From a91a4515c970dea004e2216fbfcb953cb5835332 Mon Sep 17 00:00:00 2001
From: Keith Buck
Date: Fri, 9 Dec 2016 10:01:22 +0000
Subject: [PATCH] mr_server: Handle certificate validation errors.

When certificate validation fails, the certificate fingerprint won't be calculated, resulting in an attempt to format NULL into a log line showing the fingerprint. Instead, add a different error message for missing fingerprint (i.e. validation failed).
---
modules/core/m_server.c | 24 ++++++++++++++++++------
1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/modules/core/m_server.c b/modules/core/m_server.c
index 9fcbeb3b..e4a5780f 100644
--- a/modules/core/m_server.c
+++ b/modules/core/m_server.c
@@ -189,13 +189,25 @@ mr_server(struct Client *client_p, struct Client *source_p, int parc, const char
 exit_client(client_p, client_p, client_p, "Access denied, requires SSL/TLS but is plaintext");
 return 0;
 case -6:
- sendto_realops_snomask(SNO_GENERAL, L_ALL,
- "Connection from servername %s has invalid certificate fingerprint %s",
- name, client_p->certfp);
- ilog(L_SERVER, "Access denied, invalid certificate fingerprint %s from %s",
- client_p->certfp, log_client_name(client_p, SHOW_IP));
+ if (client_p->certfp)
+ {
+ sendto_realops_snomask(SNO_GENERAL, L_ALL,
+ "Connection from servername %s has invalid certificate fingerprint %s",
+ name, client_p->certfp);
+ ilog(L_SERVER, "Access denied, invalid certificate fingerprint %s from %s",
+ client_p->certfp, log_client_name(client_p, SHOW_IP));
+ exit_client(client_p, client_p, client_p, "Invalid fingerprint.");
+ }
+ else
+ {
+ sendto_realops_snomask(SNO_GENERAL, L_ALL,
+ "Connection from servername %s failed certificate validation",
+ name);
+ ilog(L_SERVER, "Access denied; certificate validation failed for certificate from %s",
+ log_client_name(client_p, SHOW_IP));
+ exit_client(client_p, client_p, client_p, "Invalid certificate.");
+ }

- exit_client(client_p, client_p, client_p, "Invalid fingerprint.");
 return 0;
 default:
 sendto_realops_snomask(SNO_GENERAL, L_ALL,
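Review bot: The `ilog` call in the new else branch does not record the claimed server name, while the oper notice next to it records only `name`, so as far as the hunk shows a rejected link attempt cannot be matched between the server log and the notice without guessing. Passing both would fix that, e.g. `ilog(L_SERVER, "Access denied; certificate validation failed for %s from %s", name, log_client_name(client_p, SHOW_IP));`, and the fingerprint branch has the same gap. The else branch also concludes "validation failed" only from `client_p->certfp` being NULL; if NULL can also mean that the peer presented no certificate at all, the message misleads whoever triages it, so a comment above the `if` such as `/* certfp is NULL when no fingerprint was computed for this connection */` would record the assumption. The enclosing switch in mr_server starts and ends outside the hunk, so whether other cases still format `certfp` unguarded cannot be checked here.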