You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
256 lines
7.6 KiB
256 lines
7.6 KiB
2 years ago
|
From 9639817dac8bbbaa64d09efad7464ccc405527c7 Mon Sep 17 00:00:00 2001
|
||
|
From: Daniel Fiala <daniel@openssl.org>
|
||
|
Date: Sun, 29 May 2022 20:11:24 +0200
|
||
|
Subject: [PATCH] Fix file operations in c_rehash.
|
||
|
|
||
|
CVE-2022-2068
|
||
|
|
||
|
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
||
|
Upstream-Status: Backport [https://github.com/openssl/openssl/commit/9639817dac8bbbaa64d09efad7464ccc405527c7]
|
||
|
---
|
||
|
tools/c_rehash.in | 216 +++++++++++++++++++++++-----------------------
|
||
|
1 file changed, 107 insertions(+), 109 deletions(-)
|
||
|
|
||
|
diff --git a/tools/c_rehash.in b/tools/c_rehash.in
|
||
|
index cfd18f5da110..9d2a6f6db73b 100644
|
||
|
--- a/tools/c_rehash.in
|
||
|
+++ b/tools/c_rehash.in
|
||
|
@@ -104,52 +104,78 @@ foreach (@dirlist) {
|
||
|
}
|
||
|
exit($errorcount);
|
||
|
|
||
|
+sub copy_file {
|
||
|
+ my ($src_fname, $dst_fname) = @_;
|
||
|
+
|
||
|
+ if (open(my $in, "<", $src_fname)) {
|
||
|
+ if (open(my $out, ">", $dst_fname)) {
|
||
|
+ print $out $_ while (<$in>);
|
||
|
+ close $out;
|
||
|
+ } else {
|
||
|
+ warn "Cannot open $dst_fname for write, $!";
|
||
|
+ }
|
||
|
+ close $in;
|
||
|
+ } else {
|
||
|
+ warn "Cannot open $src_fname for read, $!";
|
||
|
+ }
|
||
|
+}
|
||
|
+
|
||
|
sub hash_dir {
|
||
|
- my %hashlist;
|
||
|
- print "Doing $_[0]\n";
|
||
|
- chdir $_[0];
|
||
|
- opendir(DIR, ".");
|
||
|
- my @flist = sort readdir(DIR);
|
||
|
- closedir DIR;
|
||
|
- if ( $removelinks ) {
|
||
|
- # Delete any existing symbolic links
|
||
|
- foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
|
||
|
- if (-l $_) {
|
||
|
- print "unlink $_" if $verbose;
|
||
|
- unlink $_ || warn "Can't unlink $_, $!\n";
|
||
|
- }
|
||
|
- }
|
||
|
- }
|
||
|
- FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
|
||
|
- # Check to see if certificates and/or CRLs present.
|
||
|
- my ($cert, $crl) = check_file($fname);
|
||
|
- if (!$cert && !$crl) {
|
||
|
- print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
|
||
|
- next;
|
||
|
- }
|
||
|
- link_hash_cert($fname) if ($cert);
|
||
|
- link_hash_crl($fname) if ($crl);
|
||
|
- }
|
||
|
+ my $dir = shift;
|
||
|
+ my %hashlist;
|
||
|
+
|
||
|
+ print "Doing $dir\n";
|
||
|
+
|
||
|
+ if (!chdir $dir) {
|
||
|
+ print STDERR "WARNING: Cannot chdir to '$dir', $!\n";
|
||
|
+ return;
|
||
|
+ }
|
||
|
+
|
||
|
+ opendir(DIR, ".") || print STDERR "WARNING: Cannot opendir '.', $!\n";
|
||
|
+ my @flist = sort readdir(DIR);
|
||
|
+ closedir DIR;
|
||
|
+ if ( $removelinks ) {
|
||
|
+ # Delete any existing symbolic links
|
||
|
+ foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
|
||
|
+ if (-l $_) {
|
||
|
+ print "unlink $_\n" if $verbose;
|
||
|
+ unlink $_ || warn "Can't unlink $_, $!\n";
|
||
|
+ }
|
||
|
+ }
|
||
|
+ }
|
||
|
+ FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
|
||
|
+ # Check to see if certificates and/or CRLs present.
