colin/NetworkManager
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

libnm-core: add domain-suffix-match properties to NMSetting8021x

Browse Source 
The new domain-suffix-match and phase2-domain-suffix-match properties
can be used to match against a given server domain suffix in the
dNSName elements or in the SubjectName CN of the server certificate.

Also, add a comment to the old subject-match properties documentation
to suggest that they are deprecated and should not be used anymore.
This commit is contained in:
Beniamino Galvani
2016-03-03 22:42:35 +01:00
parent c1383371cc
commit 64b76ba906
3 changed files with 103 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

97
libnm-core/nm-setting-8021x.c
View File

@@ -80,6 +80,7 @@ typedef struct {
char *ca_path; char *ca_path;
char *subject_match; char *subject_match;
GSList *altsubject_matches; GSList *altsubject_matches;
char *domain_suffix_match;
GBytes *client_cert; GBytes *client_cert;
char *phase1_peapver; char *phase1_peapver;
char *phase1_peaplabel; char *phase1_peaplabel;
@@ -90,6 +91,7 @@ typedef struct {
char *phase2_ca_path; char *phase2_ca_path;
char *phase2_subject_match; char *phase2_subject_match;
GSList *phase2_altsubject_matches; GSList *phase2_altsubject_matches;
char *phase2_domain_suffix_match;
GBytes *phase2_client_cert; GBytes *phase2_client_cert;
char *password; char *password;
NMSettingSecretFlags password_flags; NMSettingSecretFlags password_flags;
@@ -116,6 +118,7 @@ enum {
PROP_CA_PATH, PROP_CA_PATH,
PROP_SUBJECT_MATCH, PROP_SUBJECT_MATCH,
PROP_ALTSUBJECT_MATCHES, PROP_ALTSUBJECT_MATCHES,
PROP_DOMAIN_SUFFIX_MATCH,
PROP_CLIENT_CERT, PROP_CLIENT_CERT,
PROP_PHASE1_PEAPVER, PROP_PHASE1_PEAPVER,
PROP_PHASE1_PEAPLABEL, PROP_PHASE1_PEAPLABEL,
@@ -126,6 +129,7 @@ enum {
PROP_PHASE2_CA_PATH, PROP_PHASE2_CA_PATH,
PROP_PHASE2_SUBJECT_MATCH, PROP_PHASE2_SUBJECT_MATCH,
PROP_PHASE2_ALTSUBJECT_MATCHES, PROP_PHASE2_ALTSUBJECT_MATCHES,
PROP_PHASE2_DOMAIN_SUFFIX_MATCH,
PROP_PHASE2_CLIENT_CERT, PROP_PHASE2_CLIENT_CERT,
PROP_PASSWORD, PROP_PASSWORD,
PROP_PASSWORD_FLAGS, PROP_PASSWORD_FLAGS,
@@ -849,6 +853,22 @@ nm_setting_802_1x_clear_altsubject_matches (NMSetting8021x *setting)
g_object_notify (G_OBJECT (setting), NM_SETTING_802_1X_ALTSUBJECT_MATCHES); g_object_notify (G_OBJECT (setting), NM_SETTING_802_1X_ALTSUBJECT_MATCHES);
} }
/**
* nm_setting_802_1x_get_domain_suffix_match:
* @setting: the #NMSetting8021x
*
* Returns: the #NMSetting8021x:domain-suffix-match property.
*
* Since: 1.2
**/
const char *
nm_setting_802_1x_get_domain_suffix_match (NMSetting8021x *setting)
{
g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
return NM_SETTING_802_1X_GET_PRIVATE (setting)->domain_suffix_match;
}
/** /**
* nm_setting_802_1x_get_client_cert_scheme: * nm_setting_802_1x_get_client_cert_scheme:
* @setting: the #NMSetting8021x * @setting: the #NMSetting8021x
@@ -1298,6 +1318,22 @@ nm_setting_802_1x_get_num_phase2_altsubject_matches (NMSetting8021x *setting)
return g_slist_length (NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_altsubject_matches); return g_slist_length (NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_altsubject_matches);
} }
/**
* nm_setting_802_1x_get_phase2_domain_suffix_match:
* @setting: the #NMSetting8021x
*
* Returns: the #NMSetting8021x:phase2-domain-suffix-match property.
*
* Since: 1.2
**/
const char *
nm_setting_802_1x_get_phase2_domain_suffix_match (NMSetting8021x *setting)
{
g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_domain_suffix_match;
}
/** /**
