diff --git a/libnm-core/nm-setting-8021x.c b/libnm-core/nm-setting-8021x.c
index 186574a45f..59e8abcc1e 100644
--- a/libnm-core/nm-setting-8021x.c
+++ b/libnm-core/nm-setting-8021x.c
@@ -3262,12 +3262,11 @@ verify (NMSetting *setting, NMConnection *connection, GError **error)
 return FALSE;
 }
- if (NM_FLAGS_ANY (priv->phase1_auth_flags, NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_DEFAULT) &&
- !nm_utils_is_power_of_two (priv->phase1_auth_flags)) {
+ if (NM_FLAGS_ANY (priv->phase1_auth_flags, ~NM_SETTING_802_1X_AUTH_FLAGS_ALL)) {
 g_set_error_literal (error,
 NM_CONNECTION_ERROR,
 NM_CONNECTION_ERROR_INVALID_PROPERTY,
- _("exclusive flags are used"));
+ _("invalid auth flags"));
 g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_PHASE1_AUTH_FLAGS);
 return FALSE;
 }
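Review bot: The new mask test in `verify()` rejects every bit outside `NM_SETTING_802_1X_AUTH_FLAGS_ALL` but has no comment saying this is deliberate, and the message `invalid auth flags` does not tell the user which value was refused. For flags that switch TLS versions off, failing the profile is safer than silently ignoring a bit this version does not know, so it is worth stating: `/* reject unknown bits instead of ignoring them: a TLS-disable flag must never be dropped silently */`. The body of `verify()` starts and ends outside this hunk.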
@@ -4144,20 +4143,17 @@ nm_setting_802_1x_class_init (NMSetting8021xClass *setting_class)
 *
 * Specifies authentication flags to use in "phase 1" outer
 * authentication using #NMSetting8021xAuthFlags options.
- * May be any combination of %NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_1_0,
- * %NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_1_1,
- * %NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_1_2 or the special values
- * %NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_DEFAULT (to use default settings)
- * and %NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_NONE (to forcefully
- * enable use of all TLS versions). See the wpa_supplicant documentation for
- * more details.
+ * The invidual TLS versions can be explicitly disabled. If a certain
+ * TLS disable flag is not set, it is up to the supplicant to allow
+ * or forbid it. The TLS options map to tls_disable_tlsv1_x settings.
+ * See the wpa_supplicant documentation for more details.
 *
 * Since: 1.8
 */
 g_object_class_install_property
 (object_class, PROP_PHASE1_AUTH_FLAGS,
 g_param_spec_uint (NM_SETTING_802_1X_PHASE1_AUTH_FLAGS, "", "",
- 0, G_MAXUINT32, NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_DEFAULT,
+ 0, G_MAXUINT32, NM_SETTING_802_1X_AUTH_FLAGS_NONE,
 G_PARAM_CONSTRUCT |
 G_PARAM_READWRITE |
 G_PARAM_STATIC_STRINGS));
diff --git a/libnm-core/nm-setting-8021x.h b/libnm-core/nm-setting-8021x.h
index e71ec93bb7..15ba07b3ac 100644
--- a/libnm-core/nm-setting-8021x.h
+++ b/libnm-core/nm-setting-8021x.h
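Review bot: The rewritten property description misspells `invidual` (it should read `individual`) and no longer names any of the flag constants, so a reader of the generated documentation cannot tell which values are accepted. I would add a line such as `* Valid flags are %NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_0_DISABLE, %NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_1_DISABLE and %NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_2_DISABLE.` It would also help to say that the new default `NM_SETTING_802_1X_AUTH_FLAGS_NONE` leaves the choice of TLS versions entirely to the supplicant. `nm_setting_802_1x_class_init` continues outside the hunk.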
@@ -77,28 +77,25 @@ typedef enum { /*< underscore_name=nm_setting_802_1x_ck_scheme >*/
 /**
 * NMSetting8021xAuthFlags
- * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_NONE: Enable all TLS versions
- * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_1_0: Disable TLSv1.0
- * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_1_1: Disable TLSv1.1
- * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_1_2: Disable TLSv1.2
- * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_ALL: Disable all TLS versions
- * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_DEFAULT: Use default value
+ * @NM_SETTING_802_1X_AUTH_FLAGS_NONE: No flags
+ * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_0_DISABLE: Disable TLSv1.0
+ * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_1_DISABLE: Disable TLSv1.1
+ * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_2_DISABLE: Disable TLSv1.2
+ * @NM_SETTING_802_1X_AUTH_FLAGS_ALL: All supported flags
 *
 * #NMSetting8021xAuthFlags values indicate which authentication settings
- * should be used
+ * should be used.
 *
 * Since: 1.8
 */
 typedef enum { /*< underscore_name=nm_setting_802_1x_auth_flags >*/
- NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_NONE = 0,
- NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_1_0 = (1 << 1),
- NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_1_1 = (1 << 2),
- NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_1_2 = (1 << 3),
+ NM_SETTING_802_1X_AUTH_FLAGS_NONE = 0,
+ NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_0_DISABLE = (1 << 0),
+ NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_1_DISABLE = (1 << 1),
+ NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_2_DISABLE = (1 << 2),
- _NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_LAST, /*< skip >*/
- NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_ALL = (((_NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_LAST - 1) << 1) - 1) - (1 << 0 /* DEFAULT */), /*< skip >*/
-
- NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_DEFAULT = (1 << 0),
+ _NM_SETTING_802_1X_AUTH_FLAGS_LAST, /*< skip >*/
+ NM_SETTING_802_1X_AUTH_FLAGS_ALL = (((_NM_SETTING_802_1X_AUTH_FLAGS_LAST - 1) << 1) - 1),
 } NMSetting8021xAuthFlags;
 #define NM_TYPE_SETTING_802_1X
(nm_setting_802_1x_get_type ())
diff --git a/src/supplicant/nm-supplicant-config.c b/src/supplicant/nm-supplicant-config.c
index e67912cb5f..f9a846204b 100644
--- a/src/supplicant/nm-supplicant-config.c
+++ b/src/supplicant/nm-supplicant-config.c
@@ -984,19 +984,12 @@ nm_supplicant_config_add_setting_8021x (NMSupplicantConfig *self,
 }
 phase1_auth_flags = nm_setting_802_1x_get_phase1_auth_flags (setting);
- if (phase1_auth_flags != NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_DEFAULT) {
- if (phase1->len)
- g_string_append_c (phase1, ' ');
- g_string_append_printf (phase1, "tls_disable_tlsv1_0=%d",
- (NM_FLAGS_HAS (phase1_auth_flags,
- NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_1_0)) ? 1 : 0);
- g_string_append_printf (phase1, " tls_disable_tlsv1_1=%d",
- (NM_FLAGS_HAS (phase1_auth_flags,
- NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_1_1)) ? 1 : 0);
- g_string_append_printf (phase1, " tls_disable_tlsv1_2=%d",
- (NM_FLAGS_HAS (phase1_auth_flags,
- NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_1_2)) ? 1 : 0);
- }
+ if (NM_FLAGS_HAS (phase1_auth_flags, NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_0_DISABLE))
+ g_string_append_printf (phase1, "%stls_disable_tlsv1_0=1", (phase1->len ? " " : ""));
+ if (NM_FLAGS_HAS (phase1_auth_flags, NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_1_DISABLE))
+ g_string_append_printf (phase1, "%stls_disable_tlsv1_1=1", (phase1->len ? " " : ""));
+ if (NM_FLAGS_HAS (phase1_auth_flags, NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_2_DISABLE))
+ g_string_append_printf (phase1, "%stls_disable_tlsv1_2=1", (phase1->len ? " " : ""));
 if (phase1->len) {
 if (!add_string_val (self, phase1->str, "phase1", FALSE, NULL, error)) {
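Review bot: Renumbering the flag bits in this enum changes the meaning of any `phase1-auth-flags` value that was already stored. The old `TLS_DISABLE_1_0` (`1 << 1`) now reads as `TLS_1_1_DISABLE`, the old `TLS_DISABLE_DEFAULT` (`1 << 0`) now reads as `TLS_1_0_DISABLE`, and the old `TLS_DISABLE_1_2` (`1 << 3`) falls outside `NM_SETTING_802_1X_AUTH_FLAGS_ALL` and would presumably be refused by the new check in `verify()`. The `Since: 1.8` tag suggests the enum may not have shipped in a release yet, in which case this is harmless, but nothing on the page says so; otherwise a profile that disabled one TLS version would silently end up disabling a different one. A comment on the enum such as `/* bit values are stored in connection profiles; never renumber once released */` would protect the next change.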
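Review bot: Nothing at the three added `if` statements records that an unset flag now emits no `tls_disable_tlsv1_x` token at all, where the removed code wrote an explicit `=0` whenever the value was not the default. A profile can therefore no longer switch a TLS version back on if the supplicant's own configuration disables it; that is the safer direction, but it may surprise anyone who relied on the old output. A comment would mark it as intentional: `/* only ever emit "=1"; an unset flag leaves the TLS version to wpa_supplicant's defaults */`. The enclosing function starts and ends outside the hunk.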