|
||
|
+ my ($cert, $crl) = check_file($fname);
|
||
|
+ if (!$cert && !$crl) {
|
||
|
+ print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
|
||
|
+ next;
|
||
|
+ }
|
||
|
+ link_hash_cert($fname) if ($cert);
|
||
|
+ link_hash_crl($fname) if ($crl);
|
||
|
+ }
|
||
|
+
|
||
|
+ chdir $pwd;
|
||
|
}
|
||
|
|
||
|
sub check_file {
|
||
|
- my ($is_cert, $is_crl) = (0,0);
|
||
|
- my $fname = $_[0];
|
||
|
- open IN, $fname;
|
||
|
- while(<IN>) {
|
||
|
- if (/^-----BEGIN (.*)-----/) {
|
||
|
- my $hdr = $1;
|
||
|
- if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
|
||
|
- $is_cert = 1;
|
||
|
- last if ($is_crl);
|
||
|
- } elsif ($hdr eq "X509 CRL") {
|
||
|
- $is_crl = 1;
|
||
|
- last if ($is_cert);
|
||
|
- }
|
||
|
- }
|
||
|
- }
|
||
|
- close IN;
|
||
|
- return ($is_cert, $is_crl);
|
||
|
+ my ($is_cert, $is_crl) = (0,0);
|
||
|
+ my $fname = $_[0];
|
||
|
+
|
||
|
+ open(my $in, "<", $fname);
|
||
|
+ while(<$in>) {
|
||
|
+ if (/^-----BEGIN (.*)-----/) {
|
||
|
+ my $hdr = $1;
|
||
|
+ if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
|
||
|
+ $is_cert = 1;
|
||
|
+ last if ($is_crl);
|
||
|
+ } elsif ($hdr eq "X509 CRL") {
|
||
|
+ $is_crl = 1;
|
||
|
+ last if ($is_cert);
|
||
|
+ }
|
||
|
+ }
|
||
|
+ }
|
||
|
+ close $in;
|
||
|
+ return ($is_cert, $is_crl);
|
||
|
}
|
||
|
|
||
|
sub compute_hash {
|
||
|
@@ -177,76 +203,48 @@ sub compute_hash {
|
||
|
# certificate fingerprints
|
||
|
|
||
|
sub link_hash_cert {
|
||
|
- my $fname = $_[0];
|
||
|
- my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
|
||
|
- "-fingerprint", "-noout",
|
||
|
- "-in", $fname);
|
||
|
- chomp $hash;
|
||
|
- chomp $fprint;
|
||
|
- return if !$hash;
|
||
|
- $fprint =~ s/^.*=//;
|
||
|
- $fprint =~ tr/://d;
|
||
|
- my $suffix = 0;
|
||
|
- # Search for an unused hash filename
|
||
|
- while(exists $hashlist{"$hash.$suffix"}) {
|
||
|
- # Hash matches: if fingerprint matches its a duplicate cert
|
||
|
- if ($hashlist{"$hash.$suffix"} eq $fprint) {
|
||
|
- print STDERR "WARNING: Skipping duplicate certificate $fname\n";
|
||
|
- return;
|
||
|
- }
|
||
|
- $suffix++;
|
||
|
- }
|
||
|
- $hash .= ".$suffix";
|
||
|
- if ($symlink_exists) {
|
||
|
- print "link $fname -> $hash\n" if $verbose;
|
||
|
- symlink $fname, $hash || warn "Can't symlink, $!";
|
||
|
- } else {
|
||
|
- print "copy $fname -> $hash\n" if $verbose;
|
||
|
- if (open($in, "<", $fname)) {
|
||
|
- if (open($out,">", $hash)) {
|
||
|
- print $out $_ while (<$in>);
|
||
|
- close $out;
|
||
|
- } else {
|
||
|
- warn "can't open $hash for write, $!";
|
||
|
- }
|
||
|
- close $in;
|
||
|
- } else {
