1. 24 Jul, 2019 2 commits
  2. 10 Jul, 2019 1 commit
  3. 04 Jul, 2019 4 commits
    • Add service_schedule_changed() proto before move_service() · f93b8475
      Jussi Laakkonen authored
      Get fork to build after including upstream commit, in fork:
      be165aa6 - in upstream:
      acf200507c9a9648f0839d9a11d0a1215ae99a41
    • service: Prevent sending D-Bus error reply twice with hidden networks · 1a49ce63
      Jussi Laakkonen authored
      When the input request has timed out or some other error has occurred do
      not allow to send duplicate D-Bus error replies. This would result in
      crashes when hidden network is first informed with ETIMEDOUT and error
      is returned and if the __connman_device_request_hidden_scan() reports an
      error or that it is already running (EALREADY) and then second error
      reply is sent.
      
      After each reply to pending D-Bus message (reply_pending()) the
      service->pending is set NULL but since request_input_cb() holds the
      reference to the pending D-Bus message (user_data) there will be a
      second reply.
      
      This fixes the issue by 1) recording the error also when D-Bus error is
      other than Canceled to prevent connecting attempt at done label and 2)
      skipping hidden network connect in such case as well.
    • service: Signal when services are moved · be165aa6
      Benoît Monin authored
      When calling MoveBefore or MoveAfter on a service, no signal is emitted
      by ConnMan. This makes it impossible for a D-Bus client to maintain an
      ordered list of services in sync with ConnMan.
      
      This patch schedules the emission of the signal ServicesChanged from the
      function move_service(), so the new list will get published over D-Bus.
    • service: Return OperationAborted when agent gets Canceled · 2faa7972
      Daniel Wagner authored
      When the user decided to cancel the connect attempt, the agent sends
      net.connman.Agent.Error.Canceled. Currently, we return InvalidArgument
      for normal non-hidden networks and ConnectedAborted for hidden
      networks. Return OperationAborted also for non-hidden networks to
      avoid confusion on the user's end. That means the cancel operation was
      successful and nothing went wrong as invalid argument indicates.
      
      Reported by Vasyl Vavrychuk.
  4. 02 Jul, 2019 1 commit
  5. 01 Jul, 2019 1 commit
  6. 27 Jun, 2019 2 commits
  7. 25 Jun, 2019 6 commits
  8. 24 Jun, 2019 4 commits
    • l2tp: Use vpn-agent.c error processing for VPN agent errors. · f77d49e3
      Jussi Laakkonen authored
      Use vpn_agent_check_and_process_reply_error() to check and process VPN
      agent errors. Clear callback and pending D-Bus message (user_data) if
      error was processed to avoid calling the callback twice.
    • [connman] Save VPN service if autoconnect changes. Contributes to JB#45903 · ca72d6fa
      Jussi Laakkonen authored
      It is imperative to save the VPN service when autoconnect changes since
      otherwise the change is done only to run-time service settings and not
      written to disk if user has canceled VPN agent dialog, for example.
      Otherwise the data within connman and service file is out of sync, and
      next restart of connman will be a race between each VPNs that were
      attempted to connect but canceled by user.
    • vpn-provider: React to different error types in connect_cb() · 3b7259a4
      Jussi Laakkonen authored
      The connection callback (connect_cb()) can be called via vpn-agent.c to
      indicate that VPN agent dialog had an error or was cancelled in addition
      to calling the function via VPN plugin. Because of this the different
      error types should be handled properly.
      
      Errors:
       - EACCES is an authentication error: VPN_PROVIDER_ERROR_AUTH_FAILED.
       - ENOMSG and ETIMEDOUT are system reported errors and then the agent
         request needs to be canceled and error set unknown error.
       - ECANCELED is reported when user canceled VPN agent dialog, treat this
         as same as ECONNABORTED as the VPN may have been initialized already.
       - ECONNABORTED is set when connect_cb() is called via VPN plugin.  To
         ensure that proper disconnect -> idle cycle is done both driver and
         provider are set to disconnect state and eventually killed and put to
         idle state if the provider was 1) being connected or 2) already
         connected.
       - In other cases the VPN provider is set to failure state and connect
         error is indicated.
    • vpn-agent: Implement generic D-Bus error checker for plugins. · e83819bb
      Jussi Laakkonen authored
      It is not feasible for every VPN plugin to check the errors in D-Bus
      reply sent by VPN agent in their own way. This kind of general use makes
      reacting to the canceled, timed out or no response replies sent by VPN
      agent more common and less error prone.
      
