author | Beniamino Galvani <bgalvani@redhat.com> | 2016-03-03 22:42:35 +0100 |
---|---|---|
committer | Beniamino Galvani <bgalvani@redhat.com> | 2016-03-16 17:32:17 +0100 |
commit | 64b76ba90656fd082aea4cf59263ea99943dcfeb (patch) | |
tree | 44c3c5bccb2718f3cbf6b54a34f6cc2ac62842bf | |
parent | c1383371ccb129b4683dafb185c0734cc4cf4c35 (diff) | |
download | NetworkManager-64b76ba90656fd082aea4cf59263ea99943dcfeb.tar.gz |
libnm-core: add domain-suffix-match properties to NMSetting8021x
The new domain-suffix-match and phase2-domain-suffix-match properties
can be used to match against a given server domain suffix in the
dNSName elements or in the SubjectName CN of the server certificate.
Also, add a comment to the old subject-match properties documentation
to suggest that they are deprecated and should not be used anymore.
-rw-r--r-- | libnm-core/nm-setting-8021x.c | 97 | ||||
-rw-r--r-- | libnm-core/nm-setting-8021x.h | 6 | ||||
-rw-r--r-- | libnm/libnm.ver | 2 |
3 files changed, 103 insertions, 2 deletions
diff --git a/libnm-core/nm-setting-8021x.c b/libnm-core/nm-setting-8021x.c
index cc8ea66ed7..db11be063e 100644
--- a/libnm-core/nm-setting-8021x.c
+++ b/libnm-core/nm-setting-8021x.c
@@ -80,6 +80,7 @@ typedef struct {
 char *ca_path;
 char *subject_match;
 GSList *altsubject_matches;
+ char *domain_suffix_match;
 GBytes *client_cert;
 char *phase1_peapver;
 char *phase1_peaplabel;
@@ -90,6 +91,7 @@ typedef struct {
 char *phase2_ca_path;
 char *phase2_subject_match;
 GSList *phase2_altsubject_matches;
+ char *phase2_domain_suffix_match;
 GBytes *phase2_client_cert;
 char *password;
 NMSettingSecretFlags password_flags;
@@ -116,6 +118,7 @@ enum {
 PROP_CA_PATH,
 PROP_SUBJECT_MATCH,
 PROP_ALTSUBJECT_MATCHES,
+ PROP_DOMAIN_SUFFIX_MATCH,
 PROP_CLIENT_CERT,
 PROP_PHASE1_PEAPVER,
 PROP_PHASE1_PEAPLABEL,
@@ -126,6 +129,7 @@ enum {
 PROP_PHASE2_CA_PATH,
 PROP_PHASE2_SUBJECT_MATCH,
 PROP_PHASE2_ALTSUBJECT_MATCHES,
+ PROP_PHASE2_DOMAIN_SUFFIX_MATCH,
 PROP_PHASE2_CLIENT_CERT,
 PROP_PASSWORD,
 PROP_PASSWORD_FLAGS,
@@ -850,6 +854,22 @@ nm_setting_802_1x_clear_altsubject_matches (NMSetting8021x *setting)
 }
 
 /**
+ * nm_setting_802_1x_get_domain_suffix_match:
+ * @setting: the #NMSetting8021x
+ *
+ * Returns: the #NMSetting8021x:domain-suffix-match property.
+ *
+ * Since: 1.2
+ **/
+const char *
+nm_setting_802_1x_get_domain_suffix_match (NMSetting8021x *setting)
+{
+ g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
+
+ return NM_SETTING_802_1X_GET_PRIVATE (setting)->domain_suffix_match;
+}
+
+/**
  * nm_setting_802_1x_get_client_cert_scheme:
  * @setting: the #NMSetting8021x
  *
@@ -1299,6 +1319,22 @@ nm_setting_802_1x_get_num_phase2_altsubject_matches (NMSetting8021x *setting)
 }
 
 /**
+ * nm_setting_802_1x_get_phase2_domain_suffix_match:
+ * @setting: the #NMSetting8021x
+ *
+ * Returns: the #NMSetting8021x:phase2-domain-suffix-match property.
+ *
+ * Since: 1.2
+ **/
+const char *
+nm_setting_802_1x_get_phase2_domain_suffix_match (NMSetting8021x *setting)
+{
+ g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
+
+ return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_domain_suffix_match;
+}
+
+/**
  * nm_setting_802_1x_get_phase2_altsubject_match:
  * @setting: the #NMSettingConnection
  * @i: the zero-based index of the array of "phase 2" altSubjectName matches
@@ -2827,6 +2863,7 @@ finalize (GObject *object)
 g_free (priv->anonymous_identity);
 g_free (priv->ca_path);
 g_free (priv->subject_match);
+ g_free (priv->domain_suffix_match);
 g_free (priv->phase1_peapver);
 g_free (priv->phase1_peaplabel);
 g_free (priv->phase1_fast_provisioning);
@@ -2834,6 +2871,7 @@ finalize (GObject *object)
 g_free (priv->phase2_autheap);
 g_free (priv->phase2_ca_path);
 g_free (priv->phase2_subject_match);
+ g_free (priv->phase2_domain_suffix_match);
 g_free (priv->password);
 if (priv->password_raw)
 g_bytes_unref (priv->password_raw);
@@ -2923,6 +2961,10 @@ set_property (GObject *object, guint prop_id,
 g_slist_free_full (priv->altsubject_matches, g_free);
 priv->altsubject_matches = _nm_utils_strv_to_slist (g_value_get_boxed (value), TRUE);
 break;
+ case PROP_DOMAIN_SUFFIX_MATCH:
+ g_free (priv->domain_suffix_match);
+ priv->domain_suffix_match = g_value_dup_string (value);
+ break;
 case PROP_CLIENT_CERT:
 if (priv->client_cert)
 g_bytes_unref (priv->client_cert);
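Review bot: The new `case PROP_DOMAIN_SUFFIX_MATCH:` in set_property stores whatever string arrives, including the empty string, and nothing in this diff touches verify(), so a blank value is accepted and later passed on as if it were a real constraint, while an unset property means "no constraint". A caller that writes `""` by mistake most likely believes a server-name check is in place when none will be enforced; consider having verify() reject an empty `priv->domain_suffix_match` (and `priv->phase2_domain_suffix_match`, same pattern in the next hunk) with the usual NM_CONNECTION_ERROR_INVALID_PROPERTY report. verify() is outside this diff, so I cannot tell whether it already covers this; set_property itself continues outside the hunk.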
@@ -2973,6 +3015,10 @@ set_property (GObject *object, guint prop_id,
 g_slist_free_full (priv->phase2_altsubject_matches, g_free);
 priv->phase2_altsubject_matches = _nm_utils_strv_to_slist (g_value_get_boxed (value), TRUE);
 break;
+ case PROP_PHASE2_DOMAIN_SUFFIX_MATCH:
+ g_free (priv->phase2_domain_suffix_match);
+ priv->phase2_domain_suffix_match = g_value_dup_string (value);
+ break;
 case PROP_PHASE2_CLIENT_CERT:
 if (priv->phase2_client_cert)
 g_bytes_unref (priv->phase2_client_cert);
@@ -3077,6 +3123,9 @@ get_property (GObject *object, guint prop_id,
 case PROP_ALTSUBJECT_MATCHES:
 g_value_take_boxed (value, _nm_utils_slist_to_strv (priv->altsubject_matches, TRUE));
 break;
+ case PROP_DOMAIN_SUFFIX_MATCH:
+ g_value_set_string (value, priv->domain_suffix_match);
+ break;
 case PROP_CLIENT_CERT:
 g_value_set_boxed (value, priv->client_cert);
 break;
@@ -3107,6 +3156,9 @@ get_property (GObject *object, guint prop_id,
 case PROP_PHASE2_ALTSUBJECT_MATCHES:
 g_value_take_boxed (value, _nm_utils_slist_to_strv (priv->phase2_altsubject_matches, TRUE));
 break;
+ case PROP_PHASE2_DOMAIN_SUFFIX_MATCH:
+ g_value_set_string (value, priv->phase2_domain_suffix_match);
+ break;
 case PROP_PHASE2_CLIENT_CERT:
 g_value_set_boxed (value, priv->phase2_client_cert);
 break;
@@ -3313,7 +3365,9 @@ nm_setting_802_1x_class_init (NMSetting8021xClass *setting_class)
  *
  * Substring to be matched against the subject of the certificate presented
  * by the authentication server. When unset, no verification of the
- * authentication server certificate's subject is performed.
+ * authentication server certificate's subject is performed. This property
+ * provides little security, if any, and its use is deprecated in favor of
+ * NMSetting8021x:domain-suffix-match.
  **/
  /* ---ifcfg-rh---
  * property: subject-match
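Review bot: The deprecation text added to the subject-match documentation says the property "provides little security, if any" but not why, which is exactly what an administrator choosing between the two properties needs in order to migrate. One sentence would make the recommendation self-explanatory, e.g. `* Because this is an unanchored substring match against the whole subject DN, any certificate issued by the trusted CA whose subject happens to contain the string satisfies it; use NMSetting8021x:domain-suffix-match, which constrains the server's DNS name instead.` The same wording gap exists in the phase2-subject-match text in the next hunk. nm_setting_802_1x_class_init continues outside the hunk.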
@@ -3351,6 +3405,24 @@ nm_setting_802_1x_class_init (NMSetting8021xClass *setting_class)
 G_PARAM_STATIC_STRINGS));
 
 /**
+ * NMSetting8021x:domain-suffix-match:
+ *
+ * Constraint for server domain name. If set, this FQDN is used as a suffix
+ match requirement for dNSName element(s) of the certificate presented by
+ the authentication server. If a matching dNSName is found, this
+ constraint is met. If no dNSName values are present, this constraint is
+ matched against SubjectName CN using same suffix match comparison.
+ *
+ * Since: 1.2
+ **/
+ g_object_class_install_property
+ (object_class, PROP_DOMAIN_SUFFIX_MATCH,
+ g_param_spec_string (NM_SETTING_802_1X_DOMAIN_SUFFIX_MATCH, "", "",
+ NULL,
+ G_PARAM_READWRITE |
+ G_PARAM_STATIC_STRINGS));
+
+ /**
  * NMSetting8021x:client-cert:
  *
  * Contains the client certificate if used by the EAP method specified in
@@ -3550,7 +3622,9 @@ nm_setting_802_1x_class_init (NMSetting8021xClass *setting_class)
  * Substring to be matched against the subject of the certificate presented
  * by the authentication server during the inner "phase 2"
  * authentication. When unset, no verification of the authentication server
- * certificate's subject is performed.
+ * certificate's subject is performed. This property provides little security,
+ * if any, and its use is deprecated in favor of
+ * NMSetting8021x:phase2-domain-suffix-match.
  **/
  /* ---ifcfg-rh---
  * property: phase2-subject-match
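Review bot: The domain-suffix-match documentation reproduces the opening of wpa_supplicant's description of its `domain_suffix_match` option but drops the sentence that defines what "suffix match" means there: the comparison is made one DNS label at a time starting from the top-level domain, so the configured value must cover whole labels (for example `example.com` matches `srv.example.com` but not `notexample.com`). Without it a reader may assume a plain string suffix and choose a value that is either weaker than intended or never matches; I would add that sentence here and to the phase2-domain-suffix-match block in the next hunk, phrased as the supplicant's behaviour since libnm-core only stores the value and the matching is done elsewhere. It would also help to say that the constraint only has effect when the server certificate is actually validated (i.e. together with a configured CA certificate), if that is how it is enforced downstream. nm_setting_802_1x_class_init continues outside the hunk.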
@@ -3587,6 +3661,25 @@ nm_setting_802_1x_class_init (NMSetting8021xClass *setting_class)
 G_PARAM_STATIC_STRINGS));
 
 /**
+ * NMSetting8021x:phase2-domain-suffix-match:
+ *
+ * Constraint for server domain name. If set, this FQDN is used as a suffix
+ match requirement for dNSName element(s) of the certificate presented by
+ the authentication server during the inner "phase 2" authentication. If
+ a matching dNSName is found, this constraint is met. If no dNSName
+ values are present, this constraint is matched against SubjectName CN
+ using same suffix match comparison.
+ *
+ * Since: 1.2
+ **/
+ g_object_class_install_property
+ (object_class, PROP_PHASE2_DOMAIN_SUFFIX_MATCH,
+ g_param_spec_string (NM_SETTING_802_1X_PHASE2_DOMAIN_SUFFIX_MATCH, "", "",
+ NULL,
+ G_PARAM_READWRITE |
+ G_PARAM_STATIC_STRINGS));
+
+ /**
  * NMSetting8021x:phase2-client-cert:
  *
  * Contains the "phase 2" client certificate if used by the EAP method
diff --git a/libnm-core/nm-setting-8021x.h b/libnm-core/nm-setting-8021x.h
index da86071a63..d8867b9261 100644
--- a/libnm-core/nm-setting-8021x.h
+++ b/libnm-core/nm-setting-8021x.h
@@ -89,6 +89,7 @@ typedef enum { /*< underscore_name=nm_setting_802_1x_ck_scheme >*/
 #define NM_SETTING_802_1X_CA_PATH "ca-path"
 #define NM_SETTING_802_1X_SUBJECT_MATCH "subject-match"
 #define NM_SETTING_802_1X_ALTSUBJECT_MATCHES "altsubject-matches"
+#define NM_SETTING_802_1X_DOMAIN_SUFFIX_MATCH "domain-suffix-match"
 #define NM_SETTING_802_1X_CLIENT_CERT "client-cert"
 #define NM_SETTING_802_1X_PHASE1_PEAPVER "phase1-peapver"
 #define NM_SETTING_802_1X_PHASE1_PEAPLABEL "phase1-peaplabel"
@@ -99,6 +100,7 @@ typedef enum { /*< underscore_name=nm_setting_802_1x_ck_scheme >*/
 #define NM_SETTING_802_1X_PHASE2_CA_PATH "phase2-ca-path"
 #define NM_SETTING_802_1X_PHASE2_SUBJECT_MATCH "phase2-subject-match"
 #define NM_SETTING_802_1X_PHASE2_ALTSUBJECT_MATCHES "phase2-altsubject-matches"
+#define NM_SETTING_802_1X_PHASE2_DOMAIN_SUFFIX_MATCH "phase2-domain-suffix-match"
 #define NM_SETTING_802_1X_PHASE2_CLIENT_CERT "phase2-client-cert"
 #define NM_SETTING_802_1X_PASSWORD "password"
 #define NM_SETTING_802_1X_PASSWORD_FLAGS "password-flags"
@@ -190,6 +192,8 @@ void nm_setting_802_1x_remove_altsubject_match (NMSetting8
 gboolean nm_setting_802_1x_remove_altsubject_match_by_value (NMSetting8021x *setting, const char *altsubject_match);
 void nm_setting_802_1x_clear_altsubject_matches (NMSetting8021x *setting);
+NM_AVAILABLE_IN_1_2
+const char * nm_setting_802_1x_get_domain_suffix_match (NMSetting8021x *setting);
 NMSetting8021xCKScheme nm_setting_802_1x_get_client_cert_scheme (NMSetting8021x *setting);
 GBytes * nm_setting_802_1x_get_client_cert_blob (NMSetting8021x *setting);
@@ -231,6 +235,8 @@ void nm_setting_802_1x_remove_phase2_altsubject_match (NMS
 gboolean nm_setting_802_1x_remove_phase2_altsubject_match_by_value (NMSetting8021x *setting, const char *phase2_altsubject_match);
 void nm_setting_802_1x_clear_phase2_altsubject_matches (NMSetting8021x *setting);
+NM_AVAILABLE_IN_1_2
+const char * nm_setting_802_1x_get_phase2_domain_suffix_match (NMSetting8021x *setting);
 NMSetting8021xCKScheme nm_setting_802_1x_get_phase2_client_cert_scheme (NMSetting8021x *setting);
 GBytes * nm_setting_802_1x_get_phase2_client_cert_blob (NMSetting8021x *setting);
diff --git a/libnm/libnm.ver b/libnm/libnm.ver
index e3ede1d213..7ece1b2fef 100644
--- a/libnm/libnm.ver
+++ b/libnm/libnm.ver
@@ -942,6 +942,8 @@ global:
 nm_lldp_neighbor_unref;
 nm_metered_get_type;
 nm_setting_802_1x_check_cert_scheme;
+ nm_setting_802_1x_get_domain_suffix_match;
+ nm_setting_802_1x_get_phase2_domain_suffix_match;
 nm_setting_bridge_get_multicast_snooping;
 nm_setting_connection_autoconnect_slaves_get_type;
 nm_setting_connection_get_autoconnect_slaves; |