* nm_setting_802_1x_get_phase2_altsubject_match: * nm_setting_802_1x_get_phase2_altsubject_match:
* @setting: the #NMSettingConnection * @setting: the #NMSettingConnection
@@ -2827,6 +2863,7 @@ finalize (GObject *object)
g_free (priv->anonymous_identity); g_free (priv->anonymous_identity);
g_free (priv->ca_path); g_free (priv->ca_path);
g_free (priv->subject_match); g_free (priv->subject_match);
g_free (priv->domain_suffix_match);
g_free (priv->phase1_peapver); g_free (priv->phase1_peapver);
g_free (priv->phase1_peaplabel); g_free (priv->phase1_peaplabel);
g_free (priv->phase1_fast_provisioning); g_free (priv->phase1_fast_provisioning);
@@ -2834,6 +2871,7 @@ finalize (GObject *object)
g_free (priv->phase2_autheap); g_free (priv->phase2_autheap);
g_free (priv->phase2_ca_path); g_free (priv->phase2_ca_path);
g_free (priv->phase2_subject_match); g_free (priv->phase2_subject_match);
g_free (priv->phase2_domain_suffix_match);
g_free (priv->password); g_free (priv->password);
if (priv->password_raw) if (priv->password_raw)
g_bytes_unref (priv->password_raw); g_bytes_unref (priv->password_raw);
@@ -2923,6 +2961,10 @@ set_property (GObject *object, guint prop_id,
g_slist_free_full (priv->altsubject_matches, g_free); g_slist_free_full (priv->altsubject_matches, g_free);
priv->altsubject_matches = _nm_utils_strv_to_slist (g_value_get_boxed (value), TRUE); priv->altsubject_matches = _nm_utils_strv_to_slist (g_value_get_boxed (value), TRUE);
break; break;
case PROP_DOMAIN_SUFFIX_MATCH:
g_free (priv->domain_suffix_match);
priv->domain_suffix_match = g_value_dup_string (value);
break;
case PROP_CLIENT_CERT: case PROP_CLIENT_CERT:
if (priv->client_cert) if (priv->client_cert)
g_bytes_unref (priv->client_cert); g_bytes_unref (priv->client_cert);
@@ -2973,6 +3015,10 @@ set_property (GObject *object, guint prop_id,
g_slist_free_full (priv->phase2_altsubject_matches, g_free); g_slist_free_full (priv->phase2_altsubject_matches, g_free);
priv->phase2_altsubject_matches = _nm_utils_strv_to_slist (g_value_get_boxed (value), TRUE); priv->phase2_altsubject_matches = _nm_utils_strv_to_slist (g_value_get_boxed (value), TRUE);
break; break;
case PROP_PHASE2_DOMAIN_SUFFIX_MATCH:
g_free (priv->phase2_domain_suffix_match);
priv->phase2_domain_suffix_match = g_value_dup_string (value);
break;
case PROP_PHASE2_CLIENT_CERT: case PROP_PHASE2_CLIENT_CERT:
if (priv->phase2_client_cert) if (priv->phase2_client_cert)
g_bytes_unref (priv->phase2_client_cert); g_bytes_unref (priv->phase2_client_cert);
@@ -3077,6 +3123,9 @@ get_property (GObject *object, guint prop_id,
case PROP_ALTSUBJECT_MATCHES: case PROP_ALTSUBJECT_MATCHES:
g_value_take_boxed (value, _nm_utils_slist_to_strv (priv->altsubject_matches, TRUE)); g_value_take_boxed (value, _nm_utils_slist_to_strv (priv->altsubject_matches, TRUE));
break; break;
case PROP_DOMAIN_SUFFIX_MATCH:
g_value_set_string (value, priv->domain_suffix_match);
break;
case PROP_CLIENT_CERT: case PROP_CLIENT_CERT:
g_value_set_boxed (value, priv->client_cert); g_value_set_boxed (value, priv->client_cert);
break; break;
@@ -3107,6 +3156,9 @@ get_property (GObject *object, guint prop_id,
case PROP_PHASE2_ALTSUBJECT_MATCHES: case PROP_PHASE2_ALTSUBJECT_MATCHES:
g_value_take_boxed (value, _nm_utils_slist_to_strv (priv->phase2_altsubject_matches, TRUE)); g_value_take_boxed (value, _nm_utils_slist_to_strv (priv->phase2_altsubject_matches, TRUE));
break; break;
case PROP_PHASE2_DOMAIN_SUFFIX_MATCH:
g_value_set_string (value, priv->phase2_domain_suffix_match);
break;
