[Pkg-utopia-maintainers] Bug#864357: network-manager: Support for certificate hashes when writing 802.1x configuration.

Tomas Ebenlendr ebik at ucw.cz
Wed Jun 7 13:36:50 UTC 2017


Package: network-manager
Version: 1.6.2-3
Severity: normal
Tags: patch upstream

Some 802.1x networks (wifi or wired) use self-signed certificates.
wpa-supplicant supports this by checking the sha256 sum of the
certificate instead of verifying the certificate against some CA
certificate: a 'hash://...' URL is supplied instead of a path in the
'ca-cert' configuration option.

The keyfile plugin of NetworkManager responsible for reading
/etc/NetworkManager/system-connections/* assumes that ca-cert
is a local path and prepends /etc/NetworkManager/... to the hash.
The solution is simple: just pass the hash URL from the keyfile to
wpa-supplicant as-is, as is done for absolute paths.

(It would be nice to also have graphical configuration for this, but
that would be a feature request for another package.)

The sha256 sum of the certificate is already logged when no certificate check is done:
Jun  7 14:51:57 chewbacca wpa_supplicant[841]: wlp3s0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=WMSvc-ELVIRA' hash=c640682caa9cd14bf60640f92ff59c844df363dfce800fca3416b9cb222a4cdb
Then I can use the hash in the keyfile, and wpa-supplicant refuses to
send my username/password to any server that presents a different
certificate.

Example configuration follows, from /etc/NetworkManager/system-connections/my_safer_8021x:
...
[802-1x]
ca-cert=hash://server/sha256/c640682caa9cd14bf60640f92ff59c844df363dfce800fca3416b9cb222a4cdb
eap=peap;
identity=my_user_name
password=my_password
phase2-auth=mschapv2
...

Patch allowing a 'hash://' URL in ca-cert follows:

diff --git a/libnm-core/nm-keyfile-reader.c b/libnm-core/nm-keyfile-reader.c
index 8adf67dd..c071264d 100644
--- a/libnm-core/nm-keyfile-reader.c
+++ b/libnm-core/nm-keyfile-reader.c
@@ -893,7 +893,7 @@ get_cert_path (const char *base_dir, const guint8 *cert_path, gsize cert_path_le
 	base = path = g_malloc0 (cert_path_len + 1);
 	memcpy (path, cert_path, cert_path_len);
 
-	if ((path[0] == '/') || (strncmp(path, "hash://",7)==0))
+	if (path[0] == '/')
 		return path;
 
 	p = strrchr (path, '/');
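Review bot: the hunk appears reversed relative to the stated intent: the `-` line is the one that accepts `hash://`, and the `+` line drops that check, so applied as-is the patch would remove the very behaviour the report asks for. Please re-generate it in the intended direction so that the added line carries the `strncmp(path, "hash://", 7) == 0` test; while at it, `g_str_has_prefix (path, "hash://")` is the idiomatic GLib spelling in this file and avoids the hard-coded length 7.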


-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=cs_CZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages network-manager depends on:
ii  adduser                3.115
ii  dbus                   1.10.16-1
ii  init-system-helpers    1.47
ii  libaudit1              1:2.6.7-2
ii  libbluetooth3          5.43-2
ii  libc6                  2.24-9
ii  libglib2.0-0           2.50.3-1
ii  libgnutls30            3.5.8-3
ii  libgudev-1.0-0         230-3
ii  libjansson4            2.9-1
ii  libmm-glib0            1.6.4-1
ii  libndp0                1.6-1+b1
ii  libnewt0.52            0.52.19-1+b1
ii  libnl-3-200            3.2.27-2
ii  libnm0                 1.6.2-2
ii  libpam-systemd         233-5
ii  libpolkit-agent-1-0    0.105-18
ii  libpolkit-gobject-1-0  0.105-18
ii  libreadline7           7.0-2
ii  libselinux1            2.6-3+b1
ii  libsoup2.4-1           2.56.0-2
ii  libsystemd0            233-5
ii  libteamdctl0           1.26-1+b1
ii  libuuid1               2.29.2-1
ii  lsb-base               9.20161125
ii  policykit-1            0.105-18
ii  udev                   233-8
ii  wpasupplicant          2:2.4-1

Versions of packages network-manager recommends:
ii  crda             3.18-1
ii  dnsmasq-base     2.76-5+b1
ii  iptables         1.6.0+snapshot20161117-5
ii  iputils-arping   3:20161105-1
ii  isc-dhcp-client  4.3.5-3
ii  modemmanager     1.6.4-1
ii  ppp              2.4.7-1+4

Versions of packages network-manager suggests:
pn  libteam-utils  <none>

-- Configuration Files:
/etc/NetworkManager/NetworkManager.conf changed [not included]

-- no debconf information
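As an added example of the resolution rule the report describes (not NetworkManager's own code): a hypothetical `resolve_ca_cert` helper in plain C without GLib that passes absolute paths and well-formed `hash://server/sha256/<hex>` references through unchanged, rejects malformed hash references instead of turning them into relative file paths, and joins everything else onto the keyfile directory.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not NetworkManager's get_cert_path(). The only
 * hash form wpa_supplicant documents for ca_cert is
 * "hash://server/sha256/<64 hex digits>", so that is all we accept. */
static const char HASH_PREFIX[] = "hash://server/sha256/";

static int is_sha256_hex(const char *s)
{
    if (strlen(s) != 64)
        return 0;
    for (size_t i = 0; i < 64; i++) {
        char c = s[i];
        if (!((c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') ||
              (c >= 'A' && c <= 'F')))
            return 0;
    }
    return 1;
}

/* Returns a malloc'd string the caller frees, or NULL when the value is a
 * hash:// reference that wpa_supplicant would not understand. */
char *resolve_ca_cert(const char *base_dir, const char *value)
{
    if (value[0] == '/')                 /* absolute path: keep as-is */
        return strdup(value);

    if (strncmp(value, "hash://", 7) == 0) {
        /* A malformed hash reference must fail loudly rather than be
         * silently prefixed with base_dir and looked up as a file. */
        size_t plen = sizeof HASH_PREFIX - 1;
        if (strncmp(value, HASH_PREFIX, plen) != 0 ||
            !is_sha256_hex(value + plen))
            return NULL;
        return strdup(value);            /* hash reference: keep as-is */
    }

    /* Anything else is relative to the keyfile directory. */
    size_t len = strlen(base_dir) + 1 + strlen(value) + 1;
    char *out = malloc(len);
    if (!out)
        return NULL;
    snprintf(out, len, "%s/%s", base_dir, value);
    return out;
}
```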
