARG,
529	.opt.arg = &s_client_config.groups_in,
530	},
531	{
532	.name = "host",
533	.argname = "host",
534	.desc = "Use -connect instead",
535	.type = OPTION_ARG,
536	.opt.arg = &s_client_config.host,
537	},
538	{
539	.name = "ign_eof",
540	.desc = "Ignore input EOF (default when -quiet)",
541	.type = OPTION_VALUE,
542	.opt.value = &s_client_config.ign_eof,
543	.value = 1,
544	},
545	{
546	.name = "key",
547	.argname = "file",
548	.desc = "Private key file to use, if not, -cert file is used",
549	.type = OPTION_ARG,
550	.opt.arg = &s_client_config.key_file,
551	},
552	{
553	.name = "keyform",
554	.argname = "fmt",
555	.desc = "Key format (PEM or DER) PEM default",
556	.type = OPTION_ARG_FORMAT,
557	.opt.value = &s_client_config.key_format,
558	},
559	{
560	.name = "keymatexport",
561	.argname = "label",
562	.desc = "Export keying material using label",
563	.type = OPTION_ARG,
564	.opt.arg = &s_client_config.keymatexportlabel,
565	},
566	{
567	.name = "keymatexportlen",
568	.argname = "len",
569	.desc = "Export len bytes of keying material (default 20)",
570	.type = OPTION_ARG_FUNC,
571	.opt.argfunc = s_client_opt_keymatexportlen,
572	},
573	{
574	.name = "legacy_renegotiation",
575	.type = OPTION_DISCARD,
576	},
577	{
578	.name = "legacy_server_connect",
579	.desc = "Allow initial connection to servers that don't support RI",
580	.type = OPTION_VALUE_OR,
581	.opt.value = &s_client_config.off,
582	.value = SSL_OP_LEGACY_SERVER_CONNECT0x00000004L,
583	},
584	{
585	.name = "msg",
586	.desc = "Show all protocol messages with hex dump",
587	.type = OPTION_FLAG,
588	.opt.flag = &s_client_config.msg,
589	},
590	#ifndef OPENSSL_NO_DTLS
591	{
592	.name = "mtu",
593	.argname = "mtu",
594	.desc = "Set the link layer MTU on DTLS connections",
595	.type = OPTION_ARG_FUNC,
596	.opt.argfunc = s_client_opt_mtu,
597	},
598	#endif
599	{
600	.name = "nbio",
601	.desc = "Turn on non-blocking I/O",
602	.type = OPTION_FLAG,
603	.opt.flag = &s_client_config.nbio,
604	},
605	{
606	.name = "nbio_test",
607	.desc = "Test non-blocking I/O",
608	.type = OPTION_FLAG,
609	.opt.flag = &s_client_config.nbio_test,
610	},
611	{
612	.name = "nextprotoneg",
613	.argname = "protocols",
614	.type = OPTION_ARG,
615	.opt.arg = &s_client_config.npn_in, /* Ignored. */
616	},
617	{
618	.name = "no_comp",
619	.type = OPTION_VALUE_OR,
620	.opt.value = &s_client_config.off,
621	.value = SSL_OP_NO_COMPRESSION0x0,
622	},
623	{
624	.name = "no_ign_eof",
625	.desc = "Don't ignore input EOF",
626	.type = OPTION_VALUE,
627	.opt.value = &s_client_config.ign_eof,
628	.value = 0,
629	},
630	{
631	.name = "no_legacy_server_connect",
632	.desc = "Disallow initial connection to servers that don't support RI",
633	.type = OPTION_VALUE_OR,
634	.opt.value = &s_client_config.clr,
635	.value = SSL_OP_LEGACY_SERVER_CONNECT0x00000004L,
636	},
637	{
638	.name = "no_servername",
639	.desc = "Do not send a Server Name Indication (SNI) extension",
640	.type = OPTION_FLAG,
641	.opt.value = &s_client_config.no_servername,
642	},
643	{
644	.name = "no_ssl2",
645	.type = OPTION_VALUE_OR,
646	.opt.value = &s_client_config.off,
647	.value = SSL_OP_NO_SSLv20x0,
648	},
649	{
650	.name = "no_ssl3",
651	.type = OPTION_VALUE_OR,
652	.opt.value = &s_client_config.off,
653	.value = SSL_OP_NO_SSLv30x0,
654	},
655	{
656	.name = "no_ticket",
657	.desc = "Disable use of RFC4507 session ticket support",
658	.type = OPTION_VALUE_OR,
659	.opt.value = &s_client_config.off,
660	.value = SSL_OP_NO_TICKET0x00004000L,
661	},
662	{
663	.name = "no_tls1",
664	.desc = "Disable the use of TLSv1",
665	.type = OPTION_VALUE_OR,
666	.opt.value = &s_client_config.off,
667	.value = SSL_OP_NO_TLSv10x04000000L,
668	},
669	{
670	.name = "no_tls1_1",
671	.desc = "Disable the use of TLSv1.1",
672	.type = OPTION_VALUE_OR,
673	.opt.value = &s_client_config.off,
674	.value = SSL_OP_NO_TLSv1_10x10000000L,
675	},
676	{
677	.name = "no_tls1_2",
678	.desc = "Disable the use of TLSv1.2",
679	.type = OPTION_VALUE_OR,
680	.opt.value = &s_client_config.off,
681	.value = SSL_OP_NO_TLSv1_20x08000000L,
682	},
683	{
684	.name = "no_tls1_3",
685	.desc = "Disable the use of TLSv1.3",
686	.type = OPTION_VALUE_OR,
687	.opt.value = &s_client_config.off,
688	.value = SSL_OP_NO_TLSv1_30x20000000L,
689	},
690	{
691	.name = "noservername",
692	.type = OPTION_FLAG,
693	.opt.value = &s_client_config.no_servername,
694	},
695	{
696	.name = "pass",
697	.argname = "arg",
698	.desc = "Private key file pass phrase source",
699	.type = OPTION_ARG,
700	.opt.arg = &s_client_config.passarg,
701	},
702	{
703	.name = "pause",
704	.desc = "Pause 1 second between each read and write call",
705	.type = OPTION_FLAG,
706	.opt.flag = &s_client_config.pause,
707	},
708	{
709	.name = "peekaboo",
710	.type = OPTION_FLAG,
711	.opt.flag = &s_client_config.peekaboo,
712	},
713	{
714	.name = "port",
715	.argname = "port",
716	.desc = "Use -connect instead",
717	.type = OPTION_ARG_FUNC,
718	.opt.argfunc = s_client_opt_port,
719	},
720	{
721	.name = "prexit",
722	.desc = "Print session information when the program exits",
723	.type = OPTION_FLAG,
724	.opt.flag = &s_client_config.prexit,
725	},
726	{
727	.name = "proxy",
728	.argname = "host:port",
729	.desc = "Connect to http proxy",
730	.type = OPTION_ARG,
731	.opt.arg = &s_client_config.proxy,
732	},
733	{
734	.name = "quiet",
735	.desc = "Inhibit printing of session and certificate info",
736	.type = OPTION_FUNC,
737	.opt.func = s_client_opt_quiet,
738	},
739	{
740	.name = "reconnect",
