../deps/openssl/openssl/apps/s

Bug Summary

File:	out/../deps/openssl/openssl/apps/s_client.c
Warning:	line 1477, column 9 Value stored to 'connect_type' is never read

Annotated Source Code

Press '?' to see keyboard shortcuts

Show analyzer invocation

clang -cc1 -cc1 -triple x86_64-unknown-linux-gnu -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name s_client.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 2 -pic-is-pie -mframe-pointer=all -fmath-errno -ffp-contract=on -fno-rounding-math -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/home/maurizio/node-v18.6.0/out -resource-dir /usr/local/lib/clang/16.0.0 -D V8_DEPRECATION_WARNINGS -D V8_IMMINENT_DEPRECATION_WARNINGS -D _GLIBCXX_USE_CXX11_ABI=1 -D NODE_OPENSSL_CONF_NAME=nodejs_conf -D NODE_OPENSSL_HAS_QUIC -D __STDC_FORMAT_MACROS -D OPENSSL_NO_PINSHARED -D OPENSSL_THREADS -D OPENSSL_API_COMPAT=0x10100001L -D NDEBUG -D OPENSSL_USE_NODELETE -D L_ENDIAN -D OPENSSL_BUILDING_OPENSSL -D AES_ASM -D BSAES_ASM -D CMLL_ASM -D ECP_NISTZ256_ASM -D GHASH_ASM -D KECCAK1600_ASM -D MD5_ASM -D OPENSSL_BN_ASM_GF2m -D OPENSSL_BN_ASM_MONT -D OPENSSL_BN_ASM_MONT5 -D OPENSSL_CPUID_OBJ -D OPENSSL_IA32_SSE2 -D PADLOCK_ASM -D POLY1305_ASM -D SHA1_ASM -D SHA256_ASM -D SHA512_ASM -D VPAES_ASM -D WHIRLPOOL_ASM -D X25519_ASM -D OPENSSL_PIC -D OPENSSLDIR="/etc/ssl" -D ENGINESDIR="/dev/null" -D TERMIOS -I ../deps/openssl/openssl/apps/include -I ../deps/openssl/openssl -I ../deps/openssl/openssl/include -I ../deps/openssl/openssl/crypto -I ../deps/openssl/openssl/crypto/include -I ../deps/openssl/openssl/crypto/modes -I ../deps/openssl/openssl/crypto/ec/curve448 -I ../deps/openssl/openssl/crypto/ec/curve448/arch_32 -I ../deps/openssl/openssl/providers/common/include -I ../deps/openssl/openssl/providers/implementations/include -I ../deps/openssl/config -I ../deps/openssl/config/archs/linux-x86_64/asm/include -I ../deps/openssl/openssl/include -I ../deps/openssl/openssl/crypto/include -I ../deps/openssl/config/archs/linux-x86_64/asm -internal-isystem /usr/local/lib/clang/16.0.0/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-redhat-linux/8/../../../../x86_64-redhat-linux/include -internal-externc-isystem /include -internal-externc-isystem /usr/include -O3 -Wno-unused-parameter -Wno-missing-field-initializers -Wno-old-style-declaration -fdebug-compilation-dir=/home/maurizio/node-v18.6.0/out -ferror-limit 19 -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /tmp/scan-build-2022-08-22-142216-507842-1 -x c ../deps/openssl/openssl/apps/s_client.c

1	/*
2	* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
3	* Copyright 2005 Nokia. All rights reserved.
4	*
5	* Licensed under the Apache License 2.0 (the "License"). You may not use
6	* this file except in compliance with the License. You can obtain a copy
7	* in the file LICENSE in the source distribution or at
8	* https://www.openssl.org/source/license.html
9	*/
10
11	#include "e_os.h"
12	#include <ctype.h>
13	#include <stdio.h>
14	#include <stdlib.h>
15	#include <string.h>
16	#include <errno(*__errno_location ()).h>
17	#include <openssl/e_os2.h>
18
19	#ifndef OPENSSL_NO_SOCK
20
21	/*
22	* With IPv6, it looks like Digital has mixed up the proper order of
23	* recursive header file inclusion, resulting in the compiler complaining
24	* that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which is
25	* needed to have fileno() declared correctly... So let's define u_int
26	*/
27	#if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
28	# define __U_INT
29	typedef unsigned int u_int;
30	#endif
31
32	#include "apps.h"
33	#include "progs.h"
34	#include <openssl/x509.h>
35	#include <openssl/ssl.h>
36	#include <openssl/err.h>
37	#include <openssl/pem.h>
38	#include <openssl/rand.h>
39	#include <openssl/ocsp.h>
40	#include <openssl/bn.h>
41	#include <openssl/trace.h>
42	#include <openssl/async.h>
43	#ifndef OPENSSL_NO_CT
44	# include <openssl/ct.h>
45	#endif
46	#include "s_apps.h"
47	#include "timeouts.h"
48	#include "internal/sockets.h"
49
50	#if defined(__has_feature)0
51	# if __has_feature(memory_sanitizer)0
52	# include <sanitizer/msan_interface.h>
53	# endif
54	#endif
55
56	#undef BUFSIZZ1024*8
57	#define BUFSIZZ10248 10248
58	#define S_CLIENT_IRC_READ_TIMEOUT8 8
59
60	static char *prog;
61	static int c_debug = 0;
62	static int c_showcerts = 0;
63	static char keymatexportlabel = NULL((void)0);
64	static int keymatexportlen = 20;
65	static BIO bio_c_out = NULL((void)0);
66	static int c_quiet = 0;
67	static char sess_out = NULL((void)0);
68	static SSL_SESSION psksess = NULL((void)0);
69
70	static void print_stuff(BIO berr, SSL con, int full);
71	#ifndef OPENSSL_NO_OCSP
72	static int ocsp_resp_cb(SSL s, void arg);
73	#endif
74	static int ldap_ExtendedResponse_parse(const char *buf, long rem);
75	static int is_dNS_name(const char *host);
76
77	static int saved_errno;
78
79	static void save_errno(void)
80	{
81	saved_errno = errno(*__errno_location ());
82	errno(*__errno_location ()) = 0;
83	}
84
85	static int restore_errno(void)
86	{
87	int ret = errno(*__errno_location ());
88	errno(*__errno_location ()) = saved_errno;
89	return ret;
90	}
91
92	/* Default PSK identity and key */
93	static char *psk_identity = "Client_identity";
94
95	#ifndef OPENSSL_NO_PSK
96	static unsigned int psk_client_cb(SSL ssl, const char hint, char *identity,
97	unsigned int max_identity_len,
98	unsigned char *psk,
99	unsigned int max_psk_len)
100	{
101	int ret;
102	long key_len;
103	unsigned char *key;
104
105	if (c_debug)
106	BIO_printf(bio_c_out, "psk_client_cb\n");
107	if (!hint) {
108	/* no ServerKeyExchange message */
109	if (c_debug)
110	BIO_printf(bio_c_out,
111	"NULL received PSK identity hint, continuing anyway\n");
112	} else if (c_debug) {
113	BIO_printf(bio_c_out, "Received PSK identity hint '%s'\n", hint);
114	}
115
116	/*
117	* lookup PSK identity and PSK key based on the given identity hint here
118	*/
119	ret = BIO_snprintf(identity, max_identity_len, "%s", psk_identity);
120	if (ret < 0 \|\| (unsigned int)ret > max_identity_len)
121	goto out_err;
122	if (c_debug)
123	BIO_printf(bio_c_out, "created identity '%s' len=%d\n", identity,
124	ret);
125
126	/* convert the PSK key to binary */
127	key = OPENSSL_hexstr2buf(psk_key, &key_len);
128	if (key == NULL((void*)0)) {
129	BIO_printf(bio_err, "Could not convert PSK key '%s' to buffer\n",
130	psk_key);
131	return 0;
132	}
133	if (max_psk_len > INT_MAX2147483647 \|\| key_len > (long)max_psk_len) {
134	BIO_printf(bio_err,
135	"psk buffer of callback is too small (%d) for key (%ld)\n",
136	max_psk_len, key_len);
137	OPENSSL_free(key)CRYPTO_free(key, "../deps/openssl/openssl/apps/s_client.c", 137 );
138	return 0;
139	}
140
141	memcpy(psk, key, key_len);
142	OPENSSL_free(key)CRYPTO_free(key, "../deps/openssl/openssl/apps/s_client.c", 142 );
143
144	if (c_debug)
145	BIO_printf(bio_c_out, "created PSK len=%ld\n", key_len);
146
147	return key_len;
148	out_err:
149	if (c_debug)
150	BIO_printf(bio_err, "Error in PSK client callback\n");
151	return 0;
152	}
153	#endif
154
155	const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
156	const unsigned char tls13_aes256gcmsha384_id[] = { 0x13, 0x02 };
157
158	static int psk_use_session_cb(SSL s, const EVP_MD md,
159	const unsigned char *id, size_t idlen,
160	SSL_SESSION **sess)
161	{
162	SSL_SESSION usesess = NULL((void)0);
163	const SSL_CIPHER cipher = NULL((void)0);
164
165	if (psksess != NULL((void*)0)) {
166	SSL_SESSION_up_ref(psksess);
167	usesess = psksess;
168	} else {
169	long key_len;
170	unsigned char *key = OPENSSL_hexstr2buf(psk_key, &key_len);
171
172	if (key == NULL((void*)0)) {
173	BIO_printf(bio_err, "Could not convert PSK key '%s' to buffer\n",
174	psk_key);
175	return 0;
176	}
177
178	/* We default to SHA-256 */
179	cipher = SSL_CIPHER_find(s, tls13_aes128gcmsha256_id);
180	if (cipher == NULL((void*)0)) {
181	BIO_printf(bio_err, "Error finding suitable ciphersuite\n");
182	OPENSSL_free(key)CRYPTO_free(key, "../deps/openssl/openssl/apps/s_client.c", 182 );
183	return 0;
184	}
185
186	usesess = SSL_SESSION_new();
187	if (usesess == NULL((void*)0)
188	\|\| !SSL_SESSION_set1_master_key(usesess, key, key_len)
189	\|\| !SSL_SESSION_set_cipher(usesess, cipher)
190	\|\| !SSL_SESSION_set_protocol_version(usesess, TLS1_3_VERSION0x0304)) {
191	OPENSSL_free(key)CRYPTO_free(key, "../deps/openssl/openssl/apps/s_client.c", 191 );
192	goto err;
193	}
194	OPENSSL_free(key)CRYPTO_free(key, "../deps/openssl/openssl/apps/s_client.c", 194 );
195	}
196
197	cipher = SSL_SESSION_get0_cipher(usesess);
198	if (cipher == NULL((void*)0))
199	goto err;
200
201	if (md != NULL((void*)0) && SSL_CIPHER_get_handshake_digest(cipher) != md) {
202	/* PSK not usable, ignore it */
203	id = NULL((void)0);
204	*idlen = 0;
205	sess = NULL((void)0);
206	SSL_SESSION_free(usesess);
207	} else {
208	*sess = usesess;
209	id = (unsigned char )psk_identity;
210	*idlen = strlen(psk_identity);
211	}
212
213	return 1;
214
215	err:
216	SSL_SESSION_free(usesess);
217	return 0;
218	}
219
220	/* This is a context that we pass to callbacks */
221	typedef struct tlsextctx_st {
222	BIO *biodebug;
223	int ack;
224	} tlsextctx;
225
226	static int ssl_servername_cb(SSL s, int ad, void *arg)
227	{
228	tlsextctx p = (tlsextctx ) arg;
229	const char *hn = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name0);
230	if (SSL_get_servername_type(s) != -1)
231	p->ack = !SSL_session_reused(s) && hn != NULL((void*)0);
232	else
233	BIO_printf(bio_err, "Can't use SSL_get_servername\n");
234
235	return SSL_TLSEXT_ERR_OK0;
236	}
237
238	#ifndef OPENSSL_NO_NEXTPROTONEG
239	/* This the context that we pass to next_proto_cb */
240	typedef struct tlsextnextprotoctx_st {
241	unsigned char *data;
242	size_t len;
243	int status;
244	} tlsextnextprotoctx;
245
246	static tlsextnextprotoctx next_proto;
247
248	static int next_proto_cb(SSL s, unsigned char out, unsigned char outlen,
249	const unsigned char *in, unsigned int inlen,
250	void *arg)
251	{
252	tlsextnextprotoctx *ctx = arg;
253
254	if (!c_quiet) {
255	/* We can assume that \|in\| is syntactically valid. */
256	unsigned i;
257	BIO_printf(bio_c_out, "Protocols advertised by server: ");
258	for (i = 0; i < inlen;) {
259	if (i)
260	BIO_write(bio_c_out, ", ", 2);
261	BIO_write(bio_c_out, &in[i + 1], in[i]);
262	i += in[i] + 1;
263	}
264	BIO_write(bio_c_out, "\n", 1);
265	}
266
267	ctx->status =
268	SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len);
269	return SSL_TLSEXT_ERR_OK0;
270	}
271	#endif /* ndef OPENSSL_NO_NEXTPROTONEG */
272
273	static int serverinfo_cli_parse_cb(SSL *s, unsigned int ext_type,
274	const unsigned char *in, size_t inlen,
275	int al, void arg)
276	{
277	char pem_name[100];
278	unsigned char ext_buf[4 + 65536];
279
280	/* Reconstruct the type/len fields prior to extension data */
281	inlen &= 0xffff; /* for formal memcmpy correctness */
282	ext_buf[0] = (unsigned char)(ext_type >> 8);
283	ext_buf[1] = (unsigned char)(ext_type);
284	ext_buf[2] = (unsigned char)(inlen >> 8);
285	ext_buf[3] = (unsigned char)(inlen);
286	memcpy(ext_buf + 4, in, inlen);
287
288	BIO_snprintf(pem_name, sizeof(pem_name), "SERVERINFO FOR EXTENSION %d",
289	ext_type);
290	PEM_write_bio(bio_c_out, pem_name, "", ext_buf, 4 + inlen);
291	return 1;
292	}
293
294	/*
295	* Hex decoder that tolerates optional whitespace. Returns number of bytes
296	* produced, advances inptr to end of input string.
297	*/
298	static ossl_ssize_tssize_t hexdecode(const char *inptr, void result)
299	{
300	unsigned char out = (unsigned char )result;
301	const char in = inptr;
302	unsigned char *ret = app_malloc(strlen(in) / 2, "hexdecode");
303	unsigned char *cp = ret;
304	uint8_t byte;
305	int nibble = 0;
306
307	if (ret == NULL((void*)0))
308	return -1;
309
310	for (byte = 0; *in; ++in) {
311	int x;
312
313	if (isspace(_UC(in))((__ctype_b_loc ())[(int) ((((unsigned char)(*in))))] & ( unsigned short int) _ISspace))
314	continue;
315	x = OPENSSL_hexchar2int(*in);
316	if (x < 0) {
317	OPENSSL_free(ret)CRYPTO_free(ret, "../deps/openssl/openssl/apps/s_client.c", 317 );
318	return 0;
319	}
320	byte \|= (char)x;
321	if ((nibble ^= 1) == 0) {
322	*cp++ = byte;
323	byte = 0;
324	} else {
325	byte <<= 4;
326	}
327	}
328	if (nibble != 0) {
329	OPENSSL_free(ret)CRYPTO_free(ret, "../deps/openssl/openssl/apps/s_client.c", 329 );
330	return 0;
331	}
332	*inptr = in;
333
334	return cp - (*out = ret);
335	}
336
337	/*
338	* Decode unsigned 0..255, returns 1 on success, <= 0 on failure. Advances
339	* inptr to next field skipping leading whitespace.
340	*/
341	static ossl_ssize_tssize_t checked_uint8(const char *inptr, void out)
342	{
343	uint8_t result = (uint8_t )out;
344	const char in = inptr;
345	char *endp;
346	long v;
347	int e;
348
349	save_errno();
350	v = strtol(in, &endp, 10);
351	e = restore_errno();
352
353	if (((v == LONG_MIN(-9223372036854775807L -1L) \|\| v == LONG_MAX9223372036854775807L) && e == ERANGE34) \|\|
354	endp == in \|\| !isspace(_UC(endp))((__ctype_b_loc ())[(int) ((((unsigned char)(*endp))))] & (unsigned short int) _ISspace) \|\|
355	v != (*result = (uint8_t) v)) {
356	return -1;
357	}
358	for (in = endp; isspace(_UC(in))((__ctype_b_loc ())[(int) ((((unsigned char)(*in))))] & ( unsigned short int) _ISspace); ++in)
359	continue;
360
361	*inptr = in;
362	return 1;
363	}
364
365	struct tlsa_field {
366	void *var;
367	const char *name;
368	ossl_ssize_tssize_t (parser)(const char , void );
369	};
370
371	static int tlsa_import_rr(SSL con, const char rrdata)
372	{
373	/* Not necessary to re-init these values; the "parsers" do that. */
374	static uint8_t usage;
375	static uint8_t selector;
376	static uint8_t mtype;
377	static unsigned char *data;
378	static struct tlsa_field tlsa_fields[] = {
379	{ &usage, "usage", checked_uint8 },
380	{ &selector, "selector", checked_uint8 },
381	{ &mtype, "mtype", checked_uint8 },
382	{ &data, "data", hexdecode },
383	{ NULL((void*)0), }
384	};
385	struct tlsa_field *f;
386	int ret;
387	const char *cp = rrdata;
388	ossl_ssize_tssize_t len = 0;
389
390	for (f = tlsa_fields; f->var; ++f) {
391	/* Returns number of bytes produced, advances cp to next field */
392	if ((len = f->parser(&cp, f->var)) <= 0) {
393	BIO_printf(bio_err, "%s: warning: bad TLSA %s field in: %s\n",
394	prog, f->name, rrdata);
395	return 0;
396	}
397	}
398	/* The data field is last, so len is its length */
399	ret = SSL_dane_tlsa_add(con, usage, selector, mtype, data, len);
400	OPENSSL_free(data)CRYPTO_free(data, "../deps/openssl/openssl/apps/s_client.c", 400 );
401
402	if (ret == 0) {
403	ERR_print_errors(bio_err);
404	BIO_printf(bio_err, "%s: warning: unusable TLSA rrdata: %s\n",
405	prog, rrdata);
406	return 0;
407	}
408	if (ret < 0) {
409	ERR_print_errors(bio_err);
410	BIO_printf(bio_err, "%s: warning: error loading TLSA rrdata: %s\n",
411	prog, rrdata);
412	return 0;
413	}
414	return ret;
415	}
416
417	static int tlsa_import_rrset(SSL con, STACK_OF(OPENSSL_STRING)struct stack_st_OPENSSL_STRING rrset)
418	{
419	int num = sk_OPENSSL_STRING_num(rrset)OPENSSL_sk_num(ossl_check_const_OPENSSL_STRING_sk_type(rrset) );
420	int count = 0;
421	int i;
422
423	for (i = 0; i < num; ++i) {
424	char rrdata = sk_OPENSSL_STRING_value(rrset, i)((char )OPENSSL_sk_value(ossl_check_const_OPENSSL_STRING_sk_type (rrset), (i)));
425	if (tlsa_import_rr(con, rrdata) > 0)
426	++count;
427	}
428	return count > 0;
429	}
430
431	typedef enum OPTION_choice {
432	OPT_COMMONOPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
433	OPT_4, OPT_6, OPT_HOST, OPT_PORT, OPT_CONNECT, OPT_BIND, OPT_UNIX,
434	OPT_XMPPHOST, OPT_VERIFY, OPT_NAMEOPT,
435	OPT_CERT, OPT_CRL, OPT_CRL_DOWNLOAD, OPT_SESS_OUT, OPT_SESS_IN,
436	OPT_CERTFORM, OPT_CRLFORM, OPT_VERIFY_RET_ERROR, OPT_VERIFY_QUIET,
437	OPT_BRIEF, OPT_PREXIT, OPT_CRLF, OPT_QUIET, OPT_NBIO,
438	OPT_SSL_CLIENT_ENGINE, OPT_IGN_EOF, OPT_NO_IGN_EOF,
439	OPT_DEBUG, OPT_TLSEXTDEBUG, OPT_STATUS, OPT_WDEBUG,
440	OPT_MSG, OPT_MSGFILE, OPT_ENGINE, OPT_TRACE, OPT_SECURITY_DEBUG,
441	OPT_SECURITY_DEBUG_VERBOSE, OPT_SHOWCERTS, OPT_NBIO_TEST, OPT_STATE,
442	OPT_PSK_IDENTITY, OPT_PSK, OPT_PSK_SESS,
443	#ifndef OPENSSL_NO_SRP
444	OPT_SRPUSER, OPT_SRPPASS, OPT_SRP_STRENGTH, OPT_SRP_LATEUSER,
445	OPT_SRP_MOREGROUPS,
446	#endif
447	OPT_SSL3, OPT_SSL_CONFIG,
448	OPT_TLS1_3, OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1,
449	OPT_DTLS1_2, OPT_SCTP, OPT_TIMEOUT, OPT_MTU, OPT_KEYFORM, OPT_PASS,
450	OPT_CERT_CHAIN, OPT_KEY, OPT_RECONNECT, OPT_BUILD_CHAIN,
451	OPT_NEXTPROTONEG, OPT_ALPN,
452	OPT_CAPATH, OPT_NOCAPATH, OPT_CHAINCAPATH, OPT_VERIFYCAPATH,
453	OPT_CAFILE, OPT_NOCAFILE, OPT_CHAINCAFILE, OPT_VERIFYCAFILE,
454	OPT_CASTORE, OPT_NOCASTORE, OPT_CHAINCASTORE, OPT_VERIFYCASTORE,
455	OPT_SERVERINFO, OPT_STARTTLS, OPT_SERVERNAME, OPT_NOSERVERNAME, OPT_ASYNC,
456	OPT_USE_SRTP, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN, OPT_PROTOHOST,
457	OPT_MAXFRAGLEN, OPT_MAX_SEND_FRAG, OPT_SPLIT_SEND_FRAG, OPT_MAX_PIPELINES,
458	OPT_READ_BUF, OPT_KEYLOG_FILE, OPT_EARLY_DATA, OPT_REQCAFILE,
459	OPT_V_ENUMOPT_V__FIRST=2000, OPT_V_POLICY, OPT_V_PURPOSE, OPT_V_VERIFY_NAME , OPT_V_VERIFY_DEPTH, OPT_V_ATTIME, OPT_V_VERIFY_HOSTNAME, OPT_V_VERIFY_EMAIL , OPT_V_VERIFY_IP, OPT_V_IGNORE_CRITICAL, OPT_V_ISSUER_CHECKS , OPT_V_CRL_CHECK, OPT_V_CRL_CHECK_ALL, OPT_V_POLICY_CHECK, OPT_V_EXPLICIT_POLICY , OPT_V_INHIBIT_ANY, OPT_V_INHIBIT_MAP, OPT_V_X509_STRICT, OPT_V_EXTENDED_CRL , OPT_V_USE_DELTAS, OPT_V_POLICY_PRINT, OPT_V_CHECK_SS_SIG, OPT_V_TRUSTED_FIRST , OPT_V_SUITEB_128_ONLY, OPT_V_SUITEB_128, OPT_V_SUITEB_192, OPT_V_PARTIAL_CHAIN , OPT_V_NO_ALT_CHAINS, OPT_V_NO_CHECK_TIME, OPT_V_VERIFY_AUTH_LEVEL , OPT_V_ALLOW_PROXY_CERTS, OPT_V__LAST,
460	OPT_X_ENUMOPT_X__FIRST=1000, OPT_X_KEY, OPT_X_CERT, OPT_X_CHAIN, OPT_X_CHAIN_BUILD , OPT_X_CERTFORM, OPT_X_KEYFORM, OPT_X__LAST,
461	OPT_S_ENUMOPT_S__FIRST=3000, OPT_S_NOSSL3, OPT_S_NOTLS1, OPT_S_NOTLS1_1 , OPT_S_NOTLS1_2, OPT_S_NOTLS1_3, OPT_S_BUGS, OPT_S_NO_COMP, OPT_S_NOTICKET , OPT_S_SERVERPREF, OPT_S_LEGACYRENEG, OPT_S_CLIENTRENEG, OPT_S_LEGACYCONN , OPT_S_ONRESUMP, OPT_S_NOLEGACYCONN, OPT_S_ALLOW_NO_DHE_KEX, OPT_S_PRIORITIZE_CHACHA, OPT_S_STRICT, OPT_S_SIGALGS, OPT_S_CLIENTSIGALGS , OPT_S_GROUPS, OPT_S_CURVES, OPT_S_NAMEDCURVE, OPT_S_CIPHER, OPT_S_CIPHERSUITES, OPT_S_RECORD_PADDING, OPT_S_DEBUGBROKE, OPT_S_COMP , OPT_S_MINPROTO, OPT_S_MAXPROTO, OPT_S_NO_RENEGOTIATION, OPT_S_NO_MIDDLEBOX , OPT_S_NO_ETM, OPT_S__LAST, OPT_IGNORE_UNEXPECTED_EOF,
462	OPT_FALLBACKSCSV, OPT_NOCMDS, OPT_PROXY, OPT_PROXY_USER, OPT_PROXY_PASS,
463	OPT_DANE_TLSA_DOMAIN,
464	#ifndef OPENSSL_NO_CT
465	OPT_CT, OPT_NOCT, OPT_CTLOG_FILE,
466	#endif
467	OPT_DANE_TLSA_RRDATA, OPT_DANE_EE_NO_NAME,
468	OPT_ENABLE_PHA,
469	OPT_SCTP_LABEL_BUG,
470	OPT_R_ENUMOPT_R__FIRST=1500, OPT_R_RAND, OPT_R_WRITERAND, OPT_R__LAST, OPT_PROV_ENUMOPT_PROV__FIRST=1600, OPT_PROV_PROVIDER, OPT_PROV_PROVIDER_PATH , OPT_PROV_PROPQUERY, OPT_PROV__LAST
471	} OPTION_CHOICE;
472
473	const OPTIONS s_client_options[] = {
474	{OPT_HELP_STR, 1, '-', "Usage: %s [options] [host:port]\n"},
475
476	OPT_SECTION("General"){ OPT_SECTION_STR, 1, '-', "General" " options:\n" },
477	{"help", OPT_HELP, '-', "Display this summary"},
478	#ifndef OPENSSL_NO_ENGINE
479	{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
