8021x: request PINs for PKCS#11 certs unless explicitly not-required

Commit df0dc912cc ('8021x: don't request secrets if they are empty
and system owned') changed the setting so that NM doesn't request the
PIN for PKCS#11 certificates and keys when the password property has
NM_SETTING_SECRET_FLAG_NONE. From the commit message:

    Empty secrets are fine. In particular, for PKCS#11 it means that
    protected authentication path is used (the secrets are obtained
    on-demand from the pinpad).

This change breaks the scenario in which PINs are stored in the
connection, as the setting indicates that no secrets are required, and
thus PINs are not sent to the supplicant.

If the PIN is entered through a pinpad, users should set the secret
flags to 'not-required'.

This reverts commit df0dc912cc ('8021x: don't request secrets if
they are empty and system owned').

https://bugzilla.redhat.com/show_bug.cgi?id=1992829
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/965
This commit is contained in:
Beniamino Galvani 2021-08-19 17:06:46 +02:00
parent c8d80f332d
commit bbb7eb1767


@ -2532,9 +2532,6 @@ need_private_key_password(GBytes * blob,
if (flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
return FALSE;
if (scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11 && flags == NM_SETTING_SECRET_FLAG_NONE)
return FALSE;
/* Private key password is required */
if (password) {
if (path)
@ -2578,15 +2575,13 @@ need_secrets_tls(NMSetting8021x *self, GPtrArray *secrets, gboolean phase2)
scheme = nm_setting_802_1x_get_phase2_ca_cert_scheme(self);
if (scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11
&& !(priv->phase2_ca_cert_password_flags == NM_SETTING_SECRET_FLAG_NONE
|| priv->phase2_ca_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
&& !(priv->phase2_ca_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
&& !priv->phase2_ca_cert_password)
g_ptr_array_add(secrets, NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD);
scheme = nm_setting_802_1x_get_phase2_client_cert_scheme(self);
if (scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11
&& !(priv->phase2_client_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED
|| priv->phase2_client_cert_password_flags == NM_SETTING_SECRET_FLAG_NONE)
&& !(priv->phase2_client_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
&& !priv->phase2_client_cert_password)
g_ptr_array_add(secrets, NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD);
} else {
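Review bot: The new conditions in need_secrets_tls (here and in the following hunk for the non-phase2 certificates) now request the PIN whenever the password flags are not 'not-required', including NM_SETTING_SECRET_FLAG_NONE, but nothing in the code records why the FLAG_NONE shortcut was dropped, so the next reader may well reintroduce it; a comment above the first check such as `/* PKCS#11 PINs are requested unless the flags say 'not-required'; a pinpad (protected authentication path) must be configured that way, since a stored PIN with FLAG_NONE still has to reach the supplicant. */` would preserve the rationale from the commit message. The same three-term test is also written out four times with only the field names changed, which is how the previous policy change had to touch every copy; a small static helper would leave one place to audit. need_secrets_tls starts before and ends after this hunk.
```c
/* Whether the PIN for a PKCS#11 certificate must be requested: only an
 * explicit 'not-required' flag (pinpad / protected authentication path)
 * or an already-present password suppresses the request. */
static gboolean
need_pkcs11_cert_password(NMSetting8021xCKScheme scheme,
                          NMSettingSecretFlags flags,
                          const char *password)
{
    return scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11
           && !(flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
           && !password;
}

/* … unchanged: scheme lookups in need_secrets_tls … */
if (need_pkcs11_cert_password(scheme, priv->phase2_ca_cert_password_flags, priv->phase2_ca_cert_password))
    g_ptr_array_add(secrets, NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD);
```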
@ -2607,15 +2602,13 @@ need_secrets_tls(NMSetting8021x *self, GPtrArray *secrets, gboolean phase2)
scheme = nm_setting_802_1x_get_ca_cert_scheme(self);
if (scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11
&& !(priv->ca_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED
|| priv->ca_cert_password_flags == NM_SETTING_SECRET_FLAG_NONE)
&& !(priv->ca_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
&& !priv->ca_cert_password)
g_ptr_array_add(secrets, NM_SETTING_802_1X_CA_CERT_PASSWORD);
scheme = nm_setting_802_1x_get_client_cert_scheme(self);
if (scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11
&& !(priv->client_cert_password_flags == NM_SETTING_SECRET_FLAG_NONE
|| priv->client_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
&& !(priv->client_cert_password_flags & NM_SETTING_SECRET_FLAG_NOT_REQUIRED)
&& !priv->client_cert_password)
g_ptr_array_add(secrets, NM_SETTING_802_1X_CLIENT_CERT_PASSWORD);
}