From 699492c1a5509083aa87e770cc1df7de1a52f1ed Mon Sep 17 00:00:00 2001
From: Beniamino Galvani
Date: Tue, 27 Jun 2017 10:11:36 +0200
Subject: [PATCH] libnm-core: 8021x: fix check on private key password Commit df0dc912cc6d ("8021x: don't request secrets if they are empty and system owned") changed need_private_key_password() to return FALSE when flags are NONE. This broke authentication using an encrypted private key because after this the key password is never added to the applied connection. Don't require a password with NONE flags only for the PKCS11 scheme.
Fixes: df0dc912cc6d9252759fb6de22f7607324c7ae0e
---
 libnm-core/nm-setting-8021x.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/libnm-core/nm-setting-8021x.c b/libnm-core/nm-setting-8021x.c
index 0050a7420b..31a72fe17f 100644
--- a/libnm-core/nm-setting-8021x.c
+++ b/libnm-core/nm-setting-8021x.c
@@ -2772,13 +2772,18 @@ need_secrets_sim (NMSetting8021x *self,
 static gboolean
 need_private_key_password (GBytes *blob,
+ NMSetting8021xCKScheme scheme,
 const char *path,
 const char *password,
 NMSettingSecretFlags flags)
 {
 NMCryptoFileFormat format = NM_CRYPTO_FILE_FORMAT_UNKNOWN;
- if (flags == NM_SETTING_SECRET_FLAG_NONE || flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
+ if (flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
+ return FALSE;
+
+ if ( scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11
+ && flags == NM_SETTING_SECRET_FLAG_NONE)
 return FALSE;
 /* Private key password is required */
@@ -2815,7 +2820,7 @@ need_secrets_tls (NMSetting8021x *self,
 else if (scheme != NM_SETTING_802_1X_CK_SCHEME_PKCS11)
 g_warning ("%s: unknown phase2 private key scheme %d", __func__, scheme);
- if (need_private_key_password (blob, path,
+ if (need_private_key_password (blob, scheme, path,
 priv->phase2_private_key_password,
 priv->phase2_private_key_password_flags))
 g_ptr_array_add (secrets, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD);
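Review bot: The new PKCS11 exception in need_private_key_password() carries no comment saying why that scheme alone may skip the password when flags are NONE, and the unconditional form of this same check is what broke encrypted-key authentication. I would put a comment above the second `if`, for example `/* PKCS#11: flags NONE is taken to mean the token needs no PIN; path and blob keys still have their password checked below */`, assuming that is the intent carried over from df0dc912cc6d. The rest of the function lies outside the hunk, so I cannot confirm how an unrecognised scheme, which the callers in need_secrets_tls() only warn about, behaves now that it falls through to the password check with NONE flags. The diffstat shows a single file changed, so a regression test covering an encrypted key with NONE flags for both the PKCS11 and non-PKCS11 schemes would be worth adding with this fix.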
@@ -2842,7 +2847,7 @@ need_secrets_tls (NMSetting8021x *self,
 else if (scheme != NM_SETTING_802_1X_CK_SCHEME_PKCS11)
 g_warning ("%s: unknown private key scheme %d", __func__, scheme);
- if (need_private_key_password (blob, path,
+ if (need_private_key_password (blob, scheme, path,
 priv->private_key_password,
 priv->private_key_password_flags))
 g_ptr_array_add (secrets, NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD);