lp:~connman-maintainers/connman/head

Created by David Barth on 2010-05-31 and last modified on 2019-11-19
Get this branch:
bzr branch lp:~connman-maintainers/connman/head

Branch information

Owner:
ConnMan packaging maintainers
Project:
Connection Manager
Status:
Development

Import details

Import Status: Reviewed

This branch is an import of the HEAD branch of the Git repository at git://git.kernel.org/pub/scm/network/connman/connman.git.


Recent revisions

7934. By Daniel Wagner 23 hours ago

Revert "timeserver: Reload nameservers when service nameservers change"

This reverts commit da51f2d6afb09b3486bbefd3c748659b5ce4d878.

As it turns out this patch doesn't solve the issue Vivien is
seeing. It's better to go back to the original code and modify it when
needed.

7933. By Daniel Wagner 23 hours ago

wireguard: Fix typo in option parser

The option is called WireGuard.EndpointPort.

7932. By Daniel Wagner 23 hours ago

wireguard: Initialize data structure properly

The info data structure should be properly initialized.

  #0 0x00007ffff7bd98f7 in __memmove_avx_unaligned () from /lib64/libc.so.6
  #1 0x00007ffff7fa4925 in mnl_attr_put () from /usr/lib64/libmnl.so.0
  #2 0x00007ffff7fa496f in mnl_attr_put_check () from /usr/lib64/libmnl.so.0
  #3 0x000000000040dd95 in wg_set_device (dev=0x480c70) at vpn/plugins/libwireguard.c:341
  #4 0x0000000000410dd7 in wg_connect (provider=0x47e100, task=0x0, if_name=0x0, cb=0x0, dbus_sender=0x0,
      user_data=0x0) at vpn/plugins/wireguard.c:336
  #5 0x0000000000413092 in vpn_connect (provider=0x47e100, cb=0x41e946 <connect_cb>,
      dbus_sender=0x481dd4 ":1.46", user_data=0x475a10) at vpn/plugins/vpn.c:632
  #6 0x000000000041ec52 in __vpn_provider_connect (provider=0x47e100, msg=0x475a10) at vpn/vpn-provider.c:1206
  #7 0x000000000041d488 in do_connect (conn=0x473ce0, msg=0x475a10, data=0x47e100) at vpn/vpn-provider.c:505
  #8 0x000000000041d4da in do_connect2 (conn=0x473ce0, msg=0x475a10, data=0x47e100) at vpn/vpn-provider.c:515
  #9 0x0000000000435691 in process_message (connection=0x473ce0, message=0x475a10,
      method=0x43bfe0 <connection_methods+160>, iface_user_data=0x47e100) at gdbus/object.c:259
  #10 0x00000000004371a5 in generic_message (connection=0x473ce0, message=0x475a10, user_data=0x47f340)
      at gdbus/object.c:1071
  #11 0x00007ffff7e4fc4d in ?? () from /usr/lib64/libdbus-1.so.3
  #12 0x00007ffff7e407a4 in dbus_connection_dispatch () from /usr/lib64/libdbus-1.so.3
  #13 0x000000000043306b in message_dispatch (data=0x473ce0) at gdbus/mainloop.c:72
  #14 0x00007ffff7eca9f7 in ?? () from /usr/lib64/libglib-2.0.so.0
  #15 0x00007ffff7ecdf88 in g_main_context_dispatch () from /usr/lib64/libglib-2.0.so.0
  #16 0x00007ffff7ece310 in ?? () from /usr/lib64/libglib-2.0.so.0
  #17 0x00007ffff7ece5e3 in g_main_loop_run () from /usr/lib64/libglib-2.0.so.0
  #18 0x0000000000419f6f in main (argc=1, argv=0x7fffffffec28) at vpn/main.c:275

7931. By Daniel Wagner 23 hours ago

wireguard: Fix use after free

Use freeaddrinfo after rp has been used. rp points to an element in
results.
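The ordering that revision 7931 describes, as an added example that is not ConnMan's code: `getaddrinfo()` owns every `struct addrinfo` in the list it returns, so the address must be copied out before `freeaddrinfo()` runs. The helper names `resolve_endpoint()` and `endpoint_port()` are hypothetical, and the sample inputs are constructed numeric addresses so nothing is looked up over the network.

```c
/* Added illustration, not ConnMan source; resolve_endpoint() is a hypothetical helper. */
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

/* Resolve host/port and copy the first usable address into *out.
 * Returns 0 on success, -1 on failure. */
int resolve_endpoint(const char *host, const char *port,
                     struct sockaddr_storage *out, socklen_t *out_len)
{
    struct addrinfo hints, *results = NULL, *rp;
    int found = -1;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_DGRAM;  /* WireGuard endpoints are UDP */
    hints.ai_flags = AI_NUMERICHOST; /* numeric hosts only: no DNS lookup */
    if (getaddrinfo(host, port, &hints, &results) != 0)
        return -1;

    for (rp = results; rp; rp = rp->ai_next) {
        if (rp->ai_addrlen > sizeof(*out))
            continue;
        /* rp and rp->ai_addr are owned by 'results': copy the bytes
         * out while the list is still allocated. */
        memset(out, 0, sizeof(*out));
        memcpy(out, rp->ai_addr, rp->ai_addrlen);
        *out_len = rp->ai_addrlen;
        found = 0;
        break;
    }

    /* Free only after the last read through rp. Calling this before
     * the loop would leave rp pointing into freed memory. */
    freeaddrinfo(results);
    return found;
}

/* Port of a copied address in host byte order, 0 for other families. */
unsigned endpoint_port(const struct sockaddr_storage *ss)
{
    if (ss->ss_family == AF_INET)
        return ntohs(((const struct sockaddr_in *)ss)->sin_port);
    if (ss->ss_family == AF_INET6)
        return ntohs(((const struct sockaddr_in6 *)ss)->sin6_port);
    return 0;
}
```

Building with `-fsanitize=address` makes the wrong ordering fail immediately as a heap-use-after-free instead of silently reading stale memory.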

7930. By Daniel Wagner on 2019-11-14

AUTHORS: Mention Matt and David's contributions

7929. By Jussi Laakkonen <email address hidden> on 2019-11-14

doc: Add VPN agent API documentation for OpenVPN.PrivateKeyPassword

Document the encrypted private key password in the VPN agent API. This
is sent when the OpenVPN process detects an encrypted private key file and
needs a password for decryption.

7928. By Jussi Laakkonen <email address hidden> on 2019-11-14

openvpn: Rewrite plugin to support VPN agent and encrypted private keys

Co-authored-by: Matt Vogt <email address hidden>
Co-authored-by: Slava Monich <email address hidden>

This OpenVPN plugin rewrite contains numerous fixes. Most
importantly VPN agent is used to query credentials as well as the
password for the encrypted private key.

VPN agent support is done utilizing the management interface of OpenVPN.
The management interface is opened at each connection attempt to get
the potential requests for credentials, or encrypted private key
password. OpenVPN process is started with the stored information and if
there is some credential missing it will be queried via management
interface.

Each credential failure increases the authentication failed error
counter in vpn-provider.c but does not indicate it as an error to be
signaled. This is because the authentication failures are handled within
the plugin->openvpn process and the openvpn process does not die in
between. In case the credentials or the private key password is wrong
OpenVPN requests them again via management channel. If the error would
be signaled, connmand would have wrong indication of what is actually
happening and would attempt to disconnect the VPN in question.

The new VPN agent functionality is utilized to advise the VPN agent not
to store the encrypted private key password. Encrypted private key
password is kept in memory only, during the connman-vpnd lifetime. On
some systems VPN agents may store the credentials into files and thus
it is imperative not to save the encrypted private key password using
the VPN agent, as it is bad practice to have both the encrypted file and its
password stored on the same storage space. Use of the
vpn_agent_append_keep_credentials() is also needed to indicate to the VPN agent
that the credentials should not be affected by the request to input
encrypted private key password. It may be that some VPN agents would
react to the storage and retrieval prevention values as the existing
values should be removed.

The private key password errors are not recorded as authentication
errors but are handled internally within the plugin. The rationale is
that since VPN agent is affected by the authentication errors and the
VpnAgent.AuthFailure is sent in such case, and VPN agent is advised not
to store the private key password, handling of the errors related to
private key password should happen within the plugin. If the private key
password stored in memory is wrong, it will still be attempted on the first
try, but OpenVPN will request a new one via the management interface after a
failed attempt. The encrypted private key password failures are not
reported by OpenVPN (at least version <= 2.4.5) via management interface
and the following patch is required in order for the failures to be
reported:
https://git.sailfishos.org/mer-core/openvpn/blob/4f4b4af116292a207416c8a990392e35a6fc41af/rpm/privatekey-passphrase-handling.diff
- a note about this is added to README.

Since the management channel unix socket is to be used by both vpnd and
the OpenVPN process the socket is created under system temp (env
TMPDIR). If env TMPDIR is omitted or empty, /tmp is used instead.

7927. By Jussi Laakkonen <email address hidden> on 2019-11-14

vpn-provider: Handle ENOENT in connect_cb

ENOENT error is not an error to be reacted on, it is received from VPNs
that are disconnected by connmand while waiting for VPN agent message,
which in that case returns no reply message.

7926. By Jussi Laakkonen <email address hidden> on 2019-11-14

vpn-provider: Add function to add errors without state change

A function to increase error counters without changing the state to
failure, as vpn_provider_indicate_error() does, is required by VPNs that
do handle the credential requests within their own process. If the
authentication error is added with vpn_provider_indicate_error() then
the state would be changed and change is signaled, creating confusion
between connmand and connman-vpnd.

7925. By Jussi Laakkonen <email address hidden> on 2019-11-14

vpn-provider: Expose __vpn_provider_get_ident() to plugins

It is wrong to use local functions in a plugin. This commit exposes
__vpn_provider_get_ident() for plugins to use.

Changed the openvpn.c to use the exposed vpn_provider_get_ident().

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
This branch contains Public information 
Everyone can see this information.
