supplicant: add NMSetting8021xAuthFlags for TLS v1.3 / enable a version

In the commit 2a11c57c4e ('libnm/wifi: rework NMSetting8021xAuthFlags to explicitly disable TLS version'), it said: > In the future, supplicant may disable options by default, and > the inverse option can become interesting to configure > "tls_disable_tlsv1_0=0". When that happens, we can solve it by > adding another flag NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_0_ENABLE. This commit adds the `NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_0_ENABLE` flag as well as similar flags for other TLS versions. This commit also adds flags for TLS v1.3, as the corresponding flags are now provided in wpa_supplicant. The NMSetting8021xAuthFlags setting is rejected when both enable and disable are set for the same TLS version. if-else-if is used in nm_supplicant_config_add_setting_8021x to guarantee this behavior. It prefers ENABLE over DISABLE to match the behavior of wpa_supplicant. https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/1133 https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1450
2026-06-19 06:38:29 +02:00 · 2022-11-05 21:32:58 +08:00 · 2022-11-05 21:32:58 +08:00 · a275285537
commit a275285537
parent 8c779a7d8b
4 changed files with 55 additions and 8 deletions
--- a/src/core/supplicant/nm-supplicant-config.c
+++ b/src/core/supplicant/nm-supplicant-config.c
@ -1369,12 +1369,22 @@ nm_supplicant_config_add_setting_8021x(NMSupplicantConfig *self,
    }

    phase1_auth_flags = nm_setting_802_1x_get_phase1_auth_flags(setting);
-    if (NM_FLAGS_HAS(phase1_auth_flags, NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_0_DISABLE))
+    if (NM_FLAGS_HAS(phase1_auth_flags, NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_0_ENABLE))
+        g_string_append_printf(phase1, "%stls_disable_tlsv1_0=0", (phase1->len ? " " : ""));
+    else if (NM_FLAGS_HAS(phase1_auth_flags, NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_0_DISABLE))
        g_string_append_printf(phase1, "%stls_disable_tlsv1_0=1", (phase1->len ? " " : ""));
-    if (NM_FLAGS_HAS(phase1_auth_flags, NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_1_DISABLE))
+    if (NM_FLAGS_HAS(phase1_auth_flags, NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_1_ENABLE))
+        g_string_append_printf(phase1, "%stls_disable_tlsv1_1=0", (phase1->len ? " " : ""));
+    else if (NM_FLAGS_HAS(phase1_auth_flags, NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_1_DISABLE))
        g_string_append_printf(phase1, "%stls_disable_tlsv1_1=1", (phase1->len ? " " : ""));
-    if (NM_FLAGS_HAS(phase1_auth_flags, NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_2_DISABLE))
+    if (NM_FLAGS_HAS(phase1_auth_flags, NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_2_ENABLE))
+        g_string_append_printf(phase1, "%stls_disable_tlsv1_2=0", (phase1->len ? " " : ""));
+    else if (NM_FLAGS_HAS(phase1_auth_flags, NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_2_DISABLE))
        g_string_append_printf(phase1, "%stls_disable_tlsv1_2=1", (phase1->len ? " " : ""));
+    if (NM_FLAGS_HAS(phase1_auth_flags, NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_3_ENABLE))
+        g_string_append_printf(phase1, "%stls_disable_tlsv1_3=0", (phase1->len ? " " : ""));
+    else if (NM_FLAGS_HAS(phase1_auth_flags, NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_3_DISABLE))
+        g_string_append_printf(phase1, "%stls_disable_tlsv1_3=1", (phase1->len ? " " : ""));
    if (NM_FLAGS_HAS(phase1_auth_flags, NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_TIME_CHECKS))
        g_string_append_printf(phase1, "%stls_disable_time_checks=1", (phase1->len ? " " : ""));

