authorLubomir Rintel <lkundrak@v3.sk>2017-02-09 16:14:40 +0000
committerLubomir Rintel <lkundrak@v3.sk>2017-02-17 14:24:34 +0100
commit57e379320ecb960b478aece5e2d6e6603bbd1ca3 (patch)
treec65ecf48b22598589acfaf4b61d3369fd124264e
parenteda2ddb8c670d112d517c88caab794b91d7b4184 (diff)
downloadNetworkManager-57e379320ecb960b478aece5e2d6e6603bbd1ca3.tar.gz
core/8021x: request secrets for keys and certificates PKCS#11 tokens
Unless the secrets are explicitly flagged as not required, we most likely need the PINs.
-rw-r--r--libnm-core/nm-setting-8021x.c54
1 files changed, 38 insertions, 16 deletions
diff --git a/libnm-core/nm-setting-8021x.c b/libnm-core/nm-setting-8021x.c
index ffc21de399..1e28ddfa90 100644
--- a/libnm-core/nm-setting-8021x.c
+++ b/libnm-core/nm-setting-8021x.c
@@ -2732,10 +2732,14 @@ need_secrets_sim (NMSetting8021x *self,
static gboolean
need_private_key_password (GBytes *blob,
const char *path,
- const char *password)
+ const char *password,
+ NMSettingSecretFlags flags)
{
NMCryptoFileFormat format = NM_CRYPTO_FILE_FORMAT_UNKNOWN;
+ if (flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
+ return FALSE;
+
/* Private key password is required */
if (password) {
if (path)
@@ -2745,7 +2749,7 @@ need_private_key_password (GBytes *blob,
g_bytes_get_size (blob),
password, NULL, NULL);
else
- g_warning ("%s: unknown private key password scheme", __func__);
+ return FALSE;
}
return (format == NM_CRYPTO_FILE_FORMAT_UNKNOWN);
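Review bot: The `/* Private key password is required */` comment and the function itself no longer say what the new NULL-blob/NULL-path case means: with both absent and a password set, the new `else return FALSE;` accepts the value without any check, because a PKCS#11 PIN cannot be validated locally the way `nm_crypto_verify_private_key*` validates a file password — a wrong PIN is therefore only caught later, by the supplicant. A header comment should make that explicit, e.g. `/* Returns TRUE if the key still needs a password or PIN. With neither @blob nor @path the key is token-backed (PKCS#11): the PIN cannot be verified here, so any non-NULL password is taken as-is. */`. It is also worth noting in the same comment that the early `NM_SETTING_SECRET_FLAG_NOT_REQUIRED` return skips the file-password verification entirely, so a wrong password on an encrypted key with that flag set is no longer detected here.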
@@ -2765,34 +2769,52 @@ need_secrets_tls (NMSetting8021x *self,
scheme = nm_setting_802_1x_get_phase2_private_key_scheme (self);
if (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH)
path = nm_setting_802_1x_get_phase2_private_key_path (self);
- else if (scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11)
- return;
else if (scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB)
blob = nm_setting_802_1x_get_phase2_private_key_blob (self);
- else {
+ else if (scheme != NM_SETTING_802_1X_CK_SCHEME_PKCS11)
g_warning ("%s: unknown phase2 private key scheme %d", __func__, scheme);
- g_ptr_array_add (secrets, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY);
- return;
- }
- if (need_private_key_password (blob, path, priv->phase2_private_key_password))
+ if (need_private_key_password (blob, path,
+ priv->phase2_private_key_password,
+ priv->phase2_private_key_password_flags))
g_ptr_array_add (secrets, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD);
+
+ scheme = nm_setting_802_1x_get_phase2_ca_cert_scheme (self);
+ if ( scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11
+ && !(priv->phase2_ca_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
+ && !priv->phase2_ca_cert_password)
+ g_ptr_array_add (secrets, NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD);
+
+ scheme = nm_setting_802_1x_get_phase2_client_cert_scheme (self);
+ if ( scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11
+ && !(priv->phase2_client_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
+ && !priv->phase2_client_cert_password)
+ g_ptr_array_add (secrets, NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD);
} else {
scheme = nm_setting_802_1x_get_private_key_scheme (self);
if (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH)
path = nm_setting_802_1x_get_private_key_path (self);
- else if (scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11)
- return;
else if (scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB)
blob = nm_setting_802_1x_get_private_key_blob (self);
- else {
+ else if (scheme != NM_SETTING_802_1X_CK_SCHEME_PKCS11)
g_warning ("%s: unknown private key scheme %d", __func__, scheme);
- g_ptr_array_add (secrets, NM_SETTING_802_1X_PRIVATE_KEY);
- return;
- }
- if (need_private_key_password (blob, path, priv->private_key_password))
+ if (need_private_key_password (blob, path,
+ priv->private_key_password,
+ priv->private_key_password_flags))
g_ptr_array_add (secrets, NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD);
+
+ scheme = nm_setting_802_1x_get_ca_cert_scheme (self);
+ if ( scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11
+ && !(priv->ca_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
+ && !priv->ca_cert_password)
+ g_ptr_array_add (secrets, NM_SETTING_802_1X_CA_CERT_PASSWORD);
+
+ scheme = nm_setting_802_1x_get_client_cert_scheme (self);
+ if ( scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11
+ && !(priv->client_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
+ && !priv->client_cert_password)
+ g_ptr_array_add (secrets, NM_SETTING_802_1X_CLIENT_CERT_PASSWORD);
}
}
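Review bot: The unknown-scheme branch changed behaviour: the old code added `NM_SETTING_802_1X_PRIVATE_KEY` to `secrets` and returned, but the new `else if (scheme != NM_SETTING_802_1X_CK_SCHEME_PKCS11)` only warns and then falls through with `blob` and `path` both NULL, so `need_private_key_password` treats the entry like a PKCS#11 key and asks for `NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD` (or nothing at all, if a password happens to be set) instead of the missing key. The beginning of `need_secrets_tls` is outside the hunk, so this may already be unreachable if an empty key is rejected there; if not, keep `g_ptr_array_add (secrets, NM_SETTING_802_1X_PRIVATE_KEY); return;` in the warning branch for both the phase1 and phase2 paths. The four near-identical PKCS#11 cert-password checks would also read better as one small static helper taking `scheme`, `flags` and `password`.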