Truncate IP address in SAN

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2022-03-09 14:42:46 -05:00 · 2022-03-09 14:42:46 -05:00 · 5111dabe2c
commit 5111dabe2c
parent 83dab1ae0f
6 changed files with 175 additions and 34 deletions
--- a/0001-Drop-usage-of-ERR_GET_FUNC.patch
+++ b/0001-Drop-usage-of-ERR_GET_FUNC.patch
@ -1,34 +0,0 @@
 From 60377ad4a6a6ef2012d502f118fedb425f4a11af Mon Sep 17 00:00:00 2001
 From: Stephen Gallagher <sgallagh@redhat.com>
 Date: Sat, 7 Aug 2021 11:48:04 -0400
 Subject: [PATCH] Drop usage of ERR_GET_FUNC()
 This macro was dropped in OpenSSL 3.0 and has actually not been
 providing a valid return code for some time.
 Related: rhbz#1964837
 Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
 ---
 include/sscg.h | 1 -
 1 file changed, 1 deletion(-)
 diff --git a/include/sscg.h b/include/sscg.h
 index d4499227ea5bd23ac5cae27680438cfe0709fbc4..99788e6001791b658298626d464edcdc7e4ba2cc 100644
 --- a/include/sscg.h
 +++ b/include/sscg.h
@@ -94,11 +94,10 @@
       if (_sslret != 1)                                                       \
         {                                                                     \
           /* Get information about error from OpenSSL */                      \
           unsigned long _ssl_error = ERR_get_error ();                        \
           if ((ERR_GET_LIB (_ssl_error) == ERR_LIB_UI) &&                     \
 -              (ERR_GET_FUNC (_ssl_error) == UI_F_UI_SET_RESULT_EX) &&         \
               ((ERR_GET_REASON (_ssl_error) == UI_R_RESULT_TOO_LARGE) ||      \
                (ERR_GET_REASON (_ssl_error) == UI_R_RESULT_TOO_SMALL)))       \
             {                                                                 \
               fprintf (                                                       \
                 stderr,                                                       \
 -- 
 2.31.1
--- a/0001-Protect-against-negative-bitshift.patch
+++ b/0001-Protect-against-negative-bitshift.patch
@ -0,0 +1,40 @@
 From e1e473650b45aff0b6a1fc50f4bdd7752dc45c85 Mon Sep 17 00:00:00 2001
 From: Stephen Gallagher <sgallagh@redhat.com>
 Date: Tue, 1 Mar 2022 16:37:22 -0500
 Subject: [PATCH 1/4] Protect against negative bitshift
 Coverity scan identified that SSCG_FILE_TYPE_UNKNOWN could cause the
 bitshifts further down to attempt to shift a negative number, which
 results in undefined behavior. Though it should never occur that this
 function is called with an invalid type, it's best to be overly
 cautious and check for it.
 Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
 ---
 src/io_utils.c | 6 ++++++
 1 file changed, 6 insertions(+)
 diff --git a/src/io_utils.c b/src/io_utils.c
 index 1b8bc41..0e05ed9 100644
 --- a/src/io_utils.c
 +++ b/src/io_utils.c
@@ -99,10 +99,16 @@ struct sscg_stream *
 sscg_io_utils_get_stream_by_type (struct sscg_stream **streams,
                                   enum sscg_file_type filetype)
 {
   struct sscg_stream *stream = NULL;
 +  if (filetype < 0 || filetype > SSCG_NUM_FILE_TYPES)
 +    {
 +      SSCG_LOG (SSCG_DEFAULT, "Unknown filetype for stream");
 +      return NULL;
 +    }
 +
   /* First see if this path already exists in the list */
   for (int i = 0; (stream = streams[i]) && i < SSCG_NUM_FILE_TYPES; i++)
     {
       SSCG_LOG (SSCG_DEBUG,
                 "Checking for 0x%.4x in 0x%.4x\n",
 -- 
 2.35.1
--- a/0002-Fix-another-negative-bitshift-issue.patch
+++ b/0002-Fix-another-negative-bitshift-issue.patch
@ -0,0 +1,34 @@
 From b9f757736f73db8c58bb9e422e018ab84eabd51f Mon Sep 17 00:00:00 2001
 From: Stephen Gallagher <sgallagh@redhat.com>
 Date: Tue, 1 Mar 2022 16:46:24 -0500
 Subject: [PATCH 2/4] Fix another negative bitshift issue
 Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
 ---
 src/io_utils.c | 6 ++++++
 1 file changed, 6 insertions(+)
 diff --git a/src/io_utils.c b/src/io_utils.c
 index 0e05ed9..158db07 100644
 --- a/src/io_utils.c
 +++ b/src/io_utils.c
