From df0c70dd1fc903d67cbe98c426b3e9fea8e87464 Mon Sep 17 00:00:00 2001
From: Keith Buck
Date: Fri, 9 Dec 2016 10:01:22 +0000
Subject: [PATCH] mr_server: Handle certificate validation errors.

When certificate validation fails, the certificate fingerprint won't be calculated, resulting in an attempt to format NULL into a log line showing the fingerprint. Instead, add a different error message for missing fingerprint (i.e. validation failed).
---
 modules/core/m_server.c | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/modules/core/m_server.c b/modules/core/m_server.c
index 1ceaca9f..ad8f66a9 100644
--- a/modules/core/m_server.c
+++ b/modules/core/m_server.c
@@ -189,13 +189,25 @@ mr_server(struct MsgBuf *msgbuf_p, struct Client *client_p, struct Client *sourc
 exit_client(client_p, client_p, client_p, "Access denied, requires SSL/TLS but is plaintext");
 return;
 case -6:
- sendto_realops_snomask(SNO_GENERAL, L_ALL,
- "Connection from servername %s has invalid certificate fingerprint %s",
- name, client_p->certfp);
- ilog(L_SERVER, "Access denied, invalid certificate fingerprint %s from %s",
- client_p->certfp, log_client_name(client_p, SHOW_IP));
+ if (client_p->certfp)
+ {
+ sendto_realops_snomask(SNO_GENERAL, L_ALL,
+ "Connection from servername %s has invalid certificate fingerprint %s",
+ name, client_p->certfp);
+ ilog(L_SERVER, "Access denied, invalid certificate fingerprint %s from %s",
+ client_p->certfp, log_client_name(client_p, SHOW_IP));
+ exit_client(client_p, client_p, client_p, "Invalid fingerprint.");
+ }
+ else
+ {
+ sendto_realops_snomask(SNO_GENERAL, L_ALL,
+ "Connection from servername %s failed certificate validation",
+ name);
+ ilog(L_SERVER, "Access denied; certificate validation failed for certificate from %s",
+ log_client_name(client_p, SHOW_IP));
+ exit_client(client_p, client_p, client_p, "Invalid certificate.");
+ }
 
- exit_client(client_p, client_p, client_p, "Invalid fingerprint.");
 return;
 default:
 sendto_realops_snomask(SNO_GENERAL, L_ALL,
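Review bot: The `else` branch under `case -6` reports every NULL `client_p->certfp` as a validation failure, but the only thing the code tests is that no fingerprint is present; a peer that presented no certificate at all would presumably reach the same branch (not verifiable from this hunk), and operators reading the notice would then look for the wrong cause. A wording such as `"Connection from servername %s has no certificate fingerprint (certificate missing or failed validation)"` states only what is known at that point. A one-line comment above the test, `/* certfp is NULL when no fingerprint was computed; never pass it to a %s format */`, would record why the guard exists so a later cleanup does not merge the branches again. The `ilog` call in the new branch also leaves out `name`, so the file log alone cannot tie the rejection to the server name that was claimed. mr_server starts and ends outside the hunk, so other places that format `certfp` could not be checked here.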