Description: only load libraries from trusted path
Author: Marc Deslauriers <marc.deslauriers@canonical.com>
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/wpa/+bug/2067613
--- wpa-2.10.orig/src/crypto/tls_openssl.c
+++ wpa-2.10/src/crypto/tls_openssl.c
@@ -862,6 +862,7 @@ static int tls_engine_load_dynamic_gener
return 0;
}
+#define TRUSTED_PATH "/usr/lib/"
/**
* tls_engine_load_dynamic_pkcs11 - load the pkcs11 engine provided by opensc
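Review bot: The new `TRUSTED_PATH` define has no comment saying what it gates or why the trailing slash matters, and both are easy to break in a later edit. I would put above it `/* Engine and PKCS#11 module paths are accepted only if realpath() resolves them under this prefix; the trailing '/' keeps /usr/lib64 or /usr/libexec from matching. */`. The check is only as strong as the permissions on that tree, so it presumably relies on /usr/lib being writable by root alone, which is worth stating in the same comment. The doc comment that follows the define belongs to tls_engine_load_dynamic_pkcs11 and continues outside the hunk.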
@@ -871,6 +872,8 @@ static int tls_engine_load_dynamic_gener
static int tls_engine_load_dynamic_pkcs11(const char *pkcs11_so_path,
const char *pkcs11_module_path)
{
+ char real_pkcs11_so_path[PATH_MAX];
+ char real_pkcs11_module_path[PATH_MAX];
char *engine_id = "pkcs11";
const char *pre_cmd[] = {
"SO_PATH", NULL /* pkcs11_so_path */,
@@ -888,15 +891,47 @@ static int tls_engine_load_dynamic_pkcs1
if (!pkcs11_so_path)
return 0;
- pre_cmd[1] = pkcs11_so_path;
+ if (realpath(pkcs11_so_path, real_pkcs11_so_path) == NULL) {
+ wpa_printf(MSG_INFO, "ENGINE: Failed to load pkcs11 Engine from %s: realpath: %s",
+ pkcs11_so_path,
+ strerror(errno));
+ return -1;
+ }
+
+ if (strncmp(TRUSTED_PATH, real_pkcs11_so_path, strlen(TRUSTED_PATH)) != 0) {
+ wpa_printf(MSG_INFO, "ENGINE: Failed to load pkcs11 Engine from %s: Not in trusted path %s",
+ pkcs11_so_path,
+ TRUSTED_PATH);
+ return -1;
+ }
+
+ pre_cmd[1] = real_pkcs11_so_path;
pre_cmd[3] = engine_id;
- if (pkcs11_module_path)
- post_cmd[1] = pkcs11_module_path;
- else
- post_cmd[0] = NULL;
- wpa_printf(MSG_DEBUG, "ENGINE: Loading pkcs11 Engine from %s",
- pkcs11_so_path);
+ if (pkcs11_module_path) {
+ if (realpath(pkcs11_module_path, real_pkcs11_module_path) == NULL) {
+ wpa_printf(MSG_INFO, "ENGINE: Failed to load pkcs11 Module from %s: realpath: %s",
+ pkcs11_module_path,
+ strerror(errno));
+ return -1;
+ }
+
+ if (strncmp(TRUSTED_PATH, real_pkcs11_module_path, strlen(TRUSTED_PATH)) != 0) {
+ wpa_printf(MSG_INFO, "ENGINE: Failed to load pkcs11 Module from %s: Not in trusted path %s",
+ pkcs11_module_path,
+ TRUSTED_PATH);
+ return -1;
+ }
+
+ wpa_printf(MSG_DEBUG, "ENGINE: Loading pkcs11 Engine from %s with module %s",
+ real_pkcs11_so_path, real_pkcs11_module_path);
+
+ post_cmd[1] = real_pkcs11_module_path;
+ } else {
+ wpa_printf(MSG_DEBUG, "ENGINE: Loading pkcs11 Engine from %s",
+ real_pkcs11_so_path);
+ post_cmd[0] = NULL;
+ }
return tls_engine_load_dynamic_generic(pre_cmd, post_cmd, engine_id);
}
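Review bot: The realpath() plus prefix-compare sequence is written out twice in this hunk (engine path, then module path) and a third time in the tls_engine_load_dynamic_opensc hunk below, so any later fix to the check has to be made in three places. A single static helper that resolves the path, compares it against TRUSTED_PATH and logs the failure would keep the policy in one spot; the callers then only pass the resolved buffer on, which is what this patch already does. Separately, the "Not in trusted path" rejection is the event an operator would want to notice, so consider logging it at `MSG_WARNING` rather than `MSG_INFO`. The sketch below keeps the existing messages and levels.

```c
/* Resolve path and require the result to lie under TRUSTED_PATH.
 * resolved must hold PATH_MAX bytes. Returns 0 on success, -1 otherwise. */
static int tls_engine_trusted_path(const char *what, const char *path,
				   char *resolved)
{
	if (realpath(path, resolved) == NULL) {
		wpa_printf(MSG_INFO,
			   "ENGINE: Failed to load %s from %s: realpath: %s",
			   what, path, strerror(errno));
		return -1;
	}

	if (strncmp(TRUSTED_PATH, resolved, strlen(TRUSTED_PATH)) != 0) {
		wpa_printf(MSG_INFO,
			   "ENGINE: Failed to load %s from %s: Not in trusted path %s",
			   what, path, TRUSTED_PATH);
		return -1;
	}

	return 0;
}

	/* … unchanged: buffers, pre_cmd/post_cmd setup, NULL check on pkcs11_so_path … */
	if (tls_engine_trusted_path("pkcs11 Engine", pkcs11_so_path,
				    real_pkcs11_so_path) < 0)
		return -1;

	pre_cmd[1] = real_pkcs11_so_path;
	pre_cmd[3] = engine_id;
	if (pkcs11_module_path) {
		if (tls_engine_trusted_path("pkcs11 Module", pkcs11_module_path,
					    real_pkcs11_module_path) < 0)
			return -1;
		/* … unchanged: debug log and post_cmd[1] assignment … */
	}
	/* … unchanged: else branch and tls_engine_load_dynamic_generic call … */
```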
@@ -908,6 +943,7 @@ static int tls_engine_load_dynamic_pkcs1
*/
static int tls_engine_load_dynamic_opensc(const char *opensc_so_path)
{
+ char real_opensc_so_path[PATH_MAX];
char *engine_id = "opensc";
const char *pre_cmd[] = {
"SO_PATH", NULL /* opensc_so_path */,
@@ -920,11 +956,25 @@ static int tls_engine_load_dynamic_opens
if (!opensc_so_path)
return 0;
- pre_cmd[1] = opensc_so_path;
+ if (realpath(opensc_so_path, real_opensc_so_path) == NULL) {
+ wpa_printf(MSG_INFO, "ENGINE: Failed to load OpenSC Engine from %s: realpath: %s",
+ opensc_so_path,
+ strerror(errno));
+ return -1;
+ }
+
+ if (strncmp(TRUSTED_PATH, real_opensc_so_path, strlen(TRUSTED_PATH)) != 0) {
+ wpa_printf(MSG_INFO, "ENGINE: Failed to load OpenSC Engine from %s: Not in trusted path %s",
+ opensc_so_path,
+ TRUSTED_PATH);
+ return -1;
+ }
+
+ pre_cmd[1] = real_opensc_so_path;
pre_cmd[3] = engine_id;
wpa_printf(MSG_DEBUG, "ENGINE: Loading OpenSC Engine from %s",
- opensc_so_path);
+ real_opensc_so_path);
return tls_engine_load_dynamic_generic(pre_cmd, NULL, engine_id);
}