@@ -264,10 +264,16 @@ sscg_io_utils_add_output_key (struct sscg_stream **streams,
   int ret, i;
   TALLOC_CTX *tmp_ctx = NULL;
   struct sscg_stream *stream = NULL;
   char *normalized_path = NULL;
 +  if (filetype < 0 || filetype > SSCG_NUM_FILE_TYPES)
 +    {
 +      SSCG_ERROR ("Unknown filetype for stream");
 +      return EINVAL;
 +    }
 +
   /* If we haven't been passed a path, just return; it's probably an optional
    * output file
    */
   if (path == NULL)
     {
 -- 
 2.35.1
--- a/0003-Fix-incorrect-error-check.patch
+++ b/0003-Fix-incorrect-error-check.patch
@ -0,0 +1,36 @@
 From 3483a978eb1c667760992b012ea7350313b5a15a Mon Sep 17 00:00:00 2001
 From: Stephen Gallagher <sgallagh@redhat.com>
 Date: Tue, 8 Mar 2022 16:33:35 -0500
 Subject: [PATCH 3/4] Fix incorrect error-check
 Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
 ---
 src/x509.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
 diff --git a/src/x509.c b/src/x509.c
 index 7c7e4df..23bb337 100644
 --- a/src/x509.c
 +++ b/src/x509.c
@@ -287,11 +287,17 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
           alt_name = tmp;
         }
     }
   ex = X509V3_EXT_conf_nid (NULL, NULL, NID_subject_alt_name, alt_name);
 -  CHECK_MEM (ex);
 +  if (!ex)
 +    {
 +      ret = EINVAL;
 +      fprintf (stderr, "Invalid subjectAlternativeName: %s\n", alt_name);
 +      goto done;
 +    }
 +
   sk_X509_EXTENSION_push (certinfo->extensions, ex);
   /* Set the public key for the certificate */
   sslret = X509_REQ_set_pubkey (csr->x509_req, spkey->evp_pkey);
   CHECK_SSL (sslret, X509_REQ_set_pubkey (OU));
 -- 
 2.35.1
--- a/0004-Truncate-IP-address-in-SAN.patch
+++ b/0004-Truncate-IP-address-in-SAN.patch
@ -0,0 +1,49 @@
 From 2e9889320c76368d31e6c9d579f239fe88002cf9 Mon Sep 17 00:00:00 2001
 From: Stephen Gallagher <sgallagh@redhat.com>
 Date: Tue, 8 Mar 2022 16:34:09 -0500
 Subject: [PATCH 4/4] Truncate IP address in SAN
 In OpenSSL 1.1, this was done automatically when addind a SAN extension,
 but in OpenSSL 3.0 it is rejected as an invalid input.
 Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
 ---
 src/x509.c | 7 +++++++
 1 file changed, 7 insertions(+)
 diff --git a/src/x509.c b/src/x509.c
 index 23bb337..e828ec7 100644
 --- a/src/x509.c
 +++ b/src/x509.c
@@ -131,10 +131,11 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
   size_t i;
   X509_NAME *subject;
   char *alt_name = NULL;
   char *tmp = NULL;
   char *san = NULL;
 +  char *slash = NULL;
   TALLOC_CTX *tmp_ctx;
   X509_EXTENSION *ex = NULL;
   struct sscg_x509_req *csr;
   /* Make sure we have a key available */
@@ -265,10 +266,16 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
                 tmp_ctx, "DNS:%s", certinfo->subject_alt_names[i]);
             }
           else
             {
               san = talloc_strdup (tmp_ctx, certinfo->subject_alt_names[i]);
 +              /* SAN IP addresses cannot include the subnet mask */
 +              if ((slash = strchr (san, '/')))
 +                {
 +                  /* Truncate at the slash */
 +                  *slash = '\0';
 +                }
             }
           CHECK_MEM (san);
           if (strnlen (san, MAXHOSTNAMELEN + 5) > MAXHOSTNAMELEN + 4)
             {
 -- 
 2.35.1
--- a/sscg.spec
+++ b/sscg.spec
@ -25,6 +25,22 @@ BuildRequires:  meson
 BuildRequires:  ninja-build
 BuildRequires:  help2man
 # Protect against negative bitshift
 # Author: Stephen Gallagher <sgallagh@redhat.com>
 Patch1: 0001-Protect-against-negative-bitshift.patch
 # Fix another negative bitshift issue
 # Author: Stephen Gallagher <sgallagh@redhat.com>
 Patch2: 0002-Fix-another-negative-bitshift-issue.patch
 # Fix incorrect error-check
 # Author: Stephen Gallagher <sgallagh@redhat.com>
 Patch3: 0003-Fix-incorrect-error-check.patch
 # Truncate IP address in SAN
 # Author: Stephen Gallagher <sgallagh@redhat.com>
 Patch4: 0004-Truncate-IP-address-in-SAN.patch
 %description
 A utility to aid in the creation of more secure "self-signed"