Truncate IP address in SAN

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2022-03-09 14:42:46 -05:00 · 2022-03-09 14:42:46 -05:00 · 5111dabe2c
commit 5111dabe2c
parent 83dab1ae0f
6 changed files with 175 additions and 34 deletions
--- a/0001-Drop-usage-of-ERR_GET_FUNC.patch
+++ b/0001-Drop-usage-of-ERR_GET_FUNC.patch
@ -1,34 +0,0 @@
-From 60377ad4a6a6ef2012d502f118fedb425f4a11af Mon Sep 17 00:00:00 2001
-From: Stephen Gallagher <sgallagh@redhat.com>
-Date: Sat, 7 Aug 2021 11:48:04 -0400
-Subject: [PATCH] Drop usage of ERR_GET_FUNC()
-
-This macro was dropped in OpenSSL 3.0 and has actually not been
-providing a valid return code for some time.
-
-Related: rhbz#1964837
-
-Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
---
- include/sscg.h | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/include/sscg.h b/include/sscg.h
-index d4499227ea5bd23ac5cae27680438cfe0709fbc4..99788e6001791b658298626d464edcdc7e4ba2cc 100644
--- a/include/sscg.h
-+++ b/include/sscg.h
-@@ -94,11 +94,10 @@
-       if (_sslret != 1)                                                       \
-         {                                                                     \
-           /* Get information about error from OpenSSL */                      \
-           unsigned long _ssl_error = ERR_get_error ();                        \
-           if ((ERR_GET_LIB (_ssl_error) == ERR_LIB_UI) &&                     \
-              (ERR_GET_FUNC (_ssl_error) == UI_F_UI_SET_RESULT_EX) &&         \
-               ((ERR_GET_REASON (_ssl_error) == UI_R_RESULT_TOO_LARGE) ||      \
-                (ERR_GET_REASON (_ssl_error) == UI_R_RESULT_TOO_SMALL)))       \
-             {                                                                 \
-               fprintf (                                                       \
-                 stderr,                                                       \
-- 
-2.31.1
-
--- a/0001-Protect-against-negative-bitshift.patch
+++ b/0001-Protect-against-negative-bitshift.patch
@ -0,0 +1,40 @@
+From e1e473650b45aff0b6a1fc50f4bdd7752dc45c85 Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher <sgallagh@redhat.com>
+Date: Tue, 1 Mar 2022 16:37:22 -0500
+Subject: [PATCH 1/4] Protect against negative bitshift
+
+Coverity scan identified that SSCG_FILE_TYPE_UNKNOWN could cause the
+bitshifts further down to attempt to shift a negative number, which
+results in undefined behavior. Though it should never occur that this
+function is called with an invalid type, it's best to be overly
+cautious and check for it.
+
+Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
+---
+ src/io_utils.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/io_utils.c b/src/io_utils.c
+index 1b8bc41..0e05ed9 100644
+--- a/src/io_utils.c
+++ b/src/io_utils.c
+@@ -99,10 +99,16 @@ struct sscg_stream *
+ sscg_io_utils_get_stream_by_type (struct sscg_stream **streams,
+                                   enum sscg_file_type filetype)
+ {
+   struct sscg_stream *stream = NULL;
+ 
+  if (filetype < 0 || filetype > SSCG_NUM_FILE_TYPES)
+    {
+      SSCG_LOG (SSCG_DEFAULT, "Unknown filetype for stream");
+      return NULL;
+    }
+
+   /* First see if this path already exists in the list */
+   for (int i = 0; (stream = streams[i]) && i < SSCG_NUM_FILE_TYPES; i++)
+     {
+       SSCG_LOG (SSCG_DEBUG,
+                 "Checking for 0x%.4x in 0x%.4x\n",
+-- 
+2.35.1
+
--- a/0002-Fix-another-negative-bitshift-issue.patch
+++ b/0002-Fix-another-negative-bitshift-issue.patch
@ -0,0 +1,34 @@
+From b9f757736f73db8c58bb9e422e018ab84eabd51f Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher <sgallagh@redhat.com>
+Date: Tue, 1 Mar 2022 16:46:24 -0500
+Subject: [PATCH 2/4] Fix another negative bitshift issue
+
+Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
+---
+ src/io_utils.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/io_utils.c b/src/io_utils.c
+index 0e05ed9..158db07 100644
+--- a/src/io_utils.c
+++ b/src/io_utils.c