741	.desc = "Drop and re-make the connection with the same Session-ID",
742	.type = OPTION_VALUE,
743	.opt.value = &s_client_config.reconnect,
744	.value = 5,
745	},
746	{
747	.name = "servername",
748	.argname = "name",
749	.desc = "Set TLS extension servername in ClientHello (SNI)",
750	.type = OPTION_ARG,
751	.opt.arg = &s_client_config.servername,
752	},
753	{
754	.name = "serverpref",
755	.desc = "Use server's cipher preferences",
756	.type = OPTION_VALUE_OR,
757	.opt.value = &s_client_config.off,
758	.value = SSL_OP_CIPHER_SERVER_PREFERENCE0x00400000L,
759	},
760	{
761	.name = "sess_in",
762	.argname = "file",
763	.desc = "File to read TLS session from",
764	.type = OPTION_ARG,
765	.opt.arg = &s_client_config.sess_in,
766	},
767	{
768	.name = "sess_out",
769	.argname = "file",
770	.desc = "File to write TLS session to",
771	.type = OPTION_ARG,
772	.opt.arg = &s_client_config.sess_out,
773	},
774	{
775	.name = "showcerts",
776	.desc = "Show all server certificates in the chain",
777	.type = OPTION_FLAG,
778	.opt.flag = &s_client_config.showcerts,
779	},
780	{
781	.name = "starttls",
782	.argname = "protocol",
783	.desc = "Use the STARTTLS command before starting TLS,\n"
784	"smtp, lmtp, pop3, imap, ftp and xmpp are supported.",
785	.type = OPTION_ARG_FUNC,
786	.opt.argfunc = s_client_opt_starttls,
787	},
788	{
789	.name = "state",
790	.desc = "Print the TLS session states",
791	.type = OPTION_FLAG,
792	.opt.flag = &s_client_config.state,
793	},
794	{
795	.name = "status",
796	.desc = "Send a certificate status request to the server (OCSP)",
797	.type = OPTION_FLAG,
798	.opt.flag = &s_client_config.status_req,
799	},
800	#ifndef OPENSSL_NO_DTLS
801	{
802	.name = "timeout",
803	.desc = "Enable send/receive timeout on DTLS connections",
804	.type = OPTION_FLAG,
805	.opt.flag = &s_client_config.enable_timeouts,
806	},
807	#endif
808	{
809	.name = "tls1",
810	.desc = "Just use TLSv1",
811	.type = OPTION_FUNC,
812	.opt.func = s_client_opt_protocol_version_tls1,
813	},
814	{
815	.name = "tls1_1",
816	.desc = "Just use TLSv1.1",
817	.type = OPTION_FUNC,
818	.opt.func = s_client_opt_protocol_version_tls1_1,
819	},
820	{
821	.name = "tls1_2",
822	.desc = "Just use TLSv1.2",
823	.type = OPTION_FUNC,
824	.opt.func = s_client_opt_protocol_version_tls1_2,
825	},
826	{
827	.name = "tls1_3",
828	.desc = "Just use TLSv1.3",
829	.type = OPTION_FUNC,
830	.opt.func = s_client_opt_protocol_version_tls1_3,
831	},
832	{
833	.name = "tlsextdebug",
834	.desc = "Hex dump of all TLS extensions received",
835	.type = OPTION_FLAG,
836	.opt.flag = &s_client_config.tlsextdebug,
837	},
838	#ifndef OPENSSL_NO_SRTP
839	{
840	.name = "use_srtp",
841	.argname = "profiles",
842	.desc = "Offer SRTP key management with a colon-separated profiles",
843	.type = OPTION_ARG,
844	.opt.arg = &s_client_config.srtp_profiles,
845	},
846	#endif
847	{
848	.name = "verify",
849	.argname = "depth",
850	.desc = "Turn on peer certificate verification, with a max of depth",
851	.type = OPTION_ARG_FUNC,
852	.opt.argfunc = s_client_opt_verify,
853	},
854	{
855	.name = "verify_return_error",
856	.desc = "Return verification error",
857	.type = OPTION_FLAG,
858	.opt.flag = &verify_return_error,
859	},
860	{
861	.name = "xmpphost",
862	.argname = "host",
863	.desc = "Connect to this virtual host on the xmpp server",
864	.type = OPTION_ARG,
865	.opt.arg = &s_client_config.xmpphost,
866	},
867	{
868	.name = NULL((void*)0),
869	.desc = "",
870	.type = OPTION_ARGV_FUNC,
871	.opt.argvfunc = s_client_opt_verify_param,
872	},
873	{ NULL((void*)0) },
874	};
875
876	static void
877	sc_usage(void)
878	{
879	fprintf(stderr(&__sF[2]), "usage: s_client "
880	"[-4 \| -6] [-alpn protocols] [-bugs] [-CAfile file]\n"
881	" [-CApath directory] [-cert file] [-certform der \| pem] [-check_ss_sig]\n"
882	" [-cipher cipherlist] [-connect host[:port]] [-crl_check]\n"
883	" [-crl_check_all] [-crlf] [-debug] [-dtls] [-dtls1] [-dtls1_2] [-extended_crl]\n"
884	" [-groups list] [-host host] [-ign_eof] [-ignore_critical]\n"
885	" [-issuer_checks] [-key keyfile] [-keyform der \| pem]\n"
886	" [-keymatexport label] [-keymatexportlen len] [-legacy_server_connect]\n"
887	" [-msg] [-mtu mtu] [-nbio] [-nbio_test] [-no_comp] [-no_ign_eof]\n"
888	" [-no_legacy_server_connect] [-no_ticket] [-no_tls1] [-no_tls1_1]\n"
889	" [-no_tls1_2] [-no_tls1_3] [-pass arg] [-pause] [-policy_check]\n"
890	" [-port port] [-prexit] [-proxy host:port] [-quiet] [-reconnect]\n"
891	" [-servername name] [-serverpref] [-sess_in file] [-sess_out file]\n"
892	" [-showcerts] [-starttls protocol] [-state] [-status] [-timeout]\n"
893	" [-tls1] [-tls1_1] [-tls1_2] [-tls1_3] [-tlsextdebug]\n"
894	" [-use_srtp profiles] [-verify depth] [-verify_return_error]\n"
895	" [-x509_strict] [-xmpphost host]\n");
896	fprintf(stderr(&__sF[2]), "\n");
897	options_usage(s_client_options);
898	fprintf(stderr(&__sF[2]), "\n");
899	}
900
901	int
902	s_client_main(int argc, char **argv)
903	{
904	SSL con = NULL((void)0);
905	int s, k, p = 0, pending = 0;
906	char cbuf = NULL((void)0), sbuf = NULL((void)0), mbuf = NULL((void)0), pbuf = NULL((void)0);
907	int cbuf_len, cbuf_off;
908	int sbuf_len, sbuf_off;
909	int full_log = 1;
910	const char *servername;
911	char pass = NULL((void)0);
912	X509 cert = NULL((void)0);
913	EVP_PKEY key = NULL((void)0);
914	int badop = 0;
915	int write_tty, read_tty, write_ssl, read_ssl, tty_on, ssl_pending;
916	SSL_CTX ctx = NULL((void)0);
917	int ret = 1, in_init = 1, i;
918	BIO bio_c_out = NULL((void)0);
