If empty private_key_passwd field sent via DBus to wpa_supplicant it will fail

Dear wpa_supplicant developers,

I have faced an issue with wpa_supplicant using NetworkManager.
I cannot decide if this behaviour is intended or a bug,
but I think it is worth mentioning.
I am using Ubuntu 18.04 and I tried to connect to a (WPA2 Enterprise EAP-TLS)
Wi-Fi access point using NetworkManager, but it didn't work,
so I started to investigate.

My settings were something like this:

[802-11-wireless]
ssid=SOME_AP
mode=infrastructure
security=802-11-wireless-security
...
[802-1x]
eap=tls
identity=user
client-cert=/path/to/your/private/key/cert.crt
private-key=/path/to/your/private/key/private.pem
private-key-password=

Notice the empty private-key-password field.
What I have found in the logs as symptoms:

journalctl -u NetworkManager

    aug 10 14:33:57 my_host NetworkManager[17975]: <info> [1565440437.0361] manager: NetworkManager state is now CONNECTING
    aug 10 14:33:57 my_host NetworkManager[17975]: <info> [1565440437.0366] device (wlp1s0): state change: prepare -> config (reason 'none', sys-iface-state: 'managed')
    aug 10 14:33:57 my_host NetworkManager[17975]: <info> [1565440437.0370] device (wlp1s0): Activation: (wifi) access point 'SOME_AP' has security, but secrets are required.
    aug 10 14:33:57 my_host NetworkManager[17975]: <info> [1565440437.0370] device (wlp1s0): state change: config -> need-auth (reason 'none', sys-iface-state: 'managed')
    aug 10 14:33:57 my_host NetworkManager[17975]: <info> [1565440437.0409] device (wlp1s0): state change: need-auth -> prepare (reason 'none', sys-iface-state: 'managed')
    aug 10 14:33:57 my_host NetworkManager[17975]: <info> [1565440437.0412] device (wlp1s0): state change: prepare -> config (reason 'none', sys-iface-state: 'managed')
    aug 10 14:33:57 my_host NetworkManager[17975]: <info> [1565440437.0416] device (wlp1s0): Activation: (wifi) connection 'SOME_AP' has security, and secrets exist. No new secrets needed.
    aug 10 14:33:57 my_host NetworkManager[17975]: <info> [1565440437.0416] Config: added 'ssid' value 'SOME_AP'
    aug 10 14:33:57 my_host NetworkManager[17975]: <info> [1565440437.0416] Config: added 'scan_ssid' value '1'
    aug 10 14:33:57 my_host NetworkManager[17975]: <info> [1565440437.0416] Config: added 'bgscan' value 'simple:ff:-22:100'
    aug 10 14:33:57 my_host NetworkManager[17975]: <info> [1565440437.0416] Config: added 'key_mgmt' value 'WPA-EAP'
    aug 10 14:33:57 my_host NetworkManager[17975]: <info> [1565440437.0417] Config: added 'eap' value 'TLS'
    aug 10 14:33:57 my_host NetworkManager[17975]: <info> [1565440437.0417] Config: added 'fragment_size' value '1266'
    aug 10 14:33:57 my_host NetworkManager[17975]: <info> [1565440437.0417] Config: added 'private_key' value '/path/to/your/private/key/private.pem'
    aug 10 14:33:57 my_host NetworkManager[17975]: <info> [1565440437.0417] Config: added 'private_key_passwd' value '<hidden>'
    aug 10 14:33:57 my_host NetworkManager[17975]: <info> [1565440437.0417] Config: added 'client_cert' value '/path/to/your/private/key/cert.crt'
    aug 10 14:33:57 my_host NetworkManager[17975]: <info> [1565440437.0417] Config: added 'identity' value 'user'
    aug 10 14:33:57 my_host NetworkManager[17975]: <info> [1565440437.0417] Config: added 'proactive_key_caching' value '1'
    aug 10 14:33:57 my_host NetworkManager[17975]: <warn> [1565440437.0433] sup-iface[0x55c9d5fcf450,wlp1s0]: assoc[0x7f281000bb40]: failure to add network: invalid message format
    aug 10 14:33:57 my_host NetworkManager[17975]: <info> [1565440437.0434] device (wlp1s0): state change: config -> failed (reason 'supplicant-failed', sys-iface-state: 'managed')
    aug 10 14:33:57 my_host NetworkManager[17975]: <info> [1565440437.0435] manager: NetworkManager state is now CONNECTED_LOCAL
    aug 10 14:33:57 my_host NetworkManager[17975]: <warn> [1565440437.0441] device (wlp1s0): Activation: failed for connection 'SOME_AP'
    aug 10 14:33:57 my_host NetworkManager[17975]: <info> [1565440437.0445] device (wlp1s0): state change: failed -> disconnected (reason 'none', sys-iface-state: 'managed')
    aug 10 14:33:57 my_host NetworkManager[17975]: <info> [1565440437.0361] manager: NetworkManager state is now CONNECTING

journalctl -u wpa_supplicant.service

    aug 07 14:20:08 my_host wpa_supplicant[1035]: wlp1s0: Associated with ff:f2:1f:dd:ac:10
    aug 07 14:20:08 my_host wpa_supplicant[1035]: wlp1s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
    aug 07 14:20:08 my_host wpa_supplicant[1035]: wlp1s0: CTRL-EVENT-EAP-STARTED EAP authentication started
    aug 07 14:20:08 my_host wpa_supplicant[1035]: wlp1s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
    aug 07 14:20:08 my_host wpa_supplicant[1035]: wlp1s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
    aug 07 14:20:09 my_host wpa_supplicant[1035]: wlp1s0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/DC=com/DC=company/CN=CA' hash=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aug 07 14:20:09 my_host wpa_supplicant[1035]: wlp1s0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=HU/ST=BUDAPEST/L=BUDAPEST/O=COMPANY/OU=SOMETHING/CN=company.com/emailAddress=mail@xxxxxxxxxxx' hash=bbbbbbbbbbbbbbbbbbbbbbbbbbb
    aug 07 14:20:10 my_host wpa_supplicant[1035]: wlp1s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
    aug 07 14:20:12 my_host wpa_supplicant[1035]: wlp1s0: Authentication with ff:f2:1f:dd:ac:10 timed out.
    aug 07 14:20:12 my_host wpa_supplicant[1035]: wlp1s0: CTRL-EVENT-DISCONNECTED bssid=ff:f2:1f:dd:ac:10 reason=3 locally_generated=1
    aug 07 14:20:12 my_host wpa_supplicant[1035]: wlp1s0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="SOME_AP" auth_failures=2 duration=35 reason=AUTH_FAILED

Debug wpa_supplicant.log:

    wpa_dbus_dict_get_entry: dict entry key: private_key_passwd
    wpa_dbus_dict_get_entry: dict entry variant content type: a
    _wpa_dbus_dict_entry_get_array: array_type y
    dbus: byte array contents - hexdump(len=0): [REMOVED]
    wpas_dbus_handler_add_network[dbus]: control interface couldn't set network properties
    dbus: Unregister network object '/fi/w1/wpa_supplicant1/Interfaces/1/Networks/0'

I have figured out that this line causes the problem:

    https://w1.fi/cgit/hostap/tree/wpa_supplicant/dbus/dbus_new_handlers.c#n210

When I used only wpa_supplicant to connect to the AP,
everything worked well, because wpa_supplicant correctly handled
the password-less private key config from the file.
I think wpa_supplicant will fail every time an empty byte array is sent
to it via DBus, but if the user creates a wpa_supplicant.conf and leaves
some config fields empty, the program can proceed.

My question is: do you think it is a bug?
If it is then I would like to help to fix this issue and
I welcome any suggestions.

Best regards,
Istvan

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
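
A triage sketch for the symptom reported above, added here as an example and not taken from the post, hostap or NetworkManager: it lists empty password fields in the `[802-1x]` section of a keyfile and names the D-Bus dict keys that carried a zero-length byte array before an add-network failure in a wpa_supplicant debug log. The function names are hypothetical and both sample inputs are constructed from the excerpts in the post.

```python
import configparser
import re

# Constructed samples modelled on the keyfile and debug log quoted in the post.
SAMPLE_KEYFILE = """\
[802-11-wireless]
ssid=SOME_AP

[802-1x]
eap=tls
identity=user
private-key=/path/to/your/private/key/private.pem
private-key-password=
"""
SAMPLE_DEBUG_LOG = """\
wpa_dbus_dict_get_entry: dict entry key: ssid
dbus: byte array contents - hexdump(len=7): [REMOVED]
wpa_dbus_dict_get_entry: dict entry key: private_key_passwd
wpa_dbus_dict_get_entry: dict entry variant content type: a
_wpa_dbus_dict_entry_get_array: array_type y
dbus: byte array contents - hexdump(len=0): [REMOVED]
wpas_dbus_handler_add_network[dbus]: control interface couldn't set network properties
"""

KEY_RE = re.compile(r"dict entry key: (\S+)")
LEN_RE = re.compile(r"byte array contents - hexdump\(len=(\d+)\)")


def empty_8021x_secrets(keyfile_text):
    """Return [802-1x] keys ending in 'password' whose value is empty."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(keyfile_text)
    if not cp.has_section("802-1x"):
        return []
    return sorted(k for k, v in cp.items("802-1x")
                  if k.endswith("password") and not v.strip())


def zero_length_entries_before_failure(log_text):
    """Return dict keys sent as len=0 byte arrays ahead of an add-network failure."""
    key, empties = None, []
    for line in log_text.splitlines():
        if m := KEY_RE.search(line):
            key = m.group(1)          # remember which entry is being parsed
        elif (m := LEN_RE.search(line)) and key and int(m.group(1)) == 0:
            empties.append(key)       # this entry carried no bytes
        elif "wpas_dbus_handler_add_network" in line and "couldn't" in line:
            return empties            # failure line reached: report suspects
    return []                         # no failure in this log


if __name__ == "__main__":
    print(empty_8021x_secrets(SAMPLE_KEYFILE))
    print(zero_length_entries_before_failure(SAMPLE_DEBUG_LOG))
```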


