Release 3.0.3

Multiple fixes for dhparams file generation. Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-01-16 09:15:52 -05:00 · 2023-01-16 09:15:52 -05:00 · 5da24d354e
commit 5da24d354e
parent f85686e675
7 changed files with 3 additions and 177 deletions
--- a/.gitignore
+++ b/.gitignore
@ -25,3 +25,4 @@
 /sscg-3.0.0.tar.xz
 /sscg-3.0.1.tar.gz
 /sscg-3.0.2.tar.gz
+/sscg-3.0.3.tar.gz
--- a/0001-Protect-against-negative-bitshift.patch
+++ b/0001-Protect-against-negative-bitshift.patch
@ -1,40 +0,0 @@
-From e1e473650b45aff0b6a1fc50f4bdd7752dc45c85 Mon Sep 17 00:00:00 2001
-From: Stephen Gallagher <sgallagh@redhat.com>
-Date: Tue, 1 Mar 2022 16:37:22 -0500
-Subject: [PATCH 1/4] Protect against negative bitshift
-
-Coverity scan identified that SSCG_FILE_TYPE_UNKNOWN could cause the
-bitshifts further down to attempt to shift a negative number, which
-results in undefined behavior. Though it should never occur that this
-function is called with an invalid type, it's best to be overly
-cautious and check for it.
-
-Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
---
- src/io_utils.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/src/io_utils.c b/src/io_utils.c
-index 1b8bc41..0e05ed9 100644
--- a/src/io_utils.c
-+++ b/src/io_utils.c
-@@ -99,10 +99,16 @@ struct sscg_stream *
- sscg_io_utils_get_stream_by_type (struct sscg_stream **streams,
-                                   enum sscg_file_type filetype)
- {
-   struct sscg_stream *stream = NULL;
- 
-+  if (filetype < 0 || filetype > SSCG_NUM_FILE_TYPES)
-+    {
-+      SSCG_LOG (SSCG_DEFAULT, "Unknown filetype for stream");
-+      return NULL;
-+    }
-+
-   /* First see if this path already exists in the list */
-   for (int i = 0; (stream = streams[i]) && i < SSCG_NUM_FILE_TYPES; i++)
-     {
-       SSCG_LOG (SSCG_DEBUG,
-                 "Checking for 0x%.4x in 0x%.4x\n",
-- 
-2.35.1
-
--- a/0002-Fix-another-negative-bitshift-issue.patch
+++ b/0002-Fix-another-negative-bitshift-issue.patch
@ -1,34 +0,0 @@
-From b9f757736f73db8c58bb9e422e018ab84eabd51f Mon Sep 17 00:00:00 2001
-From: Stephen Gallagher <sgallagh@redhat.com>
-Date: Tue, 1 Mar 2022 16:46:24 -0500
-Subject: [PATCH 2/4] Fix another negative bitshift issue
-
-Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
---
- src/io_utils.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/src/io_utils.c b/src/io_utils.c
-index 0e05ed9..158db07 100644
--- a/src/io_utils.c
-+++ b/src/io_utils.c
-@@ -264,10 +264,16 @@ sscg_io_utils_add_output_key (struct sscg_stream **streams,
-   int ret, i;
-   TALLOC_CTX *tmp_ctx = NULL;
-   struct sscg_stream *stream = NULL;
-   char *normalized_path = NULL;
- 
-+  if (filetype < 0 || filetype > SSCG_NUM_FILE_TYPES)
-+    {
-+      SSCG_ERROR ("Unknown filetype for stream");
-+      return EINVAL;
-+    }
-+
-   /* If we haven't been passed a path, just return; it's probably an optional
-    * output file
-    */
-   if (path == NULL)
-     {
-- 
-2.35.1
-
--- a/0003-Fix-incorrect-error-check.patch
+++ b/0003-Fix-incorrect-error-check.patch
@ -1,36 +0,0 @@
-From 3483a978eb1c667760992b012ea7350313b5a15a Mon Sep 17 00:00:00 2001
-From: Stephen Gallagher <sgallagh@redhat.com>
-Date: Tue, 8 Mar 2022 16:33:35 -0500
-Subject: [PATCH 3/4] Fix incorrect error-check
-
-Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
---
- src/x509.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/src/x509.c b/src/x509.c
-index 7c7e4df..23bb337 100644
--- a/src/x509.c
-+++ b/src/x509.c
-@@ -287,11 +287,17 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
-           alt_name = tmp;
