Send connman mailing list submissions to
connman@lists.01.org
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.01.org/mailman/listinfo/connman
or, via email, send a message with subject or body 'help' to
connman-requ...@lists.01.org
You can reach the person managing the list at
connman-ow...@lists.01.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of connman digest..."
Today's Topics:
1. Re: [PATCH] Adds support for additional wpa_supplicant
options (Lichtinger, Bernhard)
2. Re: [PATCH] rootnfs: Working rootnfs using connman
(Pantelis Antoniou)
----------------------------------------------------------------------
Message: 1
Date: Thu, 1 Dec 2016 14:52:31 +0000
From: "Lichtinger, Bernhard" <bernhard.lichtin...@lrz.de>
To: Daniel Wagner <w...@monom.org>
Cc: "marcel.holtm...@intel.com" <marcel.holtm...@intel.com>,
"connman@lists.01.org" <connman@lists.01.org>
Subject: Re: [PATCH] Adds support for additional wpa_supplicant
options
Message-ID: <85f87daa-f4fa-4e17-9d41-429b86470...@lrz.de>
Content-Type: text/plain; charset="us-ascii"
Hi Daniel,
> Sorry for the delay. This patch fell through the cracks. I saw your question
> on IRC. It was before I setup my patchwork [1] for tracking the state of
> patches.
It's no problem.
> From what I can tell, this shouldn't be a problem at all. Can you just rebase
> your patch and sent it again?
I think I managed to rebase my patch:
subject_match, altsubject_match, domain_suffix_match,
domain_match
they are used for 802.1X aka. enterprise-wpa to check
the authentication server's certificate in order to
prevent MITM attacks using a valid certificate issued
by the same root-CA as configured by CACertFile.
More details at
https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf
---
doc/config-format.txt | 9 ++++
gsupplicant/gsupplicant.h | 4 ++
gsupplicant/supplicant.c | 20 +++++++++
plugins/wifi.c | 12 ++++++
src/config.c | 60 ++++++++++++++++++++++++++
src/connman.h | 8 ++++
src/network.c | 28 ++++++++++++
src/service.c | 108 ++++++++++++++++++++++++++++++++++++++++++++++
8 files changed, 249 insertions(+)
diff --git a/doc/config-format.txt b/doc/config-format.txt
index eae51e0..ed3123a 100644
--- a/doc/config-format.txt
+++ b/doc/config-format.txt
@@ -84,6 +84,15 @@ The following options are valid if Type is "wifi"
to fsid.
- Identity: Identity string for EAP.
- AnonymousIdentity: Anonymous Identity string for EAP.
+- SubjectMatch: Substring to be matched against the subject of the
+ authentication server certificate for EAP.
+- AltSubjectMatch: Semicolon separated string of entries to be matched against
+ the alternative subject name of the authentication server certificate for
EAP.
+- DomainSuffixMatch: Constraint for server domain name. If set, this FQDN is
+ used as a suffix match requirement for the authentication server certificate
+ for EAP.
+- DomainMatch: This FQDN is used as a full match requirement for the
+ authentication server certificate for EAP.
- Phase2: Phase2 (inner authentication with TLS tunnel) authentication method.
Prefix the value with "EAP-" to indicate the usage of an EAP-based inner
authentication method (should only be used with EAP = TTLS).