      The check function (vpn_agent_check_and_process_reply_error()) takes in
      the reply, callback to provider connect function and the pending D-Bus
      message, that will be utilized by the callback
      (vpn-provider.c:connect_cb()). This way proper notifications are passed
      forwards and appropriate reply is sent to the caller of the VPN plugin
      connection request (connmand). By sending the reply the caller
      (connmand) can then disable autoconnection from the VPN to avoid
      re-connection in case the user canceled the VPN agent dialog.
      
      The errors that are reacted to:
       - net.connman.vpn.Agent.Error.Canceled -> ECANCELED
       - org.freedesktop.DBus.Error.Timeout -> ETIMEDOUT
       - org.freedesktop.DBus.Error.NoReply -> ENOMSG
       - any other error from VPN agent is EACCES
      
      Error in VPN agent or canceling the VPN agent should not be an error in
      the VPN provider and, therefore, set the provider state to idle. Also,
      if task was already running stop it to avoid leaving VPN processes
      running.
  9. 13 Jun, 2019 1 commit
    • [connman] Initialise counter table entry before registering service counter. Contributes to JB#45681 · db0374b5
      chriadam authored
      
      __connman_service_counter_register() calls service_send_initial_stats()
      which calls __connman_counter_send_usage() which attempts to look
      up the counter entry in the global counter table.
      
      This commit ensures that the counter entry is inserted into the
      global counter table prior to calling
      __connman_service_counter_register() to ensure that the initial
      statistics are sent to the counter.
  10. 10 Jun, 2019 1 commit
  11. 04 Jun, 2019 1 commit
  12. 03 Jun, 2019 1 commit
    • [connman] Add access control to connman-vpn dbus interface. Contributes to JB#45379 · 9c30b7d1
      flypig authored
      Currently access to the connman-vpn dbus interfaces (connection and
      manager) are controlled only by the policy config, which sets `<policy
      at_console="true">`, allowing access to all users.
      
      This change adds internal access control to the connection dbus
      interface, which is configurable using a similar plugin approach as the
      existing access method implemented for connman. It also adds a
      Sailfish-specific plugin that blocks access for non-privileged users
      based on a policy file installed at /etc/connman/vpn-dbus-access.conf.
      
      The exceptions are the GetProperties and GetConnections dbus methods
      which are available to all users (including nemo).
      
      This Sailfish configuration is needed for MDM, to prevent users from
      being able to connect to and disconnect from VPNs when this capability
      is being restricted by the MDM policy.
  13. 29 May, 2019 8 commits
    • [connman] Support main and VPN type storages in init and cleanup. JB#44950 · 810d8b98
      Jussi Laakkonen authored
      Add VPN type initialization value for storage context and use it as enum
      when initializing and clearing storage dir as well as detecting which
      one to use.
    • [connman] Add helper function to get appropriate storagedir. JB#44950 · 4cc73775
      Jussi Laakkonen authored
      Add storagedir_for() helper function. Returns VPN_STORAGEDIR if dir is
      VPN dir, otherwise STORAGEDIR.
    • [unit] Update VPN settings test state and storage dir use. JB#45657 JB#44950 · 547b2567
      Jussi Laakkonen authored
      Use changed vpn_settings_get_state_dir() and
      __vpn_settings_get_storage_dir(). Add debug support with --debug.
    • [connman] Separate main and vpn storage dir use. JB#45657 JB#44950 · 628daee5
      Jussi Laakkonen authored
      This changes to use STORAGEDIR for regular services (non-VPN) and
      VPN_STORAGE_DIR is used for VPN services (provider_ and vpn_ prefixed
      dirs). The main services are then stored in /connman whereas
      all VPN content is in /connman-vpn.
    • [vpn] Expose state dir func to plugins and fix storage dir return. JB#45657 · 4c0312b4
      Jussi Laakkonen authored
      Expose vpn_settings_get_state_dir() to plugins and use it instead of
      buildtime vpn_statedir.
      
