From patchwork Tue Apr 4 23:35:35 2023
X-Patchwork-Submitter: David Ruth
X-Patchwork-Id: 1765240
From: David Ruth
To: hostap
Cc: David Ruth
Subject: [PATCH] Compile-time config for libraries.
Date: Tue, 4 Apr 2023 23:35:35 +0000
Message-Id: <20230404233535.3084185-1-druth@chromium.org>
X-Mailer: git-send-email 2.40.0.348.gf938b09366-goog
Prevent loading arbitrary executable code based on config at runtime,
while allowing libraries to be specified at compile time when they are
known in advance.

* Add the ability to configure libraries to load at compile time.
  * CONFIG_PKCS11_ENGINE_PATH - pkcs11_engine library location.
  * CONFIG_PKCS11_MODULE_PATH - pkcs11_module library location.
  * CONFIG_OPENSC_ENGINE_PATH - opensc_engine library location.
* Add flags with the ability to set each of the libraries to NULL and
  prevent loading them at runtime.
  * CONFIG_NO_PKCS11_ENGINE_PATH - prevents loading pkcs11_engine library.
  * CONFIG_NO_PKCS11_MODULE_PATH - prevents loading pkcs11_module library.
  * CONFIG_NO_OPENSC_ENGINE_PATH - prevents loading opensc_engine library.
  * CONFIG_NO_LOAD_DYNAMIC_EAP - prevents loading eap libraries at runtime.
Signed-off-by: David Ruth
---
 src/crypto/tls.h                        |  6 +++++
 src/crypto/tls_openssl.c                | 26 ++++++++++++++++-----
 src/eap_peer/eap.c                      |  6 +++++
 src/eapol_supp/eapol_supp_sm.c          |  6 +++++
 src/eapol_supp/eapol_supp_sm.h          |  6 +++++
 wpa_supplicant/Makefile                 | 30 +++++++++++++++++++++++++
 wpa_supplicant/config.c                 | 17 +++++++++++++-
 wpa_supplicant/config.h                 |  6 +++++
 wpa_supplicant/config_file.c            |  6 +++++
 wpa_supplicant/dbus/dbus_new_handlers.c | 13 +++++++++++
 wpa_supplicant/wpa_supplicant.c         |  6 ++++-
 wpa_supplicant/wpas_glue.c              |  6 +++++
 12 files changed, 126 insertions(+), 8 deletions(-)

diff --git a/src/crypto/tls.h b/src/crypto/tls.h index 7bed1830a..f839f9dfb 100644 --- a/src/crypto/tls.h +++ b/src/crypto/tls.h @@ -80,9 +80,15 @@ union tls_event_data { }; struct tls_config { +#ifndef CONFIG_OPENSC_ENGINE_PATH const char *opensc_engine_path; +#endif /* CONFIG_OPENSC_ENGINE_PATH */ +#ifndef CONFIG_PKCS11_ENGINE_PATH const char *pkcs11_engine_path; +#endif /* CONFIG_PKCS11_ENGINE_PATH */ +#ifndef CONFIG_PKCS11_MODULE_PATH const char *pkcs11_module_path; +#endif /* CONFIG_PKCS11_MODULE_PATH */ int fips_mode; int cert_in_cb; const char *openssl_ciphers; diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c index fe38fa754..4b9b0ae1c 100644 --- a/src/crypto/tls_openssl.c +++ b/src/crypto/tls_openssl.c
@@ -1134,12 +1134,26 @@ void * tls_init(const struct tls_config *conf) wpa_printf(MSG_DEBUG, "ENGINE: Loading builtin engines"); ENGINE_load_builtin_engines(); - if (conf && - (conf->opensc_engine_path || conf->pkcs11_engine_path || - conf->pkcs11_module_path)) { - if (tls_engine_load_dynamic_opensc(conf->opensc_engine_path) || - tls_engine_load_dynamic_pkcs11(conf->pkcs11_engine_path, - conf->pkcs11_module_path)) { +#ifdef CONFIG_OPENSC_ENGINE_PATH + char const * const opensc_engine_path = CONFIG_OPENSC_ENGINE_PATH; +#else + char const * const opensc_engine_path = (conf) ? conf->opensc_engine_path: NULL; +#endif /* CONFIG_OPENSC_ENGINE_PATH */ +#ifdef CONFIG_PKCS11_ENGINE_PATH + char const * const pkcs11_engine_path = CONFIG_PKCS11_ENGINE_PATH; +#else + char const * const pkcs11_engine_path = (conf) ? conf->pkcs11_engine_path: NULL; +#endif /* CONFIG_PKCS11_ENGINE_PATH */ +#ifdef CONFIG_PKCS11_MODULE_PATH + char const * const pkcs11_module_path = CONFIG_PKCS11_MODULE_PATH; +#else + char const * const pkcs11_module_path = (conf) ? conf->pkcs11_module_path : NULL; +#endif /* CONFIG_PKCS11_MODULE_PATH */ + + if (opensc_engine_path || pkcs11_engine_path || pkcs11_module_path) { + if (tls_engine_load_dynamic_opensc(opensc_engine_path) || + tls_engine_load_dynamic_pkcs11(pkcs11_engine_path, + pkcs11_module_path)) { tls_deinit(data); return NULL; } diff --git a/src/eap_peer/eap.c b/src/eap_peer/eap.c index d07060213..18b8e5f43 100644 --- a/src/eap_peer/eap.c +++ b/src/eap_peer/eap.c 
@@ -2216,9 +2216,15 @@ struct eap_sm * eap_peer_sm_init(void *eapol_ctx, dl_list_init(&sm->erp_keys); os_memset(&tlsconf, 0, sizeof(tlsconf)); +#ifndef CONFIG_OPENSC_ENGINE_PATH tlsconf.opensc_engine_path = conf->opensc_engine_path; +#endif /* CONFIG_OPENSC_ENGINE_PATH */ +#ifndef CONFIG_PKCS11_ENGINE_PATH tlsconf.pkcs11_engine_path = conf->pkcs11_engine_path; +#endif /* CONFIG_PKCS11_ENGINE_PATH */ +#ifndef CONFIG_PKCS11_MODULE_PATH tlsconf.pkcs11_module_path = conf->pkcs11_module_path; +#endif /* CONFIG_PKCS11_MODULE_PATH */ tlsconf.openssl_ciphers = conf->openssl_ciphers; #ifdef CONFIG_FIPS tlsconf.fips_mode = 1; diff --git a/src/eapol_supp/eapol_supp_sm.c b/src/eapol_supp/eapol_supp_sm.c index 0bfe3c970..abc1416a3 100644 --- a/src/eapol_supp/eapol_supp_sm.c +++ b/src/eapol_supp/eapol_supp_sm.c @@ -2136,9 +2136,15 @@ struct eapol_sm *eapol_sm_init(struct eapol_ctx *ctx) sm->authPeriod = 30; os_memset(&conf, 0, sizeof(conf)); +#ifndef CONFIG_OPENSC_ENGINE_PATH conf.opensc_engine_path = ctx->opensc_engine_path; +#endif /* CONFIG_OPENSC_ENGINE_PATH */ +#ifndef CONFIG_PKCS11_ENGINE_PATH conf.pkcs11_engine_path = ctx->pkcs11_engine_path; +#endif /* CONFIG_PKCS11_ENGINE_PATH */ +#ifndef CONFIG_PKCS11_MODULE_PATH conf.pkcs11_module_path = ctx->pkcs11_module_path; +#endif /* CONFIG_PKCS11_MODULE_PATH */ conf.openssl_ciphers = ctx->openssl_ciphers; conf.wps = ctx->wps; conf.cert_in_cb = ctx->cert_in_cb; diff --git a/src/eapol_supp/eapol_supp_sm.h b/src/eapol_supp/eapol_supp_sm.h index 2b1aeff88..870ba1d02 100644 --- a/src/eapol_supp/eapol_supp_sm.h +++ b/src/eapol_supp/eapol_supp_sm.h @@ -188,6 +188,7 @@ struct eapol_ctx { */ void (*aborted_cached)(void *ctx); +#ifndef CONFIG_OPENSC_ENGINE_PATH /** * opensc_engine_path - Path to the OpenSSL engine for opensc * 
@@ -195,7 +196,9 @@ struct eapol_ctx { * engine (engine_opensc.so); if %NULL, this engine is not loaded. */ const char *opensc_engine_path; +#endif /* CONFIG_OPENSC_ENGINE_PATH */ +#ifndef CONFIG_PKCS11_ENGINE_PATH /** * pkcs11_engine_path - Path to the OpenSSL engine for PKCS#11 * @@ -203,7 +206,9 @@ struct eapol_ctx { * engine (engine_pkcs11.so); if %NULL, this engine is not loaded. */ const char *pkcs11_engine_path; +#endif /* CONFIG_PKCS11_ENGINE_PATH */ +#ifndef CONFIG_PKCS11_MODULE_PATH /** * pkcs11_module_path - Path to the OpenSSL OpenSC/PKCS#11 module * @@ -212,6 +217,7 @@ struct eapol_ctx { * module is not loaded. */ const char *pkcs11_module_path; +#endif /* CONFIG_PKCS11_MODULE_PATH */ /** * openssl_ciphers - OpenSSL cipher string diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile index 57620fe79..0acd1091d 100644 --- a/wpa_supplicant/Makefile +++ b/wpa_supplicant/Makefile @@ -445,6 +445,36 @@ ifdef CONFIG_NO_ROAMING CFLAGS += -DCONFIG_NO_ROAMING endif +ifdef CONFIG_OPENSC_ENGINE_PATH +CFLAGS += -DCONFIG_OPENSC_ENGINE_PATH=\"$(CONFIG_OPENSC_ENGINE_PATH)\" +endif + +ifdef CONFIG_NO_OPENSC_ENGINE_PATH +CFLAGS += -DCONFIG_OPENSC_ENGINE_PATH=NULL +endif + +ifdef CONFIG_PKCS11_ENGINE_PATH +CFLAGS += -DCONFIG_PKCS11_ENGINE_PATH=\"$(CONFIG_PKCS11_ENGINE_PATH)\" +endif + +ifdef CONFIG_NO_PKCS11_ENGINE_PATH +CFLAGS += -DCONFIG_PKCS11_ENGINE_PATH=NULL +endif + + +ifdef CONFIG_PKCS11_MODULE_PATH +CFLAGS += -DCONFIG_PKCS11_MODULE_PATH=\"$(CONFIG_PKCS11_MODULE_PATH)\" +endif + +ifdef CONFIG_NO_PKCS11_MODULE_PATH +CFLAGS += -DCONFIG_PKCS11_MODULE_PATH=NULL +endif + + +ifdef CONFIG_NO_LOAD_DYNAMIC_EAP +CFLAGS += -DCONFIG_NO_LOAD_DYNAMIC_EAP +endif + include ../src/drivers/drivers.mak ifdef CONFIG_AP OBJS_d += $(DRV_BOTH_OBJS) diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c index 5c57427af..8ac1eb5d3 100644 --- a/wpa_supplicant/config.c +++ b/wpa_supplicant/config.c 
@@ -3006,9 +3006,15 @@ void wpa_config_free(struct wpa_config *config) wpabuf_free(config->wps_vendor_ext[i]); os_free(config->ctrl_interface); os_free(config->ctrl_interface_group); +#ifndef CONFIG_OPENSC_ENGINE_PATH os_free(config->opensc_engine_path); +#endif /* CONFIG_OPENSC_ENGINE_PATH */ +#ifndef CONFIG_PKCS11_ENGINE_PATH os_free(config->pkcs11_engine_path); +#endif /* CONFIG_PKCS11_ENGINE_PATH */ +#ifndef CONFIG_PKCS11_MODULE_PATH os_free(config->pkcs11_module_path); +#endif /* CONFIG_PKCS11_MODULE_PATH */ os_free(config->openssl_ciphers); os_free(config->pcsc_reader); str_clear_free(config->pcsc_pin); @@ -4921,7 +4927,7 @@ static int wpa_config_process_country(const struct global_parse_data *data, return 0; } - +#ifndef CONFIG_NO_LOAD_DYNAMIC_EAP static int wpa_config_process_load_dynamic_eap( const struct global_parse_data *data, struct wpa_config *config, int line, const char *so) @@ -4940,6 +4946,7 @@ static int wpa_config_process_load_dynamic_eap( return 0; } +#endif /* CONFIG_NO_LOAD_DYNAMIC_EAP */ #ifdef CONFIG_WPS @@ -5321,9 +5328,15 @@ static const struct global_parse_data global_fields[] = { #endif /* CONFIG_MESH */ { INT(disable_scan_offload), 0 }, { INT(fast_reauth), 0 }, +#ifndef CONFIG_OPENSC_ENGINE_PATH { STR(opensc_engine_path), 0 }, +#endif /* CONFIG_OPENSC_ENGINE_PATH */ +#ifndef CONFIG_PKCS11_ENGINE_PATH { STR(pkcs11_engine_path), 0 }, +#endif /* CONFIG_PKCS11_ENGINE_PATH */ +#ifndef CONFIG_PKCS11_MODULE_PATH { STR(pkcs11_module_path), 0 }, +#endif /* CONFIG_PKCS11_MODULE_PATH */ { STR(openssl_ciphers), 0 }, { STR(pcsc_reader), 0 }, { STR(pcsc_pin), 0 }, @@ -5335,7 +5348,9 @@ static const struct global_parse_data global_fields[] = { #ifndef CONFIG_NO_CONFIG_WRITE { INT(update_config), 0 }, #endif /* CONFIG_NO_CONFIG_WRITE */ +#ifndef CONFIG_NO_LOAD_DYNAMIC_EAP { FUNC_NO_VAR(load_dynamic_eap), 0 }, +#endif /* CONFIG_NO_LOAD_DYNAMIC_EAP */ #ifdef CONFIG_WPS { FUNC(uuid), CFG_CHANGED_UUID }, { INT_RANGE(auto_uuid, 0, 1), 0 }, 
diff --git a/wpa_supplicant/config.h b/wpa_supplicant/config.h index 4886fe649..7d2b57028 100644 --- a/wpa_supplicant/config.h +++ b/wpa_supplicant/config.h @@ -615,6 +615,7 @@ struct wpa_config { */ int fast_reauth; +#ifndef CONFIG_OPENSC_ENGINE_PATH /** * opensc_engine_path - Path to the OpenSSL engine for opensc * @@ -622,7 +623,9 @@ struct wpa_config { * engine (engine_opensc.so); if %NULL, this engine is not loaded. */ char *opensc_engine_path; +#endif /* CONFIG_OPENSC_ENGINE_PATH */ +#ifndef CONFIG_PKCS11_ENGINE_PATH /** * pkcs11_engine_path - Path to the OpenSSL engine for PKCS#11 * @@ -630,7 +633,9 @@ struct wpa_config { * engine (engine_pkcs11.so); if %NULL, this engine is not loaded. */ char *pkcs11_engine_path; +#endif /* CONFIG_PKCS11_ENGINE_PATH */ +#ifndef CONFIG_PKCS11_MODULE_PATH /** * pkcs11_module_path - Path to the OpenSSL OpenSC/PKCS#11 module * @@ -639,6 +644,7 @@ struct wpa_config { * module is not loaded. */ char *pkcs11_module_path; +#endif /* CONFIG_PKCS11_MODULE_PATH */ /** * openssl_ciphers - OpenSSL cipher string diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c index 88370e88d..9a474bd83 100644 --- a/wpa_supplicant/config_file.c +++ b/wpa_supplicant/config_file.c 
@@ -1124,15 +1124,21 @@ static void wpa_config_write_global(FILE *f, struct wpa_config *config) config->disable_scan_offload); if (config->fast_reauth != DEFAULT_FAST_REAUTH) fprintf(f, "fast_reauth=%d\n", config->fast_reauth); +#ifndef CONFIG_OPENSC_ENGINE_PATH if (config->opensc_engine_path) fprintf(f, "opensc_engine_path=%s\n", config->opensc_engine_path); +#endif /* CONFIG_OPENSC_ENGINE_PATH */ +#ifndef CONFIG_PKCS11_ENGINE_PATH if (config->pkcs11_engine_path) fprintf(f, "pkcs11_engine_path=%s\n", config->pkcs11_engine_path); +#endif /* CONFIG_PKCS11_ENGINE_PATH */ +#ifndef CONFIG_PKCS11_MODULE_PATH if (config->pkcs11_module_path) fprintf(f, "pkcs11_module_path=%s\n", config->pkcs11_module_path); +#endif /* CONFIG_PKCS11_MODULE_PATH */ if (config->openssl_ciphers) fprintf(f, "openssl_ciphers=%s\n", config->openssl_ciphers); if (config->pcsc_reader) diff --git a/wpa_supplicant/dbus/dbus_new_handlers.c b/wpa_supplicant/dbus/dbus_new_handlers.c index 67ce970d0..024624b3b 100644 --- a/wpa_supplicant/dbus/dbus_new_handlers.c +++ b/wpa_supplicant/dbus/dbus_new_handlers.c @@ -4318,11 +4318,18 @@ dbus_bool_t wpas_dbus_getter_pkcs11_engine_path( const struct wpa_dbus_property_desc *property_desc, DBusMessageIter *iter, DBusError *error, void *user_data) { + +#ifndef CONFIG_PKCS11_ENGINE_PATH struct wpa_supplicant *wpa_s = user_data; return wpas_dbus_string_property_getter(iter, wpa_s->conf->pkcs11_engine_path, error); +#else + return wpas_dbus_string_property_getter(iter, + CONFIG_PKCS11_ENGINE_PATH, + error); +#endif /* CONFIG_PKCS11_ENGINE_PATH */ } 
@@ -4339,11 +4346,17 @@ dbus_bool_t wpas_dbus_getter_pkcs11_module_path( const struct wpa_dbus_property_desc *property_desc, DBusMessageIter *iter, DBusError *error, void *user_data) { +#ifndef CONFIG_PKCS11_MODULE_PATH struct wpa_supplicant *wpa_s = user_data; return wpas_dbus_string_property_getter(iter, wpa_s->conf->pkcs11_module_path, error); +#else + return wpas_dbus_string_property_getter(iter, + CONFIG_PKCS11_MODULE_PATH, + error); +#endif /* CONFIG_PKCS11_MODULE_PATH */ } diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c index 93629e1f7..a742c4484 100644 --- a/wpa_supplicant/wpa_supplicant.c +++ b/wpa_supplicant/wpa_supplicant.c @@ -4936,10 +4936,14 @@ int wpas_set_pkcs11_engine_and_module_path(struct wpa_supplicant *wpa_s, } } +#ifndef CONFIG_PKCS11_ENGINE_PATH os_free(wpa_s->conf->pkcs11_engine_path); - os_free(wpa_s->conf->pkcs11_module_path); wpa_s->conf->pkcs11_engine_path = pkcs11_engine_path_copy; +#endif /* CONFIG_PKCS11_ENGINE_PATH */ +#ifndef CONFIG_PKCS11_MODULE_PATH + os_free(wpa_s->conf->pkcs11_module_path); wpa_s->conf->pkcs11_module_path = pkcs11_module_path_copy; +#endif /* CONFIG_PKCS11_MODULE_PATH */ wpa_sm_set_eapol(wpa_s->wpa, NULL); eapol_sm_deinit(wpa_s->eapol); diff --git a/wpa_supplicant/wpas_glue.c b/wpa_supplicant/wpas_glue.c index c4cfca50e..11f4fe742 100644 --- a/wpa_supplicant/wpas_glue.c +++ b/wpa_supplicant/wpas_glue.c 
@@ -1180,9 +1180,15 @@ int wpa_supplicant_init_eapol(struct wpa_supplicant *wpa_s) ctx->get_config_blob = wpa_supplicant_get_config_blob; #endif /* CONFIG_NO_CONFIG_BLOBS */ ctx->aborted_cached = wpa_supplicant_aborted_cached; +#ifndef CONFIG_OPENSC_ENGINE_PATH ctx->opensc_engine_path = wpa_s->conf->opensc_engine_path; +#endif /* CONFIG_OPENSC_ENGINE_PATH */ +#ifndef CONFIG_PKCS11_ENGINE_PATH ctx->pkcs11_engine_path = wpa_s->conf->pkcs11_engine_path; +#endif /* CONFIG_PKCS11_ENGINE_PATH */ +#ifndef CONFIG_PKCS11_MODULE_PATH ctx->pkcs11_module_path = wpa_s->conf->pkcs11_module_path; +#endif /* CONFIG_PKCS11_MODULE_PATH */ ctx->openssl_ciphers = wpa_s->conf->openssl_ciphers; ctx->wps = wpa_s->wps; ctx->eap_param_needed = wpa_supplicant_eap_param_needed;
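
Review bot: in the tls_openssl.c hunk of tls_init(), the new `char const * const opensc_engine_path = ...` declarations sit after the `ENGINE_load_builtin_engines();` statement, i.e. declarations mixed into the middle of a block, where the surrounding code keeps declarations at the top; hoist the three locals to the start of the block and use the file's own `const char *` spelling. The three `#else` branches are also formatted inconsistently (`conf->opensc_engine_path: NULL` versus `conf->pkcs11_module_path : NULL`). A short comment next to the `#ifdef` would help too, because the Makefile's CONFIG_NO_* variants define the same macro as `NULL`, so a reader of this file alone cannot see why the compile-time branch can yield a NULL path and why the `if (opensc_engine_path || ...)` test below still matters.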
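
Review bot: the Makefile hunk does not guard against CONFIG_OPENSC_ENGINE_PATH and CONFIG_NO_OPENSC_ENGINE_PATH (or either PKCS11 pair) both being set in .config; in that case CFLAGS carries two `-DCONFIG_OPENSC_ENGINE_PATH=` definitions of the same macro, the compiler warns about a redefinition and whichever comes last silently wins. An `$(error ...)` for the conflicting combination would make the build fail loudly instead. The path value is also interpolated unescaped inside `\"$(CONFIG_OPENSC_ENGINE_PATH)\"`, so a value containing a double quote or backslash breaks the compile line. Finally, none of the seven new options is described in wpa_supplicant/defconfig, where every other CONFIG_* build option is documented; please add entries there, and note that the NO_ variants also remove the corresponding global config parameter rather than just forcing it to NULL. The double blank lines between the blocks should be collapsed to one.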
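
Review bot: in the config.c hunk, compiling the `{ STR(opensc_engine_path), 0 },` and `{ FUNC_NO_VAR(load_dynamic_eap), 0 },` entries out of global_fields[] changes the failure mode for existing configurations: a wpa_supplicant.conf that still contains `opensc_engine_path=...` or `load_dynamic_eap=...` is now rejected as an unknown global field, so the config file fails to load and the daemon does not start, and a `SET` of those parameters over the control interface fails the same way because it goes through the same table. Failing closed is a reasonable choice for this hardening, but it is a behaviour change that the commit message should state explicitly so that people building with the NO_ options know to clean their configs.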
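
Review bot: in the dbus_new_handlers.c hunks, the `#else` branch of wpas_dbus_getter_pkcs11_engine_path() and wpas_dbus_getter_pkcs11_module_path() passes the macro straight to wpas_dbus_string_property_getter(), and in a CONFIG_NO_PKCS11_*_PATH build that macro expands to NULL; please confirm that the getter's handling of a NULL value is what you want reported to D-Bus clients for a library that can never be loaded, and say so in the commit message. The stray blank line added after the opening `{` of the first getter should also go.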
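
Review bot: in the wpa_supplicant.c hunk of wpas_set_pkcs11_engine_and_module_path(), only the stores into `wpa_s->conf` are compiled out; the diffstat shows this hunk is the file's only change, so the earlier allocation of `pkcs11_engine_path_copy` and `pkcs11_module_path_copy` still runs and those copies are leaked on every call when the corresponding macro is defined, and the function still tears down and reinitialises EAPOL as if the paths had changed. Since the D-Bus SetPkcs11EngineAndModulePath handler is the caller, it would be cleaner to return an error (or compile the whole method out) when a path is fixed at compile time, so callers learn the request is not honoured, and to drop the unused copies.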