Merge branch 'rawhide' into f34
This commit is contained in:
commit
8514b1b69d
38
.packit.yaml
38
.packit.yaml
@ -1,38 +0,0 @@
|
|||||||
# See the documentation for more information:
|
|
||||||
# https://packit.dev/docs/configuration/
|
|
||||||
|
|
||||||
specfile_path: packaging/fedora/sscg.spec
|
|
||||||
|
|
||||||
sync_changelog: true
|
|
||||||
|
|
||||||
upstream_package_name: sscg
|
|
||||||
upstream_tag_template: sscg-{version}
|
|
||||||
archive_root_dir_template: "{upstream_pkg_name}-{upstream_pkg_name}-{version}"
|
|
||||||
|
|
||||||
downstream_package_name: sscg
|
|
||||||
|
|
||||||
notifications:
|
|
||||||
pull_request:
|
|
||||||
successful_build: true
|
|
||||||
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
- job: copr_build
|
|
||||||
trigger: pull_request
|
|
||||||
metadata:
|
|
||||||
targets:
|
|
||||||
- fedora-all
|
|
||||||
- centos-stream-8
|
|
||||||
- epel-8
|
|
||||||
- job: tests
|
|
||||||
trigger: pull_request
|
|
||||||
metadata:
|
|
||||||
targets:
|
|
||||||
- fedora-all
|
|
||||||
- centos-stream-8
|
|
||||||
- epel-8
|
|
||||||
- job: propose_downstream
|
|
||||||
trigger: release
|
|
||||||
metadata:
|
|
||||||
dist_git_branches:
|
|
||||||
- fedora-all
|
|
@ -1,34 +0,0 @@
|
|||||||
From 60377ad4a6a6ef2012d502f118fedb425f4a11af Mon Sep 17 00:00:00 2001
|
|
||||||
From: Stephen Gallagher <sgallagh@redhat.com>
|
|
||||||
Date: Sat, 7 Aug 2021 11:48:04 -0400
|
|
||||||
Subject: [PATCH] Drop usage of ERR_GET_FUNC()
|
|
||||||
|
|
||||||
This macro was dropped in OpenSSL 3.0 and has actually not been
|
|
||||||
providing a valid return code for some time.
|
|
||||||
|
|
||||||
Related: rhbz#1964837
|
|
||||||
|
|
||||||
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
||||||
---
|
|
||||||
include/sscg.h | 1 -
|
|
||||||
1 file changed, 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/include/sscg.h b/include/sscg.h
|
|
||||||
index d4499227ea5bd23ac5cae27680438cfe0709fbc4..99788e6001791b658298626d464edcdc7e4ba2cc 100644
|
|
||||||
--- a/include/sscg.h
|
|
||||||
+++ b/include/sscg.h
|
|
||||||
@@ -94,11 +94,10 @@
|
|
||||||
if (_sslret != 1) \
|
|
||||||
{ \
|
|
||||||
/* Get information about error from OpenSSL */ \
|
|
||||||
unsigned long _ssl_error = ERR_get_error (); \
|
|
||||||
if ((ERR_GET_LIB (_ssl_error) == ERR_LIB_UI) && \
|
|
||||||
- (ERR_GET_FUNC (_ssl_error) == UI_F_UI_SET_RESULT_EX) && \
|
|
||||||
((ERR_GET_REASON (_ssl_error) == UI_R_RESULT_TOO_LARGE) || \
|
|
||||||
(ERR_GET_REASON (_ssl_error) == UI_R_RESULT_TOO_SMALL))) \
|
|
||||||
{ \
|
|
||||||
fprintf ( \
|
|
||||||
stderr, \
|
|
||||||
--
|
|
||||||
2.31.1
|
|
||||||
|
|
40
0001-Protect-against-negative-bitshift.patch
Normal file
40
0001-Protect-against-negative-bitshift.patch
Normal file
@ -0,0 +1,40 @@
|
|||||||
|
From e1e473650b45aff0b6a1fc50f4bdd7752dc45c85 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Stephen Gallagher <sgallagh@redhat.com>
|
||||||
|
Date: Tue, 1 Mar 2022 16:37:22 -0500
|
||||||
|
Subject: [PATCH 1/4] Protect against negative bitshift
|
||||||
|
|
||||||
|
Coverity scan identified that SSCG_FILE_TYPE_UNKNOWN could cause the
|
||||||
|
bitshifts further down to attempt to shift a negative number, which
|
||||||
|
results in undefined behavior. Though it should never occur that this
|
||||||
|
function is called with an invalid type, it's best to be overly
|
||||||
|
cautious and check for it.