case PROP_PHASE2_CLIENT_CERT: case PROP_PHASE2_CLIENT_CERT:
g_value_set_boxed (value, priv->phase2_client_cert); g_value_set_boxed (value, priv->phase2_client_cert);
break; break;
@@ -3313,7 +3365,9 @@ nm_setting_802_1x_class_init (NMSetting8021xClass *setting_class)
* *
* Substring to be matched against the subject of the certificate presented * Substring to be matched against the subject of the certificate presented
* by the authentication server. When unset, no verification of the * by the authentication server. When unset, no verification of the
* authentication server certificate's subject is performed. * authentication server certificate's subject is performed. This property
* provides little security, if any, and its use is deprecated in favor of
* NMSetting8021x:domain-suffix-match.
**/ **/
/* ---ifcfg-rh--- /* ---ifcfg-rh---
* property: subject-match * property: subject-match
@@ -3350,6 +3404,24 @@ nm_setting_802_1x_class_init (NMSetting8021xClass *setting_class)
G_PARAM_READWRITE | G_PARAM_READWRITE |
G_PARAM_STATIC_STRINGS)); G_PARAM_STATIC_STRINGS));
/**
* NMSetting8021x:domain-suffix-match:
*
* Constraint for server domain name. If set, this FQDN is used as a suffix
* match requirement for dNSName element(s) of the certificate presented by
* the authentication server. If a matching dNSName is found, this
* constraint is met. If no dNSName values are present, this constraint is
* matched against SubjectName CN using same suffix match comparison.
*
* Since: 1.2
**/
g_object_class_install_property
(object_class, PROP_DOMAIN_SUFFIX_MATCH,
g_param_spec_string (NM_SETTING_802_1X_DOMAIN_SUFFIX_MATCH, "", "",
NULL,
G_PARAM_READWRITE |
G_PARAM_STATIC_STRINGS));
/** /**
* NMSetting8021x:client-cert: * NMSetting8021x:client-cert:
* *
@@ -3550,7 +3622,9 @@ nm_setting_802_1x_class_init (NMSetting8021xClass *setting_class)
* Substring to be matched against the subject of the certificate presented * Substring to be matched against the subject of the certificate presented
* by the authentication server during the inner "phase 2" * by the authentication server during the inner "phase 2"
* authentication. When unset, no verification of the authentication server * authentication. When unset, no verification of the authentication server
* certificate's subject is performed. * certificate's subject is performed. This property provides little security,
* if any, and its use is deprecated in favor of
* NMSetting8021x:phase2-domain-suffix-match.
**/ **/
/* ---ifcfg-rh--- /* ---ifcfg-rh---
* property: phase2-subject-match * property: phase2-subject-match
@@ -3586,6 +3660,25 @@ nm_setting_802_1x_class_init (NMSetting8021xClass *setting_class)
G_PARAM_READWRITE | G_PARAM_READWRITE |
G_PARAM_STATIC_STRINGS)); G_PARAM_STATIC_STRINGS));
/**
* NMSetting8021x:phase2-domain-suffix-match:
*
* Constraint for server domain name. If set, this FQDN is used as a suffix
* match requirement for dNSName element(s) of the certificate presented by
* the authentication server during the inner "phase 2" authentication. If
* a matching dNSName is found, this constraint is met. If no dNSName
* values are present, this constraint is matched against SubjectName CN
* using same suffix match comparison.
*
* Since: 1.2
**/
g_object_class_install_property
(object_class, PROP_PHASE2_DOMAIN_SUFFIX_MATCH,
g_param_spec_string (NM_SETTING_802_1X_PHASE2_DOMAIN_SUFFIX_MATCH, "", "",
NULL,
G_PARAM_READWRITE |
G_PARAM_STATIC_STRINGS));
/** /**
* NMSetting8021x:phase2-client-cert: * NMSetting8021x:phase2-client-cert:
* *

