X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=apps%2Fapps.c;h=24a493e0eb1bed7c41f5c799dfcf5dd5d31c4f01;hp=22ef53a9e8c1c41431b3ddbd1330547c646bfb65;hb=87054c4f0e6a2cadcf50ce8aed9748b65e796bb5;hpb=f2e590942ea405638e7424a91fecd1e14efae3c4

diff --git a/apps/apps.c b/apps/apps.c
index 22ef53a9e8..24a493e0eb 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -109,7 +109,7 @@
  *
  */
 
-#ifndef _POSIX_C_SOURCE
+#if !defined(_POSIX_C_SOURCE) && defined(OPENSSL_SYS_VMS)
 #define _POSIX_C_SOURCE 2	/* On VMS, you need to define this to get
 				   the declaration of fileno().  The value
 				   2 is to make sure no function defined
@@ -1215,7 +1215,8 @@ STACK_OF(X509) *load_certs(BIO *err, const char *file, int format,
 	const char *pass, ENGINE *e, const char *desc)
 	{
 	STACK_OF(X509) *certs;
-	load_certs_crls(err, file, format, pass, e, desc, &certs, NULL);
+	if (!load_certs_crls(err, file, format, pass, e, desc, &certs, NULL))
+		return NULL;
 	return certs;
 	}	
 
@@ -1223,7 +1224,8 @@ STACK_OF(X509_CRL) *load_crls(BIO *err, const char *file, int format,
 	const char *pass, ENGINE *e, const char *desc)
 	{
 	STACK_OF(X509_CRL) *crls;
-	load_certs_crls(err, file, format, pass, e, desc, NULL, &crls);
+	if (!load_certs_crls(err, file, format, pass, e, desc, NULL, &crls))
+		return NULL;
 	return crls;
 	}	
 
@@ -2130,7 +2132,7 @@ X509_NAME *parse_name(char *subject, long chtype, int multirdn)
 	X509_NAME *n = NULL;
 	int nid;
 
-	if (!buf || !ne_types || !ne_values)
+	if (!buf || !ne_types || !ne_values || !mval)
 		{
 		BIO_printf(bio_err, "malloc error\n");
 		goto error;
@@ -2234,6 +2236,7 @@ X509_NAME *parse_name(char *subject, long chtype, int multirdn)
 	OPENSSL_free(ne_values);
 	OPENSSL_free(ne_types);
 	OPENSSL_free(buf);
+	OPENSSL_free(mval);
 	return n;
 
 error:
@@ -2242,6 +2245,8 @@ error:
 		OPENSSL_free(ne_values);
 	if (ne_types)
 		OPENSSL_free(ne_types);
+	if (mval)
+		OPENSSL_free(mval);
 	if (buf)
 		OPENSSL_free(buf);
 	return NULL;
@@ -2257,6 +2262,8 @@ int args_verify(char ***pargs, int *pargc,
 	char **oldargs = *pargs;
 	char *arg = **pargs, *argn = (*pargs)[1];
 	time_t at_time = 0;
+	const unsigned char *hostname = NULL, *email = NULL;
+	char *ipasc = NULL;
 	if (!strcmp(arg, "-policy"))
 		{
 		if (!argn)
@@ -2330,6 +2337,27 @@ int args_verify(char ***pargs, int *pargc,
 			}
 		(*pargs)++;
 		}
+	else if (strcmp(arg,"-verify_hostname") == 0)
+		{
+		if (!argn)
+			*badarg = 1;
+		hostname = (unsigned char *)argn;
+		(*pargs)++;
+		}
+	else if (strcmp(arg,"-verify_email") == 0)
+		{
+		if (!argn)
+			*badarg = 1;
+		email = (unsigned char *)argn;
+		(*pargs)++;
+		}
+	else if (strcmp(arg,"-verify_ip") == 0)
+		{
+		if (!argn)
+			*badarg = 1;
+		ipasc = argn;
+		(*pargs)++;
+		}
 	else if (!strcmp(arg, "-ignore_critical"))
 		flags |= X509_V_FLAG_IGNORE_CRITICAL;
 	else if (!strcmp(arg, "-issuer_checks"))
@@ -2356,6 +2384,10 @@ int args_verify(char ***pargs, int *pargc,
 		flags |= X509_V_FLAG_NOTIFY_POLICY;
 	else if (!strcmp(arg, "-check_ss_sig"))
 		flags |= X509_V_FLAG_CHECK_SS_SIGNATURE;
+	else if (!strcmp(arg, "-trusted_first"))
+		flags |= X509_V_FLAG_TRUSTED_FIRST;
+	else if (!strcmp(arg, "-partial_chain"))
+		flags |= X509_V_FLAG_PARTIAL_CHAIN;
 	else
 		return 0;
 
@@ -2387,6 +2419,15 @@ int args_verify(char ***pargs, int *pargc,
 	if (at_time) 
 		X509_VERIFY_PARAM_set_time(*pm, at_time);
 
+	if (hostname && !X509_VERIFY_PARAM_set1_host(*pm, hostname, 0))
+		*badarg = 1;
+
+	if (email && !X509_VERIFY_PARAM_set1_email(*pm, email, 0))
+		*badarg = 1;
+
+	if (ipasc && !X509_VERIFY_PARAM_set1_ip_asc(*pm, ipasc))
+		*badarg = 1;
+
 	end:
 
 	(*pargs)++;
@@ -2762,6 +2803,35 @@ unsigned char *next_protos_parse(unsigned short *outlen, const char *in)
 	}
 #endif  /* !OPENSSL_NO_TLSEXT && !OPENSSL_NO_NEXTPROTONEG */
 
+void print_cert_checks(BIO *bio, X509 *x,
+				const unsigned char *checkhost,
+				const unsigned char *checkemail,
+				const char *checkip)
+	{
+	if (x == NULL)
+		return;
+	if (checkhost)
+		{
+		BIO_printf(bio, "Hostname %s does%s match certificate\n",
+				checkhost, X509_check_host(x, checkhost, 0, 0)
+						? "" : " NOT");
+		}
+
+	if (checkemail)
+		{
+		BIO_printf(bio, "Email %s does%s match certificate\n",
+				checkemail, X509_check_email(x, checkemail, 0,
+						0) ? "" : " NOT");
+		}
+
+	if (checkip)
+		{
+		BIO_printf(bio, "IP %s does%s match certificate\n",
+				checkip, X509_check_ip_asc(x, checkip,
+						0) ? "" : " NOT");
+		}
+	}
+
 /*
  * Platform-specific sections
  */