diff --git a/gsupplicant/gsupplicant.h b/gsupplicant/gsupplicant.h
index 26fd2ca..678cf8b 100644
--- a/gsupplicant/gsupplicant.h
+++ b/gsupplicant/gsupplicant.h
@@ -144,6 +144,10 @@ struct _GSupplicantSSID {
const char *identity;
const char *anonymous_identity;
const char *ca_cert_path;
+ const char *subject_match;
+ const char *altsubject_match;
+ const char *domain_suffix_match;
+ const char *domain_match;
const char *client_cert_path;
const char *private_key_path;
const char *private_key_passphrase;
diff --git a/gsupplicant/supplicant.c b/gsupplicant/supplicant.c
index 7200041..8890447 100644
--- a/gsupplicant/supplicant.c
+++ b/gsupplicant/supplicant.c
@@ -4512,6 +4512,26 @@ static void add_network_security_eap(DBusMessageIter
*dict,
DBUS_TYPE_STRING,
&ssid->anonymous_identity);
+ if(ssid->subject_match)
+ supplicant_dbus_dict_append_basic(dict, "subject_match",
+ DBUS_TYPE_STRING,
+ &ssid->subject_match);
+
+ if(ssid->altsubject_match)
+ supplicant_dbus_dict_append_basic(dict, "altsubject_match",
+ DBUS_TYPE_STRING,
+ &ssid->altsubject_match);
+
+ if(ssid->domain_suffix_match)
+ supplicant_dbus_dict_append_basic(dict, "domain_suffix_match",
+ DBUS_TYPE_STRING,
+
&ssid->domain_suffix_match);
+
+ if(ssid->domain_match)
+ supplicant_dbus_dict_append_basic(dict, "domain_match",
+ DBUS_TYPE_STRING,
+ &ssid->domain_match);
+
g_free(eap_value);
}
diff --git a/plugins/wifi.c b/plugins/wifi.c
index 68b231d..70cec77 100644
--- a/plugins/wifi.c
+++ b/plugins/wifi.c
@@ -88,6 +88,10 @@ struct hidden_params {
unsigned int ssid_len;
char *identity;
char *anonymous_identity;
+ char *subject_match;
+ char *altsubject_match;
+ char *domain_suffix_match;
+ char *domain_match;
char *passphrase;
char *security;
GSupplicantScanParams *scan_params;
@@ -2058,6 +2062,14 @@ static void ssid_init(GSupplicantSSID *ssid, struct
connman_network *network)
"WiFi.AnonymousIdentity");
ssid->ca_cert_path = connman_network_get_string(network,
"WiFi.CACertFile");
+ ssid->subject_match = connman_network_get_string(network,
+ "WiFi.SubjectMatch");
+ ssid->altsubject_match = connman_network_get_string(network,
+ "WiFi.AltSubjectMatch");
+ ssid->domain_suffix_match = connman_network_get_string(network,
+
"WiFi.DomainSuffixMatch");
+ ssid->domain_match = connman_network_get_string(network,
+ "WiFi.DomainMatch");
ssid->client_cert_path = connman_network_get_string(network,
"WiFi.ClientCertFile");
ssid->private_key_path = connman_network_get_string(network,
diff --git a/src/config.c b/src/config.c
index ba10fbb..c40f76c 100644
--- a/src/config.c
+++ b/src/config.c
@@ -47,6 +47,10 @@ struct connman_config_service {
char *identity;
char *anonymous_identity;
char *ca_cert_file;
+ char *subject_match;
+ char *altsubject_match;
+ char *domain_suffix_match;
+ char *domain_match;
char *client_cert_file;
char *private_key_file;
char *private_key_passphrase;
@@ -100,6 +104,10 @@ static bool cleanup = false;
#define SERVICE_KEY_PRV_KEY_PASS_TYPE "PrivateKeyPassphraseType"
#define SERVICE_KEY_IDENTITY "Identity"
#define SERVICE_KEY_ANONYMOUS_IDENTITY "AnonymousIdentity"
+#define SERVICE_KEY_SUBJECT_MATCH "SubjectMatch"
+#define SERVICE_KEY_ALT_SUBJECT_MATCH "AltSubjectMatch"
+#define SERVICE_KEY_DOMAIN_SUFF_MATCH "DomainSuffixMatch"
+#define SERVICE_KEY_DOMAIN_MATCH "DomainMatch"
#define SERVICE_KEY_PHASE2 "Phase2"
#define SERVICE_KEY_PASSPHRASE "Passphrase"
#define SERVICE_KEY_SECURITY "Security"
@@ -132,6 +140,10 @@ static const char *service_possible_keys[] = {
