Merge branch 'rawhide' into f35

This commit is contained in:
Stephen Gallagher 2022-03-09 14:43:35 -05:00
commit 75ccf91fd0
No known key found for this signature in database
GPG Key ID: 45DB85A568286D11
8 changed files with 175 additions and 75 deletions

View File

@ -1,38 +0,0 @@
# See the documentation for more information:
# https://packit.dev/docs/configuration/
specfile_path: packaging/fedora/sscg.spec
sync_changelog: true
upstream_package_name: sscg
upstream_tag_template: sscg-{version}
archive_root_dir_template: "{upstream_pkg_name}-{upstream_pkg_name}-{version}"
downstream_package_name: sscg
notifications:
pull_request:
successful_build: true
jobs:
- job: copr_build
trigger: pull_request
metadata:
targets:
- fedora-all
- centos-stream-8
- epel-8
- job: tests
trigger: pull_request
metadata:
targets:
- fedora-all
- centos-stream-8
- epel-8
- job: propose_downstream
trigger: release
metadata:
dist_git_branches:
- fedora-all

View File

@ -1,34 +0,0 @@
From 60377ad4a6a6ef2012d502f118fedb425f4a11af Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Sat, 7 Aug 2021 11:48:04 -0400
Subject: [PATCH] Drop usage of ERR_GET_FUNC()
This macro was dropped in OpenSSL 3.0 and has actually not been
providing a valid return code for some time.
Related: rhbz#1964837
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
---
include/sscg.h | 1 -
1 file changed, 1 deletion(-)
diff --git a/include/sscg.h b/include/sscg.h
index d4499227ea5bd23ac5cae27680438cfe0709fbc4..99788e6001791b658298626d464edcdc7e4ba2cc 100644
--- a/include/sscg.h
+++ b/include/sscg.h
@@ -94,11 +94,10 @@
if (_sslret != 1) \
{ \
/* Get information about error from OpenSSL */ \
unsigned long _ssl_error = ERR_get_error (); \
if ((ERR_GET_LIB (_ssl_error) == ERR_LIB_UI) && \
- (ERR_GET_FUNC (_ssl_error) == UI_F_UI_SET_RESULT_EX) && \
((ERR_GET_REASON (_ssl_error) == UI_R_RESULT_TOO_LARGE) || \
(ERR_GET_REASON (_ssl_error) == UI_R_RESULT_TOO_SMALL))) \
{ \
fprintf ( \
stderr, \
--
2.31.1

View File

@ -0,0 +1,40 @@
From e1e473650b45aff0b6a1fc50f4bdd7752dc45c85 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Tue, 1 Mar 2022 16:37:22 -0500
Subject: [PATCH 1/4] Protect against negative bitshift
Coverity scan identified that SSCG_FILE_TYPE_UNKNOWN could cause the
bitshifts further down to attempt to shift a negative number, which
results in undefined behavior. Though it should never occur that this
function is called with an invalid type, it's best to be overly
cautious and check for it.
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
---
src/io_utils.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/io_utils.c b/src/io_utils.c
index 1b8bc41..0e05ed9 100644
--- a/src/io_utils.c
+++ b/src/io_utils.c
@@ -99,10 +99,16 @@ struct sscg_stream *
sscg_io_utils_get_stream_by_type (struct sscg_stream **streams,
enum sscg_file_type filetype)
{
struct sscg_stream *stream = NULL;
+ if (filetype < 0 || filetype > SSCG_NUM_FILE_TYPES)
+ {
+ SSCG_LOG (SSCG_DEFAULT, "Unknown filetype for stream");
+ return NULL;
+ }
+
/* First see if this path already exists in the list */
for (int i = 0; (stream = streams[i]) && i < SSCG_NUM_FILE_TYPES; i++)
{
SSCG_LOG (SSCG_DEBUG,
"Checking for 0x%.4x in 0x%.4x\n",
--
2.35.1

