From 0875cd6169e876c4296a307631d49b801fc686dc Mon Sep 17 00:00:00 2001

From: Stephen Gallagher <sgallagh@redhat.com>

Date: Tue, 8 Mar 2022 16:33:35 -0500

Subject: [PATCH] Truncate IP address in SAN

In OpenSSL 1.1, this was done automatically when addind a SAN extension,

but in OpenSSL 3.0 it is rejected as an invalid input.

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>

---

 src/x509.c | 15 ++++++++++++++-

 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/x509.c b/src/x509.c

index 7c7e4dfe56d5756862f3e0f851941e846ce96f31..e828ec725b23d7ea79393151e7bb436e2f61bdb8 100644

--- a/src/x509.c

+++ b/src/x509.c

@@ -131,10 +131,11 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,

   size_t i;

   X509_NAME *subject;

   char *alt_name = NULL;

   char *tmp = NULL;

   char *san = NULL;

+  char *slash = NULL;

   TALLOC_CTX *tmp_ctx;

   X509_EXTENSION *ex = NULL;

   struct sscg_x509_req *csr;

   /* Make sure we have a key available */

@@ -265,10 +266,16 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,

                 tmp_ctx, "DNS:%s", certinfo->subject_alt_names[i]);

             }

           else

             {

               san = talloc_strdup (tmp_ctx, certinfo->subject_alt_names[i]);

+              /* SAN IP addresses cannot include the subnet mask */

+              if ((slash = strchr (san, '/')))

+                {

+                  /* Truncate at the slash */

+                  *slash = '\0';

+                }

             }

           CHECK_MEM (san);

           if (strnlen (san, MAXHOSTNAMELEN + 5) > MAXHOSTNAMELEN + 4)

             {

@@ -287,11 +294,17 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,

           alt_name = tmp;

         }

     }

   ex = X509V3_EXT_conf_nid (NULL, NULL, NID_subject_alt_name, alt_name);

-  CHECK_MEM (ex);

+  if (!ex)

+    {

+      ret = EINVAL;

+      fprintf (stderr, "Invalid subjectAlternativeName: %s\n", alt_name);

+      goto done;

+    }

+

   sk_X509_EXTENSION_push (certinfo->extensions, ex);

   /* Set the public key for the certificate */

   sslret = X509_REQ_set_pubkey (csr->x509_req, spkey->evp_pkey);

   CHECK_SSL (sslret, X509_REQ_set_pubkey (OU));

-- 

2.35.1