1. 14 Jun, 2021 3 commits
  2. 11 Jun, 2021 4 commits
  3. 09 Jun, 2021 2 commits
  4. 03 May, 2021 1 commit
  5. 27 Apr, 2021 13 commits
    • vpn-provider: Support all true/false options in vpn_provider_get_boolean · 28e3e34d
      Jussi Laakkonen authored
      [vpn-provider] Support all true/false opts boolean set. JB#53542
      
      Support also "yes" and "1" values for true boolean, similarly support
      "no" and "0" for false boolean in vpn_provider_get_boolean(). VPNs using
      PPPD do support all these strings for boolean values as strings.
    • [openfortivpn] Control IPv6 data leak prevention with additional PPPD noipv6. JB#53542 · a7aecf15
      Jussi Laakkonen authored
      Add the PPPD supported option noipv6 to be used to control the IPv6 data
      leak prevention feature. The value must be explicitly set to true to
      enable the feature.
      
      OpenFortiVPN does not yet support the option but as it uses PPPD the
      option may be enabled in future releases.
    • vpnc: Control IPv6 data leak prevention with additional option · 22c0dc74
      Jussi Laakkonen authored
      [vpnc] Control IPv6 data leak prevention with additional option. JB#53542
      
      Add "VPNC.BlockIPv6" option for VPNC to control the IPv6 data leak
      prevention feature. If omitted it defaults to false; the feature must
      be explicitly set to true.
      
      VPNC does not have a separate option to be used, but for convenience
      the value is saved along with the VPNC provider configuration.
    • pptp: Control IPv6 data leak prevention option with PPPD noipv6 · dca4f682
      Jussi Laakkonen authored
      [pptp] Control IPv6 data leak prevention option with PPPD noipv6. JB#53542
      
      Add the PPPD supported noipv6 option to supported pptp options.
      
      Control the IPv6 data leak prevention feature with PPPD option noipv6.
      Require this value to be explicitly set in order to use the feature.
    • l2tp: Control IPv6 data leak prevention option with PPPD noipv6 · 77b2b104
      Jussi Laakkonen authored
      [l2tp] Control IPv6 data leak prevention option with PPPD noipv6. JB#53542
      
      Add PPPD supported noipv6 option to supported L2TP options.
      
      Control the IPv6 data leak prevention feature with PPPD option noipv6.
      Require this value to be explicitly set in order to use the feature.
    • openvpn: Control IPv6 data leak prevention with --block-ipv6 option · c549a570
      Jussi Laakkonen authored
      [openvpn] Control IPv6 data leak prevention with --block-ipv6 option. JB#53542
      
      Use the --block-ipv6 option that is added in OpenVPN version >= 2.5
      (https://build.openvpn.net/man/openvpn-2.5/openvpn.8.html) to control
      the feature to prevent data leak for the VPN if it has IPv6 set as off and
      ipconfig disabled. If the option is omitted, disable the data leak
      prevention feature and require the option to be explicitly enabled in
      order to enable it.
    • openconnect: Control provider data leak prevention with DisableIPv6 value · b74707ed
      Jussi Laakkonen authored
      [openconnect] Control provider data leak prevention with DisableIPv6 value. JB#53542
      
      Control the provider data leak prevention value using the OpenConnect
      DisableIPv6 to tell connmand whether to use IPv6 blocking or not.
      Value defaults to false.
    • vpn-provider: Add PreventIpv6DataLeak to provider bool settings · 4ab5f78a
      Jussi Laakkonen authored
      [vpn-provider] Add PreventIPv6DataLeak to provider bool settings. JB#53542
      
      Support PreventIPv6DataLeak value changing on provider. Emit
      PropertyChanged signal to connmand when value is set. This value depends
      on the actual VPN setting and does not need to be saved along provider
      settings.
      
      Add a helper function for VPN plugins to use for changing the value, as
      each plugin uses it, to simplify code. The function supports enabling of
      either or both of the IP family networks but current functionality
      changes only the PreventIPv6DataLeak value. This is meant to be a
      part of future plans.
    • vpn: Add PreventIPv6DataLeak boolean to D-Bus properties · 61a59dc9
      Jussi Laakkonen authored
      [vpn] Add PreventIPv6DataLeak boolean to D-Bus properties. JB#53542
      
      Add PreventIpv6DataLeak as a run-time changeable property emitted by
      vpn-provider.c. This changes the behavior on whether to disable/block
      the feature to disable IP family that is not used (currently only for
      disabling IPv6) on the particular provider if the provider does not
      have either of the IP families enabled.
    • [service] Remove provider family check if split routing changes. JB#53542 · ba77a799
      Jussi Laakkonen authored
      Not necessary to check the family of the VPN here. Let it rely on the
      provider setting whether to enable or disable IPv6.
    • [provider] Allow to control VPN data leak prevention on provider basis. JB#53542 · 4b154272
      Jussi Laakkonen authored
      Add a function connman_provider_set_ipv6_data_leak_prevention() to be
      used to control whether IPv6 is to be disabled on a provider when
      connected. Defaults to false so the feature is by default off and needs
      to be explicitly set on.
      
      Also skip IPv6 disabling if the transport is a VPN with IPv6. This is a
      future-proof case when we start to support multiple VPNs at the same
      time.
    • provider: Reformat IPv6 toggle function to use service.c functionality · c4edf1a6
      Jussi Laakkonen authored
      [provider] Reformat IPv6 toggle function to use service.c funct. JB#53542
      
      Moved the IPv6 toggling functionality for the most part to service.c and
      this change adapts to the change. Only the VPN service checks are kept
      in provider.c and IPv6 is disabled for all connected services instead of
      using transport only and disabling IPv6 on system level. Current VPN and
      transport services are passed to the service.c functionality to exclude
      VPN service and always include transport service in IPv6 changes.
      
      Changed to use "enable" to be in line with rest of the code. This
      removes the need to use a lot of negations and perhaps it is easier to
      understand the code as well.
      
      Allow to change IPv6 only for VPNs that are connected (ready, as VPNs
      cannot reach online state).
      
      Prevent running the function as a loop within loop. This might happen
      when current transport service is disconnected that in turn causes the
      VPN to be disconnected as well. Then while looping through the services
      another disconnect on the transport will get provider_indicate_state()
      called again.
      
      When re-enabling IPv6 enable the internal IPv6 support prior to resuming
      IPv6 functionality on service basis. When disabling IPv6 do the internal
      disabling after the services are handled. This is due to the changes
      that were required for network.c to get new connections enabled but IPv6
      disabled if IPv6 is internally disabled.
  6. 21 Apr, 2021 11 commits
    • service: Support IPv6 enable/disable for connected services · 36674c81
      Jussi Laakkonen authored
      [service] Support IPv6 enable/disable for conn services. JB#53542
      
      Implement support for enabling/disabling IPv6 for every connected
      service excluding the VPN and including the VPN transport. This is used
      when an IPv4 VPN is connected to avoid leaking of data to IPv6 network
      by disabling IPv6 for all services when connected and when disconnecting
      the VPN re-enable IPv6.
      
      When disabling the old IPv6 method is recorded, address is cleared, IPv6
      network is disconnected, then turned to idle and notified. When enabling
      IPv6 method is restored and simply enabling the ipconfig is required in
      order to get the IPv6 connectivity to be resumed. In case the transport
      has been disconnected prior to VPN disconnect it is imperative to do the
      changes only to ipconfig to avoid changing the state of the transport.
      
      Remove unnecessary __connman_service_notify_ipv6_configuration added in
      5b7e6fc0
      
      Change function name and use bool value as enable - remove negation.
      
      Adapt to network.c changes in __connman_network_enable_ipconfig() to not
      include the force value. Instead use directly
      __connman_ipconfig_set_force_disabled_ipv6() to set the ipconfig
      internal value.
    • network: Prevent enabling IPv6 for network if internally disabled · 9454f93d
      Jussi Laakkonen authored
      [network] Don't enable IPv6 for network if internally disabled. JB#53542
      
      If a new connection comes up/is manually connected when IPv6 is
      internally disabled for an IPv4 VPN the IPv6 configuration for the
      network must be prevented. If the different IPv6 method functions do
      this then an error is received from ipconfig.c which will propagate to
      disabling of the new connection completely as network error is
      triggered. This way IPv6 is silently ignored and forcefully set as
      disabled to be re-enabled when VPN is disconnected.
      
      Disable force disabled in IPv6 ipconfig when clearing the IPv6 address
      in set_disconnect(). This is required when re-enabling IPv6 for kernel
      to clear the values in order to return the proper /proc values for the
      interface in case IPv6 was disabled for IPv4 VPN. Also restore the
      original IPv6 method before setting disconnected to make kernel know
      about the changes as well. Otherwise IPv6 on some occasions is not
      enabled on the interface when, e.g., changing to another service of same
      type technology.
      
      Adapt to ipconfig.c changes to remove the force value from the IPv6
      enable/disable functions. Instead use the direct ipconfig.c function to
      set the value for force disabled. Thus, reverting most of the changes
      done in 2031f665
    • ipconfig: IPv6 method restore, force disabled to own func, always set autoconf · c00d00dd
      Jussi Laakkonen authored
      [ipconfig] IPv6 method restore, force disabled to own func, always set autoconf. JB#53542
      
      Add functions to save and restore old IPv6 method. This is useful when
      IPv6 is disabled temporarily for the time IPv4 VPN is used. First save
      the IPv6 method before disabling and call restore when IPv6 needs to be
      set up again using the old method.
      
      Also, do not change system wide IPv6 disable_ipv6 with
      __connman_ipconfig_set_ipv6_support(). Add also getter for the internal
      IPv6 state.
      
      Move the force disabled use from the enable/disable functions to own
      separate getter and setter.
      
      It is more straightforward to always disable/enable autoconf for IPv6
      interface instead of managing it internally as well. This is a key
      feature in disabling IPv6 along the disable_ipv6 value in /proc so
      autoconf must be treated similarly as well. Do not save the value to be
      more consistent in use.
      
      When saving ipconfig use the original IPv6 method if the ipconfig is
      force disabled. This ensures that "OFF" method is not saved to settings
      file if the service and its ipconfig gets saved.
      
      Remove accept_ra completely as unnecessary. autoconf is only required.
    • Merge branch 'jb53116-alternative' into 'master' · 458236e3
      ballock authored
      [dhcpv6] Do not fail when no keyfile saved. Fixes JB#53116
      
      See merge request !312
    • [unit] Remove __connman_storage_open_service tests · 4410c342
      Boleslaw Tokarski authored
      Upstream stopped using __connman_storage_open_service function, and we
      removed it from our code too. No need to test it.
    • storage: Remove unused __connman_storage_open_service() · c0948d1f
      Daniel Wagner authored
      There is no user left for __connman_storage_open_service(). Thus
      remove it.
    • [storage] Secure use of cached keyfiles · 2f7a4a6b
      Boleslaw Tokarski authored
      This is a Jolla-unique change due to heavy customization of storage.c
      
      Upstream decided to save its service data to file with an assumption
      that it is empty by default and it is ok to create a new keyfile.
      
      Meanwhile, we have decided to cache the keyfiles read from config files.
      This causes a conflict, where service_save may order storage_save to
      write a different keyfile to disk than the one loaded to cache with
      storage_load. Afterwards, reading key-var values with storage_load would
      return values stored in cache instead of those stored in file.
      
      Thus, just like upstream storage_save would write to disk, and
      subsequent storage_load would read from disk, we clean the cache, and
      any subsequent storage_load would use the keyfile that was ordered to be
      stored.
      
      Although the fact that the keyfile variables are different would already
      be suspicious, and is indicated by a debug print, this order may work
      perfectly in upstream, and with this change we can be relatively sure
      that we are not introducing any regressions compared to upstream.
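The cache/disk mismatch described in the commit above, modelled as an added example (this is not ConnMan's storage.c). The "disk" is a dict of keyfile text, Python's configparser stands in for GKeyFile, and the service identifier and settings are constructed. It shows the stale read that results when service_save hands storage_save a keyfile the cache never produced, and the fix of dropping the cached entry on save so the next load re-reads the file.

```python
"""Toy cached keyfile storage showing the stale-read problem and its fix.

Added example, not ConnMan's storage.c. The "disk" is a dict of keyfile
text and the cache holds parsed keyfiles, like the storage_load/storage_save
pair the commit describes; configparser stands in for GKeyFile.
"""
import configparser
import io


def new_keyfile():
    kf = configparser.ConfigParser()
    kf.optionxform = str          # keep key case, as GKeyFile does
    return kf


class Storage:
    def __init__(self, drop_cache_on_save):
        self.disk = {}            # ident -> keyfile text ("disk")
        self.cache = {}           # ident -> parsed keyfile
        self.drop_cache_on_save = drop_cache_on_save

    def load(self, ident):
        """storage_load: parse from disk once, then answer from the cache."""
        if ident not in self.cache:
            kf = new_keyfile()
            kf.read_string(self.disk.get(ident, ""))
            self.cache[ident] = kf
        return self.cache[ident]

    def save(self, ident, kf):
        """storage_save: write whatever keyfile the caller built. With the
        fix, a cached copy that is not the object being saved is discarded
        so the next load re-reads what actually went to disk."""
        buf = io.StringIO()
        kf.write(buf)
        self.disk[ident] = buf.getvalue()
        if self.drop_cache_on_save and self.cache.get(ident) is not kf:
            self.cache.pop(ident, None)


def scenario(drop_cache_on_save):
    """Constructed service ident and settings. A service_save built on an
    empty keyfile (as upstream now does) switches IPv4.method from dhcp to
    manual; return (value before save, value a later load reports)."""
    st = Storage(drop_cache_on_save)
    ident = "wifi_0011223344_example_managed_psk"      # constructed ident
    st.disk[ident] = f"[{ident}]\nIPv4.method=dhcp\n"
    before = st.load(ident)[ident]["IPv4.method"]     # warms the cache

    fresh = new_keyfile()                             # not the cached object
    fresh[ident] = {"IPv4.method": "manual", "IPv4.netmask_prefixlen": "24"}
    st.save(ident, fresh)

    return before, st.load(ident)[ident]["IPv4.method"]


if __name__ == "__main__":
    print("cached copy kept:     ", scenario(False))  # ('dhcp', 'dhcp'): stale
    print("cache dropped on save:", scenario(True))   # ('dhcp', 'manual')
```

The `is not kf` test is the point: a save of the very object the cache handed out keeps the cache coherent by itself, so only a foreign keyfile needs to evict the entry.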
    • dhcpv6: Do not fail when no keyfile saved · cec70c16
      Boleslaw Tokarski authored
      During a DHCPv6 transaction, a DUID field was requested from storage by
      calling connman_service_load_service, which tried to open the keyfile on
      drive. If the service was not a newly created one, its data would get
      written to the keyfile and DHCPv6 solicitation would proceed, even if
      the keyfile would not contain the DUID value - a new one would be
      generated with the set_duid function.
      
      However, since the function connman_service_load_service fails when the
      file is not present, and does not create a new one, the rest of the
      set_duid function was not executed, and the DHCPv6 solicitation packet
      failed to be sent, rendering IPv6 on the interface as non-working.
      
      Also, the previous behaviour interferes badly with keyfile storage.
      A potential service save operation may overwrite the previously written
      duid value.
      
      This change adds a struct connman_ipconfig member, dhcpv6_duid, provides
      getter and setter functions for it, and modifies
      __connman_ipconfig_load and __connman_ipconfig_save functions to load
      and store the value along with the connman_ipconfig structure.
      Initialization did not need to be modified, since the structure is
      allocated with g_try_new0, which zeros the dhcpv6_duid pointer. The
      memory is freed in __connman_ipconfig_unref_debug.
    • ipconfig: Use prefix in store_{set|get}_int() · 520a3957
      Daniel Wagner authored
      The prefix/key pair should be used when writing or reading the integer
      values.
      
      Fixes: e72c871ab44c ("ipconfig: Refactor keyfile store and load operations")
    • ipconfig: Refactor keyfile store and load operations · e9ae1e74
      Daniel Wagner authored
      Move the open coded lookup key generation into small helpers which
      create the ipconfig prefix (IPv4 or IPv6). Also move the checks into
      the helper which are generic. This makes the save and load functions
      less cluttered.
    • service: Store configuration in empty keyfile · 8a67c14d
      Daniel Wagner authored
      Instead of loading the keyfile from disk with the old configuration,
      start with an empty configuration. Because we do not have a previous
      configuration which needs to be updated we can drop all the remove
      code. This avoids complex code paths when switching from one
      connection method to the next one (dhcp to manual and back).
  7. 17 Mar, 2021 6 commits
    • Merge branch 'jb48769' into 'master' · 15e368f1
      Jussi Laakkonen authored
      [connman] Prevent IPv4 only VPN data and DNS leak to IPv6. Fixes JB#48769
      
      See merge request !257
    • [unit] Adapt to service.c and provider changes in service test. JB#48769 · 93f0a73d
      Jussi Laakkonen authored
      Remove use of the VPN dependency from the unit test. Remove connection.c
      build dependency and replace functions with dummies.
      
      Add provider family and VPN phy index dummies.
      
      Use service_hash and add provider dummy to have the service_hash
      supported within the test.
    • service: Toggle VPN transport IPv6 when split routing changes · 7a2c4378
      Jussi Laakkonen authored
      [service] Toggle VPN transport IPv6 when split routing changes. JB#48769
      
      Enable/disable IPv6 on the VPN's transport when the split routing value
      is changed. This is important in both cases when a connected IPv4 VPN
      has the value changed: with split routing -> non-split routing IPv6
      should be disabled, and with non-split routing -> split routing IPv6
      should be re-enabled.
    • provider: Toggle IPv6 on the transport of IPv4 VPN connection · d68291d6
      Jussi Laakkonen authored
      [provider] Toggle IPv6 on the transport of IPv4 VPN. JB#48769
      
      Add support to disable/enable IPv6 on the transport of the VPN that uses
      IPv4. This change eliminates the data and DNS leak to IPv6 when
      dual-stack transport is used on an IPv4-only VPN. Otherwise with an AAAA
      record for a requested hostname the traffic can bypass the VPN to
      transport's IPv6 network if the DNS server of the VPN serves both A
      and AAAA requests.
      
      If multiple connection technologies (SingleConnectedTechnology omitted
      or false) are in use IPv6 support is changed on system level. The value
      of SingleConnectedTechnology does not change run-time so there should
      not be a possibility for inconsistent state.
      
      To get the transport utilize the recorded transport from plugins/vpn.c.
      
      Disable IPv6 when state changes to READY (also ONLINE but that is never
      used with VPNs) for IPv4 provider. Record the old IPv6 method for
      re-enabling the IPv6 on the used transport.
      
      When provider state changes to DISCONNECT or FAILURE re-enable IPv6 on
      the transport using the recorded method.
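The leak and the fix described in this commit, and in the 27 Apr 2021 provider/service/network/ipconfig commits above (c4edf1a6, 36674c81, 9454f93d, c00d00dd: disable IPv6 on every connected non-VPN service including the transport, save and restore the IPv6 method, force IPv6 off on services that connect meanwhile, guard against the loop-within-loop), modelled as an added example. This is not ConnMan code: the host layout, interface names and resolver records are constructed, and the /proc/sys/net/ipv6/conf values are simulated in a dataclass so it runs without root. The resolver lists the AAAA record first, which is how a dual-stack host normally orders getaddrinfo() results and is exactly why the leak happens.

```python
"""Model of the IPv6 leak from an IPv4-only VPN and of the per-interface fix.

Added example, not ConnMan code: /proc/sys/net/ipv6/conf values and the
provider/service state handling are simulated in memory.
"""
from dataclasses import dataclass
import ipaddress


@dataclass
class Iface:
    name: str
    ipv6_method: str = "auto"    # IPv6 method connman keeps for the service
    disable_ipv6: int = 0        # /proc/sys/net/ipv6/conf/<name>/disable_ipv6
    autoconf: int = 1            # /proc/sys/net/ipv6/conf/<name>/autoconf
    has_v4_default: bool = False
    has_v6_default: bool = False


# Constructed resolver answer for a dual-stack name; AAAA first, as a host
# with a global IPv6 address normally prefers it.
RECORDS = {"example.test": ["2001:db8::1", "192.0.2.1"]}


def make_host():
    """Constructed dual-stack device: vpn0 is an IPv4-only VPN over wlan0."""
    return {
        "vpn0": Iface("vpn0", ipv6_method="off", has_v4_default=True),
        "wlan0": Iface("wlan0", has_v4_default=True, has_v6_default=True),
    }


def egress(host, name):
    """First (address, interface) with a usable default route. Dict order is
    the routing preference, so a connected VPN wins for IPv4."""
    for addr in RECORDS[name]:
        v6 = ipaddress.ip_address(addr).version == 6
        for ifname, i in host.items():
            usable = (i.has_v6_default and not i.disable_ipv6) if v6 else i.has_v4_default
            if usable:
                return addr, ifname
    return None, None


class Provider:
    """READY: if PreventIPv6DataLeak is explicitly true (default false) and the
    VPN is IPv4-only, switch IPv6 off on every connected service except the
    VPN. DISCONNECT/FAILURE: restore the saved methods."""

    def __init__(self, host, vpn_if, prevent_ipv6_leak=False):
        self.host, self.vpn_if = host, vpn_if
        self.prevent = prevent_ipv6_leak
        self.saved = {}              # iface -> IPv6 method before disabling
        self.ipv6_enabled = True     # internal (ipconfig-wide) IPv6 state
        self.busy = False            # loop-within-loop guard

    def set_ipv6(self, enable):
        if self.busy:                # transport disconnect can re-enter here
            return
        self.busy = True
        try:
            if enable:               # internal support first, then services
                self.ipv6_enabled = True
            for name, i in self.host.items():
                if name == self.vpn_if:
                    continue
                if enable:
                    i.ipv6_method = self.saved.pop(name, i.ipv6_method)
                    i.disable_ipv6, i.autoconf = 0, 1
                else:
                    self.saved.setdefault(name, i.ipv6_method)
                    i.ipv6_method, i.disable_ipv6, i.autoconf = "off", 1, 0
            if not enable:           # services first, then internal state
                self.ipv6_enabled = False
        finally:
            self.busy = False

    def add_service(self, iface):
        """A service connecting while IPv6 is internally disabled comes up with
        IPv6 forced off instead of failing its whole configuration."""
        self.host[iface.name] = iface
        if not self.ipv6_enabled:
            self.saved[iface.name] = iface.ipv6_method
            iface.ipv6_method, iface.disable_ipv6, iface.autoconf = "off", 1, 0

    def indicate_state(self, state):
        vpn = self.host[self.vpn_if]
        if state == "ready" and self.prevent and vpn.ipv6_method == "off":
            self.set_ipv6(False)
        elif state in ("disconnect", "failure"):
            vpn.has_v4_default = False      # tunnel routes go away
            if not self.ipv6_enabled:
                self.set_ipv6(True)


def demo(prevent):
    """VPN up/down cycle: where example.test egresses while the VPN is up,
    the forced state of a service connecting meanwhile, egress after the VPN
    is gone, wlan0's restored (method, disable_ipv6, autoconf), eth0 restored."""
    host = make_host()
    p = Provider(host, "vpn0", prevent_ipv6_leak=prevent)
    p.indicate_state("ready")
    while_up = egress(host, "example.test")
    p.add_service(Iface("eth0", has_v4_default=True, has_v6_default=True))
    eth0_forced = (host["eth0"].disable_ipv6, host["eth0"].autoconf)
    p.indicate_state("disconnect")
    after = egress(host, "example.test")
    w = host["wlan0"]
    return while_up, eth0_forced, after, (w.ipv6_method, w.disable_ipv6, w.autoconf), host["eth0"].disable_ipv6


if __name__ == "__main__":
    print("default (leaks):        ", demo(False))
    print("PreventIPv6DataLeak=true:", demo(True))
```

With the flag left at its default the AAAA answer is reachable over wlan0 and the connection never touches vpn0; with it set, wlan0 has disable_ipv6=1 and autoconf=0 for the life of the tunnel, the A record is used over vpn0, and the saved "auto" method returns to wlan0 (and to the eth0 that came up meanwhile) once the VPN is down.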
    • service: Sort VPNs using the transport service if connected · f839c26f
      Jussi Laakkonen authored
      [service] Sort VPNs using the transport service if connected. JB#48769
      
      Use the transport to verify the order of the connected VPN services. If
      there is a transport service in use that ranks lower than another
      service it means that the order must be changed based on comparing the
      transport and the service instead of comparing VPN and the service. This
      is because the higher ranking service should then become the transport
      of the VPN.
      
      This ensures that when the list is sorted the transport check in
      plugins/vpn.c will make the VPN switch to the new transport that is
      enabled to be the default. The service ident from the hash table is used
      for searching because the index cannot be retrieved from the list
      while sorting the list.
    • vpn: Return transport ident with get_property() · 0d574b05
      Jussi Laakkonen authored
      [vpn] Return transport ident with get_property(). JB#48769
      
      Return the service_ident with "Transport" keyword given to
      get_property(). Plugin tracks the transport and this can be used
      elsewhere as well.
      
      It is important to free the service_ident after notifying provider about
      state change as the service_ident is useful for IPv6 checks when
      disconnecting.