From f20c1143a3249580e9385404bf2ea7679b5e36db Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Tue, 18 Jul 2023 20:25:15 -0400
Subject: [PATCH] Extend maximum DNS name to 256

From-source-git-commit: 00fb4ba6ae29ed94b88675fa752f1c3e5c6fa85f
---
 0001-Extend-maximum-DNS-name-to-255.patch | 205 ++++++++++++++++++++++
 sscg.spec                                 |   3 +
 2 files changed, 208 insertions(+)
 create mode 100644 0001-Extend-maximum-DNS-name-to-255.patch

diff --git a/0001-Extend-maximum-DNS-name-to-255.patch b/0001-Extend-maximum-DNS-name-to-255.patch
new file mode 100644
index 0000000..de809fa
--- /dev/null
+++ b/0001-Extend-maximum-DNS-name-to-255.patch
@@ -0,0 +1,205 @@
+From 00fb4ba6ae29ed94b88675fa752f1c3e5c6fa85f Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher <sgallagh@redhat.com>
+Date: Wed, 15 Feb 2023 15:49:38 -0500
+Subject: [PATCH] Extend maximum DNS name to 255
+
+The hostname part is still restricted to 63 characters
+
+See RFC 1035, section 2.3.4
+
+Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
+---
+ include/sscg.h  |  3 +++
+ src/arguments.c | 35 +++++++++++++++++++++++++++--------
+ src/authority.c | 26 +++++++++++++++++++++++---
+ src/cert.c      |  5 +++++
+ src/x509.c      |  6 +++---
+ 5 files changed, 61 insertions(+), 14 deletions(-)
+
+diff --git a/include/sscg.h b/include/sscg.h
+index 0f35631..f0c6d93 100644
+--- a/include/sscg.h
++++ b/include/sscg.h
+@@ -313,6 +313,9 @@ enum sscg_cert_type
+ #define SSCG_MIN_KEY_PASS_LEN 4
+ #define SSCG_MAX_KEY_PASS_LEN 1023
+ 
++/* RFC 1035, section 2.3.4 (Size Limits) */
++#define MAX_HOST_LEN 63
++#define MAX_FQDN_LEN 255
+ 
+ int
+ sscg_handle_arguments (TALLOC_CTX *mem_ctx,
+diff --git a/src/arguments.c b/src/arguments.c
+index 0b7a060..2f412be 100644
+--- a/src/arguments.c
++++ b/src/arguments.c
+@@ -786,10 +786,19 @@ sscg_handle_arguments (TALLOC_CTX *mem_ctx,
+     }
+   CHECK_MEM (options->hostname);
+ 
+-  if (strnlen (options->hostname, MAXHOSTNAMELEN + 1) > MAXHOSTNAMELEN)
++  if (strnlen (options->hostname, MAX_FQDN_LEN + 1) > MAX_FQDN_LEN)
+     {
+-      fprintf (
+-        stderr, "Hostnames may not exceed %d characters\n", MAXHOSTNAMELEN);
++      fprintf (stderr, "FQDNs may not exceed %d characters\n", MAX_FQDN_LEN);
++      ret = EINVAL;
++      goto done;
++    }
++
++  if ((strchr (options->hostname, '.') - options->hostname) > MAX_HOST_LEN + 4)
++    {
++      fprintf (stderr,
++               "Hostnames may not exceed %d characters in Subject "
++               "Alternative Names\n",
++               MAX_HOST_LEN);
+       ret = EINVAL;
+       goto done;
+     }
+@@ -798,25 +807,35 @@ sscg_handle_arguments (TALLOC_CTX *mem_ctx,
+        options struct. It's not the most efficient approach, but
+        it's only done one time, so there is no sense in optimizing
+        it. */
++  size_t i = 0;
+   if (alternative_names)
+     {
+-      size_t i = 0;
+       while (alternative_names[i] != NULL)
+         {
+           options->subject_alt_names = talloc_realloc (
+-            options, options->subject_alt_names, char *, i + 2);
++            options, options->subject_alt_names, char *, i + 1);
+           CHECK_MEM (options->subject_alt_names);
+ 
+           options->subject_alt_names[i] =
+             talloc_strdup (options->subject_alt_names, alternative_names[i]);
+           CHECK_MEM (options->subject_alt_names[i]);
+-
+-          /* Add a NULL terminator to the end */
+-          options->subject_alt_names[i + 1] = NULL;
+           i++;
+         }
+     }
+ 
++  /*
++    The hostname must always be listed in SubjectAlternativeNames as well.