6
libnm-core/nm-setting-8021x.h
View File

@@ -89,6 +89,7 @@ typedef enum { /*< underscore_name=nm_setting_802_1x_ck_scheme >*/
#define NM_SETTING_802_1X_CA_PATH "ca-path" #define NM_SETTING_802_1X_CA_PATH "ca-path"
#define NM_SETTING_802_1X_SUBJECT_MATCH "subject-match" #define NM_SETTING_802_1X_SUBJECT_MATCH "subject-match"
#define NM_SETTING_802_1X_ALTSUBJECT_MATCHES "altsubject-matches" #define NM_SETTING_802_1X_ALTSUBJECT_MATCHES "altsubject-matches"
#define NM_SETTING_802_1X_DOMAIN_SUFFIX_MATCH "domain-suffix-match"
#define NM_SETTING_802_1X_CLIENT_CERT "client-cert" #define NM_SETTING_802_1X_CLIENT_CERT "client-cert"
#define NM_SETTING_802_1X_PHASE1_PEAPVER "phase1-peapver" #define NM_SETTING_802_1X_PHASE1_PEAPVER "phase1-peapver"
#define NM_SETTING_802_1X_PHASE1_PEAPLABEL "phase1-peaplabel" #define NM_SETTING_802_1X_PHASE1_PEAPLABEL "phase1-peaplabel"
@@ -99,6 +100,7 @@ typedef enum { /*< underscore_name=nm_setting_802_1x_ck_scheme >*/
#define NM_SETTING_802_1X_PHASE2_CA_PATH "phase2-ca-path" #define NM_SETTING_802_1X_PHASE2_CA_PATH "phase2-ca-path"
#define NM_SETTING_802_1X_PHASE2_SUBJECT_MATCH "phase2-subject-match" #define NM_SETTING_802_1X_PHASE2_SUBJECT_MATCH "phase2-subject-match"
#define NM_SETTING_802_1X_PHASE2_ALTSUBJECT_MATCHES "phase2-altsubject-matches" #define NM_SETTING_802_1X_PHASE2_ALTSUBJECT_MATCHES "phase2-altsubject-matches"
#define NM_SETTING_802_1X_PHASE2_DOMAIN_SUFFIX_MATCH "phase2-domain-suffix-match"
#define NM_SETTING_802_1X_PHASE2_CLIENT_CERT "phase2-client-cert" #define NM_SETTING_802_1X_PHASE2_CLIENT_CERT "phase2-client-cert"
#define NM_SETTING_802_1X_PASSWORD "password" #define NM_SETTING_802_1X_PASSWORD "password"
#define NM_SETTING_802_1X_PASSWORD_FLAGS "password-flags" #define NM_SETTING_802_1X_PASSWORD_FLAGS "password-flags"
@@ -190,6 +192,8 @@ void nm_setting_802_1x_remove_altsubject_match (NMSetting8
gboolean nm_setting_802_1x_remove_altsubject_match_by_value (NMSetting8021x *setting, gboolean nm_setting_802_1x_remove_altsubject_match_by_value (NMSetting8021x *setting,
const char *altsubject_match); const char *altsubject_match);
void nm_setting_802_1x_clear_altsubject_matches (NMSetting8021x *setting); void nm_setting_802_1x_clear_altsubject_matches (NMSetting8021x *setting);
NM_AVAILABLE_IN_1_2
const char * nm_setting_802_1x_get_domain_suffix_match (NMSetting8021x *setting);
NMSetting8021xCKScheme nm_setting_802_1x_get_client_cert_scheme (NMSetting8021x *setting); NMSetting8021xCKScheme nm_setting_802_1x_get_client_cert_scheme (NMSetting8021x *setting);
GBytes * nm_setting_802_1x_get_client_cert_blob (NMSetting8021x *setting); GBytes * nm_setting_802_1x_get_client_cert_blob (NMSetting8021x *setting);
@@ -231,6 +235,8 @@ void nm_setting_802_1x_remove_phase2_altsubject_match (NMS
gboolean nm_setting_802_1x_remove_phase2_altsubject_match_by_value (NMSetting8021x *setting, gboolean nm_setting_802_1x_remove_phase2_altsubject_match_by_value (NMSetting8021x *setting,
const char *phase2_altsubject_match); const char *phase2_altsubject_match);
void nm_setting_802_1x_clear_phase2_altsubject_matches (NMSetting8021x *setting); void nm_setting_802_1x_clear_phase2_altsubject_matches (NMSetting8021x *setting);
NM_AVAILABLE_IN_1_2
const char * nm_setting_802_1x_get_phase2_domain_suffix_match (NMSetting8021x *setting);
NMSetting8021xCKScheme nm_setting_802_1x_get_phase2_client_cert_scheme (NMSetting8021x *setting); NMSetting8021xCKScheme nm_setting_802_1x_get_phase2_client_cert_scheme (NMSetting8021x *setting);
GBytes * nm_setting_802_1x_get_phase2_client_cert_blob (NMSetting8021x *setting); GBytes * nm_setting_802_1x_get_phase2_client_cert_blob (NMSetting8021x *setting);

2
libnm/libnm.ver
View File

@@ -942,6 +942,8 @@ global:
nm_lldp_neighbor_unref; nm_lldp_neighbor_unref;
nm_metered_get_type; nm_metered_get_type;
nm_setting_802_1x_check_cert_scheme; nm_setting_802_1x_check_cert_scheme;
nm_setting_802_1x_get_domain_suffix_match;
nm_setting_802_1x_get_phase2_domain_suffix_match;
nm_setting_bridge_get_multicast_snooping; nm_setting_bridge_get_multicast_snooping;
nm_setting_connection_autoconnect_slaves_get_type; nm_setting_connection_autoconnect_slaves_get_type;
nm_setting_connection_get_autoconnect_slaves; nm_setting_connection_get_autoconnect_slaves;