colin/NetworkManager
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

8021x: don't request secrets if they are empty and system owned

Browse Source 
Empty secrets are fine. In particular, for PKCS#11 it means that protected
authentication path is used (the secrets are obtained on-demand from the
pinpad).
This commit is contained in:
Lubomir Rintel
2017-04-07 18:02:13 +02:00
parent 0812413c9d
commit df0dc912cc
1 changed files with 9 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
libnm-core/nm-setting-8021x.c
View File

@@ -2778,7 +2778,7 @@ need_private_key_password (GBytes *blob,
{ {
NMCryptoFileFormat format = NM_CRYPTO_FILE_FORMAT_UNKNOWN; NMCryptoFileFormat format = NM_CRYPTO_FILE_FORMAT_UNKNOWN;
if (flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED) if (flags == NM_SETTING_SECRET_FLAG_NONE || flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
return FALSE; return FALSE;
/* Private key password is required */ /* Private key password is required */
@@ -2822,13 +2822,15 @@ need_secrets_tls (NMSetting8021x *self,
scheme = nm_setting_802_1x_get_phase2_ca_cert_scheme (self); scheme = nm_setting_802_1x_get_phase2_ca_cert_scheme (self);
if ( scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11 if ( scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11
&& !(priv->phase2_ca_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED) && !( priv->phase2_ca_cert_password_flags == NM_SETTING_SECRET_FLAG_NONE
|| priv->phase2_ca_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
&& !priv->phase2_ca_cert_password) && !priv->phase2_ca_cert_password)
g_ptr_array_add (secrets, NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD); g_ptr_array_add (secrets, NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD);
scheme = nm_setting_802_1x_get_phase2_client_cert_scheme (self); scheme = nm_setting_802_1x_get_phase2_client_cert_scheme (self);
if ( scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11 if ( scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11
&& !(priv->phase2_client_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED) && !( priv->phase2_client_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED
|| priv->phase2_client_cert_password_flags == NM_SETTING_SECRET_FLAG_NONE)
&& !priv->phase2_client_cert_password) && !priv->phase2_client_cert_password)
g_ptr_array_add (secrets, NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD); g_ptr_array_add (secrets, NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD);
} else { } else {
@@ -2847,13 +2849,15 @@ need_secrets_tls (NMSetting8021x *self,
scheme = nm_setting_802_1x_get_ca_cert_scheme (self); scheme = nm_setting_802_1x_get_ca_cert_scheme (self);
if ( scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11 if ( scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11
&& !(priv->ca_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED) && !( priv->ca_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED
|| priv->ca_cert_password_flags == NM_SETTING_SECRET_FLAG_NONE)
&& !priv->ca_cert_password) && !priv->ca_cert_password)
g_ptr_array_add (secrets, NM_SETTING_802_1X_CA_CERT_PASSWORD); g_ptr_array_add (secrets, NM_SETTING_802_1X_CA_CERT_PASSWORD);
scheme = nm_setting_802_1x_get_client_cert_scheme (self); scheme = nm_setting_802_1x_get_client_cert_scheme (self);
if ( scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11 if ( scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11
&& !(priv->client_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED) && !( priv->client_cert_password_flags == NM_SETTING_SECRET_FLAG_NONE
|| priv->client_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
&& !priv->client_cert_password) && !priv->client_cert_password)
g_ptr_array_add (secrets, NM_SETTING_802_1X_CLIENT_CERT_PASSWORD); g_ptr_array_add (secrets, NM_SETTING_802_1X_CLIENT_CERT_PASSWORD);
} }