libnm-core/8021x: add phase1-auth-flags configuration items

2 files changed, 85 insertions, 0 deletions

diff --git a/libnm-core/nm-setting-8021x.c b/libnm-core/nm-setting-8021x.c
index 5ad89a65c1..186574a45f 100644
--- a/libnm-core/nm-setting-8021x.c
+++ b/libnm-core/nm-setting-8021x.c
@@ -89,6 +89,7 @@ typedef struct {
 	char *phase1_peapver;
 	char *phase1_peaplabel;
 	char *phase1_fast_provisioning;
+	NMSetting8021xAuthFlags phase1_auth_flags;
 	char *phase2_auth;
 	char *phase2_autheap;
 	GBytes *phase2_ca_cert;
@@ -135,6 +136,7 @@ enum {
 	PROP_PHASE1_PEAPVER,
 	PROP_PHASE1_PEAPLABEL,
 	PROP_PHASE1_FAST_PROVISIONING,
+	PROP_PHASE1_AUTH_FLAGS,
 	PROP_PHASE2_AUTH,
 	PROP_PHASE2_AUTHEAP,
 	PROP_PHASE2_CA_CERT,
@@ -1259,6 +1261,22 @@ nm_setting_802_1x_get_phase1_fast_provisioning (NMSetting8021x *setting)
 }
 
 /**
+ * nm_setting_802_1x_get_phase1_auth_flags:
+ * @setting: the #NMSetting8021x
+ *
+ * Returns: the authentication flags for "phase 1".
+ *
+ * Since: 1.8
+ */
+NMSetting8021xAuthFlags
+nm_setting_802_1x_get_phase1_auth_flags (NMSetting8021x *setting)
+{
+	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), 0);
+
+	return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase1_auth_flags;
+}
+
+/**
  * nm_setting_802_1x_get_phase2_auth:
  * @setting: the #NMSetting8021x
  *
@@ -3244,6 +3262,16 @@ verify (NMSetting *setting, NMConnection *connection, GError **error)
 		return FALSE;
 	}
 
+	if (NM_FLAGS_ANY (priv->phase1_auth_flags, NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_DEFAULT) &&
+	    !nm_utils_is_power_of_two (priv->phase1_auth_flags)) {
+		g_set_error_literal (error,
+		                     NM_CONNECTION_ERROR,
+		                     NM_CONNECTION_ERROR_INVALID_PROPERTY,
+		                     _("exclusive flags are used"));
+		g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_PHASE1_AUTH_FLAGS);
+		return FALSE;
+	}
+
 	if (priv->phase2_auth && !g_strv_contains (valid_phase2_auth, priv->phase2_auth)) {
 		g_set_error (error,
 		             NM_CONNECTION_ERROR,
@@ -3446,6 +3474,9 @@ set_property (GObject *object, guint prop_id,
 		g_free (priv->phase1_fast_provisioning);
 		priv->phase1_fast_provisioning = g_value_dup_string (value);
 		break;
+	case PROP_PHASE1_AUTH_FLAGS:
+		priv->phase1_auth_flags = g_value_get_uint (value);
+		break;
 	case PROP_PHASE2_AUTH:
 		g_free (priv->phase2_auth);
 		priv->phase2_auth = g_value_dup_string (value);
@@ -3625,6 +3656,9 @@ get_property (GObject *object, guint prop_id,
 	case PROP_PHASE1_FAST_PROVISIONING:
 		g_value_set_string (value, priv->phase1_fast_provisioning);
 		break;
+	case PROP_PHASE1_AUTH_FLAGS:
+		g_value_set_uint (value, priv->phase1_auth_flags);
+		break;
 	case PROP_PHASE2_AUTH:
 		g_value_set_string (value, priv->phase2_auth);
 		break;
@@ -4106,6 +4140,29 @@ nm_setting_802_1x_class_init (NMSetting8021xClass *setting_class)
 		                      G_PARAM_STATIC_STRINGS));
 
