From 2eccb21b8e70de2bfb8bfb9c8e5ea9d0f31826ea Mon Sep 17 00:00:00 2001 From: Alexander Elbs Date: Fri, 7 Oct 2022 10:59:02 +0200 Subject: [PATCH 1/3] core: move rerequest decision of secrets to NMSetting When an authentication attempt fails, NetworkManager re-requests new secrets from agents before retrying. This is currently decided outside of the NMSetting objects. With this change the decision if a re-request of new secrets is really needed is moved down to the NMSetting implementations. For the case "802.1x authentication with TLS" a certificate with password is configured and the assumption is, that this can never be wrong and no re-request is needed. --- src/libnm-core-impl/nm-connection.c | 84 ++++++++++++------- src/libnm-core-impl/nm-setting-8021x.c | 40 ++++++--- src/libnm-core-impl/nm-setting-adsl.c | 4 +- src/libnm-core-impl/nm-setting-cdma.c | 4 +- src/libnm-core-impl/nm-setting-gsm.c | 4 +- src/libnm-core-impl/nm-setting-macsec.c | 4 +- src/libnm-core-impl/nm-setting-pppoe.c | 4 +- src/libnm-core-impl/nm-setting-private.h | 4 +- src/libnm-core-impl/nm-setting-vpn.c | 2 +- src/libnm-core-impl/nm-setting-wireguard.c | 4 +- .../nm-setting-wireless-security.c | 16 ++-- src/libnm-core-impl/nm-setting.c | 10 ++- src/libnm-core-intern/nm-core-internal.h | 2 + 13 files changed, 115 insertions(+), 67 deletions(-) diff --git a/src/libnm-core-impl/nm-connection.c b/src/libnm-core-impl/nm-connection.c index 6c73c66bb5..e532d05690 100644 --- a/src/libnm-core-impl/nm-connection.c +++ b/src/libnm-core-impl/nm-connection.c @@ -2333,6 +2333,45 @@ nm_connection_update_secrets(NMConnection *connection, return success; } +static const char * +_need_secrets(NMConnection *connection, gboolean check_rerequest, GPtrArray **hints) +{ + NMSetting *setting_before = NULL; + NMConnectionPrivate *priv; + int i; + + nm_assert(NM_IS_CONNECTION(connection)); + nm_assert(!hints || !*hints); + + priv = NM_CONNECTION_GET_PRIVATE(connection); + + /* Get list of settings in priority order */ + for (i = 0; i < (int) _NM_META_SETTING_TYPE_NUM; i++) { + NMSetting *setting = priv->settings[nm_meta_setting_types_by_priority[i]]; + GPtrArray *secrets; + + if (!setting) + continue; + + nm_assert(!setting_before || _nm_setting_sort_for_nm_assert(setting_before, setting) < 0); + nm_assert(!setting_before || _nm_setting_compare_priority(setting_before, setting) <= 0); + setting_before = setting; + + secrets = _nm_setting_need_secrets(setting, check_rerequest); + if (!secrets) + continue; + + if (hints) + *hints = secrets; + else + g_ptr_array_free(secrets, TRUE); + + return nm_setting_get_name(setting); + } + + return NULL; +} + /** * nm_connection_need_secrets: * @connection: the #NMConnection @@ -2355,41 +2394,24 @@ nm_connection_update_secrets(NMConnection *connection, const char * nm_connection_need_secrets(NMConnection *connection, GPtrArray **hints) { - NMSetting *setting_before = NULL; - NMConnectionPrivate *priv; - int i; - g_return_val_if_fail(NM_IS_CONNECTION(connection), NULL); - if (hints) - g_return_val_if_fail(*hints == NULL, NULL); + g_return_val_if_fail(!hints || !