SERVICE_KEY_PRV_KEY_PASS_TYPE,
SERVICE_KEY_IDENTITY,
SERVICE_KEY_ANONYMOUS_IDENTITY,
+ SERVICE_KEY_SUBJECT_MATCH,
+ SERVICE_KEY_ALT_SUBJECT_MATCH,
+ SERVICE_KEY_DOMAIN_SUFF_MATCH,
+ SERVICE_KEY_DOMAIN_MATCH,
SERVICE_KEY_PHASE2,
SERVICE_KEY_PASSPHRASE,
SERVICE_KEY_SECURITY,
@@ -225,6 +237,10 @@ free_only:
g_free(config_service->identity);
g_free(config_service->anonymous_identity);
g_free(config_service->ca_cert_file);
+ g_free(config_service->subject_match);
+ g_free(config_service->altsubject_match);
+ g_free(config_service->domain_suffix_match);
+ g_free(config_service->domain_match);
g_free(config_service->client_cert_file);
g_free(config_service->private_key_file);
g_free(config_service->private_key_passphrase);
@@ -666,6 +682,34 @@ static bool load_service(GKeyFile *keyfile, const char
*group,
service->anonymous_identity = str;
}
+ str = __connman_config_get_string(keyfile, group,
+ SERVICE_KEY_SUBJECT_MATCH, NULL);
+ if (str) {
+ g_free(service->subject_match);
+ service->subject_match = str;
+ }
+
+ str = __connman_config_get_string(keyfile, group,
+ SERVICE_KEY_ALT_SUBJECT_MATCH, NULL);
+ if (str) {
+ g_free(service->altsubject_match);
+ service->altsubject_match = str;
+ }
+
+ str = __connman_config_get_string(keyfile, group,
+ SERVICE_KEY_DOMAIN_SUFF_MATCH, NULL);
+ if (str) {
+ g_free(service->domain_suffix_match);
+ service->domain_suffix_match = str;
+ }
+
+ str = __connman_config_get_string(keyfile, group,
+ SERVICE_KEY_DOMAIN_MATCH, NULL);
+ if (str) {
+ g_free(service->domain_match);
+ service->domain_match = str;
+ }
+
str = __connman_config_get_string(keyfile, group, SERVICE_KEY_PHASE2,
NULL);
if (str) {
g_free(service->phase2);
@@ -1060,6 +1104,22 @@ static void provision_service_wifi(struct
connman_config_service *config,
__connman_service_set_string(service, "CACertFile",
config->ca_cert_file);
+ if (config->subject_match)
+ __connman_service_set_string(service, "SubjectMatch",
+ config->subject_match);
+
+ if (config->altsubject_match)
+ __connman_service_set_string(service, "AltSubjectMatch",
+
config->altsubject_match);
+
+ if (config->domain_suffix_match)
+ __connman_service_set_string(service, "DomainSuffixMatch",
+
config->domain_suffix_match);
+
+ if (config->domain_match)
+ __connman_service_set_string(service, "DomainMatch",
+ config->domain_match);
+
if (config->client_cert_file)
__connman_service_set_string(service, "ClientCertFile",
config->client_cert_file);
diff --git a/src/connman.h b/src/connman.h
index f85d243..577c808 100644
--- a/src/connman.h
+++ b/src/connman.h
@@ -779,6 +779,14 @@ void __connman_service_set_identity(struct connman_service
*service,
const char *identity);
void __connman_service_set_anonymous_identity(struct connman_service *service,
const char *anonymous_identity);
+void __connman_service_set_subject_match(struct connman_service *service,
+ const char *subject_match);
+void __connman_service_set_altsubject_match(struct connman_service *service,
+ const char *altsubject_match);
+void __connman_service_set_domain_suffix_match(struct connman_service *service,
+ const char *domain_suffix_match);
+void __connman_service_set_domain_match(struct connman_service *service,
+ const char *domain_match);
void __connman_service_set_agent_identity(struct connman_service *service,
const char *agent_identity);
int __connman_service_set_passphrase(struct connman_service *service,
diff --git a/src/network.c b/src/network.c
index 4c7f2d5..aa82b74 100644
--- a/src/network.c