919	BIO *sbio;
920	int mbuf_len = 0;
921	struct timeval timeout;
922	tlsextctx tlsextcbp = {NULL((void*)0), 0};
923	struct sockaddr_storage peer;
924	int peerlen = sizeof(peer);
925
926	if (single_execution) {
927	if (pledge("stdio cpath wpath rpath inet dns tty", NULL((void*)0)) == -1) {
928	perror("pledge");
929	exit(1);
930	}
931	}
932
933	memset(&s_client_config, 0, sizeof(s_client_config));
934	s_client_config.af = AF_UNSPEC0;
935	s_client_config.cert_format = FORMAT_PEM3;
936	s_client_config.host = SSL_HOST_NAME"localhost";
937	s_client_config.key_format = FORMAT_PEM3;
938	s_client_config.keymatexportlen = 20;
939	s_client_config.meth = TLS_client_method();
940	s_client_config.port = PORT_STR"4433";
941	s_client_config.socket_type = SOCK_STREAM1;
942	s_client_config.starttls_proto = PROTO_OFF;
943	s_client_config.verify = SSL_VERIFY_NONE0x00;
944
945	if (((cbuf = malloc(BUFSIZZ10248)) == NULL((void)0)) \|\|
946	((sbuf = malloc(BUFSIZZ10248)) == NULL((void)0)) \|\|
947	((pbuf = malloc(BUFSIZZ10248)) == NULL((void)0)) \|\|
948	((mbuf = malloc(BUFSIZZ10248 + 1)) == NULL((void)0))) { /* NUL byte */
949	BIO_printf(bio_err, "out of memory\n");
950	goto end;
951	}
952	verify_depth = 0;
953
954	if (options_parse(argc, argv, s_client_options, NULL((void)0), NULL((void)0)) != 0) {
955	badop = 1;
	Value stored to 'badop' is never read
956	goto bad;
957	}
958	if (s_client_config.proxy != NULL((void*)0)) {
959	if (!extract_host_port(s_client_config.proxy,
960	&s_client_config.host, NULL((void*)0), &s_client_config.port))
961	goto bad;
962	if (s_client_config.connect == NULL((void*)0))
963	s_client_config.connect = SSL_HOST_NAME"localhost";
964	} else if (s_client_config.connect != NULL((void*)0)) {
965	if (!extract_host_port(s_client_config.connect,
966	&s_client_config.host, NULL((void*)0), &s_client_config.port))
967	goto bad;
968	}
969	if (badop) {
970	bad:
971	if (s_client_config.errstr == NULL((void*)0))
972	sc_usage();
973	goto end;
974	}
975
976	if (!app_passwd(bio_err, s_client_config.passarg, NULL((void)0), &pass, NULL((void)0))) {
977	BIO_printf(bio_err, "Error getting password\n");
978	goto end;
979	}
980	if (s_client_config.key_file == NULL((void*)0))
981	s_client_config.key_file = s_client_config.cert_file;
982
983
984	if (s_client_config.key_file) {
985
986	key = load_key(bio_err, s_client_config.key_file,
987	s_client_config.key_format, 0, pass,
988	"client certificate private key file");
989	if (!key) {
990	ERR_print_errors(bio_err);
991	goto end;
992	}
993	}
994	if (s_client_config.cert_file) {
995	cert = load_cert(bio_err, s_client_config.cert_file,
996	s_client_config.cert_format,
997	NULL((void*)0), "client certificate file");
998
999	if (!cert) {
1000	ERR_print_errors(bio_err);
1001	goto end;
1002	}
1003	}
1004	if (s_client_config.quiet && !s_client_config.debug &&
1005	!s_client_config.msg) {
1006	if ((bio_c_out = BIO_new(BIO_s_null())) == NULL((void*)0))
1007	goto end;
1008	} else {
1009	if ((bio_c_out = BIO_new_fp(stdout(&__sF[1]), BIO_NOCLOSE0x00)) == NULL((void*)0))
1010	goto end;
1011	}
1012
1013	ctx = SSL_CTX_new(s_client_config.meth);
1014	if (ctx == NULL((void*)0)) {
1015	ERR_print_errors(bio_err);
1016	goto end;
1017	}
1018
1019	SSL_CTX_clear_mode(ctx, SSL_MODE_AUTO_RETRY)SSL_CTX_ctrl((ctx),78,(0x00000004L),((void*)0));
1020
1021	if (s_client_config.vpm)
1022	SSL_CTX_set1_param(ctx, s_client_config.vpm);
1023
1024	if (!SSL_CTX_set_min_proto_version(ctx, s_client_config.min_version))
1025	goto end;
1026	if (!SSL_CTX_set_max_proto_version(ctx, s_client_config.max_version))
1027	goto end;
1028
1029	#ifndef OPENSSL_NO_SRTP
1030	if (s_client_config.srtp_profiles != NULL((void*)0))
1031	SSL_CTX_set_tlsext_use_srtp(ctx, s_client_config.srtp_profiles);
1032	#endif
1033	if (s_client_config.bugs)
1034	SSL_CTX_set_options(ctx, SSL_OP_ALL \| s_client_config.off)SSL_CTX_ctrl((ctx),32,((0x00000004L) \| s_client_config.off),( (void*)0));
1035	else
1036	SSL_CTX_set_options(ctx, s_client_config.off)SSL_CTX_ctrl((ctx),32,(s_client_config.off),((void*)0));
1037
1038	if (s_client_config.clr)
1039	SSL_CTX_clear_options(ctx, s_client_config.clr)SSL_CTX_ctrl((ctx),77,(s_client_config.clr),((void*)0));
1040
1041	if (s_client_config.alpn_in) {
1042	unsigned short alpn_len;
1043	unsigned char *alpn;
1044
1045	alpn = next_protos_parse(&alpn_len, s_client_config.alpn_in);
1046	if (alpn == NULL((void*)0)) {
1047	BIO_printf(bio_err, "Error parsing -alpn argument\n");
1048	goto end;
1049	}
1050	SSL_CTX_set_alpn_protos(ctx, alpn, alpn_len);
1051	free(alpn);
1052	}
1053	if (s_client_config.groups_in != NULL((void*)0)) {
1054	if (SSL_CTX_set1_groups_list(ctx, s_client_config.groups_in) != 1) {
1055	BIO_printf(bio_err, "Failed to set groups '%s'\n",
1056	s_client_config.groups_in);
1057	goto end;
1058	}
1059	}
1060
1061	if (s_client_config.state)
1062	SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback);
1063	if (s_client_config.cipher != NULL((void*)0))
1064	if (!SSL_CTX_set_cipher_list(ctx, s_client_config.cipher)) {
1065	BIO_printf(bio_err, "error setting cipher list\n");
1066	ERR_print_errors(bio_err);
1067	goto end;
1068	}
1069
1070	SSL_CTX_set_verify(ctx, s_client_config.verify, verify_callback);
1071	if (!set_cert_key_stuff(ctx, cert, key))
1072	goto end;
1073
1074	if ((s_client_config.CAfile \|\| s_client_config.CApath)
1075	&& !SSL_CTX_load_verify_locations(ctx, s_client_config.CAfile,
1076	s_client_config.CApath))
1077	ERR_print_errors(bio_err);
1078
