check mval for NULL too

[openssl.git] / apps / apps.c

diff --git a/apps/apps.c b/apps/apps.c
index 57390d37ccfe227660481b1e3f13c08f18cd19a8..34dc70b35453a664e3a9913ee754501bef8dc928 100644 (file)
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -109,7 +109,7 @@
  *
  */
 
-#ifndef _POSIX_C_SOURCE
+#if !defined(_POSIX_C_SOURCE) && defined(OPENSSL_SYS_VMS)
 #define _POSIX_C_SOURCE 2      /* On VMS, you need to define this to get
                                   the declaration of fileno().  The value
                                   2 is to make sure no function defined
@@ -275,6 +275,8 @@ int str2fmt(char *s)
                return(FORMAT_PKCS12);
        else if ((*s == 'E') || (*s == 'e'))
                return(FORMAT_ENGINE);
+       else if ((*s == 'H') || (*s == 'h'))
+               return FORMAT_HTTP;
        else if ((*s == 'P') || (*s == 'p'))
                {
                if (s[1] == 'V' || s[1] == 'v')
@@ -783,12 +785,80 @@ static int load_pkcs12(BIO *err, BIO *in, const char *desc,
        return ret;
        }
 
+int load_cert_crl_http(const char *url, BIO *err,
+                                       X509 **pcert, X509_CRL **pcrl)
+       {
+       char *host = NULL, *port = NULL, *path = NULL;
+       BIO *bio = NULL;
+       OCSP_REQ_CTX *rctx = NULL;
+       int use_ssl, rv = 0;
+       if (!OCSP_parse_url(url, &host, &port, &path, &use_ssl))
+               goto err;
+       if (use_ssl)
+               {
+               if (err)
+                       BIO_puts(err, "https not supported\n");
+               goto err;
+               }
+       bio = BIO_new_connect(host);
+       if (!bio || !BIO_set_conn_port(bio, port))
+               goto err;
+       rctx = OCSP_REQ_CTX_new(bio, 1024);
+       if (!rctx)
+               goto err;
+       if (!OCSP_REQ_CTX_http(rctx, "GET", path))
+               goto err;
+       if (!OCSP_REQ_CTX_add1_header(rctx, "Host", host))
+               goto err;
+       if (pcert)
+               {
+               do
+                       {
+                       rv = X509_http_nbio(rctx, pcert);
+                       }
+               while (rv == -1);
+               }
+       else
+               {
+               do
+                       {
+                       rv = X509_CRL_http_nbio(rctx, pcrl);
+                       } while (rv == -1);
+               }
+
+       err:
+       if (host)
+               OPENSSL_free(host);
+       if (path)
+               OPENSSL_free(path);
+       if (port)
+               OPENSSL_free(port);
+       if (bio)
+               BIO_free_all(bio);
+       if (rctx)
+               OCSP_REQ_CTX_free(rctx);
+       if (rv != 1)
+               {
+               if (bio && err)
+                       BIO_printf(bio_err, "Error loading %s from %s\n",
+                                       pcert ? "certificate" : "CRL", url);
+               ERR_print_errors(bio_err);
+               }
+       return rv;
+       }
+
 X509 *load_cert(BIO *err, const char *file, int format,
        const char *pass, ENGINE *e, const char *cert_descrip)
        {
        X509 *x=NULL;
        BIO *cert;
 
+       if (format == FORMAT_HTTP)
+               {
+               load_cert_crl_http(file, err, &x, NULL);
+               return x;
+               }
+
        if ((cert=BIO_new(BIO_s_file())) == NULL)
                {
                ERR_print_errors(err);
@@ -798,7 +868,9 @@ X509 *load_cert(BIO *err, const char *file, int format,
        if (file == NULL)
                {
 #ifdef _IONBF
+# ifndef OPENSSL_NO_SETVBUF_IONBF
                setvbuf(stdin, NULL, _IONBF, 0);
+# endif /* ndef OPENSSL_NO_SETVBUF_IONBF */
 #endif
                BIO_set_fp(cert,stdin,BIO_NOCLOSE);
                }
@@ -857,6 +929,55 @@ end:
        return(x);
        }
 