+++ b/src/network.c
@@ -82,6 +82,10 @@ struct connman_network {
char *anonymous_identity;
char *agent_identity;
char *ca_cert_path;
+ char *subject_match;
+ char *altsubject_match;
+ char *domain_suffix_match;
+ char *domain_match;
char *client_cert_path;
char *private_key_path;
char *private_key_passphrase;
@@ -893,6 +897,10 @@ static void network_destruct(struct connman_network
*network)
g_free(network->wifi.anonymous_identity);
g_free(network->wifi.agent_identity);
g_free(network->wifi.ca_cert_path);
+ g_free(network->wifi.subject_match);
+ g_free(network->wifi.altsubject_match);
+ g_free(network->wifi.domain_suffix_match);
+ g_free(network->wifi.domain_match);
g_free(network->wifi.client_cert_path);
g_free(network->wifi.private_key_path);
g_free(network->wifi.private_key_passphrase);
@@ -1796,6 +1804,18 @@ int connman_network_set_string(struct connman_network
*network,
} else if (g_str_equal(key, "WiFi.CACertFile")) {
g_free(network->wifi.ca_cert_path);
network->wifi.ca_cert_path = g_strdup(value);
+ } else if (g_str_equal(key, "WiFi.SubjectMatch")) {
+ g_free(network->wifi.subject_match);
+ network->wifi.subject_match = g_strdup(value);
+ } else if (g_str_equal(key, "WiFi.AltSubjectMatch")) {
+ g_free(network->wifi.altsubject_match);
+ network->wifi.altsubject_match = g_strdup(value);
+ } else if (g_str_equal(key, "WiFi.DomainSuffixMatch")) {
+ g_free(network->wifi.domain_suffix_match);
+ network->wifi.domain_suffix_match = g_strdup(value);
+ } else if (g_str_equal(key, "WiFi.DomainMatch")) {
+ g_free(network->wifi.domain_match);
+ network->wifi.domain_match = g_strdup(value);
} else if (g_str_equal(key, "WiFi.ClientCertFile")) {
g_free(network->wifi.client_cert_path);
network->wifi.client_cert_path = g_strdup(value);
@@ -1850,6 +1870,14 @@ const char *connman_network_get_string(struct
connman_network *network,
return network->wifi.agent_identity;
else if (g_str_equal(key, "WiFi.CACertFile"))
return network->wifi.ca_cert_path;
+ else if (g_str_equal(key, "WiFi.SubjectMatch"))
+ return network->wifi.subject_match;
+ else if (g_str_equal(key, "WiFi.AltSubjectMatch"))
+ return network->wifi.altsubject_match;
+ else if (g_str_equal(key, "WiFi.DomainSuffixMatch"))
+ return network->wifi.domain_suffix_match;
+ else if (g_str_equal(key, "WiFi.DomainMatch"))
+ return network->wifi.domain_match;
else if (g_str_equal(key, "WiFi.ClientCertFile"))
return network->wifi.client_cert_path;
else if (g_str_equal(key, "WiFi.PrivateKeyFile"))
diff --git a/src/service.c b/src/service.c
index e5a106e..09472ab 100644
--- a/src/service.c
+++ b/src/service.c
@@ -104,6 +104,10 @@ struct connman_service {
char *anonymous_identity;
char *agent_identity;
char *ca_cert_file;
+ char *subject_match;
+ char *altsubject_match;
+ char *domain_suffix_match;
+ char *domain_match;
char *client_cert_file;
char *private_key_file;
char *private_key_passphrase;
@@ -2868,6 +2872,66 @@ void __connman_service_set_anonymous_identity(struct
connman_service *service,
service->anonymous_identity);
}
+void __connman_service_set_subject_match(struct connman_service *service,
+ const char *subject_match)
+{
+ if (service->immutable || service->hidden)
+ return;
+
+ g_free(service->subject_match);
+ service->subject_match = g_strdup(subject_match);
+
+ if (service->network)
+ connman_network_set_string(service->network,
+ "WiFi.SubjectMatch",
+ service->subject_match);
+}
+
+void __connman_service_set_altsubject_match(struct connman_service *service,
