diff --git a/0001-Drop-usage-of-ERR_GET_FUNC.patch b/0001-Drop-usage-of-ERR_GET_FUNC.patch
deleted file mode 100644
index 97adf7c..0000000
--- a/0001-Drop-usage-of-ERR_GET_FUNC.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 60377ad4a6a6ef2012d502f118fedb425f4a11af Mon Sep 17 00:00:00 2001
-From: Stephen Gallagher
-Date: Sat, 7 Aug 2021 11:48:04 -0400
-Subject: [PATCH] Drop usage of ERR_GET_FUNC()
-
-This macro was dropped in OpenSSL 3.0 and has actually not been
-providing a valid return code for some time.
-
-Related: rhbz#1964837
-
-Signed-off-by: Stephen Gallagher
----
- include/sscg.h | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/include/sscg.h b/include/sscg.h
-index d4499227ea5bd23ac5cae27680438cfe0709fbc4..99788e6001791b658298626d464edcdc7e4ba2cc 100644
---- a/include/sscg.h
-+++ b/include/sscg.h
-@@ -94,11 +94,10 @@
- if (_sslret != 1) \
- { \
- /* Get information about error from OpenSSL */ \
- unsigned long _ssl_error = ERR_get_error (); \
- if ((ERR_GET_LIB (_ssl_error) == ERR_LIB_UI) && \
-- (ERR_GET_FUNC (_ssl_error) == UI_F_UI_SET_RESULT_EX) && \
- ((ERR_GET_REASON (_ssl_error) == UI_R_RESULT_TOO_LARGE) || \
- (ERR_GET_REASON (_ssl_error) == UI_R_RESULT_TOO_SMALL))) \
- { \
- fprintf ( \
- stderr, \
---
-2.31.1
-
diff --git a/0001-Protect-against-negative-bitshift.patch b/0001-Protect-against-negative-bitshift.patch
new file mode 100644
index 0000000..e64d0bc
--- /dev/null
+++ b/0001-Protect-against-negative-bitshift.patch
@@ -0,0 +1,40 @@
+From e1e473650b45aff0b6a1fc50f4bdd7752dc45c85 Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher
+Date: Tue, 1 Mar 2022 16:37:22 -0500
+Subject: [PATCH 1/4] Protect against negative bitshift
+
+Coverity scan identified that SSCG_FILE_TYPE_UNKNOWN could cause the
+bitshifts further down to attempt to shift a negative number, which
+results in undefined behavior. Though it should never occur that this
+function is called with an invalid type, it's best to be overly
+cautious and check for it.
+
+Signed-off-by: Stephen Gallagher
+---
+ src/io_utils.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/io_utils.c b/src/io_utils.c
+index 1b8bc41..0e05ed9 100644
+--- a/src/io_utils.c
++++ b/src/io_utils.c
+@@ -99,10 +99,16 @@ struct sscg_stream *
+ sscg_io_utils_get_stream_by_type (struct sscg_stream **streams,
+ enum sscg_file_type filetype)
+ {
+ struct sscg_stream *stream = NULL;
+
++ if (filetype < 0 || filetype > SSCG_NUM_FILE_TYPES)
++ {
++ SSCG_LOG (SSCG_DEFAULT, "Unknown filetype for stream");
++ return NULL;
++ }
++
+ /* First see if this path already exists in the list */
+ for (int i = 0; (stream = streams[i]) && i < SSCG_NUM_FILE_TYPES; i++)
+ {
+ SSCG_LOG (SSCG_DEBUG,
+ "Checking for 0x%.4x in 0x%.4x\n",
+--
+2.35.1
+
diff --git a/0002-Fix-another-negative-bitshift-issue.patch b/0002-Fix-another-negative-bitshift-issue.patch
new file mode 100644
index 0000000..93e2c7a
--- /dev/null
+++ b/0002-Fix-another-negative-bitshift-issue.patch
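Review bot: The upper bound of the new guard in sscg_io_utils_get_stream_by_type is off by one: `filetype > SSCG_NUM_FILE_TYPES` still accepts `filetype == SSCG_NUM_FILE_TYPES`, while the loop just below uses that constant as an exclusive limit (`i < SSCG_NUM_FILE_TYPES`), so it is presumably a count rather than a valid type. The check should read `if (filetype < 0 || filetype >= SSCG_NUM_FILE_TYPES)`; the identical comparison added to sscg_io_utils_add_output_key in 0002-Fix-another-negative-bitshift-issue.patch needs the same change. The new log string also lacks the trailing `\n` that the SSCG_LOG call further down in the hunk carries. The function body continues outside the hunk, so the shift being protected is not visible here.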
@@ -0,0 +1,34 @@
+From b9f757736f73db8c58bb9e422e018ab84eabd51f Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher
+Date: Tue, 1 Mar 2022 16:46:24 -0500
+Subject: [PATCH 2/4] Fix another negative bitshift issue
+
+Signed-off-by: Stephen Gallagher
+---
+ src/io_utils.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/io_utils.c b/src/io_utils.c
+index 0e05ed9..158db07 100644
+--- a/src/io_utils.c
++++ b/src/io_utils.c
+@@ -264,10 +264,16 @@ sscg_io_utils_add_output_key (struct sscg_stream **streams,
+ int ret, i;
+ TALLOC_CTX *tmp_ctx = NULL;
+ struct sscg_stream *stream = NULL;
+ char *normalized_path = NULL;
+
++ if (filetype < 0 || filetype > SSCG_NUM_FILE_TYPES)
++ {
++ SSCG_ERROR ("Unknown filetype for stream");
++ return EINVAL;
++ }
++
+ /* If we haven't been passed a path, just return; it's probably an optional
+ * output file
+ */
+ if (path == NULL)
+ {
+--
+2.35.1
+
diff --git a/0003-Fix-incorrect-error-check.patch b/0003-Fix-incorrect-error-check.patch
new file mode 100644
index 0000000..d074f45
--- /dev/null
+++ b/0003-Fix-incorrect-error-check.patch
@@ -0,0 +1,36 @@
+From 3483a978eb1c667760992b012ea7350313b5a15a Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher
+Date: Tue, 8 Mar 2022 16:33:35 -0500
+Subject: [PATCH 3/4] Fix incorrect error-check
+
+Signed-off-by: Stephen Gallagher
+---
+ src/x509.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/x509.c b/src/x509.c
+index 7c7e4df..23bb337 100644
+--- a/src/x509.c
++++ b/src/x509.c
+@@ -287,11 +287,17 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
+ alt_name = tmp;
+ }
+ }
+
+ ex = X509V3_EXT_conf_nid (NULL, NULL, NID_subject_alt_name, alt_name);
+- CHECK_MEM (ex);
++ if (!ex)
++ {
++ ret = EINVAL;
++ fprintf (stderr, "Invalid subjectAlternativeName: %s\n", alt_name);
++ goto done;
++ }
++
+ sk_X509_EXTENSION_push (certinfo->extensions, ex);
+
+ /* Set the public key for the certificate */
+ sslret = X509_REQ_set_pubkey (csr->x509_req, spkey->evp_pkey);
+ CHECK_SSL (sslret, X509_REQ_set_pubkey (OU));
+--
+2.35.1
+
diff --git a/0004-Truncate-IP-address-in-SAN.patch b/0004-Truncate-IP-address-in-SAN.patch
new file mode 100644
index 0000000..39343e8
--- /dev/null
+++ b/0004-Truncate-IP-address-in-SAN.patch
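Review bot: Every NULL return from `X509V3_EXT_conf_nid` is now reported as an invalid subjectAlternativeName, so an allocation failure inside OpenSSL looks the same as a malformed entry and the real reason stays unread in the OpenSSL error queue. Printing the queue before the jump, for example `ERR_print_errors_fp (stderr);` ahead of `goto done;`, would show which entry of the combined string was rejected and why. `alt_name` is also handed to `%s` unchecked; whether the code above the hunk can leave it NULL is not visible here and is worth confirming. The `done` label and the rest of sscg_x509v3_csr_new lie outside the hunk.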
@@ -0,0 +1,49 @@
+From 2e9889320c76368d31e6c9d579f239fe88002cf9 Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher
+Date: Tue, 8 Mar 2022 16:34:09 -0500
+Subject: [PATCH 4/4] Truncate IP address in SAN
+
+In OpenSSL 1.1, this was done automatically when addind a SAN extension,
+but in OpenSSL 3.0 it is rejected as an invalid input.
+
+Signed-off-by: Stephen Gallagher
+---
+ src/x509.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/x509.c b/src/x509.c
+index 23bb337..e828ec7 100644
+--- a/src/x509.c
++++ b/src/x509.c
+@@ -131,10 +131,11 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
+ size_t i;
+ X509_NAME *subject;
+ char *alt_name = NULL;
+ char *tmp = NULL;
+ char *san = NULL;
++ char *slash = NULL;
+ TALLOC_CTX *tmp_ctx;
+ X509_EXTENSION *ex = NULL;
+ struct sscg_x509_req *csr;
+
+ /* Make sure we have a key available */
+@@ -265,10 +266,16 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
+ tmp_ctx, "DNS:%s", certinfo->subject_alt_names[i]);
+ }
+ else
+ {
+ san = talloc_strdup (tmp_ctx, certinfo->subject_alt_names[i]);
++ /* SAN IP addresses cannot include the subnet mask */
++ if ((slash = strchr (san, '/')))
++ {
++ /* Truncate at the slash */
++ *slash = '\0';
++ }
+ }
+ CHECK_MEM (san);
+
+ if (strnlen (san, MAXHOSTNAMELEN + 5) > MAXHOSTNAMELEN + 4)
+ {
+--
+2.35.1
+
diff --git a/sscg.spec b/sscg.spec
index c2ba1ab..5432d5a 100644
--- a/sscg.spec
+++ b/sscg.spec
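Review bot: In the second hunk `strchr (san, '/')` runs before `CHECK_MEM (san)`, so a failed `talloc_strdup` is dereferenced as NULL instead of being caught by the check two lines later. Guard the call, e.g. `if (san && (slash = strchr (san, '/')))`, or move the truncation below `CHECK_MEM (san);`. The truncation also applies to every value that reaches this else branch; the branch condition is outside the hunk, but if entries other than `IP:` ones arrive here (a `URI:` value, say), cutting at the first slash would silently change the name that ends up in the certificate request. Restricting it with `strncmp (san, "IP:", 3) == 0` would keep the change to the case the commit message describes.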
@@ -25,6 +25,22 @@ BuildRequires: meson BuildRequires: ninja-build BuildRequires: help2man +# Protect against negative bitshift +# Author: Stephen Gallagher +Patch1: 0001-Protect-against-negative-bitshift.patch + +# Fix another negative bitshift issue +# Author: Stephen Gallagher +Patch2: 0002-Fix-another-negative-bitshift-issue.patch + +# Fix incorrect error-check +# Author: Stephen Gallagher +Patch3: 0003-Fix-incorrect-error-check.patch + +# Truncate IP address in SAN +# Author: Stephen Gallagher +Patch4: 0004-Truncate-IP-address-in-SAN.patch + %description A utility to aid in the creation of more secure "self-signed"