480	{"ssl_client_engine", OPT_SSL_CLIENT_ENGINE, 's',
481	"Specify engine to be used for client certificate operations"},
482	#endif
483	{"ssl_config", OPT_SSL_CONFIG, 's', "Use specified section for SSL_CTX configuration"},
484	#ifndef OPENSSL_NO_CT
485	{"ct", OPT_CT, '-', "Request and parse SCTs (also enables OCSP stapling)"},
486	{"noct", OPT_NOCT, '-', "Do not request or parse SCTs (default)"},
487	{"ctlogfile", OPT_CTLOG_FILE, '<', "CT log list CONF file"},
488	#endif
489
490	OPT_SECTION("Network"){ OPT_SECTION_STR, 1, '-', "Network" " options:\n" },
491	{"host", OPT_HOST, 's', "Use -connect instead"},
492	{"port", OPT_PORT, 'p', "Use -connect instead"},
493	{"connect", OPT_CONNECT, 's',
494	"TCP/IP where to connect; default: " PORT"4433" ")"},
495	{"bind", OPT_BIND, 's', "bind local address for connection"},
496	{"proxy", OPT_PROXY, 's',
497	"Connect to via specified proxy to the real server"},
498	{"proxy_user", OPT_PROXY_USER, 's', "UserID for proxy authentication"},
499	{"proxy_pass", OPT_PROXY_PASS, 's', "Proxy authentication password source"},
500	#ifdef AF_UNIX1
501	{"unix", OPT_UNIX, 's', "Connect over the specified Unix-domain socket"},
502	#endif
503	{"4", OPT_4, '-', "Use IPv4 only"},
504	#ifdef AF_INET610
505	{"6", OPT_6, '-', "Use IPv6 only"},
506	#endif
507	{"maxfraglen", OPT_MAXFRAGLEN, 'p',
508	"Enable Maximum Fragment Length Negotiation (len values: 512, 1024, 2048 and 4096)"},
509	{"max_send_frag", OPT_MAX_SEND_FRAG, 'p', "Maximum Size of send frames "},
510	{"split_send_frag", OPT_SPLIT_SEND_FRAG, 'p',
511	"Size used to split data for encrypt pipelines"},
512	{"max_pipelines", OPT_MAX_PIPELINES, 'p',
513	"Maximum number of encrypt/decrypt pipelines to be used"},
514	{"read_buf", OPT_READ_BUF, 'p',
515	"Default read buffer size to be used for connections"},
516	{"fallback_scsv", OPT_FALLBACKSCSV, '-', "Send the fallback SCSV"},
517
518	OPT_SECTION("Identity"){ OPT_SECTION_STR, 1, '-', "Identity" " options:\n" },
519	{"cert", OPT_CERT, '<', "Client certificate file to use"},
520	{"certform", OPT_CERTFORM, 'F',
521	"Client certificate file format (PEM/DER/P12); has no effect"},
522	{"cert_chain", OPT_CERT_CHAIN, '<',
523	"Client certificate chain file (in PEM format)"},
524	{"build_chain", OPT_BUILD_CHAIN, '-', "Build client certificate chain"},
525	{"key", OPT_KEY, 's', "Private key file to use; default: -cert file"},
526	{"keyform", OPT_KEYFORM, 'E', "Key format (ENGINE, other values ignored)"},
527	{"pass", OPT_PASS, 's', "Private key and cert file pass phrase source"},
528	{"verify", OPT_VERIFY, 'p', "Turn on peer certificate verification"},
529	{"nameopt", OPT_NAMEOPT, 's', "Certificate subject/issuer name printing options"},
530	{"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"},
531	{"CAfile", OPT_CAFILE, '<', "PEM format file of CA's"},
532	{"CAstore", OPT_CASTORE, ':', "URI to store of CA's"},
533	{"no-CAfile", OPT_NOCAFILE, '-',
534	"Do not load the default certificates file"},
535	{"no-CApath", OPT_NOCAPATH, '-',
536	"Do not load certificates from the default certificates directory"},
537	{"no-CAstore", OPT_NOCASTORE, '-',
538	"Do not load certificates from the default certificates store"},
539	{"requestCAfile", OPT_REQCAFILE, '<',
540	"PEM format file of CA names to send to the server"},
541	{"dane_tlsa_domain", OPT_DANE_TLSA_DOMAIN, 's', "DANE TLSA base domain"},
542	{"dane_tlsa_rrdata", OPT_DANE_TLSA_RRDATA, 's',
543	"DANE TLSA rrdata presentation form"},
544	{"dane_ee_no_namechecks", OPT_DANE_EE_NO_NAME, '-',
545	"Disable name checks when matching DANE-EE(3) TLSA records"},
546	{"psk_identity", OPT_PSK_IDENTITY, 's', "PSK identity"},
547	{"psk", OPT_PSK, 's', "PSK in hex (without 0x)"},
548	{"psk_session", OPT_PSK_SESS, '<', "File to read PSK SSL session from"},
549	{"name", OPT_PROTOHOST, 's',
550	"Hostname to use for \"-starttls lmtp\", \"-starttls smtp\" or \"-starttls xmpp[-server]\""},
551
552	OPT_SECTION("Session"){ OPT_SECTION_STR, 1, '-', "Session" " options:\n" },
553	{"reconnect", OPT_RECONNECT, '-',
554	"Drop and re-make the connection with the same Session-ID"},
555	{"sess_out", OPT_SESS_OUT, '>', "File to write SSL session to"},
556	{"sess_in", OPT_SESS_IN, '<', "File to read SSL session from"},
557
558	OPT_SECTION("Input/Output"){ OPT_SECTION_STR, 1, '-', "Input/Output" " options:\n" },
559	{"crlf", OPT_CRLF, '-', "Convert LF from terminal into CRLF"},
560	{"quiet", OPT_QUIET, '-', "No s_client output"},
561	{"ign_eof", OPT_IGN_EOF, '-', "Ignore input eof (default when -quiet)"},
562	{"no_ign_eof", OPT_NO_IGN_EOF, '-', "Don't ignore input eof"},
563	{"starttls", OPT_STARTTLS, 's',
564	"Use the appropriate STARTTLS command before starting TLS"},
565	{"xmpphost", OPT_XMPPHOST, 's',
566	"Alias of -name option for \"-starttls xmpp[-server]\""},
567	{"brief", OPT_BRIEF, '-',
568	"Restrict output to brief summary of connection parameters"},
569	{"prexit", OPT_PREXIT, '-',
570	"Print session information when the program exits"},
571
572	OPT_SECTION("Debug"){ OPT_SECTION_STR, 1, '-', "Debug" " options:\n" },
573	{"showcerts", OPT_SHOWCERTS, '-',
574	"Show all certificates sent by the server"},
575	{"debug", OPT_DEBUG, '-', "Extra output"},
576	{"msg", OPT_MSG, '-', "Show protocol messages"},
577	{"msgfile", OPT_MSGFILE, '>',
578	"File to send output of -msg or -trace, instead of stdout"},
579	{"nbio_test", OPT_NBIO_TEST, '-', "More ssl protocol testing"},
580	{"state", OPT_STATE, '-', "Print the ssl states"},
581	{"keymatexport", OPT_KEYMATEXPORT, 's',
582	"Export keying material using label"},
583	{"keymatexportlen", OPT_KEYMATEXPORTLEN, 'p',
584	"Export len bytes of keying material; default 20"},
585	{"security_debug", OPT_SECURITY_DEBUG, '-',
586	"Enable security debug messages"},
587	{"security_debug_verbose", OPT_SECURITY_DEBUG_VERBOSE, '-',
588	"Output more security debug output"},
589	#ifndef OPENSSL_NO_SSL_TRACE
590	{"trace", OPT_TRACE, '-', "Show trace output of protocol messages"},
591	#endif
592	#ifdef WATT32
593	{"wdebug", OPT_WDEBUG, '-', "WATT-32 tcp debugging"},
594	#endif
595	{"keylogfile", OPT_KEYLOG_FILE, '>', "Write TLS secrets to file"},
596	{"nocommands", OPT_NOCMDS, '-', "Do not use interactive command letters"},
597	{"servername", OPT_SERVERNAME, 's',
598	"Set TLS extension servername (SNI) in ClientHello (default)"},
599	{"noservername", OPT_NOSERVERNAME, '-',
600	"Do not send the server name (SNI) extension in the ClientHello"},
601	{"tlsextdebug", OPT_TLSEXTDEBUG, '-',
602	"Hex dump of all TLS extensions received"},
603	{"ignore_unexpected_eof", OPT_IGNORE_UNEXPECTED_EOF, '-',
604	"Do not treat lack of close_notify from a peer as an error"},
605	#ifndef OPENSSL_NO_OCSP
606	{"status", OPT_STATUS, '-', "Request certificate status from server"},
607	#endif
608	{"serverinfo", OPT_SERVERINFO, 's',
609	"types Send empty ClientHello extensions (comma-separated numbers)"},
610	{"alpn", OPT_ALPN, 's',
611	"Enable ALPN extension, considering named protocols supported (comma-separated list)"},
612	{"async", OPT_ASYNC, '-', "Support asynchronous operation"},
613	{"nbio", OPT_NBIO, '-', "Use non-blocking IO"},
614
615	OPT_SECTION("Protocol and version"){ OPT_SECTION_STR, 1, '-', "Protocol and version" " options:\n" },
616	#ifndef OPENSSL_NO_SSL3
617	{"ssl3", OPT_SSL3, '-', "Just use SSLv3"},
618	#endif
619	#ifndef OPENSSL_NO_TLS1
620	{"tls1", OPT_TLS1, '-', "Just use TLSv1"},
621	#endif
622	#ifndef OPENSSL_NO_TLS1_1
623	{"tls1_1", OPT_TLS1_1, '-', "Just use TLSv1.1"},
624	#endif
625	#ifndef OPENSSL_NO_TLS1_2
626	{"tls1_2", OPT_TLS1_2, '-', "Just use TLSv1.2"},
627	#endif
628	#ifndef OPENSSL_NO_TLS1_3
629	{"tls1_3", OPT_TLS1_3, '-', "Just use TLSv1.3"},
630	#endif
631	#ifndef OPENSSL_NO_DTLS
632	{"dtls", OPT_DTLS, '-', "Use any version of DTLS"},
633	{"timeout", OPT_TIMEOUT, '-',
634	"Enable send/receive timeout on DTLS connections"},
635	{"mtu", OPT_MTU, 'p', "Set the link layer MTU"},
636	#endif
637	#ifndef OPENSSL_NO_DTLS1
638	{"dtls1", OPT_DTLS1, '-', "Just use DTLSv1"},
639	#endif
640	#ifndef OPENSSL_NO_DTLS1_2
641	{"dtls1_2", OPT_DTLS1_2, '-', "Just use DTLSv1.2"},
642	#endif
643	#ifndef OPENSSL_NO_SCTP
644	{"sctp", OPT_SCTP, '-', "Use SCTP"},
645	{"sctp_label_bug", OPT_SCTP_LABEL_BUG, '-', "Enable SCTP label length bug"},
646	#endif
647	#ifndef OPENSSL_NO_NEXTPROTONEG
648	{"nextprotoneg", OPT_NEXTPROTONEG, 's',
649	"Enable NPN extension, considering named protocols supported (comma-separated list)"},
650	#endif
651	{"early_data", OPT_EARLY_DATA, '<', "File to send as early data"},
652	{"enable_pha", OPT_ENABLE_PHA, '-', "Enable post-handshake-authentication"},
653	#ifndef OPENSSL_NO_SRTP
654	{"use_srtp", OPT_USE_SRTP, 's',
655	"Offer SRTP key management with a colon-separated profile list"},
656	#endif
657	#ifndef OPENSSL_NO_SRP
658	{"srpuser", OPT_SRPUSER, 's', "(deprecated) SRP authentication for 'user'"},
659	{"srppass", OPT_SRPPASS, 's', "(deprecated) Password for 'user'"},
660	{"srp_lateuser", OPT_SRP_LATEUSER, '-',
661	"(deprecated) SRP username into second ClientHello message"},
662	{"srp_moregroups", OPT_SRP_MOREGROUPS, '-',
663	"(deprecated) Tolerate other than the known g N values."},
664	{"srp_strength", OPT_SRP_STRENGTH, 'p',
665	"(deprecated) Minimal length in bits for N"},
666	#endif
667
668	OPT_R_OPTIONS{ OPT_SECTION_STR, 1, '-', "Random state" " options:\n" }, {"rand" , OPT_R_RAND, 's', "Load the given file(s) into the random number generator" }, {"writerand", OPT_R_WRITERAND, '>', "Write random data to the specified file" },
669	OPT_S_OPTIONS{ OPT_SECTION_STR, 1, '-', "TLS/SSL" " options:\n" }, {"no_ssl3" , OPT_S_NOSSL3, '-',"Just disable SSLv3" }, {"no_tls1", OPT_S_NOTLS1 , '-', "Just disable TLSv1"}, {"no_tls1_1", OPT_S_NOTLS1_1, '-' , "Just disable TLSv1.1" }, {"no_tls1_2", OPT_S_NOTLS1_2, '-' , "Just disable TLSv1.2"}, {"no_tls1_3", OPT_S_NOTLS1_3, '-', "Just disable TLSv1.3"}, {"bugs", OPT_S_BUGS, '-', "Turn on SSL bug compatibility" }, {"no_comp", OPT_S_NO_COMP, '-', "Disable SSL/TLS compression (default)" }, {"comp", OPT_S_COMP, '-', "Use SSL/TLS-level compression" }, {"no_ticket", OPT_S_NOTICKET, '-', "Disable use of TLS session tickets" }, {"serverpref", OPT_S_SERVERPREF, '-', "Use server's cipher preferences" }, {"legacy_renegotiation", OPT_S_LEGACYRENEG, '-', "Enable use of legacy renegotiation (dangerous)" }, {"client_renegotiation", OPT_S_CLIENTRENEG, '-', "Allow client-initiated renegotiation" }, {"no_renegotiation", OPT_S_NO_RENEGOTIATION, '-', "Disable all renegotiation." }, {"legacy_server_connect", OPT_S_LEGACYCONN, '-', "Allow initial connection to servers that don't support RI" }, {"no_resumption_on_reneg", OPT_S_ONRESUMP, '-', "Disallow session resumption on renegotiation" }, {"no_legacy_server_connect", OPT_S_NOLEGACYCONN, '-', "Disallow initial connection to servers that don't support RI" }, {"allow_no_dhe_kex", OPT_S_ALLOW_NO_DHE_KEX, '-', "In TLSv1.3 allow non-(ec)dhe based key exchange on resumption" }, {"prioritize_chacha", OPT_S_PRIORITIZE_CHACHA, '-', "Prioritize ChaCha ciphers when preferred by clients" }, {"strict", OPT_S_STRICT, '-', "Enforce strict certificate checks as per TLS standard" }, {"sigalgs", OPT_S_SIGALGS, 's', "Signature algorithms to support (colon-separated list)" }, {"client_sigalgs", OPT_S_CLIENTSIGALGS, 's', "Signature algorithms to support for client certificate" " authentication (colon-separated list)" }, {"groups", OPT_S_GROUPS , 's', "Groups to advertise (colon-separated list)" }, {"curves" , OPT_S_CURVES, 's', "Groups to advertise (colon-separated list)" }, {"named_curve", OPT_S_NAMEDCURVE, 's', "Elliptic curve used for ECDHE (server-side only)" }, {"cipher", OPT_S_CIPHER, 's', "Specify TLSv1.2 and below cipher list to be used" }, {"ciphersuites", OPT_S_CIPHERSUITES, 's', "Specify TLSv1.3 ciphersuites to be used" }, {"min_protocol", OPT_S_MINPROTO, 's', "Specify the minimum protocol version to be used" }, {"max_protocol", OPT_S_MAXPROTO, 's', "Specify the maximum protocol version to be used" }, {"record_padding", OPT_S_RECORD_PADDING, 's', "Block size to pad TLS 1.3 records to." }, {"debug_broken_protocol", OPT_S_DEBUGBROKE, '-', "Perform all sorts of protocol violations for testing purposes" }, {"no_middlebox", OPT_S_NO_MIDDLEBOX, '-', "Disable TLSv1.3 middlebox compat mode" }, {"no_etm", OPT_S_NO_ETM, '-', "Disable Encrypt-then-Mac extension" },
670	OPT_V_OPTIONS{ OPT_SECTION_STR, 1, '-', "Validation" " options:\n" }, { "policy" , OPT_V_POLICY, 's', "adds policy to the acceptable policy set" }, { "purpose", OPT_V_PURPOSE, 's', "certificate chain purpose" }, { "verify_name", OPT_V_VERIFY_NAME, 's', "verification policy name" }, { "verify_depth", OPT_V_VERIFY_DEPTH, 'n', "chain depth limit" }, { "auth_level", OPT_V_VERIFY_AUTH_LEVEL, 'n', "chain authentication security level" }, { "attime", OPT_V_ATTIME, 'M', "verification epoch time" } , { "verify_hostname", OPT_V_VERIFY_HOSTNAME, 's', "expected peer hostname" }, { "verify_email", OPT_V_VERIFY_EMAIL, 's', "expected peer email" }, { "verify_ip", OPT_V_VERIFY_IP, 's', "expected peer IP address" }, { "ignore_critical", OPT_V_IGNORE_CRITICAL, '-', "permit unhandled critical extensions" }, { "issuer_checks", OPT_V_ISSUER_CHECKS, '-', "(deprecated)" }, { "crl_check", OPT_V_CRL_CHECK, '-', "check leaf certificate revocation" }, { "crl_check_all", OPT_V_CRL_CHECK_ALL, '-', "check full chain revocation" }, { "policy_check", OPT_V_POLICY_CHECK, '-', "perform rfc5280 policy checks" }, { "explicit_policy", OPT_V_EXPLICIT_POLICY, '-', "set policy variable require-explicit-policy" }, { "inhibit_any", OPT_V_INHIBIT_ANY, '-', "set policy variable inhibit-any-policy" }, { "inhibit_map", OPT_V_INHIBIT_MAP, '-', "set policy variable inhibit-policy-mapping" }, { "x509_strict", OPT_V_X509_STRICT, '-', "disable certificate compatibility work-arounds" }, { "extended_crl", OPT_V_EXTENDED_CRL, '-', "enable extended CRL features" }, { "use_deltas", OPT_V_USE_DELTAS, '-', "use delta CRLs"}, { "policy_print", OPT_V_POLICY_PRINT, '-', "print policy processing diagnostics" }, { "check_ss_sig", OPT_V_CHECK_SS_SIG, '-', "check root CA self-signatures" }, { "trusted_first", OPT_V_TRUSTED_FIRST, '-', "search trust store first (default)" }, { "suiteB_128_only", OPT_V_SUITEB_128_ONLY, '-', "Suite B 128-bit-only mode" }, { "suiteB_128", OPT_V_SUITEB_128, '-', "Suite B 128-bit mode allowing 192-bit algorithms" }, { "suiteB_192", OPT_V_SUITEB_192, '-', "Suite B 192-bit-only mode" }, { "partial_chain", OPT_V_PARTIAL_CHAIN, '-', "accept chains anchored by intermediate trust-store CAs" }, { "no_alt_chains", OPT_V_NO_ALT_CHAINS, '-', "(deprecated)" }, { "no_check_time", OPT_V_NO_CHECK_TIME, '-', "ignore certificate validity time" }, { "allow_proxy_certs", OPT_V_ALLOW_PROXY_CERTS, '-', "allow the use of proxy certificates" },
671	{"CRL", OPT_CRL, '<', "CRL file to use"},
672	{"crl_download", OPT_CRL_DOWNLOAD, '-', "Download CRL from distribution points"},
673	{"CRLform", OPT_CRLFORM, 'F', "CRL format (PEM or DER); default PEM"},
674	{"verify_return_error", OPT_VERIFY_RET_ERROR, '-',
675	"Close connection on verification error"},
676	{"verify_quiet", OPT_VERIFY_QUIET, '-', "Restrict verify output to errors"},
677	{"chainCAfile", OPT_CHAINCAFILE, '<',
678	"CA file for certificate chain (PEM format)"},
679	{"chainCApath", OPT_CHAINCAPATH, '/',
680	"Use dir as certificate store path to build CA certificate chain"},
681	{"chainCAstore", OPT_CHAINCASTORE, ':',
682	"CA store URI for certificate chain"},
683	{"verifyCAfile", OPT_VERIFYCAFILE, '<',
684	"CA file for certificate verification (PEM format)"},
685	{"verifyCApath", OPT_VERIFYCAPATH, '/',
686	"Use dir as certificate store path to verify CA certificate"},
687	{"verifyCAstore", OPT_VERIFYCASTORE, ':',
688	"CA store URI for certificate verification"},
689	OPT_X_OPTIONS{ OPT_SECTION_STR, 1, '-', "Extended certificate" " options:\n" }, { "xkey", OPT_X_KEY, '<', "key for Extended certificates" }, { "xcert", OPT_X_CERT, '<', "cert for Extended certificates" }, { "xchain", OPT_X_CHAIN, '<', "chain for Extended certificates" }, { "xchain_build", OPT_X_CHAIN_BUILD, '-', "build certificate chain for the extended certificates" }, { "xcertform", OPT_X_CERTFORM, 'F', "format of Extended certificate (PEM/DER/P12); has no effect" }, { "xkeyform", OPT_X_KEYFORM, 'F', "format of Extended certificate's key (DER/PEM/P12); has no effect" },
690	OPT_PROV_OPTIONS{ OPT_SECTION_STR, 1, '-', "Provider" " options:\n" }, { "provider-path" , OPT_PROV_PROVIDER_PATH, 's', "Provider load path (must be before 'provider' argument if required)" }, { "provider", OPT_PROV_PROVIDER, 's', "Provider to load (can be specified multiple times)" }, { "propquery", OPT_PROV_PROPQUERY, 's', "Property query used when fetching algorithms" },
691
692	OPT_PARAMETERS(){ OPT_PARAM_STR, 1, '-', "Parameters:\n" },
693	{"host:port", 0, 0, "Where to connect; same as -connect option"},
694	{NULL((void*)0)}
695	};
696
697	typedef enum PROTOCOL_choice {
698	PROTO_OFF,
699	PROTO_SMTP,
700	PROTO_POP3,
701	PROTO_IMAP,
702	PROTO_FTP,
703	PROTO_TELNET,
704	PROTO_XMPP,
705	PROTO_XMPP_SERVER,
706	PROTO_IRC,
707	PROTO_MYSQL,
708	PROTO_POSTGRES,
709	PROTO_LMTP,
710	PROTO_NNTP,
711	PROTO_SIEVE,
712	PROTO_LDAP
713	} PROTOCOL_CHOICE;
714
715	static const OPT_PAIR services[] = {
716	{"smtp", PROTO_SMTP},
717	{"pop3", PROTO_POP3},
718	{"imap", PROTO_IMAP},
719	{"ftp", PROTO_FTP},
720	{"xmpp", PROTO_XMPP},
721	{"xmpp-server", PROTO_XMPP_SERVER},
722	{"telnet", PROTO_TELNET},
723	{"irc", PROTO_IRC},
724	{"mysql", PROTO_MYSQL},
725	{"postgres", PROTO_POSTGRES},
726	{"lmtp", PROTO_LMTP},
727	{"nntp", PROTO_NNTP},
728	{"sieve", PROTO_SIEVE},
729	{"ldap", PROTO_LDAP},
730	{NULL((void*)0), 0}
731	};
732
733	#define IS_INET_FLAG(o)(o == OPT_4 \|\| o == OPT_6 \|\| o == OPT_HOST \|\| o == OPT_PORT \|\| o == OPT_CONNECT) \
734	(o == OPT_4 \|\| o == OPT_6 \|\| o == OPT_HOST \|\| o == OPT_PORT \|\| o == OPT_CONNECT)
735	#define IS_UNIX_FLAG(o)(o == OPT_UNIX) (o == OPT_UNIX)
736
737	#define IS_PROT_FLAG(o)(o == OPT_SSL3 \|\| o == OPT_TLS1 \|\| o == OPT_TLS1_1 \|\| o == OPT_TLS1_2 \|\| o == OPT_TLS1_3 \|\| o == OPT_DTLS \|\| o == OPT_DTLS1 \|\| o == OPT_DTLS1_2) \
738	(o == OPT_SSL3 \|\| o == OPT_TLS1 \|\| o == OPT_TLS1_1 \|\| o == OPT_TLS1_2 \
739	\|\| o == OPT_TLS1_3 \|\| o == OPT_DTLS \|\| o == OPT_DTLS1 \|\| o == OPT_DTLS1_2)
740
741	/* Free \|dest\| and optionally set it to a copy of \|source\|. /
742	static void freeandcopy(char *dest, const char source)
743	{
744	OPENSSL_free(dest)CRYPTO_free(dest, "../deps/openssl/openssl/apps/s_client.c", 744);
745	dest = NULL((void)0);
746	if (source != NULL((void*)0))
747	*dest = OPENSSL_strdup(source)CRYPTO_strdup(source, "../deps/openssl/openssl/apps/s_client.c" , 747);
748	}
749
750	static int new_session_cb(SSL s, SSL_SESSION sess)
751	{
752
753	if (sess_out != NULL((void*)0)) {
754	BIO *stmp = BIO_new_file(sess_out, "w");
755
756	if (stmp == NULL((void*)0)) {
757	BIO_printf(bio_err, "Error writing session file %s\n", sess_out);
758	} else {
759	PEM_write_bio_SSL_SESSION(stmp, sess);
760	BIO_free(stmp);
761	}
762	}
763
764	/*
765	* Session data gets dumped on connection for TLSv1.2 and below, and on
766	* arrival of the NewSessionTicket for TLSv1.3.
