[RFC connman v2 0/1] Add wpa_supplicant WPA3-SAE support
by Ariel D'Alessandro
Hi all,
Here's another attempt at adding WPA3-SAE support to connman
(wpa_supplicant backend).
I'd like comments on the following mainly:
Based on plugin/iwd.c, a private data struct is added to each network
in plugin/wifi.c so it can keep track of keymgmt capabilities, needed to
use WPA3-SAE if it's available. See RFC v1 thread for more details.
Note that this is an RFC patchset. Feel free to give any kind of
feedback, always appreciated :-)
Changes from v1:
* Dropped changes to service API.
* Unified WPA3-SAE under WPA-PSK.
* Added private data struct to network in plugin/wifi.c
Regards,
Ariel D'Alessandro (1):
WIP: Add wpa_supplicant WPA3-SAE support
gsupplicant/gsupplicant.h | 10 ++++++++++
gsupplicant/supplicant.c | 33 ++++++++++++++++++++++++++++++---
plugins/wifi.c | 21 +++++++++++++++++++++
3 files changed, 61 insertions(+), 3 deletions(-)
--
2.30.2
[PATCH 1/3] doc: Add net.connman.iwd.NetworkConfiguration API doc
by Andrew Zaborowski
---
doc/network-configuration-api.txt | 52 +++++++++++++++++++++++++++++++
1 file changed, 52 insertions(+)
create mode 100644 doc/network-configuration-api.txt
diff --git a/doc/network-configuration-api.txt b/doc/network-configuration-api.txt
new file mode 100644
index 00000000..5c302a37
--- /dev/null
+++ b/doc/network-configuration-api.txt
@@ -0,0 +1,52 @@
+Network Configuration hierarchy
+===============================
+
+Service net.connman.iwd
+Interface net.connman.iwd.NetworkConfiguration [Experimental]
+Object path /net/connman/iwd/{phy0,phy1,...}/{1,2,...}/{ipv4,ipv6}
+Object path /net/connman/iwd/{phy0,phy1,...}/p2p_peers/{aa_bb_cc_dd_ee_ff}
+
+Properties object Device [readonly]
+
+ The object path of the station, access point or P2P
+ device that this network configuration is active on.
+
+ In station mode, when network configuration is
+ enabled there may be one or two objects using this
+ interface and active on the same device: two if both
+ IPv4 and IPv6 addresses have been configured.
+
+ In P2P mode, this interface always refers to IPv4
+ network configuration.
+
+ string Method [readonly]
+
+ Indicates whether the local address was set
+ statically (value "static") or obtained automatically
+ such as through DHCP (value "auto"). Even when the
+ address was obtained from the remote end some
+ configuration bits, such as DNS addresses, may have
+ been overridden locally.
+
+ string Address [readonly]
+
+ Holds the local IP address.
+
+ byte PrefixLength [readonly]
+
+ Holds the prefix-length of the local subnet. For
+ IPv4 this maps to the netmask.
+
+ string Gateway [readonly, optional]
+
+ Holds the gateway address for the IPv4 subnet if one
+ exists.
+
+ array(string) DomainNameServers [readonly, optional]
+
+ Holds the list of domain name servers configured if
+ any.
+
+ string DomainNames [readonly, optional]
+
+ Holds the network's local domain names if any exist.
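Review bot: the property descriptions are inconsistent with the object paths declared at the top of the hunk. The paths cover both `{ipv4,ipv6}` objects, yet `Gateway` is documented as "the gateway address for the IPv4 subnet" only, and `DomainNames` is typed `string` while its text says "local domain names" (plural), which reads like `array(string)`, the type used for `DomainNameServers`. Either document the IPv6 gateway case and make `DomainNames` an array, or state explicitly that these two properties are IPv4-only / single-valued.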
--
2.30.2
[PATCH] Add capability for port in restricted range.
by Michael Johnson
This fixes an issue where the udp port was not being opened due to a
permission denied error. The result of this was the dhcp client would
fail to send the renewal request and so the dhcp lease would expire.
The addition of the CAP_NET_BIND_SERVICE capability allows the service
to open sockets in the restricted port range (<1024) which is required
for dhcp.
---
src/iwd.service.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/iwd.service.in b/src/iwd.service.in
index 96e4abac..ab0a5da7 100644
--- a/src/iwd.service.in
+++ b/src/iwd.service.in
@@ -11,7 +11,7 @@ ExecStart=@libexecdir@/iwd
NotifyAccess=main
LimitNPROC=1
Restart=on-failure
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE
PrivateTmp=true
NoNewPrivileges=true
DevicePolicy=closed
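Review bot: the widened `CapabilityBoundingSet` is the only change to the unit's sandbox (`NoNewPrivileges=true`, `PrivateTmp`, `DevicePolicy=closed` are untouched), but nothing in the unit file records why `CAP_NET_BIND_SERVICE` is needed. Add a comment above the line, e.g. `# CAP_NET_BIND_SERVICE: DHCP client binds UDP port 68 for lease renewal`, so a later hardening pass does not drop it as unused and silently reintroduce the renewal failure described in the commit message.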
--
2.25.1
DHCP renewal
by Michael Johnson
Hi all,
I'm having a problem with the DHCP component of iwd whereby I have it
sending the initial request and getting the IP fine but when it comes time
for renewal (in my case after 1 hour) then there is an error and the DHCP
lease is left to expire. Turning on the IWD_DHCP_DEBUG flag I get this
output:
Jun 28 14:46:25 p3-1337 iwd[7281]: [DHCPv4] dhcp_client_t1_expired:626
Jun 28 14:46:25 p3-1337 iwd[7281]: [DHCPv4] dhcp_client_t1_expired:628
Entering state: DHCP_STATE_RENEWING
Jun 28 14:46:25 p3-1337 iwd[7281]: [DHCPv4] dhcp_client_send_request:394
Jun 28 14:46:25 p3-1337 iwd[7281]: [DHCPv4] dhcp_client_t1_expired:633
Sending request failed: Socket operation on non-socket
Jun 28 14:46:25 p3-1337 iwd[7281]: [DHCPv4] dhcp_client_send_release:487
Jun 28 14:46:25 p3-1337 iwd[7281]: [DHCPv4] l_dhcp_client_stop:1199
Entering state: DHCP_STATE_INIT
Does anyone know what might be causing this? I'm still learning the code
base but I don't see anything obvious wrong (and I can't be sure this isn't
a problem with my system).
This is with the latest master build of both iwd and ell.
Michael
[PATCH] Send hostname as part of DHCP request.
by mjohnson459@gmail.com
This is based on a previous patch by Roberto Santalla Fernández.
A new config is introduced into the network config file under IPv4
called SendHostname. If this is set to true then we add the hostname
into all DHCP requests. The default is false.
---
src/iwd.network.rst | 6 ++++++
src/netconfig.c | 15 +++++++++++++++
2 files changed, 21 insertions(+)
diff --git a/src/iwd.network.rst b/src/iwd.network.rst
index 083b2103..472caca8 100644
--- a/src/iwd.network.rst
+++ b/src/iwd.network.rst
@@ -322,6 +322,12 @@ network configuration with the static addresses.
`optional`. DomainName setting can be used to override the DomainName
value obtained from the DHCP server.
+ * - SendHostname
+ - Values: true, **false**
+
+ Configures DHCP to include the hostname in the request. This setting
+ is disabled by default.
+
The group ``[IPv6]`` contains settings for Internet Protocol version 6 (IPv6)
network configuration.
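Review bot: the new `SendHostname` entry should say that it applies to the IPv4 DHCP client only, since it lives in the `[IPv4]` group and the code change sets the hostname on `netconfig->dhcp_client` but not on `dhcp6_client`. It would also help users to note that the hostname is then disclosed to every DHCP server the device talks to, which is the reason the default is `false`.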
diff --git a/src/netconfig.c b/src/netconfig.c
index 316431ee..eb6d80ff 100644
--- a/src/netconfig.c
+++ b/src/netconfig.c
@@ -1004,6 +1004,8 @@ bool netconfig_configure(struct netconfig *netconfig,
netconfig_notify_func_t notify, void *user_data)
{
char *mdns;
+ char hostname[HOST_NAME_MAX + 1];
+ bool send_hostname;
netconfig->dns4_overrides = l_settings_get_string_list(active_settings,
"IPv4", "DNS", ' ');
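Review bot: `HOST_NAME_MAX` comes from `<limits.h>` and `gethostname()` from `<unistd.h>`; neither include is visible in this diff, so confirm `netconfig.c` already pulls both in (or add them) rather than relying on transitive includes.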
@@ -1044,6 +1046,19 @@ bool netconfig_configure(struct netconfig *netconfig,
l_dhcp6_client_set_address(netconfig->dhcp6_client, ARPHRD_ETHER,
mac_address, ETH_ALEN);
+ if (!l_settings_get_bool(active_settings,
+ "IPv4", "SendHostname", &send_hostname))
+ send_hostname = false;
+
+ if (send_hostname) {
+ if (gethostname(hostname, sizeof(hostname)) == 0) {
+ l_dhcp_client_set_hostname(
+ netconfig->dhcp_client, hostname);
+ } else {
+ l_warn("netconfig: Unable to get hostname");
+ }
+ }
+
netconfig_ipv4_select_and_install(netconfig);
netconfig_ipv6_select_and_install(netconfig);
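Review bot: `gethostname()` is not required to NUL-terminate the buffer when the name does not fit, so after a successful call add `hostname[HOST_NAME_MAX] = '\0';` before passing it to `l_dhcp_client_set_hostname()`. An empty hostname (or a placeholder such as `(none)`) is also sent as-is; skipping the call when `hostname[0] == '\0'` would avoid putting a meaningless option on the wire.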
--
2.25.1
[PATCH 1/3] station: Remove diagnostics interface reliably
by Andrew Zaborowski
If the idea is that the interface should only be present when connected
then don't do this in the DISCONNECTING state as there are various
possible transitions from CONNECTED or ROAMING directly to DISCONNECTED.
---
src/station.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/station.c b/src/station.c
index 5b8b61b4..11711973 100644
--- a/src/station.c
+++ b/src/station.c
@@ -1211,9 +1211,6 @@ static void station_enter_state(struct station *station,
periodic_scan_stop(station);
break;
case STATION_STATE_DISCONNECTING:
- l_dbus_object_remove_interface(dbus_get_bus(),
- netdev_get_path(station->netdev),
- IWD_STATION_DIAGNOSTIC_INTERFACE);
break;
case STATION_STATE_ROAMING:
break;
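Review bot: after this removal `case STATION_STATE_DISCONNECTING:` is an empty case followed by `break;`, identical to the `STATION_STATE_ROAMING` case below it. Consider folding the two labels together (or dropping the empty case if the switch has a default) so the intent that nothing happens here is explicit.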
@@ -1317,6 +1314,8 @@ static void station_reset_connection_state(struct station *station)
IWD_STATION_INTERFACE, "ConnectedNetwork");
l_dbus_property_changed(dbus, network_get_path(network),
IWD_NETWORK_INTERFACE, "Connected");
+ l_dbus_object_remove_interface(dbus, netdev_get_path(station->netdev),
+ IWD_STATION_DIAGNOSTIC_INTERFACE);
}
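Review bot: `station_reset_connection_state()` presumably also runs for connection attempts that never reached CONNECTED, in which case the diagnostics interface was never added. Confirm that `l_dbus_object_remove_interface()` on an interface that is not present is a harmless no-op (returning false) rather than logging an error on every failed connect.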
static void station_disassociated(struct station *station)
--
2.30.2
[PATCH 1/1] eapol: Use constant-time comparison
by Joseph Benden
This closes the possibility of a timing attack against PMKIDs.
---
src/eapol.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/eapol.c b/src/eapol.c
index f587e708..51fb3c92 100644
--- a/src/eapol.c
+++ b/src/eapol.c
@@ -1142,7 +1142,7 @@ static void eapol_handle_ptk_1_of_4(struct eapol_sm *sm,
goto error_unspecified;
for (i = 0; i < rsn_info.num_pmkids; i++)
- if (!memcmp(rsn_info.pmkids + i * 16, pmkid, 16)) {
+ if (!l_secure_memcmp(rsn_info.pmkids + i * 16, pmkid, 16)) {
found = true;
break;
}
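Review bot: the loop still `break`s on the first match, so the time taken depends on which index in `rsn_info.pmkids` matched. If the intent is to remove the timing signal entirely, compare every entry and OR the results together instead of exiting early. With `num_pmkids` typically being a handful of entries the remaining leak is small, but the commit message should say that only the per-byte comparison was made constant-time.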
@@ -1155,7 +1155,7 @@ static void eapol_handle_ptk_1_of_4(struct eapol_sm *sm,
if (!handshake_state_get_pmkid(sm->handshake, own_pmkid))
goto error_unspecified;
- if (memcmp(pmkid, own_pmkid, 16)) {
+ if (l_secure_memcmp(pmkid, own_pmkid, 16)) {
l_debug("Authenticator sent a PMKID that didn't match");
/*
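Review bot: `l_secure_memcmp()` keeps memcmp's zero-on-equal convention, so the `if (l_secure_memcmp(...))` test preserves the existing logic. Since this introduces a dependency on an ell function, check that the minimum ell version required by the build provides it and mention that in the commit message.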
--
2.32.0
[PATCH] autotest: Improve cleanup in testP2P
by Andrew Zaborowski
Make sure some of the processes and files created are also cleaned up on
failure so that the next chance has a chance to succeed anyway.
---
autotests/testP2P/connection_test.py | 31 +++++++++++++++++++++-------
autotests/util/wpas.py | 11 ++++------
2 files changed, 27 insertions(+), 15 deletions(-)
diff --git a/autotests/testP2P/connection_test.py b/autotests/testP2P/connection_test.py
index 9bb0e34e..22871547 100644
--- a/autotests/testP2P/connection_test.py
+++ b/autotests/testP2P/connection_test.py
@@ -27,7 +27,7 @@ class Test(unittest.TestCase):
def p2p_connect_test(self, preauthorize, go):
wd = IWD()
- wpas = Wpas(p2p=True)
+ wpas = self.wpas = Wpas(p2p=True)
wpas_go_intent = 10 if not go else 1
# Not strictly necessary but prevents the station interface from queuing its scans
@@ -35,7 +35,7 @@ class Test(unittest.TestCase):
wd.list_devices(1)[0].disconnect()
devices = wd.list_p2p_devices(1)
- p2p = devices[0]
+ p2p = self.p2p = devices[0]
p2p.enabled = True
p2p.name = 'testdev1'
@@ -94,15 +94,17 @@ class Test(unittest.TestCase):
if not go:
ctx.start_process(['ifconfig', peer_ifname, '192.168.1.20', 'netmask', '255.255.255.0'], wait=True)
- os.system('> /tmp/dhcpd.leases')
- dhcp = ctx.start_process(['dhcpd', '-f', '-cf', '/tmp/dhcpd.conf', '-lf', '/tmp/dhcpd.leases', peer_ifname])
+ os.system('> /tmp/dhcp.leases')
+ dhcp = ctx.start_process(['dhcpd', '-f', '-cf', '/tmp/dhcpd.conf', '-lf', '/tmp/dhcp.leases', peer_ifname])
+ self.dhcp = dhcp
wd.wait_for_object_condition(wpas, 'len(obj.p2p_clients) == 1', max_wait=3)
client = wpas.p2p_clients[request['peer_iface']]
self.assertEqual(client['p2p_dev_addr'], wpas_peer['p2p_dev_addr'])
else:
- dhcp = ctx.start_process(['dhclient', '-v', '-d', '--no-pid', '-cf', '/dev/null', '-lf', '/tmp/dhcpd.leases',
+ dhcp = ctx.start_process(['dhclient', '-v', '-d', '--no-pid', '-cf', '/dev/null', '-lf', '/tmp/dhcp.leases',
'-sf', '/tmp/dhclient-script', peer_ifname])
+ self.dhcp = dhcp
wd.wait_for_object_condition(peer, 'obj.connected', max_wait=15)
time.sleep(1) # Give the client time to set the IP
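Review bot: the lease file is renamed from `/tmp/dhcpd.leases` to `/tmp/dhcp.leases` on both the dhcpd and dhclient branches, but the commit message does not mention the rename; state it so readers know it is intentional and matches the tearDown cleanup list. Also, `os.system('> /tmp/dhcp.leases')` shells out just to truncate a file; `open('/tmp/dhcp.leases', 'w').close()` does the same without a subprocess.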
@@ -127,9 +129,22 @@ class Test(unittest.TestCase):
wd.wait_for_object_condition(wpas, 'obj.p2p_group is None', max_wait=3)
self.assertEqual(peer.connected, False)
- p2p.enabled = False
- ctx.stop_process(dhcp)
- wpas.clean_up()
+ def setUp(self):
+ self.p2p = None
+ self.wpas = None
+ self.dhcp = None
+
+ def tearDown(self):
+ if self.p2p is not None:
+ self.p2p.enabled = False
+ if self.wpas is not None:
+ self.wpas.clean_up()
+ self.wpas = None
+ if self.dhcp is not None:
+ ctx.stop_process(self.dhcp)
+ for path in ['/tmp/dhcp.leases']:
+ if os.path.exists(path):
+ os.remove(path)
@classmethod
def tearDownClass(cls):
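Review bot: in `tearDown()`, an exception from `self.p2p.enabled = False` (for example if the device object is already gone after a failed test) aborts the method before `wpas.clean_up()` and `ctx.stop_process(self.dhcp)` run, which is exactly the failure case this patch is meant to cover. Wrap each step in its own `try`/`except` (or use `self.addCleanup()` at the point each resource is created) so one failing step does not skip the others, and set `self.dhcp = None` after stopping it for symmetry with `self.wpas`.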
diff --git a/autotests/util/wpas.py b/autotests/util/wpas.py
index 7072272a..1758eede 100644
--- a/autotests/util/wpas.py
+++ b/autotests/util/wpas.py
@@ -245,6 +245,9 @@ class Wpas:
if self.io_watch is not None:
GLib.source_remove(self.io_watch)
self.io_watch = None
+ for ifname in self.sockets:
+ self.sockets[ifname].close()
+ self.sockets = {}
if self.wpa_supplicant is not None:
ctx.stop_process(self.wpa_supplicant)
self.wpa_supplicant = None
@@ -253,11 +256,5 @@ class Wpas:
os.remove(path)
self.cleanup_paths = []
- def _stop_wpas(self):
- self.clean_up()
- for ifname in self.sockets:
- self.sockets[ifname].close()
- self.sockets = {}
-
def __del__(self):
- self._stop_wpas()
+ self.clean_up()
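Review bot: relying on `__del__` to call `clean_up()` is best-effort only: at interpreter shutdown module globals such as `ctx` may already be torn down and exceptions raised in `__del__` are swallowed. The explicit `tearDown()` added in the test is the real guarantee, so the `__del__` path should be treated as a fallback; the is-not-None checks and resets in `clean_up()` keep a second call harmless, which is what makes this safe.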
--
2.30.2
[ANNOUNCE] IRC channel moving to OFTC
by Denis Kenzior
Hi Everyone,
Just a heads up, that due to changes at Freenode we decided to move our IRC
channel to OFTC.net. You can find us there at #iwd.
We will keep the #iwd channel on Freenode active for a bit longer to help the
transition.
Regards,
-Denis
[PATCH] netconfig: Make gateway optional for client
by Andrew Zaborowski
Don't require a gateway address from the settings file or from the DHCP
server when doing netconfig. Failing when the gateway address was
missing was breaking P2P but also small local networks.
---
src/netconfig.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/netconfig.c b/src/netconfig.c
index 7665d786..316431ee 100644
--- a/src/netconfig.c
+++ b/src/netconfig.c
@@ -652,11 +652,17 @@ static bool netconfig_ipv4_routes_install(struct netconfig *netconfig)
gateway = netconfig_ipv4_get_gateway(netconfig);
if (!gateway) {
- l_error("netconfig: Failed to obtain gateway from %s.",
+ l_debug("No gateway obtained from %s.",
netconfig->rtm_protocol == RTPROT_STATIC ?
"setting file" : "DHCPv4 lease");
- return false;
+ if (netconfig->notify) {
+ netconfig->notify(NETCONFIG_EVENT_CONNECTED,
+ netconfig->user_data);
+ netconfig->notify = NULL;
+ }
+
+ return true;
}
netconfig->route4_add_gateway_cmd_id =
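Review bot: the new early return fires `NETCONFIG_EVENT_CONNECTED` and clears `netconfig->notify` itself. Confirm that whatever the gateway-route callback normally does before emitting that event (anything that runs after `route4_add_gateway_cmd_id` completes) is either already done at this point or not needed when no gateway exists, otherwise the no-gateway path will report connected with an incomplete configuration. Demoting the message from `l_error` to `l_debug` is right for the P2P and link-local cases the commit describes.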
--
2.30.2