1079	if (!SSL_CTX_set_default_verify_paths(ctx))
1080	ERR_print_errors(bio_err);
1081
1082	con = SSL_new(ctx);
1083	if (s_client_config.sess_in) {
1084	SSL_SESSION *sess;
1085	BIO *stmp = BIO_new_file(s_client_config.sess_in, "r");
1086	if (!stmp) {
1087	BIO_printf(bio_err, "Can't open session file %s\n",
1088	s_client_config.sess_in);
1089	ERR_print_errors(bio_err);
1090	goto end;
1091	}
1092	sess = PEM_read_bio_SSL_SESSION(stmp, NULL((void)0), 0, NULL((void)0));
1093	BIO_free(stmp);
1094	if (!sess) {
1095	BIO_printf(bio_err, "Can't open session file %s\n",
1096	s_client_config.sess_in);
1097	ERR_print_errors(bio_err);
1098	goto end;
1099	}
1100	SSL_set_session(con, sess);
1101	SSL_SESSION_free(sess);
1102	}
1103
1104	/* Attempt to opportunistically use the host name for SNI. */
1105	servername = s_client_config.servername;
1106	if (servername == NULL((void*)0))
1107	servername = s_client_config.host;
1108
1109	if (!s_client_config.no_servername && servername != NULL((void*)0) &&
1110	!SSL_set_tlsext_host_name(con, servername)SSL_ctrl(con,55,0,(char *)servername)) {
1111	long ssl_err = ERR_peek_error();
1112
1113	if (s_client_config.servername != NULL((void*)0) \|\|
1114	ERR_GET_LIB(ssl_err)(int)((((unsigned long)ssl_err)>>24L)&0xffL) != ERR_LIB_SSL20 \|\|
1115	ERR_GET_REASON(ssl_err)(int)((ssl_err)&0xfffL) != SSL_R_SSL3_EXT_INVALID_SERVERNAME319) {
1116	BIO_printf(bio_err,
1117	"Unable to set TLS servername extension.\n");
1118	ERR_print_errors(bio_err);
1119	goto end;
1120	}
1121	servername = NULL((void*)0);
1122	ERR_clear_error();
1123	}
1124	if (!s_client_config.no_servername && servername != NULL((void*)0)) {
1125	tlsextcbp.biodebug = bio_err;
1126	SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb)SSL_CTX_callback_ctrl(ctx,53,(void (*)(void))ssl_servername_cb );
1127	SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp)SSL_CTX_ctrl(ctx,54,0, (void *)&tlsextcbp);
1128	}
1129
1130	re_start:
1131
1132	if (init_client(&s, s_client_config.host, s_client_config.port,
1133	s_client_config.socket_type, s_client_config.af) == 0) {
1134	BIO_printf(bio_err, "connect:errno=%d\n", errno(*__errno()));
1135	goto end;
1136	}
1137	BIO_printf(bio_c_out, "CONNECTED(%08X)\n", s);
1138
1139	if (s_client_config.nbio) {
1140	if (!s_client_config.quiet)
1141	BIO_printf(bio_c_out, "turning on non blocking io\n");
1142	if (!BIO_socket_nbio(s, 1)) {
1143	ERR_print_errors(bio_err);
1144	goto end;
1145	}
1146	}
1147	if (s_client_config.pause & 0x01)
1148	SSL_set_debug(con, 1);
1149
1150	if (SSL_is_dtls(con)) {
1151	sbio = BIO_new_dgram(s, BIO_NOCLOSE0x00);
1152	if (getsockname(s, (struct sockaddr *)&peer,
1153	(void *)&peerlen) == -1) {
1154	BIO_printf(bio_err, "getsockname:errno=%d\n",
1155	errno(*__errno()));
1156	shutdown(s, SHUT_RD0);
1157	close(s);
1158	goto end;
1159	}
1160	(void) BIO_ctrl_set_connected(sbio, 1, &peer)(int)BIO_ctrl(sbio, 32, 1, (char *)&peer);
1161
1162	if (s_client_config.enable_timeouts) {
1163	timeout.tv_sec = 0;
1164	timeout.tv_usec = DGRAM_RCV_TIMEOUT250000;
1165	BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT33, 0,
1166	&timeout);
1167
1168	timeout.tv_sec = 0;
1169	timeout.tv_usec = DGRAM_SND_TIMEOUT250000;
1170	BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT35, 0,
1171	&timeout);
1172	}
1173	if (s_client_config.socket_mtu > 28) {
1174	SSL_set_options(con, SSL_OP_NO_QUERY_MTU)SSL_ctrl((con),32,(0x00001000L),((void*)0));
1175	SSL_set_mtu(con, s_client_config.socket_mtu - 28)SSL_ctrl((con),17,(s_client_config.socket_mtu - 28),((void*)0 ));
1176	} else
1177	/* want to do MTU discovery */
1178	BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER39, 0, NULL((void*)0));
1179	} else
1180	sbio = BIO_new_socket(s, BIO_NOCLOSE0x00);
1181
1182	if (s_client_config.nbio_test) {
1183	BIO *test;
1184
1185	test = BIO_new(BIO_f_nbio_test());
1186	sbio = BIO_push(test, sbio);
1187	}
1188	if (s_client_config.debug) {
1189	SSL_set_debug(con, 1);
1190	BIO_set_callback(sbio, bio_dump_callback);
1191	BIO_set_callback_arg(sbio, (char *) bio_c_out);
1192	}
1193	if (s_client_config.msg) {
1194	SSL_set_msg_callback(con, msg_cb);
1195	SSL_set_msg_callback_arg(con, bio_c_out)SSL_ctrl((con), 16, 0, (bio_c_out));
1196	}
1197	if (s_client_config.tlsextdebug) {
1198	SSL_set_tlsext_debug_callback(con, tlsext_cb)SSL_callback_ctrl(con,56,(void (*)(void))tlsext_cb);
1199	SSL_set_tlsext_debug_arg(con, bio_c_out)SSL_ctrl(con,57,0, (void *)bio_c_out);
1200	}
1201	if (s_client_config.status_req) {
1202	SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp)SSL_ctrl(con,65,1, ((void*)0));
1203	SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb)SSL_CTX_callback_ctrl(ctx,63,(void (*)(void))ocsp_resp_cb);
1204	SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out)SSL_CTX_ctrl(ctx,64,0,(void *)bio_c_out);
1205	}
1206
1207	SSL_set_bio(con, sbio, sbio);
1208	SSL_set_connect_state(con);
1209
1210	/* ok, lets connect */
1211	read_tty = 1;
1212	write_tty = 0;
1213	tty_on = 0;
1214	read_ssl = 1;
1215	write_ssl = 1;
1216
1217	cbuf_len = 0;
1218	cbuf_off = 0;
1219	sbuf_len = 0;
1220	sbuf_off = 0;
1221
1222	/* This is an ugly hack that does a lot of assumptions */
1223	/*
1224	* We do have to handle multi-line responses which may come in a
1225	* single packet or not. We therefore have to use BIO_gets() which
1226	* does need a buffering BIO. So during the initial chitchat we do
1227	* push a buffering BIO into the chain that is removed again later on
1228	* to not disturb the rest of the s_client operation.