767	*/
768	if (SSL_version(s) == TLS1_3_VERSION0x0304) {
769	BIO_printf(bio_c_out,
770	"---\nPost-Handshake New Session Ticket arrived:\n");
771	SSL_SESSION_print(bio_c_out, sess);
772	BIO_printf(bio_c_out, "---\n");
773	}
774
775	/*
776	* We always return a "fail" response so that the session gets freed again
777	* because we haven't used the reference.
778	*/
779	return 0;
780	}
781
782	int s_client_main(int argc, char **argv)
783	{
784	BIO *sbio;
785	EVP_PKEY key = NULL((void)0);
786	SSL con = NULL((void)0);
787	SSL_CTX ctx = NULL((void)0);
788	STACK_OF(X509)struct stack_st_X509 chain = NULL((void)0);
789	X509 cert = NULL((void)0);
790	X509_VERIFY_PARAM vpm = NULL((void)0);
791	SSL_EXCERT exc = NULL((void)0);
792	SSL_CONF_CTX cctx = NULL((void)0);
793	STACK_OF(OPENSSL_STRING)struct stack_st_OPENSSL_STRING ssl_args = NULL((void)0);
794	char dane_tlsa_domain = NULL((void)0);
795	STACK_OF(OPENSSL_STRING)struct stack_st_OPENSSL_STRING dane_tlsa_rrset = NULL((void)0);
796	int dane_ee_no_name = 0;
797	STACK_OF(X509_CRL)struct stack_st_X509_CRL crls = NULL((void)0);
798	const SSL_METHOD *meth = TLS_client_method();
799	const char CApath = NULL((void)0), CAfile = NULL((void)0), CAstore = NULL((void)0);
800	char cbuf = NULL((void)0), sbuf = NULL((void)0), mbuf = NULL((void)0);
801	char proxystr = NULL((void)0), proxyuser = NULL((void)0);
802	char proxypassarg = NULL((void)0), proxypass = NULL((void)0);
803	char connectstr = NULL((void)0), bindstr = NULL((void)0);
804	char cert_file = NULL((void)0), key_file = NULL((void)0), chain_file = NULL((void)0);
805	char chCApath = NULL((void)0), chCAfile = NULL((void)0), chCAstore = NULL((void)0), host = NULL((void)0);
806	char thost = NULL((void)0), tport = NULL((void)0);
807	char port = NULL((void)0);
808	char bindhost = NULL((void)0), bindport = NULL((void)0);
809	char passarg = NULL((void)0), pass = NULL((void)0);
810	char vfyCApath = NULL((void)0), vfyCAfile = NULL((void)0), vfyCAstore = NULL((void)0);
811	char ReqCAfile = NULL((void)0);
812	char sess_in = NULL((void)0), crl_file = NULL((void)0), *p;
813	const char protohost = NULL((void)0);
814	struct timeval timeout, *timeoutp;
815	fd_set readfds, writefds;
816	int noCApath = 0, noCAfile = 0, noCAstore = 0;
817	int build_chain = 0, cbuf_len, cbuf_off, cert_format = FORMAT_UNDEF0;
818	int key_format = FORMAT_UNDEF0, crlf = 0, full_log = 1, mbuf_len = 0;
819	int prexit = 0;
820	int sdebug = 0;
821	int reconnect = 0, verify = SSL_VERIFY_NONE0x00, vpmtouched = 0;
822	int ret = 1, in_init = 1, i, nbio_test = 0, sock = -1, k, width, state = 0;
823	int sbuf_len, sbuf_off, cmdletters = 1;
824	int socket_family = AF_UNSPEC0, socket_type = SOCK_STREAMSOCK_STREAM, protocol = 0;
825	int starttls_proto = PROTO_OFF, crl_format = FORMAT_UNDEF0, crl_download = 0;
826	int write_tty, read_tty, write_ssl, read_ssl, tty_on, ssl_pending;
827	#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS)
828	int at_eof = 0;
829	#endif
830	int read_buf_len = 0;
831	int fallback_scsv = 0;
832	OPTION_CHOICE o;
833	#ifndef OPENSSL_NO_DTLS
834	int enable_timeouts = 0;
835	long socket_mtu = 0;
836	#endif
837	#ifndef OPENSSL_NO_ENGINE
838	ENGINE ssl_client_engine = NULL((void)0);
839	#endif
840	ENGINE e = NULL((void)0);
841	#if defined(OPENSSL_SYS_WINDOWS) \|\| defined(OPENSSL_SYS_MSDOS)
842	struct timeval tv;
843	#endif
844	const char servername = NULL((void)0);
845	char sname_alloc = NULL((void)0);
846	int noservername = 0;
847	const char alpn_in = NULL((void)0);
848	tlsextctx tlsextcbp = { NULL((void*)0), 0 };
849	const char ssl_config = NULL((void)0);
850	#define MAX_SI_TYPES100 100
851	unsigned short serverinfo_types[MAX_SI_TYPES100];
852	int serverinfo_count = 0, start = 0, len;
853	#ifndef OPENSSL_NO_NEXTPROTONEG
854	const char next_proto_neg_in = NULL((void)0);
855	#endif
856	#ifndef OPENSSL_NO_SRP
857	char srppass = NULL((void)0);
858	int srp_lateuser = 0;
859	SRP_ARG srp_arg = { NULL((void)0), NULL((void)0), 0, 0, 0, 1024 };
860	#endif
861	#ifndef OPENSSL_NO_SRTP
862	char srtp_profiles = NULL((void)0);
863	#endif
864	#ifndef OPENSSL_NO_CT
865	char ctlog_file = NULL((void)0);
866	int ct_validation = 0;
867	#endif
868	int min_version = 0, max_version = 0, prot_opt = 0, no_prot_opt = 0;
869	int async = 0;
870	unsigned int max_send_fragment = 0;
871	unsigned int split_send_fragment = 0, max_pipelines = 0;
872	enum { use_inet, use_unix, use_unknown } connect_type = use_unknown;
873	int count4or6 = 0;
874	uint8_t maxfraglen = 0;
875	int c_nbio = 0, c_msg = 0, c_ign_eof = 0, c_brief = 0;
876	int c_tlsextdebug = 0;
877	#ifndef OPENSSL_NO_OCSP
878	int c_status_req = 0;
879	#endif
880	BIO bio_c_msg = NULL((void)0);
881	const char keylog_file = NULL((void)0), early_data_file = NULL((void)0);
882	#ifndef OPENSSL_NO_DTLS
883	int isdtls = 0;
884	#endif
885	char psksessf = NULL((void)0);
886	int enable_pha = 0;
887	#ifndef OPENSSL_NO_SCTP
888	int sctp_label_bug = 0;
889	#endif
890	int ignore_unexpected_eof = 0;
891
892	FD_ZERO(&readfds)do { int __d0, __d1; __asm__ __volatile__ ("cld; rep; " "stosq" : "=c" (__d0), "=D" (__d1) : "a" (0), "0" (sizeof (fd_set) / sizeof (__fd_mask)), "1" (&((&readfds)->__fds_bits )[0]) : "memory"); } while (0);
893	FD_ZERO(&writefds)do { int __d0, __d1; __asm__ __volatile__ ("cld; rep; " "stosq" : "=c" (__d0), "=D" (__d1) : "a" (0), "0" (sizeof (fd_set) / sizeof (__fd_mask)), "1" (&((&writefds)->__fds_bits )[0]) : "memory"); } while (0);
894	/* Known false-positive of MemorySanitizer. */
895	#if defined(__has_feature)0
896	# if __has_feature(memory_sanitizer)0
897	__msan_unpoison(&readfds, sizeof(readfds));
898	__msan_unpoison(&writefds, sizeof(writefds));
899	# endif
900	#endif
901
902	c_quiet = 0;
903	c_debug = 0;
904	c_showcerts = 0;
905	c_nbio = 0;
906	port = OPENSSL_strdup(PORT)CRYPTO_strdup("4433", "../deps/openssl/openssl/apps/s_client.c" , 906);
907	vpm = X509_VERIFY_PARAM_new();
908	cctx = SSL_CONF_CTX_new();
909
910	if (port == NULL((void)0) \|\| vpm == NULL((void)0) \|\| cctx == NULL((void*)0)) {
911	BIO_printf(bio_err, "%s: out of memory\n", opt_getprog());
912	goto end;
913	}
914
915	cbuf = app_malloc(BUFSIZZ1024*8, "cbuf");
916	sbuf = app_malloc(BUFSIZZ1024*8, "sbuf");
917	mbuf = app_malloc(BUFSIZZ1024*8, "mbuf");
918
919	SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT0x4 \| SSL_CONF_FLAG_CMDLINE0x1);
920
921	prog = opt_init(argc, argv, s_client_options);
922	while ((o = opt_next()) != OPT_EOF) {
923	/* Check for intermixing flags. */
924	if (connect_type == use_unix && IS_INET_FLAG(o)(o == OPT_4 \|\| o == OPT_6 \|\| o == OPT_HOST \|\| o == OPT_PORT \|\| o == OPT_CONNECT)) {
925	BIO_printf(bio_err,
926	"%s: Intermixed protocol flags (unix and internet domains)\n",
927	prog);
928	goto end;
929	}
930	if (connect_type == use_inet && IS_UNIX_FLAG(o)(o == OPT_UNIX)) {
931	BIO_printf(bio_err,
932	"%s: Intermixed protocol flags (internet and unix domains)\n",
933	prog);
934	goto end;
935	}
936
937	if (IS_PROT_FLAG(o)(o == OPT_SSL3 \|\| o == OPT_TLS1 \|\| o == OPT_TLS1_1 \|\| o == OPT_TLS1_2 \|\| o == OPT_TLS1_3 \|\| o == OPT_DTLS \|\| o == OPT_DTLS1 \|\| o == OPT_DTLS1_2) && ++prot_opt > 1) {
938	BIO_printf(bio_err, "Cannot supply multiple protocol flags\n");
939	goto end;
940	}
941	if (IS_NO_PROT_FLAG(o)(o == OPT_S_NOSSL3 \|\| o == OPT_S_NOTLS1 \|\| o == OPT_S_NOTLS1_1 \|\| o == OPT_S_NOTLS1_2 \|\| o == OPT_S_NOTLS1_3))
942	no_prot_opt++;
943	if (prot_opt == 1 && no_prot_opt) {
944	BIO_printf(bio_err,
945	"Cannot supply both a protocol flag and '-no_<prot>'\n");
946	goto end;
947	}
948
949	switch (o) {
950	case OPT_EOF:
951	case OPT_ERR:
952	opthelp:
953	BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
954	goto end;
955	case OPT_HELP:
956	opt_help(s_client_options);
957	ret = 0;
958	goto end;
959	case OPT_4:
960	connect_type = use_inet;
961	socket_family = AF_INET2;
962	count4or6++;
963	break;
964	#ifdef AF_INET610
965	case OPT_6:
966	connect_type = use_inet;
967	socket_family = AF_INET610;
968	count4or6++;
969	break;
970	#endif
971	case OPT_HOST:
972	connect_type = use_inet;
973	freeandcopy(&host, opt_arg());
974	break;
975	case OPT_PORT:
976	connect_type = use_inet;
977	freeandcopy(&port, opt_arg());
978	break;
979	case OPT_CONNECT:
980	connect_type = use_inet;
981	freeandcopy(&connectstr, opt_arg());
982	break;
983	case OPT_BIND:
984	freeandcopy(&bindstr, opt_arg());
985	break;
986	case OPT_PROXY:
987	proxystr = opt_arg();
988	break;
989	case OPT_PROXY_USER:
990	proxyuser = opt_arg();
991	break;
992	case OPT_PROXY_PASS:
993	proxypassarg = opt_arg();
994	break;
995	#ifdef AF_UNIX1
996	case OPT_UNIX:
997	connect_type = use_unix;
998	socket_family = AF_UNIX1;
999	freeandcopy(&host, opt_arg());
1000	break;
1001	#endif
1002	case OPT_XMPPHOST:
1003	/* fall through, since this is an alias */
1004	case OPT_PROTOHOST:
1005	protohost = opt_arg();
1006	break;
1007	case OPT_VERIFY:
1008	verify = SSL_VERIFY_PEER0x01;
1009	verify_args.depth = atoi(opt_arg());
1010	if (!c_quiet)
1011	BIO_printf(bio_err, "verify depth is %d\n", verify_args.depth);
1012	break;
1013	case OPT_CERT:
1014	cert_file = opt_arg();
1015	break;
1016	case OPT_NAMEOPT:
1017	if (!set_nameopt(opt_arg()))
1018	goto end;
1019	break;
1020	case OPT_CRL:
1021	crl_file = opt_arg();
1022	break;
1023	case OPT_CRL_DOWNLOAD:
1024	crl_download = 1;
1025	break;
1026	case OPT_SESS_OUT:
1027	sess_out = opt_arg();
1028	break;
1029	case OPT_SESS_IN:
1030	sess_in = opt_arg();
1031	break;
1032	case OPT_CERTFORM:
1033	if (!opt_format(opt_arg(), OPT_FMT_ANY( (1L << 1) \| (1L << 2) \| (1L << 3) \| (1L << 4) \| (1L << 5) \| (1L << 7) \| (1L << 8) \| ( 1L << 9) \| (1L << 10)), &cert_format))
1034	goto opthelp;
1035	break;
1036	case OPT_CRLFORM:
1037	if (!opt_format(opt_arg(), OPT_FMT_PEMDER(1L << 1), &crl_format))
1038	goto opthelp;
1039	break;
1040	case OPT_VERIFY_RET_ERROR:
1041	verify = SSL_VERIFY_PEER0x01;
1042	verify_args.return_error = 1;
1043	break;
1044	case OPT_VERIFY_QUIET:
1045	verify_args.quiet = 1;
1046	break;
1047	case OPT_BRIEF:
1048	c_brief = verify_args.quiet = c_quiet = 1;
1049	break;
1050	case OPT_S_CASESOPT_S__FIRST: case OPT_S__LAST: break; case OPT_S_NOSSL3: case OPT_S_NOTLS1: case OPT_S_NOTLS1_1: case OPT_S_NOTLS1_2: case OPT_S_NOTLS1_3: case OPT_S_BUGS: case OPT_S_NO_COMP: case OPT_S_COMP : case OPT_S_NOTICKET: case OPT_S_SERVERPREF: case OPT_S_LEGACYRENEG : case OPT_S_CLIENTRENEG: case OPT_S_LEGACYCONN: case OPT_S_ONRESUMP : case OPT_S_NOLEGACYCONN: case OPT_S_ALLOW_NO_DHE_KEX: case OPT_S_PRIORITIZE_CHACHA : case OPT_S_STRICT: case OPT_S_SIGALGS: case OPT_S_CLIENTSIGALGS : case OPT_S_GROUPS: case OPT_S_CURVES: case OPT_S_NAMEDCURVE : case OPT_S_CIPHER: case OPT_S_CIPHERSUITES: case OPT_S_RECORD_PADDING : case OPT_S_NO_RENEGOTIATION: case OPT_S_MINPROTO: case OPT_S_MAXPROTO : case OPT_S_DEBUGBROKE: case OPT_S_NO_MIDDLEBOX: case OPT_S_NO_ETM:
1051	if (ssl_args == NULL((void*)0))
1052	ssl_args = sk_OPENSSL_STRING_new_null()((struct stack_st_OPENSSL_STRING *)OPENSSL_sk_new_null());
1053	if (ssl_args == NULL((void*)0)
1054	\|\| !sk_OPENSSL_STRING_push(ssl_args, opt_flag())OPENSSL_sk_push(ossl_check_OPENSSL_STRING_sk_type(ssl_args), ossl_check_OPENSSL_STRING_type (opt_flag()))
1055	\|\| !sk_OPENSSL_STRING_push(ssl_args, opt_arg())OPENSSL_sk_push(ossl_check_OPENSSL_STRING_sk_type(ssl_args), ossl_check_OPENSSL_STRING_type (opt_arg()))) {
1056	BIO_printf(bio_err, "%s: Memory allocation failure\n", prog);
1057	goto end;
1058	}
1059	break;
1060	case OPT_V_CASESOPT_V__FIRST: case OPT_V__LAST: break; case OPT_V_POLICY: case OPT_V_PURPOSE: case OPT_V_VERIFY_NAME: case OPT_V_VERIFY_DEPTH : case OPT_V_VERIFY_AUTH_LEVEL: case OPT_V_ATTIME: case OPT_V_VERIFY_HOSTNAME : case OPT_V_VERIFY_EMAIL: case OPT_V_VERIFY_IP: case OPT_V_IGNORE_CRITICAL : case OPT_V_ISSUER_CHECKS: case OPT_V_CRL_CHECK: case OPT_V_CRL_CHECK_ALL : case OPT_V_POLICY_CHECK: case OPT_V_EXPLICIT_POLICY: case OPT_V_INHIBIT_ANY : case OPT_V_INHIBIT_MAP: case OPT_V_X509_STRICT: case OPT_V_EXTENDED_CRL : case OPT_V_USE_DELTAS: case OPT_V_POLICY_PRINT: case OPT_V_CHECK_SS_SIG : case OPT_V_TRUSTED_FIRST: case OPT_V_SUITEB_128_ONLY: case OPT_V_SUITEB_128 : case OPT_V_SUITEB_192: case OPT_V_PARTIAL_CHAIN: case OPT_V_NO_ALT_CHAINS : case OPT_V_NO_CHECK_TIME: case OPT_V_ALLOW_PROXY_CERTS:
1061	if (!opt_verify(o, vpm))
1062	goto end;
1063	vpmtouched++;
1064	break;
1065	case OPT_X_CASESOPT_X__FIRST: case OPT_X__LAST: break; case OPT_X_KEY: case OPT_X_CERT : case OPT_X_CHAIN: case OPT_X_CHAIN_BUILD: case OPT_X_CERTFORM : case OPT_X_KEYFORM:
1066	if (!args_excert(o, &exc))
1067	goto end;
1068	break;
1069	case OPT_IGNORE_UNEXPECTED_EOF:
1070	ignore_unexpected_eof = 1;
1071	break;
1072	case OPT_PREXIT:
1073	prexit = 1;
1074	break;
1075	case OPT_CRLF:
1076	crlf = 1;
1077	break;
1078	case OPT_QUIET:
1079	c_quiet = c_ign_eof = 1;
1080	break;
1081	case OPT_NBIO:
1082	c_nbio = 1;
1083	break;
1084	case OPT_NOCMDS:
1085	cmdletters = 0;
1086	break;
1087	case OPT_ENGINE:
1088	e = setup_engine(opt_arg(), 1)setup_engine_methods(opt_arg(), (unsigned int)-1, 1);
1089	break;
1090	case OPT_SSL_CLIENT_ENGINE:
1091	#ifndef OPENSSL_NO_ENGINE
1092	ssl_client_engine = setup_engine(opt_arg(), 0)setup_engine_methods(opt_arg(), (unsigned int)-1, 0);
1093	if (ssl_client_engine == NULL((void*)0)) {
1094	BIO_printf(bio_err, "Error getting client auth engine\n");
1095	goto opthelp;
1096	}
1097	#endif
1098	break;
1099	case OPT_R_CASESOPT_R__FIRST: case OPT_R__LAST: break; case OPT_R_RAND: case OPT_R_WRITERAND:
1100	if (!opt_rand(o))
1101	goto end;
1102	break;
1103	case OPT_PROV_CASESOPT_PROV__FIRST: case OPT_PROV__LAST: break; case OPT_PROV_PROVIDER : case OPT_PROV_PROVIDER_PATH: case OPT_PROV_PROPQUERY:
1104	if (!opt_provider(o))
1105	goto end;
1106	break;
1107	case OPT_IGN_EOF:
1108	c_ign_eof = 1;
1109	break;
1110	case OPT_NO_IGN_EOF:
1111	c_ign_eof = 0;
1112	break;
1113	case OPT_DEBUG:
1114	c_debug = 1;
1115	break;
1116	case OPT_TLSEXTDEBUG:
1117	c_tlsextdebug = 1;
1118	break;
1119	case OPT_STATUS:
1120	#ifndef OPENSSL_NO_OCSP
1121	c_status_req = 1;
1122	#endif
1123	break;
1124	case OPT_WDEBUG:
1125	#ifdef WATT32
1126	dbug_init();
1127	#endif
1128	break;
1129	case OPT_MSG:
1130	c_msg = 1;
1131	break;
1132	case OPT_MSGFILE:
1133	bio_c_msg = BIO_new_file(opt_arg(), "w");
1134	if (bio_c_msg == NULL((void*)0)) {
1135	BIO_printf(bio_err, "Error writing file %s\n", opt_arg());
1136	goto end;
1137	}
1138	break;
1139	case OPT_TRACE:
1140	#ifndef OPENSSL_NO_SSL_TRACE
1141	c_msg = 2;
1142	#endif
1143	break;
1144	case OPT_SECURITY_DEBUG:
1145	sdebug = 1;
1146	break;
1147	case OPT_SECURITY_DEBUG_VERBOSE:
1148	sdebug = 2;
1149	break;
1150	case OPT_SHOWCERTS:
1151	c_showcerts = 1;
1152	break;
1153	case OPT_NBIO_TEST:
1154	nbio_test = 1;
1155	break;
1156	case OPT_STATE:
1157	state = 1;
1158	break;
1159	case OPT_PSK_IDENTITY:
1160	psk_identity = opt_arg();
1161	break;
1162	case OPT_PSK:
1163	for (p = psk_key = opt_arg(); *p; p++) {
1164	if (isxdigit(_UC(p))((__ctype_b_loc ())[(int) ((((unsigned char)(*p))))] & ( unsigned short int) _ISxdigit))
1165	continue;
1166	BIO_printf(bio_err, "Not a hex number '%s'\n", psk_key);
1167	goto end;
1168	}
1169	break;
1170	case OPT_PSK_SESS:
1171	psksessf = opt_arg();
1172	break;
1173	#ifndef OPENSSL_NO_SRP
1174	case OPT_SRPUSER:
1175	srp_arg.srplogin = opt_arg();
1176	if (min_version < TLS1_VERSION0x0301)
1177	min_version = TLS1_VERSION0x0301;
1178	break;
1179	case OPT_SRPPASS:
1180	srppass = opt_arg();
