path: root/libnm-core/nm-setting-8021x.c
authorBeniamino Galvani <bgalvani@redhat.com>2016-03-03 22:42:35 +0100
committerBeniamino Galvani <bgalvani@redhat.com>2016-03-16 17:32:17 +0100
commit64b76ba90656fd082aea4cf59263ea99943dcfeb (patch)
tree44c3c5bccb2718f3cbf6b54a34f6cc2ac62842bf /libnm-core/nm-setting-8021x.c
parentc1383371ccb129b4683dafb185c0734cc4cf4c35 (diff)
libnm-core: add domain-suffix-match properties to NMSetting8021x
The new domain-suffix-match and phase2-domain-suffix-match properties can be used to match against a given server domain suffix in the dNSName elements or in the SubjectName CN of the server certificate. Also, add a comment to the old subject-match properties documentation to suggest that they are deprecated and should not be used anymore.
Diffstat (limited to 'libnm-core/nm-setting-8021x.c')
-rw-r--r--libnm-core/nm-setting-8021x.c97
1 files changed, 95 insertions, 2 deletions
diff --git a/libnm-core/nm-setting-8021x.c b/libnm-core/nm-setting-8021x.c
index cc8ea66ed7..db11be063e 100644
--- a/libnm-core/nm-setting-8021x.c
+++ b/libnm-core/nm-setting-8021x.c
@@ -80,6 +80,7 @@ typedef struct {
char *ca_path;
char *subject_match;
GSList *altsubject_matches;
+ char *domain_suffix_match;
GBytes *client_cert;
char *phase1_peapver;
char *phase1_peaplabel;
@@ -90,6 +91,7 @@ typedef struct {
char *phase2_ca_path;
char *phase2_subject_match;
GSList *phase2_altsubject_matches;
+ char *phase2_domain_suffix_match;
GBytes *phase2_client_cert;
char *password;
NMSettingSecretFlags password_flags;
@@ -116,6 +118,7 @@ enum {
PROP_CA_PATH,
PROP_SUBJECT_MATCH,
PROP_ALTSUBJECT_MATCHES,
+ PROP_DOMAIN_SUFFIX_MATCH,
PROP_CLIENT_CERT,
PROP_PHASE1_PEAPVER,
PROP_PHASE1_PEAPLABEL,
@@ -126,6 +129,7 @@ enum {
PROP_PHASE2_CA_PATH,
PROP_PHASE2_SUBJECT_MATCH,
PROP_PHASE2_ALTSUBJECT_MATCHES,
+ PROP_PHASE2_DOMAIN_SUFFIX_MATCH,
PROP_PHASE2_CLIENT_CERT,
PROP_PASSWORD,
PROP_PASSWORD_FLAGS,
@@ -850,6 +854,22 @@ nm_setting_802_1x_clear_altsubject_matches (NMSetting8021x *setting)
}
/**
+ * nm_setting_802_1x_get_domain_suffix_match:
+ * @setting: the #NMSetting8021x
+ *
+ * Returns: the #NMSetting8021x:domain-suffix-match property.
+ *
+ * Since: 1.2
+ **/
+const char *
+nm_setting_802_1x_get_domain_suffix_match (NMSetting8021x *setting)
+{
+ g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
+
+ return NM_SETTING_802_1X_GET_PRIVATE (setting)->domain_suffix_match;
+}
+
+/**
* nm_setting_802_1x_get_client_cert_scheme:
* @setting: the #NMSetting8021x
*
@@ -1299,6 +1319,22 @@ nm_setting_802_1x_get_num_phase2_altsubject_matches (NMSetting8021x *setting)
}
/**
+ * nm_setting_802_1x_get_phase2_domain_suffix_match:
+ * @setting: the #NMSetting8021x
+ *
+ * Returns: the #NMSetting8021x:phase2-domain-suffix-match property.
+ *
+ * Since: 1.2
+ **/
+const char *
+nm_setting_802_1x_get_phase2_domain_suffix_match (NMSetting8021x *setting)
+{
+ g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
+
+ return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_domain_suffix_match;
+}
+
+/**
* nm_setting_802_1x_get_phase2_altsubject_match:
* @setting: the #NMSettingConnection
* @i: the zero-based index of the array of "phase 2" altSubjectName matches
@@ -2827,6 +2863,7 @@ finalize (GObject *object)
g_free (priv->anonymous_identity);
g_free (priv->ca_path);
g_free (priv->subject_match);
+ g_free (priv->domain_suffix_match);
g_free (priv->phase1_peapver);
g_free (priv->phase1_peaplabel);
g_free (priv->phase1_fast_provisioning);
@@ -2834,6 +2871,7 @@ finalize (GObject *object)
g_free (priv->phase2_autheap);
g_free (priv->phase2_ca_path);
g_free (priv->phase2_subject_match);
+ g_free (priv->phase2_domain_suffix_match);
g_free (priv->password);
if (priv->password_raw)
g_bytes_unref (priv->password_raw);
@@ -2923,6 +2961,10 @@ set_property (GObject *object, guint prop_id,
g_slist_free_full (priv->altsubject_matches, g_free);
priv->altsubject_matches = _nm_utils_strv_to_slist (g_value_get_boxed (value), TRUE);
break;
+ case PROP_DOMAIN_SUFFIX_MATCH:
+ g_free (priv->domain_suffix_match);
+ priv->domain_suffix_match = g_value_dup_string (value);
+ break;
case PROP_CLIENT_CERT:
if (priv->client_cert)
g_bytes_unref (priv->client_cert);
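Review bot: The new PROP_DOMAIN_SUFFIX_MATCH case stores whatever string the GValue carries, including an empty string, while the property documentation defines behaviour only in terms of the property being "set" or unset; set_property starts and ends outside this hunk, and whether verify() rejects an empty value is not visible here. If verify() does not already cover it, an empty domain-suffix-match would presumably be treated as a present-but-empty constraint by whatever consumes it, which is neither "unset" nor a usable FQDN. Either reject the empty string in verify() with the usual NM_CONNECTION_ERROR_INVALID_PROPERTY path, or document that an empty value is equivalent to unset. The same applies to the PROP_PHASE2_DOMAIN_SUFFIX_MATCH case in the following hunk.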
@@ -2973,6 +3015,10 @@ set_property (GObject *object, guint prop_id,
g_slist_free_full (priv->phase2_altsubject_matches, g_free);
priv->phase2_altsubject_matches = _nm_utils_strv_to_slist (g_value_get_boxed (value), TRUE);
break;
+ case PROP_PHASE2_DOMAIN_SUFFIX_MATCH:
+ g_free (priv->phase2_domain_suffix_match);
+ priv->phase2_domain_suffix_match = g_value_dup_string (value);
+ break;
case PROP_PHASE2_CLIENT_CERT:
if (priv->phase2_client_cert)
g_bytes_unref (priv->phase2_client_cert);
@@ -3077,6 +3123,9 @@ get_property (GObject *object, guint prop_id,
case PROP_ALTSUBJECT_MATCHES:
g_value_take_boxed (value, _nm_utils_slist_to_strv (priv->altsubject_matches, TRUE));
break;
+ case PROP_DOMAIN_SUFFIX_MATCH:
+ g_value_set_string (value, priv->domain_suffix_match);
+ break;
case PROP_CLIENT_CERT:
g_value_set_boxed (value, priv->client_cert);
break;
@@ -3107,6 +3156,9 @@ get_property (GObject *object, guint prop_id,
case PROP_PHASE2_ALTSUBJECT_MATCHES:
g_value_take_boxed (value, _nm_utils_slist_to_strv (priv->phase2_altsubject_matches, TRUE));
break;
+ case PROP_PHASE2_DOMAIN_SUFFIX_MATCH:
+ g_value_set_string (value, priv->phase2_domain_suffix_match);
+ break;
case PROP_PHASE2_CLIENT_CERT:
g_value_set_boxed (value, priv->phase2_client_cert);
break;
@@ -3313,7 +3365,9 @@ nm_setting_802_1x_class_init (NMSetting8021xClass *setting_class)
*
* Substring to be matched against the subject of the certificate presented
* by the authentication server. When unset, no verification of the
- * authentication server certificate's subject is performed.
+ * authentication server certificate's subject is performed. This property
+ * provides little security, if any, and its use is deprecated in favor of
+ * NMSetting8021x:domain-suffix-match.
**/
/* ---ifcfg-rh---
* property: subject-match
@@ -3351,6 +3405,24 @@ nm_setting_802_1x_class_init (NMSetting8021xClass *setting_class)
G_PARAM_STATIC_STRINGS));
/**
+ * NMSetting8021x:domain-suffix-match:
+ *
+ * Constraint for server domain name. If set, this FQDN is used as a suffix
+ * match requirement for dNSName element(s) of the certificate presented by
+ * the authentication server. If a matching dNSName is found, this
+ * constraint is met. If no dNSName values are present, this constraint is
+ * matched against SubjectName CN using same suffix match comparison.
+ *
+ * Since: 1.2
+ **/
+ g_object_class_install_property
+ (object_class, PROP_DOMAIN_SUFFIX_MATCH,
+ g_param_spec_string (NM_SETTING_802_1X_DOMAIN_SUFFIX_MATCH, "", "",
+ NULL,
+ G_PARAM_READWRITE |
+ G_PARAM_STATIC_STRINGS));
+
+ /**
* NMSetting8021x:client-cert:
*
* Contains the client certificate if used by the EAP method specified in
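Review bot: The NMSetting8021x:domain-suffix-match documentation says the value is used as a "suffix match requirement" against dNSName entries but does not say whether the comparison is anchored at a DNS label boundary, which is exactly the property a reader needs in order to judge the protection it gives (whether `example.com` can match a name ending in `evilexample.com`). If the matching is delegated to the supplicant rather than performed in libnm, the paragraph should say so and refer the reader to the supplicant's definition of domain_suffix_match; if libnm performs it, state the exact rule. A one-sentence addition such as `The comparison is a suffix match on whole DNS labels; see the supplicant's domain_suffix_match documentation for the precise rule.` (adjusted to whatever is actually implemented) would close the gap. The same gap exists in the NMSetting8021x:phase2-domain-suffix-match paragraph in the last hunk; nm_setting_802_1x_class_init begins and ends outside this hunk.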
@@ -3550,7 +3622,9 @@ nm_setting_802_1x_class_init (NMSetting8021xClass *setting_class)
* Substring to be matched against the subject of the certificate presented
* by the authentication server during the inner "phase 2"
* authentication. When unset, no verification of the authentication server
- * certificate's subject is performed.
+ * certificate's subject is performed. This property provides little security,
+ * if any, and its use is deprecated in favor of
+ * NMSetting8021x:phase2-domain-suffix-match.
**/
/* ---ifcfg-rh---
* property: phase2-subject-match
@@ -3587,6 +3661,25 @@ nm_setting_802_1x_class_init (NMSetting8021xClass *setting_class)
G_PARAM_STATIC_STRINGS));
/**
+ * NMSetting8021x:phase2-domain-suffix-match:
+ *
+ * Constraint for server domain name. If set, this FQDN is used as a suffix
+ * match requirement for dNSName element(s) of the certificate presented by
+ * the authentication server during the inner "phase 2" authentication. If
+ * a matching dNSName is found, this constraint is met. If no dNSName
+ * values are present, this constraint is matched against SubjectName CN
+ * using same suffix match comparison.
+ *
+ * Since: 1.2
+ **/
+ g_object_class_install_property
+ (object_class, PROP_PHASE2_DOMAIN_SUFFIX_MATCH,
+ g_param_spec_string (NM_SETTING_802_1X_PHASE2_DOMAIN_SUFFIX_MATCH, "", "",
+ NULL,
+ G_PARAM_READWRITE |
+ G_PARAM_STATIC_STRINGS));
+
+ /**
* NMSetting8021x:phase2-client-cert:
*
* Contains the "phase 2" client certificate if used by the EAP method