+X509_CRL *load_crl(char *infile, int format)
+       {
+       X509_CRL *x=NULL;
+       BIO *in=NULL;
+
+       if (format == FORMAT_HTTP)
+               {
+               load_cert_crl_http(infile, bio_err, NULL, &x);
+               return x;
+               }
+
+       in=BIO_new(BIO_s_file());
+       if (in == NULL)
+               {
+               ERR_print_errors(bio_err);
+               goto end;
+               }
+
+       if (infile == NULL)
+               BIO_set_fp(in,stdin,BIO_NOCLOSE);
+       else
+               {
+               if (BIO_read_filename(in,infile) <= 0)
+                       {
+                       perror(infile);
+                       goto end;
+                       }
+               }
+       if      (format == FORMAT_ASN1)
+               x=d2i_X509_CRL_bio(in,NULL);
+       else if (format == FORMAT_PEM)
+               x=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL);
+       else    {
+               BIO_printf(bio_err,"bad input format specified for input crl\n");
+               goto end;
+               }
+       if (x == NULL)
+               {
+               BIO_printf(bio_err,"unable to load CRL\n");
+               ERR_print_errors(bio_err);
+               goto end;
+               }
+       
+end:
+       BIO_free(in);
+       return(x);
+       }
+
+
 EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
        const char *pass, ENGINE *e, const char *key_descrip)
        {
@@ -899,7 +1020,9 @@ EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
        if (file == NULL && maybe_stdin)
                {
 #ifdef _IONBF
+# ifndef OPENSSL_NO_SETVBUF_IONBF
                setvbuf(stdin, NULL, _IONBF, 0);
+# endif /* ndef OPENSSL_NO_SETVBUF_IONBF */
 #endif
                BIO_set_fp(key,stdin,BIO_NOCLOSE);
                }
@@ -988,7 +1111,9 @@ EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin,
        if (file == NULL && maybe_stdin)
                {
 #ifdef _IONBF
+# ifndef OPENSSL_NO_SETVBUF_IONBF
                setvbuf(stdin, NULL, _IONBF, 0);
+# endif /* ndef OPENSSL_NO_SETVBUF_IONBF */
 #endif
                BIO_set_fp(key,stdin,BIO_NOCLOSE);
                }
@@ -1209,7 +1334,8 @@ STACK_OF(X509) *load_certs(BIO *err, const char *file, int format,
        const char *pass, ENGINE *e, const char *desc)
        {
        STACK_OF(X509) *certs;
-       load_certs_crls(err, file, format, pass, e, desc, &certs, NULL);
+       if (!load_certs_crls(err, file, format, pass, e, desc, &certs, NULL))
+               return NULL;
        return certs;
        }       
 
@@ -1217,7 +1343,8 @@ STACK_OF(X509_CRL) *load_crls(BIO *err, const char *file, int format,
        const char *pass, ENGINE *e, const char *desc)
        {
        STACK_OF(X509_CRL) *crls;
-       load_certs_crls(err, file, format, pass, e, desc, NULL, &crls);
+       if (!load_certs_crls(err, file, format, pass, e, desc, NULL, &crls))
+               return NULL;
        return crls;
        }       
 
@@ -2124,7 +2251,7 @@ X509_NAME *parse_name(char *subject, long chtype, int multirdn)
        X509_NAME *n = NULL;
        int nid;
 
-       if (!buf || !ne_types || !ne_values)
+       if (!buf || !ne_types || !ne_values || !mval)
                {
                BIO_printf(bio_err, "malloc error\n");
                goto error;
@@ -2228,6 +2355,7 @@ X509_NAME *parse_name(char *subject, long chtype, int multirdn)
        OPENSSL_free(ne_values);
        OPENSSL_free(ne_types);
        OPENSSL_free(buf);
+       OPENSSL_free(mval);
        return n;
 
 error:
@@ -2236,6 +2364,8 @@ error:
                OPENSSL_free(ne_values);
        if (ne_types)
                OPENSSL_free(ne_types);
+       if (mval)
+               OPENSSL_free(mval);
        if (buf)
                OPENSSL_free(buf);
        return NULL;
@@ -2251,6 +2381,7 @@ int args_verify(char ***pargs, int *pargc,
        char **oldargs = *pargs;
        char *arg = **pargs, *argn = (*pargs)[1];
        const X509_VERIFY_PARAM *vpm = NULL;
+       time_t at_time = 0;
        if (!strcmp(arg, "-policy"))
                {
                if (!argn)
@@ -2318,6 +2449,27 @@ int args_verify(char ***pargs, int *pargc,
                        }
                (*pargs)++;
                }
+       else if (strcmp(arg,"-attime") == 0)
+               {
+               if (!argn)
+                       *badarg = 1;
+               else
+                       {
+                       long timestamp;
+                       /* interpret the -attime argument as seconds since
+                        * Epoch */
+                       if (sscanf(argn, "%li", &timestamp) != 1)
+                               {
+                               BIO_printf(bio_err,
+                                               "Error parsing timestamp %s\n",
+                                               argn);
+                               *badarg = 1;
+                               }
+                       /* on some platforms time_t may be a float */
+                       at_time = (time_t) timestamp;
+                       }
+               (*pargs)++;
+               }
        else if (!strcmp(arg, "-ignore_critical"))
                flags |= X509_V_FLAG_IGNORE_CRITICAL;
        else if (!strcmp(arg, "-issuer_checks"))
@@ -2346,6 +2498,12 @@ int args_verify(char ***pargs, int *pargc,
                flags |= X509_V_FLAG_CHECK_SS_SIGNATURE;
        else if (!strcmp(arg, "-trusted_first"))
                flags |= X509_V_FLAG_TRUSTED_FIRST;
+       else if (!strcmp(arg, "-suiteB_128_only"))
+               flags |= X509_V_FLAG_SUITEB_128_LOS_ONLY;
+       else if (!strcmp(arg, "-suiteB_128"))
+               flags |= X509_V_FLAG_SUITEB_128_LOS;
+       else if (!strcmp(arg, "-suiteB_192"))
+               flags |= X509_V_FLAG_SUITEB_192_LOS;
        else
                return 0;
 
@@ -2377,6 +2535,9 @@ int args_verify(char ***pargs, int *pargc,
        if (depth >= 0)
                X509_VERIFY_PARAM_set_depth(*pm, depth);
 
+       if (at_time) 
+               X509_VERIFY_PARAM_set_time(*pm, at_time);
+
        end:
 
        (*pargs)++;
@@ -2708,6 +2869,79 @@ void jpake_server_auth(BIO *out, BIO *conn, const char *secret)
 
 #endif
 
+#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
+/* next_protos_parse parses a comma separated list of strings into a string
+ * in a format suitable for passing to SSL_CTX_set_next_protos_advertised.
+ *   outlen: (output) set to the length of the resulting buffer on success.
+ *   err: (maybe NULL) on failure, an error message line is written to this BIO.
+ *   in: a NUL termianted string like "abc,def,ghi"
+ *
+ *   returns: a malloced buffer or NULL on failure.
+ */
+unsigned char *next_protos_parse(unsigned short *outlen, const char *in)
+       {
+       size_t len;
+       unsigned char *out;
+       size_t i, start = 0;
+
+       len = strlen(in);
+       if (len >= 65535)
+               return NULL;
+
+       out = OPENSSL_malloc(strlen(in) + 1);
+       if (!out)
+               return NULL;
+
+       for (i = 0; i <= len; ++i)
+               {
+               if (i == len || in[i] == ',')
+                       {
+                       if (i - start > 255)
+                               {
+                               OPENSSL_free(out);
+                               return NULL;
+                               }
+                       out[start] = i - start;
+                       start = i + 1;
+                       }
+               else
+                       out[i+1] = in[i];
+               }
+
+       *outlen = len + 1;
+       return out;
+       }
+#endif  /* !OPENSSL_NO_TLSEXT && !OPENSSL_NO_NEXTPROTONEG */
+
+void print_cert_checks(BIO *bio, X509 *x,
+                               const unsigned char *checkhost,
+                               const unsigned char *checkemail,
+                               const char *checkip)
+       {
+       if (x == NULL)
+               return;
+       if (checkhost)
+               {
+               BIO_printf(bio, "Hostname %s does%s match certificate\n",
+                               checkhost, X509_check_host(x, checkhost, 0, 0)
+                                               ? "" : " NOT");
+               }
+
+       if (checkemail)
+               {
+               BIO_printf(bio, "Email %s does%s match certificate\n",
+                               checkemail, X509_check_email(x, checkemail, 0,
+                                               0) ? "" : " NOT");
+               }
+
+       if (checkip)
+               {
+               BIO_printf(bio, "IP %s does%s match certificate\n",
+                               checkip, X509_check_ip_asc(x, checkip,
+                                               0) ? "" : " NOT");
+               }
+       }
+
 /*
  * Platform-specific sections
  */
@@ -3033,46 +3267,3 @@ int raw_write_stdout(const void *buf,int siz)
 int raw_write_stdout(const void *buf,int siz)
        {       return write(fileno(stdout),buf,siz);   }
 #endif
-
-#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
-/* next_protos_parse parses a comma separated list of strings into a string
- * in a format suitable for passing to SSL_CTX_set_next_protos_advertised.
- *   outlen: (output) set to the length of the resulting buffer on success.
- *   in: a NUL termianted string like "abc,def,ghi"
- *
- *   returns: a malloced buffer or NULL on failure.
- */
-unsigned char *next_protos_parse(unsigned short *outlen, const char *in)
-       {
-       size_t len;
-       unsigned char *out;
-       size_t i, start = 0;
-
-       len = strlen(in);
-       if (len >= 65535)
-               return NULL;
-
-       out = OPENSSL_malloc(strlen(in) + 1);
-       if (!out)
-               return NULL;
-
-       for (i = 0; i <= len; ++i)
-               {
-               if (i == len || in[i] == ',')
-                       {
-                       if (i - start > 255)
-                               {
-                               OPENSSL_free(out);
-                               return NULL;
-                               }
-                       out[start] = i - start;
-                       start = i + 1;
-                       }
-               else
-                       out[i+1] = in[i];
-               }
-
-       *outlen = len + 1;
-       return out;
-       }
-#endif  /* !OPENSSL_NO_TLSEXT && !OPENSSL_NO_NEXTPROTONEG */