diff --git a/.gitignore b/.gitignore index 403cc12..d3a8c75 100644 --- a/.gitignore +++ b/.gitignore @@ -25,3 +25,4 @@ /sscg-3.0.0.tar.xz /sscg-3.0.1.tar.gz /sscg-3.0.2.tar.gz +/sscg-3.0.3.tar.gz diff --git a/0001-Protect-against-negative-bitshift.patch b/0001-Protect-against-negative-bitshift.patch deleted file mode 100644 index e64d0bc..0000000 --- a/0001-Protect-against-negative-bitshift.patch +++ /dev/null @@ -1,40 +0,0 @@ -From e1e473650b45aff0b6a1fc50f4bdd7752dc45c85 Mon Sep 17 00:00:00 2001 -From: Stephen Gallagher -Date: Tue, 1 Mar 2022 16:37:22 -0500 -Subject: [PATCH 1/4] Protect against negative bitshift - -Coverity scan identified that SSCG_FILE_TYPE_UNKNOWN could cause the -bitshifts further down to attempt to shift a negative number, which -results in undefined behavior. Though it should never occur that this -function is called with an invalid type, it's best to be overly -cautious and check for it. - -Signed-off-by: Stephen Gallagher ---- - src/io_utils.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/src/io_utils.c b/src/io_utils.c -index 1b8bc41..0e05ed9 100644 ---- a/src/io_utils.c -+++ b/src/io_utils.c -@@ -99,10 +99,16 @@ struct sscg_stream * - sscg_io_utils_get_stream_by_type (struct sscg_stream **streams, - enum sscg_file_type filetype) - { - struct sscg_stream *stream = NULL; - -+ if (filetype < 0 || filetype > SSCG_NUM_FILE_TYPES) -+ { -+ SSCG_LOG (SSCG_DEFAULT, "Unknown filetype for stream"); -+ return NULL; -+ } -+ - /* First see if this path already exists in the list */ - for (int i = 0; (stream = streams[i]) && i < SSCG_NUM_FILE_TYPES; i++) - { - SSCG_LOG (SSCG_DEBUG, - "Checking for 0x%.4x in 0x%.4x\n", --- -2.35.1 - diff --git a/0002-Fix-another-negative-bitshift-issue.patch b/0002-Fix-another-negative-bitshift-issue.patch deleted file mode 100644 index 93e2c7a..0000000 --- a/0002-Fix-another-negative-bitshift-issue.patch +++ /dev/null @@ -1,34 +0,0 @@ -From b9f757736f73db8c58bb9e422e018ab84eabd51f Mon Sep 17 00:00:00 2001 -From: Stephen Gallagher -Date: Tue, 1 Mar 2022 16:46:24 -0500 -Subject: [PATCH 2/4] Fix another negative bitshift issue - -Signed-off-by: Stephen Gallagher ---- - src/io_utils.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/src/io_utils.c b/src/io_utils.c -index 0e05ed9..158db07 100644 ---- a/src/io_utils.c -+++ b/src/io_utils.c -@@ -264,10 +264,16 @@ sscg_io_utils_add_output_key (struct sscg_stream **streams, - int ret, i; - TALLOC_CTX *tmp_ctx = NULL; - struct sscg_stream *stream = NULL; - char *normalized_path = NULL; - -+ if (filetype < 0 || filetype > SSCG_NUM_FILE_TYPES) -+ { -+ SSCG_ERROR ("Unknown filetype for stream"); -+ return EINVAL; -+ } -+ - /* If we haven't been passed a path, just return; it's probably an optional - * output file - */ - if (path == NULL) - { --- -2.35.1 - diff --git a/0003-Fix-incorrect-error-check.patch b/0003-Fix-incorrect-error-check.patch deleted file mode 100644 index d074f45..0000000 --- a/0003-Fix-incorrect-error-check.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 3483a978eb1c667760992b012ea7350313b5a15a Mon Sep 17 00:00:00 2001 -From: Stephen Gallagher -Date: Tue, 8 Mar 2022 16:33:35 -0500 -Subject: [PATCH 3/4] Fix incorrect error-check - -Signed-off-by: Stephen Gallagher ---- - src/x509.