 	/**
+	 * NMSetting8021x:phase1-auth-flags:
+	 *
+	 * Specifies authentication flags to use in "phase 1" outer
+	 * authentication using #NMSetting8021xAuthFlags options.
+	 * May be any combination of %NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_1_0,
+	 * %NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_1_1,
+	 * %NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_1_2 or the special values
+	 * %NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_DEFAULT (to use default settings)
+	 * and %NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_NONE (to forcefully
+	 * enable use of all TLS versions). See the wpa_supplicant documentation for
+	 * more details.
+	 *
+	 * Since: 1.8
+	 */
+	g_object_class_install_property
+		(object_class, PROP_PHASE1_AUTH_FLAGS,
+		 g_param_spec_uint (NM_SETTING_802_1X_PHASE1_AUTH_FLAGS, "", "",
+		                    0, G_MAXUINT32, NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_DEFAULT,
+		                    G_PARAM_CONSTRUCT |
+		                    G_PARAM_READWRITE |
+		                    G_PARAM_STATIC_STRINGS));
+
+	/**
 	 * NMSetting8021x:phase2-auth:
 	 *
 	 * Specifies the allowed "phase 2" inner non-EAP authentication methods when
diff --git a/libnm-core/nm-setting-8021x.h b/libnm-core/nm-setting-8021x.h
index 170843e096..e71ec93bb7 100644
--- a/libnm-core/nm-setting-8021x.h
+++ b/libnm-core/nm-setting-8021x.h
@@ -75,6 +75,31 @@ typedef enum { /*< underscore_name=nm_setting_802_1x_ck_scheme >*/
 	NM_SETTING_802_1X_CK_SCHEME_PKCS11,
 } NMSetting8021xCKScheme;
 
+/**
+ * NMSetting8021xAuthFlags
+ * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_NONE: Enable all TLS versions
+ * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_1_0: Disable TLSv1.0
+ * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_1_1: Disable TLSv1.1
+ * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_1_2: Disable TLSv1.2
+ * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_ALL: Disable all TLS versions
+ * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_DEFAULT: Use default value
+ *
+ * #NMSetting8021xAuthFlags values indicate which authentication settings
+ * should be used
+ *
+ * Since: 1.8
+ */
+typedef enum { /*< underscore_name=nm_setting_802_1x_auth_flags >*/
+	NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_NONE    = 0,
+	NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_1_0     = (1 << 1),
+	NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_1_1     = (1 << 2),
+	NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_1_2     = (1 << 3),
+
+	_NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_LAST, /*< skip >*/
+	NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_ALL     = (((_NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_LAST - 1) << 1) - 1) - (1 << 0 /* DEFAULT */), /*< skip >*/
+
+	NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_DEFAULT = (1 << 0),
+} NMSetting8021xAuthFlags;
 
 #define NM_TYPE_SETTING_802_1X            (nm_setting_802_1x_get_type ())
 #define NM_SETTING_802_1X(obj)            (G_TYPE_CHECK_INSTANCE_CAST ((obj), NM_TYPE_SETTING_802_1X, NMSetting8021x))
@@ -102,6 +127,7 @@ typedef enum { /*< underscore_name=nm_setting_802_1x_ck_scheme >*/
 #define NM_SETTING_802_1X_PHASE1_PEAPVER "phase1-peapver"
 #define NM_SETTING_802_1X_PHASE1_PEAPLABEL "phase1-peaplabel"
 #define NM_SETTING_802_1X_PHASE1_FAST_PROVISIONING "phase1-fast-provisioning"
+#define NM_SETTING_802_1X_PHASE1_AUTH_FLAGS "phase1-auth-flags"
 #define NM_SETTING_802_1X_PHASE2_AUTH "phase2-auth"
 #define NM_SETTING_802_1X_PHASE2_AUTHEAP "phase2-autheap"
 #define NM_SETTING_802_1X_PHASE2_CA_CERT "phase2-ca-cert"
@@ -331,6 +357,8 @@ NMSettingSecretFlags   nm_setting_802_1x_get_phase2_private_key_password_flags (
 
 NMSetting8021xCKFormat nm_setting_802_1x_get_phase2_private_key_format   (NMSetting8021x *setting);
 
+NM_AVAILABLE_IN_1_8
+NMSetting8021xAuthFlags nm_setting_802_1x_get_phase1_auth_flags        (NMSetting8021x *setting);
 
 G_END_DECLS