--- a/src/core/supplicant/nm-supplicant-settings-verify.c
+++ b/src/core/supplicant/nm-supplicant-settings-verify.c
@ -114,6 +114,8 @@ static const struct Opt opt_table[] = {
                             "tls_disable_tlsv1_1=1",
                             "tls_disable_tlsv1_2=0",
                             "tls_disable_tlsv1_2=1",
+                             "tls_disable_tlsv1_3=0",
+                             "tls_disable_tlsv1_3=1",
                             "tls_disable_time_checks=0",
                             "tls_disable_time_checks=1", )),
    OPT_KEYWORD("phase2",
--- a/src/libnm-core-impl/nm-setting-8021x.c
+++ b/src/libnm-core-impl/nm-setting-8021x.c
@ -2904,10 +2904,35 @@ verify(NMSetting *setting, NMConnection *connection, GError **error)
    }

    if (NM_FLAGS_ANY(priv->phase1_auth_flags, ~((guint32) NM_SETTING_802_1X_AUTH_FLAGS_ALL))) {
-        g_set_error_literal(error,
-                            NM_CONNECTION_ERROR,
-                            NM_CONNECTION_ERROR_INVALID_PROPERTY,
-                            _("invalid auth flags"));
+        g_set_error(error,
+                    NM_CONNECTION_ERROR,
+                    NM_CONNECTION_ERROR_INVALID_PROPERTY,
+                    _("invalid auth flags: '%d' contains unknown flags"),
+                    priv->phase1_auth_flags);
+        g_prefix_error(error,
+                       "%s.%s: ",
+                       NM_SETTING_802_1X_SETTING_NAME,
+                       NM_SETTING_802_1X_PHASE1_AUTH_FLAGS);
+        return FALSE;
+    }
+
+    if (NM_FLAGS_ALL(priv->phase1_auth_flags,
+                     NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_0_ENABLE
+                         | NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_0_DISABLE)
+        || NM_FLAGS_ALL(priv->phase1_auth_flags,
+                        NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_1_ENABLE
+                            | NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_1_DISABLE)
+        || NM_FLAGS_ALL(priv->phase1_auth_flags,
+                        NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_2_ENABLE
+                            | NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_2_DISABLE)
+        || NM_FLAGS_ALL(priv->phase1_auth_flags,
+                        NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_3_ENABLE
+                            | NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_3_DISABLE)) {
+        g_set_error_literal(
+            error,
+            NM_CONNECTION_ERROR,
+            NM_CONNECTION_ERROR_INVALID_PROPERTY,
+            _("invalid auth flags: both enable and disable are set for the same TLS version"));
        g_prefix_error(error,
                       "%s.%s: ",
                       NM_SETTING_802_1X_SETTING_NAME,
--- a/src/libnm-core-public/nm-setting-8021x.h
+++ b/src/libnm-core-public/nm-setting-8021x.h
@ -63,8 +63,13 @@ typedef enum { /*< underscore_name=nm_setting_802_1x_ck_scheme >*/
 * NMSetting8021xAuthFlags:
 * @NM_SETTING_802_1X_AUTH_FLAGS_NONE: No flags
 * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_0_DISABLE: Disable TLSv1.0
+ * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_0_ENABLE: Enable TLSv1.0. Since 1.42.
 * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_1_DISABLE: Disable TLSv1.1
+ * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_1_ENABLE: Enable TLSv1.1. Since 1.42.
 * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_2_DISABLE: Disable TLSv1.2
+ * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_2_ENABLE: Enable TLSv1.2. Since 1.42.
+ * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_3_DISABLE: Disable TLSv1.3. Since 1.42.
+ * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_3_ENABLE: Enable TLSv1.3. Since 1.42.
 * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_TIME_CHECKS: Disable TLS time checks. Since 1.42.
 * @NM_SETTING_802_1X_AUTH_FLAGS_ALL: All supported flags
 *
@ -82,8 +87,13 @@ typedef enum /*< underscore_name=nm_setting_802_1x_auth_flags, flags >*/ {
    NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_1_DISABLE         = 0x2,
    NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_2_DISABLE         = 0x4,
    NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_TIME_CHECKS = 0x8,
+    NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_3_DISABLE         = 0x10,
+    NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_0_ENABLE          = 0x20,
+    NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_1_ENABLE          = 0x40,
+    NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_2_ENABLE          = 0x80,
+    NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_3_ENABLE          = 0x100,

-    NM_SETTING_802_1X_AUTH_FLAGS_ALL = 0xF,
+    NM_SETTING_802_1X_AUTH_FLAGS_ALL = 0x1FF,
 } NMSetting8021xAuthFlags;

 #define NM_TYPE_SETTING_802_1X (nm_setting_802_1x_get_type())