From: Tomas Mraz
Date: Fri, 28 Feb 2025 10:13:27 +0000 (+0100)
Subject: apps: Escape control characters in DNs by default
X-Git-Tag: openssl-3.3.4~147
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cf6085be17d0c2b1268940b2da7397aa0bbf6c09;p=thirdparty%2Fopenssl.git
apps: Escape control characters in DNs by default
When displaying distinguished names the control characters are escaped by default.
Reviewed-by: Neil Horman
Reviewed-by: Matt Caswell
(Merged from https://github.com/openssl/openssl/pull/26932)
(cherry picked from commit 2411f9b662fa501c9eec257a30a7da0cfc2dc173)
---
diff --git a/CHANGES.md b/CHANGES.md
index 27fc360625b..3ed965e8691 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -28,7 +28,10 @@ OpenSSL 3.3
 ### Changes between 3.3.3 and 3.3.4 [xx XXX xxxx]
- * none yet
+ * When displaying distinguished names in the openssl application escape control
+ characters by default.
+
+ *Tomáš Mráz*
 ### Changes between 3.3.2 and 3.3.3 [11 Feb 2025]
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index 17a85380693..1c7baf6940f 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -189,7 +189,11 @@ int set_nameopt(const char *arg)
 unsigned long get_nameopt(void)
 {
 return
- nmflag_set ? nmflag : XN_FLAG_SEP_CPLUS_SPC | ASN1_STRFLGS_UTF8_CONVERT;
+ nmflag_set ? nmflag : XN_FLAG_SEP_CPLUS_SPC | XN_FLAG_FN_SN
+ | ASN1_STRFLGS_ESC_CTRL
+ | ASN1_STRFLGS_UTF8_CONVERT
+ | ASN1_STRFLGS_DUMP_UNKNOWN
+ | ASN1_STRFLGS_DUMP_DER;
 }
 void dump_cert_text(BIO *out, X509 *x)
diff --git a/doc/man1/openssl-namedisplay-options.pod b/doc/man1/openssl-namedisplay-options.pod
index a12f4dbf66c..f16a582021f 100644
--- a/doc/man1/openssl-namedisplay-options.pod
+++ b/doc/man1/openssl-namedisplay-options.pod
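Review bot: In `get_nameopt()` (apps/lib/apps.c) the hardened mask sits only on the fallback branch of `nmflag_set ? nmflag : …`, so any explicit `-nameopt` value appears to replace it entirely and keeps control-character escaping only if `esc_ctrl` is listed again; `set_nameopt`'s body is outside this hunk, so that is inferred from the ternary. `ASN1_STRFLGS_ESC_CTRL` also covers only the ASCII controls (below 0x20, and 0x7f); with `ASN1_STRFLGS_UTF8_CONVERT` and no `ASN1_STRFLGS_ESC_MSB`, C1 controls and Unicode bidirectional formatting characters in a DN should still be written out unescaped. A comment above the return would record both limits for the next maintainer, e.g. `/* Default only: an explicit -nameopt replaces this mask. ESC_CTRL escapes ASCII controls, not C1 or bidi characters. */`.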
@@ -18,8 +18,10 @@ displayed. This is specified by using the B<-nameopt> option, which takes a comma-separated list of options from the following set. An option may be preceded by a minus sign, C<->, to turn it off.
-The default value is C.
-The first four are the most commonly used.
+The first four option arguments are the most commonly used.
+
+The default value is
+C.
 =head1 OPTIONS
diff --git a/test/certs/tab-in-dn.pem b/test/certs/tab-in-dn.pem
new file mode 100644
index 00000000000..85b7b62849d
--- /dev/null
+++ b/test/certs/tab-in-dn.pem
@@ -0,0 +1,8 @@
+-----BEGIN CERTIFICATE-----
+MIIBCjCBvaADAgECAhQtSLWSJKg8TpmuRG/UlzepKY2MazAFBgMrZXAwEzERMA8G
+A1UEAwwIVGVzdAlUQUIwIBcNMjUwMjI4MTAzNDE5WhgPMjEyNTAyMDQxMDM0MTla
+MBMxETAPBgNVBAMMCFRlc3QJVEFCMCowBQYDK2VwAyEA1ptSJCGrDHMlWEoirhZe
+s2TETOMe4f0G335qXYHDPP+jITAfMB0GA1UdDgQWBBQwCDnyYnvR2GXoToxSxPmp
+kvER+zAFBgMrZXADQQBszFQxeWW1BBUgWf9as2zDyYCO43kBWTFTypPsFkpuAg4t
+oxrqzb7Kd4RIT0TGtRGgd3gwRkqC0ecgM/NmXOYM
+-----END CERTIFICATE-----
diff --git a/test/certs/tab-in-dn.text b/test/certs/tab-in-dn.text
new file mode 100644
index 00000000000..fc7dee804f8
--- /dev/null
+++ b/test/certs/tab-in-dn.text
@@ -0,0 +1,27 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ 2d:48:b5:92:24:a8:3c:4e:99:ae:44:6f:d4:97:37:a9:29:8d:8c:6b
+ Signature Algorithm: ED25519
+ Issuer: CN=Test\09TAB
+ Validity
+ Not Before: Feb 28 10:34:19 2025 GMT
+ Not After : Feb 4 10:34:19 2125 GMT
+ Subject: CN=Test\09TAB
+ Subject Public Key Info:
+ Public Key Algorithm: ED25519
+ ED25519 Public-Key:
+ pub:
+ d6:9b:52:24:21:ab:0c:73:25:58:4a:22:ae:16:5e:
+ b3:64:c4:4c:e3:1e:e1:fd:06:df:7e:6a:5d:81:c3:
+ 3c:ff
+ X509v3 extensions:
+ X509v3 Subject Key Identifier:
+ 30:08:39:F2:62:7B:D1:D8:65:E8:4E:8C:52:C4:F9:A9:92:F1:11:FB
+ Signature Algorithm: ED25519
+ Signature Value:
+ 6c:cc:54:31:79:65:b5:04:15:20:59:ff:5a:b3:6c:c3:c9:80:
+ 8e:e3:79:01:59:31:53:ca:93:ec:16:4a:6e:02:0e:2d:a3:1a:
+ ea:cd:be:ca:77:84:48:4f:44:c6:b5:11:a0:77:78:30:46:4a:
+ 82:d1:e7:20:33:f3:66:5c:e6:0c
diff --git a/test/recipes/25-test_x509.t b/test/recipes/25-test_x509.t
index 13dce340766..2abc1b378d7 100644
--- a/test/recipes/25-test_x509.t
+++ b/test/recipes/25-test_x509.t
@@ -16,7 +16,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/;
 setup("test_x509");
-plan tests => 46;
+plan tests => 48;
 # Prevent MSys2 filename munging for arguments that look like file paths but
 # aren't
@@ -42,6 +42,18 @@ ok(run(app(["openssl", "x509", "-text", "-in", $pem, "-out", $out_utf8,
 is(cmp_text($out_utf8, $utf),
 0, 'Comparing utf8 output with cyrillic.utf8');
+SKIP: {
+ skip "EdDSA disabled", 2 if disabled("ecx");
+
+ $pem = srctop_file(@certs, "tab-in-dn.pem");
+ my $out_text = "out-tab-in-dn.text";
+ my $text = srctop_file(@certs, "tab-in-dn.text");
+ ok(run(app(["openssl", "x509", "-text", "-noout",
+ "-in", $pem, "-out", $out_text])));
+ is(cmp_text($out_text, $text),
+ 0, 'Comparing default output with tab-in-dn.text');
+}
+
 SKIP: {
 skip "DES disabled", 1 if disabled("des");
 skip "Platform doesn't support command line UTF-8", 1 if $^O =~ /^(VMS|msys)$/;
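Review bot: The new SKIP block in test/recipes/25-test_x509.t pins only a TAB (0x09) in the CN and only the default `x509 -text` path, so the control characters most relevant to terminal or log output (ESC 0x1b, CR, LF) and the explicit `-nameopt` path are not covered by any assertion. A second fixture, or at minimum a comment such as `# covers TAB only; ESC/CR/LF and explicit -nameopt are not exercised`, would make that gap visible. Separately, `$pem = srctop_file(@certs, "tab-in-dn.pem");` assigns what appears to be the file-scoped `$pem` used by the cyrillic tests (its declaration is outside the hunk), so its value after this block depends on whether ecx is enabled. A block-local `my $tab_pem = srctop_file(@certs, "tab-in-dn.pem");` passed to `-in` avoids that.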