libnm/wifi: rework NMSetting8021xAuthFlags to explicitly disable TLS version

The wpa_supplicant API supports enabling/disabling each TLS version
individually, or leaving it at the default. Currently, the default
means to enable a TLS version; thus, the only meaningful option
for the moment is to explicitly disable it.

In the future, supplicant may disable options by default, and
the inverse option can become interesting to configure
"tls_disable_tlsv1_0=0". When that happens, we can solve it by
adding another flag NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_0_ENABLE.

Change the previous behavior of the NMSetting8021xAuthFlags.
Previously, when not specifying TLS_DISABLE_DEFAULT, all
options were unspecified. On the other hand, when specifying
a single TLS disable flag, all versions were explicitly enabled
or disabled.

Instead, change the meaning of the disable flags. When present,
it explicitly disables an option. But it does not explicitly enable
it.
This commit is contained in:
Thomas Haller
2017-02-17 15:19:42 +01:00
parent 8ce60a302a
commit 2a11c57c4e
3 changed files with 25 additions and 39 deletions


@@ -3262,12 +3262,11 @@ verify (NMSetting *setting, NMConnection *connection, GError **error)
return FALSE; return FALSE;
} }
if (NM_FLAGS_ANY (priv->phase1_auth_flags, NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_DEFAULT) && if (NM_FLAGS_ANY (priv->phase1_auth_flags, ~NM_SETTING_802_1X_AUTH_FLAGS_ALL)) {
!nm_utils_is_power_of_two (priv->phase1_auth_flags)) {
g_set_error_literal (error, g_set_error_literal (error,
NM_CONNECTION_ERROR, NM_CONNECTION_ERROR,
NM_CONNECTION_ERROR_INVALID_PROPERTY, NM_CONNECTION_ERROR_INVALID_PROPERTY,
_("exclusive flags are used")); _("invalid auth flags"));
g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_PHASE1_AUTH_FLAGS); g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_PHASE1_AUTH_FLAGS);
return FALSE; return FALSE;
} }
@@ -4144,20 +4143,17 @@ nm_setting_802_1x_class_init (NMSetting8021xClass *setting_class)
* *
* Specifies authentication flags to use in "phase 1" outer * Specifies authentication flags to use in "phase 1" outer
* authentication using #NMSetting8021xAuthFlags options. * authentication using #NMSetting8021xAuthFlags options.
* May be any combination of %NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_1_0, * The invidual TLS versions can be explicitly disabled. If a certain
* %NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_1_1, * TLS disable flag is not set, it is up to the supplicant to allow
* %NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_1_2 or the special values * or forbid it. The TLS options map to tls_disable_tlsv1_x settings.
* %NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_DEFAULT (to use default settings) * See the wpa_supplicant documentation for more details.
* and %NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_NONE (to forcefully
* enable use of all TLS versions). See the wpa_supplicant documentation for
* more details.
* *
* Since: 1.8 * Since: 1.8
*/ */
g_object_class_install_property g_object_class_install_property
(object_class, PROP_PHASE1_AUTH_FLAGS, (object_class, PROP_PHASE1_AUTH_FLAGS,
g_param_spec_uint (NM_SETTING_802_1X_PHASE1_AUTH_FLAGS, "", "", g_param_spec_uint (NM_SETTING_802_1X_PHASE1_AUTH_FLAGS, "", "",
0, G_MAXUINT32, NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_DEFAULT, 0, G_MAXUINT32, NM_SETTING_802_1X_AUTH_FLAGS_NONE,
G_PARAM_CONSTRUCT | G_PARAM_CONSTRUCT |
G_PARAM_READWRITE | G_PARAM_READWRITE |
G_PARAM_STATIC_STRINGS)); G_PARAM_STATIC_STRINGS));
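Review bot: The new property documentation in the second hunk misspells "individual" (`* The invidual TLS versions can be explicitly disabled. If a certain`); it should read `* The individual TLS versions can be explicitly disabled. If a certain`, since this comment is extracted into the public API reference. In the first hunk, rejecting any bit outside NM_SETTING_802_1X_AUTH_FLAGS_ALL rather than ignoring it is the right choice for a setting that governs which TLS versions stay enabled, but the intent deserves a one-line comment above the check, e.g. `/* reject unknown flag bits rather than ignoring them: a flag we cannot interpret must not silently leave a TLS version enabled */`. The enclosing verify() starts and ends outside the hunk.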


@@ -77,28 +77,25 @@ typedef enum { /*< underscore_name=nm_setting_802_1x_ck_scheme >*/
/** /**
* NMSetting8021xAuthFlags * NMSetting8021xAuthFlags
* @NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_NONE: Enable all TLS versions * @NM_SETTING_802_1X_AUTH_FLAGS_NONE: No flags
* @NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_1_0: Disable TLSv1.0 * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_0_DISABLE: Disable TLSv1.0
* @NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_1_1: Disable TLSv1.1 * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_1_DISABLE: Disable TLSv1.1
* @NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_1_2: Disable TLSv1.2 * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_2_DISABLE: Disable TLSv1.2
* @NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_ALL: Disable all TLS versions * @NM_SETTING_802_1X_AUTH_FLAGS_ALL: All supported flags
* @NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_DEFAULT: Use default value
* *
* #NMSetting8021xAuthFlags values indicate which authentication settings * #NMSetting8021xAuthFlags values indicate which authentication settings
* should be used * should be used.
* *
* Since: 1.8 * Since: 1.8
*/ */
typedef enum { /*< underscore_name=nm_setting_802_1x_auth_flags >*/ typedef enum { /*< underscore_name=nm_setting_802_1x_auth_flags >*/
NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_NONE = 0, NM_SETTING_802_1X_AUTH_FLAGS_NONE = 0,
NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_1_0 = (1 << 1), NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_0_DISABLE = (1 << 0),
NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_1_1 = (1 << 2), NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_1_DISABLE = (1 << 1),
NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_1_2 = (1 << 3), NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_2_DISABLE = (1 << 2),
_NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_LAST, /*< skip >*/ _NM_SETTING_802_1X_AUTH_FLAGS_LAST, /*< skip >*/
NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_ALL = (((_NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_LAST - 1) << 1) - 1) - (1 << 0 /* DEFAULT */), /*< skip >*/ NM_SETTING_802_1X_AUTH_FLAGS_ALL = (((_NM_SETTING_802_1X_AUTH_FLAGS_LAST - 1) << 1) - 1),
NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_DEFAULT = (1 << 0),
} NMSetting8021xAuthFlags; } NMSetting8021xAuthFlags;
#define NM_TYPE_SETTING_802_1X (nm_setting_802_1x_get_type ()) #define NM_TYPE_SETTING_802_1X (nm_setting_802_1x_get_type ())
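Review bot: Bit 0 changes meaning in this hunk: it was NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_DEFAULT and is now NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_0_DISABLE, and the remaining disable flags each shift down by one bit. A phase1-auth-flags value written by a build of this series before the commit would therefore be reinterpreted on read (a stored 1, formerly "use defaults", now disables TLSv1.0; a stored 2, formerly "disable TLSv1.0", now disables TLSv1.1). Presumably this is acceptable because the enum is marked "Since: 1.8" and appears not to have shipped in a release yet, but the renumbering is worth stating in the enum comment so nobody later assumes the bit layout was stable, e.g. `* The bit layout is not compatible with pre-release builds that used bit 0 as TLS_DISABLE_DEFAULT.`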


@@ -984,19 +984,12 @@ nm_supplicant_config_add_setting_8021x (NMSupplicantConfig *self,
} }
phase1_auth_flags = nm_setting_802_1x_get_phase1_auth_flags (setting); phase1_auth_flags = nm_setting_802_1x_get_phase1_auth_flags (setting);
if (phase1_auth_flags != NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_DEFAULT) { if (NM_FLAGS_HAS (phase1_auth_flags, NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_0_DISABLE))
if (phase1->len) g_string_append_printf (phase1, "%stls_disable_tlsv1_0=1", (phase1->len ? " " : ""));
g_string_append_c (phase1, ' '); if (NM_FLAGS_HAS (phase1_auth_flags, NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_1_DISABLE))
g_string_append_printf (phase1, "tls_disable_tlsv1_0=%d", g_string_append_printf (phase1, "%stls_disable_tlsv1_1=1", (phase1->len ? " " : ""));
(NM_FLAGS_HAS (phase1_auth_flags, if (NM_FLAGS_HAS (phase1_auth_flags, NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_2_DISABLE))
NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_1_0)) ? 1 : 0); g_string_append_printf (phase1, "%stls_disable_tlsv1_2=1", (phase1->len ? " " : ""));
g_string_append_printf (phase1, " tls_disable_tlsv1_1=%d",
(NM_FLAGS_HAS (phase1_auth_flags,
NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_1_1)) ? 1 : 0);
g_string_append_printf (phase1, " tls_disable_tlsv1_2=%d",
(NM_FLAGS_HAS (phase1_auth_flags,
NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_1_2)) ? 1 : 0);
}
if (phase1->len) { if (phase1->len) {
if (!add_string_val (self, phase1->str, "phase1", FALSE, NULL, error)) { if (!add_string_val (self, phase1->str, "phase1", FALSE, NULL, error)) {
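Review bot: The three new NM_FLAGS_HAS branches repeat the same separator logic (`phase1->len ? " " : ""`) and the same append call with only the flag and the option name varying, which invites a copy-paste slip the next time a version is added (the commit message already anticipates further flags). A small static table of flag/option pairs iterated in one loop keeps the flag-to-option mapping in a single place where it can be checked at a glance; the loop index would be declared with the function's other locals, which lie outside the hunk. The behaviour of emitting nothing when no disable flag is set, leaving the choice to the supplicant, is unchanged by this restructuring. The enclosing nm_supplicant_config_add_setting_8021x() starts and ends outside the hunk.
```c
	phase1_auth_flags = nm_setting_802_1x_get_phase1_auth_flags (setting);
	/* one entry per TLS version that can be explicitly disabled; the
	 * option is only emitted when its flag is set, otherwise the
	 * supplicant default applies */
	static const struct {
		NMSetting8021xAuthFlags flag;
		const char *option;
	} tls_disable_opts[] = {
		{ NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_0_DISABLE, "tls_disable_tlsv1_0=1" },
		{ NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_1_DISABLE, "tls_disable_tlsv1_1=1" },
		{ NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_2_DISABLE, "tls_disable_tlsv1_2=1" },
	};
	for (i = 0; i < G_N_ELEMENTS (tls_disable_opts); i++) {
		if (NM_FLAGS_HAS (phase1_auth_flags, tls_disable_opts[i].flag))
			g_string_append_printf (phase1, "%s%s", phase1->len ? " " : "", tls_disable_opts[i].option);
	}
	/* … unchanged: emission of phase1 via add_string_val … */
```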