authorThomas Haller <thaller@redhat.com>2017-02-17 15:19:42 +0100
committerThomas Haller <thaller@redhat.com>2017-02-20 14:06:14 +0100
commit2a11c57c4e68f05ae3d9bbb88b0a925bdfb85bde (patch)
tree3035e1aabcff4473db5f24eaaab338202075df88 /libnm-core
parent8ce60a302af87c4e8d085ae2ee2735a2e5579174 (diff)
libnm/wifi: rework NMSetting8021xAuthFlags to explicitly disable TLS version
The wpa_supplicant API supports enabling or disabling each TLS version individually, or leaving it at the default. Currently, the default means to enable a TLS version, thus the only meaningful option for the moment is to explicitly disable it. In the future, supplicant may disable options by default, and the inverse option can become interesting to configure "tls_disable_tlsv1_0=0". When that happens, we can solve it by adding another flag NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_0_ENABLE. Change the previous behavior of the NMSetting8021xAuthFlags. Previously, when not specifying TLS_DISABLE_DEFAULT, all options were unspecified. On the other hand, when specifying a single TLS disable flag, all versions were explicitly enabled or disabled. Instead, change the meaning of the disable flags. When present, a flag explicitly disables an option, but its absence does not explicitly enable it.
Diffstat (limited to 'libnm-core')
-rw-r--r--libnm-core/nm-setting-8021x.c18
-rw-r--r--libnm-core/nm-setting-8021x.h27
2 files changed, 19 insertions, 26 deletions
diff --git a/libnm-core/nm-setting-8021x.c b/libnm-core/nm-setting-8021x.c
index 186574a45f..59e8abcc1e 100644
--- a/libnm-core/nm-setting-8021x.c
+++ b/libnm-core/nm-setting-8021x.c
@@ -3262,12 +3262,11 @@ verify (NMSetting *setting, NMConnection *connection, GError **error)
return FALSE;
}
- if (NM_FLAGS_ANY (priv->phase1_auth_flags, NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_DEFAULT) &&
- !nm_utils_is_power_of_two (priv->phase1_auth_flags)) {
+ if (NM_FLAGS_ANY (priv->phase1_auth_flags, ~NM_SETTING_802_1X_AUTH_FLAGS_ALL)) {
g_set_error_literal (error,
NM_CONNECTION_ERROR,
NM_CONNECTION_ERROR_INVALID_PROPERTY,
- _("exclusive flags are used"));
+ _("invalid auth flags"));
g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_PHASE1_AUTH_FLAGS);
return FALSE;
}
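Review bot: The new mask check in verify() accepts a value with all three TLS disable bits set, because that value equals NM_SETTING_802_1X_AUTH_FLAGS_ALL. If the supplicant in use offers no TLS version beyond 1.2 (not visible from this page), such a profile passes validation here and can only fail later during EAP negotiation, where the cause is harder to diagnose. Either reject that combination here or state the intent above the check, for example `/* all TLS_*_DISABLE bits together are accepted; the supplicant decides whether any version remains */`. Rejecting bits outside the known mask is a good fail-closed choice, since an unknown disable flag is never silently dropped. verify() starts and ends outside this hunk.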
@@ -4144,20 +4143,17 @@ nm_setting_802_1x_class_init (NMSetting8021xClass *setting_class)
*
* Specifies authentication flags to use in "phase 1" outer
* authentication using #NMSetting8021xAuthFlags options.
- * May be any combination of %NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_1_0,
- * %NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_1_1,
- * %NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_1_2 or the special values
- * %NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_DEFAULT (to use default settings)
- * and %NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_NONE (to forcefully
- * enable use of all TLS versions). See the wpa_supplicant documentation for
- * more details.
+ * The invidual TLS versions can be explicitly disabled. If a certain
+ * TLS disable flag is not set, it is up to the supplicant to allow
+ * or forbid it. The TLS options map to tls_disable_tlsv1_x settings.
+ * See the wpa_supplicant documentation for more details.
*
* Since: 1.8
*/
g_object_class_install_property
(object_class, PROP_PHASE1_AUTH_FLAGS,
g_param_spec_uint (NM_SETTING_802_1X_PHASE1_AUTH_FLAGS, "", "",
- 0, G_MAXUINT32, NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_DEFAULT,
+ 0, G_MAXUINT32, NM_SETTING_802_1X_AUTH_FLAGS_NONE,
G_PARAM_CONSTRUCT |
G_PARAM_READWRITE |
G_PARAM_STATIC_STRINGS));
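Review bot: The rewritten property comment does not say what the new default of NM_SETTING_802_1X_AUTH_FLAGS_NONE means for a profile that never sets the property: no TLS version is disabled by NetworkManager, and the minimum version is whatever the supplicant allows. That is worth stating, because an administrator who wants to rule out TLSv1.0 has to set the flag explicitly; a sentence such as `If no flag is set (the default), no tls_disable_tlsv1_x option is configured and the supplicant's defaults apply.` would cover it. The same comment also has a typo, `invidual` for `individual`. nm_setting_802_1x_class_init() starts and ends outside this hunk.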
diff --git a/libnm-core/nm-setting-8021x.h b/libnm-core/nm-setting-8021x.h
index e71ec93bb7..15ba07b3ac 100644
--- a/libnm-core/nm-setting-8021x.h
+++ b/libnm-core/nm-setting-8021x.h
@@ -77,28 +77,25 @@ typedef enum { /*< underscore_name=nm_setting_802_1x_ck_scheme >*/
/**
* NMSetting8021xAuthFlags
- * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_NONE: Enable all TLS versions
- * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_1_0: Disable TLSv1.0
- * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_1_1: Disable TLSv1.1
- * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_1_2: Disable TLSv1.2
- * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_ALL: Disable all TLS versions
- * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_DEFAULT: Use default value
+ * @NM_SETTING_802_1X_AUTH_FLAGS_NONE: No flags
+ * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_0_DISABLE: Disable TLSv1.0
+ * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_1_DISABLE: Disable TLSv1.1
+ * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_2_DISABLE: Disable TLSv1.2
+ * @NM_SETTING_802_1X_AUTH_FLAGS_ALL: All supported flags
*
* #NMSetting8021xAuthFlags values indicate which authentication settings
- * should be used
+ * should be used.
*
* Since: 1.8
*/
typedef enum { /*< underscore_name=nm_setting_802_1x_auth_flags >*/
- NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_NONE = 0,
- NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_1_0 = (1 << 1),
- NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_1_1 = (1 << 2),
- NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_1_2 = (1 << 3),
+ NM_SETTING_802_1X_AUTH_FLAGS_NONE = 0,
+ NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_0_DISABLE = (1 << 0),
+ NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_1_DISABLE = (1 << 1),
+ NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_2_DISABLE = (1 << 2),
- _NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_LAST, /*< skip >*/
- NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_ALL = (((_NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_LAST - 1) << 1) - 1) - (1 << 0 /* DEFAULT */), /*< skip >*/
-
- NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_DEFAULT = (1 << 0),
+ _NM_SETTING_802_1X_AUTH_FLAGS_LAST, /*< skip >*/
+ NM_SETTING_802_1X_AUTH_FLAGS_ALL = (((_NM_SETTING_802_1X_AUTH_FLAGS_LAST - 1) << 1) - 1),
} NMSetting8021xAuthFlags;
#define NM_TYPE_SETTING_802_1X (nm_setting_802_1x_get_type ())
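Review bot: The flag values in NMSetting8021xAuthFlags are renumbered, not only renamed: bit 0 moves from TLS_DISABLE_DEFAULT to TLS_1_0_DISABLE, and the 1.0, 1.1 and 1.2 disable bits each shift down by one position. A profile or client that stored the numeric value under the previous layout would now be read differently. For example, 2 used to disable TLSv1.0 and now disables TLSv1.1, leaving TLSv1.0 negotiable, while 8 is now rejected by verify(). The `Since: 1.8` tag suggests the property may not have shipped yet; if it has, keep the old bit positions or migrate stored values. A comment on the enum such as `/* numeric values are persisted in profiles; never renumber existing bits */` would guard later edits.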