sscg/0004-Truncate-IP-address-in-SAN.patch

From 2e9889320c76368d31e6c9d579f239fe88002cf9 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Tue, 8 Mar 2022 16:34:09 -0500
Subject: [PATCH 4/4] Truncate IP address in SAN

In OpenSSL 1.1, this was done automatically when addind a SAN extension,
but in OpenSSL 3.0 it is rejected as an invalid input.

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
---
 src/x509.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/x509.c b/src/x509.c
index 23bb337..e828ec7 100644
--- a/src/x509.c
+++ b/src/x509.c
@@ -131,10 +131,11 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
   size_t i;
   X509_NAME *subject;
   char *alt_name = NULL;
   char *tmp = NULL;
   char *san = NULL;
+  char *slash = NULL;
   TALLOC_CTX *tmp_ctx;
   X509_EXTENSION *ex = NULL;
   struct sscg_x509_req *csr;
 
   /* Make sure we have a key available */
@@ -265,10 +266,16 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
                 tmp_ctx, "DNS:%s", certinfo->subject_alt_names[i]);
             }
           else
             {
               san = talloc_strdup (tmp_ctx, certinfo->subject_alt_names[i]);
+              /* SAN IP addresses cannot include the subnet mask */
+              if ((slash = strchr (san, '/')))
+                {
+                  /* Truncate at the slash */
+                  *slash = '\0';
+                }
             }
           CHECK_MEM (san);
 
           if (strnlen (san, MAXHOSTNAMELEN + 5) > MAXHOSTNAMELEN + 4)
             {
-- 
2.35.1
Truncate IP address in SAN Signed-off-by: Stephen Gallagher <sgallagh@redhat.com> 2022-03-09 19:42:46 +00:00			`From 2e9889320c76368d31e6c9d579f239fe88002cf9 Mon Sep 17 00:00:00 2001`
			`From: Stephen Gallagher <sgallagh@redhat.com>`
			`Date: Tue, 8 Mar 2022 16:34:09 -0500`
			`Subject: [PATCH 4/4] Truncate IP address in SAN`

			`In OpenSSL 1.1, this was done automatically when addind a SAN extension,`
			`but in OpenSSL 3.0 it is rejected as an invalid input.`

			`Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>`
			`---`
			`src/x509.c \| 7 +++++++`
			`1 file changed, 7 insertions(+)`

			`diff --git a/src/x509.c b/src/x509.c`
			`index 23bb337..e828ec7 100644`
			`--- a/src/x509.c`
			`+++ b/src/x509.c`
			`@@ -131,10 +131,11 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,`
			`size_t i;`
			`X509_NAME *subject;`
			`char *alt_name = NULL;`
			`char *tmp = NULL;`
			`char *san = NULL;`
			`+ char *slash = NULL;`
			`TALLOC_CTX *tmp_ctx;`
			`X509_EXTENSION *ex = NULL;`
			`struct sscg_x509_req *csr;`

			`/* Make sure we have a key available */`
			`@@ -265,10 +266,16 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,`
			`tmp_ctx, "DNS:%s", certinfo->subject_alt_names[i]);`
			`}`
			`else`
			`{`
			`san = talloc_strdup (tmp_ctx, certinfo->subject_alt_names[i]);`
			`+ /* SAN IP addresses cannot include the subnet mask */`
			`+ if ((slash = strchr (san, '/')))`
			`+ {`
			`+ /* Truncate at the slash */`
			`+ *slash = '\0';`
			`+ }`
			`}`
			`CHECK_MEM (san);`

			`if (strnlen (san, MAXHOSTNAMELEN + 5) > MAXHOSTNAMELEN + 4)`
			`{`
			`--`
			`2.35.1`