+ if (!srv->tls_active)
+ {
+ printf("Failed to start TLS\n");
+ fflush(stdout);
+ }
+ #ifdef HAVE_GNUTLS
+ else if (ocsp_stapling)
+ {
+ if ((rc= gnutls_certificate_verify_peers2(tls_session, &verify)) < 0)
+ {
+ printf("Failed to verify certificate: %s\n", gnutls_strerror(rc));
+ fflush(stdout);
+ }
+ else if (verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED))
+ {
+ printf("Bad certificate\n");
+ fflush(stdout);
+ }
+ #ifdef HAVE_OCSP
+ else if (gnutls_ocsp_status_request_is_checked(tls_session, 0) == 0)
+ {
+ printf("Failed to verify certificate status\n");
+ {
+ gnutls_datum_t stapling;
+ gnutls_ocsp_resp_t resp;
+ gnutls_datum_t printed;
+ if ( (rc= gnutls_ocsp_status_request_get(tls_session, &stapling)) == 0
+ && (rc= gnutls_ocsp_resp_init(&resp)) == 0
+ && (rc= gnutls_ocsp_resp_import(resp, &stapling)) == 0
+ && (rc= gnutls_ocsp_resp_print(resp, GNUTLS_OCSP_PRINT_FULL, &printed)) == 0
+ )
+ {
+ fprintf(stderr, "%.4096s", printed.data);
+ gnutls_free(printed.data);
+ }
+ else
+ (void) fprintf(stderr,"ocsp decode: %s", gnutls_strerror(rc));
+ }
+ fflush(stdout);
+ }
+ #endif
+ }
+ #endif
+ else
+ printf("Succeeded in starting TLS\n");
+ }
+ else printf("Abandoning TLS start attempt\n");
+ }
+ srv->sent_starttls = 0;
+ #endif
+ }
+
+ /* Wait for a bit before proceeding */
+
+ else if (strncmp(CS outbuffer, "+++ ", 4) == 0)
+ {
+ printf("%s\n", outbuffer);
+ sleep(atoi(CS outbuffer + 4));
+ }
+
+ /* Stack new input file */
+
+ else if (strncmp(CS outbuffer, "<<< ", 4) == 0)
+ {
+ FILE * new_f;
+ if (!(new_f = fopen((const char *)outbuffer+4 , "r")))
+ {
+ printf("Unable to open '%s': %s", inptr, strerror(errno));
+ exit(74);
+ }
+ do_file(srv, new_f, timeout, inbuffer, bsiz, inptr);
+ }
+
+
+ /* Send line outgoing, but barf if unconsumed incoming */
+
+ else
+ {
+ unsigned char * out = outbuffer;
+
+ if (strncmp(CS outbuffer, ">>> ", 4) == 0)
+ {
+ crlf = 0;
+ out += 4;
+ n -= 4;
+ }
+
+ if (*inptr != 0)
+ {
+ printf("Unconsumed input: %s", inptr);
+ printf(" About to send: %s\n", out);
+ exit(78);
+ }
+
+ #ifdef HAVE_TLS
+
+ /* Shutdown TLS */
+
+ if (strcmp(CS out, "stoptls") == 0 ||
+ strcmp(CS out, "STOPTLS") == 0)
+ {
+ if (!srv->tls_active)
+ {
+ printf("STOPTLS read when TLS not active\n");
+ exit(77);
+ }
+ printf("Shutting down TLS encryption\n");
+
+ #ifdef HAVE_OPENSSL
+ SSL_shutdown(srv->ssl);
+ SSL_free(srv->ssl);
+ #endif
+
+ #ifdef HAVE_GNUTLS
+ gnutls_bye(tls_session, GNUTLS_SHUT_WR);
+ gnutls_deinit(tls_session);
+ tls_session = NULL;
+ gnutls_global_deinit();
+ #endif
+
+ srv->tls_active = 0;
+ continue;
+ }
+
+ /* Remember that we sent STARTTLS */
+
+ srv->sent_starttls = (strcmp(CS out, "starttls") == 0 ||
+ strcmp(CS out, "STARTTLS") == 0);
+
+ /* Fudge: if the command is "starttls_wait", we send the starttls bit,
+ but we haven't set the flag, so that there is no negotiation. This is for
+ testing the server's timeout. */
+
+ if (strcmp(CS out, "starttls_wait") == 0)
+ {
+ out[8] = 0;
+ n = 8;
+ }
+ #endif
+
+ printf(">>> %s\n", out);
+ if (crlf)
+ {
+ strcpy(CS out + n, "\r\n");
+ n += 2;
+ }
+
+ n = unescape_buf(out, n);
+
+ /* OK, do it */
+
+ alarm(timeout);
+ if (srv->tls_active)
+ {
+ #ifdef HAVE_OPENSSL
+ rc = SSL_write (srv->ssl, out, n);
+ #endif
+ #ifdef HAVE_GNUTLS
+ if ((rc = gnutls_record_send(tls_session, CS out, n)) < 0)
+ {
+ printf("GnuTLS write error: %s\n", gnutls_strerror(rc));
+ exit(76);
+ }
+ #endif
+ }
+ else
+ rc = write(srv->sock, out, n);
+ alarm(0);
+
+ if (rc < 0)
+ {
+ printf("Write error: %s\n", strerror(errno));
+ exit(75);
+ }
+ }
+ }
+}
+
+
+
+
+/*************************************************
+* Main Program *
+*************************************************/
+
+const char * const HELP_MESSAGE = "\n\
+Usage: client\n"
+#ifdef HAVE_TLS
+"\
+ [-tls-on-connect]\n\
+ [-ocsp]\n"
+# ifdef HAVE_GNUTLS
+"\
+ [-p priority-string]\n"
+# endif
+#endif
+"\
+ [-tn] n seconds timeout\n\
+ <IP address>\n\
+ <port>\n\
+ [<outgoing interface>]\n\
+ [<cert file>]\n\
+ [<key file>]\n\
+\n";
+
+int
+main(int argc, char **argv)
+{
+struct sockaddr *s_ptr;
+struct sockaddr_in s_in4;
+char *interface = NULL;
+char *address = NULL;
+char *certfile = NULL;
+char *keyfile = NULL;
+char *end = NULL;
+int argi = 1;
+int host_af, port, s_len, rc, save_errno;
+int timeout = 5;
+int tls_on_connect = 0;
+long tmplong;
+
+#if HAVE_IPV6
+struct sockaddr_in6 s_in6;
+#endif
+
+srv_ctx srv;
+
+unsigned char inbuffer[100 * 1024];
+unsigned char *inptr = inbuffer;
+
+*inptr = 0; /* Buffer empty */
+srv.tls_active = 0;
+srv.sent_starttls = 0;
+
+/* Options */
+
+while (argc >= argi + 1 && argv[argi][0] == '-')
+ {
+ if (strcmp(argv[argi], "-help") == 0 ||
+ strcmp(argv[argi], "--help") == 0 ||
+ strcmp(argv[argi], "-h") == 0)
+ {
+ puts(HELP_MESSAGE);
+ exit(0);
+ }
+ if (strcmp(argv[argi], "-tls-on-connect") == 0)
+ {
+ tls_on_connect = 1;
+ argi++;
+ }
+#ifdef HAVE_TLS
+ else if (strcmp(argv[argi], "-ocsp") == 0)
+ {
+ if (argc < ++argi + 1)
+ {
+ fprintf(stderr, "Missing required certificate file for ocsp option\n");
+ exit(96);
+ }
+ ocsp_stapling = argv[argi++];
+ }
+# ifdef HAVE_GNUTLS
+ else if (strcmp(argv[argi], "-p") == 0)
+ {
+ if (argc < ++argi + 1)
+ {
+ fprintf(stderr, "Missing priority string\n");
+ exit(96);
+ }
+ pri_string = argv[argi++];
+ }
+#endif
+
+#endif
+ else if (argv[argi][1] == 't' && isdigit(argv[argi][2]))
+ {
+ tmplong = strtol(argv[argi]+2, &end, 10);
+ if (end == argv[argi]+2 || *end)
+ {
+ fprintf(stderr, "Failed to parse seconds from option <%s>\n",
+ argv[argi]);
+ exit(95);
+ }
+ if (tmplong > 10000L)
+ {
+ fprintf(stderr, "Unreasonably long wait of %ld seconds requested\n",
+ tmplong);
+ exit(94);
+ }
+ if (tmplong < 0L)
+ {
+ fprintf(stderr, "Timeout must not be negative (%ld)\n", tmplong);
+ exit(93);
+ }
+ timeout = (int) tmplong;
+ argi++;
+ }
+ else
+ {
+ fprintf(stderr, "Unrecognized option %s\n", argv[argi]);
+ exit(92);
+ }
+ }
+
+/* Mandatory 1st arg is IP address */
+
+if (argc < argi+1)
+ {
+ fprintf(stderr, "No IP address given\n");
+ exit(91);
+ }
+
+address = argv[argi++];
+host_af = (strchr(address, ':') != NULL)? AF_INET6 : AF_INET;
+
+/* Mandatory 2nd arg is port */
+
+if (argc < argi+1)
+ {
+ fprintf(stderr, "No port number given\n");
+ exit(90);
+ }
+
+port = atoi(argv[argi++]);
+
+/* Optional next arg is interface */
+
+if (argc > argi &&
+ (isdigit((unsigned char)argv[argi][0]) || argv[argi][0] == ':'))
+ interface = argv[argi++];
+
+/* Any more arguments are the name of a certificate file and key file */
+
+if (argc > argi) certfile = argv[argi++];
+if (argc > argi) keyfile = argv[argi++];
+
+
+#if HAVE_IPV6
+/* For an IPv6 address, use an IPv6 sockaddr structure. */
+
+if (host_af == AF_INET6)
+ {
+ s_ptr = (struct sockaddr *)&s_in6;
+ s_len = sizeof(s_in6);
+ }
+else
+#endif
+
+/* For an IPv4 address, use an IPv4 sockaddr structure,
+even on an IPv6 system. */
+
+ {
+ s_ptr = (struct sockaddr *)&s_in4;
+ s_len = sizeof(s_in4);
+ }
+
+printf("Connecting to %s port %d ... ", address, port);
+
+srv.sock = socket(host_af, SOCK_STREAM, 0);
+if (srv.sock < 0)
+ {
+ printf("socket creation failed: %s\n", strerror(errno));
+ exit(89);
+ }
+
+/* Bind to a specific interface if requested. On an IPv6 system, this has
+to be of the same family as the address we are calling. On an IPv4 system the
+test is redundant, but it keeps the code tidier. */
+
+if (interface != NULL)
+ {
+ int interface_af = (strchr(interface, ':') != NULL)? AF_INET6 : AF_INET;
+
+ if (interface_af == host_af)
+ {
+ #if HAVE_IPV6
+
+ /* Set up for IPv6 binding */