[PATCH 1/3] Added wpa_config_get_all function

Dan Williams dcbw at redhat.com
Thu Nov 12 13:09:19 EST 2009


On Wed, 2009-11-11 at 23:16 +0100, Witold Sowa wrote:
> Jouni Malinen wrote:
> > On Tue, Nov 10, 2009 at 04:18:04PM +0100, Witold Sowa wrote:
> > 
> >> The original patch doesn't introduce access to full config, but to
> >> non-secret config entries only, but it can be easily changed (second
> >> argument in wpa_config_get_all).
> > 
> > Now that I looked at this, the latest version of the new dbus code is
> > also using get_keys=0. As such, I don't think WPS would work with this
> > version. Am I missing something?
> 
> We still have credentials signal which is sent asynchronously when new
> credentials are received so the external application like NM will get
> WPS credentials.
> 
> > I did end up applying the patch to introduce wpa_config_get_all() at
> > least for now. However, I may consider a change on this in the future to
> > limit the access to only the keys provisioned with WPS (the current
> > version seems to limit this anyway with get_keys=0, but it can be
> > changed).
> > 
> > Are there any other missing patches that I would have missed? Is there
> > any good way for me to test the new interface?
> > 
> 
> There is one more short patch (in attachment). DBus signals sent from
> wpa_supplicant are readable to anyone. That applies to credentials
> signal which contains secret data too. This patch changes DBus policy so
> only root will receive signals from wpa_supplicant.

Yes, that's likely the right approach.  We can also filter signals by
interface so that normal users could still get general supplicant
status, but that the WPS signals were protected.

Dan

> To recap, we finished with:
> 1. Network configuration is available only to root and without secret
> data like PSKs.
> 2. WPS credentials are sent asynchronously only to root and only once
> when received. They are not cached and cannot be reread later.
> jm: Is that secure enough? dcbw: Is that enough for NM requirements?
> 
> Here is updated documentation for new API I wrote some time ago:
> http://student.agh.edu.pl/~wsowa/new-dbus-api.html
> I think, that it should be available somewhere on wpa_supplicant's site.
> 
> Witek.
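
A sketch of the interface-filtered signal policy suggested in the reply above, as an added example that is not the patch attached in the thread nor the project's shipped policy file. The bus name `fi.w1.wpa_supplicant1` and the interface name `fi.w1.wpa_supplicant1.Interface.WPS` are assumptions, since neither appears in the thread.

```xml
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <!-- Assumed names (not from the thread):
       bus name       fi.w1.wpa_supplicant1
       WPS interface  fi.w1.wpa_supplicant1.Interface.WPS -->

  <policy context="default">
    <!-- Unprivileged users may not own the name or call methods,
         so network configuration stays root-only. -->
    <deny own="fi.w1.wpa_supplicant1"/>
    <deny send_destination="fi.w1.wpa_supplicant1"/>

    <!-- Root-only variant described in the thread: withhold every
         signal from the supplicant. Shown commented out for comparison.
         <deny receive_sender="fi.w1.wpa_supplicant1"
               receive_type="signal"/> -->

    <!-- Interface-filtered variant: general status signals still reach
         normal users; only signals on the WPS interface, which carry
         the credentials, are withheld. -->
    <deny receive_sender="fi.w1.wpa_supplicant1"
          receive_interface="fi.w1.wpa_supplicant1.Interface.WPS"
          receive_type="signal"/>
  </policy>

  <!-- User policies are applied after the default context, so these
       rules override the denies above for root. -->
  <policy user="root">
    <allow own="fi.w1.wpa_supplicant1"/>
    <allow send_destination="fi.w1.wpa_supplicant1"/>
    <allow receive_sender="fi.w1.wpa_supplicant1"
           receive_type="signal"/>
  </policy>
</busconfig>
```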