-         }
-     }
- 
-   ex = X509V3_EXT_conf_nid (NULL, NULL, NID_subject_alt_name, alt_name);
-  CHECK_MEM (ex);
-+  if (!ex)
-+    {
-+      ret = EINVAL;
-+      fprintf (stderr, "Invalid subjectAlternativeName: %s\n", alt_name);
-+      goto done;
-+    }
-+
-   sk_X509_EXTENSION_push (certinfo->extensions, ex);
- 
-   /* Set the public key for the certificate */
-   sslret = X509_REQ_set_pubkey (csr->x509_req, spkey->evp_pkey);
-   CHECK_SSL (sslret, X509_REQ_set_pubkey (OU));
-- 
-2.35.1
-
--- a/0004-Truncate-IP-address-in-SAN.patch
+++ b/0004-Truncate-IP-address-in-SAN.patch
@ -1,49 +0,0 @@
-From 2e9889320c76368d31e6c9d579f239fe88002cf9 Mon Sep 17 00:00:00 2001
-From: Stephen Gallagher <sgallagh@redhat.com>
-Date: Tue, 8 Mar 2022 16:34:09 -0500
-Subject: [PATCH 4/4] Truncate IP address in SAN
-
-In OpenSSL 1.1, this was done automatically when addind a SAN extension,
-but in OpenSSL 3.0 it is rejected as an invalid input.
-
-Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
---
- src/x509.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/src/x509.c b/src/x509.c
-index 23bb337..e828ec7 100644
--- a/src/x509.c
-+++ b/src/x509.c
-@@ -131,10 +131,11 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
-   size_t i;
-   X509_NAME *subject;
-   char *alt_name = NULL;
-   char *tmp = NULL;
-   char *san = NULL;
-+  char *slash = NULL;
-   TALLOC_CTX *tmp_ctx;
-   X509_EXTENSION *ex = NULL;
-   struct sscg_x509_req *csr;
- 
-   /* Make sure we have a key available */
-@@ -265,10 +266,16 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
-                 tmp_ctx, "DNS:%s", certinfo->subject_alt_names[i]);
-             }
-           else
-             {
-               san = talloc_strdup (tmp_ctx, certinfo->subject_alt_names[i]);
-+              /* SAN IP addresses cannot include the subnet mask */
-+              if ((slash = strchr (san, '/')))
-+                {
-+                  /* Truncate at the slash */
-+                  *slash = '\0';
-+                }
-             }
-           CHECK_MEM (san);
- 
-           if (strnlen (san, MAXHOSTNAMELEN + 5) > MAXHOSTNAMELEN + 4)
-             {
-- 
-2.35.1
-
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (sscg-3.0.2.tar.gz) = c722bc0640d46ed5e8aa1c0b1b238419189501ca36bf37b057874eb91246d024209c19dd522903edddda660b8d4ee772d86362077195c0f1a59aabc1d6866c34
+SHA512 (sscg-3.0.3.tar.gz) = 5820a44deaabf67296bf218485a22a5b58fcf48c6c33e2617946d0edaded3554f1acb2fb170eb189cdf4f8a61bb29bcb0385dc54996f7d0acdc8f45048b8e081
--- a/sscg.spec
+++ b/sscg.spec
@ -9,7 +9,7 @@
 %{!?meson_test: %global meson_test %{__meson} test -C %{_vpath_builddir} --num-processes %{_smp_build_ncpus} --print-errorlogs}

 Name:           sscg
-Version:        3.0.2
+Version:        3.0.3
 Release:        %autorelease
 Summary:        Simple SSL certificate generator

@ -25,22 +25,6 @@ BuildRequires:  meson
 BuildRequires:  ninja-build
 BuildRequires:  help2man

-# Protect against negative bitshift
-# Author: Stephen Gallagher <sgallagh@redhat.com>
-Patch1: 0001-Protect-against-negative-bitshift.patch
-
-# Fix another negative bitshift issue
-# Author: Stephen Gallagher <sgallagh@redhat.com>
-Patch2: 0002-Fix-another-negative-bitshift-issue.patch
-
-# Fix incorrect error-check
-# Author: Stephen Gallagher <sgallagh@redhat.com>
-Patch3: 0003-Fix-incorrect-error-check.patch
-
-# Truncate IP address in SAN
-# Author: Stephen Gallagher <sgallagh@redhat.com>
-Patch4: 0004-Truncate-IP-address-in-SAN.patch
-

 %description
 A utility to aid in the creation of more secure "self-signed"