Dev news

Commit 7123614134 for openssl.org

commit 712361413403dad7f09ee43ce1a5581d5ae7bb3a
Author: Dr. David von Oheimb <dev@ddvo.net>
Date:   Mon Sep 8 08:23:58 2025 +0200

    apps.c: fix next_item() to correctly handle space(s) before comma separators

    * Modified the parsing logic to handle space-followed-by-comma patterns
    * Updated the separator skipping logic to process at most one comma while allowing multiple spaces
    * Added a test case with a mixed DNS and IP SAN entry that includes the problematic spacing pattern

    Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
    Reviewed-by: Norbert Pocs <norbertp@openssl.org>
    Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/28471)

diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index ae9ecfff39..e7a1791731 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -648,16 +648,19 @@ void *app_malloc_array(size_t n, size_t sz, const char *what)
     return vp;
 }

-char *next_item(char *opt) /* in list separated by comma and/or space */
+char *next_item(char *opt) /* in list separated by comma and/or spaces */
 {
     /* advance to separator (comma or whitespace), if any */
-    while (*opt != ',' && !isspace(_UC(*opt)) && *opt != '\0')
+    while (*opt != '\0' && *opt != ',' && !isspace(_UC(*opt)))
         opt++;
     if (*opt != '\0') {
+        int found_comma = *opt == ',';
+
         /* terminate current item */
         *opt++ = '\0';
-        /* skip over any whitespace after separator */
-        while (isspace(_UC(*opt)))
+        /* skip over any further separators, but only one comma */
+        while ((!found_comma && (found_comma = (*opt == ',')))
+            || isspace(_UC(*opt)))
             opt++;
     }
     return *opt == '\0' ? NULL : opt; /* NULL indicates end of input */
diff --git a/test/recipes/80-test_cmp_http_data/test_enrollment.csv b/test/recipes/80-test_cmp_http_data/test_enrollment.csv
index a66afdc837..ab348af3a0 100644
--- a/test/recipes/80-test_cmp_http_data/test_enrollment.csv
+++ b/test/recipes/80-test_cmp_http_data/test_enrollment.csv
@@ -47,6 +47,10 @@ expected,description, -section,val, -cmd,val, -newkey,val,val, -newkeypass,val,
 1,sans critical, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,,,BLANK,, -sans,critical,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_sans_critical.pem,, -out_trusted,root.crt,,BLANK,,BLANK,,,
 1,sans 2 dns, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,,,BLANK,, -sans,localhost test,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_sans_two_dns.pem,, -out_trusted,root.crt,,BLANK,,BLANK,,,
 1,sans 1 dns 1 ip, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,,,BLANK,, -sans,localhost 127.0.0.1,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_sans_dns_ip.pem,, -out_trusted,root.crt,,BLANK,,BLANK,,,
+1,sans dns       comma       ip, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,,,BLANK,, -sans,'DNS:localhost,IP:127.0.0.1'  ,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_sans_dns_ip1.pem
+1,sans dns space comma       ip, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,,,BLANK,, -sans,'DNS:localhost ,IP:127.0.0.1' ,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_sans_dns_ip2.pem
+1,sans dns       comma space ip, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,,,BLANK,, -sans,'DNS:localhost, IP:127.0.0.1' ,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_sans_dns_ip3.pem
+1,sans dns space comma space ip, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,,,BLANK,, -sans,'DNS:localhost , IP:127.0.0.1',BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_sans_dns_ip4.pem
 1,sans 2 ip, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,,,BLANK,, -sans,127.0.0.1 1.2.3.4,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_sans_two_ip.pem,, -out_trusted,root.crt,,BLANK,,BLANK,,,
 1,sans 1 uri, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,,,BLANK,, -sans,https://www.sample.com,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_sans_uri.pem,, -out_trusted,root.crt,,BLANK,,BLANK,,,
 1,san_nodefault, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,,,BLANK,, -sans,127.0.0.1 1.2.3.4, -san_nodefault,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_sans_nodefault.pem,, -out_trusted,root.crt,,BLANK,,BLANK,,,