8021x: don't request secrets if they are empty and system owned
Empty secrets are fine. In particular, for PKCS#11 an empty secret means that the protected authentication path is used (the secrets are obtained on demand from the PIN pad).
@@ -2778,7 +2778,7 @@ need_private_key_password (GBytes *blob,
|
||||
{
|
||||
NMCryptoFileFormat format = NM_CRYPTO_FILE_FORMAT_UNKNOWN;
|
||||
|
||||
if (flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
|
||||
if (flags == NM_SETTING_SECRET_FLAG_NONE || flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
|
||||
return FALSE;
|
||||
|
||||
/* Private key password is required */
|
||||
@@ -2822,13 +2822,15 @@ need_secrets_tls (NMSetting8021x *self,
|
||||
|
||||
scheme = nm_setting_802_1x_get_phase2_ca_cert_scheme (self);
|
||||
if ( scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11
|
||||
&& !(priv->phase2_ca_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
|
||||
&& !( priv->phase2_ca_cert_password_flags == NM_SETTING_SECRET_FLAG_NONE
|
||||
|| priv->phase2_ca_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
|
||||
&& !priv->phase2_ca_cert_password)
|
||||
g_ptr_array_add (secrets, NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD);
|
||||
|
||||
scheme = nm_setting_802_1x_get_phase2_client_cert_scheme (self);
|
||||
if ( scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11
|
||||
&& !(priv->phase2_client_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
|
||||
&& !( priv->phase2_client_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED
|
||||
|| priv->phase2_client_cert_password_flags == NM_SETTING_SECRET_FLAG_NONE)
|
||||
&& !priv->phase2_client_cert_password)
|
||||
g_ptr_array_add (secrets, NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD);
|
||||
} else {
|
||||
@@ -2847,13 +2849,15 @@ need_secrets_tls (NMSetting8021x *self,
|
||||
|
||||
scheme = nm_setting_802_1x_get_ca_cert_scheme (self);
|
||||
if ( scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11
|
||||
&& !(priv->ca_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
|
||||
&& !( priv->ca_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED
|
||||
|| priv->ca_cert_password_flags == NM_SETTING_SECRET_FLAG_NONE)
|
||||
&& !priv->ca_cert_password)
|
||||
g_ptr_array_add (secrets, NM_SETTING_802_1X_CA_CERT_PASSWORD);
|
||||
|
||||
scheme = nm_setting_802_1x_get_client_cert_scheme (self);
|
||||
if ( scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11
|
||||
&& !(priv->client_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
|
||||
&& !( priv->client_cert_password_flags == NM_SETTING_SECRET_FLAG_NONE
|
||||
|| priv->client_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
|
||||
&& !priv->client_cert_password)
|
||||
g_ptr_array_add (secrets, NM_SETTING_802_1X_CLIENT_CERT_PASSWORD);
|
||||
}
|
||||
|
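Review bot: In need_private_key_password the early return that tests `flags == NM_SETTING_SECRET_FLAG_NONE` is neither limited to the PKCS#11 scheme nor conditional on the password being empty. The four need_secrets_tls conditions, by contrast, still require `scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11` and an unset password such as `!priv->ca_cert_password`. As far as the hunk shows, the function takes a key blob and returns before the code under `/* Private key password is required */`, so a system-owned password for an encrypted key file or blob would no longer be requested or checked when it is missing or wrong. I would keep `if (flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED) return FALSE;` unchanged and accept an empty secret with flags NONE only where the scheme is known to be PKCS#11, either in this function if the scheme is available there or at its call sites. The body of need_private_key_password continues outside the hunk, so this should be confirmed against the full function.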