|
||
|
- warn "can't open $fname for read, $!";
|
||
|
- }
|
||
|
- }
|
||
|
- $hashlist{$hash} = $fprint;
|
||
|
+ link_hash($_[0], 'cert');
|
||
|
}
|
||
|
|
||
|
# Same as above except for a CRL. CRL links are of the form <hash>.r<n>
|
||
|
|
||
|
sub link_hash_crl {
|
||
|
- my $fname = $_[0];
|
||
|
- my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
|
||
|
- "-fingerprint", "-noout",
|
||
|
- "-in", $fname);
|
||
|
- chomp $hash;
|
||
|
- chomp $fprint;
|
||
|
- return if !$hash;
|
||
|
- $fprint =~ s/^.*=//;
|
||
|
- $fprint =~ tr/://d;
|
||
|
- my $suffix = 0;
|
||
|
- # Search for an unused hash filename
|
||
|
- while(exists $hashlist{"$hash.r$suffix"}) {
|
||
|
- # Hash matches: if fingerprint matches its a duplicate cert
|
||
|
- if ($hashlist{"$hash.r$suffix"} eq $fprint) {
|
||
|
- print STDERR "WARNING: Skipping duplicate CRL $fname\n";
|
||
|
- return;
|
||
|
- }
|
||
|
- $suffix++;
|
||
|
- }
|
||
|
- $hash .= ".r$suffix";
|
||
|
- if ($symlink_exists) {
|
||
|
- print "link $fname -> $hash\n" if $verbose;
|
||
|
- symlink $fname, $hash || warn "Can't symlink, $!";
|
||
|
- } else {
|
||
|
- print "cp $fname -> $hash\n" if $verbose;
|
||
|
- system ("cp", $fname, $hash);
|
||
|
- warn "Can't copy, $!" if ($? >> 8) != 0;
|
||
|
- }
|
||
|
- $hashlist{$hash} = $fprint;
|
||
|
+ link_hash($_[0], 'crl');
|
||
|
+}
|
||
|
+
|
||
|
+sub link_hash {
|
||
|
+ my ($fname, $type) = @_;
|
||
|
+ my $is_cert = $type eq 'cert';
|
||
|
+
|
||
|
+ my ($hash, $fprint) = compute_hash($openssl,
|
||
|
+ $is_cert ? "x509" : "crl",
|
||
|
+ $is_cert ? $x509hash : $crlhash,
|
||
|
+ "-fingerprint", "-noout",
|
||
|
+ "-in", $fname);
|
||
|
+ chomp $hash;
|
||
|
+ chomp $fprint;
|
||
|
+ return if !$hash;
|
||
|
+ $fprint =~ s/^.*=//;
|
||
|
+ $fprint =~ tr/://d;
|
||
|
+ my $suffix = 0;
|
||
|
+ # Search for an unused hash filename
|
||
|
+ my $crlmark = $is_cert ? "" : "r";
|
||
|
+ while(exists $hashlist{"$hash.$crlmark$suffix"}) {
|
||
|
+ # Hash matches: if fingerprint matches its a duplicate cert
|
||
|
+ if ($hashlist{"$hash.$crlmark$suffix"} eq $fprint) {
|
||
|
+ my $what = $is_cert ? 'certificate' : 'CRL';
|
||
|
+ print STDERR "WARNING: Skipping duplicate $what $fname\n";
|
||
|
+ return;
|
||
|
+ }
|
||
|
+ $suffix++;
|
||
|
+ }
|
||
|
+ $hash .= ".$crlmark$suffix";
|
||
|
+ if ($symlink_exists) {
|
||
|
+ print "link $fname -> $hash\n" if $verbose;
|
||
|
+ symlink $fname, $hash || warn "Can't symlink, $!";
|
||
|
+ } else {
|
||
|
+ print "copy $fname -> $hash\n" if $verbose;
|
||
|
+ copy_file($fname, $hash);
|
||
|
+ }
|
||
|
+ $hashlist{$hash} = $fprint;
|
||
|
}
|