1181	if (min_version < TLS1_VERSION0x0301)
1182	min_version = TLS1_VERSION0x0301;
1183	break;
1184	case OPT_SRP_STRENGTH:
1185	srp_arg.strength = atoi(opt_arg());
1186	BIO_printf(bio_err, "SRP minimal length for N is %d\n",
1187	srp_arg.strength);
1188	if (min_version < TLS1_VERSION0x0301)
1189	min_version = TLS1_VERSION0x0301;
1190	break;
1191	case OPT_SRP_LATEUSER:
1192	srp_lateuser = 1;
1193	if (min_version < TLS1_VERSION0x0301)
1194	min_version = TLS1_VERSION0x0301;
1195	break;
1196	case OPT_SRP_MOREGROUPS:
1197	srp_arg.amp = 1;
1198	if (min_version < TLS1_VERSION0x0301)
1199	min_version = TLS1_VERSION0x0301;
1200	break;
1201	#endif
1202	case OPT_SSL_CONFIG:
1203	ssl_config = opt_arg();
1204	break;
1205	case OPT_SSL3:
1206	min_version = SSL3_VERSION0x0300;
1207	max_version = SSL3_VERSION0x0300;
1208	socket_type = SOCK_STREAMSOCK_STREAM;
1209	#ifndef OPENSSL_NO_DTLS
1210	isdtls = 0;
1211	#endif
1212	break;
1213	case OPT_TLS1_3:
1214	min_version = TLS1_3_VERSION0x0304;
1215	max_version = TLS1_3_VERSION0x0304;
1216	socket_type = SOCK_STREAMSOCK_STREAM;
1217	#ifndef OPENSSL_NO_DTLS
1218	isdtls = 0;
1219	#endif
1220	break;
1221	case OPT_TLS1_2:
1222	min_version = TLS1_2_VERSION0x0303;
1223	max_version = TLS1_2_VERSION0x0303;
1224	socket_type = SOCK_STREAMSOCK_STREAM;
1225	#ifndef OPENSSL_NO_DTLS
1226	isdtls = 0;
1227	#endif
1228	break;
1229	case OPT_TLS1_1:
1230	min_version = TLS1_1_VERSION0x0302;
1231	max_version = TLS1_1_VERSION0x0302;
1232	socket_type = SOCK_STREAMSOCK_STREAM;
1233	#ifndef OPENSSL_NO_DTLS
1234	isdtls = 0;
1235	#endif
1236	break;
1237	case OPT_TLS1:
1238	min_version = TLS1_VERSION0x0301;
1239	max_version = TLS1_VERSION0x0301;
1240	socket_type = SOCK_STREAMSOCK_STREAM;
1241	#ifndef OPENSSL_NO_DTLS
1242	isdtls = 0;
1243	#endif
1244	break;
1245	case OPT_DTLS:
1246	#ifndef OPENSSL_NO_DTLS
1247	meth = DTLS_client_method();
1248	socket_type = SOCK_DGRAMSOCK_DGRAM;
1249	isdtls = 1;
1250	#endif
1251	break;
1252	case OPT_DTLS1:
1253	#ifndef OPENSSL_NO_DTLS1
1254	meth = DTLS_client_method();
1255	min_version = DTLS1_VERSION0xFEFF;
1256	max_version = DTLS1_VERSION0xFEFF;
1257	socket_type = SOCK_DGRAMSOCK_DGRAM;
1258	isdtls = 1;
1259	#endif
1260	break;
1261	case OPT_DTLS1_2:
1262	#ifndef OPENSSL_NO_DTLS1_2
1263	meth = DTLS_client_method();
1264	min_version = DTLS1_2_VERSION0xFEFD;
1265	max_version = DTLS1_2_VERSION0xFEFD;
1266	socket_type = SOCK_DGRAMSOCK_DGRAM;
1267	isdtls = 1;
1268	#endif
1269	break;
1270	case OPT_SCTP:
1271	#ifndef OPENSSL_NO_SCTP
1272	protocol = IPPROTO_SCTPIPPROTO_SCTP;
1273	#endif
1274	break;
1275	case OPT_SCTP_LABEL_BUG:
1276	#ifndef OPENSSL_NO_SCTP
1277	sctp_label_bug = 1;
1278	#endif
1279	break;
1280	case OPT_TIMEOUT:
1281	#ifndef OPENSSL_NO_DTLS
1282	enable_timeouts = 1;
1283	#endif
1284	break;
1285	case OPT_MTU:
1286	#ifndef OPENSSL_NO_DTLS
1287	socket_mtu = atol(opt_arg());
1288	#endif
1289	break;
1290	case OPT_FALLBACKSCSV:
1291	fallback_scsv = 1;
1292	break;
1293	case OPT_KEYFORM:
1294	if (!opt_format(opt_arg(), OPT_FMT_ANY( (1L << 1) \| (1L << 2) \| (1L << 3) \| (1L << 4) \| (1L << 5) \| (1L << 7) \| (1L << 8) \| ( 1L << 9) \| (1L << 10)), &key_format))
1295	goto opthelp;
1296	break;
1297	case OPT_PASS:
1298	passarg = opt_arg();
1299	break;
1300	case OPT_CERT_CHAIN:
1301	chain_file = opt_arg();
1302	break;
1303	case OPT_KEY:
1304	key_file = opt_arg();
1305	break;
1306	case OPT_RECONNECT:
1307	reconnect = 5;
1308	break;
1309	case OPT_CAPATH:
1310	CApath = opt_arg();
1311	break;
1312	case OPT_NOCAPATH:
1313	noCApath = 1;
1314	break;
1315	case OPT_CHAINCAPATH:
1316	chCApath = opt_arg();
1317	break;
1318	case OPT_VERIFYCAPATH:
1319	vfyCApath = opt_arg();
1320	break;
1321	case OPT_BUILD_CHAIN:
1322	build_chain = 1;
1323	break;
1324	case OPT_REQCAFILE:
1325	ReqCAfile = opt_arg();
1326	break;
1327	case OPT_CAFILE:
1328	CAfile = opt_arg();
1329	break;
1330	case OPT_NOCAFILE:
1331	noCAfile = 1;
1332	break;
1333	#ifndef OPENSSL_NO_CT
1334	case OPT_NOCT:
1335	ct_validation = 0;
1336	break;
1337	case OPT_CT:
1338	ct_validation = 1;
1339	break;
1340	case OPT_CTLOG_FILE:
1341	ctlog_file = opt_arg();
1342	break;
1343	#endif
1344	case OPT_CHAINCAFILE:
1345	chCAfile = opt_arg();
1346	break;
1347	case OPT_VERIFYCAFILE:
1348	vfyCAfile = opt_arg();
1349	break;
1350	case OPT_CASTORE:
1351	CAstore = opt_arg();
1352	break;
1353	case OPT_NOCASTORE:
1354	noCAstore = 1;
1355	break;
1356	case OPT_CHAINCASTORE:
1357	chCAstore = opt_arg();
1358	break;
1359	case OPT_VERIFYCASTORE:
1360	vfyCAstore = opt_arg();
1361	break;
1362	case OPT_DANE_TLSA_DOMAIN:
1363	dane_tlsa_domain = opt_arg();
1364	break;
1365	case OPT_DANE_TLSA_RRDATA:
1366	if (dane_tlsa_rrset == NULL((void*)0))
1367	dane_tlsa_rrset = sk_OPENSSL_STRING_new_null()((struct stack_st_OPENSSL_STRING *)OPENSSL_sk_new_null());
1368	if (dane_tlsa_rrset == NULL((void*)0) \|\|
1369	!sk_OPENSSL_STRING_push(dane_tlsa_rrset, opt_arg())OPENSSL_sk_push(ossl_check_OPENSSL_STRING_sk_type(dane_tlsa_rrset ), ossl_check_OPENSSL_STRING_type(opt_arg()))) {
1370	BIO_printf(bio_err, "%s: Memory allocation failure\n", prog);
1371	goto end;
1372	}
1373	break;
1374	case OPT_DANE_EE_NO_NAME:
1375	dane_ee_no_name = 1;
1376	break;
1377	case OPT_NEXTPROTONEG:
1378	#ifndef OPENSSL_NO_NEXTPROTONEG
1379	next_proto_neg_in = opt_arg();
1380	#endif
1381	break;
1382	case OPT_ALPN:
1383	alpn_in = opt_arg();
1384	break;
1385	case OPT_SERVERINFO:
1386	p = opt_arg();
1387	len = strlen(p);
1388	for (start = 0, i = 0; i <= len; ++i) {
1389	if (i == len \|\| p[i] == ',') {
1390	serverinfo_types[serverinfo_count] = atoi(p + start);
1391	if (++serverinfo_count == MAX_SI_TYPES100)
1392	break;
1393	start = i + 1;
1394	}
1395	}
1396	break;
1397	case OPT_STARTTLS:
1398	if (!opt_pair(opt_arg(), services, &starttls_proto))
1399	goto end;
1400	break;
1401	case OPT_SERVERNAME:
1402	servername = opt_arg();
1403	break;
1404	case OPT_NOSERVERNAME:
1405	noservername = 1;
1406	break;
1407	case OPT_USE_SRTP:
1408	#ifndef OPENSSL_NO_SRTP
1409	srtp_profiles = opt_arg();
1410	#endif
1411	break;
1412	case OPT_KEYMATEXPORT:
1413	keymatexportlabel = opt_arg();
1414	break;
1415	case OPT_KEYMATEXPORTLEN:
1416	keymatexportlen = atoi(opt_arg());
1417	break;
1418	case OPT_ASYNC:
1419	async = 1;
1420	break;
1421	case OPT_MAXFRAGLEN:
1422	len = atoi(opt_arg());
1423	switch (len) {
1424	case 512:
1425	maxfraglen = TLSEXT_max_fragment_length_5121;
1426	break;
1427	case 1024:
1428	maxfraglen = TLSEXT_max_fragment_length_10242;
1429	break;
1430	case 2048:
1431	maxfraglen = TLSEXT_max_fragment_length_20483;
1432	break;
1433	case 4096:
1434	maxfraglen = TLSEXT_max_fragment_length_40964;
1435	break;
1436	default:
1437	BIO_printf(bio_err,
1438	"%s: Max Fragment Len %u is out of permitted values",
1439	prog, len);
1440	goto opthelp;
1441	}
1442	break;
1443	case OPT_MAX_SEND_FRAG:
1444	max_send_fragment = atoi(opt_arg());
1445	break;
1446	case OPT_SPLIT_SEND_FRAG:
1447	split_send_fragment = atoi(opt_arg());
1448	break;
1449	case OPT_MAX_PIPELINES:
1450	max_pipelines = atoi(opt_arg());
1451	break;
1452	case OPT_READ_BUF:
1453	read_buf_len = atoi(opt_arg());
1454	break;
1455	case OPT_KEYLOG_FILE:
1456	keylog_file = opt_arg();
1457	break;
1458	case OPT_EARLY_DATA:
1459	early_data_file = opt_arg();
1460	break;
1461	case OPT_ENABLE_PHA:
1462	enable_pha = 1;
1463	break;
1464	}
1465	}
1466
1467	/* Optional argument is connect string if -connect not used. */
1468	argc = opt_num_rest();
1469	if (argc == 1) {
1470	/* Don't allow -connect and a separate argument. */
1471	if (connectstr != NULL((void*)0)) {
1472	BIO_printf(bio_err,
1473	"%s: cannot provide both -connect option and target parameter\n",
1474	prog);
1475	goto opthelp;
1476	}
1477	connect_type = use_inet;
	Value stored to 'connect_type' is never read
1478	freeandcopy(&connectstr, *opt_rest());
1479	} else if (argc != 0) {
1480	goto opthelp;
1481	}
1482	if (!app_RAND_load())
1483	goto end;
1484
1485	if (count4or6 >= 2) {
1486	BIO_printf(bio_err, "%s: Can't use both -4 and -6\n", prog);
1487	goto opthelp;
1488	}
1489	if (noservername) {
1490	if (servername != NULL((void*)0)) {
1491	BIO_printf(bio_err,
1492	"%s: Can't use -servername and -noservername together\n",
1493	prog);
1494	goto opthelp;
1495	}
1496	if (dane_tlsa_domain != NULL((void*)0)) {
1497	BIO_printf(bio_err,
1498	"%s: Can't use -dane_tlsa_domain and -noservername together\n",
1499	prog);
1500	goto opthelp;
1501	}
1502	}
1503
1504	#ifndef OPENSSL_NO_NEXTPROTONEG
1505	if (min_version == TLS1_3_VERSION0x0304 && next_proto_neg_in != NULL((void*)0)) {
1506	BIO_printf(bio_err, "Cannot supply -nextprotoneg with TLSv1.3\n");
1507	goto opthelp;
1508	}
1509	#endif
1510
1511	if (connectstr != NULL((void*)0)) {
1512	int res;
1513	char tmp_host = host, tmp_port = port;
1514
1515	res = BIO_parse_hostserv(connectstr, &host, &port, BIO_PARSE_PRIO_HOST);
1516	if (tmp_host != host)
1517	OPENSSL_free(tmp_host)CRYPTO_free(tmp_host, "../deps/openssl/openssl/apps/s_client.c" , 1517);
1518	if (tmp_port != port)
1519	OPENSSL_free(tmp_port)CRYPTO_free(tmp_port, "../deps/openssl/openssl/apps/s_client.c" , 1519);
1520	if (!res) {
1521	BIO_printf(bio_err,
1522	"%s: -connect argument or target parameter malformed or ambiguous\n",
1523	prog);
1524	goto end;
1525	}
1526	}
1527
1528	if (proxystr != NULL((void*)0)) {
1529	int res;
1530	char tmp_host = host, tmp_port = port;
1531
1532	if (host == NULL((void)0) \|\| port == NULL((void)0)) {
1533	BIO_printf(bio_err, "%s: -proxy requires use of -connect or target parameter\n", prog);
1534	goto opthelp;
1535	}
1536
1537	if (servername == NULL((void*)0) && !noservername) {
1538	servername = sname_alloc = OPENSSL_strdup(host)CRYPTO_strdup(host, "../deps/openssl/openssl/apps/s_client.c" , 1538);
1539	if (sname_alloc == NULL((void*)0)) {
1540	BIO_printf(bio_err, "%s: out of memory\n", prog);
1541	goto end;
1542	}
1543	}
1544
1545	/* Retain the original target host:port for use in the HTTP proxy connect string */
1546	thost = OPENSSL_strdup(host)CRYPTO_strdup(host, "../deps/openssl/openssl/apps/s_client.c" , 1546);
1547	tport = OPENSSL_strdup(port)CRYPTO_strdup(port, "../deps/openssl/openssl/apps/s_client.c" , 1547);
1548	if (thost == NULL((void)0) \|\| tport == NULL((void)0)) {
1549	BIO_printf(bio_err, "%s: out of memory\n", prog);
1550	goto end;
1551	}
1552
1553	res = BIO_parse_hostserv(proxystr, &host, &port, BIO_PARSE_PRIO_HOST);
1554	if (tmp_host != host)
1555	OPENSSL_free(tmp_host)CRYPTO_free(tmp_host, "../deps/openssl/openssl/apps/s_client.c" , 1555);
1556	if (tmp_port != port)
1557	OPENSSL_free(tmp_port)CRYPTO_free(tmp_port, "../deps/openssl/openssl/apps/s_client.c" , 1557);
1558	if (!res) {
1559	BIO_printf(bio_err,
1560	"%s: -proxy argument malformed or ambiguous\n", prog);
1561	goto end;
1562	}
1563	}
1564
1565	if (bindstr != NULL((void*)0)) {
1566	int res;
1567	res = BIO_parse_hostserv(bindstr, &bindhost, &bindport,
1568	BIO_PARSE_PRIO_HOST);
1569	if (!res) {
1570	BIO_printf(bio_err,
1571	"%s: -bind argument parameter malformed or ambiguous\n",
1572	prog);
1573	goto end;
1574	}
1575	}
1576
1577	#ifdef AF_UNIX1
1578	if (socket_family == AF_UNIX1 && socket_type != SOCK_STREAMSOCK_STREAM) {
1579	BIO_printf(bio_err,
1580	"Can't use unix sockets and datagrams together\n");
1581	goto end;
1582	}
1583	#endif
1584
1585	#ifndef OPENSSL_NO_SCTP
1586	if (protocol == IPPROTO_SCTPIPPROTO_SCTP) {
1587	if (socket_type != SOCK_DGRAMSOCK_DGRAM) {
1588	BIO_printf(bio_err, "Can't use -sctp without DTLS\n");
1589	goto end;
1590	}
1591	/* SCTP is unusual. It uses DTLS over a SOCK_STREAM protocol */
1592	socket_type = SOCK_STREAMSOCK_STREAM;
1593	}
1594	#endif
1595
1596	#if !defined(OPENSSL_NO_NEXTPROTONEG)
1597	next_proto.status = -1;
1598	if (next_proto_neg_in) {
1599	next_proto.data =
1600	next_protos_parse(&next_proto.len, next_proto_neg_in);
1601	if (next_proto.data == NULL((void*)0)) {
1602	BIO_printf(bio_err, "Error parsing -nextprotoneg argument\n");
1603	goto end;
1604	}
1605	} else
1606	next_proto.data = NULL((void*)0);
1607	#endif
1608
1609	if (!app_passwd(passarg, NULL((void)0), &pass, NULL((void)0))) {
1610	BIO_printf(bio_err, "Error getting private key password\n");
1611	goto end;
1612	}
1613
1614	if (!app_passwd(proxypassarg, NULL((void)0), &proxypass, NULL((void)0))) {
1615	BIO_printf(bio_err, "Error getting proxy password\n");
1616	goto end;
1617	}
1618
1619	if (proxypass != NULL((void)0) && proxyuser == NULL((void)0)) {
1620	BIO_printf(bio_err, "Error: Must specify proxy_user with proxy_pass\n");
1621	goto end;
1622	}
1623
1624	if (key_file == NULL((void*)0))
1625	key_file = cert_file;
1626
1627	if (key_file != NULL((void*)0)) {
1628	key = load_key(key_file, key_format, 0, pass, e,
1629	"client certificate private key");
1630	if (key == NULL((void*)0))
1631	goto end;
1632	}
1633
1634	if (cert_file != NULL((void*)0)) {
1635	cert = load_cert_pass(cert_file, cert_format, 1, pass,
1636	"client certificate");
1637	if (cert == NULL((void*)0))
1638	goto end;
1639	}
1640
1641	if (chain_file != NULL((void*)0)) {
1642	if (!load_certs(chain_file, 0, &chain, pass, "client certificate chain"))
1643	goto end;
1644	}
1645
1646	if (crl_file != NULL((void*)0)) {
1647	X509_CRL *crl;
1648	crl = load_crl(crl_file, crl_format, 0, "CRL");
1649	if (crl == NULL((void*)0))
1650	goto end;
1651	crls = sk_X509_CRL_new_null()((struct stack_st_X509_CRL *)OPENSSL_sk_new_null());
1652	if (crls == NULL((void*)0) \|\| !sk_X509_CRL_push(crls, crl)OPENSSL_sk_push(ossl_check_X509_CRL_sk_type(crls), ossl_check_X509_CRL_type (crl))) {
1653	BIO_puts(bio_err, "Error adding CRL\n");
1654	ERR_print_errors(bio_err);
1655	X509_CRL_free(crl);
1656	goto end;
1657	}
1658	}
1659
1660	if (!load_excert(&exc))
1661	goto end;
1662
1663	if (bio_c_out == NULL((void*)0)) {
1664	if (c_quiet && !c_debug) {
1665	bio_c_out = BIO_new(BIO_s_null());
1666	if (c_msg && bio_c_msg == NULL((void*)0)) {
1667	bio_c_msg = dup_bio_out(FORMAT_TEXT(1 \| 0x8000));
1668	if (bio_c_msg == NULL((void*)0)) {
1669	BIO_printf(bio_err, "Out of memory\n");
1670	goto end;
1671	}
1672	}
1673	} else {
1674	bio_c_out = dup_bio_out(FORMAT_TEXT(1 \| 0x8000));
1675	}
1676
1677	if (bio_c_out == NULL((void*)0)) {
1678	BIO_printf(bio_err, "Unable to create BIO\n");
1679	goto end;
1680	}
1681	}
1682	#ifndef OPENSSL_NO_SRP
1683	if (!app_passwd(srppass, NULL((void)0), &srp_arg.srppassin, NULL((void)0))) {
1684	BIO_printf(bio_err, "Error getting password\n");
1685	goto end;
1686	}
1687	#endif
1688
1689	ctx = SSL_CTX_new_ex(app_get0_libctx(), app_get0_propq(), meth);
1690	if (ctx == NULL((void*)0)) {
1691	ERR_print_errors(bio_err);
1692	goto end;
1693	}
1694
1695	SSL_CTX_clear_mode(ctx, SSL_MODE_AUTO_RETRY)SSL_CTX_ctrl((ctx),78,(0x00000004U),((void*)0));
1696
1697	if (sdebug)
1698	ssl_ctx_security_debug(ctx, sdebug);
1699
1700	if (!config_ctx(cctx, ssl_args, ctx))
1701	goto end;
1702
1703	if (ssl_config != NULL((void*)0)) {
1704	if (SSL_CTX_config(ctx, ssl_config) == 0) {
1705	BIO_printf(bio_err, "Error using configuration \"%s\"\n",
1706	ssl_config);
1707	ERR_print_errors(bio_err);
1708	goto end;
1709	}
1710	}
1711
1712	#ifndef OPENSSL_NO_SCTP
1713	if (protocol == IPPROTO_SCTPIPPROTO_SCTP && sctp_label_bug == 1)
1714	SSL_CTX_set_mode(ctx, SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG)SSL_CTX_ctrl((ctx),33,(0x00000400U),((void*)0));
1715	#endif
1716
1717	if (min_version != 0
1718	&& SSL_CTX_set_min_proto_version(ctx, min_version)SSL_CTX_ctrl(ctx, 123, min_version, ((void*)0)) == 0)
1719	goto end;