|
||||||
|
|
||||||
|
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
||||||
|
---
|
||||||
|
src/io_utils.c | 6 ++++++
|
||||||
|
1 file changed, 6 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/io_utils.c b/src/io_utils.c
|
||||||
|
index 1b8bc41..0e05ed9 100644
|
||||||
|
--- a/src/io_utils.c
|
||||||
|
+++ b/src/io_utils.c
|
||||||
|
@@ -99,10 +99,16 @@ struct sscg_stream *
|
||||||
|
sscg_io_utils_get_stream_by_type (struct sscg_stream **streams,
|
||||||
|
enum sscg_file_type filetype)
|
||||||
|
{
|
||||||
|
struct sscg_stream *stream = NULL;
|
||||||
|
|
||||||
|
+ if (filetype < 0 || filetype > SSCG_NUM_FILE_TYPES)
|
||||||
|
+ {
|
||||||
|
+ SSCG_LOG (SSCG_DEFAULT, "Unknown filetype for stream");
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/* First see if this path already exists in the list */
|
||||||
|
for (int i = 0; (stream = streams[i]) && i < SSCG_NUM_FILE_TYPES; i++)
|
||||||
|
{
|
||||||
|
SSCG_LOG (SSCG_DEBUG,
|
||||||
|
"Checking for 0x%.4x in 0x%.4x\n",
|
||||||
|
--
|
||||||
|
2.35.1
|
||||||
|
|
34
0002-Fix-another-negative-bitshift-issue.patch
Normal file
34
0002-Fix-another-negative-bitshift-issue.patch
Normal file
@ -0,0 +1,34 @@
|
|||||||
|
From b9f757736f73db8c58bb9e422e018ab84eabd51f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Stephen Gallagher <sgallagh@redhat.com>
|
||||||
|
Date: Tue, 1 Mar 2022 16:46:24 -0500
|
||||||
|
Subject: [PATCH 2/4] Fix another negative bitshift issue
|
||||||
|
|
||||||
|
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
||||||
|
---
|
||||||
|
src/io_utils.c | 6 ++++++
|
||||||
|
1 file changed, 6 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/io_utils.c b/src/io_utils.c
|
||||||
|
index 0e05ed9..158db07 100644
|
||||||
|
--- a/src/io_utils.c
|
||||||
|
+++ b/src/io_utils.c
|
||||||
|
@@ -264,10 +264,16 @@ sscg_io_utils_add_output_key (struct sscg_stream **streams,
|
||||||
|
int ret, i;
|
||||||
|
TALLOC_CTX *tmp_ctx = NULL;
|
||||||
|
struct sscg_stream *stream = NULL;
|
||||||
|
char *normalized_path = NULL;
|
||||||
|
|
||||||
|
+ if (filetype < 0 || filetype > SSCG_NUM_FILE_TYPES)
|
||||||
|
+ {
|
||||||
|
+ SSCG_ERROR ("Unknown filetype for stream");
|
||||||
|
+ return EINVAL;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/* If we haven't been passed a path, just return; it's probably an optional
|
||||||
|
* output file
|
||||||
|
*/
|
||||||
|
if (path == NULL)
|
||||||
|
{
|
||||||
|
--
|
||||||
|
2.35.1
|
||||||
|
|
36
0003-Fix-incorrect-error-check.patch
Normal file
36
0003-Fix-incorrect-error-check.patch
Normal file
@ -0,0 +1,36 @@
|
|||||||
|
From 3483a978eb1c667760992b012ea7350313b5a15a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Stephen Gallagher <sgallagh@redhat.com>
|
||||||
|
Date: Tue, 8 Mar 2022 16:33:35 -0500
|
||||||
|
Subject: [PATCH 3/4] Fix incorrect error-check
|
||||||
|
|
||||||
|
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
||||||
|
---
|
||||||
|
src/x509.c | 8 +++++++-
|
||||||
|
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/x509.c b/src/x509.c
|
||||||
|
index 7c7e4df..23bb337 100644
|
||||||
|
--- a/src/x509.c
|
||||||
|
+++ b/src/x509.c
|
||||||
|
@@ -287,11 +287,17 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
|
||||||
|
alt_name = tmp;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
ex = X509V3_EXT_conf_nid (NULL, NULL, NID_subject_alt_name, alt_name);
|
||||||
|
- CHECK_MEM (ex);
|
||||||
|
+ if (!ex)
|
||||||
|
+ {
|
||||||
|
+ ret = EINVAL;
|
||||||
|
+ fprintf (stderr, "Invalid subjectAlternativeName: %s\n", alt_name);
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
sk_X509_EXTENSION_push (certinfo->extensions, ex);
|
||||||
|
|
||||||
|
/* Set the public key for the certificate */
|
||||||
|
sslret = X509_REQ_set_pubkey (csr->x509_req, spkey->evp_pkey);
|
||||||
|
CHECK_SSL (sslret, X509_REQ_set_pubkey (OU));
|
||||||
|
--
|
||||||
|
2.35.1
|
||||||
|
|
49
0004-Truncate-IP-address-in-SAN.patch
Normal file
49
0004-Truncate-IP-address-in-SAN.patch
Normal file
@ -0,0 +1,49 @@
|
|||||||
|
From 2e9889320c76368d31e6c9d579f239fe88002cf9 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Stephen Gallagher <sgallagh@redhat.com>
|
||||||
|
Date: Tue, 8 Mar 2022 16:34:09 -0500
|
||||||
|
Subject: [PATCH 4/4] Truncate IP address in SAN
|
||||||
|
|
||||||
|
In OpenSSL 1.1, this was done automatically when addind a SAN extension,
|
||||||
|
but in OpenSSL 3.0 it is rejected as an invalid input.
