import sscg-3.0.0-5.el9
This commit is contained in:
CentOS Sources
Stepan Oksanichenko
parent
e1b2521274
commit
e75e2d6647
|
|
@ -0,0 +1,68 @@
|
|||
From 0875cd6169e876c4296a307631d49b801fc686dc Mon Sep 17 00:00:00 2001
|
||||
From: Stephen Gallagher <sgallagh@redhat.com>
|
||||
Date: Tue, 8 Mar 2022 16:33:35 -0500
|
||||
Subject: [PATCH] Truncate IP address in SAN
|
||||
|
||||
In OpenSSL 1.1, this was done automatically when addind a SAN extension,
|
||||
but in OpenSSL 3.0 it is rejected as an invalid input.
|
||||
|
||||
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
||||
---
|
||||
src/x509.c | 15 ++++++++++++++-
|
||||
1 file changed, 14 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/x509.c b/src/x509.c
|
||||
index 7c7e4dfe56d5756862f3e0f851941e846ce96f31..e828ec725b23d7ea79393151e7bb436e2f61bdb8 100644
|
||||
--- a/src/x509.c
|
||||
+++ b/src/x509.c
|
||||
@@ -131,10 +131,11 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
|
||||
size_t i;
|
||||
X509_NAME *subject;
|
||||
char *alt_name = NULL;
|
||||
char *tmp = NULL;
|
||||
char *san = NULL;
|
||||
+ char *slash = NULL;
|
||||
TALLOC_CTX *tmp_ctx;
|
||||
X509_EXTENSION *ex = NULL;
|
||||
struct sscg_x509_req *csr;
|
||||
|
||||
/* Make sure we have a key available */
|
||||
@@ -265,10 +266,16 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
|
||||
tmp_ctx, "DNS:%s", certinfo->subject_alt_names[i]);
|
||||
}
|
||||
else
|
||||
{
|
||||
san = talloc_strdup (tmp_ctx, certinfo->subject_alt_names[i]);
|
||||
+ /* SAN IP addresses cannot include the subnet mask */
|
||||
+ if ((slash = strchr (san, '/')))
|
||||
+ {
|
||||
+ /* Truncate at the slash */
|
||||
+ *slash = '\0';
|
||||
+ }
|
||||
}
|
||||
CHECK_MEM (san);
|
||||
|
||||
if (strnlen (san, MAXHOSTNAMELEN + 5) > MAXHOSTNAMELEN + 4)
|
||||
{
|
||||
@@ -287,11 +294,17 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
|
||||
alt_name = tmp;
|
||||
}
|
||||
}
|
||||
|
||||
ex = X509V3_EXT_conf_nid (NULL, NULL, NID_subject_alt_name, alt_name);
|
||||
- CHECK_MEM (ex);
|
||||
+ if (!ex)
|
||||
+ {
|
||||
+ ret = EINVAL;
|
||||
+ fprintf (stderr, "Invalid subjectAlternativeName: %s\n", alt_name);
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
sk_X509_EXTENSION_push (certinfo->extensions, ex);
|
||||
|
||||
/* Set the public key for the certificate */
|
||||
sslret = X509_REQ_set_pubkey (csr->x509_req, spkey->evp_pkey);
|
||||
CHECK_SSL (sslret, X509_REQ_set_pubkey (OU));
|
||||
--
|
||||
2.35.1
|
||||
|
||||
|
|
@ -9,7 +9,7 @@
|
|||
|
||||
Name: sscg
|
||||
Version: 3.0.0
|
||||
Release: 4%{?dist}
|
||||
Release: 5%{?dist}
|
||||
Summary: Simple SSL certificate generator
|
||||
|
||||
License: GPLv3+ with exceptions
|
||||
|
|
@ -28,6 +28,7 @@ BuildRequires: help2man
|
|||
|
||||
Patch0001: 0001-Drop-usage-of-ERR_GET_FUNC.patch
|
||||
Patch0002: 0002-Correct-certificate-lifetime-calculation.patch
|
||||
Patch0003: 0003-Truncate-IP-address-in-SAN.patch
|
||||
|
||||
|
||||
%description
|
||||
|
|
@ -59,6 +60,10 @@ false signatures from the service certificate.
|
|||
%{_mandir}/man8/%{name}.8*
|
||||
|
||||
%changelog
|
||||
* Wed Mar 09 2022 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-5
|
||||
- Handle IP addresses in subjectAlternativeName correctly
|
||||
- Resolves: rhbz#2061923
|
||||
|
||||
* Fri Oct 29 2021 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-4
|
||||
- Correct certificate lifetime calculation
|
||||
- Resolves: rhbz#2017667
|
||||
|
|
|
|||
Loading…
Reference in New Issue