From 0875cd6169e876c4296a307631d49b801fc686dc Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Tue, 8 Mar 2022 16:33:35 -0500 Subject: [PATCH] Truncate IP address in SAN In OpenSSL 1.1, this was done automatically when addind a SAN extension, but in OpenSSL 3.0 it is rejected as an invalid input. Signed-off-by: Stephen Gallagher --- src/x509.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/src/x509.c b/src/x509.c index 7c7e4dfe56d5756862f3e0f851941e846ce96f31..e828ec725b23d7ea79393151e7bb436e2f61bdb8 100644 --- a/src/x509.c +++ b/src/x509.c @@ -131,10 +131,11 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx, size_t i; X509_NAME *subject; char *alt_name = NULL; char *tmp = NULL; char *san = NULL; + char *slash = NULL; TALLOC_CTX *tmp_ctx; X509_EXTENSION *ex = NULL; struct sscg_x509_req *csr; /* Make sure we have a key available */ @@ -265,10 +266,16 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx, tmp_ctx, "DNS:%s", certinfo->subject_alt_names[i]); } else { san = talloc_strdup (tmp_ctx, certinfo->subject_alt_names[i]); + /* SAN IP addresses cannot include the subnet mask */ + if ((slash = strchr (san, '/'))) + { + /* Truncate at the slash */ + *slash = '\0'; + } } CHECK_MEM (san); if (strnlen (san, MAXHOSTNAMELEN + 5) > MAXHOSTNAMELEN + 4) { @@ -287,11 +294,17 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx, alt_name = tmp; } } ex = X509V3_EXT_conf_nid (NULL, NULL, NID_subject_alt_name, alt_name); - CHECK_MEM (ex); + if (!ex) + { + ret = EINVAL; + fprintf (stderr, "Invalid subjectAlternativeName: %s\n", alt_name); + goto done; + } + sk_X509_EXTENSION_push (certinfo->extensions, ex); /* Set the public key for the certificate */ sslret = X509_REQ_set_pubkey (csr->x509_req, spkey->evp_pkey); CHECK_SSL (sslret, X509_REQ_set_pubkey (OU)); -- 2.35.1