1229	*/
1230	if (s_client_config.starttls_proto == PROTO_SMTP \|\|
1231	s_client_config.starttls_proto == PROTO_LMTP) {
1232	int foundit = 0;
1233	BIO *fbio = BIO_new(BIO_f_buffer());
1234	BIO_push(fbio, sbio);
1235	/* wait for multi-line response to end from SMTP */
1236	do {
1237	mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ1024*8);
1238	}
1239	while (mbuf_len > 3 && mbuf[3] == '-');
1240	/* STARTTLS command requires EHLO... */
1241	BIO_printf(fbio, "%cHLO openssl.client.net\r\n",
1242	s_client_config.starttls_proto == PROTO_SMTP ? 'E' : 'L');
1243	(void) BIO_flush(fbio)(int)BIO_ctrl(fbio,11,0,((void*)0));
1244	/* wait for multi-line response to end EHLO SMTP response */
1245	do {
1246	mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ1024*8);
1247	if (strstr(mbuf, "STARTTLS"))
1248	foundit = 1;
1249	}
1250	while (mbuf_len > 3 && mbuf[3] == '-');
1251	(void) BIO_flush(fbio)(int)BIO_ctrl(fbio,11,0,((void*)0));
1252	BIO_pop(fbio);
1253	BIO_free(fbio);
1254	if (!foundit)
1255	BIO_printf(bio_err,
1256	"didn't find starttls in server response,"
1257	" try anyway...\n");
1258	BIO_printf(sbio, "STARTTLS\r\n");
1259	BIO_read(sbio, sbuf, BUFSIZZ1024*8);
1260	} else if (s_client_config.starttls_proto == PROTO_POP3) {
1261	mbuf_len = BIO_read(sbio, mbuf, BUFSIZZ1024*8);
1262	if (mbuf_len == -1) {
1263	BIO_printf(bio_err, "BIO_read failed\n");
1264	goto end;
1265	}
1266	BIO_printf(sbio, "STLS\r\n");
1267	BIO_read(sbio, sbuf, BUFSIZZ1024*8);
1268	} else if (s_client_config.starttls_proto == PROTO_IMAP) {
1269	int foundit = 0;
1270	BIO *fbio = BIO_new(BIO_f_buffer());
1271	BIO_push(fbio, sbio);
1272	BIO_gets(fbio, mbuf, BUFSIZZ1024*8);
1273	/* STARTTLS command requires CAPABILITY... */
1274	BIO_printf(fbio, ". CAPABILITY\r\n");
1275	(void) BIO_flush(fbio)(int)BIO_ctrl(fbio,11,0,((void*)0));
1276	/* wait for multi-line CAPABILITY response */
1277	do {
1278	mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ1024*8);
1279	if (strstr(mbuf, "STARTTLS"))
1280	foundit = 1;
1281	}
1282	while (mbuf_len > 3 && mbuf[0] != '.');
1283	(void) BIO_flush(fbio)(int)BIO_ctrl(fbio,11,0,((void*)0));
1284	BIO_pop(fbio);
1285	BIO_free(fbio);
1286	if (!foundit)
1287	BIO_printf(bio_err,
1288	"didn't find STARTTLS in server response,"
1289	" try anyway...\n");
1290	BIO_printf(sbio, ". STARTTLS\r\n");
1291	BIO_read(sbio, sbuf, BUFSIZZ1024*8);
1292	} else if (s_client_config.starttls_proto == PROTO_FTP) {
1293	BIO *fbio = BIO_new(BIO_f_buffer());
1294	BIO_push(fbio, sbio);
1295	/* wait for multi-line response to end from FTP */
1296	do {
1297	mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ1024*8);
1298	}
1299	while (mbuf_len > 3 && mbuf[3] == '-');
1300	(void) BIO_flush(fbio)(int)BIO_ctrl(fbio,11,0,((void*)0));
1301	BIO_pop(fbio);
1302	BIO_free(fbio);
1303	BIO_printf(sbio, "AUTH TLS\r\n");
1304	BIO_read(sbio, sbuf, BUFSIZZ1024*8);
1305	} else if (s_client_config.starttls_proto == PROTO_XMPP) {
1306	int seen = 0;
1307	BIO_printf(sbio, "<stream:stream "
1308	"xmlns:stream='http://etherx.jabber.org/streams' "
1309	"xmlns='jabber:client' to='%s' version='1.0'>",
1310	s_client_config.xmpphost ?
1311	s_client_config.xmpphost : s_client_config.host);
1312	seen = BIO_read(sbio, mbuf, BUFSIZZ1024*8);
1313
1314	if (seen <= 0)
1315	goto shut;
1316
1317	mbuf[seen] = 0;
1318	while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'") &&
1319	!strstr(mbuf, "<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\"")) {
1320	seen = BIO_read(sbio, mbuf, BUFSIZZ1024*8);
1321
1322	if (seen <= 0)
1323	goto shut;
1324
1325	mbuf[seen] = 0;
1326	}
1327	BIO_printf(sbio,
1328	"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>");
1329	seen = BIO_read(sbio, sbuf, BUFSIZZ1024*8);
1330	sbuf[seen] = 0;
1331	if (!strstr(sbuf, "<proceed"))
1332	goto shut;
1333	mbuf[0] = 0;
1334	} else if (s_client_config.proxy != NULL((void*)0)) {
1335	BIO_printf(sbio, "CONNECT %s HTTP/1.0\r\n\r\n",
1336	s_client_config.connect);
1337	mbuf_len = BIO_read(sbio, mbuf, BUFSIZZ1024*8);
1338	if (mbuf_len == -1) {
1339	BIO_printf(bio_err, "BIO_read failed\n");
1340	goto end;
1341	}
1342	}
1343	for (;;) {
1344	struct pollfd pfd[3]; /* stdin, stdout, socket */
1345	int ptimeout = -1;
1346
1347	if (SSL_is_dtls(con) && DTLSv1_get_timeout(con, &timeout)SSL_ctrl(con,73,0, (void *)&timeout))
1348	ptimeout = timeout.tv_sec * 1000 +
1349	timeout.tv_usec / 1000;
1350
1351	if (SSL_in_init(con)(SSL_state((con))&(0x1000\|0x2000)) && !SSL_total_renegotiations(con)SSL_ctrl((con),12,0,((void*)0))) {
1352	in_init = 1;
1353	tty_on = 0;
1354	} else {
1355	tty_on = 1;
1356	if (in_init) {
1357	in_init = 0;
1358	if (s_client_config.sess_out) {
1359	BIO *stmp = BIO_new_file(
1360	s_client_config.sess_out, "w");
1361	if (stmp) {
1362	PEM_write_bio_SSL_SESSION(stmp,
1363	SSL_get_session(con));
1364	BIO_free(stmp);
1365	} else
1366	BIO_printf(bio_err,
1367	"Error writing session file %s\n",
1368	s_client_config.sess_out);
1369	}
1370	print_stuff(bio_c_out, con, full_log);
1371	if (full_log > 0)
1372	full_log--;
1373
1374	if (s_client_config.starttls_proto) {
1375	BIO_write(bio_err, mbuf, mbuf_len);
1376	/* We don't need to know any more */
1377	s_client_config.starttls_proto = PROTO_OFF;
1378	}