1720	if (max_version != 0
1721	&& SSL_CTX_set_max_proto_version(ctx, max_version)SSL_CTX_ctrl(ctx, 124, max_version, ((void*)0)) == 0)
1722	goto end;
1723
1724	if (ignore_unexpected_eof)
1725	SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF((uint64_t)1 << (uint64_t)7));
1726
1727	if (vpmtouched && !SSL_CTX_set1_param(ctx, vpm)) {
1728	BIO_printf(bio_err, "Error setting verify params\n");
1729	ERR_print_errors(bio_err);
1730	goto end;
1731	}
1732
1733	if (async) {
1734	SSL_CTX_set_mode(ctx, SSL_MODE_ASYNC)SSL_CTX_ctrl((ctx),33,(0x00000100U),((void*)0));
1735	}
1736
1737	if (max_send_fragment > 0
1738	&& !SSL_CTX_set_max_send_fragment(ctx, max_send_fragment)SSL_CTX_ctrl(ctx,52,max_send_fragment,((void*)0))) {
1739	BIO_printf(bio_err, "%s: Max send fragment size %u is out of permitted range\n",
1740	prog, max_send_fragment);
1741	goto end;
1742	}
1743
1744	if (split_send_fragment > 0
1745	&& !SSL_CTX_set_split_send_fragment(ctx, split_send_fragment)SSL_CTX_ctrl(ctx,125,split_send_fragment,((void*)0))) {
1746	BIO_printf(bio_err, "%s: Split send fragment size %u is out of permitted range\n",
1747	prog, split_send_fragment);
1748	goto end;
1749	}
1750
1751	if (max_pipelines > 0
1752	&& !SSL_CTX_set_max_pipelines(ctx, max_pipelines)SSL_CTX_ctrl(ctx,126,max_pipelines,((void*)0))) {
1753	BIO_printf(bio_err, "%s: Max pipelines %u is out of permitted range\n",
1754	prog, max_pipelines);
1755	goto end;
1756	}
1757
1758	if (read_buf_len > 0) {
1759	SSL_CTX_set_default_read_buffer_len(ctx, read_buf_len);
1760	}
1761
1762	if (maxfraglen > 0
1763	&& !SSL_CTX_set_tlsext_max_fragment_length(ctx, maxfraglen)) {
1764	BIO_printf(bio_err,
1765	"%s: Max Fragment Length code %u is out of permitted values"
1766	"\n", prog, maxfraglen);
1767	goto end;
1768	}
1769
1770	if (!ssl_load_stores(ctx,
1771	vfyCApath, vfyCAfile, vfyCAstore,
1772	chCApath, chCAfile, chCAstore,
1773	crls, crl_download)) {
1774	BIO_printf(bio_err, "Error loading store locations\n");
1775	ERR_print_errors(bio_err);
1776	goto end;
1777	}
1778	if (ReqCAfile != NULL((void*)0)) {
1779	STACK_OF(X509_NAME)struct stack_st_X509_NAME nm = sk_X509_NAME_new_null()((struct stack_st_X509_NAME )OPENSSL_sk_new_null());
1780
1781	if (nm == NULL((void*)0) \|\| !SSL_add_file_cert_subjects_to_stack(nm, ReqCAfile)) {
1782	sk_X509_NAME_pop_free(nm, X509_NAME_free)OPENSSL_sk_pop_free(ossl_check_X509_NAME_sk_type(nm),ossl_check_X509_NAME_freefunc_type (X509_NAME_free));
1783	BIO_printf(bio_err, "Error loading CA names\n");
1784	ERR_print_errors(bio_err);
1785	goto end;
1786	}
1787	SSL_CTX_set0_CA_list(ctx, nm);
1788	}
1789	#ifndef OPENSSL_NO_ENGINE
1790	if (ssl_client_engine) {
1791	if (!SSL_CTX_set_client_cert_engine(ctx, ssl_client_engine)) {
1792	BIO_puts(bio_err, "Error setting client auth engine\n");
1793	ERR_print_errors(bio_err);
1794	release_engine(ssl_client_engine);
1795	goto end;
1796	}
1797	release_engine(ssl_client_engine);
1798	}
1799	#endif
1800
1801	#ifndef OPENSSL_NO_PSK
1802	if (psk_key != NULL((void*)0)) {
1803	if (c_debug)
1804	BIO_printf(bio_c_out, "PSK key given, setting client callback\n");
1805	SSL_CTX_set_psk_client_callback(ctx, psk_client_cb);
1806	}
1807	#endif
1808	if (psksessf != NULL((void*)0)) {
1809	BIO *stmp = BIO_new_file(psksessf, "r");
1810
1811	if (stmp == NULL((void*)0)) {
1812	BIO_printf(bio_err, "Can't open PSK session file %s\n", psksessf);
1813	ERR_print_errors(bio_err);
1814	goto end;
1815	}
1816	psksess = PEM_read_bio_SSL_SESSION(stmp, NULL((void)0), 0, NULL((void)0));
1817	BIO_free(stmp);
1818	if (psksess == NULL((void*)0)) {
1819	BIO_printf(bio_err, "Can't read PSK session file %s\n", psksessf);
1820	ERR_print_errors(bio_err);
1821	goto end;
1822	}
1823	}
1824	if (psk_key != NULL((void)0) \|\| psksess != NULL((void)0))
1825	SSL_CTX_set_psk_use_session_callback(ctx, psk_use_session_cb);
1826
1827	#ifndef OPENSSL_NO_SRTP
1828	if (srtp_profiles != NULL((void*)0)) {
1829	/* Returns 0 on success! */
1830	if (SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles) != 0) {
1831	BIO_printf(bio_err, "Error setting SRTP profile\n");
1832	ERR_print_errors(bio_err);
1833	goto end;
1834	}
1835	}
1836	#endif
1837
1838	if (exc != NULL((void*)0))
1839	ssl_ctx_set_excert(ctx, exc);
1840
1841	#if !defined(OPENSSL_NO_NEXTPROTONEG)
1842	if (next_proto.data != NULL((void*)0))
1843	SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);
1844	#endif
1845	if (alpn_in) {
1846	size_t alpn_len;
1847	unsigned char *alpn = next_protos_parse(&alpn_len, alpn_in);
1848
1849	if (alpn == NULL((void*)0)) {
1850	BIO_printf(bio_err, "Error parsing -alpn argument\n");
1851	goto end;
1852	}
1853	/* Returns 0 on success! */
1854	if (SSL_CTX_set_alpn_protos(ctx, alpn, alpn_len) != 0) {
1855	BIO_printf(bio_err, "Error setting ALPN\n");
1856	goto end;
1857	}
1858	OPENSSL_free(alpn)CRYPTO_free(alpn, "../deps/openssl/openssl/apps/s_client.c", 1858 );
1859	}
1860
1861	for (i = 0; i < serverinfo_count; i++) {
1862	if (!SSL_CTX_add_client_custom_ext(ctx,
1863	serverinfo_types[i],
1864	NULL((void)0), NULL((void)0), NULL((void*)0),
1865	serverinfo_cli_parse_cb, NULL((void*)0))) {
1866	BIO_printf(bio_err,
1867	"Warning: Unable to add custom extension %u, skipping\n",
1868	serverinfo_types[i]);
1869	}
1870	}
1871
1872	if (state)
1873	SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback);
1874
1875	#ifndef OPENSSL_NO_CT
1876	/* Enable SCT processing, without early connection termination */
1877	if (ct_validation &&
1878	!SSL_CTX_enable_ct(ctx, SSL_CT_VALIDATION_PERMISSIVE)) {
1879	ERR_print_errors(bio_err);
1880	goto end;
1881	}
1882
1883	if (!ctx_set_ctlog_list_file(ctx, ctlog_file)) {
1884	if (ct_validation) {
1885	ERR_print_errors(bio_err);
1886	goto end;
1887	}
1888
1889	/*
1890	* If CT validation is not enabled, the log list isn't needed so don't
1891	* show errors or abort. We try to load it regardless because then we
1892	* can show the names of the logs any SCTs came from (SCTs may be seen
1893	* even with validation disabled).
1894	*/
1895	ERR_clear_error();
1896	}
1897	#endif
1898
1899	SSL_CTX_set_verify(ctx, verify, verify_callback);
1900
1901	if (!ctx_set_verify_locations(ctx, CAfile, noCAfile, CApath, noCApath,
1902	CAstore, noCAstore)) {
1903	ERR_print_errors(bio_err);
1904	goto end;
1905	}
1906
1907	ssl_ctx_add_crls(ctx, crls, crl_download);
1908
1909	if (!set_cert_key_stuff(ctx, cert, key, chain, build_chain))
1910	goto end;
1911
1912	if (!noservername) {
1913	tlsextcbp.biodebug = bio_err;
1914	SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb)SSL_CTX_callback_ctrl(ctx,53, (void (*)(void))ssl_servername_cb );
1915	SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp)SSL_CTX_ctrl(ctx,54,0,&tlsextcbp);
1916	}
1917	#ifndef OPENSSL_NO_SRP
1918	if (srp_arg.srplogin != NULL((void*)0)
1919	&& !set_up_srp_arg(ctx, &srp_arg, srp_lateuser, c_msg, c_debug))
1920	goto end;
1921	# endif
1922
1923	if (dane_tlsa_domain != NULL((void*)0)) {
1924	if (SSL_CTX_dane_enable(ctx) <= 0) {
1925	BIO_printf(bio_err,
1926	"%s: Error enabling DANE TLSA authentication.\n",
1927	prog);
1928	ERR_print_errors(bio_err);
1929	goto end;
1930	}
1931	}
1932
1933	/*
1934	* In TLSv1.3 NewSessionTicket messages arrive after the handshake and can
1935	* come at any time. Therefore we use a callback to write out the session
1936	* when we know about it. This approach works for < TLSv1.3 as well.
1937	*/
1938	SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_CLIENTSSL_CTX_ctrl(ctx,44,0x0001 \| 0x0200,((void*)0))
1939	\| SSL_SESS_CACHE_NO_INTERNAL_STORE)SSL_CTX_ctrl(ctx,44,0x0001 \| 0x0200,((void*)0));
1940	SSL_CTX_sess_set_new_cb(ctx, new_session_cb);
1941
1942	if (set_keylog_file(ctx, keylog_file))
1943	goto end;
1944
1945	con = SSL_new(ctx);
1946	if (con == NULL((void*)0))
1947	goto end;
1948
1949	if (enable_pha)
1950	SSL_set_post_handshake_auth(con, 1);
1951
1952	if (sess_in != NULL((void*)0)) {
1953	SSL_SESSION *sess;
1954	BIO *stmp = BIO_new_file(sess_in, "r");
1955	if (stmp == NULL((void*)0)) {
1956	BIO_printf(bio_err, "Can't open session file %s\n", sess_in);
1957	ERR_print_errors(bio_err);
1958	goto end;
1959	}
1960	sess = PEM_read_bio_SSL_SESSION(stmp, NULL((void)0), 0, NULL((void)0));
1961	BIO_free(stmp);
1962	if (sess == NULL((void*)0)) {
1963	BIO_printf(bio_err, "Can't open session file %s\n", sess_in);
1964	ERR_print_errors(bio_err);
1965	goto end;
1966	}
1967	if (!SSL_set_session(con, sess)) {
1968	BIO_printf(bio_err, "Can't set session\n");
1969	ERR_print_errors(bio_err);
1970	goto end;
1971	}
1972
1973	SSL_SESSION_free(sess);
1974	}
1975
1976	if (fallback_scsv)
1977	SSL_set_mode(con, SSL_MODE_SEND_FALLBACK_SCSV)SSL_ctrl((con),33,(0x00000080U),((void*)0));
1978
1979	if (!noservername && (servername != NULL((void)0) \|\| dane_tlsa_domain == NULL((void)0))) {
1980	if (servername == NULL((void*)0)) {
1981	if(host == NULL((void*)0) \|\| is_dNS_name(host))
1982	servername = (host == NULL((void*)0)) ? "localhost" : host;
1983	}
1984	if (servername != NULL((void)0) && !SSL_set_tlsext_host_name(con, servername)SSL_ctrl(con,55,0, (void )servername)) {
1985	BIO_printf(bio_err, "Unable to set TLS servername extension.\n");
1986	ERR_print_errors(bio_err);
1987	goto end;
1988	}
1989	}
1990
1991	if (dane_tlsa_domain != NULL((void*)0)) {
1992	if (SSL_dane_enable(con, dane_tlsa_domain) <= 0) {
1993	BIO_printf(bio_err, "%s: Error enabling DANE TLSA "
1994	"authentication.\n", prog);
1995	ERR_print_errors(bio_err);
1996	goto end;
1997	}
1998	if (dane_tlsa_rrset == NULL((void*)0)) {
1999	BIO_printf(bio_err, "%s: DANE TLSA authentication requires at "
2000	"least one -dane_tlsa_rrdata option.\n", prog);
2001	goto end;
2002	}
2003	if (tlsa_import_rrset(con, dane_tlsa_rrset) <= 0) {
2004	BIO_printf(bio_err, "%s: Failed to import any TLSA "
2005	"records.\n", prog);
2006	goto end;
2007	}
2008	if (dane_ee_no_name)
2009	SSL_dane_set_flags(con, DANE_FLAG_NO_DANE_EE_NAMECHECKS(1L << 0));
2010	} else if (dane_tlsa_rrset != NULL((void*)0)) {
2011	BIO_printf(bio_err, "%s: DANE TLSA authentication requires the "
2012	"-dane_tlsa_domain option.\n", prog);
2013	goto end;
2014	}
2015
2016	re_start:
2017	if (init_client(&sock, host, port, bindhost, bindport, socket_family,
2018	socket_type, protocol) == 0) {
2019	BIO_printf(bio_err, "connect:errno=%d\n", get_last_socket_error()(*__errno_location ()));
2020	BIO_closesocket(sock);
2021	goto end;
2022	}
2023	BIO_printf(bio_c_out, "CONNECTED(%08X)\n", sock);
2024
2025	if (c_nbio) {
2026	if (!BIO_socket_nbio(sock, 1)) {
2027	ERR_print_errors(bio_err);
2028	goto end;
2029	}
2030	BIO_printf(bio_c_out, "Turned on non blocking io\n");
2031	}
2032	#ifndef OPENSSL_NO_DTLS
2033	if (isdtls) {
2034	union BIO_sock_info_u peer_info;
2035
2036	#ifndef OPENSSL_NO_SCTP
2037	if (protocol == IPPROTO_SCTPIPPROTO_SCTP)
2038	sbio = BIO_new_dgram_sctp(sock, BIO_NOCLOSE0x00);
2039	else
2040	#endif
2041	sbio = BIO_new_dgram(sock, BIO_NOCLOSE0x00);
2042
2043	if (sbio == NULL((void)0) \|\| (peer_info.addr = BIO_ADDR_new()) == NULL((void)0)) {
2044	BIO_printf(bio_err, "memory allocation failure\n");
2045	BIO_free(sbio);
2046	BIO_closesocket(sock);
2047	goto end;
2048	}
2049	if (!BIO_sock_info(sock, BIO_SOCK_INFO_ADDRESS, &peer_info)) {
2050	BIO_printf(bio_err, "getsockname:errno=%d\n",
2051	get_last_socket_error()(*__errno_location ()));
2052	BIO_free(sbio);
2053	BIO_ADDR_free(peer_info.addr);
2054	BIO_closesocket(sock);
2055	goto end;
2056	}
2057
2058	(void)BIO_ctrl_set_connected(sbio, peer_info.addr)(int)BIO_ctrl(sbio, 32, 0, (char *)(peer_info.addr));
2059	BIO_ADDR_free(peer_info.addr);
2060	peer_info.addr = NULL((void*)0);
2061
2062	if (enable_timeouts) {
2063	timeout.tv_sec = 0;
2064	timeout.tv_usec = DGRAM_RCV_TIMEOUT250000;
2065	BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT33, 0, &timeout);
2066
2067	timeout.tv_sec = 0;
2068	timeout.tv_usec = DGRAM_SND_TIMEOUT250000;
2069	BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT35, 0, &timeout);
2070	}
2071
2072	if (socket_mtu) {
2073	if (socket_mtu < DTLS_get_link_min_mtu(con)SSL_ctrl((con),121,0,((void*)0))) {
2074	BIO_printf(bio_err, "MTU too small. Must be at least %ld\n",
2075	DTLS_get_link_min_mtu(con)SSL_ctrl((con),121,0,((void*)0)));
2076	BIO_free(sbio);
2077	goto shut;
2078	}
2079	SSL_set_options(con, SSL_OP_NO_QUERY_MTU((uint64_t)1 << (uint64_t)12));
2080	if (!DTLS_set_link_mtu(con, socket_mtu)SSL_ctrl((con),120,(socket_mtu),((void*)0))) {
2081	BIO_printf(bio_err, "Failed to set MTU\n");
2082	BIO_free(sbio);
2083	goto shut;
2084	}
2085	} else {
2086	/* want to do MTU discovery */
2087	BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER39, 0, NULL((void*)0));
2088	}
2089	} else
2090	#endif /* OPENSSL_NO_DTLS */
2091	sbio = BIO_new_socket(sock, BIO_NOCLOSE0x00);
2092
2093	if (sbio == NULL((void*)0)) {
2094	BIO_printf(bio_err, "Unable to create BIO\n");
2095	ERR_print_errors(bio_err);
2096	BIO_closesocket(sock);
2097	goto end;
2098	}
2099
2100	if (nbio_test) {
2101	BIO *test;
2102
2103	test = BIO_new(BIO_f_nbio_test());
2104	if (test == NULL((void*)0)) {
2105	BIO_printf(bio_err, "Unable to create BIO\n");
2106	BIO_free(sbio);
2107	goto shut;
2108	}
2109	sbio = BIO_push(test, sbio);
2110	}
2111
2112	if (c_debug) {
2113	BIO_set_callback_ex(sbio, bio_dump_callback);
2114	BIO_set_callback_arg(sbio, (char *)bio_c_out);
2115	}
2116	if (c_msg) {
2117	#ifndef OPENSSL_NO_SSL_TRACE
2118	if (c_msg == 2)
2119	SSL_set_msg_callback(con, SSL_trace);
2120	else
2121	#endif
2122	SSL_set_msg_callback(con, msg_cb);
2123	SSL_set_msg_callback_arg(con, bio_c_msg ? bio_c_msg : bio_c_out)SSL_ctrl((con), 16, 0, (bio_c_msg ? bio_c_msg : bio_c_out));
2124	}
2125
2126	if (c_tlsextdebug) {
2127	SSL_set_tlsext_debug_callback(con, tlsext_cb)SSL_callback_ctrl(con,56, (void (*)(void))tlsext_cb);
2128	SSL_set_tlsext_debug_arg(con, bio_c_out)SSL_ctrl(con,57,0,bio_c_out);
2129	}
2130	#ifndef OPENSSL_NO_OCSP
2131	if (c_status_req) {
2132	SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp)SSL_ctrl(con,65,1,((void*)0));
2133	SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb)SSL_CTX_callback_ctrl(ctx,63, (void (*)(void))ocsp_resp_cb);
2134	SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out)SSL_CTX_ctrl(ctx,64,0,bio_c_out);
2135	}
2136	#endif
2137
2138	SSL_set_bio(con, sbio, sbio);
2139	SSL_set_connect_state(con);
2140
2141	/* ok, lets connect */
2142	if (fileno_stdin() > SSL_get_fd(con))
2143	width = fileno_stdin() + 1;
2144	else
2145	width = SSL_get_fd(con) + 1;
2146
2147	read_tty = 1;
2148	write_tty = 0;
2149	tty_on = 0;
2150	read_ssl = 1;
2151	write_ssl = 1;
2152
2153	cbuf_len = 0;
2154	cbuf_off = 0;
2155	sbuf_len = 0;
2156	sbuf_off = 0;
2157
2158	if (proxystr != NULL((void*)0)) {
2159	/* Here we must use the connect string target host & port */
2160	if (!OSSL_HTTP_proxy_connect(sbio, thost, tport, proxyuser, proxypass,
2161	0 /* no timeout */, bio_err, prog))
2162	goto shut;
2163	}
2164
2165	switch ((PROTOCOL_CHOICE) starttls_proto) {
2166	case PROTO_OFF:
2167	break;
2168	case PROTO_LMTP:
2169	case PROTO_SMTP:
2170	{
2171	/*
2172	* This is an ugly hack that does a lot of assumptions. We do
2173	* have to handle multi-line responses which may come in a single
2174	* packet or not. We therefore have to use BIO_gets() which does
2175	* need a buffering BIO. So during the initial chitchat we do
2176	* push a buffering BIO into the chain that is removed again
2177	* later on to not disturb the rest of the s_client operation.
