authorBeniamino Galvani <bgalvani@redhat.com>2021-08-19 17:06:46 +0200
committerBeniamino Galvani <bgalvani@redhat.com>2021-08-20 18:09:48 +0200
commitbbb7eb17676318ad3d454f069006144c5ba27f2c (patch)
tree262382734f7fc117474b0abd01b8e37e20d79490
parentc8d80f332d7a292e2e200d6f2eea9dbb1581135e (diff)
downloadNetworkManager-bg/pkcs11-pin-rh1992829.tar.gz
8021x: request PINs for PKCS#11 certs unless explicitly not-requiredbg/pkcs11-pin-rh1992829
Commit df0dc912cc6d ('8021x: don't request secrets if they are empty and system owned') changed the setting so that NM doesn't request the PIN for PKCS#11 certificates and keys when the password property has NM_SETTING_SECRET_FLAG_NONE. From the commit message: Empty secrets are fine. In particular, for PKCS#11 it means that protected authentication path is used (the secrets are obtained on-demand from the pinpad). This change breaks the scenario in which PINs are stored in the connection: the setting then reports that no secrets are required, and so the PINs are never sent to the supplicant. If the PIN is entered through a pinpad, users should instead set the secret flags to 'not-required'. This reverts commit df0dc912cc6d ('8021x: don't request secrets if they are empty and system owned'). https://bugzilla.redhat.com/show_bug.cgi?id=1992829 https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/965
-rw-r--r--src/libnm-core-impl/nm-setting-8021x.c15
1 files changed, 4 insertions, 11 deletions
diff --git a/src/libnm-core-impl/nm-setting-8021x.c b/src/libnm-core-impl/nm-setting-8021x.c
index e625c318f0..8f0972bfea 100644
--- a/src/libnm-core-impl/nm-setting-8021x.c
+++ b/src/libnm-core-impl/nm-setting-8021x.c
@@ -2532,9 +2532,6 @@ need_private_key_password(GBytes * blob,
if (flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
return FALSE;
- if (scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11 && flags == NM_SETTING_SECRET_FLAG_NONE)
- return FALSE;
-
/* Private key password is required */
if (password) {
if (path)
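Review bot: Nothing in the code now records why PKCS#11 keys are no longer special-cased, so the early return that this hunk removes is likely to be re-added by the next person who hits a pinpad prompt; a short comment after the NOT_REQUIRED check would prevent that. I would add, above `/* Private key password is required */`: `/* PKCS#11 PINs are requested like any other key password. A pinpad (protected authentication path) must be signalled with the 'not-required' secret flag, not by leaving the PIN empty with FLAG_NONE, otherwise a stored PIN would never be sent to the supplicant. */`. Note that with the special case gone, an existing profile with FLAG_NONE and no PIN will presumably now generate a secrets request at activation rather than silently succeeding, which is the intended behaviour per the commit message but is user-visible. need_private_key_password starts and ends outside this hunk.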
@@ -2578,15 +2575,13 @@ need_secrets_tls(NMSetting8021x *self, GPtrArray *secrets, gboolean phase2)
scheme = nm_setting_802_1x_get_phase2_ca_cert_scheme(self);
if (scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11
- && !(priv->phase2_ca_cert_password_flags == NM_SETTING_SECRET_FLAG_NONE
- || priv->phase2_ca_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
+ && !(priv->phase2_ca_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
&& !priv->phase2_ca_cert_password)
g_ptr_array_add(secrets, NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD);
scheme = nm_setting_802_1x_get_phase2_client_cert_scheme(self);
if (scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11
- && !(priv->phase2_client_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED
- || priv->phase2_client_cert_password_flags == NM_SETTING_SECRET_FLAG_NONE)
+ && !(priv->phase2_client_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
&& !priv->phase2_client_cert_password)
g_ptr_array_add(secrets, NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD);
} else {
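Review bot: After the change both conditions in this hunk, and the two matching ones for the non-phase2 certificates, reduce to the same three-term test, so the flag semantics are spelled out four times and must be kept in sync by hand; a small static helper would make the rule explicit and keep one place to document it. Something like `static gboolean need_pkcs11_pin(NMSettingSecretFlags flags, const char *password)` (assuming that is the field's type) with body `return !(flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED) && !password;`, and each site becomes `if (scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11 && need_pkcs11_pin(priv->phase2_ca_cert_password_flags, priv->phase2_ca_cert_password))`. The helper is also the natural home for a comment that 'not-required' is the only way to opt out now. need_secrets_tls starts before and continues past this hunk.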
@@ -2607,15 +2602,13 @@ need_secrets_tls(NMSetting8021x *self, GPtrArray *secrets, gboolean phase2)
scheme = nm_setting_802_1x_get_ca_cert_scheme(self);
if (scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11
- && !(priv->ca_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED
- || priv->ca_cert_password_flags == NM_SETTING_SECRET_FLAG_NONE)
+ && !(priv->ca_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
&& !priv->ca_cert_password)
g_ptr_array_add(secrets, NM_SETTING_802_1X_CA_CERT_PASSWORD);
scheme = nm_setting_802_1x_get_client_cert_scheme(self);
if (scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11
- && !(priv->client_cert_password_flags == NM_SETTING_SECRET_FLAG_NONE
- || priv->client_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
+ && !(priv->client_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
&& !priv->client_cert_password)
g_ptr_array_add(secrets, NM_SETTING_802_1X_CLIENT_CERT_PASSWORD);
}
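Review bot: With the FLAG_NONE shortcut removed, a PKCS#11 CA certificate whose ca-cert-password-flags is NONE and whose password is unset now produces a request for NM_SETTING_802_1X_CA_CERT_PASSWORD exactly like the client certificate does. CA certificates on a token are presumably public objects that do not need a PIN to be read, so deployments that relied on the old behaviour may now see a PIN prompt for the CA cert as well; if that is intended, it is worth documenting next to the ca-cert check, e.g. `/* Even public objects (CA certs) get a PIN request unless the flags say 'not-required'; that flag is the only opt-out. */`. The surrounding function continues past the end of this hunk.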