      Return default storage dir if not set in VPN settings.
    • [vpn] Use configured paths instead of defaults. JB#45657 · f96ee843
      eeremin authored
      The __vpn_settings_init() which reads configuration file is
      called after __connman_storage_init() which sets default
      paths.  So connman-vpnd uses defaults irrelevant to
      configuration file settings.
      Signed-off-by: E.V.Eremin <e.eremin@omprussia.ru>
    • vpnc: Detect authentication and connection errors · cf6826db
      Jussi Laakkonen authored
      Add support for detecting authentication and connection errors reported
      by VPNC. These are read from stderr using GIOChannel.
      
      In case of an authentication error VPN_PROVIDER_ERROR_AUTH_FAILED is
      indicated. Authentication errors are:
       - hash comparison failed
       - authentication unsuccessful
       - expected xauth packet; rejected
      
      In case of a connection error VPN_PROVIDER_ERROR_CONNECT is
      indicated. Connect errors are:
       - unknown host
       - no response from target
       - receiving packet: No route to host
      
      The approach is imitated from how OpenVPN (openvpn.c) reads output via
      management channel.
    • vpnc: Implement VPN agent support · 09699771
      Jussi Laakkonen authored
      This adds VPN agent support for VPNC plugin. IPSec.Secret,
      Xauth.Username and Xauth.Password are queried from agent if not set in
      .config of the VPN provider.
      
      By default, VPNC does not save the credentials to provider config. The
      VPNC credentials stored by vpn-provider.c in the provider settings
      strings are cleared after run_connect() has finished.
      
      The values of IPSec.Secret, Xauth.Username and Xauth.Password are set to
      "-" in order to get them retrieved via VPN agent at next connect request.
      The credentials read from .config file are not being reset as the
      immutable value of them is checked first. This approach supports also
      partially defined credentials in .config, leaving some of them to be
      retrieved using a VPN agent. The immutable values are sent as
      informational, passwords are changed to "********" to hide them since
      the values cannot be changed.
      
      The approach for setting the credentials to "-" follows the approach of
      OpenVPN plugin, where credential set as "-" is retrieved over management
      interface.
      
      If the credential has something else than "-" set it is forwarded to VPN
      agent as old information, if at least one of the credentials is missing.
      In this case request_input_credentials() is called and a message is sent
      to VPN agent if any. request_input_credentials_reply() handles the
      message sent by VPN agent, or errors (Error.Canceled = ECONNABORTED and
      Error.Timeout = ETIMEDOUT) from VPN_AGENT_INTERFACE. vc_connect_done()
      is invoked to call the callback function, which is executed only once,
      with the error code, if any. In case of success, run_connect() is called
      and VPN is attempted to connect.
      
      When vc_notify() is called, it retrieves the plugin data from provider
      and utilizes its callback by calling vc_connect_done() with the proper
      error code, 0 being success.
      
      If plugin dies or is disconnected, vc_died() handles the shutdown by
      canceling all agent requests and calls vpn_died(). Last, the data
      allocated for the connection is free'd.
  14. 28 May, 2019 4 commits
  15. 22 May, 2019 2 commits
  16. 13 May, 2019 1 commit
    • [connman] Fix service preference check. Contributes to JB#43191 · 4959dc60
      Jussi Laakkonen authored
      Ignore VPN services in service preference check. VPNs are special case
      depending on other services as transport. They are never in preferred
      technologies lists.
      
      Use the preferred technology type list instead of using service_list. It
      was wrong to use service_list here as service_preferred_over() is called
      while sorting it and will result in undesirable results. This fixes the
      sorting by simply using the service types to get their position in the
      list.
      
      Service preference is based on the position of the service type in the
      preferred technology list. Lower index means that service type is
      preferred over the one having higher index in the list. If the service
      type is not in the preferred technology list, then the one being in that
      list is preferred. Function service_preferred_over() is changed to return:
       *  1 when service b is preferred over a
       * -1 when service a is preferred over b
       *  0 when preference sorting does not apply
      
      Connected VPNs are preferred over any other service. Non-connected VPNs
      should be left as last.
      
      Also reduce log noise on __connman_service_is_default_route().