Prevent loading arbitrary executable code based on config at runtime, while allowing libraries to be specified at compile time when they are known in advance.
* Add the ability to configure libraries to load at compile time.
* CONFIG_PKCS11_ENGINE_PATH - pkcs11_engine library location.
* CONFIG_PKCS11_MODULE_PATH - pkcs11_module library location.
* CONFIG_OPENSC_ENGINE_PATH - opensc_engine library location.
* Add flags with the ability to set each of the libraries to NULL and prevent loading them at runtime.
* CONFIG_NO_PKCS11_ENGINE_PATH - prevents loading pkcs11_engine library.
* CONFIG_NO_PKCS11_MODULE_PATH - prevents loading pkcs11_module library.
* CONFIG_NO_OPENSC_ENGINE_PATH - prevents loading opens_engine library.
* CONFIG_NO_LOAD_DYNAMIC_EAP - prevents loading eap libraries at runtime.
Signed-off-by: David Ruth <druth@xxxxxxxxxxxx>
---
 src/crypto/tls.h | 6 +++++
 src/crypto/tls_openssl.c | 26 ++++++++++++++++-----
 src/eap_peer/eap.c | 6 +++++
 src/eapol_supp/eapol_supp_sm.c | 6 +++++
 src/eapol_supp/eapol_supp_sm.h | 6 +++++
 wpa_supplicant/Makefile | 30 +++++++++++++++++++++++++
 wpa_supplicant/config.c | 17 +++++++++++++-
 wpa_supplicant/config.h | 6 +++++
 wpa_supplicant/config_file.c | 6 +++++
 wpa_supplicant/dbus/dbus_new_handlers.c | 13 +++++++++++
 wpa_supplicant/wpa_supplicant.c | 6 ++++-
 wpa_supplicant/wpas_glue.c | 6 +++++
 12 files changed, 126 insertions(+), 8 deletions(-)
diff --git a/src/crypto/tls.h b/src/crypto/tls.h
index 7bed1830a..f839f9dfb 100644
--- a/src/crypto/tls.h
+++ b/src/crypto/tls.h
@@ -80,9 +80,15 @@ union tls_event_data {
 };
 
 struct tls_config {
+#ifndef CONFIG_OPENSC_ENGINE_PATH
 const char *opensc_engine_path;
+#endif /* CONFIG_OPENSC_ENGINE_PATH */
+#ifndef CONFIG_PKCS11_ENGINE_PATH
 const char *pkcs11_engine_path;
+#endif /* CONFIG_PKCS11_ENGINE_PATH */
+#ifndef CONFIG_PKCS11_MODULE_PATH
 const char *pkcs11_module_path;
+#endif /* CONFIG_PKCS11_MODULE_PATH */
 int fips_mode;
 int cert_in_cb;
 const char *openssl_ciphers;
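Review bot: Guarding members of `struct tls_config` with `#ifndef CONFIG_*_PATH` changes the struct's layout, yet tls.h is included by every user of the TLS wrapper while the defines are only added to CFLAGS in wpa_supplicant/Makefile, so any object that includes this header under a different flag set disagrees on the offsets of `fips_mode`, `cert_in_cb` and `openssl_ciphers`; if all consumers are built from the same Makefile this is harmless, but nothing here enforces it. The header also gives no hint that a field can be absent, so code such as `conf->pkcs11_engine_path` compiles in one configuration and fails in another. I would add above the first guard: `/* Omitted when CONFIG_*_PATH is defined at build time; tls_init() then uses the compile-time value (a path string or NULL) instead of this field. */`.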
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index fe38fa754..4b9b0ae1c 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -1134,12 +1134,26 @@ void * tls_init(const struct tls_config *conf)
 wpa_printf(MSG_DEBUG, "ENGINE: Loading builtin engines");
 ENGINE_load_builtin_engines();
 
- if (conf &&
- (conf->opensc_engine_path || conf->pkcs11_engine_path ||
- conf->pkcs11_module_path)) {
- if (tls_engine_load_dynamic_opensc(conf->opensc_engine_path) ||
- tls_engine_load_dynamic_pkcs11(conf->pkcs11_engine_path,
- conf->pkcs11_module_path)) {
+#ifdef CONFIG_OPENSC_ENGINE_PATH
+ char const * const opensc_engine_path = CONFIG_OPENSC_ENGINE_PATH;
+#else
+ char const * const opensc_engine_path = (conf) ? conf->opensc_engine_path: NULL;
+#endif /* CONFIG_OPENSC_ENGINE_PATH */
+#ifdef CONFIG_PKCS11_ENGINE_PATH
+ char const * const pkcs11_engine_path = CONFIG_PKCS11_ENGINE_PATH;
+#else
+ char const * const pkcs11_engine_path = (conf) ? conf->pkcs11_engine_path: NULL;
+#endif /* CONFIG_PKCS11_ENGINE_PATH */
+#ifdef CONFIG_PKCS11_MODULE_PATH
+ char const * const pkcs11_module_path = CONFIG_PKCS11_MODULE_PATH;
+#else
+ char const * const pkcs11_module_path = (conf) ? conf->pkcs11_module_path : NULL;
+#endif /* CONFIG_PKCS11_MODULE_PATH */
+
+ if (opensc_engine_path || pkcs11_engine_path || pkcs11_module_path) {
+ if (tls_engine_load_dynamic_opensc(opensc_engine_path) ||
+ tls_engine_load_dynamic_pkcs11(pkcs11_engine_path,
+ pkcs11_module_path)) {
 tls_deinit(data);
 return NULL;
 }
diff --git a/src/eap_peer/eap.c b/src/eap_peer/eap.c
index d07060213..18b8e5f43 100644
--- a/src/eap_peer/eap.c
+++ b/src/eap_peer/eap.c
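Review bot: The three new declarations follow statements (`ENGINE_load_builtin_engines();`) and are spelled `char const * const`, while the field they mirror in tls.h is `const char *` and the surrounding code declares at the top of the block; two of the three ternaries also omit the space before `:` (`conf->opensc_engine_path: NULL`). I would move the three `#ifdef` blocks to the start of tls_init (which begins outside this hunk) and write each runtime form as `const char *opensc_engine_path = conf ? conf->opensc_engine_path : NULL;`. Since CONFIG_NO_*_PATH makes the macro expand to `NULL`, a one-line comment on the `#ifdef` branch, `/* fixed at build time: a path, or NULL to disable loading */`, would save the next reader a trip to the Makefile.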
@@ -2216,9 +2216,15 @@ struct eap_sm * eap_peer_sm_init(void *eapol_ctx,
 dl_list_init(&sm->erp_keys);
 
 os_memset(&tlsconf, 0, sizeof(tlsconf));
+#ifndef CONFIG_OPENSC_ENGINE_PATH
 tlsconf.opensc_engine_path = conf->opensc_engine_path;
+#endif /* CONFIG_OPENSC_ENGINE_PATH */
+#ifndef CONFIG_PKCS11_ENGINE_PATH
 tlsconf.pkcs11_engine_path = conf->pkcs11_engine_path;
+#endif /* CONFIG_PKCS11_ENGINE_PATH */
+#ifndef CONFIG_PKCS11_MODULE_PATH
 tlsconf.pkcs11_module_path = conf->pkcs11_module_path;
+#endif /* CONFIG_PKCS11_MODULE_PATH */
 tlsconf.openssl_ciphers = conf->openssl_ciphers;
 #ifdef CONFIG_FIPS
 tlsconf.fips_mode = 1;
diff --git a/src/eapol_supp/eapol_supp_sm.c b/src/eapol_supp/eapol_supp_sm.c
index 0bfe3c970..abc1416a3 100644
--- a/src/eapol_supp/eapol_supp_sm.c
+++ b/src/eapol_supp/eapol_supp_sm.c
@@ -2136,9 +2136,15 @@ struct eapol_sm *eapol_sm_init(struct eapol_ctx *ctx)
 sm->authPeriod = 30;
 
 os_memset(&conf, 0, sizeof(conf));
+#ifndef CONFIG_OPENSC_ENGINE_PATH
 conf.opensc_engine_path = ctx->opensc_engine_path;
+#endif /* CONFIG_OPENSC_ENGINE_PATH */
+#ifndef CONFIG_PKCS11_ENGINE_PATH
 conf.pkcs11_engine_path = ctx->pkcs11_engine_path;
+#endif /* CONFIG_PKCS11_ENGINE_PATH */
+#ifndef CONFIG_PKCS11_MODULE_PATH
 conf.pkcs11_module_path = ctx->pkcs11_module_path;
+#endif /* CONFIG_PKCS11_MODULE_PATH */
 conf.openssl_ciphers = ctx->openssl_ciphers;
 conf.wps = ctx->wps;
 conf.cert_in_cb = ctx->cert_in_cb;
diff --git a/src/eapol_supp/eapol_supp_sm.h b/src/eapol_supp/eapol_supp_sm.h
index 2b1aeff88..870ba1d02 100644
--- a/src/eapol_supp/eapol_supp_sm.h
+++ b/src/eapol_supp/eapol_supp_sm.h
@@ -188,6 +188,7 @@ struct eapol_ctx {
 */
 void (*aborted_cached)(void *ctx);
 
+#ifndef CONFIG_OPENSC_ENGINE_PATH
 /**
 * opensc_engine_path - Path to the OpenSSL engine for opensc
 *
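Review bot: The kernel-doc block for `opensc_engine_path` that this `#ifndef` now encloses (it continues into the next hunk) still documents only the NULL case and says nothing about the field being compiled out when CONFIG_OPENSC_ENGINE_PATH is defined, so a reader of eapol_supp_sm.h cannot tell why `ctx->opensc_engine_path` fails to compile in such a build. I would add to that comment, and to the matching `pkcs11_engine_path` and `pkcs11_module_path` blocks here and in config.h, a line such as ` * Not present when CONFIG_OPENSC_ENGINE_PATH is set at build time; the compile-time path (or NULL) is used instead.`. The same `#ifndef` triplet is copied verbatim into eap.c, eapol_supp_sm.c, config.c, config_file.c and wpas_glue.c; that works, but any future fourth path will have to be threaded through all of them by hand, so a short pointer in each header comment to where the compile-time value is consumed (tls_init) is the minimum that keeps them in step.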
@@ -195,7 +196,9 @@ struct eapol_ctx {
 * engine (engine_opensc.so); if %NULL, this engine is not loaded.
 */
 const char *opensc_engine_path;
+#endif /* CONFIG_OPENSC_ENGINE_PATH */
 
+#ifndef CONFIG_PKCS11_ENGINE_PATH
 /**
 * pkcs11_engine_path - Path to the OpenSSL engine for PKCS#11
 *
@@ -203,7 +206,9 @@ struct eapol_ctx {
 * engine (engine_pkcs11.so); if %NULL, this engine is not loaded.
 */
 const char *pkcs11_engine_path;
+#endif /* CONFIG_PKCS11_ENGINE_PATH */
 
+#ifndef CONFIG_PKCS11_MODULE_PATH
 /**
 * pkcs11_module_path - Path to the OpenSSL OpenSC/PKCS#11 module
 *
@@ -212,6 +217,7 @@ struct eapol_ctx {
 * module is not loaded.
 */
 const char *pkcs11_module_path;
+#endif /* CONFIG_PKCS11_MODULE_PATH */
 
 /**
 * openssl_ciphers - OpenSSL cipher string
diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
index 57620fe79..0acd1091d 100644
--- a/wpa_supplicant/Makefile
+++ b/wpa_supplicant/Makefile
@@ -445,6 +445,36 @@ ifdef CONFIG_NO_ROAMING
 CFLAGS += -DCONFIG_NO_ROAMING
 endif
 
+ifdef CONFIG_OPENSC_ENGINE_PATH
+CFLAGS += -DCONFIG_OPENSC_ENGINE_PATH=\"$(CONFIG_OPENSC_ENGINE_PATH)\"
+endif
+
+ifdef CONFIG_NO_OPENSC_ENGINE_PATH
+CFLAGS += -DCONFIG_OPENSC_ENGINE_PATH=NULL
+endif
+
+ifdef CONFIG_PKCS11_ENGINE_PATH
+CFLAGS += -DCONFIG_PKCS11_ENGINE_PATH=\"$(CONFIG_PKCS11_ENGINE_PATH)\"
+endif
+
+ifdef CONFIG_NO_PKCS11_ENGINE_PATH
+CFLAGS += -DCONFIG_PKCS11_ENGINE_PATH=NULL
+endif
+
+
+ifdef CONFIG_PKCS11_MODULE_PATH
+CFLAGS += -DCONFIG_PKCS11_MODULE_PATH=\"$(CONFIG_PKCS11_MODULE_PATH)\"
+endif
+
+ifdef CONFIG_NO_PKCS11_MODULE_PATH
+CFLAGS += -DCONFIG_PKCS11_MODULE_PATH=NULL
+endif
+
+
+ifdef CONFIG_NO_LOAD_DYNAMIC_EAP
+CFLAGS += -DCONFIG_NO_LOAD_DYNAMIC_EAP
+endif
+
 include ../src/drivers/drivers.mak
 ifdef CONFIG_AP
 OBJS_d += $(DRV_BOTH_OBJS)
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index 5c57427af..8ac1eb5d3 100644
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
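Review bot: Nothing stops CONFIG_OPENSC_ENGINE_PATH and CONFIG_NO_OPENSC_ENGINE_PATH (likewise the two PKCS11 pairs) from both being set in .config, in which case CFLAGS receives two `-DCONFIG_OPENSC_ENGINE_PATH=` definitions with different values; the compiler warns about the redefinition and the later `NULL` silently wins, so a build meant to pin the engine path ends up disabling it. A contradictory configuration should fail the build instead, and the new options also need entries in wpa_supplicant/defconfig (not touched by this patch) so that users can find them. The same guard belongs on the PKCS11 engine and module blocks below.
```makefile
ifdef CONFIG_OPENSC_ENGINE_PATH
ifdef CONFIG_NO_OPENSC_ENGINE_PATH
$(error CONFIG_OPENSC_ENGINE_PATH and CONFIG_NO_OPENSC_ENGINE_PATH are mutually exclusive)
endif
CFLAGS += -DCONFIG_OPENSC_ENGINE_PATH=\"$(CONFIG_OPENSC_ENGINE_PATH)\"
endif
# … unchanged: CONFIG_NO_OPENSC_ENGINE_PATH block; PKCS11 engine/module blocks get the same check …
```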
@@ -3006,9 +3006,15 @@ void wpa_config_free(struct wpa_config *config)
 wpabuf_free(config->wps_vendor_ext[i]);
 os_free(config->ctrl_interface);
 os_free(config->ctrl_interface_group);
+#ifndef CONFIG_OPENSC_ENGINE_PATH
 os_free(config->opensc_engine_path);
+#endif /* CONFIG_OPENSC_ENGINE_PATH */
+#ifndef CONFIG_PKCS11_ENGINE_PATH
 os_free(config->pkcs11_engine_path);
+#endif /* CONFIG_PKCS11_ENGINE_PATH */
+#ifndef CONFIG_PKCS11_MODULE_PATH
 os_free(config->pkcs11_module_path);
+#endif /* CONFIG_PKCS11_MODULE_PATH */
 os_free(config->openssl_ciphers);
 os_free(config->pcsc_reader);
 str_clear_free(config->pcsc_pin);
@@ -4921,7 +4927,7 @@ static int wpa_config_process_country(const struct global_parse_data *data,
 return 0;
 }
 
-
+#ifndef CONFIG_NO_LOAD_DYNAMIC_EAP
 static int wpa_config_process_load_dynamic_eap(
 const struct global_parse_data *data, struct wpa_config *config,
 int line, const char *so)
@@ -4940,6 +4946,7 @@ static int wpa_config_process_load_dynamic_eap(
 
 return 0;
 }
+#endif /* CONFIG_NO_LOAD_DYNAMIC_EAP */
 
 
 #ifdef CONFIG_WPS
@@ -5321,9 +5328,15 @@ static const struct global_parse_data global_fields[] = {
 #endif /* CONFIG_MESH */
 { INT(disable_scan_offload), 0 },
 { INT(fast_reauth), 0 },
+#ifndef CONFIG_OPENSC_ENGINE_PATH
 { STR(opensc_engine_path), 0 },
+#endif /* CONFIG_OPENSC_ENGINE_PATH */
+#ifndef CONFIG_PKCS11_ENGINE_PATH
 { STR(pkcs11_engine_path), 0 },
+#endif /* CONFIG_PKCS11_ENGINE_PATH */
+#ifndef CONFIG_PKCS11_MODULE_PATH
 { STR(pkcs11_module_path), 0 },
+#endif /* CONFIG_PKCS11_MODULE_PATH */
 { STR(openssl_ciphers), 0 },
 { STR(pcsc_reader), 0 },
 { STR(pcsc_pin), 0 },
@@ -5335,7 +5348,9 @@ static const struct global_parse_data global_fields[] = {
 #ifndef CONFIG_NO_CONFIG_WRITE
 { INT(update_config), 0 },
 #endif /* CONFIG_NO_CONFIG_WRITE */
+#ifndef CONFIG_NO_LOAD_DYNAMIC_EAP
 { FUNC_NO_VAR(load_dynamic_eap), 0 },
+#endif /* CONFIG_NO_LOAD_DYNAMIC_EAP */
 #ifdef CONFIG_WPS
 { FUNC(uuid), CFG_CHANGED_UUID },
 { INT_RANGE(auto_uuid, 0, 1), 0 },
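Review bot: Dropping the `STR(opensc_engine_path)`, `STR(pkcs11_engine_path)` and `STR(pkcs11_module_path)` entries from `global_fields` when the path is fixed at build time means an existing wpa_supplicant.conf that still sets one of them is presumably rejected as an unknown global parameter (the lookup over `global_fields` is outside this hunk) and the daemon will not start; the same applies to `load_dynamic_eap=` under CONFIG_NO_LOAD_DYNAMIC_EAP. Failing closed is the safer choice, but it should be stated in the commit message and in the wpa_supplicant.conf documentation, and keeping the entries with a handler that rejects them with an error naming the build option would make the failure self-explanatory instead of "unknown field". Minor: the hunk at -4921 replaces one of the two blank lines between `wpa_config_process_country` and `wpa_config_process_load_dynamic_eap` with the guard, breaking this file's two-blank-line separation; keep the blank and place `#ifndef CONFIG_NO_LOAD_DYNAMIC_EAP` after it.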
diff --git a/wpa_supplicant/config.h b/wpa_supplicant/config.h
index 4886fe649..7d2b57028 100644
--- a/wpa_supplicant/config.h
+++ b/wpa_supplicant/config.h
@@ -615,6 +615,7 @@ struct wpa_config {
 */
 int fast_reauth;
 
+#ifndef CONFIG_OPENSC_ENGINE_PATH
 /**
 * opensc_engine_path - Path to the OpenSSL engine for opensc
 *
@@ -622,7 +623,9 @@ struct wpa_config {
 * engine (engine_opensc.so); if %NULL, this engine is not loaded.
 */
 char *opensc_engine_path;
+#endif /* CONFIG_OPENSC_ENGINE_PATH */
 
+#ifndef CONFIG_PKCS11_ENGINE_PATH
 /**
 * pkcs11_engine_path - Path to the OpenSSL engine for PKCS#11
 *
@@ -630,7 +633,9 @@ struct wpa_config {
 * engine (engine_pkcs11.so); if %NULL, this engine is not loaded.
 */
 char *pkcs11_engine_path;
+#endif /* CONFIG_PKCS11_ENGINE_PATH */
 
+#ifndef CONFIG_PKCS11_MODULE_PATH
 /**
 * pkcs11_module_path - Path to the OpenSSL OpenSC/PKCS#11 module
 *
@@ -639,6 +644,7 @@ struct wpa_config {
 * module is not loaded.
 */
 char *pkcs11_module_path;
+#endif /* CONFIG_PKCS11_MODULE_PATH */
 
 /**
 * openssl_ciphers - OpenSSL cipher string
diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
index 88370e88d..9a474bd83 100644
--- a/wpa_supplicant/config_file.c
+++ b/wpa_supplicant/config_file.c
@@ -1124,15 +1124,21 @@ static void wpa_config_write_global(FILE *f, struct wpa_config *config)
 config->disable_scan_offload);
 if (config->fast_reauth != DEFAULT_FAST_REAUTH)
 fprintf(f, "fast_reauth=%d\n", config->fast_reauth);
+#ifndef CONFIG_OPENSC_ENGINE_PATH
 if (config->opensc_engine_path)
 fprintf(f, "opensc_engine_path=%s\n",
 config->opensc_engine_path);
+#endif /* CONFIG_OPENSC_ENGINE_PATH */
+#ifndef CONFIG_PKCS11_ENGINE_PATH
 if (config->pkcs11_engine_path)
 fprintf(f, "pkcs11_engine_path=%s\n",
 config->pkcs11_engine_path);
+#endif /* CONFIG_PKCS11_ENGINE_PATH */
+#ifndef CONFIG_PKCS11_MODULE_PATH
 if (config->pkcs11_module_path)
 fprintf(f, "pkcs11_module_path=%s\n",
 config->pkcs11_module_path);
+#endif /* CONFIG_PKCS11_MODULE_PATH */
 if (config->openssl_ciphers)
 fprintf(f, "openssl_ciphers=%s\n", config->openssl_ciphers);
 if (config->pcsc_reader)
diff --git a/wpa_supplicant/dbus/dbus_new_handlers.c b/wpa_supplicant/dbus/dbus_new_handlers.c
index 67ce970d0..024624b3b 100644
--- a/wpa_supplicant/dbus/dbus_new_handlers.c
+++ b/wpa_supplicant/dbus/dbus_new_handlers.c
@@ -4318,11 +4318,18 @@ dbus_bool_t wpas_dbus_getter_pkcs11_engine_path(
 const struct wpa_dbus_property_desc *property_desc,
 DBusMessageIter *iter, DBusError *error, void *user_data)
 {
+
+#ifndef CONFIG_PKCS11_ENGINE_PATH
 struct wpa_supplicant *wpa_s = user_data;
 
 return wpas_dbus_string_property_getter(iter,
 wpa_s->conf->pkcs11_engine_path,
 error);
+#else
+ return wpas_dbus_string_property_getter(iter,
+ CONFIG_PKCS11_ENGINE_PATH,
+ error);
+#endif /* CONFIG_PKCS11_ENGINE_PATH */
 }
 
 
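Review bot: In the `#else` branch the D-Bus property is served straight from the macro, and under CONFIG_NO_PKCS11_ENGINE_PATH that macro is `NULL`, so `wpas_dbus_string_property_getter(iter, NULL, error)` is reached; whether that yields an empty string or a D-Bus error depends on the helper, which is outside this hunk, so please confirm it accepts NULL (the runtime branch can pass a NULL field too, so it probably does). The stray blank line added directly after `{` is not in the file's style, and the sibling getter at -4339 does not have it. A short comment on the `#else` branch, `/* path fixed at build time (or NULL when disabled); there is no runtime setting */`, would also explain why `user_data` goes unused there.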
@@ -4339,11 +4346,17 @@ dbus_bool_t wpas_dbus_getter_pkcs11_module_path(
 const struct wpa_dbus_property_desc *property_desc,
 DBusMessageIter *iter, DBusError *error, void *user_data)
 {
+#ifndef CONFIG_PKCS11_MODULE_PATH
 struct wpa_supplicant *wpa_s = user_data;
 
 return wpas_dbus_string_property_getter(iter,
 wpa_s->conf->pkcs11_module_path,
 error);
+#else
+ return wpas_dbus_string_property_getter(iter,
+ CONFIG_PKCS11_MODULE_PATH,
+ error);
+#endif /* CONFIG_PKCS11_MODULE_PATH */
 }
 
 
diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
index 93629e1f7..a742c4484 100644
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@@ -4936,10 +4936,14 @@ int wpas_set_pkcs11_engine_and_module_path(struct wpa_supplicant *wpa_s,
 }
 }
 
+#ifndef CONFIG_PKCS11_ENGINE_PATH
 os_free(wpa_s->conf->pkcs11_engine_path);
- os_free(wpa_s->conf->pkcs11_module_path);
 wpa_s->conf->pkcs11_engine_path = pkcs11_engine_path_copy;
+#endif /* CONFIG_PKCS11_ENGINE_PATH */
+#ifndef CONFIG_PKCS11_MODULE_PATH
+ os_free(wpa_s->conf->pkcs11_module_path);
 wpa_s->conf->pkcs11_module_path = pkcs11_module_path_copy;
+#endif /* CONFIG_PKCS11_MODULE_PATH */
 
 wpa_sm_set_eapol(wpa_s->wpa, NULL);
 eapol_sm_deinit(wpa_s->eapol);
diff --git a/wpa_supplicant/wpas_glue.c b/wpa_supplicant/wpas_glue.c
index c4cfca50e..11f4fe742 100644
--- a/wpa_supplicant/wpas_glue.c
+++ b/wpa_supplicant/wpas_glue.c
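Review bot: When CONFIG_PKCS11_ENGINE_PATH or CONFIG_PKCS11_MODULE_PATH is defined, the corresponding store into `wpa_s->conf` is compiled out, but `wpas_set_pkcs11_engine_and_module_path` still accepts the caller's paths and continues as if they had been applied, so a D-Bus caller is told the change succeeded while the compiled-in path stays in force; and if `pkcs11_engine_path_copy` / `pkcs11_module_path_copy` are heap duplicates made earlier in the function (as their names and the surrounding `os_free()` calls suggest; the function begins outside this hunk), the unstored copy leaks on every call. The EAPOL re-initialisation that follows also runs for nothing. I would reject the request at the top of the function, before any copy is made, with `#if defined(CONFIG_PKCS11_ENGINE_PATH) || defined(CONFIG_PKCS11_MODULE_PATH)` / `return -1; /* paths are fixed at build time */` / `#endif`, using whatever failure value the existing early-return paths use, so the caller sees an error rather than a silent no-op.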
@@ -1180,9 +1180,15 @@ int wpa_supplicant_init_eapol(struct wpa_supplicant *wpa_s)
 ctx->get_config_blob = wpa_supplicant_get_config_blob;
 #endif /* CONFIG_NO_CONFIG_BLOBS */
 ctx->aborted_cached = wpa_supplicant_aborted_cached;
+#ifndef CONFIG_OPENSC_ENGINE_PATH
 ctx->opensc_engine_path = wpa_s->conf->opensc_engine_path;
+#endif /* CONFIG_OPENSC_ENGINE_PATH */
+#ifndef CONFIG_PKCS11_ENGINE_PATH
 ctx->pkcs11_engine_path = wpa_s->conf->pkcs11_engine_path;
+#endif /* CONFIG_PKCS11_ENGINE_PATH */
+#ifndef CONFIG_PKCS11_MODULE_PATH
 ctx->pkcs11_module_path = wpa_s->conf->pkcs11_module_path;
+#endif /* CONFIG_PKCS11_MODULE_PATH */
 ctx->openssl_ciphers = wpa_s->conf->openssl_ciphers;
 ctx->wps = wpa_s->wps;
 ctx->eap_param_needed = wpa_supplicant_eap_param_needed;
--
2.40.0.348.gf938b09366-goog
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap