[Pkg-utopia-maintainers] Bug#864357: network-manager: Support for certificate hashes when writing 802.1x configuration.
Tomas Ebenlendr
ebik at ucw.cz
Wed Jun 7 13:36:50 UTC 2017
Package: network-manager
Version: 1.6.2-3
Severity: normal
Tags: patch upstream
Some 802.1x networks (wifi or wired) use self-signed certificates.
wpa_supplicant has support for this: instead of verifying the certificate
against some CA certificate, it checks the SHA-256 sum of the certificate,
which is enabled by supplying a 'hash://...' URL instead of a path in the
'ca-cert' configuration option.
The keyfile plugin of NetworkManager, responsible for reading
/etc/NetworkManager/system-connections/*, thinks that ca-cert
is a local path and prepends /etc/NetworkManager/... to the hash.
The solution is simple: just pass the hash URL from the keyfile to
wpa_supplicant as-is, as is done for absolute paths.
(It would also be nice to have graphical configuration for this, but
that would be a feature request against another package.)
The SHA-256 sum of the certificate is already logged when no certificate check is done:
Jun 7 14:51:57 chewbacca wpa_supplicant[841]: wlp3s0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=WMSvc-ELVIRA' hash=c640682caa9cd14bf60640f92ff59c844df363dfce800fca3416b9cb222a4cdb
Then I can use the hash in the keyfile, and wpa_supplicant refuses to
send my username/password to any server that presents a different
certificate.
An example configuration from /etc/NetworkManager/system-connections/my_safer_8021x follows:
...
[802-1x]
ca-cert=hash://server/sha256/c640682caa9cd14bf60640f92ff59c844df363dfce800fca3416b9cb222a4cdb
eap=peap;
identity=my_user_name
password=my_password
phase2-auth=mschapv2
...
The patch allowing a 'hash://' URL in ca-cert follows:
diff --git a/libnm-core/nm-keyfile-reader.c b/libnm-core/nm-keyfile-reader.c
index 8adf67dd..c071264d 100644
--- a/libnm-core/nm-keyfile-reader.c
+++ b/libnm-core/nm-keyfile-reader.c
@@ -893,7 +893,7 @@ get_cert_path (const char *base_dir, const guint8 *cert_path, gsize cert_path_le
base = path = g_malloc0 (cert_path_len + 1);
memcpy (path, cert_path, cert_path_len);
- if ((path[0] == '/') || (strncmp(path, "hash://",7)==0))
+ if (path[0] == '/')
return path;
p = strrchr (path, '/');
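Review bot: the hunk is the wrong way round: the `-` line carries the `hash://` check and the `+` line drops it, so applying this patch as shown would remove the behaviour the report asks for; the diff needs to be regenerated with the unpatched tree as the `a/` side. Once reversed, consider `g_str_has_prefix (path, "hash://")` (GLib is already in use in this function, see `g_malloc0`) instead of `strncmp (path, "hash://", 7)` with a hard-coded length, and add a one-line comment above the early return stating that a hash URL is handed to wpa_supplicant untouched rather than being resolved against base_dir, since the `strrchr (path, '/')` logic that follows is only meaningful for filesystem paths.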
-- System Information:
Debian Release: 9.0
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=cs_CZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages network-manager depends on:
ii adduser 3.115
ii dbus 1.10.16-1
ii init-system-helpers 1.47
ii libaudit1 1:2.6.7-2
ii libbluetooth3 5.43-2
ii libc6 2.24-9
ii libglib2.0-0 2.50.3-1
ii libgnutls30 3.5.8-3
ii libgudev-1.0-0 230-3
ii libjansson4 2.9-1
ii libmm-glib0 1.6.4-1
ii libndp0 1.6-1+b1
ii libnewt0.52 0.52.19-1+b1
ii libnl-3-200 3.2.27-2
ii libnm0 1.6.2-2
ii libpam-systemd 233-5
ii libpolkit-agent-1-0 0.105-18
ii libpolkit-gobject-1-0 0.105-18
ii libreadline7 7.0-2
ii libselinux1 2.6-3+b1
ii libsoup2.4-1 2.56.0-2
ii libsystemd0 233-5
ii libteamdctl0 1.26-1+b1
ii libuuid1 2.29.2-1
ii lsb-base 9.20161125
ii policykit-1 0.105-18
ii udev 233-8
ii wpasupplicant 2:2.4-1
Versions of packages network-manager recommends:
ii crda 3.18-1
ii dnsmasq-base 2.76-5+b1
ii iptables 1.6.0+snapshot20161117-5
ii iputils-arping 3:20161105-1
ii isc-dhcp-client 4.3.5-3
ii modemmanager 1.6.4-1
ii ppp 2.4.7-1+4
Versions of packages network-manager suggests:
pn libteam-utils <none>
-- Configuration Files:
/etc/NetworkManager/NetworkManager.conf changed [not included]
-- no debconf information
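To make the report's behaviour concrete, here is an added example (not NetworkManager's or wpa_supplicant's own code) that resolves a keyfile 'ca-cert' value the way the fixed reader should (absolute paths and hash:// URLs untouched, anything else joined to the keyfile directory) and then checks a presented server certificate against the pin the way wpa_supplicant does, as the SHA-256 of the certificate's DER encoding. The keyfile directory, the helper names and the sample certificate bytes are assumptions for the demo; the DER bytes are constructed and not a real certificate.

```python
"""Added example: resolve a NetworkManager keyfile 'ca-cert' value the way the fixed
keyfile reader should, and check a wpa_supplicant-style certificate pin offline."""
import hashlib
import hmac
import os
import re

# wpa_supplicant's pinning form: hash://server/sha256/<hex SHA-256 of the DER certificate>
HASH_URL_RE = re.compile(r"^hash://server/sha256/([0-9a-fA-F]{64})$")


def resolve_ca_cert(value, base_dir):
    """Absolute paths and hash:// URLs pass through unchanged (the behaviour the report
    asks for); anything else is treated as a path relative to the keyfile's directory."""
    if value.startswith("/"):
        return value
    if value.startswith("hash://"):
        if not HASH_URL_RE.match(value):
            raise ValueError("malformed certificate hash URL: %r" % value)
        return value
    return os.path.join(base_dir, value)


def parse_8021x_section(keyfile_text):
    """Minimal reader for the [802-1x] group of an NM keyfile. List values carry a
    trailing ';' (e.g. 'eap=peap;') and are returned as Python lists."""
    section = {}
    in_group = False
    for raw in keyfile_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = (line == "[802-1x]")
            continue
        if not in_group or "=" not in line:
            continue
        key, _, val = line.partition("=")
        val = val.strip()
        if val.endswith(";"):
            val = [item for item in val.split(";") if item]
        section[key.strip()] = val
    return section


def server_cert_hash_url(cert_der):
    """Build the hash:// value to pin from a DER-encoded server certificate. In practice
    the bytes come from e.g. `openssl x509 -outform DER`, obtained out of band rather
    than trusted from the first connection's CTRL-EVENT-EAP-PEER-CERT log line."""
    return "hash://server/sha256/" + hashlib.sha256(cert_der).hexdigest()


def pin_matches(pinned_url, cert_der):
    """True only if the presented DER certificate hashes to the pinned value.
    compare_digest avoids leaking where the comparison diverged."""
    m = HASH_URL_RE.match(pinned_url)
    if not m:
        return False
    return hmac.compare_digest(m.group(1).lower(), hashlib.sha256(cert_der).hexdigest())


# Constructed sample input (not a real certificate): stand-in DER bytes for the RADIUS
# server certificate, and a keyfile in the shape of the report's example.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00constructed-fake-der-for-demo"
SAMPLE_KEYFILE = """\
[connection]
id=my_safer_8021x
type=802-11-wireless

[802-1x]
ca-cert=%s
eap=peap;
identity=my_user_name
password=my_password
phase2-auth=mschapv2
""" % server_cert_hash_url(SAMPLE_CERT_DER)

BASE_DIR = "/etc/NetworkManager/system-connections"  # assumed keyfile directory


def check_connection(keyfile_text, presented_cert_der, base_dir=BASE_DIR):
    """Decide whether a presented server certificate satisfies the keyfile's ca-cert."""
    ca_cert = resolve_ca_cert(parse_8021x_section(keyfile_text)["ca-cert"], base_dir)
    if ca_cert.startswith("hash://"):
        return pin_matches(ca_cert, presented_cert_der)
    # A file path would mean chain validation against that CA; not modelled here.
    raise NotImplementedError("CA-file validation not modelled: %s" % ca_cert)


if __name__ == "__main__":
    print("pinned server accepted:", check_connection(SAMPLE_KEYFILE, SAMPLE_CERT_DER))
    print("other server accepted:", check_connection(SAMPLE_KEYFILE, b"some other cert"))
```

The point of the regex check in resolve_ca_cert is that a malformed hash URL is rejected at read time instead of being silently passed on; with the reporter's patch the value reaches wpa_supplicant as-is, so a typo in the hex would only show up as a failed authentication later.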