sscg/SOURCES/0003-Truncate-IP-address-in-SAN.patch

From c633de3d77987cef5b652c861aa646774c6f1167 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Tue, 8 Mar 2022 16:33:35 -0500
Subject: [PATCH 3/6] Truncate IP address in SAN

In OpenSSL 1.1, this was done automatically when addind a SAN extension,
but in OpenSSL 3.0 it is rejected as an invalid input.

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
---
 src/x509.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/x509.c b/src/x509.c
index 7c7e4dfe56d5756862f3e0f851941e846ce96f31..e828ec725b23d7ea79393151e7bb436e2f61bdb8 100644
--- a/src/x509.c
+++ b/src/x509.c
@@ -133,6 +133,7 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
   char *alt_name = NULL;
   char *tmp = NULL;
   char *san = NULL;
+  char *slash = NULL;
   TALLOC_CTX *tmp_ctx;
   X509_EXTENSION *ex = NULL;
   struct sscg_x509_req *csr;
@@ -267,6 +268,12 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
           else
             {
               san = talloc_strdup (tmp_ctx, certinfo->subject_alt_names[i]);
+              /* SAN IP addresses cannot include the subnet mask */
+              if ((slash = strchr (san, '/')))
+                {
+                  /* Truncate at the slash */
+                  *slash = '\0';
+                }
             }
           CHECK_MEM (san);
 
@@ -289,7 +296,13 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
     }
 
   ex = X509V3_EXT_conf_nid (NULL, NULL, NID_subject_alt_name, alt_name);
-  CHECK_MEM (ex);
+  if (!ex)
+    {
+      ret = EINVAL;
+      fprintf (stderr, "Invalid subjectAlternativeName: %s\n", alt_name);
+      goto done;
+    }
+
   sk_X509_EXTENSION_push (certinfo->extensions, ex);
 
   /* Set the public key for the certificate */
-- 
2.49.0