diff options
| author | Tomas Mraz <tomas@openssl.org> | 2022-04-26 12:40:24 +0200 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2022-05-03 11:07:36 +0100 |
| commit | 7c33270707b568c524a8ef125fe611a8872cb5e8 (patch) | |
| tree | 2e5196c0868cb41c3d8837efbdcc707e8625f856 /tools | |
| parent | 33219939c782cf363b30e9e899b9997fb1ced440 (diff) | |
| download | openssl-new-7c33270707b568c524a8ef125fe611a8872cb5e8.tar.gz | |
c_rehash: Do not use shell to invoke openssl
Except on VMS where it is safe.
This fixes CVE-2022-1292.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Diffstat (limited to 'tools')
| -rw-r--r-- | tools/c_rehash.in | 29 |
1 files changed, 25 insertions, 4 deletions
diff --git a/tools/c_rehash.in b/tools/c_rehash.in index d51d8856d7..a630773a02 100644 --- a/tools/c_rehash.in +++ b/tools/c_rehash.in @@ -152,6 +152,23 @@ sub check_file { return ($is_cert, $is_crl); } +sub compute_hash { + my $fh; + if ( $^O eq "VMS" ) { + # VMS uses the open through shell + # The file names are safe there and list form is unsupported + if (!open($fh, "-|", join(' ', @_))) { + print STDERR "Cannot compute hash on '$fname'\n"; + return; + } + } else { + if (!open($fh, "-|", @_)) { + print STDERR "Cannot compute hash on '$fname'\n"; + return; + } + } + return (<$fh>, <$fh>); +} # Link a certificate to its subject name hash value, each hash is of # the form <hash>.<n> where n is an integer. If the hash value already exists @@ -161,10 +178,12 @@ sub check_file { sub link_hash_cert { my $fname = $_[0]; - $fname =~ s/\"/\\\"/g; - my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`; + my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash, + "-fingerprint", "-noout", + "-in", $fname); chomp $hash; chomp $fprint; + return if !$hash; $fprint =~ s/^.*=//; $fprint =~ tr/://d; my $suffix = 0; @@ -202,10 +221,12 @@ sub link_hash_cert { sub link_hash_crl { my $fname = $_[0]; - $fname =~ s/'/'\\''/g; - my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`; + my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash, + "-fingerprint", "-noout", + "-in", $fname); chomp $hash; chomp $fprint; + return if !$hash; $fprint =~ s/^.*=//; $fprint =~ tr/://d; my $suffix = 0; |