+ const char *altsubject_match)
+{
+ if (service->immutable || service->hidden)
+ return;
+
+ g_free(service->altsubject_match);
+ service->altsubject_match = g_strdup(altsubject_match);
+
+ if (service->network)
+ connman_network_set_string(service->network,
+ "WiFi.AltSubjectMatch",
+ service->altsubject_match);
+}
+
+void __connman_service_set_domain_suffix_match(struct connman_service *service,
+ const char *domain_suffix_match)
+{
+ if (service->immutable || service->hidden)
+ return;
+
+ g_free(service->domain_suffix_match);
+ service->domain_suffix_match = g_strdup(domain_suffix_match);
+
+ if (service->network)
+ connman_network_set_string(service->network,
+ "WiFi.DomainSuffixMatch",
+ service->domain_suffix_match);
+}
+
+void __connman_service_set_domain_match(struct connman_service *service,
+ const char *domain_match)
+{
+ if (service->immutable || service->hidden)
+ return;
+
+ g_free(service->domain_match);
+ service->domain_match = g_strdup(domain_match);
+
+ if (service->network)
+ connman_network_set_string(service->network,
+ "WiFi.DomainMatch",
+ service->domain_match);
+}
+
void __connman_service_set_agent_identity(struct connman_service *service,
const char *agent_identity)
{
@@ -4195,6 +4259,18 @@ bool __connman_service_remove(struct connman_service
*service)
g_free(service->anonymous_identity);
service->anonymous_identity = NULL;
+ g_free(service->subject_match);
+ service->subject_match = NULL;
+
+ g_free(service->altsubject_match);
+ service->altsubject_match = NULL;
+
+ g_free(service->domain_suffix_match);
+ service->domain_suffix_match = NULL;
+
+ g_free(service->domain_match);
+ service->domain_match = NULL;
+
g_free(service->agent_identity);
service->agent_identity = NULL;
@@ -4651,6 +4727,10 @@ static void service_free(gpointer user_data)
g_free(service->anonymous_identity);
g_free(service->agent_identity);
g_free(service->ca_cert_file);
+ g_free(service->subject_match);
+ g_free(service->altsubject_match);
+ g_free(service->domain_suffix_match);
+ g_free(service->domain_match);
g_free(service->client_cert_file);
g_free(service->private_key_file);
g_free(service->private_key_passphrase);
@@ -5148,6 +5228,18 @@ void __connman_service_set_string(struct connman_service
*service,
} else if (g_str_equal(key, "CACertFile")) {
g_free(service->ca_cert_file);
service->ca_cert_file = g_strdup(value);
+ } else if (g_str_equal(key, "SubjectMatch")) {
+ g_free(service->subject_match);
+ service->subject_match = g_strdup(value);
+ } else if (g_str_equal(key, "AltSubjectMatch")) {
+ g_free(service->altsubject_match);
+ service->altsubject_match = g_strdup(value);
+ } else if (g_str_equal(key, "DomainSuffixMatch")) {
+ g_free(service->domain_suffix_match);
+ service->domain_suffix_match = g_strdup(value);
+ } else if (g_str_equal(key, "DomainMatch")) {
+ g_free(service->domain_match);
+ service->domain_match = g_strdup(value);
} else if (g_str_equal(key, "ClientCertFile")) {
g_free(service->client_cert_file);
service->client_cert_file = g_strdup(value);
@@ -5989,6 +6081,22 @@ static void prepare_8021x(struct connman_service
*service)
connman_network_set_string(service->network, "WiFi.CACertFile",
service->ca_cert_file);
+ if (service->subject_match)
+ connman_network_set_string(service->network,
"WiFi.SubjectMatch",
+ service->subject_match);
+
+ if (service->altsubject_match)
+ connman_network_set_string(service->network,
"WiFi.AltSubjectMatch",
+
service->altsubject_match);
+
+ if (service->domain_suffix_match)