2178	*/
2179	int foundit = 0;
2180	BIO *fbio = BIO_new(BIO_f_buffer());
2181
2182	if (fbio == NULL((void*)0)) {
2183	BIO_printf(bio_err, "Unable to create BIO\n");
2184	goto shut;
2185	}
2186	BIO_push(fbio, sbio);
2187	/* Wait for multi-line response to end from LMTP or SMTP */
2188	do {
2189	mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ1024*8);
2190	} while (mbuf_len > 3 && mbuf[3] == '-');
2191	if (protohost == NULL((void*)0))
2192	protohost = "mail.example.com";
2193	if (starttls_proto == (int)PROTO_LMTP)
2194	BIO_printf(fbio, "LHLO %s\r\n", protohost);
2195	else
2196	BIO_printf(fbio, "EHLO %s\r\n", protohost);
2197	(void)BIO_flush(fbio)(int)BIO_ctrl(fbio,11,0,((void*)0));
2198	/*
2199	* Wait for multi-line response to end LHLO LMTP or EHLO SMTP
2200	* response.
2201	*/
2202	do {
2203	mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ1024*8);
2204	if (strstr(mbuf, "STARTTLS"))
2205	foundit = 1;
2206	} while (mbuf_len > 3 && mbuf[3] == '-');
2207	(void)BIO_flush(fbio)(int)BIO_ctrl(fbio,11,0,((void*)0));
2208	BIO_pop(fbio);
2209	BIO_free(fbio);
2210	if (!foundit)
2211	BIO_printf(bio_err,
2212	"Didn't find STARTTLS in server response,"
2213	" trying anyway...\n");
2214	BIO_printf(sbio, "STARTTLS\r\n");
2215	BIO_read(sbio, sbuf, BUFSIZZ1024*8);
2216	}
2217	break;
2218	case PROTO_POP3:
2219	{
2220	BIO_read(sbio, mbuf, BUFSIZZ1024*8);
2221	BIO_printf(sbio, "STLS\r\n");
2222	mbuf_len = BIO_read(sbio, sbuf, BUFSIZZ1024*8);
2223	if (mbuf_len < 0) {
2224	BIO_printf(bio_err, "BIO_read failed\n");
2225	goto end;
2226	}
2227	}
2228	break;
2229	case PROTO_IMAP:
2230	{
2231	int foundit = 0;
2232	BIO *fbio = BIO_new(BIO_f_buffer());
2233
2234	if (fbio == NULL((void*)0)) {
2235	BIO_printf(bio_err, "Unable to create BIO\n");
2236	goto shut;
2237	}
2238	BIO_push(fbio, sbio);
2239	BIO_gets(fbio, mbuf, BUFSIZZ1024*8);
2240	/* STARTTLS command requires CAPABILITY... */
2241	BIO_printf(fbio, ". CAPABILITY\r\n");
2242	(void)BIO_flush(fbio)(int)BIO_ctrl(fbio,11,0,((void*)0));
2243	/* wait for multi-line CAPABILITY response */
2244	do {
2245	mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ1024*8);
2246	if (strstr(mbuf, "STARTTLS"))
2247	foundit = 1;
2248	}
2249	while (mbuf_len > 3 && mbuf[0] != '.');
2250	(void)BIO_flush(fbio)(int)BIO_ctrl(fbio,11,0,((void*)0));
2251	BIO_pop(fbio);
2252	BIO_free(fbio);
2253	if (!foundit)
2254	BIO_printf(bio_err,
2255	"Didn't find STARTTLS in server response,"
2256	" trying anyway...\n");
2257	BIO_printf(sbio, ". STARTTLS\r\n");
2258	BIO_read(sbio, sbuf, BUFSIZZ1024*8);
2259	}
2260	break;
2261	case PROTO_FTP:
2262	{
2263	BIO *fbio = BIO_new(BIO_f_buffer());
2264
2265	if (fbio == NULL((void*)0)) {
2266	BIO_printf(bio_err, "Unable to create BIO\n");
2267	goto shut;
2268	}
2269	BIO_push(fbio, sbio);
2270	/* wait for multi-line response to end from FTP */
2271	do {
2272	mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ1024*8);
2273	}
2274	while (mbuf_len > 3 && (!isdigit(mbuf[0])((__ctype_b_loc ())[(int) ((mbuf[0]))] & (unsigned short int) _ISdigit) \|\| !isdigit(mbuf[1])((__ctype_b_loc ())[(int) ((mbuf[1]))] & (unsigned short int) _ISdigit) \|\| !isdigit(mbuf[2])((*__ctype_b_loc ())[(int) ((mbuf[2]))] & (unsigned short int) _ISdigit) \|\| mbuf[3] != ' '));
2275	(void)BIO_flush(fbio)(int)BIO_ctrl(fbio,11,0,((void*)0));
2276	BIO_pop(fbio);
2277	BIO_free(fbio);
2278	BIO_printf(sbio, "AUTH TLS\r\n");
2279	BIO_read(sbio, sbuf, BUFSIZZ1024*8);
2280	}
2281	break;
2282	case PROTO_XMPP:
2283	case PROTO_XMPP_SERVER:
2284	{
2285	int seen = 0;
2286	BIO_printf(sbio, "<stream:stream "
2287	"xmlns:stream='http://etherx.jabber.org/streams' "
2288	"xmlns='jabber:%s' to='%s' version='1.0'>",
2289	starttls_proto == PROTO_XMPP ? "client" : "server",
2290	protohost ? protohost : host);
2291	seen = BIO_read(sbio, mbuf, BUFSIZZ1024*8);
2292	if (seen < 0) {
2293	BIO_printf(bio_err, "BIO_read failed\n");
2294	goto end;
2295	}
2296	mbuf[seen] = '\0';
2297	while (!strstr
2298	(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'")
2299	&& !strstr(mbuf,
2300	"<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\""))
2301	{
2302	seen = BIO_read(sbio, mbuf, BUFSIZZ1024*8);
2303
2304	if (seen <= 0)
2305	goto shut;
2306
2307	mbuf[seen] = '\0';
2308	}
2309	BIO_printf(sbio,
2310	"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>");
2311	seen = BIO_read(sbio, sbuf, BUFSIZZ1024*8);
2312	if (seen < 0) {
2313	BIO_printf(bio_err, "BIO_read failed\n");
2314	goto shut;
2315	}
2316	sbuf[seen] = '\0';
2317	if (!strstr(sbuf, "<proceed"))
2318	goto shut;
2319	mbuf[0] = '\0';
2320	}
2321	break;
2322	case PROTO_TELNET:
2323	{
2324	static const unsigned char tls_do[] = {
2325	/* IAC DO START_TLS */
2326	255, 253, 46
2327	};
2328	static const unsigned char tls_will[] = {
2329	/* IAC WILL START_TLS */
2330	255, 251, 46
2331	};
2332	static const unsigned char tls_follows[] = {
2333	/* IAC SB START_TLS FOLLOWS IAC SE */
2334	255, 250, 46, 1, 255, 240
2335	};
2336	int bytes;
2337
2338	/* Telnet server should demand we issue START_TLS */
2339	bytes = BIO_read(sbio, mbuf, BUFSIZZ1024*8);
2340	if (bytes != 3 \|\| memcmp(mbuf, tls_do, 3) != 0)
2341	goto shut;
2342	/* Agree to issue START_TLS and send the FOLLOWS sub-command */
2343	BIO_write(sbio, tls_will, 3);
2344	BIO_write(sbio, tls_follows, 6);
2345	(void)BIO_flush(sbio)(int)BIO_ctrl(sbio,11,0,((void*)0));
2346	/* Telnet server also sent the FOLLOWS sub-command */
2347	bytes = BIO_read(sbio, mbuf, BUFSIZZ1024*8);
2348	if (bytes != 6 \|\| memcmp(mbuf, tls_follows, 6) != 0)
2349	goto shut;
2350	}
2351	break;
2352	case PROTO_IRC:
2353	{
2354	int numeric;
2355	BIO *fbio = BIO_new(BIO_f_buffer());
2356
2357	if (fbio == NULL((void*)0)) {
2358	BIO_printf(bio_err, "Unable to create BIO\n");
2359	goto end;
2360	}
2361	BIO_push(fbio, sbio);
2362	BIO_printf(fbio, "STARTTLS\r\n");
2363	(void)BIO_flush(fbio)(int)BIO_ctrl(fbio,11,0,((void*)0));
2364	width = SSL_get_fd(con) + 1;
2365
2366	do {
2367	numeric = 0;
2368
2369	FD_ZERO(&readfds)do { int __d0, __d1; __asm__ __volatile__ ("cld; rep; " "stosq" : "=c" (__d0), "=D" (__d1) : "a" (0), "0" (sizeof (fd_set) / sizeof (__fd_mask)), "1" (&((&readfds)->__fds_bits )[0]) : "memory"); } while (0);
2370	openssl_fdset(SSL_get_fd(con), &readfds)((void) (((&readfds)->__fds_bits)[((SSL_get_fd(con)) / (8 * (int) sizeof (__fd_mask)))] \|= ((__fd_mask) (1UL << ((SSL_get_fd(con)) % (8 * (int) sizeof (__fd_mask)))))));
2371	timeout.tv_sec = S_CLIENT_IRC_READ_TIMEOUT8;
2372	timeout.tv_usec = 0;
2373	/*
2374	* If the IRCd doesn't respond within
2375	* S_CLIENT_IRC_READ_TIMEOUT seconds, assume
2376	* it doesn't support STARTTLS. Many IRCds
2377	* will not give _any_ sort of response to a
2378	* STARTTLS command when it's not supported.
2379	*/
2380	if (!BIO_get_buffer_num_lines(fbio)BIO_ctrl(fbio,116,0,((void*)0))
2381	&& !BIO_pending(fbio)(int)BIO_ctrl(fbio,10,0,((void*)0))
2382	&& !BIO_pending(sbio)(int)BIO_ctrl(sbio,10,0,((void*)0))
2383	&& select(width, (void )&readfds, NULL((void)0), NULL((void*)0),
2384	&timeout) < 1) {
2385	BIO_printf(bio_err,
2386	"Timeout waiting for response (%d seconds).\n",
2387	S_CLIENT_IRC_READ_TIMEOUT8);
2388	break;
2389	}
2390
2391	mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ1024*8);
2392	if (mbuf_len < 1 \|\| sscanf(mbuf, "%*s %d", &numeric) != 1)
2393	break;
2394	/* :example.net 451 STARTTLS :You have not registered */
2395	/* :example.net 421 STARTTLS :Unknown command */
2396	if ((numeric == 451 \|\| numeric == 421)
2397	&& strstr(mbuf, "STARTTLS") != NULL((void*)0)) {
2398	BIO_printf(bio_err, "STARTTLS not supported: %s", mbuf);
2399	break;
2400	}
2401	if (numeric == 691) {
2402	BIO_printf(bio_err, "STARTTLS negotiation failed: ");
2403	ERR_print_errors(bio_err);
2404	break;
2405	}
2406	} while (numeric != 670);
2407
2408	(void)BIO_flush(fbio)(int)BIO_ctrl(fbio,11,0,((void*)0));
2409	BIO_pop(fbio);
2410	BIO_free(fbio);
2411	if (numeric != 670) {
2412	BIO_printf(bio_err, "Server does not support STARTTLS.\n");
2413	ret = 1;
2414	goto shut;
2415	}
2416	}
2417	break;
2418	case PROTO_MYSQL:
2419	{
2420	/* SSL request packet */
2421	static const unsigned char ssl_req[] = {
2422	/* payload_length, sequence_id */
2423	0x20, 0x00, 0x00, 0x01,
2424	/* payload */
2425	/* capability flags, CLIENT_SSL always set */
2426	0x85, 0xae, 0x7f, 0x00,
2427	/* max-packet size */
2428	0x00, 0x00, 0x00, 0x01,
2429	/* character set */
2430	0x21,
2431	/* string[23] reserved (all [0]) */
2432	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2433	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2434	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
2435	};
2436	int bytes = 0;
2437	int ssl_flg = 0x800;
2438	int pos;
2439	const unsigned char packet = (const unsigned char )sbuf;
2440
2441	/* Receiving Initial Handshake packet. */
2442	bytes = BIO_read(sbio, (void )packet, BUFSIZZ10248);
2443	if (bytes < 0) {
2444	BIO_printf(bio_err, "BIO_read failed\n");
2445	goto shut;
2446	/* Packet length[3], Packet number[1] + minimum payload[17] */
2447	} else if (bytes < 21) {
2448	BIO_printf(bio_err, "MySQL packet too short.\n");
2449	goto shut;
2450	} else if (bytes != (4 + packet[0] +
2451	(packet[1] << 8) +
2452	(packet[2] << 16))) {
2453	BIO_printf(bio_err, "MySQL packet length does not match.\n");
2454	goto shut;
2455	/* protocol version[1] */
2456	} else if (packet[4] != 0xA) {
2457	BIO_printf(bio_err,
2458	"Only MySQL protocol version 10 is supported.\n");
2459	goto shut;
2460	}
2461
2462	pos = 5;
2463	/* server version[string+NULL] */
2464	for (;;) {
2465	if (pos >= bytes) {
2466	BIO_printf(bio_err, "Cannot confirm server version. ");
2467	goto shut;
2468	} else if (packet[pos++] == '\0') {
2469	break;
2470	}
2471	}
2472
2473	/* make sure we have at least 15 bytes left in the packet */
2474	if (pos + 15 > bytes) {
2475	BIO_printf(bio_err,
2476	"MySQL server handshake packet is broken.\n");
2477	goto shut;
2478	}
2479
2480	pos += 12; /* skip over conn id[4] + SALT[8] */
2481	if (packet[pos++] != '\0') { /* verify filler */
2482	BIO_printf(bio_err,
2483	"MySQL packet is broken.\n");
2484	goto shut;
2485	}
2486
2487	/* capability flags[2] */
2488	if (!((packet[pos] + (packet[pos + 1] << 8)) & ssl_flg)) {
2489	BIO_printf(bio_err, "MySQL server does not support SSL.\n");
2490	goto shut;
2491	}
2492
2493	/* Sending SSL Handshake packet. */
2494	BIO_write(sbio, ssl_req, sizeof(ssl_req));
2495	(void)BIO_flush(sbio)(int)BIO_ctrl(sbio,11,0,((void*)0));
2496	}
2497	break;
2498	case PROTO_POSTGRES:
2499	{
2500	static const unsigned char ssl_request[] = {
2501	/* Length SSLRequest */
2502	0, 0, 0, 8, 4, 210, 22, 47
2503	};
2504	int bytes;
2505
2506	/* Send SSLRequest packet */
2507	BIO_write(sbio, ssl_request, 8);
2508	(void)BIO_flush(sbio)(int)BIO_ctrl(sbio,11,0,((void*)0));
2509
2510	/* Reply will be a single S if SSL is enabled */
2511	bytes = BIO_read(sbio, sbuf, BUFSIZZ1024*8);
2512	if (bytes != 1 \|\| sbuf[0] != 'S')
2513	goto shut;
2514	}
2515	break;
2516	case PROTO_NNTP:
2517	{
2518	int foundit = 0;
2519	BIO *fbio = BIO_new(BIO_f_buffer());
2520
2521	if (fbio == NULL((void*)0)) {
2522	BIO_printf(bio_err, "Unable to create BIO\n");
2523	goto end;
2524	}
2525	BIO_push(fbio, sbio);
2526	BIO_gets(fbio, mbuf, BUFSIZZ1024*8);
2527	/* STARTTLS command requires CAPABILITIES... */
2528	BIO_printf(fbio, "CAPABILITIES\r\n");
2529	(void)BIO_flush(fbio)(int)BIO_ctrl(fbio,11,0,((void*)0));
2530	BIO_gets(fbio, mbuf, BUFSIZZ1024*8);
2531	/* no point in trying to parse the CAPABILITIES response if there is none */
2532	if (strstr(mbuf, "101") != NULL((void*)0)) {
2533	/* wait for multi-line CAPABILITIES response */
2534	do {
2535	mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ1024*8);
2536	if (strstr(mbuf, "STARTTLS"))
2537	foundit = 1;
2538	} while (mbuf_len > 1 && mbuf[0] != '.');
2539	}
2540	(void)BIO_flush(fbio)(int)BIO_ctrl(fbio,11,0,((void*)0));
2541	BIO_pop(fbio);
2542	BIO_free(fbio);
2543	if (!foundit)
2544	BIO_printf(bio_err,
2545	"Didn't find STARTTLS in server response,"
2546	" trying anyway...\n");
2547	BIO_printf(sbio, "STARTTLS\r\n");
2548	mbuf_len = BIO_read(sbio, mbuf, BUFSIZZ1024*8);
2549	if (mbuf_len < 0) {
2550	BIO_printf(bio_err, "BIO_read failed\n");
2551	goto end;
2552	}
2553	mbuf[mbuf_len] = '\0';
2554	if (strstr(mbuf, "382") == NULL((void*)0)) {
2555	BIO_printf(bio_err, "STARTTLS failed: %s", mbuf);
2556	goto shut;
2557	}
2558	}
2559	break;
2560	case PROTO_SIEVE:
2561	{
2562	int foundit = 0;
2563	BIO *fbio = BIO_new(BIO_f_buffer());
2564
2565	if (fbio == NULL((void*)0)) {
2566	BIO_printf(bio_err, "Unable to create BIO\n");
2567	goto end;
2568	}
2569	BIO_push(fbio, sbio);
2570	/* wait for multi-line response to end from Sieve */
2571	do {
2572	mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ1024*8);
2573	/*
2574	* According to RFC 5804 § 1.7, capability
2575	* is case-insensitive, make it uppercase
2576	*/
2577	if (mbuf_len > 1 && mbuf[0] == '"') {
2578	make_uppercase(mbuf);
2579	if (strncmp(mbuf, "\"STARTTLS\"", 10) == 0)
2580	foundit = 1;
2581	}
2582	} while (mbuf_len > 1 && mbuf[0] == '"');
2583	(void)BIO_flush(fbio)(int)BIO_ctrl(fbio,11,0,((void*)0));
2584	BIO_pop(fbio);
2585	BIO_free(fbio);
2586	if (!foundit)
2587	BIO_printf(bio_err,
2588	"Didn't find STARTTLS in server response,"
2589	" trying anyway...\n");
2590	BIO_printf(sbio, "STARTTLS\r\n");
2591	mbuf_len = BIO_read(sbio, mbuf, BUFSIZZ1024*8);
2592	if (mbuf_len < 0) {
2593	BIO_printf(bio_err, "BIO_read failed\n");
2594	goto end;
2595	}
2596	mbuf[mbuf_len] = '\0';
2597	if (mbuf_len < 2) {
2598	BIO_printf(bio_err, "STARTTLS failed: %s", mbuf);
2599	goto shut;
2600	}
2601	/*
2602	* According to RFC 5804 § 2.2, response codes are case-
2603	* insensitive, make it uppercase but preserve the response.
