Fix length check of IP addresses for name constraints

An IP address in a name constraint is actually an IP address concatenated
with a netmask, so it is twice as long as usual.

This fixes a third bug introduced in r1.3 and reported by Volker Schlecht

ok jsing

1 files changed, 3 insertions, 2 deletions

diff --git a/src/lib/libcrypto/x509/x509_alt.c b/src/lib/libcrypto/x509/x509_alt.c
index 52d30f91e8..4de6a09101 100644
--- a/src/lib/libcrypto/x509/x509_alt.c
+++ b/src/lib/libcrypto/x509/x509_alt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_alt.c,v 1.7 2022/02/11 17:39:36 tb Exp $ */
+/* $OpenBSD: x509_alt.c,v 1.8 2022/02/11 17:41:55 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -677,7 +677,8 @@ v2i_GENERAL_NAME_ex(GENERAL_NAME *out, const X509V3_EXT_METHOD *method,
                 }
                 break;
         case GEN_IPADD:
-                if (len != 4 && len != 16) {
+                if ((!is_nc && len != 4 && len != 16) ||
+                    (is_nc && len != 8 && len != 32)) {
                         X509V3error(X509V3_R_BAD_IP_ADDRESS);
                         ERR_asprintf_error_data("name=%s len=%zu", name, len);
                         goto err;