From a43a3c22e8796a61988034eb3ac912c083e8f1c1 Mon Sep 17 00:00:00 2001 From: Veeraj Khokale Date: Wed, 25 Apr 2018 19:16:53 +0530 Subject: [PATCH] Disable TCP server role TCP server is used only in client role to connect to cloud server. A critical vulnerability is reported when ifw-thing process in TV connects to other device via TCP(D2D) which can compromise the Policy engine. Therefore disable TCP server role based on build configuration. https://github.sec.samsung.net/RS7-IOTIVITY/IoTivity/pull/286 (cherry picked from commit fbd41449a05001403bcf60169a3c780d97001e7a) Change-Id: If8437048cf4f4065643e6c4aae0be8f6f1782ed0 Signed-off-by: Veeraj Khokale Signed-off-by: DoHyun Pyun --- build_common/SConscript | 4 ++++ packaging/iotivity.spec | 3 +++ resource/csdk/connectivity/SConscript | 7 +++++++ resource/csdk/connectivity/build/SConscript | 1 + resource/csdk/connectivity/build/tizen/scons/SConscript | 5 +++++ resource/csdk/connectivity/src/tcp_adapter/catcpadapter.c | 5 ++++- resource/csdk/connectivity/src/tcp_adapter/catcpserver.c | 8 ++++++++ resource/csdk/stack/include/ocpayload.h | 2 +- resource/csdk/stack/samples/tizen/SimpleClientServer/SConscript | 1 + resource/csdk/stack/samples/tizen/build/scons/SConscript | 3 +++ resource/csdk/stack/src/ocpayload.c | 6 +++--- resource/csdk/stack/src/ocresource.c | 4 ++-- .../sampleapp/enrollee/tizen-sdb/EnrolleeSample/build/SConscript | 1 + tools/tizen/iotivity-vd-tv-es-tizen30.spec | 3 +++ tools/tizen/iotivity-vd-tv-tizen30.spec | 3 +++ 15 files changed, 49 insertions(+), 7 deletions(-) diff --git a/build_common/SConscript b/build_common/SConscript index 95268aa..3d2404c 100644 --- a/build_common/SConscript +++ b/build_common/SConscript @@ -96,6 +96,7 @@ help_vars.Add(EnumVariable('TARGET_OS', 'Target platform', host, host_target_map help_vars.Add(BoolVariable('WITH_RA', 'Build with Remote Access module', False)) help_vars.Add(BoolVariable('WITH_TCP', 'Build with TCP adapter', False)) +help_vars.Add(BoolVariable('DISABLE_TCP_SERVER', 'Disable TCP server', False)) help_vars.Add(BoolVariable('WITH_PROXY', 'Build with CoAP-HTTP Proxy', False)) help_vars.Add(ListVariable('WITH_MQ', 'Build with MQ publisher/broker', 'OFF', ['OFF', 'SUB', 'PUB', 'BROKER'])) help_vars.Add(BoolVariable('WITH_CLOUD', 'Build including AccountManager class and Cloud Client sample', False)) @@ -354,6 +355,9 @@ if env.get('WITH_TCP'): if env.get('SECURED') == '1': defines.append('-D__WITH_TLS__=1') +if env.get('DISABLE_TCP_SERVER'): + defines.append('-DDISABLE_TCP_SERVER=1') + libs = [] if env.get('SECURED') == '1': defines.append('-D__WITH_DTLS__=1') diff --git a/packaging/iotivity.spec b/packaging/iotivity.spec index 3d2c0e6..f0494d7 100755 --- a/packaging/iotivity.spec +++ b/packaging/iotivity.spec @@ -85,6 +85,7 @@ Source1002: %{name}-test.manifest %{!?WITH_MQ: %define WITH_MQ OFF} %{!?WITH_PROXY: %define WITH_PROXY 0} %{!?WITH_TCP: %define WITH_TCP 1} +%{!?DISABLE_TCP_SERVER: %define DISABLE_TCP_SERVER 1} %{!?RD_MODE: %define RD_MODE CLIENT} %{!?BLE_CUSTOM_ADV: %define BLE_CUSTOM_ADV False} %{!?BLE_DIVISION: %define BLE_DIVISION VD} @@ -180,6 +181,7 @@ scons %{JOB} --prefix=%{_prefix} \ WITH_MQ=%{WITH_MQ} \ WITH_PROXY=%{WITH_PROXY} \ WITH_TCP=%{WITH_TCP} \ + DISABLE_TCP_SERVER=%{DISABLE_TCP_SERVER} \ RD_MODE=%{RD_MODE} \ BLE_CUSTOM_ADV=%{BLE_CUSTOM_ADV} \ BLE_DIVISION=%{BLE_DIVISION} \ @@ -212,6 +214,7 @@ scons install --install-sandbox=%{buildroot} --prefix=%{_prefix} \ WITH_MQ=%{WITH_MQ} \ WITH_PROXY=%{WITH_PROXY} \ WITH_TCP=%{WITH_TCP} \ + DISABLE_TCP_SERVER=%{DISABLE_TCP_SERVER} \ RD_MODE=%{RD_MODE} \ BLE_CUSTOM_ADV=%{BLE_CUSTOM_ADV} \ BLE_DIVISION=%{BLE_DIVISION} \ diff --git a/resource/csdk/connectivity/SConscript b/resource/csdk/connectivity/SConscript index 16f1377..a38cdbc 100644 --- a/resource/csdk/connectivity/SConscript +++ b/resource/csdk/connectivity/SConscript @@ -9,6 +9,7 @@ transport = env.get('TARGET_TRANSPORT') build_sample = env.get('BUILD_SAMPLE') with_ra = env.get('WITH_RA') with_tcp = env.get('WITH_TCP') +disable_tcp_server = env.get('DISABLE_TCP_SERVER') with_mq = env.get('WITH_MQ') ble_custom_adv = env.get('BLE_CUSTOM_ADV') @@ -30,6 +31,8 @@ if 'ALL' in transport: env.AppendUnique(CPPDEFINES = ['RA_ADAPTER']) if with_tcp == True: env.AppendUnique(CPPDEFINES = ['TCP_ADAPTER']) + if disable_tcp_server == True: + env.AppendUnique(CPPDEFINES = ['DISABLE_TCP_SERVER']) if target_os in ['linux']: env.AppendUnique(CPPDEFINES = ['IP_ADAPTER','NO_EDR_ADAPTER','LE_ADAPTER']) elif target_os == 'tizen': @@ -81,6 +84,10 @@ else: else: env.AppendUnique(CPPDEFINES = ['NO_TCP_ADAPTER']) + if disable_tcp_server == True: + if target_os in ['linux', 'tizen', 'android', 'arduino', 'ios', 'tizenrt']: + env.AppendUnique(CPPDEFINES = ['DISABLE_TCP_SERVER']) + if 'NFC' in transport: if target_os in['android']: env.AppendUnique(CPPDEFINES = ['NFC_ADAPTER']) diff --git a/resource/csdk/connectivity/build/SConscript b/resource/csdk/connectivity/build/SConscript index 44c7d09..6aaa3c0 100644 --- a/resource/csdk/connectivity/build/SConscript +++ b/resource/csdk/connectivity/build/SConscript @@ -66,6 +66,7 @@ help_vars.Add(BoolVariable('UPLOAD', 'Upload binary ? (For Arduino)', require_up help_vars.Add(EnumVariable('ROUTING', 'Enable routing', 'EP', allowed_values=('GW', 'EP'))) help_vars.Add(EnumVariable('BUILD_SAMPLE', 'Build with sample', 'ON', allowed_values=('ON', 'OFF'))) help_vars.Add(BoolVariable('WITH_TCP', 'Enable TCP', False)) +help_vars.Add(BoolVariable('DISABLE_TCP_SERVER', 'Disable TCP server', False)) help_vars.Add(ListVariable('WITH_MQ', 'Build with MQ publisher/subscriber/broker', 'OFF', ['OFF', 'SUB', 'PUB', 'BROKER'])) help_vars.AddVariables(('DEVICE_NAME', 'Network display name for device', 'OIC-DEVICE', None, None),) diff --git a/resource/csdk/connectivity/build/tizen/scons/SConscript b/resource/csdk/connectivity/build/tizen/scons/SConscript index 621a39d..6b6d55b 100644 --- a/resource/csdk/connectivity/build/tizen/scons/SConscript +++ b/resource/csdk/connectivity/build/tizen/scons/SConscript @@ -9,6 +9,7 @@ Import('env') target_os = env.get('TARGET_OS') transport = env.get('TARGET_TRANSPORT') with_tcp = env.get('WITH_TCP') +disable_tcp_server = env.get('DISABLE_TCP_SERVER') print "Given Transport is %s" % transport @@ -52,6 +53,10 @@ else: else: env.AppendUnique(CPPDEFINES = ['NO_TCP_ADAPTER']) + if disable_tcp_server == True: + env.AppendUnique(CPPDEFINES = ['DISABLE_TCP_SERVER']) + print "TCP server is disabled" + env.SConscript(['../con/lib/libcoap-4.1.1/SConscript']) env.SConscript(['../con/SConscript']) diff --git a/resource/csdk/connectivity/src/tcp_adapter/catcpadapter.c b/resource/csdk/connectivity/src/tcp_adapter/catcpadapter.c index ca176c6..ee25ead 100644 --- a/resource/csdk/connectivity/src/tcp_adapter/catcpadapter.c +++ b/resource/csdk/connectivity/src/tcp_adapter/catcpadapter.c @@ -331,10 +331,13 @@ static void CAInitializeTCPGlobals() { flags |= caglobals.clientFlags; } + +#ifndef DISABLE_TCP_SERVER if (caglobals.server) { flags |= caglobals.serverFlags; } +#endif caglobals.tcp.ipv4tcpenabled = flags & CA_IPV4; caglobals.tcp.ipv6tcpenabled = flags & CA_IPV6; @@ -509,7 +512,7 @@ CAResult_t CATCPDisconnectSession(const CAEndpoint_t *endpoint) CAResult_t CAStartTCPListeningServer() { -#ifndef SINGLE_THREAD +#if !defined(SINGLE_THREAD) && !defined(DISABLE_TCP_SERVER) if (!caglobals.server) { caglobals.server = true; // only needed to run CA tests diff --git a/resource/csdk/connectivity/src/tcp_adapter/catcpserver.c b/resource/csdk/connectivity/src/tcp_adapter/catcpserver.c index f40c533..a1572c0 100644 --- a/resource/csdk/connectivity/src/tcp_adapter/catcpserver.c +++ b/resource/csdk/connectivity/src/tcp_adapter/catcpserver.c @@ -1019,6 +1019,7 @@ static void CAInitializePipe(int *fds) #endif } +#ifndef DISABLE_TCP_SERVER #define NEWSOCKET(FAMILY, NAME) \ caglobals.tcp.NAME.fd = CACreateAcceptSocket(FAMILY, &caglobals.tcp.NAME); \ if (caglobals.tcp.NAME.fd == -1) \ @@ -1056,6 +1057,7 @@ void CATCPInitializeSocket() caglobals.tcp.ipv6s.fd, caglobals.tcp.ipv6s.port); #endif } +#endif // DISABLE_TCP_SERVER CAResult_t CATCPStartServer(const ca_thread_pool_t threadPool) { @@ -1084,10 +1086,13 @@ CAResult_t CATCPStartServer(const ca_thread_pool_t threadPool) caglobals.tcp.svrlist = u_arraylist_create(); } +#ifndef DISABLE_TCP_SERVER if (caglobals.server) { CATCPInitializeSocket(); } +#endif + #ifndef __TIZENRT__ // create pipe for fast shutdown CAInitializePipe(caglobals.tcp.shutdownFds); @@ -1428,10 +1433,13 @@ CAResult_t CADisconnectTCPSession(size_t index) OIC_LOG(DEBUG, TAG, "data is removed from session list"); +#ifndef DISABLE_TCP_SERVER if (caglobals.server && MAX_CONNECTION_COUNTS == u_arraylist_length(caglobals.tcp.svrlist) + 1) { CATCPInitializeSocket(); } +#endif + return CA_STATUS_OK; } diff --git a/resource/csdk/stack/include/ocpayload.h b/resource/csdk/stack/include/ocpayload.h index 7d39aa8..fc11afa 100644 --- a/resource/csdk/stack/include/ocpayload.h +++ b/resource/csdk/stack/include/ocpayload.h @@ -235,7 +235,7 @@ OCDiscoveryPayload* OCDiscoveryPayloadCreate(); OCSecurityPayload* OCSecurityPayloadCreate(const uint8_t* securityData, size_t size); void OCSecurityPayloadDestroy(OCSecurityPayload* payload); -#ifndef TCP_ADAPTER +#if !defined(TCP_ADAPTER) || defined(DISABLE_TCP_SERVER) void OCDiscoveryPayloadAddResource(OCDiscoveryPayload* payload, const OCResource* res, uint16_t securePort); #else diff --git a/resource/csdk/stack/samples/tizen/SimpleClientServer/SConscript b/resource/csdk/stack/samples/tizen/SimpleClientServer/SConscript index 8872a4d..704e44f 100644 --- a/resource/csdk/stack/samples/tizen/SimpleClientServer/SConscript +++ b/resource/csdk/stack/samples/tizen/SimpleClientServer/SConscript @@ -59,6 +59,7 @@ help_vars.Add(EnumVariable('ROUTING', 'Enable routing', 'EP', allowed_values=('G help_vars.Add(BoolVariable('WITH_PROXY', 'CoAP-HTTP Proxy', False)) # set to 'no', 'false' or 0 for debug help_vars.Add(ListVariable('WITH_MQ', 'Build with MQ publisher/subscriber/broker', 'OFF', ['OFF', 'SUB', 'PUB', 'BROKER'])) help_vars.Add(BoolVariable('WITH_TCP', 'Build with TCP', False)) +help_vars.Add(BoolVariable('DISABLE_TCP_SERVER', 'Disable TCP server', False)) ###################################################################### # Platform(build target) specific options: SDK/NDK & toolchain diff --git a/resource/csdk/stack/samples/tizen/build/scons/SConscript b/resource/csdk/stack/samples/tizen/build/scons/SConscript index 87564ec..46e24be 100644 --- a/resource/csdk/stack/samples/tizen/build/scons/SConscript +++ b/resource/csdk/stack/samples/tizen/build/scons/SConscript @@ -51,6 +51,9 @@ else: else: env.AppendUnique(CPPDEFINES = ['NO_TCP_ADAPTER']) + if env.get('DISABLE_TCP_SERVER'): + env.AppendUnique(CPPDEFINES = ['DISABLE_TCP_SERVER']) + if 'SUB' in with_mq: env.AppendUnique(CPPDEFINES = ['MQ_SUBSCRIBER', 'WITH_MQ']) print "MQ SUB support" diff --git a/resource/csdk/stack/src/ocpayload.c b/resource/csdk/stack/src/ocpayload.c index a80eb21..95b9440 100755 --- a/resource/csdk/stack/src/ocpayload.c +++ b/resource/csdk/stack/src/ocpayload.c @@ -1708,7 +1708,7 @@ OCResourcePayload* OCDiscoveryPayloadGetResource(OCDiscoveryPayload* payload, si return NULL; } -#ifndef TCP_ADAPTER +#if !defined(TCP_ADAPTER) || defined(DISABLE_TCP_SERVER) static OCResourcePayload* OCCopyResource(const OCResource* res, uint16_t securePort) #else static OCResourcePayload* OCCopyResource(const OCResource* res, uint16_t securePort, @@ -1813,13 +1813,13 @@ static OCResourcePayload* OCCopyResource(const OCResource* res, uint16_t secureP ); pl->secure = (res->resourceProperties & OC_SECURE) != 0; pl->port = securePort; -#ifdef TCP_ADAPTER +#if defined(TCP_ADAPTER) && !defined(DISABLE_TCP_SERVER) pl->tcpPort = tcpPort; #endif return pl; } -#ifndef TCP_ADAPTER +#if !defined(TCP_ADAPTER) || defined(DISABLE_TCP_SERVER) void OCDiscoveryPayloadAddResource(OCDiscoveryPayload* payload, const OCResource* res, uint16_t securePort) { diff --git a/resource/csdk/stack/src/ocresource.c b/resource/csdk/stack/src/ocresource.c index b8f4b21..8abd4b3 100755 --- a/resource/csdk/stack/src/ocresource.c +++ b/resource/csdk/stack/src/ocresource.c @@ -106,7 +106,7 @@ static OCStackResult GetSecurePortInfo(OCDevAddr *endpoint, uint16_t *port) return OC_STACK_OK; } -#ifdef TCP_ADAPTER +#if defined(TCP_ADAPTER) && !defined(DISABLE_TCP_SERVER) /* This method will retrieve the tcp port */ static OCStackResult GetTCPPortInfo(OCDevAddr *endpoint, uint16_t *port, bool secured) { @@ -542,7 +542,7 @@ OCStackResult BuildVirtualResourceResponse(const OCResource *resourcePtr, } } -#ifdef TCP_ADAPTER +#if defined(TCP_ADAPTER) && !defined(DISABLE_TCP_SERVER) uint16_t tcpPort = 0; GetTCPPortInfo(devAddr, &tcpPort, (resourcePtr->resourceProperties & OC_SECURE)); diff --git a/service/easy-setup/sampleapp/enrollee/tizen-sdb/EnrolleeSample/build/SConscript