1379	if (s_client_config.reconnect) {
1380	s_client_config.reconnect--;
1381	BIO_printf(bio_c_out,
1382	"drop connection and then reconnect\n");
1383	SSL_shutdown(con);
1384	SSL_set_connect_state(con);
1385	shutdown(SSL_get_fd(con), SHUT_RD0);
1386	close(SSL_get_fd(con));
1387	goto re_start;
1388	}
1389	}
1390	}
1391
1392	ssl_pending = read_ssl && SSL_pending(con);
1393
1394	pfd[0].fd = -1;
1395	pfd[1].fd = -1;
1396	if (!ssl_pending) {
1397	if (tty_on) {
1398	if (read_tty) {
1399	pfd[0].fd = fileno(stdin)(!__isthreaded ? (((&__sF[0]))->_file) : (fileno)((& __sF[0])));
1400	pfd[0].events = POLLIN0x0001;
1401	}
1402	if (write_tty) {
1403	pfd[1].fd = fileno(stdout)(!__isthreaded ? (((&__sF[1]))->_file) : (fileno)((& __sF[1])));
1404	pfd[1].events = POLLOUT0x0004;
1405	}
1406	}
1407
1408	pfd[2].fd = SSL_get_fd(con);
1409	pfd[2].events = 0;
1410	if (read_ssl)
1411	pfd[2].events \|= POLLIN0x0001;
1412	if (write_ssl)
1413	pfd[2].events \|= POLLOUT0x0004;
1414
1415	/* printf("mode tty(%d %d%d) ssl(%d%d)\n",
1416	tty_on,read_tty,write_tty,read_ssl,write_ssl);*/
1417
1418	i = poll(pfd, 3, ptimeout);
1419	if (i == -1) {
1420	BIO_printf(bio_err, "bad select %d\n",
1421	errno(*__errno()));
1422	goto shut;
1423	/* goto end; */
1424	}
1425	}
1426	if (SSL_is_dtls(con) &&
1427	DTLSv1_handle_timeout(con)SSL_ctrl(con,74,0, ((void*)0)) > 0)
1428	BIO_printf(bio_err, "TIMEOUT occured\n");
1429	if (!ssl_pending &&
1430	(pfd[2].revents & (POLLOUT0x0004\|POLLERR0x0008\|POLLNVAL0x0020))) {
1431	if (pfd[2].revents & (POLLERR0x0008\|POLLNVAL0x0020)) {
1432	BIO_printf(bio_err, "poll error");
1433	goto shut;
1434	}
1435	k = SSL_write(con, &(cbuf[cbuf_off]),
1436	(unsigned int) cbuf_len);
1437	switch (SSL_get_error(con, k)) {
1438	case SSL_ERROR_NONE0:
1439	cbuf_off += k;
1440	cbuf_len -= k;
1441	if (k <= 0)
1442	goto end;
1443	/* we have done a write(con,NULL,0); */
1444	if (cbuf_len <= 0) {
1445	read_tty = 1;
1446	write_ssl = 0;
1447	} else { /* if (cbuf_len > 0) */
1448	read_tty = 0;
1449	write_ssl = 1;
1450	}
1451	break;
1452	case SSL_ERROR_WANT_WRITE3:
1453	BIO_printf(bio_c_out, "write W BLOCK\n");
1454	write_ssl = 1;
1455	read_tty = 0;
1456	break;
1457	case SSL_ERROR_WANT_READ2:
1458	BIO_printf(bio_c_out, "write R BLOCK\n");
1459	write_tty = 0;
1460	read_ssl = 1;
1461	write_ssl = 0;
1462	break;
1463	case SSL_ERROR_WANT_X509_LOOKUP4:
1464	BIO_printf(bio_c_out, "write X BLOCK\n");
1465	break;
1466	case SSL_ERROR_ZERO_RETURN6:
1467	if (cbuf_len != 0) {
1468	BIO_printf(bio_c_out, "shutdown\n");
1469	ret = 0;
1470	goto shut;
1471	} else {
1472	read_tty = 1;
1473	write_ssl = 0;
1474	break;
1475	}
1476
1477	case SSL_ERROR_SYSCALL5:
1478	if ((k != 0) \|\| (cbuf_len != 0)) {
1479	BIO_printf(bio_err, "write:errno=%d\n",
1480	errno(*__errno()));
1481	goto shut;
1482	} else {
1483	read_tty = 1;
1484	write_ssl = 0;
1485	}
1486	break;
1487	case SSL_ERROR_SSL1:
1488	ERR_print_errors(bio_err);
1489	goto shut;
1490	}
1491	} else if (!ssl_pending &&
1492	(pfd[1].revents & (POLLOUT0x0004\|POLLERR0x0008\|POLLNVAL0x0020))) {
1493	if (pfd[1].revents & (POLLERR0x0008\|POLLNVAL0x0020)) {
1494	BIO_printf(bio_err, "poll error");
1495	goto shut;
1496	}
1497	i = write(fileno(stdout)(!__isthreaded ? (((&__sF[1]))->_file) : (fileno)((& __sF[1]))), &(sbuf[sbuf_off]), sbuf_len);
1498
1499	if (i <= 0) {
1500	BIO_printf(bio_c_out, "DONE\n");
1501	ret = 0;
1502	goto shut;
1503	/* goto end; */
1504	}
1505	sbuf_len -= i;
1506	sbuf_off += i;
1507	if (sbuf_len <= 0) {
1508	read_ssl = 1;
1509	write_tty = 0;
1510	}
1511	} else if (ssl_pending \|\| (pfd[2].revents & (POLLIN0x0001\|POLLHUP0x0010))) {
1512	#ifdef RENEG
1513	{
1514	static int iiii;
1515	if (++iiii == 52) {
1516	SSL_renegotiate(con);
1517	iiii = 0;
1518	}
1519	}
1520	#endif
1521	if (s_client_config.peekaboo) {
1522	k = p = SSL_peek(con, pbuf, 1024 /* BUFSIZZ */ );
1523	pending = SSL_pending(con);
1524	if (SSL_get_error(con, p) == SSL_ERROR_NONE0) {
1525	if (p <= 0)
1526	goto end;
1527
1528	k = SSL_read(con, sbuf, p);
1529	}
1530	} else {
1531	k = SSL_read(con, sbuf, 1024 /* BUFSIZZ */ );
1532	}
1533
1534	switch (SSL_get_error(con, k)) {
1535	case SSL_ERROR_NONE0:
1536	if (k <= 0)
1537	goto end;
1538	sbuf_off = 0;
1539	sbuf_len = k;
1540	if (s_client_config.peekaboo) {
1541	if (p != pending) {
1542	ret = -1;
1543	BIO_printf(bio_err,
1544	"peeked %d but pending %d!\n",
1545	p, pending);
1546	goto shut;
1547	}
1548	if (k < p) {
1549	ret = -1;
1550	BIO_printf(bio_err,
1551	"read less than peek!\n");
1552	goto shut;
1553	}
1554	if (p > 0 &&
1555	(memcmp(sbuf, pbuf, p) != 0)) {
1556	ret = -1;
1557	BIO_printf(bio_err,
1558	"peek of %d different from read of %d!\n",
1559	p, k);
1560	goto shut;
1561	}
1562	}
1563	read_ssl = 0;
1564	write_tty = 1;
1565	break;
1566	case SSL_ERROR_WANT_WRITE3:
1567	BIO_printf(bio_c_out, "read W BLOCK\n");
1568	write_ssl = 1;
1569	read_tty = 0;
1570	break;
1571	case SSL_ERROR_WANT_READ2:
1572	BIO_printf(bio_c_out, "read R BLOCK\n");
1573	write_tty = 0;
1574	read_ssl = 1;
1575	if ((read_tty == 0) && (write_ssl == 0))
1576	write_ssl = 1;
1577	break;
1578	case SSL_ERROR_WANT_X509_LOOKUP4:
1579	BIO_printf(bio_c_out, "read X BLOCK\n");
1580	break;
1581	case SSL_ERROR_SYSCALL5:
1582	ret = errno(*__errno());
1583	BIO_printf(bio_err, "read:errno=%d\n", ret);
1584	goto shut;
1585	case SSL_ERROR_ZERO_RETURN6:
1586	BIO_printf(bio_c_out, "closed\n");
1587	ret = 0;
1588	goto shut;
1589	case SSL_ERROR_SSL1:
1590	ERR_print_errors(bio_err);
1591	goto shut;
1592	/* break; */
1593	}
1594	} else if (pfd[0].revents) {
1595	if (pfd[0].revents & (POLLERR0x0008\|POLLNVAL0x0020)) {
1596	BIO_printf(bio_err, "poll error");
1597	goto shut;
1598	}
1599	if (s_client_config.crlf) {
1600	int j, lf_num;
1601
1602	i = read(fileno(stdin)(!__isthreaded ? (((&__sF[0]))->_file) : (fileno)((& __sF[0]))), cbuf, BUFSIZZ1024*8 / 2);
1603	lf_num = 0;
1604	/* both loops are skipped when i <= 0 */
1605	for (j = 0; j < i; j++)
1606	if (cbuf[j] == '\n')
1607	lf_num++;
1608	for (j = i - 1; j >= 0; j--) {
1609	cbuf[j + lf_num] = cbuf[j];
1610	if (cbuf[j] == '\n') {
1611	lf_num--;
1612	i++;
1613	cbuf[j + lf_num] = '\r';
1614	}
1615	}
1616	assert(lf_num == 0)((lf_num == 0) ? (void)0 : __assert2("/usr/src/usr.bin/openssl/s_client.c" , 1616, __func__, "lf_num == 0"));
1617	} else
1618	i = read(fileno(stdin)(!__isthreaded ? (((&__sF[0]))->_file) : (fileno)((& __sF[0]))), cbuf, BUFSIZZ1024*8);
1619
1620	if ((!s_client_config.ign_eof) &&
1621	((i <= 0) \|\| (cbuf[0] == 'Q'))) {
1622	BIO_printf(bio_err, "DONE\n");
1623	ret = 0;
1624	goto shut;
1625	}
1626	if ((!s_client_config.ign_eof) && (cbuf[0] == 'R')) {
1627	BIO_printf(bio_err, "RENEGOTIATING\n");
1628	SSL_renegotiate(con);
1629	cbuf_len = 0;
1630	} else {
1631	cbuf_len = i;
1632	cbuf_off = 0;
1633	}
1634
1635	write_ssl = 1;
1636	read_tty = 0;
1637	}
1638	}
1639
1640	ret = 0;
1641	shut:
1642	if (in_init)
1643	print_stuff(bio_c_out, con, full_log);
1644	SSL_shutdown(con);
1645	shutdown(SSL_get_fd(con), SHUT_RD0);
1646	close(SSL_get_fd(con));
1647	end:
1648	if (con != NULL((void*)0)) {
1649	if (s_client_config.prexit != 0)
1650	print_stuff(bio_c_out, con, 1);
1651	SSL_free(con);
1652	}
1653	SSL_CTX_free(ctx);
1654	X509_free(cert);
1655	EVP_PKEY_free(key);
1656	free(pass);
1657	X509_VERIFY_PARAM_free(s_client_config.vpm);
1658	freezero(cbuf, BUFSIZZ1024*8);
1659	freezero(sbuf, BUFSIZZ1024*8);
1660	freezero(pbuf, BUFSIZZ1024*8);
1661	freezero(mbuf, BUFSIZZ1024*8);
1662	BIO_free(bio_c_out);
1663
1664	return (ret);
1665	}
1666
1667	static void
1668	print_stuff(BIO bio, SSL s, int full)
1669	{
1670	X509 peer = NULL((void)0);
1671	char *p;
1672	static const char *space = " ";
1673	char buf[BUFSIZ1024];
1674	STACK_OF(X509)struct stack_st_X509 *sk;
1675	STACK_OF(X509_NAME)struct stack_st_X509_NAME *sk2;
1676	const SSL_CIPHER *c;
1677	X509_NAME *xn;
1678	int j, i;
1679	unsigned char *exportedkeymat;
1680
1681	if (full) {
1682	int got_a_chain = 0;
1683
1684	sk = SSL_get_peer_cert_chain(s);
1685	if (sk != NULL((void*)0)) {
1686	got_a_chain = 1; /* we don't have it for SSL2
1687	* (yet) */
1688
1689	BIO_printf(bio, "---\nCertificate chain\n");
1690	for (i = 0; i < sk_X509_num(sk)sk_num(((_STACK) (1 ? (sk) : (struct stack_st_X509)0))); i++) {
1691	X509_NAME_oneline(X509_get_subject_name(
1692	sk_X509_value(sk, i)((X509 )sk_value(((_STACK) (1 ? (sk) : (struct stack_st_X509 *)0)), (i)))), buf, sizeof buf);
1693	BIO_printf(bio, "%2d s:%s\n", i, buf);
1694	X509_NAME_oneline(X509_get_issuer_name(
1695	sk_X509_value(sk, i)((X509 )sk_value(((_STACK) (1 ? (sk) : (struct stack_st_X509 *)0)), (i)))), buf, sizeof buf);
1696	BIO_printf(bio, " i:%s\n", buf);
1697	if (s_client_config.showcerts)
1698	PEM_write_bio_X509(bio,
1699	sk_X509_value(sk, i)((X509 )sk_value(((_STACK) (1 ? (sk) : (struct stack_st_X509 *)0)), (i))));
1700	}
1701	}
1702	BIO_printf(bio, "---\n");
1703	peer = SSL_get_peer_certificate(s);
1704	if (peer != NULL((void*)0)) {
1705	BIO_printf(bio, "Server certificate\n");
1706	if (!(s_client_config.showcerts && got_a_chain)) {
1707	/* Redundant if we showed the whole chain */
1708	PEM_write_bio_X509(bio, peer);
1709	}
1710	X509_NAME_oneline(X509_get_subject_name(peer),
1711	buf, sizeof buf);
1712	BIO_printf(bio, "subject=%s\n", buf);
1713	X509_NAME_oneline(X509_get_issuer_name(peer),
1714	buf, sizeof buf);
1715	BIO_printf(bio, "issuer=%s\n", buf);
1716	} else
1717	BIO_printf(bio, "no peer certificate available\n");
1718
1719	sk2 = SSL_get_client_CA_list(s);
1720	if ((sk2 != NULL((void)0)) && (sk_X509_NAME_num(sk2)sk_num(((_STACK) (1 ? (sk2) : (struct stack_st_X509_NAME*)0) )) > 0)) {
1721	BIO_printf(bio,
1722	"---\nAcceptable client certificate CA names\n");
1723	for (i = 0; i < sk_X509_NAME_num(sk2)sk_num(((_STACK) (1 ? (sk2) : (struct stack_st_X509_NAME)0) )); i++) {
1724	xn = sk_X509_NAME_value(sk2, i)((X509_NAME )sk_value(((_STACK) (1 ? (sk2) : (struct stack_st_X509_NAME *)0)), (i)));
1725	X509_NAME_oneline(xn, buf, sizeof(buf));
1726	BIO_write(bio, buf, strlen(buf));
1727	BIO_write(bio, "\n", 1);
1728	}
1729	} else {
1730	BIO_printf(bio,
1731	"---\nNo client certificate CA names sent\n");
1732	}
1733	p = SSL_get_shared_ciphers(s, buf, sizeof buf);
1734	if (p != NULL((void*)0)) {
1735	/*
1736	* This works only for SSL 2. In later protocol
1737	* versions, the client does not know what other
1738	* ciphers (in addition to the one to be used in the
1739	* current connection) the server supports.
