提交 3d318062 编写于 作者: Z zhao_zhen_zhou

fix CVE-2022-1292 and CVE-2022-2068

Signed-off-by: Nzhao_zhen_zhou <zhaozhenzhou@huawei.com>
上级 b664f6e9
#!{- $config{HASHBANGPERL} -} #!{- $config{HASHBANGPERL} -}
# {- join("\n# ", @autowarntext) -} # {- join("\n# ", @autowarntext) -}
# Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. # Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved.
# #
# Licensed under the OpenSSL license (the "License"). You may not use # Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy # this file except in compliance with the License. You can obtain a copy
...@@ -104,18 +104,41 @@ foreach (@dirlist) { ...@@ -104,18 +104,41 @@ foreach (@dirlist) {
} }
exit($errorcount); exit($errorcount);
sub copy_file {
my ($src_fname, $dst_fname) = @_;
if (open(my $in, "<", $src_fname)) {
if (open(my $out, ">", $dst_fname)) {
print $out $_ while (<$in>);
close $out;
} else {
warn "Cannot open $dst_fname for write, $!";
}
close $in;
} else {
warn "Cannot open $src_fname for read, $!";
}
}
sub hash_dir { sub hash_dir {
my $dir = shift;
my %hashlist; my %hashlist;
print "Doing $_[0]\n";
chdir $_[0]; print "Doing $dir\n";
opendir(DIR, ".");
if (!chdir $dir) {
print STDERR "WARNING: Cannot chdir to '$dir', $!\n";
return;
}
opendir(DIR, ".") || print STDERR "WARNING: Cannot opendir '.', $!\n";
my @flist = sort readdir(DIR); my @flist = sort readdir(DIR);
closedir DIR; closedir DIR;
if ( $removelinks ) { if ( $removelinks ) {
# Delete any existing symbolic links # Delete any existing symbolic links
foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) { foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
if (-l $_) { if (-l $_) {
print "unlink $_" if $verbose; print "unlink $_\n" if $verbose;
unlink $_ || warn "Can't unlink $_, $!\n"; unlink $_ || warn "Can't unlink $_, $!\n";
} }
} }
...@@ -130,13 +153,16 @@ sub hash_dir { ...@@ -130,13 +153,16 @@ sub hash_dir {
link_hash_cert($fname) if ($cert); link_hash_cert($fname) if ($cert);
link_hash_crl($fname) if ($crl); link_hash_crl($fname) if ($crl);
} }
chdir $pwd;
} }
sub check_file { sub check_file {
my ($is_cert, $is_crl) = (0,0); my ($is_cert, $is_crl) = (0,0);
my $fname = $_[0]; my $fname = $_[0];
open IN, $fname;
while(<IN>) { open(my $in, "<", $fname);
while(<$in>) {
if (/^-----BEGIN (.*)-----/) { if (/^-----BEGIN (.*)-----/) {
my $hdr = $1; my $hdr = $1;
if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) { if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
...@@ -148,10 +174,27 @@ sub check_file { ...@@ -148,10 +174,27 @@ sub check_file {
} }
} }
} }
close IN; close $in;
return ($is_cert, $is_crl); return ($is_cert, $is_crl);
} }
sub compute_hash {
my $fh;
if ( $^O eq "VMS" ) {
# VMS uses the open through shell
# The file names are safe there and list form is unsupported
if (!open($fh, "-|", join(' ', @_))) {
print STDERR "Cannot compute hash on '$fname'\n";
return;
}
} else {
if (!open($fh, "-|", @_)) {
print STDERR "Cannot compute hash on '$fname'\n";
return;
}
}
return (<$fh>, <$fh>);
}
# Link a certificate to its subject name hash value, each hash is of # Link a certificate to its subject name hash value, each hash is of
# the form <hash>.<n> where n is an integer. If the hash value already exists # the form <hash>.<n> where n is an integer. If the hash value already exists
...@@ -160,72 +203,48 @@ sub check_file { ...@@ -160,72 +203,48 @@ sub check_file {
# certificate fingerprints # certificate fingerprints
sub link_hash_cert { sub link_hash_cert {
my $fname = $_[0]; link_hash($_[0], 'cert');
$fname =~ s/\"/\\\"/g;
my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`;
chomp $hash;
chomp $fprint;
$fprint =~ s/^.*=//;
$fprint =~ tr/://d;
my $suffix = 0;
# Search for an unused hash filename
while(exists $hashlist{"$hash.$suffix"}) {
# Hash matches: if fingerprint matches its a duplicate cert
if ($hashlist{"$hash.$suffix"} eq $fprint) {
print STDERR "WARNING: Skipping duplicate certificate $fname\n";
return;
}
$suffix++;
}
$hash .= ".$suffix";
if ($symlink_exists) {
print "link $fname -> $hash\n" if $verbose;
symlink $fname, $hash || warn "Can't symlink, $!";
} else {
print "copy $fname -> $hash\n" if $verbose;
if (open($in, "<", $fname)) {
if (open($out,">", $hash)) {
print $out $_ while (<$in>);
close $out;
} else {
warn "can't open $hash for write, $!";
}
close $in;
} else {
warn "can't open $fname for read, $!";
}
}
$hashlist{$hash} = $fprint;
} }
# Same as above except for a CRL. CRL links are of the form <hash>.r<n> # Same as above except for a CRL. CRL links are of the form <hash>.r<n>
sub link_hash_crl { sub link_hash_crl {
my $fname = $_[0]; link_hash($_[0], 'crl');
$fname =~ s/'/'\\''/g; }
my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`;
sub link_hash {
my ($fname, $type) = @_;
my $is_cert = $type eq 'cert';
my ($hash, $fprint) = compute_hash($openssl,
$is_cert ? "x509" : "crl",
$is_cert ? $x509hash : $crlhash,
"-fingerprint", "-noout",
"-in", $fname);
chomp $hash; chomp $hash;
chomp $fprint; chomp $fprint;
return if !$hash;
$fprint =~ s/^.*=//; $fprint =~ s/^.*=//;
$fprint =~ tr/://d; $fprint =~ tr/://d;
my $suffix = 0; my $suffix = 0;
# Search for an unused hash filename # Search for an unused hash filename
while(exists $hashlist{"$hash.r$suffix"}) { my $crlmark = $is_cert ? "" : "r";
while(exists $hashlist{"$hash.$crlmark$suffix"}) {
# Hash matches: if fingerprint matches its a duplicate cert # Hash matches: if fingerprint matches its a duplicate cert
if ($hashlist{"$hash.r$suffix"} eq $fprint) { if ($hashlist{"$hash.$crlmark$suffix"} eq $fprint) {
print STDERR "WARNING: Skipping duplicate CRL $fname\n"; my $what = $is_cert ? 'certificate' : 'CRL';
print STDERR "WARNING: Skipping duplicate $what $fname\n";
return; return;
} }
$suffix++; $suffix++;
} }
$hash .= ".r$suffix"; $hash .= ".$crlmark$suffix";
if ($symlink_exists) { if ($symlink_exists) {
print "link $fname -> $hash\n" if $verbose; print "link $fname -> $hash\n" if $verbose;
symlink $fname, $hash || warn "Can't symlink, $!"; symlink $fname, $hash || warn "Can't symlink, $!";
} else { } else {
print "cp $fname -> $hash\n" if $verbose; print "copy $fname -> $hash\n" if $verbose;
system ("cp", $fname, $hash); copy_file($fname, $hash);
warn "Can't copy, $!" if ($? >> 8) != 0;
} }
$hashlist{$hash} = $fprint; $hashlist{$hash} = $fprint;
} }
\ No newline at end of file
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册