[PATCH] vpnc: Inform VPN agent about authentication errors
by Jussi Laakkonen
Send "VpnAgent.AuthFailure" to VPN agent if there are authentication
errors to indicate that previous login has failed and new credentials
are required to be given. Authentication errors are detected from the
output of VPNC process in io_channel_cb().
---
vpn/plugins/vpnc.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/vpn/plugins/vpnc.c b/vpn/plugins/vpnc.c
index 808c36cd..8927a6f7 100644
--- a/vpn/plugins/vpnc.c
+++ b/vpn/plugins/vpnc.c
@@ -723,6 +723,9 @@ static int request_input_credentials(struct vc_private_data *data,
connman_dbus_dict_open(&iter, &dict);
+ if (vpn_provider_get_authentication_errors(data->provider))
+ vpn_agent_append_auth_failure(&dict, data->provider, NULL);
+
request_input_append_to_dict(data->provider, &dict,
request_input_append_password,
"VPNC.IPSec.Secret");
--
2.20.1
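Review bot: The added call in request_input_credentials() passes a bare NULL as the third argument of vpn_agent_append_auth_failure(), and nothing in the hunk says what that argument is or what NULL selects; a short comment above the call would help. The commit message also places the error detection in io_channel_cb(), while the diffstat shows only these three lines in request_input_credentials(). It would be clearer to say that detection already exists and that this change only forwards the state into the agent dict.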
1 year, 3 months
Does Connman support to connect home WiFi network by WiFi modem WPS process?
by JH
Hi,
I installed connman to a device which connects to home WiFi modem.
There could be two ways to configure WiFi modem connection:
(1) Set up a wifi.config with WiFi modem Name and Passphrase
(currently working on my device)
(2) Press WiFi modem WPS button in 3 seconds to allow WiFi device
(client) automatically set up configuration to connect to WiFi modem.
Is there an option in connman configuration to support to connect to
the WiFi network automatically by pushing WiFi modem WPS button?
Thank you.
Kind regards,
- jh
1 year, 3 months
Re: Insights on connmand -d
by JH
Hi David,
How did you edit the service file to add -d? Also, how could you add
-d to the service file in a Yocto recipe?
I could not start connman after adding -d
# vi /lib/systemd/system/connman.service
ExecStart=/usr/sbin/connmand -n -d
Job for connman.service failed because the control process exited with
error code.
See "systemctl status connman.service" and "journalctl -xe" for details.
Thank you.
Kind regards
On 10/22/19, David Weidenkopf <David.Weidenkopf(a)arthrex.com> wrote:
> Hi,
>
> We use a yocto build as well. I routinely edit the service file to add -d to
How did you edit the service file to add -d? Also, how could you add
-d to the service file in a Yocto recipe?
I could not start connman after adding -d
# vi /lib/systemd/system/connman.service
ExecStart=/usr/sbin/connmand -n -d
Job for connman.service failed because the control process exited with
error code.
See "systemctl status connman.service" and "journalctl -xe" for details.
> increase logging. We don't use LTE, just WiFi.
I am using both WiFi and LTE, both could not come up in systemd
service, I could only bring them up by running connmand -d manually.
> Can you confirm exactly the steps you are trying and the expected result?
Is it the right way to edit connman.service above?
Thanks David.
> David
> ________________________________________
> From: JH [jupiter.hce(a)gmail.com]
> Sent: Monday, October 21, 2019 2:41 AM
> To: David Weidenkopf
> Cc: Daniel Wagner; connman
> Subject: Re: Insights on connmand -d
>
> Hi Daniel and David,
>
> The connman was built by Yocto recipe, automatically launched by
> systemd service set up by the Yocto connman recipe.
>
> Any suggestion how to fix that issue or any workarounds? The connman
> is installed in an embedded device, currently I use the debug port to
> access the device and to stop systemd connman and to run command -d
> manually, it is not feasible to do it when a device is installed
> remotely.
>
> Thank you.
>
> Kind regards,
>
> - jh
>
>
>
> On 10/2/19, JH <jupiter.hce(a)gmail.com> wrote:
>> On 10/2/19, David Weidenkopf <David.Weidenkopf(a)arthrex.com> wrote:
>>> What user are you running connmand -d as? What user is the service
>>> running
>>> as when you launch using systemctl?
>>
>> Running root in connmand -d and root for systemctl for connman.service
>> in imx6 platform.
>>
>> Thanks David.
>>
>>>
>>> ________________________________________
>>> From: JH [jupiter.hce(a)gmail.com]
>>> Sent: Monday, September 30, 2019 6:49 PM
>>> To: Daniel Wagner
>>> Cc: connman
>>> Subject: Re: Insights on connmand -d
>>>
>>> Hi Daniel,
>>>
>>> On 10/1/19, Daniel Wagner <wagi(a)monom.org> wrote:
>>>> Hi,
>>>>
>>>> On 9/30/19 12:51 AM, JH wrote:
>>>>> Could anyone give some insights on what connmand -d differs to
>>>>> connmand -n running by systemctl? From reading the documentation, my
>>>>> understanding is it should be identical except increasing debug level
>>>>> to printing out more debug messages, but the systemd service connmand
>>>>> -n incapable of bringing my LTE modem up makes me wonder what I
>>>>> could get wrong here, could the connman -n service messages be blocked
>>>>> by journal logs? Appreciate anyone helps to fix it,
>>>>
>>>> Yes the behavior of ConnMan doesn't change with or without '-d'. It
>>>> executes the exact same code. It's more like enabling a fancy function
>>>> tracer.
>>>
>>> That completely puzzled me, the LTE modem could not be up until I run
>>> systemctl stop connman and connmand -d. It is the latest version 1.36.
>>>
>>>
>>>> I don't know if journald blocks if the logging store gets full or not.
>>>> But you could try to increase the log buffer for testing. Just to rule
>>>> out this problem.
>>>
>>> Changed journald log buffer size, it did not help. Any suggestion how
>>> to debug and fix it?
>>>
>>> Thank you Daniel.
>>>
>>> Kind regards,
1 year, 3 months
if-up if-down scripts or systemd network-online target
by tormen@mail.ch
Dear connman maintainer,
is there currently support for this already?
The README [1] does only mention systemd-resolved.
As connmand already integrates with systemd-resolved it would seem the
simplest (and elegant) option to add support for if-up (Wants=) and
if-down (After=) through systemd.
The man-page systemd.special [2] states about `systemd-online`:
```
Units that strictly require a configured network connection should pull
in network-online.target (via a Wants= type dependency) and order
themselves after it. This target unit is intended to pull in a service
that delays further execution until the network is sufficiently set up.
What precisely this requires is left to the implementation of the
network managing service.
```
So if connman would
* start network-online when AT LEAST ONE interface is brought
up and would
* stop network-online when the LAST interfaces would be
brought down
then this could IMHO satisfy most cases for if-up if-down scripts.
What say you? :)
Tormen
[1]
https://git.kernel.org/pub/scm/network/connman/connman.git/tree/README
[2]
https://www.freedesktop.org/software/systemd/man/systemd.special.html
--
1 year, 4 months
problem changing wired connection from dhcp -> manual
by tgreen2@sorenson.com
I'm having an issue with connman 1.27. I have an ethernet connection that is configured with dhcp. I change that connection to manual, then things seem to go wrong. Here is the log of how to reproduce the problem:
connmanctl> services ethernet_0008720978d7_cable
/net/connman/service/ethernet_0008720978d7_cable
Type = ethernet
Security = [ ]
State = ready
Favorite = True
Immutable = False
AutoConnect = True
Name = Wired
Ethernet = [ Method=auto, Interface=eno1, Address=00:08:72:09:78:D7, MTU=1500 ]
IPv4 = [ Method=dhcp, Address=10.20.187.87, Netmask=255.255.255.0, Gateway=10.20.187.1 ]
IPv4.Configuration = [ Method=dhcp ]
IPv6 = [ ]
IPv6.Configuration = [ Method=auto, Privacy=disabled ]
Nameservers = [ 10.20.55.200, 10.150.5.200 ]
Nameservers.Configuration = [ ]
Timeservers = [ ]
Timeservers.Configuration = [ ]
Domains = [ XXXXXXXX.COM ]
Domains.Configuration = [ ]
Proxy = [ ]
Proxy.Configuration = [ ]
mDNS = False
mDNS.Configuration = False
Provider = [ ]
connmanctl> config ethernet_0008720978d7_cable --ipv4 manual 10.20.187.87 255.255.255.0 10.20.187.1
connmanctl> services ethernet_0008720978d7_cable
/net/connman/service/ethernet_0008720978d7_cable
Type = ethernet
Security = [ ]
State = ready
Favorite = True
Immutable = False
AutoConnect = True
Name = Wired
Ethernet = [ Method=auto, Interface=eno1, Address=00:08:72:09:78:D7, MTU=1500 ]
IPv4 = [ Method=manual, Address=10.20.187.87, Netmask=255.255.255.0, Gateway=10.20.187.1 ]
IPv4.Configuration = [ Method=manual, Address=10.20.187.87, Netmask=255.255.255.0, Gateway=10.20.187.1 ]
IPv6 = [ ]
IPv6.Configuration = [ Method=auto, Privacy=disabled ]
Nameservers = [ ]
Nameservers.Configuration = [ ]
Timeservers = [ ]
Timeservers.Configuration = [ ]
Domains = [ ]
Domains.Configuration = [ ]
Proxy = [ Method=direct ]
Proxy.Configuration = [ ]
mDNS = False
mDNS.Configuration = False
Provider = [ ]
connmanctl> disconnect ethernet_0008720978d7_cable
Disconnected ethernet_0008720978d7_cable
connmanctl> connect ethernet_0008720978d7_cable
Error /net/connman/service/ethernet_0008720978d7_cable: Input/output error
connmanctl> disconnect ethernet_0008720978d7_cable
Error /net/connman/service/ethernet_0008720978d7_cable: Not connected
connmanctl> connect ethernet_0008720978d7_cable
Error /net/connman/service/ethernet_0008720978d7_cable: Already connected
connmanctl>
If at this point I stop and restart connman, the service responds as expected
Thanks in advance for looking at this
Tom
1 year, 4 months
[PATCH] pptp: Cancel queued VPN agent msg when disconnected
by Jussi Laakkonen
Queued VPN agent messages must be canceled if the plugin times out
without starting the process. This fixes the issue of having multiple
VPN agent queries stacked on one another in such a scenario, where PPTP
is waiting for user input.
---
vpn/plugins/pptp.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/vpn/plugins/pptp.c b/vpn/plugins/pptp.c
index b7b2676a..116c38f0 100644
--- a/vpn/plugins/pptp.c
+++ b/vpn/plugins/pptp.c
@@ -606,7 +606,12 @@ static int pptp_error_code(struct vpn_provider *provider, int exit_code)
static void pptp_disconnect(struct vpn_provider *provider)
{
+ if (!provider)
+ return;
+
vpn_provider_set_string(provider, "PPTP.Password", NULL);
+
+ connman_agent_cancel(provider);
}
static struct vpn_driver vpn_driver = {
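Review bot: connman_agent_cancel(provider) in pptp_disconnect() runs on every disconnect, while the commit message only describes the case where the plugin times out before the process is started. A one-line comment above the call saying why it belongs in the disconnect path, and that it is safe when no agent request is queued, would document the intent. If a NULL provider is not expected here, the new early return could log through DBG() instead of returning silently.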
--
2.20.1
1 year, 4 months
Re: Insights on connmand -d
by JH
On 10/2/19, David Weidenkopf <David.Weidenkopf(a)arthrex.com> wrote:
> What user are you running connmand -d as? What user is the service running
> as when you launch using systemctl?
Running root in connmand -d and root for systemctl for connman.service
in imx6 platform.
Thanks David.
>
> ________________________________________
> From: JH [jupiter.hce(a)gmail.com]
> Sent: Monday, September 30, 2019 6:49 PM
> To: Daniel Wagner
> Cc: connman
> Subject: Re: Insights on connmand -d
>
> Hi Daniel,
>
> On 10/1/19, Daniel Wagner <wagi(a)monom.org> wrote:
>> Hi,
>>
>> On 9/30/19 12:51 AM, JH wrote:
>>> Could anyone give some insights on what connmand -d differs to
>>> connmand -n running by systemctl? From reading the documentation, my
>>> understanding is it should be identical except increasing debug level
>>> to printing out more debug messages, but the systemd service connmand
>>> -n incapable of bringing my LTE modem up makes me wonder what I
>>> could get wrong here, could the connman -n service messages be blocked
>>> by journal logs? Appreciate anyone helps to fix it,
>>
>> Yes the behavior of ConnMan doesn't change with or without '-d'. It
>> executes the exact same code. It's more like enabling a fancy function
>> tracer.
>
> That completely puzzled me, the LTE modem could not be up until I run
> systemctl stop connman and connmand -d. It is the latest version 1.36.
>
>
>> I don't know if journald blocks if the logging store gets full or not.
>> But you could try to increase the log buffer for testing. Just to rule
>> out this problem.
>
> Changed journald log buffer size, it did not help. Any suggestion how
> to debug and fix it?
>
> Thank you Daniel.
>
> Kind regards,
1 year, 4 months
[PATCH] wispr: prevent use-after-free from agent browser request
by John Keeping
Agent requests take a reference on the service object, but this doesn't
guarantee that the wispr context is kept alive. When we get a callback,
lookup the context from first principles and verify that the object
we've been given is still a context on the given service.
This prevents a use-after-free on the wispr context pointer if the agent
takes a long time to respond (or fails to respond resulting in a DBus
timeout) and the context is freed before that response arrives.
---
This is the smallest change which solves this problem, but I'm not sure
if it would be better to make more widespread changes in the agent
handling code to better track and cancel agent requests that don't
relate directly to a service.
src/wispr.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/src/wispr.c b/src/wispr.c
index 473c0e03..41157580 100644
--- a/src/wispr.c
+++ b/src/wispr.c
@@ -555,12 +555,31 @@ static void wispr_portal_browser_reply_cb(struct connman_service *service,
const char *error, void *user_data)
{
struct connman_wispr_portal_context *wp_context = user_data;
+ struct connman_wispr_portal *wispr_portal;
+ int index;
DBG("");
if (!service || !wp_context)
return;
+ /*
+ * No way to cancel this if wp_context has been freed, so we lookup
+ * from the service and check that this is still the right context.
+ */
+ index = __connman_service_get_index(service);
+ if (index < 0)
+ return;
+
+ wispr_portal = g_hash_table_lookup(wispr_portal_list,
+ GINT_TO_POINTER(index));
+ if (!wispr_portal)
+ return;
+
+ if (wp_context != wispr_portal->ipv4_context &&
+ wp_context != wispr_portal->ipv6_context)
+ return;
+
if (!authentication_done) {
wispr_portal_error(wp_context);
free_wispr_routes(wp_context);
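Review bot: The comparison of wp_context against wispr_portal->ipv4_context and wispr_portal->ipv6_context only shows that this address is currently installed as a context for the index, not that it is the context that issued the request. If the original context was freed and a new one was later allocated at the same address, a stale reply passes the check and is handled as if it belonged to the new context. Recording the pending agent request in the context and cancelling it when the context is freed, or tagging each request with a per-context serial, would close that gap, which matches the concern raised in the note under the commit message. The new early returns could also carry a DBG() line so that a dropped reply is visible in debug logs.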
--
2.23.0
1 year, 4 months
[PATCH] [Fix] Dereference after free in sta_remove_callback()
by n.chaprana@samsung.com
Signed-off-by: Nishant Chaprana <n.chaprana(a)samsung.com>
---
plugins/wifi.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/plugins/wifi.c b/plugins/wifi.c
index 910b739..e675e6a 100644
--- a/plugins/wifi.c
+++ b/plugins/wifi.c
@@ -3356,15 +3356,15 @@ static void sta_remove_callback(int result,
info->wifi->tethering = false;
connman_technology_tethering_notify(info->technology, false);
- g_free(info->ifname);
- g_free(info->ssid);
- g_free(info);
-
if (info->wifi->ap_supported == WIFI_AP_SUPPORTED) {
g_free(info->wifi->tethering_param->ssid);
g_free(info->wifi->tethering_param);
info->wifi->tethering_param = NULL;
}
+
+ g_free(info->ifname);
+ g_free(info->ssid);
+ g_free(info);
return;
}
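Review bot: In the block guarded by "if (info->wifi->ap_supported == WIFI_AP_SUPPORTED)", info->wifi->tethering_param->ssid is read without checking tethering_param for NULL. g_free() accepts NULL but the ->ssid access does not, so a guard is worth adding while this code is being moved, unless a caller guarantees the pointer is set. The commit message carries only a Signed-off-by line; please add a sentence stating that info->wifi was dereferenced after g_free(info) and that the three frees now come after the last use of info.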
--
2.7.4
1 year, 4 months
[PATCH v5 0/9] Rewrite OpenConnect plugin and enhance support for VPN auth errors
by Jussi Laakkonen
This set of patches contains almost complete rewrite of OpenConnect VPN plugin,
introduces a method for informing VPN agent about authentication errors and
adds support for easier use of boolean type setting strings.
First of all, as the biggest change, OpenConnect VPN plugin is rewritten to
support the different authentication methods, which is configurable in provider
settings. If the configuration is omitted, cookie based authentication is set
as default. Support for automatic cookie (first use credentials to get cookie
and then connect with the cookie), credentials and separate public key with
private key and PKCS credential authentication is introduced. Credentials
and PKCS password are queried from VPN agent. Also support for the three
openconnect protocols is added also as provider settings for the OpenConnect
plugin. New options for OpenConnect are added as well to support allowing self
signed certificates and to toggle connection parameters, which may be required
with different server setups. Current approach utilizes screenscraping, which
should be replaced with libopenconnect use and guidelines for this are added
into TODO file.
Second, the authentication and connection errors are tracked by vpn-provider.c
when vpn_provider_indicate_error() is called with appropriate error code. These
errors can be utilized in VPN plugins to indicate VPN agent that saved
authentication credentials should be cleared. After successful connection or
after saving provider settings the error counters are cleared. Main reason for
implementing these into provider is that saving the values in plugin private
data would be cleared after the connection is terminated, and provider is more
permanent during the runtime of vpnd.
And last, a new function to better support setting strings expected to be
boolean in value ("true" or "false") is implemented. This function can be used
to check if the setting string is explicitly the desired boolean value as the
default value in case of missing or invalid value is to be given.
This is a resent complete patch set with all versions bumped upwards, except
the last TODO one.
Changes since V2 and V3:
* Correct PKCS lines, remove PKCS#12 references.
* Update changed file contents as V1 cover letter was apparently sent.
Changes since V4:
* Update list of commits and changes.
Changes since V5:
* Update list of commits and changes.
* Added comment and commit describing TODO for libopenconnect use.
Jussi Laakkonen (9):
vpn-provider: Implement simple connection and auth error counters
vpn-agent: Implement function to add auth failures to VPN agent msg
doc: Add VpnAgent.AuthFailure to VPN agent API documentation
vpn-provider: Implement setting string to bool conversion function
openconnect: Rewrite plugin to support more auth methods and protocols
openconnect: Use interactive mode when input to stdin is required
doc: Add new OpenConnect PKCS parameters to VPN agent API
doc: Add new OpenConnect configuration options to VPN config format
TODO: Add task for libopenconnect use in OpenConnect VPN plugin
TODO | 35 +
doc/vpn-agent-api.txt | 18 +
doc/vpn-config-format.txt | 75 ++-
vpn/plugins/openconnect.c | 1299 ++++++++++++++++++++++++++++++++-----
vpn/vpn-agent.c | 54 ++
vpn/vpn-agent.h | 3 +
vpn/vpn-provider.c | 57 +-
vpn/vpn-provider.h | 9 +
8 files changed, 1389 insertions(+), 161 deletions(-)
--
2.20.1
1 year, 4 months