View File

@ -0,0 +1,34 @@
From b9f757736f73db8c58bb9e422e018ab84eabd51f Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Tue, 1 Mar 2022 16:46:24 -0500
Subject: [PATCH 2/4] Fix another negative bitshift issue
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
---
src/io_utils.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/io_utils.c b/src/io_utils.c
index 0e05ed9..158db07 100644
--- a/src/io_utils.c
+++ b/src/io_utils.c
@@ -264,10 +264,16 @@ sscg_io_utils_add_output_key (struct sscg_stream **streams,
int ret, i;
TALLOC_CTX *tmp_ctx = NULL;
struct sscg_stream *stream = NULL;
char *normalized_path = NULL;
+ if (filetype < 0 || filetype > SSCG_NUM_FILE_TYPES)
+ {
+ SSCG_ERROR ("Unknown filetype for stream");
+ return EINVAL;
+ }
+
/* If we haven't been passed a path, just return; it's probably an optional
* output file
*/
if (path == NULL)
{
--
2.35.1

View File

@ -0,0 +1,36 @@
From 3483a978eb1c667760992b012ea7350313b5a15a Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Tue, 8 Mar 2022 16:33:35 -0500
Subject: [PATCH 3/4] Fix incorrect error-check
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
---
src/x509.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/x509.c b/src/x509.c
index 7c7e4df..23bb337 100644
--- a/src/x509.c
+++ b/src/x509.c
@@ -287,11 +287,17 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
alt_name = tmp;
}
}
ex = X509V3_EXT_conf_nid (NULL, NULL, NID_subject_alt_name, alt_name);
- CHECK_MEM (ex);
+ if (!ex)
+ {
+ ret = EINVAL;
+ fprintf (stderr, "Invalid subjectAlternativeName: %s\n", alt_name);
+ goto done;
+ }
+
sk_X509_EXTENSION_push (certinfo->extensions, ex);
/* Set the public key for the certificate */
sslret = X509_REQ_set_pubkey (csr->x509_req, spkey->evp_pkey);
CHECK_SSL (sslret, X509_REQ_set_pubkey (OU));
--
2.35.1

View File

@ -0,0 +1,49 @@
From 2e9889320c76368d31e6c9d579f239fe88002cf9 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Tue, 8 Mar 2022 16:34:09 -0500
Subject: [PATCH 4/4] Truncate IP address in SAN
In OpenSSL 1.1, this was done automatically when addind a SAN extension,
but in OpenSSL 3.0 it is rejected as an invalid input.
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
---
src/x509.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/x509.c b/src/x509.c
index 23bb337..e828ec7 100644
--- a/src/x509.c
+++ b/src/x509.c
@@ -131,10 +131,11 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
size_t i;
X509_NAME *subject;
char *alt_name = NULL;
char *tmp = NULL;
char *san = NULL;
+ char *slash = NULL;
TALLOC_CTX *tmp_ctx;
X509_EXTENSION *ex = NULL;
struct sscg_x509_req *csr;
/* Make sure we have a key available */
@@ -265,10 +266,16 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
tmp_ctx, "DNS:%s", certinfo->subject_alt_names[i]);
}
else
{
san = talloc_strdup (tmp_ctx, certinfo->subject_alt_names[i]);
+ /* SAN IP addresses cannot include the subnet mask */
+ if ((slash = strchr (san, '/')))
+ {
+ /* Truncate at the slash */
+ *slash = '\0';
+ }
}
CHECK_MEM (san);
if (strnlen (san, MAXHOSTNAMELEN + 5) > MAXHOSTNAMELEN + 4)
{
--
2.35.1

View File

@ -1,3 +0,0 @@
This repository is maintained by packit.
https://packit.dev/
The file was generated using packit 0.46.0.

View File

@ -25,6 +25,22 @@ BuildRequires: meson
BuildRequires: ninja-build BuildRequires: ninja-build
BuildRequires: help2man BuildRequires: help2man
# Protect against negative bitshift
# Author: Stephen Gallagher <sgallagh@redhat.com>
Patch1: 0001-Protect-against-negative-bitshift.patch
# Fix another negative bitshift issue
# Author: Stephen Gallagher <sgallagh@redhat.com>
Patch2: 0002-Fix-another-negative-bitshift-issue.patch
# Fix incorrect error-check
# Author: Stephen Gallagher <sgallagh@redhat.com>
Patch3: 0003-Fix-incorrect-error-check.patch
# Truncate IP address in SAN
# Author: Stephen Gallagher <sgallagh@redhat.com>
Patch4: 0004-Truncate-IP-address-in-SAN.patch
%description %description
A utility to aid in the creation of more secure "self-signed" A utility to aid in the creation of more secure "self-signed"