1. 11 Sep, 2020 5 commits
    • doc: Document VPN connection split routing boolean. · 7a82e6ff
      Jussi Laakkonen authored
      [doc] Document VPN connection split routing boolean. JB#45606
    • vpn-provider: Support split routing option for VPN providers · 0a72d0ab
      Jussi Laakkonen authored
      [vpn-provider] Support split routing option for VPN providers. JB#45606
      Add the same option as service.c has on connmand side to vpnd in
      vpn-provider.c. Replace all uses of default route except in supporting
      it as a legacy option when loading from config value and receiving via
      D-Bus API. SplitRouting is a boolean in every form, internal, settings
      file and in D-Bus API.
      The "DefaultRoute" is converted to "SplitRouting" if it exists in the
      settings file. Also, if some component still wishes to use
      "DefaultRoute", it is converted to "SplitRouting" when received via D-Bus
      API. DefaultRoute "true" means the same as SplitRouting bool false.
      Property change notifications on DefaultRoute are not sent anymore and
      these are replaced with SplitRouting notifications.
    • vpn-config: Implement function to get boolean from keyfile · ed947fd0
      Jussi Laakkonen authored
      [vpn-config] Implement function to get boolean from keyfile. JB#45606
      Simple boolean getter for VPN keyfiles. In case of error (key missing or
      invalid boolean) the default value given is returned.
    • [unit] Accommodate split routing changes in service.c test. JB#45606 · 826942c3
      Jussi Laakkonen authored
      Change to use split routing instead of default route. Add logging
      support to the service.c unit test.
    • [connman] Replace default route opt with split routing use. JB#45606 · cc810fcc
      Jussi Laakkonen authored
      Default route option "DefaultRoute" is replaced with split routing use.
      The use is the complete opposite compared to default route option. When
      split routing is set as "true" the VPN is treated as non-default route,
      and when set as "false" (the default) VPN is used as the main gateway
      for traffic. This change removes the use of default route from connmand.
      To make it possible to use split routing, service.c:set_split_routing() is
      changed to __connman_service_set_split_routing() and
      provider.c:connman_provider_set_split_routing() using the aforementioned
      function is implemented (for plugins).
      Cleaned up some code as well (indentations). Removed our default route
      connection.c additions which proved to be unnecessary with split
  2. 09 Sep, 2020 2 commits
  3. 07 Sep, 2020 4 commits
  4. 08 Jul, 2020 2 commits
  5. 05 Jun, 2020 6 commits
    • Merge branch 'jb48869' into 'master' · f60c37e9
      ballock authored
      [firewall] Fix tests and special cases. JB#48869
      See merge request mer-core/connman!275
    • [unit] Add tests for iptables validator. JB#48869 · aeb7578d
      ballock authored
      This extends validator code coverage and also verifies that options do
      not accept empty strings as their parameters.
      Multiple -m matches are also tested.
    • [firewall] Fix iptables validator bugs. JB#48869 · 74c8d4d1
      ballock authored
      This example rule would fail, while being correct:
      -p tcp -m tcp ! --tcp-option 1 -m tcp ! --tcp-option 2 -j ACCEPT
      The reason is that tcp match has AF_UNSPEC instead of the particular
      AF_INET/AF_INET6 protocol specified in its requirements.
      Although it's possible to add a more complicated check (first to see
      if the match's family_dep is not UNSPEC, then if it equals the family),
      there's no need to, since we only execute cleanup when the match
      was already in the invoked_matches list, and it could have been there
      only if it meets the conditions of the match.
      Ergo: this check is unnecessary and harmful.
      tokens[i] will only be false at the end of the vector, not when the
      string is empty. Thus, this check does what the g_strv_length does.
      It turned out that the function allows an empty
      string ('') to be used as a correct value, which should not be allowed.
      Like with the previous function, we can either use tokens[i] to
      indicate vector end or g_strv_length. However, since we need to verify
      that the split vector is empty, this form was chosen.
    • [doc] Update firewall documentation. JB#48869 · 872ab71c
      ballock authored
    • Merge branch 'wifi-dontcrash' into 'master' · 61934257
      Slava Monich authored
      Clear wifi_bss -> wifi_network pointers when wifi_network is being deleted
      See merge request mer-core/connman!277
  6. 04 Jun, 2020 4 commits
    • [wifi] Clear wifi_bss -> wifi_network pointers on delete. JB#47990 · 15a3407d
      Slava Monich authored
      When WiFi is being turned off, wifi_network is getting deallocated before
      wifi_bss, causing crashes like this one:
         Invalid read of size 4
            at 0x3496E: wifi_network_update_strength (sailfish_wifi.c:1626)
            by 0x36A8D: wifi_device_bss_signal_changed (sailfish_wifi.c:2908)
            by 0x4CB06E7: _g_closure_invoke_va (gclosure.c)
            by 0x4CC3EF7: g_signal_emit_valist (gsignal.c)
            by 0x4CC42EB: g_signal_emit (gsignal.c)
            by 0x4B591F1: gsupplicant_bss_signal_property_change (gsupplicant_bss.c)
         Address 0x68b0038 is 8 bytes inside a block of size 100 free'd
            at 0x48432B0: free (vg_replace_malloc.c)
            by 0x34D75: wifi_network_delete (sailfish_wifi.c:1763)
            by 0x35321: wifi_device_delete_network (sailfish_wifi.c:2009)
            by 0x3538D: wifi_device_remove_all_networks_cb (sailfish_wifi.c:2036)
            by 0x4D434B3: g_slist_foreach (gslist.c)
            by 0x353BB: wifi_device_remove_all_networks (sailfish_wifi.c:2042)
            by 0x3895B: wifi_device_set_state (sailfish_wifi.c:3952)
            by 0x387D3: wifi_device_disable (sailfish_wifi.c:3883)
            by 0x39263: wifi_device_driver_disable (sailfish_wifi.c:4307)
            by 0x512AF: __connman_device_disable (device.c:265)
            by 0x8B3AB: technology_affect_devices (technology.c:742)
            by 0x8B835: technology_disable (technology.c:901)
            by 0x8BABF: set_powered (technology.c:1017)
            by 0x8BFA7: set_property (technology.c:1165)
    • Merge branch 'jb48797' into 'master' · c4ac4802
      Jussi Laakkonen authored
      [openfortivpn] Implement VPN plugin for openfortivpn. JB#48797
      See merge request mer-core/connman!258
    • [openfortivpn] Implement VPN plugin for openfortivpn. JB#48797 · 2213c44e
      Alexey authored
      Co-authored-by: Jussi Laakkonen <jussi.laakkonen@jolla.com>
      This adds a new VPN plugin that uses openfortivpn binary to access
      FortiNet VPNs with the help of ppp. Code is based on existing L2TP and
      OpenConnect plugins. Plugin structure follows same approach as in L2TP
      plugin. Property management is similar to OpenConnect plugin.
