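--- a/istream.c
+++ b/istream.c
@@ -447,8 +447,17 @@ ssl_check_cert_ident(X509 * x, char *hos
 
 if (!seen_dnsname)
 seen_dnsname = Strnew();
+ /* replace \0 to make full string visible to user */
+ if (sl != strlen(sn)) {
+ int i;
+ for (i = 0; i < sl; ++i) {
+ if (!sn[i])
+ sn[i] = '!';
+ }
+ }
 Strcat_m_charp(seen_dnsname, sn, " ", NULL);
- if (ssl_match_cert_ident(sn, sl, hostname))
+ if (sl == strlen(sn) /* catch \0 in SAN */
+ && ssl_match_cert_ident(sn, sl, hostname))
 break;
 }
 }
@@ -466,16 +475,27 @@ ssl_check_cert_ident(X509 * x, char *hos
 if (match_ident == FALSE && ret == NULL) {
 X509_NAME *xn;
 char buf[2048];
+ int slen;
 
 xn = X509_get_subject_name(x);
 
- if (X509_NAME_get_text_by_NID(xn, NID_commonName,
- buf, sizeof(buf)) == -1)
+ slen = X509_NAME_get_text_by_NID(xn, NID_commonName, buf, sizeof(buf));
+ if ( slen == -1)
 /* FIXME: gettextize? */
 ret = Strnew_charp("Unable to get common name from peer cert");
- else if (!ssl_match_cert_ident(buf, strlen(buf), hostname))
+ else if (slen != strlen(buf)
+ || !ssl_match_cert_ident(buf, strlen(buf), hostname)) {
+ /* replace \0 to make full string visible to user */
+ if (slen != strlen(buf)) {
+ int i;
+ for (i = 0; i < slen; ++i) {
+ if (!buf[i])
+ buf[i] = '!';
+ }
+ }
 /* FIXME: gettextize? */
 ret = Sprintf("Bad cert ident %s from %s", buf, hostname);
+ }
 else
 match_ident = TRUE;
 }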
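Review bot: In the subjectAltName hunk the guard `sl == strlen(sn) /* catch \0 in SAN */` runs after the loop that overwrites every NUL in `sn` with '!', so for a name that did contain a NUL the comparison will normally hold again (assuming `sn` is terminated at `sl`, which the hunk does not show) and `ssl_match_cert_ident` is still called on it. Rejection of such a name then rests on '!' never matching a hostname inside `ssl_match_cert_ident`, not on the length check the comment describes. Record the result before rewriting, e.g. `int sn_has_nul = (sl != strlen(sn));`, and test `if (!sn_has_nul && ssl_match_cert_ident(sn, sl, hostname))`. The commonName hunk already compares `slen` with `strlen(buf)` before it rewrites `buf`, so only the first hunk needs the change. `ssl_check_cert_ident` begins and ends outside both hunks.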