File 73-auth-dialog_encrypted-key-file.patch of Package NetworkManager-openvpn

From 49c11dd21930cc7fe3f4aac5842d188a472493c7 Mon Sep 17 00:00:00 2001
From: Martin Wilck <mwilck@suse.com>
Date: Thu, 25 Jan 2024 16:50:14 +0100
Subject: [PATCH] auth-dialog: assume encrypted key file if the file can't be
 read

For openvpn with TLS and password, get_passwords_required() checks
if the key file is encrypted. If the key file can't be opened
(e.g. because it's owned by root with permissions 0600),
is_encrypted() returns FALSE. The user will not be asked for
a certificate password in this case, and left clueless about the
reason.

If the keyfile is not readable, print an error message and assume
that the password is required. While the error message will only be observed
by nmcli users, this will allow users with encrypted keys to activate
their connection. Users with unencrypted keys can just enter anything
into the 2nd password prompt and will still be able to connect. Such
users might be confused, but this is better than not being able to
connect at all.
---
 auth-dialog/main.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/auth-dialog/main.c b/auth-dialog/main.c
index 459802a8..31adf988 100644
--- a/auth-dialog/main.c
+++ b/auth-dialog/main.c
@@ -415,8 +415,14 @@ get_passwords_required (GHashTable *data,
 
 		/* Encrypted private key password */
 		val = g_hash_table_lookup (data, NM_OPENVPN_KEY_KEY);
-		if (val)
-			*out_need_certpass = is_encrypted (val);
+		if (val) {
+			if (access (val, R_OK) == 0)
+				*out_need_certpass = is_encrypted (val);
+			else {
+				fprintf (stderr, "WARNING: unable to open key file %s - missing permissions?\n", val);
+				*out_need_certpass = TRUE;
+			}
+		}
 	} else if (!strcmp (ctype, NM_OPENVPN_CONTYPE_PASSWORD)) {
 		flags = NM_SETTING_SECRET_FLAG_NONE;
 		nm_vpn_service_plugin_get_secret_flags (data, NM_OPENVPN_KEY_PASSWORD, &flags);
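Review bot: The added `access (val, R_OK)` test is a separate check from the read that `is_encrypted (val)` performs, so the two can disagree. If `is_encrypted()` still returns FALSE when it cannot open the file (its body is not in this hunk, but the commit message describes it that way), a file that passes `access()` and then fails to open silently skips the password prompt again. It would be more robust to have `is_encrypted()` report the open failure itself and set `*out_need_certpass = TRUE` from that single result. The warning also guesses at permissions when the failure may be a missing path or another error, so it should print the real cause, e.g. `fprintf (stderr, "WARNING: unable to read key file %s: %s\n", val, g_strerror (errno));`, provided `<errno.h>` and `<unistd.h>` are included (the include block is not visible here). `get_passwords_required()` starts and ends outside the hunk.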
-- 
GitLab