b/service/easy-setup/sampleapp/enrollee/tizen-sdb/EnrolleeSample/build/SConscript index 76a902b..d73e383 100644 --- a/service/easy-setup/sampleapp/enrollee/tizen-sdb/EnrolleeSample/build/SConscript +++ b/service/easy-setup/sampleapp/enrollee/tizen-sdb/EnrolleeSample/build/SConscript @@ -78,6 +78,7 @@ help_vars.Add(BoolVariable('UPLOAD', 'Upload binary ? (For Arduino)', require_up help_vars.Add(EnumVariable('ROUTING', 'Enable routing', 'EP', allowed_values=('GW', 'EP'))) help_vars.Add(EnumVariable('BUILD_SAMPLE', 'Build with sample', 'ON', allowed_values=('ON', 'OFF'))) help_vars.Add(BoolVariable('WITH_TCP', 'Build with TCP adapter', False)) +help_vars.Add(BoolVariable('DISABLE_TCP_SERVER', 'Disable TCP server', False)) help_vars.Add(BoolVariable('WITH_CLOUD', 'Build including AccountManager class and Cloud Client sample', False)) help_vars.AddVariables(('DEVICE_NAME', 'Network display name for device', 'OIC-DEVICE', None, None),) diff --git a/tools/tizen/iotivity-vd-tv-es-tizen30.spec b/tools/tizen/iotivity-vd-tv-es-tizen30.spec index 70afcdd..2dae53f 100644 --- a/tools/tizen/iotivity-vd-tv-es-tizen30.spec +++ b/tools/tizen/iotivity-vd-tv-es-tizen30.spec @@ -83,6 +83,7 @@ Source1002: %{name}-test.manifest %{!?WITH_MQ: %define WITH_MQ OFF} %{!?WITH_PROXY: %define WITH_PROXY 0} %{!?WITH_TCP: %define WITH_TCP 1} +%{!?DISABLE_TCP_SERVER: %define DISABLE_TCP_SERVER 1} %{!?RD_MODE: %define RD_MODE CLIENT} %{!?BLE_CUSTOM_ADV: %define BLE_CUSTOM_ADV False} %{!?BLE_DIVISION: %define BLE_DIVISION VD} @@ -178,6 +179,7 @@ scons %{JOB} --prefix=%{_prefix} \ WITH_MQ=%{WITH_MQ} \ WITH_PROXY=%{WITH_PROXY} \ WITH_TCP=%{WITH_TCP} \ + DISABLE_TCP_SERVER=%{DISABLE_TCP_SERVER} \ RD_MODE=%{RD_MODE} \ BLE_CUSTOM_ADV=%{BLE_CUSTOM_ADV} \ BLE_DIVISION=%{BLE_DIVISION} \ @@ -210,6 +212,7 @@ scons install --install-sandbox=%{buildroot} --prefix=%{_prefix} \ WITH_MQ=%{WITH_MQ} \ WITH_PROXY=%{WITH_PROXY} \ WITH_TCP=%{WITH_TCP} \ + DISABLE_TCP_SERVER=%{DISABLE_TCP_SERVER} \ RD_MODE=%{RD_MODE} \ BLE_CUSTOM_ADV=%{BLE_CUSTOM_ADV} \ BLE_DIVISION=%{BLE_DIVISION} \ diff --git a/tools/tizen/iotivity-vd-tv-tizen30.spec b/tools/tizen/iotivity-vd-tv-tizen30.spec index 848ca7d..86a0068 100644 --- a/tools/tizen/iotivity-vd-tv-tizen30.spec +++ b/tools/tizen/iotivity-vd-tv-tizen30.spec @@ -83,6 +83,7 @@ Source1002: %{name}-test.manifest %{!?WITH_MQ: %define WITH_MQ OFF} %{!?WITH_PROXY: %define WITH_PROXY 0} %{!?WITH_TCP: %define WITH_TCP 1} +%{!?DISABLE_TCP_SERVER: %define DISABLE_TCP_SERVER 1} %{!?RD_MODE: %define RD_MODE CLIENT} %{!?BLE_CUSTOM_ADV: %define BLE_CUSTOM_ADV False} %{!?BLE_DIVISION: %define BLE_DIVISION VD} @@ -178,6 +179,7 @@ scons %{JOB} --prefix=%{_prefix} \ WITH_MQ=%{WITH_MQ} \ WITH_PROXY=%{WITH_PROXY} \ WITH_TCP=%{WITH_TCP} \ + DISABLE_TCP_SERVER=%{DISABLE_TCP_SERVER} \ RD_MODE=%{RD_MODE} \ BLE_CUSTOM_ADV=%{BLE_CUSTOM_ADV} \ BLE_DIVISION=%{BLE_DIVISION} \ @@ -210,6 +212,7 @@ scons install --install-sandbox=%{buildroot} --prefix=%{_prefix} \ WITH_MQ=%{WITH_MQ} \ WITH_PROXY=%{WITH_PROXY} \ WITH_TCP=%{WITH_TCP} \ + DISABLE_TCP_SERVER=%{DISABLE_TCP_SERVER} \ RD_MODE=%{RD_MODE} \ BLE_CUSTOM_ADV=%{BLE_CUSTOM_ADV} \ BLE_DIVISION=%{BLE_DIVISION} \ -- 2.7.4