author | Lubomir Rintel <lkundrak@v3.sk> | 2017-02-09 16:14:40 +0000 |
---|---|---|
committer | Lubomir Rintel <lkundrak@v3.sk> | 2017-02-17 14:24:34 +0100 |
commit | 57e379320ecb960b478aece5e2d6e6603bbd1ca3 (patch) | |
tree | c65ecf48b22598589acfaf4b61d3369fd124264e | |
parent | eda2ddb8c670d112d517c88caab794b91d7b4184 (diff) | |
core/8021x: request secrets for keys and certificates PKCS#11 tokens
Unless the secrets are explicitly flagged as not needed we probably require
the PINs.
-rw-r--r-- | libnm-core/nm-setting-8021x.c | 54 |
1 files changed, 38 insertions, 16 deletions
diff --git a/libnm-core/nm-setting-8021x.c b/libnm-core/nm-setting-8021x.c
index ffc21de399..1e28ddfa90 100644
--- a/libnm-core/nm-setting-8021x.c
+++ b/libnm-core/nm-setting-8021x.c
@@ -2732,10 +2732,14 @@ need_secrets_sim (NMSetting8021x *self,
 static gboolean
 need_private_key_password (GBytes *blob,
                            const char *path,
-                           const char *password)
+                           const char *password,
+                           NMSettingSecretFlags flags)
 {
 	NMCryptoFileFormat format = NM_CRYPTO_FILE_FORMAT_UNKNOWN;
 
+	if (flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
+		return FALSE;
+
 	/* Private key password is required */
 	if (password) {
 		if (path)
@@ -2745,7 +2749,7 @@ need_private_key_password (GBytes *blob,
 			                                             g_bytes_get_size (blob),
 			                                             password, NULL, NULL);
 		else
-			g_warning ("%s: unknown private key password scheme", __func__);
+			return FALSE;
 	}
 
 	return (format == NM_CRYPTO_FILE_FORMAT_UNKNOWN);
@@ -2765,34 +2769,52 @@ need_secrets_tls (NMSetting8021x *self,
 		scheme = nm_setting_802_1x_get_phase2_private_key_scheme (self);
 		if (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH)
 			path = nm_setting_802_1x_get_phase2_private_key_path (self);
-		else if (scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11)
-			return;
 		else if (scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB)
 			blob = nm_setting_802_1x_get_phase2_private_key_blob (self);
-		else {
+		else if (scheme != NM_SETTING_802_1X_CK_SCHEME_PKCS11)
 			g_warning ("%s: unknown phase2 private key scheme %d", __func__, scheme);
-			g_ptr_array_add (secrets, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY);
-			return;
-		}
 
-		if (need_private_key_password (blob, path, priv->phase2_private_key_password))
+		if (need_private_key_password (blob, path,
+		                               priv->phase2_private_key_password,
+		                               priv->phase2_private_key_password_flags))
 			g_ptr_array_add (secrets, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD);
+
+		scheme = nm_setting_802_1x_get_phase2_ca_cert_scheme (self);
+		if (   scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11
+		    && !(priv->phase2_ca_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
+		    && !priv->phase2_ca_cert_password)
+			g_ptr_array_add (secrets, NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD);
+
+		scheme = nm_setting_802_1x_get_phase2_client_cert_scheme (self);
+		if (   scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11
+		    && !(priv->phase2_client_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
+		    && !priv->phase2_client_cert_password)
+			g_ptr_array_add (secrets, NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD);
 	} else {
 		scheme = nm_setting_802_1x_get_private_key_scheme (self);
 		if (scheme == NM_SETTING_802_1X_CK_SCHEME_PATH)
 			path = nm_setting_802_1x_get_private_key_path (self);
-		else if (scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11)
-			return;
 		else if (scheme == NM_SETTING_802_1X_CK_SCHEME_BLOB)
 			blob = nm_setting_802_1x_get_private_key_blob (self);
-		else {
+		else if (scheme != NM_SETTING_802_1X_CK_SCHEME_PKCS11)
 			g_warning ("%s: unknown private key scheme %d", __func__, scheme);
-			g_ptr_array_add (secrets, NM_SETTING_802_1X_PRIVATE_KEY);
-			return;
-		}
 
-		if (need_private_key_password (blob, path, priv->private_key_password))
+		if (need_private_key_password (blob, path,
+		                               priv->private_key_password,
+		                               priv->private_key_password_flags))
 			g_ptr_array_add (secrets, NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD);
+
+		scheme = nm_setting_802_1x_get_ca_cert_scheme (self);
+		if (   scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11
+		    && !(priv->ca_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
+		    && !priv->ca_cert_password)
+			g_ptr_array_add (secrets, NM_SETTING_802_1X_CA_CERT_PASSWORD);
+
+		scheme = nm_setting_802_1x_get_client_cert_scheme (self);
+		if (   scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11
+		    && !(priv->client_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
+		    && !priv->client_cert_password)
+			g_ptr_array_add (secrets, NM_SETTING_802_1X_CLIENT_CERT_PASSWORD);
 	}
 }
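Review bot: The new `return FALSE;` in the else branch of need_private_key_password now treats any stored password as sufficient whenever neither a path nor a blob is available, which is the PKCS#11 case this commit is about, but nothing in the code says so, and an unknown scheme now takes the same silent route where it used to warn. A one-line comment on that branch would keep the intent readable: `/* no path and no blob: PKCS#11 PIN, which cannot be checked without the token, so a stored one is accepted as is */`. The early NOT_REQUIRED check at the top of the function also runs before the password is looked at, so a password stored together with that flag is never validated either; that looks intended given the commit message, but is worth a word in the function's header comment. The part of need_private_key_password between the two hunks is not shown here.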
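Review bot: Dropping the `return;` from the unknown-scheme branch, in both halves of need_secrets_tls, changes what gets requested: with no path and no blob, need_private_key_password (NULL, NULL, ...) returns TRUE whenever no password is stored, so a setting whose key scheme is unknown now asks for a private-key password instead of the key itself as before. If verify() already rejects such settings this is harmless, but keeping `{ g_warning (...); return; }` there would preserve the old contract without touching the PKCS#11 path. Separately, the four new PKCS#11 checks repeat the same three-line condition with only the field names changed; a small static helper keeps the rule in one place, as sketched below for one call site. need_secrets_tls begins before this hunk.
```c
/* A PKCS#11 object needs its PIN unless the setting marks the secret as
 * not required or one is already stored; it cannot be checked here. */
static gboolean
need_pkcs11_password (NMSetting8021xCKScheme scheme,
                      NMSettingSecretFlags flags,
                      const char *password)
{
	return    scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11
	       && !(flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
	       && !password;
}

/* … unchanged: phase2 private key handling … */
		if (need_pkcs11_password (nm_setting_802_1x_get_phase2_ca_cert_scheme (self),
		                          priv->phase2_ca_cert_password_flags,
		                          priv->phase2_ca_cert_password))
			g_ptr_array_add (secrets, NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD);
/* … unchanged: the other three checks follow the same shape … */
```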