+@@ -264,10 +264,16 @@ sscg_io_utils_add_output_key (struct sscg_stream **streams,
+   int ret, i;
+   TALLOC_CTX *tmp_ctx = NULL;
+   struct sscg_stream *stream = NULL;
+   char *normalized_path = NULL;
+ 
+  if (filetype < 0 || filetype > SSCG_NUM_FILE_TYPES)
+    {
+      SSCG_ERROR ("Unknown filetype for stream");
+      return EINVAL;
+    }
+
+   /* If we haven't been passed a path, just return; it's probably an optional
+    * output file
+    */
+   if (path == NULL)
+     {
+-- 
+2.35.1
+
--- a/0003-Fix-incorrect-error-check.patch
+++ b/0003-Fix-incorrect-error-check.patch
@ -0,0 +1,36 @@
+From 3483a978eb1c667760992b012ea7350313b5a15a Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher <sgallagh@redhat.com>
+Date: Tue, 8 Mar 2022 16:33:35 -0500
+Subject: [PATCH 3/4] Fix incorrect error-check
+
+Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
+---
+ src/x509.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/x509.c b/src/x509.c
+index 7c7e4df..23bb337 100644
+--- a/src/x509.c
+++ b/src/x509.c
+@@ -287,11 +287,17 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
+           alt_name = tmp;
+         }
+     }
+ 
+   ex = X509V3_EXT_conf_nid (NULL, NULL, NID_subject_alt_name, alt_name);
+-  CHECK_MEM (ex);
+  if (!ex)
+    {
+      ret = EINVAL;
+      fprintf (stderr, "Invalid subjectAlternativeName: %s\n", alt_name);
+      goto done;
+    }
+
+   sk_X509_EXTENSION_push (certinfo->extensions, ex);
+ 
+   /* Set the public key for the certificate */
+   sslret = X509_REQ_set_pubkey (csr->x509_req, spkey->evp_pkey);
+   CHECK_SSL (sslret, X509_REQ_set_pubkey (OU));
+-- 
+2.35.1
+
--- a/0004-Truncate-IP-address-in-SAN.patch
+++ b/0004-Truncate-IP-address-in-SAN.patch
@ -0,0 +1,49 @@
+From 2e9889320c76368d31e6c9d579f239fe88002cf9 Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher <sgallagh@redhat.com>
+Date: Tue, 8 Mar 2022 16:34:09 -0500
+Subject: [PATCH 4/4] Truncate IP address in SAN
+
+In OpenSSL 1.1, this was done automatically when addind a SAN extension,
+but in OpenSSL 3.0 it is rejected as an invalid input.
+
+Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
+---
+ src/x509.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/x509.c b/src/x509.c
+index 23bb337..e828ec7 100644
+--- a/src/x509.c
+++ b/src/x509.c
+@@ -131,10 +131,11 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
+   size_t i;
+   X509_NAME *subject;
+   char *alt_name = NULL;
+   char *tmp = NULL;
+   char *san = NULL;
+  char *slash = NULL;
+   TALLOC_CTX *tmp_ctx;
+   X509_EXTENSION *ex = NULL;
+   struct sscg_x509_req *csr;
+ 
+   /* Make sure we have a key available */
+@@ -265,10 +266,16 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
+                 tmp_ctx, "DNS:%s", certinfo->subject_alt_names[i]);
+             }
+           else
+             {
+               san = talloc_strdup (tmp_ctx, certinfo->subject_alt_names[i]);
+              /* SAN IP addresses cannot include the subnet mask */
+              if ((slash = strchr (san, '/')))
+                {
+                  /* Truncate at the slash */
+                  *slash = '\0';
+                }
+             }
+           CHECK_MEM (san);
+ 
+           if (strnlen (san, MAXHOSTNAMELEN + 5) > MAXHOSTNAMELEN + 4)
+             {
+-- 
+2.35.1
+
--- a/sscg.spec
+++ b/sscg.spec
@ -25,6 +25,22 @@ BuildRequires:  meson
 BuildRequires:  ninja-build
 BuildRequires:  help2man

+# Protect against negative bitshift
+# Author: Stephen Gallagher <sgallagh@redhat.com>
+Patch1: 0001-Protect-against-negative-bitshift.patch
+
+# Fix another negative bitshift issue
+# Author: Stephen Gallagher <sgallagh@redhat.com>
+Patch2: 0002-Fix-another-negative-bitshift-issue.patch
+
+# Fix incorrect error-check
+# Author: Stephen Gallagher <sgallagh@redhat.com>
+Patch3: 0003-Fix-incorrect-error-check.patch
+
+# Truncate IP address in SAN
+# Author: Stephen Gallagher <sgallagh@redhat.com>
+Patch4: 0004-Truncate-IP-address-in-SAN.patch
+

 %description
 A utility to aid in the creation of more secure "self-signed"