rpms / sscg

Clone
Source Code
GIT

Blame SOURCES/0003-Truncate-IP-address-in-SAN.patch

c8 c8-beta c8s c9 c9-beta
  1.   4cd8e687213c92d3680abce8f412c52f28c9b1a0
  2.   SOURCES
  3.   0003-Truncate-IP-address-in-SAN.patch
Blob History Raw
4cd8e6 
From 0875cd6169e876c4296a307631d49b801fc686dc Mon Sep 17 00:00:00 2001
4cd8e6 
From: Stephen Gallagher <sgallagh@redhat.com>
4cd8e6 
Date: Tue, 8 Mar 2022 16:33:35 -0500
4cd8e6 
Subject: [PATCH] Truncate IP address in SAN
4cd8e6
4cd8e6 
In OpenSSL 1.1, this was done automatically when addind a SAN extension,
4cd8e6 
but in OpenSSL 3.0 it is rejected as an invalid input.
4cd8e6
4cd8e6 
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
4cd8e6 
---
4cd8e6 
 src/x509.c | 15 ++++++++++++++-
4cd8e6 
 1 file changed, 14 insertions(+), 1 deletion(-)
4cd8e6
4cd8e6 
diff --git a/src/x509.c b/src/x509.c
4cd8e6 
index 7c7e4dfe56d5756862f3e0f851941e846ce96f31..e828ec725b23d7ea79393151e7bb436e2f61bdb8 100644
4cd8e6 
--- a/src/x509.c
4cd8e6 
+++ b/src/x509.c
4cd8e6 
@@ -131,10 +131,11 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
4cd8e6 
   size_t i;
4cd8e6 
   X509_NAME *subject;
4cd8e6 
   char *alt_name = NULL;
4cd8e6 
   char *tmp = NULL;
4cd8e6 
   char *san = NULL;
4cd8e6 
+  char *slash = NULL;
4cd8e6 
   TALLOC_CTX *tmp_ctx;
4cd8e6 
   X509_EXTENSION *ex = NULL;
4cd8e6 
   struct sscg_x509_req *csr;
4cd8e6
4cd8e6 
   /* Make sure we have a key available */
4cd8e6 
@@ -265,10 +266,16 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
4cd8e6 
                 tmp_ctx, "DNS:%s", certinfo->subject_alt_names[i]);
4cd8e6 
             }
4cd8e6 
           else
4cd8e6 
             {
4cd8e6 
               san = talloc_strdup (tmp_ctx, certinfo->subject_alt_names[i]);
4cd8e6 
+              /* SAN IP addresses cannot include the subnet mask */
4cd8e6 
+              if ((slash = strchr (san, '/')))
4cd8e6 
+                {
4cd8e6 
+                  /* Truncate at the slash */
4cd8e6 
+                  *slash = '\0';
4cd8e6 
+                }
4cd8e6 
             }
4cd8e6 
           CHECK_MEM (san);
4cd8e6
4cd8e6 
           if (strnlen (san, MAXHOSTNAMELEN + 5) > MAXHOSTNAMELEN + 4)
4cd8e6 
             {
4cd8e6 
@@ -287,11 +294,17 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
4cd8e6 
           alt_name = tmp;
4cd8e6 
         }
4cd8e6 
     }
4cd8e6
4cd8e6 
   ex = X509V3_EXT_conf_nid (NULL, NULL, NID_subject_alt_name, alt_name);
4cd8e6 
-  CHECK_MEM (ex);
4cd8e6 
+  if (!ex)
4cd8e6 
+    {
4cd8e6 
+      ret = EINVAL;
4cd8e6 
+      fprintf (stderr, "Invalid subjectAlternativeName: %s\n", alt_name);
4cd8e6 
+      goto done;
4cd8e6 
+    }
4cd8e6 
+
4cd8e6 
   sk_X509_EXTENSION_push (certinfo->extensions, ex);
4cd8e6
4cd8e6 
   /* Set the public key for the certificate */
4cd8e6 
   sslret = X509_REQ_set_pubkey (csr->x509_req, spkey->evp_pkey);
4cd8e6 
   CHECK_SSL (sslret, X509_REQ_set_pubkey (OU));
4cd8e6 
--
4cd8e6 
2.35.1
4cd8e6

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation