author | Beniamino Galvani <bgalvani@redhat.com> | 2016-03-16 17:34:52 +0100 |
---|---|---|
committer | Beniamino Galvani <bgalvani@redhat.com> | 2016-03-16 17:34:52 +0100 |
commit | e2040e5ebeae8e50e3f3b5a0e724fc9211866972 (patch) | |
tree | 64b8c93f7a7128d62e377255f53c42994a981266 | |
parent | c1383371ccb129b4683dafb185c0734cc4cf4c35 (diff) | |
parent | 46f8045c9e68bc341ad0d1c1587974995be8a92e (diff) | |
download | NetworkManager-e2040e5ebeae8e50e3f3b5a0e724fc9211866972.tar.gz |
merge: branch 'bg/8021x-domain-suffix-match-bgo341323'
Add domain-suffix-match properties to NMSetting8021x.
https://bugzilla.gnome.org/show_bug.cgi?id=341323
-rw-r--r-- | clients/cli/settings.c | 118 | ||||
-rw-r--r-- | libnm-core/nm-setting-8021x.c | 122 | ||||
-rw-r--r-- | libnm-core/nm-setting-8021x.h | 6 | ||||
-rw-r--r-- | libnm/libnm.ver | 2 | ||||
-rw-r--r-- | src/settings/plugins/ifcfg-rh/reader.c | 7 | ||||
-rw-r--r-- | src/settings/plugins/ifcfg-rh/writer.c | 7 | ||||
-rw-r--r-- | src/supplicant-manager/nm-supplicant-config.c | 8 | ||||
-rw-r--r-- | src/supplicant-manager/nm-supplicant-settings-verify.c | 2 |
8 files changed, 220 insertions, 52 deletions
diff --git a/clients/cli/settings.c b/clients/cli/settings.c index 9e0cf08e0f..3fb841a154 100644 --- a/clients/cli/settings.c +++ b/clients/cli/settings.c 
@@ -123,30 +123,32 @@ NmcOutputField nmc_fields_setting_8021X[] = { SETTING_FIELD (NM_SETTING_802_1X_CA_PATH), /* 6 */ SETTING_FIELD (NM_SETTING_802_1X_SUBJECT_MATCH), /* 7 */ SETTING_FIELD (NM_SETTING_802_1X_ALTSUBJECT_MATCHES), /* 8 */ - SETTING_FIELD (NM_SETTING_802_1X_CLIENT_CERT), /* 9 */ - SETTING_FIELD (NM_SETTING_802_1X_PHASE1_PEAPVER), /* 10 */ - SETTING_FIELD (NM_SETTING_802_1X_PHASE1_PEAPLABEL), /* 11 */ - SETTING_FIELD (NM_SETTING_802_1X_PHASE1_FAST_PROVISIONING), /* 12 */ - SETTING_FIELD (NM_SETTING_802_1X_PHASE2_AUTH), /* 13 */ - SETTING_FIELD (NM_SETTING_802_1X_PHASE2_AUTHEAP), /* 14 */ - SETTING_FIELD (NM_SETTING_802_1X_PHASE2_CA_CERT), /* 15 */ - SETTING_FIELD (NM_SETTING_802_1X_PHASE2_CA_PATH), /* 16 */ - SETTING_FIELD (NM_SETTING_802_1X_PHASE2_SUBJECT_MATCH), /* 17 */ - SETTING_FIELD (NM_SETTING_802_1X_PHASE2_ALTSUBJECT_MATCHES), /* 18 */ - SETTING_FIELD (NM_SETTING_802_1X_PHASE2_CLIENT_CERT), /* 19 */ - SETTING_FIELD (NM_SETTING_802_1X_PASSWORD), /* 20 */ - SETTING_FIELD (NM_SETTING_802_1X_PASSWORD_FLAGS), /* 21 */ - SETTING_FIELD (NM_SETTING_802_1X_PASSWORD_RAW), /* 22 */ - SETTING_FIELD (NM_SETTING_802_1X_PASSWORD_RAW_FLAGS), /* 23 */ - SETTING_FIELD (NM_SETTING_802_1X_PRIVATE_KEY), /* 24 */ - SETTING_FIELD (NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD), /* 25 */ - SETTING_FIELD (NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD_FLAGS), /* 26 */ - SETTING_FIELD (NM_SETTING_802_1X_PHASE2_PRIVATE_KEY), /* 27 */ - SETTING_FIELD (NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD), /* 28 */ - SETTING_FIELD (NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD_FLAGS), /* 29 */ - SETTING_FIELD (NM_SETTING_802_1X_PIN), /* 30 */ - SETTING_FIELD (NM_SETTING_802_1X_PIN_FLAGS), /* 31 */ - SETTING_FIELD (NM_SETTING_802_1X_SYSTEM_CA_CERTS), /* 32 */ + SETTING_FIELD (NM_SETTING_802_1X_DOMAIN_SUFFIX_MATCH), /* 9 */ + SETTING_FIELD (NM_SETTING_802_1X_CLIENT_CERT), /* 10 */ + SETTING_FIELD (NM_SETTING_802_1X_PHASE1_PEAPVER), /* 11 */ + SETTING_FIELD (NM_SETTING_802_1X_PHASE1_PEAPLABEL), 
/* 12 */ + SETTING_FIELD (NM_SETTING_802_1X_PHASE1_FAST_PROVISIONING), /* 13 */ + SETTING_FIELD (NM_SETTING_802_1X_PHASE2_AUTH), /* 14 */ + SETTING_FIELD (NM_SETTING_802_1X_PHASE2_AUTHEAP), /* 15 */ + SETTING_FIELD (NM_SETTING_802_1X_PHASE2_CA_CERT), /* 16 */ + SETTING_FIELD (NM_SETTING_802_1X_PHASE2_CA_PATH), /* 17 */ + SETTING_FIELD (NM_SETTING_802_1X_PHASE2_SUBJECT_MATCH), /* 18 */ + SETTING_FIELD (NM_SETTING_802_1X_PHASE2_ALTSUBJECT_MATCHES), /* 19 */ + SETTING_FIELD (NM_SETTING_802_1X_PHASE2_DOMAIN_SUFFIX_MATCH), /* 20 */ + SETTING_FIELD (NM_SETTING_802_1X_PHASE2_CLIENT_CERT), /* 21 */ + SETTING_FIELD (NM_SETTING_802_1X_PASSWORD), /* 22 */ + SETTING_FIELD (NM_SETTING_802_1X_PASSWORD_FLAGS), /* 23 */ + SETTING_FIELD (NM_SETTING_802_1X_PASSWORD_RAW), /* 24 */ + SETTING_FIELD (NM_SETTING_802_1X_PASSWORD_RAW_FLAGS), /* 25 */ + SETTING_FIELD (NM_SETTING_802_1X_PRIVATE_KEY), /* 26 */ + SETTING_FIELD (NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD), /* 27 */ + SETTING_FIELD (NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD_FLAGS), /* 28 */ + SETTING_FIELD (NM_SETTING_802_1X_PHASE2_PRIVATE_KEY), /* 29 */ + SETTING_FIELD (NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD), /* 30 */ + SETTING_FIELD (NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD_FLAGS), /* 31 */ + SETTING_FIELD (NM_SETTING_802_1X_PIN), /* 32 */ + SETTING_FIELD (NM_SETTING_802_1X_PIN_FLAGS), /* 33 */ + SETTING_FIELD (NM_SETTING_802_1X_SYSTEM_CA_CERTS), /* 34 */ {NULL, NULL, 0, NULL, FALSE, FALSE, 0} }; #define NMC_FIELDS_SETTING_802_1X_ALL "name"","\ @@ -158,6 +160,7 @@ NmcOutputField nmc_fields_setting_8021X[] = { NM_SETTING_802_1X_CA_PATH","\ NM_SETTING_802_1X_SUBJECT_MATCH","\ NM_SETTING_802_1X_ALTSUBJECT_MATCHES","\ + NM_SETTING_802_1X_DOMAIN_SUFFIX_MATCH","\ NM_SETTING_802_1X_CLIENT_CERT","\ NM_SETTING_802_1X_PHASE1_PEAPVER","\ NM_SETTING_802_1X_PHASE1_PEAPLABEL","\ 
@@ -168,6 +171,7 @@ NmcOutputField nmc_fields_setting_8021X[] = { NM_SETTING_802_1X_PHASE2_CA_PATH","\ NM_SETTING_802_1X_PHASE2_SUBJECT_MATCH","\ NM_SETTING_802_1X_PHASE2_ALTSUBJECT_MATCHES","\ + NM_SETTING_802_1X_PHASE2_DOMAIN_SUFFIX_MATCH","\ NM_SETTING_802_1X_PHASE2_CLIENT_CERT","\ NM_SETTING_802_1X_PASSWORD","\ NM_SETTING_802_1X_PASSWORD_FLAGS","\ @@ -999,6 +1003,7 @@ DEFINE_GETTER (nmc_property_802_1X_get_pac_file, NM_SETTING_802_1X_PAC_FILE) DEFINE_GETTER (nmc_property_802_1X_get_ca_path, NM_SETTING_802_1X_CA_PATH) DEFINE_GETTER (nmc_property_802_1X_get_subject_match, NM_SETTING_802_1X_SUBJECT_MATCH) DEFINE_GETTER (nmc_property_802_1X_get_altsubject_matches, NM_SETTING_802_1X_ALTSUBJECT_MATCHES) +DEFINE_GETTER (nmc_property_802_1X_get_domain_suffix_match, NM_SETTING_802_1X_DOMAIN_SUFFIX_MATCH) DEFINE_GETTER (nmc_property_802_1X_get_phase1_peapver, NM_SETTING_802_1X_PHASE1_PEAPVER) DEFINE_GETTER (nmc_property_802_1X_get_phase1_peaplabel, NM_SETTING_802_1X_PHASE1_PEAPLABEL) DEFINE_GETTER (nmc_property_802_1X_get_phase1_fast_provisioning, NM_SETTING_802_1X_PHASE1_FAST_PROVISIONING) @@ -1007,6 +1012,7 @@ DEFINE_GETTER (nmc_property_802_1X_get_phase2_autheap, NM_SETTING_802_1X_PHASE2_ DEFINE_GETTER (nmc_property_802_1X_get_phase2_ca_path, NM_SETTING_802_1X_PHASE2_CA_PATH) DEFINE_GETTER (nmc_property_802_1X_get_phase2_subject_match, NM_SETTING_802_1X_PHASE2_SUBJECT_MATCH) DEFINE_GETTER (nmc_property_802_1X_get_phase2_altsubject_matches, NM_SETTING_802_1X_PHASE2_ALTSUBJECT_MATCHES) +DEFINE_GETTER (nmc_property_802_1X_get_phase2_domain_suffix_match, NM_SETTING_802_1X_PHASE2_DOMAIN_SUFFIX_MATCH) DEFINE_GETTER (nmc_property_802_1X_get_password, NM_SETTING_802_1X_PASSWORD) DEFINE_SECRET_FLAGS_GETTER (nmc_property_802_1X_get_password_flags, NM_SETTING_802_1X_PASSWORD_FLAGS) DEFINE_SECRET_FLAGS_GETTER (nmc_property_802_1X_get_password_raw_flags, NM_SETTING_802_1X_PASSWORD_RAW_FLAGS) 
@@ -5673,6 +5679,13 @@ nmc_properties_init (void) NULL, NULL, NULL); + nmc_add_prop_funcs (GLUE (802_1X, DOMAIN_SUFFIX_MATCH), + nmc_property_802_1X_get_domain_suffix_match, + nmc_property_set_string, + NULL, + NULL, + NULL, + NULL); nmc_add_prop_funcs (GLUE (802_1X, CLIENT_CERT), nmc_property_802_1X_get_client_cert, nmc_property_802_1X_set_client_cert, @@ -5743,6 +5756,13 @@ nmc_properties_init (void) NULL, NULL, NULL); + nmc_add_prop_funcs (GLUE (802_1X, PHASE2_DOMAIN_SUFFIX_MATCH), + nmc_property_802_1X_get_phase2_domain_suffix_match, + nmc_property_set_string, + NULL, + NULL, + NULL, + NULL); nmc_add_prop_funcs (GLUE (802_1X, PHASE2_CLIENT_CERT), nmc_property_802_1X_get_phase2_client_cert, nmc_property_802_1X_set_phase2_client_cert, 
@@ -7956,30 +7976,32 @@ setting_802_1X_details (NMSetting *setting, NmCli *nmc, const char *one_prop, g set_val_str (arr, 6, nmc_property_802_1X_get_ca_path (setting, NMC_PROPERTY_GET_PRETTY)); set_val_str (arr, 7, nmc_property_802_1X_get_subject_match (setting, NMC_PROPERTY_GET_PRETTY)); set_val_str (arr, 8, nmc_property_802_1X_get_altsubject_matches (setting, NMC_PROPERTY_GET_PRETTY)); - set_val_str (arr, 9, nmc_property_802_1X_get_client_cert (setting, NMC_PROPERTY_GET_PRETTY)); - set_val_str (arr, 10, nmc_property_802_1X_get_phase1_peapver (setting, NMC_PROPERTY_GET_PRETTY)); - set_val_str (arr, 11, nmc_property_802_1X_get_phase1_peaplabel (setting, NMC_PROPERTY_GET_PRETTY)); - set_val_str (arr, 12, nmc_property_802_1X_get_phase1_fast_provisioning (setting, NMC_PROPERTY_GET_PRETTY)); - set_val_str (arr, 13, nmc_property_802_1X_get_phase2_auth (setting, NMC_PROPERTY_GET_PRETTY)); - set_val_str (arr, 14, nmc_property_802_1X_get_phase2_autheap (setting, NMC_PROPERTY_GET_PRETTY)); - set_val_str (arr, 15, nmc_property_802_1X_get_phase2_ca_cert (setting, NMC_PROPERTY_GET_PRETTY)); - set_val_str (arr, 16, nmc_property_802_1X_get_phase2_ca_path (setting, NMC_PROPERTY_GET_PRETTY)); - set_val_str (arr, 17, nmc_property_802_1X_get_phase2_subject_match (setting, NMC_PROPERTY_GET_PRETTY)); - set_val_str (arr, 18, nmc_property_802_1X_get_phase2_altsubject_matches (setting, NMC_PROPERTY_GET_PRETTY)); - set_val_str (arr, 19, nmc_property_802_1X_get_phase2_client_cert (setting, NMC_PROPERTY_GET_PRETTY)); - set_val_str (arr, 20, GET_SECRET (secrets, setting, nmc_property_802_1X_get_password)); - set_val_str (arr, 21, nmc_property_802_1X_get_password_flags (setting, NMC_PROPERTY_GET_PRETTY)); - set_val_str (arr, 22, GET_SECRET (secrets, setting, nmc_property_802_1X_get_password_raw)); - set_val_str (arr, 23, nmc_property_802_1X_get_password_raw_flags (setting, NMC_PROPERTY_GET_PRETTY)); - set_val_str (arr, 24, nmc_property_802_1X_get_private_key (setting, 
NMC_PROPERTY_GET_PRETTY)); - set_val_str (arr, 25, GET_SECRET (secrets, setting, nmc_property_802_1X_get_private_key_password)); - set_val_str (arr, 26, nmc_property_802_1X_get_private_key_password_flags (setting, NMC_PROPERTY_GET_PRETTY)); - set_val_str (arr, 27, nmc_property_802_1X_get_phase2_private_key (setting, NMC_PROPERTY_GET_PRETTY)); - set_val_str (arr, 28, GET_SECRET (secrets, setting, nmc_property_802_1X_get_phase2_private_key_password)); - set_val_str (arr, 29, nmc_property_802_1X_get_phase2_private_key_password_flags (setting, NMC_PROPERTY_GET_PRETTY)); - set_val_str (arr, 30, GET_SECRET (secrets, setting, nmc_property_802_1X_get_pin)); - set_val_str (arr, 31, nmc_property_802_1X_get_pin_flags (setting, NMC_PROPERTY_GET_PRETTY)); - set_val_str (arr, 32, nmc_property_802_1X_get_system_ca_certs (setting, NMC_PROPERTY_GET_PRETTY)); + set_val_str (arr, 9, nmc_property_802_1X_get_domain_suffix_match (setting, NMC_PROPERTY_GET_PRETTY)); + set_val_str (arr, 10, nmc_property_802_1X_get_client_cert (setting, NMC_PROPERTY_GET_PRETTY)); + set_val_str (arr, 11, nmc_property_802_1X_get_phase1_peapver (setting, NMC_PROPERTY_GET_PRETTY)); + set_val_str (arr, 12, nmc_property_802_1X_get_phase1_peaplabel (setting, NMC_PROPERTY_GET_PRETTY)); + set_val_str (arr, 13, nmc_property_802_1X_get_phase1_fast_provisioning (setting, NMC_PROPERTY_GET_PRETTY)); + set_val_str (arr, 14, nmc_property_802_1X_get_phase2_auth (setting, NMC_PROPERTY_GET_PRETTY)); + set_val_str (arr, 15, nmc_property_802_1X_get_phase2_autheap (setting, NMC_PROPERTY_GET_PRETTY)); + set_val_str (arr, 16, nmc_property_802_1X_get_phase2_ca_cert (setting, NMC_PROPERTY_GET_PRETTY)); + set_val_str (arr, 17, nmc_property_802_1X_get_phase2_ca_path (setting, NMC_PROPERTY_GET_PRETTY)); + set_val_str (arr, 18, nmc_property_802_1X_get_phase2_subject_match (setting, NMC_PROPERTY_GET_PRETTY)); + set_val_str (arr, 19, nmc_property_802_1X_get_phase2_altsubject_matches (setting, NMC_PROPERTY_GET_PRETTY)); + set_val_str 
(arr, 20, nmc_property_802_1X_get_phase2_domain_suffix_match (setting, NMC_PROPERTY_GET_PRETTY)); + set_val_str (arr, 21, nmc_property_802_1X_get_phase2_client_cert (setting, NMC_PROPERTY_GET_PRETTY)); + set_val_str (arr, 22, GET_SECRET (secrets, setting, nmc_property_802_1X_get_password)); + set_val_str (arr, 23, nmc_property_802_1X_get_password_flags (setting, NMC_PROPERTY_GET_PRETTY)); + set_val_str (arr, 24, GET_SECRET (secrets, setting, nmc_property_802_1X_get_password_raw)); + set_val_str (arr, 25, nmc_property_802_1X_get_password_raw_flags (setting, NMC_PROPERTY_GET_PRETTY)); + set_val_str (arr, 26, nmc_property_802_1X_get_private_key (setting, NMC_PROPERTY_GET_PRETTY)); + set_val_str (arr, 27, GET_SECRET (secrets, setting, nmc_property_802_1X_get_private_key_password)); + set_val_str (arr, 28, nmc_property_802_1X_get_private_key_password_flags (setting, NMC_PROPERTY_GET_PRETTY)); + set_val_str (arr, 29, nmc_property_802_1X_get_phase2_private_key (setting, NMC_PROPERTY_GET_PRETTY)); + set_val_str (arr, 30, GET_SECRET (secrets, setting, nmc_property_802_1X_get_phase2_private_key_password)); + set_val_str (arr, 31, nmc_property_802_1X_get_phase2_private_key_password_flags (setting, NMC_PROPERTY_GET_PRETTY)); + set_val_str (arr, 32, GET_SECRET (secrets, setting, nmc_property_802_1X_get_pin)); + set_val_str (arr, 33, nmc_property_802_1X_get_pin_flags (setting, NMC_PROPERTY_GET_PRETTY)); + set_val_str (arr, 34, nmc_property_802_1X_get_system_ca_certs (setting, NMC_PROPERTY_GET_PRETTY)); g_ptr_array_add (nmc->output_data, arr); print_data (nmc); /* Print all data */ diff --git a/libnm-core/nm-setting-8021x.c b/libnm-core/nm-setting-8021x.c index cc8ea66ed7..4db420de05 100644 --- a/libnm-core/nm-setting-8021x.c +++ b/libnm-core/nm-setting-8021x.c @@ -80,6 +80,7 @@ typedef struct { char *ca_path; char *subject_match; GSList *altsubject_matches; + char *domain_suffix_match; GBytes *client_cert; char *phase1_peapver; char *phase1_peaplabel; 
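Review bot: The renumbered `set_val_str (arr, 9 … 34, …)` calls in setting_802_1X_details have to line up by position with the hand-written `/* N */` comments in nmc_fields_setting_8021X, and nothing checks that at compile time; a slip would silently print one property's value under another property's name, and this table includes the secret fields fetched through GET_SECRET. Consider pinning the table size next to the array, e.g. `G_STATIC_ASSERT (G_N_ELEMENTS (nmc_fields_setting_8021X) == 36);` (34 fields, "name" at index 0 if the unseen head of the array starts that way, plus the NULL terminator), or defining the indices as an enum that both the table and this function use. setting_802_1X_details starts before this hunk.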
@@ -90,6 +91,7 @@ typedef struct { char *phase2_ca_path; char *phase2_subject_match; GSList *phase2_altsubject_matches; + char *phase2_domain_suffix_match; GBytes *phase2_client_cert; char *password; NMSettingSecretFlags password_flags; @@ -116,6 +118,7 @@ enum { PROP_CA_PATH, PROP_SUBJECT_MATCH, PROP_ALTSUBJECT_MATCHES, + PROP_DOMAIN_SUFFIX_MATCH, PROP_CLIENT_CERT, PROP_PHASE1_PEAPVER, PROP_PHASE1_PEAPLABEL, @@ -126,6 +129,7 @@ enum { PROP_PHASE2_CA_PATH, PROP_PHASE2_SUBJECT_MATCH, PROP_PHASE2_ALTSUBJECT_MATCHES, + PROP_PHASE2_DOMAIN_SUFFIX_MATCH, PROP_PHASE2_CLIENT_CERT, PROP_PASSWORD, PROP_PASSWORD_FLAGS, @@ -850,6 +854,22 @@ nm_setting_802_1x_clear_altsubject_matches (NMSetting8021x *setting) } /** + * nm_setting_802_1x_get_domain_suffix_match: + * @setting: the #NMSetting8021x + * + * Returns: the #NMSetting8021x:domain-suffix-match property. + * + * Since: 1.2 + **/ +const char * +nm_setting_802_1x_get_domain_suffix_match (NMSetting8021x *setting) +{ + g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL); + + return NM_SETTING_802_1X_GET_PRIVATE (setting)->domain_suffix_match; +} + +/** * nm_setting_802_1x_get_client_cert_scheme: * @setting: the #NMSetting8021x * @@ -1299,6 +1319,22 @@ nm_setting_802_1x_get_num_phase2_altsubject_matches (NMSetting8021x *setting) } /** + * nm_setting_802_1x_get_phase2_domain_suffix_match: + * @setting: the #NMSetting8021x + * + * Returns: the #NMSetting8021x:phase2-domain-suffix-match property. + * + * Since: 1.2 + **/ +const char * +nm_setting_802_1x_get_phase2_domain_suffix_match (NMSetting8021x *setting) +{ + g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL); + + return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_domain_suffix_match; +} + +/** * nm_setting_802_1x_get_phase2_altsubject_match: * @setting: the #NMSettingConnection * @i: the zero-based index of the array of "phase 2" altSubjectName matches 
@@ -2827,6 +2863,7 @@ finalize (GObject *object) g_free (priv->anonymous_identity); g_free (priv->ca_path); g_free (priv->subject_match); + g_free (priv->domain_suffix_match); g_free (priv->phase1_peapver); g_free (priv->phase1_peaplabel); g_free (priv->phase1_fast_provisioning); @@ -2834,6 +2871,7 @@ finalize (GObject *object) g_free (priv->phase2_autheap); g_free (priv->phase2_ca_path); g_free (priv->phase2_subject_match); + g_free (priv->phase2_domain_suffix_match); g_free (priv->password); if (priv->password_raw) g_bytes_unref (priv->password_raw); @@ -2877,6 +2915,15 @@ set_cert_prop_helper (const GValue *value, const char *prop_name, GError **error return bytes; } +static char * +_g_value_dup_string_not_empty (const GValue *value) +{ + const gchar *str; + + str = g_value_get_string (value); + return str && str[0] ? g_strdup (str) : NULL; +} + static void set_property (GObject *object, guint prop_id, const GValue *value, GParamSpec *pspec) @@ -2917,12 +2964,16 @@ set_property (GObject *object, guint prop_id, break; case PROP_SUBJECT_MATCH: g_free (priv->subject_match); - priv->subject_match = g_value_dup_string (value); + priv->subject_match = _g_value_dup_string_not_empty (value); break; case PROP_ALTSUBJECT_MATCHES: g_slist_free_full (priv->altsubject_matches, g_free); priv->altsubject_matches = _nm_utils_strv_to_slist (g_value_get_boxed (value), TRUE); break; + case PROP_DOMAIN_SUFFIX_MATCH: + g_free (priv->domain_suffix_match); + priv->domain_suffix_match = _g_value_dup_string_not_empty (value); + break; case PROP_CLIENT_CERT: if (priv->client_cert) g_bytes_unref (priv->client_cert); 
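Review bot: Switching the existing subject-match and phase2-subject-match setters to `_g_value_dup_string_not_empty` is a behaviour change for properties that already shipped (an empty string now reads back as NULL and will round-trip differently through the ifcfg writer), yet neither the helper nor the commit message says why. A one-line comment on the helper would carry the rationale, e.g. `/* Treat "" as unset: an empty match pattern constrains nothing, so it is stored as NULL rather than forwarded to the supplicant as a constraint. */` — assuming add_string_val skips NULL values, which is not visible here. set_property starts before and ends after this hunk.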
@@ -2967,12 +3018,16 @@ set_property (GObject *object, guint prop_id, break; case PROP_PHASE2_SUBJECT_MATCH: g_free (priv->phase2_subject_match); - priv->phase2_subject_match = g_value_dup_string (value); + priv->phase2_subject_match = _g_value_dup_string_not_empty (value); break; case PROP_PHASE2_ALTSUBJECT_MATCHES: g_slist_free_full (priv->phase2_altsubject_matches, g_free); priv->phase2_altsubject_matches = _nm_utils_strv_to_slist (g_value_get_boxed (value), TRUE); break; + case PROP_PHASE2_DOMAIN_SUFFIX_MATCH: + g_free (priv->phase2_domain_suffix_match); + priv->phase2_domain_suffix_match = _g_value_dup_string_not_empty (value); + break; case PROP_PHASE2_CLIENT_CERT: if (priv->phase2_client_cert) g_bytes_unref (priv->phase2_client_cert); @@ -3077,6 +3132,9 @@ get_property (GObject *object, guint prop_id, case PROP_ALTSUBJECT_MATCHES: g_value_take_boxed (value, _nm_utils_slist_to_strv (priv->altsubject_matches, TRUE)); break; + case PROP_DOMAIN_SUFFIX_MATCH: + g_value_set_string (value, priv->domain_suffix_match); + break; case PROP_CLIENT_CERT: g_value_set_boxed (value, priv->client_cert); break; @@ -3107,6 +3165,9 @@ get_property (GObject *object, guint prop_id, case PROP_PHASE2_ALTSUBJECT_MATCHES: g_value_take_boxed (value, _nm_utils_slist_to_strv (priv->phase2_altsubject_matches, TRUE)); break; + case PROP_PHASE2_DOMAIN_SUFFIX_MATCH: + g_value_set_string (value, priv->phase2_domain_suffix_match); + break; case PROP_PHASE2_CLIENT_CERT: g_value_set_boxed (value, priv->phase2_client_cert); break; 
@@ -3313,7 +3374,9 @@ nm_setting_802_1x_class_init (NMSetting8021xClass *setting_class) * * Substring to be matched against the subject of the certificate presented * by the authentication server. When unset, no verification of the - * authentication server certificate's subject is performed. + * authentication server certificate's subject is performed. This property + * provides little security, if any, and its use is deprecated in favor of + * NMSetting8021x:domain-suffix-match. **/ /* ---ifcfg-rh--- * property: subject-match @@ -3351,6 +3414,30 @@ nm_setting_802_1x_class_init (NMSetting8021xClass *setting_class) G_PARAM_STATIC_STRINGS)); /** + * NMSetting8021x:domain-suffix-match: + * + * Constraint for server domain name. If set, this FQDN is used as a suffix + * match requirement for dNSName element(s) of the certificate presented by + * the authentication server. If a matching dNSName is found, this + * constraint is met. If no dNSName values are present, this constraint is + * matched against SubjectName CN using same suffix match comparison. + * + * Since: 1.2 + **/ + /* ---ifcfg-rh--- + * property: domain-suffix-match + * description: Suffix to match domain of server certificate against. + * variable: IEEE_8021X_DOMAIN_SUFFIX_MATCH(+) + * ---end--- + */ + g_object_class_install_property + (object_class, PROP_DOMAIN_SUFFIX_MATCH, + g_param_spec_string (NM_SETTING_802_1X_DOMAIN_SUFFIX_MATCH, "", "", + NULL, + G_PARAM_READWRITE | + G_PARAM_STATIC_STRINGS)); + + /** * NMSetting8021x:client-cert: * * Contains the client certificate if used by the EAP method specified in 
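Review bot: The NMSetting8021x:domain-suffix-match documentation does not say that the suffix check is only as strong as the chain validation it sits on; as far as I know of wpa_supplicant's handling of `domain_suffix_match`, the suffix is compared against whatever certificate the server presents, so without ca-cert, ca-path or system-ca-certs an attacker can present a self-signed certificate carrying a matching dNSName. I would add to the doc block: `* This property only restricts which server certificate is accepted; it does not replace CA verification and should be used together with ca-cert, ca-path or system-ca-certs.` It would also help to state whether the comparison is on whole-label boundaries (i.e. whether "example.com" matches "foo.example.com" but not "fooexample.com"), which is how wpa_supplicant documents its option, and `using same suffix match comparison` reads better as `using the same suffix-match comparison`. nm_setting_802_1x_class_init starts and ends outside this hunk.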
@@ -3550,7 +3637,9 @@ nm_setting_802_1x_class_init (NMSetting8021xClass *setting_class) * Substring to be matched against the subject of the certificate presented * by the authentication server during the inner "phase 2" * authentication. When unset, no verification of the authentication server - * certificate's subject is performed. + * certificate's subject is performed. This property provides little security, + * if any, and its use is deprecated in favor of + * NMSetting8021x:phase2-domain-suffix-match. **/ /* ---ifcfg-rh--- * property: phase2-subject-match @@ -3587,6 +3676,31 @@ nm_setting_802_1x_class_init (NMSetting8021xClass *setting_class) G_PARAM_STATIC_STRINGS)); /** + * NMSetting8021x:phase2-domain-suffix-match: + * + * Constraint for server domain name. If set, this FQDN is used as a suffix + * match requirement for dNSName element(s) of the certificate presented by + * the authentication server during the inner "phase 2" authentication. If + * a matching dNSName is found, this constraint is met. If no dNSName + * values are present, this constraint is matched against SubjectName CN + * using same suffix match comparison. + * + * Since: 1.2 + **/ + /* ---ifcfg-rh--- + * property: phase2-domain-suffix-match + * description: Suffix to match domain of server certificate for phase 2 against. + * variable: IEEE_8021X_PHASE2_DOMAIN_SUFFIX_MATCH(+) + * ---end--- + */ + g_object_class_install_property + (object_class, PROP_PHASE2_DOMAIN_SUFFIX_MATCH, + g_param_spec_string (NM_SETTING_802_1X_PHASE2_DOMAIN_SUFFIX_MATCH, "", "", + NULL, + G_PARAM_READWRITE | + G_PARAM_STATIC_STRINGS)); + + /** * NMSetting8021x:phase2-client-cert: * * Contains the "phase 2" client certificate if used by the EAP method diff --git a/libnm-core/nm-setting-8021x.h b/libnm-core/nm-setting-8021x.h index da86071a63..d8867b9261 100644 --- a/libnm-core/nm-setting-8021x.h +++ b/libnm-core/nm-setting-8021x.h 
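Review bot: The NMSetting8021x:phase2-domain-suffix-match documentation inherits the same gaps as the phase-1 property: it does not say that the check depends on phase2-ca-cert/phase2-ca-path being configured, and, if this maps to wpa_supplicant's `domain_suffix_match2` as the supplicant-config hunk suggests, it presumably only applies when the inner method is itself TLS-based (worth confirming and stating). A sentence such as `* Only meaningful for a TLS-based inner method and in combination with phase2-ca-cert or phase2-ca-path; the suffix is checked against the certificate the inner server presents.` would cover both. The phrase `using same suffix match comparison` should read `using the same suffix-match comparison`. nm_setting_802_1x_class_init starts and ends outside this hunk.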
@@ -89,6 +89,7 @@ typedef enum { /*< underscore_name=nm_setting_802_1x_ck_scheme >*/ #define NM_SETTING_802_1X_CA_PATH "ca-path" #define NM_SETTING_802_1X_SUBJECT_MATCH "subject-match" #define NM_SETTING_802_1X_ALTSUBJECT_MATCHES "altsubject-matches" +#define NM_SETTING_802_1X_DOMAIN_SUFFIX_MATCH "domain-suffix-match" #define NM_SETTING_802_1X_CLIENT_CERT "client-cert" #define NM_SETTING_802_1X_PHASE1_PEAPVER "phase1-peapver" #define NM_SETTING_802_1X_PHASE1_PEAPLABEL "phase1-peaplabel" @@ -99,6 +100,7 @@ typedef enum { /*< underscore_name=nm_setting_802_1x_ck_scheme >*/ #define NM_SETTING_802_1X_PHASE2_CA_PATH "phase2-ca-path" #define NM_SETTING_802_1X_PHASE2_SUBJECT_MATCH "phase2-subject-match" #define NM_SETTING_802_1X_PHASE2_ALTSUBJECT_MATCHES "phase2-altsubject-matches" +#define NM_SETTING_802_1X_PHASE2_DOMAIN_SUFFIX_MATCH "phase2-domain-suffix-match" #define NM_SETTING_802_1X_PHASE2_CLIENT_CERT "phase2-client-cert" #define NM_SETTING_802_1X_PASSWORD "password" #define NM_SETTING_802_1X_PASSWORD_FLAGS "password-flags" @@ -190,6 +192,8 @@ void nm_setting_802_1x_remove_altsubject_match (NMSetting8 gboolean nm_setting_802_1x_remove_altsubject_match_by_value (NMSetting8021x *setting, const char *altsubject_match); void nm_setting_802_1x_clear_altsubject_matches (NMSetting8021x *setting); +NM_AVAILABLE_IN_1_2 +const char * nm_setting_802_1x_get_domain_suffix_match (NMSetting8021x *setting); NMSetting8021xCKScheme nm_setting_802_1x_get_client_cert_scheme (NMSetting8021x *setting); GBytes * nm_setting_802_1x_get_client_cert_blob (NMSetting8021x *setting); 
@@ -231,6 +235,8 @@ void nm_setting_802_1x_remove_phase2_altsubject_match (NMS gboolean nm_setting_802_1x_remove_phase2_altsubject_match_by_value (NMSetting8021x *setting, const char *phase2_altsubject_match); void nm_setting_802_1x_clear_phase2_altsubject_matches (NMSetting8021x *setting); +NM_AVAILABLE_IN_1_2 +const char * nm_setting_802_1x_get_phase2_domain_suffix_match (NMSetting8021x *setting); NMSetting8021xCKScheme nm_setting_802_1x_get_phase2_client_cert_scheme (NMSetting8021x *setting); GBytes * nm_setting_802_1x_get_phase2_client_cert_blob (NMSetting8021x *setting); diff --git a/libnm/libnm.ver b/libnm/libnm.ver index e3ede1d213..7ece1b2fef 100644 --- a/libnm/libnm.ver +++ b/libnm/libnm.ver @@ -942,6 +942,8 @@ global: nm_lldp_neighbor_unref; nm_metered_get_type; nm_setting_802_1x_check_cert_scheme; + nm_setting_802_1x_get_domain_suffix_match; + nm_setting_802_1x_get_phase2_domain_suffix_match; nm_setting_bridge_get_multicast_snooping; nm_setting_connection_autoconnect_slaves_get_type; nm_setting_connection_get_autoconnect_slaves; diff --git a/src/settings/plugins/ifcfg-rh/reader.c b/src/settings/plugins/ifcfg-rh/reader.c index a65ca5d7c4..41ffa27db9 100644 --- a/src/settings/plugins/ifcfg-rh/reader.c +++ b/src/settings/plugins/ifcfg-rh/reader.c @@ -3076,6 +3076,13 @@ fill_8021x (shvarFile *ifcfg, read_8021x_list_value (ifcfg, "IEEE_8021X_PHASE2_ALTSUBJECT_MATCHES", s_8021x, NM_SETTING_802_1X_PHASE2_ALTSUBJECT_MATCHES); + value = svGetValue (ifcfg, "IEEE_8021X_DOMAIN_SUFFIX_MATCH", FALSE); + g_object_set (s_8021x, NM_SETTING_802_1X_DOMAIN_SUFFIX_MATCH, value, NULL); + g_free (value); + value = svGetValue (ifcfg, "IEEE_8021X_PHASE2_DOMAIN_SUFFIX_MATCH", FALSE); + g_object_set (s_8021x, NM_SETTING_802_1X_PHASE2_DOMAIN_SUFFIX_MATCH, value, NULL); + g_free (value); + if (list) g_strfreev (list); if (keys) diff --git a/src/settings/plugins/ifcfg-rh/writer.c b/src/settings/plugins/ifcfg-rh/writer.c index e7d64379da..c17824d6fc 100644 
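Review bot: The two new blocks in fill_8021x repeat the same three-line read/set/free sequence that the surrounding code already uses elsewhere, so a small `static` helper taking the ifcfg key and the property name would keep them in one place, and the third argument of `svGetValue` is passed as a bare `FALSE` whose meaning a reader has to look up. If the intent is to read the raw (unescaped) value, a short comment on the first call, e.g. `/* FALSE: not verbatim, strip shell quoting */`, would document it — adjust if the flag means something else. fill_8021x starts before and ends after this hunk.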
--- a/src/settings/plugins/ifcfg-rh/writer.c +++ b/src/settings/plugins/ifcfg-rh/writer.c @@ -582,6 +582,13 @@ write_8021x_setting (NMConnection *connection, svSetValue (ifcfg, "IEEE_8021X_PHASE2_ALTSUBJECT_MATCHES", str->str, FALSE); g_string_free (str, TRUE); + svSetValue (ifcfg, "IEEE_8021X_DOMAIN_SUFFIX_MATCH", + nm_setting_802_1x_get_domain_suffix_match (s_8021x), + FALSE); + svSetValue (ifcfg, "IEEE_8021X_PHASE2_DOMAIN_SUFFIX_MATCH", + nm_setting_802_1x_get_phase2_domain_suffix_match (s_8021x), + FALSE); + success = write_8021x_certs (s_8021x, FALSE, ifcfg, error); if (success) { /* phase2/inner certs */ diff --git a/src/supplicant-manager/nm-supplicant-config.c b/src/supplicant-manager/nm-supplicant-config.c index 091742e586..67bba5835c 100644 --- a/src/supplicant-manager/nm-supplicant-config.c +++ b/src/supplicant-manager/nm-supplicant-config.c @@ -1033,6 +1033,14 @@ nm_supplicant_config_add_setting_8021x (NMSupplicantConfig *self, if (!ADD_STRING_LIST_VAL (self, setting, 802_1x, phase2_altsubject_match, phase2_altsubject_matches, "altsubject_match2", ';', FALSE, FALSE, error)) return FALSE; + /* Domain suffix match */ + value = nm_setting_802_1x_get_domain_suffix_match (setting); + if (!add_string_val (self, value, "domain_suffix_match", FALSE, FALSE, error)) + return FALSE; + value = nm_setting_802_1x_get_phase2_domain_suffix_match (setting); + if (!add_string_val (self, value, "domain_suffix_match2", FALSE, FALSE, error)) + return FALSE; + /* Private key */ added = FALSE; switch (nm_setting_802_1x_get_private_key_scheme (setting)) { diff --git a/src/supplicant-manager/nm-supplicant-settings-verify.c b/src/supplicant-manager/nm-supplicant-settings-verify.c index ec660d189f..bb046f9361 100644 --- a/src/supplicant-manager/nm-supplicant-settings-verify.c +++ b/src/supplicant-manager/nm-supplicant-settings-verify.c 
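Review bot: In nm_supplicant_config_add_setting_8021x the two new `add_string_val` calls forward `domain_suffix_match`/`domain_suffix_match2` without relating them to the CA configuration; as far as I understand wpa_supplicant, a suffix match on a certificate whose chain is not validated provides no authentication, so a profile that sets domain-suffix-match but none of ca-cert, ca-path or system-ca-certs silently gets less than it asks for. A warning log at this point when the suffix match is set but no CA option is (the CA handling appears to be elsewhere in this function) would surface the misconfiguration. Also, whether `add_string_val` tolerates a NULL value for an unset property is not visible in this hunk and should be confirmed, since the setter normalises "" to NULL. The function starts before and ends after this hunk.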
@@ -112,6 +112,7 @@ static const struct Opt opt_table[] = { { "ca_path", TYPE_BYTES, 0, 0, FALSE, NULL }, { "subject_match", TYPE_BYTES, 0, 0, FALSE, NULL }, { "altsubject_match", TYPE_BYTES, 0, 0, FALSE, NULL }, + { "domain_suffix_match",TYPE_BYTES, 0, 0, FALSE, NULL }, { "ca_cert", TYPE_BYTES, 0, 65536, FALSE, NULL }, { "client_cert", TYPE_BYTES, 0, 65536, FALSE, NULL }, { "private_key", TYPE_BYTES, 0, 65536, FALSE, NULL }, @@ -122,6 +123,7 @@ static const struct Opt opt_table[] = { { "ca_path2", TYPE_BYTES, 0, 0, FALSE, NULL }, { "subject_match2", TYPE_BYTES, 0, 0, FALSE, NULL }, { "altsubject_match2", TYPE_BYTES, 0, 0, FALSE, NULL }, + { "domain_suffix_match2", TYPE_BYTES, 0, 0, FALSE, NULL }, { "ca_cert2", TYPE_BYTES, 0, 65536, FALSE, NULL }, { "client_cert2", TYPE_BYTES, 0, 65536, FALSE, NULL }, { "private_key2", TYPE_BYTES, 0, 65536, FALSE, NULL }, |
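Review bot: The new `{ "domain_suffix_match",TYPE_BYTES, 0, 0, FALSE, NULL },` row in opt_table is missing the space after the comma and breaks the column alignment of its neighbours; it should read `{ "domain_suffix_match", TYPE_BYTES, 0, 0, FALSE, NULL },` like the `domain_suffix_match2` row below. Both rows use a maximum length of 0, which presumably means unbounded as for `subject_match`; that is consistent with the table, but since these values reach the supplicant from an editable connection profile, a brief comment on the 0 would help the next reader know it is intentional. opt_table starts before and ends after this hunk.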