1740	*/
1741
1742	BIO_printf(bio,
1743	"---\nCiphers common between both SSL endpoints:\n");
1744	j = i = 0;
1745	while (*p) {
1746	if (*p == ':') {
1747	BIO_write(bio, space, 15 - j % 25);
1748	i++;
1749	j = 0;
1750	BIO_write(bio,
1751	((i % 3) ? " " : "\n"), 1);
1752	} else {
1753	BIO_write(bio, p, 1);
1754	j++;
1755	}
1756	p++;
1757	}
1758	BIO_write(bio, "\n", 1);
1759	}
1760
1761	ssl_print_tmp_key(bio, s);
1762
1763	BIO_printf(bio,
1764	"---\nSSL handshake has read %ld bytes and written %ld bytes\n",
1765	BIO_number_read(SSL_get_rbio(s)),
1766	BIO_number_written(SSL_get_wbio(s)));
1767	}
1768	BIO_printf(bio, (SSL_cache_hit(s) ? "---\nReused, " : "---\nNew, "));
1769	c = SSL_get_current_cipher(s);
1770	BIO_printf(bio, "%s, Cipher is %s\n",
1771	SSL_CIPHER_get_version(c),
1772	SSL_CIPHER_get_name(c));
1773	if (peer != NULL((void*)0)) {
1774	EVP_PKEY *pktmp;
1775	pktmp = X509_get_pubkey(peer);
1776	BIO_printf(bio, "Server public key is %d bit\n",
1777	EVP_PKEY_bits(pktmp));
1778	EVP_PKEY_free(pktmp);
1779	}
1780	BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
1781	SSL_get_secure_renegotiation_support(s)SSL_ctrl((s), 76, 0, ((void*)0)) ? "" : " NOT");
1782
1783	/* Compression is not supported and will always be none. */
1784	BIO_printf(bio, "Compression: NONE\n");
1785	BIO_printf(bio, "Expansion: NONE\n");
1786
1787	#ifdef SSL_DEBUG
1788	{
1789	/* Print out local port of connection: useful for debugging */
1790	int sock;
1791	struct sockaddr_in ladd;
1792	socklen_t ladd_size = sizeof(ladd);
1793	sock = SSL_get_fd(s);
1794	getsockname(sock, (struct sockaddr *) & ladd, &ladd_size);
1795	BIO_printf(bio, "LOCAL PORT is %u\n",
1796	ntohs(ladd.sin_port)(__uint16_t)(__builtin_constant_p(ladd.sin_port) ? (__uint16_t )(((__uint16_t)(ladd.sin_port) & 0xffU) << 8 \| ((__uint16_t )(ladd.sin_port) & 0xff00U) >> 8) : __swap16md(ladd .sin_port)));
1797	}
1798	#endif
1799
1800	{
1801	const unsigned char *proto;
1802	unsigned int proto_len;
1803	SSL_get0_alpn_selected(s, &proto, &proto_len);
1804	if (proto_len > 0) {
1805	BIO_printf(bio, "ALPN protocol: ");
1806	BIO_write(bio, proto, proto_len);
1807	BIO_write(bio, "\n", 1);
1808	} else
1809	BIO_printf(bio, "No ALPN negotiated\n");
1810	}
1811
1812	#ifndef OPENSSL_NO_SRTP
1813	{
1814	SRTP_PROTECTION_PROFILE *srtp_profile;
1815
1816	srtp_profile = SSL_get_selected_srtp_profile(s);
1817	if (srtp_profile)
1818	BIO_printf(bio,
1819	"SRTP Extension negotiated, profile=%s\n",
1820	srtp_profile->name);
1821	}
1822	#endif
1823
1824	SSL_SESSION_print(bio, SSL_get_session(s));
1825	if (s_client_config.keymatexportlabel != NULL((void*)0)) {
1826	BIO_printf(bio, "Keying material exporter:\n");
1827	BIO_printf(bio, " Label: '%s'\n",
1828	s_client_config.keymatexportlabel);
1829	BIO_printf(bio, " Length: %i bytes\n",
1830	s_client_config.keymatexportlen);
1831	exportedkeymat = malloc(s_client_config.keymatexportlen);
1832	if (exportedkeymat != NULL((void*)0)) {
1833	if (!SSL_export_keying_material(s, exportedkeymat,
1834	s_client_config.keymatexportlen,
1835	s_client_config.keymatexportlabel,
1836	strlen(s_client_config.keymatexportlabel),
1837	NULL((void*)0), 0, 0)) {
1838	BIO_printf(bio, " Error\n");
1839	} else {
1840	BIO_printf(bio, " Keying material: ");
1841	for (i = 0; i < s_client_config.keymatexportlen; i++)
1842	BIO_printf(bio, "%02X",
1843	exportedkeymat[i]);
1844	BIO_printf(bio, "\n");
1845	}
1846	free(exportedkeymat);
1847	}
1848	}
1849	BIO_printf(bio, "---\n");
1850	X509_free(peer);
1851	/* flush, or debugging output gets mixed with http response */
1852	(void) BIO_flush(bio)(int)BIO_ctrl(bio,11,0,((void*)0));
1853	}
1854
1855	static int
1856	ocsp_resp_cb(SSL s, void arg)
1857	{
1858	const unsigned char *p;
1859	int len;
1860	OCSP_RESPONSE *rsp;
1861	len = SSL_get_tlsext_status_ocsp_resp(s, &p)SSL_ctrl(s,70,0, (void *)&p);
1862	BIO_puts(arg, "OCSP response: ");
1863	if (!p) {
1864	BIO_puts(arg, "no response sent\n");
1865	return 1;
1866	}
1867	rsp = d2i_OCSP_RESPONSE(NULL((void*)0), &p, len);
1868	if (!rsp) {
1869	BIO_puts(arg, "response parse error\n");
1870	BIO_dump_indent(arg, (char *) p, len, 4);
1871	return 0;
1872	}
1873	BIO_puts(arg, "\n======================================\n");
1874	OCSP_RESPONSE_print(arg, rsp, 0);
1875	BIO_puts(arg, "======================================\n");
1876	OCSP_RESPONSE_free(rsp);
1877	return 1;
1878	}
1879
1880	static int
1881	ssl_servername_cb(SSL s, int ad, void *arg)
1882	{
1883	tlsextctx p = (tlsextctx ) arg;
1884	const char *hn = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name0);
1885	if (SSL_get_servername_type(s) != -1)
1886	p->ack = !SSL_session_reused(s)SSL_ctrl((s),8,0,((void)0)) && hn != NULL((void)0);
1887	else
1888	BIO_printf(bio_err, "Can't use SSL_get_servername\n");
1889
1890	return SSL_TLSEXT_ERR_OK0;
1891	}
1892