++    Note that the realloc also adds an extra entry for the NULL terminator
++  */
++  options->subject_alt_names =
++    talloc_realloc (options, options->subject_alt_names, char *, i + 2);
++  CHECK_MEM (options->subject_alt_names);
++  options->subject_alt_names[i] =
++    talloc_strdup (options->subject_alt_names, options->hostname);
++  CHECK_MEM (options->subject_alt_names[i]);
++  /* Add a NULL terminator to the end */
++  options->subject_alt_names[i + 1] = NULL;
++
+   if (options->key_strength < options->minimum_key_strength)
+     {
+       fprintf (stderr,
+diff --git a/src/authority.c b/src/authority.c
+index 4efaa9e..f509fd4 100644
+--- a/src/authority.c
++++ b/src/authority.c
+@@ -56,6 +56,7 @@ create_private_CA (TALLOC_CTX *mem_ctx,
+   char *name_constraint;
+   char *san;
+   char *tmp;
++  char *dot;
+ 
+   tmp_ctx = talloc_new (NULL);
+   CHECK_MEM (tmp_ctx);
+@@ -89,6 +90,26 @@ create_private_CA (TALLOC_CTX *mem_ctx,
+ 
+   ca_certinfo->cn = talloc_strdup (ca_certinfo, options->hostname);
+   CHECK_MEM (ca_certinfo->cn);
++  /* Truncate the CN at the first dot */
++  if ((dot = strchr (ca_certinfo->cn, '.')))
++    *dot = '\0';
++
++  if (options->subject_alt_names)
++    {
++      for (i = 0; options->subject_alt_names[i]; i++)
++        {
++          ca_certinfo->subject_alt_names = talloc_realloc (
++            ca_certinfo, ca_certinfo->subject_alt_names, char *, i + 2);
++          CHECK_MEM (ca_certinfo->subject_alt_names);
++
++          ca_certinfo->subject_alt_names[i] = talloc_strdup (
++            ca_certinfo->subject_alt_names, options->subject_alt_names[i]);
++          CHECK_MEM (ca_certinfo->subject_alt_names[i]);
++
++          /* Add a NULL terminator to the end */
++          ca_certinfo->subject_alt_names[i + 1] = NULL;
++        }
++    }
+ 
+   /* Make this a CA certificate */
+ 
+@@ -106,10 +127,9 @@ create_private_CA (TALLOC_CTX *mem_ctx,
+   CHECK_MEM (ex);
+   sk_X509_EXTENSION_push (ca_certinfo->extensions, ex);
+ 
+-  /* Restrict signing to the hostname and subjectAltNames of the
+-       service certificate */
++  /* Restrict signing to the CN and subjectAltNames of the service certificate */
+   name_constraint =
+-    talloc_asprintf (tmp_ctx, "permitted;DNS:%s", options->hostname);
++    talloc_asprintf (tmp_ctx, "permitted;DNS:%s", ca_certinfo->cn);
+   CHECK_MEM (name_constraint);
+ 
+   if (options->subject_alt_names)
+diff --git a/src/cert.c b/src/cert.c
+index 99d9109..e36de71 100644
+--- a/src/cert.c
++++ b/src/cert.c
+@@ -31,6 +31,7 @@
+ */
+ 
+ 
++#include <string.h>
+ #include "include/sscg.h"
+ #include "include/cert.h"
+ #include "include/x509.h"
+@@ -52,6 +53,7 @@ create_cert (TALLOC_CTX *mem_ctx,
+   struct sscg_x509_req *csr;
+   struct sscg_evp_pkey *pkey;
+   struct sscg_x509_cert *cert;
++  char *dot;
+   X509_EXTENSION *ex = NULL;
+   EXTENDED_KEY_USAGE *extended;
+   TALLOC_CTX *tmp_ctx = NULL;
+@@ -87,6 +89,9 @@ create_cert (TALLOC_CTX *mem_ctx,
+ 
+   certinfo->cn = talloc_strdup (certinfo, options->hostname);
+   CHECK_MEM (certinfo->cn);
++  /* Truncate the CN at the first dot */
++  if ((dot = strchr (certinfo->cn, '.')))
++    *dot = '\0';
+ 
+   if (options->subject_alt_names)
+     {
+diff --git a/src/x509.c b/src/x509.c
+index 4f3f11c..9f6f21b 100644
+--- a/src/x509.c
++++ b/src/x509.c
+@@ -290,12 +290,12 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
+             }
+           CHECK_MEM (san);
+ 
+-          if (strnlen (san, MAXHOSTNAMELEN + 5) > MAXHOSTNAMELEN + 4)
++          if (strnlen (san, MAX_FQDN_LEN + 5) > MAX_FQDN_LEN + 4)
+             {
+               fprintf (stderr,
+-                       "Hostnames may not exceed %d characters in Subject "
++                       "FQDNs may not exceed %d characters in Subject "
+                        "Alternative Names\n",
+-                       MAXHOSTNAMELEN);
++                       MAX_FQDN_LEN);
+               ret = EINVAL;
+               goto done;
+             }
+-- 
+2.41.0
+
diff --git a/sscg.spec b/sscg.spec
index ddf1a43..ffb54d3 100644
--- a/sscg.spec
+++ b/sscg.spec
@@ -16,6 +16,9 @@ Summary:        Simple SSL certificate generator
 License:        GPLv3+ with exceptions
 URL:            https://%{provider_prefix}
 Source0:        sscg-3.0.5.tar.gz
+# Extend maximum DNS name to 255
+# Author: Stephen Gallagher <sgallagh@redhat.com>
+Patch1:         0001-Extend-maximum-DNS-name-to-255.patch
 BuildRequires:  gcc
 BuildRequires:  libtalloc-devel
 BuildRequires:  openssl