*hints, NULL); - priv = NM_CONNECTION_GET_PRIVATE(connection); + return _need_secrets(connection, FALSE, hints); +} - /* Get list of settings in priority order */ - for (i = 0; i < (int) _NM_META_SETTING_TYPE_NUM; i++) { - NMSetting *setting = priv->settings[nm_meta_setting_types_by_priority[i]]; - GPtrArray *secrets; +/** + * nm_connection_need_secrets_for_rerequest: + * @connection: the #NMConnection + * + * Returns TRUE if some secret needs to be re-requested + **/ +gboolean +nm_connection_need_secrets_for_rerequest(NMConnection *connection) +{ + g_return_val_if_fail(NM_IS_CONNECTION(connection), FALSE); - if (!setting) - continue; - - nm_assert(!setting_before || _nm_setting_sort_for_nm_assert(setting_before, setting) < 0); - nm_assert(!setting_before || _nm_setting_compare_priority(setting_before, setting) <= 0); - setting_before = setting; - - secrets = _nm_setting_need_secrets(setting); - if (!secrets) - continue; - - if (hints) - *hints = secrets; - else - g_ptr_array_free(secrets, TRUE); - - return nm_setting_get_name(setting); - } - - return NULL; + return !!_need_secrets(connection, TRUE, NULL); } /** diff --git a/src/libnm-core-impl/nm-setting-8021x.c b/src/libnm-core-impl/nm-setting-8021x.c index 8858c0cebf..05917c286d 100644 --- a/src/libnm-core-impl/nm-setting-8021x.c +++ b/src/libnm-core-impl/nm-setting-8021x.c @@ -67,7 +67,10 @@ _crypto_format_to_ck(NMCryptoFileFormat format) /*****************************************************************************/ -typedef void (*EAPMethodNeedSecretsFunc)(NMSetting8021x *self, GPtrArray *secrets, gboolean phase2); +typedef void (*EAPMethodNeedSecretsFunc)(NMSetting8021x *self, + GPtrArray *secrets, + gboolean phase2, + gboolean check_rerequest); typedef gboolean (*EAPMethodValidateFunc)(NMSetting8021x *self, gboolean phase2, GError **error); @@ -2500,29 +2503,41 @@ nm_setting_802_1x_get_optional(NMSetting8021x *setting) /*****************************************************************************/ static void -need_secrets_password(NMSetting8021x *self, GPtrArray *secrets, gboolean phase2) +need_secrets_password(NMSetting8021x *self, + GPtrArray *secrets, + gboolean phase2, + gboolean check_rerequest) { NMSetting8021xPrivate *priv = NM_SETTING_802_1X_GET_PRIVATE(self); - if (nm_str_is_empty(priv->password) - && (!priv->password_raw || !g_bytes_get_size(priv->password_raw))) { + if (check_rerequest + || (nm_str_is_empty(priv->password) + && (!priv->password_raw || !g_bytes_get_size(priv->password_raw)))) { g_ptr_array_add(secrets, NM_SETTING_802_1X_PASSWORD); g_ptr_array_add(secrets, NM_SETTING_802_1X_PASSWORD_RAW); } } static void -need_secrets_sim(NMSetting8021x *self, GPtrArray *secrets, gboolean phase2) +need_secrets_sim(NMSetting8021x *self, + GPtrArray *secrets, + gboolean phase2, + gboolean check_rerequest) { NMSetting8021xPrivate *priv = NM_SETTING_802_1X_GET_PRIVATE(self); - if (nm_str_is_empty(priv->pin)) + if (check_rerequest || nm_str_is_empty(priv->pin)) g_ptr_array_add(secrets, NM_SETTING_802_1X_PIN); } static void -need_secrets_tls(NMSetting8021x *self, GPtrArray *secrets, gboolean phase2) +need_secrets_tls(NMSetting8021x *self, + GPtrArray *secrets, + gboolean phase2, + gboolean check_rerequest) { + // If check_rerequest is TRUE do not return secrets, unless missing. + // This secret cannot be wrong. NMSetting8021xPrivate *priv = NM_SETTING_802_1X_GET_PRIVATE(self); NMSetting8021xCKScheme scheme; @@ -2719,7 +2734,10 @@ verify_ttls(NMSetting8021x *self, gboolean phase2, GError **error) } static void -need_secrets_phase2(NMSetting8021x *self, GPtrArray *secrets, gboolean phase2) +need_secrets_phase2(NMSetting8021x *self, + GPtrArray *secrets, + gboolean phase2, + gboolean check_rerequest) { NMSetting8021xPrivate *priv = NM_SETTING_802_1X_GET_PRIVATE(self); char *method = NULL; @@ -2740,7 +2758,7 @@ need_secrets_phase2(NMSetting8021x *self, GPtrArray *secrets, gboolean phase2) if (!eap_methods_table[i].ns_func) continue; if (nm_streq(eap_methods_table[i].method, method)) { - (*eap_methods_table[i].ns_func)(self, secrets, TRUE); + (*eap_methods_table[i].ns_func)(self, secrets, TRUE, check_rerequest); break; } } @@ -3030,7 +3048,7 @@ verify(NMSetting *setting, NMConnection *connection, GError **error) /*****************************************************************************/ static GPtrArray * -need_secrets(NMSetting *setting) +need_secrets(NMSetting *setting, gboolean check_rerequest) { NMSetting8021x *self = NM_SETTING_802_1X(setting); NMSetting8021xPrivate *priv = NM_SETTING_802_1X_GET_PRIVATE(self); @@ -3049,7 +3067,7 @@ need_secrets(NMSetting *setting) if (eap_methods_table[i].ns_func == NULL) continue; if (!strcmp(eap_methods_table[i].method, method)) { - (*eap_methods_table[i].ns_func)(self, secrets, FALSE); + (*eap_methods_table[i].ns_func)(self, secrets, FALSE, check_rerequest); /* Only break out of the outer loop if this EAP method * needed secrets. diff --git a/src/libnm-core-impl/nm-setting-adsl.c b/src/libnm-core-impl/nm-setting-adsl.c index 88606b69a0..ca2913898a 100644 --- a/src/libnm-core-impl/nm-setting-adsl.c +++ b/src/libnm-core-impl/nm-setting-adsl.c @@ -225,12 +225,12 @@ verify_secrets(NMSetting *setting, NMConnection *connection, GError **error) } static GPtrArray * -need_secrets(NMSetting *setting) +need_secrets(NMSetting *setting, gboolean check_rerequest) { NMSettingAdslPrivate *priv = NM_SETTING_ADSL_GET_PRIVATE(setting); GPtrArray *secrets = NULL; - if (priv->password && *priv->password) + if (!check_rerequest && priv->password && *priv->password) return NULL; if (!(priv->password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)) { diff --git a/src/libnm-core-impl/nm-setting-cdma.c b/src/libnm-core-impl/nm-setting-cdma.c index 46f29f969b..c32af6b744 100644 --- a/src/libnm-core-impl/nm-setting-cdma.c +++ b/src/libnm-core-impl/nm-setting-cdma.c @@ -174,12 +174,12 @@ verify_secrets(NMSetting *setting, NMConnection *connection, GError **error) } static GPtrArray * -need_secrets(NMSetting *setting) +need_secrets(NMSetting *setting, gboolean check_rerequest) { NMSettingCdmaPrivate *priv = NM_SETTING_CDMA_GET_PRIVATE(setting); GPtrArray *secrets = NULL; - if (!nm_str_is_empty(priv->password)) + if (!check_rerequest && !nm_str_is_empty(priv->password)) return NULL; if (priv->username) { diff --git a/src/libnm-core-impl/nm-setting-gsm.c b/src/libnm-core-impl/nm-setting-gsm.c index 15460ccc9e..cd7d9b8061 100644 --- a/src/libnm-core-impl/nm-setting-gsm.c +++ b/src/libnm-core-impl/nm-setting-gsm.c @@ -460,12 +460,12 @@ verify_secrets(NMSetting *setting, NMConnection *connection, GError **error) } static GPtrArray * -need_secrets(NMSetting *setting) +need_secrets(NMSetting *setting, gboolean check_rerequest) { NMSettingGsmPrivate *priv = NM_SETTING_GSM_GET_PRIVATE(setting); GPtrArray *secrets = NULL; - if (priv->password && *priv->password) + if (!check_rerequest && priv->password && *priv->password) return NULL; if (priv->username) { diff --git a/src/libnm-core-impl/nm-setting-macsec.c b/src/libnm-core-impl/nm-setting-macsec.c index 85271214ee..3c928e0138 100644 --- a/src/libnm-core-impl/nm-setting-macsec.c +++ b/src/libnm-core-impl/nm-setting-macsec.c @@ -215,13 +215,13 @@ nm_setting_macsec_get_send_sci(NMSettingMacsec *setting) } static GPtrArray * -need_secrets(NMSetting *setting) +need_secrets(NMSetting *setting, gboolean check_rerequest) { NMSettingMacsecPrivate *priv = NM_SETTING_MACSEC_GET_PRIVATE(setting); GPtrArray *secrets = NULL; if (priv->mode == NM_SETTING_MACSEC_MODE_PSK) { - if (!priv->mka_cak + if ((check_rerequest || !priv->mka_cak) && !NM_FLAGS_HAS(priv->mka_cak_flags, NM_SETTING_SECRET_FLAG_NOT_REQUIRED)) { secrets = g_ptr_array_sized_new(1); g_ptr_array_add(secrets, NM_SETTING_MACSEC_MKA_CAK); diff --git a/src/libnm-core-impl/nm-setting-pppoe.c b/src/libnm-core-impl/nm-setting-pppoe.c index c4a9a89cbd..5c4f3c28a1 100644 --- a/src/libnm-core-impl/nm-setting-pppoe.c +++ b/src/libnm-core-impl/nm-setting-pppoe.c @@ -178,12 +178,12 @@ verify(NMSetting *setting, NMConnection *connection, GError **error) } static GPtrArray * -need_secrets(NMSetting *setting) +need_secrets(NMSetting *setting, gboolean check_rerequest) { NMSettingPppoePrivate *priv = NM_SETTING_PPPOE_GET_PRIVATE(setting); GPtrArray *secrets = NULL; - if (priv->password) + if (!check_rerequest && priv->password) return NULL; if (!(priv->password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)) { diff --git a/src/libnm-core-impl/nm-setting-private.h b/src/libnm-core-impl/nm-setting-private.h index 99b31f354c..0b8b9cb640 100644 --- a/src/libnm-core-impl/nm-setting-private.h +++ b/src/libnm-core-impl/nm-setting-private.h @@ -100,7 +100,7 @@ struct _NMSettingClass { gboolean (*verify_secrets)(NMSetting *setting, NMConnection *connection, GError **error); - GPtrArray *(*need_secrets)(NMSetting *setting); + GPtrArray *(*need_secrets)(NMSetting *setting, gboolean check_rerequest); int (*update_one_secret)(NMSetting *setting, const char *key, GVariant *value, GError **error); @@ -1046,7 +1046,7 @@ gboolean _nm_setting_use_legacy_property(NMSetting *setting, const char *legacy_property, const char *new_property); -GPtrArray *_nm_setting_need_secrets(NMSetting *setting); +GPtrArray *_nm_setting_need_secrets(NMSetting *setting, gboolean check_rerequest); gboolean _nm_setting_should_compare_secret_property(NMSetting *setting, NMSetting *other, diff --git a/src/libnm-core-impl/nm-setting-vpn.c b/src/libnm-core-impl/nm-setting-vpn.c index 42f75fa211..4fd9022e51 100644 --- a/src/libnm-core-impl/nm-setting-vpn.c +++ b/src/libnm-core-impl/nm-setting-vpn.c @@ -801,7 +801,7 @@ set_secret_flags(NMSetting *setting, } static GPtrArray * -need_secrets(NMSetting *setting) +need_secrets(NMSetting *setting, gboolean check_rerequest) { /* Assume that VPN connections need secrets since they almost always will */ return g_ptr_array_sized_new(1); diff --git a/src/libnm-core-impl/nm-setting-wireguard.c b/src/libnm-core-impl/nm-setting-wireguard.c index 2cc1089eb2..08ba714fec 100644 --- a/src/libnm-core-impl/nm-setting-wireguard.c +++ b/src/libnm-core-impl/nm-setting-wireguard.c @@ -1800,13 +1800,13 @@ verify_secrets(NMSetting *setting, NMConnection *connection, GError **error) } static GPtrArray * -need_secrets(NMSetting *setting) +need_secrets(NMSetting *setting, gboolean check_rerequest) { NMSettingWireGuardPrivate *priv = NM_SETTING_WIREGUARD_GET_PRIVATE(setting); GPtrArray *secrets = NULL; guint i; - if (!priv->private_key_valid) { + if (check_rerequest || !priv->private_key_valid) { secrets = g_ptr_array_new_full(1, g_free); g_ptr_array_add(secrets, g_strdup(NM_SETTING_WIREGUARD_PRIVATE_KEY)); } diff --git a/src/libnm-core-impl/nm-setting-wireless-security.c b/src/libnm-core-impl/nm-setting-wireless-security.c index d9c5afb873..5a535dd04f 100644 --- a/src/libnm-core-impl/nm-setting-wireless-security.c +++ b/src/libnm-core-impl/nm-setting-wireless-security.c @@ -815,7 +815,7 @@ nm_setting_wireless_security_get_fils(NMSettingWirelessSecurity *setting) } static GPtrArray * -need_secrets(NMSetting *setting) +need_secrets(NMSetting *setting, gboolean check_rerequest) { NMSettingWirelessSecurity *self = NM_SETTING_WIRELESS_SECURITY(setting); NMSettingWirelessSecurityPrivate *priv = NM_SETTING_WIRELESS_SECURITY_GET_PRIVATE(self); @@ -828,22 +828,22 @@ need_secrets(NMSetting *setting) /* Static WEP */ if (strcmp(priv->key_mgmt, "none") == 0) { if ((priv->wep_tx_keyidx == 0) - && !nm_utils_wep_key_valid(priv->wep_key0, priv->wep_key_type)) { + && (check_rerequest || !nm_utils_wep_key_valid(priv->wep_key0, priv->wep_key_type))) { g_ptr_array_add(secrets, NM_SETTING_WIRELESS_SECURITY_WEP_KEY0); return secrets; } if ((priv->wep_tx_keyidx == 1) - && !nm_utils_wep_key_valid(priv->wep_key1, priv->wep_key_type)) { + && (check_rerequest || !nm_utils_wep_key_valid(priv->wep_key1, priv->wep_key_type))) { g_ptr_array_add(secrets, NM_SETTING_WIRELESS_SECURITY_WEP_KEY1); return secrets; } if ((priv->wep_tx_keyidx == 2) - && !nm_utils_wep_key_valid(priv->wep_key2, priv->wep_key_type)) { + && (check_rerequest || !nm_utils_wep_key_valid(priv->wep_key2, priv->wep_key_type))) { g_ptr_array_add(secrets, NM_SETTING_WIRELESS_SECURITY_WEP_KEY2); return secrets; } if ((priv->wep_tx_keyidx == 3) - && !nm_utils_wep_key_valid(priv->wep_key3, priv->wep_key_type)) { + && (check_rerequest || !nm_utils_wep_key_valid(priv->wep_key3, priv->wep_key_type))) { g_ptr_array_add(secrets, NM_SETTING_WIRELESS_SECURITY_WEP_KEY3); return secrets; } @@ -852,7 +852,7 @@ need_secrets(NMSetting *setting) /* WPA-PSK infrastructure */ if (strcmp(priv->key_mgmt, "wpa-psk") == 0) { - if (!nm_utils_wpa_psk_valid(priv->psk)) { + if (check_rerequest || !nm_utils_wpa_psk_valid(priv->psk)) { g_ptr_array_add(secrets, NM_SETTING_WIRELESS_SECURITY_PSK); return secrets; } @@ -861,7 +861,7 @@ need_secrets(NMSetting *setting) /* SAE, used in MESH and WPA3-Personal */ if (strcmp(priv->key_mgmt, "sae") == 0) { - if (!priv->psk || !*priv->psk) { + if (check_rerequest || !priv->psk || !*priv->psk) { g_ptr_array_add(secrets, NM_SETTING_WIRELESS_SECURITY_PSK); return secrets; } @@ -870,7 +870,7 @@ need_secrets(NMSetting *setting) /* LEAP */ if (priv->auth_alg && !strcmp(priv->auth_alg, "leap") && !strcmp(priv->key_mgmt, "ieee8021x")) { - if (!priv->leap_password || !*priv->leap_password) { + if (check_rerequest || !priv->leap_password || !*priv->leap_password) { g_ptr_array_add(secrets, NM_SETTING_WIRELESS_SECURITY_LEAP_PASSWORD); return secrets; } diff --git a/src/libnm-core-impl/nm-setting.c b/src/libnm-core-impl/nm-setting.c index 7086a60bc0..4c786ea18b 100644 --- a/src/libnm-core-impl/nm-setting.c +++ b/src/libnm-core-impl/nm-setting.c @@ -3181,6 +3181,12 @@ _nm_setting_clear_secrets(NMSetting *setting, /** * _nm_setting_need_secrets: * @setting: the #NMSetting + * @check_rerequest: If %TRUE: the stored secrets might be wrong and the agent + * should query the user for the correct credentials. If an #NMSetting knows + * that this cannot be the case it should *not* return the corresponding + * setting object. Otherwise it should always return it, even if it is not + * missing. + * If %FALSE: only return it when it is missing. * * Returns an array of property names for each secret which may be required * to make a successful connection. The returned hints are only intended as a @@ -3193,14 +3199,14 @@ _nm_setting_clear_secrets(NMSetting *setting, * free the elements. **/ GPtrArray * -_nm_setting_need_secrets(NMSetting *setting) +_nm_setting_need_secrets(NMSetting *setting, gboolean check_rerequest) { GPtrArray *secrets = NULL; g_return_val_if_fail(NM_IS_SETTING(setting), NULL); if (NM_SETTING_GET_CLASS(setting)->need_secrets) - secrets = NM_SETTING_GET_CLASS(setting)->need_secrets(setting); + secrets = NM_SETTING_GET_CLASS(setting)->need_secrets(setting, check_rerequest); return secrets; } diff --git a/src/libnm-core-intern/nm-core-internal.h b/src/libnm-core-intern/nm-core-internal.h index 9e9a673a10..a288dc43ce 100644 --- a/src/libnm-core-intern/nm-core-internal.h +++ b/src/libnm-core-intern/nm-core-internal.h @@ -1051,4 +1051,6 @@ gboolean _nm_ip_tunnel_mode_is_layer2(NMIPTunnelMode mode); GPtrArray *_nm_setting_ip_config_get_dns_array(NMSettingIPConfig *setting); +gboolean nm_connection_need_secrets_for_rerequest(NMConnection *connection); + #endif From 61a302ff6b2653d60e8dc32d74e7a6252c74b390 Mon Sep 17 00:00:00 2001 From: Alexander Elbs Date: Mon, 10 Oct 2022 12:38:24 +0200 Subject: [PATCH 2/3] core: use new rerequest infrastructure instead of always re-requesting secrets on authentication failure ask NMSetting if this is really needed. Currently only for the case "802.1x with TLS" this behaves differently, i.e. no re-request. --- src/core/settings/nm-agent-manager.