lp:~connman-maintainers/connman/head

Created by David Barth and last modified
Get this branch:
bzr branch lp:~connman-maintainers/connman/head

Branch information

Owner:
ConnMan packaging maintainers
Project:
Connection Manager
Status:
Development

Import details

Import Status: Reviewed

This branch is an import of the HEAD branch of the Git repository at git://git.kernel.org/pub/scm/network/connman/connman.git.

Recent revisions

8149. By Jussi Laakkonen <email address hidden>

doc: Document AuthErrorLimit in VPN connection API

Add documentation of AuthErrorLimit that can be set for each provider
via the D-Bus API.

8148. By Jussi Laakkonen <email address hidden>

openvpn: Default to 10 AuthErrorLimit unless set by user

Unless the user has set a value for provider property "AuthErrorLimit",
default to 10 attempts after a successful connection has been made before
allowing the credentials to be cleared. This is imperative for the cases when
the OpenVPN server requires the client to do a clean shutdown but the network
goes down before it can be completed. In these cases the server may respond
back with an AUTH_FAILED control message until it determines that the old
client is really gone. By using this limit, credentials are not
unnecessarily cleared because there was no real problem with them.

8147. By Jussi Laakkonen <email address hidden>

vpn-provider: Add auth error check heuristic to avoid losing creds

Implement a heuristic into the authentication error getter to avoid losing
credentials in scenarios where the VPN server expects a clean shutdown
but the route/network has gone down and the client cannot do this, and as a
result the server responds to consecutive authentications with an auth
failed message. As a result this would cause the VPN agent to clear the
credentials as the authentication errors are passed to it, even though
there was no real authentication error in place.

This was noticed to happen in a scenario where an OpenVPN service is
1) connected over UDP using cellular, 2) the connection is switched to WiFi
letting the VPN connect, 3) cellular is triggered off and back on again,
4) WiFi is disconnected and the VPN is let to connect over cellular, after
which 5) WiFi is re-enabled. Usually this is enough to time the network
disconnects in the sense that the OpenVPN binary cannot send the disconnect
message back to the server, with the following in the system log:
    openvpn: event_wait : Interrupted system call (code=4)
    openvpn: SIGTERM received, sending exit notification to peer
    openvpn: write UDP: Network is unreachable (code=101)
    openvpn: Closing TUN/TAP interface

As a solution each provider sets a run-time only "previous_connect_time"
using the monotonic boot time clock whenever the connection has been
successful. This, in conjunction with a limit for allowed authentication
errors, is used to determine whether the actual authentication error
count is reported to the VPN agent or not. After a connection has been made all
errors are cleared. If the connection abruptly goes away, e.g., the
server is lost, only the conn_error_counter is increased and
previous_connect_time is cleared, but this does not trigger clearing of
the authentication error and, provided the credentials are still valid,
the next attempt succeeds when the server is again reachable. The same applies
for a proper disconnect. Thus, this solution does not interfere with
normal cases but mitigates unwanted credential loss in case the VPN
server determines the connection limit is full and reports back with an
authentication error message.

Some VPNs may not require this option at all. Thus, the limit is set as a
configurable per provider parameter "AuthErrorLimit" which defaults to
"1", and the heuristic can be completely disabled by setting value "0".
The value can be changed either by the user over D-Bus or made to be a
higher default for a provider by using provider_set_auth_error_limit(),
e.g., by a VPN plugin. The default per provider value is used only when
there is no user defined one. This way the plugin default value will not
get saved to the VPN settings and plugin default is changeable.

8146. By Jussi Laakkonen <email address hidden>

vpn-provider: Ignore error adding when state is idle/unknown

Do not allow adding errors for a provider that is already set into idle
state or is in unknown state. This case may happen when networks are
rapidly changed and the VPN did not call the callback connect_cb() until the
VPN has died and vpn.c:vpn_died() initiates cleanup in the VPN which
eventually calls connect_cb() with an error.

8145. By Jussi Laakkonen <email address hidden>

vpn: Report EALREADY back to caller if VPN is already disconnecting

Instead of reporting EINVAL report EALREADY to return correct
information back to the caller. This way caller knows that the call was
not to a wrong identifier but the VPN has already been requested to
shut down. The error eventually translates to InProgress D-Bus message
back to the caller.

8144. By Ariel D'Alessandro <email address hidden>

gsupplicant: Add support for WPA3-Personal transition mode

This commit adds support for WPA3-Personal transition mode, which
supports both WPA2-Personal (PSK) and WPA3-Personal (SAE).

Based on the AP accepted key management protocols, connman configures
wpa_supplicant as follows:

* WPA3-Personal-only mode: key_mgmt="SAE" ; ieee80211w=2
* WPA3-Personal transition mode: key_mgmt="SAE WPA-PSK" ; ieee80211w=1

8143. By Lukáš Karas

doc: Add new openconnect input fields

Recently added input fields:
 - authentication group (OpenConnect.Group)
 - second password (OpenConnect.SecondPassword, OpenConnect.UseSecondPassword)

8142. By Lukáš Karas

openconnect: Add support for 2nd password

Some servers are configured with multiple authentication groups.
OpenConnect requests just the authentication entries that are valid
for a specific group (process_auth_form method). So, the authentication
group has to be set up first, and a new form has to be requested then.

Some authentication groups may require secondary password.
For example one-time password from Google Authenticator app.

8141. By Jussi Laakkonen <email address hidden>

vpn: Refactor connect_reply() and handle NoCarrier -> ENOLINK error

Refactor connect_reply() to be extendable for more fine grained error
handling.

Add handling of ENOLINK error that is reported back by vpnd when a VPN
cannot be connected because connmand is in offline state. ENOLINK is to
be handled as any other error causing the VPN state not to change later
on that in turn would cause the cb_data->callback() never getting
called.

8140. By Jussi Laakkonen <email address hidden>

vpn-provider: Implement connmand online state checking

Add a complete mechanism to track connmand state and query it if
necessary to avoid connecting VPNs when there is either no connmand or
no network to use. This also makes VPNs disconnect when connmand
loses its online state or disappears.

The connmand state listener uses net.connman.Manager interface to get
the state using GetProperties at startup. PropertyChanged signal is
monitored for state changes to update the state. State is changed and
queried when the D-Bus service listener is notified. Connmand state is
tracked within vpnd with a boolean: "true" = online/ready, "false" =
offline/idle.

Also a feature to support delayed connecting of VPNs is added. It may
happen in a situation where ConnMan status is not queried yet and
a request to connect is received over D-Bus. In this case a timeout
function is added to the main loop that runs with 1s interval. When the
delayed connect function is running it keeps on trying until connmand
state is online/ready. If a connection request comes when the state is
queried and it is not online/ready, ENOLINK is returned as an error
("NoCarrier" D-Bus msg). The delayed connect function is removed if a
connect request comes when the function is waiting to be scheduled, and
the VPN in question is connected immediately.

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)