2604	*/
2605	strncpy(sbuf, mbuf, 2);
2606	make_uppercase(sbuf);
2607	if (strncmp(sbuf, "OK", 2) != 0) {
2608	BIO_printf(bio_err, "STARTTLS not supported: %s", mbuf);
2609	goto shut;
2610	}
2611	}
2612	break;
2613	case PROTO_LDAP:
2614	{
2615	/* StartTLS Operation according to RFC 4511 */
2616	static char ldap_tls_genconf[] = "asn1=SEQUENCE:LDAPMessage\n"
2617	"[LDAPMessage]\n"
2618	"messageID=INTEGER:1\n"
2619	"extendedReq=EXPLICIT:23A,IMPLICIT:0C,"
2620	"FORMAT:ASCII,OCT:1.3.6.1.4.1.1466.20037\n";
2621	long errline = -1;
2622	char genstr = NULL((void)0);
2623	int result = -1;
2624	ASN1_TYPE atyp = NULL((void)0);
2625	BIO *ldapbio = BIO_new(BIO_s_mem());
2626	CONF cnf = NCONF_new(NULL((void)0));
2627
2628	if (ldapbio == NULL((void)0) \|\| cnf == NULL((void)0)) {
2629	BIO_free(ldapbio);
2630	NCONF_free(cnf);
2631	goto end;
2632	}
2633	BIO_puts(ldapbio, ldap_tls_genconf);
2634	if (NCONF_load_bio(cnf, ldapbio, &errline) <= 0) {
2635	BIO_free(ldapbio);
2636	NCONF_free(cnf);
2637	if (errline <= 0) {
2638	BIO_printf(bio_err, "NCONF_load_bio failed\n");
2639	goto end;
2640	} else {
2641	BIO_printf(bio_err, "Error on line %ld\n", errline);
2642	goto end;
2643	}
2644	}
2645	BIO_free(ldapbio);
2646	genstr = NCONF_get_string(cnf, "default", "asn1");
2647	if (genstr == NULL((void*)0)) {
2648	NCONF_free(cnf);
2649	BIO_printf(bio_err, "NCONF_get_string failed\n");
2650	goto end;
2651	}
2652	atyp = ASN1_generate_nconf(genstr, cnf);
2653	if (atyp == NULL((void*)0)) {
2654	NCONF_free(cnf);
2655	BIO_printf(bio_err, "ASN1_generate_nconf failed\n");
2656	goto end;
2657	}
2658	NCONF_free(cnf);
2659
2660	/* Send SSLRequest packet */
2661	BIO_write(sbio, atyp->value.sequence->data,
2662	atyp->value.sequence->length);
2663	(void)BIO_flush(sbio)(int)BIO_ctrl(sbio,11,0,((void*)0));
2664	ASN1_TYPE_free(atyp);
2665
2666	mbuf_len = BIO_read(sbio, mbuf, BUFSIZZ1024*8);
2667	if (mbuf_len < 0) {
2668	BIO_printf(bio_err, "BIO_read failed\n");
2669	goto end;
2670	}
2671	result = ldap_ExtendedResponse_parse(mbuf, mbuf_len);
2672	if (result < 0) {
2673	BIO_printf(bio_err, "ldap_ExtendedResponse_parse failed\n");
2674	goto shut;
2675	} else if (result > 0) {
2676	BIO_printf(bio_err, "STARTTLS failed, LDAP Result Code: %i\n",
2677	result);
2678	goto shut;
2679	}
2680	mbuf_len = 0;
2681	}
2682	break;
2683	}
2684
2685	if (early_data_file != NULL((void*)0)
2686	&& ((SSL_get0_sessionSSL_get_session(con) != NULL((void*)0)
2687	&& SSL_SESSION_get_max_early_data(SSL_get0_sessionSSL_get_session(con)) > 0)
2688	\|\| (psksess != NULL((void*)0)
2689	&& SSL_SESSION_get_max_early_data(psksess) > 0))) {
2690	BIO *edfile = BIO_new_file(early_data_file, "r");
2691	size_t readbytes, writtenbytes;
2692	int finish = 0;
2693
2694	if (edfile == NULL((void*)0)) {
2695	BIO_printf(bio_err, "Cannot open early data file\n");
2696	goto shut;
2697	}
2698
2699	while (!finish) {
2700	if (!BIO_read_ex(edfile, cbuf, BUFSIZZ1024*8, &readbytes))
2701	finish = 1;
2702
2703	while (!SSL_write_early_data(con, cbuf, readbytes, &writtenbytes)) {
2704	switch (SSL_get_error(con, 0)) {
2705	case SSL_ERROR_WANT_WRITE3:
2706	case SSL_ERROR_WANT_ASYNC9:
2707	case SSL_ERROR_WANT_READ2:
2708	/* Just keep trying - busy waiting */
2709	continue;
2710	default:
2711	BIO_printf(bio_err, "Error writing early data\n");
2712	BIO_free(edfile);
2713	ERR_print_errors(bio_err);
2714	goto shut;
2715	}
2716	}
2717	}
2718
2719	BIO_free(edfile);
2720	}
2721
2722	for (;;) {
2723	FD_ZERO(&readfds)do { int __d0, __d1; __asm__ __volatile__ ("cld; rep; " "stosq" : "=c" (__d0), "=D" (__d1) : "a" (0), "0" (sizeof (fd_set) / sizeof (__fd_mask)), "1" (&((&readfds)->__fds_bits )[0]) : "memory"); } while (0);
2724	FD_ZERO(&writefds)do { int __d0, __d1; __asm__ __volatile__ ("cld; rep; " "stosq" : "=c" (__d0), "=D" (__d1) : "a" (0), "0" (sizeof (fd_set) / sizeof (__fd_mask)), "1" (&((&writefds)->__fds_bits )[0]) : "memory"); } while (0);
2725
2726	if (SSL_is_dtls(con) && DTLSv1_get_timeout(con, &timeout)SSL_ctrl(con,73,0, (void *)(&timeout)))
2727	timeoutp = &timeout;
2728	else
2729	timeoutp = NULL((void*)0);
2730
2731	if (!SSL_is_init_finished(con) && SSL_total_renegotiations(con)SSL_ctrl((con),12,0,((void*)0)) == 0
2732	&& SSL_get_key_update_type(con) == SSL_KEY_UPDATE_NONE-1) {
2733	in_init = 1;
2734	tty_on = 0;
2735	} else {
2736	tty_on = 1;
2737	if (in_init) {
2738	in_init = 0;
2739	if (c_brief) {
2740	BIO_puts(bio_err, "CONNECTION ESTABLISHED\n");
2741	print_ssl_summary(con);
2742	}
2743
2744	print_stuff(bio_c_out, con, full_log);
2745	if (full_log > 0)
2746	full_log--;
2747
2748	if (starttls_proto) {
2749	BIO_write(bio_err, mbuf, mbuf_len);
2750	/* We don't need to know any more */
2751	if (!reconnect)
2752	starttls_proto = PROTO_OFF;
2753	}
2754
2755	if (reconnect) {
2756	reconnect--;
2757	BIO_printf(bio_c_out,
2758	"drop connection and then reconnect\n");
2759	do_ssl_shutdown(con);
2760	SSL_set_connect_state(con);
2761	BIO_closesocket(SSL_get_fd(con));
2762	goto re_start;
2763	}
2764	}
2765	}
2766
2767	ssl_pending = read_ssl && SSL_has_pending(con);
2768
2769	if (!ssl_pending) {
2770	#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS)
2771	if (tty_on) {
2772	/*
2773	* Note that select() returns when read _would not block_,
2774	* and EOF satisfies that. To avoid a CPU-hogging loop,
2775	* set the flag so we exit.
2776	*/
2777	if (read_tty && !at_eof)
2778	openssl_fdset(fileno_stdin(), &readfds)((void) (((&readfds)->__fds_bits)[((fileno_stdin()) / ( 8 * (int) sizeof (__fd_mask)))] \|= ((__fd_mask) (1UL << ((fileno_stdin()) % (8 * (int) sizeof (__fd_mask)))))));
2779	#if !defined(OPENSSL_SYS_VMS)
2780	if (write_tty)
2781	openssl_fdset(fileno_stdout(), &writefds)((void) (((&writefds)->__fds_bits)[((fileno_stdout()) / (8 * (int) sizeof (__fd_mask)))] \|= ((__fd_mask) (1UL << ((fileno_stdout()) % (8 * (int) sizeof (__fd_mask)))))));
2782	#endif
2783	}
2784	if (read_ssl)
2785	openssl_fdset(SSL_get_fd(con), &readfds)((void) (((&readfds)->__fds_bits)[((SSL_get_fd(con)) / (8 * (int) sizeof (__fd_mask)))] \|= ((__fd_mask) (1UL << ((SSL_get_fd(con)) % (8 * (int) sizeof (__fd_mask)))))));
2786	if (write_ssl)
2787	openssl_fdset(SSL_get_fd(con), &writefds)((void) (((&writefds)->__fds_bits)[((SSL_get_fd(con)) / (8 * (int) sizeof (__fd_mask)))] \|= ((__fd_mask) (1UL << ((SSL_get_fd(con)) % (8 * (int) sizeof (__fd_mask)))))));
2788	#else
2789	if (!tty_on \|\| !write_tty) {
2790	if (read_ssl)
2791	openssl_fdset(SSL_get_fd(con), &readfds)((void) (((&readfds)->__fds_bits)[((SSL_get_fd(con)) / (8 * (int) sizeof (__fd_mask)))] \|= ((__fd_mask) (1UL << ((SSL_get_fd(con)) % (8 * (int) sizeof (__fd_mask)))))));
2792	if (write_ssl)
2793	openssl_fdset(SSL_get_fd(con), &writefds)((void) (((&writefds)->__fds_bits)[((SSL_get_fd(con)) / (8 * (int) sizeof (__fd_mask)))] \|= ((__fd_mask) (1UL << ((SSL_get_fd(con)) % (8 * (int) sizeof (__fd_mask)))))));
2794	}
2795	#endif
2796
2797	/*
2798	* Note: under VMS with SOCKETSHR the second parameter is
2799	* currently of type (int *) whereas under other systems it is
2800	* (void *) if you don't have a cast it will choke the compiler:
2801	* if you do have a cast then you can either go for (int *) or
2802	* (void *).
2803	*/
2804	#if defined(OPENSSL_SYS_WINDOWS) \|\| defined(OPENSSL_SYS_MSDOS)
2805	/*
2806	* Under Windows/DOS we make the assumption that we can always
2807	* write to the tty: therefore if we need to write to the tty we
2808	* just fall through. Otherwise we timeout the select every
2809	* second and see if there are any keypresses. Note: this is a
2810	* hack, in a proper Windows application we wouldn't do this.
2811	*/
2812	i = 0;
2813	if (!write_tty) {
2814	if (read_tty) {
2815	tv.tv_sec = 1;
2816	tv.tv_usec = 0;
2817	i = select(width, (void )&readfds, (void )&writefds,
2818	NULL((void*)0), &tv);
2819	if (!i && (!has_stdin_waiting() \|\| !read_tty))
2820	continue;
2821	} else
2822	i = select(width, (void )&readfds, (void )&writefds,
2823	NULL((void*)0), timeoutp);
2824	}
2825	#else
2826	i = select(width, (void )&readfds, (void )&writefds,
2827	NULL((void*)0), timeoutp);
2828	#endif
2829	if (i < 0) {
2830	BIO_printf(bio_err, "bad select %d\n",
2831	get_last_socket_error()(*__errno_location ()));
2832	goto shut;
2833	}
2834	}
2835
2836	if (SSL_is_dtls(con) && DTLSv1_handle_timeout(con)SSL_ctrl(con,74,0, ((void*)0)) > 0)
2837	BIO_printf(bio_err, "TIMEOUT occurred\n");
2838
2839	if (!ssl_pending && FD_ISSET(SSL_get_fd(con), &writefds)((((&writefds)->__fds_bits)[((SSL_get_fd(con)) / (8 * ( int) sizeof (__fd_mask)))] & ((__fd_mask) (1UL << ( (SSL_get_fd(con)) % (8 * (int) sizeof (__fd_mask)))))) != 0)) {
2840	k = SSL_write(con, &(cbuf[cbuf_off]), (unsigned int)cbuf_len);
2841	switch (SSL_get_error(con, k)) {
2842	case SSL_ERROR_NONE0:
2843	cbuf_off += k;
2844	cbuf_len -= k;
2845	if (k <= 0)
2846	goto end;
2847	/* we have done a write(con,NULL,0); */
2848	if (cbuf_len <= 0) {
2849	read_tty = 1;
2850	write_ssl = 0;
2851	} else { /* if (cbuf_len > 0) */
2852
2853	read_tty = 0;
2854	write_ssl = 1;
2855	}
2856	break;
2857	case SSL_ERROR_WANT_WRITE3:
2858	BIO_printf(bio_c_out, "write W BLOCK\n");
2859	write_ssl = 1;
2860	read_tty = 0;
2861	break;
2862	case SSL_ERROR_WANT_ASYNC9:
2863	BIO_printf(bio_c_out, "write A BLOCK\n");
2864	wait_for_async(con);
2865	write_ssl = 1;
2866	read_tty = 0;
2867	break;
2868	case SSL_ERROR_WANT_READ2:
2869	BIO_printf(bio_c_out, "write R BLOCK\n");
2870	write_tty = 0;
2871	read_ssl = 1;
2872	write_ssl = 0;
2873	break;
2874	case SSL_ERROR_WANT_X509_LOOKUP4:
2875	BIO_printf(bio_c_out, "write X BLOCK\n");
2876	break;
2877	case SSL_ERROR_ZERO_RETURN6:
2878	if (cbuf_len != 0) {
2879	BIO_printf(bio_c_out, "shutdown\n");
2880	ret = 0;
2881	goto shut;
2882	} else {
2883	read_tty = 1;
2884	write_ssl = 0;
2885	break;
2886	}
2887
2888	case SSL_ERROR_SYSCALL5:
2889	if ((k != 0) \|\| (cbuf_len != 0)) {
2890	BIO_printf(bio_err, "write:errno=%d\n",
2891	get_last_socket_error()(*__errno_location ()));
2892	goto shut;
2893	} else {
2894	read_tty = 1;
2895	write_ssl = 0;
2896	}
2897	break;
2898	case SSL_ERROR_WANT_ASYNC_JOB10:
2899	/* This shouldn't ever happen in s_client - treat as an error */
2900	case SSL_ERROR_SSL1:
2901	ERR_print_errors(bio_err);
2902	goto shut;
2903	}
2904	}
2905	#if defined(OPENSSL_SYS_WINDOWS) \|\| defined(OPENSSL_SYS_MSDOS) \|\| defined(OPENSSL_SYS_VMS)
2906	/* Assume Windows/DOS/BeOS can always write */
2907	else if (!ssl_pending && write_tty)
2908	#else
2909	else if (!ssl_pending && FD_ISSET(fileno_stdout(), &writefds)((((&writefds)->__fds_bits)[((fileno_stdout()) / (8 * ( int) sizeof (__fd_mask)))] & ((__fd_mask) (1UL << ( (fileno_stdout()) % (8 * (int) sizeof (__fd_mask)))))) != 0))
2910	#endif
2911	{
2912	#ifdef CHARSET_EBCDIC
2913	ascii2ebcdic(&(sbuf[sbuf_off]), &(sbuf[sbuf_off]), sbuf_len);
2914	#endif
2915	i = raw_write_stdout(&(sbuf[sbuf_off]), sbuf_len);
2916
2917	if (i <= 0) {
2918	BIO_printf(bio_c_out, "DONE\n");
2919	ret = 0;
2920	goto shut;
2921	}
2922
2923	sbuf_len -= i;
2924	sbuf_off += i;
2925	if (sbuf_len <= 0) {
2926	read_ssl = 1;
2927	write_tty = 0;
2928	}
2929	} else if (ssl_pending \|\| FD_ISSET(SSL_get_fd(con), &readfds)((((&readfds)->__fds_bits)[((SSL_get_fd(con)) / (8 * ( int) sizeof (__fd_mask)))] & ((__fd_mask) (1UL << ( (SSL_get_fd(con)) % (8 * (int) sizeof (__fd_mask)))))) != 0)) {
2930	#ifdef RENEG
2931	{
2932	static int iiii;
2933	if (++iiii == 52) {
2934	SSL_renegotiate(con);
2935	iiii = 0;
2936	}
2937	}
2938	#endif
2939	k = SSL_read(con, sbuf, 1024 /* BUFSIZZ */ );
2940
2941	switch (SSL_get_error(con, k)) {
2942	case SSL_ERROR_NONE0:
2943	if (k <= 0)
2944	goto end;
2945	sbuf_off = 0;
2946	sbuf_len = k;
2947
2948	read_ssl = 0;
2949	write_tty = 1;
2950	break;
2951	case SSL_ERROR_WANT_ASYNC9:
2952	BIO_printf(bio_c_out, "read A BLOCK\n");
2953	wait_for_async(con);
2954	write_tty = 0;
2955	read_ssl = 1;
2956	if ((read_tty == 0) && (write_ssl == 0))
2957	write_ssl = 1;
2958	break;
2959	case SSL_ERROR_WANT_WRITE3:
2960	BIO_printf(bio_c_out, "read W BLOCK\n");
2961	write_ssl = 1;
2962	read_tty = 0;
2963	break;
2964	case SSL_ERROR_WANT_READ2:
2965	BIO_printf(bio_c_out, "read R BLOCK\n");
2966	write_tty = 0;
2967	read_ssl = 1;
2968	if ((read_tty == 0) && (write_ssl == 0))
2969	write_ssl = 1;
2970	break;
2971	case SSL_ERROR_WANT_X509_LOOKUP4:
2972	BIO_printf(bio_c_out, "read X BLOCK\n");
2973	break;
2974	case SSL_ERROR_SYSCALL5:
2975	ret = get_last_socket_error()(*__errno_location ());
2976	if (c_brief)
2977	BIO_puts(bio_err, "CONNECTION CLOSED BY SERVER\n");
2978	else
2979	BIO_printf(bio_err, "read:errno=%d\n", ret);
2980	goto shut;
2981	case SSL_ERROR_ZERO_RETURN6:
2982	BIO_printf(bio_c_out, "closed\n");
2983	ret = 0;
2984	goto shut;
2985	case SSL_ERROR_WANT_ASYNC_JOB10:
2986	/* This shouldn't ever happen in s_client. Treat as an error */
2987	case SSL_ERROR_SSL1:
2988	ERR_print_errors(bio_err);
2989	goto shut;
2990	}
2991	}
2992	/* OPENSSL_SYS_MSDOS includes OPENSSL_SYS_WINDOWS */
2993	#if defined(OPENSSL_SYS_MSDOS)
2994	else if (has_stdin_waiting())
2995	#else
2996	else if (FD_ISSET(fileno_stdin(), &readfds)((((&readfds)->__fds_bits)[((fileno_stdin()) / (8 * (int ) sizeof (__fd_mask)))] & ((__fd_mask) (1UL << ((fileno_stdin ()) % (8 * (int) sizeof (__fd_mask)))))) != 0))
2997	#endif
2998	{
2999	if (crlf) {
3000	int j, lf_num;
3001
3002	i = raw_read_stdin(cbuf, BUFSIZZ1024*8 / 2);
3003	lf_num = 0;
3004	/* both loops are skipped when i <= 0 */
3005	for (j = 0; j < i; j++)
3006	if (cbuf[j] == '\n')
3007	lf_num++;
3008	for (j = i - 1; j >= 0; j--) {
3009	cbuf[j + lf_num] = cbuf[j];
3010	if (cbuf[j] == '\n') {
3011	lf_num--;
3012	i++;
3013	cbuf[j + lf_num] = '\r';
3014	}
3015	}
3016	assert(lf_num == 0)((void) (0));
3017	} else
3018	i = raw_read_stdin(cbuf, BUFSIZZ1024*8);
3019	#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS)
3020	if (i == 0)
3021	at_eof = 1;
3022	#endif
3023
3024	if ((!c_ign_eof) && ((i <= 0) \|\| (cbuf[0] == 'Q' && cmdletters))) {
3025	BIO_printf(bio_err, "DONE\n");
3026	ret = 0;
3027	goto shut;
3028	}
3029
3030	if ((!c_ign_eof) && (cbuf[0] == 'R' && cmdletters)) {
3031	BIO_printf(bio_err, "RENEGOTIATING\n");
3032	SSL_renegotiate(con);
3033	cbuf_len = 0;
3034	} else if (!c_ign_eof && (cbuf[0] == 'K' \|\| cbuf[0] == 'k' )
3035	&& cmdletters) {
3036	BIO_printf(bio_err, "KEYUPDATE\n");
3037	SSL_key_update(con,
3038	cbuf[0] == 'K' ? SSL_KEY_UPDATE_REQUESTED1
3039	: SSL_KEY_UPDATE_NOT_REQUESTED0);
3040	cbuf_len = 0;
3041	} else {
3042	cbuf_len = i;
3043	cbuf_off = 0;
3044	#ifdef CHARSET_EBCDIC
3045	ebcdic2ascii(cbuf, cbuf, i);
3046	#endif
3047	}
3048
3049	write_ssl = 1;
3050	read_tty = 0;
3051	}
3052	}
3053
3054	shut:
3055	if (in_init)
3056	print_stuff(bio_c_out, con, full_log);
3057	do_ssl_shutdown(con);
3058
3059	/*
3060	* If we ended with an alert being sent, but still with data in the
3061	* network buffer to be read, then calling BIO_closesocket() will
3062	* result in a TCP-RST being sent. On some platforms (notably
3063	* Windows) then this will result in the peer immediately abandoning
3064	* the connection including any buffered alert data before it has
3065	* had a chance to be read. Shutting down the sending side first,
3066	* and then closing the socket sends TCP-FIN first followed by
3067	* TCP-RST. This seems to allow the peer to read the alert data.
3068	*/
3069	shutdown(SSL_get_fd(con), 1); /* SHUT_WR */
3070	/*
3071	* We just said we have nothing else to say, but it doesn't mean that
3072	* the other side has nothing. It's even recommended to consume incoming
3073	* data. [In testing context this ensures that alerts are passed on...]