      Additionally, via patch in openfortivpn, --trust-all-certs is supported
      as a property to disable certificate signature checks. Following
      properties are supported so far, which are saved to the settings:
       Name                              Value                Option
       openfortivpn.AllowSelfSignedCert  string: true|false   --trust-all-certs
       openfortivpn.TrustedCert          string: fingerprint  --trusted-cert
       openfortivpn.Port                 string: digits
      By default, if Port is omitted, openfortivpn uses port 10433.
      Signed-off-by: Alexey Andreev <a.andreev@omprussia.ru>
      Signed-off-by: Jussi Laakkonen <jussi.laakkonen@jolla.com>
    • vpn: Constify struct vpn_driver pointer · d4924a38
      Slava Monich authored
      There's no reason for it to be writable
  7. 03 Jun, 2020 2 commits
  8. 29 May, 2020 10 commits
    • Merge branch 'jb49506' into 'master' · c56c3eec
      Jussi Laakkonen authored
      [connman] Add vpnd crash recovery functionality. Fixes JB#49506
      See merge request mer-core/connman!270
    • [unit] Improve storage tests for vpnd crash and request limit. JB#49506 · 0dc4cc02
      Jussi Laakkonen authored
      Use main loop iteration simulation for testing the timeout
      functionality. Add new tests for vpnd crashing alone, after and in
      between user change process.
      Implement some missing test cases to existing tests as well. Reorganize
      tests a bit.
      Add also fixes for most of the leaks and errors reported by valgrind.
      Still some oddities left. Most of the leaks seem to be from the
      g_test_run, though.
    • [unit] Fix iptables, globalproxy, storage, systemd login tests. JB#49506 · 223e0f17
      Jussi Laakkonen authored
      Fix iptables unit test tool, globalproxy test and storage test after
      storage changes. Add notifier stubs for systemd login test.
    • [config] Register to storage notifications for config inotify. JB#49506 · 3ab96ef9
      Jussi Laakkonen authored
      Listen and react to user id changes in config.c. Add a notifier for the
      new user to listen for config changes. If the user id is different from
      the one connmand is running, add notifier to it and copy the storagedir
      of that user to be removed later on from inotify (shutdown or another
      user change).
    • [systemd login] Register to storage notifications. JB#49506 · 6f98b9ba
      Jussi Laakkonen authored
      Register to storage notifications to receive uid changes. Set the uid
      always to login_data, if it exists.
    • [connman] Add uid changed notifier use to storage callbacks. JB#49506 · 0befa35a
      Jussi Laakkonen authored
      Use __connman_notifier_storage_uid_changed() as storage uid_changed
    • [storage] Limit user change reqs, vpnd crash recovery with timeouts. JB#49506 · 2b930b9d
      Jussi Laakkonen authored
      1) Record D-Bus pending call to restrict one user change call to be made
      at a time. If there is a pending call report back EBUSY to differentiate
      that process from the EALREADY reported when user is already set as the
      one that is requested.
      2) Send current uid to vpnd if it restarts after crash. This is achieved
      by implementing a service watcher for vpnd that sets a bool for sending
      the current uid to vpnd when it comes back to keep connmand and vpnd
      synchronized. Removal detection is used to avoid sending the user change
      when services are starting.
      storage.c now also saves the current uid that was required for the vpnd
      synchronization. This allows for more robust error replies in case the
      uid is already set.
      Added uid changed callback and use of it in uid changes. In order to
      support both connmand and vpnd the notify functionality must be added as
      a callback. Vpnd does not use notify, nor does it save the uid.
      When getting a reply from vpnd the uid in the request data may equal the
      current_uid in case when vpnd has crashed and connmand has sent a user
      change message after detecting vpnd to be back online. It is feasible to
      stop processing at that point to avoid additional unnecessary calls to
      be made.
      In error cases when returning to root user use geteuid() instead of 0 as
      3) Add functionality for sending a delayed user change when a) there is
      already a pending user change waiting for a reply (timeout) b) a service
      or D-Bus related error is reported back. This enables better error
      tolerance and handling the potential crashes in between user change
    • [notifier] Add storage uid changed notify functionality. JB#49506 · c0ae879d
      Jussi Laakkonen authored
      Storage does need to inform about user id changes to other components
      using the user change functionality. This enables informing about the
      newly set uid.
    • Merge branch 'optimize_wifi' into 'master' · 2877561f
      Slava Monich authored
      Optimize WiFi
      See merge request mer-core/connman!273
  9. 28 May, 2020 5 commits