Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
c_rehash: Do not use shell to invoke openssl
Except on VMS where it is safe.

This fixes CVE-2022-1292.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
  • Loading branch information
t8m authored and mattcaswell committed May 3, 2022
1 parent 982fad3 commit e5fd172
Showing 1 changed file with 25 additions and 4 deletions.
29 changes: 25 additions & 4 deletions tools/c_rehash.in
Expand Up @@ -152,6 +152,23 @@ sub check_file {
return ($is_cert, $is_crl);
}

sub compute_hash {
my $fh;
if ( $^O eq "VMS" ) {
# VMS uses the open through shell
# The file names are safe there and list form is unsupported
if (!open($fh, "-|", join(' ', @_))) {
print STDERR "Cannot compute hash on '$fname'\n";
return;
}
} else {
if (!open($fh, "-|", @_)) {
print STDERR "Cannot compute hash on '$fname'\n";
return;
}
}
return (<$fh>, <$fh>);
}

# Link a certificate to its subject name hash value, each hash is of
# the form <hash>.<n> where n is an integer. If the hash value already exists
Expand All @@ -161,10 +178,12 @@ sub check_file {

sub link_hash_cert {
my $fname = $_[0];
$fname =~ s/\"/\\\"/g;
my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`;
my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
"-fingerprint", "-noout",
"-in", $fname);
chomp $hash;
chomp $fprint;
return if !$hash;
$fprint =~ s/^.*=//;
$fprint =~ tr/://d;
my $suffix = 0;
Expand Down Expand Up @@ -202,10 +221,12 @@ sub link_hash_cert {

sub link_hash_crl {
my $fname = $_[0];
$fname =~ s/'/'\\''/g;
my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`;
my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
"-fingerprint", "-noout",
"-in", $fname);
chomp $hash;
chomp $fprint;
return if !$hash;
$fprint =~ s/^.*=//;
$fprint =~ tr/://d;
my $suffix = 0;
Expand Down

0 comments on commit e5fd172

Please sign in to comment.