3074	*/
3075	timeout.tv_sec = 0;
3076	timeout.tv_usec = 500000; /* some extreme round-trip */
3077	do {
3078	FD_ZERO(&readfds)do { int __d0, __d1; __asm__ __volatile__ ("cld; rep; " "stosq" : "=c" (__d0), "=D" (__d1) : "a" (0), "0" (sizeof (fd_set) / sizeof (__fd_mask)), "1" (&((&readfds)->__fds_bits )[0]) : "memory"); } while (0);
3079	openssl_fdset(sock, &readfds)((void) (((&readfds)->__fds_bits)[((sock) / (8 * (int) sizeof (__fd_mask)))] \|= ((__fd_mask) (1UL << ((sock) % (8 * (int) sizeof (__fd_mask)))))));
3080	} while (select(sock + 1, &readfds, NULL((void)0), NULL((void)0), &timeout) > 0
3081	&& BIO_read(sbio, sbuf, BUFSIZZ1024*8) > 0);
3082
3083	BIO_closesocket(SSL_get_fd(con));
3084	end:
3085	if (con != NULL((void*)0)) {
3086	if (prexit != 0)
3087	print_stuff(bio_c_out, con, 1);
3088	SSL_free(con);
3089	}
3090	SSL_SESSION_free(psksess);
3091	#if !defined(OPENSSL_NO_NEXTPROTONEG)
3092	OPENSSL_free(next_proto.data)CRYPTO_free(next_proto.data, "../deps/openssl/openssl/apps/s_client.c" , 3092);
3093	#endif
3094	SSL_CTX_free(ctx);
3095	set_keylog_file(NULL((void)0), NULL((void)0));
3096	X509_free(cert);
3097	sk_X509_CRL_pop_free(crls, X509_CRL_free)OPENSSL_sk_pop_free(ossl_check_X509_CRL_sk_type(crls),ossl_check_X509_CRL_freefunc_type (X509_CRL_free));
3098	EVP_PKEY_free(key);
3099	sk_X509_pop_free(chain, X509_free)OPENSSL_sk_pop_free(ossl_check_X509_sk_type(chain),ossl_check_X509_freefunc_type (X509_free));
3100	OPENSSL_free(pass)CRYPTO_free(pass, "../deps/openssl/openssl/apps/s_client.c", 3100 );
3101	#ifndef OPENSSL_NO_SRP
3102	OPENSSL_free(srp_arg.srppassin)CRYPTO_free(srp_arg.srppassin, "../deps/openssl/openssl/apps/s_client.c" , 3102);
3103	#endif
3104	OPENSSL_free(sname_alloc)CRYPTO_free(sname_alloc, "../deps/openssl/openssl/apps/s_client.c" , 3104);
3105	OPENSSL_free(connectstr)CRYPTO_free(connectstr, "../deps/openssl/openssl/apps/s_client.c" , 3105);
3106	OPENSSL_free(bindstr)CRYPTO_free(bindstr, "../deps/openssl/openssl/apps/s_client.c" , 3106);
3107	OPENSSL_free(bindhost)CRYPTO_free(bindhost, "../deps/openssl/openssl/apps/s_client.c" , 3107);
3108	OPENSSL_free(bindport)CRYPTO_free(bindport, "../deps/openssl/openssl/apps/s_client.c" , 3108);
3109	OPENSSL_free(host)CRYPTO_free(host, "../deps/openssl/openssl/apps/s_client.c", 3109 );
3110	OPENSSL_free(port)CRYPTO_free(port, "../deps/openssl/openssl/apps/s_client.c", 3110 );
3111	OPENSSL_free(thost)CRYPTO_free(thost, "../deps/openssl/openssl/apps/s_client.c", 3111);
3112	OPENSSL_free(tport)CRYPTO_free(tport, "../deps/openssl/openssl/apps/s_client.c", 3112);
3113	X509_VERIFY_PARAM_free(vpm);
3114	ssl_excert_free(exc);
3115	sk_OPENSSL_STRING_free(ssl_args)OPENSSL_sk_free(ossl_check_OPENSSL_STRING_sk_type(ssl_args));
3116	sk_OPENSSL_STRING_free(dane_tlsa_rrset)OPENSSL_sk_free(ossl_check_OPENSSL_STRING_sk_type(dane_tlsa_rrset ));
3117	SSL_CONF_CTX_free(cctx);
3118	OPENSSL_clear_free(cbuf, BUFSIZZ)CRYPTO_clear_free(cbuf, 1024*8, "../deps/openssl/openssl/apps/s_client.c" , 3118);
3119	OPENSSL_clear_free(sbuf, BUFSIZZ)CRYPTO_clear_free(sbuf, 1024*8, "../deps/openssl/openssl/apps/s_client.c" , 3119);
3120	OPENSSL_clear_free(mbuf, BUFSIZZ)CRYPTO_clear_free(mbuf, 1024*8, "../deps/openssl/openssl/apps/s_client.c" , 3120);
3121	clear_free(proxypass);
3122	release_engine(e);
3123	BIO_free(bio_c_out);
3124	bio_c_out = NULL((void*)0);
3125	BIO_free(bio_c_msg);
3126	bio_c_msg = NULL((void*)0);
3127	return ret;
3128	}
3129
3130	static void print_stuff(BIO bio, SSL s, int full)
3131	{
3132	X509 peer = NULL((void)0);
3133	STACK_OF(X509)struct stack_st_X509 *sk;
3134	const SSL_CIPHER *c;
3135	EVP_PKEY *public_key;
3136	int i, istls13 = (SSL_version(s) == TLS1_3_VERSION0x0304);
3137	long verify_result;
3138	#ifndef OPENSSL_NO_COMP
3139	const COMP_METHOD comp, expansion;
3140	#endif
3141	unsigned char *exportedkeymat;
3142	#ifndef OPENSSL_NO_CT
3143	const SSL_CTX *ctx = SSL_get_SSL_CTX(s);
3144	#endif
3145
3146	if (full) {
3147	int got_a_chain = 0;
3148
3149	sk = SSL_get_peer_cert_chain(s);
3150	if (sk != NULL((void*)0)) {
3151	got_a_chain = 1;
3152
3153	BIO_printf(bio, "---\nCertificate chain\n");
3154	for (i = 0; i < sk_X509_num(sk)OPENSSL_sk_num(ossl_check_const_X509_sk_type(sk)); i++) {
3155	BIO_printf(bio, "%2d s:", i);
3156	X509_NAME_print_ex(bio, X509_get_subject_name(sk_X509_value(sk, i)((X509 *)OPENSSL_sk_value(ossl_check_const_X509_sk_type(sk), ( i)))), 0, get_nameopt());
3157	BIO_puts(bio, "\n");
3158	BIO_printf(bio, " i:");
3159	X509_NAME_print_ex(bio, X509_get_issuer_name(sk_X509_value(sk, i)((X509 *)OPENSSL_sk_value(ossl_check_const_X509_sk_type(sk), ( i)))), 0, get_nameopt());
3160	BIO_puts(bio, "\n");
3161	public_key = X509_get_pubkey(sk_X509_value(sk, i)((X509 *)OPENSSL_sk_value(ossl_check_const_X509_sk_type(sk), ( i))));
3162	if (public_key != NULL((void*)0)) {
3163	BIO_printf(bio, " a:PKEY: %s, %d (bit); sigalg: %s\n",
3164	OBJ_nid2sn(EVP_PKEY_get_base_id(public_key)),
3165	EVP_PKEY_get_bits(public_key),
3166	OBJ_nid2sn(X509_get_signature_nid(sk_X509_value(sk, i)((X509 *)OPENSSL_sk_value(ossl_check_const_X509_sk_type(sk), ( i))))));
3167	EVP_PKEY_free(public_key);
3168	}
3169	BIO_printf(bio, " v:NotBefore: ");
3170	ASN1_TIME_print(bio, X509_get0_notBefore(sk_X509_value(sk, i)((X509 *)OPENSSL_sk_value(ossl_check_const_X509_sk_type(sk), ( i)))));
3171	BIO_printf(bio, "; NotAfter: ");
3172	ASN1_TIME_print(bio, X509_get0_notAfter(sk_X509_value(sk, i)((X509 *)OPENSSL_sk_value(ossl_check_const_X509_sk_type(sk), ( i)))));
3173	BIO_puts(bio, "\n");
3174	if (c_showcerts)
3175	PEM_write_bio_X509(bio, sk_X509_value(sk, i)((X509 *)OPENSSL_sk_value(ossl_check_const_X509_sk_type(sk), ( i))));
3176	}
3177	}
3178
3179	BIO_printf(bio, "---\n");
3180	peer = SSL_get0_peer_certificate(s);
3181	if (peer != NULL((void*)0)) {
3182	BIO_printf(bio, "Server certificate\n");
3183
3184	/* Redundant if we showed the whole chain */
3185	if (!(c_showcerts && got_a_chain))
3186	PEM_write_bio_X509(bio, peer);
3187	dump_cert_text(bio, peer);
3188	} else {
3189	BIO_printf(bio, "no peer certificate available\n");
3190	}
3191	print_ca_names(bio, s);
3192
3193	ssl_print_sigalgs(bio, s);
3194	ssl_print_tmp_key(bio, s);
3195
3196	#ifndef OPENSSL_NO_CT
3197	/*
3198	* When the SSL session is anonymous, or resumed via an abbreviated
3199	* handshake, no SCTs are provided as part of the handshake. While in
3200	* a resumed session SCTs may be present in the session's certificate,
3201	* no callbacks are invoked to revalidate these, and in any case that
3202	* set of SCTs may be incomplete. Thus it makes little sense to
3203	* attempt to display SCTs from a resumed session's certificate, and of
3204	* course none are associated with an anonymous peer.
3205	*/
3206	if (peer != NULL((void*)0) && !SSL_session_reused(s) && SSL_ct_is_enabled(s)) {
3207	const STACK_OF(SCT)struct stack_st_SCT *scts = SSL_get0_peer_scts(s);
3208	int sct_count = scts != NULL((void*)0) ? sk_SCT_num(scts)OPENSSL_sk_num(ossl_check_const_SCT_sk_type(scts)) : 0;
3209
3210	BIO_printf(bio, "---\nSCTs present (%i)\n", sct_count);
3211	if (sct_count > 0) {
3212	const CTLOG_STORE *log_store = SSL_CTX_get0_ctlog_store(ctx);
3213
3214	BIO_printf(bio, "---\n");
3215	for (i = 0; i < sct_count; ++i) {
3216	SCT sct = sk_SCT_value(scts, i)((SCT )OPENSSL_sk_value(ossl_check_const_SCT_sk_type(scts), ( i)));
3217
3218	BIO_printf(bio, "SCT validation status: %s\n",
3219	SCT_validation_status_string(sct));
3220	SCT_print(sct, bio, 0, log_store);
3221	if (i < sct_count - 1)
3222	BIO_printf(bio, "\n---\n");
3223	}
3224	BIO_printf(bio, "\n");
3225	}
3226	}
3227	#endif
3228
3229	BIO_printf(bio,
3230	"---\nSSL handshake has read %ju bytes "
3231	"and written %ju bytes\n",
3232	BIO_number_read(SSL_get_rbio(s)),
3233	BIO_number_written(SSL_get_wbio(s)));
3234	}
3235	print_verify_detail(s, bio);
3236	BIO_printf(bio, (SSL_session_reused(s) ? "---\nReused, " : "---\nNew, "));
3237	c = SSL_get_current_cipher(s);
3238	BIO_printf(bio, "%s, Cipher is %s\n",
3239	SSL_CIPHER_get_version(c), SSL_CIPHER_get_name(c));
3240	if (peer != NULL((void*)0)) {
3241	EVP_PKEY *pktmp;
3242
3243	pktmp = X509_get0_pubkey(peer);
3244	BIO_printf(bio, "Server public key is %d bit\n",
3245	EVP_PKEY_get_bits(pktmp));
3246	}
3247	BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
3248	SSL_get_secure_renegotiation_support(s)SSL_ctrl((s), 76, 0, ((void*)0)) ? "" : " NOT");
3249	#ifndef OPENSSL_NO_COMP
3250	comp = SSL_get_current_compression(s);
3251	expansion = SSL_get_current_expansion(s);
3252	BIO_printf(bio, "Compression: %s\n",
3253	comp ? SSL_COMP_get_name(comp) : "NONE");
3254	BIO_printf(bio, "Expansion: %s\n",
3255	expansion ? SSL_COMP_get_name(expansion) : "NONE");
3256	#endif
3257	#ifndef OPENSSL_NO_KTLS
3258	if (BIO_get_ktls_send(SSL_get_wbio(s))(0))
3259	BIO_printf(bio_err, "Using Kernel TLS for sending\n");
3260	if (BIO_get_ktls_recv(SSL_get_rbio(s))(0))
3261	BIO_printf(bio_err, "Using Kernel TLS for receiving\n");
3262	#endif
3263
3264	if (OSSL_TRACE_ENABLED(TLS)(0)) {
3265	/* Print out local port of connection: useful for debugging */
3266	int sock;
3267	union BIO_sock_info_u info;
3268
3269	sock = SSL_get_fd(s);
3270	if ((info.addr = BIO_ADDR_new()) != NULL((void*)0)
3271	&& BIO_sock_info(sock, BIO_SOCK_INFO_ADDRESS, &info)) {
3272	BIO_printf(bio_c_out, "LOCAL PORT is %u\n",
3273	ntohs(BIO_ADDR_rawport(info.addr))__bswap_16 (BIO_ADDR_rawport(info.addr)));
3274	}
3275	BIO_ADDR_free(info.addr);
3276	}
3277
3278	#if !defined(OPENSSL_NO_NEXTPROTONEG)
3279	if (next_proto.status != -1) {
3280	const unsigned char *proto;
3281	unsigned int proto_len;
3282	SSL_get0_next_proto_negotiated(s, &proto, &proto_len);
3283	BIO_printf(bio, "Next protocol: (%d) ", next_proto.status);
3284	BIO_write(bio, proto, proto_len);
3285	BIO_write(bio, "\n", 1);
3286	}
3287	#endif
3288	{
3289	const unsigned char *proto;
3290	unsigned int proto_len;
3291	SSL_get0_alpn_selected(s, &proto, &proto_len);
3292	if (proto_len > 0) {
3293	BIO_printf(bio, "ALPN protocol: ");
3294	BIO_write(bio, proto, proto_len);
3295	BIO_write(bio, "\n", 1);
3296	} else
3297	BIO_printf(bio, "No ALPN negotiated\n");
3298	}
3299
3300	#ifndef OPENSSL_NO_SRTP
3301	{
3302	SRTP_PROTECTION_PROFILE *srtp_profile =
3303	SSL_get_selected_srtp_profile(s);
3304
3305	if (srtp_profile)
3306	BIO_printf(bio, "SRTP Extension negotiated, profile=%s\n",
3307	srtp_profile->name);
3308	}
3309	#endif
3310
3311	if (istls13) {
3312	switch (SSL_get_early_data_status(s)) {
3313	case SSL_EARLY_DATA_NOT_SENT0:
3314	BIO_printf(bio, "Early data was not sent\n");
3315	break;
3316
3317	case SSL_EARLY_DATA_REJECTED1:
3318	BIO_printf(bio, "Early data was rejected\n");
3319	break;
3320
3321	case SSL_EARLY_DATA_ACCEPTED2:
3322	BIO_printf(bio, "Early data was accepted\n");
3323	break;
3324
3325	}
3326
3327	/*
3328	* We also print the verify results when we dump session information,
3329	* but in TLSv1.3 we may not get that right away (or at all) depending
3330	* on when we get a NewSessionTicket. Therefore we print it now as well.
3331	*/
3332	verify_result = SSL_get_verify_result(s);
3333	BIO_printf(bio, "Verify return code: %ld (%s)\n", verify_result,
3334	X509_verify_cert_error_string(verify_result));
3335	} else {
3336	/* In TLSv1.3 we do this on arrival of a NewSessionTicket */
3337	SSL_SESSION_print(bio, SSL_get_session(s));
3338	}
3339
3340	if (SSL_get_session(s) != NULL((void)0) && keymatexportlabel != NULL((void)0)) {
3341	BIO_printf(bio, "Keying material exporter:\n");
3342	BIO_printf(bio, " Label: '%s'\n", keymatexportlabel);
3343	BIO_printf(bio, " Length: %i bytes\n", keymatexportlen);
3344	exportedkeymat = app_malloc(keymatexportlen, "export key");
3345	if (SSL_export_keying_material(s, exportedkeymat,
3346	keymatexportlen,
3347	keymatexportlabel,
3348	strlen(keymatexportlabel),
3349	NULL((void*)0), 0, 0) <= 0) {
3350	BIO_printf(bio, " Error\n");
3351	} else {
3352	BIO_printf(bio, " Keying material: ");
3353	for (i = 0; i < keymatexportlen; i++)
3354	BIO_printf(bio, "%02X", exportedkeymat[i]);
3355	BIO_printf(bio, "\n");
3356	}
3357	OPENSSL_free(exportedkeymat)CRYPTO_free(exportedkeymat, "../deps/openssl/openssl/apps/s_client.c" , 3357);
3358	}
3359	BIO_printf(bio, "---\n");
3360	/* flush, or debugging output gets mixed with http response */
3361	(void)BIO_flush(bio)(int)BIO_ctrl(bio,11,0,((void*)0));
3362	}
3363
3364	# ifndef OPENSSL_NO_OCSP
3365	static int ocsp_resp_cb(SSL s, void arg)
3366	{
3367	const unsigned char *p;
3368	int len;
3369	OCSP_RESPONSE *rsp;
3370	len = SSL_get_tlsext_status_ocsp_resp(s, &p)SSL_ctrl(s,70,0,&p);
3371	BIO_puts(arg, "OCSP response: ");
3372	if (p == NULL((void*)0)) {
3373	BIO_puts(arg, "no response sent\n");
3374	return 1;
3375	}
3376	rsp = d2i_OCSP_RESPONSE(NULL((void*)0), &p, len);
3377	if (rsp == NULL((void*)0)) {
3378	BIO_puts(arg, "response parse error\n");
3379	BIO_dump_indent(arg, (char *)p, len, 4);
3380	return 0;
3381	}
3382	BIO_puts(arg, "\n======================================\n");
3383	OCSP_RESPONSE_print(arg, rsp, 0);
3384	BIO_puts(arg, "======================================\n");
3385	OCSP_RESPONSE_free(rsp);
3386	return 1;
3387	}
3388	# endif
3389
3390	static int ldap_ExtendedResponse_parse(const char *buf, long rem)
3391	{
3392	const unsigned char cur, end;
3393	long len;
3394	int tag, xclass, inf, ret = -1;
3395
3396	cur = (const unsigned char *)buf;
3397	end = cur + rem;
3398
3399	/*
3400	* From RFC 4511:
3401	*
3402	* LDAPMessage ::= SEQUENCE {
3403	* messageID MessageID,
3404	* protocolOp CHOICE {
3405	* ...
3406	* extendedResp ExtendedResponse,
3407	* ... },
3408	* controls [0] Controls OPTIONAL }
3409	*
3410	* ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
3411	* COMPONENTS OF LDAPResult,
3412	* responseName [10] LDAPOID OPTIONAL,
3413	* responseValue [11] OCTET STRING OPTIONAL }
3414	*
3415	* LDAPResult ::= SEQUENCE {
3416	* resultCode ENUMERATED {
3417	* success (0),
3418	* ...
3419	* other (80),
3420	* ... },
3421	* matchedDN LDAPDN,
3422	* diagnosticMessage LDAPString,
3423	* referral [3] Referral OPTIONAL }
3424	*/
3425
3426	/* pull SEQUENCE */
3427	inf = ASN1_get_object(&cur, &len, &tag, &xclass, rem);
3428	if (inf != V_ASN1_CONSTRUCTED0x20 \|\| tag != V_ASN1_SEQUENCE16 \|\|
3429	(rem = end - cur, len > rem)) {
3430	BIO_printf(bio_err, "Unexpected LDAP response\n");
3431	goto end;
3432	}
3433
3434	rem = len; /* ensure that we don't overstep the SEQUENCE */
3435
3436	/* pull MessageID */
3437	inf = ASN1_get_object(&cur, &len, &tag, &xclass, rem);
3438	if (inf != V_ASN1_UNIVERSAL0x00 \|\| tag != V_ASN1_INTEGER2 \|\|
3439	(rem = end - cur, len > rem)) {
3440	BIO_printf(bio_err, "No MessageID\n");
3441	goto end;
3442	}
3443
3444	cur += len; /* shall we check for MessageId match or just skip? */
3445
3446	/* pull [APPLICATION 24] */
3447	rem = end - cur;
3448	inf = ASN1_get_object(&cur, &len, &tag, &xclass, rem);
3449	if (inf != V_ASN1_CONSTRUCTED0x20 \|\| xclass != V_ASN1_APPLICATION0x40 \|\|
3450	tag != 24) {
3451	BIO_printf(bio_err, "Not ExtendedResponse\n");
3452	goto end;
3453	}
3454
3455	/* pull resultCode */
3456	rem = end - cur;
3457	inf = ASN1_get_object(&cur, &len, &tag, &xclass, rem);
3458	if (inf != V_ASN1_UNIVERSAL0x00 \|\| tag != V_ASN1_ENUMERATED10 \|\| len == 0 \|\|
3459	(rem = end - cur, len > rem)) {
3460	BIO_printf(bio_err, "Not LDAPResult\n");
3461	goto end;
3462	}
3463
3464	/* len should always be one, but just in case... */
3465	for (ret = 0, inf = 0; inf < len; inf++) {
3466	ret <<= 8;
3467	ret \|= cur[inf];
3468	}
3469	/* There is more data, but we don't care... */
3470	end:
3471	return ret;
3472	}
3473
3474	/*
3475	* Host dNS Name verifier: used for checking that the hostname is in dNS format
3476	* before setting it as SNI
3477	*/
3478	static int is_dNS_name(const char *host)
3479	{
3480	const size_t MAX_LABEL_LENGTH = 63;
3481	size_t i;
3482	int isdnsname = 0;
3483	size_t length = strlen(host);
3484	size_t label_length = 0;
3485	int all_numeric = 1;
3486
3487	/*
3488	* Deviation from strict DNS name syntax, also check names with '_'
3489	* Check DNS name syntax, any '-' or '.' must be internal,
3490	* and on either side of each '.' we can't have a '-' or '.'.
3491	*
3492	* If the name has just one label, we don't consider it a DNS name.
3493	*/
3494	for (i = 0; i < length && label_length < MAX_LABEL_LENGTH; ++i) {
3495	char c = host[i];
3496
3497	if ((c >= 'a' && c <= 'z')
3498	\|\| (c >= 'A' && c <= 'Z')
3499	\|\| c == '_') {
3500	label_length += 1;
3501	all_numeric = 0;
3502	continue;
3503	}
3504
3505	if (c >= '0' && c <= '9') {
3506	label_length += 1;
3507	continue;
3508	}
3509
3510	/* Dot and hyphen cannot be first or last. */
3511	if (i > 0 && i < length - 1) {
3512	if (c == '-') {
3513	label_length += 1;
3514	continue;
3515	}
3516	/*
3517	* Next to a dot the preceding and following characters must not be
3518	* another dot or a hyphen. Otherwise, record that the name is
3519	* plausible, since it has two or more labels.
3520	*/
3521	if (c == '.'
3522	&& host[i + 1] != '.'
3523	&& host[i - 1] != '-'
3524	&& host[i + 1] != '-') {
3525	label_length = 0;
3526	isdnsname = 1;
3527	continue;
3528	}
3529	}
3530	isdnsname = 0;
3531	break;
3532	}
3533
3534	/* dNS name must not be all numeric and labels must be shorter than 64 characters. */
3535	isdnsname &= !all_numeric && !(label_length == MAX_LABEL_LENGTH);
3536
3537	return isdnsname;
3538	}
3539	#endif /* OPENSSL_NO_SOCK */