From de78843144d40b991cefc652532c03dd8c56e5cc Mon Sep 17 00:00:00 2001 From: Attila Molnar Date: Tue, 22 Jul 2014 20:05:10 +0200 Subject: Make sure the DN strings obtained from the SSL mods are always valid --- src/modules/extra/m_ssl_gnutls.cpp | 20 ++++++++++++++++---- src/modules/extra/m_ssl_openssl.cpp | 6 ++++++ 2 files changed, 22 insertions(+), 4 deletions(-) diff --git a/src/modules/extra/m_ssl_gnutls.cpp b/src/modules/extra/m_ssl_gnutls.cpp index 03673d7a0..6a6a7923a 100644 --- a/src/modules/extra/m_ssl_gnutls.cpp +++ b/src/modules/extra/m_ssl_gnutls.cpp @@ -880,11 +880,23 @@ class ModuleSSLGnuTLS : public Module goto info_done_dealloc; } - gnutls_x509_crt_get_dn(cert, name, &name_size); - certinfo->dn = name; + if (gnutls_x509_crt_get_dn(cert, name, &name_size) == 0) + { + std::string& dn = certinfo->dn; + dn = name; + // Make sure there are no chars in the string that we consider invalid + if (dn.find_first_of("\r\n") != std::string::npos) + dn.clear(); + } - gnutls_x509_crt_get_issuer_dn(cert, name, &name_size); - certinfo->issuer = name; + name_size = sizeof(name); + if (gnutls_x509_crt_get_issuer_dn(cert, name, &name_size) == 0) + { + std::string& issuer = certinfo->issuer; + issuer = name; + if (issuer.find_first_of("\r\n") != std::string::npos) + issuer.clear(); + } if ((ret = gnutls_x509_crt_get_fingerprint(cert, hash, digest, &digest_size)) < 0) { diff --git a/src/modules/extra/m_ssl_openssl.cpp b/src/modules/extra/m_ssl_openssl.cpp index 60c90988a..33f848798 100644 --- a/src/modules/extra/m_ssl_openssl.cpp +++ b/src/modules/extra/m_ssl_openssl.cpp @@ -639,8 +639,14 @@ class ModuleSSLOpenSSL : public Module char buf[512]; X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf)); certinfo->dn = buf; + // Make sure there are no chars in the string that we consider invalid + if (certinfo->dn.find_first_of("\r\n") != std::string::npos) + certinfo->dn.clear(); + X509_NAME_oneline(X509_get_issuer_name(cert), buf, sizeof(buf)); certinfo->issuer = buf; + if (certinfo->issuer.find_first_of("\r\n") != std::string::npos) + certinfo->issuer.clear(); if (!X509_digest(cert, digest, md, &n)) { -- cgit v1.2.3