authorThomas Haller <thaller@redhat.com>2022-08-11 15:43:33 +0200
committerThomas Haller <thaller@redhat.com>2022-08-11 19:36:26 +0200
commit3117198f157835506eb1819937b01d68c9e36038 (patch)
tree5cffd5b912994ec1fc3571bee6df249083d81a15
parentc99503abc4ca75ef2b6332b818e2ea38b6662cf4 (diff)
Revert "wifi: support "802-1x.phase1-auth-flags=tls-allow-unsafe-renegotiation" flag"
There is still no agreement about how to name this option, or whether it should exist at all. Revert the addition of the flag. As the new release is coming up, drop the new API. https://bugzilla.redhat.com/show_bug.cgi?id=2072070#c64 https://bugzilla.redhat.com/show_bug.cgi?id=2077973#c24 http://lists.infradead.org/pipermail/hostap/2022-July/040665.html This reverts commit a5a4aea2e627214a3da3c6fdb2651d65a7182ea8.
-rw-r--r--NEWS2
-rw-r--r--src/core/supplicant/nm-supplicant-config.c3
-rw-r--r--src/libnm-core-impl/nm-setting-8021x.c4
-rw-r--r--src/libnm-core-public/nm-setting-8021x.h15
-rw-r--r--src/libnmc-setting/settings-docs.h.in2
-rw-r--r--src/nmcli/generate-docs-nm-settings-nmcli.xml.in2
6 files changed, 7 insertions, 21 deletions
diff --git a/NEWS b/NEWS
index c6ea88ac72..c88ad137f0 100644
--- a/NEWS
+++ b/NEWS
@@ -27,8 +27,6 @@ USE AT YOUR OWN RISK. NOT RECOMMENDED FOR PRODUCTION USE!
With MPTCP handling enabled, NetworkManager will relax a strict (1) rp_filter
to loose (2). Otherwise rp_filter is untouched by NetworkManager.
* NetworkManager expanded log messages for invalid DHCP options.
-* Support "802-1x.phase1-auth-flags=tls-allow-unsafe-renegotiation" flag
- for Wi-Fi.
* Fix the requirement of hardware address for DHCPv6, by dropping it.
* Increase the PMK lifetime for Wi-Fi connections using WPA-EAP.
* "nmcli networking off" now waits for deactivations to complete.
diff --git a/src/core/supplicant/nm-supplicant-config.c b/src/core/supplicant/nm-supplicant-config.c
index 7e089ecf93..22c422a2e5 100644
--- a/src/core/supplicant/nm-supplicant-config.c
+++ b/src/core/supplicant/nm-supplicant-config.c
@@ -1375,9 +1375,6 @@ nm_supplicant_config_add_setting_8021x(NMSupplicantConfig *self,
g_string_append_printf(phase1, "%stls_disable_tlsv1_1=1", (phase1->len ? " " : ""));
if (NM_FLAGS_HAS(phase1_auth_flags, NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_2_DISABLE))
g_string_append_printf(phase1, "%stls_disable_tlsv1_2=1", (phase1->len ? " " : ""));
- if (NM_FLAGS_HAS(phase1_auth_flags,
- NM_SETTING_802_1X_AUTH_FLAGS_TLS_ALLOW_UNSAFE_RENEGOTIATION))
- g_string_append_printf(phase1, "%sallow_unsafe_renegotiation=1", (phase1->len ? " " : ""));
if (phase1->len) {
if (!add_string_val(self, phase1->str, "phase1", FALSE, NULL, error)) {
diff --git a/src/libnm-core-impl/nm-setting-8021x.c b/src/libnm-core-impl/nm-setting-8021x.c
index deace5acaa..fd9a0961f5 100644
--- a/src/libnm-core-impl/nm-setting-8021x.c
+++ b/src/libnm-core-impl/nm-setting-8021x.c
@@ -3594,13 +3594,9 @@ nm_setting_802_1x_class_init(NMSetting8021xClass *klass)
*
* Specifies authentication flags to use in "phase 1" outer
* authentication using #NMSetting8021xAuthFlags options.
- *
* The individual TLS versions can be explicitly disabled. If a certain
* TLS disable flag is not set, it is up to the supplicant to allow
* or forbid it. The TLS options map to tls_disable_tlsv1_x settings.
- * It also allows to set "tls-allow-unsafe-renegotiation" to workaround
- * authentication servers that don't support RFC 5746 secure authentication.
- *
* See the wpa_supplicant documentation for more details.
*
* Since: 1.8
diff --git a/src/libnm-core-public/nm-setting-8021x.h b/src/libnm-core-public/nm-setting-8021x.h
index 0ee344299c..93c78fa374 100644
--- a/src/libnm-core-public/nm-setting-8021x.h
+++ b/src/libnm-core-public/nm-setting-8021x.h
@@ -65,10 +65,6 @@ typedef enum { /*< underscore_name=nm_setting_802_1x_ck_scheme >*/
* @NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_0_DISABLE: Disable TLSv1.0
* @NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_1_DISABLE: Disable TLSv1.1
* @NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_2_DISABLE: Disable TLSv1.2
- * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_ALLOW_UNSAFE_RENEGOTIATION: Allow
- * unsafe TLS renegotiation, if the authentication server does not support
- * RFC 5746. This might open security vulnerabilities, but might
- * be necessary to connect to legacy authentication servers. Since: 1.40.
* @NM_SETTING_802_1X_AUTH_FLAGS_ALL: All supported flags
*
* #NMSetting8021xAuthFlags values indicate which authentication settings
@@ -80,13 +76,12 @@ typedef enum { /*< underscore_name=nm_setting_802_1x_ck_scheme >*/
* Since: 1.8
*/
typedef enum /*< underscore_name=nm_setting_802_1x_auth_flags, flags >*/ {
- NM_SETTING_802_1X_AUTH_FLAGS_NONE = 0,
- NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_0_DISABLE = 0x1,
- NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_1_DISABLE = 0x2,
- NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_2_DISABLE = 0x4,
- NM_SETTING_802_1X_AUTH_FLAGS_TLS_ALLOW_UNSAFE_RENEGOTIATION = 0x8,
+ NM_SETTING_802_1X_AUTH_FLAGS_NONE = 0,
+ NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_0_DISABLE = 0x1,
+ NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_1_DISABLE = 0x2,
+ NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_2_DISABLE = 0x4,
- NM_SETTING_802_1X_AUTH_FLAGS_ALL = 0xF,
+ NM_SETTING_802_1X_AUTH_FLAGS_ALL = 0x7,
} NMSetting8021xAuthFlags;
#define NM_TYPE_SETTING_802_1X (nm_setting_802_1x_get_type())
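Review bot: `NM_SETTING_802_1X_AUTH_FLAGS_ALL = 0x7` on the new side is a hand-maintained mask that had to be edited in step with the member list, which is exactly how 0xF and 0x8 drifted in and out together in this revert; deriving it from the members removes that maintenance coupling, e.g. `NM_SETTING_802_1X_AUTH_FLAGS_ALL = NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_0_DISABLE | NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_1_DISABLE | NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_2_DISABLE,`. Because the flag existed in a development snapshot with the value 0x8, a profile that stored `phase1-auth-flags` with that bit set now carries a value outside ALL; whether such a profile is rejected at load time or the bit is silently ignored depends on the setting's verify code, which is not in this hunk and is worth confirming so the behaviour is deliberate. The flag's doc comment in the first hunk of this file is removed consistently, so no dangling reference remains on the new side.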
diff --git a/src/libnmc-setting/settings-docs.h.in b/src/libnmc-setting/settings-docs.h.in
index 11c85eb581..3e86c04b11 100644
--- a/src/libnmc-setting/settings-docs.h.in
+++ b/src/libnmc-setting/settings-docs.h.in
@@ -49,7 +49,7 @@
#define DESCRIBE_DOC_NM_SETTING_802_1X_PASSWORD_FLAGS N_("Flags indicating how to handle the \"password\" property.")
#define DESCRIBE_DOC_NM_SETTING_802_1X_PASSWORD_RAW N_("Password used for EAP authentication methods, given as a byte array to allow passwords in other encodings than UTF-8 to be used. If both the \"password\" property and the \"password-raw\" property are specified, \"password\" is preferred.")
#define DESCRIBE_DOC_NM_SETTING_802_1X_PASSWORD_RAW_FLAGS N_("Flags indicating how to handle the \"password-raw\" property.")
-#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE1_AUTH_FLAGS N_("Specifies authentication flags to use in \"phase 1\" outer authentication using NMSetting8021xAuthFlags options. The individual TLS versions can be explicitly disabled. If a certain TLS disable flag is not set, it is up to the supplicant to allow or forbid it. The TLS options map to tls_disable_tlsv1_x settings. It also allows to set \"tls-allow-unsafe-renegotiation\" to workaround authentication servers that don't support RFC 5746 secure authentication. See the wpa_supplicant documentation for more details.")
+#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE1_AUTH_FLAGS N_("Specifies authentication flags to use in \"phase 1\" outer authentication using NMSetting8021xAuthFlags options. The individual TLS versions can be explicitly disabled. If a certain TLS disable flag is not set, it is up to the supplicant to allow or forbid it. The TLS options map to tls_disable_tlsv1_x settings. See the wpa_supplicant documentation for more details.")
#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE1_FAST_PROVISIONING N_("Enables or disables in-line provisioning of EAP-FAST credentials when FAST is specified as the EAP method in the \"eap\" property. Recognized values are \"0\" (disabled), \"1\" (allow unauthenticated provisioning), \"2\" (allow authenticated provisioning), and \"3\" (allow both authenticated and unauthenticated provisioning). See the wpa_supplicant documentation for more details.")
#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE1_PEAPLABEL N_("Forces use of the new PEAP label during key derivation. Some RADIUS servers may require forcing the new PEAP label to interoperate with PEAPv1. Set to \"1\" to force use of the new PEAP label. See the wpa_supplicant documentation for more details.")
#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE1_PEAPVER N_("Forces which PEAP version is used when PEAP is set as the EAP method in the \"eap\" property. When unset, the version reported by the server will be used. Sometimes when using older RADIUS servers, it is necessary to force the client to use a particular PEAP version. To do so, this property may be set to \"0\" or \"1\" to force that specific PEAP version.")
diff --git a/src/nmcli/generate-docs-nm-settings-nmcli.xml.in b/src/nmcli/generate-docs-nm-settings-nmcli.xml.in
index 29d7fdaab6..85df9ce54b 100644
--- a/src/nmcli/generate-docs-nm-settings-nmcli.xml.in
+++ b/src/nmcli/generate-docs-nm-settings-nmcli.xml.in
@@ -143,7 +143,7 @@
<property name="phase1-fast-provisioning"
description="Enables or disables in-line provisioning of EAP-FAST credentials when FAST is specified as the EAP method in the &quot;eap&quot; property. Recognized values are &quot;0&quot; (disabled), &quot;1&quot; (allow unauthenticated provisioning), &quot;2&quot; (allow authenticated provisioning), and &quot;3&quot; (allow both authenticated and unauthenticated provisioning). See the wpa_supplicant documentation for more details." />
<property name="phase1-auth-flags"
- description="Specifies authentication flags to use in &quot;phase 1&quot; outer authentication using NMSetting8021xAuthFlags options. The individual TLS versions can be explicitly disabled. If a certain TLS disable flag is not set, it is up to the supplicant to allow or forbid it. The TLS options map to tls_disable_tlsv1_x settings. It also allows to set &quot;tls-allow-unsafe-renegotiation&quot; to workaround authentication servers that don&apos;t support RFC 5746 secure authentication. See the wpa_supplicant documentation for more details." />
+ description="Specifies authentication flags to use in &quot;phase 1&quot; outer authentication using NMSetting8021xAuthFlags options. The individual TLS versions can be explicitly disabled. If a certain TLS disable flag is not set, it is up to the supplicant to allow or forbid it. The TLS options map to tls_disable_tlsv1_x settings. See the wpa_supplicant documentation for more details." />
<property name="phase2-auth"
description="Specifies the allowed &quot;phase 2&quot; inner authentication method when an EAP method that uses an inner TLS tunnel is specified in the &quot;eap&quot; property. For TTLS this property selects one of the supported non-EAP inner methods: &quot;pap&quot;, &quot;chap&quot;, &quot;mschap&quot;, &quot;mschapv2&quot; while &quot;phase2-autheap&quot; selects an EAP inner method. For PEAP this selects an inner EAP method, one of: &quot;gtc&quot;, &quot;otp&quot;, &quot;md5&quot; and &quot;tls&quot;. Each &quot;phase 2&quot; inner method requires specific parameters for successful authentication; see the wpa_supplicant documentation for more details. Both &quot;phase2-auth&quot; and &quot;phase2-autheap&quot; cannot be specified." />
<property name="phase2-autheap"