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/core/settings/nm-agent-manager.c b/src/core/settings/nm-agent-manager.c index 295378bc86..6f9268b435 100644 --- a/src/core/settings/nm-agent-manager.c +++ b/src/core/settings/nm-agent-manager.c @@ -1172,8 +1172,10 @@ _con_get_try_complete_early(Request *req) } /* Do we have everything we need? */ if (NM_FLAGS_HAS(req->con.get.flags, NM_SECRET_AGENT_GET_SECRETS_FLAG_ONLY_SYSTEM) - || ((nm_connection_need_secrets(tmp, NULL) == NULL) - && !NM_FLAGS_HAS(req->con.get.flags, NM_SECRET_AGENT_GET_SECRETS_FLAG_REQUEST_NEW))) { + || (NM_FLAGS_HAS(req->con.get.flags, NM_SECRET_AGENT_GET_SECRETS_FLAG_REQUEST_NEW) + && !nm_connection_need_secrets_for_rerequest(tmp)) + || (!NM_FLAGS_HAS(req->con.get.flags, NM_SECRET_AGENT_GET_SECRETS_FLAG_REQUEST_NEW) + && nm_connection_need_secrets(tmp, NULL) == NULL)) { _LOGD(NULL, "(" LOG_REQ_FMT ") system settings secrets sufficient", LOG_REQ_ARG(req)); /* Got everything, we're done */ From 16c0be1ada2221fc48ca693da937c1586dfd2014 Mon Sep 17 00:00:00 2001 From: Thomas Haller Date: Tue, 25 Oct 2022 08:41:18 +0200 Subject: [PATCH 3/3] style: various minor adjustments --- src/core/settings/nm-agent-manager.c | 2 +- src/libnm-core-impl/nm-setting-8021x.c | 5 +++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/src/core/settings/nm-agent-manager.c b/src/core/settings/nm-agent-manager.c index 6f9268b435..0a12064936 100644 --- a/src/core/settings/nm-agent-manager.c +++ b/src/core/settings/nm-agent-manager.c @@ -1175,7 +1175,7 @@ _con_get_try_complete_early(Request *req) || (NM_FLAGS_HAS(req->con.get.flags, NM_SECRET_AGENT_GET_SECRETS_FLAG_REQUEST_NEW) && !nm_connection_need_secrets_for_rerequest(tmp)) || (!NM_FLAGS_HAS(req->con.get.flags, NM_SECRET_AGENT_GET_SECRETS_FLAG_REQUEST_NEW) - && nm_connection_need_secrets(tmp, NULL) == NULL)) { + && !nm_connection_need_secrets(tmp, NULL))) { _LOGD(NULL, "(" LOG_REQ_FMT ") system settings secrets sufficient", LOG_REQ_ARG(req)); /* Got everything, we're done */ diff --git a/src/libnm-core-impl/nm-setting-8021x.c b/src/libnm-core-impl/nm-setting-8021x.c index 05917c286d..be1ee41c56 100644 --- a/src/libnm-core-impl/nm-setting-8021x.c +++ b/src/libnm-core-impl/nm-setting-8021x.c @@ -2536,11 +2536,12 @@ need_secrets_tls(NMSetting8021x *self, gboolean phase2, gboolean check_rerequest) { - // If check_rerequest is TRUE do not return secrets, unless missing. - // This secret cannot be wrong. NMSetting8021xPrivate *priv = NM_SETTING_802_1X_GET_PRIVATE(self); NMSetting8021xCKScheme scheme; + /* If check_rerequest is TRUE do not return secrets, unless missing. + * This secret cannot be wrong. */ + if (!NM_FLAGS_HAS(phase2 ? priv->phase2_private_key_password_flags : priv->private_key_password_flags, NM_SETTING_SECRET_FLAG_NOT_REQUIRED)) {