|
||||||
|
|
||||||
|
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
||||||
|
---
|
||||||
|
src/x509.c | 7 +++++++
|
||||||
|
1 file changed, 7 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/x509.c b/src/x509.c
|
||||||
|
index 23bb337..e828ec7 100644
|
||||||
|
--- a/src/x509.c
|
||||||
|
+++ b/src/x509.c
|
||||||
|
@@ -131,10 +131,11 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
|
||||||
|
size_t i;
|
||||||
|
X509_NAME *subject;
|
||||||
|
char *alt_name = NULL;
|
||||||
|
char *tmp = NULL;
|
||||||
|
char *san = NULL;
|
||||||
|
+ char *slash = NULL;
|
||||||
|
TALLOC_CTX *tmp_ctx;
|
||||||
|
X509_EXTENSION *ex = NULL;
|
||||||
|
struct sscg_x509_req *csr;
|
||||||
|
|
||||||
|
/* Make sure we have a key available */
|
||||||
|
@@ -265,10 +266,16 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
|
||||||
|
tmp_ctx, "DNS:%s", certinfo->subject_alt_names[i]);
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
san = talloc_strdup (tmp_ctx, certinfo->subject_alt_names[i]);
|
||||||
|
+ /* SAN IP addresses cannot include the subnet mask */
|
||||||
|
+ if ((slash = strchr (san, '/')))
|
||||||
|
+ {
|
||||||
|
+ /* Truncate at the slash */
|
||||||
|
+ *slash = '\0';
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
CHECK_MEM (san);
|
||||||
|
|
||||||
|
if (strnlen (san, MAXHOSTNAMELEN + 5) > MAXHOSTNAMELEN + 4)
|
||||||
|
{
|
||||||
|
--
|
||||||
|
2.35.1
|
||||||
|
|
@ -1,3 +0,0 @@
|
|||||||
This repository is maintained by packit.
|
|
||||||
https://packit.dev/
|
|
||||||
The file was generated using packit 0.46.0.
|
|
16
sscg.spec
16
sscg.spec
@ -25,6 +25,22 @@ BuildRequires: meson
|
|||||||
BuildRequires: ninja-build
|
BuildRequires: ninja-build
|
||||||
BuildRequires: help2man
|
BuildRequires: help2man
|
||||||
|
|
||||||
|
# Protect against negative bitshift
|
||||||
|
# Author: Stephen Gallagher <sgallagh@redhat.com>
|
||||||
|
Patch1: 0001-Protect-against-negative-bitshift.patch
|
||||||
|
|
||||||
|
# Fix another negative bitshift issue
|
||||||
|
# Author: Stephen Gallagher <sgallagh@redhat.com>
|
||||||
|
Patch2: 0002-Fix-another-negative-bitshift-issue.patch
|
||||||
|
|
||||||
|
# Fix incorrect error-check
|
||||||
|
# Author: Stephen Gallagher <sgallagh@redhat.com>
|
||||||
|
Patch3: 0003-Fix-incorrect-error-check.patch
|
||||||
|
|
||||||
|
# Truncate IP address in SAN
|
||||||
|
# Author: Stephen Gallagher <sgallagh@redhat.com>
|
||||||
|
Patch4: 0004-Truncate-IP-address-in-SAN.patch
|
||||||
|
|
||||||
|
|
||||||
%description
|
%description
|
||||||
A utility to aid in the creation of more secure "self-signed"
|
A utility to aid in the creation of more secure "self-signed"
|
||||||
|
Loading…
Reference in New Issue
Block a user