+ connman_network_set_string(service->network,
"WiFi.DomainSuffixMatch",
+
service->domain_suffix_match);
+
+ if (service->domain_match)
+ connman_network_set_string(service->network, "WiFi.DomainMatch",
+ service->domain_match);
+
if (service->client_cert_file)
connman_network_set_string(service->network,
"WiFi.ClientCertFile",
--
2.9.3 (Apple Git-75)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5128 bytes
Desc: not available
URL:
<http://lists.01.org/pipermail/connman/attachments/20161201/1c606372/attachment-0001.p7s>
------------------------------
Message: 2
Date: Thu, 1 Dec 2016 17:37:34 +0200
From: Pantelis Antoniou <pantelis.anton...@konsulko.com>
To: Daniel Wagner <w...@monom.org>
Cc: David Woodhouse <dw...@infradead.org>, conn...@ml01.01.org,
Stephane Desneux <stephane.desn...@iot.bzh>, Koen Kooi
<koen.k...@linaro.org>
Subject: Re: [PATCH] rootnfs: Working rootnfs using connman
Message-ID: <87d6f617-f294-46a5-9293-4f08515d9...@konsulko.com>
Content-Type: text/plain; charset=utf-8
Hi Daniel,
> On Dec 1, 2016, at 15:32 , Daniel Wagner <w...@monom.org> wrote:
>
> Hi Pantelis,
>
> On 12/01/2016 09:39 AM, Pantelis Antoniou wrote:
>>> On Dec 1, 2016, at 10:29 , David Woodhouse <dw...@infradead.org> wrote:
>>>
>>> On Wed, 2016-11-30 at 20:59 +0200, Pantelis Antoniou wrote:
>>>> Until now for root NFS you either had to manually blacklist
>>>> the interface or disable connman all together
>>>>
>>>> This patch automatically blacklists the interface the NFS server
>>>> is reachable from and populates the resolver entries that the
>>>> DHCP server provided on startup.
>>>>
>>>> It is now possible to use a vanilla rootfs tarball without
>>>> having to manually edit connman configuration entries.
>>>
>>> That looks like it supports Legacy IP only. Is that also true of the
>>> kernel's built-in nfsroot support, or did that get brought into the
>>> 21st century? And part of the *reason* for not updating the old nfsroot
>>> support in the kernel is that it can be done from an initramfs....
>>> should we attempt to handle that case too?
>>>
>>
>> In-kernel support is IPv4 as far as I know so that?s why this is
>> IPv4 only. It is not hard to add IPv6 support.
>>
>> When using initram rootnfs and rootnfs? I haven?t tried it but it should
>> be possible to detect that your root is on an NFS share. All you need is
>> to find out the server ip and the same method to find the interface to
>> blacklist.
>>
>> Personally I dislike using initramfs on embedded systems because a) uses up
>> memory for not a particularly valid reason b) slows down boot and c) on
>> an embedded system you have a pretty good chance of booting directly without
>> needing to load non-free drivers from initramfs. Unfortunately most PC based
>> distros seem to use it :)
>>
>> If someone wants to do it, please go ahead ;)
>
> At least if you don't want to do it, send a patch which adds it to TODO file
> so we don't forget it.
>
I didn?t say that :) I just don?t have a setup that uses this scheme.
If someone else has it and willing to share something that?s easy enough to
replicate I can
give it a whirl.
> Thanks,
> Daniel
Regards
? Pantelis
------------------------------
Subject: Digest Footer
_______________________________________________
connman mailing list
connman@lists.01.org
https://lists.01.org/mailman/listinfo/connman
------------------------------
End of connman Digest, Vol 14, Issue 3
**************************************
