sscg/0004-Truncate-IP-address-in-SAN.patch
Stephen Gallagher 5111dabe2c
Truncate IP address in SAN
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2022-03-09 14:42:46 -05:00

50 lines
1.5 KiB
Diff

From 2e9889320c76368d31e6c9d579f239fe88002cf9 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Tue, 8 Mar 2022 16:34:09 -0500
Subject: [PATCH 4/4] Truncate IP address in SAN
In OpenSSL 1.1, this was done automatically when addind a SAN extension,
but in OpenSSL 3.0 it is rejected as an invalid input.
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
---
src/x509.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/x509.c b/src/x509.c
index 23bb337..e828ec7 100644
--- a/src/x509.c
+++ b/src/x509.c
@@ -131,10 +131,11 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
size_t i;
X509_NAME *subject;
char *alt_name = NULL;
char *tmp = NULL;
char *san = NULL;
+ char *slash = NULL;
TALLOC_CTX *tmp_ctx;
X509_EXTENSION *ex = NULL;
struct sscg_x509_req *csr;
/* Make sure we have a key available */
@@ -265,10 +266,16 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
tmp_ctx, "DNS:%s", certinfo->subject_alt_names[i]);
}
else
{
san = talloc_strdup (tmp_ctx, certinfo->subject_alt_names[i]);
+ /* SAN IP addresses cannot include the subnet mask */
+ if ((slash = strchr (san, '/')))
+ {
+ /* Truncate at the slash */
+ *slash = '\0';
+ }
}
CHECK_MEM (san);
if (strnlen (san, MAXHOSTNAMELEN + 5) > MAXHOSTNAMELEN + 4)
{
--
2.35.1