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/src/x509.c b/src/x509.c -index 7c7e4df..23bb337 100644 ---- a/src/x509.c -+++ b/src/x509.c -@@ -287,11 +287,17 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx, - alt_name = tmp; - } - } - - ex = X509V3_EXT_conf_nid (NULL, NULL, NID_subject_alt_name, alt_name); -- CHECK_MEM (ex); -+ if (!ex) -+ { -+ ret = EINVAL; -+ fprintf (stderr, "Invalid subjectAlternativeName: %s\n", alt_name); -+ goto done; -+ } -+ - sk_X509_EXTENSION_push (certinfo->extensions, ex); - - /* Set the public key for the certificate */ - sslret = X509_REQ_set_pubkey (csr->x509_req, spkey->evp_pkey); - CHECK_SSL (sslret, X509_REQ_set_pubkey (OU)); --- -2.35.1 - diff --git a/0004-Truncate-IP-address-in-SAN.patch b/0004-Truncate-IP-address-in-SAN.patch deleted file mode 100644 index 39343e8..0000000 --- a/0004-Truncate-IP-address-in-SAN.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 2e9889320c76368d31e6c9d579f239fe88002cf9 Mon Sep 17 00:00:00 2001 -From: Stephen Gallagher -Date: Tue, 8 Mar 2022 16:34:09 -0500 -Subject: [PATCH 4/4] Truncate IP address in SAN - -In OpenSSL 1.1, this was done automatically when addind a SAN extension, -but in OpenSSL 3.0 it is rejected as an invalid input. - -Signed-off-by: Stephen Gallagher ---- - src/x509.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/src/x509.c b/src/x509.c -index 23bb337..e828ec7 100644 ---- a/src/x509.c -+++ b/src/x509.c -@@ -131,10 +131,11 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx, - size_t i; - X509_NAME *subject; - char *alt_name = NULL; - char *tmp = NULL; - char *san = NULL; -+ char *slash = NULL; - TALLOC_CTX *tmp_ctx; - X509_EXTENSION *ex = NULL; - struct sscg_x509_req *csr; - - /* Make sure we have a key available */ -@@ -265,10 +266,16 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx, - tmp_ctx, "DNS:%s", certinfo->subject_alt_names[i]); - } - else - { - san = talloc_strdup (tmp_ctx, certinfo->subject_alt_names[i]); -+ /* SAN IP addresses cannot include the subnet mask */ -+ if ((slash = strchr (san, '/'))) -+ { -+ /* Truncate at the slash */ -+ *slash = '\0'; -+ } - } - CHECK_MEM (san); - - if (strnlen (san, MAXHOSTNAMELEN + 5) > MAXHOSTNAMELEN + 4) - { --- -2.35.1 - diff --git a/sources b/sources index 2bf99b1..261d5bb 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sscg-3.0.2.tar.gz) = c722bc0640d46ed5e8aa1c0b1b238419189501ca36bf37b057874eb91246d024209c19dd522903edddda660b8d4ee772d86362077195c0f1a59aabc1d6866c34 +SHA512 (sscg-3.0.3.tar.gz) = 5820a44deaabf67296bf218485a22a5b58fcf48c6c33e2617946d0edaded3554f1acb2fb170eb189cdf4f8a61bb29bcb0385dc54996f7d0acdc8f45048b8e081 diff --git a/sscg.spec b/sscg.spec index 5432d5a..0804810 100644 --- a/sscg.spec +++ b/sscg.spec @@ -9,7 +9,7 @@ %{!?meson_test: %global meson_test %{__meson} test -C %{_vpath_builddir} --num-processes %{_smp_build_ncpus} --print-errorlogs} Name: sscg -Version: 3.0.2 +Version: 3.0.3 Release: %autorelease Summary: Simple SSL certificate generator @@ -25,22 +25,6 @@ BuildRequires: meson BuildRequires: ninja-build BuildRequires: help2man -# Protect against negative bitshift -# Author: Stephen Gallagher -Patch1: 0001-Protect-against-negative-bitshift.patch - -# Fix another negative bitshift issue -# Author: Stephen Gallagher -Patch2: 0002-Fix-another-negative-bitshift-issue.patch - -# Fix incorrect error-check -# Author: Stephen Gallagher -Patch3: 0003-Fix-incorrect-error-check.patch - -# Truncate IP address in SAN -# Author: Stephen Gallagher -Patch4: 0004-Truncate-IP-address-in-SAN.patch - %description A utility to aid in the creation of more secure "self-signed"