An IP address in a name constraint is actually an IP address concatenated
with a netmask, so it is twice as long as usual.
This fixes a third bug introduced in r1.3 and reported by Volker Schlecht
ok jsing
-/* $OpenBSD: x509_alt.c,v 1.7 2022/02/11 17:39:36 tb Exp $ */
+/* $OpenBSD: x509_alt.c,v 1.8 2022/02/11 17:41:55 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project.
*/
}
break;
case GEN_IPADD:
- if (len != 4 && len != 16) {
+ if ((!is_nc && len != 4 && len != 16) ||
+ (is_nc && len != 8 && len != 32)) {
X509V3error(X509V3_R_BAD_IP_ADDRESS);
ERR_asprintf_error_data("name=%s len=%zu", name, len);
goto err;
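Review bot: In the GEN_IPADD length check, the name-constraint lengths 8 and 32 appear as bare numbers with no comment, so a short note at the condition that a name-constraint IP address is address plus netmask (4+4 or 16+16 bytes) would keep a later reader from "correcting" it back to 4 and 16. The error data `name=%s len=%zu` also does not record `is_nc`, so a rejected length of 4 or 8 is ambiguous in the error output; consider including it in the message. These lines check only the total length, so whether the netmask half gets any validation of its own cannot be judged from this hunk and is worth confirming.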