[PATCH 1/3] Added wpa_config_get_all function

Dan Williams dcbw at redhat.com
Tue Nov 10 01:23:57 EST 2009


On Mon, 2009-11-09 at 20:52 +0200, Jouni Malinen wrote:
> On Wed, Oct 21, 2009 at 10:56:45AM -0700, Dan Williams wrote:
> > On Sun, 2009-10-18 at 03:55 +0200, Witold Sowa wrote:
> > > New function returns all parameters of network configuration block.
> > 
> > Cool; we'd use this in NM to retrieve the new security settings after
> > the supplicant updates the network block with the options received from
> > a WPS run.
> 
> In general, I do not really like the idea of exposing all the
> configuration data (mainly, passwords, PSK, etc. private information)
> from wpa_supplicant. How does the dbus interface authenticate the caller
> and prevent unauthorized users from using this interface to extract
> private keys?

At the moment, the D-Bus interface is restricted to 'root' only.  This
is done by the D-Bus permissions config file (dbus-wpa_supplicant.conf).

> As far as WPS is concerned, the enrolled credential could be provided to
> the external program when something else is in control of the
> configuration. This would at least limit the access to information
> available via WPS and would not expose other configuration items that
> the user could have entered directly into wpa_supplicant configuration.

I think the idea here was to ensure that an external program (like NM)
could get the actual key used to connect to the network after the WPS
exchange had succeeded.  Otherwise, how would we know what PSK to send
back to the supplicant the next time we connect?

We can't really send out a signal (since signals are usually readable by
anyone) thus the original method of caching the response and using
properties to get it.  If you don't like that (you didn't) then we can
let the supplicant update the network block in the in-memory config, and
then add a method to allow NM to read back the updated network block
(which I think you are now objecting to as well :).  Not sure how we're
supposed to get out the negotiated PSK then?

Dan
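
Added example, not part of the original message or of wpa_supplicant's code: a Python check over a D-Bus policy file, such as the dbus-wpa_supplicant.conf mentioned above, that lists every policy scope other than user="root" allowed to send to the supplicant's bus name. Both sample policies are constructed, the bus name fi.w1.wpa_supplicant1 is an assumption, and the check is simplified in that it ignores D-Bus rule ordering and later deny rules.

```python
import xml.etree.ElementTree as ET

BUS_NAME = "fi.w1.wpa_supplicant1"  # assumed bus name, not given in the thread

# Constructed sample: only root may own or talk to the service.
ROOT_ONLY = """<busconfig>
  <policy user="root">
    <allow own="fi.w1.wpa_supplicant1"/>
    <allow send_destination="fi.w1.wpa_supplicant1"/>
  </policy>
  <policy context="default">
    <deny own="fi.w1.wpa_supplicant1"/>
    <deny send_destination="fi.w1.wpa_supplicant1"/>
  </policy>
</busconfig>"""

# Constructed sample: default context and a hypothetical group can also send.
TOO_OPEN = """<busconfig>
  <policy user="root">
    <allow own="fi.w1.wpa_supplicant1"/>
    <allow send_destination="fi.w1.wpa_supplicant1"/>
  </policy>
  <policy context="default">
    <allow send_destination="fi.w1.wpa_supplicant1"/>
  </policy>
  <policy group="netdev">
    <allow send_destination="fi.w1.wpa_supplicant1"/>
  </policy>
</busconfig>"""

SCOPE_ATTRS = ("user", "group", "context", "at_console")


def non_root_senders(policy_xml, bus_name=BUS_NAME):
    """Return policy scopes other than user="root" that allow sending to bus_name.

    Simplified: any matching <allow> outside the root policy is reported,
    without modelling D-Bus rule precedence.
    """
    findings = []
    for policy in ET.fromstring(policy_xml).iter("policy"):
        scope = next((f'{a}="{policy.get(a)}"' for a in SCOPE_ATTRS
                      if policy.get(a) is not None), "unscoped")
        if scope == 'user="root"':
            continue
        if any(r.get("send_destination") == bus_name for r in policy.findall("allow")):
            findings.append(scope)
    return findings


if __name__ == "__main__":
    print("root-only policy:", non_root_senders(ROOT_ONLY))
    print("open policy:     ", non_root_senders(TOO_OPEN))
```

Any scope it reports could call a method that returns the whole network block, PSK included, which is the exposure raised in the quoted question.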



